Re: Mod_proxy and client certificate auth

2006-06-08 Thread Paul D. Robertson
On Wed, 7 Jun 2006, BJ Swope wrote:

 From everything I've heard and read, mod-proxy will not proxy HTTPS on the
 back like what you are asking.  You can have HTTPS on the front end but not
 on the back.  It will have to be HTTP to the back.
 
 If you get this working I would LOVE to hear how you got it done
 
 

I'm getting end-to-end SSL, just the undesired (this time) effect of 
having the client cert passed all the way through the chain, which I'd 
expect folks to want as normal behavior.

Paul
-
Paul D. Robertson  My statements in this message are personal opinions
[EMAIL PROTECTED]   which may have no basis whatsoever in fact.
http://fora.compuwar.net  Infosec discussion boards 

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List               modssl-users@modssl.org
Automated List Manager                  [EMAIL PROTECTED]


Mod_proxy and client certificate auth

2006-06-06 Thread Paul D. Robertson

Hi,

I'm trying to get mod_proxy to work as an SSL proxy using a client 
certificate on the proxy to connect to a backend IIS server that's set up 
to use any client certificate signed by my OpenSSL-based CA.  

If I use a browser with the same certificate bundled up as a PKCS12 
bundle, through the proxy, it all works, but what I really need is for 
Apache/mod_ssl to use a locally stored version of the cert/key to connect, 
then let the IIS server do its normal basic auth.  That's one single 
client cert/key for all externally connecting users (yes, I understand 
the ramification; it's not for user authentication), not a per-user proxy 
cert.

Here's what I have in my Apache ssl.conf file:

RequestHeader set Front-End-Https On
CacheDisable *
SSLProxyEngine On
ProxyPass /app https://iisserver/app
ProxyPassReverse /app https://iisserver/app
SSLProxyMachineCertificatePath conf/cert
SSLEngine on

conf/cert contains user.pem, a .pem cert file with an RSA private key 
catenated to it.  I also have a hash link to the user.pem cert file.

Just in case, I've also added export OPENSSL_ALLOW_PROXY_CERTS=1 to 
bin/envvars.

Can anyone tell me what I'm doing wrong?

Thanks,

Paul
-
Paul D. Robertson  My statements in this message are personal opinions
[EMAIL PROTECTED]   which may have no basis whatsoever in fact.



Re: SSLVerifyClient fails

2005-08-04 Thread Paul Puschmann
Sven Löschner schrieb:
Try using openssl s_client to connect (? arg for options). It'll give a lot of debug info.
 
 
 Okay, I tried openssl s_client -connect www.test.de:443 -CAfile
 /etc/ssl/UserCA/UserCAchaincert.pem -verify 3 -cert
 /etc/ssl/UserCA/svencert.pem -key /etc/ssl/UserCA/svenkey.pem -reconnect
 -showcerts -state -bugs
 
 The output is the following:
 
 CONNECTED(0003)
 SSL_connect:before/connect initialization
 SSL_connect:SSLv2/v3 write client hello A
 SSL_connect:SSLv3 read server hello A
 depth=0 /C=DE/ST=NRW/L=Hattingen/O=MX/OU=Demo
 Server/CN=www.test.de/[EMAIL PROTECTED]
 verify error:num=20:unable to get local issuer certificate

It seems you don't have the required root CA certificates installed on your
webserver (you need the root certificate of your client certificates).
Anyone correct me if I'm wrong.

Paul
-- 
Linux-User #271918 with the Linux Counter, http://counter.li.org/
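For reading s_client output like the one quoted in this thread, here is an added example (not code from the thread or from the mod_ssl project): it parses the `depth=` and `verify error:` lines and reports which certificate in the presented chain the verifier rejected and what that implies is missing from the trust store. The sample output is reconstructed from the thread, with a placeholder e-mail address where the archive redacted it. Note that in s_client it is the client side (with `-CAfile`) doing the verifying, so the failing depth names a certificate in the server's chain and the missing issuer has to be in the client's CA file; when mod_ssl verifies a client certificate the same reading applies with `SSLCACertificateFile`/`SSLCACertificatePath` as the store.

```python
"""Parse `openssl s_client -state -showcerts` output and report where the
chain verification failed (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the output quoted in the thread. The
# subject's e-mail address was redacted in the archive, so a placeholder
# is used here.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=DE/ST=NRW/L=Hattingen/O=MX/OU=Demo Server/CN=www.test.de/emailAddress=admin@example.invalid
verify error:num=20:unable to get local issuer certificate
verify return:1
"""

# What the X509 verify error numbers that show up in this kind of
# troubleshooting mean for the person holding the trust store.
VERIFY_HINTS = {
    2: "the issuer certificate was neither sent by the peer nor found locally",
    9: "the certificate is not yet valid (compare clocks on both ends)",
    10: "the certificate has expired",
    18: "the leaf certificate is self-signed and is not in the trust store",
    19: "the chain ends in a self-signed root that is not in the trust store",
    20: "the issuer of this certificate is not in the trust store used by the "
        "verifier (-CAfile for s_client, SSLCACertificateFile/Path for mod_ssl)",
    21: "only the leaf was presented and its issuer could not be found",
    27: "the certificate is present but not trusted for this purpose",
}

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")


@dataclass
class ChainEntry:
    depth: int            # 0 = leaf, higher = issuers
    subject: str          # OpenSSL one-line subject, "/C=.../CN=..."
    error_num: Optional[int] = None
    error_text: Optional[str] = None


def subject_field(subject: str, key: str) -> Optional[str]:
    """Return one attribute (e.g. CN) of a slash-separated subject string."""
    for part in subject.strip("/").split("/"):
        name, sep, value = part.partition("=")
        if sep and name == key:
            return value
    return None


def parse_s_client(output: str) -> List[ChainEntry]:
    """Collect each depth=N line and attach the verify error printed
    directly after it, if any."""
    entries: List[ChainEntry] = []
    for line in output.splitlines():
        m = DEPTH_RE.match(line)
        if m:
            entries.append(ChainEntry(int(m.group(1)), m.group(2).strip()))
            continue
        m = ERROR_RE.match(line)
        if m and entries and entries[-1].error_num is None:
            entries[-1].error_num = int(m.group(1))
            entries[-1].error_text = m.group(2).strip()
    return entries


def diagnose(output: str) -> dict:
    """Summarise the first failure: the depth and CN of the certificate
    the verifier rejected, the error, and what that says is missing."""
    entries = parse_s_client(output)
    if not entries:
        return {"ok": False, "reason": "no certificate chain in output"}
    failed = [e for e in entries if e.error_num is not None]
    if not failed:
        return {"ok": True, "depth": None,
                "cn": subject_field(entries[0].subject, "CN")}
    e = failed[0]
    return {
        "ok": False,
        "depth": e.depth,
        "cn": subject_field(e.subject, "CN"),
        "error_num": e.error_num,
        "error_text": e.error_text,
        "hint": VERIFY_HINTS.get(
            e.error_num, "see the X509_verify_cert_error_string list for this code"),
    }


if __name__ == "__main__":
    import sys
    # Usage: openssl s_client -connect host:443 -CAfile ca.pem -state 2>&1 | python3 this.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for key, value in diagnose(text).items():
        print(f"{key}: {value}")
```

Run with no input to see the reconstructed sample diagnosed, or pipe real s_client output into it. The thing to look at is the depth: error 20 at depth 0 means the verifier could not find the issuer of the leaf itself, so the intermediate or root that signed it has to be added to whichever store the verifying side uses.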





Re: SSLCACertificatePath

2005-06-30 Thread Paul Puschmann

[EMAIL PROTECTED] wrote:
 User authentication works when I specify
 SSLCACertificateFile
 
 However, it does not work when I use
 SSLCACertificatePath
 
 I use the Makefile.crt renamed Makefile in the same directory pointed 
 to by SSLCACertificatePath.
 The hash symlinks are created.
 
 The log shows that Apache loads those certificates in, but when I try 
 to authenticate, it can't find them.
 
Yes, there are some problems with SSLCACertificatePath.
I used SSLCACertificateFile and have put all certificate-entries in one
file. This worked for me.

Paul
--
Linux-User #271918 with the Linux Counter, http://counter.li.org/


Re: SSLVerifyClient

2005-06-30 Thread Paul Puschmann

[EMAIL PROTECTED] wrote:
 Indeed, the trouble was with Safari and Keychain. Apparently, having
 more than one certificate confuses Safari. I am not sure what to do now,
 except get a different browser. Any advice would be appreciated.
 
 On Jun 28, 2005, at 11:01 AM, [EMAIL PROTECTED]
 mailto:[EMAIL PROTECTED] wrote:
 
 This can't be the problem, as I specify the CA using
 SSLCACertificatePath using the proper HASH names. I've also tried
 SSLCACertificateFile.

 using s_client with SSLVerifyClient optional, it shows that the server
 is correctly identifying which CAs are allowed.

 I think the problem is with Safari and Keychain. I shall look further
 into the matter.

Please answer BELOW THE QUOTE! Thank you.

Perhaps you could file a bug against Safari (or have a look in their
bug-database (if existent)).

Paul
--
Linux-User #271918 with the Linux Counter, http://counter.li.org/


Invalid command SSLEngine

2004-12-18 Thread Paul Madoff
Newbie to the list, please tell me if I've got the wrong one! :)
SuSE 9, Apache 1.3.28 with curl 7.10.5 and openSSL 0.9.7b -- was 
working with SSL

Updated with rpms to curl 7.11.2 and openSSL 0.9.7d -- Apache won't 
restart with SSL.

Syntax error on line 1419 of /etc/httpd/httpd.conf:
Invalid command 'SSLEngine', perhaps mis-spelled or defined by a module 
not included in the server configuration
/usr/sbin/apachectl startssl: httpd could not be started

<IfDefine DUMMYSSL>
LoadModule ssl_module /usr/lib/apache/libssl.so
</IfDefine>
Also tried with no success:
LoadModule ssl_module /usr/lib/apache/libssl.so.0
LoadModule ssl_module /usr/lib/apache/libssl.so.0.9.7
Last clue I found on the internet suggested that mod_ssl was not 
loading. Is that my problem or have I missed something?

thanks,
Paul




Re: mod_ssl and mod_jk (Win32)

2002-12-04 Thread Paul Christmann
Answering my own question in case anyone else ever encounters this:

Modify Tomcat's server.xml specifying scheme="https" (rather than 
scheme="http") for the Connector used to wire Apache and Tomcat.

Paul Christmann wrote:
Environment:

Running Apache 2.0.43/OpenSSL 9.6.g as downloaded from 
hunter.campbus.com and mod_jk 1.2.1 for build 2.0.43 from jakarta.

Problem:

When I access the URL https://localhost/app, I *hope* to get the 
contents of index.html (i.e., https://localhost/app/index.html). 
Instead, my browser (Mozilla 1.0) reports a Bad Request error, 
indicating that there was a protocol error in accessing the URL 
"http://localhost:443/app/index.html".

Of course there will be a protocol error -- using http to talk to the 
https port!

Any ideas where that error might come from?  I assume it's something 
happening with a redirect in Tomcat.

FWIW:

Each of the following URLs work fine (right now, I have Apache 
configured to take all connections either from http or https and forward 
to Tomcat):

+ http://localhost/app
+ http://localhost/app/index.html
+ https://localhost/app/index.html

It's only the https://localhost/app URL that's failing.

Thanks for any assistance,

Paul Christmann





How to read the html content

2002-11-28 Thread Blesson Paul
Hi all
I am a newbie to this list. I need to know how mod_ssl gets the 
content (I mean the HTML message body) which Apache sends to the client. 
If it is difficult to explain, at least please tell me in which part of the code 
it is described.

Thanking in advance
regards
Blesson Paul



Win32 Binary Builds

2002-11-26 Thread Paul Christmann
I'm just installing my first Apache server on a W2K box, and I'd like to 
include SSL support.  From browsing this newsgroup and reading the 
apache docs, it appears that the following statements are true (please 
correct me if I'm wrong):

1.  mod_ssl source is now bundled in Apache 2.X
2.  No binary version of Apache 2.X is available with mod_ssl support.
3.  Compiling Apache source requires MSVC 5

I've found several links (thanks primarily to hunter for links and 
instructions) to downloading SSL executables built for Windows, and am 
starting to play with them.  But I am left with two questions:

1.  Why isn't there an Apache 2.X binary distribution with SSL?  As best 
I can tell, there is an issue with export laws.  But why doesn't that 
same issue apply to non-windows builds?

2.  I don't have (nor do I want to purchase) a MS license.  Without 
that, is there any way I can compile Apache 2.X?  (I have and use 
cygwin's gcc and make if that matters)

Thanks,

Paul Christmann




Re: Securing directories

2002-11-08 Thread Paul Bleimeyer

Rob,

You might want to use a restricted realm setup and use the 
authnname and setup a number of users to control the access.
Part I: Restricting access.
Using a authorization file on the folder in question is also
possible, but if your users create subfolders, then they will
be prompted to reauthenticate as they traverse the subfolders.

Using the Authusername might be easier. 

Part II: Secure vs. unsecure connections:
If you have both 80 and 443 bound to each of these 
virtual websites, then users will be able to connect on each
port. Inserting the access controls mentioned at the top will
work across both. If you want to ensure that users are not able
to open this connection via 80, then do not include this 
port in your listen statements in http.conf.

There are many different ways to deal with this. See the following
for more details.

Binding ports and the listen option:
http://httpd.apache.org/docs-2.0/bind.html

Authentication overview.
http://httpd.apache.org/docs-2.0/howto/auth.html

Users via a password file:
http://httpd.apache.org/docs-2.0/howto/auth.html#gettingitworking

Users via a groups file:
http://httpd.apache.org/docs-2.0/howto/auth.html#lettingmorethanonepersonin

On Fri, 8 Nov 2002, Robert Lagana wrote:

 Hello,
 
 Using mod_ssl .. on Apache .. I would like to secure two directories..
 
 https://www.domain.com/homedir
 
 https://www.domain.com/homedir2
 
 Now if users go to http://www.domain.com, will users
 get a pop up saying that SSL is required?
 
 Is this just a matter of having Port 80 and Port 443 enabled?
 
 Do I set these directories up as virtual hosts?
 
 Is there a link someone can provide that explains this?
 
 Thanks,
 Rob
 




RE: Securing directories

2002-11-08 Thread Paul Bleimeyer

Anytime. That's what this group is all about.
Let us know once you get things rolling.

Regards,

Paul


On Fri, 8 Nov 2002, Robert Lagana wrote:

 Thank you very much Paul.
 
 Regards,
 Robert
 



RE: Mod_SSL_2.8.10 and OpenSSL_0.9.6g

2002-09-19 Thread Paul Bleimeyer

Geoff,

Are you running 1.x or 2.40 apache?

Regards,

Paul


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Geoffrey Talvola
 Sent: Thursday, September 19, 2002 1:28 PM
 To: '[EMAIL PROTECTED]'
 Subject: RE: Mod_SSL_2.8.10 and OpenSSL_0.9.6g
 
 
 I'm using the binaries from the OpenSA package and they are 
 working fine for
 me, both on NT and on 2000.
 
 details at http://www.opensa.org/development/news/101.html
 
 - Geoff
 
  -Original Message-
  From: David Diehl [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, September 19, 2002 2:15 PM
  To: [EMAIL PROTECTED]
  Subject: Mod_SSL_2.8.10 and OpenSSL_0.9.6g
  
  
  Has anybody got this to function on a NT 4.0 server?
  
  I've downloaded and compiled apache 1.3.26 with modssl 2.8.10 and
  openssl 9.6g and can't seem to get it to work on a NT 4.0 server. It
  works fine on a windows 2000 server, but when I try and start it on a NT
  4.0 server the second apache process never starts and there are no error
  indications in the log files.
  
  I've also downloaded 2 separate precompiled builds and neither of them
  came with the openssl dll files libeay32.dll and ssleay32.dll, which
  normally reside in the system32 directory. If I use the ones I compiled,
  the same symptoms occur. Of course, if I remove all SSL directives from
  the httpd.conf file, I don't need the dll's and it functions properly.
  
  It seems that any version prior to 9.6 i.e. 9.5a functions without any
  problems.
  
  Any ideas or insight would be greatly appreciated.
  
  Thanks
  
  David
  
  



RE: Antw: RE: Apache 2.0.40 - Loaded mod_ssl successfully on w2k?

2002-09-04 Thread Paul Bleimeyer

Andre,

I think I am hitting a wall somewhere. Somewhat the same errors running your
code. Could it be my browser? Connections over 80 and 443 are fine, but when
I
invoke ssl via https://localhost or the server name I get the internal 501
error code. I shutdown my copy, renamed the folder to apache2.old inserted
yours, copied my ssl folder over with my key and cert in it and edited
http.conf and ssl.conf to reflect my directory structure. Any Ideas here? I
think I am tired, since I can't seem to figure out what's amiss here.

Here are my http.conf and ssl.conf files for reference.



Access log still shows:
127.0.0.1 - - [03/Sep/2002:13:00:37 -0500] €L 501 288

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Andre Schild
 Sent: Tuesday, September 03, 2002 10:25 AM
 To: [EMAIL PROTECTED]
 Subject: Antw: RE: Apache 2.0.40 - Loaded mod_ssl successfully on w2k?


 Has anyone successfully implemented mod_sll under 2.40
 apache for w2k?
 I am getting a 501 1051 internal server error back. The ssl engine is
 loading
 but no response when I connect to the port.

 2.0.40 works fine for me under W2K with OpenSSL 0.9.6e
 Did compile it from the scratch...

 Binaries are here:
 http://www.switzerland.net/Pneatec/

 André



#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs-2.0/> for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
# whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
# which responds to requests that aren't handled by a virtual host.
# These directives also provide default values for the settings
# of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
# different IP addresses or hostnames and have them handled by the
# same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with / (or drive:/ for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with /, the value of ServerRoot is prepended -- so logs/foo.log
# with ServerRoot set to C:/Apache2 will be interpreted by the
# server as C:/Apache2/logs/foo.log.
#
# NOTE: Where filenames are specified, you must use forward slashes
# instead of backslashes (e.g., c:/apache instead of c:\apache).
# If a drive letter is omitted, the drive on which Apache.exe is located
# will be used by default.  It is recommended that you always supply
# an explicit drive letter in absolute paths, however, to avoid
# confusion.
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at <URL:http://httpd.apache.org/docs-2.0/mod/core.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "C:/program files/Apache Group/Apache2"

#
# ScoreBoardFile: File used to store internal server process information.
# If unspecified (the default), the scoreboard will be stored in an
# anonymous shared memory segment, and will be unavailable to third-party
# applications.
# If specified, ensure that no two invocations of Apache share the same
# scoreboard file. The scoreboard file MUST BE STORED ON A LOCAL DISK.
#
#ScoreBoardFile logs/apache_runtime_status

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
PidFile logs/httpd.pid

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to Off to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a 

RE: Apache 2.0.40 - Loaded mod_ssl successfully on w2k?

2002-09-03 Thread Paul Bleimeyer

Has anyone successfully implemented mod_sll under 2.40 apache for w2k?
I am getting a 501 1051 internal server error back. The ssl engine is
loading
but no response when I connect to the port.

[info] Init: Initializing OpenSSL library
[Fri Aug 30 15:51:28 2002] [info] Init: Seeding PRNG with 0 bytes of entropy
[Fri Aug 30 15:51:28 2002] [info] Init: Generating temporary RSA private
keys (512/1024 bits)
[Fri Aug 30 15:51:28 2002] [info] Init: Generating temporary DH parameters
(512/1024 bits)
[Fri Aug 30 15:51:28 2002] [info] Init: Initializing (virtual) servers for
SSL
[Fri Aug 30 15:51:28 2002] [info] Server: Apache/2.0.40, Interface:
mod_ssl/2.0.40, Library: OpenSSL/0.9.6g
[Fri Aug 30 15:51:29 2002] [notice] Parent: Created child process 3484
[Fri Aug 30 15:51:29 2002] [debug] .\server\mpm\winnt\mpm_winnt.c(483):
Parent: Sent the scoreboard to the child
[Fri Aug 30 15:51:29 2002] [info] Init: Initializing OpenSSL library
[Fri Aug 30 15:51:29 2002] [info] Init: Seeding PRNG with 0 bytes of entropy
[Fri Aug 30 15:51:29 2002] [info] Init: Generating temporary RSA private
keys (512/1024 bits)
[Fri Aug 30 15:51:29 2002] [notice] Child 564: Released the start mutex
[Fri Aug 30 15:51:29 2002] [info] Init: Generating temporary DH parameters
(512/1024 bits)
[Fri Aug 30 15:51:29 2002] [warn] Init: Session Cache is not configured
[hint: SSLSessionCache]

192.168.1.2 - - [30/Aug/2002:12:30:48 -0500] ?L 501 1051
192.168.1.2 - - [30/Aug/2002:13:23:04 -0500] ?L 501 1051
192.168.1.2 - - [30/Aug/2002:14:35:42 -0500] ?L 501 1051
192.168.1.2 - - [30/Aug/2002:14:35:45 -0500] ?L 501 1051
192.168.1.2 - - [30/Aug/2002:14:35:53 -0500] ?L 501 1051
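The 501 entries in this thread, with a couple of non-printable bytes where the request line should be, are the shape an access log takes when a browser opens an SSL handshake against a port on which httpd is answering plain HTTP: a first byte of 0x80 is consistent with an SSLv2-compatible ClientHello record header (TLS records begin 0x16 0x03), httpd parses those bytes as a request line, finds no method it knows, and answers 501. The script below is an added example, not from the thread or from the Apache project: it parses common-format log lines, decodes the `\xHH` escapes httpd uses for such bytes, and flags the handshakes, which points at the listener for that port not running with `SSLEngine on` (or mod_ssl not being loaded at all). The sample log lines are constructed; hosts and timestamps follow the ones quoted in the thread.

```python
"""Flag SSL/TLS handshakes that landed on a plain-HTTP listener, from
Apache access log lines (added example, not from the thread)."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample access log in Apache "common" format. The first two
# entries model the 501 lines quoted in this thread (httpd writes
# non-printable request bytes as \xHH escapes; the archive rendered them
# as "EUR-sign L" / "?L", i.e. 0x80 0x4C); the third is a TLS 1.0
# ClientHello record header; the last two are ordinary requests, one of
# them a genuine unknown method that also earns a 501.
SAMPLE_LOG = r'''
127.0.0.1 - - [03/Sep/2002:13:00:37 -0500] "\x80L\x01\x03\x01" 501 288
192.168.1.2 - - [30/Aug/2002:12:30:48 -0500] "\x80L" 501 1051
192.168.1.2 - - [30/Aug/2002:14:35:53 -0500] "\x16\x03\x01\x00\x85\x01" 400 226
192.168.1.2 - - [30/Aug/2002:14:40:10 -0500] "GET /index.html HTTP/1.1" 200 1456
10.0.0.7 - - [30/Aug/2002:14:41:02 -0500] "FOO / HTTP/1.0" 501 288
'''.strip("\n")

# host ident user [time] "request" status size  (the "common" LogFormat)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:\\.|[^"\\])*)" (?P<status>\d{3}) (?P<size>\S+)'
)
ESC_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape_request(field: str) -> bytes:
    """Recover the bytes httpd received from the logged request field:
    \\xHH escapes become the byte, and a log read as latin-1 maps any raw
    high byte (such as the archive's 0x80) straight through."""
    text = ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), field)
    return text.encode("latin-1", errors="replace")


def classify_request(req: bytes) -> str:
    """Recognise the two handshake openings a 2002-era browser could send."""
    if not req:
        return "empty"
    # TLS/SSLv3 record: content type 22 (handshake), major version 3.
    if req[0] == 0x16 and len(req) > 1 and req[1] == 0x03:
        return "tls_client_hello"
    # SSLv2 record header: high bit set on the first length byte, then the
    # message type byte 0x01 (CLIENT-HELLO). httpd often logs only the
    # first bytes, so a short field with the 0x80 prefix counts as well.
    if req[0] & 0x80 and (len(req) < 3 or req[2] == 0x01):
        return "sslv2_client_hello"
    if any(b < 0x20 or b >= 0x7F for b in req):
        return "binary"
    return "text"


def analyze(log_text: str) -> Dict:
    """Count request kinds and list every handshake that hit plain HTTP."""
    kinds: Counter = Counter()
    findings: List[Dict] = []
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        kind = classify_request(unescape_request(m.group("request")))
        kinds[kind] += 1
        if kind.endswith("client_hello"):
            findings.append({"host": m.group("host"), "time": m.group("time"),
                             "status": int(m.group("status")), "kind": kind})
    verdict = ("no handshake bytes in any request line" if not findings else
               f"{len(findings)} SSL/TLS handshake(s) answered as plain HTTP: "
               "the listener for that port is not running with SSLEngine on "
               "(or mod_ssl is not loaded)")
    return {"by_kind": dict(kinds), "handshake_on_http": len(findings),
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    import sys
    # Usage: python3 this.py < /path/to/access_log   (no input: runs the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    result = analyze(text)
    print(result["verdict"])
    for f in result["findings"]:
        print(f"  {f['time']} {f['host']} {f['kind']} -> {f['status']}")
```

The last sample line shows why the classifier looks at the bytes rather than at the status code alone: an unknown method also produces a 501, but its request line is ordinary text, so only the handshake-shaped entries are reported.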






RE: Apache 2.0.35 - ssl fails silently?

2002-09-03 Thread Paul English


 Have you tried looking in ssl_engine.log?

That one wasn't being generated. Now I'm not sure what the problem was, 
but upgrading to 2.0.40 fixed it. Now that I've seen the build again, it 
is possible that mod_ssl failed to build, and I missed it as the messages 
scrolled past. I made sure that it did build for 2.0.40.

Thanks everyone,
Paul



RE: Antw: RE: Apache 2.0.40 - Loaded mod_ssl successfully on w2k?

2002-09-03 Thread Paul Bleimeyer

Whose compiler did you use?

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Lakey,
 Jeremy # IHTUL
 Sent: Tuesday, September 03, 2002 10:52 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: Antw: RE: Apache 2.0.40 - Loaded mod_ssl successfully on
 w2k?


 Ditto, compiled from scratch, apache 2.0.40, seperately
 compiled mod_ssl.so
 and moved it into the apache2 installed directory, worked fine..






Apache 2.0.35 - ssl fails silently?

2002-09-02 Thread Paul English


Hi,
I'm working with a new setup of 2.0.35 under Linux, and having 
some trouble. I'm not sure where to look as there are no errors in 
error_log, or /var/log/messages or on the console. 

Reading the docs I eliminated:
having Listen on port 443 and an appropriate virtual host context
using apachectl startssl to pass -DSSL to the server
tried using the stock httpd.conf and ssl.conf

None of the above seems to work. Thrown into the mix I have several 
interfaces on the machine, and ipchains (for which I've enabled access 
from everywhere to port 443). I tested all the interfaces using nmap, 
which just says that port 443 is closed, and telnet. 

I've attached my config files to see if anyone else can make sense of it.

Thanks,
Paul


#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these 
# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
#
#   For the moment, see <URL:http://www.modssl.org/docs/> for this info. 
#   The documents are still being prepared from material donated by the
#   modssl project.
# 
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#
<IfDefine SSL>

#   Until documentation is completed, please check http://www.modssl.org/
#   for additional config examples and module docmentation.  Directives
#   and features of mod_ssl are largely unchanged from the mod_ssl project
#   for Apache 1.3.

#
# When we also provide SSL we have to listen to the 
# standard HTTP port (see above) and to the HTTPS port
#
Listen 206.253.195.210:443

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
#ErrorLog logs/dummy-host.example.com-error_log
#CustomLog logs/dummy-host.example.com-access_log common

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shmht:logs/ssl_scache(512000)
#SSLSessionCache shmcb:logs/ssl_scache(512000)
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization. 
SSLMutex  file:logs/ssl_mutex

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the 
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file.  Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones include lower ones):
#   none, error, warn, info, trace, debug.
SSLLog  logs/ssl_engine_log
SSLLogLevel info

##
## SSL Virtual Host Context
##

<VirtualHost 206.253.195.210:443>

#  General setup for the virtual host
DocumentRoot /usr/local/htdocs/test
ServerName 3tiergroup.com:443
ServerAdmin [EMAIL PROTECTED]
ErrorLog logs/error_log
TransferLog logs/access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite

Re: Apache 2.0.35 - ssl fails silently?

2002-09-02 Thread Paul English


 On Mon, 2 Sep 2002, Paul English wrote:
 
  I'm working with a new setup of 2.0.35 under Linux, and having
 
 First of all, why 2.0.35 on a new setup?  2.0.36 was the first full
 release (back in April).  2.0.40 is the current release.


Oops, I guess I should have said relatively new. It has been up and 
running without any SSL for a few months.

I'm downloading 2.0.40 now, although I think the problem is most likely 
configuration somehow.

Paul

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Changing dummy certificates?

2002-08-18 Thread Paul F

Can anyone tell me how to change the dummy cert? I run gendummycerts again
but the old cert is still kept for apache.

Thanks!




http or https but not both?

2002-08-14 Thread Paul F

I have a fresh linux installation with apache + mod_ssl.

With the mod_ssl module and AddModule uncommented, I can access
https://mysite. BUT NOT
http://mysite.

Any help appreciated!





Warning message when starting modssl

2002-07-19 Thread paul priestman

Hello mod ssl users,

I have compiled apache 1.3.26 with modssl.  However, when I start apache it
gives me a load of warning messages:

[Fri Jul 19 13:40:36 2002] [warn] module mod_vhost_alias.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_env.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_log_config.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_mime_magic.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_mime.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_negotiation.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_status.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_info.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_include.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_autoindex.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_dir.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_cgi.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_asis.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_imap.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_actions.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_speling.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_userdir.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_alias.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_rewrite.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_access.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_auth.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_auth_anon.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_auth_dbm.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_digest.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_proxy.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_cern_meta.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_expires.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_headers.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_usertrack.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_unique_id.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_so.c is already added, skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_setenvif.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module auth_ldap.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_ssl.c is already added, 
skipping
[Fri Jul 19 13:40:36 2002] [warn] module mod_dav.c is already added, 
skipping

Apache still starts, but why is it giving me these warning messages?

thanks paul




Performance issues - testing

2002-04-29 Thread paul priestman


Hello all,

I am having worries about the performance of using mod_ssl.  Can anyone
suggest any good testing package that will give me hits per second when
running on a https server and hits per second when running on a normal http
server so I can compare the performance. I am using apache 1.3.22 with mod
ssl.

Thanks for your time

Paul





Re: Problems with Apache 2.0.35 and SSL

2002-04-18 Thread paul priestman


> > 1.  I have managed to install Apache 2.0.35 with mod SSL but it only works
> > when I specify the servername as being the server's IP address instead of
> > the actual name - is this a bug or is this the way Apache intended?
>
> Do you mean in the actual ServerName directive?  No that's not intended,
> but I've also never seen this problem.  Can you email me a configuration
> snippet that demonstrates the problem?

Yes, it's the ServerName directive.  If I specify the host name e.g.
wellington.location.com:8443 then my server starts up okay and will run on
http okay but when I try to go to port 8443 it says that connection is
refused - I have tried also just putting wellington.location.com without the
port number at the end but with the same effect.  However, if I specify the
actual IP address of the wellington then this works! - weird

> > Cannot load /opt/local/apache/apache_2.0.35/modules/mod_ssl.so into server:
> > ld.so.1: /opt/local/apache/apache_2.0.35/bin/httpd: fatal: relocation
> > error:
> > file /opt/local/apache/apache_2.0.35/modules/mod_ssl.so: symbol
> > X509_INFO_free: referenced symbol not found
> >
> > Is this a common bug?
>
> Yes, it's a fairly frequently asked question.  The problem is that you've
> built a shared mod_ssl against a static OpenSSL (ie, libssl.a and
> libcrypto.a instead of .so).  That won't work because the way the build
> system currently works, OpenSSL is linked into httpd, not mod_ssl.  httpd
> doesn't need the symbols from the OpenSSL libraries, so the static linker
> throws them away, meaning they're no longer available when mod_ssl is
> dynamically linked at runtime.
>
> Solution: use a shared OpenSSL.

- this works now!! thanks for your help

> --Cliff


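Cliff's diagnosis above can be confirmed mechanically: list the undefined symbols of mod_ssl.so and subtract everything httpd and the shared libraries it loads actually export; whatever is left is what ld.so will report as "referenced symbol not found". The script below is an added example, not from the thread or from Apache. Its nm listings are constructed in GNU `nm -D` format to model the situation Cliff describes (OpenSSL linked into httpd statically, so none of its symbols survive to be exported); on a real box they would come from `nm -D` on httpd, on the module, and on each library that `ldd httpd` reports.

```python
import re

# Constructed `nm -D`-style listings (GNU nm format: address, type letter, name).
# They model Cliff's description: mod_ssl.so imports OpenSSL symbols, but an httpd
# built against static libssl.a/libcrypto.a exports none of them, because the
# static linker dropped everything httpd itself never referenced.
MOD_SSL_NM = """\
                 U X509_INFO_free
                 U SSL_CTX_new
                 U ap_hook_post_config
                 U ap_log_error
0000000000004a10 T ssl_hook_Access
"""
HTTPD_STATIC_OPENSSL_NM = """\
00000000000a1f00 T ap_hook_post_config
00000000000a2230 T ap_log_error
00000000000b0000 T main
"""
LIBSSL_NM = """\
0000000000030f10 T SSL_CTX_new
"""
LIBCRYPTO_NM = """\
00000000000e4d20 T X509_INFO_free
"""

# optional hex address, one type letter, symbol name
NM_LINE = re.compile(r"^\s*(?:[0-9A-Fa-f]+\s+)?([A-Za-z])\s+(\S+)\s*$")
# nm type letters that mean "this object defines the symbol"
DEFINED_TYPES = set("TtDdBbRrWwVvi")


def parse_nm(output):
    """Map symbol name -> nm type letter for one object's listing."""
    symbols = {}
    for line in output.splitlines():
        m = NM_LINE.match(line)
        if m:
            symbols[m.group(2)] = m.group(1)
    return symbols


def unresolved_symbols(module_nm, provider_nms):
    """Undefined symbols of the module that no provider defines, sorted."""
    needed = {name for name, t in parse_nm(module_nm).items() if t == "U"}
    exported = set()
    for listing in provider_nms:
        exported |= {n for n, t in parse_nm(listing).items() if t in DEFINED_TYPES}
    return sorted(needed - exported)


def diagnose():
    """Compare the static-OpenSSL build with one where libssl/libcrypto are shared."""
    return {
        "static_openssl": unresolved_symbols(MOD_SSL_NM, [HTTPD_STATIC_OPENSSL_NM]),
        "shared_openssl": unresolved_symbols(
            MOD_SSL_NM, [HTTPD_STATIC_OPENSSL_NM, LIBSSL_NM, LIBCRYPTO_NM]),
    }


if __name__ == "__main__":
    for build, missing in diagnose().items():
        print(f"{build}: {'all resolved' if not missing else 'missing ' + ', '.join(missing)}")
```

The static case reports exactly the symbol from the error message (plus any other OpenSSL import the module has); adding the shared libraries' listings as providers empties the list, which is Cliff's "use a shared OpenSSL" stated as a check.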



mod_auth_ldap with Apache 2.0.35?

2002-04-16 Thread paul priestman



Hello,

Does anyone know if mod_auth_ldap comes with apache 2.0.35 like mod_ssl and 
mod_dav etc..The documentation seems to suggest so but I can't figure out a 
way to configure the makefile to install the module at compile time.

Does anyone have any suggestions?

Paul




Apache 2.0.35 with SSL - wont start

2002-04-15 Thread paul priestman

Hello all,

I have downloaded and installed Apache 2.0.35 with SSL.  I have configured
the httpd.conf as they suggest in ssl.conf.  However, when I try to start
apachectl I get the following message:

(13)Permission denied: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
./apachectl startssl: httpd could not be started

Has anyone any ideas what I'm doing wrong - I have successfully got ssl
working with apache 1.3.22.

Thanks for your time

Paul




Re: Apache 2.0.35 with SSL - wont start

2002-04-15 Thread paul priestman

I'm actually trying to run this server on port 8443 - the other httpd runs
on port 443 but I have stopped this server running (as it's just another test
server).  I am starting the server as myself - not as root but the port is > 1024 anyway

I have tried changing the port to other numbers as well but to no luck

Paul

From: R. DuFresne [EMAIL PROTECTED]
To: paul priestman [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Re: Apache 2.0.35 with SSL - wont start
Date: Mon, 15 Apr 2002 09:12:42 -0400 (EDT)


You're not trying to run two httpd's on the same set of ports are you, the
old one running while trying to fire up the new?

that's what the error suggests I think...

thanks,

Ron DuFresne

On Mon, 15 Apr 2002, paul priestman wrote:

> Hello all,
>
> I have downloaded and installed Apache 2.0.35 with SSL.  I have configured
> the httpd.conf as they suggest in ssl.conf.  However, when I try to start
> apachectl I get the following message:
>
> (13)Permission denied: make_sock: could not bind to address 0.0.0.0:443
> no listening sockets available, shutting down
> ./apachectl startssl: httpd could not be started
>
> Has anyone any ideas what I'm doing wrong - I have successfully got ssl
> working with apache 1.3.22.
>
> Thanks for your time
>
> Paul
 

--
~~
 admin  senior security consultant:  sysinfo.com
 http://sysinfo.com

Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation.
 -- Johnny Hart

testing, only testing, and damn good at it too!





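Two different failures get mixed up in this thread: the `(13)Permission denied` in Paul's log is errno 13, EACCES, which is what a non-root process gets when it binds a port below 1024, whereas the two-httpds-on-one-port case Ron suggests fails with EADDRINUSE instead. The probe below is an added example, not from the thread or from Apache; it classifies a bind failure the way make_sock would see it so the two causes can be told apart. The loopback listener it holds open to stand in for an already-running server is constructed by the example.

```python
import errno
import socket

# Assumption (not from the page): every probe is on loopback and the "held"
# port is a listening socket this script opened itself; nothing here talks
# to a real httpd.
PERMISSION_DENIED_ERRNO = errno.EACCES        # the (13) in "(13)Permission denied"


def diagnose_bind(port, host="127.0.0.1"):
    """Try to bind and listen on host:port as httpd's make_sock would, and
    classify the failure instead of only reporting it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        s.listen(1)
        return "ok"
    except OSError as exc:
        if exc.errno == errno.EACCES:
            return "privileged-port"     # port < 1024 and no root/CAP_NET_BIND_SERVICE
        if exc.errno == errno.EADDRINUSE:
            return "in-use"              # another listener already owns the port
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        s.close()


def run_demo():
    """Probe a port we hold open, a port we just released, and port 443."""
    # A listener kept open: a second httpd on the same port looks like this.
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))
    holder.listen(1)
    held_port = holder.getsockname()[1]
    # A port the kernel just handed out and we gave back.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    free_port = probe.getsockname()[1]
    probe.close()
    try:
        return {
            "held_port": diagnose_bind(held_port),
            "free_port": diagnose_bind(free_port),
            # "privileged-port" when run unprivileged on Linux; "ok" or
            # "in-use" as root, so this one is informational only.
            "port_443": diagnose_bind(443),
        }
    finally:
        holder.close()


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")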



Re: Apache 2.0.35 with SSL - wont start

2002-04-15 Thread paul priestman

So it's trying to bind to 443 - I have stated in my ssl.conf to listen on
port 8443 and have set up a virtual host for port 8443 with ssl enabled -
how come it tries to bind to port 443?

I have therefore tried to start the server as root - it started okay but I
cannot make an ssl connection - I go to https://servername.com:443 but get a
server error telling me I could not connect to server - in the error logs I
get:

mod_ssl: Unable to set session id context to 'servername.com:443' (OpenSSL
library error follows)

OpenSSL: error:140DA111::lib(20) :func(218) :reason(273)





> > (13)Permission denied: make_sock: could not bind to address 0.0.0.0:443
> > no listening sockets available, shutting down
> > ./apachectl startssl: httpd could not be started
>
> It's *not* trying to start on 8443 though...
>
> thanks,
>
> Ron DuFresne
>
> On Mon, 15 Apr 2002, paul priestman wrote:
>
> > I'm actually trying to run this server on port 8443 - the other httpd runs
> > on port 443 but I have stopped this server running (as it's just another
> > test server).  I am starting the server as myself - not as root but the
> > port is > 1024 anyway
> >
> > I have tried changing the port to other numbers as well but to no luck
> >
> > Paul
> >
> > > From: R. DuFresne [EMAIL PROTECTED]
> > > To: paul priestman [EMAIL PROTECTED]
> > > CC: [EMAIL PROTECTED]
> > > Subject: Re: Apache 2.0.35 with SSL - wont start
> > > Date: Mon, 15 Apr 2002 09:12:42 -0400 (EDT)
> > >
> > > You're not trying to run two httpd's on the same set of ports are you,
> > > the old one running while trying to fire up the new?
> > >
> > > that's what the error suggests I think...
> > >
> > > thanks,
> > >
> > > Ron DuFresne
> > >
> > > On Mon, 15 Apr 2002, paul priestman wrote:
> > >
> > > > Hello all,
> > > >
> > > > I have downloaded and installed Apache 2.0.35 with SSL.  I have
> > > > configured the httpd.conf as they suggest in ssl.conf.  However, when I
> > > > try to start apachectl I get the following message:
  


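The `error:140DA111` line above is a legacy OpenSSL packed error code, and the `lib(20) :func(218) :reason(273)` that mod_ssl prints beside it is simply its three fields unpacked. The decoder below is an added example, not from the thread or from OpenSSL. The names it attaches to 20/218/273 are from the OpenSSL 0.9.x `ssl.h` error tables (`openssl errstr 140DA111` prints the same), and the 32-byte `SSL_MAX_SID_CTX_LENGTH` limit is OpenSSL's. The fit check reflects that mod_ssl passes a `ServerName:port` string as the session id context, as the log line shows; whether the real name in Paul's configuration exceeded that limit is not something the thread states.

```python
import re

# Legacy (pre-3.0) OpenSSL error codes pack three fields into one 32-bit value:
#   bits 31-24 library, bits 23-12 function, bits 11-0 reason.
# That is exactly the "lib(20) :func(218) :reason(273)" mod_ssl printed
# beside error:140DA111.
ERR_CODE = re.compile(r"error:([0-9A-Fa-f]{8})")

# Names from the OpenSSL 0.9.x ssl.h error tables (library 20 is ERR_LIB_SSL);
# `openssl errstr 140DA111` gives the same answer where the CLI is installed.
LIB_NAMES = {20: "SSL"}
SSL_FUNC_NAMES = {218: "SSL_CTX_set_session_id_context"}
SSL_REASON_NAMES = {273: "SSL_SESSION_ID_CONTEXT_TOO_LONG"}

SSL_MAX_SID_CTX_LENGTH = 32      # OpenSSL's limit on a session id context


def decode_legacy_err(code):
    """Split a packed 32-bit code into (lib, func, reason)."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    return lib, func, reason


def explain_log_line(line):
    """Find an error:XXXXXXXX token in a log line and name its parts."""
    m = ERR_CODE.search(line)
    if not m:
        return None
    lib, func, reason = decode_legacy_err(int(m.group(1), 16))
    is_ssl = lib == 20
    return {
        "lib": lib, "func": func, "reason": reason,
        "lib_name": LIB_NAMES.get(lib, "unknown"),
        "func_name": SSL_FUNC_NAMES.get(func, "unknown") if is_ssl else "unknown",
        "reason_name": SSL_REASON_NAMES.get(reason, "unknown") if is_ssl else "unknown",
    }


def session_id_context_fits(ctx):
    """True if a vhost string (ServerName:port) can be used as the session id
    context; OpenSSL rejects longer ones with reason 273."""
    return len(ctx.encode("utf-8")) <= SSL_MAX_SID_CTX_LENGTH


if __name__ == "__main__":
    # Log line as quoted in the thread.
    print(explain_log_line("OpenSSL: error:140DA111::lib(20) :func(218) :reason(273)"))
    for name in ("servername.com:443", "a-much-longer-host.name.example.com:8443"):
        print(name, "fits" if session_id_context_fits(name) else "too long")
```

Reading the three fields off the code avoids guessing from `lib(20)` alone; a different reason number in the same function would point at a different cause, so decode before changing the configuration.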



Apache 2.0.35 and SSL

2002-04-11 Thread paul priestman

Hello all,

I am trying to compile apache 2.0.35 with ssl but it is not working.  My 
config is as follows:

./configure --prefix=/path/whereiwant/apache \
--enable-ssl \
--with-ssl=/path/to/openssl

However, on make I get the following error:

flex -Pssl_expr_yy -s -B 
/home/user/jwoodman/apache/httpd-2.0.35/modules/ssl/ssl_expr_scan.l
sh: flex: not found
*** Error code 1
make: Fatal error: Command failed for target `ssl_expr_scan.c'
Current working directory 
/home/user/jwoodman/apache/httpd-2.0.35/modules/ssl
*** Error code 1
make: Fatal error: Command failed for target `all-recursive'
Current working directory 
/home/user/jwoodman/apache/httpd-2.0.35/modules/ssl
*** Error code 1
make: Fatal error: Command failed for target `all-recursive'
Current working directory /home/user/jwoodman/apache/httpd-2.0.35/modules
*** Error code 1
make: Fatal error: Command failed for target `all-recursive'

I have managed to get apache 1.3.22 working with modssl and apache 2.0.35 
working without ssl.

Thanks for your help

Regards






RE: Job openings

2002-03-07 Thread Paul G. Weiss





-Original Message-
From: Mark J. Matheson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 07, 2002 9:40 PM
To: [EMAIL PROTECTED]
Subject: Re: Job openings

avijeet banerjee wrote:

> We have a requirement for a developer (senior) in a large software
> development organization. The person should have expertise in C, apache
> mods, Oracle Pl/sql and java/jsp experience would be an added advantage.
> Please send resumes ASAP.
> thanks
> Avijeet
>
> Avijeet Banerjee
>
> > From: "Patrick Willart" <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: "cesar" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
> > Subject: Re: mod_ssl
> > Date: Thu, 7 Mar 2002 13:34:41 -0800
> >
> > Hi Cesar,
> >
> > Mod_ssl isn't the problem. It works fine. But when you also add JSP
> > functionality (tomcat / WARP), the server becomes unstable. It appears to
> > be crashing when multiple requests for one or more JSPs are sent to the
> > server at the same time.
> >
> > Apache+mod_ssl works ok
> > Apache+tomcat works ok
> > but
> > Apache+mod_ssl+tomcat works but is very unstable.
> >
> > I actually changed to iPlanet ($ 1500) because of this.
> >
> > Apache 2.0 will have SSL integrated. Maybe the problem will be solved
> > then... Personally I have good feelings about this because the way
> > threading is handled is completely revised.
> >
> > Are you only getting an error message in the log and does everything
> > work? Or doesn't it...
> >
> > Patrick
> >
> > - Original Message -
> > From: "cesar" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, March 07, 2002 12:39 PM
> > Subject: mod_ssl
> >
> > > Hello Patrick
> > > I have a problem with apache+mod_ssl, when I execute any pages .jsp in
> > > my web server (windows 2000) I receive this error log:
> > >
> > > You are using mod_ssl under Win32. This combination is *NOT* officially
> > > supported. Use it at your own risk!
> > >
> > > What is this?? Is there a version stable of the apache+ssl for windows?
> > > Tks.
> > > Cesar

contact me directly at [EMAIL PROTECTED] I might be able to help
Mark

Thank you for sharing that with the group.
-P


RE: Job openings

2002-03-07 Thread Paul G. Weiss



OK, well that's what I call putting your foot in your mouth! Apologies to all.
-P



Hanging Processes

2001-09-05 Thread Paul G. Weiss

( My apologies if this is posted twice. )


I have processes that appear to hang for a considerable period of time 
while waiting for a read to complete.  I would have thought that there 
would be a timeout but apparently not. 

My server is: 
Apache/1.3.19 (Unix) mod_perl/1.25_01-dev mod_ssl/2.8.1 OpenSSL/0.9.6 

Running on Solaris 2.7. 

There are actually two flavors of hanging processes.  Here is how they 
look with pstack: 

First flavor: 

26058:  
-  lwp# 1 / thread# 1   
 ff216f88 read (3, 14cef58, b) 
 fe39a7cc read (0, 14cef58, b, fee79f00, fef03c64, 1) + 30 
 fee77ed0 BIO_read (12c7138, 14cef58, b, 1070, 1000, 0) + d0 
 fee506b0 ssl23_read_bytes (12ac0d0, b, 5455b8, 116c, 1000, f0) + 30 
 fee4f0f4 ssl23_get_client_hello (12ac0d0, ffbef640, 0, 0, ffbef640, 725560)
+ 54 
 fee4eff4 ssl23_accept (2210, 6000, 4000, 2003, 2211, 6f757400) + 194 
 fee54224 SSL_accept (12ac0d0, 12c, 0, 7efefeff, 81010100, ff) + 24 
 fee3d07c ssl_hook_NewConnection (7214a0, 7234d0, 1e2c, ff310154, 4, 1) +
378 
 00025cb0 new_connection (45415049, 5df00, 6e89f8, ffbef8a8, ffbef8b8, c) +
f4 
 00026ad0 child_main (59400, 59000, 59c00, 59400, 59438, 59c00) + 5a0 
 00026d80 make_child (5df00, c, 3b963c46, 59000, ff2369f4, 4) + 114 
 000270ac perform_idle_server_maintenance (17, 0, 0, 5df00, 40f58, 3bb38) +
250 
 00027598 standalone_main (3fc00, 59400, 55000, 44, ff236508, ff236844) +
324 
 00027b54 main (7, ffbefbbc, ffbefbdc, 59b28, 0, 0) + 328 
 00018e58 _start   (0, 0, 0, 0, 0, 0) + 5c 
-  lwp# 2 / thread# 2   
 ff2174bc signotifywait () 
 fe38f590 _dynamiclwps (fe3ac524, fe3ade3c, 2, 0, ff233968, ff233968) + 1c 
 ff212830 thr_errnop (0, 0, 0, 0, 0, 0) + 24 
-  lwp# 5 / thread# 3   
 ff217aec lwp_sema_wait (fdf0de78) 
 fe38b044 _park(fdf0ddc8, fdf0de78, 0, 1, fe3ad298, 0) + 10c 
 fe38ad38 _swtch   (5, fe3ac524, fdf0de58, fdf0de54, fdf0de50, fdf0de4c) +
350 
 fe38e64c _reap_wait (fe3ae070, fe3b0fa0, 0, 0, 0, 0) + 34 
 fe38e3d0 _reaper  (fe3ac524, fe3ae070, fe3ad308, 455f34, 1, fe401000) + 34 
 fe39b824 _thread_start (0, 0, 0, 0, 0, 0) + 40 



Second flavor: 

21644:  / 
-  lwp# 1 / thread# 1   
 ff216f88 read (3, 174c798, 5) 
 fe39a7cc read (0, 174c798, 5, fee79f00, fef03c64, 1) + 30 
 fee77ed0 BIO_read (14a96c0, 174c798, 5, 174c798, 97538, 97538) + d0 
 fee668a0 ssl3_read_n (0, 5, 5, 0, ff233968, fee79eb8) + 160 
 fee6697c ssl3_get_record (132ab70, 97538, 97628, 0, fee7a000, 1) + 5c 
 fee671b4 ssl3_read_bytes (132ab70, 16, 15e0868, 4, 0, 0) + 1b4 
 fee681f4 ssl3_get_message (132ab70, 2180, 2181, , 4000, ffbef4ec) +
b4 
 fee61720 ssl3_check_client_hello (132ab70, 21c0, 21c1, 0, 2, ffbef408) + 20

 fee5f59c ssl3_accept (, 2100, 3, 2180, 21d0, 21c0) + 6fc 
 fee54224 SSL_accept (132ab70, 1, 97538, 1, 4c, 800) + 24 
 fee4f818 ssl23_get_client_hello (8, ffbef658, 4f, 2, ffbef658, 722680) +
778 
 fee4eff4 ssl23_accept (2210, 6000, 4000, 2003, 2211, 6f757400) + 194 
 fee54224 SSL_accept (132ab70, 12c, 0, 7efefeff, 81010100, ff) + 24 
 fee3d07c ssl_hook_NewConnection (71e5c0, 7205f0, 1e2c, ff310154, 4, 1) +
378 
 00025cb0 new_connection (45415049, 5df00, 13e458, ffbef8c0, ffbef8d0, a) +
f4 
 00026ad0 child_main (59400, 59000, 59c00, 59400, 59438, 59c00) + 5a0 
 00026d80 make_child (5df00, a, 3b9638d8, 59000, ff2369f4, 1) + 114 
 000270ac perform_idle_server_maintenance (24, 0, 0, 5df00, 40f58, 3bb38) +
250 
 00027598 standalone_main (3fc00, 59400, 55000, 44, ff236508, ff236844) +
324 
 00027b54 main (7, ffbefbd4, ffbefbf4, 59b28, 0, 0) + 328 
 00018e58 _start   (0, 0, 0, 0, 0, 0) + 5c 
-  lwp# 2 / thread# 2   
 ff2174bc signotifywait () 
 fe38f590 _dynamiclwps (fe3ac524, fe3ade3c, 2, 0, ff233968, ff233968) + 1c 
 ff212830 thr_errnop (0, 0, 0, 0, 0, 0) + 24 
-  lwp# 4 / thread# 3   
 ff217aec lwp_sema_wait (fdf0de78) 
 fe38b044 _park(fdf0ddc8, fdf0de78, 0, 1, fe3ad298, 0) + 10c 
 fe38ad38 _swtch   (5, fe3ac524, fdf0de58, fdf0de54, fdf0de50, fdf0de4c) +
350 
 fe38e64c _reap_wait (fe3ae070, fe3b0fa0, 0, 0, 0, 0) + 34 
 fe38e3d0 _reaper  (fe3ac524, fe3ae070, fe3ad308, 455f34, 1, fe401000) + 34 

Look familiar to anyone? 

-Paul Weiss 

  
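Both pstack traces above end in `read()` inside `SSL_accept`, with nothing bounding how long the process waits for the client's next TLS record. The loopback demo below is an added example, not from the thread or from mod_ssl: it accepts a connection from a client that deliberately sends nothing and shows how a per-connection read timeout turns that indefinite wait into a bounded one, and how a client that simply goes away is distinguished from one that stalls. The 5-byte read size is taken from the `ssl3_read_n(..., 5, ...)` frame in the second trace; the listener, the client and the timeout value are constructed by the example.

```python
import socket
import threading
import time

# Assumption (not from the page): the blocked read() at the top of both pstack
# traces is waiting for the next TLS record from the client.  ssl3_read_n(..., 5, ...)
# in the second trace asks for exactly the 5-byte record header, so that is the
# read size modelled here.  Everything runs on loopback.
TLS_RECORD_HEADER_LEN = 5


def _serve_one(listener, timeout, result):
    """Accept one connection and wait for a record header with a read timeout."""
    conn, _ = listener.accept()
    conn.settimeout(timeout)           # None would reproduce the unbounded wait
    start = time.monotonic()
    try:
        data = conn.recv(TLS_RECORD_HEADER_LEN)
        result["outcome"] = "got-data" if data else "peer-closed"
    except socket.timeout:
        result["outcome"] = "timed-out"
    finally:
        result["elapsed"] = time.monotonic() - start
        conn.close()


def stalled_handshake(timeout=0.5, client_closes=False):
    """Open a loopback listener, connect a client that never sends a ClientHello,
    and report how the server-side read ended and how long it waited."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    result = {}
    worker = threading.Thread(target=_serve_one, args=(listener, timeout, result))
    worker.start()
    client = socket.create_connection(listener.getsockname())
    if client_closes:
        client.close()                 # a client that goes away: recv returns b""
    worker.join()
    if not client_closes:
        client.close()                 # the stalled client is released only now
    listener.close()
    return result


if __name__ == "__main__":
    print("silent client :", stalled_handshake(0.5))
    print("closing client:", stalled_handshake(0.5, client_closes=True))
```

A worker parked in the "timed-out" branch frees itself after `timeout` seconds and goes back to serving; without the timeout the thread (or, for Apache 1.3, the whole child process) stays in `read()` for as long as the peer keeps the TCP connection open, which is the state the two traces show.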



RE: Solaris8(x86) install problem

2001-08-06 Thread Paul McGarry

Hi Breughel,

 Sorry but I'm still new to Solaris. Where can I get
 that C compiler? Sorry for being such a dummy.

http://www.sunfreeware.com/ should provide you with
all the goodies you need.

Their FAQ is useful too, as it gives solutions to a
lot of common problems you can run into when compiling
things yourself on Solaris.

Paul




Re: http and https, same instance

2001-07-19 Thread Paul


If you have mod_perl, check out an article I wrote for take23 a while
back at
http://take23.org/articles/2001/03/12/redirect.xml?style=printable

If you don't, maybe mod_rewrite would help?

Then again, maybe I'm misreading what you need?

--- Christopher Piggott HOME [EMAIL PROTECTED] wrote:
> Is it reasonable to expect to run some http and some https traffic on
> the same instance of apache 1.3 ?
>
> I have named virtual hosts, and I understand they don't work with
> mod_ssl, but what if I want something like this:
>
> NameVirtualHost 192.168.0.101
>
> ### Definition for some http (non SSL) virtual hosts
>
> <Virtual 192.168.0.101:80>
>    ServerName host1.blah.blah.blah.com
>    # definition for this virtual host
> </Virtual>
>
> <Virtual 192.168.0.101:80>
>    ServerName host2.blah.blah.blah.com
>    # definition for this virtual host
> </Virtual>
>
> ### Definition for SSL - ALL port 443!
> <Virtual _default_:443>
>    <Location />
>       SSLRequireSSL
>    </Location>
> </Virtual>
>
> In other words, I don't care if the virtual named hosts work properly
> for SSL, I just want it to work - and it's ok if HTTPS exists outside of
> any virtual host.
>
> I have thought of adding a second instance of the server, with its own
> config file (or switches in httpd.conf using <IfDefine SSL>) ... but
> I don't really want to lose the usefulness of apachectl.  I don't know of a
> convenient way to do this other than brute force.
>
> Thanks,
>
> --Chris




Seriously frustrating problem...

2001-07-10 Thread Paul Hooper

Sorry about the long mail message, but I wanted to supply as much
information as possible.

Software Versions:

OS        HP-UX 11
Apache    1.3.12
mod_ssl   2.6.6-1.3.12
OpenSSL   0.9.6a
Flex      2.5.4a
Compiler  cc NOT gcc

Flex

Builds no problem. All OK

Apache

Builds no problem. All OK

OpenSSL

Changed CC=gcc to CC=cc in config file
Ran ./config no-idea
Ran make
Ran make test - Great. All fine

modSSL

Run:

./configure \
--with-apache=/vg_U2YDEV_HOME/u2ydev/users/phooper/UMS_WEB/build/apache_1.3.
12 \
--with-ssl=/vg_U2YDEV_HOME/u2ydev/users/ums_web/openssl-0.9.6a \
--prefix=/vg_U2YDEV_HOME/u2ydev/users/phooper/UMS_WEB/install/apache_1.3.12
\
--enable-shared=ssl

Output =

Configuring mod_ssl/2.6.6 for Apache/1.3.12
 + Apache location:
/vg_U2YDEV_HOME/u2ydev/users/phooper/UMS_WEB/build/apache_1.3.12 (Version
1.3.12)
 + Auxiliary patch tool: ./etc/patch/patch (local)
./configure:Error: Building of 'patch' tool failed:
-
x patch/rename.c, 1323 bytes, 3 tape blocks
x patch/util.c, 9365 bytes, 19 tape blocks
x patch/util.h, 2325 bytes, 5 tape blocks
x patch/version.c, 280 bytes, 1 tape blocks
x patch/version.h, 25 bytes, 1 tape blocks
loading cache ./config.cache
checking for gcc... gcc
checking whether the C compiler (gcc  ) works... no
configure: error: installation or configuration problem: C compiler
cannot create executables.
Make: No arguments or description file.  Stop.
-
Hint: Either try to build 'patch' under etc/patch/
Hint: manually and re-run this 'configure' script
Hint: or provide us the path to your vendor 'patch'
Hint: program via the --with-patch=FILE option (but
Hint: expect perhaps failures when applying patches!)

The compiler line says:
  checking for gcc... gcc
  checking whether the C compiler (gcc  ) works... no
but I can't work out where this is being read from.

Can somebody please explain what is happening.  I have been mulling this
over for a good few days now, but really need some expert advice.

Thanks

Paul




RE: Newbie to mod_ssl

2001-06-20 Thread Paul McGarry

 I've downloaded apache_1.3.20.tar.gz and mod_ssl-2.8.4-1.3.20.tar.gz.
 Is there a step-by-step guide to install Apache with mod_ssl ?

Such instructions are hidden away in a file named, somewhat
cryptically, Install in the mod_ssl tar.gz.

--
Paul McGarrymailto:[EMAIL PROTECTED] 
Systems Integrator  http://www.opentec.com.au 
Opentec Pty Ltd http://www.iebusiness.com.au
6 Lyon Park RoadPhone: (02) 9870 4718 
North Ryde NSW 2113 Fax:   (02) 9878 1755




Multiple Server Certificates

2001-06-11 Thread Hooper, Paul, (FNMF)

I have an Apache server running multiple Name Based Virtual Hosts, all
running SSL with both server and client authentication.  I have not been
able to set up different server certificates for individual virtual hosts,
and I have been told that this is not possible.  
Is this really the case and, if so, can anyone recommend a solution to meet
this requirement.

Thanks for any help you can offer.

Paul



RE: Multiple Server Certificates

2001-06-11 Thread Hooper, Paul, (FNMF)

Owen,

Thank you very much.  I hadn't dared hope for such a clear and succinct
answer. Much appreciated.

Paul

-Original Message-
From: Owen Boyle [mailto:[EMAIL PROTECTED]]
Sent: 11 June 2001 10:34
To: [EMAIL PROTECTED]
Subject: Re: Multiple Server Certificates


Hooper, Paul, (FNMF) wrote:
 
 I have an Apache server running multiple Name Based Virtual Hosts, all
 running SSL with both server and client authentication.  I have not been
 able to set up different server certificates for individual virtual hosts,
 and I have been told that this is not possible.
 Is this really the case and, if so, can anyone recommend a solution to
meet
 this requirement.

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

Q: Why is it not possible to use Name-Based Virtual Hosting to identify
different SSL virtual hosts? 

A: Name-Based Virtual Hosting is a very popular method of identifying
different virtual hosts. It allows you to use the same IP address and
the same port number for many different sites. When people move on to
SSL, it seems natural to assume that the same method can be used to have
lots of different SSL virtual hosts on the same server. 

It comes as rather a shock to learn that it is impossible. 

The reason is that the SSL protocol is a separate layer which
encapsulates the HTTP protocol. So the problem is that the SSL session
is a separate transaction that takes place before the HTTP session even
starts. Therefore all the server receives is an SSL request on IP
address X and port Y (usually 443). Since the SSL request does not
contain any Host: field, the server has no way to decide which SSL
virtual host to use. Usually, it will just use the first one it finds
that matches the port and IP address. 

You can, of course, use Name-Based Virtual Hosting to identify many
non-SSL virtual hosts (all on port 80, for example) and then you can
have no more than 1 SSL virtual host (on port 443). But if you do this,
you must make sure to put the non-SSL port number on the NameVirtualHost
directive, e.g. 

 NameVirtualHost 192.168.1.1:80 

Other workaround solutions are: 

 Use separate IP addresses for different SSL hosts. 
 Use different port numbers for different SSL hosts. 


Rgds,

Owen Boyle.



Re: R: Cert signed by own CA and IE

2001-05-18 Thread Paul-Catalin Oros

Hi Arcady!

Have you solved your problem? I was able to install your certificate after I
installed your self-signed CA certificate. Is it possible that this is the missing
step in your testing? The CA cert has to be added to your root authorities; then
you'll be able to install the actual server certificate.

Hope this helps,

Paul

PS: I am using IE 5.0

On Wed, 16 May 2001, Arcady Genkin wrote:

 Andrea Cerrito [EMAIL PROTECTED] writes:
 
 Connecting to a secure site with a certificate signed by own CA, IE
 seems to provide no obvious way of permanently adding the cert to the
 browser's configuration.  As a result, a warning that The security
 certificate is issued by a company you have not chosen to trust... is
 displayed every time I'm trying to establish a connection.  Is there a
 fool-proof way to permanently add a certificate or tell IE that the CA
 is to be trusted?
   
Show Certificate / Install Certificate.
  
   I tried that, and it didn't work.  It told me that the certificate was
   installed successfully, but once I quit IE, restart it, and load the
   page again, it displays the same warning again.
  
   The minimal html page I'm experimenting with is at https://www.thpoon.com
   If anyone would try to install the certificate from it in IE: maybe I
   did something wrong with configuration?
  
  I wasn't able to install it.  Can u print your conf?
 
 You mean from httpd.conf?  Since it's huge, I've posted it at
 
   http://www.thpoon.com/tmp/httpd.conf
 
 rather than sending to the list.  The SSL-related stuff is at the
 bottom of it.
 
 Thanks!
 
 p.s.  This is a repost, since I have replied from a different email
 address than the one I've subscribed from and I'm afraid that it
 didn't come through.  Sorry if this is a dupe.
 -- 
 Arcady Genkin

-- 
Bills travel through the mail at twice the speed of checks 




Re: Urgent: remove password from server cert?

2001-05-02 Thread Paul

 Forsake rebooting, use Unix! (-:

LOL!! I'm with you, bud.
But it *is* UNIX, just 10.2 (only recently upgraded to that!) on an old
T-500 machine.  We just try to keep it clean. =o)




Urgent: remove password from server cert?

2001-05-02 Thread Paul

In a sudden (and late) moment of epiphany, I just realized (while
writing a note to our CSA to please put the new server's startup in the
machine's boot cycle) that when we reboot (*every* Monday morning in the
wee hours) it's not terribly likely that anyone's going to be around to
feed the password to the startup query.

This really needs to be automated.
Help? =o)

Paul
=
Friends are those who,
when you must inconvenience them,
are less bothered by it than you. ;o]




hang time, segfaults

2001-05-02 Thread Paul

This is way too generic, and I apologize, but maybe someone will have
had a similar problem and be able to clue me into what I should be
looking at.

The server's running on the testbed (Apache/1.3.12 (Unix) mod_perl/1.23
mod_ssl/2.6.4 OpenSSL/0.9.5a, with an automatic redirect from 8080 to
8443), but not quite perfectly. :o/

It hangs a lot, especially on page reloads.  Sometimes it delivers
pages perfectly, other times it takes half a minute.  The other day the
error log piled up with several dozen segfault child expirations while
checking it from a coworker's desk, which probably explains the empty
document pages he kept getting.  I have no real clue why.

The one thing amiss I can find is probably just ignorance on my part.
When I telnet to the server, its return output includes numbers that I
am not seeing in my web pages, which are no logical part of the output
that I understand, and aren't there from the normal server.
Specifically (as an example), I'm getting 15a as the first line of
actual text after the blank line that ends headers, and a 0 two lines
after the /BODY/HTML line that ends the page the server sends at
the end of the 302 message from the page I requested (which 302 is
correct server behavior, btw).  Here's the Telnet transcript, with my
parenthetical comments (note it's an intranet site, not accessible from
outside the company):
=
$ telnet buda.bst.bls.com 8080
Trying...
Connected to buda.bst.bls.com.
Escape character is '^]'.
GET / HTTP/1.1                    (** I send request headers **)
Host: buda.bst.bls.com

HTTP/1.1 302 Found                (** It responds correctly **)
Date: Tue, 30 May 2000 14:39:03 GMT
Server: Apache/1.3.12 (Unix) mod_perl/1.23 mod_ssl/2.6.4 OpenSSL/0.9.5a
Location: https://buda.bst.bls.com:8443/
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

15a                               (** but what is this? **)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A
HREF="https://buda.bst.bls.com:8443/">here</A>.<P>
<HR>
<ADDRESS>Apache/1.3.12 Server at <A
HREF="mailto:[EMAIL PROTECTED]">mbos04111.al.bst.bls.com</A> Port 8080</ADDRESS>
</BODY></HTML>

0                                 (** and this? **)

Connection closed by foreign host.
=

Help? :o/

Paul

We are symbols, and inhabit symbols. -- Emerson
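The `15a` and `0` lines are not part of the page: they are the chunk-size lines of HTTP/1.1 chunked transfer coding, which the `Transfer-Encoding: chunked` header announces. `15a` is hex for 346, the byte count of the HTML that follows, and `0` marks the last chunk. Below is an added decoder for that framing, written for this thread rather than taken from the post; the host name and the sample body are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode an HTTP/1.1 chunked transfer-coded body (RFC 2616 section 3.6.1).
# Wire format: "<hex size>[;extensions]CRLF<size bytes of data>CRLF", repeated,
# then a last chunk of size 0, optional trailer headers and a final CRLF.
# Returns the reassembled body, or dies on a malformed stream; the size line
# comes from the peer and is never trusted blindly, so every chunk is
# bounds-checked against the data actually received.
sub decode_chunked {
    my ($raw) = @_;
    my $body = '';
    pos($raw) = 0;
    while (1) {
        $raw =~ /\G([0-9A-Fa-f]+)[^\r\n]*\r?\n/gc
            or die "malformed chunk-size line at offset " . pos($raw) . "\n";
        my $size = hex $1;
        last if $size == 0;                         # last-chunk: body complete
        my $start = pos($raw);
        die "chunk of $size bytes runs past end of data\n"
            if $start + $size > length $raw;
        $body .= substr($raw, $start, $size);
        pos($raw) = $start + $size;
        $raw =~ /\G\r?\n/gc or die "missing CRLF after chunk data\n";
    }
    return $body;
}

# Encode a body as one chunk plus the terminating zero-size chunk, which is
# exactly the shape Apache produced in the transcript above.
sub encode_chunked {
    my ($body) = @_;
    return sprintf("%x\r\n%s\r\n0\r\n\r\n", length $body, $body);
}

# Constructed sample: an abbreviated copy of the 302 page from the transcript
# with a placeholder host, not the bytes that were actually captured.
my $page = "<HTML><HEAD>\n<TITLE>302 Found</TITLE>\n</HEAD><BODY>\n"
         . "<H1>Found</H1>\nThe document has moved "
         . "<A HREF=\"https://buda.example:8443/\">here</A>.<P>\n"
         . "</BODY></HTML>\n";

my $wire = encode_chunked($page);
my ($size_line) = split /\r\n/, $wire;
printf "chunk-size line: %s (= %d bytes)\n", $size_line, hex $size_line;

my $decoded = decode_chunked($wire);
print $decoded eq $page ? "round trip ok\n" : "round trip MISMATCH\n";

# Several chunks are simply concatenated; the size lines never reach the page.
print decode_chunked("3\r\nfoo\r\n3\r\nbar\r\n0\r\n\r\n"), "\n";    # foobar
```

A request sent as `GET / HTTP/1.0` gets the same page back without the size lines, since chunked coding exists only in HTTP/1.1.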





Re: Invalid method in request

2001-04-27 Thread Paul


--- Pavel Hloušek [EMAIL PROTECTED] wrote:
 What's wrong? When I connect to apache via https, Netscape says
 Connection refused and there is invalid method in request written
 in apache's error_log.
 I'm using Apache 1.3.19 + mod_ssl-2.8.1-1.3.19 + openssl-0.9.6.

Did you use GET? or maybe a form, with POST? or even HEAD?
Some servers restrict certain methods, for example PUT is pretty
commonly a no-no.




negative LocationMatch syntax?

2001-04-12 Thread Paul

Hi all.

I need to leave a few areas of our site freely accessible, but most of
the site is restricted, and I'd like the default behavior to be
restrictive. I don't want to have to remember to change the config if I
add new directories, as in adding 
<Location>
SSLVerifyClient require
</Location>

Is there a way I could use LocationMatch to specify a not condition?
as in 
<LocationMatch !~ "/(thisfile|thatDir|whatever).*">
SSLVerifyClient require
</LocationMatch>

That would let me list the exceptions, and everything else would be
restricted by default.

???





Re:[OT] explusion?

2001-04-06 Thread Paul


Thanks, Ralph. Now I don't feel so stupid, lol

--- "Ralf S. Engelschall" [EMAIL PROTECTED] wrote:
 On Thu, Apr 05, 2001, Paul wrote:
 
  I have been looking at this for a while, and must be looking in the
  wrong places.  From httpd.conf:
  
  #   Semaphore:
  #   Configure the path to the mutual explusion semaphore the
  #   SSL engine uses internally for inter-process synchronization.
  
  "mutual eplusion semaphore"? OK, expulsion I would understand.
  Exclusion I would understand even better. Explusion?
  
  Is it just a typo? Or if not, what the hell is "explusion", and
 where
  can I find docs on it? =o)
 
 Sure, it's a typo. "exclusion" is the word. Now fixed for 2.8.3
 
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com






explusion?

2001-04-05 Thread Paul

I have been looking at this for a while, and must be looking in the
wrong places.  From httpd.conf:

#   Semaphore:
#   Configure the path to the mutual explusion semaphore the
#   SSL engine uses internally for inter-process synchronization.


"mutual eplusion semaphore"? OK, expulsion I would understand.
Exclusion I would understand even better. Explusion?

Is it just a typo? Or if not, what the hell is "explusion", and where
can I find docs on it? =o)

(FYI, a web search turned up lots of typos; requiring SSL in addition
to "explusion" gave me a bunch of quotes from httpd.conf! lol! ;o)




Re: SSL validation

2001-04-02 Thread Paul


--- Manne Anliot [EMAIL PROTECTED] wrote:
 Hi all,
 
 New to mod_ssl I've stumbled upon a very disturbing problem: I'm
 coding an Apache module that needs to know whether we have a secure
 (SSL) connection or not in the URI Translation phase. We've solved
 this problem on for example MS IIS by checking SSI/CGI environments
 with the standard SSL information (HTTPS=on). A quick look in the
 mod_ssl source reveals that this variable isn't set before the
pre-run
 fixup phase (just before the response handlers), so this solution
 seems inadequate.
 
 So in short: How can a module check if the current request is a
 secure one? (without workarounds à la specifying secure ports in
 configuration files etc)

I'm not sure off the top of my head exactly what you mean here.
Maybe I'm just being dense. Sorry.

I do know that on our server we're using the standard port 80 for http,
and 443 for https, so I check for secure connections in my
PostReadRequestHandler with 

 return OK if 443 == $r->get_server_port;

I don't know if that's the sort of workaround you meant -- in our case,
we know what ports are what, and this works before the system has to
bother with access/authen/authorization handlers, path translation, or
most anything else.
 
 A mod_ssl solution or even better a generic SSL solution would be so
 much appreciated.
 
 (Apache/1.3.14, mod_ssl/2.7.2, OpenSSL/0.9.6)
 
 Regards,
 Manne Anliot
 Sweden.
 
 mailto:[EMAIL PROTECTED]






Re: can anyone help me....

2001-03-30 Thread Paul


--- Rene Labiran [EMAIL PROTECTED] wrote:
 i been having this error:
 
 "invalid command loadmodule perhaps mispelled or defined by a module
 notincluded in the server configuration sshd."

It would help to see the command in context.
Is it in your config file? In a script?
Are you using DSO? and if so, I honestly don't remember (sheepish
grin)... is httpd.conf case sensitive? If so, the DSO LoadModule command
has caps in two places.
 
 can anyone help me
 
 rene






Re: Enabling a single directory as SSL enabled

2001-03-27 Thread Paul


--- Alex Moon [EMAIL PROTECTED] wrote:
 Set the server up as secure - allowing insecure or secure 
 connection to the server but denying access to the directory 
 you want as secure except through the secure server port 443

You know, that makes remarkably good sense.
Does it work? I've seen this question a dozen times here, and nobody
ever said anything so simple.

Can it be that easy?

 On 16 Mar 01, at 21:14, Scott Brown wrote:
 
  I'm probably looking for an answer to a FAQ tell me where it's
 listed,
  and I'll take it from there.
  
  I'm from a MS-IIS background - and when I want to make a directory
 secure,
  it's easy to tell the system via the MMC that /secure/ is to have a
 secure
  connection requirement.
  
  Is there any way to set Apache up such that it recognizes that a
 specific
  directory is supposed to be secure?
  
  I've tried a
  
  <virtualhost www.mytestdomain.com>
  ...non-ssl directives
  <Directory /secure/>
  SSLEngine on
  SSLRequireSSL
  etc..etc.. (including cert/key definitions)
  </Directory>
  </virtualhost>
  
  but it's not behaving as I would expect (at very least I would be
 expecting
  it to complain that my site cert's name doesnt match my
 testdomain's name -
  but it doesnt)... IE5.01 doesnt display the locked symbol - BUT it
 is saying
  that it has a cert (and no, I've not installed the cert...)
  
  Is it not possible to have a subdirectory of a domain declared and
 processed
  as SSL enabled under Apache/modssl/openssl??
  
 

 
 
 
 

--
 Alex Moon   
 email:[EMAIL PROTECTED] 
 Tel:020 8411 5092  
 Middlesex University Business School,
 The Burroughs
 Hendon 
 London
 NW4 4BT   

--






Re: Enabling a single directory as SSL enabled

2001-03-26 Thread Paul


--- Scott Brown [EMAIL PROTECTED] wrote:
 I'm probably looking for an answer to a FAQ tell me where it's
 listed, and I'll take it from there.

lol -- on these lists, a lot of the time. Read back through the
archives.

 I'm from a MS-IIS background - and when I want to make a directory
 secure, it's easy to tell the system via the MMC that /secure/ is to
 have a secure connection requirement.

But not via webserver..

 Is there any way to set Apache up such that it recognizes that a
 specific directory is supposed to be secure?

There are definitely ways, but they require a bit of a hack.

I recently wrote an article for how to do this with mod_perl at
 http://take23.org/articles/2001/03/12/redirect.xml?style=printable
but if you don't have mod_perl installed you could do basically the
same thing with mod_rewrite, I'm pretty sure. (mod_rewrite docs are at
http://httpd.apache.org/docs-2.0/mod/mod_rewrite.html )

It boils down to this: before the web server looks to see which
directory you want, it has already either established a secure protocol
or a nonsecure one. If you have nonsecure accesses redirected
externally to the secure port, you tell the browser to ask using the
right "language" (say please, basically).

Hope that helps.

 I've tried a
 
 <virtualhost www.mytestdomain.com>
   ...non-ssl directives
   <Directory /secure/>
   SSLEngine on
   SSLRequireSSL
   etc..etc.. (including cert/key definitions)
   </Directory>
 </virtualhost>
 
 but it's not behaving as I would expect (at very least I would be
 expecting it to complain that my site cert's name doesnt match my
 testdomain's name - but it doesnt)...
 IE5.01 doesnt display the locked symbol - BUT it is saying
 that it has a cert (and no, I've not installed the cert...)
 
 Is it not possible to have a subdirectory of a domain declared and
 processed as SSL enabled under Apache/modssl/openssl??

no and sort of. See above. ;o)




RE: FYI - Equifax reselling Verisign Global SGC certs at cost!

2001-03-22 Thread Paul McGarry


 Given my experiences of Verisign's customer service, I often 
 wonder what
 exactly they do for me.

Well, they gave me something to laugh about this morning.
http://www.microsoft.com/technet/security/bulletin/MS01-017.asp

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax:   (02) 9878 1755



RE: SSLSession and an HTTP session

2001-03-20 Thread Paul McGarry

Thanks Mads, that has saved me some time.

  I'm considering mapping SSL_SESSION_IDs to sessions on my
  webserver. Are there any obvious gotchas that I should be
  aware of before I start going down this route?
  
 Don't use SSL_SESSION_ID - most MSIE browser versions will 
 expire the session after 1 or 2 minutes.

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax:   (02) 9878 1755




SSLSession and an HTTP session

2001-03-19 Thread Paul McGarry

Howdy All,

I'm considering mapping SSL_SESSION_IDs to sessions on my
webserver. Are there any obvious gotchas that I should be
aware of before I start going down this route?

Thanks.

--
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax:   (02) 9878 1755



Very[OT]:Technical query re: scratchpad lookups for my() vars

2001-03-14 Thread Paul

Anybody know offhand *why* my() lexicals are supposedly faster?
If they're stored on a scratchpad for the scope, which is an array,
(technically a stack of them to accommodate recursion,) then exactly
how does Perl go about finding which data location you mean when you
say $x for a lexical?  $::x has to go through the package lookup, which
(if I recall correctly) is technically a hash element of a hash element
at least..but if the scratchpad has a lot of scope-specific
lexicals, how does it find which one is x?

my $brain = 'tapioca'; #=o)




Re: Very[OT]:Technical query re: scratchpad lookups for my() vars

2001-03-14 Thread Paul


--- Brian Ingerson [EMAIL PROTECTED] wrote:
 Garrett Goebel wrote:
  
  From: Paul [mailto:[EMAIL PROTECTED]]
  
   Anybody know offhand *why* my() lexicals are supposedly faster?



 Yes this is OT, but I'll contribute to the problem as well...
 
 My coworker Gisle Aas (maybe you've heard of him ;) says that globals
 and lexicals have identical speed because Perl optimizes out the
 symbol-table lookup.
 
 Trust Gisle.

lol -- now *there's* an answer.
So for my details I should go to the parse tree docs, and the code, I'm
thinking.

BTW -- with many thanks to everyone -- my question was "why are they
faster", but the reason was never the speed -- it was to understand the
way Perl stores and *accesses* lexicals.

Any input? =o)





RE: ANNOUNCE: mod_ssl 2.8.1 for Apache 1.3.19

2001-03-12 Thread Paul Rubin

That's interesting if the dbm cache is causing those problems. Unfortunately
I'm not able to use the shm cache in my installation.  I might try replacing
dbm with Berkeley DB (www.sleepycat.com), which is an upward-compatible dbm
replacement with much better concurrency support.  It might be worth
incorporating that as an option in the modssl distribution.

-Original Message-
From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 03, 2001 3:13 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: ANNOUNCE: mod_ssl 2.8.1 for Apache 1.3.19



Sorry for the short delay, but here it finally is: mod_ssl 2.8.1 for
Apache 1.3.19. The corresponding CHANGES entries are appended below.
Grab it from:

http://www.modssl.org/source/
 ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.1 (30-Jan-2001 to 03-Mar-2001)

   *) Conditionally adjusted source to build quietly also under
  latest OpenSSL 0.9.7-dev versions.

   *) Added a bunch of (untested!) adjustments and fixes for 
  the Win32 platform as posted to modssl-users some time
  ago by various people.

   *) Fixed SSLCipherSuite example in httpd.conf-dist: 
  The string EXP56 is actually EXPORT56, although OpenSSL
  internally the variable is named SSL_TXT_EXP56.

   *) Upgraded to Apache 1.3.19 as base version.

   *) Extended FAQ entry for MSIE problems.

   *) Added FAQ entry for questions "Why do I get lots of random SSL
  errors under heavy load?"



Re: it runs but that's about it

2001-03-09 Thread Paul


--- Justin Naik [EMAIL PROTECTED] wrote:
 . . .
 The apache server starts up ok in normal form and even starts up with
 -startssl parameter.
 But I go to https://myaddress.com and I get a doesn't exist error
 HELP! - where do I start to look for errors - I have no idea!

What sort of "doesn't exist error"? Like a *that page* doesn't exist
error, as reported by *that server*, or like a *that server* doesn't
exist error, as reported by your browser after not finding it?

If it's a *that page* error, then your server's working fine, and
you're in fact already talking to it with SSL, because you're using
https://. The problem may be in the configuration of your default index
page; look for a DirectoryIndex directive in your httpd.conf (or its
equivalent), and make sure it has whatever you're using as your
index.htm or home.shtml or whatever.

If it's a *that server* doesn't exist, maybe you should check to make
certain your SSL server is running on a valid virtual server name? I
dunno, that could be so many things. and I'm no expert.

But good luck!

Paul




port correction consequences....

2001-02-15 Thread Paul

Hi all. I have an intranet site with a core area that is public access,
but the rest of the site is SSL secured. I have a PostReadRequest
handler checking the port, and if it's 443 returning OK, but if not it
checks to see if the requested page is in the list of nonsecure areas
and exceptions. Anything not clearly specified as unsecured is sent an
external redirect to the same page on the secure socket.

This works great for most things, but there are a few consequences that
I just can't think around.

Specifically, other intranet sites link directly to relevant data
locations on our server. This is fine under normal circumstances, but
today I got a nastygram from a user for "changing" my access. Her
certificate had expired (along with several others in her office who
had all installed on the same day), and suddenly it was effectively a
dead link. Even once they had installed new certs, several of them were
still getting "certificate expired" because they had told their
browsers to use the old one by default.  

I have pages on the site to explain all this and provide solutions, but
these aren't exactly sophisticated users; someone helps them get it all
installed and then they remember the certificate password, and go from
there. When it expires, it never occurs to them to see if the server
root is still accessible, or if it does, to take the "s" out of the
protocol, which would let them get to the site (on virtually every page
of which we have a header link to "Digital Certificate Info").

The best suggestion I could come up with was to ask the linking site to
add a link to a nonsecure page, like our comment form.

Anyone have anything better?




Re: ssl connection for a particular directory

2001-02-09 Thread Paul


 [EMAIL PROTECTED] wrote:
  Is there anybody to tell me : How can i force in the apache
  configuration file the use of a ssl connection for a particular
  directory without using virtual hosts ?

You'll probably have to run a whole separate server if you aren't using
vhosts.

The choice of protocol is done before the connection is established;
path translation is way later. What you *could* do, however, is to have
the index page in that directory check the port number or something.
mod_perl makes that pretty easy; Apache::Request probably does, too.
I'm not sure off the top of my head how you'd do it without perl. If
it's not secure, redirect to the secure server.

You could kind of do it anyway, just as a matter of course. Have the
index page (I'd recommend a CGI) do an external redirect to the secure
socket. Obviously, you have to have an SSL server running somewhere,
either as another server or as a vhost or *something*, but then the
default page in that directory will redirect to the https://
other-page.

But you can't have just one directory be SSL on one server, because the
SSL protocol has to be established *WAY* before the server knows what
directory the user wants.
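The PostReadRequest approach described in the "port correction consequences" post above and in this reply, as an added mod_perl 1.x example (not the handler from Paul's posts or from the take23 article). The package name and the public path list are constructed assumptions; the site root and the certificate help pages stay reachable over plain HTTP, which is what an expired client certificate otherwise breaks.

```perl
package Apache::RequireSSL;   # hypothetical module name, not from the list
use strict;
use warnings;
use Apache::Constants qw(OK REDIRECT);

# Every request that does not arrive on the SSL port is sent an external
# redirect to the same URL on https://, unless its path is on the public
# list. Everything else is secure by default, so a new directory needs no
# configuration change.
my $SSL_PORT = 443;

my @PUBLIC = (
    qr{^/$},                   # site root, carrying the "Digital Certificate Info" link
    qr{^/certinfo(?:/|$)},     # constructed example path: certificate help pages
    qr{^/comment(?:/|$)},      # constructed example path: the comment form
);

# Decision logic kept free of Apache objects so it can be tested stand-alone.
# Returns undef when the request may proceed, otherwise the URL to redirect to.
sub redirect_target {
    my ($port, $server_name, $uri, $args) = @_;
    return undef if $port == $SSL_PORT;
    for my $re (@PUBLIC) {
        return undef if $uri =~ $re;
    }
    my $port_part = $SSL_PORT == 443 ? '' : ":$SSL_PORT";
    my $target = "https://$server_name$port_part$uri";
    $target .= "?$args" if defined $args && length $args;
    return $target;
}

# PerlPostReadRequestHandler entry point (mod_perl 1.x request object).
sub handler {
    my $r = shift;
    return OK unless $r->is_initial_req;      # skip subrequests and internal redirects
    # Build the target from the configured ServerName, not the client-supplied
    # Host: header, so a crafted Host: cannot turn this into a redirect elsewhere.
    my $target = redirect_target(
        $r->get_server_port,
        $r->server->server_hostname,
        $r->uri,
        $r->args,
    );
    return OK unless defined $target;
    $r->header_out(Location => $target);
    return REDIRECT;                           # Apache emits the 302 with Location:
}

1;
```

Register it with `PerlPostReadRequestHandler Apache::RequireSSL` in httpd.conf; because it runs before access, authentication and path translation, a browser that cannot present a valid client certificate still reaches the public paths and the help pages they link to.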




Re: mod_ssl: Init: Failed to generate temporary 512 bit RSA private key

2001-02-09 Thread Paul


--- Ges Seger [EMAIL PROTECTED] wrote:
 Paul wrote:
 
  Hi, all.
  
  I've been trying to add a couple of modules to my Apache, and just
  can't seem to get it to do it's thing.  Forgive me if I tell you
 too
  much, but I'm just trying to be thorough.
  
  STEP 1:
  ===
   perl Makefile.PL USE_APACI=1 USE_DSO=0 EVERYTHING=1 \
       DO_HTTPD=1 SSL_BASE=/usr/local/ssl \
       APACHE_SRC=../apache_1.3.12/src \
       APACI_ARGS=--enable-module=ssl,--enable-module=auth_dbm,--enable-module=info,--enable-module=rewrite,--enable-module=usertrack
  
  This runs smoothly.
  
  STEP 2: make
  This, too, runs smoothly.
  ==
  STEP 3: make test
  Here's the problem. It runs fine till t/TEST tries to spawn a
 server
  and hit it.  The server fails at init because it can't generate a
  temporary 512 bit RSA private key. I've moved to the apache
 directory
  and run "make certificate" before the "make test", but it doesn't
 help.
  
  
  If I'm not mistaken, I had this problem when I was first installing
 the
  server, and ended up skipping the test. It installed and has been
  working fine. I'd just rather have a clean test before I try
 installing
  and using the new binary now that it's in production.
  
  Anybody got a suggestion?
 
 Recent versions of mod_ssl compiled for HPUX require an equivalent to
 Linux's /dev/random.  You can get this by downloading and installing
 an Entropy Gathering Daemon (egd), which can be found at:
 
 http://www.lothar.com/tech/crypto/
 
 I ran into the same problem last month upgrading my team's website, 
 until trawling through various mailing list archives pointed me to
 egd.  
 If 10.20 is anything like 11.x, this should get you through "make
 test"  with flying colors.
 
 Apologies for being sort of off-topic here...
 
 Ges
 Senior Perl Hacker
 Ingenium Corporation

EGD is great -- thanks for the suggestion -- but the "make test" is
still no go. The OpenSSL manpage for RAND_egd (to which egd.pl docs
pointed me) says if the socket is /dev/egd-pool it'll use it
automatically, but it's a no-go so far.

I'm at wit's end. Could it be something in the test httpd.conf? 

As a test I backed up the old httpd and replaced it with the new one,
and it seems to be working fine. All that took less than a minute, and
we're a small enough server that it was a tolerable interruption even
if it hadn't worked, but I'd still like to do the install, just to
update everything. Is that safe? What else does it change?





[OT] make test fail [WAS mod_ssl: Init: Failed to generate temporary 512 bit RSA private key]

2001-02-09 Thread Paul


--- Lutz Jaenicke [EMAIL PROTECTED] wrote:
 On Fri, Feb 09, 2001 at 01:04:51PM -0800, Paul wrote:
  EGD is great -- thanks for the suggestion -- but the "make test" is
  still no go. The OpenSSL manpage for RAND_egd (to which egd.pl docs
  pointed me) says if the socket is /dev/egd-pool it'll use it
  automatically, but it's a no-go so far.
 
 The automatic usage is brand new and only included in the version to
 become 0.9.7 one fine day. If you have <=0.9.6 you have to explicitly
 specify the place in httpd.conf
   SSLRandomSeed startup egd:/var/run/egd-pool

First, that was exactly the problem.
May you and all who contributed to its resolution receive skillfully
rendered the prurient favors you prefer most from the individual(s) of
your choosing.

Now, I have a slightly different point of confusion.
The "make test" still fails, but leaves the spawned httpd running on
the test port. The error log says:

[notice] Destruction->DESTROY called for $global_object
[Fri Feb  9 16:29:43 2001] [warn] [notice] child_init for process
23323, report any problems to [no address given]


But if I hit the port with a browser I can pull the test.shtml page
with all the SSI mod_perl calls working fine. I feel a lot better about
doing the install now, but I still want to know what the problem is
here.

FYI, there was an suexec problem before, but I think that's just
because this box doesn't have a user "nobody". I edited the test
httpd.conf to run as our actual server id and it was happy, at least
for that. It's just that I keep coming back to various suexec
problems... But since the current server runs and suexec's as it
should, I'm not too worried about that.  I just hate leaving *any*
loose ends.

_

On a separate note, the main reason I was doing the recompile was to
add in mod_auth_dbm. I finally got a test directory to do a simple
request for authentication by ID/password, but now I can't get it to
accept my password. I built the file with Apache's dbmmanage, importing
a list of id/passwords from a script which used a perl crypt() to
encrypt the passwords as it fed them to dbmmanage via pipe in the
specified "id:encpwd" format. Everything seems to have gone smoothly
enough, but it won't accept the password. What now? :o/

The .htaccess file is:
===
AuthDBMUserFile /dart10/web/docs/public/test/test
AuthType Basic
AuthName "password test site"
Require valid-user
===

The DBM is in the directory I'm accessing, just as a test.
*sigh*

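The fix Lutz gives, as an added configuration example that is not from the thread: both SSLRandomSeed contexts spelled out for the EGD case, with the kernel-device alternative for platforms that have one. The EGD socket path is the one used in the thread; the other paths are placeholders.

```apache
# Added example. mod_ssl seeds OpenSSL's PRNG in two contexts: "startup"
# runs once, as root, when httpd starts; "connect" runs in the child, as
# the unprivileged User, before each new SSL connection. When the startup
# seed finds no usable source, httpd dies with "Failed to generate
# temporary 512 bit RSA private key".

# Hosts with no /dev/random (HP-UX 10.20/11.x in the thread): name the EGD
# socket explicitly. OpenSSL 0.9.6 and earlier do not look for it on their
# own; only 0.9.7 picks up /dev/egd-pool automatically.
SSLRandomSeed startup egd:/var/run/egd-pool
SSLRandomSeed connect egd:/var/run/egd-pool

# Hosts with a kernel entropy device: read from it instead of relying on
# the weak "builtin" source. /dev/urandom never blocks; /dev/random can
# stall a busy server while it waits for entropy, so keep the byte count
# small if you use it at all.
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/urandom 512
```

Two checks before blaming the config: the OpenSSL in the SSL_BASE you built against (`openssl version` there) decides whether the explicit lines are needed, and because the connect-time seed runs as the httpd User, the EGD socket must be readable by that user and not only by root, otherwise startup succeeds and handshakes fail later.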



mod_ssl: Init: Failed to generate temporary 512 bit RSA private key

2001-02-08 Thread Paul

Hi, all.

I've been trying to add a couple of modules to my Apache, and just
can't seem to get it to do its thing.  Forgive me if I tell you too
much, but I'm just trying to be thorough.

STEP 1:
===
perl Makefile.PL USE_APACI=1 USE_DSO=0 EVERYTHING=1  \
  DO_HTTPD=1 SSL_BASE=/usr/local/ssl \
  APACHE_SRC=../apache_1.3.12/src \
  APACI_ARGS=--enable-module=ssl,--enable-module=auth_dbm,--enable-module=info,--enable-module=rewrite,--enable-module=usertrack

This runs smoothly.

STEP 2: make
This, too, runs smoothly.
==
STEP 3: make test
Here's the problem. It runs fine till t/TEST tries to spawn a server
and hit it.  The server fails at init because it can't generate a
temporary 512 bit RSA private key. I've moved to the apache directory
and run "make certificate" before the "make test", but it doesn't help.


If I'm not mistaken, I had this problem when I was first installing the
server, and ended up skipping the test. It installed and has been
working fine. I'd just rather have a clean test before I try installing
and using the new binary now that it's in production.

Anybody got a suggestion?

[ROOT] /dart26/mod_perl-1.23: uname -a
HP-UX uap5 B.10.20 C 9000/891 373319211 32-user license
[ROOT] /dart26/mod_perl-1.23: ../apache_1.3.12/src/httpd -V
Server version: Apache/1.3.12 (Unix)
Server built:   Feb  8 2001 16:04:39
Server's Module Magic Number: 19990320:7
Server compiled with
 -D EAPI
 -D HAVE_SHMGET
 -D USE_SHMGET_SCOREBOARD
 -D USE_FCNTL_SERIALIZED_ACCEPT
 -D HTTPD_ROOT="/usr/local/apache"
 -D SUEXEC_BIN="/usr/local/apache/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/httpd.scoreboard"
 -D DEFAULT_LOCKFILE="logs/httpd.lock"
 -D DEFAULT_XFERLOG="logs/access_log"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
 -D ACCESS_CONFIG_FILE="conf/access.conf"
 -D RESOURCE_CONFIG_FILE="conf/srm.conf"
[ROOT] /dart26/mod_perl-1.23: ../apache_1.3.12/src/httpd -l
Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_info.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_rewrite.c
  mod_access.c
  mod_auth.c
  mod_auth_dbm.c
  mod_usertrack.c
  mod_setenvif.c
  mod_ssl.c
  mod_perl.c
suexec: disabled; invalid wrapper /usr/local/apache/bin/suexec

(Also, anybody got an idea why this suexec message? is it something to
worry about?)




RE: Certs: where to get them?

2001-01-02 Thread Paul McGarry



 You can obtain a 'test id' from Verisign for free...good for 14 days.
 The only difference between one that's free and one you pay for?
 * No 'verification process'
 * Only valid for 14 days as opposed for 365 days (one year)

And:
  * The root certificate for the test ids doesn't come with your
average browser and therefore needs to be installed 'manually' by
visitors to your site to prevent the warning messages from occurring.
May as well use your own CA.

--
Paul McGarry         mailto:[EMAIL PROTECTED]
Systems Integrator   http://www.opentec.com.au
Opentec Pty Ltd      http://www.iebusiness.com.au
6 Lyon Park Road     Phone: (02) 9878 1744
North Ryde NSW 2113  Fax:   (02) 9878 1755



RE: Certs: where to get them?

2001-01-02 Thread Paul McGarry


 And you wouldn't have to do that if you issued your own?

Yes, you would. That's why I said you 'may as well use your
own'. The advantage there being that you don't have to fiddle
around with your server setup every 14 days to install a
new cert (actually this was primarily an issue for me when
developing on NES, as that completely refused to start when
it had a cert that was out of date IIRC. I started using my own CA
for testing and non-general-public uses before I started
using apache & mod_ssl so I don't know how it behaves).

 Actually, if you think about it, whether you use your own self signed CA or
 a test ID from Verisign, and don't install the 'test' root CA, the end user
 still gets the same error message, something about the issuer not being
 trusted...

There's nothing inherently wrong with using Verisign test
certs. I've just found the time limit annoying. For 
non-general-public uses (ie where you do have real users)
I think the "Do Not Trust" nature of the Verisign test
root cert may raise a few eyebrows, where a CA created
by your own company may not (as you are already likely
to have an existing business relationship with such
users). For general-public uses you more or less need
a commercial cert if you don't want to scare people 
off.

--
Paul McGarry         mailto:[EMAIL PROTECTED]
Systems Integrator   http://www.opentec.com.au
Opentec Pty Ltd      http://www.iebusiness.com.au
6 Lyon Park Road     Phone: (02) 9878 1744
North Ryde NSW 2113  Fax:   (02) 9878 1755




Re: Opinion on SSL/Virtual Hosting problem

2000-12-19 Thread Jason Paul McCartan

Hi Owen

Thanks for the reply

Owen Boyle wrote:
 
 Jason Paul McCartan wrote:
  Recently though the server was used to add other name-based virtual domains.
  Now the SSL through HTTPS is totally unavailable, and when we tried to view
  anything over HTTPS we get a blank "Page Not Found" page. We have no problem
  on port 80 for any of the sites. Initially we could hit the same site on
  HTTP and HTTPS and the SSL would activate. Now on HTTP it works fine, but we
  get that "Page Not Found" error on HTTPS.
 
 One big trap that a lot of people fall into is that you *cannot* have
 SSL name-based virtual hosts. This is basically because SSL negotiation
 has to be complete before any HTTP traffic can be received - to
 negotiate SSL you need the certificate, which is defined in the VH,
 which is selected using the ServerName, which can only be found from
 HTTP, which can't take place until SSL is established... see the
 problem?

Yup. That's what I was afraid would be the case.
 
 That aside, you don't actually say you are trying to run SSL VHs so you
 may have a simpler solution - define the port numbers explicitly in the
 NameVirtualHost and VirtualHost directives to avoid ambiguities, e.g:
 
 NameVirtualHost 192.168.1.1:80
 
 # HTTP host1
 <VirtualHost 192.168.1.1:80>
   ServerName www.site1.com
 </VirtualHost>
 
 # HTTP host2
 <VirtualHost 192.168.1.1:80>
   ServerName www.site2.com
 </VirtualHost>
 
 # SSL host
 <VirtualHost 192.168.1.1:443>
   ServerName ssl.site1.com
 </VirtualHost>

We had this working before about 4 months ago before we added a
different domain through the virtual servers. Until then all the virtual
servers belonged to the same name, and we had several on port 80 and
only one on port 443  - pretty much as you defined above.

We're not using SSL based virtual hosts. We only require one SSL enabled
site - https://secure.mydomain.com for example. All the other virtual
servers run on port 80.
 
 Did you get a warning message when starting the server? Check in the
 common_error_log...

No errors at all. The SSL is up and running as far as we can see. There
are no error messages when we telnet into it as well - it closes the
connection which is what we're aware of what it's supposed to do. We
initially got a "cannot mix * ports and non-* ports" error message when
we changed some of the settings, but we nominated all the ports on the
virtual servers to be port 80 or 443. 

At this point I'm thinking that it's best for us to used another IP
address, and move the SSL service onto that, and leave all the name
based virtual hosting on the other IP address. Will this do the trick ?

I appreciate the helpfulness of your response.

-- 
Jason Paul McCartan - [EMAIL PROTECTED]
CEO/President
MindShift Design LLC
http://www.mindshiftdesign.com



Opinion on SSL/Virtual Hosting problem

2000-12-17 Thread Jason Paul McCartan

I'd like to get an opinion from the experts on a problem we've ran into.

We use Redhat 6.1 at the moment and Apache/1.3.9 (Unix) Red-Hat-Secure/3.1
mod_ssl/2.4.10 OpenSSL/0.9.4 as installed by our hosting company on our
dedicated machine.

When we first kicked the server into life we were using only one domain
name, and it pointed to that machine from our own DNS and from our hosting
companies DNS. We had our SSL up and running with only a few hitches, but
were able to work on both port 80 and 443 without any problem. As we
launched the site, we had no problems with our SSL working properly - we
were taking orders via e-commerce as the site should have.

Recently though the server was used to add other name-based virtual domains.
Now the SSL through HTTPS is totally unavailable, and when we tried to view
anything over HTTPS we get a blank "Page Not Found" page. We have no problem
on port 80 for any of the sites. Initially we could hit the same site on
HTTP and HTTPS and the SSL would activate. Now on HTTP it works fine, but we
get that "Page Not Found" error on HTTPS.

I'd just like to confirm that this is a problem because we're not using
IP-based virtual machines, but name-based virtual machines so that we can
get the SSL up and running again ASAP. I've checked the HOW-TOs and FAQS,
and I know that it mentions that SSL won't work with MOD_SSL, but it doesn't
tell me what I should or shouldn't see through hitting a HTTPS web page <g>.

Any help or comments are appreciated.

--
Jason Paul McCartan - [EMAIL PROTECTED]
CEO/President
MindShift Design LLC
http://www.mindshiftdesign.com




Re: forcing http to https with a twist

2000-12-08 Thread Paul


--- Haroon Rafique [EMAIL PROTECTED] wrote:
 Thanks for responding, Paul, Carlos and Michael.

You're welcome. =o)

 Unfortunately, my situation is a catch 22. I will give you more
 background to help understand my position.

Good idea, lol

 Here's the current situation:
 
 - homepage is http which leads to an https form-based login page.
 
 Here's what we want to achieve:
 
 - Make the https form-based login page be the actual homepage to
 eliminate an extra click-thru with a way to silently redirect to
 http page in the case of non-SSL capable browser.

Ah! That's a little simpler than I was thinking, actually.
I think ~lol~

 How do other people deal with this scenario? Is there always an http
 page which leads to the https page to cover the possibility that the
 user is coming in with non-SSL lynx and at least you could warn them
 about that on the http page. Any other way out?

Ok. Try this (and I'm hoping more knowledgeable folk will poke holes in
this where applicable, since they'll probably have better ideas.)

I run my SSL server as a VirtualHost on the same box, but with
practically the same setup (docroot, etc.), but I think you should be
able to set up the SSL document root in one location (the https
form-based login page you mentioned) and the http on port 80 (or
whatever you're using) document root on the nonsecure info page.  If
someone hits the nonsecure server, it'll give them its page, which
isn't the same as the SSL login (though it can be named the same, just
in another directory). If they use https they'll hit the secure port,
and get the secure docroot's login page.

Holes, anyone? I'm not testing this or rummaging through the
documentation as I blather, so please don't let me lead anyone
astray...

Paul

 Thanks,
 --
 Haroon Rafique [EMAIL PROTECTED]
 
 




Re: forcing http to https with a twist

2000-12-06 Thread Paul


--- Haroon Rafique [EMAIL PROTECTED] wrote:
 I have been reading the archives for a while now and didn't see any solution
 to my problem. So here goes... Thanks in advance for any solutions
 
 To force people to use https instead of http, I could use the mod_rewrite as
 follows (all is theoretical, I don't have access to apache or apache with
 mod_ssl right now, so please bear with me):
 
 RewriteEngine On
 # use log level 9 for most verbose 0 for least
 RewriteLogLevel 9
 RewriteLog "/etc/httpd/logs/rewrite.log"
 RewriteCond %{HTTPS} !=on
 RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
 
 It is absolutely essential to give the user the ability to see the homepage
 as regular http (and a few tech support pages) in case they have SSL turned
 off, or are using lynx without SSL support. Otherwise, if I blindly forward
 all http requests to https how would they know they're supposed to use SSL
 when they're using a non-SSL browser.
 
 Is it possible to not have a RewriteCond which prevents the RewriteRule to
 execute to take care of the above situation? Am I missing something obvious?
 
 Thanks,
 --
 Haroon Rafique [EMAIL PROTECTED]

As a quick-and-dirty response, here's a modperl
handler we set up:

#~~
# module for Apache/mod_perl PerlPostReadRequestHandler to redirect
#  users on the nonsecure port over to SSL (hopefully saving bookmarks)
#__
package Apache::PortCorrect;
use strict;
use Apache::Constants qw( :response :methods );
sub handler {
  my($r,$url,$args,$uri);
  $r = shift;             # the request object
  # already on the SSL port: nothing to do
  return OK if 443 == $r->get_server_port;
  # second field of the request line is the URL as the client sent it
  (undef,$url,undef) = split(/\s+/o, $r->the_request);
  # drop any query string so the path match below sees only the path
  # (the args are re-appended from $r->args further down)
  $url =~ s/\?.*//;
  # paths that may stay on plain http: front page, images, the public
  # directories and two named pages
  return OK if $url =~ m{ ^(?:/
                           |.*[.](?:gif|jpg)
                           |/(?: public
                               | teampages
                               | pics
                               | avgrates
                               | regulatory
                             )(?:/.*)?
                           |/(?:home|cook)[.]shtml
                          )$
                        }ixo;
  # everything else: 301 to the same path on the SSL server
  $uri = "https://buda.bst.bls.com" . $url;
  $uri .= "?$args" if $args = $r->args;
  $r->custom_response(MOVED,$uri);
  return MOVED;
}
1; # guarantee return code for load


===

It allows http on the listed subsites, but redirects to the secure port
for everything else.

If you don't have mod_perl, you might manage a similar effect with some
hacking.  There are better ways, but my ride's waiting. =o)

Good luck.

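For sites without mod_perl, the same allow-list as the Apache::PortCorrect handler expressed in mod_rewrite, as an added example that is not from Haroon's or Paul's posts. The hostname is a placeholder; the exempt paths are the ones in the handler.

```apache
# Added example: mod_rewrite equivalent of the Apache::PortCorrect handler,
# for the server or vhost that listens on port 80 (in server context the
# path seen by RewriteRule starts with "/"; in .htaccess it does not).
# www.example.com and the exempt paths are placeholders.
RewriteEngine On

# Paths that stay on plain http, mirroring the handler: the front page,
# gif/jpg images, five public directories and two named pages. Each
# RewriteCond is a negated pattern, so the rule fires only when none of
# them matches. [NC] gives the case-insensitive match of the Perl /i.
# %{REQUEST_URI} never contains the query string, so the patterns are
# anchored on the bare path, as the handler's are.
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/$
RewriteCond %{REQUEST_URI} !\.(gif|jpg)$                                        [NC]
RewriteCond %{REQUEST_URI} !^/(public|teampages|pics|avgrates|regulatory)(/|$)  [NC]
RewriteCond %{REQUEST_URI} !^/(home|cook)\.shtml$                               [NC]

# R=301 matches the handler's MOVED, so browsers and proxies remember the
# https location; use R=302 while testing, or a wrong redirect gets cached.
# The query string is carried over to the new location automatically.
RewriteRule ^/(.*) https://www.example.com/$1 [R=301,L]
```

Turn RewriteLog on at level 2 or 3 while testing, as in Haroon's snippet, and confirm with a plain `GET /public/x HTTP/1.0` (expect the page) and `GET /anything HTTP/1.0` (expect the 301 to https) on port 80. The `%{HTTPS}` condition is supplied by mod_ssl and is a harmless no-op on a vhost that only listens on port 80.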



Re: Some question about modssl

2000-11-07 Thread Paul

 James Treworgy wrote:
 I would absolutely *not* do this, [mix SSL and non-SSL content]
 unless you want your web site users to see a message from the web
 browser saying "this page has both secure and insecure information.
 Do you want to proceed?" every time they use your site.
 This does not instill confidence.

--- Owen Boyle [EMAIL PROTECTED] wrote:
 Good point Jamie. However, for some users this may be necessary,
 there is nothing in the protocol against doing this, the browser
 warnings are browser-dependent (Netscape doesn't give a peep)

Which Netscape? I could swear I got this message from my Navigator a
few times when I was first setting up our site, and hadn't cleared up
the messes...

Our intranet site uses a modperl PerlPostReadRequest handler to reroute
requests that *should* have been on the secure protocol, but doesn't
bother with .jpg's or .gif's or certain directories or pages that are
generally OK.  That regularly means pages with mixed content, but the
user never gets those messages.  

On the other hand, we're a small enough site (an intranet) that we can
afford the extra performance hit of all the 302's for correcting the
protocol on restricted pages. On any high volume site, you'd want
to handle it differently, but I think I've seen some posts where
someone suggested mod_rewrite as an option. 

Paul




[repost]garbled redirects

2000-11-07 Thread Paul
;
 -D ACCESS_CONFIG_FILE="conf/access.conf"
 -D RESOURCE_CONFIG_FILE="conf/srm.conf"

Summary of my perl5 (revision 5.0 version 6 subversion 0)
configuration:
  Platform:
osname=hpux, osvers=10.20, archname=PA-RISC1.1-multi
uname='hp-ux uap5 b.10.20 c 9000891 373319211 32-user license '
config_args=''
hint=recommended, useposix=true, d_sigaction=define
usethreads=undef use5005threads=undef useithreads=undef
usemultiplicity=define
useperlio=undef d_sfio=undef uselargefiles=define 
use64bitint=undef use64bitall=undef uselongdouble=undef
usesocks=undef
  Compiler:
cc='cc', optimize='-O', gccversion=
cppflags='-D_HPUX_SOURCE -Aa -DDEBUGGING'
ccflags =' -D_HPUX_SOURCE -DDEBUGGING -D_LARGEFILE_SOURCE  
-D_FILE_OFFSET_BITS=64  -Ae'
stdchar='unsigned char', d_stdstdio=define, usevfork=false
intsize=4, longsize=4, ptrsize=4, doublesize=8
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', 
   lseeksize=8
alignbytes=8, usemymalloc=y, prototype=define
  Linker and Libraries:
ld='ld', ldflags =' -L/usr/local/lib'
libpth=/usr/local/lib /lib /usr/lib /usr/ccs/lib
libs=-lnsl_s -lndbm -ldld -lm -lc -lndir -lcrypt -lsec
libc=/lib/libc.sl, so=sl, useshrplib=false, libperl=libperl.a
  Dynamic Linking:
dlsrc=dl_hpux.xs, dlext=sl, d_dlsymun=undef, ccdlflags='-Wl,-E
-Wl,-B,deferred '
cccdlflags='+z', lddlflags='-b +vnocompatwarnings -L/usr/local/lib'


Characteristics of this binary (from libperl): 
  Compile-time options: DEBUGGING MULTIPLICITY USE_LARGE_FILES 
   PERL_IMPLICIT_CONTEXT
  Built under hpux
  Compiled at May  5 2000 15:36:16
  @INC:
/usr/local/lib/perl5/5.6.0/PA-RISC1.1-multi
/usr/local/lib/perl5/5.6.0
/dart10/perl5/lib/site_perl/PA-RISC1.1-multi
/dart10/perl5/lib/site_perl
    /dart10/perl5/lib/site_perl
.


(Sorry, I don't have utilities for a decent stacktrace)

As always, thanks much in advance for any suggestions.

Paul




Re: How do browsers cache ssl pages?

2000-11-06 Thread Paul McGarry



"Wohlgemuth, Michael J." wrote:
 Now, on to my new question, and I hope I can explain it without thoroughly
 confusing everyone:
 
 We have modssl configured with an SSLSessionCacheTimeout of 300 seconds.
 One of the web applications running on the server uses frames, with one
 frameset containing an HTTP form, and the other frameset having navigation
 buttons, including the submit button.  The design and implementation of
 these pages is out of my control.  When the user hits the submit button, the
 page runs some JavaScript that performs an HTTP post on the frameset with
 the form.  This works fine as long as the user doesn't take longer than 300
 seconds to fill out the form and hit submit.  If modssl expires the session
 cache, the browser clears all the entries in the HTML form.  This leads me
 to believe that the browser is somehow limiting access from one frameset to
 the other based on the session id, and since the session ids don't match, it
 is clearing the form data.  We see this behavior in both IE and Netscape.

As I understand it the SSLSessions are completely unrelated to any
http-level sessions you may be using on the site.

An SSLsession timing out should be completely transparent to the
client at the http level, a new SSLsession should simply be created
at the SSL level.

For what it's worth, I am using a frame based application over
SSL with an SSLSessionCacheTimeout of 300, using http sessions
(which last until the browser is shutdown) to track users and I am
not experiencing any such problems. I'm not doing any javascript
posts to another frame, but I do use javascript to trigger gets
in other frames.

Can you run your app in straight http mode to check that SSL is
really involved in causing the problem?

-- 
Paul McGarry         mailto:[EMAIL PROTECTED]
Systems Integrator   http://www.opentec.com.au
Opentec Pty Ltd      http://www.iebusiness.com.au
6 Lyon Park Road     Phone: (02) 9878 1744
North Ryde NSW 2113  Fax:   (02) 9878 1755



Re: unsecure objects with IE5.5

2000-11-05 Thread Paul McGarry


[EMAIL PROTECTED] wrote:
 Now Microsoft has released the SP1 for IE5.5 which fixes the
 bug with unsecure objects.

Thanks for the update Andreas, I've been polling Windows Update daily
but it doesn't seem to rate a mention there.

Now let's cross our fingers and hope a fix for the similar bug in
Mozilla will get in prior to Netscape 6 (though I think it's unlikely).

Actually, if anyone has a publicly accessible real world example
then perhaps they could attach it to:
http://bugzilla.mozilla.org/show_bug.cgi?id=58180
then perhaps the Mozilla folks may up the priority a bit. My
testcase may seem a bit academic compared to the real world
implications of the bug (making a secure site that uses javascript
urls unusable unless the user turns off their security features).

-- 
Paul McGarry         mailto:[EMAIL PROTECTED]
Systems Integrator   http://www.opentec.com.au
Opentec Pty Ltd      http://www.iebusiness.com.au
6 Lyon Park Road     Phone: (02) 9878 1744
North Ryde NSW 2113  Fax:   (02) 9878 1755



Re: Ready for Prime Time ?

2000-11-01 Thread Paul McGarry

Keith Parkansky wrote:

 If there are any commercial support operations
 available, where can I find contact information
 for them ?

Redhat will probably happily take your money from you..
I'm sure Linuxcare will too...

In fact, with many of the largish Open Source companies basing much 
of their business model on support revenue I wouldn't think it would
be all that difficult to find someone willing to give you support if
you actually go and look.

-- 
Paul McGarry         mailto:[EMAIL PROTECTED]
Systems Integrator   http://www.opentec.com.au
Opentec Pty Ltd      http://www.iebusiness.com.au
6 Lyon Park Road     Phone: (02) 9878 1744
North Ryde NSW 2113  Fax:   (02) 9878 1755



Re: Ready for Prime Time ?

2000-11-01 Thread Paul McGarry



Keith Parkansky wrote:

  In fact, with many of the largish Open Source companies basing much
  of their business model on support revenue I wouldn't think it would
  be all that difficult to find someone willing to give you support if
  you actually go and look.
 
 For issues related to the OS this is true, but for issues
 related to the applications they bundle, such as Apache,
 they will not provide "in depth" technical support.

http://www.redhat.com/products/support/ecommerce/

I haven't talked to them or anything, but their web-page suggests
they'll help you with 'your toughest technical problems'.

-- 
Paul McGarry         mailto:[EMAIL PROTECTED]
Systems Integrator   http://www.opentec.com.au
Opentec Pty Ltd      http://www.iebusiness.com.au
6 Lyon Park Road     Phone: (02) 9878 1744
North Ryde NSW 2113  Fax:   (02) 9878 1755



Re: unsecure objects with IE5.5

2000-10-31 Thread Paul McGarry



David Rees wrote:

  We've got no problems with NS or other IE versions.
 
  Maybe a reason: We use extensively javascript within the pages.
 
 This is a known bug in IE 5.5.  I don't know of any work arounds.

Does anyone know where (if) this bug is documented? I couldn't find
anything on MS's site (I'd just like something to point to when
people ask what the error means).

In further bad news, a similar bug exists in Mozilla:

http://bugzilla.mozilla.org/show_bug.cgi?id=58180

This is all somewhat annoying, having the most recent versions of the
two leading browsers screw up an application I spent some time 
crafting out of entirely standards based technology (HTML4, CSS,
ecmascript and DOM).

-- 
Paul McGarry         mailto:[EMAIL PROTECTED]
Systems Integrator   http://www.opentec.com.au
Opentec Pty Ltd      http://www.iebusiness.com.au
6 Lyon Park Road     Phone: (02) 9878 1744
North Ryde NSW 2113  Fax:   (02) 9878 1755



Re: should you start ssl as a root???

2000-10-30 Thread Paul McGarry


Susmitha Vuyyuru wrote:
 I have apache+jserv+modssl running on red hat. I start it as root. But,
 I have a question about the usual convention... Is the usual convention
 to start the webserver as root or as a general user??

Yes, it is normal to start Apache as root (in fact you have to if you
want it to bind to the standard port numbers for http and https).
However your webserver should be changing to another user/group once it
has started.

Search for "User" in your httpd.conf file.

-- 
Paul McGarry         mailto:[EMAIL PROTECTED]
Systems Integrator   http://www.opentec.com.au
Opentec Pty Ltd      http://www.iebusiness.com.au
6 Lyon Park Road     Phone: (02) 9878 1744
North Ryde NSW 2113  Fax:   (02) 9878 1755



multiple secure name-based virtual hosts and mod_ssl

2000-10-24 Thread Panon, Paul-Andre

Hello,

I am trying to use multiple name-based virtual hosts with mod_ssl. The
system is running Mandrake 7.1 with mod_ssl-2.6.4. The virtual hosts
definition work fine with one gotcha, the first certificate/private key pair
is being used for both virtual hosts. The configuration file looks like
this:

###

NameVirtualHost IPAddr1:443

<VirtualHost IPAddr1:443>
DocumentRoot /home/httpd/site1/html
ServerName site1.domain
ErrorLog logs/ssl-error_log
TransferLog logs/ssl-access_log
SSLEngine on
SSLCertificateFile conf/ssl/site1.domain.crt
SSLCertificateKeyFile conf/ssl/site1.domain.key

...Location/directory specific directives 

</VirtualHost>

# NameVirtualHost is declared once per address above; repeating it here
# only draws a warning at startup.
<VirtualHost IPAddr1:443>
DocumentRoot /home/httpd/site2/html
ServerName site2.domain
ErrorLog logs/ssl-error_log
TransferLog logs/ssl-access_log
SSLEngine on
SSLCertificateFile conf/ssl/site2.domain.crt
SSLCertificateKeyFile conf/ssl/site2.domain.key

...Location/directory specific directives 

</VirtualHost>



If I try to establish a secure connection to either site1 or site2, then I
get appropriate the pages and access for that site based on the document
root and the location/directory specific directives. However when I connect
to site2, I get a browser error stemming from a name mismatch between the
site name and the site certificate. When I check the detailed information
for the server certificate, it's showing me the information for the
certificate of site1, even though I retrieve the pages for site 2. Can't
mod_ssl handle separate certificates for each vhost? If not, then why are
the SSLCertificate(Key)File directives used in VirtualHost instead of
being global?

Thank you,

Paul-Andre Panon



Re: multiple secure name-based virtual hosts and mod_ssl

2000-10-24 Thread Paul McGarry


 Can't  mod_ssl handle separate certificates for each vhost? 

Not for name based hosts. See the FAQ!

 If not, then why are
 the SSLCertificate(Key)File directives used in VirtualHost instead of
 being global?

Because VirtualHosts can also be IP or port based.

Could mod_ssl be changed to refuse to start up if name based virtual
secure hosts are set up, with an appropriate message ("READ THE FAQ!")
output to the Apache log files?

You'd probably want another configuration directive too,

SSLYesIHaveReadTheFAQ on

to override this new behavior for situations where someone doesn't
care about the browser errors (eg in a dev environment).

-- 
Paul McGarry        mailto:[EMAIL PROTECTED]
Systems Integrator  http://www.opentec.com.au
Opentec Pty Ltd     http://www.iebusiness.com.au
6 Lyon Park Road    Phone: (02) 9878 1744
North Ryde NSW 2113 Fax:   (02) 9878 1755

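A way to see the behaviour in this thread from the outside, added here as an example (not code from either post): ask the server for its certificate once per host name, with and without SNI, and compare the CN it presents with the name you asked for. mod_ssl of that era could not pick a certificate per name because the host name only arrived after the handshake; current Apache (2.2.12 and later, built against OpenSSL 0.9.8f or later) does it through SNI, and a client that sends no SNI still gets the first vhost's certificate for that address. name_covers applies the one-label wildcard rule browsers use. Host names and the port are assumptions, and -noservername needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: which certificate does the server present for each
# virtual host name? Needs the openssl CLI for the live check; host,
# port and names are assumptions for illustration.
set -eu

# Extract the CN from "openssl x509 -subject" output, in either the
# "subject=CN = x, O = y" or the older "subject= /CN=x/O=y" form.
subject_cn() {
  sed 's/.*CN *= *//; s/[,/].*//'
}

# Does certificate name $2 cover host name $1? Exact match, or one
# leading wildcard label: *.example.com covers a.example.com but not
# a.b.example.com or example.com (the rule browsers apply).
name_covers() {
  host=$1
  pat=$2
  case $pat in
    '*.'*)
      suffix=${pat#\*.}
      case $host in
        *.$suffix) [ "${host%.$suffix}" = "${host%%.*}" ] ;;   # one label only
        *) return 1 ;;
      esac
      ;;
    *) [ "$host" = "$pat" ] ;;
  esac
}

# CN of the certificate a live server presents. $3 = SNI name, or ""
# to send no SNI at all (what an old client does). Not exercised by the
# offline walk-through below because it needs a reachable server.
presented_cn() {
  host=$1; port=$2; sni=${3:-}
  if [ -n "$sni" ]; then opt="-servername $sni"; else opt="-noservername"; fi
  printf '' | openssl s_client -connect "$host:$port" $opt 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null \
    | subject_cn
}

# One line per ServerName, then what a client without SNI is given.
check_vhost_certs() {   # $1 host, $2 port, then the ServerName values
  host=$1; port=$2; shift 2
  for name in "$@"; do
    cn=$(presented_cn "$host" "$port" "$name")
    if name_covers "$name" "$cn"; then
      echo "ok    $name -> $cn"
    else
      echo "WRONG $name -> $cn"
    fi
  done
  echo "no SNI -> $(presented_cn "$host" "$port" "")"
}

# Offline walk-through of the matching rule on constructed pairs
# (host name : CN on the certificate); no connection is made.
for pair in "site1.domain:site1.domain" "site2.domain:site1.domain" \
            "site2.domain:*.domain" "a.b.domain:*.domain"; do
  name=${pair%%:*}; cn=${pair#*:}
  if name_covers "$name" "$cn"; then
    echo "ok    $name covered by $cn"
  else
    echo "WRONG $name not covered by $cn"
  fi
done
# Against a real server (assumed address and names):
#   check_vhost_certs 192.0.2.10 443 site1.domain site2.domain
```

The second constructed pair is the poster's symptom: site2.domain answered with site1's certificate. The last line of the live check matters too: whatever the non-SNI client gets is what every legacy client and most scanners will see.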


Re: THE CLUELESS MORON

2000-10-16 Thread Paul McGarry



Harald Langaker wrote:

 The above person (Harald Langaker ([EMAIL PROTECTED])) has been
 sending obscene and insulting mail to me.  Please request that he cease
 this
 activity and that he withdraw his postings from any online archives.
 He is a member of a group of people who illegally posted advertising on
 my
 Web site.  Complaints are being made to the appropriate law-enforcement
 authorities.

I wonder what the legality is of him stating that you (and 
members of the modssl group for that matter) are involved in illegal
behaviour.

Perhaps someone should drop a line to somewhere appropriate 
([EMAIL PROTECTED]) in the computing services department 
there and get them to have a quiet word.

-- 
Paul McGarry        mailto:[EMAIL PROTECTED]
Systems Integrator  http://www.opentec.com.au
Opentec Pty Ltd     http://www.iebusiness.com.au
6 Lyon Park Road    Phone: (02) 9878 1744
North Ryde NSW 2113 Fax:   (02) 9878 1755



Re: why 8443?

2000-09-14 Thread Paul

--- [EMAIL PROTECTED] wrote:
 Can someone explain the differences and why 8443 is the default?

Anything below 1024 requires root privilege.
Sometimes the web admin isn't root, so this is a "standard" accommodation.




./configure --with-apxs=/usr/sbin/apxs

2000-08-30 Thread Paul Ingendorf

When running the configure with apxs command on mandrake
7.1 helium with apache 1.3.12 already installed from rpm
I received the following message.

Configuring mod_ssl/2.6.6 for Apache/1.3.12
./configure:Error: The mod_ssl/2.6.6 can be used for Apache/1.3.12 only.
./configure:Error: Your Apache source tree under /usr is version Server.
./configure:Hint:  Please use an extracted apache_1.3.12.tar.gz tarball
./configure:Hint:  with the --with-apache option, only.

I dug through the configure script and landed on line 289;
after breaking it up I found that the Mandrake version
is a bit fouled up.

This is the first line of output from httpd -v

Server version: Apache-AdvancedExtranetServer/1.3.12 (NetRevolution/Linux-Mandrake)

I retouched line 289 to read

APV=`/usr/sbin/httpd -v | grep "Server version:" | awk '{print $3}' | sed -e 's/.*\///' -e 's/ .*//'`

and all was well.

I'm posting this so maybe it can be fixed and so people
can find it in the mail archives.  I know that was one
of the first places I looked.

-- http://edispatch.timespace.org
-- mailto:[EMAIL PROTECTED]
Running ... Cos anything else would be a waste...
`:::'  ...  ..
 :::  *  `::.::'
 ::: .::  .:.::.  .:: .::  `::. :'
 :::  ::   ::  ::  ::  :::::.
 ::: .::. .::  ::.  `. .:'  ::.
.:::.::'   ...



ssl_scache

2000-08-03 Thread Paul

I have my session caching set to about 5 minutes, and now it's working
*but* -- I've had some trouble getting the system to *keep* the
ssl_scache file.  At this point I have a nightly process doing a
"ssl_scache.pag" and "ssl_scache.dir" and "chmod 777
ssl_scache.???", but that certainly doesn't seem to be the optimal
solution.  Never mind the security problem with the 777 mode, why
should I have to keep manually creating the file every night?  How was
it getting deleted, or the permissions changed?  Has anybody else seen
anything like this, or is it just another ridiculous quirk of this old
system on which I work?




Re: Frames Javascript - insecure?

2000-07-31 Thread Paul


--- Lee Feigenbaum [EMAIL PROTECTED] wrote:
 the page gives the warning
 "this page contains both secure and insecure elements" 

This will happen if ANYTHING is accessed by a nonsecure protocol, even
so much as a single banner from another site.

You did say all links were relative, though
Anything offsite being accessed through that JS?
Or maybe are you loading images for flyover changes?
That *might* count as nonsecure, though I don't know the internal implementation




Re: What's this error?

2000-07-20 Thread Paul


--- Mads Toftum [EMAIL PROTECTED] wrote:
 On Wed, Jul 19, 2000 at 08:22:57AM -0700, Paul wrote:
  
  Somebody suggest a debugger? I'm feeling pretty ignorant, here, and
  unfortunately won't have any time to RTFM for a few weeks yet.
  (~mumblegrumble~)
  
 http://www.modssl.org/docs/2.6/ssl_faq.html#report-backtrace
 
 You may also have a tool like strace (Linux) or truss (Solaris),
 which can be very helpful too.

Thanks much.
Maybe that's why I haven't been getting core files..
Will look into it.




Re: What's this error?

2000-07-19 Thread Paul

  I have also noted a fair amount of 
  [Wed Jul 19 16:01:58 2000] [notice] child pid 24703 exit signal
  Segmentation Fault (11)

I get this, too, a *LOT*.

 Err... I'm convinced that our current mod_ssl 2.6.5 is 100% stable
 and does not produce any segfaults. If you really get segfaults, some
 other component causes it.  Let me guess: You're running PHP or 
 mod_ssl+OpenSSL as a DSO under Solaris, right?

Forgive the "me, too"-ism, here, but this problem just won't seem to go
away.  I'm running on HP-UX B.10.20 (best the company will spring for)
on a PARISC1.1 9000/891.  I probably did build DSO, though, and I
really don't need it. Hmm think the same prob might apply here?

 If no, then I've no clue and you have to attach a debugger to find
out
 where it segfaults.

Somebody suggest a debugger? I'm feeling pretty ignorant, here, and
unfortunately won't have any time to RTFM for a few weeks yet.
(~mumblegrumble~)

Paul




Re: error_log message

2000-07-14 Thread Paul


--- Penny Rand [EMAIL PROTECTED] wrote:
 [Fri Jul 14 09:26:50 2000] [crit] (48)Address already in use:
 make_sock: could not bind to port 80

Something's already using port 80, the default web port.
Check memory -- try "ps -ef|grep -i httpd"
If there's *any* webserver active, shut it down, then try again
(if that's an option).

Paul





Re: Multiple secure domains against one server.

2000-07-13 Thread Paul McGarry

David Leeson wrote:

 If its an RTFM, mads, please tell me gently ;-)
It is, and TFM will tell you that you can't do it.
It'll also tell you why.

-- 
Paul McGarry        mailto:[EMAIL PROTECTED]
Systems Integrator  http://www.opentec.com.au
Opentec Pty Ltd     http://www.iebusiness.com.au
6 Lyon Park Road    Phone: (02) 9878 1744
North Ryde NSW 2113 Fax:   (02) 9878 1755



Re: How to ...?

2000-07-13 Thread Paul

--- "Amr A. Aysha" [EMAIL PROTECTED] wrote:
 Hi All,

Hi, Amr.

 Now, after one of my Netscape client get its certficates, I would
 like to sign any HTML form for non repudiation. How can I do that ?

If I understand your questions correctly, you only have to make certain
that the page is accessed via HTTPS.  The server will sign the page as
part of the protocol.


 Second question, if I want to cross-sign two Certificate Authority
 between them. How to proceed an hierarchical certificate structure?

For this either I am ignorant, or I do not understand the question.

Good luck.

Paul




Re: HTTPS

2000-07-12 Thread Paul

   - Original Message - 
   From: Alexandre Dias 
   To: [EMAIL PROTECTED] 
   Sent: Tuesday, July 11, 2000 4:45 PM
   Subject: HTTPS
   I would like to use HTTPS on another port than 443...
   How can I do it?

*sigh*
RTFM is good advice, but I know that sometimes one wonders where in the
manual to look.

The standard configuration looks something like this:

<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

This assumes that 80 (the HTTP default) is your standard port, and 443
(the HTTPS default) is your standard SSL port.  If, however, you don't
have root permissions (as an example), you can do this:

<IfDefine SSL>
Listen 8080
Listen 8443
</IfDefine>

This is a common practice, and will work fine (as long as you keep
everything lined up -- make sure your Port and Listen commands for the
standard http access are in fact watching 8080, and that any virtual
host you want on the secure port knows it should be watching 8443 --
cross-port the commands, and I kinda doubt it will work. =o)

*Read The Manual*, but for a quick reference check the http.conf file.

Paul




Re: which port ? 80 or 443

2000-07-11 Thread Paul


--- Danilo Nascimento [EMAIL PROTECTED] wrote:
 From: "Yu, Leo" [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
 CC: "Yu, Leo" [EMAIL PROTECTED]
 Subject: which port ? 80 or 443
 Date: Mon, 10 Jul 2000 12:30:40 -0700
  Hi,
  I  configure a  Linux system to run Apache and Jserv and SSL. 
  The server is listening to both port 80 and port 443 (for SSL).
  I have a servlet running on the system to print out which port the
  request is coming from.
  The problem is that no matter what port (80 or 443) the URL
  request is coming in on, the servlet always prints out port 80.
  I use the getServerPort() function of the request
  object to retrieve the port number.
  Any idea why ?  Does Apache need to have port 80 open always ?
Thanks!
 Leo
 Hi Leo, but what´s your Test URL?
 This question can sound strange, but i have saw many users testing
 SSL connections using a HTTP URL!
 Bye, Danilo.

A little added clarification -- HTTP always comes in through port 80 by
default; HTTPS comes through port 443.

Paul




Re: Help : Annoying information windows in Internet Explorer ?

2000-07-07 Thread Paul


Sounds vaguely familiar (though our intranet uses mostly NetScape).
It's a browser-end problem, if I understand you correctly, and I don't
think you can change it from the server-end, though I've been wrong
about such things before. =o)

I posted instructions for how the user can tell the browser not to
bother him/her anymore.  Some reconfigure, some just suffer
through.

Paul

--- Gianluca Morello [EMAIL PROTECTED] wrote:
 I configured a good working configuration of Apache-SSL,
 I created my own CA.
 All is up and working:
 I have a web based certificate request,
 an automatic signing process of the client certificates
 and automatic downloading of certificates.
 All works well,
 
 Only one thing:
 
 When (MS Internet Explorer) clients connect to my secure web server,
 they can choose their client certificate. OK.
 The authentication of certificates is OK.
 The problem is that when a client makes a page request (through links
 or forms)
 in their browser a window appears saying that they are exchanging data
 with the server,
 signing these data with their private key,
 so in their navigation, for each page they view they have to close
 this information window, with a nervous effect.
 
 So the question:
 Is there a way to avoid these annoying popup windows appearing?
 
 Note :
 I create the certificate request using the Enroll.CreatePKCS10 method
 of Enroll object of MS Internet Explorer,
 and the download of the signed client certificate is made with the
 IControl.AcceptPKCS7
 method.
 I used php , vba and a short shell script to do all the stuff.
 
 Thanks.





Re: Apache/mod_perl

2000-07-07 Thread Paul


Stronghold would give you professional tech support, but if all you
want is SSL, check out Ralph Engelschall's mod_ssl (www.modssl.org)
based on the OpenSSL protocol (www.openssl.org).  It works well with
vanilla Apache, and it's *free* -- thanks again, Ralph. =o)

--- Pramod Sokke [EMAIL PROTECTED] wrote:
 Has anybody used stronghold? I'm considering using stronghold for SSL
 support since ours is a commercial application. Would mod_perl and
 all related modules work as fine with Stronghold as with plain
Apache?
 
 Thanks,
 Pramod
 
 At 10:24 AM 7/7/00 -0400, Vivek Khera wrote:
  "PS" == Pramod Sokke [EMAIL PROTECTED] writes:
 PS We are running Netscape Enterprise server with cgis written in
 perl
 and C.
 PS I'm looking at moving over to Apache and start using mod_perl.
 How
  [ .. ]
 PS over to Apache/mod_perl going to be a simple plug-in or would it
 involve
 PS re-writing lots of stuff?
 
 The C stuff will probably not be worth rewriting, but that depends
 on
 what it does.
 
 The perl stuff will need to be "cleaned" if it is sloppy code.  That
 is, if it is clean running in Perl under "-w" and "use strict"
 you're
 most likely going to have little difficulty with them.
 
 But what you should do is use the two-server performance enhancement
 (using mod_proxy and mod_rewrite) and have your legacy apps run on
 the
 front-end server, and then migrate your perl to the mod_perl backend
 one at a time.
 
 -- 

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Vivek Khera, Ph.D.Khera Communications, Inc.
 Internet: [EMAIL PROTECTED]   Rockville, MD  
 +1-301-545-6996
 GPG  MIME spoken herehttp://www.khera.org/~vivek/
  


=
"Seize the wildness of the moment, Feel the movement of the moon -- Swans fly with 
wings wide open to the sky." -- B-52's 
-
Real friends are those whom, when you inconvenience them, it bothers you more than 
them. -- me. =o) 
-
"There are trivial truths and there are great Truths. The opposite of a trivial truth 
is obviously false. The opposite of a great Truth is also true."  -- Niels Bohr 
-
TEMPVS PECVDEM COLLARE EST - It's time to thin the herd.
-
[http://www.catfishforbreakfast.com/letgod.html]
-





Re:[OT] Welcome to the world, Noah!

2000-06-23 Thread Paul

*MANY* congrats, and welcome to the gene pool.
God bless each of you.

Paul

--- "Ralf S. Engelschall" [EMAIL PROTECTED] wrote:
 
 Welcome to the world, Noah!
 
 Three hours ago (at June 23rd, 2000 - 4:08pm CET) our first kid was
 born: 
 
Noah Sebastian Engelschall, weight: 3690g, length: 52cm.
 
 Mother Daniela (27 years) and Noah (3 hours ;) are feeling very well!
 Father Ralf also still feels well... and now really understands why
 we
 men are considered snivelling and what OTOH our women really
 accomplish
 in their life. I'm very proud.
 
 In case you're interested: we've chosen the first name Noah for him,
 because
 this name stands for "the bringer of ease and comfort" (according to
 the text
 books of names). And Daniela and I found it not unreasonable if at
 least one
 of our family members _at least by definition_ is more of a calming
 type ;)
 
 Yours,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com








Re: garbled redirections

2000-06-20 Thread Paul


--- "Jason P. Winters" [EMAIL PROTECTED] wrote:
  
  First, the problem:
  
  [Tue Jun 20 09:06:55 2000] [error] [client 90.17.209.65] Invalid
 error
  redirection directive: üØ@
  
  üØ@? Let me assure you, "üØ@" isn't in my code anywhere. =o)
 
  Am I confusing or crosswiring Apache by doing a cross-port custom
  response here?  It seems to work
  
  Or is it something entirely different?
 
 This looks more like a system that is sending you 16bit encoded text,
 instead of straight 8bit ASCII...  (and yes, my system converted the
 text to something it can read. ;} )  You may not be seeing all of the
 data because it is 16bit and the 8bit processor chops it off...

But it's not consistent.
Here's another:
__
[Tue Jun 20 08:53:03 2000] [error] [client 96.90.8.163] Invalid error
redirection directive: @^_íØs://buda.bst.bls.com/dres/dres.cgi
~~

"buda.bst.bls.com" is our intranet server.
"@^_íØ" is *VERY* confusing. I'm assigning the $uri for the
custom_response with a literal string :
~
$uri = "https://buda.bst.bls.com" . $url;
_

How is that coming through as "@^_íØs://buda.bst.bls.com"?
If I spoof the same uri with a telnet, I get this:
~
HTTP/1.1 302 Found
Date: Tue, 20 Jun 2000 16:29:29 GMT
Server: Apache/1.3.12 (Unix) mod_perl/1.23 mod_ssl/2.6.4 OpenSSL/0.9.5a
Location: https://buda.bst.bls.com/dres/dres.cgi
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
_

It's internal to the server, and not consistent. :o(

Thanks for the suggestion, tho.
Every idea is worth checking!






Re: Compiling a module during the build of apache

2000-06-20 Thread Paul McGarry



"Michael J. McGillick" wrote:

 I've just downloaded the php-4.0.0 tarball, and would like to have it get
 built and recognized in the http.conf file when I make apache.  Is there a
 document that shows how to do this?

Just compile Apache (and mod_ssl) as you normally would with mod_so 
enabled and install it.

Once you've done that then install PHP as explained in the INSTALL 
file in the section "QUICK INSTALL (DSO)".

-- 
Paul McGarry        mailto:[EMAIL PROTECTED]
Systems Integrator  http://www.opentec.com.au
Opentec Pty Ltd     http://www.iebusiness.com.au
6 Lyon Park Road    Phone: (02) 9878 1744
North Ryde NSW 2113 Fax:   (02) 9878 1755



RE: Auto HTTPS

2000-06-14 Thread Paul

I wrote a handler to do it.  
(BTW, I hope this helps, but PLEASE feel free to give criticisms and
suggestions.  I'm new to Apache/modperl/etc. =o)

#~~
# module for Apache/mod_perl PerlPostReadRequestHandler to redirect
#  users on the nonsecure port over to SSL (hopefully saving bookmarks)
#__

package Apache::PortCorrect;

use strict;
use Apache::Constants qw( :response :methods );
use Carp ();
$SIG{__WARN__} = \&Carp::cluck;

# host used in the redirect target (edited out of the original post;
# set it to the name on the server certificate)
my $our_server = 'our_server';

sub handler {
    my $r = shift;   # the request object

    # already on the SSL port: nothing to do
    return OK if 443 == $r->get_server_port;

    # the request line is "METHOD URL PROTOCOL"; keep the URL part
    my (undef, $url, undef) = split(/\s+/o, $r->the_request);

    # allow HTTP:// access to some core pages and to graphics
    return OK if $url =~ m{ ^(?:/
                            | /(public|teampages|pics|avgrates)/.*
                            | /(home|cook)[.]shtml
                            | .*[.](gif|jpg)
                            )$
                          }ixo;

    # else redirect to the secure server, keeping the query string
    my $uri  = "https://$our_server.com" . $url; # edited :o)
    my $args = $r->args;
    $uri .= "?$args" if $args;
    $r->custom_response(MOVED, $uri);
    return MOVED;
}

1; # guarantee return code for load

##
In the config file, I just said (with minimal edit): 
PerlModule  Apache::PortCorrect
PerlPostReadRequestHandler  Apache::PortCorrect
##

Hope that helps. 

Paul


--- "Airey, John" [EMAIL PROTECTED] wrote:
 A user redirect in the head a web page at
 http://www/mydomain.com/michel
 such as
 
 <META HTTP-EQUIV="refresh" CONTENT="1; URL=https://www/mydomain.com/michel">
 
 
 Would achieve this (redirecting after 1 second). However, the secure
 document root would have to be different!
 
 I don't think (AFAIK) there's a way for a web server to do this.
 
 - 
 John Airey
 Internet Systems Support Officer, ITCSD, Royal National Institute for
 the
 Blind,
 Bakewell Road, Peterborough PE2 6XU,
 Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
 [EMAIL PROTECTED] 
 
 
 -Original Message-
 From: michel [mailto:[EMAIL PROTECTED]]
 Sent: 14 June 2000 16:46
 To: [EMAIL PROTECTED]
 Subject: Auto HTTPS
 
 
 Hi, I have a site with SSL. I want that if a user came in
 http://www/mydomain.com/michel via automatic the user is redirect to
 https://www/mydomain.com/michel
 
 I have see manual, but I'm a newbie in regular expression. 
 In httpd.conf I have:
 <Directory /usr/local/apache-1.3.12/htdocs/michel>
 Order allow,deny
 Allow from all
 RewriteEngine on
 RewriteCond  %{HTTPS} !=on
 # keep the original path on the way to the SSL port
 RewriteRule  .* https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
 #RewriteRule   * https://%{SERVER_NAME}/$1
 </Directory>
 
 outside of every <IfModule> 
 
 Tnx in advance
 
 both them (Windows and M. Lewinski) suck a lot and both them are
 are giving Bill some trouble.
 --
 Michel ZioBudda Morelli   [EMAIL PROTECTED]
 
 ICQ UIN: 58351764   PR of PhpItalia.com
 http://www.ziobudda.net http://faq.ziobudda.net
 






Re: How can I create certificates and keys using *.bat files? Please help.

2000-06-13 Thread Paul

--- Derek DeMoro [EMAIL PROTECTED] wrote:
 I need to be able to create keys and certificates using *.bat files? 
 How can I do that?

Are you using OpenSSL?
It has a command-line interface that can be executed from a *.bat;
check out http://www.openssl.org/docs/apps/genrsa.html

Paul
=





Re: Urgent: remove password from server cert?

2000-06-01 Thread Paul

 Forsake rebooting, use Unix! (-:

LOL!! I'm with you, bud.
But it *is* UNIX, just 10.2 (only recently upgraded to that!) on an old
T-500 machine.  We just try to keep it clean. =o)




Re: Urgent: remove password from server cert?

2000-06-01 Thread Paul


--- Victor STANESCU [EMAIL PROTECTED] wrote:
 First question:
 
 Is there any logical reason to reboot every week?
 If you are speaking a real, production-environment server,
 it is stupid to do such a thing.
 It should have months or years of uptime..
 The only excuse for a reboot can be:
 - hardware upgrade / failure
 - operating system upgrade / patching
   (depending on what are you using)
 - the use of windows where it does not belong
   (on a real-world server)
 
 Which is your case?

LOL!!
Case #4: IT says so.
In response to your question,

 Is there any logical reason to reboot every week?

the answer is that I can't think of one, unless it's because we're
running an *old* midrange box with an old OS (10.2 UNIX) and are
asking it to do too much -- they're chain-branching disk arrays because
we've run out of card slots.  Still, the IT dept. is horribly
underbudgeted, and mostly farmed out to contractors who are obeying the
legacy guidelines as laid down by people whom neither they nor I ever met.

So I'm stuck with monday morning reboots until we can get a new box,
and manage it ourselves.

In the meantime, however, the password problem has been satisfactorily
solved (security caveats noted), and thank you all. =o)


Paul
=
...Look upon my works, ye Mighty, and despair!...
"Ozymandias" -- Percy Bysshe Shelley




Re: Insecure information

2000-06-01 Thread Paul

Are the links written <img src="http://...">?
That makes the server access the *insecure* server for them.
Try making them relative URLs?

--- Mark Lo [EMAIL PROTECTED] wrote:
 Hi,
 
   I have installed my secure web server and got the test
 certificate
 from verisign.  I was trying some of my web pages using
 https://mydomain/test.html.  Then, a window popped up and indicated that
 some of the information is not secure, so it will not be shown on the
 web page.  All of the insecure information is pictures in
 JPEG or GIF format.  I wonder what is wrong with those pictures, and
 how to overcome this problem.
 
 Thanks
 
 Mark
 








Urgent: remove password from server cert?

2000-05-31 Thread Paul

In a sudden (and late) moment of epiphany, I just realized (while
writing a note to our CSA to please put the new server's startup in the
machines boot cycle) that when we reboot (*every* monday morning in the
wee hours) it's not terribly likely that anyone's going to be around to
feed the password to the startup query.

This really needs to be automated.
Help? =o)

Paul
=
Friends are those who,
when you must inconvenience them,
are less bothered by it than you. ;o]


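One script for both the batch-file question above and the unattended-restart problem in this thread, added here as an example (not code from either post): the OpenSSL command line generates the key, the CSR and a self-signed certificate, then writes an unencrypted copy of the key so httpd can start without anyone at the console. On Windows the same openssl commands go into a .bat file unchanged apart from "^" instead of "\" for line continuation. The directory, CN, passphrase and file names are assumptions. The caveat the thread alludes to is visible in the code: once server.key has no passphrase, its file mode is the only thing protecting it, so the encrypted copy stays on disk and the plain one gets mode 600. The alternative that keeps the key encrypted is mod_ssl's SSLPassPhraseDialog exec:/path/to/script, which only moves the secret into that script.

```shell
#!/bin/sh
# Added example: create a server key and certificate from a script with
# the OpenSSL CLI, then make an unencrypted copy of the key for
# unattended startup. File names, the CN and the passphrase are
# assumptions for illustration.
set -eu

make_server_cert() {   # $1 output dir, $2 certificate CN, $3 passphrase
  dir=$1; cn=$2; pass=$3
  mkdir -p "$dir"
  # Encrypted RSA key: keep this one; it needs the passphrase to be used.
  openssl genrsa -aes256 -passout "pass:$pass" \
    -out "$dir/server.key.enc" 2048 2>/dev/null
  # CSR without the interactive prompts (-subj), so it runs unattended.
  openssl req -new -key "$dir/server.key.enc" -passin "pass:$pass" \
    -subj "/CN=$cn" -out "$dir/server.csr" 2>/dev/null
  # Self-signed certificate for testing; send server.csr to a CA otherwise.
  openssl x509 -req -days 365 -in "$dir/server.csr" \
    -signkey "$dir/server.key.enc" -passin "pass:$pass" \
    -out "$dir/server.crt" 2>/dev/null
  # Unencrypted copy for unattended restarts. Nothing but file permissions
  # protects it now: create it under umask 077 and never copy it elsewhere.
  ( umask 077
    openssl rsa -in "$dir/server.key.enc" -passin "pass:$pass" \
      -out "$dir/server.key" 2>/dev/null )
  chmod 600 "$dir/server.key"
}

cert_cn() {            # CN in a PEM certificate's subject
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//; s/[,/].*//'
}

key_is_encrypted() {   # true if the PEM key still needs a passphrase
  grep -q ENCRYPTED "$1"
}

key_mode() {           # octal permission bits of a file (GNU or BSD stat)
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Usage: sh make_cert.sh demo   (writes ./ssl/server.{key.enc,csr,crt,key})
if [ "${1:-}" = "demo" ]; then
  make_server_cert ./ssl www.example.com 'change-me'
  echo "certificate for $(cert_cn ./ssl/server.crt)"
  echo "server.key.enc encrypted: $(key_is_encrypted ./ssl/server.key.enc && echo yes || echo no)"
  echo "server.key mode: $(key_mode ./ssl/server.key)"
fi
```

Point SSLCertificateKeyFile at server.key only on the host that runs httpd; everywhere else (backups, version control, the CA you send the CSR to) only server.key.enc or the CSR should ever travel.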

