Re: mod_sll virtual hosts

2002-08-17 Thread Ron Ridley

My mistake.  I have an entry NameVirtualHost, but it is in the form of NameVirtualHost 
ip.address.of.host, probably left over from some testing.  It works for me (as is), 
which is why I left it in the example.

My apologies.

-Ron

On 17 Aug 2002 14:31 CDT you wrote:

> On Sat 17 Aug 2002 11:21, Cliff Woolley wrote:
> > On Sat, 17 Aug 2002, Ron Ridley wrote:
> > > Try something like this using IP based virtual hosts: Each one of your
> > > virtual hosts can have different SSL key material it points to.
> > > # This section only goes in the conf file once
> > > - Port 80
> > > ServerName domain.com
> > > NameVirtualHost x.x.x.x
> > > #- Domain.com -
> > > 
> >
> > Um, if I'm following this discussion correctly, I believe this advice is
> > mistaken.  NameVirtualHost's can *NOT* be used with SSL.  Every name-based
> > vhost would in reality get the certificate of the first one listed in the
> > config file.
> >
> > Please see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#ToC47 .
> >
> 
> Hum, but in case all the virtualhosts are related (as in my case) this would 
> not matter much.
> But in case not, this would be a real problem.
> Thanks for your advice.

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: mod_sll virtual hosts

2002-08-17 Thread Ron Ridley

Try something like this using IP based virtual hosts:
Each one of your virtual hosts can have different SSL key material it points to.

# This section only goes in the conf file once -
Port 80
ServerName domain.com
NameVirtualHost x.x.x.x

#- Domain.com -
# Plain-HTTP vhost for the address on port 80
<VirtualHost x.x.x.x:80>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /home/httpd/html/
ServerName domain.com
ServerAlias domain.com www.domain.com
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog logs/domain.com_log combined
ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
</VirtualHost>

# SSL vhost for the same address on port 443 (the server also needs a matching Listen 443)
<VirtualHost x.x.x.x:443>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /home/httpd/html/
# name on certificate (Apache does not accept a trailing comment on a directive line)
ServerName domain.com
SSLEngine on
SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca.crt
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLLog logs/ssl_engine_log
SSLLogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog logs/domain.com_log combined
ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
</VirtualHost>

Repeat the domain.com section for the other domains you need.

-Ron

On 16 Aug 2002 19:17 CDT you wrote:

> When I try to load apache, I get the error:
> [Fri Aug 16 15:11:41 2002] [warn] NameVirtualHost :80 has no 
> VirtualHosts
> [Fri Aug 16 15:11:41 2002] [warn] NameVirtualHost yy:80 has no 
> VirtualHosts
> [Fri Aug 16 15:11:41 2002] [warn] NameVirtualHost xxx:80 has no 
> VirtualHosts
> /usr/local/apache/bin/apachectl startssl: httpd could not be started
> 
> contrary to what it says, http runs, but without ssl and I have virtualhosts 
> for each namevirtualhost.
> 
> How should I make my virtual hosts work with mod_ssl? Can someone please 
> provide an example?
> 
> 
> -- 
> Iuri Fiedoruk
> Santa Maria, RS, Brazil
> 
> GnuPG Key fingerprint = 9D5F 7FA6 EF2C 6A5E 914F  E01B 9434 AA7D 032B 240F

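An added check, not part of the thread or of Apache, for the situation Cliff Woolley's quoted reply describes: several SSL vhosts sharing one ip:port on a server without SNI (as mod_ssl of that era was), where every ServerName after the first is silently served the first vhost's certificate. The httpd.conf fragment is constructed for the example and the parser is a plain regex over <VirtualHost> blocks, not Apache's own config reader.

```python
import re
# Constructed sample httpd.conf fragment (not the list post's config): two SSL
# vhosts share 192.0.2.10:443 and a third has its own address. A server without
# SNI selects the vhost by ip:port alone, so the second one is never reached.
SAMPLE_CONF = """
NameVirtualHost 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
    ServerName domain.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/domain.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName other.example
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/other.crt
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName third.example
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/third.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def _directive(body, name):
    """First argument of directive `name` inside a vhost body, or None."""
    m = re.search(r"^\s*" + name + r"\s+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None

def parse_ssl_vhosts(conf):
    """Return [(address, servername, certfile)] for every vhost with SSLEngine on."""
    found = []
    for addr, body in VHOST_RE.findall(conf):
        if (_directive(body, "SSLEngine") or "").lower() == "on":
            found.append((addr.strip(), _directive(body, "ServerName"),
                          _directive(body, "SSLCertificateFile")))
    return found

def find_shadowed(conf):
    """ip:port -> ServerNames after the first SSL vhost there (they get its certificate)."""
    by_addr = {}
    for addr, name, cert in parse_ssl_vhosts(conf):
        by_addr.setdefault(addr, []).append((name, cert))
    return {a: [n for n, _ in v[1:]] for a, v in by_addr.items() if len(v) > 1}

if __name__ == "__main__":
    for addr, names in find_shadowed(SAMPLE_CONF).items():
        print(f"{addr}: {', '.join(names)} would present the first vhost's certificate")
```

Run against a real httpd.conf, any address reported here should be split across distinct IPs (the thread's IP-based approach) or the server upgraded to one that supports SNI.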



Re: IE browser does not disply proper error message if the certificate is expired

2002-03-07 Thread Ron Ridley

I posted a couple weeks back on the same problem.  I had also tried setting specific 
ErrorDocument directives in my httpd.conf, but it didn't work.  From what I can tell, 
the default errors are written into the apache/mod_ssl code to display errors in http, 
not https, and when all traffic from my site is forced through https (certificate 
required) you get a "page cannot be displayed" error.

Looking around newsgroup archives, the only suggestion I found was to prompt for a cert 
and add logic to your web app to allow access only if the proper credentials were set 
as environment variables.  Unfortunately not everyone has their site set up with that 
much flexibility (mine for instance).

I challenge those of you knowledgeable in the intricacies of mod_ssl to explain why 
error messages don't display and a feasible workaround (preferably using mod_ssl 
verification).

On 07 Mar 2002 13:50 CST you wrote:

> Any help from anyone?
> I need this desperately.
> Sincerely
> Shiva
> 
> 
> 
> --- Shiva Murugesan <[EMAIL PROTECTED]> wrote:
> > Many thanks jon.  The problem occurs in 5.5 and 6.0
> > as
> > well.  
> > I have tried unchecking the "Show friendly error
> > message", still it is not displaying the correct SSL
> > message.  After unchecking, it started asking twice
> > to
> > present the client certificate. After presenting the
> > client certificate for the second time, it displays
> > the standard error message.
> > 
> > Ta 
> > Shiva
> > 
> > 
> > 
> > --- jon schatz <[EMAIL PROTECTED]> wrote:
> > > On Mon, 2002-03-04 at 15:50, jon schatz wrote:
> > > > if you uncheck "Tools -> Internet Options ->
> > > Advanced -> Show Friendly
> > > > HTTP error messages", you can get more useful
> > > info. Unfortunately, the
> > > > default is to show the same error message for
> > > everything. You'll have to
> > > > change this by hand on your end users' machines
> > > (or write an ActiveX
> > > > control to do it for you).
> > > 
> > > oops. this is on ie 5.5/6.0. i can't speak for ie
> > > 5.0 personally. so
> > > ymmv.
> > > 
> > > -jon
> > > 
> > > -- 
> > > [EMAIL PROTECTED] || www.divisionbyzero.com
> > > gpg key: www.divisionbyzero.com/pubkey.asc
> > > think i have a virus?:
> > > www.divisionbyzero.com/pgp.html
> > > "You are in a twisty little maze of Sendmail
> > rules,
> > > all confusing." 
> > > 
> > 



ErrorDocuments and SSLVerifyClient

2002-02-14 Thread Ron Ridley

I have apache 1.22 w/ mod_ssl 2.8.5 running on NT from the contribs
directory on modssl.org.

I have the server configured to require a certificate through the
'SSLVerifyClient require' directive.  My users can get in fine, however
if they have no certificate or a revoked certificate, they get an IE
error page (Cannot find server or DNS error).

The apache and ssl error logs note that:
SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML
error page (OpenSSL library error follows)

This is done every time the user gets the error page.  I set up an Alias
to a directory containing custom error pages.  I also set up multiple
ErrorDocument directives to refer to the alias.  I can access the error
pages manually, but I am unsure on how to get them to show up when the
certificate prompt fails.

I have tried all of the IE related fixes in the FAQ (SetEnvIf, etc), and
I still have not been successful in getting the error messages to show
up.

Here is the catch to this:  My webserver can run on one port only (888) and
I have no VirtualHosts.  In my test environment I have set them up, but
I get a handshake renegotiation error instead of the http->https error.

Any ideas?



Re: CRL questions

2001-08-09 Thread Ron Ridley

In reference to making Apache reload the CRL, are you sending a SIGHUP to do that or 
something else?

-Ron

On Thu, Aug 09, 2001 at 08:17:36AM +0200, [EMAIL PROTECTED] sent this 
message:
> Hello Ron,
> 
> As far as I know there is no way to "learn" the new CRL file without making an 
> Apache stop and start. But you should be able to make a RELOAD only. I 
> used it in my Apache on Unix and it works quite well.
> 
> Maybe in the future Apache-ModSSL will support OCSP and it will solve this 
> "problem".
> 
> Sylvain 
> 
> 
>
> Sylvain Maret
> Senior Security Engineer - Strategic Director
> e-Xpert Solutions SA
> Route de Pré-Marais 29
> 1233 Bernex / Geneva
> Switzerland
> 
> Tel: +41 22 727 05 55
> Fax: +41 22 727 05 50
> Mail: [EMAIL PROTECTED]
> 
> 
> 
> 
> Ron Ridley <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 09.08.2001 03:16
> Please respond to modssl-users
> 
>  
> To: [EMAIL PROTECTED]
> cc: 
> Subject:CRL questions
> 
> 
> Background:
> I have a win32 installation of apache 1.3.12 w/ mod_ssl 2.6.1 running on a NT4
> server.  I am using W2K CA to handle client certs.  This setup is special b/c apache 
> runs as a part of the firewall service (Raptor 6.5) to enable secure 
> access to a web based auth page.
> 
> Problem:
> Users can connect to the site fine with their certs, however, problems 
> exist setting up a CRL.  I want to update the CRL every couple of days, yet it 
> requires a restart of apache to re-read the CRL.  My problem lies in that this also 
> requires a restart of the firewall. 
> 
> Question:
> Can someone verify my findings into the fact that apache must be restarted to 
> load the updated CRL?  If this is the case then are there plans to allow 
> updating/reloading of the CRL without reloading apache (e.g. CRL expiration 
> period)?
> 
> Thanks in advance.
> Ron



CRL questions

2001-08-08 Thread Ron Ridley

Background:
I have a win32 installation of apache 1.3.12 w/ mod_ssl 2.6.1 running on a NT4
server.  I am using W2K CA to handle client certs.  This setup is special b/c apache 
runs as a part of the firewall service (Raptor 6.5) to enable secure access to a web 
based auth page.

Problem:
Users can connect to the site fine with their certs, however, problems exist 
setting up a CRL.  I want to update the CRL every couple of days, yet it requires
a restart of apache to re-read the CRL.  My problem lies in that this also requires
a restart of the firewall.

Question:
Can someone verify my findings into the fact that apache must be restarted to 
load the updated CRL?  If this is the case then are there plans to allow 
updating/reloading of the CRL without reloading apache (e.g. CRL expiration period)?

Thanks in advance.
Ron