in the docs.
Err... there is no correct location. Ok, usually WHERE THE APACHE SOURCE ARE
is not the correct location, of course. But you can use whatever fits your
platform. When you're still not sure what you should specify, then use
--prefix=/usr/local/apache,
; If I remove the lines from the httpd.conf everything works (without https).
> Can't I install the SSL as a module? And why I can install it? Could I use
> the old server-binary?
As said, you cannot use it because you need EAPI - the API extension for
o try to get a back-trace of the core dump to allow us to
see _where_ it dumps core. Sorry, but unless I can repeat the problem I cannot
fix it, of course.
Ralf S. Engelschall
e first certificat ?!?
As long as www.domain1.com and www.domain2.com use individual IP addresses you
can use different certificates. It's explained in the mod_ssl FAQ, so please
RTFM. Thanks.
Ralf S. Engelschall
ilt as a DSO. Ok, then I've
to test it again. I'll investigate. Thanks for the essential hint.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
_
here can be thousands of possible locations where it could
segfault. So we need a little bit more details to help you.
Ralf S. Engelschall
[EMAIL PROTECTED]
l is mod_ssl
and both at the same time you can't used. So this is a little bit confusing,
isn't it?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
_
od_ssl.h around line 310 does not the correct
thing for this platform. Please try to trace down to what
SSL_DBM_FILE_SUFFIX_{DIR,PAG} is set any why. Thanks for your help.
Ralf S. Engelschall
[EMAIL PROTECTED]
eed flex, are the dependencies screwed up, or
> what?
I think just the timestamps on your disk are bogus.
Do a ``touch ssl_expr_scan.c ssl_expr_parse.c ssl_expr_parse.h'' and try again.
Ralf S. Engelschall
The mod_ssl statistics from Netscraft and E-Soft Inc. for the last months were
now appended to http://www.modssl.org/news/statistic.html in case you're
interested.
Ralf S. Engelschall
[EMAIL PROT
ory based session cache
is certainly a magnitude faster then the disk-I/O dependent DBM based session
cache, of course.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
ns of the underlaying shared memory implementation! But MM and
mod_ssl check this, so don't worry to much about this. A cache of 512 KB is
usually fine.
Ralf S. Engelschall
[E
pache/libssl.so into server:
> /usr/lib/apache/libssl.so: undefined symbol: ap_global_ctx
> I get this message when a restart the apache server.
Seems like your Apache core part isn't compiled with EAPI.
A plain Apache doesn't work.
Ralf S. E
o here on the mod_ssl support list we cannot help you very
much.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to
MB. A usual SSL
session has less than 1KB. So even with just a 512 KB cache and a reasonable
expiry time you can cache a lot. But when you have lots of HTTPS traffic you
can increase this, of course.
Ralf S. Engelschall
help us in updating the document. Start from the version I've
appended to this mail. Thanks for your help.
Ralf S. Engelschall
[EMAIL PROTECTED]
ed area which points to your website.
Thanks for the hint.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
gcc compiler.
It _DOES_ work when it's configured correctly. Check where your RewriteRule's
are placed. They have to be either outside of any and then you
need a "RewriteOptions inherit" inside the for HTTPS or you need
two rulesets - inside each .
solution would be best (I think the "Satisfy" solution should be it), so
please try to investigate yourself a little bit. When someone already known a
good solution let it me know: I'll send add it to the HowTo chapter of
mod_ssl's user manual.
apache 1.3.6, mod_ssl 2.3.5)
Do you have losts of virtual hosts?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
On Wed, Jul 14, 1999, Ralf S. Engelschall wrote:
> > I'm new to mod_ssl, and I have a question regarding the use of SSLRequire.
> > I am using Apache 1.3.6, mod_ssl 2.3.5, and PHP 3.0.8 on Redhat Linux 6.0.
> >
> > I have looked through the manual, FAQ, t
7;ve to admit that I no longer know why it really was needed in the
past. It was some conflict, of course. But I don't know with which component.
I've removed this from the INSTALL.Win32 for now. Let's see what happens... ;)
d you have to recompile Apache
with EAPI.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl)
e_1.3.6'
> make: *** [build] Error 2
>
> The "configure" line I used was:
>
> SSL_BASE=../openssl-0.9.3a
> /configure --prefix=/usr/local/apache --activate-module=src/modules/php3/li
> bphp3.a --enable-module=ssl
Seems like the EAPI patches were
he mod_ssl FAQ.
Thanks for the hint, Rasmus.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apach
s, it's a reasonable
approach. And as I said unless someone has a good argument against it I'll try
to take it over for 2.4.0.
Ralf S. Engelschall
[EMAIL PROTECTED]
.a very reasonable approach. Has anybody any objections?
If not, I'll try to take it over for 2.4.0.
Thanks for your contribution, David.
Ralf S. Engelschall
[EMAIL PROTE
tatus but because it wasn't enabled there existed now real mod_ssl
per-server configuration. I've added a check for 2.3.6 and it now works fine
also in your situation, i.e. it doesn't display anything.
Ralf S. Engelschall
em?"
This is a nice idea. Just write a first cut of such a README.Cfg or whatever
document and let others contribute their ideas and experiences. We can include
this into the mod_ssl distribution.
Ralf S. Engelschall
7;
> make[1]: *** [build-std] Error 2
> make[1]: Leaving directory `/usr/local/src/apache_1.3.6'
> make: *** [build] Error 2
A -lRSAglue is missing, I think.
Ralf S. Engelschall
[EMAIL PROTECTED]
umped)
>
> What wrong with the httpd? any ideas? please help.
We cannot give you an answer unless you find out the location of the core
dump, of course. Look inside the mod_ssl FAQ for details on how to get a
backtrace in the debugger.
Ralf S. Engelscha
angs usually mean one connects via HTTP to a HTTPS port or vice versa.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
*full* server kill and restart. Not just a
"restart" or "graceful restart".
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
ts. I've added now an entry to the FAQ for this.
Thanks for the hint.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
at the MM
object wasn't destroyed on restarts. On my development machine it doesn't
require an underlying file, so it never occured. On your platform it seems to
use a temporary file, so you lost one fd per restart.
R
:-) Of course in case of inactivity DBM file
> will be pushed out of page cache but shared memory can be pushed in swap in
> such case as well ! Of course MM is faster but magnitude... Hardly...
Yeah, "magnitude" certainly was the wrong word, of course.
e would store that would be useful. Since its session based, I
> assume some keys would be stored.
Youc an have a look at mod_mmap_static and mod_cache...
Ralf S. Engelschall
[EMAIL PROTECTED]
dn't stop your stuff might not work. Actually the check looks at the
CA list stack which was build by ssl_init_FindCAList(). So it seems this
function doesn't find anything for you. It would be fine when you can trace
down this function and find out why it doesn't why any CA cert
ich component.
>
> I've suggested the fix at that time. Yes it was a conflict, but now
> I also don't know with what.
>
> In any case I know that with OpenSSL 0.9.3a it's not needed anymore.
> Everything should work "out-of-the
so.5.4.46
You mean the directory into which MM wants to create the temp files didn't
exist, right? Ok, the "Ouch!" message should be more descriptive, of course.
I've enhanced it for 2.3.6: it now prints both the exact ap_mm_create() call,
the MM error and the errno. Thanks f
ot;
or "Cannot open SSLSessionCache DBM file `%s' for reading (fetch)" - which it
doesn't for you. Very confusing...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
_
gt;
> We checked things a bit more, it's definitively a limit of 16. We
> commented out a domain, and uncommented another. It dies with an
> error 3.
>
> This is under Solaris 7.
There is no such limit in mod_ssl itself, of course. It has to be a limit
coming from the O
log
> [14/Jul/1999 21:26:25] [info] Init: Wiped out the queried pass phrases from memory
> [14/Jul/1999 21:26:26] [info] Init: 2nd startup round (already detached)
> [14/Jul/1999 21:26:26] [info] Init: Reinitializing OpenSSL library
This looks fine. Are there no entries
If I recompile the src, which option i had . i.e.:
> rpm --rebuild apache-1.3.6.src.rpm
> ...
Err... a RPM build for a plain Apache doesn't work, of course. You need a
patched Apache which includes the EAPI stuff. Do yourself a favor and start
from scratch by followin
(because I've still not found time to review it)
o David Harris's fix for graceful restart problem
(because I've still not found time to review it)
o The old "SSLListen" idea
(because it still doesn't work I want it to work)
Greetings,
ause you can't
force stdio to use SSL_read/SSL_write instead of read/write when you perform
any fprintf/fputs/etc calls. It's better to use OpenSSL BIO library for this.
Ralf S. Engelschall
ot important here. Usually CRLs and certs are _not_ in the same
file.
Ralf S. Engelschall
[EMAIL PROTECTED]
ww
not changed recently. But nevertheless you mention a
good idea to overcome the /dev/random variants which block: we could read in
non-blocking mode. H... that would be perhaps a reasonable thing. Any
opinions?
Ralf S. Engelschall
ed
by the error messages from Perl, of course. But I think you've
to ask on [EMAIL PROTECTED] for more hints.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschal
patch.
> [...]
> 9 out of 9 hunks ignored--saving rejects to configure.rej
> [...]
That's your problem! The tree wasn't a fresh one!
Ralf S. Engelschall
[EMAIL PROTECTED]
ient authentication all clients issued by this CA are
accepted (which would happen when one references the CA cert via
SSLCACertificatePath or SSLCACertificateFile instead of
SSLCertificateChainFile).
Ralf S.
sed only for
the session cache and so I do not see why I should produce socket-related
errors.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
___
rc'
> make[1]: *** [build-std] Error 2
> make[1]: Leaving directory `/usr/src/apache_1.3.6'
> make: *** [build] Error 2
>
> Can anyone suggest how/what I need to do to fix it?
libRSAglue.a is not linked in, but it's needed AFAIK.
Is this an OpenSSL bug?
Server with the same progs installed and
> it works !?
>
> Could anyone help me???
Perhaps "perl" is not in PATH?
Ralf S. Engelschall
[EMAIL PROTECTED]
to first generate a cert out of your CSR. Either by an
explicit openssl x509 command or at least by using the -x509 option of openssl
req.
Ralf S. Engelschall
[EMAIL PROTECTED]
Hmmm yes. But because of the additional REMOTE_ADDR is wasn't able to use
SSLRequireSSL.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
all. Then perhaps check the AllowOverride directives and related things of
mod_auth.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
ECTED], I'm sure someone of the Win32 guys know what is
going on here.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
A
With 2.3.6 I've fixed a leak related to memory and fds:
*) Fixed memory leaks on restarts related to shared memory session cache:
the MM object wasn't removed at all.
So even when you have only a few vhosts, but do lots
of restarts, the problem can occur with < 2.3.6 version
gt; [14/Jul/1999 21:26:26] [info] Init: Reinitializing OpenSSL library
You mean there is really _NOTHING_ the Apache error log? I cannot believe
this, even on a core dump there would be an error. BTW, try to start the
server with option -X and look whether it really returns immediately.
it shouldn't harm to provide them earlier. I've to admit that I currently
forgot what the reason was that have not done this already. I'll think about
this again
Ralf S. Engelschall
ndard CGI/1.1 environment variables in
your Perl CGI scripts. Look inside the CGI/1.1 specification for details.
Ralf S. Engelschall
[EMAIL PROTECTED]
where i can follow the steps.
The stuff works under Win-NT, too.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.eng
he unencrypted private
key should be readable via "openssl rsa -noout -text -in " _WITHOUT_
entering a pass phrase. Until it asks you, you've still done something wrong
with the openssl command and don't have to try mod_ssl with it.
s it. It
internally calls the mod_ssl lookup function which is also used in the fixup
handler. So you don't have to run the fixup handler manually.
Ralf S. Engelschall
people on the apache lists.
These stuff is provided by mod_ssl in the SSL_CLIENT_CERT_XX environment
variables. See the mod_ssl documentation for details.
Ralf S. Engelschall
[EMAIL PROTECTED]
uy a beer
those guy who finds out why some vendor DBM libraries get crazy on the session
cache expiring...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engels
ompletely rewritten the ssl_scache_dbm_expire()
function, because it seems that some DBM libraries get crazy when one iterates
over the contents and deleting elements in parallel. The new function now
uses a two pass approach where this should no longer happen (hopefully ;) When
2.3.7 is released, please
ot;.., 1024) = 1024
These are from the DBM-based session cache expiry operations. The trouble
seems to be caused by the fact that some DBM libs do not like iteration and
deletion operations in parallel. It should be now fixed with mod_ssl 2
problems are strongly
encouraged to upgrade to this version.
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Changes with mod_ssl 2.3.7 (14-Jul-1999 to 25-Jul-1999
It's 40 KB per
vhost for both mod_ssl and OpenSSL. Or are not all of those 1000 vhosts SSL
based?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
s now comitted for mod_ssl 2.3.7.
Thanks for your contribution, David.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
rnoon...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Changes with mod_ssl 2.3.8 (25-Jul-1999 to 25-Jul-1999)
*) Fixed a nasty problem with early pool cleanups d
ction it appears in.)
> *** Error code 1
Yes, correct. I've always compiled with MM and for the non-MM case an #ifdef
is missing in alloc.c. Just apply the appended patch or wait for 2.3.9.
Ralf S. Engelschall
[
I'm really
interesting what comes next ;) Sorry for the inconviniences.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Changes with mod_ssl 2.3.9 (25-Jul-1999
tion. I've less time these days and weeks, so I would
appreciate when you investigate more for us - starting from this first cut of
a solution. Thanks.
Greetings,
Ralf S. Engelschall
On Mon, Jul 26, 1999, Ralf S. Engelschall wrote:
> As Matthias L. found out, the problems with POST requests in conjunction with
> per-directory/location SSL renegotiations is that the pending POST request
> body in the SSL BIO caused problems for the handshake. I've today spende
pache
source tree after you've applied the standard mod_ssl 2.3.9 code.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
from mod_ssl's buffer instead
(again) from the SSL I/O layer.
Please test the appended patch and give feedback.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Inde
>
> and no server child is launched.
>
> Apache 1.3.6 + mod_ssl 2.3.6 and previous versions run all fine on my
> machine (with same apache configuration).
Perhaps the directory /services/httpsd/run/ doesn't exist?
Ralf S. Engelschall
the POST data you've to already use a stronger cipher for the form page, of
course.
Or I'm missing some more essential points here?
BTW, what does ISS do? Does it really renegotiate between the MIME headers and
the following POST body?
for some Auth* directives).
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to Op
enssl.
See the scripts in the mod_ssl pkg.contrib/
subdir or even better: www.openca.org
Ralf S. Engelschall
[EMAIL PROTECTED]
www.
e the name-based vhost problem for
SSL.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
_
e just the bytes for the per-server
configs (< 1KB) plus the bytes for the cached certs and keys (< 10KB). The
remaining 30KB seem to be allocated by OpenSSL's SSL context, I think.
Ralf S. Engelschall
n't need both. Either use Apache-SSL
or mod_ssl. If you use Apache-SSL your forum is
[EMAIL PROTECTED] and your website
http://www.apache-ssl.org/. If you use mod_ssl your forum is this mailing
list ([EMAIL PROTECTED]) and the website http://www.modssl.org/.
3. To reduce your package
On Tue, Jul 27, 1999, Arend van der Veen wrote:
> [...]
> 2.removed nscerttype=ssICA
> 3.remove nscerttype=client
> [...]
What are the reasons?
Ralf S. Engelschall
[EMA
ast.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_
This is the most elegant but also most non-portable Mutex variant
where a SysV IPC Semaphore (under Unix) and a Windows Mutex (under
Win32) is used when possible. It is only available when the underlying
platform supports it.
IT HAS TO
work with this patch as long as it's true that it worked before with 2.3.6 as
others reported.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
_
on for the POST problems
which occured under per-URL SSL parameter re-configuration (read below for
more details).
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall
(hopefully ;). Please
upgrade to mod_ssl 2.3.10.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSS
nk this is caused or related to mod_ssl. But without more
details (for instance found via a debugger) we cannot do anything for you.
Ralf S. Engelschall
[EMAIL PROTECTED]
mod_ssl 2.3.10 now, please.
I've changed the init and cleanup logic and I really
hope the problems are now fixed.
Ralf S. Engelschall
[EMAIL PROTECTED]
directory.
>
> The server.csr file can only be created once? What am I doing wrong?
Err... no, the server.csr ist always generated. Look around line 240 in
src/support/mkcert.sh for details. I guess your filesystem permissions are
wrong.
em seems to have gone. But I'm
> sure you already now that...
Yes, I expected that they are gone, because I've changed this time the
complete logic of init and cleanup for the mutex. But thanks for the feedback.
Not that I know it also works for you, I'm even more happy.
plete file, including a
newline, etc. And the result is not a list, it's a single string. So the
above seems to be equal to
SSLRequire ( %{SSL_CLIENT_S_DN_CN} in
{ "apv\n" } )
and this way fails. Sorry, but file() is very weak.
-DUSE_SYSVSEM_SERIALIZED_ACCEPT
| -DNO_SEM_UNDO
| #elif defined (USE_SYSVSEM_SERIALIZED_ACCEPT)
That's interesting. Inside Apache 1.3.6 we've still the check for the define,
but no place where it actually is set. I'll investigate
Ralf S. E
sl::request_rec");
+if (actx != NULL)
+r = (request_rec *)ap_ctx_get(actx, "ssl::request_rec");
rv = -1;
if (r != NULL) {
Ralf S. Engelschall
[EMAIL PROTECTED]
e, thanks for the feedback.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Int
901 - 1000 of 1115 matches
Mail list logo
