Multiple SSL and non-SSL vhosts question...

1998-12-03 Thread Aaron Bell

Hi all,

Probably a slap-on-the-forehead question...

I've a server with 2 cnames... the machine is rarely accessed by its real
name. One vhost is accessed both SSL and non-SSL. The other is only non-SSL
at this time.

Problem being when I add another VirtualHost directive to accept
connections on 443 for the second vhost, I end up getting the first vhost
pages. The non-secure pages are served ok. Is it me or is this normal?

httpd.conf in essence...

NameVirtualHost 1.2.3.4
<VirtualHost 1.2.3.4>
ServerName foo.etc.etc
DocumentRoot /pkg/httpd/docroot/default
</VirtualHost>

<VirtualHost 1.2.3.4>
ServerName bert.etc.etc
DocumentRoot /pkg/httpd/docroot/bert
</VirtualHost>

<VirtualHost 1.2.3.4:443>
ServerName bert.etc.etc
DocumentRoot /pkg/httpd/docroot/bert
...
SSL directives...
...
</VirtualHost>

<VirtualHost 131.181.127.63>
ServerName ernie.etc.etc
DocumentRoot /pkg/httpd/docroot/ernie
</VirtualHost>

<VirtualHost 1.2.3.4:443>
ServerName ernie.etc.etc
DocumentRoot /pkg/httpd/docroot/ernie
...
SSL directives...
...
</VirtualHost>


Any assistance greatly appreciated.



Aaron J. Bell
Business Process Re-Engineering
Department of Computing Services
Queensland University of Technology
Brisbane, Queensland, Australia
__
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
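The behaviour in the question, as an added example that is not part of the original post or of mod_ssl: before SNI existed, an Apache 1.3 + mod_ssl server could present only one certificate per ip:port it listens on, because the Host header that NameVirtualHost relies on travels inside the already-encrypted connection. Every TLS connection to 1.2.3.4:443 therefore reaches the first <VirtualHost 1.2.3.4:443> block (bert), gets bert's certificate and is served bert's pages; the second block for ernie is never used, and a browser asking for ernie.etc.etc also sees a certificate-name mismatch. The script below parses a config in that shape, reports SSL vhosts that collide on one socket, and shows the period-correct fix of binding ernie's SSL vhost to its own address. The SSLEngine/SSLCertificate* lines stand in for the elided "SSL directives", the second address 1.2.3.5 is assumed, and a <VirtualHost> given without a port is assumed to mean port 80.

```python
import re
from collections import defaultdict

# Added example, not code from the original post or from mod_ssl/Apache.
# Pre-SNI rule this checks: one certificate (so one SSL vhost) per ip:port
# socket; later SSL vhosts bound to the same socket are never reached.

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(ServerName|SSLEngine)\s+(\S+)", re.M | re.I)


def parse_vhosts(conf, default_port=80):
    """Return [(ip, port, servername, ssl_on)] in config order.  A <VirtualHost
    addr> with no port takes Apache's Port directive; 80 is assumed here."""
    vhosts = []
    for m in VHOST_RE.finditer(conf):
        addr, body = m.group(1).strip(), m.group(2)
        if ":" in addr:
            ip, port = addr.rsplit(":", 1)
            port = int(port)
        else:
            ip, port = addr, default_port
        name, ssl_on = None, False
        for directive, value in DIRECTIVE_RE.findall(body):
            if directive.lower() == "servername":
                name = value
            else:  # SSLEngine on|off
                ssl_on = value.lower() == "on"
        vhosts.append((ip, port, name, ssl_on))
    return vhosts


def ssl_collisions(conf):
    """Map each ip:port that carries more than one SSL vhost to the colliding
    ServerNames in config order; only the first of them ever answers."""
    by_socket = defaultdict(list)
    for ip, port, name, ssl_on in parse_vhosts(conf):
        if ssl_on:
            by_socket[(ip, port)].append(name)
    return {sock: names for sock, names in by_socket.items() if len(names) > 1}


def served_on(conf, ip, port):
    """ServerName of the vhost that answers every TLS connection to ip:port
    (the first SSL vhost bound there), or None if there is none."""
    for vip, vport, name, ssl_on in parse_vhosts(conf):
        if ssl_on and (vip, vport) == (ip, port):
            return name
    return None


# Constructed config in the shape of the one in the question.  The elided
# "SSL directives" are assumed to be SSLEngine/SSLCertificate* lines.
BROKEN_CONF = """
Listen 1.2.3.4:80
Listen 1.2.3.4:443
NameVirtualHost 1.2.3.4:80
<VirtualHost 1.2.3.4:80>
ServerName bert.etc.etc
DocumentRoot /pkg/httpd/docroot/bert
</VirtualHost>
<VirtualHost 1.2.3.4:443>
ServerName bert.etc.etc
DocumentRoot /pkg/httpd/docroot/bert
SSLEngine on
SSLCertificateFile    /pkg/httpd/ssl/bert.crt
SSLCertificateKeyFile /pkg/httpd/ssl/bert.key
</VirtualHost>
<VirtualHost 1.2.3.4:80>
ServerName ernie.etc.etc
DocumentRoot /pkg/httpd/docroot/ernie
</VirtualHost>
<VirtualHost 1.2.3.4:443>
ServerName ernie.etc.etc
DocumentRoot /pkg/httpd/docroot/ernie
SSLEngine on
SSLCertificateFile    /pkg/httpd/ssl/ernie.crt
SSLCertificateKeyFile /pkg/httpd/ssl/ernie.key
</VirtualHost>
"""

# The pre-SNI fix: move ernie's SSL vhost to its own address (1.2.3.5 is an
# assumed second IP on the box) and Listen there.  Name-based vhosts on :80
# are unaffected, since the Host header is readable in plain HTTP.
FIXED_CONF = BROKEN_CONF.replace(
    "Listen 1.2.3.4:443\n", "Listen 1.2.3.4:443\nListen 1.2.3.5:443\n"
).replace(
    "<VirtualHost 1.2.3.4:443>\nServerName ernie", "<VirtualHost 1.2.3.5:443>\nServerName ernie"
)

if __name__ == "__main__":
    for label, conf in (("question", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for (ip, port), names in ssl_collisions(conf).items():
            print(f"{label}: {ip}:{port} answers as {names[0]}; never reached: {names[1:]}")
        print(f"{label}: TLS to 1.2.3.4:443 is served by {served_on(conf, '1.2.3.4', 443)}")
```

Run as a script it reports the one collision in the question's layout (1.2.3.4:443 answers as bert, ernie never reached) and none in the fixed layout. Keying on SSLEngine rather than on port 443 is deliberate: the constraint is per socket that carries a certificate, not per port number, so the same check would also catch two SSL vhosts sharing a non-standard port.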



Re: ANNOUNCE: mod_ssl 2.1.1-1.3.3

1998-12-03 Thread Ralf S. Engelschall

On Wed, Dec 02, 1998, Paul Wolstenholme wrote:

 I just checked the CVS port branch at the FreeBSD site and the last
 version there is 2.0.15.  I was  wondering if someone knew if this
 was going to be upgraded to the 2.1 branch in the near future.  

I had still no time for this, but I'm now working on it.
Expect it to be updated today.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



ANNOUNCE: mod_ssl 2.1.2-1.3.3

1998-12-03 Thread Ralf S. Engelschall


Here is the next pure bugfixing release. In addition to other minor fixes it
mainly solves the problem where on Linux boxes the DBM library wasn't
correctly found.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.1.2 (30-Nov-1998 to 03-Dec-1998)
 
   *) Let `httpd -V' show `-D EAPI', too.

   *) Fixed again the DBM library determination inside libssl.module: A syntax
      error caused the fallback (SDBM) to never be used, which led to
      problems on systems where no DBM library exists.

   *) Added a check to libssl.module: It now complains with
  a warning when SSLeay 0.8 is used because of the known problems (core
  dumps on large files, etc.) with these versions.

   *) Slightly changed mod_ssl's configure hints displayed as the last step.

   *) Removed internal OPTIONAL_SSL stuff which was inherited from Apache-SSL.
  I currently cannot see a good reason for allowing subrequests to disable
  SSL, so kick out this stuff.

   *) Extended Chapter 5 (FAQ List) of the User Manual.

   *) Added the Website META Language (WML) sources for the User Manual to the
  distribution: This way all sources are available to the user community.
 
   *) Removed one last reference to SSLCACertificateReqFile inside the 
  httpd.conf-dist file.



Re: ANNOUNCE: mod_ssl 2.1.2-1.3.3

1998-12-03 Thread Ralf S. Engelschall

On Thu, Dec 03, 1998, Ralf S. Engelschall wrote:

[...]
   Changes with mod_ssl 2.1.2 (30-Nov-1998 to 03-Dec-1998)
[...]

The FreeBSD port is now again in sync with the current release version: I've
updated the www/apache13-modssl port to Apache 1.3.3 + mod_ssl 2.1.2 now.
Happy packaging ;-)
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Any confirmation yet?

1998-12-03 Thread Dave Paris

Have we received any "in print" confirmation from RSA with regards to us using 
one license from a commercial package to build and use mod_ssl in the States?

Regards,
dsp

[EMAIL PROTECTED]  -+-|-+-  [EMAIL PROTECTED]
#include disclaimer.h
The two most oft overlooked motor vehicle laws:  Inertia and Tonnage




Re: Any confirmation yet?

1998-12-03 Thread Dimitar Stoikov

Hi, All!
I'm new on this list and my first post, I'm afraid, isn't related to the
topic. Instead it is about securing "standard" network daemons. I just
released a new URL and want to share it with you:
http://mike.daewoo.com.pl/computer/stunnel/

--
Dimitar Atanasov Stoikov | pgp fingerprint at
Internet Department  | http://ds.primasoft.bg
PrimaSoft Ltd., Bulgaria |



[BugDB] Port port vs. Listen ip:port (PR#60)

1998-12-03 Thread bugdb-mod-ssl

Full_Name: Jake Buchholz
Version: 2.1.1
OS: linux 2.0.36
Submission from: windowpane.execpc.com (169.207.1.11)


mod_ssl 2.1.x doesn't pick up the primary port number for the server
from the Listen directive the way 2.0.x appears to have done.  Using
the Port directive solves the problem, but I'm wondering if this may
have been an oversight.




Re: [BugDB] Port port vs. Listen ip:port (PR#60)

1998-12-03 Thread bugdb-mod-ssl

On Thu, Dec 03, 1998, [EMAIL PROTECTED] wrote:

 Full_Name: Jake Buchholz
 Version: 2.1.1
 OS: linux 2.0.36
 Submission from: windowpane.execpc.com (169.207.1.11)
 
 mod_ssl 2.1.x doesn't pick up the primary port number for the server
 from the Listen directive the way 2.0.x appears to have done.  Using
 the Port directive solves the problem, but I'm wondering if this may
 have been an oversight.

Hmmm... no changes were made in this direction. So how do you know that the
Port setting is not inherited?  What's the effect, i.e. where do you see that
the port is not correct? And what particular config file are you using?

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com




Re: Official statement: mod_ssl 2.0 branch

1998-12-03 Thread Whit Blauvelt

 Sounds fine to concentrate on the most recent. Meanwhile, for those who
 have a 2.0 install humming away happily, should there be any compelling
 reason to upgrade immediately rather than, say, with the next Apache
 release?


 \/\/ I-I I T 
 Blauvelt
 [EMAIL PROTECTED]




Re: [BugDB] Port port vs. Listen ip:port (PR#60)

1998-12-03 Thread Jake Buchholz

On Thu, Dec 03, 1998 at 05:03:14PM +0100, [EMAIL PROTECTED] wrote:
 On Thu, Dec 03, 1998, [EMAIL PROTECTED] wrote:
  Full_Name: Jake Buchholz
  Version: 2.1.1
  OS: linux 2.0.36
  Submission from: windowpane.execpc.com (169.207.1.11)
  
  mod_ssl 2.1.x doesn't pick up the primary port number for the server
  from the Listen directive the way 2.0.x appears to have done.  Using
  the Port directive solves the problem, but I'm wondering if this may
  have been an oversight.
 
 Hmmm... no changes were made in this direction. So how do you know that the
 Port setting is not inherited?  What's the effect, i.e. where do you see that
 the port is not correct? And what particular config file are you using?

I'm using a custom set of hierarchical config files:

httpd.conf
  (LoadModule stuff)
  Include common.conf
    (stuff common to HTTP & SSL)
  <IfDefine SSL>
  Include ssl.conf
    Listen 10.3.2.1:443
    Include vssl.conf
      (virtual host stuff)
  </IfDefine>
  <IfDefine !SSL>
  Include web.conf
    Listen 10.3.2.1:80
    Include vweb.conf
      (virtual host stuff)
  </IfDefine>

I start two httpd's, one with -DSSL and one without, each runs as a
separate user/group.

When I had upgraded from 2.0.15 to 2.1.0 (and subsequently 2.1.1), and
tried to start with -DSSL, it never made it past initialization phase 2,
and always aborted with "Ops, can't find server certificate?!".

This was the start of about two weeks of:

making sure my self-signed server cert was signed properly--maybe
2.1.x did some extra cert checking?  The cert was okay.

double-checking the 'bsafeglue' library I use to link SSLeay with
BSAFE...  strace indicated that after opening, reading, and closing
/dev/urandom, it was exiting.  Everything was okay, if there were
any problems I probably would have also seen it in 2.0.x...

Maybe there was something not right with reading or writing to table
that stores certs and keys between inits...  There didn't seem to be
anything wrong with those routines.

Maybe BSAFE was doing a little aggressive housecleaning at the second
SSLeay init?  My tests came up negative on that one too.  I then tried
to pinpoint where exactly it was that I was losing the certificate,
and scattered a number of debug log writes through both initialization
phases.  The cert for hostname:443 was being lost _before_ the second
init.  Then I noticed something I overlooked all this while:

[info]  Init: 1st startup round (still not detached)
[info]  Init: Initializing SSLeay library
[info]  Init: Loading certificate & private key of SSL-aware server host:0
                                                                        ^^
[trace] Init: (host:0) unencrypted private key - pass phrase not required
[info]  Init: 2nd startup round (already detached)
[info]  Init: Initializing SSLeay library
[info]  Init: Generating temporary (512 bit) RSA private key
[info]  Init: Initializing (virtual) servers for SSL
[info]  Init: Configuring server host:0 for SSL protocol
                                     ^^
[trace] Init: (host:443) Creating new SSL context
[trace] Init: (host:443) Configuring permitted SSL ciphers
[trace] Init: (host:443) Configuring server certificate
[error] Init: (host:443) Ops, can't find server certificate?!

It was saving the certificate and key in the table as host:0 and then
trying to read it back later as host:443!

I decided to take a gamble and add one line to my ssl.conf file right
after my Listen directive: "Port 443".

Problem solved...  Talk about being relieved that it was working, but
frustrated that it took so long to figure out what was going on...

-- 
Jake Buchholz http://www.execpc.com/~jake
ExecPC Senior Systems Administrator   [EMAIL PROTECTED]



Annc: NetBSD mod_ssl pkgs now available/updated

1998-12-03 Thread Todd Vierling

I have updated the Apache and Apache/mod_ssl pkgs for NetBSD's pkgsrc
(similar to FreeBSD's ports) system.

The NetBSD setup is rather special in that it completely splits the
installation of Apache and mod_ssl.  The Apache pkg (www/apache) is
installed without mod_ssl, but does contain the EAPI and documentation links
for a possible future installation of mod_ssl.  It also contains the
necessary lines in the default httpd.conf to load the libcrypto, libssl,
and librsaref (if needed) shared libraries dynamically before mod_ssl.so.

The mod_ssl pkg (www/ap-ssl) compiles and installs without the need for an
Apache source tree, as Apache was installed beforehand with the necessary
patches.  It uses the `apxs' Perl script to compile, link, and install
mod_ssl.so.  When Apache is run, the new section of httpd.conf described
above will load the necessary libraries and mod_ssl, _only_ if needed with
httpd -DSSL ("apachectl startssl").

Many thanks to Ralf S. Engelschall for a wonderful, free product!

-- 
-- Todd Vierling (Personal [EMAIL PROTECTED]; Bus. [EMAIL PROTECTED])




Re: Official statement: mod_ssl 2.0 branch

1998-12-03 Thread Ralf S. Engelschall

On Thu, Dec 03, 1998, Whit Blauvelt wrote:

  Sounds fine to concentrate on the most recent. Meanwhile, for those who
  have a 2.0 install humming away happily, should there be any compelling
  reason to upgrade immediately rather than, say, with the next Apache
  release?

As long as you're happy with 2.0.x (no failures occur) and don't need one of
the new features of 2.1, you can wait, of course.  Apache 1.3.4 should be
released at least before Christmas ;-) 

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Annc: NetBSD mod_ssl pkgs now available/updated

1998-12-03 Thread Ralf S. Engelschall

On Thu, Dec 03, 1998, Todd Vierling wrote:

 I have updated the Apache and Apache/mod_ssl pkgs for NetBSD's pkgsrc
 (similar to FreeBSD's ports) system.

Great, I really appreciate this work for NetBSD.
Very good.

 The NetBSD setup is rather special in that it completely splits the
 installation of Apache and mod_ssl.  The Apache pkg (www/apache) is
 installed without mod_ssl, but does contain the EAPI and documentation links
 for a possible future installation of mod_ssl.  It also contains the
 necessary lines in the default httpd.conf to load the libcrypto, libssl,
 and librsaref (if needed) shared libraries dynamically before mod_ssl.so.

Just a question: why do you have to load libcrypto.so and libssl.so manually?
Because of a.out? At least under ELF you should be able to link libssl.so
against libssl.so and libcrypto.so and they should be loaded implicitly.  And
one more question: what's the reason you have to name the DSO mod_ssl.so
instead of libssl.so? Because of the conflict with the "real" libssl.so?

 The mod_ssl pkg (www/ap-ssl) compiles and installs without the need for an
 Apache source tree, as Apache was installed beforehand with the necessary
 patches.  It uses the `apxs' Perl script to compile, link, and install
 mod_ssl.so.  When Apache is run, the new section of httpd.conf described
 above will load the necessary libraries and mod_ssl, _only_ if needed with
 httpd -DSSL ("apachectl startssl").

Oops, seems like I was too slow or you too fast. Last weekend I added full
APXS support to the distribution. I think this would make your life easier.
When you're interested you can test my APXS support. I've still not committed
it for mod_ssl 2.1.x because it's not tested enough.  But it already works
fine for me. You just have to use --with-apxs instead of --with-apache and
anything else works magically ;-) Let me know when I can use you as a
beta-tester for this stuff...
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Annc: NetBSD mod_ssl pkgs now available/updated

1998-12-03 Thread Todd Vierling

On Thu, 3 Dec 1998, Ralf S. Engelschall wrote:

: Just a question: why do you have to load libcrypto.so and libssl.so manually?
: Because of a.out?

Yes.  Some NetBSD ports are a.out (including the very popular i386 and
sparc), others are ELF.  To reduce confusion and keep it more cross-platform
friendly, the build process I used doesn't assume that ELFisms are
available.

: one more question: What's the reason you have to name the DSO mod_ssl.so
: instead of libssl.so? Because of the conflict with the "real" libssl.so?

Conformity with "the rest of the world"; other apxs-compiled modules,
including those available through the NetBSD pkgsrc system, typically end up
as mod_modulename.so.  The program is even called mod_ssl...  ;)

: Oops, seems like I was too slow or you too fast. Last weekend I added full
: APXS support to the distribution. I think this would make your life easier.
: When you're interested you can test my APXS support. I've still not committed
: it for mod_ssl 2.1.x because it's not tested enough.  But it already works
: fine for me. You just have to use --with-apxs instead of --with-apache and
: anything else works magically ;-) Let me know when I can use you as a
: beta-tester for this stuff...

I'll look at it.  What I did notice was that the current --with-eapi-only
for the Apache compile side doesn't apply the Makefile.tmpl patches
(sslsup.patch), needed to tell Apache --enable-rule=EAPI, and some other
stuff.  Linking with libraries for a.out as you mention above similarly may
be a problem.  I'll mail you privately once I have a chance to look at it
all.

-- 
-- Todd Vierling (Personal [EMAIL PROTECTED]; Bus. [EMAIL PROTECTED])
