Re: Now I can be my own CA but there's more...

1999-03-24 Thread Alfredo Raul Pena

Steffen Dettmer wrote:

> > certificate expires, IE 3 disallows access altogether. Any way I can hack
> > the Registry or something like that so IE3/4/5 users can go to my site?
> > Like, adding my phony CA to IE's list of CAs?
> >
> > By the way, is there such a hack for Netscape too?
>
> take a .htaccess and include the following line:
> AddType application/x-x509-ca-cert .cacert
>
> Then convert your ca-cert into "der" Format (via "ssleay -in
>  -out  -outform der")
> (or was it "-infile"? - no ssleay here ;) )
>
> Then upload this file to the dir with .htaccess and it should work at
> least with Netscape 3/4 (and I think IE 4 too)

You can also take the "der format" certificate file and rename it
"something.crt". You can then place it on a floppy, double-click on it in
Windows 95/98/NT and voila!!

Regards, Alf

__
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Now I can be my own CA but there's more...

1999-03-24 Thread Lin Geng

What are the "VALUE"s that you referred to?

(>> ...so if you want to self-sign your certificate you need to change the
>> values you are putting on both certificates)

Thanks.

-Original Message-
From: Juan Carlos Castro y Castro <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wednesday, March 24, 1999 4:10 PM
Subject: Now I can be my own CA but there's more...


>Carlo Marcelo Arenas Belon wrote:
>>
>> Juan Carlos Castro y Castro wrote:
>> >
>> > Hi! I just bought a Brazilian RH Linux distribution with Apache 1.3.3
>> > and mod_ssl 2.0.something. When I follow the instructions to create my
>> > own CA and sign the server certificate I just created, I get this in the
>> > verification phase:
>> >
>> > error 7 at 0 depth lookup:certificate signature failure
>>
>> there is not a problem with your distribution.. there is a strange "bug"
>> on ssleay/openssl which doesn't allow the same values for a server.crt
>> and a ca.crt
>> so if you want to self-sign your certificate you need to change the values
>> you are putting on both certificates
>>
>> i've learned this the difficult way.., should be on the FAQ, you could
>> get a clue if you check the list archives
>
>YES! It worked! THANK YOU! Now I stumbled on an ugly thing: while
>Netscape issues me a warning and allows me to proceed until the
>certificate expires, IE 3 disallows access altogether. Any way I can hack
>the Registry or something like that so IE3/4/5 users can go to my site?
>Like, adding my phony CA to IE's list of CAs?
>
>By the way, is there such a hack for Netscape too?
>
>Cya,
>--
> ___THE___  One man alone cannot fight the future. USE LINUX!
> \  \ /  /   ___
>  \  V  /   |Juan Carlos Castro y Castro|
>   \   /|[EMAIL PROTECTED]  |
>   /   \|Linuxeiro, alvinegro, X-Phile e Carioca Folgado|
>  /  ^  \   |Diretor de Informática e Eventos Sobrenaturais |
> /  / \  \  |da E-RACE CORPORATION  |
> ~~~   ~~~   ---
>   RACER




[BugDB] How to compile mod_ssl without patching the original source? (PR#135)

1999-03-24 Thread bugdb-mod-ssl

Full_Name: Avi Alkalay
Version: 2.2.6
OS: AIX 4.3.1
Submission from: igw1.br.ibm.com (32.96.196.66)


Can I compile mod_ssl separately from Apache?
I don't want to patch the Apache source to compile mod_ssl within
Apache.
Can I compile Apache, pack the binary files, remove the source, and in
some day in the future use only 'apxs' and Apache include files to
build mod_ssl?

Thank you,
Avi




Re: Now I can be my own CA but there's more...

1999-03-24 Thread Steffen Dettmer

> certificate expires, IE 3 disallows access altogether. Any way I can hack
> the Registry or something like that so IE3/4/5 users can go to my site?
> Like, adding my phony CA to IE's list of CAs?
> 
> By the way, is there such a hack for Netscape too?

take a .htaccess and include the following line:
AddType application/x-x509-ca-cert .cacert

Then convert your ca-cert into "der" Format (via "ssleay -in
 -out  -outform der")
(or was it "-infile"? - no ssleay here ;) )

Then upload this file to the dir with .htaccess and it should work at
least with Netscape 3/4 (and I think IE 4 too)

oki,

Steffen




Re: Basic auth with SSL - again

1999-03-24 Thread Achille M. Luongo

Trung Tran-Duc wrote:
> 
> > > > "Ralf S. Engelschall" <[EMAIL PROTECTED]> wrote:
> > [...]
> > > Thanks for the answer, Ralf. My problem is that I can't build
> > > applications under Win32 platform.
> > >
> > > Is anybody able to build and upload on
> > > ftp://contrib:[EMAIL PROTECTED]/sw/mod_ssl/ (read/write
> > > access) an updated version of Apache (Win32) with mod_ssl/mod_ssl/2.2.5
> > > ?
> >
> > Perhaps one of the Win32 users can put a binary there.  I cannot do it,
> > because my Win32 box is still totally messed up.
> 
> I've uploaded
> 
> Apache_1.3.6-mod_ssl_2.2.6-openssl_0.9.2b-WIN32-i386.zip
> 
> to the contrib area.
> 
> (The mod_proxy source was patched to fix one crash bug and a bug preventing
> cache GC from functioning)

Thanks for the upload: I installed it and Apache works fine on my
system, too. 

As Ralf forecasted, the current version of mod-ssl fixes the
authentication problem I found in the old version of mod-ssl and that I
reported a few days ago.

Bye, Achille.



Re: OpenSSl 0.9.2b test failed

1999-03-24 Thread Bill Doster

At 07:40 PM 3/24/99 +0100, you wrote:
>On Wed, Mar 24, 1999, Igor S. Livshits wrote:
>
>> I am attempting to upgrade to mod-ssl-2.2.6-1.3.6 and am having 
>> problems building openssl-0.9.2b. Configuration and compilation seems 
>> to go fine, but when I run the tests, I get this failure:
>> 
>> ./rsa_oaep_test
>> Decryption failed!
>> Decryption failed!
>> Decryption failed!
>> make[1]: *** [test_rsa] Error 1
>> 
>> I am trying this on a RedHat 5.2 system with the following flags:
>> 
>> perl Configure linux-elf -DRSAref -lRSAglue 
>> -L`pwd`/../rsaref-2.0/local/ -lrsaref
>> 
>> I'd appreciate any hints...
>
>The RSA OAEP stuff is brand new. Nevertheless I guess the actual source of
>your problem is the RSAref library.  Compile without it and try again. I'm 95%
>sure then it will work. If not, you can try to contact Ulf Moeller
><[EMAIL PROTECTED]> who wrote this stuff. Perhaps he has a clue why it could fail
>for you...

I also ran into this problem this morning on Solaris 2.6 using gcc.
After seeing that it wasn't in openssl-0.9.1c, I #'d out the actual test in the
test/Makefile and the build proceeded fine.  The resulting server also worked
fine.  Being in the US, I also use rsaref.

For what the extra data point is worth...





Re: OpenSSl 0.9.2b test failed

1999-03-24 Thread Ed Kubaitis

(Hi Igor)

This is almost certainly a problem due to building openssl-0.9.2b
with RSAref. The problem is that OAEP is a new RSA "encryption
scheme" defined in RFC2347 dated October 1998. RSAref 2.0
appears to date back to 1994.

My fond hope here is that the "make test" failure is a
minor oversight (forgetting to skip invocation of
rsa_oaep_test when -DRSAref is used.) I just commented
out the invocation of it in test/Makefile.ssl and got
through the rest of "make test" (and "apps/openssl speed")
without problems.

Hope to try out mod-ssl-2.2.6-1.3.6 + openssl-0.9.2b
+ rsaref-2.0 on a production server tomorrow morning to
see if my fond hope is wrong.

Two background URLs:

   http://www.progressive-comp.com/Lists/?l=openssl-dev&m=92211886324200&w=2
   http://www.cis.ohio-state.edu/htbin/rfc/rfc2437.html

Ed
--
Ed Kubaitis - [EMAIL PROTECTED]
CCSO - University of Illinois at Urbana-Champaign


"Ralf S. Engelschall" wrote:
> 
> On Wed, Mar 24, 1999, Igor S. Livshits wrote:
> 
> > I am attempting to upgrade to mod-ssl-2.2.6-1.3.6 and am having
> > problems building openssl-0.9.2b. Configuration and compilation seems
> > to go fine, but when I run the tests, I get this failure:
> >
> > ./rsa_oaep_test
> > Decryption failed!
> > Decryption failed!
> > Decryption failed!
> > make[1]: *** [test_rsa] Error 1
> >
> > I am trying this on a RedHat 5.2 system with the following flags:
> >
> > perl Configure linux-elf -DRSAref -lRSAglue
> > -L`pwd`/../rsaref-2.0/local/ -lrsaref
> >
> > I'd appreciate any hints...
> 
> The RSA OAEP stuff is brand new. Nevertheless I guess the actual source of
> your problem is the RSAref library.  Compile without it and try again. I'm 95%
> sure then it will work. If not, you can try to contact Ulf Moeller
> <[EMAIL PROTECTED]> who wrote this stuff. Perhaps he has a clue why it could fail
> for you...
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com
> ...

--
Ed Kubaitis - [EMAIL PROTECTED]
CCSO - University of Illinois at Urbana-Champaign
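The padding layer that rsa_oaep_test exercises, written out as an added Python example (not code from the thread, from OpenSSL or from RSAref): EME-OAEP as defined in RFC 2437, with SHA-1 as the hash, MGF1 as the mask generation function and an empty encoding parameter. The RSA operation that wraps the padding in the real test is left out so the example runs without key material, and the seed is fixed in the demo only to make the run deterministic. The final check, a one-bit change in the encoded message being rejected, is the case a correct implementation reports as a decryption failure.

```python
"""EME-OAEP padding (RFC 2437, PKCS #1 v2.0) with SHA-1 and MGF1.

Added example; not code from the thread, from OpenSSL or from RSAref. Only
the encoding layer that rsa_oaep_test exercises is shown, without the RSA
operation around it, so it runs with no key material.
"""
import hashlib
import os

H_LEN = hashlib.sha1().digest_size  # hLen = 20


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1: SHA1(seed || C) for C = 0, 1, ... concatenated and cut to mask_len."""
    out = b""
    counter = 0
    while len(out) < mask_len:
        out += hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:mask_len]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, em_len: int, seed=None, label: bytes = b"") -> bytes:
    """EME-OAEP-Encode: EM = maskedSeed || maskedDB, len(EM) == em_len.

    em_len is the modulus length in octets minus one, as in RFC 2437.
    """
    if len(message) > em_len - 2 * H_LEN - 1:
        raise ValueError("message too long")
    if seed is None:
        seed = os.urandom(H_LEN)          # must be fresh and random in real use
    if len(seed) != H_LEN:
        raise ValueError("seed must be hLen octets")
    p_hash = hashlib.sha1(label).digest()
    ps = b"\x00" * (em_len - len(message) - 2 * H_LEN - 1)
    db = p_hash + ps + b"\x01" + message  # DB is em_len - hLen octets
    masked_db = xor_bytes(db, mgf1(seed, em_len - H_LEN))
    masked_seed = xor_bytes(seed, mgf1(masked_db, H_LEN))
    return masked_seed + masked_db


def oaep_decode(em: bytes, em_len: int, label: bytes = b"") -> bytes:
    """EME-OAEP-Decode: return M, or raise ValueError on any inconsistency.

    All checks are folded into one error; a real implementation must also
    keep their timing indistinguishable (Manger's 2001 attack on OAEP).
    """
    if em_len < 2 * H_LEN + 1 or len(em) != em_len:
        raise ValueError("decoding error")
    masked_seed, masked_db = em[:H_LEN], em[H_LEN:]
    seed = xor_bytes(masked_seed, mgf1(masked_db, H_LEN))
    db = xor_bytes(masked_db, mgf1(seed, em_len - H_LEN))
    ok = db[:H_LEN] == hashlib.sha1(label).digest()
    sep = -1                              # index of the 0x01 separator
    for i in range(H_LEN, len(db)):
        if sep == -1 and db[i] == 0x01:
            sep = i
        elif sep == -1 and db[i] != 0x00:
            ok = False                    # non-zero octet inside PS
    if not ok or sep == -1:
        raise ValueError("decoding error")
    return db[sep + 1:]


def demo() -> bool:
    """Round-trip a constructed message, then show that a flipped bit is rejected."""
    em_len = 127                          # 1024-bit modulus: k = 128, emLen = k - 1
    message = b"constructed sample message"
    em = oaep_encode(message, em_len, seed=bytes(range(H_LEN)))  # fixed seed: demo only
    if oaep_decode(em, em_len) != message:
        return False
    tampered = em[:-1] + bytes([em[-1] ^ 0x80])
    try:
        oaep_decode(tampered, em_len)
    except ValueError:
        return True                       # the correct "Decryption failed!" outcome
    return False


if __name__ == "__main__":
    print("OAEP round trip and tamper check:", "ok" if demo() else "FAILED")
```

The version shown is the PKCS #1 v2.0 layout (no leading zero octet, emLen = k - 1); RFC 3447 later prepended a 0x00 and defined emLen = k, which is what current OpenSSL implements.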



Re: [BugDB] https only sends 65536 bytes (PR#134)

1999-03-24 Thread Allan Liska

Sounds more like an MTU problem.  Perhaps the MTU for port 443 is set to
a lower number than for port 80 on your router?

HTH


[EMAIL PROTECTED] wrote:
> 
> Full_Name: Paul Curtis
> Version: mod_ssl/2.2.2 SSLeay/0.9.0b
> OS: Linux
> Submission from: nyor1ts1.ny.us.ibm.net (165.87.14.10)
> 
> A large PDF file, ~221KB, gets truncated at 65536 bytes.
> There are no errors logged, the access log shows a completed
> request delivering 65536 bytes.
> 
> The problem does not occur when the file is requested via a
> non-SSL URL.
> 


Thanks,

allan
---
Allan Liska   Spectrum Computers
http://www.spectrum-computers.com http://www.webcreations-va.com
If I don't document something, it's usually either for a good reason,
or a bad reason.   -- Larry Wall



Re: ANNOUNCE: mod_ssl 2.2.5-1.3.4

1999-03-24 Thread tvaughan

"Ralf S. Engelschall" <[EMAIL PROTECTED]> writes:

[snip]
> Yeah, the problem is that OpenSSL doesn't know these "ENCRYPTED PRIVATE KEY"
> headers. Mod_ssl cannot change this, of course.  The question now is: From
> where do they come, i.e. which program created this format?  And what's in
> this container? Just a Base64-encoded DER key?

From our crypto dude, Marc Van Heyningen:


It was generated by SSLPlus, a commercialization of Netscape's free sslref.
I think sslref used the same label.

The container is a DER of a PKCS#5 object, and the plaintext is a
PKCS#8 private key.


What I noticed was more than just that "ENCRYPTED PRIVATE KEY" was not
known, but that the variable that pointed to it, should have been pointing to
something like "RSA PRIVATE KEY", and vice versa.

Much Thanks,
Tom



Re: Basic authentication problems

1999-03-24 Thread Ralf S. Engelschall

On Wed, Mar 24, 1999, gil wrote:

> I am running Server: Red Hat Secure/2.0 (Unix) PHP/3.0.3 mod_ssl/2.0.7
> SSLeay/0.9.0b and cannot get basic authentication to work. 
> 
> From my httpd.conf in my non-SSL Apache 1.3.4, I cut and paste the
> following section into my SSL httpd.conf (I'm running two apache
> daemons)
> 
>   
> AuthName"Truepath Protected Area"
> AuthType Basic
> AuthDBMUserFile  /members/truepathdb
> require  valid-user
>   
> 
> My non-SSL Apache works perfectly with dbm authentication, but the
> mod-ssl version never authenticates a user. The error log says:
> 
> [Wed Mar 24 10:05:13 1999] [error] (2)No such file or directory: could not open dbm auth file: /members/truepathdb
> [Wed Mar 24 10:05:13 1999] [error] DBM user tester not found: /usr/www/truepath/cgi-bin/pass/janitor.cgi
> [Wed Mar 24 10:33:56 1999] [error] Invalid URI in request /HTTP 1.0 /
> [Wed Mar 24 11:03:31 1999] [error] Invalid method in request ~@O^A^C

Seems like two problems: First as the error clearly indicates, the DBM file
cannot be opened. This has nothing to do with mod_ssl.  And second, the
invalid method looks like you're connecting via HTTPS but HTTPS isn't enabled.
Check your configuration for the SSLEnable directive. It has to be inside the
 for your HTTPS server.

> If my mod_ssl version 2.0.7 is too old, how do I go about updating it?

Ask RedHat ;-) or do it on your own...

> The original install came off the Red Hat CD, so I'm unsure as to which
> steps to take. If I follow Engelschall's instructions in the
> documentation for re-installing, won't I lose the RSA key that I
> purchased for $120 with the Red Hat software? I'm lost.

No, you can install a fresh Apache+mod_ssl+OpenSSL triple under a different
path and then copy over the cert/key from your original installation.

> Any help on this would be really appreciated. 

BTW, isn't there any support from RedHat itself?

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
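A check for the second symptom Ralf points at, the "Invalid method in request" entries with control characters: an added Python example (not code from the thread or from Apache/mod_ssl) that looks at the first bytes a server reads from a connection and reports whether they are a plain HTTP request, an SSLv2-style CLIENT-HELLO, or a TLS handshake record. Either of the two handshake shapes arriving at a port without SSLEnable is what produces that error-log line, since Apache tries to read the handshake as an HTTP request line. The `^A^C` in the posted log line are consistent with the 0x01 0x03 (message type CLIENT-HELLO, version 3.x) that begin an SSLv2-compatible hello, but that reading is mine; all the byte strings below are constructed.

```python
"""Tell plain HTTP apart from an SSL/TLS handshake in the first bytes a server
reads from a connection. Added example; not code from the thread or from
Apache/mod_ssl. The sample byte strings are constructed.
"""

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE")


def classify_request_start(data: bytes) -> str:
    """Return 'http', 'tls-record', 'sslv2-hello' or 'unknown'."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        # TLS record header: content type 22 (handshake), version 3.0 .. 3.4
        return "tls-record"
    if (len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01
            and data[3] in (0x00, 0x03)):
        # SSLv2 record: 2-byte length with the high bit set, then CLIENT-HELLO (1)
        # and the client's highest version (0x0002 for SSLv2 only, 0x03xx otherwise)
        return "sslv2-hello"
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


# Constructed samples: a TLS 1.0 handshake record, an SSLv2-compatible
# CLIENT-HELLO announcing version 3.1, a plain request, and noise.
SAMPLES = {
    "browser speaking https": b"\x16\x03\x01\x00\x2d\x01\x00\x00\x29\x03\x01",
    "1999 browser, sslv2-compatible hello": b"\x80\x4f\x01\x03\x01\x00\x36\x00\x00\x00\x10",
    "plain http request": b"GET /members/ HTTP/1.0\r\nHost: www.example.test\r\n",
    "garbage": b"\x00\x00\x00",
}


def summarize(samples=SAMPLES) -> dict:
    """Count how many connection starts fell into each class."""
    counts = {}
    for data in samples.values():
        kind = classify_request_start(data)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:40s} -> {classify_request_start(data)}")
```

A non-zero count of either handshake class on a port meant for plain HTTP points at the misconfiguration Ralf describes (the HTTPS virtual host not SSL-enabled, or the browser sent to the wrong port), not at an authentication problem.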



Basic authentication problems

1999-03-24 Thread gil


Hi,

I am running Server: Red Hat Secure/2.0 (Unix) PHP/3.0.3 mod_ssl/2.0.7
SSLeay/0.9.0b and cannot get basic authentication to work. 

From my httpd.conf in my non-SSL Apache 1.3.4, I cut and paste the
following section into my SSL httpd.conf (I'm running two apache
daemons)

  
AuthName"Truepath Protected Area"
AuthType Basic
AuthDBMUserFile  /members/truepathdb
require  valid-user
  

My non-SSL Apache works perfectly with dbm authentication, but the
mod-ssl version never authenticates a user. The error log says:

[Wed Mar 24 10:05:13 1999] [error] (2)No such file or directory: could not open dbm auth file: /members/truepathdb
[Wed Mar 24 10:05:13 1999] [error] DBM user tester not found: /usr/www/truepath/cgi-bin/pass/janitor.cgi
[Wed Mar 24 10:33:56 1999] [error] Invalid URI in request /HTTP 1.0 /
[Wed Mar 24 11:03:31 1999] [error] Invalid method in request ~@O^A^C

If my mod_ssl version 2.0.7 is too old, how do I go about updating it?
The original install came off the Red Hat CD, so I'm unsure as to which
steps to take. If I follow Engelschall's instructions in the
documentation for re-installing, won't I lose the RSA key that I
purchased for $120 with the Red Hat software? I'm lost.

Any help on this would be really appreciated. 



in His grip,
Gil
http://www.truepath.com
your Christ-centered web host





Re: [BugDB] https only sends 65536 bytes (PR#134)

1999-03-24 Thread bugdb-mod-ssl

On Wed, Mar 24, 1999, [EMAIL PROTECTED] wrote:

> Full_Name: Paul Curtis
> Version: mod_ssl/2.2.2 SSLeay/0.9.0b
> OS: Linux
> Submission from: nyor1ts1.ny.us.ibm.net (165.87.14.10)
> 
> A large PDF file, ~221KB, gets truncated at 65536 bytes. 
> There are no errors logged, the access log shows a completed
> request delivering 65536 bytes.
> 
> The problem does not occur when the file is requested via a
> non-SSL URL.

Sorry, I cannot repeat this:

| rse@en1:/e/www/html/title
| :> tail -2 /sw/var/websrv/apache/logs/apache.sslreq.log
| [24/Mar/1999:20:21:08 +0100] en1.engelschall.com SSLv3 RC4-MD5 "GET
| /title/gany_as_published.pdf HTTP/1.0" 670726 - -
| [24/Mar/1999:20:21:20 +0100] en1.engelschall.com SSLv3 RC4-MD5 "GET
| /title/gany_as_published.pdf HTTP/1.0" 670726 - -
| rse@en1:/e/www/html/title
| :> ll gany_as_published.pdf 
| -rw-r--r--  1 rse  wheel  670726 Mar 24 20:20 gany_as_published.pdf
| rse@en1:/e/www/html/title
| :>

The PDF I used here for testing was even larger, the logfile entries are still
correct and Netscape displayed it correctly via my external viewer GV. That's
with the latest Apache/1.3.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.2b software.
So, I can only recommend you to first upgrade and then try again.  OTOH I
cannot imagine why data should be cut after 64KB, because it's not delivered by
mod_ssl. Even over HTTPS the data is sent from Apache's default handler.
 
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com




Now I can be my own CA but there's more...

1999-03-24 Thread Juan Carlos Castro y Castro

Carlo Marcelo Arenas Belon wrote:
> 
> Juan Carlos Castro y Castro wrote:
> >
> > Hi! I just bought a Brazilian RH Linux distribution with Apache 1.3.3
> > and mod_ssl 2.0.something. When I follow the instructions to create my
> > own CA and sign the server certificate I just created, I get this in the
> > verification phase:
> >
> > error 7 at 0 depth lookup:certificate signature failure
> 
> there is not a problem with your distribution.. there is a strange "bug"
> on ssleay/openssl which doesn't allow the same values for a server.crt
> and a ca.crt
> so if you want to self-sign your certificate you need to change the values
> you are putting on both certificates
> 
> i've learned this the difficult way.., should be on the FAQ, you could
> get a clue if you check the list archives

YES! It worked! THANK YOU! Now I stumbled on an ugly thing: while
Netscape issues me a warning and allows me to proceed until the
certificate expires, IE 3 disallows access altogether. Any way I can hack
the Registry or something like that so IE3/4/5 users can go to my site?
Like, adding my phony CA to IE's list of CAs?

By the way, is there such a hack for Netscape too?

Cya,
-- 
 ___THE___  One man alone cannot fight the future. USE LINUX!
 \  \ /  /   ___
  \  V  /   |Juan Carlos Castro y Castro|
   \   /|[EMAIL PROTECTED]  |
   /   \|Linuxeiro, alvinegro, X-Phile e Carioca Folgado|
  /  ^  \   |Diretor de Informática e Eventos Sobrenaturais |
 /  / \  \  |da E-RACE CORPORATION  |
 ~~~   ~~~   ---
   RACER
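The procedure this thread is about, carried through end to end as an added Python example (not code from the thread, from mod_ssl or from OpenSSL): it drives the openssl command-line tool through subprocess, so it assumes a current `openssl` binary on PATH rather than the 1999 ssleay the posters used, and the organisation and host names in it are constructed. The CA and the server certificate are given different subject names, which is the fix Carlo describes; the chain is then checked with `openssl verify`, which is the verification phase that produced the "certificate signature failure" above; and the CA certificate is written out in DER form, the file Steffen and Alfredo describe serving with `AddType application/x-x509-ca-cert` or renaming to `.crt` for Windows.

```python
"""Create a private CA, sign a server certificate with it, verify the chain
and export the CA certificate as DER. Added example (not from the thread,
mod_ssl or OpenSSL); it shells out to a current `openssl` binary, and the
subject names below are constructed.
"""
import os
import subprocess
import tempfile

CA_SUBJECT = "/O=Example Test CA/CN=Example Test Root"      # constructed
SERVER_SUBJECT = "/O=Example Test CA/CN=www.example.test"   # constructed; must differ from the CA


def run(args, cwd):
    """Run one openssl command, failing loudly with its stderr."""
    proc = subprocess.run(args, cwd=cwd, capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"{' '.join(args)}\n{proc.stderr}")
    return proc.stdout


def build_chain(workdir, ca_subject=CA_SUBJECT, server_subject=SERVER_SUBJECT):
    """Generate ca.key/ca.crt and server.key/server.crt in workdir."""
    # 1. Self-signed CA certificate: the "be my own CA" step.
    run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
         "-subj", ca_subject, "-days", "1", "-keyout", "ca.key", "-out", "ca.crt"], workdir)
    # 2. Server key and signing request with a *different* subject than the CA.
    run(["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
         "-subj", server_subject, "-keyout", "server.key", "-out", "server.csr"], workdir)
    # 3. Sign the request with the CA key.
    run(["openssl", "x509", "-req", "-sha256", "-days", "1", "-in", "server.csr",
         "-CA", "ca.crt", "-CAkey", "ca.key", "-CAcreateserial", "-out", "server.crt"], workdir)


def verify_chain(workdir) -> bool:
    """The thread's verification phase: openssl verify -CAfile ca.crt server.crt."""
    out = run(["openssl", "verify", "-CAfile", "ca.crt", "server.crt"], workdir)
    return out.strip().endswith(": OK")


def export_ca_der(workdir) -> int:
    """Write ca.crt as DER (the file served with
    'AddType application/x-x509-ca-cert .cacert') and return its size."""
    run(["openssl", "x509", "-in", "ca.crt", "-outform", "DER", "-out", "ca.der"], workdir)
    # Sanity check: the DER file must parse back as a certificate.
    run(["openssl", "x509", "-inform", "DER", "-in", "ca.der", "-noout", "-subject"], workdir)
    return os.path.getsize(os.path.join(workdir, "ca.der"))


def demo() -> bool:
    """Build, verify and export in a scratch directory; True when every step passed."""
    with tempfile.TemporaryDirectory() as workdir:
        build_chain(workdir)
        ok = verify_chain(workdir)
        der_size = export_ca_der(workdir)
        with open(os.path.join(workdir, "ca.der"), "rb") as f:
            first = f.read(1)
        # DER opens with a SEQUENCE tag (0x30); a PEM file would start with '-----BEGIN'.
        return ok and der_size > 0 and first == b"\x30"


if __name__ == "__main__":
    print("CA built, server cert verified, DER exported:", "ok" if demo() else "FAILED")
```

The distinct subject names are the point: a client (or `openssl verify`) locates the issuer of a certificate by its name, so a server certificate whose subject equals the CA's subject is taken for a self-signed certificate and its signature is checked against the wrong key.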



Re: OpenSSl 0.9.2b test failed

1999-03-24 Thread Ralf S. Engelschall

On Wed, Mar 24, 1999, Igor S. Livshits wrote:

> I am attempting to upgrade to mod-ssl-2.2.6-1.3.6 and am having 
> problems building openssl-0.9.2b. Configuration and compilation seems 
> to go fine, but when I run the tests, I get this failure:
> 
> ./rsa_oaep_test
> Decryption failed!
> Decryption failed!
> Decryption failed!
> make[1]: *** [test_rsa] Error 1
> 
> I am trying this on a RedHat 5.2 system with the following flags:
> 
> perl Configure linux-elf -DRSAref -lRSAglue 
> -L`pwd`/../rsaref-2.0/local/ -lrsaref
> 
> I'd appreciate any hints...

The RSA OAEP stuff is brand new. Nevertheless I guess the actual source of
your problem is the RSAref library.  Compile without it and try again. I'm 95%
sure then it will work. If not, you can try to contact Ulf Moeller
<[EMAIL PROTECTED]> who wrote this stuff. Perhaps he has a clue why it could fail
for you...
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[BugDB] https only sends 65536 bytes (PR#134)

1999-03-24 Thread bugdb-mod-ssl

Full_Name: Paul Curtis
Version: mod_ssl/2.2.2 SSLeay/0.9.0b
OS: Linux
Submission from: nyor1ts1.ny.us.ibm.net (165.87.14.10)


A large PDF file, ~221KB, gets truncated at 65536 bytes. 
There are no errors logged, the access log shows a completed
request delivering 65536 bytes.

The problem does not occur when the file is requested via a
non-SSL URL.




OpenSSl 0.9.2b test failed

1999-03-24 Thread Igor S. Livshits

Hello,

I am attempting to upgrade to mod-ssl-2.2.6-1.3.6 and am having 
problems building openssl-0.9.2b. Configuration and compilation seems 
to go fine, but when I run the tests, I get this failure:

./rsa_oaep_test
Decryption failed!
Decryption failed!
Decryption failed!
make[1]: *** [test_rsa] Error 1


I am trying this on a RedHat 5.2 system with the following flags:

perl Configure linux-elf -DRSAref -lRSAglue 
-L`pwd`/../rsaref-2.0/local/ -lrsaref

I'd appreciate any hints...

Thanks, igor



Re: [BugDB] Mod_SSL and PHP 3.0.7? (PR#132)

1999-03-24 Thread John Hoffmann

On Wed, Mar 24, 1999 at 08:22:06AM +0100, [EMAIL PROTECTED] wrote:
> On Wed, Mar 24, 1999, [EMAIL PROTECTED] wrote:
> 
> > Full_Name: John Hoffmann
> > Version: 2.2.5-1.3.4
> > OS: Solaris 2.6
> > Submission from: stargate.trytel.com (209.167.85.20)
> > 
> > I'm trying to switch from StrongHold 2.4 to Apache 1.3.4 with
> > mod_ssl, and I must say the installation went 200 times easier.  
> > One thing I am having a problem with however is getting PHP 3 to 
> > work at all.
> > 
> > I recently compiled StrongHold with mod_auth_mysql-2.20, php 2.01
> > and php 3.0.7 and it worked fine, but when I compile these same
> > modules into Apache 1.3.4 with mod_ssl the php3 engine seems to die.
> > When accessing a .php3 page I simply get a "The document contains no
> > data".  PHP 2 pages work fine.  I've checked my configuration:
> > 
> > srm.conf:AddType application/x-httpd-php3 .php3
> > 
> > But no PHP 3 pages will return any data.  Any ideas at all?
> 
> No, I'm neither using PHP3 myself nor do I have deep experience with it, so I
> cannot help you very much. But because this doesn't look like it's really
> mod_ssl related, I recommend you to write to the PHP3 support mailing lists.
> 
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com
> 

The problem turns out to be a limit on the file descriptors that each process
can open. I removed some VirtualHosts and it worked; now to figure out how
to increase the limit on Solaris 2.6 ... anyways, thanks for the quick
response, much faster than the Stronghold Commercial team ;')

-- 
John Hoffmann <[EMAIL PROTECTED]>



2.2.6-1.3.6 problems

1999-03-24 Thread Magnus Stenman

I'm having some strange problems...

When compiling for the mod_ssl-2.2.6-1.3.6 RPMs
I get a server that works with
Win Netscape 4
Win M$IE 4,

but *not* with
Mac Netscape 4.5
Linux Netscape 4.08
(ssl connections that is, normal connections work fine)


I use Redhat 5.2, kernel 2.2.4, openssl 0.9.1c
(yeah, I know, but I did not find .2b RPMs
 and was lazy [could the former be the problem?])

Entries in ssl_engine.log:
[info]  Connection to child 2 established (server starbug.inbox.se:443)
[info]  SSL handshake stopped: connection was closed

Netscape pops up a dialog
"Netscape has encountered bad data from the server."

No errors in httpd error_log


/magnus



Re: Basic auth with SSL - again

1999-03-24 Thread Trung Tran-Duc

> > > "Ralf S. Engelschall" <[EMAIL PROTECTED]> wrote:

> [...]
> 
> > Thanks for the answer, Ralf. My problem is that I can't build
> > applications under Win32 platform.
> > 
> > Is anybody able to build and upload on
> > ftp://contrib:[EMAIL PROTECTED]/sw/mod_ssl/ (read/write
> > access) an updated version of Apache (Win32) with mod_ssl/mod_ssl/2.2.5
> > ?
> 
> Perhaps one of the Win32 users can put a binary there.  I cannot do it,
> because my Win32 box is still totally messed up. 

I've uploaded

Apache_1.3.6-mod_ssl_2.2.6-openssl_0.9.2b-WIN32-i386.zip

to the contrib area.

(The mod_proxy source was patched to fix one crash bug and a bug preventing
cache GC from functioning)




Re: [BugDB] OpenSSL: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 (PR#133)

1999-03-24 Thread Andre Gustavo de Carvalho Albuquerque

At 15:44 24/03/1999 +0100, you wrote:
>On Wed, Mar 24, 1999, [EMAIL PROTECTED] wrote:
>
>> Full_Name: Andre Albuquerque
>> Version: 2.2.6-1.3.6
>> OS: Linux 2.0.36
>> Submission from: (NULL) (161.148.222.154)
>> 
>> I have just installed the new mod_ssl-2.2.6-1.3.6 with the new
>> apache 1.3.6 distrib and openssl 0.9.2b, but, despite a clean
>> compile, I have the following error while trying to get
>> a page:
>> 
>> [Wed Mar 24 08:48:23 1999] [error] mod_ssl: SSL handshake failed (client
>> 161.148.222.154, server wwws.visualnet.com.br:443) (OpenSSL library error follows)
>> [Wed Mar 24 08:48:23 1999] [error] OpenSSL: error:140943FC:SSL
>> routines:SSL3_READ_BYTES:sslv3 alert bad record mac
>> 
>> Is it a mod_ssl error or an openssl error?
>
>H I've only the following ideas for you:
>
>1. When this isn't Linux on an Intel box make sure you've built OpenSSL
>   correctly. Usually on Alpha boxes you need to use a different platform id.
>

  It is an Intel box (Linux 2.0.36 i386)

>2. Make sure OpenSSL works correctly by running "make test"
>   after "make" inside the OpenSSL source tree.
>

  It worked correctly. I've done this test.

>3. Try to build OpenSSL without assembler stuff
>
>4. Try to connect to the server with "openssl s_client" to make sure 
>   your browser isn't broken.
>
  Ok Ralf, I'm going to test this as soon as possible.
  I've tested with netscape 4.5 and MSIE 4.0 (4.72.3110.8), both for WinNT 4.0.

  Thanks, Gustavo
__
Andre Gustavo de C. Albuquerque   [EMAIL PROTECTED]
PGP Public Key:http://www.visualnet.com.br/~gustavo/pgpkey.asc



Re: [BugDB] OpenSSL: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 (PR#133)

1999-03-24 Thread Ralf S. Engelschall

On Wed, Mar 24, 1999, [EMAIL PROTECTED] wrote:

> Full_Name: Andre Albuquerque
> Version: 2.2.6-1.3.6
> OS: Linux 2.0.36
> Submission from: (NULL) (161.148.222.154)
> 
> I have just installed the new mod_ssl-2.2.6-1.3.6 with the new
> apache 1.3.6 distrib and openssl 0.9.2b, but, despite a clean
> compile, I have the following error while trying to get
> a page:
> 
> [Wed Mar 24 08:48:23 1999] [error] mod_ssl: SSL handshake failed (client
> 161.148.222.154, server wwws.visualnet.com.br:443) (OpenSSL library error follows)
> [Wed Mar 24 08:48:23 1999] [error] OpenSSL: error:140943FC:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad record mac
> 
> Is it a mod_ssl error or an openssl error?

H I've only the following ideas for you:

1. When this isn't Linux on an Intel box make sure you've built OpenSSL
   correctly. Usually on Alpha boxes you need to use a different platform id.

2. Make sure OpenSSL works correctly by running "make test"
   after "make" inside the OpenSSL source tree.

3. Try to build OpenSSL without assembler stuff

4. Try to connect to the server with "openssl s_client" to make sure 
   your browser isn't broken.

Greetings,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: ANNOUNCE: mod_ssl 2.2.5-1.3.4

1999-03-24 Thread Ralf S. Engelschall

On Fri, Mar 19, 1999, [EMAIL PROTECTED] wrote:

> "Ralf S. Engelschall" <[EMAIL PROTECTED]> writes:
> 
> >*) The SSLCertificateFile and SSLCertificateKeyFile directives now can read
> >   PEM (=DER+Base64+headers), DER+Base64 (without headers) and plain DER
> >   format certificate and private key files. This is mostly provided for
> >   convenience reasons.
> 
> I haven't spent much more time on this, sorry, but I still cannot get this
> to work. Using Ralf's patch from last week, there appears to be a problem
> with how the private key is being read.
> 
> Just for kicks, I went and got the latest versions of mod_ssl and OpenSSL
> via rsync last night and tried again. (I built directly out of pkg.apache.)
> This time I dump core on startup.
> 
> I would appreciate it if someone who has this working successfully, try
> this out with the provided _sample_ server cert and key. The second cert is
> the ca cert used to issue the server cert. And let me know how it goes. 
>
> [...]
> -BEGIN ENCRYPTED PRIVATE KEY-
> MIIBeDAaBgkqhkiG9w0BBQMwDQQIS0XKnH4OhTICAQUEggFY7p+anDqPJaJbDQMC
> CSqitvjPRt1kg1O98O4bnB+GYiGMZPeFEB537OvRsyrhOpDHaV/JD+c4eMwshgVU
> UUbaXqURzSi2vIV8LfCHUzjtQciJSjL721MHeyhN1z+rILFD8CmXDB2DV/NYjb28
> uVuU7ESIUnfKakRTJz6npj58DvpLJ/DaHJUp9/ap+EYrKgxFf3+A6Nnvr3vRLq1p
> HYngIgSqWDCD9csCrGv9Yu1KCU+ht35nLHbf2+AnLgDtTxHZM2tEh6yhMt/9298L
> HeTygTgcPHjsRd5uv6J3DSQm3Hx90lHrvXCgliL7x1zXbZWKW50D1ZFke2QGJzW9
> l5xZJ7mVMEgjp8KNB/dx2kwE+zeFCQUZYkfnoy36iCsshVZVV5lQEyL553jL71y5
> xdLxh6q/RhVO/UEnFM9Jk0QjxcVwIoNhjhc08ZmaeODm9QnWRCqtb9A7G9c=
> -END ENCRYPTED PRIVATE KEY-

Yeah, the problem is that OpenSSL doesn't know these "ENCRYPTED PRIVATE KEY"
headers. Mod_ssl cannot change this, of course.  The question now is: From
where do they come, i.e. which program created this format?  And what's in
this container? Just a Base64-encoded DER key?

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
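To see what Marc Van Heyningen's description of the container (passed on in Tom's reply above) amounts to, here is an added Python example, not code from the thread or from OpenSSL, that decodes the sample key Tom posted and walks its outer DER structure: a PKCS#8 EncryptedPrivateKeyInfo whose encryptionAlgorithm is a PKCS#5 v1.5 password-based scheme with a salt and an iteration count, followed by the ciphertext whose plaintext is the PKCS#8 PrivateKeyInfo. Only the structure is parsed; nothing is decrypted, the PEM delimiters are written in their standard five-dash form, and the OID name table covers only the PKCS#5 algorithms. OpenSSL's own encrypted key format of the time was a `RSA PRIVATE KEY` PEM block with `Proc-Type` and `DEK-Info` headers, which is why the `ENCRYPTED PRIVATE KEY` label was unknown to it.

```python
"""Walk the outer DER structure of a PEM 'ENCRYPTED PRIVATE KEY' block, i.e. a
PKCS#8 EncryptedPrivateKeyInfo, without decrypting it. Added example; not code
from the thread or from OpenSSL. SAMPLE_PEM is the key Tom posted to the list
(delimiters written in standard PEM form); the OID table covers PKCS#5 only.
"""
import base64

SAMPLE_PEM = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBeDAaBgkqhkiG9w0BBQMwDQQIS0XKnH4OhTICAQUEggFY7p+anDqPJaJbDQMC
CSqitvjPRt1kg1O98O4bnB+GYiGMZPeFEB537OvRsyrhOpDHaV/JD+c4eMwshgVU
UUbaXqURzSi2vIV8LfCHUzjtQciJSjL721MHeyhN1z+rILFD8CmXDB2DV/NYjb28
uVuU7ESIUnfKakRTJz6npj58DvpLJ/DaHJUp9/ap+EYrKgxFf3+A6Nnvr3vRLq1p
HYngIgSqWDCD9csCrGv9Yu1KCU+ht35nLHbf2+AnLgDtTxHZM2tEh6yhMt/9298L
HeTygTgcPHjsRd5uv6J3DSQm3Hx90lHrvXCgliL7x1zXbZWKW50D1ZFke2QGJzW9
l5xZJ7mVMEgjp8KNB/dx2kwE+zeFCQUZYkfnoy36iCsshVZVV5lQEyL553jL71y5
xdLxh6q/RhVO/UEnFM9Jk0QjxcVwIoNhjhc08ZmaeODm9QnWRCqtb9A7G9c=
-----END ENCRYPTED PRIVATE KEY-----"""

PKCS5_OIDS = {
    "1.2.840.113549.1.5.1": "pbeWithMD2AndDES-CBC",
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC",
    "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC",
    "1.2.840.113549.1.5.13": "PBES2 (PKCS#5 v2.0)",
}
PBES2_OID = "1.2.840.113549.1.5.13"   # its parameters have a different shape


def pem_to_der(pem: str):
    """Return (label, DER bytes) for one PEM block."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM block")
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    return label, base64.b64decode("".join(lines[1:-1]))


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: n length octets follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(contents: bytes) -> str:
    """Dotted form of a DER-encoded OBJECT IDENTIFIER."""
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_encrypted_private_key_info(der: bytes) -> dict:
    """EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm, encryptedData OCTET STRING }"""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single outer SEQUENCE")
    tag, alg, pos = read_tlv(body, 0)               # AlgorithmIdentifier
    tag_oid, oid_bytes, apos = read_tlv(alg, 0)
    if tag != 0x30 or tag_oid != 0x06:
        raise ValueError("expected AlgorithmIdentifier { OID, parameters }")
    oid = decode_oid(oid_bytes)
    info = {"algorithm_oid": oid, "algorithm": PKCS5_OIDS.get(oid, "unknown")}
    if apos < len(alg) and oid != PBES2_OID:
        # PKCS#5 v1.5 PBEParameter ::= SEQUENCE { salt OCTET STRING, iterationCount INTEGER }
        _, params, _ = read_tlv(alg, apos)
        tag_salt, salt, ppos = read_tlv(params, 0)
        tag_iter, iters, _ = read_tlv(params, ppos)
        if tag_salt == 0x04 and tag_iter == 0x02:
            info["salt_hex"] = salt.hex()
            info["iteration_count"] = int.from_bytes(iters, "big")
    tag, ciphertext, _ = read_tlv(body, pos)        # encryptedData
    if tag != 0x04:
        raise ValueError("expected encryptedData OCTET STRING")
    info["ciphertext_len"] = len(ciphertext)
    return info


def inspect_pem(pem: str = SAMPLE_PEM) -> dict:
    """Label plus parsed fields; the plaintext (a PKCS#8 PrivateKeyInfo) stays encrypted."""
    label, der = pem_to_der(pem)
    info = {"pem_label": label, "der_len": len(der)}
    info.update(parse_encrypted_private_key_info(der))
    return info


if __name__ == "__main__":
    for key, value in inspect_pem().items():
        print(f"{key:16s} {value}")
```

`openssl asn1parse -in key.pem` prints the same structure from the command line, and current OpenSSL reads this container directly (`openssl pkcs8`), so the mismatch was specific to the releases discussed here. The iteration count of 5 in the sample is also worth noticing: PKCS#5 v1.5 schemes like pbeWithMD5AndDES-CBC offer very little resistance to offline password guessing by today's standards.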



[BugDB] OpenSSL: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 (PR#133)

1999-03-24 Thread bugdb-mod-ssl

Full_Name: Andre Albuquerque
Version: 2.2.6-1.3.6
OS: Linux 2.0.36
Submission from: (NULL) (161.148.222.154)


I have just installed the new mod_ssl-2.2.6-1.3.6 with the new
apache 1.3.6 distrib and openssl 0.9.2b, but, despite a clean
compile, I have the following error while trying to get
a page:

[Wed Mar 24 08:48:23 1999] [error] mod_ssl: SSL handshake failed (client
161.148.222.154, server wwws.visualnet.com.br:443) (OpenSSL library error follows)
[Wed Mar 24 08:48:23 1999] [error] OpenSSL: error:140943FC:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad record mac

Is it a mod_ssl error or an openssl error?

BTW: my system has the following conf:

Linux 2.0.36 (i386)
Apache/1.3.6 
mod_ssl/2.2.6 
OpenSSL/0.9.2b 
PHP/3.0.7

Thanks in advance, Gustavo




Re: POST problem

1999-03-24 Thread Tony Locke

Ralf S. Engelschall wrote:
> Ok, then I've to check now POST+keepalive+redirection, too.  What a nice thing
> that the HTTP protocol has such a lot of esoteric combinations
> possible... I'll investigate when I find time.

Just FYI, I've also come across the POST+keepalive+redirection problem. I think
I'm right in saying it's still a problem because I can't see it in the changes
for 2.2.6.

thanks,

Tony.
--

-
Tony Locke [EMAIL PROTECTED]
Programmer, Open World Limited
-



Re: GSID, mod_ssl and Apache...

1999-03-24 Thread Patrik Carlsson

Ralf S. Engelschall wrote:

> Then this is a client problem! The server cannot do anything here. At least
> Netscape is very smart and remembers that he is reconnecting to a server with
> a GlobalID cert and then _immediately_ starts with a strong cipher and never
> does the stepup again (at least not until it's restarted or the server cert
> changes). But I've not tried this with IE. But it's Microsoft, what have you
> expected...

Yes I know, it's a client problem.
...and Microsoft... nothing more to say about them...

Thanks for your replies, it's always good to hear someone else explain what
you already suspect.

--Patrik






ANNOUNCE: mod_ssl 2.2.6-1.3.6

1999-03-24 Thread Ralf S. Engelschall


Ok, after an additional delay of one week for OpenSSL 0.9.2b and another
tarball rolling round for Apache 1.3.6 (1.3.5 was skipped because of last
minute trouble), we can finally sync the triple Apache+mod_ssl+OpenSSL with
the remaining part: mod_ssl 2.2.6 which both upgrades to Apache and uses the
new session tagging facility of OpenSSL 0.9.2b to make session resumption
again working. Yeah, sometimes it's complicated to write a glue-code module
like Apache which has to sync with two other packages ;-)

Additionally to the Apache upgrade and OpenSSL security issue, this version
introduces the pkg.addon/ stuff. There I'll locate companion patches which
fall neither in the EAPI nor SSL class.  The start are two little goodies: An
EAPI-based mod_define I wrote some time ago with my best friend which provides
a nifty variable expansion feature on arbitrary(!) directive lines.  And a
beautify-patch for mod_status overtaken from Stronghold (only the red "SSL"
column is still missing because cleanness prevents me from patching the
scoreboard with SSL stuff and EAPI is still too weak for this, but that will
change the next weeks).

So, in your own interest (security issues!) you're now encouraged to upgrade
to the triple:
   
   Apache/1.3.6 + mod_ssl/2.2.6 + OpenSSL/0.9.2b

which I now consider as a better combination we ever had. Especially the next
mod_ssl versions will try to massively use the new OpenSSL 0.9.2b code and so
I'll have to drop support for SSLeay 0.9.0b and even OpenSSL 0.9.1c in the
next weeks. Because the next functionality-improvement rounds bring full
DSA/DH support which is only possible with OpenSSL 0.9.2b and higher.
Additionally I'm planning to release general shared memory support for EAPI
which let's us finally create a fast and full in-core inter-process session
cache plus the ability to add inter-process SSL statistics to mod_status. 

Greetings,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.2.6 (18-Mar-1999 to 24-Mar-1999)

   *) Now mod_ssl logs the current Apache, mod_ssl and OpenSSL versions at
  startup which makes it easier to distinguish which software combination
  is actually running by just looking into the log.

   *) Added support for new 56/1024 bit export ciphersuites (idea overtaken
  from Apache-SSL 1.32) and sign-only-certificate situations where
  stronger (1024 instead of 512 bit) temporary keys are reasonable to use.

   *) Upgrade to new upstream version Apache 1.3.6 on vendor branch.
  [Version 1.3.5 was not released because of last minute problems]

   *) *** SECURITY *** SECURITY *** SECURITY ***
  In the OpenSSL project we discovered that a terrible security hole
  exists for _all_ SSLeay/OpenSSL server applications that use virtual
  hosting. Here sessions could be resumed in the wrong context thus
  bypassing client certificate protection! This hole is now fixed in
  OpenSSL 0.9.2b by an ad-hoc solution where SSL sessions cannot be resumed
  unless the server application tags it with a unique context id per
  virtual host. mod_ssl now also performs this tagging to prevent this
  exploit.

   *) Added the nifty EAPI-based mod_define module to the source tree.  This
  module provides variable definitions for arbitrary directive lines,
  i.e.  you can expand ${xxx} on any(!) directive line. This module is
  disabled per default in src/Configuration.tmpl (need an
  --enable-module=define) and it lives in the new pkg.addon area.

   *) Added Stronghold's table look and feel to mod_status' display page.
  This patch is harmless and enabled per default and lives in the new
  pkg.addon area.

   *) Opened another distribution package subdir: pkg.addon/.
  Here addons will be stored which are not directly/physically related to
  mod_ssl and EAPI, but indirectly.

   *) Cleaned up the generation of the signature table in ap_hook.c
  and updated the hook list with the still missing vendor hooks.

   *) Renamed recently added vendor hooks from ssl::vendor::xxx to
  ap::mod_ssl::vendor::xxx to be consistent with remaining EAPI hook
  names.

   *) Upgrade to new upstream version Apache 1.3.5 on vendor branch

   *) Fixed a segfault in the HTTPS support for mod_proxy which
  occurred when the proxy couldn't connect to the remote host.

   *) Be 100% conservative and clean and use SSL_clean() after SSL_new().




Re: Basic auth with SSL - again

1999-03-24 Thread Ralf S. Engelschall

On Tue, Mar 23, 1999, Achille M. Luongo wrote:

> > > I installed Apache/1.3.3 (Win32) mod_ssl/mod_ssl/2.1b8 SSLeay/0.9.0b.
> > 
> > 2.1b8? Oh, that's really _OLD_, I hope you know this.  I've no clue on your
> > problem, but this is the first version which ran on Win32, so I strongly
> > suggest that you upgrade to 2.2.5. Because the chance is high that this was
> > implicitly solved by the changes since 2.1b8.
> 
>   Thanks for the answer, Ralf. My problem is that I can't build
> applications under Win32 platform.
> 
>   Is anybody able to build and upload on
> ftp://contrib:[EMAIL PROTECTED]/sw/mod_ssl/ (read/write
> access) an updated version of Apache (Win32) with mod_ssl/mod_ssl/2.2.5
> ?

Perhaps one of the Win32 users can put a binary there.  I cannot do it,
because my Win32 box is still totally messed up. 

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: GSID, mod_ssl and Apache...

1999-03-24 Thread Ralf S. Engelschall

On Tue, Mar 23, 1999, Patrik Carlsson wrote:

> Ralf S. Engelschall wrote:
> 
> > Don't look at Microsoft papers when you want to understand anything, please.
> > Instead look inside the SSLv3 spec or the TLSv1 RFC.  Yes, the stuff is called
> > renegotiation of parameters and is nothing more than a new SSL handshake, of
> > course. The interesting point is just that an SSL handshake can occur at any
> > time and not only at startup of a new connection ;-)
> 
> I've some experience with another web server and IE clients. IE seems to
> renegotiate very often which is, maybe good when looking at security, but
> performance suffers and if you plan to use the SSL session id for logging or
> just tracking sessions, you can just forget it... ;-(

Then this is a client problem! The server cannot do anything here. At least
Netscape is very smart and remembers that he is reconnecting to a server with
a GlobalID cert and then _immediately_ starts with a strong cipher and never
does the stepup again (at least not until it's restarted or the server cert
changes). But I've not tried this with IE. But it's Microsoft, what have you
expected...

> A couple of weeks ago I managed to tag my CA certificate according to your
> instructions in the README.GlobalID document - which is really a very good
> and well written document! But it didn't work when I put the pieces together using
> Apache/1.3.4 and mod_ssl/2.1.8. It went quite fast and I should try it again this
> easter, but do you (or any one else) have any other tips/experiences which isn't
> mentioned in the documents?

No, I've written down all details I had about this topic and it worked fine
for me with some with my mod_ssl 2.1.x and Netscape 4.05 (at this time).  I
recommend you to enable "SSLLogLevel debug" and look what's going on.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: [BugDB] Mod_SSL and PHP 3.0.7? (PR#132)

1999-03-24 Thread bugdb-mod-ssl

On Wed, Mar 24, 1999, [EMAIL PROTECTED] wrote:

> Full_Name: John Hoffmann
> Version: 2.2.5-1.3.4
> OS: Solaris 2.6
> Submission from: stargate.trytel.com (209.167.85.20)
> 
> I'm trying to switch from StrongHold 2.4 to Apache 1.3.4 with
> mod_ssl, and I must say the installation went 200 times easier.  
> One thing I am having a problem with however is getting PHP 3 to 
> work at all.
> 
> I recently compiled StrongHold with mod_auth_mysql-2.20, php 2.01
> and php 3.0.7 and it worked fine, but when I compile these same
> modules into Apache 1.3.4 with mod_ssl the php3 engine seems to die.
> When accessing a .php3 page I simply get a "The document contains no
> data".  PHP 2 pages work fine.  I've checked my configuration:
> 
> srm.conf:AddType application/x-httpd-php3 .php3
> 
> But no PHP 3 pages will return any data.  Any ideas at all?

No, I'm neither using PHP3 myself nor have deep experiences with it, so I
cannot help you very much. But because this doesn't look like it's really
mod_ssl related, I recommend you to write to the PHP3 support mailing lists.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
