RE: Apache wouldn't start with -DSSL
I noticed that, with SSLeay 0.9.0b, apache would not start with -DSSL if you specify an invalid path name for SSL log files. As in your case, no error message goes into the logs.

Juergen

-----Original Message-----
From: Rauznitz Balazs [SMTP:[EMAIL PROTECTED]]
Sent: Monday, March 29, 1999 11:17 AM
To: [EMAIL PROTECTED]
Subject: Re: Apache wouldn't start with -DSSL

--- "Ralf S. Engelschall" <[EMAIL PROTECTED]> wrote:
> On Sun, Mar 28, 1999, Rauznitz Balazs wrote:
>
> > I just compiled the new Apache, but have strange problems when starting
> > with -DSSL. It wouldn't give any error, only:
> >
> > /napache/apache/bin/apachectl startssl: httpd could not be started

__
Apache Interface to OpenSSL (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
RE: Practical solution for MSIE problems!?
The problem still exists on https://en4.engelschall.com/manual/mod/mod_ssl

hmmm... I am checking further, will post more shortly.

John

> I've already applied the patch and the above two directives to the
> server on en4.engelschall.com, so for a quick test, those who still had
> problems there can now again connect to https://en4.engelschall.com/ with the
> MSIE clients and try again. I really hope the problems are now gone. When
> not, I've no more clue what we can do...
>
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com
Re: Apache wouldn't start with -DSSL
--- "Ralf S. Engelschall" <[EMAIL PROTECTED]> wrote:
> On Sun, Mar 28, 1999, Rauznitz Balazs wrote:
>
> > I just compiled the new Apache, but have strange problems when starting
> > with -DSSL. It wouldn't give any error, only:
> >
> > /napache/apache/bin/apachectl startssl: httpd could not be started
> >
> > I'm setting LogLevel and LogSSLLevel to Debug, but still get no info in
> > the error_log file and only this in the ssl_engine_log:
> >
> > [28/Mar/1999 10:28:30] [info] Server: Apache/1.3.6, Interface: mod_ssl/2.2.6, Library: OpenSSL/0.9.2b
> > [28/Mar/1999 10:28:30] [info] Init: 1st startup round (still not detached)
> > [28/Mar/1999 10:28:30] [info] Init: Initializing OpenSSL library
> > [28/Mar/1999 10:28:30] [info] Init: Loading certificate & private key of SSL-aware server localhost.localdomain:8443
> >
> > When I start without -DSSL, then everything's fine...
> > When I built the httpd I got no errors and did all "make test"-s and
> > they also succeeded.
> > I have Linux 2.0.x ; gcc 2.7.2.3
> >
> > I have a feeling that, I'm missing something; what is that ?
>
> A few points:
>
> 1. Don't intermix apachectl's startssl with a manual -DSSL
>    option for httpd. Either use "apachectl startssl" _OR_
>    "httpd -DSSL" to start Apache.

Yeah, when I try httpd -DSSL it gives a core dump.

> 2. You should see a lot more entries in the ssl_engine_log
>    with "SSLLogLevel debug", of course.

I swear I have SSLLogLevel debug and LogLevel debug and only the 4 lines in
ssl_engine_log. And there is nothing written to error_log.

> 3. Apache has no "make test", so I think you're speaking
>    about OpenSSL here.

You're right; I did OpenSSL and mod_perl tests.

Thankx,
Balazs
Re: [BugDB] modssl 2.2.6 broken ? (PR#141)
Have you created a new server certificate? This sounds familiar. If I remember correctly, you'll have to go to Security->Web Sites in your browser and delete the server certificate entry for this site.

-Tom

[EMAIL PROTECTED] writes:
> Full_Name: Ronan-Yann Lorin
> Version: 2.2.6
> OS: Linux
> Submission from: nt.adesium-services.fr (195.101.47.132)
>
> Hi,
>
> I've been using ModSSL 2.2.2 for a while without any problem on my Linux Box
> (Mandrake 5.3).
>
> I upgraded to mod_ssl 2.2.6 and can't get it running anymore. I'm using SSLEay
> 0.9.0b and linux 2.2.3..
>
> The problem is the following:
> I connect to my server with https://lorin.adesium-services.fr with Netscape 4.5.
> Netscape gives me the (test) certificate acceptance dialogs, then the "check
> name" dialog, then get an:
> Netscape has encountered bad data from the server.
>
> I get the following messages from ssl_engine_log:
> [27/Mar/1999 17:32:51] [info] Connection to child 2 established (server lorin.adesium-services.fr:443)
> [27/Mar/1999 17:33:10] [info] SSL handshake stopped: connection was closed
>
> Any idea?
>
> Thanks in advance for your help.
Practical solution for MSIE problems!?
As you know, we've discovered nasty problems with MSIE clients which seem to be related to the recently fixed SSL close notify stuff. Because the current code _IS_ already correct and standard compliant, I cannot change anything to make MSIE happy again. Nevertheless we need a solution.

So I've today thought about the situation and found a practical solution which will occur with 2.2.7: The behaviour on connection close can be now adjusted on a per request basis. This way one can for instance force a different type of shutdown approach for MSIE clients. Basically there are three approaches:

1. the unclean approach where no close notify alerts are sent or received (violates the SSL/TLS standard),
2. the accurate approach where close notify alert is sent and the close notify of the client received (can cause hanging connections) and
3. (the default!) where mod_ssl sends the close notify but doesn't wait for the client's close notify (which _IS_ standard compliant!).

Approach 1.) can be forced with a variable ssl-unclean-shutdown and 2.) can be forced with a variable ssl-accurate-shutdown.

So, those of you who've still problems with MSIE clients, should now apply the appended patch to ssl_engine_kernel.c and add the following line to the SSL-aware virtual host:

    SetEnvIf User-Agent "^MSIE.*" ssl-unclean-shutdown

This forces mod_ssl 2.2.6 to behave like mod_ssl 2.1 on connection close and this way should solve the MSIE problems. Additionally you can use

    SetEnvIf User-Agent "^MSIE.*" nokeepalive

to avoid keep-alive situations with MSIE. Please try this out and give me feedback.

I've already applied the patch and the above two directives to the server on en4.engelschall.com, so for a quick test, those who still had problems there can now again connect to https://en4.engelschall.com/ with the MSIE clients and try again. I really hope the problems are now gone. When not, I've no more clue what we can do...

Ralf S.
Engelschall [EMAIL PROTECTED] www.engelschall.com Index: ssl_engine_kernel.c === RCS file: /e/modssl/REPOS/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v retrieving revision 1.75 retrieving revision 1.76 diff -u -r1.75 -r1.76 --- ssl_engine_kernel.c 1999/03/23 09:52:45 1.75 +++ ssl_engine_kernel.c 1999/03/28 18:50:09 1.76 @@ -438,6 +438,7 @@ void ssl_hook_CloseConnection(conn_rec *conn) { SSL *ssl; +char *cpType; ssl = ap_ctx_get(conn->client->ctx, "ssl"); if (ssl == NULL) @@ -475,8 +476,28 @@ * 4.x) don't send one, so we would hang. */ -/* send close notify message */ -SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN); +/* + * exchange close notify messages, but allow the user + * to force the type of handshake via SetEnvIf directive + */ +if (ap_ctx_get(conn->client->ctx, "ssl::flag::unclean-shutdown") == (void *)1) { +/* perform no close notify handshake at all + (violates the SSL/TLS standard!) */ +SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); +cpType = "unclean"; +} +else if (ap_ctx_get(conn->client->ctx, "ssl::flag::accurate-shutdown") == (void +*)1) { +/* send close notify and wait for clients close notify + (standard compliant, but usually causes connection hangs) */ +SSL_set_shutdown(ssl, 0); +cpType = "accurate"; +} +else { +/* send close notify, but don't wait for clients close notify + (standard compliant and safe, so it's the DEFAULT!) */ +SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN); +cpType = "standard"; +} SSL_smart_shutdown(ssl); /* deallocate the SSL connection */ @@ -485,8 +506,8 @@ /* and finally log the fact that we've closed the connection */ ssl_log(conn->server, SSL_LOG_INFO, -"Connection to child %d closed (server %s)", -conn->child_num, ssl_util_vhostid(conn->pool, conn->server)); +"Connection to child %d closed with %s shutdown (server %s)", +conn->child_num, cpType, ssl_util_vhostid(conn->pool, conn->server)); return; } 
@@ -529,6 +550,9 @@ if (ap_ctx_get(r->connection->client->ctx, "ssl") == NULL) return DECLINED; +/* + * Log information about incoming HTTPS requests + */ ssl_log(r->server, SSL_LOG_INFO, "%s HTTPS request received for child %d (server %s)", r->connection->keepalives <= 0 ? @@ -537,6 +561,19 @@ r->connection->keepalives+1), r->connection->child_num, ssl_util_vhostid(r->pool, r->server)); + +/* + * Move SetEnvIf information from request_rec to conn_rec/BUFF + * to allow the close connection handler to use them. + */ +if (ap_table_ge
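Review bot: in the @@ -475,8 +476,28 @@ hunk both flag tests compare ap_ctx_get(...) against the bare sentinel (void *)1, so the code that stores the flag and the two readers agree on that value by convention only; a named macro for the sentinel would keep them from drifting apart. In the same hunk the unclean branch sets SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN so that no close notify is sent at all, which its own comment marks as violating the SSL/TLS standard; the comment should also say that this branch is meant only for clients selected via SetEnvIf, because a peer that receives no close notify cannot tell an orderly close from a truncated connection.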
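Review bot: char *cpType, declared in the @@ -438,6 +438,7 @@ hunk, only ever receives the string literals "unclean", "accurate" and "standard" and is read once as a %s argument to ssl_log in the @@ -485,8 +506,8 @@ hunk, so it should be declared const char *cpType. The changed log format also alters the text of the "Connection to child %d closed" line, which is worth a CHANGES entry for anyone who parses ssl_engine_log.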
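Review bot: the @@ -537,6 +561,19 @@ hunk copies the SetEnvIf result from the request_rec into the connection context, but the connection outlives a single request under keep-alive and the visible lines (the hunk is cut off on this page) do not show the flag being cleared when a later request on the same connection does not set the variable. The comment should state which request decides the shutdown type, and the code should reset both ssl::flag::unclean-shutdown and ssl::flag::accurate-shutdown on each request before setting them again.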
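The patch makes the close line in ssl_engine_log record the shutdown type, so the log can be audited for how often the non-compliant unclean shutdown is really applied. The following is an added example, not part of the original post or of mod_ssl: it tallies shutdown types per virtual host, with function names, the 0.5 threshold and the sample log lines all constructed here from the format string in the patch.

```python
import re
from collections import Counter, defaultdict

# Line written by the patched ssl_hook_CloseConnection():
#   "Connection to child %d closed with %s shutdown (server %s)"
# preceded by the "[date] [level]" stamp seen in ssl_engine_log.
CLOSE_RE = re.compile(
    r"^\[[^\]]+\] \[\w+\] Connection to child \d+ closed with "
    r"(?P<type>unclean|accurate|standard) shutdown "
    r"\(server (?P<server>[^)]+)\)\s*$"
)

def tally_shutdowns(lines):
    """Return {server: Counter(shutdown type -> count)} for close events."""
    per_server = defaultdict(Counter)
    for line in lines:
        m = CLOSE_RE.match(line)
        if m:  # skips handshake lines and pre-patch "closed (server ...)" lines
            per_server[m.group("server")][m.group("type")] += 1
    return dict(per_server)

def unclean_ratio(counts):
    """Fraction of logged closes that skipped the close notify entirely."""
    total = sum(counts.values())
    return counts["unclean"] / total if total else 0.0

def flag_servers(per_server, threshold=0.5):
    """Servers whose unclean share exceeds threshold (assumed cut-off),
    a hint that the SetEnvIf match covers more clients than intended."""
    return sorted(s for s, c in per_server.items()
                  if unclean_ratio(c) > threshold)

# Constructed sample input, not real log data.
SAMPLE_LOG = """\
[29/Mar/1999 09:00:01] [info] Connection to child 2 established (server www.example.com:443)
[29/Mar/1999 09:00:02] [info] Connection to child 2 closed with unclean shutdown (server www.example.com:443)
[29/Mar/1999 09:00:05] [info] Connection to child 3 closed with standard shutdown (server www.example.com:443)
[29/Mar/1999 09:00:09] [info] Connection to child 4 closed with standard shutdown (server www.example.com:443)
[29/Mar/1999 09:01:10] [info] Connection to child 1 closed with unclean shutdown (server intranet.example.com:8443)
[29/Mar/1999 09:01:12] [info] Connection to child 1 closed with unclean shutdown (server intranet.example.com:8443)
[29/Mar/1999 09:01:20] [info] Connection to child 5 closed with accurate shutdown (server intranet.example.com:8443)
[29/Mar/1999 09:02:00] [info] Connection to child 6 closed (server www.example.com:443)
""".splitlines()

if __name__ == "__main__":
    tally = tally_shutdowns(SAMPLE_LOG)
    for server, counts in sorted(tally.items()):
        print(server, dict(counts), f"unclean={unclean_ratio(counts):.0%}")
    print("review:", flag_servers(tally))
```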
Re: Apache wouldn't start with -DSSL
On Sun, Mar 28, 1999, Rauznitz Balazs wrote:

> I just compiled the new Apache, but have strange problems when starting
> with -DSSL. It wouldn't give any error, only:
>
> /napache/apache/bin/apachectl startssl: httpd could not be started
>
> I'm setting LogLevel and LogSSLLevel to Debug, but still get no info in
> the error_log file and only this in the ssl_engine_log:
>
> [28/Mar/1999 10:28:30] [info] Server: Apache/1.3.6, Interface: mod_ssl/2.2.6, Library: OpenSSL/0.9.2b
> [28/Mar/1999 10:28:30] [info] Init: 1st startup round (still not detached)
> [28/Mar/1999 10:28:30] [info] Init: Initializing OpenSSL library
> [28/Mar/1999 10:28:30] [info] Init: Loading certificate & private key of SSL-aware server localhost.localdomain:8443
>
> When I start without -DSSL, then everything's fine...
> When I built the httpd I got no errors and did all "make test"-s and
> they also succeeded.
> I have Linux 2.0.x ; gcc 2.7.2.3
>
> I have a feeling that, I'm missing something; what is that ?

A few points:

1. Don't intermix apachectl's startssl with a manual -DSSL
   option for httpd. Either use "apachectl startssl" _OR_
   "httpd -DSSL" to start Apache.

2. You should see a lot more entries in the ssl_engine_log
   with "SSLLogLevel debug", of course.

3. Apache has no "make test", so I think you're speaking
   about OpenSSL here.

4. When Apache+mod_ssl doesn't startup you really should find
   the error in the error_log. At least I do not know any part
   in mod_ssl where an exit() is done but no error written.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: [BugDB] Apache graceful restart Problem with Virtual Hosts (PR#143)
On Sun, Mar 28, 1999, [EMAIL PROTECTED] wrote:

> Full_Name: Victor Burwitz
> Version: mod_ssl/2.1.6 SSLeay/0.9.0b
> OS: Linux S.u.S.E. 6.0
> Submission from: ppp158.stud.tu-darmstadt.de (130.83.177.158)
>
> Apache can not restart with the option graceful
> when using Virtual Hosts.
>
> The situation is:
> - Apache is running
> - a new virtual host (one on Port 80 + one on 443) is added
>   to the old ones in httpd.conf
> - "apachectl graceful" is executed
> - Apache kills all processes, just one is left (I think it
>   was the root process) which does not answer anymore
> - "apachectl stop;apachectl start" works always fine
>   but we need graceful
> - the certificate is for "*.domain.de" and every Virtual
>   Host uses it
>
> Everything works fine when a Virtual Host is just renamed (the
> Domain) or deleted
>
> After the last Apache process is killed by hand everything works
> fine with graceful, till the next new Virtual Host is created.

I've not checked the CHANGES entries, but I think that the problem I've fixed for mod_ssl 2.2 recently. At least with mod_ssl 2.2.6 both full and graceful restarts work fine. I've tested it myself last weeks. So please upgrade to the latest mod_ssl version.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Apache wouldn't start with -DSSL
Hello,

I just compiled the new Apache, but have strange problems when starting with -DSSL. It wouldn't give any error, only:

/napache/apache/bin/apachectl startssl: httpd could not be started

I'm setting LogLevel and LogSSLLevel to Debug, but still get no info in the error_log file and only this in the ssl_engine_log:

[28/Mar/1999 10:28:30] [info] Server: Apache/1.3.6, Interface: mod_ssl/2.2.6, Library: OpenSSL/0.9.2b
[28/Mar/1999 10:28:30] [info] Init: 1st startup round (still not detached)
[28/Mar/1999 10:28:30] [info] Init: Initializing OpenSSL library
[28/Mar/1999 10:28:30] [info] Init: Loading certificate & private key of SSL-aware server localhost.localdomain:8443

When I start without -DSSL, then everything's fine...
When I built the httpd I got no errors and did all "make test"-s and they also succeeded.
I have Linux 2.0.x ; gcc 2.7.2.3

I have a feeling that, I'm missing something; what is that ?

Thankx,
Balazs
[BugDB] Apache graceful restart Problem with Virtual Hosts (PR#143)
Full_Name: Victor Burwitz
Version: mod_ssl/2.1.6 SSLeay/0.9.0b
OS: Linux S.u.S.E. 6.0
Submission from: ppp158.stud.tu-darmstadt.de (130.83.177.158)

Apache can not restart with the option graceful when using Virtual Hosts.

The situation is:
- Apache is running
- a new virtual host (one on Port 80 + one on 443) is added to the old ones in httpd.conf
- "apachectl graceful" is executed
- Apache kills all processes, just one is left (I think it was the root process) which does not answer anymore
- "apachectl stop;apachectl start" works always fine but we need graceful
- the certificate is for "*.domain.de" and every Virtual Host uses it

Everything works fine when a Virtual Host is just renamed (the Domain) or deleted

After the last Apache process is killed by hand everything works fine with graceful, till the next new Virtual Host is created.

Thanx