Re: network error when connecting to mod_ssl apache
Sorry. I made a mistake. I used SSLeay instead of openssl. Sorry for the inconvenience caused.

Regards
Alan

Alan Kong wrote:

I have started with "./apachectl startssl" and checked with "ps" that the http did start with http -DSSL. When running "make certificate", I used my host information instead of "snake oil" in creating the keys and certificates. I was using the certificate created by myself instead of from CA's.

Regards
Alan

Mario Luis Peralta wrote:

Alan Kong wrote:

Hi, I am new to this list. I compiled apache 1.3.4 + mod_ssl-2.2.2-1.3.4 with ssl0.9 without problem. The apache server was running on Solaris 2.6. The server keys and certificate were created with my server information using "make certificate". I had no problem in connecting to the apache server with "netscape" through "http". When I connect with "https", I received the following message:

A network error occurred. Unable to connect to server (TCP error: Connection reset by peer) The server may be down or unreacheable.

Could you advise what I have done wrong? Thank you.

Regards
Alan

Start apache with "apachectl startssl". This defines the option -DSSL which is needed by some definitions in the configuration file (see httpd.conf, IfDefine SSL)

__ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
mod_ssl conflicts with mod_define?
I'm puzzled...

I recently installed mod_ssl (2.2.0), and I've set up my configuration file to use mod_define (as distributed with mod_ssl). It works, and it really makes my life more convenient...

...until I try starting up in ssl mode (apachectl startssl). All of a sudden, apache parses the config file as if mod_define didn't exist, and it ignores the 'Define' directives in the file. Apache goes looking for a document root called ${document_root}, and mod_ssl goes looking for a certificate in ${server_root}. Since there isn't a directory called ${server_root} on my system, this is causing some confusion.

Has anyone else encountered this situation?

Misc. info: Apache 1.3.6/Mod_ssl 2.2.0/Irix 6.5

Thanks for your help,

-- Lars

--
Lars Kellogg-Stedman [EMAIL PROTECTED]
RPM for RH6
Hi !!!

Just uploaded latest RPMs for apache-mod_ssl and openssl 0.9.2. Built on a RH5.2 box but with patches to make them for on RH6.0. They must run on 5.2 and 6.0 systems.

PS: Users of mod-php3, you also have to get imap-4.5-4 I will upload to incoming.redhat.com, since imap released by Redhat didn't contain libimap.

RE-PS: Since FTP transfer failed openssl-0.9.2b-3.src.rpm is bad. If there is an openssl-0.9.2b-3.src.rpm.good, get this one. If absent then Ralf has done the necessary cleaning...

Henri Gomez [EMAIL PROTECTED]
S.L.I.B
5 Place Charles Béraudier
69428 Lyon Cedex 03
Tel: 0472367723
Fax: 0472367778
ModSSL Breaks Apache
I'm having a lot of problems. First the RSAref library that openssl tells me to use doesn't exist, rsa is not giving it out anymore.

Then OpenSSL compiles fine. Mod_SSL compiles fine. I am following the instructions given in the mod_ssl tarball. Anyway when I get down to compiling Apache I see this, after lots of other standard compiler output.

=== src/modules/standard
=== src/modules/ssl
gcc -c -I../../os/unix -I../../include -DLINUX=2 -DMOD_SSL=202108 -DUSE_HSREGEX -DEAPI `../../apaci` -DSSL_COMPAT -I/root/openssl-0.9.2b/include -DMOD_SSL_VERSION=\"2.2.8\" mod_ssl.c
In file included from mod_ssl.c:65:
mod_ssl.h:282: ndbm.h: No such file or directory
make[4]: *** [mod_ssl.o] Error 1
make[3]: *** [all] Error 1
make[2]: *** [subdirs] Error 1
make[2]: Leaving directory `/root/apache_1.3.6/src'
make[1]: *** [build-std] Error 2
make[1]: Leaving directory `/root/apache_1.3.6'
make: *** [build] Error 2
[root@www apache_1.3.6]#
--

This is quite distressing. I notice that in the INSTALL doc there is mention of ndbm (whatever that is) and that it should be "included by my vendor". Anybody know how to fix this?
Re: SSL session id?
[EMAIL PROTECTED] on 99-05-17 17:31:40
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: (bcc: Lena Lindström/OMT/OMGROUP)
Subject: Re: SSL session id?

"Ralf S. Engelschall" [EMAIL PROTECTED] writes:

On Mon, May 17, 1999, [EMAIL PROTECTED] wrote:

Is it possible to get the SSL session id for further handling in my servlet? In the ssl_engine_log I can see the request with [info] Connection: Client IP: xx.xx.xx.xx... Is it possible to send this session information to my servlet for further handling? I have the mod_jserv installed and would like to get some session information to my java servlet that I can handle my client authorization. Tricky questions for me, but perhaps easy for someone else :)

I've never used mod_jserv myself and do not know its code. But per default you cannot get the session id (and I see no real reason why you should), but

So other modules can use the SSL Session ID as a key into their own session data hash table. I brought this up a month or so ago.

with two or three EAPI-related lines in mod_jserv and mod_ssl you could retrieve this information from mod_ssl, I think.

I'll try to post a patch for this...

-Tom

--
Tom Vaughan tvaughan at aventail dot com

I would really like to get that patch if possible.

I have found out how to set an environment variable in jserv_ajpv11.c (ajpv11_handler) which is the connection between the web server and the java extension (servlet). I use the ap_table_addn() function and create a dummy environment variable that reaches my servlet. Fine.

I am still confused about how to get the SSL-session-session_id from there. I tried to get the information in the different routines that use SSL in ssl_engine_kernel.c. Unfortunately all SSL information is empty (NULL) and I hoped to find the session_id from there and set the environment to the request, but no luck.

Does anyone have any more hints how to proceed in the matter?

/Lena
Apache ssl question
Hi all,

I have tried a couple of things and was looking to see if someone could give me a shove in the right direction. I am running apache 1.3.6 with mod_ssl-2.2.8-1.3.6 and openssl-0.9.2b. I can get the server to work in https mode, but would like to restrict this to only certain pages, 99.9% of traffic is http. If someone could send me a sample config or point me to where I could find one I would greatly appreciate it!

Thanks
Aaron Woldman
Vision Net Ltd
RE: RPM for RH6
Oops. All RPMs can be found at: http://www.modssl.org/contrib/
Re: Message when starting ssl
just a trivial question: why is it that only the last virtual host is stated when starting ssl? I've got a few virtual hosts and I've noticed that only the last one (in the httpd.conf file) is displayed. Bit intrigued ...

Maybe you tried to use name based virtual ssl hosts? With SSL you can use ip based virtual hosts only, as described in the mod_ssl documentation.

oki,
Steffen
need help! please..
Hi all,

I try to create and use my own CA. I followed the steps in the F.A.Q. in modssl.org webpage and at the end I ran sign.sh script from mod_ssl-2.2.8 distribution. It gave me this message:

error 7 at 0 depth lookup:certificate signature failure

Is that normal? But it also told me that the database has been updated, CA verifying: server.crt - CA cert.

Please help!

TIA
pe'

--
UNIX System Admin.
Distributed Computing Services
Lake Superior State University
650 W. Easterday Ave.
Sault Ste. Marie. MI 49783 USA.
Re: RPM for RH6
PS: Users of mod-php3, you also have to get imap-4.5-4 I will upload to incoming.redhat.com, since imap released by Redhat didn't contain libimap.

Could you please upload to a more accessible location, since the redhat incoming location is almost always overloaded?

Thanks,
Harry
Re: ModSSL Breaks Apache
You are using Linux w/ glibc 2.1, correct (RH 6.0, possibly)? You must change the mod_ssl.h header file to read #include <db1/ndbm.h> instead of #include <ndbm.h>. With glibc 2.1 systems, the location of ndbm.h has changed.

Dave Neuer

-Original Message-
From: nreese [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Wednesday, May 19, 1999 10:00 AM
Subject: ModSSL Breaks Apache

I'm having a lot of problems. First the RSAref library that openssl tells me to use doesn't exist, rsa is not giving it out anymore.

Then OpenSSL compiles fine. Mod_SSL compiles fine. I am following the instructions given in the mod_ssl tarball. Anyway when I get down to compiling Apache I see this, after lots of other standard compiler output.

--- -
=== src/modules/standard
=== src/modules/ssl
gcc -c -I../../os/unix -I../../include -DLINUX=2 -DMOD_SSL=202108 -DUSE_HSREGEX -DEAPI `../../apaci` -DSSL_COMPAT -I/root/openssl-0.9.2b/include -DMOD_SSL_VERSION=\"2.2.8\" mod_ssl.c
In file included from mod_ssl.c:65:
mod_ssl.h:282: ndbm.h: No such file or directory
make[4]: *** [mod_ssl.o] Error 1
make[3]: *** [all] Error 1
make[2]: *** [subdirs] Error 1
make[2]: Leaving directory `/root/apache_1.3.6/src'
make[1]: *** [build-std] Error 2
make[1]: Leaving directory `/root/apache_1.3.6'
make: *** [build] Error 2
[root@www apache_1.3.6]#
--- -
--

This is quite distressing. I notice that in the INSTALL doc there is mention of ndbm (whatever that is) and that it should be "included by my vendor". Anybody know how to fix this?
Re: ModSSL Breaks Apache
nreese wrote:

I'm having a lot of problems. First the RSAref library that openssl tells me to use doesn't exist, rsa is not giving it out anymore.

As I recently pointed out, stick "http://ftpsearch.lycos.com" into a browser and search for: rsaref20.tar.Z .. there are a plethora of sites holding valid archive images.

Then OpenSSL compiles fine. Mod_SSL compiles fine. I am following the instructions given in the mod_ssl tarball. Anyway when I get down to compiling Apache I see this, after lots of other standard compiler output.

=== src/modules/standard
=== src/modules/ssl
gcc -c -I../../os/unix -I../../include -DLINUX=2 -DMOD_SSL=202108 -DUSE_HSREGEX -DEAPI `../../apaci` -DSSL_COMPAT -I/root/openssl-0.9.2b/include -DMOD_SSL_VERSION=\"2.2.8\" mod_ssl.c
In file included from mod_ssl.c:65:
mod_ssl.h:282: ndbm.h: No such file or directory
make[4]: *** [mod_ssl.o] Error 1
make[3]: *** [all] Error 1
make[2]: *** [subdirs] Error 1
make[2]: Leaving directory `/root/apache_1.3.6/src'
make[1]: *** [build-std] Error 2
make[1]: Leaving directory `/root/apache_1.3.6'
make: *** [build] Error 2
[root@www apache_1.3.6]#
--

This is quite distressing. I notice that in the INSTALL doc there is mention of ndbm (whatever that is) and that it should be "included by my vendor". Anybody know how to fix this?

Not without you providing more details on your platform (although I'm very willing to guess you're talking about RedHat 6.0) .. see my post from last week for a complete build list to generate this package on RH6.0.

--
Regards, Dave
P: [EMAIL PROTECTED] W: [EMAIL PROTECTED]
Ubergeek - AnglersWeb, Inc / W3Works, LLC
Data Monger - Gestalt Technology, LLC
"Why is the machine faster?" "We lubricated the sticky bits, it's much smoother now."
[PATCH] ssl session id as environment var
This patch makes the ssl session id available via the environment variable SSL_SESSION_ID. Apache modules may obtain this ssl session id via the "ap::mod_ssl::var_lookup" EAPI hook.

The value of this ssl session id is actually the concatenation of the hex representation of each byte in the ssl session id. For example, running this through printenv produces:

SSL_SESSION_ID = bd1c692524d2d3648cb8c87bf7484eb5dd81777659b479b2dbfbc3ec5d2

The idea behind this is to make the ssl session id available so that other modules may use the ssl session id as a `key' into their own session table.

-Tom

Index: ssl_engine_kernel.c === RCS file: /usr/aventail/src/cvsroot/sdk/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v retrieving revision 1.85 diff -u -3 -r1.85 ssl_engine_kernel.c --- ssl_engine_kernel.c 1999/05/14 15:37:50 1.85 +++ ssl_engine_kernel.c 1999/05/19 23:14:45 @@ -1041,6 +1041,7 @@ "SSL_SERVER_I_DN_Email", "SSL_SERVER_A_KEY", "SSL_SERVER_A_SIG", +"SSL_SESSION_ID", NULL }; Index: ssl_engine_vars.c === RCS file: /usr/aventail/src/cvsroot/sdk/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_vars.c,v retrieving revision 1.34 diff -u -3 -r1.34 ssl_engine_vars.c --- ssl_engine_vars.c 1999/05/18 09:14:59 1.34 +++ ssl_engine_vars.c 1999/05/19 23:28:11 @@ -309,6 +309,22 @@ if ((xs = SSL_get_certificate(ssl)) != NULL) result = ssl_var_lookup_ssl_cert(p, xs, var+7); } +else if (strlen(var) == 10 strcEQn(var, "SESSION_ID", 10)) { + SSL_SESSION *pSession = NULL; + int i; + + ssl = ap_ctx_get(c-client-ctx, "ssl"); + if (ssl != NULL) { + pSession = SSL_get_session(ssl); + if (pSession != NULL) { + result = ""; + for (i = 0; i SSL_MAX_SSL_SESSION_ID_LENGTH; i++) { + result = ap_psprintf(p, "%x%s", +pSession-session_id[i], + +result); + } + } + } + } return result; }

--
Tom Vaughan tvaughan at aventail dot com
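Review bot: In the ssl_engine_vars.c hunk, the loop that builds the value formats each byte with "%x" and no field width, so every byte below 0x10 contributes one hex digit instead of two. The sample value in the description is 59 characters long, and a byte-wise hex dump always has an even length, so the example itself has already lost leading zeros. Since the string is proposed as a key into other modules' session tables, two different session ids can render to the same text; use "%02x". The same loop runs to SSL_MAX_SSL_SESSION_ID_LENGTH rather than to the session's own id length (session_id_length in the SSL_SESSION structure), so an id shorter than the maximum is extended with whatever bytes follow it in the buffer. It also puts the new byte in front of result on each pass (the format is "%x%s" with the byte as the first argument), which emits the id in reverse byte order and allocates a fresh pool string per byte; iterating over the real length and appending into one buffer fixes both.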
[PATCH] canonical ssl server name and port
This patch[1] adds two new directives, SSLServerName and SSLServerPort. The idea behind these two directives is to associate a SSL-aware Apache server, with a non SSL-aware Apache server. For example:

One could have in httpd.conf:

Listen 80
Listen 443
SSLServerName ssl.foobar.org
SSLServerPort 443

<VirtualHost ssl.foobar.org:443>
SSLEngine On
[...other directives...]
</VirtualHost>

<VirtualHost www.xyzzy.com:80>
SSLServerName ssl.xyzzy.com
SSLServerPort 443
[...other directives...]
</VirtualHost>

<VirtualHost ssl.xyzzy.com:443>
SSLEngine On
[...other directives...]
</VirtualHost>

Then you could write a module[2] that could, when necessary, redirect to an appropriate SSL-aware server whenever SSL is required.

No, this will not work with name-based virtual hosts.

If this patch is accepted, I'd be happy to follow up with documentation.

Thanks,
Tom

[1]
Index: mod_ssl.c === RCS file: /usr/aventail/src/cvsroot/sdk/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.c,v retrieving revision 1.55 diff -u -3 -r1.55 mod_ssl.c --- mod_ssl.c 1999/05/06 09:56:35 1.55 +++ mod_ssl.c 1999/05/20 02:55:11 @@ -150,6 +150,10 @@ AP_SRV_CMD(Protocol, RAW_ARGS, "Enable or disable various SSL protocols" "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)") +AP_SRV_CMD(ServerName, TAKE1, + "The canonical SSL hostname") +AP_SRV_CMD(ServerPort, TAKE1, + "The canonical SSL TCP port number") /* * Per-directory context configuration directives Index: mod_ssl.h === RCS file: /usr/aventail/src/cvsroot/sdk/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.h,v retrieving revision 1.93 diff -u -3 -r1.93 mod_ssl.h --- mod_ssl.h 1999/05/06 09:56:36 1.93 +++ mod_ssl.h 1999/05/20 02:55:11 @@ -491,6 +491,8 @@ char*szCARevocationPath; char*szCARevocationFile; X509_STORE *pRevocationStore; +char*pServerName; +unsigned short nServerPort; #ifdef SSL_VENDOR ap_ctx *ctx; #endif 
@@ -555,6 +557,8 @@ const char *ssl_cmd_SSLOptions(cmd_parms *, SSLDirConfigRec *, const char *); const char *ssl_cmd_SSLRequireSSL(cmd_parms *, SSLDirConfigRec *, char *); const char *ssl_cmd_SSLRequire(cmd_parms *, SSLDirConfigRec *, char *); +const char *ssl_cmd_SSLServerName(cmd_parms *, void *, char *); +const char *ssl_cmd_SSLServerPort(cmd_parms *, void *, char *); /* module initialization */ void ssl_init_Module(server_rec *, pool *); Index: ssl_engine_config.c === RCS file: /usr/aventail/src/cvsroot/sdk/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_config.c,v retrieving revision 1.53 diff -u -3 -r1.53 ssl_engine_config.c --- ssl_engine_config.c 1999/05/06 09:56:36 1.53 +++ ssl_engine_config.c 1999/05/20 02:55:11 @@ -204,6 +204,8 @@ sc-szCARevocationPath = NULL; sc-szCARevocationFile = NULL; sc-pRevocationStore = NULL; +sc-pServerName= NULL; +sc-nServerPort= DEFAULT_HTTPS_PORT; #ifdef SSL_VENDOR sc-ctx = ap_ctx_new(p); @@ -245,6 +247,8 @@ cfgMerge(szCARevocationPath, NULL); cfgMerge(szCARevocationFile, NULL); cfgMerge(pRevocationStore, NULL); +cfgMergeString(pServerName); +cfgMerge(nServerPort, DEFAULT_HTTPS_PORT); #ifdef SSL_VENDOR cfgMergeCtx(ctx); 
@@ -801,3 +805,25 @@ return NULL; } +const char *ssl_cmd_SSLServerName(cmd_parms *cmd, void *dummy, char *word1) +{ +SSLSrvConfigRec *sc = mySrvConfig(cmd-server); + +sc-pServerName = word1; +return NULL; +} + +const char *ssl_cmd_SSLServerPort(cmd_parms *cmd, void *dummy, char *word1) +{ +SSLSrvConfigRec *sc = mySrvConfig(cmd-server); +int port; + +port = atoi(word1); +if (port = 0 || port = 65536) { /* 65536 == 116 */ +return ap_pstrcat(cmd-temp_pool, "The SSL port number \"", word1, + "\" is outside the appropriate range " + "(i.e., 1..65535).", NULL); +} +sc-nServerPort = port; +return NULL; +} Index: ssl_engine_kernel.c === RCS file: /usr/aventail/src/cvsroot/sdk/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v retrieving revision 1.85 diff -u -3 -r1.85 ssl_engine_kernel.c --- ssl_engine_kernel.c 1999/05/14 15:37:50 1.85 +++ ssl_engine_kernel.c 1999/05/20 02:55:11 @@ -1041,6 +1041,8 @@ "SSL_SERVER_I_DN_Email", "SSL_SERVER_A_KEY", "SSL_SERVER_A_SIG", +"SSL_SERVER_NAME", +"SSL_SERVER_PORT", NULL }; Index: ssl_engine_vars.c === RCS
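Review bot: In the ssl_engine_config.c merge hunk (@@ -245,6 +247,8 @@), cfgMerge(nServerPort, DEFAULT_HTTPS_PORT) passes the default port in the position where the neighbouring lines pass NULL, and the init hunk above it sets nServerPort to the same constant. If the macro falls back to the base configuration whenever the field equals that second argument, a virtual host that explicitly sets SSLServerPort to the default HTTPS port cannot override a different port configured at server level. Initialise nServerPort to a value that is not a legal port (0, which the directive handler already rejects) and substitute DEFAULT_HTTPS_PORT only where the port is read.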
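Review bot: In ssl_cmd_SSLServerPort (hunk @@ -801,3 +805,25 @@), port = atoi(word1) stops at the first non-digit and reports no error, so an argument with trailing junk such as "443x" is accepted as 443, and a non-numeric argument is reported as being out of range rather than as not being a number. Parse with strtol, check that the end pointer reached the terminating NUL, and only then apply the 1..65535 range check. In the same hunk ssl_cmd_SSLServerName stores word1 without any check; since the description says the value is meant for redirecting to the SSL-aware server, rejecting an empty value and characters that cannot appear in a hostname at configuration time would keep a typo from ending up in a redirect target.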
Re: Forcing Particular Browser Certificate
On Wed, May 19, 1999, Stockwell, Travis wrote:

Does anyone know a way to force the use of a particular browser certificate? IOW, when the browser issues an SSL request and then sends its cert, I don't want the user to choose one (IE makes you choose even when there is just one - I hear). I just want the browser to send a particular cert - any cert.

Except for the fact that you then should only configure one(!) particular CA certificate on the server side, this is a browser issue. When IE lets you choose although only one possibility exists, there is nothing we can do. The server only sends the list of accepted CAs. Nothing more. What the client does to decide which cert to send is entirely his decision. But I guess the browser does this only when it doesn't already know the CA. When it knows the CA, I'm sure it directly uses his cert...

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: [BugDB] ssl_engine_log (PR#176)
On Thu, May 20, 1999, [EMAIL PROTECTED] wrote:

Full_Name: Stephen Taylor
Version: 2.2.8-1.3.6
OS: Solaris 2.6
Submission from: terrapins.intelis.com (208.145.15.108)

I get the following error while compiling Apache after including mod_ssl.

gcc -c -I../../os/unix -I../../include -DSOLARIS2=260 -DMOD_SSL=202108 -DEAPI `../../apaci` -DSSL_COMPAT -I/usr/include -DMOD_SSL_VERSION=\"2.2.8\" ssl_engine_log.c
ssl_engine_log.c: In function `ssl_log':
ssl_engine_log.c:183: `__builtin_va_alist' undeclared (first use in this function)
ssl_engine_log.c:183: (Each undeclared identifier is reported only once
ssl_engine_log.c:183: for each function it appears in.)
make[4]: *** [ssl_engine_log.o] Error 1
make[3]: *** [all] Error 1
make[2]: *** [subdirs] Error 1
make[2]: Leaving directory `/usr/share/src/apache_1.3.6/src'

Seems like your compiler is broken. I'm sure a "gcc -v" shows you a different Solaris version than "uname -a". They have to exactly match! Please check this first.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com