Re: ModSSL Breaks Apache

1999-05-20 Thread Adam D. McKenna

From: Joe McMahon <[EMAIL PROTECTED]>
: > I'm having a lot of problems. First the RSAref library that openssl tells
: > me to use doesn't exist, rsa is not giving it out anymore. Then OpenSSL
: > compiles fine. Mod_SSL compiles fine. I am following the instructions
: > given in the mod_ssl tarball. Anyway when I get down to compiling Apache I see
: > this, after lots of other standard compiler output.
: >
: You can pick up RSAREF from the URL noted in the install instructions. It
: is at hacktic.somethingoranother.nl.

From what I've heard even RSAREF is not legal to use inside the US for
commercial purposes.  However, Verisign (a division of RSA) does not have a
problem issuing certificates for servers running OpenSSL (SSLeay is actually
what is mentioned).  They say this on their homepage and there is no mention
of RSAREF.  This leads me to believe that RSA really doesn't care about
people using OpenSSL (with RSAREF or without) within the US.

Does anyone care to comment on this?

--Adam

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: R: cert status lookup with OCSP

1999-05-20 Thread Ralf S. Engelschall

On Thu, May 20, 1999, Andrea e Luca Giacobazzi wrote:

> >o  The whole fperr stuff is not needed (and acceptable). mod_ssl provides a
> >   really sophisticated logging mechanism through ssl_log() which the user
> >   can configure and adjust. You should use this, please.  Additionally you use
> >   insecure things ``fperr = fopen(..'' without error checks.  And the use
> >   of a static fperr isn't a good idea, too.  mod_ssl uses no global variables
> >   for thread safety and other reasons.
> 
> You're right, that was just for my internal debug use, but I forgot to
> change it.  Would it be correct to use a bio_err for the error log? (I'm still
> studying to understand how to use a bio structure in the right way).

No, a bio_err is just stderr encapsulated via OpenSSL's BIO library.  You
should use ssl_log() to write directly to the user-customizable SSL engine
logfile.
 
> >o  whenever you do I/O you should use the ap_fopen() and friends
> >   functions and not directly stdio stuff. Additionally unsafe
> >   things like sprintf() has to be replaced with ap_snprintf().
> >
> >o  hard-coded things like ``fopen("/m/home/giacob/...'' or ``ldapservers =
> >   "callisto.comune.modena.it:3389"'' are not acceptable.  Every used
> >   parameter either has to be a generic one which fits all situations or
> >   has to be user configurable via an Apache config directive.
> 
> How can I set some env vars via Apache config directive to describe all
> ocsp-ldap context in httpd.conf ? (ldap-servers, ldap-dn, ldap-passwd,
> ocsp-ldap-enable...)

Not env-vars, you have to implement a few Apache directives similar to what
mod_ssl does with the various SSL directives. For instance for you I would
use an "SSLOCSP" or "SSLLDAP" directive which parses "key=value" pairs as its
arguments and sets the variables inside an internal structure which you later
use at run-time. For instance something like 

SSLLDAP server=callisto.comune.modena.it port=3389 dn=foobar passwd=test

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
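The "key=value" directive Ralf sketches above needs an argument parser behind it. The following is an added example, not code from mod_ssl or from Andrea's patch: a standalone C parser that turns an SSLLDAP argument string into a configuration record. The ssl_ldap_cfg struct, its field names and sizes, the assumed default port of 389 and the error strings are all assumptions made for this example; in a real Apache 1.3 module the same function would sit behind a command handler in the module's command table, returning the error string to make httpd refuse to start on a bad directive.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record an SSLLDAP directive would fill in; field names and
   sizes are assumptions for this example, not mod_ssl's. */
typedef struct {
    char server[128];
    int  port;
    char dn[128];
    char passwd[128];   /* lives in clear text in httpd.conf, so that file's permissions matter */
} ssl_ldap_cfg;

/* Copies val into a fixed-size field; refuses (returns 0) rather than truncating. */
static int set_field(char *dst, size_t dstsz, const char *val)
{
    size_t n = strlen(val);
    if (n >= dstsz) return 0;
    memcpy(dst, val, n + 1);
    return 1;
}

/* Parses "key=value key=value ..." into cfg. Returns NULL on success or a
   static error string (what an Apache 1.3 command handler returns on a bad
   directive). Unknown keys are rejected so that a typo such as "passwrd="
   cannot silently leave a field at its default. */
const char *ssl_ldap_parse_args(const char *args, ssl_ldap_cfg *cfg)
{
    char copy[512];
    if (strlen(args) >= sizeof copy) return "SSLLDAP: argument list too long";
    strcpy(copy, args);

    memset(cfg, 0, sizeof *cfg);
    cfg->port = 389;            /* assumed default: the standard LDAP port */
    int seen_server = 0;

    for (char *tok = strtok(copy, " \t"); tok != NULL; tok = strtok(NULL, " \t")) {
        char *eq = strchr(tok, '=');
        if (eq == NULL || eq == tok || eq[1] == '\0')
            return "SSLLDAP: arguments must be key=value pairs";
        *eq = '\0';
        const char *key = tok, *val = eq + 1;

        if (strcmp(key, "server") == 0) {
            if (!set_field(cfg->server, sizeof cfg->server, val)) return "SSLLDAP: server name too long";
            seen_server = 1;
        } else if (strcmp(key, "port") == 0) {
            char *end;
            long p = strtol(val, &end, 10);
            if (*end != '\0' || p < 1 || p > 65535) return "SSLLDAP: port must be 1-65535";
            cfg->port = (int)p;
        } else if (strcmp(key, "dn") == 0) {
            if (!set_field(cfg->dn, sizeof cfg->dn, val)) return "SSLLDAP: dn too long";
        } else if (strcmp(key, "passwd") == 0) {
            if (!set_field(cfg->passwd, sizeof cfg->passwd, val)) return "SSLLDAP: passwd too long";
        } else {
            return "SSLLDAP: unknown key";
        }
    }
    if (!seen_server) return "SSLLDAP: server= is required";
    return NULL;
}

ssl_ldap_cfg demo_cfg;

int main(void)
{
    /* The directive line from the message above, as the argument string. */
    const char *err = ssl_ldap_parse_args(
        "server=callisto.comune.modena.it port=3389 dn=foobar passwd=test", &demo_cfg);
    if (err != NULL) { fprintf(stderr, "%s\n", err); return 1; }
    printf("server=%s port=%d dn=%s\n", demo_cfg.server, demo_cfg.port, demo_cfg.dn);
    return 0;
}
```

Rejecting unknown keys and out-of-range ports at parse time is the part worth copying: a directive that silently ignores a misspelled key leaves the server running with a default the administrator never intended.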



Re: SSL config error on NT?

1999-05-20 Thread Lin Geng

Can you access the server in regular HTTP mode?
When you start the server, did you use the -D SSL switch?

lin geng

-Original Message-
From: Ingo Zitzmann <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, May 20, 1999 1:48 PM
Subject: SSL config error on NT?


>Hi folks,
>
>after compiling Apache 1.3.6, mod_ssl-2.2.7-1.3.6, openssl-0.9.2b using
>VisualC++ 6.0, as well as downloading the package from a different site, I
>still get the same results:
>
>[ssl-access.log]
>xx.xx.xx.x - - [20/May/1999:16:22:00 +0200] "€@" 501 -
>xx.xx.xx.x - - [20/May/1999:16:24:41 +0200] "€@" 501 -
>xx.xx.xx.x - - [20/May/1999:16:30:37 +0200] "€@" 501 -
>
>[ssl-error.log]
>[Thu May 20 16:22:00 1999] [error] [client xx.xx.xx.x] Invalid method in
>request €@
>[Thu May 20 16:24:41 1999] [error] [client xx.xx.xx.x] Invalid method in
>request €@
>[Thu May 20 16:30:37 1999] [error] [client xx.xx.xx.x] Invalid method in
>request €@
>
>I created test certificates as described on apache-ssl.org.
>
>Anybody an idea?
>
>thanx,
>Ingo.
>
>
>--
>Ingo Zitzmann
>Senior Developer
>
>-
>OpenShop Internet Software Inc.
>39 Broadway, Suite 730
>New York, NY 10006
>
>http://www.openshop.com
>
>Fon  212.943.0663
>Fax  212.943.0666
>Cell  917.561.5701
>
>




Re: [PATCH] ssl session id as environment var

1999-05-20 Thread tvaughan

Ben Laurie <[EMAIL PROTECTED]> writes:

> [EMAIL PROTECTED] wrote:
> > 
> > No user session that
> > is. My idea is to have the user authenticate, and then bind the user id to
> > the ssl session id. Next time around, I'll see that I have an user id
> > associated with the ssl session id and not bother with the authentication
> > mumbo jumbo. We're not doing Basic or Digest authentication. We have a
> > forms based scheme that can back-end against just about anything, RADIUS
> > challenge-response even.
> 
> I understand the idea. My point is mostly that the lifetime you would
> like for this "user session" has completely different requirements from
> the SSL session.

Not sure I would say "requirement". The idea is to only bind an identity to
the SSL session id. Then policy enforcement, session management, is done
based on the identity. Like Tom can have access for only five minutes per
hour, while Ben is allowed access all day. But, yes, certainly it would be
nice if the SSL session was (guaranteed to be) longer lived in a case like
this. 

> 
> > I see your second point. At worst this would mean the user would have to
> > re-authenticate. And the old, non-reused, session would just timeout.
> 
> Right. But the main point is that there are at least three really
> obvious ways to do this properly, so why try to bend SSL session IDs to
> a purpose they don't really fit?

Because the other two are way too spoofable.

-Tom

-- 
Tom Vaughan 



Re: [PATCH] ssl session id as environment var

1999-05-20 Thread Ben Laurie

[EMAIL PROTECTED] wrote:
> 
> Ben Laurie <[EMAIL PROTECTED]> writes:
> 
> > [EMAIL PROTECTED] wrote:
> > >
> > > The idea behind this is to make the ssl session id available so that other
> > > modules may use the ssl session id as a `key' into their own session table.
> >
> > This really isn't a good idea. The most obvious reason is that there is
> > a conflict between the lifetime requirements for SSL sessions and HTTP
> > sessions. Another is that clients are not required to reuse SSL
> > sessions, and may time them out arbitrarily.
> 
> Not sure I understand your first point. Do you mean on a per-packet basis?
> The way I see it, there is no `session' within HTTP.

Well, quite. I meant sessions that your HTTP-utilising application
creates.

> No user session that
> is. My idea is to have the user authenticate, and then bind the user id to
> the ssl session id. Next time around, I'll see that I have an user id
> associated with the ssl session id and not bother with the authentication
> mumbo jumbo. We're not doing Basic or Digest authentication. We have a
> forms based scheme that can back-end against just about anything, RADIUS
> challenge-response even.

I understand the idea. My point is mostly that the lifetime you would
like for this "user session" has completely different requirements from
the SSL session.

> I see your second point. At worst this would mean the user would have to
> re-authenticate. And the old, non-reused, session would just timeout.

Right. But the main point is that there are at least three really
obvious ways to do this properly, so why try to bend SSL session IDs to
a purpose they don't really fit?

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
 - Indira Gandhi



Re: [PATCH] ssl session id as environment var

1999-05-20 Thread tvaughan

Ben Laurie <[EMAIL PROTECTED]> writes:

> [EMAIL PROTECTED] wrote:
> > 
> > The idea behind this is to make the ssl session id available so that other
> > modules may use the ssl session id as a `key' into their own session table.
> 
> This really isn't a good idea. The most obvious reason is that there is
> a conflict between the lifetime requirements for SSL sessions and HTTP
> sessions. Another is that clients are not required to reuse SSL
> sessions, and may time them out arbitrarily.

Not sure I understand your first point. Do you mean on a per-packet basis?
The way I see it, there is no `session' within HTTP. No user session that
is. My idea is to have the user authenticate, and then bind the user id to
the ssl session id. Next time around, I'll see that I have an user id
associated with the ssl session id and not bother with the authentication
mumbo jumbo. We're not doing Basic or Digest authentication. We have a
forms based scheme that can back-end against just about anything, RADIUS
challenge-response even.

I see your second point. At worst this would mean the user would have to
re-authenticate. And the old, non-reused, session would just timeout.

-Tom

-- 
Tom Vaughan 



R: cert status lookup with OCSP

1999-05-20 Thread Andrea e Luca Giacobazzi


>
>o  The whole fperr stuff is not needed (and acceptable). mod_ssl provides a
>   really sophisticated logging mechanism through ssl_log() which the user
>   can configure and adjust. You should use this, please.  Additionally you use
>   insecure things ``fperr = fopen(..'' without error checks.  And the use
>   of a static fperr isn't a good idea, too.  mod_ssl uses no global variables
>   for thread safety and other reasons.


You're right, that was just for my internal debug use, but I forgot to
change it.
Would it be correct to use a bio_err for the error log? (I'm still studying to
understand how to use a bio structure in the right way).

>o  whenever you do I/O you should use the ap_fopen() and friends
>   functions and not directly stdio stuff. Additionally unsafe
>   things like sprintf() has to be replaced with ap_snprintf().
>
>o  hard-coded things like ``fopen("/m/home/giacob/...'' or ``ldapservers =
>   "callisto.comune.modena.it:3389"'' are not acceptable.  Every used
>   parameter either has to be a generic one which fits all situations or
>   has to be user configurable via an Apache config directive.

How can I set some env vars via Apache config directive to describe all
ocsp-ldap context in httpd.conf ? (ldap-servers, ldap-dn, ldap-passwd,
ocsp-ldap-enable...)

>
>So, in short: I think the stuff is still not ready for inclusion, but when
>you work on the above points it will be a very useful extension in the future.
>Thanks for your efforts.

Thanks for your useful suggestions, I'll work on it.

Andrea





Re: SSL config error on NT?

1999-05-20 Thread Ralf S. Engelschall

On Thu, May 20, 1999, Ingo Zitzmann wrote:

> after compiling Apache 1.3.6, mod_ssl-2.2.7-1.3.6, openssl-0.9.2b using
> VisualC++ 6.0, as well as downloading the package from a different site, I
> still get the same results:
> 
> [ssl-access.log]
> xx.xx.xx.x - - [20/May/1999:16:22:00 +0200] "€@" 501 -
> xx.xx.xx.x - - [20/May/1999:16:24:41 +0200] "€@" 501 -
> xx.xx.xx.x - - [20/May/1999:16:30:37 +0200] "€@" 501 -
> 
> [ssl-error.log]
> [Thu May 20 16:22:00 1999] [error] [client xx.xx.xx.x] Invalid method in
> request €@
> [Thu May 20 16:24:41 1999] [error] [client xx.xx.xx.x] Invalid method in
> request €@
> [Thu May 20 16:30:37 1999] [error] [client xx.xx.xx.x] Invalid method in
> request €@
> 
> I created test certificates as described on apache-ssl.org.

This means you talk HTTPS to an HTTP port, i.e. on that port SSL isn't
enabled. Check your server configuration. I guess your Listen and
sections do not match.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
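Ralf's diagnosis can be turned into a log check. The "€@" in Ingo's logs is how a Windows-1252 console displays the raw bytes 0x80 0x40, which is a two-byte SSLv2 record header (high bit set, 15-bit length 0x0040 = 64 bytes) landing on a port that expects an HTTP request line. The code below is an added example, not part of mod_ssl or of any message in this thread: it scans constructed ssl-error.log lines in the format quoted above and flags those whose "Invalid method" bytes look like an SSL record header. It goes one step beyond the page by also recognising the SSLv3/TLS record header (content type 0x16 followed by major version 0x03), which is what the same misconfiguration produces with a newer client. The sample lines and client addresses are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

typedef enum { REQ_OTHER = 0, REQ_SSLV2_HELLO = 1, REQ_TLS_HANDSHAKE = 2 } req_kind;

/* Constructed sample lines in the ssl-error.log format quoted above. The
   first carries the raw bytes 0x80 0x40 (shown as "€@" on a Windows-1252
   console); the second carries a TLS 1.0 handshake record header instead. */
static const char *const SAMPLE_LOG[] = {
    "[Thu May 20 16:22:00 1999] [error] [client 10.0.0.5] Invalid method in request \x80\x40",
    "[Thu May 20 16:24:41 1999] [error] [client 10.0.0.5] Invalid method in request \x16\x03\x01",
    "[Thu May 20 16:30:37 1999] [error] [client 10.0.0.9] Invalid method in request FOO /",
    "[Thu May 20 16:31:00 1999] [notice] Apache/1.3.6 (Unix) mod_ssl/2.2.8 configured",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Classifies the bytes Apache logged after "Invalid method in request ". */
req_kind classify_invalid_method(const char *line)
{
    static const char marker[] = "Invalid method in request ";
    const char *hit = strstr(line, marker);
    if (hit == NULL) return REQ_OTHER;
    const unsigned char *req = (const unsigned char *)hit + (sizeof marker - 1);
    if (req[0] == '\0') return REQ_OTHER;
    /* SSLv2 record: two-byte header whose high bit is set; the remaining
       15 bits are the record length (0x80 0x40 -> 64 bytes). */
    if (req[0] & 0x80) return REQ_SSLV2_HELLO;
    /* SSLv3/TLS record: content type 22 (handshake) then major version 3. */
    if (req[0] == 0x16 && req[1] == 0x03) return REQ_TLS_HANDSHAKE;
    return REQ_OTHER;
}

/* Length field of a two-byte SSLv2 record header. */
unsigned sslv2_record_len(const unsigned char *hdr)
{
    return ((unsigned)(hdr[0] & 0x7f) << 8) | hdr[1];
}

/* Counts lines showing a client that spoke SSL/TLS to a plain HTTP port.
   One such line is a misconfiguration symptom, either on the server (SSL
   not enabled on the port the client uses) or on the client side. */
size_t count_ssl_on_plain_port(const char *const *lines, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_invalid_method(lines[i]) != REQ_OTHER) hits++;
    return hits;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++)
        printf("line %zu: kind %d\n", i, (int)classify_invalid_method(SAMPLE_LOG[i]));
    printf("%zu line(s) look like SSL/TLS sent to a plain port\n",
           count_ssl_on_plain_port(SAMPLE_LOG, SAMPLE_LOG_LEN));
    return 0;
}
```

The check is only as good as the log encoding: Apache writes the offending bytes verbatim, so the classifier must look at the raw bytes, not at whatever a terminal or editor rendered them as.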



Re: ModSSL Breaks Apache

1999-05-20 Thread Joe McMahon

> 
> I'm having a lot of problems. First the RSAref library that openssl tells me
> to use doesn't exist, rsa is not giving it out anymore. Then OpenSSL
> compiles fine. Mod_SSL compiles fine. I am following the instructions given
> in the mod_ssl tarball. Anyway when I get down to compiling Apache I see
> this, after lots of other standard compiler output.
> 
You can pick up RSAREF from the URL noted in the install instructions. It
is at hacktic.somethingoranother.nl. 

 --- Joe M.




SSL config error on NT?

1999-05-20 Thread Ingo Zitzmann

Hi folks,

after compiling Apache 1.3.6, mod_ssl-2.2.7-1.3.6, openssl-0.9.2b using
VisualC++ 6.0, as well as downloading the package from a different site, I
still get the same results:

[ssl-access.log]
xx.xx.xx.x - - [20/May/1999:16:22:00 +0200] "€@" 501 -
xx.xx.xx.x - - [20/May/1999:16:24:41 +0200] "€@" 501 -
xx.xx.xx.x - - [20/May/1999:16:30:37 +0200] "€@" 501 -

[ssl-error.log]
[Thu May 20 16:22:00 1999] [error] [client xx.xx.xx.x] Invalid method in
request €@
[Thu May 20 16:24:41 1999] [error] [client xx.xx.xx.x] Invalid method in
request €@
[Thu May 20 16:30:37 1999] [error] [client xx.xx.xx.x] Invalid method in
request €@

I created test certificates as described on apache-ssl.org.

Anybody an idea?

thanx,
Ingo.


--
Ingo Zitzmann
Senior Developer

-
OpenShop Internet Software Inc.
39 Broadway, Suite 730
New York, NY 10006

http://www.openshop.com

Fon  212.943.0663
Fax  212.943.0666
Cell  917.561.5701




Re: [PATCH] ssl session id as environment var

1999-05-20 Thread Ralf S. Engelschall

On Thu, May 20, 1999, [EMAIL PROTECTED] wrote:

> [...]
> > > The idea behind this is to make the ssl session id available so that other
> > > modules may use the ssl session id as a `key' into their own session table.
> > > 
> > > + result = ap_psprintf(p, "%x%s", 
>pSession->session_id[i],
> > > +  
>result);
> > > [...]
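Review bot: the "%x" conversion applied to pSession->session_id[i] prints a single digit for any byte below 0x10, so the SSL_SESSION_ID string can come out with odd length and cannot be mapped back to bytes unambiguously; the 59-character example value earlier in this thread has exactly that shape. Use "%02x" so every byte contributes two digits. Since each iteration places the new byte in front of result, the string is also built in reversed byte order; ap_psprintf(p, "%s%02x", result, pSession->session_id[i]) keeps the natural order, and a fixed-width format makes the result directly comparable with what the ssl_scache_id2sz() helper mentioned later in the thread produces.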
> > 
> > Is there a reason why you reverse the bytes?
> > I think it should be ``..."%s%x", result, pSessio..''.
> 
> No. It really doesn't matter, to me, in what order the bytes are. So long
> as it's consistent of course. Are the bytes really reversed?

Yes, because you call the above in a loop where i counts from 0 to the maximum and
in every iteration you append the _next_ element to the _head_ of "result", so
I think the result is the id but in reversed byte order. At least with my
variant I've now committed for 2.3.0, the SSL_SESSION_ID which a "GET
/cgi-bin/printenv HTTP/1.0" prints through an "openssl s_client" connection is
identical to the string "openssl s_client" itself prints out while processing.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
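Ralf's reversed-order diagnosis, as an added example that is not part of the patch or of mod_ssl: the two loop shapes side by side in plain C, with snprintf standing in for ap_psprintf and a constructed 4-byte id in place of a real session id. It also shows a second effect of the patch's "%x" format that the thread does not discuss: a byte below 0x10 prints as one hex digit, so the resulting string can have odd length (the 59-character SSL_SESSION_ID in Tom's original post has this shape), which "%02x" fixes. The hex_is_well_formed check is what a module using the value as a table key would want to apply first.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ID_LEN 32                 /* SSL session ids are at most 32 bytes */
#define HEX_BUF    (2 * MAX_ID_LEN + 1)

/* Constructed 4-byte sample id; the first byte is below 0x10 on purpose. */
static const unsigned char SAMPLE_ID[] = { 0x0b, 0x1c, 0x69, 0x25 };

/* Same shape as the patch's loop: the next byte is formatted in front of
   the string built so far, so the bytes come out reversed. zero_pad
   selects "%02x" instead of the patch's "%x". Returns the string length. */
size_t hex_prepend(const unsigned char *id, size_t len, int zero_pad, char *out)
{
    char scratch[HEX_BUF];
    out[0] = '\0';
    for (size_t i = 0; i < len && i < MAX_ID_LEN; i++) {
        snprintf(scratch, sizeof scratch, zero_pad ? "%02x%s" : "%x%s",
                 (unsigned)id[i], out);
        strcpy(out, scratch);
    }
    return strlen(out);
}

/* Appends each byte after the string built so far, always two digits per
   byte, so the text reads in the same order as the id bytes. */
size_t hex_append(const unsigned char *id, size_t len, char *out)
{
    size_t n = 0;
    out[0] = '\0';
    for (size_t i = 0; i < len && i < MAX_ID_LEN; i++)
        n += (size_t)snprintf(out + n, HEX_BUF - n, "%02x", (unsigned)id[i]);
    return n;
}

/* Check a consumer of SSL_SESSION_ID can apply before using the value as a
   table key: two lowercase hex digits per byte, hence even length. */
int hex_is_well_formed(const char *hex)
{
    size_t n = strlen(hex);
    if (n == 0 || n % 2 != 0 || n > 2 * MAX_ID_LEN) return 0;
    for (size_t i = 0; i < n; i++)
        if (strchr("0123456789abcdef", hex[i]) == NULL) return 0;
    return 1;
}

char demo_buf[HEX_BUF];

int main(void)
{
    hex_prepend(SAMPLE_ID, sizeof SAMPLE_ID, 0, demo_buf);
    printf("patch loop, \"%%x\" prepended:  %s\n", demo_buf);   /* 25691cb, odd length */
    hex_prepend(SAMPLE_ID, sizeof SAMPLE_ID, 1, demo_buf);
    printf("\"%%02x\" prepended:           %s\n", demo_buf);   /* 25691c0b, still reversed */
    hex_append(SAMPLE_ID, sizeof SAMPLE_ID, demo_buf);
    printf("\"%%02x\" appended:            %s\n", demo_buf);   /* 0b1c6925 */
    return 0;
}
```

Whether the bytes are reversed matters less than Tom suggests only as long as a single producer writes the value; once two components (the module and, say, an openssl s_client transcript used for debugging) compare ids, a fixed width and a fixed order are what make the comparison meaningful.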



Re: am I missing something?

1999-05-20 Thread Adam D. McKenna

From: Derek Smith <[EMAIL PROTECTED]>


: Adam,
:
: Could be you installed over your previous version of Apache, in which case
: your problem is the fact that it doesn't overwrite your httpd.conf file.
: You'll find the default install copy in the conf directory in your Apache
: source directory.

Yes, I needed to RTFM, I eventually got it working.

Thanks,

--Adam





Re: [PATCH] ssl session id as environment var

1999-05-20 Thread tvaughan

"Ralf S. Engelschall" <[EMAIL PROTECTED]> writes:

> On Wed, May 19, 1999, [EMAIL PROTECTED] wrote:
> 
> > This patch makes the ssl session id available via the environment variable
> > SSL_SESSION_ID. Apache modules may obtain this ssl session id via the
> > "ap::mod_ssl::var_lookup" EAPI hook. The value of this ssl session id is
> > actually the concatenation of the hex representation of each byte in the
> > ssl session id. For example, running this through printenv produces:
> > 
> > SSL_SESSION_ID = bd1c692524d2d3648cb8c87bf7484eb5dd81777659b479b2dbfbc3ec5d2
> 
> Fine, good idea. I'll take it over for 2.3.0.

Cool. Thanks.

> 
> > The idea behind this is to make the ssl session id available so that other
> > modules may use the ssl session id as a `key' into their own session table.
> > 
> > +   result = ap_psprintf(p, "%x%s", 
>pSession->session_id[i],
> > +
>result);
> > [...]
> 
> Is there a reason why you reverse the bytes?
> I think it should be ``..."%s%x", result, pSessio..''.

No. It really doesn't matter, to me, in what order the bytes are. So long
as it's consistent of course. Are the bytes really reversed?

> OTOH you can use ssl_scache_id2sz() for this task

Ah. I didn't know about that. Thanks again.

-Tom

-- 
Tom Vaughan 



Re: [PATCH] canonical ssl server name and port

1999-05-20 Thread tvaughan

"Ralf S. Engelschall" <[EMAIL PROTECTED]> writes:

> 1. When this is a separate module which does the redirect and 
>mod_ssl does nothing more with the variables than just implement them, it
>would be more clean to implement the two directives directly in your own
>module where you do the redirects.

Your assessment is spot on.

I was thinking that one day you would have more than one module loaded at
the same time that might like to have this functionality.

> 
> 2. I'm still not convinced whether it's necessary to implement this
>stuff with two new directives. All you need is a way to set server/port and
>fetch these values later. Why not use this:
> 
>  Listen 80
>  Listen 443
> 
>  SetEnv SSLServerName ssl.foobar.org
>  SetEnv SSLServerPort 443

Ah very nice. This works just as well. Thanks.

>Ok, I know you want to do the redirect earlier.

No. I really don't care where the redirect happens. My point on new-httpd
was that given what I had read and seen, it was reasonable for me to assume
that a redirect *could* happen in the post-read phase, not that it *should*
happen there.

-Tom

-- 
Tom Vaughan 



Re: Request for Review: DH/DSA support now comitted...

1999-05-20 Thread Lin



On Thu, 20 May 1999, Ralf S. Engelschall wrote:

> 
> Ok, after a _very_ deep breath today, I've committed the Diffie-Hellman/DSA
> support for mod_ssl. Puhh!
> 
> As you may remember, I already started to prepare this complex change
> in November(!) last year, but had to wait for a lot of things (mainly better
> DH/DSA support in OpenSSL) until it was ready for release. Additionally the stuff
> needed really so many months to survive my personal quality assurance,
> because the changes affected really lots of code in mod_ssl. That's why you
> had to wait so long...
> 
> But now it's finished and really nice: One can connect to mod_ssl even with
> the EDH-DSS-DES-CBC3-SHA cipher and friends. I like this very much, although
> the popular browsers still don't support these ciphers, of course.
> 
> Now that this DH/DSA support is an official part of mod_ssl and will be
> released with 2.3.0 next week, I really would appreciate some testing in
> advance by the user community. So, when you want a stable 2.3.0 please
> contribute an hour and do the following:
> 
> 1. You need the latest OpenSSL snapshot (mod_ssl 2.3.0 later will
>_require_ OpenSSL 0.9.3) from ftp://ftp.openssl.org/snapshot/, the latest
>mod_ssl snapshot from ftp://ftp.modssl.org/snapshot/ and Apache 1.3.6 from
>ftp://ftp.apache.org/dist/.
> 
> 2. Follow the standard procedure for building an Apache+mod_ssl+OpenSSL
>based webserver.
> 
> 3. Use "make certificate" to generate an RSA cert/key. Now use
>"make install" to install the package. Now again run "make certificate
>ALGO=DSA" to generate a second cert/key pair using the DSA algorithm. Copy
>over the conf/ssl.crt/server.crt to $prefix/etc/ssl.crt/server-dsa.crt and
>conf/ssl.key/server.key to $prefix/etc/ssl.key/server-dsa.key. Then add two
>_ADDITIONAL_ SSLCertificateFile and SSLCertificateKeyFile directives to the
>pre-configured $prefix/etc/httpd.conf file.
> 
> 4. Try to access the server with RSA or DH ciphers. Especially
>things like 
>$ (echo "GET $1 HTTP/1.0"; echo "Host: localhost:8443"; echo ""; sleep 2) |\
>  openssl s_client -connect localhost:8443 -state -cipher EDH-DSS-DES-CBC3-SHA 
>should now work!
> 
> BTW, you don't need two cert/keys, of course. mod_ssl still allows you to run
> just RSA or just DSA cert/keys, of course. But then you can use either RSA or
> DH ciphers, of course... while with two cert/key pairs you can use all ciphers
> ;) But try it out, even a DSA-only server is now possible...
> 
> Please give me feedback.
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com
> 

Looking forward to trying it.  Thanks.

lin geng




Re: WinNT + Apache + mod_ssl + openssl -> VC++6 = doesn't work?!

1999-05-20 Thread Lin



On Wed, 19 May 1999, Ingo Zitzmann wrote:

> Hi folks,
> 
> I am trying to compile Apache 1.3.6, mod_ssl-2.2.7-1.3.6,
> openssl-0.9.2b using VisualC++ 6.0 and apparently it compiles the
> openssl option into apache (I checked it by hiding the ssleay.dll and
> the libeay32.dll) but when I call "apache -l" I don't see the mod_ssl.c.
> Of course I can't use SSLEnable for example. I followed the instructions
> in install.Win32.
> 
> Can anybody help?
> 
> thanx,
> Ingo.
> 
> 
I build and run Apache 1.3.6 with mod_ssl 2.2.8 (openssl 0.9.1c) with no
problem.  The install.Win32 instructions work.  I had problems trying to
build openssl 0.9.2b.  It doesn't build.  
Since I did not use mod_ssl 2.2.7, I cannot comment much on it.  Why don't
you try 2.2.8?

lin geng





Re: [PATCH] canonical ssl server name and port

1999-05-20 Thread Ralf S. Engelschall

On Wed, May 19, 1999, [EMAIL PROTECTED] wrote:

> This patch[1] adds two new directives, SSLServerName and SSLServerPort. The
> idea behind these two directives is to associate a SSL-aware Apache server,
> with a non SSL-aware Apache server. For example:
> 
> One could have in httpd.conf:
> 
> Listen 80
> Listen 443
> 
> SSLServerName ssl.foobar.org
> SSLServerPort 443
> 
> 
> SSLEngine On
> [...other directives...]
> 
> 
> 
> SSLServerName ssl.xyzzy.com
> SSLServerPort 443
> [...other directives...]
> 
> 
> 
> SSLEngine On
> [...other directives...]
> 
> 
> Then you could write a module[2] that could, when necessary, redirect to an 
> appropriate SSL-aware server whenever SSL is required. No, this will not
> work with name-based virtual hosts.
> 
> If this patch is accepted, I'd be happy to follow up with documentation.

My problem with this patch is that it adds two additional directives, although
both do (mainly) nothing more than set variables. I'm not sure whether I
really understand the situation (feel free to change this), so this might be
still my problem. But all you seem to achieve is to be able to find out in a
module the name and port of the corresponding SSL server. Fine, two comments:

1. When this is a separate module which does the redirect and 
   mod_ssl does nothing more with the variables than just implement them, it
   would be more clean to implement the two directives directly in your own
   module where you do the redirects.

2. I'm still not convinced whether it's necessary to implement this
   stuff with two new directives. All you need is a way to set server/port and
   fetch these values later. Why not use this:

 Listen 80
 Listen 443

 SetEnv SSLServerName ssl.foobar.org
 SetEnv SSLServerPort 443

 
 SSLEngine On
 [...other directives...]
 

   and then use r->subprocess_env in a Fixup handler to test the values and do
   the redirect. Ok, I know you want to do the redirect earlier. But when you
   insist on this you can still implement the two directives yourself in your
   own module.  The relationship to mod_ssl seems to be just logical, not
   physical. And as I said, when you do the redirect in your own module it
   would be cleaner to set the vars there, too.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



CA certificate in IIS

1999-05-20 Thread Tudor Sileam

Hello everybody.

First of all I want you to know that I'm a beginner in CA stuff.

Thanks to the modssl and openssl docs I managed to install apache with ssl,
and created my own CA.
I created my own certificates for servers and clients.

I had no problem using them in IE4.0, Netscape 4.5, Apache 1.3.6,
Netscape Web Server, IIS 3.0 and 4.0.
I mean that I was able to install them and make a secure connection with
server authentication.

Problems started when I wanted to make also client authentication, using
my certificates.
At the end I did it for apache and netscape.

But not for IIS 3.0 or 4.0. The problem, I think, is that iis web server
does not recognize my CA as a trusted one.
I tried all that I found in IIS docs to install my CA like a trusted CA
and didn't work.

So first question: Does anybody know how I can add (in IIS) a CA
certificate to the list of trusted CAs for client authentication?

To create my own certificate for the CA, and create certificates for server
and client, I used the CA.sh script that comes with modssl/openssl, and
openssl.cnf (attached).

Second question :  What do I need to add to openssl.cnf in order to have
a friendly name for my CA certificate ? Or what else can I do?
(for client certificates I use  >pkcs12  ... -name " kkk"  < when I
create a pkcs12  file which I can import in IE or Netscape)

Please help me.

thanks,
tudors.
--
~
   Tudor Sileam


 openssl.cnf
 CA.sh


Re: cert status lookup with OCSP

1999-05-20 Thread Ralf S. Engelschall

On Thu, May 20, 1999, Andrea e Luca Giacobazzi wrote:

> I made a patch to ssl_engine_kernel.c in Apache 1.3.6 + mod_ssl-2.2.8-1.3.6
> + openssl-0.9.2b.tar.gz for verifying client certificate status with an LDAPv2
> directory during client authentication, using the OCSP API made by Tom Titchener
> for OpenSSL.
> The function searches LDAP for the client certificate, by e-mail, and I assumed
> that if the cert is found in LDAP the status is 'good' (right just for our
> internal use), otherwise it is 'revoked' or 'unauthorized'. It adds an env var
> containing the cert status.
> 
> I attach a diff file to apply the patch, with the 'patch' command:
> patch -p1 original_file < cert_status_patch.diff
> 
> Hope it's useful to somebody; I accept any criticism or suggestion.

Thanks for working on an extension for mod_ssl.  I've still not tried out the
stuff myself at runtime, but at least I've a few comments for you after
I've looked at your source. When you can take these into account your patches
will be even better.

o  The whole fperr stuff is not needed (and acceptable). mod_ssl provides a
   really sophisticated logging mechanism through ssl_log() which the user can
   configure and adjust. You should use this, please.  Additionally you use
   insecure things ``fperr = fopen(..'' without error checks.  And the use of
   a static fperr isn't a good idea, too.  mod_ssl uses no global variables
   for thread safety and other reasons.

o  whenever you do I/O you should use the ap_fopen() and friends
   functions and not directly stdio stuff. Additionally unsafe
   things like sprintf() has to be replaced with ap_snprintf().

o  hard-coded things like ``fopen("/m/home/giacob/...'' or ``ldapservers =
   "callisto.comune.modena.it:3389"'' are not acceptable.  Every used
   parameter either has to be a generic one which fits all situations or has
   to be user configurable via an Apache config directive.

o  additionally when you want that this code is finally considered to be
   included into mod_ssl at some time it would be helpful when you already
   change its coding style to the Apache coding style (mostly K&R style).  For
   details see http://dev.apache.org/styleguide.html and all other Apache
   source code.

So, in short: I think the stuff is still not ready for inclusion, but when you
work on the above points it will be a very useful extension in the future.
Thanks for your efforts.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



cert status lookup with OCSP

1999-05-20 Thread Andrea e Luca Giacobazzi

I made a patch to ssl_engine_kernel.c in Apache 1.3.6 + mod_ssl-2.2.8-1.3.6
+ openssl-0.9.2b.tar.gz for verifying client certificate status with an LDAPv2
directory during client authentication, using the OCSP API made by Tom Titchener
for OpenSSL.
The function searches LDAP for the client certificate, by e-mail, and I assumed
that if the cert is found in LDAP the status is 'good' (right just for our
internal use), otherwise it is 'revoked' or 'unauthorized'. It adds an env var
containing the cert status.

I attach a diff file to apply the patch, with the 'patch' command:

patch -p1 original_file < cert_status_patch.diff

Hope it's useful to somebody; I accept any criticism or suggestion.

Andrea



 cert_status_patch.diff.tar.gz


SSLRequire user

1999-05-20 Thread Andrea e Luca Giacobazzi

I tried :


SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars
SSLRequire %{SSL_CLIENT_S_DN_Email} eq "e-mail on cert"
SSLRequireSSL


but it doesn't work, access is always denied (forbidden).

Any idea ?

Thanks,
Andrea




Re: [PATCH] ssl session id as environment var

1999-05-20 Thread Ben Laurie

[EMAIL PROTECTED] wrote:
> 
> This patch makes the ssl session id available via the environment variable
> SSL_SESSION_ID. Apache modules may obtain this ssl session id via the
> "ap::mod_ssl::var_lookup" EAPI hook. The value of this ssl session id is
> actually the concatenation of the hex representation of each byte in the
> ssl session id. For example, running this through printenv produces:
> 
> SSL_SESSION_ID = bd1c692524d2d3648cb8c87bf7484eb5dd81777659b479b2dbfbc3ec5d2
> 
> The idea behind this is to make the ssl session id available so that other
> modules may use the ssl session id as a `key' into their own session table.

This really isn't a good idea. The most obvious reason is that there is
a conflict between the lifetime requirements for SSL sessions and HTTP
sessions. Another is that clients are not required to reuse SSL
sessions, and may time them out arbitrarily.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
 - Indira Gandhi



Re: Message when starting ssl

1999-05-20 Thread Derek Smith

Gilles,

I believe that it is only possible to use IP-based virtual hosts with SSL, so if
you are using name-based, your problem may be to do with that.


Regards,

Derek.


"Gilles L. Chong Hok Yuen" wrote:

> You are right Derek!
> So I created 2 priv keys (in ../ssl.key/) and 2 server certs (in ../ssl.crt/)
> for my 2 virtual hosts, using the ssleay commands. Reading the server certs with
> #ssleay x509 -noout -text -in .crt  gives 2 different cert contents.
> Here is the prob:
> In my httpd.conf file, I specifically point each virtual host to its
> respective cert and priv key:
>
> 
> SSLCertificateFile/opt/apache/SSLapache_1.3.4/conf/ssl.crt/1.crt
> SSLCertificateKeyFile /opt/apache/SSLapache_1.3.4/conf/ssl.key/1.key
> 
>
> 
> SSLCertificateFile/opt/apache/SSLapache_1.3.4/conf/ssl.crt/2.crt
> SSLCertificateKeyFile /opt/apache/SSLapache_1.3.4/conf/ssl.key/2.key
> 
>
> Starting the SSL server even asks for each virtual host's respective password
> (*as pointed out by Derek*).
>
> Here is the prob:
> On the browser, going on those 2 sites gives the SAME certificate info. More
> precisely info on the virtual host listed first in the httpd.conf file. If I
> place the  ...  BEFORE  ...
> , then both sites display the info on the cert belonging to v host
> 2. Basically, whichever comes first has total control!
> Testing with 1 virtual host at a time gives the proper result. URL 1 will
> display cert info of virtual host 1. 2 will be 2. But putting those 2 virtual
> hosts together, the first one listed in the httpd.conf will have priority and
> total control!
>
> And I can get in both sites even if the cert belonging to the respective server
> doesn't correspond to that particular server.
>
> Any idea why?
>
> G.
>
> Derek Smith wrote:
>
> > Gilles,
> >
> > If all SSLEnabled Virtual Hosts use the same key/cert then the passphrase
> > dialogue will only ask for one.
> >
> > Regards,
> >
> > Derek Smith
> > System Administrator/Developer
> > MotorTR@K - www.motortrak.com
> >
> > "Gilles L. Chong Hok Yuen" wrote:
> >
> > > Hi,
> > > just a trivial question: why is it that only the last virtual host is
> > > stated when starting ssl? I've got a few virtual hosts and I've noticed
> > > that only the last one (in the httpd.conf file) is displayed. Bit
> > > intrigued ...
> > >
> > > "Apache/1.3.4 mod_ssl/2.2.3 (Pass Phrase Dialog)
> > > Some of your private key files are encrypted for security reasons.
> > > In order to read them you have to provide us with the pass phrases.
> > >
> > > Server tmcwork.cc21.com.sg:443
> > > Enter pass phrase:
> > >
> > > Ok: Pass Phrase Dialog successful.
> > > /opt/apache/SSLapache_1.3.4/bin/apachectl startssl: httpd started"
> > >
> > > G.
> > > --
> > > Gilles Chong ([EMAIL PROTECTED], [EMAIL PROTECTED])
> > > Systems Engineer, Internet Division
> > > CSA Automated Pte Ltd, Singapore.
> > >
>
> --
> Gilles Chong ([EMAIL PROTECTED], [EMAIL PROTECTED])
> Systems Engineer, Internet Division
> CSA Automated Pte Ltd, Singapore.
>




Request for Review: DH/DSA support now comitted...

1999-05-20 Thread Ralf S. Engelschall


Ok, after a _very_ deep breath today, I've committed the Diffie-Hellman/DSA
support for mod_ssl. Puhh!

As you may remember, I already started to prepare this complex change in
November(!) last year, but had to wait for a lot of things (mainly better
DH/DSA support in OpenSSL) until it was ready for release. Additionally the stuff
really needed so many months to survive my personal quality assurance,
because the changes affected really lots of code in mod_ssl. That's why you
had to wait so long...

But now it's finished and really nice: One can connect to mod_ssl even with
the EDH-DSS-DES-CBC3-SHA cipher and friends. I like this very much, although
the popular browsers still don't support these ciphers, of course.

Now that this DH/DSA support is an official part of mod_ssl and will be
released with 2.3.0 the next week, I really would appreciate some testing in
advance by the user community. So, when you want a stable 2.3.0 please
contribute an hour and do the following:

1. You need a latest OpenSSL snapshot (mod_ssl 2.3.0 later will
   _require_ OpenSSL 0.9.3) from ftp://ftp.openssl.org/snapshot/, the latest
   mod_ssl snapshot from ftp://ftp.modssl.org/snapshot/ and Apache 1.3.6 from
   ftp://ftp.apache.org/dist/.

2. Follow the standard procedure for building an Apache+mod_ssl+OpenSSL
   based webserver.

3. Use "make certificate" to generate an RSA cert/key. Now use
   "make install" to install the package. Now again run "make certificate
   ALGO=DSA" to generate a second cert/key pair using the DSA algorithm. Copy
   over the conf/ssl.crt/server.crt to $prefix/etc/ssl.crt/server-dsa.crt and
   conf/ssl.key/server.key to $prefix/etc/ssl.key/server-dsa.key. Then add two
   _ADDITIONAL_ SSLCertificateFile and SSLCertificateKeyFile directives to the
   pre-configured $prefix/etc/httpd.conf file.

4. Try to access the server with RSA or DH ciphers. Especially
   things like
   $ (echo "GET $1 HTTP/1.0"; echo "Host: localhost:8443"; echo ""; sleep 2) |\
     openssl s_client -connect localhost:8443 -state -cipher EDH-DSS-DES-CBC3-SHA
   should now work!

BTW, you don't need two cert/keys, of course. mod_ssl still allows you to run
just RSA or just DSA cert/keys, of course. But then you can either use RSA or
DH ciphers, of course... while with two cert/key pairs you can use all ciphers
;) But try it out, even a DSA-only server is now possible...

Please give me feedback.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: [PATCH] ssl session id as environment var

1999-05-20 Thread Ralf S. Engelschall

On Thu, May 20, 1999, [EMAIL PROTECTED] wrote:

> I added your correction for the ssl_lookup_var_ssl() function (and also
> the minor correction to ssl_engine_kernel.c) and now I want to retrieve
> the SSL_SESSION_ID value from my java module (jserv_ajpv11.c,
> function ajpv11_handler(), where environment variables are being
> set to the request that will be sent to the servlet.
> 
> char* ssl_session_id;
> request_rec* r;
> 
> ap_hook_call("ap::mod_ssl::var_lookup",
>  &ssl_session_id,
>  &r->pool,
>  &r->server,
>  &r->connection,
>  r,
>  "SSL_SESSION_ID");
> 
> The result is an empty string in "ssl_session_id", and after doing
> traces in the ssl_lookup_var_ssl() function I found out I get
> no SSL from the patch lookup part.
> 
> ssl = ap_ctx_get(c->client->ctx);
> 
>  ==> gives ssl == NULL
> 
> I also tried the r->prev (since I have a redirected request) but
> the result remains the same. Any more hints why my context
> is bad (I have a context, so it's not NULL)? How do I get
> the SSL_SESSION_ID in the java module?

I've now committed Tom's stuff, but in a slightly different way. It worked fine
for my printenv CGI script.  So, can you retry this with the latest mod_ssl
snapshot from ftp://ftp.modssl.org/snapshot/?

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: [PATCH] ssl session id as environment var

1999-05-20 Thread lena . lindstrom

tvaughan wrote:
This patch makes the ssl session id available via the environment variable
SSL_SESSION_ID. Apache modules may obtain this ssl session id via the
"ap::mod_ssl::var_lookup" EAPI hook. The value of this ssl session id is
actually the concatenation of the hex representation of each byte in the
ssl session id. For example, running this through printenv produces:

SSL_SESSION_ID = bd1c692524d2d3648cb8c87bf7484eb5dd81777659b479b2dbfbc3ec5d2

The idea behind this is to make the ssl session id available so that other
modules may use the ssl session id as a `key' into their own session table.

-Tom

I added your correction for the ssl_lookup_var_ssl() function (and also
the minor correction to ssl_engine_kernel.c) and now I want to retrieve
the SSL_SESSION_ID value from my java module (jserv_ajpv11.c,
function ajpv11_handler(), where environment variables are being
set to the request that will be sent to the servlet.

char* ssl_session_id;
request_rec* r;

ap_hook_call("ap::mod_ssl::var_lookup",
 &ssl_session_id,
 &r->pool,
 &r->server,
 &r->connection,
 r,
 "SSL_SESSION_ID");

The result is an empty string in "ssl_session_id", and after doing
traces in the ssl_lookup_var_ssl() function I found out I get
no SSL from the patch lookup part.

ssl = ap_ctx_get(c->client->ctx);

 ==> gives ssl == NULL

I also tried the r->prev (since I have a redirected request) but
the result remains the same. Any more hints why my context
is bad (I have a context, so it's not NULL)? How do I get
the SSL_SESSION_ID in the java module?

/Lena




Re: [PATCH] ssl session id as environment var

1999-05-20 Thread Ralf S. Engelschall

On Wed, May 19, 1999, [EMAIL PROTECTED] wrote:

> This patch makes the ssl session id available via the environment variable
> SSL_SESSION_ID. Apache modules may obtain this ssl session id via the
> "ap::mod_ssl::var_lookup" EAPI hook. The value of this ssl session id is
> actually the concatenation of the hex representation of each byte in the
> ssl session id. For example, running this through printenv produces:
> 
> SSL_SESSION_ID = bd1c692524d2d3648cb8c87bf7484eb5dd81777659b479b2dbfbc3ec5d2

Fine, good idea. I'll take it over for 2.3.0.

> The idea behind this is to make the ssl session id available so that other
> modules may use the ssl session id as a `key' into their own session table.
> 
> + result = ap_psprintf(p, "%x%s", 
>pSession->session_id[i],
> +  
>result);
> [...]
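Review bot: besides the byte order, the "%x" conversion in this `ap_psprintf()` call prints a session_id byte below 0x10 with a single digit, so the resulting string is not unique for a given id and is unsuitable as a lookup key; "%02x" makes every byte contribute exactly two digits.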

Is there a reason why you reverse the bytes?
I think it should be ``..."%s%x", result, pSessio..''.
OTOH you can use ssl_scache_id2sz() for this task.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
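An added example, not code from the quoted patch or from mod_ssl, that models the session-id hex encoding with plain sprintf() in place of ap_psprintf(): the patch's "%x%s" loop beside the corrected "%02x" form, showing both the byte reversal Ralf notes and a second problem, that "%x" emits only one digit for a byte below 0x10 (the odd, 59-character value in Tom's mail is consistent with that). Function names and the sample bytes are constructed.

```c
/* Added example, not code from the quoted patch or from mod_ssl: it models
 * the session-id hex encoding with plain sprintf() instead of ap_psprintf().
 * Function names and the sample session-id bytes are constructed.
 * Even a correct encoding does not make the SSL session id a good HTTP
 * session key, for the lifetime reasons Ben Laurie gives in this thread. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The patch's loop: result = "%x%s" of (current byte, previous result).
 * Prepending each byte reverses the order, and "%x" prints a byte below 0x10
 * with a single digit, so the string can have odd length and two different
 * ids can map to the same string (a bad property for a lookup key). */
char *session_id_hex_buggy(const unsigned char *id, size_t len)
{
    char *result = calloc(1, 1);          /* empty string */
    for (size_t i = 0; i < len; i++) {
        /* room for up to 2 hex digits + previous string + NUL */
        char *next = malloc(strlen(result) + 3);
        sprintf(next, "%x%s", id[i], result);
        free(result);
        result = next;
    }
    return result;
}

/* Corrected form: append in order and always emit exactly two digits per
 * byte, so the string is fixed-width and unique for a given id. */
char *session_id_hex(const unsigned char *id, size_t len)
{
    char *result = malloc(len * 2 + 1);
    for (size_t i = 0; i < len; i++)
        sprintf(result + 2 * i, "%02x", id[i]);
    result[len * 2] = '\0';
    return result;
}

int main(void)
{
    /* Constructed ids: the buggy encoder yields "123" for both of them. */
    const unsigned char a[] = { 0x03, 0x12 };
    const unsigned char b[] = { 0x23, 0x01 };
    char *ha = session_id_hex_buggy(a, 2), *hb = session_id_hex_buggy(b, 2);
    char *ca = session_id_hex(a, 2),       *cb = session_id_hex(b, 2);
    printf("buggy:   %s  %s\n", ha, hb);   /* 123  123 */
    printf("correct: %s  %s\n", ca, cb);   /* 0312  2301 */
    free(ha); free(hb); free(ca); free(cb);
    return 0;
}
```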



Re: am I missing something?

1999-05-20 Thread Derek Smith

Adam,

Could be you installed over your previous version of Apache, in which case your
problem is the fact that it doesn't overwrite your httpd.conf file.  You'll find
the default install copy in the conf directory in your Apache source directory.


Regards,

Derek Smith
Systems Administrator/Developer
MotorTR@K - www.motortrak.com

"Adam D. McKenna" wrote:

> I followed the instructions to install OpenSSL and mod_ssl on my server.  I
> can do an apachectl startssl, and httpd starts fine.  But for some reason it
> is not listening on port 443, even if I tell it to in httpd.conf.  It's
> definitely running, when I do a ps auxw | grep httpd I get:
>
> httpd16797  0.0  1.8  3200  2308  ?  S17:49   0:00
> /usr/local/apache/bin/httpd -DSSL
> httpd16798  0.0  1.7  3200  2296  ?  S17:49   0:00
> /usr/local/apache/bin/httpd -DSSL
> httpd16799  0.0  1.7  3172  2288  ?  S17:49   0:00
> /usr/local/apache/bin/httpd -DSSL
> httpd16800  0.0  1.7  3168  2280  ?  S17:49   0:00
> /usr/local/apache/bin/httpd -DSSL
> httpd16801  0.0  1.7  3164  2268  ?  S17:49   0:00
> /usr/local/apache/bin/httpd -DSSL
> httpd16803  0.0  1.7  3200  2300  ?  S17:49   0:00
> /usr/local/apache/bin/httpd -DSSL
> httpd16804  0.0  1.8  3236  2344  ?  S17:49   0:00
> /usr/local/apache/bin/httpd -DSSL
> httpd16805  0.0  1.7  3172  2288  ?  S17:49   0:00
> /usr/local/apache/bin/httpd -DSSL
> httpd16832  0.0  1.3  2852  1724  ?  S17:50   0:00
> /usr/local/apache/bin/httpd -DSSL
> httpd16833  0.0  1.2  2804  1596  ?  S17:50   0:00
> /usr/local/apache/bin/httpd -DSSL
> root 16796  0.0  1.2  2804  1596  ?  S17:49   0:00
> /usr/local/apache/bin/httpd -DSSL
>
> Did I miss something in the installation?  The INSTALL file doesn't say
> anything about changes to the httpd.conf file, nor does it indicate how to
> specify which certificate will be used for each site.  If someone can help
> me out here I'd appreciate it.
>
> TIA
>
> --Adam
>




Re: Message when starting ssl

1999-05-20 Thread Ralf S. Engelschall

On Thu, May 20, 1999, Gilles L. Chong Hok Yuen wrote:

> You are right Derek!
> So I created 2 priv keys (in ../ssl.key/) and 2 server certs (in ../ssl.crt/)
> for my 2 virtual hosts, using the ssleay commands. Reading the server certs with
> #ssleay x509 -noout -text -in .crt  gives 2 different cert contents.
> Here is the prob:
> In my httpd.conf file, I specifically point each virtual host to its
> respective cert and priv key:
> 
> 
> SSLCertificateFile/opt/apache/SSLapache_1.3.4/conf/ssl.crt/1.crt
> SSLCertificateKeyFile /opt/apache/SSLapache_1.3.4/conf/ssl.key/1.key
> 
> 
> 
> SSLCertificateFile/opt/apache/SSLapache_1.3.4/conf/ssl.crt/2.crt
> SSLCertificateKeyFile /opt/apache/SSLapache_1.3.4/conf/ssl.key/2.key
> 
> 
> Starting the SSL server even asks for each virtual host's respective password
> (*as pointed out by Derek*).
> 
> Here is the prob:
> On the browser, going on those 2 sites gives the SAME certificate info. More
> precisely info on the virtual host listed first in the httpd.conf file. If I
> place the  ...  BEFORE  ...
> , then both sites display the info on the cert belonging to v host
> 2. Basically, whichever comes first has total control!
> Testing with 1 virtual host at a time gives the proper result. URL 1 will
> display cert info of virtual host 1. 2 will be 2. But putting those 2 virtual
> hosts together, the first one listed in the httpd.conf will have priority and
> total control!

The FAQ would be your friend:
http://www.modssl.org/docs/2.3/ssl_faq.html#vhosts

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Message when starting ssl

1999-05-20 Thread Gilles L. Chong Hok Yuen

You are right Derek!
So I created 2 priv keys (in ../ssl.key/) and 2 server certs (in ../ssl.crt/)
for my 2 virtual hosts, using the ssleay commands. Reading the server certs with
#ssleay x509 -noout -text -in .crt  gives 2 different cert contents.
Here is the prob:
In my httpd.conf file, I specifically point each virtual host to its
respective cert and priv key:


SSLCertificateFile/opt/apache/SSLapache_1.3.4/conf/ssl.crt/1.crt
SSLCertificateKeyFile /opt/apache/SSLapache_1.3.4/conf/ssl.key/1.key



SSLCertificateFile/opt/apache/SSLapache_1.3.4/conf/ssl.crt/2.crt
SSLCertificateKeyFile /opt/apache/SSLapache_1.3.4/conf/ssl.key/2.key


Starting the SSL server even asks for each virtual host's respective password
(*as pointed out by Derek*).

Here is the prob:
On the browser, going on those 2 sites gives the SAME certificate info. More
precisely info on the virtual host listed first in the httpd.conf file. If I
place the  ...  BEFORE  ...
, then both sites display the info on the cert belonging to v host
2. Basically, whichever comes first has total control!
Testing with 1 virtual host at a time gives the proper result. URL 1 will
display cert info of virtual host 1. 2 will be 2. But putting those 2 virtual
hosts together, the first one listed in the httpd.conf will have priority and
total control!

And I can get in both sites even if the cert belonging to the respective server
doesn't correspond to that particular server.

Any idea why?


G.

Derek Smith wrote:

> Gilles,
>
> If all SSLEnabled Virtual Hosts use the same key/cert then the passphrase
> dialogue will only ask for one.
>
> Regards,
>
> Derek Smith
> System Administrator/Developer
> MotorTR@K - www.motortrak.com
>
> "Gilles L. Chong Hok Yuen" wrote:
>
> > Hi,
> > just a trivial question: why is it that only the last virtual host is
> > stated when starting ssl? I've got a few virtual hosts and I've noticed
> > that only the last one (in the httpd.conf file) is displayed. Bit
> > intrigued ...
> >
> > "Apache/1.3.4 mod_ssl/2.2.3 (Pass Phrase Dialog)
> > Some of your private key files are encrypted for security reasons.
> > In order to read them you have to provide us with the pass phrases.
> >
> > Server tmcwork.cc21.com.sg:443
> > Enter pass phrase:
> >
> > Ok: Pass Phrase Dialog successful.
> > /opt/apache/SSLapache_1.3.4/bin/apachectl startssl: httpd started"
> >
> > G.
> > --
> > Gilles Chong ([EMAIL PROTECTED], [EMAIL PROTECTED])
> > Systems Engineer, Internet Division
> > CSA Automated Pte Ltd, Singapore.
> >

--
Gilles Chong ([EMAIL PROTECTED], [EMAIL PROTECTED])
Systems Engineer, Internet Division
CSA Automated Pte Ltd, Singapore.





Re: WinNT + Apache + mod_ssl + openssl -> VC++6 = doesn't work?!

1999-05-20 Thread Trung Tran-Duc

Ingo Zitzmann <[EMAIL PROTECTED]> writes:

> Hi folks,
> 
> I am trying to compile Apache 1.3.6, mod_ssl-2.2.7-1.3.6,
> opensssl-0.9.2b using VisualC++ 6.0 and apparently it compiles the
> openssl option into apache (I checked it by hiding the ssleay.dll and
> the libeay32.dll) but when I call "apache -l" I don't see the mod_ssl.c.

No, you can't see mod_ssl.c in the output of "apache -l". On NT
mod_ssl is built as a DLL (==DSO). "apache -l" only lists the
modules compiled and statically linked into apachecore.dll.

Just go ahead and configure ssl. This is the ssl-related part of my
httpd.conf:

Listen 80
Listen 443

;; NT specific
LoadModule ssl_module modules/ApacheModuleSSL.dll


SSLMutex sem
SSLSessionCache dbm:logs/ssl_gcache_data
SSLSessionCacheTimeout 15
SSLLog logs/ssl.log
SSLLogLevel warn


SSLEngine On
SSLCertificateFile cert/server.crt
SSLCertificateKeyFile cert/server.key.unsecure

ServerName myserver.mydomain.dom

# this is the common stuff for http and https virtual hosts
# DocumentRoot, Alias and the likes
Include conf/tranduc.conf

> > Of course I can't use SSLEnable for example. I followed the
> instructions in install.Win32.
> 
> Can anybody help?
> 
> thanx,
> Ingo.
> 
> 
