RE: Removing passphrase at boot
On Fri, 02 Jul 1999, you wrote:
> > Now from /usr/local/apache/bin I go httpsdctl stop and then httpsdctl
> > start. I'm still asked for password as before. Is this correct? Assume
> > it would do the same in the script from /etc/rc2 (solaris). Or maybe I
>
> You may try "restart" or "graceful" as parameter instead of "stop".
>

Or you could save a copy of the original server key, then use:

    openssl rsa -in server.key.orig -out server.key
    chmod 400 server.key

as per the faq.
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Turning off 128-bit encryption
David M Walker wrote:
>
> Hi,
>
> Being outside the US we don't have access to a strongly encrypted
> version of netscape

It's not true, you may find 128-bit Netscape in many places outside the US;
it's perfectly legal too.

I download it and other strong-crypto stuff from Replay
(http://www.replay.com). Try to use FTPsearch too...

Just my 0.02 euros :^)

Bye!

--
Daniele
---
Daniele Orlandi - Utility Line Italia - http://www.orlandi.com
Via Mezzera 29/A - 20030 - Seveso (MI) - Italy
---
Re: accepting/ installing certificates
Most browsers have an installed list of CAs (Certificate Authorities). If a
host certificate has been certified by a root CA such as Verisign, then the
browser will automatically accept the host certificate without comment.

Albert Steiner

At 03:14 PM 7/1/99 +0200, Josef Hartmann wrote:
>Hi,
>
>how do people build SSL systems which do not require the client to
>accept certificates? E.g. if you want to order a book at www.amazon.de
>and you are using the SSL connection, users do not have to accept the
>certificates, although the certificate of the website is not in the
>browser implemented, yet and the site is used the first time.
>
>ANY HINTS
>
>
>Thanks
>
>Josef Hartmann
>

--
Albert Steiner
Coordinator Distributed Computing
Emerging Technologies Group of Academic Technologies
N O R T H W E S T E R N   U N I V E R S I T Y
1603 Orrington Suite #1400, Evanston, IL 60201-5064
[EMAIL PROTECTED]
Phone 847-491-4056 FAX 847-467-7732
Re: accepting/ installing certificates
> how do people build SSL systems which do not require the client to
> accept certificates? E.g. if you want to order a book at www.amazon.de
> and you are using the SSL connection, users do not have to accept the
> certificates, although the certificate of the website is not in the
> browser implemented, yet and the site is used the first time.

The signer/issuer certificate of the server-certificate is in the browser
cert-db, this CA is "trusted", and so the issued Certs are trusted.

A client like Netscape knows about the CA Certificate of Thawte, Verisign
and others. If the server uses a Certificate signed by one of these CA's,
it doesn't ask the user.

So you have to go to Thawte or Verisign (i.e.) and buy a Certificate.

oki,

Steffen
RE: Removing passphrase at boot
> Now from /usr/local/apache/bin I go httpsdctl stop and then httpsdctl
> start. I'm still asked for password as before. Is this correct? Assume
> it would do the same in the script from /etc/rc2 (solaris). Or maybe I

You may try "restart" or "graceful" as parameter instead of "stop".

oki,

Steffen
RE: Removing passphrase at boot
I've tried the instructions at ssl_faq.html#ToC20 (below) and am wondering ...

I log on as root, the instructions were done, chmod 400 etc.

Now from /usr/local/apache/bin I go httpsdctl stop and then httpsdctl
start. I'm still asked for password as before. Is this correct? Assume
it would do the same in the script from /etc/rc2 (solaris). Or maybe I
should use a different way to start/stop?

I've read and saved all the other thoughtful comments too. But I'm starting
at the beginning.

Thanks.

Chuck Williams
http://www.sme.org

>-----Original Message-----
>From: Ralf S. Engelschall [SMTP:[EMAIL PROTECTED]]
>Sent: Thursday, July 01, 1999 2:38 AM
>To: [EMAIL PROTECTED]
>Subject: Re: Removing passphrase at boot
>
>On Wed, Jun 30, 1999, [EMAIL PROTECTED] wrote:
>
>> How would I go about doing this?
>
>http://www.modssl.org/docs/2.3/ssl_faq.html#ToC20
>
> Ralf S. Engelschall
>
accepting/ installing certificates
Hi,

how do people build SSL systems which do not require the client to
accept certificates? E.g. if you want to order a book at www.amazon.de
and you are using the SSL connection, users do not have to accept the
certificates, although the certificate of the website is not in the
browser implemented, yet and the site is used the first time.

ANY HINTS

Thanks

Josef Hartmann
Re: [BugDB] PRIVATE: Setting up Apache Server with mod_ssl (PR#199)
May I politely point out that Win2K is _BETA_. If something's b0rken, go
back to a known, stable platform.

-dsp

-----Original Message-----
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, July 01, 1999 12:32 PM
Subject: [BugDB] PRIVATE: Setting up Apache Server with mod_ssl (PR#199)

>Full_Name: Kai Ming Chan
>Version: 2.3.5
>OS: Windows 2000
>Submission from: proxy2.ch.intel.com (143.182.246.21)
>
>
>I followed the steps in install.win32 and was able to build openssl and apache.
>However, I don't know how to do step 6.
>
>"6. Now you're on your own, because Win32 is not an officially
>supported platform of mod_ssl. You have to setup the config files
>and certificates manually. Good luck..."
>
>I know win32 is not supported, but could you just give me some hints of setting
>mod_ssl up with apache. What do I need to change in the config file? How do I
>make the certificate and where do I put it?
>
>Thanks!
>Ming
>
[BugDB] PRIVATE: Setting up Apache Server with mod_ssl (PR#199)
Full_Name: Kai Ming Chan
Version: 2.3.5
OS: Windows 2000
Submission from: proxy2.ch.intel.com (143.182.246.21)

I followed the steps in install.win32 and was able to build openssl and apache.
However, I don't know how to do step 6.

"6. Now you're on your own, because Win32 is not an officially
supported platform of mod_ssl. You have to setup the config files
and certificates manually. Good luck..."

I know win32 is not supported, but could you just give me some hints of setting
mod_ssl up with apache. What do I need to change in the config file? How do I
make the certificate and where do I put it?

Thanks!
Ming
Re: Removing passphrase at boot
or you could have an expect process inside your firewall monitoring the
webserver and on detecting a problem, it would do an ssh logon to the
webserver, su, and do the password stuff as below, logoff... continue
monitoring...

ps... no code yet ;-)

cheers,
Sean
[EMAIL PROTECTED]

System Administrator wrote:
>
> OK I know this defeats the purpose of having a password protected
> certificate, but this will do what you want. Get a program called
> "expect". Here's the expect script that does exactly what you want,
> albeit it's for apache 1.2.6
>
> -- Cut Here --
> #!/usr/local/bin/expect --
>
> # Expect has to be at least version 5.0, which is ancient!
> exp_version -exit 5.0
>
> # The passphrase is going to be the pword variable
> set pword "THE_PASSPHRASE"
>
> # Duh, make it big for the hell of it
> set timeout 60
>
> # Just for the hell of it
> # (run through sh, because Tcl does not expand backticks itself)
> spawn /bin/sh -c "/usr/bin/kill -TERM `/usr/bin/cat /var/httpd/logs/httpd.pid`"
>
> # Run the secure version of apache
> spawn /usr/local/apache/bin/httpsd -f /etc/httpd.conf
>
> # Apache will say something like "Enter passphrase:", so lets wait till it says Enter
> expect "Enter"
>
> # Tell it our passphrase
> send "$pword\r"
>
> # Because I'm patient
> sleep 1
>
> # If you have more than one passphrase you want to bypass, just uncomment these and
> # if the password is different, create a new variable on top, easy enough..
> #expect "Enter"
> #send "$pword\r"
> #sleep 1
>
> -- Stop Here - EOF --
>
> You can put this in your rc files so it does this at bootup...in solaris
> you can put it in /etc/rc2
>
> Sidenote : If you want it to be a little more secure than the above (having
> the password in plaintext), you can do a "man libexpect" and see how to code
> a C program using expect
>
> ----- Original Message -----
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, June 30, 1999 8:43 AM
> Subject: Removing passphrase at boot
>
> > Hello all,
> > I know this has been covered before and is documented but we are having power
> > problems and I don't have any power on my computer where all this info is stored
> > so I apologize for the repeat.
> > We have received a cert from Verisign. We need to remove the passphrase so that
> > if we remotely reboot the machine it will not sit and wait for the phrase before
> > finishing the boot process.
> > How would I go about doing this?
> > Thanks,
> > John
[BugDB] SSL handshake interrupted by system - open bug 112 (PR#198)
Full_Name: John Hynes
Version: mod_ssl-2.2.8-1.3.6
OS: Solaris 2.5.1 and AIX 4.3.2
Submission from: lsi243.dtr.fr (195.6.83.243)

Message: SSL handshake interrupted by system
open problem 112

[01/Jul/1999 11:54:01] [trace] OpenSSL: Handshake: start
[01/Jul/1999 11:54:01] [trace] OpenSSL: Loop: before/accept initialization
[01/Jul/1999 11:54:01] [debug] OpenSSL: read 7/7 bytes from BIO#001EB6B0 [mem: 00217A18] (BIO dump follows)
[BIO dump omitted]
[01/Jul/1999 11:54:01] [debug] OpenSSL: read 93/93 bytes from BIO#001EB6B0 [mem: 00217A1F] (BIO dump follows)
[BIO dump omitted]
[01/Jul/1999 11:54:01] [trace] Inter-Process Session Cache: request=GET status=FOUND id=BCAA91990147CEF0BFA5F1E8699F0331 4F75663F8722218162F26B55A59C7D6E (session reuse)
[01/Jul/1999 11:54:01] [trace] OpenSSL: Loop: SSLv3 read client hello A
[01/Jul/1999 11:54:01] [trace] OpenSSL: Loop: SSLv3 write server hello A
[01/Jul/1999 11:54:01] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[01/Jul/1999 11:54:01] [trace] OpenSSL: Loop: SSLv3 write finished A
[01/Jul/1999 11:54:01] [debug] OpenSSL: write 146/146 bytes to BIO#001EB6B0 [mem: 00205D50] (BIO dump follows)
[BIO dump omitted]
[01/Jul/1999 11:54:01] [trace] OpenSSL: Loop: SSLv3 flush data
[01/Jul/1999 11:54:01] [debug] OpenSSL: read 0/5 bytes from BIO#001EB6B0 [mem: 00217A18] (BIO dump follows)
[01/Jul/1999 11:54:01] [trace] OpenSSL: Exit: failed in SSLv3 read finished A
[01/Jul/1999 11:54:01] [error] SSL handshake interrupted by system

that's what I have with debug enabled on solaris 2.5.1, apache 1.3.6,
openssl-0.9.2b and mod_ssl-2.2.8-1.3.6.

I'm going to try out openssl-0.9.3a and mod_ssl-2.3.5-1.3.6

John Hynes
RE: Removing passphrase at boot
Just read the mod SSL manuals. There's one parameter (something like
SSLPassPhrase). You just say:

    SSLPassPhrase exec:/safe/directory/passPhrase.sh

passPhrase.sh looks like

    #!/bin/sh
    echo "My password"

That's all. It's all in the docs, which happen to be available online on
Ralf's SSL homepage.

Kind regards / Met vriendelijke groet,

Jeroen Gremmen
Country-Micado Consultant / Check 2000 Team Manager
Origin International B.V.
Complex Vredeoord VH 1.20
Groenewoudseweg 1, 5621 BA Eindhoven
+31 (0)40 2756943
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 30 June, 1999 17:44
To: [EMAIL PROTECTED]
Subject: Removing passphrase at boot

Hello all,
I know this has been covered before and is documented but we are having power
problems and I don't have any power on my computer where all this info is stored
so I apologize for the repeat.
We have received a cert from Verisign. We need to remove the passphrase so that
if we remotely reboot the machine it will not sit and wait for the phrase before
finishing the boot process.
How would I go about doing this?
Thanks,
John
Re: Removing passphrase at boot
System Administrator wrote:
>
> OK I know this defeats the purpose of having a password protected
> certificate, but this will do what you want. Get a program called

s/certificate/key

Not the cert is protected but the key!

--
Holger Reif                  Tel.: +49 361 74707-0
SmartRing GmbH               Fax.: +49 361 7470720
Europaplatz 5                [EMAIL PROTECTED]
D-99091 Erfurt               WWW.SmartRing.de
Re: Removing passphrase at boot
On Wed, Jun 30, 1999, System Administrator wrote:

> OK I know this defeats the purpose of having a password protected
> certificate, but this will do what you want. Get a program called
> "expect". Here's the expect script that does exactly what you want,
> albeit it's for apache 1.2.6

Nice little script, but it's a lot easier: When you really want to provide
the pass phrase via a program in batch all you've to do is to use a program
via "SSLPassPhraseDialog exec:/path/to/program". That's a lot faster and
more robust than the expect fiddling and the result is the same. But please
always keep in mind what the docs explicitly say: The whole stuff is not more
secure than just removing the pass phrase at all! At least not until your
exec:/path/to/program is a more clever thing... and even when it's clever,
you cannot achieve real security even this way, of course.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
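An added example, not part of any message in this thread: a shell check that reports whether a PEM key file still carries a pass phrase and whether anyone other than its owner has access to it, the two properties the replies on this subject trade against each other. The file names follow the FAQ commands quoted in the thread; the function names and the sample key files are constructed for illustration and contain no key material.

```shell
#!/bin/sh
# Added example (not from the thread). The PEM bodies below are constructed
# placeholders, not key material.

# Print "encrypted", "plaintext" or "unknown" for a PEM private key file.
key_state() {
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' \
               -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted      # traditional or PKCS#8 encrypted PEM
    elif grep -q -e '^-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        echo plaintext      # pass phrase was removed or never set
    else
        echo unknown
    fi
}

# Print "owner-only" when group and other have no access bits, else "exposed".
key_perms() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; then
        echo owner-only
    else
        echo exposed
    fi
}

# Report one key; return 0 only for a recognised key accessible to its owner alone.
audit_key() {
    state=$(key_state "$1")
    perms=$(key_perms "$1")
    echo "$1: $state, $perms"
    [ "$state" != unknown ] && [ "$perms" = owner-only ]
}

# Write two constructed sample files into directory $1.
make_samples() {
    cat > "$1/server.key.orig" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

CONSTRUCTEDPLACEHOLDER
-----END RSA PRIVATE KEY-----
EOF
    cat > "$1/server.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTEDPLACEHOLDER
-----END RSA PRIVATE KEY-----
EOF
    chmod 400 "$1/server.key.orig"
    chmod 644 "$1/server.key"     # deliberately loose, to show the finding
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_key "$demo_dir/server.key.orig" || true
audit_key "$demo_dir/server.key" || echo "  -> run: chmod 400 server.key"
rm -rf "$demo_dir"
```

A key reported as plaintext is protected by its file mode and ownership alone, so the mode check matters most for exactly the keys that boot unattended.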
Re: Anyone using Thawte?
Mark Jaffe wrote:
>
> >On Tue, Jun 29, 1999 at 04:27:21PM -0700, Mark Jaffe wrote:
> > > I'm needing to get a certificate from Thawte, and their instructions
> > > show I need to run ssleay to generate a CSR/key pair. I don't find
> > > that in my installation of
> > > apache-1.3.6/mod_ssl-2.3.4-1.3.6/openssl-0.9.3a on MkLinux. Anyone
> > > else in this same boat? Did I miss a step?
> > >
> >
> >Instead of using ssleay to generate the key, use openssl.
>
> Sorry, I found it was NOT on my regular PATH, in /usr/local/ssl/bin
> so I made a link:
>
> ln -s /usr/local/ssl/bin/openssl /usr/local/bin/ssleay

You should not do this. *ssleay is superseded by openssl*. You really
should either follow the mod_ssl instructions (that name openssl) or just
use openssl instead of ssleay.

--
Holger Reif                  Tel.: +49 361 74707-0
SmartRing GmbH               Fax.: +49 361 7470720
Europaplatz 5                [EMAIL PROTECTED]
D-99091 Erfurt               WWW.SmartRing.de
Re: Removing passphrase at boot
OK I know this defeats the purpose of having a password protected
certificate, but this will do what you want. Get a program called
"expect". Here's the expect script that does exactly what you want,
albeit it's for apache 1.2.6

-- Cut Here --
#!/usr/local/bin/expect --

# Expect has to be at least version 5.0, which is ancient!
exp_version -exit 5.0

# The passphrase is going to be the pword variable
set pword "THE_PASSPHRASE"

# Duh, make it big for the hell of it
set timeout 60

# Just for the hell of it
# (run through sh, because Tcl does not expand backticks itself)
spawn /bin/sh -c "/usr/bin/kill -TERM `/usr/bin/cat /var/httpd/logs/httpd.pid`"

# Run the secure version of apache
spawn /usr/local/apache/bin/httpsd -f /etc/httpd.conf

# Apache will say something like "Enter passphrase:", so lets wait till it says Enter
expect "Enter"

# Tell it our passphrase
send "$pword\r"

# Because I'm patient
sleep 1

# If you have more than one passphrase you want to bypass, just uncomment these and
# if the password is different, create a new variable on top, easy enough..
#expect "Enter"
#send "$pword\r"
#sleep 1

-- Stop Here - EOF --

You can put this in your rc files so it does this at bootup...in solaris
you can put it in /etc/rc2

Sidenote : If you want it to be a little more secure than the above (having
the password in plaintext), you can do a "man libexpect" and see how to code
a C program using expect

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 30, 1999 8:43 AM
Subject: Removing passphrase at boot

> Hello all,
> I know this has been covered before and is documented but we are having power
> problems and I don't have any power on my computer where all this info is stored
> so I apologize for the repeat.
> We have received a cert from Verisign. We need to remove the passphrase so that
> if we remotely reboot the machine it will not sit and wait for the phrase before
> finishing the boot process.
> How would I go about doing this?
> Thanks,
> John