Re: Permission.
I just checked a Suse 6.1 system (Brian, original poster had such a thing). /usr/include/ndbm.h defines both DB_LOCK and DBM_SUFFIX: the former because ndbm.h includes db.h and the latter with the following comment:

    /*
     * The db(3) support for ndbm(3) always appends this suffix to the
     * file name to avoid overwriting the user's original database.
     */
    #define DBM_SUFFIX ".db"

As always, configure --enable-rule=SSL_SDBM would fix it ;-)

Ralf S. Engelschall wrote:
> On Thu, Jul 08, 1999, Dave Neuer wrote:
>
> > I already posted a bug report about this. It's PR # 200 @ http://www.modssl.org/support/bugdb, if anyone wants to look at it. Ralf is apparently rather busy now finishing his degree. If anyone has more info about this, I guess I'd be interested in finding out more. It's probably a pretty simple fix (it seems to be just an incorrect #define in mod_ssl.h). Brian, are you using Linux? Which version? What libc? What distro? What version of modssl?
>
> Yes, seems like the stuff in mod_ssl.h around line 310 does not do the correct thing for this platform. Please try to trace down to what SSL_DBM_FILE_SUFFIX_{DIR,PAG} is set and why. Thanks for your help.
>
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com

--
Holger Reif                  Tel.: +49 361 74707-0
SmartRing GmbH               Fax.: +49 361 7470720
Europaplatz 5                [EMAIL PROTECTED]
D-99091 Erfurt               WWW.SmartRing.de
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

Re: Permission.
Holger Reif wrote:
> I just checked a Suse 6.1 system (Brian, original poster had such a thing). /usr/include/ndbm.h defines both DB_LOCK and DBM_SUFFIX: the former because ndbm.h includes db.h and the latter with the following comment:
>
>     /*
>      * The db(3) support for ndbm(3) always appends this suffix to the
>      * file name to avoid overwriting the user's original database.
>      */
>     #define DBM_SUFFIX ".db"
>
> As always, configure --enable-rule=SSL_SDBM would fix it ;-)

Then it should be set as a default rule!

Re: Permission.
8-Jul-99 09:40 you wrote:
> Hello, I've been playing around with mod-ssl. I wonder about the following entries in the general error.log:
>
>     [Thu Jul 8 09:12:05 1999] [error] mod_ssl: Cannot open SSLSessionCache DBM file `/var/run/ssl.dbm' for writing (store) (System error follows)
>     [Thu Jul 8 09:12:05 1999] [error] System: Permission denied (errno: 13)
>
> I can see why it fails:
>
>     root@dps-1:/log/error # cd /var/run
>     root@dps-1:/var/run # ll ssl*
>     -rw-------   2 root     root        12288 jul  8 09:13 ssl.dbm.dir
>     -rw-------   2 root     root        12288 jul  8 09:13 ssl.dbm.pag
>     -rw-------   1 nobody   root            0 jul  8 09:13 ssl.sem.1113
>
> So my question is: Why are the *.dbm files owned by root, when the webserver runs as nobody - that is like asking for trouble! ;o)

Somehow mod_ssl.h wrongly guessed the extension for the files: .db instead of .dir/.pag
Permission denied comes from the same problem...

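The check that the listing above does by hand, as an added example that is not part of the original thread: given the SSLSessionCache base path and the numeric uid the httpd children run as (for example the output of "id -u nobody"), it reports every DBM file that uid does not own. The function names are hypothetical, and the suffix list (none, .dir, .pag, .db) is taken from the files and the DBM_SUFFIX define quoted in these messages.

```shell
#!/bin/sh
# Added example, not code from mod_ssl or from the thread.
# The DBM library decides which files really exist on disk for a given
# SSLSessionCache path; if the server guesses the wrong suffix, the files
# stay owned by root and the unprivileged children get EACCES (errno 13).

# owner_uid FILE: print the numeric uid of FILE's owner (third field of ls -n).
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# check_session_cache BASE UID
#   BASE: path given to SSLSessionCache, e.g. /var/run/ssl.dbm
#   UID:  numeric uid of the httpd child processes
# Prints one line per existing file. Returns 0 when every existing file is
# owned by UID, 1 when at least one is not, 2 when no file exists at all.
check_session_cache() {
    base=$1 want=$2 found=0 bad=0
    # Suffixes assumed from this thread: bare name, ndbm pair, db(3) suffix.
    for suffix in "" .dir .pag .db; do
        f="$base$suffix"
        [ -e "$f" ] || continue
        found=1
        uid=$(owner_uid "$f")
        if [ "$uid" = "$want" ]; then
            echo "ok   $f owner=$uid"
        else
            echo "BAD  $f owner=$uid expected=$want"
            bad=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no DBM files found for $base"
        return 2
    fi
    return "$bad"
}

# Stand-alone use: sh check.sh /var/run/ssl.dbm "$(id -u nobody)"
if [ "$#" -eq 2 ]; then
    check_session_cache "$1" "$2"
fi
```
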
Cypher suite combinations
Hi! Does anyone know which cyphersuites are supported by IIS and Netscape in contrast to Apache/ModSSL?

Thanx,
Juan Carlos Castro y Castro

different certs for v. domains
call this a stupid question: i have installed apache 1.3.6 with mod_ssl 2.3.5 and i am using OpenSSL 0.9.3a. i am unclear of how to have a different certificate for each virtual domain. i am able to assign a certificate, but that certificate is the same for all domains. i tried playing around with it, but there seemed to be no obvious solution, unless i am overlooking something huge. if i could have someone respond to me with a resolution it would be greatly appreciated.

thanks,
-brent

Does mod_ssl require flex to compile?
I'm trying to compile mod_ssl 2.3.5 for Apache 1.3.6 on AIX 4.3 but get stuck at the following:

    flex -Pssl_expr_yy -s -B ssl_expr_scan.l
    make: flex: Command not found
    make: *** [ssl_expr_scan.c] Error 127

I didn't notice flex being a prerequisite in the INSTALL doc (http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL). Looking in the src/modules/ssl/Makefile for the offending target:

    ssl_expr_scan.c: ssl_expr_scan.l ssl_expr_parse.h
            flex -Pssl_expr_yy -s -B ssl_expr_scan.l
            sed -e '/$$Header:/d' <lex.ssl_expr_yy.c >ssl_expr_scan.c
            rm -f lex.ssl_expr_yy.c

I noticed it was under the following header:

    ## DEVELOPER AREA
    ## We really don't expect end users to use these targets!

What's the scoop? Do I need flex, are the dependencies screwed up, or what?

--
Brandon

Re: Off the Road: Time Stamping
> We use our one CA to secure our site with client certificates and now my boss asked me if we could use certificates to sign our documents (e.g. Acrobat Docs). No problem at this point. But now he wants time stamps. I found an IETF Draft about Time Stamping but nothing else. Is it possible to use mod_ssl, OpenSSL for this task ?

Daniel,

according to Schneier's book "Applied Crypto" timestamping protocols are patented so you might not be able to use it without a proper license. It should not be too hard to implement one with crypto calls provided by the OpenSSL library. However you still might want to contact Surety Technology if there's a strict schedule and/or other requirements. You might want to download the papers if the book is not handy; there's at least 3 entries with "stamp" in the title listed on Counterpane's site.

hope this helps,
Vadim

Re: Does mod_ssl require flex to compile?
On Thu, Jul 08, 1999, Brandon Bell wrote:
> I'm trying to compile mod_ssl 2.3.5 for Apache 1.3.6 on AIX 4.3 but get stuck at the following:
>
>     flex -Pssl_expr_yy -s -B ssl_expr_scan.l
>     make: flex: Command not found
>     make: *** [ssl_expr_scan.c] Error 127
>
> I didn't notice flex being a prerequisite in the INSTALL doc (http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL). Looking in the src/modules/ssl/Makefile for the offending target:
>
>     ssl_expr_scan.c: ssl_expr_scan.l ssl_expr_parse.h
>             flex -Pssl_expr_yy -s -B ssl_expr_scan.l
>             sed -e '/$$Header:/d' <lex.ssl_expr_yy.c >ssl_expr_scan.c
>             rm -f lex.ssl_expr_yy.c
>
> I noticed it was under the following header:
>
>     ## DEVELOPER AREA
>     ## We really don't expect end users to use these targets!
>
> What's the scoop? Do I need flex, are the dependencies screwed up, or what?

I think just the timestamps on your disk are bogus. Do a ``touch ssl_expr_scan.c ssl_expr_parse.c ssl_expr_parse.h'' and try again.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com

Re: different certs for v. domains
(Not that I have done this, but ...)

You should include a separate SSLCertificateFile and SSLCertificateKeyFile directive within each secure server virtual host pointing to the appropriate file that holds the certs and associated keys.

Jeff

On Thu, 8 Jul 1999, Brent Holden wrote:
> call this a stupid question: i have installed apache 1.3.6 with mod_ssl 2.3.5 and i am using OpenSSL 0.9.3a. i am unclear of how to have a different certificate for each virtual domain. i am able to assign a certificate, but that certificate is the same for all domains. i tried playing around with it, but there seemed to be no obvious solution, unless i am overlooking something huge. if i could have someone respond to me with a resolution it would be greatly appreciated.
>
> thanks,
> -brent

Re: Perl Script to process Netscape Client and Microsoft certificate Request
Hi,

> I sent this out with no response. Can some one comment?

Well... Seems like nobody has such a script, ain't?

> Am looking for some Perl CGI script that can process Netscape and
> The script must completely automate the process,

I don't think that you'll find such a script, because if you automate the certification procedure, you have no security, and so you don't need a cert at all... (IMHO)

oki,
Steffen

Re: different certs for v. domains
8-Jul-99 15:20 you wrote:
> call this a stupid question: i have installed apache 1.3.6 with mod_ssl 2.3.5 and i am using OpenSSL 0.9.3a. i am unclear of how to have a different certificate for each virtual domain. i am able to assign a certificate, but that certificate is the same for all domains. i tried playing around with it, but there seemed to be no obvious solution, unless i am overlooking something huge. if i could have someone respond to me with a resolution it would be greatly appreciated.

If you have IP based vhosts (and you are already aware that it's not possible with name based vhosts, right? it's in the FAQ) then just specify different certificates for different vhosts (do not use the _default_ one added automatically by mod_ssl)...

Re: Does mod_ssl require flex to compile?
8-Jul-99 13:32 you wrote:
> I'm trying to compile mod_ssl 2.3.5 for Apache 1.3.6 on AIX 4.3 but get stuck at the following:
>
>     flex -Pssl_expr_yy -s -B ssl_expr_scan.l
>     make: flex: Command not found
>     make: *** [ssl_expr_scan.c] Error 127
>
> I didn't notice flex being a prerequisite in the INSTALL doc (http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL).

It does not.

> Looking in the src/modules/ssl/Makefile for the offending target:
>
>     ssl_expr_scan.c: ssl_expr_scan.l ssl_expr_parse.h
>             flex -Pssl_expr_yy -s -B ssl_expr_scan.l
>             sed -e '/$$Header:/d' <lex.ssl_expr_yy.c >ssl_expr_scan.c
>             rm -f lex.ssl_expr_yy.c
>
> I noticed it was under the following header:
>
>     ## DEVELOPER AREA
>     ## We really don't expect end users to use these targets!
>
> What's the scoop? Do I need flex, are the dependencies screwed up, or what?

Looks like you have ssl_expr_scan.l newer than ssl_expr_scan.c ... Something is screwed up (wrong timestamp or error in AIX's make)...

RE: Permission.
9-Jul-99 16:06 you wrote:

There was a discussion about DBM extension/permission under GLIBC 2.1 some time ago.

In fact even attached patch is not correct :-/ Since you can not just "#include <db1/ndbm.h>" and be happy ... db1/ndbm.h will include db.h instead of db1/db.h so some defines still will be screwed up unless you are using -I/usr/include/db1 ... And you must link with -ldb1 in such cases, NOT with -lndbm !!! Ok, -lndbm works in GLibC 2.1.1 but it's not guaranteed that it will work in later versions as well: libndbm.so is a link to Berkeley DB 2.x and db1/ndbm.h comes from Berkeley DB 1.x so there is no guarantee that db1/ndbm.h is compatible with -lndbm :-((

I wonder why there is such a mess in Berkeley DB 1.x/Berkeley DB 2.x support ?? Why is db_dump185 (provided especially for dumping Berkeley DB 1.x databases AFAIK) linked against Berkeley DB 2.x so you can not dump a Berkeley DB 1.x database with it (but can dump a Berkeley DB 2.x database just like db_dump!) after all ???

Yes, I know that I can fix it with ease:

-- cut --
mv /usr/bin/db_dump185 /usr/bin/db_dump185.o
sed s-libdb[.]so[.]3-libdb.so.2- </usr/bin/db_dump185.o >/usr/bin/db_dump185
rm -rf /usr/bin/db_dump185.o
-- cut --

And I can create /usr/include/ndbm.h for libndbm.so (libdb.so.3 in fact) easily:

-- cut --
#ifndef _NDBM_H_
#define _NDBM_H_
#ifdef _DB_H_
#if DB_DBM_HSEARCH == 0
#error db.h included before ndbm.h and DB_DBM_HSEARCH == 0 . Giving up.
#endif
#else
#define DB_DBM_HSEARCH 1
#include <db.h>
#endif
#endif
-- cut --

But still :-/ Looks like someone was on drugs when developing the Berkeley DB 1.x/NDBM compatibility stuff in GLibC 2.1 ... Binaries are supported fine but for a developer it's a nightmare :-/

These problems are now fixed for the RPM we built with Magnus. You could take a look at the attached patches. Also why not using library MM to solve part of these problems ?

And you STILL need patch over downloadable tarball :-))

Re: Perl Script to process Netscape Client and Microsoft certificate Request
9-Jul-99 14:03 you wrote:
> I sent this out with no response. Can some one comment?
>
> Am looking for some Perl CGI script that can process Netscape and Microsoft Clients Certificate Request Automatically for mod_ssl-2.3.5 + openssl_0_9_3a. The script must completely automate the process, causing a client certificate to be installed once the request HTML form is submitted. If you know some place over the Internet where I can find it or if you have it, please tell me. If i could have someone respond to me with a response it would be greatly appreciated.

Try to post this message to [EMAIL PROTECTED] as well... I'm not sure if you'll find a script there but maybe you'll get at least some ideas :-))