Re: [BugDB] SSLRandomSeed exec directive not working with Win32 (PR#213)
On Fri, Jul 23, 1999, [EMAIL PROTECTED] wrote:

> Full_Name: Caitlin Howell
> Version: 2.3.5
> OS: Windows Workstation 4.0
> Submission from: proxy3.fm.intel.com (132.233.247.6)
>
> I compiled Apache for Win32 with OpenSSL and mod_ssl, according to the directions available on the respective web sites. Everything works great, except for the SSLRandomSeed exec directive. I would like to use SSLRandomSeed exec with a program that generates random bytes. SSLRandomSeed builtin and file work, but exec doesn't. I suspect this has to do with a difference in process handling between Linux and Win32. As far as I can tell, the web server won't launch the process to generate random bytes. I realize Win32 is low priority, but maybe one of the Apache - Win32 porters would know whether or not this is a process launching problem that could be cleared up easily.

Hmmm... yes, brain-dead Win32 needs special exec() stuff. I've copied over the stuff from mod_rewrite.c to ssl_util.c. A patch is appended. Please try it out and give feedback.

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com

Index: ssl_util.c === RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_util.c,v retrieving revision 1.21 diff -u -r1.21 ssl_util.c --- ssl_util.c 1999/05/20 10:40:21 1.21 +++ ssl_util.c 1999/07/23 06:49:45 
@@ -202,13 +202,48 @@ { int child_pid = 1; +/* + * Prepare for exec + */ ap_cleanup_for_exec(); #ifdef SIGHUP signal(SIGHUP, SIG_IGN); #endif -#if defined(__EMX__) + +/* + * Exec() the child program + */ +#if defined(WIN32) +/* MS Windows */ +{ +char pCommand[MAX_STRING_LEN]; +STARTUPINFO si; +PROCESS_INFORMATION pi; + +ap_snprintf(pCommand, sizeof(pCommand), "%s /C %s", SHELL_PATH, cmd); + +memset(si, 0, sizeof(si)); +memset(pi, 0, sizeof(pi)); + +si.cb = sizeof(si); +si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES; +si.wShowWindow = SW_HIDE; +si.hStdInput = pinfo-hPipeInputRead; +si.hStdOutput = pinfo-hPipeOutputWrite; +si.hStdError = pinfo-hPipeErrorWrite; + +if (CreateProcess(NULL, pCommand, NULL, NULL, TRUE, 0, + environ, NULL, si, pi)) { +CloseHandle(pi.hProcess); +CloseHandle(pi.hThread); +child_pid = pi.dwProcessId; +} +} +#elif defined(OS2) +/* IBM OS/2 */ execl(SHELL_PATH, SHELL_PATH, "/c", (char *)cmd, NULL); #else +/* Standard Unix */ execl(SHELL_PATH, SHELL_PATH, "-c", (char *)cmd, NULL); #endif return (child_pid); __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
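Review bot: In the WIN32 branch a failed CreateProcess is not reported: child_pid keeps its initial value 1 and `return (child_pid)` hands the caller what looks like a valid pid, so add an else branch that sets a failure value and logs the error. As the lines read here, `memset(si, 0, sizeof(si))`, `memset(pi, 0, sizeof(pi))` and the last two CreateProcess arguments pass the structs themselves where `&si` and `&pi` are needed, and `pinfo-hPipeInputRead` (likewise the other two handles) should use `->`. The ap_snprintf into pCommand silently truncates a cmd longer than MAX_STRING_LEN before it is handed to the shell, so check for truncation and refuse to run a cut-off command.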
[BugDB] Portability problem (flex) (PR#214)
Full_Name: Laurent FAILLIE
Version: mod_ssl-2.3.6-1.3.6
OS: HP-UX 10.20
Submission from: gk-fr2.michelin.com (195.115.130.37)

When I try to compile mod_ssl-2.3.6-1.3.6 on my HP-UX 10.20 box, the compilation fails because some files (like ssl_expr_yy) need flex to compile. I wonder if "configure" can't use "lexx" if flex isn't in the system.

Regs
Laurent
Re: modssl on NT
22-Jul-99 16:41 you wrote:

> Hi,
> I just want to ask whether we can secure apache web server on NT using mod-ssl and openssl. Are the installation steps given for win32 applicable for NT also? If not, can anyone give me the outline of the steps or any website from where I can follow the steps.

:-))) Win32 is name of API used in Win9X and WinNT ... So, of course, steps for win32 must be applicable for WinNT as well. Just one subtle problem: Ralf does not have Win9X or WinNT (AFAIK) and thus all steps are not checked by him ...
[BugDB] open/146: consumes HUGE amounts of CPU after having served a request
I have the same problem on my solaris 2.5.1/apache 1.3.6/modssl 2.3.5/openssl 0.9.3a. Any idea?

John

PID USERNAME THR PRI NICE SIZE RES STATE TIMECPU COMMAND
19888 nobody 1 -150 3344K 2752K run20:17 97.78% httpd
20642 nobody 1 350 3200K 2416K sleep 0:00 1.32% httpd

=[1] _lseek(0x4400, 0x4400, 0x0, 0x0, 0x1, 0x1), at 0xef5b74fc
[2] dbm_access(0x1c8960, 0x11, 0x1a, 0x30, 0x1f, 0x0), at 0xef5cf4ac
[3] dbm_firsthash(0x1c8960, 0x11, 0x1c8988, 0x0, 0xefffecc8, 0x0), at 0xef5ceb54
[4] dbm_do_nextkey(0xc, 0x3c, 0x3c, 0x0, 0x1c8a4f, 0x11), at 0xef5cf2e4
[5] dbm_nextkey(0x1c8960, 0xef612f30, 0x0, 0x2, 0x0, 0xefffeddc), at 0xef5cecec
[6] ssl_scache_dbm_expire(0x19d338, 0x37973457, 0x0, 0x0, 0x0, 0x0), at 0x45f60
[7] ssl_scache_expire(0x19d338, 0x37973457, 0x0, 0x7, 0x8001400, 0x0), at 0x451ec
[8] ssl_scache_retrieve(0x19d338, 0x1c1a13, 0x20, 0x1aaf00, 0x9bc2c2a2, 0x0), at 0x44e84
[9] ssl_callback_GetSessionCacheEntry(0x1b2f00, 0x1c1a13, 0x20, 0xefffefc8, 0x3fcb8, 0xe014), at 0x3fd14
[10] ssl_get_prev_session(0x1b2f00, 0x1c1a13, 0x20, 0x0, 0x0, 0x1b9110), at 0xd5ea0
[11] 0xde428(0x5b, 0x1b2f00, 0x1c1a13, 0x20, 0x, 0xffae), at 0xde427
[12] ssl3_accept(0x1b2f00, 0x1b2f00, 0x2000, 0x3000, 0x2, 0x2190), at 0xddd40
[13] ssl23_get_client_hello(0x2000, 0x1b2f00, 0x0, 0x0, 0x0, 0x3), at 0xcfd00
[14] ssl23_accept(0x4000, 0x1b2f00, 0x2000, 0x2000, 0x1, 0x2210), at 0xcf420
[15] ssl_hook_NewConnection(0x1b6068, 0xef6fb6e4, 0x1, 0xe32c, 0x4, 0x1a2360), at 0x3bef8
Re: [BugDB] Compiling mod_ssl.c problem (PR#212)
22-Jul-99 20:35 you wrote:

> Full_Name: Marco Teunissen van Manen
> Version: 2.3.6
> OS: Linux (Slackware 3.5)
> Submission from: n16152.telekabel.nl (212.142.16.152)
>
> After configuring and setting up mod_ssl for module use with apache 1.3.6, I got a message stating that an error was detected on line 496 of mod_ssl.h in the apache/src/modules/ssl directory. That line defines a struct/union member of type AP_MM. However, since ap_mm.h was NOT included, the compiler did not know what to do.

Something is screwed up :-(( Are you sure that EAPI patches are applied clearly ?

> Solution to overcome this minor problem: in the Apache section, add in the CORE PRIVATE the following line: #include "ap_mm.h" which will then automatically be used when compiling. Resides in apache/src/include and defines the type AP_MM.
>
> Unfortunately, afterwards a lot of linking failures occur:
>
> modules/ssl/libssl.a(ssl_engine_config.o): In function `ssl_cmd_SSLSessionCache':
> ssl_engine_config.o(.text+0x157d): undefined reference to `ap_mm_useable'
> ssl_engine_config.o(.text+0x165d): undefined reference to `ap_mm_core_maxsegsize'
> modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_malloc':
> ssl_engine_scache.o(.text+0xd6c): undefined reference to `ap_mm_malloc'
> modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_calloc':
> ssl_engine_scache.o(.text+0xdac): undefined reference to `ap_mm_calloc'
> modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_realloc':
> ssl_engine_scache.o(.text+0xdec): undefined reference to `ap_mm_realloc'
> modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_free':
> ssl_engine_scache.o(.text+0xe28): undefined reference to `ap_mm_free'
> modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_init':
> ssl_engine_scache.o(.text+0xe84): undefined reference to `ap_mm_create'
> ssl_engine_scache.o(.text+0xe97): undefined reference to `ap_mm_error'
> ssl_engine_scache.o(.text+0xed7): undefined reference to `ap_mm_permission'
> ssl_engine_scache.o(.text+0xee3): undefined reference to `ap_mm_available'
> modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_kill':
> ssl_engine_scache.o(.text+0xfe0): undefined reference to `ap_mm_destroy'
> collect2: ld returned 1 exit status
> make[2]: *** [target_static] Error 1
> make[2]: Leaving directory `/usr/src/apache_1.3.6/src'
> make[1]: *** [build-std] Error 2
> make[1]: Leaving directory `/usr/src/apache_1.3.6'
> make: *** [build] Error 2

Looks like ap_mm.c not included in your Apache...
Re: [BugDB] Portability problem (flex) (PR#214)
23-Jul-99 09:31 you wrote:

> Full_Name: Laurent FAILLIE
> Version: mod_ssl-2.3.6-1.3.6
> OS: HP-UX 10.20
> Submission from: gk-fr2.michelin.com (195.115.130.37)
>
> When I try to compile mod_ssl-2.3.6-1.3.6 on my HP-UX 10.20 box, the compilation fails because some files (like ssl_expr_yy) need flex to compile. I wonder if "configure" can't use "lexx" if flex isn't in the system.

flex and lexx are different enough :-(( But you SHOULD not need flex at all ! Something is wrong with timestamps or your make...
RE: SSL variables running APACHE on Windows NT 4.0
Hi Ralf,

it's me again. I don't understand the use of ap_hook_use and how it would solve my problem. In my module's "URI to filename translation" phase I'd like to call the ssl module's handler "ssl_hook_fixup" which is setting up all SSL variables so they would be available to me immediately after the call to ssl_hook_fixup returns. Is there a way to do that right now?

I read the documentation provided in ap_hook.c but I don't understand the workings. I also would appreciate a short explanation of how ap_hook_use works. Must the hook specified in ap_hook_use be configured and registered in mod_ssl before it can be used?

Thanks a lot for your help.
Arnold

-Original Message-
From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 22, 1999 2:17 AM
To: [EMAIL PROTECTED]
Subject: Re: SSL variables running APACHE on Windows NT 4.0

On Mon, Jul 19, 1999, Ruetzel, Arnold wrote:

> I wrote my own module which is loaded by Apache at startup time. This module has to access the SSL variables in the "URI to filename translation" phase, but the variables are not available at this phase. Does anybody know what I have to do to make the SSL variables available to me in the "URI to filename translation" phase ? Is there a way to make use of mod_ssl's API's to get my hands on the SSL variables and how would that be done?

When you looked into mod_rewrite, you would have found:

    #ifdef EAPI
    ap_hook_use("ap::mod_rewrite::lookup_variable",
                AP_HOOK_SIG3(ptr,ptr,ptr),
                AP_HOOK_DECLINE(NULL),
                result, r, var);
    #endif

A similar call in your module will give you the results.

> PS: A note for Ralf Engelschall: Do you have any plans to change mod_ssl to make the SSL variables available right from the start, that is before the post_read_request or header_parser handlers are being called.

Hmmm... mod_ssl currently does it in the "correct/intended" phase. But sure, it shouldn't harm to provide them earlier. I've to admit that I currently forgot what the reason was that I have not done this already. I'll think about this again.

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
Re: SSL variables running APACHE on Windows NT 4.0
On Fri, Jul 23, 1999, Ruetzel, Arnold wrote:

> it's me again. I don't understand the use of ap_hook_use and how it would solve my problem. In my module's "URI to filename translation" phase I'd like to call the ssl module's handler "ssl_hook_fixup" which is setting up all SSL variables so they would be available to me immediately after the call to ssl_hook_fixup returns. Is there a way to do that right now?
>
> I read the documentation provided in ap_hook.c but I don't understand the workings. I also would appreciate a short explanation of how ap_hook_use works. Must the hook specified in ap_hook_use be configured and registered in mod_ssl before it can be used?

The hook _IS_ registered by mod_ssl, so you just have to use it with ap_hook_use. Try it out in your module the same way mod_rewrite does it. It internally calls the mod_ssl lookup function which is also used in the fixup handler. So you don't have to run the fixup handler manually.

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
RE: SSL variables running APACHE on Windows NT 4.0
23-Jul-99 09:03 you wrote:

> Hi Ralf,
>
> it's me again. I don't understand the use of ap_hook_use and how it would solve my problem. In my module's "URI to filename translation" phase I'd like to call the ssl module's handler "ssl_hook_fixup" which is setting up all SSL variables so they would be available to me immediately after the call to ssl_hook_fixup returns. Is there a way to do that right now?

No. Not easy, anyway...

> I read the documentation provided in ap_hook.c but I don't understand the workings. I also would appreciate a short explanation of how ap_hook_use works. Must the hook specified in ap_hook_use be configured and registered in mod_ssl before it can be used?

No. You just call hook "ap::mod_rewrite::lookup_variable" to find out variable value instead of standard Apache way. That's all. What's so problematic here ??? Why you are so inclined to setting up SSL variables ?

> Thanks a lot for your help.
> Arnold
>
> -Original Message-
> From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 22, 1999 2:17 AM
> To: [EMAIL PROTECTED]
> Subject: Re: SSL variables running APACHE on Windows NT 4.0
>
> On Mon, Jul 19, 1999, Ruetzel, Arnold wrote:
>
> > I wrote my own module which is loaded by Apache at startup time. This module has to access the SSL variables in the "URI to filename translation" phase, but the variables are not available at this phase. Does anybody know what I have to do to make the SSL variables available to me in the "URI to filename translation" phase ? Is there a way to make use of mod_ssl's API's to get my hands on the SSL variables and how would that be done?
>
> When you looked into mod_rewrite, you would have found:
>
>     #ifdef EAPI
>     ap_hook_use("ap::mod_rewrite::lookup_variable",
>                 AP_HOOK_SIG3(ptr,ptr,ptr),
>                 AP_HOOK_DECLINE(NULL),
>                 result, r, var);
>     #endif
>
> A similar call in your module will give you the results.
>
> > PS: A note for Ralf Engelschall: Do you have any plans to change mod_ssl to make the SSL variables available right from the start, that is before the post_read_request or header_parser handlers are being called.
>
> Hmmm... mod_ssl currently does it in the "correct/intended" phase. But sure, it shouldn't harm to provide them earlier. I've to admit that I currently forgot what the reason was that I have not done this already. I'll think about this again.
>
> Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
Re: Probing Client-side certs in PHP
On Fri, Jul 23, 1999, Michael Bartlett wrote:

> I need to do login authentication using information stored in a class 2 certificate. Basically the directory of the web site (apache) requires a class 2 cert. The certs are Verisign Onsite certificates which have 3 custom fields in them. So what I need to do is probe the cert that is presented to the server using PHP and take the uid from the cert and authenticate against a mysql database and log the user on.
>
> I've done this before using IIS and ASP *shudder* using source code that looks like this:
>
>     <%
>     response.write(Request.ClientCertificate("SUBJECTO") & "<br>")
>     response.write(Request.ClientCertificate("SUBJECTOU"))
>     %>
>
> But nobody on the php lists seems to know anything about certs, nor the people on the apache lists.

This stuff is provided by mod_ssl in the SSL_CLIENT_CERT_XX environment variables. See the mod_ssl documentation for details.

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
RE: [patch] read crt/keys from DB file
Wilt, Paul wrote:

> David:
>
> Is it possible for you to create an in-memory file on your OS? Seems like that would allow you to use all the FILE * type methods without leaving a snoopable file on the disk! Some Unix derivatives have some sort of RAM-disk-like device drivers for doing just what you are looking for.
>
> Paul E Wilt
> Principle Software Engineer

The file I create on the disk is not really snoopable because it is unlinked after creation. Therefore, it has no attachment to the directory system and can't be referenced with a filename.

I like the idea of creating an in-memory file and I've heard of that before, but it's not really needed. I'd be surprised if any of my temporary is actually written out to disk - it should all be in the buffer cache.

- David Harris
Principal Engineer, DRH Internet Services
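The unlink-after-create technique described in the message above, as an added C example that is not code from the patch under discussion or from mod_ssl. The function names, the /tmp/keytmp- prefix and the sample data are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for mkstemp() and fdopen() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Create a temp file, unlink it at once and return a stdio stream on it.
 * name[] gets the already-removed path; the prefix is a constructed value. */
static FILE *open_unlinked_tmp(char *name, size_t name_len)
{
    char path[] = "/tmp/keytmp-XXXXXX";
    mode_t old = umask(077);          /* owner-only even on old libcs */
    int fd = mkstemp(path);           /* exclusive create, random suffix */
    FILE *fp;
    umask(old);
    if (fd < 0)
        return NULL;
    snprintf(name, name_len, "%s", path);
    if (unlink(path) != 0 || (fp = fdopen(fd, "w+")) == NULL) {
        close(fd);
        return NULL;
    }
    return fp;                        /* the open fd keeps the inode alive */
}

/* Write data via the FILE * API, rewind, read it back into out. Returns
 * bytes read or -1; *gone is 1 if the path is absent while still open. */
static long roundtrip_unlinked(const char *data, char *out, size_t out_len, int *gone)
{
    char name[64];
    struct stat st;
    size_t want = strlen(data), got;
    FILE *fp = open_unlinked_tmp(name, sizeof(name));
    if (fp == NULL)
        return -1;
    *gone = (stat(name, &st) != 0);
    if (fwrite(data, 1, want, fp) != want) { fclose(fp); return -1; }
    rewind(fp);
    got = fread(out, 1, out_len - 1, fp);
    out[got] = '\0';
    fclose(fp);                       /* last reference: blocks are freed */
    return (long)got;
}

int main(void)
{
    char buf[64];
    int gone = 0;
    return roundtrip_unlinked("constructed sample key\n", buf, sizeof(buf), &gone) < 0 || !gone;
}
```

The name is gone, but the contents stay reachable through the open descriptor (on Linux via /proc/<pid>/fd for the same user or root), and the freed blocks are not wiped when the stream is closed.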
Getting Certificate !
Hi everybody,

I want to know how to get a certificate. After install, I have a Snake oil default certificate, but I don't think it is really good. Possibly someone has tips for me. Thanks.

I need an SSL certificate for encrypted transactions. Please help me to have more info. Thanks!

UNIX is user friendly. It's just selective about who its friends are.