Re: modssl on NT
22-Jul-99 16:41 you wrote: > Hi, > I just want to ask whether we can secure apache web server on NT using > mod-ssl and openssl. Are the installations steps given fr win32 applicable > for NT also. If not can any one give me the outline of the steps or any > website from where i can follow the steps. :-))) Win32 is name of API used in Win9X and WinNT ... So, of course, steps for win32 must be applicable for WinNT as well. Just one subtle problem: Ralf does not have Win9X or WinNT (AFAIK) and thus all steps are not checked by him ... __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
[BugDB] open/146: consumes HUGE amounts of CPU after having served a request
I have the same problem on my solaris 2.5.1/apache 1.3.6/modssl 2.3.5/openssl 0.9.3a. any idea ? John PID USERNAME THR PRI NICE SIZE RES STATE TIMECPU COMMAND 19888 nobody 1 -150 3344K 2752K run20:17 97.78% httpd 20642 nobody 1 350 3200K 2416K sleep 0:00 1.32% httpd =>[1] _lseek(0x4400, 0x4400, 0x0, 0x0, 0x1, 0x1), at 0xef5b74fc [2] dbm_access(0x1c8960, 0x11, 0x1a, 0x30, 0x1f, 0x0), at 0xef5cf4ac [3] dbm_firsthash(0x1c8960, 0x11, 0x1c8988, 0x0, 0xefffecc8, 0x0), at 0xef5ceb54 [4] dbm_do_nextkey(0xc, 0x3c, 0x3c, 0x0, 0x1c8a4f, 0x11), at 0xef5cf2e4 [5] dbm_nextkey(0x1c8960, 0xef612f30, 0x0, 0x2, 0x0, 0xefffeddc), at 0xef5cecec [6] ssl_scache_dbm_expire(0x19d338, 0x37973457, 0x0, 0x0, 0x0, 0x0), at 0x45f60 [7] ssl_scache_expire(0x19d338, 0x37973457, 0x0, 0x7, 0x8001400, 0x0), at 0x451ec [8] ssl_scache_retrieve(0x19d338, 0x1c1a13, 0x20, 0x1aaf00, 0x9bc2c2a2, 0x0), at 0x44e84 [9] ssl_callback_GetSessionCacheEntry(0x1b2f00, 0x1c1a13, 0x20, 0xefffefc8, 0x3fcb8, 0xe014), at 0x3fd14 [10] ssl_get_prev_session(0x1b2f00, 0x1c1a13, 0x20, 0x0, 0x0, 0x1b9110), at 0xd5ea0 [11] 0xde428(0x5b, 0x1b2f00, 0x1c1a13, 0x20, 0x, 0xffae), at 0xde427 [12] ssl3_accept(0x1b2f00, 0x1b2f00, 0x2000, 0x3000, 0x2, 0x2190), at 0xddd40 [13] ssl23_get_client_hello(0x2000, 0x1b2f00, 0x0, 0x0, 0x0, 0x3), at 0xcfd00 [14] ssl23_accept(0x4000, 0x1b2f00, 0x2000, 0x2000, 0x1, 0x2210), at 0xcf420 [15] ssl_hook_NewConnection(0x1b6068, 0xef6fb6e4, 0x1, 0xe32c, 0x4, 0x1a2360), at 0x3bef8 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: [BugDB] Compiling mod_ssl.c problem (PR#212)
22-Jul-99 20:35 you wrote: > Full_Name: Marco Teunissen van Manen > Version: 2.3.6 > OS: Linux (Slackware 3.5) > Submission from: n16152.telekabel.nl (212.142.16.152) > After configuring and setting up mod_ssl for module use with apache 1.3.6, > I got a message stating that an error was detected on line 496 of > mod_ssl.h in the apache/src/modules/ssl directoy. > That line defines a struct/union member of type AP_MM. However, > since ap_mm.h was NOT included, the compiler did not know what to do. Something is screwed up :-(( Are you sure that EAPI patches are applied clearly ? > Solution to overcome this minor problem: > in the Apache section, add in the CORE PRIVATE the following line: > #include "ap_mm.h" > which will then automatically be used when compiling. Resides in > apache/src/include and defines the type AP_MM. > Unfortunately, afterwards a lot of linking failures occur: > modules/ssl/libssl.a(ssl_engine_config.o): In function > `ssl_cmd_SSLSessionCache': > ssl_engine_config.o(.text+0x157d): undefined reference to `ap_mm_useable' > ssl_engine_config.o(.text+0x165d): undefined reference to > `ap_mm_core_maxsegsize' > modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_malloc': > ssl_engine_scache.o(.text+0xd6c): undefined reference to `ap_mm_malloc' > modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_calloc': > ssl_engine_scache.o(.text+0xdac): undefined reference to `ap_mm_calloc' > modules/ssl/libssl.a(ssl_engine_scache.o): In function > `ssl_scache_shm_realloc':ssl_engine_scache.o(.text+0xdec): undefined reference > to `ap_mm_realloc' > modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_free': > ssl_engine_scache.o(.text+0xe28): undefined reference to `ap_mm_free' > modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_init': > ssl_engine_scache.o(.text+0xe84): undefined reference to `ap_mm_create' > ssl_engine_scache.o(.text+0xe97): undefined reference to `ap_mm_error' > ssl_engine_scache.o(.text+0xed7): undefined reference to `ap_mm_permission' > ssl_engine_scache.o(.text+0xee3): undefined reference to `ap_mm_available' > modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_kill': > ssl_engine_scache.o(.text+0xfe0): undefined reference to `ap_mm_destroy' > collect2: ld returned 1 exit status > make[2]: *** [target_static] Error 1 > make[2]: Leaving directory `/usr/src/apache_1.3.6/src' > make[1]: *** [build-std] Error 2 > make[1]: Leaving directory `/usr/src/apache_1.3.6' > make: *** [build] Error 2 Looks like ap_mm.c not included in your Apache... __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
[BugDB] open/146: consumes HUGE amounts of CPU after having served a request
I have the same problem on my solaris 2.5.1/apache 1.3.6/modssl 2.3.5/openssl 0.9.3a. any idea ? John PID USERNAME THR PRI NICE SIZE RES STATE TIMECPU COMMAND 19888 nobody 1 -150 3344K 2752K run20:17 97.78% httpd 20642 nobody 1 350 3200K 2416K sleep 0:00 1.32% httpd =>[1] _lseek(0x4400, 0x4400, 0x0, 0x0, 0x1, 0x1), at 0xef5b74fc [2] dbm_access(0x1c8960, 0x11, 0x1a, 0x30, 0x1f, 0x0), at 0xef5cf4ac [3] dbm_firsthash(0x1c8960, 0x11, 0x1c8988, 0x0, 0xefffecc8, 0x0), at 0xef5ceb54 [4] dbm_do_nextkey(0xc, 0x3c, 0x3c, 0x0, 0x1c8a4f, 0x11), at 0xef5cf2e4 [5] dbm_nextkey(0x1c8960, 0xef612f30, 0x0, 0x2, 0x0, 0xefffeddc), at 0xef5cecec [6] ssl_scache_dbm_expire(0x19d338, 0x37973457, 0x0, 0x0, 0x0, 0x0), at 0x45f60 [7] ssl_scache_expire(0x19d338, 0x37973457, 0x0, 0x7, 0x8001400, 0x0), at 0x451ec [8] ssl_scache_retrieve(0x19d338, 0x1c1a13, 0x20, 0x1aaf00, 0x9bc2c2a2, 0x0), at 0x44e84 [9] ssl_callback_GetSessionCacheEntry(0x1b2f00, 0x1c1a13, 0x20, 0xefffefc8, 0x3fcb8, 0xe014), at 0x3fd14 [10] ssl_get_prev_session(0x1b2f00, 0x1c1a13, 0x20, 0x0, 0x0, 0x1b9110), at 0xd5ea0 [11] 0xde428(0x5b, 0x1b2f00, 0x1c1a13, 0x20, 0x, 0xffae), at 0xde427 [12] ssl3_accept(0x1b2f00, 0x1b2f00, 0x2000, 0x3000, 0x2, 0x2190), at 0xddd40 [13] ssl23_get_client_hello(0x2000, 0x1b2f00, 0x0, 0x0, 0x0, 0x3), at 0xcfd00 [14] ssl23_accept(0x4000, 0x1b2f00, 0x2000, 0x2000, 0x1, 0x2210), at 0xcf420 [15] ssl_hook_NewConnection(0x1b6068, 0xef6fb6e4, 0x1, 0xe32c, 0x4, 0x1a2360), at 0x3bef8 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Can't negotiate compatible protocol
Jeffrey Burgoyne wrote: > On Wed, 21 Jul 1999, Leon Brooks wrote: > > Using Apache 1.3.6, Mod-SSL 2.3.5-1.3.6, OpenSSL 0.9.3a, PHP 3.0.10 all > > built from source under Linux kernel 2.2.9 (Mandrake 6.0 distro) I can > > browse through the resulting server using HTTP no problems, but HTTPS > > yields Netscape (4.61) complaining about not being able to negotiate > > compatibly, > Perhaps its negotiating Ciphers. I and several people have had this > problem and the error message is misleading. In my case the machine name I > had set up in the conf file was not the machine name, although it was a > valid DNS entry. On linux I especially noted that simply entering new > entries in the /etc/host file on a stand alone machine was not good at > all. Bingo! I was set up with domainname yyy.zzz and hostname xxx (and Apache's ServerName xxx.yyy.zzz) but setting hostname to xxx.yyy.zzz made it all fly. I used to be paranoid, but now I only worry that I'm not paranoid enough... (-: Thanks for the hint. -- "Oh Bentson, you are so mercifully free from the ravages of intellect." -- Evil, The Time Bandits __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: [BugDB] Portability problem (flex) (PR#214)
23-Jul-99 09:31 you wrote: > Full_Name: Laurent FAILLIE > Version: mod_ssl-2.3.6-1.3.6 > OS: HP-UX 10.20 > Submission from: gk-fr2.michelin.com (195.115.130.37) > When I try to compile mod_ssl-2.3.6-1.3.6 on my HP-UX 10.20 box, > the compilation fail because some files (like ssl_expr_yy) needs flex > to compile. > I wander if "configure" can't use "lexx" if flex isn't in the system. flex and lexx are different enough :-(( But you SHOULD not need flex at all ! Something is wrong with timestamps or your make... __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: SSL variables running APACHE on Windows NT 4.0
Hi Ralf,
it's me again. I don't understand the use of ap_hook_use and how it would
solve my problem. In my modules "URI to filename translation" phase I'd like
to call the ssl's module handler "ssl_hook_fixup" which is setting up all
SSL variables so the would be availbale to me immediately after the call to
ssl_hook_fixup returns. Is there a way to do that right now?
I read the documentation provided in ap_hook.c but I don't understand the
workings I also would appreciate a short explanation of how ap_hook_use
works. Must the hook specified in ap_hook_use be configured and registered
in mod_ssl before it can be used?
Thanks a lot for your help.
Arnold
-Original Message-
From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 22, 1999 2:17 AM
To: [EMAIL PROTECTED]
Subject: Re: SSL variables running APACHE on Windows NT 4.0
On Mon, Jul 19, 1999, Ruetzel, Arnold wrote:
> I wrote my own module which is loaded by Apache at startup time. This
module
> has to access the SSL variables in the "URI to filename translation"
phase,
> but the variables are not available at this phase. Does anybody know what
I
> have to do to make the SSL variables available to me in the "URI to
filename
> translation" phase ? Is there a way to make use of mod_ssl's API's to get
my
> hands on the SSL variables and how would that be done?
When you looked into mod_rewrite, you would have found:
#ifdef EAPI
ap_hook_use("ap::mod_rewrite::lookup_variable",
AP_HOOK_SIG3(ptr,ptr,ptr),
AP_HOOK_DECLINE(NULL),
&result, r, var);
#endif
A similar call in your module will give you the results.
> PS: A note for Ralf Engelschall: Do you have any plans to change mod_ssl
to
> make the SSL variables available right from the start, that is before the
> post_read_request or header_parser handlers are being called.
Hmmm... mod_ssl currently does it in the "correct/intended" phase. But
sure,
it shouldn't harm to provide them earlier. I've to admit that I currently
forgot what the reason was that have not done this already. I'll think about
this again
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
Re: SSL variables running APACHE on Windows NT 4.0
On Fri, Jul 23, 1999, Ruetzel, Arnold wrote: > it's me again. I don't understand the use of ap_hook_use and how it would > solve my problem. In my modules "URI to filename translation" phase I'd like > to call the ssl's module handler "ssl_hook_fixup" which is setting up all > SSL variables so the would be availbale to me immediately after the call to > ssl_hook_fixup returns. Is there a way to do that right now? > I read the documentation provided in ap_hook.c but I don't understand the > workings I also would appreciate a short explanation of how ap_hook_use > works. Must the hook specified in ap_hook_use be configured and registered > in mod_ssl before it can be used? The hooks _IS_ registered by mod_ssl, so you just have to use it with ap_hook_use. Try it out in your module the same way mod_rewrite does it. It internally calls the mod_ssl lookup function which is also used in the fixup handler. So you don't have to run the fixup handler manually. Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: [BugDB] Portability problem (flex) (PR#214)
23-Jul-99 09:31 you wrote: > Full_Name: Laurent FAILLIE > Version: mod_ssl-2.3.6-1.3.6 > OS: HP-UX 10.20 > Submission from: gk-fr2.michelin.com (195.115.130.37) > When I try to compile mod_ssl-2.3.6-1.3.6 on my HP-UX 10.20 box, > the compilation fail because some files (like ssl_expr_yy) needs flex > to compile. > I wander if "configure" can't use "lexx" if flex isn't in the system. flex and lexx are different enough :-(( But you SHOULD not need flex at all ! Something is wrong with timestamps or your make... __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: SSL variables running APACHE on Windows NT 4.0
23-Jul-99 09:03 you wrote:
> Hi Ralf,
> it's me again. I don't understand the use of ap_hook_use and how it would
> solve my problem. In my modules "URI to filename translation" phase I'd like
> to call the ssl's module handler "ssl_hook_fixup" which is setting up all
> SSL variables so the would be availbale to me immediately after the call to
> ssl_hook_fixup returns. Is there a way to do that right now?
No. Not easy, anyway...
> I read the documentation provided in ap_hook.c but I don't understand the
> workings I also would appreciate a short explanation of how ap_hook_use
> works. Must the hook specified in ap_hook_use be configured and registered
> in mod_ssl before it can be used?
No. You just call hook "ap::mod_rewrite::lookup_variable" to find out varible
value instead of standard Apache way. That's all. What's so problematic here ???
Why you are so inclined to setting up SSL variables ?
> Thanks a lot for your help.
> Arnold
> -Original Message-
> From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 22, 1999 2:17 AM
> To: [EMAIL PROTECTED]
> Subject: Re: SSL variables running APACHE on Windows NT 4.0
> On Mon, Jul 19, 1999, Ruetzel, Arnold wrote:
>> I wrote my own module which is loaded by Apache at startup time. This
> module
>> has to access the SSL variables in the "URI to filename translation"
> phase,
>> but the variables are not available at this phase. Does anybody know what
> I
>> have to do to make the SSL variables available to me in the "URI to
> filename
>> translation" phase ? Is there a way to make use of mod_ssl's API's to get
> my
>> hands on the SSL variables and how would that be done?
> When you looked into mod_rewrite, you would have found:
> #ifdef EAPI
> ap_hook_use("ap::mod_rewrite::lookup_variable",
> AP_HOOK_SIG3(ptr,ptr,ptr),
> AP_HOOK_DECLINE(NULL),
> &result, r, var);
> #endif
> A similar call in your module will give you the results.
>> PS: A note for Ralf Engelschall: Do you have any plans to change mod_ssl
> to
>> make the SSL variables available right from the start, that is before the
>> post_read_request or header_parser handlers are being called.
> Hmmm... mod_ssl currently does it in the "correct/intended" phase. But
> sure,
> it shouldn't harm to provide them earlier. I've to admit that I currently
> forgot what the reason was that have not done this already. I'll think about
> this again
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com
> __
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager[EMAIL PROTECTED]
> __
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager[EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
Probing Client-side certs in PHP
Hi All.
I need to do login authentication using information stored in a class 2
certificate. Basically the directory of the web site (apache) requires a
class 2 cert. The certs are Verisign Onsite certificates which have 3 custom
fields in them.
So what I need to do is probe the cert that is presented to the server using
PHP and take the uid from the cert and authenticate against a mysql database
and log the user on.
I've done this before using IIS and ASP *shudder* using source code that
looks like this :
<%
response.write(Request.ClientCertificate("SUBJECTO") & "")
response.write(Request.ClientCertificate("SUBJECTOU"))
%>
But nobody on the php lists seems to know anything about certs, nor the
people on the apache lists.
Help would be much appreciated.
Regards
Mike Bartlett
Executive Producer
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
Re: Probing Client-side certs in PHP
On Fri, Jul 23, 1999, Michael Bartlett wrote:
> I need to do login authentication using information stored in a class 2
> certificate. Basically the directory of the web site (apache) requires a
> class 2 cert. The certs are Verisign Onsite certificates which have 3 custom
> fields in them.
>
> So what I need to do is probe the cert that is presented to the server using
> PHP and take the uid from the cert and authenticate against a mysql database
> and log the user on.
>
> I've done this before using IIS and ASP *shudder* using source code that
> looks like this :
>
> <%
> response.write(Request.ClientCertificate("SUBJECTO") & "")
> response.write(Request.ClientCertificate("SUBJECTOU"))
> %>
>
> But nobody on the php lists seems to know anything about certs, nor the
> people on the apache lists.
These stuff is provided by mod_ssl in the SSL_CLIENT_CERT_XX environment
variables. See the mod_ssl documentation for details.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
RE: [patch] read crt/keys from DB file
Wilt, Paul wrote: > David: > > Is it possible for you to create an in-memory file on your OS? Seems like > that would allow you to use all the FILE * type methods without leaving a > snoopable file on the disk! Some Unix derivatives have some sort of > RAM-disk-like device drivers for doing just what you are looking for. > > Paul E Wilt > Principle Software Engineer The file I create on the disk is not really snoopable because it is unlinked after creation. Therefore, it has no attachment to the directory system and can't referenced with a filename. I like the idea of creating an in memory file and I've heard of that before, but it's not really needed. I'd be surprised if any of my temporary is actually written out to disk - it should all be in the buffer cache. - David Harris Principal Engineer, DRH Internet Services __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Getting Certificate !
Hi everybody, I want to know how to get certificate. After install, I have a Snake oil default certificate, but I don't think it really good. Possibly someone have tips for me. Thanks. I need SSL certificate to encrypted transaction. please help me to have more info. thanks ! * ** UNIX is user friendly. It's ** just selective about who ** its friends are. * __ Boîte aux lettres - Caramail - http://www.caramail.com
Re: Getting Certificate !
see www.verisign.com . -Original Message- From: [EMAIL PROTECTED] <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]> Date: Friday, July 23, 1999 2:02 PM Subject: Getting Certificate ! Hi everybody, I want to know how to get certificate. After install, I have a Snake oil default certificate, but I don't think it really good. Possibly someone have tips for me. Thanks. I need SSL certificate to encrypted transaction. please help me to have more info. thanks ! * ** UNIX is user friendly. It's ** just selective about who ** its friends are. * __ Boîte aux lettres - Caramail - http://www.caramail.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Can I use RSA algorithms in Canada for mod_ssl?
22-Jul-99 13:04 you wrote: > I've been searching for some source of information about this... > I would like to be able to use OpenSSL + mod_ssl + Apache in order to > produce a secure web server; for a variety of reasons it would be very > nice if I could have one httpd serving both http and https clients. > While I am willing to pay Covalent or C2Net a fee in order to obtain a > legitimate license-to-use the RSA algorithms, I am highly averse to > blindly linking object code into my production Apache server! > Is it possible to compile Apache + mod_ssl + OpenSSL entirely from > source *AND* still include the RC4, RC5, etc... ciphers? Of course. Legality is completely other story, though... > This might be obvious already from my questions, but I haven't tried to > compile OpenSSL or mod_ssl yet. I'm trying to figure out if there's any > point in doing so. > I am a citizen of Canada, the company is a Canadian corporation and the > server will physically reside in Canada. From what I can tell, the > RSAREF issue is US-specific, but ? > Any pointers or explanations appreciated. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
