Re: Success with FrontPage ?

1999-11-06 Thread jeffkoch

I could comment that although we were able to compile mod_frontpage with
mod_ssl, frontpage never worked properly and we considered it a failure.

Regards, Jeff Koch

On Sat, 6 Nov 1999, Martin Kuchar wrote:

 Hi,
 please, has anybody compiled Apache 1.3.9 with mod_ssl + mod_php3.12 +
 mod_perl + mod_frontpage 4 under RedHat 5.2 or 6.x?
 Can you please send me specs and comments?
 
 many thanx
 
 Martin Kuchar
 __
 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  [EMAIL PROTECTED]
 Automated List Manager[EMAIL PROTECTED]
 




ca and certs

1999-11-06 Thread hUnTeR

Dear list readers - 

Sorry to be such a pest, but does anyone have a ca.config that they
could share with me so i can see the correct syntax of this file. I
would greatly appreciate it.

Regards
-- 
Michael B. Weiner
Systems Administrator/Partner
The UserFriendly Network (UFN)



Re: CA and server certs

1999-11-06 Thread cfaber

Um.. sounds like you didn't sign it correctly.. Following instructions
using 'sign.sh' right?

hUnTeR wrote:
 
 Dear list readers -
 
 I have followed the instructions for generating my own CA and server
 certificate, and signed the server.csr creating the server.crt and put
 both the server.crt and server.key in /etc/httpd/conf/ and checked the
 httpd.conf.ssl file to make sure the server was pointing to these files
 in the correct location. And stopped and restarted the webserver. Now
 when i go to connect to it via an https request i get the following
 error:
 
 "The server's certificate has an invalid signature. You will not be able
 to connect to this site securely."
 
 I compared the pub and priv keys using the commands from the FAQ and have
 verified, i believe, that they do indeed match.
 
 Any ideas on how to correct this problem?
 
 Any help/advice would be GREATLY appreciated.
 --
 Michael B. Weiner
 Systems Administrator/Partner
 The UserFriendly Network (UFN)

-- 
Colin Faber
Perl programmer, Systems administration
fpsn.net, Inc.
[EMAIL PROTECTED]

www.fpsn.net



Re: CA and certs

1999-11-06 Thread cfaber

your CA information has to be different from the information listed in
the key you wish to sign. Try that and it should work.

hUnTeR wrote:
 
 Dear list readers:
 
 I found what i believe to be the problem that i am having. When i go to
 sign the server.csr, i get the following error after committing:
 
 error 7 at 0 depth lookup:certificate signature failure
 
 And that is why i am getting the signature error in apache trying to
 connect to the https.
 
 Any ideas?
 --
 Michael B. Weiner
 Systems Administrator/Partner
 The UserFriendly Network (UFN)

-- 
Colin Faber
Perl programmer, Systems administration
fpsn.net, Inc.
[EMAIL PROTECTED]

www.fpsn.net



Re: ANNOUNCE: mod_ssl 2.4.8 (Important Bugfix)

1999-11-06 Thread Yan Zhang Chen

I assume that there is no change in the EAPI part, or is there?
(I'm asking this question because we previously patched apache.1.3.9 with 
the EAPI from mod_ssl 2.4.5)
Thanks,
--Yan

On Fri, 5 Nov 1999, Ralf S. Engelschall wrote:

 
 Because of the availability of a very important bugfix, I immediately release
 mod_ssl 2.4.8 with it. This version especially should solve any observed
 segfaults which have not even gone away by using `SSLSessionCache none' (because
 they were not related to DBM libraries and other session cache problematic
 things). See below for details. So, if you received segfaults in the past,
 you're now strongly encouraged to upgrade to this version (because the chance
 is very high that your situation applies to the three conditions listed
 below).
 
 Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
 
   Changes with mod_ssl 2.4.8 (02-Nov-1999 to 05-Nov-1999)
 
*) ** IMPORTANT BUGFIX **
   If (and only if)...
  1. a server restart at least once happened
  2. a HTTPS request occurs from a 40-bit/export browser
  3. the underlying Unix flavor doesn't map DSOs always
 to the same memory address on each restart
   ...then a segfault was very likely to occur for usually
   all previous mod_ssl versions.
   
   The reason was that mod_ssl's temporary RSA keys and DH parameters
   were stored in the persistent memory pool directly as OpenSSL's
   RSA and DH structures. But although these structures successfully
   survived restarts, the contained pointers, which were placed there
   by OpenSSL and which were referencing _static_ parts of OpenSSL,
   pointed to Nirvana after restarts. So on the next need for RSA
   temporary keys or DH parameters (usually caused by 40bit clients)
   the OpenSSL library internally segfaulted while processing these
   structures.
 
   This was a very long-standing bug and is now fixed by storing the
   RSA keys and DH parameters as raw (and this way safe) DER-encoded
   ASN.1 data streams (and not structures) in the persistent memory
   pool.
 
*) Added an FAQ entry about Verisign GIDs and the intermediate CA
   certificate which is required to fill the gap in the server certificate
   chain or browsers will complain.
 
*) The configure.bat for Win32 now tries to complain if patches were
   rejected while they are applied to the Apache source tree.
 
*) Updated ANNOUNCE and README documents.
 



RE: Success with FrontPage ?

1999-11-06 Thread David Harris


Behalf Of R. DuFresne wrote:
 Of course, if you are going to do this you have put the server up on a
 sacrificial box on a dmz, as the frontpage extensions are a nasty piece of
 work, yes?

Don't bother with the MS mod_frontpage because it's (a) not really secure and
(b) is a gross hack that patches a core data structure and the cgi modules in
addition to adding a new module.

If you scrap Microsoft's stupid little setuid hack and write your own mechanism
to run the frontpage cgi executables as the user who owns the web files, then
things can be done securely. I've written my own mod_frontpage and mechanism,
and some other guy out there has written his own too:

ftp://ftp.vr.net/pub/apache/mod_frontpage/

I've not used his module, but I've looked at it and it seems just dandy.

 - David Harris
   Principal Engineer, DRH Internet Services





Re: CA and certs

1999-11-06 Thread hUnTeR

[EMAIL PROTECTED] wrote:
 
 your CA information has to be different from the information listed in
 the key you wish to sign. Try that and it should work.
 
 --
 Colin Faber
 Perl programmer, Systems administration
 fpsn.net, Inc.
 [EMAIL PROTECTED]
 
 www.fpsn.net

Colin - 

Here is the procedure i followed:

1) /usr/share/ssl/mod_ssl/ openssl genrsa -des3 -out ca.key 1024
1112 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.+
.+
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:


2) /usr/share/ssl/mod_ssl/ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /usr/local/openssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Lakewood
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The UserFriendly Network
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, YOUR name) []:UFN CA
Email Address []:[EMAIL PROTECTED]


3) /usr/share/ssl/mod_ssl/ openssl genrsa -des3 -out server.key 1024
1112 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...+
..+
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

4) /usr/share/ssl/mod_ssl/ openssl req -new -key server.key -out server.csr
Using configuration from /usr/local/openssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Ohio
Locality Name (eg, city) []:Lakewood
Organization Name (eg, company) [Internet Widgits Pty Ltd]:The UserFriendly Network
Organizational Unit Name (eg, section) []:Web Development Unit
Common Name (eg, YOUR name) []:www.userfriendly.net
Email Address []:[EMAIL PROTECTED]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

5) /usr/share/ssl/mod_ssl/ ./sign.sh server.csr
CA signing: server.csr - server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName   :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Ohio'
localityName  :PRINTABLE:'Lakewood'
organizationName  :PRINTABLE:'The UserFriendly Network'
organizationalUnitName:PRINTABLE:'Web Development Unit'
commonName:PRINTABLE:'www.userfriendly.net'
emailAddress  :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Nov  6 02:06:59 2000 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt - CA cert
server.crt: OK


6) /usr/share/ssl/mod_ssl/ openssl rsa -in server.key.org -out server.key
read RSA private key
Enter PEM pass phrase:
writing RSA private key


7) █▓▒░root@niteowl░▒▓██▓▒░  Sat Nov  6 09:07:35pm
/usr/share/ssl/mod_ssl/ chmod 400 server.key
█▓▒░root@niteowl░▒▓██▓▒░  Sat Nov  6 09:07:43pm
/usr/share/ssl/mod_ssl/ cp server.crt /etc/httpd/conf/
cp: overwrite `/etc/httpd/conf/server.crt'? y
█▓▒░root@niteowl░▒▓██▓▒░  Sat Nov  6 09:07:54pm
/usr/share/ssl/mod_ssl/ cp server.key /etc/httpd/conf/
cp: overwrite `/etc/httpd/conf/server.key'? y
█▓▒░root@niteowl░▒▓██▓▒░  Sat Nov  6 09:07:59pm
/usr/share/ssl/mod_ssl/ /etc/rc.d/init.d/httpd restart


I restarted the webserver and STILL get the annoying message about the
signature:

"The server's certificate has an invalid signature. You will not be able
to connect to this site securely."

Now, i took your advice as evidenced above, and still got the same
result. Any ideas?

Regards
-- 
Michael B. Weiner
Systems Administrator/Partner
The UserFriendly Network (UFN)
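
The two checks this thread keeps returning to, chain verification and key/certificate match, reproduced non-interactively as an added example (not part of any poster's message or of mod_ssl). `openssl x509 -req` stands in for `sign.sh`, and every subject, file name and helper function is constructed for illustration; it also shows that a certificate no longer verifies against a CA that was regenerated with the same DN but a new key.

```shell
#!/bin/sh
# Added example. All subjects, file names and directories are constructed.

# write_cfg FILE: minimal config so `openssl req` needs no system openssl.cnf.
write_cfg() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
}

# make_ca DIR NAME SUBJECT: unencrypted RSA key plus self-signed CA certificate.
# 2048 bits instead of the thread's 1024, which current builds may reject.
make_ca() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -config "$1/req.cnf" \
        -key "$1/$2.key" -subj "$3" -out "$1/$2.crt"
}

# make_server DIR CA_NAME SUBJECT: server key, CSR, and certificate signed by
# CA_NAME. `openssl x509 -req` stands in for mod_ssl's sign.sh (assumption).
make_server() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -config "$1/req.cnf" -key "$1/server.key" \
        -subj "$3" -out "$1/server.csr" &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -set_serial 01 -days 365 -out "$1/server.crt" 2>/dev/null
}

# chains_to CA_CRT CRT: succeeds only if CRT verifies under CA_CRT.
chains_to() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || return 1
    printf '%s\n' "$out" | grep -q ': OK$'
}

# key_matches CRT KEY: succeeds only if both carry the same RSA modulus.
key_matches() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# build_demo DIR: the signing CA, a regenerated CA that reuses the same DN
# with a new key, and one server certificate signed by the first CA.
build_demo() {
    ca_dn="/C=US/O=Example Org/OU=Certificate Authority/CN=Example CA"
    write_cfg "$1/req.cnf" &&
    make_ca "$1" ca "$ca_dn" &&
    make_ca "$1" ca_regen "$ca_dn" &&
    make_server "$1" ca "/C=US/O=Example Org/OU=Web/CN=www.example.test"
}

# Run as `sh script.sh --demo` to print the four results.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d) && build_demo "$d" || exit 1
    chains_to "$d/ca.crt" "$d/server.crt" && echo "signing CA: verifies"
    chains_to "$d/ca_regen.crt" "$d/server.crt" || echo "regenerated CA: rejected"
    key_matches "$d/server.crt" "$d/server.key" && echo "server.key: matches"
    key_matches "$d/server.crt" "$d/ca.key" || echo "ca.key: does not match"
    rm -rf "$d"
fi
```

Running `chains_to` against the CA certificate a client actually trusts, and `key_matches` against the files the web server is configured to load, separates a stale CA certificate from a mismatched server key.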

RE: Success with FrontPage ?

1999-11-06 Thread R. DuFresne


has either been audited over for buffer overflows and the like?

thanks,

Ron DuFresne

On Sat, 6 Nov 1999, David Harris wrote:

 
 Behalf Of R. DuFresne wrote:
  Of course, if you are going to do this you have put the server up on a
  sacrificial box on a dmz, as the frontpage extensions are a nasty piece of
  work, yes?
 
 Don't bother with the MS mod_frontpage because it's (a) not really secure and
 (b) is a gross hack that patches a core data structure and the cgi modules in
 addition to adding a new module.
 
 If you scrap Microsoft's stupid little setuid hack and write your own mechanism
 to run the frontpage cgi executables as the user who owns the web files, then
 things can be done securely. I've written my own mod_frontpage and mechanism,
 and some other guy out there has written his own too:
 
 ftp://ftp.vr.net/pub/apache/mod_frontpage/
 
 I've not used his module, but I've looked at it and it seems just dandy.
 
  - David Harris
Principal Engineer, DRH Internet Services
 
 
 

-- 
~~
admin  senior consultant:  darkstar.sysinfo.com
  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!




Re: CA and certs

1999-11-06 Thread Dom Gallagher

 Country Name (2 letter code) [AU]:US
 State or Province Name (full name) [Some-State]:Ohio
 Locality Name (eg, city) []:Lakewood
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:The UserFriendly Network
 Organizational Unit Name (eg, section) []:Certificate Authority
 Common Name (eg, YOUR name) []:UFN CA

Nope, needs to be something like secure.userfriendly.net. It's the machine
name, not anything else that might be hinted at by calling it Common Name.

 Email Address []:[EMAIL PROTECTED]
 
 
 3) /usr/share/ssl/mod_ssl/ openssl genrsa -des3 -out server.key 1024
 1112 semi-random bytes loaded
 Generating RSA private key, 1024 bit long modulus
 ...+
 ..+
 e is 65537 (0x10001)
 Enter PEM pass phrase:
 Verifying password - Enter PEM pass phrase:
 
 4) /usr/share/ssl/mod_ssl/ openssl req -new -key server.key -out server.csr
 Using configuration from /usr/local/openssl/openssl.cnf
 Enter PEM pass phrase:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a
 DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -
 Country Name (2 letter code) [AU]:US
 State or Province Name (full name) [Some-State]:Ohio
 Locality Name (eg, city) []:Lakewood
 Organization Name (eg, company) [Internet Widgits Pty Ltd]:The UserFriendly Network
 Organizational Unit Name (eg, section) []:Web Development Unit
 Common Name (eg, YOUR name) []:www.userfriendly.net
 Email Address []:[EMAIL PROTECTED]
 
 Please enter the following 'extra' attributes
 to be sent with your certificate request
 A challenge password []:
 An optional company name []:
 
 5) /usr/share/ssl/mod_ssl/ ./sign.sh server.csr
 CA signing: server.csr - server.crt:
 Using configuration from ca.config
 Enter PEM pass phrase:
 Check that the request matches the signature
 Signature ok
 The Subjects Distinguished Name is as follows
 countryName   :PRINTABLE:'US'
 stateOrProvinceName   :PRINTABLE:'Ohio'
 localityName  :PRINTABLE:'Lakewood'
 organizationName  :PRINTABLE:'The UserFriendly Network'
 organizationalUnitName:PRINTABLE:'Web Development Unit'
 commonName:PRINTABLE:'www.userfriendly.net'
 emailAddress  :IA5STRING:'[EMAIL PROTECTED]'
 Certificate is to be certified until Nov  6 02:06:59 2000 GMT (365 days)
 Sign the certificate? [y/n]:y
 
 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated
 CA verifying: server.crt - CA cert
 server.crt: OK
 
 
 6) /usr/share/ssl/mod_ssl/ openssl rsa -in server.key.org -out server.key
 read RSA private key
 Enter PEM pass phrase:
 writing RSA private key
 
 
 7) █▓▒░root@niteowl░▒▓██▓▒░  Sat Nov  6 09:07:35pm
 /usr/share/ssl/mod_ssl/ chmod 400 server.key
 █▓▒░root@niteowl░▒▓██▓▒░  Sat Nov  6 09:07:43pm
 /usr/share/ssl/mod_ssl/ cp server.crt /etc/httpd/conf/
 cp: overwrite `/etc/httpd/conf/server.crt'? y
 █▓▒░root@niteowl░▒▓██▓▒░  Sat Nov  6 09:07:54pm
 /usr/share/ssl/mod_ssl/ cp server.key /etc/httpd/conf/
 cp: overwrite `/etc/httpd/conf/server.key'? y
 █▓▒░root@niteowl░▒▓██▓▒░  Sat Nov  6 09:07:59pm
 /usr/share/ssl/mod_ssl/ /etc/rc.d/init.d/httpd restart
 
 
 I restarted the webserver and STILL get the annoying message about the
 signature:
 
 "The server's certificate has an invalid signature. You will not be able
 to connect to this site securely."
 
 Now, i took your advice as evidenced above, and still got the same
 result. Any ideas?
 
 Regards
 -- 
 Michael B. Weiner
 Systems Administrator/Partner
 The UserFriendly Network (UFN)
 

Dom Gallagher ([EMAIL PROTECTED])
Systems Administrator
Stayfree Internet




Re: ANNOUNCE: mod_ssl 2.4.8 (Important Bugfix)

1999-11-06 Thread Pete Navarra

Hey Aaron,

I run the exact same setup as you with the exception of one thing, and
am having no problems whatsoever.

I run:
Apache 1.3.9
OpenSSL 0.9.4
mod_ssl 2.4.8
-- Linux 2.2.7 on a PII

You might try upgrading your kernel, then again, I might be wrong, but
it's worth a shot.  Anyone else have any ideas?

Pete


Aaron Turner wrote:
 
 I'm having a lot of problems getting apache to run with the -DSSL flag.
 Runs great without, but it bombs every time when ssl is enabled.
 
 Linux 2.0.36 (RH 5.2) on PII
 Apache 1.3.9
 OpenSSL 0.9.4
 mod_ssl 2.4.8
 (nothing else)
 
 Last bit of strace:
 
 time(NULL)  = 941856228
 getpid()= 1133
 write(16, "[05/Nov/1999 18:43:48 01133] [in"..., 95) = 95
 brk(0x8192000)  = 0x8192000
 open("/home/https/conf/mime.types", O_RDONLY) = 3
 fstat(3, {st_mode=0, st_size=0, ...})   = 0
 fstat(3, {st_mode=0, st_size=0, ...})   = 0
 mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2956b000
 read(3, "# This is a comment. I love comm"..., 4096) = 4096
 read(3, "application/vnd.powerbuilder6\na"..., 4096) = 3258
 brk(0x8195000)  = 0x8195000
 read(3, "", 4096)   = 0
 close(3)= 0
 munmap(0x2956b000, 4096)= 0
 open("/home/https/logs/access_log", O_WRONLY|O_APPEND|O_CREAT, 0644) = 3
 fcntl(3, F_DUPFD, 15)   = 17
 close(3)= 0
 open("/home/https/logs/access_log", O_WRONLY|O_APPEND|O_CREAT, 0644) = 3
 fcntl(3, F_DUPFD, 15)   = 18
 close(3)= 0
 open("/home/https/logs/ssl_request_log", O_WRONLY|O_APPEND|O_CREAT, 0644) = 3
 fcntl(3, F_DUPFD, 15)   = 19
 close(3)= 0
 chdir("/")  = 0
 fork()  = 1134
 --- SIGCHLD (Child exited) ---
 munmap(0x29561000, 4096)= 0
 _exit(0)= ?
 
 The error_log says it can't bind to the port, but w/o ssl support it will
 bind to port 81/443 just fine.
 
 Compiled like:
 
 cd /usr/local/src/https/openssl
 ./config
 make
 make test
 make install
 
 cd /usr/local/src/https/apache
 make clean ; ./configure --prefix=/home/https --exec-prefix=/usr/local/https
 
 cd /usr/local/src/https/mod_ssl
 sudo ./configure --with-apache=../apache \
   --with-prefix=/home/https \
   --with-crt=/home/https/server.crt \
   --with-key=/home/https/server.key
 
 cd /usr/local/src/https/apache
 export SSL_BASE=../openssl
 sudo ./configure  --prefix=/home/https \
   --exec-prefix=/usr/local/https \
   --enable-module=ssl \
   --runtimedir=/home/https/run
 sudo make
 sudo make install
 su -
 /usr/local/https/bin/httpd -DSSL
 
 *boom*
 
 Thanks...
 
 --
 Aaron Turner, Core Developer   http://vodka.linuxkb.org/~aturner/
 Linux Knowledge Base Organization  http://linuxkb.org/
 Because world domination requires quality open documentation.
 
 On Fri, 5 Nov 1999, Ralf S. Engelschall wrote:
 
 
  Because of the availability of a very important bugfix, I immediately release
  mod_ssl 2.4.8 with it. This version especially should solve any observed
  segfaults which have not even gone away by using `SSLSessionCache none' (because
  they were not related to DBM libraries and other session cache problematic
  things). See below for details. So, if you received segfaults in the past,
  you're now strongly encouraged to upgrade to this version (because the chance
  is very high that your situation applies to the three conditions listed
  below).
 



Re: ca and certs

1999-11-06 Thread Lutz Jaenicke

On Sat, Nov 06, 1999 at 03:58:36PM -0500, hUnTeR wrote:
 Dear list readers - 
 
 Sorry to be such a pest, but does anyone have a ca.config that they
 could share with me so i can see the correct syntax of this file. I
 would greatly appreciate it.

Michael, I won't comment on the pest aspect.
Please make sure that you really understand what you are doing and that
you did check all resources to find the problem yourself.
I am definitely missing the logfile entries for the apache startup and
for your connection attempts. Maybe they already include the hint you are
looking for.
Another approach is to take the openssl CA.pl tool for generating
the certs, it will hide some part of the process for you.
Please consider reading
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/doc/myownca.html
as description of this way (which is just hiding the full process by
wrapping it with a, hmm, comfortable script).

Regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153