Re: Compiling apache+mod_ssl+php3 in UK/Europe
I found the same problems here in AU.. If you're working off the INSTALL file in mod_ssl, you will probably find that a final command in the installing of openssl is missing.. I installed openssl from its own instructions, and the last line is 'make install'.. This did not appear in the previous mod_ssl/apache docs, but everything then compiled fine..

Best wishes,
Jeff Kerr

PS: You can get paid for the time you spend online, whether surfing, chatting, gaming or whatever. Drop over to http://www.desktopdollars.com/default.asp?[EMAIL PROTECTED]

----- Original Message -----
From: Andy Hughes <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 07, 2000 2:22 AM
Subject: Compiling apache+mod_ssl+php3 in UK/Europe

> Hello all,
> I've been trying without success to build an apache server that incorporates
> both mod_ssl and php.
> I am getting stuck and repeatedly trip up on detail - if anyone has built
> this within the UK, with all the UK-specific settings I would greatly
> appreciate any guidance!
>
> make[4]: *** [mod_ssl.lo] Error 1
> make[3]: *** [all] Error 1
> make[2]: *** [subdirs] Error 1
> make[2]: Leaving directory `/usr/src/apache_1.3.12/src'
> make[1]: *** [build-std] Error 2
> make[1]: Leaving directory `/usr/src/apache_1.3.12'
> make: *** [build] Error 2
>

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Installing as Root into NS and MSIE
Cliff,

thanks for your explanation.

> A com control is just a runtime object.
> IE knows how to run them, so basically they are saying,
> that they will give you a little program object that you
> can use to install your own root CA. This means you can install it
> on all your intranet IE's for internal use.

Let me get this straight: MS would give me a small program/com control that would have all our CA details (certificate, etc) included. We would then give this com control to all those users who want to work with our certificates and ask them to run it on their computers. Am I right?

> This means that other users can also install your root CA if they
> choose to. M$ did not answer the question regarding how much
> it would cost to include your root CA in all of the browsers they
> publish.

They didn't.

Cheers,
Stefan.

__
Stefan Kelm
PGP key: "finger [EMAIL PROTECTED]" or via key server
DFN-PCA <[EMAIL PROTECTED]>
Vogt-Koelln-Str. 30
http://www.pca.dfn.de/~kelm/
22527 Hamburg (Germany)
Tel: +49 40 428 83-2262 / Fax: -2241
RE: Compiling apache+mod_ssl+php3 in UK/Europe ... RedHat 6.1?
>hello ...
>
>The whole thing ... apache 1.3.12, the newest mod_ssl, newest
>mod_perl and php compiled nicely for me in Red
>Hat 5.2. The only bug I had was the php/database support ...
>but this list is not about that :-))
>
>Question: should all this compile out of the box on a Red Hat
>6.1 box as well, like on my Red Hat 5.2 box? I
>really hope so ... I dread using the rpm's.

If you go to http://www.modssl.org/contrib/ you'll find RPM (source and binaries) for apache-1.3.12 + mod_ssl 2.6.2. Also you could find RPM for mod_jserv and so on.

These RPM are built for Redhat 6.x but you can rebuild the source RPM on your old Redhat 5.2 boxes. RH 5.2 complains about GLIBC 2.1 dependencies since it is GLIBC 2.0 based.

Regards
Re: Certificate questions...
Karl,

> However, the concept that a PERSON needs to pay upwards of $100 to get a key
> by which they can have a SSL connection work from a web server is insane.

It is not! It's a business model and if you're not prepared to pay those commercial CAs - don't.

> Why are there no public CAs - much like the public keyrings for PGP?

But there are: http://www.pca.dfn.de/dfnpca/pki-links.html#CA

> Why does Nutscrape and Microslug only ship with COMMERCIAL, and EXPENSIVE,
> CAs loaded?

Because non-commercial CAs simply can't afford to buy themselves into the products. It's as simple as that. We've tried and we failed.

Cheers,
Stefan.

PS: This really isn't relevant to mod-ssl.

__
Stefan Kelm
PGP key: "finger [EMAIL PROTECTED]" or via key server
DFN-PCA <[EMAIL PROTECTED]>
Vogt-Koelln-Str. 30
http://www.pca.dfn.de/~kelm/
22527 Hamburg (Germany)
Tel: +49 40 428 83-2262 / Fax: -2241
RE: Certificate questions...
Karl Denninger wrote:
> However, the concept that a PERSON needs to pay upwards of
> $100 to get a key
> by which they can have a SSL connection work from a web
> server is insane.

If you look at the simple operation of signing a server certificate, then sure, that does seem a bit expensive, BUT that's not all you get. If it was, then you should just use one of the certificates that mod_ssl lets you generate during installation. Setting up a CA to issue certificates is technically rather easy - getting the legal stuff and all the procedures in place is quite a lot more complicated (trust me - I've been in that business for a while).

>
> Why are there no public CAs - much like the public keyrings for PGP?
>

Because it wouldn't make any sense - if you don't want liability, authenticity checks and lots of other legal stuff, then you might as well forget about using certificates at all - all you'd have was the encryption.

> Why does Nutscrape and Microslug only ship with COMMERCIAL,
> and EXPENSIVE,
> CAs loaded?

You can only guess... I've heard someone saying that Netscape wanted more than $100K to put their root cert in the browser - which I suppose would be a possible explanation. You might also ask yourself why those two browsers only support RSA patented algorithms...

vh

Mads Toftum, QDPH
---
The brain is a wonderful organ; it starts working the moment you get up in the morning, and does not stop until you get to work.
RE: Compiling apache+mod_ssl+php3 in UK/Europe ... RedHat 6.1?
Hi Tim,

thanks for the feedback ... it's been pretty quiet so far!

> The whole thing ... apache 1.3.12, the newest mod_ssl, newest mod_perl
> and php compiled nicely for me in Red Hat 5.2.
> ...
> Question: should all this compile out of the box on a Red Hat 6.1 box
> as well, like on my Red Hat 5.2 box?
> I really hope so ... I dread using the rpm's.

I would guess so, my problem (I think) is that I need to tell the make for Apache not to include idea (or allow it to compile in and hope it doesn't use it or build it in if that is legal or ... etc etc etc you get the idea (sic)).

I am sure that I could build an "out of the box" Apache if I accepted all the defaults the trouble here is that I can't use the defaults (

Hence my request for experiences from successful builders of apache+ssl+php under Red Hat 6.x in the UK or Europe (come on guys and gals, *someone* must have successfully done this!!!).

Although I am comfortable with Apache, Red Hat and PHP I know *VERY* little about ssl and security (beyond basic concepts anyway) and this is my first crack at building a secure server using source tarballs and so far it has been pretty traumatic.

Any useful references would also be appreciated.

Thanks again,
cheers,
Andy.
Re: Compiling apache+mod_ssl+php3 in UK/Europe
On Tue, Mar 07, 2000, Jeff Kerr wrote:

> I found the same problems here in AU.. If you're working off the INSTALL file
> in mod_ssl, you will probably find that a final command in the installing of
> openssl is missing.. I installed openssl from its own instructions, and
> the last line is 'make install'.. This did not appear in the previous
> mod_ssl/apache docs, but everything then compiled fine..

Errr.. no, there is no command missing in the INSTALL document, believe me. That there is no "make install" at the OpenSSL steps is intentional, because OpenSSL is not required to be installed in order to link mod_ssl against it. One can do the "make install", of course. But then you also have to configure mod_ssl differently (--with-ssl=DIR has to point to DIR=$prefix instead of the source tree). So, the INSTALL document is complete and correct, but I guess the user seems to have used --with-ssl= instead of --with-ssl=.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
[BugDB] mod_ssl/2.6.2 (PR#348)
Full_Name:
Version:
OS: linux mips
Submission from: (NULL) (165.228.129.12)

i believe there is a problem with ie4-5
works fine with netscape
you get timeouts and errors which are not logged
it also gives protocol errors to msie but nothing to logs
Re: Certificate questions...
Karl Denninger <[EMAIL PROTECTED]> writes:
> On Tue, Mar 07, 2000 at 12:23:33AM +0100, Jan Meijer wrote:
> > Hi Karl,
> >
> > Whilst taking the risk to look like someone from Microshot, Netscape or the
> > others some comment on your pleads for clarity.
> >
> > > There are two separate things that secure web servers do.
> > >
> > > 1. Authenticate who you're talking to, so that when you engage in
> > > commerce you have some indication that the merchant you think you're
> > > dealing with is really who you're dealing with.
> > >
> > > 2. Encrypt the data so that it cannot be intercepted between the
> > > sending and receiving machines.
> >
> > True. Crypto allows for two other quite basic functions: non-repudiation
> > and integrity. You only mentioned authenticity and confidentiality.
>
> Well, confidentiality implies integrity, in that a tampered data stream
> won't decode. Public key crypto with a known certification on the public
> key provides non-repudiation (assuming the private key has not been
> compromised)

This is absolutely not true.

Consider a data stream enciphered with RC4. It's perfectly easy to undetectably flip any plaintext bit by flipping the corresponding ciphertext bit. If you know the plaintext, you can modify it predictably.

> The "man in the middle" risk is a red herring. As long as the CA vouches
> for the key exchange it's "cool", and you'd only detect the man in the middle
> attack if you actually LOOKED at each certificate for each page served.
>
> How many people click on the padlock and LOOK at each page's certificate?
> Without a warning nobody checks - and as such the risk is still there.

This is incorrect. The browser has automatic checks that the certificate matches the server's domain name. These checks aren't perfect, but they're not useless either.

If these checks didn't exist then it would be necessary to check every certificate manually. That would be bad.

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
PureTLS - free SSLv3/TLS software for Java
http://www.rtfm.com/puretls/
RE: Compiling apache+mod_ssl+php3 in UK/Europe - *SUCCESS*
Hi Jeff,

> I found the same problems here in AU..
> If you're working off the INSTALL file in mod_ssl,
> you will probably find that a final command in the installing
> of openssl is missing..
> I installed openssl from its own instructions, and
> the last line is 'make install'..
> This did not appear in the previous
> mod_ssl/apache docs, but everything then compiled fine..

Thanks for that, I did try that but it didn't work for me - it was that attempt that generated the idea error in my original post.

However I managed to get everything compiled and working (works OK under http and https with dodgy test certificate and also recognises PHP - have not tried MySQL yet though).

I didn't (AFAIK) do anything different/special this time, just wiped everything away as before and reinstalled. I *didn't* use the "make install" option this time, just pointed at the source, rather than the installed, directory hierarchies.

If it would be useful for me to post my installation dialogue I will - I took notes this time ...

Many thanks to those who replied and offered their assistance, especially Henri, your time and effort is appreciated.

Thanks,
Andy.
Re: Certificate questions...
At 12:23 AM 3/7/00 +0100, you wrote:
> > Yet, in today's world, you cannot have one without the other, which means
> > that to get EITHER you must pay someone.
>
>The pay part is untrue. If you really don't care about authenticity but
>only are interested in confidentiality of your datastream (if you cannot
>verify the authenticity of the entities on either side of your datastream I
>think you're quite vulnerable for losing your confidentiality, but that's
>your choice) you can just generate your own certificate.

And this is what we've done - we don't need to verify that the person on the far end of the connection really is Bob. As long as the stream is strongly encrypted, we are safe from casual sniffing of packets. You still need to access the protected portion of the site via a valid username/password, and that is where the authentication may enter into play (to strengthen the logon portion). In that case, we'd need to generate individual certificates for each user, and truck them around wherever we go. Too much hassle for what we need, which is just basic protection from kiddies with sniffers.

If you're running an Ecommerce site, then issuing individual certificates is wholly impractical. In that case, all we really want is encryption. It would be nice to have a cert signed by Verisign, but we (our corporate entity) trust ourselves, and that is good enough for us. I'm sure customers are more concerned with having their data encrypted moreso than worrying whether the session is being hijacked, which I believe is quite difficult to accomplish if the session (which is typically short) uses strong encryption. Our customers trust us as a corporate entity, so I fail to see why us issuing our own certificate is any more or less "secure" than us paying $$ to another company to do the same thing.

> > Contrast this with PGP for email, in which I can publish a public key and
> > once you obtain it you're able to receive an encrypted communication from
> > me and decode the traffic. My generation of that key pair does not require
> > that it be "certified" by any third party.
>
>I hope you made some typo here. You do not use the thing conceptually
>referred to as "public key" to decode encrypted traffic/messages. That's
>what the private thingie is for. The public part is for signature
>verification (ie verifying the private part has been used to encrypt a piece
>of data).
>
>Problem with your PGP schema is that I can publish my public key on the
>keyserver (lets say the keys.pgpi.net which I trust a lot ;), you can get it
>there and use it to crypt data for me. Essential problem here: how do you
>know that the key you're using is mine and not from someone claiming to be
>me (by entering *my* emailaddress and name during key generation)? Using
>signatures --> signature=certificate.

In this case - who cares? You'll receive a message composed and encrypted using the fake public key, but will be unable to decrypt it. If you compose a message, a recipient using the fake key will not be able to decrypt it. The worst that happens, as I see it, is an annoyance caused to both parties.

> What is true is
>that those stupid browser applications refuse to see key generation and the
>*possible* certification as different steps. With openssl of course this is
>possible.
>I agree the key generation and the certification process *should* be
>separated, also in browsers. It is *not* possible for me to make a copy of
>my oh so valuable private browser key *before* I receive my certificate
>(which can be up to five days according to our certification practise
>statement) which bothers me very much. I can not revoke the certificate and
>just use the same key again.

I'm not understanding what you are discussing here. Can you explain this concept a bit further please?

Cheers!
Jon

-
Jon Earle (613) 612-0946 (Cell)
HUB Computer Consulting Inc. (613) 830-1499 (Office)
http://www.hubcc.ca 1-888-353-7272 (Within Canada/US)

"God does not subtract from one's allotted time on Earth, those hours spent flying." --Unknown
Re: ASN1 : "Bad tag" Error with my own generated certificate
Hi,

And thank you for your help, but I've checked my Apache configuration and it's ok. I discovered that using a decrypted PEM version of my RSA key solves the problem... But that doesn't satisfy me for security reasons :-(

I suppose that the problem comes at the first read of the certificate or key.

Here are more infos :

-Certificate generation:

    openssl genrsa -des3 -out server.key 1024
    openssl req -new -key server.key -out server.csr
    ./sign.sh server.csr (with modified sign.sh and my own CA)

NB: The personal certificates (to import in browsers) that I've generated with this CA are all working in IE5 and NS4+fortify and I've built an SSLv3 canal with 128bits RC4-MD5 cipher between client and Apache started with PEM key.

-Apache config :

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    .
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/var/log/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/var/log/ssl_mutex
    SSLLog /var/log/ssl_engine_log
    SSLLogLevel info
    .
    SSLEngine on
    SSLCACertificateFile /etc/httpd/ssl.crt/ca.crt
    SSLCACertificatePath /etc/httpd/ssl.crt/
    SSLCertificateFile /etc/httpd/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
    #SSLCipherSuite +MEDIUM
    #SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars
    DocumentRoot /...
    ServerName www2.mba-france.com
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog /var/log/...
    CustomLog /var/log/...

- Logs ( /var/log/ssl_engine_log ):

    Server: Apache/1.3.12, Interface: mod_ssl/2.6.1, Library: OpenSSL/0.9.5
    Init: 1st startup round (still not detached)
    Init: Initializing OpenSSL library
    Init: Loading certificate & private key of SSL-aware server www2.mba-france.com:443
    Init: Requesting pass phrase via builtin terminal dialog
    Init: Private key not found (OpenSSL library error follows)
    OpenSSL: error:0D084069:asn1 encoding routines:d2i_ASN1_SET:bad tag
    OpenSSL: error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing
    OpenSSL: error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

??? What does this "bad tag" error mean ???

Tell me if you want more infos (Dummy Certificate files, prog versions...).

Thanks a lot.
Olivier
[error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key
Hi all,

I just upgraded an Apache v1.3.9 + mod_ssl v2.4.10 installation to Apache v1.3.12 and mod_ssl v2.6.2. I stopped the server, and then restarted it again, but the new server would not start up - it gave the error:

    [Tue Mar 7 17:42:46 2000] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key

Does anyone know why this might be the case? I also upgraded OpenSSL from v0.9.4 to 0.9.5, would this have broken anything?

Regards,
Graham
--
Re: mod_ssl problems with MSIE
[Terje Malmedal]
> [Jason Terry]
>> I am running
>> Apache/1.3.11 (Unix) mod_perl/1.21 PHP/3.0.14 mod_ssl/2.5.0 OpenSSL/0.9.4
>> I have this line in my http.conf
>> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>> However my mod_ssl server still has problems connecting with
>> MSIE and I can find absolutely no cause in my logs. I have had
>> administration ability for several different Linux boxes, and to
>> my knowledge all of them have had this problem. And it has been
>> happening for many months.
>> Does anyone have any idea what may be causing MSIE to not
>> connect. It has got to be something with only MSIE as I am an
>> avid Netscape user and I have NEVER seen this problem on any of
>> these servers when using Netscape. However if I switch to MSIE I
>> do see the rare occurrence.
>> Any ideas, on how to track the problem, or fix it would be VERY much
>> appreciated.
> Did this get resolved? I am having the same problems, currently running:
> Apache/1.3.12 (Unix) mod_perl/1.21 mod_ssl/2.6.2 OpenSSL/0.9.5 mod_fastcgi/2.2.2
> Netscape and Opera works perfectly, MSIE does not even leave an entry
> in the log. I also have the SetEnvIf-thingie from the FAQ.

After some experimentation I found that MSIE works if I disable everything except SSL version 2.

Is it possible to make the server only force MSIE users to use SSLv2?

--
- Terje
[EMAIL PROTECTED]
Re: Certificate questions...
At 07:36 AM 3/7/00 -0800, you wrote:
>Karl Denninger <[EMAIL PROTECTED]> writes:
> > Well, confidentiality implies integrity, in that a tampered data stream
> > won't decode. Public key crypto with a known certification on the public
> > key provides non-repudiation (assuming the private key has not been
> > compromised)
>This is absolutely not true.
>
>Consider a data stream enciphered with RC4. It's perfectly
>easy to undetectably flip any plaintext bit by
>flipping the corresponding ciphertext bit. If you know the
>plaintext, you can modify it predictably.

Perhaps... but isn't this impractical? The key phrase here is "If you know the plaintext...". How would one know if a random, encrypted stream is a recipe, a love letter, or a secret message to religious extremists? It all just looks like encrypted packets.

Jon

-
Jon Earle (613) 612-0946 (Cell)
HUB Computer Consulting Inc. (613) 830-1499 (Office)
http://www.hubcc.ca 1-888-353-7272 (Within Canada/US)

"God does not subtract from one's allotted time on Earth, those hours spent flying." --Unknown
Re: mod_ssl problems with MSIE
On Tue, Mar 07, 2000, Terje Malmedal wrote:

> [...]
> Is it possible to make the server only force MSIE users to use SSLv2?

Unfortunately no, because the browser type can only be recognized through the HTTP header field User-Agent and this is available _after_ the SSL handshake (where the cipher suite is involved) _only_.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key
On Tue, Mar 07, 2000, Graham Leggett wrote:

> I just upgraded an Apache v1.3.9 + mod_ssl v2.4.10 installation to
> Apache v1.3.12 and mod_ssl v2.6.2. I stopped the server, and then
> restarted it again, but the new server would not start up - it gave the
> error:
>
> [Tue Mar 7 17:42:46 2000] [error] mod_ssl: Init: Failed to generate
> temporary 512 bit RSA private key

FAQ: http://www.modssl.org/docs/2.6/ssl_faq.html#entropy

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
trub installing modssl 2.4.4 on linux 5.2
hope somebody can help me on this:

im trying to install modssl 2.4.4 with apache 1.3.9. bumping into a couple problems which were not present with mod 2.3.3-1.3.6:

1. configure fails to build apache_1.3.9/src/Makefile even though it builds configuration.acpi properly. this blows up of course the make attempt. for the few people in the world who read instructions, i was following set 5b for mod_ssl/INSTALL

2. since the script for step 5b is a little long, i put in in a script file xxx but found there is a difference between running "sh xxx" vs "./xxx". the same process worked for mod2.3.3 btw. the error is a bad reference to EAPI_MM.

my world is apps. not unix nuances. any help would be great. i really want to get apache 1.3.9 up. thought it would be as smooth as 1.3.6.

tks
john z.
[EMAIL PROTECTED]
ie4-5 and error messages
i just compiled this together and i am having a problem viewing them under ie4
the key is 1024bits
comes up with the error

    Internet Explorer cannot open the Internet site https://www.foo.com
    An error occurred in the secure channel support

worked fine with ssl 2.5 and openssl 0.9.4

anyone got any ideas or suggestions besides don't use ie4

--
***
http://www.wintronics.com.au/
Fast reliable web hosting and Computer Sales
ph 08 8172 0420
Kinglsey Foreman
Re: mod_ssl problems with MSIE
I have yet to find any solution other than totally disabling the keepalive. And, for the time being... the fact that

Are you sure that disabling everything except SSLv2 always works. When I experience this problem I could find no pattern to what would cause it to crash and what would allow it to work with the following exceptions

1) only fails with MSIE (any version)
2) it works if I disable keepalive

I had several times that I tried different things then went to test the connection, I would test it thousands of times successfully (using self refreshing web pages) and assume that it was ok, yet the very next day would get complaints from my co-workers that it was still an issue.

Do you have a test case that guarantees a failed SSL connection? I was never able to get a reliable failure.

-Jason

----- Original Message -----
From: "Terje Malmedal" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, March 07, 2000 10:01 AM
Subject: Re: mod_ssl problems with MSIE

>
> [Terje Malmedal]
> > [Jason Terry]
> >> I am running
> >> Apache/1.3.11 (Unix) mod_perl/1.21 PHP/3.0.14 mod_ssl/2.5.0 OpenSSL/0.9.4
> >
> >> I have this line in my http.conf
> >> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> >
> >> However my mod_ssl server still has problems connecting with
> >> MSIE and I can find absolutely no cause in my logs. I have had
> >> administration ability for several different Linux boxes, and to
> >> my knowledge all of them have had this problem. And it has been
> >> happening for many months.
> >
> >> Does anyone have any idea what may be causing MSIE to not
> >> connect. It has got to be something with only MSIE as I am an
> >> avid Netscape user and I have NEVER seen this problem on any of
> >> these servers when using Netscape. However if I switch to MSIE I
> >> do see the rare occurrence.
> >
> >> Any ideas, on how to track the problem, or fix it would be VERY much
> >> appreciated.
> >
> > Did this get resolved? I am having the same problems, currently running:
> >
> > Apache/1.3.12 (Unix) mod_perl/1.21 mod_ssl/2.6.2 OpenSSL/0.9.5 mod_fastcgi/2.2.2
> >
> > Netscape and Opera works perfectly, MSIE does not even leave an entry
> > in the log. I also have the SetEnvIf-thingie from the FAQ.
>
> After some experimentation I found that MSIE works if I disable
> everything except SSL version 2.
>
> Is it possible to make the server only force MSIE users to use SSLv2?
>
> --
> - Terje
> [EMAIL PROTECTED]
Re: trub installing modssl 2.4.4 on linux 5.2
Is there a particular reason you're trying to install old versions of both mod_ssl and Apache? The current version of Apache is 1.3.12 and the current version of mod_ssl is 2.6.2.

--Cliff

Cliff Woolley
Central Systems Software Administrator
Washington and Lee University
http://www.wlu.edu/~jwoolley/
Work: (540) 463-8089
Pager: (540) 462-2303

>>> [EMAIL PROTECTED] 10/01/99 01:51PM >>>
hope somebody can help me on this: im trying to install modssl 2.4.4 with apache 1.3.9. bumping into a couple problems which were not present with mod 2.3.3-1.3.6:
RE: mod_ssl problems with MSIE
On this note, I'd like to say that IE 5.0 is the only thing that is having a problem for me. I'd like to ask this though. I am using a cert that actually belongs to another DNS. (it is my cert, i'm just using it for testing on a new web server before changing the DNS entry)

IE 4.0 works, 4.01, hell, 3.2 works too. but not 5.0. 5.01 works.

Is this related to the fact that the DNS is not pointing to the IP that I'm using so the cert is being rejected by the browser?

Austin

-----Original Message-----
From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 07, 2000 1:48 PM
To: [EMAIL PROTECTED]
Subject: Re: mod_ssl problems with MSIE

On Tue, Mar 07, 2000, Terje Malmedal wrote:

> [...]
> Is it possible to make the server only force MSIE users to use SSLv2?

Unfortunately no, because the browser type can only be recognized through the HTTP header field User-Agent and this is available _after_ the SSL handshake (where the cipher suite is involved) _only_.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
ANNOUNCE: mod_ssl 2.6.2-1.3.12 RPMs
At the usual place: http://www.modssl.org/contrib/

--
Magnus Stenman
mailto:[EMAIL PROTECTED]
http://www.hkust.se
Get it up, keep it up. Linux -- Viagra for your PC
Re: Certificate questions...
Jon Earle <[EMAIL PROTECTED]> writes:
> At 07:36 AM 3/7/00 -0800, you wrote:
> >Karl Denninger <[EMAIL PROTECTED]> writes:
> > > Well, confidentiality implies integrity, in that a tampered data stream
> > > won't decode. Public key crypto with a known certification on the public
> > > key provides non-repudiation (assuming the private key has not been
> > > compromised)
>
> >This is absolutely not true.
> >
> >Consider a data stream enciphered with RC4. It's perfectly
> >easy to undetectably flip any plaintext bit by
> >flipping the corresponding ciphertext bit. If you know the
> >plaintext, you can modify it predictably.
>
> Perhaps... but isn't this impractical? The key phrase here is "If you know the
> plaintext...".

If you know the plaintext you can make PREDICTABLE changes. Without the plaintext, you can make arbitrary undetected changes.

> How would one know if a random, encrypted stream is a
> recipe, a love letter, or a secret message to religious extremists? It all
> just looks like encrypted packets.

You can tell an incredible amount from traffic analysis. For instance, connections on port 443 are almost always HTTP over SSL. If you've been looking at the previous HTTP traffic between this client and server pair, you can often get a pretty good idea of what the first encrypted message is.

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
PureTLS - free SSLv3/TLS software for Java
http://www.rtfm.com/puretls/
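
Added example, not part of any message in this thread: a Python sketch of the point argued in the two "Certificate questions..." replies above, that RC4 encryption alone does not give integrity, and of how a keyed MAC over the record catches the change. The keys, the sample record, the function names and the encrypt-then-HMAC-SHA256 layout are assumptions made for the illustration; it is not the SSL record format.

```python
import hashlib
import hmac


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR data with the RC4 keystream; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:  # keystream generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def flip_known_bytes(ciphertext: bytes, offset: int,
                     known: bytes, wanted: bytes) -> bytes:
    """Change ciphertext, without the key, so that plaintext bytes `known`
    at `offset` decrypt to `wanted`. Works because C = P xor keystream."""
    if len(known) != len(wanted):
        raise ValueError("known and wanted must have the same length")
    if offset < 0 or offset + len(known) > len(ciphertext):
        raise ValueError("offset out of range")
    patched = bytearray(ciphertext)
    for k, (old, new) in enumerate(zip(known, wanted)):
        patched[offset + k] ^= old ^ new
    return bytes(patched)


TAG_LEN = hashlib.sha256().digest_size


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then append an HMAC computed over the ciphertext."""
    ciphertext = rc4(enc_key, plaintext)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, record: bytes) -> bytes:
    """Verify the HMAC before decrypting; reject any modified record."""
    if len(record) < TAG_LEN:
        raise ValueError("record too short")
    ciphertext, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC check failed: record was modified in transit")
    return rc4(enc_key, ciphertext)


def demo():
    # Constructed sample values, for illustration only.
    enc_key = b"constructed-rc4-key"
    mac_key = b"constructed-mac-key"
    message = b"qty=01;item=widget"

    # Encryption only: the altered ciphertext decrypts without any error.
    ciphertext = rc4(enc_key, message)
    altered = flip_known_bytes(ciphertext, 4, b"01", b"99")
    decrypted = rc4(enc_key, altered)

    # Encryption plus MAC: the same alteration is rejected on receipt.
    record = seal(enc_key, mac_key, message)
    altered_record = flip_known_bytes(record, 4, b"01", b"99")
    try:
        open_sealed(enc_key, mac_key, altered_record)
        detected = False
    except ValueError:
        detected = True
    intact = open_sealed(enc_key, mac_key, record)
    return decrypted, detected, intact


if __name__ == "__main__":
    print(demo())
```

The MD5 in a suite name such as the RC4-MD5 quoted earlier on this page is the record MAC that plays this role in SSL.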
[BugDB] Certificate Signature Failure in sign.sh (PR#349)
Full_Name: Roby Gamboa
Version: 1.3.9.2.4.10-0.6.0
OS: RedHat Linux 6.1
Submission from: (NULL) (208.234.224.97)

In attempting to use sign.sh, I get the error below. I've set up a self-signed CA key and crt, and have the server key and csr file generated. Any thoughts?

*** Information from sign.sh ***
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'California'
localityName :PRINTABLE:'Novato'
organizationName :PRINTABLE:'Brightware Inc.'
organizationalUnitName:PRINTABLE:'Development'
commonName:PRINTABLE:'octave.brightware.com'
emailAddress :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Mar 8 03:16:09 2001 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: /C=US/ST=California/L=Novato/O=Brightware [EMAIL PROTECTED]
error 7 at 0 depth lookup:certificate signature failure
*** End information from sign.sh ***

After that point, even though I have a server.crt, I get a response saying that the server's certificate has an invalid signature, and that I will not be able to connect to this site securely.

Any thoughts?

Thanks,
- Roby Gamboa
[EMAIL PROTECTED]