Re: Apache/modssl upgrade Questions
On Tue, Mar 21, 2000, [EMAIL PROTECTED] wrote:

> I currently have 1.39 with modssl working which was installed according to the previous example set forth at www.modssl.org/example/. If I again follow the procedure at http://www.modssl.org/example/ to upgrade and the upgrade does not go well--will the former version of Apache and modssl that I currently have working still be available on the server or will the new installation overwrite the old version?
>
> If I do the upgrade, will it leave my existing httpd.conf file intact or will I need to bring my current virtual host container entries, etc., into newly created httpd.conf file?

It will overwrite your executables and DSOs, but it will preserve your configuration files.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Question:Child could not open SSLMutex...
On Mon, Mar 20, 2000, Rob Leachman wrote:

>> I just installed mod_ssl. When I started the httpd server (./apachectl startssl), there was error messages in error_log saying "Child could not open SSLMutex lockfile logs/ssl_mutex.17472". Would you tell me how to fix it?
>
> Finally a chance to give something back. Not much, but something.
>
> This kind of thing gave me fits, also with the ssl_scache.dir and ssl_scache.pag files. I dove into the source, did some experiments, and came out with an answer!
>
> The program creates these files as root (or whomever starts the server) and then does a chown as the web User (configured as "nobody") to allow the children to get the job done. On my system (it is an old build) I cannot chown a file to user "nobody", just doesn't work. No error messages but it doesn't work. I found this out by doing it manually, logged in as root and attempted to chown the files in question, no dice.
>
> So I created another non-privileged user "webdaemon" and changed httpd.conf to run the web as this real (but not powerful) user... and voila my problems with the SSL lock files went away.

Hmmm... strange. But just to make sure: you nevertheless have a "nobody" in your /etc/passwd, right? But it nevertheless doesn't allow you to perform a "chown nobody" on some files if you are logged in as root? H... very strange. What strange OS is this?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: http to https proxying
On Tue, Mar 21, 2000, Dat Truong wrote:

> I was wondering if you can help me with a particular problem. I'm trying to go from browser to apache proxy via HTTP and from apache proxy to ws via HTTPS. I keep getting FORBIDDEN (You don't have permission to access /pinky/ on this server.). My ws (NES) is configured with SSL (server cert only). Can Apache Proxy act as a SSL client?

If mod_ssl is loaded, mod_proxy can act as a HTTPS client, yes.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: Ie certificate problem when using mod_ssl
> What am I doing wrong with my certificate?

IE is somewhat more peculiar in what it accepts. It makes more fuss about the certification path and whether it can be followed.

Going to both sites you can see the issuer CN of the site that works is the same as the cert CN, namely the site name (www.math.tamu.edu = www.math.tamu.edu) whereas the issuer of the non-working cert is: Statistics, Texas A&M and the certificate CN is: stat.tamu.edu

Therefore the Internet Exploder wants to find the issuer cert, and it does not have that. Ergo, your self signed certificate is no self signed certificate.

I think this would approx. do the trick.

    openssl req -new -x509 -keyout keyname.pem -out self-signed-cert.pem

Jan
--
alive=true
MaxClients setting in httpd.conf
Hi

I'm running RedHat Linux 5.2 with Apache_1.3.12 with OpenSSL-0.9.5 and Mod_SSL-2.6.2 installed. We're running this on a P3 650MHz, 128Mb RAM with 10/100 network card. We are expecting a lot of traffic on our site, so is it possible to increase the MaxClients and MaxKeepAliveRequest settings in the httpd.conf file, or are the default values fine?

Thanks in advance for the help

Regards
Martin
How to start an Apache + modssl without human interact?
Hello group

I want to know if it is possible to start an apache server with modssl whether the private key is password-protected, without human interact, that is, is there some script or program that could give the private key password to the command 'apachectl startssl'. I know that in Linux exists the 'expect' command, but my server is running in Sun Solaris.

Thanks in advance.

---
Francisco Javier Martinez Martinez
Universidad Nacional de Educación a Distancia
CSI-Comunicaciones Telematicas
Sección Seguridad y Nuevas Aplicaciones
c/ Bravo Murillo 38, 2ª Planta
Madrid - Spain
---
Re: Navigator 3.x die upon connection
> Hi All,
>
> On: Apache/1.3.12 (Unix) mod_perl/1.21_03 mod_ssl/2.6.2 OpenSSL/0.9.5
>
> The browser just dies with this error on Win 98: The application has performed an illegal operation and will be shutdown.
>
> The error_log says:
>
> [Wed Mar 22 14:10:53 2000] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
> [Wed Mar 22 14:10:53 2000] [error] System: Connection reset by peer (errno: 131)
>
> There is no entry in access_log for this. Anybody have a similar problem?

Try inserting this in your httpd.conf in a global section

    SSLProtocol SSLv2

I had a similar problem, it didn't make the system crash but hey, it's Windows 98.

Robert W. Oliver
[EMAIL PROTECTED]
How works the 'SSLPassPhraseDialog'
Hello

I had noticed that I could give the password of the private key of the server with the 'SSLPassPhraseDialog' with no human-interactive in the server start up. With the directive 'exec:/path/to/program' but I don't had any idea of this program. Would you please post an example of this program to take it as pattern to make my customized one.

Thanks in advance.
Re: Odd message with mod_ssl and php4
The --with-apache switch can be used in php4 as well instead of the apxs. I see though as you said, the full path is there. I apologize for this but I have slept since then. What was the original problem? Is apache complaining about php and mod_perl being compiled as API instead of EAPI? If so I am clue-less at this point. Mine DOES complain of this as well.

I looked at the apxs script and it looks as though it should be taking care of this. It looks for DSO support, mod_so and so forth. Since there is no way to configure php other than: --with-apache or --with-apxs=[DIR] then I guess we are sunk. Grab the tarball of apache + mod_ssl and compile it with EAPI? Is this the answer I am groping in the dark for?

Maybe the kind gentleman who made the rpm's knows. If we don't get any suggestions I'll grab the spec file tomorrow and see if I can find the answer there.
HTTPS Proxy
What Ho,

In the notes of 2.6.2 it mentions that HTTPS proxying is now available. How do I implement this is it the same as an insecure proxy or are there new commands like SSLProxy on?

I have rebuilt apache with --enable-rule=SSL_EXPERIMENTAL --enable-module=proxy and started with a fresh httpd.file but the proxy information is commented out and I see no other proxy directive. Have I missed something? There is nothing in the FAQ.

Regards
Bob Weeks
RE: Apache/modssl upgrade Questions
I am not an expert but I THINK this is the answer to your question.

"make install" *will* overwrite /usr/local/apache/bin/httpd and the other binaries. /usr/local/apache/conf/*.conf will not be overwritten, instead additional sets with an altered filename will appear there. To preserve your 1.3.9 installation in case you have a problem, take a backup copy of /usr/local/apache/bin.

Someone else who knows more than me will no doubt advise that following http://www.modssl.org/example/ is probably not a good idea - it really is just an example but you're probably missing some configuration options that you might want (eg. MM shared memory library, DSO support) or (depending upon your home jurisdiction) might need (eg RSAref). See http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL

Regards

= Original Message From [EMAIL PROTECTED] =

> I currently have 1.39 with modssl working which was installed according to the previous example set forth at www.modssl.org/example/. If I again follow the procedure at http://www.modssl.org/example/ to upgrade and the upgrade does not go well--will the former version of Apache and modssl that I currently have working still be available on the server or will the new installation overwrite the old version?
>
> If I do the upgrade, will it leave my existing httpd.conf file intact or will I need to bring my current virtual host container entries, etc., into newly created httpd.conf file?
>
> Thanks for any advice.
> Bill
Re: How to start an Apache + modssl without human interact?
On Wed, Mar 22, 2000, Francisco Javier Martínez Martínez wrote:

> I want to know if it is possible to start an apache server with modssl whether the private key is password-protected, without human interact, that is, is there some script or program that could give the private key password to the command 'apachectl startssl'. I know that in Linux exists the 'expect' command, but my server is running in Sun Solaris. Thanks in advance.

Read the mod_ssl user manual, please. You can either use a program which feeds the passphrase or you can remove the passphrase at all.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: MaxClients setting in httpd.conf
On Wed, Mar 22, 2000, Mukesh Sooka wrote:

> I'm running RedHat Linux 5.2 with Apache_1.3.12 with OpenSSL-0.9.5 and Mod_SSL-2.6.2 installed. We're running this on a P3 650MHz, 128Mb RAM with 10/100 network card. We are expecting a lot of traffic on our site, so is it possible to increase the MaxClients and MaxKeepAliveRequest settings in the httpd.conf file, or are the default values fine?

You can increase the values, of course. But it is always reasonable to first calculate/guess the expected amount of traffic to not exaggerate with the values.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: How works the 'SSLPassPhraseDialog'
On Wed, Mar 22, 2000, Francisco Javier Martínez Martínez wrote:

> I had noticed that I could give the password of the private key of the server with the 'SSLPassPhraseDialog' with no human-interactive in the server start up. With the directive 'exec:/path/to/program' but I don't had any idea of this program. Would you please post an example of this program to take it as pattern to make my customized one.

The user manual makes it pretty clear how this program has to look, doesn't it?

| exec:/path/to/program
| Here an external program is configured which is called at startup for each
| encrypted Private Key file. It is called with two arguments (the first is of the
| form ``servername:portnumber'', the second is either ``RSA'' or ``DSA''), which
| indicate for which server and algorithm it has to print the corresponding Pass
| Phrase to stdout. [...]

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: HTTPS Proxy
On Wed, Mar 22, 2000, Robert X Weeks wrote:

> In the notes of 2.6.2 it mentions that HTTPS proxying is now available. How do I implement this is it the same as an insecure proxy or are there new commands like SSLProxy on?

The same CHANGES entry you mention also included this:

| o SSLProxyProtocol [+-][SSLv2|SSLv3|TLSv1] ...
|   (enable or disable SSL protocol flavors)
| o SSLProxyCipherSuite XXX:...:XXX
|   (colon-delimited list of permitted SSL ciphers)
| o SSLProxyVerify on|off
|   (whether to verify the remote certificate)
| o SSLProxyVerifyDepth N
|   (maximum certificate verification depth)
| o SSLProxyCACertificateFile /path/to/file
|   (file containing server certificates)
| o SSLProxyCACertificatePath /path/to/dir
|   (directory containing server certificates)
| o SSLProxyMachineCertificateFile /path/to/file
|   (file containing client certificates)
| o SSLProxyMachineCertificatePath /path/to/dir
|   (directory containing client certificates)

> I have rebuilt apache with --enable-rule=SSL_EXPERIMENTAL --enable-module=proxy and started with a fresh httpd.file but the proxy information is commented out and I see no other proxy directive. Have I missed something? There is nothing in the FAQ.

The stuff is experimental and so it is still not documented. That's why the FAQ also does not contain anything about it. The above short overview and the source code is the only information available for such an experimental feature. But keep in mind that for simple HTTPS client support in mod_proxy you don't need this experimental stuff. mod_ssl always provides basic HTTPS support for mod_proxy.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
https hangings/fails on serving pages..
Morning,

I've spent two days (and nights) going over mail lists, FAQ's, manuals, code trying to solve a nasty little problem with mod_ssl...

The version strings are Apache/1.3.12 (Unix) PHP/3.0.15 mod_ssl/2.6.2 OpenSSL/0.9.5a-beta1. I had to use OpenSSL/0.9.5a-beta1 in order to get it to work on Solaris2.6 (lack of a /dev/urandom).

The VirtualHost _default_:443 segment of the httpd.conf is the same as the default with the following exceptions;
- ServerAdmin changed
- SSLCertificateChainFile has been uncommented

The only other modifications are port 80 VirtualHosts (which all work) added to the bottom of the config. HTTP works fine, the problem is only with HTTPS service.

In summary, NS4.7 gets in a loop (sending packets to the server) then I get the "There was no response..." message. IE5 throws up the generic connection failure dialogue, but doesn't get into a packet exchange loop. No messages of any kind show up in the logs, even with SSLLogLevel set to debug when using browsers.

Debugging with s_client gets even more interesting (command used openssl s_client -connect woof.unicity.com.au:443 -state -debug)...

| SSL handshake has read 2203 bytes and written 320 bytes
| ---
| New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
| Server public key is 1024 bit
| SSL-Session:
| Protocol : TLSv1
| Cipher: EDH-RSA-DES-CBC3-SHA
| Session-ID:
| 9463556D63A740C4A6A81735F7F12E85675ABE87FA11F768EFB9486F7FB67AC6
| Session-ID-ctx:
| Master-Key:
| 809B02680DBA169A2C91169152E0C46ACECF94C475B2538B340ACE2BEABB38C4170C3C83AE9859B4C54324B501DC5105
| Key-Arg : None
| Start Time: 953729207
| Timeout : 300 (sec)
| Verify return code: 0 (ok)
| ---
| GET / HTTP/1.0 ## User input!
| write to 08148EE0 [08154E10] (45 bytes = 45 (0x2D))
| - 17 03 01 00 28 2e ba 9b-2d d0 2a f5 9f 0f 90 a8 (...-.*.
| 0010 - 12 20 b4 7e 24 7c e2 56-5a e9 1e e7 ab a8 19 18 . .~$|.VZ...
| 0020 - f7 95 cc 5b 98 14 3b 69-83 5c 89 1b 86...[..;i.\...

The connection just hangs...

Now if I provide a bad method, I get an HTML error message!?

| SSL handshake has read 2203 bytes and written 320 bytes
| ---
| New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
| Server public key is 1024 bit
| SSL-Session:
| Protocol : TLSv1
| Cipher: EDH-RSA-DES-CBC3-SHA
| Session-ID:
| 656AFD7A3239C785F1ADA553FD521938FF4F230AACAFC9EA2FE72377830B409A
| Session-ID-ctx:
| Master-Key:
| 01054BE1259DECD5502AF84123684AD3B894A79BA634B7B0037353324ACB9914A1CCFB8B2EBE415B90BED8204B0DE28D
| Key-Arg : None
| Start Time: 953729352
| Timeout : 300 (sec)
| Verify return code: 0 (ok)
| ---
| Gdf /
| write to 08148EE0 [08154E10] (37 bytes = 37 (0x25))
| - 17 03 01 00 20 65 e9 8c-03 8a 27 77 ad 36 23 dd e'w.6#.
| 0010 - b2 0b e8 76 0b 19 97 0d-69 07 04 33 4e 38 41 47 ...vi..3N8AG
| 0020 - f7 83 cf b8 fb.
| read from 08148EE0 [08150600] (5 bytes = 5 (0x5))
| - 17 03 01 01 58X
| read from 08148EE0 [08150605] (344 bytes = 344 (0x158))
| - f0 55 f2 67 d6 6d 99 49-09 ea 43 f6 70 f7 bb 4d .U.g.m.I..C.p..M
| 0010 - 95 f4 78 1c cb 9b cb 40-74 5b 73 76 de ed 88 6b ..x@t[sv...k
| ...
| 0130 - 22 ea 99 23 ba 20 95 83-d6 dc 89 3e c0 5a 2e 0f "..#. ..Z..
| 0140 - 6e 2b aa 3b 0d 68 3c a5-eb e7 24 25 95 4d 27 d8 n+.;.h...$%.M'.
| 0150 - 5e cf 50 c1 b1 7f 60 c8- ^.P...`.
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
| <HTML><HEAD>
| <TITLE>501 Method Not Implemented</TITLE>
| </HEAD><BODY>
| <H1>Method Not Implemented</H1>
| Gdf to /index.html not supported.<P>
| Invalid method in request Gdf /<P>
| <HR>
| <ADDRESS>Apache/1.3.12 Server at woof.unicity.com.au Port 443</ADDRESS>
| </BODY></HTML>
| read from 08148EE0 [08150600] (5 bytes = 5 (0x5))
| - 15 03 01 00 18.
| read from 08148EE0 [08150605] (24 bytes = 24 (0x18))
| - b1 1d 12 ea 24 18 15 a7-e6 f9 13 67 e7 05 43 a0 $..g..C.
| 0010 - a0 a5 fd 9d e7 e5 5d 26- ..]
| SSL3 alert read:warning:close notify
| closed
| write to 08148EE0 [08154E10] (29 bytes = 29 (0x1D))
| - 15 03 01 00 18 59 0e 72-e9 6c 8a e0 b6 67 14 48 .Y.r.l...g.H
| 0010 - 60 72 02 79 c9 b2 64 ff-62 0c f9 5a cb`r.y..d.b..Z.
| SSL3 alert write:warning:close notify

Both of the above openssl commands were logged;

| woof.unicity.com.au - - [22/Mar/2000:23:49:11 +1100] "GET / HTTP/1.0" 200 718
| woof.unicity.com.au - - [22/Mar/2000:23:49:20 +1100] "Gdf /" 501 -

As I can tell, no one has had this problem. I have kept the configuration as close to the default as possible and it still gets me nothing. Netscape fails in a send packet loop until it times out, IE5 fails almost immediately. Both clients log nothing to the apache logs. OpenSSL s_client completes the hand-shake and session establishment, but data is never returned against a
mod_bandwidth.so module with mod_ssl-1.3.12.2.6.2-0.6.0.src.rpm
Hi there.

I've recently been trying to get the third-party module mod_bandwidth.so to function in the copy of apache-modssl I'm running, but I've had no luck. Originally, I was running v 1.3.9 of mod_ssl. However, as it was installed as an RPM, I couldn't recompile it with mod_bandwidth. I found that apache-1.3.12. comes with mod_bandwidth included, so I downloaded this, pulled out the mod_bandwidth.so file, stuck it in /usr/lib/apache/, and added it to the apache config file. However, when I did this, I got the following error in my error_log:

    [warn] Loaded DSO lib/apache/mod_bandwidth.so uses plain Apache 1.3 DSO, this module might crash under EAPI!

I assumed this was because of differences between 1.3.9 and 1.3.12, so I downloaded apache-mod_ssl-1.3.12.2.6.2-0.6.0.src.rpm (today), which I noticed doesn't come with mod_bandwidth.so, and built and installed it. I used the mod_bandwidth.so file from the main apache rpm, and left the module reference in the config file. However, on restarting the server again, I got an almost identical error, as below:

    [warn] Loaded DSO lib/apache/mod_bandwidth.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI)

I was wondering if anyone has any ideas about what might be causing this - I'm afraid I don't understand the error. Is this module incompatible with mod_ssl? Is that why it's not included? Are there any alternatives (I just want to limit bandwidth by transfer rate on a virtualhost basis)? Is it the module which needs to be compiled with -deapi switch? Is there any way to do this only on the module, without having to do a source compile of modssl (all I really want is the .so file)?

The module is located at ftp://ftp.cohprog.com/pub/apache/module/mod_bandwidth.c

Many thanks for any advice.

Andrew Clark.
Mutex File disappears
I got this error when the apache locked up:

    Failed to acquire global mutex lock

We are currently at 2.4.10-1.3.9 on Solaris 2.6

I looked and the mutex file was gone. (we are using files and fcntl access) Stopping and then starting apache fixed things by recreating the file. But I am concerned as to why the file disappeared? Anyone else seen this behaviour? Is there a patch (Apache, Solaris or Mod-ssl) that addressed this?

thanks
John
I only get RC4-56?
Hello All at modssl-users,

What a great product! I have downloaded everything (latest 0.9.5, 2.6.2, 1.3.12). I did a config/make, and everything went fine (even using DSO). I made a key and cert for the default server and a second set for a specific URL. ./httpsdctl startssl works fine. I have a self signed key/cert. It works.

However, when I get in with Netscape 4.7, the encryption level is lower than I expect or want. My browser uses 128 bit encryption at other sites with no problem (so the problem doesn't seem to be the browser). OpenSSL has a whole slug of 128 bit ciphers to choose from (I did a 'openssl cipher -v'). The message I get from my secure connection is this:

    Security: This is a secure document that uses a medium-grade encryption key suited for U.S. export (RC4-56, 128 bit with 56 secret).

I have tried upping the level with these settings in httpsd.conf:

    SSLProtocol -all +SSLv3
    SSLCipherSuite SSLv3:+HIGH:+MEDIUM:+EXP

and

    SSLRequire %{SSL_CIPHER_USEKEYSIZE} = 128

These settings simply prevent me from getting in. It seems like the key/cert has some characteristic that is less than what I want. What do I do to up-it to 128? Is it somewhere in the config process? Is it a different setting in httpsd.conf? Is it a change to my browser?

Thanks in advance.

--
Mark Temple, Information System Manager
ABC Labs, Columbia, Missouri 65202
voice:573.876.8198 fax:573.443.9033
--
problem compiling
I'm trying to compile Apache 1.3.12 with mod-ssl_2.6.4_1.3.12 on Mac OS X Server 1.2. I have successfully compiled and installed Apache 1.3.12 without mod_ssl. Now, I am trying to compile Apache with mod_ssl-2.6.2, but it is not working. I have pasted in the configure command and output that I am getting. Does anyone have any ideas?

    ./configure --with-apache=/usr/local/apache_1.3.12 \
        --with-ssl=/usr/local/openssl-0.9.5 --prefix=/usr/local/sbin

I get the following error:

    C + doing sanity check on compiler and options
    ** A test compilation with your Makefile configuration
    ** failed. The below error output from the compilation
    ** test will give you an idea what is failing. Note that
    ** Apache requires an ANSI C Compiler, such as gcc.
    cd ..; cc -DMAC_OS_X_SERVER -DMOD_SSL=206102 -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I./lib/expat-lite -DNO_DL_NEEDED `./apaci` -L/usr/local/openssl-0.9.5 -o helpers/dummy helpers/dummy.c -ldbm -lssl -lcrypto
    /usr/bin/ld: can't locate file for: -ldbm
    make: *** [dummy] Error 1
    Error Output for sanity check =
    End of Error Report =
    Aborting!
    ./configure:Error: APACI failed

I think the problem is that in Makefile.config I see this: "LIBS1= -ldbm -lssl -lcrypto". However, I don't how to solve this.

Thanks
--
--adhamh
RE: Create my own CA
> --
> From: Gustavo Amarilla[SMTP:[EMAIL PROTECTED]]
> Reply To: [EMAIL PROTECTED]
> Sent: 21 March 2000 19:54
> To: modssl-users
> Cc: openssl-users
> Subject: Create my own CA
>
> I download the Apache/1.3.12 mod_ssl/2.6.2 and openssl-0.9.5 and I created my own CA, and I will do my own CA certified entity, because we can not pay to an entity like Verisign or something, but when I used MS Explorer 5.0 or Netscape 4.0 those programs say to me: "I don't recognize the authority who sign this certificate". I used the sign.sh (that came with the open_ssl package) and created a server.csr, I put this file in the httpd.conf but the same msg.

Hmm, the .csr is the "Certificate Signing Request", the /half cooked chicken/. Once you sign it with sign.sh, you create the server.crt.

For a free implementation, you may consider www.openca.org. For a doc on openca you may look at: ftp://pc96.ma.rhbnc.ac.uk/pub/OpenCA/

Regards,
Simos
Re: How works the 'SSLPassPhraseDialog'
The program is any program that outputs the password to the standard output, that is to the screen. For example in C:

    #include <stdio.h>

    int main(int argc, char** argv) {
        /* mod_ssl reads the pass phrase from this program's stdout */
        printf("xx"); // replace xx with your actual password.
        return 0;
    }

Another possibility is to use an executable script that just echoes the password. If all you're looking for is a way to make Apache start without intervention, this will do fine. But in a real world environment where security is a concern, you may want that program to be more sophisticated.

Regards,
Jan Dries

Francisco Javier Martínez Martínez wrote:

> Hello
>
> I had noticed that I could give the password of the private key of the server with the 'SSLPassPhraseDialog' with no human-interactive in the server start up. With the directive 'exec:/path/to/program' but I don't had any idea of this program. Would you please post an example of this program to take it as pattern to make my customized one.
>
> Thanks in advance.
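A fuller helper for the `SSLPassPhraseDialog exec:` interface described in the user-manual excerpt and in the reply above (two arguments in, pass phrase on stdout), as an added example that is not part of the original posts or of mod_ssl. The store path, its one-entry-per-line format and the function names are assumptions made for the illustration; the sample entries are constructed.

```shell
#!/bin/sh
# Pass-phrase helper for:  SSLPassPhraseDialog exec:/path/to/this/script
# mod_ssl calls it once per encrypted key file as
#     script servername:portnumber RSA|DSA
# and reads the pass phrase from stdout.
#
# Assumed store format (hypothetical), one entry per line:
#     servername:portnumber ALGO pass phrase text
PASSFILE=${PASSFILE:-/usr/local/apache/conf/ssl.pass}   # hypothetical path

# Succeed only if the store is a regular file (not a symlink), owned by
# the calling user, with no group/other permission bits at all.
store_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    info=$(ls -ldn "$1" | awk '{ print $1, $3 }')   # "mode uid"
    mode=${info%% *}
    owner=${info#* }
    case $mode in
        -???------*) ;;        # e.g. -rw------- or -r--------
        *) return 1 ;;
    esac
    [ "$owner" = "$(id -u)" ]
}

# passphrase_for STORE servername:portnumber ALGO
# Prints the matching pass phrase and returns 0.
# Returns 1 on no match, 2 on a bad algorithm, 3 on an unsafe store;
# nothing is printed in any of the failure cases.
passphrase_for() {
    store=$1 server=$2 algo=$3
    case $algo in
        RSA|DSA) ;;
        *) return 2 ;;
    esac
    store_is_private "$store" || return 3
    while read -r name alg phrase; do
        if [ "$name" = "$server" ] && [ "$alg" = "$algo" ]; then
            printf '%s\n' "$phrase"
            return 0
        fi
    done < "$store"
    return 1
}

# Constructed sample store for trying the helper out (not real secrets).
write_sample_store() {
    ( umask 077
      printf '%s\n' \
          'www.example.com:443 RSA constructed rsa phrase' \
          'www.example.com:443 DSA constructed-dsa-phrase' > "$1" )
}

# Entry point when mod_ssl (or an administrator) runs the script with
# the two arguments from the manual.
if [ "$#" -eq 2 ]; then
    passphrase_for "$PASSFILE" "$1" "$2"
    exit $?
fi
```

Whoever can run this script or read its store can recover the key's pass phrase, so both files need the same protection as an unencrypted key would.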
Re: Navigator 3.x die upon connection
Jie Gao wrote:

> [...]
> On: Apache/1.3.12 (Unix) mod_perl/1.21_03 mod_ssl/2.6.2 OpenSSL/0.9.5
>
> The browser just dies with this error on Win 98: The application has performed an illegal operation and will be shutdown.
> [...]

I've had exactly the same problem for an Apache 1.3.12 / mod_ssl 2.6.2 / OpenSSL 0.9.5 running on Win NT 4. I was using the Netscape 4.6 browser, either on NT or Linux. And actually, IE 4.0 had the same problem. That is, although it didn't crash, it would give an error message and if I then checked the SSL log, it would have identical displays.

The problem only occurs when requiring clients to authenticate (having specified "SSLVerifyClient require").

The odd thing was, it did initially work with the NS 4.6 as well as the IE 4.0 browser. And one day, for no obvious reason, it just didn't work any more. At that point, a downgrade to a previous version of Apache / modssl / openssl that had worked fine for quite some time, didn't make the problem go away, which made me wonder if the problem could be date related.

I've now upgraded to NS 4.72 and IE 5.0 on Win NT, and the problem has gone away. But if I connect to the same configuration from my NS 4.6 browser on Linux, the browser crashes.

Regards,
Jan Dries
Apache/mod_ssl Not Working with Inetd
I am trying to setup apache/mod_perl/mod_php/mod_ssl to work in a virtual file system which requires the services to run under inetd. I have apache server working fine with the above mods in standalone mode but when I switch to inetd mode the ssl can't initiate. It also creates multiple MUTEX files (one for every connection attempt). Also if you go to http://www.domain.com:443/ the server responds just like it would on port 80.

Has anyone else tried this type of install, and did anyone get it working?

PS. Apache has no problems in inetd mode on port 80 - just with ssl.

Tony Dean
MIS Director
Quest Net, Corp
Re: Create my own CA
During the process of creating your own CA, you came up with a 'ca.crt' file (the FIRST .crt file that you came up with). You need to download this into your client, as a specific MIME type. (application/x-x509-certificate)

For MSIE, it requires it to be sent in .der format, which is essentially a .crt minus the base-64 encoding.

    openssl x509 -inform PEM -in ca.crt -outform der -out ca.der

(... or something like that. It's been a while since I've done it. There's an FAQ entry on it, at the least.)

---
Mat Butler, Winged Wolf [EMAIL PROTECTED]
SPASTIC Web Engineer
SPASTIC Server Administrator
Begin FurryCode v1.3
FCWw5amrsw A- C+ D H+++ M+[servercoder] P+ R++ T+++ W Z++ Sm++ RLCT/M*/LW* a cl/u/v+ !d e- f h++ iwf+++ j p-+ sm++
End FurryCode v1.3

On Tue, 21 Mar 2000, Gustavo Amarilla wrote:

> I download the Apache/1.3.12 mod_ssl/2.6.2 and openssl-0.9.5 and I created my own CA, and I will do my own CA certified entity, because we can not pay to an entity like Verisign or something, but when I used MS Explorer 5.0 or Netscape 4.0 those programs say to me: "I don't recognize the authority who sign this certificate". I used the sign.sh (that came with the open_ssl package) and created a server.csr, I put this file in the httpd.conf but the same msg.
>
> May you help me,
> Thanks in advance
Create my own CA
I download the Apache/1.3.12 mod_ssl/2.6.2 and openssl-0.9.5 and I created my own CA, and I will do my own CA certified entity, because we can not pay to an entity like Verisign or something, but when I used MS Explorer 5.0 or Netscape 4.0 those programs say to me: "I don't recognize the authority who sign this certificate". I used the sign.sh (that came with the open_ssl package) and created a server.csr, I put this file in the httpd.conf but the same msg.

May you help me,
Thanks in advance
second try: Error while running config.
I'm trying to compile Apache 1.3.12 with mod-ssl_2.6.4_1.3.12 on Mac OS X Server 1.2. I have successfully compiled and installed Apache 1.3.12 without mod_ssl. Now, I am trying to compile Apache with mod_ssl-2.6.2. I have pasted in the configure command and output that I am getting. Does anyone have any ideas?

    ./configure --with-apache=/usr/local/apache_1.3.12 \
        --with-ssl=/usr/local/openssl-0.9.5 --prefix=/usr/local/sbin

I get the following error:

    C + doing sanity check on compiler and options
    ** A test compilation with your Makefile configuration
    ** failed. The below error output from the compilation
    ** test will give you an idea what is failing. Note that
    ** Apache requires an ANSI C Compiler, such as gcc.
    cd ..; cc -DMAC_OS_X_SERVER -DMOD_SSL=206102 -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I./lib/expat-lite -DNO_DL_NEEDED `./apaci` -L/usr/local/openssl-0.9.5 -o helpers/dummy helpers/dummy.c -ldbm -lssl -lcrypto
    /usr/bin/ld: can't locate file for: -ldbm
    make: *** [dummy] Error 1
    Error Output for sanity check =
    End of Error Report =
    Aborting!
    ./configure:Error: APACI failed

I think the problem is that in Makefile.config I see this: "LIBS1= -ldbm -lssl -lcrypto". However, I can't tell how configure is generating this.

Thanks
--
--adhamh
Re: Navigator 3.x die upon connection
On Thu, 23 Mar 2000, Jan Dries wrote:

> Jie Gao wrote:
>
>> [...]
>> On: Apache/1.3.12 (Unix) mod_perl/1.21_03 mod_ssl/2.6.2 OpenSSL/0.9.5
>>
>> The browser just dies with this error on Win 98: The application has performed an illegal operation and will be shutdown.
>> [...]
>
> I've had exactly the same problem for an Apache 1.3.12 / mod_ssl 2.6.2 / OpenSSL 0.9.5 running on Win NT 4. I was using the Netscape 4.6 browser, either on NT or Linux. And actually, IE 4.0 had the same problem. That is, although it didn't crash, it would give an error message and if I then checked the SSL log, it would have identical displays.
>
> The problem only occurs when requiring clients to authenticate (having specified "SSLVerifyClient require").
>
> The odd thing was, it did initially work with the NS 4.6 as well as the IE 4.0 browser. And one day, for no obvious reason, it just didn't work any more. At that point, a downgrade to a previous version of Apache / modssl / openssl that had worked fine for quite some time, didn't make the problem go away, which made me wonder if the problem could be date related.
>
> I've now upgraded to NS 4.72 and IE 5.0 on Win NT, and the problem has gone away. But if I connect to the same configuration from my NS 4.6 browser on Linux, the browser crashes.

I have done a few more tests:

1. Navigator 3.01 on win98 worked initially, but it is now a sure kill;
2. Navigator Gold 3.01 on win95, dies invariably;
3. No problem with Mozilla/4.07 [en] (X11; I; SunOS 5.6 sun4m);
4. No problem with Mozilla/4.5 [en] (X11; I; SunOS 5.6 sun4u);
5. No problem with MSIE 5.0 on Win95.
6. Setting SSLProtocol "sslv2" did not help.

I would not really mind if it just happens with Navigator 3.x, as the users should upgrade anyway; but if this is a problem with NS 4.72 and IE 5.0, it's going to affect a lot of users.

I suspect this has to do mainly with OpenSSL 0.9.5 which is said to be a major release?

Jie
Re: How works the 'SSLPassPhraseDialog'
In short, as I claim always, there is nothing good in PEM, because you can't eat the cake and have it.

You either have an un-encrypted file, or you have an encrypted file - but with another program that outputs this password. And you don't have to look for this program - just look at the appropriate rc.d script...

A hacker can copy your key, no matter if it is encrypted or not; It will just spend one more minute for him.

The only use for this PEM, is when it is transferred via non-secure ways, for example when it is e-mailed, or stored in another computer.

Or may I miss anything?

--
Eli Marmor