RE: VeriSign keys.
LENGLART Benjamin [[EMAIL PROTECTED]] said:

> place a SSLCertificateKeyfile and a SSLCertificatePrivateKey (must look
> like that, not sure of the grammar) in each of your virtual host ...
> (the good one naturally)
>
> Woops it works !!!

... but mustn't they also be IP-based rather than name-based?

Steve
--
Steve Fairhead - SFD - Solutions by Design
www: http://www.sfdesign.co.uk
--
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                  [EMAIL PROTECTED]
Re: VeriSign keys.
Hi Zohar,

> I have several domain names and for each I have a separate key from
> VeriSign. How could I use them in the same httpd.conf if I want to host
> them on the same server, using virtual server. Which directive should I
> place beneath each virtual host section. Where can I look for example
> conf file? Please advise,

Check out the FAQ at www.modssl.org. Your virtual hosts must be IP based and *not* name based. (Actually, you could do them name based but have each host on a different port. I would not do this, but someone else once suggested this idea.) If you only have one NIC you can ipalias in multiple IP numbers (available on Solaris, Linux, and perhaps others).

Hope that helps,
Joshua
BIO or SSL bug?
Folks,

I'm running Apache 1.3.12 + modssl 2.6.3 + 0.9.5a on a Solaris 2.7 (X86).

I've run into a problem where the server is consistently coredumping after it shuts down the connection. It occurs immediately after the server log reflects the following line:

    [15/May/2000 12:26:23 24486] [info] Connection to child 0 closed with standard shutdown (server blackbird:8443, client 1.1.1.1)

Further investigation shows that this line is added to the log **AFTER** the SSL struct has been freed in ssl_engine_kernel.c (approx. line 511 or so).

When debugging using the -DSSL -X options, I observe the following. The server is currently blocking on the line in s3_pkt.c:

        clear_sys_error();
        if (s->rbio != NULL)
            {
            s->rwstate=SSL_READING;
    blocked---> i=BIO_read(s->rbio, &(s->s3->rbuf.buf[off+newb]), max-newb);
            }

Then, the timer goes off and we start to clean up the SSL struct. At a certain point, we get to the code that is (I assume...;-) supposed to unblock the socket so that it can terminate. It goes through the ssl_free() function just fine.

What I'm observing is that the blocked read (above) never unblocks and the server code goes about its business cleaning up the SSL structure! Thus, it releases the s->s3 buffer, and the whole s pointer, before the BIO_read() from above ever unblocks!

Finally, the read unblocks and then picks up where it left off executing the code below, and then SIGSEGV occurs (obviously):

        else
            {
            SSLerr(SSL_F_SSL3_READ_N,SSL_R_READ_BIO_NOT_SET);
            i = -1;
            }

        if (i <= 0)
            {
    SIGSEGV-->  s->s3->rbuf.left = newb;  /* s->s3 = 0, and I believe S has been freed! */
            return(i);
            }
        newb+=i;
        }

I've compiled all parts using GCC 2.95.2 on a PIII X86 machine running Solaris 7 (i.e. 2.7). The only other thing which might be affecting this build is that I compiled OpenSSL with the 'threads' options. Plus, my mods have included some additions that required to link in the pthreads library. (But my changes to the code had not yet run.)

My guess is that the pthreads library has introduced either some unexpected blocking I/O behavior (i.e. the pthread read function doesn't unblock with the signal), and/or some signal sending/receiving problems are occurring.

Has anyone come across this problem when using libpthread with OpenSSL or Apache? Any help appreciated.

Thanks,
- Bob

P.S. I'm going to try switching to the Solaris compiler debugger to see if it provides any additional info

--
Bob Burns
Zaxus
[EMAIL PROTECTED]
1-888-744-4976, X6510
(local) 1-954-846-6510
--
Re: VeriSign keys.
Addressed to: [EMAIL PROTECTED]
              Zohar Friling [EMAIL PROTECTED]

** Reply to note from Zohar Friling [EMAIL PROTECTED] Mon, 15 May 2000 18:22:32 +0300 (GMT+0300)

> Hi,
>
> I have several domain names and for each I have a separate key from
> VeriSign. How could I use them in the same httpd.conf if I want to host
> them on the same server, using virtual server. Which directive should I
> place beneath each virtual host section. Where can I look for example
> conf file? Please advise,
>
> Thanks.
> Zohar.

First thing you must remember about multiple secure virtual hosts, they must have separate IP addresses. The document request that includes the host name being requested is sent encrypted, so you can't read the host name from the request without decrypting the request. If you don't use separate IP addresses there is no way to identify which key to use to decrypt the request.

Here is the minimum configuration I've found to enable a SSL virtual host. There are many other options available, you should read thru the mod_ssl documentation to make sure there are no other options you want to use.

    # You are supposed to list them by IP address so the server
    # can start if DNS is not yet running.
    <VirtualHost 123.145.167.213:443>
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /web/hosts/www.conpaulos.com/secure
    ServerName www.conpaulos.com

    # enable SSL for this virtual host
    SSLEnable
    SSLCertificateFile    /web/hosts/www.conpaulos.com/crypto/www.conpaulos.com.crt
    SSLCertificateKeyFile /web/hosts/www.conpaulos.com/crypto/www.conpaulos.com.key
    SSLVerifyClient none
    </VirtualHost>

Rick Widmer
www.developersdesk.com
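The rule stated in this reply (one IP address per SSL virtual host, listed by IP rather than by host name) can be checked mechanically. The following is an added example, not part of the original message or of mod_ssl: a small Python checker run over a constructed httpd.conf. The function name ssl_vhost_problems, the sample hosts and the 192.0.2.x addresses are assumptions, and SSLEngine on is accepted alongside the SSLEnable form used above.

```python
import re
from collections import defaultdict

# Constructed sample httpd.conf (not from the thread; addresses are documentation IPs).
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:443>
ServerName www.example.com
SSLEnable
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName shop.example.com
SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.11:443>
ServerName mail.example.com
SSLEnable
</VirtualHost>
<VirtualHost secure.example.com:443>
ServerName secure.example.com
SSLEnable
</VirtualHost>
<VirtualHost 192.0.2.10:80>
ServerName www.example.com
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>\s]+)\s*>(.*?)</VirtualHost>", re.S | re.I)
SSL_ON_RE = re.compile(r"^\s*(SSLEnable\b|SSLEngine\s+on\b)", re.M | re.I)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
IP_PORT_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}:\d+$")

def ssl_vhost_problems(conf):
    """Return (shared, not_ip) for the SSL-enabled virtual hosts in conf."""
    by_addr, not_ip = defaultdict(list), []
    for addr, body in VHOST_RE.findall(conf):
        if not SSL_ON_RE.search(body):
            continue  # plain HTTP vhost: the Host header is readable, sharing is fine
        m = NAME_RE.search(body)
        name = m.group(1) if m else "(no ServerName)"
        by_addr[addr].append(name)
        if not IP_PORT_RE.match(addr):
            not_ip.append((addr, name))  # needs DNS at startup
    # More than one SSL vhost on one address:port: the server cannot tell
    # which certificate to present before the request is decrypted.
    shared = {a: n for a, n in by_addr.items() if len(n) > 1}
    return shared, not_ip

if __name__ == "__main__":
    print(ssl_vhost_problems(SAMPLE_CONF))
```

SSL virtual hosts on the same IP but different ports are keyed separately and are not reported, which matches the nonstandard-port workaround mentioned elsewhere in the thread.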
What do I need after the installation
Hi,

I would like to know what do I need after the installation, and if I have several virtual domain hosts in my server, how many certificates do I have to get.

Thank you
Mark
Re: What do I need after the installation
On Tue, May 16, 2000 at 02:50:04PM +0800, Mark Lo wrote:
> Hi,
>
> I would like to know what do I need after the installation, and if I
> have several virtual domain hosts in my server, how many certificates
> do I have to get.

You need one certificate for each virtual host [1], but note that you also need one IP for each vhost - see http://www.modssl.org/docs/2.6/ssl_faq.html#vhosts

[1] You could beat this by using nonstandard ports.

vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Problems with mod_php
Hello,

I cannot get php3 to run with apache. I am using RH6.2, and apache-mod_ssl-1.3.12.2.6.4-0.6.0.i386.rpm. Here is the error that I am receiving when starting apache:

    Shutting down http:                                        [FAILED]
    Starting httpd: Syntax error on line 244 of /etc/httpd/conf/httpd.conf:
    Cannot load /usr/lib/apache/libphp3.so into server: /usr/lib/apache/libphp3.so: undefined symbol: gss_mech_krb5

Here is the edit to the SPEC file:

    %build
    CFLAGS="$RPM_OPT_FLAGS" LDFLAGS=-s \
    ./configure \
        --with-apxs=/usr/sbin/apxs \
        --prefix=/usr \
        --with-config-file-path=/etc/httpd/conf \
        --with-apache=/usr/src/redhat/BUILD/apache-mod_ssl_1.3.12.2.6.4 \
        --with-gdbm \
        --with-system-regex \
        --with-gd \
        --with-zlib \
        --with-mysql \
        --with-imap \
        --with-postgres \
        --with-xml \
        --with-imap \
        --with-ldap \
        --with-memory-limit \
        --enable-url-includes
    make

What do I need to do to get libphp3.so to work properly?

Thank you,
Orlando
RE: Mod_SSL Running...
My listen directives are as follows:

    Port 80
    <IfDefine SSL>
    Listen 80
    Listen 443
    </IfDefine>

Also, as per your other email, I connected to :443 using OpenSSL, this seemed to work, however, I still got a "Method Not Implemented" error. Other than that, it seems to be reading the SnakeOil certs and server certs and keys.

Tim Willis
IS Technician
Code Rite
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mads Toftum
Sent: Monday, May 15, 2000 15:02
To: [EMAIL PROTECTED]
Subject: Re: Mod_SSL Running...

On Mon, May 15, 2000 at 11:53:27AM -0500, Tim Willis wrote:
> ..but where? I'm able to start apache with mod_ssl, and the ssl_engine
> log verifies that it has started, but when I go to
> https://localhost:443, it's not there. Interestingly enough however, if
> I go to http://localhost:443, I get the content from port 8080. I know
> that it's listening to both ports, but why doesn't https work?

What do your Listen directives say? And what about the VirtualHost host directive - the latest versions of apache+mod_ssl will start on ports 8080 and 8433 if it is installed by a non root user. Note that both the http and https ports point to the same document root by default.

vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Mod_SSL Running...
On Tue, May 16, 2000 at 10:10:39AM -0500, Tim Willis wrote:
> My listen directives are as follows:
>
>     Port 80
>     <IfDefine SSL>
>     Listen 80
>     Listen 443
>     </IfDefine>

Those look all right.

> Also, as per your other email, I connected to :443 using OpenSSL, this
> seemed to work, however, I still got a "Method Not Implemented" error.
> Other than that, it seems to be reading the SnakeOil certs and server
> certs and keys.

You will get that unless you type a valid http request - which could be:

    GET / HTTP/1.0

Then you should get the page after sending the second newline. That you get Method not implemented is quite all right - the ssl session has been established correctly.

vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Problems with mod_php
On Tue, May 16, 2000 at 06:58:10AM -0700, Orlando wrote:
> Hello,
>
> I cannot get php3 to run with apache. I am using RH6.2, and
> apache-mod_ssl-1.3.12.2.6.4-0.6.0.i386.rpm. Here is the error that I am
> receiving when starting apache:
>
>     Shutting down http:                                        [FAILED]
>     Starting httpd: Syntax error on line 244 of /etc/httpd/conf/httpd.conf:
>     Cannot load /usr/lib/apache/libphp3.so into server: /usr/lib/apache/libphp3.so: undefined symbol: gss_mech_krb5

That has nothing to do with mod_ssl - it is php3. One of the modules in php must be trying to use gss_mech_krb5 - which is not related to either mod_ssl, apache or openssl. Looking through my RH6.2 installation that specific symbol seems to be from krb5-1.1.1-9.

Exactly which of the modules in your php config that is causing the problem, is a good question - which you'll probably have a much better chance of getting an answer to on a php list. But my guess would be either mysql, imap, postgres or ldap.

vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall