Re: Urgent: remove password from server cert?

2000-06-01 Thread Victor STANESCU

First question:

Is there any logical reason to reboot every week? If you are speaking of a
real, production-environment server, it is stupid to do such a thing.. It
should have months or years of uptime..
The only excuse for a reboot can be:
- hardware upgrade / failure
- operating system upgrade / patching (depending on what you are using)
- the use of windows where it does not belong (on a real-world server)

Which is your case?

Paul wrote:

> In a sudden (and late) moment of epiphany, I just realized (while
> writing a note to our CSA to please put the new server's startup in the
> machines boot cycle) that when we reboot (*every* monday morning in the
> wee hours) it's not terribly likely that anyone's going to be around to
> feed the password to the startup query.
>
> This really needs to be automated.
> Help? =o)
>
> Paul
> =
> Friends are those who,
> when you must inconvenience them,
> are less bothered by it than you. ;o]
>
> __
> Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
> User Support Mailing List  [EMAIL PROTECTED]
> Automated List Manager[EMAIL PROTECTED]




Re: Bad Protocol Version Number ???

2000-06-01 Thread Jody Fraser

Past experience with Covalent Raven SSL, which hopefully provides some
useful insight. The SSL engine started happily with the PEM passphrase, as
does yours. However, I encountered this error message when the certificate
installed did not match up with the private key. 

I had initially self-signed to test the installation, but encountered the same
error message, "unable to configure server private key for connection
(OpenSSL library error follows)" when I re-generated a CSR, submitted it to
Verisign, and subsequently installed the signed certificate.

In fact, I should have submitted the original certificate, had Verisign
sign that, and re-installed the certificate. When I did this, the problem was
eliminated.


At 01:11 PM 5/31/00 -0800, you wrote:
>Greetz from Alaska,
>
>   Every time I start httpsd I'm asked for the Pass Phrase, given the ok
>and the daemon is started.
>All the SSL domains work except one.  Even though I am asked for the
>Pass Phrase and it replies with OK but I can't connect.  Below is the
>error I get in the ssl_engine_log file when I try to connect to the
>site.
>
>When I change their CRT and KEY file to the main server's
>(server.crt/key) the site works great.
>
>Any ideas?
>
>Thanks
>
>Dan
>Please reply to [EMAIL PROTECTED]
>
>[31/May/2000 12:11:56] [error] Unable to configure server private key
>for connection (OpenSSL library error follows)
>[31/May/2000 12:11:56] [error] OpenSSL: error:14080074:SSL
>routines:SSL3_ACCEPT:bad protocol version number
>[31/May/2000 12:11:56] [error] Unable to configure server private key
>for connection (OpenSSL library error follows)
>[31/May/2000 12:11:56] [error] OpenSSL: error:14080074:SSL
>routines:SSL3_ACCEPT:bad protocol version number
>
=
Jody Fraser, CISA, CISSP - Lucent NPS
Pager  (800) 467-1467   Mobile (916) 769-5751
email: [EMAIL PROTECTED]  [EMAIL PROTECTED]
=
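
Added example (not part of the original posts): the certificate/private-key mismatch described in this reply can be detected before a restart by comparing public keys with the openssl command line. The function names and the paths in the usage comment are placeholders chosen for this example; the CSR comparison goes one step beyond the case in the thread.

```shell
#!/bin/sh
# Compare the public key carried by a certificate, a CSR or a private key.
# The thread reports "Unable to configure server private key" when the
# installed certificate did not match the private key; this check finds
# that condition without starting the server.

# pubkey_of KIND FILE
# Prints the public key (PEM SubjectPublicKeyInfo) found in FILE.
# KIND is one of: cert, csr, key. An encrypted key makes openssl prompt
# for its pass phrase.
pubkey_of() {
    case $1 in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac
}

# same_key KIND1 FILE1 KIND2 FILE2
# Returns 0 when both files hold the same public key, 1 when they differ,
# 2 when either file cannot be parsed.
same_key() {
    a=$(pubkey_of "$1" "$2") || return 2
    b=$(pubkey_of "$3" "$4") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage with placeholder paths:
#   same_key cert conf/ssl.crt/site.crt key conf/ssl.key/site.key \
#       || echo "certificate and key do not match" >&2
#   same_key csr site.csr key conf/ssl.key/site.key
```

Running the CSR comparison before submitting a request to the CA shows whether the returned certificate will fit the key that is already installed.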



www.modssl.org site down

2000-06-01 Thread Gil Vidals

Hi,

I have tried to access modssl.org from California, USA for the past
several days and the site is down. Also, the engelschall.com site is
down.

When will www.modssl.org be up. Why is it down? Do we need to set up
mirror sites to avoid interruption in the future...


in His grip,
Gil Vidals / CEO
http://www.truepath.com
your Christ-centered web host



Re: www.modssl.org site down

2000-06-01 Thread tom minchin

On Wed, May 31, 2000 at 11:41:20AM -0700, Gil Vidals wrote:
> Hi,
> 
> I have tried to access modssl.org from California, USA for the past
> several days and the site is down. Also, the engelschall.com site is
> down.
> 
> When will www.modssl.org be up. Why is it down? Do we need to set up
> mirror sites to avoid interruption in the future...
> 

Seems ok from here (Australia).

[EMAIL PROTECTED]



Re: Urgent: remove password from server cert?

2000-06-01 Thread Paul

> Forsake rebooting, use Unix! (-:

LOL!! I'm with you, bud.
But it *is* UNIX, just 10.2 (only recently upgraded to that!) on an old
T-500 machine.  We just try to keep it clean. =o)




[BugDB] SSLCertificateFile error (PR#391)

2000-06-01 Thread modssl-bugdb

Full_Name: Kees Vonk
Version: 2.4.8
OS: HP-UX 10.20
Submission from: (NULL) (62.188.15.202)


I have an SSL enabled server that has been running for months
without any problem. Now I need to add a virtual host to the
httpd.conf file, so I have done this on our development
machine and on our test machine and both work fine, but when
I copy the httpd.conf from either of those machines to my
production machine I get the following error:

Syntax error on line 332 of 
/opt/ward/apache/conf/httpd.conf.new:
SSLCertificateFile: only up to 2 different certificates per 
virtual host allowed

(I only try to use one!!!)


However the SSL stuff is _exactly_ the same in the old and 
the new httpd.conf. When, in the new conf, I take one virtual 
host out and put the directives of the second virtual host in 
the main conf section, apache fails without error message in 
the error_log and ssl_error_log or on STDOUT, there is no 
core file or nothing. When I take the -DSSL flag away 
everything works.

The old httpd.conf still works (even with SSL).


My test machines run mod_ssl 2.3.5-1.3.6 (openssl 0.9.3a) and
my production machine runs mod_ssl 2.4.8-1.3.9 (openssl 0.9.4).


I really don't know where to start with this one, can anyone 
give me any hints? I have tried replacing _default_ with the
ip address, but that doesn't make any difference. (I have even
checked my file for control characters, but there are none.)


Kees

PS. my virtual host section looks like this:


delete $INC{'Apache/PerlVINC.pm'};
require Apache::PerlVINC;



   DocumentRoot /opt/ward/DocumentRoot

   SetEnv IDVENV Production

   Alias /idv/ "/opt/ward/IDV/PROD/Scripts/"

   
  DefaultType text/html

  SetHandler perl-script
  PerlHandler Apache::Registry

  PerlVersionINC On
  PerlINC /opt/ward/IDV/PROD/Modules
  PerlFixupHandler Apache::PerlVINC
  PerlRequire Ward/IDV/IDVDatabase.pm
   

   Alias "/images/idv/" "/opt/ward/IDV/PROD/Images/"
   
   ##
   ## This can also go in a  section
   ##
   
   
  SSLEngine on
  
#line 332:
  SSLCertificateFile    /opt/ward/apache/conf/ssl.crt/kees.crt
  SSLCertificateKeyFile /opt/ward/apache/conf/ssl.key/server.key
   
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
   





[BugDB] www.modssl.org/support give empty page (PR#392)

2000-06-01 Thread modssl-bugdb

Full_Name: Kees Vonk
Version: 
OS: 
Submission from: (NULL) (62.188.15.202)


Clicking on the 'Support' tab in www.modssl.org displays an empty page, there is
some html source, but no display. Looks like there might be a table tag missing
or something like that.

I am using Netscape 4.05 on Windows NT (not my platform of choice).


Kees




Re: www.modssl.org site down

2000-06-01 Thread James Ford

On Wed, 31 May 2000, Gil Vidals wrote:

>I have tried to access modssl.org from California, USA for the past
>several days and the site is down. Also, the engelschall.com site is
>down.

I can successfully get to it from my neck of the woods.

Tracing the route to world.modssl.org (129.132.7.171)

(snip)
  3 Serial5-1-1.GW3.ATL1.ALTER.NET (157.130.25.185) 12 msec 12 msec 8 msec
  4 106.ATM1-0.XR1.ATL1.ALTER.NET (146.188.232.114) 12 msec 8 msec 12 msec
  5 195.at-1-1-0.TR1.ATL5.ALTER.NET (152.63.81.22) 16 msec 12 msec 12 msec
  6 129.at-6-0-0.TR1.NYC9.ALTER.NET (152.63.0.114) 28 msec 28 msec 32 msec
  7 187.ATM6-0.XR1.NYC4.ALTER.NET (152.63.21.121) 32 msec 28 msec 28 msec
  8 189.ATM7-0.GW2.NYC6.ALTER.NET (152.63.22.1) 28 msec 32 msec 32 msec
  9 switchng-gw.GW2.NYC6.ALTER.NET (157.130.29.210) 32 msec 36 msec 32 msec
 10 swiEG1-A5-0-0-1.switch.ch (130.59.33.1) 144 msec 148 msec 148 msec
 11 swiEZ1-F1-0-0.switch.ch (130.59.20.206) 144 msec 144 msec 160 msec
 12 ezci1-eth-switch-fast.ethz.ch (192.33.92.65) 148 msec 144 msec 144 msec
 13 rou-etz-1-mega-transit.ethz.ch (129.132.99.79) 148 msec 144 msec 160 msec
 14 opensource-01.ee.ethz.ch (129.132.7.153) 144 msec *  144 msec




Re: www.modssl.org site down

2000-06-01 Thread Jeffrey Burgoyne


Actually, the machine has seemed to be up, but the web server has not been
up. I've had problems over the last several days as well.

Jeff

[EMAIL PROTECTED]

On Thu, 1 Jun 2000, James Ford wrote:

> On Wed, 31 May 2000, Gil Vidals wrote:
> 
> >I have tried to access modssl.org from California, USA for the past
> >several days and the site is down. Also, the engelschall.com site is
> >down.
> 
> I can successfully get to it from my neck of the woods.
> 
> Tracing the route to world.modssl.org (129.132.7.171)
> 
> (snip)
>   3 Serial5-1-1.GW3.ATL1.ALTER.NET (157.130.25.185) 12 msec 12 msec 8 msec
>   4 106.ATM1-0.XR1.ATL1.ALTER.NET (146.188.232.114) 12 msec 8 msec 12 msec
>   5 195.at-1-1-0.TR1.ATL5.ALTER.NET (152.63.81.22) 16 msec 12 msec 12 msec
>   6 129.at-6-0-0.TR1.NYC9.ALTER.NET (152.63.0.114) 28 msec 28 msec 32 msec
>   7 187.ATM6-0.XR1.NYC4.ALTER.NET (152.63.21.121) 32 msec 28 msec 28 msec
>   8 189.ATM7-0.GW2.NYC6.ALTER.NET (152.63.22.1) 28 msec 32 msec 32 msec
>   9 switchng-gw.GW2.NYC6.ALTER.NET (157.130.29.210) 32 msec 36 msec 32 msec
>  10 swiEG1-A5-0-0-1.switch.ch (130.59.33.1) 144 msec 148 msec 148 msec
>  11 swiEZ1-F1-0-0.switch.ch (130.59.20.206) 144 msec 144 msec 160 msec
>  12 ezci1-eth-switch-fast.ethz.ch (192.33.92.65) 148 msec 144 msec 144 msec
>  13 rou-etz-1-mega-transit.ethz.ch (129.132.99.79) 148 msec 144 msec 160 msec
>  14 opensource-01.ee.ethz.ch (129.132.7.153) 144 msec *  144 msec
> 



Re: Urgent: remove password from server cert?

2000-06-01 Thread James Treworgy

Add:

SSLPassPhraseDialog exec:(path to SSLpassphrasefile)

to httpd.conf

SSLpassphrasefile is:

#!/bin/sh
echo (passphrase)

Of course, this is a security risk, since you've got your pass phrase 
stored on the server itself in clear text. The consequences of that should 
be considered.  You could improve this a little by having your 
SSLPassphrasefile keep the passphrase in some encrypted form, and pass it 
the decryption key from httpd.conf, which would at least require a hacker
to gain access to both files to get the pass phrase. But I can't think of a
really secure way to accomplish this.

Jamie

At 05:06 PM 5/31/00 -0700, Paul wrote:
>In a sudden (and late) moment of epiphany, I just realized (while
>writing a note to our CSA to please put the new server's startup in the
>machines boot cycle) that when we reboot (*every* monday morning in the
>wee hours) it's not terribly likely that anyone's going to be around to
>feed the password to the startup query.
>
>This really needs to be automated.
>Help? =o)
>
>Paul
>=




RE: www.modssl.org site down

2000-06-01 Thread Christopher Barnes


OK from Vegas as well. (US)


CB
TWCIS


-Original Message-
From: tom minchin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 01, 2000 5:04 AM
To: [EMAIL PROTECTED]
Subject: Re: www.modssl.org site down


On Wed, May 31, 2000 at 11:41:20AM -0700, Gil Vidals wrote:
> Hi,
> 
> I have tried to access modssl.org from California, USA for the past
> several days and the site is down. Also, the engelschall.com site is
> down.
> 
> When will www.modssl.org be up. Why is it down? Do we need to set up
> mirror sites to avoid interruption in the future...
> 

Seems ok from here (Australia).

[EMAIL PROTECTED]



RE: www.modssl.org site down

2000-06-01 Thread Rolle, Ted

OK here in Oregon...

-Original Message-
From: tom minchin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 01, 2000 9:02 AM
To: [EMAIL PROTECTED]
Subject: Re: www.modssl.org site down


On Wed, May 31, 2000 at 11:41:20AM -0700, Gil Vidals wrote:
> Hi,
> 
> I have tried to access modssl.org from California, USA for the past
> several days and the site is down. Also, the engelschall.com site is
> down.
> 
> When will www.modssl.org be up. Why is it down? Do we need to set up
> mirror sites to avoid interruption in the future...
> 

Seems ok from here (Australia).

[EMAIL PROTECTED]


Re: [BugDB] www.modssl.org/support give empty page (PR#392)

2000-06-01 Thread Mads Toftum

On Thu, Jun 01, 2000 at 03:45:29PM +0200, [EMAIL PROTECTED] wrote:
> 
> Clicking on the 'Support' tab in www.modssl.org displays an empty page, there is
> some html source, but no display. Looks like there might be a table tag missing
> or something like that.
> 
> I am using Netscape 4.05 on Windows NT (not my platform of choice).
> 
H - no trouble here with Nutscrape 4.7 or M$IE.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: www.modssl.org site down

2000-06-01 Thread Randy Lee

it wasn't yesterday from Dallas, WI... but is OK today..

rjl

"Rolle, Ted" wrote:
> 
> OK here in Oregon...
> 
> -Original Message-
> From: tom minchin [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 01, 2000 9:02 AM
> To: [EMAIL PROTECTED]
> Subject: Re: www.modssl.org site down
> 
> On Wed, May 31, 2000 at 11:41:20AM -0700, Gil Vidals wrote:
> > Hi,
> >
> > I have tried to access modssl.org from California, USA for the past
> > several days and the site is down. Also, the engelschall.com site is
> > down.
> >
> > When will www.modssl.org be up. Why is it down? Do we need to set up
> > mirror sites to avoid interruption in the future...
> >
> 
> Seems ok from here (Australia).
> 
> [EMAIL PROTECTED]


RSA or DSA

2000-06-01 Thread Mark Lo

Hi,

  I would like to know the difference between RSA and DSA Encryption
Engine.

Thank you,

Mark




Verisign SGC & Netscape International releases

2000-06-01 Thread Francesco D'Inzeo

Hi everyone.
I successfully installed Apache+mod_ssl+php3 on a Win NT box
and installed a Verisign Global Server ID Certificate (SGC).
Everything works fine, except when dealing with Netscape
international release (yes even the last 4.72) which stops
saying that there is a network error.

Looking at the engine.log I found the following lines:

[01/Jun/2000 16:49:36 00088] [info]  Server: OpenSA/0.20 Apache/1.3.12, Interface: mod_ssl/2.6.2, Library: OpenSSL/0.9.5
[01/Jun/2000 16:49:36 00088] [warn]  You are using mod_ssl under Win32. This combination is *NOT* officially supported. Use it at your own risk!
[01/Jun/2000 16:49:36 00088] [info]  Init: 1st startup round (still not detached)
[01/Jun/2000 16:49:36 00088] [info]  Init: Initializing OpenSSL library
[01/Jun/2000 16:49:36 00088] [info]  Init: Loading certificate & private key of SSL-aware server www.mydomain.com:443
[01/Jun/2000 16:49:36 00088] [info]  Init: Seeding PRNG with 136 bytes of entropy
[01/Jun/2000 16:49:36 00088] [info]  Init: Generating temporary RSA private keys (512/1024 bits)
[01/Jun/2000 16:49:37 00088] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[01/Jun/2000 16:49:37 00088] [info]  Init: Seeding PRNG with 136 bytes of entropy
[01/Jun/2000 16:49:37 00088] [info]  Init: Configuring temporary RSA private keys (512/1024 bits)
[01/Jun/2000 16:49:37 00088] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[01/Jun/2000 16:49:37 00088] [info]  Init: Initializing (virtual) servers for SSL
[01/Jun/2000 16:49:37 00088] [info]  Init: Configuring server www.mydomain.com:443 for SSL protocol
[01/Jun/2000 16:49:37 00088] [info]  Init: (www.mydomain.com:443) RSA server certificate enables Server Gated Cryptography (SGC)
[01/Jun/2000 16:49:37 00088] [info]  Init: 2nd startup round (already detached)
[01/Jun/2000 16:49:37 00088] [info]  Init: Reinitializing OpenSSL library
[01/Jun/2000 16:49:37 00088] [info]  Init: Seeding PRNG with 136 bytes of entropy
[01/Jun/2000 16:49:37 00088] [info]  Init: Configuring temporary RSA private keys (512/1024 bits)
[01/Jun/2000 16:49:37 00088] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[01/Jun/2000 16:49:37 00088] [info]  Init: Initializing (virtual) servers for SSL
[01/Jun/2000 16:49:37 00088] [info]  Init: Configuring server www.mydomain.com:443 for SSL protocol
[01/Jun/2000 16:49:38 00088] [info]  Init: (www.mydomain.com:443) RSA server certificate enables Server Gated Cryptography (SGC)
[01/Jun/2000 16:49:38 00165] [info]  Server: OpenSA/0.20 Apache/1.3.12, Interface: mod_ssl/2.6.2, Library: OpenSSL/0.9.5
[01/Jun/2000 16:49:38 00165] [warn]  You are using mod_ssl under Win32. This combination is *NOT* officially supported. Use it at your own risk!
[01/Jun/2000 16:49:38 00165] [info]  Init: 1st startup round (still not detached)
[01/Jun/2000 16:49:38 00165] [info]  Init: Initializing OpenSSL library
[01/Jun/2000 16:49:38 00165] [info]  Init: Loading certificate & private key of SSL-aware server www.mydomain.com:443
[01/Jun/2000 16:49:38 00165] [info]  Init: Seeding PRNG with 136 bytes of entropy
[01/Jun/2000 16:49:38 00165] [info]  Init: Generating temporary RSA private keys (512/1024 bits)
[01/Jun/2000 16:49:39 00165] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[01/Jun/2000 16:49:39 00165] [info]  Init: Seeding PRNG with 136 bytes of entropy
[01/Jun/2000 16:49:39 00165] [info]  Init: Configuring temporary RSA private keys (512/1024 bits)
[01/Jun/2000 16:49:39 00165] [info]  Init: Configuring temporary DH parameters (512/1024 bits)
[01/Jun/2000 16:49:39 00165] [info]  Init: Initializing (virtual) servers for SSL
[01/Jun/2000 16:49:39 00165] [info]  Init: Configuring server www.mydomain.com:443 for SSL protocol
[01/Jun/2000 16:49:40 00165] [info]  Init: (www.mydomain.com:443) RSA server certificate enables Server Gated Cryptography (SGC)
[01/Jun/2000 16:49:54 00165] [info]  Connection to child 0 established (server www.mydomain.com:443, client 192.168.1.91)
[01/Jun/2000 16:49:54 00165] [info]  Seeding PRNG with 1160 bytes of entropy
[01/Jun/2000 16:49:55 00165] [info]  Connection: Client IP: 192.168.1.91, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (0/0 bits)
[01/Jun/2000 16:49:55 00165] [info]  Connection to child 0 closed with standard shutdown (server www.mydomain.com:443, client 192.168.1.91)

The problem I think is in the line:
[01/Jun/2000 16:49:55 00165] [info]  Connection: Client IP: 192.168.1.91, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (0/0 bits)
which with 128 bit Netscape/MS IE browsers looks something like:
[01/Jun/2000 16:54:42 00207] [info]  Connection: Client IP: 192.168.1.85, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
and in this last case everything works fine.

I know that I have to deal with something in Apache's httpd.conf but I can't
figure out what to do.

My SSLCipherSuite directive looks like the following :
SSLCipherSuite ALL:!ADH:RC4+RSA:+SHA1:+HIGH:+MEDIUM:+L

Insecure information

2000-06-01 Thread Mark Lo

Hi,

  I have installed my secure web server and got the test certificate
from Verisign.  I was trying some of my web pages using
https://mydomain/test.html.  Then a window popped up and indicated that
some of the information is not secured, so it will not be shown on the
web page.  All of the insecure information is pictures in
jpeg or gif format.  I wonder what is wrong with those pictures, and
how to overcome this problem.

Thanks

Mark




Re: www.modssl.org site down

2000-06-01 Thread Balazs Nagy

OK in Denver, CO

"Rolle, Ted" wrote:

> OK here in Oregon...
>
> -Original Message-
> From: tom minchin [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 01, 2000 9:02 AM
> To: [EMAIL PROTECTED]
> Subject: Re: www.modssl.org site down
>
> On Wed, May 31, 2000 at 11:41:20AM -0700, Gil Vidals wrote:
> > Hi,
> >
> > I have tried to access modssl.org from California, USA for the past
> > several days and the site is down. Also, the engelschall.com site is
> > down.
> >
> > When will www.modssl.org be up. Why is it down? Do we need to set up
> > mirror sites to avoid interruption in the future...
> >
>
> Seems ok from here (Australia).
>
> [EMAIL PROTECTED]



Re: www.modssl.org site down

2000-06-01 Thread Carlos Ramirez


It's working from here, Huntington Beach, California
-Carlos
Christopher Barnes wrote:
OK from Vegas as well. (US)
CB
TWCIS
-Original Message-
From: tom minchin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 01, 2000 5:04 AM
To: [EMAIL PROTECTED]
Subject: Re: www.modssl.org site down
On Wed, May 31, 2000 at 11:41:20AM -0700, Gil Vidals wrote:
> Hi,
>
> I have tried to access modssl.org from California, USA for the past
> several days and the site is down. Also, the engelschall.com site is
> down.
>
> When will www.modssl.org be up. Why is it down? Do we need to set up
> mirror sites to avoid interruption in the future...
>
Seems ok from here (Australia).
[EMAIL PROTECTED]

-- 
---
 Carlos Ramirez  +  Boeing  +  Reusable Space Systems  +  714.372.4181
---
 


Re: www.modssl.org site down

2000-06-01 Thread vitaly_m

On Thursday, 1 May 2000, Mark Lo wrote:

>Hi,

>  I would like to know the difference between RSA and DSA Encryption
>Engine.
>
>Thank you,
>
>Mark
>

I hope you'll find an answer at
http://www.privacy.nb.ca/cryptography/archives/coderpunks
Good luck!
Vitali.





Re: Insecure information

2000-06-01 Thread Cliff Woolley



 
You cannot mix HTTP and HTTPS in one page, regardless of the content type, 
if you want to avoid that message.  The bottom line is that you'll 
need to deliver ALL elements of the page *including images* via HTTPS.
 
Hope this helps.
 
--Cliff
 
 
 
Cliff Woolley
Central Systems Software Administrator
Washington and Lee University
http://www.wlu.edu/~jwoolley/

Work: (540) 463-8089
Pager: (540) 462-2303

>>> [EMAIL PROTECTED] 06/01/00 02:56PM >>>
  I have installed my secure web server and get the test certificate
from verisign.  I was trying some of my web pages that using
https://mydomain/test.html.  Then, a window pop-up and indicate that
some of the information is not secured, so it will not be show on the
web page.  All of the insecured informations are picture which is using
jpeg or gif format.  I wonder what is wrong with those pictures.  And
How to overcome this problem.


Re: Urgent: remove password from server cert?

2000-06-01 Thread Jacob Cohen

>SSLpassphrasefile is:
>
>#!/bin/sh
>echo (passphrase)

Write a program in C.
First thing to check is to make sure that stdout is not a tty.
There are various things you can do to make it harder and harder for a 
hacker to steal your key. But if the hacker has root on your machine, 
there's really nothing you can do, they could set up a grabber to steal the 
encryption passphrase, so nothing is really secure.
Don't store the passphrase in plain text in the C program, write a function 
similar to memfrob() that XORs each character in the string with a number 
you pick, then store the encrypted version in the C source.
The key thing to check is what UID the program is running as.. if you're 
root, go ahead and put the passphrase on stdout, otherwise return a bogus 
value, or nothing, or send an email, or whatever.

J
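
Added example (not part of the original posts): a variant of the SSLpassphrasefile script discussed in this thread that keeps the pass phrase out of the script itself and applies the checks suggested above (stdout is not a terminal, and only the owner of the secret file, root at server start, can read it). The directory layout, the function names and the PASS_DIR variable are assumptions made for this example; mod_ssl's exec: dialog passes the program "servername:port" and "RSA" or "DSA" as its two arguments.

```shell
#!/bin/sh
# Pass phrase helper for:  SSLPassPhraseDialog exec:/path/to/this/script
# Assumed layout (hypothetical): one file per key, named
#   $PASS_DIR/<servername:port>.<RSA|DSA>
# owned by the invoking user with mode 0400 or 0600, first line = pass phrase.

PASS_DIR=${PASS_DIR:-/etc/httpd/ssl.pass}   # hypothetical directory

# secret_file_ok FILE
# True only for a regular, non-symlink file that the caller owns and that
# grants no permission bits to group or other.
secret_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    case $(ls -ld -- "$1") in
        -r??------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# emit_passphrase DIR SERVER ALG
# Prints the pass phrase for SERVER/ALG on stdout, or prints nothing and
# returns non-zero (2 = terminal, 3 = bad argument, 4 = bad secret file).
emit_passphrase() {
    dir=$1 server=$2 alg=$3

    # Never write the secret to an interactive terminal.
    if [ -t 1 ]; then return 2; fi

    # Accept only the argument shapes the dialog is called with, so the
    # arguments cannot name a file outside DIR.
    case $alg in
        RSA|DSA) ;;
        *) return 3 ;;
    esac
    case $server in
        ''|*[!A-Za-z0-9._:-]*) return 3 ;;
    esac

    f=$dir/$server.$alg
    secret_file_ok "$f" || return 4

    # Only the first line is the pass phrase.
    IFS= read -r phrase < "$f" || [ -n "$phrase" ] || return 4
    printf '%s\n' "$phrase"
}

# httpd invokes the helper with exactly two arguments; with any other
# argument count (for example when the file is sourced) nothing runs.
if [ "$#" -eq 2 ]; then
    emit_passphrase "$PASS_DIR" "$1" "$2" || exit 1
fi
```

As noted in the thread, anyone with root on the machine can still read the secret; the checks only stop other local accounts and accidental disclosure.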




SSL and reverse proxy weirdness : >

2000-06-01 Thread AGT


I would like to do something with mod_ssl and Apache 1.3.12
that seems simple yet is not doing what I require.

https://www.foobar.com or http://www.foobar.com should
reverse proxy for http://www.safeplace.com. ie: I should
see the pages from www.safeplace.com appear on foobar.com's
http server either as a client SSL connection or plain connection.

I have read all examples on engelschalls pages and have
tried maybe 100 variations of rules today and usually get /tmp
contents of foobar and nothing in the logs.
As there is nothing in the logs I cannot tell what is wrong
with my rules.
I have also been through a couple of archives today and dejanews
and this precise topic does not show up thus far. Any suggestions
or ideas?

Thanks - Gerry




Re: Urgent: remove password from server cert?

2000-06-01 Thread Paul


--- Victor STANESCU <[EMAIL PROTECTED]> wrote:
> First question:
> 
> Is there any logical reason to reboot every week?
> If you are speaking a real, production-environment server,
> it is stupid to do such a thing.
> It should have months or years of uptime..
> The only excuse for a reboot can be:
> - hardware upgrade / failure
> - operating system upgrade / patching
>   (depending on what are you using)
> - the use of windows where it does not belong
>   (on a real-world server)
> 
> Which is your case?

LOL!!
Case #4: IT says so.
In response to your question,

> Is there any logical reason to reboot every week?

the answer is that I can't think of one, unless it's because we're
running an *old* midrange box with an old OS (10.2 UNIX) and are
asking it to do too much -- they're chain-branching disk arrays because
we've run out of card slots.  Still, the IT dept. is horribly
underbudgeted, and mostly farmed out to contractors who are obeying the
legacy guidelines as laid down by people they (nor I) never met.

So I'm stuck with monday morning reboots until we can get a new box,
and manage it ourselves.

In the meantime, however, the password problem has been satisfactorily
solved (security caveats noted), and thank you all. =o)


Paul
=
...Look upon my works, ye Mighty, and despair!...
"Ozymandias" -- Percy Bysshe Shelley




Re: Insecure information

2000-06-01 Thread Paul

Are the links written  wrote:
> Hi,
> 
>   I have installed my secure web server and get the test
> certificate
> from verisign.  I was trying some of my web pages that using
> https://mydomain/test.html.  Then, a window pop-up and indicate that
> some of the information is not secured, so it will not be show on the
> web page.  All of the insecured informations are picture which is
> using
> jpeg or gif format.  I wonder what is wrong with those pictures.  And
> How to overcome this problem.
> 
> Thanks
> 
> Mark
> 
>


=
"Seize the wildness of the moment, Feel the movement of the moon -- Swans fly with 
wings wide open to the sky." -- B-52's 
-
Real friends are those whom, when you inconvenience them, it bothers you more than 
them. -- me. =o) 
-
"There are trivial truths and there are great Truths. The opposite of a trival truth 
is obviously false. The opposite of a great Truth is also true."  -- Neils Bohr 
-
TEMPVS PECVDEM COLLARE EST - It's time to thin the herd.
-
[http://www.catfishforbreakfast.com/letgod.html]
-





Build problems

2000-06-01 Thread Vinod Mehra

I am trying to install "The All-In-One mod_ssl+APACI". But the Apache build
fails for me. The build without modssl always works. This is what I have got:

- apache_1.3.9.tar.gz
- mod_ssl-2_4_10-1_3_9_tar.gz
- openssl-0_9_5a_tar.gz
- rsaref20_tar.Z
- mm-1_1_2_tar.gz

OS: Solaris 2.5.1

I chose these options to configure mod_ssl:

$ ./configure --with-apache=../apache_1.3.9 --with-ssl=../openssl-0.9.5a \
    --with-rsa=../rsaref-2.0/local --with-mm=../mm-1.1.2 \
    --prefix=/usr/local/apache_1.3.9/apachessl/apache \
    --enable-shared=ssl


The Apache's "make" fails here:

gcc -c -I../../../../mm-1.1.2 -I../../os/unix 
-I../../include   -DSOLARIS2=251 -DMOD_SSL=204110 -DEAPI -DEAPI_MM 
-DUSE_EXPAT -I../../lib/expat-lite `../../apaci` -fPIC -DSHARED_MODULE 
-DSSL_COMPAT -I/usr/local/apache_1.3.9/apachessl/openssl-0.9.5a/include 
-DMOD_SSL_VERSION=\"2.4.10\" ssl_util_ssl.c && mv ssl_util_ssl.o 
ssl_util_ssl.lo
ssl_util_ssl.c:145: conflicting types for `d2i_PrivateKey_bio'
/usr/local/apache_1.3.9/apachessl/openssl-0.9.5a/include/openssl/x509.h:696: 
previous declaration of `d2i_PrivateKey_bio'
make[4]: *** [ssl_util_ssl.lo] Error 1
make[3]: *** [all] Error 1
make[2]: *** [subdirs] Error 1
make[2]: Leaving directory `/usr/local/apache_1.3.9/apachessl/apache_1.3.9/src'
make[1]: *** [build-std] Error 2
make[1]: Leaving directory `/usr/local/apache_1.3.9/apachessl/apache_1.3.9'
make: *** [build] Error 2

Any ideas? Need your help urgently.

Thanks,
--Vinod.




Re: www.modssl.org site down

2000-06-01 Thread vitaly_m

> On Thursday, 1 May 2000, Mark Lo wrote:
>
> Hi,
>
>   I would like to know the difference between RSA and DSA Encryption
> Engine.
>
> Thank you,
>
> Mark
>
Hi, Mark
   I wouldn't like you to waste your time on searching throughout the coderpunks 
folders, just click here
http://www.privacy.nb.ca/cryptography/archives/coderpunks/new/1998-07/0460.html
Sorry not to have given you the complete link before.
The best of luck!
Vitali.





Re: www.modssl.org site down

2000-06-01 Thread Martin Lichtin

> It's working from here, Huntington Beach, California
> > OK from Vegas as well. (US)

There definitely have been major network routing problems in general.
Note that modssl.org and engelschall.com are located in Zurich, Switzerland.



Re: Insecure information

2000-06-01 Thread Mark Lo



Hi,
   What do you mean by mixing up http and https?  All of the images are
called from a file, e.g. src="file:///tmp/pic/images.gir" --> would this be
mixing up http and https?  If yes, how do I overcome this problem?

Thank you so much,
Mark

Cliff Woolley wrote:

> You cannot mix HTTP and HTTPS in one page, regardless of the content
> type, if you want to avoid that message.  The bottom line is that you'll
> need to deliver ALL elements of the page *including images* via HTTPS.
>
> Hope this helps.
>
> --Cliff
>
> Cliff Woolley
> Central Systems Software Administrator
> Washington and Lee University
> http://www.wlu.edu/~jwoolley/
>
> Work: (540) 463-8089
> Pager: (540) 462-2303
>
> >>> [EMAIL PROTECTED] 06/01/00 02:56PM >>>
> I have installed my secure web server and get the test certificate
> from verisign.  I was trying some of my web pages that using
> https://mydomain/test.html.  Then, a window pop-up and indicate that
> some of the information is not secured, so it will not be show on the
> web page.  All of the insecured informations are picture which is using
> jpeg or gif format.  I wonder what is wrong with those pictures.  And
> How to overcome this problem.
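
The rule Cliff Woolley states in this thread (every element of the page, images included, has to arrive via HTTPS) can be checked mechanically before a page goes live. The following is an added example, not code from any poster on the list: it resolves each sub-resource reference against the page URL and reports the ones that end up on a scheme other than https. The tag list, the function names and the sample page are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes a browser fetch a sub-resource (example list, not exhaustive).
FETCH_ATTRS = {
    "img": "src", "script": "src", "frame": "src", "iframe": "src",
    "embed": "src", "input": "src", "object": "data", "body": "background",
    "link": "href",
}


class SubresourceScanner(HTMLParser):
    """Collect sub-resource references that would not be fetched over HTTPS."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # replaced if the page carries <base href>
        self.findings = []     # (line, tag, raw value, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])  # later relative URLs resolve here
            return
        name = FETCH_ATTRS.get(tag)
        raw = attrs.get(name) if name else None
        if not raw:
            return
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return             # only stylesheet links are checked in this example
        resolved = urljoin(self.base, raw.strip())
        # data: URLs are inline, so nothing travels over the network for them.
        if urlsplit(resolved).scheme not in ("https", "data"):
            self.findings.append((self.getpos()[0], tag, raw, resolved))


def find_insecure(page_url, html):
    scanner = SubresourceScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page, modelled on the situation described in the thread.
SAMPLE = """<html><body background="/img/bg.gif">
<img src="pic/logo.gif">
<img src="http://mydomain/pic/photo.jpeg">
<img src="file:///tmp/pic/images.gir">
<img src="//mydomain/pic/banner.gif">
<iframe src="http://mydomain/menu.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, raw, resolved in find_insecure("https://mydomain/test.html", SAMPLE):
        print(f"line {line}: <{tag}> {raw!r} -> {resolved}")
```

Relative and scheme-relative references inherit https from the page and pass; the absolute http:// image, the file:// image and the http:// frame are reported.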
 





Re: SSL handshaking on remote machine

2000-06-01 Thread Winged Wolf

Okay.  You're going to end up getting yourself into something related to
hot water when you do something like this.  I'm assuming that you actually
have a clue about what you're doing, so I'm going to skip the "this is why
the handshake was designed the way it was" speech.

The entire point of the handshake is to have a set of keys for the
connection, as well as the state that's necessary to manage the keys in
the connection.  There is no protocol-level IP-redirect-with-same-state
function, so you're going to have to have some machine in the middle act
as a stateful intelligent router/headermunger based on some condition...
either seeing both the change-cipher messages, or (more likely) seeing a
notice from the accelerated system about what system to redirect the
stream to, on what port.  (Essentially, starting a Network Address
Translation process -after- the connection is already established.)

You're also going to have to munge the information in the keystructure
itself, so that SSL itself doesn't complain that the IP or port that it's
communicating with has changed.

Also, you're going to have to do some kind of kernel patching on the
actual content servers to be able to force a connection into an OPEN state
without having to go through the TCP handshake, since most UNIXes follow
the standards and send an RST to a non-SYN packet to a port that is
listening.

Bottom line: I'd suggest that you get accelerator cards for all your
content servers. It's MUCH less headache, and it will be faster (as well
as more effective, and time-efficient, and energy-efficient) in the long
run than the kind of hack you're suggesting.

---
Mat Butler, Winged Wolf   <[EMAIL PROTECTED]>
SPASTIC Web Engineer  SPASTIC Server Administrator
Begin FurryCode v1.3
FCWw5amrsw A- C+ D H+++ M+[servercoder] P+ R++ T+++ W Z++ Sm++ 
RLCT/M*/LW* a cl/u/v>+ !d e- f> h++ iwf+++ j p->+ sm++
End FurryCode v1.3


On Thu, 1 Jun 2000, Jacob Cohen wrote:

> I'm trying to get SSL handshaking to work on a remote, accelerated machine 
> to take some load off of the web servers when they have a lot of incoming 
> connections.
> Since the accelerator card in the remote machine supports OpenSSL, I figured 
> I would use the OpenSSL routines on that machine to do the handshaking.
> However, in order to do the handshake, the SSL structure has a pointer to a 
> handshake function, and several pointers to other data and structures.. 
> passing these pointers to the remote machine is pretty useless, and short of 
> doing a deep copy of the entire structure (it's pretty deeply nested) I 
> don't really see any way around it.
> 
> As far as I can tell, the best point to have OpenSSL on the web server send 
> data to the remote server is in the SSL_accept() function. Instead of doing 
> the handshaking locally, it will do it remotely.
> 
> Is there a better way to do this? Should I just place the remote call within 
> the handshake function itself, so I don't have to pass the entire SSL 
> structure over to the remote server?
> 
> Thanks.
> J.
> 



SSL handshaking on remote machine

2000-06-01 Thread Jacob Cohen

I'm trying to get SSL handshaking to work on a remote, accelerated machine 
to take some load off of the web servers when they have a lot of incoming 
connections.
Since the accelerator card in the remote machine supports OpenSSL, I figured 
I would use the OpenSSL routines on that machine to do the handshaking.
However, in order to do the handshake, the SSL structure has a pointer to a 
handshake function, and several pointers to other data and structures.. 
passing these pointers to the remote machine is pretty useless, and short of 
doing a deep copy of the entire structure (it's pretty deeply nested) I 
don't really see any way around it.

As far as I can tell, the best point to have OpenSSL on the web server send 
data to the remote server is in the SSL_accept() function. Instead of doing 
the handshaking locally, it will do it remotely.

Is there a better way to do this? Should I just place the remote call within 
the handshake function itself, so I don't have to pass the entire SSL 
structure over to the remote server?

Thanks.
J.




Re: Urgent: remove password from server cert?

2000-06-01 Thread James Lyon

> machines boot cycle) that when we reboot (*every* monday morning in the
> wee hours) it's not terribly likely that anyone's going to be around to
> feed the password to the startup query.

Why reboot every week? My web servers are never rebooted, save for hardware
upgrades...


> This really needs to be automated.

There is a security risk associated with automating it. There are
instructions for removing the password from the cert in the on-line doc's /
FAQs.





www.modssl.org site down

2000-06-01 Thread phaeton

Here in San Diego, it was down Tuesday May 30th... so was openssl.org, and
since they are on the same C block I figured it was a provider problem on
modssl's provider's side.

Anyways, it worked fine the next day...





Re: Insecure information

2000-06-01 Thread Albert Steiner

The problem is references to gifs that are by http

At 02:56 AM 6/2/00 +0800, you wrote:
>Hi,
>
>  I have installed my secure web server and get the test certificate
>from verisign.  I was trying some of my web pages that using
>https://mydomain/test.html.  Then, a window pop-up and indicate that
>some of the information is not secured, so it will not be show on the
>web page.  All of the insecured informations are picture which is using
>jpeg or gif format.  I wonder what is wrong with those pictures.  And
>How to overcome this problem.
>
>Thanks
>
>Mark
>
--
Albert Steiner  Coordinator Distributed Computing
Technology Support Services
N O R T H W E S T E R N   U N I V E R S I T Y
1603 Orrington Suite #1400, Evanston, IL 60201-5064
[EMAIL PROTECTED]  Phone 847-491-4056 FAX 847-467-7732



Re: Insecure information

2000-06-01 Thread Jody Fraser
What about using the mixed-mode approach with HTTP and HTTPS, using frames? 

At 06:06 PM 6/1/00 -0400, you wrote:

> You cannot mix HTTP and HTTPS in one page, regardless of the content
> type, if you want to avoid that message.  The bottom line is that you'll
> need to deliver ALL elements of the page *including images* via HTTPS.
>
> Hope this helps.
>
> --Cliff
>
> Cliff Woolley
> Central Systems Software Administrator
> Washington and Lee University
> http://www.wlu.edu/~jwoolley/
>
> Work: (540) 463-8089
> Pager: (540) 462-2303
>
> >>> [EMAIL PROTECTED] 06/01/00 02:56PM >>>
> I have installed my secure web server and get the test  certificate
> from verisign.  I was trying some of my web pages that using
> https://mydomain/test.html.  Then, a window pop-up and indicate that
> some of the information is not secured, so it will not be show on the
> web page.  All of the insecured informations are picture which is using
> jpeg or gif format.  I wonder what is wrong with those pictures.  And
> How to overcome this problem.

=
Jody Fraser, CISA, CISSP - Lucent NPS
Pager  (800) 467-1467   Mobile (916) 769-5751
email: [EMAIL PROTECTED]  [EMAIL PROTECTED]
=

RE: IE 4.01 [german]

2000-06-01 Thread Philip Deacon

Check this solution out in the mod_ssl mailing_list...

http://marc.theaimsgroup.com/?l=apache-modssl&m=95635597203775&w=2

It just helped me solve the "Spurious" openssl problem.

Phil Deacon
[EMAIL PROTECTED]

-Original Message-
From: Roman Gerteis [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 28, 2000 9:57 AM
To: [EMAIL PROTECTED]
Subject: IE 4.01 [german]


Hay everybody,

I'm having a strange prob with my Apache/openSSL/mod_ssl:
Versions: Apache 1.3.12
OpenSSL: 0.9.5a
ModSSL: 2.6.2 AND 2.6.4 (for Apache 1.3.12)

the following occurs.
Any german Internet Explorer in the Version Numbers 4.01.x up to 5.0 no
matter if it has an 40bit or 128bit Cipher, is showing my Certificate (I'm
my own CA). Looks good. If you accept the Cert the Browser shows: "Seite
kann nicht angezeigt werden." Which means site can't be displayed.
I attached some snips of my system configuration. I created my own CA key,
making a own Server key and the corresponding Certs. I did everything like it is
said in the howto's and tutorials. Whatever I do. These f***ing german
versions of IE (And only this) don't work. It's working with every other
Browser very well btw.

My Testurl is: https://nuwonder.ghb.fh-furtwangen.de

The following is the config in httpd.conf:
--snip

SSLPassPhraseDialog builtin
SSLSessionCacheTimeout  300
SSLRandomSeed startup builtin
SSLLog logs/ssl_engine_log
SSLLogLevel info
SSLProtocol ALL
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL



ServerAdmin [EMAIL PROTECTED]
DocumentRoot /www/htdocs/es
ServerName nuwonder.ghb.fh-furtwangen.de
CustomLog /var/log/apache/es_ssl_log common
ErrorLog /var/log/apache/es_ssl_error_log
SSLEngine on
SSLCertificateFile /etc/apache/ssl.nuwonder/nuwonder.crt
SSLCertificateKeyFile /etc/apache/ssl.nuwonder/nuwonder.key.unsecure
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclear-shutdown

--snip


The following is the ssl_log entry I get.
--snip
[28/May/2000 17:53:01 13180] [info]  Seeding PRNG with 0 bytes of entropy
[28/May/2000 17:53:02 13180] [info]  Connection: Client IP: 141.28.228.194,
Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[28/May/2000 17:53:02 13180] [info]  Connection to child 7 closed with
standard shutdown (server nuwonder.ghb.fh-furtwangen.de:443, client
141.28.228.194)
[28/May/2000 17:53:07 13135] [info]  Connection to child 1 established
(server nuwonder.ghb.fh-furtwangen.de:443, client 141.28.228.194)
[28/May/2000 17:53:07 13135] [info]  Seeding PRNG with 0 bytes of entropy
[28/May/2000 17:53:07 13135] [info]  Spurious SSL handshake interrupt[Hint:
Usually just one of those OpenSSL confusions!?]
--snip


Does anybody know what to do? I'm pretty close at giving up.
Regards
roman

Roman Gerteis - c o m p u t e r  n e t w o r k i n g [FHF]
ICQ:  42160345 | Mail: [EMAIL PROTECTED]
---
$ man woman
No manual entry for woman