Re: Insecure information
Hi,

In fact it should be a problem with the server configuration. If you have all the links in your HTML page as https only, then once the client (browser) first believes the certificate, all content from that server is displayed. If you configure your site (say the directory in which your application is) to require an SSL connection, and you are specifying your images as http://imagefile_name, which is in the same directory, then that particular image file you are trying to retrieve without SSL, which is against the setting you have made. So, change your HTML to use relative URLs to those image files. Or, place those images in a different location which doesn't require an SSL connection.

One more point: if you are changing from https to http in the browser, your browser may give a warning message informing you of the same. This you can see in View - Internet Options - Advanced (one option asking you for that will be there; disable it). Maybe this should resolve your problem.

Regards
-Hari Gopal, Senior Engineer, Internet Commerce Group, CMC Limited

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
x509v3 certs and NT4
Hi,

This may not be the proper mailing list for my request, but the subject is related and maybe somebody will be able to help me. I've generated some "Personal Digital IDs" using openssl. The format chosen is the PKCS12 blob file. I've installed them on Windows 2000 without any problem. When I tried to install the same certs under Windows NT 4 I get an error message. Any idea on which flags need to be set in order to generate certificates compatible with NT 4?

Thank you very much in advance.

Best regards,
Costantino Imbrauglio
Re: Insecure information
In this case, file:// is being treated as equivalent to http:// as far as level of security goes. The only solution will be to move the images to your web server and deliver them via HTTPS alongside the page itself.

Hope this helps.

--Cliff

Cliff Woolley
Central Systems Software Administrator
Washington and Lee University
http://www.wlu.edu/~jwoolley/
Work: (540) 463-8089   Pager: (540) 462-2303

[EMAIL PROTECTED] 06/01/00 10:07PM
What do you mean by mixing up http and https? All of the images are called from a file, e.g. src="file:///tmp/pic/images.gir" -- would this be mixing up http and https? If yes, how do I overcome this problem?
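A check for the problem discussed in this thread, added here as an example and not code from either poster: it walks the sub-resource references of a page served over https, flags every http:// or file:// reference as insecure (the two cases the thread covers), and for a same-host http:// reference works out the relative URL that keeps the image on the SSL connection, as Hari suggests. The page URL and HTML below are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make a browser fetch a sub-resource while it
# renders the page (the references that trigger the mixed-content warning).
RESOURCE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "frame": ("src",),
    "embed": ("src",),
    "object": ("data",),
}


class _ResourceCollector(HTMLParser):
    """Collects (tag, attribute, value) for every sub-resource reference."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag.lower())
        if not wanted:
            return
        for name, value in attrs:
            if name.lower() in wanted and value:
                self.refs.append((tag.lower(), name.lower(), value))


def check_mixed_content(page_url, html):
    """Classify every sub-resource of an https page.

    Returns one dict per reference with the resolved URL, a status of
    "ok" (fetched over https) or "insecure", and a suggested fix:
    - same-host http:// URL -> the relative URL that stays on https
    - file:// URL           -> move the file to the web server
    - other host over http  -> serve it from an https location
    """
    page = urlsplit(page_url)
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, attr, value in collector.refs:
        absolute = urljoin(page_url, value)  # relative refs inherit https
        parts = urlsplit(absolute)
        if parts.scheme == "https":
            status, fix = "ok", None
        elif parts.scheme == "http" and parts.netloc == page.netloc:
            status = "insecure"
            fix = parts.path + ("?" + parts.query if parts.query else "")
        elif parts.scheme == "file":
            status = "insecure"
            fix = "copy the file to the web server and reference it relatively"
        else:
            status, fix = "insecure", "serve the resource from an https URL"
        findings.append({"tag": tag, "attr": attr, "url": absolute,
                         "status": status, "fix": fix})
    return findings


def insecure_resources(page_url, html):
    """Only the references that would break the padlock."""
    return [f for f in check_mixed_content(page_url, html)
            if f["status"] != "ok"]


# Constructed sample: a shop page served over https whose images are
# referenced the ways the thread describes (relative, absolute http://,
# file://), plus one https script and one third-party http:// banner.
SAMPLE_PAGE_URL = "https://www.example.com/shop/index.html"
SAMPLE_HTML = """
<html><body>
<img src="header.gif">
<img src="http://www.example.com/shop/pic/logo.gif">
<img src="file:///tmp/pic/images.gif">
<script src="https://www.example.com/js/cart.js"></script>
<img src="http://other.example.org/banner.gif">
</body></html>
"""

if __name__ == "__main__":
    for f in insecure_resources(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"<{f['tag']} {f['attr']}> {f['url']}: {f['status']} -> {f['fix']}")
```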
Re: x509v3 certs and NT4
Costantino,

I've been playing with personal certs and so I believe you would use something like this:

    openssl pkcs12 -export -keyex -noiter -keysig -in client.crt -inkey client.key -name "Personal Certificate" -out msclient.p12

I believe that the three options (-keyex -noiter -keysig) make it compatible with NT/IE4 as opposed to Netscape. I don't really know the adverse effects of setting these options; I think -noiter makes the pkcs12 blob less secure. Don't take this as a definitive answer as I don't understand all the details yet.

Mikey

"Costantino Imbrauglio" [EMAIL PROTECTED] on 05/06/2000 10:24:18
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: (bcc: Mike Innes/Virgin Direct/GB)
Subject: x509v3 certs and NT4

Hi, this may not be the proper mailing list for my request, but the subject is related and maybe somebody will be able to help me. I've generated some "Personal Digital IDs" using openssl. The format chosen is the PKCS12 blob file. I've installed them on Windows 2000 without any problem. When I tried to install the same certs under Windows NT 4 I get an error message. Any idea on which flags need to be set in order to generate certificates compatible with NT 4? Thank you very much in advance. Best regards, Costantino Imbrauglio

Internet communications are not secure. This message is confidential to the intended addressee. Any copying or distribution of it by anyone without the addressee's consent may be unlawful. If you are not the intended addressee, please inform us immediately and then delete this message. Virgin Direct Personal Financial Service Ltd is regulated by the Personal Investment Authority for life insurance, pension and unit trust business and represents only the Virgin Direct marketing group. Registered office: Discovery House, Whiting Road, Norwich NR4 6EJ, UK. Registered in England No. 3072766. The Virgin One account is a secured personal bank account with The Royal Bank of Scotland plc. It is provided by Virgin Direct Personal Finance Ltd which is a representative only of Virgin Direct Personal Financial Service Ltd. Registered office: Waterhouse Square, 138-142 Holborn, London EC1N 2TH, UK. Registered in England no 3414708. The Virgin Deposit Account is a personal deposit account with The Royal Bank of Scotland plc administered by Virgin Direct Personal Financial Service Ltd. All telephone calls are recorded and may be monitored.
mod_ssl-2.6.4 and msie5
I installed mod_ssl-2.6.4 with apache-1.3.12. Everything goes fine with Netscape and IE4, but IE5 cannot see the secure site. In ssl_request_log I get lots of lines like this:

    [05/Jun/2000:06:09:14 +0300] paris.rds.ro SSLv3 EXP1024-RC4-SHA "GET /auth/status.php HTTP/1.0" 89

However, all I get in MSIE5 is that annoying error page. What can I do to correct this?

--
Florin Andrei
mailto:[EMAIL PROTECTED]
http://members.linuxstart.com/~florin/
tel: +40-93-261162
PGP public key: http://members.linuxstart.com/~florin/public_key
Verisign SGC Netscape International releases
Hi everyone.

I successfully installed Apache+mod_ssl+php3 on a Win NT box and installed a Verisign Global Server ID Certificate (SGC). Everything works fine, except when dealing with the Netscape international release (yes, even the latest 4.72), which stops saying that there is a network error. Looking at the engine.log I found the following lines:

    [01/Jun/2000 16:49:36 00088] [info] Server: OpenSA/0.20 Apache/1.3.12, Interface: mod_ssl/2.6.2, Library: OpenSSL/0.9.5
    [01/Jun/2000 16:49:36 00088] [warn] You are using mod_ssl under Win32. This combination is *NOT* officially supported. Use it at your own risk!
    [01/Jun/2000 16:49:36 00088] [info] Init: 1st startup round (still not detached)
    [01/Jun/2000 16:49:36 00088] [info] Init: Initializing OpenSSL library
    [01/Jun/2000 16:49:36 00088] [info] Init: Loading certificate & private key of SSL-aware server www.mydomain.com:443
    [01/Jun/2000 16:49:36 00088] [info] Init: Seeding PRNG with 136 bytes of entropy
    [01/Jun/2000 16:49:36 00088] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [01/Jun/2000 16:49:37 00088] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [01/Jun/2000 16:49:37 00088] [info] Init: Seeding PRNG with 136 bytes of entropy
    [01/Jun/2000 16:49:37 00088] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
    [01/Jun/2000 16:49:37 00088] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [01/Jun/2000 16:49:37 00088] [info] Init: Initializing (virtual) servers for SSL
    [01/Jun/2000 16:49:37 00088] [info] Init: Configuring server www.mydomain.com:443 for SSL protocol
    [01/Jun/2000 16:49:37 00088] [info] Init: (www.mydomain.com:443) RSA server certificate enables Server Gated Cryptography (SGC)
    [01/Jun/2000 16:49:37 00088] [info] Init: 2nd startup round (already detached)
    [01/Jun/2000 16:49:37 00088] [info] Init: Reinitializing OpenSSL library
    [01/Jun/2000 16:49:37 00088] [info] Init: Seeding PRNG with 136 bytes of entropy
    [01/Jun/2000 16:49:37 00088] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
    [01/Jun/2000 16:49:37 00088] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [01/Jun/2000 16:49:37 00088] [info] Init: Initializing (virtual) servers for SSL
    [01/Jun/2000 16:49:37 00088] [info] Init: Configuring server www.mydomain.com:443 for SSL protocol
    [01/Jun/2000 16:49:38 00088] [info] Init: (www.mydomain.com:443) RSA server certificate enables Server Gated Cryptography (SGC)
    [01/Jun/2000 16:49:38 00165] [info] Server: OpenSA/0.20 Apache/1.3.12, Interface: mod_ssl/2.6.2, Library: OpenSSL/0.9.5
    [01/Jun/2000 16:49:38 00165] [warn] You are using mod_ssl under Win32. This combination is *NOT* officially supported. Use it at your own risk!
    [01/Jun/2000 16:49:38 00165] [info] Init: 1st startup round (still not detached)
    [01/Jun/2000 16:49:38 00165] [info] Init: Initializing OpenSSL library
    [01/Jun/2000 16:49:38 00165] [info] Init: Loading certificate & private key of SSL-aware server www.mydomain.com:443
    [01/Jun/2000 16:49:38 00165] [info] Init: Seeding PRNG with 136 bytes of entropy
    [01/Jun/2000 16:49:38 00165] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [01/Jun/2000 16:49:39 00165] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [01/Jun/2000 16:49:39 00165] [info] Init: Seeding PRNG with 136 bytes of entropy
    [01/Jun/2000 16:49:39 00165] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
    [01/Jun/2000 16:49:39 00165] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [01/Jun/2000 16:49:39 00165] [info] Init: Initializing (virtual) servers for SSL
    [01/Jun/2000 16:49:39 00165] [info] Init: Configuring server www.mydomain.com:443 for SSL protocol
    [01/Jun/2000 16:49:40 00165] [info] Init: (www.mydomain.com:443) RSA server certificate enables Server Gated Cryptography (SGC)
    [01/Jun/2000 16:49:54 00165] [info] Connection to child 0 established (server www.mydomain.com:443, client 192.168.1.91)
    [01/Jun/2000 16:49:54 00165] [info] Seeding PRNG with 1160 bytes of entropy
    [01/Jun/2000 16:49:55 00165] [info] Connection: Client IP: 192.168.1.91, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (0/0 bits)
    [01/Jun/2000 16:49:55 00165] [info] Connection to child 0 closed with standard shutdown (server www.mydomain.com:443, client 192.168.1.91)

The problem I think is in the line:

    [01/Jun/2000 16:49:55 00165] [info] Connection: Client IP: 192.168.1.91, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (0/0 bits)

which with 128 bit Netscape/MS IE browsers looks something like:

    [01/Jun/2000 16:54:42 00207] [info] Connection: Client IP: 192.168.1.85, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)

and in this last case everything works fine. I know that I have to deal with something in Apache's httpd.conf but I can't figure out what to do. My SSLCipherSuite directive looks like the following:

    SSLCipherSuite
Re: x509v3 certs and NT4
First of all I'd like to say thank you :-)

In fact I found a solution similar to the one suggested by you, so you might be interested in knowing it: I use the -des (usually it's 3des) and the -keysig options and it works for both NT 4 and Windows 98. I'm a bit worried by the -keysig because I can't understand exactly what it does. Being a "newbie" in a security related field makes me feel rather insecure...

Costantino

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 05, 2000 4:04 PM
Subject: Re: x509v3 certs and NT4

Costantino, I've been playing with personal certs and so I believe you would use something like this:

    openssl pkcs12 -export -keyex -noiter -keysig -in client.crt -inkey client.key -name "Personal Certificate" -out msclient.p12

I believe that the three options (-keyex -noiter -keysig) make it compatible with NT/IE4 as opposed to Netscape. I don't really know the adverse effects of setting these options; I think -noiter makes the pkcs12 blob less secure. Don't take this as a definitive answer as I don't understand all the details yet.

Mikey
Re: Verisign SGC Netscape International releases
You could try removing +eNULL from SSLCipherSuite. Alternatively try setting 'SSLLogLevel trace' and compare with http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/README.GlobalID

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Problems with Netscape International release mod_ssl
Hi everyone.

I successfully installed Apache+mod_ssl+php (opensa 0.20) on a Win NT box and installed a Verisign Global Server ID Certificate (SGC). Everything works fine, except when dealing with the Netscape international release (yes, even the latest 4.72), which stops saying that there is a network error. Looking at the engine.log I found the following lines:

    [01/Jun/2000 16:49:36 00088] [info] Server: OpenSA/0.20 Apache/1.3.12, Interface: mod_ssl/2.6.2, Library: OpenSSL/0.9.5
    [01/Jun/2000 16:49:36 00088] [warn] You are using mod_ssl under Win32. This combination is *NOT* officially supported. Use it at your own risk!
    [01/Jun/2000 16:49:36 00088] [info] Init: 1st startup round (still not detached)
    [01/Jun/2000 16:49:36 00088] [info] Init: Initializing OpenSSL library
    [01/Jun/2000 16:49:36 00088] [info] Init: Loading certificate & private key of SSL-aware server www.mydomain.com:443
    [01/Jun/2000 16:49:36 00088] [info] Init: Seeding PRNG with 136 bytes of entropy
    [01/Jun/2000 16:49:36 00088] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [01/Jun/2000 16:49:37 00088] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [01/Jun/2000 16:49:37 00088] [info] Init: Seeding PRNG with 136 bytes of entropy
    [01/Jun/2000 16:49:37 00088] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
    [01/Jun/2000 16:49:37 00088] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [01/Jun/2000 16:49:37 00088] [info] Init: Initializing (virtual) servers for SSL
    [01/Jun/2000 16:49:37 00088] [info] Init: Configuring server www.mydomain.com:443 for SSL protocol
    [01/Jun/2000 16:49:37 00088] [info] Init: (www.mydomain.com:443) RSA server certificate enables Server Gated Cryptography (SGC)
    [01/Jun/2000 16:49:37 00088] [info] Init: 2nd startup round (already detached)
    [01/Jun/2000 16:49:37 00088] [info] Init: Reinitializing OpenSSL library
    [01/Jun/2000 16:49:37 00088] [info] Init: Seeding PRNG with 136 bytes of entropy
    [01/Jun/2000 16:49:37 00088] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
    [01/Jun/2000 16:49:37 00088] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [01/Jun/2000 16:49:37 00088] [info] Init: Initializing (virtual) servers for SSL
    [01/Jun/2000 16:49:37 00088] [info] Init: Configuring server www.mydomain.com:443 for SSL protocol
    [01/Jun/2000 16:49:38 00088] [info] Init: (www.mydomain.com:443) RSA server certificate enables Server Gated Cryptography (SGC)
    [01/Jun/2000 16:49:38 00165] [info] Server: OpenSA/0.20 Apache/1.3.12, Interface: mod_ssl/2.6.2, Library: OpenSSL/0.9.5
    [01/Jun/2000 16:49:38 00165] [warn] You are using mod_ssl under Win32. This combination is *NOT* officially supported. Use it at your own risk!
    [01/Jun/2000 16:49:38 00165] [info] Init: 1st startup round (still not detached)
    [01/Jun/2000 16:49:38 00165] [info] Init: Initializing OpenSSL library
    [01/Jun/2000 16:49:38 00165] [info] Init: Loading certificate & private key of SSL-aware server www.mydomain.com:443
    [01/Jun/2000 16:49:38 00165] [info] Init: Seeding PRNG with 136 bytes of entropy
    [01/Jun/2000 16:49:38 00165] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [01/Jun/2000 16:49:39 00165] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [01/Jun/2000 16:49:39 00165] [info] Init: Seeding PRNG with 136 bytes of entropy
    [01/Jun/2000 16:49:39 00165] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
    [01/Jun/2000 16:49:39 00165] [info] Init: Configuring temporary DH parameters (512/1024 bits)
    [01/Jun/2000 16:49:39 00165] [info] Init: Initializing (virtual) servers for SSL
    [01/Jun/2000 16:49:39 00165] [info] Init: Configuring server www.mydomain.com:443 for SSL protocol
    [01/Jun/2000 16:49:40 00165] [info] Init: (www.mydomain.com:443) RSA server certificate enables Server Gated Cryptography (SGC)
    [01/Jun/2000 16:49:54 00165] [info] Connection to child 0 established (server www.mydomain.com:443, client 192.168.1.91)
    [01/Jun/2000 16:49:54 00165] [info] Seeding PRNG with 1160 bytes of entropy
    [01/Jun/2000 16:49:55 00165] [info] Connection: Client IP: 192.168.1.91, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (0/0 bits)
    [01/Jun/2000 16:49:55 00165] [info] Connection to child 0 closed with standard shutdown (server www.mydomain.com:443, client 192.168.1.91)

The problem I think is in the line:

    [01/Jun/2000 16:49:55 00165] [info] Connection: Client IP: 192.168.1.91, Protocol: SSLv3, Cipher: EXP1024-RC4-SHA (0/0 bits)

which with 128 bit Netscape/MS IE browsers looks something like:

    [01/Jun/2000 16:54:42 00207] [info] Connection: Client IP: 192.168.1.85, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)

and in this last case everything works fine. I know that I have to deal with something in Apache's httpd.conf but I can't figure out what to do. My SSLCipherSuite directive looks like the following:

    SSLCipherSuite
Certificate installation for Apache 1.3.12 + mod_ssl
Hi,

I have installed Apache 1.3.12 + mod_ssl_2.6.4_1.3.12 on my Linux box and then I have created a server.key and server.crt for my private usage. However, I got an error message which said that my certificate is invalid as I connect to my secured server. However, once I select "install certificate" in IE 5.0 on my Win98 box, the error disappears. Please tell me what the problem is. It is because I don't want my users to have to select this option as they connect to my web server.

Thank You!

HK Woo
chroot segfault
hello all,

using freebsd 4.0-stable as of may 25th. using the apache13-modssl port. works fine in a non-chroot environment. when using a chroot env. apache segfaults. this is in apache_ssl_engine_log: (dates trimmed)

    Server: Apache/1.3.12, Interface: mod_ssl/2.6.4, Library: OpenSSL/0.9.4
    Init: 1st startup round (still not detached)
    Init: Initializing OpenSSL library
    Init: Seeding PRNG with 136 bytes of entropy
    Init: Generating temporary RSA private keys (512/1024 bits)

gdb where says:

    (gdb) where
    #0  0x281a89e5 in RSA_new_method () from /usr/lib/libcrypto.so.1
    #1  0x281a8865 in RSA_new () from /usr/lib/libcrypto.so.1
    #2  0x2814efd6 in RSA_generate_key () from /usr/lib/libcrypto.so.1
    #3  0x804fe2c in ssl_init_TmpKeysHandle ()
    #4  0x804fc62 in ssl_init_Module ()
    (gdb)

Oh yea.. when using the non-ssl port, apache13, things work fine.

Thanks in advance,
--
laurens van alphen, craxx
[EMAIL PROTECTED], http://www.craxx.nl
Re: Build problems
On Thu, Jun 01, 2000, Vinod Mehra wrote:

> I am trying to install "The All-In-One mod_ssl+APACI". But the Apache build fails for me. The build without mod_ssl always works. This is what I have got:
> - apache_1.3.9.tar.gz
> - mod_ssl-2_4_10-1_3_9_tar.gz
> - openssl-0_9_5a_tar.gz
> - rsaref20_tar.Z
> - mm-1_1_2_tar.gz
> [...]

The README.Versions file I update for us shows (date / mod_ssl / Apache / OpenSSL):

    08-Jan-2000   2.4.10   1.3.9   0.9.3-0.9.4

So, the mod_ssl version you're trying is too old for use with such a newer OpenSSL version. You have to use OpenSSL 0.9.3 or 0.9.4 with this mod_ssl version. Or (what I strongly recommend) use the current Apache 1.3.12 and mod_ssl 2.6.4 versions.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
running apache ssl in chroot
anyone here know what I am missing in my chroot environment.. normal apache works but when I run apache -DSSL, it loads up but doesn't work

    [I have no name!@server] /$ openssl s_client -connect localhost:443 -state -debug
    CONNECTED(0003)
    SSL_connect:before/connect initialization
    write to 0807F1C0 [0808E000] (103 bytes = 103 (0x67))
    0000 - 80 65 01 03 01 00 3c 00-00 00 20 00 00 16 00 00   .e... .
    0010 - 13 00 00 0a 00 00 05 00-00 04 00 00 15 00 00 12
    0020 - 00 00 09 07 00 c0 03 00-80 01 00 80 08 00 80 06
    0030 - 00 40 00 00 14 00 00 11-00 00 08 00 00 06 00 00   .@..
    0040 - 03 04 00 80 02 00 80 ac-f4 d4 aa a1 a9 9b d3 32   ...2
    0050 - 5f ef 15 d6 8b 05 4b 97-6c 9f 88 57 58 45 af d8   _.K.l..WXE..
    0060 - ac 3f 5a 11 31 34 76                              .?Z.14v
    SSL_connect:SSLv2/v3 write client hello A
    read from 0807F1C0 [08094000] (7 bytes = 0 (0x0))
    52872:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_lib.c:215:
    [I have no name!@server] /$
Re: chroot segfault
On Mon, Jun 05, 2000 at 01:37:13PM +0200, laurens van alphen (craxx) wrote:

> hello all,
>
> using freebsd 4.0-stable as of may 25th. using the apache13-modssl port. works fine in a non-chroot environment. when using a chroot env. apache segfaults. this is in apache_ssl_engine_log: (dates trimmed)
>
>     Server: Apache/1.3.12, Interface: mod_ssl/2.6.4, Library: OpenSSL/0.9.4
>     Init: 1st startup round (still not detached)
>     Init: Initializing OpenSSL library
>     Init: Seeding PRNG with 136 bytes of entropy
>     Init: Generating temporary RSA private keys (512/1024 bits)
>
> gdb where says:
>
>     (gdb) where
>     #0  0x281a89e5 in RSA_new_method () from /usr/lib/libcrypto.so.1
>     #1  0x281a8865 in RSA_new () from /usr/lib/libcrypto.so.1
>     #2  0x2814efd6 in RSA_generate_key () from /usr/lib/libcrypto.so.1
>     #3  0x804fe2c in ssl_init_TmpKeysHandle ()
>     #4  0x804fc62 in ssl_init_Module ()
>     (gdb)

These days OpenSSL is up to version 0.9.5a and quite a lot has happened to it wrt. key generation. It may be worth trying an update of OpenSSL.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Mod_SSL+Tomcat
I am working with Apache, mod_ssl, and Tomcat on Debian Linux. I am trying to make sure all references to Tomcat are secure. Is there a way to tell Apache or mod_ssl to keep Tomcat behind https?

Tim Willis
IS Technician
Code Rite
[EMAIL PROTECTED]
RE: Apache, mod_ssl, certs, and such...
HA! That was it.. thanks, now I have some cert setup mistakes to fix, and I'll be done...

Tim Willis
IS Technician
Code Rite
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kirk Benson
Sent: Friday, June 02, 2000 12:25
To: [EMAIL PROTECTED]
Subject: RE: Apache, mod_ssl, certs, and such...

It may be that Apache is trying to prompt you for the passphrase, but can't since it's a service. Try starting it from the command line to see if it works.

cheers
Kirk

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Willis
Sent: Friday, June 02, 2000 10:43 AM
To: [EMAIL PROTECTED]
Subject: Apache, mod_ssl, certs, and such...

(system - WinNT, Apache+mod_ssl+openssl as a service)

Ok - I've received a test cert from Thawte, installed it, created a server.key file, saved the Thawte cert as server.crt, and placed server.crt and server.key in the appropriate places in httpd.conf in Apache. The problem is, when I re-start Apache (as a service in NT), I get the following error:

    "Could Not Start Apache: Error 2186, the service is not responding to the control function."

The strange thing is that Apache DOES start, and my processor gets totally dog slow immediately; I'm unable to shut down Apache from the services GUI, the task manager, or from the command line; I have to set it to manual startup in services and re-boot.

Other symptoms: once I start Apache like above, I CAN access localhost, though obviously I cannot access https. Also, if I comment out the ssl-cert specific lines in httpd.conf, re-boot, then re-start Apache, the problem is fixed. Also, if I replace server.crt and server.key with their snake-oil counterparts, the problem goes away.

My assumption is that there is something dreadfully wrong with either my test server.crt (which I've generated three times now from Thawte) or my server.key file (which I've created several times as well) or both.

Does anyone have any insight into my problem? Is it something simple I'm missing?

Thanks in advance.

Tim Willis
IS Technician
Code Rite
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
Re: SSL handshaking on remote machine
Winged Wolf wrote: (hotmail has a broken "reply to all")

> You're also going to have to munge the information in the key structure itself, so that SSL itself doesn't complain that the IP or port that it's communicating with has changed.

Okay, well, I revised what my program was going to be doing... I am no longer trying to pass a session between two machines, but rather I modified OpenSSL to hand the encrypted session keys to the accelerated server, which then calls RSA_private_decrypt() on them, and passes the decrypted keys back to the web server. The hardest thing was building the rsa_st structure on the accelerated server, using data passed over the TCP connection... but I got it to work between sockets on the same machine.. my next trick is getting it to work on another machine...

But it is actually a very straightforward modification... on the web server, modify OpenSSL's RSA_private_decrypt() function to call the function I wrote that talks to the accelerated server.. on the accelerated server, just run the daemon I wrote..

J.
CRL checking error
Hello:

I am testing CRL check behaviors using apache_1.3.12 plus mod_ssl-2.6.4 plus openssl-0.9.5a. I have tested three CRLs issued by three different CAs: Windows 2000 Enterprise CA, CMS 4.1 and another CA. Although successful with the Windows 2000 Enterprise CA CRL, I always get the "CRL signature failure" error message when checking the two other CAs' CRLs. All the CRLs are in the version 2 format and their details are shown below.

1. Windows 2000 Enterprise CA CRL (checking is successful with this one)

    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: /Email=**/C=**/ST=**/L=**/O=**/OU=**/CN=**
            Last Update: Jun  5 07:26:40 2000 GMT
            Next Update: Jun  5 09:01:40 2000 GMT
            CRL extensions:
                X509v3 Authority Key Identifier:
                    keyid:5F:BD:4E:7A:57:87:FC:9F:7E:F6:F3:DA:36:8E:C6:17:F2:FD:3A:40
                1.3.6.1.4.1.311.21.1:
    Revoked Certificates:
        Serial Number: 01270EC807FA
            Revocation Date: Jun  5 07:36:11 2000 GMT
        ...

2. CMS 4.1 CRL (checking fails)

    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: /C=**/ST=**/L=**/O=**/OU=**/CN=**
            Last Update: Jun  5 08:25:33 2000 GMT
            Next Update: Jun  5 10:25:33 2000 GMT
    Revoked Certificates:
        Serial Number: 05
            Revocation Date: May 17 11:07:13 2000 GMT
            CRL Reason Code: Unspecified
        ...

3. Another CA CRL (checking fails)

    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: /C=**/O=**/CN=**
            Last Update: May  8 16:00:03 2000 GMT
            Next Update: Jun  7 16:00:00 2000 GMT
    Revoked Certificates:
        Serial Number: 3BB6B4DF0003
            Revocation Date: Nov 17 09:20:45 1999 GMT
        ...

As shown above, the successfully checked W2K CRL has a CRL extensions setting, X509v3 Authority Key Identifier, which the other two CAs' CRLs do not have. When checking v2 CRLs with mod_ssl (openssl), is it necessary to set at least one CRL extension? Or is the specific Authority Key Identifier extension critical? Or is there anything else that causes the "CRL signature failure"?

Any information would help me.

Thank you,
Tatsuya Yoshida