Re: certificates

2000-07-11 Thread Ralf S. Engelschall

On Tue, Jul 11, 2000, Segerlund, Lars wrote:

> Anybody who knows if mod_ssl can handle 'step up' connections?
>
> In other words start a 40 bit and send a Thawte certificate which makes the
> browser renegotiate for 128 bit? (encryption keys).

Yes, mod_ssl supports the step up of the Server Gated Cryptography (SGC)
facility.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: which port ? 80 or 443

2000-07-11 Thread Filip Van Laenen

Hi,
 
I don't know why your servlet always prints that it is listening on port 80,
but yesterday I managed to remove port 80 from my server by changing the
httpd.conf file in the following manner:
 
--- 8< ---

#
# Port: The port to which the standalone server listens.
#
# Port 80 # Don't permit that someone connects without using SSL

##
##  SSL Support
##
##  When we also provide SSL we have to listen to the
##  standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
# Listen 80 # Don't permit that someone connects without using SSL
Listen 443
</IfDefine>

--- 8< ---
 
After that, http://... didn't work any more, only https://... (which was the
intention). Maybe you should try this, and try to run your servlet again.

Hope this helps,
 
Filip

-- 
Filip van Laenen 
[EMAIL PROTECTED] ([EMAIL PROTECTED]) 
Senior Knowledge Engineer, Computas, http://www.computas.com
http://www.computas.com/  
Telefon: +47 67 83 10 00 Fax: +47 67 83 10 01 

 

-Original Message-
From: Yu, Leo [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 10, 2000 9:31 PM
To: '[EMAIL PROTECTED]'
Cc: Yu, Leo
Subject: which port ? 80 or 443




Hi,

I configured a Linux system to run Apache and Jserv and SSL. The
server is listening to both port 80 and port 443 (for SSL).

I have a servlet running on the system to print out which port the
request is coming from.

The problem is that no matter which port (80 or 443) the URL request
comes in on, the servlet always prints out port 80. I use the
getServerPort() function of the request object to retrieve the port number.

Any idea why? Does Apache need to have port 80 open always?

Thanks!

Leo




client certificates

2000-07-11 Thread Thomas Barthel

Hello,

I have installed apache with mod_ssl and it works well.
Now I create client certificates with openssl and want
to send them with "application/x-x509-user-cert" to the
browser. I tested DER, PEM and PKCS12 but nothing really
worked. Netscape says it doesn't know the corresponding 
private key and Internet Explorer either wants to save
my *.cgi-file or holds on loading and does nothing.
There is no problem when I save the certificate on disk
and import it by hand (neither IE nor Netscape).
I have read so many howtos and tutorial but nothing helped
me.


Thomas
-- 
_
 Thomas Barthel e-mail: [EMAIL PROTECTED]
 SuSE GmbH Nuernberg, Germany

"Internet is a wonderful mechanism for making a fool
 of yourself in front of a very large audience"



Re: client certificates

2000-07-11 Thread Lutz Jaenicke

On Tue, Jul 11, 2000 at 08:32:09AM +0200, Thomas Barthel wrote:
> Hello,
>
> I have installed apache with mod_ssl and it works well.
> Now I create client certificates with openssl and want
> to send them with "application/x-x509-user-cert" to the
> browser. I tested DER, PEM and PKCS12 but nothing really
> worked. Netscape says it doesn't know the corresponding
> private key and Internet Explorer either wants to save
> my *.cgi-file or holds on loading and does nothing.
> There is no problem when I save the certificate on disk
> and import it by hand (neither IE nor Netscape).

For all these operations you must be aware that two different items
are needed:
- the private key (secret)
- the public key (included in the "certificate")

If you only download the user-cert, the corresponding private key
is missing, this is what Netscape tries to tell you.

Netscape does have its own function to generate a private/public
key pair. It then keeps the private key and includes the public
key with a "request". The request is then signed by the CA and
sent back to Netscape, which still has the private key.
This is used by several CA packages.

Hmm, I don't know, whether you can also download the private key
via an "application/x-x509..." transfer, I only ever used the
PKCS12 way. It however would not make sense to have such a function,
since the private key of the user should only be known to him.
If somebody else created it it is worthless.

Best regards,
Lutz
PS. Having this said, for several of my DAUs I have created the keys
and the computer center of our university offers the same service for
those who don't know how to create such a key...
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Pre-compiled binaries of mod_ssl

2000-07-11 Thread Anil BR

Hello all,
I have Apache 1.3.12 for Win NT running on my machine.
Now, I want to have secure web services and hence mod_ssl. But mod_ssl is
available only in source form.
I don't want to disturb my existing set-up. So please let me know from where
can I get the pre-compiled binaries of mod_ssl for Windows so that
I can readily use them.
By the way I tried one site called 'www.opensa.org' but I got an error
saying 'there is no DNS entry for this server'
Has this site been moved to some other location or what?
Further info regarding this will be greatly appreciated.
Thanks in advance,
Anil.


Anil B.R
Engineer, Software Development
Siemens Public Communication Networks Ltd.
25/2, M.G Road, Bangalore, India.
Tel : +91-80-5594067   Extn:4527
Fax : +91-80-5594369
mailto:[EMAIL PROTECTED]




Re: Problems Starting up Apache and mod_ssl

2000-07-11 Thread Mads Toftum

On Mon, Jul 10, 2000 at 10:23:50PM -0600, george wrote:
[SNIP]
> # /usr/local/apache/bin/apachectl configtest
> Syntax OK
> # /usr/local/apache/bin/apachectl startssl
> Syntax error on line 1032 of /usr/local/apache/conf/httpd.conf
> Invalid command 'SSLEnable', perhaps mis-spelled or defined by a module
> not included in the server configuration
> /usr/local/apache/bin/apachectl startssl: httpd could not be started.
>
> </screen output>
>
> I then uncommented the line "SSLEngine on" on the line above the one in
> question (line 1032), and re-issued the commands above.

It looks like you haven't enabled mod_ssl. Do a:
/path/to/apache/bin/httpd -l
Does it list mod_ssl.c? Or do you get only http_core.c and mod_so.c - then
you need to check that mod_ssl is loaded (AddModule and LoadModule)

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: BSDI 4.1 and modssl help. *urgent*

2000-07-11 Thread Mads Toftum

On Tue, Jul 11, 2000 at 03:49:15AM +, moses von wrote:
> We have had modssl working for a very long time, and it worked
> fine from BSDI 2.1 till 4.0.1.  As soon as we installed
> BSDI 4.1, our httpd server stopped working.. It starts up
> but only a single process starts, and basically does nothing.
>
> So we decided to re-compile apache, and used all of the latest versions of
> modssl, openssl, apache, etc.  Everything compiled and installed just fine.
> BUT, it still starts up only as a single process which
> does basically nothing.  We re-compiled the server without ssl, and
> apache startups up fine with multiple processes and answers queries.
 
Could you run a trace[1] on it to see what it is waiting for?
It could very well be waiting to get random data from /dev/random (or
/dev/urandom) or wherever you've got SSLRandomSeed pointed at.


[1] On linux that would be strace, on solaris it would be truss on BSDI it
would be ???

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: client certificates

2000-07-11 Thread Lutz Jaenicke

On Tue, Jul 11, 2000 at 09:16:34AM +0200, Thomas Barthel wrote:
> Maybe I'm too new to this topic but isn't it true that PKCS12 contains both
> the public and the private key?

Yes, the PKCS12 does support both keys. You however cannot download the
PKCS12 directly into the browser. You can only download it to a file
and then import it.
The direct download technique is only available for the cert (which only
contains the public key):
http://home.netscape.com/eng/security/downloadcert.html
(maybe old, but I didn't find any other information stating something
else, so it's ok.)
There seems to be a MIME-type for PKCS12 available:
http://www.crosswinds.net/san-marino/~jom/filex/mime.htm
.p12 application/pkcs-12
.p12 application/x-pkcs-12

I however don't know whether it is actually supported by Netscape.
(If it is, please inform us.)

> Furthermore the client only should be able to prove that he/she got the
> certificate I gave him/her to authenticate. I don't see the need of a
> private key (for the client) here. Well the public key shouldn't be here
> as public as one could think.

You always need the pair. Whether you have to keep the private key
private for your application is a different question you and your organization
have to answer yourselves.
Its intention is to allow the person in question to receive encrypted emails,
that only he can read, and to sign messages with proven authenticity.
This is broken by your concept, as you (the CA _and_ key generator)
can read all encrypted messages and can fake the signatures of your
clients. Hence, the automatic generation of the private key on a foreign
server really doesn't make sense. Hence, if I would write the software,
I would probably omit the feature you are requesting.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
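
The enrolment flow described in the two replies above (key pair generated on the client, only a request sent to the CA, PKCS12 as the container that carries both halves), as an added example that is not part of the original posts. All file names, subject names and the passphrase `demo` are constructed for illustration, and an `openssl` binary on the PATH is assumed.

```shell
#!/bin/sh
# Added illustration, not code from the thread. File names, subjects and
# the passphrase "demo" are constructed; requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 fingerprint of the public key derived from a private key file.
key_fingerprint() {
    openssl pkey -in "$1" -pubout 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key embedded in a certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the certificate was issued for this private key.
cert_matches_key() {
    [ "$(cert_fingerprint "$1")" = "$(key_fingerprint "$2")" ]
}

# Count PEM objects of one kind inside a PKCS12 file.
# $1 = file, $2 = passphrase, $3 = "PRIVATE KEY" or "CERTIFICATE"
p12_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null |
        grep -c -- "-----BEGIN .*$3-----" || true
}

# 1. CA side: a throw-away CA standing in for the CA in the thread.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Client side: the key pair is generated locally; only the request
#    (which carries the public key) is handed to the CA.
openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
openssl req -new -key "$WORK/client.key" -subj "/CN=Demo User" \
    -out "$WORK/client.csr"

# 3. CA side: sign the request. The CA never sees client.key.
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/client.crt" 2>/dev/null

# 4. Client side: bundle certificate and private key for manual import.
openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -name "Demo User" -passout pass:demo -out "$WORK/client.p12"

# An unrelated key: the situation of a browser that was sent only the
# certificate and therefore holds no matching private key.
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null

if cert_matches_key "$WORK/client.crt" "$WORK/client.key"; then
    echo "certificate matches the locally generated private key"
fi
if ! cert_matches_key "$WORK/client.crt" "$WORK/other.key"; then
    echo "certificate does not match any other key"
fi
echo "private keys in client.crt: $(grep -c 'PRIVATE KEY' "$WORK/client.crt" || true)"
echo "private keys in client.p12: $(p12_count "$WORK/client.p12" demo 'PRIVATE KEY')"
echo "certificates in client.p12: $(p12_count "$WORK/client.p12" demo 'CERTIFICATE')"
```

The fingerprint comparison in `cert_matches_key` is the same check a browser performs implicitly when it reports that it does not know the corresponding private key.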



Re: client certificates

2000-07-11 Thread Thomas Barthel

> Yes, the PKCS12 does support both keys. You however cannot download the
> PKCS12 directly into the browser. You can only download it to a file
> and then import it.
> The direct download technique is only available for the cert (which only
> contains the public key):
> http://home.netscape.com/eng/security/downloadcert.html
> (maybe old, but I didn't find any other information stating something
> else, so it's ok.)

yes this worked (but only once now I can't load it again (of course I
deleted the former imported certificate first)).

> There seems to be a MIME-type for PKCS12 available:
> http://www.crosswinds.net/san-marino/~jom/filex/mime.htm
> .p12 application/pkcs-12
> .p12 application/x-pkcs-12
>
> I however don't know whether it is actually supported by Netscape.
> (If it is, please inform us.)

thanks so far. I will try it.

> You always need the pair. Whether you have to keep the private key
> private for your application is a different question you and your organization
> have to answer yourselves.

of course, you are right.

> Its intention is to allow the person in question to receive encrypted emails,
> that only he can read, and to sign messages with proven authenticity.
> This is broken by your concept, as you (the CA _and_ key generator)
> can read all encrypted messages and can fake the signatures of your
> clients. Hence, the automatic generation of the private key on a foreign
> server really doesn't make sense. Hence, if I would write the software,
> I would probably omit the feature you are requesting.

in this case you are right again. But I only want the user to connect to my
Server without entering his username and password. I only want to allow
this to chosen persons. For these persons I will create a certificate.
(with the fact in mind that I already have their data to create a proper
request)


Thomas
-- 
_
 Thomas Barthel e-mail: [EMAIL PROTECTED]
 SuSE GmbH Nuernberg, Germany

"Internet is a wonderful mechanism for making a fool
 of yourself in front of a very large audience"



Pb : Apache/modssl with php4

2000-07-11 Thread Lionel Mace


I've installed Apache + mod_ssl/OpenSSL + PHP3/MySQL by following
INSTALL.SSL file. It works well.
I've tried to do the same thing with the new release of php: PHP4
I've made the following modifications in the file INSTALL.SSL
...
 # configure PHP4 and apply it to the Apache source tree
 $ cd ../php-4.0.1pl2
 $ CFLAGS='-O2 -I/path/to/openssl/include' \
   ./configure \
   --prefix=/path/to/php \
   --with-apache=../apache_1.3.12 \
   --with-mysql=/path/to/mysql \
   --enable-memory-limit=yes \
   --enable-debug=no
 $ gmake
 $ gmake install
 $ cd ..

 # build/install Apache with mod_ssl and PHP4
 $ cd apache_1.3.12
 $ SSL_BASE=/path/to/openssl \
   ./configure \
   --prefix=/path/to/apache \
   --enable-module=ssl \
   --activate-module=src/modules/php4/libmodphp4.a \
   --enable-module=modphp4
 $ make

But it doesn't work. I get the following message with the make in apache:
===> src/modules/php4
 gcc -c -I../../../../mm-1.1.3 -I../../os/unix -I../../include -DHPUX10 -DMOD_SSL=206104 -DUSE_HSREGEX -DEAPI -DEAPI_MM -DUSE_EXPAT -I../../lib/expat-lite -DNO_DL_NEEDED `../../apaci` mod_php4.c
mod_php4.c:28: zend.h: No such file or directory
mod_php4.c:29: php.h: No such file or directory
mod_php4.c:30: php_variables.h: No such file or directory
mod_php4.c:31: SAPI.h: No such file or directory
mod_php4.c:48: php_ini.h: No such file or directory
mod_php4.c:49: php_globals.h: No such file or directory
mod_php4.c:50: SAPI.h: No such file or directory
mod_php4.c:51: php_main.h: No such file or directory
mod_php4.c:53: zend_compile.h: No such file or directory
mod_php4.c:54: zend_execute.h: No such file or directory
mod_php4.c:55: zend_highlight.h: No such file or directory
mod_php4.c:56: zend_indent.h: No such file or directory
mod_php4.c:58: ext/standard/php_standard.h: No such file or directory
*** Error exit code 1

Any suggestions ?
Thanks in advance.
Lionel


module mod_define.c: not found in module list

2000-07-11 Thread Dave Reichard

The following error messages are showing up in my apache error_logs.
Does anyone have an idea on what may be causing this, and if so how do I
fix the problem?

[Mon Jul 10 18:00:01 2000] [notice] SIGHUP received.  Attempting to restart
[Mon Jul 10 18:00:01 2000] [error] Cannot remove module mod_define.c: not found in module list
[Mon Jul 10 18:00:02 2000] [info] mod_unique_id: using ip addr *.*.*.*
[Mon Jul 10 18:00:03 2000] [notice] Apache/1.3.12 (Unix) mod_ssl/2.6.1 OpenSSL/0.9.5 PHP/3.0.15 configured -- resuming normal operations
[Mon Jul 10 18:00:03 2000] [info] Server built: Mar 27 2000 12:34:59
[Tue Jul 11 06:00:02 2000] [notice] SIGHUP received.  Attempting to restart
[Tue Jul 11 06:00:02 2000] [error] Cannot remove module mod_define.c: not found in module list
[Tue Jul 11 06:00:03 2000] [info] mod_unique_id: using ip addr *.*.*.*
[Tue Jul 11 06:00:04 2000] [notice] Apache/1.3.12 (Unix) mod_ssl/2.6.1 OpenSSL/0.9.5 PHP/3.0.15 configured -- resuming normal operations
[Tue Jul 11 06:00:04 2000] [info] Server built: Mar 27 2000 12:34:59







Re: client certificates

2000-07-11 Thread Thomas Barthel

>> There seems to be a MIME-type for PKCS12 available:
>> http://www.crosswinds.net/san-marino/~jom/filex/mime.htm
>> .p12 application/pkcs-12
>> .p12 application/x-pkcs-12
>>
>> I however don't know whether it is actually supported by Netscape.
>> (If it is, please inform us.)
>
> thanks so far. I will try it.
 

well Internet Explorer accepts it (only 'application/x-pkcs-12').
But I can't persuade Netscape. The only way is to save the certificate
on disk and then import it by hand.
Ain't there no way to automatically import it into IE as well as
NC (is there any way in Netscape)?

Thomas
-- 
_
 Thomas Barthel e-mail: [EMAIL PROTECTED]
 SuSE GmbH Nuernberg, Germany

"Internet is a wonderful mechanism for making a fool
 of yourself in front of a very large audience"



Re: Pb : Apache/modssl with php4

2000-07-11 Thread Mads Toftum

On Tue, Jul 11, 2000 at 11:15:20AM +0200, Lionel Mace wrote:
> I've installed  Apache + mod_ssl/OpenSSL + PHP3/MySQL by following
> INSTALL.SSL file. It works well.
>
> I've tried to install to do the same thing with the new release of php :
> PHP4
> I've made the following modifications in the file INSTALL.SSL
> ...
> #   configure PHP4 and apply it to the Apache source tree
> $ cd ../php-4.0.1pl2
> $ CFLAGS='-O2 -I/path/to/openssl/include' \
>   ./configure \
>   --prefix=/path/to/php \
>   --with-apache=../apache_1.3.12 \
>   --with-mysql=/path/to/mysql \
>   --enable-memory-limit=yes \
>   --enable-debug=no
> $ gmake
> $ gmake install
> $ cd ..
>
> #   build/install Apache with mod_ssl and PHP4
> $ cd apache_1.3.12
> $ SSL_BASE=/path/to/openssl \
>   ./configure \
>   --prefix=/path/to/apache \
>   --enable-module=ssl \
>   --activate-module=src/modules/php4/libmodphp4.a \
>   --enable-module=modphp4
> $ make
>
>
> But it doesn't work. I get the following message with the make in apache
> :

Looks very much as if the trouble is with php4 and not with mod_ssl.
In the above example, -DEAPI seems to be missing from the CFLAGS and you should
also make sure that mod_ssl is applied before php (you're probably already
doing this, and just cut out that part :)
Another and usually much easier way would be to build php as a shared module:

$ cd mod_ssl

$ ./configure \
   --with-apache=../apache_1.3.x \
   --with-ssl=../openssl-0.9.x \
   --enable-shared=ssl
$ cd ../apache_1.3.x
$ make
$ make install
$ cd ../php-x
$ ./configure \
   --with-apxs=/path/to/apache/bin/apxs
$ make
$ make install

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: module mod_define.c: not found in module list

2000-07-11 Thread Mads Toftum

On Tue, Jul 11, 2000 at 09:06:29AM -0400, Dave Reichard wrote:
> The following error messages are showing up in my apache error_logs.
> Does anyone have an idea on what may be causing this, and if so how do I
> fix the problem?
>
> [Mon Jul 10 18:00:01 2000] [notice] SIGHUP received.  Attempting to
> restart
> [Mon Jul 10 18:00:01 2000] [error] Cannot remove module mod_define.c:
> not found in module list

Hmmm - this seems very much like a problem that has nothing to do with
mod_ssl, and is OT for this list. The right place for this kind of
question would be in news://comp.infosystems.www.servers.unix
But most likely it is just a case of having an AddModule but no LoadModule
(or the other way around) for mod_define.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Failed to generate temporary 512 bit RSA private key

2000-07-11 Thread Silesky Marketing Inc, Support

Hello,

I get this error message when I start apache after installing modssl:
"Failed to generate temporary 512 bit RSA private key"

I have looked in the archive and found people having the same problem... but
no answer.



How can I fix this ?



Thank you very much,



Laurent









Re: which port ? 80 or 443

2000-07-11 Thread Paul


--- Danilo Nascimento [EMAIL PROTECTED] wrote:
 From: "Yu, Leo" [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
 CC: "Yu, Leo" [EMAIL PROTECTED]
 Subject: which port ? 80 or 443
 Date: Mon, 10 Jul 2000 12:30:40 -0700
  Hi,
  I  configure a  Linux system to run Apache and Jserv and SSL. 
  The server is listening to both port 80 and port 443 (for SSL).
  I have a servlet running on the system to print out which port is
  request is coming form
  The problem is no matter what port ( 80 or 443 ) the URL
  request is coming in.  The servlet always prints out port 80.
  I use the gerServerPort() function of the request
  object to retrieve the port number.
  Any idea why ?  Does Apache need to have port 80 open always ?
Thanks!
 Leo
 Hi Leo, but what´s your Test URL?
 This question can sound strange, but i have saw many users testing
 SSL connections using a HTTP URL!
 Bye, Danilo.

A little added clarification -- HTTP always comes through port 80 by
default; httpS comes through port 443.

Paul




RE: which port ? 80 or 443

2000-07-11 Thread Craig Skelton

No, apache doesn't need to listen on port 80. Try this:

BindAddress 139.142.87.53
<IfDefine SSL>
Listen 443
</IfDefine>

Start apache using 'apachectl startssl'.

Next, make sure all your users connect to the servlet using
https://yourdomain.com/servlets/test

I tried the getServerPort() under this config and it worked for me.

Cheers,
Craig Skelton

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Danilo Nascimento
Sent: July 11, 2000 10:25 AM
To: [EMAIL PROTECTED]
Subject: Re: which port ? 80 or 443





From: "Yu, Leo" [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
CC: "Yu, Leo" [EMAIL PROTECTED]
Subject: which port ? 80 or 443
Date: Mon, 10 Jul 2000 12:30:40 -0700


   Hi,
  I  configure a  Linux system to run Apache and Jserv and SSL.  The
server is listening to both port 80
 and port 443 (for SSL).

  I have a servlet running on the system to print out which port is
request is coming form

  The problem is no matter what port ( 80 or 443 ) the URL request is
coming in.  The servlet always
  prints out port 80.  I use the gerServerPort() function of the
request
object to retrieve the port number.


  Any idea why ?  Does Apache need to have port 80 open always ?

   Thanks!

Leo
Hi Leo, but what´s your Test URL?
This question can sound strange, but i have saw many users testing SSL
connections using a HTTP URL!

Bye, Danilo.


___
Analista de Sistemas
São Paulo - Brasil





2 - Failed to generate temporary 512 bit RSA private key

2000-07-11 Thread Silesky Marketing Inc, Support

Thank you very much,

but we still couldn't make it work.

We made sure the PRNG has been seeded with at least 128 bits of randomness.

The error message is still there. How can we fix that ?

Thanks,

Laurent

- Original Message -
From: "Mads Toftum" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 11, 2000 11:28 AM
Subject: Re: Failed to generate temporary 512 bit RSA private key


 On Tue, Jul 11, 2000 at 11:15:22AM -0400, Silesky Marketing Inc, Support
wrote:
  Hello,
 
  I get this error message when i start apache after installing modssl :
  "Failed to generate temporary 512 bit RSA private key"
 
  I have looked in the archive and found people having the same problem...
but
  no answer.
 
 Hm - I know that I've answered this several times, and that the
answers
 are there... it is also in the FAQ:
 http://www.modssl.org/docs/2.6/ssl_faq.html#ToC15 and
 http://www.openssl.org/support/faq.html#6

 vh

 Mads Toftum
 --
 `Darn it, who spiked my coffee with water?!' - lwall




Opinions, please

2000-07-11 Thread Diana Moreland

In looking at my configuration, I noticed that I did not have DSO
support enabled and I'm not sure that SSL is enabled correctly.  I'm
thinking about reconfiguring and recompiling Apache with the following
parameters:

SSL_BASE="/usr/local/src/openssl-0.9.5a" \
RSA_BASE="/usr/local/src/rsaref-2.0/local" \
./configure \
"--prefix=/usr/local/apache" \
"--with-layout=Apache" \
"--enable-module=most" \
"--enable-shared=max" \
"--enable-module=ssl" \
"--enable-shared=ssl"  \
"--disable-rule=SSL_COMPAT"

Can you folks see any glaring errors in this configuration?  Please let
me know what you think.

Thanks,
Diana




RE: SSL configuration with Apache

2000-07-11 Thread David Rees

Remember that when you do an "apachectl startssl", it adds the
argument -DSSL.  So if you do a "httpd -DSSL -l", you should see ssl in
there.

-Dave

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Diana Moreland
 Sent: Tuesday, July 11, 2000 8:07 AM
 To: [EMAIL PROTECTED]
 Subject: SSL configuration with Apache


 Hi everybody,

 I followed all the instructions for installing modssl but I'm not
 confident that everything is where it's supposed to be.  When I issue
 the apachectl startssl command, the daemon starts but I'm not sure that
 SSL is actually enabled.

 When I do a httpd -l, I get this:
 Compiled-in modules:
   http_core.c
   mod_env.c
   mod_log_config.c
   mod_mime.c
   mod_negotiation.c
   mod_include.c
   mod_dir.c
   mod_cgi.c
   mod_asis.c
   mod_imap.c
   mod_actions.c
   mod_userdir.c
   mod_alias.c
   mod_access.c
   mod_auth.c
   mod_browser.c

 I don't see modssl.c in the list.  Listed below are the changes I made
 to the httpd.conf file to accomodate SSL:

 SSLRANDOMSEED startup egd:/etc/entropy
 SSLRANDOMSEED connect builtin

 SSLProtocol -all +SSLv2
 SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP

 Also:
 Port 80
 Listen 80
 Listen 443

 Is there something else I need to do to the conf file?

 Thanks in advance,
 Diana




Re: SSL configuration with Apache

2000-07-11 Thread Diana Moreland

Thanks for the suggestion.  However, when I did it, I got this:

httpd -DSSL -l
httpd: illegal option -- D
Usage: httpd [-d directory] [-f file] [-v] [-h] [-l]
-d directory : specify an alternate initial ServerRoot
-f file : specify an alternate ServerConfigFile
-v : show version number
-h : list directives
-l : list modules

I tried it again without the minus (httpd DSSL -l) and just got the module
list I got before.  SSL didn't show up.

David Rees wrote:

 Remember that when you do a "apachectl startssl", it adds the
 argument -DSSL.  So if you do a "httpd -DSSL -l", you should see ssl in
 there.

 -Dave

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]On Behalf Of Diana Moreland
  Sent: Tuesday, July 11, 2000 8:07 AM
  To: [EMAIL PROTECTED]
  Subject: SSL configuration with Apache
 
 
  Hi everybody,
 
  I followed all the instructions for installing modssl but I'm not
  confident that everything is where it's supposed to be.  When I issue
  the apachectl startssl command, the daemon starts but I'm not sure that
  SSL is actually enabled.
 
  When I do a httpd -l, I get this:
  Compiled-in modules:
http_core.c
mod_env.c
mod_log_config.c
mod_mime.c
mod_negotiation.c
mod_include.c
mod_dir.c
mod_cgi.c
mod_asis.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_access.c
mod_auth.c
mod_browser.c
 
  I don't see modssl.c in the list.  Listed below are the changes I made
  to the httpd.conf file to accomodate SSL:
 
  SSLRANDOMSEED startup egd:/etc/entropy
  SSLRANDOMSEED connect builtin
 
  SSLProtocol -all +SSLv2
  SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
 
  Also:
  Port 80
  Listen 80
  Listen 443
 
  Is there something else I need to do to the conf file?
 
  Thanks in advance,
  Diana
 



Re: 2 - Failed to generate temporary 512 bit RSA private key

2000-07-11 Thread Lutz Jaenicke

On Tue, Jul 11, 2000 at 11:52:32AM -0400, Silesky Marketing Inc, Support wrote:
 Thank you very much,
 
 but we still couldn't make it work.
 
 We made sure the PRNG has been seeded with at least 128 bits of randomness.
 
 The error message is still there. How can we fix that ?

Please make sure to check _all_ logfiles, there is especially the
ssl_engine_log.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Re: 2 - Failed to generate temporary 512 bit RSA private key

2000-07-11 Thread Silesky Marketing Inc, Support

The ssl_engine_log is empty

any idea ?

Thanks,

Laurent

- Original Message -
From: "Lutz Jaenicke" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 11, 2000 2:06 PM
Subject: Re: 2 - Failed to generate temporary 512 bit RSA private key


 On Tue, Jul 11, 2000 at 11:52:32AM -0400, Silesky Marketing Inc, Support
wrote:
  Thank you very much,
 
  but we still couldn't make it work.
 
  We made sure the PRNG has been seeded with at least 128 bits of
randomness.
 
  The error message is still there. How can we fix that ?

 Please make sure to check _all_ logfiles, there is especially the
 ssl_engine_log.

 Best regards,
 Lutz
 --
 Lutz Jaenicke [EMAIL PROTECTED]
 BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
 Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
 Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



RE: SSL configuration with Apache

2000-07-11 Thread David Rees

Strange, what version of Apache are you using?  (httpd -v)

-Dave

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Diana Moreland
 Sent: Tuesday, July 11, 2000 10:45 AM
 To: [EMAIL PROTECTED]
 Subject: Re: SSL configuration with Apache


 Thanks for the suggestion.  However, when I did it, I got this:

 httpd -DSSL -l
 httpd: illegal option -- D
 Usage: httpd [-d directory] [-f file] [-v] [-h] [-l]
 -d directory : specify an alternate initial ServerRoot
 -f file : specify an alternate ServerConfigFile
 -v : show version number
 -h : list directives
 -l : list modules

 I tried it again without the minus (httpd DSSL -l) and just got the module
 list I got before.  SSL didn't show up.




Re: SSL configuration with Apache

2000-07-11 Thread Diana Moreland

1.3.12

David Rees wrote:

 Strange, what version of Apache are you using?  (httpd -v)

 -Dave

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]On Behalf Of Diana Moreland
  Sent: Tuesday, July 11, 2000 10:45 AM
  To: [EMAIL PROTECTED]
  Subject: Re: SSL configuration with Apache
 
 
  Thanks for the suggestion.  However, when I did it, I got this:
 
  httpd -DSSL -l
  httpd: illegal option -- D
  Usage: httpd [-d directory] [-f file] [-v] [-h] [-l]
  -d directory : specify an alternate initial ServerRoot
  -f file : specify an alternate ServerConfigFile
  -v : show version number
  -h : list directives
  -l : list modules
 
  I tried it again without the minus (httpd DSSL -l) and just got the module
  list I got before.  SSL didn't show up.




Re: Opinions, please

2000-07-11 Thread Diana Moreland

Great idea!  I tried it (after I downloaded and installed MM [thanks for the
tip]).

Everything seemed to go fine until I tried to start Apache.  It didn't know
what to do with the SSLRandomseed directive, plus it threw up on a couple of
other ones.

When I did an httpd -l after this compile, the only modules that showed up
were http_core.c and mod_so.c.  Am I right in assuming there's a bunch of
stuff  I need to change in the conf file using the LoadModule directive?  If
so, which modules do I load and in which order?

Thanks a bunch!
Diana

Mads Toftum wrote:

 On Tue, Jul 11, 2000 at 01:30:14PM -0400, Diana Moreland wrote:
  In looking at my configuration, I noticed that I did not have DSO
  support enabled and I'm not sure that SSL is enabled correctly.  I'm
  thinking about reconfiguring and recompiling Apache with the following
  parameters:
 
  SSL_BASE="/usr/local/src/openssl-0.9.5a" \
  RSA_BASE="/usr/local/src/rsaref-2.0/local" \
  ./configure \
  "--prefix=/usr/local/apache" \
  "--with-layout=Apache" \
  "--enable-module=most" \
  "--enable-shared=max" \
  "--enable-module=ssl" \
  "--enable-shared=ssl"  \
  "--disable-rule=SSL_COMPAT" \
 
  Can you folks see any glaring errors in this configuration?  Please let
  me know what you think.
 
 Hmmm - what about the options passed when you applied mod_ssl to Apache?
 You could just use "The All-In-One mod_ssl+APACI way [FOR JOE AVERAGE]:"
 and get it all in one go:

 $ cd mod_ssl-2.6.5
 $ ./configure \
 --with-apache=../apache_1.3.x \
 --with-ssl=/usr/local/src/openssl-0.9.5a \
 --with-rsa=/usr/local/src/rsaref-2.0/local \
 --prefix=/usr/local/apache \
 --with-layout=Apache \
 --enable-shared=ssl \
 --enable-module=most \
 --disable-rule=SSL_COMPAT \
 --enable-shared=max
 $ cd ../apache_1.3.x
 $ make
 $ make certificate
 $ make install

 (If I didn't do my cut'n paste wrong ;-)
 BTW: You may wish to try http://www.engelschall.com/sw/mm/ to increase
 performance

 vh

 Mads Toftum
 --
 `Darn it, who spiked my coffee with water?!' - lwall




SSLMutex

2000-07-11 Thread callen

Salut:

Arggg!
I have been mucking around with this error for quite some time and I
must be missing something!

[error] System: Permission denied (errno: 13)
[Tue Jul 11 13:52:18 2000] [error] mod_ssl: Child could not open
SSLMutex lockfile /django/opt/apache_1.3.12/logs/ssl_mutex.8681

as per faq the answer is:

"This is usually caused by to restrictive permissions on the parent
directories. Make sure that all parent directories (here /opt,
/opt/apache and /opt/apache/logs) have the
x-bit set at least for the UID under which Apache's children are
running"


How do I get the x-bit set for all of these directories? I am running
apache out of a non-standard directory:::/django/opt/apache_1.3.12

Is it a simple chmod -R +x apache_1.3.12/ ?? Do I need to specify that
the user is nobody?

Thanks for any pointers or Solutions!


-- 
 Christopher C.M. Allen
 http://design.driver8.org/  
 Email: [EMAIL PROTECTED] 
 Cell : 1.715.821.4006
 Home Phone: 1.715.426.6661



RE: SSLMutex

2000-07-11 Thread David Rees

Do this:

chmod 755 /django/opt/apache_1.3.12/logs/ssl_mutex*

Or even better, shut down Apache, delete all the ssl_mutex* files, and
restart.

The ssl_mutex files should be automatically created with the right
permissions.

Don't do a chmod -R +x apache_1.3.12, it's not a good idea.

-Dave

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of callen
 Sent: Tuesday, July 11, 2000 12:01 PM
 To: [EMAIL PROTECTED]
 Subject: SSLMutex


 Salut:

 Arggg!
 I have been mucking around with this error for quite some time and I
 must be missing something!

 [error] System: Permission denied (errno: 13)
 [Tue Jul 11 13:52:18 2000] [error] mod_ssl: Child could not open
 SSLMutex lockfile /django/opt/apache_1.3.12/logs/ssl_mutex.8681

 as per faq the answer is:

 "This is usually caused by to restrictive permissions on the parent
 directories. Make sure that all parent directories (here /opt,
 /opt/apache and /opt/apache/logs) have the
 x-bit set at least for the UID under which Apache's children are
 running"


 How do I get the x-bit set for all of these directories? I am running
 apache out of a non-standard directory:::/django/opt/apache_1.3.12

 Is it a simple chmod -R +x apache_1.3.12/ ?? Do I need to specify that
 the user is nobody?

 Thanks for any pointers or Solutions!


 --
Christopher C.M. Allen
http://design.driver8.org/
  Email: [EMAIL PROTECTED]
  Cell : 1.715.821.4006
  Home Phone: 1.715.426.6661



Re: SSLMutex

2000-07-11 Thread callen

David Rees wrote:

 Or even better, shutdown Apache, delete all the ssl_mutex* files, and
 restart.
 

 -Dave

David thanks, 

I did what you advised with shutting down and restarting:


Before start:


drwxrwxrwx   2 1078     nobody       1024 Jul 11 14:34 .
drwxr-xr-x  13 1078     1078         1024 Jul 11 13:18 ..
-rwxr-xr-x   1 root     nobody       3780 Jul 11 00:05 access_log
-rw-rw-r--   1 root     nobody      67019 Jul 11 14:31 error_log
-rw-rw-r--   1 root     root            1 Jul 11 14:32 ssl_engine_log


After start:

drwxrwxrwx   2 1078     nobody       1024 Jul 11 14:34 .
drwxr-xr-x  13 1078     1078         1024 Jul 11 13:18 ..
-rwxr-xr-x   1 root     nobody       3780 Jul 11 00:05 access_log
-rw-rw-r--   1 root     nobody      68946 Jul 11 14:34 error_log
-rw-r--r--   1 root     root            5 Jul 11 14:34 httpd.pid
-rw-rw-r--   1 root     root         2810 Jul 11 14:34 ssl_engine_log
-rw-------   1 nobody   root            0 Jul 11 14:34 ssl_mutex.9167
-rw-------   1 nobody   root            0 Jul 11 14:34 ssl_scache.dir
-rw-------   1 nobody   root            0 Jul 11 14:34 ssl_scache.pag


What's the deal?

After stop

drwxrwxrwx   2 1078     nobody       1024 Jul 11 14:35 .
drwxr-xr-x  13 1078     1078         1024 Jul 11 13:18 ..
-rwxr-xr-x   1 root     nobody       3780 Jul 11 00:05 access_log
-rw-rw-r--   1 root     nobody      91962 Jul 11 14:35 error_log
-rw-rw-r--   1 root     root        25250 Jul 11 14:35 ssl_engine_log



???

-- 
 Christopher C.M. Allen
 http://design.driver8.org/  
 Email: [EMAIL PROTECTED] 
 Cell : 1.715.821.4006
 Home Phone: 1.715.426.6661



RE: SSLMutex

2000-07-11 Thread David Rees

Hmmm, I just checked one of my mod_ssl installations, and the ssl_mutex file
does not have execute permissions on it, but everything seems to be working
properly.

What is the exact error message again?

-Dave

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of callen
 Sent: Tuesday, July 11, 2000 12:38 PM
 To: [EMAIL PROTECTED]
 Subject: Re: SSLMutex


 David Rees wrote:

  Or even better, shutdown Apache, delete all the ssl_mutex* files, and
  restart.
 

  -Dave

 David thanks,

 I did what you advised with shutting down and restarting:


 Before start:


 drwxrwxrwx   2 1078 nobody   1024 Jul 11 14:34 .
 drwxr-xr-x  13 1078 1078 1024 Jul 11 13:18 ..
 -rwxr-xr-x   1 root nobody   3780 Jul 11 00:05 access_log
 -rw-rw-r--   1 root nobody  67019 Jul 11 14:31 error_log
 -rw-rw-r--   1 root root1 Jul 11 14:32 ssl_engine_log


 After start:

 drwxrwxrwx   2 1078 nobody   1024 Jul 11 14:34 .
 drwxr-xr-x  13 1078 1078 1024 Jul 11 13:18 ..
 -rwxr-xr-x   1 root nobody   3780 Jul 11 00:05 access_log
 -rw-rw-r--   1 root nobody  68946 Jul 11 14:34 error_log
 -rw-r--r--   1 root root5 Jul 11 14:34 httpd.pid
 -rw-rw-r--   1 root root 2810 Jul 11 14:34 ssl_engine_log
 -rw---   1 nobody   root0 Jul 11 14:34 ssl_mutex.9167
 -rw---   1 nobody   root0 Jul 11 14:34 ssl_scache.dir
 -rw---   1 nobody   root0 Jul 11 14:34 ssl_scache.pag


 Whats the deal?

 After stop

 drwxrwxrwx   2 1078 nobody   1024 Jul 11 14:35 .
 drwxr-xr-x  13 1078 1078 1024 Jul 11 13:18 ..
 -rwxr-xr-x   1 root nobody   3780 Jul 11 00:05 access_log
 -rw-rw-r--   1 root nobody  91962 Jul 11 14:35 error_log
 -rw-rw-r--   1 root root25250 Jul 11 14:35 ssl_engine_log



 ???

 --
Christopher C.M. Allen
http://design.driver8.org/
  Email: [EMAIL PROTECTED]
  Cell : 1.715.821.4006
  Home Phone: 1.715.426.6661



Re: SSLMutex

2000-07-11 Thread callen

David Rees wrote:
 
 Hmmm, I just checked one of my mod_ssl installations, and the ssl_mutex file
 does not have execute permissions on it, but everything seems to be working
 properly.
 
 What is the exact error message again?
 

From error_log:

[Tue Jul 11 14:35:29 2000] [error] mod_ssl: Child could not open
SSLMutex lockfile /django/opt/apache_1.3.12/logs/ssl_mutex.9167 (System
error follows)
[Tue Jul 11 14:35:29 2000] [error] System: Permission denied (errno: 13)


Same error in the ssl_engine_log. 


I think I will try this:
http://marc.theaimsgroup.com/?l=apache-modssl&m=95371538631998&w=2
where this person changed user from nobody to another user in their
httpd.conf ...

But that seems extreme as this is a standard RH OS... with current
versions of apache, openssl
modssl, rsaref-2.0

???






 -Dave
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]On Behalf Of callen
  Sent: Tuesday, July 11, 2000 12:38 PM
  To: [EMAIL PROTECTED]
  Subject: Re: SSLMutex
 
 
  David Rees wrote:
 
   Or even better, shutdown Apache, delete all the ssl_mutex* files, and
   restart.
  
 
   -Dave
 
  David thanks,
 
  I did what you advised with shutting down and restarting:
 
 
  Before start:
 
 
  drwxrwxrwx   2 1078 nobody   1024 Jul 11 14:34 .
  drwxr-xr-x  13 1078 1078 1024 Jul 11 13:18 ..
  -rwxr-xr-x   1 root nobody   3780 Jul 11 00:05 access_log
  -rw-rw-r--   1 root nobody  67019 Jul 11 14:31 error_log
  -rw-rw-r--   1 root root1 Jul 11 14:32 ssl_engine_log
 
 
  After start:
 
  drwxrwxrwx   2 1078 nobody   1024 Jul 11 14:34 .
  drwxr-xr-x  13 1078 1078 1024 Jul 11 13:18 ..
  -rwxr-xr-x   1 root nobody   3780 Jul 11 00:05 access_log
  -rw-rw-r--   1 root nobody  68946 Jul 11 14:34 error_log
  -rw-r--r--   1 root root5 Jul 11 14:34 httpd.pid
  -rw-rw-r--   1 root root 2810 Jul 11 14:34 ssl_engine_log
  -rw---   1 nobody   root0 Jul 11 14:34 ssl_mutex.9167
  -rw---   1 nobody   root0 Jul 11 14:34 ssl_scache.dir
  -rw---   1 nobody   root0 Jul 11 14:34 ssl_scache.pag
 
 
  Whats the deal?
 
  After stop
 
  drwxrwxrwx   2 1078 nobody   1024 Jul 11 14:35 .
  drwxr-xr-x  13 1078 1078 1024 Jul 11 13:18 ..
  -rwxr-xr-x   1 root nobody   3780 Jul 11 00:05 access_log
  -rw-rw-r--   1 root nobody  91962 Jul 11 14:35 error_log
  -rw-rw-r--   1 root root25250 Jul 11 14:35 ssl_engine_log
 
 
 
  ???
 
  --
 Christopher C.M. Allen
 http://design.driver8.org/
   Email: [EMAIL PROTECTED]
   Cell : 1.715.821.4006
   Home Phone: 1.715.426.6661

-- 
 Christopher C.M. Allen
 http://design.driver8.org/  
 Email: [EMAIL PROTECTED] 
 Cell : 1.715.821.4006
 Home Phone: 1.715.426.6661



Re: 2 - Failed to generate temporary 512 bit RSA private key

2000-07-11 Thread Lutz Jaenicke

On Tue, Jul 11, 2000 at 02:16:11PM -0400, Silesky Marketing Inc, Support wrote:
 The ssl_engine_log is empty
 
 any idea ?

mod_ssl (2.6.5) will initialize the seed (ssl_engine_init.c:348), then
immediately call RSA_generate_key(). If this one fails, it will
die and log the contents of the error storage, pushed by RSA_generate_key().
I've never seen an OpenSSL routine that fails without message...

Good night,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Re: SSLMutex

2000-07-11 Thread Cliff Woolley



 [EMAIL PROTECTED] 07/11/00 03:00PM 
 [error] System: Permission denied (errno: 13)
 [Tue Jul 11 13:52:18 2000] [error] mod_ssl: Child could not open
 SSLMutex lockfile /django/opt/apache_1.3.12/logs/ssl_mutex.8681

 as per faq the answer is:

 "This is usually caused by to restrictive permissions on the parent
 directories. Make sure that all parent directories (here /opt,
 /opt/apache and /opt/apache/logs) have the
 x-bit set at least for the UID under which Apache's children are
 running"

 How do I get the x-bit set for all of these directories? I am running
 apache out of a non-standard directory:::/django/opt/apache_1.3.12

 Is it a simple chmod -R +x apache_1.3.12/ ?? Do I need to specify that
 the user is nobody?

All you have to do is set a+x for the directory where you put your ssl 
mutex and all its parent directories. So for you, you'd do something like 
this:

 chmod a+x /django
 chmod a+x /django/opt
 chmod a+x /django/opt/apache_1.3.12
 chmod a+x /django/opt/apache_1.3.12/logs

Hope this helps.

--Cliff

Cliff Woolley
Central Systems Software Administrator
Washington and Lee University
http://www.wlu.edu/~jwoolley/

Work: (540) 463-8089
Pager: (540) 462-2303
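
The a+x requirement on the lockfile's directory and all of its parents, discussed in this thread, can be checked before any mode is changed. The script below is an added example, not part of any poster's message or of mod_ssl; the function name dirs_missing_x is hypothetical, and it reads the mode string from ls -ld instead of testing access as a particular UID.

```shell
#!/bin/sh
# Added example (not from the thread): report which directories on the way
# to the SSLMutex lockfile are missing a search (x) bit, so that only those
# need "chmod a+x" instead of a recursive chmod over the whole tree.

# dirs_missing_x FILE
# Walks from FILE's directory up to / and prints "<dir> <mode>" for every
# directory whose user, group or other triplet lacks x. Prints nothing when
# the whole chain already satisfies a+x. The name is hypothetical.
dirs_missing_x() {
    dir=$(dirname -- "$1")
    while :; do
        # First 10 characters of ls -ld are the mode string, e.g. drwxr-xr-x
        mode=$(ls -ld -- "$dir" 2>/dev/null | cut -c1-10)
        if [ -z "$mode" ]; then
            echo "$dir (cannot stat)"
        else
            # Characters 4, 7 and 10 hold the x bit for user, group, other.
            # s and t mean setuid/setgid/sticky with x set; S and T mean
            # the special bit is set but x is not.
            bits=$(printf '%s' "$mode" | cut -c4,7,10)
            case $bits in
                [xs][xs][xt]) ;;
                *) echo "$dir $mode" ;;
            esac
        fi
        case $dir in
            /|.) break ;;
        esac
        dir=$(dirname -- "$dir")
    done
}

# Usage: sh check_mutex_path.sh /django/opt/apache_1.3.12/logs/ssl_mutex.8681
if [ "$#" -gt 0 ]; then
    dirs_missing_x "$1"
fi
```

Any directory it lists is a candidate for a single chmod a+x; the lockfile itself does not need an execute bit.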


Re: Opinions, please

2000-07-11 Thread Mads Toftum

On Tue, Jul 11, 2000 at 03:07:23PM -0400, Diana Moreland wrote:
 Great idea!  I tried it (after I downloaded and installed MM [thanks for the
 tip]).
 
 Everything seemed to go fine until I tried to start Apache.  It didn't know
 what to do with the SSLRandomseed directive, plus it threw up on a couple of
 other ones.
 
 When I did an httpd -l after this compile, the only modules that showed up
 were http_core.c and mod_so.c.  Am I right in assuming there's a bunch of
 stuff  I need to change in the conf file using the LoadModule directive?  If
 so, which modules do I load and in which order?
 
The easiest thing to do is to remove (or rename) any previous httpd.conf, then
you'll get a brand new one all ready for the basic options you compiled your 
server with - so that if you're using mod_so, then it will automagically add
LoadModule and AddModule for the relevant modules. It should also get the ssl
stuff more or less right. I'd say that my experience is that the basic httpd.conf
created by this procedure works well enough to at least get the server started 
straight out of the box nine out of ten times. If you do insist on doing it from
scratch then take a look at httpd.conf-dist from the Apache source tree and
at  pkg.sslcfg/sslcfg.patch from the mod_ssl source dir.


vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




[BugDB] unable to load certificate (PR#410)

2000-07-11 Thread modssl-bugdb

Full_Name: Doug Taylor
Version: 2.6.4-1.3.12
OS: Linux
Submission from: (NULL) (205.179.173.204)



Also using OpenSSL version 0.9.4 and Apache version 1.3.12.

I create a key pair (.key and .crt files) and update Apache to look for them. 
No problem, Apache works, SSL works, all is well.

I then use my .key file to create a .csr file and send it off to VeriSign.  They
send me back a file, which I install in place of the .crt file.  Apache won't
restart.

So I take a look at my original .crt file using the following command:
openssl x509 -noout -text -in /path/to/my/certificate.crt

And it outputs a list of information about the certificate.  No problem.  All is
working well.

Then I attempt the same command with my new .crt file, and get the following
output:

unable to load certificate
26265:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:610:

I have tried resolving this with VeriSign to no end.  All they will say is "look
at Apache/mod_ssl/OpenSSL documentation".  So I have done so (again) and still
can find no explanation of what might be causing this problem.  It almost seems
like they're sending me a bad file, but I've tried it 3 times (with three
different keys) and all come to the same result.

Any help appreciated, I don't really know where else to look...

Doug Taylor
Enabled Sites

