Re: prebuilt for Solaris 8

2000-07-31 Thread Diana Shepard

I successfully built on Solaris 8.  Sorry, I do not know of
a prebuilt binary.

It was really quit easy to build myself though.  Downloaded gcc from
the sunfreeware.com site.  Then:

install rsaref

cd openssl-0_9_5a  (or to your openssl home dir)

cp /rsaref home dir/source/rsaref.a librsaref.a  (copy RSAREF library to 
openssl root dir)
./Configure rsaref solaris-sparcv9-gcc  (notice the capital C in Configure, 
this lets you specify the gcc compiler)

edit the resulting makefile to use gcc
make
make test
make install

Much success to you.

 Diana Shepard
 University of Colorado, Boulder



At 11:18 PM 7/31/00 +0200, you wrote:
>On Mon, Jul 31, 2000 at 05:01:48PM -0400, Kirk Benson wrote:
> > Can anyone point me to a prebuilt binary distribution of Apache and modssl
> > for Solaris 8/sparc?
> >
>There's been a couple of reports on the openssl lists that openssl doesn't
>build on Solaris 8. I'm just doing some final testing on my Solaris 7
>packages which will be finished Real Soon Now(tm) (next week)  - and unless
>the package system has changed too much, then it would be fairly easy for
>somebody with a solaris 8 box to use my template files to make a binary.
>
>vh
>
>Mads Toftum
>--
>`Darn it, who spiked my coffee with water?!' - lwall
>
>__
>Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
>User Support Mailing List  [EMAIL PROTECTED]
>Automated List Manager[EMAIL PROTECTED]

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: prebuilt for Solaris 8

2000-07-31 Thread Lynette Bellini


> There's been a couple of reports on the openssl lists that openssl doesn't 
> build on Solaris 8. I'm just doing some final testing on my Solaris 7
> packages which will be finished Real Soon Now(tm) (next week)  - and unless 
> the package system has changed too much, then it would be fairly easy for
> somebody with a solaris 8 box to use my template files to make a binary.

I have a solaris 8 box and just built openssl-0.9.4 + modssl-2.6.5 +
apache 1.3.12 and they work fine.

For that report, can someone please get me off this list? I've tried
everything, including messages to owner etc. and no one every
responds.

Lynette Bellini
Systems Administrator
University of Minnesota
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: Strange mod_ssl core dump

2000-07-31 Thread Martin Kraemer

On Mon, Jul 24, 2000 at 09:12:20PM +0200, Martin Kraemer wrote:
> Is there a known bug in Apache-1.3.12 + mod_ssl-2.6.4 which can cause a
> core dump when accessing a typical page like https://servername/

Thanks for the tip. No, it's not Solaris, it's a mainframe OS (BS2000).
The actual cause for the dump was that during patching, one mod_ssl patch
got lost (because of local source differences), and the resulting Apache
forgot to set the context in subrequests correctly.

Sorry for bothering the list,

Martin
-- 
<[EMAIL PROTECTED]> | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-41143 | 81730  Munich,  Germany
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



SSL protection on different directory

2000-07-31 Thread Bryan



 Hi,
 
    How to configure the mod_ssl so that it can 
allow some of the directories to be SSL protected? I have tried configuring 
SSLRequireSSL and SSLRequire but failed. I ran the HTTP as well as HTTPS on one 
apache server.
 
    The situation is that there is a admin 
module in our system and everything under the /admin directory would be SSL 
protected. Would you suggest a method for configuration?
 
 
 Thank you very much.


Re: Problem with "Failed to generate temporary 512 bit RSAprivate key"

2000-07-31 Thread Simon Dubey
Lutz Jaenicke wrote:

> On Mon, Jul 31, 2000 at 04:46:55PM +0900, Simon Dubey wrote:
> > > /etc/entropy is not a plain file but a socket accross which mod_ssl and
> > > EGD will communicate, so you have to instruct mod_ssl to use the egd interface.
> > >   SSLRandomSeed startup egd:/etc/entropy
> > > ...
> > >
> > > Best regards,
> > > Lutz
> >
> > Using mod_ssl-2.4.10-1.3.9 and openssl-0.9.5a gives the following error when using
> > egd:/etc/entropy :
> >
> > SSLRandomSeed: source path '/opt/apache/egd:/etc/entropy' not exists
> >
> > All egc.pl tests work OK, openssl works OK
>
> According to the ChangeLog egd support was only added in mod_ssl-2.6.1.
> Older versions of mod_ssl cannot handle EGD sockets.
>

Ah !!! I updated to Apache 1.3.12 and mod_ssl 2.6.5-1.3.12 and all my problems go away 
-
no need for EGD even though system does not have /dev/random or /dev/urandom

In shock
Simon.

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


Re: prebuilt for Solaris 8

2000-07-31 Thread Mads Toftum

On Mon, Jul 31, 2000 at 05:31:40PM -0400, Kirk Benson wrote:
> Can anyone point me to a prebuilt binary distribution of Apache
> and modssl for Solaris 7/sparc?

I'll have one next week - if that isn't too late for you (I've actually
already got a 2.6.4 package, but it has some nonstandard file locations that
we use internally).
> 
> OTOH, I've downloaded all of the necessary tarballs, so maybe I should just
> dive into a scratch build myself.
> 
That shouldn't be too hard - let me know if you need any help building it.
The "The All-In-One mod_ssl+APACI way [FOR JOE AVERAGE]" method usually works
quite fine - make sure that you get the MM package also ... --enable-shared=max
and --enable-module=most are usually nice too.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: prebuilt for Solaris 8

2000-07-31 Thread Kirk Benson

Thanks for the info on openssl (I'm not subscribed on that list).

I'm working on a "clean" machine, and we can reinstall Solaris 7 on it w/o
any problem.

So now the question is:

Can anyone point me to a prebuilt binary distribution of Apache
and modssl for Solaris 7/sparc?

OTOH, I've downloaded all of the necessary tarballs, so maybe I should just
dive into a scratch build myself.

cheers
Kirk

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Mads Toftum
> Sent: Monday, July 31, 2000 5:18 PM
> To: [EMAIL PROTECTED]
> Subject: Re: prebuilt for Solaris 8
>
>
> On Mon, Jul 31, 2000 at 05:01:48PM -0400, Kirk Benson wrote:
> > Can anyone point me to a prebuilt binary distribution of Apache
> and modssl
> > for Solaris 8/sparc?
> >
> There's been a couple of reports on the openssl lists that
> openssl doesn't
> build on Solaris 8. I'm just doing some final testing on my Solaris 7
> packages which will be finished Real Soon Now(tm) (next week)  -
> and unless
> the package system has changed too much, then it would be fairly easy for
> somebody with a solaris 8 box to use my template files to make a binary.
>
> vh
>
> Mads Toftum
> --
> `Darn it, who spiked my coffee with water?!' - lwall
>
> __
> Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
> User Support Mailing List  [EMAIL PROTECTED]
> Automated List Manager[EMAIL PROTECTED]
>

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: prebuilt for Solaris 8

2000-07-31 Thread Mads Toftum

On Mon, Jul 31, 2000 at 05:01:48PM -0400, Kirk Benson wrote:
> Can anyone point me to a prebuilt binary distribution of Apache and modssl
> for Solaris 8/sparc?
> 
There's been a couple of reports on the openssl lists that openssl doesn't 
build on Solaris 8. I'm just doing some final testing on my Solaris 7
packages which will be finished Real Soon Now(tm) (next week)  - and unless 
the package system has changed too much, then it would be fairly easy for
somebody with a solaris 8 box to use my template files to make a binary.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



prebuilt for Solaris 8

2000-07-31 Thread Kirk Benson

Can anyone point me to a prebuilt binary distribution of Apache and modssl
for Solaris 8/sparc?

Kirk Benson

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Still MSIE

2000-07-31 Thread David Rees

Please refer to the FAQ:

http://www.modssl.org/docs/2.6/ssl_faq.html#ToC48

In short, adding the lines:

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

in the appropriate section should fix all known problems with MSIE.

-Dave

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Hugues Pisapia
> Sent: Monday, July 31, 2000 3:49 AM
> To: [EMAIL PROTECTED]
> Subject: Still MSIE
> 
> 
> 
> Hi!
> 
> I've seen in the mailing list archive that turning SSLProtocols 
> to SSLv2 resolved
> the problem with IE. But, SSLv2 is known to be weak, isn't it? So 
> does it exist
> a finer tunning to use SSLv3 with IE?
> 
> Best Regards.
> 
> -- 
>  ( )-   Hugues Pisapia -( )
>  /~\ [EMAIL PROTECTED] /~\
> |  \)http://linuxfr.org/ DaLinuxFrenchPage (/  |
>  \_|_  Bienvenue dans la vie.org   _|_/
> 
> __
> Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
> User Support Mailing List  [EMAIL PROTECTED]
> Automated List Manager[EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: Frames & Javascript -> insecure?

2000-07-31 Thread Paul


--- Lee Feigenbaum <[EMAIL PROTECTED]> wrote:
> the page gives the warning
> "this page contains both secure and insecure elements" 

This will happen if ANYTHING is accessed by a nonsecure protocol, even
so much as a single banner from another site.

You did say all links were relative, though
Anything offsite being accessed through that JS?
Or maybe are you loading images for flyover changes?
That *might* count as nonsecure, though I don't know the internal implementation

__
Do You Yahoo!?
Kick off your party with Yahoo! Invites.
http://invites.yahoo.com/
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Still MSIE

2000-07-31 Thread Hugues Pisapia


Hi!

I've seen in the mailing list archive that turning SSLProtocols to SSLv2 resolved
the problem with IE. But, SSLv2 is known to be weak, isn't it? So does it exist
a finer tunning to use SSLv3 with IE?

Best Regards.

-- 
 ( )-   Hugues Pisapia -( )
 /~\ [EMAIL PROTECTED] /~\
|  \)http://linuxfr.org/ DaLinuxFrenchPage (/  |
 \_|_  Bienvenue dans la vie.org   _|_/

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: : : apache+modssl+... got SEGVs

2000-07-31 Thread Hugues Pisapia


Hi!

Thanks a lot everybody! I did not think my question would raise such an issue :)

Indeed, i resolved my problem finding something strange : I made a backtrace and
i found that :
| Current directory is /usr/sbin/
| GNU gdb 19991004
| [snip]
| This GDB was configured as "i386-redhat-linux"...
| (no debugging symbols found)...
| (gdb) set args -X
| (gdb) run
| Starting program: /usr/sbin/httpd -X
| 
| Program received signal SIGSEGV, Segmentation fault.
| 0x4048d9b8 in ?? () from /usr/lib/libcrypto.so.0
| (gdb) bt
| #0  0x4048d9b8 in ?? () from /usr/lib/libcrypto.so.0
| #1  0x404b67c0 in ?? () from /usr/lib/libcrypto.so.0
| #2  0x404b691a in ?? () from /usr/lib/libcrypto.so.0
| #3  0x404b72a6 in ?? () from /usr/lib/libcrypto.so.0
| #4  0x4033afce in ssl_rand_seed () from /usr/lib/apache/libssl.so
| #5  0x40338e68 in ssl_hook_NewConnection () from /usr/lib/apache/libssl.so
| #6  0x805ab53 in ap_start_restart ()
| #7  0x805b913 in ap_child_terminate ()
| #8  0x805baa7 in ap_child_terminate ()
| #9  0x805bba8 in ap_child_terminate ()
| #10 0x805c058 in ap_child_terminate ()
| #11 0x805c65f in main ()
| #12 0x400bb9cb in __libc_start_main (main=0x805c3e0 , argc=2, 
| argv=0xb954, init=0x804f014 <_init>, fini=0x807b99c <_fini>, 
| rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xb94c)
| at ../sysdeps/generic/libc-start.c:92
| (gdb) 

Quite strange eh?!
So i switched SSLRandomSeed from 'builtin' to 'file:/dev/urandom 512' and
it worked fine. This segfault was triggered by a request made by MSIE after
3 or 4 requests to a dummy page.

Hope this helps.

Regards.

-- 
 ( )-   Hugues Pisapia -( )
 /~\ [EMAIL PROTECTED] /~\
|  \)http://linuxfr.org/ DaLinuxFrenchPage (/  |
 \_|_  Bienvenue dans la vie.org   _|_/

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: Problem with "Failed to generate temporary 512 bit RSAprivatekey"

2000-07-31 Thread Simon Dubey


[EMAIL PROTECTED] wrote:

> Simon,
>  If you created the file $HOME/.rnd

Check

> you don't need the entropy daemon,
> you can disable it.

 Check

> Change SSLRandomSeed back to the default settings
> SSLRandomSeed startup builtin AND SSLRandomSeed connect builtin.

Check

>
>  I assume that when you created the .rnd file that you were successful
> in generating your key and cert.

Check

> Now you just need to make sure your SSL
> Directives are OK. ie make the change noted above.

Check

>
>  This is the easiest way I know to get this to work.  I haven't
> bothered playing around with the entropy daemon, i am sure it works fine,
> but this will get you going initally.
>

Still no go :-(

Simon.

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


Re: Problem with "Failed to generate temporary 512 bit RSAprivate key"

2000-07-31 Thread Lutz Jaenicke

On Mon, Jul 31, 2000 at 04:46:55PM +0900, Simon Dubey wrote:
> > /etc/entropy is not a plain file but a socket accross which mod_ssl and
> > EGD will communicate, so you have to instruct mod_ssl to use the egd interface.
> >   SSLRandomSeed startup egd:/etc/entropy
> > ...
> >
> > Best regards,
> > Lutz
> 
> Using mod_ssl-2.4.10-1.3.9 and openssl-0.9.5a gives the following error when using
> egd:/etc/entropy :
> 
> SSLRandomSeed: source path '/opt/apache/egd:/etc/entropy' not exists
> 
> All egc.pl tests work OK, openssl works OK

According to the ChangeLog egd support was only added in mod_ssl-2.6.1.
Older versions of mod_ssl cannot handle EGD sockets.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: Problem with "Failed to generate temporary 512 bit RSAprivate key"

2000-07-31 Thread Simon Dubey
> /etc/entropy is not a plain file but a socket accross which mod_ssl and
> EGD will communicate, so you have to instruct mod_ssl to use the egd interface.
>   SSLRandomSeed startup egd:/etc/entropy
> ...
>
> Best regards,
> Lutz

Using mod_ssl-2.4.10-1.3.9 and openssl-0.9.5a gives the following error when using
egd:/etc/entropy :

SSLRandomSeed: source path '/opt/apache/egd:/etc/entropy' not exists

All egc.pl tests work OK, openssl works OK

Regards Simon.


>
> --
> Lutz Jaenicke [EMAIL PROTECTED]
> BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
> __
> Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
> User Support Mailing List  [EMAIL PROTECTED]
> Automated List Manager[EMAIL PROTECTED]

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


Re: Problem with "Failed to generate temporary 512 bit RSAprivate key"

2000-07-31 Thread Lutz Jaenicke

On Mon, Jul 31, 2000 at 01:01:08PM +0900, Simon Dubey wrote:
> - change SSLRandomSeed in httpd.conf to SSLRandomSeed startup
> file:/etc/entropy 512 and SSLRandomSeed connect file:/etc/entropy 512
> - cursed alot

/etc/entropy is not a plain file but a socket accross which mod_ssl and
EGD will communicate, so you have to instruct mod_ssl to use the egd interface.
  SSLRandomSeed startup egd:/etc/entropy
...

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: Problem with "Failed to generate temporary 512 bit RSAprivate key"

2000-07-31 Thread mjackson

Simon,
 If you created the file $HOME/.rnd you don't need the entropy daemon,
you can disable it.  Change SSLRandomSeed back to the default settings
SSLRandomSeed startup builtin AND SSLRandomSeed connect builtin.
 I assume that when you created the .rnd file that you were successful
in generating your key and cert.  Now you just need to make sure your SSL
Directives are OK. ie make the change noted above.
 This is the easiest way I know to get this to work.  I haven't
bothered playing around with the entropy daemon, i am sure it works fine,
but this will get you going initally.

 Good luck..
Mark






Simon Dubey <[EMAIL PROTECTED]> on 07/31/2000 02:01:08 PM

Please respond to [EMAIL PROTECTED]

To:   [EMAIL PROTECTED]
cc:
Subject:  Re: Problem with "Failed to generate temporary 512 bit RSAprivate
  key"




OK I think some-one is going to have to speak to me like I am an idiot (I
certainly feel like one at the moment).

What I have done is (from the beginning) :
- installed openssl
- installed mod-ssl
- installed jserv
- installed apache

OK now I encountered above mentioned error, so I :
- got feedback from this NG
- installed egd (socket is /etc/entropy)
- started egd
- created $HOME/.rnd
- recreated test key and certificate
- change SSLRandomSeed in httpd.conf to SSLRandomSeed startup
file:/etc/entropy 512 and SSLRandomSeed connect file:/etc/entropy 512
- cursed alot

Please tell me what am I missing (not understanding) - do I need to
re-install
openssl, mod-ssl and apache after downloading egd  - do I need to curse
more ??? am I hitting the keybaord too hard ??

Regards Simon.

[EMAIL PROTECTED] wrote:

> Simon,
>
>  You need to create a file called $HOME/.rnd, open it with your
editor
> and enter in random key strokes.  Enter a few lines of random data.  This
> is the easiest way to get it to work.  Then run "openssl genrsa .../etc."
> to generate your key file pair.
> Cheers
> Mark Jackson
> [EMAIL PROTECTED]
>
> Simon Dubey <[EMAIL PROTECTED]> on 07/31/2000 01:00:47 PM
>
> Please respond to [EMAIL PROTECTED]
>
> To:   [EMAIL PROTECTED]
> cc:
> Subject:  Re: Problem with "Failed to generate temporary 512 bit RSA
>   private key"
>
> Mads Toftum wrote:
>
> > On Fri, Jul 28, 2000 at 06:01:33PM +0900, Simon Dubey wrote:
> > > Hello
> > >
> > > I have just installed mod-ssl on a solaris /sparc machine and get the
> > > above error.
> > >
> > > I have read the FAQ and tried to following what it is suggesting with
> > > $HOME/.rnd but do not quite follow it - well what I did, did not
work.
> > >
> > > I have also tried truerand as well but that did not work either.
> > >
> > Also check http://www.openssl.org/support/faq.html#6 and
> > http://www.openssl.org/docs/crypto/RAND_egd.html
> >
>
> OK - so I have installed egd - what do I have to do to get mod_ssl to use
> it
> ?
>
> I have it running with socket parameter of /etc/entropy and tried setting
> SSLRandomSeed to this value.
>
> Please help
>
> Simon.
>
> __
> Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
> User Support Mailing List  [EMAIL PROTECTED]
> Automated List Manager[EMAIL PROTECTED]
>
> **
> Important Note
> This email (including any attachments) contains information which is
> confidential and may be subject to legal privilege.  If you are not
> the intended recipient you must not use, distribute or copy this
> email.  If you have received this email in error please notify the
> sender immediately and delete this email. Any views expressed in this
> email are not necessarily the views of AXA.   Thank you.
> **
> __
> Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
> User Support Mailing List  [EMAIL PROTECTED]
> Automated List Manager[EMAIL PROTECTED]

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]






**
Important Note
This email (including any attachments) contains information which is 
confidential and may be subject to legal privilege.  If you are not 
the intended recipient you must not use, distribute or copy this 
email.  If you have received this email in error please notify the 
sender immediately and delete this email. Any views expressed in this 
email are not necessarily the views of AXA.   Thank you.
**
___