Re: prebuilt for Solaris 8
I successfully built on Solaris 8. Sorry, I do not know of a prebuilt binary. It was really quit easy to build myself though. Downloaded gcc from the sunfreeware.com site. Then: install rsaref cd openssl-0_9_5a (or to your openssl home dir) cp /rsaref home dir/source/rsaref.a librsaref.a (copy RSAREF library to openssl root dir) ./Configure rsaref solaris-sparcv9-gcc (notice the capital C in Configure, this lets you specify the gcc compiler) edit the resulting makefile to use gcc make make test make install Much success to you. Diana Shepard University of Colorado, Boulder At 11:18 PM 7/31/00 +0200, you wrote: >On Mon, Jul 31, 2000 at 05:01:48PM -0400, Kirk Benson wrote: > > Can anyone point me to a prebuilt binary distribution of Apache and modssl > > for Solaris 8/sparc? > > >There's been a couple of reports on the openssl lists that openssl doesn't >build on Solaris 8. I'm just doing some final testing on my Solaris 7 >packages which will be finished Real Soon Now(tm) (next week) - and unless >the package system has changed too much, then it would be fairly easy for >somebody with a solaris 8 box to use my template files to make a binary. > >vh > >Mads Toftum >-- >`Darn it, who spiked my coffee with water?!' - lwall > >__ >Apache Interface to OpenSSL (mod_ssl) www.modssl.org >User Support Mailing List [EMAIL PROTECTED] >Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: prebuilt for Solaris 8
> There's been a couple of reports on the openssl lists that openssl doesn't > build on Solaris 8. I'm just doing some final testing on my Solaris 7 > packages which will be finished Real Soon Now(tm) (next week) - and unless > the package system has changed too much, then it would be fairly easy for > somebody with a solaris 8 box to use my template files to make a binary. I have a solaris 8 box and just built openssl-0.9.4 + modssl-2.6.5 + apache 1.3.12 and they work fine. For that report, can someone please get me off this list? I've tried everything, including messages to owner etc. and no one every responds. Lynette Bellini Systems Administrator University of Minnesota __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Strange mod_ssl core dump
On Mon, Jul 24, 2000 at 09:12:20PM +0200, Martin Kraemer wrote: > Is there a known bug in Apache-1.3.12 + mod_ssl-2.6.4 which can cause a > core dump when accessing a typical page like https://servername/ Thanks for the tip. No, it's not Solaris, it's a mainframe OS (BS2000). The actual cause for the dump was that during patching, one mod_ssl patch got lost (because of local source differences), and the resulting Apache forgot to set the context in subrequests correctly. Sorry for bothering the list, Martin -- <[EMAIL PROTECTED]> | Fujitsu Siemens Fon: +49-89-636-46021, FAX: +49-89-636-41143 | 81730 Munich, Germany __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
SSL protection on different directory
Hi, How to configure the mod_ssl so that it can allow some of the directories to be SSL protected? I have tried configuring SSLRequireSSL and SSLRequire but failed. I ran the HTTP as well as HTTPS on one apache server. The situation is that there is a admin module in our system and everything under the /admin directory would be SSL protected. Would you suggest a method for configuration? Thank you very much.
Re: Problem with "Failed to generate temporary 512 bit RSAprivate key"
Lutz Jaenicke wrote: > On Mon, Jul 31, 2000 at 04:46:55PM +0900, Simon Dubey wrote: > > > /etc/entropy is not a plain file but a socket accross which mod_ssl and > > > EGD will communicate, so you have to instruct mod_ssl to use the egd interface. > > > SSLRandomSeed startup egd:/etc/entropy > > > ... > > > > > > Best regards, > > > Lutz > > > > Using mod_ssl-2.4.10-1.3.9 and openssl-0.9.5a gives the following error when using > > egd:/etc/entropy : > > > > SSLRandomSeed: source path '/opt/apache/egd:/etc/entropy' not exists > > > > All egc.pl tests work OK, openssl works OK > > According to the ChangeLog egd support was only added in mod_ssl-2.6.1. > Older versions of mod_ssl cannot handle EGD sockets. > Ah !!! I updated to Apache 1.3.12 and mod_ssl 2.6.5-1.3.12 and all my problems go away - no need for EGD even though system does not have /dev/random or /dev/urandom In shock Simon. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: prebuilt for Solaris 8
On Mon, Jul 31, 2000 at 05:31:40PM -0400, Kirk Benson wrote: > Can anyone point me to a prebuilt binary distribution of Apache > and modssl for Solaris 7/sparc? I'll have one next week - if that isn't too late for you (I've actually already got a 2.6.4 package, but it has some nonstandard file locations that we use internally). > > OTOH, I've downloaded all of the necessary tarballs, so maybe I should just > dive into a scratch build myself. > That shouldn't be too hard - let me know if you need any help building it. The "The All-In-One mod_ssl+APACI way [FOR JOE AVERAGE]" method usually works quite fine - make sure that you get the MM package also ... --enable-shared=max and --enable-module=most are usually nice too. vh Mads Toftum -- `Darn it, who spiked my coffee with water?!' - lwall __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: prebuilt for Solaris 8
Thanks for the info on openssl (I'm not subscribed on that list). I'm working on a "clean" machine, and we can reinstall Solaris 7 on it w/o any problem. So now the question is: Can anyone point me to a prebuilt binary distribution of Apache and modssl for Solaris 7/sparc? OTOH, I've downloaded all of the necessary tarballs, so maybe I should just dive into a scratch build myself. cheers Kirk > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]]On Behalf Of Mads Toftum > Sent: Monday, July 31, 2000 5:18 PM > To: [EMAIL PROTECTED] > Subject: Re: prebuilt for Solaris 8 > > > On Mon, Jul 31, 2000 at 05:01:48PM -0400, Kirk Benson wrote: > > Can anyone point me to a prebuilt binary distribution of Apache > and modssl > > for Solaris 8/sparc? > > > There's been a couple of reports on the openssl lists that > openssl doesn't > build on Solaris 8. I'm just doing some final testing on my Solaris 7 > packages which will be finished Real Soon Now(tm) (next week) - > and unless > the package system has changed too much, then it would be fairly easy for > somebody with a solaris 8 box to use my template files to make a binary. > > vh > > Mads Toftum > -- > `Darn it, who spiked my coffee with water?!' - lwall > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: prebuilt for Solaris 8
On Mon, Jul 31, 2000 at 05:01:48PM -0400, Kirk Benson wrote: > Can anyone point me to a prebuilt binary distribution of Apache and modssl > for Solaris 8/sparc? > There's been a couple of reports on the openssl lists that openssl doesn't build on Solaris 8. I'm just doing some final testing on my Solaris 7 packages which will be finished Real Soon Now(tm) (next week) - and unless the package system has changed too much, then it would be fairly easy for somebody with a solaris 8 box to use my template files to make a binary. vh Mads Toftum -- `Darn it, who spiked my coffee with water?!' - lwall __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
prebuilt for Solaris 8
Can anyone point me to a prebuilt binary distribution of Apache and modssl for Solaris 8/sparc? Kirk Benson __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Still MSIE
Please refer to the FAQ: http://www.modssl.org/docs/2.6/ssl_faq.html#ToC48 In short, adding the lines: SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP in the appropriate section should fix all known problems with MSIE. -Dave > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]]On Behalf Of Hugues Pisapia > Sent: Monday, July 31, 2000 3:49 AM > To: [EMAIL PROTECTED] > Subject: Still MSIE > > > > Hi! > > I've seen in the mailing list archive that turning SSLProtocols > to SSLv2 resolved > the problem with IE. But, SSLv2 is known to be weak, isn't it? So > does it exist > a finer tunning to use SSLv3 with IE? > > Best Regards. > > -- > ( )- Hugues Pisapia -( ) > /~\ [EMAIL PROTECTED] /~\ > | \)http://linuxfr.org/ DaLinuxFrenchPage (/ | > \_|_ Bienvenue dans la vie.org _|_/ > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Frames & Javascript -> insecure?
--- Lee Feigenbaum <[EMAIL PROTECTED]> wrote: > the page gives the warning > "this page contains both secure and insecure elements" This will happen if ANYTHING is accessed by a nonsecure protocol, even so much as a single banner from another site. You did say all links were relative, though Anything offsite being accessed through that JS? Or maybe are you loading images for flyover changes? That *might* count as nonsecure, though I don't know the internal implementation __ Do You Yahoo!? Kick off your party with Yahoo! Invites. http://invites.yahoo.com/ __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Still MSIE
Hi! I've seen in the mailing list archive that turning SSLProtocols to SSLv2 resolved the problem with IE. But, SSLv2 is known to be weak, isn't it? So does it exist a finer tunning to use SSLv3 with IE? Best Regards. -- ( )- Hugues Pisapia -( ) /~\ [EMAIL PROTECTED] /~\ | \)http://linuxfr.org/ DaLinuxFrenchPage (/ | \_|_ Bienvenue dans la vie.org _|_/ __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: : : apache+modssl+... got SEGVs
Hi! Thanks a lot everybody! I did not think my question would raise such an issue :) Indeed, i resolved my problem finding something strange : I made a backtrace and i found that : | Current directory is /usr/sbin/ | GNU gdb 19991004 | [snip] | This GDB was configured as "i386-redhat-linux"... | (no debugging symbols found)... | (gdb) set args -X | (gdb) run | Starting program: /usr/sbin/httpd -X | | Program received signal SIGSEGV, Segmentation fault. | 0x4048d9b8 in ?? () from /usr/lib/libcrypto.so.0 | (gdb) bt | #0 0x4048d9b8 in ?? () from /usr/lib/libcrypto.so.0 | #1 0x404b67c0 in ?? () from /usr/lib/libcrypto.so.0 | #2 0x404b691a in ?? () from /usr/lib/libcrypto.so.0 | #3 0x404b72a6 in ?? () from /usr/lib/libcrypto.so.0 | #4 0x4033afce in ssl_rand_seed () from /usr/lib/apache/libssl.so | #5 0x40338e68 in ssl_hook_NewConnection () from /usr/lib/apache/libssl.so | #6 0x805ab53 in ap_start_restart () | #7 0x805b913 in ap_child_terminate () | #8 0x805baa7 in ap_child_terminate () | #9 0x805bba8 in ap_child_terminate () | #10 0x805c058 in ap_child_terminate () | #11 0x805c65f in main () | #12 0x400bb9cb in __libc_start_main (main=0x805c3e0 , argc=2, | argv=0xb954, init=0x804f014 <_init>, fini=0x807b99c <_fini>, | rtld_fini=0x4000ae60 <_dl_fini>, stack_end=0xb94c) | at ../sysdeps/generic/libc-start.c:92 | (gdb) Quite strange eh?! So i switched SSLRandomSeed from 'builtin' to 'file:/dev/urandom 512' and it worked fine. This segfault was triggered by a request made by MSIE after 3 or 4 requests to a dummy page. Hope this helps. Regards. -- ( )- Hugues Pisapia -( ) /~\ [EMAIL PROTECTED] /~\ | \)http://linuxfr.org/ DaLinuxFrenchPage (/ | \_|_ Bienvenue dans la vie.org _|_/ __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Problem with "Failed to generate temporary 512 bit RSAprivatekey"
[EMAIL PROTECTED] wrote: > Simon, > If you created the file $HOME/.rnd Check > you don't need the entropy daemon, > you can disable it. Check > Change SSLRandomSeed back to the default settings > SSLRandomSeed startup builtin AND SSLRandomSeed connect builtin. Check > > I assume that when you created the .rnd file that you were successful > in generating your key and cert. Check > Now you just need to make sure your SSL > Directives are OK. ie make the change noted above. Check > > This is the easiest way I know to get this to work. I haven't > bothered playing around with the entropy daemon, i am sure it works fine, > but this will get you going initally. > Still no go :-( Simon. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Problem with "Failed to generate temporary 512 bit RSAprivate key"
On Mon, Jul 31, 2000 at 04:46:55PM +0900, Simon Dubey wrote: > > /etc/entropy is not a plain file but a socket accross which mod_ssl and > > EGD will communicate, so you have to instruct mod_ssl to use the egd interface. > > SSLRandomSeed startup egd:/etc/entropy > > ... > > > > Best regards, > > Lutz > > Using mod_ssl-2.4.10-1.3.9 and openssl-0.9.5a gives the following error when using > egd:/etc/entropy : > > SSLRandomSeed: source path '/opt/apache/egd:/etc/entropy' not exists > > All egc.pl tests work OK, openssl works OK According to the ChangeLog egd support was only added in mod_ssl-2.6.1. Older versions of mod_ssl cannot handle EGD sockets. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Problem with "Failed to generate temporary 512 bit RSAprivate key"
> /etc/entropy is not a plain file but a socket accross which mod_ssl and > EGD will communicate, so you have to instruct mod_ssl to use the egd interface. > SSLRandomSeed startup egd:/etc/entropy > ... > > Best regards, > Lutz Using mod_ssl-2.4.10-1.3.9 and openssl-0.9.5a gives the following error when using egd:/etc/entropy : SSLRandomSeed: source path '/opt/apache/egd:/etc/entropy' not exists All egc.pl tests work OK, openssl works OK Regards Simon. > > -- > Lutz Jaenicke [EMAIL PROTECTED] > BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ > Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 > Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Problem with "Failed to generate temporary 512 bit RSAprivate key"
On Mon, Jul 31, 2000 at 01:01:08PM +0900, Simon Dubey wrote: > - change SSLRandomSeed in httpd.conf to SSLRandomSeed startup > file:/etc/entropy 512 and SSLRandomSeed connect file:/etc/entropy 512 > - cursed alot /etc/entropy is not a plain file but a socket accross which mod_ssl and EGD will communicate, so you have to instruct mod_ssl to use the egd interface. SSLRandomSeed startup egd:/etc/entropy ... Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Problem with "Failed to generate temporary 512 bit RSAprivate key"
Simon, If you created the file $HOME/.rnd you don't need the entropy daemon, you can disable it. Change SSLRandomSeed back to the default settings SSLRandomSeed startup builtin AND SSLRandomSeed connect builtin. I assume that when you created the .rnd file that you were successful in generating your key and cert. Now you just need to make sure your SSL Directives are OK. ie make the change noted above. This is the easiest way I know to get this to work. I haven't bothered playing around with the entropy daemon, i am sure it works fine, but this will get you going initally. Good luck.. Mark Simon Dubey <[EMAIL PROTECTED]> on 07/31/2000 02:01:08 PM Please respond to [EMAIL PROTECTED] To: [EMAIL PROTECTED] cc: Subject: Re: Problem with "Failed to generate temporary 512 bit RSAprivate key" OK I think some-one is going to have to speak to me like I am an idiot (I certainly feel like one at the moment). What I have done is (from the beginning) : - installed openssl - installed mod-ssl - installed jserv - installed apache OK now I encountered above mentioned error, so I : - got feedback from this NG - installed egd (socket is /etc/entropy) - started egd - created $HOME/.rnd - recreated test key and certificate - change SSLRandomSeed in httpd.conf to SSLRandomSeed startup file:/etc/entropy 512 and SSLRandomSeed connect file:/etc/entropy 512 - cursed alot Please tell me what am I missing (not understanding) - do I need to re-install openssl, mod-ssl and apache after downloading egd - do I need to curse more ??? am I hitting the keybaord too hard ?? Regards Simon. [EMAIL PROTECTED] wrote: > Simon, > > You need to create a file called $HOME/.rnd, open it with your editor > and enter in random key strokes. Enter a few lines of random data. This > is the easiest way to get it to work. Then run "openssl genrsa .../etc." > to generate your key file pair. > Cheers > Mark Jackson > [EMAIL PROTECTED] > > Simon Dubey <[EMAIL PROTECTED]> on 07/31/2000 01:00:47 PM > > Please respond to [EMAIL PROTECTED] > > To: [EMAIL PROTECTED] > cc: > Subject: Re: Problem with "Failed to generate temporary 512 bit RSA > private key" > > Mads Toftum wrote: > > > On Fri, Jul 28, 2000 at 06:01:33PM +0900, Simon Dubey wrote: > > > Hello > > > > > > I have just installed mod-ssl on a solaris /sparc machine and get the > > > above error. > > > > > > I have read the FAQ and tried to following what it is suggesting with > > > $HOME/.rnd but do not quite follow it - well what I did, did not work. > > > > > > I have also tried truerand as well but that did not work either. > > > > > Also check http://www.openssl.org/support/faq.html#6 and > > http://www.openssl.org/docs/crypto/RAND_egd.html > > > > OK - so I have installed egd - what do I have to do to get mod_ssl to use > it > ? > > I have it running with socket parameter of /etc/entropy and tried setting > SSLRandomSeed to this value. > > Please help > > Simon. > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > > ** > Important Note > This email (including any attachments) contains information which is > confidential and may be subject to legal privilege. If you are not > the intended recipient you must not use, distribute or copy this > email. If you have received this email in error please notify the > sender immediately and delete this email. Any views expressed in this > email are not necessarily the views of AXA. Thank you. > ** > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] ** Important Note This email (including any attachments) contains information which is confidential and may be subject to legal privilege. If you are not the intended recipient you must not use, distribute or copy this email. If you have received this email in error please notify the sender immediately and delete this email. Any views expressed in this email are not necessarily the views of AXA. Thank you. ** ___
