Can't get https connections to work DSA Server certificate?

2000-08-03 Thread [EMAIL PROTECTED]

[03/Aug/2000 01:55:29 13696] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too restrictive SSLCipherSuite or using DSA server certificate?]

Both netscape and ie4 fail to contact using https - netscape says 'no
common encryption algorithms' 

I am using apache 3.1.12 with the corresponding ssl_mod and the latest
openssl.

I also have a certificate from Thawte...

Any help would be greatly appreciated.

Andrew

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



httpd dies on restart with SSL defined

2000-08-03 Thread Robert stutes

I am running Apache 1.3.12 with MOD_SSL 2.6.5-1.3.12. and OpenSSL
0.9.5a.

When I start apache without the -DSSL option, I can successfully
"apachectl restart" the server with no problem.  If I start apache WITH
-DSSL, a restart will cause all the daemon processes to just die.

I cannot find any core files to help with diagnosing the problem nor are
there any log entries in the httpd logs of syslog.

BTW, the SSL facility works just fine, I just can't restart the server
with -DSSL defined.

Also, does MOD_SSL use port 216 for anything?  I am seeing the httpd
listening on port 216 but I have not defined this port anywhere in the
httpd.conf file (at least I can't find it anywhere).

Environment:
OS: HPUX 11.00
Hardware: HP N4000 (PA-RISC 8xxx 32/64 bit chip set)
Memory: 8GB 
Disk: more than I need (GIGS..)

any suggestions?

TIA!

-- 
Robert T. Stutes

Robert Stutes
Senior Unix Administrator
Phoenix Networks, Inc.  http://www.phoenixdsl.com

Toll Free (877) 7DSL-NOW - Direct (314) 983-6161 - Fax (314) 983-7100




Unable to Contact the server Configured thru JSSE1.0.1

2000-08-03 Thread Sai Krishnan . K.


Hi,
    I am trying to run an Apache server with SSL support and access this server using JSSE.
    I have installed the following components in my RedHat5.2 machine: apache-1.3.12 + mod_ssl-2.6.5-1.3.12 + openssl-0.9.5a. I followed the installation instructions given on the modssl web-site and installed them, and when I connected to it via Netscape I am able to get the It-Worked! page.
    Then I tried to connect to this SSL server from a sample program for JSSE, which is below:
import java.io.*;
import java.net.*;
import java.security.Security;
import javax.net.ssl.*;

public class PrintSession {
    public static void main(String[] args) throws IOException {
        // Connect to the web server.
        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault()
            .createSocket(args[0], Integer.parseInt(args[1]));
        // What's the cipher suite?
        System.out.println(s.getSession().getCipherSuite());
        // Clean up.
        s.close();
    }
}
And I get the following output:
    SSL_NULL_WITH_NULL_NULL
But when I try to connect to some site like www.sun.com:443 I am getting a proper response like
    SSL_RSA_EXPORT_WITH_RC4_40_MD5
I am getting the same error whether it is using RSA or DSA (not possible to connect through Netscape). And even when I downloaded rsaref20.tar.Z and installed everything fresh I am facing the same problem.
And in the Apache logs I get these messages after each request,
in error_log:
[Fri Aug  4 11:09:27 2000] [error] mod_ssl: SSL handshake failed (server krishnan.ramana.india.adventnet.com:8443, client 192.168.5.8) (OpenSSL library error follows)
[Fri Aug  4 11:09:27 2000] [error] OpenSSL: error:14094416::lib(20) :func(148) :reason(1046)
and in ssl_engine_log:
[04/Aug/2000 11:09:26 10481] [info]  Connection to child 7 established (server krishnan.ramana.india.adventnet.com:8443, client 192.168.5.8)
[04/Aug/2000 11:09:26 10481] [info]  Seeding PRNG with 1160 bytes of entropy
[04/Aug/2000 11:09:27 10481] [error] SSL handshake failed (server krishnan.ramana.india.adventnet.com:8443, client 192.168.5.8) (OpenSSL library error follows)
[04/Aug/2000 11:09:27 10481] [error] OpenSSL: error:14094416::lib(20) :func(148) :reason(1046)
When I use the following program, which performs a handshake:
import java.io.*;
import java.net.*;
import java.security.Security;
import javax.net.ssl.*;

public class HandShake {
    public static void main(String[] args) throws IOException {
        Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());
        // Connect to the web server.
        SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault()
            .createSocket("krishnan", 8443);
        // Add a handshake listener.
        s.addHandshakeCompletedListener(new HandshakeCompletedListener() {
            public void handshakeCompleted(HandshakeCompletedEvent hce) {
                System.out.println("Handshake:");
                System.out.println("  " + hce.getCipherSuite());
            }
        });
        // Force the handshake.
        s.startHandshake();
        // Clean up.
        s.close();
    }
}
 
I am getting this exception:

Exception in thread "main" javax.net.ssl.SSLException: untrusted server cert chain
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Compiled Code)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.a(Compiled Code)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Compiled Code)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Compiled Code)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Compiled Code)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(Compiled Code)
    at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Compiled Code)
    at java.io.OutputStream.write(Compiled Code)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Compiled Code)
    at HandShake.main(Compiled Code)

with the same logs,
 
Is there any help reference to interpret these error message codes easily?
 
Thanks,
Sai.
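The packed codes in these logs (error:1408A0C1 in the first post of this digest, error:14094416 here) can be split by hand: in OpenSSL 0.9.x the eight hex digits are an 8-bit library id, a 12-bit function id and a 12-bit reason id, and a reason above 1000 is a TLS alert received from the peer (1000 + the alert number). The decoder below is an added example, not code from the list or from mod_ssl/OpenSSL; it assumes that layout and that alert rule, takes the names for function ids 138 and 148 from the log lines quoted in this thread, and uses a sample log constructed from them. For the 14094416 line it yields alert 46 (certificate_unknown) sent by the client, which is the server-side view of the "untrusted server cert chain" exception above.

```python
# Decode the packed 'error:XXXXXXXX' codes OpenSSL 0.9.x writes into mod_ssl logs.
# Added example (not from the list posts or from mod_ssl/OpenSSL).
import re

# OpenSSL 0.9.x packs an error as 8-bit library id, 12-bit function id and
# 12-bit reason id, printed as eight hex digits: LLFFFRRR.
ERR_CODE_RE = re.compile(r"error:([0-9A-Fa-f]{8})")
# mod_ssl's "SSL handshake failed" line names the peers of the connection.
PEER_RE = re.compile(r"\(server ([^,]+), client ([^)]+)\)")

LIB_NAMES = {20: "SSL routines"}
SSL_FUNC_NAMES = {
    138: "SSL3_GET_CLIENT_HELLO",  # 0x08A, named in the error:1408A0C1 line
    148: "SSL3_READ_BYTES",        # 0x094, func(148) in the error:14094416 line
}
SSL_REASON_NAMES = {193: "no shared cipher"}  # 0x0C1
# An alert received from the peer is reported as 1000 + the TLS alert
# number (RFC 2246, section 7.2): the reason then says what the *other*
# side refused, not what this server found wrong.
AD_REASON_OFFSET = 1000
TLS_ALERT_NAMES = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}


def split_code(code_hex):
    """Return (lib, func, reason) from an eight-hex-digit OpenSSL error code."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def describe_reason(reason):
    """Name a reason id, translating the 1000+ range back to a TLS alert."""
    if reason in SSL_REASON_NAMES:
        return SSL_REASON_NAMES[reason]
    if reason > AD_REASON_OFFSET:
        alert = reason - AD_REASON_OFFSET
        return "peer sent alert %d (%s)" % (
            alert, TLS_ALERT_NAMES.get(alert, "unknown alert"))
    return "reason(%d)" % reason


def decode(code_hex):
    """Map one packed code to its numeric ids and best-effort names."""
    lib, func, reason = split_code(code_hex)
    return {
        "code": code_hex.upper(),
        "lib": lib, "func": func, "reason": reason,
        "lib_name": LIB_NAMES.get(lib, "lib(%d)" % lib),
        "func_name": SSL_FUNC_NAMES.get(func, "func(%d)" % func),
        "reason_name": describe_reason(reason),
        # True when the peer, not this server, aborted the handshake.
        "peer_rejected": reason > AD_REASON_OFFSET,
    }


def decode_log(text):
    """Decode every OpenSSL error in a chunk of mod_ssl log, keeping the
    server/client pair from the most recent handshake-failed line."""
    results = []
    server = client = None
    for line in text.splitlines():
        peer = PEER_RE.search(line)
        if peer:
            server, client = peer.group(1), peer.group(2)
        for code_hex in ERR_CODE_RE.findall(line):
            entry = decode(code_hex)
            entry.update(server=server, client=client)
            results.append(entry)
    return results


# Constructed sample, modelled on the lines quoted in this thread.
SAMPLE_LOG = """\
[03/Aug/2000 01:55:29 13696] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
[04/Aug/2000 11:09:27 10481] [error] SSL handshake failed (server krishnan.ramana.india.adventnet.com:8443, client 192.168.5.8) (OpenSSL library error follows)
[04/Aug/2000 11:09:27 10481] [error] OpenSSL: error:14094416::lib(20) :func(148) :reason(1046)
"""

if __name__ == "__main__":
    for e in decode_log(SAMPLE_LOG):
        print("%s: %s / %s / %s (client %s)" % (
            e["code"], e["lib_name"], e["func_name"], e["reason_name"], e["client"]))
```

The same split applies to the error:14094412 line later in this digest, which comes out as alert 42 (bad_certificate) sent by the Netscape client.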


no shared cipher after usual MSIE fix OpenSSL/0.9.4, mod_ssl/2.6.2

2000-08-03 Thread Ben Hyde


Sorry for the hit and run Question, it's hard to search
for questions like this one:

When I set up the usual MSIE FAQ recommendation...

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

in each of my vhosts running "Apache/1.3.12 (Unix) mod_ssl/2.6.2 
OpenSSL/0.9.4 ApacheJServ/1.1.2"  I get "no shared cipher", other
than the DSA certificate thang is there something obvious I
should have figured out myself?

 - ben




One more time -- How do I set up a redirect or error page for < 128-bit connections

2000-08-03 Thread [EMAIL PROTECTED]

I didn't see any replies to this the first time (and I still haven't 
figured it), so let's try again...

I have my server configured to only accept 128-bit+ SSL/TLS connections.

How can I configure things to display an error page or do a redirect if a 
user attempts to connect at a lower encryption level?  I had this working 
with Apache-SSL by intercepting the "403" error and displaying an error 
page.  However, I recently switched to mod_ssl and this trick does not work.

The examples I have seen show how to set up different levels of encryption 
for different directories, but this is not what I need.  I need to display 
an error page for anyone who attempts a low-encryption connection on any page.

Thanks,

Jeff 



Certificate revocation ignored?

2000-08-03 Thread Dag Legernæs

Hi,

I'm testing the use of revocation lists in mod-ssl, using the
SSLCARevocationFile directive in httpd.conf.
Apache/mod-ssl is set up to require client authentication, and should reject
client certificates which have been revoked.

When I issue my own certificates and CRLs using the OpenSSL command line
tool, everything works as expected;
that is, access is denied when the certificate has been revoked.

However, the "real" users will be issued certificates (on smart cards,
incidentally) from our own CA.
These are standard X509v3 certificates, and I can see no significant
differences when I compare them to test certs 
generated by OpenSSL. Our own certificates work fine for client
authentication, but when I revoke one of them and add
the corresponding CRL to the SSLCARevocationFile, the client cert is still
considered valid.

No errors or warning messages are produced, even with SSLLogLevel set to
"trace".
I have tested this on both WinNT and AIX and observed the same behaviour on
both platforms.

When comparing our own CRLs to those generated by OpenSSL, the only
difference I can see is that the signature 
algorithm used by OpenSSL is md5RSA, while we sign our CRLs using sha1RSA.
They are both standard V1 CRLs.

All relevant issuer certificates are present in the SSLCACertificateFile
(otherwise, client authentication would not have worked)...

Questions:

1) Are there any specific requirements concerning attributes/extensions in
   the user or CA certificates that must be observed for CRL checking to work?
2) Are there any specific requirements concerning CRL signature algorithm?
3) Any other possible reason why CRL checking would be skipped for a
   particular certificate, given that a valid CRL is present?
4) Does mod_ssl handle Version 2 CRLs?
5) What is mod_ssl's defined behaviour when a CRL is present but has expired?

In case anyone should feel like looking into this matter, I enclose samples
of certificates/CRLs


Cert/CRL issued by OpenSSL tool:
===

CRL Issued by OpenSSL where the above certificate has been revoked


The certificate in this case works for client authentication until revoked.


Cert/CRL issued by our own CA:



This certificate works for client authentication, even _after_ it has bee

Re: Segmentation fault (11) when using DSO support, works as static

2000-08-03 Thread Michael Hojnowski

David (& gang),

Well, AIX doesn't support the -KPIC or -fPIC options.  I'm not finding any 
tracks of someone building OPENSSL with DSO on AIX.  I guess I'll have to 
figure out how to build it as a DSO myself.

Thanks,
Mike


At 03:14 PM 8/2/00 -0500, David Talkington wrote:
>
>
>mod_ssl documentation at
>
>http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL
>
>has this to say:
>
>"Additionally OpenSSL has problems under DSO situations on some
>platforms. For instance under smart ix86 platforms like Linux
>and FreeBSD when you compile a the standard OpenSSL
>libcrypto.a/libssl.a libraries and link those to a mod_ssl DSO
>libssl.so all works fine.  While on other platforms like Solaris
>2.6 on a SPARC OpenSSL's code will dump core under run-time.
>When this is the case for you, then try to recompile OpenSSL
>with Position Independent Code (PIC) by adding a `-fPIC' (for
>GCC) or `-KPIC' (for SVR4-style compilers) to the platform
>configuration line in OpenSSL's `Configure' script.  The
>-fPIC option above when you build OpenSSL."
>
>
>--
>David Talkington
>Community Networking Initiative
>[EMAIL PROTECTED]
>244-1962
>
>Michael Hojnowski wrote:
>
> >Hi gang,
> >
> >It seems like this should be FAQ, but I can't find an answer.  I've looked
> >through the mail list archives.  I'm running:
> >
> >   AIX 4.3.2
> >   AIX C compiler 3.6.4.0
> >   Apache 1.3.12
> >   mod_ssl 2.6.5-1.3.12
> >   mod_perl 1.22
> >   openssl 0.9.5.a
> >
> >I can build this whole deal static, and everything works.  SSL works fine
> >on my HTTPS port.
> >
> >After some fuss, I am also able to build it all as a DSO.  I had to
> >manually twiddle a Perl makefile to get it to build.
> >
> >As a DSO, Apache starts fine:
> >
> >   [notice] Apache/1.3.12 (Unix) ApacheJServ/1.1.1 mod_perl/1.22
> >mod_ssl/2.6.5 OpenSSL/0.9.5a configured --
> >   resuming normal operations
> >
> >but when I connect to the HTTPS port, I get:
> >
> >   [notice] child pid 42032 exit signal Segmentation fault (11)
> >
> >I found a hint suggesting building mod_ssl with
> >"--enable-rule=SSL_SDBM".  That did not help.
> >
> >I also tried building just mod_ssl in as a static, with the rest
> >dynamic.  I have the same problem.  It seems I have to make my entire
> >apache build static to have mod_ssl work.
> >
> >I don't seem to be getting a core dump.  I haven't done enough research to
> >figure out how to turn one on yet.  Any help would be appreciated.
> >
> >Thanks,
> >Mike
> >---
> >Michael Hojnowski - Sr Prog/Analyst - Cornell University   (607) 
> 255-7407
> >[EMAIL PROTECTED]: http://mqh.cit.cornell.edu/~mqh/ Fax:  (607) 
> 255-8521
> >PGP Public Key: Can be found on my home page
> >
>

---
Michael Hojnowski - Sr Prog/Analyst - Cornell University (607) 255-7407
[EMAIL PROTECTED]: http://mqh.cit.cornell.edu/~mqh/  Fax:  (607) 255-8521
PGP Public Key: Can be found on my home page




Re: spurious SSL handshake interrupt / msie / possible lead!

2000-08-03 Thread Mads Toftum

On Thu, Aug 03, 2000 at 09:53:34AM -0700, David Rees wrote:
> 
> Upgrading to 2.6.5, but keep in mind that there is a known bug in 2.6.5
> which prevents restarts when mod_ssl is compiled statically into Apache.  If

That would be _graceful restart_ - if you're doing a plain restart, then there
is no problem.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




[BugDB] PRIVATE: SSL handshake failed (PR#436)

2000-08-03 Thread modssl-bugdb

Full_Name: Deidy Rosales
Version: 2.6.5-1.3.12
OS: FreeBSD 3.4
Submission from: (NULL) (192.231.90.254)


I can successfully compile and run OpenSSL 0.9.5, Apache 1.3.12 with 
mod_perl 1.24, and mod_ssl 2.6.5-1.3.12. Though when trying to 
establish a secured connection from Netscape 4.08 under Windows NT 
the handshake fails. And I get the message below:

"The security library has experienced an out of memory error. Please try to reconnect."

When I access the same https://url with MSIE5 everything 
works fine.

ssl_engine_log:

[03/Aug/2000 14:22:42 25572] [info]  Connection to child 0 established (server fbsd1.advtech.uswest.com:443, client 130.13.41.141)
[03/Aug/2000 14:22:42 25572] [info]  Seeding PRNG with 1160 bytes of entropy
[03/Aug/2000 14:22:43 25572] [error] SSL handshake failed (server fbsd1.advtech.uswest.com:443, client 130.13.41.141) (OpenSSL library error follows)
[03/Aug/2000 14:22:43 25572] [error] OpenSSL: error:14094412::lib(20) :func(148):reason(1042)







ssl_scache

2000-08-03 Thread Paul

I have my session caching set to about 5 minutes, and now it's working
*but* -- I've had some trouble getting the system to *keep* the
ssl_scache file.  At this point I have a nightly process doing a
">>ssl_scache.pag" and ">>ssl_scache.dir" and "chmod 777
ssl_scache.???", but that certainly doesn't seem to be the optimal
solution.  Never mind the security problem with the 777 mode, why
should I have to keep manually creating the file every night?  How was
it getting deleted, or the permissions changed?  Has anybody else seen
anything like this, or is it just another ridiculous quirk of this old
system on which I work?




RE: spurious SSL handshake interrupt / msie / possible lead!

2000-08-03 Thread David Rees

> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Simon Weijgers
>
> I'm getting spurious SSL handshake interrupts with MSIE (a lot with MSIE4
> (I tried 4.72.3110.4 and 4.72.3612.1713) and sometimes with MSIE
> 5.00.2614.3500). But this is old news. What I discovered today is that if I
> disable the session cache (SSLSessionCache none) none of the above clients
> can make SSL connections at all to my server (a spurious SSL handshake
> interrupt error in the ssl_engine_log for all the requests).
> Netscape, of course, still works fine.
>
> I run apache 1.3.12/mod_ssl-2.6.2 as shipped with Red Hat 6.2.
>
> I'm going to upgrade to 2.6.5 and see if that improves anything.

I'm betting that it won't, but there are other bug fixes included that
you'll want anyway.

Do you have the lines:

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

in your httpd.conf?
You can read more about it here:
http://www.modssl.org/docs/2.6/ssl_faq.html#ToC48

Upgrading to 2.6.5, but keep in mind that there is a known bug in 2.6.5
which prevents restarts when mod_ssl is compiled statically into Apache.  If
you need to compile mod_ssl statically into Apache, I have a patch, email me
for it.

-Dave




Re: Running Apache+mod_ssl as an NT service

2000-08-03 Thread Mads Toftum

On Thu, Aug 03, 2000 at 02:01:02PM +0100, Steve Hay wrote:
> 
> This outputs the following line (once) to ppfilter.txt when starting as a
> Console App, and the same (also once) when trying to start as a Service:
> 
> Called with arguments: pilchard.uk.radan.com:443, RSA.
> 
> So the program DOES get called, and with the same arguments too!

Cool, then at least that is not what happens.
> 
> Perhaps the Apache Service doesn't pick up the STDOUT from the program
> properly? 

That would be my second guess. It shouldn't be too hard to debug if
you've got a compiler nearby. In the file ssl_engine_pphrase.c - 
http://www.modssl.org/source/cvs/exp/mod_ssl/pkg.mod_ssl/pkg.sslmod/ssl_engine_pphrase.c?rev=1.31&hideattic=1&sortbydate=0
look for "   * Filter program" - you could just change that block
to log some or all of the variables available - the ssl_log function
would be an easy way.

I just looked a bit back in the cvs logs ... the diff between versions
1.30 and 1.31 of that file has a small change to handle a path 
with ' ' differently - does your path contain a space?
Going back even further might also provide some ideas.


vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: Running Apache+mod_ssl as an NT service

2000-08-03 Thread Steve Hay

Mads Toftum wrote:

> I know next to nothing about NT, but I've sort of got a feeling that
> this has to do with something being different in what is being
> passed to your ppfilter when it is being run as a service. How
> about having that program make a small logfile, where it prints
> the contents of @ARGV ? Does the program even run at all?

I changed the ppfilter.pl program to:

if (scalar @ARGV == 2 and $ARGV[0] =~ /pilchard/i and $ARGV[0] =~ /443/
    and $ARGV[1] =~ /rsa/i) {
    print "ntpc99\n";
    open FH, '>>D:\tmp\ppfilter.txt' or exit 1;
    print FH 'Called with arguments: ' . join(', ', @ARGV) . ".\n";
    close FH;
}
else {
    exit 2;
}

This outputs the following line (once) to ppfilter.txt when starting as a
Console App, and the same (also once) when trying to start as a Service:

Called with arguments: pilchard.uk.radan.com:443, RSA.

So the program DOES get called, and with the same arguments too!

Perhaps the Apache Service doesn't pick up the STDOUT from the program
properly?  Kirk Benson's patch which I needed to get SSLPassPhraseDialog
working at all was to do with child processes not correctly inheriting
STDOUT/STDERR, and his e-mail at the time (2000-05-10 18:17:44) mentioned
something about him not being sure what was supposed to happen when
running as a Service.

> It might also be worth a try to look through apache.org's new-httpd
> mailing list archives from june and july - there's been some
> discussion on how to make Apache work a bit better as an NT service
> (I don't know enough about NT to tell if those are related).

I'll have a look at this when I get a chance.

Thanks,

Steve Hay





Re: Running Apache+mod_ssl as an NT service

2000-08-03 Thread Mads Toftum

I know next to nothing about NT, but I've sort of got a feeling that 
this has to do with something being different in what is being 
passed to your ppfilter when it is being run as a service. How
about having that program make a small logfile, where it prints
the contents of @ARGV ? Does the program even run at all?
It might also be worth a try to look through apache.org's new-httpd
mailing list archives from June and July - there's been some 
discussion on how to make Apache work a bit better as an NT service
(I don't know enough about NT to tell if those are related).

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




spurious SSL handshake interrupt / msie / possible lead!

2000-08-03 Thread Simon Weijgers

Hi,

I'm getting spurious SSL handshake interrupts with MSIE (a lot with MSIE4
(I tried 4.72.3110.4 and 4.72.3612.1713) and sometimes with MSIE
5.00.2614.3500). But this is old news. What I discovered today is that if I
disable the session cache (SSLSessionCache none) none of the above clients
can make SSL connections at all to my server (a spurious SSL handshake
interrupt error in the ssl_engine_log for all the requests).
Netscape, of course, still works fine.

I run apache 1.3.12/mod_ssl-2.6.2 as shipped with Red Hat 6.2.

I'm going to upgrade to 2.6.5 and see if that improves anything.

Regards,

Simon Weijgers




Re: Running Apache+mod_ssl as an NT service

2000-08-03 Thread Steve Hay

Jan Dries wrote:

> Steve Hay wrote:
> >
> > I still can't get Apache+mod_ssl running as a service under NT.
> >
> > When trying to start the service I either get "Error 1067: The process
> > terminated unexpectedly" or else my machine hangs completely.
>
> What happens here is probably that Apache spawns a child process, and
> subsequently it dies, after which Apache will spawn a new process that
> again dies etc. I've seen this a few times on my machine when playing
> with Apache + NT Service. The real nice thing is when the service is on
> automatic, because then it will hang your machine as soon as you reboot
> it.
>
> What are the log files saying?

Nothing at all is written to error.log or access.log.

Adding the configuration lines:

    SSLLog      logs/ssl_error.log
    SSLLogLevel debug

to my httpd.conf file I get the following lines written into ssl_error.log:

[info]  Init: Loading certificate & private key of SSL-aware server pilchard.uk.radan.com:443
[info]  Init: Requesting pass phrase from dialog filter program (d:/apache/conf/ppfilter.exe)
[error] Init: Pass phrase incorrect (OpenSSL library error follows)
[error] OpenSSL: error:0D084069:asn1 encoding routines:d2i_ASN1_SET:bad tag
[error] OpenSSL: error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing
[error] OpenSSL: error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

The PassPhraseDialog program ppfilter.exe is just a compiled version of the
following Perl script (obviously intended only for testing purposes...):

if (scalar @ARGV == 2 and $ARGV[0] =~ /pilchard/i and $ARGV[0] =~ /443/
    and $ARGV[1] =~ /rsa/i) {
    print "ntpc99\n";
}
else {
    exit 1;
}

This program works fine when starting Apache as a Console App, so I don't know
where the "Pass phrase incorrect" error above is coming from.  The
ssl_error.log gets the following lines written to it when starting Apache as a
Console App:

[info]  Init: Loading certificate & private key of SSL-aware server pilchard.uk.radan.com:443
[info]  Init: Requesting pass phrase from dialog filter program (d:/apache/conf/ppfilter.exe)
[trace] Init: (pilchard.uk.radan.com:443) encrypted RSA private key - pass phrase requested
[info]  Init: Configuring server pilchard.uk.radan.com:443 for SSL protocol
[trace] Init: (pilchard.uk.radan.com:443) Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[trace] Init: (pilchard.uk.radan.com:443) Configuring RSA server certificate
[trace] Init: (pilchard.uk.radan.com:443) Configuring RSA server private key
[info]  Init: Loading certificate & private key of SSL-aware server pilchard.uk.radan.com:443
[info]  Init: Requesting pass phrase from dialog filter program (d:/apache/conf/ppfilter.exe)
[trace] Init: (pilchard.uk.radan.com:443) encrypted RSA private key - pass phrase requested
[info]  Init: Configuring server pilchard.uk.radan.com:443 for SSL protocol
[trace] Init: (pilchard.uk.radan.com:443) Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[trace] Init: (pilchard.uk.radan.com:443) Configuring RSA server certificate
[trace] Init: (pilchard.uk.radan.com:443) Configuring RSA server private key

I'm using the same certificate and key files, the same
PassPhraseDialog-emitting program and the same httpd.conf file when trying to
run as a Service and as a Console App.  The ONLY difference is whether I type
"net start apache" or "apache" to start it.

> > Has anyone else got this running as a service or can shed any more light
> > on the problem?
>
> I planned to take a look at this when I read your previous posting, but
> I haven't yet found time to do so. And I probably won't have time for it
> until the weekend.

I hope you do get some time sometime.  I'd really appreciate any help I can
get.

Thanks,

Steve Hay

