automatically startup
Dear all,

I would like to create a shell script which automatically startup the apache-mod_ssl server. I have a difficulty in getting around the interactive prompt for the access key. Does anyone have any idea?

Herbert
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Quick Question Regarding Certificates
Sorry if this question sounds moronic but I am what would be considered a linux newbie.

I am running Apache 1.3.12 on a Netmax linux server. I have the latest version of mod_ssl and openssl installed. Being that I am a newbie I chose to install the RPM versions of each of these after several hours of compile errors. The packages all installed fine through RPMs.

I created and authorized my own certificates. I followed all of the steps in the mod_ssl how to on the subject and created the certificates (server.crt and server.key) just fine. My problem begins when I replace the default server.crt and server.key that were created when the programs were installed with the ones that I created. After the default files are replaced with my files, upon reboot the system hangs indefinitely when starting the httpd daemon. I have to telnet in, replace the original server.crt and server.key and reboot and then things are fine.

Has anyone else encountered this problem? Any help will be appreciated.

Nathan
Apache 1.3.9 crashing w/modssl 2.4 ?
Hi !

I'm using Apache 1.3.9 together with mod_ssl 2.4 and OpenSSL 0.9.4 - I compiled mod_ssl as a DSO and Apache was compiled with mod_so before, so I thought everything was alright and - using the "standard" - ssl - config from the recently compiled apache - I enabled the SSLengine, and whoops, I got the following error in Apache's error_log and Apache wasn't able to start:

[Mon Aug 14 16:57:36 2000] [error] mod_ssl: Init: Unable to read server certificate from file /etc/httpd/ssl.crt/server.crt (OpenSSL library error follows)
[Mon Aug 14 16:57:36 2000] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

The main problem is the 2nd line... would just adding a test - certificate fix this, too ? Sound so cryptic ;)

Thanks for your help !

Oh, and I'm using SUSE 6.3 ...

Bye,
Chrisss (http://www.crion.de/ - http://www.cci.de/)
mod_ssl 2.6.6 + old flex = compile error
The latest mod_ssl 2.6.6 fails to compile when using an old flex version (which used to work for 2.6.5). Here are the details:

OS: Solaris 7
Compiler: gcc 2.95.2
Apache: 1.3.12
flex: 2.4.6

The error:

foo:/usr/local/src/apache_1.3.12# make
[...]
===> src/modules/ssl
flex -Pssl_expr_yy -s -B ssl_expr_scan.l
"ssl_expr_scan.l", line 89: bad character: %
"ssl_expr_scan.l", line 90: unknown error processing section 1
"ssl_expr_scan.l", line 90: bad character: %
"ssl_expr_scan.l", line 91: unknown error processing section 1
*** Error code 1

With the latest flex 2.5.4a it compiles cleanly. For mod_ssl 2.6.5 the old flex 2.4.6 was sufficient.

Hope this helps,
Thomas

--
Thomas Anders <[EMAIL PROTECTED]>
Hahn-Meitner-Institut Berlin, Germany
FAQ: Failed to generate temporary 512 bit RSA private key
A modest proposal:

Since "Failed to generate temporary 512 bit RSA private key" is such an FAQ on this list (even though it's in the FAQ ;-), perhaps some defensive coding might be in order that detects possible errors earlier and so gives a more informative error message?

An easy one would be to die with an error if there are no random sources defined in the conf file. This for example can happen with the mod_perl test suite's default httpd.conf.

Harder would be to cause an error like the above to be logged as "Failed to generate temporary 512 bit RSA private key: insufficient entropy available from the random source(s)" or similar?

[ There are probably good reasons why this can't be done; if so, I'll just shut up and go away :-) ]

Dave M.

* Dave Mitchell, Operations Manager,
* Fretwell-Downing Facilities Ltd, UK. [EMAIL PROTECTED]
* Tel: +44 114 281 6113. The usual disclaimers
*
* Standards (n). Battle insignia or tribal totems
Vhosts behavior question (1 SSL, 1 non-SSL)
I'll apologize now if this is off-topic, but I looked over the mail lists at MARC & didn't see another list that matched well. If I'm barking up the wrong tree please point me to the correct one. Anyway, here goes:

I've set up a webserver w/ 2 name-based virtual hosts: 1) an http server (http://name1.mydom.com/), and 2) an https server (https://namessl.mydom.com/). I've declared the document root directories as shown in my config file snippets below.

Both servers serve the files I expect them to (the files from their own doc root). But what I don't understand is why the servers behave as they do when the VirtualHost and ServerName are "mis-matched"; i.e.:

1) why does the secure server serve docs from the regular server's doc root? In other words:

https://name1.mydom.com/ ---> index.html file from namessl's doc root

2) Why does the http server serve docs from its own doc root even when used with the https server's name?

http://namessl.mydom.com/ ---> index.html file from name1's doc root

I had expected an error message for these mis-matches between VirtualHost and ServerName. Clearly I'm either confused about how Apache is _supposed_ to operate, OR I've bonked the config file. I'd appreciate it if someone could straighten me out.

--- config file snippets follow: -

For the http server:

DocumentRoot /home/webfoot/public_html
ServerName name1.mydom.com
ScriptAlias /cgi-bin/ "/home/webfoot/cgi-bin/"
...

For the https server:

DocumentRoot /home/webfoot/secure_html
ServerName namessl.mydom.com
ScriptAlias /cgi-ssl/ "/home/webfoot/cgi-ssl/"
...
...

---

Thanks,
James Moore
Problem!
I have a bit of a problem here. My Apache+mod_ssl dies a short while after I start it.

I'm running a Red Hat 6.2, kernel 2.2.16 system, with Apache 1.3.12 and the latest tar.gz mod_ssl. I compiled the sources and everything was working until recently.

What I did that might have caused this:

* I have overwritten the /etc/httpd/conf/ssl* directories with the /usr/src/apache/conf/ssl* ones

How it happens:

If I run 'apachectl startssl', I see the 'Server foo.com:443 (RSA), Enter pass phrase:' prompt. If I just wait, without entering anything, I get this a couple of seconds later:

Apache:mod_ssl:Error: Private key not found.
**Stopped
/usr/sbin/apachectl startssl: httpd could not be started

It just pops up spontaneously, without me doing anything. If, however, I go ahead and enter the passphrase, it just returns me to the prompt, and as I check out, there's no httpd running. Same happens if I run 'apachectl start' (silent return to prompt, no run).

Is it because of the certificate files? If so, how can I make it work?

Thanks in advance.

--GZ
Re: automatically startup
Read the *fine* manual! Look in the reference section for the pass phrase directive. (the mod ssl manual online at www.modssl.org)

Build a program to spit out the pass phrase when the server prompts for it.

"Herbert Leung (NTL - Senior System Analyst, PNTL)" wrote:
>
> Dear all,
>
> I would like to create a shell script which
> automatically startup the apache-mod_ssl server.
> I have a difficulty in getting around the interactive
> prompt for the access key. Does anyone have
> any idea?
>
> Herbert

--
Craig Shaver, Productivity Group
POB 60458
Sunnyvale, CA 94088
(650)390-0654
http://www.progroup.com/
mailto:[EMAIL PROTECTED]
Port 443
I have a server with the following:

ServerName something.hello.com
DocumentRoot /export/home/webdocs/main
SSLDisable

ServerName something-ssl.hello.com
DocumentRoot /export/home/webdocs/members
#SSLDisable
SSLEnable
SSLCertificateFile /usr/local/apache/conf/ssl/costello-ssl.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl/costello-ssl.key
SSLCACertificatePath /usr/local/apache/conf/ssl/
SSLCACertificateFile /usr/local/apache/conf/ssl/ca-bundle.crt

This seems not to work at all for SSL, but if I get rid of the port 443, and do a https://something-ssl.hello.com:80 it works fine.

Reasons?

Thanks,
JMS
[BugDB] can not sign my certificate (PR#439)
Full_Name:
Version: 2.6.4
OS: RedHat 6.2
Submission from: (NULL) (212.160.25.76)

I wanted to create and use my own CA. So I read documentation included to mod-ssl and when I typed:

sign.sh server.csr

something went wrong because I got this:

Certificate will not be Certified
CA verifying: server.crt <-> CA cert
server.crt: unable to load certificate file
753: error: 0906D06C: PEM routines: PEM_read_bio: no start line: pem_lib.c. 662: Expecting: Certificate.

And I don't know what is this all about. Thanks 4 help in advance.
Re: Vhosts behavior question (1 SSL, 1 non-SSL)
This is an extension of the SSL name based virtual host problem. I posted a long explanation of SSL virtual host resolution earlier, but the simple answer is - if you try to access port 80 - you'll get your http (1st VirtualHost) environment, and if you try to access port 443 - you'll get your https (2nd VirtualHost) environment. This is because Virtual Hosts are set up based on IP+Port.

Think of it as 2 separate Virtual Host groups - if you just had 1 Virtual Host, you could still access that virtual host with an ip address, or a fake /etc/hosts entry or a different dns CNAME or A record - all of these would still put you in the documentroot of your 1 virtualhost entry.

I don't have a good suggestion for getting your desired behaviour right now, I'll have to think about it for a bit.

Dana

On Mon, 14 Aug 2000, Plamen Gribachev wrote:
> Hi!
> Try with :
> NameVirtualHost 111.22.33.44
> in Section1 Global Environment of httpd.conf
> Plamen
>
> > For the http server:
> >
> > DocumentRoot /home/webfoot/public_html
> > ServerName name1.mydom.com
> > ScriptAlias /cgi-bin/ "/home/webfoot/cgi-bin/"
> > ...
> >
> > For the https server:
> >
> > DocumentRoot /home/webfoot/secure_html
> > ServerName namessl.mydom.com
> > ScriptAlias /cgi-ssl/ "/home/webfoot/cgi-ssl/"
> > ...
> > ...
Error or Warn?
The following keeps repeating in the ssl_engine_log:

[14/Aug/2000 23:09:10 07041] [error] System: Connection reset by peer (errno: 54)
[14/Aug/2000 23:14:16 07044] [error] SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)

Oddly enough, all seems to be running fine despite this scary message. I am running apache 1.3.12 with openssl-0.9.5a and mod_ssl-2.6.5 on FreeBSD 3.4. Can anyone set my poor mind at rest or help me to fix this problem?

I also have an embarrassing question, re: certificate pass phrase - I seem to have fat-fingered it (this is a different server than above but same config) on install, because the pass phrase does not work. Any thoughts on how to fix?

Thanks in advance for the kind and gentle responses I hope to get!!!

Penny Rand
Internut Exploder
Hurm.. Well, here it goes:

I have a site where the server has an SSL section using Apache and Mod_SSL

Apache Version: 1.3.12
MOD_SSL Version: 2.6.5
OpenSSL Version: 0.9.5a

There is a navigation bar that has a "members" area that links to a Virtual Host on port 443. On IE5.5 and most versions of Netscape, everything works perfectly. On many versions of Internet Explorer below 5.5, pages under SSL seem to work briefly, then suddenly "Server or DNS Entry Not Found" type errors pop up. Sometimes if you clear the cache it works for a bit again.

I am lost on which direction to look as I don't know if it is a MOD_SSL, an SSL, an Apache or simply an IE error..

Thanks,
JMS
RE: Internut Exploder
Can you specify an exact version of IE which this occurs at? How many bit encryption browser and certificate are you using? Are you using the specified IE workarounds listed on the FAQ? It sounds like you're running into the MSIE keep-alive bug.

-Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joshua Skains
Sent: Tuesday, August 15, 2000 11:59 AM
To: [EMAIL PROTECTED]
Subject: Internut Exploder

Hurm.. Well, here it goes:

I have a site where the server has an SSL section using Apache and Mod_SSL

Apache Version: 1.3.12
MOD_SSL Version: 2.6.5
OpenSSL Version: 0.9.5a

There is a navigation bar that has a "members" area that links to a Virtual Host on port 443. On IE5.5 and most versions of Netscape, everything works perfectly. On many versions of Internet Explorer below 5.5, pages under SSL seem to work briefly, then suddenly "Server or DNS Entry Not Found" type errors pop up. Sometimes if you clear the cache it works for a bit again.

I am lost on which direction to look as I don't know if it is a MOD_SSL, an SSL, an Apache or simply an IE error..

Thanks,
JMS
Re: Vhosts behavior question (1 SSL, 1 non-SSL)
On 15 Aug 00, Dana Powers wrote:
> This is an extension of the SSL name based virtual host problem. I
> posted a long explanation of SSL virtual host resolution earlier, but
> the simple answer is - if you try to access port 80 - you'll get your
> http (1st VirtualHost) environment, and if you try to access port 443 -
> you'll get your https (2nd VirtualHost) environment. This is because
> Virtual Hosts are setup based on IP+Port. Think of it as 2 separate
> Virtual Host groups - if you just had 1 Virtual Host, you could still
> access that virtual host with an ip address, or a fake /etc/hosts entry
> or a different dns CNAME or A record - all of these would still put you
> in the documentroot of your 1 virtualhost entry. I dont have a good
> suggestion for getting your desired behaviour right now, I'll have to
> think about it for a bit.
>
> Dana
>
> On Mon, 14 Aug 2000, Plamen Gribachev wrote:
> > Hi!
> > Try with :
> > NameVirtualHost 111.22.33.44
> > in Section1 Global Environment of httpd.conf
> > Plamen

Thanks, Dana - I'd appreciate it if you'd let me know if you have an idea on how to do this. FWIW I'm surprised the Apache docs don't go into this - at least I couldn't find anything.

Based on Plamen's suggestion (thanks, Plamen) I dug out & re-read the virtual hosts section of O'Reilly's "Apache: The Definitive Guide" (2nd ed) book by the Lauries. They mention use of the 'NameVirtualHost' directive & suggest it might be important in controlling access to servers under an alternate name. I hadn't been using this directive, so I tried it - but the results were identical to what I saw without it; i.e.:

https://name1.mydom.com/ ---> index.html file from namessl's doc root
http://namessl.mydom.com/ ---> index.html file from name1's doc root

The directives I added were:

NameVirtualHost 111.22.33.44:80
NameVirtualHost 111.22.33.44:443

I don't understand what these directives are supposed to do...

Finally, correct me if I'm wrong, but wouldn't IP-based virtual hosts eliminate this problem? Maybe that's the best solution for me since I've got a few "extras".

Thanks Again,
James Moore

> > > For the http server:
> > >
> > > DocumentRoot /home/webfoot/public_html
> > > ServerName name1.mydom.com
> > > ScriptAlias /cgi-bin/ "/home/webfoot/cgi-bin/"
> > > ...
> > >
> > > For the https server:
> > >
> > > DocumentRoot /home/webfoot/secure_html
> > > ServerName namessl.mydom.com
> > > ScriptAlias /cgi-ssl/ "/home/webfoot/cgi-ssl/"
> > > ...
> > > ...
SSL CGI variables created after coldfusion runs
Hi,

I'm new to this mailing list so I might be asking a question that has previously been answered. It is to do with running ColdFusion as a module and not having any of the SSL_ CGI variables. I remember reading somewhere that it was a race condition between coldfusion starting and the second phase of the mod_ssl processing but I'm able to find a resolutions.

For now, I use a rewrite rule to change any call to a ".cfm" file to http://my.domain.name/cgi-bin/cfml?template=? which seems to be semi OK but it has its own set of problems.

I'm using

RedHat Linux 6.2
Apache 1.3.12
Open SSL 0.9.5a
mod_ssl 2.6.5
coldfusion 4.5

If anyone knows about this problem and how to fix it I would be really grateful.

Thanks,
Simon
RE: Vhosts behavior question (1 SSL, 1 non-SSL)
> Based on Plamen's suggestion (thanks, Plamen) I dug out & re-read the
> virtual hosts section of O'Reilly's "Apache: The Definitive Guide" (2nd
> ed) book by the Lauries. They mention use of the 'NameVirtualHost'
> directive & suggest it might be important in controlling access to
> servers under an alternate name. I hadn't been using this directive, so
> I tried it - but the results were identical to what I saw without it;
> i.e.:
>
> https://name1.mydom.com/ ---> index.html file from namessl's doc root
> http://namessl.mydom.com/ ---> index.html file from name1's doc root
>
> The directives I added were:
>
> NameVirtualHost 111.22.33.44:80
> NameVirtualHost 111.22.33.44:443
>
> I don't understand what these directives are supposed to do...
>
> Finally, correct me if I'm wrong, but wouldn't IP-based virtual hosts
> eliminate this problem? Maybe that's the best solution for me since
> I've got a few "extras".

Your NameVirtualHost directive should read:

NameVirtualHost 111.22.33.44

-Dave
RE: Vhosts behavior question (1 SSL, 1 non-SSL)
Argh, I should have read your original post, here's a better answer than my last:

> > Based on Plamen's suggestion (thanks, Plamen) I dug out & re-read the
> > virtual hosts section of O'Reilly's "Apache: The Definitive Guide" (2nd
> > ed) book by the Lauries. They mention use of the 'NameVirtualHost'
> > directive & suggest it might be important in controlling access to
> > servers under an alternate name. I hadn't been using this directive, so
> > I tried it - but the results were identical to what I saw without it;
> > i.e.:
> >
> > https://name1.mydom.com/ ---> index.html file from namessl's doc root
> > http://namessl.mydom.com/ ---> index.html file from name1's doc root
> >
> > The directives I added were:
> >
> > NameVirtualHost 111.22.33.44:80
> > NameVirtualHost 111.22.33.44:443
> >
> > I don't understand what these directives are supposed to do...
> >
> > Finally, correct me if I'm wrong, but wouldn't IP-based virtual hosts
> > eliminate this problem? Maybe that's the best solution for me since
> > I've got a few "extras".

You're right, IP-based virtual hosts will eliminate your problem.

For name based virtual hosts, what you really need to do is add another pair of virtual hosts:

NameVirtualHost 111.22.33.44

ServerName name1.mydom.com
DocumentRoot /home/webfoot/public_html

ServerName namessl.mydom.com
DocumentRoot /home/webfoot/secure_html

ServerName name1.mydom.com
DocumentRoot /home/webfoot/public_html

ServerName namessl.mydom.com
DocumentRoot /home/webfoot/secure_html

Of course, the main problem with this is that only one SSL certificate will be used between the ssl virtual hosts (the first one listed I think), so the browser on the client will most likely pop up a certificate/servername mismatch warning.

Hope this helps more than my last post. :-)

-Dave
RE: Vhosts behavior question (1 SSL, 1 non-SSL)
i am having the same problem and i followed your suggestion but i am getting this error.

[Wed Aug 16 10:10:35 2000] [warn] VirtualHost 203.177.26.5:443 overlaps with VirtualHost 203.177.26.5:443, the first has precedence, perhaps you need a NameVirtualHost directive
/var/lib/apache/bin/apachectl startssl: httpd started

my NameVirtualHost directive is:

NameVirtualHost 203.177.26.5

raymond

>You're right, IP-based virtual hosts will eliminate your problem.
>
>For name based virtual hosts, what you really need to do is add another pair
>of virtual hosts:
>
>NameVirtualHost 111.22.33.44
>
> ServerName name1.mydom.com
> DocumentRoot /home/webfoot/public_html
>
> ServerName namessl.mydom.com
> DocumentRoot /home/webfoot/secure_html
>
> ServerName name1.mydom.com
> DocumentRoot /home/webfoot/public_html
>
> ServerName namessl.mydom.com
> DocumentRoot /home/webfoot/secure_html
>
>Of course, the main problem with this is that only one SSL certificate will
>be used between the ssl virtual hosts (the first one listed I think), so the
>browser on the client will most likely pop up a certificate/servername
>mismatch warning.
>
>Hope this helps more than my last post. :-)
>
>-Dave
RE: Vhosts behavior question (1 SSL, 1 non-SSL)
Right,

That warning is expected, as SSL name based virtual hosts do not work (the wrong certificate will be served for one vhost, see FAQ: http://www.modssl.org/docs/2.6/ssl_faq.html#ToC46). But now you should at least get the expected documents served.

-Dave

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Raymond
> Sent: Tuesday, August 15, 2000 7:27 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Vhosts behavior question (1 SSL, 1 non-SSL)
>
> i am having the same problem and i followed your suggestion but i am
> getting this error.
>
> [Wed Aug 16 10:10:35 2000] [warn] VirtualHost 203.177.26.5:443 overlaps
> with VirtualHost 203.177.26.5:443, the first has precedence, perhaps you
> need a NameVirtualHost directive
> /var/lib/apache/bin/apachectl startssl: httpd started
>
> my NameVirtualHost directive is:
>
> NameVirtualHost 203.177.26.5
>
> raymond
>
> >You're right, IP-based virtual hosts will eliminate your problem.
> >
> >For name based virtual hosts, what you really need to do is add
> another pair
> >of virtual hosts:
> >
> >NameVirtualHost 111.22.33.44
> >
> > ServerName name1.mydom.com
> > DocumentRoot /home/webfoot/public_html
> >
> > ServerName namessl.mydom.com
> > DocumentRoot /home/webfoot/secure_html
> >
> > ServerName name1.mydom.com
> > DocumentRoot /home/webfoot/public_html
> >
> > ServerName namessl.mydom.com
> > DocumentRoot /home/webfoot/secure_html
> >
> >Of course, the main problem with this is that only one SSL
> certificate will
> >be used between the ssl virtual hosts (the first one listed I
> think), so the
> >browser on the client will most likely pop up a certificate/servername
> >mismatch warning.
> >
> >Hope this helps more than my last post. :-)
> >
> >-Dave
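A check for the situation behind that warning, written as an added example (it is not code from the thread or from mod_ssl): it lists every address:port that carries more than one SSL-enabled virtual host, which is where only the first certificate gets served. The `<VirtualHost>` lines, certificate paths and the `sample_conf` helper are constructed assumptions; the addresses and names are the ones used in the thread.

```shell
#!/bin/sh
# Added example: flag address:port pairs shared by several SSL virtual hosts.
# With name-based SSL vhosts the first one listed wins, so every other name
# on that address is served the wrong certificate.

# ssl_vhost_overlaps [FILE...]
# Reads Apache config from the files (or stdin) and prints one line per
# shared address: "<addr:port> <count> <name1,name2,...>".
ssl_vhost_overlaps() {
    awk '
    { line = $0; sub(/^[ \t]+/, "", line) }          # strip leading indent
    line ~ /^#/ { next }                               # skip comments
    tolower(line) ~ /^<virtualhost[ \t]/ {
        addr = line
        sub(/^<[^ \t]+[ \t]+/, "", addr)               # drop "<VirtualHost "
        sub(/[ \t]*>.*$/, "", addr)                    # drop trailing ">"
        name = "(no ServerName)"; ssl = 0; invh = 1
        next
    }
    invh && tolower(line) ~ /^servername[ \t]/ {
        split(line, f, /[ \t]+/); name = f[2]; next
    }
    # "SSLEngine on" (mod_ssl) or "SSLEnable" (as in the Port 443 post)
    invh && tolower(line) ~ /^(sslengine[ \t]+on|sslenable)/ { ssl = 1; next }
    tolower(line) ~ /^<\/virtualhost>/ {
        if (ssl) {
            n[addr]++
            names[addr] = (names[addr] == "" ? name : names[addr] "," name)
            if (n[addr] == 1) order[++k] = addr        # keep first-seen order
        }
        invh = 0
        next
    }
    END {
        for (i = 1; i <= k; i++)
            if (n[order[i]] > 1) print order[i], n[order[i]], names[order[i]]
    }
    ' "$@"
}

# Constructed sample in the shape suggested in the thread: one plain vhost
# and two SSL vhosts on the same address and port.
sample_conf() {
cat <<'EOF'
NameVirtualHost 111.22.33.44:80
NameVirtualHost 111.22.33.44:443

<VirtualHost 111.22.33.44:80>
    ServerName name1.mydom.com
    DocumentRoot /home/webfoot/public_html
</VirtualHost>

<VirtualHost 111.22.33.44:443>
    ServerName namessl.mydom.com
    DocumentRoot /home/webfoot/secure_html
    SSLEngine on
    # hypothetical path
    SSLCertificateFile /path/to/namessl.crt
</VirtualHost>

<VirtualHost 111.22.33.44:443>
    ServerName name1.mydom.com
    SSLEngine on
    # hypothetical path
    SSLCertificateFile /path/to/name1.crt
    Redirect / http://name1.mydom.com/
</VirtualHost>
EOF
}

# Stand-alone run: report the overlaps found in the sample.
sample_conf | ssl_vhost_overlaps
```

Each reported line names the vhost whose certificate will actually be presented first, followed by the names that will trigger a mismatch warning in the browser.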
RE: Vhosts behavior question (1 SSL, 1 non-SSL)
On 15 Aug 00, David Rees wrote:
> Argh, I should have read your original post, here's a better answer than
> my last:

<<< snip, snip >>>

> For name based virtual hosts, what you really need to do is add another
> pair of virtual hosts:

I must be missing something - correct me if I'm wrong, but...

> NameVirtualHost 111.22.33.44
>
> ServerName name1.mydom.com
> DocumentRoot /home/webfoot/public_html
>
> ServerName namessl.mydom.com
> DocumentRoot /home/webfoot/secure_html

Won't the above pair of vhost entries result in the following?

URL entered: file served:
http://namessl.mydom.com ---> /home/webfoot/secure_html/index.html

As it is now, this URL causes /home/webfoot/public_html/index.html to be served. But, this is a better situation than serving the files from secure_html via an unencrypted link. What I want is to serve nothing (except an error message).

Sorry if I'm being dense.

Thanks,
James Moore
RE: Vhosts behavior question (1 SSL, 1 non-SSL)
> I must be missing something - correct me if I'm wrong, but...
>
> > NameVirtualHost 111.22.33.44
> >
> > ServerName name1.mydom.com
> > DocumentRoot /home/webfoot/public_html
> >
> > ServerName namessl.mydom.com
> > DocumentRoot /home/webfoot/secure_html
>
> Won't the above pair of vhost entries result in the following?
>
> URL entered: file served:
>
> http://namessl.mydom.com ---> /home/webfoot/secure_html/index.html
>
> As it is now, this URL causes /home/webfoot/public_html/index.html to
> be served. But, this is a better situation than serving the files from
> secure_html via an unencrypted link. What I want is to serve nothing
> (except an error message).
>
> Sorry if I'm being dense.

Oh, I thought you just wanted the appropriate servername to serve the right files. How about redirecting from the wrong vhost to the right one like this?

ServerName name1.mydom.com
DocumentRoot /home/webfoot/public_html

ServerName namessl.mydom.com
Redirect / https://namessl.mydom.com

ServerName namessl.mydom.com
DocumentRoot /home/webfoot/secure_html

ServerName name1.mydom.com
# You may want to change this to redirect to
# http://name1.mydom.com But know that a certificate
# warning will appear before the redirection (I think)
Redirect / https://namessl.mydom.com

-Dave
RE: Vhosts behavior question (1 SSL, 1 non-SSL)
Hi David,

actually i have configured it using ip-based virtual host because i am aware of that part in the FAQ. using your example as a pattern, i got that error message. then i tried to define my NameVirtualHost using the ports to be used and it seems to work fine now.

NameVirtualHost 203.177.26.5:443
NameVirtualHost 203.177.26.5:80

thanks for the tip though. my question now is, since the virtual host domain is configured to use port 80 and 443, then its possible that you can access the site thru http and https?

raymond

At 07:50 PM 8/15/00 -0700, you wrote:
>Right,
>
>That warning is expected, as SSL name based virtual hosts do not work (the
>wrong certificate will be served for one vhost, see FAQ:
>http://www.modssl.org/docs/2.6/ssl_faq.html#ToC46). But now you should at
>least get the expected documents served.
RE: Vhosts behavior question (1 SSL, 1 non-SSL)
> actually i have configured it using ip-based virtual host because i am
> aware of that part in the FAQ. using your example as a pattern, i
> got that
> error message. then i tried to define my NameVirtualHost using
> the ports to
> be used and it seems to work fine now.
>
> NameVirtualHost 203.177.26.5:443
> NameVirtualHost 203.177.26.5:80

Ah, I did not realize that you had to specify both ports specifically.

> thanks for the tip though. my question now is, since the virtual host
> domain is configured to use port 80 and 443, then its possible
> that you can
> access the site thru http and https?

Yes.

-Dave
Re: automatically startup
there is a solution for it but it is not so secure. if u can believe that nobody has physical access of your computer you can use it

"You can create an unencrypted copy of the key as follows:

openssl rsa -in file1.key -out file2.key

Now file2.key will contain an unencrypted copy of the key. If you point your server at this it will not prompt you for a pass phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the Net. PLEASE make sure that the permissions on that file are such that only root or the Web server user can read it (preferably get your Web server to start as root but run as another server, and have the key readable only by root)."

regds,
Kuldeep

>From: "Herbert Leung (NTL - Senior System Analyst, PNTL)"
><[EMAIL PROTECTED]>
>Reply-To: [EMAIL PROTECTED]
>To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
>Subject: automatically startup
>Date: Mon, 14 Aug 2000 10:36:20 +0800
>
>Dear all,
>
>I would like to create a shell script which
>automatically startup the apache-mod_ssl server.
>I have a difficulty in getting around the interactive
>prompt for the access key. Does anyone have
>any idea?
>
>Herbert
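A pre-start check for the trade-off described in the two "automatically startup" replies, written as an added example (not code from the thread or from mod_ssl): it reports whether a PEM key is still pass-phrase protected, in which case the server prompts at start unless the pass phrase directive supplies it, or is a plaintext copy, and in that case whether group or others can read it. The function names, verdict strings and sample key bodies are constructed; the file names follow the `openssl rsa` command quoted above.

```shell
#!/bin/sh
# Added example: classify a PEM private key before an unattended start
# script points the server at it.

# key_is_encrypted FILE: succeeds if the key is pass-phrase protected.
# Traditional OpenSSL PEM marks this with a Proc-Type header; PKCS#8 uses
# its own BEGIN line.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# key_mode FILE: print the octal permission bits (GNU stat, then BSD stat).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_key FILE: print a verdict word.
#   encrypted            -> returns 0 (server will ask for the pass phrase)
#   plaintext-restricted -> returns 0 (no prompt, owner-only access)
#   plaintext-exposed    -> returns 1 (no prompt, readable by group/others)
#   unreadable           -> returns 2
audit_key() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    if key_is_encrypted "$1"; then
        echo "encrypted"
        return 0
    fi
    mode=$(key_mode "$1")
    # Leading 0 makes the shell read the mode as octal; 077 = group+other bits.
    if [ $(( 0$mode & 077 )) -eq 0 ]; then
        echo "plaintext-restricted"
        return 0
    fi
    echo "plaintext-exposed"
    return 1
}

# make_samples DIR: write constructed stand-ins for the keys in the thread.
# The bodies are placeholders, not real key material.
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/file1.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/file2.key"
    cp "$1/file2.key" "$1/file2-locked.key"
    chmod 644 "$1/file1.key" "$1/file2.key"   # typical result of a default umask
    chmod 600 "$1/file2-locked.key"           # owner-only, as the reply advises
}

# Stand-alone run over the constructed samples.
demo() {
    dir=$(mktemp -d) || return 1
    make_samples "$dir"
    for k in file1.key file2.key file2-locked.key; do
        verdict=$(audit_key "$dir/$k") || true
        echo "$k: $verdict"
    done
    rm -rf "$dir"
}
demo
```

A start script can call `audit_key` on the configured key file and refuse to launch the server on a non-zero return.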
Re: Port 443
On Tue, Aug 15, 2000, Joshua Skains wrote:

> I have a server with the following:
>
> ServerName something.hello.com
> DocumentRoot /export/home/webdocs/main
> SSLDisable
>
> ServerName something-ssl.hello.com
> DocumentRoot /export/home/webdocs/members
> #SSLDisable
> SSLEnable
> SSLCertificateFile /usr/local/apache/conf/ssl/costello-ssl.crt
> SSLCertificateKeyFile /usr/local/apache/conf/ssl/costello-ssl.key
> SSLCACertificatePath /usr/local/apache/conf/ssl/
> SSLCACertificateFile /usr/local/apache/conf/ssl/ca-bundle.crt
>
> This seems not to work at all for SSL, but if I get rid of the port 443, and
> do a https://something-ssl.hello.com:80 it works fine.

I'm sure you have forgotten the corresponding "Listen 192.168.1.101:443" directive, haven't you?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: mod_ssl 2.6.6 + old flex = compile error
On Tue, Aug 15, 2000, Thomas Anders wrote:

> The latest mod_ssl 2.6.6 fails to compile when using an old flex version
> (which used to work for 2.6.5). Here are the details:
>
> OS: Solaris 7
> Compiler: gcc 2.95.2
> Apache: 1.3.12
> flex: 2.4.6
>
> The error:
>
> foo:/usr/local/src/apache_1.3.12# make
> [...]
> ===> src/modules/ssl
> flex -Pssl_expr_yy -s -B ssl_expr_scan.l
> "ssl_expr_scan.l", line 89: bad character: %
> "ssl_expr_scan.l", line 90: unknown error processing section 1
> "ssl_expr_scan.l", line 90: bad character: %
> "ssl_expr_scan.l", line 91: unknown error processing section 1
> *** Error code 1
>
> With the latest flex 2.5.4a it compiles cleanly.
> For mod_ssl 2.6.5 the old flex 2.4.6 was sufficient.

Err... no, first there was no change between 2.6.5 and 2.6.6 related to the ssl_expr_scan.l stuff, so it cannot be that Flex likes the one from 2.6.5 and not the one from 2.6.6. Second, independent whether flex likes or dislikes the file, flex should never be called for end-users. If it is run by the Makefile, your timestamps are garbled. Start from scratch and especially make sure that the ssl_expr_scan.c file has a newer timestamp than the ssl_expr_scan.l file (do a "touch ssl_expr_scan.c" if you want to make sure!).

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: What's this error?
Paul <[EMAIL PROTECTED]> writes:

> > > I have also noted a fair amount of
> > > [Wed Jul 19 16:01:58 2000] [notice] child pid 24703 exit signal
> > > Segmentation Fault (11)
>
> I get this, too, a *LOT*.
>
> > Err... I'm convinced that our current mod_ssl 2.6.5 is 100% stable
> > and does not produce any segfaults. If you really get segfaults, some
> > other component causes it. Let me guess: You're running PHP or
> > mod_ssl+OpenSSL as a DSO under Solaris, right?
>
> Forgive the "me, too"-ism, here, but this problem just won't seem to go
> away. I'm running on HP-UX B.10.20 (best the company will spring for)
> on a PARISC1.1 9000/891. I probably did build DSO, though, and I
> really don't need it. Hmm think the same prob might apply here?
>
> > If no, then I've no clue and you have to attach a debugger to find
> out
> > where it segfaults.
>
> Somebody suggest a debugger? I'm feeling pretty ignorant, here, and
> unfortunately won't have any time to RTFM for a few weeks yet.
> (~mumblegrumble~)

Recently, I had such a concurrence and traced it to a module (loaded with startup.pl) that was bombing at the initialization when first run by an access. Dropping the modules from startup.pl improved the debug output and allowed tracing its failure.
Server Certificate Verification via Proxy
Hi everyone,

I'm trying to get apache with mod_proxy and mod_ssl (1.3.12/2.6.4) to verify certificates on remote servers. It would automatically accept self-signed certificates which is clearly a vulnerability.

I activated SSL_EXPERIMENTAL mode, and the program compiled without incident, but when I try to start httpd it quits. Using gdb I discovered that during the proxy initialization in ssl_ext_mp_init the SSL_CTX_new call returns a null context. Does anyone know what might be causing this problem and if there is any obvious solution?

I noticed that the new version of mod_ssl (2.6.6) which came out yesterday has a bugfix relating to the HTTPS proxy experimental code, but the description of the bugfix seems unrelated to my problem.

I would appreciate any help, either to get the implementation of mod_ssl working correctly, or to give me some tips as to how I can write my own verification code using the openssl crypto library.

Thanks,
-Kevin