[BugDB] Compiling error with apache_1.3.9, modssl-2.4.10-1.3.9, openssl-0.9.5a (PR#442)

2000-08-23 Thread modssl-bugdb

Full_Name: Walter Jahn
Version: modssl-2.4.10-1.3.9
OS: Solaris 2.6
Submission from: (NULL) (194.121.102.41)


Hello,

we have a problem when compiling apache_1.3.9 with mod_ssl (version
2.4.10-1.3.9) and openssl (version 0.9.5a).
We were following the INSTALL instructions step by step. Everything worked
fine with openssl and modssl. But when compiling apache_1.3.9 the
following error occurred:

gcc -c  -I../../os/unix -I../../include   -DSOLARIS2=260 -DMOD_SSL=204110 -DEAPI -DUSE_EXPAT -I../../lib/expat-lite `../../apaci` -fPIC -DSHARED_MODULE -DSSL_COMPAT -I/opt/app/sybase/intershop/isroot4/webserver/apache_1.3.9/src/openssl-0.9.5a/include -DMOD_SSL_VERSION=\"2.4.10\" ssl_util_ssl.c  mv ssl_util_ssl.o ssl_util_ssl.lo
ssl_util_ssl.c:145: conflicting types for `d2i_PrivateKey_bio'
/opt/app/sybase/intershop/isroot4/webserver/apache_1.3.9/src/openssl-0.9.5a/include/openssl/x509.h:696: previous declaration of `d2i_PrivateKey_bio'
*** Error code 1
make: Fatal error: Command failed for target `ssl_util_ssl.lo'
Current working directory /opt/app/sybase/intershop/isroot4/webserver/apache_1.3.9/src/apache_1.3.9/src/modules/ssl
*** Error code 1
make: Fatal error: Command failed for target `all'
Current working directory /opt/app/sybase/intershop/isroot4/webserver/apache_1.3.9/src/apache_1.3.9/src/modules
*** Error code 1
make: Fatal error: Command failed for target `subdirs'
Current working directory /opt/app/sybase/intershop/isroot4/webserver/apache_1.3.9/src/apache_1.3.9/src
*** Error code 1
make: Fatal error: Command failed for target `build-std'
Current working directory /opt/app/sybase/intershop/isroot4/webserver/apache_1.3.9/src/apache_1.3.9
*** Error code 1
make: Fatal error: Command failed for target `build'

Though it seems to be an openssl mistake I want to ask if somebody has
experience with this problem. We tried several versions of openssl and the
problem was reproducible.

The version we used the first time: openssl_0.9.5a, modssl_2.4.10-1.3.9,
apache_1.3.9



__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: Using https can't get images from other sites?

2000-08-23 Thread Simon_Wilcox


AFAIK you can't solve this without serving the images over ssl too.

  Having been in this situation I found that most browsers will NOT mix
  content from secure and unsecured sites. This is a security feature ;-)

  You might be able to use ProxyPass to get the images via your server and
  then redirect them over ssl if the image site doesn't support ssl but I've
  never tried that myself.

  Anyone on the list know anything different ?

  HTH

  Simon Wilcox.



From: "Sandy Yung" [EMAIL PROTECTED]   Date: 02:09:41 23 August 2000

Please respond to [EMAIL PROTECTED]

To:   [EMAIL PROTECTED]
cc:(bcc: Simon Wilcox/BASE/WilliamsLea)
Fax to:
Subject:  Using https can't get images from other sites?



I have installed apache, mod_ssl. Some of my images are from other
web sites. In my HTML, I coded img
src='http://othersite.com/image/image.gif'. The page is fetched by
https. The result is that the image can't be retrieved.
How to solve this? Thanks a lot!




Re: Using https can't get images from other sites?

2000-08-23 Thread Sandy Yung

Thanks. And one more question is that for the local image, does the
server and browser do encryption too? We don't need encryption on
image, but only the html content. How to configure it? Thanks.





Re: Using https can't get images from other sites?

2000-08-23 Thread Simon_Wilcox


Yes - both image and html must be transmitted over ssl.

  The browser will usually not allow non-ssl parts of a page.

  Unfortunately, you can't avoid it.

  HTH



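
An added example, not part of the original thread: the mixed-content condition described in the replies above can be found before a page goes live by listing every subresource an https page would fetch over plain http. The page URL, the sample markup and the function names are constructed for illustration; only the othersite.com image URL comes from the question.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose URL the browser fetches while rendering the page.
FETCHING_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",),
    "frame": ("src",), "embed": ("src",), "input": ("src",),
    "object": ("data",), "body": ("background",), "link": ("href",),
}

# Constructed sample page; only the first <img> URL is taken from the thread.
SAMPLE_PAGE = """\
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="http://www.example.com/order.html">
</head><body background="http://othersite.com/image/bg.gif">
<img src='http://othersite.com/image/image.gif'>
<img src="/images/logo.gif">
<img src="//othersite.com/image/banner.gif">
<a href="http://othersite.com/">partner site</a>
</body></html>
"""


class SubresourceCollector(HTMLParser):
    """Collect (line, tag, url) for every subresource reference in a page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            # Only stylesheet and icon links are fetched; canonical etc. are not.
            rel = (dict(attrs).get("rel") or "").lower().split()
            if "stylesheet" not in rel and "icon" not in rel:
                return
        for name, value in attrs:
            if name in FETCHING_ATTRS.get(tag, ()) and value:
                self.refs.append((self.getpos()[0], tag, value.strip()))


def find_mixed_content(html, page_url):
    """Return subresources that an https page would load over plain http."""
    if urlsplit(page_url).scheme != "https":
        return []
    collector = SubresourceCollector()
    collector.feed(html)
    collector.close()
    mixed = []
    for line, tag, raw in collector.refs:
        absolute = urljoin(page_url, raw)  # resolves relative and //host URLs
        if urlsplit(absolute).scheme == "http":
            mixed.append((line, tag, absolute))
    return mixed


def insecure_origins(html, page_url):
    """Hosts that must offer https (or be proxied) before the page is clean."""
    found = find_mixed_content(html, page_url)
    return sorted({urlsplit(url).netloc for _, _, url in found})


if __name__ == "__main__":
    page = "https://www.example.com/order.html"
    for line, tag, url in find_mixed_content(SAMPLE_PAGE, page):
        print(f"line {line}: <{tag}> loads {url}")
```

Relative and protocol-relative references inherit the page's scheme, so only the two absolute http:// references are reported; the plain `<a href>` link is navigation, not a subresource.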



Re: [BugDB] Compiling error with apache_1.3.9, modssl-2.4.10-1.3.9, openssl-0.9.5a (PR#442)

2000-08-23 Thread Mads Toftum

On Wed, Aug 23, 2000 at 09:26:49AM +0200, [EMAIL PROTECTED] wrote:
 
 we have a problem when compiling apache_1.3.9 with mod_ssl (version
 2.4.10-1.3.9) and openssl (version 0.9.5a).

mod_ssl-2.4.10 is not compatible with openssl-0.9.5a ... you should use
a more recent version of Apache+mod_ssl (or if you have a _really_ good
reason to use an old version, then you should be using openssl-0.9.4).

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: Apache unable to generate temp 512 bit RSA key

2000-08-23 Thread Duane Gran

  I have compiled and setup mod_ssl with open_ssl on a few systems in the
  past, but I'm having some trouble today.  I'm using the latest stable
  version of mod_ssl, open_ssl and apache on Solaris 2.7.
 
  Apache is unable to start, via the "apachectl startssl" or the regular
  "apachectl start" commands.  I see the following entry in the error_log:
 
  [Mon Aug 21 11:01:04 2000] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key
 
  Has anyone else encountered this error, and if so, could you give some
  hints about how to resolve it?  Many thanks in advance.

 It's a FAQ: http://www.modssl.org/docs/2.6/ssl_faq.html#ToC15 and
 http://www.openssl.org/support/faq.html#6

I just wanted to give an update.  I was able to solve this problem with
a free third party /dev/random and /dev/urandom implementation:

  http://www.cosy.sbg.ac.at/~andi/

I hope this helps some others.

Duane Gran
spinweb.net



SSL Certs and IP-Based Virtual Hosting

2000-08-23 Thread Gary Algier

I am trying to figure out to what an SSL Certificate is tied.  Is it
the value of ServerName or the canonical name from a reverse DNS
lookup or the forward lookup?  Or do all virtual hosts use the same
certificate?

For example:

I want to run multiple virtual servers on a single system:
 
ServerName              IP
first.mydomain.com      192.168.10.1
second.mydomain.com     192.168.10.2
 
however, let us say that the DNS says:
first.mydomain.com.         IN CNAME  server.mydomain.com
server.mydomain.com.        IN A      192.168.10.1
second.mydomain.com.        IN A      192.168.10.2
1.10.168.192.in-addr.arpa.  IN PTR    server.mydomain.com.
2.10.168.192.in-addr.arpa.  IN PTR    second.mydomain.com.
 
In other words, server.mydomain.com already exists and I just
want to use its IP address as first.mydomain.com.
 
So, what do I register with the Certificate Authority?  If it is 
tied to the reverse DNS, would I be better not running the web
server on the main IP address of server.mydomain.com and then put
first.mydomain.com on its own address?

I have seen messages to the effect that if one uses a web hosting
service it is their responsibility to get the certificate as it is
tied to their IP addresses in some way, however this does not make
sense to me in that if I do a forward and reverse lookup of our
company's web server (hosted outside), it looks like it is ours:

% host www.ulticom.com
www.ulticom.com has address 207.106.32.104
% host 207.106.32.104
104.32.106.207.IN-ADDR.ARPA domain name pointer www.ulticom.com

(I control the A record, they control the PTR record).

I have also seen mention in the archives (and FAQ) that name-based virtual
hosting does not work, but I am using IP-based virtual hosting.

-- 
Gary Algier, WB2FWZ   [EMAIL PROTECTED]   +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054  Fax:+1 856 866 2033

This space intentionally left blank by the censors.



RE: SSL Certs and IP-Based Virtual Hosting

2000-08-23 Thread Airey, John

There are two ways to solve this.

1. Buy a certificate for each site you are securing, ie each specific
hostname.
2. Buy a wildcard certificate from Thawte. This is only cost effective for 5
or more sites.

It doesn't matter whether the hostname is an A or CNAME type record in your
DNS, but I'd recommend you use an A type where you can. I don't believe that
web browsers do any reverse lookup.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 





Re-use a Thawte Certificate (for Netscape Fasttrack) on Apache

2000-08-23 Thread Ed Yu

Hi all,

I was able to follow the procedure outlined in
http://www.drh-consultancy.demon.co.uk/nskey.html to extract the private key
out from the Netscape Fasttrack Server. Now I need to encrypt this key so
that I can start apache with it with the Thawte certificate (requested by
that same key). I was wondering if anyone knows how to do this? I know I can
start the server simply with this file (without prompting for the pass
phrase), but I would like to have the pass phrase for a little more
security. Any ideas?

^^
Ed Yu, IBM Certified Specialist - AIX System Administrator
Information Technology Manager,
University of South Carolina,
Advanced Solutions Group, Physics Dept.,
Columbia, SC 29208
Office (803)777-8831, FAX (803)777-8833, Email [EMAIL PROTECTED]




RE: SSL Certs and IP-Based Virtual Hosting

2000-08-23 Thread Adrian Stovall

Hi Gary,
The crux of your question (If I read it correctly), is about what
the SSL cert is supposed to match.  The cert matches the server name
specified in the ServerName directive for the specified virtual host...DNS
(other than leading a browser to your IP address) has nothing to do with it.
SSL uses the host header info to send the browser to the right virtual host.
I have never seen anything saying it's the web hosting service's
responsibility to get you the correct certificate, although I'm sure some
hosting firms will do this for you.  As long as you know how to make your
cert correctly, and have access to what you need access to on the web
server, you can do it yourself without too much heartache.

Synopsis:  Tie the cert to the name of the site ("first.mydomain.com") not
to the DNS info.

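
An added illustration, not code from any participant: a small model of the exchange discussed in this thread, assuming IP-based virtual hosts where the server picks the certificate by the address the connection arrives on and the browser compares the certificate name with the host name in the URL. The DNS records and host names are the ones from the question; the one-certificate-per-address layout and the simplified wildcard rule (a `*` stands for exactly one left-most label) are assumptions.

```python
# DNS records as given in the question (PTR records are never consulted).
ZONE = {
    "first.mydomain.com": ("CNAME", "server.mydomain.com"),
    "server.mydomain.com": ("A", "192.168.10.1"),
    "second.mydomain.com": ("A", "192.168.10.2"),
}

# Assumed layout: one certificate per listening address (IP-based vhosts).
VHOST_CERT_NAMES = {
    "192.168.10.1": ["first.mydomain.com"],
    "192.168.10.2": ["second.mydomain.com"],
}


def resolve(name, zone=ZONE, max_hops=8):
    """Follow CNAME records until an A record is found; return the address."""
    name = name.lower().rstrip(".")
    for _ in range(max_hops):
        rtype, value = zone[name]
        if rtype == "A":
            return value
        name = value.lower().rstrip(".")
    raise LookupError("CNAME chain too long")


def name_matches(pattern, host):
    """Compare a certificate name with the host name the user asked for.

    A '*' is accepted only as the complete left-most label and stands for
    exactly one label, so *.mydomain.com covers first.mydomain.com but not
    mydomain.com or a.b.mydomain.com.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def browser_check(url_host, certs=VHOST_CERT_NAMES, zone=ZONE):
    """Return (address, presented_names, ok) for an https request to url_host."""
    address = resolve(url_host, zone)   # DNS only selects the address
    presented = certs[address]          # the server picks the cert by address
    ok = any(name_matches(name, url_host) for name in presented)
    return address, presented, ok


if __name__ == "__main__":
    for host in ("first.mydomain.com", "server.mydomain.com", "second.mydomain.com"):
        address, presented, ok = browser_check(host)
        verdict = "accepted" if ok else "name mismatch warning"
        print(f"https://{host}/ -> {address} presents {presented}: {verdict}")
```

Both first.mydomain.com and server.mydomain.com reach 192.168.10.1, but only the name in the certificate is accepted; the CNAME and PTR records play no part in the comparison.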



Re: Apache unable to generate temp 512 bit RSA key

2000-08-23 Thread Bill Garrison

On Wednesday, August 23, 2000, at 09:02 AM, Duane Gran wrote:

 I just wanted to give an update.  I was able to solve this problem with
 a free third party /dev/random and /dev/urandom implementation:

   http://www.cosy.sbg.ac.at/~andi/

I want to add my 2 cents here.  I'm using Andi's package as well and it's  
working fine for me under Solaris 2.6.

Bill



Re: Apache unable to generate temp 512 bit RSA key

2000-08-23 Thread Duane Gran

Oswaldo,

I'll confess that I took the lazy way out and used the pre-packaged
version he already had made and it worked fine for me.  The $HOME/.rnd
file is associated with when you do the "make certificate" step, not the
web server error I originally wrote about.  The problem is similar, but
not quite the same.

If you haven't done so already, you should change your httpd.conf with
the following lines uncommented:

SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512

Duane Gran
http://spinweb.net -- Servlet Hosting

  I just wanted to give an update.  I was able to solve this problem with
  a free third party /dev/random and /dev/urandom implementation:
 
http://www.cosy.sbg.ac.at/~andi/
 
  I hope this helps some others.
 
 
 I tried to use the random.c, I compiled it but it didn't attach:
 devfsadm: driver failed to attach: random
 Warning: Driver (random) successfully added to system but failed to attach
 
 It says something about creating a script so at startup it gets
 initialized:
  *  The random pool can be initialized at system startup by
  *  a script containing a line simmilar to:
  *  dd if=$random_seed_file of=/dev/urandom
 
 which is this script ? a /etc/init.d/startup_random ?
 what's $random_seed_file ?
 
 I have read the FAQ and the docs but still have the same problem, I
 tried with apache 1.3.9 and apache 1.3.12 (with the corresponding
 openssl source, 0.9.4 and 0.9.5a) but for some reason I still cannot
 get it to work with ssl, it works fine without -DSSL,
 
 I posted this in the bug page in the modssl site .. I have just entered
 this list so I don't know whether the posting got here, but I'm posting it anyway:
 
 I read the FAQ and did the what it said there, created a .rnd under
 /usr/local/apache (the serverroot) and under /home/WWW (the document
 root), the one that make certificate filled is the one I copied to
 the other places ... I have compiled apache with and without other
 modules but the problem still persists ... I did a truss and this is
 what I got:
 
[snip]
 
 in the logfile:
 [Fri Aug 18 17:18:28 2000] [notice] Apache/1.3.12 (Unix) configured -- resuming normal operations
 [Fri Aug 18 17:22:43 2000] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key
 
 I put debug and trace in the SSLLogLevel, but it gives no more info :-/
 
 apache runs well without -DSSL, of course ...
 
 this is my last configure:
 ./configure  --add-module=src/modules/extra/mod_auth_msql.c \
 --prefix=/usr/local/apache --enable-shared=ssl --enable-module=ssl \
 --activate-module=src/modules/perl/libperl.a  \
 --activate-module=src/modules/fastcgi/libfastcgi.a
 
 but I tried it without the mod_* but made no difference ...
 
 I'm using openssl-0.9.5a.
 
 I read about the random device and left it to default in the
 Configuration.tmpl..
 
 I noticed there are other report about the same problem:
 354
 384
 395
 396
 407
 
 We really need the SSL working here, so please respond ASAP.
 
 --
 
  
 !   __   __ _  __ __ _  _  _  _(@)| The opinions here are expressed !
 !  /__) /_ /_\/  //  / /  /| /| "as is", with no warranty of any!
 ! /  \ /__/  /\__\___/_ /_/ _/ |/ | kind. Use them at your own risk.!
 !|!
  
   \  Oswaldo E. Aguirre M.  \
   /  Computer Science Engineer  /
   \  Internet Services Coordinator  \
   /  [EMAIL PROTECTED]/
   ~~
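
An added example, not part of the original messages: a check that an httpd.conf has the two SSLRandomSeed lines from the reply above active and that the device they name exists, which is the condition the Solaris posters ran into. The sample configuration is constructed and the function names are hypothetical; only file: sources are examined.

```python
import os
import stat

# Constructed httpd.conf fragment: the two directives from the post are
# present but still commented out.
SAMPLE_CONF = """\
<IfModule mod_ssl.c>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/urandom 512
</IfModule>
"""


def is_char_device(path):
    """True if path exists and is a character device such as /dev/urandom."""
    try:
        return stat.S_ISCHR(os.stat(path).st_mode)
    except OSError:
        return False


def parse_seed_directives(conf_text):
    """Yield (lineno, active, context, source, nbytes) per SSLRandomSeed line."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        active = not line.startswith("#")
        fields = line.lstrip("#").split()
        if len(fields) < 3 or fields[0].lower() != "sslrandomseed":
            continue
        has_count = len(fields) > 3 and fields[3].isdigit()
        nbytes = int(fields[3]) if has_count else None
        yield lineno, active, fields[1].lower(), fields[2], nbytes


def audit_random_seed(conf_text, device_ok=is_char_device):
    """Return findings about the file: seed sources for startup and connect."""
    findings = []
    usable = {"startup": False, "connect": False}
    for lineno, active, context, source, _ in parse_seed_directives(conf_text):
        if context not in usable:
            findings.append(f"line {lineno}: unknown context {context!r}")
            continue
        if not source.startswith("file:"):
            continue  # builtin and exec: sources are not examined here
        path = source[len("file:"):]
        if not active:
            findings.append(f"line {lineno}: {context} seed from {path} is commented out")
        elif not device_ok(path):
            findings.append(f"line {lineno}: {path} is missing or not a character device")
        else:
            usable[context] = True
    for context, ok in usable.items():
        if not ok:
            findings.append(f"{context}: no usable file: seed source configured")
    return findings


if __name__ == "__main__":
    for finding in audit_random_seed(SAMPLE_CONF):
        print(finding)
```

Passing a different `device_ok` predicate lets the same audit be run against a configuration copied from another host, for example one without /dev/urandom.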



Re: Re-use a Thawte Certificate (for Netscape Fasttrack) on Apache

2000-08-23 Thread Remi Cohen-Scali


You can use these as a starting point. It differs because you already have
the key and you don't have a CA but a chained CA cert (I think that is
what you mean by the Thawte cert). You also need a conf file
for openssl matching your needs (you can start from openssl.cnf).
Personally I use these to generate my site certs with a home-made CA
cert.
-- 
  \/
 Remi Cohen-Scali   ------   [EMAIL PROTECTED]
   WAP/\ [EMAIL PROTECTED]

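#! /bin/bash
# Generate a key and CSR for a site, then sign the CSR with the local CA.

echo -n "Enter site URL : "
read -r site
# New RSA key plus certificate request. rsa:1024 and -sha1 are as posted in
# 2000; current practice is at least rsa:2048 and -sha256.
openssl req -out "ssl.csr/$site.csr" -keyout "ssl.key/$site.key" \
    -newkey rsa:1024 -new -config RCSCA/rcsnet.cnf -extensions v3_req
# Sign the request with the CA certificate and key; valid for 365 days.
openssl x509 -in "ssl.csr/$site.csr" -out "ssl.crt/$site.crt" -days 365 -req \
    -CA ssl.crt/CA.rcsnet.net.crt -CAkey ssl.key/CA.rcsnet.net.key \
    -CAserial RCSCA/serial -sha1 -extensions svr_cert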



Create a request and a key:
[root@xfiles conf]# openssl req -out ssl.csr/www.rcsnet.net.csr -keyout ssl.key/www.rcsnet.net.key -newkey rsa:1024 -new

Create a CA certificate:
[root@xfiles conf]# openssl x509 -in ssl.csr/CA.rcsnet.net.csr -out ssl.crt/CA.rcsnet.net.crt -days 365 -signkey ssl.key/CA.rcsnet.net.key -req -sha1

Sign a request with a CA cert:
[root@xfiles conf]# openssl x509 -in ssl.csr/www.rcsnet.net.csr -out ssl.crt/www.rcsnet.net.crt -days 365 -req -CA ssl.crt/CA.rcsnet.net.crt -CAkey ssl.key/CA.rcsnet.net.key -CAserial RCSCA/serial -sha1

Display a certificate:
[root@xfiles conf]# openssl x509 -in ssl.crt/www.rcsnet.net.crt -noout -text


See gen_site_cert.


RE: Re-use a Thawte Certificate (for Netscape Fasttrack) on Apache

2000-08-23 Thread Ed Yu

Oops, my mistake of asking something I did not understand.

Basically, the result of the extraction procedure is the cert.p12 (which is
the dummy certificate containing the original private key).
And in the final step of using pkcs12 (or using the openssl wrapper -
openssl pkcs12) to extract the private key from the p12 certificate, it
actually allows you to specify a password to the private key. This will
actually require me to put in the password when I issue 'apachectl
startssl'.

Sorry to bother the group. But then again this proves the procedure actually
works!

^^
Ed Yu, IBM Certified Specialist - AIX System Administrator
Information Technology Manager,
University of South Carolina,
Advanced Solutions Group, Physics Dept.,
Columbia, SC 29208
Office (803)777-8831, FAX (803)777-8833, Email [EMAIL PROTECTED]





Re: Re-use a Thawte Certificate (for Netscape Fasttrack) on Apache

2000-08-23 Thread Remi Cohen-Scali



So you need something like:

openssl pkcs12 -in yourfile.p12 -out thechain.pem 

You will obtain (after entering passphrase) a pem encoded file which
contains all key/certs enclosed in the p12 armor.
I use it to extract/transform netscape repository exported p12.
-- 
  \/
 Remi Cohen-Scali   ------   [EMAIL PROTECTED]
   WAP/\ [EMAIL PROTECTED]
 S/MIME cryptographic signature
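
The two operations in this exchange (splitting a PKCS#12 export into PEM, and giving an already-extracted plaintext key a pass phrase), as an added example that is not part of any poster's message. It assumes an `openssl` binary on the PATH; the function names, the file names other than `yourfile.p12`, the `example.test` subject, the `-aes256` choice and both pass phrases are constructed, and the pass phrases come from environment variables only so the script runs unattended.

```shell
#!/bin/sh
# Added example: key, certificate and pass phrases are constructed throwaway values.
set -eu
umask 077                                   # key files are created owner-only
export P12_PASS='constructed-export-pass'   # pass phrase of the .p12 (assumed)
export PEM_PASS='constructed-pem-pass'      # pass phrase Apache will ask for

# Test input: throwaway self-signed cert and key wrapped in yourfile.p12.
make_sample_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=example.test' \
    -keyout "$1/plain.key" -out "$1/orig.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/plain.key" -in "$1/orig.crt" \
    -passout env:P12_PASS -out "$1/yourfile.p12"
}

# Split the bundle: key only (re-encrypted under PEM_PASS) and leaf cert only.
split_p12() {
  openssl pkcs12 -in "$1/yourfile.p12" -nocerts \
    -passin env:P12_PASS -passout env:PEM_PASS -out "$1/server.key"
  openssl pkcs12 -in "$1/yourfile.p12" -nokeys -clcerts \
    -passin env:P12_PASS -out "$1/server.crt"
}

# Add a pass phrase to a key that already sits on disk unencrypted.
encrypt_plain_key() {
  openssl pkey -in "$1" -aes256 -passout env:PEM_PASS -out "$2"
}

# Succeeds only if the PEM armor marks the key as encrypted.
key_is_encrypted() {
  grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeeds only if key and certificate carry the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -passin env:PEM_PASS -pubout)
  c=$(openssl x509 -in "$2" -noout -pubkey)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

work=$(mktemp -d)
make_sample_p12 "$work"
split_p12 "$work"
encrypt_plain_key "$work/plain.key" "$work/from-plain.key"
for key in "$work/server.key" "$work/from-plain.key"; do
  key_is_encrypted "$key"
  key_matches_cert "$key" "$work/server.crt"
  echo "${key##*/}: encrypted, matches certificate"
done
rm -rf "$work"
```

Run interactively, the `-passin`/`-passout` options can be dropped so that openssl prompts for the pass phrases instead of reading them from the environment.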


Re: Apache unable to generate temp 512 bit RSA key

2000-08-23 Thread Oswaldo E. Aguirre M.

On Wed, Aug 23, 2000 at 12:20:22PM -0400, Bill Garrison wrote:
 On Wednesday, August 23, 2000, at 09:02 AM, Duane Gran wrote:
 
  I just wanted to give an update.  I was able to solve this problem with
  a free third party /dev/random and /dev/urandom implementation:
 
http://www.cosy.sbg.ac.at/~andi/
 
 I want to add my 2 cents here.  I'm using Andi's package as well and it's  
 working fine for me under Solaris 2.6.
 

thanks for the responses .. I got the source for random from the
site you told me and compiled, then did the pkgadd for the package
it created and it got installed fine .. but I didn't change the
lines in httpd.conf, and it's working fine again ...

well, seems that I won't bother you guys anymore for this ...

read you on another bug ;-)

regards

-Oswaldo

-- 

  
!   __   __ _  __ __ _  _  _  _(@)| The opinions here are expressed !
!  /__) /_ /_\/  //  / /  /| /| "as is", with no warranty of any!
! /  \ /__/  /\__\___/_ /_/ _/ |/ | kind. Use them at your own risk.!
! | !
  
   \  Oswaldo E. Aguirre M.  \
   /  Computer Science Engineer  /
   \  Internet Services Coordinator  \
   /  [EMAIL PROTECTED]   /
   ~~



how do i generate CA/certs : esp with CA.pl

2000-08-23 Thread tk dev

hi all

i've been trying to generate certificates - following
mod_ssl user manual. unfortunately i can't find
sign.sh to sign my server.csr.

p.s.
i'm using suse6.4,kernel2.2.16;installed with
mod_ssl/2.62 & openssl/0.95.

anyway i've downloaded openssl/0.95a & installed it.
i've found CA.pl: as i know this is one program to
generate certificates.

but when i tried CA.pl -newca it only came up with a
dir (demoCA) with some .pem files inside. i want a
real SSL cert with names which i specify.  how do i go
about doing that?...the man page of CA.pl is so
massive & i don't know what to do to have -x509(just
like the one used by openssl).

pls advise me what to do with CA.pl/how to get other
scripts that enable me to create cert.

thanks a lot for your help.

tk

=
0Oo~~:o)
Smile! You'r Alive!!!

Q:What's peacefulness?
A:What's confusion? Peacefulness is the end of confusion.

o.0.Oo.o May there be peace in every step we take :o):tk




RE: how do i generate CA/certs : esp with CA.pl

2000-08-23 Thread Ed Yu

You should be able to find the sign.sh under the pkg.contrib in the openssl
source directory.

 -Original Message-
 From: tk dev [SMTP:[EMAIL PROTECTED]]
 Sent: Wednesday, August 23, 2000 11:36 PM
 To:   modssluser; openssluser; suse-security
 Subject:  how do i generate CA/certs : esp with CA.pl
 
 hi all
 
 i've been trying to generate certificates - following
 mod_ssl user manual. unfortunately i can't find
 sign.sh to sign my server.csr.
 
 p.s.
 i'm using suse6.4,kernel2.2.16;installed with
 mod_ssl/2.62 & openssl/0.95.
 
 anyway i've downloaded openssl/0.95a & installed it.
 i've found CA.pl: as i know this is one program to
 generate certificates.
 
 but when i tried CA.pl -newca it only came up with a
 dir (demoCA) with some .pem files inside. i want a
 real SSL cert with names which i specify.  how do i go
 about doing that?...the man page of CA.pl is so
 massive & i don't know what to do to have -x509(just
 like the one used by openssl).
 
 pls advise me what to do with CA.pl/how to get other
 scripts that enable me to create cert.
 
 thanks a lot for your help.
 
 tk
 
 =
 0Oo~~:o)
 Smile! You'r Alive!!!
 
 Q:What's peacefulness?
 A:What's confusion? Peacefulness is the end of confusion.
 
 o.0.Oo.o May there be peace in every step we take :o):tk
 