IP Masquerading and Virtual Host SSL

2000-08-30 Thread Mark Lo



Hi,

I would like to know, is it possible to use IP Masquerading techniques to host
an SSL web server on an internal IP address such as 192.168.0.1?  If possible,
we can host multiple SSL servers with only one real IP address.  Am I right?

Thank You

Mark Lo


Resend(No Replay)

2000-08-30 Thread Mark Lo




Hi,

I would like to know the difference between a DSA and an RSA certificate,
and which one should I use?

Thank You

Mark Lo


Re: Continuing issues with MultiCert Requests

2000-08-30 Thread Simon . Haddon


Hi

The only time that I have seen this is when there are HTTP 1.0 requests
instead of 1.1.

With 1.0 the TCP connections are not persistent.  This causes the SSL to be
renegotiated each time the TCP/IP connection is re-established.  This was
happening as a result of using the Apache cache/proxy services which were
converting 1.1 calls to 1.0.



Simon Haddon
x3174


   
 
"Dr. David J. Knowles" <[EMAIL PROTECTED].nz>
Sent by: owner-modssl-users@modssl.org
29/08/2000 07:34 am
Please respond to modssl-users

To: [EMAIL PROTECTED]
cc:
Subject: Continuing issues with MultiCert Requests
 
   
 
   
 




Hi,

A little while ago I ran into a problem where an apache/modssl system
was configured to verify incoming client certificates. The verification
worked fine, however the web server appeared to require the certificate
to be represented for every HTTP GET, this included not only the html
page but the images. Thus there was something like 7 certificate
requests for the first page alone.

A number of people responded to this request with very useful
information about the certificate caching etc.

The problem became more complex:
-The server which fails is compiled on a Solaris SPARC system
running version SunOS 5.6 of the operating system.
-A Linux i386 server compiled in the same way works correctly. This
is using the same configuration files as the faulty system.
-The modules are the following versions: Apache/1.3.12,
ApacheJServ/1.1.2, mod_ssl/2.6.4, OpenSSL/0.9.5a

Is there something I am missing in the differences between the two
operating systems or how mod_ssl/OpenSSL is compiled which could cause
this fault?

Thanks in advance.

Dr. David J. Knowles
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]






Re: How can I secure private keys?

2000-08-30 Thread Mads Toftum

On Wed, Aug 30, 2000 at 10:40:01AM -0500, [EMAIL PROTECTED] wrote:
> 
> I could probably burn the keys on to a CD and use that when I reboot.  The 
> rest of the time, I could store the CD in a secure location.
> 
And if you're really paranoid you could unplug your network cable, start
apache with a minimum number of processes running and do all sorts of
verifications of the apache binary (tripwire or similar).

> I have also been reading about how it is relatively easy to scan through 
> memory (assuming you have root permission) and locate a key.

If the attacker didn't get root, then regular file system permissions
should keep the key safe... but once you've got a shell, then getting
root access usually isn't such a big problem ;-)


>  I'm not sure 
> how to defend against this kind of attack, except to make sure that your 
> system is secure.  If an attacker can gain root access, he can probably get 
> the private key somehow.
> 

Exactly, and then we're back to the point of you not getting much extra 
security with a software solution. But even with a hardware solution somebody
with root access to your machine would be "a bad idea"(tm) ;-)


vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall
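
The file-permission and pass-phrase points made in this thread can be checked mechanically. The following is an added example, not code from any poster or from mod_ssl: shell functions that audit PEM key files for group/other access and for missing pass-phrase encryption. The function names, the `.key` suffix and the sample files (PEM framing only, no key material) are assumptions.

```sh
#!/bin/sh
# Added example: audit PEM private-key files. Function names and the *.key
# suffix are assumptions of this sketch.

# True if the key is pass-phrase protected (traditional or PKCS#8 PEM).
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# True if group and other have no permission bits on the file.
key_perms_private() {
    # ls -ld prints e.g. "-rw-------"; characters 5-10 are group/other.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Print one verdict for a key file.
audit_key() {
    [ -f "$1" ] || { echo "MISSING"; return 1; }
    enc=no; priv=no
    if key_is_encrypted "$1"; then enc=yes; fi
    if key_perms_private "$1"; then priv=yes; fi
    case "$enc/$priv" in
        yes/yes) echo "OK" ;;
        yes/no)  echo "LOOSE-PERMS" ;;
        no/yes)  echo "UNENCRYPTED" ;;
        *)       echo "UNENCRYPTED+LOOSE-PERMS" ;;
    esac
}

# Audit every *.key file in a directory, one "verdict path" line each.
audit_dir() {
    for f in "$1"/*.key; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(audit_key "$f")" "$f"
    done
}

# Constructed sample files: PEM framing only, no real key material.
write_sample_keys() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' '(placeholder)' \
        '-----END RSA PRIVATE KEY-----' > "$1/good.key"
    cp "$1/good.key" "$1/shared.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(placeholder)' \
        '-----END RSA PRIVATE KEY-----' > "$1/plain.key"
    chmod 600 "$1/good.key" "$1/plain.key"
    chmod 640 "$1/shared.key"
}

# Demo run on the constructed files.
dir=$(mktemp -d) && write_sample_keys "$dir" && audit_dir "$dir"
rm -rf "$dir"
```

An `UNENCRYPTED` verdict on a key with private permissions is the configuration the thread describes as relying on file system permissions alone.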




Re: How can I secure private keys?

2000-08-30 Thread [EMAIL PROTECTED]

I agree, NFS would be a bad idea.

I could probably burn the keys on to a CD and use that when I reboot.  The 
rest of the time, I could store the CD in a secure location.

I have also been reading about how it is relatively easy to scan through 
memory (assuming you have root permission) and locate a key.  I'm not sure 
how to defend against this kind of attack, except to make sure that your 
system is secure.  If an attacker can gain root access, he can probably get 
the private key somehow.

Jeff

At 06:28 PM 8/30/00 +0200, you wrote:
>On Wed, Aug 30, 2000 at 09:53:04AM -0500, [EMAIL PROTECTED] wrote:
> > Does anyone have any information about how to secure the private keys for
> > my websites?  If someone manages to hack my webserver, I don't want them to
> > be able to access my private keys.
>
>They will still be loaded in memory as long as the webserver is running.
> >
> > I would like to store the private keys on a separate high-security system
> > and have mod_ssl read them via a network connection when I start the server.
> >
>You could of course place the files on an NFS share, but that would IMHO
>be a very bad idea. If you want something automatic, that will allow your
>webserver to connect to a remote system and read the keys from that every
>time it is restarted, then it would be really easy for an attacker to fire
>up a slightly modified version of Apache and just have it save a copy of
>the key. If you don't mind a bit of manual labor when the server is restarted,
>then you could just put the key on a floppy (or other removable media) and
>only have that media in the machine on those rare occasions where you need
>to restart apache.
>
>vh
>
>Mads Toftum
>--
>`Darn it, who spiked my coffee with water?!' - lwall




Re: Port number to choose

2000-08-30 Thread Iain Brown

MT> Almost any port will do - you just have to make sure that nothing else
MT> is on that port already - and that the port number is not above ~64000
MT> Just remember that your url's will have to look something like:
MT> https://www.example.com:12345/ 
MT> where 12345 is the port number.

But (of course), don't expect your site to be as generically
accessible. Our firewall, for instance, allows direct connections
through ports 80 and 443. Non-standard SSL won't fly.

 - Iain   





RE: installation of mod_ssl on windows2000

2000-08-30 Thread Susmitha Vuyyuru

Hi David,

   I had similar problems with Win2000. I tried many configurations but
nothing works.
I guess there must be a special problem with Win2000 and Apache.
If you find a solution in the future, please let me know.

Susmitha.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of David Niu
Sent: Monday, August 28, 2000 9:36 AM
To: '[EMAIL PROTECTED]'
Subject: installation of mod_ssl on windows2000


Hi, Sir:
Could somebody help me?
When I install the mod-ssl2.6.6-1.3.12 and apache1.3.12 on windows 2000, I
can't run https request, I did the configure file just as the document
suggested, but sometimes I can't even start apache, I installed them on my
local machine.
Could somebody email me the sample httpd.conf file or tell me how to do?

Thanks.

David

August28th,2000



Re: How can I secure private keys?

2000-08-30 Thread Mads Toftum

On Wed, Aug 30, 2000 at 09:53:04AM -0500, [EMAIL PROTECTED] wrote:
> Does anyone have any information about how to secure the private keys for 
> my websites?  If someone manages to hack my webserver, I don't want them to 
> be able to access my private keys.

They will still be loaded in memory as long as the webserver is running.
> 
> I would like to store the private keys on a separate high-security system 
> and have mod_ssl read them via a network connection when I start the server.
> 
You could of course place the files on an NFS share, but that would IMHO
be a very bad idea. If you want something automatic, that will allow your
webserver to connect to a remote system and read the keys from that every
time it is restarted, then it would be really easy for an attacker to fire
up a slightly modified version of Apache and just have it save a copy of 
the key. If you don't mind a bit of manual labor when the server is restarted,
then you could just put the key on a floppy (or other removable media) and
only have that media in the machine on those rare occasions where you need
to restart apache.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall



Re: Port number to choose

2000-08-30 Thread Mads Toftum

On Wed, Aug 30, 2000 at 11:50:05PM +0800, Mark Lo wrote:
> Hi,
> 
> I have read the mailing list archive about name-based virtual host with SSL
> enabled.  As from my understanding, we can use the same IP address with different
> Port Number for different domain name (for secure web server).  Now, I have come up
> with a question.  Can anyone tell me which port should I use other than 443.
>
Almost any port will do - you just have to make sure that nothing else
is on that port already - and that the port number is not above ~64000
Just remember that your url's will have to look something like:
https://www.example.com:12345/ 
where 12345 is the port number.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: Port number to choose

2000-08-30 Thread Owen Boyle

> Mark Lo wrote:
> 
> I have read the mailing list archive about name-based virtual host
> with SSL enabled.  As from my understanding, we can use the same IP
> address with different Port Number for different domain name (for
> secure web server).  Now, I have come up with a question.  Can anyone tell
> me which port should I use other than 443.
> 

Now things get tricky. There is only one port defined by default for SSL
and that is port 443. To get more than one SSL host on the same IP
address, you have to set up your server to Listen to another port. Use any
number you like, but avoid numbers already in use (check /etc/services
for a list). Usually, you should use high numbers > 1024 to avoid
clashes with "standard" services. So you can have:


...SSL host 1

...SSL host 2

...SSL host 3

and so on. The problem is that you have to specify port numbers other
than 443 in the URL - a lot of people don't like funny port numbers
appearing in their URLs. Another, possibly more serious problem, is that
many of your customers will have firewalls which block traffic on
anything other than standard services ports (some people even block
443!).

The conclusion is that it is quite difficult to have many SSL hosts on
one server. The three methods of VirtualHosting pan out like this:
(1) Name-based VirtualHosting: Doesn't work at all since SSL starts
before the ServerName is discovered.
(2) Port-based VirtualHosting: Need to specify port numbers in URLs and
some Firewalls block "funny" port numbers.
(3) IP-based VirtualHosting: The only reliable method. You can stick to
port 443 but you have only one SSL host per IP number.

Best of luck anyway,

Owen Boyle. 
-- 
SWX Swiss Exchange,  10 Cours de Rive, 1211 Geneve 3
--+-
Phone: +41 (0)22 849 5648 | Fax: +41 (0)22 849 5643
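
A check for case (1) in the list above, as an added example (not from the post or from mod_ssl): the function reports every address:port that more than one SSL-enabled `<VirtualHost>` block binds to, which is the name-based arrangement the post says does not work with SSL. It assumes a server without SNI, as in the mod_ssl 2.6 setup discussed; the sample configuration, host names and 192.0.2.x addresses are constructed.

```sh
#!/bin/sh
# Added example: find address:port pairs shared by several SSL virtual hosts.

# ssl_vhost_conflicts CONF
# Prints "addr:port count" for each address used by 2 or more SSL vhosts.
ssl_vhost_conflicts() {
    awk '
        # Opening tag: remember the address, reset the per-block SSL flag.
        tolower($1) == "<virtualhost" {
            addr = $2
            sub(/>$/, "", addr)
            in_vhost = 1; ssl = 0
            next
        }
        # "SSLEngine on" inside a block marks it as an SSL host.
        in_vhost && tolower($1) == "sslengine" && tolower($2) == "on" { ssl = 1 }
        # Closing tag: count the block if it was SSL-enabled.
        tolower($1) ~ /^<\/virtualhost>/ {
            if (in_vhost && ssl) count[addr]++
            in_vhost = 0
        }
        END {
            for (a in count) if (count[a] > 1) print a, count[a]
        }
    ' "$1" | sort
}

# Constructed sample configuration covering the three methods in the post.
write_sample_conf() {
    cat > "$1" <<'EOF'
Listen 443
Listen 8443
# (1) name-based: two SSL hosts on one address and port
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName mail.example.com
    SSLEngine on
</VirtualHost>
# (2) port-based: same address, different port
<VirtualHost 192.0.2.10:8443>
    ServerName admin.example.com
    SSLEngine on
</VirtualHost>
# (3) IP-based: a second address on port 443
<VirtualHost 192.0.2.11:443>
    ServerName www.example.org
    SSLEngine on
</VirtualHost>
# plain HTTP host, not counted
<VirtualHost 192.0.2.10:80>
    ServerName shop.example.com
</VirtualHost>
EOF
}

# Demo run on the constructed configuration.
conf=$(mktemp) && write_sample_conf "$conf" && ssl_vhost_conflicts "$conf"
rm -f "$conf"
```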



Re: french crypto

2000-08-30 Thread Mads Toftum

On Wed, Aug 30, 2000 at 05:48:00PM +0300, Florin Andrei wrote:
>   I see. So, i'll have to use 40 bit key in order to allow everyone in France
> to access my site, right?

Wrong - the webserver will figure out how to downgrade.
There is no one using 40 certificates anywhere. 
Basically when doing an SSL session, there are two types of
keys: The certificate keys (either 512 or 1024 bits in standard
setups) and the symmetric session keys (either 40, 56 or 128 bits).
You should read: http://www.modssl.org/docs/2.6/ssl_intro.html
When Verisign write about 128 bits certificates, then they're
actually talking Global ID/Server Gated Crypto ... see
http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/README.GlobalID
Because of the rather special French rules, then French browser
versions from last year or older probably do not support Server
Gated Crypto - and new versions will most likely not need it 
because they support strong crypto by default... 
You can use whichever of Verisign's Secure Site or Secure Site Pro
(http://www.verisign.com/products/site/ss/index.html) you like,
but because of the old French restrictions, then you will not gain
very much by choosing the expensive version.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




How can I secure private keys?

2000-08-30 Thread [EMAIL PROTECTED]

Does anyone have any information about how to secure the private keys for 
my websites?  If someone manages to hack my webserver, I don't want them to 
be able to access my private keys.

I would like to store the private keys on a separate high-security system 
and have mod_ssl read them via a network connection when I start the server.

I know I could use one of the hardware key-management cards, but I'm trying 
to figure out a software solution.

Thanks,

Jeff



Port number to choose

2000-08-30 Thread Mark Lo



Hi,

I have read the mailing list archive about name-based virtual host with SSL
enabled.  As from my understanding, we can use the same IP address with
different Port Number for different domain name (for secure web server).
Now, I have come up with a question.  Can anyone tell me which port should I
use other than 443.

Thank you so much

Mark Lo


Re: french crypto

2000-08-30 Thread Marc van Leeuwen

> > We have tested it out here at Lucent (I haven't myself so I can only say
> > what happened, not why). Installing a 128bits certificate on the
> > web server,
> > and using 40bits french Netscape (v 4.5 or 4.6) on NT4 to access it :
> > computer crash !
> > As I've said, I only share my experience, so maybe Florin will be better
> > fitted out with a 40bits certificate after all
>
> Here we use both 128 and 40 bits browsers without any problem !

Lucky you are :-)


> AFAIK, during the SSL handshake, the browser and the server decides what
> strength they are going to use during their communication. So, the one that
> has the shortest key length will impose it for their comm. That's all I
> think!
It seems logical to me, but what about certificates, are you using only one
(128bits) certificate or 2 (40bits too) ?

Sorry if I'm wrong, I'm not the cleverest on earth about SSL stuff (that's
why I've subscribed, to learn)

Marc




RE: french crypto

2000-08-30 Thread Daniel Montalibet


> We have tested it out here at Lucent (I haven't myself so I can only say
> what happened, not why). Installing a 128bits certificate on the
> web server,
> and using 40bits french Netscape (v 4.5 or 4.6) on NT4 to access it :
> computer crash !
> As I've said, I only share my experience, so maybe Florin will be better
> fitted out with a 40bits certificate after all

Here we use both 128 and 40 bits browsers without any problem !

AFAIK, during the SSL handshake, the browser and the server decides what
strength they are going to use during their communication. So, the one that
has the shortest key length will impose it for their comm. That's all I
think!





Re: french crypto

2000-08-30 Thread Marc van Leeuwen

> I think you misunderstand the answer. You can use a 128bit key on your
> server, but the end users will probably be connecting using a 40bit browser.
> So they won't be getting the maximum level of encryption available.

We have tested it out here at Lucent (I haven't myself so I can only say
what happened, not why). Installing a 128bits certificate on the web server,
and using 40bits french Netscape (v 4.5 or 4.6) on NT4 to access it :
computer crash !
As I've said, I only share my experience, so maybe Florin will be better
fitted out with a 40bits certificate after all

Marc van Leeuwen
Lucent Technologies




Re: french crypto

2000-08-30 Thread Florin Andrei

"Airey, John" wrote:
> 
> I think you misunderstand the answer. You can use a 128bit key on your
> server, but the end users will probably be connecting using a 40bit browser.
> So they won't be getting the maximum level of encryption available.

Wait a second... If i buy the 128 bit Verisign key, the clients will be able
to connect with 40-bit-only browsers? Isn't it necessary for this to buy the
40-bit key too?

-- 
Florin Andrei
mailto:[EMAIL PROTECTED] http://members.linuxstart.com/~florin/
tel: +40-93-261162



RE: french crypto

2000-08-30 Thread Airey, John

I think you misunderstand the answer. You can use a 128bit key on your
server, but the end users will probably be connecting using a 40bit browser.
So they won't be getting the maximum level of encryption available.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Florin Andrei [mailto:[EMAIL PROTECTED]]
Sent: 30 August 2000 15:48
To: [EMAIL PROTECTED]
Subject: Re: french crypto


Daniel Montalibet wrote:
> 
> However note that most of the browsers used by french people are still 40
> bits browsers due to earlier restrictions.

I see. So, i'll have to use 40 bit key in order to allow everyone in France
to access my site, right?
I guess the big https-enabled sites in France use 40 bit too, isn't so?

-- 
Florin Andrei
mailto:[EMAIL PROTECTED] http://members.linuxstart.com/~florin/
tel: +40-93-261162



Re: french crypto

2000-08-30 Thread Florin Andrei

Daniel Montalibet wrote:
> 
> However note that most of the browsers used by french people are still 40
> bits browsers due to earlier restrictions.

I see. So, i'll have to use 40 bit key in order to allow everyone in France
to access my site, right?
I guess the big https-enabled sites in France use 40 bit too, isn't so?

-- 
Florin Andrei
mailto:[EMAIL PROTECTED] http://members.linuxstart.com/~florin/
tel: +40-93-261162



RE: french crypto

2000-08-30 Thread Daniel Montalibet

Bonjour Florin,


French law is now (since the very beginning of this year) more cool on key
length! You can use 128 bits.

However note that most of the browsers used by french people are still 40
bits browsers due to earlier restrictions.


Daniel.


>   This is kinda off-topic, but maybe not...
>
>   I'll have a https website in Paris very soon. I know there are some problems
> with the law in France, regarding crypto software. So, what i wanna know is
> what key length should i choose, 40 bit or 128 bit?
>   French people usually use 128 bit browsers?
>




french crypto

2000-08-30 Thread Florin Andrei


This is kinda off-topic, but maybe not...

I'll have a https website in Paris very soon. I know there are some problems
with the law in France, regarding crypto software. So, what i wanna know is
what key length should i choose, 40 bit or 128 bit?
French people usually use 128 bit browsers?

-- 
Florin Andrei
mailto:[EMAIL PROTECTED] http://members.linuxstart.com/~florin/
tel: +40-93-261162



Re: Apache-SSL Configuration

2000-08-30 Thread tk dev

hi kai yin,

> we are using Apache + openssl + mod_ssl
> and i have installed all of stuff
> but i dont know how to activated it 
> if i have webpages wanted to run under ssl.
> 
> i know that i should place pages in htdocs if such
> pages don't run
> ssl.

don't know what u meant by activating, do u mean u
want to run apache with ssl?
if that's the case then u can try 
/path/to/apachectl startssl (stop,start)
or u check your /usr/local/apache/bin/httpd file
make sure the following line is there:
startproc /usr/local/apache/bin/httpd -f \
/usr/local/apache/conf/httpd.conf -D SSL

if u've that it should automatically b started when u
start your linux. pls customize the directories
according to your setup. another assumption is that your
apache is 'standalone', i.e. not started by inetd.

good luck!
tk

=
0Oo~~:o)
Smile! You'r Alive!!!

Q:What's peacefulness?
A:What's confusion? Peacefulness is the end of confusion.

o.0.Oo.o May there be peace in every step we take :o):tk




Re: Continuing issues with MultiCert Requests

2000-08-30 Thread Mads Toftum

On Tue, Aug 29, 2000 at 09:34:58AM +1200, Dr. David J. Knowles wrote:
> Hi,
> 
> A little while ago I ran into a problem where an apache/modssl system
> was configured to verify incoming client certificates. The verification
> worked fine, however the web server appeared to require the certificate
> to be represented for every HTTP GET, this included not only the html
> page but the images. Thus there was something like 7 certificate
> requests for the first page alone.
> 
> A number of people responded to this request with very useful
> information about the certificate caching etc.
> 
> The problem became more complex:
> -The server which fails is compiled on a Solaris SPARC system
> running version SunOS 5.6 of the operating system.
> -A Linux i386 server compiled in the same way works correctly. This
> is using the same configuration files as the faulty system.
> -The modules are the following versions: Apache/1.3.12,
> ApacheJServ/1.1.2, mod_ssl/2.6.4, OpenSSL/0.9.5a
> 
> Is there something I am missing in the differences between the two
> operating systems or how mod_ssl/OpenSSL is compiled which could cause
> this fault?
> 
I don't think it is the os - at least I've had no trouble at all on
Solaris 7. Which kind of session cache mechanism is it? On Sun I'd
definitely recommend using mm for your session caching, but that's 
strictly a performance issue. To get a bit more info about what is 
happening, you could set SSLLogLevel to trace - that way you will
be able to see in the logfile what the cache is doing.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: [SLE] apache & SSL

2000-08-30 Thread zentara

tk dev wrote:
> 
> Hi all,
> 
> previously i installed suse6.4(kernel2.2.14) with
> apache etc.
> since the bundled openssl & modssl didn't really
> work..i reinstalled it again myself..in the prefix
> directory /usr/local/apache.
> 
> my ques:
> 1.everytime i restart my server, it'll default to the
> original apache, so each time i need to command
> #/etc/rc.d/init.d/apache stop
> then i restart my new server with
> #/usr/local/apache/bin/apachectl startssl
> -how do i make sure that apachectl will restart
> automatically each time my server is restarted instead
> of the 'old' httpd?

Don't use the scripts in /sbin/init.d to start or stop
apache, that starts up the suse version. Turn apache off in
Yast. Simply start apache with apachectl start (stop,reload).
Copy apachectl to your /root/bin or put it in your
root path somewhere.


 
> -why is it that after i run startssl(as above), when i
> checked
> #/etc/rc.d/init.d/apache status
> it'll report ..ok & how long httpd has started. if i
> put "/etcapache  stop" my apachectl is also
> stopped.
> can anyone tell me what's the connection between this
> apache & apachectl(ps.i did cp apachectl into
> /etc/rc.d/init.d)

apachectl is the startup script that comes with apache and it 
starts the httpd daemon in /usr/local/apache/bin. It uses the
configuration file from /usr/local/apache/conf.

apache starts up the suse httpd daemon (location?), and it uses the
configuration file in /etc/httpd



> 2.the default apache comes with many modules e.g.
> php3,perl etc & i found out that i need to recompile
> apache to include them into my 'new' apachectl. does
> it mean that in the future if i were to add new
> modules, i've to recompile apache & also reconfigure
> httpd.conf?

Yep, and if you look closely at the configuration file
that comes with suse, you can see it isn't easy to
write a conf that will load the modules correctly.

I have been using the suse apache and it loads all its
modules properly. You do need to track down the
mod_ssl.rpm, openssl.rpm, the updated jserv.rpm,
and get the jdk1.22 from sun.com




mod-ss2.6.6l,apache1.3.12 and open-ssl 0.9.5a on windows2000

2000-08-30 Thread David Niu

Hi,sir:
I have installed mod-ss2.6.6,apache1.3.12 and open-ssl 0.9.5a on
windows2000, they are all running, but I can't access the server
from my browser by https://localhost/, when I use openssl s_client -connect
localhost:443 -debug, it says:
Loading 'sceen' into random state - done
connect: bad file descriptor,
connect ero:10061
Could somebody give me a sample httpd.conf file, or tell me what's wrong.

Thanks.

David

august 29th 2000



Re: ques re pass phrase

2000-08-30 Thread Remi Cohen-Scali

tk dev wrote:
> 
> hi all
> 
> according the mod_ssl user guide, if i use "sslpass
> phrasedialog exec:/xx/xx/xx  ", i need to have an
> external program. unfortunately i can't find pp-filter
> (in chap 3-sslpassphrasedialog) in my system.  can
> anyone please tell me where i can get a sample program
> with provides the pass phrase on stdout?
> 

Write a little shell script as
# echo "Your pass phrase"
This is the simplest I know

> thanks in advance for your assistance.
> tk
> 
> =
> 0Oo~~:o)
> Smile! You'r Alive!!!
> 
> Q:What's peacefulness?
> A:What's confusion? Peacefulness is the end of confusion.
> 
> o.0.Oo.o May there be peace in every step we take :o):tk
> 

-- 
  \/
 Remi Cohen-Scali   ------   [EMAIL PROTECTED]
   WAP/\ [EMAIL PROTECTED]
 S/MIME cryptographic signature
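
A slightly fuller `exec:` program than the one-line `echo`, added here as an example and not taken from mod_ssl or the posters: mod_ssl calls the program with `servername:port` and `RSA` or `DSA` as its two arguments and reads the pass phrase from stdout. The table path and its three-column layout are assumptions; anyone who can read that table can decrypt the keys, so the function refuses to answer when group or others have any access to it.

```sh
#!/bin/sh
# Added example of an SSLPassPhraseDialog exec: program.
# Hypothetical table, one entry per line:
#   servername:port  RSA|DSA  pass phrase (rest of the line)
PP_TABLE=${PP_TABLE:-/usr/local/apache/conf/ssl.pass/table}

# lookup_passphrase TABLE SERVER:PORT ALGO
# Return codes: 0 found, 1 no entry, 2 table permissions too open,
# 3 unknown algorithm argument.
lookup_passphrase() {
    table=$1; server=$2; algo=$3
    # Refuse to answer from a table that group or others can access.
    [ "$(ls -ld -- "$table" 2>/dev/null | cut -c5-10)" = "------" ] || return 2
    # mod_ssl passes only RSA or DSA as the second argument.
    case "$algo" in RSA|DSA) ;; *) return 3 ;; esac
    awk -v s="$server" -v a="$algo" '
        $1 == s && $2 == a {
            # Drop the two key columns, keep the pass phrase with its spaces.
            sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+/, "")
            print; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    ' "$table"
}

# Invoked by mod_ssl as: <this script> servername:port RSA|DSA
if [ "$#" -eq 2 ]; then
    lookup_passphrase "$PP_TABLE" "$1" "$2"
fi
```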


./configure --with-apxs=/usr/sbin/apxs

2000-08-30 Thread Paul Ingendorf

When running the configure with apxs command on mandrake
7.1 helium with apache 1.3.12 already installed from rpm
I received the following message.

Configuring mod_ssl/2.6.6 for Apache/1.3.12
./configure:Error: The mod_ssl/2.6.6 can be used for Apache/1.3.12 only.
./configure:Error: Your Apache source tree under /usr is version Server.
./configure:Hint:  Please use an extracted apache_1.3.12.tar.gz tarball
./configure:Hint:  with the --with-apache option, only.

I dug through the configure script and fell on line 289
after breaking it up I found that the mandrake version
is a bit fouled up.

This is the first line of output from httpd -v

Server version: Apache-AdvancedExtranetServer/1.3.12 (NetRevolution/Linux-Mandrake)

I retouched line 289 to read

APV=`/usr/sbin/httpd -v | grep "Server version:" | awk {print'$3'} | sed -e 's/.*\///' -e 's/ .*//'`

and all was well.

I'm posting this so maybe it can be fixed and so people
can find it in the mail archives.  I know that was one
of the first places I looked.

-->> http://edispatch.timespace.org
-->> mailto:[EMAIL PROTECTED]
Running ... Cos anything else would be a waste...



Continuing issues with MultiCert Requests

2000-08-30 Thread Dr. David J. Knowles

Hi,

A little while ago I ran into a problem where an apache/modssl system
was configured to verify incoming client certificates. The verification
worked fine, however the web server appeared to require the certificate
to be represented for every HTTP GET, this included not only the html
page but the images. Thus there was something like 7 certificate
requests for the first page alone.

A number of people responded to this request with very useful
information about the certificate caching etc.

The problem became more complex:
-The server which fails is compiled on a Solaris SPARC system
running version SunOS 5.6 of the operating system.
-A Linux i386 server compiled in the same way works correctly. This
is using the same configuration files as the faulty system.
-The modules are the following versions: Apache/1.3.12,
ApacheJServ/1.1.2, mod_ssl/2.6.4, OpenSSL/0.9.5a

Is there something I am missing in the differences between the two
operating systems or how mod_ssl/OpenSSL is compiled which could cause
this fault?

Thanks in advance.

Dr. David J. Knowles