how to force apache+ssl to use CryptoSwift

2000-10-31 Thread mod_ssl_cn

Hi 

I have installed openssl_engine_0.9.6, mod_ssl and apache_1.3.14 on my Linux platform.
I have installed a hardware crypto device, CryptoSwift, and its driver.

I have tested it with openssl 0.9.3 + swift_patch + mod_ssl.
It works normally.

How can I force the apache_1.3.14 + openssl_engine_0.9.6 server to use CryptoSwift?

I have updated some source code to implement it; it works normally.

But how can I force apache to use CryptoSwift by config file or command line arg?



__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                  [EMAIL PROTECTED]



after install of mod-ssl, stunnel broken

2000-10-31 Thread RCURTIS

I have been using stunnel on an apache 1.3 webserver to connect to the web
interface of SAMBA called SWAT.  After install of mod-ssl, I cannot connect
via https: to SWAT, i.e. https://xxx.xxx.xxx.xxx:901.  If connecting to swat
outside stunnel, all works fine.  Any ideas as to what the mod-ssl install
changed or how to make it so that I can continue to use stunnel to connect
while at the same time using mod-ssl on the web server?  Any help
appreciated ..   Thanks!
 

Richard Curtis 
[EMAIL PROTECTED] 

 



RE: benchmarks SSL vs non-SSL

2000-10-31 Thread David Rees

> Can anyone point me to a document that compares SSL performance
> to non-SSL performance?
> I recently compiled up modssl-2.6.1 against 1.3.12 on Win32, and
> I get speeds about 1/20th of what I get from the same server
> without SSL enabled.  That doesn't seem right.

Depending on how much CPU power you have, it's not too far off.  I usually
see about 1/5th the performance when running SSL vs unsecure pages.

> I have read Mark Cox's document at
>  , it is very good, but it
> didn't solve my problem, as it doesn't talk about non-SSL.
> Although to be fair, I am not compiling RC4 into openssl, so I am
> probably using 3DES, which will hurt me a bit according to the
> above document.
>
> I have enabled dbm SSLSessionCache, and I doubt if enabled a
> shared memory cache will improve my performance greatly.
> (Especially since my real quick benchmark that I used only made 1
> keepalive connection.

You should run better tests.  Get a couple machines as clients, (not the
same one as the web server!) and go download WebBench from ZDNet or
something similar.

Serving SSL pages is mainly CPU power limited, so multiple fast CPUs will
help a lot.

I found that using openssl-0.9.6 gave me a significant speed boost over
previous versions, about 50-60% if I remember correctly.

FWIW, on a SGI Origin 200 with dual 180MHz CPUs, it topped out around 145
hits/second on a small static data set (small files, most around 1K in size)
running Apache/1.3.14 mod_ssl/2.7.1 OpenSSL/0.9.6.

-Dave




Re: benchmarks SSL vs non-SSL

2000-10-31 Thread Eric Rescorla

Jeff Costlow <[EMAIL PROTECTED]> writes:
> Can anyone point me to a document that compares SSL performance to
> non-SSL performance?  I recently compiled up modssl-2.6.1 against
> 1.3.12 on Win32, and I get speeds about 1/20th of what I get from
> the same server without SSL enabled.  That doesn't seem right.
This actually sounds quite plausible. 

-Ekr



benchmarks SSL vs non-SSL

2000-10-31 Thread Jeff Costlow

Can anyone point me to a document that compares SSL performance to non-SSL performance?
I recently compiled up modssl-2.6.1 against 1.3.12 on Win32, and I get speeds about 
1/20th of what I get from the same server without SSL enabled.  That doesn't seem 
right.

I have read Mark Cox's document at  , it is very 
good, but it didn't solve my problem, as it doesn't talk about non-SSL.  Although to 
be fair, I am not compiling RC4 into openssl, so I am probably using 3DES, which will 
hurt me a bit according to the above document.

I have enabled dbm SSLSessionCache, and I doubt if enabled a shared memory cache will 
improve my performance greatly.  (Especially since my real quick benchmark that I used 
only made 1 keepalive connection.

The only thing special about my configuration is that I am using mod_auth_digest and 
mod_dav.

Thanks.



Re: unsecure objects with IE5.5

2000-10-31 Thread Paul McGarry



David Rees wrote:

> > We've got no problems with NS or other IE versions.
> >
> > Maybe a reason: We use extensively javascript within the pages.
> 
> This is a known bug in IE 5.5.  I don't know of any work arounds.

Does anyone know where (if) this bug is documented. I couldn't find
anything on MS's site (I'd just like something to point to when 
people ask what the error means).

In further bad news, a similar bug exists in Mozilla:

http://bugzilla.mozilla.org/show_bug.cgi?id=58180

This is all somewhat annoying, having the most recent versions of the
two leading browsers screw up an application I spent some time 
crafting out of entirely standards based technology (HTML4, CSS,
ecmascript and DOM).

-- 
Paul McGarry            mailto:[EMAIL PROTECTED]
Systems Integrator      http://www.opentec.com.au
Opentec Pty Ltd         http://www.iebusiness.com.au
6 Lyon Park Road        Phone: (02) 9878 1744
North Ryde NSW 2113     Fax:   (02) 9878 1755



[BugDB] PRIVATE: SSLSessionCache (PR#479)

2000-10-31 Thread modssl-bugdb

Full_Name: Steve Gailey
Version: mod_ssl-2.7.1-1.3.14
OS: Solaris 5.7
Submission from: (NULL) (158.152.223.68)


I have a problem with shared memory -(MM) I am compiling with
Mod Perl and MM. What I get is...
 SSLSessionCache: shared memory cache not useable on this platform
I have checked and this seems to indicate that MM is not compiled in and
that the stubs are returning FALSE.

I have tried forcing this, but then I get linking problems.

Here is my build script. You will see that I am building a dynamic Mod_SSL,
perhaps this is the problem?

 snip 

# Configure Open SSL
STATUS="start"
cd openssl-0.9.6
sh config no-idea -fPIC
make
#make test
make install
cd ..
STATUS="Done Open SSL"
date > setup.txt
echo $STATUS >> setup.txt

# Configure MM
cd mm-1.1.3
./configure --disable-shared
make
make install
cd ..
EAPI_MM=../mm-1.1.3
SSL_BASE=../openss-0.9.6

STATUS=" Done MM"
date > setup.txt
echo $STATUS >> setup.txt

# Configure mod SSL
cd mod_ssl-2.7.1-1.3.14
SSL_BASE=../openss-0.9.6 lEAPI_MM=../mm-1.1.3 ./configure \
  --with-apache=../apache_1.3.14 --with-ssl=../openssl-0.9.6 --with-mm=../mm-1.1.3
STATUS="Done Mod_SSL"
date > setup.txt
echo $STATUS >> setup.txt

# configure Mod Perl
cd ..
cd mod_perl-1.24_01
perl Makefile.PL USE_APACI=1 EVERYTHING=1 ALL_HOOKS=1 DO_HTTPD=1 \
  SSL_BASE=/usr/local/ssl APACHE_PREFIX=/usr/local/apachessl APACHE_SRC=../apache_1.3.14 \
  APACI_ARGS=--enable-module=ssl,--enable-module=rewrite,--enable-shared=ssl
STATUS="Done Config Mod_Perl"
date > setup.txt
echo $STATUS >> setup.txt

make && make install
cd ..
STATUS="Done Mod_Perl"
date > setup.txt
echo $STATUS >> setup.txt

# Build apache
cd apache_1.3.14
make certificate
make install
STATUS="Finished"
date > setup.txt
echo $STATUS >> setup.txt

 snip  

Not very pretty I know, but it does build the source.



Re: EAPI and 3rd party products

2000-10-31 Thread Avi Green

This probably isn't SSL-related, but I hope you won't mind my asking
since we're talking about EAPI problems already:

Our company has some servers running JRun, Allaire's Java servlet
engine.  When I start Apache, it gives the following warning when
loading the JRun DSO:

   Loaded DSO
/usr/local/apacissl/Jrun_2.3.2.build158-connector/mod_jrun.so
   uses plain Apache 1.3 API, this module might crash under EAPI!
   (please recompile it with -DEAPI)

Following Allaire's instructions on "Configuring JRun 2.3 with secure
Apache web servers," I recompiled the DSO using EAPI (apxs -c -DEAPI
...).  But I still get the warning every time I start the server.  And
the server seems to work fine.

Any ideas why I'm getting this error?

Thanks a lot,
Avi

p.s.  I tried playing with ld to see if I could figure out if the
  symbol was in the SO, but I didn't really know what I was doing.
  I'd appreciate a thought or two from the experts.

==
= Avi Green :-) avi at sputnik7.com (-: 212 217-1147 =
  Unix SysAdmin & System Specialist  =
=  http://www.sputnik7.com  ==
= Netcasting Music, Videos, Film & Anime 24/7 



RE: Permanent re-direct

2000-10-31 Thread Biggs, Jody

RedirectMatch (.*) https://my-server$1

 - Jody Biggs


-Original Message-
From: John Markunas [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 30, 2000 11:43 AM
To: [EMAIL PROTECTED]
Subject: Permanent re-direct


Hello
What Apache directive do I use to make 

http://my-server

always go to

https://my-server

Thank You

John Markunas



Re: Basic Question...Key Pair and CSR generation

2000-10-31 Thread Alex Farber

Rick Dunetz wrote:
> 
> I just got to the ../openssl-0.9.6/apps directory and type in "openssl" and I get
> openssl not found.

How about:  ./openssl



[BugDB] client authentification (PR#478)

2000-10-31 Thread modssl-bugdb

Full_Name: winni
Version: 2.4.2
OS: AIX 4.3.3 (AIX4.3.2)
Submission from: (NULL) (129.181.209.36)


Hi together,

well, I have problems understanding the verification process within client
authentication
:-((

If I have this certificate structure :

ROOT-CA (selfsign cert)
|
Intermediate1 CA ( sign by ROOT-CA)
|   
Client Certificate1 (sign by Intermediate1 CA)
|
Client Certificate2 (sign by Intermediate1 CA)
|
|
Intermediate2 CA ( sign by ROOT-CA)
|   
Client Certificate3 (sign by Intermediate2 CA)
|
Client Certificate4 (sign by Intermediate2 CA)


Within the apache-Server I define Client Authentication like :

httpd.conf:

...
Listen 443
Listen 444
...

# Application No.1

... 
DocumentRoot /usr/local/apache/htdocs

SSLEngine on

# Server Cert
SSLCertificateFile /usr/local/apache/conf/ssl.crt/Server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/Server.key
 
# Client Authentification !!
SSLVerifyClient require
  # Depth = 2 because I have to use two signers and one client cert !!
SSLVerifyDepth 2
  # Within this file are placed the ROOT-CA and the Intermediate1 CA
SSLCACertificateFile /usr/local/apache/443/CAcert.pem
SSLCARevocationPath /usr/local/apache/443
SSLCARevocationFile /usr/local/apache/443/crl.pem

  # I use also the ProxyPass for redirection !! 
ProxyPass / http://myOtherIP1
ProxyPassReverse / http://myOtherIP1 


# Application No.2

... 
DocumentRoot /usr/local/apache/htdocs

SSLEngine on

# Server Cert
SSLCertificateFile /usr/local/apache/conf/ssl.crt/Server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/Server.key
 
# Client Authentification !!
SSLVerifyClient require
  # Depth = 2 because I have to use two signers and one client cert !!
SSLVerifyDepth 2
  # Within this file are placed the ROOT-CA and the Intermediate2 CA
SSLCACertificateFile /usr/local/apache/444/CAcert.pem
SSLCARevocationPath /usr/local/apache/444
SSLCARevocationFile /usr/local/apache/444/crl.pem

  # I use also the ProxyPass for redirection !! 
ProxyPass / http://myOtherIP2
ProxyPassReverse / http://myOtherIP2 




If I access Application No.1 (https://myIP:443) with the correct
Client-Certificate (Client Certificate 1 or 2) the access is allowed !!  That's OK  :-)

But
If I access Application No.1 (https://myIP:443) with the Client-Certificate
(Client Certificate 3 or 4) the access is also allowed !! That's NOT OK  :-((
The Intermediate1 CA and the ROOT-CA are only known by the virtualhost:443. So
modssl can't verify Intermediate2 CA.
It looks like only the verification of the (same) ROOT-CA is
sufficient to verify the client certificates and not the signer certificate of
the client certificate !!!
I think that can't be a feature ! I would assume that ALL certificates within a
chain have to be verified correctly before an access could be established !!

Well, I also use the ProxyPass within the httpd.conf. That is important to
know because if I don't use this feature I can fix the problem with the
following additional definitions in httpd.conf:

# Application No.1

...

SSLRequire  %{SSL_CLIENT_I_DN_CN} eq "Intermediate1 CA"


# Application No.2

...

SSLRequire  %{SSL_CLIENT_I_DN_CN} eq "Intermediate2 CA"


Because of the priority within the apache server parse definitions the ProxyPass
definition is parsed first and then the
 definition. If I use both of them only the ProxyPass definition is
used and the

definition has no meaning :-((
(I have to use the / within the ProxyPass because all requests are redirected !
)



Releases :
apache  : 1.3.9
modssl  : 2.4.2
openssl : 0.9.4
OS  : AIX 4.3.2


Any ideas to solve this problem ???

hope of support 

/winni
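What winni reports is ordinary X.509 path validation rather than a mod_ssl defect: the client presents Intermediate2 CA in its certificate message, the chain is built up to the ROOT-CA that both CA files trust, SSLVerifyDepth 2 covers it, and so only a policy check on the direct issuer (the SSLRequire on SSL_CLIENT_I_DN_CN) or a separate root per application keeps the two applications apart. The Go program below is an added illustration, not code from the report or from mod_ssl; it constructs the same hierarchy with the standard library, and verifyChain is an assumed model of the verify step, not mod_ssl's implementation.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki is the constructed hierarchy from the report: ROOT-CA -> two intermediates -> clients.
type pki struct {
	root, inter1, inter2, client1, client3 *x509.Certificate
}

// issue creates a certificate with the given CN signed by parent (self-signed
// when parent is nil) and returns it together with its private key.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed, unique enough here
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// buildPKI issues the whole hierarchy described in the report.
func buildPKI() pki {
	root, rootKey := issue("ROOT-CA", true, nil, nil)
	inter1, key1 := issue("Intermediate1 CA", true, root, rootKey)
	inter2, key2 := issue("Intermediate2 CA", true, root, rootKey)
	client1, _ := issue("Client Certificate1", false, inter1, key1)
	client3, _ := issue("Client Certificate3", false, inter2, key2)
	return pki{root, inter1, inter2, client1, client3}
}

// verifyChain models SSLVerifyClient require: self-signed entries of the CA
// file are trust anchors, the others only help build chains, and the client
// may ship its own intermediates (sentByClient). maxDepth plays SSLVerifyDepth.
func verifyChain(client *x509.Certificate, caFile, sentByClient []*x509.Certificate, maxDepth int) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range caFile {
		if bytes.Equal(c.RawSubject, c.RawIssuer) {
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	for _, c := range sentByClient {
		inters.AddCert(c)
	}
	chains, err := client.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return false
	}
	return len(chains[0])-1 <= maxDepth // number of certs above the client cert
}

// issuerIs is the SSLRequire %{SSL_CLIENT_I_DN_CN} pin from the report.
func issuerIs(client *x509.Certificate, cn string) bool {
	return client.Issuer.CommonName == cn
}

func main() {
	p := buildPKI()
	ca443 := []*x509.Certificate{p.root, p.inter1} // the :443 CAcert.pem
	fmt.Println("client3 + its own Intermediate2:", verifyChain(p.client3, ca443, []*x509.Certificate{p.inter2}, 2))
	fmt.Println("client3 passes issuer pin:      ", issuerIs(p.client3, "Intermediate1 CA"))
}
```

Client 3 is accepted by the :443 trust store as soon as it carries Intermediate2 CA itself, and only the issuer pin rejects it; dropping to SSLVerifyDepth 1 would reject Client 1 as well.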

[BugDB] Phantom CRLs (PR#477)

2000-10-31 Thread modssl-bugdb

Full_Name: Emiliano De Simoni
Version: 2.7.1
OS: RedHat 7.0
Submission from: (NULL) (62.110.171.30)


I use client authentication with certificates and all works fine, but it seems that
CRLs aren't verified. In detail, I succeeded in logging in when I used a revoked
certificate, and so my certificate serial number is present in the CRL file. Why
is that?
Thanks
Emiliano De Simoni



Repost: Possible bug - 2.7.1 and MacOS NS 7.4 SSL error?

2000-10-31 Thread Hans Lohmander

Hi,
please help me out on this one.
Have an OpenSSL error using NS communicator 4.74 for Macintosh.
We do need the NS MacOS to work. All other browsers seem ok.
Is this a bug or a misconfiguration?
Following from the ssl_engine_log...

[27/Oct/2000 12:56:27 32679] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Oct/2000 12:56:30 32679] [error] SSL handshake failed (server
front242.ei.sigma.se:443, client 10.13.1.115) (OpenSSL library error follows)
[27/Oct/2000 12:56:30 32679] [error] OpenSSL: error:0407106B:rsa
routines:RSA_padding_check_PKCS1_type_2:block type is not 02
[27/Oct/2000 12:56:30 32679] [error] OpenSSL: error:04065072:rsa
routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed
[27/Oct/2000 12:56:30 32679] [error] OpenSSL: error:1408B076:SSL
routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt
[27/Oct/2000 12:57:09 32678] [info]  Connection to child 2 established (server
front242.ei.sigma.se:443, client 10.13.1.115)
[27/Oct/2000 12:57:09 32678] [info]  Seeding PRNG with 1160 bytes of entropy
[27/Oct/2000 12:57:09 32678] [error] SSL handshake interrupted by system
[Hint:Stop button pressed in browser?!] (System error follows)
[27/Oct/2000 12:57:09 32678] [error] System: Connection reset by peer (errno: 104)
...
Config:
Apache/1.3.14 (Unix) 
PHP/4.0.3pl1 
mod_perl/1.24_01 
mod_ssl/2.7.1 
OpenSSL/0.9.3a
with a self signed cert.

Have tried with OpenSSL 0.9.6 and back to 0.9.3a.
Grateful for any input on how to proceed.

Thanks
Hans
-- 
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Hans Lohmander -- Sigma Exallon Information AB
Research & Development
Talkto:+46 (0)40 665 91 65
Faxto:+46 (0)40 24 99 50
Mobile# +46 (0)703-79 09 51
mailto:[EMAIL PROTECTED]
http://www.ei.sigma.se/
ICQ# 9319123
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/



[BugDB] Malloc Error under load (PR#476)

2000-10-31 Thread modssl-bugdb

Full_Name: Andres Rios
Version: see below
OS: solaris 8
Submission from: (NULL) (165.89.84.242)


Server Version: Apache/1.3.12 (Unix) mod_perl/1.24 mod_ssl/2.6.4 OpenSSL/0.9.5
Server Built: Jun 6 2000 14:50:57
API Version: 19990320:7


Under heavy load some of the sessions are closed and the mod_ssl
logs :
[Fri Oct 27 16:42:48 2000] [error] OpenSSL: error:07064021:memory buffer
routines:BUF_MEM_grow:Malloc failure
[Fri Oct 27 16:42:48 2000] [error] OpenSSL: error:1409C021:SSL
routines:SSL3_SETUP_BUFFERS:Malloc failure

Seems a configuration issue of my servers reaching a limit in memory usage.
Please advise

Andres Rios



Re: [BugDB] Segmentation Fault with SSLOptions (PR#474)

2000-10-31 Thread modssl-bugdb

On Sun, Oct 29, 2000 at 09:29:28PM +0100, [EMAIL PROTECTED] wrote:
> Full_Name: Keith Parkansky
> Version: 2.6.2
> OS: Red-Hat-Secure/3.2
> Submission from: (NULL) (169.207.134.182)
> 
> 
> SERVER_SOFTWARE environment variable reports:
> Apache/1.3.12 (Unix) Red-Hat-Secure/3.2 mod_ssl/2.6.2 BSAFE-SSL-C/1.0.0i
> This is the software that came in the Red Hat 6.2 Professional package.
> 
> With an https connection SSL the only environment variable available is HTTPS
> (which is set to "on").  None of the other SSL variables (such as KEY_SIZE) are
> generated.
> 
> I tried using the following in the httpsd.conf file:
> SSLOptions +CompatEnvVars
> SSLOptions +StdEnvVars
> SSLOptions CompatEnvVars
> SSLOptions StdEnvVars
> 
> Using any of the above, Netscape 4.x reports "Document contains no data" when
> trying to access the server via https and the following error is generating in
> the error_log file:
> child pid x exit signal Segmentation fault (11)
> 

It is a bit difficult to know exactly what is wrong with this RedHat hacked
up version of mod_ssl - but try following the standard recommendations for
getting a backtrace in case of core dumps:

http://www.modssl.org/docs/2.7/ssl_faq.html#report-backtrace

Alternatively try starting apache as a single process under strace (something
like):

strace ./httpd -X -DSSL


vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: [BugDB] mod_ssl + explorer + local director woes (PR#475)

2000-10-31 Thread modssl-bugdb

On Mon, Oct 30, 2000 at 12:15:41AM +0100, [EMAIL PROTECTED] wrote:
> Full_Name: karl berry
> Version: 2.7.1-1.3.14
> OS: solaris 2.7
> Submission from: (NULL) (63.227.208.155)
> 
> 
> when connecting to a mod_ssl-enabled server with versions of
> internet explorer 5.00.2614.3500IC or below, going through a cisco
> local director, we get broken images or page-not-found errors
> with some frequency, on something like 1% of the connections.
> 
> it is not reproducible in the sense that the same images will break
> every time through. it is reproducible in the sense that, sooner
> or later, some connection will be dropped.
> 
> the problem only happens when all three of the above elements are
> present.  if we use a later version of explorer, the bug does not
> happen. if we use dns round robin instead of the local director,
> the bug does not happen.  unfortunately, we need to find a workaround
> that *includes* the affected explorer versions (very common), and the 
> local director, due to circumstances beyond my control. so i am
> looking for a solution that just involves apache and mod_ssl.
> 
> we are already doing the steps mentioned in the faq, specifically
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
> f$
> (without that, things are much worse).
> 
> snooping the network interface shows that a tcp connection is opened
> for every image to the server, but that the connection for the broken
> image does not make it back out from apache. i do not know whether
> it gets into apache in the first place, or whether it is apache-level
> code or the solaris kernel that is dropping the connection.
> 
> if anyone has any clues on how to determine that, as in what apache
> or ssl files/functions are the most likely avenues to pursue, i'd
> be grateful.  or any other approaches to the problem, of course.
> 
I have a feeling that this might be because the Local Director is sending
requests from the client to different servers, and then the previously
negotiated session is not valid on the other server. Start by checking
your Cisco setup to make sure that all requests from one client are sent
to the same server. Next set SSLLogLevel to debug (which will tell you
whether there is a session cache hit or not) and try it out both with
and without SSLSessionCache. BTW which type of session cache have you
set up the server to use now?

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: SSL-aware Apache on Solaris-x86-cc

2000-10-31 Thread Austin Gonyou

What I was trying to get at is: don't use SUN's compiler. Its optimizations
for x86 are nil, if any. GCC offers better optimizations. That's all. I've
got over 60 x86 Apache webservers running right now with Mod_ssl and PHP
4; they were all compiled the way I described, with no issues in the
webservers to date.
Austin 

>> Original Message <<

On 10/31/00, 10:05:39 AM, Gary Mills <[EMAIL PROTECTED]> wrote 
regarding Re: SSL-aware Apache on Solaris-x86-cc:


> Austin Gonyou writes:
> >
> >Go to sunfreeware.com and get GCC. Add it to your path and
> >LD_LIBRARY_PATH and then compile to your heart's content.

> Don't use LD_LIBRARY_PATH on Solaris.  It's evil.  The correct solution
> is to set the runpath in the executable with the `-R' linker flag.
> To compile apache with Sun's compiler, just configure it like this:

> env CC=cc OPTIM=-xO3 \
> LDFLAGS="-R/usr/local/lib" \
> SSL_BASE=/usr/local/src/OpenSSL/openssl-0.9.5a \
> ./configure \
> --server-uid=server --server-gid=staff \
> --prefix=/usr/local/apache \
> --sysconfdir=/usr/local/apache/etc \
> --datadir=/usr/local/apache/share \
> --sbindir=/usr/local/apache/sbin \
> --localstatedir=/var/apache \
> --enable-module=rewrite --enable-shared=rewrite \
> --enable-module=usertrack --enable-shared=usertrack \
> --enable-module=ssl --enable-shared=ssl


> --
> -Gary Mills--Unix Support--U of M Academic Computing and
> Networking-



RE: unsecure objects with IE5.5

2000-10-31 Thread David Rees

> we've got some problems with IE 5.5 and ssl.
> We use Apache 1.3.12, mod_ssl 2.6.2, OpenSSL 0.9.5.
> 
> Only when using IE5.5 we get a dialog from IE which says that
> there are unsecure objects within the page and asks if they should
> be shown or not.
> 
> We've got no problems with NS or other IE versions.
> 
> Maybe a reason: We use extensively javascript within the pages.

This is a known bug in IE 5.5.  I don't know of any work arounds.

-Dave



Re: Permanent re-direct

2000-10-31 Thread Dave Paris

Before blindly screaming "It's broken!", think about *why* you need
suexec first.  If you aren't going to use it, then don't bother enabling
it.  I run configurations with a heavily modified (for values, not for
additional defines or typedefs) apache_[ver]/src/include/httpd.h.  These
typically have SUEXEC_BIN linked to /dev/null as well as SHELL_PATH. 
The reasoning is pretty obvious;  if I'm not going to use it, why should
I leave even a remotely possible attack point in the server if I lose my
mind and do Something Stupid [tm]?

Apache allows for large amounts of tweaking.  There are some things
which are prudent to disable if you're not going to use them.  (where
"disable" means: "no, you *can't* change this behaviour without
rebuilding the executable").  The bulk of the folks out there will *not*
get suexec calls right, which, more often than not, will put a nice, big
security hole in the box.  I don't point SHELL_PATH to anything but
/dev/null since I don't use anything but mod_perl environments.  YMMV.

Be alert, the world needs more lerts.
--dsp


"Robert L. Yelvington" wrote:
> 
> regarding 'suexec'..
> 
> you must have misconfigured suEXEC when you compiled...where is your
> suexec log file .AND. what does it say .OR. what other useful suexec log
> information can you forward to the list?
> 
> your configure flags would also be helpful...
> 
> thanx,
> rob
> 
> John Markunas wrote:
> >
> > Hi
> > I do a httpd -l and get
> > compiled in modules
> > http_core.c
> > mod_so.c
> > suexec: disabled;invalid wrapper /usr/sbin/suexec
> >
> >  Can someone tell me why I get the suexec error and what to do to
> >  fix it ?*



unsecure objects with IE5.5

2000-10-31 Thread andreas . sprickmann

Hi,
we've got some problems with IE 5.5 and ssl.
We use Apache 1.3.12, mod_ssl 2.6.2, OpenSSL 0.9.5.

Only when using IE5.5 we get a dialog from IE which says that
there are unsecure objects within the page and asks if they should
be shown or not.

We've got no problems with NS or other IE versions.

Maybe a reason: We use extensively javascript within the pages.

Any solutions ?

Thanks !
Andreas Sprickmann


TWT GmbH
Bernhäuser Str. 40 - 42
73765 Neuhausen

Tel: +49 - 7158 - 17 15 - 53
Fax: +49 - 7158 - 17 15 - 32
E-Mail: [EMAIL PROTECTED]

http://www.twt-gmbh.de




Re: Permanent re-direct

2000-10-31 Thread Robert L. Yelvington

regarding 'suexec'..

you must have misconfigured suEXEC when you compiled...where is your
suexec log file .AND. what does it say .OR. what other useful suexec log
information can you forward to the list?

your configure flags would also be helpful...


thanx,
rob


John Markunas wrote:
> 
> Hi
> I do a httpd -l and get
> compiled in modules
> http_core.c
> mod_so.c
> suexec: disabled;invalid wrapper /usr/sbin/suexec
> 
>  Can someone tell me why I get the suexec error and what to do to
>  fix it ?*



RE: Permanent re-direct

2000-10-31 Thread John Markunas

Hi
I do a httpd -l and get 
compiled in modules
http_core.c
mod_so.c
suexec: disabled;invalid wrapper /usr/sbin/suexec

 Can someone tell me why I get the suexec error and what to do to
 fix it ?


I look in my httpd.conf and find mod_alias and many others on
LoadModule and AddModule directives

I do a httpd -v and get
Apache/1.3.12 (Unix) (RedHat/Linux)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Martin Lichtin
Sent: Monday, October 30, 2000 4:24 PM
To: [EMAIL PROTECTED]
Subject: Re: Permanent re-direct


>  Invalid command 'RedirectPermanent' perhaps mis-spelled or defined by a
> module not included in the server configuration.
> What am I doing wrong ?

Do you have the "mod_alias" module? It's part of the
base configuration:

http://www.apache.org/docs/mod/mod_alias.html

Run "httpd -l" to see what modules you have available.
What version of Apache are you running? ("httpd -v")



1710 error

2000-10-31 Thread David . Smith

Folks,

I'm trying to get Apache 1.3.14 running on a Solaris 2.6 system. I've built the
server with mod_ssl 2.7.1 and open_ssl 0.9.6. It appears to start fine, but when
I run:
openssl s_client -connect localhost:443 -state -debug
as suggested in the FAQ I get the following:

SSL_connect:error in SSLv2/v3 read server hello A
1710:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:s23_clnt.c:460:

Please - what have I done wrong???

I'm also having a heck of a job getting a randomiser that works on Solaris. I've
tried the SUNWski package and /dev/random. I've tried egd pointing at
/etc/entropy. When I run the openssl above with RANDFILE set to /etc/entropy it
just hangs. If I set RANDFILE to /dev/random I get the following:

unable to load 'random state'
This means that the random number generator has not been seeded
with much random data.
Consider setting the RANDFILE environment variable to point at a file that
'random' data can be kept in (the file will be overwritten).

In both cases any attempt to connect via Netscape (v 4.7) just hangs. (using
https://:443>).

Guidance on this one also very gratefully received.

Cheers for now,

Dave Smith





Re: SSL-aware Apache on Solaris-x86-cc

2000-10-31 Thread Gary Mills

Austin Gonyou writes:
>
>Go to sunfreeware.com and get GCC. Add it to your path and 
>LD_LIBRARY_PATH and then compile to your heart's content.

Don't use LD_LIBRARY_PATH on Solaris.  It's evil.  The correct solution
is to set the runpath in the executable with the `-R' linker flag.
To compile apache with Sun's compiler, just configure it like this:

env CC=cc OPTIM=-xO3 \
LDFLAGS="-R/usr/local/lib" \
SSL_BASE=/usr/local/src/OpenSSL/openssl-0.9.5a \
./configure \
--server-uid=server --server-gid=staff \
--prefix=/usr/local/apache \
--sysconfdir=/usr/local/apache/etc \
--datadir=/usr/local/apache/share \
--sbindir=/usr/local/apache/sbin \
--localstatedir=/var/apache \
--enable-module=rewrite --enable-shared=rewrite \
--enable-module=usertrack --enable-shared=usertrack \
--enable-module=ssl --enable-shared=ssl


-- 
-Gary Mills--Unix Support--U of M Academic Computing and Networking-



Re: SSL-aware Apache on Solaris-x86-cc

2000-10-31 Thread Austin Gonyou

Go to sunfreeware.com and get GCC. Add it to your path and 
LD_LIBRARY_PATH and then compile to your heart's content.
Austin 

>> Original Message <<

On 10/31/00, 4:24:47 AM, Hiendl Elke <[EMAIL PROTECTED]> wrote 
regarding SSL-aware Apache on Solaris-x86-cc:


> Hi everybody,

> I want to set up Apache-1.3.14 with mod_ssl-2.7.1 and openssl-0.9.6 on
> Solaris 8.0 (Intel x86). I have done all my downloads, but when I want to
> compile the openssl I get following message:
> This system (solaris-x86-cc) is not supported.
> The compiler on my system is cc, no gcc available.
> Any hints or ideas, how to solve (or bypass) this problem?
> Thanx in advance

> Elke




> Elke Hiendl
> Consultant for System and Network Management
> iteratec
> Gesellschaft für iterative Softwaretechnologien mbH
> Inselkammerstraße 4
> 82008 München-Unterhaching

> Telephone +49 89  61 45 51 - 35
> Fax  +49 89  61 45 51 - 10
> www http://www.iteratec.de
> mailto:[EMAIL PROTECTED]






failed in SSLv3 read client certificate with IE5

2000-10-31 Thread Carole HEBRARD

Hi.

I test Apache (1.3.12) + mod_ssl (2.6.1) on Windows NT4.
When trying to access the server with Netscape, it is ok. But with IE5.0
I have the following error:

[31/Oct/2000 11:57:12 00422] [info]  Connection to child 4 established (server ZINNEMAN:443, client 10.11.1.6)
[31/Oct/2000 11:57:12 00422] [info]  Seeding PRNG with 0 bytes of entropy
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Handshake: start
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: before/accept initialization
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 read client hello A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 write server hello A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 write certificate A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 write server done A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 flush data
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 read client key exchange A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 read finished A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 write finished A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 flush data
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Handshake: done
[31/Oct/2000 11:57:12 00422] [info]  Connection: Client IP: 10.11.1.6, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Write: SSL negotiation finished successfully
[31/Oct/2000 11:57:12 00422] [info]  Connection to child 4 closed with standard shutdown (server ZINNEMAN:443, client 10.11.1.6)
[31/Oct/2000 11:57:25 00422] [info]  Connection to child 5 established (server ZINNEMAN:443, client 10.11.1.6)
[31/Oct/2000 11:57:25 00422] [info]  Seeding PRNG with 0 bytes of entropy
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Handshake: start
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Loop: before/accept initialization
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Loop: SSLv3 read client hello A
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Loop: SSLv3 write server hello A
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Loop: SSLv3 write certificate A
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Loop: SSLv3 write key exchange A
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Loop: SSLv3 write server done A
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Loop: SSLv3 flush data
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Exit: failed in SSLv3 read client certificate A
[31/Oct/2000 11:57:25 00422] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]

In my httpd.conf, I put:
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLVerifyClient none

So I do not understand why the server tries to verify the client
certificate (this is not the case with Netscape Navigator)

Can someone help me?

Best regards.
Carole Hébrard.


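As an added example (not part of Carole's message or of mod_ssl itself), here is a small Python parser for this trace format that groups the OpenSSL state lines per connection and reports where a handshake stopped and what cipher strength the completed ones negotiated; the sample log is constructed from the trace above with the wrapped lines rejoined.

```python
import re

# Constructed sample: the trace from the message above, wrapped lines rejoined.
SAMPLE_LOG = """\
[31/Oct/2000 11:57:12 00422] [info]  Connection to child 4 established (server ZINNEMAN:443, client 10.11.1.6)
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 read client hello A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Loop: SSLv3 write server done A
[31/Oct/2000 11:57:12 00422] [trace] OpenSSL: Handshake: done
[31/Oct/2000 11:57:12 00422] [info]  Connection: Client IP: 10.11.1.6, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
[31/Oct/2000 11:57:25 00422] [info]  Connection to child 5 established (server ZINNEMAN:443, client 10.11.1.6)
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Loop: SSLv3 read client hello A
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Loop: SSLv3 write server done A
[31/Oct/2000 11:57:25 00422] [trace] OpenSSL: Exit: failed in SSLv3 read client certificate A
"""

CHILD_RE = re.compile(r"Connection to child (\d+) established")
LOOP_RE = re.compile(r"OpenSSL: Loop: (.+)$")
EXIT_RE = re.compile(r"OpenSSL: Exit: failed in (.+)$")
CIPHER_RE = re.compile(r"Cipher: (\S+) \((\d+)/\d+ bits\)")

def parse_connections(log_text):
    """Group lines per connection: the pid is shared, so 'child N established' opens a record."""
    conns, cur = [], None
    for line in log_text.splitlines():
        if m := CHILD_RE.search(line):
            cur = {"child": int(m.group(1)), "last_state": None, "outcome": "open",
                   "failed_in": None, "cipher": None, "bits": None}
            conns.append(cur)
        elif cur is None:
            continue  # skip anything before the first connection record
        elif m := LOOP_RE.search(line):
            cur["last_state"] = m.group(1).strip()  # last state-machine step reached
        elif m := EXIT_RE.search(line):
            cur["outcome"], cur["failed_in"] = "failed", m.group(1).strip()
        elif "Handshake: done" in line:
            cur["outcome"] = "done"
        elif m := CIPHER_RE.search(line):
            cur["cipher"], cur["bits"] = m.group(1), int(m.group(2))  # effective key bits
    return conns

def findings(conns):
    """Flag aborted handshakes and export-strength (< 128 bit) ciphers."""
    out = []
    for c in conns:
        if c["outcome"] == "failed":
            out.append(f"child {c['child']}: aborted in state '{c['failed_in']}' "
                       f"(last step reached: {c['last_state']})")
        elif c["bits"] is not None and c["bits"] < 128:
            out.append(f"child {c['child']}: export cipher {c['cipher']} ({c['bits']} bits)")
    return out
```

In OpenSSL 0.9.x's server state machine, "SSLv3 read client certificate" is simply the step entered after ServerHelloDone whether or not a certificate was requested, so a failure there tells you the client sent nothing further, not that the server demanded a certificate.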



optional_no_ca

2000-10-31 Thread Janus Liebregts

Hi,

I try to upgrade my modssl from:
Apache/1.3.6 (Unix) mod_ssl/2.3.11 OpenSSL/0.9.3a

to:
Apache/1.3.14 (Unix) mod_ssl/2.7.1 OpenSSL/0.9.6

but the nice feature optional_no_ca doesn't work anymore.
Some nice scripts (e.g. one that shows every presented certificate:
https://sslap.wind.surfnet.nl:8889/cgi-bin/viewcert.pl )
don't work on mod_ssl/2.3.11; it requires me to present the
SSLCACertificatePath or SSLCACertificateFile for accepting a
certificate.

I saw that also the modssl-test on
https://www.modssl.org/example/test.phtml doesn't show the client
certificate anymore.

I have included the old working configuration


DocumentRoot /usr/local/httpsd/htdocs
ServerName sslap.wind.surfnet.nl
ServerAdmin [EMAIL PROTECTED]
ErrorLog /usr/local/httpsd/logs/error_log
TransferLog /usr/local/httpsd/logs/access_log
SSLEngine on
SSLCertificateFile /usr/local/httpsd/conf/ssl.crt/sslap.crt
SSLCertificateKeyFile /usr/local/httpsd/conf/ssl.key/sslap.key.unsecure
#SSLCACertificatePath /usr/local/httpsd/conf/ssl.crt
#SSLCACertificateFile /usr/local/httpsd/conf/ssl.crt/testca-mayjune99.crt
SSLVerifyClient optional_no_ca
SSLVerifyDepth  10

SSLOptions +ExportCertData 
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /usr/local/httpsd/logs/ssl_request_log \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"


regards,
Janus Liebregts
SURFnet


SSL-aware Apache on Solaris-x86-cc

2000-10-31 Thread Hiendl Elke


Hi everybody,

I want to set up Apache-1.3.14 with mod_ssl-2.7.1 and openssl-0.9.6 on
Solaris 8.0 (Intel x86). I have done all my downloads, but when I want to
compile the openssl I get following message:
This system (solaris-x86-cc) is not supported.
The compiler on my system is cc, no gcc available.
Any hints or ideas, how to solve (or bypass) this problem?
Thanx in advance

Elke
 



Elke Hiendl
Consultant for System and Network Management
iteratec
Gesellschaft für iterative Softwaretechnologien mbH
Inselkammerstraße 4
82008 München-Unterhaching

Telephone +49 89  61 45 51 - 35
Fax  +49 89  61 45 51 - 10
www http://www.iteratec.de
mailto:[EMAIL PROTECTED]


