Re: Ready for Prime Time ?
If it's absolutely essential that you have a "supported product" then you might want to look at Stronghold from C2Net. This is a packaged product that includes Apache, OpenSSL, and mod_ssl. C2Net provides a "whining rights" service as does Microsoft but with much better response times. C2Net was acquired by Red Hat earlier this year so I would expect their Linux support to have improved.

I have specified and used Stronghold at customer sites where the MIS/IS/IT Manager was concerned about support issues. The support services have never been used but it satisfied his need for assurance. I also specified BSD/OS instead of Linux but that was more for my comfort level than his. It also eliminated any training concerns as BSD/OS was the operating system used on his firewall systems.

Merton Campbell Crockett

On Thu, 2 Nov 2000, Keith Parkansky wrote:

> I recently joined the list and posted a message about missing environment variables and never found an answer to my problem. I've noticed other such messages in the last week and a couple of re-posts from people still searching for answers also. Now I'm wondering if someone in my position is justified in using Linux/Apache for a mission-critical Web server. The only support options I've found are Web-based documentation and FAQs and lists such as this one.
>
> If these venues don't provide the answer, is there a commercial support alternative available, or commercial versions of Apache/SSL and mod_ssl that have formal (i.e. pay-per-incident or service contract) support operations available, or Unix/Linux-based commercial alternatives to Apache and mod_ssl, that offer it? Without such a thing, the Evil Empire will never be wiped off the face of the earth because corporate IS managers can't base systems on products where one *might* find an answer to an issue on a list or Web site. Linux distributors will only go so far in offering support for the applications included in their distributions.
>
> If there are any commercial support operations available, where can I find contact information for them?
>
> --
> Keith Parkansky
> [EMAIL PROTECTED]
> http://www.execpc.com/~keithp
> http://www.goingtovegas.com
> http://www.squawkware.com

__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                             [EMAIL PROTECTED]
Automated List Manager                                [EMAIL PROTECTED]
Re: Ready for Prime Time ?
The others have answered one part of your question, but I wanted to mention another very significant part of the whole support issue. What is your experience with paid, supported software from companies like 'the evil empire'?

Personally, I have been in many situations where I was ready, willing and able to pay someone large amounts of money for a solution to a problem. The lesson I have learned: if I have found what appears to be a bug, it generally is. The end result of paying someone for support is you spend endless time on the phone going through an "idiot list" of questions until you either 1) get blown off, or 2) finally get to speak to a developer who simply says, yes, it's a bug. But either way, it won't get fixed.

Basically, I have found free support from other users on the internet, and searching archives of mailing lists and resources like deja.com, to be far superior in quality, timeliness (and price) to paid telephone support for commercial products. In the open source world, it is true that nobody is accountable, and you are never guaranteed a response. Although it defies reason, though, the support available on resources such as this one is in practice far more useful than paid support. Perhaps there are some things that money just can't buy, e.g. being part of a discussion forum with technical people who are innately familiar with the software (as well as the ones who _wrote_ it) and probably like what they are doing a lot more than the guy answering the tech support line for Microsoft.

Jamie

At 01:03 AM 11/2/00, Keith Parkansky wrote:

> Without such a thing, the Evil Empire will never be wiped off the face of the earth because corporate IS managers can't base systems on products where one *might* find an answer to an issue on a list or Web site. Linux distributors will only go so far in offering support for the applications included in their distributions.
>
> If there are any commercial support operations available, where can I find contact information for them?
Re: Ready for Prime Time ?
I just have to chip in my tuppence-worth...

My (long) experience with Microsoft is that they have three possible answers to your problem:

(1) Reboot
(2) Re-install the program
(3) Re-install Windows

If none of these works, you're stuck.

We widely use OSS in mission-critical applications (apache, CVS, htdig etc.) and I find that the OSS approach with the willing help of competent contributors is far more valuable than having a "professional" (in the sense that they are paid money) help-line. In any event, at the end of the day, you always have the freedom to investigate the source-code and fix the bugs yourself.

At the risk of mouthing a cliche: Professional services rarely fix the problem, they just fix the blame.

Rgds,
Owen Boyle.
Sharing SSLSessionCache in load balanced environment
We have a server running mod_ssl that requires client certificates. I would like to implement some sort of load balancing for this site. I've done this before for sites without client certificates, but it occurs to me that I will run into problems since the SSLSessionCache will need to be shared somehow across separate physical hosts. Is there any way at all to do this?

Thanks
Mike
Re: Sharing SSLSessionCache in load balanced environment
"Wohlgemuth, Michael J." wrote: I would like to implement some sort of load balancing for this site. ...the SSLSessionCache will need to be shared somehow across separate physical hosts. This is an interesting question which we have been considering since we are planning to use load-balancing in the future. We have a different approach and what we plan to do is to configure the load-balancer so that all transactions within the same session are routed to the same server. Since we haven't yet decided what to use for load balancing, we haven't yet discovered how to do this... :-) Regards, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Sharing SSLSessionCache in load balanced environment
I have not played around with the session cache stuff, but a quick look on my system seems to indicate it is a file. Would it be possible to NFS mount this file among multiple machines, making it shared? It would be useful for myself as we are adding a second server to our installation and all our pertinent files are on a shared HDS drive. If this could be shared as well, it would be quite helpful.

Thoughts?

Jeff
[EMAIL PROTECTED]

On Thu, 2 Nov 2000, Owen Boyle wrote:

> "Wohlgemuth, Michael J." wrote:
>
> > I would like to implement some sort of load balancing for this site. ...the SSLSessionCache will need to be shared somehow across separate physical hosts.
>
> This is an interesting question which we have been considering since we are planning to use load-balancing in the future. We have a different approach and what we plan to do is to configure the load-balancer so that all transactions within the same session are routed to the same server. Since we haven't yet decided what to use for load balancing, we haven't yet discovered how to do this... :-)
>
> Regards,
> Owen Boyle.
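As an added example (not from the thread, and assuming Apache httpd 2.4 with mod_socache_memcache rather than the mod_ssl 2.x of 2000), here is how a session cache shared between load-balanced nodes is configured today. The DBM file Jeff describes is only guarded by a host-local mutex, so putting it on NFS leaves writers on different hosts unsynchronised; a network cache provider gives every node the same view. Host names and paths are placeholders.

```apache
# Added example: shared TLS session cache for a load-balanced pool.
# Assumes Apache httpd 2.4, mod_ssl and mod_socache_memcache built against
# an APR-util with memcache support; host names and paths are placeholders.
LoadModule ssl_module              modules/mod_ssl.so
LoadModule socache_memcache_module modules/mod_socache_memcache.so

# Thread-era setting: a DBM file on local (or NFS-mounted) disk. The
# ssl-cache mutex only serialises processes on ONE host, so two nodes
# writing the same NFS-mounted file would race and corrupt it.
#SSLSessionCache        dbm:/usr/local/apache/logs/ssl_scache

# Corrected: every node reads and writes one memcached pool, so a client
# whose resumed connection lands on a different node still resumes.
SSLSessionCache         "memcache:cache1.internal.example:11211,cache2.internal.example:11211"
SSLSessionCacheTimeout  300
Mutex                   default ssl-cache

<VirtualHost *:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # The original poster's site requires client certificates. A resumed
    # session carries the client identity verified in the full handshake,
    # so the cache has to be shared for resumption to work across nodes
    # (otherwise each node forces a new full handshake and client-cert check).
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        2

    # Stateless alternative: session tickets encrypted under a key file that
    # is identical on every node and rotated on all of them together. The
    # file must be exactly 48 random bytes (e.g. from "openssl rand 48").
    #SSLSessionTicketKeyFile /etc/ssl/private/ticket.key
</VirtualHost>
```

Owen's sticky-session approach still works with either cache, but only the shared cache or shared ticket key survives a node failing over mid-session.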
Re: Ready for Prime Time ?
Owen Boyle wrote:

> I just have to chip in my tuppence-worth...
>
> My (long) experience with Microsoft is that they have three possible answers to your problem:
>
> (1) Reboot
> (2) Re-install the program
> (3) Re-install Windows
>
> If none of these works, you're stuck.

<snip>

> At the risk of mouthing a cliche: Professional services rarely fix the problem, they just fix the blame.

Overall that hasn't been my experience. I'm the last one in the office to say anything good about Microsoft, but their support people were excellent in helping us resolve an issue when we tried to set up a Terminal Server connection to a client over a VPN connection set up with Windoze 2000 (ended up being a router misconfiguration on the client's end). And Seagate's tech support (for Backup Exec) saved me with a problem during a Christmas day Novell server upgrade in a previous life. Even Red Hat's "installation support" was great with an OS-related issue when I installed it on an HP Vectra (Vectra BIOS issue). I got the "I don't know" when I contacted them about the Apache environment variable problem.

Obviously there are some cases where what you say is true, but an IS manager is leaving themselves wide open politically if they commit to products that don't even offer support. It's a CYA thing.

Thanks to all for the info on C2Net and Covalent.

--
Keith Parkansky
[EMAIL PROTECTED]
http://www.execpc.com/~keithp
http://www.goingtovegas.com
http://www.squawkware.com
Compilation Problems on Solaris 2.6
I am trying to compile mod_ssl-2.3.11-1.3.6 with apache 1.3.6 and openssl-0.9.6 (tried 0.9.5 as well) and I get the following compile error:

    "ssl_util_ssl.c", line 145: identifier redeclared: d2i_PrivateKey_bio
            current : static function(pointer to struct bio_st {pointer to struct bio_method_st {..} method, pointer to function(pointer to struct...
            previous: function(pointer to struct bio_st {pointer to struct bio_method_st {..} method, pointer to function(pointer to struct bio_st... : "/dbms/oracle/home/oracle/src/openssl-0.9.6/include/openssl/x509.h", line 779
    cc: acomp failed for ssl_util_ssl.c

This is being compiled under Sun SPARC Solaris 2.6 with SUNWspro (Workshop 5.0) patch 107357-09.

mod_ssl was configured with...

    ./configure \
        --with-apache=../apache_1.3.6 \
        --with-ssl=../openssl-0.9.6 \
        --prefix=$HOME/app/apache-1.3.6 \
        --disable-rule=SSL_COMPAT \
        --enable-shared=ssl

Any ideas why d2i_PrivateKey_bio is being re-declared? Unfortunately, I -must- use apache 1.3.6.

-Brian
--
[EMAIL PROTECTED]
Re: Compilation Problems on Solaris 2.6
Also, I tried the same compile on Linux with gcc-2.95.2 so that I could test GCC before putting it on the Solaris box and got the same error:

    ssl_util_ssl.c:145: conflicting types for `d2i_PrivateKey_bio'
    /usr/src/apache/openssl-0.9.6/include/openssl/x509.h:779: previous declaration of `d2i_PrivateKey_bio'

-Brian

Brian Rectanus wrote:

> I am trying to compile mod_ssl-2.3.11-1.3.6 with apache 1.3.6 and openssl-0.9.6 (tried 0.9.5 as well) and I get the following compile error:
>
> [...]
>
> Any ideas why d2i_PrivateKey_bio is being re-declared? Unfortunately, I -must- use apache 1.3.6.
>
> -Brian
> --
> [EMAIL PROTECTED]

--
[EMAIL PROTECTED]
RE: Compilation Problems on Solaris 2.6
> I am trying to compile mod_ssl-2.3.11-1.3.6 with apache 1.3.6 and openssl-0.9.6 (tried 0.9.5 as well) and I get the following compile error:

Why are you using such an old version of mod_ssl? Please try the latest combo: apache_1.3.14/mod_ssl-2.7.1/openssl-0.9.6

But if you MUST use apache_1.3.6, try using openssl-0.9.3a or openssl-0.9.4.

-Dave
Re: Compilation Problems on Solaris 2.6
David Rees wrote:

> > I am trying to compile mod_ssl-2.3.11-1.3.6 with apache 1.3.6 and openssl-0.9.6 (tried 0.9.5 as well) and I get the following compile error:
>
> Why are you using such an old version of mod_ssl? Please try the latest combo: apache_1.3.14/mod_ssl-2.7.1/openssl-0.9.6

Unfortunately, Oracle has only certified using apache 1.3.6 with their Application Server (OAS) v4.0.8.2, and OAS v4.0.8.2 is the latest we can use with our web applications. If we were to have any problems with OAS and apache 1.3.6, then Oracle would just reply "Sorry, can't help you. Use 1.3.6". Sucks, doesn't it ;)

> But if you MUST use apache_1.3.6, try using openssl-0.9.3a or openssl-0.9.4.

Thanks, I'll try this.

> -Dave

--
[EMAIL PROTECTED]
Re: Ready for Prime Time ?
Keith Parkansky wrote:

> Overall that hasn't been my experience. I'm the last one in the office to say anything good about Microsoft, but their support people were excellent in helping us resolve an issue when we tried to set up a Terminal Server connection to a client over a VPN connection set up with Windoze 2000 (ended up being [...]

I'd have to concur. I don't like using MS products at all, but when I've had really obscure problems and bothered to call them, their technical support people have managed to figure things out with me over the phone and got things working again. They're especially helpful for those registry keys that don't exist, or shouldn't ;-).

--
Michael T. Babcock, C.T.O. FibreSpeed
http://www.fibrespeed.net/~mbabcock
RE: Compilation Problems on Solaris 2.6
> > > I am trying to compile mod_ssl-2.3.11-1.3.6 with apache 1.3.6 and openssl-0.9.6 (tried 0.9.5 as well) and I get the following compile error:
> >
> > Why are you using such an old version of mod_ssl? Please try the latest combo: apache_1.3.14/mod_ssl-2.7.1/openssl-0.9.6
>
> Unfortunately, Oracle has only certified using apache 1.3.6 with their Application Server (OAS) v4.0.8.2, and OAS v4.0.8.2 is the latest we can use with our web applications. If we were to have any problems with OAS and apache 1.3.6, then Oracle would just reply "Sorry, can't help you. Use 1.3.6". Sucks, doesn't it ;)

Yep. Good reason, though. What you might want to consider is setting up both apache 1.3.14 and apache 1.3.6. When you encounter problems with their OAS using apache 1.3.14, show them that the same problem exists under apache 1.3.6. Running the old apache on a non-standard port such as 8080 may be one way to do it.

> > But if you MUST use apache_1.3.6, try using openssl-0.9.3a or openssl-0.9.4.
>
> Thanks, I'll try this.

Let us know if it works.

-Dave
Re: Connection to mod_ssl 2.7.1 blocked on WinNT
I've seen this behavior too. Do you have a pass phrase enabled on the key? I did and when I stripped the pass phrase out of the key, I was able to get the server started OK. Haven't figured out much more yet.

Hope that helps,
Bruce

"Andrew C. Wong" wrote:

> Hi, I just have the latest and greatest Apache1.3.14 + mod_ssl2.7.1 compiled on NT 4.0. It worked fine without loading the SSL module. However, when SSL was enabled, it worked only if -X was specified on the command line. Otherwise, any HTTP or HTTPS connection to it would be blocked and never return. The forked child seemed to get into a funny state. Any idea? Thanks!
>
> Andrew
>
> ---
>     CONNECTED(0004)
>     SSL_connect:before/connect initialization
>     write to 0017F0C0 [00181788] (130 bytes = 130 (0x82))
>     0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 16 00 00   ..W... .
>     0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 07 00 00 05   .f..
>     0020 - 00 00 04 05 00 80 03 00-80 01 00 80 08 00 80 00
>     0030 - 00 65 00 00 64 00 00 63-00 00 62 00 00 61 00 00   .e..d..c..b..a..
>     0040 - 60 00 00 15 00 00 12 00-00 09 06 00 40 00 00 14   `...@...
>     0050 - 00 00 11 00 00 08 00 00-06 00 00 03 04 00 80 02
>     0060 - 00 80 f5 6a 27 fa 37 f1-15 4c aa 7e 48 c7 11 74   ...j'.7..L.~H..t
>     0070 - cb f8 10 b2 61 8a be a8-35 d3 9e 77 a2 45 56 b8   a...5..w.EV.
>     0080 - 72 ce                                             r.
>     SSL_connect:SSLv2/v3 write client hello A
>     blocked
RE: Connection to mod_ssl 2.7.1 blocked on WinNT
Weren't there some bugs related to the NT version in the latest release? You might want to try the last CVS snapshot.

-Dave

> I've seen this behavior too. Do you have a pass phrase enabled on the key? I did and when I stripped the pass phrase out of the key, I was able to get the server started OK. Haven't figured out much more yet.
>
> Hope that helps,
> Bruce
>
> "Andrew C. Wong" wrote:
>
> > Hi, I just have the latest and greatest Apache1.3.14 + mod_ssl2.7.1 compiled on NT 4.0. It worked fine without loading the SSL module. However, when SSL was enabled, it worked only if -X was specified on the command line. Otherwise, any HTTP or HTTPS connection to it would be blocked and never return. The forked child seemed to get into a funny state. Any idea? Thanks!
> >
> > Andrew
> >
> > [...]
Re: Compilation Problems on Solaris 2.6
David Rees wrote:

> > > > I am trying to compile mod_ssl-2.3.11-1.3.6 with apache 1.3.6 and openssl-0.9.6 (tried 0.9.5 as well) and I get the following compile error:
> > >
> > > Why are you using such an old version of mod_ssl? Please try the latest combo: apache_1.3.14/mod_ssl-2.7.1/openssl-0.9.6
> >
> > Unfortunately, Oracle has only certified using apache 1.3.6 with their Application Server (OAS) v4.0.8.2, and OAS v4.0.8.2 is the latest we can use with our web applications. If we were to have any problems with OAS and apache 1.3.6, then Oracle would just reply "Sorry, can't help you. Use 1.3.6". Sucks, doesn't it ;)
>
> Yep. Good reason, though. What you might want to consider is setting up both apache 1.3.14 and apache 1.3.6. When you encounter problems with their OAS using apache 1.3.14, show them that the same problem exists under apache 1.3.6. Running the old apache on a non-standard port such as 8080 may be one way to do it.

Yes, I am debating running two versions like this, but may not be able to on the production box.

> > > But if you MUST use apache_1.3.6, try using openssl-0.9.3a or openssl-0.9.4.
> >
> > Thanks, I'll try this.
>
> Let us know if it works.
>
> -Dave

Worked with openssl-0.9.4. I got sick of going back a version after 0.9.5. One more and I would have had it...doh!

--
[EMAIL PROTECTED]
RE: Connection to mod_ssl 2.7.1 blocked on WinNT
This may be the same problem for which I submitted a fix several months ago. Since the problem was in the Apache code and not mod_ssl, Ralf can't fix it in mod_ssl releases. You can check the list archive for the fix, which has two parts:

a) don't prompt for the passphrase in the parent process unless the -X parameter is set; this is because mod_ssl is not invoked by the parent in a 2-process runmode.

b) correctly propagate STDOUT/STDIN/STDERR to the child process so that the passphrase prompt is visible in the apache console window. The child process is in fact prompting for the passphrase, but because it does not inherit the handles, the prompt isn't displayed.

One way to verify that this is in fact the problem is to run apache, enter the passphrase on the initial prompt, and then enter it again "blind" several seconds later.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Rees
Sent: Thursday, November 02, 2000 3:03 PM
To: [EMAIL PROTECTED]
Subject: RE: Connection to mod_ssl 2.7.1 blocked on WinNT

> Weren't there some bugs related to the NT version in the latest release? You might want to try the last CVS snapshot.
>
> -Dave
>
> > I've seen this behavior too. Do you have a pass phrase enabled on the key? I did and when I stripped the pass phrase out of the key, I was able to get the server started OK. Haven't figured out much more yet.
> >
> > Hope that helps,
> > Bruce
> >
> > "Andrew C. Wong" wrote:
> >
> > > Hi, I just have the latest and greatest Apache1.3.14 + mod_ssl2.7.1 compiled on NT 4.0. It worked fine without loading the SSL module. However, when SSL was enabled, it worked only if -X was specified on the command line. Otherwise, any HTTP or HTTPS connection to it would be blocked and never return. The forked child seemed to get into a funny state. Any idea? Thanks!
> > >
> > > Andrew
> > >
> > > [...]
Re: Connection to mod_ssl 2.7.1 blocked on WinNT
Yes, you were right. I found this out when I was examining the log this morning. I put in a fix so that the pass phrase will be asked only once and get passed to the child. I am also interested in your fix, but searched the archive without success. Can you point me to it directly?

Thanks!
Andrew

----- Original Message -----
From: "Kirk Benson" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, November 02, 2000 2:01 PM
Subject: RE: Connection to mod_ssl 2.7.1 blocked on WinNT

> This may be the same problem for which I submitted a fix several months ago. Since the problem was in the Apache code and not mod_ssl, Ralf can't fix it in mod_ssl releases. You can check the list archive for the fix, which has two parts:
>
> a) don't prompt for the passphrase in the parent process unless the -X parameter is set; this is because mod_ssl is not invoked by the parent in a 2-process runmode.
>
> b) correctly propagate STDOUT/STDIN/STDERR to the child process so that the passphrase prompt is visible in the apache console window. The child process is in fact prompting for the passphrase, but because it does not inherit the handles, the prompt isn't displayed.
>
> One way to verify that this is in fact the problem is to run apache, enter the passphrase on the initial prompt, and then enter it again "blind" several seconds later.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Rees
> Sent: Thursday, November 02, 2000 3:03 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Connection to mod_ssl 2.7.1 blocked on WinNT
>
> > Weren't there some bugs related to the NT version in the latest release? You might want to try the last CVS snapshot.
> >
> > -Dave
> >
> > > I've seen this behavior too. Do you have a pass phrase enabled on the key? I did and when I stripped the pass phrase out of the key, I was able to get the server started OK. Haven't figured out much more yet.
> > >
> > > Hope that helps,
> > > Bruce
> > >
> > > "Andrew C. Wong" wrote:
> > >
> > > > Hi, I just have the latest and greatest Apache1.3.14 + mod_ssl2.7.1 compiled on NT 4.0. It worked fine without loading the SSL module. However, when SSL was enabled, it worked only if -X was specified on the command line. Otherwise, any HTTP or HTTPS connection to it would be blocked and never return. The forked child seemed to get into a funny state. Any idea? Thanks!
> > > >
> > > > Andrew
> > > >
> > > > [...]
FW: password - ask_twice - proposed bugfix
Here is a report of my bugfix for NT

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kirk Benson
Sent: Wednesday, May 10, 2000 2:18 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: password - ask_twice - proposed bugfix

This posting concerns only Apache and mod_ssl on Win32.

After posting the following messages on the mod_ssl mail list, I did some more poking around with the debugger. My findings follow:

1) The password prompting originates in routine post_parse_init() in http_main.c. It would seem to me that the call to "ap_init_modules(pconf, server_conf);" could be skipped if this is not a child process (-Z parameter) AND not running in single process mode (-X parameter). This would mean that mod_ssl would normally not be initialized in the parent process, and hence would not prompt for a passphrase.

I considered just adding parameters to post_parse_init() conveying the child/one-process booleans; however, it appears that the routine is also called from service_init(), and I can't tell what is supposed to happen when Apache runs as an NT service. Therefore, I implemented the fix as follows:

a) created routine post_parse_init2(int child) as a copy of post_parse_init

b)

    #ifdef WIN32
        post_parse_init2(child);
    #else
        post_parse_init();
    #endif

c) The code for post_parse_init2 is:

    #ifdef WIN32
    void post_parse_init2(int child)
    {
        ap_set_version();
        /* Only the child, or a -X single-process server, initializes the
         * modules; the parent therefore never runs mod_ssl's passphrase
         * prompt in the normal two-process mode. */
        if (child || one_process)
            ap_init_modules(pconf, server_conf);
        ap_suexec_enabled = init_suexec();
        version_locked++;
        ap_open_logs(server_conf, plog);
        set_group_privs();
    }
    #endif

2) When a child is created, the code in create_process() does not fill in si.hStdOutput or si.hStdError. When I modified the code to set these fields via:

    /* hand the parent's console output handles to the child's STARTUPINFO */
    si.hStdOutput = GetStdHandle(STD_OUTPUT_HANDLE);
    si.hStdError  = GetStdHandle(STD_ERROR_HANDLE);

I then saw the prompt string! It appears that it is the stderr handle that is needed.

3) Finally, ap_init_modules() is also called in subroutine master_main(). I enclosed the call as follows:

    #ifndef WIN32
        ap_init_modules(pconf, server_conf);
    #endif

With these changes to http_main.c, I was able to start Apache, enter a single passphrase at the prompt, and then connect via SSL.

I also submitted this as a bug report via the main apache web page.

regards
Kirk Benson
BROKAT

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kirk Benson
Sent: Wednesday, May 10, 2000 8:43 AM
To: [EMAIL PROTECTED]
Subject: RE: password - ask_twice (once again)

Yesterday I downloaded the latest OpenSA Win32 source distribution for Apache-1.3.12/mod_ssl-2.6.3 and built a debug version. I incorporated the 1-line fix I previously suggested to Ralf (original message below) to see if the problem was actually fixed. It was not!

However, I did discover the cause of why the passphrase must be entered twice. The Apache executable creates a single child process (which inherits the parent console), and it is the child which is hanging waiting for entry of the passphrase. This also explains why a single entry does work when Apache is started with the -X command line parameter.

I'm not yet familiar with the source code, so I can't suggest a fix. I assume that this is not a problem in UNIX because a forked child gets a copy of the parent's memory and thus inherits a decrypted key, while in NT CreateProcess() does not give a memory copy. One idea that comes to mind is for the parent to put the passphrase into an environment variable; since the environment is inheritable, the child could obtain the passphrase therefrom. It is not clear as well why the child process is not able to write a prompt string before reading, at least making it clear what is needed.

In the meanwhile, I'm just going to go with an unencrypted key 8-P

regards
Kirk

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kirk Benson
Sent: Thursday, April 27, 2000 11:58 AM
To: [EMAIL PROTECTED]
Subject: Re: password - ask_twice

After verifying Jan's suggestion, I was sufficiently intrigued to look at the source code, and downloaded the 2.6.3 tarball. Inspection shows that line 492 in ssl_engine_pphrase.c is:

    if ((i = EVP_read_pw_string(buf, bufsize, prompt, ask_twice)) != 0) {

The variable ask_twice is an input parameter to the containing function:

    int ssl_pphrase_Handle_CB(char *buf, int bufsize, int ask_twice)

which in turn is a callback from OpenSSL. Since the second input is apparently unnecessary, I'd suggest changing line 492 to be:

    if ((i = EVP_read_pw_string(buf, bufsize, prompt, FALSE)) != 0) {

Comments? Ralf?

cheers
Kirk
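As an added example (not code from the thread, from Apache or from mod_ssl), here is the configuration-level way around the console prompt that Kirk's patch makes visible: mod_ssl's SSLPassPhraseDialog can delegate the prompt to an external program, so the key stays encrypted on disk and no server process needs a console. Program and key paths are placeholders; the two-argument, passphrase-on-stdout contract is mod_ssl's own.

```apache
# Added example: server key passphrase without an interactive prompt.
# Assumes mod_ssl (directive present from mod_ssl 2.x through httpd 2.4);
# the program and key paths below are placeholders.

# Thread-era default: mod_ssl prompts on the console at startup. On Win32
# the prompt runs in the child process (the bug Kirk's patch addresses), and
# on every platform it blocks unattended restarts and service start-up.
#SSLPassPhraseDialog builtin

# Corrected: mod_ssl runs the named program instead of prompting. The
# program is called with two arguments, "servername:port" and the key type
# (RSA or DSA in mod_ssl 2.x, ECC as well in httpd 2.4), and must print the
# passphrase to stdout. Keep it root-owned and mode 0700, and have it fetch
# the secret from something the web server user cannot read (a root-only
# file, an OS credential store or a hardware token); a script that just
# echoes a literal is equivalent to Kirk's fallback of an unencrypted key,
# which is acceptable only with the key file itself at mode 0600.
SSLPassPhraseDialog exec:/usr/local/apache/bin/ssl-passphrase

<VirtualHost _default_:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    # Encrypted PEM key; ssl-passphrase supplies the passphrase at startup,
    # once, in whichever process mod_ssl initialises in.
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
</VirtualHost>
```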
Virtual Hosting weirdness
Hi All

Newbie Alert!!

Ok... I looked through the archives and found some info on setting up ssl and non ssl virtual domains. This is what I found:

    NameVirtualHost 192.168.200.1:80

    <VirtualHost 192.168.200.1:80>
    ServerName banana.fruit.com
    DocumentRoot /home/banana
    </VirtualHost>

    <VirtualHost 192.168.200.1:80>
    ServerName kiwi.fruit.com
    DocumentRoot /home/kiwi
    </VirtualHost>

    <VirtualHost 192.168.200.1:443>
    ServerName ssl.fruit.com
    DocumentRoot /home/ssl
    SSLEngine On
    SSLCertificateFile /apache_conf_dir/ssl.crt/your_site.crt
    SSLCertificateKeyFile /apache_conf_dir/ssl.key/your_site.key
    </VirtualHost>

I have set 3 virtual hosts up in a fashion mimicking the above. I have "www.perlnerd.com" and "www.dbgrafx.com" set up as non ssl virtual domains and "shop.perlnerd.com" set up as my ssl virtual domain.

One thing I find strange is that the URL https://www.perlnerd.com or https://www.dbgrafx.com takes me to the document root of the ssl enabled virtual domain while http://www.perlnerd.com et al. takes me to the proper document root. Should this be happening?

I am running apache 1.3.14, php 4.2, and modssl 2.7.1, compiled from source on a FreeBSD UNIX 3.4 server. I have the SSL-enabled virtual host within the <IfDefine SSL> ... </IfDefine> container and have removed the default ssl virtual host setup that was in the file, thinking that that may have caused the problem.

Any help is appreciated

Thanks
Clint

--
Clint Gilders
Servermaster
Onlinehobbyist Inc.
[EMAIL PROTECTED]
Re: Virtual Hosting weirdness
At 06:37 PM 11/2/00 -0500, Clint Gilders wrote:

> Hi All
>
> Newbie Alert!!
>
> Ok... I looked through the archives and found some info on setting up ssl and non ssl virtual domains:
>
> CLIP
>
> I have set 3 virtual hosts up in a fashion mimicking the above. I have "www.perlnerd.com" and "www.dbgrafx.com" set up as non ssl virtual domains and "shop.perlnerd.com" set up as my ssl virtual domain.
>
> One thing I find strange is that the URL https://www.perlnerd.com or https://www.dbgrafx.com takes me to the document root of the ssl enabled virtual domain while http://www.perlnerd.com et al. takes me to the proper document root. Should this be happening?

Yes. The https:// part of the URL causes the browser to make a TCP connection to port 443 on your server machine. Since your names all resolve to the same IP address, the request goes to the virtual host.

One solution (I'm sure there are others...) is to set up a separate IP address (alias) on your box, point the shop.perlnerd.com name to that address, and adjust your virtual host settings to match.

John Helmuth
[EMAIL PROTECTED]
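Added example (not code from the list or from Apache): a small Python model of how Apache 1.3 picks a <VirtualHost> for a connection, the socket (IP:port) first and the Host: header only on sockets declared NameVirtualHost, run over the three-host layout from the post and over the separate-IP fix suggested above. The IP addresses, DNS map and document roots are constructed, and ServerAlias handling is left out.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class VHost:
    addr: str           # "ip:port" exactly as written in <VirtualHost ip:port>
    server_name: str
    document_root: str  # constructed paths, not the poster's real ones

def select_vhost(vhosts, name_vhost_sockets, dst_ip, dst_port, host_header) -> Optional[VHost]:
    """Simplified Apache 1.3 rule: match the listening socket first; consult the
    Host: header only when that socket was declared NameVirtualHost (ServerAlias
    and ":port" suffixes in Host: are ignored here)."""
    sock = f"{dst_ip}:{dst_port}"
    candidates = [v for v in vhosts if v.addr == sock]
    if not candidates:
        return None                       # real Apache falls back to the main server
    if sock in name_vhost_sockets:
        for v in candidates:
            if v.server_name.lower() == host_header.lower():
                return v
    return candidates[0]                  # first vhost on the socket is the default

def route(vhosts, name_vhost_sockets, dns, url_host, scheme) -> Optional[VHost]:
    """What a browser request for scheme://url_host/ ends up hitting."""
    port = 443 if scheme == "https" else 80
    return select_vhost(vhosts, name_vhost_sockets, dns[url_host], port, url_host)

SHARED_IP, SHOP_IP = "192.168.200.1", "192.168.200.2"   # constructed addresses
NAME_SOCKETS = {f"{SHARED_IP}:80"}                        # the only NameVirtualHost line

# The poster's layout: two name-based HTTP hosts and one HTTPS host, all on one address.
ONE_IP = [
    VHost(f"{SHARED_IP}:80",  "www.perlnerd.com",  "/home/perlnerd"),
    VHost(f"{SHARED_IP}:80",  "www.dbgrafx.com",   "/home/dbgrafx"),
    VHost(f"{SHARED_IP}:443", "shop.perlnerd.com", "/home/shop"),
]
ONE_IP_DNS = {v.server_name: SHARED_IP for v in ONE_IP}

# The suggested fix: the SSL host gets its own IP alias and its name points there.
TWO_IP = [VHost(f"{SHOP_IP}:443", v.server_name, v.document_root)
          if v.addr.endswith(":443") else v for v in ONE_IP]
TWO_IP_DNS = {**ONE_IP_DNS, "shop.perlnerd.com": SHOP_IP}

if __name__ == "__main__":
    for layout, dns in ((ONE_IP, ONE_IP_DNS), (TWO_IP, TWO_IP_DNS)):
        for name in ("www.perlnerd.com", "www.dbgrafx.com", "shop.perlnerd.com"):
            hit = route(layout, NAME_SOCKETS, dns, name, "https")
            print(f"https://{name} ->", hit.document_root if hit else "main server")
```

With one address, every https:// name lands on /home/shop; after the fix, https://www.perlnerd.com no longer matches any SSL vhost and falls through to the main server instead.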
RE: Virtual Hosting weirdness
> Newbie Alert!!

Ah, then you should refer to: http://www.modssl.org/docs/ in particular the FAQ. :-)

> Ok... I looked through the archives and found some info on setting up ssl and non ssl virtual domains:
>
> snip

It is working as it should, take a look at the FAQ and you will see why.

-Dave
How to get the value of SSL_* env vars?
I use mod_ssl 2.7.1 for Apache 1.3.14 on Solaris 2.6. I'm writing an authentication module that needs to get the DN from the user's certificate when the user is trying to access a resource within the DocumentRoot. In httpd.conf, I specify something like this:

    ...
    <Directory "/usr/local/apache/htdocs">
        <IfDefine SSL>
            SSLOptions +StdEnvVars +CompatEnvVars +ExportCertData
        </IfDefine>
    </Directory>
    ...
    <IfDefine SSL>
    <VirtualHost _default_:8443>
    DocumentRoot "/usr/local/apache/htdocs"
    ServerName boanetra.acme.com
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog /usr/local/apache/logs/error_log
    TransferLog /usr/local/apache/logs/access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
    SSLCACertificatePath /usr/local/apache/conf/ssl.crt
    SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-root.crt
    SSLVerifyClient require
    SSLVerifyDepth 10
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/usr/local/apache/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    </VirtualHost>
    </IfDefine>

In my authentication module, I try to access the SSL_* env vars, for example, SSL_CLIENT_S_DN, with:

    char *userDN = (char *)ap_table_get(request->subprocess_env, "SSL_CLIENT_S_DN");

It returns null. I then move the <Directory "/usr/local/apache/htdocs"> block into the <VirtualHost _default_:8443> block. Same, I got nothing back.

When I access a perl script (under cgi-bin) that prints out all the env vars, I can see all the SSL_* env vars. Why can't I get the same thing when the user is accessing a resource under the DocumentRoot? What's the correct way to get the SSL_* values within my own module?

Any help would be appreciated.

-Muwon
Re: Virtual Hosting weirdness
On Thu, 2 Nov 2000, Clint Gilders wrote:

> Ok... I looked through the archives and found some info on setting up ssl and non ssl virtual domains. This is what I found:
>
>     NameVirtualHost 192.168.200.1:80
>
>     <VirtualHost 192.168.200.1:80>
>     ServerName banana.fruit.com
>     DocumentRoot /home/banana
>     </VirtualHost>
>
>     <VirtualHost 192.168.200.1:80>
>     ServerName kiwi.fruit.com
>     DocumentRoot /home/kiwi
>     </VirtualHost>
>
>     <VirtualHost 192.168.200.1:443>
>     ServerName ssl.fruit.com
>     DocumentRoot /home/ssl
>     SSLEngine On
>     SSLCertificateFile /apache_conf_dir/ssl.crt/your_site.crt
>     SSLCertificateKeyFile /apache_conf_dir/ssl.key/your_site.key
>     </VirtualHost>

This problem has been raised quite frequently in recent days. You are listening for HTTPS connections on one socket, 192.168.200.1:443. You have further defined that this connects to SSL.FRUIT.COM.

> I have set 3 virtual hosts up in a fashion mimicking the above. I have "www.perlnerd.com" and "www.dbgrafx.com" set up as non ssl virtual domains and "shop.perlnerd.com" set up as my ssl virtual domain.
>
> One thing I find strange is that the URL https://www.perlnerd.com or https://www.dbgrafx.com takes me to the document root of the ssl enabled virtual domain while http://www.perlnerd.com et al. takes me to the proper document root. Should this be happening?
>
> I am running apache 1.3.14, php 4.2, and modssl 2.7.1, compiled from source on a FreeBSD UNIX 3.4 server. I have the SSL-enabled virtual host within the <IfDefine SSL> ... </IfDefine> container and have removed the default ssl virtual host setup that was in the file, thinking that that may have caused the problem.
>
> Any help is appreciated
>
> Thanks
> Clint
>
> --
> Clint Gilders
> Servermaster
> Onlinehobbyist Inc.
> [EMAIL PROTECTED]
Re: How to get the value of SSL_* env vars?
At 09:45 PM 11/2/2000, Muwon Lum wrote:

> I use mod_ssl 2.7.1 for Apache 1.3.14 on Solaris 2.6. I'm writing an authentication module that needs to get the DN from the user's certificate when the user is trying to access a resource within the DocumentRoot.
>
> In my authentication module, I try to access the SSL_* env vars, for example, SSL_CLIENT_S_DN, with:
>
>     char *userDN = (char *)ap_table_get(request->subprocess_env, "SSL_CLIENT_S_DN");
>
> It returns null.
>
> What's the correct way to get the SSL_* values within my own module?

The following could probably be much simpler, but as a starting point...

    /* Needs mod_ssl.h for SSLSrvConfigRec, mySrvConfig() and ssl_var_lookup(). */
    char *get_user_dn(request_rec *r)
    {
        SSLSrvConfigRec *sc = mySrvConfig(r->server);

        /*
         * Make sure SSL is enabled, connected, and client-authenticated
         */
        if (!sc->bEnabled)
            return NULL;
        if (ap_ctx_get(r->connection->client->ctx, "ssl") == NULL)
            return NULL;
        if (ap_ctx_get(r->connection->client->ctx, "ssl::client::dn") == NULL)
            return NULL;

        /* Ask mod_ssl directly instead of relying on subprocess_env */
        return ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_S_DN");
    }
Re: Virtual Hosting weirdness
Merton Campbell Crockett wrote:

> I have set 3 virtual hosts up in a fashion mimicking the above. I have "www.perlnerd.com" and "www.dbgrafx.com" set up as non ssl virtual domains and "shop.perlnerd.com" set up as my ssl virtual domain.
>
> One thing I find strange is that the URL https://www.perlnerd.com or https://www.dbgrafx.com takes me to the document root of the ssl enabled virtual domain while http://www.perlnerd.com et al. takes me to the proper document root. Should this be happening?

In addition to the replies that you got, I would suggest that you put your SSL Virtual Host as the first host of each series, and that you make sure that the document root is the correct one in that VH. That might actually fix your specific problem.

--
Cheers,
Balázs
Re: Sharing SSLSessionCache in load balanced environment
Jeffrey Burgoyne wrote:

On Thu, 2 Nov 2000, Owen Boyle wrote:

"Wohlgemuth, Michael J." wrote:

> I would like to implement some sort of load balancing for this site. ...the SSLSessionCache will need to be shared somehow across separate physical hosts.

the current proven approach is not to share the session cache, but to inspect the packets, and route them to the same server for a given session.

We have a different approach and what we plan to do is to configure the load-balancer so that all transactions within the same session are routed to the same server. Since we haven't yet decided what to use for load balancing, we haven't yet discovered how to do this... :-)

There are two routes: software or hardware.

Software: you can use an off the shelf product, e.g. "Resonate" that will install on your servers or on a separate server, and be careful in the case of sessions, to direct them to the right place. I heard that TurboLinux and RedHat also have a product that might do that...

Hardware: SlashDotOrg uses Alteon load balancers that do well with SSL as well as with cookies. Other hardware solutions are available from Cisco, Rockridge and probably others.

I have not played around with the session cache stuff, but a quick look on my system seems to indicate it is a file. Would it be possible to NFS mount this file among multiple machines making it shared? It would be useful for myself as we are adding a second server to our installation and all our pertinent files are on a shared HDS drive. If this could be shared as well, it would be quite helpful.

With NFS, you would have a serious bottleneck due to file locking, and not even a shared RAID could help you there...

(PS: if you were kind enough to put your comments at the bottom of the thread, it would make it easier to follow for others. I took the liberty to cut and paste it to the bottom...)

--
Cheers,
Balázs
thenewpush, LLC / 303-523-5729 / 720-283-2873
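Added example, not code from the thread or from any of the products named in it: a Python sketch of the "inspect the packets and route a given session to the same server" approach. It pulls the session_id out of SSLv3/TLS ClientHello and ServerHello records, learns which backend issued each id from the ServerHello, and sends resumptions back to that backend so no shared SSLSessionCache is needed; the hello records and backend names are constructed for offline testing.

```python
import struct
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02   # record type, message types

def hello_session_id(record: bytes, expect_type: int) -> bytes:
    """Return the session_id carried by an SSLv3/TLS ClientHello or ServerHello record."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != expect_type:
        raise ValueError("unexpected handshake message")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    # version(2) random(32) session_id_length(1) session_id(0..32 bytes)
    if len(hello) < 35 or hello[34] > 32 or len(hello) < 35 + hello[34]:
        raise ValueError("truncated hello")
    return hello[35:35 + hello[34]]

class StickyRouter:
    """Sends every SSL session to the backend whose SSLSessionCache holds it."""
    def __init__(self, backends):
        self.backends, self.rr, self.affinity = list(backends), 0, {}

    def route_client_hello(self, record: bytes) -> str:
        sid = hello_session_id(record, CLIENT_HELLO)
        if sid in self.affinity:                   # resumption: reuse the learned backend
            return self.affinity[sid]
        backend = self.backends[self.rr % len(self.backends)]   # new session: round robin
        self.rr += 1
        return backend

    def learn_server_hello(self, record: bytes, backend: str) -> None:
        sid = hello_session_id(record, SERVER_HELLO)
        if sid:                                    # an empty id means the server will not cache it
            self.affinity[sid] = backend

def make_hello(msg_type: int, session_id: bytes) -> bytes:
    """Constructed SSLv3 hello (zero random, one cipher suite) for offline testing."""
    hello = b"\x03\x00" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += b"\x00\x02\x00\x0a\x01\x00" if msg_type == CLIENT_HELLO else b"\x00\x0a\x00"
    body = bytes([msg_type]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, 0x03, 0x00]) + struct.pack("!H", len(body)) + body

def demo_routing(backends=("web1", "web2")):
    """Two new sessions round-robin; a resumed session follows the server that cached it."""
    lb = StickyRouter(backends)
    first = lb.route_client_hello(make_hello(CLIENT_HELLO, b""))
    lb.learn_server_hello(make_hello(SERVER_HELLO, b"\xaa" * 32), first)
    second = lb.route_client_hello(make_hello(CLIENT_HELLO, b""))
    resumed = lb.route_client_hello(make_hello(CLIENT_HELLO, b"\xaa" * 32))
    return [first, second, resumed]                # -> ['web1', 'web2', 'web1']
```

A real balancer would also expire affinity entries in step with the servers' SSLSessionCacheTimeout, otherwise the table grows without bound.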