Re: Some question about modssl
James Treworgy wrote:

> I would absolutely *not* do this, [mix SSL and non-SSL content] unless you want your web site users to see a message from the web browser saying "this page has both secure and insecure information. Do you want to proceed?" every time they use your site. This does not instill confidence.

Good point Jamie. However, for some users this may be necessary, there is nothing in the protocol against doing this, the browser warnings are browser-dependent (Netscape doesn't give a peep) and can be switched off. Users have to choose for themselves how they want to use SSL.

Rgds,
Owen Boyle.

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: How do browsers cache ssl pages?
Hi Wohlgemuth,

here is what Netscape is saying about caching SSL pages

---
Disabling Caching for SSL-Transferred Documents

By default, Navigator doesn't store SSL-transferred pages in its disk cache, although an option in the Preferences dialog box allows them to do so. You can permanently disallow SSL document caching with the following preference.

browser.cache.disk_cache_ssl

The default for this preference is false (SSL pages are not retained in disk cache). Set false with the lockPref() function to make the setting permanent. A value of true would cause such pages to be retained.
---

To change this you have to edit your prefs.js file.

Maybe this helps you further.

"Wohlgemuth, Michael J." wrote:

> First off, I'd like to thank everyone that offered help with the load balancing question. The ssl3 sticky sessions on the LocalDirectors should do the trick for us.
>
> Now, on to my new question, and I hope I can explain it without thoroughly confusing everyone:
>
> We have modssl configured with an SSLSessionCacheTimeout of 300 seconds. One of the web applications running on the server uses frames, with one frameset containing an HTTP form, and the other frameset having navigation buttons, including the submit button. The design and implementation of these pages is out of my control. When the user hits the submit button, the page runs some JavaScript that performs an HTTP post on the frameset with the form. This works fine as long as the user doesn't take longer than 300 seconds to fill out the form and hit submit. If modssl expires the session cache, the browser clears all the entries in the HTML form. This leads me to believe that the browser is somehow limiting access from one frameset to the other based on the session id, and since the session ids don't match, it is clearing the form data. We see this behavior in both IE and Netscape.
>
> So, on to my questions:
>
> 1. How, in general, do browsers manage access to locally cached secure pages? Does my interpretation above make any sense?
> 2. If my interpretation above is correct, is there any way to change this behavior in the browser's configuration?
> 3. If my interpretation is not correct, does anyone have any idea why the forms data is getting cleared?
> 4. The obvious workaround here is to increase the SSLSessionCacheTimeout. Is there any recommended maximum value for this?
>
> Thanks
> Mike

--
Linux Viruscan. Windows 95/98/NT/WIN2000 Found Remove it ? (Y/y)
Marcus Lachmanez
System Analyst
INTERNET PRODUCTS TEAM
Oracle Germany
Re: How do browsers cache ssl pages?
On Mon, Nov 06, 2000 at 02:34:36PM -0500, Wohlgemuth, Michael J. wrote:

> ...

(There have been answers and hints for the other questions.)

> 4. The obvious workaround here is to increase the SSLSessionCacheTimeout. Is there any recommended maximum value for this?

Please check out the TLS standard RFC2246. There a maximum lifetime of 24 hours is recommended (based on security considerations) (F.1.4):

    Sessions cannot be resumed unless both the client and server agree. If either party suspects that the session may have been compromised, or that certificates may have expired or been revoked, it should force a full handshake. An upper limit of 24 hours is suggested for session ID lifetimes, since an attacker who obtains a master_secret may be able to impersonate the compromised party until the corresponding session ID is retired. Applications that may be run in relatively insecure environments should not write session IDs to stable storage.

I have never tried whether e.g. Netscape actually enforces some timeout. If I have long lasting sessions on my server, Netscape always tries to resume them on the same day (and I shut down Netscape when going home :-). You should however be aware, that there is no other means (besides restarting Netscape) to get rid of a session from the client side.

[I personally would only recommend these long timeout values for "domestic" aka 128bit ciphers, not for 40bit ciphers with possibly short (512bit) RSA keys... Breaking 40bit keys within a day doesn't seem completely unreasonable in the near future.]

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
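An added example, not part of the message above or of mod_ssl: a small Python audit that reads an Apache configuration and flags SSL-enabled servers whose SSLSessionCacheTimeout exceeds the 24-hour limit suggested in RFC 2246 F.1.4, or that combine a long lifetime with export-grade ciphers as cautioned above. The sample configuration is constructed; the one-hour LONG_TIMEOUT threshold, the cipher-string heuristic and the assumption that virtual hosts inherit the main server's settings belong to this example.

```python
import re

RFC2246_MAX_SECONDS = 24 * 60 * 60   # upper limit suggested in RFC 2246, F.1.4
MOD_SSL_DEFAULT_TIMEOUT = 300        # mod_ssl's default when the directive is absent
LONG_TIMEOUT = 60 * 60               # assumption: what counts as "long" for weak ciphers

# Constructed sample configuration (addresses are documentation-range placeholders).
SAMPLE_CONF = """\
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
SSLSessionCacheTimeout 1800
SSLCipherSuite ALL:!ADH:!EXP:+HIGH:+MEDIUM

<VirtualHost 192.0.2.10:443>
SSLEngine on
</VirtualHost>

<VirtualHost 192.0.2.11:443>
SSLEngine on
SSLSessionCacheTimeout 172800
</VirtualHost>

<VirtualHost 192.0.2.12:443>
SSLEngine on
SSLSessionCacheTimeout 43200
SSLCipherSuite ALL:!ADH:+EXP
</VirtualHost>

<VirtualHost 192.0.2.13:80>
DocumentRoot /usr/local/apache/htdocs
</VirtualHost>
"""


def parse_scopes(conf_text):
    """Collect directives for the main server and for each <VirtualHost> block."""
    scopes = {"main": {}}
    current = "main"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.IGNORECASE)
        if opened:
            current = opened.group(1).strip()
            scopes.setdefault(current, {})
        elif re.match(r"</VirtualHost\s*>", line, re.IGNORECASE):
            current = "main"
        elif not line.startswith("<"):
            # Other containers (<Directory>, <IfModule>) do not change the server scope.
            parts = line.split(None, 1)
            scopes[current][parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return scopes


def export_ciphers_reachable(cipher_string):
    """Heuristic: ALL or a bare EXP* token admits 40-bit suites unless !EXP* bans them."""
    tokens = [t.strip().upper() for t in cipher_string.split(":") if t.strip()]
    if any(t.startswith("!EXP") for t in tokens):
        return False
    return any(t == "ALL" or t.startswith("EXP") for t in tokens)


def audit_session_timeouts(conf_text):
    """Return (scope, timeout_seconds, finding) for every SSL-enabled server."""
    scopes = parse_scopes(conf_text)
    main = scopes["main"]
    findings = []
    for scope, own in scopes.items():
        merged = {**main, **own}  # assumption: vhosts inherit main-server settings
        if merged.get("sslengine", "off").lower() != "on":
            continue
        raw = merged.get("sslsessioncachetimeout", str(MOD_SSL_DEFAULT_TIMEOUT))
        try:
            timeout = int(raw)
        except ValueError:
            findings.append((scope, None, "unparsable timeout %r" % raw))
            continue
        ciphers = merged.get("sslciphersuite", "")
        if timeout > RFC2246_MAX_SECONDS:
            finding = "exceeds 24h limit suggested by RFC 2246 F.1.4"
        elif timeout > LONG_TIMEOUT and export_ciphers_reachable(ciphers):
            finding = "long lifetime while 40-bit export ciphers are reachable"
        else:
            finding = "ok"
        findings.append((scope, timeout, finding))
    return sorted(findings, key=lambda f: f[0])


if __name__ == "__main__":
    for scope, timeout, finding in audit_session_timeouts(SAMPLE_CONF):
        print(scope, timeout, finding)
```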
Re: How do browsers cache ssl pages?
"Wohlgemuth, Michael J." wrote:

> First off, I'd like to thank everyone that offered help with the load balancing question. The ssl3 sticky sessions on the LocalDirectors should do the trick for us.

Hmmm. We're using LD 416 with v3.2.3 of the OS. With LD's sticky option, you can either do sticky SSL, or sticky generic. Sticky SSL breaks M$ Exploder 5 for Windoze. Haven't fully investigated this. We have a slightly weird config of HTTPDs here.

Adam.
Major Problem with IE / Apache / modssl / openssl
Hi,

the scenario for my problem is the following:

x86 Linux 2.2.16
apache 1.3.12
mod_ssl 2.6.5
openssl 0.9.5a
netscape 4.7x
ie = 5.0

ssl-connections with netscape work fine. ssl-connections with ie don't.

i have done the "SetEnvIf - Thing" in httpd.conf, and configured apache not to require client certificates. but it doesn't work.

if I drive ie in "default-config" the ssl_engine_ssl_log says the following:

[07/Nov/2000 13:41:37 13519] [info] Connection to child 5 established (server www2.xxx.yyy:443, client XXX.XXX.XXX.XXX)
[07/Nov/2000 13:41:37 13519] [info] Seeding PRNG with 1160 bytes of entropy
[07/Nov/2000 13:41:37 13519] [trace] OpenSSL: Handshake: start
[07/Nov/2000 13:41:37 13519] [trace] OpenSSL: Loop: before/accept initialization
[07/Nov/2000 13:41:37 13519] [debug] OpenSSL: read 11/11 bytes from BIO#081F30C0 [mem: 081FA820] (BIO dump follows)
[07/Nov/2000 13:41:37 13519] [debug] OpenSSL: read 97/97 bytes from BIO#081F30C0 [mem: 081FA82B] (BIO dump follows)
[07/Nov/2000 13:41:37 13519] [trace] OpenSSL: Loop: SSLv3 read client hello A
[07/Nov/2000 13:41:37 13519] [trace] OpenSSL: Loop: SSLv3 write server hello A
[07/Nov/2000 13:41:37 13519] [trace] OpenSSL: Loop: SSLv3 write certificate A
[07/Nov/2000 13:41:37 13519] [trace] OpenSSL: Loop: SSLv3 write server done A
[07/Nov/2000 13:41:37 13519] [debug] OpenSSL: write 842/842 bytes to BIO#081F30C0 [mem: 08207CB8] (BIO dump follows)
Re: Some question about modssl
True, there's nothing in protocol against it, and users can switch it off, but if you're trying to sell something over the internet (which is the reason a lot of people use SSL) then you really need to cater to the least common denominator. Trying to explain frightening messages to the 60% or whatever of your users who use Internet Explorer is not a good way to go about that.

You shouldn't rely on users to "know" how to use SSL, since the technology is far beyond most of their comprehensions. You should do everything possible to ensure that the fewest number of people possible are presented with any difficult or confusing questions, and "this site contains both secure and insecure objects. do you want to proceed?" is *definitely* a confusing question to the average user. It will absolutely cause an e-businessperson to lose customers and there's no good reason to purposely implement a site this way.

Jamie

At 03:13 AM 11/7/00, Owen Boyle wrote:

> > I would absolutely *not* do this, [mix SSL and non-SSL content] unless you want your web site users to see a message from the web browser saying "this page has both secure and insecure information. Do you want to proceed?" every time they use your site. This does not instill confidence.
>
> Good point Jamie. However, for some users this may be necessary, there is nothing in the protocol against doing this, the browser warnings are browser-dependent (Netscape doesn't give a peep) and can be switched off. Users have to choose for themselves how they want to use SSL.
RE: How do browsers cache ssl pages?
-----Original Message-----
From: Paul McGarry [mailto:[EMAIL PROTECTED]]

> Can you run your app in straight http mode to check that SSL is really involved in causing the problem?

The app was originally developed without SSL support, and no one had this problem. Also, we are using client certs, and the only times this happens is when the user gets prompted for the certificate again. So, I am almost positive that it is somehow related to SSL.

I've increased the timeout to 30 minutes. Hopefully that will eliminate most of the problems.

Thanks
Mike
Migration from iPlanet to Apache
Hi,

I am interested in converting the certificates and key files stored by iPlanet webserver in its proprietary format to certificate and key files that can be used by Apache. I would like to know if there are any tools that can convert certificates in netscape format to .pem format.

Any pointers in that direction are highly appreciated.

regards,
Sai
Re: Migration from iPlanet to Apache
On Tue, Nov 07, 2000 at 05:04:34PM -, Saicharan K wrote:

> I am interested in converting the certificates and key files stored by iPlanet webserver in its proprietary format to certificate and key files that can be used by Apache. I would like to know if there are any tools that can convert certificates in netscape format to .pem format. Any pointers in that direction are highly appreciated.

An explanation of how to do this is at:

http://www.drh-consultancy.demon.co.uk/nskey.html

Although it involves a lot of messing around with Netscape browsers, it worked when I tried it.

Olly.
Re: Some question about modssl
James Treworgy wrote:

> I would absolutely *not* do this, [mix SSL and non-SSL content] unless you want your web site users to see a message from the web browser saying "this page has both secure and insecure information. Do you want to proceed?" every time they use your site. This does not instill confidence.

--- Owen Boyle [EMAIL PROTECTED] wrote:

> Good point Jamie. However, for some users this may be necessary, there is nothing in the protocol against doing this, the browser warnings are browser-dependent (Netscape doesn't give a peep)

Which NetScape? I could swear I got this message from my Navigator a few times when I was first setting up our site, and hadn't cleared up the messes.

Our intranet site uses a modperl PerlPostReadRequest handler to reroute requests that *should* have been on the secure protocol, but doesn't bother with .jpg's or .gif's or certain directories or pages that are generally OK. That regularly means pages with mixed content, but the user never gets those messages.

On the other hand, we're a small enough site (an intranet) that we can afford the extra performance hit of all the 302's for correcting the protocol on restricted pages. On any high volume site, you'd want to handle it differently, but I think I've seen some posts where someone suggested mod_rewrite as an option.

Paul
Apache on NT/Oracle
I am using Apache mod-ssl (two servers) on NT with an application in Oracle PL/SQL, v.8.0.5.

On the first Apache server I have 15 connections and on the second I have 30 or more. When the second gets 30 connections it becomes very slow; the first, with 15 connections, works well, and the second server (30 connections, slow) is a more powerful machine.

Who can help me?

Thanks,
Tadeu David
Several SSL certificates with Apache under FreeBSD ??
Hi Everybody,

I have some questions for you. I have some FreeBSD servers with Apache mod_ssl running. Those servers have one (Thawte wildcard *.domain) SSL certificate and several virtualhosts. But some browsers do not have good support for wildcard SSL certificates [*.domain]. So I want to get some "normal" SSL certificates.

So as I have two virtual hosts on one server, I need two certificates. Is it possible to have several SSL certificates with only one IP address? Someone told me that my server must have two IPs for two certificates, is it true? Is there another way? Do you have any documentation about having one IP address for each SSL certificate?

Thanks a lot in advance for your help, :-)

Best regards,
Jacques
RE: Some question about modssl
Of course, only Exploder users get this :-P

-----Original Message-----
From: James Treworgy [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 06, 2000 2:01 PM
To: [EMAIL PROTECTED]
Subject: Re: Some question about modssl

I would absolutely *not* do this, unless you want your web site users to see a message from the web browser saying "this page has both secure and insecure information. Do you want to proceed?" every time they use your site. This does not instill confidence.

-- Jamie

At 06:03 AM 11/6/00, Owen Boyle wrote:

> Note that SSL is quite heavy on the system (all that encryption and decryption) so you might like to send some content (such as logo GIFs) by plain HTTP. To do this you can either refer to them explicitly, e.g.
>
> img src=http:/your.site.com/images/my_logo.gif
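An added example, not code from any of the posters: a Python check that lists the subresources an HTTPS page would fetch over plain HTTP, which is the condition behind the browser prompt debated in this thread. The sample page is constructed around the your.site.com logo URL quoted above, and the function and variable names are this example's own.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource while rendering the page.
# Plain <a href> links are navigation, not page content, so they are not listed.
FETCHING_ATTRS = {
    "img": ["src"], "script": ["src"], "frame": ["src"], "iframe": ["src"],
    "embed": ["src"], "input": ["src"], "object": ["data"], "body": ["background"],
}

# Constructed sample page, as it would be served from https://your.site.com/order.html
SAMPLE_PAGE = """\
<html><head>
<link rel="stylesheet" href="/css/shop.css">
<script src="//your.site.com/js/cart.js"></script>
</head><body>
<img src=http://your.site.com/images/my_logo.gif>
<img src="images/padlock.gif">
<a href="http://your.site.com/about.html">About</a>
<form action="https://your.site.com/order"><input type="image" src="http://your.site.com/images/buy.gif"></form>
</body></html>
"""


class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, resolved URL, line) for every plain-HTTP subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.base_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> changes how every later relative URL resolves.
            self.base_url = urljoin(self.base_url, attrs["href"])
            return
        names = list(FETCHING_ATTRS.get(tag, []))
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            names.append("href")
        for name in names:
            value = attrs.get(name)
            if not value:
                continue
            # Relative and scheme-relative (//host/...) URLs inherit the page scheme.
            resolved = urljoin(self.base_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                self.insecure.append((tag, name, resolved, self.getpos()[0]))


def find_mixed_content(page_url, html):
    """Return the plain-HTTP subresources of a page that is itself delivered over HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []  # nothing is "mixed" on a page that is not secure to begin with
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.insecure


if __name__ == "__main__":
    for tag, attr, url, line in find_mixed_content("https://your.site.com/order.html", SAMPLE_PAGE):
        print("line %d: <%s %s> loads %s" % (line, tag, attr, url))
```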
IP-based virtualhost problem ** Ha, I know NBVH is impossible!!!******
Dear all,

Although I am new to mod_ssl and apache, I've been digging the old messages for a few days to get my problem solved. Finally, I can't help but post this annoying message to seek help from all of you.

I can't make my IP-based virtual host work; the browser keeps complaining I don't have permission to view the page. Since I don't know which one went wrong, and I suppose the problem can be found in the httpd.conf file, I put it here to see if someone can help.

Dave

    ## httpd.conf -- Apache HTTP server configuration file
    ##
    #
    # Based upon the NCSA server configuration files originally by Rob McCool.
    #
    # This is the main Apache server configuration file. It contains the
    # configuration directives that give the server its instructions.
    # See URL:http://www.apache.org/docs/ for detailed information about
    # the directives.
    #
    # Do NOT simply read the instructions in here without understanding
    # what they do. They're here only as hints or reminders. If you are unsure
    # consult the online docs. You have been warned.
    #
    # After this file is processed, the server will look for and process
    # /usr/local/conf/srm.conf and then /usr/local/conf/access.conf
    # unless you have overridden these with ResourceConfig and/or
    # AccessConfig directives here.
    #
    # The configuration directives are grouped into three basic sections:
    #  1. Directives that control the operation of the Apache server process as a
    #     whole (the 'global environment').
    #  2. Directives that define the parameters of the 'main' or 'default' server,
    #     which responds to requests that aren't handled by a virtual host.
    #     These directives also provide default values for the settings
    #     of all virtual hosts.
    #  3. Settings for virtual hosts, which allow Web requests to be sent to
    #     different IP addresses or hostnames and have them handled by the
    #     same Apache server process.
    #
    # Configuration and logfile names: If the filenames you specify for many
    # of the server's control files begin with "/" (or "drive:/" for Win32), the
    # server will use that explicit path. If the filenames do *not* begin
    # with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
    # with ServerRoot set to "/usr/local/apache" will be interpreted by the
    # server as "/usr/local/apache/logs/foo.log".
    #
    ### Section 1: Global Environment
    #
    # The directives in this section affect the overall operation of Apache,
    # such as the number of concurrent requests it can handle or where it
    # can find its configuration files.
    #
    #
    # ServerType is either inetd, or standalone. Inetd mode is only supported on
    # Unix platforms.
    #
    ServerType standalone
    #
    # ServerRoot: The top of the directory tree under which the server's
    # configuration, error, and log files are kept.
    #
    # NOTE! If you intend to place this on an NFS (or otherwise network)
    # mounted filesystem then please read the LockFile documentation
    # (available at URL:http://www.apache.org/docs/mod/core.html#lockfile);
    # you will save yourself a lot of trouble.
    #
    # Do NOT add a slash at the end of the directory path.
    #
    ServerRoot "/usr/local"
    #
    # The LockFile directive sets the path to the lockfile used when Apache
    # is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
    # USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
    # its default value. The main reason for changing it is if the logs
    # directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
    # DISK. The PID of the main server process is automatically appended to
    # the filename.
    #
    #LockFile /usr/local/logs/httpd.lock
    #
    # PidFile: The file in which the server should record its process
    # identification number when it starts.
    #
    PidFile /usr/local/logs/httpd.pid
    #
    # ScoreBoardFile: File used to store internal server process information.
    # Not all architectures require this. But if yours does (you'll know because
    # this file will be created when you run Apache) then you *must* ensure that
    # no two invocations of Apache share the same scoreboard file.
    #
    ScoreBoardFile /usr/local/logs/httpd.scoreboard
    #
    # In the standard configuration, the server will process httpd.conf (this
    # file, specified by the -f command line option), srm.conf, and access.conf
    # in that order. The latter two files are now distributed empty, as it is
    # recommended that all directives be kept in a single file for simplicity.
    # The commented-out values below are the built-in defaults. You can have the
    # server ignore these files altogether by using "/dev/null" (for Unix) or
    # "nul" (for Win32) for the arguments to the directives.
    #
    #ResourceConfig conf/srm.conf
    #AccessConfig conf/access.conf
    #
    # Timeout: The number of seconds before receives and sends time out.
    #
    Timeout 300
    #
    # KeepAlive: Whether or not to allow persistent connections (more than
    # one request per connection). Set to "Off" to deactivate.
    #
    KeepAlive On
    #
    # MaxKeepAliveRequests: The maximum number of requests to allow
    # during a persistent connection. Set to 0 to
Undefined symbol
Well, I'm new to mod_ssl, so this may be a gimme for some of you, but I've been unable to find the answer in any FAQ or in the list archives.

What I'm trying to do is install mod_perl and mod_ssl with apache. Yes, I have the latest versions of all three, as well as openssl0.9.6. Openssl is installed in its default dir, /usr/local/ssl. I've been using the Apache + mod_ssl/OpenSSL + mod_perl/Perl example in mod_ssl's INSTALL file. Both mod_perl and mod_ssl seem to install fine...

The only option I gave to mod_ssl's ./configure was the

    --with-apache=.../apache_1.3.14

I gave mod_perl's Makefile.PL the following options...

    USE_APACI=1
    EVERYTHING=1
    DO_HTTPD=1
    APACHE_SRC=../apache_1.3.14/src
    PREP_HTTPD=1

and now finally to apache...

    SSL_BASE=/usr/local/ssl (I've tried this with both source and installed)
    ./configure
    --prefix=/usr/local/apSSL (yes I defined this layout in config.layout
    --enable-module=ssl
    --activate-module=src/modules/perl/libperl.a
    --enable-module=rewrite
    --enable-module=perl

then make gives me the following errors...

    Undefined                   first referenced
     symbol                         in file
    sk_X509_NAME_find           modules/ssl/libssl.a(ssl_engine_init.o)
    sk_X509_NAME_push           modules/ssl/libssl.a(ssl_engine_init.o)
    sk_SSL_CIPHER_free          modules/ssl/libssl.a(ssl_engine_kernel.o)
    sk_X509_NAME_ENTRY_value    modules/ssl/libssl.a(ssl_engine_vars.o)
    sk_X509_NAME_ENTRY_num      modules/ssl/libssl.a(ssl_engine_vars.o)
    sk_X509_NAME_set_cmp_func   modules/ssl/libssl.a(ssl_engine_init.o)
    sk_X509_NAME_num            modules/ssl/libssl.a(ssl_engine_init.o)
    sk_SSL_CIPHER_num           modules/ssl/libssl.a(ssl_engine_kernel.o)
    sk_X509_NAME_value          modules/ssl/libssl.a(ssl_engine_init.o)
    sk_X509_num                 modules/ssl/libssl.a(ssl_engine_kernel.o)
    sk_X509_NAME_new            modules/ssl/libssl.a(ssl_engine_init.o)
    sk_SSL_CIPHER_value         modules/ssl/libssl.a(ssl_engine_kernel.o)
    sk_X509_value               modules/ssl/libssl.a(ssl_engine_kernel.o)
    sk_X509_pop_free            modules/ssl/libssl.a(ssl_util_ssl.o)
    sk_SSL_CIPHER_dup           modules/ssl/libssl.a(ssl_engine_kernel.o)
    sk_SSL_CIPHER_find          modules/ssl/libssl.a(ssl_engine_kernel.o)
    ld: fatal: Symbol referencing errors. No output written to httpd
    collect2: ld returned 1 exit status
    make[2]: *** [target_static] Error 1
    make[2]: Leaving directory `/home/justin/newerbetterfaster/apache_1.3.14/src'
    make[1]: *** [build-std] Error 2
    make[1]: Leaving directory `/home/justin/newerbetterfaster/apache_1.3.14'
    make: *** [build] Error 2

Please help, I'm stumped and have been stuck on this for a few days now, and nothing I change seems to help!

Thanks in advance
-JH
Re: Undefined symbol
woops, correction

when configuring mod_ssl my ./configure options were

    --with-apache=../apache_1.3.14 \
    --with-ssl=../openssl-0.9.6
Problem with ssl_scache
I'm experiencing a problem with starting Apache w. modssl. For some reason, the ssl cache file doesn't seem to be created. Below are the logs:

[Tue Nov 7 23:04:24 2000] [error] mod_ssl: Cannot open SSLSessionCache DBM file `/usr/local/apache/conf/ssl/ssl_scache' for scanning (System error follows)
[Tue Nov 7 23:04:24 2000] [error] System: No such file or directory (errno: 2)
[Tue Nov 7 23:04:24 2000] [error] mod_ssl: Cannot open SSLSessionCache DBM file `/usr/local/apache/conf/ssl/ssl_scache' for reading (fetch) (System error follows)
[Tue Nov 7 23:04:24 2000] [error] System: No such file or directory (errno: 2)
[Tue Nov 7 23:04:25 2000] [error] mod_ssl: Cannot open SSLSessionCache DBM file `/usr/local/apache/conf/ssl/ssl_scache' for writing (store) (System error follows)
[Tue Nov 7 23:04:25 2000] [error] System: No such file or directory (errno: 2)

Anyone had this problem and know of a fix?
ca-bundle.crt
Hi,

There is a file named "ca-bundle.crt" in the mod-ssl distribution. This file basically contains a bundle of X.509 certificates of all Certificate authorities. Does anybody know how this file is created and if there is a location where I can find the source for this?

thanks,
Sai
Re: Undefined symbol
On Tue, 7 Nov 2000, Justin Hinrichs wrote:

> Well, I'm new to mod_ssl, so this may be a gimme for some of you, but I've been unable to find the answer in any FAQ or in the list archives.
>
> What I'm trying to do is install mod_perl and mod_ssl with apache. Yes, I have the latest versions of all three, as well as openssl0.9.6. Openssl is installed in its default dir, /usr/local/ssl. I've been using the Apache + mod_ssl/OpenSSL + mod_perl/Perl example in mod_ssl's INSTALL file. Both mod_perl and mod_ssl seem to install fine...
>
> The only option I gave to mod_ssl's ./configure was the
>
>     --with-apache=.../apache_1.3.14
>
> I gave mod_perl's Makefile.PL the following options...
>
>     USE_APACI=1
>     EVERYTHING=1
>     DO_HTTPD=1
>     APACHE_SRC=../apache_1.3.14/src
>     PREP_HTTPD=1
>
> and now finally to apache...
>
>     SSL_BASE=/usr/local/ssl (I've tried this with both source and installed)
>     ./configure
>     --prefix=/usr/local/apSSL (yes I defined this layout in config.layout
>     --enable-module=ssl
>     --activate-module=src/modules/perl/libperl.a
>     --enable-module=rewrite
>     --enable-module=perl
>
> then make gives me the following errors...
>
>     Undefined                   first referenced
>      symbol                         in file
>     sk_X509_NAME_find           modules/ssl/libssl.a(ssl_engine_init.o)
>     sk_X509_NAME_push           modules/ssl/libssl.a(ssl_engine_init.o)
>     sk_SSL_CIPHER_free          modules/ssl/libssl.a(ssl_engine_kernel.o)
>     sk_X509_NAME_ENTRY_value    modules/ssl/libssl.a(ssl_engine_vars.o)
>     sk_X509_NAME_ENTRY_num      modules/ssl/libssl.a(ssl_engine_vars.o)
>     sk_X509_NAME_set_cmp_func   modules/ssl/libssl.a(ssl_engine_init.o)
>     sk_X509_NAME_num            modules/ssl/libssl.a(ssl_engine_init.o)
>     sk_SSL_CIPHER_num           modules/ssl/libssl.a(ssl_engine_kernel.o)
>     sk_X509_NAME_value          modules/ssl/libssl.a(ssl_engine_init.o)
>     sk_X509_num                 modules/ssl/libssl.a(ssl_engine_kernel.o)
>     sk_X509_NAME_new            modules/ssl/libssl.a(ssl_engine_init.o)
>     sk_SSL_CIPHER_value         modules/ssl/libssl.a(ssl_engine_kernel.o)
>     sk_X509_value               modules/ssl/libssl.a(ssl_engine_kernel.o)
>     sk_X509_pop_free            modules/ssl/libssl.a(ssl_util_ssl.o)
>     sk_SSL_CIPHER_dup           modules/ssl/libssl.a(ssl_engine_kernel.o)
>     sk_SSL_CIPHER_find          modules/ssl/libssl.a(ssl_engine_kernel.o)
>     ld: fatal: Symbol referencing errors. No output written to httpd
>     collect2: ld returned 1 exit status
>     make[2]: *** [target_static] Error 1
>     make[2]: Leaving directory `/home/justin/newerbetterfaster/apache_1.3.14/src'
>     make[1]: *** [build-std] Error 2
>     make[1]: Leaving directory `/home/justin/newerbetterfaster/apache_1.3.14'
>     make: *** [build] Error 2

How did you build the openssl library?

Jie
[repost]garbled redirects
Hi all.

A while back I posted a similar problem. My error logs have frequent entries showing erroneous redirect strings, like this:

[Tue Nov 7 08:57:45 2000] [error] [client 90.14.50.41] Invalid error redirection directive: üØ@

Sometimes *most* of the redirect is fine; I found one where nothing was garbled but the protocol -- instead of "https" it had several binary characters, but from the :// on the address was fine. Here's one:

[Tue Nov 7 09:05:56 2000] [error] [client 96.80.9.46] Invalid error redirection »xs://buda.bst.bls.com/dres/dres.cgi

What would cause that? It's a secure intranet, btw -- you have to be inside the company firewall to hit it.

That "s" is probably valid -- it's a Perl*Handler in mod_perl that's checking requests, and routing those to restricted parts of the server to the secure protocol. It was easier than wading through the mod_rewrite docs. ~sheepish grin~

Still, it's a simple handler, and works other than this occasional glitch. In the hopes that I'm not providing too *much* info, here's the handler code (minimally edited):

    #~~
    # module for Apache/mod_perl PerlPostReadRequestHandler to redirect
    # users on the nonsecure port over to SSL (hopefully saving bookmarks)
    #__
    package Apache::PortCorrect;
    use strict;
    use Apache::Constants qw( :response :methods );

    sub handler {
        my($r,$s,$url,$args,$uri,$subr);
        $r = shift;                                # the request object
        return OK if 443 == $r->get_server_port;   # already on the SSL port
        (undef,$url,undef) = split(/\s+/o, $r->the_request);
        return OK if $url =~ m{ ^(?:/                         # allow home
                                 | .*[.](?:gif|jpg)           # graphics ok
                                 | /(?:list|of|open|dirs).*   # inefficient...
                                 | /(?:home|cook)[.]shtml     # special cases
                                )$
                              }ixo;
        $uri = "https://buda.bst.bls.com" . $url;
        $uri .= "?$args" if $args = $r->args;
        $r->custom_response(MOVED,$uri);
        return MOVED;
    }
    1; # guarantee return code for load
    #__

Also, I'm still having *constant* segfaults for no reason I can tell:

[Tue Nov 7 09:03:41 2000] [notice] child pid 8201 exit signal Segmentation fault (11)
[Tue Nov 7 09:05:56 2000] [error] [client 96.80.9.46] Invalid error redirection »xs://buda.bst.bls.com/dres/dres.cgi
[Tue Nov 7 09:06:23 2000] [notice] child pid 2176 exit signal Segmentation fault (11)
[Tue Nov 7 09:06:27 2000] [notice] child pid 13445 exit signal Segmentation fault (11)
[Tue Nov 7 09:06:39 2000] [notice] child pid 16884 exit signal Segmentation fault (11)
[Tue Nov 7 09:10:15 2000] [error] [client 90.17.208.181] Invalid error redirection directive:
[Tue Nov 7 09:11:23 2000] [notice] child pid 8158 exit signal Segmentation fault (11)
[Tue Nov 7 09:15:33 2000] [notice] child pid 18409 exit signal Segmentation fault (11)
[Tue Nov 7 09:15:33 2000] [notice] child pid 17990 exit signal Segmentation fault (11)
[Tue Nov 7 09:15:57 2000] [notice] child pid 27829 exit signal Segmentation fault (11)
[Tue Nov 7 09:15:59 2000] [notice] child pid 18001 exit signal Segmentation fault (11)
[Tue Nov 7 09:16:01 2000] [notice] child pid 18817 exit signal Segmentation fault (11)
[Tue Nov 7 09:24:33 2000] [notice] child pid 17962 exit signal Segmentation fault (11)
[Tue Nov 7 09:24:35 2000] [notice] child pid 16004 exit signal Segmentation fault (11)
[Tue Nov 7 09:24:38 2000] [notice] child pid 18008 exit signal Segmentation fault (11)
[Tue Nov 7 09:26:46 2000] [notice] child pid 17928 exit signal Segmentation fault (11)
[Tue Nov 7 09:26:59 2000] [notice] child pid 17993 exit signal Segmentation fault (11)
[Tue Nov 7 09:42:34 2000] [notice] child pid 19186 exit signal Segmentation fault (11)
[Tue Nov 7 09:42:42 2000] [notice] child pid 19187 exit signal Segmentation fault (11)

The server is serving, but sometimes we get a string of timeouts or "document contained no data" errors (which I'm *assuming*yeah, I know...are the results of segfaults.)

Anybody else out there using HP-UX B.10.20? An old HP 9000/891 midrange?

If it matters, I'm running:

Server: Apache/1.3.12 (Unix) mod_perl/1.23 mod_ssl/2.6.4 OpenSSL/0.9.5a

Server compiled with
 -D EAPI
 -D HAVE_SHMGET
 -D USE_SHMGET_SCOREBOARD
 -D USE_FCNTL_SERIALIZED_ACCEPT
 -D HTTPD_ROOT="/usr/local/apache"
 -D SUEXEC_BIN="/usr/local/apache/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/httpd.scoreboard"
 -D DEFAULT_LOCKFILE="logs/httpd.lock"
 -D DEFAULT_XFERLOG="logs/access_log"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
 -D ACCESS_CONFIG_FILE="conf/access.conf"
 -D RESOURCE_CONFIG_FILE="conf/srm.conf"

Summary of my perl5 (revision 5.0 version 6 subversion