Re: -DEAPI compiled version from ApacheModuleJServ.dll available?
Sebastian Schulz wrote:
> hi,
>
> I successfully installed
> Apache_1.3.14-mod_ssl_2.7.2-openssl_0.9.6-WIN32
> from modssl "Contrib" and everything works fine 'til now.
>
> I use Jakarta's Tomcat in conjunction with Apache,
> therefore I downloaded the module ApacheModuleJServ.dll.
>
> Apache now states that this version was compiled for
> the "normal" version of Apache (and uses plain Apache 1.3 API),
> which might lead to problems with EAPI.
>
> Is there a -EAPI - compiled version of ApacheModuleJServ.dll
> available or do I have to compile it by myself?
> (the problem is, I have no MS Visual C++-Compiler available ...)
>
> many thanks in advance!
>
> basti

I have done it for apache1.3.14 - just compile mod_jk like it is in the howto, with -DEAPI added before -DSOLARIS (I've done it for Solaris). Works for me.

Wojtek
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Opinion on SSL/Virtual Hosting problem
I'd like to get an opinion from the experts on a problem we've run into. We use Redhat 6.1 at the moment and Apache/1.3.9 (Unix) Red-Hat-Secure/3.1 mod_ssl/2.4.10 OpenSSL/0.9.4 as installed by our hosting company on our dedicated machine.

When we first kicked the server into life we were using only one domain name, and it pointed to that machine from our own DNS and from our hosting company's DNS. We had our SSL up and running with only a few hitches, but were able to work on both port 80 and 443 without any problem. As we launched the site, we had no problems with our SSL working properly - we were taking orders via e-commerce as the site should have.

Recently though the server was used to add other name-based virtual domains. Now the SSL through HTTPS is totally unavailable, and when we tried to view anything over HTTPS we get a blank "Page Not Found" page. We have no problem on port 80 for any of the sites. Initially we could hit the same site on HTTP and HTTPS and the SSL would activate. Now on HTTP it works fine, but we get that "Page Not Found" error on HTTPS.

I'd just like to confirm that this is a problem because we're not using IP-based virtual machines, but name-based virtual machines so that we can get the SSL up and running again ASAP. I've checked the HOW-TOs and FAQs, and I know that it mentions that SSL won't work with MOD_SSL, but it doesn't tell me what I should or shouldn't see through hitting a HTTPS web page.

Any help or comments are appreciated.

--
Jason Paul McCartan - [EMAIL PROTECTED]
CEO/President MindShift Design LLC
http://www.mindshiftdesign.com
Re: MOD_SSL + MSIE 5.x
We have a similar problem using . We use Apache/1.3.12 (Win32) tomcat/1.0 mod_ssl/2.6.1 OpenSSL/0.9.5

We get

SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)

in the log file when a Netscape client connects using a non 128-bit capable browser. We use a chain file. All other clients are working fine (IE all versions and Netscape 128-bit).

JF

- Original Message -
From: "John Siracusa" <[EMAIL PROTECTED]>
To: "Mod SSL" <[EMAIL PROTECTED]>
Sent: Tuesday, November 14, 2000 9:17 AM
Subject: Re: MOD_SSL + MSIE 5.x

> I have a similar problem. I'm using apache 1.3.14, openssl 0.9.6, and
> mod_ssl 2.7.1 on Solaris 2.7. Bone-stock config, but IE5 chokes (and IE4,
> actually). I searched and found the following suggested config changes:
>
> ---
>
> SetEnvIf User-Agent ".*MSIE.*" \
>     nokeepalive ssl-unclean-shutdown \
>     downgrade-1.0 force-response-1.0
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>
> ---
>
> But that didn't help at all. I tried it with both a self-signed
> certificate and a legit VeriSign cert with all the correct info. All
> versions of Netscape work just fine with this setup. Frustrating.
>
> In the interest of completeness, an attempted connection from Mac IE5 is
> shown at the debug log level below:
>
> ---
>
> [13/Nov/2000 11:52:19 02090] [info] Server: Apache/1.3.14, Interface: mod_ssl/2.7.1, Library: OpenSSL/0.9.6
> [13/Nov/2000 11:52:19 02090] [info] Init: 1st startup round (still not detached)
> [13/Nov/2000 11:52:19 02090] [info] Init: Initializing OpenSSL library
> [13/Nov/2000 11:52:19 02090] [info] Init: Loading certificate & private key of SSL-aware server xxx.com:443
> [13/Nov/2000 11:52:19 02090] [info] Init: Requesting pass phrase via builtin terminal dialog
> [13/Nov/2000 11:52:22 02090] [trace] Init: (xxx.com:443) encrypted RSA private key - pass phrase requested
> [13/Nov/2000 11:52:22 02090] [info] Init: Wiped out the queried pass phrases from memory
> [13/Nov/2000 11:52:22 02090] [info] Init: Seeding PRNG with 136 bytes of entropy
> [13/Nov/2000 11:52:22 02090] [info] Init: Generating temporary RSA private keys (512/1024 bits)
> [13/Nov/2000 11:52:35 02090] [info] Init: Configuring temporary DH parameters (512/1024 bits)
> [13/Nov/2000 11:52:35 02104] [info] Init: 2nd startup round (already detached)
> [13/Nov/2000 11:52:35 02104] [info] Init: Reinitializing OpenSSL library
> [13/Nov/2000 11:52:35 02104] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
> [13/Nov/2000 11:52:35 02104] [info] Init: Seeding PRNG with 136 bytes of entropy
> [13/Nov/2000 11:52:35 02104] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
> [13/Nov/2000 11:52:35 02104] [info] Init: Configuring temporary DH parameters (512/1024 bits)
> [13/Nov/2000 11:52:35 02104] [info] Init: Initializing (virtual) servers for SSL
> [13/Nov/2000 11:52:35 02104] [info] Init: Configuring server xxx.com:443 for SSL protocol
> [13/Nov/2000 11:52:35 02104] [trace] Init: (xxx.com:443) Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
> [13/Nov/2000 11:52:35 02104] [trace] Init: (xxx.com:443) Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP]
> [13/Nov/2000 11:52:35 02104] [trace] Init: (xxx.com:443) Configuring RSA server certificate
> [13/Nov/2000 11:52:35 02104] [trace] Init: (xxx.com:443) Configuring RSA server private key
> [13/Nov/2000 11:53:01 02105] [info] Connection to child 0 established (server xxx.com:443, client xxx.xxx.xxx.xxx)
> [13/Nov/2000 11:53:01 02105] [info] Seeding PRNG with 0 bytes of entropy
> [13/Nov/2000 11:53:01 02105] [trace] OpenSSL: Handshake: start
> [13/Nov/2000 11:53:01 02105] [trace] OpenSSL: Loop: before/accept initialization
> [13/Nov/2000 11:53:01 02105] [debug] OpenSSL: read 11/11 bytes from BIO#00224B18 [mem: 0023DAF0] (BIO dump follows)
> +-+
> | : 16 03 00 00 35 01 00 00-31 035...1. |
> | 000b -
> +-+
> [13/Nov/2000 11:53:01 02105] [debug] OpenSSL: read 47/47 bytes from BIO#00224B18 [mem: 0023DAFB] (BIO dump follows)
> +-+
> | : bd ba 54 9f 7c 7a df e8-22 3b 8a c0 7a 40 90 22 ..T.|z..";..z@." |
> | 0010: 49 3e 9e 54 63 dc fe b7-55 40 ab 9f 4b 66 f3 1e I>.Tc...U@..Kf.. |
> | 0020: 00 00 0a 00 04 00 0a 00-09 00 03 00 06 01.. |
> | 002f -
> +-+
> [13/Nov/2000 11:53:01 02105] [trace] OpenSSL: Loop: SSLv3 read client hello A
> [13/Nov/2000 11:53:01 02105] [trace] OpenSSL: Loop: SSLv3 write server hello A
> [13/Nov/2000 11:53:01 02105] [trace] OpenSSL: Loop: SSLv3 write ce
Detecting encryption level then redirecting....
I am trying to make my server use 128 bit encryption across the board. Then what I would like to do is have a subdirectory that accepts, at the minimum, 40 bit encryption... I would like to force the users into using 128 bit encryption... But, if they go to this one directory with a browser that has 40 bit encryption it will allow them access. So far I have tried setting the following options in the httpd.conf.

SSLCipherSuite HIGH:MEDIUM
SSLRequire %{SSL_CIPHER_USEKEYSIZE} <= 56

This doesn't work... I tried accessing it with Netscape 3.0 (40 bit encryption)... It still gains access to it... I turned off the 56/128 bit encryption levels in the security preferences... Any suggestions?

- Larry Hoffman
-DEAPI compiled version from ApacheModuleJServ.dll available?
hi,

I successfully installed Apache_1.3.14-mod_ssl_2.7.2-openssl_0.9.6-WIN32 from modssl "Contrib" and everything works fine 'til now.

I use Jakarta's Tomcat in conjunction with Apache, therefore I downloaded the module ApacheModuleJServ.dll.

Apache now states that this version was compiled for the "normal" version of Apache (and uses plain Apache 1.3 API), which might lead to problems with EAPI.

Is there a -EAPI - compiled version of ApacheModuleJServ.dll available or do I have to compile it by myself? (the problem is, I have no MS Visual C++-Compiler available ...)

many thanks in advance!

basti
Re: Anyone using Oracle OAS/Apache/modssl combo?
Brian Rectanus wrote:
> I was told that the EAPI problems were
> _supposed_to_be_ fixed with OAS 4.0.8.2. I am not getting *any* errors
> in *any* logs, apache simply does not transfer its PL/SQL requests to
> OAS all of the time (it does do it sometimes, if you hit reload a few
> times).

Wild guess: If it works sometimes if you hit reload, then maybe some Apache child is authorized and others not?

> Of course this is probably not (at least not entirely) a mod_ssl
> related problem -- so I'll leave it at that ;)
RE: redhat6.2: apache-1.3.12 can't start! (mod_ssl-2.6..6)
>and then download the latest apache and mod_ssl together from
>http://www.modssl.org/contrib/apache_mod_ssl-1.3.14.2.7.1-1.i386.rpm

I have the same problem on RH7, with the above package and OpenSSL 0.9.6.

Vincenzo
Re: somebody shoot me, please
Good call. I'll bet that's it. If the certificate was generated for snakeoil.dom and that is not the name of the site or IE does not have the root certificate for the SnakeOil CA, IE will raise flags and have problems.

Try getting a test certificate from http://www.thawte.com (have them sign your .csr file and copy the result into your .crt)

Have you tried connecting with Netscape 4.x? What were the results?

Glenn Strauss <[EMAIL PROTECTED]>
Systems Administrator, E-Quill Corporation
--- Mark up and draw on web pages! http://www.e-quill.com/

On Thu, 16 Nov 2000, David Rees wrote:

> Can you comment out SSLCertificateKeyFile?
>
> How was the certificate generated?
>
> -Dave
>
> On Thu, Nov 16, 2000 at 01:22:54AM -0600, Brendon Maragia wrote:
> > Thanks everyone for your suggestions :) but it's still not working :( I
> > will do anything to get this working :( here is my new virtual host. I took
> > your suggestions to heart, however, some of them are giving me errors. For
> > instance if I try to use strictly sslv2 I get this error when trying to
> > connect with a msie5.x browser...
> >
> > [error] OpenSSL: error:1407D0AF:SSL routines:SSL2_READ:non sslv2 initial packet
> >
> > here are some additional errors I've received when using sslv3..
> >
> > [error] OpenSSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> >
> > ok here is the most important part of my httpd.conf... again hehe
> >
> > Listen 216.186.181.230:443
> > NameVirtualHost 216.186.181.230:443
> >
> > DocumentRoot /home/commaflex/public_html/checkout
> > ServerAdmin [EMAIL PROTECTED]
> > ServerName checkout.commaflex.com
> > ErrorLog /home/commaflex/public_html/checkout/.error.log
> > TransferLog /home/commaflex/public_html/checkout/.transfer.log
> >
> > SSLEngine on
> > SSLCertificateFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.csr/server.crt
> > SSLCertificateKeyFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.key/server.key
> > SSLCipherSuite !EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA:ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > SSLCertificateChainFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.crt/ca.crt
> >
> > SetEnvIf User-Agent ".*MSIE.*" \
> >     nokeepalive ssl-unclean-shutdown \
> >     downgrade-1.0 force-response-1.0
> >
> > SSLOptions +StdEnvVars
> >
> > SSLOptions +StdEnvVars
> >
> > CustomLog /var/log/apache_ssl_request_log \
> >     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> >
> > SSLLogLevel debug
> >
> > ..I went ahead and 'deleted the SSLCertificateChainFile', 'deleted the
> > SSLCipherSuite', and changed it to SSLProtocol SSLv2, however all these
> > resulted in where errors :(. I would appreciate so very much any more
> > suggestions that anyone has.
> >
> > P.S. with the virtual host configuration I'm using above, the server
> > reports NO errors, it completes the handshake successfully and then shuts
> > the connection leaving me with a 'page cannot be displayed'.
> >
> > brendon
> >
> > >From: Austin Gonyou <[EMAIL PROTECTED]>
> > >Reply-To: [EMAIL PROTECTED]
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: somebody shoot me, please
> > >Date: Wed, 15 Nov 2000 22:42:56 GMT
> > >
> > >Have you tried not loading the chain file and commenting out the
> > >SSLCipherSuite stuff?
> > >Austin
> > >
> > > >> Original Message <<
> > >
> > >On 11/15/00, 4:15:59 PM, Brendon Maragia <[EMAIL PROTECTED]> wrote
> > >regarding Re: somebody shoot me, please:
> > >
> > > > Thanks for the idea, Dan but it didn't work :( . Anybody else have any
> > > > suggestions? This is getting to be ridiculous lol :( Am I doomed? Am I
> > > > going to have to use Apache-SSL? Ahh god please say no!!!
> > > >
> > > > >From: Dan Roscigno <[EMAIL PROTECTED]>
> > > > >Reply-To: [EMAIL PROTECTED]
> > > > >To: [EMAIL PROTECTED]
> > > > >Subject: Re: somebody shoot me, please
> > > > >Date: Wed, 15 Nov 2000 08:05:00 -0800 (PST)
> > > > >
> > > > >I think you might need to limit the ciphers you accept. To get all of my
> > > > >(known) clients working I watched my logs to see what cipher was being used
> > > > >by the clients which failed and then removed that from the list (with a
> > > > >`!'). Here is what I ended up with:
> > > > >
> > > > >SSLCipherSuite !EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA:ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > > > >
> > > > >The EXP1024-* ciphers were my problems.
> > > > >
> > > > >Dan Roscigno [EMAIL PROTECTED]
> > > > >(425)864-5540
> > > > >
> > > > >On Wed, 15 Nov 2000, Brendon Maragia wrote:
> > > > >
> > > > > > First i'd like to thank everyone for their advice about my MOD_SSL + MSIE5.x
[BugDB] libsafe breaks mod_ssl installation errors, completion (PR#487)
Full_Name: jose nazario
Version: 2.7.1 (for apache 1.3.14)
OS: Linux (RH6.2/x86)
Submission from: (NULL) (129.22.152.109)

environment:

$ uname -a
Linux test 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686 unknown
$ rpm -qa | grep egcs
egcs-1.1.2-30
$ rpm -qa | grep libsafe
libsafe-1.3-4

problem: with libsafe installed and in use (export LD_PRELOAD=/lib/libsafe.so.1), errors generated by the configuration of apache for mod_ssl are suppressed. this will cause the installation of mod_ssl to fail for unseen reasons.

to duplicate: install libsafe and set, install pristine apache and mod_ssl sources, when you configure mod_ssl point it to the wrong OpenSSL directory so it will fail, and it will fail without any error messages. no src/ Makefile tree will be generated.

workaround: unset LD_PRELOAD when configuring mod_ssl to see errors and why an installation would fail.
RE: somebody shoot me, please
Brendon,

I'm going to take a couple of guesses here, so don't shoot me if you've checked these already... ;->

I noticed below that you are using the SSLCertificateChainFile directive. This leads me to believe that you are using a Verisign cert. Do you know if you are using the Verisign 'Global' ID cert? (i.e. Server Gated Cryptography (SGC))? If you are, you must ensure that your fully qualified domain name matches the name in the certificate EXACTLY! (I don't know if putting the port number after the domain name matters or not).

I had the same problem when we went from the testing certificate (i.e. SnakeOil) to the cert from Verisign. Only IE stopped working. Apparently, they do some additional checking in the case of a SGC cert. So, as opposed to presenting a dialog asking if you still want to continue, they just shut down the connection. Netscape continued to work as expected.

I'd recommend switching back to a SnakeOil cert to see if it can be this or not.

- Bob

> -Original Message-
> From: Brendon Maragia [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 15, 2000 4:16 AM
> To: [EMAIL PROTECTED]
> Subject: somebody shoot me, please
>
> First i'd like to thank everyone for their advice about my MOD_SSL + MSIE5.x
> problem. I recompiled everything WITHOUT rsaref-2.0 and I still cannot get
> a connection with MSIE5.5 only MSIE4.0 & 5.0. Here's a quick run down of
> what i'm running and the virtual host i'm trying to connect to...
>
> apache_1.3.14
> mod_ssl-2.7.1-1.3.14
> openssl-0.9.6
>
> My Virtual Host:
>
> DocumentRoot /home/commaflex/public_html/checkout
> ServerAdmin [EMAIL PROTECTED]
> ServerName checkout.commaflex.com
> ErrorLog /home/commaflex/public_html/checkout/.error.log
> TransferLog /home/commaflex/public_html/checkout/.transfer.log
> SSLEngine on
> SSLCertificateFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.csr/server.crt
> SSLCertificateKeyFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.key/server.key
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> SSLCertificateChainFile /usr/local/ssl.keys/checkout.commaflex.com/ssl.crt/ca.crt
>
> SSLOptions +StdEnvVars
>
> SSLOptions +StdEnvVars
>
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>
> CustomLog /var/log/apache_ssl_request_log \
>     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> SSLLogLevel debug
>
> ...I've checked all my logs upon trying to connect with MSIE5.0 and the
> server seems to execute a standard handshake, and then gracefully execute a
> standard shutdown with no complaints.
>
> All I get from MSIE5.x is "Page Could Not Be Displayed". Could someone
> pleassee pleaseee help :)
>
> Brendon
Solaris+DSO+SSL+Jrun+etc.=Segfault
Yes, I'm yet another person having segmentation fault problems with Apache, mod_ssl, openssl, DSO, and . :-) Adding the newest jrun (3.0.1) triggered this for me; the older jrun connector module (2.3.3) worked just fine with all of the other modules.

Here's my environment: I started with:

Solaris 2.6
apache 1.3.12
mod_ssl 2.6.2
openssl 0.9.5 (built with -fPIC)
rsaref 2.0
mm 1.0.12 (built with --disable-shared)
mod_php 3.0.16
mod_dav 1.0.1
mod_jrun 2.3.3

Everything worked great. But of course we need the new features of jrun 3.0.1... so I upgraded only that module and it caused never-ending

[notice] child pid exit signal Segmentation Fault (11)

errors in /usr/local/apache/logs/error_log . So, I started upgrading things, because getting ahold of allaire tech support was taking a while, and I just knew that they were going to say to do this first. So now I'm at:

Solaris 2.6
apache 1.3.14
mod_ssl 2.7.1
openssl 0.9.6 (built with -fPIC)
rsaref 2.0
mm 1.1.3 (built with --disable-shared)
mod_php 3.0.16 (I did not want to get involved w/ php4 at this point)
mod_dav 1.0.2
mod_jrun 3.0.1

and this has not helped at all. (turning off mod_php and/or mod_dav make no difference, BTW.) Turning off SSL ("apachectl start" rather than "startssl") makes JRun happy, but I need SSL of course.

I've been poring through the list archives all day and come to the following hypotheses:

- Lots of people have these types of problems, though the specific module involved may change (perl, php, jrun, jserv, etc.)
- It may be a Solaris-specific problem (shared library loader), but other OSs have similar issues, so it's hard to say conclusively
- No version of Solaris (2.6, 7, 8) appears to be immune
- There aren't a lot of solutions, so I assume everyone is still struggling with this to this day :-(

Are any of these incorrect?

Incidentally, I'm configuring mod_ssl like this:

./configure \
    --with-apache=/usr/local/apache_1.3.14 \
    --with-crt=/usr/local/ssl/certs/server.crt \
    --with-key=/usr/local/ssl/certs/server.key

and building apache like this:

setenv SSL_BASE /usr/local/src/openssl-0.9.6
setenv RSA_BASE /usr/local/src/rsaref-2.0/local
setenv EAPI_MM /usr/local/src/mm-1.1.3
setenv OPTIM "-g -ggdb3"
setenv LD_RUN_PATH /usr/local/lib
./configure \
    --prefix=/usr/local/apache_1.3.14 \
    --enable-module=ssl --enable-shared=ssl \
    --enable-module=status \
    --enable-module=info

Finally, here's my stack trace:

GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.6"...
(gdb) set args -X -DSSL
(gdb) run
Starting program: /usr/local/apache_1.3.14/bin/./httpd -X -DSSL
Program received signal SIGSEGV, Segmentation fault.
0xef5a423c in strcmp () from /usr/lib/libc.so.1
(gdb) bt
#0 0xef5a423c in strcmp () from /usr/lib/libc.so.1
#1 0xef35d328 in getPropertyValue (props=0x171618, name=0xefffee00 "/jobpost.use-webserver-root") at ../connector/jrun_property.c:199
#2 0xef35b80c in loadMappings (pxy=0x1397e0, r=0xe648, props=0x171618) at ../connector/jrun_proxy.c:1153
#3 0xef35c1a0 in initInetProxy (pxy=0x1397e0, r=0xe648, jvmname=0x11fd90 "default", localProps=0xe160 "/var/local/www/jrun3.01/servers/default/local.properties", global=0x169688) at ../connector/jrun_proxy.c:1284
#4 0xef35c4ec in addJvms (pxy=0x131f68, r=0xe648, jrunroot=0x131ff0 "/var/local/www/jrun3.01/bin/..", jvmlist=0x132020 "default") at ../connector/jrun_proxy.c:1344
#5 0xef35c898 in initProxy (pxy=0x131f68, r=0xe648, jrunroot=0x131ff0 "/var/local/www/jrun3.01/bin/..", jvms=0x132020 "default") at ../connector/jrun_proxy.c:1397
#6 0xef355e4c in jrun_child_init (s=0x12d388, p=0x15a348) at mod_jrun.c:52
#7 0x4a818 in ap_child_init_modules (p=0x15a348, s=0xd81e0) at http_config.c:1678
#8 0x57840 in child_main (child_num_arg=0) at http_main.c:3972
#9 0x58290 in make_child (s=0xd81e0, slot=0, now=974244739) at http_main.c:4411
#10 0x584ac in startup_children (number_to_start=2) at http_main.c:4493
#11 0x58e98 in standalone_main (argc=3, argv=0xebd4) at http_main.c:4781
#12 0x59aac in main (argc=3, argv=0xebd4) at http_main.c:5123

Does anyone have any ideas or insights into further debugging I can do? Is my only hope to static-build everything?

- Dave Caplinger, IT Manager, Orent Graphics [EMAIL PROTECTED]
Re: MOD_SSL + MSIE 5.x
I have a similar problem. I'm using apache 1.3.14, openssl 0.9.6, and mod_ssl 2.7.1 on Solaris 2.7. Bone-stock config, but IE5 chokes (and IE4, actually). I searched and found the following suggested config changes:

---

SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

---

But that didn't help at all. I tried it with both a self-signed certificate and a legit VeriSign cert with all the correct info. All versions of Netscape work just fine with this setup. Frustrating.

In the interest of completeness, an attempted connection from Mac IE5 is shown at the debug log level below:

---

[13/Nov/2000 11:52:19 02090] [info] Server: Apache/1.3.14, Interface: mod_ssl/2.7.1, Library: OpenSSL/0.9.6
[13/Nov/2000 11:52:19 02090] [info] Init: 1st startup round (still not detached)
[13/Nov/2000 11:52:19 02090] [info] Init: Initializing OpenSSL library
[13/Nov/2000 11:52:19 02090] [info] Init: Loading certificate & private key of SSL-aware server xxx.com:443
[13/Nov/2000 11:52:19 02090] [info] Init: Requesting pass phrase via builtin terminal dialog
[13/Nov/2000 11:52:22 02090] [trace] Init: (xxx.com:443) encrypted RSA private key - pass phrase requested
[13/Nov/2000 11:52:22 02090] [info] Init: Wiped out the queried pass phrases from memory
[13/Nov/2000 11:52:22 02090] [info] Init: Seeding PRNG with 136 bytes of entropy
[13/Nov/2000 11:52:22 02090] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[13/Nov/2000 11:52:35 02090] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[13/Nov/2000 11:52:35 02104] [info] Init: 2nd startup round (already detached)
[13/Nov/2000 11:52:35 02104] [info] Init: Reinitializing OpenSSL library
[13/Nov/2000 11:52:35 02104] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[13/Nov/2000 11:52:35 02104] [info] Init: Seeding PRNG with 136 bytes of entropy
[13/Nov/2000 11:52:35 02104] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
[13/Nov/2000 11:52:35 02104] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[13/Nov/2000 11:52:35 02104] [info] Init: Initializing (virtual) servers for SSL
[13/Nov/2000 11:52:35 02104] [info] Init: Configuring server xxx.com:443 for SSL protocol
[13/Nov/2000 11:52:35 02104] [trace] Init: (xxx.com:443) Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[13/Nov/2000 11:52:35 02104] [trace] Init: (xxx.com:443) Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP]
[13/Nov/2000 11:52:35 02104] [trace] Init: (xxx.com:443) Configuring RSA server certificate
[13/Nov/2000 11:52:35 02104] [trace] Init: (xxx.com:443) Configuring RSA server private key
[13/Nov/2000 11:53:01 02105] [info] Connection to child 0 established (server xxx.com:443, client xxx.xxx.xxx.xxx)
[13/Nov/2000 11:53:01 02105] [info] Seeding PRNG with 0 bytes of entropy
[13/Nov/2000 11:53:01 02105] [trace] OpenSSL: Handshake: start
[13/Nov/2000 11:53:01 02105] [trace] OpenSSL: Loop: before/accept initialization
[13/Nov/2000 11:53:01 02105] [debug] OpenSSL: read 11/11 bytes from BIO#00224B18 [mem: 0023DAF0] (BIO dump follows)
+-+
| : 16 03 00 00 35 01 00 00-31 035...1. |
| 000b -
+-+
[13/Nov/2000 11:53:01 02105] [debug] OpenSSL: read 47/47 bytes from BIO#00224B18 [mem: 0023DAFB] (BIO dump follows)
+-+
| : bd ba 54 9f 7c 7a df e8-22 3b 8a c0 7a 40 90 22 ..T.|z..";..z@." |
| 0010: 49 3e 9e 54 63 dc fe b7-55 40 ab 9f 4b 66 f3 1e I>.Tc...U@..Kf.. |
| 0020: 00 00 0a 00 04 00 0a 00-09 00 03 00 06 01.. |
| 002f -
+-+
[13/Nov/2000 11:53:01 02105] [trace] OpenSSL: Loop: SSLv3 read client hello A
[13/Nov/2000 11:53:01 02105] [trace] OpenSSL: Loop: SSLv3 write server hello A
[13/Nov/2000 11:53:01 02105] [trace] OpenSSL: Loop: SSLv3 write certificate A
[13/Nov/2000 11:53:01 02105] [trace] OpenSSL: Loop: SSLv3 write server done A
[13/Nov/2000 11:53:01 02105] [debug] OpenSSL: write 663/663 bytes to BIO#00224B18 [mem: 0022E8C8] (BIO dump follows)
+-+
| : 16 03 00 00 2a 02 00 00-26 03 00 3a 10 1c 6d 37 *...&..:..m7 |
| 0010: fc 55 de 79 2e f3 89 04-95 71 cd 0f 71 c8 4c 51 .U.y.q..q.LQ |
| 0020: 1b 88 52 f1 2a b7 32 10-85 e5 62 00 00 04 00 16 ..R.*.2...b. |
| 0030: 03 00 02 5a 0b 00 02 56-00 02 53 00 02 50 30 82 ...Z...V..S..P0. |
| 0040: 02 4c 30 82 01 b9 02 10-24 4d 34 1b d1 5c e8 90 .L0.$M4..\.. |
| 0050: f8 9c cc 4f e2 9b 0e af-30 0d 06 09 2a 86 48 86 ...O0...*.H. |
| 0
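Added example (not part of the post above and not mod_ssl code): a small Python decoder for the two BIO dumps in this debug log, listing the cipher suites the Mac IE5 ClientHello offers and the one the ServerHello selects, which is the first thing to compare against SSLCipherSuite when a single browser fails. The byte strings are transcribed from the dump rows on this page; the suite table and all function names are this example's own, and the last ClientHello byte, unreadable in the dump, is left out.

```python
"""Decode the SSLv3 hello messages shown in the mod_ssl BIO dumps (added example)."""
import struct

# Code point -> (OpenSSL name, nominal key bits, export-grade?). Limited to the
# RSA suites seen in this thread's dumps plus RC4-SHA; others are shown as hex.
SUITES = {
    0x0003: ("EXP-RC4-MD5", 40, True),
    0x0004: ("RC4-MD5", 128, False),
    0x0005: ("RC4-SHA", 128, False),
    0x0006: ("EXP-RC2-CBC-MD5", 40, True),
    0x0009: ("DES-CBC-SHA", 56, False),
    0x000A: ("DES-CBC3-SHA", 168, False),
}

# Transcribed from the "read 47/47 bytes" dump: the ClientHello fields that
# follow client_version. The 47th byte is unreadable on the page and omitted.
CLIENT_HELLO_TAIL = bytes.fromhex(
    "bdba549f7c7adfe8223b8ac07a409022"  # random, bytes 0-15
    "493e9e5463dcfeb75540ab9f4b66f31e"  # random, bytes 16-31
    "00"                                # session_id length
    "000a"                              # cipher_suites length (10 bytes)
    "0004000a000900030006"              # five 2-byte suite codes
    "01"                                # compression_methods length
)

# Transcribed from the first 47 bytes of the "write 663/663 bytes" dump.
SERVER_HELLO_RECORD = bytes.fromhex(
    "160300002a"                        # record: handshake, SSL 3.0, 42 bytes
    "02000026"                          # ServerHello, 38 bytes
    "0300"                              # server_version
    "3a101c6d37fc55de792ef389049571cd"  # random, bytes 0-15
    "0f71c84c511b8852f12ab7321085e562"  # random, bytes 16-31
    "00"                                # session_id length
    "0004"                              # selected cipher suite
    "00"                                # compression method (null)
)


class HelloError(ValueError):
    """Raised when the bytes do not form the expected hello message."""


def _take(buf, off, n):
    """Return (buf[off:off+n], new offset) or fail loudly on truncation."""
    if off + n > len(buf):
        raise HelloError(f"truncated: need {n} bytes at offset {off}")
    return buf[off:off + n], off + n


def offered_suites(tail):
    """Cipher-suite codes from the ClientHello fields after client_version."""
    _, off = _take(tail, 0, 32)                 # random
    sid_len, off = _take(tail, off, 1)
    _, off = _take(tail, off, sid_len[0])       # session_id (empty here)
    raw_len, off = _take(tail, off, 2)
    (n,) = struct.unpack("!H", raw_len)
    if n % 2:
        raise HelloError("odd cipher_suites length")
    raw, off = _take(tail, off, n)
    return [code for (code,) in struct.iter_unpack("!H", raw)]


def chosen_suite(record):
    """Cipher-suite code the server selected, from a full ServerHello record."""
    hdr, off = _take(record, 0, 5)
    ctype, _major, _minor, _rlen = struct.unpack("!BBBH", hdr)
    if ctype != 22:
        raise HelloError("not a handshake record")
    hs, off = _take(record, off, 4)
    if hs[0] != 2:
        raise HelloError("not a ServerHello")
    _, off = _take(record, off, 2 + 32)         # server_version + random
    sid_len, off = _take(record, off, 1)
    _, off = _take(record, off, sid_len[0])
    raw, off = _take(record, off, 2)
    return struct.unpack("!H", raw)[0]


def describe(code):
    """(name, key bits, export flag) for a suite code; unknown codes as hex."""
    return SUITES.get(code, (f"unknown(0x{code:04x})", None, None))


def summarize(tail, record, min_bits=128):
    """What the client offered, what the server picked, and its key size."""
    offered = [describe(c) for c in offered_suites(tail)]
    name, bits, _ = describe(chosen_suite(record))
    return {
        "offered": [n for n, _, _ in offered],
        "export_offered": [n for n, _, exp in offered if exp],
        "max_bits_offered": max((b for _, b, _ in offered if b), default=0),
        "chosen": name,
        "chosen_meets_min": bits is not None and bits >= min_bits,
    }


if __name__ == "__main__":
    for key, value in summarize(CLIENT_HELLO_TAIL, SERVER_HELLO_RECORD).items():
        print(f"{key}: {value}")
```
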
MacOS-X Problem with temporary RSA-Key
Hi,

I compiled OpenSSL 0.9.6/mod_ssl-2.7.1-1.3.14/Apache 1.3.14 successfully (with one easy patch, which I posted just before), under MacOS-X-Server, but when I try to start Apache I get the following error-msg in my error-log file:

[Tue Nov 14 12:04:18 2000] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key

I know that this problem is mentioned in the Mod_SSL FAQ, but this didn't resolve my problem. I have tried

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

with an ".rnd" file in the home-Directory of the Webserver-User and I tried

SSLRandomSeed startup file:/Local/Library/WebServer/.rnd
SSLRandomSeed connect file:/Local/Library/WebServer/.rnd

which is exactly that file, but both don't work. The problem still persists.

What else can I do ?

Thanks in advance,

Stephan
___
Stephan Bauer, Inhaber/Director
Bauer Internetprojects.de, Software-Design & Implementation
Tel: +49 172 9795002
Fax: +49 9421 31471
___
Web: http://www.internetprojects.de
E-Mail: [EMAIL PROTECTED]
http://www.ask-the-guru.com The Home of Mod_Redundancy - The Apache-Module for High Availability
Re: Does it cache?
-Original Message-
From: Owen Boyle <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Monday, November 13, 2000 1:33 AM
Subject: Re: Does it cache?

>First of all, do you have two sets of HTML (e.g. a development directory
>and a published directory)? This is usually the root cause of these
>types of problems.

Nope, I just have one directory, and one server running. I don't understand where it's getting the old documents from.

-Keith Stropus
[BugDB] unable to run apache with ssl funtionality (PR#486)
Full_Name: Veerendra
Version: mod_ssl/2.7.2
OS: Winnt 4.0
Submission from: (NULL) (209.157.27.201)

I have used Apache Server version 1.3.14 (Win32).

I have used the following for generating the private key:

openssl genrsa -des3 -rand d:\veerendra\download\nmi\NJCV483.zip;d:\veerendra\download\itopstuffs\images.zip;d:\veerendra\download\itopstuffs\iTop_jsp.zip;d:\veerendra\download\itopstuffs\jsp.zip;d:\veerendra\download\itopstuffs\Admin.jsp -out itopecl.netpace.com.key 1024

After that I have used the following for generating the CSR:

openssl req -new -key ./itopecl.netpace.com.key -out itopecl.netpace.com.csr

I have csr file as

I have copied the block beginning with -BEGIN RSA PRIVATE KEY- and ending with -END RSA PRIVATE KEY-

I have got the certificate from Verisign that is shown below:

I have saved this block as itopecl.netpace.com.crt in d:\aserver\conf\ssl folder. I have saved itopecl.netpace.com.key file in the d:\aserver\conf\ssl folder.

I changed the httpd.conf as follows:

LoadModule ssl_module modules/ApacheModuleSSL.dll
Port 80
Port 443
Listen 443
Listen 80
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLLog logs/SSL.log
SSLLogLevel info
# You can later change "info" to "warn" if everything is OK
SSLEngine On
SSLCertificateFile conf/ssl/itopecl.netpace.com.crt
SSLCertificateKeyFile conf/ssl/itopecl.netpace.com.key

After running I got the console as follows:

**
D:\aserver>apache -f "d:\aserver\conf\httpd.conf" -D SSL
[Mon Nov 13 21:24:02 2000] [warn] Loaded DSO \appjserv\ApacheModuleJServ.dll uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI)
[Mon Nov 13 21:24:03 2000] [warn] pid file d:/aserver/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
Apache/1.3.14 mod_ssl/2.7.2 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server ITOPECL:443 (RSA)
Enter pass phrase:
Ok: Pass Phrase Dialog successful.
Apache/1.3.14 (Win32) ApacheJServ/1.1.2 mod_ssl/2.7.2 OpenSSL/0.9.6 running...
* It seems that the apacheserver is running. but in SSL.log of d:\aserver\logs folder I am getting varous texts with also (ITOPECL:443) RSA server certificate CommonName (CN) `itopecl.netpace.com' does NOT match server name!? where my server name if ITOPECL which is in different domain. when I am making hit to my site My webbrowser is showing web site found ..but it waits for time out. It is happening on IE5.0 and NS4.5 But for self signed certificate there was no problem. I am worried with this o/p with Verisign certifiacte. Whether the problem with certificate or my way of doing. but if there was prob with certificate the console o/p would have shown me the error. so I think the certificate is okay bu the way I have done I am not sure. please help me .. Thanking You. It is urgentPlease reply ASAP. Regards, ..Veerendra _
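The SSL.log warning quoted in this report compares the certificate's CommonName with the configured server name. As an added example (not part of the original post and not mod_ssl's own code), the Python check below runs that comparison over a constructed httpd.conf fragment; the sample config, the VirtualHost address and the one-label wildcard rule are assumptions.

```python
import re

# Constructed httpd.conf fragment modelled on the report (short ServerName, SSL on).
SAMPLE_CONF = """\
ServerName ITOPECL
SSLEngine On
SSLCertificateFile conf/ssl/itopecl.netpace.com.crt
<VirtualHost 192.0.2.10:443>
    ServerName itopecl.netpace.com
</VirtualHost>
"""

def parse_contexts(conf_text):
    """Collect ServerName/SSLEngine per context: '(global)' or a vhost address."""
    contexts, current = {"(global)": {}}, "(global)"
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = opened.group(1).strip()
            contexts[current] = {}
        elif line.lower().startswith("</virtualhost"):
            current = "(global)"
        elif line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() in ("servername", "sslengine"):
                contexts[current][parts[0].lower()] = parts[1].strip()
    return contexts

def cn_matches(cn, server_name):
    """Case-insensitive match; '*.' covers exactly one leftmost label (assumed rule)."""
    cn, server_name = cn.lower().rstrip("."), server_name.lower().rstrip(".")
    if cn.startswith("*."):
        head, _, tail = server_name.partition(".")
        return bool(head) and tail == cn[2:]
    return cn == server_name

def audit(conf_text, cert_cn):
    """Return (context, ServerName) for each SSL-enabled context the CN does not cover."""
    contexts = parse_contexts(conf_text)
    base = contexts["(global)"]
    findings = []
    for name, ctx in contexts.items():
        engine = ctx.get("sslengine", base.get("sslengine", "off"))
        server_name = ctx.get("servername", base.get("servername"))
        covered = server_name is not None and cn_matches(cert_cn, server_name)
        if engine.lower() == "on" and not covered:
            findings.append((name, server_name))
    return findings
```

Calling `audit(SAMPLE_CONF, "itopecl.netpace.com")` flags only the server-level context, where the short name ITOPECL is configured; the CN to pass in can be read from the certificate with `openssl x509 -noout -subject -in <file>`.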
Is MSIE 5.5 SSL braindead?
All over the list and FAQ I've read about MSIE's braindead implementation of SSL -- even in MSIE 5.0x -- which necessitates using:

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

Is MSIE 5.5 still braindead in this respect? Or can I increase the quality of service for MSIE 5.5 (leaving the regressive behavior for all prior versions of MSIE)?

Thank you in advance.

PS: Is MS really this bad, or is MSIE "more compatible" with IIS because of something "special" MS put into both MSIE and IIS?

Glenn Strauss <[EMAIL PROTECTED]>
Systems Administrator, E-Quill Corporation -- Mark up and draw on web pages! http://www.e-quill.com
[BugDB] mod_ssl/OpenSSL and Macs (PR#485)
Full_Name: Brian O'Neill
Version: 2.7.1
OS: Solaris
Submission from: (NULL) (64.14.77.2)

This happens with Apache 1.3.14/mod_ssl 2.7.1 and Apache 1.3.12/mod_ssl 2.6.6. Both with OpenSSL 0.9.6. It did not happen with 1.3.9/2.4.9 using OpenSSL 0.9.4, but various things require us to upgrade.

When a user with a Mac 128-bit IE 5.0 client connects to the site, they get a "Data Decryption Error". The only remedy seems to be to remove SSLv3, but this results in the Mac client getting the page without encryption (or so claimed by IE). None of the other remedies mentioned for 56-bit IE seem to work. Downgrading to OpenSSL 0.9.4 does not work.

Mac users with various Netscape versions result in VERY SLOW page gets. PC users seem unaffected.

Any ideas? This is a showstopper bug for us...