No Subject

2001-02-09 Thread samuel . gautier

Hi everybody !

Is there anybody to tell me: how can I force, in the Apache configuration file,
the use of an SSL connection for a particular directory without using virtual
hosts?
Have you any sample configuration file?

Thanks
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



ssl connection for a particular directory

2001-02-09 Thread samuel . gautier

Sorry the previous message was sent without the subject !

Hi everybody !

Is there anybody to tell me: how can I force, in the Apache configuration file,
the use of an SSL connection for a particular directory without using virtual
hosts?
Have you any sample configuration file?

Thanks



RE: mod_ssl: Init: Failed to generate temporary 512 bit RSA private key

2001-02-09 Thread Velati Romolo

Hi.
I had the same error message
"suexec: disabled; invalid wrapper /usr/local/apache/bin/suexec"
(every time I do ./httpd -l)
when I tried, in a wrong way, to add the ssl module and the jrun module to the apache
configuration. I think, but I'm not sure, that the error is inside the
APACI_ARGS. I solved my problem by editing src/Configuration and
uncommenting (or adding) the corresponding AddModule directive.

Bye
romolo


-Original Message-
From: Paul [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 09, 2001 12:54 AM
To: modssl; modperl
Subject: mod_ssl: Init: Failed to generate temporary 512 bit RSA private
key


Hi, all.

I've been trying to add a couple of modules to my Apache, and just
can't seem to get it to do its thing.  Forgive me if I tell you too
much, but I'm just trying to be thorough.

STEP 1:
===
perl Makefile.PL USE_APACI=1 USE_DSO=0 EVERYTHING=1 \
  DO_HTTPD=1 SSL_BASE=/usr/local/ssl \
  APACHE_SRC=../apache_1.3.12/src \
  APACI_ARGS=--enable-module=ssl,--enable-module=auth_dbm,--enable-module=info,--enable-module=rewrite,--enable-module=usertrack

This runs smoothly.
===
STEP 2: make
This, too, runs smoothly.
===
STEP 3: make test
Here's the problem. It runs fine till t/TEST tries to spawn a server
and hit it.  The server fails at init because it can't generate a
temporary 512 bit RSA private key. I've moved to the apache directory
and run "make certificate" before the "make test", but it doesn't help.


If I'm not mistaken, I had this problem when I was first installing the
server, and ended up skipping the test. It installed and has been
working fine. I'd just rather have a clean test before I try installing
and using the new binary now that it's in production.

Anybody got a suggestion?

[ROOT] /dart26/mod_perl-1.23: uname -a
HP-UX uap5 B.10.20 C 9000/891 373319211 32-user license
[ROOT] /dart26/mod_perl-1.23: ../apache_1.3.12/src/httpd -V
Server version: Apache/1.3.12 (Unix)
Server built:   Feb  8 2001 16:04:39
Server's Module Magic Number: 19990320:7
Server compiled with
 -D EAPI
 -D HAVE_SHMGET
 -D USE_SHMGET_SCOREBOARD
 -D USE_FCNTL_SERIALIZED_ACCEPT
 -D HTTPD_ROOT="/usr/local/apache"
 -D SUEXEC_BIN="/usr/local/apache/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/httpd.scoreboard"
 -D DEFAULT_LOCKFILE="logs/httpd.lock"
 -D DEFAULT_XFERLOG="logs/access_log"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
 -D ACCESS_CONFIG_FILE="conf/access.conf"
 -D RESOURCE_CONFIG_FILE="conf/srm.conf"
[ROOT] /dart26/mod_perl-1.23: ../apache_1.3.12/src/httpd -l
Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_info.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_rewrite.c
  mod_access.c
  mod_auth.c
  mod_auth_dbm.c
  mod_usertrack.c
  mod_setenvif.c
  mod_ssl.c
  mod_perl.c
suexec: disabled; invalid wrapper /usr/local/apache/bin/suexec

(Also, anybody got an idea why this suexec message? Is it something to
worry about?)




Re:

2001-02-09 Thread Matthew Williams


I am sure there is a way, but I just added a virtual host and changed the 
document root to the one directory I wanted to have SSL only. Instead of the 
domain name, I used the ip address. Dunno if that is what you are looking 
for, but I thought I would throw my two cents in.

Matt Williams



On Friday 09 February 2001 05:24, you wrote:
> Hi everybody !
>
> Is there anybody to tell me : How can i force in the apache configuration
> file the use of a ssl connection for a particular directory without using
> virtual hosts ?
> Have you any sample configuration file ?
>
> Thanks



Re: ssl connection for a particular directory

2001-02-09 Thread Owen Boyle

[EMAIL PROTECTED] wrote:
> Is there anybody to tell me : How can i force in the apache configuration file
> the use of a ssl connection for a particular directory without using virtual
> hosts ?

This isn't possible. The directive which switches on SSL functionality
is "SSLEngine on" and this directive works only in the context of the
global server config (so the whole server is SSL) or in a VirtualHost -
you cannot operate it in a Directory, for example.

What is the big problem with having an extra VirtualHost? Something
simple like the following is all you need:

... Main config ...
DocumentRoot /main/document/root
... etc.

Listen 443
<VirtualHost _default_:443>
  SSLEngine             on
  DocumentRoot          /special/ssl/directory/path
  SSLCertificateFile    /home/apache/conf/ssl.crt/my_site.crt
  SSLCertificateKeyFile /home/apache/conf/ssl.key/my_site.key
</VirtualHost>

You still need a whole bunch of other SSL directives (check the manual
to see what they do):

  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl    .crl

  SSLMutex      file:/home/apache/logs/ssl_mutex
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  SSLLog        /home/apache/logs/ssl_engine_log
  SSLLogLevel   info


Rgds,

Owen Boyle.



standard shutdown

2001-02-09 Thread Matthias Preiszl



Can anybody solve my problem?

I have a unix server with apache 1.3.12 and mod_ssl 2.6.6.
The ssl connections are working. But when I click on a link and wait for
15 seconds I get the following in my ssl-logs:

[09/Feb/2001 14:36:11 13385] [info]  Connection to child 5 closed with standard shutdown (server vie-wwwtest1.intranet.caibon.com:443, client 10.50.30.43)
[09/Feb/2001 14:36:11 13383] [info]  Connection to child 3 closed with standard shutdown (server vie-wwwtest1.intranet.caibon.com:443, client 10.50.30.43)

After this an immediate click on a link will come to a "Cannot find Server
or DNS Error" page (on Internet Explorer)!

But when I wait for about 30 sec the link will work.

So there is a frame between the "standard shutdown" message and 30 sec in
which the link will work (no log entries)!
 
can somebody help me?
 
thanks,
matthias


SSL-induced loading errors

2001-02-09 Thread John Kestner

(mod_ssl 2.8.0-1.3.17 on Unix)

I'm getting desperate -- the site rolls out today. I'm getting decryption
errors in the browser, or just images and stylesheets refusing to load
when trying to load pages. It's random, and needless to say, unacceptable.
Anyone have any idea what's going on?

This happens in IE5/Mac, IE4.5/Mac, and some versions of Netscape/Mac. IE
on PC works perfectly, and Netscape on PC works most of the time.

The Apache error log shows:

[error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button
pressed in browser?!] (System error follows)
[error] System: Connection reset by peer (errno: 54)

I've tried the FAQ and looked thru the archives and tried some of the
things I found in there, but no success thus far. Any suggestions?

Much thanks,
John




RE: standard shutdown

2001-02-09 Thread David Rees



http://www.modssl.org/docs/2.8/ssl_faq.html#ToC48
 
-Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthias Preiszl
Sent: Friday, February 09, 2001 6:59 AM
To: [EMAIL PROTECTED]
Subject: standard shutdown

Can anybody solve my problem?

I have a unix server with apache 1.3.12 and mod_ssl 2.6.6.
The ssl connections are working. But when I click on a link and wait for
15 seconds I get the following in my ssl-logs:

[09/Feb/2001 14:36:11 13385] [info]  Connection to child 5 closed with standard shutdown (server vie-wwwtest1.intranet.caibon.com:443, client 10.50.30.43)
[09/Feb/2001 14:36:11 13383] [info]  Connection to child 3 closed with standard shutdown (server vie-wwwtest1.intranet.caibon.com:443, client 10.50.30.43)

After this an immediate click on a link will come to a "Cannot find Server
or DNS Error" page (on Internet Explorer)!

But when I wait for about 30 sec the link will work.

So there is a frame between the "standard shutdown" message and 30 sec in
which the link will work (no log entries)!

Can somebody help me?

thanks,
matthias


RE:

2001-02-09 Thread Laurent Salle


  You will need to set up a VirtualHost. You may use mod_rewrite to redirect
requests for a specific directory to the HTTPS virtual host.

  See:

http://www.modssl.org/docs/apachecon2000/slide-016-n.html



> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, February 09, 2001 11:24 AM
> To: [EMAIL PROTECTED]
> Subject:
>
>
> Hi everybody !
>
> Is there anybody to tell me : How can i force in the apache
> configuration file
> the use of a ssl connection for a particular directory without
> using virtual
> hosts ?
> Have you any sample configuration file ?
>
> Thanks



RE: SSL-induced loading errors

2001-02-09 Thread David Rees

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of John Kestner
> Sent: Friday, February 09, 2001 9:49 AM
> To: [EMAIL PROTECTED]
> Subject: SSL-induced loading errors
>
>
> (mod_ssl 2.8.0-1.3.17 on Unix)
>
> I'm getting desperate -- the site rolls out today. I'm getting decryption
> errors in the browser, or just images and stylesheets refusing to load
> when trying to load pages. It's random, and needless to say, unacceptable.
> Anyone have any idea what's going on?
>
> This happens in IE5/Mac, IE4.5/Mac, and some versions of Netscape/Mac. IE
> on PC works perfectly, and Netscape on PC works most of the time.
>
> The Apache error log shows:
>
> [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button
> pressed in browser?!] (System error follows)
> [error] System: Connection reset by peer (errno: 54)
>
> I've tried the FAQ and looked thru the archives and tried some of the
> things I found in there, but no success thus far. Any suggestions?

Can you post the config for your SSL virtual host without comments?

-Dave




Access to web page with suspended certificate possible!

2001-02-09 Thread Kaps, Jens-Peter

Hi,
 
I guess I discovered a bug in the CRL checking of mod_ssl, or I just
misconfigured my system. The symptoms are the following:
 
I have a web server using SSL on port 443 without access control. I do
require client certificates of a CA that I trust to access a sub directory.
I told Apache to check for CRLs in a directory. When I start IE, delete its
cache and hit the server I get the main page. When I click on the link for
the restricted area I get prompted to select a certificate. I select the
certificate that I suspended and I can access the page. When I press the
"reload" button in IE a couple of times I don't get the page but an error
code: 80090320. And the ssl_engine_log shows that my certificate has been
revoked. When I press reload again, I get the page, the Apache log shows
that it sent the page again. Restarting Apache does not help.
 
Now my question is, why does Apache only sometimes discover that my
certificate has been revoked? I think this is a sever security bug!
 
I use Internet Explorer Version 5.00.2014.0216CO with 128 bit encryption and
update 3725, German. The web server is Apache Version 1.3.14 with Mod-SSL
2.7.1 and OpenSSL 0.9.6 on Solaris 2.6.
 
Any ideas?
 
Jens

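Jens's setup (server-wide SSL, client certificates from one trusted CA required for a sub-directory, CRLs taken from a directory) is a standard mod_ssl layout. What follows is an added configuration example of that layout, not Jens's actual config or anything from the thread; the paths, the CA name and the /restricted location are assumptions. It uses SSLCARevocationFile rather than SSLCARevocationPath because the directory form only finds CRLs stored under hash-named files (see the mod_ssl reference for SSLCARevocationPath), which is one of the first things to rule out when revocation checks appear to be intermittent.

```apache
# Added example, not from the thread: client-certificate area with CRL checking.
<VirtualHost _default_:443>
  SSLEngine             on
  SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

  # CA(s) whose client certificates are accepted ...
  SSLCACertificateFile  /usr/local/apache/conf/ssl.crt/trusted-ca.crt
  # ... and the CRL issued by that CA (single file, no hashed names needed).
  SSLCARevocationFile   /usr/local/apache/conf/ssl.crl/trusted-ca.crl

  # Public part of the site: no client certificate.
  SSLVerifyClient none

  # Restricted part: every client must present a certificate that chains to
  # the trusted CA and is not listed in the CRL. Entering this location on
  # an existing connection makes mod_ssl renegotiate with verification on.
  <Location /restricted>
    SSLVerifyClient require
    SSLVerifyDepth  2
    # Extra condition on top of "valid and unrevoked": pin the issuer, so a
    # certificate from another CA in the trust file is still rejected here.
    SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Trusted CA"
  </Location>

  # Log verification results so revoked-certificate rejections are visible.
  SSLLog      /usr/local/apache/logs/ssl_engine_log
  SSLLogLevel info
</VirtualHost>
```

When testing whether a freshly revoked certificate is refused, use a new browser session rather than reloading: certificate verification, CRL lookup included, runs during a full handshake (or the renegotiation that the per-location SSLVerifyClient triggers), and OpenSSL does not repeat it when a cached session is resumed, so a reload in the same session reuses the earlier verification result.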



Re: ssl connection for a particular directory

2001-02-09 Thread Paul


> [EMAIL PROTECTED] wrote:
> > Is there anybody to tell me : How can i force in the apache
> > configuration file the use of a ssl connection for a particular
> > directory without using virtual hosts ?

You'll probably have to run a whole separate server if you aren't using
vhosts.

The choice of protocol is done before the connection is established;
path translation is way later. What you *could* do, however, is to have
the index page in that directory check the port number or something.
mod_perl makes that pretty easy; Apache::Request probably does, too.
I'm not sure off the top of my head how you'd do it without perl. If
it's not secure, redirect to the secure server.

You could kind of do it anyway, just as a matter of course. Have the
index page (I'd recommend a CGI) do an external redirect to the secure
socket. Obviously, you have to have an SSL server running somewhere,
either as another server or as a vhost or *something*, but then the
default page in that directory will redirect to the https://
other-page.

But you can't have just one directory be SSL on one server, because the
SSL protocol has to be established *WAY* before the server knows what
directory the user wants.

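Owen's, Laurent's and Paul's answers together describe one pattern: a separate SSL VirtualHost, a redirect that sends plain-HTTP requests for the directory over to it, and the fact that the protocol is fixed when the connection is accepted, long before the requested path is known. The following is an added configuration example of that pattern and is not from the thread; www.example.com, the /secure/ directory and the file paths are assumptions (the certificate paths follow Owen's example).

```apache
# Added example, not from the thread: plain-HTTP server plus SSL VirtualHost.

# --- main server, plain HTTP on port 80 ---
Listen 80
ServerName   www.example.com
DocumentRoot /main/document/root

# Requests for /secure/ arriving on a non-SSL port are redirected to the
# HTTPS host before any content is touched (Laurent's mod_rewrite approach).
# SERVER_PORT is tested rather than the path alone because the protocol was
# chosen when the connection was accepted (Paul's point); the path cannot
# change it, only send the client somewhere else.
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/secure/(.*)$ https://%{SERVER_NAME}/secure/$1 [R=301,L]

# --- SSL VirtualHost on port 443 ---
# SSLEngine is valid only here or at server scope (Owen's point), never
# inside <Directory>.
Listen 443
<VirtualHost _default_:443>
  ServerName            www.example.com
  SSLEngine             on
  DocumentRoot          /main/document/root
  SSLCertificateFile    /home/apache/conf/ssl.crt/my_site.crt
  SSLCertificateKeyFile /home/apache/conf/ssl.key/my_site.key
</VirtualHost>

# Defence in depth: even if the redirect is removed or misconfigured, mod_ssl
# refuses (403) to serve this directory over a non-SSL connection, so the
# content never leaves the server in the clear.
<Directory /main/document/root/secure>
  SSLRequireSSL
</Directory>
```

The redirect is the user-friendly part; SSLRequireSSL is the guarantee. A redirect alone still serves the directory in the clear to anyone who reaches the port-80 server through a path the RewriteRule does not match, whereas the Directory block applies regardless of how the request arrived.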



RE: ssl connection for a particular directory

2001-02-09 Thread Kaps, Jens-Peter

Hi Samuel,

I'm sorry if my error reporting was a little confusing. The whole server on
port 443 runs SSL and has a server certificate. But for one subdirectory I
am requiring a client certificate of a certificate authority that I trust.
Apache should always check these client certificates against the CRLs. In my
set up it only checks it sometimes (average every third request).

Jens


-Original Message-
From: Paul [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 09, 2001 3:03 PM
To: [EMAIL PROTECTED]
Subject: Re: ssl connection for a particular directory



> [EMAIL PROTECTED] wrote:
> > Is there anybody to tell me : How can i force in the apache
> > configuration file the use of a ssl connection for a particular
> > directory without using virtual hosts ?

You'll probably have to run a whole seperate server if you aren't using
vhosts.

The choice of protocol is done before the connection is established;
path translation is way later. What you *could* do, however, is to have
the index page in that directory check the port number or something.
mod_perl makes that pretty easy; Apache::Request probably does, too.
I'm not sure off the top of my head how you'd do it without perl. If
it's not secure, redirect to the secure server.

You could kind of do it anyway, just as a matter of course. Have the
index page (I'd recommend a CGI) do an external redirect to the secure
socket. Obviously, you have to have an SSL server running somewhere,
either as another server or as a vhost or *something*, but then the
default page in that directory will redirect to the https://
other-page.

But you can't have just one directory be SSL on one server, because the
SSL protocol has to be established *WAY* before the server knows what
directory the user wants.




Re: mod_ssl: Init: Failed to generate temporary 512 bit RSA private key

2001-02-09 Thread Paul


--- Ges Seger <[EMAIL PROTECTED]> wrote:
> Paul wrote:
> 
> > Hi, all.
> > 
> > I've been trying to add a couple of modules to my Apache, and just
> > can't seem to get it to do it's thing.  Forgive me if I tell you
> too
> > much, but I'm just trying to be thorough.
> > 
> > STEP 1:
> > ===
> > perl Makefile.PL USE_APACI=1 USE_DSO=0 EVERYTHING=1 \
> >   DO_HTTPD=1 SSL_BASE=/usr/local/ssl \
> >   APACHE_SRC=../apache_1.3.12/src \
> >   APACI_ARGS=--enable-module=ssl,--enable-module=auth_dbm,--enable-module=info,--enable-module=rewrite,--enable-module=usertrack
> > 
> > This runs smoothly.
> > 
> > STEP 2: make
> > This, too, runs smoothly.
> > ==
> > STEP 3: make test
> > Here's the problem. It runs fine till t/TEST tries to spawn a
> server
> > and hit it.  The server fails at init because it can't generate a
> > temporary 512 bit RSA private key. I've moved to the apache
> directory
> > and run "make certificate" before the "make test", but it doesn't
> help.
> > 
> > 
> > If I'm not mistaken, I had this problem when I was first installing
> the
> > server, and ended up skipping the test. It installed and has been
> > working fine. I'd just rather have a clean test before I try
> installing
> > and using the new binary now that it's in production.
> > 
> > Anybody got a suggestion?
> 
> Recent versions of mod_ssl compiled for HPUX require an equivalent to
> Linux's /dev/random.  You can get this by downloading and installing
> an Entropy Gathering Daemon (egd), which can be found at:
> 
> http://www.lothar.com/tech/crypto/
> 
> I ran into the same problem last month upgrading my team's website, 
> until trawling through various mailing list archives pointed me to
> egd.  
> If 10.20 is anything like 11.x, this should get you through "make
> test"  with flying colors.
> 
> Apologies for being sort of off-topic here...
> 
> Ges
> Senior Perl Hacker
> Ingenium Corporation

EGD is great -- thanks for the suggestion -- but the "make test" is
still no go. The OpenSSL manpage for RAND_egd (to which egd.pl docs
pointed me) says if the socket is /dev/egd-pool it'll use it
automatically, but it's a no-go so far.

I'm at wit's end. Could it be something in the test httpd.conf? 

As a test I backed up the old httpd and replaced it with the new one,
and it seems to be working fine. All that took less than a minute, and
we're a small enough server that it was a tolerable interruption even
if it hadn't worked, but I'd still like to do the install, just to
update everything. Is that safe? What else does it change?





Re: mod_ssl: Init: Failed to generate temporary 512 bit RSA private key

2001-02-09 Thread Lutz Jaenicke

On Fri, Feb 09, 2001 at 01:04:51PM -0800, Paul wrote:
> EGD is great -- thanks for the suggestion -- but the "make test" is
> still no go. The OpenSSL manpage for RAND_egd (to which egd.pl docs
> pointed me) says if the socket is /dev/egd-pool it'll use it
> automatically, but it's a no-go so far.

The automatic usage is brand new and only included in the version to
become 0.9.7 one fine day. If you have <=0.9.6 you have to explicitly
specify the place in httpd.conf
  SSLRandomSeed startup egd:/var/run/egd-pool

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



Re: RE: SSL-induced loading errors

2001-02-09 Thread John Kestner

[EMAIL PROTECTED] writes:
>Can you post the config for your SSL virtual host without comments?
>
>-Dave

Actually, I just tried adding:

SSLRequire %{SSL_CIPHER} >= 128

And it appears to work on just about every new and old browser/platform!
Hope this helps some future newbie...

Thanks anyway,
John




RE: RE: SSL-induced loading errors

2001-02-09 Thread David Rees

> [EMAIL PROTECTED] writes:
> >Can you post the config for your SSL virtual host without comments?
> 
> Actually, I just tried adding:
> 
> SSLRequire %{SSL_CIPHER} >= 128
> 
> And it appears to work on just about every new and old browser/platform!
> Hope this helps some future newbie...

Even on non-128 bit browsers?

-Dave



Re: RE: RE: SSL-induced loading errors

2001-02-09 Thread John Kestner

[EMAIL PROTECTED] writes:
>> Actually, I just tried adding:
>> 
>> SSLRequire %{SSL_CIPHER} >= 128
>> 
>> And it appears to work on just about every new and old browser/platform!
>> Hope this helps some future newbie...
>
>Even on non-128 bit browsers?

Yes - it drops back to 40-bit. Doesn't seem quite right, I know - perhaps
I'm misinterpreting it. But this was a suggestion in the archives at
http://www.mail-archive.com/modssl-users@modssl.org/msg10187.html

If this isn't as secure as I think, please point it out to me.

John




[OT] make test fail [WAS mod_ssl: Init: Failed to generate temporary 512 bit RSA private key]

2001-02-09 Thread Paul


--- Lutz Jaenicke <[EMAIL PROTECTED]> wrote:
> On Fri, Feb 09, 2001 at 01:04:51PM -0800, Paul wrote:
> > EGD is great -- thanks for the suggestion -- but the "make test" is
> > still no go. The OpenSSL manpage for RAND_egd (to which egd.pl docs
> > pointed me) says if the socket is /dev/egd-pool it'll use it
> > automatically, but it's a no-go so far.
> 
> The automatic usage is brand new and only included in the version to
> become 0.9.7 one fine day. If you have <=0.9.6 you have to explicitly
> specify the place in httpd.conf
>   SSLRandomSeed startup egd:/var/run/egd-pool

First, that was exactly the problem.
May you and all who contributed to its resolution receive skillfully
rendered the prurient favors you prefer most from the individual(s) of
your choosing.

Now, I have a slightly different point of confusion.
The "make test" still fails, but leaves the spawned httpd running on
the test port. The error log says:

[notice] Destruction->DESTROY called for $global_object
[Fri Feb  9 16:29:43 2001] [warn] [notice] child_init for process 23323, report any problems to [no address given]


But if I hit the port with a browser I can pull the test.shtml page
with all the SSI mod_perl calls working fine. I feel a lot better about
doing the install now, but I still want to know what the problem is
here.

FYI, there was an suexec problem before, but I think that's just
because this box doesn't have a user "nobody". I edited the test
httpd.conf to run as our actual server id and it was happy, at least
for that. It's just that I keep coming back to various suexec
problems. But since the current server runs and suexec's as it
should, I'm not too worried about that.  I just hate leaving *any*
loose ends.

_

On a separate note, the main reason I was doing the recompile was to
add in mod_auth_dbm. I finally got a test directory to do a simple
request for authentication by ID/password, but now I can't get it to
accept my password. I built the file with Apache's dbmmanage, importing
a list of id/passwords from a script which used a perl crypt() to
encrypt the passwords as it fed them to dbmmanage via pipe in the
specified "id:encpwd" format. Everything seems to have gone smoothly
enough, but it won't accept the password. What now? :o/

The .htaccess file is:
===
AuthDBMUserFile /dart10/web/docs/public/test/test
AuthType Basic
AuthName "password test site"
Require valid-user
===

The DBM is in the directory I'm accessing, just as a test.
*sigh*

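Paul's .htaccess is the minimal mod_auth_dbm setup. Two things a reviewer would add, shown here as an added example and not as Paul's own file (the file names follow his layout and are assumptions): make the DBM lookup authoritative so a failed lookup is a hard reject rather than a fall-through to another auth module, and, since the DBM sits inside the protected directory, refuse to serve the credential store itself to anyone, authenticated or not.

```apache
# Added example, not from the thread: hardened version of the test .htaccess.
AuthDBMUserFile /dart10/web/docs/public/test/test
AuthType Basic
AuthName "password test site"
# Do not fall through to mod_auth (AuthUserFile) when the DBM lookup fails;
# an unknown user or a non-matching crypt() hash must end the request.
AuthDBMAuthoritative on
Require valid-user

# The DBM lives under the document root, so it is a URL like any other.
# Deny it (and the .db/.pag/.dir companion files some DBM libraries create)
# to everyone; otherwise any valid user can download the whole credential
# store and attack the hashes offline.
<Files ~ "^test(\.(db|pag|dir))?$">
  Order allow,deny
  Deny from all
</Files>
```

For the password mismatch itself, dbmmanage's `check` command verifies a cleartext password against the stored entry without involving the web server, which separates a hashing problem (the crypt() output fed through `import`) from an Apache one (wrong file, wrong module, or an AuthUserFile elsewhere answering first).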



RE: RE: RE: SSL-induced loading errors

2001-02-09 Thread David Rees

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of John Kestner
>
> [EMAIL PROTECTED] writes:
> >> Actually, I just tried adding:
> >>
> >> SSLRequire %{SSL_CIPHER} >= 128
> >>
> >> And it appears to work on just about every new and old
> browser/platform!
> >> Hope this helps some future newbie...
> >
> >Even on non-128 bit browsers?
>
> Yes - it drops back to 40-bit. Doesn't seem quite right, I know - perhaps
> I'm misinterpreting it. But this was a suggestion in the archives at
> http://www.mail-archive.com/modssl-users@modssl.org/msg10187.html
>
> If this isn't as secure as I think, please point it out to me.

Curious, according to the docs, it shouldn't allow those browsers to
connect.  Are you using one of the step-up certificates from Verisign?

Do you also have the following lines installed?

SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

If you do, could you try it without "SSLRequire %{SSL_CIPHER} >= 128", I'm
not convinced that the SSLRequire makes a difference.

-Dave




(newbie q) second-level domain certificate?

2001-02-09 Thread John Kestner

I think I know the answer, but if I get a certificate for mysite.com, will
it cover www.mysite.com, or do I have to get a separate certificate for
every explicit domain name?

John




Re: RE: RE: RE: SSL-induced loading errors

2001-02-09 Thread John Kestner

[EMAIL PROTECTED] writes:
>Curious, according to the docs, it shouldn't allow those browsers to
>connect.  Are you using one of the step-up certificates from Verisign?

So I'm told by the guy who acquired our certificates from Verisign. How do
I tell?
>
>Do you also have the following lines installed?
>
>SSLCipherSuite
>ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
>SetEnvIf User-Agent ".*MSIE.*" \
>   nokeepalive ssl-unclean-shutdown \
>   downgrade-1.0 force-response-1.0
>
>If you do, could you try it without "SSLRequire %{SSL_CIPHER} >= 128", I'm
>not convinced that the SSLRequire makes a difference.

I do have those lines installed, and it was giving me all the decryption
errors, which only went away once I added the SSLRequire.

John




RE: RE: RE: RE: SSL-induced loading errors

2001-02-09 Thread David Rees

> >Curious, according to the docs, it shouldn't allow those browsers to
> >connect.  Are you using one of the step-up certificates from Verisign?
>
> So I'm told by the guy who acquired our certificates from Verisign. How do
> I tell?

I'm not sure, does anyone else know?

> >Do you also have the following lines installed?
> >
> >SSLCipherSuite
> >ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >
> >SetEnvIf User-Agent ".*MSIE.*" \
> > nokeepalive ssl-unclean-shutdown \
> > downgrade-1.0 force-response-1.0
> >
> >If you do, could you try it without "SSLRequire %{SSL_CIPHER} >=
> 128", I'm
> >not convinced that the SSLRequire makes a difference.
>
> I do have those lines installed, and it was giving me all the decryption
> errors, which only went away once I added the SSLRequire.

OK, looks like another item for the FAQ.  Ralf, can you add something for
decryption errors when using Verisign Step-Up certs?  It looks like when
using Verisign step-up certs, they require the line
"SSLRequire %{SSL_CIPHER} >= 128" to work properly on all browsers.

-Dave

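The thread settles on `SSLRequire %{SSL_CIPHER} >= 128` without resolving why export browsers still get in. Below is an added example, not from the thread or from John's or Dave's configs, of how mod_ssl expresses a per-area cipher-strength requirement. It uses SSL_CIPHER_USEKEYSIZE, the numeric key-size variable listed in the mod_ssl reference's environment-variable table (SSL_CIPHER is the cipher *name* string), together with a per-location SSLCipherSuite, which makes mod_ssl renegotiate the connection with only the listed ciphers when that area is entered. Paths and the /strong location are assumptions.

```apache
# Added example, not from the thread: per-area cipher strength enforcement.
<VirtualHost _default_:443>
  SSLEngine             on
  SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
  SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

  # Server-wide list as quoted in the thread. Export-grade ciphers remain
  # in it, which is what lets an export-only browser complete the initial
  # handshake at all; strong ciphers are ordered first.
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

  <Location /strong>
    # Entering this area forces a renegotiation offering only these ciphers,
    # so a session that started at 40 bits is upgraded or refused.
    SSLCipherSuite HIGH:MEDIUM
    # Hard check on the result: deny if the negotiated cipher still uses
    # fewer than 128 key bits (numeric comparison on the key size, not on
    # the cipher name).
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
  </Location>

  # MSIE workarounds quoted in the thread, scoped to that user agent only.
  SetEnvIf User-Agent ".*MSIE.*" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
</VirtualHost>

# If no export-only browsers have to be served, the simpler and safer choice
# is not to offer weak ciphers anywhere. This variant (an assumption, not
# from the thread) drops LOW, EXP, eNULL and SSLv2 from the server-wide list:
# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL
```

The two directives in the Location do different jobs: SSLCipherSuite changes what is negotiated, SSLRequire only decides whether the request is allowed once negotiation is over. Relying on SSLRequire alone means a weak session is rejected, not upgraded, which is why a strength check and a restricted suite belong together.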



Re: (newbie q) second-level domain certificate?

2001-02-09 Thread Peter Scott

It is my understanding that you need a separate certificate for each
subdomain.
I seem to remember something about wildcard certificates, but a quick
inspection of Thawte/Verisign doesn't show anything.

regards,

Peter Scott




Two VirtualHosts?

2001-02-09 Thread Brian Clark


Greetings,

After searching the archives and reading the docs front-to-back, I
have come to the conclusion that I must create two separate
<VirtualHost>s for the same domain in order to use https on 443 and
http on 80.

Is that not completely insane?

Why should I have to mirror mod_rewrite and mod_auth info in both of
the virtual host's configuration info?

The only possible solution (which seems really smart) I've seen is:

http://marc.theaimsgroup.com/?l=apache-modssl&m=91582350819059&w=2

But it doesn't appear this has made it into mod_ssl officially.

Using mod_ssl 2.8.0, Apache 1.3.17.

Is there any other way to keep from having to duplicate VirtualHost
configurations for every single SSL-enabled domain?

--
 Brian Clark <[EMAIL PROTECTED]>
 PGP is spoken here: 0xE4D0C7C8


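Brian's objection is operational rather than cryptographic: two VirtualHosts for one site means the mod_rewrite and auth configuration exists twice and the copies drift apart. One way to keep a single copy without the patch he links, shown as an added example that is not from the thread, is to declare the shared parts once at main-server scope and let both hosts inherit them. <Directory> sections defined in the main server apply inside every VirtualHost that serves those paths; mod_rewrite rules are not inherited unless the host says so with `RewriteOptions inherit`. The address, hostname and paths are assumptions.

```apache
# Added example, not from the thread: one copy of site config, two hosts.

# --- shared, main-server scope ---
# Auth rules written once; they apply in both hosts below because the
# <Directory> path is served by both.
<Directory /web/example.com/htdocs/admin>
  AuthType     Basic
  AuthName     "admin area"
  AuthUserFile /web/example.com/conf/admin.passwd
  Require      valid-user
</Directory>

# Main-server rewrite rules are NOT inherited by VirtualHosts by default;
# each host opts in with RewriteOptions inherit.
RewriteEngine on
RewriteRule ^/old/(.*)$ /new/$1 [R,L]

Listen 80
Listen 443

# --- per-host: only what genuinely differs ---
<VirtualHost 192.0.2.10:80>
  ServerName     www.example.com
  DocumentRoot   /web/example.com/htdocs
  RewriteEngine  on
  RewriteOptions inherit
</VirtualHost>

<VirtualHost 192.0.2.10:443>
  ServerName            www.example.com
  DocumentRoot          /web/example.com/htdocs
  SSLEngine             on
  SSLCertificateFile    /web/example.com/conf/ssl.crt/example.com.crt
  SSLCertificateKeyFile /web/example.com/conf/ssl.key/example.com.key
  RewriteEngine         on
  RewriteOptions        inherit
</VirtualHost>
```

The security benefit is the same as for any deduplication of policy: an access rule that exists in one place cannot be tightened on the HTTPS host and forgotten on the HTTP one. Keeping a password file (`admin.passwd` above) outside the DocumentRoot is part of the same discipline.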