Latest RPMs for mod_ssl
Hi,

Just a quick note to say that Redhat users can find up-to-date RPMs for Apache 1.3.19 with the latest mod_ssl 2.8.1 at:

ftp://ftp.falsehope.com/home/gomez/

There are two versions:

* The good old apache-mod_ssl, derived from Magnus Stenman's and my work. For those of you who want to upgrade from a previous release. Mainly for Redhat 6.x systems with DocumentRoot at /home/httpd/httpd. Note that the manual goes in its own RPM now, since production sites didn't need it online ;-)

  ftp://ftp.falsehope.com/home/gomez/apache-mod_ssl/

* For Redhat 7.x users, there is also an updated version of the standard Redhat 7 distrib, which introduces a split between the apache and mod_ssl packages and changes DocumentRoot to /var/www/html.

  ftp://ftp.falsehope.com/home/gomez/apache/

Not related, but there is also a pre-version of Apache 2.0 there. You can use this package at the same time as the standard 1.3, since it listens on port 8092 and is homed at /home/httpd2/. This version, from the alpha12 distro, works well under Redhat 6.2/7.0, and even has preliminary SSL/TLS support via mod_tls. Sadly mod_ssl is not yet included in Apache 2.0, but I really hope to see Ralf's excellent work included.

ftp://ftp.falsehope.com/home/gomez/apache2/

Regards

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Apache 2.0
Hi,

What about the mod_ssl port to Apache 2.0? You proposed some time ago to put all of mod_ssl 2.8.x in the Apache 2.0 tree, but there is still nothing.

Will you instead work with Ben Laurie on mod_tls?

Regards
error 14094412
Hi,

my Apache sends the error code 14094412 if I try client authentication with a certificate. See log below:

ap229537.zdv.commerzbank.com:443, client 140.60.2.106) (OpenSSL library error follows)
[Mon Mar 05 10:03:52 2001] [error] OpenSSL: error:14094412: SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]

The hint doesn't say anything: It's not a server name because it's a user certificate. There are user certificates without server names in the DN that will work. It's not a certificate with SubjectDN same as IssuerDN.

What does the error code want to say?

Thanks a lot
Joerg
Re: error 14094412
On Mon, Mar 05, 2001 at 10:43:21AM +0100, Joerg Bruenner wrote:

> Hi,
>
> my Apache sends the error code 14094412 if I try client authentication with a certificate. See log below:
>
> ap229537.zdv.commerzbank.com:443, client 140.60.2.106) (OpenSSL library error follows)
> [Mon Mar 05 10:03:52 2001] [error] OpenSSL: error:14094412: SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]

Hi,

have you already tried setting SSLLogLevel in httpd.conf to some high verbosity, e.g. trace or debug? That might yield some more useful information / context about the error (output goes to ssl_engine_log by default).

Erdmut

--
Erdmut Pfeifer
science+computing gmbh

-- Bugs come in through open windows. Keep Windows shut! --
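The numeric code in that log line can be unpacked by hand. The following is an added example, not code from the thread or from mod_ssl; it assumes the packed layout used by OpenSSL releases before 3.0 (library in the top 8 bits, then a 12-bit function and a 12-bit reason), and the function names are hypothetical. In the SSL library a reason of 1000 or more stands for a fatal alert read from the peer, so 14094412 records that the other end of the handshake sent alert 42, bad_certificate.

```python
import re

ERR_LIB_SSL = 20             # library number OpenSSL assigns to its SSL/TLS code
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000: alert received, reason - 1000 = alert number

# Alert descriptions from the SSLv3 / TLS 1.0 specifications.
ALERTS = {
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
}

ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):\s*([^:]+):([^:]+):\s*(.+?)\s*(?:\[|$)")


def decode_error_code(code_hex):
    """Split a packed pre-3.0 OpenSSL error code into library, function and reason."""
    code = int(code_hex, 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        alert = ALERTS.get(number, "alert_%d" % number)
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": alert}


def explain_log_line(line):
    """Return the decoded fields for an 'OpenSSL: error:...' log line, or None."""
    match = ERROR_RE.search(line)
    if match is None:
        return None
    info = decode_error_code(match.group(1))
    info["routine"] = match.group(3).strip()
    info["text"] = match.group(4)
    return info


# The log line quoted in the thread above.
SAMPLE = ("[Mon Mar 05 10:03:52 2001] [error] OpenSSL: error:14094412: "
          "SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate "
          "[Hint: Subject CN in certificate not server name or identical to CA!?]")

if __name__ == "__main__":
    print(explain_log_line(SAMPLE))
```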
Re: search list?
Hi Randy, welcome.

No idea about your specific problem I'm afraid, but you'll find a couple of archives linked from the Support page at modssl.org:

http://www.modssl.org/support/

HTH,

Simon Wilcox.

Please respond to [EMAIL PROTECTED]
From: Randy Bush [EMAIL PROTECTED]
Date: 5 March 2001
Time: 04:53
To: [EMAIL PROTECTED]
Subject: search list?

i am new to mod_ssl and am hitting new-idiot problems, of course. is there a searchable archive of the list for when i don't find it in the faq or other pages? i hate to bug folk with newbie crap.

but, since i have this message anyway, how do i chase down the cause of the following log entry

[Sun Mar 4 20:44:34 2001] [error] [client 1.2.3.4] Invalid method in request F`b

this is when i access the page via https. with http it works. i have two virtual server entries, one for 80 and one for 443.

randy
Re: Apache 2.0
On Mon, Mar 05, 2001, ModSSL user wrote:

> What about the mod_ssl port to Apache 2.0? You proposed some time ago to put all of mod_ssl 2.8.x in the Apache 2.0 tree, but there is still nothing.

Although I offered the whole mod_ssl 2.8 code basis under the ASF license to the ASF, there was no group consensus on using mod_ssl for Apache 2.0. Look at the way and by whom SSL/TLS was pushed into Apache 2.0 and you should be able to imagine yourself why our mod_ssl code was not accepted as the code base. Actually the whole "SSL/TLS for Apache 2.0" situation over the last months was finally "solved" by a rather clever trick by someone of the group - and this was not obvious even to me until recently. But because of this, as a result, we failed to bring mod_ssl directly into Apache 2.0. Sorry, perhaps my fault in being too optimistic and thinking that political things inside the group were already gone. Seems like someone else was a lot more clever than me...

> Will you instead work with Ben Laurie on mod_tls?

I still don't know. As I said, the whole SSL/TLS issue again is a _highly_ political thing in Apache 2.0 and I certainly will try hard to stay out of those things as far as I can. Whether it finally means that mod_ssl has to be externally maintained again, I still don't know. The only thing I currently know is that with Apache 2.0 it seems that we again will have the same SSL/TLS problem as we had three years ago with Apache 1.3 (means: an unpolished 70% percent solution). And I also know that someone (not necessarily me) will again find this not satisfactory. What approach then is used to change this we all still don't know...

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: search list?
Randy Bush wrote:

> i am new to mod_ssl and am hitting new-idiot problems, of course. is there a searchable archive of the list for when i don't find it in the faq or other pages? i hate to bug folk with newbie crap.
>
> but, since i have this message anyway, how do i chase down the cause of the following log entry
>
> [Sun Mar 4 20:44:34 2001] [error] [client 1.2.3.4] Invalid method in request F`b
>
> this is when i access the page via https. with http it works. i have two virtual server entries, one for 80 and one for 443.

That looks as if you tried to use https, but connect to an insecure port. Either your virtual server listening on port 443 is not using SSL or you are actually connecting to port 80.

-Joe
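A plain-HTTP listener treats whatever arrives first as a request line, so an SSL/TLS handshake shows up in the error log as a binary "method". The following added example, which is not from the thread, classifies the first bytes received on a listener to confirm that kind of mismatch; the byte strings are constructed samples and the function names are hypothetical.

```python
import struct

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT")

# Constructed samples: the first bytes of each kind of client traffic.
TLS_HELLO = bytes.fromhex("160301002f0100002b0301")     # TLS record carrying a ClientHello
SSL2_HELLO = bytes.fromhex("802e01030100150000000010")  # SSLv2-format ClientHello
HTTP_REQUEST = b"GET / HTTP/1.0\r\n\r\n"


def classify_first_bytes(data):
    """Return 'tls-record', 'sslv2-hello', 'http' or 'unknown' for a client's first bytes."""
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03:
        # Record header: type 22 (handshake), version 3.x, 2-byte length.
        length = struct.unpack(">H", data[3:5])[0]
        # If the handshake body has started, its first byte is 1 (ClientHello).
        if 0 < length <= 16384 and (len(data) == 5 or data[5] == 0x01):
            return "tls-record"
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 header: high bit set on the 2-byte length, message type 1.
        return "sslv2-hello"
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return "http"
    return "unknown"


def diagnose(first_bytes, listener_uses_ssl):
    """Compare what the client sent with what the listener is configured to speak."""
    kind = classify_first_bytes(first_bytes)
    if kind in ("tls-record", "sslv2-hello"):
        if listener_uses_ssl:
            return "ok: SSL/TLS client on SSL listener"
        return "mismatch: SSL/TLS handshake reached a plain-HTTP listener"
    if kind == "http":
        if listener_uses_ssl:
            return "mismatch: plain HTTP reached an SSL listener"
        return "ok: plain HTTP on plain listener"
    return "unknown: cannot classify these bytes"


if __name__ == "__main__":
    for sample in (TLS_HELLO, SSL2_HELLO, HTTP_REQUEST):
        print(classify_first_bytes(sample), "->", diagnose(sample, listener_uses_ssl=False))
```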
Re: Apache 2.0
[..snip a bunch of sane pondering at completely inexplicable behavior by third parties..]

> The only thing I currently know is that with Apache 2.0 it seems that we again will have the same SSL/TLS problem as we had three years ago with Apache 1.3 (means: an unpolished 70% percent solution). And I also know that someone (not necessarily me) will again find this not satisfactory. What approach then is used to change this we all still don't know...

Ralf, take heart that you're not alone here. As much as I believe in and work for OpenSource projects, this is the Achilles heel of them all. They completely forget they are still developing applications for a USER BASE. When their internal politics flies in the face of what's best for that user base, the project comes off looking like it was done by a gaggle of immature, clue-challenged fruckwits who cannot grasp the basics of how to run a successful project.

mutters something about forgetting and repeating history...

Apache has been (arguably) one of the best OS projects to date. It pains me to see the obvious, and most successful current SSL implementation not be chosen for the 2.0 revision. I definitely don't recall seeing a user-community vote on the topic of SSL/TLS choice for the 2.0 revision. I'm sure there are many folks who would have appreciated the opportunity to have voiced their opinion. Heck, even large companies like Computer Associates take polls of that nature.

After all, if the project doesn't do its best to increasingly serve the user base that's grown along with it, what's the point? Surely the point can't be politics - that's reserved for those extra-special folks who speak far more and work far less.

just my $0.02 at the state of some recent, mind-bogglingly stupid moves in the OpenSource community.

--dsp
Re: Apache 2.0
Dave Paris wrote:

> [snip]
> just my $0.02 at the state of some recent, mind-bogglingly stupid moves in the OpenSource community.

[Flamebait] That reminds me of the GNOME fiasco. (KDE is far superior, yet some want to reinvent the wheel.)
Re: Lost of session after redirect from https to http?
> I'm using mod_ssl 2.8.0 + apache 1.3.17 + tomcat 3.2.1. The problem I encountered is: after redirecting the user back to an http page from an https page, the session variables were gone.

If you're using cookies for session management, it might be that tomcat sets the cookie to be only sent with https when starting the session on a secure server.

I have not yet used tomcat with https so I'm not sure about that, but it might be a point to look at.

Jens
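A small model of the cookie behaviour suggested in the reply above, as an added example that is not from the thread: a cookie set with the Secure attribute is withheld from plain-HTTP requests, so the server sees no session id after the redirect. The Set-Cookie values and host name are constructed, the function names are hypothetical, JSESSIONID is assumed as the session cookie name, and domain matching is left out with path matching reduced to a prefix test.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie header values, as they might come back from the HTTPS login page.
SECURE_SESSION = ["JSESSIONID=A1B2C3D4; Path=/; Secure"]
PLAIN_SESSION = ["JSESSIONID=A1B2C3D4; Path=/"]


def cookies_sent(set_cookie_headers, url):
    """Names of the cookies a browser would attach to a request for url."""
    target = urlsplit(url)
    request_path = target.path or "/"
    sent = []
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if morsel["secure"] and target.scheme != "https":
                continue  # Secure cookies never travel over plain HTTP
            if not request_path.startswith(morsel["path"] or "/"):
                continue  # simplified path match: prefix comparison only
            sent.append(name)
    return sent


def session_survives(set_cookie_headers, redirect_url, session_cookie="JSESSIONID"):
    """True if the session cookie would still be presented after the redirect."""
    return session_cookie in cookies_sent(set_cookie_headers, redirect_url)


if __name__ == "__main__":
    for label, headers in (("Secure", SECURE_SESSION), ("not Secure", PLAIN_SESSION)):
        for url in ("https://shop.example/cart", "http://shop.example/cart"):
            print(label, url, "session kept:", session_survives(headers, url))
```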
Re: Apache 2.0
The use of the word "superior" is a subjective one. Just as some say that Picasso is superior to Michelangelo. Because there are different styles to doing the same thing, does not mean that they should be criticized in a manner which solves nothing, but adds fuel to fire.

Saying x is superior over y, while on the surface may appear true, only after looking at tangible evidence and reasons behind why x is superior to y and vice versa can we attain enlightenment about that which we claim. I realize this because I work in an office which is sometimes painful. Plenty of claims about this is better than that, but no real substantiation about anything. People can talk from experience, but sometimes that's not enough. Proof of the pudding and all that.

I think what you are saying here is good feedback, but let's try to debate the reasons, rather than speculate. I think it is a mistake not to use mod_ssl code in Apache 2.0, but with no truly objective debate happening in the Apache list (from what I've seen I don't consider 'mod_ssl is spaghetti' as objective), then both projects suffer. Mod_ssl less than the ASF I think, but that's the way it is. Does it mean that this won't change? Not really, it just means that _if_ it changes, it will take a while and probably be painful.

Thank you all for your ear, and sorry if it's a bit long. I'm quite passionate about OpenSource and what its potentials are. It simply breaks my heart to see people who are usually enlightened enough to believe in freedom and openness breed politics into something so good.

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: [EMAIL PROTECTED]

On Mon, 5 Mar 2001, Balázs Nagy wrote:

> Dave Paris wrote:
>
> > [snip]
> > just my $0.02 at the state of some recent, mind-bogglingly stupid moves in the OpenSource community.
>
> [Flamebait] That reminds me of the GNOME fiasco. (KDE is far superior, yet some want to reinvent the wheel.)
Re: Apache 2.0
Austin Gonyou wrote:

> Thank you all for your ear, and sorry if it's a bit long. I'm quite passionate about OpenSource and what its potentials are. It simply breaks my heart to see people who are usually enlightened enough to believe in freedom and openness breed politics into something so good.

Thank you for not assassinating me for the flamebait. The question is, what do you suggest we do to encourage ASF to (re)consider mod_ssl?
Re: Apache 2.0
I think the biggest thing we can do is take a wait and see attitude, but keep on top of the ssl issue as a whole. The other thing to do is to review the technical reasons why mod_ssl should not be incorporated at all, to try and dispel any and all political issues people in that group may have. Politics doesn't belong in the OS community, not this type of politics anyway. We need to show both parties that a balance can be reached, but that it takes both parties, not one, working in tandem to achieve something useable to both.

I believe that mod_ssl, and apache_ssl are 2 projects which should exist, and never be the same project. Freedom of choice is what drove most of us to OpenSource, we should embrace this as an opportunity to continue that tradition.

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: [EMAIL PROTECTED]

On Mon, 5 Mar 2001, Balázs Nagy wrote:

> Austin Gonyou wrote:
>
> > Thank you all for your ear, and sorry if it's a bit long. I'm quite passionate about OpenSource and what its potentials are. It simply breaks my heart to see people who are usually enlightened enough to believe in freedom and openness breed politics into something so good.
>
> Thank you for not assassinating me for the flamebait. The question is, what do you suggest we do to encourage ASF to (re)consider mod_ssl?
Re: Apache 2.0 (fwd)
[ Message reposted because I accidentally sent the original under an alternate address which wasn't accepted by the list software ]

-- Forwarded message --
Date: Mon, 5 Mar 2001 16:50:33 -0500 (EST)
From: Cliff Woolley [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Apache 2.0

On Mon, 5 Mar 2001, Dave Paris wrote:

> Apache has been (arguably) one of the best OS projects to date. It pains me to see the obvious, and most successful current SSL implementation not be chosen for the 2.0 revision. I definitely don't recall seeing a user-community vote on the topic of SSL/TLS choice for the 2.0 revision. I'm sure there are many folks who would have appreciated the opportunity to have voiced their opinion. Heck, even large companies like Computer Associates take polls of that nature.

Just to throw in an objective perspective in fairness to all (regardless of my personal preference for mod_ssl):

There is actually a rather big technical problem with just dumping *either* mod_ssl or Apache-SSL into Apache 2.0. That is that the I/O mechanics of Apache 2.0 are *completely* different than those of 1.3. SSL/TLS in 2.0 can and should be implemented using the new I/O filtering and bucket-brigades data management system of 2.0, which is a fairly drastic change from any code out there for SSL/TLS in 1.3.

So, while politics does play a factor (necessarily just by human nature), it's not that the group just said "We choose not to use mod_ssl for 2.0" for purely political reasons. Rather, they said "We need to get a really basic SSL/TLS implementation set up that uses filtering and bucket brigades, because there does not currently exist such a beast. Then we can pull in all the neat goodies from mod_ssl and Apache-SSL from there." Hence mod_tls was born. It's currently in stage 1 -- getting it working as a filter. Next is stage 2... pulling in the goodies.

Don't get disappointed or up-in-arms just yet. =-)

--Cliff Woolley
Apache 2.0/APR contributor

--
Cliff Woolley
[EMAIL PROTECTED]
Charlottesville, VA