Latest RPMs for mod_ssl

2001-03-05 Thread ModSSL user

Hi,

Just a quick note to say that Redhat users can find up-to-date RPMs for
Apache 1.3.19 with the latest mod_ssl 2.8.1 at:

ftp://ftp.falsehope.com/home/gomez/

There are two versions:

* The good old apache-mod_ssl, derived from Magnus Stenman's and my work.
  For those of you who want to upgrade from a previous release.
  Mainly for Redhat 6.x systems with DocumentRoot at /home/httpd/httpd.
  Note that the manual goes in its own RPM now, since production sites
  didn't need it online ;-)

  ftp://ftp.falsehope.com/home/gomez/apache-mod_ssl/

* For Redhat 7.x users, there is also an updated version of the standard
  Redhat 7 distrib, which introduces a split between the apache and mod_ssl
  packages and changes DocumentRoot to /var/www/html.

  ftp://ftp.falsehope.com/home/gomez/apache/

Not related, but there is also a pre-version of Apache 2.0 there.
You can use this package at the same time as the standard 1.3, since
it listens on port 8092 and is homed at /home/httpd2/.
This version, from the alpha12 distro, works well under Redhat 6.2/7.0,
and even has preliminary SSL/TLS support via mod_tls.
Sadly mod_ssl is not yet included in Apache 2.0, but I really hope
to see Ralf's excellent work included.

ftp://ftp.falsehope.com/home/gomez/apache2/

Regards


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager     [EMAIL PROTECTED]



Apache 2.0

2001-03-05 Thread ModSSL user

Hi,

What about the mod_ssl port to Apache 2.0?

You proposed some time ago to put all of mod_ssl 2.8.x in the Apache 2.0 tree
but there is still nothing.

Will you instead work with Ben Laurie on mod_tls?

Regards




error 14094412

2001-03-05 Thread Joerg Bruenner

Hi,  
my apache sends the error code 14094412 if I try client
authentication with a certificate. See log below:  
 
ap229537.zdv.commerzbank.com:443, client 140.60.2.106)   
(OpenSSL library error follows)  
[Mon Mar 05 10:03:52 2001] [error] OpenSSL: error:14094412:  
SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate   
[Hint: Subject CN in certificate not server name or   
identical to CA!?]  
  
The hint doesn't say anything: It's not a server name  
because it's a user certificate. There are user  
certificates without servernames in DN that will work.  
It's not a certificate with SubjectDN same as IssuerDN.
  
What does the errorcode want to say?   
  
Thanks a lot  
Joerg 



Re: error 14094412

2001-03-05 Thread Erdmut Pfeifer

On Mon, Mar 05, 2001 at 10:43:21AM +0100, Joerg Bruenner wrote:
> Hi,
> my apache sends the error code 14094412 if I try client
> authentication with a certificate. See log below:
>
> ap229537.zdv.commerzbank.com:443, client 140.60.2.106)
> (OpenSSL library error follows)
> [Mon Mar 05 10:03:52 2001] [error] OpenSSL: error:14094412:
> SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
> [Hint: Subject CN in certificate not server name or
> identical to CA!?]

Hi,

have you already tried setting SSLLogLevel in httpd.conf to some high
verbosity, e.g. trace or debug? That might yield some more useful
information / context about the error (output goes to ssl_engine_log by
default).

Erdmut


-- 
Erdmut Pfeifer
science+computing gmbh

-- Bugs come in through open windows. Keep Windows shut! --
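
The eight hex digits in the "OpenSSL: error:14094412:" log line discussed in this thread encode a library, a function and a reason. The following is an added example, not part of the original thread, that takes such a code apart. It assumes the pre-3.0 OpenSSL error-code layout and the SSLv3/TLS 1.0 alert numbers; the second and third sample lines are constructed.

```python
import re

# Pre-3.0 OpenSSL packs an error code as: library (8 bits), function
# (12 bits), reason (12 bits). This layout is an assumption that fits the
# 2001-era OpenSSL in the thread; OpenSSL 3.x changed it.
ERR_LIB_SSL = 0x14
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000: alert received from peer

# Certificate-related alert descriptions (SSLv3 / TLS 1.0 numbering).
CERT_ALERTS = {
    41: "no_certificate",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(line):
    """Split the hex code in an 'OpenSSL: error:XXXXXXXX:' log line."""
    m = ERROR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    info = {"lib": lib, "func": func, "reason": reason,
            "origin": "local", "alert": None}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        info["origin"] = "peer"  # the remote side sent this alert
        info["alert"] = CERT_ALERTS.get(number, "alert %d" % number)
    return info


# First line is from the post above; the other two are constructed samples.
SAMPLES = [
    "[Mon Mar 05 10:03:52 2001] [error] OpenSSL: error:14094412:",
    "[Mon Mar 05 10:04:10 2001] [error] OpenSSL: error:14094418:",
    "[Mon Mar 05 10:05:31 2001] [error] OpenSSL: error:1408F10B:",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[-9:-1], decode_openssl_error(sample))
```

A reason of 1000 or more in the SSL library means the alert was received from the remote end of the connection rather than raised by the local OpenSSL.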



Re: search list?

2001-03-05 Thread Simon_Wilcox


Hi Randy, welcome.

  No idea about your specific problem I'm afraid but you'll find a couple of
  archives linked from the Support page at modssl.org:

http://www.modssl.org/support/

HTH,

Simon Wilcox.






Please respond to [EMAIL PROTECTED]

From:    Randy Bush [EMAIL PROTECTED]
Date:    5 March 2001
Time:    04:53
To:      [EMAIL PROTECTED]
Bcc:     Simon Wilcox/BASE/WilliamsLea
Subject: search list?

i am new to mod_ssl and am hitting new-idiot problems, of course.  is there
a searchable archive of the list for when i don't find it in the faq or other
pages?  i hate to bug folk with newbie crap.

but, since i have this message anyway, how do i chase down the cause of the
following log entry

[Sun Mar  4 20:44:34 2001] [error] [client 1.2.3.4] Invalid method in
request €F`b

this is when i access the page via https.  with http it works.  i have two
virtual server entries, one for 80 and one for 443.

randy


Re: Apache 2.0

2001-03-05 Thread Ralf S. Engelschall

On Mon, Mar 05, 2001, ModSSL user wrote:

> What about the mod_ssl port to Apache 2.0?
> You proposed some time ago to put all of mod_ssl 2.8.x in the Apache 2.0 tree
> but there is still nothing.

Although I offered the whole mod_ssl 2.8 code basis under the ASF
license to the ASF, there was no group consensus on using mod_ssl for
Apache 2.0. Look at the way and by whom SSL/TLS was pushed into Apache
2.0 and you should be able to imagine yourself why our mod_ssl code was
not accepted as the code base.

Actually the whole "SSL/TLS for Apache 2.0" situation over the last
months was finally "solved" by a rather clever trick by someone of the
group - and this was not obvious even to me until recently. But because
of this, as a result, we failed to bring mod_ssl directly into Apache
2.0. Sorry, perhaps my fault in being too optimistic and thinking that
political things inside the group were already gone. Seems like someone
else was a lot more clever than me...

> Will you instead work with Ben Laurie on mod_tls?

I still don't know. As I said, the whole SSL/TLS issue again is a
_highly_ political thing in Apache 2.0 and I certainly will try hard to
stay out of those things as far as I can. Whether it finally means that
mod_ssl has to be externally maintained again, I still don't know.

The only thing I currently know is that with Apache 2.0 it seems that we
again will have the same SSL/TLS problem as we had three years ago with
Apache 1.3 (means: an unpolished 70% percent solution). And I also know
that someone (not necessarily me) will again find this not satisfactory.
What approach then is used to change this we all still don't know...

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: search list?

2001-03-05 Thread Joachim Feise

Randy Bush wrote:
 
> i am new to mod_ssl and am hitting new-idiot problems, of course.  is there
> a searchable archive of the list for when i don't find it in the faq or other
> pages?  i hate to bug folk with newbie crap.
>
> but, since i have this message anyway, how do i chase down the cause of the
> following log entry
>
> [Sun Mar  4 20:44:34 2001] [error] [client 1.2.3.4] Invalid method in request
> €F`b
>
> this is when i access the page via https.  with http it works.  i have two
> virtual server entries, one for 80 and one for 443.

That looks as if you tried to use https, but connect to an insecure port.
Either your virtual server listening on port 443 is not using SSL or
you are actually connecting to port 80.

-Joe
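
One way to check this diagnosis against a log, as an added example that is not part of the original thread: it flags "Invalid method in request" entries whose first bytes look like an SSL/TLS handshake, meaning an encrypted client reached a listener that answers in plain HTTP. The sample log lines and the 192.0.2.x addresses are constructed, and the log is assumed to be read as raw bytes.

```python
import re

# Apache error_log entry of the form quoted in the thread.
ENTRY = re.compile(
    rb"\[client (?P<client>[^\]]+)\] Invalid method in request (?P<req>.*)")
# Newer httpd versions log non-printable bytes as \xNN; undo that first.
ESCAPED = re.compile(rb"\\x([0-9a-fA-F]{2})")


def classify_request_prefix(req):
    """Say what the first bytes of a rejected 'request' look like."""
    raw = ESCAPED.sub(lambda m: bytes([int(m.group(1), 16)]), req)
    if len(raw) >= 3:
        # SSLv3/TLS record: content type 0x16 (handshake), major version 3.
        if raw[0] == 0x16 and raw[1] == 0x03:
            return "tls-record"
        # SSLv2-compatible hello: 2-byte length header with the high bit
        # set, followed by message type 1 (CLIENT-HELLO).
        if raw[0] & 0x80 and raw[2] == 0x01:
            return "sslv2-client-hello"
    return "not-tls"


def scan(log):
    """Return (client, classification) for each matching log line."""
    hits = []
    for line in log.split(b"\n"):
        m = ENTRY.search(line)
        if m:
            client = m.group("client").decode("ascii", "replace")
            hits.append((client, classify_request_prefix(m.group("req"))))
    return hits


# Constructed sample: raw SSLv2 hello, raw TLS record, an escaped TLS
# record, and an ordinary bad method that has nothing to do with TLS.
SAMPLE_LOG = (
    b"[Sun Mar  4 20:44:34 2001] [error] [client 192.0.2.10] "
    b"Invalid method in request \x80F\x01\x03\n"
    b"[Sun Mar  4 20:45:01 2001] [error] [client 192.0.2.11] "
    b"Invalid method in request \x16\x03\x01\n"
    b"[Sun Mar  4 20:46:12 2001] [error] [client 192.0.2.12] "
    b"Invalid method in request \\x16\\x03\\x01\n"
    b"[Sun Mar  4 20:47:30 2001] [error] [client 192.0.2.13] "
    b"Invalid method in request FOO / HTTP/1.0\n"
)

if __name__ == "__main__":
    for client, kind in scan(SAMPLE_LOG):
        print(client, kind)
```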



Re: Apache 2.0

2001-03-05 Thread Dave Paris

[..snip a bunch of sane pondering at completely inexplicable behavior by
third parties..]

> The only thing I currently know is that with Apache 2.0 it seems that we
> again will have the same SSL/TLS problem as we had three years ago with
> Apache 1.3 (means: an unpolished 70% percent solution). And I also know
> that someone (not necessarily me) will again find this not satisfactory.
> What approach then is used to change this we all still don't know...

Ralf, take heart that you're not alone here.  As much as I believe in
and work for OpenSource projects, this is the Achilles heel of them
all.  They completely forget they are still developing applications for
a USER BASE.  When their internal politics flies in the face of what's
best for that user base, the project comes off looking like it was done
by a gaggle of immature, clue-challenged fruckwits who cannot grasp the
basics of how to run a successful project.

mutters something about forgetting and repeating history...

Apache has been (arguably) one of the best OS projects to date.  It
pains me to see the obvious, and most successful current SSL
implementation not be chosen for the 2.0 revision.  I definitely don't
recall seeing a user-community vote on the topic of SSL/TLS choice for
the 2.0 revision.  I'm sure there are many folks who would have
appreciated the opportunity to have voiced their opinion.  Heck, even
large companies like Computer Associates take polls of that nature.

After all, if the project doesn't do its best to increasingly serve the
user base that's grown along with it, what's the point?  Surely the
point can't be politics - that's reserved for those extra-special folks
who speak far more and work far less.

just my $0.02 at the state of some recent, mind-bogglingly stupid moves
in the OpenSource community.

--dsp



Re: Apache 2.0

2001-03-05 Thread Balázs Nagy

Dave Paris wrote:

[snip]


> just my $0.02 at the state of some recent, mind-bogglingly stupid moves
> in the OpenSource community.

[Flamebait] That reminds me of the GNOME fiasco. (KDE is far superior, yet some
want to reinvent the wheel.)




Re: Lost of session after redirect from https to http?

2001-03-05 Thread Jens Vonderheide

> I'm using mod_ssl 2.8.0 + apache 1.3.17 + tomcat 3.2.1.
> The problem i encountered is: after redirect the user back to http page from
> an https page, the session variables were gone.

If you're using cookies for session management, it might be that tomcat sets
the cookie to be only sent with https when starting the session on a secure
server. I have not yet used tomcat with https so I'm not sure about that,
but it might be a point to look at.

Jens




Re: Apache 2.0

2001-03-05 Thread Austin Gonyou

The use of the word "superior" is a subjective one. Just as some say that
Picasso is superior to Michelangelo. Because there are different styles to
doing the same thing, does not mean that they should be criticized in a
manner which solves nothing, but adds fuel to fire. Saying x is superior
over y, while on the surface may appear true, only after looking at
tangible evidence and reasons behind why x is superior to y and vice
versa can we attain enlightenment about that which we claim. I realize this
because I work in an office which is sometimes painful. Plenty of claims
about this is better than that, but no real substantiation about anything.
People can talk from experience, but sometimes that's not enough. Proof of
the pudding and all that.

I think what you are saying here is good feedback, but let's try to debate
the reasons, rather than speculate. I think it is a mistake not to use
mod_ssl code in Apache 2.0, but with no truly objective debate happening
in the Apache list (from what I've seen I don't consider 'mod_ssl is
spaghetti' as objective), then both projects suffer. Mod_ssl less than the
ASF I think, but that's the way it is. Does it mean that this won't
change? Not really, it just means that _if_ it changes, it will take a
while and probably be painful.

Thank you all for your ear, and sorry if it's a bit long. I'm quite
passionate about OpenSource and what its potentials are. It simply
breaks my heart to see people who are usually enlightened enough to
believe in freedom and openness breed politics into something so good.


-- 
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: [EMAIL PROTECTED]

On Mon, 5 Mar 2001, Balázs Nagy wrote:

> Dave Paris wrote:
>
> [snip]
>
> > just my $0.02 at the state of some recent, mind-bogglingly stupid moves
> > in the OpenSource community.
>
> [Flamebait] That reminds me of the GNOME fiasco. (KDE is far superior, yet
> some want to reinvent the wheel.)




Re: Apache 2.0

2001-03-05 Thread Balázs Nagy

Austin Gonyou wrote:

 
> Thank you all for your ear, and sorry if it's a bit long. I'm quite
> passionate about OpenSource and what its potentials are. It simply
> breaks my heart to see people who are usually enlightened enough to
> believe in freedom and openness breed politics into something so good.

Thank you for not assassinating me for the flamebait.

The question is, what do you suggest we do to encourage ASF to
(re)consider mod_ssl?




Re: Apache 2.0

2001-03-05 Thread Austin Gonyou

I think the biggest thing we can do is take a wait and see attitude, but
keep on top of the ssl issue as a whole. The other thing to do is to
review the technical reasons why mod_ssl should not be incorporated at
all, to try and dispel any and all political issues people in that group
may have. Politics doesn't belong in the OS community, not this type of
politics anyway. We need to show both parties that a balance can be
reached, but that it takes both parties, not one, working in tandem to
achieve something useable to both. I believe that mod_ssl, and apache_ssl
are 2 projects which should exist, and never be the same project. Freedom
of choice is what drove most of us to OpenSource, we should embrace this
as an opportunity to continue that tradition.

-- 
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: [EMAIL PROTECTED]

On Mon, 5 Mar 2001, Balázs Nagy wrote:

> Austin Gonyou wrote:
>
> > Thank you all for your ear, and sorry if it's a bit long. I'm quite
> > passionate about OpenSource and what its potentials are. It simply
> > breaks my heart to see people who are usually enlightened enough to
> > believe in freedom and openness breed politics into something so good.
>
> Thank you for not assassinating me for the flamebait.
>
> The question is, what do you suggest we do to encourage ASF to
> (re)consider mod_ssl?




Re: Apache 2.0 (fwd)

2001-03-05 Thread Cliff Woolley


  [ Message reposted because I accidentally sent the original under
an alternate address which wasn't accepted by the list software ]

-- Forwarded message --
Date: Mon, 5 Mar 2001 16:50:33 -0500 (EST)
From: Cliff Woolley [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Apache 2.0

On Mon, 5 Mar 2001, Dave Paris wrote:

> Apache has been (arguably) one of the best OS projects to date.  It
> pains me to see the obvious, and most successful current SSL
> implementation not be chosen for the 2.0 revision.  I definitely don't
> recall seeing a user-community vote on the topic of SSL/TLS choice for
> the 2.0 revision.  I'm sure there are many folks who would have
> appreciated the opportunity to have voiced their opinion.  Heck, even
> large companies like Computer Associates take polls of that nature.

Just to throw in an objective perspective in fairness to all (regardless
of my personal preference for mod_ssl):

There is actually a rather big technical problem with just dumping
*either* mod_ssl or Apache-SSL into Apache 2.0.  That is that the I/O
mechanics of Apache 2.0 are *completely* different than those of 1.3.
SSL/TLS in 2.0 can and should be implemented using the new I/O filtering
and bucket-brigades data management system of 2.0, which is a fairly
drastic change from any code out there for SSL/TLS in 1.3.

So, while politics does play a factor (necessarily just by human nature),
it's not that the group just said "We choose not to use mod_ssl for 2.0"
for purely political reasons.  Rather, they said "We need to get a really
basic SSL/TLS implementation set up that uses filtering and bucket
brigades, because there does not currently exist such a beast.  Then we
can pull in all the neat goodies from mod_ssl and Apache-SSL from there."
Hence mod_tls was born.  It's currently in stage 1 -- getting it working
as a filter.  Next is stage 2... pulling in the goodies.

Don't get disappointed or up-in-arms just yet.  =-)

--Cliff Woolley
Apache 2.0/APR contributor



--
   Cliff Woolley
   [EMAIL PROTECTED]
   Charlottesville, VA


