RE: it runs but that's about it

2001-03-12 Thread John . Airey

It looks to me that you haven't got an entry in your DNS for
"myaddress.com". 

In our DNS we have entries such as this

@   IN  A   194.128.16.4

The "@" is an alias to the domain name, and saves me an awful lot of typing
and potential errors when managing over 20 domains.

Of course, I'm assuming that you don't mean hostname.myaddress.com 

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



 -Original Message-
 From: Justin Naik [mailto:[EMAIL PROTECTED]]
 Sent: 09 March 2001 15:28
 To: '[EMAIL PROTECTED]'
 Subject: it runs but that's about it
 
 
 can anyone please tell me how to search for errors in my SSL 
 installation
 
 Redhat linux 6.2
 apache 1.3.12
 
 i've done all the things i'm told to with Open SSL and MOD SSL.
 
 The apache server starts up ok in normal form and even starts up with
 -startssl parameter.
 
 But I go to https://myaddress.com and I get a doesn't exist error
 
 HELP! - where do I start to look for errors - I have no idea!
 
 Cheers, Justin
 __
 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  [EMAIL PROTECTED]
 Automated List Manager[EMAIL PROTECTED]
 



Re: [BugDB] MSIE 5.x connection failure timing issue (PR#528)

2001-03-12 Thread David Rees

Do you also have an SSLSessionCache defined?  Many MSIE clients will
break without it.

-Dave

On Fri, Mar 02, 2001 at 03:41:04PM +0100, [EMAIL PROTECTED] wrote:
 Full_Name: Martin Dickau
 Version: 2.7.2.2
 OS: Windows 2000
 Submission from: (NULL) (216.57.24.244)
 
 
 We are experiencing an MSIE 5.x connection failure problem similar to what
 others are reporting.  There is a timing aspect to the problem, however.
 
 Environment: OpenSA 1.0.0b3 (Apache 1.3.14, OpenSSL 0.9.6, mod_ssl 2.7.2.2) on
 Windows 2000 Advanced Server.  The various httpd.conf changes suggested in the
 FAQ (nokeepalive/downgrade-1.0 and !EXPORT56 in the cipher list) have been
 applied without effect.
 
 Primary symptom: Some IE 5.x (particularly 5.0x) either cannot connect to our
 site at all ("cannot find server or DNS error") or get through the first couple
 of pages and then get the same error.  The common thread is that these people
 are going over a slow connection (dial-up or relatively low bandwidth DSL). 
 Some of these configurations work fine when connected to a high-speed line (we
 have users with laptops that work at the office and fail at home, for example).

snip



Re: [BugDB] Compilation problem (PR#525)

2001-03-12 Thread modssl-bugdb

On Tue, Feb 27, 2001, [EMAIL PROTECTED] wrote:

 Full_Name: Jean-Luc OMS
 Version: 2.8.0
 OS: Solaris 8  gcc 2.95.2
 Submission from: (NULL) (193.49.105.34)
 
 In src/modules/ssl, the generation of the file ssl_expr_scan.c seems 
 to have a mistake.
 
 At line 254 :
 YY_BUFFER_STATE yy_scan_string YY_PROTO(( yyconst char *str ));
 
 and for the lines 1750 
 
 should be (I suppose looking at older versions)
 YY_BUFFER_STATE yy_scan_string YY_PROTO(( yyconst char *yy_str ));
 with the same changes at 1750..1765

Sorry, I don't know where you are looking, but it seems not version
2.8.0:

| rse@en1:/tmp/mod_ssl-2.8.0-1.3.17/pkg.sslmod
| : grep yy_scan_string ssl_expr_scan.c 
| #define yy_scan_string ssl_expr_yy_scan_string
| YY_BUFFER_STATE yy_scan_string YY_PROTO(( yyconst char *yy_str ));
| YY_BUFFER_STATE yy_scan_string( yyconst char *yy_str )
| YY_BUFFER_STATE yy_scan_string( yy_str )
| rse@en1:/tmp/mod_ssl-2.8.0-1.3.17/pkg.sslmod
| :

As you can see, version 2.8.0 contains a correct ssl_expr_scan.c.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



timeouts, errors, oh my...

2001-03-12 Thread John-Marc




Over my head, and apparently our web master 
also. We have mod_ssl running on a linux box. Netscape usually 
works. IE 4 doesn't load all the references (graphics and .js files) that 
means it loads SOME and they are all referenced the same. Hit refresh and 
there is an 'error in secured channel' wait a while, and refresh works 
again. Where does one look?


Re: search list?

2001-03-12 Thread rwidmer

Addressed to: [EMAIL PROTECTED]
  Randy Bush [EMAIL PROTECTED]

** Reply to note from Randy Bush [EMAIL PROTECTED] Sun, 04 Mar 2001 20:53:53 -0800
   
 i am new to mod_ssl and am hitting new-idiot problems, of course. is
 there a searchable archive of the list for when i don't find it in the
 faq or other pages? i hate to bug folk with newbie crap.

I can't help you with the error message, but for a searchable list try:


   http://marc.theaimsgroup.com/


Look for  apache-modssl  in the apache group.  They have quite a
selection of lists, and a good search engine.







Rick Widmer
Internet Marketing Specialists
http://www.developersdesk.com



Re: Apache 2.0

2001-03-12 Thread rwidmer

** Reply to note from "ModSSL user" [EMAIL PROTECTED] Mon, 5 Mar 2001 10:20:24 +0100
   
 Hi,
   
 What about mod_ssl port to Apache 2.0.
   
 You proposed some time ago to put all mod_ssl 2.8.x in Apache 2.0 tree
 but there is still nothing. 

If I remember right, the decision was that NOTHING would be done until
Apache 2.0 made it to beta, in an attempt to minimize the number of
rewrites needed as the software layout changed in alpha and pre-alpha
stages.

I thought I saw mention that they were about to roll out the first beta
version of 2.0 in the Apache Newsletter, but httpd.apache.org still
shows the current 2.0 to be alpha.  I don't expect work on mod_ssl to
START until the beta is released.




Rick Widmer
Internet Marketing Specialists
http://www.developersdesk.com



Re: Apache 2.0

2001-03-12 Thread Mats Dufberg

On Mon, 5 Mar 2001, Ralf S. Engelschall wrote:

  What about mod_ssl port to Apache 2.0.
  You proposed some time ago to put all mod_ssl 2.8.x in Apache 2.0 tree
  but there is still nothing.

 Although I offered the whole mod_ssl 2.8 code basis under the ASF
 license to the ASF, there was no group consensus on using mod_ssl for
 Apache 2.0. Look at the way and by whom SSL/TLS was pushed into Apache
 2.0 and you should be able to imagine yourself why our mod_ssl code was
 not accepted as the code base.

Do I interpret it correctly that SSL/TLS will be included in base Apache
2.0, and that the SSL/TLS code is based on something else but the mod_ssl
code?

I find no sign of SSL/TLS in the Apache documentation for 2.0.


Mats

-
Mats Dufberg +46-8-545 857 06
[EMAIL PROTECTED]   fax: +46-8-545 857 29




Automatically switch back to HTTP

2001-03-12 Thread Martin Kong

I have a few pages on a web site that I want to protect with SSL.  I
have changed the links to those pages with fully qualified path, i.e.
https://www.mysite.com/pagename.html instead of just /pagename.html. 
This all works fine.  But once the user is in SSL mode, the whole site will
be in SSL mode since most of the links are based on document root
instead of fully qualified.

Is there a way I can configure Apache (Apache 1.3.17 on Linux) so that
it will automatically switch to http when accessing these other pages on
the site?

Thanks in advance.



2.8.1 Instll bug on win32

2001-03-12 Thread tjww

Hi, 

When I run configure.bat to patch apache with modssl, it shows error msg

 Global symbol "$first2" requires explicit package name at configure.bat line 269.
 BEGIN not safe after errors--compilation aborted at configure.bat line 283.

I am not familiar with perl, anybody who can tell me how to deal with it?

Thanks.

Bye, Sincerely yours tjww.



[BugDB] PRIVATE: pkg.eapi/ap_ctx.h macros not 64-bit safe (PR#529)

2001-03-12 Thread modssl-bugdb

Full_Name: John Wilkins
Version: 2.8.1-1.3.19
OS: Compaq Tru64 4.0E
Submission from: (NULL) (204.186.46.20)


While compiling Apache 1.3.19 with mod_ssl-2.8.1-1.3.19 using gcc 2.8.1 under
Compaq Tru64 4.0E, I got the following warnings:

ssl_engine_kernel.c:803: warning: cast from pointer to integer of different
size

ssl_engine_kernel.c:807: warning: cast to pointer from integer of different
size

The lines in question make use of the AP_CTX_PTR2NUM and AP_CTX_NUM2PTR macros, 
which are defined in mod_ssl-2.8.1-1.3.19/pkg.eapi/ap_ctx.h

These macros are not 64-bit safe since pointers on Alpha machines are 64-bits
long but unsigned int's are only 32, thus the warning when casting either
direction.  The greatest concern, of course, would be PTR2NUM.  Provided that no
significance is lost, this problem is probably of low priority, right?



Apache-1.3.19+mod_ssl-2.8.1+php-4.0.4pl1 segfault (no core filecreated)

2001-03-12 Thread Karlos Z. Smith


After compiling mod_ssl apache and php as per instructions, running httpd
-DSSL segfaults.  I would normally have thought this a php bug, since it
breaks after adding PHP. But I observed the same behavior when I compiled
Apache+mod_perl+mod_ssl. (yes I compiled mod_perl into apache, _not_ as a
DSO).  (And yes as the FAQ states I made sure PHP was compiled with
-DEAPI)

Apache+mod_ssl works OK
Apache+php4 works OK
Apache+mod_ssl+php4 fails
Apache+mod_perl+mod_ssl fails

For an install log see
http://home.viptx.net/~kazen/Apache+mod_ssl+php4.build.txt
For a strace log see
http://home.viptx.net/~kazen/Apache+mod_ssl+php4.strace.txt

I would love to provide a gdb backtrace but apache is _not_ producing a
core file when it segfaults.
(Yes I compiled with "-g -ggdb3")

-- 
"To err is human, to forgive is beyond the scope of the Operating System"






Re: Apache 2.0

2001-03-12 Thread Cliff Woolley

On Mon, 5 Mar 2001, Dave Paris wrote:

 Apache has been (arguably) one of the best OS projects to date.  It
 pains me to see the obvious, and most successful current SSL
 implementation not be chosen for the 2.0 revision.  I definitely don't
 recall seeing a user-community vote on the topic of SSL/TLS choice for
 the 2.0 revision.  I'm sure there are many folks who would have
 appreciated the opportunity to have voiced their opinion.  Heck, even
 large companies like Computer Associates take polls of that nature.

Just to throw in an objective perspective in fairness to all (regardless
of my personal preference for mod_ssl):

There is actually a rather big technical problem with just dumping
*either* mod_ssl or Apache-SSL into Apache 2.0.  That is that the I/O
mechanics of Apache 2.0 are *completely* different than those of 1.3.
SSL/TLS in 2.0 can and should be implemented using the new I/O filtering
and bucket-brigades data management system of 2.0, which is a fairly
drastic change from any code out there for SSL/TLS in 1.3.

So, while politics does play a factor (necessarily just by human nature),
it's not that the group just said "We choose not to use mod_ssl for 2.0"
for purely political reasons.  Rather, they said "We need to get a really
basic SSL/TLS implementation set up that uses filtering and bucket
brigades, because there does not currently exist such a beast.  Then we
can pull in all the neat goodies from mod_ssl and Apache-SSL from there."
Hence mod_tls was born.  It's currently in stage 1 -- getting it working
as a filter.  Next is stage 2... pulling in the goodies.

Don't get disappointed or up-in-arms just yet.  =-)

--Cliff Woolley
Apache 2.0/APR contributor



--
   Cliff Woolley
   [EMAIL PROTECTED]
   Charlottesville, VA




RE: ANNOUNCE: mod_ssl 2.8.1 for Apache 1.3.19

2001-03-12 Thread Paul Rubin

That's interesting if the dbm cache is causing those problems.
Unfortunately I'm not able to use the shm cache in my installation.  I might
try replacing dbm with Berkeley DB (www.sleepycat.com) which is an
upward-compatible dbm replacement with much better concurrency support.  It
might be worth incorporating that as an option in the modssl distribution.

-Original Message-
From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 03, 2001 3:13 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: ANNOUNCE: mod_ssl 2.8.1 for Apache 1.3.19



Sorry for the short delay, but here it finally is: mod_ssl 2.8.1 for
Apache 1.3.19. The corresponding CHANGES entries are appended below.
Grab it from:

http://www.modssl.org/source/
 ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.1 (30-Jan-2001 to 03-Mar-2001)

   *) Conditionally adjusted source to build quietly also under
  latest OpenSSL 0.9.7-dev versions.

   *) Added a bunch of (untested!) adjustments and fixes for 
  the Win32 platform as posted to modssl-users some time
  ago by various people.

   *) Fixed SSLCipherSuite example in httpd.conf-dist: 
  The string EXP56 is actually EXPORT56, although OpenSSL
  internally the variable is named SSL_TXT_EXP56.

   *) Upgraded to Apache 1.3.19 as base version.

   *) Extended FAQ entry for MSIE problems.

   *) Added FAQ entry for questions "Why do I get lots of random SSL
  errors under heavy load?"
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
Official Announcement Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Automatically switch back to HTTP

2001-03-12 Thread Chong, Arthur

In our "experimentation" it helps that the secure vs non-secure 
web pages start on an entirely different document root.
Same server alias, just different doc root.

Try that and please report your results...

Thanks,
-Arthur.

-Original Message-
From: Martin Kong [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 06, 2001 1:25 AM
To: [EMAIL PROTECTED]
Subject: Automatically switch back to HTTP


I have a few pages on a web site that I want to protect with SSL.  I
have changed the links to those pages with fully qualified path, i.e.
https://www.mysite.com/pagename.html instead of just /pagename.html. 
This all works fine.  But once the user is in SSL mode, the whole site will
be in SSL mode since most of the links are based on document root
instead of fully qualified.

Is there a way I can configure Apache (Apache 1.3.17 on Linux) so that
it will automatically switch to http when accessing these other pages on
the site?

Thanks in advance.



Re: 2.8.1 Instll bug on win32

2001-03-12 Thread Peter Arrenbrecht

Just precede it by "my", as in:

if (my $first2 =~ m|^\.\.|) {

(Search for "first2" to find this line.)
I seem to remember that I also had to change the following:

os\win32\MakeModuleMak.mak

to

os\win32\MakeModuleMak.cpp

(Again, just search for it.)

Finally, I had to add an include search path to os\win32 to one of the
mod_ssl makefiles. Don't remember which, however.

Finally, my builds for 1.3.19 (and 1.3.17 binary downloads) crash when
accessed by Netscape 4.7. I logged a detailed debug trace of this to the bug
database.


peo



- Original Message -
From: "tjww" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 06, 2001 8:37 AM
Subject: 2.8.1 Instll bug on win32


 Hi,

 When I run configure.bat to patch apache with modssl, it shows error msg

  Global symbol "$first2" requires explicit package name at configure.bat line 269.
  BEGIN not safe after errors--compilation aborted at configure.bat line 283.

 I am not familiar with perl, anybody who can tell me how to deal with it?

 Thanks.

 Bye, Sincerely yours tjww.



Re: Automatically switch back to HTTP

2001-03-12 Thread Brett W. McCoy

On Tue, 6 Mar 2001, Martin Kong wrote:

 I have a few pages on a web site that I want to protect with SSL.  I
 have changed the links to those pages with fully qualified path, i.e.
 https://www.mysite.com/pagename.html instead of just /pagename.html.
 This all works fine.  But once the user is in SSL mode, the whole site will
 be in SSL mode since most of the links are based on document root
 instead of fully qualified.

 Is there a way I can configure Apache (Apache 1.3.17 on Linux) so that
 it will automatically switch to http when accessing these other pages on
 the site?

The best way to do this is to create virtual hosts (one for port and one
for port 443) and put your secure pages under a different document root
than the unsecure pages so that access can't be mixed up.

Another trick is to use mod_alias (or mod_rewrite) and do automatic
redirections from pages in a certain area to a protected area:

Redirect /Login https://www.mydomain.com/Login

This way you don't need to change the links in your HTML, they will
automatically get redirected, even when they are requested as http://  You
should still organize your pages so that secure pages and non-secure
aren't all in the same directory.  It will make your life a lot easier.

These redirects should also be put into a virtual host for port 80:

<VirtualHost _default_:80>

Redirect ...

</VirtualHost>

-- Brett
http://www.chapelperilous.net/~bmccoy/

You will be held hostage by a radical group.




Re: timeouts, errors, oh my...

2001-03-12 Thread Deocs Postmaster

At 10:55 PM 03/04/2001 , you wrote:
Over my head, and apparently our web master also.  We have mod_ssl running 
on a linux box.  Netscape usually works.  IE 4 doesn't load all the 
references (graphics and .js files) that means it loads SOME and they are 
all referenced the same.  Hit refresh and there is an 'error in secured 
channel'  wait a while, and refresh works again.  Where does one look?


I don't know if this is pertinent, but I am having an intermittent
problem as well.  I submitted this to DavExplorer and mod_dav
yesterday.

I am using DavExplorer 0.71 in SSL mode with:
  Apache_1.3.19
  mod_ssl_2.8.1
  mod_dav_1.1.0
  Windows 98 SE

When I try to write files from the local directory to the
web directory I sometimes get a Java message from DavExplorer:
 Connection error:
 java.net.SocketException: Connection reset by peer: socket write error

The DavExplorer log shows:
= Outbound Message Header =
PUT /davssl/jdk11htm.exe HTTP/1.1
Host: www.deocs.com:443
Connection: TE
TE: trailers, deflate, gzip, compress
User-Agent: UCI DAV Explorer/0.71 RPT-HTTPClient/0.3-2E
Accept-Encoding: deflate, gzip, x-gzip, compress, x-compress
Content-type: application/octet-stream
Content-length: 899090

The Apache error log reports a one line error:
  [Sun Mar 11 13:39:18 2001] [error] [client 192.168.1.1]
  An error occurred while reading the request body.  [400, #0]

The error seems to be likely to happen with files of 100K bytes
or more, and some files will work after trying them a few times.

Thanks,
Dave





Re: 2.8.1 Instll bug on win32

2001-03-12 Thread Deocs Postmaster

At 02:37 AM 03/06/2001 , you wrote:
Hi,

When I run configure.bat to patch apache with modssl, it shows error msg

  Global symbol "$first2" requires explicit package name at configure.bat 
 line 269.
  BEGIN not safe after errors--compilation aborted at configure.bat line 283.

This information was from last week:

  The Apache_1.3.19 and modssl_2.8.1 source file from March 3
  needs the following updates from the CVSWeb:
  (1) [modssl] / mod_ssl / pkg.mod_ssl / configure.bat
  (2) [modssl] / mod_ssl / pkg.mod_ssl / pkg.sslmod / Makefile.win32
 
 Install OpenSSL into $INSTALLTOP. You have do this by hand:
  ...
 $ copy /b inc32\*   p:\openssl\include\openssl
  ...
 I interpreted this to mean that the "p:\openssl\include\openssl"
 directory should contain the *.h files, not another directory
 named openssl that contains those files.

Dave





Re: timeouts, errors, oh my...

2001-03-12 Thread Jeffrey Burgoyne


Over SSL I'd suggest turning keep alives off. We have had awful problems
with IE keepalives under SSL.

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown



Jeff

[EMAIL PROTECTED]

On Mon, 12 Mar 2001, Deocs Postmaster wrote:

 At 10:55 PM 03/04/2001 , you wrote:
 Over my head, and apparently our web master also.  We have mod_ssl running 
 on a linux box.  Netscape usually works.  IE 4 doesn't load all the 
 references (graphics and .js files) that means it loads SOME and they are 
 all referenced the same.  Hit refresh and there is an 'error in secured 
 channel'  wait a while, and refresh works again.  Where does one look?
 
 
 I don't know if this is pertinent, but I am having an intermittent
 problem as well.  I submitted this to DavExplorer and mod_dav
 yesterday.
 
 I am using DavExplorer 0.71 in SSL mode with:
   Apache_1.3.19
   mod_ssl_2.8.1
   mod_dav_1.1.0
   Windows 98 SE
 
 When I try to write files from the local directory to the
 web directory I sometimes get a Java message from DavExplorer:
  Connection error:
  java.net.SocketException: Connection reset by peer: socket write error
 
 The DavExplorer log shows:
 = Outbound Message Header =
 PUT /davssl/jdk11htm.exe HTTP/1.1
 Host: www.deocs.com:443
 Connection: TE
 TE: trailers, deflate, gzip, compress
 User-Agent: UCI DAV Explorer/0.71 RPT-HTTPClient/0.3-2E
 Accept-Encoding: deflate, gzip, x-gzip, compress, x-compress
 Content-type: application/octet-stream
 Content-length: 899090
 
 The Apache error log reports a one line error:
   [Sun Mar 11 13:39:18 2001] [error] [client 192.168.1.1]
   An error occurred while reading the request body.  [400, #0]
 
 The error seems to be likely to happen with files of 100K bytes
 or more, and some files will work after trying them a few times.
 
 Thanks,
 Dave
 
 



[BugDB] Connection refused (PR#530)

2001-03-12 Thread modssl-bugdb

Full_Name: Edgar Murguia
Version: mod_ssl-2.8.0-1.3.17
OS: Linux 6.2
Submission from: (NULL) (148.216.6.188)


when i try to connect via internet to https://www.redmorelia.com
I got the next message:
"Netscape's Network connection was refused by the server
www.redmorelia.com
The server may not be accepting connections or may be busy



RE: SSL and NameVirtualHosts

2001-03-12 Thread Thomas Leavitt

I was trapped by the no SSL with name-based virtual hosts as well... has
anyone thought about amending the protocol specification to enable this? ...
back in '95, my company (WebCom, at the time) was at the forefront of
pushing for the HTTP_HOST header to be included in the HTTP 1.1
specification... seems like this would be a similarly logical extension.

Regards,
Thomas Leavitt

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Gotz Babin-Ebell
Sent: Wednesday, February 28, 2001 9:00 AM
To: [EMAIL PROTECTED]
Subject: Re: "key value mismatch" error, but I don't believe it.


Mark Stosberg wrote:

 On Tue, 27 Feb 2001, Michelle Govender wrote:
 
  normally that error means your private key and certificate file do not
  match.
  To test it try using these commands:
  for the private key:
  $ openssl rsa -noout -text -in keyfile -modulus
  for the certificate file:
  $ openssl x509 -noout -text -in certfile -modulus
 
  If the moduli for the two files are different then you are using the
  incorrect private key and therefore the certificate will NOT work.

 Michelle,

   This was a great tip. Thanks. The moduli were in fact different. I'm
 going to re-initiate the signing request with Equifax and see if that
 straightens things out. Thanks.

But you do know you can't use virtual hosts with different host names
with SSL ?

The certificate containing the host name is sent in the SSL handshake
and in the SSL handshake we have no Host:  line...

By

Goetz

--
Goetz Babin-Ebell, TC TrustCenter GmbH, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126
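
The key/certificate modulus comparison quoted in the message above, as an added example that is not part of the original thread: it wraps the two `openssl` commands in a check that tells a genuine mismatch apart from a file that cannot be parsed. The function names, file names and the generated sample key and certificate are assumptions constructed for this illustration, and it covers RSA keys only.

```shell
#!/bin/sh
# Added example (not from the original thread): check that an RSA private key
# and a certificate belong together by comparing their moduli.
# All function and file names here are assumptions made for the illustration.

# Print "Modulus=<hex>" for an RSA private key; non-zero status on error.
# (openssl prompts for the pass phrase if the key is encrypted.)
key_modulus() {
    openssl rsa -noout -modulus -in "$1" 2>/dev/null
}

# Print "Modulus=<hex>" for the public key inside an X.509 certificate.
cert_modulus() {
    openssl x509 -noout -modulus -in "$1" 2>/dev/null
}

# check_pair KEYFILE CERTFILE
#   returns 0 if the moduli are identical,
#           1 if both files parse but the moduli differ (wrong key for cert),
#           2 if either file is missing or is not the expected kind of file.
check_pair() {
    km=$(key_modulus "$1") || return 2
    cm=$(cert_modulus "$2") || return 2
    [ -n "$km" ] && [ -n "$cm" ] || return 2
    [ "$km" = "$cm" ] || return 1
    return 0
}

# Build constructed sample material in DIR: two unrelated keys and a
# self-signed certificate made from the first key only.
make_samples() {
    dir=$1
    openssl genrsa -out "$dir/a.key" 2048 2>/dev/null &&
    openssl genrsa -out "$dir/b.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$dir/a.key" -subj "/CN=www.example.test" \
        -days 1 -out "$dir/a.crt" 2>/dev/null
}

# Run the check over the constructed samples and report each outcome.
demo() {
    tmp=$(mktemp -d) || return 2
    make_samples "$tmp" || { rm -rf "$tmp"; return 2; }
    for key in a.key b.key; do
        if check_pair "$tmp/$key" "$tmp/a.crt"; then
            echo "$key + a.crt: moduli match"
        else
            echo "$key + a.crt: mismatch or unreadable (status $?)"
        fi
    done
    rm -rf "$tmp"
}

demo
```
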



Re: apache 1.319 + modssl 2.8.1 on windows

2001-03-12 Thread Jonathon Douglas

jan
is there any chance you could post the compiled files to the contrib area on
modssl.org
tia
- Original Message -
From: "Jan Dries" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 07, 2001 11:45 PM
Subject: Re: apache 1.319 + modssl 2.8.1 on windows


 Jonathon Douglas wrote:
 
  has anyone managed to get this combination to compile yet
  (i havent atm)

 I have, using the patches that were posted on this newsgroup (and that
 have in the mean time been checked into CVS). Worked fine for me.
 The only surprise was that it builds dynamic modules with a different
 name and extension than in 1.3.14 (my previous version), i.e. it now
 creates a "mod_ssl.so" instead of an "ApacheModuleSSL.dll".

 Regards,
 Jan



Re: apache 1.319 + modssl 2.8.1 on windows

2001-03-12 Thread Jonathon Douglas

forgot to say the reason i asked this is because
when i used the patched configure.bat from cvs to build
it comes back with file not found everytime i try to run it

- Original Message - 
From: "Jan Dries" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 07, 2001 11:45 PM
Subject: Re: apache 1.319 + modssl 2.8.1 on windows


 Jonathon Douglas wrote:
  
  has anyone managed to get this combination to compile yet
  (i havent atm)
 
 I have, using the patches that were posted on this newsgroup (and that
 have in the mean time been checked into CVS). Worked fine for me.
 The only surprise was that it builds dynamic modules with a different
 name and extension than in 1.3.14 (my previous version), i.e. it now
 creates a "mod_ssl.so" instead of an "ApacheModuleSSL.dll".
 
 Regards,
 Jan



[BugDB] sign.sh missing from mod_ssl rpm (PR#531)

2001-03-12 Thread modssl-bugdb

Full_Name: Wes Barris
Version: 2.7.1
OS: Redhat 7
Submission from: (NULL) (144.34.33.41)


Hello,

I have installed mod_ssl-2.7.1-3 and apache-1.3.14-3 on a new Redhat 7
system.  I have everything running.  Now I want to create and use my
own CA.  I am following the instructions on this document:

mod_ssl-2.7.1-3: /var/www/html/manual/mod/mod_ssl/ssl_faq.html

Under the question:

"How can I create and use my own Certificate Authority (CA)?[L]"

it says in step 4:

4.Now you can use this CA to sign server CSR's in order to create 
  real SSL Certificates for use inside an
  
  Apache webserver (assuming you already have a server.csr at hand):   

  $ ./sign.sh server.csr

  This signs the server CSR and results in a server.crt file.

The problem is that there is no such file named "sign.sh" in the mod_ssl
rpm.  Where do I get that?






[BugDB] error when running sign.sh (PR#532)

2001-03-12 Thread modssl-bugdb

Full_Name: Wes Barris
Version: 2.7.1
OS: Redhat 7
Submission from: (NULL) (144.34.33.41)


Hello,

I am following the instructions in the following file:

mod_ssl-2.7.1-3: /var/www/html/manual/mod/mod_ssl/ssl_faq.html

I am trying to create my own CA as described under the following
heading in that file:

"How can I create and use my own Certificate Authority (CA)?[L]"

All goes well until I use the "sign.sh" command (which, for some reason
is not packaged with the mod_ssl-2.7.1-3.i386.rpm for Redhat 7).  Here
is a transcript of the error:

wes@kirby ./sign.sh server.csr 
CA signing: server.csr - server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName   :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Minnesota'
localityName  :PRINTABLE:'Minneapolis'
organizationName  :PRINTABLE:'Network Computing Services, Inc.'
organizationalUnitName:PRINTABLE:'Security Division'
commonName:PRINTABLE:'kirby.hpcmp.hpc.mil'
emailAddress  :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Mar  8 16:21:13 2002 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt - CA cert
server.crt: /C=US/ST=Minnesota/L=Minneapolis/O=Network Computing Services,
Inc./OU=Security [EMAIL PROTECTED]
error 18 at 0 depth lookup:self signed certificate
/C=US/ST=Minnesota/L=Minneapolis/O=Network Computing Services, Inc./OU=Security
[EMAIL PROTECTED]
error 7 at 0 depth lookup:certificate signature failure
wes@kirby

I can see two errors but I don't know what they mean or what I am supposed
to do about them.  Am I doing something wrong?






Re: apache 1.319 + modssl 2.8.1 on windows

2001-03-12 Thread Peter Arrenbrecht

Jonathon,

 forgot to say the reason i asked this is because
 when i used the patched configure.bat from cvs to build
 it comes back with file not found every time i try to run it

I think it is a reference to os\win32\MakeModuleMak.mak which should be to
.cpp instead of .mak. You can run the configure.bat file with the option -v
to make it output more details.


peo [EMAIL PROTECTED]


- Original Message -
From: "Jonathon Douglas" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, March 08, 2001 11:13 AM
Subject: Re: apache 1.319 + modssl 2.8.1 on windows


 forgot to say the reason i asked this is because
 when i used the patched configure.bat from cvs to build
 it comes back with file not found every time i try to run it

 - Original Message -
 From: "Jan Dries" [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, March 07, 2001 11:45 PM
 Subject: Re: apache 1.319 + modssl 2.8.1 on windows


  Jonathon Douglas wrote:
  
   has anyone managed to get this combination to compile yet
   (i haven't atm)
 
  I have, using the patches that were posted on this newsgroup (and that
  have in the mean time been checked into CVS). Worked fine for me.
  The only surprise was that it builds dynamic modules with a different
  name and extension than in 1.3.14 (my previous version), i.e. it now
  creates a "mod_ssl.so" instead of an "ApacheModuleSSL.dll".
 
  Regards,
  Jan






[BugDB] gcc include files (Ref. PR#176)

2001-03-12 Thread modssl-bugdb

Full_Name: Roberto De Luca
Version: 2.8.1
OS: Solaris 7
Submission from: (NULL) (168.96.66.29)


Trying to compile mod_ssl with the gcc compiler I got the same problem
found by Stephen Taylor and stated in report PR#176 (long lines were
broken for readability):

-
gcc -c  -I../../os/unix -I../../include   -DSOLARIS2=270 -DMOD_SSL=208101
-DEAPI -DUSE_EXPAT -I../../lib/expat-lite -fPIC -DSHARED_CORE -O2
`../../apaci` -DSHARED_MODULE -I/usr/include -DMOD_SSL_VERSION=\"2.8.1\"
ssl_engine_log.c  mv ssl_engine_log.o ssl_engine_log.lo
ssl_engine_log.c: In function `ssl_log':
ssl_engine_log.c:201: `__builtin_va_alist' undeclared (first use in this
functio
n)
ssl_engine_log.c:201: (Each undeclared identifier is reported only once
ssl_engine_log.c:201: for each function it appears in.)
*** Error code 1
make: Fatal error: Command failed for target `ssl_engine_log.lo'
--

I believe that, at least in my case, the problem is due to the
(somewhat) unusual location of the OpenSSL suite in my system.

I put the libraries (both libssl and libcrypto) under /usr/lib and 
the related include files under /usr/include/openssl.

When running the configure script it detects the include files under
/usr/include and adds "-I/usr/include" to the compiler command line.

It seems that locations specified on the command line with "-I" take
precedence over the internal compiler (preprocessor) defaults. So the
gcc compiler is unable to find the patched version of some include
files, particularly "varargs.h", located in some obscure location,
something like /usr/local/lib/gcc-lib/sparc-sun-solarisX.X/X.XX.X/include.
Instead of that it takes the standard version of this file (located 
in /usr/include) and reports the stated error.

I want to remark that this problem does not occur when using the Sun 
C compiler (there is no need of patched include files in this case!).

I was able to correct the problem with a minor modification in the 
configure procedure. After this, both cc and gcc successfully compile
mod_ssl. In file src/modules/ssl/libssl.module I introduce the
following change:


*** src/modules/ssl/libssl.module.orig  Mon Jan  1 07:48:53 2001
--- src/modules/ssl/libssl.module   Sat Mar  3 14:13:57 2001
***
*** 396,402 
  exit 1
  fi
  fi
! SSL_CFLAGS="$SSL_CFLAGS -I\$(SSL_INCDIR)"

  #
  #  determine location of OpenSSL libraries
--- 396,404 
  exit 1
  fi
  fi
! if [ ".$SSL_INCDIR" != ./usr/include ]; then
! SSL_CFLAGS="$SSL_CFLAGS -I\$(SSL_INCDIR)"
! fi

  #
  #  determine location of OpenSSL libraries
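
Review bot: The new test [ ".$SSL_INCDIR" != ./usr/include ] at lines 399-401 is an exact string comparison, so an SSL_INCDIR written as /usr/include/ (trailing slash) still gets -I added and the header shadowing described in the report comes back. A case statement on ".$SSL_INCDIR" that accepts both ./usr/include and ./usr/include/ would cover that spelling. The right-hand operand is also unquoted while the left-hand one is quoted; quoting both keeps the test consistent. A one-line comment above the test saying why /usr/include is skipped (gcc's own fixed headers must be found first) would help, since the reason is not evident from the script itself.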


This change prevents the script from adding "-I/usr/include" to the
command line. I believe that this modification has no negative
side effects; /usr/include should be among the compiler's internal
default list of searched directories.

For your reference, my gcc compiler version is 2.95.2 (19991024) and
my Sun C compiler version is 4.2 (30 Oct 1996)
Finally, my APACI configure command was
"configure --enable-rule=SHARED_CORE --enable-module=most --enable-shared=max
   --enable-module=ssl --enable-shared=ssl --enable-rule=EAPI
   --disable-rule=SSL_COMPAT"
 






IBM HTTP/Mod_SSL/Mod_Proxy

2001-03-12 Thread Lane Goolsby

Hello group,
I have a question that I am at my wits end trying to figure out. I
need to find out if it is possible to setup a proxy with SSL on both
sides (client--proxy and proxy--server). I can get SSL from the
browser to the proxy to work, but SSL from the proxy to the server does
not seem to be working properly or I am not doing something right. I can
get normal HTTP pages through the proxy w/o problems, so the proxy
works. The only thing I can find is when I look in the logs and I notice
that the GET commands are all in HTTP form, not HTTPS, so it would
appear that that is the problem but I am not sure. Any testimonials
saying if it will work or not would be helpful.

Setup:

Browser      Proxy      WWW Server
SSL          SSL        No SSL

Proxy = AIX 4.3 running IBM HTTPServer with mod_ssl and mod_proxy loaded

WWW Server = Win2k with IIS5

TIA!



Basic authentication and SSL

2001-03-12 Thread Ranga Nathan

When in SSL mode, basic authentication does not take place. I am relying on
REMOTE_USER variable set by Apache to set cookies and direct the user to his
data. Since going SSL I find that basic authentication does not take place,
as a result of which REMOTE_USER is not set.

I wonder if any setting is missing. I researched SSL and tried the
following:
SSLRequireSSL
SSLVerifyClient optional
SSLVerifyDepth 2
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

# if no user certificate is present, fallback to password-based authentication
Satisfy any

but that did not work.

Any assistance is appreciated.
Ranga Nathan
[EMAIL PROTECTED]



[BugDB] Apache 1.3.19+mod_ssl-2.8.1(Openssl-0.9.6)+php4.0.1pl1 segfault (PR#533)

2001-03-12 Thread modssl-bugdb

Full_Name: Karlos Smith
Version: 2.8.1-1.3.19
OS: Linux-2.4.2+gcc-2.95.2 19991024 (release)+glibc 2.2.2
Submission from: (NULL) (208.193.14.36)


After compiling mod_ssl apache and php as per instructions, running httpd -DSSL
segfaults.
I would normally have thought this a php bug, since it breaks after adding PHP.
But I observed the same behavior when I compiled Apache+mod_perl+mod_ssl.
(yes I compiled mod_perl into apache, _not_ as a DSO).

Apache+mod_ssl works OK
Apache+php4 works OK
Apache+mod_ssl+php4 fails
Apache+mod_perl+mod_ssl fails

For an install log see
http://home.viptx.net/~kazen/Apache+mod_ssl+php4.build.txt
For a strace log see
http://home.viptx.net/~kazen/Apache+mod_ssl+php4.strace.txt

I would love to provide a gdb backtrace but apache is _not_ producing a core
file when it segfaults.
(Yes I compiled with "-g -ggdb3"



Apache-1.3.19+mod_ssl-2.8.1+php-4.0.4pl1 segfault (no core file created)

2001-03-12 Thread Karlos Z. Smith

After compiling mod_ssl apache and php as per instructions, running httpd
-DSSL segfaults.  I would normally have thought this a php bug, since it
breaks after adding PHP. But I observed the same behavior when I compiled
Apache+mod_perl+mod_ssl. (yes I compiled mod_perl into apache, _not_ as a
DSO).  (And yes as the FAQ states I made sure PHP was compiled with
-DEAPI)

Apache+mod_ssl works OK
Apache+php4 works OK
Apache+mod_ssl+php4 fails
Apache+mod_perl+mod_ssl fails

For an install log see
http://home.viptx.net/~kazen/Apache+mod_ssl+php4.build.txt
For a strace log see
http://home.viptx.net/~kazen/Apache+mod_ssl+php4.strace.txt

I would love to provide a gdb backtrace but apache is _not_ producing a
core file when it segfaults.
(Yes I compiled with "-g -ggdb3"

-- 
"To err is human, to forgive is beyond the scope of the Operating System"




Re: it runs but that's about it

2001-03-12 Thread David Dilworth

At 10:27 AM 03/09/2001 , you wrote:
can anyone please tell me how to search for errors in my SSL installation

Redhat linux 6.2
apache 1.3.12

i've done all the things i'm told to with Open SSL and MOD SSL.

The apache server starts up ok in normal form and even starts up with
-startssl parameter.

But I go to https://myaddress.com and I get a doesn't exist error

HELP! - where do I start to look for errors - I have no idea!

Cheers, Justin

I am not familiar with the linux version.  If you haven't already
you may get some info from the access, error, and ssl log files.
They will tell you if you are getting in and some clues as to
what the problems may be.

To get more information you can change the logging level.  For
example in mod_ssl-1.8.1, I have changed the logging level from
info to warn:

 SSLLog logs/SSL.log
 ##SSLLogLevel info
 SSLLogLevel warn



Configuring ciphers for widest possible acceptance/usability

2001-03-12 Thread Scott Brown

Ok - I've lurked here since September... and now that I have my server
almost up and ready to go, I have a question - but first a statement:

<statement>

There seem to be a lot of conflicting views on the best way to set up the
ciphersuite and related SSL configuration parameters to provide the maximum
flexibility with the various browser versions.  Obviously, things change
over the course of 6 months as browsers have evolved... and because of this
I expect some of the older suggestions have been overridden by newer ones.

</statement>

The question is - which ones make the most sense for a generalized access
server?  Many of the suggestions I've read were to deal with a specific
browser - but then a day or so later, someone pops up and says that the fix
broke their install for another browser.  Is there no all-encompassing SSL
configuration directives that (today) provide the maximum flexibility for
all SSL aware browsers??

Right now, I'm using the defaults as set by v2.8.0... and have seen no
problems, but I've only used a small subset of browsers in my testing.  I am
of course expecting that every tom-dick-and-harry SSL capable browser in
existence will eventually find its way onto my server...and as such I'd
like to be ready for them ahead of their arrival.

Is there a single, standardized set of SSL* configuration directives
somewhere out there that I can just occasionally go and grab and update my
install with?  Does anyone maintain a mailing list which periodically sends
out new changes/tweaks that deal with the new versions of browsers as they
get released?

Thanks
Scott.



need help !!

2001-03-12 Thread Anish M (EHPT)



Hi all,
Apache fails to compile with mod_ssl on Win NT... says can't find

ap_aquire_pool
ap_make_shared_pool
in apachecore.def
Thanks in advance
anish

-- Choose the Internet payment 
standard!  http://www.jalda.com  http://www.ehpt.com
ANISH.M
Systems Engineerphone +91 116510101
internet payment systems   	mobile +91 9810304174
EHPT India Pvt Ltde:mail [EMAIL PROTECTED]  
 [EMAIL PROTECTED] 



[BugDB] Apache/mod_ssl crash on Win32 with Netscape 4.7 (PR#534)

2001-03-12 Thread modssl-bugdb

Full_Name: Peter Arrenbrecht
Version: 2.8.1
OS: Windows 2000
Submission from: (NULL) (193.247.162.250)


Description of crash of mod_ssl on Win2K


Netscape 4.7 causes Apache/mod_ssl to crash on Win32 when accessing a secure
page. There seems to be an overwrite of central context data for mod_ssl with
string data ("image/gif" etc.).


 Configuration

apache 1.3.19
mod_ssl 2.8.1-1.3.19
open_ssl 0.9.6
Visual C++ 6.0
Netscape 4.7

 What to do:

Configure a directory with SSLRequireSSL and basic pwd authentication 
required. Access it directly with Netscape, ie. https://127.0.0.1/mydir/
Enter name/pwd. Netscape shows the page, but apache faults with a
bad read access. This happend with both apache 1.3.19 and 1.3.17 with
corresponding versions of mod_ssl. Both in versions built myself and
in binary downloads (I found those only for 1.3.17).

Seems also to happen if the dir does not require password authentication 
(call stack is for case with pwd, however).


 Call stack:

ap_ctx_get(ap_ctx_rec * 0x0002, char * 0x1001a20c) line 125 + 21 bytes
ssl_io_suck_read(ssl_st * 0x040f5a18, char * 0x0088fe38, int 4096) line 265 + 21
bytes
SSL_recvwithtimeout(buff_struct * 0x0088fdf0, char * 0x0088fe38, int 4096) line
566 + 20 bytes
ssl_io_hook_recvwithtimeout(buff_struct * 0x0088fdf0, char * 0x0088fe38, int
4096) line 460 + 17 bytes
ap_hook_call_func(char * 0x036edbac, ap_hook_entry * 0x007bdc50, ap_hook_func *
0x007c7490) line 649 + 26 bytes
ap_hook_call(char * 0x6ffaf4ec `string') line 382 + 26 bytes
buff_read(buff_struct * 0x0088fdf0, void * 0x0088fe38, int 4096) line 299 + 26
bytes
saferead_guts(buff_struct * 0x0088fdf0, void * 0x0088fe38, int 4096) line 702 +
17 bytes
read_with_errors(buff_struct * 0x0088fdf0, void * 0x0088fe38, int 4096) line 753
+ 17 bytes
ap_bgets(char * 0x036ede28, int 8192, buff_struct * 0x0088fdf0) line 906 + 23
bytes
getline(char * 0x036ede28, int 8192, buff_struct * 0x0088fdf0, int 0) line 834 +
17 bytes
read_request_line(request_rec * 0x008b2df0) line 957 + 29 bytes
ap_read_request(conn_rec * 0x008a91e0) line 1119 + 9 bytes
child_sub_main(int 39) line 5561 + 27 bytes
child_main(int 39) line 5638 + 9 bytes
_threadstartex(void * 0x008428b0) line 212 + 13 bytes
KERNEL32! 77e837cd()


 Call chain (=== delimits calls, and introduces problem description;
  indicates current line)

 Problem: ctx is 0x2! ("if (ctx!=0).." was introduced by me.)

API_EXPORT(void *) ap_ctx_get(ap_ctx *ctx, char *key)
{
    int i;
    if (ctx != 0) {    /* guard added by the reporter */
        for (i = 0; ctx->cr_entry[i] != NULL; i++)    /* current line */
            if (strcmp(ctx->cr_entry[i]->ce_key, key) == 0)
                return ctx->cr_entry[i]->ce_val;
    }
    return NULL;
}

 Problem: It seems that only r->pool and r->connection are valid.
 r->pool is 0, r->connection points to meaningful information.
 r->server is already an invalid pointer (0x67616d69), and subsequent
 information is garbage as well. Viewing the values in server, next, prev
 as characters reveals "image/gif". Starting with the_request, I see the
 same sequence again. And then again in protocol. In status_line etc. I see
 "HTTPSon". In sent_bodyct there is again "image/gif".

static int ssl_io_suck_read(SSL *ssl, char *buf, int len)
{
    ap_ctx *actx;
    struct ssl_io_suck_st *ss;
    request_rec *r = NULL;
    int rv;

    actx = (ap_ctx *)SSL_get_app_data2(ssl);
    if (actx != NULL)
        r = (request_rec *)ap_ctx_get(actx, "ssl::request_rec");

    rv = -1;
    if (r != NULL) {
        ss = ap_ctx_get(r->ctx, "ssl::io::suck");    /* current line */
        if (ss != NULL) {



static int SSL_recvwithtimeout(BUFF *fb, char *buf, int len)
{
    int iostate = 1;
    fd_set fdset;
    struct timeval tv;
    int err = WSAEWOULDBLOCK;
    int rv;
    int sock = fb->fd_in;
    SSL *ssl;

    ssl = ap_ctx_get(fb->ctx, "ssl");

    if (!(tv.tv_sec = ap_check_alarm()))
        return (SSL_read(ssl, buf, len));

    rv = ioctlsocket(sock, FIONBIO, &iostate);
    iostate = 0;
    ap_assert(!rv);
    rv = SSL_read(ssl, buf, len);    /* current line */
    if (rv <= 0) {



static int ssl_io_hook_recvwithtimeout(BUFF *fb, char *buf, int len)
{
    SSL *ssl;
    int rc;

    if ((ssl = ap_ctx_get(fb->ctx, "ssl")) != NULL)
        rc = SSL_recvwithtimeout(fb, buf, len);    /* current line */
    else
        rc = recvwithtimeout(fb->fd, buf, len, 0);
    return rc;
}



ap_hook_call_func
ap_hook_call



static ap_inline int buff_read(BUFF *fb, void *buf, int nbyte)
{
    int rv;

#if defined (WIN32) || defined(NETWARE)
    if (fb->flags & B_SOCKET) {
#ifdef EAPI
        if (!ap_hook_call("ap::buff::recvwithtimeout", &rv, fb, buf, nbyte))    /* current line */
#endif /* EAPI */



static ap_inline int saferead_guts(BUFF *fb, void *buf, int nbyte)
{
    int rv;

    if (fb->flags & B_SAFEREAD) {
        ap_bhalfduplex(fb);
    }
    do {
        rv = buff_read(fb, buf, nbyte);    /* current line */
    } while (rv == -1 && errno == EINTR && !(fb->flags & B_EOUT));
    return (rv);
}
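
The report above recognises the corruption by reading pointer fields as characters (r->server = 0x67616d69, neighbouring fields spelling "image/gif"). The following is an added example, not part of the original report or of mod_ssl, that automates that check for a list of dumped fields. The function names are this example's own, and the values for next and prev are constructed from the report's description.

```python
"""Crash-dump triage: spot struct fields that have been overwritten with text."""

PRINTABLE = set(range(0x20, 0x7F))  # printable ASCII byte values


def field_bytes(value, width=4):
    """Bytes of a pointer-sized field as they sit in little-endian (x86) memory."""
    return value.to_bytes(width, "little")


def looks_like_text(value, width=4):
    """True if the field is printable ASCII, optionally followed by NUL padding."""
    raw = field_bytes(value, width).rstrip(b"\x00")
    return len(raw) > 0 and all(b in PRINTABLE for b in raw)


def find_string_overwrites(fields, width=4, min_len=4):
    """Return (first_field, last_field, text) for runs of adjacent fields that
    read as one ASCII string.

    fields is an ordered list of (name, value) in struct layout order.
    A genuine pointer can consist of printable bytes by chance, so a hit that
    spans one field is weak evidence; a run across several fields is strong.
    """
    hits = []
    names, buf = [], b""
    # The (None, 0) sentinel flushes a run that reaches the end of the list.
    for name, value in list(fields) + [(None, 0)]:
        if name is not None and looks_like_text(value, width):
            raw = field_bytes(value, width)
            names.append(name)
            buf += raw.rstrip(b"\x00")
            if b"\x00" not in raw:
                continue  # no terminator yet: the string runs into the next field
        # Run ended: non-text field, NUL terminator, or sentinel.
        if len(buf) >= min_len:
            hits.append((names[0], names[-1], buf.decode("ascii")))
        names, buf = [], b""
    return hits


# Leading request_rec fields in the order the report lists them.
SAMPLE_FIELDS = [
    ("pool", 0x00000000),        # report: r->pool is 0
    ("connection", 0x008A91E0),  # conn_rec address shown in the call stack
    ("server", 0x67616D69),      # report: invalid pointer 0x67616d69
    ("next", 0x69672F65),        # constructed: bytes "e/gi"
    ("prev", 0x00000066),        # constructed: "f" plus NUL terminator
]

if __name__ == "__main__":
    for first, last, text in find_string_overwrites(SAMPLE_FIELDS):
        print("fields %s..%s hold the string %r" % (first, last, text))
```

A run that starts partway into a structure, as here, indicates that the memory was reused for string data while a pointer to the old structure was still held.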




RE: Apache 1.3.17 - mod_ssl.2.8.0 - openssl.0.9.6 Reverse Proxy SSL

2001-03-12 Thread De Taeye, Herman

Hi,
I am still struggling with my trials for reverse proxy and hoping to get
help

Meanwhile I have the manual SSL and TLS (Eric Rescorla) on hand, but still I
am not getting much further.
I am doing my tests now between 2 Linux systems.  They are called proxy.ecb
(For the gateway or proxy server)
and app.ecb (for the application server on the intranet).

I have taken some dumps via ssldumps, in the hope to solve my problem.
And I am testing even with  Apache 1.3.19 - mod_ssl-2.8.1 and openssl.0.9.5a

To prove that the SSL connection works between the proxy.ecb and the
app.ecb, I installed the proxy servers certificate and the Verisign CA
certificate in the Netscape browser from the server proxy.ecb.  The
attachment dmp_netscape_proxy_to_app_with_certificate, shows the data and
certificates that pass the wire.

When I start it from the PC with MSIE 5.0, the connection that is not
authenticated to the proxy works, but when the proxy calls the app, it
terminates with a handshake error.  See the file
dmp_pc_proxy_app_failure_dh.

Even after changing the SSLCipherSuite on the application server from
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
To
:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
or
:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
or 
RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2
This changes only the cipher suite used, but I still get the handshake error.

Adding the SSLProtocol and changing it for different setting does not help
either.

See also an other example this time with Netscape 6 on the PC.
dmp_NS6_from_pc_with_failed+app+SSL+protocl_SSLv2_no_chi_no_exp_no_null .

Can someone explain me more precisely what the dumps mean?
Can you explain me the real reason why the handshake occurs?
Any suggestions on how to solve this problem?

LLL,

Thanks in advance.

Herman De Taeye
Unisys Belgium


 

-Original Message-
From: De Taeye, Herman 
Sent: Thursday, March 01, 2001 8:17 PM
To: '[EMAIL PROTECTED]'
Subject: Apache 1.3.17 - mod_ssl.2.8.0 - openssl.0.9.6 Reverse Proxy SSL

Hi,

I have set up the apache/openssl/mod_ssl products on two systems.
The first system named "gate.ecb" is configured as a reverse proxy.
A Verisign CA test certificate, a verisign signed server certificate and its
private key are installed.
The second system is our application server and is named "serv.ecb". It has
also a Verisign CA test certificate, a verisign signed application server
certificate and its private key.

A PC with browser is connected to the same network for my tests.  The PC has
the verisign CA certificate, but no private key nor a certificate.

What we need is :
  PC --  SSL with no client identification --  Gate --  SSL with
identification of the gate to -- Server.

In the gate "SSLVerifyClient" is not defined or set to none.
In the server SSLVerifyClient require is set.

When the PC tries to connect to the server SERV via reverse proxy on GATE,
it gets an error that the PC needs a client certificate.

On the ssl_engine_log of the server we see following data:
[01/Mar/2001 13:58:37 04468] [info]  Connection to child 0 established
(server serv.ecb:443, client 192.168.1.34)
[01/Mar/2001 13:58:37 04468] [info]  Seeding PRNG with 1160 bytes of entropy
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Handshake: start
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: before/accept
initialization
[01/Mar/2001 13:58:37 04468] [debug] OpenSSL: read 11/11 bytes from
BIO#000698B8 [mem: 000851E0] (BIO dump follows)
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 read client hello
A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write server hello
A
[01/Mar/2001 13:58:37 04468] [debug] OpenSSL: write 1024/1024 bytes to
BIO#000698B8 [mem: 00070F38] (BIO dump follows)
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write certificate
A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write key exchange
A
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 write certificate
request A
[01/Mar/2001 13:58:37 04468] [debug] OpenSSL: write 854/854 bytes to
BIO#000698B8 [mem: 00070F38] (BIO dump follows)
[01/Mar/2001 13:58:37 04468] [trace] OpenSSL: Loop: SSLv3 flush data
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: read 5/5 bytes from
BIO#000698B8 [mem: 000851E0] (BIO dump follows)
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: read 2/2 bytes from
BIO#000698B8 [mem: 000851E5] (BIO dump follows)
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Read: SSLv3 read client
certificate A
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: read 5/5 bytes from
BIO#000698B8 [mem: 000851E0] (BIO dump follows)
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: read 134/134 bytes from
BIO#000698B8 [mem: 000851E5] (BIO dump follows)
[01/Mar/2001 13:58:38 04468] [debug] OpenSSL: write 7/7 bytes to
BIO#000698B8 [mem: 00070F38] (BIO dump follows)

HERE IT COMES 
[01/Mar/2001 13:58:38 04468] [trace] OpenSSL: Write: SSLv3 read client
certificate B THIS IS B
[01/Mar/2001 13:58:38 04468] 

Re: [BugDB] error when running sign.sh (PR#532)

2001-03-12 Thread Michael Carter

You may want to download and try ssl.ca-0.1. I found it in the "Miscellaneous
Contributions" area of the OpenSSL web site (www.openssl.org). I've used this set
of scripts successfully to create a root CA, sign the server's certificate, and
create and sign user certs. I've even had great success exporting user certs in
p12 format for Netscape. Ssl.ca is a well-written script set.

[EMAIL PROTECTED] wrote:

 Full_Name: Wes Barris
 Version: 2.7.1
 OS: Redhat 7
 Submission from: (NULL) (144.34.33.41)

 Hello,

 I am following the instructions in the following file:

 mod_ssl-2.7.1-3: /var/www/html/manual/mod/mod_ssl/ssl_faq.html

 I am trying to create my own CA as described under the following
 heading in that file:

 "How can I create and use my own Certificate Authority (CA)?[L]"

 All goes well until I use the "sign.sh" command (which, for some reason
 is not packaged with the mod_ssl-2.7.1-3.i386.rpm for Redhat 7).  Here
 is a transcript of the error:

 wes@kirby ./sign.sh server.csr
 CA signing: server.csr - server.crt:
 Using configuration from ca.config
 Enter PEM pass phrase:
 Check that the request matches the signature
 Signature ok
 The Subjects Distinguished Name is as follows
 countryName   :PRINTABLE:'US'
 stateOrProvinceName   :PRINTABLE:'Minnesota'
 localityName  :PRINTABLE:'Minneapolis'
 organizationName  :PRINTABLE:'Network Computing Services, Inc.'
 organizationalUnitName:PRINTABLE:'Security Division'
 commonName:PRINTABLE:'kirby.hpcmp.hpc.mil'
 emailAddress  :IA5STRING:'[EMAIL PROTECTED]'
 Certificate is to be certified until Mar  8 16:21:13 2002 GMT (365 days)
 Sign the certificate? [y/n]:y

 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated
 CA verifying: server.crt - CA cert
 server.crt: /C=US/ST=Minnesota/L=Minneapolis/O=Network Computing Services,
 Inc./OU=Security [EMAIL PROTECTED]
 error 18 at 0 depth lookup:self signed certificate
 /C=US/ST=Minnesota/L=Minneapolis/O=Network Computing Services, Inc./OU=Security
 [EMAIL PROTECTED]
 error 7 at 0 depth lookup:certificate signature failure
 wes@kirby

 I can see two errors but I don't know what they mean or what I am supposed
 to do about them.  Am I doing something wrong?


--
Mike Carter
Pilot/SysAdmin
[EMAIL PROTECTED]





DavExplorer .. timeouts, errors, oh my...

2001-03-12 Thread Deocs Postmaster

Jeff,

Thanks for idea.  I set up httpd.conf with:
 KeepAlive Off

The other browser settings don't look for DavExplorer,
so I don't think it's getting turned on later.

DavExplorer fails the same with KeepAlive off, but I
did see some other error messages that point to timeouts
and socket problems.  This seems to be a write problem
as I could read large files from the server without any
problems.

I setup a WebDAV directory on the http portion of the server
and ran DavExplorer without SSL enabled.  That worked fine.
Oh well, the whole purpose was to have secure file transfer
with WebDAV, and of course it does everything but that.

Thanks again, I hadn't been thinking it was an SSL problem,
but now I think the evidence is mounting.  The solution may
be at the Java end as well.

Dave

At 09:54 AM 3/12/01 , you wrote:

Over SSL I'd suggest turning keep alives off. We have had awful problems
with IE keepalives under SSL.

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown



Jeff

[EMAIL PROTECTED]




Re: Apache-1.3.19+mod_ssl-2.8.1+php-4.0.4pl1 segfault (no core file created)

2001-03-12 Thread Jon Lawrence

- Original Message -
From: "Karlos Z. Smith" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, March 12, 2001 1:48 PM
Subject: Apache-1.3.19+mod_ssl-2.8.1+php-4.0.4pl1 segfault (no core file
created)


 After compiling mod_ssl apache and php as per instructions, running httpd
 -DSSL segfaults.  I would normally have thought this a php bug, since it
 breaks after adding PHP. But I observed the same behavior when I compiled
 Apache+mod_perl+mod_ssl. (yes I compiled mod_perl into apache, _not_ as a
 DSO).  (And yes as the FAQ states I made sure PHP was compiled with
 -DEAPI)

 Apache+mod_ssl works OK
 Apache+php4 works OK
 Apache+mod_ssl+php4 fails
 Apache+mod_perl+mod_ssl fails

 For an install log see
 http://home.viptx.net/~kazen/Apache+mod_ssl+php4.build.txt
 For a strace log see
 http://home.viptx.net/~kazen/Apache+mod_ssl+php4.strace.txt

 I would love to provide a gdb backtrace but apache is _not_ producing a
 core file when it segfaults.
 (Yes I compiled with "-g -ggdb3"

Here's how I compiled exactly what you wanted.
Download apache_1.3.19, mod_ssl, php4.04pl2,openssl-0.9.6. untar all the
files.
cd mod_ssl_dir
./configure --with-apache=../apache_1.3.19
cd ../apache_1.3.19
./configure
cd ../openssl-0.9.6
./configure
make
cd ../php4_Dir
CFLAGS='-02 -I../openssl0.9.6' ./configure --with-apache=../apache_1.3.19
make
make install
cd ../apache_1.3.19
SSL_BASE=../openssl-0.9.6

./configure --enable-module=ssl --activate-module=src/modules/php4/libphp4.a
 --enable-module=php4
make
make certificate
make install
/usr/local/apache/bin/apachectl startssl

this worked on my RedHat 6.2 & RedHat 7 boxes. Obviously it installed apache
in the default location.
I did see something about gcc not recognising the -02 flag but it still
worked.
HTH
Jon Lawrence




apache+open_dav+mod_ssl upload bug

2001-03-12 Thread Deocs Postmaster

[EMAIL PROTECTED],

I am using the following:
  Apache_1.3.19
  mod_ssl_2.8.1
  mod_dav_1.1.0
  openssl_0.9.6
  Windows 2K
At mod_dav's request, I recompiled it with EAPI enabled.

When I SSL upload large files (~1MB) from a WebDAV client to the
web server, it fails and I get this error line in the apache
error.log:

 [Mon Mar 12 16:40:27 2001] [error] [client 192.168.1.1]
 An error occurred while reading the request body.  [400, #0]

The problem occurs with both DavExplorer and built-in Win2K clients.
The files that do succeed arrive uncorrupted.
Going from server to client doesn't have the problem.
It fails with Apache KeepAlive ON or OFF.

The problem doesn't occur if I upload to the same webserver
but use a WebDAV http directory instead of an https directory.

Any clues on what to do or where to look would be appreciated.

Dave




How do I setup a CA Server?

2001-03-12 Thread Ben Rockwood

Hello. 

I've recently started playing with mod_ssl
and had done well with it till I decided to switch off
the test certs (SnakeOil) and onto real certs.  I successfully
created and signed my own cert as documented in the mod_ssl
users guide, but ran into trouble when trying to connect with
a browser.

I'm testing with Netscape and Mozilla.  When I hit
the server (https://) I get the normal "This is a secure page
blah, blah", and then another window "No User Certificate: The
server may not let you connect without one".  I click "Next"
there and get a window saying "An IO Error Occured.  Try Connecting
Again".  This happens over and over again each time I try.  I've
tried several different machines and the same result.  I tried
IE on NT, and essentially the same thing happened, except that
instead of an IO error I just got an error page.  (effectively
the same result)  After inspecting my ssl_engine_log I find this
line, which seems to correspond to the IO error:

[12/Mar/2001 21:08:15 09014] [info]  Connection to child 2 established
(server xxx.blah.com:443, client xxx.xxx.xxx.xxx)
[12/Mar/2001 21:08:15 09014] [info]  Seeding PRNG with 1160 bytes of entropy
[12/Mar/2001 21:08:19 09014] [error] SSL handshake failed (server
xxx.blah.com:443, client xxx.xxx.xxx.xxx) (OpenSSL library error follows)
[12/Mar/2001 21:08:19 09014] [error] OpenSSL: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
[Hint: No CAs known to server for verification?]

(Note: I did in fact block out the hostname and IP for security reasons,
it's not a misconfiged system in that regard <grin>)

So my problem, as mentioned by the log is that I don't have a CA server.
I've looked through the docs for OpenSSL and mod_ssl and can't find anything
about building/config'ing a CA Server, there's plenty on signing certs AS a
CA, but not actually serving as a CA for requests.  So how do I?  Or is this
in the docs and I simply missed it.  Part of my confusion is in whether the
CA "Server" is a daemon or not.  Do I need to launch a OpenSSL session that
stays open on a given port for requests or does Apache with mod_ssl take
care of the magic?  This is really driving me nuts, and SSL is really
kool... I'm totally thrilled that there is such a good open source SSL tool
kit available that everyone can play with it.

Just for kicks, here's some lines from my httpd.conf, all under the default
virtual host on port 443 (ie: modified lines from the originally placed.
I've excluded lines that I didn't think were interesting or applied):

<VirtualHost _default_:443>
DocumentRoot "/usr/local/apache/htdocs"
ServerName xxx.blah.com
SSLEngine on
SSLCipherSuite HIGH:MEDIUM:LOW:RC4+RSA:+SSLv2
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/ca.crt
SSLCACertificatePath /usr/local/apache/conf/ssl.crt
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
SSLCARevocationPath /usr/local/apache/conf/ssl.crl
SSLVerifyClient optional_no_ca
SSLVerifyDepth  10
</VirtualHost>

The directives that I'm not 100% clear about (even after reading the docs,
which were really great) are SSLCipherSuite and SSLVerifyClient.  I've tried
other variants for SSLVerifyClient, but they didn't really help.  It seems
like I can only get this thing to work well when I specify that
no-encryption is an option which is exactly against the point.

So, ultimately the question is, do I have a config problem, a client
problem, a psychological problem, or do I simply lack a CA Server? Any help
is GREATLY appreciated.  Sorry for being so wordy, but I figured I'd just be
complete the first time.

benr.
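
Several posts in this digest point at the mod_ssl log (SSLLog / ssl_engine_log) as the place to look when a handshake fails, and two of them quote entries from it. The following is an added example, not part of any post and not mod_ssl code: it re-joins entries that the mail archive wrapped, parses them, and pairs each "SSL handshake failed" entry with the OpenSSL error that follows it. The sample text is copied from the post above; the function names are this example's own.

```python
import re

# Copied from the post above, keeping the archive's line wrapping.
SAMPLE_LOG = """\
[12/Mar/2001 21:08:15 09014] [info]  Connection to child 2 established
(server xxx.blah.com:443, client xxx.xxx.xxx.xxx)
[12/Mar/2001 21:08:15 09014] [info]  Seeding PRNG with 1160 bytes of entropy
[12/Mar/2001 21:08:19 09014] [error] SSL handshake failed (server
xxx.blah.com:443, client xxx.xxx.xxx.xxx) (OpenSSL library error follows)
[12/Mar/2001 21:08:19 09014] [error] OpenSSL: error:140890C7:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
[Hint: No CAs known to server for verification?]
"""

# "[DD/Mon/YYYY HH:MM:SS PID] [level] message"
ENTRY = re.compile(
    r"^\[(\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2}) (\d+)\] \[(\w+)\]\s*(.*)$"
)
HANDSHAKE = re.compile(r"SSL handshake failed \(server (\S+), client (\S+?)\)")
# "OpenSSL: error:<code>:<library>:<function>:<reason> [Hint: ...]"
OSSL_ERR = re.compile(
    r"OpenSSL: error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*?)"
    r"(?:\s*\[Hint: (.*?)\])?$"
)


def parse_entries(text):
    """Split log text into entries, folding wrapped lines into their entry.

    Only a line that starts with a full "[date time pid]" stamp opens a new
    entry, so a continuation such as "[Hint: ...]" is not mistaken for one.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"time": m.group(1), "pid": m.group(2),
                            "level": m.group(3), "msg": m.group(4).strip()})
        elif entries and line.strip():
            entries[-1]["msg"] += " " + line.strip()
    return entries


def handshake_failures(entries):
    """Pair each handshake failure with the next OpenSSL error from the same PID."""
    failures = []
    pending = {}  # pid -> failure record still waiting for its OpenSSL error
    for e in entries:
        if e["level"] != "error":
            continue
        h = HANDSHAKE.search(e["msg"])
        if h:
            rec = {"time": e["time"], "pid": e["pid"],
                   "server": h.group(1), "client": h.group(2),
                   "code": None, "function": None, "reason": None, "hint": None}
            failures.append(rec)
            pending[e["pid"]] = rec
            continue
        o = OSSL_ERR.search(e["msg"])
        if o and e["pid"] in pending:
            pending.pop(e["pid"]).update(
                code=o.group(1), function=o.group(3),
                reason=o.group(4), hint=o.group(5))
    return failures


if __name__ == "__main__":
    for f in handshake_failures(parse_entries(SAMPLE_LOG)):
        print("%(time)s pid %(pid)s %(client)s -> %(server)s: "
              "%(function)s: %(reason)s (hint: %(hint)s)" % f)
```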
