Re: apache, modssl, win32

2001-04-05 Thread Brett W. McCoy

On Thu, 5 Apr 2001, Joachim Feise wrote:

> Amazing. For some time now, all modules, even on Windows, have the
> extension .so, and they are all called mod_whatever.so, to have
> consistency between Unix and Windows.
> If you have a .dll module, you are using an old version.

I'm using 1.3.14, with the stuff I got from the contrib directory on the
mod_ssl website.  It all works, that's the important thing.

-- Brett
   http://www.chapelperilous.net/btfwk/

Woman inspires us to great things, and prevents us from achieving them.
-- Dumas

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: apache, modssl, win32

2001-04-05 Thread Joachim Feise

"Brett W. McCoy" wrote:
> 
> On Thu, 5 Apr 2001, Shain Miley wrote:
...
> file matches up, it doesn't matter where you put them.  I don't know if
> Windows requires dynamic libraries to have the .DLL extension or not.

No, it doesn't.

-Joe



Re: apache, modssl, win32

2001-04-05 Thread Brett W. McCoy

On Thu, 5 Apr 2001, Shain Miley wrote:

> hey, I see that a lot of people are having this problem.  I found out
> that the docs say to copy the .dll files into c:/winnt/system32, but
> if you copy them into your apache root dir then it should work fine.
> Shain

I put them under %APACHE_ROOT%\modules.  As long as the path in the config
file matches up, it doesn't matter where you put them.  I don't know if
Windows requires dynamic libraries to have the .DLL extension or not.

-- Brett
   http://www.chapelperilous.net/btfwk/

Many receive advice, few profit by it.
-- Publilius Syrus




Re: Unexplained http_main.c patch

2001-04-05 Thread Ralf S. Engelschall

On Thu, Apr 05, 2001, Harrington, Thomas wrote:

> The mod_ssl patch file changes a bunch of things, most of which make sense.
> One has me scratching my head.  In http_main.c, in the setup_listeners()
> function, it adds the following lines:
> 
>   if (fd >= 0) {
>       FD_SET(fd, &listenfds);
>       if (fd > listenmaxfd)
>           listenmaxfd = fd;
>   }
> 
> This wouldn't be odd except for a couple of things:
> * setup_listeners() already does all of this, so once patched, it happens
> twice.  Granted, the existing one does not check the fd value first, and
> this might be considered broken.  But then the patch doesn't stop values
> less than zero from being used, so it doesn't actually fix this behavior.
> * Most patches are clearly delineated by "#ifdef EAPI".  This one has no
> "#ifdef".
> 
> What gives?  Why do this twice?

This should be already gone with 2.8.2.
I guess you are looking at an older version, right?
Please use the latest one.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: ApacheCon 2001...

2001-04-05 Thread Ralf S. Engelschall

On Tue, Apr 03, 2001, Ralf S. Engelschall wrote:

> I'm now leaving for attending ApacheCon 2001 in Santa Clara, CA.
> For the modssl-users who also attend ApacheCon: feel free to
> share our interest by visiting our talk W24 on Wednesday evening.
> For those of us who are not attending ApacheCon: you can go to
> http://www.modssl.org/docs/apachecon2001/ and at least watch the
> presentation's slide-set.

Thanks to all of you who attended our SSL presentation
yesterday here at ApacheCon 2001 in Santa Clara, CA.

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



RE: swamp

2001-04-05 Thread Geoff Thorpe

Hi there,

On Wed, 4 Apr 2001 [EMAIL PROTECTED] wrote:

> Thanks for this utility, it works well for me in testing SSL acceleration
> cards (which I still haven't completed. What a slacker). In fact, this
> program works so well, I could give you a big sloppy kiss, but I'll refrain
> from doing so. However, if you were female...

Thanks, that won't be necessary. :-) Of course, if you spot any problems, or
just feel like improving the code or docs (the latter being especially easy to
do), that would be very welcome.

> Just to show how dense I can be, does the setting for users and requests
> mean that it simulates x users making y requests, ie xy (or x*y depending on
> your notation preferences) requests?

umm ... users? "num" refers to concurrency if that's what you meant. IIRC, the
requests limit is total requests, independent of what level of concurrency
you're using. (Ie. 1000 requests is absolute, whether they're done one after
another or 10 at a time). However, I cared less about that stuff when I was
developing it - the most useful test, for me at least, is leaving it running
indefinitely. The "-updates" and "-csv" switches give me the stats, and by
leaving it going I can do things like starting up multiple copies, including
possibly using multiple test client machines (and/or the same machine but going
through different network interfaces, etc). It's also useful of course to script
it so all the tests start simultaneously, but by leaving it going you can be
sure you get the stats you require before terminating. Then you suck in all
those "csv" files into Excel or something and start drawing pretty graphs.

> Thanks again. I'll be putting my results of the Rainbow card on the list
> soon (provided I can get the kernel module to compile for an SMP kernel).

OK. It's also useful BTW for thrashing away and profiling session cache
characteristics. If you set a shmht cache size and timeout such that a full
"swamping" can fill the cache slightly under the expiry time, and you use the
"srrsr" session sequence (ie. new session, resume, resume, new session, resume,
etc), you should notice that performance isn't consistent - moreover, every
"expiry" seconds the performance will take a nose-dive before picking up. You
will also notice failed session resumes coming in little bursts (these also
correspond with an obvious slow-down, every request is forced to negotiate a new
session). If you try the same with "shmcb" hopefully you'll notice that it's
generally slightly faster most of the time, but doesn't have those 'down'
moments nor should it fail resumes. It's recommended you use some concurrency
for this sort of testing though ... between 10 and 20 is a good guide.

NB: to work out the cache-size/timeout required to fill a cache just under the
expiry time - just run swamp with the "srrsr" sequence and measure the average
speed. A typical session (if you use a cipher suite like RC4-SHA and no client
cert) is around 130 bytes IIRC, so you can divide the cache size by that to work
out how many sessions it can hold (and lower the number slightly to cover minor
overheads, byte-alignment fragments, etc). Given 2/5 of the requests (srrsr)
create new sessions, you can work out how many sessions are attempting to store
themselves in the cache per second/minute and adjust the timeout or size
appropriately. You should find that when the cache fills, but before the expiry
timeout comes round, you will start to get failed session resumes. That expiry
round happens approximately (n * 'expiry') seconds after the very first access
to the cache BTW (for n=1,2,3...) - so don't preview the site using a browser 1
minute before you start the "swamp"ing - it'll still misbehave but at a
different (and weirder) time to what you expect. Ie. stop the server, start it,
then launch your test.

Cheers,
Geoff


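The cache-sizing arithmetic in the NB paragraph above, worked through as an added example (this is not part of swamp or mod_ssl; the 130-byte session estimate and the 95% usable-space allowance come from the post, the function names and the sample numbers are this example's own). It generalises the post's "srrsr" to any sequence of 's' (new session) and 'r' (resume), reports how long a run takes to fill the cache, whether that happens before the expiry timeout (the condition that produces the bursts of failed resumes), and the cache size needed to hold every session created in one expiry window:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not part of swamp or mod_ssl. Works through the sizing
 * arithmetic in the post: how fast a run with a given session sequence fills
 * an SSLSessionCache, whether that happens before SSLSessionCacheTimeout
 * ("expiry") reaps entries, and how big the cache must be to avoid it. */

#define SESSION_BYTES_ESTIMATE 130  /* per-session cost quoted in the post (RC4-SHA, no client cert) */
#define USABLE_PERCENT 95           /* "lower the number slightly" for alignment/overhead */

/* Fraction of requests in the sequence that negotiate a new session.
 * 's' = new session, 'r' = resume, e.g. "srrsr" -> 2/5. */
double new_session_fraction(const char *sequence)
{
    size_t total = strlen(sequence), fresh = 0;
    if (total == 0)
        return 0.0;
    for (size_t i = 0; i < total; i++)
        if (sequence[i] == 's')
            fresh++;
    return (double)fresh / (double)total;
}

/* Sessions the cache holds once the overhead allowance is taken off. */
long sessions_in_cache(long cache_bytes)
{
    if (cache_bytes <= 0)
        return 0;
    return (cache_bytes / SESSION_BYTES_ESTIMATE) * USABLE_PERCENT / 100;
}

/* Seconds until the cache is full at the measured request rate,
 * or -1.0 if the sequence never creates new sessions. */
double seconds_to_fill(long cache_bytes, double requests_per_sec, const char *sequence)
{
    double new_per_sec = requests_per_sec * new_session_fraction(sequence);
    if (new_per_sec <= 0.0)
        return -1.0;
    return (double)sessions_in_cache(cache_bytes) / new_per_sec;
}

/* 1 if the cache fills before the expiry timeout comes round: the run will
 * then see resumes failing until expiry frees space. */
int fills_before_expiry(long cache_bytes, int expiry_secs, double requests_per_sec,
                        const char *sequence)
{
    double t = seconds_to_fill(cache_bytes, requests_per_sec, sequence);
    return t >= 0.0 && t < (double)expiry_secs;
}

/* Smallest cache size (bytes) that holds every session created in one
 * expiry window, so no resume fails for lack of space. */
long cache_bytes_for_expiry(int expiry_secs, double requests_per_sec, const char *sequence)
{
    double per_window = requests_per_sec * new_session_fraction(sequence) * expiry_secs;
    long sessions = (long)per_window;
    if ((double)sessions < per_window)
        sessions++;                       /* round up to whole sessions */
    /* ceil(sessions * bytes * 100 / USABLE_PERCENT) in integer arithmetic */
    return (sessions * SESSION_BYTES_ESTIMATE * 100 + USABLE_PERCENT - 1) / USABLE_PERCENT;
}

int main(void)
{
    /* Constructed scenario: 65000-byte cache, 300 s expiry, swamp measured
     * at 100 requests/second with the "srrsr" sequence. */
    long cache = 65000;
    int expiry = 300;
    double rate = 100.0;
    printf("cache holds %ld sessions, fills in %.1f s, fills before expiry: %d\n",
           sessions_in_cache(cache), seconds_to_fill(cache, rate, "srrsr"),
           fills_before_expiry(cache, expiry, rate, "srrsr"));
    printf("cache needed to outlast expiry: %ld bytes\n",
           cache_bytes_for_expiry(expiry, rate, "srrsr"));
    return 0;
}
```

Measure the request rate first, as the post says, with a plain "srrsr" run; then `fills_before_expiry` tells you whether a given `SSLSessionCache` size and `SSLSessionCacheTimeout` reproduce the fill-before-expiry condition, and `cache_bytes_for_expiry` gives the size at which it should no longer occur.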



Re: explusion?

2001-04-05 Thread Ralf S. Engelschall

On Thu, Apr 05, 2001, Paul wrote:

> I have been looking at this for a while, and must be looking in the
> wrong places.  From httpd.conf:
> 
> #   Semaphore:
> #   Configure the path to the mutual explusion semaphore the
> #   SSL engine uses internally for inter-process synchronization.
> 
> "mutual eplusion semaphore"? OK, expulsion I would understand.
> Exclusion I would understand even better. Explusion?
> 
> Is it just a typo? Or if not, what the hell is "explusion", and where
> can I find docs on it? =o)

Sure, it's a typo. "exclusion" is the word. Now fixed for 2.8.3

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Rewrite not working when SSLEngine is on

2001-04-05 Thread Gaetan Delahousse

Please ignore that post. the problem is now solved.

Gaetan Delahousse wrote:

> Hi Everyone,
>
> I am trying to set a reverse-proxy, it worked fine until I started to use
> rewrite
> rules. All my rewrite rules are working fine when SSLEngine off, but
> doesn't
> work when SSLEngine is on. Not a thing is logged, not even the init of the
> rewrite engine.
>
> I am using apache-1.3.12, mod-ssl-2.6.6 and openssl-0.9.5a. I tried with
> apache-1.3.19 and mod-ssl-2.8.2 and got exactly the same problem.
>
> I am now fighting 3 days with that and I started to debug httpd to see what
>
> is going on.
>
> Thanks,
> Gaetan
>
> here an extract of the httpd.conf
>
> RewriteEngine  on
> RewriteLog  /tmp/rewrite.log
> RewriteLogLevel  9
> RewriteRule  /base/images  /images
>
> #  snip 
>
> 
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /home/base/conf/ssl.crt/base-server.crt
> SSLCertificateKeyFile /home/base/conf/ssl.key/base-server.key
> SSLSessionCacheTimeout   300
> SSLLog   /home/base/logs/SSLEngineLog.proxy
> SSLLogLevel  debug
> RewriteEngine on
> RewriteOptions inherit
> ProxyPass /base https://localhost:8443/base
> 




Unexplained http_main.c patch

2001-04-05 Thread Harrington, Thomas

The mod_ssl patch file changes a bunch of things, most of which make sense.
One has me scratching my head.  In http_main.c, in the setup_listeners()
function, it adds the following lines:

    if (fd >= 0) {
        FD_SET(fd, &listenfds);
        if (fd > listenmaxfd)
            listenmaxfd = fd;
    }

This wouldn't be odd except for a couple of things:
* setup_listeners() already does all of this, so once patched, it happens
twice.  Granted, the existing one does not check the fd value first, and
this might be considered broken.  But then the patch doesn't stop values
less than zero from being used, so it doesn't actually fix this behavior.
* Most patches are clearly delineated by "#ifdef EAPI".  This one has no
"#ifdef".

What gives?  Why do this twice?

-- 
Tom Harrington
Cybernetic Entomologist
EMC Colorado Springs
[EMAIL PROTECTED]


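The guard the quoted hunk adds before FD_SET(), as an added example (this is not Apache's or mod_ssl's code and not the patch itself; the struct, function names and sample descriptors are this example's own, with field names chosen to mirror listenfds and listenmaxfd in the hunk). Beyond the fd >= 0 test in the hunk it also rejects fd >= FD_SETSIZE, since FD_SET() indexes a fixed-size bitmap and writing a larger descriptor into it corrupts memory past the set:

```c
#include <stdio.h>
#include <sys/select.h>

/* Added example, not Apache's or mod_ssl's code. The quoted hunk registers a
 * listener only when fd >= 0; this helper does the same and additionally
 * rejects fd >= FD_SETSIZE, because FD_SET() cannot represent such a
 * descriptor. Field names mirror the hunk's listenfds / listenmaxfd. */

struct listener_set {
    fd_set listenfds;   /* descriptors to hand to select() */
    int listenmaxfd;    /* highest registered fd, -1 when empty */
};

void listener_set_init(struct listener_set *ls)
{
    FD_ZERO(&ls->listenfds);
    ls->listenmaxfd = -1;
}

/* Register fd as a listener. Returns 1 on success, 0 when fd is negative
 * (e.g. a failed socket() result) or too large for an fd_set. */
int listener_set_add(struct listener_set *ls, int fd)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;
    FD_SET(fd, &ls->listenfds);
    if (fd > ls->listenmaxfd)
        ls->listenmaxfd = fd;
    return 1;
}

/* 1 if fd is registered, 0 otherwise (out-of-range fds are never "set"). */
int listener_set_contains(struct listener_set *ls, int fd)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;
    return FD_ISSET(fd, &ls->listenfds) ? 1 : 0;
}

/* Registers each entry of fds[] and returns how many were rejected. */
int listener_set_add_all(struct listener_set *ls, const int *fds, int n)
{
    int rejected = 0;
    for (int i = 0; i < n; i++)
        if (!listener_set_add(ls, fds[i]))
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed sample: two valid sockets, one failed socket() result
     * (-1) and one descriptor beyond FD_SETSIZE. */
    int sample[] = { 3, 7, -1, FD_SETSIZE };
    struct listener_set ls;
    listener_set_init(&ls);
    int rejected = listener_set_add_all(&ls, sample, 4);
    printf("rejected=%d listenmaxfd=%d\n", rejected, ls.listenmaxfd);
    return 0;
}
```

The point of returning a status rather than silently skipping is that a listener that fails to register is a configuration error worth logging; the hunk as quoted drops invalid descriptors without any trace.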



Re: repeatedly asking for authentication

2001-04-05 Thread Lutz Jaenicke

On Thu, Apr 05, 2001 at 11:19:49AM -0400, Robert Buckley wrote:
> Thank you for your response, 
> If you take a look at a later post, I wrote that a link outside the root, 
> will shut down the connection to the child. This makes the browser think it's
> a fresh connection to the site. So even if you turned off "Ask Every Time",
> the outcome would still be the same. For every "new" connection, you'll need
> to identify yourself.
> If we could stop the connection from closing on the child, you probably
> wouldn't have to authenticate again. 

I am not sure that I would follow your conclusion. Please use ssldump to
verify this assumption. If the browser wants to re-negotiate, it will not
propose a session to be reused.
Whether a connection to a child is closed or not however does influence
the session caching. If the external session cache can not cache the session,
children cannot exchange the session data, so if a new connection to another
child is opened, a new session will be negotiated (with new cert request).
Of course in this case the browser will drop all other old sessions
for this site.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus   http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus  Fax. +49 355 69-4153



RE: repeatedly asking for authentication

2001-04-05 Thread Robert Buckley

Thank you for your response, 
If you take a look at a later post, I wrote that a link outside the root, 
will shut down the connection to the child. This makes the browser think it's
a fresh connection to the site. So even if you turned off "Ask Every Time",
the outcome would still be the same. For every "new" connection, you'll need
to identify yourself.
If we could stop the connection from closing on the child, you probably
wouldn't have to authenticate again. 
Again see the later post on the same RE: with New INFO attached.

Thanx again,

Robert

-Original Message-
From: Paul [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 05, 2001 10:55 AM
To: [EMAIL PROTECTED]
Subject: RE: repeatedly asking for authenticataion 



--- Robert Buckley <[EMAIL PROTECTED]> wrote:
> I've created a CA, one server cert and one client cert.
> All works well, however, every time I click a cgi script, it asks for
> authentication.

Are you sure it's the server? Netscape's default behavior for digital
certificates is "Ask Every Time" before sending the cert info. It may
just be that the browser is asking which cert to use every time before
sending the data to the server. You can change that property, though I
tend not to -- I like to see it.

> Even if I authenticate, the script will run, if I "reload" or
> "submit" it will again ask for authentication, every single time on
> every single link to the cgi.
> What is going on here?

On the other hand, maybe it's your SSLSessionCache. Mine has gotten
corrupted a time or two, and then the server had to go through the
motions on every request. Make sure you get a clean SSLSessionCache and
the problem might go away.
 
Good luck.




Multiple Verisign Certificates cause error

2001-04-05 Thread Viken Nokhoudian

I am running Apache Apache/1.3.12 (Unix) Red-Hat-Secure/3.2

When I add a second secure certificate to the server for a second secure
domain name, on a different IP address,
the Apache server will not start.  It generates an error message shown
at the bottom of this message.

It has been suggested that I should download and install the latest
mod_ssl to fix this problem. So, I have
two questions:

1) Does the latest mod_ssl fix this problem?

2) On the mod_ssl site, it says the latest mod_ssl is based on Apache
1.3.19  Will it compile and function
correctly with my Apache version 1.3.12?

Below is some descriptive info on the problem:


** In the httpd.conf file, we've got name virtual hosts
** set up.


NameVirtualHost 192.168.2.110:80
NameVirtualHost 192.168.2.110:443

NameVirtualHost 192.168.2.111:80
NameVirtualHost 192.168.2.111:443


** Also, we've got the two virtual hosts set up, each 
** with their own key files.



ServerName www.domainone.com
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /usr/local/apache/domainone/www
ScriptAlias /cgi-bin/ /usr/local/apache/domainone/cgi-bin/
ErrorLog /usr/local/apache/domainone_logs/error_log-ssl
TransferLog /usr/local/apache/domainone_logs/access_log-ssl
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/domainone.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domainone.key



ServerName www.domaintwo.com
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /usr/local/apache/domaintwo/www
ScriptAlias /cgi-bin/ /usr/local/apache/domaintwo/cgi-bin/
ErrorLog /usr/local/apache/domaintwo_logs/error_log-ssl
TransferLog /usr/local/apache/domaintwo_logs/access_log-ssl
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SSLEngine on
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/ssl.crt/domaintwo.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/domaintwo.key



** Server won't start.  It generates this error message
** in the SSL error log for domaintwo.


[Wed Apr  4 15:48:12 2001] [error] mod_ssl: Couldn't recover size of
server key www.domaintwo.com:443/KEY_LENGTH



Re: Init:Private Key not found errors on startup

2001-04-05 Thread Curtis J. Peredina

Please disregard...figured it out.

Curt

"Curtis J. Peredina" wrote:
> 
> OS: Solaris 2.7
> Apache: 1.3.19
> OpenSSL: 0.9.6
> Mod_ssl: latest
> 
> I get the following error on startup (in the error log):
> 
> [Thu Apr  5 10:22:51 2001] [error] mod_ssl: Init: Private key not found
> (OpenSSL library error follows)
> [Thu Apr  5 10:22:51 2001] [error] OpenSSL: error:0D084069:asn1 encoding
> routines:d2i_ASN1_SET:bad tag
> [Thu Apr  5 10:22:51 2001] [error] OpenSSL: error:0D09D082:asn1 encoding
> routines:d2i_RSAPrivateKey:parsing
> [Thu Apr  5 10:22:51 2001] [error] OpenSSL: error:0D09B00D:asn1 encoding
> routines:d2i_PrivateKey:ASN1 lib
> 
> My Config contains the following:
> 
> SSLEngine on
> SSLCertificateKeyFile /usr/local/apache/1.3.19/certs/www.mycompany.com.key
> SSLCertificateFile /usr/local/apache/1.3.19/certs/www.mycompany.com.crt
> 
> If I really move the files, apache bombs on the command line (correct),
> but as is it just hangs. The files are there, and I've looked through the
> faqs, manuals, etc, and haven't found any info. Anyone have suggestions,
> or point to some info?
> 
> Is it a problem with the key generation?
> 
> Thanks...



Re: apache, modssl, win32

2001-04-05 Thread Joachim Feise

"Brett W. McCoy" wrote:
> 
> On Wed, 4 Apr 2001, Shain Miley wrote:
> 
> > Hi,
> > I am trying to figure out how to get Apache and ModSSL to work with
> > Windows 2000.  I went to modssl.org/contrib and downloaded the newest
> > version of modssl,apache and openssl.  I can get apache to start without
> > SSL support, but if I try to uncomment the line:
> >
> > LoadModule ssl_module modules/mod_ssl.so
> 
> This should be a .dll on Windows:
> 
> LoadModule ssl_module modules/ApacheModuleSSL.dll
> 
> I'm using the same bundle and this is what worked for me.

Amazing. For some time now, all modules, even on Windows, have the
extension .so, and they are all called mod_whatever.so, to have
consistency between Unix and Windows.
If you have a .dll module, you are using an old version.

-Joe



Re: apache, modssl, win32

2001-04-05 Thread Shain Miley

hey,
I see that a lot of people are having this problem.  I found out that the
docs say to copy the .dll files into c:/winnt/system32, but if you copy
them into your apache root dir then it should work fine.
Shain

"Brett W. McCoy" wrote:
> 
> On Wed, 4 Apr 2001, Shain Miley wrote:
> 
> > Hi,
> > I am trying to figure out how to get Apache and ModSSL to work with
> > Windows 2000.  I went to modssl.org/contrib and downloaded the newest
> > version of modssl,apache and openssl.  I can get apache to start without
> > SSL support, but if I try to uncomment the line:
> >
> > LoadModule ssl_module modules/mod_ssl.so
> 
> This should be a .dll on Windows:
> 
> LoadModule ssl_module modules/ApacheModuleSSL.dll
> 
> I'm using the same bundle and this is what worked for me.
> 
> -- Brett
>http://www.chapelperilous.net/btfwk/
> 
> Wishing without work is like fishing without bait.
> -- Frank Tyger
> 



Re: Apache mod_ssl and openssl - I messed up

2001-04-05 Thread Aage J. Skjolingstad

Hi John,

I removed several of the packages and forced new installation of openssl
and reinstalled mod_ssl.

It is working now - kind of - still httpd dies though when I'm using the
-HUP command twice consecutively; - one time is OK though - has to do
with this "children things" - I believe.

Something is not correct between RH 7.0 - Apache 1.3.14 and mod_ssl. If
I remove mod_ssl and hatch out the command lines in httpd.conf - the
server operates and rotates the logs without any problems.

Regards,

Aage J. Skjolingstad


[EMAIL PROTECTED] wrote:
> 
> You can always try using
> 
> rpm -ivh --force package-name
> 
> ie, this reinstalls a package even if the RPM database says it is already
> installed. Unlike Windoze, this really does work. I use this often, for
> instance installing an older kernel when a newer one is installed.
> 
> With the latest mod_ssl I had to use
> 
> rpm -Uvh --oldpackage apache-mod_ssl...
> 
> Because it said the latest was older than the installed version, even though
> it wasn't. I suspect changes to the apache-mod_ssl.spec are to blame with
> this one.
> 
> Not really a modssl question though.
> 
> -
> John Airey
> Internet Systems Support Officer, ITCSD, Royal National Institute for the
> Blind,
> Bakewell Road, Peterborough PE2 6XU,
> Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
> 
> > -Original Message-
> > From: Aage J. Skjolingstad [mailto:[EMAIL PROTECTED]]
> > Sent: 05 April 2001 00:07
> > To: [EMAIL PROTECTED]
> > Subject: Apache mod_ssl and openssl - I messed up
> >
> >
> > Dear List
> >
> > I messed up my openssl file (RH 7.0 rpm) last night when I
> > tried to get
> > openSSH and mod_ssl working as I had a problem with debugging openssh
> > saying it could not connect to port 22.
> >
> > Now I get an error referring to "Name" and x509 and I had to remove all
> > this stuff on my Apache server to get it up and running (without ssl)
> > over night.
> >
> > Is there any way to reinstall openssl - think it is 0.9.5.2 ?
> >
> > When I try to remove to reinstall it it refers to; - needed by: samba,
> > rtunnel etc..
> >
> > Help very much appreciated,
> >
> > Aage J. Skjolingstad



explusion?

2001-04-05 Thread Paul

I have been looking at this for a while, and must be looking in the
wrong places.  From httpd.conf:

#   Semaphore:
#   Configure the path to the mutual explusion semaphore the
#   SSL engine uses internally for inter-process synchronization.


"mutual eplusion semaphore"? OK, expulsion I would understand.
Exclusion I would understand even better. Explusion?

Is it just a typo? Or if not, what the hell is "explusion", and where
can I find docs on it? =o)

(FYI, a web search turned up lots of typos; requiring SSL in addition
to "explusion" gave me a bunch of quotes from httpd.conf! lol! ;o)




Re: SSLMutex error

2001-04-05 Thread Owen Boyle

Maarten van Lieshout wrote:
> [04/Apr/2001 23:46:57 97322] [error] Child could not open SSLMutex
> lockfile /home/www.nottherealname.com/chroot/tmp/ssl_mutex.89573 (System error
> See what I mean? It cannot find the file ssl_mutex.89573 which DOES
> exist. I think this is a bug in modssl.

I saw that before and it seems to me that apache is clearly trying to
access a file which is called
"/home/www.nottherealname.com/chroot/tmp/ssl_mutex.89573". Does this
path really exist?

Rgds,

Owen Boyle.



RE: repeatedly asking for authenticataion

2001-04-05 Thread Paul


--- Robert Buckley <[EMAIL PROTECTED]> wrote:
> I've created a CA, one server cert and one client cert.
> All works well, however, every time I click a cgi script, it asks for
> authentication.

Are you sure it's the server? Netscape's default behavior for digital
certificates is "Ask Every Time" before sending the cert info. It may
just be that the browser is asking which cert to use every time before
sending the data to the server. You can change that property, though I
tend not to -- I like to see it.

> Even if I authenticate, the script will run, if I "reload" or
> "submit" it will again ask for authentication, every single time on
> every single link to the cgi.
> What is going on here?

On the other hand, maybe it's your SSLSessionCache. Mine has gotten
corrupted a time or two, and then the server had to go through the
motions on every request. Make sure you get a clean SSLSessionCache and
the problem might go away.
 
Good luck.




Init:Private Key not found errors on startup

2001-04-05 Thread Curtis J. Peredina

OS: Solaris 2.7
Apache: 1.3.19
OpenSSL: 0.9.6
Mod_ssl: latest

I get the following error on startup (in the error log):

[Thu Apr  5 10:22:51 2001] [error] mod_ssl: Init: Private key not found
(OpenSSL library error follows)
[Thu Apr  5 10:22:51 2001] [error] OpenSSL: error:0D084069:asn1 encoding
routines:d2i_ASN1_SET:bad tag
[Thu Apr  5 10:22:51 2001] [error] OpenSSL: error:0D09D082:asn1 encoding
routines:d2i_RSAPrivateKey:parsing
[Thu Apr  5 10:22:51 2001] [error] OpenSSL: error:0D09B00D:asn1 encoding
routines:d2i_PrivateKey:ASN1 lib

My Config contains the following:

SSLEngine on
SSLCertificateKeyFile /usr/local/apache/1.3.19/certs/www.mycompany.com.key
SSLCertificateFile /usr/local/apache/1.3.19/certs/www.mycompany.com.crt

If I really move the files, apache bombs on the command line (correct),
but as is it just hangs. The files are there, and I've looked through the
faqs, manuals, etc, and haven't found any info. Anyone have suggestions,
or point to some info?

Is it a problem with the key generation?

Thanks...



RE: SSLMutex error

2001-04-05 Thread John . Airey

> -Original Message-
> From: Maarten van Lieshout [mailto:[EMAIL PROTECTED]]
> Sent: 05 April 2001 15:04
> To: [EMAIL PROTECTED]
> Subject: Re: SSLMutex error
> 
> 
> Owen Boyle wrote:
> > 
> > Maarten van Lieshout wrote:
> > >
> > > This problem has been reported previously, but I am using 
> different
> > > software versions.
> > > SSLMutex  file:chroot/tmp/ssl_mutex
> > 
> > What all this "chroot" stuff? This is supposed to be a full 
> path to a
> > filename. Try something simple like:
> > 
> > SSLMutex  file:/home/apache/logs/ssl_mutex
> 
> chroot means it runs in its own root-environment, so there is 
> no need to
> enter the full pathname. I have tried it just to be sure, but 
> it didn't
> work.

Surely if you are running a chrooted server you should be using 

file:/tmp/ssl_mutex

Wouldn't that write the "chrooted" tmp directory anyway?

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



Rewrite not working when SSLEngine is on

2001-04-05 Thread Gaetan Delahousse

Hi Everyone,

I am trying to set a reverse-proxy, it worked fine until I started to use
rewrite
rules. All my rewrite rules are working fine when SSLEngine off, but
doesn't
work when SSLEngine is on. Not a thing is logged, not even the init of the
rewrite engine.

I am using apache-1.3.12, mod-ssl-2.6.6 and openssl-0.9.5a. I tried with
apache-1.3.19 and mod-ssl-2.8.2 and got exactly the same problem.

I am now fighting 3 days with that and I started to debug httpd to see what

is going on.

Thanks,
Gaetan

here an extract of the httpd.conf

RewriteEngine  on
RewriteLog  /tmp/rewrite.log
RewriteLogLevel  9
RewriteRule  /base/images  /images

#  snip 


SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /home/base/conf/ssl.crt/base-server.crt
SSLCertificateKeyFile /home/base/conf/ssl.key/base-server.key
SSLSessionCacheTimeout   300
SSLLog   /home/base/logs/SSLEngineLog.proxy
SSLLogLevel  debug
RewriteEngine on
RewriteOptions inherit
ProxyPass /base https://localhost:8443/base





Re: SSLMutex error

2001-04-05 Thread Brett W. McCoy

On Thu, 5 Apr 2001, Maarten van Lieshout wrote:

> > > [04/Apr/2001 23:46:57 97322] [error] Child could not open SSLMutex
> > > lockfile /home/www.nottherealname.com/chroot/tmp/ssl_mutex.89573 (System error
> > > follows)
>
> See what I mean? It cannot find the file ssl_mutex.89573 which DOES
> exist. I think this is a bug in modssl.

What may be happening (this happened to me this week) is that there is a
path mismatch somewhere else.  It may be creating the mutex file properly,
but there is a semaphore file being used for shared memory that isn't
being created properly and mod_ssl can't allocate the shared memory.  I
banged my head on the desktop for an hour trying to figure this out and
found out my semaphore wasn't being created because I had a path set
wrong.  Be very careful about the paths and make sure they exist because
they don't get created automatically by Apache.

-- Brett
   http://www.chapelperilous.net/btfwk/

If we don't survive, we don't do anything else.
-- John Sinclair




Re: SSLMutex error

2001-04-05 Thread Maarten van Lieshout

Owen Boyle wrote:
> 
> Maarten van Lieshout wrote:
> >
> > This problem has been reported previously, but I am using different
> > software versions.
> > SSLMutex  file:chroot/tmp/ssl_mutex
> 
> What's all this "chroot" stuff? This is supposed to be a full path to a
> filename. Try something simple like:
> 
> SSLMutex  file:/home/apache/logs/ssl_mutex

chroot means it runs in its own root environment, so there is no need to
enter the full pathname. I have tried it just to be sure, but it didn't
work.


> 
> NB apache appends the child process id to this so each lock-file is
> unique - you don't need to worry about assigning different locks to
> different VHs or servers.
> 
> > [04/Apr/2001 23:46:57 97322] [error] Child could not open SSLMutex
> > lockfile /home/www.nottherealname.com/chroot/tmp/ssl_mutex.89573 (System error 
>follows)

 ^^
See what I mean? It cannot find the file ssl_mutex.89573 which DOES
exist. I think this is a bug in modssl.


> > [04/Apr/2001 23:46:57 97322] [error] System: No such file or directory
> > (errno: 2)
> 
> It means what it says: tried to open a file called
> "/home/www.nottherealname.com/chroot/tmp/ssl_mutex.89573" but couldn't
> because the directory doesn't exist...
> 
> Rgds,
> 
> Owen Boyle.


Regards,

Maarten van Lieshout



RE: repeatedly asking for authentication - NEW INFO

2001-04-05 Thread Robert Buckley

Howdy,
In an earlier post I wrote how a client (linux-netscape) is being asked for
authentication by the SSL enabled server (has a CA signed cert) constantly
on every link. (I haven't even got to IE clients yet)
Tailing the ssl_engine_log, here is the following:

INITIAL CONNECTION:
[date] [info] Connection to child 1 established (server bleh.bleh.com:443,
client 1.2.3.4)
[date] [info] Seeding PRNG with 1160 bytes of entropy
[date] [info] Connection: Client IP: 1.2.3.4 Protocol: SSL:v3, Cipher:
RC4-MD5 (128/128 bits)
[date] [info] Initial (No.1) HTTPS request received for child 1 (server
bleh.bleh.com:443)

Now click some links that don't take you out of the root dir
[date][info] Subsequent (No. 2) HTTPS request received for child 1 (server
bleh.bleh.com:443)
[date][info] Subsequent (No. 3) HTTPS request received for child 1 (server
bleh.bleh.com:443)
... fine and dandy there.
Now click a link to some other different directory, in this case a directory
off root called /usr/local/www/data/test
[date] [info] Subsequent (No. 4) HTTPS request received for child 1 (server
bleh.bleh.com:443)
[date] [info] Connection to child 1 closed with standard shutdown (server
bleh.bleh.com:443, client 1.2.3.4)

Resubmit or keep clicking links to directories outside of root, and the
connection to child "ALWAYS" shuts down.
This is the problem. Is there a solution?

Robert



Robert Buckley
Security Administration
Synapse Group, Inc.
Four High Ridge Park
Stamford, CT 06902
(203) 614-3279 (phone)







Re: SSLMutex error

2001-04-05 Thread Owen Boyle

Maarten van Lieshout wrote:
> 
> This problem has been reported previously, but I am using different
> software versions.
> SSLMutex  file:chroot/tmp/ssl_mutex

What's all this "chroot" stuff? This is supposed to be a full path to a
filename. Try something simple like:

SSLMutex  file:/home/apache/logs/ssl_mutex

NB apache appends the child process id to this so each lock-file is
unique - you don't need to worry about assigning different locks to
different VHs or servers.

> [04/Apr/2001 23:46:57 97322] [error] Child could not open SSLMutex
> lockfile /home/www.nottherealname.com/chroot/tmp/ssl_mutex.89573 (System
> error follows)
> [04/Apr/2001 23:46:57 97322] [error] System: No such file or directory
> (errno: 2)

It means what it says: tried to open a file called
"/home/www.nottherealname.com/chroot/tmp/ssl_mutex.89573" but couldn't
because the directory doesn't exist...

Rgds,

Owen Boyle.
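Both Brett's point (the lockfile directory is never created by Apache) and Owen's (the error is a plain ENOENT on the directory) come down to knowing which path the child actually opens. The following is an added example, not code from this thread or from mod_ssl: it resolves an "SSLMutex file:..." value the way mod_ssl does for the "file:" form (relative paths are taken relative to ServerRoot) and, as an assumption, treats a chrooted child as opening that resolved path inside the chroot, then checks that the directory exists and is writable.

```shell
#!/bin/sh
# Added example (not from the thread or from mod_ssl): find the lockfile
# path a mod_ssl child will open for "SSLMutex file:..." and check that
# its directory exists, since Apache does not create it.
# Assumptions: relative "file:" paths are ServerRoot-relative (as
# ap_server_root_relative() does), and a child running inside a chroot
# opens the resolved path inside that chroot.

# resolve_sslmutex SERVER_ROOT SSLMUTEX_VALUE [CHROOT_DIR]
# Prints the lockfile prefix as seen from outside the chroot; the child
# itself appends ".<pid>" to it.
resolve_sslmutex() {
    server_root=$1
    value=$2
    chroot_dir=${3:-}        # empty when the server is not chrooted

    case $value in
        file:*) path=${value#file:} ;;
        *) echo "resolve_sslmutex: not a file: mutex ($value)" >&2; return 2 ;;
    esac

    case $path in
        /*) ;;                             # already absolute
        *)  path="$server_root/$path" ;;   # ServerRoot-relative
    esac

    # Seen from the host, a chrooted child's "/x" is "$chroot_dir/x".
    printf '%s%s\n' "$chroot_dir" "$path"
}

# check_sslmutex_dir SERVER_ROOT SSLMUTEX_VALUE [CHROOT_DIR]
# Returns 0 if the lockfile directory exists and is writable by the user
# running this check, 1 otherwise (run it as the Apache User to be sure).
check_sslmutex_dir() {
    lock=$(resolve_sslmutex "$@") || return 2
    dir=${lock%/*}
    if [ ! -d "$dir" ]; then
        echo "MISSING directory: $dir (open() fails with ENOENT, errno 2)"
        return 1
    fi
    if [ ! -w "$dir" ]; then
        echo "NOT WRITABLE: $dir"
        return 1
    fi
    echo "OK: $dir"
    return 0
}
```

Run with the ServerRoot, the SSLMutex value and (if used) the chroot directory from your own httpd.conf; a relative path combined with a chroot yields a doubled prefix, which is exactly the kind of path mismatch that produces the "No such file or directory" seen above.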



SSLMutex error

2001-04-05 Thread Maarten van Lieshout

This problem has been reported previously, but I am using different
software versions. 

I'm trying to install a certificate on an apache server. We are using
apache-1.3.12, mod-ssl-2.6.4 and openssl-0.9.4.

This is the apache.conf piece:


SSLPassPhraseDialog  builtin
SSLSessionCache none
SSLSessionCacheTimeout  300
SSLMutex  file:chroot/tmp/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

SSLLog  logs/ssl_engine_log
SSLLogLevel info




DocumentRoot "/htdocs"
ServerName www.nottherealname.com
ServerAdmin [EMAIL PROTECTED]
ErrorLog logs/error_log
TransferLog logs/access_log

SSLEngine on
SSLCertificateFile /home/www.notherealname.com/conf/ssl.crt/www.notherealname.com.crt
SSLCertificateKeyFile /home/www.notherealname.com/conf/ssl.key/www.notherealname.com.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

#   Per-Server Logging:
CustomLog logs/ssl_request_log \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
SSLProtocol SSLv2
  





Something seems to go wrong as you can see below when the child
processes are starting, but I can't find the problem. I've checked
apache.conf and the permissions of the various directories. Has anyone
had this problem before??


bash-2.03# less ssl_engine_log 
[04/Apr/2001 23:46:55 89635] [info]  Init: 1st restart round (already
detached)
[04/Apr/2001 23:46:55 89635] [info]  Init: Reinitializing OpenSSL
library
[04/Apr/2001 23:46:56 89635] [info]  Init: Seeding PRNG with 1160 bytes
of entropy
[04/Apr/2001 23:46:56 89635] [info]  Init: Configuring temporary RSA
private keys (512/1024 bits)
[04/Apr/2001 23:46:56 89635] [info]  Init: Configuring temporary DH
parameters (512/1024 bits)
[04/Apr/2001 23:46:56 89635] [info]  Init: Initializing (virtual)
servers for SSL
[04/Apr/2001 23:46:56 89635] [info]  Init: Configuring server
www.nottherealname.com:443 for SSL protocol
[04/Apr/2001 23:46:57 97322] [error] Child could not open SSLMutex
lockfile /home/www.nottherealname.com/chroot/tmp/ssl_mutex.89573 (System
error follows)
[04/Apr/2001 23:46:57 97322] [error] System: No such file or directory
(errno: 2)
[04/Apr/2001 23:46:57 97323] [error] Child could not open SSLMutex
lockfile /home/www.nottherealname.com/chroot/tmp/ssl_mutex.89573 (System
error follows)

Thanks,

Maarten van Lieshout