RE: Netscape + ModSSL=Dead slow.

2001-05-31 Thread Marcel Erkens

7.0 may be old but it's better than 7.1

Just install 7.0, update some programs and build the latest kernel and
things are good :)

At 06:56 PM 5/31/01 -0400, you wrote:
>On Thu, 31 May 2001, David Rees wrote:
>
>> > -Original Message-
>> > From: [EMAIL PROTECTED]
>> > [mailto:[EMAIL PROTECTED]]On Behalf Of DAve Goodrich
>> > 
>> > Maybe..  but the Netscape I'm testing works perfectly with Amazon, ebay,
>> > B&N, etc etc etc. I've tried with Win2k servers, Solaris, Stronghold, all
>> > work fine.
>> > 
>> > Anyone have a mod_ssl server I can try against? mod_ssl version number
>> > different and same as mine for comparison would be excellent.
>> > 
>> > Slackware 7.0
>> > Apache 1.2.13
>> > mod_ssl-2.6.6-1.3.12
>> > openssl-0.9.6
>> 
>> Any reason you're running an old version of Apache/mod_ssl and openssl?
>
>Might as well address the old version of slackware as well.
>
>Thanks,
>
>Ron DuFresne
>-- 
>~~
>admin & senior consultant:  darkstar.sysinfo.com
>  http://darkstar.sysinfo.com
>
>"Cutting the space budget really restores my faith in humanity.  It
>eliminates dreams, goals, and ideals and lets us get straight to the
>business of hate, debauchery, and self-annihilation."
>-- Johnny Hart
>
>testing, only testing, and damn good at it too!
>
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: Netscape + ModSSL=Dead slow.

2001-05-31 Thread Mads Toftum

On Thu, May 31, 2001 at 10:56:04AM -0700, DAve Goodrich wrote:
> Current update on this problem;
> 
> I've been sniffing the TCP stream while logging in with Netscape/PC and
> Netscape/Mac. Interestingly the Mac version appears to load three objects
> (images) and then wait for 18 seconds. Then load another three objects and
> again wait 18 seconds. Etc etc etc.

Hmmm - what is your SSLSessionCache set to? And when looking at your Apache
logs, does it show session cache hits or misses? In Netscape under 
"Security/Passwords/Netscape will ask for this Password:" 
what is it set to?

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




Re: mod_ssl vs. Stronghold 3

2001-05-31 Thread Mads Toftum

On Thu, May 31, 2001 at 10:43:41AM -0500, Woodraska, Robert J. wrote:
> My company is looking at going to Stronghold 3, partly because of the commercial
> aspect. Is it possible to run mod_ssl for commercial purposes now?

Yes. The issue with the RSA patent ended in September last year.

> Does anybody know if there are major differences in the way Stronghold 3 is set up
> that would prevent us from using mod_ssl instead?  Thanks in advance.

Take a look at http://www.modssl.org/docs/apachecon2001/slide-002-l.html

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




SSL confusion http works ssl won't

2001-05-31 Thread Jamby

Hi

I have 
redhat linux 7.0
apache 1.3.14
openssl 0.9.5a
mod_ssl 2.6.6
mod_perl 1.24   

all from rpm's 


http is working, but if I turn on mod_ssl (I turn this on and off by
renaming the file /usr/lib/apache/libssl.so; is there a better way?),
then I get back "the document contained no data - try again later, or
contact the server's administrator". The 443 port is responding and
appears to be working. So I rename the file and restart httpd without
mod_ssl, and http is working and the 443 port is not responding. Clearly
something isn't right, but I don't know yet where the error lies.

I have this in the /var/log/httpd/error_log

[Wed May 30 16:19:21 2001] [notice] Apache/1.3.14 (Unix) 
(Red-Hat/Linux) mod_ssl/2.6.6 OpenSSL/0.9.5a mod_perl/1.24 configured --
resuming normal operations
[Wed May 30 16:19:32 2001] [notice] child pid 1232 exit signal
Segmentation fault (11)
[Wed May 30 16:19:53 2001] [notice] child pid 1233 exit signal
Segmentation fault (11)
[Wed May 30 16:20:14 2001] [notice] child pid 1234 exit signal
Segmentation fault (11)
[Wed May 30 16:22:32 2001] [notice] child pid 1236 exit signal
Segmentation fault (11)

A new error message is added each time I try to connect to the server
when mod_ssl is running.


Has anyone run into this before...???

Thanks for your time...
Jim H.



RE: Netscape + ModSSL=Dead slow.

2001-05-31 Thread David Rees

> Of course ;^)  Our web app is built around PHP+CPDF+GD+Openlink, to get
> everything to compile without errors I can't use bleeding edge releases. I'm
> running Apache 1.2.13 and PHP 4.0.0 because they are rock solid for me. CPDF
> and GD compile best against PHP 4.0.0, and Openlink compiles best against
> Slack 7.0 (actually, kernel 2.2.13).
>
> As to mod_ssl and openssl, well they were current when I started this..
> I've also discovered that staying one version behind (provided it has no
> major flaws) greatly increases one's chance of finding info in FAQ, mail list
> archives, etc.
>
> Is there a known problem with either of these versions? Jeeez I hope I
> didn't miss a message.

Well, PHP 4.0.0 has known security holes, so you might want to avoid that.
Upgrading to PHP 4.0.5 is recommended, although this shouldn't have any
effect on your particular problem.

You also really should be using a version of OpenSSL which matches Apache. I
didn't even know that modssl-2.6.6-1.3.12 would work against Apache 1.2.13.
I would at the very least upgrade to Apache 1.3.12.  Upgrading to Apache
1.3.20 is also recommended because of some security holes found in older
releases as well.

If you really want to use modssl 2.6.6, you probably should stick with
OpenSSL 0.9.5a which was available at the time of release of 2.6.6.  OpenSSL
0.9.6 wasn't released until Sep 24, a month after modssl 2.6.6.

-Dave




Re: Netscape + ModSSL=Dead slow.

2001-05-31 Thread R. DuFresne

On Thu, 31 May 2001, DAve Goodrich wrote:

> on 5/31/01 2:08 PM, David Rees at [EMAIL PROTECTED] wrote:
> 
> >> -Original Message-
> >> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED]]On Behalf Of DAve Goodrich
> >> 
> >> Maybe..  but the Netscape I'm testing works perfectly with Amazon, ebay,
> >> B&N, etc etc etc. I've tried with Win2k servers, Solaris, Stronghold, all
> >> work fine.
> >> 
> >> Anyone have a mod_ssl server I can try against? mod_ssl version number
> >> different and same as mine for comparison would be excellent.
> >> 
> >> Slackware 7.0
> >> Apache 1.2.13
> >> mod_ssl-2.6.6-1.3.12
> >> openssl-0.9.6
> > 
> > Any reason you're running an old version of Apache/mod_ssl and openssl?
> > 
> > -Dave
> Of course ;^)  Our web app is built around PHP+CPDF+GD+Openlink, to get
> everything to compile without errors I can't use bleeding edge releases. I'm
> running Apache 1.2.13 and PHP 4.0.0 because they are rock solid for me. CPDF
> and GD compile best against PHP 4.0.0, and Openlink compiles best against
> Slack 7.0 (actually, kernel 2.2.13).

Yet the SecurityFocus site has numerous vulnerabilities listed, some
quite recent for php up to and including 4.0.4, and some dating back at
least to the end of last year for 4.0.0 and earlier versions in particular.


I can understand and agree with not jumping on a "bleeding edge release",
at least not for the first day or two of release in some situations and
for certain release related updates, but, looking at the documentation for
-=why=-, the rationale of the updated release certainly is a good point to
follow with a focus upon issues relating to security.  Especially on those
systems exposed to the internet in general.


Thanks,

Ron DuFresne
-- 
~~
admin & senior consultant:  darkstar.sysinfo.com
  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!




RE: Netscape + ModSSL=Dead slow.

2001-05-31 Thread R. DuFresne

On Thu, 31 May 2001, David Rees wrote:

> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of DAve Goodrich
> > 
> > Maybe..  but the Netscape I'm testing works perfectly with Amazon, ebay,
> > B&N, etc etc etc. I've tried with Win2k servers, Solaris, Stronghold, all
> > work fine.
> > 
> > Anyone have a mod_ssl server I can try against? mod_ssl version number
> > different and same as mine for comparison would be excellent.
> > 
> > Slackware 7.0
> > Apache 1.2.13
> > mod_ssl-2.6.6-1.3.12
> > openssl-0.9.6
> 
> Any reason you're running an old version of Apache/mod_ssl and openssl?

Might as well address the old version of slackware as well.

Thanks,

Ron DuFresne
-- 
~~
admin & senior consultant:  darkstar.sysinfo.com
  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!




Re: RE: mod_ssl vs. Stronghold 3

2001-05-31 Thread George Walsh

Stronghold is now owned by Red Hat and is most definitely NOT free, as I mentioned in 
the original posting. But Stronghold does use mod_ssl and it really is Apache anyway. 
Unless the whole process terrifies you, why would you not prefer the support of this 
community, which from personal experience I can say has been wonderful!

George

[EMAIL PROTECTED] wrote:
>
> Hmm.. also, is stronghold free?  The price of Apache can't be beat.
>
--
George Walsh,
Managing Director,
Travel Seewise Pacific Corp
Vancouver Canada



Re: Netscape + ModSSL=Dead slow.

2001-05-31 Thread DAve Goodrich

on 5/31/01 2:08 PM, David Rees at [EMAIL PROTECTED] wrote:

>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]]On Behalf Of DAve Goodrich
>> 
>> Maybe..  but the Netscape I'm testing works perfectly with Amazon, ebay,
>> B&N, etc etc etc. I've tried with Win2k servers, Solaris, Stronghold, all
>> work fine.
>> 
>> Anyone have a mod_ssl server I can try against? mod_ssl version number
>> different and same as mine for comparison would be excellent.
>> 
>> Slackware 7.0
>> Apache 1.2.13
>> mod_ssl-2.6.6-1.3.12
>> openssl-0.9.6
> 
> Any reason you're running an old version of Apache/mod_ssl and openssl?
> 
> -Dave
Of course ;^)  Our web app is built around PHP+CPDF+GD+Openlink, to get
everything to compile without errors I can't use bleeding edge releases. I'm
running Apache 1.2.13 and PHP 4.0.0 because they are rock solid for me. CPDF
and GD compile best against PHP 4.0.0, and Openlink compiles best against
Slack 7.0 (actually, kernel 2.2.13).

As to mod_ssl and openssl, well they were current when I started this..
I've also discovered that staying one version behind (provided it has no
major flaws) greatly increases one's chance of finding info in FAQ, mail list
archives, etc.

Is there a known problem with either of these versions? Jeeez I hope I
didn't miss a message.

DAve
--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com





RE: Netscape + ModSSL=Dead slow.

2001-05-31 Thread David Rees

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of DAve Goodrich
> 
> Maybe..  but the Netscape I'm testing works perfectly with Amazon, ebay,
> B&N, etc etc etc. I've tried with Win2k servers, Solaris, Stronghold, all
> work fine.
> 
> Anyone have a mod_ssl server I can try against? mod_ssl version number
> different and same as mine for comparison would be excellent.
> 
> Slackware 7.0
> Apache 1.2.13
> mod_ssl-2.6.6-1.3.12
> openssl-0.9.6

Any reason you're running an old version of Apache/mod_ssl and openssl?

-Dave



Private key not found--d2i_ASN1_SET:bad class

2001-05-31 Thread Carl Bowden

Hi, I'm hoping someone may be able to help.

We have installed apache:mod_ssl, got the CA cert and carefully set up
httpd.conf to point to the correct .key & .crt files.

As we start up 'apachectl startssl', this is the error:
Apache:mod_ssl:Error: Private key not found.
**Stopped

The error log has this:

mod_ssl: Init: Private key not found (OpenSSL library error
follows)
OpenSSL: error:0D084064:asn1 encoding
routines:d2i_ASN1_SET:bad class
OpenSSL: error:0D09D082:asn1 encoding
routines:d2i_RSAPrivateKey:parsing
OpenSSL: error:0D09B00D:asn1 encoding
routines:d2i_PrivateKey:ASN1 lib

The paths in httpd.conf are correct full paths; we can 'cat'
the key from a command line with the same path.

I have no idea what this means, if anyone could point us in
the right direction it would be a big help.

thanks in advance 

carl.



Re: Netscape + ModSSL=Dead slow.

2001-05-31 Thread DAve Goodrich

Maybe..  but the Netscape I'm testing works perfectly with Amazon, ebay,
B&N, etc etc etc. I've tried with Win2k servers, Solaris, Stronghold, all
work fine.

Anyone have a mod_ssl server I can try against? mod_ssl version number
different and same as mine for comparison would be excellent.

Slackware 7.0
Apache 1.2.13
mod_ssl-2.6.6-1.3.12
openssl-0.9.6

DAve

on 5/31/01 11:42 AM, McCaffity, Ray at [EMAIL PROTECTED] wrote:

> We have several Macs all running OS 9.1 using MSIE 5;
> web server is Apache1.3.20+mod_ssl+openSSL0.9.6a.
> We don't have any problems.  Maybe it's a Netscape thing?
> 
> -Original Message-
> From: DAve Goodrich [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 31, 2001 12:56 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Netscape + ModSSL=Dead slow.
> 
> 
> Current update on this problem;
> 
> I've been sniffing the TCP stream while logging in with Netscape/PC and
> Netscape/Mac. Interestingly the Mac version appears to load three objects
> (images) and then wait for 18 seconds. Then load another three objects and
> again wait 18 seconds. Etc etc etc.
> 
> Very strange, the PC Netscape loads the entire page in under a second.
> 
> I have also tried using Netscape/Mac with differing security levels. Using
> the security tool in Netscape I have tried turning off SSLv2 or SSLv3 at the
> client, including changing the requested ciphers. Any combination of the
> below, on or off, makes no difference, Netscape/Mac still crawls.
> 
> RC4 encryption with a 128-bit key and an MD5 MAC
> FIPS 140-1 compliant triple DES encryption and SHA-1 MAC
> Triple DES encryption with a 168-bit key and a SHA-1 MAC
> FIPS 140-1 compliant DES encryption and SHA-1 MAC
> DES encryption with a 56-bit key and a SHA-1 MAC
> RC4 encryption with a 56-bit key and a SHA-1 MAC
> DES encryption in CBC mode with a 56-bit key and a SHA-1 MAC
> RC4 encryption with a 40-bit key and an MD5 MAC
> RC2 encryption with a 40-bit key and an MD5 MAC
> No encryption with an MD5 MAC
> 
> Any clues yet? Is there anything I can do, record, reconfig, chant, to try
> and find an answer for this?
> 
>   Hello?
> 
> on 5/29/01 1:22 PM, DAve Goodrich at [EMAIL PROTECTED] wrote:
> 
>> More information on this. I have dropped down to SSLv2 with no change.
>> Netscape is still slow. Testing on a local LAN (100mb duplex, only my
>> client), server config unchanged.
>> 
>> Netscape 4.75 on a Mac G4 running MacOS 9.1. A test page loads in slightly
>> more than three minutes, the same page when viewed on a PC running Win2K and
>> Netscape 4.75 loads in under 1/2 second.
>> 
>> I have ssl_engine_log files available run in  mode if
>> someone would look at them. It appears, "appears", that the Mac Netscape is
>> doing many things twice.
>> 
>> DAve
>> 
>> TS continues...
>> 
>> on 5/25/01 4:51 PM, DAve Goodrich at [EMAIL PROTECTED] wrote:
>> 
>>> I'll throw my hat in on this one. I also have looked high and low for an
>>> answer without luck. The logs tell me nothing about what might be going
>>> wrong. I did read and use the suggestions from the FAQ and Ref manual before
>>> searching the list.
>>> 
>>> Slackware 7.0
>>> Apache 1.2.13
>>> mod_ssl-2.6.6-1.3.12
>>> openssl-0.9.6
>>> 
>>> Netscape 4.7.X on a Mac literally crawls. MSIE, Mozilla, Opera have no
>>> problems. Netscape on a PC seems OK as does Netscape on Unix.
>>> 
>>> DAve.

--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com





RE: Netscape + ModSSL=Dead slow.

2001-05-31 Thread McCaffity, Ray

We have several Macs all running OS 9.1 using MSIE 5;
web server is Apache1.3.20+mod_ssl+openSSL0.9.6a.
We don't have any problems.  Maybe it's a Netscape thing?

-Original Message-
From: DAve Goodrich [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 31, 2001 12:56 PM
To: [EMAIL PROTECTED]
Subject: Re: Netscape + ModSSL=Dead slow.


Current update on this problem;

I've been sniffing the TCP stream while logging in with Netscape/PC and
Netscape/Mac. Interestingly the Mac version appears to load three objects
(images) and then wait for 18 seconds. Then load another three objects and
again wait 18 seconds. Etc etc etc.

Very strange, the PC Netscape loads the entire page in under a second.

I have also tried using Netscape/Mac with differing security levels. Using
the security tool in Netscape I have tried turning off SSLv2 or SSLv3 at the
client, including changing the requested ciphers. Any combination of the
below, on or off, makes no difference, Netscape/Mac still crawls.

RC4 encryption with a 128-bit key and an MD5 MAC
FIPS 140-1 compliant triple DES encryption and SHA-1 MAC
Triple DES encryption with a 168-bit key and a SHA-1 MAC
FIPS 140-1 compliant DES encryption and SHA-1 MAC
DES encryption with a 56-bit key and a SHA-1 MAC
RC4 encryption with a 56-bit key and a SHA-1 MAC
DES encryption in CBC mode with a 56-bit key and a SHA-1 MAC
RC4 encryption with a 40-bit key and an MD5 MAC
RC2 encryption with a 40-bit key and an MD5 MAC
No encryption with an MD5 MAC

Any clues yet? Is there anything I can do, record, reconfig, chant, to try
and find an answer for this?

  Hello?

on 5/29/01 1:22 PM, DAve Goodrich at [EMAIL PROTECTED] wrote:

> More information on this. I have dropped down to SSLv2 with no change.
> Netscape is still slow. Testing on a local LAN (100mb duplex, only my
> client), server config unchanged.
> 
> Netscape 4.75 on a Mac G4 running MacOS 9.1. A test page loads in slightly
> more than three minutes, the same page when viewed on a PC running Win2K and
> Netscape 4.75 loads in under 1/2 second.
> 
> I have ssl_engine_log files available run in  mode if
> someone would look at them. It appears, "appears", that the Mac Netscape is
> doing many things twice.
> 
> DAve
> 
> TS continues...
> 
> on 5/25/01 4:51 PM, DAve Goodrich at [EMAIL PROTECTED] wrote:
> 
>> I'll throw my hat in on this one. I also have looked high and low for an
>> answer without luck. The logs tell me nothing about what might be going
>> wrong. I did read and use the suggestions from the FAQ and Ref manual before
>> searching the list.
>> 
>> Slackware 7.0
>> Apache 1.2.13
>> mod_ssl-2.6.6-1.3.12
>> openssl-0.9.6
>> 
>> Netscape 4.7.X on a Mac literally crawls. MSIE, Mozilla, Opera have no
>> problems. Netscape on a PC seems OK as does Netscape on Unix.
>> 
>> DAve.

--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com





Real SSL Server Certificate

2001-05-31 Thread Hu, Meng P (Meng Pei)

Hi,

I have successfully installed Apache_1.3.19 + mod_ssl-2.8.2 + openssl-0.9.6a
on Solaris with a testing certificate signed by Snake Oil CA.

After reading the FAQ on how to install a real SSL server certificate, there
are a few steps that confuse me:

1. Since I can see both /apache/conf/ssl.key/server.key and
/apache/conf/ssl.csr/server.csr files, I will assume that I don't have to go
through creating the CSR and private key again. Is that right?

2. I sent /apache/conf/ssl.csr/server.csr to the third party CA, and they
generated a certificate (cernew.cer) for my web server. Should I just rename
cernew.cer to server.crt?

Thanks for your help,
Mengpei Hu



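An added check for the two certificate-install questions above (Carl's "Private key not found ... d2i_ASN1_SET:bad class" and Mengpei's "should I just rename cernew.cer to server.crt"), written for this edit and not taken from the list or from mod_ssl: it decodes a PEM file offline and reports whether it is the unencrypted PKCS#1 RSA key that d2i_RSAPrivateKey expects, a certificate, raw DER, or an encrypted or PKCS#8 key. All sample inputs are constructed, and the function and file names are assumptions of this example, not mod_ssl's.

```python
"""Offline structural check of a PEM file meant for SSLCertificateKeyFile.

After PEM base64 decoding, OpenSSL's d2i_RSAPrivateKey expects DER whose
outermost element is a universal SEQUENCE (tag byte 0x30) holding nine
INTEGERs (version 0, n, e, d, p, q, dp, dq, qInv).  "d2i_ASN1_SET:bad class"
is OpenSSL's complaint that the first tag byte it met was not the one it
expected.  On a live system 'openssl rsa -noout -check -in server.key' does
the full check; this script only does the structural part, with no OpenSSL.
"""
import base64
import re

# RFC 1421 style armour: the label on the BEGIN line must match the END line.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated DER: no tag byte")
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("high-tag-number form does not occur in a key file")
    pos += 1
    if pos >= len(buf):
        raise ValueError("truncated DER: no length byte")
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long form: 0x8n, then n length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def inspect_key_file(data):
    """Classify the bytes of a would-be key file.

    Returns (ok, kind, detail); ok is True only for an unencrypted PKCS#1
    RSAPrivateKey, the structure d2i_RSAPrivateKey parses.
    """
    m = PEM_RE.search(data)
    if m is None:
        if data[:1] == b"\x30":            # raw DER: a SEQUENCE at offset 0
            return False, "der", ("raw DER rather than PEM; convert with 'openssl rsa "
                                  "-inform DER' (or 'openssl x509 -inform DER' for a cert)")
        return False, "unknown", "no PEM armour and no DER SEQUENCE at offset 0"
    label = m.group(1).decode()
    body = m.group(2)
    if label == "CERTIFICATE":
        return False, "certificate", "this file is a certificate, not a private key"
    if b"Proc-Type: 4,ENCRYPTED" in body:
        return False, "encrypted-rsa-key", ("passphrase-protected key; needs "
                                            "SSLPassPhraseDialog or 'openssl rsa' to strip it")
    lines = [ln for ln in body.splitlines() if ln and b":" not in ln]   # drop header lines
    try:
        raw = base64.b64decode(b"".join(lines), validate=True)
    except ValueError as e:                # binascii.Error subclasses ValueError
        return False, "bad-base64", "PEM body is not valid base64: %s" % e
    try:
        tag, value, end = der_tlv(raw)
        kids = der_children(value) if tag == 0x30 else []
    except ValueError as e:
        return False, "bad-der", str(e)
    if tag != 0x30:
        # Tag class sits in bits 7-6 and the constructed flag in bit 5; a
        # mismatch here is what OpenSSL reports as "bad class".
        return False, "bad-class", "outer tag 0x%02x is not a universal SEQUENCE (0x30)" % tag
    if end != len(raw):
        return False, "trailing-data", "%d bytes follow the outer SEQUENCE" % (len(raw) - end)
    if label == "PRIVATE KEY":
        return False, "pkcs8-key", ("PKCS#8 wrapper, not the PKCS#1 form "
                                    "d2i_RSAPrivateKey parses; 'openssl rsa' rewrites it")
    if label != "RSA PRIVATE KEY":
        return False, "unexpected-label", "PEM label %r is not a private key label" % label
    if len(kids) < 9 or any(t != 0x02 for t, _ in kids[:9]) or kids[0][1] != b"\x00":
        return False, "bad-rsa-structure", "RSAPrivateKey must be INTEGER 0 then eight INTEGERs"
    bits = int.from_bytes(kids[1][1], "big").bit_length()
    return True, "rsa-private-key", "PKCS#1 RSAPrivateKey, %d-bit modulus" % bits


def der_encode(tag, content):
    """Minimal DER encoder, used only to build the constructed samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def pem_wrap(label, der_bytes):
    """Armour DER bytes as PEM under the given label."""
    lab = label.encode()
    return b"-----BEGIN %s-----\n%s-----END %s-----\n" % (lab, base64.encodebytes(der_bytes), lab)


def make_sample_key_pem():
    """Constructed sample shaped like an RSAPrivateKey but with toy integers.
    It is NOT a usable key; it only exercises the checker's happy path offline."""
    ints = [b"\x00", b"\x00\xc3\x5a\x7b", b"\x01\x00\x01"] + [b"\x01"] * 6
    return pem_wrap("RSA PRIVATE KEY", der_encode(0x30, b"".join(der_encode(0x02, i) for i in ints)))


if __name__ == "__main__":
    print(inspect_key_file(make_sample_key_pem()))
    print(inspect_key_file(pem_wrap("RSA PRIVATE KEY", der_encode(0x31, der_encode(0x02, b"\x00")))))
```

Run it on the real server.key and cernew.cer by reading their bytes into inspect_key_file; once both parse, comparing 'openssl rsa -noout -modulus' against 'openssl x509 -noout -modulus' confirms the two belong together before the rename.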



RE: mod_ssl vs. Stronghold 3

2001-05-31 Thread McCaffity, Ray

Hmm.. also, is stronghold free?  The price of Apache can't be beat.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 31, 2001 12:51 PM
To: [EMAIL PROTECTED]
Subject: Re: mod_ssl vs. Stronghold 3


Believe me, it is not a very time consuming job to configure and get
Apache/OpenSSL/mod_ssl up and running. If an applications guy like me can do
it ... and there are benefits, similar to those accruing from learning to
drive a car with a standard transmission versus an automatic. As a bonus you
always end up with the latest versions of the components. Stronghold is just
a commercial repackaging - albeit a clean one - but you STILL have to
configure.  Presently I oversee an older version of Stronghold as well as
secure Apache. Neither has faltered. 

And ... in tribute to this group, the one problem I did have was related to
the lack of a /dev/random device on my o/s. That was promptly diagnosed and
a permanent fix provided by the author of prngd for which I remain grateful.

Balance about 2/3 hours of your time against the $1000+ for Stronghold. (In
Canada with our Cretin Currency, that's more like $1600 and just not
acceptable, so my decision was even easier when the second system required
configuring!) It's your time and your money, I guess, but the alternative is
not a scary one.

George



[EMAIL PROTECTED] wrote:
>
> My company is looking at going to Stronghold 3, partly because of the
> commercial aspect.  Is it possible to run mod_ssl for commercial purposes
> now?  Does anybody know if there are major differences in the way Stronghold
> 3 is set up that would prevent us from using mod_ssl instead?  Thanks in
> advance.
> 
> > BoB Woodraska
> > IB Systems Administrator
> > Precision Computer Systems
> > (605) 362-1260
> > 
> > 
--
George Walsh,
Managing Director,
Travel Seewise Pacific Corp
Vancouver Canada



Re: Netscape + ModSSL=Dead slow.

2001-05-31 Thread DAve Goodrich

Current update on this problem;

I've been sniffing the TCP stream while logging in with Netscape/PC and
Netscape/Mac. Interestingly the Mac version appears to load three objects
(images) and then wait for 18 seconds. Then load another three objects and
again wait 18 seconds. Etc etc etc.

Very strange, the PC Netscape loads the entire page in under a second.

I have also tried using Netscape/Mac with differing security levels. Using
the security tool in Netscape I have tried turning off SSLv2 or SSLv3 at the
client, including changing the requested ciphers. Any combination of the
below, on or off, makes no difference, Netscape/Mac still crawls.

RC4 encryption with a 128-bit key and an MD5 MAC
FIPS 140-1 compliant triple DES encryption and SHA-1 MAC
Triple DES encryption with a 168-bit key and a SHA-1 MAC
FIPS 140-1 compliant DES encryption and SHA-1 MAC
DES encryption with a 56-bit key and a SHA-1 MAC
RC4 encryption with a 56-bit key and a SHA-1 MAC
DES encryption in CBC mode with a 56-bit key and a SHA-1 MAC
RC4 encryption with a 40-bit key and an MD5 MAC
RC2 encryption with a 40-bit key and an MD5 MAC
No encryption with an MD5 MAC

Any clues yet? Is there anything I can do, record, reconfig, chant, to try
and find an answer for this?

  Hello?

on 5/29/01 1:22 PM, DAve Goodrich at [EMAIL PROTECTED] wrote:

> More information on this. I have dropped down to SSLv2 with no change.
> Netscape is still slow. Testing on a local LAN (100mb duplex, only my
> client), server config unchanged.
> 
> Netscape 4.75 on a Mac G4 running MacOS 9.1. A test page loads in slightly
> more than three minutes, the same page when viewed on a PC running Win2K and
> Netscape 4.75 loads in under 1/2 second.
> 
> I have ssl_engine_log files available run in  mode if
> someone would look at them. It appears, "appears", that the Mac Netscape is
> doing many things twice.
> 
> DAve
> 
> TS continues...
> 
> on 5/25/01 4:51 PM, DAve Goodrich at [EMAIL PROTECTED] wrote:
> 
>> I'll throw my hat in on this one. I also have looked high and low for an
>> answer without luck. The logs tell me nothing about what might be going
>> wrong. I did read and use the suggestions from the FAQ and Ref manual before
>> searching the list.
>> 
>> Slackware 7.0
>> Apache 1.2.13
>> mod_ssl-2.6.6-1.3.12
>> openssl-0.9.6
>> 
>> Netscape 4.7.X on a Mac literally crawls. MSIE, Mozilla, Opera have no
>> problems. Netscape on a PC seems OK as does Netscape on Unix.
>> 
>> DAve.

--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com





Re: mod_ssl vs. Stronghold 3

2001-05-31 Thread George Walsh

Believe me, it is not a very time consuming job to configure and get 
Apache/OpenSSL/mod_ssl up and running. If an applications guy like me can do it ... 
and there are benefits, similar to those accruing from learning to drive a car with a 
standard transmission versus an automatic. As a bonus you always end up with the 
latest versions of the components. Stronghold is just a commercial repackaging - albeit 
a clean one - but you STILL have to configure.  Presently I oversee an older version 
of Stronghold as well as secure Apache. Neither has faltered. 

And ... in tribute to this group, the one problem I did have was related to the lack 
of a /dev/random device on my o/s. That was promptly diagnosed and a permanent fix 
provided by the author of prngd for which I remain grateful.

Balance about 2/3 hours of your time against the $1000+ for Stronghold. (In Canada 
with our Cretin Currency, that's more like $1600 and just not acceptable, so my 
decision was even easier when the second system required configuring!) It's your time 
and your money, I guess, but the alternative is not a scary one.

George



[EMAIL PROTECTED] wrote:
>
> My company is looking at going to Stronghold 3, partly because of the commercial
> aspect.  Is it possible to run mod_ssl for commercial purposes now?  Does anybody
> know if there are major differences in the way Stronghold 3 is set up that would
> prevent us from using mod_ssl instead?  Thanks in advance.
> 
> > BoB Woodraska
> > IB Systems Administrator
> > Precision Computer Systems
> > (605) 362-1260
> > 
> > 
--
George Walsh,
Managing Director,
Travel Seewise Pacific Corp
Vancouver Canada



certificate signature failure

2001-05-31 Thread Doug . Johnson

Hi!

I have two servers: Server A and Server B. This is how they are configured:

Server A: Apache 1.3.12 mod_ssl 2.6.6 OpenSSL 0.9.5a
Server B: Apache 1.3.19 mod_ssl 2.8.3 OpenSSL 0.9.6a

Server A has a valid server.crt file, along with a server.key file that it
has been using for months. I want to restrict access to a certain directory
to allow access only to clients with a valid personal certificate, so at the
end of the SSL tags I added these lines:


Options all
SSLVerifyClient require
SSLVerifyDepth 9
Allow from all
SSLRequireSSL
SSLOptions +StrictRequire +StdEnvVars +ExportCertData


The other lines I have within the  tags are
these:

  SSLVerifyClient none
  SSLVerifyDepth 10
  SSLEnable
  DocumentRoot "/home/httpsd/html"
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /path/to/my/cert.cert
  SSLCertificateKeyFile /path/to/my/cert.key
  SSLCACertificateFile /path/to/my/ca-bundle.crt
  
SSLOptions +StdEnvVars
  
  
SSLOptions +StdEnvVars
  
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
  CustomLog /usr/local/apache/logs/ssl_request_log \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Before my SSL  tags I have these lines:

 
  SSLPassPhraseDialog builtin
  SSLLog /usr/local/apache/logs/ssl_engine_log
  SSLLogLevel warn
  SSLMutex file:/usr/local/apache/ssl_mutex
  SSLSessionCache dbm:/usr/local/apache/ssl_scache
  SSLSessionCacheTimeout 300
 

When I try to connect (using IE5) I am asked which personal certificate I'd
like to use, but then I get "Page cannot be displayed" with the following in
the error log:

[Thu May 31 08:58:52 2001] [error] mod_ssl: Re-negotiation handshake
failed: Not accepted by client!?
[Thu May 31 08:58:52 2001] [error] mod_ssl: SSL error on writing data
(OpenSSL library error follows)
[Thu May 31 08:58:52 2001] [error] OpenSSL: error:1409E0E5:SSL
routines:SSL3_WRITE_BYTES:ssl handshake failure
[Thu May 31 08:58:54 2001] [error] mod_ssl: Certificate Verification:
Error (7): certificate signature failure
[Thu May 31 08:58:54 2001] [error] mod_ssl: Re-negotiation handshake
failed: Not accepted by client!?
[Thu May 31 08:58:54 2001] [error] mod_ssl: SSL error on writing data
(OpenSSL library error follows)
[Thu May 31 08:58:54 2001] [error] OpenSSL: error:1408F071:SSL
routines:SSL3_GET_RECORD:bad mac decode [Hint: Browser still remembered
details of a re-created server certificate?]

So, I copy httpd.conf, cert.crt, cert.key and ca-bundle from Server A to
Server B. I make the necessary changes to the paths in Server B's httpd.conf
file, and BINGO! Using the same browser I connect to Server B and all of a
sudden it works fine! A dialog box appears telling me the server certificate
is not intended for use on this server (ok), I am prompted for which
personal certificate I wish to use (fine), and then my page appears
(excellent)!

Only problem is, I want it to work on Server A, not Server B!

Can anyone suggest what I may be missing? I really don't want to upgrade
apache and modssl unless I absolutely HAVE to, as I really don't want to
believe that that is where the problem lies.

All suggestions will be gratefully received!

Thanks,

Doug






__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
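An added example, not from Doug's post and not part of mod_ssl: a small Python triage script for mod_ssl 2.x error_log lines like the ones quoted above. It parses each line, unpacks the packed OpenSSL error code into its library/function/reason fields using OpenSSL's ERR_PACK layout (library in the top 8 bits, function in the next 12, reason in the low 12), and pairs the X.509 verification error (7, X509_V_ERR_CERT_SIGNATURE_FAILURE) with the renegotiation failure that follows it. The embedded log lines are copied from the post; the library-id table covers only SSL (20) and ENGINE (38), the two that appear in this digest, and grouping by timestamp as "one handshake attempt" is an assumption that is good enough for a log this sparse.

```python
"""Triage mod_ssl 2.x / Apache 1.3 error_log lines.

Added example, not from the thread or from mod_ssl.  SAMPLE_LOG is copied
from the post above; everything else is a plain stdlib parser.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
[Thu May 31 08:58:52 2001] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Thu May 31 08:58:52 2001] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Thu May 31 08:58:52 2001] [error] OpenSSL: error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
[Thu May 31 08:58:54 2001] [error] mod_ssl: Certificate Verification: Error (7): certificate signature failure
[Thu May 31 08:58:54 2001] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Thu May 31 08:58:54 2001] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Thu May 31 08:58:54 2001] [error] OpenSSL: error:1408F071:SSL routines:SSL3_GET_RECORD:bad mac decode [Hint: Browser still remembered details of a re-created server certificate?]
"""

# "[timestamp] [level] mod_ssl|OpenSSL: message"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<src>mod_ssl|OpenSSL): (?P<msg>.*)$")
# error:<8 hex digits>:<library>:<function>:<reason text>   (the [Hint: ...] tail is left out)
OSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^\[]*)")
VERIFY_RE = re.compile(r"Certificate Verification: Error \((?P<num>\d+)\): (?P<text>.*)")

# ERR_LIB_* values from OpenSSL's err.h; only the two libraries that show up in this digest
ERR_LIBS = {20: "SSL", 38: "ENGINE"}
# X509_V_ERR_* from x509_vfy.h; only the value that shows up in the post
X509_V_ERRS = {7: "X509_V_ERR_CERT_SIGNATURE_FAILURE"}


def unpack_openssl_code(code_hex):
    """ERR_PACK layout: lib in bits 24-31, function in bits 12-23, reason in bits 0-11."""
    n = int(code_hex, 16)
    return (n >> 24) & 0xFF, (n >> 12) & 0xFFF, n & 0xFFF


def parse_line(line):
    """Return a dict for one error_log line, or None if it is not a mod_ssl/OpenSSL line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "level": m["level"], "src": m["src"], "msg": m["msg"].strip()}
    om = OSSL_RE.search(rec["msg"])
    if om:
        lib, func, reason = unpack_openssl_code(om["code"])
        rec["openssl"] = {"code": om["code"].upper(),
                          "lib": ERR_LIBS.get(lib, "lib#%d" % lib),
                          "func": func, "func_name": om["func"],
                          "reason": reason, "reason_text": om["reason"].strip()}
    vm = VERIFY_RE.search(rec["msg"])
    if vm:
        num = int(vm["num"])
        rec["verify_error"] = (num, vm["text"].strip(), X509_V_ERRS.get(num, "unknown"))
    return rec


def triage(log_text):
    """Group records by timestamp (assumed: one handshake attempt per second here)
    and summarise which verification error, OpenSSL error and renegotiation
    failure belong together."""
    by_ts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ts[rec["ts"]].append(rec)
    summary = []
    for ts, recs in by_ts.items():
        entry = {"ts": ts, "verify_errors": [], "openssl_errors": [],
                 "renegotiation_failed": False}
        for r in recs:
            if "verify_error" in r:
                entry["verify_errors"].append(r["verify_error"])
            if "openssl" in r:
                entry["openssl_errors"].append(r["openssl"]["code"])
            if r["msg"].startswith("Re-negotiation handshake failed"):
                entry["renegotiation_failed"] = True
        summary.append(entry)
    return summary


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```

Run on the log above it yields two entries: the first attempt fails with 1409E0E5 (SSL lib, function 158 = SSL3_WRITE_BYTES, reason 229 = ssl handshake failure) and no verification error, the second attempt records X509 error 7 on the client certificate before the same renegotiation failure and a bad-MAC record error. That pairing is what tells you the client chain is being rejected by Server A's verification, rather than the client simply refusing to renegotiate.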



RE: mod_ssl vs. Stronghold 3

2001-05-31 Thread David.Marshall

I'm using stronghold. Besides providing ssl, it provides useful utilities
like certificate/key creation and submission to a ca. It also came with
binaries; I'm so busy that I don't have time to configure and build
apache. In addition, stronghold was supported by my other APACHE DSO vendors
that I'm integrating with.

To switch from stronghold to mod_ssl would require another install of apache
and mod-ssl, then you would migrate the http content settings from your
stronghold httpd.conf to your apache/mod_ssl httpd.conf.

I do not know if there would be any impact on your certificates. I'm sure
that you could reuse them, I just haven't done it.

David Marshall

-Original Message-
From: Woodraska, Robert J. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 31, 2001 8:44 AM
To: '[EMAIL PROTECTED]'
Subject: mod_ssl vs. Stronghold 3


My company is looking at going to Stronghold 3, partly because of the
commercial aspect.  Is it possible to run mod_ssl for commercial purposes
now?  Does anybody know if there are major differences in the way Stronghold
3 is set up that would prevent us from using mod_ssl instead?  Thanks in
advance.

> BoB Woodraska
> IB Systems Administrator
> Precision Computer Systems
> (605) 362-1260
> 
> 



RE: cannot connect to remote secure server

2001-05-31 Thread McCaffity, Ray

I think it's supposed to work this way.
When you created the certificate, did you create it
using the DNS name of your website or your IP?


-Original Message-
From: Emma Wermström (EMW) [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 31, 2001 9:35 AM
To: '[EMAIL PROTECTED]'
Subject: cannot connect to remote secure server


Hi!

RedHat Linux7.1
Apache1.3.19
Perl 5.005
mod_perl
embperl
mod_ssl and openssl (precompiled from RedHat)

I've tried to set up a secure server for my web site and I thought I had
succeeded. The entire site is "secure". I've made the server listen only on
port 443. Other than that I've basically not made any modifications from my
non-secure server (which obviously no longer exists).
However, when I try to access the server from a remote machine over the
intranet (using only https://ipadress), I can't connect any longer. With
http://ipadress it worked fine.
Yes, my remote browser has SSL enabled. I'm not getting anywhere.

Has anyone else experienced this?

Thanks,

Emma



Re: "ERR_load_RSAREF_strings"?

2001-05-31 Thread Marcel Erkens

hrrmmm... but I got it working now :)  to rebuild or not to rebuild? that's
the question.   I may just wait until apache 1.3.21 comes around.. REALLY
want to get done with this project, you know :)


-
(SYSERR0599) Press any key to continue or any other key to quit...
- Original Message -
From: Mads Toftum <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 31, 2001 10:38 AM
Subject: Re: "ERR_load_RSAREF_strings"?


> On Thu, May 31, 2001 at 08:54:59AM -0500, Marcel Erkens wrote:
> >
> > It's apache 1.3.20/modssl 2.8.4/openssl 0.9.6a/rsaref-2.0.
> >
> You shouldn't be using RSAREF - exclude that and you'll be fine.
> The "patent issues" have not been a problem since September
> last year.
>
> vh
>
> Mads Toftum
> --
> `Darn it, who spiked my coffee with water?!' - lwall
>




"ERR_load_RSAREF_strings" - UPDATE

2001-05-31 Thread Marcel Erkens

Just thought I'd share the fix I found on a devshed forum :)

Apparently the mod_ssl Makefile was missing something that causes this error
to occur.

I added "-lRSAglue -L/pathto/rsaref-2.0/local/ -lrsaref" (no quotes) to the
SSL_LIBS= line in apache_1.3.20/src/modules/ssl, ran make, make install
and things work!

Time to remove another project off my ever growing to-do list!
Have a good one!
Marcel

-
(SYSERR0599) Press any key to continue or any other key to quit...
- Original Message -
From: Marcel Erkens <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 31, 2001 8:54 AM
Subject: "ERR_load_RSAREF_strings"?


> Hi!
>
> Does anybody have any idea what causes this error and what to do to fix
it?
>
> Syntax error on line 206 of /etc/httpd/httpd.conf:
> Cannot load /usr/lib/apache/libssl.so into server:
> /usr/lib/apache/libssl.so: undefined symbol: ERR_load_RSAREF_strings
>
> 
> LoadModule ssl_module  /usr/lib/apache/libssl.so  <- you guessed it: 206
> 
>
> It's apache 1.3.20/modssl 2.8.4/openssl 0.9.6a/rsaref-2.0.
>
> Thanks!
> Marcel
>
> -
> (SYSERR0599) Press any key to continue or any other key to quit...
>




Re: cannot connect to remote secure server

2001-05-31 Thread Owen Boyle

Emma Wermström (EMW) wrote:
> I've tried to set up a secure server for my web site and I thought I had succeeded. 
> The entire site is "secure". I've made the server listen only on port 443.

I wouldn't worry too much - it sounds like you *did* succeed. 

Remember you have to separate SSL and non-SSL content - do you still
have a non-SSL virtualhost defined? Your basic config should be:

Listen 80

  DocumentRoot /path/to/plain/HTTP/content
  ...
 

Listen 443

  DocumentRoot /path/to/SSL/content
  ...
 

Rgds,

Owen Boyle.



Re: "ERR_load_RSAREF_strings"?

2001-05-31 Thread Mads Toftum

On Thu, May 31, 2001 at 08:54:59AM -0500, Marcel Erkens wrote:
> 
> It's apache 1.3.20/modssl 2.8.4/openssl 0.9.6a/rsaref-2.0.
> 
You shouldn't be using RSAREF - exclude that and you'll be fine.
The "patent issues" have not been a problem since September
last year.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




mod_ssl vs. Stronghold 3

2001-05-31 Thread Woodraska, Robert J.

My company is looking at going to Stronghold 3, partly because of the commercial 
aspect.  Is it possible to run mod_ssl for commercial purposes now?  Does anybody know 
if there are major differences in the way Stronghold 3 is set up that would prevent us 
from using mod_ssl instead?  Thanks in advance.

> BoB Woodraska
> IB Systems Administrator
> Precision Computer Systems
> (605) 362-1260
> 
> 



cannot connect to remote secure server

2001-05-31 Thread Emma Wermström (EMW)

Hi!

RedHat Linux7.1
Apache1.3.19
Perl 5.005
mod_perl
embperl
mod_ssl and openssl (precompiled from RedHat)

I've tried to set up a secure server for my web site and I thought I had succeeded. 
The entire site is "secure". I've made the server listen only on port 443. Other than 
that I've basically not made any modifications from my non-secure server (which 
obviously no longer exists).
However, when I try to access the server from a remote machine over the intranet 
(using only https://ipadress), I can't connect any longer. With http://ipadress it 
worked fine.
Yes, my remote browser has SSL enabled. I'm not getting anywhere.

Has anyone else experienced this?

Thanks,

Emma



cisco 11155 load balancer problems

2001-05-31 Thread Frumious Bandersnatch

I'm having trouble with load-balancing on a cisco content switch.

The details are that I've got two servers running Apache 1.3.19 / 
mod_ssl/2.8.1 OpenSSL/0.9.6 and a cisco 11155 content switch (formerly 
known as an Arrowpoint) set up to load balance between them, and I'm 
browsing with MS Internet Explorer 5.5

I've got the switch set to use cookie-based balancing for HTTP. This 
works great.

The switch is set to use the SSL session ID for HTTPS balancing. This 
doesn't work so well. Most of the time it works, but every once in a 
while, I get moved to the other server and my application breaks (since 
the state data is on the first server). Watching the logs and the switch 
itself confirms that I'm bouncing between them.

I reported the problem to Cisco, and they suggested updating to a recent 
version of Apache, claiming that older versions regenerated the session 
ID too often and upgrading would fix this, but it seems that I've got 
fairly current versions and none of the mod_ssl changelogs mention this 
where I could find it. Perhaps they meant apache-ssl instead (I'm still 
trying to clarify this with them).

While doing google searches to research the problem, I found a similar 
problem reported that laid the blame on IE 5 (which I'm also using), 
claiming that it resets the SSL connection every 90 seconds as part of 
an attempt to make IIS show up better in benchmarks.

Does anyone have any idea what's really going on, or if either of the 
above statements are true?

I'm using a fairly standard httpd.conf file, but I set SSLProtocol to 
+SSLv3 since the load balancer only supports that version. The 
ssl-unclean-shutdown and downgrade-1.0 settings for MSIE are still at 
their default values.


-- [EMAIL PROTECTED] 






Re: Sun Crypto Accelerator Board?

2001-05-31 Thread Geoff Thorpe

Hi there,

On Thu, 31 May 2001, James Bromberger wrote:

> > > I built 0.9.6a-engine under Solaris 8 and have the hardware device configured.
> > > Sun ships a library called "libswift.so" (a link to "libswift.so.5.2.2"),
> > > along with libraries for Netscape Server (swiftns351.so, swiftns351.so.1) and
> > > iPlanet (cryptoki.jar, libcryptoki22.so).
> > > 
> 
> > > > 4189:error:26067072:engine routines:CSWIFT_MOD_EXP_CRT:request 
> > > > failed:hw_cswift.c:524:CryptoSwift error number is -10004
> > > > 1 1024 bit private RSA's in 0.90s
> > > > Doing 1024 bit public rsa's for 10s: RSA verify failure
> > > > 4189:error:26066072:engine routines:CSWIFT_MOD_EXP:request 
> > > > failed:hw_cswift.c:413:CryptoSwift error number is -10004
> > > > 1 1024 bit public RSA's in 0.71s
> 
> 
> The above errors were with the engine "cswift". The following is the output
> from the speed test without the engine, which completed with no error messages
> being displayed (which is why I chomped it first time around; see below for a
> complete output).

Yep - it's just that, as you can see from that output, only 1 private RSA
operation took place (and that was probably the one that failed too so in fact
no successful operations took place). Hence the stats really can be disregarded
- something is failing more fundamentally. [NB: See below, as I worked through
your mail, I started to wonder if in fact this was the case]

> The second output is re-run and quoted in full below:
> 
> > # ./openssl speed rsa1024
> > Doing 1024 bit private rsa's for 10s: 349 1024 bit private RSA's in 10.20s
> > Doing 1024 bit public rsa's for 10s: 6402 1024 bit public RSA's in 10.00s
> > OpenSSL 0.9.6a [engine] 5 Apr 2001
> > built on: Wed May 30 12:44:49 WST 2001
> > options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) 
>blowfish(ptr) 
> > compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H 
>-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -> DB_ENDIAN -DBN_DIV2W -DULTRASPARC 
>-DMD5_ASM
> >   signverifysign/s verify/s
> > rsa 1024 bits   0.0287s   0.0016s 34.8640.2

Weird, something is screwy in your version of speed ... the tests do run
(successfully) for 10s, and the sign/s and verify/s stats are right, but the
timings for sign/verify are wrong (should be 10.20s and 10.00s, not 0.0***).
That reminds me, the BIGNUM performance of the software implementation on sparc
is *lame* ... any sparc assembly wizards out there?

> > Yes, for the "openssl ***" commands (such as speed, s_client, etc), you use the
> > "-engine " switch to specify an engine. There is also an "openssl engine"
> > command for listing (and if you want, testing) the engines available. 
> 
> I tried the "engine" option to get a listing:
> 
> > # ./openssl engine
> > openssl:Error: 'engine' is an invalid command.

Ah ... maybe it's not in your version of OpenSSL. Sorry.

> If you specify -engine with no engine specified, it says just as much... "no
> engine given".

Yeah, you need to specify "-engine ", ie. in your case; "-engine cswift"

> > I'd
> > recommend playing with that until you can see that openssl-based apps are using
> > your card OK, and only then start worrying about "speed" (which is obviously
> > less help in testing that the hardware is working).
> 
> Speed isn't really what I want; using the card is. The OpenSSL speed test was
> just a way of trying to determine if the lower layer in the whole Apache +
> mod_ssl + OpenSSL + crypto card are working. 

Yeah ... FYI: Even once this is up and running, you'll probably still find
"speed" purporting errors because sparcs + cswift (IIRC) bail out of any
in-progress operations with an error when a timer interrupt arrives (which is
how speed works). However, you'd still see hundreds of operations succeeding
before that failure - right now you are seeing nothing really. At least that's
what it seems...

Try running s_server with the engine, eg.
   openssl s_server -accept 9001 -cert <cert.pem> -CAfile <cacert.pem> \
   -engine cswift -www

where "cert.pem" and "cacert.pem" would be changed to refer to the server cert
and the CA cert of your modssl installation. If the private key is stored
outside the cert file, you'll need to add "-key " as well.

Then you should be able to hit it with a browser (https://localhost:9001/) or
s_client if you want more info;

   openssl s_client -connect localhost:9001 -CAfile <cacert.pem>
  (then type "GET /" followed by [ENTER])

> > For other applications (eg. mod_ssl, Apache-SSL, mail-server embellishments,
> > etc) you'll have to see what support, if any, they have for doing the same
> > thing. OpenSSL has to be instructed to use a given ENGINE - and it's possible to
> > have multiple ENGINEs in use at the same time for different roles and/or keys,
> > so it's not sufficient for openssl to just try and "pick" an ENGINE par default.
> > (Also, given it's generally *other* applications using the openssl libraries,
> > it's not a good idea to ta

RE: https - port problem

2001-05-31 Thread zze-BOGATIRSKY Jeremy apprenti FTRD/DMI/LAN

Thank you very much, Ray. It seems to be that.

Jeremy

-Original Message-
From: McCaffity, Ray [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 31, 2001 15:13
To: '[EMAIL PROTECTED]'
Subject: RE: https - port problem


I had to add suexec to get around this.  I created another
user and group (like www and www) and run Apache as this user.
(edit your httpd.conf, change from "nobody") also compile in
a suexec user.  If you've done it successfully, when you do a
httpd -l, you'll see a line that says "suexec wrapper created successfully".
Then chown all of the cgi-bin files to this user.

-Original Message-
From: zze-BOGATIRSKY Jeremy apprenti FTRD/DMI/LAN
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 31, 2001 4:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: https - port problem


Hi everyone,

I have just installed an Apache server with SSL.
It works, but I can only read my html pages; I can't access my cgi
scripts in /usr/local/apache/cgi-bin.
My browser says: "You don't have the permission to access /cgi-bin".
Maybe this problem comes from the SSL configuration in the httpd.conf.

Does someone know if there is something in particular to change?
I only changed the Port and Listen directives in the httpd.conf.

Configuration :
Red Hat 6.2
Apache 1.3.20
OpenSSL 0.9.6a
ModSSL 2.8.4-1.3.20

Thanks...:)



"ERR_load_RSAREF_strings"?

2001-05-31 Thread Marcel Erkens

Hi!

Does anybody have any idea what causes this error and what to do to fix it?

Syntax error on line 206 of /etc/httpd/httpd.conf:
Cannot load /usr/lib/apache/libssl.so into server:
/usr/lib/apache/libssl.so: undefined symbol: ERR_load_RSAREF_strings


LoadModule ssl_module  /usr/lib/apache/libssl.so  <- you guessed it: 206


It's apache 1.3.20/modssl 2.8.4/openssl 0.9.6a/rsaref-2.0.

Thanks!
Marcel

-
(SYSERR0599) Press any key to continue or any other key to quit...




RE: https - port problem

2001-05-31 Thread McCaffity, Ray

I had to add suexec to get around this.  I created another
user and group (like www and www) and run Apache as this user.
(edit your httpd.conf, change from "nobody") also compile in
a suexec user.  If you've done it successfully, when you do a
httpd -l, you'll see a line that says "suexec wrapper created successfully".
Then chown all of the cgi-bin files to this user.

-Original Message-
From: zze-BOGATIRSKY Jeremy apprenti FTRD/DMI/LAN
[mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 31, 2001 4:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: https - port problem


Hi everyone,

I have just installed an Apache server with SSL.
It works, but I can only read my html pages; I can't access my cgi
scripts in /usr/local/apache/cgi-bin.
My browser says: "You don't have the permission to access /cgi-bin".
Maybe this problem comes from the SSL configuration in the httpd.conf.

Does someone know if there is something in particular to change?
I only changed the Port and Listen directives in the httpd.conf.

Configuration :
Red Hat 6.2
Apache 1.3.20
OpenSSL 0.9.6a
ModSSL 2.8.4-1.3.20

Thanks...:)



RE: Invalid command 'SSLRequireSSL'

2001-05-31 Thread McCaffity, Ray

Are you using mod_ssl as static or dynamic module?

> >> --enable-shared=ssl

I don't believe you want this, if...

> >> --enable-module=ssl \

You are doing this.  I notice you have this line
in both your mod_ssl and your apache ./configure

Try it without this line.

-Original Message-
From: Firas [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 30, 2001 7:15 PM
To: [EMAIL PROTECTED]
Subject: Re: Invalid command 'SSLRequireSSL'


Thanks for the advice Tobias,

unfortunately that didn't work either.
Something is seriously broken with mod_ssl, I just don't know what,
and how to fix it.


- Original Message -
From: "]R[Target" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 30, 2001 12:01 PM
Subject: Re: Invalid command 'SSLRequireSSL'


> Hiho there...
>
> I got the same error inside the httpd.conf file so i tried SSLRequire
> inside a .htaccess file in the directory to be secured...that worked..
>
> Hope that helps...
>
> - tobias
>
> > Hi Thierry ,
> >
> >  Unfortunately I get the same kind of error :
> >
> > Invalid command 'SSLRequire', perhaps mis-spelled or defined by a
> > module not included in the server configuration
> >
> > Something is obviously broken here, but if mod_ssl wasn't working at
> > all then I shouldn't be able to access the secure server at all right ?
> >
> > - Firas
> > - Original Message -
> > From: "BERWART Thierry" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, May 30, 2001 7:46 AM
> > Subject: RE: Invalid command 'SSLRequireSSL'
> >
> >
> >>
> >> Hello,
> >>
> >>  The "SSLRequireSSL" command doesn't exist!!
> >>
> >>   try :
> >>
> >> 
> >>SSLRequire true
> >> 
> >>
> >>
> >> Thierry
> >>
> >> -Original Message-
> >> From: Firas [mailto:[EMAIL PROTECTED]]
> >> Sent: Wednesday, May 30, 2001 12:00
> >> To: [EMAIL PROTECTED]
> >> Subject: Invalid command 'SSLRequireSSL'
> >>
> >>
> >> Hi everyone,
> >>
> >> I'm trying to use SSLRequireSSL to protect a directory but I keep
> >> getting
> >> the following error on apachectl configtest :
> >>
> >> Syntax error on line 1267 of /usr/local/apache/conf/httpd.conf:
> >> Invalid command 'SSLRequireSSL', perhaps mis-spelled or defined by a
> >> module
> >> not included in the server configuration
> >>
> >> These are the lines that I added, they're in the main server
> >> configuration :
> >>
> >> 
> >> SSLRequireSSL
> >> 
> >>
> >> SSL is working fine on the server, I can connect to
> >> https://myserver.com ,
> >> but SSLRequireSSL doesn't seem to be working for some strange reason.
> >> mod_ssl-2.8.2-1.3.19 was configured as follows :
> >>  ./configure --with-apache=../apache_1.3.20 \
> >> --with-ssl \
> >> --enable-shared=ssl
> >>
> >> and apache_1.3.20  :
> >> SSL_BASE=../openssl-0.9.6a \
> >> ./configure \
> >> --enable-module=ssl \
> >> --activate-module=src/modules/php4/libphp4.a \
> >> --enable-module=php4 \
> >> --prefix=/usr/local/apache \
> >> --enable-shared=ssl \
> >> --add-module=src/modules/standard/mod_auth_db.c \
> >> --activate-module=src/modules/perl/libperl.a \
> >> --enable-module=perl \
> >> --add-module=src/modules/standard/mod_auth_dbm.c \
> >> --enable-module=so
> >>
> >> Can anyone help out ?
> >>
> >> Thanks in advance,
> >> Firas
> >>
> >>
> >>
> >>
> >>
> >>
> >>
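An added example, not from this thread and not part of Apache or mod_ssl: a small Python linter that takes the output of `httpd -l` plus an httpd.conf and reports the two ways an SSL* directive can go wrong when mod_ssl is not actually active. A bare directive (like Firas's SSLRequireSSL in a Directory block) fails at configtest with "Invalid command"; the same directive inside an <IfModule mod_ssl.c> block is skipped silently, which is worse because the directory is then served without the protection you think it has. It also flags the build combination Ray points at, mod_ssl compiled in statically and also loaded as a DSO. The sample `httpd -l` outputs and the config fragment are constructed; Apache 1.3's ClearModuleList/AddModule ordering is not modelled.

```python
"""Lint SSL* directives in an Apache 1.3 httpd.conf against the modules that
are actually active.  Added example; all sample inputs below are constructed."""
import re

# constructed 'httpd -l' outputs: one build with mod_ssl linked in statically, one without
HTTPD_L_WITH_SSL = """\
Compiled-in modules:
  http_core.c
  mod_so.c
  mod_ssl.c
"""
HTTPD_L_WITHOUT_SSL = """\
Compiled-in modules:
  http_core.c
  mod_so.c
"""

# constructed httpd.conf fragment: one guarded block and one bare SSLRequireSSL
CONF_NO_LOADMODULE = """\
<IfModule mod_ssl.c>
  SSLEngine on
</IfModule>
<Directory "/usr/local/apache/htdocs/secure">
  SSLRequireSSL
</Directory>
"""
# same fragment, but mod_ssl is loaded as a DSO first (path is a placeholder)
CONF_WITH_LOADMODULE = "LoadModule ssl_module libexec/libssl.so\n" + CONF_NO_LOADMODULE

SSL_DIRECTIVE_RE = re.compile(r"^\s*(SSL[A-Za-z]+)\b")
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.I)
IFMODULE_OPEN_RE = re.compile(r"^\s*<IfModule\s+(!?)([^\s>]+)\s*>", re.I)
IFMODULE_CLOSE_RE = re.compile(r"^\s*</IfModule\s*>", re.I)

INVALID = "invalid command: mod_ssl is neither compiled in nor loaded"
SKIPPED = "silently skipped: inside <IfModule mod_ssl.c> but mod_ssl is not active"
DOUBLE = "ssl_module is compiled in statically and also loaded as a DSO"


def compiled_in_modules(httpd_l_output):
    """Set of module source names ('mod_ssl.c', ...) from 'httpd -l' output."""
    return {ln.strip() for ln in httpd_l_output.splitlines() if ln.strip().endswith(".c")}


def lint_ssl_directives(conf_text, compiled_mods):
    """Return [(lineno, directive_or_module, problem), ...] in file order."""
    lines = conf_text.splitlines()
    findings = []

    # is ssl_module made active by a LoadModule line?  (last one wins, as in Apache)
    loaded_at = None
    for lineno, ln in enumerate(lines, 1):
        m = LOADMODULE_RE.match(ln)
        if m and m.group(1) == "ssl_module":
            loaded_at = lineno
    static = "mod_ssl.c" in compiled_mods
    if static and loaded_at is not None:
        findings.append((loaded_at, "ssl_module", DOUBLE))
    ssl_active = static or loaded_at is not None

    # walk the file, tracking the <IfModule> nesting so we know what is guarded
    guard = []  # stack of (module, negated)
    for lineno, ln in enumerate(lines, 1):
        m = IFMODULE_OPEN_RE.match(ln)
        if m:
            guard.append((m.group(2), m.group(1) == "!"))
            continue
        if IFMODULE_CLOSE_RE.match(ln):
            if guard:
                guard.pop()
            continue
        d = SSL_DIRECTIVE_RE.match(ln)
        if not d or ssl_active:
            continue
        guarded = any(mod == "mod_ssl.c" and not neg for mod, neg in guard)
        findings.append((lineno, d.group(1), SKIPPED if guarded else INVALID))
    return findings


if __name__ == "__main__":
    for name, conf, mods in [("no ssl, no LoadModule", CONF_NO_LOADMODULE, HTTPD_L_WITHOUT_SSL),
                             ("static ssl + LoadModule", CONF_WITH_LOADMODULE, HTTPD_L_WITH_SSL)]:
        print(name)
        for finding in lint_ssl_directives(conf, compiled_in_modules(mods)):
            print("  line %d: %s: %s" % finding)
```

With neither a static mod_ssl nor a LoadModule line, the run reports line 2 (SSLEngine) as silently skipped and line 5 (SSLRequireSSL) as an invalid command, which matches the configtest error quoted in the thread; with a static build plus LoadModule it reports only the double activation on line 1.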

RE: https - port problem

2001-05-31 Thread zze-BOGATIRSKY Jeremy apprenti FTRD/DMI/LAN

Hi everyone,

I have just installed an Apache server with SSL.
It works, but I can only read my html pages; I can't access my cgi
scripts in /usr/local/apache/cgi-bin.
My browser says: "You don't have the permission to access /cgi-bin".
Maybe this problem comes from the SSL configuration in the httpd.conf.

Does someone know if there is something in particular to change?
I only changed the Port and Listen directives in the httpd.conf.

Configuration :
Red Hat 6.2
Apache 1.3.20
OpenSSL 0.9.6a
ModSSL 2.8.4-1.3.20

Thanks...:)



https - port problem

2001-05-31 Thread Patrik Renout

Hi everybody,

Configuration:
Windows NT 4.0, SP6a
Opensa 0.20
Apache 1.3.12
OpenSSL 0.9.5

I have created 2 Virtual Hosts on my Apache Server; both of them are working
with SSL.
One host is on port 443 and the other on port 444.

Everything works perfectly when I try to load each site in a different browser, but
when I try to go from one to the other with the same browser (instance), I
get this "Doctor Watson" error:

"The application, , generated an application error The error occurred on
5/29/2001 @  9: 0:52.750 The exception generated was c005 at address
009d8760 ()"

If somebody can help...

I've included the virtual host config from http.conf below.

Best Regards


  DocumentRoot "d:/programs/apachegroup/apache/htdocs/server1"
  ServerName localhost
  ServerAdmin webmaster@localhost
  ErrorLog logs/ssl/error.log
  TransferLog logs/ssl/access.log

  SSLEngine on

  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

  SSLCertificateFile "d:/programs/apachegroup/apache/conf/ssl.crt/server1.crt"
  SSLCertificateKeyFile "d:/programs/apachegroup/apache/conf/ssl.key/server1.key"

  SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
  
SSLOptions +StdEnvVars
  

  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

  CustomLog logs/ssl/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"




  DocumentRoot "d:/programs/apachegroup/apache/htdocs/webxml/server2"
  ServerName localhost
  ServerAdmin webmaster@localhost
  ErrorLog logs/ssl/error.log
  TransferLog logs/ssl/access.log

  SSLEngine on

  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

  SSLCertificateFile "d:/programs/apachegroup/apache/conf/ssl.crt/server2.crt"
  SSLCertificateKeyFile "d:/programs/apachegroup/apache/conf/ssl.key/server2.key"

  SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
  
SSLOptions +StdEnvVars
  

  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

  CustomLog logs/ssl/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"






Re: Sun Crypto Accelerator Board?

2001-05-31 Thread James Bromberger


Ta Geoff,

I'll try to fill in the answers below...


On Wed, 30 May 2001, Geoff Thorpe wrote:
> On Wed, 30 May 2001, James Bromberger wrote:


> > I built 0.9.6a-engine under Solaris 8 and have the hardware device configured.
> > Sun ships a library called "libswift.so" (a link to "libswift.so.5.2.2"),
> > along with libraries for Netscape Server (swiftns351.so, swiftns351.so.1) and
> > iPlanet (cryptoki.jar, libcryptoki22.so).
> > 

> > > 4189:error:26067072:engine routines:CSWIFT_MOD_EXP_CRT:request 
> > > failed:hw_cswift.c:524:CryptoSwift error number is -10004
> > > 1 1024 bit private RSA's in 0.90s
> > > Doing 1024 bit public rsa's for 10s: RSA verify failure
> > > 4189:error:26066072:engine routines:CSWIFT_MOD_EXP:request 
> > > failed:hw_cswift.c:413:CryptoSwift error number is -10004
> > > 1 1024 bit public RSA's in 0.71s


The above errors were with the engine "cswift". The following is the output from the 
speed test without the engine, which completed with no error messages being displayed 
(which is why I chomped it first time around; see below for a complete output).

> > Compared to without trying to use the cswift:
> > >   signverifysign/s verify/s
> > > rsa 1024 bits   0.0287s   0.0016s 34.9642.1
> > 
> 
> Actually, the output you quoted showed errors in first operation (for both
> signing and verifying). So the stats can effectively be disregarded. As you
> quote a second set of stats (without its preceding output) it's difficult to
> know whether that failed also - I think it probably did because normally the
> sign/verify times are close to 10.000 s, not 0.0*** s! Please check your error
> output and run any diagnostics that go with your card+drivers to check the card
> and support software is working OK.


The second output is re-run and quoted in full below:

> # ./openssl speed rsa1024
> Doing 1024 bit private rsa's for 10s: 349 1024 bit private RSA's in 10.20s
> Doing 1024 bit public rsa's for 10s: 6402 1024 bit public RSA's in 10.00s
> OpenSSL 0.9.6a [engine] 5 Apr 2001
> built on: Wed May 30 12:44:49 WST 2001
> options:bn(64,32) md2(int) rc4(ptr,char) des(idx,cisc,16,long) idea(int) 
>blowfish(ptr) 
> compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H 
>-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -> DB_ENDIAN -DBN_DIV2W -DULTRASPARC 
>-DMD5_ASM
>   signverifysign/s verify/s
> rsa 1024 bits   0.0287s   0.0016s 34.8640.2




> Yes, for the "openssl ***" commands (such as speed, s_client, etc), you use the
> "-engine " switch to specify an engine. There is also an "openssl engine"
> command for listing (and if you want, testing) the engines available. 

I tried the "engine" option to get a listing:

> # ./openssl engine
> openssl:Error: 'engine' is an invalid command.
> 
> Standard commands
> 

If you specify -engine with no engine specified, it says just as much... "no engine 
given".


> I'd
> recommend playing with that until you can see that openssl-based apps are using
> your card OK, and only then start worrying about "speed" (which is obviously
> less help in testing that the hardware is working).


Speed isn't really what I want; using the card is. The OpenSSL speed test was just a 
way of trying to determine if the lower layer in the whole Apache + mod_ssl + OpenSSL 
+ crypto card are working. 

> For other applications (eg. mod_ssl, Apache-SSL, mail-server embellishments,
> etc) you'll have to see what support, if any, they have for doing the same
> thing. OpenSSL has to be instructed to use a given ENGINE - and it's possible to
> have multiple ENGINEs in use at the same time for different roles and/or keys,
> so it's not sufficient for openssl to just try and "pick" an ENGINE par default.
> (Also, given it's generally *other* applications using the openssl libraries,
> it's not a good idea to take control away from the application developer of such
> things.)


Eeek. I haven't seen anything for mod_ssl to use a specific ENGINE; can someone please 
point me to some doco on this?


> > Interestingly, http://morpheus.dcs.it.mtu.edu/~tcpiket/cryptocard/ claims
> > success compiling OpenSSL with the Sun board with "Configure
> > solaris-sparcv8-cc -L/usr/local/lib threads shared -ldl", and while I have
> > gcc, I tried solaris-sparcv9-gcc instead, but this failed (ld doesn't like the
> > options generated). I rebuild OpenSSL with the -ldl option to "config", and
> > retested, using both an LD_LIBRARY_PATH that included the directory containing
> > the Sun supplied "libswift.so", and then with LD_PRELOAD for the exact
> > library, but with no joy.
> 
> OK. Please try going through it again, but first running any tests you have to
> ensure your hardware and support software is functioning as expected. 

Well, I have the "cstest" binary that Sun ships, which probes the card and reports its 
state. It reports the number of interrupts attempted & serviced and the number of 
requests attempted &