problem with SSL installation??
Hello everyone,

I want the Apache server to listen only on port 443 (i.e. https) and not on port 80 (www request), i.e. the Apache server should serve only SSL requests by not acting as a virtual host.

I followed the instructions given in http://www.modssl.org/example/ and I have installed with a few changes, like:

1) After performing step 3 I removed all the AddModule statements from the apache_1.3.20/src/Configuration file.

I resumed all the remaining steps given. In modules.c I still see other modules specified. How can I overcome it??? Idea??

In order to overcome other modules being specified, I manually edited modules.c (though strictly prohibited) and removed all modules except ssl_module, then performed the steps

1) make
2) make certificate
3) make install

There was no error reported, so I am very happy. Damn, it's a failure!! I am getting the following error on starting Apache with SSL:

$./apachectl startssl
Syntax error on line 52 of /home/gkgodava/testapache/conf/httpd.conf:
Invalid command 'ServerType', perhaps mis-spelled or defined by a module not included in the server configuration
/home/gkgodava/testapache/bin/apachectl startssl: httpd could not be started

Line 52 happens to be ServerType, which is standalone (no spelling mistake).

Reason?? I do not know what the core modules necessary for the basic working of Apache are. If anyone knows, please let me know.

Thanks a lot,
ganesh

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: Reverse Proxy SSL
#3. People who have done it are too busy to reply.

I've done it before to get mod_gzip working under mod_ssl. Unfortunately, I don't have a sample config handy. Search the mod_gzip archives and you should find your answer.

-Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roy Preece
Sent: Wednesday, July 11, 2001 4:52 AM
To: [EMAIL PROTECTED]
Subject: Reverse Proxy SSL

OK, from the lack of response to my previous email (SSLClient Browser <--> Apache Proxypassreverse <--> https://192.168.xxx.xxx) I can deduce one of two cases is true.

1. Nobody has successfully achieved a reverse proxy of SSL in the way I am describing, (Hard to believe) or...
2. You are really sick of this question. (Sorry)

If you chose 2, I have read through all of the mail archives on this list and others with regard to reverse proxying https. The most popular config seems to be to run SSL between the browser and the proxy server and then plain old http between the proxy server and the backend private servers. However, I want the client browser to use a cert to authenticate directly on the back end server on a private network, therefore I just want the reverse proxy to pass the encrypted traffic back and forth.

Is this possible..How? Tips and pointers greatly appreciated.

TIA,
Roy Preece
SSL Authentication Issues
Let me propose the following hypothetical situation. I am running an apache/mod_ssl server (or any other server for that matter) with a secure directory that requires client authentication. Two types of clients access this directory. There is a group of clients that only trust Verisign as a CA, and a group that only trusts Thawte as a CA. I have certificates signed by both CAs.

Is there a way to set my server up so that it can send the correct certificate to every client? I believe the answer is no, but I thought I would check just in case. Perhaps there exists some sort of workaround.

Thanks.
Chompsky
Reverse Proxy SSL
OK, from the lack of response to my previous email (SSLClient Browser <--> Apache Proxypassreverse <--> https://192.168.xxx.xxx) I can deduce one of two cases is true.

1. Nobody has successfully achieved a reverse proxy of SSL in the way I am describing, (Hard to believe) or...
2. You are really sick of this question. (Sorry)

If you chose 2, I have read through all of the mail archives on this list and others with regard to reverse proxying https. The most popular config seems to be to run SSL between the browser and the proxy server and then plain old http between the proxy server and the backend private servers. However, I want the client browser to use a cert to authenticate directly on the back end server on a private network, therefore I just want the reverse proxy to pass the encrypted traffic back and forth.

Is this possible..How? Tips and pointers greatly appreciated.

TIA,
Roy Preece
Re: Apache don't start with SSL
Mads Toftum wrote:
>
> SSL_BASE should point to /usr/local/ssl - not to the openssl binary.
>

Ohhh! I've solved it with your help. Thanks a lot.

Joachim
Re: Does this CA process make sense?
On Tue, Jul 10, 2001 at 06:12:09PM -0400, Dan Langille wrote:
...
> I imported iestuff.p12 into my MSIE browser and select that certificate
> when prompted by the browser.
>
> I then used the following SSL related values in my SSL vhost:
>
> SSLEngine on
> SSLCertificateFile /home/dan/CA/demoCA/cacert.pem
> SSLCertificateKeyFile /home/dan/CA/demoCA/private/cakey.key
>
> SSLCACertificatePath /home/dan/CA/demoCA/
> SSLCACertificateFile /home/dan/CA/demoCA/cacert.pem
>
>
> SSLVerifyClient require
> SSLVerifyDepth 1
>
>
> Note that I'm using the CA certificate and key for the SSL and the
> SSLCA information. Does that make sense? I tried this:
>
> SSLCACertificatePath /home/dan/CA/
> SSLCACertificateFile /home/dan/CA/newcert.pem
>
> But if I use that combination, my browser certificate is not listed in the
> "Client Authentication" dialog box presented by the browser when I go
> to /securelocation.
>
> Why? What have I misunderstood?

You should use three distinct certificates (and corresponding private keys):
* The CA certificate. You already have one, use it with SSLCACertificateFile
* The server's certificate. You don't have one by now. Create a new one signed
  from your CA. Issue it for CommonName (CN) being the FQDN (fully qualified
  domain name) of your server:
  Use it with
    mv newkey.pem server_key.pem
    mv newcert.pem server_cert.pem
    SSLCertificateFile /path/to/server_cert.pem
    SSLCertificateKeyFile /path/to/server_key.pem
* The client key. You already put it into iestuff.p12...

Best regards,
    Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
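
The split between CA certificate and server certificate described in the reply above, as an added example that is not part of the original thread: it issues a separate server certificate from a throwaway CA and checks that a certificate/key pair is suitable for SSLCertificateFile/SSLCertificateKeyFile, rejecting the case where the CA certificate itself is configured there. It uses plain openssl commands; "Demo CA", www.example.test, the file names and the function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. "Demo CA", www.example.test and all file names are constructed.

# Build a throwaway CA and a separate server certificate signed by it.
issue_server_cert() {
    fqdn="$1"; dir="$2"
    # 1) CA key + self-signed CA certificate -> SSLCACertificateFile
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null || return 1
    # 2) Server key + signing request, CN = FQDN of the server
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$dir/server_key.pem" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3) CA signs the request -> SSLCertificateFile / SSLCertificateKeyFile
    openssl x509 -req -in "$dir/server.csr" -days 30 \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -out "$dir/server_cert.pem" 2>/dev/null || return 1
}

# Return 0 if cert/key are fit for SSLCertificateFile/SSLCertificateKeyFile:
#   1 = cert is self-signed (e.g. the CA certificate itself was configured)
#   2 = cert does not chain to the given CA
#   3 = private key does not belong to the cert
check_server_cert() {
    cert="$1"; key="$2"; ca="$3"
    subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" != "$iss" ] || return 1
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 2
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] || return 3
}

demo() {
    d=$(mktemp -d) || return 1
    issue_server_cert www.example.test "$d" || return 1
    rc=0; check_server_cert "$d/server_cert.pem" "$d/server_key.pem" "$d/cacert.pem" || rc=$?
    echo "separate server certificate: rc=$rc"
    rc=0; check_server_cert "$d/cacert.pem" "$d/cakey.pem" "$d/cacert.pem" || rc=$?
    echo "CA certificate reused as server certificate: rc=$rc"
    rm -rf "$d"
}
demo
```

Keeping the CA private key off the web server is the practical gain: a compromise of the server then exposes only the server key, not the ability to issue new client or server certificates.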