Re: issuing certificate
hi, i made the certificate and could get the certificate on the display. my actual problem is something like this. I have a http server for my intranet. And I have 4 users as of now. with the present certificate, only one user can get through and i want to be able to issue different certificates to each individual user. Now, I wish to know these things: 1. how will i generate certificate-bundle? 2. How can I make sure that a particular certificate goes to a particular user only? Is there anything like binding a certificate to a particular host or IP address or a particular mail id ? <> 3. Can i automate the process of issuing certificates? << i.e., if any IP address database can be made where i can specify the hosts who can have certificates issued to themand the first time the particular host contacts the server, server will automatically generate the certificate for the client by asking him for all the details>> regards murali krishna vemuri Owen Boyle wrote: "Murali K. Vemuri" wrote: > > hi, > i could make a certificate in the way given by you. > i copied the .crt and .key files into /etc/httpd/conf/ssl.crt/server.crt and > ../ssl.key/server.key respectively and then restarted the httpd. > after that i set the multi.crt ( i created like this instead of your suggested > kiwi.crt) and multi.key > paths in the httpd conf file in the /etc/httpd/conf/httpd.conf file . > i am attaching the relevant portions of the httpd.conf file here. > now, to test whether my certificate works or not, i typed > openssl -x509 -noout -text -in multi.crt > i observe that the certificate is same as was generted by me. > but, when i open netscape and type https://yogi (it is my host name), i get the > same old certificate > which is "snake oil ' etc. > can some one tell me how i can get rid of that "snake oil" certificate for ever ? Double-double-check the path leads to the correct file, i.e. do: openssl -x509 -noout -text -in /etc/httpd/conf/ssl.crt/multi.crt If this is correct then the problem must be caching in the browser. Click on the security icon and delete any certificates you have already accepted. > is there any documentation available out there? http://www.modssl.org/ and click on "Documents"... Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] -- with thanks for your time, Murali Krishna Vemuri off: Multitech Software Systems, #95, 17th'B' Main Road, V Block, Koramangala, BANGALORE 560095 tel: 080 5534471 xtn: 214 res: #12, 6th 'A' Cross, Ramaswamy Palya, Vignana Nagara, Martha Halli Post, Bangalore 560 037.
Re: MSIE POST problem
On Wed, Oct 24, 2001 at 05:38:40PM -0700, Peter Morelli wrote: > Sorry, I have the same situation after using those config lines. I had seen > them on the mailing list before, but just to be sure I've just retested > them. No change. Same symptoms and solutions... And you do have a ssl session cache defined? -Dave __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Modssl on Openbsd 2.9
SSL doesnt function Doug Dalton wrote: > The problem is that SSL function. > > R/Doug > > Peter Morelli wrote: > > > Those don't look like errors, just notices, or informational events. The > > first one is apache shutting down, looks like from a kill command. The > > second is Apache starting up again. No idea on the third. I get the first to > > all the time in my error_log... > > > > --pete > > > > -Original Message- > > From: Doug Dalton [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, October 24, 2001 5:41 PM > > To: [EMAIL PROTECTED] > > Subject: Modssl on Openbsd 2.9 > > > > Any idea why this error is occuring? > > > > [Wed Oct 24 15:45:29 2001] [notice] caught SIGTERM, shutting down > > [Wed Oct 24 15:47:12 2001] [notice] Apache/1.3.22 (Unix) mod_ssl/2.8.5 > > OpenSSL > > /0.9.6b configured -- resuming normal operations > > [Wed Oct 24 15:47:12 2001] [notice] Accept mutex: flock (Default: flock) > > > > __ > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > > User Support Mailing List [EMAIL PROTECTED] > > Automated List Manager[EMAIL PROTECTED] > > __ > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > > User Support Mailing List [EMAIL PROTECTED] > > Automated List Manager[EMAIL PROTECTED] > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Modssl on Openbsd 2.9
The problem is that SSL function. R/Doug Peter Morelli wrote: > Those don't look like errors, just notices, or informational events. The > first one is apache shutting down, looks like from a kill command. The > second is Apache starting up again. No idea on the third. I get the first to > all the time in my error_log... > > --pete > > -Original Message- > From: Doug Dalton [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, October 24, 2001 5:41 PM > To: [EMAIL PROTECTED] > Subject: Modssl on Openbsd 2.9 > > Any idea why this error is occuring? > > [Wed Oct 24 15:45:29 2001] [notice] caught SIGTERM, shutting down > [Wed Oct 24 15:47:12 2001] [notice] Apache/1.3.22 (Unix) mod_ssl/2.8.5 > OpenSSL > /0.9.6b configured -- resuming normal operations > [Wed Oct 24 15:47:12 2001] [notice] Accept mutex: flock (Default: flock) > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Modssl on Openbsd 2.9
Those don't look like errors, just notices, or informational events. The first one is apache shutting down, looks like from a kill command. The second is Apache starting up again. No idea on the third. I get the first to all the time in my error_log... --pete -Original Message- From: Doug Dalton [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 24, 2001 5:41 PM To: [EMAIL PROTECTED] Subject: Modssl on Openbsd 2.9 Any idea why this error is occuring? [Wed Oct 24 15:45:29 2001] [notice] caught SIGTERM, shutting down [Wed Oct 24 15:47:12 2001] [notice] Apache/1.3.22 (Unix) mod_ssl/2.8.5 OpenSSL /0.9.6b configured -- resuming normal operations [Wed Oct 24 15:47:12 2001] [notice] Accept mutex: flock (Default: flock) __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Modssl on Openbsd 2.9
Any idea why this error is occuring? [Wed Oct 24 15:45:29 2001] [notice] caught SIGTERM, shutting down [Wed Oct 24 15:47:12 2001] [notice] Apache/1.3.22 (Unix) mod_ssl/2.8.5 OpenSSL /0.9.6b configured -- resuming normal operations [Wed Oct 24 15:47:12 2001] [notice] Accept mutex: flock (Default: flock) __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: MSIE POST problem
Sorry, I have the same situation after using those config lines. I had seen them on the mailing list before, but just to be sure I've just retested them. No change. Same symptoms and solutions... --pete -Original Message- From: David Rees [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 24, 2001 5:03 PM To: '[EMAIL PROTECTED]' Subject: Re: MSIE POST problem On Wed, Oct 24, 2001 at 03:47:11PM -0700, Peter Morelli wrote: > I've done a little more testing, and it seems like turning OFF the "Show > friendly http error pages" option in MSIE allows apache/mod_ssl to downgrade > the connection to HTTP/1.0 correctly. Turning it back on again leads to a > situation where it is NOT downgraded, and you get the "server not found" > page. Again, this is only for file uploads. It seems that recent versions (5.x+) of MSIE don't like being downgrade to HTTP/1.0. Try this config in place of your current SetEnvIf or BrowserMatch directive: BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown You may be able to get away without having the second line entirely, but I haven't tested it myself. Let us know how it works out. -Dave __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: MSIE POST problem
On Wed, Oct 24, 2001 at 03:47:11PM -0700, Peter Morelli wrote: > I've done a little more testing, and it seems like turning OFF the "Show > friendly http error pages" option in MSIE allows apache/mod_ssl to downgrade > the connection to HTTP/1.0 correctly. Turning it back on again leads to a > situation where it is NOT downgraded, and you get the "server not found" > page. Again, this is only for file uploads. It seems that recent versions (5.x+) of MSIE don't like being downgrade to HTTP/1.0. Try this config in place of your current SetEnvIf or BrowserMatch directive: BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown You may be able to get away without having the second line entirely, but I haven't tested it myself. Let us know how it works out. -Dave __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: MSIE POST problem
I've done a little more testing, and it seems like turning OFF the "Show friendly http error pages" option in MSIE allows apache/mod_ssl to downgrade the connection to HTTP/1.0 correctly. Turning it back on again leads to a situation where it is NOT downgraded, and you get the "server not found" page. Again, this is only for file uploads. --pete -Original Message- From: Peter Morelli Sent: Wednesday, October 24, 2001 11:59 AM To: '[EMAIL PROTECTED]' Subject: MSIE POST problem I'm having quite a perplexing problem, and I was hoping someone could give me a hint here on this list. First, my environment: - Solaris 2.6 - Apache 1.3.20 - modssl 2.8.4 - openssl 0.9.6b - Weblogic 5.1 - MSIE 5.5 sp1 I'm using apache to frontend WebLogic through a BEA provided module. My problem: It seems similar to some of the archived posts on this list as well as a section of the FAQ, as it is the "Server not found" error from MSIE. I start out with a form retrieved over regular HTTP, and post a file upload to a HTTPS URL. However, even after enabling the various fixes (SetEnvIf to downgrade, etc) detailed in the FAQ and past posts, it still doesn't work. I invariably get a server not found page. However, if I go to IE's Tools->Internet Options->Advanced and uncheck "Show friendly HTTP error messages", everything seems to work fine. Very weird. The error posts never even show up in my apache or weblogic logs, though after I turned the modssl log up to debug I can see some activity, and snoop picks up the packets between machines. Some other variables: - I use self generated certificates, which generate an accept certificate box in IE when it does work - Non-standard ports: 8110 for http, 8115 for https, in a Virtual hosts. The SetEnvIf downgrade is out in the main server config. - When I do standard form posts (just fields) this problem rarely crops up, if ever. - From the modssl debug logs, it looks like the multi-part form request (file upload) establishes a regular ssl connection, which closes with a standard shutdown, while a regular post does downgrade and uses an unclean shutdown... I have tried MANY different configurations, and I can't seem to get it to work. Any help would be greatly appreciated, as I'd rather not go back to serving http with weblogic (which doesn't seem to have a problem with IE). --peter __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
MSIE POST problem
I'm having quite a perplexing problem, and I was hoping someone could give me a hint here on this list. First, my environment: - Solaris 2.6 - Apache 1.3.20 - modssl 2.8.4 - openssl 0.9.6b - Weblogic 5.1 - MSIE 5.5 sp1 I'm using apache to frontend WebLogic through a BEA provided module. My problem: It seems similar to some of the archived posts on this list as well as a section of the FAQ, as it is the "Server not found" error from MSIE. I start out with a form retrieved over regular HTTP, and post a file upload to a HTTPS URL. However, even after enabling the various fixes (SetEnvIf to downgrade, etc) detailed in the FAQ and past posts, it still doesn't work. I invariably get a server not found page. However, if I go to IE's Tools->Internet Options->Advanced and uncheck "Show friendly HTTP error messages", everything seems to work fine. Very weird. The error posts never even show up in my apache or weblogic logs, though after I turned the modssl log up to debug I can see some activity, and snoop picks up the packets between machines. Some other variables: - I use self generated certificates, which generate an accept certificate box in IE when it does work - Non-standard ports: 8110 for http, 8115 for https, in a Virtual hosts. The SetEnvIf downgrade is out in the main server config. - When I do standard form posts (just fields) this problem rarely crops up, if ever. - From the modssl debug logs, it looks like the multi-part form request (file upload) establishes a regular ssl connection, which closes with a standard shutdown, while a regular post does downgrade and uses an unclean shutdown... I have tried MANY different configurations, and I can't seem to get it to work. Any help would be greatly appreciated, as I'd rather not go back to serving http with weblogic (which doesn't seem to have a problem with IE). --peter __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: New User: must be obvious question
Thank you. - Original Message - From: <[EMAIL PROTECTED]> To: "ComCity" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Tuesday, October 23, 2001 11:25 PM Subject: Re: New User: must be obvious question > Hi Mike, > > the problem you are observing has a simple explanation. If you define > -DSSL as argument for apachectl or configtest or httpd the according > parts included in > .. are executed. If not defined, they are > ignored. Your LoadModule and AddModule statements are properly nested > with IfDefines, but your VirtualHost for SSL (including mod_ssl > directives like SSLEngine) seems not to be enclosed by IfDefine or > IfModule. > If you start your httpd with -DSSL this is no problem, because mod_ssl > is loaded and interprets these directives. If you don't give -DSSL (as > in your call of configtest) the Apache httpd does not load mod_ssl and > does not understand directives like SSLEngine. > To get rid of the error, you should encapsulate all directives that are > available only if a certain module is loaded into Apache with IfDefine > or IfModule statements. For examples of this have a look in the > standard httpd.conf in the conf directory of your Apache installation. > > > The commented lines have no effect in or out. This was occuring long before > > these line comments were added. I just added those recently to find things > > easier when editing the file to try with this issue. I added these comments > > after the problem started...they where not there originally. Without the > > comment lines, it simply shifts the line # where the error occurs. I have > > always had > > > LoadModule ssl_module modules/libssl.so > > in my httpd.conf but I do not have > > AddModule mod_ssl.c. > > However, upon adding this line AddModule mod_ssl.c, there was no effect. > > Configtest gives the same error on the same line #. > > > > Is there some other way to restart apache when mod_ssl is installed. After > > all, you use apachectl startssl instead of apachectl start. Is there an > > apachectl restartssl? > > > > Thanks > > Mike > > > With best regards > > Georg Oppenberg > Internet Engineer Web Hosting > > UUNET - a WorldCom Company > UUNET Deutschland GmbH > Sebrathweg 20 > 44149 Dortmund > Germany > > Tel. +49 231 972 2280 > Fax. +49 231 972 1180 > [EMAIL PROTECTED] > http://www.worldcom.com/de/ > > > > __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: New User: must be obvious question
George, Cool, thanks! Very good description of the need for this statement and the errors it might invovle if certain proceedures are taken to restart httpd and such. I guess the issue has never surfaced here as I have a totally different proceedure for doing restarts after archiving logs and such, but, it has enlightened me enough to go fix all my conf files should someone need to replace me and invoke other means to the end. Thanks, Ron DuFresne On Wed, 24 Oct 2001 [EMAIL PROTECTED] wrote: > Hi Ron, > > Apache does not load the source file mod_ssl.c. Therefore there is no > need for it to know where the source is. > The filename (without path) is part of the module structure (coded in > by the define STANDARD_MODULE_STUFF) used to register handlers, > commands etc. of a module into the core httpd. > > If you have a ClearModuleList directive in your httpd.conf and use > mod_ssl as DSO you will run into problems when you restart your httpd > often. See my former post ( http://marc.theaimsgroup.com/?l=apache-modss > l&m=100280794307819&w=2) > > > Weird, for ssl does function without this statement at least on unix and > > linux systems. also weird in that mod_ssl.c never seems to move in the > > source tree; > > > > darkstar:/usr/local/apache/conf# locate mod_ssl.c > > /usr/local/src/installed/web/apache_1.3.20/src/modules/ssl/mod_ssl.c > > /usr/local/src/installed/web/mod_ssl-2.8.4-1.3.20/pkg.sslmod/mod_ssl.c > > darkstar:/usr/local/apache/conf# > > > > How does httpd find it for lading in addition to the ssl module? > > > > Thanks, > > > > Ron DuFresne > > -- > > ~~ > > admin & senior consultant: darkstar.sysinfo.com > > http://darkstar.sysinfo.com > > > > "Cutting the space budget really restores my faith in humanity. It > > eliminates dreams, goals, and ideals and lets us get straight to the > > business of hate, debauchery, and self-annihilation." > > -- Johnny Hart > > > > testing, only testing, and damn good at it too! > > > > __ > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > > User Support Mailing List [EMAIL PROTECTED] > > Automated List Manager[EMAIL PROTECTED] > > > With best regards > > Georg Oppenberg > Internet Engineer Web Hosting > > UUNET - a WorldCom Company > UUNET Deutschland GmbH > Sebrathweg 20 > 44149 Dortmund > Germany > > Tel. +49 231 972 2280 > Fax. +49 231 972 1180 > [EMAIL PROTECTED] > http://www.worldcom.com/de/ > > > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > -- ~~ admin & senior consultant: darkstar.sysinfo.com http://darkstar.sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: New User: must be obvious question
Excuse me snipping all the old stuff, but I think I noticed from your logs that you have managed to compile Apache 1.3.12 mod_ssl 2.6.6. against openssl-0.9.6a, which in itself is quite an achievement. ie: > [Tue Oct 23 11:52:05 2001] [notice] Apache/1.3.12 (Unix) PHP/4.0.5 > FrontPage/4.0.4.3 mod_ssl/2.6.6 OpenSSL/0.9.6a configured -- resuming normal > operations > (I wouldn't imagine that such an old version of apache-mod_ssl would compile against the latest openssl, and probably wouldn't ever try). The latest version is Apache 1.3.22, mod_ssl 2.8.5 and openssl-0.9.6a, which is definitely a good idea to upgrade to (notwithstanding that a number of security issues with the Apache server are resolved, eg cross-site scripting which is fixed from 1.3.14 onwards). Getting back to the real issue, that of starting up a secure server. Provided your Apache server has been compiled with ssl support, a valid configuration file always gets a secure server up. (Of course, it is possible to split your configuration file into multiple files if you host hundreds or thousands of sites). First of all, test that mod_ssl is compiled in using "httpd -l". You should then get the following: Compiled-in modules: http_core.c mod_so.c suexec: enabled; valid wrapper /usr/sbin/suexec You might get an error at the last line. I've never understood the suexec part, and apparently it isn't important. Next, check that your server is listening to port 443 (because if it isn't listening, it won't be able to receive secure connections). There should be a line in your httpd.conf saying Listen 443 There may be a Listen 80 which isn't actually required as there is a Port 80 That does exactly the same thing. But it might as well be left in for the sake of completeness. Next, the mod_ssl module must be loaded into the server. It is possible to run an apache-mod_ssl server without ssl support, which is useful for debugging if nothing else. This is what the LoadModule and AddModule lines do, and both are needed as IIRC Apache reads the module list twice. If they are enclosed in statements, then Apache needs to be started with httpd -DSSL. Finally, you'll need at least one virtual host listening on Port 443, with at least these three extra lines defined: SSLEngine on SSLCertificateFile /path/to/ssl.crt SSLCertificateKeyFile /path/to/ssl.key (Non-SSL hosts need only SSLEngine off defined). I have to admit that I rarely use "apachectl", preferring instead to use the following where necessary: /etc/rc.d/init.d/httpd stop /etc/rc.d/init.d/httpd start /etc/rc.d/init.d/httpd restart /etc/rc.d/init.d/httpd reload The last one is the most useful, as it re-reads the configuration file without dropping a single byte. It's useful for moving log files on the fly or minor changes to the httpd.conf file. There's no doubt that this stuff is hard (it's taken me years to get to grips with it), but it's better that running NT any day! (Off Topic: I've spent the last fortnight testing a single CD method of patching NT/IIS that works for all the NT servers and workstations I support, yet the procedure for updating our Linux boxes was written and completed in an afternoon.) - John Airey Internet systems support officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] - NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: New User: must be obvious question
ComCity wrote: > > Thank youAustin,Andy and Ron. I thought the purpose of the list was to > get helpI'm sorry if my question seemed stupid. It was not my intention > to post a stupid question in which I had not exhausted other resources or > throughly looked at what I could find on this. I responded honestly and, I thought, helpfully to your problem. Basically, if you get an error message you can be sure that an error has occurred - it's no use telling us that there's nothing wrong with your set-up. However, You chose to disregard my advice in a cheeky way: > Well that doesn't make a lot of sense So I reserve the right to tell you to: > Figure it out for yourself. I appreciate that SSL can be tricky to set up and this list exists to help people out but remember that all respondents are giving up their time voluntarily and are under no obligation to you. You should have some manners and treat them politely - even if they tell you something you don't want to hear. You are just another one of these guys who thinks they've set things up correctly and can't be bothered checking properly. It is obvious you have made a mistake in compilation, installation or configuration - the alternative hypothesis is that you have uncovered a major bug which has not surfaced before in a popular piece of software in use for years on thousands of computers... Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]