RE: [BugDB] Configuration problems (PR#640)

2001-12-11 Thread Michael . Straessle

the following conf might work:

...
...
# restrict general server conf to localhost
BindAddress 127.0.0.1
...
...
<IfDefine HAVE_SSL>
Listen 80
Listen 443
</IfDefine>

<IfDefine HAVE_SSL>
##
## SSL Virtual Host Context
##

<VirtualHost 20.30.70.40:443>
...
...
</VirtualHost>

<VirtualHost 20.30.70.40:80>
...
...
</VirtualHost>

<VirtualHost 20.30.70.48:443>
...
...
</VirtualHost>
<VirtualHost 20.30.70.48:80>
...
...
</VirtualHost>

</IfDefine>


 -----Original Message-----
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Monday, 10 December 2001 22:52
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: [BugDB] Configuration problems (PR#640)
 
 
 Full_Name: 
 Version: 2.8.5
 OS: Linux
 Submission from: (NULL) (216.72.177.4)
 
 
 I have defined 2 domains in one server, based on IP address
 my etc/hosts file is like:
  20.30.70.40   server_name   www.domain_A   domain_A
  20.30.70.48   server_name   www.domain_B   domain_B
 
 my httpd.conf is like
 ..
 ..
 ..
 Listen 80
 NameVirtualHost 20.30.70.40
 
 <VirtualHost 20.30.70.40>
 ServerAdmin admin@domain_A
 DocumentRoot /home/httpd/file_A/www
 ServerName Domain_A
 Directory Index htm html cgi
 ###
 <Directory /home/httpd/file_A/www/>
 order allow,deny
 Options Indexes Includes FollowSymLinks ExecCGI
 deny from all
 </Directory>
 
 ErrorLog logs/Domain_A-error_log
 CustomLog /var/log/httpd/Domain_A-access_log common
 </VirtualHost>
 
 <VirtualHost 20.30.70.48>
 DocumentRoot /home/httpd/domain_B
 ServerName www.domain_B
 ServerAdmin admin@domain_B
 ErrorLog /var/log/httpd/domain_B-error_log
 CustomLog /var/log/httpd/domain_B-access_log common
 DirectoryIndex index.htm index.html
 
 <Directory /home/httpd/domain_B>
 AllowOverride None
 Options Indexes Includes FollowSymLinks ExecCGI
 Order allow,deny
 Allow from all
 </Directory>
 
 </VirtualHost>
 
 <IfDefine HAVE_SSL>
 ##
 ## SSL Virtual Host Context
 ##
 Listen 443
 <VirtualHost 20.30.70.40:443>
 DocumentRoot /home/httpd/domain_A/www
 ServerName www.domain_A
 SSLEngine on
 SSLProtocol all -SSLv3
 #   Server Certificate:
 SSLCertificateFile /etc/httpd/conf/propio/certisur_A.crt
 #   Server Private Key:
 SSLCertificateKeyFile /etc/httpd/conf/propio/server_A.key
 
 <Files ~ "\.(cgi|shtml)$">
 SSLOptions +StdEnvVars
 </Files>
 <Directory /var/www/cgi-bin>
 SSLOptions +StdEnvVars
 </Directory>
 
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
 CustomLog /var/log/httpd/ssl_request_log \
   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 
 </VirtualHost>
 
 <VirtualHost 20.30.70.48:443>
  ServerName www.Domain_B
  DocumentRoot /home/httpd/domain_B
  <Directory /home/httpd/domain_B>
   AllowOverride None
   Options Indexes Includes FollowSymLinks ExecCGI
   Order allow,deny
   Allow from all
  </Directory>
  SSLEngine on
  SSLProtocol all -SSLv3
  SSLCertificateFile /etc/httpd/conf/mallgallery/certisur_B.crt
  SSLCertificateKeyFile /etc/httpd/conf/mallgallery/server_B.key
 
  <Files ~ "\.(cgi|shtml)$">
  SSLOptions +StdEnvVars
  </Files>
  <Directory /var/www/cgi-bin>
  SSLOptions +StdEnvVars
  </Directory>
  CustomLog /var/log/httpd/ssl_request_log \
   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 
 </VirtualHost>
 </IfDefine>
 
  If I call Domain_A or Domain_B in non-secure operation (http) I have no
  problems, but in secure conditions (https) the server only responds to
  Domain_A calls.
  I am waiting for some comments, please.
 
 __
 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  [EMAIL PROTECTED]
 Automated List Manager[EMAIL PROTECTED]
 



Re: Name-Based Virtual Hosting via a Single IP and SSL implementation

2001-12-11 Thread Owen Boyle

Dr. Peter Kanyion wrote:
 
 Hello folks,
 
 I'll greatly appreciate any help you could offer in getting to the right
 solution to my problems. I'm acquainted with Apache and SSL, but I'm not a
 GURU.
 I have two domains, let's say mydomain1.com and mydomain2.com, and a single
 registered IP address. Both domains are mapped to the single IP address and
 the domain lookup is working perfectly.
 
 I've installed Apache 1.3.19 with mod_ssl version 2.8. Using the default
 configuration, I could access the domain mydomain1.com via http(80) and
 https(443) without problems.
 
 Now I'm in the process of modifying the configuration to incorporate both
 domains. I've not been very successful in getting this accomplished.
 
 Here is in summary what I actually want to accomplish.
 
 I want to access mydomain1.com via http (80) and https (443) and
 mydomain2.com via http(80) and https(444). I have a single certificate.
 
 Based on information gathered via threads in this mailing list, I understand
 that I could accomplish this using name-based virtual host.

Not quite. Name-based virtual-hosting doesn't work with SSL (see
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47 - the basic problem is
that you don't get the Host: header until everything is encrypted, but
you can't encrypt anything until you know what cert to use - and that's
defined by the host header!).

However, this is not what you are doing. Since you are happy to use port
444, you are using port-based virtual-hosting, which works fine with SSL.
The following should work:

Listen 80
Listen 443
Listen 444

<VirtualHost *:443>
SSLEngine On
SSLCertificateFile ssl/server1.cert
SSLCertificateKeyFile ssl/server1.key
DocumentRoot C:/websites/confidential_1
</VirtualHost>

<VirtualHost *:444>
SSLEngine On
SSLCertificateFile ssl/server2.cert
SSLCertificateKeyFile ssl/server2.key
DocumentRoot C:/websites/confidential_2
</VirtualHost>

Note that although you want to use a single certificate, this will lead
to problems - the cert contains the FQDN and this can only match one
site. So the other, non-matching site will generate "cert doesn't match
FQDN" warnings in the browser.

If this doesn't work, please explain what is going wrong.

Rgds,

Owen Boyle.
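The pitfall Owen Boyle describes (two SSL hosts on one address and port, with the certificate chosen before the Host: header can be read) is easy to spot mechanically. The script below is an added example, not code from mod_ssl or from anyone in this thread: it parses the small httpd.conf subset used above (Listen, <VirtualHost addr[:port]>, SSLEngine, ServerName, SSLCertificateFile) and reports SSL hosts that share a socket, SSL hosts with no explicit port, and SSL hosts on a port nothing is listening on. The two configurations embedded in it are constructed for the example; the first is the layout the poster asked for, the second is the port-based layout from the reply.

```python
"""Flag SSL VirtualHost layouts that cannot work without SNI.  Added example,
not mod_ssl code: it parses the httpd.conf subset used in this thread and
reports two SSLEngine-on hosts on one address:port, where the handshake must
pick a certificate before the Host: header is readable."""
import re
from collections import defaultdict

VHOST_OPEN = re.compile(r'^\s*<VirtualHost\s+([^>]+)>\s*$', re.I)
VHOST_CLOSE = re.compile(r'^\s*</VirtualHost>\s*$', re.I)
DIRECTIVE = re.compile(r'^\s*(\w+)\s+(.*?)\s*$')

def parse_addr(spec):
    """'*:443' -> ('*', 443); a bare '20.30.70.40' -> ('20.30.70.40', None)."""
    addr, sep, port = spec.strip().rpartition(':')
    return (addr, int(port)) if sep else (port, None)

def parse_conf(text):
    """Return (set of listened ports, list of vhost dicts)."""
    listen, vhosts, current = set(), [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0]                 # drop comments
        m = VHOST_OPEN.match(line)
        if m:
            addr, port = parse_addr(m.group(1))
            current = {'addr': addr, 'port': port, 'ssl': False,
                       'servername': None, 'cert': None}
        elif VHOST_CLOSE.match(line):
            vhosts.append(current)
            current = None
        elif DIRECTIVE.match(line):
            name, arg = DIRECTIVE.match(line).groups()
            name = name.lower()
            if current is None:                     # main server context
                if name == 'listen':
                    listen.add(parse_addr(arg)[1] or int(arg))
            elif name == 'sslengine':
                current['ssl'] = arg.lower() == 'on'
            elif name == 'servername':
                current['servername'] = arg
            elif name == 'sslcertificatefile':
                current['cert'] = arg
    return listen, vhosts

def check(text):
    """Return a list of findings; an empty list means the SSL layout is sound."""
    listen, vhosts = parse_conf(text)
    findings, by_socket = [], defaultdict(list)
    for vh in (v for v in vhosts if v['ssl']):
        if vh['port'] is None:
            findings.append('%s: SSL host without an explicit port; write addr:port'
                            % vh['servername'])
            continue
        if vh['port'] not in listen:
            findings.append('%s: port %d has no Listen directive'
                            % (vh['servername'], vh['port']))
        by_socket[(vh['addr'], vh['port'])].append(vh)
    for (addr, port), hosts in sorted(by_socket.items()):
        if len(hosts) > 1:
            findings.append(
                '%s:%d carries %d SSL hosts (%s): without SNI every handshake '
                'presents the first certificate, %s, so the other names get a '
                'certificate mismatch in the browser'
                % (addr, port, len(hosts),
                   ', '.join(h['servername'] or '?' for h in hosts),
                   hosts[0]['cert']))
    return findings

# Constructed input: the layout the poster asked for (both names on *:443).
NAME_BASED_SSL = """
Listen 80
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName mydomain1.com
    SSLEngine on
    SSLCertificateFile ssl/server1.cert
</VirtualHost>
<VirtualHost *:443>
    ServerName mydomain2.com
    SSLEngine on
    SSLCertificateFile ssl/server2.cert
</VirtualHost>
"""

# Constructed input: the port-based layout from the reply, one socket per cert.
PORT_BASED_SSL = """
Listen 80
Listen 443
Listen 444
<VirtualHost *:443>
    ServerName mydomain1.com
    SSLEngine on
    SSLCertificateFile ssl/server1.cert
</VirtualHost>
<VirtualHost *:444>
    ServerName mydomain2.com
    SSLEngine on
    SSLCertificateFile ssl/server2.cert
</VirtualHost>
"""

if __name__ == '__main__':
    for label, conf in (('name-based', NAME_BASED_SSL), ('port-based', PORT_BASED_SSL)):
        print(label + ':', check(conf) or ['no findings'])
```

Run it over a real httpd.conf with `check(open(path).read())`; the "no Listen directive" finding is the same trap as a Listen 443 hidden inside an <IfDefine> block that was not defined at startup, which is worth checking whenever https answers on one site and not another.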



Multiple CRLs with same CA

2001-12-11 Thread Alec . Barea

Hello there,

Does mod_ssl support having multiple CRLs for one CA?
It seems it doesn't, and that's very annoying in my situation.
I'm using Entrust PKI software which splits the CRL list when it reaches
a defined size (for scalability). mod_ssl seems to check only the first
CRL and doesn't care about the others, which means that users with
revoked certificates can use them...

Regards,

Alec



Alec Barea
PKI engineering team
Equant
Tel:  +1 514 847-3436
CVS: 225 3436




Re: Multiple CRLs with same CA

2001-12-11 Thread Mads Toftum

On Tue, Dec 11, 2001 at 05:32:42PM -0500, [EMAIL PROTECTED] wrote:
 Hello there,
 
 Does mod_ssl support having multiple CRLs for one CA?
 It seems it doesn't, and that's very annoying in my situation.
 I'm using Entrust PKI software which splits the CRL list when it reaches
 a defined size (for scalability). mod_ssl seems to check only the first
 CRL and doesn't care about the others, which means that users with
 revoked certificates can use them...
 
Hmmm - perhaps you could use mod_authz_ldap - AFAICT it should be a usable
solution in an Entrust setup. 

vh

Mads Toftum
-- 
With a rubber duck, one's never alone.
  -- The Hitchhiker's Guide to the Galaxy



Re: Multiple CRLs with same CA

2001-12-11 Thread Alec . Barea


Hello Mads,

Thanks for your answer.
I took a look at the web page of mod_authz_ldap but couldn't figure out how
it could help me; can you explain your thoughts a bit more?

Regards,

Alec


From Mads Toftum [EMAIL PROTECTED] on 11 December 2001 23:45:53
To : [EMAIL PROTECTED]
Subject : Re: Multiple CRLs with same CA


On Tue, Dec 11, 2001 at 05:32:42PM -0500, [EMAIL PROTECTED] wrote:
 Hello there,

 Does mod_ssl support having multiple CRLs for one CA?
 It seems it doesn't, and that's very annoying in my situation.
 I'm using Entrust PKI software which splits the CRL list when it reaches
 a defined size (for scalability). mod_ssl seems to check only the first
 CRL and doesn't care about the others, which means that users with
 revoked certificates can use them...

Hmmm - perhaps you could use mod_authz_ldap - AFAICT it should be a usable
solution in an Entrust setup.

vh

Mads Toftum
--
With a rubber duck, one's never alone.
  -- The Hitchhiker's Guide to the Galaxy



Alec Barea
PKI engineering team
Equant
Tel:  +1 514 847-3436
CVS: 225 3436




RE: SSL Problem

2001-12-11 Thread Rajidhar Etta

Hi all,
We are also using the same app server and experiencing similar
problems. I looked at some of the mailing list documents / mod_ssl FAQ
and changed the configuration files, but it's of no use.
Is there any workaround, or does anyone know which browsers are causing
this (so that I can tell the users not to use them)?

Thanks,


Rajidhar Etta 
eComServer, Inc 
770.750.6594 (Till Friday)
609.203.3697 (Cell) 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Waleed Shaalan
Sent: Monday, December 10, 2001 5:33 PM
To: [EMAIL PROTECTED]
Subject: SSL Problem


Dear sir,
I installed 9iAS, which is Apache web server based, using mod_ssl &
mod_jserv.
I have a problem in my application: some clients using IE version 5.5
who access the login page (https://www.application.com/login.jsp), which
uses the HTTPS protocol, get a "Page cannot be displayed" error, though many
other clients can view this page without any problem.
This problem appears random, because the same user who faces
this problem can view this page sometimes, and others can never view this
page at all.
I want to know what the problem is. Is there a bug which makes this
random behavior for the IE clients?

Eng. Waleed Shaalan
Senior Developer
Mega For Software Development
Subsidiary of RAYA Holding




make certificate Doesn't Work, Apache 2.0.28, Unix, and mod_ssl

2001-12-11 Thread Kevin McQuiggin

Hi Group:

I want to create a dummy self-signed certificate.  Despite the Apache
documentation, "make certificate" in the top-level source directory doesn't
work.  There's no "certificate:" target in the Makefile.

Obviously once I have things working I'll be off to Verisign or Thawte for
a real cert.

I am working with Apache 2.0.28 under FreeBSD.  I tried searching the list
archive for this problem with no luck.  Any info appreciated, TIA.

Kevin

---
Kevin McQuiggin VE7ZD
[EMAIL PROTECTED]



Re: Win32 mod_ssl runs on one Win2000 box but not on another..

2001-12-11 Thread Patrick Willart

The problem wasn't really with Apache or mod_ssl but with OpenSSL. The DLLs
were compiled with assembly code (ms\do_masm). This apparently ran differently
on the other Win2000 machine and caused it to crash. When I compiled OpenSSL
by only using the C compiler (ms\do_ms) it works fine.

Hope this helps some one else out. It cost me a few days.

Patrick
- Original Message -
From: Patrick Willart [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, December 08, 2001 7:27 PM
Subject: Win32 mod_ssl runs on one Win2000 box but not on another..


 The compiled version of Apache/1.3.22 (Win32) mod_ssl/2.8.5 OpenSSL/0.9b
 PHP4.0.6 is running stable on my development machine. When moving it to my
 production environment Apache stops without showing any error. It doesn't
 produce the error.log file. The only thing I get is these four errors in the
 ssl.log file.

 [08/Dec/2001 19:18:00 01464] [info]  Server: Apache/1.3.22, Interface:
 mod_ssl/2.8.5, Library: OpenSSL/0.9.6b
 [08/Dec/2001 19:18:00 01464] [warn]  You are using mod_ssl under Win32. This
 combination is *NOT* officially supported. Use it at your own risk!
 [08/Dec/2001 19:18:00 01464] [info]  Init: 1st startup round (still not
 detached)
 [08/Dec/2001 19:18:00 01464] [info]  Init: Initializing OpenSSL library
 [08/Dec/2001 19:18:00 01464] [info]  Init: Loading certificate & private key
 of SSL-aware server www.myserver.com:443

 I thought I had conquered all possible problems (KeepAlive Off - to work
 around the multithreading problem and the OpenSSL DLLs in the PATH) but
 apparently not.

 Patrick






Re: SSL Problem

2001-12-11 Thread Mike_Innes



Waleed
 I had this problem with iAS and I turned off EXPORT ciphers and HTTP/1.1
keepalive

http://www.modssl.org/docs/2.8/ssl_faq.html#io-ie
fixed it

I think that the default Oracle iAS httpd.conf is not as good as the standard
Apache httpd.conf.
Mikey

Waleed Shaalan [EMAIL PROTECTED] on 10/12/2001 22:32:55

Please respond to [EMAIL PROTECTED]

To:   [EMAIL PROTECTED]
cc:(bcc: Mike Innes/Virgin Direct/GB)

Subject:  SSL Problem



Dear sir,
I installed 9iAS, which is Apache web server based, using mod_ssl &
mod_jserv.
I have a problem in my application: some clients using IE version 5.5
who access the login page (https://www.application.com/login.jsp), which
uses the HTTPS protocol, get a "Page cannot be displayed" error, though many
other clients can view this page without any problem.
This problem appears random, because the same user who faces
this problem can view this page sometimes, and others can never view this
page at all.
I want to know what the problem is. Is there a bug which makes this
random behavior for the IE clients?

Eng. Waleed Shaalan
Senior Developer
Mega For Software Development
Subsidiary of RAYA Holding





[BugDB] Wasteful use of /dev/urandom (PR#642)

2001-12-11 Thread modssl-bugdb

Full_Name: Charles Jardine
Version: 2.8.4
OS: Solaris 8
Submission from: (NULL) (131.111.8.103)


While trussing my Apache to trace another problem, I noticed
reads of 8k bytes from /dev/urandom. My configuration has

  SSLRandomSeed connect file:/dev/urandom 32

so I was hoping for reads of 32 bytes.

The cause of the profligate use of /dev/urandom is stdio
read-ahead. The code is using fread to read 32 bytes, but
fread is buffered, and 8k bytes are read.

I have tested the following patch. It fixes the problem,
but at the expense of single-byte reads.

*** ssl_engine_rand.c.orig  Mon Jan  1 10:48:58 2001
--- ssl_engine_rand.c   Tue Dec 11 15:58:03 2001
***
*** 102,107 
--- 102,108 
   */
  if ((fp = ap_pfopen(p, pRandSeed-cpPath, r)) == NULL)
  continue;
+ setbuf(fp, NULL);
  nDone += ssl_rand_feedfp(p, fp, pRandSeed-nBytes);
  ap_pfclose(p, fp);
  }
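Review bot: setbuf(fp, NULL) makes the stream fully unbuffered, so the fread inside ssl_rand_feedfp on the following line now costs one read(2) per byte for the whole configured count (the "single-byte reads" the report itself concedes). Since pRandSeed->nBytes is available right here, setvbuf(fp, NULL, _IOFBF, pRandSeed->nBytes) would cap stdio's read-ahead at exactly the bytes requested while keeping one syscall, or ssl_rand_feedfp could bypass stdio with read(fileno(fp), ...). Either variant needs a guard for a directive given without a byte count (the bytes argument of SSLRandomSeed is optional), where nBytes cannot serve as a buffer size. Note also that setbuf() is only defined before any I/O on the stream; the placement directly after ap_pfopen satisfies that, so do not move it below the feed call.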

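The mechanism in this report, a library read-ahead silently pulling far more from an entropy source than the caller asked for, is easy to reproduce outside C. The script below is an added example, not mod_ssl code: Python's buffered and unbuffered file objects stand in for C stdio's fread, and a temporary file filled from os.urandom stands in for /dev/urandom (a constructed input, chosen because a regular file keeps a kernel offset that can be inspected after each read, which the device does not). It measures what the kernel actually gave up for a 32-byte request under three strategies: a buffered object (over-reads a whole buffer, the 8k effect), an unbuffered object (exact, the equivalent of the setbuf patch), and a raw read(2) loop that is exact and also tolerates short reads.

```python
"""Show how read-ahead over-consumes an entropy source.  Added example, not
mod_ssl code: Python's buffered and unbuffered file objects stand in for
C stdio, and a temporary file filled from os.urandom stands in for
/dev/urandom so the kernel file offset can be inspected after each read
(constructed input; the device itself keeps no offset to inspect)."""
import os
import tempfile

SEED_BYTES = 32         # the count in 'SSLRandomSeed connect file:/dev/urandom 32'
FILE_SIZE = 64 * 1024   # larger than any user-space read buffer we expect


def make_source():
    """Create the stand-in entropy file and return its path."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, 'wb') as f:
        f.write(os.urandom(FILE_SIZE))
    return path


def consumed_by(path, n, buffered):
    """Read n bytes through a buffered or unbuffered file object and return
    (bytes handed to the caller, bytes the kernel actually gave up)."""
    f = open(path, 'rb') if buffered else open(path, 'rb', buffering=0)
    with f:
        data = f.read(n)
        # A zero-length seek on the descriptor shows what really left the
        # kernel, regardless of what the user-space buffer is holding back.
        kernel_offset = os.lseek(f.fileno(), 0, os.SEEK_CUR)
    return len(data), kernel_offset


def read_exact(path, n):
    """Raw read(2) loop: asks the kernel for exactly the bytes still needed
    and tolerates short reads, which matter on a blocking /dev/random."""
    fd = os.open(path, os.O_RDONLY)
    try:
        chunks, got = [], 0
        while got < n:
            chunk = os.read(fd, n - got)
            if not chunk:               # EOF before n bytes: stop short
                break
            chunks.append(chunk)
            got += len(chunk)
        return b''.join(chunks), os.lseek(fd, 0, os.SEEK_CUR)
    finally:
        os.close(fd)


def demo(n=SEED_BYTES):
    """Run all three strategies against a fresh source; returns a dict of
    (bytes returned, kernel offset) per strategy."""
    path = make_source()
    try:
        raw, off = read_exact(path, n)
        return {'buffered': consumed_by(path, n, buffered=True),
                'unbuffered': consumed_by(path, n, buffered=False),
                'raw': (len(raw), off)}
    finally:
        os.unlink(path)


if __name__ == '__main__':
    for mode, (returned, consumed) in demo().items():
        print('%-10s handed back %2d bytes, kernel gave up %d'
              % (mode, returned, consumed))
```

The buffered figure is whatever block size the file object picked (Python uses the file's st_blksize, typically 4096 or 8192), not the 32 bytes requested; that is the same class of waste the truss output showed. The raw loop is the shape to prefer when the source can block or return short, since a single read() of n bytes is not guaranteed to return all n.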



[BugDB] graceful needed after CRL update? (PR#641)

2001-12-11 Thread modssl-bugdb

Full_Name: robert joop
Version: 2.8.0
OS: 
Submission from: (NULL) (193.175.135.28)


on an apache 1.3.17 with mod_ssl 2.8.0, i installed new CRLs, ran
"make" in the ssl.crl directory, but even days later, it still considers
the CRLs as expired (which they aren't).

is it necessary to restart the apache (graceful seems to be sufficient)?

i didn't find this documented anywhere nor addressed in the bug
database.
btw, i think bug #6 can be moved from suspended to closed, don't ya
think?




Question

2001-12-11 Thread Juce

We just recently upgraded Apache (1.3.19) and mod_ssl (2.8.1) for one of our
dedicated customers who is using secure certificates from Equifax.  Soon after
the upgrade, 2 of his sites were receiving Root Certificate Warnings, meaning that
Equifax's certificates were not being recognized correctly.  However, this
problem only seems to be occurring on certain browsers, if the browsers
themselves do not have 128-bit encryption.  But then some of these browsers
report a warning and some do not.  If you want to look, the sites are
https://www.dells.com and https://www.ad-lit.com.

I have already contacted Equifax regarding this problem when it first occurred
about 2 weeks ago, but they haven't really been all that helpful in this matter.
I asked one of our development guys here, who was the one to do the upgrade on his
server, and he said that the upgrade could have caused the problem, but as of yet
is not sure what that may be.

We were wondering if you guys have heard of anything similar occurring to other
people.  I'm not sure if you guys can help, but if you have any information that
may be useful, we would be extremely grateful.   Please get back to us at your
earliest convenience.

Thank You,

Julian
[EMAIL PROTECTED]
DreamHost.com
NewDream.net
