RE: [BugDB] Configuration problems (PR#640)
the following conf might work:

    ...
    ...
    # restrict general server conf to localhost
    BindAddress 127.0.0.1
    ...
    ...
    <IfDefine HAVE_SSL>
    Listen 80
    Listen 443
    </IfDefine>

    <IfDefine HAVE_SSL>
    ##
    ## SSL Virtual Host Context
    ##
    <VirtualHost 20.30.70.40:443>
    ...
    ...
    </VirtualHost>

    <VirtualHost 20.30.70.40:80>
    ...
    ...
    </VirtualHost>

    <VirtualHost 20.30.70.48:443>
    ...
    ...
    </VirtualHost>

    <VirtualHost 20.30.70.48:80>
    ...
    ...
    </VirtualHost>
    </IfDefine>

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, 10 December 2001 22:52
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [BugDB] Configuration problems (PR#640)

Full_Name:
Version: 2.8.5
OS: Linux
Submission from: (NULL) (216.72.177.4)

I have defined 2 domains in one server, based on IP address. My /etc/hosts file is like:

    20.30.70.40 server_name www.domain_A domain_A
    20.30.70.48 server_name www.domain_B domain_B

My httpd.conf is like:

    ..
    ..
    ..
    Listen 80
    NameVirtualHost 20.30.70.40

    <VirtualHost 20.30.70.40>
    ServerAdmin admin@domain_A
    DocumentRoot /home/httpd/file_A/www
    ServerName Domain_A
    DirectoryIndex htm html cgi
    ###
    <Directory /home/httpd/file_A/www/>
    order allow,deny
    Options Indexes Includes FollowSymLinks ExecCGI
    deny from all
    </Directory>
    ErrorLog logs/Domain_A-error_log
    CustomLog /var/log/httpd/Domain_A-access_log common
    </VirtualHost>

    <VirtualHost 20.30.70.48>
    DocumentRoot /home/httpd/domain_B
    ServerName www.domain_B
    ServerAdmin admin@domain_B
    ErrorLog /var/log/httpd/domain_B-error_log
    CustomLog /var/log/httpd/domain_B-access_log common
    DirectoryIndex index.htm index.html
    <Directory /home/httpd/domain_B>
    AllowOverride None
    Options Indexes Includes FollowSymLinks ExecCGI
    Order allow,deny
    Allow from all
    </Directory>
    </VirtualHost>

    <IfDefine HAVE_SSL>
    ##
    ## SSL Virtual Host Context
    ##
    Listen 443

    <VirtualHost 20.30.70.40:443>
    DocumentRoot /home/httpd/domain_A/www
    ServerName www.domain_A
    SSLEngine on
    SSLProtocol all -SSLv3
    # Server Certificate:
    SSLCertificateFile /etc/httpd/conf/propio/certisur_A.crt
    # Server Private Key:
    SSLCertificateKeyFile /etc/httpd/conf/propio/server_A.key
    <Files ~ "\.(cgi|shtml)$">
    SSLOptions +StdEnvVars
    </Files>
    <Directory /var/www/cgi-bin>
    SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    CustomLog /var/log/httpd/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

    <VirtualHost 20.30.70.48:443>
    ServerName www.Domain_B
    DocumentRoot /home/httpd/domain_B
    <Directory /home/httpd/domain_B>
    AllowOverride None
    Options Indexes Includes FollowSymLinks ExecCGI
    Order allow,deny
    Allow from all
    </Directory>
    SSLEngine on
    SSLProtocol all -SSLv3
    SSLCertificateFile /etc/httpd/conf/mallgallery/certisur_B.crt
    SSLCertificateKeyFile /etc/httpd/conf/mallgallery/server_B.key
    <Files ~ "\.(cgi|shtml)$">
    SSLOptions +StdEnvVars
    </Files>
    <Directory /var/www/cgi-bin>
    SSLOptions +StdEnvVars
    </Directory>
    CustomLog /var/log/httpd/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
    </IfDefine>

If I call Domain_A or Domain_B in non-secure operation (http) I have no problems, but in secure conditions (https) the server only responds to Domain_A calls. I am waiting for some comments, please.

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Name-Based Virtual Hosting via a Single IP and SSL implementation
Dr. Peter Kanyion wrote:

> Hello folks,
>
> I'll greatly appreciate any help you could offer in getting to the right solution to my problems. I'm acquainted with Apache and SSL, but I'm not a GURU.
>
> I have two domains, let's say mydomain1.com and mydomain2.com, and a single registered IP address. Both domains are mapped to the single IP address and the domain lookup is working perfectly. I've installed Apache 1.3.19 with mod_ssl version 2.8. Using the default configuration, I could access the domain mydomain1.com via http(80) and https(443) without problems. Now I'm in the process of modifying the configuration to incorporate both domains. I've not been very successful in getting this accomplished.
>
> Here is in summary what I actually want to accomplish. I want to access mydomain1.com via http (80) and https (443) and mydomain2.com via http(80) and http(444). I have a single certificate. Based on information gathered via threads in this mailing list, I understand that I could accomplish this using name-based virtual host.

Not quite. Name-based virtual-hosting doesn't work with SSL (see http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47 - the basic problem is that you don't get the Host: header until everything is encrypted but you can't encrypt anything until you know what cert to use - and that's defined by the host header!).

However, this is not what you are doing. Since you are happy to use port 444, you are using port-based virtual-hosting which works fine with SSL. The following should work:

    Listen 80
    Listen 443
    Listen 444

    <VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile ssl/server1.cert
    SSLCertificateKeyFile ssl/server1.key
    DocumentRoot C:/websites/confidential_1
    </VirtualHost>

    <VirtualHost *:444>
    SSLEngine On
    SSLCertificateFile ssl/server2.cert
    SSLCertificateKeyFile ssl/server2.key
    DocumentRoot C:/websites/confidential_2
    </VirtualHost>

Note that although you want to use a single certificate, this will lead to problems - the cert contains the FQDN and this can only match one site. So the other, non-matching site will generate "cert doesn't match FQDN" warnings in the browser.

If this doesn't work, please explain what is going wrong.

Rgds,
Owen Boyle.
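A configuration lint for the two vhost pitfalls in the threads above (PR#640's per-IP SSL hosts and the name-based attempt answered here), as an added example that is not mod_ssl's or either poster's code. It assumes only the four directives it parses (Listen, VirtualHost, ServerName, SSLEngine) and IPv4 or * addresses; the sample configs are constructed from the question and the reply.

```python
"""Lint an httpd.conf fragment for the SSL virtual-host pitfalls in the threads above:
two SSL vhosts on one ip:port and a vhost on a port nothing Listens on.
Added example, not mod_ssl code; handles IPv4 or * addresses only."""
import re
from collections import defaultdict


def parse(conf):
    """Return (ports that have a Listen, list of vhost dicts)."""
    listens, vhosts, cur = set(), [], None
    for line in (l.strip() for l in conf.splitlines()):
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:  # "<VirtualHost 1.2.3.4:443>", "<VirtualHost *:444>" or "<VirtualHost 1.2.3.4>"
            addr, sep, port = m.group(1).strip().rpartition(":")
            cur = {"addr": addr if sep else port, "port": port if sep else "80",
                   "name": None, "ssl": False}  # without a colon, `port` holds the address
            vhosts.append(cur)
        elif line.lower().startswith("</virtualhost>"):
            cur = None
        else:
            key, _, val = line.partition(" ")
            key, val = key.lower(), val.strip()
            if key == "listen":
                listens.add(val.rpartition(":")[2])  # "Listen 443" or "Listen 1.2.3.4:443"
            elif cur is not None and key == "servername":
                cur["name"] = val
            elif cur is not None and key == "sslengine":
                cur["ssl"] = val.lower() == "on"
    return listens, vhosts


def lint(conf):
    """Return a list of findings; an empty list means no SSL-vhost pitfall was found."""
    listens, vhosts = parse(conf)
    findings, by_socket = [], defaultdict(list)
    for v in vhosts:
        by_socket[(v["addr"], v["port"])].append(v)
        if v["port"] not in listens:
            findings.append(f"{v['addr']}:{v['port']}: no Listen for this port, vhost unreachable")
    for (addr, port), group in by_socket.items():
        ssl = [v["name"] or "?" for v in group if v["ssl"]]
        if len(ssl) > 1:  # pre-SNI, only the first SSL vhost on a socket can ever answer
            findings.append(f"{addr}:{port}: {len(ssl)} SSL vhosts share one socket ({', '.join(ssl)})")
    return findings


# Constructed samples: the name-based attempt from the question, and the port-based
# layout from the reply (the same text with the second vhost moved to port 444).
NAME_BASED = """Listen 443
<VirtualHost *:443>
  ServerName mydomain1.com
  SSLEngine On
</VirtualHost>
<VirtualHost *:443>
  ServerName mydomain2.com
  SSLEngine On
</VirtualHost>
"""
PORT_BASED = NAME_BASED.replace("Listen 443", "Listen 443\nListen 444").replace(
    "*:443>\n  ServerName mydomain2", "*:444>\n  ServerName mydomain2")
```

lint(NAME_BASED) reports the shared *:443 socket, lint(PORT_BASED) reports nothing, and a vhost on a port with no Listen (the Listen 443 inside IfDefine in PR#640 is the kind of thing to check) is flagged as unreachable.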
Multiple CRLs with same CA
Hello there,

Does mod_ssl support having multiple CRLs for 1 CA? It seems it doesn't, and that's very annoying in my situation. I'm using Entrust PKI software which splits the CRL list when it reaches a defined size (for scalability). mod_ssl seems to check only the first CRL and doesn't care about the others, which means that users with revoked certificates can use them...

Regards,
Alec

Alec Barea
PKI engineering team
Equant
Tel: +1 514 847-3436
CVS: 225 3436
Re: Multiple CRLs with same CA
On Tue, Dec 11, 2001 at 05:32:42PM -0500, [EMAIL PROTECTED] wrote:
> Hello there,
>
> Does mod_ssl support having multiple CRLs for 1 CA? It seems it doesn't, and that's very annoying in my situation. I'm using Entrust PKI software which splits the CRL list when it reaches a defined size (for scalability). mod_ssl seems to check only the first CRL and doesn't care about the others, which means that users with revoked certificates can use them...

Hmmm - perhaps you could use mod_authz_ldap - AFAICT it should be a usable solution in an Entrust setup.

vh

Mads Toftum
--
With a rubber duck, one's never alone.
  -- The Hitchhiker's Guide to the Galaxy
Re: Multiple CRLs with same CA
Hello Mads,

Thanks for your answer. I took a look at the web page of mod_authz_ldap but couldn't figure out how it could help me; can you explain your thoughts a bit more?

Regards,
Alec

From: Mads Toftum [EMAIL PROTECTED] on 11 December 2001 23:45:53
To: [EMAIL PROTECTED]
Subject: Re: Multiple CRLs with same CA

On Tue, Dec 11, 2001 at 05:32:42PM -0500, [EMAIL PROTECTED] wrote:
> Hello there,
>
> Does mod_ssl support having multiple CRLs for 1 CA? It seems it doesn't, and that's very annoying in my situation. I'm using Entrust PKI software which splits the CRL list when it reaches a defined size (for scalability). mod_ssl seems to check only the first CRL and doesn't care about the others, which means that users with revoked certificates can use them...

Hmmm - perhaps you could use mod_authz_ldap - AFAICT it should be a usable solution in an Entrust setup.

vh

Mads Toftum
--
With a rubber duck, one's never alone.
  -- The Hitchhiker's Guide to the Galaxy

Alec Barea
PKI engineering team
Equant
Tel: +1 514 847-3436
CVS: 225 3436
RE: SSL Problem
Hi all,

We are also using the same app. server and experiencing similar problems. I looked at some of the mailing list documents / mod_ssl FAQ and changed the configuration files, but it's of no use. Is there any workaround, or does anyone know which browsers are causing this (so that I can tell the users not to use them)?

Thanks,
Rajidhar Etta
eComServer, Inc
770.750.6594 (Till Friday)
609.203.3697 (Cell)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Waleed Shaalan
Sent: Monday, December 10, 2001 5:33 PM
To: [EMAIL PROTECTED]
Subject: SSL Problem

Dear sir,

I installed 9iAS, which is Apache web server based, using mod_ssl and mod_jserv. I have a problem in my application: some clients using IE version 5.5 who access the login page (https://www.application.com/login.jsp), which uses the HTTPS protocol, get a "Page cannot be displayed" error, though many other clients can view this page without any problem. This problem appears as a random problem because the same user who faces this problem can view this page sometimes, and others can never view this page at all. I want to know what the problem is. Is there a bug which makes this random behaviour for the IE clients?

Eng. Waleed Shaalan
Senior Developer
Mega For Software Development
Subsidiary of RAYA Holding
make certificate Doesn't Work, Apache 2.0.28, Unix, and mod_ssl
Hi Group:

I want to create a dummy self-signed certificate. Despite the Apache documentation, "make certificate" in the top-level source directory doesn't work. There's no "certificate:" target in the Makefile. Obviously once I have things working I'll be off to Verisign or Thawte for a real cert.

I am working with Apache 2.0.28 under FreeBSD. I tried searching the list archive for this problem with no luck.

Any info appreciated, TIA.

Kevin

---
Kevin McQuiggin VE7ZD
[EMAIL PROTECTED]
Re: Win32 mod_ssl runs on one Win2000 box but not on another..
The problem wasn't really with Apache or mod_ssl but with OpenSSL. The DLLs were compiled with assembly code (ms\do_masm). This apparently ran differently on the other Win2000 machine and caused it to crash. When I compiled OpenSSL by only using the C compiler (ms\do_ms) it works fine.

Hope this helps someone else out. It cost me a few days.

Patrick

----- Original Message -----
From: Patrick Willart [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, December 08, 2001 7:27 PM
Subject: Win32 mod_ssl runs on one Win2000 box but not on another..

The compiled version of Apache/1.3.22 (Win32) mod_ssl/2.8.5 OpenSSL/0.9b PHP4.0.6 is running stable on my development machine. When moving it to my production environment Apache stops without showing any error. It doesn't produce the error.log file. The only thing I get is these four errors in the ssl.log file.

    [08/Dec/2001 19:18:00 01464] [info] Server: Apache/1.3.22, Interface: mod_ssl/2.8.5, Library: OpenSSL/0.9.6b
    [08/Dec/2001 19:18:00 01464] [warn] You are using mod_ssl under Win32. This combination is *NOT* officially supported. Use it at your own risk!
    [08/Dec/2001 19:18:00 01464] [info] Init: 1st startup round (still not detached)
    [08/Dec/2001 19:18:00 01464] [info] Init: Initializing OpenSSL library
    [08/Dec/2001 19:18:00 01464] [info] Init: Loading certificate private key of SSL-aware server www.myserver.com:443

I thought I had conquered all possible problems (KeepAlive Off - to work around the multithreading problem - and the OpenSSL DLLs in the PATH) but apparently not.

Patrick
Re: SSL Problem
Waleed

I had this problem with iAS, and I turned off EXPORT ciphers and HTTP/1.1 keepalive (http://www.modssl.org/docs/2.8/ssl_faq.html#io-ie), which fixed it. I think that the default Oracle iAS httpd.conf is not as good as the standard Apache httpd.conf.

Mikey

Waleed Shaalan [EMAIL PROTECTED] on 10/12/2001 22:32:55
Please respond to [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
cc: (bcc: Mike Innes/Virgin Direct/GB)
Subject: SSL Problem

Dear sir,

I installed 9iAS, which is Apache web server based, using mod_ssl and mod_jserv. I have a problem in my application: some clients using IE version 5.5 who access the login page (https://www.application.com/login.jsp), which uses the HTTPS protocol, get a "Page cannot be displayed" error, though many other clients can view this page without any problem. This problem appears as a random problem because the same user who faces this problem can view this page sometimes, and others can never view this page at all. I want to know what the problem is. Is there a bug which makes this random behaviour for the IE clients?

Eng. Waleed Shaalan
Senior Developer
Mega For Software Development
Subsidiary of RAYA Holding
[BugDB] Wasteful use of /dev/urandom (PR#642)
Full_Name: Charles Jardine
Version: 2.8.4
OS: Solaris 8
Submission from: (NULL) (131.111.8.103)

While trussing my Apache to trace another problem, I noticed reads of 8k bytes from /dev/urandom. My configuration has

    SSLRandomSeed connect file:/dev/urandom 32

so I was hoping for reads of 32 bytes. The cause of the profligate use of /dev/urandom is stdio read-ahead. The code is using fread to read 32 bytes, but fread is buffered, and 8k bytes are read.

I have tested the following patch. It fixes the problem, but at the expense of single-byte reads.

*** ssl_engine_rand.c.orig Mon Jan 1 10:48:58 2001 --- ssl_engine_rand.c Tue Dec 11 15:58:03 2001 *** *** 102,107 --- 102,108 */ if ((fp = ap_pfopen(p, pRandSeed-cpPath, r)) == NULL) continue; + setbuf(fp, NULL); nDone += ssl_rand_feedfp(p, fp, pRandSeed-nBytes); ap_pfclose(p, fp); }
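Review bot: the added setbuf(fp, NULL) sits in the right place, directly after ap_pfopen() and before the first read, since a stream's buffering mode has to be set before any I/O on it, but it trades one 8k read-ahead for the single-byte reads the report already concedes: on Solaris stdio that is one read(2) per byte of seed, and what an unbuffered fread does is libc-specific (glibc issues a single read(2) for the whole request). If the extra syscalls matter, the alternative is to have ssl_rand_feedfp read exactly the nBytes count it is already given with read(2) on fileno(fp) instead of fread, which avoids both the read-ahead and the per-byte calls. Either way the hunk deserves a one-line comment saying why buffering is disabled, otherwise the next reader will be tempted to drop it.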
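The stdio read-ahead the report describes, as an added demonstration that is not mod_ssl code: a constructed 16 KiB regular file stands in for /dev/urandom so that lseek() can show how far the descriptor moved after a 32-byte seed request made with a buffered fread (what ssl_rand_feedfp relies on), with the unbuffered stream the patch produces, and with a plain read(2) of exactly the requested count.

```c
/* Added example, not mod_ssl code: how many bytes a 32-byte seed request really
 * pulls from the fd, using a constructed 16 KiB file in place of /dev/urandom. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum { STDIO_BUFFERED, STDIO_UNBUFFERED, RAW_READ };
static int make_sample(char *path) {   /* deterministic stand-in content, not random */
    static unsigned char data[16384];
    for (size_t i = 0; i < sizeof data; i++) data[i] = (unsigned char)(i * 131 + 7);
    strcpy(path, "/tmp/urandom-demo-XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, sizeof data);
    close(fd);
    return n == (ssize_t)sizeof data ? 0 : -1;
}

/* Consume `nbytes` of seed the given way and return the fd offset afterwards,
 * i.e. how much the kernel actually handed out (-1 on error). */
static off_t feed(const char *path, size_t nbytes, int mode) {
    unsigned char buf[64];
    size_t got = 0;
    off_t pos = -1;
    if (mode == RAW_READ) {            /* read(2) of exactly nbytes, no stdio at all */
        int fd = open(path, O_RDONLY);
        if (fd < 0) return -1;
        while (got < nbytes) {
            ssize_t n = read(fd, buf + got, nbytes - got);
            if (n <= 0) break;
            got += (size_t)n;
        }
        if (got == nbytes) pos = lseek(fd, 0, SEEK_CUR);
        close(fd);
        return pos;
    }
    FILE *fp = fopen(path, "r");
    if (fp == NULL) return -1;
    if (mode == STDIO_UNBUFFERED)
        setvbuf(fp, NULL, _IONBF, 0);  /* same effect as the patch's setbuf(fp, NULL) */
    got = fread(buf, 1, nbytes, fp);   /* the buffered call ssl_rand_feedfp relies on */
    if (got == nbytes) pos = lseek(fileno(fp), 0, SEEK_CUR);
    fclose(fp);
    return pos;
}

off_t bytes_consumed(int mode, size_t nbytes) {   /* build sample, feed from it, clean up */
    char path[64];
    if (nbytes > 64 || make_sample(path) != 0) return -1;
    off_t pos = feed(path, nbytes, mode);
    unlink(path);
    return pos;
}
```

Call bytes_consumed(STDIO_BUFFERED, 32) and the other two modes from a main(): the buffered figure is the stdio buffer size (typically 4096 on glibc, the 8k the report saw on Solaris), while the unbuffered and raw figures are 32.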
[BugDB] graceful needed after CRL update? (PR#641)
Full_Name: robert joop
Version: 2.8.0
OS:
Submission from: (NULL) (193.175.135.28)

On an apache 1.3.17 with mod_ssl 2.8.0, I installed new CRLs and called make in the ssl.crl directory, but even days later it still considers the CRLs as expired (which they aren't). Is it necessary to restart the apache (graceful seems to be sufficient)? I didn't find this documented anywhere nor addressed in the bug database.

BTW, I think bug #6 can be moved from suspended to closed, don't you think?
Question
We just recently upgraded Apache (1.3.19) and Mod_SSL (2.8.1) for one of our dedicated customers who is using secure certificates from Equifax. Soon after the upgrade, 2 of his sites were receiving Root Certificate Warnings, meaning that Equifax's certificates were not being recognized correctly. However, this problem only seems to be occurring on certain browsers, if the browsers themselves do not have 128-bit encryption. But then some of these browsers report a warning and some do not. If you want to look, the sites are https://www.dells.com and https://www.ad-lit.com.

I have already contacted Equifax regarding this problem when it first occurred about 2 weeks ago, but they haven't really been all that helpful in this matter. I asked one of our Development guys here who was the one to do the upgrade on his server, and he said that the upgrade could have caused the problem, but as of yet we are not sure what that may be.

We were wondering if you guys have heard of anything similar occurring to other people. I'm not sure if you guys can help, but if you have any information that may be useful, we would be extremely grateful. Please get back to us at your earliest convenience.

Thank You,
Julian
[EMAIL PROTECTED]
DreamHost.com NewDream.net