Re: Re: Security Checker
Hi,

I was aiming at your second and third area. Good points. One additional topic would be to check for intrusion protection in general with a library of known methods and bugs etc. Since the server is in my case running on Windows environment, the intrusion protection issue feels rather important...

/// Gudmund

-----Original Message-----
From: J. Johnson [mailto:[EMAIL PROTECTED]]
Sent: 11 December 2001 07:43
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Security Checker?

> Did you have some particular kind of security check in mind, or were you interested in security overall? For security overall (and security does have to be done over all) there is excellent material on the Internet. Start with CERT or CIAC. For Web specific security see 'http://www.w3.org/Security/FAQ' for "The WWW Security FAQ".
>
> More specifically, it would be nice to have a script that would read the httpd.conf file to figure out where all the components exist, then go through and check ownerships and permissions to see that CGI files weren't world writeable, etc. Probably would need to specify some kind or level of security policy. Has anyone tried anything like that?
>
> === JJ =
>
> On 10 Dec 2001 [EMAIL PROTECTED] wrote:
>
> > Hi,
> >
> > Does anyone know if there is any way of running a security check (locally) on an Apache server with mod_ssl? I am perhaps a bit too paranoid but I use the Win32 port and I have respect for this environment.. Perhaps there exists a tool that can be run locally that performs some basic tests?
> >
> > Regards
> > Gudmund B

__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
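A minimal version of the checker JJ sketches above (read httpd.conf, find the paths it names, flag anything world-writable and a private key readable by others), added here as an example; it is not code from the thread or from mod_ssl. The httpd.conf fragment and its paths are constructed, and demo() builds a throwaway cgi-bin directory to audit:

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed httpd.conf fragment with hypothetical paths (not from the thread).
SAMPLE_CONF = '''
DocumentRoot "/usr/local/apache/htdocs"
ScriptAlias /cgi-bin/ "/usr/local/apache/cgi-bin/"
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
'''

# Directive -> permission bits that must NOT be set on the path it names.
# Web content and CGI must not be world-writable; the key is owner-only.
POLICY = {
    "DocumentRoot": stat.S_IWOTH,
    "ScriptAlias": stat.S_IWOTH,
    "SSLCertificateKeyFile": stat.S_IRWXG | stat.S_IRWXO,
}

def extract_paths(conf_text):
    """Return (directive, path) pairs for every audited directive in conf_text."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.replace('"', "").split()
        if tokens[0] in POLICY:
            found.append((tokens[0], tokens[-1]))   # last token is the filesystem path
    return found

def check_path(directive, path):
    """Return policy findings for path; directories are walked recursively."""
    forbidden = POLICY[directive]
    p = Path(path)
    if not p.exists():
        return [f"{directive}: {path} does not exist"]
    targets = [p] + (list(p.rglob("*")) if p.is_dir() else [])
    return [f"{directive}: {t} mode {oct(t.stat().st_mode & 0o777)} violates policy"
            for t in targets if t.stat().st_mode & forbidden]

def demo():
    """Build a throwaway cgi-bin with one world-writable script and audit it."""
    cgi_dir = Path(tempfile.mkdtemp())           # created mode 0700, so not flagged
    (cgi_dir / "ok.cgi").write_text("#!/bin/sh\n")
    os.chmod(cgi_dir / "ok.cgi", 0o755)
    (cgi_dir / "bad.cgi").write_text("#!/bin/sh\n")
    os.chmod(cgi_dir / "bad.cgi", 0o777)         # world-writable: must be flagged
    return check_path("ScriptAlias", str(cgi_dir))
```

Running the real thing means feeding the server's own httpd.conf to extract_paths() and calling check_path() on each pair; only bad.cgi shows up in demo()'s findings.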
Re: [BugDB] graceful needed after CRL update? (PR#641)
[EMAIL PROTECTED] wrote:
> Full_Name: robert joop
> Version: 2.8.0
> OS:
> Submission from: (NULL) (193.175.135.28)
>
> On an apache 1.3.17 with mod_ssl 2.8.0, I installed new CRLs, called make in the ssl.crl directory, but even days later, it still considers the CRLs as expired (which they aren't). Is it necessary to restart the apache (graceful seems to be sufficient)?

By experience, I find that a graceful isn't sufficient to reload a cert and that you need a full restart.

Rgds,
Owen Boyle.
[no subject]
Hello Rich,

Do you have more information about OCSP? Do you think it could solve my problem?

Regards,
Alec

> No, openssl does not yet support the (infinite:) ways to split CRL's that Entrust likes. OCSP is simpler. :)
>
> /r$
> --
> Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
> http://www.zolera.com

Alec Barea
PKI engineering team
Equant
Tel: +1 514 847-3436
CVS: 225 3436
RE: Question
This doesn't seem to be a mod_ssl question as such. What I suspect is the older browsers don't have the root certificate for Equifax installed. I am guessing that you are referring to IE, since Netscape has had 128bit support since 4.67 (IIRC). In the case of IE, check out Tools/Internet Options/Content/Certificates and click the Trusted Root Certification Authorities. If Equifax isn't listed, then that is your problem.

-
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

More people die each day of AIDS than died in the terrorist attacks on September 11th 2001.

-----Original Message-----
From: Juce [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2001 02:34
To: [EMAIL PROTECTED]
Subject: Question

> We just recently upgraded Apache (1.3.19) and Mod_SSL (2.8.1) for one of our dedicated customers who is using secure certificates from Equifax. Soon after the upgrade 2 of his sites were receiving Root Certificate Warnings meaning that Equifax's certificates were not being recognized correctly. However, this problem only seems to be occurring on certain browsers if the browsers themselves do not have 128 bit encryption. But then some of these browsers report a warning and some do not. If you want to look, the sites are https://www.dells.com and https://www.ad-lit.com.
>
> I have already contacted Equifax regarding this problem when it first occurred about 2 weeks ago, but they haven't really been all that helpful in this matter. I asked one of our Development guys here who was the one to do the upgrade on his server and he said that the upgrade could have caused the problem but as of yet we are not sure what that may be yet. We were wondering if you guys have heard of anything similar occur to other people. I'm not sure if you guys can help, but if you have any information that may be useful, we would be extremely grateful.
>
> Please get back to us at your earliest convenience.
>
> Thank You,
> Julian
> [EMAIL PROTECTED]
> DreamHost.com
> NewDream.net
Re: Multiple CRLs with same CA
No, openssl does not yet support the (infinite:) ways to split CRL's that Entrust likes. OCSP is simpler. :)

/r$
--
Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
http://www.zolera.com
Re:
Hello Rich,

Thanks for the tip.

Alec

From Rich Salz [EMAIL PROTECTED] on 12 December 2001 9:46:13
To: [EMAIL PROTECTED]
Copy To: [EMAIL PROTECTED]
Subject: Re:

> Using OCSP transfers the complexity of CRL processing from all clients to a few servers. Entrust believes in CRLs :), so I don't think they have an OCSP responder. You'd need to find one that understood the various CRL extensions used by Entrust. (Or implement it yourself for your clients, of course.)
>
> As for how to find such a product, I would post a brief note on the IETF PKIX mailing list asking for pointers to a product that can handle the various Entrust CRLs.
>
> /r$
> --
> Zolera Systems, Your Key to Online Integrity
> Securing Web services: XML, SOAP, Dig-sig, Encryption
> http://www.zolera.com

Alec Barea
PKI engineering team
Equant
Tel: +1 514 847-3436
CVS: 225 3436
mutex warnings
Hi Group

I'm running the following:

Apache/1.3.22 (Win32) mod_jk/1.1.0 tomcat/1.0 mod_ssl/2.8.5 OpenSSL/0.9.6b

with the standard settings for win32. Everything is fine with this, except that I get a lot (up to 7 per second) of warnings:

[10/Dez/2001 09:23:45 00393] [warn] Failed to release global mutex lock

Could anybody explain what this means, and if there's anything that can be done about it - besides setting log level to error ;-)

thanks
Michael
Re: Re: (Virus Alert)
This is an automatic response to a message received from your address:

An e-mail received from your account (see To: field) matches the signature of a known virus. Your message has been placed in a quarantine area.

IT IS POSSIBLE THIS MESSAGE WAS SENT WITHOUT YOUR KNOWLEDGE

It is also possible that your e-mail address was faked and that the message did not originate from your account. If this is the case please ignore this auto-reply.

If your message was not generated by the virus, please
» re-send without the word 'Homepage' in the subject line or
» re-send with a subject which contains more than just 'Re:'
» let me know and I'll retrieve the message from the quarantine area.

Regards,
Chr!s
- - - - - -
Chris Cooper [EMAIL PROTECTED]
Student Service Centre [EMAIL PROTECTED]
Edith Cowan University http://www.ecu.edu.au/
Pearson Street Tel: +61 8 9273 8652
Churchlands Fax: +61 8 9273 8000
- - - - - -
Re: Multiple CRLs with same CA
Hi everyone.

I was chatting with an Entrust engineer yesterday about partitioned CRLs (this is where you can break it down by something such as size). The only CA that currently does this to my knowledge is Entrust. I agree with Rich Salz's response. OCSP is a great way to go (and, Valicert offers an Apache plug-in). :-)

Lorrayne
Re: Multiple CRLs with same CA
Hello Lorrayne,

Thanks for your input. By any chance, do you know if I can use OCSP with an Entrust CA (instead of CRLs)?

Regards,
Alec

From Schaefer,Lorrayne J. [EMAIL PROTECTED] on 12 December 2001 9:07:02
To: [EMAIL PROTECTED]
Copy To: [EMAIL PROTECTED]
Subject: Re: Multiple CRLs with same CA

> (quoted in full in the message "Re: Multiple CRLs with same CA" from Lorrayne above)

Alec Barea
PKI engineering team
Equant
Tel: +1 514 847-3436
CVS: 225 3436
Re: make certificate Doesn't Work, Apache 2.0.28, Unix, and mod_ssl
On Wed, 12 Dec 2001, Cliff Woolley wrote:

> On Tue, 11 Dec 2001, Kevin McQuiggin wrote:
>
> > I want to create a dummy self-signed certificate. Despite the Apache documentation, make certificate in the top-level source directory doesn't work. There's no certificate: target in the Makefile.
>
> This was not present in the 2.0.28 beta, but it or an equivalent should be present in 2.0 final when it is released (it might even be in the next beta, but it hasn't been checked into CVS yet).

Whoops, a little bad information there. My fault. I had forgotten that `make certificate` was a thing to generate a _test_ certificate (Snake Oil), not a real certificate. To generate a real CSR under Apache 2.0.28 is the same as in Apache 1.3, because you do it all with OpenSSL directly. See http://www.modssl.org/docs/2.8/ssl_faq.html#cert-real .

Thanks,
Cliff

PS: I checked with the group, and it looks like `make certificate` is _unlikely_ to be in Apache 2.0 final because we're trying to get rid of test pages (ie It Worked!) and test certificates and the like because they are very confusing to end users.
Re: Multiple CRLs with same CA
Does Valicert support the various Entrust CRL extensions and partitioning? If not, then they're useless for this problem.

/r$
--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
Re: Security Checker
I too am interested in this topic. Is there anything out there that does these kinds of checks? Anyone writing or want to write such a thing? I'd sure be interested in contributing to such a project were it necessary.

Lajos

Gudmund Berggren wrote:
> (quoted in full in the message "Re: Re: Security Checker" above)
Problems with SHMCB session caching
Hi,

With Session Cache size = 7864432 bytes, here's a log that I'm seeing:

[12/Dec/2001 13:36:51 05786] [trace] for 7864424 bytes, recommending 65536 indexes
[12/Dec/2001 13:36:51 05786] [trace] shmcb_init_memory choices follow
[12/Dec/2001 13:36:51 05786] [trace] division_mask = 0x7F
[12/Dec/2001 13:36:51 05786] [trace] division_offset = 52
[12/Dec/2001 13:36:51 05786] [trace] division_size = 61440
[12/Dec/2001 13:36:51 05786] [trace] queue_size = 8
[12/Dec/2001 13:36:51 05786] [trace] index_num = 0
[12/Dec/2001 13:36:51 05786] [trace] index_offset = 8
[12/Dec/2001 13:36:51 05786] [trace] index_size = 12
[12/Dec/2001 13:36:51 05786] [trace] cache_data_offset = 8
[12/Dec/2001 13:36:51 05786] [trace] cache_data_size = 61424
[12/Dec/2001 13:36:51 05786] [trace] leaving shmcb_init_memory()

The INDEX_NUM value is 0! Is this a bug or a feature?.. I think the data structures need another round of verification:

ssl_scache_shmcb.c:

    typedef struct {
        unsigned char index_num;
        ...
    } SHMCBHeader;

    ...

    static BOOL shmcb_init_memory(server_rec *s, void *shm_mem,
                                  unsigned int shm_mem_size)
    {
        ...
        unsigned int temp, loop, granularity;
        ...
        header->index_num = temp;   // WOAH .. HOW DO WE HANDLE OVERFLOWS
        ...
    }

Thx
-Madhu