Re: CA installation

2001-12-21 Thread Owen Boyle

andrew reid wrote:
> 
> Hi, I created a certificate to be used by apache but can't figure out how &
> where to install it. Help please.

You need a cert and a key. When you compiled apache with mod_ssl, and
did "make install", they should have been installed for you. Anyway,
they go in your apache conf dir (e.g. /usr/local/apache/conf) in their
own directories ssl.crt and ssl.key - then you have to point to the key
and cert in httpd.conf: 

SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

Make sure the key and the ssl.key directory are readable ONLY by root -
i.e. permissions 400.

Rgds,

Owen Boyle.
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
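A check for the key-file permissions Owen describes, added here as an example and not part of any list post: it walks a conf/ssl.key directory and reports anything that is not restricted to its owner. The layout (conf/ssl.key/server.key) is the one named above; the demo builds a throwaway directory under the system temp path rather than touching a live Apache install, and the placeholder key it writes is not a real key.

```python
import os
import stat
import tempfile

# Added example (not from the mailing list): a permissions audit for the
# mod_ssl key directory Owen describes. It assumes the layout conf/ssl.key/
# holding the private keys, and flags anything readable or writable by
# group or world, anything not owned by the expected uid, and symlinks.

WORLD_OR_GROUP = stat.S_IRWXG | stat.S_IRWXO


def audit_key_dir(key_dir, expect_uid=0):
    """Return a list of (path, problem) tuples; an empty list means the directory passes."""
    findings = []
    paths = [key_dir] + [os.path.join(key_dir, n) for n in sorted(os.listdir(key_dir))]
    for p in paths:
        st = os.lstat(p)
        if stat.S_ISLNK(st.st_mode):
            findings.append((p, "symlink where a regular file or directory is expected"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & WORLD_OR_GROUP:
            findings.append((p, "mode %o is readable or writable by group/other" % mode))
        if st.st_uid != expect_uid:
            findings.append((p, "owned by uid %d, expected uid %d" % (st.st_uid, expect_uid)))
    return findings


def demo():
    """Build a throwaway ssl.key directory, audit it before and after tightening the modes."""
    root = tempfile.mkdtemp()
    key_dir = os.path.join(root, "ssl.key")
    os.mkdir(key_dir)
    os.chmod(key_dir, 0o755)                      # deliberately too open
    key = os.path.join(key_dir, "server.key")
    with open(key, "w") as f:
        # Constructed placeholder so the file exists; not a real private key.
        f.write("-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(key, 0o644)                          # deliberately too open
    me = os.getuid()                              # the demo is not run as root
    before = audit_key_dir(key_dir, expect_uid=me)
    os.chmod(key_dir, 0o700)                      # the 700/400 Owen asks for
    os.chmod(key, 0o400)
    after = audit_key_dir(key_dir, expect_uid=me)
    return len(before), len(after)


if __name__ == "__main__":
    print("findings before/after tightening:", demo())
```

demo() returns the number of findings before and after the modes are tightened to 700/400. On a live server run audit_key_dir('/usr/local/apache/conf/ssl.key') as root and treat any finding as a reason to replace the key, not just to chmod it: a key that has been world-readable for any length of time has to be assumed copied.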



Re: make certificate

2001-12-21 Thread Owen Boyle

Hong Tian wrote:
> 
> Hi,
> 
> I have installed "make certificate TYPE=custom" during the build of
> mod_ssl-2.8.5-1.3.22 with Apache successfully as the followings:
> 
> # cd ../apache_1.3.22
> # ./config ... --enable-module=ssl
> # make
> # make certificate TYPE=custom
> ...
> 
> After I installed mod_ssl certificate, is there any quick methods to
> change some information of Common Name, Email Address, and Certificate
> Validity days of certificate again?
> 
> Should I change the whole certificate again after making certificate
> if only some items of certificate need to be changed?

Think about it. If you could edit a certificate after it had been
issued, you could change its identity. So you could get a cert from
Verisign for your own site, set up a fake amazon.com site, then edit
your certificate to pretend it was for amazon.com... Or you could extend
your certificate's life after it had expired (Verisign would love
that!).

You cannot edit a certificate once it has been signed; it is a one-way
encryption. The only way is to make a new certificate.

Rgds,

Owen Boyle.



RE: DSO problems

2001-12-21 Thread J. Johnson

On Thu, 20 Dec 2001, Simon Ritchie wrote:

> I don't think you have to go that far. 

No, but the computer does the work, and scrubbing and replacing the entire
distribution takes much less time than trying to find a faster solution.

=== JJ =





invalid request question

2001-12-21 Thread Hernan Salvarezza
Hello all

I am having some problems with mod_ssl, I am getting
"invalid method in request" in my logs when I try to
access the server by using https://localhost.

The module seems to work when I try http://localhost:443.
My Listen directives in httpd.conf are the following:

Listen 443

IfDefine>

thanks in advance

Hernan

problem while giving url HTTPS

2001-12-21 Thread Bineet Suri

hello

myself is bineet and i am developer in osprey software
technology in india actually just recently i have
configured apache v 1.3.22 with mod+ssl and my lynx
browser is 2.8.4 i am able to test through
http://localhost but when i give https://localhost so
it giving me "This client does not contain support for
https urls" i have done all the configuration which
have mentioned in installation file now i am really
helpless so please reply me or send me the appropriate
configuration and required file as soon as possible i
will be very obliged to you

Thanks

Bineet




undefined symbol

2001-12-21 Thread Ulrich Stärk

Hi there. I just compiled mod_ssl 2.8.5 with apache 1.3.22, php4.1.0 and
ApacheJserv 1.2.0, openssl-0.96
Everything works except mod_ssl. I compiled everything statically into my
apache and am getting the following error in the error log:
httpd: error while loading shared libraries: httpd: undefined symbol:
OpenSSL_add_all_ciphers

the same setup but with older versions works perfectly.

Thanks

Uli

P.S.: I also tried the enable-rule=EAPI config for apache.



loading private key? urgent.... please help if you can

2001-12-21 Thread Mike K

Hi all...

Before upgrading, one of my virtual domains (ip based) had SSL setup and was working fine.  The second domain did not work.  The error was odd according to people in IRC support channels, and I was told to upgrade to all of the latest versions.

I did that.

Now when I try to run startssl, I get errors on BOTH virtual domains.

The domain that had once worked produces these errors:

[Mon Dec 17 16:41:46 2001] [error] mod_ssl: Init: (.com:443) Unable to configure RSA server private key (OpenSSL library error follows)
[Mon Dec 17 16:41:46 2001] [error] OpenSSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

The domain2, that I couldn't get to work before the upgrade, produces these errors:

[Mon Dec 17 16:45:43 2001] [error] mod_ssl: Init: Private key not found (OpenSSL library error follows)
[Mon Dec 17 16:45:43 2001] [error] OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long

-

For domain1, I tried to check the md5's of each of the key and crt...

The md5 for the crt shows up fine.  When I try to get the md5 for the .key, I get this error:

# openssl rsa -noout -modulus -in server.key | openssl md5
read RSA key
unable to load key
d41d8cd98f00b204e9800998ecf8427e

I get this same "unable to load key" error for any key I try to get the md5 checksum for.

Any help in getting both of my virtual domains (the two that need SSL) working is greatly appreciated.

Thanks.

-Mike

PS:  Here is the Virtual Server entry from httpd.conf for domain2... domain1 has the exact same (but updated ip and paths)

NamevirtualHost xxx.xxx.xxx.44:443
SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateKeyFile /www/conf/ssl.key/domain2_server.key
SSLCertificateFile /www/conf/ssl.crt/domain2.com.crt
DocumentRoot /home/hosting/domain2.com/public_html
ServerName domain2.com
CustomLog /www/logs/domain2.com combined
ErrorLog /www/logs/domain2_error_log
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars



Re: hi

2001-12-21 Thread Franck Martin

There is an SSL Certificates HOWTO on www.linuxdoc.org which explains the whole process. If you have problems then let me know so I can improve the HOWTO.

Cheers

Franck

On Mon, 2001-12-17 at 09:29, Geoff Thorpe wrote:

Hi there,

This *really* should be on modssl-users ... please take any further 
questions and discussion there. This list is for users of OpenSSL. Your 
problem and any solutions to it are specific to modssl.

I am on modssl-users too - so if you are not already subscribed, please do 
so, and reply to this post on that list (if you wish to reply that is). I 
have CC'd that list for your convenience.

Re: loading private key? urgent...please help!

2001-12-21 Thread David Orman

I'm having the same trouble, same versions of the daemons/openssl/modssl,
I'm using FreeBSD ports collection to install apache/modssl, openssl comes
as part of the FreeBSD install. My FreeBSD install is sync'd with the -
STABLE source as of yesterday, and apache was rebuilt as such. The port
i'm using is "apache13-modssl". Ports collection sync'd as of today. Exact
same error as you, creating my certs using the methods both the port
offers and from various FAQ sites. I don't  have any commercial certs to
test with. I have no clue on a solution, and web searches have turned up
nothing. Just wanted to post so people (and you) knew it was not just a
problem that you experienced, I am also experiencing it as well.

Cheers.




IE6 Base ca-bundle

2001-12-21 Thread m . brulisauer
I have uploaded an IE6-based new ca-bundle.crt
containing all root certs.


http://www.modssl.org/contrib/ca-bundle.crt.tar.gz


With Kind Regards,


Martin Brülisauer
Systime Informatik AG
Engineering & Support
Bruggacherstrasse 26
CH-8117 Fällanden
Phone: +411-806-8650
Fax: +411-806-8622
http://www.systime.ch/





Re: Cipher suit problem

2001-12-21 Thread Götz Babin-Ebell

Patrick Li wrote:

Hello Patrick,

> Looks like openssl doesn't like the "!" operation even though the openssl
> man page said "!" is supported.
> http://www.openssl.org/docs/apps/ciphers.html#
> 
> oscar% openssl ciphers -v ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> ADH: Event not found

Please read the manual for your shell.

Your shell interprets the command line and finds the "!".

If you retry the command line with single quotes, you will get
the expected results:

> ./openssl ciphers -v 'ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
DHE-DSS-RC4-SHA SSLv3 Kx=DH   Au=DSS  Enc=RC4(128)  Mac=SHA1
[...]

Bye

Goetz

-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0,  Fax: +49-(0)40 80 80 26 -126




[BugDB] SSL handshake error (PR#647)

2001-12-21 Thread modssl-bugdb

Full_Name: Tom Watson
Version: 2.5.1
OS: Solaris 2.8
Submission from: (NULL) (152.135.230.4)


The following message is continuously being written to the error_log (approx.
every second) 

[Tue Dec 18 13:41:26 2001] [error] mod_ssl: SSL handshake interrupted by system
[Hint: Stop button pressed in browser?!] (System error follows)
[Tue Dec 18 13:41:26 2001] [error] System: Connection reset by peer (errno:
131)

What is wrong here? The web app still works.




Change certificate

2001-12-21 Thread Hong Tian

I installed mod_ssl X.509 certificate signing request for Apache server
already.

Is there anyway to change information of Common Name, Email Address,
and Certificate Validity days of certificate?

Thanks.



Re: hi

2001-12-21 Thread Geoff Thorpe

Hi there,

This *really* should be on modssl-users ... please take any further 
questions and discussion there. This list is for users of OpenSSL. Your 
problem and any solutions to it are specific to modssl.

I am on modssl-users too - so if you are not already subscribed, please do 
so, and reply to this post on that list (if you wish to reply that is). I 
have CC'd that list for your convenience.

[snip]

> /usr/local/apache/logs/error_log contains the following two lines
>
>
> [Mon Dec 17 14:39:17 2001] [error] mod_ssl: Init: (192.168.1.98:443)
> Unable to configure RSA server private key (OpenSSL library error
> follows) [Mon Dec 17 14:39:17 2001] [error] OpenSSL: error:0B080074:x509
> certificate routines:X509_check_private_key:key values mismatch

Look at the "OpenSSL library error";
- the area of code is "x509 certificate routines",
- the specific function is "X509_check_private_key"
- the reason is "key values mismatch".

It looks like the certificate you've specified and the private key you've 
specified don't match one another. That's why the certificate code 
("x509"), when checking the private key ("X509_check_private_key"), found a 
mismatch.

> i could not make out anything from these

then you didn't read them. The line before the one I dissected also 
mentioned "Unable to configure RSA server private key". This suggests of 
course that it was in the midst of trying to "configure the RSA private 
key" when it failed. Moving on to that second line - it clearly suggests 
that the *reason* the private key was rejected was because it did not match 
up with the provided certificate.

Cheers,
Geoff
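Geoff's reading of the error line can be automated. The following is an added example, not code from the list or from mod_ssl, that pulls apart mod_ssl's `[error] OpenSSL: error:...` lines, including the run-together form in Mike K's "loading private key?" post earlier on this page, and decodes the hex code with OpenSSL's legacy packing (library number in the top byte, function and reason in twelve bits each). The sample lines are copied from those two posts; the library-number table is from OpenSSL's err.h, and the next-step hints are my own triage guidance, not something the list said.

```python
import re

# Added example, not from the list or from mod_ssl. It does by program what
# Geoff does by eye: split an "OpenSSL library error" line into library,
# function and reason, and decode the hex code with OpenSSL's legacy packing
#   code = (lib << 24) | (func << 12) | reason
# Assumed: mod_ssl's "[timestamp] [error] OpenSSL: error:CODE:lib:func:reason" layout.

OPENSSL_ERR = re.compile(
    r"\[error\] OpenSSL: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^\[]*)"
)

# Library numbers from OpenSSL's err.h for the two libraries seen on this page.
ERR_LIB_NAMES = {0x0B: "ERR_LIB_X509", 0x0D: "ERR_LIB_ASN1"}

# Triage hints (my own, not from the list), keyed on the failing function.
NEXT_STEP = {
    "X509_check_private_key": "SSLCertificateFile and SSLCertificateKeyFile do not belong "
        "together: `openssl x509 -noout -modulus -in server.crt` and "
        "`openssl rsa -noout -modulus -in server.key` must print the same modulus.",
    "ASN1_get_object": "the file named as the key could not be parsed at all (empty, "
        "truncated, or not PEM/DER): check the SSLCertificateKeyFile path and contents.",
}


def dissect(line):
    """Return the decoded error as a dict, or None when the line is not an OpenSSL error line."""
    m = OPENSSL_ERR.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)
    func = m.group("func").strip()
    return {
        "code": code,
        "lib_num": code >> 24,
        "lib_name": ERR_LIB_NAMES.get(code >> 24, "unknown"),
        "func_num": (code >> 12) & 0xFFF,
        "reason_num": code & 0xFFF,
        "lib": m.group("lib").strip(),
        "func": func,
        "reason": m.group("reason").strip(),
        "next_step": NEXT_STEP.get(func, "look the function and reason up in the OpenSSL sources"),
    }


# Constructed from the lines quoted in Geoff's and Mike K's posts; the second
# keeps the run-together form in which Mike's mail client delivered it, and
# the third is the mod_ssl line that precedes the OpenSSL line (no code in it).
SAMPLE_LINES = [
    "[Mon Dec 17 14:39:17 2001] [error] OpenSSL: error:0B080074:x509 "
    "certificate routines:X509_check_private_key:key values mismatch",
    "[Mon Dec 17 16:45:43 2001] [error] mod_ssl: Init: Private key not found "
    "(OpenSSL library error follows)[Mon Dec 17 16:45:43 2001] [error] OpenSSL: "
    "error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long",
    "[Mon Dec 17 14:39:17 2001] [error] mod_ssl: Init: (192.168.1.98:443) "
    "Unable to configure RSA server private key (OpenSSL library error follows)",
]


def triage(lines):
    """Decode every OpenSSL error line in a log excerpt; lines without a code are skipped."""
    return [d for d in (dissect(l) for l in lines) if d is not None]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LINES):
        print("%(lib_name)s func=%(func)s (%(func_num)d) reason=%(reason)s (%(reason_num)d)" % entry)
        print("  next:", entry["next_step"])
```

One caveat for the modulus comparison in the X509_check_private_key hint: in Mike's transcript the digest printed after "unable to load key" is d41d8cd98f00b204e9800998ecf8427e, which is the MD5 of empty input. `openssl rsa` failed and piped nothing into `openssl md5`, so that value says nothing about the key and cannot be compared with the certificate's modulus digest; the key file itself has to be readable and parseable first.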



make certificate

2001-12-21 Thread Hong Tian

Hi,

I have done "make certificate TYPE=custom" during compiling.

I hope to know what the correct procedure is if I want to change the PEM pass
phrase and other information to get a new RSA certificate. Should I 
run "make certificate TYPE=custom" again, or should I uninstall or delete the 
keys and use the "openssl" command to create the new certificate?

Which is the better way to create new certificate: using "make certificate
TYPE=custom" during compiling or using command "openssl" later?

Thanks.



[BugDB] Can't load mod_ssl module (PR#649)

2001-12-21 Thread modssl-bugdb

Full_Name: Franck Beulé
Version: 2.8.5
OS: WinNT4
Submission from: (NULL) (194.2.208.236)


I have some trouble with the installation of SSL on apache.

I downloaded and installed the files :
apache_1.3.22-win32-x86.exe
Apache_1.3.22-Mod_SSL_2.8.5-OpenSSL_0.9.6b-WIN32.zip

following exactly the instructions on the How-To page given in the second file.

When I start my server, I obtain :
Syntax Error on line 196 of c:/program files/apache/conf/httpd.conf:
Cannot load c:/program files/apache/modules/mod_ssl.so into server: <126> Le module spécifié est introuvable:

I checked the file. Definitely, it's here ! on the right directory !!!

I checked the log files, nothing more is given, even if LogLevel is set to
Debug.

Can you help me a little to identify the bug ???

Thank you.



Re: problem while giving url HTTPS

2001-12-21 Thread Owen Boyle

Bineet Suri wrote:
> 
> hello
> 
> myself is bineet and i am developer in osprey software
> technology in india actually just recently i have
> configured apache v 1.3.22 with mod+ssl and my lynx
> browser is 2.8.4 i am able to test through
> http://localhost but when i give https://localhost so
> it giving me "This client does not contain support for
> https urls" 

Hi Bineet,

The problem is in your browser (lynx). The message is very clear: "This
client does not contain support for https urls" - it means lynx does not
know how to make an HTTPS request (as opposed to an HTTP request).

The HTTPS protocol is quite different from HTTP - you need a browser
which can support it. I don't know much about lynx, maybe you can get a
module or something to extend its functionality. If not, why not try
Opera or Netscape which have SSL support built-in.

Rgds,

Owen Boyle.



Help with Certificates

2001-12-21 Thread lucmartineau

Hello Everyone
I need to create the key for my secure server
I am just starting out with SSL so do not want to pay verisign yet later
yes but now right now
I am reading a decent webpage that tells you how to do it but there are a
few paragraphs that I don't understand.
Here is the website.

**begin paste*
How can I create and use my own Certificate Authority (CA)?[L] 
The short answer is to use the CA.sh or CA.pl script provided by OpenSSL. 
The long and manual answer is this: 


Create a RSA private key for your CA (will be Triple-DES encrypted and
PEM formatted): 
$ openssl genrsa -des3 -out ca.key 1024 

Please backup this ca.key file and remember the pass-phrase you currently 
entered at a secure location. You can see the details of this RSA private 
key via the command 

$ openssl rsa -noout -text -in ca.key 

And you can create a decrypted PEM version (not recommended) of this
private key via: 

$ openssl rsa -in ca.key -out ca.key.unsecure 


Create a self-signed CA Certificate (X509 structure) with the RSA key of
the CA (output will be PEM formatted): 
$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt 

You can see the details of this Certificate via the command: 

$ openssl x509 -noout -text -in ca.crt 


Prepare a script for signing which is needed because the ``openssl ca''
command has some strange requirements and the default OpenSSL config
doesn't allow one easily to use ``openssl ca'' directly. So a script
named sign.sh is distributed with the mod_ssl distribution (subdir
pkg.contrib/). Use this script for signing. 

Now you can use this CA to sign server CSR's in order to create real SSL
Certificates for use inside an Apache webserver (assuming you already
have a server.csr at hand): 
$ ./sign.sh server.csr 

This signs the server CSR and results in a server.crt file. 
*end paste*

I don't understand what they mean about preparing a script for signing.

Can someone help me create my first certificates?


thank you so much.


Luc



Re: OpenSSL I/O error causing "Page cannot be displayed" in browser

2001-12-21 Thread Robin P. Blanchard

Here is the combination that did the trick for us:

SSLSessionCache shmcb:/usr/local/apache/logs/ssl_scache(1024000)
SSLSessionCacheTimeout  600
SSLCipherSuite 
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SetEnvIf ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0



Aaron Gee wrote:
> 
> We tried that also. Below is a short list of the combinations and variations
> we have tried
> Notice some lines from the conf file do the same as others,  just trying all
> possibilities
> the comments (#) in front are my addition. I have tried almost every
> iteration of the following
> to get SOMETHING to work.
> 
> Tried all of the following.
> 
> #SSLProtocol SSLv2
> #SSLProtocol all -SSLv3
> #SSLProtocol all
> #SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> 
> Tried both of these:
> 
> #SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> #SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> downgrade-1.0 force-response-1.0
> 
> Also tried these in various combinations with above:
> 
> #SSLSessionCachenone
> #SSLSessionCacheshmht:logs/ssl_scache(512000)
> #SSLSessionCacheshmcb:logs/ssl_scache(512000)
> #SSLSessionCache shm:logs/ssl_scache(512000)
> #SSLSessionCacheshmht:logs/ssl_scache
> #SSLSessionCacheshmcb:logs/ssl_scache
> #SSLSessionCache shm:logs/ssl_scache
> #SSLSessionCacheTimeout  300
> #SSLMutex  file:logs/ssl_mutex
> 
> AG
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Bryan Field-Elliot
> Sent: Tuesday, December 18, 2001 12:57
> To: [EMAIL PROTECTED]
> Subject: RE: OpenSSL I/O error causing "Page cannot be displayed" in browser
> 
> Sorry you already gave up, but I believe the lines below should fix your
> problem (in addition to the SetEnvIf line you already added):
> 
> SSLSessionCache dbm:/var/ssl_cache
> SSLSessionCacheTimeout  300
> 
> (change the path in the first line to one which makes sense on your server)
> 

-- 

Robin P. Blanchard
IT Program Specialist
Georgia Center for Continuing Ed.
fon: 706.542.2404 fax: 706.542.6546
email: [EMAIL PROTECTED]




Re: Help with Certificates

2001-12-21 Thread Owen Boyle

[EMAIL PROTECTED] wrote:
> 
> Hello Everyone
> I need to create the key for my secure server
> I am just starting out with SSL so do not want to pay verisign yet later
> yes but now right now

> $ ./sign.sh server.csr
> 
> This signs the server CSR and results in a server.crt file.
> *end paste*
> 
> I don't understand what they mean about preparing a script for signing.

Just use the script you've been given (sign.sh). Follow each step in the
instructions just as it is written. The main steps are:

- make a Certificate Authority (CA) key and certificate (this allows you
to pretend you are Verisign).

- make a website key for your site.

- make a website Certificate Signing Request for your website (this is
the thing you would send to Verisign and which turns into a
certificate).

- sign the CSR using the CA cert -> outputs a certificate.

You need a key and a certificate for your site to work.

Rgds,

Owen Boyle.
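Owen's two replies on this page, the one saying a signed certificate cannot be edited ("Re: make certificate") and the CA key, site key, CSR and sign.sh sequence just above, describe the same mechanism from two sides. The following added example, not from the list and not from the mod_ssl distribution's sign.sh, models it with a toy RSA key pair over two small primes and a SHA-256 hash of the to-be-signed fields: the CA signs the request plus issuer and validity, a verifier holding only the CA's public key recomputes the hash, and any edit to the Common Name or the validity period makes verification fail. The field names, CA name and host names are constructed; real X.509 uses DER encoding, 2048-bit keys and padding, none of which this toy attempts.

```python
import hashlib
import json
from math import gcd

# Added example, not from the list or from mod_ssl's sign.sh. A toy model of
# CA signing and of why a signed certificate cannot be edited afterwards:
# the CA's signature is over a hash of every field, so changing the Common
# Name or the validity invalidates it. The RSA here uses two tiny primes and
# is a teaching aid only.


def toy_keypair(p=10007, q=10009, e=65537):
    """Return (public, private) as ((e, n), (d, n)). The primes are constructed and far too small for real use."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)
    return (e, n), (d, n)


def digest_mod_n(fields, n):
    """Hash the canonical encoding of the to-be-signed fields, reduced into the toy group."""
    blob = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n


def sign_csr(csr, ca_private, ca_name, days):
    """The CA step (what sign.sh does): take the request, add issuer and validity, sign the whole thing."""
    d, n = ca_private
    tbs = dict(csr)                                     # subject CN, email, the site's public key
    tbs.update({"issuer": ca_name, "valid_days": days})
    signature = pow(digest_mod_n(tbs, n), d, n)
    return {"tbs": tbs, "signature": signature}


def verify(cert, ca_public):
    """What a browser does with ca.crt installed: recompute the hash and compare with the signature."""
    e, n = ca_public
    return pow(cert["signature"], e, n) == digest_mod_n(cert["tbs"], n)


def demo():
    """Sign a constructed CSR, then try the two edits Owen warns about."""
    ca_pub, ca_priv = toy_keypair()                     # "pretend you are Verisign"
    site_pub, _ = toy_keypair(p=10037, q=10039)         # the website's own key pair (constructed)
    csr = {"CN": "www.example.test", "email": "admin@example.test", "pubkey": site_pub}
    cert = sign_csr(csr, ca_priv, ca_name="Constructed Test CA", days=365)
    genuine = verify(cert, ca_pub)
    # Change the identity: keep the CA's signature, swap the Common Name.
    renamed = {"tbs": dict(cert["tbs"], CN="www.other.test"), "signature": cert["signature"]}
    # Extend the life: keep the CA's signature, stretch the validity.
    extended = {"tbs": dict(cert["tbs"], valid_days=3650), "signature": cert["signature"]}
    return genuine, verify(renamed, ca_pub), verify(extended, ca_pub)


if __name__ == "__main__":
    print("genuine, renamed, extended verify as:", demo())
```

demo() returns (True, False, False): the certificate as issued verifies, the two edited copies do not, which is the whole reason the only fix for a wrong CN or an expired certificate is a new CSR and a new signature. Note that a self-signed CA like the one in the HOWTO only convinces browsers that have ca.crt installed; for anyone else the chain ends in an unknown issuer, exactly as it should.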



cypher suit error message

2001-12-21 Thread Luc Martineau

hello all
I am getting this error when I do an apachectl startssl

SSLCipherSuite takes one argument, Colon-delimited list of permitted SSL Ciphers (`XXX:...:XXX' - see manual)
/usr/sbin/apachectl startssl: httpd could not be started

what does this mean?
can someone give me an example cipher line?

thanks

Luc


RE: make certificate

2001-12-21 Thread Hong Tian

Owen,

I created my own CA for signing certificate, not by a commercial CA like
Verisign. Now I try to make certificate again by "openssl" command on
Solaris
and still have PRNG problem:

# openssl genrsa 0des3 -out ca.ket 1024
...PRNG not seeded...

I try to resolve it by looking at http://www.modssl.org/docs/2.8/sslfaq.html

(Thanks Samir Hatri), but still not clear about the solution. How to set up
SSLRandomSeed directives and create a $HOME/.rnd file?

Thanks,
Hong


-Original Message-
From: Owen Boyle [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 21, 2001 3:30 AM
To: [EMAIL PROTECTED]
Subject: Re: make certificate

> 
> Hi,
> 
> I have installed "make certificate TYPE=custom" during the build of
> mod_ssl-2.8.5-1.3.22 with Apache successfully as the followings:
> 
> # cd ../apache_1.3.22
> # ./config ... --enable-module=ssl
> # make
> # make certificate TYPE=custom
> ...
> 
> After I installed mod_ssl certificate, is there any quick methods to
> change some information of Common Name, Email Address, and Certificate
> Validity days of certificate again?
> 
> Should I change the whole certificate again after making certificate
> if only some items of certificate need to be changed?

Think about it. If you could edit a certificate after it had been
issued, you could change its identity. So you could get a cert from
Verisign for your own site, set up a fake amazon.com site, then edit
your certificate to pretend it was for amazon.com... Or you could extend
your certificate's life after it had expired (Verisign would love
that!).

You cannot edit a certificate once it has been signed; it is a one-way
encryption. The only way is to make a new certificate.

Rgds,

Owen Boyle.



Re: invalid request question

2001-12-21 Thread Owen Boyle

Hernan Salvarezza wrote:
> 
>Part 1.1Type: Plain Text (text/plain)

Please post in plain-text, I can't quote your message...

If http://localhost:443 works, serving plain HTTP, and https://localhost
doesn't work, producing "invalid method" then you must have accidentally
created a plain HTTP VirtualHost on port 443.

You need to have "SSLEngine on" inside the SSL VH. Do you?

Rgds,

Owen Boyle



OpenSSL I/O error causing "Page cannot be displayed" in browser

2001-12-21 Thread Jason

I am using a RedHat 7.2 with
Server Version: Apache/1.3.22 (Unix) PHP/4.0.6 mod_perl/1.26 mod_ssl/2.8.5 OpenSSL/0.9.6b

For at least a year we have been getting complaints about people getting "Page cannot be displayed" when using IE.  We have tried disabling certain ciphers, and disabling keep alive to no avail.

I have read MANY openssl, modssl and apache suggestions on how to prevent this problem and none have worked.

When I turn on trace for the cipher engine I received

[17/Dec/2001 15:33:08 11905] [info] Connection to child 6 established (server www.cartmanager.net:443, client 66.91.21.92)
[17/Dec/2001 15:33:08 11905] [info] Seeding PRNG with 2184 bytes of entropy
[17/Dec/2001 15:33:08 11905] [trace] OpenSSL: Handshake: start
[17/Dec/2001 15:33:08 11905] [trace] OpenSSL: Loop: before/accept initialization
[17/Dec/2001 15:33:08 11905] [debug] OpenSSL: read 11/11 bytes from BIO#092E12D8 [mem: 09A1F068] (BIO dump follows)
[17/Dec/2001 15:33:08 11905] [debug] OpenSSL: read 43/43 bytes from BIO#092E12D8 [mem: 09A1F073] (BIO dump follows)
[17/Dec/2001 15:33:08 11905] [trace] OpenSSL: Loop: SSLv3 read client hello A
[17/Dec/2001 15:33:08 11905] [trace] OpenSSL: Loop: SSLv3 write server hello A
[17/Dec/2001 15:33:08 11905] [trace] OpenSSL: Loop: SSLv3 write certificate A
[17/Dec/2001 15:33:08 11905] [trace] OpenSSL: Loop: SSLv3 write server done A
[17/Dec/2001 15:33:08 11905] [debug] OpenSSL: write 712/712 bytes to BIO#092E12D8 [mem: 099E78B0] (BIO dump follows)
[17/Dec/2001 15:33:08 11905] [trace] OpenSSL: Loop: SSLv3 flush data
[17/Dec/2001 15:33:08 11905] [debug] OpenSSL: I/O error, 5 bytes expected to read on BIO#092E12D8 [mem: 09A1F068]
[17/Dec/2001 15:33:08 11905] [trace] OpenSSL: Exit: error in SSLv3 read client certificate A
[17/Dec/2001 15:33:08 11905] [trace] OpenSSL: Exit: error in SSLv3 read client certificate A
[17/Dec/2001 15:33:08 11905] [error] SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[17/Dec/2001 15:33:08 11905] [error] System: Connection reset by peer (errno: 104)

I have noticed that it always fails in the same place with either a
5 bytes expected to read
or
2 bytes expected to read

This seems to be a somewhat sporadic event... if the person presses reload repeatedly, the page will eventually display.  However, obviously not all users will press reload until it works.

Any ideas on how to correct this problem would be appreciated... I have seen it in both SSLv2 and SSLv3 connections.

And, if needed I can get a complete debug dump of a connection.

Thanks in advance.

-Jason
Re: problem while giving url HTTPS

2001-12-21 Thread andrew reid

Try using
https://localhost:443
as the url instead of just https://localhost

At 02:29 PM 12/21/2001 +0100, you wrote:
Bineet Suri wrote:
> 
> hello
> 
> myself is bineet and i am developer in osprey software
> technology in india actually just recently i have
> configured apache v 1.3.22 with mod+ssl and my lynx
> browser is 2.8.4 i am able to test through
> http://localhost but when i give https://localhost so
> it giving me "This client does not contain support for
> https urls" 
Hi Bineet,
The problem is in your browser (lynx). The message is very clear: "This
client does not contain support for https urls" - it means lynx does not
know how to make an HTTPS request (as opposed to an HTTP request).
The HTTPS protocol is quite different from HTTP - you need a browser
which can support it. I don't know much about lynx, maybe you can get a
module or something to extend its functionality. If not, why not try
Opera or Netscape which have SSL support built-in.
Rgds,
Owen Boyle.


Installing a certificate

2001-12-21 Thread andrew reid

Hi group i made a certificate with the CA.pl script and need some info in 
how to install it . Any ideas anyone?




Re: make certificate

2001-12-21 Thread Owen Boyle

Hong Tian wrote:
> 
> Owen,
> 
> I created my own CA for signing certificate, not by a commercial CA like
> Verisign. Now I try to make certificate again by "openssl" command on
> Solaris
> and still have PRNG problem:
> 
> # openssl genrsa 0des3 -out ca.ket 1024
> ...PRNG not seeded...

1) Make a random data file and set it up as $RANDFILE

# cd /usr/local/apache/ssl/certs
# PATH=$PATH:/usr/local/apache/bin
# export PATH
# cp /var/cron/olog temp
# gzip temp
# mv temp.gz random_data
# RANDFILE=/usr/local/apache/ssl/certs/random_data
# export RANDFILE
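Owen's step 1 compresses a cron log to get seed material. As an added example, not from the list, here is the same step using the kernel's random source through os.urandom, which is the better seed wherever /dev/urandom exists, together with a check that the seed file is large enough, private, and not obviously constant before RANDFILE is exported. The path is the caller's choice (Owen uses /usr/local/apache/ssl/certs/random_data); the demo uses a temp directory and a deliberately bad file for comparison.

```python
import os
import stat
import tempfile

# Added example, not from the list. Creates the seed file that $RANDFILE
# points at from the kernel's random source instead of a compressed log
# file, and checks it before export. Assumed: a POSIX host with os.urandom
# backed by /dev/urandom; the path is whatever the caller chooses.

MIN_SEED_BYTES = 1024


def write_randfile(path, nbytes=MIN_SEED_BYTES):
    """Write nbytes of kernel randomness to path, created 0600 so nobody else can read the seed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.write(fd, os.urandom(nbytes))
    finally:
        os.close(fd)
    os.chmod(path, 0o600)          # in case the file already existed with looser bits
    return path


def check_randfile(path):
    """Return the reasons the file is unfit as a PRNG seed; an empty list means it passes."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_size < MIN_SEED_BYTES:
        problems.append("too small: %d bytes" % st.st_size)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("readable by group/other (mode %o)" % mode)
    with open(path, "rb") as f:
        data = f.read()
    # 1024 random bytes use roughly 250 of the 256 byte values; a log file or
    # a run of zeros uses far fewer. 32 is a loose floor, not a randomness test.
    if len(set(data)) < 32:
        problems.append("low byte diversity, does not look like random data")
    return problems


def demo():
    """Compare a deliberately bad seed file with one written by write_randfile."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "random_data.bad")
    with open(bad, "wb") as f:
        f.write(b"\0" * 16)        # constructed: short, constant content
    os.chmod(bad, 0o644)           # and readable by everyone
    good = write_randfile(os.path.join(d, "random_data"))
    # Equivalent of Owen's "RANDFILE=...; export RANDFILE" for child processes.
    os.environ["RANDFILE"] = good
    return len(check_randfile(bad)), check_randfile(good)


if __name__ == "__main__":
    print("problems with bad file, problems with good file:", demo())
```

demo() returns (3, []): the constructed file fails all three checks and the os.urandom one passes. For the httpd side of Hong's question, mod_ssl's SSLRandomSeed directive accepts the same kind of source, for example `SSLRandomSeed startup file:/dev/urandom 512`; that is configuration rather than something this script can exercise, so it is not in the code.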



Re: Robin P.Blanchard OpenSSL I/O error causing "Page cannot be displayed" in browser

2001-12-21 Thread Jason

Your SetEnvIf directive is not functioning
it reads
SetEnvIf ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
it should be
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0

- Original Message - 
From: "Robin P. Blanchard" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 18, 2001 11:21 AM
Subject: Re: OpenSSL I/O error causing "Page cannot be displayed" in browser


> Here is the combination that did the trick for us:
> 
> SSLSessionCache shmcb:/usr/local/apache/logs/ssl_scache(1024000)
> SSLSessionCacheTimeout  600
> SSLCipherSuite 
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> SetEnvIf ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
> force-response-1.0
> 
> 
> 
> Aaron Gee wrote:
> > 
> > We tried that also. Below is a short list of the combinations and variations
> > we have tried
> > Notice some lines from the conf file do the same as others,  just trying all
> > possibilities
> > the comments (#) in front are my addition. I have tried almost every
> > iteration of the following
> > to get SOMETHING to work.
> > 
> > Tried all of the following.
> > 
> > #SSLProtocol SSLv2
> > #SSLProtocol all -SSLv3
> > #SSLProtocol all
> > #SSLCipherSuite
> > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> > 
> > Tried both of these:
> > 
> > #SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> > #SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
> > downgrade-1.0 force-response-1.0
> > 
> > Also tried these in various combinations with above:
> > 
> > #SSLSessionCachenone
> > #SSLSessionCacheshmht:logs/ssl_scache(512000)
> > #SSLSessionCacheshmcb:logs/ssl_scache(512000)
> > #SSLSessionCache shm:logs/ssl_scache(512000)
> > #SSLSessionCacheshmht:logs/ssl_scache
> > #SSLSessionCacheshmcb:logs/ssl_scache
> > #SSLSessionCache shm:logs/ssl_scache
> > #SSLSessionCacheTimeout  300
> > #SSLMutex  file:logs/ssl_mutex
> > 
> > AG
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> > Behalf Of Bryan Field-Elliot
> > Sent: Tuesday, December 18, 2001 12:57
> > To: [EMAIL PROTECTED]
> > Subject: RE: OpenSSL I/O error causing "Page cannot be displayed" in browser
> > 
> > Sorry you already gave up, but I believe the lines below should fix your
> > problem (in addition to the SetEnvIf line you already added):
> > 
> > SSLSessionCache dbm:/var/ssl_cache
> > SSLSessionCacheTimeout  300
> > 
> > (change the path in the first line to one which makes sense on your server)
> > 
> 
> -- 
> 
> Robin P. Blanchard
> IT Program Specialist
> Georgia Center for Continuing Ed.
> fon: 706.542.2404 fax: 706.542.6546
> email: [EMAIL PROTECTED]
> 

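Jason's correction can be turned into a check. The following added example, not from the list and not Apache's own parser, splits a SetEnvIf line the way Apache splits quoted arguments and reports the argument shift that happens when the attribute name is left out: the pattern is read as the attribute and the first environment flag is read as the regex, so the line silently matches nothing useful. The two sample lines are Robin's as posted (joined onto one line) and Jason's corrected form; the set of environment flags it recognises is the one used on this page.

```python
import shlex

# Added example, not from the list or from Apache: detect the argument shift
# Jason points out. Apache's SetEnvIf syntax is
#   SetEnvIf attribute regex [!]env-variable[=value] ...
# so when the attribute is left out, the regex is read as the attribute and
# the first env flag is read as the regex.

# Environment flags that appear on this page; if one of these lands in the
# regex slot, the attribute argument has almost certainly been dropped.
KNOWN_ENV_FLAGS = {"nokeepalive", "ssl-unclean-shutdown", "downgrade-1.0", "force-response-1.0"}


def parse_setenvif(line):
    """Split a SetEnvIf line into attribute, regex and variables, with lint warnings attached."""
    tokens = shlex.split(line.strip())          # handles the double-quoted regex like Apache does
    if not tokens or tokens[0].lower() != "setenvif":
        return None                              # not a SetEnvIf line
    args = tokens[1:]
    result = {"attribute": None, "regex": None, "envvars": [], "warnings": []}
    if len(args) < 3:
        result["warnings"].append("SetEnvIf needs an attribute, a regex and at least one variable")
        return result
    result["attribute"], result["regex"], result["envvars"] = args[0], args[1], args[2:]
    if result["regex"] in KNOWN_ENV_FLAGS:
        result["warnings"].append(
            "regex slot holds %r: the attribute name (e.g. User-Agent) is missing, so %r is "
            "being used as the attribute" % (result["regex"], result["attribute"])
        )
    return result


# Constructed samples: Robin's line as posted, then Jason's corrected form.
ROBIN_LINE = 'SetEnvIf ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0'
JASON_LINE = 'SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0'


if __name__ == "__main__":
    for sample in (ROBIN_LINE, JASON_LINE):
        parsed = parse_setenvif(sample)
        print(sample)
        print("  attribute=%(attribute)r regex=%(regex)r envvars=%(envvars)r" % parsed)
        for w in parsed["warnings"]:
            print("  WARNING:", w)
```

Run over a whole httpd.conf, feed each line that starts with SetEnvIf to parse_setenvif and act on any non-empty warnings list; the broken form is easy to miss by eye because Apache accepts it without complaint, as Robin's post shows.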



Using more than one CERT on a server?

2001-12-21 Thread Admin/Manager

Hello,

  How can i set up more than one cert on an apache web server?

thank you.





Re: loading private key? urgent...please help!

2001-12-21 Thread Mike K

I got this fixed by re-installing OpenSSL from ports, then apache-modssl
from ports.  I also re-generated the keys/csr's and purchased new
certificates from www.freessl.com (geotrust's quickssl $99).

-Mike

- Original Message -
From: "David Orman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 19, 2001 10:15 AM
Subject: Re: loading private key? urgent...please help!


> I'm having the same trouble, same versions of the daemons/openssl/modssl,
> I'm using FreeBSD ports collection to install apache/modssl, openssl comes
> as part of the FreeBSD install. My FreeBSD install is sync'd with the -
> STABLE source as of yesterday, and apache was rebuilt as such. The port
> i'm using is "apache13-modssl". Ports collection sync'd as of today. Exact
> same error as you, creating my certs using the methods both the port
> offers and from various FAQ sites. I don't  have any commercial certs to
> test with. I have no clue on a solution, and web searches have turned up
> nothing. Just wanted to post so people (and you) knew it was not just a
> problem that you experienced, I am also experiencing it as well.
>
> Cheers.
>
>
