Re: MOD SSL over NAT

2002-01-27 Thread Jim Lee

Response to Response:
Yes, the Firewall is configured to allow port 443.

In fact we are able to reach our web server from outside (internet) by typing 
in the following url.

http://www.website.com:443

But the moment we try the following url, it fails

https://www.website.com

The same steps above work successfully from within our network (intranet) 
without any problems. Both http and https work fine.

Any clues would be highly appreciated.



Original Posting:
On Sat, 2002-01-26 at 07:26, Jim Lee wrote:
We have an apache server with mod_ssl.
The SSL works fine within our network(intranet).
But for internet users, who access the apache server over NAT, the SSL does 
not work.



Response to Posting:
are you sure your nat setup is allowing traffic on port 443 (or whatever
port your ssl is running on)? try telneting to port 443 on the external
interface from someplace outside the firewall; if you can't you need to
reconfigure your firewall..
-jon





__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: MOD SSL over NAT

2002-01-27 Thread Eli Marmor

Jim Lee wrote:

 Response to Response:
 Yes, the Firewall is configured to allow port 443.
 
 In fact we are able to reach our web server from outside(internet) by typing
 in the following url.
 
 http://www.website.com:443
 
 But the moment we try the following url, it fails
 
 https://www.website.com
 
 The same steps above work successfully from within our network (intranet)
 without any problems. Both http and https work fine.
 
 Any clues would be highly appreciated.
 
 Original Posting:
 On Sat, 2002-01-26 at 07:26, Jim Lee wrote:
 We have an apache server with mod_ssl.
 The SSL works fine within our network(intranet).
 But for internet users, who access the apache server over NAT, the SSL does
 not work.
 
 Response to Posting:
 are you sure your nat setup is allowing traffic on port 443 (or whatever
 port your ssl is running on)? try telneting to port 443 on the external
 interface from someplace outside the firewall; if you can't you need to
 reconfigure your firewall..

I had the same problem, and it resolved when I added an appropriate
iptables rule with the flags:

# full rule as usually written (chain added for completeness; the flags are as posted):
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

I was told to add this rule by others who had the same problem too with
SSL connections.

I can't promise you that the problem is the same, nor that such a rule
will end your troubles (and I don't even know if your firewall is based
on iptables); I'm just speaking from my experience.

By the way: if this is the cause of the problem, then most of the
problems will be with SSL, but not only SSL: the lack of such a rule, when
there are conflicting MTUs, may have other effects.

-- 
Eli Marmor
[EMAIL PROTECTED]
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
__
Tel.:   +972-9-766-1020  8 Yad-Harutzim St.
Fax.:   +972-9-766-1314  P.O.B. 7004
Mobile: +972-50-23-7338  Kfar-Saba 44641, Israel



Re: MOD SSL over NAT

2002-01-27 Thread Glen Mehn

you will need separate VirtualHost sections for both port 80 and port 443:

example (not real):

NameVirtualHost 10.10.10.10

<VirtualHost 10.10.10.10:443>
ServerName my.server.com
DocumentRoot /path/to/docs
<IfModule mod_ssl.c>
SSLEngine On
SSLCertificateFile /path/to/crt
# (other ssl stuff, e.g. SSLCertificateKeyFile; a matching Listen 443 is also needed)
</IfModule>
</VirtualHost>

<VirtualHost 10.10.10.10:80>
ServerName my.server.com
DocumentRoot /path/to/htdocs
ServerAdmin [EMAIL PROTECTED]
# (etc...)
</VirtualHost>

On Sun, Jan 27, 2002 at 05:48:40PM +, Jim Lee wrote:
 Response to Response:
 Yes, the Firewall is configured to allow port 443.
 
 In fact we are able to reach our web server from outside(internet) by 
 typing in the following url.
 
 http://www.website.com:443
 
 But the moment we try the following url, it fails
 
 https://www.website.com
 
 The same steps above work successfully from within our network (intranet) 
 without any problems. Both http and https work fine.
 
 Any clues would be highly appreciated.
 
 
 
 Original Posting:
 On Sat, 2002-01-26 at 07:26, Jim Lee wrote:
 We have an apache server with mod_ssl.
 The SSL works fine within our network(intranet).
 But for internet users, who access the apache server over NAT, the SSL does 
 not work.
 
 
 
 Response to Posting:
 are you sure your nat setup is allowing traffic on port 443 (or whatever
 port your ssl is running on)? try telneting to port 443 on the external
 interface from someplace outside the firewall; if you can't you need to
 reconfigure your firewall..
 -jon
 
 
 
 

-- 
Glen S Mehn
Lead Systems Administrator  SquareTrade, Inc
[EMAIL PROTECTED]Building Trust in Transactions (sm)



??? 1.3.23

2002-01-27 Thread Tom Oehser


Is there a procedure that is known to be worth attempting to put a
modssl-X onto an apache-X+1?

Is there any intention or plan of releasing it within X days of the apache
release?

Is there any documentation of what is involved in doing it myself?

I saw mention of people having done it successfully...  Without details...

I thought I could just get the CVS for modssl and figure it out, but the
CVS source doesn't seem designed to be portably built, for example, the
scripts look for perl in /sw/bin/perl, which must work on at least .01%
of installed *nix systems...  the other target fails because it expects
a pgp key in a place I don't have one...  there is a README file, but...

And, the mod_ssl I get from CVS is for 1.3.20, which is *less* than the
one that is downloadable already built for 1.3.22, shooting holes in my
initial theory that going to the CVS was even getting me closer to now...

-Tom






unable to configure the client authentication,why?

2002-01-27 Thread zhongduhang

Dear all:
I have installed apache+mod_ssl+openssl on Windows 2000, and I also created the
server cert and key, and apache with openssl works well.
But when I want to configure client authentication, it cannot start.
My configuration looks like:
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none

SSLLog logs/SSL.log
SSLLogLevel debug

SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile conf/ssl/cacert.der

<VirtualHost 172.26.3.11:443>
SSLEngine On
SSLCertificateFile conf/ssl/server.der
SSLCertificateKeyFile conf/ssl/server2.key
</VirtualHost>

And when I look at the error log, ssl.log looks like:
  Init: Generating temporary RSA private keys (512/1024 bits)
  Init: Configuring temporary DH parameters (512/1024 bits)
  Init: Seeding PRNG with 136 bytes of entropy
  Init: Configuring temporary RSA private keys (512/1024 bits)
  Init: Configuring temporary DH parameters (512/1024 bits)
  Init: Initializing (virtual) servers for SSL
  Init: Configuring server bigworm:443 for SSL protocol
  Init: (bigworm:443) Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
  Init: (bigworm:443) Configuring client authentication
  [error] Init: (bigworm:443) Unable to configure verify locations for client authentication




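An added example (my own, not code from the poster or from mod_ssl) for the check a practitioner would run on that CA file before touching anything else. mod_ssl reads `SSLCACertificateFile` (and `SSLCertificateFile`) as PEM, and "Unable to configure verify locations" is the startup error produced when OpenSSL cannot load the CA file; a DER file, as the `.der` name above suggests, is the classic way to get there. The script below tells the two encodings apart by their first bytes, checks that a DER file is one complete ASN.1 element, and converts DER to PEM the way `openssl x509 -inform DER -outform PEM` would. `SAMPLE_DER` is a constructed eight-byte ASN.1 SEQUENCE, not a real certificate; the function names are mine.

```python
# Added example (not from the poster or mod_ssl): tell PEM from DER and
# convert DER to PEM, since mod_ssl's SSLCACertificateFile /
# SSLCertificateFile directives read PEM. SAMPLE_DER is a constructed
# minimal ASN.1 SEQUENCE, not a real certificate.
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# Constructed: SEQUENCE { INTEGER 5, INTEGER 2 } -- 8 bytes of valid DER.
SAMPLE_DER = bytes.fromhex("30 06 02 01 05 02 01 02")


def detect_format(data):
    """'PEM' for a text armour block, 'DER' for a binary ASN.1 SEQUENCE."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":  # DER tag for SEQUENCE; every X.509 cert starts with it
        return "DER"
    return "unknown"


def der_outer_length(data):
    """Bytes occupied by the outermost DER element (tag + length + content).
    Handles both the short-form and the long-form length encoding."""
    if data[:1] != b"\x30" or len(data) < 2:
        raise ValueError("not a DER SEQUENCE")
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or len(data) < 2 + n:
        raise ValueError("indefinite or truncated length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def der_is_complete(data):
    """True when the data holds exactly one whole DER element
    (neither truncated nor followed by trailing bytes)."""
    return der_outer_length(data) == len(data)


def der_to_pem(data, label="CERTIFICATE"):
    """Base64 in 64-column lines inside BEGIN/END armour, as OpenSSL writes it."""
    b64 = base64.b64encode(data)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    tag = label.encode()
    return (b"-----BEGIN " + tag + b"-----\n" + body +
            b"\n-----END " + tag + b"-----\n")


def pem_to_der(text):
    """Inverse of der_to_pem; decodes the first armoured block found."""
    m = PEM_BLOCK.search(text)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(m.group(2).split()))


def as_mod_ssl_input(data):
    """Return bytes mod_ssl will accept: PEM passes through, a complete DER
    element is converted, anything else is rejected before Apache is even started."""
    fmt = detect_format(data)
    if fmt == "PEM":
        return data
    if fmt == "DER":
        if not der_is_complete(data):
            raise ValueError("truncated DER certificate")
        return der_to_pem(data)
    raise ValueError("unrecognised certificate encoding")


if __name__ == "__main__":
    print(detect_format(SAMPLE_DER))            # DER
    print(as_mod_ssl_input(SAMPLE_DER).decode())
```

Run it over the real `cacert.der` by reading the file in binary mode and writing the result of `as_mod_ssl_input` to `cacert.pem`, then point `SSLCACertificateFile` at the `.pem`. If several CAs should be accepted, concatenate their PEM blocks into that one file; `SSLVerifyDepth 2` then only matters for how long a chain from the client certificate up to one of those CAs may be.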



Re: ??? 1.3.23

2002-01-27 Thread Tom Oehser


P.S.

I found the documentation on how to upgrade *modssl* later, using apxs.

But that method doesn't seem to apply to upgrading *apache*...

-Tom




Re: ??? 1.3.23

2002-01-27 Thread Ralf S. Engelschall

On Sun, Jan 27, 2002, Tom Oehser wrote:


 [...]
 And, the mod_ssl I get from CVS is for 1.3.20, which is *less* than the
 one that is downloadable already built for 1.3.22, shooting holes in my
 initial theory that going to the CVS was even getting me closer to now...

Oops, my fault. The rsync cronjob which updated the CVS copy from my
master machine was broken. Now fixed.

For Apache 1.3.23: expect a mod_ssl update for 1.3.23 within the next
few days.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: ??? 1.3.23

2002-01-27 Thread Cliff Woolley

On Sun, 27 Jan 2002, Tom Oehser wrote:

 I found the documentation on how to upgrade *modssl* later, using apxs.
 But that method doesn't seem to apply to upgrading *apache*...

The short answer is that while it *can* be done, it's a very manual
process and it's highly prone to mistakes.  If you insist on doing it by
hand, there's a flag you can give to mod_ssl's configure to force it to
try to apply itself to a version it wasn't designed to work with
(--force), but don't be surprised if you get patching errors and have to
manually tweak the Apache source afterward to get it to (a) compile and
(b) run correctly.  The safest bet by far is to just wait on the new
version of mod_ssl to be released.

--Cliff

--
   Cliff Woolley
   [EMAIL PROTECTED]
