Re: [BugDB] mod_ssl segfaults under Solaris 2.8 (PR#671)

2002-03-11 Thread modssl-bugdb

On Sun, Mar 10, 2002 at 11:30:29AM -0500, R. DuFresne wrote:
> 
> So the engine version should be compatible with the non-engine version
> unless there has been something I have missed in the list here or
> elsewhere?
> 
It probably is - I just haven't seen that error before, so it was an
obvious place to start.
BTW: when replying to [BugDB] postings, please let your replies go
to [EMAIL PROTECTED] - that way they will go into the bug database
and get sent automagically to the list.

vh

Mads Toftum
-- 
With a rubber duck, one's never alone.
  -- The Hitchhiker's Guide to the Galaxy
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                  [EMAIL PROTECTED]



Re: [BugDB] mod_ssl segfaults under Solaris 2.8 (PR#671)

2002-03-11 Thread modssl-bugdb

At 03:18 PM 3/10/2002 +0100, you wrote:
> On Sun, Mar 10, 2002 at 09:04:04AM +0100, [EMAIL PROTECTED] wrote:
> > Full_Name: Ari D Jordon
> > Version: 2.8.7
> > OS: Solaris 2.8
> > Submission from: (NULL) (68.49.144.213)
> >
> >
> > using apache 1.3.23, starting httpd with -DSSL immediately seg faults.  post
> > mortem revealed it was dying in ssl_cmd_SSLEngine, specifically in that
> > mySrvConfig() was returning 0.  not quite sure if this is a problem with mod_ssl
> > or apache itself, as mySrvConfig is a define for ap_get_module_config.  any
> > suggestions would be appreciated.
> 
> Are you using the engine version of openssl? Unless you have a supported
> crypto accelerator, you shouldn't be using the engine version.

no, this is the normal version (0.9.6b).  we've built ssh against this
version, and it works fine.

i've done some further experimentation, and this is what i've found:

after commenting out the macro version of ap_get_module_config in
http_config.h (apache source), i was able to get a better idea of the problem.

the second parameter passed to ap_get_module_config (ssl_module) seems to
have an incorrect value for module_index (19 every time i've traced
it).  and, each time, conf_vector[module_index] is NULL.  not sure if it's
a coincidence, but there has consistently been a value in
conf_vector[module_index+1].  perhaps something is misconfigured in my
apache setup?



Problem with reading client certificate - downgrade doesn't seem to work

2002-03-11 Thread Bruno Georges

Hi

Some of our users have the following problem:
 when users are submitting their order [https and POST], the app sends the
confirmation page but nothing is displayed on the user's browser.

First, here is our setting:
OS: Solaris 2.7
Web Server: Apache 1.3.23 + mod_ssl-2.8.7-1.3.23 + openssl-0.9.6c
App server: NewAtlanta ServletExec 4.1

apache vhost config:

...
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
...

Our logs show for 2 of the failing requests [I replaced IPs with
Browser1 and Browser2]:

SSL LOG:

[11/Mar/2002:11:21:51 +] Browser1 TLSv1 RC4-MD5 GET /main HTTP/1.1 14514
[11/Mar/2002:15:26:29 +] Browser2 SSLv3 RC4-MD5 POST /main HTTP/1.1 23618

Apache logs show the following User Agents:
--
Browser1: Mozilla/4.0 (compatible;MSIE 6.0; AOL 7.0; Windows 98)
Browser2: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

app server logs show:
-
[Mon Mar 11 11:20:32 GMT 2002] Unknown certificate data:
[Mon Mar 11 11:20:32 GMT 2002] ClientCert: oop init: java.util.NoSuchElementException
[Mon Mar 11 11:20:32 GMT 2002] java.util.NoSuchElementException
[Mon Mar 11 11:20:32 GMT 2002]  at java.util.StringTokenizer.nextToken(StringTokenizer.java:235)
[Mon Mar 11 11:20:32 GMT 2002]  at com.newatlanta.servletexec.ClientCert.parseCert(ClientCert.java:204)

Retrieving the client certificate data
[Mon Mar 11 15:26:28 GMT 2002] java.net.SocketException: Connection reset by peer: Connection reset by peer
[Mon Mar 11 15:26:28 GMT 2002]  at java.net.SocketInputStream.socketRead(Native Method)
[Mon Mar 11 15:26:28 GMT 2002]  at java.net.SocketInputStream.read(SocketInputStream.java:90)


It looks like it is not possible to get anything from the client, and
the connection is broken.
I am a bit confused: according to the SetEnvIf directive, the IE response
should be HTTP/1.0; also, we force the form method to POST, which has no
effect.


Thanks for any help.

Bruno Georges
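
As an added example (written for this page, not code from Bruno's post or from mod_ssl), a small awk filter that summarises request log lines of the shape shown above, the `%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b` CustomLog format that also appears in the [BugDB] CRL report further down; the sample lines are constructed, and the time zone in them is assumed. Besides listing client, negotiated protocol, cipher and request HTTP version, it tags negotiations that used SSLv2 or an export or NULL cipher (the SSLCipherSuite string above leaves SSLv2 and the 40-bit export ciphers enabled).

```shell
# Added helper for this thread (not from the list or from mod_ssl): summarise a
# mod_ssl request log written with the CustomLog format
#   %t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b
# One output line per request: client, negotiated protocol and cipher, HTTP
# version of the request line, and a WEAK tag when SSLv2 or an export/NULL
# cipher was negotiated.
set -e
ssl_log_summary() {
  awk '
    NF >= 7 {
      host = $3; proto = $4; cipher = $5
      # %r may or may not be quoted; the request line is everything between
      # the cipher (field 5) and the byte count (last field).
      req = $6
      for (i = 7; i < NF; i++) req = req " " $i
      gsub(/"/, "", req)
      n = split(req, part, " ")
      tag = ""
      if (proto == "SSLv2" || cipher ~ /^EXP-/ || cipher ~ /NULL/) tag = " WEAK"
      printf "%s %s %s %s%s\n", host, proto, cipher, part[n], tag
    }'
}
# Constructed sample lines, modelled on the two failing requests in the post;
# the time zone and the third line are made up.
SAMPLE_LOG='[11/Mar/2002:11:21:51 +0000] Browser1 TLSv1 RC4-MD5 "GET /main HTTP/1.1" 14514
[11/Mar/2002:15:26:29 +0000] Browser2 SSLv3 RC4-MD5 "POST /main HTTP/1.1" 23618
[11/Mar/2002:16:02:07 +0000] Browser3 SSLv2 EXP-RC4-MD5 "GET /main HTTP/1.0" 512'
printf '%s\n' "$SAMPLE_LOG" | ssl_log_summary
```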




[BugDB] About CRL (PR#672)

2002-03-11 Thread modssl-bugdb

Full_Name: Shiva murugesan
Version: 2.8.5
OS: unix
Submission from: (NULL) (213.132.36.114)


Env : Apache/1.3.22 (Unix) mod_ssl/2.8.5 OpenSSL/0.9.6c.

When an IE browser (5.0, 5.5, 6.0) client presents an expired/revoked certificate, the
modssl handshake fails and the IE browser does not display the correct error
message; it just displays the generic error "Page cannot be displayed".
Whereas NE displays the correct error message, "The certificate has expired /
revoked".

Please help me in finding the solution to display the correct error message in the IE
browser as well.

Please find the error_log as follows


Certificate Verification: Error (10): certificate has expired
[Mon Mar 11 19:01:51 2002] [error] mod_ssl: SSL handshake failed (server 158.234.197.20:443, client 158.234.197.53) (OpenSSL library error follows)
[Mon Mar 11 19:01:51 2002] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned


Also, the httpd.conf entries are as follows:


<VirtualHost 158.234.197.20:443>
ServerName 158.234.197.20
DocumentRoot /usr/local/apache/htdocs
ServerAdmin [EMAIL PROTECTED]
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/veriandgte.pem
SSLCARevocationFile /usr/local/apache/conf/ssl.crl/verisigncacrl.pem
#SSLCARevocationFile /usr/local/apache/conf/ssl.crl/2.pem
SetEnvIf User-Agent .*MSIE.* ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLVerifyClient require
SSLVerifyDepth 10
<Location />
#SSLRequire (%{SSL_CLIENT_I_DN_OU} in { shiva, raja,Comtrust})
SSLRequire %{SSL_CIPHER} >= 128
</Location>
CustomLog "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


Thanks and regards
shiva
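
As an added example for this report (not code from the list, from Shiva, or from mod_ssl), the following script builds a throwaway CA and performs by hand the check that the posted SSLCACertificateFile/SSLCARevocationFile pair makes the server perform, against a valid, an expired and a revoked client certificate; it assumes only that the openssl command line tool is installed, and every name and file in it is constructed here. The number it prints for the expired certificate is the same X509 verify error that the error_log above shows as Error (10).

```shell
# Added demo for this thread (not code from the list or from mod_ssl): a throwaway
# CA does by hand what SSLCACertificateFile + SSLCARevocationFile make the server
# do, i.e. check a client certificate against the CA and its CRL. Needs only openssl.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir certs; : > index.txt; echo 1000 > serial; echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = certs
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any_dn
[ any_dn ]
commonName = supplied
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=DemoCA \
  -keyout ca.key -out ca.crt 2>/dev/null
# issue NAME [openssl-ca options]: key and CSR for NAME, signed by the demo CA.
issue() {
  name=$1; shift
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  openssl ca -batch -config ca.cnf -notext -in "$name.csr" -out "$name.crt" "$@" 2>/dev/null
}
issue valid
issue expired -startdate 20020101000000Z -enddate 20020102000000Z  # validity long past
issue revoked
openssl ca -config ca.cnf -revoke revoked.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null   # what SSLCARevocationFile reads
# verify_client CERT: prints "OK" or "error N: reason"; N is the X509 verify error
# number, the one mod_ssl logs as "Certificate Verification: Error (N)".
verify_client() {
  out=$(openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" 2>&1) || true
  case $out in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" |
         sed -n 's/^error \([0-9]*\) at [0-9]* depth lookup: *\(.*\)$/error \1: \2/p' ;;
  esac
}
verify_client valid.crt    # OK
verify_client expired.crt  # error 10: certificate has expired
verify_client revoked.crt  # error 23: certificate revoked
```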





Re: Problem with reading client certificate - downgrade doesn't seem to work

2002-03-11 Thread jon schatz

On Mon, 2002-03-11 at 08:45, Bruno Georges wrote:
> It looks like it is not possible to get anything from the client, and
> the connection is broken.
> I am a bit confused: according to the SetEnvIf directive, the IE response
> should be HTTP/1.0; also, we force the form method to POST, which has no
> effect.

I had this problem w/ 1.3.20 + 1.3.22 + the appropriate mod_ssl +
mod_perl-1.2.26 on linux systems. It magically fixed itself with the
release of apache-1.3.23 + mod_ssl-2.8.6. Try this and see what happens
(to see if your setenvif is working):

[jon@devotchka jon]$ openssl s_client -quiet -connect devotchka:23456 <<EOF
> GET / HTTP/1.1
> Host: devotchka
> User-Agent: Mozilla/4.0 Compatible (MSIE)
> 
> EOF

Inside of my reply, I get (among other things):

 HTTP/1.0 200 OK
 Date: Mon, 11 Mar 2002 19:27:28 GMT
 Server: Apache/1.3.23 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6b
 mod_perl/1.26

I haven't upgraded to 2.8.7 yet, so i wonder if this problem was
reintroduced.

-jon

-- 
[EMAIL PROTECTED] || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
You are in a twisty little maze of Sendmail rules, all confusing. 





Re: Post ./configure issue with BSD and apache_1.3.22

2002-03-11 Thread Thomas Binder

Hi!

On Mon, Mar 11, 2002 at 01:54:58PM -0500, Joe Magee wrote:
> snortsensor# SSL_BASE=../openssl-0.9.6b/ \
> ? ./configure --enable-module=ssl \
> ? --enable-module=so \
> ? --prefix=/usr/local/www/
> SSL_BASE=../openssl-0.9.6b/: Command not found.

You're using a csh'ish shell, but for the above construct to work
as expected you need to use an sh-compatible one, e.g. sh, ksh,
bash, etc.


Ciao

Thomas


-- 
If you can keep your head when all about you are losing theirs, then
you clearly don't understand the situation.



OpenSSL: error:14094416: SSL routines: SSL3_READ_BYTES:sslv3 alert certificate unknown.

2002-03-11 Thread Lily Tian

Hi,

I have an Apache + SSL + Tomcat setup on Solaris 2.8 and am trying to run some
tests. When I try to connect to the server using
   https://hostname:8443/crfs, the connection is refused.
Here is the error message from ssl_engine_log in apache/logs.

[11/Mar/2002 10:42:21 28191] [error] SSL handshake failed (server titan.x.com:8443, client 10.1.100.12) (OpenSSL library error follows)
[11/Mar/2002 10:42:21 28191] [error] OpenSSL: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown

Any idea what goes wrong here?  

Thanks a lot in advance.
Lily






Re: OpenSSL: error:14094416: SSL routines: SSL3_READ_BYTES:sslv3 alert certificate unknown.

2002-03-11 Thread Brad Burdick

> Hi,
> 
> I have an Apache + SSL + Tomcat setup on Solaris 2.8 and am trying to run some
> tests. When I try to connect to the server using
>    https://hostname:8443/crfs, the connection is refused.
> Here is the error message from ssl_engine_log in apache/logs.
> 
> [11/Mar/2002 10:42:21 28191] [error] SSL handshake failed (server titan.x.com:8443, client 10.1.100.12) (OpenSSL library error follows)
> [11/Mar/2002 10:42:21 28191] [error] OpenSSL: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
> 
> Any idea what goes wrong here?

i was seeing similar errors with apache 1.3.23 + mod_ssl-2.8.6.  they
went away after i switched to mod_ssl-2.8.7.

i only saw the errors when connecting with netscape/mozilla or IE clients.
openssl s_client mode and curl could retrieve the SSL page without problem.

i was using a test certificate signed by the snake oil CA that comes with
apache.

-brad
-- 
Brad Burdick  | [EMAIL PROTECTED]
http://media.org/ | The medium is NOT the message