Re: mod_ssl for apache 1.3.24?

2002-03-26 Thread Ralf S. Engelschall


In article <[EMAIL PROTECTED]> you wrote:

> Just wanted to know if there's a mod_ssl version for apache 1.3.24?
> Since the current version will not compile with apache 1.3.24.

Will be released within the next 48 hours.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



No solution for bug with IE on Mac?

2002-03-26 Thread Robert Allerstorfer

Hi,

I have searched the archive and it seems that there is still no
solution on how to make a https page viewable with MSIE on MacOS.
It has been reported at
http://www.mail-archive.com/modssl-users@modssl.org/msg13314.html
a month ago and even back in 2000 at
http://www.mail-archive.com/modssl-users@modssl.org/msg08560.html

This annoying popup window stating
"Security failure: Data decryption error" also comes with the latest
Apache SSL environment (Apache/1.3.23 + mod_ssl/2.8.7 +
OpenSSL/0.9.6c) on the latest Mac (OS 10.1) using the latest IE
(5.1.3). You can see it yourself here: https://secure.anet.at/

Any help would be greatly appreciated.

Kind regards,
rob.




--
Robert Allerstorfer <[EMAIL PROTECTED]>
ANET - New Media Solutions
Allerstorfer & Beutel OEG
A-1070 Wien, Apollogasse 9/7
Fon: (+43 1) 929133-1
Fax: (+43 1) 929133-2
http://www.anet.at   [EMAIL PROTECTED]
PGP Public key: http:[EMAIL PROTECTED]





Re: Odd interaction between mod_ssl, mod_rewrite and mod_proxy

2002-03-26 Thread Merton Campbell Crockett

On Tue, 26 Mar 2002, Patrick Herborn wrote:

> I have been trying to configure the following setup:
> 
>   PRIVATE LAN   |  INTERNET
>                 |
>   back_end <--HTTP--> Apache <--HTTPS--> Client
>                 |
>                 |
> 
> Ie the Apache box is acting as a bastion host between the Internet and a
> private LAN segment. I have a valid cert and key on the Apache box, and SSL
> negotiation works fine. I also have the whole thing working with pure HTTP (no
> SSL) but with both, ie running SSL to the Apache box, then plain HTTP to the
> back end, it breaks.

I assume that you have a virtual host defined on the Apache server with
the same name as the back_end.  Use mod_rewrite's [P] flag to generate the
HTTP request to back_end.  Use mod_proxy's ProxyPassReverse to capture the
response from back_end and return it to the client.

Re-read Ralf Engelschall's notes on mod_rewrite 3 or 4 times.  It takes
time for what my grandmother would have called "jookery-pookery" to sink
in.

When I developed a system running Stronghold several years ago, I recall
running into problems with SSL (ssleay) until I realized that you needed
to simulate ProxyPass using mod_rewrite.  I don't think this is a mod_ssl
problem.  It's more of a problem of under which shell is the pea.

Merton Campbell Crockett


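A minimal Apache 1.3 / mod_ssl 2.8 configuration for the bastion-host layout Merton describes (TLS terminated on the Apache box, plain HTTP to the back end via mod_rewrite's [P] flag, ProxyPassReverse fixing up the response), added here as an illustration and not taken from the thread or from the mod_ssl distribution. The hostnames, file paths and the internal name back_end.private.lan are assumptions.

```apache
# Added example, not from the thread: an SSL-terminating bastion host that
# forwards to an internal back end over plain HTTP. Hostnames, certificate
# paths and the back-end name are assumptions. Requires mod_ssl, mod_rewrite
# and mod_proxy to be compiled in or loaded.
Listen 443

<VirtualHost _default_:443>
    ServerName www.test.com

    # Terminate TLS here; the private LAN only ever sees plain HTTP from Apache.
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

    # Forward proxying stays off: only the rewrite rule below may make Apache
    # open a connection to the back end, never an arbitrary client request.
    ProxyRequests Off

    # [P] hands the rewritten URL to mod_proxy, so the client's HTTPS request
    # becomes an HTTP request to back_end (this is the "simulated ProxyPass").
    RewriteEngine on
    RewriteRule ^/(.*)$ http://back_end.private.lan/$1 [P,L]

    # Rewrite Location and similar headers in the back end's response so that
    # redirects point at the public HTTPS name rather than the internal host.
    ProxyPassReverse / http://back_end.private.lan/

    # Keep a separate log for the proxied site to spot requests that bypass
    # the rule or redirects that still carry the internal hostname.
    ErrorLog  /usr/local/apache/logs/bastion_error_log
    CustomLog /usr/local/apache/logs/bastion_access_log combined
</VirtualHost>
```

The back end receives only plain HTTP and cannot tell the original request was TLS-protected, so any "is this connection secure?" logic must live on the Apache box.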




Certificate Verification: Error (20): unable to get local issuer certificate (LONG)

2002-03-26 Thread Peter Chiu

Sorry to everybody, this is a long post. I am having trouble getting client
auth going (been trying it for 8hrs). I am running fbsd4.5-release, apache
1.3.23 and mod_ssl 2.8.7.


Error Log
=========
[26/Mar/2002 12:45:19 14664] [info]  Connection to child 5 established (server webmail.ipfw.org:443, client 192.168.111.254)
[26/Mar/2002 12:45:19 14664] [info]  Seeding PRNG with 23177 bytes of entropy
[26/Mar/2002 12:45:19 14664] [error] Certificate Verification: Error (20): unable to get local issuer certificate


I enclosed the steps that I did to create CA, Server and client cert and my
httpd.conf.

Please take your time and read it. Any help will be greatly appreciated. TIA.



Create CA
=========

zeus:incoming# openssl genrsa -des3 -out ca.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
..++
.++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

zeus:incoming# openssl req -new -x509 -days 365 -key ca.key -out ca.crt 
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Mississauga
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ipfw CA
Organizational Unit Name (eg, section) []:Certificate Authorize^C
zeus:incoming# openssl req -new -x509 -days 365 -key ca.key -out ca.crt 
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Mississauga
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ipfw.org
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, YOUR name) []:webmail.ipfw.org
Email Address []:[EMAIL PROTECTED]

zeus:incoming# ll
total 19
drwxr-xr-x  2 webbie  webbie   512 Mar 26 12:21 .
drwx------  9 webbie  webbie  1024 Mar 26 00:57 ..
-rw-r--r--  1 root    webbie  1346 Mar 26 12:21 ca.crt
-rw-r--r--  1 root    webbie   963 Mar 26 12:19 ca.key
-rwxr-xr-x  1 webbie  webbie  1784 Mar 26 03:11 sign.sh


CA creation done, now make the server key.
==========================================

zeus:incoming# openssl genrsa -des3 -out server.key 1024 
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
..++
++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:

zeus:incoming# openssl req -new -key server.key -out server.csr
Using configuration from /etc/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:Ontario
Locality Name (eg, city) []:Mississauga
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ipfw.org
Organizational Unit Name (eg, section) []:WebServer Team
Common Name (eg, YOUR name) []:webmail.ipfw.org
Email Address []:[EMAIL PROTECTED]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

zeus:incoming# ll -rt
total 21
drwx------  9 webbie  webbie  1024 Mar 26 00:57 ..
-rwxr-xr-x  1 webbie  webbie  1784 Mar 26 03:11 sign.sh
-rw-r--r--  1 root    webbie   963 Mar 26 12:19 ca.key
-rw-r--r--  1 root    webbie  1346 Mar 26 12:21 ca.crt
-rw-r--r--  1 root    webbie   963 Mar 26 12:22 server.key
-rw-r--r--  1 root    webbie   716 Mar 26 12:23 server.csr
drwxr-xr-x  2 webbie  webbie   512 Mar 26 12:23 .


Now, I am going to sign my server cert using my own CA
======================================================

zeus:incoming# ./sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
T

Odd interaction between mod_ssl, mod_rewrite and mod_proxy

2002-03-26 Thread Patrick Herborn

I have been trying to configure the following setup:

  PRIVATE LAN   |  INTERNET
                |
  back_end <--HTTP--> Apache <--HTTPS--> Client
                |
                |

Ie the Apache box is acting as a bastion host between the Internet and a
private LAN segment. I have a valid cert and key on the Apache box, and SSL
negotiation works fine. I also have the whole thing working with pure HTTP (no
SSL) but with both, ie running SSL to the Apache box, then plain HTTP to the
back end, it breaks.

This is with Apache 2.0.32 (so the API is somewhat different), but here's a
brief trace from the SSL engine log

[26/Mar/2002 16:38:34 19733] [info]  Connection to child 4 established (server www.test.com:443, client 1.2.3.4)
[26/Mar/2002 16:38:34 19733] [info]  Seeding PRNG with 136 bytes of entropy
[26/Mar/2002 16:38:34 19733] [info]  Connection: Client IP: 1.2.3.4, Protocol: TLSv1, Cipher: RC4-MD5 (128/128 bits)
[26/Mar/2002 16:38:34 19733] [info]  Connection to child 4 established (server www.test.com:443, client 10.46.101.101)
[26/Mar/2002 16:38:34 19733] [info]  Seeding PRNG with 136 bytes of entropy
[26/Mar/2002 16:38:34 19733] [error] SSL error on writing data (OpenSSL library error follows)
[26/Mar/2002 16:38:34 19733] [error] OpenSSL: error:140D0114:SSL routines:SSL_write:uninitialized
[26/Mar/2002 16:38:34 19733] [error] failed to write 16 of 16 bytes (reason unknown)

Client IP address has been changed, as has the site name... OK, so everything
is going really well up to line 4. 10.46.101.101 is the back end server, but
it would appear that the SSL engine thinks that the back end server has
connected to it as a client (odd...). It then all goes pear shaped.

From what I can remember, this type of setup should work, and I seem
to recall getting it to work before (with Apache 1.3.x ?). Has anyone else
had any success at getting this type of bastion host to work with 
Apache 2.0.32 (and the mod_ssl supplied with that) ? Is it supposed to
work at all? Is this a bug, feature, or just my poor configuration skills?

From what I can tell from the source code, it would appear that mod_ssl calls
ap_hook_pre_connection to register the function which builds the SSL session, my
gut feeling is that this is being inherited by mod_proxy, and as mod_proxy
tries to send the HTTP/1.1 request to the back end, mod_ssl is trying to
negotiate an SSL with a client (which does not exist). But I may well be 
barking up the wrong tree. Any help / advice / known good configs most
appreciated.

Regards,
Patrick Herborn. 



A Question ...

2002-03-26 Thread Kingsland, Haden



Good Afternoon,

I have recently downloaded the appropriate mod_ssl*tar.gz
file for my version of Apache as well as the associated latest version of
the open_ssl*tar.gz libraries. I now need to 'unpack' these files in order
to be able to create the mod_ssl loadable module. Can anyone help. I am
using Apache within Microsoft Windows NT.

Thank you in advance for your help.

Regards 

Haden.

Haden Kingsland
P&O Stena Line
Technical Support Analyst






Re: SSL_CLIENT_CERT in the access check phase

2002-03-26 Thread Mads Toftum

On Tue, Mar 26, 2002 at 10:46:42AM -0800, Himanshu Soni wrote:
> Hi
> 
> Thanx for the info.
> I see that you call ssl_var_lookup(..) which internally calls ap_table_get
> on the SSL_CLIENT_CERT_DN environment variable.
> When I compile my module with ssl_var_lookup(..), it fails during linking.
> This is because ssl_var_lookup(..) is not exported.
> 
> How did you manage to resolve this symbol in your builds?
> 
I don't remember doing anything special - except what you see in the module/
makefile. IIRC I just looked at the code in mod_ssl and found the appropriate
function by looking at what was being used elsewhere.
The module is close to two years old and I haven't used it much lately, so
YMMV.

vh

Mads Toftum
-- 
With a rubber duck, one's never alone.
  -- "The Hitchhiker's Guide to the Galaxy"



RE: SSL_CLIENT_CERT in the access check phase

2002-03-26 Thread Himanshu Soni

Hi

Thanx for the info.
I see that you call ssl_var_lookup(..) which internally calls ap_table_get
on the SSL_CLIENT_CERT_DN environment variable.
When I compile my module with ssl_var_lookup(..), it fails during linking.
This is because ssl_var_lookup(..) is not exported.

How did you manage to resolve this symbol in your builds?

Thanx


Himanshu Soni

-Original Message-
From: Mads Toftum [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 25, 2002 11:38 PM
To: [EMAIL PROTECTED]
Subject: Re: SSL_CLIENT_CERT in the access check phase


On Mon, Mar 25, 2002 at 06:47:26PM -0800, Himanshu Soni wrote:
> Hi
> 
> I am writing a module for apache which relies on mod_ssl. This module
> provides certificate authentication in addition to functionality provided
> by mod_access.
> Basically, it's a copy of mod_access with certificate validation
> functionality. I rely on SSL_CLIENT_CERT environment variable being set
> but my module fails to read this environment variable.
> I read somewhere in this email-list that SSL_CLIENT_CERT is not set until
> the fix-up state.
> 
> Is that correct? and if so, is there a way to get the client cert by other
> means?
> 
I have an old, simple and slightly b0rken example at
http://www2.toftum.dk/apache/
It should at least give you a general idea about how to get at the relevant
variables from an Apache module.

vh

Mads Toftum
-- 
With a rubber duck, one's never alone.
  -- "The Hitchhiker's Guide to the Galaxy"



RE: SSL Session cache and IDs

2002-03-26 Thread Bray, Mike

Further investigation has resulted in an answer. See
http://www.mail-archive.com/modssl-users@modssl.org/msg09443.html

We are using a temporary certificate for testing and the address in the
certificate does not match the address we are using for access to our test
system.

Thanks for the interest.
Mike Bray

-Original Message-
From: Bray, Mike 
Sent: Tuesday, March 26, 2002 8:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: SSL Session cache and IDs


Thanks all for the replies.  I have done some experimenting with a
SSLCachetimeout of 15s.  Even though I can send a request within 15s with
the same session id I get a status of
request=GET status=MISSED id=... (session renewal) 
followed by
request=SET status=OK id= timeout=15s (session caching)
with a completely new id.

The problem is that our content switch (Cisco) is going sticky on SSL ID and
because the client has a new id it can do what it likes with it.  Under load
the switch could send the next request to a different machine.  We are not
sharing caches as SSL sessions should be on same machine.

I can understand getting a new ID when the session is dead, i.e.
request=REM status=OK id= (session dead)

I have tried this with nokeepalive and without, no difference.

My browsermatch statements are:

BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

My SetEnvIf is
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

Regards
Mike Bray
SBS UK

-Original Message-
From: Cliff Woolley [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 25, 2002 8:10 PM
To: [EMAIL PROTECTED]
Subject: Re: SSL Session cache and IDs


On Mon, 25 Mar 2002, Mads Toftum wrote:

> The defaults are nokeepalive IIRC - if that affects the session, then
> shouldn't it cut the session short even after the initial request?

nokeepalive doesn't really imply no session caching at all... that's not
exactly what I meant to say.  What I was trying to say was that IE doesn't
deal well with sessions in general, which is why kept-alive sessions cause
even more headaches -- IE just does bad things with them.  I can't be much
more specific than that because I haven't studied it in depth... but I
just feel like things that would make IE behave better with sessions in
general might make it do the right thing when the server asks for a
renegotiation in this case.

> Setting SSLLogLevel to something like debug and looking for cache
> hits/misses would probably be a good place to start.

This and testing with/without load balancing both sound like a good
plan...

--Cliff

--
   Cliff Woolley
   [EMAIL PROTECTED]
   Charlottesville, VA





Re: After Install: Apache working, modssl not

2002-03-26 Thread Owen Boyle

Michael Connors wrote:
> 
> I have followed the installation procedures exactly for SSL. This is what I
> have configured in this order
> 1) openssl 0.9.6.c
> 2) mod_ssl 2.8.7
> 3) Apache 1.3.23
> onto a Linux Mandrake 8.0 (redhat) OS. I chose NOT to install MM Shared
> Memory.
> The whole configure and install worked without any errors and the 'make
> certificate' went fine.
> When I execute '/path/to/apache/bin/apachectl startssl' I get this response
> 
> apachectl startssl: httpd started
> 
> When I check the open listening ports (443 and/or 8443) on this same
> machine they are closed and the 8081 (cause my ISP blocks port 80) is open.
> 
> And here is the error_log from apache logs after a start (apachectl
> startssl)
> 
> [Mon Mar 25 12:40:24 2002] [notice] Apache/1.3.23 (Unix) mod_ssl/2.8.7
> OpenSSL/0.9.6c configured -- resuming normal operations
> [Mon Mar 25 12:40:24 2002] [notice] Accept mutex: sysvsem (Default:
> sysvsem)
> 
> What does this mean? Does anyone know what may be wrong?

Starting with the obvious questions: Did you define an SSL virtual host
(with SSLEngine on) and switch on port 443/8443 with a Listen directive?

Rgds,

Owen Boyle.