Reply: Re: encipher box
Hi Peter,

thank you for the quick response

cheers
alex

Alex Apostolopoulos
WebTechnology Smart Card Solutions
Secartis AG-eSolutions by Giesecke Devrient
Bretonischer Ring 3, D-85630 Grasbrunn, Germany
Phone: +49(0)89 4119-7086, Fax: +49(0)89 4119-7403
Email: [EMAIL PROTECTED], Home: www.secartis.com

From: Peter Viertel <peter.viertel@itaction.co.uk>
Sent by: owner-modssl-users@modssl.org
Date: 22.04.2002 19:15
To: [EMAIL PROTECTED]
Cc:
Subject: Re: encipher box
Please reply to: modssl-users

Yes, I've done it a few times with apache 1.3 on Solaris, still mucking around with apache 2 though.

what you need is:

a) the nCipher software for the o/s - these are binary only and will set up a daemon called hardserver, and another package that installs the CHIL library. If they don't have packages for your o/s you are screwed.

b) get/compile openssl-engine not the standard openssl.

c) test openssl: on a sun it goes like this:

    # LD_LIBRARY_PATH=/usr/lib:/opt/nfast/toolkits/hwcrhk
    # export LD_LIBRARY_PATH
    # openssl speed -engine chil

d) now you have openssl talking nCipher ok, you need to recompile mod_ssl to use openssl-engine... use apache 1.3.24, and configure with SSL_EXPERIMENTAL option (without this, you can't get it to use nCipher).

e) check you built httpd right:

    # LD_LIBRARY_PATH=/usr/lib:/opt/nfast/toolkits/hwcrhk
    # export LD_LIBRARY_PATH
    # httpd -L | grep SSLCryptoDevice

f) add the following line to httpd.conf:

    SSLCryptoDevice chil

Note this shows you how to get any nCipher to provide hardware acceleration, I think the stuff about getting apache to use keys stored in an nForce HSM is another topic altogether, and best left off-list unless enough people want to hear the gory details...

Regards,
PeterV.

[EMAIL PROTECTED] wrote:
> Hi,
>
> does anybody have any experience, links or hints how to connect mod_ssl and encipher boxes ???
>
> As I am new to this list I am not sure if this is right place to ask this question.
>
> cheers
> Alex Apostolopoulos

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Problem loading mod_ssl.so in Apache 1.3.24
Hi there,

For some reason Apache refuses to load the mod_ssl module. It always complains it can't find the module although the required file is in the specified path. Has anyone encountered this problem? Does anyone know a solution?

I'm running Apache 1.3.24 on Windows NT service pack 5.

Thanks in advance,
Stef
[BugDB] cannot open pages with ssl (PR#697)
Full_Name:
Version: 2-.8.8 1.3.24
OS: w2k server
Submission from: (NULL) (195.23.102.93)

I have IE 6 and all pages with SSL work fine, but when IE 5 on 98SE requests a page with SSL, it reads the cert, we confirm, but it gives an error page. I looked at the SSL log and found this:

Connection: Client IP: 213.58.33.218, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
[23/Apr/2002 09:57:43 03028] [info] Connection to child 40 closed with standard shutdown (server www.webmail.netexspace.com:443, client 213.58.33.218)
[23/Apr/2002 09:57:47 03028] [info] Connection to child 43 established (server www.webmail.netexspace.com:443, client 213.58.33.218)
[23/Apr/2002 09:57:47 03028] [info] Seeding PRNG with 0 bytes of entropy
[23/Apr/2002 09:57:50 03028] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[23/Apr/2002 09:57:59 03028] [info] Connection to child 45 established (server www.webmail.netexspace.com:443, client 213.58.33.218)
[23/Apr/2002 09:57:59 03028] [info] Seeding PRNG with 0 bytes of entropy
[23/Apr/2002 09:58:02 03028] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[23/Apr/2002 09:58:09 03028] [info] Connection to child 47 established (server www.webmail.netexspace.com:443, client 213.58.33.218)
[23/Apr/2002 09:58:09 03028] [info] Seeding PRNG with 0 bytes of entropy
[23/Apr/2002 09:58:11 03028] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[23/Apr/2002 09:58:25 03028] [info] Connection to child 49 established (server www.webmail.netexspace.com:443, client 213.58.33.218)
[23/Apr/2002 09:58:25 03028] [info] Seeding PRNG with 0 bytes of entropy
[23/Apr/2002 09:58:27 03028] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[23/Apr/2002 09:59:15 03028] [info] Connection to child 2 established (server www.webmail.netexspace.com:443, client 213.58.33.218)
[23/Apr/2002 09:59:15 03028] [info] Seeding PRNG with 0 bytes of entropy
[23/Apr/2002 09:59:17 03028] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[23/Apr/2002 09:59:33 03028] [info] Connection to child 8 established (server www.webmail.netexspace.com:443, client 213.58.33.218)
[23/Apr/2002 09:59:33 03028] [info] Seeding PRNG with 0 bytes of entropy
[23/Apr/2002 09:59:36 03028] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
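One way to triage an ssl_engine_log excerpt like the one in the report above, added here as an example (it is not part of the original post or of mod_ssl): per client, it counts connections, "Spurious SSL handshake interrupt" events and zero-byte PRNG seedings, and lists negotiated ciphers with fewer than 128 secret bits. The sample log is constructed with documentation addresses, and attributing client-less lines to the most recent "established" line is an assumption that only holds when connections are not interleaved.

```python
import re
from collections import defaultdict

# Constructed sample in the ssl_engine_log format quoted in the report above
# (documentation-range addresses and host name, not the reporter's data).
SAMPLE_LOG = """\
[23/Apr/2002 10:00:01 03028] [info] Connection to child 1 established (server www.example.com:443, client 192.0.2.10)
[23/Apr/2002 10:00:01 03028] [info] Seeding PRNG with 0 bytes of entropy
[23/Apr/2002 10:00:03 03028] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[23/Apr/2002 10:00:09 03028] [info] Connection to child 2 established (server www.example.com:443, client 192.0.2.10)
[23/Apr/2002 10:00:09 03028] [info] Seeding PRNG with 0 bytes of entropy
[23/Apr/2002 10:00:11 03028] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[23/Apr/2002 10:00:20 03028] [info] Connection to child 3 established (server www.example.com:443, client 192.0.2.20)
[23/Apr/2002 10:00:20 03028] [info] Seeding PRNG with 512 bytes of entropy
[23/Apr/2002 10:00:21 03028] [info] Connection: Client IP: 192.0.2.20, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
[23/Apr/2002 10:00:22 03028] [info] Connection to child 3 closed with standard shutdown (server www.example.com:443, client 192.0.2.20)
"""

ESTABLISHED = re.compile(r"Connection to child \d+ established \(server \S+, client ([\d.]+)\)")
SEED = re.compile(r"Seeding PRNG with (\d+) bytes of entropy")
CIPHER = re.compile(r"Client IP: ([\d.]+), Protocol: (\S+), Cipher: (\S+) \((\d+)/(\d+) bits\)")

def summarize(log_text, min_secret_bits=128):
    """Per-client counts of handshake interrupts, zero-byte PRNG seeds, weak ciphers."""
    # Assumption: seed/interrupt lines carry no client address, so they are
    # attributed to the most recent "established" line (non-interleaved log).
    stats = defaultdict(lambda: {"connections": 0, "interrupts": 0,
                                 "zero_seed": 0, "weak_ciphers": []})
    current = None
    for line in log_text.splitlines():
        if m := ESTABLISHED.search(line):
            current = m.group(1)
            stats[current]["connections"] += 1
        elif (m := SEED.search(line)) and current:
            if int(m.group(1)) == 0:
                stats[current]["zero_seed"] += 1
        elif "Spurious SSL handshake interrupt" in line and current:
            stats[current]["interrupts"] += 1
        elif m := CIPHER.search(line):
            ip, proto, cipher, secret = m.group(1), m.group(2), m.group(3), int(m.group(4))
            if secret < min_secret_bits:
                stats[ip]["weak_ciphers"].append((proto, cipher, secret))
    return dict(stats)

if __name__ == "__main__":
    for client, s in summarize(SAMPLE_LOG).items():
        print(client, s)
```

A client whose interrupt count equals its connection count never completed a handshake in the window examined.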
Re: Problem loading mod_ssl.so in Apache 1.3.24
On Tue, 23 Apr 2002, Aryeh Katz wrote:
> make sure that ssleay and libeay are both in the path.

Um, or libssl and libcrypto from openssl (in the library path, that is). ssleay's getting to be pretty old these days. :)
Re: SSL-Problem with Mac MSIE
Hi David,

there was a discussion in the mod_ssl-group a few weeks ago. Some solutions/workarounds were discussed. Robert Allerstorfer meant he found THE solution. Last week one of our clients tried to access our fixed SSL-server via Mac MSIE 5.13 and still had a problem. The only thing working at our site was disabling SSLv3.

Additionally here's an extract of one of my contributions to the mod_ssl-discussion:

    Hi,

    i found one (unsatisfying) solution: I disabled SSLv3 by setting

        SSLProtocol -SSLv3

    If i do this MSIE on Mac runs but i worry about other browser that would not run anymore :-(

Try also what's posted in http://www.mail-archive.com/modssl-users@modssl.org/msg13577.html

-----Original Message-----
From: David McInnis [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 23 April 2002 06:01
To: [EMAIL PROTECTED]
Subject: SSL-Problem with Mac MSIE

Did you ever come up with a fix for this? I am having the same problem.

Thanks,
David McInnis
Re: Problem loading mod_ssl.so in Apache 1.3.24
> On Tue, 23 Apr 2002, Aryeh Katz wrote:
> > make sure that ssleay and libeay are both in the path.
>
> Um, or libssl and libcrypto from openssl (in the library path, that is).
> ssleay's getting to be pretty old these days. :)

poster specified a win32 environment, ssleay32.dll is one of the two openssl libs on win32.

Aryeh
---
Aryeh Katz
VASCO
www.vasco.com
Re: Problem loading mod_ssl.so in Apache 1.3.24
On Tue, 23 Apr 2002, Aryeh Katz wrote:
> poster specified a win32 environment, ssleay32.dll is one of the two openssl libs on win32.

Ah missed that. Sorry. :)
Re: SSL-Problem with Mac MSIE
Hi!

On Tue, Apr 23, 2002 at 06:38:22PM +0200, Nisbach, Thomas wrote:
> i found one (unsatisfying) solution: I disabled SSLv3 by setting
>
>     SSLProtocol -SSLv3
>
> If i do this MSIE on Mac runs but i worry about other browser that would not run anymore :-(

Btw, as for my understanding this does not disable TLSv1: Does IE's TLS1-support work any better than its SSL3 implementation?

And what also bothers me: Why do these problems only seem to affect OpenSSL based webservers, and not for example iPlanet? Do these non-affected servers contain other/better workarounds? Or do they only support SSL2?

Is it really such a serious drawback to disable SSL3? Most current browsers (e.g. links, Mozilla, Opera) seem to support and default to TLS1, anyway.

Ciao
Thomas
Re: SSL-Problem with Mac MSIE
No I wouldn't want to disable SSL3 either...

One case I know of like this is to do with advertising EXPORT56 ciphers on the server side... some variants of IE barf if they're talking to a site with a so called 128 bit certificate (an SGC cert).

I have used this when a site has an uber-cert for marketing reasons, and the crypto requirement is not high:

    SSLCipherSuite !EXPORT56:ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

the broken clients end up using SSL3 with 40bit keylength, good clients talk SSL3/128bit or TLS, it still gives the option for SSL2 and allows null encryption too.

Thomas Binder wrote:
> Hi!
>
> On Tue, Apr 23, 2002 at 06:38:22PM +0200, Nisbach, Thomas wrote:
> > i found one (unsatisfying) solution: I disabled SSLv3 by setting
> >
> >     SSLProtocol -SSLv3
> >
> > If i do this MSIE on Mac runs but i worry about other browser that would not run anymore :-(
>
> Btw, as for my understanding this does not disable TLSv1: Does IE's TLS1-support work any better than its SSL3 implementation?
>
> And what also bothers me: Why do these problems only seem to affect OpenSSL based webservers, and not for example iPlanet? Do these non-affected servers contain other/better workarounds? Or do they only support SSL2?
>
> Is it really such a serious drawback to disable SSL3? Most current browsers (e.g. links, Mozilla, Opera) seem to support and default to TLS1, anyway.
>
> Ciao
> Thomas