Re: how to configure it?

2002-05-07 Thread Owen Boyle

zhong duhang wrote:
 
 I want one directory can be visited by https,while others visit by http,how
 should I configure it?

Use port-based virtualhosts. Something like (where 192.168.1.1 = server
ip-addr):

Listen 192.168.1.1:80
<VirtualHost 192.168.1.1:80>
  DocumentRoot /path/to/http/content

</VirtualHost>

Listen 192.168.1.1:443
<VirtualHost 192.168.1.1:443>
  DocumentRoot /path/to/ssl/content
  SSL directives...

</VirtualHost>

Rgds,

Owen Boyle.
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: virtual hosting and ssl

2002-05-07 Thread R. DuFresne


The only other issue one really has that Owen has not covered is trusting
the issuing CA to do things correctly. There's an incident not too long in
the past whence a site not Microsoft affiliated obtained a fake Microsoft
cert.  Of course there are also man in the middle exploits, even with SSL
and SSH, though they tend to be rare and hard to implement, for the most
part.  With wireless being the new toy in use by many, there are issues of
information leakage too, but these are different topics in and of
themselves...

Cool writeup Owen, we're saving it here to send out as common requests
come in.

Thanks,

Ron DuFresne


On Tue, 7 May 2002, Owen Boyle wrote:

 Steve Leach wrote:
  
  Owen,
  
  I just followed this thread - thanks for that condensed 'how it works' for
  certificates - I picked up two things I did not know, and as they say
  knowledge is power :)
  
  I am wondering at the last statement as to whether the limitation lies in
  the ability to produce a certificate that could verify all hosted domains,
  or whether Apache (or indeed any HTTPS server) could  work with such a
  beast?
 
 As I understand it, the trouble is that there are two aspects to SSL:
 encryption and authentication. If it was only about encryption, you
 wouldn't have to tie your certificates to the different sites - so you
 could just serve up a general server-certificate which would contain
 your public key (which is, after all, just a big long number). The
 client would use this to send you a session-key and you'd have
 established the secure channel. Then you could exchange the HTTPS
 packets in confidence and use the Host: fields therein to select
 virtualhosts. Indeed, this is what happens when people naively set up
 NBVHs on port 443 - the server just uses the certificate from the first
 VH for any request it receives.
 
 However, we've forgotten about authentication. If you really want a
 secure connection, it is no use just encrypting the datastream; you have
 to be sure that the packets are really going to the destination you
 want. If you send your credit card details to www.amazon.com how can you
 be sure that the server at the other end really does belong to Amazon
 Books Inc. and is not a fake server with a copy of their site and that
 some crook has not hijacked a router somewhere along the way? The answer
 is that when you get the cert from amazon.com it contains not only the
 public key but also their site name. Their cert has also been signed by
 Verisign or somesuch and so can be verified. 
 
 Now you can't just make a self-signed cert which says you're amazon.com
 because the browser does not recognise the authority which signed this
 certificate. 
 
 Really, these problems are all client-side. The server is only
 interested in setting up a secure channel so will use any cert that
 seems appropriate. The trouble only starts when the browser starts
 checking out the cert and finds that it can't verify it because the
 signing authority is unknown or that it looks fishy because the
 site-name on the request doesn't match the site-name in the cert. This
 is really just the browser manufacturers protecting you from being
 conned and themselves from being sued.
 
 Rgds,
 
 Owen Boyle.
 

-- 
~~
admin  senior security consultant:  sysinfo.com
http://sysinfo.com

Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation.
-- Johnny Hart

testing, only testing, and damn good at it too!




RE: Re: WIN32-apache 1.3.x (windows NT) problem of serving concurrent https requests

2002-05-07 Thread John . Airey



 -Original Message-
 From: Johannes Bertscheit [mailto:[EMAIL PROTECTED]]
 Sent: 04 May 2002 18:27
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: Re: WIN32-apache 1.3.x (windows NT) problem of serving
 concurrent https requests
 [snip]
 No question: I would also prefer to develop under LINUX SOO MUCH (!) 
 but I have no choice: 
 the project is bound to windows NT hosts and I was not able 
 to convince 
 the company to take LINUX (or UNIX) - I tried all the 
 arguments as you stated above.
 So what I need are other people with the same problem, that 
 they MUST develop under windows NT and have a RELIABLE apache 
 running on such a machine.
 Are there any people out there - stating that they have a 
 apache mod_ssl 
 running on windows NT RELIABLE ???
 
 johannes

We have an expression in the UK that you can't make a silk purse out of a
sow's ear. 

I have had blue screen logging in with Windows NT and reboots on logging in
to Windows 2000, both fully patched. We are regularly rebooting our Windows
NT servers on an almost monthly basis. If you look at Microsoft's own web
site via Netcraft (www.netcraft.co.uk), you'll see that none of their
servers has run for more than about 90 days. One server managed to get to
143 days before a reboot. So much for 99.999% availability. They boasted
that they'd run 99.98% availability during the Winter Games, which sounds
good till you realise that this is over a period of about two weeks. You
don't hear them talk about the five nines any more, simply because they
can't do it.

If you look at our site, www.rnib.org.uk you'll see we just passed 150 days.
It would have been longer if it weren't for a power cut. I've had a Linux
server pass 497 days uptime, before it was moved to a new site:

  2:43pm  up 497 days,  2:27,  0 users,  load average: 0.00, 0.00, 0.00
  2:44pm  up 0 min,  0 users,  load average: 0.00, 0.00, 0.00

The uptime counter on Linux resets after 497 days, whereas on NT it resets
after 49.7 days. It's still possible to track uptime for longer though.

The longest uptimes in the world are nearly all Apache servers on BSD or
IRIX (http://uptime.netcraft.com/up/today/top.avg.htm). You won't find an NT
server staying up for long.

What is running on the host is irrelevant. We use Samba to publish our web
pages from Windows clients. We have had occasional Samba crashes, but the
web server has been totally reliable. In over six years, I've seen only one
spurious crash of the web server; all other downtime has been for
maintenance.

Why spend money on Microsoft's licenses, when you can install Linux or any
other type of UNIX for far less money? 

In Latin you would say res ips a loquitor (I'm not sure of the spelling,
but it means the thing speaks for itself. It's used a lot in law).

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

The teaching of evolution as a proven fact rather than a theory has done
more harm to scientific progress than anything else in history.

- 

NOTICE: The information contained in this email and any attachments is 
confidential and may be legally privileged. If you are not the 
intended recipient you are hereby notified that you must not use, 
disclose, distribute, copy, print or rely on this email's content. If 
you are not the intended recipient, please notify the sender 
immediately and then delete the email and any attachments from your 
system.

RNIB has made strenuous efforts to ensure that emails and any 
attachments generated by its staff are free from viruses. However, it 
cannot accept any responsibility for any viruses which are 
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email 
and any attachments are those of the author and do not necessarily 
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk 

14th June 2002 is RNIB Look Loud Day - visit http://www.lookloud.org.uk to
find out all about it.




RE: Repudiability

2002-05-07 Thread John . Airey

 -Original Message-
 From: Andrew McNaughton [mailto:[EMAIL PROTECTED]]
 Sent: 06 May 2002 16:55
 To: [EMAIL PROTECTED]
 Subject: Repudiability
 
 
 
 Suppose someone refutes that they have sent information to a Web site
 owner, how is the Web site owner to prove that the information was in
 fact received and that it was signed with a given key?
 
 To do this, the Web site owner would presumably need to be 
 able to produce
 the still-encrypted post as sent by the user, but from a 
 quickish reading
 of the mod_ssl reference, I don't see any way to log this information.
 
 Andrew McNaughton

Provided you know the time of the transaction, the web server logs will give
you details of the IP address all the web transactions are coming from. You
can find who owns this IP address via the Ripe (www.ripe.net), Arin
(www.arin.net) or Apnic (www.apnic.net) websites.

From this you can find which ISP this address belongs to, and that ISP can
verify who was using that IP address at the time. How much assistance you
receive from each ISP will vary.

That may give you sufficient information to press a case against the person
who alleges they didn't access your website, but IANAL. 

I'm not sure what you mean about information being signed with a given key.
Do you mean a personal key like a digital signature, or do you mean the SSL
key?

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

The teaching of evolution as a proven fact rather than a theory has done
more harm to scientific progress than anything else in history.

- 




AW: Re: WIN32-apache 1.3.x (windows NT) problem of serving concurrent https requests

2002-05-07 Thread Michael . Straessle

 -Original Message-
 From: Johannes Bertscheit [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, 4 May 2002 19:27
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: Re: WIN32-apache 1.3.x (windows NT) problem of serving
 concurrent https requests
(cut)

 Are there any people out there - stating that they have a 
 apache mod_ssl 
 running on windows NT RELIABLE ???
 
 johannes

hmm.. now this calls for an answer. 

we are running ssl-enabled apache on NT since end 99, first ibm http server
1.3.6.2 with 56bit ssl encryption, since december 01 Apache/1.3.22 (Win32)
mod_jk/1.2.0 ApacheJServ/1.1.2 mod_ssl/2.8.5 OpenSSL/0.9.6b. there were some
crashes with mod_ssl in the beginning, but none since i set KeepAlive Off in
httpd.conf. average hits per day on the webserver are 100k.
availability is 99.97% over the past 2 months, the remaining 0.03% are
caused by hardware changes. the only unplanned reboot since start of
production on this machine in may 99 was due to someone pulling out the
power cable between server and ups.

michael





N/A

2002-05-07 Thread David Flanigan

Hello, 

 My apologies if this has been discussed before, I did not turn up much in my 
archive search. I am new to modssl and to this list. Any help you can provide 
would be greatly appreciated. 

 I have a server wide SSL certificate for my domain, but only need SSL 
support in certain areas. Is there a way to redirect non SSL requests (port 
80) for particular directories to SSL without requiring the user to to do 
anything? So automatically:

 http://www.foo.com/private/

 becomes

 https://www.foo.com/private

 I am currently using the SSLRequireSSL directive to lock out non-SSL 
connections to those directories, resulting in a error to the user. 

 I have tried a location specific redirect like the following, but ended up 
with a loop (and a couple thousand extra entries in my log file). 
 
<Location /private>
Redirect seeother /private https://www.foo.com/private
</Location>

 Am I on the right track or making this to difficult? I have no mod-rewrite 
skills, so have not tried that route as of yet. 

 Thanks in advance. 
--
Kind Regards, 
David A. Flanigan ([EMAIL PROTECTED])






Re: N/A

2002-05-07 Thread Peter Viertel

Use <VirtualHost> stanzas:

ie:

<VirtualHost _default_:80>
ServerName www.foo.com
Redirect /private https://www.foo.com/private
DocumentRoot "htdocs"
</VirtualHost>

<IfDefine SSL>
<VirtualHost _default_:443>
ServerName www.foo.com
SSLCertificateFile conf/ssl.crt/server.crt
SSLCertificateKeyFile conf/ssl.key/server.key
SSLEngine on
DocumentRoot "secure"
</VirtualHost>
</IfDefine>






Re: Repudiability

2002-05-07 Thread Balázs Nagy

[EMAIL PROTECTED] wrote:

Suppose someone refutes that they have sent information to a Web site
owner, how is the Web site owner to prove that the information was in
fact received and that it was signed with a given key?

To do this, the Web site owner would presumably need to be 
able to produce
the still-encrypted post as sent by the user, but from a 
quickish reading
of the mod_ssl reference, I don't see any way to log this information.

Andrew McNaughton
 
 Provided you know the time of the transaction, the web server logs will give
 you details of the IP address all the web transactions are coming from. You
 can find who owns this IP address via the Ripe (www.ripe.net), Arin
 (www.arin.net) or Apnic (www.apnic.net) websites.
 
 From this you can find which ISP this address belongs to, and that ISP can
 verify who was using that IP address at the time. How much assistance you
 receive from each ISP will vary.
 
 That may give you sufficient information to press a case against the person
 who alleges they didn't access your website, but IANAL. 

John, unfortunately IP hijacking is so trivial (see threads on bugtrack) that
this method will not work with reasonable certainty.

 I'm not sure what you mean about information being signed with a given key.
 Do you mean a personal key like a digital signature, or do you mean the SSL
 key?

Andrew is right.  Repudiation, or rather non-repudiation,
can be achieved with public-private-private public encryption.
Owen is right that SSL/HTTPS doesn't support that in itself. Here is how
public-private auth/encoding should work:

Message = M
Transmitted = T
Public Key = pub
Private Key = priv
Transmission of Message M: M -> T --transmit--> T -> M
pub-priv enc works like T = enc(pub, M)   =>  M = dec(priv, T)
                        T = enc(priv, M)  =>  M = dec(pub, T)

Non repudiation: send    T = enc(priv_sender, enc(pub_receiver, M))
                 receive M = dec(pub_sender, dec(priv_receiver, T))

Of course this is simplified, but holds the principle.

With HTTPS, the only way to authenticate for sure the message
sender, is with the sender's cert (CLIENT CERT). If you log that
auth, then you know for sure who came to the site. For that, you
need to restrict that part of the site to auth with client certs.

The astute reader noticed that all this digital signature shebang
works only if solely the owner uses his cert.

Hope this helps.

Cheers,
Balázs

-
Balázs Nagy   TheNewPush, LLC
Managing Partner tel. +1-303-523-5729
Research & Development   fax. +1-720-294-0933
===Internet Infrastructure and Presence Provider

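Balázs's send/receive formulas, carried out end to end with the openssl command line. This is an added example written for this page, not code from the thread or from mod_ssl. It assumes an openssl binary (1.1 or 3.x) on PATH; the party names, file names and the sample order text are all constructed for the demo. It also generalises the sketch slightly: the "encrypt with the sender's private key" step is realised as a SHA-256 signature over the message, the "encrypt with the receiver's public key" step as RSA-OAEP, and the receiver keeps ciphertext plus signature as the evidence the original question asks about, checking that a tampered copy no longer verifies.

```shell
#!/bin/sh
# Added example (not from the thread): Balazs' recipe
#   send    T = enc(priv_sender, enc(pub_receiver, M))
#   receive M = dec(pub_sender, dec(priv_receiver, T))
# done with the openssl CLI. "enc(priv_sender, ...)" is a signature over a
# hash of M; "enc(pub_receiver, ...)" is RSA-OAEP encryption of M.
# Assumptions: openssl on PATH; keys, file names and the message are
# constructed here. Files live in a throw-away directory.

WORK=$(mktemp -d)

# RSA key pair for party $1 -> $WORK/$1.key (private) and $WORK/$1.pub.
gen_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null &&
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub" 2>/dev/null
}

# Sender side: sign plaintext $1 with the sender's private key, then
# encrypt it for the receiver. Produces $WORK/msg.sig and $WORK/msg.enc.
sender_send() {
    openssl dgst -sha256 -sign "$WORK/sender.key" -out "$WORK/msg.sig" "$1" &&
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/receiver.pub" \
        -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$WORK/msg.enc"
}

# Receiver side: decrypt into $1 with the receiver's private key, then
# verify the stored signature with the sender's public key.
# Returns 0 only when the signature matches the decrypted text.
receiver_recv() {
    openssl pkeyutl -decrypt -inkey "$WORK/receiver.key" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/msg.enc" -out "$1" &&
    openssl dgst -sha256 -verify "$WORK/sender.pub" \
        -signature "$WORK/msg.sig" "$1" >/dev/null 2>&1
}

# Re-check the retained evidence (msg.sig) against an arbitrary text $1.
# This is what the site owner would do when a sender later denies a message.
verify_evidence() {
    openssl dgst -sha256 -verify "$WORK/sender.pub" \
        -signature "$WORK/msg.sig" "$1" >/dev/null 2>&1
}

# Whole exchange. Returns 0 when the genuine message verifies AND a
# tampered copy is rejected; 1 if the genuine message fails; 2 if the
# tampered copy is (wrongly) accepted.
run_exchange() {
    gen_keypair sender   || return 1
    gen_keypair receiver || return 1
    # Constructed sample order, the "M" of the thread.
    printf 'order 4711: 10 units, 2002-05-07\n' > "$WORK/m.txt"
    sender_send "$WORK/m.txt"   || return 1
    receiver_recv "$WORK/m.dec" || return 1
    [ "$(cat "$WORK/m.txt")" = "$(cat "$WORK/m.dec")" ] || return 1
    # Altered text: the retained signature must NOT cover it.
    printf 'order 4711: 99 units, 2002-05-07\n' > "$WORK/m.bad"
    if verify_evidence "$WORK/m.bad"; then
        return 2
    fi
    return 0
}

cleanup() { rm -rf "$WORK"; }

# Stand-alone usage:
#   run_exchange && echo "genuine message verified, tampered copy rejected"
#   cleanup
```

The point of keeping `msg.enc` and `msg.sig` rather than just the decrypted text is that the signature is only evidence if it was made with a key nobody but the sender holds, which is Balázs's closing caveat. With plain HTTPS the server never receives a per-message signature like this; what mod_ssl can record is the client-certificate authentication of the connection, which is the alternative he describes next.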



RE: Repudiability

2002-05-07 Thread John . Airey

 -Original Message-
 From: Balázs Nagy [mailto:[EMAIL PROTECTED]]
 Sent: 07 May 2002 14:58
 To: [EMAIL PROTECTED]
 Subject: Re: Repudiability
 
 
 John, unfortunately IP hijacking is so trivial (see threads 
 on bugtrack) that
 this method will not work with reasonable certainty.
 
I don't think the question involved IP address hijacking, but I take your
point. I also forgot to factor in AOL users who apparently (urban myth?)
change IP addresses every few seconds. I haven't seen anything on Bugtraq
recently about IP hijacking, but then again I delete more emails from
Bugtraq than I do from this list.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

The teaching of evolution as a proven fact rather than a theory has done
more harm to scientific progress than anything else in history.

- 




Re: N/A

2002-05-07 Thread David Flanigan

Peter:

 This server is not running with virtual hosts (only a single domain); the 
doc root for SSL and non-SSL is the same. Is there any way I can do the automatic 
redirect without moving the doc roots around?

 Thanks for your help. 

--
Kind Regards, 
David A. Flanigan







Re: N/A

2002-05-07 Thread Peter Viertel




You shouldn't be afraid of virtual hosts.

If you split them up as vhosts, then you can do what you want. If you don't,
you can't.
In my example I used separate DocRoots, but this is not necessary.

P.S. can you fix your PC's clock? your timezone is 13 hours out.


Re: (OpenSSL library error follows) - in Apache 2.0.35 with mod_ssl

2002-05-07 Thread Cliff Woolley

On Mon, 6 May 2002, MegaZone wrote:

 (Wisdom I relearned today - use explicit paths.  You never know when
 someone else has left an old install laying around earlier in your
 build path.  Like, say, a non-shared openssl which makes a shared
 apache+mod_ssl sad...  Not that I wasted a lot of time on that...)

Bummer, yeah, that's a kind of nasty one.  We're trying to figure out a
clean way to get around that problem, but haven't gotten anything in yet.

Glad you got it.

--Cliff

--
   Cliff Woolley
   [EMAIL PROTECTED]
   Charlottesville, VA




OpenSSL with mod_ssl in Apache 2.0.35

2002-05-07 Thread MegaZone

Hello,

The platform is Solaris 8.

I've installed OpenSSL 0.9.6c, and then Apache 2.0.35 using 
./configure --prefix=/local/webhome/apache-2.0.35 --enable-mods-shared=ssl

I can start Apache without SSL, but when I try to use SSL I receive
this message:

[malarkey:/local/webhome/apache/conf]458 % /local/webhome/apache/bin/apachectl startssl
Syntax error on line 219 of /local/webhome/apache-2.0.35/conf/httpd.conf:
Cannot load /local/webhome/apache-2.0.35/modules/mod_ssl.so into server: ld.so.1: 
/local/webhome/apache-2.0.35/bin/httpd: fatal: relocation error: file 
/local/webhome/apache-2.0.35/modules/mod_ssl.so: symbol X509_INFO_free: referenced 
symbol not found
/local/webhome/apache/bin/apachectl startssl: httpd could not be started

There is nothing in the logs directory.

The line in httpd.conf is simply the LoadModule for SSL:
<IfDefine SSL>
LoadModule ssl_module modules/mod_ssl.so
</IfDefine>

I've spent some time searching the list archives, google, etc, but I
haven't found a good pointer for this.  I'd appreciate a kick in the
right direction.

Thanks.

-MZ, CISSP #3762, RHCE #806199299900541
-- 
URL:mailto:[EMAIL PROTECTED], Discordian, Author, Engineer, me..
A little nonsense now and then, is relished by the wisest men 781-788-0130
URL:http://www.megazone.org/ URL:http://www.eyrie-productions.com/Eris



Re-negotiation handshake failed: Not accepted by cient!?

2002-05-07 Thread Pako

Hi, I had installed apache with openssl, modssl and php, the last two as
modules of apache. I had created my own CA certificate, server
certificate and user certificate using openssl functions, and I'm
trying to use it to test my server with SSL and I'm losing hair
rapidly.

I had some problems with the handshake sequence. At first when I load my
secure site everything works, but I get asked two times for my user
certificate, I don't know why, but if the second time I cancel the
presentation of the certificate some of the images of my site don't load. My
page uses frames, and everything is kept in the same page; my images
are simple gifs and there's no apparent difference between the images
that load and the ones that don't.

I think this could be a problem with the SSL cache but I have it
activated in my httpd.conf

SSLSessionCache dbm:/opt/apache1.3.22/logs/ssl_scache
SSLSessionCacheTimeout  300

when I start apache I get the two files ssl_cache.dir and ssl_cache.pag,
but I still have to present my user certificate for every link that I
use in my site, and every time that I use it. Sometimes without apparent
relation to the operations that I had made my netscape closes and I
get in my error_log the next:

[Tue May  7 17:42:39 2002] [error] mod_ssl: Re-negotiation handshake
failed: Not accepted by client!?
[Tue May  7 17:42:39 2002] [error] mod_ssl: SSL error on writing data
(OpenSSL library error follows)
[Tue May  7 17:42:39 2002] [error] OpenSSL: error:1408F071:SSL
routines:SSL3_GET_RECORD:bad mac decode [Hint: Browser still remembered
details of a re-created server certificate?]

I don't know what to do. I'm using SSLRequire sentences and maybe the
problem is there, I don't know. I use the next syntax and I think it's ok

<Directory /opt/apache1.3.22/htdocs>
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions   +FakeBasicAuth
SSLRequireSSL
SSLRequire ( %{SSL_CLIENT_S_DN_O} in {"TEST"} )
</Directory>

Help please, and sorry for the English ...

Pako.



RE: [BugDB] Client Authentication BUG with FakeBasicAuth (PR#695)

2002-05-07 Thread modssl-bugdb

After discussing this with the author I realized I had misread the patch.

The new code moves the check in question from before the if (!sc->bEnabled) to later
in the sequence:

(check used to be here)

/*
 * We decline operation in various situations...
 */
if (!sc->bEnabled)
    return DECLINED;
if (ap_ctx_get(r->connection->client->ctx, "ssl") == NULL)
    return DECLINED;
if (!(dc->nOptions & SSL_OPT_FAKEBASICAUTH))
    return DECLINED;
if (r->connection->user)
    return DECLINED;
if ((clientdn = (char *)ap_ctx_get(r->connection->client->ctx, "ssl::client::dn"))
    == NULL)
  {
  /*
  * Make sure the user is not able to fake the client certificate
  * based authentication by just entering an X.509 Subject DN
  * (/XX=YYY/XX=YYY/..) as the username and "password" as the
  * password.
  */
  if ((cpAL = ap_table_get(r->headers_in, "Authorization")) != NULL) {
  .
  .
  .

This fixes the problem where the check fails the second time through on a subrequest 
or internal redirect and catches a spoof attempt in the situation when there is no 
client certificate DN.

My only question is: Can a user still spoof a FakeBasicAuth request when one of the
other four previous DECLINED conditions is true?

Another way to approach the problem might be to keep the check where it was, but 
enforce it only when (ap_is_initial_req(r)) is true. The spoof can only be attempted 
on the initial request - not on any subrequests or internal redirects and will catch 
spoof attempts for all of the DECLINED conditions.

Anyone with more experience with this code care to comment?

Rick Barry

Compaq Computer Corporation   Compaq Secure Web Server Project Team
110 Spit Brook Road   OpenVMS System Software Group
Nashua, NH  03062 Business Critical Server Group
(603) 884-0634

-Original Message-
From: Barry, Richard 
Sent: Wednesday, April 24, 2002 10:42 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [BugDB] Client Authentication BUG with FakeBasicAuth
(PR#695)


This submission is missing a conditional expression before line 1161.

What test is performed prior to executing the DN/password check in the
new code?

Rick Barry

Compaq Computer Corporation   Compaq Secure Web Server Project Team
110 Spit Brook Road   OpenVMS System Software Group
Nashua, NH  03062 Business Critical Server Group
(603) 884-0634

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 6:54 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [BugDB] Client Authentication BUG with FakeBasicAuth (PR#695)


Full_Name: Sergio Rabellino
Version: 2.8.8
OS: Solaris 7
Submission from: (NULL) (130.192.239.73)


The if in ssl_engine_kernel.c at line 1130 that checks against DN/password
authorization directly from a client also breaks the internal redirect done by
Apache under some conditions, such as directory indexing...

So if you use client auth with fake basic auth and require an index, you get a
301 followed by a 403 (Forbidden)...

Below I've attached a diff patch to correct this behaviour; I've tested it on my
hosts and all things should be fine now.

Thanks to Nick Miles for pointing me to the solution.

Bye.

---snip
1130,1147d1129
  * Make sure the user is not able to fake the client certificate
  * based authentication by just entering an X.509 Subject DN
  * (/XX=YYY/XX=YYY/..) as the username and password as the
  * password.
  */
 if ((cpAL = ap_table_get(r-headers_in, Authorization)) != NULL) {
 if (strcEQ(ap_getword(r-pool, cpAL, ' '), Basic)) {
 while (*cpAL == ' ' || *cpAL == '\t')
 cpAL++;
 cpAL = ap_pbase64decode(r-pool, cpAL);
 cpUN = ap_getword_nulls(r-pool, cpAL, ':');
 cpPW = cpAL;
 if (cpUN[0] == '/'  strEQ(cpPW, password))
 return FORBIDDEN;
 }
 }
 
 /*
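Review bot: this deletion (1130,1147d1129) on its own removes the only guard against a '/'-prefixed DN being supplied as the Basic username with "password" as the password, and its last deleted line is the ` /*` that opened the following comment, so the ` /*` left at line 1129 now has to pair with the "We decline operation" text; both only hold together if the 1158a1141,1161 insertion lands in the same commit. The follow-up's smaller alternative, leaving the check here but wrapping it in ap_is_initial_req(r), would avoid moving the block and the comment re-pairing entirely.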
1158a1141,1161
   {
   /*
   * Make sure the user is not able to fake the client certificate
   * based authentication by just entering an X.509 Subject DN
   * (/XX=YYY/XX=YYY/..) as the username and password as the
   * password.
   */
   if ((cpAL = ap_table_get(r-headers_in, Authorization)) != NULL) {
   if (strcEQ(ap_getword(r-pool, cpAL, ' '), Basic)) {
   while (*cpAL == ' ' || *cpAL == '\t')
   cpAL++;
   cpAL = ap_pbase64decode(r-pool, cpAL);
   cpUN = ap_getword_nulls(r-pool, cpAL, ':');
   cpPW = cpAL;
   if (cpUN[0] == '/'  strEQ(cpPW, password))
   {
   ssl_log(r-server, SSL_LOG_INFO, WARNING: Old mod_ssl
breakthrough solicited (FakeBasicAuth by DN) !);
   return FORBIDDEN;
   }
   }
   }
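Review bot: the `{` on the first added line of 1158a1141,1161 is not closed within this hunk; its `}` arrives separately in 1159a1163, and the statement being wrapped (original line 1159) is not shown at all in this diff format, so please resubmit as a context diff (diff -c or diff -u) so the new block can be verified as a unit. On the added ssl_log call, the text says "WARNING:" but the level is SSL_LOG_INFO; log it at SSL_LOG_WARN and reword "Old mod_ssl breakthrough solicited (FakeBasicAuth by DN)" to state what was observed, e.g. "FakeBasicAuth spoof attempt: X.509 DN supplied as Basic username".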
1159a1163
   }
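Review bot: this lone `}` closes the block opened in the previous hunk (1158a1141,1161); a brace whose open and close fall in different hunks is easy to misread, which is another reason to submit this as a context or unified diff.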
1160a1165
 
--snip
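
A Python model, added here and not mod_ssl's own code, of the three orderings discussed in this thread: the 2.8.8 check that runs before the DECLINED tests, the PR#695 patch that moves it under the missing-client-DN branch, and the ap_is_initial_req() alternative raised above. The request dictionary standing in for request_rec, the DN "/O=TEST/CN=pako" and the directory-index redirect flow are constructed for the example; the fixed password "password" and the injected "Basic base64(DN:password)" header are how FakeBasicAuth works in mod_ssl.

```python
import base64
DECLINED, FORBIDDEN = "DECLINED", "FORBIDDEN"
FAKE_PASSWORD = "password"  # the fixed password mod_ssl pairs with the client DN

def is_dn_spoof(authorization):  # Basic creds with a '/'-prefixed DN as user and "password" as password
    scheme, _, blob = (authorization or "").partition(" ")
    try:
        user, _, pw = base64.b64decode(blob.strip(), validate=True).decode("latin-1").partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return scheme.lower() == "basic" and user.startswith("/") and pw == FAKE_PASSWORD

def declines(req):  # the four DECLINED conditions that precede the client-DN lookup
    return not (req["ssl_enabled"] and req["ssl"] and req["fake_basic_auth"]) or req["user"] is not None

def fake_auth(req):  # inject "Basic base64(DN:password)" into headers_in for mod_auth, then decline
    creds = base64.b64encode(f'{req["client_dn"]}:{FAKE_PASSWORD}'.encode()).decode()
    req["headers"]["Authorization"] = "Basic " + creds
    return DECLINED

def hook_pre_patch(req):  # mod_ssl 2.8.8 order: spoof check before any DECLINED check
    if is_dn_spoof(req["headers"].get("Authorization")):
        return FORBIDDEN
    if declines(req) or req["client_dn"] is None:
        return DECLINED
    return fake_auth(req)

def hook_patched(req):  # PR#695 order: DECLINEs first, spoof check only when no client DN exists
    if declines(req):
        return DECLINED
    if req["client_dn"] is None:
        return FORBIDDEN if is_dn_spoof(req["headers"].get("Authorization")) else DECLINED
    return fake_auth(req)

def hook_initial_only(req):  # Rick Barry's alternative: keep the early check, only on the initial request
    if req["initial"] and is_dn_spoof(req["headers"].get("Authorization")):
        return FORBIDDEN
    if declines(req) or req["client_dn"] is None:
        return DECLINED
    return fake_auth(req)

def make_request(client_dn=None, headers=None, initial=True, user=None):  # constructed request_rec stand-in
    return {"ssl_enabled": True, "ssl": True, "fake_basic_auth": True, "user": user,
            "client_dn": client_dn, "headers": dict(headers or {}), "initial": initial}

def directory_index_flow(hook):  # constructed: GET /dir with a client cert, then Apache's internal redirect
    first = make_request(client_dn="/O=TEST/CN=pako")
    hook(first)  # leaves the fake Authorization header behind in headers_in
    redirect = make_request(client_dn="/O=TEST/CN=pako", headers=first["headers"], initial=False)
    return hook(redirect)
```

directory_index_flow(hook_pre_patch) reproduces the reported 403 on the redirect, while the other two orderings return DECLINED there and all three still return FORBIDDEN for a request that carries the forged header without a client certificate.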

Re: OpenSSL with mod_ssl in Apache 2.0.35

2002-05-07 Thread MegaZone

Once upon a time MegaZone shaped the electrons to say...
 The platform is Solaris 8.

[snip]

Whoa, that got stuck in the Ether for a while - I sent this out earlier
last night than the message that came through then.

This was the issue with the non-shared OpenSSL.

-MZ, CISSP #3762, RHCE #806199299900541
-- 
URL:mailto:[EMAIL PROTECTED] Gweep, Discordian, Author, Engineer, me..
A little nonsense now and then, is relished by the wisest men 781-788-0130
URL:http://www.megazone.org/  URL:http://www.eyrie-productions.com/ Eris
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]