Re: Runs on local...but can't see it anywhere else

2002-05-17 Thread Peter Viertel

You say you can connect to the 'actual server address' while on the
actual machine but not from across the network.

You do not say which operating system you're using - but if it's redhat
linux for example, perhaps you've got iptables rules. Otherwise, is
network routing ok, like does the machine have its default route set
correctly?

Alex Earl wrote:

>Hi!
>
>First off I would like to thank you for your help and knowledge! I enjoy
>this forum a lot!
>
>I have set up mod_ssl with Apache 1.3 and everything seems to run just fine
>on the local machine. I can curl https://localhost (and the actual server
>address) and get the right stuff...but when I try to access it from anywhere
>else I get a server not found error. Any ideas?!
>
>Thanks!
>
>Alex Earl
>
>__
>Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
>User Support Mailing List  [EMAIL PROTECTED]
>Automated List Manager[EMAIL PROTECTED]
>
>





RE: Runs on local...but can't see it anywhere else

2002-05-17 Thread John . Airey

A small correction, RedHat Linux is still using ipchains. 

ipchains -L

From the command line as root will show if you have any ipchains rules.

The simplest way to fix is to type "setup", go into firewall configuration
and make the interface "trusted". It does neuter ipchains somewhat though.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

If Charles Darwin knew a fraction of what scientists know today, he'd never
have written the Origin of the Species.



- 

NOTICE: The information contained in this email and any attachments is 
confidential and may be legally privileged. If you are not the 
intended recipient you are hereby notified that you must not use, 
disclose, distribute, copy, print or rely on this email's content. If 
you are not the intended recipient, please notify the sender 
immediately and then delete the email and any attachments from your 
system.

RNIB has made strenuous efforts to ensure that emails and any 
attachments generated by its staff are free from viruses. However, it 
cannot accept any responsibility for any viruses which are 
transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email 
and any attachments are those of the author and do not necessarily 
represent those of RNIB.

RNIB Registered Charity Number: 226227

Website: http://www.rnib.org.uk 

14th June 2002 is RNIB Look Loud Day - visit http://www.lookloud.org.uk to
find out all about it.




[BugDB] ssl_rand_seed needs to open in binary mode (PR#705)

2002-05-17 Thread modssl-bugdb

Full_Name: EKR
Version: 2.8.8-1.3.24
OS: NT 4.0
Submission from: (NULL) (198.144.203.242)


ssl_engine_rand.c:ssl_rand_seed() fopens the random file in text mode. On Unix
this is fine but on Windows this means that it will stop as soon as it sees an
EOD in the file. Since the random file is often random binary data, this means
that with high probability the entire file will not be read. This can lead to
insufficient amounts of entropy being delivered to OpenSSL. The fix is to
change:

    if ((fp = ap_pfopen(p, pRandSeed->cpPath, "r")) == NULL)
        continue;

to:

    if ((fp = ap_pfopen(p, pRandSeed->cpPath, "rb")) == NULL)
        continue;
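The effect described in the report above, as an added example that is not code from the bug report or from mod_ssl: text_mode_visible() simulates where a text-mode read stops on Windows (the first 0x1A byte, Ctrl-Z, which the Windows C runtime treats as end of input), prob_full_read() gives the chance that a random seed file contains no such byte, and read_seed_checked() is a loader that reports a short read. All function names and the seed_demo.bin sample file are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* 0x1A (Ctrl-Z): the Windows C runtime ends a text-mode ("r") read here. */
#define CTRL_Z 0x1A

/* Constructed sample "seed": bytes 0x15, 0x16, ... so offset 5 holds 0x1A. */
void make_sample(unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        buf[i] = (unsigned char)(0x15 + i);
}

/* Bytes a Windows text-mode reader would deliver from this buffer:
 * everything before the first 0x1A. Simulation only; CR/LF translation,
 * which can shrink the data further, is ignored. */
size_t text_mode_visible(const unsigned char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (buf[i] == CTRL_Z)
            return i;
    return len;
}

/* Probability that n uniformly random bytes contain no 0x1A at all,
 * i.e. that a text-mode read would reach the real end of the file. */
double prob_full_read(size_t n)
{
    double p = 1.0;
    while (n--)
        p *= 255.0 / 256.0;
    return p;
}

/* Size of a file in bytes, measured on a binary stream; -1 on error. */
long file_size(const char *path)
{
    FILE *fp = fopen(path, "rb");
    long size = -1;
    if (fp == NULL)
        return -1;
    if (fseek(fp, 0L, SEEK_END) == 0)
        size = ftell(fp);
    fclose(fp);
    return size;
}

/* Hypothetical seed loader (not mod_ssl's). Reads up to cap bytes using the
 * given fopen mode and compares the count with min(file size, cap).
 * Returns 0 if everything arrived, 1 on a short read (the caller should
 * treat this as a seeding failure), -1 if the file cannot be opened. */
int read_seed_checked(const char *path, const char *mode,
                      unsigned char *out, size_t cap, size_t *got)
{
    long size = file_size(path);
    size_t want;
    FILE *fp;

    *got = 0;
    if (size < 0 || (fp = fopen(path, mode)) == NULL)
        return -1;
    want = (size_t)size < cap ? (size_t)size : cap;
    *got = fread(out, 1, want, fp);
    fclose(fp);
    return *got == want ? 0 : 1;
}

/* Write a buffer to disk in binary mode; 0 on success, -1 on failure. */
int write_file(const char *path, const unsigned char *buf, size_t len)
{
    FILE *fp = fopen(path, "wb");
    size_t n;
    if (fp == NULL)
        return -1;
    n = fwrite(buf, 1, len, fp);
    return (fclose(fp) == 0 && n == len) ? 0 : -1;
}

int main(void)
{
    unsigned char sample[64], out[64];
    size_t got = 0;

    make_sample(sample, sizeof sample);
    printf("text mode on Windows would deliver %lu of %lu bytes\n",
           (unsigned long)text_mode_visible(sample, sizeof sample),
           (unsigned long)sizeof sample);
    printf("P(no 0x1A in 1024 random bytes) = %.4f\n", prob_full_read(1024));

    if (write_file("seed_demo.bin", sample, sizeof sample) == 0) {
        int rc = read_seed_checked("seed_demo.bin", "rb", out, sizeof out, &got);
        printf("binary read: rc=%d, %lu bytes\n", rc, (unsigned long)got);
        remove("seed_demo.bin");
    }
    return 0;
}
```

On Windows, passing "r" instead of "rb" to read_seed_checked() makes it return 1 for this sample, because the read ends at offset 5.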



RE: handshake problem with IE

2002-05-17 Thread b . courtin

Hi Heribert,

are you sure these errors are caused by access/communication with the Microsoft 
Internet Explorer 6.0.2600.000? Do they only occur when the webserver is accessed by 
a browser (i.e. MS IE6) or on a regular basis: are you sure your web-servers are not 
behind any kind of load balancer which is sending "pings" or "keepalive" requests to 
your webserver? 

Kind regards,
B. Courtin



-Original Message-
From: Heribert Steuer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 16, 2002 7:12 PM
To: [EMAIL PROTECTED]
Subject: handshake problem with IE


Hello everybody,

I was already reading the posts on this issue, but all suggested tips
didn't help at all.
server is apache (see version numbers below) running on OpenBSD
3.0stable
client is Microsoft Internet Explorer 6.0.2600.000 with 128bit
encryption


the logs say the following  (at least they are full of it):

[Thu May 16 18:52:12 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Thu May 16 18:52:12 2002] [error] System: Connection reset by peer (errno: 54)


ssl_engine_log is :

[16/May/2002 18:52:13 06053] [info]  Connection to child 0 established (server cyrus.freiburg.peh:443, client 192.168.30.30)
[16/May/2002 18:52:13 06053] [info]  Seeding PRNG with 1160 bytes of entropy
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Handshake: start
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: before/accept initialization
[16/May/2002 18:52:13 06053] [debug] OpenSSL: read 11/11 bytes from BIO#00A259C0 [mem: 00CCE000] (BIO dump follows)
[...]
[16/May/2002 18:52:13 06053] [debug] OpenSSL: read 67/67 bytes from BIO#00A259C0 [mem: 00CCE00B] (BIO dump follows)
[...]
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: SSLv3 read client hello A
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: SSLv3 write server hello A
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: SSLv3 write certificate A
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: SSLv3 write server done A
[16/May/2002 18:52:13 06053] [debug] OpenSSL: write 762/762 bytes to BIO#00A259C0 [mem: 00CA3000] (BIO dump follows)
[...]
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: SSLv3 flush data
[16/May/2002 18:52:13 06053] [debug] OpenSSL: I/O error, 5 bytes expected to read on BIO#00A259C0 [mem: 00CCE000]
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Exit: error in SSLv3 read client certificate A
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Exit: error in SSLv3 read client certificate A
[16/May/2002 18:52:13 06053] [error] SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[16/May/2002 18:52:13 06053] [error] System: Connection reset by peer (errno: 54)



OpenSSL 0.9.6b [engine] 9 Jul 2001
mod_ssl version 2.8
mod_perl-1.26

Server version: Apache/1.3.19 (Unix)
Server built:   Oct 15 2001 11:48:41
Server's Module Magic Number: 19990320:10
Server compiled with
 -D EAPI
 -D HAVE_MMAP
 -D HAVE_SHMGET
 -D USE_MMAP_SCOREBOARD
 -D USE_MMAP_FILES
 -D USE_FLOCK_SERIALIZED_ACCEPT
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D HTTPD_ROOT="/var/www"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/httpd.scoreboard"
 -D DEFAULT_LOCKFILE="logs/httpd.lock"
 -D DEFAULT_XFERLOG="logs/access_log"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
 -D ACCESS_CONFIG_FILE="conf/access.conf"
 -D RESOURCE_CONFIG_FILE="conf/srm.conf"


if there's a need for more details, just let me know. this problem occurs
on 3 different machines
(all running OpenBSD with different versions of apache/mod_ssl)
I hope someone can help.


thanks in advance

Heribert Steuer



IE 5.00 - 5.01 SSL Connection Failures

2002-05-17 Thread Louis Sabet

Hi List,

I work for a mobile phone retail company in the UK - www.mobiles.co.uk

Recently we discovered that several of our customers were unable to
complete the secure portions of their orders. The only common factor
with all these problems were that all customers were using IE 5.00 to IE
5.01.

Under Internet Explorer they receive "Page Cannot Be Found". With
Netscape all works fine, and with all other recent Internet Explorer
versions, a successful connection can be made.

I found nothing useful on the Microsoft site other than this:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q244302

It may be the root of the problem, but we cannot ask the 33% of our
customers who use IE5 to patch their machines before accessing our site.

It is obvious that MOST connections to https sites can be made from IE5,
or it would have been better documented.

I contacted Verisign to find out if there was a reason some certificates
were useable with IE5, and others weren't, but I found their technical
support to be quite useless.

My last option is to ask you guys whether this could be a configuration
issue - or whether there is some configuration tweak I can make to get
around this problem for our IE5 users.

Best regards,

Louis

-- 
Louis Sabet <[EMAIL PROTECTED]>
http://www.webtedium.com/





RE: IE 5.00 - 5.01 SSL Connection Failures

2002-05-17 Thread Jeff


MS IE 5.00 was a flawed release, that MS very quickly (4 weeks) replaced
with 5.01, mainly for security reasons. You should be able to get any
reasonable users (corporate or otherwise) to upgrade asap. MSIE 5.00 has
some serious bugs when using SSL and caching, so you may be able to
tweak all your users' caching settings, and also to look at making your
pages non-cacheable. I have to say though that in our experience with a
group of 10 users of 5.00 it was far easier to get them to switch to
Netscape until their 5.01 (in fact they went for 5.5) arrived.

The more SSL connections that are used, the more likely that failures
will occur - in downloading stylesheets, javascript, images etc, leading
to odd bugs and ugly pages.


The problems you describe with 5.01, I have seen when SSL keepalive
settings were enabled on the web-server. The SSLKeepAlive settings were
invented to speed up a client's access to your site, so that as
subsequent requests for images, css, etc etc were made, the SSL
negotiation overhead was short-circuited. Unfortunately the MS 5.xx
browsers never quite got it right. We use Apache, and this is the
setting in httpd.conf
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

You can check your SSL logs to see if the keepalive settings are active
- if they are you will see an incrementing number associated with each
request from the same user that indicates the SSL negotiation was
short-cut, and that previously negotiated keys are being used.

'nokeepalive' is fractionally slower, but at least your users will not
get the regular 'page cannot be found' issue.

As to sharing Client Certs between IE and NS - we do this happily for NS
4.0-4.75 and MSIE 5.01-6.0 without any issues.


Regards
Jeff







Re: Runs on local...but can't see it anywhere else

2002-05-17 Thread Dale Weaver


Make sure your server is set up in DNS for your domain as well.

-

"Let me up to get my bat and I'll thank you."
   -- Calvin
___

Dale Weaver   [EMAIL PROTECTED]
UNIX Systems Administrator(919) 662-3508
Wake Technical Community College  fax (919) 779-3360

On Fri, 17 May 2002, DG Speekenbrink wrote:

> Hi,
> 
> This sounds more like a general Apache config problem.
> is it possible to request pages with the regular http:// request?
> 
> If not, some settings in your httpd.conf are the problem.
> 
> Good luck,
> 
> Dennis
> 



RE: IE 5.00 - 5.01 SSL Connection Failures

2002-05-17 Thread John . Airey

Just to concur with Jeff, IE5.00 is useless. At the end of June Microsoft
are dropping support for IE5.01SP2. I can't remember right now where I found
that out, and 

http://support.microsoft.com/default.aspx?scid=%2fdefault.aspx%3fscid%3dfh%3ben-us%3bobsprodi 

Doesn't list IE5.01 as obsolete, although IE5.5SP2 is listed as a
replacement for other versions of IE. Of course, the obsolete list is
incomplete anyway (Office 97 is missing, as was mentioned in this week's
Woody's Office Watch. I'm the one who got it in there).

A minimum of IE5.5SP2 is required now, although of course people will be
using older versions. As an organisation we are dependent on IE (since we
use VBScript a lot) and so we are moving up to IE5.5SP2 gradually.

Having said that, I've just posted to Bugtraq a comment that the latest
update (MS02-23, or Q321232 depending on your preferences) is refusing to
install on some Windows 2000 machines. 

Don't we just love Microsoft?

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

If Charles Darwin knew a fraction of what scientists know today, he'd never
have written the Origin of the Species.



Re: IE 5.00 - 5.01 SSL Connection Failures

2002-05-17 Thread Louis Sabet


On Fri, 17 May 2002 13:51:15 +0100
"Jeff" <[EMAIL PROTECTED]> wrote:

> MS IE 5.00 was a flawed release, that MS very quickly (4 weeks) replaced
> with 5.01, mainly for security reasons. You should be able to get any
> reasonable users (corporate or otherwise) to upgrade asap. MSIE 5.00 has
> some serious bugs when using SSL and caching, so you may be able to
> tweak all your users' caching settings, and also to look at making your
> pages non-cacheable. I have to say though that in our experience with a
> group of 10 users of 5.00 it was far easier to get them to switch to
> Netscape until their 5.01 (in fact they went for 5.5) arrived.

Unfortunately in this sector of retail, our target audience is very
fickle, and an abundance of similar online retailers in recent years
have made this an extremely competitive market. We cannot afford to
aggravate any customers at this point.

In addition, a large proportion of our customers have little or no
previous IT experience and cannot be expected to apply patches no matter
how trivial it may seem to us!
 
***SNIP***
 
> The problems you describe with 5.01, I have seen when SSL keepalive
> settings were enabled on the web-server. The SSLKeepAlive settings were
> invented to speed up a client's access to your site, so that as
> subsequent requests for images, css, etc etc were made, the SSL
> negotiation overhead was short-circuited. Unfortunately the MS 5.xx
> browsers never quite got it right. We use Apache, and this is the
> setting in httpd.conf
>   SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

I checked our httpd.conf, and indeed we have the same line in all our
SSL sites. So this particular problem must lie elsewhere.

I'll agree with people's comments on IE5 being terrible, but
unfortunately as an online retailer we have no choice as to what our
customers access our website with, and a disturbing number of customers
(33%) happen to be using IE5.00 to 5.01.

If anyone else has any comments, they would be very much appreciated at
this point!
 

-- 
Louis Sabet <[EMAIL PROTECTED]>
http://www.webtedium.com/



RE: IE 5.00 - 5.01 SSL Connection Failures

2002-05-17 Thread John . Airey

Simply send them to http://windowsupdate.microsoft.com, and talk them
through it if you have to. 

Things could get worse for them if they don't anyway.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

If Charles Darwin knew a fraction of what scientists know today, he'd never
have written the Origin of the Species.







Re: Runs on local...but can't see it anywhere else

2002-05-17 Thread Alex Earl

My regular server stuff runs fine. I think it has something to do with the
ipchains as other people have mentioned. I am looking into it now. Thanks
everyone!





RE: handshake problem with IE

2002-05-17 Thread Heribert Steuer

Dear B. Courtin,

all the webservers run in local networks and don't pass any other
machines (like proxies or load balancers).
the logs show the correct IP of the clients.
when running non-ssl connections the error doesn't occur at all (same
machine, same pages, same client).
I also never discovered this problem using NS4.x
So I'm quite sure it's an IE problem. It's known that IE is quite crappy
with https, but there must be a way to solve this.
Keepalive is turned off for the whole server. So that cannot be the
problem.
For completeness I attached the virtualhost config section of the
httpd.conf
Any other ideas?

Regards,
Heribert Steuer


--SNIP!--


  # resolved by internal dns
  ServerName oms.freiburg.peh

  SSLEngine on
  SSLCertificateFile conf/ssl.crt/server.crt
  SSLCertificateKeyFile conf/ssl.key/server.key
  
SSLOptions +StdEnvVars
  



  DocumentRoot  /webroot/peh.internal.net/htdocs
  ServerAdmin   [EMAIL PROTECTED]
  ScriptAlias   /cgi-bin/ /webroot/peh.internal.net/cgi-bin/
  ScriptAlias   /perl-bin/ /webroot/peh.internal.net/perl-bin/
  LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
  CustomLog /webroot/peh.internal.net/logs/access_log vcommon
  ErrorLog  /webroot/peh.internal.net/logs/error_log

  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  
Options FollowSymLinks
AllowOverride All
SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0

  
  
SetHandler perl-script
PerlHandler Apache::Registry
PerlSendHeader On
Options ExecCGI
  


  # Unauthorized
  ErrorDocument 401 /error_html/401.html
  # Payment Required
  ErrorDocument 402 /error_html/402.html
  # Forbidden
  ErrorDocument 403 /error_html/403.html
  # Not Found
  ErrorDocument 404 /error_html/404.html
  # Internal Server Error
  ErrorDocument 500 /error_html/500.html







--SNIP!--



Original Message

Hi Heribert,

 are you sure these errors are caused by access/commmunication
with the Microsoft
 Internet Explorer 6.0.2600.000? Do they only occour when the
webserver is accessed by
 a browser (i.e. MS IE6) or on a regulary basis: are you sure
your web-servers are not
 behind any kind of load balancer which is sending "pings" or
"keepalive" requests to
 your webserver?

 Kind regards,
 B. Courtin



 -Original Message-
 From: Heribert Steuer [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, May 16, 2002 7:12 PM
 To: [EMAIL PROTECTED]
 Subject: handshake problem with IE


 Hello everybody,

 i was already reading the posts on this issue, but all
suggested tips
 didnt help at all.
 server is apache (see version numbers below) running on OpenBSD

 3.0stable
 client is Microsoft Internet Explorer 6.0.2600.000 with 128bit
 encryption


 the logs say the following (at least they are full of it):

 [Thu May 16 18:52:12 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
 [Thu May 16 18:52:12 2002] [error] System: Connection reset by peer (errno: 54)


 ssl_engine_log is :

 [16/May/2002 18:52:13 06053] [info]  Connection to child 0 established (server cyrus.freiburg.peh:443, client 192.168.30.30)
 [16/May/2002 18:52:13 06053] [info]  Seeding PRNG with 1160 bytes of entropy
 [16/May/2002 18:52:13 06053] [trace] OpenSSL: Handshake: start
 [16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: before/accept initialization
 [16/May/2002 18:52:13 06053] [debug] OpenSSL: read 11/11 bytes from BIO#00A259C0 [mem: 00CCE000] (BIO dump follows)
 [...]
 [16/May/2002 18:52:13 06053] [debug] OpenSSL: read 67/67 bytes from BIO#00A259C0 [mem: 00CCE00B] (BIO dump follows)
 [...]
 [16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: SSLv3 read client hello A
 [16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: SSLv3 write server hello A
 [16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: SSLv3 write certificate A
 [16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: SSLv3 write server done A
 [16/May/2002 18:52:13 06053] [debug] OpenSSL: write 762/762 bytes to BIO#00A259C0 [mem: 00CA3000] (BIO dump follows)
 [...]
 [16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: SSLv3 flush data
 [16/May/2002 18:52:13 06053] [debug] OpenSSL: I/O error, 5 bytes expected to read on BIO#00A259C0 [mem: 00CCE000]
 [16/May/2002 18:52:13 06053] [trace] OpenSSL: Exit: error in SSLv3 read client certificate A
 [16/May/2002 18:52:13 06053] [trace] OpenSSL: Exit: error in SSLv3 read client certificate A
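
An added example, not part of the original thread: a small Python parser that groups ssl_engine_log trace lines like those quoted above into handshakes per child PID and reports the state in which each one ended. The first connection in SAMPLE is the trace and I/O error lines of the excerpt above with the mail-wrapped lines re-joined; the second connection is constructed for contrast, and the function names are this example's own.

```python
import re

# "[date time pid] [level] OpenSSL: message", as in the excerpt above
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+?) (?P<pid>\d+)\] \[(?P<level>\w+)\]\s+OpenSSL: (?P<msg>.*)$"
)

# Connection 1: lines from the quoted log. Connection 2 (pid 06054): constructed.
SAMPLE = """\
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Handshake: start
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: before/accept initialization
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: SSLv3 read client hello A
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: SSLv3 write server hello A
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: SSLv3 write certificate A
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: SSLv3 write server done A
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Loop: SSLv3 flush data
[16/May/2002 18:52:13 06053] [debug] OpenSSL: I/O error, 5 bytes expected to read on BIO#00A259C0 [mem: 00CCE000]
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Exit: error in SSLv3 read client certificate A
[16/May/2002 18:52:13 06053] [trace] OpenSSL: Exit: error in SSLv3 read client certificate A
[16/May/2002 18:52:20 06054] [trace] OpenSSL: Handshake: start
[16/May/2002 18:52:20 06054] [trace] OpenSSL: Loop: SSLv3 read client hello A
[16/May/2002 18:52:20 06054] [trace] OpenSSL: Loop: SSLv3 write server done A
[16/May/2002 18:52:20 06054] [trace] OpenSSL: Loop: SSLv3 read finished A
[16/May/2002 18:52:20 06054] [trace] OpenSSL: Handshake: done
"""


def handshakes(text):
    """Group trace lines per child PID into handshakes and record how each ended."""
    open_by_pid, finished = {}, []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # non-OpenSSL lines, BIO dumps, "[...]" elisions
        pid, msg = m["pid"], m["msg"]
        if msg == "Handshake: start":
            open_by_pid[pid] = {"pid": pid, "start": m["ts"], "states": [],
                                "outcome": "incomplete", "failed_in": None,
                                "io_error": False}
            continue
        hs = open_by_pid.get(pid)
        if hs is None:
            continue  # e.g. the repeated "Exit:" line after the record was closed
        if msg.startswith("Loop: "):
            hs["states"].append(msg[len("Loop: "):])
        elif msg.startswith("I/O error"):
            hs["io_error"] = True
        elif msg.startswith(("Exit: error in ", "Exit: failed in ")):
            hs["outcome"] = "error"
            hs["failed_in"] = msg.split(" in ", 1)[1]
            finished.append(open_by_pid.pop(pid))
        elif msg == "Handshake: done":
            hs["outcome"] = "done"
            finished.append(open_by_pid.pop(pid))
    return finished + list(open_by_pid.values())


def diagnose(hs):
    """One-line reading of a handshake record."""
    if hs["outcome"] == "done":
        return "completed"
    if hs["outcome"] == "incomplete":
        return "no exit or done line logged"
    sent = [s for s in hs["states"] if " write " in s]
    last_sent = sent[-1] if sent else "nothing"
    where = "reading from client" if " read " in hs["failed_in"] else "writing to client"
    cause = "I/O error on the socket" if hs["io_error"] else "protocol error"
    return f"{cause} while {where} in '{hs['failed_in']}'; last message sent: '{last_sent}'"


if __name__ == "__main__":
    for hs in handshakes(SAMPLE):
        print(hs["pid"], hs["start"], "->", diagnose(hs))
```

For the quoted connection this reports an I/O error while the server was reading from the client, after the server had already written its hello, certificate and done messages, which matches the "Connection reset by peer" entry in the error log.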
 

RE: IE 5.00 - 5.01 SSL Connection Failures

2002-05-17 Thread Jeff

> In addition, a large proportion of our customers have little or no
> previous IT experience and cannot be expected to apply patches no matter
> how trivial it may seem to us!

We had some top-notch technical people spend more than three months,
setting up an isolated web/client environment to duplicate customers'
configurations in order to track down, isolate and see if there was a
fix for this intermittent problem. 

We tested a vast range of both client and server configurations,
(including win9x/ME/NT clients to see if there were OS specific DLLs
causing the issues), to see if there were any combinations that might
improve the situation - as I mentioned, you can improve it by fiddling
with the client caching settings - but this is actually harder for
clients to do than upgrading IE using a free CD. It also requires that
you carefully craft your server cache directives for MSIE 5.00 clients. 

After three months of investigation, testing and email exchanges with MS
support, we concluded that there was no practical solution. We will take
our hats off for you if you can find one. We believe that MSIE 5.00/SSL
goes into the same bucket as the yeti - no-one's ever seen a real
commercial version of the beastie, and we ain't gonna $pend more time
hunting it. 

The Bad Thing that will happen, is that your site will appear flaky to
your customers. If you can live with that, good and well - otherwise,
consider not using SSL for some bits [not an option for us]. 

You can also minimise the issues with some site redesign - make sure
there is only ONE thing per request - no images, external JavaScript or
external style-sheets etc, then at least the failure is total, rather
than indeterminate, and users can get away with pressing refresh. We
operate commercial sites on an ASP basis with high user expectations, so
this wasn't an option for us.

IMHO 33% of your market isn't really buying stuff reliably elsewhere
using SSL and MSIE 5.00


On the 5.01 problems I can offer more hope - we have lots of clients
happily using 5.01 with certs and SSL, through proxies and firewalls
without issues - this one is grokkable. Apart from the early SSL
keepalive, we have had no issues with 5.01.

Regards
Jeff





Re: IE 5.00 - 5.01 SSL Connection Failures

2002-05-17 Thread Peter Viertel






Let me guess you have a '128 bit' SGC certificate on your server? If you do
then change your cipher suite to not offer EXPORT56, for example:

 SSLCipherSuite !EXPORT56:ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

This results in most people with older clients using 40 bit encryption,
and people who care about security and upgrade their software get 128bit
SSL3 or TLS.

You should alter your logs to log the resultant SSL cipher type and length
so you can get some info on which clients give you problems - and you could
put some warning notes about the browser types on the site somewhere to cover
your butts.

 
 Louis Sabet wrote:


  On Fri, 17 May 2002 13:51:15 +0100
"Jeff" <[EMAIL PROTECTED]> wrote:

  

  
MS IE 5.00 was a flawed release, that MS very quickly (4 weeks) replaced
with 5.01, mainly for security reasons. You should be able to get any
reasonable users (corporate or otherwise) to upgrade asap. MSIE 5.00 has
some serious bugs when using SSL and caching, so you may be able to
tweak all your users' caching settings, and also to look at making your
pages non-cacheable. I have to say though that in our experience with a
group of 10 users of 5.00 it was far easier to get them to switch to
Netscape until their 5.01 (in fact they went for 5.5) arrived.

   

  
Unfortunately in this sector of retail, our target audience is very
fickle, and an abundance of similar online retailers in recent years
have made this an extremely competitive market. We cannot afford to
aggravate any customers at this point.

In addition, a large proportion of our customers have little or no
previous IT experience and cannot be expected to apply patches no matter
how trivial it may seem to us!

***SNIP***

  

  
The problems you describe with 5.01, I have seen when SSL keepalive
settings were enabled on the web-server. The SSLKeepAlive settings were
invented to speed up a client's access to your site, so that as
subsequent requests for images, css, etc etc were made, the SSL
negotiation overhead was short-circuited. Unfortunately the MS 5.xx
browsers never quite got it right. We use Apache, and this is the
setting in httpd.conf
  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

   

  
I checked our httpd.conf, and indeed we have the same line in all our
SSL sites. So this particular problem must lie elsewhere.

I'll agree with peoples' comments on IE5 being terrible, but
unfortunately as an online retailer we have no choice as to what our
customers access our website with, and a disturbing number of customers
(33%) happen to be using IE5.00 to 5.01.

If anyone else has any comments, they would be very much appreciated at
this point!

  

  
You can check your SSL logs to see if the keepalive settings are active
- if they are you will see an incrementing number associated with each
request from the same user that indicates the SSL negotiation was
short-cut, and that previously negotiated keys are being used.

'nokeepalive' is fractionally slower, but at least your users will not
get the regular 'page cannot be found' issue.

As to sharing Client Certs between IE and NS - we do this happily for NS
4.0-4.75 and MSIE 5.01-6.0 without any issues.


Regards
Jeff




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Louis Sabet
Sent: 17 May 2002 13:29
To: [EMAIL PROTECTED]
Subject: IE 5.00 - 5.01 SSL Connection Failures


Hi List,

I work for a mobile phone retail company in the UK - www.mobiles.co.uk

Recently we discovered that several of our customers were unable to
complete the secure portions of their orders. The only common factor
with all these problems were that all customers were using IE 5.00 to IE
5.01.

Under Internet Explorer they receive "Page Cannot Be Found". With
Netscape all works fine, and with all other recent Internet Explorer
versions, a successful connection can be made.

I found nothing useful on the Microsoft site other than this:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q244302

It may be the root of the problem, but we cannot ask the 33% of our
customers who use IE5 to patch their machines before accessing our site.

It is obvious that MOST connections to https sites can be made from IE5,
or it would have been better documented.

I contacted Verisign to find out if there was a reason some certificates
were useable with IE5, and others weren't, but I found their technical
support to be quite useless.

My last option is to ask you guys whether this could be a configuration
issue - or whether there is some configuration tweak I can make to get
around this problem for our IE5 users.

Best regards,

Louis

--
Louis Sabet <[EMAIL PROTECTED]>
http://www.webtedium.com/
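
Peter Viertel's suggestion above, to log the negotiated cipher and key length and see which clients end up with what, as an added example that is not from the thread. It assumes a CustomLog line built with mod_ssl's %{VAR}x format (shown in the comment); the log lines are constructed and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Assumed log format (not taken from the thread), using mod_ssl's %{VAR}x:
# CustomLog logs/ssl_request_log \
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x \"%{User-Agent}i\" \"%r\" %>s"
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'(?P<bits>\d+|-) "(?P<agent>[^"]*)" "(?P<request>[^"]*)" (?P<status>\d{3})$'
)
MSIE_RE = re.compile(r"MSIE (\d+\.\d+)")

# Constructed sample lines (documentation addresses, invented requests).
SAMPLE_LOG = """\
[17/May/2002:13:51:15 +0100] 192.0.2.10 SSLv3 RC4-MD5 128 "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)" "GET /order HTTP/1.1" 200
[17/May/2002:13:51:19 +0100] 192.0.2.11 SSLv3 EXP-RC4-MD5 40 "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)" "GET /order HTTP/1.0" 200
[17/May/2002:13:51:23 +0100] 192.0.2.11 SSLv3 EXP-RC4-MD5 40 "Mozilla/4.0 (compatible; MSIE 5.0; Windows 95)" "POST /order HTTP/1.0" 200
[17/May/2002:13:52:02 +0100] 192.0.2.12 SSLv2 RC4-MD5 128 "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT)" "GET /order HTTP/1.0" 200
[17/May/2002:13:52:40 +0100] 192.0.2.13 TLSv1 DES-CBC3-SHA 168 "Mozilla/4.75 [en] (Win98; U)" "GET /order HTTP/1.0" 200
[17/May/2002:13:53:05 +0100] 192.0.2.14 - - - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "GET / HTTP/1.1" 200
this line is truncated garb
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "-" means the SSL variables were empty (request did not arrive over SSL)
    rec["bits"] = None if rec["bits"] == "-" else int(rec["bits"])
    return rec


def client_family(agent):
    """Reduce a User-Agent to a coarse 'browser version' label."""
    m = MSIE_RE.search(agent)
    if m:
        return "MSIE " + m.group(1)
    m = re.match(r"Mozilla/(\d+\.\d+)", agent)
    return "Mozilla " + m.group(1) if m else "other"


def summarize(text):
    """Count (protocol, cipher, key bits) per client family; also count skipped lines."""
    per_client = defaultdict(Counter)
    skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["bits"] is None:
            skipped += 1
            continue
        per_client[client_family(rec["agent"])][(rec["proto"], rec["cipher"], rec["bits"])] += 1
    return dict(per_client), skipped


def weak_clients(per_client, min_bits=128):
    """Requests per client family that negotiated fewer than min_bits key bits."""
    report = {}
    for family, combos in per_client.items():
        n = sum(count for (_proto, _cipher, bits), count in combos.items() if bits < min_bits)
        if n:
            report[family] = n
    return report


if __name__ == "__main__":
    summary, skipped = summarize(SAMPLE_LOG)
    for family, combos in sorted(summary.items()):
        print(family, dict(combos))
    print("below 128 bits:", weak_clients(summary), "skipped lines:", skipped)
```

A request log only records connections whose handshake completed, so clients that never appear here at all are the ones to look for in the SSL engine log.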



Runs on local...but can't see it anywhere else...STILL

2002-05-17 Thread Alex Earl

I went in and changed the ipchains to allow https, but it still will not
connect from a remote location. Someone mentioned setting up DNS for my
domain. I was wondering what you meant. Again, I appreciate all your help
for a new guy!

Alex Earl




Re: Runs on local...but can't see it anywhere else...STILL

2002-05-17 Thread R. DuFresne



first, have you registered a domain?  does this server have a static IP
address that reflects to this domain?  Or is this a machine on the campus
backbone or student residential systems under the edu domain you are
posting from?

Thanks,

Ron Dufresne

On Fri, 17 May 2002, Alex Earl wrote:

> I went in and changed the ipchains to allow https, but it still will not
> connect from a remote location. Someone mentioned setting up DNS for my
> domain. I was wondering what you meant. Again, I appreciate all your help
> for a new guy!
> 
> Alex Earl
> 

-- 
~~
admin & senior security consultant:  sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!




ssl proxy

2002-05-17 Thread Petryczka, George

Hello,
Can a httpd be set up as a "secure proxy"? I.e.: forward requests from a
client (a client that doesn't get involved with any ssl stuff itself) on
to an HTTPS site?

-george





Re: ssl proxy

2002-05-17 Thread Cliff Woolley

On Fri, 17 May 2002, Petryczka, George wrote:

> Can a httpd be set up as a "secure proxy"?  Ie.: forward requests from a
> client  (a client that doesn't get involved with any ssl stuff itself)  on
> to an HTTPS site?

Yes.  With Apache 1.3 / mod_ssl 2.8.x, you _might_ have to enable
SSL_EXPERIMENTAL or something like that, I'm not sure.  But it can be
done.

--Cliff




Apache 1.3.20 and ModSSL

2002-05-17 Thread Jason Lawrence

I am trying to use the Apache NameVirtualHost option with two sites
using different certificate files.

The two virtual hosts work; however, only the cert for the first specified
virtual host is recognized. Is there any way that you can get two
certificates working in Apache for the same IP address?

Jason Lawrence

 









modssl and Apache 2.0.36

2002-05-17 Thread luis fernandes


Can modssl be compiled with Apache 2.0.36 on "Slackware 2.4.18 #14
SMP i586" (2 processor)?


The following configure line:

./configure --with-apache=../httpd-2.0.36 --with-ssl=../openssl-0.9.6c --prefix=/var/apache/apache2.0

fails with the error:

Configuring mod_ssl/2.8.8 for Apache/1.3.24
./configure:Error: Cannot find Apache 1.3 source tree under ../httpd-2.0.36
./configure:Hint:  Please specify location via --with-apache=DIR



Re: Runs on local...but can't see it anywhere else...STILL

2002-05-17 Thread Alex Earl

It has a static IP. I can access non-ssl stuff just fine. Check out
http://eagle.cs.usu.edu

When I try it with https://eagle.cs.usu.edu though it doesn't work from a
remote machine...only the local machine.



- Original Message -
From: "R. DuFresne" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 17, 2002 9:51 AM
Subject: Re: Runs on local...but can't see it anywhere else...STILL


>
>
> first, have you registered a domain?  does this server have a static IP
> address that reflects to this domain?  Or is this a machine on the campus
> backbone or student residential systems under the edu domain you are
> posting from?
>
> Thanks,
>
> Ron Dufresne



Re: Runs on local...but can't see it anywhere else...STILL

2002-05-17 Thread Jason

You probably need to add port 443 into your ipchains file

eg /etc/sysconfig/ipchains

add
-A input -s 0/0 -d 0/0 443 -p tcp -y -j ACCEPT

Or you may have some configuration program that will do this for you; I do ipchains
by hand.

- Original Message - 
From: "Alex Earl" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 17, 2002 9:56 AM
Subject: Re: Runs on local...but can't see it anywhere else...STILL


> It has a static IP. I can access non-ssl stuff just fine. Check out
> http://eagle.cs.usu.edu
> 
> When I try it with https://eagle.cs.usu.edu though it doesn't work from a
> remote machine...only the local machine.



Re: Runs on local...but can't see it anywhere else...STILL

2002-05-17 Thread Leslie Arvin

I was able to access your site using SSL from
iparho.stat.purdue.edu in Netscape 4.76 on Unix AIX
just now with no problems.

-- Leslie Arvin
   [EMAIL PROTECTED]
   Webmaster
   Purdue Statistics Dept.

Alex Earl wrote:
> 
> It has a static IP. I can access non-ssl stuff just fine. Check out
> http://eagle.cs.usu.edu
> 
> When I try it with https://eagle.cs.usu.edu though it doesn't work from a
> remote machine...only the local machine.
> 



Re: Runs on local...but can't see it anywhere else...STILL

2002-05-17 Thread Alex Earl

Thanks! I got it working a little while ago.

Alex


- Original Message -
From: "Leslie Arvin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, May 17, 2002 2:59 PM
Subject: Re: Runs on local...but can't see it anywhere else...STILL


> I was able to access your site using SSL from
> iparho.stat.purdue.edu in Netscape 4.76 on Unix AIX
> just now with no problems.
>
> -- Leslie Arvin
>[EMAIL PROTECTED]
>Webmaster
>Purdue Statistics Dept.
>



Bug in semaphore permission

2002-05-17 Thread Eider Silva de Oliveira





Hi folks,


   I've been having a problem with Apache 2.0.36 + mod_ssl 2.8.8, and I think this can be a bug.


   In proc_mutex.c line 219, function proc_mutex_sysv_create:


  new_mutex->interproc->filedes = semget(IPC_PRIVATE, 1, IPC_CREAT | 0600);


   This code is executed as root, during the module init stage, but the semaphore will be used as a common user (nobody), and there is no change of its ownership.

   I'm trying to fix this, but I don't know how to get the config user id in the module to call semctl:


    /* Only root can hand the semaphore over to another user */
    if (!geteuid()) {
        buf.sem_perm.uid = unixd_config.user_id;
        buf.sem_perm.gid = unixd_config.group_id;
        buf.sem_perm.mode = 0600;
        ick.buf = &buf;
        /* IPC_SET updates owner, group and mode of the semaphore set */
        if (semctl(new_mutex->interproc->filedes, 0, IPC_SET, ick) < 0) {
            rv = errno;
            proc_mutex_sysv_cleanup(new_mutex);
            return rv;
        }
    }


    Does anyone have a clue?


[]s


_
Eider Oliveira
ICQ#:116119057


Engenharia de Sistemas - Uol Inc
[EMAIL PROTECTED]
_