Re: Apache 1.3.26 Upgrade Question - Thanks
I just upgraded (win32) from 1.3.20 to 1.3.26 and everything works fine using the binaries on http://www.mod-ssl.com/contrib/. Just unzipped 1.3.26, stopped apache, made a copy of the original, copied over the original, restarted apache. No problems.

Justin

> -----Original Message-----
> From: Steve Romero [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 21, 2002 3:51 PM
> To: [EMAIL PROTECTED]
> Subject: MODSSL: Re: Apache 1.3.26 Upgrade Question - Thanks
>
> Jim,
>
> It would probably be a good idea to back up your old certificate before upgrading. The certificate is bound to the name of your server or the URL of your website, and not the version of Apache that is running, so you can reuse it. At least this is true with UNIX. I'm not a Windows man myself.
>
> Regards,
> Steve Romero
>
> At 07:00 PM 6/21/2002 +, you wrote:
> >Hi,
> >
> >If I upgrade our current Apache 1.3.20 server with mod_ssl built using:
> >
> >Apache_1.3.20-Mod_SSL_2.8.4-OpenSSL_0.9.6a-WIN32.zip
> >
> >to Apache 1.3.26 server with mod_ssl built using the following file:
> >
> >Apache_1.3.26-Mod_SSL_2.8.9-OpenSSL_0.9.6d-WIN32.zip,
> >
> >would I have to re-create my SSL certificate.
> >
> >My question is in light of the fact that the OpenSSL versions are different in each of these files.
> >
> >Any feedback on the stability of the new file would be very helpful.
> >
> >Thanks in advance.
> >
> >Bye,
> >-Jim.
> >
> >
> >Sorry Jim
> >
> >You'd have to wait for Monday. I haven't installed perl anymore and the build script requires that unfortunately. First got to install perl on Monday in my W2K VMWare.
> >
> >Bye
> >Tim
> >
> >On Thu, 20 Jun 2002 20:12:00 +
> >"Jim Lee" <[EMAIL PROTECTED]> wrote:
> >
> >Thanks a lot Tim.
> >
> >Words cannot express the sense of relief and gratitude that I am feeling right now.
> >
> >I would be eagerly looking tomorrow for the file:
> >Apache_1.3.26-Mod_SSL_2.8.9-OpenSSL_0.9.6d-WIN32.zip
> >at the following location:
> >http://www.modssl.org/contrib/
> >
> >Thanks a million again.
> >
> >Bye,
> >-Jim.
> >
> >
> >Hi Jim
> >
> >On Thu, 20 Jun 2002 17:48:38 +
> >"Jim Lee" <[EMAIL PROTECTED]> wrote:
> >
> >Hi,
> >
> >Please forgive my ignorance.
> >
> >I wish to create a file similar to the following one:
> >Apache_1.3.20-Mod_SSL_2.8.4-OpenSSL_0.9.6a-WIN32.zip,
> >
> >namely,
> >Apache_1.3.26-Mod_SSL_2.8.9-OpenSSL_0.9.6c-WIN32.zip,
> >
> >I need this file so that I can upgrade my current Apache 1.3.20 server with mod_ssl to Apache 1.3.26 server with mod_ssl.
> >
> >I do not have a VC++ 5.0 compiler on my desk and have no idea how I could get the above file from the apache_1.3.26.tar.gz and the mod_ssl-2.8.9-1.3.26.tar.gz and the openssl-0.9.6c.tar.gz files.
> >
> >I've got a VC++ 6.0 compiler at my desk and have already compiled the stuff myself before on W32. I will do this tomorrow, however I will use openssl 0.9.6d
> >
> >I'll try to put it in the contrib area.
> >
> >Bye
> >Tim
> >
> >Any help from my friends would be highly appreciated.
> >
> >Thanks.
> >
> >Bye,
> >-Jim.
> >
> >
> >From: "Gilles Gros" <[EMAIL PROTECTED]>
> >
> >What is really your question ?
> >
> >Just download the source and compile it.
> >
> >apache 1.3.26 : http://www.apache.org/dist/httpd/apache_1.3.26.tar.gz
> >mod SSL 2.8.9-1.3.26 : http://www.modssl.org/source/mod_ssl-2.8.9-1.3.26.tar.gz
> >
> >Gilles
> >
> >Hi,
> >
> >Could somebody help me create the Apache_1.3.26-Mod_SSL_x-OpenSSL_x file from the mod_ssl-2.8.9-1.3.26.tar.gz file that has been released recently.
> >
> >Thanks.
> >
> >Bye,
> >-Jim.
> >
> >
> >On Wed, 19 Jun 2002, Jim Lee wrote:
> >
> >We have been unable to find the above Apache_1.3.26-Mod_SSL_x file in the http://www.modssl.org/contrib/ area.
> >
> >Nobody's contributed one yet. I imagine it won't be that far off, it usually doesn't take too long.
> >
> >We also wish to know if the SSL certificate has to be re-created after Apache is upgraded to 1.3.26 with the new mod_SSL.
> >
> >No.
> >
> >--Cliff

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
Re: Apache 1.3.26 Upgrade Question - Thanks
Jim,

It would probably be a good idea to back up your old certificate before upgrading. The certificate is bound to the name of your server or the URL of your website, and not the version of Apache that is running, so you can reuse it. At least this is true with UNIX. I'm not a Windows man myself.

Regards,
Steve Romero

At 07:00 PM 6/21/2002 +, you wrote:
>Hi,
>
>If I upgrade our current Apache 1.3.20 server with mod_ssl built using:
>
>Apache_1.3.20-Mod_SSL_2.8.4-OpenSSL_0.9.6a-WIN32.zip
>
>to Apache 1.3.26 server with mod_ssl built using the following file:
>
>Apache_1.3.26-Mod_SSL_2.8.9-OpenSSL_0.9.6d-WIN32.zip,
>
>would I have to re-create my SSL certificate.
>
>My question is in light of the fact that the OpenSSL versions are different in each of these files.
>
>Any feedback on the stability of the new file would be very helpful.
>
>Thanks in advance.
>
>Bye,
>-Jim.
>
>
>Sorry Jim
>
>You'd have to wait for Monday. I haven't installed perl anymore and the build script requires that unfortunately. First got to install perl on Monday in my W2K VMWare.
>
>Bye
>Tim
>
>On Thu, 20 Jun 2002 20:12:00 +
>"Jim Lee" <[EMAIL PROTECTED]> wrote:
>
>Thanks a lot Tim.
>
>Words cannot express the sense of relief and gratitude that I am feeling right now.
>
>I would be eagerly looking tomorrow for the file:
>Apache_1.3.26-Mod_SSL_2.8.9-OpenSSL_0.9.6d-WIN32.zip
>at the following location:
>http://www.modssl.org/contrib/
>
>Thanks a million again.
>
>Bye,
>-Jim.
>
>
>Hi Jim
>
>On Thu, 20 Jun 2002 17:48:38 +
>"Jim Lee" <[EMAIL PROTECTED]> wrote:
>
>Hi,
>
>Please forgive my ignorance.
>
>I wish to create a file similar to the following one:
>Apache_1.3.20-Mod_SSL_2.8.4-OpenSSL_0.9.6a-WIN32.zip,
>
>namely,
>Apache_1.3.26-Mod_SSL_2.8.9-OpenSSL_0.9.6c-WIN32.zip,
>
>I need this file so that I can upgrade my current Apache 1.3.20 server with mod_ssl to Apache 1.3.26 server with mod_ssl.
>
>I do not have a VC++ 5.0 compiler on my desk and have no idea how I could get the above file from the apache_1.3.26.tar.gz and the mod_ssl-2.8.9-1.3.26.tar.gz and the openssl-0.9.6c.tar.gz files.
>
>I've got a VC++ 6.0 compiler at my desk and have already compiled the stuff myself before on W32. I will do this tomorrow, however I will use openssl 0.9.6d
>
>I'll try to put it in the contrib area.
>
>Bye
>Tim
>
>Any help from my friends would be highly appreciated.
>
>Thanks.
>
>Bye,
>-Jim.
>
>
>From: "Gilles Gros" <[EMAIL PROTECTED]>
>
>What is really your question ?
>
>Just download the source and compile it.
>
>apache 1.3.26 : http://www.apache.org/dist/httpd/apache_1.3.26.tar.gz
>mod SSL 2.8.9-1.3.26 : http://www.modssl.org/source/mod_ssl-2.8.9-1.3.26.tar.gz
>
>Gilles
>
>Hi,
>
>Could somebody help me create the Apache_1.3.26-Mod_SSL_x-OpenSSL_x file from the mod_ssl-2.8.9-1.3.26.tar.gz file that has been released recently.
>
>Thanks.
>
>Bye,
>-Jim.
>
>
>On Wed, 19 Jun 2002, Jim Lee wrote:
>
>We have been unable to find the above Apache_1.3.26-Mod_SSL_x file in the http://www.modssl.org/contrib/ area.
>
>Nobody's contributed one yet. I imagine it won't be that far off, it usually doesn't take too long.
>
>We also wish to know if the SSL certificate has to be re-created after Apache is upgraded to 1.3.26 with the new mod_SSL.
>
>No.
>
>--Cliff
Re: 56-bit/128-bit IE problems
The problem here as usual is that he HAS got a SGC certificate - and some ie's barf unless you drop EXPORT56 from your offering when you have one of those certs.

Not worth the money as far as I'm concerned, not even when getting thawte's one. I feel it's a scam the way they sell SGC's as some sort of premium security product when all they're doing is enabling functionality the browser already has. These were designed for another purpose altogether before the USA relaxed its crypto export rules a few years ago.

Thomas Binder wrote:

>Hi!
>
>On Fri, Jun 21, 2002 at 08:39:04AM -0700, David Wall wrote:
>
>>You could also consider getting a Thawte "super cert" which has
>>a capability to allow the 56-bit export version of IE to not be
>>so stupid and connect at the higher 128-bit when accessing your
>>site.
>
>Just for the record, Thawte's "Super Certs" are what VeriSign
>calls "Secure Site Server Pro (Global) ID". But they are quite a
>lot cheaper.
>
>Ciao
>
>Thomas
Re: 56-bit/128-bit IE problems
Are there still export restrictions on the 128bit browsers? I was under the impression those export restrictions had been lifted a few years back.

Thanks,

Ron DuFresne

On Fri, 21 Jun 2002, Thomas Binder wrote:

> Hi!
>
> On Fri, Jun 21, 2002 at 08:39:04AM -0700, David Wall wrote:
> > You could also consider getting a Thawte "super cert" which has
> > a capability to allow the 56-bit export version of IE to not be
> > so stupid and connect at the higher 128-bit when accessing your
> > site.
>
> Just for the record, Thawte's "Super Certs" are what VeriSign
> calls "Secure Site Server Pro (Global) ID". But they are quite a
> lot cheaper.
>
> Ciao
>
> Thomas

--
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!
Re: 56-bit/128-bit IE problems
Hi!

On Fri, Jun 21, 2002 at 08:39:04AM -0700, David Wall wrote:
> You could also consider getting a Thawte "super cert" which has
> a capability to allow the 56-bit export version of IE to not be
> so stupid and connect at the higher 128-bit when accessing your
> site.

Just for the record, Thawte's "Super Certs" are what VeriSign calls "Secure Site Server Pro (Global) ID". But they are quite a lot cheaper.

Ciao

Thomas
Re: Apache 1.3.26 Upgrade Question - Thanks
Hi,

If I upgrade our current Apache 1.3.20 server with mod_ssl built using:

Apache_1.3.20-Mod_SSL_2.8.4-OpenSSL_0.9.6a-WIN32.zip

to Apache 1.3.26 server with mod_ssl built using the following file:

Apache_1.3.26-Mod_SSL_2.8.9-OpenSSL_0.9.6d-WIN32.zip,

would I have to re-create my SSL certificate.

My question is in light of the fact that the OpenSSL versions are different in each of these files.

Any feedback on the stability of the new file would be very helpful.

Thanks in advance.

Bye,
-Jim.


Sorry Jim

You'd have to wait for Monday. I haven't installed perl anymore and the build script requires that unfortunately. First got to install perl on Monday in my W2K VMWare.

Bye
Tim

On Thu, 20 Jun 2002 20:12:00 +
"Jim Lee" <[EMAIL PROTECTED]> wrote:

Thanks a lot Tim.

Words cannot express the sense of relief and gratitude that I am feeling right now.

I would be eagerly looking tomorrow for the file:
Apache_1.3.26-Mod_SSL_2.8.9-OpenSSL_0.9.6d-WIN32.zip
at the following location:
http://www.modssl.org/contrib/

Thanks a million again.

Bye,
-Jim.


Hi Jim

On Thu, 20 Jun 2002 17:48:38 +
"Jim Lee" <[EMAIL PROTECTED]> wrote:

Hi,

Please forgive my ignorance.

I wish to create a file similar to the following one:
Apache_1.3.20-Mod_SSL_2.8.4-OpenSSL_0.9.6a-WIN32.zip,

namely,
Apache_1.3.26-Mod_SSL_2.8.9-OpenSSL_0.9.6c-WIN32.zip,

I need this file so that I can upgrade my current Apache 1.3.20 server with mod_ssl to Apache 1.3.26 server with mod_ssl.

I do not have a VC++ 5.0 compiler on my desk and have no idea how I could get the above file from the apache_1.3.26.tar.gz and the mod_ssl-2.8.9-1.3.26.tar.gz and the openssl-0.9.6c.tar.gz files.

I've got a VC++ 6.0 compiler at my desk and have already compiled the stuff myself before on W32. I will do this tomorrow, however I will use openssl 0.9.6d

I'll try to put it in the contrib area.

Bye
Tim

Any help from my friends would be highly appreciated.

Thanks.

Bye,
-Jim.


From: "Gilles Gros" <[EMAIL PROTECTED]>

What is really your question ?

Just download the source and compile it.

apache 1.3.26 : http://www.apache.org/dist/httpd/apache_1.3.26.tar.gz
mod SSL 2.8.9-1.3.26 : http://www.modssl.org/source/mod_ssl-2.8.9-1.3.26.tar.gz

Gilles

Hi,

Could somebody help me create the Apache_1.3.26-Mod_SSL_x-OpenSSL_x file from the mod_ssl-2.8.9-1.3.26.tar.gz file that has been released recently.

Thanks.

Bye,
-Jim.


On Wed, 19 Jun 2002, Jim Lee wrote:

We have been unable to find the above Apache_1.3.26-Mod_SSL_x file in the http://www.modssl.org/contrib/ area.

Nobody's contributed one yet. I imagine it won't be that far off, it usually doesn't take too long.

We also wish to know if the SSL certificate has to be re-created after Apache is upgraded to 1.3.26 with the new mod_SSL.

No.

--Cliff
Apache + Modssl mod_log_config.so bug
After upgrading to Apache 1.3.26 and ModSSL 2.8.9, the webserver seems to die after/during log rotation with the following errors. It appears that when the logs either don't exist, or some other scenario, the webserver dies after receiving a -HUP or -SIGUSR1.

[Sat Jun 22 04:00:16 2002] [notice] SIGUSR1 received. Doing graceful restart
Syntax error on line 62 of /var/www/conf/httpd.conf:
Cannot load /var/www/modules/mod_log_config.so into server: /var/www/modules/mod_log_config.so: undefined symbol: ap_escape_logitem

Anyone else experiencing this? Seems to even happen with standard RedHat apache version 1.3.22 also.

Thanks,
Karl

--
Karl Grindley
Senior Systems Analyst
Terra Lycos, Inc.
How do I extend the expiration day of the self generated CA certificate and all the certs issued by that CA. Please help
We have created our own CA certificate and signed a few more certs using it. The CA is about to expire and with that all the certificates signed using it. Is there a way to extend the expiration day without recreating the CA and reissuing the certs?

Please help

Thanks in advance.

Ilya
Re: Apache 1.3.26 Upgrade Question - Thanks
Sorry Jim

You'd have to wait for Monday. I haven't installed perl anymore and the build script requires that unfortunately. First got to install perl on Monday in my W2K VMWare.

Bye
Tim

On Thu, 20 Jun 2002 20:12:00 +
"Jim Lee" <[EMAIL PROTECTED]> wrote:

> Thanks a lot Tim.
>
> Words cannot express the sense of relief and gratitude that I am feeling right now.
>
> I would be eagerly looking tomorrow for the file:
> Apache_1.3.26-Mod_SSL_2.8.9-OpenSSL_0.9.6d-WIN32.zip
> at the following location:
> http://www.modssl.org/contrib/
>
> Thanks a million again.
>
> Bye,
> -Jim.
>
>
> Hi Jim
>
> On Thu, 20 Jun 2002 17:48:38 +
> "Jim Lee" <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> Please forgive my ignorance.
>
> I wish to create a file similar to the following one:
> Apache_1.3.20-Mod_SSL_2.8.4-OpenSSL_0.9.6a-WIN32.zip,
>
> namely,
> Apache_1.3.26-Mod_SSL_2.8.9-OpenSSL_0.9.6c-WIN32.zip,
>
> I need this file so that I can upgrade my current Apache 1.3.20 server with mod_ssl to Apache 1.3.26 server with mod_ssl.
>
> I do not have a VC++ 5.0 compiler on my desk and have no idea how I could get the above file from the apache_1.3.26.tar.gz and the mod_ssl-2.8.9-1.3.26.tar.gz and the openssl-0.9.6c.tar.gz files.
>
> I've got a VC++ 6.0 compiler at my desk and have already compiled the stuff myself before on W32. I will do this tomorrow, however I will use openssl 0.9.6d
>
> I'll try to put it in the contrib area.
>
> Bye
> Tim
>
> Any help from my friends would be highly appreciated.
>
> Thanks.
>
> Bye,
> -Jim.
>
>
> From: "Gilles Gros" <[EMAIL PROTECTED]>
>
> What is really your question ?
>
> Just download the source and compile it.
>
> apache 1.3.26 : http://www.apache.org/dist/httpd/apache_1.3.26.tar.gz
> mod SSL 2.8.9-1.3.26 : http://www.modssl.org/source/mod_ssl-2.8.9-1.3.26.tar.gz
>
> Gilles
>
> Hi,
>
> Could somebody help me create the Apache_1.3.26-Mod_SSL_x-OpenSSL_x file from the mod_ssl-2.8.9-1.3.26.tar.gz file that has been released recently.
>
> Thanks.
>
> Bye,
> -Jim.
>
>
> On Wed, 19 Jun 2002, Jim Lee wrote:
>
> We have been unable to find the above Apache_1.3.26-Mod_SSL_x file in the http://www.modssl.org/contrib/ area.
>
> Nobody's contributed one yet. I imagine it won't be that far off, it usually doesn't take too long.
>
> We also wish to know if the SSL certificate has to be re-created after Apache is upgraded to 1.3.26 with the new mod_SSL.
>
> No.
>
> --Cliff
Re: Two certificates in apache and mod_ssl
Are you using IP Based virtual hosting? I don't think you can have multiple certificates on a single IP on the same port.

On Fri, 2002-06-21 at 10:34, Kirchner Stefan wrote:
> Hello,
>
> I defined two virtual hosts in apache + mod_ssl with two different server certificates.
> I tried to access the https connection and I got for both virtual hosts the certificate of the first virtual host.
>
> How do I have to configure it to get the right certificate of each virtual host.
>
> Or is it not possible? Or how?
>
> Stefan

--
Sean M. Alderman
ITRACK Systems Analyst
PACE/NCI - NASA Glenn Research Center
(216) 433-2795

Calling a windowed operating system "Windows" is like naming an automobile "Wheels."
RE: Two certificates in apache and mod_ssl
Try adding the following directive to your definition:

SSLCertificateFile /path/to/file
SSLCertificateKeyFile /path/to/file

Also make sure that the above directives are not configured for the main server. That's it.

Brian Vaughan

-----Original Message-----
From: Kirchner Stefan [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 21, 2002 10:34 AM
To: '[EMAIL PROTECTED]'
Subject: Two certificates in apache and mod_ssl

Hello,

I defined two virtual hosts in apache + mod_ssl with two different server certificates.
I tried to access the https connection and I got for both virtual hosts the certificate of the first virtual host.

How do I have to configure it to get the right certificate of each virtual host.

Or is it not possible? Or how?

Stefan
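Added example, not part of the thread: a Python check for the situation these replies describe, where two SSL virtual hosts on the same IP address and port carry different certificates and every client receives the first host's certificate. The sample configuration, host names, addresses and file paths are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample config (not from the thread): two SSL virtual hosts on
# one address:port with different certificates, plus one on its own address.
SAMPLE_CONF = """\
Listen 443
NameVirtualHost 192.0.2.10:443

<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/shop.crt
    SSLCertificateKeyFile /etc/ssl/shop.key
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName mail.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/mail.crt
    SSLCertificateKeyFile /etc/ssl/mail.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName admin.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/admin.crt
    SSLCertificateKeyFile /etc/ssl/admin.key
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"^<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^</VirtualHost>", re.I)
DIRECTIVE = re.compile(r"^(\w+)\s+(.*?)\s*$")


def parse_vhosts(conf_text):
    """Return one dict per <VirtualHost> block, in file order."""
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {"addrs": opened.group(1).split(),
                       "name": None, "ssl": False, "cert": None}
            continue
        if VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        directive = DIRECTIVE.match(line)
        if current is None or not directive:
            continue  # main-server directives are ignored here
        key, value = directive.group(1).lower(), directive.group(2).strip('"')
        if key == "servername":
            current["name"] = value
        elif key == "sslengine":
            current["ssl"] = value.lower() == "on"
        elif key == "sslcertificatefile":
            current["cert"] = value
    return vhosts


def find_cert_conflicts(conf_text):
    """Map address:port -> [(ServerName, cert)] where SSL vhosts that share
    the address carry different certificates."""
    by_addr = defaultdict(list)
    for vhost in parse_vhosts(conf_text):
        if vhost["ssl"] and vhost["cert"]:
            for addr in vhost["addrs"]:
                by_addr[addr].append(vhost)
    conflicts = {}
    for addr, group in by_addr.items():
        if len({vhost["cert"] for vhost in group}) > 1:
            conflicts[addr] = [(v["name"], v["cert"]) for v in group]
    return conflicts


if __name__ == "__main__":
    for addr, group in find_cert_conflicts(SAMPLE_CONF).items():
        first_name, first_cert = group[0]
        # As reported in the thread, the first virtual host's certificate
        # is the one clients receive for every host on this address.
        print(f"{addr}: clients receive {first_cert} ({first_name})")
        for name, cert in group[1:]:
            print(f"  {name}: {cert} is not presented; "
                  "move this host to its own IP address or port")
```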
Re: 56-bit/128-bit IE problems
Hi Louis,

It may be the troublesome 56bit cypher itself, try adding !EXPORT56 to your SSLCipherSuite, have a look at the faq http://www.modssl.org/docs/2.8/ssl_faq.html#io-ie

Although that does not explain the IE6 problem, unless that's a red herring.

Mikey

Louis Sabet <[EMAIL PROTECTED]> on 21/06/2002 14:31:41

Please respond to [EMAIL PROTECTED]

To: [EMAIL PROTECTED]
cc:
Subject: 56-bit/128-bit IE problems

Hi all,

Encryption isn't a strong point for me unfortunately...

We have a website at http://www.mobiles.co.uk, which as part of the ordering process connects to our Apache 1.3.22/mod_ssl RedHat machine, and speaks SSL (the point at which it changes to https://secure.mobiles.co.uk ).

We have had a few complaints from customers that they have been unable to connect to the secure parts of our sites. Having ruled out connectivity issues, and done some VMWare testing at home, I concluded that the affected versions were (I think) all versions of IE with cypher strengths of 56-bits. As soon as I patched the virtual machines with the high-encryption pack, they sprung into life.

So my question really is this: Do I need to look for a problem in the httpd.conf of our server, do I look for a problem with the certificate/intermediate certificate, or do I just give up, and just live with the fact that half our customers can't connect to our site?

I had originally assumed this was to do with a bug in early implementations of IE5, but since then we have had reports of the same behaviour in IE6 (which initially comes in 56-bit flavour under win2k unless patched).

I have had no help from verisign, other than the usual confused gibberings I have come to expect from them, so I hoped someone out there might have a clue I can carry on with?

Thanks,

L

--
Louis Sabet <[EMAIL PROTECTED]>
http://www.webtedium.com/
Two certificates in apache and mod_ssl
Hello,

I defined two virtual hosts in apache + mod_ssl with two different server certificates.
I tried to access the https connection and I got for both virtual hosts the certificate of the first virtual host.

How do I have to configure it to get the right certificate of each virtual host.

Or is it not possible? Or how?

Stefan
Re: 56-bit/128-bit IE problems
> I had originally assumed this was to do with a bug in early
> implementations of IE5, but since then we have had reports of the same
> behaviour in IE6 (which initially comes in 56-bit flavour under win2k
> unless patched).

You should read the mod ssl documentation as it describes things like the 'CipherSuite' configuration parameter to use in your Apache httpd.conf file as it defines what ciphers the client is permitted to negotiate when connecting to your site. Specifically, there's two I see a lot !EXP56:!EXPORT56 that perhaps would be turning off such support.

You could also consider getting a Thawte "super cert" which has a capability to allow the 56-bit export version of IE to not be so stupid and connect at the higher 128-bit when accessing your site.

Good luck...

David
RE: Trouble building on Win32
> This is just a guess, but try putting your openssl path in quotes. It
> might not
> like /Ic:..., and it might prefer /i "c:"

[Noah White] Nope, no dice.

-Noah
Re: Expired and Revoked Certificates
Thank you for your input!

>>> [EMAIL PROTECTED] 06/20/02 06:22PM >>>

On Thu, Jun 20, 2002 at 10:04:40AM -0500, Mary Peterson wrote:
> I have two issues that I wondered if anyone could assist me with:
>
> When I test a revoked client certificate against the CRL I get a
> Security Alert Message that says 'The security certificate for this site
> has been revoked. This site should not be trusted.'

It's a bug with Internet Explorer. I noticed it too. If you used Mozilla - you'd see it report "your certificate has expired" - i.e. a correct response.

> Also, when I test an expired client certificate it brings back a 'Page
> Cannot be Displayed' error message. Does anyone know how I can get it
> to return a 'Your certificate has expired' error message in place of the
> 'Page Cannot be Displayed' message?

Pretty hard. As your cert has expired, then there is no channel over which to send you that HTML :-)

Nope, I'm afraid nothing but the client can give that information.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
56-bit/128-bit IE problems
Hi all,

Encryption isn't a strong point for me unfortunately...

We have a website at http://www.mobiles.co.uk, which as part of the ordering process connects to our Apache 1.3.22/mod_ssl RedHat machine, and speaks SSL (the point at which it changes to https://secure.mobiles.co.uk ).

We have had a few complaints from customers that they have been unable to connect to the secure parts of our sites. Having ruled out connectivity issues, and done some VMWare testing at home, I concluded that the affected versions were (I think) all versions of IE with cypher strengths of 56-bits. As soon as I patched the virtual machines with the high-encryption pack, they sprung into life.

So my question really is this: Do I need to look for a problem in the httpd.conf of our server, do I look for a problem with the certificate/intermediate certificate, or do I just give up, and just live with the fact that half our customers can't connect to our site?

I had originally assumed this was to do with a bug in early implementations of IE5, but since then we have had reports of the same behaviour in IE6 (which initially comes in 56-bit flavour under win2k unless patched).

I have had no help from verisign, other than the usual confused gibberings I have come to expect from them, so I hoped someone out there might have a clue I can carry on with?

Thanks,

L

--
Louis Sabet <[EMAIL PROTECTED]>
http://www.webtedium.com/
RE: Trouble building on Win32
> The server builds OK, it only croaks when trying to build with mod_ssl.
> Here's my include PATH, I don't notice anything in particular wrong
> with it.
>
> Thanks,
>
> -Noah
>
> INCLUDE=c:\Program Files\Microsoft Visual Studio .NET\FrameworkSDK\include\;c:\Program Files\Microsoft Visual Studio .NET\FrameworkSDK\include\;c:\Program Files\Microsoft Visual Studio .NET\VC7\ATLMFC\INCLUDE;c:\Program Files\Microsoft Visual Studio .NET\VC7\INCLUDE;c:\Program Files\Microsoft Visual Studio .NET\VC7\PlatfromSDK\include\prerelease;c:\Program Files\Microsoft Visual Studio .NET\VC7\PlatformSDK\include;C:\Program Files\WMI\include

This is just a guess, but try putting your openssl path in quotes. It might not like /Ic:..., and it might prefer /i "c:"

---
Aryeh Katz
VASCO
www.vasco.com
RE: Trouble building on Win32
The server build OK, it only croaks when trying to build with mod_ssl.
Here's my include PATH, I don't notice anything in particular wrong with it.

Thanks,

-Noah

INCLUDE=c:\Program Files\Microsoft Visual Studio .NET\FrameworkSDK\include\;c:\Program Files\Microsoft Visual Studio .NET\FrameworkSDK\include\;c:\Program Files\Microsoft Visual Studio .NET\VC7\ATLMFC\INCLUDE;c:\Program Files\Microsoft Visual Studio .NET\VC7\INCLUDE;c:\Program Files\Microsoft Visual Studio .NET\VC7\PlatfromSDK\include\prerelease;c:\Program Files\Microsoft Visual Studio .NET\VC7\PlatformSDK\include;C:\Program Files\WMI\include

> -Original Message-
> From: Aryeh Katz [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 20, 2002 5:29 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Trouble building on Win32
>
> Is your win32 build environment set on the command line?
> It looks like something is wrong with your include path.
> run set, and see whether or not the correct value for include shows up.
> >
> > I'm trying to bld 2.8.9-1.3.26 on Windows 2000 server with VC++ 7.0
> > installed. I'm running into the following issues:
> >
> > 1) When patching the sources I get the following:
> >
> > |+
> > -- - || First patch APACI's configuration script to pass a `ssl'
> > flag || to the Makefile.tmpl file which indicated whether mod_ssl is
> > || activated or not. Second we add support for the SSL_BASE and ||
> > RSA_BASE variables. Third we provide the configuration || adjustments
> > of the HTTPS port (443) similar to what is || already done by APACI
> > for the HTTP port (80).
> > |+
> > -- - |Index: configure |--- configure 19 Jun 2002 07:20:10 -
> > 1.1.1.14 |+++ configure 19 Jun 2002 07:29:07 - 1.26
> > -- File to patch:
> >
> > If I ignore that and skip that patch I get another issue here:
> >
> > |+
> > -- - || Here we first incorporate support for the `make
> > certificate' || procedure and second support for the `make install'
> > procedure || where SSL directives in the configuration files are now
> > also || adjusted and SSL certs/keys and support programs are now ||
> > additionally installed.
> > |+
> > -- - |Index: Makefile.tmpl |--- Makefile.tmpl 27 Mar 2002
> > 15:22:49 - 1.1.1.12 |+++ Makefile.tmpl 27 Mar 2002
> > 15:30:01 - 1.44 -- File to patch:
> >
> > If I skip/ignore that I get another one:
> >
> > |
> > |+
> > -- - || Add additional SSL configuration directives which provide
> > a || robust default configuration: virtual server on port 443 || which
> > speaks SSL.
> > |+
> > -- - |Index: conf/httpd.conf-dist |--- conf/httpd.conf-dist
> > 27 Mar 2002 15:22:49 - 1.1.1.14 |+++ conf/httpd.conf-dist
> > 27 Mar 2002 15:30:01 - 1.65 -- File
> > to patch:
> >
> > For this one I directed it to patch conf/httpd.conf-dist-win and that
> > seemed to work ok.
> >
> > After this the rest of the patch process completes and I am directed
> > to build Apache.
> >
> > While building apache I get the following error:
> >
> >
> > cl.exe /nologo /c /O2 /MD /W3 /GX /DNDEBUG /DWIN32 /D_WINDOWS
> > /DSHARED_MODULE /DEAPI /DMOD_SSL=208109 /DMOD_SSL_VERSION=\"2.8.9\"
> > /I..\..\include /I..\..\os\win32 /Ic:\silverback\openssl\include
> > mod_ssl.c mod_ssl.c c:\Program Files\Microsoft Visual Studio
> > .NET\Vc7\PlatformSDK\Include\WinCrypt.h (37) : error C2061: syntax
> > error : identifier 'HRESULT' c:\Program Files\Microsoft Visual Studio
> > .NET\Vc7\PlatformSDK\Include\WinCrypt.h (37) : error C2059: syntax
> > error : ';' c:\Program Files\Microsoft Visual Studio
> > .NET\Vc7\PlatformSDK\Include\WinCrypt.h (243) : error C2061: syntax
> > error : identifier 'HCRYPTPROV' c:\Program Files\Microsoft Visual
> > Studio .NET\Vc7\PlatformSDK\Include\WinCrypt.h (243) : error C2059:
> > syntax error : ';' c:\Program Files\Microsoft Visual Studio
> > .NET\Vc7\PlatformSDK\Include\WinCrypt.h (244) : error C2061: syntax
> > error : identifier 'HCRYPTKEY' c:\Program Files\Microsoft Visual
> > Studio .NET\Vc7\PlatformSDK\Include\WinCrypt.h (244) : error C2059:
> > syntax error : ';' c:\Program Files\Microsoft Visual Studio
> > .NET\Vc7\PlatformSDK\Include\WinCrypt.h
> >
> > Any thoughts on these issues? Thanks,
> >
> > -Noah
apache 2.0.39 w/SSL on HP-UX 11.0 ignores SSLRandomSeed setting
Hello,

A recently built 2.0.39 fails to start with:

[Fri Jun 21 12:42:47 2002] [info] Init: Initializing OpenSSL library
[Fri Jun 21 12:42:47 2002] [info] Init: Seeding PRNG with 0 bytes of entropy
[Fri Jun 21 12:42:47 2002] [warn] Init: PRNG still contains not sufficient entropy!
[Fri Jun 21 12:42:47 2002] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Fri Jun 21 12:42:47 2002] [error] Init: Failed to generate temporary 512 bit RSA private key
Configuration Failed

Tracing revealed this behaviour:

[..]
write(8, "[ F r i J u n 2 1 1 2 : 4 ".., 77) ... = (77)
getpid() . = 23638 (23637)
open("/dev/urandom", O_RDONLY, 0666) . ERR#2 ENOENT
getuid() . = 0 (0)
time(NULL) ... = 1024656167
gettimeofday(0x7f7f8c08, NULL) ... = 0
write(8, "[ F r i J u n 2 1 1 2 : 4 ".., 84) ... = 84
[..]

To my surprise, this happens with the default configuration where SSLRandomSeed is set to "builtin" and also when I change this particular setting to point to the existing egd socket. It also appears when the SSL include is commented out from httpd.conf.

Is there a bug in apache or mod_ssl or am I missing something here?

System is HP-UX 11.0, my build was:

CC=cc CFLAGS='+O3 +Onolimit -Ae' ./configure --enable-ssl --with-ssl=/opt/openssl/0.9.6d --enable-so --prefix=/opt/apache2

TIA,
Volker

Volker T. Mueller Continum AG
Tel. +49 761 4794090 Boetzinger Strasse 29a
Fax. +49 761 4794099 79111 Freiburg i. Br.
http://continum.net
Docs to compile Apache + VC++ + Other Modules?
Hello

I am using Apache 1.3.24 on Win98 and I would like to upgrade it. If I install the binary version, then some of the other binary module files did not work due to version conflict or other reasons. So, I decided to compile the source.

My problem: I could not find any documentation for "How to compile Apache Source on Win98 + VC++ with some extra module sources like [PHP, Perl etc.]".

Can anyone suggest a link to me?

Thanks in advance.

Prachait Saxena
WebMaster [SitesOnTesting.Com]
If you do for other's ! Other's will do for you !!
Visit me at http://www.sitesontesting.com/prachait
error 18 at 0 depth lookup (in "make certificate")
When invoking (at the end of the apache+mod_ssl build process) the suggested "make certificate TYPE=custom", I see an error message flashing by (``error 18 at 0 depth lookup:self signed certificate'') followed by a line ``OK''.

Which one is correct? The error (well, root certificates are always self-signed, aren't they?) or the "OK"?

> STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
> Certificate Version (1 or 3) [3]:
> Signature ok
> subject=/C=DE/ST=Bavaria/L=Munich/O=Fujitsu-Siemens Intranet/OU=Certificate
>Authority/CN=Apache Web Server Development
>[EMAIL PROTECTED]
> Getting Private key
> Verify: matching certificate & key modulus
> Verify: matching certificate signature
> ../conf/ssl.crt/ca.crt: /C=DE/ST=Bavaria/L=Munich/O=Fujitsu-Siemens
>Intranet/OU=Certificate Authority/CN=Apache Web Server Development
>[EMAIL PROTECTED]
> error 18 at 0 depth lookup:self signed certificate
> OK

Is there a trick to suppress the "error 18"?

Martin
--
<[EMAIL PROTECTED]> | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730 Munich, Germany
Re: Apache 1.3.26/mod_ssl-2.8.9-1.3.26 segfault
My library update hadn't completely propagated across our network from the fileserver, so parts of my mish-mash compiled against different versions of openssl. All better. Maybe this will help someone else down the road.

On Thu, Jun 20, 2002 at 06:09:17PM -0400, Cliff Woolley wrote:
> On Thu, 20 Jun 2002 [EMAIL PROTECTED] wrote:
>
> > Per the recently announced vulnerability in versions of apache < 1.3.26,
> > I decided to be a happy little prole and update all of my webservices.
> >
> > Unpacking clean source for apache, mod_ssl and mod_perl-1.26, I upgraded
> > the packages like I always do:
> >
> > write(15, "[20/Jun/2002 16:50:05 04493] [in"..., 95) = 95
> > brk(0x8109000) = 0x8109000
> > open("./php.ini", O_RDONLY) = -1 ENOENT (No such file or
> > directory)
> > open("/usr/lib/php.ini", O_RDONLY) = -1 ENOENT (No such file or
> > directory)
> > brk(0x810a000) = 0x810a000
> > brk(0x810b000) = 0x810b000
> > brk(0x810c000) = 0x810c000
> > brk(0x810d000) = 0x810d000
> ...
> > brk(0x8123000) = 0x8123000
> > brk(0x8125000) = 0x8125000
> > brk(0x8126000) = 0x8126000
> > --- SIGSEGV (Segmentation fault) ---
> > +++ killed by SIGSEGV +++
> >
> Sounds like PHP is borked. Try building a new copy.
>
> --Cliff
>

Garrett
--
Garrett Kuchta [gkuchta[at]astro.umn.edu]
Assistant System Manager
Dept. of Astronomy
University of Minnesota, Twin Cities
http://www.astro.umn.edu/~gkuchta
correctly setting SSL_LDFLAGS under Solaris
I haven't dissected the configure process well enough to figure out who's responsible for setting SSL_LDFLAGS in src/modules/ssl/Makefile when building mod_ssl + Apache per INSTALL: The flexible APACI-only way but it would be cool if SSL_LDFLAGS automagically included -R$(SSL_LIBDIR) for Solaris and any other OS that supports runtime linker flags.

Thanks,
John
[EMAIL PROTECTED]
[BugDB] Pb start apacheSSL (PR#722)
Full_Name: Rebolj
Version: openssl 9.6a
OS: Solaris
Submission from: (NULL) (171.16.0.60)

when i start it writes

Init: Loading certificate & private key of SSL-aware server pise.:443
[19/Jun/2002 11:24:06 00536] [error] Init: Unable to read server certificate from file /HOME/webadm/Config/ssl.crt/IntRec.web-riva.cra (OpenSSL library error follows)
[19/Jun/2002 11:24:06 00536] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence
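The OpenSSL error in the report above comes from the DER decoder (d2i_X509) not finding an ASN.1 SEQUENCE at the start of the data it was given. As an added example (not part of the original report and not mod_ssl code), this Python check classifies what a file offered as a server certificate actually contains; the function names and sample bytes are constructed for illustration, and only the outer encoding is checked, not the certificate's contents.

```python
import base64
import re

# One PEM block: BEGIN/END lines with matching labels around a base64 body.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def starts_with_der_sequence(data: bytes) -> bool:
    """True if data begins with a complete DER SEQUENCE (tag 0x30, length fits)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                 # short form: the byte is the length
        header, length = 2, first
    else:                            # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length <= len(data)

def classify_cert_file(raw: bytes) -> str:
    """Say what a file offered as a server certificate actually contains."""
    m = PEM_RE.search(raw)
    if m is None:
        return "DER sequence" if starts_with_der_sequence(raw) else "not PEM, not DER"
    label = m.group(1).decode()
    if label != "CERTIFICATE":
        return "wrong PEM type: " + label
    try:
        body = base64.b64decode(b"".join(m.group(2).split()), validate=True)
    except ValueError:               # binascii.Error is a ValueError
        return "PEM body is not base64"
    return "PEM certificate" if starts_with_der_sequence(body) else "PEM body is not DER"

def pem(label: str, der: bytes) -> bytes:
    """Wrap bytes in PEM armour (helper for the constructed samples)."""
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n".encode()

# Constructed samples, not real certificates: SEQUENCE { NULL } and wrappers.
FAKE_DER = bytes([0x30, 0x02, 0x05, 0x00])
SAMPLES = {
    "good.pem": pem("CERTIFICATE", FAKE_DER),
    "good.der": FAKE_DER,
    "key-in-cert-slot.pem": pem("RSA PRIVATE KEY", FAKE_DER),
    "truncated.der": FAKE_DER[:3],
    "error-page.html": b"<html><body>404 Not Found</body></html>",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {classify_cert_file(raw)}")
```

Running the same classification over the file named in a server's certificate directive before a restart separates an encoding problem in the file from a problem in the server build.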