Re: SSL reverse proxy + Client Cert auth
Hi Danny,

I guess I understood your doubt. If not, please ignore this. There should be a 'ca-bundle.crt' file in which you can put the third party's certificate, and you could give that a try.

Rgds,
Anbu

--- Danny Kruitbosch [EMAIL PROTECTED] wrote:
> Hi,
>
> We want to build the following situation:
>
> - Apache with mod_ssl as a reverse SSL proxy
>   (Client <--- SSL/HTTPS ---> Rev. proxy <--- HTTP ---> Web/App server)
> - We need to check for client certificates. These certs are handed out by another party (not a real TTP). We need to check the signature on the client certs and the validity of the client certs.
>
> What's the best way to do this? I've read the mod_ssl manual, but I don't understand how I can check client certs from another (third) party.
>
> How do I set up Apache as an SSL reverse proxy?
>
> Any help on this would be great!
>
> Cheers,
> Danny Kruitbosch

__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
Directing users without enough encryption capability
Hi,

I'm trying to do the following: I have a site with strong encryption, demanding 128-bit encryption with:

SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

A lot of users don't have browsers with 128-bit encryption capabilities, so what I would like to do is: when a user cannot use 128-bit encryption, he/she should be redirected to a page with info about upgrading, instead of just getting no connection.

Any idea how to do that?

Cheers,
Jeroen.
redirecting users part 2
Hi,

I'm trying to redirect users who don't have enough encryption capabilities for 128 bit (see previous mail). I've tried the following (but it doesn't work):

Add upgrade.html (the text users with old browsers are supposed to get) to the index:

DirectoryIndex index.html index.htm Index.html Index.htm INDEX.HTML INDEX.HTM upgrade.html

Initially allow all strengths:

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:+eNULL

And then:

<Location /upgrade.html>
SSLRequire %{SSL_CIPHER_USEKEYSIZE} < 128
</Location>
<Location />
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Location>

But it doesn't work. Any idea why it doesn't work?

Cheers,
Jeroen.
Problems with Thawte freemail certificate and Apache
Hello,

I would appreciate any help on this please.

I am using Apache 1.3.23 on RedHat 7.3 with mod_ssl 2.8.7 and openssl 0.9.6b-28. This web server provides access to our internal Bugzilla database.

I have set up a CA on my server using /usr/share/ssl/misc/CA.pl and I issue browser certificates from it. I have copied the CA certificate and appended it to /etc/httpd/conf/ssl.crt/ca-bundle.crt. I have the following configuration in httpd.conf:

<Directory /var/www/html/bugzilla>
Options ExecCGI FollowSymLinks
SSLVerifyClient require
SSLVerifyDepth 1
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_OU} in {Support, Bugzilla}
</Directory>

I have also uncommented:

SSLCACertificatePath /etc/httpd/conf/ssl.crt
SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt

in httpd.conf. I generated an Apache server certificate using "make testcert" in /etc/httpd/conf so that the correct machine name was in the CN attribute. This is all working fine.

However, my colleague and I both have Thawte freemail certificates installed, and that's when we get a problem. Using Mozilla with the configuration set to prompt for a certificate, both the browser certificate and the Thawte certificate are displayed, with the Thawte certificate being listed first. If the configuration is set to automatically select a certificate, the Thawte certificate is chosen. The behaviour is similar using IE.

The symptom we see in Bugzilla is that we seem to be circulating through the same 3-4 pages (depending upon what we choose). The ssl_engine_log file shows:

[19/Aug/2002 12:35:23 01206] [error] Re-negotiation handshake failed: Not accepted by client!?
[19/Aug/2002 12:35:23 01206] [error] SSL error on writing data (OpenSSL library error follows)
[19/Aug/2002 12:35:23 01206] [error] OpenSSL: error:1409E0E5:lib(20):func(158):reason(229)

When we remove the Thawte certificate, everything works. The Thawte certificate has no O or OU specified, so why do the browsers find a match with it?

Cheers
Dave.
RE: redirecting users part 2
I don't have the time to investigate this fully in the context of SSL, but from a general understanding of how Apache combines nested directives like this, I think you might need to change the order of the Location containers. The rules for combining directives are a bit complicated and (I have to say) not entirely well documented. I think you need to consider this line in the sections.html document (look for a link in the docs from the Location doc):

... each group is processed in the order that they appear in the configuration files ...

This would imply that Apache loads the rule for /upgrade.html and then overrides it with the rule for /. I am assuming here that "order" refers to the order in which Apache reads data from the config during startup and not the order in which it applies directives to incoming requests...

Confused? Me too...

Rgds,
Owen Boyle

-----Original Message-----
From: Jeroen Vriesman [mailto:[EMAIL PROTECTED]]
Sent: Monday, 19 August 2002 12:28
To: [EMAIL PROTECTED]
Subject: redirecting users part 2

Hi,

I'm trying to redirect users who don't have enough encryption capabilities for 128 bit (see previous mail). I've tried the following (but it doesn't work):

Add upgrade.html (the text users with old browsers are supposed to get) to the index:

DirectoryIndex index.html index.htm Index.html Index.htm INDEX.HTML INDEX.HTM upgrade.html

Initially allow all strengths:

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:+eNULL

And then:

<Location /upgrade.html>
SSLRequire %{SSL_CIPHER_USEKEYSIZE} < 128
</Location>
<Location />
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Location>

But it doesn't work. Any idea why it doesn't work?

Cheers,
Jeroen.
Apache and MSIE on Macs
Hi,

I have an issue where all web browser clients can connect to my Apache web server securely using https:// EXCEPT for Mac MSIE (5.0 or 5.1 etc.) clients. The SSL certificate that I have installed also uses an intermediate certificate for chaining. When the Mac MSIE browser connects, users get a pop-up saying "The issuer of the certificate is unknown"; however, if you look in the prefs of Mac MSIE under security, you can clearly see the issuer. Netscape on the Mac works fine.

Does anyone know the cause? I know this is Apache and Microsoft related. There is something on the server that I probably need to change to adapt to Mac MSIE users, but I don't know what it is... Since I cannot find any articles in the MS KB, and cannot find any in Apache newsgroups, I am lost.

I am:
Server: Apache/1.3.26 (Unix) AuthMySQL/2.20 PHP/4.0.4pl1
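No reply to this post is on the page, so the cause on Mac MSIE is not established here. The server-side setting that decides whether an intermediate certificate is sent to the client at all is SSLCertificateChainFile, which is the first thing to check before blaming the browser. The configuration below is an added example, not the poster's httpd.conf; the file paths are assumptions. It shows the chain-file directive next to the shortcut of dropping the intermediate into SSLCACertificateFile, which also gets it sent but has a side effect on client authentication.

```apache
# Added example, not from the post above; paths are assumptions.
# Sending an intermediate CA certificate from Apache 1.3 + mod_ssl 2.8.

SSLEngine on
SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

# PEM file holding the intermediate certificate(s), issuer of server.crt
# first, then its issuer, and so on. The root itself is not needed here:
# the client must already trust it, or the chain cannot be anchored anyway.
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/intermediate.crt

# The shortcut of listing the intermediate as a CA certificate also gets it
# sent, but SSLCACertificateFile/SSLCACertificatePath define which CAs are
# acceptable for *client* certificates, so it silently widens what
# SSLVerifyClient would accept. Kept here commented out as the weak form.
#SSLCACertificateFile /etc/httpd/conf/ssl.crt/intermediate.crt
```

To see what the server really sends, run openssl s_client -connect host:443 -showcerts from another machine: the certificate chain it prints should contain the intermediate. A client that holds the root but still reports the issuer as unknown has usually been handed the leaf alone.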
Re: Directing users without enough encryption capability
Hi!

On Mon, Aug 19, 2002 at 11:02:08AM +0200, Jeroen Vriesman wrote:
> I have a site with strong encryption, demanding 128-bit encryption with:
>
> SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
>
> A lot of users don't have browsers with 128-bit encryption capabilities, so what I would like to do is: when a user cannot use 128-bit encryption, he/she should be redirected to a page with info about upgrading, instead of just getting no connection.
>
> Any idea how to do that?

Use mod_rewrite. I've posted several examples some weeks ago; they should still be in the list's archive. Search for RewriteRule.

Ciao
Thomas

--
For a light heart lives long.
-- Shakespeare, Love's Labour's Lost
can't load /usr/local/apache2/modules/mod_ssl.so into server: undefined symbol x509_free
Hi,

I installed openssl 0.9.6g engine on redhat 7.3, over which I installed apache 2.0.39. The installation seems to be successful, but when I tried to start apache with SSL (./apachectl startssl) I am getting:

can't load /usr/local/apache2/modules/mod_ssl.so into server /usr/local/apache2/modules/mod_ssl.so

Can you just help me with how to install openssl with the shared libs option?

Any help greatly appreciated. Thks in advance,
Venkat
Resetting passphrase
I (stupidly) forgot what my passphrase is for a server cert I have created using OpenSSL. The cert is certified by Verisign. Is there a way I can reset the passphrase WITHOUT recreating the cert?

Ben Ricker
Wellinx, Inc.
RE: Directing users without enough encryption capability
One option is along these lines:

ErrorDocument 403 <path to error page>
<Location />
SSLOptions +StrictRequire
SSLRequire %{SSL_CIPHER_USEKEYSIZE} 128
</Location>

> I have a site with strong encryption, demanding 128-bit encryption with:
>
> SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
>
> A lot of users don't have browsers with 128-bit encryption capabilities, so what I would like to do is: when a user cannot use 128-bit encryption, he/she should be redirected to a page with info about upgrading, instead of just getting no connection.
>
> Any idea how to do that?
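Putting Owen's ordering remark and the StrictRequire/ErrorDocument suggestion together, the configuration below is an added example rather than anything posted in this thread; the only assumption is that /upgrade.html exists under the DocumentRoot. Two things defeat Jeroen's two-Location version: `<Location />` matches /upgrade.html as well and, coming later in the file, its >= 128 requirement lands on the upgrade page too; and a failed SSLRequire produces a 403, never a redirect, so the page for weak clients has to be delivered as the 403 error document. That internal redirect is itself run through SSLRequire again, which is why the expression below carves out the upgrade page by REQUEST_URI. The cipher list is Jeroen's minus +eNULL, which would have permitted sessions with no encryption at all.

```apache
# Added example, not Jeroen's config. Assumes /upgrade.html exists under
# the DocumentRoot. Apache 1.3 + mod_ssl 2.8 directives.

# Let weak clients complete the handshake; the per-URL decision is made by
# SSLRequire below, not by the cipher list. No +eNULL: that would allow
# "encrypted" sessions with a NULL cipher.
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP

<Location />
    # A failed SSLRequire is a hard 403 even where "Satisfy any" applies.
    SSLOptions +StrictRequire

    # Allow sessions using >= 128-bit keys everywhere, and allow anyone to
    # fetch the upgrade page. The second clause is what makes the
    # ErrorDocument below work: the error page is served by an internal
    # redirect that passes through this same SSLRequire, so without the
    # clause the upgrade page is forbidden as well and the client only
    # ever sees Apache's default 403 text.
    SSLRequire ( %{SSL_CIPHER_USEKEYSIZE} >= 128 \
                 or %{REQUEST_URI} eq "/upgrade.html" )

    # Turn the 403 into the upgrade page. A local URL keeps the weak client
    # on the same connection instead of bouncing it through a new handshake.
    ErrorDocument 403 /upgrade.html
</Location>
```

The response status stays 403 for the weak client; only the body changes, which is the intended behaviour: a strong client is never downgraded, and a weak one gets the explanation instead of a dropped connection. Test with an export-grade cipher forced on the client side (for example openssl s_client -cipher EXP-RC4-MD5) and confirm that a request for / returns the upgrade page body while a request made with a 128-bit cipher returns the normal index.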
RE: can't load /usr/local/apache2/modules/mod_ssl.so into server /usr/local/apache2/modules/mod_ssl.so undefined symbol x509_free
On Mon, 19 Aug 2002, Venkat Reddy Valluri wrote: As you told I checked the directory /usr/local/lib for libcrypto.so and libssl.so, but I found out only libcrypto.a and libssl.a, can you please let me know how to configure openssl to get these modules shared like libcrypto.so and libssl.so Frankly it's always been a bit of a pain for me. The default Makefile doesn't seem to behave quite right. You can try this: make build-shared But then you have to install them by hand because the $(SHARED_LIBS) variable has no value in the default Makefile so make install doesn't see them. Alternatively, you can edit the Makefile as follows: --- Makefile2002-03-17 20:03:36.0 -0500 +++ Makefile.new2002-08-19 12:44:49.0 -0400 @@ -183,7 +183,7 @@ LIBS= libcrypto.a libssl.a SHARED_CRYPTO=libcrypto$(SHLIB_EXT) SHARED_SSL=libssl$(SHLIB_EXT) -SHARED_LIBS= +SHARED_LIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT) SHARED_LIBS_LINK_EXTS=.so.$(SHLIB_MAJOR) .so GENERAL=Makefile and then run: make clean make make install and it should just work. I think. Haven't tried it recently. :) Let me know how it goes. And if anybody else out there knows something about this that I'm missing (which is possible), please speak up. :-] --Cliff __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
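Review bot: the `+SHARED_LIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT)` line re-spells two values that the unchanged context lines directly above it already define as `SHARED_CRYPTO` and `SHARED_SSL`; writing it as `SHARED_LIBS=$(SHARED_CRYPTO) $(SHARED_SSL)` keeps the three in step if the library names or `SHLIB_EXT` ever change. Since, as the surrounding text says, `make install` only copies what `$(SHARED_LIBS)` lists, the check after `make clean; make; make install` is that libcrypto.so and libssl.so, plus the `.so.$(SHLIB_MAJOR)` links that the `SHARED_LIBS_LINK_EXTS` context line produces, are actually present in the install lib directory before pointing mod_ssl's build at it.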
Re: cannot load modssl
Getting libssl.so to load correctly has revealed a new problem, which I suppose is likely just a problem in our httpd.conf. When I start my new httpd, I can retrieve pages on both 80 and 443, but both only do http; neither does https. Is there a way to fix this?

Thanks.

On Thu, Aug 15, 2002 at 01:28:09PM -0700, Dan Stromberg wrote:
> I built (tried to build) modssl as a module for apache. When I try to run apache, I get:
>
> decalpha-root /usr/bin/httpd -d /Web -DSSL
> Syntax error on line 206 of /Web/conf/httpd.conf:
> Cannot load /dcs/packages/infosys/apache/libexec/libssl.so into server: dlopen: cannot load /dcs/packages/infosys/apache/libexec/libssl.so
>
> A system call trace shows (please pardon me if I didn't get the line wrapping undone correctly):
>
> mmap ( 0x3004382e000, 4048, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_VARIABLE|MAP_PRIVATE, -1, 0 ) = 0x4382e000
> close (5) = 0
> stat (/dcs/packages/infosys/apache/libexec/libssl.so, 0x3ffc0001d30) = 0 [ , 129.0.39381905 -rwxr-xr-x 1 dcslib users 221184 1029433580,1029433580,1029433580 ]
> getrlimit ( RLIMIT_DATA, 0x11fffce48 ) = 0 [ , {134217728,1073741824} ]
> mmap ( 0x3ffc0016000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_VARIABLE|MAP_PRIVATE, -1, 0 ) = 0xc0016000
> open (/dcs/packages/MySQL/lib/mysql/libssl.so, O_RDONLY, 3211552) = -1, Errno 2 (No such file or directory)
> open (/dcs/packages/infosys/php-ext/pdflib/lib/libssl.so, O_RDONLY, 3211557) = -1, Errno 2 (No such file or directory)
> open (/dcs/packages/infosys/php-ext/freetds-0.53/lib/libssl.so, O_RDONLY, 30000211551) = -1, Errno 2 (No such file or directory)
> open (/dcs/packages/perl-5.6.0/lib/5.6.0/alpha-dec_osf/CORE/libssl.so, O_RDONLY, 3211552) = -1, Errno 2 (No such file or directory)
>
> /dcs/packages/infosys/apache/libexec/libssl.so is indeed where the SO in question lives.
>
> Also:
>
> decalpha-root file /dcs/packages/infosys/apache/libexec/libssl.so
> /dcs/packages/infosys/apache/libexec/libssl.so: COFF format alpha shared library, demand paged executable or object module stripped - version 3.11-10
>
> I'm using apache 1.3.26, mod_ssl 2.8.10-1.3.26, and openssl 0.9.6e.
>
> mod_ssl was ./configured with:
>
> ./configure --with-apache=/dcslibsrc/infosys/apache-httpd/apache/`systype` \
>   --prefix=/dcs/packages/infosys/apache-$vers \
>   --with-ssl=/dcs/packages/openssl
>
> The OS I'm on is Tru64 4.0D, but I hope to run the resulting binary on a variety of more recent Tru64 machines.
>
> I'm not getting a core dump; in fact httpd doesn't even start. I just get the error mentioned above. The daemon runs fine without -DSSL.
>
> As probably happens too often on this list, this matter is rather urgent for us.
>
> Thanks.
>
> --
> Dan Stromberg UCI/NACS/DCS

--
Dan Stromberg UCI/NACS/DCS
Re: cannot load modssl
I ran into the same problem on Solaris. If I change the ssl module's SSL_LDFLAGS to -L$(SSL_LIBDIR) -R$(SSL_LIBDIR), then it works: the -R was missing. I now suspect this was the same problem I was seeing on Tru64, where it would instead be -Wl,-rpath -Wl,/dir/ect/ory.

I now have two questions directly related to this:

1) What is the right place to add this? I imagine it's not the most pleasing of methods to manually add this to the Makefile after configure'ing, which unfortunately is what I've done to get the ssl module to work (sort of, see below).

2) Can something like this be added to the Makefile? Or am I really the only person in the world who doesn't put openssl in a standard place like /usr/lib or /usr/local/lib? It seems to me that libtool or something should be taking care of this the most thorough way, instead of assuming the openssl libraries are on your run-time loader path.

Thanks.

On Thu, Aug 15, 2002 at 01:28:09PM -0700, Dan Stromberg wrote:
> I built (tried to build) modssl as a module for apache. When I try to run apache, I get:
>
> decalpha-root /usr/bin/httpd -d /Web -DSSL
> Syntax error on line 206 of /Web/conf/httpd.conf:
> Cannot load /dcs/packages/infosys/apache/libexec/libssl.so into server: dlopen: cannot load /dcs/packages/infosys/apache/libexec/libssl.so
>
> A system call trace shows (please pardon me if I didn't get the line wrapping undone correctly):
>
> mmap ( 0x3004382e000, 4048, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_VARIABLE|MAP_PRIVATE, -1, 0 ) = 0x4382e000
> close (5) = 0
> stat (/dcs/packages/infosys/apache/libexec/libssl.so, 0x3ffc0001d30) = 0 [ , 129.0.39381905 -rwxr-xr-x 1 dcslib users 221184 1029433580,1029433580,1029433580 ]
> getrlimit ( RLIMIT_DATA, 0x11fffce48 ) = 0 [ , {134217728,1073741824} ]
> mmap ( 0x3ffc0016000, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_VARIABLE|MAP_PRIVATE, -1, 0 ) = 0xc0016000
> open (/dcs/packages/MySQL/lib/mysql/libssl.so, O_RDONLY, 3211552) = -1, Errno 2 (No such file or directory)
> open (/dcs/packages/infosys/php-ext/pdflib/lib/libssl.so, O_RDONLY, 3211557) = -1, Errno 2 (No such file or directory)
> open (/dcs/packages/infosys/php-ext/freetds-0.53/lib/libssl.so, O_RDONLY, 30000211551) = -1, Errno 2 (No such file or directory)
> open (/dcs/packages/perl-5.6.0/lib/5.6.0/alpha-dec_osf/CORE/libssl.so, O_RDONLY, 3211552) = -1, Errno 2 (No such file or directory)
>
> /dcs/packages/infosys/apache/libexec/libssl.so is indeed where the SO in question lives.
>
> Also:
>
> decalpha-root file /dcs/packages/infosys/apache/libexec/libssl.so
> /dcs/packages/infosys/apache/libexec/libssl.so: COFF format alpha shared library, demand paged executable or object module stripped - version 3.11-10
>
> I'm using apache 1.3.26, mod_ssl 2.8.10-1.3.26, and openssl 0.9.6e.
>
> mod_ssl was ./configured with:
>
> ./configure --with-apache=/dcslibsrc/infosys/apache-httpd/apache/`systype` \
>   --prefix=/dcs/packages/infosys/apache-$vers \
>   --with-ssl=/dcs/packages/openssl
>
> The OS I'm on is Tru64 4.0D, but I hope to run the resulting binary on a variety of more recent Tru64 machines.
>
> I'm not getting a core dump; in fact httpd doesn't even start. I just get the error mentioned above. The daemon runs fine without -DSSL.
>
> As probably happens too often on this list, this matter is rather urgent for us.
>
> Thanks.
>
> --
> Dan Stromberg UCI/NACS/DCS

--
Dan Stromberg UCI/NACS/DCS
Pls help
Any help on this will be highly appreciated... thanx.

Hi there,

I've a linux box running Apache/1.3.26 (Unix) mod_ssl/2.8.9 OpenSSL/0.9.6d.

The box gets extremely loaded when I have

...
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
...

in the httpd.conf file. As soon as I change the connect line to

SSLRandomSeed connect file:/dev/urandom 1024

everything seems fine. Any idea what was causing the server to be busy?

Thanx
- Jays.
Re: SSL reverse proxy + Client Cert auth
On Sun, Aug 18, 2002 at 11:40:13PM -0700, Anbuchezhian Chelliah wrote:
> Hi Danny,
> I guess I understood your doubt. If not, please ignore this. There should be a 'ca-bundle.crt' file in which you can put the third party's certificate, and you could give that a try.

Whoa! If you are running your own CA and only want your https server to accept certs signed by that CA, then YOU MUST NOT USE THE ca-bundle.crt FILE!!! Replace it with your own cacert instead. Otherwise you are actually telling your https server that *any* cert signed by *any* CA is valid, which may not be what you want...

This is especially pertinent given the huge SSL hole found in IE/Konqueror recently...

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
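The configuration below is an added example for the setup Danny asked about, built around the point Jason makes here; it is not from the thread, and the hostnames, file paths and issuer DN in it are assumptions. It also bears on Dave's Thawte symptom earlier on the page, which is the same misconfiguration seen from the browser side: the server lists every CA name found in SSLCACertificateFile/SSLCACertificatePath in its certificate request, a browser offers whichever of its certificates was issued by one of those names (O and OU play no part in that match), and a bundle that includes Thawte's freemail CA therefore invites the Thawte certificate. Dave's SSLVerifyClient also sits in a <Directory>, which forces a per-directory re-negotiation on the first hit (the "Re-negotiation handshake failed" log line); at VirtualHost scope the client certificate is requested in the initial handshake instead.

```apache
# Added example, not from the thread. Hostnames, paths and the issuer DN
# are assumptions. Apache 1.3 + mod_ssl 2.8 + mod_proxy as an HTTPS reverse
# proxy that accepts client certificates from exactly one issuing CA.

<VirtualHost 192.0.2.10:443>
    ServerName proxy.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

    # WRONG for this purpose: the shipped bundle trusts many public CAs, so a
    # certificate from any of them (a Thawte freemail cert, say) satisfies
    # SSLVerifyClient. The names in this file are also what the server lists
    # in its certificate request, which is why browsers offer such certs.
    #SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt

    # RIGHT: trust only the CA that issues the client certificates, and leave
    # SSLCACertificatePath unset so nothing else is picked up by accident.
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/thirdparty-ca.crt

    # If the issuer publishes a CRL, point at it here (assumed path).
    #SSLCARevocationFile /etc/httpd/conf/ssl.crl/thirdparty-ca.crl

    # Ask for the client certificate in the initial handshake (vhost scope),
    # not per directory, so no re-negotiation is needed on each first hit.
    # Depth 1: the client cert must be issued directly by that CA.
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location />
        SSLOptions +StrictRequire
        # Defence in depth: even if the CA file is later edited, only certs
        # that verified cleanly and carry this issuer DN get through.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
               and %{SSL_CLIENT_I_DN_O} eq "Third Party Ltd"
    </Location>

    # Forward to the plain-HTTP application server. That server must be
    # reachable only from this proxy, or the client-cert check is bypassable.
    ProxyRequests Off
    ProxyPass        / http://app.internal:8080/
    ProxyPassReverse / http://app.internal:8080/
</VirtualHost>
```

Verify the trust list from outside with openssl s_client -connect proxy.example.com:443: the "Acceptable client certificate CA names" section it prints should contain the third party's CA and nothing else. If the whole bundle shows up there, the old SSLCACertificateFile or an SSLCACertificatePath is still in effect.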