RE: how to generate an authoritive CA Certificate?

2002-09-09 Thread Jose Correia (J)



Hi there

There is nothing wrong with your certificate, the browser is correctly picking
up that it isn't from a trusted source. If you were to import the certificate
on to your client machine and add it on to the list of trusted certificates by
your client machine, then that message will go away.

I personally, for testing purposes, just say ok when that message pops up, and
proceed as normal.

Cheers
Jose


  -----Original Message-----
  From: zhaoxd [mailto:[EMAIL PROTECTED]]
  Sent: 10 September 2002 08:05
  To: [EMAIL PROTECTED]
  Subject: how to generate an authoritive CA Certificate?

  hello, everybody:

  Glad to talk to you! I happen to be a learner, so, if I have some problems
  let you feel bad, patient to me, please!

  When I constructed my web station through apache, I met with some problems!

  I made the CA Certificate by myself, and issued a server.crt for my web
  server using this CA, but I found an unexpected warning happened when I
  tried to connect my apache server through MSIE & netscape. There is a
  warning message which says my certificate is not issued by Trusted CA.

  I think the CA generated by myself must have some problems. My question
  is: can guys make CA by themselves?

  If so, the steps I generate my CA are:

      1. create a RSA private key for my CA:
          $ openssl genrsa -des3 -out ca.key 1024
      2. create a self-signed CA Certificate (X509 structure) with the RSA
         key of the CA.
          $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
      3. sign the certificate of my server using sign.sh provided by
         mod_ssl/pkg.contrib/
          $ sign.sh server.csr

  Then I got my server.crt issued by my CA Certificate.

  Are there any problems during the process I generate CA?

  Any help is appreciated! :)

  zhaoxd
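
The point of the reply above, as an added example that is not part of the original thread: a server certificate signed by a private CA fails verification only because the verifier does not trust that CA, and passes once the CA certificate is supplied as trusted. It assumes the openssl CLI is installed; the subject names are constructed, the keys are unencrypted so nothing prompts, and `openssl x509 -req` stands in for sign.sh.

```shell
#!/bin/sh
# Added example. Assumes the openssl CLI is on PATH. Subject names are
# constructed; keys are left unencrypted (no -des3) so nothing prompts.

# Build a private CA and a server certificate signed by it, in directory $1.
make_demo_pki() {
  dir=$1
  # Steps 1 and 2 of the post: CA key plus self-signed CA certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Private CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
  # Server key and certificate signing request.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
  # Step 3: the CA signs the request (openssl x509 -req stands in for sign.sh).
  openssl x509 -req -in "$dir/server.csr" -days 365 \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/server.crt" 2>/dev/null || return 1
}

# is_trusted CERT [CAFILE]: succeeds if CERT chains to a trusted root.
# Without CAFILE only the system trust store is consulted, as a browser would.
is_trusted() {
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  else
    out=$(openssl verify "$1" 2>&1) || true
  fi
  # Decide from the ": OK" success line that openssl verify prints.
  case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

# Report the verdict before and after the CA certificate is trusted.
demo() {
  dir=$(mktemp -d) || return 1
  make_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
  if is_trusted "$dir/server.crt"; then before=trusted; else before=untrusted; fi
  if is_trusted "$dir/server.crt" "$dir/ca.crt"; then after=trusted; else after=untrusted; fi
  rm -rf "$dir"
  echo "$before -> $after"
}

demo
```

The same server.crt is checked both times; only the set of trusted roots changes between the two verdicts.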


httpd.conf

2002-09-09 Thread Cuong Tran

Wondering if some kind soul could help me. I already have 3 name based
virtual hosts set up correctly. Now I'm in the process of creating a SSL
host which I have successfully done. The problem I am having is that all the
normal virtual hosts as a result have been SSL readable as well.
Whereas they once were ok http://localhost, they are now also viewable as
https://localhost also which I do not want.  My SSL section is below along
with 1 virtual host:





# This is for mod_ssl. SSLEngine off
ServerName localhost
DocumentRoot /path
ServerAdmin root@localhost
ServerSignature email



##
## SSL Virtual Host Context
##

#  Apache will only listen on port 80 by default.  Defining the virtual server
#  (below) won't make it automatically listen on the virtual server's port.
Listen 443
#   SSL Session Cache:
#   The cache speeds up processing of multiple parallel requests from
#   the same client.
SSLSessionCache shm:/var/cache/ssl_gcache_data(524288)




ServerName secure
DocumentRoot /path/to/secure
ServerAdmin root@localhost
ServerSignature email
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key





__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



how to generate an authoritive CA Certificate?

2002-09-09 Thread zhaoxd




hello, everybody:

Glad to talk to you! I happen to be a learner, so, if I have some problems
let you feel bad, patient to me, please!

When I constructed my web station through apache, I met with some problems!

I made the CA Certificate by myself, and issued a server.crt for my web
server using this CA, but I found an unexpected warning happened when I
tried to connect my apache server through MSIE & netscape. There is a
warning message which says my certificate is not issued by Trusted CA.

I think the CA generated by myself must have some problems. My question
is: can guys make CA by themselves?

If so, the steps I generate my CA are:

    1. create a RSA private key for my CA:
        $ openssl genrsa -des3 -out ca.key 1024
    2. create a self-signed CA Certificate (X509 structure) with the RSA
       key of the CA.
        $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    3. sign the certificate of my server using sign.sh provided by
       mod_ssl/pkg.contrib/
        $ sign.sh server.csr

Then I got my server.crt issued by my CA Certificate.

Are there any problems during the process I generate CA?

Any help is appreciated! :)

zhaoxd


"undefined symbol: X509_free" when starting apache 2.0.40 with mod_ssl

2002-09-09 Thread Joseph Shraibman

I have openssl 0.9.6g installed in /usr/local/ssl. My ld.so.conf has:
/usr/local/ssl/lib as the first line.  When I try to start apache I get:

Syntax error on line 235 of /usr/local/apache2/conf/httpd.conf:
Cannot load /usr/local/apache2/modules/mod_ssl.so into server: 
/usr/local/apache2/modules/mod_ssl.so: undefined symbol: X509_free

[root@d1 /usr/local/apache2/bin] ldd apache2
 libaprutil.so.0 => /usr/local/apache2/lib/libaprutil.so.0 (0x40015000)
 libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x40032000)
 libdb.so.3 => /lib/libdb.so.3 (0x40038000)
 libexpat.so.0 => /usr/local/apache2/lib/libexpat.so.0 (0x40072000)
 libapr.so.0 => /usr/local/apache2/lib/libapr.so.0 (0x4008f000)
 libm.so.6 => /lib/libm.so.6 (0x400aa000)
 libcrypt.so.1 => /lib/libcrypt.so.1 (0x400c7000)
 libnsl.so.1 => /lib/libnsl.so.1 (0x400f5000)
 libresolv.so.2 => /lib/libresolv.so.2 (0x4010b000)
 libdl.so.2 => /lib/libdl.so.2 (0x4011a000)
 libpthread.so.0 => /lib/libpthread.so.0 (0x4011f000)
 libc.so.6 => /lib/libc.so.6 (0x40132000)
 /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
[root@d1 /usr/local/apache2/bin] ldd ../modules/mod_ssl.so
 libc.so.6 => /lib/libc.so.6 (0x40031000)
 /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)

I configured apache with:
./configure --enable-ssl=shared  --enable-info=shared   --enable-include=shared

-- 
Joseph Shraibman
[EMAIL PROTECTED]
Increase signal to noise ratio.  http://xis.xtenit.com




hang in cgid_init

2002-09-09 Thread Rajesh Rajamani

Hi,
I'm having trouble getting apache 2.0 (HPUX) to work with SSL.   When started with
ssl enabled, the server seems to wait on an accept() call.  Wondering
whether this is due to a misconfiguration or because apache was not compiled
with ssl options.  Appreciate any help on this

Raj

0xc01f6030 in _accept_sys+0x10 () from /usr/lib/libc.2
(gdb) bt
#0  0xc01f6030 in _accept_sys+0x10 () from /usr/lib/libc.2
#1  0xc01feb58 in accept+0xb8 () from /usr/lib/libc.2
#2  0xc4a27044 in cgid_server+0x32c ()
   from /vol1/rrajaman/install_16002/hpapache2/modules/mod_cgid.so
#3  0xc4a275f8 in cgid_init+0x178 ()
   from /vol1/rrajaman/install_16002/hpapache2/modules/mod_cgid.so
#4  0x3734c in ap_run_post_config+0x7c ()
#5  0x3db94 in main+0x8fc ()





Re: non-repudiation

2002-09-09 Thread chuck

You need to make sure that Apache only accepts connections from presenters of client certificates (which your CA has copies of.)  I think this is documented in mod ssl.


TIA
Chuck Lyon
UTS Enterprise Systems
University Park PC 417A
Florida International University
Miami, FL  33199






Sonu Kishore <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
09/09/2002 06:49 AM
Please respond to openssl-users

        
        To:        openca-users <[EMAIL PROTECTED]>, pala <[EMAIL PROTECTED]>, michael <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], Michael Bell <[EMAIL PROTECTED]>
        cc:        [EMAIL PROTECTED], [EMAIL PROTECTED]
        Subject:        non-repudiation


I have successfully issued ca certificate, web server certificate and client
certificate. 
how can i use the issued certificate for non-repudiation.
I want user "x" to access my web site with a certificate issued to him for
accessing the web site.
no one else should be able to access my site using other users web access
certificates.

my web site is configured with apache & tomcat on linux 7.1 redhat

please guide me ..it's urgent

regards
sonu


__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]




non-repudiation

2002-09-09 Thread Sonu Kishore

I have successfully issued ca certificate, web server certificate and client
certificate. 
how can i use the issued certificate for non-repudiation.
I want user "x" to access my web site with a certificate issued to him for
accessing the web site.
no one else should be able to access my site using other users web access
certificates.

my web site is configured with apache & tomcat on linux 7.1 redhat

please guide me ..it's urgent

regards
sonu





Error Code -12281

2002-09-09 Thread [EMAIL PROTECTED]

Hi, I recently tried installing mod_ssl with my apache server on a Debian
unstable system. I've got my keys and everything in place, but when I try
to access https://zoidian.com i get the following error:

zoidian.com has sent an incorrect or unexpected message: Error Code: -12281

That's from Mozilla. When I try curl https://localhost I get the following:

curl: (35) SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

And when I try openssl s_client -connect localhost:443 -state -debug i get:

CONNECTED(0003)
SSL_connect:before/connect initialization
write to 0809A270 [0809A2B8] (124 bytes => 124 (0x7C))
 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .zQ... .
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04   .f..
0020 - 03 00 80 01 00 80 08 00-80 00 00 65 00 00 64 00   ...e..d.
0030 - 00 63 00 00 62 00 00 61-00 00 60 00 00 15 00 00   .c..b..a..`.
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ..@.
0050 - 00 00 06 00 00 03 04 00-80 02 00 80 68 bf 32 a8   h.2.
0060 - 08 cd 08 82 06 dc 2d 6d-9b c0 fe 4e 9b e8 4d f2   ..-m...N..M.
0070 - 5d 73 ce 40 96 25 f0 42-9f 27 64 16   ]s.@.%.B.'d.
SSL_connect:SSLv2/v3 write client hello A
read from 0809A270 [0809F818] (7 bytes => 7 (0x7))
 - 0a 3c 21 2d 2d 20 42  .