RE: ErrorLog not allowed here
Title: Message Options FollowSymLinks AllowOverride None This is the Standard Syntax Right ?So I added one here the Below# This should be changed to whatever you set DocumentRoot to.#So If this is above correct... Now I am getting this is not allowed here for## This controls which options the .htaccess files in directories can# override. Can also be "All", or any combination of "Options", "FileInfo",# "AuthConfig", and "Limit"### AllowOverride None-Original Message-From: Jeff Bert [mailto:[EMAIL PROTECTED]]Sent: Friday, October 04, 2002 9:56 PMTo: [EMAIL PROTECTED]Subject: Re: ErrorLog not allowed hereDid you put it inside a Directory tag? It's not allowed there. Jeff> Hello,> ./httpd -t> Syntax error on line 469 of /apache/conf/httpd.conf:> ErrorLog not allowed here>> Why is this not allowed here.. ?? Do all the Tags have> to match ? Is this the issue ?>> __> Apache Interface to OpenSSL (mod_ssl) www.modssl.org> User Support Mailing List [EMAIL PROTECTED]> Automated List Manager [EMAIL PROTECTED]>__Apache Interface to OpenSSL (mod_ssl) www.modssl.orgUser Support Mailing List [EMAIL PROTECTED]Automated List Manager [EMAIL PROTECTED]
Re: ErrorLog not allowed here
Did you put it inside a Directory tag? It's not allowed there. Jeff > Hello, > ./httpd -t > Syntax error on line 469 of /apache/conf/httpd.conf: > ErrorLog not allowed here > > Why is this not allowed here.. ?? Do all the Tags have to > match ? > Is this the issue ? > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
ErrorLog not allowed here
Hello, ./httpd -t Syntax error on line 469 of /apache/conf/httpd.conf: ErrorLog not allowed here Why is this not allowed here.. ?? Do all the Tags have to match ? Is this the issue ? __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: mod_ssl 2.8.11-1.3.27
Ok, I finally got it .. I hope.. I am now getting configuration errors again.. Line 340 # Controls who can get stuff from this server. 339 # 340 Order allow,deny 341 Allow from all 342 343 -Original Message- From: Zandi Patrick S TSgt AFRL/IFOSS [mailto:[EMAIL PROTECTED]] Sent: Friday, October 04, 2002 8:39 PM To: '[EMAIL PROTECTED]' Subject: mod_ssl 2.8.11-1.3.27 I am getting the following error [04/Oct/2002 20:35:32 00056] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence [04/Oct/2002 20:30:52 29344] [info] Server: Apache/1.3.27, Interface: mod_ssl/2.8.11, Library: OpenSSL/0.9.6g On Solaris 9, Also Everytime I compile and make apache shared core -- boom I am getting core Bus Bombs.. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
mod_ssl 2.8.11-1.3.27
I am getting the following error [04/Oct/2002 20:35:32 00056] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence [04/Oct/2002 20:30:52 29344] [info] Server: Apache/1.3.27, Interface: mod_ssl/2.8.11, Library: OpenSSL/0.9.6g On Solaris 9, Also Everytime I compile and make apache shared core -- boom I am getting core Bus Bombs.. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: [ANNOUNCE] mod_ssl 2.8.11-1.3.27
Thanks Andreas, I appreciate the thought. Jeff > ok, > > i just wanted to say that to prevent any confusions you may have been a > victim off. Your post read like it. > > andreas > > > > well, I already upgraded to openssl- > 0.9.6g back with apache-1.3.26 and > > modssl 2.8.10 > > > Jeff > > > this new release has AFAIK nothing to do with the openssl-vulns. > > > > It is a release for the today released apache-1.3.27 which fixes 3 vulns > in > > the apache itself. > > > > If you want to fix the vulns in SSL you have to upgrade or patch your > > openssl-package. > > > > Andreas > > > > > > e-admin internet gmbh > > andreas gietl > > ludwig-thoma-strasse 35 > > 93051 Regensburg > > > > > > -Ursprüngliche Nachricht- > > Von: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED]]Im Auftrag von Jeff Bert > > Gesendet: Freitag, 4. Oktober 2002 18:56 > > An: [EMAIL PROTECTED] > > Betreff: Re: [ANNOUNCE] mod_ssl 2.8.11-1.3.27 > > > > > > Thanks Ralf for keeping up on this. I run apache/mod_ssl server as a > hobby > > for friends' websites and have been actually having quite a number of > people > > trying the ssl hack on my server. > > > > Jeff > > > > > As you've hopefully recognized, the ASF released Apache 1.3.27, which > > > includes important security fixes. The corresponding mod_ssl 2.8.11 for > > > this version is now available, too. > > > > > > Fetch it from: > > > > > > http://www.modssl.org/source/ > > > ftp://ftp.modssl.org/source/ > > >Ralf S. Engelschall > > >[EMAIL PROTECTED] > > >www.engelschall.com > > > > > > Changes with mod_ssl 2.8.11 (24-Jun-2002 to 04-Oct-2002) > > > > > >*) Upgraded to Apache 1.3.27. > > > > > >*) Fixed internal error handling for CRL verification. > > > > > >*) Initialize OpenSSL ENGINE before initializing OpenSSL > > > to workaround problems with the PRNG. > > > > > >*) Also find "openssl" executable in "sbin" directories. > > > > > >*) Honor specified number of maximum bytes on SSLRandomSeed > > > if reading from EGD. > > > > > >*) Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables. > > > __ > > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > > > User Support Mailing List [EMAIL PROTECTED] > > > Automated List Manager[EMAIL PROTECTED] > > > > > > > __ > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > > User Support Mailing List [EMAIL PROTECTED] > > Automated List Manager[EMAIL PROTECTED] > > > > __ > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > > User Support Mailing List [EMAIL PROTECTED] > > Automated List Manager[EMAIL PROTECTED] > > > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
MSIE fail in SSLV3 connection with trusted intermediate authority.
Apache: httpd-2.0.40 OpenSSL: openssl-0.9.6g On a same HTTPS Apache server and with same client certificate, all connections from MSIE have failed, but all NS connections are issued properly. MSIE with same client certificate, and same trusted intermediate authority one HTTPS Iplanet server 4 connect properly. MSIE connect properly to HTPPS Apache sever when i use a certificate that is signed directly by root CA not from intermediate CA. I use SSLV3 Protocol to protect a sub-directory with this setting: SSLVerifyDepth 2 SSLVerifyClient require SSLCACertificateFile R:\PDCI\dciweb\Apache2\dciwebca.crt SSLOptions +ExportCertData +OptRenegotiate Log file with debug setting gives: God connection with NSE V4.7 [Mon Sep 30 14:39:24 2002] [debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 1, subject: /C=FR/ST=France/L=Puteaux/O=Reuters/OU=Reuters Financial SoftWare/CN=Reuters Financial SoftWare test [EMAIL PROTECTED], issuer: /C=FR/ST=France/L=Puteaux/O=Reuters/OU=Reuters Financial SoftWare/CN=Reuters Financial SoftWare test [EMAIL PROTECTED] [Mon Sep 30 14:39:24 2002] [debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 0, subject: /C=FR/ST=France/L=Puteaux/O=Reuters/OU=Reuters Financial SoftWare/CN=RCF User [EMAIL PROTECTED], issuer: /C=FR/ST=France/L=Puteaux/O=Reuters/OU=Reuters Financial SoftWare/CN=Reuters Financial SoftWare test [EMAIL PROTECTED] [Mon Sep 30 14:39:24 2002] [debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read client certificate A [Mon Sep 30 14:39:24 2002] [debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read client key exchange A [Mon Sep 30 14:39:24 2002] [debug] ssl_engine_kernel.c(1854): OpenSSL: Loop: SSLv3 read certificate verify A Bad connection vith MSIE 6 [Mon Sep 30 14:55:01 2002] [debug] ssl_engine_kernel.c(1294): Certificate Verification: depth: 1, subject: /C=FR/ST=France/L=Puteaux/O=Reuters/OU=Reuters Financial SoftWare/CN=RCF User [EMAIL PROTECTED], issuer: /C=FR/ST=France/L=Puteaux/O=Reuters/OU=Reuters Financial SoftWare/CN=Reuters Financial SoftWare test [EMAIL PROTECTED] [Mon Sep 30 14:55:01 2002] [error] Certificate Verification: Error (24): invalid CA certificate [Mon Sep 30 14:55:01 2002] [debug] ssl_engine_kernel.c(1864): OpenSSL: Write: SSLv3 read client certificate B [Mon Sep 30 14:55:01 2002] [debug] ssl_engine_kernel.c(1883): OpenSSL: Exit: error in SSLv3 read client certificate B Best regards [EMAIL PROTECTED] - --- Visit our Internet site at http://www.reuters.com Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
AW: [ANNOUNCE] mod_ssl 2.8.11-1.3.27
ok, i just wanted to say that to prevent any confusions you may have been a victim off. Your post read like it. andreas > well, I already upgraded to openssl- > 0.9.6g back with apache-1.3.26 and > modssl 2.8.10 > Jeff > this new release has AFAIK nothing to do with the openssl-vulns. > > It is a release for the today released apache-1.3.27 which fixes 3 vulns in > the apache itself. > > If you want to fix the vulns in SSL you have to upgrade or patch your > openssl-package. > > Andreas > > > e-admin internet gmbh > andreas gietl > ludwig-thoma-strasse 35 > 93051 Regensburg > > > -Ursprüngliche Nachricht- > Von: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]]Im Auftrag von Jeff Bert > Gesendet: Freitag, 4. Oktober 2002 18:56 > An: [EMAIL PROTECTED] > Betreff: Re: [ANNOUNCE] mod_ssl 2.8.11-1.3.27 > > > Thanks Ralf for keeping up on this. I run apache/mod_ssl server as a hobby > for friends' websites and have been actually having quite a number of people > trying the ssl hack on my server. > > Jeff > > > As you've hopefully recognized, the ASF released Apache 1.3.27, which > > includes important security fixes. The corresponding mod_ssl 2.8.11 for > > this version is now available, too. > > > > Fetch it from: > > > > http://www.modssl.org/source/ > > ftp://ftp.modssl.org/source/ > >Ralf S. Engelschall > >[EMAIL PROTECTED] > >www.engelschall.com > > > > Changes with mod_ssl 2.8.11 (24-Jun-2002 to 04-Oct-2002) > > > >*) Upgraded to Apache 1.3.27. > > > >*) Fixed internal error handling for CRL verification. > > > >*) Initialize OpenSSL ENGINE before initializing OpenSSL > > to workaround problems with the PRNG. > > > >*) Also find "openssl" executable in "sbin" directories. > > > >*) Honor specified number of maximum bytes on SSLRandomSeed > > if reading from EGD. > > > >*) Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables. > > __ > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > > User Support Mailing List [EMAIL PROTECTED] > > Automated List Manager[EMAIL PROTECTED] > > > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: [ANNOUNCE] mod_ssl 2.8.11-1.3.27
well, I already upgraded to openssl-0.9.6g back with apache-1.3.26 and modssl 2.8.10 Jeff > this new release has AFAIK nothing to do with the openssl-vulns. > > It is a release for the today released apache-1.3.27 which fixes 3 vulns in > the apache itself. > > If you want to fix the vulns in SSL you have to upgrade or patch your > openssl-package. > > Andreas > > > e-admin internet gmbh > andreas gietl > ludwig-thoma-strasse 35 > 93051 Regensburg > > > -Ursprüngliche Nachricht- > Von: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED]]Im Auftrag von Jeff Bert > Gesendet: Freitag, 4. Oktober 2002 18:56 > An: [EMAIL PROTECTED] > Betreff: Re: [ANNOUNCE] mod_ssl 2.8.11-1.3.27 > > > Thanks Ralf for keeping up on this. I run apache/mod_ssl server as a hobby > for friends' websites and have been actually having quite a number of people > trying the ssl hack on my server. > > Jeff > > > As you've hopefully recognized, the ASF released Apache 1.3.27, which > > includes important security fixes. The corresponding mod_ssl 2.8.11 for > > this version is now available, too. > > > > Fetch it from: > > > > http://www.modssl.org/source/ > > ftp://ftp.modssl.org/source/ > >Ralf S. Engelschall > >[EMAIL PROTECTED] > >www.engelschall.com > > > > Changes with mod_ssl 2.8.11 (24-Jun-2002 to 04-Oct-2002) > > > >*) Upgraded to Apache 1.3.27. > > > >*) Fixed internal error handling for CRL verification. > > > >*) Initialize OpenSSL ENGINE before initializing OpenSSL > > to workaround problems with the PRNG. > > > >*) Also find "openssl" executable in "sbin" directories. > > > >*) Honor specified number of maximum bytes on SSLRandomSeed > > if reading from EGD. > > > >*) Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables. > > __ > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > > User Support Mailing List [EMAIL PROTECTED] > > Automated List Manager[EMAIL PROTECTED] > > > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Multiple _identical_ servers with different server names
Hi there, On Thursday 03 Oct 2002 4:18 am, Boyle Owen wrote: > You mean you have one IP address and one FQDN but many physical machines? > > Then you need a load-balancer. That is, the LB carries the external IP > address so all packets are routed initially to it. Then it re-routes the > packets to one of the internal servers according to various rules (e.g. > randomly, round-robin, based on IP range etc.). > > There are several complications in an SSL environment: > > - the LB can't look inside the packets to see any HTTP attributes (such as > Host header). It can only work with the IP and port (this is why name-based > virtual hosting doesn't work with SSL). - SSL servers usually keep-alive > the session so that the session key does not have to be renegotiated for > every transaction. Obviously, if you have more than one server, the LB has > to make sure that each client always gets the same server on subsequent > requests. Or you use any non-SSL-sensitive load-balancing you like (eg. regular NAT load-balancing in your gateway) and replace the SSL session cache with; http://www.distcache.org/ :-) Yes, such a shameless plug. However, on that subject I expect to be updating the httpd integration soon for the latest apache2 (currently the patching is only known to work "out-of-the-box" with 2.0.39 but may well work fine with later versions). I've had distcache working with apache 1.3.*-mod_ssl but the problem is producing a patchkit against mod_ssl which is itself, essentially, a patch kit. If there are actually people who will clearly state an interest in having this, it might stimulate me to work on the apache 1.3.* integration more. :-) Cheers, Geoff __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
AW: [ANNOUNCE] mod_ssl 2.8.11-1.3.27
this new release has AFAIK nothing to do with the openssl-vulns. It is a release for the today released apache-1.3.27 which fixes 3 vulns in the apache itself. If you want to fix the vulns in SSL you have to upgrade or patch your openssl-package. Andreas e-admin internet gmbh andreas gietl ludwig-thoma-strasse 35 93051 Regensburg -Ursprüngliche Nachricht- Von: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]Im Auftrag von Jeff Bert Gesendet: Freitag, 4. Oktober 2002 18:56 An: [EMAIL PROTECTED] Betreff: Re: [ANNOUNCE] mod_ssl 2.8.11-1.3.27 Thanks Ralf for keeping up on this. I run apache/mod_ssl server as a hobby for friends' websites and have been actually having quite a number of people trying the ssl hack on my server. Jeff > As you've hopefully recognized, the ASF released Apache 1.3.27, which > includes important security fixes. The corresponding mod_ssl 2.8.11 for > this version is now available, too. > > Fetch it from: > > http://www.modssl.org/source/ > ftp://ftp.modssl.org/source/ >Ralf S. Engelschall >[EMAIL PROTECTED] >www.engelschall.com > > Changes with mod_ssl 2.8.11 (24-Jun-2002 to 04-Oct-2002) > >*) Upgraded to Apache 1.3.27. > >*) Fixed internal error handling for CRL verification. > >*) Initialize OpenSSL ENGINE before initializing OpenSSL > to workaround problems with the PRNG. > >*) Also find "openssl" executable in "sbin" directories. > >*) Honor specified number of maximum bytes on SSLRandomSeed > if reading from EGD. > >*) Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables. > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: [ANNOUNCE] mod_ssl 2.8.11-1.3.27
Thanks Ralf for keeping up on this. I run apache/mod_ssl server as a hobby for friends' websites and have been actually having quite a number of people trying the ssl hack on my server. Jeff > As you've hopefully recognized, the ASF released Apache 1.3.27, which > includes important security fixes. The corresponding mod_ssl 2.8.11 for > this version is now available, too. > > Fetch it from: > > http://www.modssl.org/source/ > ftp://ftp.modssl.org/source/ >Ralf S. Engelschall >[EMAIL PROTECTED] >www.engelschall.com > > Changes with mod_ssl 2.8.11 (24-Jun-2002 to 04-Oct-2002) > >*) Upgraded to Apache 1.3.27. > >*) Fixed internal error handling for CRL verification. > >*) Initialize OpenSSL ENGINE before initializing OpenSSL > to workaround problems with the PRNG. > >*) Also find "openssl" executable in "sbin" directories. > >*) Honor specified number of maximum bytes on SSLRandomSeed > if reading from EGD. > >*) Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables. > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: mod_ssl with apache 1.3.27 ?
On Fri, Oct 04, 2002 at 04:35:58PM +, Stefan Nicolin wrote: > Hi, > > Apache 1.3.27 was released. Is there a way to build it with > the actual mod_ssl-2.8.10 ? Well this is more a rhetoric > question. My only concern is the possibility to build > apache with mod_ssl soon. > As "http://www.modssl.org/news/state.html"; states, the next > release of mod_ssl will be triggerd when apache 1.3.28 cames > out. So with apache 1.3.27 there is no go ? > It has already been released - see http://www.modssl.org/source/ it is just the front page that has not been updated yet. vh Mads Toftum -- `Darn it, who spiked my coffee with water?!' - lwall __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: mod_ssl with apache 1.3.27 ?
Ralf has just announced in this list the new relased version of mod_ssl: 2.8.11 -Original Message- From: Stefan Nicolin [mailto:[EMAIL PROTECTED]] Sent: 04 October 2002 18:36 To: [EMAIL PROTECTED] Subject: mod_ssl with apache 1.3.27 ? Hi, Apache 1.3.27 was released. Is there a way to build it with the actual mod_ssl-2.8.10 ? Well this is more a rhetoric question. My only concern is the possibility to build apache with mod_ssl soon. As "http://www.modssl.org/news/state.html"; states, the next release of mod_ssl will be triggerd when apache 1.3.28 cames out. So with apache 1.3.27 there is no go ? Thanks, Stefan -- One Unix to rule them all, One Resolver to find them, One IP to bring them all and in the zone bind them. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
mod_ssl with apache 1.3.27 ?
Hi, Apache 1.3.27 was released. Is there a way to build it with the actual mod_ssl-2.8.10 ? Well this is more a rhetoric question. My only concern is the possibility to build apache with mod_ssl soon. As "http://www.modssl.org/news/state.html"; states, the next release of mod_ssl will be triggerd when apache 1.3.28 cames out. So with apache 1.3.27 there is no go ? Thanks, Stefan -- One Unix to rule them all, One Resolver to find them, One IP to bring them all and in the zone bind them. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
[ANNOUNCE] mod_ssl 2.8.11-1.3.27
As you've hopefully recognized, the ASF released Apache 1.3.27, which includes important security fixes. The corresponding mod_ssl 2.8.11 for this version is now available, too. Fetch it from: http://www.modssl.org/source/ ftp://ftp.modssl.org/source/ Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com Changes with mod_ssl 2.8.11 (24-Jun-2002 to 04-Oct-2002) *) Upgraded to Apache 1.3.27. *) Fixed internal error handling for CRL verification. *) Initialize OpenSSL ENGINE before initializing OpenSSL to workaround problems with the PRNG. *) Also find "openssl" executable in "sbin" directories. *) Honor specified number of maximum bytes on SSLRandomSeed if reading from EGD. *) Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled"
Yes it's AJPv13 Olivier. - Original Message - From: "Jose Correia (J)" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, October 04, 2002 12:09 PM Subject: RE: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled" By the way you are using AJPv13 and not AJPv12 on Tomcat right? Tomcat needs AJPv13 to identify requests made via HTTPS. Regards Jose -Original Message- From: ROUITS Olivier [mailto:[EMAIL PROTECTED]] Sent: 04 October 2002 12:05 To: [EMAIL PROTECTED] Subject: Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled" Our application is only in HTTPS, there is no unsecured content because all is forwarded to Tomcat (JSP/Images/HTML) in a virtual host that listen to 443 port. 80 port is not open on apache front machine. On IE 5.5 with 700Mhz pentium there is no problem On IE 6 the problem is systematic for certain multi frame pages. All the frames are updated simultaneously by "onLoad" javascript event on one of the frames. When only one frame is updated, no problem. Sometimes in navigation, some frames are not refreshed, requests are broken... I think that send requests at the same time (with javascript) to refresh a lot of frames (4 or 5) on the browser, breaks theses requests (in HTTPS on our configuration). Then the message "Navigation Canceled" is sent on a blank page in theses frames, but not in HTTPS mode (?), it's here that the message is shown in IE: "unsecured and secured data in page" (something like that, i'm french...). We have also this configuration (2 Linux machines interconnected by AJP) on Linux/390 (2 virtual linux/390 on IBM mainframe under zVM) with the front apache server in DMZ (internet access) and Tomcat server in PRODUCTION ZONE. Here it's worse, because of latency introduced by FIREWALLS, rooters, virtual machines wake up, and mainframe overload (many users connected on others virtual machines), ... in ssl_engine_log i see: Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits) in mod_jk.log i have a lot of error like: [Wed Oct 02 10:53:01 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 10:56:02 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 11:02:16 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 11:02:52 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 11:33:07 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 11:34:21 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 12:44:43 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 12:48:39 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed Best regards. - Original Message - From: "Clayton" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, October 04, 2002 10:54 AM Subject: RE: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled" I don't think the problem is about any thing u mentioned which is IE6 and apache+mod_ssl+mod_jk+tomcat HTTPS. The common sense tell me that we shouldn't put unsecured and secured content together, you did mention those errors happened in some frame pages, within one page which u like users to connect. So, if u tried not to put those content together, I think u probably won't see the error message any more. Wish u make it solved. Best regards, Clayton Chen : ) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ROUITS Olivier Sent: Friday, October 04, 2002 3:53 PM To: [EMAIL PROTECTED] Subject: Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled" I'm going watch SSL Directives for this problem, it's very strange because its a random problem. I think there is a timout in IE for HTTPS (?) and mod_ssl+mod_jk forwarding is too slow for this timeout. Thanks! - Original Message - From: "Harald Koch" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, October 03, 2002 7:23 PM Subject: Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled" > On some frames of web pages we have the message: "Navigation Canceled" = > and IE says that the page has secured and unsecured elements. > > This pages are JSP pages from an front Apache Linux server that forward = > requests with AJP (mod_jk, AJP 1.3) to another TOMCAT (4.0.3) Linux = > server. > > In simple HTTP protocol there is no problem, Apache+AJP+Tomcat works = > fine. This sounds to me like someone is redirecting HTTPS to HTTP, instead of maintaining the 'over SSL' status of the URL... Strange that you describe it as intermittent, though. Maybe a caching-related issue? Sorry this isn't more helpful... -- Harald Koch <[EMAIL PROTECTED]> "It takes a child to raze a village." -Michael T. Fry _
RE: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled"
By the way you are using AJPv13 and not AJPv12 on Tomcat right? Tomcat needs AJPv13 to identify requests made via HTTPS. Regards Jose -Original Message- From: ROUITS Olivier [mailto:[EMAIL PROTECTED]] Sent: 04 October 2002 12:05 To: [EMAIL PROTECTED] Subject: Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled" Our application is only in HTTPS, there is no unsecured content because all is forwarded to Tomcat (JSP/Images/HTML) in a virtual host that listen to 443 port. 80 port is not open on apache front machine. On IE 5.5 with 700Mhz pentium there is no problem On IE 6 the problem is systematic for certain multi frame pages. All the frames are updated simultaneously by "onLoad" javascript event on one of the frames. When only one frame is updated, no problem. Sometimes in navigation, some frames are not refreshed, requests are broken... I think that send requests at the same time (with javascript) to refresh a lot of frames (4 or 5) on the browser, breaks theses requests (in HTTPS on our configuration). Then the message "Navigation Canceled" is sent on a blank page in theses frames, but not in HTTPS mode (?), it's here that the message is shown in IE: "unsecured and secured data in page" (something like that, i'm french...). We have also this configuration (2 Linux machines interconnected by AJP) on Linux/390 (2 virtual linux/390 on IBM mainframe under zVM) with the front apache server in DMZ (internet access) and Tomcat server in PRODUCTION ZONE. Here it's worse, because of latency introduced by FIREWALLS, rooters, virtual machines wake up, and mainframe overload (many users connected on others virtual machines), ... in ssl_engine_log i see: Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits) in mod_jk.log i have a lot of error like: [Wed Oct 02 10:53:01 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 10:56:02 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 11:02:16 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 11:02:52 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 11:33:07 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 11:34:21 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 12:44:43 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 12:48:39 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed Best regards. - Original Message - From: "Clayton" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, October 04, 2002 10:54 AM Subject: RE: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled" I don't think the problem is about any thing u mentioned which is IE6 and apache+mod_ssl+mod_jk+tomcat HTTPS. The common sense tell me that we shouldn't put unsecured and secured content together, you did mention those errors happened in some frame pages, within one page which u like users to connect. So, if u tried not to put those content together, I think u probably won't see the error message any more. Wish u make it solved. Best regards, Clayton Chen : ) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ROUITS Olivier Sent: Friday, October 04, 2002 3:53 PM To: [EMAIL PROTECTED] Subject: Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled" I'm going watch SSL Directives for this problem, it's very strange because its a random problem. I think there is a timout in IE for HTTPS (?) and mod_ssl+mod_jk forwarding is too slow for this timeout. Thanks! - Original Message - From: "Harald Koch" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, October 03, 2002 7:23 PM Subject: Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled" > On some frames of web pages we have the message: "Navigation Canceled" = > and IE says that the page has secured and unsecured elements. > > This pages are JSP pages from an front Apache Linux server that forward = > requests with AJP (mod_jk, AJP 1.3) to another TOMCAT (4.0.3) Linux = > server. > > In simple HTTP protocol there is no problem, Apache+AJP+Tomcat works = > fine. This sounds to me like someone is redirecting HTTPS to HTTP, instead of maintaining the 'over SSL' status of the URL... Strange that you describe it as intermittent, though. Maybe a caching-related issue? Sorry this isn't more helpful... -- Harald Koch <[EMAIL PROTECTED]> "It takes a child to raze a village." -Michael T. Fry __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __
Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled"
Our application is only in HTTPS, there is no unsecured content because all is forwarded to Tomcat (JSP/Images/HTML) in a virtual host that listen to 443 port. 80 port is not open on apache front machine. On IE 5.5 with 700Mhz pentium there is no problem On IE 6 the problem is systematic for certain multi frame pages. All the frames are updated simultaneously by "onLoad" javascript event on one of the frames. When only one frame is updated, no problem. Sometimes in navigation, some frames are not refreshed, requests are broken... I think that send requests at the same time (with javascript) to refresh a lot of frames (4 or 5) on the browser, breaks theses requests (in HTTPS on our configuration). Then the message "Navigation Canceled" is sent on a blank page in theses frames, but not in HTTPS mode (?), it's here that the message is shown in IE: "unsecured and secured data in page" (something like that, i'm french...). We have also this configuration (2 Linux machines interconnected by AJP) on Linux/390 (2 virtual linux/390 on IBM mainframe under zVM) with the front apache server in DMZ (internet access) and Tomcat server in PRODUCTION ZONE. Here it's worse, because of latency introduced by FIREWALLS, rooters, virtual machines wake up, and mainframe overload (many users connected on others virtual machines), ... in ssl_engine_log i see: Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits) in mod_jk.log i have a lot of error like: [Wed Oct 02 10:53:01 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 10:56:02 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 11:02:16 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 11:02:52 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 11:33:07 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 11:34:21 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 12:44:43 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 12:48:39 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed Best regards. - Original Message - From: "Clayton" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Friday, October 04, 2002 10:54 AM Subject: RE: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled" I don't think the problem is about any thing u mentioned which is IE6 and apache+mod_ssl+mod_jk+tomcat HTTPS. The common sense tell me that we shouldn't put unsecured and secured content together, you did mention those errors happened in some frame pages, within one page which u like users to connect. So, if u tried not to put those content together, I think u probably won't see the error message any more. Wish u make it solved. Best regards, Clayton Chen : ) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ROUITS Olivier Sent: Friday, October 04, 2002 3:53 PM To: [EMAIL PROTECTED] Subject: Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled" I'm going watch SSL Directives for this problem, it's very strange because its a random problem. I think there is a timout in IE for HTTPS (?) and mod_ssl+mod_jk forwarding is too slow for this timeout. Thanks! - Original Message - From: "Harald Koch" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, October 03, 2002 7:23 PM Subject: Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled" > On some frames of web pages we have the message: "Navigation Canceled" = > and IE says that the page has secured and unsecured elements. > > This pages are JSP pages from an front Apache Linux server that forward = > requests with AJP (mod_jk, AJP 1.3) to another TOMCAT (4.0.3) Linux = > server. > > In simple HTTP protocol there is no problem, Apache+AJP+Tomcat works = > fine. This sounds to me like someone is redirecting HTTPS to HTTP, instead of maintaining the 'over SSL' status of the URL... Strange that you describe it as intermittent, though. Maybe a caching-related issue? Sorry this isn't more helpful... -- Harald Koch <[EMAIL PROTECTED]> "It takes a child to raze a village." -Michael T. Fry __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl)
RE: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled"
I don't think the problem is about any thing u mentioned which is IE6 and apache+mod_ssl+mod_jk+tomcat HTTPS. The common sense tell me that we shouldn't put unsecured and secured content together, you did mention those errors happened in some frame pages, within one page which u like users to connect. So, if u tried not to put those content together, I think u probably won't see the error message any more. Wish u make it solved. Best regards, Clayton Chen : ) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ROUITS Olivier Sent: Friday, October 04, 2002 3:53 PM To: [EMAIL PROTECTED] Subject: Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled" I'm going watch SSL Directives for this problem, it's very strange because its a random problem. I think there is a timout in IE for HTTPS (?) and mod_ssl+mod_jk forwarding is too slow for this timeout. Thanks! - Original Message - From: "Harald Koch" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, October 03, 2002 7:23 PM Subject: Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled" > On some frames of web pages we have the message: "Navigation Canceled" = > and IE says that the page has secured and unsecured elements. > > This pages are JSP pages from an front Apache Linux server that forward = > requests with AJP (mod_jk, AJP 1.3) to another TOMCAT (4.0.3) Linux = > server. > > In simple HTTP protocol there is no problem, Apache+AJP+Tomcat works = > fine. This sounds to me like someone is redirecting HTTPS to HTTP, instead of maintaining the 'over SSL' status of the URL... Strange that you describe it as intermittent, though. Maybe a caching-related issue? Sorry this isn't more helpful... -- Harald Koch <[EMAIL PROTECTED]> "It takes a child to raze a village." -Michael T. Fry __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled"
I'm going watch SSL Directives for this problem, it's very strange because its a random problem. I think there is a timout in IE for HTTPS (?) and mod_ssl+mod_jk forwarding is too slow for this timeout. Thanks! - Original Message - From: "Harald Koch" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, October 03, 2002 7:23 PM Subject: Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: "Navigation Canceled" > On some frames of web pages we have the message: "Navigation Canceled" = > and IE says that the page has secured and unsecured elements. > > This pages are JSP pages from an front Apache Linux server that forward = > requests with AJP (mod_jk, AJP 1.3) to another TOMCAT (4.0.3) Linux = > server. > > In simple HTTP protocol there is no problem, Apache+AJP+Tomcat works = > fine. This sounds to me like someone is redirecting HTTPS to HTTP, instead of maintaining the 'over SSL' status of the URL... Strange that you describe it as intermittent, though. Maybe a caching-related issue? Sorry this isn't more helpful... -- Harald Koch <[EMAIL PROTECTED]> "It takes a child to raze a village." -Michael T. Fry __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]