RE: SSL Not Working from Outside LAN

Have you also run ipchains -L to see what you get? You may well have set up a firewall that prevents packets coming in. If you get this:

    ipchains: Incompatible with this kernel

then you don't have a firewall on the server. If you get anything else, it could be stopping packets coming in.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD
Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299  Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

Theories of evolution are like buses - there'll be another one along in a minute

-----Original Message-----
From: Jeff Umstead [mailto:[EMAIL PROTECTED]]
Sent: 06 October 2002 16:03
To: [EMAIL PROTECTED]
Subject: Re: SSL Not Working from Outside LAN

Good idea! I'll have to wait until tomorrow to try that. I did however do some packet sniffing and noticed that TCP packets from outside the firewall do get to the web server and the web server returns TCP packets, but it never returns any SSL (actually SSLv2 protocol, I think) packets. Watching the packets for HTTP, the TCP and HTTP packets pass back and forth.

Thanks
--
Jeff Umstead
IS Director
Merrill Tool Holding Company
Saginaw MI USA

On 6 Oct 2002 at 10:10, Jeffrey Burgoyne wrote:

> How about a simple test to ensure it is not the firewall. Set Apache to listen for HTTPS on port 80, which you already know works outside the firewall. Then you can easily test to ensure it is not the firewall.
>
> Jeff
>
> On Sun, 6 Oct 2002, Jeff Umstead wrote:
>
> > I've recently added a Red Hat 7.3 Linux server to our network running Apache and mod_ssl. My problem is I can't make an https (over standard port 443) connection from outside our network. I can connect via http (port 80) from both inside and outside our LAN. I have the necessary port pass-throughs, firewall rules etc. in place for both ports. It works perfectly from inside our LAN (subnet) to either http or https, but not from our other sites (different subnets) or from the internet.
> >
> > I believe the problem is either an incorrect setting in httpd.conf or perhaps in a network configuration file I've overlooked. Or ??? Any help / tips would be greatly appreciated.

__________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
RE: Installing mod_ssl

You actually have several options:

1. Use the mod_ssl, mm and apache packages that come with the Red Hat Linux 7.3 system. These are out of date, but you can get the latest by registering with https://rhn.redhat.com. Some people don't like the fact that these are not the latest versions, merely backported to the latest fix. It doesn't bother me though. The latest openssl update from Red Hat prevents the Linux Slapper worm from infecting your systems.

2. Remove the apache, mm and mod_ssl rpm packages and recompile them.

In the second case, you have two options:

1. Compile against the openssl that comes with 7.3. In this case you'll need to install the openssl-devel rpm package.

2. Compile against the latest openssl files. In that case I believe you'd need to install the openssl binary into a directory other than /usr/bin (see http://www.openssl.org/support/faq.cgi#BUILD8). If I'm wrong on this hopefully someone will correct me, but I've always believed that you need the same version of openssl installed somewhere that you used to compile mod_ssl.

There is always the option of creating RPMs from either of the above options.

Don't remove the openssl package that comes with 7.3 though. You'll break several packages that come with 7.3 such as ssh, sendmail and nearly all the email programs.

I used to compile apache and mod_ssl, but now I prefer to wait for the packages from Red Hat.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD
Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299  Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

Theories of evolution are like buses - there'll be another one along in a minute

-----Original Message-----
From: Dan Sabo [mailto:[EMAIL PROTECTED]]
Sent: 07 October 2002 00:31
To: [EMAIL PROTECTED]
Subject: Installing mod_ssl

Hi Folks,

mod_ssl newbie here. I'm running RH Linux 7.3 and apache 1.3.23.

I have been reading the archives and Kabir's book, Red Hat Linux 7 Server, and from what I understand (correct me if I'm wrong), in order to install mod_ssl on my machine I will have to start from scratch and reinstall and compile a fresh copy of apache. Is this true? Or can I install mod_ssl on an existing apache machine that has already been configured and set up with e-commerce sites?

If I can install mod_ssl on my machine without recompiling apache, can anyone direct me to any step-by-step documentation on how to install and configure mod_ssl and secure sites/Thawte certificates on a Linux 7.x box already set up with apache?

Lastly, if it is possible to install mod_ssl on a server already configured with apache with e-commerce sites already set up, are there any security risks in installing mod_ssl on an already configured server? Is it better to install mod_ssl on an empty server?

Also I read somewhere that this mod_ssl worm is a big problem. Is that true? Should I upgrade my apache software to prevent such an attack, and if I do, will upgrading apache cause any problems with my current set-up of my sites?

Thanks much
Dan Sabo
Re: Apache-1.3.26 w/mod_proxy and mod_ssl-2.8.10 problems

Duh ... I found the answer here though:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q316431

Which basically says that I need to disable the Pragma: no-cache Apache sends by default:

    CacheNegotiatedDocs

jens:H
RE: Installing mod_ssl

> 1. Use the mod_ssl, mm and apache packages that come with the Red Hat Linux 7.3 system. These are out of date, but you can get the latest by registering with https://rhn.redhat.com. Some people don't like the fact that these are not the latest versions, merely backported to the latest fix. It doesn't bother me though. The latest openssl update from Red Hat prevents the Linux Slapper worm from infecting your systems.

I've been doing this to keep my 6.2 packages up to date. I always find it a little bit disconcerting that openssl version returns a really old rev (0.9.5a in the backported rpm that I installed last week). Anyone know why RH insist on this confusing system? Why not just rebuild them in full for 6.2 and the other supported releases?

cam - [EMAIL PROTECTED]
SSLCipherSuite ALL error

Hello, again.. I hate to be a pain here. With ./apachectl startssl I am getting:

    ../conf/httpd.conf 1234 lines, 44355 characters
    109 /apache/bin ./apachectl startssl
    Syntax error on line 1085 of /apache/conf/httpd.conf:
    Invalid command 'SSLCipherSuite', perhaps mis-spelled or defined by a module not included in the server configuration
    ./apachectl startssl: httpd could not be started

Line 1085 says:

    1085 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:+eNULL
RE: Mod.so errors.

You have to obtain the mod.so file and place it in the ../libexec directory.. it's not there.

-----Original Message-----
From: Zandi Patrick S TSgt AFRL/IFOSS [mailto:[EMAIL PROTECTED]]
Sent: 07 October 2002 15:47
To: '[EMAIL PROTECTED]'
Subject: Mod.so errors.

Hello, I cannot get mod.so to work.. And I have no idea where it should be here.. I built apache with the following options:

    EAPI_MM=/usr/local/bin \
    SSL_BASE=/usr/local/ssl \
    ./configure \
    --with-layout=Apache \
    --server-uid=zandip \
    --server-gid=other \
    --with-perl=/usr/local/bin/perl \
    --prefix=/apache \
    --enable-module=most \
    --enable-shared=max \
    --enable-module=ssl \
    --disable-rule=SSL_COMPAT \
    --enable-rule=SSL_SDBM \
    --enable-module=so \
    --enable-module=rewrite \
    --enable-module=log_referer \
    --enable-module=log_agent \
    --enable-module=expires \
    --enable-module=info \
    --enable-module=usertrack \

Now when I execute I am getting the following:

    Syntax error on line 204 of /apache/conf/httpd.conf:
    Cannot load /apache/libexec/mod.so into server: ld.so.1: /apache/bin/httpd: fatal: /apache/libexec/mod.so: open failed: No such file or directory
    ./apachectl start: httpd could not be started

Looking at line 204, it says:

    LoadModule mod_so libexec/mod.so

ls -la of libexec shows:

    httpd.exp       mod_asis.so       mod_cgi.so      mod_headers.so     mod_log_referer.so  mod_speling.so
    libproxy.so     mod_auth.so       mod_define.so   mod_imap.so        mod_mime.so         mod_status.so
    libssl.so       mod_auth_anon.so  mod_digest.so   mod_include.so     mod_mime_magic.so   mod_unique_id.so
    mod_access.so   mod_auth_dbm.so   mod_dir.so      mod_info.so        mod_negotiation.so  mod_userdir.so
    mod_actions.so  mod_autoindex.so  mod_env.so      mod_log_agent.so   mod_rewrite.so      mod_usertrack.so
    mod_alias.so    mod_cern_meta.so  mod_expires.so  mod_log_config.so  mod_setenvif.so     mod_vhost_alias.so
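Both start-up errors quoted in this thread and in the SSLCipherSuite thread above come from httpd.conf naming something the httpd binary does not have: a DSO file that is not on disk, or SSL directives with no mod_ssl loaded. The shell script below is an added example, not code from any poster or from the mod_ssl project; it lints a constructed httpd.conf for both conditions, and the file names, libexec layout and sample configs are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: lint an Apache 1.3 httpd.conf for
# the two start-up errors quoted above.
#  1. "Cannot load .../libexec/mod.so": a LoadModule whose file is absent.
#     mod_so itself is linked in by --enable-module=so; there is no mod.so.
#  2. "Invalid command 'SSLCipherSuite'": an SSL* directive that is active for
#     the defines in use (apachectl startssl passes -DSSL) while mod_ssl is
#     neither LoadModule'd nor AddModule'd.
# The config files and libexec directory below are constructed for the demo.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/libexec"
: > "$WORK/libexec/mod_rewrite.so"
: > "$WORK/libexec/libssl.so"      # the mod_ssl DSO exists but is not loaded
cat > "$WORK/broken.conf" <<'EOF'
ServerRoot "/apache"
LoadModule mod_so libexec/mod.so
LoadModule rewrite_module libexec/mod_rewrite.so
<IfDefine SSL>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:+eNULL
</IfDefine>
SSLEngine on
EOF
cat > "$WORK/fixed.conf" <<'EOF'
ServerRoot "/apache"
LoadModule rewrite_module libexec/mod_rewrite.so
LoadModule ssl_module libexec/libssl.so
AddModule mod_ssl.c
<IfDefine SSL>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:+eNULL
SSLEngine on
</IfDefine>
EOF

# missing_dsos CONF ROOT: print "name -> path" for every LoadModule whose file
# does not exist under ROOT (the directory ServerRoot points at).
missing_dsos() {
    conf=$1; root=$2
    while read -r key name path; do
        [ "$key" = LoadModule ] || continue
        if [ ! -e "$root/$path" ]; then printf '%s -> %s\n' "$name" "$path"; fi
    done < "$conf"
    return 0
}

# rejected_ssl_directives CONF [DEFINE...]: print each SSL* directive httpd
# would reject with the given -D defines. A directive is active only when every
# enclosing <IfDefine X> has X defined (negated !X blocks are not modelled).
rejected_ssl_directives() {
    conf=$1; shift; defines=" $* "; stack=""; loaded=0
    if grep -Eq '^[[:space:]]*(LoadModule[[:space:]]+ssl_module|AddModule[[:space:]]+mod_ssl\.c)' "$conf"; then
        loaded=1
    fi
    while read -r key rest; do
        case $key in
            '<IfDefine')   name=${rest%%\>*}
                           case $defines in *" $name "*) stack="${stack}1" ;; *) stack="${stack}0" ;; esac ;;
            '</IfDefine>') stack=${stack%?} ;;
            SSL*)          case $stack in *0*) ;; *) [ "$loaded" -eq 1 ] || printf '%s\n' "$key" ;; esac ;;
        esac
    done < "$conf"
    return 0
}

echo "broken.conf, missing DSOs:";            missing_dsos "$WORK/broken.conf" "$WORK"
echo "broken.conf, rejected by startssl:";    rejected_ssl_directives "$WORK/broken.conf" SSL
echo "broken.conf, rejected by plain start:"; rejected_ssl_directives "$WORK/broken.conf"
echo "fixed.conf, rejected by startssl:";     rejected_ssl_directives "$WORK/fixed.conf" SSL
```

Running it against the real files (ServerRoot from httpd.conf as ROOT) before apachectl startssl shows whether the failure is a missing DSO or an SSL directive with no module behind it.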
RE: SSL Not Working from Outside LAN

John, I think that was it. I had cleared the ipchains list, stopped and restarted it. Even though it said accept all for input, output and forward, it was still stopping it. So I stopped ipchains from running at start-up for all levels, restarted the Linux box and it now works!

Thanks for the help
--
Jeff Umstead
IS Director
Merrill Tool Holding Company
Saginaw MI USA

On 7 Oct 2002 [EMAIL PROTECTED] wrote:

> Have you also run ipchains -L to see what you get? You may well have set up a firewall that prevents packets coming in. If you get this:
>
>     ipchains: Incompatible with this kernel
>
> then you don't have a firewall on the server. If you get anything else, it could be stopping packets coming in.
>
> --
> John Airey, BSc (Jt Hons), CNA, RHCE
> Internet systems support officer, ITCSD
> Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU
> Tel.: +44 (0) 1733 375299  Fax: +44 (0) 1733 370848
> [EMAIL PROTECTED]
>
> Theories of evolution are like buses - there'll be another one along in a minute
RE: SSLCipherSuite ALL error

It looks like the default CA certificate that comes with openssl has expired... The solution to this is to generate your own CA and then generate and sign your server certificate using this own CA. If you have perl on your machine, try this URL (although it's meant for FreeBSD, it works just as well on Linux):

http://www.freebsddiary.org/openssl-client-authentication.php

Just follow the part until he generates the server certificate and insert this and the CA in httpd.conf. The second part, he's actually admitted to me, is not the client certificate he was mentioning, but rather the server certificate.

Regards
Jose

-----Original Message-----
From: Zandi Patrick S TSgt AFRL/IFOSS [mailto:[EMAIL PROTECTED]]
Sent: 07 October 2002 17:01
To: '[EMAIL PROTECTED]'
Subject: RE: SSLCipherSuite ALL error

OK, I think I narrowed this part down.. I am getting this on make certificate...

    Verify: matching certificate signature
    ../conf/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil [EMAIL PROTECTED]
    error 10 at 1 depth lookup:certificate has expired

Anyone?
RE: SSL Not Working from Outside LAN

Great. chkconfig ipchains off should stop it running in all runlevels.

John

-----Original Message-----
From: Jeff Umstead [mailto:[EMAIL PROTECTED]]
Sent: 07 October 2002 16:01
To: [EMAIL PROTECTED]
Subject: RE: SSL Not Working from Outside LAN

John, I think that was it. I had cleared the ipchains list, stopped and restarted it. Even though it said accept all for input, output and forward, it was still stopping it. So I stopped ipchains from running at start-up for all levels, restarted the Linux box and it now works!

Thanks for the help
--
Jeff Umstead
IS Director
Merrill Tool Holding Company
Saginaw MI USA