RE: What is a good way to determine this

2002-11-28 Thread Ron McKeever
Hi Mark,

I use SSLFakeBasicAuth in my httpd.conf. I assumed it was encrypted because
I'm stating to use SSL but fake basic Auth. Maybe I am not understanding
SSLFakeBasicAuth? Let me know what other people say, I would appreciate
that.

Thanks
Ron

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Mark Barton
Sent: Wednesday, November 27, 2002 2:32 PM
To: [EMAIL PROTECTED]
Subject: What is a good way to determine this


I have what I think is probably an easy question to answer, but I have done
some searching and have not found anything obvious. The gist of the
question is:

I have mod_ssl running and have my entire site covered with it (there is
nothing listening on port 80). I also have .htaccess files forcing people
to log into the site. Is the username and password transaction from the
.htaccess prompt encrypted, being as it is the first thing the user logging
on is prompted to perform?

My gut feeling is, of course. I have SSL options protecting the directory
and the .htaccess file (i will include those at the end). But the reason
why I am doubting myself is the logs show me something sketchy. I have a
Custom log that shows the username and SSL environment variables of the
user logging in:

...
LogFormat "%t \t%u \t--> %{SSL_CIPHER}e  %{SSL_CIPHER_USEKEYSIZE}e  %{SSL_PROTOCOL}e <-- \t%r"  sslformat
CustomLog logs/ssl/mbsindassl.log sslformat
...

But here is the log file entry that I am worried about:
...
[27/Nov/2002:16:46:29 -0500] -   --> -  -  - <-- GET /index.html HTTP/1.1
[27/Nov/2002:16:46:34 -0500] mbarton --> RC4-MD5  128  SSLv3 <-- GET /index.html HTTP/1.1
...

The log file shows first the request with no username (which makes sense
because they haven't logged on yet) but the SSL environment variables are
all NULL too. So is this just a problem with the way environment variables
are reported to the log? Because it looks like there is not an SSL
connection before the user logs in!

I have verified that SSL is up and running and working correctly for the
site with s_client.

The software I am using is:
Windows 2000
Apache 1.3.27
Mod_SSL 2.8.12
OpenSSL 0.9.6g


Here is the top-level .htaccess file

AuthName "Dude, you had better be authorized"
AuthType Basic
AuthUserFile "C:/MBserver/Apache/bin/.htpasswd"

SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

require user mbarton


Here is the relevant SSL Portion of the httpd.conf file

---



AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl

SSLMutex sem
SSLSessionCache dbm:logs/ssl/scache
SSLSessionCacheTimeout  400
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog  logs/ssl/engine.log
SSLLogLevel warn



DocumentRoot "C:/MBserver/Apache/secure"
ErrorLog logs/ssl/error.log
LogLevel debug
TransferLog logs/ssl/access.log
LogLevel debug
AccessFileName .htaccess

LogFormat "%>s \t%u \t%r \t%t \t%f \t%h \t%a \t%A \t%c \t%b \t%e \t%p \t%s" docscommon
LogFormat "%t \t%u \t%{Referer}i -> %U" docsreferer
LogFormat "%t \t%u \t%{User-agent}i" docsagent
LogFormat "%t \t%u \t%r" docssmall
LogFormat "%t \t%u \t--> %{SSL_CIPHER}e  %{SSL_CIPHER_USEKEYSIZE}e  %{SSL_PROTOCOL}e <-- \t%r"  sslformat

CustomLog logs/ssl/mbsinda.log docscommon
CustomLog logs/ssl/mbsindareferer.log docsreferer
CustomLog logs/ssl/mbsindaagent.log docsagent
CustomLog logs/ssl/mbsindasmall.log docssmall
CustomLog logs/ssl/mbsindassl.log sslformat

ScriptAlias /cgi-bin/ "C:/MBserver/Apache/secure/cgi-bin/"


   SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
   SSLOptions +StdEnvVars +ExportCertData


SSLProtocol -all +SSLv3
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+SSLv3:-EXP:-LOW:-SSLv2

SSLCertificateFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaSSL.crt"
SSLCertificateKeyFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaSSL.key"
SSLCACertificateFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaCA.crt"
SSLCACertificatePath "C:/MBserver/Apache/conf/ssl-AA"
SSLOptions +CompatEnvVars +StdEnvVars
SSLEngine on





I appreciate you guys taking a look at this,

Thanks,
Mark Barton

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
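An added example, not part of Mark's or Ron's messages, that walks through the log entries quoted above. Two separate things are going on. First, Basic authentication is only base64: the `decode_basic_auth` helper recovers the username and password straight from the header, so the TLS connection is the only thing protecting them. Second, mod_ssl 2.8 on Apache 1.3 exports the SSL_* variables into the request environment from its fixup hook, and Apache runs the access check (where `SSLRequireSSL` is evaluated), then authentication, then fixups. A request answered with a 401 challenge stops at the authentication phase, so fixup never runs and `%{SSL_CIPHER}e` is logged as `-` even though the connection was SSL the whole time; had the request not been SSL, the access check would have refused it with 403 before any password prompt appeared. The log lines below are constructed in the poster's `sslformat` layout with the tabs put back; the third line is hypothetical and shows the pattern that would actually deserve investigation.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the poster's "sslformat" layout, with the tabs
# that the mail archive flattened put back:
#   "%t \t%u \t--> %{SSL_CIPHER}e  %{SSL_CIPHER_USEKEYSIZE}e  %{SSL_PROTOCOL}e <-- \t%r"
# The first two reproduce the quoted entries; the third is hypothetical.
SAMPLE_LOG = (
    "[27/Nov/2002:16:46:29 -0500] \t- \t--> -  -  - <-- \tGET /index.html HTTP/1.1\n"
    "[27/Nov/2002:16:46:34 -0500] \tmbarton \t--> RC4-MD5  128  SSLv3 <-- \tGET /index.html HTTP/1.1\n"
    "[27/Nov/2002:16:47:01 -0500] \tmbarton \t--> -  -  - <-- \tGET /private/ HTTP/1.1\n"
)

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \t(?P<user>\S+) \t--> "
    r"(?P<cipher>\S+)  (?P<bits>\S+)  (?P<proto>\S+) <-- \t(?P<req>.*)$"
)


@dataclass
class Entry:
    ts: str
    user: Optional[str]      # None where Apache logged "-" (no authenticated user)
    cipher: Optional[str]    # None where %{SSL_CIPHER}e was unset at logging time
    bits: Optional[int]
    proto: Optional[str]
    request: str


def _dash(value: str) -> Optional[str]:
    return None if value == "-" else value


def parse_sslformat(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line does not match sslformat: {line!r}")
        bits = _dash(m["bits"])
        entries.append(Entry(m["ts"], _dash(m["user"]), _dash(m["cipher"]),
                             int(bits) if bits else None, _dash(m["proto"]), m["req"]))
    return entries


def classify(e: Entry) -> str:
    """Explain an empty SSL_* triple in one entry.

    mod_ssl fills SSL_* into the request environment from its fixup hook.
    Apache 1.3 runs access checks (SSLRequireSSL), then authentication,
    then fixups; a request answered with a 401 challenge stops at
    authentication, so fixup never ran and every %{SSL_*}e logs as "-".
    The connection was SSL regardless. An authenticated request with no
    SSL_* values cannot be explained that way and should be investigated.
    """
    if e.cipher is None and e.user is None:
        return "expected: pre-auth 401 challenge, fixup never ran"
    if e.cipher is None:
        return "SUSPICIOUS: authenticated request without SSL env vars"
    if e.bits is not None and e.bits < 128:
        return f"weak: {e.cipher} {e.bits}-bit"
    return f"ok: {e.cipher} {e.bits}-bit {e.proto}"


def decode_basic_auth(header_value: str) -> tuple:
    """Recover the credentials from an Authorization header. Basic auth is
    base64, not encryption; TLS is the only thing protecting them in transit."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    for entry in parse_sslformat(SAMPLE_LOG):
        print(f"{entry.ts}  {entry.user or '-':8} {entry.request:28} {classify(entry)}")
    print(decode_basic_auth("Basic bWJhcnRvbjpodW50ZXIy"))   # constructed: mbarton:hunter2
```

A cheaper confirmation from the poster's own configuration: the `%>s` field of the docscommon log should read 401 for the first entry and 200 for the second, and with nothing listening on port 80 the challenge could not have travelled over anything but the SSL listener.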


Re: Problems with creating own CA

2002-11-28 Thread Maurizio Marini
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thursday 28 November 2002 05:53 pm, Sasa STUPAR wrote:
 >I have here made a printscr and saved it in a word doc. Please look at
 >it, maybe it will give some clue.
 in fact!
it seems that you lack the openssl.conf pathname in your env vars
check your env and search for something related to this
byez!

- -- 
Maurizio Marini GSM +39-335-8259739
Altamura: +39-080-3105228   Fax +39-080-3105228
Pesaro: +39-0721-54277  Fax +39-0721-415055
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE95lSF4Q/49nIJTlwRAnh5AJ4n0nqzTCd1dBaOjpx7KewlUyNucACfbxQe
/Z2RE3roRyop6t0s4v4iXAI=
=/YNG
-END PGP SIGNATURE-



Re: Problems with creating own CA

2002-11-28 Thread Sasa STUPAR
One thing: if I try it directly with the command "openssl req -new
-x509 -days 365 -key ca.key -out ca.crt" I get back an error like before,
with also that it cannot load config info.
Any idea?

Maurizio Marini wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
>  >They are already uncommented. Here is attached my config file.
> I've:
> commonName  = Common Name (eg, your name or your server\'s 
> hostname)
> commonName_max  = 64
> commonName_default  = iris.dev.datalogica.com
> 
> it seems you lack this:
> commonName_default  = your_fqdn
> 
> - -- 
> Maurizio Marini   GSM +39-335-8259739
> Altamura: +39-080-3105228 Fax +39-080-3105228
> Pesaro:   +39-0721-54277  Fax +39-0721-415055
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iD8DBQE95kMq4Q/49nIJTlwRAi2VAJwLwvjSjLUXjj/x9L0I3PWLF6lRLQCfaTxG
> STINIYzTZ0FPIeYy3o5MKNg=
> =t8N+
> -END PGP SIGNATURE-
> 





Re: Problems with creating own CA

2002-11-28 Thread Sasa STUPAR
Well, I have added what you've told me but still the same problem.



Maurizio Marini wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
>  >They are already uncommented. Here is attached my config file.
> I've:
> commonName  = Common Name (eg, your name or your server\'s 
> hostname)
> commonName_max  = 64
> commonName_default  = iris.dev.datalogica.com
> 
> it seems you lack this:
> commonName_default  = your_fqdn
> 
> - -- 
> Maurizio Marini   GSM +39-335-8259739
> Altamura: +39-080-3105228 Fax +39-080-3105228
> Pesaro:   +39-0721-54277  Fax +39-0721-415055
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iD8DBQE95kMq4Q/49nIJTlwRAi2VAJwLwvjSjLUXjj/x9L0I3PWLF6lRLQCfaTxG
> STINIYzTZ0FPIeYy3o5MKNg=
> =t8N+
> -END PGP SIGNATURE-
> 





Re: Problems with creating own CA

2002-11-28 Thread Maurizio Marini
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
 >They are already uncommented. Here is attached my config file.
I've:
commonName  = Common Name (eg, your name or your server\'s 
hostname)
commonName_max  = 64
commonName_default  = iris.dev.datalogica.com

it seems you lack this:
commonName_default  = your_fqdn

- -- 
Maurizio Marini GSM +39-335-8259739
Altamura: +39-080-3105228   Fax +39-080-3105228
Pesaro: +39-0721-54277  Fax +39-0721-415055
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE95kMq4Q/49nIJTlwRAi2VAJwLwvjSjLUXjj/x9L0I3PWLF6lRLQCfaTxG
STINIYzTZ0FPIeYy3o5MKNg=
=t8N+
-END PGP SIGNATURE-



Re: Problems with creating own CA

2002-11-28 Thread Sasa STUPAR
They are already uncommented. Here is attached my config file.

Maurizio Marini wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> On Thursday 28 November 2002 03:45 pm, Sasa STUPAR wrote:
> "unable to find a 'distinguished_name' in config".
> 
> in your openssl.cnf  you should uncomment lines regarding distinguished_name;
> otherwise re-post with it attached
> 
> - -- 
> Maurizio Marini
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iD8DBQE95i6C4Q/49nIJTlwRArC3AJ9L+sCspWbSYGJr5QNIdoUxw+XTjACfVK6Q
> o2atqXF6nX4goCsODTV7hmo=
> =ldnj
> -END PGP SIGNATURE-
> 


#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME= .
RANDFILE= $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file   = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions= 
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6


[ ca ]
default_ca  = CA_default# The default ca section


[ CA_default ]

dir = ./demoCA  # Where everything is kept
certs   = $dir/certs# Where the issued certs are kept
crl_dir = $dir/crl  # Where the issued crl are kept
database= $dir/index.txt# database index file.
new_certs_dir   = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem   # The CA certificate
serial  = $dir/serial   # The current serial number
crl = $dir/crl.pem  # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE= $dir/private/.rand# private random number file

x509_extensions = usr_cert  # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt= ca_default# Subject Name options
cert_opt= ca_default# Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions= crl_ext

default_days= 365   # how long to certify for
default_crl_days= 30# how long before next CRL
default_md  = md5   # which md to use.
preserve= no# keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy  = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName= match
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName= optional
organizationName= optional
organizationalUnitName  = optional
commonName  = supplied
emailAddress= optional


[ req ]
default_bits= 1024
default_keyfile = privkey.pem
distinguished_name  = req_distinguished_name
attributes  = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options. 
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8

Re: Problems with creating own CA

2002-11-28 Thread Maurizio Marini
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thursday 28 November 2002 03:45 pm, Sasa STUPAR wrote:
"unable to find a 'distinguished_name' in config".

in your openssl.cnf  you should uncomment lines regarding distinguished_name;
otherwise re-post with it attached

- -- 
Maurizio Marini
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE95i6C4Q/49nIJTlwRArC3AJ9L+sCspWbSYGJr5QNIdoUxw+XTjACfVK6Q
o2atqXF6nX4goCsODTV7hmo=
=ldnj
-END PGP SIGNATURE-



Problems with creating own CA

2002-11-28 Thread Sasa STUPAR
Hi !

I am trying to create my own CA. The creation of a key file is fine.
When I try to create a CSR file I get back an error "unable to find a
'distinguished_name' in config".
I am running on WinXP with openssl 0.9.6g. I wanted to make a server
certificate for my Apache.

Please help me !

Sasa

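An added example, not code from any of the posters, covering both Maurizio's diagnosis in this thread (the openssl.cnf path is missing from the environment) and Sasa's self-signed CA command. `openssl req` needs a `distinguished_name` key in its `[req]` section, and the error reads the same whether that key is commented out or the config file was never found at all, which is why the attached file can look correct and still fail. The parser below handles the sections and `key = value` lines of an openssl.cnf (no `$var` substitution), `check_req_config` reproduces the lookup `openssl req` performs, `resolve_config` mirrors the order in which the tool chooses its config file (`-config`, then the `OPENSSL_CONF` environment variable, then the compiled-in default), and `fixed_command` adds an explicit `-config` option so the command no longer depends on the environment. Both config texts are constructed for the example, and the compiled-in default path is a placeholder, not the real OPENSSLDIR of any build.

```python
import re
from typing import Dict, List, Mapping, Optional, Tuple

Config = Dict[str, Dict[str, str]]

SECTION_RE = re.compile(r"^\s*\[\s*([^\]\s]+)\s*\]\s*$")

# Constructed minimal config that satisfies 'openssl req' (not the poster's full file).
GOOD_CNF = """
[ req ]
default_bits        = 2048
distinguished_name  = req_distinguished_name
x509_extensions     = v3_ca

[ req_distinguished_name ]
commonName          = Common Name (eg, your server's hostname)
commonName_max      = 64

[ v3_ca ]
basicConstraints    = CA:true
"""

# Constructed copy of the same file with the key named in the error commented out.
BROKEN_CNF = GOOD_CNF.replace("distinguished_name  =", "# distinguished_name  =")


def parse_openssl_cnf(text: str) -> Config:
    """Sections and key = value pairs of an openssl.cnf; '#' starts a comment.
    Values are kept verbatim ($ENV::HOME and friends are not expanded)."""
    cfg: Config = {"default": {}}
    section = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            cfg.setdefault(section, {})
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[section][key] = value
    return cfg


def check_req_config(cfg: Config) -> List[str]:
    """What 'openssl req' needs before it can prompt for a subject. An empty
    config (file never loaded) and a commented-out key fail the same way."""
    problems: List[str] = []
    req = cfg.get("req", {})
    dn_section = req.get("distinguished_name")
    if dn_section is None:
        problems.append("[req] has no 'distinguished_name' key")
        return problems
    dn = cfg.get(dn_section)
    if dn is None:
        problems.append(f"[req] distinguished_name points at missing section [{dn_section}]")
        return problems
    if "commonName" not in dn:
        problems.append(f"[{dn_section}] defines no commonName prompt")
    return problems


def resolve_config(cli_config: Optional[str], env: Mapping[str, str],
                   compiled_default: str = "<OPENSSLDIR>/openssl.cnf") -> Tuple[str, str]:
    """Order in which openssl(1) picks its config file. With neither -config
    nor OPENSSL_CONF set, it falls back to a compiled-in path, which on the
    thread's Windows machine evidently did not exist."""
    if cli_config:
        return "-config", cli_config
    if env.get("OPENSSL_CONF"):
        return "OPENSSL_CONF", env["OPENSSL_CONF"]
    return "compiled-in default", compiled_default


def fixed_command(config_path: str, key: str = "ca.key", out: str = "ca.crt",
                  days: int = 365) -> List[str]:
    """The poster's self-signed CA command with the config made explicit."""
    return ["openssl", "req", "-new", "-x509", "-days", str(days),
            "-key", key, "-out", out, "-config", config_path]


if __name__ == "__main__":
    import os
    for name, text in (("good", GOOD_CNF), ("broken", BROKEN_CNF)):
        print(name, check_req_config(parse_openssl_cnf(text)) or "ok")
    print(resolve_config(None, os.environ))
    print(" ".join(fixed_command("openssl.cnf")))
```

On the Windows box in the thread, the quickest test is to run the same `openssl req` line once with `-config <path to openssl.cnf>` appended: if the prompts appear, the file was fine all along and only its location was the problem.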



Problems

2002-11-28 Thread Irune Garay Urrutia
Dear Sir,

I am trying to run Apache 2.0.43 with openssl-0.9.6g. I think I have it
well configured, but when trying to establish a secure connection I get
this error:

    error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Would you be so kind as to tell me what I can do to resolve my problem?

Thank you in advance.
Yours sincerely,

    Irune Garay

Irune Garay Urrutia
Technical Support
Marketing and Sales
owasys
Parque Tecnológico, 207-B
E-48170 Zamudio, Vizcaya [Spain]
Tel: +34 946 025 356
Fax: +34 946 025 353
irune.garay@owasys.com
www.owasys.com
Advanced Wireless Devices

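An added example, not from the poster, for the `SSL23_GET_SERVER_HELLO:unknown protocol` error above. OpenSSL raises it when the bytes that come back after its ClientHello are not an SSL/SSLv2/TLS record at all, which in practice almost always means the port being connected to is answering in plain HTTP (for Apache, a virtual host without `SSLEngine on`, or an https:// URL pointed at the port 80 listener). `classify_handshake_reply` shows that decision on constructed byte strings; `probe` is the network check to run against the server: send a plaintext request to the port and see whether mod_ssl answers with its 400 "speaking plain HTTP to an SSL-enabled server port" page (SSL is on there) or with an ordinary HTTP response (it is not). The marker text is the wording of Apache 2.x's mod_ssl and is assumed to apply to 2.0.43.

```python
import socket

TLS_HANDSHAKE = 0x16
TLS_ALERT = 0x15
SSLV2_SERVER_HELLO = 0x04

# mod_ssl's reply to a plaintext request on an SSL port (Apache 2.x wording; assumed for 2.0.43).
MODSSL_PLAIN_HTTP_MARKER = b"plain HTTP to an SSL-enabled server port"


def classify_handshake_reply(first_bytes: bytes) -> str:
    """What came back after our ClientHello? OpenSSL's SSL23 code has to answer
    this before it can continue; anything that is not an SSL/TLS record (for
    example an HTTP status line) is surfaced as 'unknown protocol'."""
    if len(first_bytes) < 5:
        return "short-read"          # EOF or a close before any record arrived
    if first_bytes[0] in (TLS_HANDSHAKE, TLS_ALERT) and first_bytes[1] == 0x03:
        return "ssl3/tls-record"     # record header: type, version 0x03xx, length
    if first_bytes[0] & 0x80 and first_bytes[2] == SSLV2_SERVER_HELLO:
        return "sslv2-server-hello"  # 2-byte length with high bit set, then msg type 4
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"      # the server is not speaking SSL on this port
    return "unknown"


def classify_plaintext_reply(reply: bytes) -> str:
    """Interpret the answer to a *plaintext* GET sent to the suspect port."""
    if MODSSL_PLAIN_HTTP_MARKER in reply:
        return "ssl-enabled-port"    # mod_ssl rejected plaintext: SSLEngine is on here
    if reply.startswith(b"HTTP/"):
        return "plain-http-port"     # a normal HTTP answer: no SSL on this port
    if not reply:
        return "closed"              # some SSL stacks just drop non-SSL input
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Live check (needs network): send a plaintext request to host:port and
    classify the reply. Not exercised by the offline checks."""
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode("idna") + b"\r\n\r\n"
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            while sum(len(c) for c in chunks) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return classify_plaintext_reply(b"".join(chunks))


# Constructed sample replies for the offline checks.
SAMPLE_TLS_SERVER_HELLO = bytes([0x16, 0x03, 0x00, 0x00, 0x4A, 0x02]) + b"\x00" * 10
SAMPLE_HTTP_STATUS_LINE = b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.43\r\n\r\n<html>"
SAMPLE_MODSSL_400 = (b"HTTP/1.1 400 Bad Request\r\n\r\n<html>You're speaking "
                     b"plain HTTP to an SSL-enabled server port.</html>")


if __name__ == "__main__":
    for sample in (SAMPLE_TLS_SERVER_HELLO, SAMPLE_HTTP_STATUS_LINE):
        print(sample[:12], classify_handshake_reply(sample))
    print(classify_plaintext_reply(SAMPLE_MODSSL_400))
    # print(probe("www.example.org", 443))   # live check, uncomment on a networked host
```

If `probe` reports `plain-http-port` for the port the browser is using, the fix is on the Apache side (the listener or virtual host is not SSL-enabled), not in OpenSSL.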
How to read the html content

2002-11-28 Thread Blesson Paul
Hi all
I am a newbie to this list. I need to know how mod_ssl gets the
content (I mean the HTML message body) which Apache sends to the client.
If it is difficult to explain, at least please tell me in which part of
the code it is described.

Thanking in advance
regards
Blesson Paul
