RE: What is a good way to determine this
Hi Mark,

I use SSLFakeBasicAuth in my httpd.conf. I assumed it was encrypted because I'm stating to use SSL but fake basic Auth. Maybe I am not understanding SSLFakeBasicAuth? Let me know what other people say, I would appreciate that.

Thanks
Ron

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Barton
Sent: Wednesday, November 27, 2002 2:32 PM
To: [EMAIL PROTECTED]
Subject: What is a good way to determine this

I have what I think is probably an easy question to answer, but I have done some searching and have not found anything obvious. The gist of the question is: I have mod_ssl running and have my entire site covered with it (there is nothing listening on port 80). I also have .htaccess files forcing people to log into the site. Is the username and password transaction from the .htaccess prompt encrypted, being as it is the first thing the user logging on is prompted to perform? My gut feeling is, of course. I have SSL options protecting the directory and the .htaccess file (I will include those at the end). But the reason why I am doubting myself is the logs show me something sketchy. I have a Custom log that shows the username and SSL environment variables of the user logging in:

...
LogFormat "%t \t%u \t--> %{SSL_CIPHER}e %{SSL_CIPHER_USEKEYSIZE}e %{SSL_PROTOCOL}e <-- \t%r" sslformat
CustomLog logs/ssl/mbsindassl.log sslformat
...

But here is the log file entry that I am worried about:

...
[27/Nov/2002:16:46:29 -0500]  -        --> - - - <--  GET /index.html HTTP/1.1
[27/Nov/2002:16:46:34 -0500]  mbarton  --> RC4-MD5 128 SSLv3 <--  GET /index.html HTTP/1.1
...

The log file shows first the request with no username (which makes sense because they haven't logged on yet) but the SSL environment variables are all NULL too. So is this just a problem with the way environment variables are reported to the log? Because it looks like there is not an SSL connection before the user logs in!

I have verified that SSL is up and running and working correctly for the site with s_client.

The software I am using is:
Windows 2000
Apache 1.3.27
Mod_SSL 2.8.12
OpenSSL 0.9.6g

Here is the top-level .htaccess file:

AuthName "Dude, you had better be authorized"
AuthType Basic
AuthUserFile "C:/MBserver/Apache/bin/.htpasswd"
SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
require user mbarton

Here is the relevant SSL portion of the httpd.conf file:

---
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLMutex sem
SSLSessionCache dbm:logs/ssl/scache
SSLSessionCacheTimeout 400
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog logs/ssl/engine.log
SSLLogLevel warn
DocumentRoot "C:/MBserver/Apache/secure"
ErrorLog logs/ssl/error.log
LogLevel debug
TransferLog logs/ssl/access.log
LogLevel debug
AccessFileName .htaccess
LogFormat "%>s \t%u \t%r \t%t \t%f \t%h \t%a \t%A \t%c \t%b \t%e \t%p \t%s" docscommon
LogFormat "%t \t%u \t%{Referer}i -> %U" docsreferer
LogFormat "%t \t%u \t%{User-agent}i" docsagent
LogFormat "%t \t%u \t%r" docssmall
LogFormat "%t \t%u \t--> %{SSL_CIPHER}e %{SSL_CIPHER_USEKEYSIZE}e %{SSL_PROTOCOL}e <-- \t%r" sslformat
CustomLog logs/ssl/mbsinda.log docscommon
CustomLog logs/ssl/mbsindareferer.log docsreferer
CustomLog logs/ssl/mbsindaagent.log docsagent
CustomLog logs/ssl/mbsindasmall.log docssmall
CustomLog logs/ssl/mbsindassl.log sslformat
ScriptAlias /cgi-bin/ "C:/MBserver/Apache/secure/cgi-bin/"
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
SSLOptions +StdEnvVars +ExportCertData
SSLProtocol -all +SSLv3
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+SSLv3:-EXP:-LOW:-SSLv2
SSLCertificateFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaSSL.crt"
SSLCertificateKeyFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaSSL.key"
SSLCACertificateFile "C:/MBserver/Apache/conf/ssl-AA/MBsindaCA.crt"
SSLCACertificatePath "C:/MBserver/Apache/conf/ssl-AA"
SSLOptions +CompatEnvVars +StdEnvVars
SSLEngine on
---

I appreciate you guys taking a look at this,

Thanks,
Mark Barton

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
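As an added example that is not part of the list posts: a small Python audit of lines in Mark's sslformat layout, flagging entries where a username is logged while the SSL variables are still "-", and entries whose key size is below the 128-bit floor the .htaccess SSLRequire enforces. The sample lines are constructed to match the LogFormat above (the third, 40-bit EXP-RC4-MD5 line is invented, not from the post); a "-" triple only says mod_ssl had not exported the variables when the line was written, so the classifier reports it for review rather than as proof of a cleartext request.

```python
import re

# Field layout of the "sslformat" LogFormat from the post:
#   %t \t%u \t--> %{SSL_CIPHER}e %{SSL_CIPHER_USEKEYSIZE}e %{SSL_PROTOCOL}e <-- \t%r
# mod_log_config writes "-" for an empty %u and for an unset environment variable.
SSLFORMAT_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\]\s+(?P<user>\S+)\s+--> "
    r"(?P<cipher>\S+) (?P<bits>\S+) (?P<proto>\S+) <--\s+(?P<request>.+)$"
)

def parse_sslformat(line: str):
    """Fields of one sslformat line as a dict, or None if the line does not match."""
    m = SSLFORMAT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["bits"] = int(entry["bits"]) if entry["bits"].isdigit() else None
    return entry

def classify(entry: dict, min_bits: int = 128) -> str:
    """Label one parsed entry; min_bits mirrors the SSLRequire floor in .htaccess."""
    if entry["cipher"] == "-" and entry["proto"] == "-":
        # No SSL variables at all. A username on such a line is the case worth
        # chasing: credentials were accepted on a request with no recorded cipher.
        return "cred-no-ssl-vars" if entry["user"] != "-" else "no-ssl-vars"
    if entry["bits"] is None or entry["bits"] < min_bits:
        return "weak-keysize"
    return "ok"

def audit(lines, min_bits: int = 128) -> list:
    """Return (user, request, label) for every line that parses; skip the rest."""
    findings = []
    for line in lines:
        entry = parse_sslformat(line)
        if entry is not None:
            findings.append((entry["user"], entry["request"], classify(entry, min_bits)))
    return findings

# Constructed sample: the two entries quoted in the post, plus one invented
# 40-bit export-cipher line to exercise the key-size check.
SAMPLE_LOG = [
    "[27/Nov/2002:16:46:29 -0500] \t- \t--> - - - <-- \tGET /index.html HTTP/1.1",
    "[27/Nov/2002:16:46:34 -0500] \tmbarton \t--> RC4-MD5 128 SSLv3 <-- \tGET /index.html HTTP/1.1",
    "[27/Nov/2002:16:47:01 -0500] \tmbarton \t--> EXP-RC4-MD5 40 SSLv3 <-- \tGET /secret.html HTTP/1.1",
]

if __name__ == "__main__":
    for user, request, label in audit(SAMPLE_LOG):
        print(f"{label:17} {user:8} {request}")
```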
Re: Problems with creating own CA
On Thursday 28 November 2002 05:53 pm, Sasa STUPAR wrote:
> I have here made a printscr and saved it in a word doc. Please look at
> it, maybe it will give some clue.

In fact! It seems that you lack the openssl.conf pathname in your env vars.
Check your env and search for something related to this.

byez!
-- 
Maurizio Marini GSM +39-335-8259739
Altamura: +39-080-3105228 Fax +39-080-3105228
Pesaro: +39-0721-54277 Fax +39-0721-415055
Re: Problems with creating own CA
One thing, if I try to use the command "openssl req -new -x509 -days 365 -key ca.key -out ca.crt" directly, I get back an error like before, with also that it cannot load config info. Any idea?

Maurizio Marini wrote:
> On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
> > They are already uncommented. Here is attached my config file.
>
> I've:
> commonName = Common Name (eg, your name or your server\'s hostname)
> commonName_max = 64
> commonName_default = iris.dev.datalogica.com
>
> it seems u lack this:
> commonName_default = your_fqdn
>
> -- 
> Maurizio Marini GSM +39-335-8259739
> Altamura: +39-080-3105228 Fax +39-080-3105228
> Pesaro: +39-0721-54277 Fax +39-0721-415055
Re: Problems with creating own CA
Well, I have added what you've told me but still the same problem.

Maurizio Marini wrote:
> On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
> > They are already uncommented. Here is attached my config file.
>
> I've:
> commonName = Common Name (eg, your name or your server\'s hostname)
> commonName_max = 64
> commonName_default = iris.dev.datalogica.com
>
> it seems u lack this:
> commonName_default = your_fqdn
>
> -- 
> Maurizio Marini GSM +39-335-8259739
> Altamura: +39-080-3105228 Fax +39-080-3105228
> Pesaro: +39-0721-54277 Fax +39-0721-415055
Re: Problems with creating own CA
On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
> They are already uncommented. Here is attached my config file.

I've:
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
commonName_default = iris.dev.datalogica.com

it seems u lack this:
commonName_default = your_fqdn

-- 
Maurizio Marini GSM +39-335-8259739
Altamura: +39-080-3105228 Fax +39-080-3105228
Pesaro: +39-0721-54277 Fax +39-0721-415055
Re: Problems with creating own CA
They are already uncommented. Here is attached my config file.

Maurizio Marini wrote:
> On Thursday 28 November 2002 03:45 pm, Sasa STUPAR wrote:
> > "unable to find a 'distinguished_name' in config".
>
> in your openssl.cnf you should uncomment lines regarding distinguished_name;
> otherwise re-post with it attached
>
> -- 
> Maurizio Marini


#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#

# This definition stops the following lines choking if HOME isn't
# defined.
HOME            = .
RANDFILE        = $ENV::HOME/.rnd

# Extra OBJECT IDENTIFIER info:
#oid_file       = $ENV::HOME/.oid
oid_section     = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions    =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

[ ca ]
default_ca      = CA_default            # The default ca section

[ CA_default ]

dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file

x509_extensions = usr_cert              # The extentions to add to the cert

# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

# Extension copying option: use with caution.
# copy_extensions = copy

# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crl_extensions        = crl_ext

default_days    = 365                   # how long to certify for
default_crl_days= 30                    # how long before next CRL
default_md      = md5                   # which md to use.
preserve        = no                    # keep passed DN ordering

# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_match

# For the CA policy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8
Re: Problems with creating own CA
On Thursday 28 November 2002 03:45 pm, Sasa STUPAR wrote:
> "unable to find a 'distinguished_name' in config".

in your openssl.cnf you should uncomment lines regarding distinguished_name;
otherwise re-post with it attached

-- 
Maurizio Marini
Problems with creating own CA
Hi!

I am trying to create my own CA. The creation of a key file is fine. When I try to create a CSR file I get back an error "unable to find a 'distinguished_name' in config". I am running on WinXP with openssl 0.9.6g. I wanted to make a server certificate for my Apache.

Please help me!

Sasa
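As an added example (not from the thread): a small Python checker for the two failure modes this thread turns on, the config file not being located at all (no -config option and no OPENSSL_CONF variable, so 'openssl req' falls back to a compiled-in path) and a [ req ] section without a usable distinguished_name. The OPENSSL_CONF lookup is OpenSSL's documented behaviour; the parser is a minimal one written here for the file layout shown above, and the sample config is constructed to mirror the attached file.

```python
import os
import re

def parse_openssl_cnf(text):
    """Minimal openssl.cnf parser: '[ name ]' headers, 'key = value', '#' comments;
    keys before the first header land in 'default', as OpenSSL does."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def resolve_config_path(config_opt=None, env=None):
    """Order 'openssl req' uses: -config, then OPENSSL_CONF, then a compiled-in
    default (unknown here, so None: the 'no config found' case from the thread)."""
    env = os.environ if env is None else env
    return config_opt or env.get("OPENSSL_CONF")

def check_req_dn(sections):
    """Problems that make 'openssl req' report it cannot find a distinguished_name."""
    req = sections.get("req")
    if req is None:
        return ["no [ req ] section"]
    dn = req.get("distinguished_name")
    if not dn:
        return ["[ req ] has no distinguished_name entry"]
    if dn not in sections:
        return [f"distinguished_name points at missing section [ {dn} ]"]
    if not sections[dn]:
        return [f"section [ {dn} ] is empty"]
    return []

# Constructed sample modelled on the attached config: [ req ] does reference
# req_distinguished_name, so the file passes and the config path is the suspect.
SAMPLE_CNF = """[ req ]
distinguished_name = req_distinguished_name   # the DN prompt section

[ req_distinguished_name ]
commonName = Common Name (eg, your name or your server's hostname)
commonName_max = 64
"""
```

Run with `resolve_config_path()` on the box in question: a None result means 'openssl req' is not being pointed at any config file, whatever the file itself contains.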
Problems
Dear Sir,

I am trying to run Apache 2.0.43 with openssl-0.9.6g. I think I have it well configured, but when trying to establish a secure connection I get this error:

error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Would you be so grateful as to tell me what I can do to resolve my problem? Thank you in advance.

Yours sincerely,
Irune Garay

Irune Garay Urrutia
Technical Support
Marketing and Sales
owasys
Parque Tecnológico, 207-B
E-48170 Zamudio, Vizcaya [Spain]
Tel: +34 946 025 356
Fax: +34 946 025 353
irune.garay@owasys.com
www.owasys.com
Advanced Wireless Devices
How to read the html content
Hi all,

I am a newbie to this list. I need to know how mod_ssl gets the content (I mean the HTML message body) which Apache sends to the client. If it is difficult to explain, at least please tell me in which part of the code it is described.

Thanking in advance,
regards
Blesson Paul