private key not found/server cert sign failed
Can anyone tell me what this error means and how to fix it? I'm running Apache 1.3.26 with mod_ssl 2.8.10 on a SuSE 8.1 box. /etc/init.d/apache start returned 7 (Program is not running.):

Starting httpd [ Mailman PHP4 SSL ]
Apache/1.3.26 mod_ssl/2.8.10 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server matrix.pelathe.org:443 (RSA)
Enter pass phrase:
Apache:mod_ssl:Error: Private key not found.
**Stopped
stty: standard input: Inappropriate ioctl for device
..failed

How do I get it to take my pass phrases? I must have skipped a file, because so far I've given the same phrase to every file that's asked for it. Did I input the wrong information in one of the .conf files, maybe? I get the feeling that this is almost stupidly simple to fix, but I just can't seem to get it right.

It may or may not have something to do with this error I received when recently self-signing my certificate:

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: /C=US/ST=KS/L=Lawrence/O=Pelathe Community Resource [EMAIL PROTECTED]
*this one    error 18 at 0 depth lookup:self signed certificate
/C=US/ST=KS/L=Lawrence/O=Pelathe Community Resource [EMAIL PROTECTED]
*and this one    error 7 at 0 depth lookup:certificate signature failure

Again, I have no clue why it failed these checks or how to fix them. Any help would be appreciated.

Thanks.
--
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
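An added example, not from the thread and not the mod_ssl `make certificate` script: a shell script that reproduces the two verify errors quoted above (error 18, a self-signed certificate that is not in the trust store, and error 7, a CA certificate with the right name but not the key that signed the server certificate) on throwaway keys, and then runs the three checks a server needs to pass at startup one at a time: the pass phrase opens the key, the key matches the certificate, and the certificate chains to the CA file. It needs the `openssl` command line tool; the names (`www.example.test`, the CA subject, the pass phrases, the temp directory layout) are assumptions of the example.

```shell
#!/bin/sh
# Added example: scratch PKI plus the key/cert/CA checks mod_ssl depends on.
# Everything here (subjects, host name, pass phrases) is made up for the demo.

# Build a scratch PKI in a temp dir: a CA, a server key encrypted with $1, a
# server cert issued by that CA, and a second CA with the SAME subject name
# but a different key (the "regenerated CA" situation). Prints the directory.
make_fixture() {
    pass=$1
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=Example Test CA" \
        -days 30 -out "$dir/ca.crt" 2>/dev/null
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -passin "pass:$pass" \
        -subj "/CN=www.example.test" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -out "$dir/server.crt" 2>/dev/null
    openssl genrsa -out "$dir/ca2.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca2.key" -subj "/CN=Example Test CA" \
        -days 30 -out "$dir/ca2.crt" 2>/dev/null
    printf '%s\n' "$dir"
}

# "openssl verify" prints "<file>: OK" on success; old releases exit 0 even on
# failure, so test the text rather than the exit status.
verify_ok() {   # verify_ok CERT [CAFILE]
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
    else
        openssl verify "$1" 2>&1 | grep -q ': OK$'
    fi
}

# The three checks, in the order they fail at startup, so the broken one is
# obvious: pass phrase opens the key, key matches cert, cert chains to CA.
check_key_cert() {  # check_key_cert KEY CERT CAFILE PASS
    key=$1 cert=$2 ca=$3 pass=$4
    if ! openssl rsa -in "$key" -passin "pass:$pass" -noout -check >/dev/null 2>&1; then
        echo "FAIL: pass phrase does not open $key" >&2; return 1
    fi
    kmod=$(openssl rsa -in "$key" -passin "pass:$pass" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
    if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
        echo "FAIL: $key does not belong to $cert (modulus differs)" >&2; return 1
    fi
    if ! verify_ok "$cert" "$ca"; then
        echo "FAIL: $cert does not chain to $ca" >&2; return 1
    fi
    echo "OK: $key / $cert / $ca"
}

demo() {
    d=$(make_fixture 'correct horse')
    echo "--- error 18: a self-signed cert that is not in any trust store"
    openssl verify "$d/ca.crt" 2>&1 | head -n 2
    echo "--- CA with the right name but the wrong key: expect error 7 (certificate"
    echo "--- signature failure); if your OpenSSL put key identifiers in the certs the"
    echo "--- issuer lookup fails earlier instead (error 20, unable to get local issuer)"
    openssl verify -CAfile "$d/ca2.crt" "$d/server.crt" 2>&1 | head -n 2
    echo "--- the healthy case"
    check_key_cert "$d/server.key" "$d/server.crt" "$d/ca.crt" 'correct horse'
    echo "--- wrong pass phrase"
    check_key_cert "$d/server.key" "$d/server.crt" "$d/ca.crt" 'wrong phrase' || true
    rm -rf "$d"
}
demo
```

Run `check_key_cert /path/to/server.key /path/to/server.crt /path/to/ca.crt 'your phrase'` against the real files: whichever of the three messages comes out tells you whether the phrase, the key/cert pairing, or the CA file is the problem.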
Re: Verifying enabled ciphers?
On Mon, Jan 27, 2003 at 10:47:27AM -0700, Steve Chadsey wrote:
> On Fri, Jan 24, 2003 at 09:30:28AM -, [EMAIL PROTECTED] wrote:
> > Try http://www.netcraft.com/sslwhats. It will give you a list of ciphers.
>
> OK. I did that, and the only one I support is "RC4 with MD5". Strange, I
> thought I would be able to support more. Actually, to amend my previous
> post, the ones I expected to see were:
>
> EDH-RSA-DES-CBC3-SHA
> EDH-DSS-DES-CBC3-SHA
> DES-CBC3-SHA
> DHE-DSS-RC4-SHA
> IDEA-CBC-SHA
> RC4-SHA
> RC4-MD5
>
> since I have SSLv2 shut off. Would the above list be further limited
> by the type (RSA / DSA) key I have? It is RSA.

Yes, it is limited by the key. Without a DSA key, you cannot use DSS ciphers. Therefore you are left with:

EDH-RSA-DES-CBC3-SHA
DES-CBC3-SHA
IDEA-CBC-SHA
RC4-SHA
RC4-MD5

> Yeah, I include only 'HIGH' and 'MEDIUM' strength ciphers, according
> to my SSLCipherSuite line.
>
> To follow up to Lutz, I tested all the ciphers with s_client against
> my server. The ones that I connected with were:
>
> DES-CBC3-SHA
> EDH-RSA-DES-CBC3-SHA
> IDEA-CBC-SHA
> RC4-MD5
> RC4-SHA

See above :-)

> The following gave me 'illegal parameter':
> DES-CBC3-MD5
> DES-CBC-MD5
> IDEA-CBC-MD5
> RC2-CBC-MD5
> RC4-64-MD5

These ciphers are SSLv2 ciphers.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
Client authentication
Hello guys,

I have been using client authentication for a while now to verify the identity of users at our web site. We run our own CA and point to the certificate file in SSLCACertificateFile in httpd.conf. Now this all seems to work fine, but I have the following errors in /var/log/httpd/error_log:

[Mon Jan 27 18:35:19 2003] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Mon Jan 27 18:35:19 2003] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Mon Jan 27 18:35:19 2003] [error] OpenSSL: error:1409E0E5:lib(20):func(158):reason(229)

It seems strange, as it seems to work. I have looked through the archives and have seen references to similar messages, but they don't seem to explain what the problem is.

I am running RedHat 7.2, mod_ssl 2.8.12-2, apache 1.3.27-1.7.2 (these are RedHat rpm versions).

I have stumbled across this error as I want to also authenticate clients whose certificates are signed by a different CA. That is another issue, as I am getting strange results with that too. I thought I had better sort this one out first.

Please can anyone shed some light on where I can find out what this error is all about.

Many thanks
Chris Covell
Re: Verifying enabled ciphers?
On Fri, Jan 24, 2003 at 09:30:28AM -, [EMAIL PROTECTED] wrote:
> Try http://www.netcraft.com/sslwhats. It will give you a list of ciphers.

OK. I did that, and the only one I support is "RC4 with MD5". Strange, I thought I would be able to support more. Actually, to amend my previous post, the ones I expected to see were:

EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-DSS-RC4-SHA
IDEA-CBC-SHA
RC4-SHA
RC4-MD5

since I have SSLv2 shut off. Would the above list be further limited by the type (RSA / DSA) key I have? It is RSA.

> To unpack the terms:
>
> "allows anonymous authentication" - That sounds like allowing anyone to

I believe they mean Anonymous Diffie-Hellman. My SSLCipherSuite line excludes those, so I think they're wrong here.

> "allows cleartext communication" - That's what you get on non-secured sites.
> If the data doesn't need to be secured, there's no issue.

I believe they are referring to the NULL-MD5 cipher. I tested that with s_client, and I can't connect ('handshake failure'), so I don't believe I'm supporting that one either.

> "supports weak encryption" - Allows older browsers that have
> "export-crippled" security to connect. On the above Netcraft site, you'll
> see "export version". The question for you is whether it is satisfactory to

Yeah, I include only 'HIGH' and 'MEDIUM' strength ciphers, according to my SSLCipherSuite line.

To follow up to Lutz, I tested all the ciphers with s_client against my server. The ones that I connected with were:

DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
IDEA-CBC-SHA
RC4-MD5
RC4-SHA

This is a shorter list than what I was expecting (at the top of this message).

The following did not connect, giving me a 'handshake failure':

ADH-DES-CBC3-SHA
ADH-DES-CBC-SHA
ADH-RC4-MD5
DES-CBC-SHA
DHE-DSS-RC4-SHA
EDH-DSS-DES-CBC3-SHA
EDH-DSS-DES-CBC-SHA
EDH-RSA-DES-CBC-SHA
EXP1024-DES-CBC-SHA
EXP1024-DHE-DSS-DES-CBC-SHA
EXP1024-DHE-DSS-RC4-SHA
EXP1024-RC2-CBC-MD5
EXP1024-RC4-MD5
EXP1024-RC4-SHA
EXP-ADH-DES-CBC-SHA
EXP-ADH-RC4-MD5
EXP-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

The following gave me 'illegal parameter':

DES-CBC3-MD5
DES-CBC-MD5
IDEA-CBC-MD5
RC2-CBC-MD5
RC4-64-MD5

Thanks,
--
Steve <[EMAIL PROTECTED]>
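An added example, not from either message in this exchange (Steve's test above and Lutz's reply earlier on the page): the rule Lutz applies by hand, written as a filter over `openssl ciphers -v` output. Each suite's `Au=` column names the certificate type needed to authenticate with it, so a server holding only an RSA key can never negotiate `Au=DSS` suites, `Au=None` suites are anonymous DH, `SSLv2` suites are unreachable once SSLv2 is off, and `Enc=None` is cleartext. The listing is a constructed sample in the `openssl ciphers -v` column layout (current OpenSSL builds no longer ship most of these suites, so it is embedded rather than generated); `probe_server` repeats the thread's s_client test against a live host and is only run if you call it. The host name and the `negotiable_with_key` / `probe_server` names are the example's own.

```shell
#!/bin/sh
# Added example: which suites in a cipher spec a server can really negotiate,
# given its key type, with SSLv2 off. Not code from the thread.

# Column layout of "openssl ciphers -v": name, protocol, Kx=, Au=, Enc=, Mac=.
# TLS 1.3 suites show Au=any and are configured separately from SSLCipherSuite,
# so they never match a key type here (by design).
negotiable_with_key() {   # usage: openssl ciphers -v SPEC | negotiable_with_key RSA|DSS|ECDSA|None
    awk -v want="Au=$1" '
        NF >= 6 && $2 != "SSLv2" && $4 == want && $5 != "Enc=None" { print $1 }
    '
}

# Constructed sample, in "openssl ciphers -v" format, of the suites named in the
# thread plus an anonymous, a NULL and two SSLv2 entries for contrast.
SAMPLE_CIPHERS_V='EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DHE-DSS-RC4-SHA         SSLv3 Kx=DH       Au=DSS  Enc=RC4(128)  Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
RC4-64-MD5              SSLv2 Kx=RSA      Au=RSA  Enc=RC4(64)   Mac=MD5'

# Empirical cross-check against a live server, the way the thread did it: one
# s_client handshake per suite. Needs network access, so it is not run below.
# -cipher governs the pre-TLS1.3 suites, which is what SSLCipherSuite controls;
# a suite your local OpenSSL does not know is reported as rejected too.
probe_server() {   # usage: probe_server host:port SUITE...
    target=$1; shift
    for c in "$@"; do
        if echo | openssl s_client -connect "$target" -cipher "$c" >/dev/null 2>&1; then
            echo "$c: accepted"
        else
            echo "$c: rejected"
        fi
    done
}

echo "Server with an RSA key, SSLv2 off:"
printf '%s\n' "$SAMPLE_CIPHERS_V" | negotiable_with_key RSA
echo "Same spec on a server with a DSA key:"
printf '%s\n' "$SAMPLE_CIPHERS_V" | negotiable_with_key DSS
# Live use, e.g.:
#   openssl ciphers -v 'HIGH:MEDIUM:!aNULL' | negotiable_with_key RSA
#   probe_server www.example.test:443 $(openssl ciphers 'HIGH:MEDIUM:!aNULL' | tr ':' ' ')
```

The RSA run reproduces Lutz's five-suite list exactly; the DSS run shows the two suites that would appear only after installing a DSA certificate alongside.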
Mandatory fields in Certificate
Hello,

I'm trying to set up a "simple" SSL server (no client nor server verification). I've noticed that if I generate the server's certificate with a Microsoft CA, I make the SSL work. If the certificate is generated with a Netscape CA, it works ok.

While comparing the two certificates, I found some fields in the MS-CA one that were not (or were different) in the Netscape CA one, and fields that were in the Netscape one and not in the MS one (NetscapeCertType was only visible in the Netscape one)...

Could you please tell me if some fields are mandatory in the server's certificate? I just want to set up a simple SSL transaction between my server and my client (without any client nor server verification)...

This would help me greatly, thanks in advance...

Frederic Viollet
entropy source logging request (patch included)
I thought it might be useful for mod_ssl to log (at debug level) the entropy source from which the PRNG will be seeded, so that proper entropy source configuration can be verified. I've attached a small patch (mod_ssl-2.8.12-1.3.27) which does this.

best regards,
--
aspa
http://www.kronodoc.fi/

*** pkg.sslmod/ssl_engine_rand.c.orig Mon Jan 27 10:07:26 2003 --- pkg.sslmod/ssl_engine_rand.cMon Jan 27 10:40:46 2003 *** *** 87,92 --- 87,98 time_t t; pid_t pid; int m; + char *ctxNames[] = { "", "startup", "connect" }; + char *rssrcNames[] = { "", "builtin", "file", "exec" + #if SSL_LIBRARY_VERSION >= 0x00905100 + , "EGD" + #endif + }; mc = myModConfig(); nReq = 0; *** *** 97,102 --- 103,111 pRandSeed = &pRandSeeds[i]; if (pRandSeed->nCtx == nCtx) { nReq += pRandSeed->nBytes; + + ssl_log(s, SSL_LOG_DEBUG, "%sRequesting %d bytes of entropy from %s:%s in +'%s' context", prefix, pRandSeed->nBytes, rssrcNames[pRandSeed->nSrc], +pRandSeed->cpPath, ctxNames[pRandSeed->nCtx]); + if (pRandSeed->nSrc == SSL_RSSRC_FILE) { /* * seed in contents of an external file
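Review bot: in the first hunk (lines 87-98) the tables ctxNames[] and rssrcNames[] are indexed straight by pRandSeed->nCtx and pRandSeed->nSrc with a dummy "" at slot 0, so the patch silently depends on the SSL_RCCTX_* and SSL_RSSRC_* enumerators being numbered 1, 2, 3 (and 4 for EGD) in exactly this order; if either enum is 0-based, or later gains a value, the lookup reads past the array. Map the enum to a string explicitly (a small switch, or arrays sized from the enum's last member) with an "unknown" fallback for anything out of range, and make the tables `static const char *const` rather than two `char *[]` rebuilt on the stack on every call.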
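Review bot: in the second hunk (lines 103-111) pRandSeed->cpPath is handed to a `%s` conversion unconditionally, but the builtin source carries no path, so for `SSLRandomSeed startup builtin` this can pass a null pointer into ssl_log; guard it, e.g. `pRandSeed->cpPath ? pRandSeed->cpPath : "-"`. As quoted here the ssl_log format string is also broken across lines with the diff marker inside the literal (`in +'%s' context`), so please check that the mailed copy still applies, or attach the patch instead of inlining it.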
RE: ScriptAlias
You have inconsistent notation and a confused mapping.

- Do not put a trailing slash on the alias or the directory.
- You should have only one ScriptAlias per CGI directory.
- You can match only one directory to each alias (you can have two aliases for one directory).

... it's like buses: Two buses can go to the same destination, but one bus can't go to two destinations :-)

PS This has nothing to do with SSL. It is just a config problem with apache.

Rgds,
Owen Boyle

> -----Original Message-----
> From: Ortiz Ruiz Otoniel Manuel [mailto:[EMAIL PROTECTED]]
> Sent: Freitag, 24. Januar 2003 19:37
> To: [EMAIL PROTECTED]
> Subject: ScriptAlias
>
> I have a problem trying to execute cgis under ssl. (It doesn't find the
> URL, a kind of problem with the scriptalias).
>
> I compiled apache2 with ssl; these are the options that I used.
> At the bottom there is a fragment of my ssl.conf.
>
> Any help will be appreciated
>
> OPTIONS:
> # CC=gcc ./configure --prefix=/web/apache2 --enable-dav --enable-info \
> > --enable-http --enable-proxy-ftp --enable-proxy-connect --enable-proxy-http \
> > --enable-proxy --enable-usertrack --enable-headers --enable-expires \
> > --enable-cern-meta --enable-mime-magic --enable-deflate --enable-case-filter-in \
> > --enable-case-filter --enable-ext-filter --enable-example --enable-mem-cache \
> > --enable-disk-cache --enable-cache --enable-charset-lite \
> > --enable-echo --enable-file-cache --enable-auth-dbm \
> > --enable-rewrite --enable-vhost-alias \
> > --enable-optional-hook-export --enable-optional-hook-import \
> > --enable-optional-fn-import --enable-optional-fn-export --enable-unique-id \
> > --enable-cgi --enable-cgid --with-mpm=worker --with-ssl=/usr/local/openssl \
> > --enable-auth-digest --enable-static-htdigest --enable-ssl
>
> SSL.CONF
>
> Alias /otoniel "/web/htdocs/labvis/gente/becarios/otoniel"
> ScriptAlias /cgi-bin/ "/web/htdocs/labvis/cgi-bin"
> ScriptAlias /cgi-bin /web/htdocs/labvis/cgi-bin
> ScriptAlias /lab-bin /web/htdocs/labvis/cgi-bin
> ScriptAlias /garp-bin/ "/web/htdocs/labvis/biodi.sdsc.edu/inicio/cgi-bin/"
>
> ScriptAlias /mailman/ /export/home/mailman/cgi-bin/
> ScriptAlias /cgi-bin/ /export/home/mailman/cgi-bin
> ScriptAlias /cgi-mail "/export/home/mailman/cgi-bin/"
>
> ## Labvis ###
> ScriptAlias /cgi-bin/ "/web/htdocs/labvis/cgi-bin/"
> ScriptAlias /cgi-bin/ "/web/htdocs/labvis/cgi-bin/modelacion"
> ScriptAlias /lab-bin/ "/web/htdocs/labvis/cgi-bin/"
> ScriptAlias /garp-bin/ "/web/htdocs/labvis/biodi.sdsc.edu/inicio/cgi-bin/"
> ScriptAlias /hjg/ "/export/home/hjg/cgi/"
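An added example, not from either message above: a checker for Owen's "one bus, two destinations" rule. It reads Apache configuration text, normalises every ScriptAlias (quotes and trailing slashes stripped from both the URL prefix and the directory, since those are the notation differences that hide the duplicates) and reports each URL prefix that is mapped to more than one distinct directory. mod_alias tries Alias/ScriptAlias directives in configuration order and uses the first match, so the later mappings of such a prefix are dead. The broken sample is a constructed copy of the ssl.conf fragment in the question; the fixed sample next to it is written the way the reply recommends, and its `/model-bin` prefix is the example's own invention.

```shell
#!/bin/sh
# Added example: find URL prefixes that several ScriptAlias lines send to
# different directories. Not code from the thread.

scriptalias_conflicts() {   # usage: scriptalias_conflicts < httpd.conf
    awk '
        $1 == "ScriptAlias" && NF >= 3 {
            url = $2; dir = $3
            # same mapping written with/without quotes or a trailing slash
            gsub(/"/, "", url); gsub(/"/, "", dir)
            sub(/\/+$/, "", url); sub(/\/+$/, "", dir)
            if (!((url, dir) in seen)) {
                seen[url, dir] = 1
                count[url]++
                dirs[url] = dirs[url] " " dir
            }
        }
        END {
            for (u in count)
                if (count[u] > 1)
                    printf "%s maps to %d directories:%s\n", u, count[u], dirs[u]
        }'
}

# Constructed sample modelled on the ssl.conf fragment in the question:
# /cgi-bin is written five times and points at three different directories.
BROKEN_CONF='Alias /otoniel "/web/htdocs/labvis/gente/becarios/otoniel"
ScriptAlias /cgi-bin/ "/web/htdocs/labvis/cgi-bin"
ScriptAlias /cgi-bin /web/htdocs/labvis/cgi-bin
ScriptAlias /lab-bin /web/htdocs/labvis/cgi-bin
ScriptAlias /garp-bin/ "/web/htdocs/labvis/biodi.sdsc.edu/inicio/cgi-bin/"
ScriptAlias /mailman/ /export/home/mailman/cgi-bin/
ScriptAlias /cgi-bin/ /export/home/mailman/cgi-bin
ScriptAlias /cgi-mail "/export/home/mailman/cgi-bin/"
ScriptAlias /cgi-bin/ "/web/htdocs/labvis/cgi-bin/"
ScriptAlias /cgi-bin/ "/web/htdocs/labvis/cgi-bin/modelacion"
ScriptAlias /lab-bin/ "/web/htdocs/labvis/cgi-bin/"
ScriptAlias /hjg/ "/export/home/hjg/cgi/"'

# The same directories the way the reply recommends: one ScriptAlias per CGI
# directory, no trailing slashes, a distinct prefix for each directory
# (/model-bin is an invented prefix for the modelacion directory).
FIXED_CONF='ScriptAlias /cgi-bin /web/htdocs/labvis/cgi-bin
ScriptAlias /model-bin /web/htdocs/labvis/cgi-bin/modelacion
ScriptAlias /garp-bin /web/htdocs/labvis/biodi.sdsc.edu/inicio/cgi-bin
ScriptAlias /mailman /export/home/mailman/cgi-bin
ScriptAlias /hjg /export/home/hjg/cgi'

echo "broken:"; printf '%s\n' "$BROKEN_CONF" | scriptalias_conflicts
echo "fixed:";  printf '%s\n' "$FIXED_CONF"  | scriptalias_conflicts
# Against a real tree: cat /web/apache2/conf/httpd.conf /web/apache2/conf/ssl.conf | scriptalias_conflicts
```

On the broken sample the only line printed is for /cgi-bin, which is exactly the prefix the poster could not get to run scripts; the fixed sample prints nothing.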