private key not found/server cert sign failed
Can anyone tell me what this error means and how to fix it? I'm running apache 1.3.26 with mod_ssl 2.8.10 on a SuSE8.1 box. /etc/init.d/apache start returned 7 (Program is not running.) Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass Phrase Dialog) Some of your private key files are encrypted for security reasons. In order to read them you have to provide us with the pass phrases. Server matrix.pelathe.org:443 (RSA) Enter pass phrase: Apache:mod_ssl:Error: Private key not found. **Stopped stty: standard input: Inappropriate ioctl for device ..failed How do I get it to take my pass phrases? I must have skipped a file because insofar I've given the same phrase to every file that's asked for it. Did I input the wrong information in one of the .conf files maybe? I get the feeling that this is almost supidly simple to fix, but I just can't seem to get it right. It may or may not have something to do with this error I received when recently self-signing my certificate: 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated CA verifying: server.crt <-> CA cert server.crt: /C=US/ST=KS/L=Lawrence/O=Pelathe Community Resource [EMAIL PROTECTED] *this one error 18 at 0 depth lookup:self signed certificate /C=US/ST=KS/L=Lawrence/O=Pelathe Community Resource [EMAIL PROTECTED] *and this one error 7 at 0 depth lookup:certificate signature failure Again, I have no clue why it failed these checks or how to fix them. Any help would be appreciated. Thanks. -- A. Putnam Assistant IT Administrator Pelathe Community Resource Center __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Verifying enabled ciphers?
On Mon, Jan 27, 2003 at 10:47:27AM -0700, Steve Chadsey wrote: > On Fri, Jan 24, 2003 at 09:30:28AM -, [EMAIL PROTECTED] wrote: > > Try http://www.netcraft.com/sslwhats. It will give you a list of ciphers. > > > > OK. I did that, and the only one I support is "RC4 with MD5". Strange, I > thought I would be able to support more. Actually, to amend my previous > post, the ones I expected to see were: > > EDH-RSA-DES-CBC3-SHA > EDH-DSS-DES-CBC3-SHA > DES-CBC3-SHA > DHE-DSS-RC4-SHA > IDEA-CBC-SHA > RC4-SHA > RC4-MD5 > > since I have SSLv2 shut off. Would the above list be further limited > by the type (RSA / DSA) key I have? It is RSA. Yes, it is limited by the key. Without a DSA key, you cannot use DSS ciphers. Therefore being left: EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA IDEA-CBC-SHA RC4-SHA RC4-MD5 > Yeah, I include only 'HIGH' and 'MEDIUM' strength ciphers, according > to my SSLCipherSuite line. > > To follow up to Lutz, I tested all the ciphers with s_client against > my server. The ones that I connected with were: > > DES-CBC3-SHA > EDH-RSA-DES-CBC3-SHA > IDEA-CBC-SHA > RC4-MD5 > RC4-SHA See above :-) > The following gave me 'illegal parameter': > DES-CBC3-MD5 > DES-CBC-MD5 > IDEA-CBC-MD5 > RC2-CBC-MD5 > RC4-64-MD5 These ciphers are SSLv2 ciphers. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Client authnetication
Hello guys, I have been using client authentication for a while now to verify the identity of users at our web site. We run our own CA and point to the certificate file in SSLCACertificateFile in httpd.conf. Now this all seems to work fine, but have the following errors in /var/log/httpd/error_log [Mon Jan 27 18:35:19 2003] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!? [Mon Jan 27 18:35:19 2003] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows) [Mon Jan 27 18:35:19 2003] [error] OpenSSL: error:1409E0E5:lib(20):func(158):reason(229) It seems strange as it seems to work. I have looked through the archives and have seen reference to similar messages but they don't seem to explain what the problem is. I am running RedHat 7.2, mod_ssl 2.8.12-2, apache 1.3.27-1.7.2 (these are RedHat rpm versions). I have stmbled accross this error as I want to also authenticate clients whose certificates are signed by a different CA. That is another issue as I am getting strange results with that too. I thought I had better sort this one out first. Please can anyone shead some light on where I can find out what this error is all about. Many thanks Chris Covell __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Verifying enabled ciphers?
On Fri, Jan 24, 2003 at 09:30:28AM -, [EMAIL PROTECTED] wrote:
> Try http://www.netcraft.com/sslwhats. It will give you a list of ciphers.
>
OK. I did that, and the only one I support is "RC4 with MD5". Strange, I
thought I would be able to support more. Actually, to amend my previous
post, the ones I expected to see were:
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-DSS-RC4-SHA
IDEA-CBC-SHA
RC4-SHA
RC4-MD5
since I have SSLv2 shut off. Would the above list be further limited
by the type (RSA / DSA) key I have? It is RSA.
> To unpack the terms:
>
> "allows anonymous authentication" - That sounds like allowing anyone to
I believe they mean Anonymous Diffie-Helman. My SSLCipherSuite line
excludes those, so I think they're wrong here.
> "allows cleartext communication" - That's what you get on non-secured sites.
> If the data doesn't need to be secured, there's no issue.
I believe they are referring to the NULL-MD5 cipher. I tested that
with s_client, and I can't connect ('handshake failure'), so I don't
believe I'm supporting that one either.
>
> "supports weak encryption" - Allows older browsers that have
> "export-crippled" security to connect. On the above Netcraft site, you'll
> see "export version". The question for you is whether it is satisfactory to
Yeah, I include only 'HIGH' and 'MEDIUM' strength ciphers, according
to my SSLCipherSuite line.
To follow up to Lutz, I tested all the ciphers with s_client against
my server. The ones that I connected with were:
DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
IDEA-CBC-SHA
RC4-MD5
RC4-SHA
This is a shorter list than what I was expecting (at the top of
this message).
The following did not connect, giving me a 'handshake failure':
ADH-DES-CBC3-SHA
ADH-DES-CBC-SHA
ADH-RC4-MD5
DES-CBC-SHA
DHE-DSS-RC4-SHA
EDH-DSS-DES-CBC3-SHA
EDH-DSS-DES-CBC-SHA
EDH-RSA-DES-CBC-SHA
EXP1024-DES-CBC-SHA
EXP1024-DHE-DSS-DES-CBC-SHA
EXP1024-DHE-DSS-RC4-SHA
EXP1024-RC2-CBC-MD5
EXP1024-RC4-MD5
EXP1024-RC4-SHA
EXP-ADH-DES-CBC-SHA
EXP-ADH-RC4-MD5
EXP-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
The following gave me 'illegal parameter':
DES-CBC3-MD5
DES-CBC-MD5
IDEA-CBC-MD5
RC2-CBC-MD5
RC4-64-MD5
Thanks,
--
Steve <[EMAIL PROTECTED]>
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
Mandatory fields in Certificate
Hello, I'm trying to set up a "simple" SSL server (no client nor server verification) I've noticed that, if a generate the server's certificate with a Microsoft CA, I make the SSL work. If the certificate is generated with a Netscape CA, it works ok. While comparing the two certificates, I found some fields in the MS-CA that were not (or different) in the Netscape CA, and fields that were in the Netscape one and not in the MS one (NetscapeCertType was only visible in the Netscape one)... Could you please tell me if some fields are mandatory in the server's certificate? I just want to set up a simple SSL transaction between my server and my client (without any client nor server verification)... This would help me greatly, thanks in advance... Frederic Viollet
entropy source logging request (patch included)
i thought it might be usefull for mod_ssl to log (at debug level) the
entropy source from which the PRNG will be seeded from so that proper
entropy source configuration can be verified. i've attached a small patch
(mod_ssl-2.8.12-1.3.27) which does this.
best regards,
--
aspahttp://www.kronodoc.fi/
*** pkg.sslmod/ssl_engine_rand.c.orig Mon Jan 27 10:07:26 2003
--- pkg.sslmod/ssl_engine_rand.cMon Jan 27 10:40:46 2003
***
*** 87,92
--- 87,98
time_t t;
pid_t pid;
int m;
+ char *ctxNames[] = { "", "startup", "connect" };
+ char *rssrcNames[] = { "", "builtin", "file", "exec"
+ #if SSL_LIBRARY_VERSION >= 0x00905100
+ , "EGD"
+ #endif
+ };
mc = myModConfig();
nReq = 0;
***
*** 97,102
--- 103,111
pRandSeed = &pRandSeeds[i];
if (pRandSeed->nCtx == nCtx) {
nReq += pRandSeed->nBytes;
+
+ ssl_log(s, SSL_LOG_DEBUG, "%sRequesting %d bytes of entropy from %s:%s in
+'%s' context", prefix, pRandSeed->nBytes, rssrcNames[pRandSeed->nSrc],
+pRandSeed->cpPath, ctxNames[pRandSeed->nCtx]);
+
if (pRandSeed->nSrc == SSL_RSSRC_FILE) {
/*
* seed in contents of an external file
RE: ScriptAlias
You have inconsistent notation and a confused mapping. - Do not put a trailing slash on the alias or the directory. - You should have only one ScriptAlias per CGI directory. - You can match only one directory to each alias (you can have two aliases for one directory). ... it's like buses: Two buses can go to the same destination, but one bus can't go to two destinations :-) PS This has nothing to do with SSL. It is just a config problem with apache. Rgds, Owen Boyle >-Original Message- >From: Ortiz Ruiz Otoniel Manuel [mailto:[EMAIL PROTECTED]] >Sent: Freitag, 24. Januar 2003 19:37 >To: [EMAIL PROTECTED] >Subject: ScriptAlias > > > >I have a problem trying to execute cgis under ssl. (It doesn't find the >URL, a kind of problem with the scriptalias). > >I compiled apache2 with ssl, this are the options that I used. >At the bottom there is a fragment of my ssl.conf. > >Any help will be appreciated > > >OPTIONS: ># CC=gcc ./configure --prefix=/web/apache2 --enable-dav >--enable-info \ >> --enable-http --enable-proxy-ftp --enable-proxy-connect >--enable-proxy-http \ >> --enable-proxy --enable-usertrack --enable-headers --enable-expires \ >> --enable-cern-meta --enable-mime-magic --enable-deflate >--enable-case-filter-i >n \ >> --enable-case-filter --enable-ext-filter --enable-example >--enable-mem-cache \ > >> --enable-disk-cache --enable-cache --enable-charset-lite \ >> --enable-echo --enable-file-cache --enable-auth-dbm \ >> --enable-rewrite --enable-vhost-alias \ >> --enable-optional-hook-export --enable-optional-hook-import \ >> --enable-optional-fn-import --enable-optional-fn-export >--enable-unique-id \ >> --enable-cgi --enable-cgid --with-mpm=worker >--with-ssl=/usr/local/openssl \ >> --enable-auth-digest --enable-static-htdigest --enable-ssl > > > >SSL.CONF > > > > > > >Alias /otoniel"/web/htdocs/labvis/gente/becarios/otoniel" >ScriptAlias /cgi-bin/ "/web/htdocs/labvis/cgi-bin" >ScriptAlias /cgi-bin /web/htdocs/labvis/cgi-bin >ScriptAlias /lab-bin /web/htdocs/labvis/cgi-bin >ScriptAlias /garp-bin/ >"/web/htdocs/labvis/biodi.sdsc.edu/inicio/cgi-bin/" > >ScriptAlias /mailman/ /export/home/mailman/cgi-bin/ >ScriptAlias /cgi-bin/ /export/home/mailman/cgi-bin >ScriptAlias /cgi-mail "/export/home/mailman/cgi-bin/" > > >## Labvis ### >ScriptAlias /cgi-bin/ "/web/htdocs/labvis/cgi-bin/" >ScriptAlias /cgi-bin/ "/web/htdocs/labvis/cgi-bin/modelacion" >ScriptAlias /lab-bin/ "/web/htdocs/labvis/cgi-bin/" >ScriptAlias /garp-bin/ >"/web/htdocs/labvis/biodi.sdsc.edu/inicio/cgi-bi >n/" >ScriptAlias /hjg/ "/export/home/hjg/cgi/" > > > > > >__ >Apache Interface to OpenSSL (mod_ssl) www.modssl.org >User Support Mailing List [EMAIL PROTECTED] >Automated List Manager[EMAIL PROTECTED] > This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
