SSL config for Netscape 4.5 , 4.6, 4.7 on Mac
Hi All,

My system is running on 1.3.27 / 2.8.12 / 0.9.6g. The SSL connection from Netscape 4.5, 4.6 and 4.7 browsers running only on "Mac" seems to take a very long time to load a page, with or without the images (50-60K pages take about 2-3 mins over a T1 connection). I'm not really sure if the problem is caused by the server (e.g. TLS intolerant) or by the Netscape client (e.g. random number generation). My attempts to solve the problem have been unsuccessful so far. Any help is much appreciated.

Kind Regards,
RE: Multiple SSL VirtualHosts in apache
It's IP and/or port based. But do remember, if port based then one is serving only one cert, and the trouble is making sure the cert is constructed in a fashion such that hostnames are not contained within the CN and such. In this case, and others can correct me if I'm wrong here, you would need to generate the cert on the IP rather than the FQDN. And I'm not sure openssl allows such a cert, but others might well be better clued than I on this.

Thanks,

Ron DuFresne

On Wed, 19 Feb 2003, Jack L. Stone wrote:

> Please excuse the top post:
>
> Ian or anyone, are you sure that a wildcard setup won't work??? Just
> getting ready to do a fresh install involving vhosts and this will become
> an important issue.
>
> Thanks!
>
> At 10:02 AM 2.19.2003 -0700, Ian Moon wrote:
> >I believe that I read somewhere that you must have a different
> >ip address for each ssl virtualhost.
> >
> >Ian Moon
> >
> >On Wed, 19 Feb 2003, Boyle Owen wrote:
> >[...]
RE: Multiple SSL VirtualHosts in apache
Please excuse the top post:

Ian or anyone, are you sure that a wildcard setup won't work??? Just getting ready to do a fresh install involving vhosts and this will become an important issue.

Thanks!

At 10:02 AM 2.19.2003 -0700, Ian Moon wrote:
>I believe that I read somewhere that you must have a different
>ip address for each ssl virtualhost.
>
>Ian Moon
>
>On Wed, 19 Feb 2003, Boyle Owen wrote:
>[...]
Best regards,
Jack L. Stone, Administrator
Sage American
http://www.sage-american.com
[EMAIL PROTECTED]

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager
apache is not able to serve an SSL html page
I need some help, or just a new way of investigating a msg in error_log when the SSL handshake occurs.

Config:
  APACHE 2.0.44
  OpenSSL 0.9.7
  OS = AIX 5.2 kernel 64 bits
  Compiler = cc_r (IBM compiler)
  No DSO
  MPM-WORKER

When compiled in 32 bit mode, all works fine and I've got this msg when the SSL handshake is starting:

[Tue Feb 18 17:52:46 2003] [info] Seeding PRNG with 136 bytes of entropy
[Tue Feb 18 17:52:46 2003] [debug] ssl_engine_kernel.c(1758): OpenSSL: Handshake: start
[Tue Feb 18 17:52:46 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL: Loop: before/accept initialization
[Tue Feb 18 17:52:46 2003] [debug] ssl_engine_io.c(1477): OpenSSL: read 11/11 bytes from BIO#30a21348 [mem: 36fca158] (BIO dump follows)
[Tue Feb 18 17:52:46 2003] [debug] ssl_engine_io.c(1424): +-+
[Tue Feb 18 17:52:46 2003] [debug] ssl_engine_io.c(1449): | : 80 43 01 03 00 00 2a 00-00 00 10 .C* |
[Tue Feb 18 17:52:46 2003] [debug] ssl_engine_io.c(1455): +-+
...

As soon as I compile in 64 bit mode, apache is not able to serve an SSL html page, and I found this error when the SSL handshake is starting:

[Mon Feb 10 14:27:47 2003] [info] Seeding PRNG with 144 bytes of entropy
[Mon Feb 10 14:27:47 2003] [debug] ssl_engine_kernel.c(1758): OpenSSL: Handshake: start
[Mon Feb 10 14:27:47 2003] [debug] ssl_engine_kernel.c(1766): OpenSSL: Loop: before/accept initialization
[Mon Feb 10 14:27:47 2003] [debug] ssl_engine_io.c(1477): OpenSSL: read 0/11 bytes from BIO#1103b10d0 [mem: 1105ba110] (BIO dump follows)
[Mon Feb 10 14:27:47 2003] [debug] ssl_engine_io.c(1424): +-+
[Mon Feb 10 14:27:47 2003] [debug] ssl_engine_io.c(1455): +-+
[Mon Feb 10 14:27:47 2003] [info] SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Feb 10 14:27:47 2003] [info] Connection to child 64 closed with abortive shutdown

Any help would be appreciated. Thanks in advance.

Pierre.
RE: Multiple SSL VirtualHosts in apache
I believe that I read somewhere that you must have a different ip address for each ssl virtualhost.

Ian Moon

On Wed, 19 Feb 2003, Boyle Owen wrote:
> >-----Original Message-----
> >From: Steve Pirk [mailto:[EMAIL PROTECTED]]
> >Sent: Donnerstag, 6. Februar 2003 02:02
> >To: [EMAIL PROTECTED]
> >Subject: Multiple SSL VirtualHosts in apache
> >
> >I check the mail archives, but could not find a good
> >answer for this "problem" I am having.
> >
> >I am building out a dev environment using apache
> >on Solaris. The dev environment needs to run under
> >SSL (to simulate the production environment). I am
> >starting with 4 virtual servers. They all use the
> >same cert file, but are on different ports.
> >
> >The problem I am running into is that only the "first"
> >VirtualHost works. Requests to subsequent ports result
> >in a mod_ssl:error:HTTP-request error. Here is the error_log
> >entry:
> >
> >[Wed Feb 5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP
> >spoken on HTTPS port; trying to send HTML error page (OpenSSL library
> >error follows)
>
> This looks like you typed http://server:7001/ into the browser. You
> still need to define https even if you have the port number, i.e.
> https://server:7001/.
>
> Can you confirm that if you do this, you still get an error?
>
> Rgds,
> Owen Boyle
>
> >[Wed Feb 5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
> >routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking
> >HTTP to HTTPS
> >port!?]
> >
> >This is being used in conjunction with an auth package,
> >but the redirect after logging in is https://
> >
> >Does anyone know of a good way to have multiple
> >SSL virtual servers on one apache instance?
>
> The way you are doing it is fine. You just have a problem...
>
> >Here is a sample of httpd.conf. In this case, port 7000
> >works, but 7001 and 7002 get the mod_ssl error.
> >[...]
RE: Patches and Enhancements for a SSL-Proxy Based on Apache 2.0 (mod_ssl, mod_proxy, mod_headers)
> Cool..
> Can you please post the patch to the list, so that ppl can review the
> code,
> and give their comments.
> -Madhu

No problem! Here is my short README describing the patch and its history from Apache version 2.0.43 to 2.0.44:

Hello!

This is the distribution point for the Apache 2.0 as SSL Intermediary Patch. Currently you need this patch to use Apache 2.0 as a trusted intermediary in configuration with the SAP J2EE Engine. The patch is subject to become part of the standard Apache 2.0 distribution.

Feedback welcome!

Maik ([EMAIL PROTECTED])

INSTRUCTIONS:
- extract the Apache 2.0.43 distribution (httpd-2.0.43.tar.gz)
- change directory to httpd-2.0.43
- apply the patch with -p1 (patch -p1 < Apache-2.0.43-SSLintermediary.patch)
- follow the Apache INSTALL instructions

HISTORY:
02-12-30 initial release (available SAP internal)
03-01-07 httpd-2.0.43-patched-as-SSLintermediary.zip added
         In this ZIP archive the Apache-2.0.43-SSLintermediary.patch is already applied. More convenient for users not so familiar with the usage of diff & patch.
03-01-08 httpd-2.0.43-win32-src-patched-as-SSLintermediary.zip added
         You cannot use the UNIX source to build the WIN32 binaries. This ZIP archive contains the already patched version of httpd-2.0.43-win32-src. Use it to build the WIN32 binaries. If you want to apply Apache-2.0.43-SSLintermediary.patch to the original httpd-2.0.43-win32-src be aware that you have to convert CR-LFs to CR before applying the patch. In the successfully patched files you can again expand CR to CR-LF.
03-01-20 Bug in base 64 padding found. The calculation of the number of padding characters ('=') needed computes wrong results in some cases.
03-02-07 Apache 2.0.44 Released
         Apache-2.0.44-SSLintermediary.patch corresponds to httpd-2.0.44.tar.gz
         The documentation changes are NO longer part of the patch. Download mod_headers_mai.html.en for proposed documentation changes.
         SSLproxy.conf is a good example for a proxy's mod_ssl configuration.
The SAP proposed header names are use in the example added to the mod_headers documentation (see mod_headers_mai.html.en). And here follows the patch (My proposed changes to the HTML docu are now not included in the patch. Please advice me if and how to post this changes to mod_headers.html.en): --- httpd-2.0.44.ori/modules/metadata/mod_headers.c Mon Nov 4 19:31:57 2002 +++ httpd-2.0.44/modules/metadata/mod_headers.c Fri Feb 7 18:00:18 2003 @@ -109,6 +109,7 @@ #include "apr_lib.h" #include "apr_strings.h" #include "apr_buckets.h" +#include "apr_base64.h" #include "apr_hash.h" #define APR_WANT_STRFUNC 
@@ -198,6 +199,62 @@ else return "(null)"; } + +/* Base 64 encoded ASN.1 data is usually tagged with decorations of + * the following style: + * -BEGIN - + * + * -END - + * The defines are used to search for such decorations. + */ +#define DECORATION_MARKER_BEGIN "-BEGIN" +#define DECORATION_MARKER_END "-END" +#define DECORATION_EOF_MARKER "-" + +static const char *header_request_env_varB64(request_rec *r, char *a) +{ + const char *s = apr_table_get(r->subprocess_env,a); + char *pStartBody = NULL; + char *pBehindBody = NULL; + char *ptr; + + if (s) { +/* search for decorations marking encapsulated base64 encoded data */ +ptr = strstr((char *)s, DECORATION_MARKER_BEGIN); +if (ptr) { + ptr = strstr(ptr + strlen(DECORATION_MARKER_BEGIN), DECORATION_EOF_MARKER); + if (ptr && (ptr + strlen(DECORATION_EOF_MARKER) + 1) != '\0') { + /* explicit check that there are sitll chars in the string */ + pStartBody = ptr + strlen(DECORATION_EOF_MARKER) + 1; + + ptr = strstr(pStartBody, DECORATION_MARKER_END); + if (ptr && strstr(ptr, DECORATION_EOF_MARKER)) + pBehindBody = ptr; + } +} + +if (pStartBody && pBehindBody) { + /* encapsulated base64 encoded data found */ + /* all except the body will be skipped */ + *pBehindBody = '\0'; + apr_base64_cleanB64(pStartBody); + return pStartBody; +} else { + /* call apr_base64_encode() to encode the data */ + int inlen = strlen(s); + int outsize = apr_base64_encode_len(inlen); + char *encoded = apr_palloc(r->pool, outsize); + int rc = apr_base64_encode(encoded, s, inlen); + if (rc > outsize) + return "(null)"; + else + return encoded; +} + } + else +return "(null)"; +} + /* * Config routines */ @@ -407,7 +464,7 @@ /* Handle the envclause on Header */ if (envclause != NULL) { -if (inout != hdr_out) { +if (inout != hdr_out && inout != hdr_in) { return "error: envclause (env=...) only valid on Header directive"; } if (strncasecmp(envclause, "env=", 4) != 0) { @@ -448,12 +505,23 @@ return head
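Review bot: in header_request_env_varB64(), the guard `if (ptr && (ptr + strlen(DECORATION_EOF_MARKER) + 1) != '\0')` compares a pointer, not the byte it points at, with '\0', so it holds for every non-NULL ptr and the "still chars in the string" check never does anything; dereference it and test the byte at +strlen before stepping one further, e.g. `ptr[strlen(DECORATION_EOF_MARKER)] != '\0' && ptr[strlen(DECORATION_EOF_MARKER) + 1] != '\0'`. Two more points in the same hunk: `*pBehindBody = '\0'` writes through the const char * returned by apr_table_get(), truncating the SSL_CLIENT_CERT entry in r->subprocess_env in place for every later reader (logging, other directives), so work on an apr_pstrdup(r->pool, s) copy instead; and apr_base64_cleanB64() is not part of APR's apr_base64.h (which offers apr_base64_encode_len, apr_base64_encode, apr_base64_decode and their variants), so unless the patch adds it to APR elsewhere this will not link, and a local routine that strips whitespace from the body would be self-contained. The comment also misspells "still" as "sitll".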
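Review bot: the relaxed condition `if (inout != hdr_out && inout != hdr_in)` now accepts env= on RequestHeader, but the error string on the following line still reads "envclause (env=...) only valid on Header directive"; update it to name both directives so the message matches the new behaviour, and the RequestHeader documentation needs the fourth argument added alongside it.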
Patches and Enhancements for a SSL-Proxy Based on Apache 2.0 (mod_ssl, mod_proxy, mod_headers)
Hello All,

I want to provide updated information to my earlier described scenario using mod_ssl + mod_proxy + mod_headers:

Component:  Web Browser --- Proxy (mod_proxy) --- Web Server
SSL Role:   SSL Client  --- SSL server | SSL Client --- SSL Server

The following discussion focuses on Apache 2.0.43 and 2.0.44.

I have implemented a solution to transfer the Web browser's client certificate (and other SSL information) to the backend Web server:

Component:  Web Browser --- Proxy (mod_proxy) --- Web Server
SSL Role:   SSL Client  --- SSL server | SSL Client --- SSL Server
Client Cert (and other SSL information) --> Transfer as HTTP Headers

The problem was that mod_headers' RequestHeader directive didn't really match the requirements.

  RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e

is not a practical solution to forward the client's certificate to the backend server for the following reasons:

1. SSL_CLIENT_CERT produces multi-line output and the RequestHeader directive isn't able to transfer it into a correct multi-line HTTP header.
2. The "decorations" (-----BEGIN/END CERTIFICATE-----) and the multi-line format are not very useful in this scenario.

Therefore I have introduced the option "E" in addition to "e" for putting environment variables in headers. The "E" has the following meaning:

  %{FOOBAR}E  The base64 encoded content of the environment variable FOOBAR. If the environment variable already contains a base64 encoded body (e. g. SSL_CLIENT_CERT) the body will be set as the value of the header variable. The result is in any case a single line of base64 characters only.

This behavior serves two requirements:

1. There is no problem escaping special characters when putting other SSL information in HTTP headers. In many cases, SSL_CLIENT_S_DN will probably contain characters that have to be escaped.
2. Reduces the overhead produced by "decorations" and multi-line format.
Here is an example for forwarding the SSL Client Certificate and other SSL information:

  RequestHeader set SSL_CLIENT_CERT          %{SSL_CLIENT_CERT}E          env=SSL_CLIENT_S_DN
  RequestHeader set SSL_CLIENT_CERT_CHAIN_0  %{SSL_CLIENT_CERT_CHAIN_0}E  env=SSL_CLIENT_CERT_CHAIN_0
  RequestHeader set SSL_CLIENT_CERT_CHAIN_1  %{SSL_CLIENT_CERT_CHAIN_1}E  env=SSL_CLIENT_CERT_CHAIN_1
  RequestHeader set SSL_CIPHER_USEKEYSIZE    %{SSL_CIPHER_USEKEYSIZE}e    env=SSL_CIPHER_USEKEYSIZE
  RequestHeader set SSL_CIPHER_SUITE         %{SSL_CIPHER}e               env=SSL_CIPHER

To make this work I also patched two other things:

1. mod_headers' RequestHeader directive wasn't able to take an env clause as a fourth argument, in contrast to the Header directive. I don't know the reason for that behavior, but the env clause seems to work fine with the SSL environment variables for RequestHeader. This was necessary to avoid an empty header if the environment variable isn't present. If there are objections, let me know.

2. SSL_CLIENT_CERT_CHAIN_n is broken. To me it seems that somebody has tried to change SSL_CLIENT_CERT_CHAINn to SSL_CLIENT_CERT_CHAIN_n. However, the introduction of the "_" wasn't quite consistent. I patched that and now I can see the intermediate CAs as SSL_CLIENT_CERT_CHAIN_0 to SSL_CLIENT_CERT_CHAIN_n in the environment.

Last but not least I have updated the mod_headers documentation with the new option "E" and an example for forwarding the Web browser's client certificate and some other SSL information.

I think the described patches and enhancements are quite reasonable and I would like to make them part of the standard Apache distribution. I have already produced a patch file that works for Apache 2.0.43 and 2.0.44. I would appreciate guidance on how to proceed.

Comments welcome!

Regards,
Maik

Maik Mueller
Development Architect
SAP
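The %{VAR}E behaviour described in the post, reimplemented stand-alone as an added example (this is not Maik's patch nor mod_headers code; it uses its own base64 encoder in place of apr_base64, and the certificate and DN values are constructed samples). It goes one step beyond the description by refusing a PEM body that contains non-base64 characters instead of forwarding it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Decorations that bracket a PEM body, e.g. "-----BEGIN CERTIFICATE-----". */
#define PEM_BEGIN "-----BEGIN "
#define PEM_END   "-----END "

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Plain base64 with '=' padding, hand-rolled here so the example has no
 * APR dependency. Returns the encoded length, or -1 if out is too small. */
static int b64_encode(const unsigned char *in, size_t inlen, char *out, size_t outlen)
{
    size_t need = 4 * ((inlen + 2) / 3);
    size_t i = 0, o = 0;

    if (outlen < need + 1)
        return -1;
    for (; i + 2 < inlen; i += 3) {
        unsigned v = ((unsigned)in[i] << 16) | ((unsigned)in[i + 1] << 8) | in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = B64[v & 63];
    }
    if (inlen - i == 1) {                       /* one trailing byte: "xx==" */
        unsigned v = (unsigned)in[i] << 16;
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = '=';
        out[o++] = '=';
    } else if (inlen - i == 2) {                /* two trailing bytes: "xxx=" */
        unsigned v = ((unsigned)in[i] << 16) | ((unsigned)in[i + 1] << 8);
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];
        out[o++] = '=';
    }
    out[o] = '\0';
    return (int)o;
}

/* Semantics of %{VAR}E as described in the post:
 *  - if the value carries a PEM body (SSL_CLIENT_CERT and friends), copy that
 *    body without its decorations and line breaks;
 *  - otherwise base64-encode the raw value (SSL_CLIENT_S_DN etc.).
 * Either way the result is a single line of base64 characters. Returns the
 * length written, or -1 if the output buffer is too small or the PEM body
 * holds a character that is not base64 (a malformed value is rejected
 * rather than forwarded to the backend). */
int header_value_b64(const char *env, char *out, size_t outlen)
{
    const char *begin = strstr(env, PEM_BEGIN);

    if (begin) {
        /* the body starts on the line after the BEGIN decoration */
        const char *nl = strchr(begin + strlen(PEM_BEGIN), '\n');
        const char *end = nl ? strstr(nl, PEM_END) : NULL;

        if (end) {
            const char *p;
            size_t o = 0;
            for (p = nl + 1; p < end; p++) {
                if (isspace((unsigned char)*p))
                    continue;                   /* drop CR/LF between lines */
                if (*p != '=' && strchr(B64, *p) == NULL)
                    return -1;                  /* not base64: refuse it */
                if (o + 1 >= outlen)
                    return -1;
                out[o++] = *p;
            }
            out[o] = '\0';
            return (int)o;
        }
        /* BEGIN without a matching END: fall through and encode verbatim */
    }
    return b64_encode((const unsigned char *)env, strlen(env), out, outlen);
}

int main(void)
{
    /* constructed sample values, not a real certificate or DN */
    const char *cert = "-----BEGIN CERTIFICATE-----\nMIIB\r\nAgEA\n-----END CERTIFICATE-----\n";
    const char *dn = "/C=DE/O=SAP/CN=Maik";
    char out[512];

    header_value_b64(cert, out, sizeof out);
    printf("SSL_CLIENT_CERT: %s\n", out);
    header_value_b64(dn, out, sizeof out);
    printf("SSL_CLIENT_S_DN: %s\n", out);
    return 0;
}
```

A backend that acts on these headers must accept them only on the connection from the proxy and drop any copies a client sends directly, otherwise the forwarded "certificate" is just an unauthenticated request header.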
Re: mass ip virtual host & mod_ssl?
On Wed, 19 Feb 2003, Ray a PowerWeb Tech wrote:
> but some of the domains have SSL, and it doesn't seem like this will
> cover it as is. how do i setup a folder for keys that will be used? ie
> /www/certs/%0.key or does it automagically pick the correct key for the
> ip/domain?
>
> i'm hoping to get it so that by dropping files into the correct places,
> our customer will be able to add/remove domains without having to have
> the ability to restart apache (as its on windows, he would need nearly
> total control of the machine to do this)

Nope, sorry, you can't do that. You have to have real virtual hosts set up for each SSL vhost; mod_vhost_alias won't cut it. That's not to mention the fact that changing or adding SSL keys/certs requires restarting Apache anyway to reinitialize OpenSSL.

--Cliff
Re: Multiple SSL VirtualHosts in apache
On Wed, 5 Feb 2003, Steve Pirk wrote:
> They all use the same cert file, but are on different ports.

I'm not so sure you can do that. But anyway, assuming for a second that you can:

> The problem I am running into is that only the "first"
> VirtualHost works. Requests to subsequent ports result
> in a mod_ssl:error:HTTP-request error. Here is the error_log
> entry:

Interesting. What version of Apache is this? If 1.3.x, what version of mod_ssl? The mod_ssl:error:HTTP-request thing is supposed to be purely internal; if it ever leaks out to the client, something is screwed up. I found some odd cases a while back where you could set up redirections in an odd way and it would do that, but I've forgotten the details and would have to dig them up. What redirects are you doing? Any rewriterules?

--Cliff
Re: Multiple SSL VirtualHosts in apache
The error you posted from logs implies the request the server is getting is http rather than https; perhaps your redirect or rewrite is not functioning properly?

Thanks,

Ron DuFresne

On Wed, 5 Feb 2003, Steve Pirk wrote:
> I check the mail archives, but could not find a good
> answer for this "problem" I am having.
>
> I am building out a dev environment using apache
> on Solaris. The dev environment needs to run under
> SSL (to simulate the production environment). I am
> starting with 4 virtual servers. They all use the
> same cert file, but are on different ports.
>
> The problem I am running into is that only the "first"
> VirtualHost works. Requests to subsequent ports result
> in a mod_ssl:error:HTTP-request error. Here is the error_log
> entry:
>
> [Wed Feb 5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP
> spoken on HTTPS port; trying to send HTML error page (OpenSSL library
> error follows)
> [Wed Feb 5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
> routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS
> port!?]
>
> This is being used in conjunction with an auth package,
> but the redirect after logging in is https://
>
> Does anyone know of a good way to have multiple
> SSL virtual servers on one apache instance?
>
> Here is a sample of httpd.conf. In this case, port 7000
> works, but 7001 and 7002 get the mod_ssl error.
>
> DocumentRoot /some/doc/root
> SSLEngine on
> SSLCertificateFile /usr/local/apache/certs/my_cert.crt
> SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>
> DocumentRoot /some/doc/root
> SSLEngine on
> SSLCertificateFile /usr/local/apache/certs/my_cert.crt
> SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>
> DocumentRoot /some/doc/root
> SSLEngine on
> SSLCertificateFile /usr/local/apache/certs/my_cert.crt
> SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>
> --
> Steve (egrep)

--
~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!
mass ip virtual host & mod_ssl?
is it possible using either mod_rewrite, mod_vhosts_alias or some trick in mod_ssl to have multiple virtual hosts by ip address and their keys? was thinking something like

  # get the server name from the Host: header
  UseCanonicalName Off

  # this log format can be split per-virtual-host based on the first field
  LogFormat "%V %h %l %u %t \"%r\" %s %b" vcommon
  CustomLog logs/access_log vcommon

  # include the server name in the filenames used to satisfy requests
  VirtualDocumentRoot /www/hosts/%0/docs
  VirtualScriptAlias /www/hosts/%0/cgi-bin

as per http://httpd.apache.org/docs/vhosts/mass.html#ipbased

but some of the domains have SSL, and it doesn't seem like this will cover it as is. how do i setup a folder for keys that will be used? ie /www/certs/%0.key or does it automagically pick the correct key for the ip/domain?

i'm hoping to get it so that by dropping files into the correct places, our customer will be able to add/remove domains without having to have the ability to restart apache (as its on windows, he would need nearly total control of the machine to do this)

--
Eternity is a terrible thought. I mean, where's it going to end?
-- Tom Stoppard
Re: tried everything on linux but SSL will not work
This is a completely wild guess based on not much information, but since I gather you have two independent https servers that have failed on linux, have you checked your iptables / ipchains config?

Otherwise you need to do some more checking, e.g.:
Re: Preprocessor bug in ssl_exp_scan.l when building with nativecompiler on HP-UX 11
On Tue, 4 Feb 2003, Stuart Cook wrote:
> I have been building Apache 1.3.27 on HP-UX 11 via the native compiler
> with Mod SSL 2.8.12-1.3.27 and have come across and resolved a build bug
> during the Apache compilation process.
>
> In the Mod SSL file .../pkg.sslmod/ssl_expr_scan.l from line 91 onwards
> there is a state variable 'str'. The native C pre-processor converts
> this to 1 and errors with:
>
> /opt/ansic/bin/cc -c -I../../os/unix -I../../include -DHPUX11 -Aa -Ae
> -D_HPUX_SOURCE -DMOD_SSL=208112 -DUSE_HSREGEX -DEAPI -DUSE_EXPAT
> -I../../lib/expat-lite `../../apaci` -DSSL_COMPAT -DSSL_ENGINE
> -I/build/reporter/apache/openssl-engine-0.9.6g/include
> -DMOD_SSL_VERSION=\"2.8.12\" ssl_expr_scan.c
> cc: "lex.ssl_expr_yy.c", line 1753: error 1000: Unexpected symbol: "1".
> cc: "lex.ssl_expr_yy.c", line 1760: error 1720: Subscript expression
> must combine object pointer and integer.
> cc: "lex.ssl_expr_yy.c", line 1760: error 1566: Test expression in for
> must be scalar.
> cc: "lex.ssl_expr_yy.c", line 1763: warning 527: Integral value
> implicitly converted to pointer in assignment.
> cc: "lex.ssl_expr_yy.c", line 1763: warning 563: Argument #1 is not the
> correct type.
> *** Error exit code 1
>
> This can be resolved by changing .../pkg.sslmod/ssl_expr_scan.l state
> variable to 'str_state' or some other value than 'str'.

i've been building Apache v1.3.27 with mod_ssl-2.8.12-1.3.27 and OpenSSL v0.9.6h (non-engine) using HP Ansi C compiler on HP-UX 11.00 with no problems. here's the compilation command for ssl_expr_scan.c.

cc -c -I../../os/unix -I../../include -DHPUX11 -Aa -Ae -D_HPUX_SOURCE -DMOD_SSL=208112 -I/opt/kronodoc/openldap/2.0.27-kb3/include -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I../../lib/expat-lite -DNO_DL_NEEDED -DNO_IDEA -noshared `../../apaci` -DSSL_COMPAT -I/opt/local/openssl/0.9.6h-apache/include -DMOD_SSL_VERSION=\"2.8.12\" ssl_expr_scan.c

--
aspa  http://www.kronodoc.fi/
Re: add a certificate to a Certificate Revocation List
On Wed, 19 Feb 2003, Zampognaro Sergio wrote:

> How to add a client certificate to an already created and empty Certificate
> Revocation List?

Here are the instructions if you are using openssl and your own CA:

First you have to revoke the certificate:

    openssl ca -revoke certificate-file

Then you have to recreate the CRL:

    openssl ca -gencrl -out crl.pem

If you need DER format:

    openssl crl -in crl.pem -outform der -out crl.der

Regards
Burkhard
Re: add a certificate to a Certificate Revocation List
On Wed, Feb 19, 2003 at 12:10:14PM +0100, Mads Toftum wrote:
> openssl ca -revoke filename
>
> see man ca and man crl in the openssl docs.
>

I forgot to add this link - http://www.apacheweek.com/features/crl

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: add a certificate to a Certificate Revocation List
On Wed, Feb 19, 2003 at 11:57:20AM +0100, Zampognaro Sergio wrote:
> How to add a client certificate to an already created and empty Certificate
> Revocation List?
>

openssl ca -revoke filename

see man ca and man crl in the openssl docs.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
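The revoke / regenerate / convert sequence that Burkhard and Mads give above, run end to end against a throwaway CA so the effect is visible. This is an added example, not code from either reply or from the OpenSSL project: the CA name "Demo CA", the client name "client1", the ca.cnf contents and the temp-directory layout are all made up for the demonstration. It first builds an empty CRL (the situation in the question) and shows the client certificate still verifies, then revokes it, regenerates the CRL, writes the DER copy, and shows that "openssl verify -crl_check" now rejects the certificate. The one thing the thread leaves implicit is made explicit here: "openssl ca -revoke" only marks the entry in the CA's index.txt; nothing changes for relying parties until "-gencrl" is run and the new CRL is actually distributed.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway CA in a temp dir, used to walk
# through revoke -> gencrl -> DER -> verify. All names and paths are invented.

crl_demo() (
  set -eu
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT
  cd "$work"
  mkdir newcerts
  : > index.txt          # openssl ca's certificate database, initially empty
  echo 01 > serial       # serial of the first certificate the CA will issue
  echo 01 > crlnumber

  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = demo_policy
x509_extensions  = usr_cert

[ demo_policy ]
commonName = supplied

[ usr_cert ]
basicConstraints = CA:FALSE

[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = ca_ext

[ req_dn ]
CN = Demo CA

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # Self-signed CA plus one client certificate issued by it (serial 01).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 30 -subj '/CN=Demo CA' -config ca.cnf >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj '/CN=client1' -config ca.cnf >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -in client.csr -out client.crt >/dev/null 2>&1

  # The "already created and empty" CRL from the question: the client
  # certificate still passes a CRL-checked verification against it.
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  if openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem client.crt >/dev/null 2>&1; then
    before=valid
  else
    before=revoked
  fi

  # Step 1: revoke. This only flags the entry in index.txt.
  openssl ca -config ca.cnf -revoke client.crt >/dev/null 2>&1
  # Step 2: regenerate the CRL so the revocation actually appears in it.
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  # Step 3 (optional): DER copy, for consumers that do not read PEM.
  openssl crl -in crl.pem -outform der -out crl.der >/dev/null 2>&1
  # Sanity check: the DER copy lists the revoked serial.
  openssl crl -in crl.der -inform der -noout -text | grep -q 'Serial Number: 01'

  if openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem client.crt >/dev/null 2>&1; then
    after=valid
  else
    after=revoked
  fi
  echo "$before $after"
)

crl_demo
```

Running the script prints "valid revoked": the same certificate is accepted against the empty CRL and rejected once the regenerated CRL is in use. For a mod_ssl server the regenerated crl.pem is what goes under SSLCARevocationFile (or, hashed, SSLCARevocationPath); skipping the "-gencrl" step after "-revoke" is the usual reason a revoked client certificate keeps working.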
add a certificate to a Certificate Revocation List
How to add a client certificate to an already created and empty Certificate Revocation List?

thanks
Sergio
RE: Multiple SSL VirtualHosts in apache
>-Original Message-
>From: Steve Pirk [mailto:[EMAIL PROTECTED]]
>Sent: Donnerstag, 6. Februar 2003 02:02
>To: [EMAIL PROTECTED]
>Subject: Multiple SSL VirtualHosts in apache
>
>
>I check the mail archives, but could not find a good
>answer for this "problem" I am having.
>
>I am building out a dev environment using apache
>on Solaris. The dev environment needs to run under
>SSL (to simulate the production environment). I am
>starting with 4 virtual servers. They all use the
>same cert file, but are on different ports.
>
>The problem I am running into is that only the "first"
>VirtualHost works. Requests to subsequent ports result
>in a mod_ssl:error:HTTP-request error. Here is the error_log
>entry:
>
>[Wed Feb 5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP
>spoken on HTTPS port; trying to send HTML error page (OpenSSL library
>error follows)

This looks like you typed http://server:7001/ into the browser. You still need to define https even if you have the port number, i.e. https://server:7001/. Can you confirm that if you do this, you still get an error?

Rgds,
Owen Boyle

>[Wed Feb 5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
>routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking
>HTTP to HTTPS
>port!?]
>
>This is being used in conjunction with an auth package,
>but the redirect after logging in is https://
>
>Does anyone know of a good way to have multiple
>SSL virtual servers on one apache instance?

The way you are doing it is fine. You just have a problem...

>
>Here is a sample of httpd.conf. In this case, port 7000
>works, but 7001 and 7002 get the mod_ssl error.
>
>
>DocumentRoot /some/doc/root
>SSLEngine on
>SSLCertificateFile /usr/local/apache/certs/my_cert.crt
>SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>
>
>DocumentRoot /some/doc/root
>SSLEngine on
>SSLCertificateFile /usr/local/apache/certs/my_cert.crt
>SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>
>
>DocumentRoot /some/doc/root
>SSLEngine on
>SSLCertificateFile /usr/local/apache/certs/my_cert.crt
>SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
>
>
>--
>Steve (egrep)
certificate authentication & alternate authentication & REMOTE_USER variable
Hi all,

SERVER: Apache 1.3.27 + mod_ssl/2.8.12

My problem: I want to authenticate clients of my domain based on certificates and obtain my users' usernames. I try using the two methods mentioned in http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9 but they don't seem to be completely equivalent.

Specifically, when I try without SSLRequire and load an authentication module such as mod_auth_ldap or mod_auth_mysql (in order to offer an alternate authentication schema - Satisfy any), in the browser, a dialog window appears asking for Username/Password just after the window for choosing the certificate.

This window (asking for username/password) does not appear
1. when I use SSLRequire directive and load other modules (but REMOTE_USER variable is empty) and
2. when I use AuthUserFile directive and don't load the modules (but I can't offer alternate authentication)

Apache configuration:

#LoadModule ldap_auth_module libexec/mod_auth_ldap.so
SSLCACertificatePath /etc/apache/conf/ssl.crt
SSLCACertificateFile /etc/apache/conf/ssl.crt/ca-bundle.crt
SSLVerifyClient 0

<Directory "/apache/secure/area">
    AllowOverride None
    Options None
    Order deny,allow
    Deny from all
    Allow from localnetwork
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLOptions +FakeBasicAuth +StdEnvVars
    SSLRequireSSL
    #SSLRequire %{SSL_CLIENT_S_DN_O} eq "My Organization" and \
    #           %{SSL_CLIENT_S_DN_OU} eq "My Departement"
    AuthName "Certificate Authentication"
    AuthType Basic
    AuthUserFile /path/to/httpd.passwd
    require valid-user
    #Satisfy any
    #AuthType Basic
    #AuthName "LDAP Authentication"
    #LDAP_Server MyLdapServer
    #LDAP_Port 389
    #Base_DN "o=MyOrganization,c=GR"
    #UID_Attr uid
    #require valid-user
</Directory>

thanks in advance
-sophia
Multiple SSL VirtualHosts in apache
I check the mail archives, but could not find a good answer for this "problem" I am having.

I am building out a dev environment using apache on Solaris. The dev environment needs to run under SSL (to simulate the production environment). I am starting with 4 virtual servers. They all use the same cert file, but are on different ports.

The problem I am running into is that only the "first" VirtualHost works. Requests to subsequent ports result in a mod_ssl:error:HTTP-request error. Here is the error_log entry:

[Wed Feb 5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[Wed Feb 5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]

This is being used in conjunction with an auth package, but the redirect after logging in is https://

Does anyone know of a good way to have multiple SSL virtual servers on one apache instance?

Here is a sample of httpd.conf. In this case, port 7000 works, but 7001 and 7002 get the mod_ssl error.

DocumentRoot /some/doc/root
SSLEngine on
SSLCertificateFile /usr/local/apache/certs/my_cert.crt
SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key

DocumentRoot /some/doc/root
SSLEngine on
SSLCertificateFile /usr/local/apache/certs/my_cert.crt
SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key

DocumentRoot /some/doc/root
SSLEngine on
SSLCertificateFile /usr/local/apache/certs/my_cert.crt
SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key

--
Steve (egrep)
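The port-based layout Steve describes, written out with the Listen and VirtualHost lines that the archive stripped from his sample. This is an added example, not Steve's actual httpd.conf: the _default_ address, the three Listen lines and the comments are assumptions made for illustration; the DocumentRoot and certificate paths are the ones from his post. It illustrates Owen's diagnosis: each port is a separate HTTPS endpoint, so a plain http://server:7001/ request hits an SSL listener and mod_ssl logs exactly the "HTTP spoken on HTTPS port" error shown above, which is a client-side URL problem and not a sign that the second or third vhost is misconfigured.

```apache
# Added example (Apache 1.3 + mod_ssl 2.8 syntax), not the poster's own config.
# Every port that carries an SSL vhost must be opened with Listen; each vhost
# then enables SSL for itself. One certificate may be reused across ports.
Listen 7000
Listen 7001
Listen 7002

<VirtualHost _default_:7000>
    DocumentRoot          /some/doc/root
    SSLEngine             on
    SSLCertificateFile    /usr/local/apache/certs/my_cert.crt
    SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>

<VirtualHost _default_:7001>
    DocumentRoot          /some/doc/root
    SSLEngine             on
    SSLCertificateFile    /usr/local/apache/certs/my_cert.crt
    SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>

<VirtualHost _default_:7002>
    DocumentRoot          /some/doc/root
    SSLEngine             on
    SSLCertificateFile    /usr/local/apache/certs/my_cert.crt
    SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>

# Clients must use https://server:7001/ and https://server:7002/. A request
# for http://server:7001/ reaches the SSL listener and produces:
#   mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port
# Any auth package that redirects after login therefore has to emit an
# https:// URL that carries the non-standard port number as well.
```

A quick way to tell the two cases apart from the server side: an "openssl s_client -connect server:7001" session that completes the handshake shows the vhost itself is fine, so a browser error on the same port points at the URL scheme or at a redirect that dropped https://, not at the VirtualHost block.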
Preprocessor bug in ssl_exp_scan.l when building with native compiler on HP-UX 11
I have been building Apache 1.3.27 on HP-UX 11 via the native compiler with Mod SSL 2.8.12-1.3.27 and have come across and resolved a build bug during the Apache compilation process.

In the Mod SSL file .../pkg.sslmod/ssl_expr_scan.l from line 91 onwards there is a state variable 'str'. The native C pre-processor converts this to 1 and errors with:

/opt/ansic/bin/cc -c -I../../os/unix -I../../include -DHPUX11 -Aa -Ae -D_HPUX_SOURCE -DMOD_SSL=208112 -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I../../lib/expat-lite `../../apaci` -DSSL_COMPAT -DSSL_ENGINE -I/build/reporter/apache/openssl-engine-0.9.6g/include -DMOD_SSL_VERSION=\"2.8.12\" ssl_expr_scan.c
cc: "lex.ssl_expr_yy.c", line 1753: error 1000: Unexpected symbol: "1".
cc: "lex.ssl_expr_yy.c", line 1760: error 1720: Subscript expression must combine object pointer and integer.
cc: "lex.ssl_expr_yy.c", line 1760: error 1566: Test expression in for must be scalar.
cc: "lex.ssl_expr_yy.c", line 1763: warning 527: Integral value implicitly converted to pointer in assignment.
cc: "lex.ssl_expr_yy.c", line 1763: warning 563: Argument #1 is not the correct type.
*** Error exit code 1

This can be resolved by changing .../pkg.sslmod/ssl_expr_scan.l state variable to 'str_state' or some other value than 'str'. Once this change is made, the apache web server correctly and successfully compiles.

Stuart

--
Stuart V Cook BSc. (Hons)
Senior Software Consultant - Micromuse Ltd.
90 Putney Bridge Rd, London. SW18 1DA. UK
Office: +44-(0)20-8875 9500 x734
Mobile: +44-(0)7771 816 472