how to nest SSLRequire

2003-08-20 Thread Hendrik Robbel
Hi,

I tried to nest two directories with SSLRequire entries:

   <Directory /htdocs-ssl/user/>
   SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
   and %{SSL_CLIENT_S_DN_O} eq user )
   </Directory>
   <Directory /htdocs-ssl/>
   SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
   and %{SSL_CLIENT_S_DN_O} eq Global )
   </Directory>


But I got a 403 when I tried to access /htdocs-ssl/user/ with a certificate which
has the organisation entry user.
It's the same with Location, LocationMatch ...

Any ideas?

Thanks in advance
Hendrik


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


Re: how to nest SSLRequire

2003-08-20 Thread Mads Toftum
On Wed, Aug 20, 2003 at 10:56:11AM +0200, Hendrik Robbel wrote:
> Hi,
> 
> I tried to nest two directories with SSLRequire entries:
> 
>    <Directory /htdocs-ssl/user/>
>    SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
>    and %{SSL_CLIENT_S_DN_O} eq user )
>    </Directory>
> 
> 
>    <Directory /htdocs-ssl/>
>    SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
>    and %{SSL_CLIENT_S_DN_O} eq Global )
>    </Directory>
> 
> 
> 
> But I got a 403 when I tried to access /htdocs-ssl/user/ with a 
> certificate which
> has the organisation entry user.
> 
 
Why not just use REQUEST_URI as part of your SSLRequire statement
instead of wrapping it in Directory? 

Kind regards,

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall

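Mads's approach as an added example (my configuration, not from the thread): a single section whose SSLRequire branches on REQUEST_URI, which avoids the 403 because mod_ssl merges the SSLRequire lists of nested sections rather than letting the inner one override the outer, so a request under /user/ had to satisfy both the "user" and the "Global" condition at once. The DocumentRoot, the SSLVerifyClient setting and the organisation names are assumptions.

```apache
# Added example, not from the thread: one section instead of two nested ones.
# Assumes /htdocs-ssl is the DocumentRoot, so /htdocs-ssl/user/ is reached as /user/.
<Directory /htdocs-ssl/>
    # The SSL_CLIENT_S_DN_* variables only carry a verified identity when the
    # client certificate is required and checked against the configured CA.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Reject export and NULL ciphers everywhere, then tie the organisation in
    # the client certificate to the URI prefix being requested.
    SSLRequire %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
               and ( ( %{REQUEST_URI} =~ m#^/user/# and %{SSL_CLIENT_S_DN_O} eq "user" ) \
                  or ( %{REQUEST_URI} !~ m#^/user/# and %{SSL_CLIENT_S_DN_O} eq "Global" ) )
</Directory>
# Apache 2.4 deprecates SSLRequire; the same test is written there with "Require expr".
```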


Re: configuration question

2003-08-20 Thread Dave Paris
On Wednesday, Aug 20, 2003, at 00:32 US/Eastern, Arthur Chan wrote:

> Well, my eyes did glaze over somewhere betw thermodynamics and mobile
> perpetuum ;-)
> So does this mean that if I work in a less sophisticated infrastructure
> where only 56kbps ppp dialup is available, I can get some incremental gain
> by zipping it up before encrypting it ? [yes/no]

Yes.  ...And the larger the plaintext, the larger your gain, 
percentage-wise. (simply because larger plaintext files *tend* to 
shrink by a larger percentage when compressed)

> Caveats ?

Both compression and encryption are computationally expensive 
operations.  Don't skimp on the CPU for this machine.
[]

Best~
-dsp


compression and SSL (was configuration question)

2003-08-20 Thread Jirka Vejrazka
Just a word from the real world - I have implemented compression (via mod_deflate) and SSL 
together and it was worth it. Simply because mod_deflate can shrink my typical html 
pages to 20-30% of original size (images are excluded from compression) and the SSL 
overhead is not that big. So, HTML sent through the wires is encrypted and smaller than 
the original.

  Jirka Vejrazka
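The setup Jirka describes, as an added example (my configuration, not his): mod_deflate on the SSL host with images left uncompressed. Since the BREACH result of 2013, compressing a response that places a secret such as a session or CSRF token next to attacker-influenced input lets the response length leak that secret, so in practice compression is confined to static content or the secret is masked per response. Host name, address and paths are placeholders.

```apache
# Added example, not Jirka's own configuration: HTTP-level compression on the
# SSL host, images excluded. Name, address and paths are placeholders.
<VirtualHost 203.0.113.10:443>
    ServerName            www.example.com
    DocumentRoot          /srv/www/html
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # mod_deflate runs as a content filter, so compression happens before
    # the SSL connection filter encrypts the output.
    SetOutputFilter DEFLATE
    # Images are already compressed; mark them no-gzip so DEFLATE skips them
    # (dont-vary also keeps the Vary header off those responses).
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    # Tell caches that compressed and plain variants exist (needs mod_headers).
    Header append Vary Accept-Encoding env=!dont-vary
</VirtualHost>
```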


Re: configuration question

2003-08-20 Thread Eric Rescorla
Cliff Woolley [EMAIL PROTECTED] writes:

> On Tue, 19 Aug 2003, Eric Rescorla wrote:
> 
> > Dave Paris [EMAIL PROTECTED] writes:
> > > In addition to Owen's salient points about compression working efficiently
> > > on repetitive strings in plaintext/binary data (e.g. whitespace in a Word
> > > document) and not on random data (e.g. encrypted data), some encryption
> > > algorithms can actually be weakened by compressing the resulting data,
> > > giving a cryptanalyzer clues to the inner workings of the algorithm.
> > 
> > No reasonable encryption algorithm will be weakened this way.
> 
> I agree.  I'm guessing what he meant is that some encryption algorithms
> are weakened if their /input/ is pre-compressed by some known algorithm.
> If the cleartext is in some known format, it might possibly be easier to
> recover it from the ciphertext.

True. But no modern algorithm is susceptible to this kind of known
plaintext attack either. Moreover, SSL incorporates all sorts of
opportunities for known plaintext. I wouldn't worry about this one.

-Ekr


RE: configuration question

2003-08-20 Thread Dave Paris
I was not referring to post-encryption compression in the context of SSL or
other, proven, known-sane encryption algorithms.  I probably should have
made this point *much* clearer to avoid confusion.  I posed the scenario to
would-be cryptographers who [99.9% of the time] wrongly believe they've
created the next great encryption algorithm.

In any case, the Apache processing chain applies SSL as the last stage
anyway, so compressing *after* encryption, under normal Apache request
processing, won't happen without someone [who knows *exactly* what they're
doing] forcing the issue.

Best~
-dsp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Eric Rescorla
Sent: Wednesday, August 20, 2003 11:44 AM
To: [EMAIL PROTECTED]
Subject: Re: configuration question


Cliff Woolley [EMAIL PROTECTED] writes:

> On Tue, 19 Aug 2003, Eric Rescorla wrote:
> 
> > Dave Paris [EMAIL PROTECTED] writes:
> > > In addition to Owen's salient points about compression working efficiently
> > > on repetitive strings in plaintext/binary data (e.g. whitespace in a Word
> > > document) and not on random data (e.g. encrypted data), some encryption
> > > algorithms can actually be weakened by compressing the resulting data,
> > > giving a cryptanalyzer clues to the inner workings of the algorithm.
> > 
> > No reasonable encryption algorithm will be weakened this way.
> 
> I agree.  I'm guessing what he meant is that some encryption algorithms
> are weakened if their /input/ is pre-compressed by some known algorithm.
> If the cleartext is in some known format, it might possibly be easier to
> recover it from the ciphertext.

True. But no modern algorithm is susceptible to this kind of known
plaintext attack either. Moreover, SSL incorporates all sorts of
opportunities for known plaintext. I wouldn't worry about this one.

-Ekr





Re: CGI/SSL spec?

2003-08-20 Thread Colin Faber
Hi Philip,

Dumping the environment variables is a very simple task. Try:

   #!/bin/sh
   echo Content-type: text/plain
   echo
   /usr/bin/printenv

chmod it and stick it on your SSL server and run it.

Philip Champon wrote:

> Hi,
> 
> I tried searching the archives, to find out where I might be able
> to read about a CGI/SSL spec, but I couldn't turn anything up?
> While I have read the mod_ssl ref on environment variables, I was
> hoping to find out what source the group used to compile this list
> of environment variables. I also consulted the CGI spec, but it did
> not cover any SSL specific variables.
> Could someone tell me, is there such a spec, or did the group arbitrarily
> compile a list of SSL env vars to include in the CGI env?


virtual hosting

2003-08-20 Thread Ian Newlands
I am currently running about 15 virtual hosts using name based on port 80, 
and 1 virtual host using SSL.

My SSL host is currently working with the following:

   <VirtualHost _default_:443>

However I want to change this to the IP based hosting for this host, 
allowing me to then add more SSL based virtual hosts on this setup, so I 
tried changing this to the following:

   <VirtualHost 203.xxx.xxx.xxx:443>

By doing this my SSL virtual host stops working altogether.

I try the following to debug it on a remote machine:

   # openssl s_client -connect 203.xxx.xxx.xxx:443
   CONNECTED(0003)
   27604:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:

I do the exact same thing on the local machine and it responds with a valid 
SSL response.

Can anyone suggest what might be wrong here?

Regards,

Ian Newlands



Re: virtual hosting

2003-08-20 Thread Dave Paris
geeze.  is it that time of the month already for this question?  seems 
like it was just yesterday when it was asked last .. maybe I'm just 
thinking of the other 100,000 times it was asked.

in all seriousness, this dead horse has been beaten so many times on 
this list there isn't even a carcass left to hit at this point.  please 
go dig through the mail list archives to see why name-based virtual 
hosts don't work with SSL.

yes, that's a flippant answer.  no, you're not likely to get a reply 
any more serious.

-dsp

On Wednesday, Aug 20, 2003, at 22:09 US/Eastern, Ian Newlands wrote:

> I am currently running about 15 virtual hosts using name based on port 
> 80, and 1 virtual host using SSL.
> 
> My SSL host is currently working with the following:
> 
>    <VirtualHost _default_:443>
> 
> However I want to change this to the IP based hosting for this host, 
> allowing me to then add more SSL based virtual hosts on this setup, so 
> I tried changing this to the following:
> 
>    <VirtualHost 203.xxx.xxx.xxx:443>
> 
> By doing this my SSL virtual host stops working altogether.
> 
> I try the following to debug it on a remote machine:
> 
>    # openssl s_client -connect 203.xxx.xxx.xxx:443
>    CONNECTED(0003)
>    27604:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:
> 
> I do the exact same thing on the local machine and it responds with a 
> valid SSL response.
> 
> Can anyone suggest what might be wrong here?
> 
> Regards,
> 
> Ian Newlands



[no subject]

2003-08-20 Thread Ian Newlands
If I hadn't already exhausted resources I would not have made this post in 
the first place.  I have tried 3 different versions of apache, searched 
through previous postings, used search engines etc. bought 2 books on apache 
and have been attempting to get this going for almost 2 months now.

I'm glad you're amused by my frustration here.

If there is anyone out there that is willing to submit a serious response to 
this I would appreciate it greatly.

Regards,

Ian Newlands

- Original Message -
From: Dave Paris [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: Ian Newlands [EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 11:58 AM
Subject: Re: virtual hosting

geeze.  is it that time of the month already for this question?  seems like 
it was just yesterday when it was asked last .. maybe I'm just thinking of 
the other 100,000 times it was asked.

in all seriousness, this dead horse has been beaten so many times on this 
list there isn't even a carcass left to hit at this point.  please go dig 
through the mail list archives to see why name-based virtual hosts don't 
work with SSL.

yes, that's a flippant answer.  no, you're not likely to get a reply any 
more serious.

-dsp

On Wednesday, Aug 20, 2003, at 22:09 US/Eastern, Ian Newlands wrote:

> I am currently running about 15 virtual hosts using name based on port
> 80, and 1 virtual host using SSL.
> 
> My SSL host is currently working with the following:
> 
>    <VirtualHost _default_:443>
> 
> However I want to change this to the IP based hosting for this host,
> allowing me to then add more SSL based virtual hosts on this setup, so I
> tried changing this to the following:
> 
>    <VirtualHost 203.xxx.xxx.xxx:443>
> 
> By doing this my SSL virtual host stops working altogether.
> 
> I try the following to debug it on a remote machine:
> 
>    # openssl s_client -connect 203.xxx.xxx.xxx:443
>    CONNECTED(0003)
>    27604:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:
> 
> I do the exact same thing on the local machine and it responds with a
> valid SSL response.
> 
> Can anyone suggest what might be wrong here?
> 
> Regards,
> 
> Ian Newlands







Re: your mail

2003-08-20 Thread Merton Campbell Crockett
Ian:

Look at Netscape's specification for the SSL protocol, RFC 2246 published by
the IETF covering TLS 1.0, or any of a number of books regarding SSL/TLS
that have been published in the last few years.

Basically, the problem is that the entire payload of the TCP/IP packet is
encrypted.  All that is visible is the IP address in the IP header.

Merton Campbell Crockett



On Thu, 21 Aug 2003, Ian Newlands wrote:

> If I hadn't already exhausted resources I would not have made this post in
> the first place.  I have tried 3 different versions of apache, searched
> through previous postings, used search engines etc. bought 2 books on apache
> and have been attempting to get this going for almost 2 months now.
> 
> I'm glad you're amused by my frustration here.
> 
> If there is anyone out there that is willing to submit a serious response to
> this I would appreciate it greatly.
> 
> Regards,
> 
> Ian Newlands
> 
> 
> - Original Message -
> From: Dave Paris [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Cc: Ian Newlands [EMAIL PROTECTED]
> Sent: Thursday, August 21, 2003 11:58 AM
> Subject: Re: virtual hosting
> 
> 
> geeze.  is it that time of the month already for this question?  seems like
> it was just yesterday when it was asked last .. maybe I'm just thinking of
> the other 100,000 times it was asked.
> 
> in all seriousness, this dead horse has been beaten so many times on this
> list there isn't even a carcass left to hit at this point.  please go dig
> through the mail list archives to see why name-based virtual hosts don't
> work with SSL.
> 
> yes, that's a flippant answer.  no, you're not likely to get a reply any
> more serious.
> 
> -dsp
> 
> On Wednesday, Aug 20, 2003, at 22:09 US/Eastern, Ian Newlands wrote:
> 
> > I am currently running about 15 virtual hosts using name based on port
> > 80, and 1 virtual host using SSL.
> > 
> > My SSL host is currently working with the following:
> > 
> >    <VirtualHost _default_:443>
> > 
> > However I want to change this to the IP based hosting for this host,
> > allowing me to then add more SSL based virtual hosts on this setup, so I
> > tried changing this to the following:
> > 
> >    <VirtualHost 203.xxx.xxx.xxx:443>
> > 
> > By doing this my SSL virtual host stops working altogether.
> > 
> > I try the following to debug it on a remote machine:
> > 
> >    # openssl s_client -connect 203.xxx.xxx.xxx:443
> >    CONNECTED(0003)
> >    27604:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:
> > 
> > I do the exact same thing on the local machine and it responds with a
> > valid SSL response.
> > 
> > Can anyone suggest what might be wrong here?
> > 
> > Regards,
> > 
> > Ian Newlands
  




[no subject]

2003-08-20 Thread Kiyoshi Watanabe

Probably you might want to see
http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2

FAQ is the best place to start.

-Kiyoshi
Kiyoshi Watanabe


> If I hadn't already exhausted resources I would not have made this post in 
> the first place.  I have tried 3 different versions of apache, searched 
> through previous postings, used search engines etc. bought 2 books on apache 
> and have been attempting to get this going for almost 2 months now.
> 
> I'm glad you're amused by my frustration here.
> 
> If there is anyone out there that is willing to submit a serious response to 
> this I would appreciate it greatly.
> 
> Regards,
> 
> Ian Newlands
> 
> 
> - Original Message -
> From: Dave Paris [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Cc: Ian Newlands [EMAIL PROTECTED]
> Sent: Thursday, August 21, 2003 11:58 AM
> Subject: Re: virtual hosting
> 
> 
> geeze.  is it that time of the month already for this question?  seems like 
> it was just yesterday when it was asked last .. maybe I'm just thinking of 
> the other 100,000 times it was asked.
> 
> in all seriousness, this dead horse has been beaten so many times on this 
> list there isn't even a carcass left to hit at this point.  please go dig 
> through the mail list archives to see why name-based virtual hosts don't 
> work with SSL.
> 
> yes, that's a flippant answer.  no, you're not likely to get a reply any 
> more serious.
> 
> -dsp
> 
> On Wednesday, Aug 20, 2003, at 22:09 US/Eastern, Ian Newlands wrote:
> 
> > I am currently running about 15 virtual hosts using name based on port
> > 80, and 1 virtual host using SSL.
> > 
> > My SSL host is currently working with the following:
> > 
> >    <VirtualHost _default_:443>
> > 
> > However I want to change this to the IP based hosting for this host,
> > allowing me to then add more SSL based virtual hosts on this setup, so I
> > tried changing this to the following:
> > 
> >    <VirtualHost 203.xxx.xxx.xxx:443>
> > 
> > By doing this my SSL virtual host stops working altogether.
> > 
> > I try the following to debug it on a remote machine:
> > 
> >    # openssl s_client -connect 203.xxx.xxx.xxx:443
> >    CONNECTED(0003)
> >    27604:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:
> > 
> > I do the exact same thing on the local machine and it responds with a
> > valid SSL response.
> > 
> > Can anyone suggest what might be wrong here?
> > 
> > Regards,
> > 
> > Ian Newlands
  
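The IP-based layout the FAQ entry points to, as an added example (my configuration, not from the thread): each SSL host gets its own address on port 443, because before the handshake completes the server knows nothing about the client's intent except the address and port it connected to. Apache 2.2.12 with OpenSSL 0.9.8j or later adds SNI and lifts this restriction; addresses, host names and paths below are placeholders.

```apache
# Added example, not from the thread: IP-based SSL virtual hosts, one address each.
# Addresses, host names and paths are placeholders.
Listen 203.0.113.10:443
Listen 203.0.113.11:443

<VirtualHost 203.0.113.10:443>
    ServerName            shop.example.com
    DocumentRoot          /srv/www/shop
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key
</VirtualHost>

<VirtualHost 203.0.113.11:443>
    ServerName            intranet.example.com
    DocumentRoot          /srv/www/intranet
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/intranet.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/intranet.example.com.key
</VirtualHost>

# Checking from outside: a working host prints its certificate chain, while
# "unknown protocol" from s_client means the address:port reached answered with
# something other than an SSL handshake. Verify that the address in
# <VirtualHost> is the one remote clients actually hit; a loopback test can
# land on a different vhost than a remote client does.
#   openssl s_client -connect 203.0.113.10:443
```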