force mod_ssl to choose 3DES over RC4 ciphers?

2004-02-12 Thread Daniel Eggleston
Hello all,

I would like our secure server to default to 3DES 168-bit high
encryption for SSL sessions, but with the ability to fall back to 128-
bit RC4 _only_ if the client doesn't support 3DES. My current cipher-
spec for the SSLCipherSuite directive is 'HIGH:MEDIUM' which, with my
version of OpenSSL, equates to:

EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5

Is it possible to construct a cipher-spec string that will make
Apache/mod_ssl choose a 3DES cipher when both RC4 and 3DES are
'offered' by the client (most clients seem to offer RC4 ciphers before
3DES ones in the 'Client Hello').

It seems that unless I completely disable RC4 on the server, it always
gets chosen ahead of 3DES :-( This is my first post here so thanks in
advance for any help.

Kind Regards,

Daniel Eggleston
Senior Network Developer
Boxing Orange Ltd
t: 0871 871 2774
f: 0871 871 0068
[EMAIL PROTECTED]
http://www.boxingorange.com/
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


variable lookup failed for /opt/apache-2.0.48/conf::private_key

2004-02-12 Thread Ringaby Anders

Hello !

Can anyone help me with this one ?


When the sign.sh script runs the following command:

openssl ca -config /opt/apache-2.0.48/conf/ca.config -out $CERT -infiles $CSR


Then I get this error message:

variable lookup failed for /opt/apache-2.0.48/conf::private_key


The private key file is there, and everything, but still 

Any changes I try to make to the config files ca.config or openssl.cnf
do not make things any better, and no crt-file is created.

What am I doing wrong ?


Regards

Anders



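What that error message encodes, as an added example that is not the poster's sign.sh or any OpenSSL code: openssl ca takes the CA section name from default_ca under [ ca ] (or from -name), then fetches new_certs_dir, serial, database, private_key, certificate and policy from that section with a lookup that aborts with "variable lookup failed for <section>::<key>" on the first miss, after falling back to the unnamed default section. So the text before "::" is the section openssl ca actually resolved and the text after it is the key it could not find there; -keyfile on the command line replaces private_key, -cert replaces certificate. The checker below reproduces that lookup, including $dir expansion, on a config string. The two sample configs are constructed for illustration (the directory is the one from the thread, the file names are made up).

```python
import re

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")
VAR_RE = re.compile(r"\$\{?(\w+)\}?")

# Keys that 'openssl ca' fetches from the CA section with a hard-failing
# lookup. -keyfile, -cert and -policy on the command line replace the last
# three, so a missing private_key only aborts when -keyfile is not given.
REQUIRED_CA_KEYS = ("new_certs_dir", "serial", "database",
                    "private_key", "certificate", "policy")


def _expand(sections, current, value):
    """Replace $name / ${name} with the value from the current section,
    falling back to the default section, as OpenSSL does at load time."""
    def sub(m):
        name = m.group(1)
        return sections[current].get(name, sections["default"].get(name, ""))
    return VAR_RE.sub(sub, value)


def parse_openssl_conf(text):
    """Parse the '[ section ]' / 'key = value' layout of an OpenSSL config.
    Keys before the first header belong to the 'default' section."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = _expand(sections, current, value)
    return sections


def conf_get(sections, section, key):
    """NCONF_get_string semantics: the named section first, then 'default'."""
    value = sections.get(section, {}).get(key)
    return value if value is not None else sections["default"].get(key)


def check_ca_config(text, name=None):
    """Return the 'variable lookup failed for <section>::<key>' messages that
    'openssl ca -config <file> [-name <name>]' would print for this config
    (empty list means every required key resolves)."""
    sections = parse_openssl_conf(text)
    ca_section = name or conf_get(sections, "ca", "default_ca")
    if ca_section is None:
        return ["variable lookup failed for ca::default_ca"]
    return [f"variable lookup failed for {ca_section}::{key}"
            for key in REQUIRED_CA_KEYS
            if conf_get(sections, ca_section, key) is None]


# Constructed ca.config in the style of a sign.sh CA setup. The directory is
# the one from the thread; the file names are illustrative.
BROKEN_CONF = """
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = /opt/apache-2.0.48/conf
new_certs_dir = $dir/ca.certs
database      = $dir/ca.db.index
serial        = $dir/ca.db.serial
certificate   = $dir/ca.crt
policy        = policy_anything
# no private_key line: openssl ca aborts before it reads any CSR

[ policy_anything ]
commonName = supplied
"""

# Same config with the missing key supplied.
FIXED_CONF = BROKEN_CONF.replace(
    "policy        = policy_anything",
    "private_key   = $dir/ca.key\npolicy        = policy_anything")


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, check_ca_config(conf) or "ok")
    print(parse_openssl_conf(FIXED_CONF)["CA_default"]["private_key"])
```

Run it against the real ca.config by reading the file into check_ca_config; if the section name it reports is not the one you expect, look at the default_ca line (and any -name in sign.sh) before touching anything else.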


Re: force mod_ssl to choose 3DES over RC4 ciphers?

2004-02-12 Thread Lutz Jaenicke
On Thu, Feb 12, 2004 at 02:30:06PM -, Daniel Eggleston wrote:
> Hello all,
> 
> I would like our secure server to default to 3DES 168-bit high
> encryption for SSL sessions, but with the ability to fall back to 128-
> bit RC4 _only_ if the client doesn't support 3DES. My current cipher-
> spec for the SSLCipherSuite directive is 'HIGH:MEDIUM' which, with my
> version of OpenSSL, equates to:
> 
> EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5
> 
> Is it possible to construct a cipher-spec string that will make
> Apache/mod_ssl choose a 3DES cipher when both RC4 and 3DES are
> 'offered' by the client (most clients seem to offer RC4 ciphers before
> 3DES ones in the 'Client Hello').
> 
> It seems that unless I completely disable RC4 on the server, it always
> gets chosen ahead of 3DES :-( This is my first post here so thanks in
> advance for any help.

There is no such way by modifying the cipher suite.
The server always chooses the first ciphersuite supported by the server
according to the list sent by the client.
OpenSSL 0.9.7 does support an option to change this behaviour such that
the server's preferences are used, but to my best knowledge there is no
switch in mod_ssl to set this flag.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
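The two selection rules Lutz describes, as an added example that is not code from the thread, from mod_ssl or from OpenSSL: by default the server walks the client's offered list in the client's order and takes the first suite it also supports, so the order of SSLCipherSuite never matters, only its membership; with OpenSSL's SSL_OP_CIPHER_SERVER_PREFERENCE the server walks its own list instead (mod_ssl in later Apache httpd releases, 2.2 and up, exposes that flag as "SSLHonorCipherOrder on"). The server list is the HIGH:MEDIUM expansion quoted in the thread with its duplicate RC4-MD5 entry dropped; the ClientHello order is constructed to match what the poster observed (RC4 ahead of 3DES). You can see what a given cipher string expands to on your own build with openssl ciphers -v 'HIGH:MEDIUM'.

```python
# Server list as the thread reports 'HIGH:MEDIUM' expanding to, in order.
SERVER_CIPHERS = [
    "EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA", "DES-CBC3-SHA",
    "DES-CBC3-MD5", "RC4-SHA", "RC4-MD5", "RC2-CBC-MD5",
]

# Constructed ClientHello order: RC4 first, 3DES later, as the poster saw.
CLIENT_OFFER = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA",
                "EDH-RSA-DES-CBC3-SHA", "EXP-RC4-MD5"]


def select_cipher(server_list, client_list, honor_server_order=False):
    """Return the negotiated suite, or None when the two lists do not overlap.

    honor_server_order=False is the OpenSSL default: the first entry of the
    client's list that the server also has wins. True models
    SSL_OP_CIPHER_SERVER_PREFERENCE: the first entry of the server's list
    that the client offered wins.
    """
    if honor_server_order:
        preferred, other = server_list, client_list
    else:
        preferred, other = client_list, server_list
    other_set = set(other)
    for suite in preferred:
        if suite in other_set:
            return suite
    return None


def prefer_3des_by_reordering(server_list):
    """Move the 3DES suites to the front of the server string, keeping RC4
    as a fallback. This is the change the poster tried; under the default
    rule it has no effect because the server's order is never consulted."""
    three_des = [c for c in server_list if "DES-CBC3" in c]
    rest = [c for c in server_list if "DES-CBC3" not in c]
    return three_des + rest


def without_rc4(server_list):
    """The only membership change that alters the default outcome."""
    return [c for c in server_list if "RC4" not in c]


if __name__ == "__main__":
    print(select_cipher(SERVER_CIPHERS, CLIENT_OFFER))
    print(select_cipher(prefer_3des_by_reordering(SERVER_CIPHERS), CLIENT_OFFER))
    print(select_cipher(SERVER_CIPHERS, CLIENT_OFFER, honor_server_order=True))
    print(select_cipher(without_rc4(SERVER_CIPHERS), CLIENT_OFFER))
    # A client that only speaks RC4 still gets RC4 under server preference,
    # which is the fallback the poster asked for.
    print(select_cipher(SERVER_CIPHERS, ["RC4-SHA"], honor_server_order=True))
```

Note that server preference gives the poster exactly what he asked for (3DES whenever the client offers it, RC4 only otherwise), whereas removing RC4 from the server set gives 3DES or a failed handshake.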


Setting up multiple SSL certs on a mac 10.3 server problems

2004-02-12 Thread Huw Jenkins
Hi there,

Having problems setting up multiple certs on a 10.3 box. I've got one
running on the machine yet I can't seem to get any of the others to work I
get this error message:

[Thu Feb 12 09:19:22 2004] [error] mod_ssl: Init:
(www.royalcaribbean.co.uk:16443) Ops, no RSA or DSA server
certificate found?!
[Thu Feb 12 09:19:22 2004] [error] mod_ssl: Init:
(www.royalcaribbean.co.uk:16443) You have to perform a
*full* server restart when you added or removed a
certificate and/or key file
[Thu Feb 12 09:19:28 2004] [error] mod_ssl: Init: Unable to
read server certificate from file
/etc/httpd/ssl.key/royal.crt (OpenSSL library error
follows)
[Thu Feb 12 09:19:28 2004] [error] OpenSSL:
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag
[Thu Feb 12 09:19:28 2004] [error] OpenSSL:
error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error
[Thu Feb 12 09:19:34 2004] [error] mod_ssl: Init: Unable to
read server certificate from file
/etc/httpd/ssl.key/royal.crt (OpenSSL library error
follows)
[Thu Feb 12 09:19:34 2004] [error] OpenSSL:
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag
[Thu Feb 12 09:19:34 2004] [error] OpenSSL:
error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error


I know the certs are OK. Definitely! I've been getting new ones off
Geotrust (the techies there are really helpful!) and I've used every way
under the sun to input them. Still won't work though. So I'm thinking the
problem lies somewhere else! Anyone got any idea what could be going wrong?

Thanks

Huw Jenkins



Crash in mod_ssl-2.8.10

2004-02-12 Thread Juergen Weigert
hi there!

I have a crash that looks very similar to the ones described in 
http://marc.theaimsgroup.com/?l=apache-modssl&m=106001869701959&q=raw
and 
http://marc.theaimsgroup.com/?l=apache-modssl&m=99073424917407&w=2

I assume that this is caused by pointers that reference into free()d and
possibly re-used memory.

Does anybody know if that is fixed by now? 
From the references above, I learn that this issue is known as BugDB PR#569.
http://www.modssl.org/support/bugdb/index.cgi appears defunct.

thanks,
Jw.

-- 
 o \  Juergen Weigert  paint it green!__/ _===.===_
 | [EMAIL PROTECTED]   linux software/_---|\/
 \  | 0911 74053-508   creator  __/  (//\
(/) | _/  _/ \_ vim:set sw=2 wm=8


Re: Setting up multiple SSL certs on a mac 10.3 server problems

2004-02-12 Thread Lutz Jaenicke
On Thu, Feb 12, 2004 at 04:34:08PM +, Huw Jenkins wrote:
> Hi there,
> 
> Having problems setting up multiple certs on a 10.3 box. I've got one
> running on the machine yet I can't seem to get any of the others to work I
> get this error message:
> 
> [Thu Feb 12 09:19:22 2004] [error] mod_ssl: Init:
> (www.royalcaribbean.co.uk:16443) Ops, no RSA or DSA server
> certificate found?!
> [Thu Feb 12 09:19:22 2004] [error] mod_ssl: Init:
> (www.royalcaribbean.co.uk:16443) You have to perform a
> *full* server restart when you added or removed a
> certificate and/or key file
> [Thu Feb 12 09:19:28 2004] [error] mod_ssl: Init: Unable to
> read server certificate from file
> /etc/httpd/ssl.key/royal.crt (OpenSSL library error
> follows)
> [Thu Feb 12 09:19:28 2004] [error] OpenSSL:
> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag
> [Thu Feb 12 09:19:28 2004] [error] OpenSSL:
> error:0D07803A:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:nested asn1 error
> [Thu Feb 12 09:19:34 2004] [error] mod_ssl: Init: Unable to
> read server certificate from file
> /etc/httpd/ssl.key/royal.crt (OpenSSL library error
> follows)
> [Thu Feb 12 09:19:34 2004] [error] OpenSSL:
> error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag
> [Thu Feb 12 09:19:34 2004] [error] OpenSSL:
> error:0D07803A:asn1 encoding
> routines:ASN1_ITEM_EX_D2I:nested asn1 error
> 
> 
> I know the certs are OK. Definitely! I've been getting new ones off
> Geotrust (the techies there are really helpful!) and I've used every way
> under the sun to input them. Still won't work though. So I'm thinking the
> problem lies somewhere else! Anyone got any idea what could be going wrong?

The error message indicates that the contents of the certificate cannot
be correctly parsed. You should be able to verify this with the
openssl command line tool:
  openssl x509 -in /etc/httpd/ssl.key/royal.crt -text
If the certificate is ok, you should see its contents here. But as the
tool is using the same routines as mod_ssl...

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
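To go with Lutz's openssl x509 check, an added example (not code from the thread or from mod_ssl) that says what a rejected certificate file actually holds. The X.509 loader accepts a PEM block labelled CERTIFICATE, whose base64 must decode to DER, or raw DER; a DER certificate is Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }, so both the first tag and the first nested tag must be SEQUENCE (0x30). "ASN1_CHECK_TLEN:wrong tag" means the decoder met a different tag where it expected one of those; an RSA private key pasted under CERTIFICATE headers, for instance, is SEQUENCE { INTEGER version, ... } and fails exactly there. The classifier below reports the PEM label, checks that outer shape, and flags the common alternatives (PKCS#7 bundle, key only, DER that needs -inform DER, an HTML download page, a UTF-8 BOM in front of the header). Every sample input is constructed; the DER bodies are placeholders with the right outer structure, not real certificates or keys. The raw-DER branch cannot tell a certificate from a DER PKCS#7 or PKCS#12 file, since those also start with SEQUENCE; openssl x509 -inform DER will settle that.

```python
import base64
import re

PEM_BLOCK_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
SEQUENCE, INTEGER = 0x30, 0x02


def der_header(buf, off=0):
    """Decode one DER tag/length header at buf[off:] -> (tag, length, header_size)."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                      # short-form length
        return tag, first, 2
    n = first & 0x7F                      # long form: n length bytes follow
    return tag, int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n


def x509_shape(der):
    """Check the outer shape Certificate ::= SEQUENCE { SEQUENCE ... }.
    Returns 'certificate' or a reason naming the tag found instead, which is
    the 'wrong tag' the OpenSSL error refers to."""
    if len(der) < 4:
        return "too short to be DER"
    tag, _, hdr = der_header(der)
    if tag != SEQUENCE:
        return f"outer tag 0x{tag:02x} is not SEQUENCE"
    if len(der) <= hdr:
        return "empty SEQUENCE"
    inner = der[hdr]
    if inner == SEQUENCE:
        return "certificate"
    if inner == INTEGER:
        return "first element is INTEGER (looks like a private key, not a certificate)"
    return f"first element has tag 0x{inner:02x}, not SEQUENCE"


def classify_cert_file(data):
    """Describe what a file handed to SSLCertificateFile actually contains."""
    if data.startswith(b"\xef\xbb\xbf"):
        return "utf-8 BOM before the PEM header (strip it)"
    blocks = PEM_BLOCK_RE.findall(data)
    if blocks:
        labels = [label.decode() for label, _ in blocks]
        for label, body in blocks:
            if label != b"CERTIFICATE":
                continue
            try:
                der = base64.b64decode(re.sub(rb"\s+", b"", body), validate=True)
            except ValueError:
                return "PEM CERTIFICATE block with corrupt base64"
            shape = x509_shape(der)
            return "PEM certificate" if shape == "certificate" else f"PEM CERTIFICATE block, but {shape}"
        if "PKCS7" in labels:
            return "PEM PKCS#7 bundle (extract with: openssl pkcs7 -print_certs)"
        if any("PRIVATE KEY" in label for label in labels):
            return "PEM private key only, no certificate"
        return f"PEM blocks {labels}, no CERTIFICATE"
    if data[:1] == bytes([SEQUENCE]):
        shape = x509_shape(data)
        return "DER certificate (load with -inform DER)" if shape == "certificate" else f"DER, but {shape}"
    if b"<html" in data[:512].lower():
        return "HTML page, not a certificate"
    return "unrecognised (not PEM, not DER)"


def pem(label, der):
    """Wrap DER bytes in a PEM block (used to build the constructed inputs)."""
    return (f"-----BEGIN {label}-----\n".encode() + base64.encodebytes(der)
            + f"-----END {label}-----\n".encode())


# Constructed placeholders: SEQUENCE { SEQUENCE { INTEGER 1 } } has the outer
# shape of a certificate; SEQUENCE { INTEGER 0 } has the shape of a key.
FAKE_CERT_DER = b"\x30\x05\x30\x03\x02\x01\x01"
FAKE_KEY_DER = b"\x30\x03\x02\x01\x00"
SAMPLES = {
    "good pem": pem("CERTIFICATE", FAKE_CERT_DER),
    "key under cert label": pem("CERTIFICATE", FAKE_KEY_DER),
    "pkcs7 bundle": pem("PKCS7", FAKE_CERT_DER),
    "key only": pem("RSA PRIVATE KEY", FAKE_KEY_DER),
    "raw der": FAKE_CERT_DER,
    "html": b"<html><body>Download your certificate</body></html>",
    "bom": b"\xef\xbb\xbf" + pem("CERTIFICATE", FAKE_CERT_DER),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:22} {classify_cert_file(data)}")
```

For a real file, read it in binary mode and pass the bytes to classify_cert_file; then confirm with openssl x509 -in FILE -noout -text (adding -inform DER when the classifier says DER).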