Re: SSL Client Auth with Virtual Hosts

2005-06-02 Thread Daniel Kimblad
Yes, I've had an environment like that running.

/Daniel

- Original Message - 
From: "Hoda Nadeem" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, May 31, 2005 6:05 PM
Subject: SSL Client Auth with Virtual Hosts




Does anybody know if it is possible to use virtual hosts with one
virtual host with ssl client authentication, but the other one without?

Example: 

NameVirtualHost 111.111.111.111:443


ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www
ServerName abc1-no-client-auth.com

SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key



NameVirtualHost 111.111.111.111:443


ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www
ServerName abc1-ssl-client-auth.com

SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /etc/httpd/conf/ssl.crt/server-calist.crt
SSLOptions +StdEnvVars +ExportCertData
SSLSessionCache none

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]




RE: SSL Client Auth with Virtual Hosts

2005-06-02 Thread Hoda Nadeem
Are there any parameters that I am missing, or am I doing something
incorrect?

On my setup, client authentication is either on or off globally. I can't
seem to isolate it at the virtual host level.

Thanks. 

Nadeem

Example again:

NameVirtualHost 111.111.111.111:443


ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www
ServerName abc1-no-client-auth.com

SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key



ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www
ServerName abc1-ssl-client-auth.com

SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /etc/httpd/conf/ssl.crt/server-calist.crt
SSLOptions +StdEnvVars +ExportCertData






Redirection limit for this URL exceeded.

2005-06-02 Thread Rob Waldrum




Hi,


I'm still getting this error:


Redirection limit for this URL exceeded. Unable to load the
requested page. This may be caused by cookies that are blocked.


I have configured Tomcat for SSL on port 8443. I can bring tomcat up at
https://www.mydomain.com:8443
just fine. But when I add the apps portion, such as: https://www.mydomain.com:8443/apps,
I get the above error. However, when I just use the IP address, such
as: https://12.34.56.78:8443/apps
it works just fine. I have pored over tomcat documentation, reviewed
my setup and configuration, checked the logs, everything. I'm stumped.
Any ideas?


Rob





Re: Redirection limit for this URL exceeded.

2005-06-02 Thread Tim Fowle

Rob,

I may be wrong but I would work through your mod_rewrite configuration as 
afaik this error is caused by internal redirections going in a loop, rather 
than it being an ssl related error.


You can turn on rewrite logging and see exactly what it is doing, although 
beware this does produce LOTS of logging, especially with a rewrite loop.



Tim




Re: SSL Client Auth with Virtual Hosts

2005-06-02 Thread Daniel Kimblad
I'm not a guru but I would suspect that your NameVirtualHost
directives need to differ. You probably need to configure the
virtual hosts using their domain names, like this:


NameVirtualHost abc1-no-client-auth.com:443

...


NameVirtualHost abc1-ssl-client-auth.com:443

...



Otherwise I think one will just overwrite the other.
Also for MSIE compatibility it is recommended that you add
the following to the virtual host configuration:


SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0


Hope this was helpful.

/Daniel



Re: Redirection limit for this URL exceeded.

2005-06-02 Thread Daniel Kimblad



Do you have different VirtualHosts configured for the domain-name
and the IP-address? If so, do they differ in configuration?
 
/Daniel



Re: SSL Client Auth with Virtual Hosts

2005-06-02 Thread Eckard Wille

Hoda Nadeem wrote:

> On my setup, client authentication is either on or off globally. I can't
> seem to isolate it at the virtual host level.


Exactly.

Take a look at http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts,
use a different IP for your second host and it will work.

Greetings from Germany,
Eckard
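
Added example, not part of Eckard's message or of the mod_ssl documentation: the two hosts from the thread rewritten as IP-based virtual hosts, so that client authentication applies to one of them only. The addresses 192.0.2.10 and 192.0.2.11 are placeholders assumed for illustration; the certificate paths and host names are the ones posted in the thread.

```apache
# Added example. 192.0.2.10 and 192.0.2.11 are placeholder addresses;
# both must be configured on the server's network interface.
#
# No NameVirtualHost line is used for port 443. The SSL handshake
# (including the client-certificate request) completes before the HTTP
# Host header is read, so mod_ssl can only tell the hosts apart by the
# address and port the client connected to.
Listen 443

# Host without client authentication, on its own IP address.
<VirtualHost 192.0.2.10:443>
    ServerName abc1-no-client-auth.com
    DocumentRoot /var/www

    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # Explicit, so that a server-wide setting cannot leak into this host.
    SSLVerifyClient none
</VirtualHost>

# Host that requires a client certificate, on a second IP address.
<VirtualHost 192.0.2.11:443>
    ServerName abc1-ssl-client-auth.com
    DocumentRoot /var/www

    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

    # Handshake fails unless the client presents a certificate that
    # chains (within depth 2) to a CA in server-calist.crt.
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/server-calist.crt
    SSLOptions +StdEnvVars +ExportCertData
</VirtualHost>
```

Running `apachectl -S` after the change lists the virtual host bound to each address and port, which shows whether the two hosts are still sharing one.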


problem compiling on windows

2005-06-02 Thread b h

Hi

to begin, platform winxp pro, visual studio 6

I downloaded and extracted httpd-2.0.54-win32-src.zip,
openssl-0.9.7g.tar.gz from their respective websites. 
And I was following
http://httpd.apache.org/docs-2.0/platform/win_compiling.html

I placed awk.exe in the path, extracted all the
openssl files into srclib/openssl, ran all the perl
lines configuring, and nmaking in the srclib/openssl
directory (and they seemed to work without any
error)...

but then when running 

nmake /f Makefile.win _apacher

after a couple minutes I end up with fatal errors: 
see last few lines before the error following...

-
   Creating library .\Release\mod_proxy.lib and object
.\Release\mod_proxy.exp
NMAKE -nologo -f mod_proxy_connect.mak
CFG="mod_proxy_connect - Win32 Release" RECURSE=0
tempfile.bat
cl.exe
@C:\DOCUME~1\brad\LOCALS~1\Temp\nma00480.
proxy_connect.c
link.exe
@C:\DOCUME~1\brad\LOCALS~1\Temp\nmb00480.
   Creating library .\Release\mod_proxy_connect.lib
and object .\Release\mod_proxy_connect.exp
NMAKE -nologo -f mod_proxy_ftp.mak  
CFG="mod_proxy_ftp - Win32 Release" RECURSE=0
tempfile.bat
cl.exe
@C:\DOCUME~1\brad\LOCALS~1\Temp\nma03996.
proxy_ftp.c
link.exe
@C:\DOCUME~1\brad\LOCALS~1\Temp\nmb03996.
   Creating library .\Release\mod_proxy_ftp.lib and
object .\Release\mod_proxy_ftp.exp
NMAKE -nologo -f mod_proxy_http.mak 
CFG="mod_proxy_http - Win32 Release" RECURSE=0
tempfile.bat
cl.exe
@C:\DOCUME~1\brad\LOCALS~1\Temp\nma01708.
proxy_http.c
link.exe
@C:\DOCUME~1\brad\LOCALS~1\Temp\nmb01708.
   Creating library .\Release\mod_proxy_http.lib and
object .\Release\mod_proxy_http.exp
cd ..\..
cd modules\ssl
NMAKE -nologo -f mod_ssl.mak
CFG="mod_ssl - Win32 Release" RECURSE=0 
.\Release\mod_ssl.so
NMAKE : fatal error U1073: don't know how to make
'"..\..\srclib\openssl\inc32\openssl\asn1.h"'
Stop.
NMAKE : fatal error U1077: '"C:\Program
Files\Microsoft Visual Studio\VC98\bin\NMAKE.EXE"' :
return code '0x2'
Stop.
NMAKE : fatal error U1077: '"C:\Program
Files\Microsoft Visual Studio\VC98\bin\NMAKE.EXE"' :
return code '0x2'
Stop.

C:\Documents and Settings\brad\Desktop\httpd-2.0.54>


everything was working perfectly and I thought I was
following all the instructions properly.  

What did I forget to do or can anyone tell me what is
wrong?  I ask here because it seems to be in the
mod_ssl portion at that time.  Please let me know if
there is a more appropriate place to ask.

(And I know it's rude to ask, but please cc me in any
responses)

thanks
b.



Client Authentication and Access Control

2005-06-02 Thread Øyvin Sømme


Hi.

I have read the instructions at:

http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9

and successfully set up a web server which runs HTTPS and requires
client certificates for authentication.

However, I am not 100% pleased with either of the *two* methods. What I
dislike is the *user-id* part of the information that is stored in the
access log:

Method 1 (mod_auth):

   The user-id field is a string converted from the *full* subject DN in the
   client certificate which in my case (with Verisign class 1 certificates)
   are typically 230 chars long!

Method 2 (SSLRequire):

  The user-id field is just '-'.

Can I somehow configure apache/mod_ssl to only store certain elements of
the DN (e.g. the CN in the DN) as the user-id in the access-log?


One more thing with method 1: I noted that the syntax in mod_auth/AuthGroupFile
is:

mygroup: user-id1 user-id2 user-id3

i.e. using space as a separator. The user-id produced in method 1 above
contains a lot of spaces. How can this work? Using quotes?

Thanks.

Oyvin