Does Mod_SSL use SSL_get_shared_ciphers()?

2006-10-11 Thread Stanley Laufer
Does anyone know if Mod_SSL uses the SSL_get_shared_ciphers()
function from OpenSSL?

As you may know a buffer overflow has been detected in that
function in OpenSSL versions prior to 0.9.8d.

I'm trying to find out if Mod_SSL uses the vulnerable function.

Thanks in advance.



Stanley E. Laufer
Network Administrator
School of Library and Information Science
San Jose State University

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: Does Mod_SSL use SSL_get_shared_ciphers()?

2006-10-11 Thread Phil Ehrens
Stanley Laufer wrote:
 Does anyone know if Mod_SSL uses the SSL_get_shared_ciphers()
 function from OpenSSL?
 
 As you may know a buffer overflow has been detected in that
 function in OpenSSL versions prior to 0.9.8d.
 
 I'm trying to find out if Mod_SSL uses the vulnerable function.

I just checked a couple different versions and did not see that
function.


Question on version

2006-10-11 Thread Kong, Yi - HPL






Hi, we have an Intranet server with apache 2.0.54, openssl 0.9.8 and a self-made certificate. It is accessed by IE 6.0 with no problem, but it stops with "The connection has terminated unexpectedly. Some data may have been transferred." when I use Firefox or Netscape (all versions).

After I unmark v3.0 in Firefox's security settings, I can access the site.

From the ssl_request_log, it works well with V2.0 or V3.0. Here it is:

# tail ssl_request_log
[11/Oct/2006:12:06:10 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /mininav.html HTTP/1.1 -
[11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /area.html HTTP/1.1 -
[11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /graphics/mission_graphic.jpg HTTP/1.1 -
[11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /graphics/maus_rouge.jpg HTTP/1.1 -
[11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /graphics/newnav3.gif HTTP/1.1 -
[11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /graphics/roll_back3.gif HTTP/1.1 -
[11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /graphics/jibcol3.jpg HTTP/1.1 -
[11/Oct/2006:13:55:07 -0500] 10.34.145.36 SSLv2 RC4-MD5 GET /resources.html HTTP/1.1 3218
[11/Oct/2006:13:55:07 -0500] 10.34.145.36 SSLv2 RC4-MD5 GET /graphics/res_banner.gif HTTP/1.1 2090
[11/Oct/2006:13:55:07 -0500] 10.34.145.36 SSLv2 RC4-MD5 GET /favicon.ico HTTP/1.1 209


Can anybody tell me why? Thanks


Yi
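A small summarizer for the ssl_request_log format shown in the post above, added here as an example and not part of the original message. It groups requests by client and SSL protocol and counts entries whose size field is "-", which in the stock mod_ssl CustomLog format (%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b) means Apache sent no response bytes; on the lines above that separates the SSLv3 requests, all logged with "-", from the SSLv2 ones that completed with a byte count. The sample lines are the ten from the post; the log format is the assumed default.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed stock mod_ssl format: "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b".
# The request string is accepted with or without its quotes, since mail
# clients and archives often strip them (as in the post above).
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<client>\S+)\s+(?P<proto>\S+)\s+(?P<cipher>\S+)\s+'
    r'"?(?P<request>.+?)"?\s+(?P<size>\S+)$')

# Sample input: the ten lines quoted in the post above (request strings unquoted).
SAMPLE_LOG = """\
[11/Oct/2006:12:06:10 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /mininav.html HTTP/1.1 -
[11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /area.html HTTP/1.1 -
[11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /graphics/mission_graphic.jpg HTTP/1.1 -
[11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /graphics/maus_rouge.jpg HTTP/1.1 -
[11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /graphics/newnav3.gif HTTP/1.1 -
[11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /graphics/roll_back3.gif HTTP/1.1 -
[11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /graphics/jibcol3.jpg HTTP/1.1 -
[11/Oct/2006:13:55:07 -0500] 10.34.145.36 SSLv2 RC4-MD5 GET /resources.html HTTP/1.1 3218
[11/Oct/2006:13:55:07 -0500] 10.34.145.36 SSLv2 RC4-MD5 GET /graphics/res_banner.gif HTTP/1.1 2090
[11/Oct/2006:13:55:07 -0500] 10.34.145.36 SSLv2 RC4-MD5 GET /favicon.ico HTTP/1.1 209
"""

@dataclass
class Entry:
    ts: str
    client: str
    proto: str
    cipher: str
    request: str
    size: Optional[int]  # None when %b was "-": Apache sent no response bytes

def parse_line(line: str) -> Optional[Entry]:
    """Parse one ssl_request_log line; None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = m.group("size")
    return Entry(m["ts"], m["client"], m["proto"], m["cipher"], m["request"],
                 None if size == "-" else int(size))

Key = Tuple[str, str]  # (client address, SSL protocol)

def summarize(lines: Iterable[str]) -> Dict[Key, dict]:
    """Per (client, protocol): request count, count with no response, ciphers seen."""
    stats: Dict[Key, dict] = defaultdict(
        lambda: {"requests": 0, "no_response": 0, "ciphers": set()})
    for e in filter(None, map(parse_line, lines)):
        s = stats[(e.client, e.proto)]
        s["requests"] += 1
        if e.size is None:
            s["no_response"] += 1
        s["ciphers"].add(e.cipher)
    return dict(stats)

def flag_aborted(stats: Dict[Key, dict], threshold: float = 0.5) -> List[Key]:
    """(client, protocol) pairs where at least `threshold` of requests got no response."""
    return sorted(k for k, s in stats.items()
                  if s["no_response"] / s["requests"] >= threshold)

if __name__ == "__main__":
    st = summarize(SAMPLE_LOG.splitlines())
    for (client, proto), s in sorted(st.items()):
        print(f"{client} {proto}: {s['requests']} requests, {s['no_response']} "
              f"with no response, ciphers={sorted(s['ciphers'])}")
    print("sessions to look at:", flag_aborted(st))
```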




Re: Newbie Question regarding mod_ssl

2006-10-11 Thread William A. Rowe, Jr.
http://hunter.campbus.com/ - and yes Chris is trustworthy.  Blame Canada :)

Bill

Eckard Wille wrote:
 Erol Yalaz schrieb:
 I have a WIN2003 box with the latest Apache on it (2.2.3) and it is
 working great.  I need to get mod_ssl working.  Unfortunately, I can’t

 Any suggestions?  Shouldn’t there be some pre-compiled binaries out there?
 
 http://www.apachelounge.com/download/
 
 If you trust them :-)
 
 Greetings
 Eckard


Re: OCSP? (UNCLASSIFIED)

2006-10-11 Thread pbains

My organization is headed down this road after experiencing performance
degradation from checking large CRLs. As we come up with a solution, will
post what I find out. Alternatively, if you have any information, would
appreciate it, thanks!

Paul


Victor, Dwight P CTR DISA PAC wrote:
 
 Classification:  UNCLASSIFIED 
 Caveats: NONE
 
 
 Hello List!
 
 Has anyone had any experience/success with using mod_ssl + Apache v2 to
 query an OCSP responder regarding the status of an end-user provided
 certificate and allow/deny access based on the response?  Any tips,
 suggestions, discussion would be appreciated.
 
 Best Regards,
 
 Dwight...
 
 ---
 Dwight Victor, CISSP (Contractor)
 Systems Administrator / Webmaster
 General Dynamics C4 Systems
 EMAIL: [EMAIL PROTECTED]
 TEL:   (808) 653-3677 ext 229
 
 Classification:  UNCLASSIFIED 
 Caveats: NONE
 
 
  
 



RE: CRL Checking Uses Excessive Memory

2006-10-11 Thread pbains

I am working on a DoD project, and we are experiencing high CPU load on HP-UX
servers with multiple CPUs in this scenario. We are thinking it is because
the CRL size for some CAs is huge - ad-hoc tests done with certs associated
with small CRLs do not produce CPU spikes, but large CRLs do. We are running
an older version of Apache and the mod_ssl package without OCSP support, but
have just installed an updated Apache with mod_ssl and OCSP support. Anyone
using this, and if so, have any luck with it? Thanks in advance!

Paul


Victor, Dwight P CTR DISA PAC wrote:
 
 Hi Rob,
 
 I also work for the DoD and am using the same CRLs as you (downloaded and
 converted on a daily basis).  We're running a Linux webserver with a
 single
 1.8Ghz Celeron, 512MB of RAM, and 1GB of swap.
 
 I haven't noticed any memory issues when checking CRLs.
 
 My Apache server starts multiple child servers.  It looks like the child
 servers hit around 60MB of memory usage (max) when processing CRL checks;
 500KB to 1MB seems to be the average child server's memory usage when
 idle.
 
 top says my current load average is about 0.03, 0.01, 0.00.  When checking
 CRLs, top says my load average zooms up to around 0.20, 0.05, 0.01.
 
 Of course, my userbase is very small and we aren't doing a ton of CRL
 checks.
 
 OCSP should resolve your issue with plowing through the CRLs, however, I
 have yet to find a viable OCSP solution.  There was a patch for mod_ssl, but
 I haven't heard anything about it since it was last released in 2004.  Maybe
 someone else on this list knows?
 
 Rob, why don't you email me offline.  I'm in the DISA GAL, if you can get to
 that.
 
 Dwight...
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Walls Rob W Contr 75
 CS/SCBS
 Sent: Friday, April 21, 2006 10:47 AM
 To: 'modssl-users@modssl.org'
 Subject: CRL Checking Uses Excessive Memory
 
 
 I work for the DoD. We have about a dozen CAs with their own CRL files.
 Some of these are over 20M in size. When CRL checking is enabled in Apache
 (for Linux or Windows), memory use is excessive and httpd processes are
 killed by the OS (Linux) due to out of memory conditions, and all the memory
 swapping activity sends the proc utilization way up there and makes the
 server unresponsive. On Windows the CPU use just pegs at 100% (I have no
 idea what else is going on in there).
 CRLs are downloaded every day and openssl is used to make hashed file names
 (ssl.conf is using SSLCARevocationPath). I don't currently restart apache
 after retrieving the new CRL files.
 The Linux machine runs Red Hat with dual 3GHz Xeons and 2GB RAM. SSL works
 great, but as soon as CRLs are checked, apache starts to go south! I have a
 2GB swap partition and have added another 2GB swap file to at least keep
 things running, but it becomes so slow it might as well crash.
 Each httpd process goes from using about 14MB of memory when not CRL
 checking to 250MB when CRL checking is enabled!
 BTW: anywhere from 10 to 20 concurrent httpd processes are normal for that
 machine.
 
 Any ideas on how to use large CRLs in Apache?
 
 Do I just need more memory?
 
 If Apache can't use many large CRL files, would an OCSP solution side-step
 these problems? Any good ones out there?


RE: OCSP? (UNCLASSIFIED)

2006-10-11 Thread Richters, Eriks A
I went down this road a few months ago.  Someone wrote a patch that
would add OCSP client functionality to Apache, but the patch never got
folded into the Apache mainline code.  We spent a bit of effort trying
to get the patch to work with our version of Apache with no luck.
There are two products from commercial organizations out there that can
help.  One is from Tumbleweed, called Server Validator.  It's pricey,
about $2000 per server, but works pretty well. It's very easy to install
and configure and has some nice features for supporting OCSP and failing
over to CRLs.  It is supported on several platforms.
The other product is called WebCullis from the organization that used to
be Orion Security. (Orion Security has since been bought by Entrust.)
It used to be under the GPL, which was nice.  At the time, they only had
a version for Windows and Intel-based Solaris.
I hope this helps.



RE: OCSP? (UNCLASSIFIED)

2006-10-11 Thread Victor, Dwight P CTR DISA PAC
Classification:  UNCLASSIFIED 
Caveats: NONE

Hi Eriks,

Thanks for the tip regarding Tumbleweed & WebCullis.  I'll definitely have
to do some research.

Paul,

One of my web searches pulled up the fact that HP-UX has an OCSP enabled
version of mod_ssl.  Seems to be a lucky break for you.  Hope that works
out.

I have experienced a large memory hit anytime certificate checking is
performed against the CRLs (some of which are 13 MB in size) in the range of
75MB per Apache server instance.  Luckily we aren't that busy, or we would
definitely be feeling the pain.

BTW, I've been reading a bit about mod_nss
(http://directory.fedora.redhat.com/wiki/Mod_nss).  This module sounds
interesting, but it isn't supported on HP-UX.  I'll have to give it a try
and I'll let the list know the results (if I can find some time to play with
it).
Thanks again,

Dwight...

---
Dwight Victor, CISSP (Contractor)
EMAIL: [EMAIL PROTECTED]
SMAIL: [EMAIL PROTECTED]
TEL:   (808) 653-3677 ext 229

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, October 11, 2006 10:55 AM
To: modssl-users@modssl.org
Subject: RE: OCSP? (UNCLASSIFIED)


Thanks Eriks, appreciate the info. We are using HP-UX, so the Tumbleweed
solution won't work for us. We do have an HP version of Apache that has the
OCSP mod of mod_ssl, but we just installed it (today) and haven't had a
chance to look at the documentation yet. Will post back and let you know
what we found out. Thanks again.

Paul



Classification:  UNCLASSIFIED 
Caveats: NONE


Having modssl run on different ports, is this even possible?

2006-10-11 Thread Yvo van Doorn
I am running Apache2 with the included mod_ssl module. I figure this is a good place to start, but if it belongs on the apache httpd mailing list you can bluntly tell me.

The servers I administer run in an environment that is pretty painful, but common I hear. Another team at corporate headquarters administers the firewall and what they are planning to do is as follows. I have no control over the firewall whatsoever.

Any port 80 (http) request sent to the firewall for domain www.example.com will then be rerouted to an internal IP, such as 172.16.15.102 (behind the firewall), on port 8000. Thus I have apache listening on port 8000.

Any port 443 (https) request sent to the firewall for domain www.example.com will then be rerouted to an internal IP, such as 172.16.15.102 (behind the firewall), on port 9000. I want to have mod_ssl listening on port 9000, is this possible?

Should a virtualhost entry such as <VirtualHost 172.16.15.102:9000> with the usual items such as SSLEngine, SSLCertificateFile, SSLCertificateKeyFile, etc. just work?

Any help is appreciated.

Yvo


Re: Encrypted page would not load into IE

2006-10-11 Thread Patrick Patterson
Hi Michael:

Are you able to post the certificate here? It sounds like the issue may be the 
key usage, or an entry in some other field - I've seen results like this if 
you don't have key agreement set, or some of the other fields mangled, or 
particular security settings enabled in your certificate.

Patrick.


On Tuesday 10 October 2006 10:20, Richters, Eriks A wrote:
 This definitely sounds like an IE problem.  Check MSDN,
 http://msdn.microsoft.com.
 If you can't find anything there, then contact Microsoft Support.
 Unfortunately, unless you're a large corporation, it's hard to get good
 support from them.

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Michael Pacey
 Sent: Tuesday, October 10, 2006 6:40 AM
 To: modssl-users@modssl.org
 Subject: Re: Encrypted page would not load into IE

 Hmmm, sorry I'm not an IE expert but it sounds like you are at least on
 the right track. Maybe check on an IE list or forum?

 BB said:
  Sorry, my mistake. The CA shows up in the list, but I still get the
  same error.
  
  I tried also to install the certificate of the CA in the Trusted Root
  Certification Authorities folder. It says Import Successful, but my
  CA doesn't show up in the list.
  
  Any hints?
  
  Apparently, it's something wrong with the certificates, as IE Watch
  gets:
  
  ERROR_INTERNET_SEC_INVALID_CERT
  
  What could this be? Firefox works just fine with these certs.
  Additionally, pop3s and imaps from Dovecot work fine with the same certs,
  even with MS Outlook and Outlook Express clients.
  
  It's a self created CA, with self signed certificates.
  
  Any suggestions for what should I check further?
  
  Thank you in advance!
  
  BBR
  
  BB said:
   I made the tests with IE from at least 4 different computers,
   located in networks from 3 different ISPs.
   
   Yes, the connection is done, because it shows up instantly with
   tail -f /var/log/apache/ssl_engine_log
  
  Sounds weird. You could try installing an HTTP capture tool like IE
  Watch and seeing if that gives any useful info.
  
  --
  Michael Pacey


-- 
Patrick Patterson
President and Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca


Re: Having modssl run on different ports, is this even possible?

2006-10-11 Thread Michael Pacey
On Wed, 2006-10-11 at 14:31 -0700, Yvo van Doorn wrote:
 Should a virtualhost entry such as <VirtualHost 172.16.15.102:9000> with
 the usual items such as SSLEngine, SSLCertificateFile,
 SSLCertificateKeyFile, etc. just work?

Yes that should work. Make sure you have your ports in the Listen
directive.



SSL/httpd defunct

2006-10-11 Thread Brian Sieler

Using apache 2.2.x. Installed, and it works fine for http only. As soon as -DSSL
is added to startup the following happens.

httpd processes get continuously created, then show as defunct, then go away.

error_log shows many lines of:

[error] (38)Function not implemented: apr_pollset_poll: (listen)

Similar SSL setup works fine on other servers.

Clues anyone?