RE: mod-ssl support for US restricted countries?

2000-09-28 Thread Airey, John

Oops. I meant www.modssl.org!

John

-Original Message-
From: Airey, John [mailto:[EMAIL PROTECTED]]
Sent: 28 September 2000 10:38
To: Modssl-Users (E-mail)
Subject: mod-ssl support for US restricted countries?


This is a question which is probably best answered by Ralf, however a
response to this list would be useful to all current active members, with an
update to the www.modssl.org.uk
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



mod-ssl support for US restricted countries?

2000-09-28 Thread Airey, John

This is a question which is probably best answered by Ralf, however a
response to this list would be useful to all current active members, with an
update to the www.modssl.org.uk

What is the position regarding support for countries where the US government
restricts 128-bit encryption, eg Iraq and North Korea? If someone posts a
question to this list from those countries, are we allowed to help them? If
we are not, should we expect Federal agents to come and arrest us for it? A
naive view would be that since mod-ssl was developed outside the US, it
isn't covered and is OK for restricted countries to use, but I don't know
this particular law that well.

This question is probably answered in the mail archives, however there is no
mention of any support restrictions at 

http://www.modssl.org/support/

Thanks in advance, everyone!

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Key - Certs

2000-09-28 Thread Airey, John

We can't really answer this question without knowing whether the server name
in the certificate matches your hostname. 

If it does, and if you have paid full price for the certificate, then they
cannot normally legally withhold it as it would be your property. However,
there might well be some restriction in your agreement with them on the
transferring of certificates to you.

Since certificates only last twelve months and cost so little compared to
the probable legal costs I would just get another certificate if I were in
your position. ie create a new key, then a csr and send the csr to another
Certification Authority, eg Verisign or Thawte.

General disclaimer: I am not a lawyer (but I have taken legal action in
person that went all the way to the Court of Appeal).

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Nick Davies [mailto:[EMAIL PROTECTED]]
Sent: 28 September 2000 09:24
To: [EMAIL PROTECTED]
Subject: Key - Certs



Hi,

I'm just wanting to know about what a certificate stores...
My
hosting provider refuses to release our certificates; they tell us we
need to buy new certs.  I thought when a certificate is created you
would generate a key on the server and then the authority people (we are
in the UK so this is Trustwise) would create the cert based on this
key.  Surely when the cert needs moving both the key and the cert can be
moved to a new server?  The key doesn't hold any info about the ISP or
anything, does it?

Thanks.

Nick.

-- 
Nick Davies
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Can Search Engines Index SSL-enabled Hosts?

2000-09-22 Thread Airey, John

Worse than that, have you seen what version of Apache-mod_ssl is running at
www.modssl.org:

Apache/1.3.6 (Unix) mod_perl/1.20 mod_ssl/2.3.5 OpenSSL/0.9.3a DAV/0.9.8

Is this the "mechanic's car" syndrome I wonder? In the UK we have a saying
never to buy a car from a car mechanic (because he'll never have had time
to do any work on it). This may of course be native to Geordie-land.

Keep up the good work, anyway Ralf!

John

-Original Message-
From: Mads Toftum [mailto:[EMAIL PROTECTED]]
Sent: 22 September 2000 08:57
To: [EMAIL PROTECTED]
Subject: Re: Can Search Engines Index SSL-enabled Hosts?


It is entirely up to the search engine whether it wants to check
the certificate issuer against a known issuer or not.
To get an example, try asking Netcraft's SSL server tester to
connect to the site ... as an example:
http://www.netcraft.com/sslwhats/?host=www.modssl.org

Ralf: your cert has expired ;-)

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Installation

2000-09-14 Thread Airey, John

Can I make a small correction here? The latest apache-devel is usually
available as a binary RPM at 
http://www.modssl.org/contrib


So you don't actually need to rebuild Apache from source. This is not
entirely clear from the documentation as I've posted this information
before.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Giuliano Cocchi [mailto:[EMAIL PROTECTED]]
Sent: 14 September 2000 09:24
To: [EMAIL PROTECTED]
Subject: Re: Installation


If you want to use the RPM version of Apache, you must also install
APACHE-DEVEL
for apxs and download the source from www.apache.org or extract it from
APACHE-1.3.12.src.rpm.
It's hard work, because you have to compile mod_ssl and Apache, and then
replace the binary installed by the RPM.
It's easier if you uninstall all the Apache RPMs and try with the source.
You can use these or more parameters when compiling mod_ssl.
Example:
--with-apache=/path to apache source
--with-apxs=/path to apxs
--with-ssl=/path to openssl


On Fri, 15 Sep 2000, you wrote:
> Hi,
> 
>   I have successfully compiled openssl already, but I am confused
> about what parameters I should place in the compilation of modssl. I'm using
> RedHat Linux 6.2, Apache 1.3.12 (RPM version), JServ 1.1.2 (RPM version),
> openssl 0.9.5a.
>   
>   I don't know what to place in the "--with-apache="  parameter.
> 
>   thanks
> 
> jack
> 



RE: [OT]Things are getting a bit HOT on this mailing list![advice]

2000-08-31 Thread Airey, John

Here's my 0.02$ worth on this.

Oh no, not the coke song!

Seriously though, I have to say that there are a number of postings to this
list that fall into the RTFM category, especially when it comes to the SSL
chicken and egg problem (please don't ask!). If I could get commission for
every message I've seen on this since I joined the list, I would have
topol's wish come true.

However, it has to be recognised that the *NIX world has more than one way
of storing documentation, unlike windoze. Because of that, some users may
genuinely have not read the manual because they couldn't find it. (For
example you can't easily get the apache-mod_ssl html documentation until you
start up apache-mod_ssl, which may be precisely the problem you have). I've
fallen into that category more than once, although I do know where to look
now.

IMHO receiving a message from someone on this list and then sending them an
abusive message "privately" is an abuse of the membership of this list. This
is because you wouldn't have had the persons email address if you weren't on
this list.

If anyone did this on any list I moderate either at home or work they'd be
taken off the list immediately. "Just as well you don't moderate this list",
I hear you say!

Most of the time you are all very patient with the questions, even those
that are "off topic". I appreciate that and I'm sure many other people do.

I would like to thank Ralf and all the other developers for the work they
do. Their understanding of programming is far better than mine, although
I've managed now to get beyond "hello world" (just). Their work on
apache-mod_ssl is even more greatly appreciated.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: french crypto

2000-08-30 Thread Airey, John

I think you misunderstand the answer. You can use a 128bit key on your
server, but the end users will probably be connecting using a 40bit browser.
So they won't be getting the maximum level of encryption available.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Florin Andrei [mailto:[EMAIL PROTECTED]]
Sent: 30 August 2000 15:48
To: [EMAIL PROTECTED]
Subject: Re: french crypto


Daniel Montalibet wrote:
> 
> However note that most of the browsers used by french people are still 40
> bits browsers due to earlier restrictions.

I see. So, I'll have to use a 40 bit key in order to allow everyone in
France
to access my site, right?
I guess the big https-enabled sites in France use 40 bit too, isn't that
so?

-- 
Florin Andrei
mailto:[EMAIL PROTECTED]http://members.linuxstart.com/~florin/
tel: +40-93-261162
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: apache & modssl

2000-08-24 Thread Airey, John

I would suggest you remove apache with
rpm -e apache

and then install the open-ssl and apache-mod_ssl rpm files from
http://www.modssl.org/contrib

The rpms definitely work. We are using them ourselves!

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: tk dev [mailto:[EMAIL PROTECTED]]
Sent: 24 August 2000 11:56
To: modssluser; suse
Subject: apache & modssl


hi all

I've installed SuSE 6.4 together with Apache.
When I check the version
#rpm -qa | grep apache
what I got was apache-1.3.12-15

the directories with apache are
/usr/lib/apache  : contains all mod.so
/usr/include/apache : files *.h
the binary is in /sbin/init.d/apache


my question is:
when I configure mod_ssl with
./configure --with-apache=/usr/lib/apache (I've tried
all the above directories) I'd get an error message:
-cannot find apache 1.3 source tree.
What should I do? Reinstall Apache & recompile?
I don't understand why, when I installed Apache
with openssl/0.9.5 & mod_ssl/2.6.2, nothing seemed to
work (a lot of things are missing, e.g. sign.sh etc. -
that's why I'm forced to reinstall openssl & mod_ssl -
now maybe even Apache!)
Is SuSE 6.4 buggy?


thanks for your answers.
tk

 

=
0Oo~~:o)
Smile! You'r Alive!!!

Q:What's peacefulness?
A:What's confusion? Peacefulness is the end of confusion.

o.0.Oo.o May there be peace in every step we take :o):tk

__
Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!
http://mail.yahoo.com/
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: SSL Certs and IP-Based Virtual Hosting

2000-08-23 Thread Airey, John

There are two ways to solve this.

1. Buy a certificate for each site you are securing, ie each specific
hostname.
2. Buy a wildcard certificate from Thawte. This is only cost effective for 5
or more sites.

It doesn't matter whether the hostname is an A or CNAME type record in your
DNS, but I'd recommend you use an A type where you can. I don't believe that
web browsers do any reverse lookup.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Gary Algier [mailto:[EMAIL PROTECTED]]
Sent: 23 August 2000 16:25
To: modssl-users
Subject: SSL Certs and IP-Based Virtual Hosting


I am trying to figure out what an SSL Certificate is tied to.  Is it
the value of ServerName, the canonical name from a reverse DNS
lookup, or the forward lookup?  Or do all virtual hosts use the same
certificate?

For example:

I want to run multiple virtual servers on a single system:
 
ServerName              IP
first.mydomain.com      192.168.10.1
second.mydomain.com     192.168.10.2

however, let us say that the DNS says:
first.mydomain.com.         IN CNAME   server.mydomain.com
server.mydomain.com.        IN A       192.168.10.1
second.mydomain.com.        IN A       192.168.10.2
1.10.168.192.in-addr.arpa.  IN PTR     server.mydomain.com.
2.10.168.192.in-addr.arpa.  IN PTR     second.mydomain.com.
 
In other words, server.mydomain.com already exists and I just
want to use its IP address as first.mydomain.com.
 
So, what do I register with the Certificate Authority?  If it is 
tied to the reverse DNS, would I be better not running the web
server on the main IP address of server.mydomain.com and then put
first.mydomain.com on its own address?

I have seen messages to the effect that if one uses a web hosting
service it is their responsibility to get the certificate as it is
tied to their IP addresses in some way, however this does not make
sense to me in that if I do a forward and reverse lookup of our
company's web server (hosted outside), it looks like it is ours:

% host www.ulticom.com
www.ulticom.com has address 207.106.32.104
% host 207.106.32.104
104.32.106.207.IN-ADDR.ARPA domain name pointer www.ulticom.com

(I control the A record, they control the PTR record).

I have also seen mention in the archives (and FAQ) that name-based virtual
hosting does not work, but I am using IP-based virtual hosting.

-- 
Gary Algier, WB2FWZ   [EMAIL PROTECTED]   +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054  Fax:+1 856 866 2033

This space intentionally left blank by the censors.
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: SSLMutex error

2000-07-21 Thread Airey, John

Your OS's implementation of the "nobody" account is poor perhaps? This is
mentioned in the Apache documentation, ie

#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
#  . On HPUX you may not be able to use shared memory as nobody, and the
#    suggested workaround is to create a user www and use that user.
#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
#  when the value of (unsigned)Group is above 60000;
#  don't use Group nobody on these systems!
#

John

-Original Message-
From: Diana Moreland [mailto:[EMAIL PROTECTED]]
Sent: 20 July 2000 20:03
To: [EMAIL PROTECTED]
Subject: Re: SSLMutex error


So I wonder why mine wouldn't work?

Mads Toftum wrote:

> On Thu, Jul 20, 2000 at 08:42:08AM -0700, David Rees wrote:
> >
> > Is anyone running mod_ssl as nobody with a /dev/null shell successfully?
> >
> Yep.
>
> vh
>
> Mads Toftum
> --
> `Darn it, who spiked my coffee with water?!' - lwall
>



RE: Opinions

2000-07-21 Thread Airey, John

There's no difference between using a wildcard cert compared to any other.
So you need just SSLCertificateFile and SSLCertificateKeyFile lines to point
to the certificate and key respectively. I then match servername to the name
of the host I'm serving. I don't even know if it's necessary, but I'm the
kind of person who would put an elephant in Cairo to make sure the pachyderm
program terminates correctly, if you know what I mean.

As for problems using them, we have used a wildcard certificate for about
two years now and haven't come across any difficulties so far. Being a large
organisation and a charity the same key is used for internal and external
systems rather than pay for a key on every machine. We use IE internally on
a large scale and haven't experienced problems (so far). 

However, it must be said that Microsoft's implementation of SSL on IE,
including wildcard certs leaves a lot to be desired. But I would see that as
little reason not to use a wildcard certificate. If you are using or
intending to use more than five secure sites it's probably just what you
need.

However, the final choice is up to you! You can also talk to Thawte about it
as well and their technicians are available at http://thawte.chatspace.com/ 

AFAIK Thawte are the only people that do wildcard certs. And I don't get
commission for every wildcard cert that I recommend. (Not yet anyway).

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: David Rees [mailto:[EMAIL PROTECTED]]
Sent: 20 July 2000 21:00
To: [EMAIL PROTECTED]
Subject: RE: Opinions


Shouldn't be a problem.  When building apache, just specify a
different --prefix.

Don't know about the wildcard certs, though.

-Dave

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of callen
> Sent: Thursday, July 20, 2000 12:44 PM
> To: [EMAIL PROTECTED]
> Subject: Opinions
>
>
> Hola,
>
> I have a two-parter:
>
> <>
> I am looking for general opinions on the following situation.
>
> I am thinking of running two apache binaries:
>
>
> 1 to service regular vhosted websites (port 80 only , with php3,
> mod_perl, mod_proxy)
>
> 1 binary to handle modssl with a wildcard cert. (port 443-8443 etc
> only), what I am wondering is their a chance that these binaries will
> intercept each others data? As far as my understanding this is
> httpd.conf's issue and as long as I set these up correctly one hand
> won't see the other hand, correct?
>
> <>
>
>
>
> What has anyone found out about the Wildcard cert as far as
> incompatibilities go? Besides the IE probs? Will anyone post a sample
> vhost snip using the wildcard cert?
>
>
> Thank you,
>
>
>
> --
>Christopher C.M. Allen
>http://design.driver8.org/
>  Email: [EMAIL PROTECTED]
>  Cell : 1.715.821.4006
>  Home Phone: 1.715.426.6661



RE: [BugDB] Problems connecting to https thru RadWare WSD (PR#413)

2000-07-18 Thread Airey, John

I'm probably wrong about this, but I suspect that the load-balancing of
SSL/TLS is the source of your problems.

When an SSL/TLS connection is created, the connection is between the server
and the client. The other two servers will know nothing about the session.
Unless the load balancer itself supports the SSL connection, you will
get errors from the other servers when the client attempts to use a key
these servers know nothing about.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 18 July 2000 11:26
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [BugDB] Problems connecting to https thru RadWare WSD (PR#413)


Full_Name: Martin Sperl
Version: 2.6.4_1.3.12
OS: linux
Submission from: (NULL) (131.130.36.60)


Hi!

We are experiencing problems accessing 
our WWW servers using https with Netscape on Linux.
But Alpha OSF Netscape, Windows Netscape and Explorer
work. (Old versions of Netscape on Linux seem to 
work too...)

The setup is that we have got several web servers behind
a loadbalancing WSD from RADWARE. So the structure is something
like this:

Internet -> WSD -> Web1
   \-> Web2
   \-> Web3


Then I tried:
openssl s_client -connect web1:443 -state -debug
works fine when typing GET /

on the other hands:
openssl s_client -connect wsd:443 -state -debug
stops at:
SSL_connect:SSLv2/v3 write client hello A

What is wrong?

Thanks in advance,
Martin Sperl

P.s: Sometimes it gets thru to:
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data

But just sometimes - most of the times it hangs immediately

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Can I create a Server Certificate for MS IIS4.0 with mod_ssl

2000-07-18 Thread Airey, John

I hope my posting at least served as a warning to anyone on the list who
might consider posting .csr's, .crt's or .key's!

I can't vouch for the German version of IIS, but I actually do all the
certificate creation with openssl, eg the csr and key, and then import it
back into IIS. I wouldn't trust IIS to create any key. The format of its
key is different from the format of the key used by apache-mod_ssl. There is
a way to change a key from IIS format to Apache-mod_ssl format, but it's
tricky, and the command

openssl rsa -in www.virtualhost.com.key -out www.virtualhost.com.iiskey
-outform NET

works the other way around, ie converts a modssl key to an IIS format key.

Just to clarify, the CA sends you a .crt file that is valid for twelve
months. This is their way of saying that you are who you say you are for the
next twelve months. It's like a guarantee that a CD will be circular for the
next 90 days (before anyone writes in, I know that CD's don't have to be
circular!)

Thawte gives details on creating a ssl key for Apache-mod_ssl at

http://www.thawte.com/certs/server/keygen/mod_ssl.html

Mads is right (as if he is ever wrong) about the .csr file containing the
public key. I'm not sure where I read that it contained the private key,
perhaps it was on an old page at the Thawte site.

Obviously, it's best to test all this with the test key first before losing
any money on it.

And no, I do not get commission from Thawte!

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Juergen Schreier [mailto:[EMAIL PROTECTED]]
Sent: 17 July 2000 18:15
To: [EMAIL PROTECTED]
Subject: AW: Can I create a Server Certificate for MS IIS4.0 with
mod_ssl


Hello John,

thanks for your advice regarding not posting a .csr file. I know that
I mustn't do this in a production environment.
But I am still trying to get my test environment ready and so I thought
this would help you give me the right advice, and I could change these
keys at a later date, whenever it fits my purpose.
(Actually that's why I want to sign my OWN certificates!)

Could you see any reason why my certificate didn't work?
I have read a lot about having to install a special DER-format copy of the CA
key into the MS IIS 4.0 Server.
Have you done this with any key sent to you by Thawte?

best regards


Jürgen
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Can I create a Server Certificate for MS IIS4.0 with mod_ssl

2000-07-17 Thread Airey, John

I hate to spoil your day but you should not have posted your .csr file, as
that contains your SSL private key. You should not post either .csr or .key
files. I personally wouldn't even post a .crt file. Keep them secret, owned
by root with 400 permissions!

I suggest for your own security that you recreate your key. Unless of course
you are using this for a test certificate then it doesn't really matter.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



-Original Message-
From: Juergen Schreier [mailto:[EMAIL PROTECTED]]
Sent: 14 July 2000 17:33
To: [EMAIL PROTECTED]
Subject: AW: Can I create a Server Certificate for MS IIS4.0 with
mod_ssl


Hello John,

thanks a lot for that fast help!
I tried following your advice - but I was curious and built my own
CA cert using openssl - and tried to sign my own certificate.

Which of course didn't quite work out. Has this something to do with
the 512-bit key length in the German IIS 4.0 version?
I am getting error messages regarding the cert, not the key I'm trying to
install.

to sum up what I did:

1. I created an RSA Key for my Server using openssl like this:
openssl genrsa -des3 -out server.key 512

2. I created a Certificate Signing Request using MS IIS Key Manager
   and cut out the relevant data into file iis.csr:


3. created an RSA private Key for my own CA
openssl genrsa -des3 -out ca.key 1024

4. Then I created a self-signed CA Certificate (X509 structure) with the RSA
key of the CA above
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

5. signed iis.csr with the sign.sh shellscript coming with mod_ssl
sign.sh iis.csr

and ended up having an (erroneous?) iis.crt which the Key Manager of IIS 4.0
is not able to import

What went wrong?
I will try using a test cert from thawte now but am still too curious if I
can't do this all by
myself in this case.

Thanks a bunch for any advice/hints

Greetings from Munich, Germany

Jürgen Schreier



> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Airey, John
> Sent: Friday, 14 July 2000 15:16
> To: '[EMAIL PROTECTED]'
> Subject: RE: Can I create a Server Certificate for MS IIS4.0 with
> mod_ssl
>
> I would recommend that you try a test starred certificate from Thawte
> (www.thawte.com) but create your key with mod_ssl first. The certificate
> from Thawte for mod_ssl is the same that can be used with IIS4.0
> (I know I'm
> right about this because this is how we run it!)
>
> However, the key you create for mod_ssl will not work with IIS. This is
> where openssl helps.
>
> Type the following where you install your private key (I assume you are
> calling it modssl.key)
>
> openssl rsa -in modssl.key -out iis.key -outform NET
>
> This will prompt you for a passphrase. Make sure to put one in!
>
> Next copy the certificate and iis.key to a floppy (with mcopy or
> mount a DOS
> floppy).
>
> Put this floppy in your NT server and run Key Manager. Select Key/Import
> Key/KeySet Files.
>
> Put in the file names for your certificate and private key.
>
> You should now be able to use the same key/cert for IIS4.0 and modssl.
>
> Once finished eat the floppy disk ;-)
>
> -
> John Airey
> Internet Systems Support Officer, ITCSD, Royal National Institute for the
> Blind,
> Bakewell Road, Peterborough PE2 6XU,
> Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
>
>
> -Original Message-
> From: Juergen Schreier [mailto:[EMAIL PROTECTED]]
> Sent: 14 July 2000 14:04
> To: [EMAIL PROTECTED]
> Subject: Can I create a Server Certificate for MS IIS4.0 with mod_ssl
>
>
> Hi all,
>
> I need to test an application in a heterogeneous environment (i.e.
> Apache AND MS IIS 4.0 Webservers).
> This Application is supposed to support SSL encryption between
> Clients (all kinds of browsers) and Servers.
> At the moment I don't want to buy an expensive Verisign
> Certificate and want to experiment in making my own certs for the test
> and if applicable even in the production environment since all
> Users would know the issuer of that cert would be trustworthy.
>
> So my question is:
> Can I create a Server Certificate for MS IIS4.0 with mod_ssl
> and if the answer is yes, how.
>
> Any hints - to a howto Document on making certificates with mod_ssl in
> general - or how to solve my specific questions are very welcome
>
> thanks in advance
>
>   Jürgen Schreier

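The five steps Jürgen quotes above, together with John's correction in the 07-18 reply that a .csr carries the public key rather than the private one, make a complete private-CA flow that is worth seeing run end to end with checks attached. The script below is an added example, not code from the thread, from mod_ssl or from its sign.sh: it assumes the openssl command-line tool, keeps the poster's file names, invents the subject names, and writes keys unencrypted so it runs unattended (the poster's -des3 would prompt for a passphrase). The IIS conversion from the 07-14 post (openssl rsa -outform NET) is deliberately not run here, since it only matters for the IIS side.

```sh
#!/bin/sh
# Added example, not from the thread. Runs the private-CA flow quoted above
# with openssl alone, then adds the two checks the replies argue about: a CSR
# carries the public key only (it is safe to send to a CA), and the issued
# certificate chains to the CA and pairs with the server key. Assumes
# openssl(1) on PATH; file names follow the poster's, subject names are made
# up. Keys are written unencrypted so the script runs unattended.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Steps 3 and 4: CA key and self-signed CA certificate (2048 bits rather than
# the poster's 512, which is far too small today).
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -x509 -days 365 -key ca.key -subj "/O=Test CA/CN=Test Root CA" -out ca.crt 2>/dev/null

# Steps 1 and 2: server key and CSR (the poster took the CSR from IIS Key
# Manager; here openssl produces it from the same kind of key).
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -subj "/CN=iis.example.test" -out server.csr 2>/dev/null

# SHA-256 of the DER-encoded public key held in a key file, a CSR or a
# certificate, so the three can be compared.
pubkey_fp() {   # $1 = key|csr|x509, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform DER 2>/dev/null ;;
        csr)  openssl req  -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null ;;
        x509) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null ;;
    esac | openssl sha256
}

# Check 1: the CSR's public key is the public half of server.key, and no
# private-key block is in it. holds_private_key is the test to run on any
# file before it goes into an email.
csr_matches_key() { [ "$(pubkey_fp csr "$1")" = "$(pubkey_fp key "$2")" ]; }
holds_private_key() { grep -q 'PRIVATE KEY-----' "$1"; }

# Step 5: sign the CSR. mod_ssl's sign.sh drives "openssl ca"; x509 -req with
# -CA does the same signing without needing a CA directory layout.
sign_with_ca() {   # $1 = csr, $2 = output cert
    openssl x509 -req -in "$1" -CA ca.crt -CAkey ca.key -CAcreateserial -days 365 -out "$2" 2>/dev/null
}

# Check 2: the result verifies against the CA and pairs with the server key.
cert_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
cert_matches_key() { [ "$(pubkey_fp x509 "$1")" = "$(pubkey_fp key "$2")" ]; }

sign_with_ca server.csr server.crt
```

If cert_verifies fails on a certificate that was signed the same way, the CA certificate is the first thing to look at: it needs basicConstraints CA:TRUE, which is what the DER-format CA copy Jürgen mentions has to carry when it is imported on the IIS side as a trusted root.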
RE: Can I create a Server Certificate for MS IIS4.0 with mod_ssl

2000-07-14 Thread Airey, John

I would recommend that you try a test starred certificate from Thawte
(www.thawte.com) but create your key with mod_ssl first. The certificate
from Thawte for mod_ssl is the same that can be used with IIS4.0 (I know I'm
right about this because this is how we run it!)

However, the key you create for mod_ssl will not work with IIS. This is
where openssl helps.

Type the following where you install your private key (I assume you are
calling it modssl.key)

openssl rsa -in modssl.key -out iis.key -outform NET

This will prompt you for a passphrase. Make sure to put one in!

Next copy the certificate and iis.key to a floppy (with mcopy or mount a DOS
floppy).

Put this floppy in your NT server and run Key Manager. Select Key/Import
Key/KeySet Files.

Put in the file names for your certificate and private key.

You should now be able to use the same key/cert for IIS4.0 and modssl.

Once finished eat the floppy disk ;-)

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Juergen Schreier [mailto:[EMAIL PROTECTED]]
Sent: 14 July 2000 14:04
To: [EMAIL PROTECTED]
Subject: Can I create a Server Certificate for MS IIS4.0 with mod_ssl


Hi all,

I need to test an application in a heterogeneous environment (i.e. Apache AND
MS IIS 4.0 webservers). This application is supposed to support SSL encryption
between clients (all kinds of browsers) and servers.
At the moment I don't want to buy an expensive Verisign certificate and want
to experiment in making my own certs for the test and, if applicable, even in
the productive environment, since all users would know the issuer of that cert
would be trustworthy.

So my question is:
Can I create a Server Certificate for MS IIS4.0 with mod_ssl
and if the answer is yes, how.

Any hints, to a howto document on making certificates with mod_ssl in
general, or on how to solve my specific questions, are very welcome

thanx in advance

  Jürgen Schreier
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: msie AGAIN

2000-07-13 Thread Airey, John

I installed Netscape 4.72 on Redhat and it gave me 128bit encryption
immediately. I've also read a statement from Netscape regarding version 4.72
support for 128bit encryption, although I cannot remember where at the
moment.

I'll try to find it and get back to you, because if I'm right then Netscape
is messing everyone about. This stuff is hard enough as it is!

John


-Original Message-
From: James H. Cloos Jr. [mailto:[EMAIL PROTECTED]]
Sent: 12 July 2000 18:58
To: [EMAIL PROTECTED]
Subject: Re: msie AGAIN


>>>>> "John" == Airey, John <[EMAIL PROTECTED]> writes:

John> You will find that all versions of Netscape since 4.72 support
John> 128bit encryption out of the box.

No.  They still make you go through loops to get the 128bit version,
while the export version (56 now?) is readily available.

Seven (nine now?) countries and all.

(Or at least they did as of when 4.73 was first released)

-JimC
-- 
James H. Cloos, Jr.  <http://jhcloos.com/public_key> 1024D/ED7DAEA6 
<[EMAIL PROTECTED]>  E9E9 F828 61A4 6EA9 0F2B  63E7 997A 9F17 ED7D AEA6
 Is this post worth two cents?  Then goto <http://2cw.org/23>!
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: msie AGAIN

2000-07-12 Thread Airey, John

Try visiting http://www.fortify.net/sslcheck.html and see what it says. This
page will negotiate the highest security and state it. For example, using
IE5.01 SP1 I get RC4 128bit.

At first glance it appears you are not afflicted with export restricted
ciphers, so it should be OK.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Filip Van Laenen [mailto:[EMAIL PROTECTED]]
Sent: 12 July 2000 11:21
To: '[EMAIL PROTECTED]'
Subject: RE: msie AGAIN


I have version 4.73 installed, and it says this in the 'About':

--
This version supports U.S. security with RSA
  Public Key Cryptography, MD2, MD5, RC2-CBC,
  RC4, DES-CBC, DES-EDE3-CBC . 
--

I find that sentence a bit cryptic (sorry, but I'm not a native speaker):
does it mean that it supports those ciphers only in the US? I'm sitting in
Norway, and the version I'm running here cannot connect to an SSL-webserver
if I don't open the server for ciphers with 40 bit key lengths (or less).

Filip

--
Filip van Laenen
[EMAIL PROTECTED] ([EMAIL PROTECTED])
Senior Knowledge Engineer, Computas, http://www.computas.com
Telefon: +47 67 83 10 00 Fax: +47 67 83 10 01


-Original Message-
From: Airey, John [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 12, 2000 11:48 AM
To: '[EMAIL PROTECTED]'
Subject: RE: msie AGAIN


You will find that all versions of Netscape since 4.72 support 128bit
encryption out of the box.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Filip Van Laenen [mailto:[EMAIL PROTECTED]]
Sent: 12 July 2000 08:51
To: '[EMAIL PROTECTED]'
Subject: RE: msie AGAIN


Hi,
 
While on the subject, is there an export version of Netscape with 128 bit
encryption? I had a problem similar to yours, but later found out that it
was because MSIE doesn't support IDEA, while I was telling the server that
it should only accept that algorithm. The thing that made me angry is that
the browser just hangs or gives you a stupid message telling you it cannot
connect, instead of just telling the truth, namely that it couldn't produce
the correct cipher for the server. They must be explicitly hiding that
message in MSIE...
 
Best regards,
 
Filip

-- 
Filip van Laenen 
[EMAIL PROTECTED] ([EMAIL PROTECTED]) 
Senior Knowledge Engineer, Computas, http://www.computas.com
<http://www.computas.com/>  
Telefon: +47 67 83 10 00 Fax: +47 67 83 10 01 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 12, 2000 4:57 AM
To: [EMAIL PROTECTED]
Subject: msie AGAIN


ok, microsoft really Pis___ me off!  Why can't they do anything right?
Enough of that, I'm just venting a little.  Anyway, I've spent the last two
days troubleshooting this msie5x problem with https.  I've read and reread
the manual and the FAQ, as well as searched for hours on the mailing lists.
I have found many things to try, like CipherSuite entries and SSLProtocol.
But I have still been unable to resolve the problem.  As you can see from
my configuration file I have tried many many things.  The server that is
giving me problems was the first apache server I did (I used the rpms from
RedHat 6.2 apachessl server and loaded all the add on rpms that came with
it).  Please don't tell me to reinstall not using the rpms; it is not an
option on this server and yes I have stopped using those freaking rpms.
Anyway, could anyone please tell me what I have got to do in my httpd.conf
file to get msie to view my https server pages.  Oh, I have tried to view the
https pages with ie5.0, 5.01, 5.5, both 40 and 128 bit encryption, and none
of them work.  I can view the non-https pages just fine in all versions of
msie, and Netscape will view everything including the https pages just fine
(Ahh, long live Netscape.)
Thanks ahead of time for your thoughts on this problem of mine.
Jeff Gelina

P.S. Sorry for pasting the whole darn thing here, but wanted to make sure
you had it all to look at.
  

 

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


Royal National Institute for the Blind 
Registered charity number 226227.


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager  
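Filip's server that would accept only IDEA, and the 40-bit export browsers elsewhere in this thread, are two sides of the same negotiation: the server takes the first suite in its own preference list that the client also offered, and when there is no overlap the handshake simply fails, which is all the browser then reports. The Python below is an added illustration, not code from the thread or from mod_ssl. The browser and server cipher lists are constructed (using OpenSSL suite names) rather than captured handshakes, and `strong_server_context` uses the `ssl` module of a current Python to verify, with `get_ciphers()`, that a cipher string really leaves nothing below 128 bits enabled, the check one would run before trusting an `SSLCipherSuite` line.

```python
import ssl

# Constructed client offers (OpenSSL suite names) modelling the browsers in the
# thread; illustrative lists, not captured ClientHellos.
EXPORT_BROWSER = ["EXP-RC4-MD5", "EXP-RC2-CBC-MD5", "EXP-DES-CBC-SHA"]   # 40-bit grade only
DOMESTIC_BROWSER = ["RC4-MD5", "DES-CBC3-SHA", "EXP-RC4-MD5"]             # 128-bit suites first

# Constructed server policies, in the server's own order of preference.
IDEA_ONLY_SERVER = ["IDEA-CBC-SHA"]                       # Filip's setting: MSIE has no IDEA
OPEN_SERVER = ["DES-CBC3-SHA", "RC4-MD5", "EXP-RC4-MD5"]  # also admits export suites
STRICT_SERVER = ["DES-CBC3-SHA", "RC4-MD5"]               # 128-bit grade or nothing


def negotiate(server_pref, client_offer):
    """Pick the first suite in the server's preference list that the client also
    offered. None means no overlap: the handshake fails and the browser shows
    only a generic 'cannot connect'."""
    offered = set(client_offer)
    for suite in server_pref:
        if suite in offered:
            return suite
    return None


def strong_server_context(min_bits=128):
    """Build a server-side context from a cipher string that excludes export,
    low-grade and anonymous suites, then verify the outcome with get_ciphers()
    instead of trusting the string. Raises ValueError if a weak suite survived."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4")
    weak = [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]
    if weak:
        raise ValueError(f"weak suites still enabled: {weak}")
    return ctx


def weakest_bits(ctx):
    """Effective key strength of the weakest suite the context would still accept."""
    return min(c["strength_bits"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    for server, label in [(IDEA_ONLY_SERVER, "IDEA-only"),
                          (OPEN_SERVER, "open"), (STRICT_SERVER, "strict")]:
        print(f"{label:10} export browser -> {negotiate(server, EXPORT_BROWSER)}, "
              f"128-bit browser -> {negotiate(server, DOMESTIC_BROWSER)}")
    print("weakest accepted suite:", weakest_bits(strong_server_context()), "bits")
```

The IDEA-only policy yields `None` even for the 128-bit browser, which is Filip's symptom; the open policy lets the export browser in at 40 bits, which is what a page such as the fortify check would expose; the strict policy turns the export browser away entirely.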

RE: msie AGAIN

2000-07-12 Thread Airey, John

You will find that all versions of Netscape since 4.72 support 128bit
encryption out of the box.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Filip Van Laenen [mailto:[EMAIL PROTECTED]]
Sent: 12 July 2000 08:51
To: '[EMAIL PROTECTED]'
Subject: RE: msie AGAIN


Hi,
 
While on the subject, is there an export version of Netscape with 128 bit
encryption? I had a problem similar to yours, but later found out that it
was because MSIE doesn't support IDEA, while I was telling the server that
it should only accept that algorithm. The thing that made me angry is that
the browser just hangs or gives you a stupid message telling you it cannot
connect, instead of just telling the truth, namely that it couldn't produce
the correct cipher for the server. They must be explicitly hiding that
message in MSIE...
 
Best regards,
 
Filip

-- 
Filip van Laenen 
[EMAIL PROTECTED] ([EMAIL PROTECTED]) 
Senior Knowledge Engineer, Computas, http://www.computas.com
  
Telefon: +47 67 83 10 00 Fax: +47 67 83 10 01 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 12, 2000 4:57 AM
To: [EMAIL PROTECTED]
Subject: msie AGAIN


ok, microsoft really Pis___ me off!  Why can't they do anything right?
Enough of that, I'm just venting a little.  Anyway, I've spent the last two
days troubleshooting this msie5x problem with https.  I've read and reread
the manual and the FAQ, as well as searched for hours on the mailing lists.
I have found many things to try, like CipherSuite entries and SSLProtocol.
But I have still been unable to resolve the problem.  As you can see from
my configuration file I have tried many many things.  The server that is
giving me problems was the first apache server I did (I used the rpms from
RedHat 6.2 apachessl server and loaded all the add on rpms that came with
it).  Please don't tell me to reinstall not using the rpms; it is not an
option on this server and yes I have stopped using those freaking rpms.
Anyway, could anyone please tell me what I have got to do in my httpd.conf
file to get msie to view my https server pages.  Oh, I have tried to view the
https pages with ie5.0, 5.01, 5.5, both 40 and 128 bit encryption, and none
of them work.  I can view the non-https pages just fine in all versions of
msie, and Netscape will view everything including the https pages just fine
(Ahh, long live Netscape.)
Thanks ahead of time for your thoughts on this problem of mine.
Jeff Gelina

P.S. Sorry for pasting the whole darn thing here, but wanted to make sure
you had it all to look at.
  

 

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


Royal National Institute for the Blind 
Registered charity number 226227.


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Wildcard certificates - the update

2000-06-28 Thread Airey, John

I've been discussing the issue of the problem with wildcard certificates and
IE5 with Damien Morrison of Thawte's technical support.

He informs me that as far as he knows, Windows 2000 with IE5 does not accept
wildcard certificates. Basically, wildcard certificates weren't acceptable
to IE3 (in fact IE3 does not accept any Thawte security certificates any
more, and there's probably more it doesn't accept either, eg Verisign). This
was fixed with IE4 and appears broken again with IE5.

Good old Microsoft!

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Wildcard certificates

2000-06-28 Thread Airey, John

I've just been informed by Thawte that there are a number of problems with
IE5 and wildcard certificates. I'm looking into the details now and will
post them to this list for everyone's benefit.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Welcome to the world, Noah!

2000-06-26 Thread Airey, John

Well done to the pair of you!

I trust you've set him up an email address already? They learn fast these
days!

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



-Original Message-
From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
Sent: 23 June 2000 18:02
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Welcome to the world, Noah!



Welcome to the world, Noah!

Three hours ago (on June 23rd, 2000 - 4:08pm CET) our first kid was born:

   Noah Sebastian Engelschall, weight: 3690g, length: 52cm.

Mother Daniela (27 years) and Noah (3 hours ;) are feeling very well!
Father Ralf also still feels well... and now really understands why we
men are considered snivelling and what, OTOH, our women really accomplish
in their lives. I'm very proud.

In case you're interested: we've chosen the first name Noah for him, because
this name stands for "the bringer of ease and comfort" (according to the
text books of names). And Daniela and I found it not unreasonable if at
least one of our family members _at least by definition_ is more of a
calming type ;)

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Add Module in Apache

2000-06-20 Thread Airey, John

Read the apxs manual page for full details on using modules with Apache.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Yudha Hawari [mailto:[EMAIL PROTECTED]]
Sent: 20 June 2000 09:51
To: [EMAIL PROTECTED]
Subject: Add Module in Apache



Does anyone know,
how to add a module to apache without recompiling ?


Regards

Yudha


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Namebased Virtual Domains and ModSSL

2000-06-19 Thread Airey, John

When you add the virtual hosts, use <VirtualHost address:port> to specify the
correct port.

Everything else should be OK as you undoubtedly have the IP number on your
machine and routable to it.

John

-Original Message-
From: LeRoy C. Miller III [mailto:[EMAIL PROTECTED]]
Sent: 18 June 2000 20:37
To: [EMAIL PROTECTED]
Subject: Namebased Virtual Domains and ModSSL


I am having a problem with name based virtual domains under apache 1.3.12 and
Modssl 2.6.2-1.3.12.  When I setup my virtual domains under apache, without
modssl installed they all worked nicely, one big happy family if you will :)
now that modssl is installed though it would appear I can only have one name
based virtual domain (non ssl) and one name based ssl domain (I know for the
ssl domains that's the limit chicken egg etc.) but shouldn't I be able to
keep the other domains that were name based and NOT SSL ?

Here's how my config looks when it works (1 and 1)

<VirtualHost _default_:80>  /* Note the default. ;( */
ServerAdmin [EMAIL PROTECTED]
DocumentRoot "/usr/local/apache/webpages/ansic/cc"
ServerName server.ansic.net
ErrorLog logs/ansic/cc/error.log
CustomLog logs/ansic/cc/access.log combined
</VirtualHost>

SSL Stuff

<VirtualHost _default_:443>
#  General setup for the virtual host
DocumentRoot "/usr/local/apache/htdocs"
ServerName cc.ansic.net
ServerAdmin [EMAIL PROTECTED]
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log
SSLEngine on etc. etc
</VirtualHost>

With this config and all other vhosts commented out, both the ssl page and
the non-ssl page work.

Now when I add other domains

<VirtualHost _default_:80>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot "/usr/local/apache/webpages/ansic/gcc"
ServerName gcc.ansic.net
ErrorLog logs/darkphiber/www/error.log
CustomLog logs/darkphiber/www/access.log combined
</VirtualHost>

and change the _default_:80 to the IP, ONLY the NON-SSL servers work
and the SSL server causes the browser to time out waiting for the server to
respond.

ANY help would greatly be appreciated.  I read the mailing list archives for
about an hour and from what I saw my config (changing the defaults) was
correct, but obviously not.

Thanks in advance

LeRoy

LeRoy C. Miller III
Network Administrator ANSIC Networks
Email: [EMAIL PROTECTED]
Phone: 610-681-6504
Whois NIC: LM4772
http://www.ansic.net 
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Auto HTTPS

2000-06-14 Thread Airey, John

A user redirect in the head of a web page at http://www/mydomain.com/michel
such as

<meta http-equiv="refresh" content="1; url=https://www/mydomain.com/michel">

would achieve this (redirecting after 1 second). However, the secure
document root would have to be different!

I don't think (AFAIK) there's a way for a web server to do this.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: michel [mailto:[EMAIL PROTECTED]]
Sent: 14 June 2000 16:46
To: [EMAIL PROTECTED]
Subject: Auto HTTPS


Hi, I have a site with SSL. I want that if a user comes in at
http://www/mydomain.com/michel the user is automatically redirected to
https://www/mydomain.com/michel

I have seen the manual, but I'm a newbie in regular expressions.
In httpd.conf I have:

Order allow,deny
Allow from all
RewriteEngine on
RewriteCond  %{HTTPS} !=on
RewriteRule  (.*) https://%{SERVER_NAME}/ [R,L]
#RewriteRule   * https://%{SERVER_NAME}/$1


out of every  

Tnx in advance

both of them (Windows and M. Lewinski) suck a lot and both of them are
giving Bill some trouble.
--
Michel  Morelli   [EMAIL PROTECTED]

ICQ UIN: 58351764   PR of PhpItalia.com
http://www.ziobudda.net http://faq.ziobudda.net

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
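The server-side answer to Michel's question is a rewrite rule of the form `RewriteCond %{HTTPS} !=on` followed by `RewriteRule (.*) https://%{SERVER_NAME}/$1 [R=301,L]`; the `$1` that his posted rule leaves out is what carries the requested path across, and without it every visitor lands on the document root. To show the same logic in runnable form, the following is an added WSGI middleware written for this page (not code from the thread, from Apache or from mod_rewrite): it redirects plain-HTTP requests to the same path and query over https, adds an HSTS header to responses already served over TLS, and only echoes a Host header that belongs to the site. The host names and the requests are constructed.

```python
from urllib.parse import quote


def https_redirect(app, allowed_hosts, canonical_host, hsts_max_age=31536000):
    """WSGI middleware (assumed deployment in front of `app`): a plain-HTTP
    request gets a 301 to the same path and query over https; a TLS response
    gains a Strict-Transport-Security header."""
    def wrapper(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            # Echo the Host header only when it is one of ours, so a forged
            # Host cannot turn this into a redirect to some other site.
            host = environ.get("HTTP_HOST", "").lower()
            if host not in allowed_hosts:
                host = canonical_host
            path = quote(environ.get("PATH_INFO") or "/")   # the mod_rewrite '$1'
            query = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]

        def secure_start_response(status, headers, exc_info=None):
            headers = list(headers) + [
                ("Strict-Transport-Security", f"max-age={hsts_max_age}")]
            return start_response(status, headers, exc_info)

        return app(environ, secure_start_response)
    return wrapper


def page(environ, start_response):
    """Stand-in for the protected site."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secure content\n"]


def run(app, environ):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


SITE = https_redirect(page, allowed_hosts={"www.mydomain.com"},
                      canonical_host="www.mydomain.com")

# Constructed requests: the plain-HTTP and the TLS visit to /michel, plus one
# with a Host header that is not ours.
HTTP_REQUEST = {"wsgi.url_scheme": "http", "HTTP_HOST": "www.mydomain.com",
                "PATH_INFO": "/michel", "QUERY_STRING": "page=2",
                "REQUEST_METHOD": "GET"}
HTTPS_REQUEST = {**HTTP_REQUEST, "wsgi.url_scheme": "https"}
FORGED_HOST_REQUEST = {**HTTP_REQUEST, "HTTP_HOST": "evil.example"}

if __name__ == "__main__":
    for req in (HTTP_REQUEST, HTTPS_REQUEST, FORGED_HOST_REQUEST):
        status, headers, body = run(SITE, req)
        print(status, headers.get("Location", ""), body)
```

Unlike the meta-refresh in John's reply, this needs no second document root: the https side and the redirecting http side are the same application, and the 301 is cacheable by the browser.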



RE: httpd owner?

2000-06-14 Thread Airey, John

Slightly longer answer. The process is owned by root. The httpd binary
switches to another user on start-up, after reading SSL Certificates etc.
This user owns all the child processes. 

I believe there are security issues in being able to change the ownership of
a process already started.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Lewis Bergman [mailto:[EMAIL PROTECTED]]
Sent: 14 June 2000 11:21
To: [EMAIL PROTECTED]
Subject: Re: httpd owner?


Yes

-- 
--
Lewis Bergman
Texas Communications
4309 Maple ST.
Abilene, TX 79602
915-695-6962

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Legalese...

2000-06-12 Thread Airey, John

I'll be glad as well. That's my birthday. 

There are some who think that if they restrict encryption they'll stop crime
that way. Now if just making something illegal stopped people breaking the
law, the world would be a different place. It doesn't, and that's why we
need the encryption in the first place!

John

-Original Message-
From: Tim Willis [mailto:[EMAIL PROTECTED]]
Sent: 12 June 2000 15:07
To: [EMAIL PROTECTED]
Subject: RE: Legalese...


Thanks for everyone's concise and well put answers to my question.  I find
it unfortunate, however, that so much legality surrounds encrypting and
keeping private the data I send to my clients.  It seems there are some who
would have their fingers in everyone's pie.  It's over-controlling if you
ask me.  Just plain silliness. I'll be glad when Sept. 20th rolls around so
I can at least use the products I want without worrying about the encryption
police.

Tim Willis
IS Technician
Code Rite
[EMAIL PROTECTED] 

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Is logrotate effective?

2000-06-02 Thread Airey, John

I have a query which I realise is a borderline mod_ssl query.

I want to rotate logs every month just after midnight at the beginning of
each month, using cron. I have two servers I wish to do this on. One has 26
files open for logs and the other has 12 files log files open. This includes
the default ssl_request_log and ssl_engine_log.

I am not entirely convinced that logrotate will rotate these logs before
anything for the next day is written to them, especially if for example the
server is in the process of an SSL handshake at 24:00:00.

I am tempted to write a script to run under cron, as follows:

#!/bin/bash
/etc/rc.d/init.d/httpd stop
mv /var/log/httpd/* /var/log/httpd/archive
/etc/rc.d/init.d/httpd start

(And somehow taking into account all issues related to pass phrases on the
private key). This does mean that the sites are taken down for a short while
every month.

Basically, does anyone have this working using logrotate? I don't want to go
down the route of bunging all virtual hosts into one file, thanks all the
same!

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
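The stop/start in John's draft can be avoided, because the Apache parent process reopens its log files on a graceful restart (SIGUSR1 to the parent for 1.3, also `apachectl graceful`): the logs are renamed out of the way first, the running children keep writing to the renamed inode, and the reopen after the signal switches them to fresh files, so a handshake in progress at midnight is logged into the archived file rather than lost. The Python below is an added sketch of that sequence, not the poster's script and not part of logrotate or the mod_ssl distribution. The pid file location, the `*_log` naming and the archive layout are assumptions, and `demo_rotation` exercises the routine on constructed files with no httpd involved.

```python
import os
import signal
import tempfile
import time


def rotate_httpd_logs(log_dir, archive_dir, pidfile=None, stamp=None, suffix="_log"):
    """Move every regular file named *<suffix> in log_dir into archive_dir with a
    date stamp, then send SIGUSR1 (graceful restart) to the parent httpd whose pid
    is in pidfile (Apache's PidFile) so that it reopens its logs. Returns the
    archived paths."""
    stamp = stamp or time.strftime("%Y%m%d")
    os.makedirs(archive_dir, exist_ok=True)
    archived = []
    for name in sorted(os.listdir(log_dir)):
        src = os.path.join(log_dir, name)
        # skip subdirectories (an archive/ kept under the log dir, as in the
        # poster's layout) and anything that is not a log file
        if not name.endswith(suffix) or not os.path.isfile(src):
            continue
        dst = os.path.join(archive_dir, f"{name}.{stamp}")
        if os.path.exists(dst):
            raise FileExistsError(f"refusing to overwrite {dst}")
        # rename() within one filesystem is atomic; httpd keeps writing to the
        # renamed inode until the graceful restart makes it reopen the original
        # paths, so nothing written in between is lost
        os.rename(src, dst)
        archived.append(dst)
    if pidfile and os.path.exists(pidfile):
        with open(pidfile) as fh:
            pid = int(fh.read().strip())
        os.kill(pid, signal.SIGUSR1)   # graceful: in-flight requests complete
    return archived


def demo_rotation(stamp="20000701"):
    """Run the rotation over a constructed log directory (no httpd, no pidfile):
    returns (archived basenames, names left behind in the log directory)."""
    log_dir = tempfile.mkdtemp(prefix="httpd-logs-")
    for name in ("access_log", "error_log", "ssl_request_log",
                 "ssl_engine_log", "README"):
        with open(os.path.join(log_dir, name), "w") as fh:
            fh.write(f"sample line in {name}\n")
    archive_dir = os.path.join(log_dir, "archive")
    archived = rotate_httpd_logs(log_dir, archive_dir, pidfile=None, stamp=stamp)
    left = sorted(os.listdir(log_dir))
    return [os.path.basename(p) for p in archived], left


if __name__ == "__main__":
    print(demo_rotation())
```

Two details worth keeping from this when writing the real cron job: refuse to overwrite an existing archive (a rerun must not destroy last month's data), and never glob the archive directory itself into the move, which the `mv /var/log/httpd/*` in the draft would attempt.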



RE: Insecure information

2000-06-02 Thread Airey, John

I take it you are suggesting using https for the outside frame, and http for
the inside frames?

First of all, why would you want to mix http and https? I haven't tested this,
but even if a warning doesn't come up, some users will cotton on to your
"smoke and mirrors" of security.

Notwithstanding that, frames suck big time.

John

-Original Message-
From: Jody Fraser [mailto:[EMAIL PROTECTED]]
Sent: 02 June 2000 00:23
To: [EMAIL PROTECTED]
Subject: Re: Insecure information


What about using the mixed-mode approach with HTTP and HTTPS, using frames?

At 06:06 PM 6/1/00 -0400, you wrote:

You cannot mix HTTP and HTTPS in one page, regardless of the content type,
if you want to avoid that message. The bottom line is that you'll need to
deliver ALL elements of the page *including images* via HTTPS.

Hope this helps.

--Cliff

Cliff Woolley
Central Systems Software Administrator
Washington and Lee University
http://www.wlu.edu/~jwoolley/

Work: (540) 463-8089
Pager: (540) 462-2303

>>> [EMAIL PROTECTED] 06/01/00 02:56PM >>>
I have installed my secure web server and got the test certificate
from verisign. I was trying some of my web pages using
https://mydomain/test.html. Then a window popped up and indicated that
some of the information is not secured, so it will not be shown on the
web page. All of the insecure information is pictures in jpeg or gif
format. I wonder what is wrong with those pictures, and how to overcome
this problem.

=
Jody Fraser, CISA, CISSP - Lucent NPS
Pager (800) 467-1467 Mobile (916) 769-5751
email: [EMAIL PROTECTED] [EMAIL PROTECTED]
=
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
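Cliff's rule, every element of the page including images over HTTPS, is easy to state and tedious to audit by hand, and the images that trigger the warning are the least dangerous case: a script, frame or stylesheet fetched over plain http hands an on-path attacker control of the secure page. The following is an added Python scanner written for this page, not code from the thread or from mod_ssl: it parses a page's HTML, resolves relative and protocol-relative references against the page URL, and lists every sub-resource that would be fetched over http. The sample page and its URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# attributes that make the browser fetch a sub-resource into the page
RESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src",
                  "frame": "src", "embed": "src", "object": "data", "source": "src",
                  "audio": "src", "video": "src"}
# <link> only counts when the browser actually loads the target
FETCHED_LINK_RELS = {"stylesheet", "icon"}


class MixedContentScanner(HTMLParser):
    """Collect every sub-resource of a page served over https that would be
    fetched over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = (attrs.get("rel") or "").lower().split()
            if not FETCHED_LINK_RELS.intersection(rels):
                return
        ref = attrs.get(attr)
        if ref:
            self.check(tag, ref)

    def check(self, tag, ref):
        # resolve relative and protocol-relative references against the page, so
        # '//host/x.js' on an https page is correctly seen as https
        absolute = urljoin(self.page_url, ref.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, absolute))


def find_mixed_content(html, page_url):
    """Return [(tag, absolute_url), ...] for http sub-resources of an https page."""
    if urlsplit(page_url).scheme != "https":
        return []   # mixed content is only defined for a page served over TLS
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page, not the original poster's: a relative image (fine), an
# absolute http image and stylesheet (flagged), a protocol-relative script (fine)
# and a plain link (navigation, never a sub-resource).
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="http://mydomain/css/site.css">
<link rel="canonical" href="http://mydomain/test.html">
<script src="//mydomain/js/app.js"></script>
</head><body>
<img src="logo.gif">
<img src="http://mydomain/images/banner.jpeg">
<a href="http://mydomain/other.html">another page</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE, "https://mydomain/test.html"):
        print(f"{tag}: {url}")
```

Run over a site's templates this finds the hard-coded `http://` references that a single `https://` entry point cannot fix; the usual remedy is to write sub-resource references relative to the page (or protocol-relative), so they inherit the scheme the page was served with.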


RE: SSL and reverse proxy weirdness : >

2000-06-02 Thread Airey, John

I think I understand what you are trying to achieve. I've had a similar
problem before.

Access www.safeplace.com using its IP address instead, on the machine that
is doing the proxying, and see if that is correct. If so use

<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/your.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/your.key
ServerName www.foobar.com
...
ProxyPass / http://www.safeplace.com/
ProxyPassReverse / http://www.safeplace.com/
</VirtualHost>

<VirtualHost _default_:80>
SSLEngine off
ServerName www.foobar.com
...
ProxyPass / http://www.safeplace.com/
ProxyPassReverse / http://www.safeplace.com/
</VirtualHost>

The trailing slash is important!

If you don't get the content you expect with "www.safeplace.com"'s IP
address, then the problem is with that server. 

John


-Original Message-
From: AGT [mailto:[EMAIL PROTECTED]]
Sent: 02 June 2000 00:08
To: [EMAIL PROTECTED]
Subject: SSL and reverse proxy weirdness : >



I would like to do something with mod_ssl and Apache 1.3.12
that seems simple yet is not doing what I require.

https://www.foobar.com or http://www.foobar.com should
reverse proxy for http://www.safeplace.com. ie: I should
see the pages from www.safeplace.com appear on foobar.com's
http server either as a client SSL connection or plain connection.

I have read all examples on Engelschall's pages and have
tried maybe 100 variations of rules today and usually get /tmp
contents of foobar and nothing in the logs.
As there is nothing in the logs I cannot tell what is wrong
with my rules.
I have also been through a couple of archives today and dejanews
and this precise topic does not show up thus far. Any suggestions
or ideas?

Thanks - Gerry

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: IE with 56 bits encryption

2000-05-26 Thread Airey, John

There is a patch at
http://www.microsoft.com/windows/ie/security/schannel.asp

Which says "The version of Internet Explorer 5.01 that is released on the
Web contains an incorrect internal key in the Schannel.dll file. This may
cause programs and services on your computer that use Secure Socket Layer
(SSL) or Security Support Provider Interface (SSPI) to no longer function.
Installing this update will eliminate this problem by providing you with a
corrected Schannel.dll file. If you have installed high (128-bit) encryption
on your computer, you do not need to install this update".

I've also noticed this problem with IE4.01, which I fixed for one user by
upgrading to 128bit encryption. 

There is a fix available for "SGC cryptography" (q249863i.exe). This answers
a question posted by James Lyon ([EMAIL PROTECTED]) entitled "IE4 okay
with latest mod_ssl" which is very much related. Details are at
http://support.microsoft.com/support/kb/articles/Q249/8/63.ASP?LN=EN-US&SD=g
n&FR=0

Bottom line - neither is a problem with Apache-mod_ssl but a problem with
Microsoft's implementation of SSL!

John

-Original Message-
From: Taglang, Guillaume [mailto:[EMAIL PROTECTED]]
Sent: 25 May 2000 15:53
To: '[EMAIL PROTECTED]'
Subject: IE with 56 bits encryption



  Hi all,

  We received a SuperCert from Thawte for 3 days; we installed it on the
server, modified the server config file, and, great, all works fine! 128 bit
encryption for IE and Netscape. But when we try to access the site with
an older browser (IE 5.0 with 56 bit encryption) an error occurs. We made
some tests and these are the results (when we access the site with the IP
address, it says that the certificate does not match the name of the site):

                              https://1.12.123.1/   https://www.foo.com/
  IE (128 bit encryption)     works                 works
  IE (56 and 40 bit)          works                 doesn't work
  Netscape (128 bit)          works                 works
  Netscape (56 and 40 bit)    works                 works

  This is an extract of my config file :

[...]

<IfDefine SSL>
  Listen 1.12.123.1:443
  NameVirtualHost 1.12.123.1:443
</IfDefine>

[...]

<IfDefine SSL>
  <VirtualHost 1.12.123.1:443>
  ServerName www.foo.com
  ServerAdmin [EMAIL PROTECTED]

  DocumentRoot    "/path/to/htdocs"
  ErrorLog        /path/to/error_log
  TransferLog     /path/to/access_log

  <Directory "/path/to/htdocs">
  Options Indexes FollowSymLinks
  AllowOverride None
  </Directory>

  SSLEngine on
  SSLCertificateFile      /path/to/server.crt
  SSLCertificateKeyFile   /path/to/server.key

  SSLLogLevel info
  SSLLog /path/to/ssl_engine_log

  </VirtualHost>
</IfDefine>

  If you have any idea, suggestion, solution, let me know.

  Thanx

  Guillaume

---
[EMAIL PROTECTED]
[EMAIL PROTECTED]
  ___[_]___  
(. .)
...oOOo..(_)..oOOo... 
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Certificate key needed

2000-05-24 Thread Airey, John

Try searching for SQL at http://modules.apache.org/search 

John

-Original Message-
From: Balgansuren [mailto:[EMAIL PROTECTED]]
Sent: 20 May 2000 03:00
To: [EMAIL PROTECTED]
Cc: Mike King
Subject: Certificate key needed


Hello,

We have installed Apache 1.3.12 + Mod_SSL 2.6.4 + OpenSSL 0.9.5a on a PC
with FreeBSD 3.3.

We have also installed Webmail software on that PC box.
We want our Webmail users to be able to use 2 different login
authentications:

1. Plain, using username and password from an SQL database.
   Plain-text username and password stored in the SQL database.

2. Secure, using SSL.

Is it possible?

If possible, where can we get a certificate key for our Apache webserver?

How can we install it on the Apache webserver machine?

Are there any suggestions?

Thanks
Balgaa

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: expired certificate question

2000-05-24 Thread Airey, John

If a company hasn't renewed its certificate, it is either out of business
or inept at keeping them up to date. Both are legitimate concerns for any
user.

John

-Original Message-
From: Rusty Wright [mailto:[EMAIL PROTECTED]]
Sent: 23 May 2000 23:20
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: expired certificate question


This is also sort of a behaviour question.  If someone connects to a
web server and that server's certificate has expired, should that
person really be concerned since the information they're sending back
to the server is still probably encrypted?

In IE you can turn off the two options "check for publisher's
certificate revocation" and "check for server certificate revocation"
and if you did and you connected to a server with a revoked
certificate, wouldn't the information passed between you and the
server still be encrypted?

I'm asking because I was at some web site and they had a VeriSign logo
on their main page and when I clicked on it it said their certificate
had expired, although their form page that was using a certificate was
using a valid certificate, but it got me to wondering if I really
should have worried anyhow, as an end user.
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
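Rusty's question and the earlier "Wildcard certificates" threads (IE5 refusing `*.domain` certificates that IE4 accepted) both come down to what a client checks after the handshake: the session is encrypted either way, but only the validity window and the name match tie the server's key to the party the user meant to reach, and an expired or mismatched certificate means that assurance is stale or absent. The following is an added Python example for this page, not code from the thread or from any browser, showing both checks the way current clients apply them: the certificate is a constructed dict in the shape `ssl.SSLSocket.getpeercert()` returns, and the wildcard rules follow RFC 6125 (a `*` only as the whole left-most label, matching exactly one label) with one stated policy choice of our own.

```python
import ssl
import time


def dns_name_matches(pattern, hostname):
    """Match a certificate name against a hostname the way current clients do
    (RFC 6125 rules): case-insensitive, whole labels only, and '*' allowed only
    as the complete left-most label, standing for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # policy choice: a wildcard needs at least two fixed labels, so '*.com'
        # is refused even if some CA were to issue it
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def certificate_names(cert):
    """DNS names the certificate claims: subjectAltName dNSName entries, falling
    back to the subject commonName only when there is no SAN at all."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]


def check_server_cert(cert, hostname, now=None):
    """Return the list of reasons not to trust cert for hostname at time now
    (an empty list means acceptable)."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    names = certificate_names(cert)
    if not any(dns_name_matches(n, hostname) for n in names):
        problems.append(f"{hostname} does not match {names}")
    return problems


# Constructed certificate in getpeercert() dict form; not a real certificate.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.org"),),),
    "subjectAltName": (("DNS", "*.example.org"),),
    "notBefore": "Jun 28 00:00:00 2000 GMT",
    "notAfter": "Jun 28 23:59:59 2001 GMT",
}
DURING_VALIDITY = ssl.cert_time_to_seconds("Jan 15 12:00:00 2001 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Jul 15 12:00:00 2001 GMT")

if __name__ == "__main__":
    for host in ("www.example.org", "example.org", "a.b.example.org"):
        print(host, check_server_cert(WILDCARD_CERT, host, DURING_VALIDITY))
    print("after expiry:", check_server_cert(WILDCARD_CERT, "www.example.org", AFTER_EXPIRY))
```

Revocation is the third check and is deliberately not modelled here: it needs a CRL or OCSP response from the issuer, and the IE options Rusty mentions switch exactly that lookup off, leaving the other two checks intact.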



RE: Need Help with Virtual Hosts

2000-05-24 Thread Airey, John

That doesn't sound simple to me! You'd have to do it either as a multi-pass
for each virtual host, or parse the log file once to give several output
files. You'd also have to write the name of the virtual host into every log
file entry, which I don't believe is done by default. Seems like using a
sledgehammer to crack a nut.

No doubt though some sed or awk guru can figure the code to do this in their
head!

I'd rather find a way to continue to write multiple log files, via ulimit
etc...

John

-Original Message-
From: James Treworgy [mailto:[EMAIL PROTECTED]]
Sent: 23 May 2000 18:05
To: [EMAIL PROTECTED]
Subject: Re: Need Help with Virtual Hosts


Wouldn't it be simpler to set up a little cron job to break up your log 
file by virtual host every day?

At 09:03 AM 5/23/00 -0400, [EMAIL PROTECTED] wrote:
>The per process file opening limit was a configurable parameter of your OS.
>It was either a user resource limit (ulimit) or a tunable kernel config
>found in param.c or param.h (NFILES??) or UNIX has invented yet another way
>to put reins on processes.
>
>So, you just might be able to make one log per process, if you change the
>ulimits for the user the web server is running as OR you tune your kernel
>and rebuild.

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: rfc2817 (Upgrading to TLS Within HTTP/1.1)

2000-05-23 Thread Airey, John

www.sunsite.dk/RFC ?

John

-Original Message-
From: Gianni Mariani [mailto:[EMAIL PROTECTED]]
Sent: 23 May 2000 04:06
To: [EMAIL PROTECTED]
Subject: Re: rfc2817 (Upgrading to TLS Within HTTP/1.1)



can someone point me to rfc2817 -
http://www.ietf.org/rfc/rfc2817.txt brings up a 404 !

EKR wrote:

> Mads Toftum <[EMAIL PROTECTED]> writes:
>
> > On Mon, May 22, 2000 at 01:14:03PM -0500, James H. Cloos Jr. wrote:
> > > Any idea of a timeframe for rfc2817 support?
> > >
> > > (I'd offer to help, but I still do not trust the us export issues,
> > > even though I am abroad at the moment)
> > >
> > > It seems straightforward, though it looks like for clients to support
> > > it well, they also need good support for persistent connections
> > >
> > It would probably make sense to wait for openssl to support this and
> > IMHO without clients there really is no need to work on this yet. I
> > don't really think we're going to see this anytime soon unless M$
> > suddenly decides to do something like it.
> It doesn't make sense for OpenSSL to support it. It's a purely
> HTTP feature.
>
> That said, I agree that it's probably not worth doing at this time.
> It's not likely to be supported by browsers any time soon.
>
> In fact, if you read rfc2817, it implies as much:
>
>In the nearly two years since, there has been broad acceptance of the
>concept behind this proposal, but little interest in implementing
>alternatives to port 443 for generic Web browsing. In fact, nothing
>in this memo affects the current interpretation of https: URIs.
>However, new application protocols built atop HTTP, such as the
>Internet Printing Protocol [7], call for just such a mechanism in
>order to move ahead in the IETF standards process.
>
> -Ekr

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: VeriSign keys.

2000-05-22 Thread Airey, John

I'm a big fan of Occam's Razor, to the point of boring my colleagues. To
manage multiple certs means that you have to ensure that all these
certificates are not about to expire. I logged onto Yahoo mail recently and
their security certificate had expired the previous day! You'll need to go
through a renewal procedure with every one. If you work for an organisation
that has to raise a cheque for each one, it is very time consuming. You have
to ensure that you leave enough time for the certificate to be renewed.

You'll also need to keep backups of each private key, protect them and
remember which key belongs to which server (which of course you can do with
sensible filenames). This IMHO is multiplying plurality without necessity.

However, there is a much bigger issue with the encryption level of older
browsers anyway. I now use 128bit encryption at home and at work with IE.
40bit encryption can be easily cracked. Allowing those users to connect via
SSL may lull them into a false sense of security.

Very soon, everyone will be using browsers that give 128bit security
(Netscape 4.72 onwards already does. IE can be easily upgraded). These same
browsers do not have an issue with wildcard certificates.

John

-Original Message-
From: James Treworgy [mailto:[EMAIL PROTECTED]]
Sent: 20 May 2000 00:09
To: [EMAIL PROTECTED]
Subject: RE: VeriSign keys.


On the other hand, if you have a need to authenticate many SSL sites within 
your top level domain, it's probably because you need to distribute 
load.  How I would love to be in a position of needing to spend an extra 
$100 for another cert because my primary server was maxed out.

Seems like not a lot of money to spend considering the reasons why you 
probably need those extra certs...  if even 1% of the potential customers 
out there get a box popping up because of that wildcard cert I would want 
nothing to do with it.

Jamie

At 10:45 AM 5/19/00 +0100, Airey, John wrote:
>Look at it this way, if you have more than 5 SSL sites, you would be best
>advised to use a wildcard. Unless of course you have money to burn and love
>to spend ages sorting out individual certificates and keys.

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: VeriSign keys.

2000-05-19 Thread Airey, John

Sorry to say this but this page is somewhat out of date. I have no
difficulty with IE and wildcard certificates. Some versions issue a warning
about it being a wildcard, and some don't. However, from IE3.02 onwards they
work fine. For security reasons if nothing else you shouldn't use anything
before IE3.02 (notwithstanding that AFAIK Thawte certificates no longer work
with anything less than IE 3.0 anyway)

It is extremely unlikely that Microsoft would deliberately stop supporting
or allowing wildcard certificates, simply because Thawte has a large market
share. Whether a forthcoming "fix" would remove support accidentally is
anyone's guess.

Look at it this way, if you have more than 5 SSL sites, you would be best
advised to use a wildcard. Unless of course you have money to burn and love
to spend ages sorting out individual certificates and keys.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 19 May 2000 00:38
To: [EMAIL PROTECTED]; Mike King
Subject: Re: VeriSign keys.


Addressed to: [EMAIL PROTECTED]
  Mike King <[EMAIL PROTECTED]>

** Reply to note from Mike King <[EMAIL PROTECTED]> Fri, 19 May
2000 05:58:59 -0700
>   
>   
> >Wildcard certificates allow you to authenticate many web servers within
> >your domain, and pay for only one certificate.  You pay much more for a
> >wildcard certificate, but if you have more than 5 hosts in your domain
> >that need SSL it is cost effective.  (At least when I checked Thawte's
> >prices a few months ago.)
>   
> Rick, 
>   
> I see reference to wild card certificates, but cannot see any
> reference to it on the Thawte web site - is it the Enterprise PKI ?
>   
> Any pointers would be appreciated 
>   


I did some looking around on the Thawte site, and was getting worried
that maybe I was dreaming about wildcard certificates. After a few
minutes I found them in the price list, but nowhere else.


   http://www.thawte.com/pricing.html

---
A certificate that can be used on multiple hosts. Such a certificate 
has a CommonName  like *.domain.com. When Navigator checks the host
name in this certificate it uses a shell expansion procedure to see if
it matches. In the example given, any host ending in .domain.com will
be acceptable. 
---

I also found the killer that stopped me from considering them:

---
Please note, however, that MSIE does not implement wildcard certificate 
name checking, so we cannot guarantee that wildcarding will work with
any Microsoft product for any period of time.
---

That kind of makes them not useful on the Internet.


Rick Widmer
http://www.developersdesk.com


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
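
The threads above turn on two checks a client, or an operator's monitoring script, should make before trusting a server certificate: that the validity window has not lapsed (the expired Yahoo certificate John mentions, and the renewal lead time he warns about), and that a wildcard name such as *.domain.com actually covers the host being contacted. The following is an added example, not code from this list, from mod_ssl or from Thawte. It works on a constructed certificate dictionary shaped like what Python's ssl.SSLSocket.getpeercert() returns (the subject and the dates are made up for the example) and applies a stricter wildcard rule than the shell-style expansion the Thawte text attributes to Navigator: the * may only be the entire left-most label and matches exactly one label, so the bare domain and deeper subdomains are rejected.

```python
import ssl
import time

# Constructed sample shaped like ssl.SSLSocket.getpeercert(): a wildcard
# commonName like the *.domain.com certificate Thawte describes, with
# made-up validity dates. Not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.domain.com"),),),
    "notBefore": "May 19 00:00:00 2000 GMT",
    "notAfter": "May 19 23:59:59 2001 GMT",
}


def dns_names(cert):
    """Names the certificate is valid for: subjectAltName dNSName entries,
    falling back to the subject commonName only when there are none
    (certificates of this era usually carried only a CN)."""
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """Strict wildcard matching: '*' may only be the whole left-most label
    and matches exactly one label, so '*.domain.com' covers 'www.domain.com'
    but neither 'domain.com' nor 'a.b.domain.com'. Patterns like '*.com'
    or 'w*w.domain.com' are rejected outright."""
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return pat == host
    if pat[0] != "*" or len(pat) < 3 or any("*" in label for label in pat[1:]):
        return False
    return len(host) == len(pat) and host[0] != "" and host[1:] == pat[1:]


def _as_epoch(when):
    """Accept epoch seconds, a certificate-style date string, or None (now)."""
    if when is None:
        return time.time()
    if isinstance(when, str):
        return ssl.cert_time_to_seconds(when)
    return when


def days_left(cert, now=None):
    """Days until notAfter; negative once expired. Alarm on this well before
    zero, since a CA renewal takes days and an expired certificate is the
    first thing every visitor sees."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - _as_epoch(now)) / 86400.0


def check_cert(cert, hostname, now=None):
    """Return the list of problems with using cert for hostname at time now;
    an empty list means the validity window and the name both check out."""
    now = _as_epoch(now)
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now > not_after:
        problems.append("certificate expired %d day(s) ago" % ((now - not_after) // 86400))
    names = dns_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        problems.append("hostname %r not covered by %s" % (hostname, names))
    return problems


if __name__ == "__main__":
    when = "Jan 10 12:00:00 2001 GMT"
    for host in ("www.domain.com", "domain.com", "a.b.domain.com"):
        print(host, check_cert(SAMPLE_CERT, host, when) or "ok")
    print("days left on", when, "=", round(days_left(SAMPLE_CERT, when)))
```

Run check_cert against a live getpeercert() dictionary with now left as None; passing now as a certificate-style date string replays the check at a past date, which is how the expired case is exercised here. A negative days_left is the renewal alarm that the Yahoo example shows is easy to miss.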



RE: VeriSign keys.

2000-05-19 Thread Airey, John

Nearly right! What you have stated applies to all secure servers, not just
Apache-mod_ssl.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Steve Fairhead [mailto:[EMAIL PROTECTED]]
Sent: 18 May 2000 19:21
To: [EMAIL PROTECTED]
Subject: RE: VeriSign keys.


Rick Widmer said:
>> Just to make sure we are talking about the same thing, when I hear 'Name
Based vhosts' I think of: <<

Possibly a slightly cross-purpose conversation going on here. To clarify (I
hope): to the best of my understanding:
- for Apache + mod_ssl with SSL enabled and running:
  - no restriction on name-based virtual hosts running _without_ SSL
  - one name-based virtual host can run _with_ SSL
  - multiple virtual hosts running with SSL enabled must be differentiated
    by IPs, thus can't run as name-based

OTOH, maybe _I've_ missed the point :).

Steve

--
Steve Fairhead - SFD - Solutions by Design
   www: http://www.sfdesign.co.uk
--
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: VeriSign keys.

2000-05-19 Thread Airey, John

The page

http://www.thawte.com/certs/server/keygen/mod_ssl.html

Informs you not only that Thawte support wildcard certificates (we have one
from them) but how to set it up with Apache-mod_ssl.

Just follow the links for SSL Certs and buying an SSL cert.

John

-Original Message-
From: Mike King [mailto:[EMAIL PROTECTED]]
Sent: 19 May 2000 13:59
To: [EMAIL PROTECTED]
Subject: Re: VeriSign keys.



>Wildcard certificates allow you to authenticate many web servers within
>your domain, and pay for only one certificate.  You pay much more for a
>wildcard certificate, but if you have more than 5 hosts in your domain
>that need SSL it is cost effective.  (At least when I checked Thawte's
>prices a few months ago.)

Rick, 

I see reference to wild card certificates, but cannot see any reference to
it on the Thawte web site - is it the Enterprise PKI ?

Any pointers would be appreciated 

Regards

Mike
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Clustering

2000-05-19 Thread Airey, John

Does anyone know whether it is possible to have some form of clustering
involving two Apache-mod_ssl servers separated by a WAN link?

I want to be able to amend pages on the nearest server and have those pages
automatically updated on the remote server. 

Am I asking too much?

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Install new certificate

2000-05-19 Thread Airey, John

It looks to me like you downloaded the cert in the incorrect format for
Apache-mod_ssl. Try going back to the thawte site and download again.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 19 May 2000 11:54
To: [EMAIL PROTECTED]
Subject: Install new certificate




Hello,

Because our certificate is running out (it works until 19 May) I've ordered
an update from Thawte. After 2 days I got a message saying that I can now
download the new one. Works fine.

But after I have installed the new certificate I get the error message:


key value mismatch.

I looked at both (the old and the new) certificates and examined the private
key and found:

 Keyfile:

  Private-Key: (512 bit)
  modulus:
   00:b7:4f:4a:be:b9:89:6b:25:bb:70:96:15:c7:4e:
   [...]

 Old certificate:

 Certificate:
 Data:
 Version: 1 (0x0)
 Serial Number: 0 (0x0)
 [...]
 RSA Public Key: (512 bit)
 Modulus (512 bit):
  00:b7:4f:4a:be:b9:89:6b:25:bb:70:96:15:c7:4e:
  [...]

New certificate:

 Certificate:
 Data:
  Version: 3 (0x2)
 Serial Number: 59296 (0xe7a0)
 [...]
 RSA Public Key: (1024 bit)
 Modulus (1024 bit):
  00:d8:38:00:9f:70:d6:d2:ba:47:70:6b:5d:45:9c:
  [...]

Looks different...

Ahem... where is the mistake and what can I do to solve the problem?

Thanks a lot for your help!

Best regards,
  Kai Szymanski.



__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: VeriSign keys.

2000-05-17 Thread Airey, John

Once again the chicken and egg problem is not properly understood. SSL
virtual hosts MUST be IP based. It has nothing to do with DNS being hacked.

In a nutshell, the SSL connection must be set up before the http 1.1 headers
stating which host is required are sent. Therefore, you cannot have multiple
domains, server names etc on one IP as the server will have to connect you
to one of the servers BEFORE it knows which one you have asked for.

Personally, I think this is a good thing. It ensures ALL data is encrypted.

John


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 16 May 2000 15:20
To: [EMAIL PROTECTED]; Steve Fairhead
Subject: RE: VeriSign keys.


Addressed to: [EMAIL PROTECTED]
  "Steve Fairhead" <[EMAIL PROTECTED]>

** Reply to note from "Steve Fairhead" <[EMAIL PROTECTED]> Tue, 16 May
2000 00:43:19 +0100
>   
> LENGLART Benjamin [[EMAIL PROTECTED]] said:
>   
> >> place a SSLCertificateKeyfile and a SSLCertificatePrivateKey (must look
> like that, not sure of the grammar) in each of your virtual host ...
> (the good one naturally) Woops it works !!! <<
>   
>  but mustn't they also be IP-based rather than name-based?
>   

That is a recommendation, not a requirement.  The reason for it, I
believe, is to allow the web server to start even if DNS is not operating.
(For example if all your servers go down in a power failure and the DNS
server takes longer to boot than the web server.)  IP based VirtualHost
entries will still work, name based entries will go through slow, painful
DNS lookup attempts, and finally fail. (After about 30 sec for each
VirtualHost.)

There are other alternatives like adding the names to /etc/hosts or
running a slave DNS server on the web server to make sure there is
something to answer the DNS requests as Apache starts. Or you can do it
the easy way and just list the IP addresses in httpd.conf. (Or where
ever you keep your virtual host declarations.)


Rick

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
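
An added example, not from this thread and not mod_ssl code, showing where the chicken-and-egg problem sits on the wire. For a ClientHello with no extensions, which is what the browsers of the time sent, the server has nothing but the destination IP address to choose a certificate by, exactly as John describes. The TLS server_name extension (SNI, first standardised in RFC 3546 in 2003, now RFC 6066) carries the requested hostname in the ClientHello itself, before any certificate is chosen, which is what eventually made name-based SSL virtual hosts possible. The code builds a minimal, constructed ClientHello (fixed all-zero client random, one cipher suite; not a capture) with or without SNI, and parses the hostname back out the way a server must before it can select a virtual host.

```python
import struct

SNI_EXTENSION = 0x0000   # extension type "server_name"
SNI_HOST_NAME = 0        # NameType host_name


def build_client_hello(server_name=None, client_random=b"\x00" * 32):
    """Constructed minimal TLS 1.0 ClientHello wrapped in a handshake record.
    With server_name=None the hello carries no extensions at all, which is
    all a server ever saw from a browser of 2000: nothing in it names a host."""
    if len(client_random) != 32:
        raise ValueError("client random must be 32 bytes")
    body = b"\x03\x01" + client_random + b"\x00"     # client_version, random, empty session_id
    body += b"\x00\x02" + b"\x00\x2f"                # cipher_suites: a single entry
    body += b"\x01\x00"                              # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        server_name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", SNI_EXTENSION, len(server_name_list)) + server_name_list
        body += struct.pack("!H", len(ext)) + ext    # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Hostname from the server_name extension of a ClientHello record, or
    None when the hello names no host. Raises ValueError for anything that
    is not a well-formed ClientHello, including a truncated one."""
    try:
        return _parse_sni(record)
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello")


def _parse_sni(record):
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len, = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # client_version + random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos == len(body):
        return None                                       # no extensions block: the 2000 case
    ext_len, = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("truncated extensions")
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type != SNI_EXTENSION:
            continue
        list_len, = struct.unpack("!H", data[:2])
        q = 2
        while q + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[q:q + 3])
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == SNI_HOST_NAME:
                return name.decode("idna")
    return None


if __name__ == "__main__":
    for name in (None, "secure.domain.com"):
        print("requested host:", extract_sni(build_client_hello(name)))
```

A server keying its virtual-host lookup on the returned name still has to fall back to a default certificate when extract_sni returns None, which is precisely the per-IP situation the thread describes.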



RE: VeriSign keys.

2000-05-17 Thread Airey, John

You mean there's actually a product that competes with Apache? Where is this
product?

I think Apache is brilliant, but that's because more work has gone into
maintaining it than any other web server. IIS has a long way to go to catch
up!

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



-Original Message-
From: LENGLART Benjamin [mailto:[EMAIL PROTECTED]]
Sent: 15 May 2000 16:58
To: '[EMAIL PROTECTED]'
Subject: RE: VeriSign keys.


place an SSLCertificateKeyfile and an SSLCertificatePrivateKey (must look like
that, not sure of the grammar) in each of your virtual hosts ... (the good
one naturally)
Whoops, it works !!!

Isn't Apache the best Web server??

-Original Message-
From: Zohar Friling [mailto:[EMAIL PROTECTED]]
Sent: Monday 15 May 2000 17:23
To: [EMAIL PROTECTED]
Subject: VeriSign keys.


Hi,

I have several domain names and for each I have a separate key from
VeriSign.
How could I use them in the same httpd.conf if I want to host them on the
same server, using virtual servers?
Which directive should I place beneath each virtual host section?
Where can I look for an example conf file?
Please advise,
Thanks.
Zohar.


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Setting Apache Error Document if no User Cert provided

2000-05-14 Thread Airey, John

This is completely off topic for this list. The answer is in the Apache
documentation. 

However, all you need to change is "error document" in your httpd.conf file
eg

ErrorDocument 500 /500.htm

Or whatever number of error you are referring to. In the above example, the
file 500.htm in your Document Root is served.

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


-Original Message-
From: Jan Baumann [mailto:[EMAIL PROTECTED]]
Sent: 11 May 2000 17:14
To: [EMAIL PROTECTED]
Subject: Setting Apache Error Document if no User Cert provided



Hi all,

I am wondering if it is possible to configure a custom html page as an
error document in apache, which is shown when ClientVerifiy is required
but no or a wrong user certificate is presented by the browser.
Currently I only get a Netscape dialog with an "i/o error".

Thanks for any hints,

Regards,

Jan Baumann
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE:

2000-05-10 Thread Airey, John

Type httpd -l 

To show what modules are compiled. I believe that mod_so.c comes as part of
the "JOE AVERAGE" installation. If you have that, you can use apxs to add
modules to Apache-mod_ssl. Having said that, I've yet to get an added module
working!

John

-Original Message-
From: Diana Shepard [mailto:[EMAIL PROTECTED]]
Sent: 09 May 2000 18:16
To: [EMAIL PROTECTED]
Subject: 


I've successfully built Apache 1.3.12 with mod_ssl 2.6.4-1.3.12
and OpenSSL via the JOE AVERAGE mod_ssl INSTALL
instructions.  That INSTALL document says "You...get no
intermediate chance to add more third party Apache modules.."
Does that mean never once Apache is installed?   That is, can I
now add mod_so, for example, or do I have to start all over
again?

Also, has any one added module mod_jrun?  The JRUN Apache
instructions say to compile apache for DSO support (hence the
need for mod_so above) and then to "Run the connector wizard..".
How is that done?  Many thanks.

Diana Shepard
University of Colorado, Boulder

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: after 5 minutes network goes down

2000-04-25 Thread Airey, John

Have you tried the following line?

route add -host 255.255.255.255 dev eth0

If you don't have the above line anywhere on startup (eg /etc/rc.d/rc.local)
then the chances are your dhcp server will have unpredictable success.
"255.255.255.255" is the broadcast address used by dhcp to send and receive
data (since no other routing information is set up by the client initially).

Try the /sbin/route command and see what you get.

I have occasionally experienced odd routing problems with Apache and dhcp on
the same machine, so perhaps there is an obscure link hiding away somewhere.
I wonder if anyone else has had anything like this?

John


-Original Message-
From: Dominik Berner [mailto:[EMAIL PROTECTED]]
Sent: 20 April 2000 12:07
To: '[EMAIL PROTECTED]'
Subject: after 5 minutes network goes down


Hi members.

I've installed apache and mod_ssl and dhcp-server on my redhat 6.1 system.
It worked well. But now, after some minutes, my dhcp-clients can't
connect to my server. If I ping these clients from the server it works
sometimes.

Do you have any idea? Sorry that it's maybe not a question about mod_ssl.

thank you

Dominik
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: SSL Certs from IIS to Apache

2000-04-22 Thread Airey, John

Sorry, I should have said that you use Key Manager on NT to export your key
(Key/Export Key), although this exports both the key and certificate
together in a file format that you can't (AFAIK) convert to Apache format.

John

-Original Message-
From: Eric Collins [mailto:[EMAIL PROTECTED]]
Sent: 19 April 2000 01:44
To: [EMAIL PROTECTED]
Subject: SSL Certs from IIS to Apache


Greetings,

Hope this is the right place to ask this, but I am
running into brick walls else where.

I need to convert a Thawte cert that was created and
is being used on an IIS server to work with
Apache/mod_ssl.

The Apache server is using the following:
Apache 1.3.12
Mod_SSL 2.6.3-1.3.12
OpenSSL 0.9.5a

I know I will need the private key and the cert
itself, and I also know that IIS stores them both
together in a key backup. Now how do I get the private
key and cert from this file.

Doesn't IIS store the private key elsewhere? If so I
have the original cert, shouldn't it be a simple
install from there on?

I know this same situation probably has been asked a
thousand times, but any help will be appreciated
greatly

I just wish this client never chose NT, but hey, we're
not all perfect! :)


Thanks for any help!

EC

__
Do You Yahoo!?
Send online invitations with Yahoo! Invites.
http://invites.yahoo.com
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: SSL Certs from IIS to Apache

2000-04-19 Thread Airey, John

I don't believe you can do this. You can convert an Apache certificate to
IIS using the command

openssl rsa -in apache.key -out iis.key -outform NET

I think you'll have to buy another cert, and then convert this one to run on
IIS as above when your IIS cert expires. then copy the above key onto a
floppy disk and put in your NT server (you do not want to send this key on
your LAN!). For extra security, eat the floppy disk when you are finished
(or keep it as a backup).

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 



-Original Message-
From: Eric Collins [mailto:[EMAIL PROTECTED]]
Sent: 19 April 2000 01:44
To: [EMAIL PROTECTED]
Subject: SSL Certs from IIS to Apache


Greetings,

Hope this is the right place to ask this, but I am
running into brick walls else where.

I need to convert a Thawte cert that was created and
is being used on an IIS server to work with
Apache/mod_ssl.

The Apache server is using the following:
Apache 1.3.12
Mod_SSL 2.6.3-1.3.12
OpenSSL 0.9.5a

I know I will need the private key and the cert
itself, and I also know that IIS stores them both
together in a key backup. Now how do I get the private
key and cert from this file.

Doesn't IIS store the private key elsewhere? If so I
have the original cert, shouldn't it be a simple
install from there on?

I know this same situation probably has been asked a
thousand times, but any help will be appreciated
greatly

I just wish this client never chose NT, but hey, we're
not all perfect! :)


Thanks for any help!

EC




RE: HTTP fails, HTTPS works

2000-04-18 Thread Airey, John

Could you post your httpd.conf file so we can see more information? It's
probably because you don't have a virtual host section for http and the
server will default to https if ssl support is included.

John

At 12:36 PM 4/17/2000 -0700, you wrote:
>I did a fresh install of RedHat 6.2
>compiled and installed openssl-0.9.5-1.src.rpm (which builds openssl and
>openssl-devel).
>then compiled and installed mod_ssl-2.6.2-1.src.rpm.
>Now when I start apache with
>httpd -DSSL or even just httpd I can connect with https://localhost but
>not http://localhost
>If I comment out the 2 lines that mod_ssl added to my httpd.conf file I
>can connect with http://localhost but of course not https://localhost
>
>The two lines are 
>Include conf/ssl/mod_ssl.conf
>Include conf/ssl/ssl.default-vhost.conf
>
>So at this point I have to choose between HTTP and HTTPS. The two just
>won't work together. Apache doesn't even log connection attempts, because
>it doesn't even seem to have the port open.
>
>Does anyone know why this is happening?
>
>Dan




Spurious crash

2000-04-06 Thread Airey, John

Yesterday one of our Apache web servers crashed. This is quite historic as
it has never crashed in normal operation in three years!

This appeared in the SSL Engine log ten minutes before the crash

[05/Apr/2000 12:37:57 21895] [info]  Connection to child 10 established
(server wwws.rnib.org.uk:443, client 10.2.4.117)
[05/Apr/2000 12:37:57 21895] [info]  Spurious SSL handshake interrupt[Hint:
Usually just one of those OpenSSL confusions!?]
[05/Apr/2000 12:37:57 21895] [info]  Connection to child 10 established
(server wwws.rnib.org.uk:443, client 10.2.4.117)
[05/Apr/2000 12:37:57 21895] [info]  Spurious SSL handshake interrupt[Hint:
Usually just one of those OpenSSL confusions!?]

Has anyone come across this before?

We are running openssl-0.9.4-1 and apache-mod_ssl-1.3.11.2.5.0-0.6.0 on
Redhat 6.0

I know we are supposed to be running a later version, but I haven't got it
working yet!

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

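The four SSL engine log lines above are exactly the kind of input a detection rule gets run over. As an added example (not code from the original post and not part of mod_ssl), here is a small Python parser for that log format, plus a check that flags clients whose connections are followed by repeated "Spurious SSL handshake interrupt" entries within a short window. The sample log is constructed from the posted lines (with the wrapped hint text joined back onto one line) plus one extra constructed entry; attributing an interrupt to the last client seen on the same child pid is an assumption, since the interrupt line itself names no client.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log format seen in the mod_ssl 2.x SSLLog output quoted in the post:
# [dd/Mon/yyyy HH:MM:SS pid] [level]  message
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (?P<pid>\d+)\] "
    r"\[(?P<level>\w+)\]\s+(?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"client (?P<client>[\d.]+)\)")

# Constructed sample: the four posted lines (hint text re-joined onto one
# line) plus one unrelated constructed entry for a different client.
SAMPLE_LOG = """\
[05/Apr/2000 12:37:57 21895] [info]  Connection to child 10 established (server wwws.rnib.org.uk:443, client 10.2.4.117)
[05/Apr/2000 12:37:57 21895] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[05/Apr/2000 12:37:57 21895] [info]  Connection to child 10 established (server wwws.rnib.org.uk:443, client 10.2.4.117)
[05/Apr/2000 12:37:57 21895] [info]  Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[05/Apr/2000 12:38:02 21895] [info]  Connection to child 11 established (server wwws.rnib.org.uk:443, client 10.2.4.200)
"""


def parse_line(line):
    """Split one SSL engine log line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S"),
        "pid": int(m.group("pid")),
        "level": m.group("level"),
        "msg": m.group("msg"),
    }


def spurious_interrupts_by_client(log_text, threshold=2, window_seconds=60):
    """Return {client_ip: count} for clients with at least `threshold`
    'Spurious SSL handshake interrupt' entries inside any `window_seconds`
    window. Assumption: an interrupt belongs to the most recent
    'Connection ... established' entry logged by the same child pid."""
    last_client = {}          # pid -> client ip of its latest connection
    hits = defaultdict(list)  # client ip -> timestamps of interrupts
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        cm = CLIENT_RE.search(entry["msg"])
        if cm:
            last_client[entry["pid"]] = cm.group("client")
            continue
        if "Spurious SSL handshake interrupt" in entry["msg"]:
            client = last_client.get(entry["pid"], "unknown")
            hits[client].append(entry["ts"])

    flagged = {}
    for client, times in hits.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):  # sliding window over sorted timestamps
            while (times[i] - times[j]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    print(spurious_interrupts_by_client(SAMPLE_LOG))
```

On the posted lines the check reports 10.2.4.117 with two interrupts in the same second; raising the threshold or shortening the window is how you would tune it against a real SSLLog before alerting on it.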



RE: CGI not working under mod_ssl

2000-04-06 Thread Airey, John

Have you checked that you don't have more than one "ScriptAlias" directive
in httpd.conf?

I would suggest that you try using a different cgi directory for https, copy
the script into it and try again.

Personally, I would keep separate cgi directories for the normal and secure
sites, simply so you know which belongs where.

John

-Original Message-
From: Mike King [mailto:[EMAIL PROTECTED]]
Sent: 06 April 2000 00:37
To: [EMAIL PROTECTED]
Subject: CGI not working under mod_ssl


Folks,

I have a problem: I get an error when trying to run cgi scripts under
https: - the error I get is:

Premature end of script headers: /home/httpd/cgi-mr/go.pl

The file exists, and can be run from http: using the same server

I assumed that such things would run unchanged - are there any things I
need to look for ?

Regards

Mike King



RE: SSL Keys...

2000-03-30 Thread Airey, John

There are two ways of doing this. Either obtain a starred certificate for
every site in your domain. For example, we have a starred certificate named
*.rnib.org.uk. If Verisign don't do starred certificates then Thawte do.
Some browsers cannot use them, but they are mainly less than IE3 and
Netscape 3.0. However, these browsers cannot be upgraded to use Thawte
certificates anyway.

The other way is to have a certificate for every hostname you have. This is
the expensive option, but will probably work for older browsers.

John

-Original Message-
From: Daniel Chester [mailto:[EMAIL PROTECTED]]
Sent: 29 March 2000 15:38
To: mod_ssl users
Subject: SSL Keys...


Just to get complete understanding about the actual Certs that one would
buy from someone like Verisign.  Do you need 1 cert per Apache server,
one per domain/IP address, or one per host on the domain?
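A starred certificate such as John's *.rnib.org.uk covers hostnames only one label deep. As an added example that is not part of the original thread, the Python below implements the wildcard matching rule as browsers apply it today (the RFC 6125 rule: the wildcard must be the whole left-most label and matches exactly one label), which is an assumption beyond what the year-2000 post states, and shows which hosts from a constructed list one such certificate would cover.

```python
# Constructed hostnames; wwws.rnib.org.uk is the server name seen elsewhere
# on this list, the others are made up for the example.
SAMPLE_HOSTS = [
    "www.rnib.org.uk",
    "wwws.rnib.org.uk",
    "rnib.org.uk",
    "a.b.rnib.org.uk",
    "www.example.org",
]


def hostname_matches(cert_name, hostname):
    """True if `hostname` is covered by the certificate name `cert_name`.

    Rules modelled (assumption: the RFC 6125 / modern-browser rule, not the
    behaviour of the older browsers the post mentions):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is honoured only as the entire left-most label;
      * that wildcard matches exactly one label, so "*.rnib.org.uk" covers
        neither the bare "rnib.org.uk" nor "a.b.rnib.org.uk";
      * wildcards covering a whole top-level domain ("*.uk", "*") are refused.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    labels = cert_name.split(".")
    if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]):
        return False  # partial ("w*.") or non-left-most wildcards are refused
    if len(labels) < 3:
        return False  # "*" and "*.uk" would be far too broad
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def covered_hosts(cert_name, hostnames):
    """Subset of `hostnames` that a certificate for `cert_name` would match."""
    return [h for h in hostnames if hostname_matches(cert_name, h)]


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(host, hostname_matches("*.rnib.org.uk", host))
```

The practical consequence for the "one starred certificate for every site in your domain" approach is that any host with an extra label, or the bare domain itself, still needs its own certificate (or its own name in the certificate).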



RE: duplicate message timewarp

2000-03-28 Thread Airey, John

I reposted one today by mistake as well. Sorry folks!

John

-Original Message-
From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
Sent: 28 March 2000 10:13
To: [EMAIL PROTECTED]
Subject: Re: duplicate message timewarp


On Mon, Mar 27, 2000, Steve Fairhead wrote:

> Any particular reason why mesages from as long ago as the end of February
> are reappearing here? There appears to have been a flurry of duplicate
> messages on this system today, identifiable by antique postage dates and a
> doubled-up list sig... ??

No reason from my or our Majordomo's side. It just appears that one's
mailer has spooled the stuff for a few weeks and finally delivered
it.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



RE: name-based virtual host configuration with mod ssl

2000-03-28 Thread Airey, John

Oh, I forgot to mention, you'll need to use two different IP numbers and
therefore do not need the NameVirtualHost parameter at all (my servers work
fine without it).

This is to do with a chicken and egg problem with SSL which has been
discussed on this list several times. Suffice it to say - one IP number -
one SSL site.

John

-Original Message-
From: Loic Guilmard [mailto:[EMAIL PROTECTED]]
Sent: 24 March 2000 14:35
To: [EMAIL PROTECTED]
Subject: name-based virtual host configuration with mod ssl


I try to use the NameVirtualHost parameter in httpd.conf to enable two
servers with the same address, but a different name.
I can't get it working; I probably haven't placed my two  sections
in the right place.
I have the  sections.
Should I make two  sections, inserting the ssl
rows of the default section in each new section?
I know that my questions seem stupid!

Thanx for your understanding ...

loic





RE: name-based virtual host configuration with mod ssl

2000-03-24 Thread Airey, John

The VirtualHost default settings refer to all virtual hosts. You don't need
to copy it all out.

This is all you need as a minimum for each virtual secure host


SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/certificate.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/key.key
ServerName secure.domain.name


Although I guess you will want to have a separate document root and separate
log files for each secure host, together with any other settings.

John

-Original Message-
From: Loic Guilmard [mailto:[EMAIL PROTECTED]]
Sent: 24 March 2000 14:35
To: [EMAIL PROTECTED]
Subject: name-based virtual host configuration with mod ssl


I try to use the NameVirtualHost parameter in httpd.conf to enable two
servers with the same address, but a different name.
I can't get it working; I probably haven't placed my two  sections
in the right place.
I have the  sections.
Should I make two  sections, inserting the ssl
rows of the default section in each new section?
I know that my questions seem stupid!

Thanx for your understanding ...

loic





RE: Issue: unreasonable SSLVerifyDepth policy!

2000-03-21 Thread Airey, John

This would be useful for testing or internal use, but granted, it would be
seriously dodgy in a production machine.

John

-Original Message-
From: Gunther Schadow [mailto:[EMAIL PROTECTED]]
Sent: 20 March 2000 20:56
To: [EMAIL PROTECTED]
Subject: Issue: unreasonable SSLVerifyDepth policy!


Hi,

I have an issue with the policy one can set with SSLVerifyDepth. The
documentation says that "a depth of 0 means that self-signed client
certs are accepted only, the default depth of 1 means the client cert
can be self-signed or has to be signed by a CA which is directly known
to the server."

I mean, why would a serious server want to trust self-signed client
certificates? It seems like you can't say: "trust only those client
certs that are directly signed by a CA in the server's list of 
trusted CAs." I would suppose, however, that this is the one default
mode that most sites will want to choose.

How is that done?

regards
-Gunther



RE: Name based virtual hosts

2000-03-20 Thread Airey, John

I'm sorry I was mistaken. What I've set up takes a number of requests to
real IP numbers and maps them to the same IP number. This is the total
opposite of what is needed here.

Must be the Monday morning blues.

John

-Original Message-
From: Blair Lowe [mailto:[EMAIL PROTECTED]]
Sent: 16 March 2000 18:01
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Name based virtual hosts


Just some crazy ideas:

1. Have the webserver behind the firewall, and have a separate 
private (eg. 192.168.x.x) IP address for each virtual host. This 
solves the problem of having to have multiple Internet addresses.

Make the firewall, or some DMZ box, translate the incoming request 
for a.domain.at:443 to the private IP address.

2. Do the same thing, but go from port 443 on the translation box to 
a unique port on the virtual host box. I believe that the virtual 
host box can run a different SSL connection as long as the port is 
distinct. Incoming connections would think that they are going in on 
port 443.

Anyone want to test this theory (or flame it)? I'd love to hear the 
results (comments)!

Blair.

At 08:57 -0500 2000/03/16, Martin Helie wrote:
>Hello,
>
>I seem to have read something about apache and modssl not being too
friendly
>towards name based virtual hosts, but was wondering if anyone had more
>info...
>
>So far, I have been able to allow _one_ virtual host to access port 443,
but
>if I enable SSL for any other vhosts, things get kind of weird.
>
>Are my only options to get IP addresses for each host, or run multiple
>instances of httpd configured differently? Any other ideas?
Computer Engineering Inc. http://www.compeng.net
Phone: 780 499 5687 (9 - 5 MST) Fax:   780 435 0693 (24 Hours)
All email advice that is provided for free is without warranty: use 
at your own risk. 



RE: Upgrade to Apache 1.3.12 or ... ? dear ME!

2000-03-20 Thread Airey, John

I think it's like the advice to never buy a car from a mechanic. He'll
always be too busy mending other people's cars to fix his own. Except in
this case the car is a webserver.

John

-Original Message-
From: tim [mailto:[EMAIL PROTECTED]]
Sent: 13 March 2000 18:51
To: [EMAIL PROTECTED]
Subject: Re: Upgrade to Apache 1.3.12 or ... ? dear ME! 



hello ...

what a shame that the apache sysadmin is too lazy to update, are they also
still running FreeBSD 2.2.7? 

tim



RE: Name based virtual hosts

2000-03-20 Thread Airey, John

I already have a system like this working already!

John

-Original Message-
From: Blair Lowe [mailto:[EMAIL PROTECTED]]
Sent: 16 March 2000 18:01
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Name based virtual hosts


Just some crazy ideas:

1. Have the webserver behind the firewall, and have a separate 
private (eg. 192.168.x.x) IP address for each virtual host. This 
solves the problem of having to have multiple Internet addresses.

Make the firewall, or some DMZ box, translate the incoming request 
for a.domain.at:443 to the private IP address.

2. Do the same thing, but go from port 443 on the translation box to 
a unique port on the virtual host box. I believe that the virtual 
host box can run a different SSL connection as long as the port is 
distinct. Incoming connections would think that they are going in on 
port 443.

Anyone want to test this theory (or flame it)? I'd love to hear the 
results (comments)!

Blair.

At 08:57 -0500 2000/03/16, Martin Helie wrote:
>Hello,
>
>I seem to have read something about apache and modssl not being too
friendly
>towards name based virtual hosts, but was wondering if anyone had more
>info...
>
>So far, I have been able to allow _one_ virtual host to access port 443,
but
>if I enable SSL for any other vhosts, things get kind of weird.
>
>Are my only options to get IP addresses for each host, or run multiple
>instances of httpd configured differently? Any other ideas?
Computer Engineering Inc. http://www.compeng.net
Phone: 780 499 5687 (9 - 5 MST) Fax:   780 435 0693 (24 Hours)
All email advice that is provided for free is without warranty: use 
at your own risk. 



RE: apxs

2000-03-10 Thread Airey, John

You'll find the working version of apxs in the apache-mod_ssl-devel rpm. I
spent ages looking for it, and even emailed Ralf directly before I found this
out! I have to say that the location of apxs for users of compiled rpms is
not that clear.

John

-Original Message-
From: Lewis Bergman [mailto:[EMAIL PROTECTED]]
Sent: 09 March 2000 15:38
To: [EMAIL PROTECTED]
Subject: apxs


OK that was really dumb. mod_so is static. Must sleep.
Curious though, The RPM's don't have EAPI? If so why does the apxs seem
broken?
At least on the surface.
 -- 
-Lewis Bergman-
Texas Communications
915-695-6962
4309 Maple St.
Abilene, TX 79602



RE: HELP!!!!!!

2000-03-08 Thread Airey, John

Too right Ralf. The next thing we'll have is people asking if bugs can be
put back into the code! I can imagine the posting "there was this really
useful bug in ..." 

John

-Original Message-
From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
Sent: 08 March 2000 10:02
To: [EMAIL PROTECTED]
Subject: Re: HELP!!


On Tue, Mar 07, 2000, Charette, Jason wrote:

> Is there a planned release in the near future for a version of mod_ssl
that
> will work with Apache 1.3.9?

E... what? A mod_ssl version in the future for an older Apache? No,
I will certainly not provide this. What is your reason why you want to
stick with Apache 1.3.9 and not use 1.3.12? But if you really want 2.6.2
to run with 1.3.9, it would be possible, of course. But you've to fiddle
around yourself with the source tree and merge mod_ssl into it manually.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



RE: Certificate questions...

2000-03-06 Thread Airey, John

>-Original Message-
>From: Karl Denninger [mailto:[EMAIL PROTECTED]]
>Sent: 03 March 2000 15:39
>To: [EMAIL PROTECTED]
>Subject: Re: Certificate questions...


>Hi John,

>On Fri, Mar 03, 2000 at 10:06:19AM -, Airey, John wrote:
>> Assuming we are talking about Thawte's server test certificates, they are
>> only for use for one month. Using them helps you to understand how to
>> install a real certificate without running the risk of destroying it (a
very
>> real risk with NT!)

>Not really true.  You can set the validity up to 365 days.

Obviously Thawte have changed their policy on test certificates then. I
haven't used one for a while but they are a useful test of their certificate
issuing procedure without running the risk of losing money because you get
your csr wrong.

Just to clarify, with Windows NT it is possible to install a certificate and
private key without actually having a copy of them on disk, AFAIK (although
it would be foolish not to keep a backup, wouldn't it?). If you need to
reinstall NT, then you've lost them!

Like I said, if this isn't a public site you can create your own. All a
certificate does is prove who you are, but if you are only securing data for
internal use, you hopefully know who you are anyway.

This reminds me of a joke.

Descartes was in a restaurant having a meal. The waiter asks him "would you
like to see the wine list, Sir?". He replies "I think not" and promptly
vanishes.

(I never said it was a funny joke).

John



RE: Certificate questions...

2000-03-03 Thread Airey, John

Assuming we are talking about Thawte's server test certificates, they are
only for use for one month. Using them helps you to understand how to
install a real certificate without running the risk of destroying it (a very
real risk with NT!)

They are not intended for production use. Thawte's own certificates are
accepted by all browsers (AFAIK) and prove to those who connect to your site
that you are the company that you say you are. This is what you pay for, and
if you ask me it's well worth the money.

If you don't intend to connect your site to the outside world, you can make
your own certificates anyway. The documentation to do that comes with
openssl.

John

-Original Message-
From: Alex C. Koch [mailto:[EMAIL PROTECTED]]
Sent: 02 March 2000 19:12
To: [EMAIL PROTECTED]
Subject: Re: Certificate questions...


Is getting one of these test certificates better than using a self-signed 
test certificate that can be generated with openSSL?  I am currently using 
a certificate that I generated myself.  What would the advantages be of 
using a certificate from Thawte when it is not authenticated by them?


At 11:42 AM 3/2/00 -0600, you wrote:
>Hi folks,
>
>I have built the MODSSL package and Apache, and it works.  I got a
>"test" certificate from Thawte (their "unauthenticated" one) and it
>installed and worked properly.


Alex Koch
[EMAIL PROTECTED]
https://128.253.163.111 (SSL secured)
http://home.adelphia.net/~alexk

<<-- PGP Keys -->>
2048 bit RSA key id: 0x58635D8F
4096 bit DH/DSS key id: 0x0784EFC5





RE: basic...

2000-02-24 Thread Airey, John

server.key = Your server's private key. Guard this with your life!
server.crt = Certificate signed by a certification authority. 
server.csr = Certificate signing request. This contains your server key and
is used to request your server.crt from a certification authority. Guard
this with your life also!

John

-Original Message-
From: Osvaldo Brito [mailto:[EMAIL PROTECTED]]
Sent: 23 February 2000 13:15
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: basic...


Hi,

What's the difference between these files:

server.csr, server.crt, server.key



Thank you in advance.

Osvaldo Brito

  [EMAIL PROTECTED] 
  [EMAIL PROTECTED]   




Which is better?

2000-02-24 Thread Airey, John

I want to proxy http to http and https to https (I have my reasons!)

Which is better, to use mod_rewrite for http 


ProxyRequests On
RewriteEngine on
RewriteRule ???


or the following


SSLEngine Off
ServerAdmin [EMAIL PROTECTED]
ServerName http.rnib.org.uk
ErrorLog /var/log/httpd/http-error_log
TransferLog /var/log/httpd/http-access_log
ProxyPass / http://http-proxy/
ProxyPassReverse / http://http-proxy/
Options None


And in the case of https


SSLEngine On
SSLCertificateFile /etc/httpd/conf/ssl.crt/https.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/https.key  
ProxyRequests On
RewriteEngine on
RewriteRule ???


or


SSLEngine On
SSLCertificateFile /etc/httpd/conf/ssl.crt/https.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/https.key
ServerAdmin [EMAIL PROTECTED]
ServerName https.rnib.org.uk
ErrorLog /var/log/httpd/https-error_log
TransferLog /var/log/httpd/https-access_log
ProxyPass / https://https-proxy/
ProxyPassReverse / https://https-proxy/
Options None


I've missed out the rewrite rule, as I'm not entirely sure about the syntax.

- 
John Airey
Systems Engineer, iSys, Royal National Institute for the Blind,
PO BOX 173, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 375255 [EMAIL PROTECTED] 




RE: Username & Password

2000-02-19 Thread Airey, John

I should have mentioned. It's a bad idea to have your password files under
your Document Root. Store them outside of it for security, although this
isn't why you are having a problem.

In the previous configuration I sent, the "order deny,allow" etc statements
aren't strictly necessary, but are useful if you plan to give users on
specific IP numbers or specific domains access to your server without a
username and password. ie, you can have

deny from all
allow from "IP", "Domain"
etc (without the quotes).

John

-Original Message-
From: Veronique Kraft [mailto:[EMAIL PROTECTED]]
Sent: 18 February 2000 05:54
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Username & Password

[snip]
AuthUserFile /export/users/vekraft/apache/secret/.htpasswd
AuthGroupFile /export/users/vekraft/apache/secret/.htgroup



RE: Username & Password

2000-02-18 Thread Airey, John

Please ignore this suggestion. The Apache documentation states that
AllowOverride '...controls which options the .htaccess files in directories
can override. Can also be "All", or any combination of "Options",
"FileInfo","AuthConfig", and "Limit" '. It can also be "None".

From a practical standpoint "None" is a better option since full control of
the server configuration is in the httpd.conf file. Allowing .htaccess adds
further complexity which it appears the original poster does not wish to have.

The configuration I posted does work. I've been running several sites with
the same configuration since Apache 1.3 came out. If it still doesn't work
please get back to me.

John

-Original Message-
From: Lewis Bergman
To: [EMAIL PROTECTED]
Sent: 18/02/00 12:32
Subject: Re: Username & Password


>   AllowOverride None
AllowOverride AuthConfig
-- 
-Lewis Bergman-
Texas Communications
915-695-6962
4309 Maple St.
Abilene, TX 79602



RE: Username & Password

2000-02-18 Thread Airey, John

Your configuration is too complex. Try this instead


Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order deny,allow
deny from all
AuthName "Web Developers Only Please"
AuthType Basic
AuthUserFile /export/users/vekraft/apache/secret/.htpasswd
AuthGroupFile /export/users/vekraft/apache/secret/.htgroup
require group webdevelop
satisfy any


I'm not sure why you wanted the "limit" tags in there, since no-one could
access this directory if they weren't in the group "webdevelop" anyway.


John

-Original Message-
From: Veronique Kraft [mailto:[EMAIL PROTECTED]]
Sent: 18 February 2000 05:54
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Username & Password



Sorry to post this little problem but I'm at my wit's end to find out what's
wrong.

I start the http daemon and try to access a site that requires a login and
password.
I have generated the login and password by using htpasswd, stored the
password in a file called .htpasswd, created a group file called .htgroup,
added their paths into my httpd.conf file, and created a .htaccess file in
the document root directory.

When I try to access the page, I am prompted for a login and password. I
enter these in but I keep getting an 'Authorisation Failed' message. I try
this for a few different logins and passwords that I have generated but none
seem to work.

This is what I have in my httpd.conf file:

***
DocumentRoot /export/users/vekraft/apache/www


Options Indexes FollowSymLinks MultiViews
AllowOverride None

Order allow, deny
Allow from all


require group webdevelop


deny from all

AuthName "Web Developers Only Please"
AuthType Basic
AuthUserFile /export/users/vekraft/apache/secret/.htpasswd
AuthGroupFile /export/users/vekraft/apache/secret/.htgroup
require group webdevelop
satisfy any


*

I have the correct paths to find the user/password, group etc... files but I
still cannot
get the authorisation thing to work.

I'm using Apache 1.3.11 with mod_ssl 2.5.0 and openssl 0.9.4 and netscape
communicator 4.7
I have also tried it on MSIE 5 and it doesn't work on that either.


Veronique
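The configuration John posts above (Order deny,allow / deny from all / require group / satisfy any) and the variant in his 19 February follow-up (allow from specific IP numbers or domains so those clients skip the password) only make sense once you see how mod_access and the auth directives combine. As an added example, not code from the list or from Apache itself, the Python below models that combination: `Order` decides how Allow/Deny resolve, `Satisfy` decides whether host access and user authentication are both required or either suffices. Three constructed configurations are included: the one from this message, the IP/domain exemption from the follow-up, and a third constructed one showing that `allow from all` together with `satisfy any` never asks for a password at all. The CIDR and domain-suffix matching is a simplification and is an assumption, not Apache's exact code.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AccessConfig:
    """Model (assumption, not Apache's code) of the directives in this thread:
    Order, Allow/Deny from, Require group, Satisfy."""
    order: str = "deny,allow"                          # "deny,allow" or "allow,deny"
    allow_from: list = field(default_factory=list)     # "all", IP/CIDR, or domain
    deny_from: list = field(default_factory=list)
    require_groups: set = field(default_factory=set)   # empty: no auth configured
    satisfy: str = "all"                               # "all" or "any"


def _host_matches(pattern, client_ip, client_host):
    """One 'allow/deny from' token checked against the client (simplified)."""
    if pattern == "all":
        return True
    try:  # IP address or CIDR block
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        pass
    # Otherwise treat the token as a domain suffix checked against the
    # reverse-resolved client name (Apache also forward-checks it; omitted).
    return client_host is not None and (
        client_host == pattern or client_host.endswith("." + pattern))


def host_allowed(cfg, client_ip, client_host=None):
    """mod_access decision. 'deny,allow': denies first, allows override,
    default allow. 'allow,deny': allows first, denies override, default deny."""
    allowed = any(_host_matches(p, client_ip, client_host) for p in cfg.allow_from)
    denied = any(_host_matches(p, client_ip, client_host) for p in cfg.deny_from)
    if cfg.order == "deny,allow":
        return allowed or not denied
    if cfg.order == "allow,deny":
        return allowed and not denied
    raise ValueError("unsupported Order: %r" % cfg.order)


def user_authorized(cfg, user_groups):
    """Group check; None when no 'require group' is configured at all."""
    if not cfg.require_groups:
        return None
    return bool(cfg.require_groups & set(user_groups))


def access_granted(cfg, client_ip, client_host=None, user_groups=()):
    """Combine both decisions the way 'Satisfy' does."""
    host_ok = host_allowed(cfg, client_ip, client_host)
    auth_ok = user_authorized(cfg, user_groups)
    if auth_ok is None:
        return host_ok
    if cfg.satisfy == "any":
        return host_ok or auth_ok
    return host_ok and auth_ok


# Constructed configurations.
# 1. The one posted on 18 Feb: nobody gets in by address, so membership of
#    group "webdevelop" is the only way through.
WEBDEV_ONLY = AccessConfig(order="deny,allow", deny_from=["all"],
                           require_groups={"webdevelop"}, satisfy="any")
# 2. The 19 Feb variant: listed addresses/domains skip the password.
WEBDEV_OR_LAN = AccessConfig(order="deny,allow", deny_from=["all"],
                             allow_from=["10.2.4.0/24", "rnib.org.uk"],
                             require_groups={"webdevelop"}, satisfy="any")
# 3. A pitfall: "allow from all" plus "satisfy any" means the password is
#    never required, because host access already succeeds for everyone.
PASSWORD_BYPASSED = AccessConfig(order="allow,deny", allow_from=["all"],
                                 require_groups={"webdevelop"}, satisfy="any")

if __name__ == "__main__":
    for name, cfg in [("webdev only", WEBDEV_ONLY),
                      ("webdev or LAN", WEBDEV_OR_LAN),
                      ("allow all + satisfy any", PASSWORD_BYPASSED)]:
        print(name, "anonymous 203.0.113.5 ->", access_granted(cfg, "203.0.113.5"))
```

The third configuration is the one to watch for when reviewing an httpd.conf: with `Satisfy any`, the `deny from all` is what makes the password mandatory, and loosening the host rules silently loosens the authentication.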



RE: CN not server name

2000-02-18 Thread Airey, John

Undoubtedly they do. Or they'll use multiple machines. My own ISP used to
have hundreds of IP numbers on IIS3 (Idiotic Internet Server?) before
upgrading to IIS4. Now they use a single IP number for all http sites. Not
sure what they do for secure sites.

John 

-Original Message-
From: Randy Lee [mailto:[EMAIL PROTECTED]]
Sent: 17 February 2000 12:41
To: [EMAIL PROTECTED]
Subject: Re: CN not server name


Ahh. This sounds like a plausible explanation. Thanks very much.

Q: what do the Big Guys that host hundreds of virtual e-commerce domains
do about this? I can't figure that they have their machines set up with
150 IP addresses on them, do they?

Randy Lee




RE: setting up non-ssl proxy for https use

2000-02-11 Thread Airey, John

Could you give me a configuration example of 

web client -->HTTPS--> proxy (apache) -->HTTPS--> httpd internal

If you have this working already please? I've not been able to make it work.
The Apache documentation appears to say that ProxyPass only supports http.

John

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 09 February 2000 20:24
To: [EMAIL PROTECTED]
Subject: Re: setting up non-ssl proxy for https use


Hi,

In my experience it is impossible to run an HTTPS server (including a
proxy server) without SSL support.
The problem is that your server is receiving not an HTTP request but an HTTPS
request.
To work with this you have to run an SSL-enabled HTTPD. There is no need for
your internal HTTPD to be SSL enabled.

If the scheme is:

web client -->HTTPS--> proxy (apache) -->HTTP--> httpd internal

then your proxy server has to be SSL enabled. There is no need for your
internal one.


If the scheme is:

web client -->HTTPS--> proxy (apache) -->HTTPS--> httpd internal

then both your servers have to be SSL enabled.


If the scheme is:

web client -->HTTP--> proxy (apache) -->HTTPS--> httpd internal

Then only your internal server has to be SSL enabled, but I do not see a
reason for anyone to use a scheme like the last one (it protects you from
your own local network, but not from the Internet ;)

Rossen





RE: Crypto law question...

2000-01-31 Thread Airey, John

Isn't discussion allowed under the US Constitution First Amendment, the
right to free speech, which certainly includes printed text? Therefore the
EAR restrictions don't and can't apply to it?

I think I'm right. Anyone else hazard an answer?

John

-Original Message-
From: Daniel S. Reichenbach [mailto:[EMAIL PROTECTED]]
Sent: 28 January 2000 17:32
To: Mod_Ssl (Users)
Subject: Crypto law question...


Hi,

just a little law thing: now that the export laws have changed to allow
128-bit exports, how about discussing code-related things??? For OpenSA
we would have several mod_ssl related issues to discuss. This would
help to fix the Win32 problems in 2.5.0.

Daniel
__
The OpenSA Project  http://www.opensa.org/
Daniel S. Reichenbach   [EMAIL PROTECTED]




Modules

2000-01-29 Thread Airey, John

Do I have to recompile Apache-mod_ssl in order to use a module that is not
part of the basic distribution (eg an authentication module), or is there a
proper way to do this?

I'm currently using RPMs with Red Hat Linux 6.0 because I prefer the
simplicity of installation. However, I'm prepared to battle it out with
APACI, even though I lost the last time I tried.

If I'm being totally thick, please let me know. My ego is in need of
deflating.

- 
John Airey
Systems Engineer, iSys, Royal National Institute for the Blind,
PO BOX 173, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 375255 [EMAIL PROTECTED] 




RE: I want to have my cake and eat it!

2000-01-29 Thread Airey, John

Thanks Graham. I'd investigated the cost of Cisco Secure ACS for NT. This
supports TACACS+ authentication for NT but costs £3395 + vat. A bit steep
methinks (especially when TACACS+ programs are available for free for
Linux).

I did notice that the Samba book I was reading mentioned LDAP, but I didn't
know there was an Apache LDAP module available. 

Thanks again. If I get something working I'll let everyone know, since I
think members of this list would be interested in simpler and more secure
administration of Apache.

John

-Original Message-
From: Graham Leggett [mailto:[EMAIL PROTECTED]]
Sent: 26 January 2000 11:15
To: [EMAIL PROTECTED]
Subject: Re: I want to have my cake and eat it!


"Airey, John" wrote:

> 1. I want to be able to have users who access systems over the internet
> authenticated using TACACS+. I've been down the route of trying to get a
> Cisco router to authenticate, but these only support http, ftp and telnet. I
> want to authenticate them using https for security purposes.

You want a TACACS+ auth module for Apache.

A search at http://module.apache.org for "tacacs" gives this:

http://duke.adesium-services.fr/pub/mod_auth_tacacs/

> 2. I also want to be able to integrate NT and Samba on several Linux servers
> so that users who have access to change files can be administered as part of
> the NT domain. I have a Samba book that explains how to do this, however I
> would like a way of combining this with a TACACS+ server.
> 
> Does anyone know of a way I can integrate either of these? I realise the
> second is off-topic for this mailing list, however I'm looking to use
> Apache-mod_ssl to reduce the number of user databases that I need to support
> and increase security.

A far easier way of doing this would be to standardise on LDAP. Apache
can authenticate against LDAP (using the relevant module), not sure if
the cisco stuff can, but I would be surprised if it can't. Samba can
support LDAP, or even support PAM with a PAM LDAP module.

There are many ways of doing this, though I would suggest choosing your
base level authentication database carefully so that you don't find
incompatibility problems down the line.

Regards,
Graham
-- 
[EMAIL PROTECTED]   "There's a moon over Bourbon Street tonight..."



I want to have my cake and eat it!

2000-01-25 Thread Airey, John

I am currently trying to solve two problems

1. I want to be able to have users who access systems over the internet
authenticated using TACACS+. I've been down the route of trying to get a
Cisco router to authenticate, but these only support http, ftp and telnet. I
want to authenticate them using https for security purposes.

2. I also want to be able to integrate NT and Samba on several Linux servers
so that users who have access to change files can be administered as part of
the NT domain. I have a Samba book that explains how to do this, however I
would like a way of combining this with a TACACS+ server.

Does anyone know of a way I can integrate either of these? I realise the
second is off-topic for this mailing list, however I'm looking to use
Apache-mod_ssl to reduce the number of user databases that I need to support
and increase security.

I could of course give up and do the whole thing using NT security and get
rid of Apache and Samba, but I think I'd prefer a lobotomy first.

- 
John Airey
Systems Engineer, iSys, Royal National Institute for the Blind,
PO BOX 173, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 375255 [EMAIL PROTECTED] 




RE: ssl & proxy .. again

2000-01-23 Thread Airey, John

I use the following virtual host configuration to connect certain users over
the Internet (real names of systems and IPs have been changed):


# Proxy to security (security measure)

ServerAdmin [EMAIL PROTECTED]
ServerName security.rnib.org.uk
SSL Stuff here ...
Auth Stuff here ...
ErrorLog /var/log/httpd/security-error_log
TransferLog /var/log/httpd/security-access_log
ProxyPass / http://real-security/ 

This takes a secure connection to the virtual host "security", and proxies
all requests to the host "real-security" via http. In this case, the proxy
is on the internal network and passwords are encrypted over the 'net. (I've
missed out the SSL and Auth bits). In fact, the proxied host "real-security"
cannot be contacted directly. The logging is useful for checking that it
works.

I believe this is the best you can do, unless another program can "proxy"
https. Whereas http is effectively plain text (purists will obviously point
out that iso-8859-1 isn't exactly plain text, but I know that!), https is
encrypted end to end. To pass data from one https connection to another
would make the security next to useless.
 
(Actually I'd like to authenticate users via TACACS+, but that's another
question altogether).

John

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 19/01/00 16:57
Subject: ssl & proxy .. again

Hi there,

in the mail archive I found a discussion about using an https connection
from browser to proxy, regardless of the request type ( browser <- ssl
-> proxy <- whatever -> server ).

Actually, I am trying to set this up myself, without success so far, and
would like to ask if it can be done somehow.

The reason for doing this is that I want my users to authenticate
against apache through some module ( mod_auth_nds, actually, but it
could be any auth module ) and by their authentication / authorization
define who can use which Internet resources.
I do not want their NDS password going over the net in plain text,
though.

Does anybody know, if / how this can be accomplished?

regards,

Andreas 


[EMAIL PROTECTED]
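The first of Rossen's three schemes, and the virtual host John sketches above, written out as one complete configuration. This is an added example, not either poster's own setup: the host names, the listening address, the certificate paths and the credential file are assumed; "real-security" is the internal name used in John's message.

```apache
# Added example (not from the thread). Assumed: 192.0.2.10, security.example.org,
# the certificate/key paths and the .htpasswd file. Scheme being implemented:
#   web client --HTTPS--> proxy (apache) --HTTP--> httpd internal (real-security)

# Never act as an open forward proxy; only the ProxyPass mapping below is exposed.
ProxyRequests Off

Listen 443
<VirtualHost 192.0.2.10:443>
    ServerName  security.example.org
    ServerAdmin webmaster@example.org

    # The proxy terminates SSL, so this is the only host that needs mod_ssl.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl.crt/security.crt
    SSLCertificateKeyFile /etc/httpd/ssl.key/security.key

    ErrorLog    /var/log/httpd/security-error_log
    TransferLog /var/log/httpd/security-access_log

    <Location />
        # Refuse the request if it ever arrives without SSL, so Basic auth
        # credentials can only be sent over the encrypted client leg.
        SSLRequireSSL

        AuthType Basic
        AuthName "Security console"
        AuthUserFile /etc/httpd/secret/.htpasswd
        Require valid-user
    </Location>

    # Back-end leg is cleartext HTTP (stock Apache 1.3 ProxyPass only speaks
    # http, as noted in the thread), so "real-security" has to live on the
    # internal network and must not be reachable from the Internet directly.
    ProxyPass        / http://real-security/
    ProxyPassReverse / http://real-security/
</VirtualHost>
```

ProxyPassReverse rewrites Location headers from the back end so redirects keep pointing at the HTTPS front end rather than leaking the internal name.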



TACACS+ authentication using apache_mod-ssl

2000-01-07 Thread Airey, John

Can anyone tell me if it is possible to use TACACS+ authentication to a web
site over a secure link using apache-mod_ssl?

I'm currently using Redhat 6.0 with apache-mod_ssl-1.3.9.2.4.9-0.6.0 and
openssl-0.9.4-1

Many thanks.

- 
John Airey
Systems Engineer, iSys, Royal National Institute for the Blind,
PO BOX 173, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 375255 [EMAIL PROTECTED] 
