Re: Mod_proxy and client certificate auth

2006-06-08 Thread BJ Swope
Guess I've been hearing wrong for 3 years now ;)

Time to go digging...

On 6/8/06, Paul D. Robertson <[EMAIL PROTECTED]> wrote:
On Wed, 7 Jun 2006, BJ Swope wrote:
> From everything I've heard and read, mod-proxy will not proxy HTTPS on the
> back like what you are asking.  You can have HTTPS on the front end but not
> on the back.  It will have to be HTTP to the back.
>
> If you get this working I would LOVE to hear how you got it done
>

I'm getting end-to-end SSL, just the undesired (this time) effect of
having the client cert passed all the way through the chain, which I'd
expect folks to want as normal behavior.

Paul
-
Paul D. Robertson  "My statements in this message are personal opinions
[EMAIL PROTECTED]   which may have no basis whatsoever in fact."
http://fora.compuwar.net  Infosec discussion boards
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]
-- We are all slave to our own paradigm. -- Joshua Williams


Re: Mod_proxy and client certificate auth

2006-06-07 Thread BJ Swope
From everything I've heard and read, mod-proxy will not proxy HTTPS on
the back like what you are asking.  You can have HTTPS on the
front end but not on the back.  It will have to be HTTP to the
back.

If you get this working I would LOVE to hear how you got it done

On 6/6/06, Paul D. Robertson <[EMAIL PROTECTED]> wrote:
Hi,

I'm trying to get mod_proxy to work as an SSL proxy using a client
certificate on the proxy to connect to a backend IIS server that's set up
to use any client certificate signed by my OpenSSL-based CA.

If I use a browser with the same certificate bundled up as a PKCS12
bundle, through the proxy, it all works, but what I really need is for
Apache/mod_ssl to use a locally stored version of the cert/key to connect,
then let the IIS server do its normal basic auth.  That's one single
client cert/key for all externally connecting users (yes, I understand
the ramification- it's not for user authentication,) not a per-user proxy
cert.

Here's what I have in my Apache ssl.conf file:

RequestHeader set Front-End-Https "On"
CacheDisable *
SSLProxyEngine On
ProxyPass /app https://iisserver/app
ProxyPassReverse /app https://iisserver/app
SSLProxyMachineCertificatePath conf/cert
SSLEngine on

conf/cert contains user.pem, a .pem cert file with an RSA private key
catenated to it.  I also have a hash link to the user.pem cert file.

Just in case, I've also added "export OPENSSL_ALLOW_PROXY_CERTS=1" to
bin/envvars.

Can anyone tell me what I'm doing wrong?

Thanks,
Paul
-
Paul D. Robertson  "My statements in this message are personal opinions
[EMAIL PROTECTED]   which may have no basis whatsoever in fact."

-- We are all slave to our own paradigm. -- Joshua Williams


Re: A SSL scenario (involving multiple SSL-servers)

2006-04-25 Thread BJ Swope
Every item the browser requests, such as images, comes from a unique/distinct connection.

So the links to the other web servers will result in independent
connections to the other web servers.  So you should be good to go.

On 4/24/06, Vishwas <[EMAIL PROTECTED]> wrote:
Hello there,

I have a few doubts, the scenario goes as below.

Scenario:
There are 4 SSL-enabled Apache servers {A1, A2, A3, A4}, all of them
independently controlled and have valid certificates. Now, a "user" on
A1 designs an HTML page (index.html) that refers to images from all the 4
servers. The links to these images are specified in the HTML file using
"https://A[1-4]/..."

Questions:
1. A request for https://A1/~user/index.html comes. The requestor is going
to get a SSL connection from A1. And the content from A1 to the browser is
flowing through the SSL-tunnel. I think only the files that reside on A1
are going to flow through this tunnel from A1 to the browser!? And the
files from A2, A3, and A4 are flowing through separate SSL-tunnels to the
browser!? Then the browser shows only one PADLOCK symbol, will it be for
A1? YES. Then what about the SSL-connections from A2, A3, and A4? How does
the browser tell its user about these connections?

2. Or does A1 bring the files from A2, A3, and A4 that are referred to
inside the "index.html" file by the "user" and serve them to the browser?

I am confused. Because my understanding was SSL is Secure socket layer,
and one cannot tamper with this tunnel. And I used to think, when I ask
the browser to open some URL, it opens a connection (by obtaining a
socket, say 56789, from underlying OS) to the port 80 of URL server. Now I
feel, if the URL page has objects residing on other servers, my browser
opens separate sockets (different from 56789) for these objects.!? Please
clarify my doubts. Or point me to some guides et al.

Thank you for your patience.

--
Best Regards,
Vishwas.
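A small check for the scenario above, added here as an example (it is not from the original posts): given index.html served by A1, it lists each distinct (host, port) the browser will negotiate a separate TLS connection with, and flags any http:// reference, which is what the browser reports as mixed content. The HTML is constructed to mirror the A1..A4 layout; the page URL is assumed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: index.html on A1 pulling subresources from A2..A4,
# plus one deliberate http:// reference to show the mixed-content case.
SAMPLE_HTML = """
<html><body>
<img src="/images/local.png">
<img src="https://A2/images/logo.png">
<img src="https://A3:8443/images/banner.png">
<script src="https://A4/js/app.js"></script>
<img src="http://A4/images/insecure.png">
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect the URL attribute of tags that trigger subresource fetches."""
    TAGS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        want = self.TAGS.get(tag)
        for name, value in attrs:
            if name == want and value:
                self.urls.append(value)


def origins(html, page_url):
    """Return (set of https (host, port) origins, list of non-https URLs).

    Each distinct https origin is a separate TLS handshake and certificate
    check by the browser; anything non-https on an https page is mixed content.
    """
    collector = ResourceCollector()
    collector.feed(html)
    secure, mixed = set(), []
    for ref in collector.urls:
        absolute = urljoin(page_url, ref)      # resolve relative links against A1
        parts = urlsplit(absolute)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        if parts.scheme == "https":
            secure.add((parts.hostname, port))  # hostname is normalised to lower case
        else:
            mixed.append(absolute)
    return secure, mixed
```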




Re: SSLCACertificateFile crashes Apache

2006-02-07 Thread BJ Swope
On 2/7/06, Liam Kirsher <[EMAIL PROTECTED]> wrote:
>[07/Feb/2006 11:57:08 25653] [error] OpenSSL: error:02001002:system library:fopen:No such file or directory

Are you sure the path is correct?  Is the path relative or absolute as you indicated in your post? 
--
"But we also know the dangers of a religion that severs its links with
reason and becomes prey to fundamentalism" --  Cardinal Paul Poupard
"It morphs into the Republican party!"  -- BJ


Re: SSLPassPhraseDialog & several certificates

2006-01-31 Thread BJ Swope
On 1/30/06, Cliff Woolley <[EMAIL PROTECTED]> wrote:
On 1/30/06, Konstantin N. Bezruchenko <[EMAIL PROTECTED]> wrote:
> Because we already have password-protected certificates, and as i know
> we cant remove password protection from existing certificate.

That's not correct.  Your certificate is not password protected...
your private key is.  And you can definitely remove the password from
the private key.

From the OpenSSL documentation:

To remove the pass phrase on an RSA private key:
openssl rsa -in key.pem -out keyout.pem

To remove the pass phrase on a DSA private key:
openssl dsa -in key.pem -out keyout.pem

Thanks for the correction.  Guess I was close but no cigar... 
--
"But we also know the dangers of a religion that severs its links with
reason and becomes prey to fundamentalism" --  Cardinal Paul Poupard
"It morphs into the Republican party!"  -- BJ


Re: SSLPassPhraseDialog & several certificates

2006-01-30 Thread BJ Swope
On 1/28/06, Konstantin N. Bezruchenko <[EMAIL PROTECTED]> wrote:
Greetings,

I need to set up a new virtualhost with an ssl certificate, and I don't want
to enter passwords every time Apache restarts. When I have only one
certificate I use:

SSLPassPhraseDialog exec:/path/to/apache/bin/startssl.pl

I tried to set two SSLPassPhraseDialog with two different exec scripts, but
apache could not start. When I enter the password manually, everything is ok.
So how can I use SSLPassPhraseDialog for 2 certificates that require
passwords?
Why not save the certificates without passphrases? 
--
"But we also know the dangers of a religion that severs its links with
reason and becomes prey to fundamentalism" --  Cardinal Paul Poupard
"It morphs into the Republican party!"  -- BJ
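The two SSLPassPhraseDialog threads above and the earlier mod_proxy thread share one practical point, so here is a single added example (not code from the original posts or from mod_ssl). SSLPassPhraseDialog may appear only once, in the server config, so two encrypted keys need one exec: helper that answers for both; the documented exec: interface, assumed here, is that Apache runs the program with two arguments, "servername:port" and the key type ("RSA" or "DSA" on the Apache 2.0/2.2 builds of the period), and reads the pass phrase from stdout. The same file also carries a check for whether a PEM key is still encrypted, which matters for the mod_proxy thread because SSLProxyMachineCertificatePath does not support encrypted private keys. The table format and its contents are constructed for the example.

```python
#!/usr/bin/env python3
"""One SSLPassPhraseDialog exec: helper serving several virtual hosts."""
import sys

# Constructed table, one "servername:port keytype passphrase" line per key.
# In real use this lives in a root-only (mode 0600) file, not in the script.
TABLE = """\
# host:port           type  passphrase
www.example.com:443   RSA   correct-horse-battery
mail.example.com:443  RSA   staple-quux
"""


def parse_table(text):
    """Map (servername:port, KEYTYPE) -> pass phrase; skip blank/comment lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host_port, keytype, phrase = line.split(None, 2)
        table[(host_port, keytype.upper())] = phrase
    return table


def lookup(args, table):
    """Return the pass phrase for Apache's two arguments, or None if unknown."""
    if len(args) != 2:            # anything else is not the documented call shape
        return None
    return table.get((args[0], args[1].upper()))


def is_encrypted_pem(pem_text):
    """True when a PEM private key still needs a pass phrase: either the
    traditional 'Proc-Type: 4,ENCRYPTED' header or a PKCS#8 'ENCRYPTED
    PRIVATE KEY' label.  Such a key cannot be used by
    SSLProxyMachineCertificatePath and needs SSLPassPhraseDialog otherwise."""
    return ("Proc-Type: 4,ENCRYPTED" in pem_text
            or "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text)


if __name__ == "__main__":
    phrase = lookup(sys.argv[1:], parse_table(TABLE))
    if phrase is None:
        sys.exit(1)               # unknown host/key: fail rather than emit nothing
    sys.stdout.write(phrase + "\n")
```

Pointing SSLPassPhraseDialog at this one script (exec:/path/to/this.py) covers every virtual host listed in the table; hosts missing from it make Apache's start-up fail visibly instead of hanging on a prompt.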


Re: Back in the ModSSL group?

2006-01-23 Thread BJ Swope
Until the "me toos" this list received about 1 mail a month...

On 1/23/06, Peter Reilly <[EMAIL PROTECTED]> wrote:
It happened to me as well.

- Original Message -
From: "Joachim Feise" <[EMAIL PROTECTED]>
To:
Sent: Monday, January 23, 2006 11:56 AM
Subject: Re: Back in the ModSSL group?

> Kyle wrote on 01/23/06 06:55:
>>
>> Hi, I quit this forum a while back, and today I am suddenly receiving
>> e-mails again.  What's going on?  How did I get back in the group?
>>
>> Ditto here.
>> Can someone tell me how to opt-out again?  I no longer have any of my
>> old subscription info, and opt-out instructions aren't included in the
>> e-mails like other e-mail forums I use.
>>
>
> It says
>
> Automated List Manager[EMAIL PROTECTED]
>
> At the bottom of the mails. Just send an email to that address, and you
> get the usual majordomo help email with unsubscribe info.
>
> I agree, though, that this should not have happened in the first place.
>
> -Joe

--
"But we also know the dangers of a religion that severs its links with
reason and becomes prey to fundamentalism" --  Cardinal Paul Poupard
"It morphs into the Republican party!"  -- BJ


Re: Environment variables question

2005-10-11 Thread BJ Swope
I was wanting a context for the information.  Oftentimes context will provide indicators of purpose.


Re: Environment variables question

2005-10-11 Thread BJ Swope
Post your certificate and I'd be glad to take a look.

BJ

On 10/11/05, Dr. Harry Knitter <[EMAIL PROTECTED]> wrote:
Hello,

I have a question about the meaning of some environment variables for mod_ssl.
What do the fields T, I, G, S, and D in subject or issuer DNs mean,
respectively, to which fields of a certificate do they point?

Thanks
Harry


Internet Explorer Security Warning Using Self Signed Certificates

2005-06-13 Thread BJ Swope
We are using self signed certificates on our Apache server.

Previously we were able to use the

SSLCACertificateFile /conf/apache/trustroots.ber
or
SSLCertificateChainFile /conf/apache/chain.ber

directives to push the chain of certifiers to IE without IE
complaining.  It would read the chain that was pushed with the
certificate and the session would continue.


For the past 6 to 8 months or so Internet Explorer has been throwing
security warnings saying ...

"The security certificate was issued by a company you have not chosen
to trust.  View the certificate to determine whether you want to trust
the certifying authority."


I know this is not a modssl issue.  The directives used to work, and still do.

If you leave the directive out of the httpd.conf file, the browser
does not show a certificate chain.  With either directive, the browser
will display the complete chain.

I realize that installing the signing CA into IE's (and Mozilla's for
that matter) CA store will resolve the issue, but that's incredibly
difficult to do across many enterprises.

I suspect that this is an "Anti-Phishing" security change in IE but
cannot find anything related on the web.  I have been googling and
cannot find anybody experiencing an issue similar to this. Has anybody
on this list seen anything akin to this?



BJ