IE + SSL = File Upload Problems

2008-10-15 Thread Dave . Chapman

Hello,

Hopefully someone can help...

Environment:

Apache httpd 2.2 + mod_proxy + JK2 + mod_ssl --> JBoss (Tomcat 5.5)

IE 6/7 + WinXP Pro/Win 2003

Problem:

When a large file upload from a http form post reaches a "max allowed
limit" (e.g. 20Mb) on the server, the server returns a response (e.g.
413/406).
Somewhere the SSL part is causing (only) IE to hang for a while (consume
lots of memory/processor time) and then display a page that says:

"Navigation to the webpage was stopped..."

Note: Turning SSL off fixes this behaviour.

Can anyone shed any light on what might be causing this?

Cheers,
Dave

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: Authenticating users based on S/MIME certificate

2008-09-22 Thread Dave Sparks

Gunnar Vestergaard wrote:

> My goal is to let visitors of my web site authenticate themselves to
> my web server using some certificate, possibly S/MIME certificates.

> As I understand the documentation for PHP, there is no means whereby
> PHP can read and interpret an SSL client certificate. Is that correct?

It's possible to configure Apache 2 to add the client certificate to a 
request header.  From one of my configuration files:


  # Assumed context (not shown in the original): RewriteMap needs server or
  # VirtualHost scope, and the ESC map is what %-encodes the certificate.
  RewriteEngine On
  RewriteMap ESC int:escape

  # Capture the %-escaped PEM block of the client certificate into %1.
  RewriteCond ${ESC:%{SSL:SSL_CLIENT_CERT}} \
^.*(-----BEGIN%20(X509%20|TRUSTED%20|)CERTIFICATE-----(%0[Dd])?%0[Aa].*%0[Aa]-----END%20\2CERTIFICATE-----(%0[Dd])?%0[Aa]).*$
  RewriteRule ^.*$ - [E=CLIENT_CERT:%1]

  # Drop any copy of the header the client sent, then set it from the env var
  # only when a certificate was captured.
  RequestHeader unset L-ClientCert
  RequestHeader set L-ClientCert %{CLIENT_CERT}e env=CLIENT_CERT

The certificate is %-encoded to avoid problems with newline characters. 
 Presumably PHP can use the string in the header to match the 
certificate against a list of known certificates.


The certificate digest would be less unwieldy than the entire 
certificate, but mod_ssl would need some simple changes to make the 
digest available and I would be reluctant to use a hosting provider who 
allowed customers to use a modified mod_ssl.



Dave Sparks
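As an added example (not code from the original post), here is the application side of the scheme Dave describes, written in Python rather than the PHP he has in mind: it %-decodes the L-ClientCert header, extracts the DER certificate and matches its SHA-256 digest against an allow-list. The RequestHeader unset line in his configuration is what stops a client from supplying its own L-ClientCert header, so the application may trust the header only because Apache rewrites it on every request. The header name and the escaping come from the post; the sample certificate bytes below are constructed and are not a real certificate.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

# Name of the request header set by the RequestHeader directive in the post.
HEADER_NAME = "L-ClientCert"

# The %-decoded form of the post's RewriteCond pattern: a PEM block whose
# BEGIN and END labels agree (X509, TRUSTED or plain CERTIFICATE).
PEM_BLOCK = re.compile(
    r"-----BEGIN (X509 |TRUSTED |)CERTIFICATE-----\r?\n"
    r"(.*?)\r?\n"
    r"-----END \1CERTIFICATE-----",
    re.DOTALL,
)


def header_to_der(header_value):
    """%-decode the header and return the DER bytes of the PEM body.

    Returns None when the header does not carry a well-formed PEM block,
    so a garbled or hand-crafted value can never match the allow-list.
    """
    pem = unquote(header_value)
    match = PEM_BLOCK.search(pem)
    if match is None:
        return None
    body = "".join(match.group(2).split())  # strip the base64 line breaks
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def fingerprint(der):
    """SHA-256 of the DER encoding: the compact digest the post would
    rather match on than the whole certificate."""
    return hashlib.sha256(der).hexdigest()


def authenticate(headers, allowed_fingerprints):
    """Return the fingerprint of the presented certificate if it is on the
    allow-list, else None.  `headers` is a dict of request headers (names
    compared case-insensitively); PHP would read $_SERVER['HTTP_L_CLIENTCERT'].
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == HEADER_NAME.lower()), None)
    if value is None:
        return None  # Apache unset the header: no client certificate presented
    der = header_to_der(value)
    if der is None:
        return None  # malformed header: treat as unauthenticated
    fp = fingerprint(der)
    for known in allowed_fingerprints:
        if hmac.compare_digest(fp, known):  # constant-time comparison
            return fp
    return None


# --- constructed sample data: NOT a real certificate ------------------------
# Any byte string exercises the decode-and-digest path; a real deployment
# would list the SHA-256 digests of genuine client certificates in DER form.
SAMPLE_DER = b"\x30\x82\x00\x10constructed-sample-certificate-bytes"
ALLOWED = [fingerprint(SAMPLE_DER)]


def sample_header(der=SAMPLE_DER, label="X509 "):
    """Build a header value the way the post's int:escape map would: the PEM
    block with spaces and newlines %-escaped."""
    body = base64.encodebytes(der).decode("ascii").rstrip("\n")
    pem = (f"-----BEGIN {label}CERTIFICATE-----\n{body}\n"
           f"-----END {label}CERTIFICATE-----\n")
    return quote(pem, safe="")


if __name__ == "__main__":
    # Known certificate is accepted; an unknown one and a missing header are not.
    print(authenticate({"L-ClientCert": sample_header()}, ALLOWED))
    print(authenticate({"L-ClientCert": sample_header(b"someone else")}, ALLOWED))
    print(authenticate({}, ALLOWED))
```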



Re: SSL proxy

2008-07-11 Thread Dave Paris
It seems like you might be confusing "shared infrastructure" with 
"single ip".  As others have said, you need a distinct address for each 
SSL-enabled httpd or proxy, although they can reside on the same hardware.


A good example of this is the typical configuration for larger server 
farms. You find multiple High Availability load balancers in the DMZ for 
both http and https using something like ha/keepalived for linux.  These 
proxy the incoming request back into private address space.  The SSL 
proxies terminate the SSL connection and broker the request on behalf of 
the user and everything goes to the private address space in plain http.
This allows each of the _real_ webservers to achieve better 
performance since the SSL overhead is not present.


While you can use Apache as an SSL-terminating proxy, I find I get 
better performance, lower memory utilization and easier configuration 
using Pound ( http://www.apsis.ch/pound/ ). Using keepalived, I have 
multiple public IP addresses floating between several hosts and pound 
binds https to those addresses.


Hope that adds a bit of additional clarity,
Dave

Cuesta Gilles sent forth:

So what about this ?
"*MULTIPLE CN (SAN) SERVER CERTIFICATES*

This type of certificate (also called /Subject Alternative Name/ (SAN) ) 
enables to secure not only one website but a large number of sites (a 
list of sites) hosted on a shared infrastructure (server with multiple 
names, reverse proxy). Ideal to secure multiple brands of a corporation. 
One certificate per hardware is required."


http://www.tbs-certificats.com/index.html.en




Re: Will these name based virtual host work with SSL?

2007-10-16 Thread Dave Paris

re-read my previous mail on rewriting the URL.

You *might* want to do something further, like:

http://dev101.domain.com/secure/   gets rewritten to:
https://www.domain.com/dev101/

mod_rewrite is your friend.  ok, so it's more like a thug that clubs you 
over the head before patting you on the back and handing you a beer - 
but it's still your friend.


-d

[EMAIL PROTECTED] wrote:

Thanks for the info.  From what I gather I will not be able to access the 
virtual hosts via SSL since they are name based, unless I use the mod_gnutls 
apache module.  Now my question is, if I purchase only 1 SSL certificate, and I 
SSL enable the main server like:

https://www.mydomain.com/

Then of course, none of the virtual hosts like http://devl01.mydomain.com or
http://devl01.mydomain.com would be accessible via SSL.  Would this scenario 
work with just the main server SSL enabled and all the virtual hosts accessed 
via port 80?

-Thanks




 -- Original message --
From: Aaron Dalton <[EMAIL PROTECTED]>

[EMAIL PROTECTED] wrote:
If in my httpd.conf file I have numerous virtual hosts defined with include 
files like:

Include /usr/local/apache/conf/conf.d/devl00.conf
Include /usr/local/apache/conf/conf.d/devl01.conf
Include /usr/local/apache/conf/conf.d/devl02.conf
Include /usr/local/apache/conf/conf.d/devl03.conf


If I SSL enable the entire server in the main httpd.conf file, would I be able 
to access each virtual host on port 443 like https://devl02.mydomain.com/?

I believe I would be able to access https://www.mydomain.com securely as well.
I guess the question is, can you SSL enable the entire server, and access each 
virtual host via port 443?
This comes up so often that it is in the Apache SSL FAQ.  You may not
have more than one SSL host on any given IP/Port combination.

http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts

http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2

--
Aaron Dalton   |   Super Duper Games
[EMAIL PROTECTED]   |   http://superdupergames.org


Re: Will these name based virtual host work with SSL?

2007-10-16 Thread Dave Paris
ok, with my notes and Aaron's, there *is* something you can do.  If you 
create the certificate for www.domain.com, you can rewrite HTTPS 
requests to something like:


https://www.domain.com/dev100/
https://www.domain.com/dev101/

::tosses 0.02$USD on the table::
-d


Aaron Dalton wrote:

[EMAIL PROTECTED] wrote:

If in my httpd.conf file I have numerous virtual hosts defined with include 
files like:

Include /usr/local/apache/conf/conf.d/devl00.conf
Include /usr/local/apache/conf/conf.d/devl01.conf
Include /usr/local/apache/conf/conf.d/devl02.conf
Include /usr/local/apache/conf/conf.d/devl03.conf


If I SSL enable the entire server in the main httpd.conf file, would I be able 
to access each virtual host on port 443 like https://devl02.mydomain.com/?
I believe I would be able to access https://www.mydomain.com securely as well.
I guess the question is, can you SSL enable the entire server, and access each 
virtual host via port 443?



This comes up so often that it is in the Apache SSL FAQ.  You may not
have more than one SSL host on any given IP/Port combination.

http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts

http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts2




Re: Will these name based virtual host work with SSL?

2007-10-16 Thread Dave Paris

a) no.
b) each virtual host would need a separate address - you cannot use SSL 
with name-based virtual hosts.


Best~
-d

[EMAIL PROTECTED] wrote:

If in my httpd.conf file I have numerous virtual hosts defined with include 
files like:

Include /usr/local/apache/conf/conf.d/devl00.conf
Include /usr/local/apache/conf/conf.d/devl01.conf
Include /usr/local/apache/conf/conf.d/devl02.conf
Include /usr/local/apache/conf/conf.d/devl03.conf


If I SSL enable the entire server in the main httpd.conf file, would I be able 
to access each virtual host on port 443 like https://devl02.mydomain.com/?
I believe I would be able to access https://www.mydomain.com securely as well.
I guess the question is, can you SSL enable the entire server, and access each 
virtual host via port 443?


-Thanks


Re: Adding SSL on-the-fly programmatically

2007-08-24 Thread Dave Paris
Ok, so script the chown'ing and permissioning on import.  It's still 
easier on an embedded system to install apache as SSL-capable and only
enable when desired, rather than jumping through flaming hoops and 
loading up the mod_ssl module when needed.


Embedded devices are designed around the KISS principle. The more 
complex you make it, the surer you are to be getting loads of support calls.


Best~
-dsp

SANDER SMITH wrote:

You're right, what I'm asking for is not normal and I understand it. However, your 
suggestions make some assumptions about the "normalcy" of the environment that 
we're dealing with which just isn't the reality of my situation.
   
  The project I'm working on is not to simply secure an e-commerce site running on some big server hardware. I'm looking at apache running on some embedded platform. Users will not be people who understand what chown is, but will be content by just pushing buttons on the front panel of the device. Because of how the device is being deployed, I can even assume that everything can be run under root to simplify things.
   
  So given that this is not a normal case, any ideas on how to proceed?
  


Dave Paris <[EMAIL PROTECTED]> wrote:
  This seems about 180deg from normal. Install Apache with mod_ssl. 
Start it without invoking SSL .. if you get a certificate, you'll want 
to hand-walk it into the right place, chown it to root, and make it 
perm'd to 0400 anyway .. then a quick graceful stop and startssl .. 
*poof*, Bob's yer uncle.


Best~
-d

SANDER SMITH wrote:

I'm looking to do something, but I'm not sure it's even possible. Maybe someone 
can steer me in the right direction.

Let's say that I have a copy of apache running on my server. I also have a 
brand new SSL certificate that was signed by a CA. I'd like to write some code 
to programmatically enable SSL on the server by means of mod_ssl. When I think 
about the steps necessary, I need to:

1. Copy the mod_ssl files to the proper place.
2. Update the mod_ssl config files to point to my SSL certificate.
3. Update the apache config files to recognize and run mod_ssl
4. Cause apache to suddenly start to use mod_ssl

Now steps 1,2, and 3 seem pretty straightforward. Step 4 is a huge handwave, 
and I'm hoping someone can give me some insight. Is it even possible? Does it 
require apache to be restarted? Is there some programmatic way to get apache to 
restart?






Re: Adding SSL on-the-fly programmatically

2007-08-23 Thread Dave Paris
This seems about 180deg from normal.  Install Apache with mod_ssl. 
Start it without invoking SSL .. if you get a certificate, you'll want 
to hand-walk it into the right place, chown it to root, and make it 
perm'd to 0400 anyway .. then a quick graceful stop and startssl .. 
*poof*, Bob's yer uncle.


Best~
-d

SANDER SMITH wrote:

I'm looking to do something, but I'm not sure it's even possible. Maybe someone 
can steer me in the right direction.
   
  Let's say that I have a copy of apache running on my server. I also have a brand new SSL certificate that was signed by a CA. I'd like to write some code to programmatically enable SSL on the server by means of mod_ssl. When I think about the steps necessary, I need to:
   
  1. Copy the mod_ssl files to the proper place.

  2. Update the mod_ssl config files to point to my SSL certificate.
  3. Update the apache config files to recognize and run mod_ssl
  4. Cause apache to suddenly start to use mod_ssl
   
  Now steps 1,2, and 3 seem pretty straightforward. Step 4 is a huge handwave, and I'm hoping someone can give me some insight. Is it even possible? Does it require apache to be restarted? Is there some programmatic way to get apache to restart?
   
   




Re: Apache mod_ssl and FIPS 140-2

2007-06-15 Thread Dave Paris

http://csrc.nist.gov/cryptval/140-1/1401val2007.htm#733

Best~
-d

[EMAIL PROTECTED] wrote:
Does anyone know if the Apache v2.2.x implementation of OpenSSL mod_ssl 
is FIPS 140-2 validated? What version of OpenSSL is distributed with the 
current version of Apache? Any help is much appreciated…


 


Thanks,

*David Gerendas, **CISSP*
McAfee, Inc.
949-297-5600 Main
949-860-3369 Direct
949-289-8677 Mobile
[EMAIL PROTECTED] 

 




Re: mod_ssl setup process with apache 2.2.4

2007-06-12 Thread Dave Paris
That sounds like a lot of unnecessary overhead for the Apache boxes. 
Check:  http://www.apsis.ch/pound/  .. it does precisely what you seek.


Best~
-d

Saikat Saha wrote:

Hi,

 

We are trying to setup apache 2.2.4 along with mod_ssl and mod_jk. Mod_jk 
has been successfully configured and working with two instances of Jboss.


However after installing mod_ssl, does not seem to be 
installed/configured properly. Is there some link which describes step 
by step setup process to configure


Mod_ssl with apache 2.2.4? Can anyone please forward the link?

 

Also, we have three ports, two of them need to be https and one needs to 
be http. How do we configure this?


 

In our configuration, we want Apache to receive https requests from 
clients and then forward http to the Jboss application server thru 
mod_jk. Can someone please point to some link/documentation.


We would assume these are standard practices.

 


Thank you so very much for your kind help.

 


Regards,

SS




Re: Apache wont start with ssl

2007-03-31 Thread Dave Paris

Occasionally, /var/spool/clientmqueue can bite you as well.  The
filesystem will not show 100% used but you'll be out of inodes.  (If
that happens, you'll have loads of fun clearing it out ;-)

Good Luck!
- -dsp




Andy Cravens wrote:
> Judging from the error message "No space left on device" sounds like
> some file system is full... maybe /tmp.  The next time this happens open
> a shell window and type:
> 
> df -k
> 
> Check the output to see if one of your file systems is full.  Look at
> /tmp and /swap specifically
> 
> 
> 
> Ryan Forrester wrote:
>> When attempting to start apache in SSL mode:
>> $ /home/servers/apache_1.3.37/bin/apachectl startssl
>> $ semget: No space left on device
>>  
>> Rebooting the machine allows me to start apache once more.. but after
>> a few days, apache will fail and the same error occurs again, and the
>> only way to resolve is to reboot.
>> - Apache will start in normal mode without a reboot.
>>  
>> error_log doesn't contain any useful information to help troubleshoot the
>> problem.
>>
> 
> 


Re: Decrypting the HTTPS requests

2007-01-19 Thread Dave Paris

I typically use a SSL-terminating reverse proxy in the DMZ, like Pound,
to terminate the SSL connection at the front door and send the request
back into a private subnet over plain HTTP for IDS/IPS detection,
clicktracking, etc.

Best~
- -dsp

Nikhil Kadu wrote:
> Hi Guys,
> 
> Is it possible to decrypt the encrypted data in an HTTPS request/response 
> while sitting in the Apache Proxy? Which functions of MOD_SSL and MOD_PROXY 
> modules need to be tweaked to achieve this? Please let me know if somebody 
> has done some related work.
> 
> Best regards,
> Nikhil Kadu


Re: Same old 405 Post not allowed error

2007-01-18 Thread Dave Paris

Hi Mark,

a) you never added the contents of your  directive (i.e. "with
the following  directives..")
b) you don't specify *why* you need these, particularly given that
you're using IP-based virtual hosts. (i.e. "(which we really need)")

Without this information, it's impossible to answer your question and I
highly suspect that your solution lies with a minor reconfiguration.

Kind Regards,
- -dsp

Mark Diggory wrote:
> Hello,
> 
> I've been doing my research and can't find a solution for this issue, we
> have IP based virtual hosts with the following  directives
> (which we really need) and are getting the 405 Post not allowed error.
> The issue does not seem to be addressed again for 3 years now. Is there
> a solution to this?
> 
> http://marc.theaimsgroup.com/?l=apache-modssl&m=104857625910336&w=2
> 
> Here is my current configuration:
> 
> Gentoo:   1.12.6
> mod_ssl:  2.8.25-r10
> apache:2.0.58-r2
> mod_jk:1.2.19
> tomcat:  5.5.20-r7
> 
> Thanks in advance for any advice,
> 
> Mark R. Diggory
> ~
> DSpace Systems Manager
> MIT Libraries, Systems and Technology Services
> Massachusetts Institute of Technology
> 
> 


Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Dave paris

In an earlier note, you said that it was 10K-100K *concurrent* users.

a) that's a magnitude of difference, see if you can get better numbers 
from whomever is doing the marketing/project planning.
b) ain't no way you're going to do that many *CONCURRENT* transactions 
on a single box.


-d

Pigeon wrote:

Hmm.. 10k -100k are pretty much  guaranteed numbers..

So my main computer crunching will be done at the beginning? (and to 
relieve this I can do session key caching.. how long can I cache a key? 
is this 'secure'?)  (also.. all transfers will be ~15megs in size)


And using a single server is out of the question?

If we just go with one server.. shouldn't it be something super fast.. 
amd64 1gig ram?


thanks!
Lee




On Mon, 26 Sep 2005, Pigeon wrote:


Hello, I am trying to plan a system that can handle 10k-100k users.

I am only using apache w/mod-ssl

What should I look at to reduce overhead of bandwidth/cpu/mem?

At what point should I look at ssl accelerators?

Should I definitely look at clustering?

Also.. I have heard about ssl session key caching, anyone know how 
much this will improve things?

Any good resources I can read?


thanks!
Lee


Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Dave paris
I use Pound (http://www.apsis.ch/pound/) as an SSL-terminating reverse 
proxy .. on commodity hardware, it can handle - at least according to 
quotes from the field - up to around 400 conns/sec.  It also affords you 
some additional firewalling in that you can put the SSL terminating 
accelerator in the DMZ and pass straight HTTP traffic to the backend 
without the client ever directly connecting to the web server/cluster.


I also use keepalived to keep a pair of Pound proxies in a 
high-availability scenario.  If you really need it, you could probably 
put up a HA/LVS cluster of Pound proxies up that terminate and proxy 
traffic for an entire web farm - if your traffic demands it.


The other bonus is that by terminating SSL at the DMZ, your IDS/IPS 
system gets a chance to peek at the traffic.


Pound does numerous other things as well (URL normalization, etc) .. 
head to the URL and have a good read.


Best~
-d

Pigeon wrote:

Hello, I am trying to plan a system that can handle 10k-100k users.

I am only using apache w/mod-ssl

What should I look at to reduce overhead of bandwidth/cpu/mem?

At what point should I look at ssl accelerators?

Should I definitely look at clustering?

Also.. I have heard about ssl session key caching, anyone know how much 
this will improve things?


Any good resources I can read?


thanks!
Lee


Re: Multiple Virtual Servers with modssl

2005-06-22 Thread Dave Paris

Jeffrey M. Johnson wrote:
I am knew to this list and have spent many hours looking for an answer I 
am sure is probably right in front of my face.


"knew"?!  from a .edu address?  ::boggle::  alas, I digress.

I have a host that has 40 some virtual hosts associated with it, but 
only one of those hosts is configured for modssl.   I now need to 
configure a second (and possibly more) virtualhosts for modssl.


No such thing as multiple hosts under one certificate.  Use one 
certificate per virtual host.



First, I am assuming this can be done.


Bad assumption.  It can't by virtue of the design of SSL.


Second, I can’t figure out how it can be done.


See my previous answer.


Any help would be appreciated.


Search the archives.  This one rears its ugly head fairly frequently.

-dsp


RE: Again: "License" of ca-bundle.crt

2004-06-17 Thread Dave Paris
Yes, without equivocation, databases can be protected by copyright.  I do agree with 
Joe about the originality and creativity requirement, since this is necessary public 
information.

Much better information:
http://www.bitlaw.com/copyright/database.html

Kind Regards,
-dsp

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Joe Orton
> Sent: Wednesday, June 16, 2004 4:27 PM
> To: AIDA Shinra
> Cc: [EMAIL PROTECTED]
> Subject: Re: Again: "License" of ca-bundle.crt
> 
> 
> On Thu, Jun 17, 2004 at 05:09:31AM +0900, AIDA Shinra wrote:
> > Hello,
> > 
> > I am packaging sole ca-bundle.crt for Fink.
> > 
> http://sourceforge.net/tracker/index.php?func=detail&aid=928157&group_id=17203&atid=414256
> > 
> > Fink package system has "License" field. I must fill it. What is the
> > "license" of sole ca-bundle.crt? Mod_ssl license? Or nothing like
> > "license"?
> 
> It's a tricky legal question, I think.
> 
> The original source of the ca-bundle.crt was a database shipped with the
> Netscape browser.  It's possible to derive a new ca-bundle.crt from the
> Mozilla source code, which is what Debian do in their ca-certificates
> package.  Debian say that the resultant CA certificate bundle is
> licensed under the MPL, as its source in Mozilla is.
> 
> But can a database be copyrighted?  Can a database made up of copies of
> necessarily-public CA certificates published by third parties be
> copyrighted?  It is somewhat lacking in "originality", which is one of
> the requirements for US copyright law to apply, at least.
> 
> You may be better off asking a lawyer, unfortunately!
> 
> joe


RE: Install Questions

2004-03-01 Thread Dave Paris
First and foremost, if this is a world-accessible server, upgrade your
version of OpenSSL to the most recent available for RH7.3 (I'd also consider
upgrading to RH9.0 while you're at it).  0.9.6b has several security
vulnerabilities outlined at www.openssl.org.  Also, use the most current
versions of Apache and mod_ssl.

.. that being said..

Generally speaking, the standard, non-DSO build can be summarized as such:

# build and install OpenSSL from source (http://www.openssl.org)
# (the three source trees are assumed to be sibling directories)
cd ${OPEN_SSL_SRC_DIR} ; CFLAGS=${CFLAGS} ./config -fPIC
make
make test
make install

# build mod_ssl/patch Apache source (http://www.modssl.org)
cd ../${MOD_SSL_DIR}
CFLAGS=${CFLAGS} ./configure --with-apache=../${APACHE_SRC_DIR}

# build and install Apache from source (http://httpd.apache.org)
cd ../${APACHE_SRC_DIR}
CFLAGS=${CFLAGS} SSL_BASE=../${OPEN_SSL_SRC_DIR} \
./configure --enable-module=ssl
make
make install

# done..
There are numerous other configuration directives, but the above will build
a mod_ssl capable Apache instance for you.

Kind Regards,
-dsp

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Bob Cohen
> Sent: Monday, March 01, 2004 11:58 AM
> To: [EMAIL PROTECTED]
> Subject: Install Questions
>
>
> Hi,
>
> Please forgive the newbie questions, I'm a web designer bumbling my way
> through system administration.  I really did make an effort to search
> the archives. :-)  Time's running short to get this project done.
>
> The box on which I'm working has RedHat 7.3 with openssl-0.9.6b-35.7
> installed as an RPM.
[...]




Re[2]: rse has beagle-a virus ?

2004-02-29 Thread Dave Paris
As I suspected, none of these messages originate from Ralf.  Just 
checking the original headers on the most recent batch of six I got 
overnight...

from cruzeiro (cruzeiro.fisc.wwu.edu [140.160.220.200])	by master.modssl.org
from CLS-TORG1010-27 (torg1010-27.its.vt.edu [128.173.44.191])	by master.modssl.org
from CLS-TORG1010-24 (torg1010-24.its.vt.edu [128.173.44.188])	by master.modssl.org
from CLS-TORG1010-30 (torg1010-30.its.vt.edu [128.173.44.194])	by master.modssl.org
from woofie (A052105.N1.Vanderbilt.Edu [129.59.52.105])	by master.modssl.org
from AdamBroughton (asdl00.ae.gatech.edu [130.207.39.100])	by master.modssl.org

What this tells me is that someone realized the .edu addresses on the 
listserv were low hanging fruit.  Nice job.  Try partying less, studying 
more, and figure out how to keep yourself from being infected (on 
multiple fronts).  [aside:  pisses me off that I have to deal with spam 
from cracked/infected boxes from .edu domains ... I think I'm just going 
to reject all .edu-headered mail.  it's a hugely sad commentary that 
people from institutions of *higher* education can't grasp the concept 
of DON'T CLICK ON F^&KING ATTACHMENTS YOU'RE NOT EXPECTING and USE A 
[EMAIL PROTECTED] A/V PACKAGE ALREADY, DAMNIT.  I mean really, people.. you're 
shelling out a TON of money and you don't seem to be one lick smarter 
than Jimmy Joe-Jobber's mom who'll click on everything and anything 
since getting her PC two weeks ago.  If you're as f%$king stupid as you 
appear to be, give it up .. save yourself the money and give your slot 
at school to someone else.  There's no shame in doing manual labor for a 
living.  Society needs both ends of the spectrum.  If you can't figure 
out the "don't click" stuff, I have no idea what you're going to do with 
number theory or algorithms (assuming you're in a CS program).  I vote 
to kick the .edu's off the listserv until they prove they've got an 
intellectual agility quotient above that of a small soapdish.  If this 
pisses off admins for .edu's, sorry .. life's a bitch, grab a helmet. 
The rest of us out in the real world have to deal with [l]users like 
this and keep our networks clean for the rest of the planet - you're no 
different... you just have a harder job that I certainly don't envy. 
Perhaps instituting a "three strikes" policy for students .. the first 
infection gets you a warning .. the second gets you booted off the 
school's network .. the third (meaning you violated both the 2nd AND 
1st) gets you booted from school.  Hrmm.. not a bad idea, I suppose. 
Anyway .. rant mode is now OFF.]

Kind-ish Regards,
-dsp :-)
[...]


RE: rse has beagle-a virus ?

2004-02-27 Thread Dave Paris
More likely a faked 'From' address.  While possible, it's highly improbable
that the source is actually Ralf's machine.  I've routed my copies to
/dev/null so I can't examine the headers to determine if the source address
actually resides in Europe or not.

Kind Regards,
-dsp

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of madhon
> Sent: Friday, February 27, 2004 6:31 PM
> To: [EMAIL PROTECTED]
> Subject: rse has beagle-a virus ?
>
>
> just had a couple of copies of this come through from [EMAIL PROTECTED] ...
> someone needs to check their machine
>
>


[moderator-request] Re: Your Contact Info

2003-11-04 Thread Dave Paris
Will the moderator(s) be so kind as to killfile this user?   Thanks, we 
get enough spam without it bypassing internal filters for important 
listservs like modssl-users.

Kind Regards,
-dsp
On Tuesday, Nov 4, 2003, at 10:53 US/Eastern, Kevin Klawon wrote:





RE: ASN.1 Encoding errors

2003-10-08 Thread Dave Paris
Wonder if this has anything to do with the recent "repairs" to the ASN.1
subsystem in OpenSSL.  http://www.openssl.org/news/secadv_20030930.txt

-dsp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jeffrey Burgoyne
Sent: Wednesday, October 08, 2003 7:04 AM
To: [EMAIL PROTECTED]
Subject: Re: ASN.1 Encoding errors



Hmm, just noticed something a bit more suspicious. The error does not come
up every time for the same certs. It sometimes does not seem to come up at
all.

Jeff

On Wed, 8 Oct 2003, Jeffrey Burgoyne wrote:

> Hi;
>
> I just upgraded an Apache server 1.3.26 with OpenSSL 0.9.7c and mod_ssl
> 2.8.9 from OpenSSL 0.9.6d.
>
> I now get the following errors :
>
> Server www.eac-trousse.ic.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server biotech.gc.ca:443 (RSA)
> 213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad
> tag:a_set.c:179:
> 213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag:tasn_dec.c:946:
> 213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
> error:tasn_dec.c:304:Type=RSA
> 213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> lib:d2i_pr.c:96:
> Enter pass phrase:
>
> Server strategis.gc.ca:443 (RSA)
> 213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad
> tag:a_set.c:179:
> 213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag:tasn_dec.c:946:
> 213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
> error:tasn_dec.c:304:Type=RSA
> 213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> lib:d2i_pr.c:96:
> Enter pass phrase:
>
> Server production.paymentnotification.ic.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server ip-pi.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server cbac-cccb.ca:443 (RSA)
> Enter pass phrase:
>
> Server corporations.ic.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server corporationscanada.ic.gc.ca:443 (RSA)
> 213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad
> tag:a_set.c:179:
> 213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag:tasn_dec.c:946:
> 213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
> error:tasn_dec.c:304:Type=RSA
> 213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> lib:d2i_pr.c:96:
> Enter pass phrase:
>
> Ok: Pass Phrase Dialog successful.
> /usr/local/apache/bin/apachectl startssl: httpd started
> strategis>
>
>
>
> The virtual hosts with the error still seem to work fine.
>
> Ideas?
>
> Jeffrey Burgoyne


RE: Modssl wait background script to finish

2003-09-01 Thread Dave Paris
Someone with more PHP experience than I will need to address the use of
exec() in the context of PHP, but were this Perl then exec() would stop the
running Perl process after launching the external process - which would have
the effect of stopping your running Perl script.

Whether PHP operates similarly, I'm not sure (I don't do anything with
PHP).. however this might be something to look into since (as I understand
it) many of PHP's internals were borrowed from Perl originally.  If this was
Perl, you'd want either system(), open2(), open3(), or backticks.

Good luck!
-dsp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Vincent KERAVEC
Sent: Monday, September 01, 2003 11:59 AM
To: [EMAIL PROTECTED]
Subject: Re: Modssl wait background script to finish


Thanks for your response,
Sorry, I meant 443 and not 143  :(

I just want to run a bash script on the server.
I launch the script with:
 /dev/null &");
?>

The page loads successfully, but when I follow a link the server doesn't
respond.
If I use another browser, the server responds normally.

Vincent KERAVEC

Dave Paris wrote:

>A couple questions.  Is this something like a SSL-protected web interface
to
>an IMAP server (ref: your mention of port 143)?  If so, are you accepting
>certain directives which are being passed on to the IMAP server (ref:
"start
>the script on port 143")?  If this is the case, it sounds like what you're
>intending to do is start a "fire and forget" script .. not being concerned
>about the return value from the script.  If that's the case, you may want
to
>look at creating a IPC process of some sort that can be left to fend for
>itself after being started, allowing a response to get back to the user.
>
>Is this an accurate assessment of what you're trying to do?
>
>-dsp
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] Behalf Of Vincent KERAVEC
>Sent: Monday, September 01, 2003 11:32 AM
>To: [EMAIL PROTECTED]
>Subject: Modssl wait background script to finish
>
>
>Hello,
>I've got a problem with modssl. When I run a script in the background, the
>server doesn't respond to the browser that started the script on port 143
>until the script finishes. The server continues to reply to all other browsers.
>
>I'm running Apache/2.0.40 (Red Hat Linux) with mod_ssl/2.0.40 and
>OpenSSL/0.9.7a. I'm also using client side authentication.
>
>Is there something to change in the ssl configuration to allow
>background processes ?
>
>Thanks,
>Vincent KERAVEC
>
>ps : When I put modssl in loglevel debug the server seems to wait after
>this message :
>[Wed Aug 27 15:10:30 2003] [debug]
>/usr/src/build/250859-i386/BUILD/httpd-2.0.40/modules/ssl/ssl_engine_io.c(1005):
>
>
>+-+
>[Wed Aug 27 15:10:30 2003] [info] Initial (No.1) HTTPS request received
>for child 0 (server ***..***:443)
>
>
>




RE: Modssl wait background script to finish

2003-09-01 Thread Dave Paris
A couple questions.  Is this something like a SSL-protected web interface to
an IMAP server (ref: your mention of port 143)?  If so, are you accepting
certain directives which are being passed on to the IMAP server (ref: "start
the script on port 143")?  If this is the case, it sounds like what you're
intending to do is start a "fire and forget" script .. not being concerned
about the return value from the script.  If that's the case, you may want to
look at creating a IPC process of some sort that can be left to fend for
itself after being started, allowing a response to get back to the user.

Is this an accurate assessment of what you're trying to do?

-dsp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Vincent KERAVEC
Sent: Monday, September 01, 2003 11:32 AM
To: [EMAIL PROTECTED]
Subject: Modssl wait background script to finish


Hello,
I've got a problem with modssl. When I run a script in the background, the
server doesn't respond to the browser that started the script on port 143
until the script finishes. The server continues to reply to all other browsers.

I'm running Apache/2.0.40 (Red Hat Linux) with mod_ssl/2.0.40 and
OpenSSL/0.9.7a. I'm also using client side authentication.

Is there something to change in the ssl configuration to allow
background processes ?

Thanks,
Vincent KERAVEC

ps : When I put modssl in loglevel debug the server seems to wait after
this message :
[Wed Aug 27 15:10:30 2003] [debug]
/usr/src/build/250859-i386/BUILD/httpd-2.0.40/modules/ssl/ssl_engine_io.c(1005):


+-+
[Wed Aug 27 15:10:30 2003] [info] Initial (No.1) HTTPS request received
for child 0 (server ***..***:443)





RE: [Fwd: mod_ssl compile problems]

2003-08-26 Thread Dave Paris
of course, this is assuming the kerberos libs have been installed. :-)
-dsp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Joe Orton
Sent: Tuesday, August 26, 2003 4:27 PM
To: Trevor Morrison
Cc: [EMAIL PROTECTED]
Subject: Re: [Fwd: mod_ssl compile problems]


> I am trying to compile in mod_ssl 2.8.15 into the apache1.3.28 source 
> and using openssl-1.9.7a-2 installed from an RH RPM and I am getting the 
> following error:
> 
> ranlib libstandard.a
> <=== src/modules/standard
> ===> src/modules/ssl
> gcc -c -I../.. -I/usr/lib/perl5/5.8.0/i386-linux-thread-multi/CORE 
> -I../../os/unix -I../../include   -DLINUX=22 -DMOD_SSL=208115 -DMOD_PERL 
> -DUSE_PERL_SSI -D_REENTRANT  -DTHREADS_HAVE_PIDS -DDEBUGGING 
> -fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE 
> -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -DUSE_HSREGEX
> -DEAPI -DEAPI_MM -DNO_DL_NEEDED `../../apaci` -DSSL_USE_SDBM 
> -DSSL_ENGINE -DMOD_SSL_VERSION=\"2.8.15\" mod_ssl.c
> In file included from /usr/include/openssl/ssl.h:179,
> from mod_ssl.h:116,
> from mod_ssl.c:65:
> /usr/include/openssl/kssl.h:72:18: krb5.h: No such file or directory
> In file included from /usr/include/openssl/ssl.h:179,
> from mod_ssl.h:116,
> from mod_ssl.c:65:
> /usr/include/openssl/kssl.h:132: parse error before "krb5_enctype"
...

You need to add "-I/usr/kerberos/include" to CFLAGS, use e.g.

CFLAGS="-I/usr/kerberos/include"
./configure --etc etc

when building Apache.

Regards,

joe


RE: CGI/SSL spec?

2003-08-22 Thread Dave Paris
http://www.apache-ssl.org/docs.html#CGI

but there is no RFC for SSL envvars that I'm aware of.  mod_ssl offers a
more complete list than is shown above.  This can be found at:

http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25

since the server is what's setting the environment variable, you need to go
by the documentation you're working with.  A good example of a popular, yet
optional envvar is HTTP_REFERER .. this is a completely optional envvar left
up to the browser's implementation team.  So, to depend on this variable,
you need to be positive of the client hitting your server.  Likewise the SSL
envvars.

Regards,
-dsp


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Philip Champon
Sent: Friday, August 22, 2003 2:42 PM
To: [EMAIL PROTECTED]
Subject: Re: CGI/SSL spec?


Thanks, but I was more so looking to find out if there was some sort of
formal spec that the mod_ssl team used to decide what SSL environment
variables to create. I am making some changes to stunnel to support http
proxying and I wanted to include some headers for user CGIs. Since I can
not find any spec, describing what SSL environment variables are expected,
I have simply chosen to insert the headers X-Https and X-Session-Id.

Thus spake Colin Faber, on the year of our L*rd Wed, Aug 20, 2003 at
05:32:58PM -0600:
> Dumping the environment variables is a very simple task. Try:
>
>
> #!/bin/sh
> echo "Content-type: text/plain"
> echo ""
> /usr/bin/printenv
>
>
> chmod it and stick it on your SSL server and run it.
>
>
> Philip Champon wrote:
>
> >Hi,
> >
> >I tried searching the archives, to find out where I might be able
> >to read about a CGI/SSL spec, but I couldn't turn anything up?
> >While I have read the mod_ssl ref on environment variables, I was
> >hoping to find out what source the group used to compile this list
> >of environment variables. I also consulted the CGI spec, but it did
> >not cover any SSL specific variables.
> >
> >Could someone tell me, is there such a spec, or did the group arbitrarily
> >compile a list of SSL env vars to include in the CGI env?
> >
>

--
Philip Champon Affinity Developer
Ph - 954-334-8156
Em - [EMAIL PROTECTED]


Re: SET payload factor ???

2003-08-22 Thread Dave Paris
I was referring to Asynchronous Transfer Mode transport-layer protocol 
- typically used on WAN and long-haul links.  Really doesn't have 
anything to do with SET or other applications.

-d

On Friday, Aug 22, 2003, at 00:51 US/Eastern, Arthur Chan wrote:

> Hiya.
> How's it going Dave ?
> Remember we were talking about ATM packet and payload factor ?
> You mentioned something like payload to o/head @ 48/5. Were you talking about
> S.E.T. ?
> Am I looking at the right thing for very *high* volume, short duration,
> 24x7 operations ?
> There's actually a small box inside those atms to capture the tx's when the
> db of the acquirer bank is down and depending on the card, issuance is
> almost guaranteed and the risk carried by the issuer bank.
> I don't know what they are now for IBM atms, but last few years there is a
> slow trend towards MS, scary thought.
> I think (meaning I don't know for sure) SET is the "smart card" version
> with a chip. Relatively common in Hong Kong, don't know about USA.
> Wish there's a vpn here.
[...]


Re:

2003-08-21 Thread Dave Paris
On Thursday, Aug 21, 2003, at 21:53 US/Eastern, Ian Newlands wrote:

> Dave
>
> Thank you for your reply, it was most enlightening and yes I will
> re-assess my future as a human being.  Hopefully that statement
> somehow makes you feel better about yourself.
> [...]

Get over yourself.  I went out of my way to make it COMPLETELY CLEAR
that I was not intending my comments as any sort of insult or other
attack on your intelligence or worth as a person.

-dsp

[once again, I'm reminded why I stopped contributing to listservs a few 
years back]



Re:

2003-08-21 Thread Dave Paris
Ian,

http://www.google.com/search?num=20&hl=en&lr=lang_en&ie=UTF-8&safe=off&q=SSL+%22name+based+virtual+hosts%22&spell=1

That's a Google query for:   SSL "name based virtual hosts"

The very first hit is:   
http://httpd.apache.org/docs/vhosts/name-based.html

The summary text presented by Google reads:
"Name-based Virtual Hosts
 ... Name-based virtual hosting cannot be used with SSL secure servers because
 of the nature of the SSL protocol. ... Using Name-based Virtual Hosts. ..."

If you don't like that one, there are 1,890 other matches .. several of  
the first 20 clearly say in the summary text presented by Google that  
you can't do name-based virtual hosts with SSL.

Please note I have not to date, nor am I now, calling you [insert  
derogatory/deriding term or phrase here], nor am I saying you're a  
worthless human.  I'm simply pointing out the obvious fact that the way  
your mind seems to go about solving problems and researching does not  
mesh well with the tasks you're trying to accomplish.  You claim to  
have spent two MONTHS trying to find what I found in under 10 SECONDS.   
That doesn't make me one bit of a better person than you... it just  
says that my mind works in a way that is different from yours.  I'd  
wager there are certain tasks you accomplish quite easily that would  
take me some effort.  It's the way us humans seem to be designed.

Every once in awhile, it's a good thing to look at who we are and what  
we're good at and then review what we've chosen to do in life.  Doing a  
job that meshes well with how you think can be all the difference  
between looking forward to a rewarding day at the office and a bruised
forehead from repeatedly smashing your head against a wall in  
self-frustration.  [ of course, I'm omitting the forehead bruising  
caused by external influences like PHBs ;-) ]   As for the tone of your  
note .. life's tough, grab a helmet.

Kind Regards,
-dsp
On Thursday, Aug 21, 2003, at 00:05 US/Eastern, Ian Newlands wrote:

> If I hadn't already exhausted resources I would not have made this
> post in the first place.  I have tried 3 different versions of Apache,
> searched through previous postings, used search engines etc., bought 2
> books on Apache and have been attempting to get this going for almost
> 2 months now.
>
> I'm glad you're amused by my frustration here.
>
> If there is anyone out there that is willing to submit a serious
> response to this I would appreciate it greatly.
>
> Regards,
>
> Ian Newlands
>
> - Original Message -
> From: "Dave Paris" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Cc: "Ian Newlands" <[EMAIL PROTECTED]>
> Sent: Thursday, August 21, 2003 11:58 AM
> Subject: Re: virtual hosting
>
> > geeze.  is it that time of the month already for this question?
> > seems like it was just yesterday when it was asked last .. maybe I'm
> > just thinking of the other 100,000 times it was asked.
> >
> > in all seriousness, this dead horse has been beaten so many times on
> > this list there isn't even a carcass left to hit at this point.
> > please go dig through the mail list archives to see why name-based
> > virtual hosts don't work with SSL.
> >
> > yes, that's a flippant answer.  no, you're not likely to get a reply
> > any more serious.
> >
> > -dsp
> >
> > On Wednesday, Aug 20, 2003, at 22:09 US/Eastern, Ian Newlands wrote:
> >
> > > I am currently running about 15 virtual hosts using name based on port
> > > 80, and 1 virtual host using SSL.
> > >
> > > My SSL host is currently working with the following:
> > >
> > >
> > >
> > > However I want to change this to the IP based hosting for this host,
> > > allowing me to then add more SSL based virtual hosts on this setup, so
> > > I tried changing this to the following:
> > >
> > >
> > >
> > > By doing this my SSL virtual host stops working altogether.
> > >
> > > I try the following to debug it on a remote machine:
> > >
> > > # openssl s_client -connect 203.xxx.xxx.xxx:443
> > > CONNECTED(0003)
> > > 27604:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> > > protocol:s23_clnt.c:475:
> > >
> > > I do the exact same thing on the local machine and it responds with a
> > > valid SSL response.
> > >
> > > Can anyone suggest what might be wrong here?
> > >
> > > Regards,
> > >
> > > Ian Newlands
> > >
> > > _
> > > Hotmail is now available on Australian mobile phones. Go to
> > > http://ninemsn.com.au/mobilecentral/signup.asp

Re: virtual hosting

2003-08-20 Thread Dave Paris
geeze.  is it that time of the month already for this question?  seems 
like it was just yesterday when it was asked last .. maybe I'm just 
thinking of the other 100,000 times it was asked.

in all seriousness, this dead horse has been beaten so many times on 
this list there isn't even a carcass left to hit at this point.  please 
go dig through the mail list archives to see why name-based virtual 
hosts don't work with SSL.

yes, that's a flippant answer.  no, you're not likely to get a reply 
any more serious.

-dsp

On Wednesday, Aug 20, 2003, at 22:09 US/Eastern, Ian Newlands wrote:

> I am currently running about 15 virtual hosts using name based on port
> 80, and 1 virtual host using SSL.
>
> My SSL host is currently working with the following:
>
>
>
> However I want to change this to the IP based hosting for this host,
> allowing me to then add more SSL based virtual hosts on this setup, so
> I tried changing this to the following:
>
>
>
> By doing this my SSL virtual host stops working altogether.
>
> I try the following to debug it on a remote machine:
>
>    # openssl s_client -connect 203.xxx.xxx.xxx:443
>    CONNECTED(0003)
>    27604:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:s23_clnt.c:475:
>
> I do the exact same thing on the local machine and it responds with a
> valid SSL response.
>
> Can anyone suggest what might be wrong here?
>
> Regards,
>
> Ian Newlands
>
> _
> Hotmail is now available on Australian mobile phones. Go to
> http://ninemsn.com.au/mobilecentral/signup.asp



RE: configuration question

2003-08-20 Thread Dave Paris
I was not referring to post-encryption compression in the context of SSL or
other, proven, known-sane encryption algorithms.  I probably should have
made this point *much* clearer to avoid confusion.  I posed the scenario to
would-be cryptographers who [99.9% of the time] wrongly believe they've
created the "next great encryption algorithm".

In any case, the Apache processing chain applies SSL as the last stage
anyway, so compressing *after* encryption, under normal Apache request
processing, won't happen without someone [who knows *exactly* what they're
doing] forcing the issue.

Best~
-dsp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Eric Rescorla
Sent: Wednesday, August 20, 2003 11:44 AM
To: [EMAIL PROTECTED]
Subject: Re: configuration question


Cliff Woolley <[EMAIL PROTECTED]> writes:

> On Tue, 19 Aug 2003, Eric Rescorla wrote:
>
> > "Dave Paris" <[EMAIL PROTECTED]> writes:
> > > In addition to Owen's salient points about compression working
> > > efficiently on repetitive strings in plaintext/binary data (e.g.
> > > whitespace in a Word document) and not on random data (e.g. encrypted
> > > data), some encryption algorithms can actually be weakened by
> > > compressing the resulting data, giving a cryptanalyzer clues to the
> > > inner workings of the algorithm.
> >
> > No reasonable encryption algorithm will be weakened this way.
>
> I agree.  I'm guessing what he meant is that some encryption algorithms
> are weakened if their /input/ is pre-compressed by some known algorithm.
> If the cleartext is in some known format, it might possibly be easier to
> recover it from the ciphertext.

True. But no modern algorithm is susceptible to this kind of known
plaintext attack either. Moreover, SSL incorporates all sorts of
opportunities for known plaintext. I wouldn't worry about this one.

-Ekr


Re: configuration question

2003-08-20 Thread Dave Paris
On Wednesday, Aug 20, 2003, at 00:32 US/Eastern, Arthur Chan wrote:

> Well, my eyes did glaze over somewhere between thermodynamics and mobile
> perpetuum ;-)
> So does this mean that if I work in a less sophisticated infrastructure
> where only 56kbps ppp dialup is available, I can get some incremental gain
> by zipping it up before encrypting it ? [yes/no]

Yes.  ...And the larger the plaintext, the larger your gain,
percentage-wise. (simply because larger plaintext files *tend* to
shrink by a larger percentage when compressed)

> Caveats ?

Both compression and encryption are computationally expensive
operations.  Don't skimp on the CPU for this machine.
[]

Best~
-dsp


RE: CRL updating with mod_ssl

2003-08-19 Thread Dave Paris
Your actual message issue notwithstanding, the versions you're running are
not just old, they've got security flaws and vulnerabilities well documented
at CERT, apache.org, and openssl.org.

http://www.cert.org/advisories/CA-2002-27.html  (Linux, Apache, OpenSSL,
mod_ssl)
http://www.cert.org/advisories/CA-2002-23.html  (OpenSSL)
http://www.cert.org/advisories/CA-2002-17.html  (Apache)


If you've got support preventing *you* from upgrading, *DEMAND* they be
updated to reduce your security risks, vulnerability, and liability.  If
your support contract won't do that, you don't have support and you should
upgrade to current anyway.

Respectfully,
-dsp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Roberto Hoyle
Sent: Tuesday, August 19, 2003 1:56 PM
To: [EMAIL PROTECTED]
Subject: CRL updating with mod_ssl


I'm trying to understand when a CRL list gets read by Apache.  I have
cases of it being read when a new CRL is placed in the directory and
the "make" is run, and cases when it does not get read under identical
circumstances.

The only reliable way that I have to make sure that the CRL gets
updated is by restarting the server.

Is this supposed to be the case?  I'm confused that it works sometimes
and doesn't work on others.

Right now, I'm running 1.3.19 with mod_ssl 2.8.1 (yes, I know that they
are old, but I am not able to update them for support reasons...).  We
have the SSLCARevocationPath directive set to the proper location, and
a script that downloads a new CRL every evening and runs the make.  The
script does not kick the server.  Our CRLs expire in seven days, but
get published every evening.

Should I just stop worrying and learn to love restarting Apache?

Thanks,

r.
--
Roberto Hoyle
PKI Lab Programmer
Dartmouth College



RE: configuration question

2003-08-19 Thread Dave Paris
In addition to Owen's salient points about compression working efficiently
on repetitive strings in plaintext/binary data (e.g. whitespace in a Word
document) and not on random data (e.g. encrypted data), some encryption
algorithms can actually be weakened by compressing the resulting data,
giving a cryptanalyzer clues to the inner workings of the algorithm.

The bottom line here is that SSL works on the socket/transport layer and not
at the application layer.  If you're generating a .gz file on-the-fly within
Apache (mod_gzip, etc), the result will still be encrypted *after*
compression.  The output chain of Apache applies SSL as the last stage, so
something like mod_gzip will operate *before* SSL.  Most modern browsers
produced in the last four or five years will decompress a .gz file (not
.zip!) for the user - even on Windows (just tested IE6 on XP .. works fine).
If you've ever experimented with VRML, one "best practices" is to send files
as .wrl.gz and not straight .wrl.

As for SSL packets being larger - they're not to any appreciable degree -
for the exact reason Owen pointed out below.  Even symmetric cipher
algorithms don't produce appreciably larger amounts of data.  For example,
using Chained Block Cipher (CBC) mode will only increase the amount of data
by 8 bytes from adding an Initialization Vector (IV) to the beginning of the
ciphertext and padding the end of the ciphertext to get a complete final
block (with an 8 byte block cipher like Blowfish, the largest amount of
padding will only be 7 bytes).  So, at most, you've added 15 bytes to even
the largest amount of plaintext data using Blowfish in CBC mode.  There are
a few exotic exceptions here, like interleaved chaining block ciphers which
will add an IV (of the same size as above) per parallel operation (so if
you've got four parallel encryption operations using interleaved CBC, you're
adding 24 bytes at the beginning of the ciphertext).  However, these are
exceptionally rare and typically limited to proprietary
implementations/applications.

Addressing one other misconception here.. a packet can contain up to 1500
bytes - including headers (assuming your network handles MTUs of 1500; some
are less (like ATM @ 53 bytes [48 bytes of payload w/5 bytes of header]),
some are more (like Frame Relay @ up to 4500 bytes), but hey, not many
desktops are connected with ATM or Frame, so we'll call the connection
standard ethernet with an MTU of 1500).  The way networks operate and packets
are forwarded, smaller packets actually transmit *less* data for any given
amount of time over larger packets.  Switches and routers (OSI layer 2 and 3
devices) operate on packet forwarding rates, regardless of the amount of
data in the packet.  The more data in the packet, the more data you're going
to get for X period of time - this is one factor that introduces latency
into a network.  Lots of small packets going through a network simply
transmit less data than lots of large packets .. and since the only
appreciable metric is the number of packets and the packet forwarding rate
of the network device, the larger the packet, the happier the network and
the more data getting to the end user.  The *only* place this is going to
make a difference is if you've got an -inline- intrusion
detection/prevention system (IDS/IPS), in which case you've got what most
network engineers would consider to be a design flaw anyway.  In this case,
each packet needs to be inspected and the more data there is, the more there
is to be inspected.  Most IDS sensors will simply discard packets being
inspected rather than slow the network down (Snort does this when it's
either misconfigured or overloaded).

So.. go for it.  Use mod_gzip (or similar) to generate .gz docs on the fly
.. let Apache handle your SSL.  If anything, your win comes from SSL having
to encrypt *less* data.  This won't speed up the handshake phase, but will
speed up the rest of the transaction since there's simply less data to
encrypt and transmit.  How much speed improvement you get is completely
dependent on how much compression you're getting.  If you can take a 100K
document and compress it to 25K, that's a 75% reduction in the amount of
data SSL needs to encrypt and reduces the number of packets from about 66 to
around 16 - again, not including the SSL handshake/setup and general TCP
setup/teardown.

If you're bogging down your server with all the SSL transactions, look at
investing in a SSL accelerator.  If your business model depends on both
security *and* performance, then the cost (starting around 20K$USD) should
be easily justified.  But that's the subject of another mail and I've got
some coffee getting cold over here. ;-)

Hope this didn't glaze your eyes over. :-)
Best~
-dsp


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Boyle Owen
Sent: Tuesday, August 19, 2003 7:02 AM
To: [EMAIL PROTECTED]
Subject: RE: configuration question




>-Original Message-
>From: Arth
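
The compress-then-encrypt ordering and the byte overheads argued in this post (and in the two shorter "configuration question" replies above), as an added example that is not from the thread or from mod_ssl: the SHA-256 counter-mode keystream, the CBC-style record framing, the sample document and every function name here are constructed stand-ins, and the packet count ignores headers and handshakes the way the post's 100K/25K estimate does. It also generalises the post's "at most 15 bytes" figure to a function of the plaintext length.

```python
"""Constructed demonstration of the compress-then-encrypt argument in the
thread: the record framing, the keystream cipher and the sample document
are stand-ins built here, not mod_ssl code."""
import hashlib
import math
import os
import zlib

BLOCK = 8      # 8-byte block cipher, as in the thread's Blowfish example
MTU = 1500     # standard Ethernet MTU assumed in the thread


def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream.

    Toy stand-in for the real cipher; it is only here so the ciphertext
    looks random, which is exactly what defeats compression."""
    stream = bytearray()
    for counter in range(math.ceil(len(data) / 32)):
        stream += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def cbc_overhead(plaintext_len: int, block: int = BLOCK) -> int:
    """Bytes added by an IV plus padding to a whole block, reckoned the way
    the thread does: block-size IV + 0..block-1 bytes of padding, so at most
    15 bytes for an 8-byte block.  (PKCS#5 and TLS padding always add at
    least one byte, so real records can be one block larger.)"""
    return block + (-plaintext_len % block)


def encrypt_record(plaintext: bytes, key: bytes, block: int = BLOCK) -> bytes:
    """IV || encrypted body padded to a block multiple (CBC-style framing)."""
    iv = os.urandom(block)
    padded = plaintext + b"\x00" * (-len(plaintext) % block)
    return iv + keystream_xor(key, iv, padded)


def compress_then_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Apache's order: mod_gzip runs first, SSL is the last output stage."""
    return encrypt_record(zlib.compress(plaintext, 9), key)


def encrypt_then_compress(plaintext: bytes, key: bytes) -> bytes:
    """The wrong order: compressing ciphertext gains nothing (it grows)."""
    return zlib.compress(encrypt_record(plaintext, key), 9)


def packets_needed(nbytes: int, mtu: int = MTU) -> int:
    """Packets to carry nbytes when each packet holds at most mtu bytes,
    ignoring TCP/SSL setup and per-packet headers, as the thread does."""
    return math.ceil(nbytes / mtu)


def size_report(plaintext: bytes, key: bytes) -> dict:
    """Sizes and packet counts for both orderings of compress/encrypt."""
    cte = compress_then_encrypt(plaintext, key)
    etc = encrypt_then_compress(plaintext, key)
    return {
        "plaintext": len(plaintext),
        "compress_then_encrypt": len(cte),
        "encrypt_then_compress": len(etc),
        "packets_plain": packets_needed(len(plaintext)),
        "packets_compressed": packets_needed(len(cte)),
    }


# Constructed sample: a repetitive HTML-ish document (like the Word-file
# whitespace the thread mentions); the key is fixed so the demo is repeatable.
SAMPLE_DOC = b"<tr><td>item</td><td>          </td></tr>\n" * 2500
DEMO_KEY = hashlib.sha256(b"constructed demo key, not a real secret").digest()

if __name__ == "__main__":
    for name, value in size_report(SAMPLE_DOC, DEMO_KEY).items():
        print(f"{name:>22}: {value}")
```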

RE: high-grade vs low-grade encryption with MD5 and DES

2003-08-14 Thread Dave Paris
I wasn't [specifically] referring to SSL.  In fact, the mere premise of
passing data designated as "must be protected" for a 20 year timeframe over
128 bit SSL (with a 1024 bit client key) frightens me to the core.  (If the
encryption of this data was protecting *you* from [we'll go on a limb here
and be dramatic] a crime organization with tens of millions of dollars to
devote to discovering who turned them in to the Feds, would *you* want it
sent over a 1024 bit SSL link?!)

*THIS* is what's really wrong with the industry - we have people using
technology in inappropriate situations.  Too many who DO understand how to
use it appropriately with the responsibilities, restrictions, and caveats
that come with that understanding are either unable or unwilling to convince
those in the position of "final decision maker" of just how WRONG certain
applications/implementations actually are.

Bottom line, if the available protocols & application cannot support the
data protection requirements - DO NOT send the data over that link.

For a baseline dissertation on key lengths for symmetric and asymmetric
ciphers, please see:
http://www.giac.org/practical/gsec/Lorraine_Williams_GSEC.pdf

Additionally, RSA currently recommends 2048 bit keys for "extremely valuable
keys".  My gut says that knowing about devices like TWIRL, et al. make 2048
bit keys risky for long-term protection because God only knows what devices
we *don't* know about.

-dsp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Arthur Chan
Sent: Sunday, August 10, 2003 7:52 AM
To: [EMAIL PROTECTED]
Subject: Re: high-grade vs low-grade encryption with MD5 and DES


Practicality : do not use 4096 bits server side private key. No, not even
2048.
Key size larger than 1024 is not supported by those bollocky client
browsers. Netscape and MSIE4 come to mind.
Regards,
Arthur Chan

- Original Message -
From: "Dave Paris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 11, 2003 07:34 PM
Subject: RE: high-grade vs low-grade encryption with MD5 and DES


> The "5 minutes" I mentioned doesn't implicitly refer to the amount of time
> needed to crack the ciphertext, but more the type of data and the amount of
> time it needs to be protected.
>
[...]
> Example 2:
> A "sealed" court case which is mandated to be sealed for 20 years needs to
> be protected by a cipher capable of using a large enough keyspace to keep a
> sustained attack against the data at bay for that 20 years.
>
> Herein lies the challenge in the practical utilization of cryptography...
> how do we know what will protect data for 20 years?  We don't.  So we make
> educated guesses.  We make compromises.  We use "best-available".  In the
> example of the password above, 56 bit DES would be a reasonable choice.
> It's fast, but weak - yet strong enough to keep that password encrypted for
> the two or three - heck, six, minutes it would be attacked. (this is not to
> say that one should use the weakest available cipher for any given problem
> set!  3DES, AES, or Blowfish would be a much better choice in any case.)  In
> the example of the sealed court records, we're not worried about transaction
> speed or decryption speed so an asymmetric cipher capable of utilizing a
> 4096 bit (or larger!) private key is much more appropriate.
[...]




RE: high-grade vs low-grade encryption with MD5 and DES

2003-08-14 Thread Dave Paris
The "5 minutes" I mentioned doesn't implicitly refer to the amount of time
needed to crack the ciphertext, but more the type of data and the amount of
time it needs to be protected.

A couple examples:

Example 1:
A password which will only work for the next ten minutes only needs to be
protected by encryption capable of rendering the text sufficiently scrambled
for that 10 minute duration.  This might mean it would take an attacker 1
minute to obtain the ciphertext and get it into a state where it can be
cryptanalyzed.  Four or five minutes to determine the cipher used.  Then the
attacker is left with only 3 or 4 minutes to break the cipher if they need
one minute to actually use the password.  So, how strong do you need
encryption in this case?  Only long enough to hold out against a 3 to 4
minute attack.

Example 2:
A "sealed" court case which is mandated to be sealed for 20 years needs to
be protected by a cipher capable of using a large enough keyspace to keep a
sustained attack against the data at bay for that 20 years.

Herein lies the challenge in the practical utilization of cryptography...
how do we know what will protect data for 20 years?  We don't.  So we make
educated guesses.  We make compromises.  We use "best-available".  In the
example of the password above, 56 bit DES would be a reasonable choice.
It's fast, but weak - yet strong enough to keep that password encrypted for
the two or three - heck, six, minutes it would be attacked. (this is not to
say that one should use the weakest available cipher for any given problem
set!  3DES, AES, or Blowfish would be a much better choice in any case.)  In
the example of the sealed court records, we're not worried about transaction
speed or decryption speed so an asymmetric cipher capable of utilizing a
4096 bit (or larger!) private key is much more appropriate.

Kind Regards,
-dsp


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Arthur Chan
Sent: Sunday, August 10, 2003 6:39 AM
To: [EMAIL PROTECTED]
Subject: Re: high-grade vs low-grade encryption with MD5 and DES


This is really symptomatic of our industry, isn't it? We seem to be our own
worst enemy.
Back in 95, it took that French student days to crack the 40-bit codes. Now
we are talking about minutes... its disheartening. Merde. I really wonder
how some of those MS sites survive these days...

- Original Message -
From: "Dave Paris" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, August 11, 2003 06:16 PM
Subject: Re: high-grade vs low-grade encryption with MD5 and DES


> "compromised" is probably a poor word to use, "pointlessly weak" is
> more accurate.  If you're going to use SSL and you're dealing with data
> that needs to be protected longer than 5 minutes, use 128bit SSL.
>
> -dsp
>
> On Sunday, Aug 10, 2003, at 02:25 US/Eastern, Arthur Chan wrote:
>
> > Hi all.
> > Verisign currently has a discount on both a high grade (128bits) SSL
> > encrypted and a low grade (40bits) SSL encrypted certificates. The
> > former is
> > priced at US$895 and the latter at US$1395.
> > I noticed some sites also present Verisign certificates with low-grade,
> > 54-bits encryption from their Microsoft/IIS servers. However I cannot
> > find a
> > 54-bits certificate in
> > www.verisign.com/products/site/commerce/index.html
> > Is this 54-bits affair only for Microsoft / IIS ???
> > Is low-grade encryption with 40 and 54 bits considered "compromised"
> > ???
> > Are there any finance/insurance industry standard requiring a 128 bits,
> > high-grade encryption ???
> >


Re: high-grade vs low-grade encryption with MD5 and DES

2003-08-11 Thread Dave Paris
"compromised" is probably a poor word to use, "pointlessly weak" is 
more accurate.  If you're going to use SSL and you're dealing with data 
that needs to be protected longer than 5 minutes, use 128bit SSL.

-dsp

On Sunday, Aug 10, 2003, at 02:25 US/Eastern, Arthur Chan wrote:

Hi all.
Verisign currently has a discount on both a high grade (128bits) SSL
encrypted and a low grade (40bits) SSL encrypted certificates. The 
former is
priced at US$895 and the latter at US$1395.
I noticed some sites also present Verisign certificates with low-grade,
54-bits encryption from their Microsoft/IIS servers. However I cannot 
find a
54-bits certificate in 
www.verisign.com/products/site/commerce/index.html
Is this 54-bits affair only for Microsoft / IIS ???
Is low-grade encryption with 40 and 54 bits considered "compromised" 
???
Are there any finance/insurance industry standard requiring a 128 bits,
high-grade encryption ???

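An added example, not part of the exchange above: the 40/56/128-bit "grade" is a property of the cipher suite negotiated in the handshake, not of the certificate (the "Global Server ID" style certificates of that era only unlocked the stronger suites in export-restricted browsers). mod_ssl's SSLCipherSuite takes an OpenSSL cipher-list string, and Python's ssl module passes the same syntax to OpenSSL, so a throwaway context is a cheap way to see what a given string still allows on the build in front of you. The PERMISSIVE and HARDENED strings are assumptions for the demo, not anything the posters used; 40- and 56-bit export suites were removed in OpenSSL 1.1.0, so on a current build the permissive string will usually report nothing below 112 bits.

```python
import ssl
from collections import defaultdict
from typing import Dict, List


def negotiable_ciphers(cipher_string: str) -> List[Dict]:
    """Ciphers the local OpenSSL would offer under a cipher-list string
    (the same syntax mod_ssl hands to SSL_CTX_set_cipher_list for SSLCipherSuite)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def strength_report(cipher_string: str) -> Dict[int, List[str]]:
    """Cipher names grouped by symmetric key strength in bits, ascending."""
    report = defaultdict(list)
    for c in negotiable_ciphers(cipher_string):
        report[c["strength_bits"]].append(c["name"])
    return {bits: sorted(names) for bits, names in sorted(report.items())}


def weak_ciphers(cipher_string: str, min_bits: int = 128) -> List[str]:
    """Names under min_bits: anything listed here lets a client negotiate
    'low-grade' encryption regardless of what the certificate says."""
    return [name for bits, names in strength_report(cipher_string).items()
            if bits < min_bits for name in names]


def min_strength(cipher_string: str) -> int:
    """Weakest symmetric strength the string still permits."""
    return min(strength_report(cipher_string))


# Assumed strings for the demo: one that takes everything OpenSSL offers,
# and one that enforces the 128-bit floor the question asks about.
PERMISSIVE = "ALL:!aNULL:!eNULL"
HARDENED = "HIGH:!aNULL:!eNULL:!MD5"

if __name__ == "__main__":
    for label, s in (("permissive", PERMISSIVE), ("hardened", HARDENED)):
        print(label, "min bits:", min_strength(s), "weak:", weak_ciphers(s))
        for bits, names in strength_report(s).items():
            print("  ", bits, "bits:", ", ".join(names))
```

The server-side counterpart of weak_ciphers() is to put the hardened string in SSLCipherSuite and, where a per-directory floor is wanted, mod_ssl's own check `SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128`.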


Re: 2 VirtualHosts with 2 Certificates

2003-01-08 Thread Dave Paris
Per all the documentation and countless examples in the archives of 
this mail list, you must either use two different IPs or use different 
ports.  You *cannot* use Named Virtual Hosts for SSL.  Period.

-dsp

On Wednesday, Jan 8, 2003, at 13:58 US/Eastern, toxshark wrote:

I have the apache configured with 2 VirtualHosts on port 443.

Both VirtualServers have separate CertificateFiles and
CertificateKeyFiles.

But now if I connect to VirtualHost2, the host has the certificate
from VirtualServer1!

Both hosts have now the same certificate.

My httpd.conf:

...

NameVirtualHost 92.35.28.17:443

<VirtualHost 92.35.28.17:443>
ServerName domain1.com
ServerAlias www.domain1.com
DocumentRoot "/web1/"
SSLEngine on
SSLCertificateFile /usr/local/etc/apache/key/ssl1.cert
SSLCertificateKeyFile /usr/local/etc/apache/key/ssl1.key
</VirtualHost>

<VirtualHost 92.35.28.17:443>
ServerName domain2.com
ServerAlias www.domain2.com
DocumentRoot "/web2/"
SSLEngine on
SSLCertificateFile /usr/local/etc/apache/key/ssl2.cert
SSLCertificateKeyFile /usr/local/etc/apache/key/ssl2.key
</VirtualHost>

...





Re: how to add multiple SSL cert for each virtual host?

2002-12-03 Thread Dave Paris
Look at the handshake for SSL.  During the name to address translation 
phase, you wind up with a chicken-egg scenario if more than one name 
shares an address.

Not only is it not possible, it'd be a HUGE security flaw if it WERE 
possible.

-dsp

On Tuesday, Dec 3, 2002, at 15:34 US/Eastern, Hack Hawk wrote:

What?!?!?!  Are you absolutely sure about this?  SSL certs are based 
on the Domain Name,,, NOT the IP address.  It stands to reason that it 
would be possible for virtual hosts/domains to have their own certs.  
Perhaps modssl doesn't support it, but I think that in theory it's 
possible.

- hawk

At 10:24 AM 12/03/2002, you wrote:
Multiple SSL certs for name-based virtual hosts aren't possible based upon
the way SSL is designed. Each site requiring a separate cert must have its
own IP address.

---
Shawn Syms | Systems Administrator
Infinet Communications | [EMAIL PROTECTED]
---



-Original Message-
From: Thomas Sandor [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 03, 2002 1:20 PM
To: [EMAIL PROTECTED]
Subject: how to add multiple SSL cert for each virtual host?


hi everyone,

I have an apache 2.0.40 installed on a RedHat 7.2 box, compiled with ssl
(openssl 0.9.6g).
Till now I had only one domain for which apache should use SSL cert files
(crt, key), but for our next project I have to add another SSL cert file for a
specific domain.

I have NameVirtualHost 12.34.56.78 and have a list of <VirtualHost> for
each of our domains, using ServerName-based aliases, but for the ssl conf it
doesn't work. In short, my ssl.conf looks like this:

NameVirtualHost 12.34.56.78:443

<VirtualHost 12.34.56.78:443>
ServerName domain1.com
CustomLog "..."
ErrorLog "..."
SSLEngine on
SSLCertificateFile "/somewhere/ssl.crt/domain1.crt"
SSLCertificateKeyFile "somewhere/ssl.key/domain1.key"
</VirtualHost>

<VirtualHost 12.34.56.78:443>
ServerName domain2.com
CustomLog "..."
ErrorLog "..."
SSLEngine on
SSLCertificateFile "/somewhere/ssl.crt/domain2.crt"
SSLCertificateKeyFile "somewhere/ssl.key/domain2.key"
</VirtualHost>

The problem is that apache does not serve the domain2 cert files for
domain2; it uses the first declaration for every https://domainX.com request.
Does anyone know how to tell apache to use the specific SSL cert I'd like to
define for each of my virtualhosts?

Thanks in advance for any help.

Regards,
Thomas




Re: mod-ssl Virtual Hosts

2002-11-08 Thread Dave Paris
a) you could try surfing the archives of this list since an arguable 
10% of the traffic is either this exact question or directly relates to 
it.
b) you could use different ports
c) you could use different IPs.  they're not *that* rare .. and .. it 
could be sanely argued that if you've got content important enough to 
protect using SSL, the cost of "using up" an IP is just part of the 
cost of making that _important_ information accessible.

-dsp


On Friday, Nov 8, 2002, at 18:30 Europe/London, Irving Carrion wrote:

Hello All!

Just recently I was able to get this mod-ssl library working on Apache.
It is working just fine.  Much thanks to the developer team.

Anyway my question is...

Currently I use name-based virtual hosts for all of our websites.

http://domain1.com
http://domain2.com

We would like to have the ability to get each domain a https address as
well like...

https://domain1.com
https://domain2.com

What would be the best method of tackling this, since mod-ssl doesn't
support name-based virtual host?

I've thought of using IP Based virtual host, but there isn't enough
static ip's to go around.  I've also thought of using
proxypass/proxyreverse to point it to an internal static ip.  Am I on
target with this?

I would really appreciate any help or suggestions ANYONE can provide.

Thanks!
IRV







Problems with Thawte freemail certificate and Apache

2002-08-19 Thread Dave Kelly

Hello,

I would appreciate any help on this please.

I am using Apache 1.3.23 on RedHat 7.3 with mod_ssl 2.8.7 and openssl 
0.9.6b-28.
This web server provides access to our internal Bugzilla database.

I have set up a CA on my server using /usr/share/ssl/misc/CA.pl and I 
issue browser certificates from it.

I have copied the CA certificate and appended it to 
/etc/httpd/conf/ssl.crt/ca-bundle.crt.

I have the following configuration in httpd.conf:


Options ExecCGI FollowSymLinks
SSLVerifyClient require
SSLVerifyDepth  1
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_OU} in {"Support", "Bugzilla"}


I have also uncommented:

SSLCACertificatePath /etc/httpd/conf/ssl.crt
SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt

in httpd.conf.

I generated an Apache server certificate using

make testcert

in /etc/httpd/conf so that the correct machine name was in the CN attribute.

This is all working fine. However, my colleague and I both have Thawte 
freemail certificates installed and that's when we get a problem.

Using Mozilla with the configuration set to prompt for a certificate, 
both the browser certificate and the Thawte certificate are displayed 
with the Thawte certificate being listed first. If the configuration is 
set to automatically select a certificate, the Thawte certificate is 
chosen.
The behaviour is similar using IE.

The symptom we see in Bugzilla is that we seem to be circulating
through the same 3-4 pages (depending upon what we choose).

The ssl_engine_log file shows:

[19/Aug/2002 12:35:23 01206] [error] Re-negotiation handshake failed: 
Not accepted by client!?
[19/Aug/2002 12:35:23 01206] [error] SSL error on writing data (OpenSSL 
library error follows)
[19/Aug/2002 12:35:23 01206] [error] OpenSSL: 
error:1409E0E5:lib(20):func(158):reason(229)


When we remove the Thawte certificate, everything works.

The Thawte certificate has no O or OU specified so why do the browsers 
find a match with it ?

Cheers

Dave.

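An added note and example, not part of Dave Kelly's message: in the SSL handshake the server's CertificateRequest carries the distinguished names of every CA it will accept, and mod_ssl builds that list from what SSLCACertificateFile and SSLCACertificatePath load. Appending the local CA to ca-bundle.crt therefore advertises Thawte's CAs as well, so a browser holding a Thawte Freemail certificate sees it as acceptable and, set to automatic selection, sends it; the OU check in SSLRequire only runs after that certificate has already been verified and accepted. Keeping the local CA in a file of its own and pointing SSLCACertificateFile at only that file limits the advertised list to one name (httpd 2.2 later added SSLCADNRequestFile to set the advertised list separately from the verification list; that is not available on the 1.3.23 build in the message). The example encodes two CA names (constructed approximations) into a TLS 1.0-style CertificateRequest, parses it back and applies the browser's selection rule.

```python
import struct
from typing import Dict, List, Tuple

OID_CN = b"\x55\x04\x03"   # 2.5.4.3  commonName
OID_O = b"\x55\x04\x0a"    # 2.5.4.10 organizationName


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (lengths up to 65535)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    elif len(body) < 0x100:
        length = b"\x81" + bytes([len(body)])
    else:
        length = b"\x82" + struct.pack(">H", len(body))
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_dn(cn: str, o: str) -> bytes:
    """X.501 Name with O and CN in separate RDNs, as a CA subject would carry."""
    def atv(oid: bytes, value: str) -> bytes:
        # SET { SEQUENCE { OID, PrintableString } }
        return der(0x31, der(0x30, der(0x06, oid) + der(0x13, value.encode("ascii"))))
    return der(0x30, atv(OID_O, o) + atv(OID_CN, cn))


def decode_dn(name: bytes) -> Dict[str, str]:
    """Flatten a DER Name into {'O': ..., 'CN': ...}."""
    out = {}
    _, rdns, _ = der_read(name, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = der_read(rdns, pos)
        _, atv, _ = der_read(rdn, 0)
        _, oid, after = der_read(atv, 0)
        _, value, _ = der_read(atv, after)
        out[{OID_CN: "CN", OID_O: "O"}.get(oid, oid.hex())] = value.decode("ascii")
    return out


def build_certificate_request(ca_names: List[bytes]) -> bytes:
    """TLS 1.0/1.1 CertificateRequest: certificate types plus the CA names
    the server loaded from SSLCACertificateFile/SSLCACertificatePath."""
    types = b"\x01"                                          # rsa_sign
    cas = b"".join(struct.pack(">H", len(n)) + n for n in ca_names)
    body = bytes([len(types)]) + types + struct.pack(">H", len(cas)) + cas
    return b"\x0d" + len(body).to_bytes(3, "big") + body     # certificate_request


def parse_certificate_request(msg: bytes) -> List[Dict[str, str]]:
    """The acceptable-issuer list as a browser sees it."""
    if msg[0] != 0x0D:
        raise ValueError("not a CertificateRequest")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 1 + body[0]                                        # skip certificate_types
    cas_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    end, names = pos + cas_len, []
    while pos < end:
        n = struct.unpack(">H", body[pos:pos + 2])[0]
        names.append(decode_dn(body[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return names


def certs_browser_will_offer(request: bytes, client_certs: List[Dict]) -> List[str]:
    """Browser-side rule: offer only certificates whose issuer the server listed."""
    acceptable = parse_certificate_request(request)
    return [c["subject"]["CN"] for c in client_certs if c["issuer"] in acceptable]


# Constructed data: the local CA, a Thawte CA as it would sit in ca-bundle.crt,
# and the user's two certificates (the Thawte one has no O, as in the message).
LOCAL_CA = encode_dn("Support CA", "Example Ltd")
THAWTE_CA = encode_dn("Thawte Personal Freemail CA", "Thawte Consulting")
CLIENT_CERTS = [
    {"subject": {"O": "Example Ltd", "CN": "Dave"}, "issuer": decode_dn(LOCAL_CA)},
    {"subject": {"CN": "dave@example.invalid"}, "issuer": decode_dn(THAWTE_CA)},
]


def with_bundle() -> List[str]:
    """SSLCACertificateFile = ca-bundle.crt with the local CA appended."""
    return certs_browser_will_offer(build_certificate_request([THAWTE_CA, LOCAL_CA]), CLIENT_CERTS)


def with_local_ca_only() -> List[str]:
    """SSLCACertificateFile = a file containing only the local CA."""
    return certs_browser_will_offer(build_certificate_request([LOCAL_CA]), CLIENT_CERTS)
```

A quick way to see the list a real server advertises is `openssl s_client -connect host:443` against a location that requires client certificates, which prints the "Acceptable client certificate CA names" section from the same message.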



Re: Apache, ssl, and solaris

2002-06-26 Thread Dave Kimberley



 > Your assert popped on the line that I prefixed with "-->".  Try
 > changing your vhosts to not use "_default_".  I forget exactly which
 > configuration combination causes that error, but it's definitely been
 > seen before.


Hi

I've replaced _default_ in ssl.conf and all now working.

Thanks


Dave




Apache 2.0.39 problems on Solaris 9

2002-06-25 Thread Dave Kimberley


Problem: Cannot get Apache 2.0.39 to run on Solaris 9 with SSL.

Details:

cc: Sun Workshop 6 update 2 C 5.3 2001/05/15

Compiled and installed openssl-0.9.6d

Compiled and installed Apache 2.0.39 ( ./configure
--prefix=/usr/local/apache --enable-ssl --with-ssl=/usr/local/ssl
--enable-rewrite )

Added custom cert

Tried starting Apache without SSL, works but get an SSLSessionCache warning:
# /usr/local/apache/bin/apachectl start
# more error_log
[Tue Jun 25 16:22:17 2002] [warn] Init: Session Cache is not configured
[hint: SSLSessionCache]
[Tue Jun 25 16:22:19 2002] [notice] Apache/2.0.39 (Unix) mod_ssl/2.0.39
OpenSSL/0.9.6d configured -- resuming normal operations

Tried starting Apache with SSL, crashes
# /usr/local/apache/bin/apachectl startssl
[Tue Jun 25 16:21:32 2002] [crit] [Tue Jun 25 16:21:32 2002] file
vhost.c, line 232, assertion "rv == APR_SUCCESS" failed
Abort - core dumped


Any ideas

Thanks


Dave
-- 
-----
   Dave Kimberley Tel: +44 1785 785489
   System Administrator   Fax: +44 1785 785401
   Marconi Pensions Office   http://www.marconi-pensions.co.uk
-








Re: getting rid of Snake Oil stuff

2002-01-15 Thread Dave Paris

Start your understanding by reading the following section from the
mod_ssl FAQ:

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC24

it should all fall into place from there, particularly the part about
being your own CA.

best regards,
-dsp

Joe Auty wrote:
> 
> Hi,
> 
> I've been working many many hours on this problem, so I'd be EXTREMELY
> grateful if somebody can help me here with my handicap of limited
> knowledge on this subject...
> 
> I've created the certificate for my site, and it works fine.. the
> problem is it is still signed by Snake Oil...
[...snip...]



Re: Single IP and need two virtual SSL servers

2001-11-03 Thread Dave Paris

http:// is *NOT* the same thing has https:// .. therefore,
http://host:443 is a standard HTTP request to port 443, it is *NOT* a
HTTPS request.

URL 101 is in session!
protocol://user:pass@host:port/uri

and since "http" is not the same thing as "https", the server is simply
giving you back precisely what you asked for .. non-secure http from
port 443 .. which it doesn't know how to do since it's only designed to
speak secure http.

no wonder you found IIS5 to be "better" than in the past .. Microsoft
doesn't understand what RFCs are either.  ::sigh::

-dsp

[EMAIL PROTECTED] wrote:
> 
> Hi guys!
> I am an Apache webserver user too. I don't know for how long... IIS5 is much better
> now than in the past.
> I have had this problem in the past using Apache.
> As far as I know, it seems that apache uses distinct IPs for every virtual SSL
> host configured.
> So I see no solution for you unless you could build a second SSL virtual
> server using a port other than the default port 443.
> Supposing that will work, how will browsers access your website using
> encryption?
> Browsers know to communicate encrypted using the https protocol, which is by
> default set on port 443.
> Why am I saying that?
> I made a few tests:
> 1. http://www.inetsoft.ro:443 which generated this:
> Bad Request
> Your browser sent a request that this server could not understand.
> Reason: You're speaking plain HTTP to an SSL-enabled server port.
> Instead use the HTTPS scheme to access this URL, please.
> 
>   Hint: https://www.inetsoft.ro:443/
> 2. https://www.inetsoft.ro which worked!
> 
> 3. I changed port 443 to 444 for one of my websites http://xxx.aaa.ro.
> https://xxx.aaa.ro/ was redirected by apache to the default SSL virtual host.
> 
> Conclusion: I don't know! :)
[...]



Re: few questions

2001-10-21 Thread Dave Paris

David Loszewski wrote:
> 
> I have a few small questions that I'm seeking answers for, any help
> would be much appreciated:
> 
> 1. Mod_SSL is working...I type in 'https://192.168.0.1' and it uses the
> ssl but when I type in 'http://192.168.0.1:443' it doesn't work, comes
> up saying that it can't load the page. Ideas?

URLs are encoded by protocol first.  HTTP is *not* HTTPS.  Plain and
simple.  Your suggestion might as well be wondering why
http://127.0.0.1:21 doesn't make your web client a FTP client.  Most web
browsers *can* do FTP, provided you type ftp://...

> 2. How do I make it so if I type in 'http://192.168.0.1' it goes to
> 'https://192.168.0.1', pretty much so it only uses ssl, and please don't
> tell me to just redirect it.

You'll need to redirect it somehow, someway.  The client is requesting
one protocol and you want them to request another.  If *you* don't
redirect it, then .. uhmm .. who are you expecting will?  Santa Claus is
busy routing presents, not packets.  Look into mod_rewrite.

> 3. This is more of a curious type question, but if https is so much more
> secured than http then why aren't all the big sites using it?

"so much more secured" .. one uses encryption, one doesn't.  HTTP isn't
secure at all.  As for why not.. because buying racks full of majorly
expensive SSL accelerators to hide information you want shown to as many
people as possible is $#!*ing dumb.

-d



Autostart apache /w mod_ssl from init.d ?

2001-09-11 Thread Dave

Hello, I am new to this mailing list, and I have browsed through the mail 
archives and I can't seem to find an answer y/n to my question.

I run Debian 2.2 and I have finally gotten everything setup with mod_ssl 
and apache and everything appears to be running quite happily. My only 
question is this: I noticed that when I started the binary 'perlhttpdctl 
startssl' (mod_perl is compiled in as well), I was prompted for my PEM pass 
phrase which I entered and all is well, but what happens when I reboot this 
server? I am not always physically at the machine when it is rebooted or 
powered down/up and I was wondering if there was a way I could automate 
this through /etc/init.d (rc startup scripts)?

If this question has already been addressed, I am sorry I must have missed 
it in the archives.

Thanks in advance.

-
Dave




Re: Ultimate BrowserMatch List (second try)

2001-07-18 Thread DAve Goodrich

You can see my message dated 6/20 for an example of where to put it. So far
my additions work perfectly.

DAve

on 7/18/01 12:01 PM, David Rees at [EMAIL PROTECTED] wrote:

>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]]On Behalf Of Andrea Cerrito
>> 
>> What about:
>> 
>> SetEnvIf User-Agent "MSIE [1-4]" nokeepalive ssl-unclean-shutdown
>> downgrade-1.0 force-response-1.0
>> SetEnvIf User-Agent "MSIE [5-9]" ssl-unclean-shutdown
> 
> Make sure those are only in your SSL virtual hosts, keep alive works fine
> for most MSIE browsers for normal HTTP.
> 
> -Dave
> 
> 

--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com





Re: Netscape + ModSSL=Dead slow.

2001-06-20 Thread DAve Goodrich

on 6/20/01 3:16 PM, David Rees at [EMAIL PROTECTED] wrote:

> I'm using Netscape 4.76 straight from Netscape without any problems over
> here.
> 
I wish I were you ;^)

> Now, you've basically disabled all keep alives and HTTP 1.1 for all browsers
> except Netscape on the PC and Unix and probably have something like this:
> 
? I think I've only removed keep alives and HTTP 1.1 on PPC Macintosh
machines running Netscape 4+. If there is more disabled, it's a result of
the default config of mod_ssl.

> BrowserMatch "MSIE" nokeepalive ssl-unclean-shutdown downgrade-1.0
> force-response-1.0
> BrowserMatch "Mozilla/4\..*PPC)$" nokeepalive downgrade-1.0
> force-response-1.0
> 
Closer to this;


BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Mozilla/4\..*PPC)$" nokeepalive downgrade-1.0
force-response-1.0


Which I will remove the new entry and then change to;


AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl


DocumentRoot "/usr/local/www/secure"
ServerName www.rblc.com
php_value session.cache_limiter "nocache"

    lines removed for clarity ...

SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0

SetEnvIf User-Agent "Mozilla/4\..*PPC)$" \
 nokeepalive downgrade-1.0 \
 force-response-1.0




This will, I believe, stop the hanging with Netscape 4+ on the Mac in the
secured area of my web site. Note that this area is a paying member area and
broadband is a requirement for the client. All other areas of the site will
still allow Netscape 4+ and MSIE 5+ to enjoy keep alives and HTTP 1.1
performance.

> At this point, you may as well disable keep alives for everyone and simplify
> the setup with something like this:
> 
> SetEnv nokeepalive downgrade-1.0 force-response-1.0
> BrowserMatch "MSIE" ssl-unclean-shutdown
> 
> But if your site has many small images with clients on slow links, I think
> you'll find yourself looking for ways to turn keep alive back on to speed
> things up.
> 
> -Dave
That would be akin to throwing my hands into the air, which I never do ;^)

It's not like I have to type a new httpd.conf entry every hour. If one line
in httpd.conf works for even 10% of my client base that is better than
simplifying the setup and crippling everyone.

So the problem isn't solved, just "avoided" at this point. I think it's
agreed something is wrong then and I should compile all the current
information and file a bug report.

DAve

--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com





Re: Netscape + ModSSL=Dead slow.

2001-06-20 Thread DAve Goodrich

on 6/20/01 12:54 PM, DAve Goodrich at [EMAIL PROTECTED] wrote:
> 
> Netscape Installers taken from ftp.netscape.com;
> 
> Mozilla/4.73 = "Mozilla/4.73 (Macintosh; U; PPC)"
> Mozilla/4.74 = "Mozilla/4.74 (Macintosh; U; PPC)"
> Mozilla/4.75 = "Mozilla/4.75 (Macintosh; U; PPC)"

This;
> Mozilla/4.76 = "Mozilla/4.76 (Macintosh; I; PPC)"

Should have been;
Mozilla/4.76 = "Mozilla/4.76 (Macintosh; U; PPC)"

Sorry

--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com





Re: Netscape + ModSSL=Dead slow.

2001-06-20 Thread DAve Goodrich

OK, that went faster than expected.

I clean-installed Netscape from several sources, below are the text strings
recorded in the apache log for each Netscape version I tested. I can
confirm, each Netscape DID NOT work with out the BrowserMatch regex, and
each DID work with the BrowserMatch regex. I tried to make the match as
close as possible and I think it works fine. Regex junkies please correct
me.

I added this line to httpd.conf;

BrowserMatch "Mozilla/4\..*PPC)$" nokeepalive downgrade-1.0
force-response-1.0

Netscape installers taken from OEM CD's;

iMAC_8.6_OEM = "Mozilla/4.61 (Macintosh; I; PPC)"
G4/9.0_OEM = "Mozilla/4.76 (Macintosh; I; PPC)"
G4_9.1_OEM = "Mozilla/4.7C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; I; PPC)"

Netscape Installers taken from ftp.netscape.com;

Mozilla/4.73 = "Mozilla/4.73 (Macintosh; U; PPC)"
Mozilla/4.74 = "Mozilla/4.74 (Macintosh; U; PPC)"
Mozilla/4.75 = "Mozilla/4.75 (Macintosh; U; PPC)"
Mozilla/4.76 = "Mozilla/4.76 (Macintosh; I; PPC)"
Mozilla/4.77 = "Mozilla/4.77 (Macintosh; U; PPC)"

All browsers now work! Does anyone see a flaw in this solution? Should I
file a bug report?

DAve


--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com


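An added example, not from the thread: the BrowserMatch/SetEnvIf rules from the configuration quoted earlier in this thread, applied to the User-Agent strings DAve recorded above plus a few constructed controls, so the effect of a rule can be checked against real log strings before it goes into httpd.conf. Apache's regex library accepted the unbalanced ')' in the PPC pattern; Python's re rejects it, so the ')' is escaped here, which is what the pattern meant. The User-Agent strings marked constructed are assumptions.

```python
import re
from typing import List, Tuple

# (pattern, variables set) pairs as Apache applies them: every matching rule fires.
RULES: List[Tuple[str, List[str]]] = [
    (r"Mozilla/2", ["nokeepalive"]),
    (r"MSIE 4\.0b2;", ["nokeepalive", "downgrade-1.0", "force-response-1.0"]),
    (r"RealPlayer 4\.0", ["force-response-1.0"]),
    (r"Java/1\.0", ["force-response-1.0"]),
    (r"JDK/1\.0", ["force-response-1.0"]),
    (r"MSIE", ["nokeepalive", "ssl-unclean-shutdown", "downgrade-1.0", "force-response-1.0"]),
    (r"Mozilla/4\..*PPC\)$", ["nokeepalive", "downgrade-1.0", "force-response-1.0"]),
]

# User-Agent strings recorded in the thread (Mac Netscape 4.x), then constructed
# controls that must not be caught by the PPC rule.
SAMPLE_AGENTS = [
    "Mozilla/4.61 (Macintosh; I; PPC)",
    "Mozilla/4.76 (Macintosh; I; PPC)",
    "Mozilla/4.7C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; I; PPC)",
    "Mozilla/4.77 (Macintosh; U; PPC)",
    "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",       # constructed: IE 5.5
    "Mozilla/4.76 [en] (X11; U; Linux 2.2.16 i686)",            # constructed: Netscape, Linux
    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.4)",  # constructed: Mozilla 1.4, Mac
]


def env_for_agent(user_agent: str, rules=RULES) -> List[str]:
    """Environment variables the rules would set for one User-Agent, in rule order."""
    env: List[str] = []
    for pattern, variables in rules:
        if re.search(pattern, user_agent):
            for v in variables:
                if v not in env:
                    env.append(v)
    return env


def agents_losing_keepalive(agents=SAMPLE_AGENTS, rules=RULES) -> List[str]:
    """Clients that end up without keep-alive (and so without HTTP/1.1 pipelining)."""
    return [ua for ua in agents if "nokeepalive" in env_for_agent(ua, rules)]


if __name__ == "__main__":
    for ua in SAMPLE_AGENTS:
        print(ua, "->", env_for_agent(ua) or "(no change)")
```

The bare "MSIE" rule catches every IE version, which is the point David Rees makes about keeping it inside the SSL virtual host only; the PPC rule leaves Netscape on other platforms and Mozilla 1.x alone.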



Re: Netscape + ModSSL=Dead slow.

2001-06-20 Thread DAve Goodrich

on 6/19/01 5:02 PM, David Rees at [EMAIL PROTECTED] wrote:

>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]]On Behalf Of DAve Goodrich
>> 
>> It's running alright, I'm tailing the logs in a console as I connect. I'm
>> running Slackware. If you search for this thread in the archives,
>> you'll get
>> everything you ever wanted to know about these boxes ;^)
> 
> I've got a couple things for you to try.
> 
> First of all, what kernel are you running?  Are you running the stock kernel
> with Slackware 7.0?
sysadmin@www2:/usr$ uname -a
Linux www2 2.2.16 #6 Wed Dec 13 15:18:16 /etc/localtime 2000 i686 unknown

Nope, the kernel is stripped of all unneeded goodies, I don't have file
systems other than ext2 compiled in, no sound, only my required inet
drivers, etc. 

> If so, can you try upgrading to 2.2.19?  Previous
> versions had some known TCP/IP bugs which could cause problems like you're
> describing.
> 
Out of curiosity, what problems that would only affect mod_ssl? I'll pull
sources today for 2.2.19+

> If that doesn't work, can you try adding this line?
> 
> BrowserMatch "Mozilla" nokeepalive downgrade-1.0 force-response-1.0
> 
I can do that right away.

> This will disable keepalive for all versions of Netscape and make sure that
> the response is 1.0, not 1.1.  If it helps, we can then tailor it to
> Netscape on the Mac after we figure out what the UserAgent header is.  You
> can pull the UserAgent header out of the log files if you're using the
> combined log format.
> 
> What version of Netscape on the Mac are you using?  Are multiple versions of
> Netscape affected?  And what version of Mac OS?
> 
Mac OS 8.1/8.5/9.0/9.1 running Netscape 4.73/4.74/4.75[en_US] I believe all
combinations were tested, but I won't swear to it.

Working..Working..Working..Working..Working..Working..Working..

DAve.





Re: Netscape + ModSSL=Dead slow.

2001-06-20 Thread DAve Goodrich

on 6/19/01 5:02 PM, David Rees at [EMAIL PROTECTED] wrote:

> 
> I've got a couple things for you to try.

> If that doesn't work, can you try adding this line?
> 
> BrowserMatch "Mozilla" nokeepalive downgrade-1.0 force-response-1.0
> 
> This will disable keepalive for all versions of Netscape and make sure that
> the response is 1.0, not 1.1.  If it helps, we can then tailor it to
> Netscape on the Mac after we figure out what the UserAgent header is.  You
> can pull the UserAgent header out of the log files if you're using the
> combined log format.
YES YES YES YES YES YES!!! instant response!

Log file SAYS..

Mozilla/4.75C-CCK-MCD {C-UDP; EBM-APPLE} (Macintosh; U; PPC)

I will begin testing every version we have available in the testlab and get
a good match. I'll then return this info to the list.

Thank you Dave, where are you at? I'm in Seattle and will be in Indianapolis
this fall. I owe you a beverage of choice.

DAve






Re: Netscape + ModSSL=Dead slow.

2001-06-19 Thread DAve Goodrich

on 6/19/01 11:30 AM, Yu, Ming at [EMAIL PROTECTED] wrote:

> Dave - try "ps -ef | grep http" at the console or a telnet session.  See if
> the apache engine is started.  By the way what OS are you using?
> 
> - Ming
>
It's running alright, I'm tailing the logs in a console as I connect. I'm
running Slackware. If you search for this thread in the archives, you'll get
everything you ever wanted to know about these boxes ;^)

DAve
 
> -Original Message-
> From: DAve Goodrich [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, June 19, 2001 1:12 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Netscape + ModSSL=Dead slow.
> 
> OK, fresh clean install of the following current versions,
> 
> drwxr-xr-x   8 1134 1134 4096 Jun 19 09:55 apache_1.3.20/
> drwxr-xr-x   3 sysadmin wheel4096 Dec 13  2000 mm-1.1.3/
> drwxr-xr-x  10 root root 4096 Jun 19 09:35 mod_ssl-2.8.4-1.3.20/
> drwxr-xr-x  20 root root 4096 Jun 19 09:21 openssl-0.9.6a/
> drwxr-xr-x  16 sysadmin wheel8192 Jun 19 09:49 php-4.0.0/
> 
> I followed the instructions in the INSTALLATION (UNIX) guide to the letter.
> Stopping apache and then restarting after the install produced the exact
> same results, Netscape on a Mac hangs for up to 3 minutes.
> 
> I am currently porked, done, finished, showstoppered,
> gottaFindaNotherSolutionIzed unless someone can offer a suggestion. Is there
> something else I can try?
> 
> Again, is there ANY other information I can send the list?
> 
> DAve
> 
> on 6/5/01 1:09 PM, DAve Goodrich at [EMAIL PROTECTED] wrote:
> 
>> on 6/5/01 12:21 PM, Mads Toftum at [EMAIL PROTECTED] wrote:
>> 
>>> On Tue, Jun 05, 2001 at 10:25:25AM -0700, DAve Goodrich wrote:
>>>> 
>>>> If there is another bug repository, reporting tool, etc, would someone
>>>> please point me to it?
>>> 
>>> Usually the mailing list[1] archive is the place to look - all entries in the
>>> bugdb are sent to the mailing list, but not all answers make it back.
>>> 
>>>> 
>>>> Again, I appreciate the help and suggestions I've gotten, still digging ;^)
>>>> 
>>> I just looked into the archive and saw your answers to one of my questions:
>>> http://www.mail-archive.com/modssl-users@modssl.org/msg11612.html - I must
>>> have missed it the other day. I have previously seen somewhat similar trouble
>>> for others using dbm caches - and they managed to solve it by switching to
>>> MM based session caching. I'm far from sure that it will fix your problem,
>>> but the very short logfile entry that you posted suggests that new entries
>>> are being added to the session cache instead of reusing sessions.
>>> 
>>> [1] http://www.modssl.org/support/
>>> 
>>> vh
>>> 
>>> Mads Toftum
>> 
>> Well I hadn't used it because I didn't want to throw another variable into
>> the mix. I compiled in MM support and tried;
>> 
>> SSLSessionCache shm:/tmp/ssl_scache(512000)
>> 
>> (I have a 1GB of Ram to play with)
>> 
>> Everything else is speeded up quite nicely, but no change with Netscape Mac
>> 8^(
>> 
>> h.
>> 
>> DAve







Re: Netscape + ModSSL=Dead slow.

2001-06-19 Thread DAve Goodrich

OK, fresh clean install of the following current versions,

drwxr-xr-x   8 1134 1134 4096 Jun 19 09:55 apache_1.3.20/
drwxr-xr-x   3 sysadmin wheel4096 Dec 13  2000 mm-1.1.3/
drwxr-xr-x  10 root root 4096 Jun 19 09:35 mod_ssl-2.8.4-1.3.20/
drwxr-xr-x  20 root root 4096 Jun 19 09:21 openssl-0.9.6a/
drwxr-xr-x  16 sysadmin wheel8192 Jun 19 09:49 php-4.0.0/

I followed the instructions in the INSTALLATION (UNIX) guide to the letter.
Stopping apache and then restarting after the install produced the exact
same results, Netscape on a Mac hangs for up to 3 minutes.

I am currently porked, done, finished, showstoppered,
gottaFindaNotherSolutionIzed unless someone can offer a suggestion. Is there
something else I can try?

Again, is there ANY other information I can send the list?

DAve

on 6/5/01 1:09 PM, DAve Goodrich at [EMAIL PROTECTED] wrote:

> on 6/5/01 12:21 PM, Mads Toftum at [EMAIL PROTECTED] wrote:
> 
>> On Tue, Jun 05, 2001 at 10:25:25AM -0700, DAve Goodrich wrote:
>>> 
>>> If there is another bug repository, reporting tool, etc, would someone
>>> please point me to it?
>> 
>> Usually the mailing list[1] archive is the place to look - all entries in the
>> bugdb are sent to the mailing list, but not all answers make it back.
>> 
>>> 
>>> Again, I appreciate the help and suggestions I've gotten, still digging ;^)
>>> 
>> I just looked into the archive and saw your answers to one of my questions:
>> http://www.mail-archive.com/modssl-users@modssl.org/msg11612.html - I must
>> have missed it the other day. I have previously seen somewhat similar trouble
>> for others using dbm caches - and they managed to solve it by switching to
>> MM based session caching. I'm far from sure that it will fix your problem,
>> but the very short logfile entry that you posted suggests that new entries
>> are being added to the session cache instead of reusing sessions.
>> 
>> [1] http://www.modssl.org/support/
>> 
>> vh
>> 
>> Mads Toftum
> 
> Well I hadn't used it because I didn't want to throw another variable into
> the mix. I compiled in MM support and tried;
> 
> SSLSessionCache     shm:/tmp/ssl_scache(512000)
> 
> (I have a 1GB of Ram to play with)
> 
> Everything else is speeded up quite nicely, but no change with Netscape Mac
> 8^(
> 
> h.
> 
> DAve






Re: Firewall shows 80 in/out, Apache shows nothing

2001-06-12 Thread Dave Paris

Dave, 

Unfortunately, those "firewall logs" are all but worthless as they don't
detail what type of packet is being sent and what the reply is, nor the
source port for the reply.  Trying to ascertain what's going on here
without real packet data is akin to looking at railroad tracks and
wondering which way the train went.

--dsp

Deocs Postmaster wrote:
> 
> >On Mon, 11 Jun 2001, Deocs Postmaster wrote:
> >
> > > The following is from my firewall log file:
> > >
> > > Incoming:
> > > 06/11/2001 19:19:59 200.4.193.240[3268] ==> 192.168.1.100[80]
> > > 06/11/2001 19:19:59 200.4.193.240[3268] ==> 192.168.1.100[80]
> > > 06/11/2001 19:20:00 200.4.193.240[3268] ==> 192.168.1.100[80]
> > > 06/11/2001 19:20:00 200.4.193.240[3268] ==> 192.168.1.100[80]
> > >
> > > Outgoing:
> > > 06/11/2001 19:19:59 192.168.1.100 ==> 200.4.193.240[3268]
> > >
> > > My Apache logs don't show any traffic for 200.4.193.240, but
> > > does show the other hit-by-hit traffic.  This particular hit was
> > > from Peru.  I recall seeing the same thing from China earlier.
> > >
> > > How did it go in and out, but not show up in any Apache log files?
> >
> >
> >Well, this has nothing to do with mod_ssl, but to answer your question,
> >this would happen anytime somebody connects to your server and disconnects
> >before making an actual HTTP request.  Maybe they STARTED to make one and
> >disconnected mid-request.
> 
> Thanks for the reply, I may have been ambiguous in my email.
> The incoming firewall shows four hits and the outgoing shows
> one reply.  None of the Apache log files show any traffic
> to or from 200.4.193.240.  Would the outgoing traffic be present
> if they disconnected mid-request?
> 
> My security concern is that it appears that some message was sent
> to port 80 on the server, and that computer appears to have replied,
> but I can't see in the log files that Apache was the program that
> replied.  So what program on the server sent the outgoing message?
> 
> Thanks,
> Dave
> (I sent a similar reply earlier, but it hasn't surfaced yet)



Re: Netscape + ModSSL=Dead slow.

2001-06-05 Thread DAve Goodrich

on 6/5/01 12:21 PM, Mads Toftum at [EMAIL PROTECTED] wrote:

> On Tue, Jun 05, 2001 at 10:25:25AM -0700, DAve Goodrich wrote:
>> 
>> If there is another bug repository, reporting tool, etc, would someone
>> please point me to it?
> 
> Usually the mailing list[1] archive is the place to look - all entries in the
> bugdb are sent to the mailing list, but not all answers make it back.
> 
>> 
>> Again, I appreciate the help and suggestions I've gotten, still digging ;^)
>> 
> I just looked into the archive and saw your answers to one of my questions:
> http://www.mail-archive.com/modssl-users@modssl.org/msg11612.html - I must
> have missed it the other day. I have previously seen somewhat similar trouble
> for others using dbm caches - and they managed to solve it by switching to
> MM based session caching. I'm far from sure that it will fix your problem,
> but the very short logfile entry that you posted suggests that new entries
> are being added to the session cache instead of reusing sessions.
> 
> [1] http://www.modssl.org/support/
> 
> vh
> 
> Mads Toftum

Well I hadn't used it because I didn't want to throw another variable into
the mix. I compiled in MM support and tried;

SSLSessionCache shm:/tmp/ssl_scache(512000)

(I have a 1GB of Ram to play with)

Everything else is speeded up quite nicely, but no change with Netscape Mac
8^(

h.

DAve





Re: Netscape + ModSSL=Dead slow.

2001-06-05 Thread DAve Goodrich

After much troubleshooting, thanks Marcel and Ray, I'm no closer than when I
started. I did look high and low for info and found some other posts/bugs
with the same problem I am experiencing that have also gone unresolved.

http://www.modssl.org/support/bugdb/index.cgi/open?id=491;page=35;user=guest
http://www.modssl.org/support/bugdb/index.cgi/open?id=485;user=guest;selectid=485
http://marc.theaimsgroup.com/?l=apache-modssl&m=98882322530871&w=2
http://marc.theaimsgroup.com/?l=apache-modssl&m=97830080628611&w=2

I have also read the Manuals and FAQ and any third party info I could find
such as, 
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC43

I am open to suggestions, changes I might make, tests I can run, anything
someone with more knowledge might need to arrive at a fix.

As I've stated before I will upgrade if there is a known or demonstrated
problem, but the combination of software I currently run is tried and
dependable and worked perfectly prior to installation of mod_ssl. I'm not in
the habit of upgrading blindly as a troubleshooting step ;^)

Curiously I may have been looking in the wrong bug database. I went to
http://www.modssl.org/support/bugdb/ but I noticed that it seems to be
untended as there were many entries such as these,

http://www.modssl.org/support/bugdb/index.cgi/open?id=466;page=32;user=guest
http://www.modssl.org/support/bugdb/index.cgi/open?id=462;page=32;user=guest
http://www.modssl.org/support/bugdb/index.cgi/open?id=446;page=30;user=guest
http://www.modssl.org/support/bugdb/index.cgi/open?id=432;page=29;user=guest
http://www.modssl.org/support/bugdb/index.cgi/open?id=403;page=26;user=guest
http://www.modssl.org/support/bugdb/index.cgi/open?id=367;page=22;user=guest

If there is another bug repository, reporting tool, etc, would someone
please point me to it?

Again, I appreciate the help and suggestions I've gotten, still digging ;^)

DAve

on 5/25/01 4:51 PM, DAve Goodrich at [EMAIL PROTECTED] wrote:

> I'll throw my hat in on this one. I also have looked high and low for an
> answer without luck. The logs tell me nothing about what might be going
> wrong. I did read and use the suggestions from the FAQ and Ref manual before
> searching the list.
> 
> Slackware 7.0
> Apache 1.3.12
> mod_ssl-2.6.6-1.3.12
> openssl-0.9.6
> 
> Netscape 4.7.X on a Mac literally crawls. MSIE, Mozilla, Opera have no
> problems. Netscape on a PC seems OK as does Netscape on Unix.
> 
> DAve.






Re: Netscape + ModSSL=Dead slow.

2001-06-01 Thread DAve Goodrich

Ok I can get that cert and connect just fine. That makes two servers that
work so the obvious question is "What did I do wrong?".

I'll look at your conf file but I wonder if it isn't something in my build
that is wrong. I did RTFM, and I had no errors or warnings. I also didn't do
a "make clean" so I can reproduce my steps ;^)

DAve

on 6/1/01 1:35 PM, McCaffity, Ray at [EMAIL PROTECTED] wrote:

> I see you're on Willows in Redmond, I used to work at the corner of Willows
> at 148th
> at AT&T there in Redmond.  We have Macs that can get this certificate.
> You might try http://ns2.e-williams.net  It has a locally created
> certificate.
> I will send you my conf file if this works.
> 
> Ray McCaffity
> 
> -Original Message-
> From: DAve Goodrich [mailto:[EMAIL PROTECTED]]
> Sent: Friday, June 01, 2001 10:57 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Netscape + ModSSL=Dead slow.
> 
> 
> Troubleshooting I can sink my teeth into.
> 
> on 5/31/01 2:12 PM, Mads Toftum at [EMAIL PROTECTED] wrote:
> 
>> On Thu, May 31, 2001 at 10:56:04AM -0700, DAve Goodrich wrote:
>>> Current update on this problem;
>>> 
>>> I've been sniffing the TCP stream while logging in with Netscape/PC and
>>> Netscape/Mac. Interestingly the Mac version appears to load three objects
>>> (images) and then wait for 18 seconds. Then load another three objects and
>>> again wait 18 seconds. Etc etc etc.
>> 
>> Hmmm - what is your SSLSessionCache set to?
> 
> 
> SSLPassPhraseDialog  builtin
> SSLSessionCache dbm:/tmp/ssl_scache
> SSLSessionCacheTimeout  300
> SSLMutex  file:/tmp/ssl_mutex
> SSLRandomSeed startup file:/dev/urandom 512
> #SSLRandomSeed startup builtin
> SSLRandomSeed connect file:/dev/urandom 512
> #SSLRandomSeed connect builtin
> SSLLog  /usr/local/apache/logs/ssl_engine_log
> SSLLogLevel trace
> #SSLLogLevel info
> 
> 
> 
> 
>> And when looking at your Apache
>> logs, does it show session cache hits or misses?
> 
> This is my only mention of "Session" in the logs. From "ssl_engine_log";
> 
> [31/May/2001 09:20:58 02358] [trace] Inter-Process Session Cache:
> request=SET status=OK
> id=36ED0D71FB6E54389AAFD21BC519884910C3F958A165E431C19B9EAFB550C671
> timeout=299s (session caching)
> 
> 
>> In Netscape under
>> "Security/Passwords/Netscape will ask for this Password:"
>> what is it set to?
> 
> Choice #1 "The first time your certificate is needed"
> 
> Interestingly Marcel Erkens let me hit against his ssl server (I came from
> 216.122.43.219 if you want to check your logs) and Netscape worked
> perfectly. This confirms it is something in the setup or configuration of my
> machines.
> 
> Still digging
> 
> DAve






Re: Netscape + ModSSL=Dead slow.

2001-06-01 Thread DAve Goodrich

I apologise for that typo, the version of apache I'm running is in fact
1.3.12. 

DAve.

on 5/31/01 4:50 PM, David Rees at [EMAIL PROTECTED] wrote:

>> Of course ;^)  Our web app is built around PHP+CPDF+GD+Openlink, to get
>> everything to compile without errors I can't use bleeding edge releases. I'm
>> running Apache 1.2.13 and PHP 4.0.0 because they are rock solid for me. CPDF
>> and GD compile best against PHP 4.0.0, and Openlink compiles best against
>> Slack 7.0 (actually, kernel 2.2.13).
>> 
>> As to mod_ssl and openssl, well they were current when I started this..
>> I've also discovered that staying one version behind (provided it has no
>> major flaws) greatly increases one's chance of finding info in FAQ, mail list
>> archives, etc.
>> 
>> Is there a known problem with either of these versions? Jeeez I hope I
>> didn't miss a message.
> 
> Well, PHP 4.0.0 has known security holes, so you might want to avoid that.
> Upgrading to PHP 4.0.5 is recommended, although this shouldn't have any
> affect on your particular problem.
> 
> You also really should be using a version of OpenSSL which matches Apache, I
> didn't even know that modssl-2.6.6-1.3.12 would work against Apache 1.2.13.
> I would at the very least upgrade to Apache 1.3.12.  Upgrading to Apache
> 1.3.20 is also recommended because of some security holes found in older
> releases as well.
> 
> If you really want to use modssl 2.6.6, you probably should stick with
> OpenSSL 0.9.5a which was available at the time of release of 2.6.6.  OpenSSL
> 0.9.6 wasn't released until Sep 24, a month after modssl 2.6.6.
> 
> -Dave
> 






Re: Netscape + ModSSL=Dead slow.

2001-06-01 Thread DAve Goodrich

Troubleshooting I can sink my teeth into.

on 5/31/01 2:12 PM, Mads Toftum at [EMAIL PROTECTED] wrote:

> On Thu, May 31, 2001 at 10:56:04AM -0700, DAve Goodrich wrote:
>> Current update on this problem;
>> 
>> I've been sniffing the TCP stream while logging in with Netscape/PC and
>> Netscape/Mac. Interestingly the Mac version appears to load three objects
>> (images) and then wait for 18 seconds. Then load another three objects and
>> again wait 18 seconds. Etc etc etc.
> 
> Hmmm - what is your SSLSessionCache set to?


SSLPassPhraseDialog  builtin
SSLSessionCache dbm:/tmp/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:/tmp/ssl_mutex
SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed startup builtin
SSLRandomSeed connect file:/dev/urandom 512
#SSLRandomSeed connect builtin
SSLLog  /usr/local/apache/logs/ssl_engine_log
SSLLogLevel trace
#SSLLogLevel info

> And when looking at your Apache
> logs, does it show session cache hits or misses?

This is my only mention of "Session" in the logs. From "ssl_engine_log";

[31/May/2001 09:20:58 02358] [trace] Inter-Process Session Cache:
request=SET status=OK
id=36ED0D71FB6E54389AAFD21BC519884910C3F958A165E431C19B9EAFB550C671
timeout=299s (session caching)


> In Netscape under
> "Security/Passwords/Netscape will ask for this Password:"
> what is it set to?

Choice #1 "The first time your certificate is needed"

Interestingly Marcel Erkens let me hit against his ssl server (I came from
216.122.43.219 if you want to check your logs) and Netscape worked
perfectly. This confirms it is something in the setup or configuration of my
machines.

Still digging

DAve



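Mads asks whether the log shows session cache hits or misses, and the only line Dave found was a SET. As an added example (not code from the thread or from mod_ssl), this Python script parses mod_ssl 2.x "Inter-Process Session Cache" trace lines and reports stores, reuse hits, misses and the sessions that were stored but never resumed; the sample log is constructed and modelled on the SET line quoted above, with shortened placeholder session ids, and the exact wording of the GET lines is an assumption about the trace format.

```python
import re
from collections import Counter

# Constructed sample (not the poster's actual log): ssl_engine_log lines at
# "SSLLogLevel trace", modelled on the SET line quoted in the thread. The GET
# lines are an assumption about how reuse and a miss are traced; the session
# ids are shortened placeholders.
SAMPLE_LOG = """\
[31/May/2001 09:20:58 02358] [trace] Inter-Process Session Cache: request=SET status=OK id=36ED0D71 timeout=299s (session caching)
[31/May/2001 09:20:59 02359] [trace] Inter-Process Session Cache: request=GET status=FOUND id=36ED0D71 (session reuse)
[31/May/2001 09:20:59 02360] [trace] Inter-Process Session Cache: request=GET status=FOUND id=36ED0D71 (session reuse)
[31/May/2001 09:21:17 02361] [trace] Inter-Process Session Cache: request=SET status=OK id=A1B2C3D4 timeout=299s (session caching)
[31/May/2001 09:21:35 02362] [trace] Inter-Process Session Cache: request=GET status=MISSED id=DEADBEEF (session renewal)
[31/May/2001 09:21:35 02362] [trace] Inter-Process Session Cache: request=SET status=OK id=5E6F7A8B timeout=299s (session caching)
"""

LINE_RE = re.compile(
    r"Inter-Process Session Cache: request=(?P<req>SET|GET) "
    r"status=(?P<status>\w+) id=(?P<id>[0-9A-Fa-f]+)"
)


def parse_cache_events(log_text):
    """Yield (request, status, session_id) for each session-cache trace line;
    other log lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("req"), m.group("status"), m.group("id")


def session_cache_stats(log_text):
    """Count cache stores, reuse hits and misses, and list the session ids
    that were stored but never looked up again (each of those cost a full
    handshake that was never amortised by resumption)."""
    counts = Counter()
    stored, reused = set(), set()
    for req, status, sid in parse_cache_events(log_text):
        if req == "SET" and status == "OK":
            counts["set"] += 1
            stored.add(sid)
        elif req == "GET" and status == "FOUND":
            counts["hit"] += 1
            reused.add(sid)
        elif req == "GET":
            counts["miss"] += 1
    return {
        "set": counts["set"],
        "hit": counts["hit"],
        "miss": counts["miss"],
        "never_reused": sorted(stored - reused),
    }


def diagnose(stats):
    """One-line verdict in the terms Mads asked about: hits versus misses.
    A log with only SET lines means no client ever tried to resume."""
    lookups = stats["hit"] + stats["miss"]
    if lookups == 0 and stats["set"] > 0:
        return "no resumption: every connection stored a new session"
    if lookups == 0:
        return "no session cache activity logged"
    ratio = stats["hit"] / lookups
    return f"resumption hit ratio {ratio:.0%} ({stats['hit']}/{lookups})"


if __name__ == "__main__":
    stats = session_cache_stats(SAMPLE_LOG)
    print(stats)
    print(diagnose(stats))
```

Run against a real ssl_engine_log, a stream of SET lines with no GET lines is the pattern Mads describes: new entries added on every connection and nothing reused.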



Re: Netscape + ModSSL=Dead slow.

2001-06-01 Thread DAve Goodrich

As an exercise to see if I made simple typos, I compared my httpd.conf
against a known working httpd.conf and saw no difference. I also had another
set of eyes look it over. Nothing noticed, I can post if need be.

I'm left thinking there is something incorrect in the method in which I
built mod_ssl. I used the info and instructions from;

http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL

I did this for two reasons, one RTFM is good. Two, I've built so many
Apache/PHP sets I was afraid overconfidence would cause me to miss something
if I didn't go step by step. I used method B, the "flexible APACI-only way".

mod_ssl was built with a simple;

./configure \
"--with-apache=../apache_1.3.12-ssl" \
"--with-ssl=../openssl-0.9.6" \
"--with-mm=../mm-1.1.3" \
"--enable-rule=SSL_SDBM" \
"--enable-shared=ssl" \
"--disable-rule=SSL_COMPAT" \
"--prefix=/usr/local/apache" \

I'm looking to see what I can test on the CL to verify my openssl install is
correct.

DAve

on 6/1/01 8:57 AM, DAve Goodrich at [EMAIL PROTECTED] wrote:

> Troubleshooting I can sink my teeth into.
> 
> on 5/31/01 2:12 PM, Mads Toftum at [EMAIL PROTECTED] wrote:
> 
>> On Thu, May 31, 2001 at 10:56:04AM -0700, DAve Goodrich wrote:
>>> Current update on this problem;
>>> 
>>> I've been sniffing the TCP stream while logging in with Netscape/PC and
>>> Netscape/Mac. Interestingly the Mac version appears to load three objects
>>> (images) and then wait for 18 seconds. Then load another three objects and
>>> again wait 18 seconds. Etc etc etc.
>> 
>> Hmmm - what is your SSLSessionCache set to?
> 
> 
> SSLPassPhraseDialog  builtin
> SSLSessionCache dbm:/tmp/ssl_scache
> SSLSessionCacheTimeout  300
> SSLMutex  file:/tmp/ssl_mutex
> SSLRandomSeed startup file:/dev/urandom 512
> #SSLRandomSeed startup builtin
> SSLRandomSeed connect file:/dev/urandom 512
> #SSLRandomSeed connect builtin
> SSLLog  /usr/local/apache/logs/ssl_engine_log
> SSLLogLevel trace
> #SSLLogLevel info
> 
>> And when looking at your Apache
>> logs, does it show session cache hits or misses?
> 
> This is my only mention of "Session" in the logs. From "ssl_engine_log";
> 
> [31/May/2001 09:20:58 02358] [trace] Inter-Process Session Cache:
> request=SET status=OK
> id=36ED0D71FB6E54389AAFD21BC519884910C3F958A165E431C19B9EAFB550C671
> timeout=299s (session caching)
> 
> 
>> In Netscape under
>> "Security/Passwords/Netscape will ask for this Password:"
>> what is it set to?
> 
> Choice #1 "The first time your certificate is needed"
> 
> Interestingly Marcel Erkens let me hit against his ssl server (I came from
> 216.122.43.219 if you want to check your logs) and Netscape worked
> perfectly. This confirms it is something in the setup or configuration of my
> machines.
> 
> Still digging
> 
> DAve






Re: Netscape + ModSSL=Dead slow.

2001-05-31 Thread DAve Goodrich

on 5/31/01 2:08 PM, David Rees at [EMAIL PROTECTED] wrote:

>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED]]On Behalf Of DAve Goodrich
>> 
>> Maybe..  but the Netscape I'm testing works perfectly with Amazon, ebay,
>> B&N, etc etc etc. I've tried with Win2k servers, Solaris, Stronghold, all
>> work fine.
>> 
>> Anyone have a mod_ssl server I can try against? mod_ssl version number
>> different and same as mine for comparison would be excellent.
>> 
>> Slackware 7.0
>> Apache 1.2.13
>> mod_ssl-2.6.6-1.3.12
>> openssl-0.9.6
> 
> Any reason you're running an old version of Apache/mod_ssl and openssl?
> 
> -Dave
Of course ;^)  Our web app is built around PHP+CPDF+GD+Openlink, to get
everything to compile without errors I can't use bleeding edge releases. I'm
running Apache 1.2.13 and PHP 4.0.0 because they are rock solid for me. CPDF
and GD compile best against PHP 4.0.0, and Openlink compiles best against
Slack 7.0 (actually, kernel 2.2.13).

As to mod_ssl and openssl, well they were current when I started this..
I've also discovered that staying one version behind (provided it has no
major flaws) greatly increases one's chance of finding info in FAQ, mail list
archives, etc.

Is there a known problem with either of these versions? Jeeez I hope I
didn't miss a message.

DAve





Re: Netscape + ModSSL=Dead slow.

2001-05-31 Thread DAve Goodrich

Maybe..  but the Netscape I'm testing works perfectly with Amazon, ebay,
B&N, etc etc etc. I've tried with Win2k servers, Solaris, Stronghold, all
work fine.

Anyone have a mod_ssl server I can try against? mod_ssl version number
different and same as mine for comparison would be excellent.

Slackware 7.0
Apache 1.2.13
mod_ssl-2.6.6-1.3.12
openssl-0.9.6

DAve

on 5/31/01 11:42 AM, McCaffity, Ray at [EMAIL PROTECTED] wrote:

> We have several Macs all running OS 9.1 using MSIE 5,
> Web server is Apache1.3.20+mod_ssl+openSSL0.9.6a
> We don't have any problems.  Maybe it's a Netscape thing?
> 
> -Original Message-
> From: DAve Goodrich [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 31, 2001 12:56 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Netscape + ModSSL=Dead slow.
> 
> 
> Current update on this problem;
> 
> I've been sniffing the TCP stream while logging in with Netscape/PC and
> Netscape/Mac. Interestingly the Mac version appears to load three objects
> (images) and then wait for 18 seconds. Then load another three objects and
> again wait 18 seconds. Etc etc etc.
> 
> Very strange, the PC Netscape loads the entire page in under a second.
> 
> I have also tried using Netscape/Mac with differing security levels. Using
> the security tool in Netscape I have tried turning off SSLv2 or SSLv3 at the
> client, including changing the requested ciphers. Any combination of the
> below, on or off, makes no difference, Netscape/Mac still crawls.
> 
> RC4 encryption with a 128-bit key and an MD5 MAC
> FIPS 140-1 compliant triple DES encryption and SHA-1 MAC
> Triple DES encryption with a 168-bit key and a SHA-1 MAC
> FIPS 140-1 compliant DES encryption and SHA-1 MAC
> DES encryption with a 56-bit key and a SHA-1 MAC
> RC4 encryption with a 56-bit key and a SHA-1 MAC
> DES encryption in CBC mode with a 56-bit key and a SHA-1 MAC
> RC4 encryption with a 40-bit key and an MD5 MAC
> RC2 encryption with a 40-bit key and an MD5 MAC
> No encryption with an MD5 MAC
> 
> Any clues yet? Is there anything I can do, record, reconfig, chant, to try
> and find an answer for this?
> 
>   Hello?
> 
> on 5/29/01 1:22 PM, DAve Goodrich at [EMAIL PROTECTED] wrote:
> 
>> More information on this. I have dropped down to SSLv2 with no change.
>> Netscape is still slow. Testing on a local LAN (100mb duplex, only my
>> client), server config unchanged.
>> 
>> Netscape 4.75 on a Mac G4 running MacOS 9.1. A test page loads in slightly
>> more than three minutes, the same page when viewed on a PC running Win2K and
>> Netscape 4.75 loads in under 1/2 second.
>> 
>> I have ssl_engine_log files available run in  mode if
>> someone would look at them. It appears, "appears", that the Mac Netscape is
>> doing many things twice.
>> 
>> DAve
>> 
>> TS continues...
>> 
>> on 5/25/01 4:51 PM, DAve Goodrich at [EMAIL PROTECTED] wrote:
>> 
>>> I'll throw my hat in on this one. I also have looked high and low for an
>>> answer without luck. The logs tell me nothing about what might be going
>>> wrong. I did read and use the suggestions from the FAQ and Ref manual before
>>> searching the list.
>>> 
>>> Slackware 7.0
>>> Apache 1.2.13
>>> mod_ssl-2.6.6-1.3.12
>>> openssl-0.9.6
>>> 
>>> Netscape 4.7.X on a Mac literally crawls. MSIE, Mozilla, Opera have no
>>> problems. Netscape on a PC seems OK as does Netscape on Unix.
>>> 
>>> DAve.

--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: Netscape + ModSSL=Dead slow.

2001-05-31 Thread DAve Goodrich

Current update on this problem;

I've been sniffing the TCP stream while logging in with Netscape/PC and
Netscape/Mac. Interestingly the Mac version appears to load three objects
(images) and then wait for 18 seconds. Then load another three objects and
again wait 18 seconds. Etc etc etc.

Very strange, the PC Netscape loads the entire page in under a second.

I have also tried using Netscape/Mac with differing security levels. Using
the security tool in Netscape I have tried turning off SSLv2 or SSLv3 at the
client, including changing the requested ciphers. Any combination of the
below, on or off, makes no difference, Netscape/Mac still crawls.

RC4 encryption with a 128-bit key and an MD5 MAC
FIPS 140-1 compliant triple DES encryption and SHA-1 MAC
Triple DES encryption with a 168-bit key and a SHA-1 MAC
FIPS 140-1 compliant DES encryption and SHA-1 MAC
DES encryption with a 56-bit key and a SHA-1 MAC
RC4 encryption with a 56-bit key and a SHA-1 MAC
DES encryption in CBC mode with a 56-bit key and a SHA-1 MAC
RC4 encryption with a 40-bit key and an MD5 MAC
RC2 encryption with a 40-bit key and an MD5 MAC
No encryption with an MD5 MAC

Any clues yet? Is there anything I can do, record, reconfig, chant, to try
and find an answer for this?

  Hello?

on 5/29/01 1:22 PM, DAve Goodrich at [EMAIL PROTECTED] wrote:

> More information on this. I have dropped down to SSLv2 with no change.
> Netscape is still slow. Testing on a local LAN (100mb duplex, only my
> client), server config unchanged.
> 
> Netscape 4.75 on a Mac G4 running MacOS 9.1. A test page loads in slightly
> more than three minutes, the same page when viewed on a PC running Win2K and
> Netscape 4.75 loads in under 1/2 second.
> 
> I have ssl_engine_log files available run in  mode if
> someone would look at them. It appears, "appears", that the Mac Netscape is
> doing many things twice.
> 
> DAve
> 
> TS continues...
> 
> on 5/25/01 4:51 PM, DAve Goodrich at [EMAIL PROTECTED] wrote:
> 
>> I'll throw my hat in on this one. I also have looked high and low for an
>> answer without luck. The logs tell me nothing about what might be going
>> wrong. I did read and use the suggestions from the FAQ and Ref manual before
>> searching the list.
>> 
>> Slackware 7.0
>> Apache 1.2.13
>> mod_ssl-2.6.6-1.3.12
>> openssl-0.9.6
>> 
>> Netscape 4.7.X on a Mac literally crawls. MSIE, Mozilla, Opera have no
>> problems. Netscape on a PC seems OK as does Netscape on Unix.
>> 
>> DAve.

--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com





Re: Netscape + ModSSL=Dead slow.

2001-05-25 Thread DAve Goodrich

I'll throw my hat in on this one. I also have looked high and low for an
answer without luck. The logs tell me nothing about what might be going
wrong. I did read and use the suggestions from the FAQ and Ref manual before
searching the list.

Slackware 7.0
Apache 1.2.13
mod_ssl-2.6.6-1.3.12
openssl-0.9.6

Netscape 4.7.X on a Mac literally crawls. MSIE, Mozilla, Opera have no
problems. Netscape on a PC seems OK as does Netscape on Unix.

DAve.

--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com





Re: HEAD / HTTP/1.0

2001-05-07 Thread DAve Goodrich

on 5/7/01 12:32 PM, R. DuFresne at [EMAIL PROTECTED] wrote:

> 
> Then why pray tell is OS finger printing so important to a cracker?  Why
> are the major vendors beefing up issues such as tcp sequence number
> prediction and obscuring their OS's from easy OS type determination?  Even
> the DNS/Bind folks have added the ability to their daemon to hide its
> version and such from outside connects.
> 

It has been my experience, right or wrong, that OS fingerprinting is more to
identify a certain OS (which will remain nameless) than anything else.

Having spent that last year on two *heavily* scanned networks, oz.net and
lightrealm.net, most of what I have seen is easily stopped with a good
firewall, log reviews, and an alert sysadmin. How do you define "cracker"?
Is it some kid who wants to springboard off your machine, a simple resource
thief? Or do you actually have data the cracker wants, credit card numbers?

The first might be slowed down by concealing your OS. The second will see it
as a challenge, or minor inconvenience, but I do not think it will stop him.
Your best defense is being security aware, and minding your boxes.

DAve

PS. I make no attempt to conceal any of my four servers in three domains;
neither netcraft nor portscanners seem to get the server configuration right
anyway. I am running multiple OS's and differing configs and they are now,
and always have been, wrong.
--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com





Re: HEAD / HTTP/1.0

2001-05-07 Thread DAve Goodrich

on 5/7/01 7:50 AM, James Hastings-Trew at [EMAIL PROTECTED] wrote:

> on 5/7/01 5:34 AM, Deocs Postmaster at [EMAIL PROTECTED] wrote:
> 
>> From telnet this command returns the type of server,
>> installed modules, and other information.  That info
>> is tabulated and tracked by www.netcraft.com (who also
>> infers the operating system) and can help an attacker
>> find a website's vulnerabilities.
> 
> You want to run a secure server but you have telnet access to it. Seems like
> the server info is the least of your security problems.
> 
Telnet to port 80 is a simple and common method to get server info,
specifically making a HEAD request. I don't believe his intent was to use
the telnet port to talk to apache.


--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com



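A defender-side check for what this thread discusses, added here and not code from the list or from Apache: it sends the HEAD request the thread describes to a host you administer and grades how much the Server header gives away. The sample banners are constructed (the first follows the Apache 1.3 banner format seen in log lines elsewhere on this page); `fetch_banner` assumes a plain HTTP listener.

```python
"""Grade what an HTTP server discloses in its Server header via a HEAD request."""
import http.client
import re

# Constructed sample banners, not captured from any real host.
SAMPLE_BANNERS = [
    "Apache/1.3.12 (Unix) mod_ssl/2.6.1 OpenSSL/0.9.5 PHP/3.0.15",
    "Apache",
    "",
]

# "name/version" tokens are what an inventory such as netcraft's records;
# the parenthesised part, if present, is the OS hint the thread worries about.
VERSION_TOKEN = re.compile(r"[A-Za-z_\-]+/\d[\w.\-]*")
OS_HINT = re.compile(r"\(([^)]+)\)")


def classify_banner(banner):
    """Return a dict describing how much a Server banner reveals.

    level: "none" (no header), "minimal" (product only, e.g. what Apache's
    ServerTokens directive reduces it to) or "detailed" (module versions).
    """
    banner = banner or ""
    versions = VERSION_TOKEN.findall(banner)
    os_hint = OS_HINT.search(banner)
    if not banner:
        level = "none"
    elif not versions:
        level = "minimal"
    else:
        level = "detailed"
    return {"level": level, "versions": versions,
            "os": os_hint.group(1) if os_hint else None}


def fetch_banner(host, port=80, timeout=5):
    """Send HEAD / to a server you administer and return its Server header.

    http.client speaks HTTP/1.1 rather than the HTTP/1.0 of the thread's
    telnet example; the Server header is the same either way.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server", "")
    finally:
        conn.close()


if __name__ == "__main__":
    for sample in SAMPLE_BANNERS:
        print(repr(sample), "->", classify_banner(sample))
```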


Re: 1024 bit key necessary?

2001-03-26 Thread DAve Goodrich

Thanks for answers, testing here showed no real difference for me with a
pounder script running so I'm opting for the 1024bit key and we will see how
it goes.

Thanks.

on 3/23/01 1:40 PM, Rich Salz at [EMAIL PROTECTED] wrote:

> The 'best practices' standard *for everyone who doesn't have to support
> older browsers that only did 512bit keys* is a 1024 bit key.
> 
> RSA operations are only done at the start of an SSL session, not at each
> HTTP(S) connection.  (Because public key is so expensive, it's typically
> only used to exchange a bulk symmetric key for application data
> encrypt/decrypt.)
> /r$
> 

--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com





1024 bit key necessary?

2001-03-23 Thread DAve Goodrich

If my data is not monetary or financial in origin, is a 1024 key really
needed? The reason I ask is that my data is really not useful to anyone
other than our customers, but it does require security. Since I am running a
web application, somewhat heavy in the graphics, wouldn't a smaller key be
advantageous to me for performance?

How safe is a smaller key, in real world terms?

Thanks,

DAve
--
Dave Goodrich
Director of Interface Development
Reality Based Learning Company
9521 NE Willows Road, Suite 100
Redmond, WA 98052 
Toll Free 1-877-869-6603 ext. 237
Fax (425) 558-5655 
[EMAIL PROTECTED] 
http://www.rblc.com





Re: Apache 2.0

2001-03-05 Thread Dave Paris

[..snip a bunch of sane pondering at completely inexplicable behavior by
third parties..]

> The only thing I currently know is that with Apache 2.0 it seems that we
> again will have the same SSL/TLS problem as we had three years ago with
> Apache 1.3 (means: an unpolished 70% percent solution). And I also know
> that someone (not necessarily me) will again find this not satisfactory.
> What approach then is used to change this we all still don't know...

Ralf, take heart that you're not alone here.  As much as I believe in
and work for OpenSource projects, this is the Achilles heel of them
all.  They completely forget they are still developing applications for
a USER BASE.  When their internal politics flies in the face of what's
best for that user base, the project comes off looking like it was done
by a gaggle of immature, clue-challenged fruckwits who cannot grasp the
basics of how to run a successful project.

Apache has been (arguably) one of the best OS projects to date.  It
pains me to see the obvious, and most successful current SSL
implementation not be chosen for the 2.0 revision.  I definitely don't
recall seeing a user-community vote on the topic of SSL/TLS choice for
the 2.0 revision.  I'm sure there are many folks who would have
appreciated the opportunity to have voiced their opinion.  Heck, even
large companies like Computer Associates take polls of that nature.

After all, if the project doesn't do its best to increasingly serve the
user base that's grown along with it, what's the point?  Surely the
point can't be politics - that's reserved for those extra-special folks
who speak far more and work far less.

just my $0.02 at the state of some recent, mind-bogglingly stupid moves
in the OpenSource community.

--dsp



Solaris+DSO+SSL+Jrun+etc.=Segfault

2000-12-17 Thread Dave Caplinger

Yes, I'm yet another person having segmentation fault problems with Apache,
mod_ssl, openssl, DSO, and . :-)  Adding the newest jrun (3.0.1) triggered
this for me; the older jrun connector module (2.3.3) worked just fine with
all of the other modules.

Here's my environment:

I started with:

Solaris 2.6
apache 1.3.12
mod_ssl 2.6.2
openssl 0.9.5 (built with -fPIC)
rsaref 2.0
mm 1.0.12 (built with --disable-shared)
mod_php 3.0.16
mod_dav 1.0.1
mod_jrun 2.3.3

Everything worked great.  But of course we need the new features of jrun
3.0.1... so I upgraded only that module and it caused never-ending

[notice] child pid  exit signal Segmentation Fault (11)

errors in /usr/local/apache/logs/error_log .

So, I started upgrading things, because getting ahold of allaire tech
support was taking a while, and I just knew that they were going to say to
do this first.

So now I'm at:

Solaris 2.6
apache 1.3.14
mod_ssl 2.7.1
openssl 0.9.6 (built with -fPIC)
rsaref 2.0
mm 1.1.3 (built with --disable-shared)
mod_php 3.0.16 (I did not want to get involved w/ php4 at this point)
mod_dav 1.0.2
mod_jrun 3.0.1

and this has not helped at all.
(turning off mod_php and/or mod_dav make no difference, BTW.)

Turning off SSL ("apachectl start" rather than "startssl") makes JRun happy,
but I need SSL of course.

I've been poring through the list archives all day and come to the
following hypotheses:

- Lots of people have these types of problems, though the specific module
  involved may change (perl, php, jrun, jserv, etc.)

- It may be a Solaris-specific problem (shared library loader), but other
  OSs have similar issues, so it's hard to say conclusively

- No version of Solaris (2.6, 7, 8) appears to be immune

- There aren't a lot of solutions, so I assume everyone is still
  struggling with this to this day :-(

Are any of these incorrect?

Incidentally, I'm configuring mod_ssl like this:

./configure \
--with-apache=/usr/local/apache_1.3.14 \
--with-crt=/usr/local/ssl/certs/server.crt \
--with-key=/usr/local/ssl/certs/server.key

and building apache like this:

setenv SSL_BASE /usr/local/src/openssl-0.9.6
setenv RSA_BASE /usr/local/src/rsaref-2.0/local
setenv EAPI_MM /usr/local/src/mm-1.1.3
setenv OPTIM "-g -ggdb3"
setenv LD_RUN_PATH /usr/local/lib
./configure \
  --prefix=/usr/local/apache_1.3.14 \
  --enable-module=ssl --enable-shared=ssl \
  --enable-module=status \
  --enable-module=info

Finally, here's my stack trace:

GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "sparc-sun-solaris2.6"...
(gdb) set args -X -DSSL
(gdb) run
Starting program: /usr/local/apache_1.3.14/bin/./httpd -X -DSSL

Program received signal SIGSEGV, Segmentation fault.
0xef5a423c in strcmp () from /usr/lib/libc.so.1
(gdb) bt
#0  0xef5a423c in strcmp () from /usr/lib/libc.so.1
#1  0xef35d328 in getPropertyValue (props=0x171618,
name=0xefffee00 "/jobpost.use-webserver-root")
at ../connector/jrun_property.c:199
#2  0xef35b80c in loadMappings (pxy=0x1397e0, r=0xe648,
props=0x171618)
at ../connector/jrun_proxy.c:1153
#3  0xef35c1a0 in initInetProxy (pxy=0x1397e0, r=0xe648,
jvmname=0x11fd90 "default",
localProps=0xe160
"/var/local/www/jrun3.01/servers/default/local.properties",
global=0x169688) at ../connector/jrun_proxy.c:1284
#4  0xef35c4ec in addJvms (pxy=0x131f68, r=0xe648,
jrunroot=0x131ff0 "/var/local/www/jrun3.01/bin/..",
jvmlist=0x132020 "default") at ../connector/jrun_proxy.c:1344
#5  0xef35c898 in initProxy (pxy=0x131f68, r=0xe648,
jrunroot=0x131ff0 "/var/local/www/jrun3.01/bin/..",
jvms=0x132020 "default") at ../connector/jrun_proxy.c:1397
#6  0xef355e4c in jrun_child_init (s=0x12d388, p=0x15a348) at
mod_jrun.c:52
#7  0x4a818 in ap_child_init_modules (p=0x15a348, s=0xd81e0)
at http_config.c:1678
#8  0x57840 in child_main (child_num_arg=0) at http_main.c:3972
#9  0x58290 in make_child (s=0xd81e0, slot=0, now=974244739)
at http_main.c:4411
#10 0x584ac in startup_children (number_to_start=2) at http_main.c:4493
#11 0x58e98 in standalone_main (argc=3, argv=0xebd4) at
http_main.c:4781
#12 0x59aac in main (argc=3, argv=0xebd4) at http_main.c:5123

Does anyone have any ideas or insights into further debugging I can do?
Is my only hope to static-build everything?

- Dave Caplinger, IT Manager, Orent Graphi

Re: Why pay a CA?

2000-12-06 Thread Dave Paris

If an eight-year-old were to look at the whole thing and write your
reply, then yes .. what you've written would probably be accurate - just
missing other fun phrases like "dooty-head", "cooties", etc.  

D&B aren't a bunch of rank amateurs when it comes to checking the
legitimacy of a business.  As for "who decided that X was really
trustable", it was people who are 

a) most likely on the net wayyy before you. (pre-web)
b) probably more knowledgeable than you (have you tried out-marketing MS
recently?[1]),
c) definitely uninterested in asking you, 
d) backed with more corporate $$$ than you, more-than-likely 
and 
e) well, you're stuck with it. they're doing a passable job and you
can't change it anyway. (despite all the whining I've heard about
verisign, I've yet to experience even one delay in getting a cert using
their online toolset - however I won't discount these other stories, so
verisign gets nothing above "passable")

You can either dance with an elephant or get run over by him.  Your
choice, choose wisely.

Yes, I hate it that VeriSign bought Thawte.  It sucks.  It ruins
competition.  I've dealt with both and I preferred Thawte, despite their
*massive* client cert expiration fustercluck with IE two years ago. Oh
well, the bus is leaving the station and I still have to get on to
another town.  If you're walking, I'll see you there after awhile.

regards,
--dsp

NOTES
[1] I don't purchase their software, I don't like their tactics, and
I'll subvert them any chance I get, but you'll *never*, *ever* see
anyone with two brain cells try to out-market them, including me. 
They've got metric f**ktons of $$$ and have an utter mastery of
marketing tactics.  You go around something like that, not head-to-head.


Michael wrote:
> 
> So the main protection is that company x charges a fee large enough to
> company y in order to prove company y is a real company and not high school
> students trying to rip off users. of course there is no proof that being
> able to afford a certificate really makes you any more qualified than small
> business z and who decided company x was really trustable. all company x
> has proven is that they grasp the concept of this security model well
> enough to pretty much blackmail company x, company z, etc into paying
> out the arse for their 30 seconds of work.
> 
> Maybe it's a bit cynical but is that the gist of how it works?
> 
> *^*^*^*
> Have the courage to take your own thoughts seriously, for they will shape
> you. -- Albert Einstein
> 
> On Wed, 6 Dec 2000, Dave Paris wrote:
> 
> > While I can appreciate the "why do we have to pay these mooks?!"
> > attitude, the reasoning is rather more straightforward.
> >
> > It seems those making the silly** (imho) arguments have forgotten the
> > entire reason for a "trusted third party" (in this case, the CA).  User
> > U heads over to site S and wishes to conduct a transaction, except U has
> > never dealt with S, nor does U have the time to do background checks on
> > S to significantly reduce the risk that S may actually be a fraudulent
> > front end for a questionable organization.  Note that I'm not saying
> > this completely mitigates the risk, as it certainly does not.  However
> > it does go quite some ways to reducing the risk.
> >
> > This same notion is at the heart of many types of cryptographic
> > protocols and key escrow (ick) systems.
> >
> > I do completely agree that much over $50 for a certificate is a bit
> > bonkers (please, someone tell me that 90% of the process isn't
> > completely automated .. I really need to laugh).  However, until a
> > majority of cert purchasers really understand *how* and *what* trusted
> > third parties work, the current price is liable to be with us.
[...]



Re: Why pay a CA?

2000-12-06 Thread Dave Paris

While I can appreciate the "why do we have to pay these mooks?!"
attitude, the reasoning is rather more straightforward.

It seems those making the silly** (imho) arguments have forgotten the
entire reason for a "trusted third party" (in this case, the CA).  User
U heads over to site S and wishes to conduct a transaction, except U has
never dealt with S, nor does U have the time to do background checks on
S to significantly reduce the risk that S may actually be a fraudulent
front end for a questionable organization.  Note that I'm not saying
this completely mitigates the risk, as it certainly does not.  However
it does go quite some ways to reducing the risk.

This same notion is at the heart of many types of cryptographic
protocols and key escrow (ick) systems.

I do completely agree that much over $50 for a certificate is a bit
bonkers (please, someone tell me that 90% of the process isn't
completely automated .. I really need to laugh).  However, until a
majority of cert purchasers really understand *how* and *what* trusted
third parties work, the current price is liable to be with us.

regards,
--dsp

Notes:
** James "I'm not a cynic" Moore's line:
"A cynic might argue that CAs represent the sleaziest sort of
pandering;  that it is designed to exploit the ignorance of the average
consumer..."

[ok, so what do you think would happen to a large, publicly traded
company if they failed to maintain their position as a trusted third
party?  Can you say "class action lawsuits for very big $$$"? (along
with a few other minor ditties)]

** Lanny "we'll show 'em!" Baron's eloquent rambling:
"Well the one reason we don't use a CA that m$ wants or netscape wants,
is to show potential purchasers of our systems that the system is quite
capable of running https as well as Apache for web hosting or for
Intranet and Extranet."

[great business plan, way to win the confidence of a potential client. 
"please give us your money *and* we'll shove our viewpoint down your
throat."  sign me right up, I'll take two to go.]

..and..
"The problem remains that, people unfamiliar with Unix or CA's or
Mod-SSL would most likely be scared to input their credit cards or other
personal/financial data."

[whatever you're smoking, please share so the rest of us enjoy as well. 
That sentence registers in negative integers on the makes_senseometer. 
How many Amazon.com users care if that site runs off Unix or a banana
running Apache, IIS, or a tricycle for a HTTPd?  They don't care, they
shouldn't need to care, and they have no problems parting with $$$ (now,
as for Amazon turning a profit .. well, that's not the user's problem
:)]


> On 6 Dec 2000, Owen Boyle wrote:
> 
> > Michael wrote:
> > > Is there any reason to pay for Verisigned keys or does setting up our
> > > companies own CA work equally well?
> >
> > Technically, a self-signed certificate will work perfectly well.
> > However, the browser will "inform" the user that it doesn't recognise
> > the authority that signed this certificate. If you use Verisign etc..
> > the browser will already recognise them as a Certificate Authority and
> > accept the certificate without a squeak.
> >
> > It depends what you want to use SSL for. If you want strangers to send
> > you their private details, you'd be better off with a commercial
> > certificate since they won't be frightened by the "warnings". However,
> > if you are using SSL for a specific closed group of users, then use your
> > own certificate and inform them about it...



IP-based virtualhost problem ** Ha, I know NBVH is impossible!!!******

2000-11-07 Thread Dave

Dear all,

Although I am new to mod_ssl and apache, I've been digging through the old
messages for a few days to get my problem solved.  Finally, I can't
help but post this annoying message to seek help from all of you. 

I can't make my IP-based virtual host work; the browser keeps
complaining I don't have permission to view the page.  Since I don't
know which one went wrong, and I suppose the problem can be found in
the httpd.conf file, I put it here to see if someone can help.

Dave


## httpd.conf -- Apache HTTP server configuration file
##

#
# Based upon the NCSA server configuration files originally by Rob McCool.
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <http://www.apache.org/docs/> for detailed information about
# the directives.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#
# After this file is processed, the server will look for and process
# /usr/local/conf/srm.conf and then /usr/local/conf/access.conf
# unless you have overridden these with ResourceConfig and/or
# AccessConfig directives here.

#
# The configuration directives are grouped into three basic sections:
#  1. Directives that control the operation of the Apache server process as a
#     whole (the 'global environment').
#  2. Directives that define the parameters of the 'main' or 'default' server,
#     which responds to requests that aren't handled by a virtual host.
#     These directives also provide default values for the settings
#     of all virtual hosts.
#  3. Settings for virtual hosts, which allow Web requests to be sent to
#     different IP addresses or hostnames and have them handled by the
#     same Apache server process.
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
# with ServerRoot set to "/usr/local/apache" will be interpreted by the
# server as "/usr/local/apache/logs/foo.log".
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.
#

#
# ServerType is either inetd, or standalone.  Inetd mode is only supported on
# Unix platforms.
#
ServerType standalone

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# NOTE!  If you intend to place this on an NFS (or otherwise network)
# mounted filesystem then please read the LockFile documentation
# (available at <http://www.apache.org/docs/mod/core.html#lockfile>);
# you will save yourself a lot of trouble.
#
# Do NOT add a slash at the end of the directory path.
#
ServerRoot "/usr/local"

#
# The LockFile directive sets the path to the lockfile used when Apache
# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
# its default value. The main reason for changing it is if the logs
# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
# DISK. The PID of the main server process is automatically appended to
# the filename. 
#
#LockFile /usr/local/logs/httpd.lock

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
PidFile /usr/local/logs/httpd.pid

#
# ScoreBoardFile: File used to store internal server process information.
# Not all architectures require this.  But if yours does (you'll know because
# this file will be  created when you run Apache) then you *must* ensure that
# no two invocations of Apache share the same scoreboard file.
#
ScoreBoardFile /usr/local/logs/httpd.scoreboard

#
# In the standard configuration, the server will process httpd.conf (this 
# file, specified by the -f command line option), srm.conf, and access.conf 
# in that order.  The latter two files are now distributed empty, as it is 
# recommended that all directives be kept in a single file for simplicity.  
# The commented-out values below are the built-in defaults.  You can have the 
# server ignore these files altogether by using "/dev/null" (for Unix) or
# "nul" (for Win32) for the arguments to the directives.
#
#ResourceConfig conf/srm.conf
#AccessConfig conf/access.conf

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per c

Re: Permanent re-direct

2000-10-31 Thread Dave Paris

Before blindly screaming "It's broken!", think about *why* you need
suexec first.  If you aren't going to use it, then don't bother enabling
it.  I run configurations with a heavily modified (for values, not for
additional defines or typedefs) apache_[ver]/src/include/httpd.h.  These
typically have SUEXEC_BIN linked to /dev/null as well as SHELL_PATH. 
The reasoning is pretty obvious;  if I'm not going to use it, why should
I leave even a remotely possible attack point in the server if I lose my
mind and do Something Stupid [tm]?

Apache allows for large amounts of tweaking.  There are some things
which are prudent to disable if you're not going to use them.  (where
"disable" means: "no, you *can't* change this behaviour without
rebuilding the executable").  The bulk of the folks out there will *not*
get suexec calls right, which, more often than not, will put a nice, big
security hole in the box.  I don't point SHELL_PATH to anything but
/dev/null since I don't use anything but mod_perl environments.  YMMV.

Be alert, the world needs more lerts.
--dsp


"Robert L. Yelvington" wrote:
> 
> regarding 'suexec'..
> 
> you must have misconfigured suEXEC when you compiled...where is your
> suexec log file .AND. what does it say .OR. what other useful suexec log
> information can you forward to the list?
> 
> your configure flags would also be helpful...
> 
> thanx,
> rob
> 
> John Markunas wrote:
> >
> > Hi
> > I do a httpd -l and get
> > compiled in modules
> > http_core.c
> > mod_so.c
> > suexec: disabled;invalid wrapper /usr/sbin/suexec
> >
> >  Can someone tell me why I get the suexec error and what to do to
> >  fix it ?*



module mod_define.c: not found in module list

2000-07-11 Thread Dave Reichard

The following error messages are showing up in my apache error_logs.
Does anyone have an idea on what may be causing this, and if so how do I
fix the problem?

[Mon Jul 10 18:00:01 2000] [notice] SIGHUP received.  Attempting to restart
[Mon Jul 10 18:00:01 2000] [error] Cannot remove module mod_define.c: not found in module list
[Mon Jul 10 18:00:02 2000] [info] mod_unique_id: using ip addr *.*.*.*
[Mon Jul 10 18:00:03 2000] [notice] Apache/1.3.12 (Unix) mod_ssl/2.6.1 OpenSSL/0.9.5 PHP/3.0.15 configured -- resuming normal operations
[Mon Jul 10 18:00:03 2000] [info] Server built: Mar 27 2000 12:34:59
[Tue Jul 11 06:00:02 2000] [notice] SIGHUP received.  Attempting to restart
[Tue Jul 11 06:00:02 2000] [error] Cannot remove module mod_define.c: not found in module list
[Tue Jul 11 06:00:03 2000] [info] mod_unique_id: using ip addr *.*.*.*
[Tue Jul 11 06:00:04 2000] [notice] Apache/1.3.12 (Unix) mod_ssl/2.6.1 OpenSSL/0.9.5 PHP/3.0.15 configured -- resuming normal operations
[Tue Jul 11 06:00:04 2000] [info] Server built: Mar 27 2000 12:34:59







if you can solve

2000-06-29 Thread niraj . dave

dear author

i am using apache_1.3.12 +mod_ssl-2.6.4-1.3.12 +open_ssl-.0.9.5a

and using serverid of verisign free trial version

and it has been successfully installed 

also having verisign test CA certificate for the browser and is installed and

showing in the security-->certificates-->signers

now i make the apachectl startssl and apache starts

and from browser i ran ssl environment variable

it is showing ssl_server certificate and all related data  but

in SSL_CLIENT_I_DN or any other client related variable is showing nothing

also it displays as
 SSL_VERIFY_CLIENT=NONE  



this indicates that i do not have client certificate installed on mine machine

if you can help me of how to install or to have client certificate configure in growser

OR

how can i make viewing of SSL_CLIENT environment variable running on perl script



niraj




Re: apache and mod_ssl

2000-06-03 Thread Dave

After I sent the message, I turned on the computer (even though I did this
before) and for some odd reason, it worked.  Thanks for the help!






apache and mod_ssl

2000-06-02 Thread Dave


I have been trying for the past couple of days to get apache and
ssl (http://www.modssl.org and http://www.apache-ssl.org) to work. I have
tried them both. Netscape hangs when I try to connect to
https://localhost but works without security at http://localhost:443.
Apache alone without ssl works great. I used the default httpd.conf file
that came with ssl, changing only path names, and have made all the
certificates and keys.
Any sites or help would be greatly appreciated. I would prefer to use
mod_ssl but if someone can get the other working with it, great.
Files provided on request or message posted.
THANKS
[EMAIL PROTECTED]




Re: Problem with creating a self sign also

2000-05-03 Thread Dave Kimberley


Use the following:

make certificate TYPE=custom

You will then be asked to enter CA details and your details, make sure they 
differ.


Dave




mod_ssl and explorer problems.

2000-04-07 Thread Dave Woods

This is one of the weirdest problems I have yet encountered. If anyone has
any ideas what it might be please e-mail me.

I am running apache 1.3.12 and mod_ssl 2.6.2 and OpenSSL 0.9.4.
Anyway, the site that I have set up is having some strange issues with
Internet Explorer.
When a person clicks an item from the shopping cart it brings up the order
form just fine in Netscape, but in Explorer occasionally when you click an
item it says: "The page you are viewing contains both secure and non-secure
items, do you wish to display the non-secure items". When you click yes it
says the page cannot be displayed. Yet this problem only occurs once in a
while and it's not specific items (i.e. if you click one item and it
does not work and then you click back and click the item again, it works
fine). I have no idea what is causing this, so if you have any ideas please
feel free to contact me.

Sincerely,
Dave



mkcert.sh:Error: Failed to encrypt RSA private key

2000-03-09 Thread Dave Kimberley

Just trying to upgrade from:

apache_1.3.9
mod_ssl-2.4.10-1.3.9
openssl-0.9.4

to:

apache_1.3.12
mod_ssl-2.6.2-1.3.12
openssl-0.9.5

on Solaris 7.

Everything builds OK but I get an error when trying:

make certificate TYPE=custom

...

Verifying password - Enter PEM pass phrase:
unable to write key
15808:error:24064064:random number generator:SSLEAY_RAND_BYTES:prng not seeded:md_rand.c:470:
mkcert.sh:Error: Failed to encrypt RSA private key
*** Error code 1
make: Fatal error: Command failed for target `certificate'
Current working directory /home/dave/WebServer/apache_1.3.12/src
*** Error code 1
make: Fatal error: Command failed for target `certificate'

On checking the openssl site it says the application using openssl is not 
seeding the random number generator correctly. What do I do?



Dave Kimberley
System Administrator
Marconi Pensions Office




RE: Downloading files under SSL (using MSIE)

1999-12-24 Thread Dave Fowlie

> > Ok... I'm not entirely sure why, but by making the link open a new window
> > (hence using the target="_blank" tag addition) it is now working.
>
> hmm, that doesn't work for me...
>
> > After reading some more faqs... it seems that MSIE does not treat HTTPS as a
> > valid protocol for downloading files... hence you need to get straight to the
>
> Could you give me some pointers about MSIE not treating HTTPS for
> downloading files right?
...
> Dirk

As I said with the _blank method... I haven't figured out why so I'm not sure
what exactly makes it work.

All I know about MSIE and protocols is that they explicitly list:
NOTE: Valid protocols include: http://, news://, gopher://, telnet://, ftp://,
and mailto://.
under their list of valid protocols.

Now generally people might assume that HTTPS:// should be included as it is a
derivative of the http:// protocol, but I'm guessing that Microsoft have
implemented some kind of correctness checking on every URL that it gets passed,
and when it initiates a download it runs this check and rejects the URL.

Of course 90% of this is pure conjecture, but you can read
http://support.microsoft.com/support/serviceware/windows/win98/76GDPJJDM.ASP and
make your own conclusions.

I guess it's also possible that the server software and more recent releases of
MSIE change how it works.



RE: Downloading files under SSL (using MSIE)

1999-12-20 Thread Dave Fowlie

Ok... I'm not entirely sure why, but by making the link open a new window (hence
using the target="_blank" tag addition) it is now working.

After reading some more faqs... it seems that MSIE does not treat HTTPS as a
valid protocol for downloading files... hence you need to get straight to the
download window, bypassing whatever sort of check it makes.
This means that the "Save Target as" or, for some reason, the _blank method seem
to be needed until Microsoft get their act together.

-Original Message-
From: Dirk Lutzebaeck [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 17, 1999 10:29 PM
To: [EMAIL PROTECTED]
Cc: Dave Fowlie
Subject: Re: Downloading files under SSL (using MSIE)


Dave Fowlie writes:
 > With messages containing attachments there seems to be a problem retrieving the
 > attached file.
 > This problem only occurs in MSIE however, the file download works fine through
 > Netscape browsers.
 >
 > I have experimented with having files available to download placed statically on
 > my SSL site and found that I get the same error, which is
 > "
 > Internet Explorer cannot download  from secure.attica.net.nz
 > Internet Explorer was not able to open this Internet site.  The requested site
 > is either unavailable or cannot be found. Please try again later.
 > "

Hi, I have the same problem here. I think it has something to do with
the certificate which MSIE claims to be invalid because it is a test
certificate. It looks like MSIE does not save files from Apache::File
when the certificate is not known to MSIE. I cannot prove this because
we are still waiting for our real certificate from Verisign. Netscape
works however. Interesting to know is that files retrieved via
Apache::File that are handled as plugins by MSIE work. You may test
this for yourself.

I would be interested if you find any solution.

Dirk



Downloading files under SSL

1999-12-16 Thread Dave Fowlie

I have recently been working on a WWW-MAIL interface which I have set up to run
through an SSL site.

With messages containing attachments there seems to be a problem retrieving the
attached file.
This problem only occurs in MSIE however, the file download works fine through
Netscape browsers.

I have experimented with having files available to download placed statically on
my SSL site and found that I get the same error, which is
"
Internet Explorer cannot download  from secure.attica.net.nz
Internet Explorer was not able to open this Internet site.  The requested site
is either unavailable or cannot be found. Please try again later.
"
This is using Apache-1.3.9 mod_ssl-2.4.8 and open_ssl-0.9.4, viewing/downloading
under MSIE 5.5b (but MSIE 5.0 doesn't work either).

Now I'm not sure where the problem lies...whether it's something that needs
fixing with MSIE, mod_ssl/open_ssl or Apache so I'm covering my bases by sending
notes to all the support mailing lists I can.

Any information would be appreciated.

---
Dave Fowlie
Webmaster: Attica Communications
DDI: (09) 377-3771
Fax: (09) 373-5723
Cell: 021-406040
Email: [EMAIL PROTECTED]
---



Re: VIRTUAL HOST QUESTION

1999-12-05 Thread dave



[EMAIL PROTECTED] wrote:

> [EMAIL PROTECTED] wrote:
>
> > Presently, I have one IP address assigned through which I operate
> > name-based/non-IP based virtual hosts.  I realize I can't have ssl
> > with not IP based virtual hosts.  However, if another IP address is
> > assigned, can I have the SSL host assigned to one IP and my non-
> > IP virtual hosts assigned to the other IP and have it all configured in
> > the same httpd.conf configuration file?
>
> Yes.  Assuming your config file would have a structure similar to this...
>
> 
> ServerName www.foo.com
> DocumentRoot /path/to/foo
> [SSL directives]
> 
>
> NameVirtualHost: ipaddress:80
> 
> ServerName www.foobar1.com
> DocumentRoot /path/to/foobar1
> 

>
> 

>
> 
>

Oops. The line above should not be there.  After I began typing up a generic
virtual server configuration, I changed some things to make it simpler and
forgot to delete a line.  To my knowledge the above is not even a valid
apache directive, and if it were, it certainly wouldn't belong there.  Sorry
-- it was really late...:)

Dave


> ServerName www.foobar2.com
> DocumentRoot /path/to/foobar2
> 
>
> > If so, can someone give an
> > example of what entries I would need to make in the httpd.conf file?
> > Thanks for any help.
> >
>
> Don't forget the  containers.
>
> Dave



Re: Loss of security warning message.

1999-12-05 Thread dave



[EMAIL PROTECTED] wrote:

> Just when I thought I had SSL working, I setup a form to be
> processed through the cgi-bin.  I added these lines to the SSL
> Virtual host:
>
> AddType application/x-httpd-cgi .cgi
> ScriptAlias /cgi-bin/ /var/lib/httpd/share/apache/htdocs/cgi-bin/
>
> When activating the send button on the form, however, this exciting
> message appears:
>
> "Warning! You have requested an insecure document that was
> originally designated a secure document (the location has been
> redirected from a secure to an insecure document). The document
> and any information you send back could be observed by a third
> party while in transit."
>
> Eeek,  what is the error of my way here?
>

Double check your form tag and make sure that if you are posting to an
absolute URL it begins with https.  Or, if you are using a relative
URL, check your page; does it contain a "BASE HREF" tag?  In all
cases make sure you are posting to an absolute URL beginning with https,
not http.  Although relative URLs should not pose any problem, setting it
absolute should at least narrow down your problem.


Dave


>
> Bill Webb
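A check for the situation described in the reply above, added here as an example (not code from the thread): it resolves every form action on a page the way a browser would, honouring a BASE HREF, and reports the ones that submit over plain http. The page URL and the sample HTML are constructed.

```python
"""Find forms on an https page whose submit target resolves to plain http,
the situation behind the browser warning quoted in the thread.

Added example, not code from the posts. The page URL and the sample page
are constructed. The rules applied are the ones the reply gives: an absolute
action must begin with https, and a BASE HREF changes what a relative action
resolves to.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

PAGE_URL = "https://www.example.org/order/form.html"   # constructed

# Constructed sample: a BASE HREF pointing at the http site, one relative
# action (silently resolved against that base), one absolute http action
# and one correct https action.
SAMPLE_PAGE = """<html><head>
<base href="http://www.example.org/">
</head><body>
<form action="/cgi-bin/send.cgi" method="post"> ... </form>
<form action="http://www.example.org/cgi-bin/legacy.cgi" method="post"> ... </form>
<form action="https://www.example.org/cgi-bin/ok.cgi" method="post"> ... </form>
</body></html>"""


class FormActionScanner(HTMLParser):
    """Collect every form action with the absolute URL it resolves to."""

    def __init__(self, page_url: str):
        super().__init__()
        self.base = page_url            # a BASE HREF overrides this when seen
        self.forms: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "base" and a.get("href"):
            # A relative BASE HREF is itself resolved against the page URL.
            self.base = urljoin(self.base, a["href"])
        elif tag == "form":
            raw = a.get("action", "")   # an empty action submits to the base
            self.forms.append((raw, urljoin(self.base, raw)))


def insecure_form_targets(page_url: str, html: str) -> List[Tuple[str, str]]:
    """Return (action as written, resolved URL) for forms not posting to https."""
    scanner = FormActionScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return [(raw, resolved) for raw, resolved in scanner.forms
            if urlsplit(resolved).scheme.lower() != "https"]


if __name__ == "__main__":
    for raw, resolved in insecure_form_targets(PAGE_URL, SAMPLE_PAGE):
        print(f"form action {raw!r} submits to {resolved}")
```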



Re: VIRTUAL HOST QUESTION

1999-12-05 Thread dave



[EMAIL PROTECTED] wrote:

> Presently, I have one IP address assigned through which I operate
> name-based/non-IP based virtual hosts.  I realize I can't have ssl
> with not IP based virtual hosts.  However, if another IP address is
> assigned, can I have the SSL host assigned to one IP and my non-
> IP virtual hosts assigned to the other IP and have it all configured in
> the same httpd.conf configuration file?

Yes.  Assuming your config file would have a structure similar to this
(ssl_ipaddress and ipaddress stand for the two addresses):

<VirtualHost ssl_ipaddress:443>
ServerName www.foo.com
DocumentRoot /path/to/foo
[SSL directives]
</VirtualHost>

NameVirtualHost ipaddress:80

<VirtualHost ipaddress:80>
ServerName www.foobar1.com
DocumentRoot /path/to/foobar1
</VirtualHost>

<VirtualHost ipaddress:80>
ServerName www.foobar2.com
DocumentRoot /path/to/foobar2
</VirtualHost>

> If so, can someone give an
> example of what entries I would need to make in the httpd.conf file?
> Thanks for any help.
>

Don't forget the  containers.

Dave



Re: Lurking SSL requests

1999-11-30 Thread Dave Armstrong

Martin Lichtin wrote:

> > However, we are experiencing severe problems with lurking https
> > requests. Many clients say that they see infinitely long "waiting for reply"
> > on their browsers. We've also seen https sockets in FIN_WAIT2 state on the
> > server side.
>
> Looks like there are problems having Keep-Alive turned on. After turning
> it off for _all_ browser types (not just MSIE), things work smoothly now.

What version of MOD_SSL are you using?

Mr. Engelschall, would you advise turning keep-alives off regardless of the
version, just to be on the "safe" side?

Since by far the vast majority of my server requests are on port 80 -- and I have
6 domains but only one secured, I run two separate apache daemons, one listening
on 80, the other on 443.




Re: Strange delays

1999-11-12 Thread dave madden

 =>From: Oscar Abrahamsson <[EMAIL PROTECTED]>
 =>...
 =>I have a problem with my apache/mod_ssl-webserver:
 =>- sometimes when accessing a page I get a response time of a few minutes. The 
 =>moment before and after everything is normal.

Check the "SSLRandomSeed" entries in your configuration file.
Apparently, it's a common problem that the random source used by the
SSL libraries for key material tends to run dry, so connections hang
until more entropy is generated somehow so that key generation can
continue.  I don't know what happens on Solaris, but on Linux, if you
use "/dev/random" instead of "/dev/urandom," you're likely to see
this.

d.



Re: Generating Entropy [was OT: Long connect times...]

1999-11-12 Thread dave madden

 =>From: Steve Freitas <[EMAIL PROTECTED]>
 =>...
 =>is there a way to generate entropy to prevent random 
 =>from blocking?

Depends on how badly you want it.  SGI has a neat solution
(http://lavarand.sgi.com).  They use Lava Lite(r) lamps and a video
digitizer to generate gobs of entropy.  On a more human scale, you can
probably use a video camera looking at just about anything, as long as it
moves a little.  (How about FishRand?)

I've also seen occasional discussions about using a sound card to
digitize noise, but I can't remember whether the Hard Crypto guys
think that's a good idea or not.  I suspect there's not *that* much
entropy in what you get from a sound card.

I don't know how hard it'd be to feed that entropy into /dev/random,
though.  For web server use (bringing this back on-topic) you probably
want to use /dev/urandom, because otherwise local users can do a
denial-of-service by saying: "dd if=/dev/random of=/dev/null &"

d.



Re: Long connect times...

1999-11-11 Thread dave madden

 =>From: "Ralf S. Engelschall" <[EMAIL PROTECTED]>
 =>...
 =>Yes, and details about this situation and problem are in the mod_ssl
 =>documentation since a long time - directly under the entry for
 => SSLRandomSeed. 
 =>But people often like it more to waste time instead of reading documentation
 =>first... ;) I've now also added an FAQ entry about this topic to increase the
 =>chance people find the answer. Thanks for your hint.

FAQ is good; perhaps also a mention in the comments of the default
config file.  (That's how I got in trouble: I was just going through
the file and tweaking stuff.)

Regards,
d.



Long connect times...

1999-11-10 Thread dave madden

I'm clearly a stupid fsck, but perhaps this tip will help other stupid
fscks out there running Apache and modssl on Linux.

I was having trouble with long (really long, sometimes) connect times
on SSL connections.  Sometimes things would go through immediately, or
within a second or two, but often it would be 20 seconds before data
started coming back.  Well, I'd configured SSL to use the high-quality
random data from /dev/random (Linux gurus can stop reading here --
I've just told you what I did wrong) but that device won't give you
any more data than it has collected entropy.  That is, /dev/random
maintains a pool of randomness that is fed by external, presumably
unpredictable, events.  When the pool runs dry, you have to wait for
some random stuff to happen before you'll get the data you tried to
read.

So Apache was reading from this limited resource, and sometimes (if I
was moving the mouse, or typing, or had a lot of disk activity
happening) there'd be enough random data to generate a key or whatever
modssl needed, but other times it had to wait until "things"
happened.  Tough to debug if you're thinking it's maybe network
problems or something, but a quick strace will show what's really
happening.

Anyway, the solution is to use /dev/urandom, which never runs dry, as
your source for the SSLRandomSeed lines.

d.
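The configuration problem described in this post and in the "Strange delays" reply above, turned into a check: an added example (not code from the posts or from the mod_ssl project) that lints the SSLRandomSeed directives of an httpd.conf for the blocking /dev/random source and rewrites them to /dev/urandom. The sample configuration is constructed; the directive syntax is mod_ssl's own.

```python
"""Lint the SSLRandomSeed directives of an httpd.conf for seed sources that
can block, and rewrite them to the non-blocking device.

Added example, not code from the posts or from mod_ssl. The sample
configuration is constructed; the directive syntax
(SSLRandomSeed <startup|connect> <source> [bytes]) is mod_ssl's own.
"""
import re
from typing import List, NamedTuple

# Constructed sample: the setup the post describes, with both the startup
# seed and the per-connection seed read from /dev/random.
SAMPLE_CONF = """\
# SSL global context
SSLRandomSeed startup file:/dev/random 512
SSLRandomSeed connect file:/dev/random 512
SSLSessionCache dbm:/usr/local/apache/logs/ssl_scache
"""

DIRECTIVE = re.compile(
    r"^(\s*SSLRandomSeed\s+)(startup|connect)(\s+)(\S+)(.*)$", re.IGNORECASE)


class Finding(NamedTuple):
    line_no: int     # 0 when the finding is about a missing directive
    context: str     # "startup" or "connect"
    source: str
    problem: str


def lint_random_seed(conf_text: str) -> List[Finding]:
    """Report seed sources that block or are weak, for each seeding context."""
    findings = []
    seen = {"startup": False, "connect": False}
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue
        context, source = m.group(2).lower(), m.group(4)
        seen[context] = True
        if source.lower() == "file:/dev/random":
            if context == "connect":
                problem = ("blocking device read before every handshake; "
                           "connections stall until the kernel entropy pool refills")
            else:
                problem = "blocking device read at startup; server start may hang"
            findings.append(Finding(line_no, context, source, problem))
        elif source.lower() == "builtin":
            findings.append(Finding(line_no, context, source,
                "builtin source (time, pid, scoreboard bytes) is documented by "
                "mod_ssl as not a strong source on its own"))
    for context, present in seen.items():
        if not present:
            findings.append(Finding(0, context, "",
                "no SSLRandomSeed directive for this context"))
    return findings


def fix_random_seed(conf_text: str) -> str:
    """Rewrite file:/dev/random seeds to file:/dev/urandom, keeping the
    byte count, spacing and every other line intact."""
    out = []
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if m and m.group(4).lower() == "file:/dev/random":
            line = (m.group(1) + m.group(2) + m.group(3)
                    + "file:/dev/urandom" + m.group(5))
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in lint_random_seed(SAMPLE_CONF):
        print(f"line {f.line_no}: SSLRandomSeed {f.context} {f.source}: {f.problem}")
    print(fix_random_seed(SAMPLE_CONF))
```

On Linux kernels from 5.6 onwards /dev/random no longer blocks once the pool is initialised, so the rewrite matters mainly on the older systems these posts describe.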



Re: [Q] Using mod_ssl for e-commerce in the US

1999-10-13 Thread Dave Neuer

I'm not a lawyer.  That said, I think that the rep's assertion that it is
illegal to use RSAREF in the US for non-commercial purposes is bogus and in
direct contradiction to the actual terms of the RSAREF license.

However, the use you describe counts as 'commercial' under the RSAREF
license (v 2.0) as far as I can tell.  You are selling a service (web
hosting) and using RSA as a part of that service.  It doesn't matter that
you are not charging extra for the SSL functionality.

There are several RSA-licensed, Apache-based SSL servers ranging in price
from inexpensive (RedHat Secure Web Server, $99 last I checked) to
moderately expensive (C2Net's Stronghold, somewhere between $500 and $1000,
IIRC).

I'd suggest using one of those.

Dave Neuer
Software Engineer
Futuristics Labs, Inc.
www.futuristics.net

-Original Message-
From: David C. Snyder <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wednesday, October 13, 1999 8:12 AM
Subject: [Q] Using mod_ssl for e-commerce in the US


>Hello,
>
>I would like to use mod_ssl enabled Apache to host a few small
>e-commerce web sites in the US.  Unfortunately, the instructions for
>building mod_ssl (INSTALL) indicate that it is mandatory for
>US-citizens to link openssl and mod_ssl with RSAref-2.0.
>
>I talked to someone in licensing at RSA, and they indicated that it
>is illegal to use RSAref-2.0, commercially or not, in the US.  They
>said that I would need to license their "Crypto-C" library.
>
>I am hoping that they simply misunderstood my intentions.  I don't
>plan to "sell" any software, nor do I plan to charge extra for the use
>of the SSL enabled Apache that will on my web server.  (My prices for
>hosting SSL enabled domains are the same as for non-SSL domains.)
>
>Given this situation, is it necessary to purchase a license in order
>to legally operate a mod_ssl enabled Apache in the US?
>
>-- David
>




Re: Apache + mod_ssl exits cleanly on startup

1999-08-31 Thread Dave Neuer

The initial apache process usually exits after the first fork call, in the
detach() function.  That's normal.

The child process normally takes over starting all other server processes,
etc.  Is that dying also?  You can put a pause() or sleep() call in the
sources after the first fork call (in the child section) and then attach to
the child with gdb to see what's happening, if it is in fact dying before
writing anything to the logs.

Dave Neuer

-Original Message-
From: Graham Leggett <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Tuesday, August 31, 1999 3:34 PM
Subject: Apache + mod_ssl exits cleanly on startup


>Hi all,
>
>I am having some hassles with Apache v1.3.9 + mod_ssl v2.4.1 under
>Redhat v6.0 (Intel).
>
>When the server is started, the server exits cleanly straight away.
>Nothing is logged, or output to stderr or stdout.
>
>An strace reveals that httpd is making a clean exit just after it's
>initialised. Anyone know what's wrong?
>
>The strace is attached.
>
>Regards,
>Graham
>--
>-
>[EMAIL PROTECTED] "There's a moon
> over Bourbon Street
> tonight...




Re: no connection with https

1999-08-31 Thread Dave Neuer

Error 111 is the value of the libc errno variable that Linux sets for
refused socket connections.

My experience with them generally suggests that the listener at the other
end isn't.  Listening, that is (i.e. no server socket to connect to).

Dave Neuer

-Original Message-
From: Ralf S. Engelschall <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Tuesday, August 31, 1999 3:18 PM
Subject: Re: no connection with https


>On Tue, Aug 31, 1999, Hung Nguyen wrote:
>
>> When I run openssl s_client -connect localhost:443 I get an error,
>> connect: Connection refused
>> connect:errno=111
>>
>> What is the error code number=111? I looked in the documentations but I
>> can not find what it is.
>
>111? Usually there is no such errno code. They are usually values between 1
>and 32 or a little bit higher only.  Seems like a strange platform or a bug
>in OpenSSL. At least you now know that on port 443 Apache seems to not be
>listening. Check your "Listen" and "" sections.  And if all fails, start
>from scratch with a fresh Apache source tree and follow carefully the
>mod_ssl INSTALL document.  It then _WILL_ work, doubt me.
>
>   Ralf S. Engelschall
>   [EMAIL PROTECTED]
>   www.engelschall.com
>




apache version patch for 2.4.0-1.3.9

1999-08-20 Thread Dave Paris

Greets,

the patch below allows mod_ssl to correctly read the apache version
number when the SERVER_BASEVERSION definition in the
$apache/src/include/httpd.h file has been altered to reflect an internal
configuration.

e.g.  "Apache/1.3.9 GestaltBuild/1.4.0 RnDTeam"

...will cause mod_ssl great distress since the stripping regex in
mod_ssl's `configure' doesn't handle anything past the revision number.

In any case, if someone's modified too much of the apache core, all bets
are off... but, in the case of minor performance twiddling the patch
below nicely fixes it.

Regards,
-dsp

### start patch ##
--- configure   Fri Aug 20 15:34:28 1999
+++ configure   Fri Aug 20 15:35:26 1999
@@ -296,7 +296,7 @@
 fi
 APV=`cat $apache/src/include/httpd.h |\
  grep "#define SERVER_BASEVERSION" |\
- sed -e 's/^[^"]*"//' -e 's/".*$//' -e 's/^Apache\///'`
+ sed -e 's/^[^"]*"//' -e 's/".*$//' -e 's/^Apache\///' -e 's/
.*$//'`
 fi
 if [ .$force != .yes ]; then
 if [ ".$V_APACHE" != ".$APV" ]; then
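Review bot: the added `+` line is wrapped across two lines by the mailer, so the last sed expression is split into `-e 's/` and `.*$//'`; as posted the patch will not apply cleanly and the sed script is syntactically incomplete. The description above (strip everything past the revision number) matches a single expression `-e 's/ .*$//'`, deleting from the first space to end of line, so the line needs rejoining before the patch is applied; a SERVER_BASEVERSION with no trailing suffix is left unchanged by it.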
### end patch #



Re: Build problem: sanity check fails and cannot open -lgdbm

1999-08-20 Thread Dave Paris

[EMAIL PROTECTED] wrote:
> 
> > /usr/bin/ld: cannot open -lgdbm: No such file or ...
> [snip]
> >   + SSL interface plugin: Vendor DBM (libndbm)
> [snip]
> 
> > --enable-rule=SSL_SDBM
> 
> it could be as simple as you don't have gdbm in your path, or you don't have
> it installed. www.sleepycat.com has a dbm package that might fix your
> problem.
> 
> From their FAQ:
> 
> Is Berkeley DB 2.X backward compatible with:
> Berkeley DB 1.85?
> Dbm/Ndbm(3)?
> Hsearch(3)?
> 
> The Berkeley DB 2.X library provides backward compatible interfaces for the
> historic UNIX dbm(3), ndbm(3) and hsearch(3) interfaces. See the Berkeley DB
> manual pages for more information.

If you're receiving this error on a Linux (RedHat) system, you can also
head over to 'www.rpmfind.net' and get the gdbm-devel RPM, which
nicely makes this error go away.  :-)

-dsp


