RE: Apache SSL
Kevin, since you are dealing with a Solaris system, you might find www.sunfreeware.com/README.prngd (written by the author of PRNGD) to be what will get you through that particular nightmare. Sure did it for me!

Good luck.

--
George Walsh,
Managing Director,
CruiseRoutes Division,
DSC Directional Services Corp
Courtenay, British Columbia, Canada

__
Your favorite stores, helpful shopping tools and great gift ideas. Experience the convenience of buying online with Shop@Netscape! http://shopnow.netscape.com/

Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
RE: Re: Apache SSL
Absolutely, Kevin. I remember that battle with UnixWare too ...

>Yep, works on one server but not the other... Solaris platform.
>
>Could it be to do with /dev/random not being installed?
>
>  - Original Message -
>  From: Subscribed
>  To: [EMAIL PROTECTED]
>  Sent: Friday, May 03, 2002 5:03 PM
>  Subject: Re: Apache SSL
>
>  Did you make your openssl certificate?
>  Is it referenced in your httpd.conf?
>  Perhaps openssl's library needs to be recompiled?
>  or your ssl module? What version of Apache are you running?
>  Just my shotgun approach. :()
>
>  "The things that come to those that wait may be
>  the things left by those who got there first."
>
>- Original Message -
>From: Kevin Smith
>To: [EMAIL PROTECTED]
>Sent: Friday, May 03, 2002 10:16 AM
>Subject: Apache SSL
>
>Hi All,
>
>Does anyone know how to get round this problem when starting-up Apache SSL :
>
>I have, /usr/local/bin/prngd /var/spool/prngd/pool, running so not sure what's wrong ?
>
>[Fri May 3 15:55:06 2002] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
>[Fri May 3 15:55:06 2002] [error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
>[Fri May 3 15:55:06 2002] [error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib
>
>Many thanks,
>
>Kevin Smith

--
George Walsh,
Managing Director,
CruiseRoutes Division,
DSC Directional Services Corp
Courtenay, British Columbia, Canada
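Kevin's log shows OpenSSL refusing to generate the temporary RSA key because its PRNG was never seeded; a running prngd only helps once mod_ssl is told to read from its socket. The fragment below is an added example, not configuration posted by anyone in this thread: it assumes the socket is the /var/spool/prngd/pool path from Kevin's prngd command line and that the mod_ssl build supports the egd: seed source.

```apache
# Added example, not from the thread. Global server context of httpd.conf.
# Assumption: prngd was started as in Kevin's post,
#   /usr/local/bin/prngd /var/spool/prngd/pool
# so /var/spool/prngd/pool is the EGD-protocol socket it listens on.

# Weak setting, shown commented out for comparison. "builtin" mixes in only
# the current time, the process id and (once it exists) part of the Apache
# scoreboard. At startup that is a few bytes, which is not enough on a host
# with no /dev/random or /dev/urandom for OpenSSL to draw on.
#SSLRandomSeed startup builtin
#SSLRandomSeed connect builtin

<IfModule mod_ssl.c>
    # Seed from prngd at server start, before the temporary RSA keys
    # are generated (the step that fails in the log above).
    SSLRandomSeed startup egd:/var/spool/prngd/pool

    # Reseed for every new SSL connection. This runs in the child
    # processes, so the account named in the User directive must be
    # able to connect to the socket.
    SSLRandomSeed connect egd:/var/spool/prngd/pool
</IfModule>

# On a host that does have a kernel random device, the equivalent is:
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/urandom 512
```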
RE: Re: modssl for Apache 2.0
I stand upbraided for my open software bigotry.

Actually, Chuck, apologies are in order because I was going through a heavy mailing for SuSE users where there has been discussion about Apache 2. with mod_ssl. I (rather carelessly) did not notice the source of your mailing.

My sincere apologies, and the very best of luck with your project.

George

"Chuck Goehring" <[EMAIL PROTECTED]> wrote:

>George,
>
>It wasn't really my decision to go with Windows. There are many Unix-phobics out there. Have peculiar combination of requirements that causes the need for ssl - Not doing e-commerce.
>
>Chuck
>
>- Original Message -
>From: "George Walsh" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Wednesday, April 10, 2002 10:07 PM
>Subject: RE: modssl for Apache 2.0
>
>> Chuck:
>>
>> With Apache 2.0, mod_ssl is a part of the 'whole'. The build is a far simpler process, and the server, at least in my experience, is much crisper in terms of response.
>>
>> As for windows, that is NOT my cup of tea. We are a Micro-soft Free zone here, so I cannot comment on the peculiarities you might experience in your environment. I really do not know why you would want to run a secure server on top of a windows box, but then I admit to a happy ignorance about it, at least :-)
>>
>> George
>>
>> >I see all the activity on the list about Apache 2.0 and modssl. Where can I get the necessary "stuff" for Apache 2.0. I don't see it on the modssl, openssl or Apache web sites. I need to get ssl up on Apache on Windows 2000.
>> >
>> >Chuck
>>
>> --
>> George Walsh,
>> Managing Director,
>> CruiseRoutes Division,
>> DSC Directional Services Corp
>> Courtenay, British Columbia, Canada

--
George Walsh,
Managing Director,
CruiseRoutes Division,
DSC Directional Services Corp
Courtenay, British Columbia, Canada
RE: modssl for Apache 2.0
Chuck:

With Apache 2.0, mod_ssl is a part of the 'whole'. The build is a far simpler process, and the server, at least in my experience, is much crisper in terms of response.

As for windows, that is NOT my cup of tea. We are a Micro-soft Free zone here, so I cannot comment on the peculiarities you might experience in your environment. I really do not know why you would want to run a secure server on top of a windows box, but then I admit to a happy ignorance about it, at least :-)

George

>I see all the activity on the list about Apache 2.0 and modssl. Where can I get the necessary "stuff" for Apache 2.0. I don't see it on the modssl, openssl or Apache web sites. I need to get ssl up on Apache on Windows 2000.
>
>Chuck

--
George Walsh,
Managing Director,
CruiseRoutes Division,
DSC Directional Services Corp
Courtenay, British Columbia, Canada
RE: Re: Apache 2.0 and SSL
Thanks for clarifying this for the group, Cliff. Our 'hangup' was admittedly a little specific, and I am working my way around that right now - if for no other reason than to reduce the updating cycle. (Yeah, I still cannot love distribution rpms! May the Good Lord forgive my intransigence :-)

George

Cliff Woolley <[EMAIL PROTECTED]> wrote:

>On Tue, 9 Apr 2002, George Walsh wrote:
>
>> I, for one, would be more than happy to use Apache 2.0. BUT, I need mod_ssl to function and as I understand it, mod_ssl applications cannot cope with cgi, so I really have no place to start.
>
>Just to clarify for those who might be listening and didn't follow George's earlier posts, Apache 2.0 handles https: requests to CGI's perfectly fine. EXCEPT when you try to configure it to renegotiate on a POST request (which could happen if, say, your cgi-bin directory had per-directory SSL parameters set (eg SSLProtocol or requiring a client certificate)).
>
>[As a bit of historical reference, those of you who've been around for a while will recall that mod_ssl for Apache 1.3 had the same problem (worse, actually... it just gave an I/O error) until version 2.3.10, when the method not allowed response and experimental workaround were put in. It remained available only with --enable-rule=SSL_EXPERIMENTAL up until version 2.5.0.]
>
>--Cliff
>
>--
>   Cliff Woolley
>   [EMAIL PROTECTED]
>   Charlottesville, VA

--
George Walsh,
Managing Director,
CruiseRoutes Division,
DSC Directional Services Corp
Courtenay, British Columbia, Canada
Re: Apache 2.0 and SSL
I, for one, would be more than happy to use Apache 2.0. BUT, I need mod_ssl to function and as I understand it, mod_ssl applications cannot cope with cgi, so I really have no place to start.

Running without the need for https, I have been VERY impressed with Apache 2.0's speed and efficiency, and would love to work with it, but I have to have the basic tools available to go the next step.

George

--
George Walsh,
Managing Director,
CruiseRoutes Division,
DSC Directional Services Corp
Courtenay, British Columbia, Canada
RE: Re: Apache 2.0.* and SSL
Very well said, Geoff. I have 'played' with Apache 2.0 but certainly not with anything having to do with https and ssl. Now, with a heavy launch schedule in front of me, I have all I can do to switch people out of windows and into KDE/GNOME environments.

Respectfully,

George

Geoff Thorpe <[EMAIL PROTECTED]> wrote:

>Hey there,
>
>On Tuesday 09 April 2002 10:18, you wrote:
>> Steve Gonzales wrote:
>> > One list is enough for me. SSL theory doesn't change from 1.3.xx to 2.0.xx; only the configuration and installation changes.
>>
>> There are many other issues, like the "-DEAPI" and 3rd party modules that cause Apache to crash.
>>
>> Anyway, the fact is that all of the discussions regarding 2.0 are done in the new-httpd list, and not here (at least till this thread). So it is clear that something must be done. Maybe a request to new-httpd subscribers to move the SSL discussions to here?
>
>I would respectfully suggest that modssl discussions stay here. I don't want to rag on Apache 2.0, and I'm sure a lot of good things have found their way into it, but it does not solve a number of issues that I think many people in production environments would require to push them into a pro-active decision to migrate. Likewise, it introduces an entirely new base of code with considerably less real-world mileage than the Apache 1.3.** base, so there's a non-trivial motivation to *not* migrate unless absolutely necessary.
>
>Apache 2.0 has clearly also been taking what one might call an, ummm, let's say "value-added" design approach. If your focus is on SSL/TLS, security, and serving up HTML through a robust and secure server, then having something new that tries to multiplex a huge number of different features and services (in the same address-space as one another, moreover!) is a can of worms that many people will consider best left shut. For now at the very least.
>
>So if discussion on the SSL module is in some ways independent (or at least may often be independent) of the apache version, I'd suggest we keep discussion in this one place.
>
>For my own part; in the near future, I will be working again on session caching and other tuning operations on the Apache 1.3.***-based modssl distribution and [will] have neither the time nor inclination to involve myself in the goings-on of Apache 2.0. I won't mind at *all* if someone who does have the time and motivation handles merging anything useful from that to the apache 2.0 code-base - but I won't be reading from, or posting to, anything Apache 2.0-specific.
>
>Cheers,
>Geoff

--
George Walsh,
Managing Director,
CruiseRoutes Division,
DSC Directional Services Corp
Courtenay, British Columbia, Canada
RE: Re: Apache 2.0.* and SSL
Oh please, no, not another one I'm drowning just trying to keep up as it is, but that, as they say, is but one man's opinion. I know - I don't have to join, but then the existing established groups might not be as representative as they would otherwise be.

George

>On Mon, 8 Apr 2002, Eli Marmor wrote:
>
>> I think that we should open a special mailing list for mod_ssl of Apache2.
>
>My personal opinion would be that most modssl users' questions will be of the same nature regardless of version. The kinds of questions we get here:
>
> (1) why can't I use NBVH+SSL?
> (2) how do I get my certificate created and/or to work
> (3) I'm having problems getting IE to connect, what do I do?
> (4) ...
>
>The answers to these questions are all the same regardless of whether you're talking about 1.3 or 2.0, and there will always be those of us on the httpd development team that listen in on modssl-users for potential bugs, so in my mind it makes sense to keep the user group as one.
>
>But that's just me... if you guys disagree, then go right ahead and create a new list.
>
>--Cliff
>
>--
>   Cliff Woolley
>   [EMAIL PROTECTED]
>   Charlottesville, VA

--
George Walsh,
Managing Director,
CruiseRoutes Division,
DSC Directional Services Corp
Courtenay, British Columbia, Canada
RE: RE: Apache 2.0.* and SSL
OpenSSL is a separate issue, really. It is normally found in /usr/local/src. I am using 0.9.6c currently, which I download as a tar.gz to my /usr/local/src file, uncompress it with:

    gzip -dc openssl-0.9.6c.tar.gz | tar xf -
    cd /usr/local/src/openssl-0.9.6c
    ./config shared
    make all test install

... and voila!

Apache 2.0 includes its own mod_ssl as part of the 'new look'. That gives you encryption while openssl gives you certification services.

FWIW I prefer to remove rpm installations for Apache, mod_ssl, mozilla, netscape, opera and sendmail so I can keep painlessly up-to-date. It's not everybody's cup of tea, but I've been doing it this way for years and I like the feeling of being 'in control' of these crucial elements.

Hope that helps ...

George

>What options are needed to "configure," with Apache 2.0, to make sure that mod_ssl is enabled, and that a particular OpenSSL directory is used? I tried guessing at the right options, but a look at the httpd.conf file in the resulting installation suggests that I guessed wrong.
>
>Lynn Gazis

--
George Walsh,
Managing Director,
CruiseRoutes Division,
DSC Directional Services Corp
Courtenay, British Columbia, Canada
RE: Apache 2.0.* and SSL
Hi!

Well said, and the written support from the group is long overdue, as are the well deserved compliments.

I intend to rip out the bundled Apache from my SuSE Pro 7.3 distribution and give the new threaded Apache a go. (I intend to do the same with Netscape, Mozilla and Sendmail while I am at it so I have full control over the key elements of my system beyond Linux itself. SuSE rpms are never up-to-date on these services, even when they are available, so I prefer to do the builds 'the old fashioned way'.

Regards to all,

George

>Hi mod_ssl users,
>
>As most of you probably know, the development efforts of Apache 2 are going to result in a product, soon. The current betas are already stable, mature, fast, portable than ever, strong, and support many features that we have dreamed about for years, like filtering (I mention this feature, and not zillion others, because it is important specifically for SSL).
>
>Yes, it's true that some of us didn't like various things, and that the development process was not optimal and took too much time.
>
>But this effort comes (finally...) to a successful end, and I believe that everybody who uses SSL (including myself...) should do the migration.
>
>Contrary to past versions, this one is a dramatic change in the integration of SSL. No more patches, no more re-compilations with "-DEAPI", no more 3rd party modules which cause Apache to crash because these modules were not compiled using this flag, no more specific versions of mod_ssl per each version of Apache, no more repeating merges of the patches of mod_ssl.
>
>Now, thanks to the filtering feature, mod_ssl is separate, and doesn't depend on modifications in the core of Apache.
>
>Thanks to the White House, mod_ssl is not a national secret that can't be distributed, anymore.
>
>Thanks to the USPTO, mod_ssl doesn't depend on a protected patent anymore (it expired. RSA even gave up 2 weeks).
>
>And thanks to ASF, mod_ssl is a standard part of Apache.
>
>Any Apache that will be distributed in the future, will include SSL support (at least optionally), that can be enabled externally by installing OpenSSL and adding some directives to the httpd.conf.
>
>Ben did a great job by creating apache_ssl.
>Ralf did a great job too, by improving it, and his impressive efforts and skills that were invested in developing and maintaining mod_ssl.
>We all owe a great thanks to Ralf for other Open Source projects that he does, or joins.
>
>Now it's time to make the next step, and migrate to Apache 2.0.
>It still requires some work and testing.
>It can happen if we all join this effort.
>I am not a member of ASF, but I'm convinced that everybody will accept you happily.
>
>--
>Eli Marmor
>[EMAIL PROTECTED]
>CTO, Founder
>Netmask (El-Mar) Internet Technologies Ltd.
>__
>Tel.: +972-9-766-1020 8 Yad-Harutzim St.
>Fax.: +972-9-766-1314 P.O.B. 7004
>Mobile: +972-50-23-7338 Kfar-Saba 44641, Israel

--
George Walsh,
Managing Director,
CruiseRoutes Division,
DSC Directional Services Corp
Courtenay, British Columbia, Canada
RE: Re: Importing Self-signed CA into Netscape Browser
Thanks for taking the trouble to respond to my apparent thick-mindedness, Alex!

I pointed the URL to the actual test file containing the certificate: in this case file:///opt/apache/conf/ssl.crt/ca.crt.

Then, I hit on the security icon and asked to import the certificate. It asks for a password (which I left blank) and then the name of the file - indicating an *.p12 extension. However, it will only find the file without the extension, of course. This suggests to me that some kind of conversion is necessary?

If I ask to look for certificates accepted (in any category!) nothing shows except the commercial CAs.

Can you provide me with a further step up? Maybe I need to go back and recreate the certificates in encrypted form???

Thanks, Alex.

George

Alex Pircher <[EMAIL PROTECTED]> wrote:

>Can you provide the URL of loadcacert.cgi?
>
>If SSL is enabled the mime-type for certificates is ordinarily correctly set in the httpd.conf.
>So actually you don't need loadcacert.cgi, you just have to point your Browser to the URL of the certificate. This worked for me without problems.
>
>GreetingX,
>  Alex
>
>> I prepared the CAs using the "make certificate TYPE=custom" option. Both the server and the CA files look fine to me and are in their proper pews.
>> There were warnings about security depth being 0, but that is to be expected during the creation process.
>>
>> In the mod_ssl documentation the instruction asks that I 'fire up' Communicator and use the Perl script loadcacert.cgi in the pkg.contrib directory to load the CA into the browser.
>>
>> Then I have to 'walk through the dialog boxes'.
>>
>> Well, this is all too simple for me to comprehend. I can execute the script file and it assigns the x509 type, determines the length and prints out the certificate data, but that doesn't get into Communicator, so nothing really happens. How do I tie the script output into Communicator to trigger what should be happening?
>>
>> Or is there a more straightforward way???
>>
>> Thanks,
>>
>> George Walsh,
>> Managing Director
>> Travel Seewise Pacific Corp
>>
>> --
>> George Walsh,
>> Managing Director,
>> Travel Seewise Pacific Corp
>> Vancouver Canada

--
George Walsh,
Managing Director,
Travel Seewise Pacific Corp
Vancouver Canada
Importing Self-signed CA into Netscape Browser
I prepared the CAs using the "make certificate TYPE=custom" option. Both the server and the CA files look fine to me and are in their proper pews. There were warnings about security depth being 0, but that is to be expected during the creation process.

In the mod_ssl documentation the instruction asks that I 'fire up' Communicator and use the Perl script loadcacert.cgi in the pkg.contrib directory to load the CA into the browser.

Then I have to 'walk through the dialog boxes'.

Well, this is all too simple for me to comprehend. I can execute the script file and it assigns the x509 type, determines the length and prints out the certificate data, but that doesn't get into Communicator, so nothing really happens. How do I tie the script output into Communicator to trigger what should be happening?

Or is there a more straightforward way???

Thanks,

George Walsh,
Managing Director
Travel Seewise Pacific Corp

--
George Walsh,
Managing Director,
Travel Seewise Pacific Corp
Vancouver Canada
Missing symbol _llasgremu (Apache 1.3.20/mod_ssl-2.8.4/openssl-0.9.6b
Attempting to do a startup with "/opt/apache/bin/apachectl startssl" results in the following complaint:

    Syntax error on line 238 of /opt/apache/conf/httpd.conf
    Cannot load /opt/apache/libexc/libssl.so into server: dynamic linker: /opt/apache/bin/httpd: relocation error: symbol not found: _llasgremu; referenced from: /opt/apache/libexec/libssl.so
    /opt/apache/bin/apachectl startssl: httpd could not be started

Line 238 of httpd.conf points, of course, to:

    LoadModule ssl_module libexec/libssl.so

libssl.so is in /opt/apache/libexec, where it should be - and that same directory contains all the .so modules one would expect to see. Therefore, I have assumed there was nothing wrong in the dynamic build process, and the problem is one of this missing _llasgremu symbol/element, whatever that might be.

I have not before had a problem in building apache/openssl/mod_ssl. I was simply updating the software base we are using. Not a good idea here?

Platform is UnixWare 7.1.1 (unixware-7-pentium) which has been stable as hell in the past.

Can anyone give me help?

Thanks!

George Walsh,
Managing Director,
DSC Directional Services Corp
Travel Seewise Pacific Corp
Vancouver, Canada

--
George Walsh,
Managing Director,
Travel Seewise Pacific Corp
Vancouver Canada
Re: RE: mod_ssl vs. Stronghold 3
Stronghold is now owned by Red Hat and is most definitely NOT free, as I mentioned in the original posting. But Stronghold does use mod_ssl and it really is Apache anyway. Unless the whole process terrifies you, why would you not prefer the support of this community, which from personal experience I can say has been wonderful!

George

[EMAIL PROTECTED] wrote:
>
> Hmm.. also, is stronghold free? The price of Apache can't be beat.
>

--
George Walsh,
Managing Director,
Travel Seewise Pacific Corp
Vancouver Canada
Re: mod_ssl vs. Stronghold 3
Believe me, it is not a very time consuming job to configure and get Apache/OpenSSL/mod_ssl up and running. If an applications guy like me can do it ... and there are benefits, similar to those accruing from learning to drive a car with a standard transmission versus an automatic. As a bonus you always end up with the latest versions of the components.

Stronghold is just a commercial repackaging - albeit a clean one - but you STILL have to configure. Presently I oversee an older version of Stronghold as well as secure Apache. Neither has faltered.

And ... in tribute to this group, the one problem I did have was related to the lack of a /dev/random device on my o/s. That was promptly diagnosed and a permanent fix provided by the author of prngd for which I remain grateful.

Balance about 2/3 hours of your time against the $1000+ for Stronghold. (In Canada with our Cretin Currency, that's more like $1600 and just not acceptable, so my decision was even easier when the second system required configuring!)

It's your time and your money, I guess, but the alternative is not a scary one.

George

[EMAIL PROTECTED] wrote:
>
> My company is looking at going to Stronghold 3, partly because of the commercial aspect. Is it possible to run mod_ssl for commercial purposes now? Does anybody know if there are major differences in the way Stronghold 3 is set up that would prevent us from using mod_ssl instead? Thanks in advance.
>
> BoB Woodraska
> IB Systems Administrator
> Precision Computer Systems
> (605) 362-1260

--
George Walsh,
Managing Director,
Travel Seewise Pacific Corp
Vancouver Canada
self-signed CA and maintaining a mirror site
Afternoon from sunny Vancouver (today anyway!)

I have a problem with a development configuration. I want internal people to be able to do their thing - which is straightforward enough, except that I can't get Netscape to recognize the mod-ssl installed X509 cert.

At the same time, I want to maintain a full mirror image of the web site (the web site proper is co-located elsewhere) so we can both see what we are doing without reference to the external web site, and also update the web server daily. This would seem to mean I need another certificate to identify the web site mirror.

It also seems to me that it might be easier to install 2 instances of Apache, each handling its own 'client'.

Any suggestions??

Thanks,

George Walsh,
DSC Directional Services Corp
Vancouver Canada

--
George Walsh,
Managing Director,
Travel Seewise Pacific Corp
Vancouver Canada
Reported problem with apache-1.3.19 + openssl-0.9.6a + modssl-2.8.2-1.3.19
On Friday I reported a problem here I had not encountered before, a missing library identified as -lasgremu. I have no idea what it does or why it is required all of a sudden, but I got rid of the problem by clearing out openssl-0.9.6a and reinstalling openssl-0.9.6.

George Walsh,
Managing Director,
DSC Directional Services Corp
Vancouver, Canada

--
George Walsh,
Managing Director,
Travel Seewise Pacific Corp
Vancouver Canada
load problem: apache_1.3.19 + openssl-0.9.6a + mod_ssl-2.8.2
Hi from the West Coast!

For quite some time I have been building this server config without any problems. Today I get

    "Cannot load /opt/apache/libexc/libssl.so into server: dnamic linker: /opt/apache/bin/httpd: relocation error: symbol not found: -llasgremu; referenced from: /opt/apache/libexc/libssl.so
    .
    apache could not be started

Clearly I am doing something incredibly stupid all of a sudden, but I am confused by the fact it says it cannot load libssl.so (which is there!) and which it goes on to reference the missing symbol from within.

I've tried openssl as a make only and as a make + install, but there seems to be no difference.

Anyone give me some quick relief?

Thanks,

George Walsh,
DSC Directional Services Corp
Vancouver, Canada

--
George Walsh,
Managing Director,
Travel Seewise Pacific Corp
Vancouver Canada
Re: Apache with mod_ssl / openssl
FWIW Scott:

I am a UnixWare7.1.1 user. It took me awhile to learn the value of doing so, but I grew weary of SCO not keeping up to date with either Apache or Sendmail, so I have removed their distributions of each and built them from source with very little trouble.

The one problem I did experience was with entropy. UnixWare does not provide a /dev/random function, and so I was continually being stalled by the lack of sufficient entropy to serve SSL calls. If that is a problem in your o/s as well, then prngd will relieve all suffering in that regard with minimum fuss.

Regards,
George Walsh, Managing Director, DSC Directional Service Corp
Travel Seewise Pacific Corp
Vancouver, Canada

[EMAIL PROTECTED] wrote:
>
> Hi-
>
> Does anyone know where I can find the binary for the latest Apache with mod_ssl
> and openssl for SCO 5.0.5?
>
> Scott Trowbridge, VP
> Information Resources
>
> mailto: [EMAIL PROTECTED]
> Web: www.hsmc-ul.com

--
George Walsh, Managing Director, Travel Seewise Pacific Corp
Vancouver Canada
Re: virtual hosts and mod_ssl
In my case, I have the option of IP aliasing, so it would seem I simply have to establish a separate IP on the LAN for each virtual host I require and then specifically set up the virtual host directive for each one in turn with both ports.

That looks deliciously simple. Is that all I need do to meet Owen's workaround solution? If so, I am off and running (and NOT in circles!)

George

[EMAIL PROTECTED] wrote:
>
> Gian Maria Gamboni wrote:
> >
> > Hi All!
> > I'm new to mod_ssl, so the things which I'm going to say may sound
> > ridiculous but I'm not able to solve this:
> > I have just three virtualhosts which should listen on 80 and 443 at the same
> > time, how can I do this ?
> >
> > I've just built the new release 1.3.19 with mod_ssl-2.8.1 on the machine which
> > was previously running 1.3.17 without mod_ssl on a FreeBSD 4.1 i386 platform.
> > At this point I need to run some parts of a site under SSL and others
> > normally as shown below :
> >
> > This configuration works fine on port 80 but not on 443, WHY ?
> >
>
> In a nutshell: You can't do Name-Based Virtual Hosting with SSL.
>
> Check out the following from earlier this week:
>
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
>
> Q: Why is it not possible to use Name-Based Virtual Hosting to identify
> different SSL virtual hosts?
>
> A: Name-Based Virtual Hosting is a very popular method of identifying
> different virtual hosts. It allows you to use the same IP address and
> the same port number for many different sites. When people move on to
> SSL, it seems natural to assume that the same method can be used to have
> lots of different SSL virtual hosts on the same server.
>
> It comes as rather a shock to learn that it is impossible.
>
> The reason is that the SSL protocol is a separate layer which
> encapsulates the HTTP protocol. So the problem is that the SSL session
> is a separate transaction that takes place before the HTTP session even
> starts. Therefore all the server receives is an SSL request on IP
> address X and port Y (usually 443). Since the SSL request does not
> contain any Host: field, the server has no way to decide which SSL
> virtual host to use. Usually, it will just use the first one it finds
> that matches the port and IP address.
>
> You can, of course, use Name-Based Virtual Hosting to identify many
> non-SSL virtual hosts (all on port 80, for example) and then you can
> have no more than 1 SSL virtual host (on port 443). But if you do this,
> you must make sure to put the non-SSL port number on the NameVirtualHost
> directive, e.g.
>
> NameVirtualHost 192.168.1.1:80
>
> Other workaround solutions are:
>
> Use separate IP addresses for different SSL hosts.
> Use different port numbers for different SSL hosts.
>
> Rgds,
>
> Owen Boyle.

--
George Walsh, Managing Director, Travel Seewise Pacific Corp
Vancouver Canada
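The workaround discussed in this message (one aliased IP address per SSL virtual host, each declared for ports 80 and 443), as an added configuration sketch that is not part of the original thread. The second address 192.168.1.2, the host names and the file paths are assumptions for illustration.

```apache
# Added example, not from the thread. 192.168.1.2, the host names and the
# file paths are assumptions; 192.168.1.1 is the address used in the FAQ text.

Listen 80
Listen 443

# Not workable: both hosts share 192.168.1.1:443, and the certificate is
# picked during the SSL handshake, before any Host: header is seen, so the
# first matching host answers for both names.
#
#   NameVirtualHost 192.168.1.1:443
#   <VirtualHost 192.168.1.1:443>   ServerName www.site-one.example ...
#   <VirtualHost 192.168.1.1:443>   ServerName www.site-two.example ...

# Workaround: one aliased IP per SSL host, each declared for both ports.

<VirtualHost 192.168.1.1:80>
    ServerName   www.site-one.example
    DocumentRoot /usr/local/apache/htdocs/site-one
</VirtualHost>

<VirtualHost 192.168.1.1:443>
    ServerName   www.site-one.example
    DocumentRoot /usr/local/apache/htdocs/site-one
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/site-one.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/site-one.key
</VirtualHost>

<VirtualHost 192.168.1.2:80>
    ServerName   www.site-two.example
    DocumentRoot /usr/local/apache/htdocs/site-two
</VirtualHost>

<VirtualHost 192.168.1.2:443>
    ServerName   www.site-two.example
    DocumentRoot /usr/local/apache/htdocs/site-two
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/site-two.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/site-two.key
</VirtualHost>
```

Each certificate's common name should match the ServerName of the host that presents it, otherwise browsers warn on the name mismatch even though the right virtual host answered.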
Re: [Re: [Re: PRNGD compiler options UNIXWARE]]
Hi there, Lutz:

RE Could not bind socket to /var/run/egd-pool: Invalid argument

Hmm, I can only guess, but do you have a /var/run directory into which the socket can be created?

Yes, /var/run directory was established for this purpose, 755 root,sys

If this does not help, please check out the manual page of "bind" and see what it states for EINVAL. On HP-UX it says:
[EINVAL] The socket is already bound to an address, the socket has been shut down, addrlen is a bad value, or an attempt was made to bind() an AF_UNIX socket to an NFS-mounted (remote) name.

In UNIXWARE7, the bind man entry for EINVAL reads: "namelen is not the size of a valid address for the specified address family"

> I took a look at the prngd-seed and it has indeed been written over as
> indicated.

That's good to hear, but only the smaller part of the wanted functionality :-)

But isn't the size of the file controlled by the prngd program itself as reported by the debugging function? I understood my task was to provide a source from which to reliably build that INITIAL seed?

Would it help if I sent you the bind man page as a whole???

Warmly appreciated,
George

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: [Re: PRNGD compiler options UNIXWARE]
Thank you, Lutz and Parad, for having pity with my plight!

Yes, the addition of SYSLIBS=lsocket relieved some of the pressure at least! I pumped 102695 bytes of unique material into /tmp/prngd-seed. Running /usr/local/sbin/prngd -d /var/run/egd-pool now gives:

    Debugging enabled
    Read 102695 bytes
    Wrote 1024 bytes back to seed file
    Could not bind socket to /var/run/egd-pool: Invalid argument

I took a look at the prngd-seed and it has indeed been written over as indicated.

By the way, Lutz, you have my word that a complete set of all changes I have made in Makefile, prngd.c and prngd.conf will be sent to you when this is up. It's the very least I can do! And thanks for the insight on the 'W option. This is all rather interesting, if a bit frustrating.

Thanks, guys!
George Walsh, Managing Director, Travel Seewise Pacific Corp
Vancouver, Canada

As Parad Warudka already pointed out, you are missing a library, probably -lsocket. I have just checked out OpenSSH, for several SCO versions the linker line looks like this:
LIBS="$LIBS -lgen -lsocket -lprot -lx"
so -lsocket is a quite good guess :-)

I only have HP-UX and Linux available, so I cannot test this myself. Actually, I am working on an "autoconf" based configuration for PRNGD, but it may take some more days before I can release it and it will probably also take some tests on platforms I don't have before it will become mature :-)

BTW -Wall is the GNU-C option for "Warnings: all", it would not help at all.

Best regards,
Lutz

PS. If you finally succeed, please send me your configuration for inclusion into future versions.
PRNGD compiler options UNIXWARE
Because SCO has not bothered to include /dev/random or /dev/urandom functionality in their o/s, I have to port prngd for use in a build of apache with openssl and mod_ssl and as suggested in the mod_ssl FAQ.

Problem? I can configure the system and compile prngd okay, but I have a problem with finding the required cc options for dynamic linking. The Solaris solution, -Wall, is not recognized. The error message with just a simple -O option reads:

    dynamic linker: /usr/local/sbin/prngd: binder error: symbol not found: socket; referenced from: /usr/local/sbin/prngd
    Killed

This is way beyond my area of expertise. Has anyone been down this path before me who might be willing to help out?

George Walsh, Managing Director, Travel Seewise Pacific Corp
Vancouver, Canada
Importing self-signed CA to Communicator
In the instructions under this topic, I created the 4 encoded files from the previous step in the /usr/local/apache/conf directory: ssl.crt/ca.crt, ssl.key/ca.key, ssl.crt/server.crt and ssl.key/server.key. All print out fine.

I fired up Communicator but am 'stuck' on the instruction to 'use the Perl script loadcacert.cg`. If I run this script from the command line (my understanding of use the script), it names the content-type as application/x-x509-ca-cert but with a length of 0. That leaves me with either nothing the browser can read or something in the wrong format.

Anyone been through this before? A fouled path perhaps or more massaging required? I am using UNIXWARE 7.1.1 and the 'AVERAGE JOE' instruction set from mod_ssl.

My thanks for any help

George Walsh, Managing Director
DSC Directional Services Corp.
Re: SSLRandomSeed problem (Manual, Chapter 6)
Afternoon, Lutz:

I want to thank you for responding, and I believe you have understood my frustration rather well, because your experience parallels mine. However, since I am an applications man, not a systems man, you can I am sure understand my confusion about this. In my field (psychology) entropy has an entirely different meaning.

I'd be thrilled to have the chance to incorporate your solution when it is available. The only thing saving me from total aggravation is that the problem is on our development and data base server which updates the web server, so the 30 second waits going in and out of https/http are endured only by the internal staff. Yes, I am thankful for small mercies.

Lutz Jaenicke wrote:

> On Thu, Jun 15, 2000 at 03:20:26PM -0700, George Walsh wrote:
> > I am encountering this delay problem under UNIXWARE 7.1 because there is
> > no /dev/random or /dev/urandom supplied. Following suggestions that I
> > use EGD from lothar.com, I pulled down the README only to learn there
> > that the insufficient entropy problem is going to continue according to
> > the author's untried explanation.
> >
> > I'd like to think I am not the sole survivor in the Universe with this
> > problem. Can someone point me in the right direction? It has to be
> > resolvable because Stronghold is running fine on another server with the
> > identical o/s.
>
> I am not totally sure that I understand your mail, so I just discuss my case:
> - I am running HP-UX (no /dev/random or /dev/urandom)
> - I run EGD, which does not help too much at startup, since no entropy has
>   been collected at this point and mod_ssl is not seeded correctly.
>   (Hence I tended to read in entropy from a support file to make mod_ssl happy)
> - You can not rely on EGD, since it is easily drained when several processes
>   query it.
> - Since the same problem persists, I have started writing the "prngd" which
>   should do the same thing as EGD but feed the seed acquired into a PRNG
>   (the OpenSSL one to be more precise), so that it is never drained.
>   It also reads back entropy from its seed-save file on startup, so that it
>   is immediately available.
>   [The prngd is currently not ready to be released to the public, it will
>   probably take 1 or 2 more weeks before I can think about publishing it :-)]
>
> Best regards,
> Lutz
> --
> Lutz Jaenicke [EMAIL PROTECTED]
> BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
> Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
SSLRandomSeed problem (Manual, Chapter 6)
I am encountering this delay problem under UNIXWARE 7.1 because there is no /dev/random or /dev/urandom supplied. Following suggestions that I use EGD from lothar.com, I pulled down the README only to learn there that the insufficient entropy problem is going to continue according to the author's untried explanation.

I'd like to think I am not the sole survivor in the Universe with this problem. Can someone point me in the right direction? It has to be resolvable because Stronghold is running fine on another server with the identical o/s.

George Walsh, Managing Director,
DSC Directional Services Corp.
(604) 689-9320 fax (604) 689-9337
[EMAIL PROTECTED]