Re: Document

2004-03-29 Thread James Hastings-Trew
Hasn't the witty worm destroyed this idiot's computer yet?

 Here is the file.
 In order to read the attach you have to use the following password:
 


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


Re: Mac IE 5 ssl errors

2004-03-26 Thread James Hastings-Trew
 Just noticed that Mac IE 5 is having problems with ssl connections to my
 apache 1.3.29 server. I either get the 'Security failure. Data decryption
 error,' or it'll connect but graphics won't load on https pages, and I get
 this error in httpd error.log:
 
 [Fri Mar 26 12:05:06 2004] [error] mod_ssl: SSL handshake interrupted by
 system [Hint: Stop button pressed in browser?!] (System error follows)
 [Fri Mar 26 12:05:06 2004] [error] System: Connection reset by peer (errno:
 54)
 
 What's the underlying OS?
 
 SSL Session caching just doesn't seem to work on older Linuxes is what I've
 discovered, and falling back to SSL2 is one thing.
 
 Another is the Mac IE is very picky and may crap out if a page includes
 non-SSL content.

I dunno, it sounds exactly like the errors I got with my RH7 server till I
put a session cache in:

SSLSessionCache dbm:/var/cache/httpd/ssl_cache
SSLSessionCacheTimeout 300

Just before the final </IfDefine> tag in httpd.conf



Re: netsky, beagle, et al.

2004-03-02 Thread James Hastings-Trew
If we can't filter these viruses out of the mailing list I may have no
choice but to add [EMAIL PROTECTED] to my spam filter, which I don't want
to do.



Re: Server Report

2004-01-29 Thread James Hastings-Trew
MyDoom on the mailing list now? Fantastic.



Re: IE and client verification problem

2002-11-04 Thread James Hastings-Trew
Sounds like you need to put a session cache in your apache config.


 Everything seemed to work just fine, but users started to report the absence of
 some pages' elements.
 Further investigation showed that, for some unknown reason, MSIE
 doesn't load all of the page components.





Re: Macs not able to access 128bit Security sites?

2002-09-03 Thread James Hastings-Trew

You *really* need an SSLSessionCache in there, or it won't work, in my
experience.

 Hi guys,
 
 I still can't get macs to access my secure site.
 
 can you see anything wrong with the following setup
 
 PLEASE HELP ME.:(
 
 <IfModule mod_setenvif.c>
   BrowserMatch .*MSIE.* nokeepalive ssl-unclean-shutdown downgrade-1.0
 force-response-1.0
 </ifmodule>
 
 # see http://www.modssl.org/docs/2.8/ssl_reference.html for more info
 SSLMutex sem
 SSLRandomSeed startup builtin
 SSLSessionCache none
 
 
 SSLProtocol -ALL +SSLv2
 SSLOptions +CompatEnvVars +OptRenegotiate
 SLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
 
 
 
 SSLLog logs/SSL.log
 SSLLogLevel warn
 # You can later change info to warn if everything is OK
 
 <virtualhost rdsl-mlb-test:443>
 SSLEngine On
 SSLCertificateFile conf/ssl/certs/my-server.cert
 SSLCertificateKeyFile conf/ssl/private/my-server.key
 SSLCACertificateFile conf/ssl/ssl.crt/ca.crt
 </virtualhost>
 
 
 thankyou,
 Vince
 
 -Original Message-
 From: Robert J. Pope [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, 28 August 2002 1:35 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Macs not able to access 128bit Security sites?
 
 
 Rob,
 
 I thought I'd try it too. With MSIE 5.2.1(4717) On MacOS X (Jaguar), I
 was successfully able to access the site and connected via an
 RC4-128 cipher. I also see you're using an Entrust cert as opposed to
 Verisign... Interesting.
 
 - Robert
 
 On Tue, 2002-08-27 at 10:33, Robert Lagana wrote:
 Ben,
 
 Can you try this site https://www.xe.com
 
 Thanks,
 Rob
 
 -Original Message-
 From: Ben Ricker [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, August 27, 2002 9:25 AM
 To: Modssl List
 Subject: Re: Macs not able to access 128bit Security sites?
 
 
 The cipher is located within the browsers which is different than the
 way Microsoft puts it in the system (hence the patch to upgrade the
 cipher).
 
 Anyway, I use IE 5.1 for Mac on OS9 and have no problem with 128-bit
 sites. Are you using OSX?
 
 Ben Ricker
 Web Security System Administrator
 Wellinx.com
 
 On Tue, 2002-08-27 at 01:48, Vince Montuoro wrote:
 Hi guys,
 Just wondered if anyone encountered issues with Macs not able to access
 128 bit encrypted sites?
 
 (The Particular Mac in question is a Powerbook G3  )
 
 I have also encountered problems with IE5 and IE6 whereby the only way I
 could get access to the site was by upgrading the security patches on the IE
 version. Mac on the other hand has 128 bit encryption standard.
 
 PLEASE HELP
 
 Vince
 [EMAIL PROTECTED]



Re: No solution for bug with IE on Mac?

2002-03-28 Thread James Hastings-Trew

 Hi,
 
 i found one (unsatisfying) solution:
 I disabled SSLv3 by setting
 
 SSLProtocol -SSLv3
 
 If i do this MSIE on Mac runs but i worry about
 other browser that would not run anymore :-(
 
 Try also what's posted in
 http://www.mail-archive.com/modssl-users@modssl.org/msg13577.html

Basically, the only thing that fixed it on my server was to establish a
sessioncache. I've been using IE on a Mac with our secure pages for months
now.




Re: MSIE + The page cannot be displayed error

2002-01-18 Thread James Hastings-Trew

I am considerably less technically adept than others in this list, but my
experience with this issue when first setting up our server leads me to the
conclusion that using nokeepalive to fix IE problems is ineffectual. The
real, only cure, is to use a session cache. But that might just be me.


 If no one is doing it now, then one of us has to start. I am also
 facing the same problem from our project's helpdesk/support teams.
 First of all I am getting conflicting feedback about
 using 'nokeepalive' for IE requests. mod_ssl FAQ asks to do this, but
 Oracle support says not to do it (one of the Oracle customers confirmed
 that after removing 'nokeepalive', the no. reduced drastically). But
 for me, there isn't much difference, I keep getting the same no. of
 errors with and without 'nokeepalive'.
 
 Thanks
 Rajidhar Etta
 
 
 - Original Message -
 From: Julian C. Dunn [EMAIL PROTECTED]
 Date: Friday, January 18, 2002 11:24 am
 Subject: RE: MSIE + The page cannot be displayed error
 
 I am wondering if someone is keeping a list of working versus
 non-working versions of IE, and if not, whether one could be started. I
 am running into this issue as well, and my support department keeps
 harassing me to come up
 with better solutions to tell the users other than Use Netscape.
 
 Thank you Christopher for providing a non-working version number;
 does anyone
 know of a version # of IE which does work reliably?
 
 - Julian
 
 On 18-Jan-2002 Christopher Taranto wrote:
 
 snip
 
 Fortunately (for my sanity), I have one of the non-working versions
 of the MSIE browsers (5.00.2614.3500) on one of the machines in my
 office so I can repeatedly create the errors.
 
 snip
 
 -- 
 Julian C. Dunn, B.A.Sc.   [EMAIL PROTECTED]
 Senior Software Developer, VerticalScope Inc.
 111 Peter St., Suite 700, Toronto, ON
 Tel: (416) 341-8950 x236  Fax: (416) 341-8959
 
 istream  ostream  We all scream for ice cream;
 
 




Re: MSIE + The page cannot be displayed error

2002-01-18 Thread James Hastings-Trew

My httpd.conf file has this:

SSLSessionCache dbm:/var/cache/httpd/ssl_cache
SSLSessionCacheTimeout 300

In addition to this:
SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

And this:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

My server accepts SSL connections with all clients I have tried and have
received no complaints from users. Your mileage may vary.


 On 18-Jan-2002 James Hastings-Trew wrote:
 I am considerably less technically adept than others in this list, but my
 experience with this issue when first setting up our server leads me to the
 conclusion that using nokeepalive to fix IE problems is ineffectual. The
 real, only cure, is to use a session cache. But that might just be me.
 
 I am also using a session cache, as in
 
 SSLSessionCache shm:/usr/local/apache/logs/ssl_scache(512000)
 
 but I am still getting the errors from IE. So that also seems to be rather
 ineffective.
 
 - Julian




Re: New User: must be obvious question

2001-10-23 Thread James Hastings-Trew

 
 Sure it is.  I gave you the urls in the httpd.conf file.  Try them they both
 work
 
 http://209.10.62.26
 The ssl version of the site:
 https://209.10.62.26

Actually, I got an error connecting to the SSL site - identity certificate
name is not correct. And the session was not encrypted at all.




Re: Problem serving to some browsers

2001-09-04 Thread James Hastings-Trew

 I included these lines and am having the same problem.  The test page I am
 working with is:
 
 https://secure.logsoftinc.com/co.html
 
 I greatly appreciate the responses I've gotten from everyone.  Any ideas of
 something else to try?  Is there some tests or something I should post that
 might make this easier to resolve?
 
 Thanks again,
 --James

I am late to this discussion, but have you tried adding an SSLSessionCache
to your httpd.conf ?

That page came up the way mine used to before I added the cache to my own
config - sans graphics.




Re: Netscape + ModSSL=Dead slow.

2001-06-20 Thread James Hastings-Trew

Oddly enough, on our Red Hat Linux server, the only Mac browser I had
difficulty with was Explorer. Netscape has always worked like a champ.

on 6/20/01 10:38 AM, Brian O'Neill at [EMAIL PROTECTED] wrote:

 I can confirm that I had this same slow/hang problem with Macs running
 netscape 4.73 and 4.75, using several mod_ssl and apache versions, running
 on Solaris. This was not a Linux-centric issue. It wasn't a priority for
 my client at the time, but I did send a BrowserMatch statement for them to
 try.
 -Brian
 
 
 
 I've been using Netscape 4.77 (OS 9.1 I think) on an iMac over here without
 any problems and stock settings.  Before that I've used Netscape 4.76
 without any problems as well.  I don't recall testing anything earlier,
 although I've got a couple production sites running mod_ssl on Linux (RedHat
 6.2 systems with 2.2.18/19) without any problems.
 
 -Dave




Re: HEAD / HTTP/1.0

2001-05-07 Thread James Hastings-Trew

on 5/7/01 5:34 AM, Deocs Postmaster at [EMAIL PROTECTED] wrote:

 From telnet this command returns the type of server,
 installed modules, and other information.  That info
 is tabulated and tracked by www.netcraft.com (who also
 infers the operating system) and can help an attacker
 find a website's vulnerabilities.

You want to run a secure server but you have telnet access to it. Seems like
the server info is the least of your security problems.




Re: Apache 1.3.19

2001-05-04 Thread James Hastings-Trew

on 4/27/01 1:43 PM, Larry Hoffman at [EMAIL PROTECTED] wrote:

 I have version 1.3.19 of Apache on a RedHat 7.1 install... I created an
 images directory under /var/www/html directory... For some reason apache is
 not serving the images I have in the directory... I have created another
 images directory up one more level i.e. /var/www/images... It still doesn't
 serve these images... Any suggestions?

Check the ownership and permissions of files and directories.




Re: SSLProtocol all -SSLv3 having no effect on ie 5 behavior

2001-04-24 Thread James Hastings-Trew

on 4/23/01 6:30 PM, Tim Taylor at [EMAIL PROTECTED] wrote:


 So I went back to the archive and found some mention of ssl session cache so
 I tried dropping in..
 SSLsessioncache none

I ran into this problem myself. You really do need a session cache.

SSLSessionCache  dbm:/var/cache/httpd/ssl_cache
SSLSessionCacheTimeout 300

That and the other two lines:

SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP


Those lines did the trick for me.




Re: SSL v3 works with IE5.x on Apple Macintosh?

2001-02-26 Thread James Hastings-Trew

on 2/26/01 3:17 AM, Christian Jrges at [EMAIL PROTECTED] wrote:

 Hi there,
 
 has anybody out there a working installation with apache, mod_ssl, apache on
 any unix flavor that an Apple with OS 9.1 can connect?
 We could only get a connect (with warnings from Browser) only by using
 SSLProtocol all -SSLv3.

The thing that did the trick for my setup was to have the following lines
(in the appropriate places) in my httpd.conf file:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

SSLSessionCache  dbm:/var/cache/httpd/ssl_cache
SSLSessionCacheTimeout 300

Others report that the shm cache is better, but my Linux system reported
errors doing that, so I used a dbm cache instead.




Re: .htaccess?

2001-02-07 Thread James Hastings-Trew

on 2/7/01 2:56 AM, Owen Boyle at [EMAIL PROTECTED] wrote:

 James Hastings-Trew wrote:
 I think others have asked this question as well, but I would like a portion
 of my secure site to be blocked to access unless a name and password is
 entered.
 
 There should be no problem with running password-access under SSL.
 Double-check the following points:
 
 - Your configuration should look something like this (assuming you put
 the authorisation directives in httpd.conf):
 
 <VirtualHost your_ssl_site:443>
 
 ...SSL directives...
 
 DocumentRoot  /home/web/html/secure
 
 <Directory /home/web/html/secure/protected>
   AuthType  Basic
   AuthName  "Protected HTTPS Area"
   AuthUserFile  /home/web/admin/https.pwd
   require   valid-user
 </Directory>
 
 </VirtualHost>
 
 - make sure to *restart the server* after making the changes.

Yes, you'd think this would work, but after trying configuring the server
with the directives in the httpd.conf file and/or in an .htaccess file, the
result is the same - apache blithely serves up the requested page without
asking for a name and password.

The directives in my httpd.conf look like this:

<VirtualHost  111.222.333.444>

...SSL directives...

<Directory /var/www/my.domain.com/html/adminpages>
  AuthType Basic
  AuthName "Website Admin"
  AuthUserFile /etc/httpd/admin-users
  require valid-user
</Directory>





.htaccess and https:// connections

2001-02-06 Thread James Hastings-Trew

I think others have asked this question as well, but I would like a portion
of my secure site to be blocked to access unless a name and password is
entered. I have created a valid .htaccess file, pointing at a valid .htpasswd
file, and it works provided that part of the site is accessed through an
http: connection -- it correctly queries for the name and password before
showing the page. However, when accessed through a https: connection, no
such query pops up - the script is run and the page shows as if there were
no .htaccess file at all.

I have tried putting the directives directly into the httpd.conf file, but
the result is the same either way I do it - the .htaccess file only seems to
work if the connection to the page is made through an unsecure connection. I
would like the sessions to this page (an admin page to be used by authorized
users off-site) to require authorization and be through an SSL session. The
chances of anyone guessing the directory/script name is low, but still

Any ideas?





Re: Apache, OpenSSL and Internet Explorer

2001-02-04 Thread James Hastings-Trew

on 2/3/01 4:50 PM, David Rees at [EMAIL PROTECTED] wrote:

Pardon a potentially stupid question, but would the syntax for that be:

SSLSessionCache shm:/var/cache/httpd/ssl_cache

?

 On Sat, Feb 03, 2001 at 04:36:07PM -0600, James Hastings-Trew wrote:
 Thank you for your help. :) I am happy to say, that I *finally* managed to
 get the silly thing working, and I am going home now to nurse my aching head
 and sour stomach (nasty cold bug going around). The thing that did the trick
 was to add the following near the end of the httpd.conf file:
 
 SSLSessionCache  dbm:/var/cache/httpd/ssl_cache
 SSLSessionCacheTimeout 300
 
 We found someone else with this same problem a while back, some versions of
 IE require that the SSL session be cached.
 
 I also recommend that you use the shm session cache, I found it to be 30%
 faster than the dbm session cache during benchmarks.  Others have found
 the dbm session cache to be unreliable under heavy load.
 
 We really do need to get Ralf to add the check for SSLSessionCache under
 the FAQ for IO errors with MSIE browsers.





Apache, OpenSSL and Internet Explorer

2001-02-03 Thread James Hastings-Trew

I am trying to establish a secure server using Apache on RedHat 7. I am
using OpenSSL 0.9.5a (the most current RPM available at RedHat)

I have tried the various Apache httpd.conf tricks noted at:

 http://www.modssl.org/docs/2.8/ssl_faq.html#ToC48

But to no avail. Internet Explorer 5.0 (Mac has no higher available version)
refuses to negotiate a secure connection with the https:// pages, although
Netscape works perfectly. Explorer initially shows the page missing the
graphics, but nothing can be submitted. The error is "Security Failure. Data
Decryption Error."

I am admittedly a dummy when it comes to Linux, and an attempt to install an
OpenSSL 0.9.6 RPM obtained from the RedHat site resulted in httpd refusing
to start, saying there was a problem with SSL library module. Some have
suggested downgrading to OpenSSL 0.9.3 to correct the problem, but without
adequate step by step installation instructions I am doomed, since all I can
obtain is source for that version and it (apparently) does not install in
the places that RedHat 7 expects things to be.

I guess my question is - how can a glaring "problem" with the software (not
working at all with the default browser on the Mac OS) have escaped the
attention of the developers, and how come there is no fix or workaround that
a regular Joe just treading water to get this thing working can apply
without having a computer science degree?

Is there an integrated, relatively painless to install solution that will
give me a working webserver that has secure transaction capabilities that
does not require me recompiling half the software on the server to make
function properly. Yes, I have been told that IE has a broken SSL
implementation, but tell that to people who have been using it successfully
to do secure transactions all over the web.

A little frustrated now that I am restoring the server software (yet again)
from tape backup after a blown installation of OpenSSL 0.9.6.




Re: Apache, OpenSSL and Internet Explorer

2001-02-03 Thread James Hastings-Trew

Thank you for your help. :) I am happy to say, that I *finally* managed to
get the silly thing working, and I am going home now to nurse my aching head
and sour stomach (nasty cold bug going around). The thing that did the trick
was to add the following near the end of the httpd.conf file:

SSLSessionCache  dbm:/var/cache/httpd/ssl_cache
SSLSessionCacheTimeout 300

That and the other two lines:

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

did the fix, and the site now works with IE.
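
Added example, not part of the original posts or of mod_ssl: a small Python check over the directives quoted in these threads. It flags a missing or disabled `SSLSessionCache` (the recurring fix above) and, going beyond the thread, reports legacy protocols and weak cipher classes that an `SSLProtocol` or `SSLCipherSuite` value still admits. Function names, finding codes and the two sample configs are constructed for illustration; `all` is read as it was defined in mod_ssl 2.8.

```python
MODSSL28_ALL = {"sslv2", "sslv3", "tlsv1"}   # assumption: "all" as defined in mod_ssl 2.8
LEGACY = {"sslv2", "sslv3"}
WEAK = {"ADH", "EXP", "LOW", "SSLV2", "NULL", "ENULL"}

def directives(conf):
    """Yield (first_line_no, name, args), joining backslash continuations."""
    pending, start = "", 0
    for n, raw in enumerate(conf.splitlines(), 1):
        start = start if pending else n
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if line and line[0] not in "#<":          # skip comments and <Section> tags
            name, *args = line.split()
            yield start, name, args

def enabled_protocols(tokens):
    """Apply SSLProtocol tokens left to right: +X adds, -X removes, bare X replaces."""
    on = set()
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        group = MODSSL28_ALL if name.lower() == "all" else {name.lower()}
        on = on - group if sign == "-" else on | group if sign == "+" else set(group)
    return on

def weak_cipher_classes(spec):
    """Weak classes an OpenSSL cipher string still admits (conservative heuristic)."""
    excluded, present = set(), set()
    for tok in spec.upper().replace("EXPORT", "EXP").split(":"):
        if tok.startswith("!"):
            excluded.add(tok[1:])                 # !X removes X for good
        elif tok == "ALL":
            present |= {"ADH", "EXP", "LOW", "SSLV2"}
        elif tok[:1] not in "+-":                 # +X only reorders; -X is ignored here
            present |= set(tok.split("+")) & WEAK
    return sorted(present - excluded)

def audit(conf):
    """Return findings as (line_no, code, detail); line 0 means the whole file."""
    findings, cache_seen = [], False
    for n, name, args in directives(conf):
        key = name.lower()
        if key == "sslsessioncache":
            cache_seen = True
            if args and args[0].lower() == "none":
                findings.append((n, "NO_SESSION_CACHE", "SSLSessionCache none"))
        elif key == "sslprotocol" and (legacy := sorted(enabled_protocols(args) & LEGACY)):
            findings.append((n, "LEGACY_PROTOCOL", ",".join(legacy)))
        elif key == "sslciphersuite" and args and (weak := weak_cipher_classes(args[0])):
            findings.append((n, "WEAK_CIPHERS", ",".join(weak)))
    if not cache_seen:                            # mod_ssl 2.8 defaults to no session cache
        findings.append((0, "NO_SESSION_CACHE", "no SSLSessionCache directive"))
    return findings

# Constructed samples assembled from directives quoted in the thread.
BEFORE = """SSLSessionCache none
SSLProtocol -ALL +SSLv2
SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
"""
AFTER = """SSLSessionCache dbm:/var/cache/httpd/ssl_cache
SSLSessionCacheTimeout 300
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown \\
    downgrade-1.0 force-response-1.0
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
"""

if __name__ == "__main__":
    print(audit(BEFORE), audit(AFTER), sep="\n")
```

On the `AFTER` sample the session-cache finding is gone, but the cipher string is still reported: `ALL` brings in export, low-strength and SSLv2 suites, and the `+LOW`, `+SSLv2` and `+EXP` tokens only move them to the end of the preference list.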
