Re[2]: OT: cheap CA certificates
Thawte is pretty cheap. $127 bucks through their ISP channel (anyone can sign up) for a regular web cert; I am not sure you can do much better. If it's not worth $127 a year, then I assume it's not for profit, e.g. for internal use only or for a small number of users. In that case, just use self-signed certificates. They're no less secure, they just pop up a warning. Advise your users to add them to their root store the first time they connect to your site and even that won't happen anymore. We do this for all our internal secured sites.

-- Jamie

Monday, November 17, 2003, 3:05:23 PM, you wrote:

GBE> Hello Eric,
GBE>
GBE> Eric Wood wrote: Where can I get cheap/reliable certs for an Apache that IE 5.5+ clients will authorize against? Thawte and Verisign have outpriced themselves.
GBE>
GBE> That depends on your definition of the terms cheap and reliable. But we offer client and server certs (low level client certs are still free).
GBE>
GBE> Bye
GBE> Goetz

-- Best regards, James  mailto:[EMAIL PROTECTED]

__ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Urgent: remove password from server cert?
Add:

  SSLPassPhraseDialog exec:(path to SSLpassphrasefile)

to httpd.conf. SSLpassphrasefile is:

  #!/bin/sh
  echo (passphrase)

Of course, this is a security risk, since you've got your pass phrase stored on the server itself in clear text. The consequences of that should be considered. You could improve this a little by having your SSLpassphrasefile keep the passphrase in some encrypted form, and pass it the decryption key from httpd.conf, which would at least require a hacker to gain access to both files to get the pass phrase. But I can't think of a really secure way to accomplish this.

Jamie

At 05:06 PM 5/31/00 -0700, Paul wrote:

In a sudden (and late) moment of epiphany, I just realized (while writing a note to our CSA to please put the new server's startup in the machine's boot cycle) that when we reboot (*every* Monday morning in the wee hours) it's not terribly likely that anyone's going to be around to feed the password to the startup query. This really needs to be automated. Help? =o)

Paul
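An added example, not from the list, of the exec: program Jamie describes, with the one check a practitioner would want before it hands out a pass phrase. mod_ssl starts the program once per encrypted key with two arguments, "servername:port" and the key type ("RSA" or "DSA"), and reads the pass phrase from its standard output, so one script can serve several keys from one file per server. The directory, file naming and the "passphrase.sh" name are assumptions.

```sh
#!/bin/sh
# Added example (not from the posts): a program for
#   SSLPassPhraseDialog exec:/usr/local/apache/conf/passphrase.sh
# mod_ssl runs it with "servername:port" and "RSA"/"DSA" as arguments and
# reads the pass phrase from stdout. Paths and file naming are assumptions.
PASS_DIR="${PASS_DIR:-/usr/local/apache/conf/passphrases}"   # one file per servername:port

# Print the pass phrase for "$1", but only from a file nobody but its owner
# can read: a world-readable pass phrase file protects the key exactly as
# well as no pass phrase at all.
passphrase_for() {
    f="$PASS_DIR/$1"
    if [ ! -f "$f" ]; then
        echo "passphrase.sh: no pass phrase file for $1" >&2
        return 1
    fi
    # columns 5-10 of "ls -l" are the group and other permission bits
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) ;;
        *) echo "passphrase.sh: $f must be mode 0400 or 0600" >&2; return 1 ;;
    esac
    head -n 1 "$f"
}

# Honest alternative: whoever can read this script and its files can read the
# key file too, so encrypting the key buys little. Strip the pass phrase once,
#   openssl rsa -in server.key -out server.key.plain && chmod 0400 server.key.plain
# point SSLCertificateKeyFile at the result, and rely on ownership and mode.

if [ -n "${1:-}" ]; then
    passphrase_for "$1"
fi
```

The permission test is the point: the script refuses to work at all rather than quietly serve a pass phrase that anyone on the box could have read anyway.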
Re: Incorrect Certificate presented for Virtual Site...Why?
You can't use name-based virtual hosting for SSL. More specifically, you cannot have two SSL virtual hosts bound to the same IP and port. You must either use a different IP or a different port. Check the FAQ or archives of this list for details of why you can't do this.

Jamie

On Sunday, February 11, 2001, 9:03:22 PM, you wrote:

I have 4 virtual servers set up something like the following:

  Listen 80
  Listen 443
  NameVirtualHost 1.2.3.4

  <VirtualHost 1.2.3.4:80>
    ServerName www.dom1.com
  </VirtualHost>

  <VirtualHost 1.2.3.4:443>
    ServerName www.dom1.com
    SSLCertificateFile file1.pem
    SSLCertificateKeyFile file1.key
  </VirtualHost>

  <VirtualHost 1.2.3.4:80>
    ServerName www.dom2.com
  </VirtualHost>

  <VirtualHost 1.2.3.4:443>
    ServerName www.dom2.com
    SSLCertificateFile file2.pem
    SSLCertificateKeyFile file2.key
  </VirtualHost>

When Apache starts, it asks me for both passwords to both certs. However, if I go to https://www.dom2.com, the certificate for file1.pem is presented to the browser. IT IS SUPPOSED to present file2.pem. What's wrong?
Re: SSL and vhosts
It is impossible; read the FAQ. For your purposes, why not just use alternate ports, or use a subdirectory of a single secure server (e.g. https://yourhost.com/yourclient)? For administration purposes - presumably by the person who maintains the sites - the URL really doesn't matter much.

Jamie

At 05:55 PM 1/15/01, Deim Agoston wrote:

Hi!

Recently, I've read on the RH support page that SSL doesn't work with name-based virtual hosts. Is it true? And what if I just want to redirect only the administration pages of the sites (there are pages for editors etc. at our website)? Maybe the next version of mod_ssl (or does it depend on Apache?) will support it?
Re: Why pay a CA?
... and you can tell your browser to add a certificate to its root authority list so it won't warn you in the future. So if it's for a small group or intranet you simply tell everyone how to accept the cert and they'll never be bothered again. But for any commercial use this simply won't fly... go buy a Thawte cert before Verisign phases them out. The Thawte web site says in the acquisition FAQ "In fact we guarantee that Thawte SSL Server Certificates will continue to be available to both existing and new customers for US$125 (or less!) at least through February 1, 2001"... this is not promising for the future.

Jamie

At 10:08 AM 12/6/00, Owen Boyle wrote:

It depends what you want to use SSL for. If you want strangers to send you their private details, you'd be better off with a commercial certificate since they won't be frightened by the "warnings". However, if you are using SSL for a specific closed group of users, then use your own certificate and inform them about it...
Re: Netscape 6
Why did you need to do this? I would think this would have unpredictable results. You only need one IP address to use the same domain name for both http and https, since they are accessed on different ports:

  # Secure virtual host
  <VirtualHost 216.186.181.230:443>
  ...
  # http virtual host
  <VirtualHost 216.186.181.230:80>
  ...

is the usual way to set this up.

Jamie

At 10:01 PM 12/1/00, Brendon Maragia wrote:

Ok, my trouble is that in order to get this class I wrote in PHP to work I can't switch domain names when moving from 'http' to 'https'. So I went ahead and aliased my domain name to 2 IP addresses so I can do an Apache vhost and an SSL vhost, thus so...

  Name: www.commaflex.com
  Addresses: 216.186.181.230, 216.186.181.231

...I set up www.commaflex.com as an Apache vhost and an SSL vhost as follows:

  #
  # commaflex.com
  #
  <VirtualHost 216.186.181.231:80>
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /home/commaflex/public_html
    ServerName www.commaflex.com
    ErrorLog /home/commaflex/.error.log
    TransferLog /home/commaflex/.transfer.log
  </VirtualHost>
  ## end ##

  <VirtualHost 216.186.181.230:443>
    DocumentRoot "/home/commaflex/public_html"
    ServerName www.commaflex.com
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog /usr/local/apache/logs/error_log
    TransferLog /usr/local/apache/logs/access_log
    SSLEngine on
    # note: +eNULL and +SSLv2 admit unencrypted and SSLv2 sessions
    SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/local/ssl.keys/www.commaflex.com/server.crt
    SSLCertificateKeyFile /usr/local/ssl.keys/www.commaflex.com/server.key
    SSLCertificateChainFile /usr/local/ssl.keys/www.commaflex.com/ca.crt
    SetEnvIf User-Agent ".*MSIE.*" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
  </VirtualHost>

Well, all of these things work fine and dandy in IE (the versions I've checked); however, Netscape 6 can't find https://www.commaflex.com :( Anybody have any tips? Or perhaps a better way?

-Brendon
Re: MOD_SSL + MSIE 5.x
Apache 1.3.14 will not compile with PHP 4.0.0? Why? Also, why _must_ you use a specific version of PHP that contains documented memory leaks, among other bugs, when there are more recent versions available? Using the 2.7.1 version of mod_ssl (without RSAREF) also has the significant advantage of a nice big speed increase, as I recall from recent discussion here.

-- Jamie

At 05:13 AM 11/14/00, Brendon Maragia wrote:

I really would try, but in order to get Apache to compile with PHP 4.0.0 (which is the version I have to use) I have to use apache_1.3.12, which requires an older version of mod_ssl.
Re: [BugDB] PRIVATE: Internet Explorer File Upload fails (PR#484)
I was going to note a similar problem I was having to this list (as I believed it to be mod_ssl related at first), but I believe the problem is not with mod_ssl but with Apache 1.3.14 and/or PHP 3.0.4pl1. That is, are you noting this problem with https only, or have you confirmed that it exists for non-SSL connections as well? Since you are noting that it doesn't work with scripts other than PHP, it leads me to believe it's an Apache problem, but I found the problem with:

  Apache 1.3.14 + mod_ssl + PHP 3.0.4pl1
  Apache 1.3.12 + mod_ssl + php 3.0.2

Everything works fine with:

  Apache 1.3.12 + mod_ssl + php 3.02

I have not tried Apache 1.3.14 + php 3.0.2 yet, and have not tried compiling Apache 1.3.14 with the previous mod_ssl (as it is not designed to work with it) -- but the evidence in my testing seems to suggest a problem with Apache 1.3.14 AND PHP 3.0.4pl1, rather than mod_ssl.

Jamie

At 04:04 PM 11/10/00, [EMAIL PROTECTED] wrote:

Full_Name: Dieter Wimberger
Version: 2.7.1-1.3.14
OS: RH 6.1
Submission from: (NULL) (193.170.30.134)

Internet Explorer POST to https with multipart/form-data fails (just 5% of tries it does not). Verified for 5.5, 5.5 SP1 (High and low encryption).

FORM:

SCRIPT (simple cgi):

  #!/bin/sh
  echo Content-type: text/plain
  echo
  echo
  echo "multipart/form-data upload debug:"
  echo "-"
  echo "ContentType=$CONTENT_TYPE "
  echo " DATA "
  cat -
  #end SCRIPT

Behaviour also verified with perl script, php and jserv tests.

Host System: RH 6.1 (Cartman) Apache/1.3.14 (Unix) ApacheJServ/1.1.2 PHP/4.0.3pl1 mod_ssl/2.7.1 OpenSSL/0.9.6
Client System: Windows 2000 Professional, Windows NT4 SP6
Re: Some question about modssl
True, there's nothing in the protocol against it, and users can switch it off, but if you're trying to sell something over the internet (which is the reason a lot of people use SSL) then you really need to cater to the least common denominator. Trying to explain frightening messages to the 60% or whatever of your users who use Internet Explorer is not a good way to go about that. You shouldn't rely on users to "know" how to use SSL, since the technology is far beyond most of their comprehension. You should do everything possible to ensure that the fewest number of people possible are presented with any difficult or confusing questions, and "this site contains both secure and insecure objects. do you want to proceed?" is *definitely* a confusing question to the average user. It will absolutely cause an e-businessperson to lose customers and there's no good reason to purposely implement a site this way.

Jamie

At 03:13 AM 11/7/00, Owen Boyle wrote:

> I would absolutely *not* do this, [mix SSL and non-SSL content] unless you want your web site users to see a message from the web browser saying "this page has both secure and insecure information. Do you want to proceed?" every time they use your site. This does not instill confidence.

Good point Jamie. However, for some users this may be necessary; there is nothing in the protocol against doing this, the browser warnings are browser-dependent (Netscape doesn't give a peep) and can be switched off. Users have to choose for themselves how they want to use SSL.
Re: Some question about modssl
I would absolutely *not* do this, unless you want your web site users to see a message from the web browser saying "this page has both secure and insecure information. Do you want to proceed?" every time they use your site. This does not instill confidence.

-- Jamie

At 06:03 AM 11/6/00, Owen Boyle wrote:

Note that SSL is quite heavy on the system (all that encryption and decryption) so you might like to send some content (such as logo GIFs) by plain HTTP. To do this you can either refer to them explicitly, e.g.

  <img src="http://your.site.com/images/my_logo.gif">
Re: Ready for Prime Time ?
The others have answered one part of your question, but I wanted to mention another very significant part of the whole support issue. What is your experience with paid, supported software from companies like 'the evil empire'? Personally, I have been in many situations where I was ready, willing and able to pay someone large amounts of money for a solution to a problem. The lesson I have learned: if I have found what appears to be a bug, it generally is. The end result of paying someone for support is that you spend endless time on the phone going through an "idiot list" of questions until you either 1) get blown off, or 2) finally get to speak to a developer who simply says, yes, it's a bug. But either way, it won't get fixed.

Basically, I have found free support from other users on the internet, and searching archives of mailing lists and resources like deja.com, to be far superior in quality, timeliness (and price) to paid telephone support for commercial products. In the open source world, it is true that nobody is accountable, and you are never guaranteed a response. Although it defies reason, though, the support available on resources such as this one is in practice far more useful than paid support. Perhaps there are some things that money just can't buy - e.g. being part of a discussion forum with technical people who are innately familiar with the software (as well as the ones who _wrote_ it) and probably like what they are doing a lot more than the guy answering the tech support line for Microsoft.

Jamie

At 01:03 AM 11/2/00, Keith Parkansky wrote:

Without such a thing, the Evil Empire will never be wiped off the face of the earth because corporate IS managers can't base systems on products where one *might* find an answer to an issue on a list or Web site. Linux distributors will only go so far in offering support for the applications included in their distributions.

If there are any commercial support operations available, where can I find contact information for them?
Re: Securing subdirectories
Here's one way... Set up your roots in separate directories in httpd.conf:

  ./normal-root/
  ./secure-root/

Make a symbolic link from ./normal-root/index.html to ./secure-root/index.html. This would be the only file under normal-root, and everything is stored in secure-root, but the link makes just the home page available from the non-secured document root.

Jamie

At 07:16 AM 10/30/00, Alexander Häussel wrote:

Hi All,

Maybe this question has been asked before, but I wasn't able to find a solution right now. I have a website that I want to allow access to via regular http, but as soon as the user logs in I want the pages to be secured via SSL. My SSL works, but it is possible to access those pages via http or https. I want a special subdirectory to be accessible only via https, regardless of what the user types into the URL.

P.S. Sorry for my bad English.

___
Alex
celsius37.com AG
Email mailto:[EMAIL PROTECTED]
Re: PHP Info www search and server info gathering (fwd)
Doesn't seem like a big deal to me... even _without_ the phpinfo() function I could probably tell you with about 80% accuracy what directories stuff on any given server is installed in, since most people use the defaults anyway. And any technical mailing list such as this one would tell you exactly this information (and a lot more) about any of the thousands of people who post to the list. So what use is this information from a security threat standpoint? While knowing an exact server version might conceivably help a hacker know what exploits to try (or not try), one should hardly consider that the _lack_ of published info about their server is any sort of security.

Jamie

At 10:59 PM 10/23/00, R. DuFresne wrote:

I am not sure if this is an issue that seems bad for a server's security to most people, but to me it is a really bad looking problem. The phpinfo() function available from PHP versions gives out a _LOT_ of server information, directories things are installed in, versions etc. Anyone who is not familiar with this page and the contents can look below for examples in the search results I did or do a search themselves and see. This page is also super easy to find through a search engine, like the ASP/PHP page error problem reported in the past. I did a lookup in Google for the following...

  phpinfo() PHP Credits Version
Re: Who is this clueless moron?
The answer lies... https://www.ahresources.org (https, not http). He got to ModSSL via the "Apache Interface to SSLEay" link. I guess he missed the next paragraph that reads "ATTENTION! If you are seeing this page instead of the site you expected, please contact the administrator of the site involved. Although this site is running the Apache software it almost certainly has no other connection to the Apache Group, so please do not send mail about this site or its contents to the Apache authors. If you do, your message will be ignored."

Apparently he's ceased his attack, and hopefully in his second day of life on the internet he'll be a little more careful before shooting everything that moves...

-- Jamie

At 01:51 PM 10/11/00, James Ford wrote:

On Wed, 11 Oct 2000, [EMAIL PROTECTED] wrote:

> I don't understand it, but they think that somehow their website is being disrupted.

www.ahresources.org is running Apache/1.3.9 (Unix) FrontPage/4.0.4.3 Rewrit/1.1a ApacheJServ/1.0b5 PHP/3.0.12 on Linux. So perhaps he's seeing the default Apache page (or such) for the install and assumes someone's "hacked" his site. Highly likely since he apparently has not figured out his caps-lock key.

-- James
Re: allow access to https area without certificate
You can't have a secured area without a certificate. The entire principle of the system depends on a certificate from the server. It's like trying to find a way to keep your door locked without carrying keys around. You need to either buy a cert from a trusted issuing authority, or generate your own, but that will give warnings to users who come to your web site. If the site is for public consumption then this generally isn't acceptable, so you must pay up.

Jamie

At 07:25 AM 9/25/00, Rickard Svorén wrote:

Hi,

I am working on a www-project for a customer; my role is to configure the Apache www server. The problem is, they want to have https secured pages that users can access without getting certificates to their web browser or other warnings that IE or Netscape show. Anyone know how to do that?

-Mvh, Rickard

Xpress On-Line Värmland AB
Rickard Svorén
Bivägen 4
663 41 Hammarö
[EMAIL PROTECTED]
Tel: 054-521920
Fax: 054-525867
www.xpress.se
Re: How to restrict a portion of web site to ONLY https?
Why not just use a different document root for the secure and insecure sites? Put symbolic links from the HTTPS root into the regular root for directories that you want to make available insecurely as well.

Jamie

At 02:01 PM 9/14/00, Carlos Ramirez wrote:

You can use mod_rewrite. Example:

  RewriteEngine On
  RewriteCond %{REQUEST_URI} ^/secureSection.*
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/(.*) https://www.mydomain.com/$1 [R]

-Carlos
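The two answers to "only over https" on this page (Jamie's separate document roots joined by a symbolic link, from the "Securing subdirectories" reply, and Carlos's mod_rewrite redirect above) fit together in one httpd.conf. The configuration below is an added example, not a posting from the list; addresses, host names and paths are assumptions. Two points a practitioner would add: the redirect only fires after the browser has already sent the plain-http request (cookies and all) in the clear, so links to the login page and any form that carries a password must point at https in the first place; and mod_ssl's SSLRequireSSL directive can back up the directory layout, so that a later Alias or vhost that happens to expose the secure tree over port 80 gets a refusal instead of the content.

```apache
# Added example, not from the list posts: Jamie's two-document-root layout
# and Carlos's mod_rewrite redirect in one httpd.conf. Host names and paths
# are assumptions; adjust to your layout.

<VirtualHost 1.2.3.4:80>
    ServerName   www.mydomain.com
    DocumentRoot /www/normal-root
    # normal-root holds only index.html, a symlink into secure-root:
    #   ln -s /www/secure-root/index.html /www/normal-root/index.html
    <Directory /www/normal-root>
        Options FollowSymLinks
    </Directory>
    # Anything under /secureSection asked for over plain http is bounced to
    # https. [L] stops rule processing; R=301 lets browsers remember the move.
    RewriteEngine On
    RewriteRule ^/secureSection(/.*)?$ https://www.mydomain.com/secureSection$1 [R=301,L]
</VirtualHost>

<VirtualHost 1.2.3.4:443>
    ServerName   www.mydomain.com
    DocumentRoot /www/secure-root
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
    # Belt and braces: should a later Alias or vhost ever expose this tree
    # over plain http, mod_ssl refuses the request instead of serving it.
    <Directory /www/secure-root/secureSection>
        SSLRequireSSL
    </Directory>
</VirtualHost>
```

Because the :80 vhost never serves from /www/secure-root, no RewriteCond on %{HTTPS} is needed: the rule lives only where plain-http requests arrive. For wen's later question (the whole server https-only) the simplest answer on this page still stands: drop "Listen 80" altogether.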
Re: Virtual Hosting problem
RTFA ;-) Virtual hosting does not work with SSL. Each site must have its own IP.

Jamie

At 12:10 PM 9/8/00, Thomas E. Ruth wrote:

Hello,

I have a little bug I found that I'd like to report. I am using the NameVirtualHost facility of Apache together with SSL. The problem comes with the environment variable DOCUMENT_ROOT that Apache is setting. ...
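The constraint behind the virtual-hosting replies on this page (the dom1/dom2 certificate mix-up, "SSL and vhosts", Brendon's two-address setup and this one) is a protocol matter, not an Apache limitation: the server has to choose a certificate during the SSL handshake, before it has seen the HTTP Host: header, so with the mod_ssl of the time the only things it can key on are the IP address and port the connection arrived on. The layout below is an added example, not from the list; addresses, host names and paths are assumptions. For the record, later TLS added the Server Name Indication extension (RFC 6066), which carries the host name inside the handshake; Apache 2.2.12 and later with an OpenSSL built with TLS extensions use it to run name-based SSL vhosts on one IP:port, with the first vhost serving clients that do not send SNI. The software discussed on this page predates that.

```apache
# Added example, not from the posts: one IP per SSL site with Apache 1.3 +
# mod_ssl. Plain-http sites can still share 1.2.3.4 by name; http and https
# of the same name share one IP because they use different ports.
Listen 80
Listen 443

NameVirtualHost 1.2.3.4:80

<VirtualHost 1.2.3.4:80>
    ServerName   www.dom1.com
    DocumentRoot /www/dom1
</VirtualHost>

<VirtualHost 1.2.3.4:80>
    ServerName   www.dom2.com
    DocumentRoot /www/dom2
</VirtualHost>

# No NameVirtualHost for :443. Whichever SSL vhost comes first for a given
# IP:port answers every https connection to it, which is why dom2 was
# handed dom1's certificate in the question further up.
<VirtualHost 1.2.3.4:443>
    ServerName   www.dom1.com
    DocumentRoot /www/dom1
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/www.dom1.com.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/www.dom1.com.key
</VirtualHost>

# dom2's SSL site gets its own address (a second port such as 1.2.3.4:8443
# also works, but then users have to type the port).
<VirtualHost 1.2.3.5:443>
    ServerName   www.dom2.com
    DocumentRoot /www/dom2
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/www.dom2.com.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/www.dom2.com.key
</VirtualHost>
```

Thomas's DOCUMENT_ROOT oddity follows from the same fact: with NameVirtualHost on the SSL port, the request is always served by the first :443 vhost for that address, so its DocumentRoot (and certificate) are what every name on that address gets.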
Re: installation of modssl step-by-step
The information that isn't linked on the web site is included in the tarball, in a file called "Install".

-- Jamie

At 12:54 PM 9/7/00, Marcos Sanchez wrote:

Hello! I'm about to install mod_ssl 2_1_8-1_3_4 but I couldn't find the information for a detailed installation of mod_ssl on the website www.modssl.org. The address for this topic doesn't work. Can somebody send me this information, please? Thanks a lot.
Re: Need Help with Virtual Hosts
Wouldn't it be simpler to set up a little cron job to break up your log file by virtual host every day?

At 09:03 AM 5/23/00 -0400, [EMAIL PROTECTED] wrote:

The per-process file opening limit was a configurable parameter of your OS. It was either a user resource limit (ulimit) or a tunable kernel config found in param.c or param.h (NFILES??), or UNIX has invented yet another way to put reins on processes. So you just might be able to make one log per process, if you change the ulimits for the user the web server is running as OR you tune your kernel and rebuild.
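The cron approach Jamie suggests, as an added example that is not from the list. It assumes a single CustomLog whose LogFormat puts %v (the canonical ServerName of the vhost that served the request) in the first field, the crontab line shown in the comment, and an output directory of your choosing; the script name and every path are assumptions. %v is not the client-supplied Host: header, but a log line is still untrusted input, so the host name is checked before it becomes part of a file name.

```sh
#!/bin/sh
# Added example, not from the list: split one combined access log into one
# file per virtual host from a nightly cron job, so Apache keeps a single
# log file open instead of one per vhost per child process.
# Assumes httpd.conf logs the serving vhost as the first field:
#   LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhostcombined
#   CustomLog /usr/local/apache/logs/access_log vhostcombined
# and a crontab line such as (paths assumed):
#   5 0 * * * /usr/local/sbin/splitlog.sh /usr/local/apache/logs/access_log.0 /var/log/httpd/vhosts

split_log() {   # split_log COMBINED_LOG OUTPUT_DIR
    mkdir -p "$2"
    awk -v out="$2" '
        # %v is the canonical ServerName, not the client Host: header, but a
        # log line is still untrusted input: only a plain host name may become
        # part of a file name (no "/", no leading ".", no spaces).
        $1 ~ /^[A-Za-z0-9][A-Za-z0-9.-]*$/ {
            print substr($0, length($1) + 2) >> (out "/" $1 ".log")
            next
        }
        { print >> (out "/unknown-host.log") }
    ' "$1"
}

if [ $# -eq 2 ]; then
    split_log "$1" "$2"
fi
```

Run it on the rotated copy (access_log.0 above), not on the file Apache is still writing, and the per-host files come out in the ordinary common-log layout with the leading host name removed.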
Re: Password access to a site
In response to Veronique's original question - there's no way that I can think of to make a user re-authenticate on your site after they "leave". HTTP is by nature a request/response protocol, so how would you know they "left" your site? The only control you have is with time, which should be suitable for most purposes. You could muck around by creating custom browser windows which don't have forward/back controls or menus, thereby actually *preventing* the user from leaving your site inside a given window if it is *really* necessary, and trapping attempts to close the window, e.g. like Citibank's online banking. But if you don't disable navigation controls and you have any links within your site to external sites, your server cannot possibly know that the user has left.

As far as managing sessions with cookies, it's much better not to use the actual cookie or a cookie expiration to try to manage your session timeout. Rather, store a session ID inside a cookie which never expires, and keep all the relevant info on your server in a database. So when a user hits your site, you look for an existing cookie and generate a new one if it doesn't exist, with a unique session ID. You then look in your database of logins for that session ID to find out when the last time they hit the site was and decide whether to make them log in again or not. Everything is handled by your database on the server side; the cookie's only purpose is to identify the session the user belongs to. If the site handles sensitive information, a session timeout of 10 minutes ought to be fairly secure but long enough that you won't require users to re-log-in while using your web site. (Every time they pull up a new page you reset the counter, so you've always got 10 minutes after each "click" before it times out.)

The "Citibank" solution above is the only way I can think of to ensure that you can't re-enter after leaving the site, though.

Jamie

At 10:43 AM 5/19/00 -0700, Doug Poulin wrote:

I have been grappling with this problem for several days now, and I cannot seem to resolve it. The problem is a lot more complicated than it seems. The problem with cookies (or whatever method you choose) is that when they first log on to the site you will not get a cookie and you will force them to authenticate a second time, which for an end user would be very annoying. There doesn't seem to be any way to detect the difference between a valid log in and a browser faking a real log in on your behalf. I have tried cookies, redirects, temporary files and am quickly running out of ideas. The ideal way would be some way to tell the browser to forget who he is when the user logs off (through a cgi script or javascript). If anyone has any brilliant ideas let me know.

Doug Poulin

----- Original Message -----
From: Costantino Imbrauglio [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, May 08, 2000 4:33 AM
Subject: Re: Password access to a site

> You might consider using cookies with a very short expiration time. In such case your html pages should contain a small piece of code (you might use both php or perl or whatever you like) that would check the presence of the cookie in the user request. If no cookie is present then authentication is required. It's fairly easy and it works.

----- Original Message -----
From: "Veronique Kraft" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, May 08, 2000 8:11 AM
Subject: Password access to a site

> Hi all,
>
> How can I require users to re-enter their passwords when they re-visit my site with the same browser window? i.e. the first time they visit, they enter a password, then they visit another site, then decide they want to go back to my site so they use the back button on their browser. I currently have .htaccess working, but when I test it by leaving my site then coming back to it, I'm not prompted for a password.
>
> Veronique Kraft
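The server-side session table Jamie describes, as an added example that is not part of the thread, in the shape of a helper a CGI script would source. The cookie carries only an opaque session ID; the "last hit" time lives on the server, here as one file per session in a directory outside the document root (a stand-in for the database), and every valid hit resets the ten-minute clock. Two details the reply leaves out and a practitioner would want: the ID is random rather than derived from anything about the user, and it is validated before being used as a file name, because the cookie value is whatever the client chose to send. The directory, cookie name and file layout are assumptions; a cookie with no Expires attribute (rather than one that "never expires") is dropped when the browser closes, and the Secure attribute keeps it off plain-http requests.

```sh
#!/bin/sh
# Added example (not from the thread): the server-side session table Jamie
# describes. The cookie holds only an opaque session ID; the "last hit" time
# is kept on the server, here as one file per session under SESSION_DIR (a
# stand-in for the database). Names and paths are assumptions.
SESSION_DIR="${SESSION_DIR:-/usr/local/apache/sessions}"   # not under DocumentRoot
IDLE_TIMEOUT=600                                             # 10 minutes, as suggested above

# 128 random bits from the kernel, hex encoded: the ID carries no user data
# and cannot be guessed, which is all the cookie value needs to be.
new_session_id() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# The cookie value comes from the client, so reject anything that is not a
# 32-character lowercase hex string before it is used as a file name.
valid_session_id() {
    case "$1" in
        ????????????????????????????????) ;;   # exactly 32 characters
        *) return 1 ;;
    esac
    case "$1" in
        *[!0-9a-f]*) return 1 ;;
    esac
}

session_touch() {   # session_touch ID [NOW]: record a hit, resetting the clock
    valid_session_id "$1" || return 1
    mkdir -p "$SESSION_DIR"
    printf '%s\n' "${2:-$(date +%s)}" > "$SESSION_DIR/$1"
}

session_valid() {   # session_valid ID [NOW]: 0 = still logged in, 1 = log in again
    valid_session_id "$1" || return 1
    f="$SESSION_DIR/$1"
    [ -f "$f" ] || return 1
    last=$(cat "$f")
    now=${2:-$(date +%s)}
    # idle too long: forget the session entirely so the ID cannot be revived
    [ $((now - last)) -lt "$IDLE_TIMEOUT" ] || { rm -f "$f"; return 1; }
    session_touch "$1" "$now"
}

# Header a CGI emits once, after a successful login. No Expires, so the
# browser drops the cookie when it closes; Secure keeps it off plain http.
set_cookie_header() {   # set_cookie_header ID
    printf 'Set-Cookie: SESSID=%s; Path=/; Secure; HttpOnly\r\n' "$1"
}
```

A CGI would call session_valid with the SESSID value from HTTP_COOKIE on every request and show the login form when it returns 1; after a successful login it calls new_session_id, session_touch and set_cookie_header. The NOW argument exists so the timeout logic can be exercised without waiting ten minutes.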
Re: request webserver by HTTPS only
Remove the "Listen" directive for port 80 for that server in httpd.conf.

Jamie

At 03:50 PM 5/12/00 +0800, wen wrote:

modssl-users:

I have installed apache+openssl+modssl. Now I want to allow intranet clients to request the webserver by HTTPS only, and not allow http. How to do?

wen [EMAIL PROTECTED]
Re: Adding Perl
I don't know how to do it without recompiling, but it really doesn't take that long to recompile. In my experience it has always taken a little messing around to get the configures exactly right, so I save the statements for each component in a script file so I can just rerun it each time I need to recompile. Here's my configure for mod_perl. Following the mod_ssl instructions, put this where it says [...Now add more Apache modules to the Apache source tree...]:

  perl Makefile.PL USE_APACI=1 EVERYTHING=1 \
    SSL_BASE=../openssl-0.9.5a \
    APACHE_PREFIX=/usr/local/apache \
    DO_HTTPD=1 \
    PREP_HTTPD=1

Now add to your Apache configure:

  ...
  --activate-module=src/modules/perl/libperl.a \
  --enable-module=perl \
  ...

Also you will need to edit your httpd.conf to AddModule the perl mod.

Jamie

At 05:02 PM 5/11/00 -0500, Mel Sojka wrote:

So far absolutely fantastic: from the install page, the All-In-One install works fine, but I want to add mod_perl after the fact. I checked the Apache + mod_ssl/OpenSSL + mod_perl/perl install but it doesn't cover RSAref or MM. I went back 3 months in this list and couldn't find any reference. Also thanks to those that helped me unRPM the Red Hat 6.2 attempt to install.
Re: Problem solved! RE: apache 1.3.12, open-ssl 0.9.5a, mod_ssl-2.6.4 -1.3.12/
When I got certs from Thawte (now owned by Verisign) they had extensive instructions on their web site for generating a CSR. This wasn't a big deal. You run the openssl program to create a new CSR for your company and it asks you to enter all the information. Thawte's web site has step by step instructions for generating a correct CSR using Apache + mod_ssl (as well as a large number of other server configurations).

Jamie

At 01:41 PM 5/10/00 -0700, Scott wrote:

Speaking of certificates, Apache certificate generation provides a default issuer of Snake Oil. If the company I work for plans to deploy its own web servers and be the issuer via Verisign, what do I do about the Snake Oil piece? "make certificate View=1" shows Snake Oil as the issuer, but my company as the Subject. What do I do, and what do I send to Verisign for a formal "real" key/certificate pair? Thanks in advance.

Scott
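The openssl steps behind both kinds of advice on this page, as an added example that is not from the list: "generate your own" for an internal site (the cheap-CA, "Why pay a CA?" and "without certificate" replies) and "send the CA a CSR" for a public one (Scott's question). The Snake Oil certificate is only the demo pair that mod_ssl's "make certificate" installs; whichever route you take, the new .key and .crt simply replace it in SSLCertificateKeyFile and SSLCertificateFile. The host name, subject and output directory are assumptions, and the key size and fingerprint hash are today's choices rather than the 1024-bit/MD5 defaults of the time. The fingerprint function is the part that makes "just accept it the first time" safe for an internal site: published out of band and compared before the cert goes into a root store, it is what distinguishes your self-signed cert from one a man in the middle made up.

```sh
#!/bin/sh
# Added example, not from the list: the openssl steps behind "generate your
# own" (self-signed, for an internal site) and "send the CA a CSR" (the Snake
# Oil question). Host name, subject and output directory are assumptions.
HOST="${HOST:-www.example.com}"
OUT="${OUT:-/usr/local/apache/conf/ssl.key}"
SUBJ="/C=US/ST=State/L=City/O=Example Inc/CN=$HOST"   # CN must be the https host name

# Step 1, both cases: a private key (created 0600 via umask) and a signing
# request. The .csr is what goes to Thawte/Verisign; the .key never leaves.
gen_key_and_csr() {
    mkdir -p "$OUT"
    ( umask 077 && openssl genrsa -out "$OUT/$HOST.key" 2048 2>/dev/null )
    openssl req -new -key "$OUT/$HOST.key" -subj "$SUBJ" -out "$OUT/$HOST.csr"
}

# Step 2a, internal site: sign the request with its own key. Point
# SSLCertificateFile/SSLCertificateKeyFile at the .crt/.key, replacing the
# Snake Oil demo pair that "make certificate" installs.
gen_self_signed() {
    openssl x509 -req -days 365 -in "$OUT/$HOST.csr" -signkey "$OUT/$HOST.key" \
        -out "$OUT/$HOST.crt" 2>/dev/null
}

# Step 2b, public site: send the .csr to the CA and install the cert they
# return as SSLCertificateFile (and their chain as SSLCertificateChainFile).

# Publish this out of band (intranet page, e-mail) so users can compare it
# with what the browser shows before adding the cert to their root store;
# otherwise "accept it the first time" also accepts a man in the middle.
cert_fingerprint() {
    openssl x509 -in "$OUT/$HOST.crt" -noout -fingerprint -sha256
}

csr_subject() {   # what the CA will see in the request
    openssl req -in "$OUT/$HOST.csr" -noout -subject
}
```

For the CSR route, check csr_subject before sending: a CN that does not match the host name users type is the usual reason a bought certificate still produces browser warnings.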
Re: (no subject)
Check httpd.conf. If you are upgrading from a previous version, and therefore aren't using the default httpd.conf for this version of mod_ssl, then check httpd.conf.default (which will be generated when you install apache + mod_ssl) and make sure you merge any missing directives. My guess is you're missing:

    <IfDefine SSL>
    AddModule mod_ssl.c
    </IfDefine>

or it's in the wrong place.

Jamie

At 10:50 AM 5/9/00 -0400, Bill Norman wrote:
> When I try the startssl argument I get the following error:
>
>     Syntax error on line 1080 of /usr/local/apache/conf/httpd.conf:
>     Invalid command 'SSLEngine', perhaps mis-spelled or defined by a module not included in the server configuration
>
> Is there something else I need to add to the httpd.conf?
>
> Bill Norman
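The error Bill quotes is what Apache 1.3 prints when it parses an SSL* directive before mod_ssl is in the active module list, and with `apachectl startssl` (httpd -DSSL) that list depends on which `<IfDefine>` blocks are live. The shell/awk script below is an added example, not from the thread or the mod_ssl distribution: it walks an httpd.conf with a given set of defines, tracks which `<IfDefine>` blocks are active, and reports whether `AddModule mod_ssl.c` becomes active before the first SSL* directive. The three sample configurations it writes are constructed for the example. It only follows `<IfDefine>`; a DSO build additionally needs its `LoadModule ssl_module ...` line, which the script does not check.

```shell
#!/bin/sh
# Added example: does this httpd.conf activate mod_ssl before it uses SSL*
# directives, given the -D defines httpd is started with?
# ("apachectl startssl" runs httpd -DSSL.) Sample configs are constructed.

# ssl_config_check FILE [DEFINE ...] prints exactly one of:
#   ok                     AddModule mod_ssl.c is active before any SSL* directive
#   ssl-before-module:N    an SSL* directive at line N comes before the AddModule
#   module-missing         SSL* directives are active but AddModule never is
#   no-ssl-directives      no active SSL* directive (e.g. started without -DSSL)
ssl_config_check() {
    file=$1
    shift
    awk -v defs="$*" '
    BEGIN {
        n = split(defs, d, " ")
        for (i = 1; i <= n; i++) defined[d[i]] = 1
        depth = 0
        active = 1           # outside any <IfDefine> everything counts
    }
    # <IfDefine SYM> or <IfDefine !SYM>: remember the enclosing state and
    # mark this block active only if the enclosing one is and SYM matches.
    /^[ \t]*<IfDefine[ \t]/ {
        sym = $2
        sub(/>.*/, "", sym)
        neg = (substr(sym, 1, 1) == "!")
        if (neg) sym = substr(sym, 2)
        want = (sym in defined) ? 1 : 0
        if (neg) want = !want
        depth++
        stack[depth] = active
        active = active && want
        next
    }
    /^[ \t]*<\/IfDefine>/ {
        active = stack[depth]
        depth--
        next
    }
    !active { next }         # lines inside an inactive block are never parsed
    /^[ \t]*AddModule[ \t]+mod_ssl\.c/ { have_module = 1; next }
    /^[ \t]*SSL[A-Za-z]+/ {
        seen_ssl = 1
        if (!have_module && !first_bad) first_bad = NR
    }
    END {
        if (!seen_ssl)        print "no-ssl-directives"
        else if (!first_bad)  print "ok"
        else if (have_module) print ("ssl-before-module:" first_bad)
        else                  print "module-missing"
    }' "$file"
}

# write_sample_configs DIR: three constructed httpd.conf fragments.
write_sample_configs() {
    # good.conf: the layout mod_ssl installs in httpd.conf.default
    cat >"$1/good.conf" <<'EOF'
<IfDefine SSL>
AddModule mod_ssl.c
</IfDefine>
<IfDefine SSL>
Listen 443
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
</VirtualHost>
</IfDefine>
EOF
    # merged.conf: an old httpd.conf carried forward, AddModule block lost
    cat >"$1/merged.conf" <<'EOF'
<IfDefine SSL>
<VirtualHost _default_:443>
SSLEngine on
</VirtualHost>
</IfDefine>
EOF
    # order.conf: everything present but the AddModule comes too late
    cat >"$1/order.conf" <<'EOF'
<IfDefine SSL>
SSLEngine on
AddModule mod_ssl.c
</IfDefine>
EOF
}

WORK=$(mktemp -d)
write_sample_configs "$WORK"
for f in good merged order; do
    echo "$f.conf with -DSSL:    $(ssl_config_check "$WORK/$f.conf" SSL)"
done
echo "good.conf without -DSSL: $(ssl_config_check "$WORK/good.conf")"
```

Point it at a real file with `ssl_config_check /usr/local/apache/conf/httpd.conf SSL`; the line number it reports for ssl-before-module is the one to compare against the "Syntax error on line N" in Apache's message.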
Re: Submit form sometimes fails connecting to secure server
My cache is indeed set this way. Also, I don't seem to be getting any errors in my log when this happens. The last two errors are:

    [Thu May  4 11:50:14 2000] [error] mod_ssl: SSL handshake timed out (client 216.181.63.35, server ss.generationnet.org:443)
    [Mon May  1 18:02:07 2000] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]

However, yesterday (May 4) I experienced the problem personally about 3:00 PM, and the only error from yesterday is the first one (that IP is not me, nor is that the web site I had the problem with). It should be noted that I upgraded from 1.3.9/2.4.8 on Wednesday, so the only error in the log since then is the first one. There are a decent number of these handshake interrupted errors in older logs.

Jamie

At 03:47 PM 5/4/00 -0700, Robert Monical wrote:
> SSLSessionCache dbm:/http/logs/ssl_scache
RE: Is it secure to use a self signed Certificate?
Yes, but this isn't really useful unless you are using the certs in a closed/internal situation. Having to explain to random users on your web site that they need to import you as a CA authority doesn't serve the purpose very well of assuring users they can trust you.

Jamie

At 09:21 AM 5/5/00 +0200, Schouw, Lars wrote:
> Not completely right, you can import yourself as CA Authority into Netscape and IE; these certificates are not hardcoded. That was what Bellsign.be did before they were released with the browsers by default 2 years ago.
>
> > The browsers are hardcoded with information about the certificate authorities and will always ask a user if they want to accept a certificate from an unknown authority, e.g. you.
Re: Submit form sometimes fails connecting to secure server
Amazing... this also fixed another frustrating problem I had been having, which I thought was a programming error. In a web site which uses SSL inside frames (of course I needed to reload the entire frameset in SSL to get the padlock to appear on browsers), I had been getting a message "the page you are about to load contains both secure and insecure items... do you want to continue" upon clicking Submit on IE5. Everything works perfectly now. Thanks!

Seems like this ought to be in the default configuration file with mod_ssl, even though the problem is Microsoft's fault. (Hard to explain that to all your users ;-)

Jamie

At 01:09 PM 5/4/00 -0500, Albert Steiner wrote:
> From the FAQ:
>
> When I connect via HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer (MSIE) I sometimes get I/O errors and the message "bad data from the server". What's the reason?
>
> The reason is that MSIE's SSL implementation has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket connection close. You have to work around this by forcing Apache+mod_ssl to not use keep-alive connections and not send the SSL close notify messages to MSIE clients. This can be done by using the following directive in your SSL-aware virtual host section:
>
>     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>
> At 10:18 AM 5/4/00 -0400, James Treworgy wrote:
> > I am running apache 1.3.12 + mod_ssl 2.6.4 (openssl 0.9.5a) + mod_php 3.0.16 on RH Linux 6.0, though this problem has occurred in previous versions of the software (e.g. 1.3.9 + prev. mod_ssl). mod_ssl is installed as a DSO.
> >
> > A user clicks a "submit" button on a form, or even a link, on an insecure page which loads a secure page. In my testing, occasionally the first time you click the button it will come up with a server error, e.g. "can't find page". Clicking the back arrow and clicking the button again always works, and the problem will not recur in that session, but of course most users won't figure this out! I generally use IE5 which is where this error has been happening; I haven't been able to reproduce it yet in Netscape.
> >
> > The action of the URL is a complete url (e.g. "https://xxx.xxx.xxx/x.php3") which happens to be a different domain -- but same physical server -- than the referring page, though I can't imagine that this could be related.
> >
> > Any ideas? My gut tells me that the server hangs for a sec when first starting a secure session for some reason. (My server hosts a few fairly low traffic web sites). I thought installing it as a DSO might help but it still happens. I can't seem to create a specific circumstance under which it will happen - e.g. if I restart httpd it won't do it the first time I hit the site, it just happens sometimes.
> >
> > James Treworgy
> > [EMAIL PROTECTED]
>
> --
> Albert Steiner
> Coordinator Distributed Computing
> Technology Support Services
> N O R T H W E S T E R N   U N I V E R S I T Y
> 1603 Orrington Suite #1400, Evanston, IL 60201-5064
> [EMAIL PROTECTED]
> Phone 847-491-4056   FAX 847-467-7732
Submit form sometimes fails connecting to secure server
I am running apache 1.3.12 + mod_ssl 2.6.4 (openssl 0.9.5a) + mod_php 3.0.16 on RH Linux 6.0, though this problem has occurred in previous versions of the software (e.g. 1.3.9 + prev. mod_ssl). mod_ssl is installed as a DSO.

A user clicks a "submit" button on a form, or even a link, on an insecure page which loads a secure page. In my testing, occasionally the first time you click the button it will come up with a server error, e.g. "can't find page". Clicking the back arrow and clicking the button again always works, and the problem will not recur in that session, but of course most users won't figure this out! I generally use IE5 which is where this error has been happening; I haven't been able to reproduce it yet in Netscape.

The action of the URL is a complete url (e.g. "https://xxx.xxx.xxx/x.php3") which happens to be a different domain -- but same physical server -- than the referring page, though I can't imagine that this could be related.

Any ideas? My gut tells me that the server hangs for a sec when first starting a secure session for some reason. (My server hosts a few fairly low traffic web sites). I thought installing it as a DSO might help but it still happens. I can't seem to create a specific circumstance under which it will happen - e.g. if I restart httpd it won't do it the first time I hit the site, it just happens sometimes.

James Treworgy
[EMAIL PROTECTED]
Re: Is it secure to use a self signed Certificate?
No. The short answer (and about as much as I understand ;-) is that part of the purpose of the certificate authorities is that an independent third party has verified the information provided by your certificate. The browsers are hardcoded with information about the certificate authorities and will always ask a user if they want to accept a certificate from an unknown authority, e.g. you. This situation is also the reason why older Netscape browsers have problems with Verisign certificates because the hardcoded info on Verisign expired Jan. 1, 2000 in versions up through about 4.0.5.

The connection itself is still secure, and if you are using it for non-mission-critical purposes (e.g. selling stuff) you could just put a message up explaining what the warning means, but if you care how many people eventually click through you're well advised to spend the $125 to get a real cert!

Jamie

> Since MSIE and Netscape produce error messages when viewing a self signed certificate, is there any alternative to getting a certificate that won't produce error messages, and that is also free?
>
> Brian
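Both Brian's self-signed question here and the "import yourself as a CA" exchange earlier in the thread come down to what the browser's trust store contains. The script below is an added example, not part of any message in the thread: it builds a tiny private CA with openssl, issues a server certificate from it, and shows that `openssl verify` rejects that certificate as coming from an unknown authority until the CA certificate is supplied as a trust anchor, which is what importing it into Netscape or IE does. The degenerate case, a server certificate that is its own issuer, is checked the same way with itself as the anchor. All names and the 30-day lifetime are made up for the demo.

```shell
#!/bin/sh
# Added example: a private CA and a self-signed cert, checked the way a
# browser would check them. "Example Internal" names are constructed.

# make_self_signed DIR NAME CN: NAME.key and a self-signed NAME.crt whose
# Issuer equals its Subject. Used both for the CA root and, later, for a
# server certificate that is its own authority.
make_self_signed() {
    dir=$1; name=$2; cn=$3
    (
        umask 077
        openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" \
            -subj "/O=Example Internal/CN=$cn" >/dev/null 2>&1
    )
}

# issue_server_cert DIR HOST: key + CSR for HOST, signed by DIR/ca.crt.
# The extension file marks it as an end-entity cert and names the host.
issue_server_cert() {
    dir=$1; host=$2
    (
        umask 077
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/server.key" -out "$dir/server.csr" \
            -subj "/O=Example Internal/CN=$host" >/dev/null 2>&1
    )
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
        >"$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -days 30 -sha256 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1
}

# cert_issuer_cn CERT: who signed it.
cert_issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# verify_cert CERT [ANCHOR]: succeeds when CERT chains to a trusted root.
# Without ANCHOR only the system store is consulted, which is the browser
# before the user has imported your CA: the "unknown authority" warning.
verify_cert() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

WORK=$(mktemp -d)
make_self_signed "$WORK" ca "Example Internal CA"
issue_server_cert "$WORK" www.example.internal
echo "server.crt issued by: $(cert_issuer_cn "$WORK/server.crt")"
if verify_cert "$WORK/server.crt"; then
    echo "system store trusts it (unexpected for a private CA)"
else
    echo "unknown authority: this is the browser warning"
fi
verify_cert "$WORK/server.crt" "$WORK/ca.crt" && echo "trusted once ca.crt is imported"

# The degenerate case: a self-signed server certificate is its own root.
make_self_signed "$WORK" selfsigned www.example.internal
verify_cert "$WORK/selfsigned.crt" "$WORK/selfsigned.crt" && echo "self-signed cert trusted when it is itself the anchor"
```

For an internal site the private-CA layout is the one to prefer over a bare self-signed server certificate: users import ca.crt once, and every server certificate it later issues is trusted without another warning, whereas a self-signed server certificate has to be imported per host and re-imported whenever it is replaced.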