RE: Hey, dude, it's me ^_^ :P

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 30 March 2004 12:38
To: [EMAIL PROTECTED]
Subject: Hey, dude, it's me ^_^ :P

> Argh, i don't like the plaintext :)
> pass: 56270

In case anyone hasn't guessed, this has come from Telekom Malaysia, not Ralf. Specifically it came from 202.188.53.169, which APNIC says is:

    inetnum:      202.188.0.0 - 202.188.255.255
    netname:      TMNET-MY-1
    descr:        TMnet Telekom Malaysia
    country:      MY
    admin-c:      TA35-AP
    tech-c:       TA35-AP
    remarks:      Send abuse email to [EMAIL PROTECTED]
    remarks:      [EMAIL PROTECTED] or [EMAIL PROTECTED]
    mnt-by:       APNIC-HM
    mnt-lower:    TM-NET-AP
    changed:      [EMAIL PROTECTED] 19990526
    changed:      [EMAIL PROTECTED] 20010124
    status:       ALLOCATED PORTABLE
    source:       APNIC

Can someone at Telekom Malaysia fix this please?

--
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299  Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

Shameless movie plug - go see the Passion of the Christ!

-
DISCLAIMER:

NOTICE: The information contained in this email and any attachments is confidential and may be privileged. If you are not the intended recipient you should not use, disclose, distribute or copy any of the content of it or of any attachment; you are requested to notify the sender immediately of your receipt of the email and then to delete it and any attachments from your system.

RNIB endeavours to ensure that emails and any attachments generated by its staff are free from viruses or other contaminants. However, it cannot accept any responsibility for any such which are transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB.

RNIB Registered Charity Number: 226227
Website: http://www.rnib.org.uk

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
RE: Hey, dude, it's me ^_^ :P

-----Original Message-----
From: madhon [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 30 March 2004 16:20
To: [EMAIL PROTECTED]
Subject: Re: Hey, dude, it's me ^_^ :P

> > inetnum: 202.188.0.0 - 202.188.255.255
> > netname: TMNET-MY-1
> > descr: TMnet Telekom Malaysia
> > [snip]
> > remarks: Send abuse email to [EMAIL PROTECTED]
> > remarks: [EMAIL PROTECTED] or [EMAIL PROTECTED]
> > [snip]
> >
> > Can someone at Telekom Malaysia fix this please?
>
> instead of asking here you are better off emailing to [EMAIL PROTECTED] just like it says in the remarks

They were cc'ed in the message so they have been asked. The list was informed so that they could see that something useful was being done about this problem.

Now would you mind telling me how useful your post was? Thank you.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Shameless movie plug - go see the Passion of the Christ!
RE: SSL Handshake time out

-----Original Message-----
From: Joe Pearson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 09 March 2004 14:39
To: [EMAIL PROTECTED]
Subject: SSL Handshake time out

> Hello,
>
> I have a server that has been reaching max clients several times per day. When I look at apache-status, 90% of the children are in Reading Request state. Most of them stay in that state until the apache Timeout is reached. However, some of the children stay reading until I restart http. Since this causes my server to become unresponsive, I've lowered the Timeout to 200, which helps somewhat, but we still have the problem.
>
> [snip]

What's your SSLSessionCache set to? I can't remember the 7.2 settings (it'll be in the archives though, as I've posted the right one before). The Red Hat 9 setting is:

    SSLSessionCache dbm:/var/cache/mod_ssl/scache

Of course, 7.2 isn't supported by Red Hat any more, but there is a legacy project to keep patches up to date.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Why do so many people who call themselves christians use the name of Jesus Christ as a swear word?
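The apache-status observation in the post above can be turned into a check. The following is an added example (not from the post and not Apache code) that reads the machine-readable status page (/server-status?auto), counts slots per scoreboard state and raises an alert when Reading Request dominates the busy children while the server is close to MaxClients. The status text is constructed to match the symptom described; the 50% and 90% thresholds are assumptions to tune for your server.

```python
"""Summarise an Apache mod_status '?auto' page and flag children piling up in
'Reading Request'. Added example, not Apache code."""

# Scoreboard legend as printed by mod_status.
STATES = {
    "_": "Waiting for connection", "S": "Starting up", "R": "Reading Request",
    "W": "Sending Reply", "K": "Keepalive (read)", "D": "DNS Lookup",
    "C": "Closing connection", "L": "Logging", "G": "Gracefully finishing",
    "I": "Idle cleanup of worker", ".": "Open slot with no current process",
}
IDLE = {"_", "."}

# Constructed sample (not a real capture): 150 slots, nearly all of them in R,
# which is the picture the poster above describes from his apache-status page.
SAMPLE_STATUS = (
    "Total Accesses: 123456\n"
    "Total kBytes: 7890123\n"
    "Uptime: 86400\n"
    "BusyWorkers: 141\n"
    "IdleWorkers: 2\n"
    "Scoreboard: " + "R" * 135 + "W" * 5 + "K" + "__" + "." * 7 + "\n"
)


def parse_auto_status(text):
    """'Key: value' lines of the machine-readable status page -> dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def scoreboard_counts(scoreboard):
    """Number of slots in each state; unknown characters are kept, not dropped."""
    counts = {state: 0 for state in STATES}
    for ch in scoreboard:
        counts[ch] = counts.get(ch, 0) + 1
    return counts


def assess(text, max_clients, warn_ratio=0.5):
    """Counts plus an alert when Reading Request dominates the busy children
    while the server is close to MaxClients.

    A child shows R from accept() until the request line has been read. On an
    SSL vhost the handshake happens inside that window, so a client that
    connects and never completes it holds the slot in R until Timeout fires.
    Many R slots plus an exhausted MaxClients therefore points at slow or
    abandoned connections, not at slow page generation (that would be W).
    """
    fields = parse_auto_status(text)
    scoreboard = fields.get("Scoreboard", "")
    counts = scoreboard_counts(scoreboard)
    busy = sum(n for state, n in counts.items() if state not in IDLE)
    free = sum(counts[state] for state in IDLE)
    r_ratio = counts["R"] / busy if busy else 0.0
    near_limit = busy >= 0.9 * max_clients
    return {
        "slots": len(scoreboard),
        "busy": busy,
        "free": free,
        "reading_request": counts["R"],
        "reading_request_ratio": round(r_ratio, 3),
        "alert": near_limit and r_ratio >= warn_ratio,
        "detail": f"{counts['R']} of {busy} busy children in '{STATES['R']}', "
                  f"{free} free of MaxClients {max_clients}",
    }


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS, max_clients=150))
```

Run it against `curl -s http://localhost/server-status?auto` from cron and you get a number to alert on instead of watching the status page by hand. Lowering Timeout, as the poster did, shortens how long each stuck child holds its slot; a session cache reduces how many full handshakes legitimate clients need, but it does nothing for connections that never complete one.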
Test message

We've had DNS problems, so I'm just checking whether this will be approved to the list immediately.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Why do so many people who call themselves christians use the name of Jesus Christ as a swear word?
RE: HTTPS variable is missing

-----Original Message-----
From: Alvaro Gonzalez [mailto:[EMAIL PROTECTED]]
Sent: 01 March 2004 09:39
To: [EMAIL PROTECTED]
Subject: HTTPS variable is missing

> I have a Red Hat 9 server running Apache 2.0.40 + mod_ssl with several name based virtual hosts. One of the sites works under http and https. Apparently everything goes fine (browser claims page is encrypted when loading https and not encrypted when loading http) but I just can't find the HTTPS environmental variable anywhere. It is there for main site (https://ip_address) but not for my virtual host.
>
> I have access to two other linux boxes (Red Hat 7.3 with Apache 1.x and a Mandrake with Apache 2.x) and that same config works just fine: HTTPS=on when using SSL (no matter the host) and I can also access the rest of SSL_* variables if I add SSLOptions +StdEnvVars to config file (which doesn't work either in the Red Hat 9 server). Of course there's probably a difference somewhere (servers aren't identical) but I just can't find it.
>
> I understand I can only use one certificate for one IP-port combination but I don't mind browser warnings about that; as I said, that works fine in my other linux boxes.
>
> I've left most default options at httpd.conf. I only added some virtual hosts:
>
>     <VirtualHost *:80>
>         DocumentRoot /home/site/htdocs
>         ServerName www.site.com
>         ErrorLog logs/site.com_error_log
>         CustomLog logs/site.com_access_log combined
>         <Directory /home/site/htdocs>
>             AllowOverride All
>             Options FollowSymLinks
>         </Directory>
>     </VirtualHost>
>
>     <VirtualHost *:443>
>         DocumentRoot /home/site/htdocs
>         ServerName www.site.com
>         ErrorLog logs/site.com_error_log
>         CustomLog logs/site.com_access_log combined
>         <Directory /home/site/htdocs>
>             AllowOverride All
>             Options FollowSymLinks
>         </Directory>
>         <IfDefine HAVE_SSL>
>             SSLEngine on
>             SSLCertificateFile /etc/httpd/conf/ssl.crt/www.site.com.crt
>             SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.site.com.key
>         </IfDefine>
>     </VirtualHost>

I'd suggest that you lose the IfDefine lines. If you are listening on port 443, it makes more sense to turn SSLEngine on anyway, along with the associated SSL certificate lines. There isn't a good reason I can think of for not enabling SSL on port 443.

Also, check that you have the mod_ssl package installed with rpm -q mod_ssl. That will probably explain your woes.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Why do so many people who call themselves christians use the name of Jesus Christ as a swear word?
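The advice in the reply can be checked mechanically. The added example below (not Apache or mod_ssl code) parses an httpd.conf, finds every VirtualHost on :443 and reports an SSLEngine that is only reached inside <IfDefine>, missing certificate directives, and a missing or 'none' SSLSessionCache (the directive asked about in the SSL handshake thread above). The two sample configs are constructed from the vhost quoted in the post; the cache path in the fixed one is the Red Hat 9 setting quoted earlier.

```python
"""Lint httpd.conf for the :443 vhost problems in the thread above (added example, not Apache code)."""
import re
from dataclasses import dataclass, field

@dataclass
class Directive:
    name: str
    args: str

@dataclass
class Block:
    name: str
    args: str
    children: list = field(default_factory=list)  # Directive or Block

OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE = re.compile(r"^</(\w+)>$")

def parse(text):
    """Minimal httpd.conf parser: '<Name args> ... </Name>' blocks and 'Name args' lines."""
    root = Block("ROOT", "")
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := CLOSE.match(line):
            if stack[-1].name.lower() != m.group(1).lower():
                raise ValueError(f"unbalanced </{m.group(1)}>")
            stack.pop()
        elif m := OPEN.match(line):
            block = Block(m.group(1), m.group(2).strip())
            stack[-1].children.append(block)
            stack.append(block)
        else:
            name, _, args = line.partition(" ")
            stack[-1].children.append(Directive(name, args.strip()))
    if len(stack) != 1:
        raise ValueError(f"unclosed <{stack[-1].name}>")
    return root

def find(block, name, path=()):
    """Yield (directive, names of the enclosing blocks) for every `name` under `block`."""
    for child in block.children:
        if isinstance(child, Directive) and child.name.lower() == name.lower():
            yield child, path
        elif isinstance(child, Block):
            yield from find(child, name, path + (child.name,))

def lint_ssl_vhost(vhost):
    findings = []
    engines = list(find(vhost, "SSLEngine"))
    if not engines:
        findings.append("no SSLEngine: port 443 will answer in plain HTTP")
    for directive, path in engines:
        if directive.args.lower() != "on":
            findings.append(f"SSLEngine {directive.args}: SSL not enabled")
        if "IfDefine" in path:
            findings.append("SSLEngine sits inside <IfDefine>: only active when httpd is started with the matching -D flag; put it in the vhost body")
    for name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if not list(find(vhost, name)):
            findings.append(f"{name} missing")
    return findings

def lint(conf_text):
    """Findings per :443 vhost, plus a 'global' entry when session caching is off."""
    root = parse(conf_text)
    report = {}
    for child in root.children:
        if isinstance(child, Block) and child.name.lower() == "virtualhost" and child.args.endswith(":443"):
            report[f"VirtualHost {child.args}"] = lint_ssl_vhost(child)
    caches = [d for d, _ in find(root, "SSLSessionCache")]
    if not caches or caches[0].args.lower() == "none":
        report["global"] = ["SSLSessionCache absent or 'none': no session resumption, every new connection pays a full handshake"]
    return report

# Constructed from the vhost quoted in the post above.
BROKEN = """\
<VirtualHost *:443>
    ServerName www.site.com
    <IfDefine HAVE_SSL>
        SSLEngine on
        SSLCertificateFile /etc/httpd/conf/ssl.crt/www.site.com.crt
        SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.site.com.key
    </IfDefine>
</VirtualHost>
"""

# As the reply suggests: SSL unconditionally on for :443. The cache line is the
# Red Hat 9 setting quoted earlier; StdEnvVars exports the SSL_* variables.
FIXED = """\
SSLSessionCache dbm:/var/cache/mod_ssl/scache
<VirtualHost *:443>
    ServerName www.site.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/www.site.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.site.com.key
    SSLOptions +StdEnvVars
</VirtualHost>
"""
```

mod_ssl sets HTTPS=on for every request it handled, so a vhost where that variable is missing is one where mod_ssl did not handle the request at all, which is exactly what an SSLEngine hidden behind an <IfDefine> that is never defined produces. The SSL_* variables are a separate matter and need SSLOptions +StdEnvVars, which the fixed vhost includes.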
RE: Server Report

Yes, but it didn't come from Ralf. Check the headers. Someone who has a message from this list at some time somewhere on their hard disk is infected. It's even possible that they've never been subscribed (eg they just looked at the archives).

--
John Airey, BSc (Jt Hons), CNA, RHCE
Even if you win the rat race, that will still only make you a rat.

-----Original Message-----
From: James Hastings-Trew [mailto:[EMAIL PROTECTED]]
Sent: 29 January 2004 15:17
To: [EMAIL PROTECTED]
Subject: Re: Server Report

> MyDoom on the mailing list now? Fantastic.
RE: Cannot Access Includes Above Current Directory

Sorry I haven't got back to you sooner. I think I understand the problem better now. I suspect this is down to environment variables. Try using phpinfo(); via SSL and non-SSL connections and see if you can see which variables aren't in the first one (curl and diff are very handy for this).

--
John Airey, BSc (Jt Hons), CNA, RHCE
There is more historical evidence for the existence of Jesus Christ than for either Henry VIII or Julius Caesar.

-----Original Message-----
From: Steve Benson [mailto:[EMAIL PROTECTED]]
Sent: 16 December 2003 17:29
To: [EMAIL PROTECTED]
Subject: RE: Cannot Access Includes Above Current Directory

> John:
>
> Thanks for taking the time to respond to my question; it's much appreciated. I can understand this may be thought of as nothing to do with mod_ssl (and that's most likely true). I'm not sure what other list might be more appropriate and was trying to reach knowledgeable folks with both Apache and SSL experience. It might help if I explained the reason I tried the mod_ssl list is that:
>
> - I've created a number of Apache web sites using PHP but this is my first using SSL (mod_ssl incorporated into Apache 2.0.48, openssl). I've never encountered anything like this before in web development.
> - All scripts work fine with relative paths to include files as long as they're accessed via http and are not in the https virtual server directory tree structure.
> - When accessing the same scripts within the https virtual server tree the scripts cannot reference any include files that aren't at the same level or below in the directory tree.
> - If the include file is made available at the same level or below, no problem accessing via relative or absolute paths.
> - Even when the paths to include files are changed to absolute paths they fail if the file is above the current directory in the tree.
>
> For some reason I can't go up the directory tree from within the https virtual server directory structure. This is true no matter where I am in the structure, i.e. if I'm two levels deep in the directory tree I can't reference a file up one level. If I'm three levels deep I can't reference files back on level two, bummer!
>
> This seems to be a configuration problem but I've exhausted my resources trying to figure out what within httpd.conf or ssl.conf would be causing this behavior. Seems like such a small thing but with an existing site structure I'd have to replicate many scripts, CSS, images etc. to make the components I need available within the https virtual server's directory structure. What a maintenance nightmare!
>
> Any suggestions you may offer are appreciated.
>
> Thanks,
> Steve
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 16, 2003 2:30 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Cannot Access Includes Above Current Directory
>
> > This isn't really a mod_ssl issue, but I suggest you use the absolute path for included php as the current directory is probably where the httpd binary is, or perhaps where the config files are.
> >
> > (I changed the subject as my last post was rejected, somehow)
RE: Cannot Access Includes Above Current Directory

This isn't really a mod_ssl issue, but I suggest you use the absolute path for included php as the current directory is probably where the httpd binary is, or perhaps where the config files are.

(I changed the subject as my last post was rejected, somehow)

--
John Airey, BSc (Jt Hons), CNA, RHCE
There is more historical evidence for the existence of Jesus Christ than for either Henry VIII or Julius Caesar.
RE: Problems with old MSIE 5.0

How up to date are these versions of IE? I recall that the original IE 5.0 that shipped with Windows 2000 was quite broken with regards to SSL support (but IE5.01 wasn't). The last time I looked, SP3 for Windows 2000 gave you IE5.01 SP3, but SP3 wasn't available directly (only SP2). I haven't checked the situation with SP4 (yet).

The official line from Microsoft is that IE5.01 SP2 is no longer available, as it is in the extended support phase: http://www.microsoft.com/windows/ie/support/ie51exsupport.asp

--
John Airey, BSc (Jt Hons), CNA, RHCE
After over 144 years, there's still no fossil evidence of Evolution.

-----Original Message-----
From: Torvald Baade Bringsvor [mailto:[EMAIL PROTECTED]]
Sent: 29 July 2003 10:26
To: '[EMAIL PROTECTED]'
Subject: Problems with old MSIE 5.0

> Hello.
>
> After upgrading to 2.0.47 we have been experiencing problems with clients using old MSIE 5.0 browsers (40 bit versions). They are suddenly unable to connect, and get a "The page cannot be displayed" error. However, disabling SSLv3 cures the problem. We are using glibc-2.3.2.
>
> The MSIE version we have tried is 5.00.2614.3500, on W2K, but quite a few clients are experiencing problems.
>
> Any suggestions?
>
> -Torvald Bringsvor
> Ergo Integration AS

-
NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system.

RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB.

RNIB Registered Charity Number: 226227
Website: http://www.rnib.org.uk
RE: Problems with old MSIE 5.0

That hasn't answered my question about which exact version it is. Is it SP1, SP2, SP3 or no service pack? Those are the details that are needed to look into this.

If in fact the end user hasn't applied Microsoft's patches to Microsoft's browser, how can that be your problem?

--
John Airey, BSc (Jt Hons), CNA, RHCE
After over 144 years, there's still no fossil evidence of Evolution.

-----Original Message-----
From: Torvald Baade Bringsvor [mailto:[EMAIL PROTECTED]]
Sent: 29 July 2003 11:21
To: '[EMAIL PROTECTED]'
Subject: RE: Problems with old MSIE 5.0

> I don't think these browsers are supported, no. However, quite a few clients are using them still and our customers do not accept us tossing our hands in the air and saying that we don't support all browsers. It has worked in the past, and therefore it is our problem that these browsers are indeed broken.
>
> We have had a similar problem with 56 bit browsers before, and had a lot of problems convincing our customers that the browsers are broken.
>
> -Torvald
RE: Problems with old MSIE 5.0

Neither the browser nor the OS is supported by Microsoft anymore, http://support.microsoft.com/default.aspx?scid=fh;en-gb;lifewin98, with the exception of security fixes and paid support. Are the users aware of this? They can upgrade to IE5.5 or 6 for free (although I doubt that this will go down particularly well).

I don't see a great deal of point in putting resources into solving this one, except to ask what SSLSessionCache settings are you using? These have been known to cause problems with IE.

--
John Airey, BSc (Jt Hons), CNA, RHCE
After over 144 years, there's still no fossil evidence of Evolution.

-----Original Message-----
From: Torvald Baade Bringsvor [mailto:[EMAIL PROTECTED]]
Sent: 29 July 2003 11:33
To: '[EMAIL PROTECTED]'
Subject: RE: Problems with old MSIE 5.0

> Sorry, I misunderstood this. As it turns out, it is not W2k as I said in my original post, it is Win98 SE, and there is no MSIE service pack installed.
>
> -Torvald
RE: Problems with old MSIE 5.0

I use

    SSLSessionCache shm:logs/ssl_scache(512000)
    SSLSessionCacheTimeout 300

and it works for me...

John

-----Original Message-----
From: Torvald Baade Bringsvor [mailto:[EMAIL PROTECTED]]
Sent: 29 July 2003 12:48
To: '[EMAIL PROTECTED]'
Subject: RE: Problems with old MSIE 5.0

> It seems that you are right that SSLSessionCache is important! I set up a test server (with 2.0.47) and it worked when SSLSessionCache was enabled, but didn't when it was disabled. What I will do next is to reconfigure the production environment with SSLSessionCache enabled, and we will see if that cured it.
>
> Thanks!
>
> -Torvald
RE: https access problems

I've just double-checked and the Red Hat 7.3 RPM packages (apache-1.3.27-2 and mod_ssl-2.8.12-2) use dbm instead of the shm caching that was in 7.2:

    SSLSessionCache dbm:logs/ssl_scache
    SSLSessionCacheTimeout 300

I hope this hasn't sent you off the wrong way...

--
John Airey, BSc (Jt Hons), CNA, RHCE
Evolution isn't true just because the majority of people think it is.

-----Original Message-----
From: Konn Danley [mailto:[EMAIL PROTECTED]]
Sent: 16 June 2003 17:01
To: [EMAIL PROTECTED]
Subject: Re: https access problems

> Hi John,
>
> Thanks for the response. The thing is, I can get in once in a while (1 in 100 times). When I first encountered the problem, I thought it was a firewalling problem. I use both TCP wrappers and iptables. I had disabled both without any change in the problem. The fact that I can get in once in a while leads me to think that it is not a firewalling problem. I can get in with the machines on my internal network 100% of the time. I have never had a problem with http on either internal or external. It is https only.
>
> I did try what you suggested with no change in the problem, and I did do this before on several occasions. I have a wireless access point which acts as my gateway. I am wondering if there is a problem with NAT?
>
> The strange thing is that when I changed the SSLSessionCache from 'dbm' to 'none' (I don't think my platform supports shm), I was able to get in with external access 100% of the time. I thought my problem was fixed, but 5 minutes later, the connections could not get in.
>
> Since I sent the last mail, I now have all of the latest software, mod_ssl 2.8.14, OpenSSL 0.9.7b, and I still have the same problem.
>
> Konn
RE: https access problems

Do you have the ipchains or iptables firewall enabled? Try

    service ipchains stop
    service iptables stop

to disable it completely and then try again. In the former case lokkit will allow you to configure your firewall to accept connections on the relevant ports.

--
John Airey, BSc (Jt Hons), CNA, RHCE
Evolution isn't true just because the majority of people think it is.

-----Original Message-----
From: Konn Danley [mailto:[EMAIL PROTECTED]]
Sent: 13 June 2003 19:31
To: [EMAIL PROTECTED]
Subject: https access problems

> Hi,
>
> I am new to this mailing list. I am having a problem with external internet access to my server. I have the following in place:
>
>     Red Hat 7.3/2.4.18-3
>     Apache 1.3.27
>     mod_ssl 2.8.12-1.3.27
>     OpenSSL 0.9.7a
>
> I have a main server running on port 80, and a virtualhost on port 443 for the SSL. I can access port 443 100% of the time from any client on my internal network. From external networks, I am having problems connecting. I see nothing in IPTraf when these external connections don't connect, nor do I get anything in my log files. I have no problems at all with http. All internal clients work fine for both http and https on MSIE, Netscape, and Mozilla. These same clients configured for loopback through a dial-up and back into a cable-modem can't get in most of the time, but once in a while. The same symptoms occur for other people who have tried to access my SSL website. They have no problems with http, but https will almost always refuse the connection or give them a page not displayed.
>
> I found a couple of messages posted on this board which talked about the SSLSessionCache. I tried changing that to 'none' from 'dbm'. When I did this, the external connections worked!! 5 minutes later, they were gone, and I was back to the same place that I started.
>
> This is a very strange problem, and I am NOT an expert. I see that there are a lot of posts on this board concerning similar sounding problems. Has anybody come up with a fix for this? Does anybody have any suggestions as to what I should do or try next?
>
> Any help here is greatly appreciated.
>
> Konn
RE: netscape warning message
Have you restarted the httpd process since you put:

    SSLCertificateFile /usr/local/ssl/certs/verisigned.cert
    SSLCertificateKeyFile /usr/local/ssl/private/domain.key

in your configuration? If not it will probably still be using the default configuration, which I think will have a localhost.localdomain cert. I take it that the above paths are where your key and certificate are?

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind
[EMAIL PROTECTED]

Anyone who believes in Evolution as fact just because they were told so at school seems to have missed the relevance of the renaissance.

-----Original Message-----
From: Austin Conger (IT) [mailto:[EMAIL PROTECTED]]
Sent: 01 April 2003 21:52
To: [EMAIL PROTECTED]
Subject: netscape warning message

Hi All,

When I view my ssl pages in Netscape 7.x, I am getting a "Website Certified by an Unknown Authority" popup message. I am using Apache/2.0.43 and mod_ssl with openssl 0.9.6g running under Solaris 8. I am assuming it's a configuration issue as the certificate is signed by Verisign and it works fine in IE. I am using virtual hosts with separate IPs. What could be causing this to occur? What errors might my httpd.conf file contain?

Thanks,
Austin

Some of my httpd configuration is as follows:

    Listen 10.0.0.26:80
    Listen 10.0.0.27:80
    ServerName 10.0.0.26:80

    <IfModule mod_ssl.c>
        Include conf/ssl.conf
    </IfModule>

    NameVirtualHost 10.0.0.27

    <VirtualHost 10.0.0.27>
        DocumentRoot /site/htdocs/vhost
        RewriteEngine On
        RewriteRule ^/.* /site/htdocs/vhost/index.html
    </VirtualHost>

    <VirtualHost 10.0.0.27>
        ServerName www.domain2.com
        ServerPath /domain2/
        DocumentRoot /site/htdocs/domain2
        RewriteEngine On
        RewriteRule ^(/domain2/.*) /site/vhost$1
    </VirtualHost>

    <VirtualHost 10.0.0.27>
        ServerName www.domain3.com
        ServerPath /domain3/
        DocumentRoot /site/htdocs/domain3
        RewriteEngine On
        RewriteRule ^(/domain3/.*) /site/vhost$1
    </VirtualHost>

    <VirtualHost _default_:443>
        DocumentRoot /site/htdocs/
        ServerName www.domain.com
        ServerAdmin [EMAIL PROTECTED]
        ErrorLog /site/logs/error_log
        TransferLog /site/logs/access_log
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /usr/local/ssl/certs/verisigned.cert
        SSLCertificateKeyFile /usr/local/ssl/private/domain.key
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        CustomLog /site/logs/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

And this is my ssl.conf file:

    <IfDefine SSL>
    Listen 10.0.0.26:443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:logs/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin

    <VirtualHost 10.0.0.26:443>
        DocumentRoot /site/htdocs
        ServerName www.domain.com
        ServerAdmin [EMAIL PROTECTED]
        ErrorLog /site/logs/error_log
        TransferLog /site/logs/access_log
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
        SSLCertificateFile /usr/local/ssl/certs/verisigned.cert
        SSLCertificateKeyFile /usr/local/ssl/private/domain.key
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        CustomLog /site/logs/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
    </IfDefine>
RE: netscape warning message
I missed the bit about it working on IE, which indicates that it must have worked at some point. However, IE has its own unique form of caching which sometimes takes a deletion of temporary Internet files and a reboot. Netscape IIRC creates a .netscape/cache directory on Linux machines, but it's been a long time since I used it on Windows so I don't know where that would be. It too should have an option to remove them. You could try deleting temporary Internet files on IE and see if it can connect.

Also check the logs generated by apache to see if there are any warnings, eg being unable to open your key and certificate files.

John

-----Original Message-----
From: Austin Conger (IT) [mailto:[EMAIL PROTECTED]]
Sent: 02 April 2003 15:55
To: [EMAIL PROTECTED]
Subject: RE: netscape warning message

Hi John,

I have restarted the apache process several times since installing the new certificate. I did have a self-signed cert installed first. Could it be caching it somehow? If so, is there a way to erase this cache? Yes, these paths are the locations of my key and certificate.

thanks,
Austin
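Added here as an example for the thread above; it is not code from the list posts. The shell functions below answer the two questions John raises before anyone clears a browser cache: does the configured private key actually belong to the certificate file, is that file a leftover self-signed cert, and is the running server presenting the same certificate as the file on disk. They assume the openssl command-line tool is installed; all paths, host names and ports are arguments supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the mod_ssl list thread): checks for the case where a
# browser reports an unknown CA although a CA-signed certificate is configured.
# Requires the openssl CLI. Certificate/key paths and host names are arguments.

# SHA-1 fingerprint of a PEM certificate file, e.g. "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# True when subject equals issuer, i.e. the file is a self-signed certificate
# (the kind Austin had installed before the VeriSign one).
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ]
}

# True when the public key inside the certificate ($1) matches the public key
# derived from the private key file ($2). A mismatch shows up in the Apache
# error log as a failure to load the key/certificate pair.
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Fingerprint of the certificate a live server presents on a TLS handshake.
# Needs network access; SNI is sent so name-based vhosts answer correctly.
served_fingerprint() {
    host=$1; port=${2:-443}
    echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Compare the configured certificate file ($1) with what host ($2) port ($3)
# really serves. A mismatch means the running httpd never picked up the new
# SSLCertificateFile, whatever the browser cache says.
check_server_cert() {
    want=$(cert_fingerprint "$1")
    got=$(served_fingerprint "$2" "$3")
    if [ "$want" = "$got" ]; then
        echo "server presents the configured certificate ($want)"
    else
        echo "MISMATCH: file $want, server ${got:-<no certificate>}"
        return 1
    fi
}
```

Run `check_server_cert /usr/local/ssl/certs/verisigned.cert www.domain.com 443` against the host in question; `cert_key_match` and `cert_is_self_signed` work offline on the files alone.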
RE: APache 2.x + Mod_ssl : Ive a problem!
Did you install the mod_ssl package too? Did you know that Red Hat renamed the package from apache to httpd (for some kind of consistency I guess, although confusing to those who know about it already).

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind
[EMAIL PROTECTED]

Anyone who believes in Evolution as fact just because they were told so at school seems to have missed the relevance of the renaissance.

-----Original Message-----
From: Timothée GROS [mailto:[EMAIL PROTECTED]]
Sent: 29 March 2003 11:04
To: [EMAIL PROTECTED]
Subject: APache 2.x + Mod_ssl : Ive a problem!

I can't have my Apache with mod_ssl working: I have Apache 2 directly installed from the RPM of Redhat 8.0, idem for mod_ssl.

[snip]
RE: openssl upgrade
It really depends what you want.

1. You can stick with the Red Hat supplied packages to keep your machine up to date. Registration with RHN is free (https://rhn.redhat.com), although the demo accounts do get locked out under heavy. I recommend buying at least one registration to get priority access. You'll need to run rhn_register on each machine.

2. If you want the latest features (including patent restricted cyphers) you can install openssl 0.9.7a alongside the openssl package (don't remove it). Just don't overwrite /usr/bin/openssl. I haven't tried this with the latest versions, but it worked fine with one of the betas. I could make up some RPMs for the latest openssl version, but I've not had any demand (or much time. I've spent most of the last three weeks trying to rebuild an evil windoze server).

See the openssl FAQ for some more details.

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind
[EMAIL PROTECTED]

A world of difference - in the UK, 37 million people put their faith on the last census as Christian. In Saudi Arabia, this answer would carry a death sentence for any Saudi.

-----Original Message-----
From: Robert Lagana [mailto:[EMAIL PROTECTED]]
Sent: 20 March 2003 16:34
To: '[EMAIL PROTECTED]'
Subject: openssl upgrade

On a linux 7.2 system, would it be easy to upgrade the current version of OpenSSL to the most recent? Are there any directions for this?

Thanks
Wildcard certificates from GlobalSign
I've just received an email from GlobalSign that makes it appear that Wildcard certificates are still financially viable. If anyone wants details can they contact me off the list. Thank you.

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind
[EMAIL PROTECTED]

A world of difference - in the UK, 37 million people put their faith on the last census as Christian. In Saudi Arabia, this answer would carry a death sentence for any Saudi.
RE: securing one area of a vhost in apache 2
-----Original Message-----
From: Nick Tonkin [mailto:[EMAIL PROTECTED]]
Sent: 27 February 2003 21:01
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: securing one area of a vhost in apache 2

> On Thu, 27 Feb 2003, Mads Toftum wrote:
>
> > On Thu, Feb 27, 2003 at 12:52:06PM -0800, Nick Tonkin wrote:
> > > [EMAIL PROTECTED] ~ lwp-request -sSed https://www.ladyraquel.com:8080/secure/
> > > GET https://www.ladyraquel.com:8080/secure/ --> 501 Protocol scheme 'https' is not supported
> > > ## huh?!
> >
> > This looks very much like a client error from lwp. You need Crypt::SSLeay for that, see:
> > http://search.cpan.org/author/CHAMAS/Crypt-SSLeay-0.49/
>
> I'm sorry, for what? For requesting https?
>
> - nick

Have you tried requesting these pages another way, eg with a browser or even curl (http://curl.haxx.se)? Like Mads says, it does look to be a client error.

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind
[EMAIL PROTECTED]

A world of difference - in the UK, 37 million people put their faith on the last census as Christian. In Saudi Arabia, this answer would carry a death sentence for any Saudi.
RE: securing one area of a vhost in apache 2
-----Original Message-----
From: Nick Tonkin [mailto:[EMAIL PROTECTED]]
Sent: 27 February 2003 05:50
To: [EMAIL PROTECTED]
Subject: securing one area of a vhost in apache 2

> Hello,
>
> I am using Apache/2.0.44 (Unix) mod_perl/1.99_09-dev Perl/v5.8.0 mod_ssl/2.0.44 OpenSSL/0.9.7
>
> I have a virtual host which mostly is served without SSL. But it has one area, /secure, that needs to be secured with SSL. I've tried various combinations of directives but can't get it to work. Right now I have:
>
>     <VirtualHost 123.456.789.123:8080>
>         SSLEngine on
>         SSLProtocol all
>         SSLCipherSuite HIGH:MEDIUM
>         SSLCertificateFile /home/debug/www/_conf/certs/ladyraquel.crt
>         SSLCertificateKeyFile /home/debug/www/_conf/certs/ladyraquel.key
>         SSLCACertificateFile /home/debug/www/_conf/certs/ca.crt
>         SSLVerifyClient none
>         <Directory /home/debug/www/ladyraquel/secure>
>             SSLVerifyClient require
>             SSLVerifyDepth 1
>         </Directory>
>     </VirtualHost>
>
> The server starts fine, serves non-SSL pages fine, but hangs when I request /secure.

I'm assuming that you are only interested in securing access, not in using client certificates. Would that be correct? In that case this will suffice:

    <VirtualHost 123.456.789.123:8080>
        SSLEngine on
        SSLProtocol all
        SSLCipherSuite HIGH:MEDIUM
        SSLCertificateFile /home/debug/www/_conf/certs/ladyraquel.crt
        SSLCertificateKeyFile /home/debug/www/_conf/certs/ladyraquel.key
        <Directory /home/debug/www/ladyraquel/secure>
            SSLRequireSSL
        </Directory>
    </VirtualHost>

See the SSLRequireSSL directive for more details.
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC22

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind
[EMAIL PROTECTED]

A world of difference - in the UK, 37 million people put their faith on the last census as Christian. In Saudi Arabia, this answer would carry a death sentence for any Saudi.
RE: Linux Red Hat 7.2 + openSSL 0.9.7 + Apache 1.3.27 + mod_ssl 2.8.1 2 = PROBLEMS!!!
-----Original Message-----
From: Boyle Owen [mailto:[EMAIL PROTECTED]]
Sent: 25 February 2003 15:15
To: [EMAIL PROTECTED]
Subject: RE: Linux Red Hat 7.2 + openSSL 0.9.7 + Apache 1.3.27 + mod_ssl 2.8.1 2 = PROBLEMS!!!
Sensitivity: Confidential

> Why is apachectl in /usr/sbin/apachectl? This sounds like the default installation that came with RH. Your apachectl and httpd should be in /home/aspco1/apache_1.3.27/bin. What happens if you do /home/aspco1/apache_1.3.27/bin/apachectl startssl? I think this is your MAIN problem...

You should be able to install this on Red Hat with no problems (I haven't tried it yet though. Compiling openssl 0.9.7 on Red Hat 7.2 and above is on my todo list). Remove the Red Hat apache, modssl and mm packages first with:

    rpm -e mm apache modssl

You might find you have other packages installed, eg php. You'll need to remove these too. DON'T REMOVE THE REDHAT OPENSSL PACKAGE. You'll have even more problems if you do... Like Owen, I don't think you can build mod_ssl without mm either.

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind
[EMAIL PROTECTED]

A world of difference - in the UK, 37 million people put their faith on the last census as Christian. In Saudi Arabia, this answer would carry a death sentence for any Saudi.
What happened to http://www.modssl.org/contrib
This is what I see when I access http://www.modssl.org/contrib/index.phtml:

    ) { s|\s*\n$||; push(@HI, $_); } close(FP);
    sub ls {
        my ($pat) = @_;
        my (@F, @R, $f, @S, @T);
        @F = sort(glob($pat));
        @R = ();
        foreach $f (@F) {
            next if ($f =~ m|^index.*|);
            @S = stat($f);
            $f = "$f/" if (-d $f);
            @T = localtime($S[9]);
            my @moy = ('Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
                       'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec');
            push(@R, sprintf("%.8d %.s %.2d %.02d:%.02d:%.02d %.d %.s\n",
                 $S[7], $moy[$T[4]], $T[3], $T[2], $T[1], $T[0], 1900+$T[5], $f));
        }
        return @R;
    }
    chdir("../../ftp/contrib/");
    @L = ls("*");
    foreach $l (@L) {
        next if ($l =~ m|^\s*$|);
        $l =~ s|(\s+)(\S+[^/])(\s*\n)$|$1.$2.$3|e;
        $l =~ s|(\s+)(\S+/)(\s*\n)$|$1.$2.$3|e;
        foreach $hi (@HI) {
            $l =~ s|^(.*$hi.*)$|$1 [LATEST]|;
            $l =~ s|($hi)|$1|;
        }
        print $l;
    }

Is something broken? The contrib part is no longer linked to from the top level http://www.modssl.org either.

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind
[EMAIL PROTECTED]

A fundamentalist - what you call someone more sure of what they believe than what you are
RE: Problems compiling mod_ssl with apache 2.0.44
-----Original Message-----
From: Geoff Thorpe [mailto:[EMAIL PROTECTED]]
Sent: 08 February 2003 18:08
To: [EMAIL PROTECTED]
Subject: Re: Problems compiling mod_ssl with apache 2.0.44

> * Sasa STUPAR ([EMAIL PROTECTED]) wrote:
> > Ok, I have found the problem. If you want to have files in the same directories as the original installation of RH8 you have to use ./config --prefix=/usr. Sorry for that confusion. It is the distribution which is strange.
>
> Phew, I was starting to wonder what I was missing here :-) As I mentioned originally, using /usr/include as an installation prefix doesn't make sense because it will create the standard {include,bin,man} tree beneath that and install. Hence /usr or /usr/local make more sense.
>
> Also, especially on package management systems like RH, you're better not to simply install *over* existing files, particularly as a newer version of openssl may have removed headers that were in a previous version, so the old ones will end up mixed up with the new ones. And of course if a bug-fix release is made by RH to the older version, eg. 0.9.6x, that could seriously screw things up if you'd installed 0.9.7 over the top. It could also totally mangle your system's RPM database, and various other carnage is possible.
>
> The solution is to either grapple with RH's dependencies to try and build a replacement openssl RPM from source to upgrade to (which many will tell you is an only slightly less difficult problem than the alchemy of gold itself) or to install openssl elsewhere and make sure your system paths are organised appropriately. Eg. you could use /usr/local or /opt as a place to manually install packages such as a newer openssl, and make sure that the bin subdirectory is earlier in PATH than /usr/bin, ditto for the lib subdirectory in /etc/ld.so.conf, the man subdirectory in /etc/man.config, and so on ...

Actually, it shouldn't make any difference to the installed RPM of openssl-0.9.6b, provided that /usr/bin/openssl isn't overwritten. The quickest way to check is with "rpm -V openssl", which should return no response. All your other points above are valid though. It is probably best though to put newer stuff for Red Hat under /usr/local so you don't break anything installed.

Now, upgrading openssl-0.9.6 on a Red Hat box (7.0-8.0 inclusive) will screw things up bigtime (see the specific section in the openssl FAQ). If there's sufficient demand I'll make up an openssl 0.9.7 RPM for RedHat users. So far no-one has asked...

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind
[EMAIL PROTECTED]

Am I the only person in the UK who finds it strange that our Prime Minister complains of Human Rights abuses around the world, yet wishes to opt out of the European Convention of Human Rights?
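Added as an example for the "rpm -V openssl" check above; it is not code from the list thread. `rpm -V` prints nothing when every file of the package still matches the RPM database, and otherwise one line per deviating file (a nine-column flag field, an optional file-type letter such as `c` for config files, then the path). The functions below classify those lines so a script can tell a harmless touched config file from a distribution binary or library that was overwritten by a manual install. The sample lines in the test are constructed; the package name and paths are only illustrative.

```shell
#!/bin/sh
# Added example (not from the mod_ssl list thread): interpret `rpm -V <pkg>`
# output. Flag columns of interest: S = size differs, 5 = digest differs,
# T = mtime differs, M = mode differs; a line starting with "missing" means the
# file has been deleted. Sample paths below are illustrative only.

# Classify one verify line; prints "<status> <path>" where status is one of
#   missing         file is gone
#   modified        content changed (size or digest differs): overwritten
#   config-touched  only metadata changed on a config file: usually harmless
#   touched         only metadata changed on a non-config file (e.g. mode)
classify_verify_line() {
    line=$1
    case $line in
        missing*) echo "missing ${line##* }"; return 0 ;;
    esac
    flags=${line%% *}          # nine-column flag field
    path=${line##* }           # last whitespace-separated token
    mid=${line#"$flags"}       # what sits between flags and path
    mid=${mid%"$path"}
    type=$(printf '%s' "$mid" | tr -d ' ')   # "c" for config files, else empty
    case $flags in
        *S*|*5*) echo "modified $path" ;;
        *) if [ "$type" = c ]; then
               echo "config-touched $path"
           else
               echo "touched $path"
           fi ;;
    esac
}

# Read verify lines from stdin, print one classified line each, and return
# non-zero when any file of the package was overwritten or removed.
summarize_verify() {
    bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        result=$(classify_verify_line "$line")
        echo "$result"
        case $result in
            modified*|missing*) bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Convenience wrapper: verify an installed package, e.g. `verify_package openssl`.
verify_package() {
    rpm -V "$1" | summarize_verify
}
```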
RE: modssl versus other ssl servers
For just under $2000, Security Space will give you a report on it.
http://www.securityspace.com/s_survey/payrepdetail.html?ym=200212cat=Apache Techrepid=10903

(Which explains why the links on the modssl site to statistics are out of date).

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind
[EMAIL PROTECTED]

Nearly everything we believe is second hand. For example, less than 500 people have seen the Earth from space, yet the majority of people believe it is round (OK pedants, an oblate sphere).

-----Original Message-----
From: Chris Davis [mailto:[EMAIL PROTECTED]]
Sent: 31 January 2003 14:34
To: [EMAIL PROTECTED]
Subject: modssl versus other ssl servers

Hi,

Does anyone know how many modssl installations there are versus other SSL servers? I'd like to know what percentage of SSL sites use modssl.

Thanks,
Chris
RE: modssl versus other ssl servers
Oops, my mistake. The page http://www.securityspace.com/s_survey/payrepdetail.html?ym=200212cat=Apache Techrepid=10903 says 1.4 million mod_ssl sites out of 5.3 million Apache sites. I'd reckon that mod_ssl is the number one secure server on the 'net.

- John Airey
RE: Verifying enabled ciphers?
Try http://www.netcraft.com/sslwhats. It will give you a list of ciphers.

To unpack the terms:

allows anonymous authentication - That sounds like allowing anyone to visit your site, since I've never heard of anonymous auth for http, only ftp. Of course, the evil IIS uses a specific account for anonymous access (supposedly to protect your filesystem, but it's pants), which might be what they are thinking of.

allows cleartext communication - That's what you get on non-secured sites. If the data doesn't need to be secured, there's no issue.

supports weak encryption - Allows older browsers that have export-crippled security to connect. On the above Netcraft site, you'll see "export version". The question for you is whether it is satisfactory to exclude older browsers from your websites. We've decided it isn't, so we stick with the export ciphers. It's true that they could be compromised in some way, but if there are users out there who are using ancient browsers then they probably have no up to date anti-virus protection either, so this is the least of their worries.

You'll need more information about all of these from your auditor, rather than just sweeping statements. We had a security auditor recently who said much the same.

- John Airey

-----Original Message-----
From: Steve Chadsey [mailto:[EMAIL PROTECTED]]
Sent: 24 January 2003 02:10
To: [EMAIL PROTECTED]
Subject: Verifying enabled ciphers?

How can I verify the ciphers enabled by my webserver?

The reason I ask is because I have been informed by a third-party security auditor that my server allows anonymous authentication, allows cleartext communication, and supports weak encryption. I am unable to verify any of these claims on my own.

Here is my information:
Apache: 1.3.27
mod_ssl: mod_ssl/2.8.12-1.3.27
openssl: openssl-0.9.6g
OS: Solaris 8

Here are my relevant SSL directives from httpd.conf:

SSLEngine on
SSLCipherSuite HIGH:MEDIUM:!ADH
SSLProtocol all -SSLv2

According to /usr/local/ssl/bin/openssl ciphers -v 'HIGH:MEDIUM:!ADH' the supported ciphers for my server are:

EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA Enc=3DES(168) Mac=MD5
DHE-DSS-RC4-SHA         SSLv3 Kx=DH   Au=DSS Enc=RC4(128)  Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA  Au=RSA Enc=IDEA(128) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA  Au=RSA Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA  Au=RSA Enc=RC4(128)  Mac=MD5
IDEA-CBC-MD5            SSLv2 Kx=RSA  Au=RSA Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA  Au=RSA Enc=RC2(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA  Au=RSA Enc=RC4(128)  Mac=MD5

But apparently I am also supporting:

ADH-DES-CBC-SHA
DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
EDH-RSA-DES-CBC-SHA
EXP1024-DES-CBC-SHA
EXP1024-DHE-DSS-DES-CBC-SHA
EXP1024-DHE-DSS-RC4-SHA
EXP1024-RC2-CBC-MD5
EXP1024-RC4-MD5
EXP1024-RC4-SHA
EXP-ADH-DES-CBC-SHA
EXP-ADH-RC4-MD5
EXP-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
NULL-MD5
NULL-SHA

Is the security auditor full of it? How can I verify their results from an external machine (they've scanned the network from an external box)?

Thanks,
-- Steve Chadsey [EMAIL PROTECTED]
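An added example, not part of either post above, that puts the auditor's three findings next to the fields of openssl ciphers -v output. In cipher-suite terms "anonymous authentication" is a suite with Au=None (the ADH suites: no server certificate, so an active attacker can sit between client and server), "cleartext communication" is a suite with Enc=None (the NULL suites, which authenticate but do not encrypt) and "weak encryption" is the EXP/export suites and anything under 128 bits. The script classifies a constructed sample in that format and builds the openssl s_client probes that answer the original question, how to check from an external machine; the host name www.example.org is a placeholder.

```python
"""Classify `openssl ciphers -v` output the way a scanner reports it.
Added example; not part of the original post.

Each line of `openssl ciphers -v` looks like

    EXP-RC4-MD5  SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

The three findings in the auditor's report map onto these fields:
  "anonymous authentication"  Au=None   (ADH suites: no server certificate,
                                        so an active attacker can sit in the middle)
  "cleartext communication"   Enc=None  (NULL suites: integrity only, no encryption)
  "weak encryption"           EXP/export suites and anything under 128 bits
"""
import re

_CIPHER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$")

# Constructed sample: a few entries from the poster's list plus the kinds
# of suite the auditor flagged, in `openssl ciphers -v` format.
SAMPLE_CIPHERS_V = """\
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH        Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA       Au=RSA  Enc=RC4(128)  Mac=MD5
ADH-DES-CBC-SHA         SSLv3 Kx=DH        Au=None Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512)  Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP1024-RC4-SHA         SSLv3 Kx=RSA(1024) Au=RSA  Enc=RC4(56)   Mac=SHA1 export
NULL-SHA                SSLv3 Kx=RSA       Au=RSA  Enc=None      Mac=SHA1
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)   Au=None Enc=RC4(40)   Mac=MD5  export
DES-CBC-SHA             SSLv3 Kx=RSA       Au=RSA  Enc=DES(56)   Mac=SHA1
"""


def parse_cipher_line(line):
    """Parse one `openssl ciphers -v` line into a dict, or None for other lines."""
    m = _CIPHER_LINE.match(line.strip())
    if not m:
        return None
    enc = m.group("enc")
    bits = re.search(r"\((\d+)\)", enc)
    return {
        "name": m.group("name"),
        "proto": m.group("proto"),
        "kx": m.group("kx"),
        "au": m.group("au"),
        "enc": enc.split("(")[0],            # "3DES", "RC4", "None", ...
        "bits": int(bits.group(1)) if bits else 0,
        "mac": m.group("mac"),
        "export": m.group("export") is not None,
    }


def audit(ciphers_v_output):
    """Group suite names under the auditor's three headings."""
    findings = {"anonymous": [], "cleartext": [], "weak": []}
    for line in ciphers_v_output.splitlines():
        c = parse_cipher_line(line)
        if c is None:
            continue
        if c["au"] == "None":
            findings["anonymous"].append(c["name"])
        if c["enc"] == "None":
            findings["cleartext"].append(c["name"])
        if c["export"] or c["name"].startswith("EXP") or 0 < c["bits"] < 128:
            findings["weak"].append(c["name"])
    return findings


def probe_commands(host, port, names):
    """One `openssl s_client` invocation per suite.  A handshake that ends
    with "Cipher is <name>" proves the server at that address accepts it;
    "handshake failure" or "Cipher is (NONE)" means it does not.  This is
    the external check the poster asked for, run from outside the network."""
    return ["openssl s_client -connect %s:%d -cipher %s </dev/null"
            % (host, port, name) for name in names]


if __name__ == "__main__":
    findings = audit(SAMPLE_CIPHERS_V)
    for heading, names in findings.items():
        print("%-10s %s" % (heading, ", ".join(names) or "-"))
    flagged = sorted(set(sum(findings.values(), [])))
    print("\n".join(probe_commands("www.example.org", 443, flagged)))
```

Running openssl ciphers -v 'HIGH:MEDIUM:!ADH' locally only shows what the string expands to inside the library; the probes show what the scanned address actually negotiates. If a probe with an EXP or NULL suite completes, the SSLCipherSuite in effect for the virtual host that answered is not the one shown, and that is the configuration to look at. The 128-bit threshold reflects the auditor's 2003 categories; RC4 and 3DES, which pass it here, are not acceptable today.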
RE: Verifying enabled ciphers?
-----Original Message-----
From: Boyle Owen [mailto:[EMAIL PROTECTED]]
Sent: 24 January 2003 10:09
To: [EMAIL PROTECTED]
Subject: RE: Verifying enabled ciphers?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]

Nearly everything we believe is second hand. For example, less than 500 people have seen the Earth from space, yet the majority of people believe it is round (or an oblate sphere for the pedants).

Perhaps. But this is not why we believe it to be round. We know it is a sphere from observations we make on the surface. For instance, ships sailing away from port disappear from the bottom up (Columbus knew that). The main evidence comes from the fact that the angle of elevation of astronomical bodies sighted at the same time in different places varies in a way that can only be explained if we are on the surface of a sphere.

In any case, billions of people have seen at first-hand photos of the Earth from space. Are we to assume all photos are always faked?

Rgds,
Owen Boyle

PS I liked your one about Alexander Graham Bell :-)

I heard the quote about Alexander Graham Bell on Classic FM, and couldn't resist using it. Ironically, most of the time he turned his telephone off as it disturbed his work.

Indeed, there is evidence that the earth is curved. I've seen it myself 6 miles up in an aircraft. However, there are still only 430 people (that figure comes from NASA staffer Catherine Watson), and not many women among them, who've seen the earth as round for themselves.

A cynic may well claim that pictures of the Earth from space are faked. After all, that claim has been levelled against the Bible for years (and every year, more and more evidence is uncovered to support its authenticity, eg http://news.bbc.co.uk/1/hi/world/middle_east/2655781.stm, although their statement about it being the first piece of physical evidence needs taking with a large pinch of salt).

Incidentally, I was bought Origin of Species for Christmas, and I'm reading through it properly. I hadn't read that much of it, and what I had read was from quotes by other people. Which is probably where most believers in Evolution are at, simply following the flock. His section on problems with the theory is interesting, as those problems are still true, and there are many more problems too.

John
RE: Verifying enabled ciphers?
Apologies for the last message everyone. I thought I was sending it personally, and not to the list. Must pay more attention in the mornings.

- John Airey
RE: Wildcard Certs
That's interesting! We still have a wildcard certificate (check it out at https://wwws.rnib.org.uk/donation.htm) which we received back on the 16th July. Thawte have been making it difficult to get them, since although they save on administration and allow you limited NBVH to a single IP, they were losing money by issuing them. We had to give a statement last year on how many sites we'd run it on and agreed a price for them.

I will check with my contacts within Thawte and get a definitive response.

- John Airey

I know it sounds cocky, but I honestly believe that one day there'll be a telephone in every Town in America - Alexander Graham Bell (my paraphrase)

-----Original Message-----
From: Mads Toftum [mailto:[EMAIL PROTECTED]]
Sent: 16 January 2003 14:18
To: [EMAIL PROTECTED]
Subject: Wildcard Certs

Wildcard certs have been discussed here on the list recently and Thawte has been mentioned as the place to buy wildcard certs. We decided to check and got the following answer:

-
We unfortunately discontinued the wild cards certs about 8 months ago and no longer issue them. You would have to apply for each SSL individually.
-

So neither Thawte nor Verisign (who own Thawte) issue wildcard certs.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
RE: Wildcard Certs
There is information on the Thawte site to say that these are now issued by Verisign. This page http://www.verisign.com/resources/gd/buildEcommerce/certificates.html says:

"Name-Based Virtual Hosting: An ISP or Web Host provides each hosted customer with a unique domain name, such as customername.isp.com. If the same certificate is used for each domain name, browsers will indicate that the site domain name does not match the common name in the certificate. To solve this problem, a wildcard certificate of the form *.isp.com is required to properly serve the multi-hostname configuration without creating browser mismatch error messages. (VeriSign offers wildcard certificates on a case-by-case basis, and they are subject to certain additional licensing terms and conditions. For more information, please contact [EMAIL PROTECTED])"

This is similar to the position that Thawte had regarding wildcard certificates when we renewed last year. I'll post exact details when I get them.

- John Airey
RE: Wildcard Certs
Here are the exact details as promised. Thawte stopped issuing wildcard certificates on August 28th 2002. They say that Verisign have always done them and still do them (see my previous post). I can give details of individuals within the company if anyone needs to verify this for themselves.

It looks highly likely that this will be the first year since 1998 that we don't continue with wildcard certificates and go back to managing certificates individually.

Thanks for raising this one Mads. Hopefully the position is now clear.

- John Airey
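The three wildcard-certificate messages above, and the VeriSign text quoted in the second of them, turn on what a name like *.isp.com does and does not cover. That decision is made by the browser, not by Apache: the server only presents the certificate. The following is an added example, not code from the thread or from any CA, implementing the matching rules browsers apply (RFC 6125 section 6.4.3): case-insensitive comparison, the wildcard only as the whole left-most label, and one label only, so *.rnib.org.uk covers wwws.rnib.org.uk (the host John mentions) but neither rnib.org.uk nor a.b.rnib.org.uk. The certificate name list in the usage block is assumed.

```python
"""Wildcard certificate name matching.  Added example; not part of the
original thread or of Thawte/VeriSign.

A wildcard certificate such as *.rnib.org.uk lets one key pair serve many
virtual hosts on one IP address (the use case in the thread).  The browser,
not the server, decides whether the name covers the host it connected to.
The rules below follow RFC 6125 section 6.4.3 as browsers apply them:

  - comparison is case-insensitive; a trailing dot on the host is ignored
  - the wildcard must be the whole left-most label ("*.example.com";
    "w*.example.com" and "www.*.com" are refused)
  - the wildcard matches exactly one label: *.rnib.org.uk covers
    wwws.rnib.org.uk but not rnib.org.uk and not a.b.rnib.org.uk
  - at least two labels must follow the wildcard, so "*.uk" is refused
    (a real implementation also consults the public suffix list)
"""


def _labels(name):
    return name.lower().rstrip(".").split(".")


def hostname_matches(cert_name, hostname):
    """True if a certificate CN or dNSName subjectAltName covers hostname."""
    if not cert_name or not hostname:
        return False
    p, h = _labels(cert_name), _labels(hostname)
    if "" in p or "" in h:
        return False                       # empty label, e.g. "www..example.com"
    if "*" not in cert_name:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False                       # partial or non-leading wildcard
    if len(p) < 3:
        return False                       # "*.uk" would cover a whole TLD
    if len(h) != len(p):
        return False                       # the wildcard spans exactly one label
    return h[1:] == p[1:]


def covering_name(cert_names, hostname):
    """First certificate name that covers hostname, or None."""
    for name in cert_names:
        if hostname_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Assumed certificate names: the CN plus one dNSName SAN.
    cert_names = ["rnib.org.uk", "*.rnib.org.uk"]
    for host in ["wwws.rnib.org.uk", "rnib.org.uk",
                 "a.b.rnib.org.uk", "www.rnib.org.uk."]:
        print("%-20s -> %s" % (host, covering_name(cert_names, host)))
```

The operational trade-off behind the thread: every virtual host served by the wildcard shares one private key, so a compromise of any one of those hosts (or of the box that holds the key for all of them) exposes them all, which is the price of the administrative saving John describes. Name-based virtual hosting over SSL as the VeriSign text describes it also only works without browser warnings because every host on the IP can present that one certificate.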
RE: httpd won't start
I doubt that missing something in the build of the kernel would prevent a file from being created. Some more information would be useful. When you say linux, do you mean Red Hat? How exactly are you attempting to start it? What user and group are you starting the server as? A copy of your httpd.conf configuration file (with any data you don't want made public removed) would be most useful.

- John Airey

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 03 January 2003 18:19
To: [EMAIL PROTECTED]
Subject: httpd won't start

Hi all,

I can't start httpd on linux kernel 2.4.20 which I compiled. The error message is:

[Fri Jan 03 11:11:18 2003] [error] (38)Function not implemented: Cannot create SSLMutex file `/var/log/httpd/ssl_mutex.575'
Configuration Failed

I have checked all file and directory privileges. It seems no problems. I guess that I am missing build components while building the linux kernel. Has someone gone through this and tell me which components I am missing or have a suggestion?

FYI, httpd starts fine under Red Hat 8.0 with kernel 2.4.18

Thank you,
Jenny Gu
RE: POST with mod_ssl intermittently fails with a 405
Will the file be fairly large then? Try setting these to 8M and 16M respectively (if you have enough memory that is), do a reload of the config and see if the problem repeats. It may be the case that there is a large overhead on the forms that you are submitting (since each field becomes a PHP variable).

John

-----Original Message-----
From: Jan-Piet Mens [mailto:[EMAIL PROTECTED]]
Sent: 17 December 2002 17:39
To: [EMAIL PROTECTED]
Subject: RE: POST with mod_ssl intermittently fails with a 405

I've got an upload_max_filesize = 2M and a memory_limit = 8M and I'm POSTing 10 fields of about 20 characters each! I'm using POST because there will later be a file attached, but at the moment there isn't. So it can't really be that, can it?

-JP

On Tue, 17 Dec 2002, [EMAIL PROTECTED] wrote:

Oops. I meant to say that you should have memory_limit twice upload_max_filesize. I've had problems when they've both been the same.

John

-----Original Message-----
From: Jan-Piet Mens [mailto:[EMAIL PROTECTED]]
Sent: 17 December 2002 16:50
To: [EMAIL PROTECTED]
Subject: RE: POST with mod_ssl intermittently fails with a 405

I've upgraded to 0.9.6h and recompiled Apache. No change. Still get the hint in the error_log. Any other ideas?

-JP

On Tue, 17 Dec 2002, Boyle Owen wrote:

Your openSSL libs are a bit old - there have been many important code updates since 0.9.6b. In particular, the most recent update (0.9.6h) fixed race condition bugs that were causing intermittent failures. Try an upgrade first, I would advise...

Rgds,
Owen Boyle
RE: POST with mod_ssl intermittently fails with a 405
I've just re-read the original poster's message, and it is possible that when they say the system is self-built that they built an older version of openssl. However, given what I've already said that is unlikely.

- John Airey

-----Original Message-----
From: Boyle Owen [mailto:[EMAIL PROTECTED]]
Sent: 17 December 2002 15:19
To: [EMAIL PROTECTED]
Subject: RE: POST with mod_ssl intermittently fails with a 405

Your openSSL libs are a bit old - there have been many important code updates since 0.9.6b. In particular, the most recent update (0.9.6h) fixed race condition bugs that were causing intermittent failures. Try an upgrade first, I would advise...

Rgds,
Owen Boyle

-----Original Message-----
From: Jan-Piet Mens [mailto:[EMAIL PROTECTED]]
Sent: Dienstag, 17. Dezember 2002 16:07
To: [EMAIL PROTECTED]
Subject: POST with mod_ssl intermittently fails with a 405

Hello,

I've got a self-built Apache on a RedHat 7.3 Linux box with Apache/2.0.43, mod_ssl/2.0.43, OpenSSL/0.9.6b, PHP/4.2.3 and mod_authzldap 0.22. Every so often a PHP page is called with a POST request to send data to the server.

The whole server area is protected via the following settings in ssl.conf:

<Directory /var/www/html/ca>
    Options Indexes FollowSymLinks ExecCGI
    DirectoryIndex index.php index.cgi
    SSLOptions FakeBasicAuth ExportCertData CompatEnvVars StrictRequire StdEnvVars OptRenegotiate
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 4
    SSLRequire ( \
        %{SSL_CIPHER} !~ m/^(EXP|NULL)/ and \
        %{SSL_CLIENT_I_DN_CN} eq "my CA" )
    AuthzLDAPEngine on
    AuthzLDAPAuthoritative on
    AuthzLDAPServer localhost:389
    AuthzLDAPBindDN cn=manager,dc=mydomain,dc=com
    AuthzLDAPBindPassword terriblysecret
    AuthzLDAPUseCertificate on
    AuthzLDAPSetAuthorization on
    AuthzLDAPUseSerial on
    AuthzLDAPMapBase ou=AuthzLDAPCertmap,dc=mydomain,dc=com
    AuthzLDAPMapScope subtree
    AuthzLDAPLogLevel warn
    AuthzLDAPCacheConnection off
    AuthzLDAPCacheSize 0
    AuthName AuthzLDAP
    AuthType Basic
</Directory>

and with the following require in .htaccess of the same directory:

require user CN=Jan-Piet [EMAIL PROTECTED]

GET operations always work perfectly (BTW almost all resources are .PHP). Once in a while a POST method is attempted which then sometimes fails (not always). When it has failed, subsequent GET methods on different pages do not work either. After a certain time which always differs, the GET will work and the following POST also.

I've tried changing SSLSessionCache to `shm' and SSLMutex to `sem' thinking it had something to do with it, but to no avail. The value of SSLSessionCacheTimeout doesn't seem to matter either.

At the time of the failure, the logs have this in them:

error_log:
[Tue Dec 17 15:38:21 2002] [notice] Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b PHP/4.2.3 configured -- resuming normal operations
[Tue Dec 17 15:48:08 2002] [error] SSL Re-negotiation in conjunction with POST method not supported!
hint: try SSLOptions +OptRenegotiate

access_log:
10.0.0.1 - - [17/Dec/2002:15:48:08 +0100] "POST /ca/ra/upd.php HTTP/1.1" 405 312
10.0.0.1 - - [17/Dec/2002:15:48:28 +0100] "GET /ca/ra/req.php HTTP/1.1" 403 292
10.0.0.1 - "CN=Jan-Piet [EMAIL PROTECTED]" [17/Dec/2002:15:49:21 +0100] "GET /ca/ra/req.php HTTP/1.1" 200 4936

ssl_request_log:
[17/Dec/2002:15:48:08 +0100] 10.0.0.1 TLSv1 RC4-MD5 "POST /ca/ra/upd.php HTTP/1.1" 312 s_dn=-, issuer=-

The clients are a mixture of Mozilla 1.2 and Internet Explorer 6.0, all with a client cert issued by my CA. The issue affects both clients (Netscape 4.5 shows the same).

Can someone help me resolve this, please?

Thank you very much.

Regards,
-JP
RE: POST with mod_ssl intermittently fails with a 405
Sorry to be slow on the uptake. How big is your POST? I had an issue with memory_limit, post_max_size and upload_max_filesize (all in /etc/php.ini). If your POST is bigger than the limits within php, the script may give up. This could be the cause of what you are seeing.

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD,
Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

I know it sounds cocky, but I honestly believe that one day there'll be a telephone in every Town in America - Alexander Graham Bell (my paraphrase)

-----Original Message-----
From: Jan-Piet Mens [mailto:[EMAIL PROTECTED]]
Sent: 17 December 2002 16:50
To: [EMAIL PROTECTED]
Subject: RE: POST with mod_ssl intermittently fails with a 405

I've upgraded to 0.9.6h and recompiled Apache. No change. Still get the hint in the error_log. Any other ideas ?

-JP

On Tue, 17 Dec 2002, Boyle Owen wrote:

Your openSSL libs are a bit old - there have been many important code updates since 0.9.6b. In particular, the most recent update (0.9.6h) fixed race condition bugs that were causing intermittent failures. Try an upgrade first, I would advise...

Rgds,
Owen Boyle

-----Original Message-----
From: Jan-Piet Mens [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 17 December 2002 16:07
To: [EMAIL PROTECTED]
Subject: POST with mod_ssl intermittently fails with a 405

Hello,

I've got a self-built Apache on a RedHat 7.3 Linux box with Apache/2.0.43, mod_ssl/2.0.43, OpenSSL/0.9.6b, PHP/4.2.3 and mod_authzldap 0.22. Every so often a PHP page is called with a POST request to send data to the server.

The whole server area is protected via the following settings in ssl.conf:

    <Directory /var/www/html/ca>
        Options Indexes FollowSymLinks ExecCGI
        DirectoryIndex index.php index.cgi
        SSLOptions FakeBasicAuth ExportCertData CompatEnvVars StrictRequire StdEnvVars OptRenegotiate
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth 4
        SSLRequire ( \
            %{SSL_CIPHER} !~ m/^(EXP|NULL)/ and \
            %{SSL_CLIENT_I_DN_CN} eq "my CA" )
        AuthzLDAPEngine on
        AuthzLDAPAuthoritative on
        AuthzLDAPServer localhost:389
        AuthzLDAPBindDN cn=manager,dc=mydomain,dc=com
        AuthzLDAPBindPassword terriblysecret
        AuthzLDAPUseCertificate on
        AuthzLDAPSetAuthorization on
        AuthzLDAPUseSerial on
        AuthzLDAPMapBase ou=AuthzLDAPCertmap,dc=mydomain,dc=com
        AuthzLDAPMapScope subtree
        AuthzLDAPLogLevel warn
        AuthzLDAPCacheConnection off
        AuthzLDAPCacheSize 0
        AuthName AuthzLDAP
        AuthType Basic
    </Directory>

and with the following require in .htaccess of the same directory:

    require user CN=Jan-Piet [EMAIL PROTECTED]

GET operations always work perfectly (BTW almost all resources are .PHP). Once in a while a POST method is attempted which then sometimes fails (not always). When it has failed, subsequent GET methods on different pages do not work either. After a certain time which always differs, the GET will work and the following POST also.

I've tried changing SSLSessionCache to `shm' and SSLMutex to `sem' thinking it had something to do with it, but to no avail. The value of SSLSessionCacheTimeout doesn't seem to matter either.

At the time of the failure, the logs have this in them:

error_log:
[Tue Dec 17 15:38:21 2002] [notice] Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b PHP/4.2.3 configured -- resuming normal operations
[Tue Dec 17 15:48:08 2002] [error] SSL Re-negotiation in conjunction with POST method not supported!
hint: try SSLOptions +OptRenegotiate

access_log:
10.0.0.1 - - [17/Dec/2002:15:48:08 +0100] "POST /ca/ra/upd.php HTTP/1.1" 405 312
10.0.0.1 - - [17/Dec/2002:15:48:28 +0100] "GET /ca/ra/req.php HTTP/1.1" 403 292
10.0.0.1 - CN=Jan-Piet [EMAIL PROTECTED] [17/Dec/2002:15:49:21 +0100] "GET /ca/ra/req.php HTTP/1.1" 200 4936

ssl_request_log:
[17/Dec/2002:15:48:08 +0100] 10.0.0.1 TLSv1 RC4-MD5 "POST /ca/ra/upd.php HTTP/1.1" 312 s_dn=-, issuer=-

The clients are a mixture of Mozilla 1.2 and Internet Explorer 6.0 all with a client cert issued by my CA. The issue affects both clients (Netscape 4.5 shows the same)

Can someone help me resolve this, please ? Thank you very much.

Regards,
-JP

__ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
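The failure in the logs above has a specific mechanism worth spelling out. Because SSLVerifyClient require sits in a <Directory> context rather than in the virtual host, mod_ssl only discovers that a client certificate is needed after it has read the request line and headers, and has to renegotiate the TLS session to obtain one. mod_ssl 2.0.43 refuses to renegotiate for a request that carries a body, answers 405 and writes the error_log line shown; the s_dn=- in ssl_request_log confirms that no certificate was available for that request, and the FakeBasicAuth user is consequently missing on the following 403s. The usual remedy is to move SSLVerifyClient (and the matching SSLRequire) up to the <VirtualHost>, so the certificate is requested in the initial handshake and no renegotiation is needed; later mod_ssl releases also added SSLRenegBufferSize to buffer a request body across a renegotiation. The script below is an added example, not code from the thread: it parses the three log formats and flags 405 POSTs that coincide with the renegotiation error, plus the follow-on 403s from the same client address, so the pattern can be found in bulk. The sample lines are constructed to follow the formats in the post (request line quoted, as Apache writes it); the e-mail in the user field is a placeholder.

```python
"""Correlate Apache/mod_ssl logs for the renegotiation-on-POST failure.

Added example, not code from the thread. The sample lines below are constructed
to follow the error_log, access_log and ssl_request_log formats shown in the post
(request line quoted, as Apache writes it); the user field's e-mail is a placeholder.
"""
import re
from datetime import datetime, timedelta

# access_log (combined-style prefix): host ident user [ts] "METHOD path proto" status bytes
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>.+?) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')
# ssl_request_log: [ts] host protocol cipher "METHOD path proto" bytes s_dn=..., issuer=...
SSLREQ_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<host>\S+) \S+ \S+ '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \S+ s_dn=(?P<s_dn>[^,]+),')
# error_log: [ts] [level] message
ERROR_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[error\] (?P<msg>.*)$')

RENEG_MSG = "SSL Re-negotiation in conjunction with POST method not supported!"

def _access_ts(s):
    """'17/Dec/2002:15:48:08 +0100' -> naive datetime; both logs are in local time."""
    return datetime.strptime(s.split()[0], "%d/%b/%Y:%H:%M:%S")

def _error_ts(s):
    """'Tue Dec 17 15:48:08 2002' -> naive datetime."""
    return datetime.strptime(s, "%a %b %d %H:%M:%S %Y")

def correlate(error_log, access_log, ssl_request_log,
              reneg_window=timedelta(seconds=2), follow_on=timedelta(seconds=60)):
    """Return findings: 405 POSTs that coincide with the renegotiation error, and
    later 403s from the same client with no certificate-derived user."""
    reneg_times = [_error_ts(m['ts']) for m in map(ERROR_RE.match, error_log)
                   if m and m['msg'] == RENEG_MSG]
    # Requests for which ssl_request_log recorded no client subject DN at all.
    no_cert = {(m['host'], _access_ts(m['ts']), m['method'], m['path'])
               for m in map(SSLREQ_RE.match, ssl_request_log)
               if m and m['s_dn'] == '-'}
    findings, failed_posts = [], []
    for m in map(ACCESS_RE.match, access_log):
        if not m:
            continue
        ts, host = _access_ts(m['ts']), m['host']
        if (m['method'] == 'POST' and m['status'] == '405'
                and any(abs(ts - t) <= reneg_window for t in reneg_times)):
            findings.append({'kind': 'reneg_post_405', 'host': host, 'path': m['path'], 'ts': ts,
                             'cert_presented': (host, ts, 'POST', m['path']) not in no_cert})
            failed_posts.append((host, ts))
        elif (m['status'] == '403' and m['user'] == '-'
                and any(h == host and timedelta(0) <= ts - t <= follow_on
                        for h, t in failed_posts)):
            findings.append({'kind': 'follow_on_403', 'host': host, 'path': m['path'], 'ts': ts})
    return findings

# Constructed sample input modelled on the lines in the post.
ERROR_LOG = [
    "[Tue Dec 17 15:38:21 2002] [notice] Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b "
    "PHP/4.2.3 configured -- resuming normal operations",
    "[Tue Dec 17 15:48:08 2002] [error] " + RENEG_MSG,
]
ACCESS_LOG = [
    '10.0.0.1 - - [17/Dec/2002:15:48:08 +0100] "POST /ca/ra/upd.php HTTP/1.1" 405 312',
    '10.0.0.1 - - [17/Dec/2002:15:48:28 +0100] "GET /ca/ra/req.php HTTP/1.1" 403 292',
    '10.0.0.1 - CN=Jan-Piet/Email=jp@example.invalid [17/Dec/2002:15:49:21 +0100] '
    '"GET /ca/ra/req.php HTTP/1.1" 200 4936',
]
SSL_REQUEST_LOG = [
    '[17/Dec/2002:15:48:08 +0100] 10.0.0.1 TLSv1 RC4-MD5 "POST /ca/ra/upd.php HTTP/1.1" 312 '
    's_dn=-, issuer=-',
]

if __name__ == "__main__":
    for finding in correlate(ERROR_LOG, ACCESS_LOG, SSL_REQUEST_LOG):
        print(finding)
```

Run against real files, the only change is reading the three logs into lists. The time window is deliberately narrow: the error_log line and the access_log line for the same request carry the same second, so a two-second tolerance only absorbs clock granularity.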
RE: POST with mod_ssl intermittently fails with a 405
Oops. I meant to say that you should have memory_limit twice upload_max_filesize. I've had problems when they've both been the same.

John

-----Original Message-----
From: Jan-Piet Mens [mailto:[EMAIL PROTECTED]]
Sent: 17 December 2002 16:50
To: [EMAIL PROTECTED]
Subject: RE: POST with mod_ssl intermittently fails with a 405

I've upgraded to 0.9.6h and recompiled Apache. No change. Still get the hint in the error_log. Any other ideas ?

-JP

On Tue, 17 Dec 2002, Boyle Owen wrote:

Your openSSL libs are a bit old - there have been many important code updates since 0.9.6b. In particular, the most recent update (0.9.6h) fixed race condition bugs that were causing intermittent failures. Try an upgrade first, I would advise...

Rgds,
Owen Boyle

-----Original Message-----
From: Jan-Piet Mens [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 17 December 2002 16:07
To: [EMAIL PROTECTED]
Subject: POST with mod_ssl intermittently fails with a 405

Hello,

I've got a self-built Apache on a RedHat 7.3 Linux box with Apache/2.0.43, mod_ssl/2.0.43, OpenSSL/0.9.6b, PHP/4.2.3 and mod_authzldap 0.22. Every so often a PHP page is called with a POST request to send data to the server.

The whole server area is protected via the following settings in ssl.conf:

    <Directory /var/www/html/ca>
        Options Indexes FollowSymLinks ExecCGI
        DirectoryIndex index.php index.cgi
        SSLOptions FakeBasicAuth ExportCertData CompatEnvVars StrictRequire StdEnvVars OptRenegotiate
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth 4
        SSLRequire ( \
            %{SSL_CIPHER} !~ m/^(EXP|NULL)/ and \
            %{SSL_CLIENT_I_DN_CN} eq "my CA" )
        AuthzLDAPEngine on
        AuthzLDAPAuthoritative on
        AuthzLDAPServer localhost:389
        AuthzLDAPBindDN cn=manager,dc=mydomain,dc=com
        AuthzLDAPBindPassword terriblysecret
        AuthzLDAPUseCertificate on
        AuthzLDAPSetAuthorization on
        AuthzLDAPUseSerial on
        AuthzLDAPMapBase ou=AuthzLDAPCertmap,dc=mydomain,dc=com
        AuthzLDAPMapScope subtree
        AuthzLDAPLogLevel warn
        AuthzLDAPCacheConnection off
        AuthzLDAPCacheSize 0
        AuthName AuthzLDAP
        AuthType Basic
    </Directory>

and with the following require in .htaccess of the same directory:

    require user CN=Jan-Piet [EMAIL PROTECTED]

GET operations always work perfectly (BTW almost all resources are .PHP). Once in a while a POST method is attempted which then sometimes fails (not always). When it has failed, subsequent GET methods on different pages do not work either. After a certain time which always differs, the GET will work and the following POST also.

I've tried changing SSLSessionCache to `shm' and SSLMutex to `sem' thinking it had something to do with it, but to no avail. The value of SSLSessionCacheTimeout doesn't seem to matter either.

At the time of the failure, the logs have this in them:

error_log:
[Tue Dec 17 15:38:21 2002] [notice] Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b PHP/4.2.3 configured -- resuming normal operations
[Tue Dec 17 15:48:08 2002] [error] SSL Re-negotiation in conjunction with POST method not supported!
hint: try SSLOptions +OptRenegotiate

access_log:
10.0.0.1 - - [17/Dec/2002:15:48:08 +0100] "POST /ca/ra/upd.php HTTP/1.1" 405 312
10.0.0.1 - - [17/Dec/2002:15:48:28 +0100] "GET /ca/ra/req.php HTTP/1.1" 403 292
10.0.0.1 - CN=Jan-Piet [EMAIL PROTECTED] [17/Dec/2002:15:49:21 +0100] "GET /ca/ra/req.php HTTP/1.1" 200 4936

ssl_request_log:
[17/Dec/2002:15:48:08 +0100] 10.0.0.1 TLSv1 RC4-MD5 "POST /ca/ra/upd.php HTTP/1.1" 312 s_dn=-, issuer=-

The clients are a mixture of Mozilla 1.2 and Internet Explorer 6.0 all with a client cert issued by my CA. The issue affects both clients (Netscape 4.5 shows the same)

Can someone help me resolve this, please ? Thank you very much.

Regards,
-JP
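John's suggestion concerns three php.ini limits that interact: upload_max_filesize caps one uploaded file, post_max_size caps the whole request body (a POST over it is discarded and $_POST and $_FILES arrive empty), and memory_limit caps the script, so it has to leave headroom above post_max_size. PHP writes all three in its shorthand notation (8M, 2G). The script below is an added example, not from the thread: it parses such a php.ini fragment and checks the ordering. The "twice upload_max_filesize" rule is John's rule of thumb and is applied as such; the fallback defaults in the code are current PHP defaults, assumed for the example. One caveat: a PHP limit produces an empty POST or a PHP warning, not a 405 from mod_ssl, so it does not account for the error_log line in the quoted report, but it is still worth checking on any upload endpoint.

```python
"""Check the php.ini limits that govern how large a POST PHP will accept.

Added example, not from the thread. The INI fragment is constructed; the fallback
defaults are current PHP defaults, assumed for the example.
"""
import re

_UNITS = {'': 1, 'K': 1024, 'M': 1024 ** 2, 'G': 1024 ** 3}

def php_size(value):
    """Convert a PHP shorthand size ('8M', '128K', '2G', '65536') to bytes.

    PHP takes the leading integer and the trailing unit letter (case-insensitive);
    a negative value such as '-1' means no limit and is returned as None.
    """
    value = value.strip().strip('"\'')
    m = re.fullmatch(r'(-?\d+)\s*([KMGkmg]?)', value)
    if not m:
        raise ValueError(f"not a PHP size: {value!r}")
    n, unit = int(m.group(1)), m.group(2).upper()
    return None if n < 0 else n * _UNITS[unit]

def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, section headers ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line or line.startswith('[') or '=' not in line:
            continue
        key, _, val = line.partition('=')
        settings[key.strip()] = val.strip()
    return settings

def check_upload_limits(settings, headroom=2):
    """Report ordering problems between the three limits.

    upload_max_filesize caps one uploaded file; post_max_size caps the whole body
    (a larger POST is dropped and $_POST/$_FILES arrive empty); memory_limit caps the
    script and should exceed post_max_size. 'headroom' is the poster's rule of thumb
    (memory_limit at least twice upload_max_filesize), applied here as an assumption.
    """
    up = php_size(settings.get('upload_max_filesize', '2M'))
    post = php_size(settings.get('post_max_size', '8M'))
    mem = php_size(settings.get('memory_limit', '128M'))
    problems = []
    if up is not None and post is not None and up > post:
        problems.append('upload_max_filesize exceeds post_max_size')
    if mem is not None and post is not None and post > mem:
        problems.append('post_max_size exceeds memory_limit')
    if mem is not None and up is not None and mem < headroom * up:
        problems.append(f'memory_limit is below {headroom}x upload_max_filesize')
    return problems

# Constructed fragment reproducing the case the poster describes: all three equal.
SAMPLE_INI = """\
[PHP]
memory_limit = 8M          ; maximum memory a script may consume
post_max_size = 8M         ; maximum size of the whole POST body
upload_max_filesize = 8M   ; maximum size of one uploaded file
"""

if __name__ == "__main__":
    print(check_upload_limits(parse_ini(SAMPLE_INI)))
```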
RE: OpenSSL RPMs and Apache/modssl install
Yes, you will run into problems if you overwrite the existing openssl files. For example, both ssh and sendmail will be broken. (Please don't anyone start a religious war over sendmail).

I have been assured by Red Hat's own staff that although the numbering is off, it includes all the security updates to the present day which are usually backported. Red Hat have a policy of backporting as they keep new features for new releases so that these can be tested independently. (Again, no religious wars over package versions please).

Only if there are features not compiled in that you wish to use is it worth recompiling, and in that case you can use /usr/local/ssl or /usr/local to build it in (ie, don't overwrite the /usr/bin/openssl file). Although as you are in the US then you are restricted by a number of US patents anyway. See the openssl FAQ for more information.

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD,
Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

If we could learn one thing from September 11th 2001, it would be the utter absurdity of moral relativism.

-----Original Message-----
From: Emily Eileen Witcher [mailto:emily;crytech.com]
Sent: 12 November 2002 17:26
To: [EMAIL PROTECTED]
Subject: OpenSSL RPMs and Apache/modssl install

I have a Red Hat 7.3 system and ran up2date to get all the latest packages. Now I want to install Apache/modssl/modperl etc. which I am accustomed to building from source, starting with the OpenSSL libraries. I see that an OpenSSL RPM has already been installed with 7.3, but it does not appear to be the latest version (unless RedHat has a different numbering system). Specifically it says openssl-0.9.6b-28.rpm is installed, whereas I want to have openssl-0.9.6g.tar.gz. I don't see any updated rpms on RedHat. Am I going to run into any trouble if I build OpenSSL from source and overwrite (or duplicate) the RPM? There are other packages that depend on the RPM.

Thanks

Emily Witcher - [EMAIL PROTECTED]
Developer and System Administrator
Crytech - 406-655-0501/1-888-CRYTECH

- NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk
RE: Is anyone successfully running OWA2K behind Apache/mod_ssl?
I'd suggest that you disable the basic authentication as well, once it all works. This does mean that users would have to enter their username and password twice, but does keep out worms like Code Red. After all, your exchange server isn't a public site.

On Exchange 5.5/IIS4 we've disabled both Challenge/Response (as this prevents Netscape or Mozilla getting into your mailbox) and basic authentication. We do get a niggly message "your password will expire in 0 days", but we just ignore it.

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD,
Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

If we could learn one thing from September 11th 2001, it would be the utter absurdity of moral relativism.

-----Original Message-----
From: David Marshall [mailto:dmarshall;esilicon.com]
Sent: 07 November 2002 14:58
To: [EMAIL PROTECTED]
Subject: RE: Is anyone successfully running OWA2K behind Apache/mod_ssl?

Jason,

I had this running on RedHat 7.2. Apache 1.3.22/Mod_SSL

Here are the steps...

1. Obtain Apache Mod mod_proxy_add_forward.c. Modify the code to set the header front-end-https: on. Add the following:

        /* turn on front-end-https header, so OWA will put HTTPS into urls */
        ap_table_set(r->headers_in, "front-end-https", "on");

   Compile and install mod_proxy_add_forward.c. I used command apxs -i -c mod_proxy_add_forward.c

2. Add a line to your httpd.conf file:

        LoadModule proxy_add_forward_module /usr/lib/apache/1.3/mod_proxy_add_forward.so

   replacing /usr/lib/apache/1.3 with the path that apxs installs the module.

3. Add the following directives to the virtual host section of your apache configuration files, replacing FQDN with the fully qualified domain name you want to use, NOT the address of the exchange server:

        ProxyPass /exchange/ http://FQDN/exchange/
        ProxyPass /public/ http://FQDN/public/
        ProxyPass /exchweb/ http://FQDN/exchweb/

4. Make sure that external dns resolves the FQDN to the Apache proxy server.

5. Modify your /etc/hosts on the Apache proxy server. Add the FQDN to resolve to the ip address of the OWA server.

6. On the Server where OWA is installed, turn off Windows Integrated Authentication: run Internet Services Manager (Programs -> Administrative Tools -> Internet Services Manager), expand to your OWA website, right-click the OWA site and select Properties. On the resulting dialog, select the Directory Security tab, then edit the Anonymous access and authentication control, remove Windows Integrated Authentication and turn on Basic Authentication.
   note: you must repeat this step every time you restart IIS or reboot this machine.

I must tell that although the solution worked, we did not put this solution into production. The biggest drawbacks to this solution were:

a. Every time you reboot/restart IIS on the System where OWA is installed, your security settings will be reset adding Windows Integrated Authentication back to the virtual directories. We have found no way to resolve this.
b. We had to add a virtual host for every OWA site on Apache that we needed to host. In my environment we have 3 exchange servers and 2 routing groups. This meant that as we changed our Exchange Topology, we would have to re-work the Apache front-end proxy.
c. Users cannot use the password change option.

After reading the Microsoft Exchange Front-End/Backend documents http://www.microsoft.com/downloads/release.asp?releaseid=43997 , we decided to evaluate running a Front-End OWA server under SSL with HTTP disabled on a separate system from the other Exchange Servers. In the final analysis, we decided that this was the right answer for us.

David Marshall

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar;trimble.co.nz]
Sent: Thursday, November 07, 2002 12:04 AM
To: [EMAIL PROTECTED]
Subject: Is anyone successfully running OWA2K behind Apache/mod_ssl?

We're using Apache/mod_ssl to provide a reverse-proxy to some backend Web servers, and want to add OWA2K to the list (that's Outlook Web Access for Microsoft Exchange 2000). It works fine with OWA from Exchange 5.5 - which was basically just HTML plus some javascript - but OWA2K (under IE5+) uses all sorts of whizzy M$ stuff, and doesn't work!

If you access OWA2K with a non-IE browser (e.g. Mozilla), OWA2K reverts to the older format and works fine - it just doesn't work well from IE (ironic isn't it :-)

It's pretty flaky. IE5.0 works pretty well, IE5.5 works 20% of the time and IE6 just dies. It goes without saying that all these browsers work fine when talking directly to the OWA2K server: it's only via the RP that they fail.

I've done packet sniffs and compares and can't see anything out of the ordinary. I think it's
RE: Is anyone successfully running OWA2K behind Apache/mod_ssl?
Oops, I made a big mistake! I'd suggest that you disable *anonymous* access as well, once it all works. This does mean that users would have to enter their username and password twice, but does keep out worms like Code Red. After all, your exchange server isn't a public site.

On Exchange 5.5/IIS4 we've disabled both Challenge/Response (as this prevents Netscape or Mozilla getting into your mailbox) and *anonymous* access. We do get a niggly message "your password will expire in 0 days", but we just ignore it.

If you followed my last message, you'd never get in. Doh!

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD,
Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

If we could learn one thing from September 11th 2001, it would be the utter absurdity of moral relativism.

-----Original Message-----
From: David Marshall [mailto:dmarshall;esilicon.com]
Sent: 07 November 2002 14:58
To: [EMAIL PROTECTED]
Subject: RE: Is anyone successfully running OWA2K behind Apache/mod_ssl?

Jason,

I had this running on RedHat 7.2. Apache 1.3.22/Mod_SSL

Here are the steps...

1. Obtain Apache Mod mod_proxy_add_forward.c. Modify the code to set the header front-end-https: on. Add the following:

        /* turn on front-end-https header, so OWA will put HTTPS into urls */
        ap_table_set(r->headers_in, "front-end-https", "on");

   Compile and install mod_proxy_add_forward.c. I used command apxs -i -c mod_proxy_add_forward.c

2. Add a line to your httpd.conf file:

        LoadModule proxy_add_forward_module /usr/lib/apache/1.3/mod_proxy_add_forward.so

   replacing /usr/lib/apache/1.3 with the path that apxs installs the module.

3. Add the following directives to the virtual host section of your apache configuration files, replacing FQDN with the fully qualified domain name you want to use, NOT the address of the exchange server:

        ProxyPass /exchange/ http://FQDN/exchange/
        ProxyPass /public/ http://FQDN/public/
        ProxyPass /exchweb/ http://FQDN/exchweb/

4. Make sure that external dns resolves the FQDN to the Apache proxy server.

5. Modify your /etc/hosts on the Apache proxy server. Add the FQDN to resolve to the ip address of the OWA server.

6. On the Server where OWA is installed, turn off Windows Integrated Authentication: run Internet Services Manager (Programs -> Administrative Tools -> Internet Services Manager), expand to your OWA website, right-click the OWA site and select Properties. On the resulting dialog, select the Directory Security tab, then edit the Anonymous access and authentication control, remove Windows Integrated Authentication and turn on Basic Authentication.
   note: you must repeat this step every time you restart IIS or reboot this machine.

I must tell that although the solution worked, we did not put this solution into production. The biggest drawbacks to this solution were:

a. Every time you reboot/restart IIS on the System where OWA is installed, your security settings will be reset adding Windows Integrated Authentication back to the virtual directories. We have found no way to resolve this.
b. We had to add a virtual host for every OWA site on Apache that we needed to host. In my environment we have 3 exchange servers and 2 routing groups. This meant that as we changed our Exchange Topology, we would have to re-work the Apache front-end proxy.
c. Users cannot use the password change option.

After reading the Microsoft Exchange Front-End/Backend documents http://www.microsoft.com/downloads/release.asp?releaseid=43997 , we decided to evaluate running a Front-End OWA server under SSL with HTTP disabled on a separate system from the other Exchange Servers. In the final analysis, we decided that this was the right answer for us.

David Marshall

-----Original Message-----
From: Jason Haar [mailto:Jason.Haar;trimble.co.nz]
Sent: Thursday, November 07, 2002 12:04 AM
To: [EMAIL PROTECTED]
Subject: Is anyone successfully running OWA2K behind Apache/mod_ssl?

We're using Apache/mod_ssl to provide a reverse-proxy to some backend Web servers, and want to add OWA2K to the list (that's Outlook Web Access for Microsoft Exchange 2000). It works fine with OWA from Exchange 5.5 - which was basically just HTML plus some javascript - but OWA2K (under IE5+) uses all sorts of whizzy M$ stuff, and doesn't work!

If you access OWA2K with a non-IE browser (e.g. Mozilla), OWA2K reverts to the older format and works fine - it just doesn't work well from IE (ironic isn't it :-)

It's pretty flaky. IE5.0 works pretty well, IE5.5 works 20% of the time and IE6 just dies. It goes without saying that all these browsers work fine when talking directly to the OWA2K server: it's only via the RP that they fail.

I've done
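Both modifications in David's recipe are about headers the backend trusts because it believes they come from the proxy: the front-end-https: on header tells OWA to generate https:// URLs, and mod_proxy_add_forward supplies X-Forwarded-For so the backend sees the real client address. Anything the backend reads from such a header is only as trustworthy as the proxy's handling of it. If the proxy merely appends to, or passes through, what the client sent, a client can claim any source address or scheme. The function below is an added example, not the module patched in the thread: it builds the header set for the backend request, dropping hop-by-hop headers and any client-supplied copy of the proxy-asserted headers, setting Host to the FQDN the ProxyPass lines use (which is why step 5 points that FQDN at the OWA box in /etc/hosts), and extending an X-Forwarded-For chain only for a listed upstream proxy. The header names are the ones from the thread; the sample request and addresses are constructed.

```python
"""Header handling for a TLS-terminating reverse proxy in front of OWA.

Added example, not the mod_proxy_add_forward patch from the thread. The header
names are the ones the thread relies on; the sample request below is constructed.
"""
# RFC 7230 hop-by-hop headers: meaningful only for the client<->proxy connection.
HOP_BY_HOP = {'connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization',
              'te', 'trailer', 'transfer-encoding', 'upgrade'}
# Headers the backend reads as statements made by the proxy. A client-supplied
# copy is never forwarded, otherwise the client could claim any address or scheme.
PROXY_ASSERTED = {'front-end-https', 'x-forwarded-for', 'x-forwarded-proto'}

def forwarded_headers(client_headers, client_ip, tls, backend_host, trusted_proxies=()):
    """Return the header list for the backend request.

    client_headers: (name, value) pairs as received; client_ip: the TCP peer address,
    which unlike a header cannot be forged by the sender; tls: whether this proxy
    terminated HTTPS for the connection; backend_host: the name the backend expects
    in Host (the FQDN from the ProxyPass lines); trusted_proxies: peers whose
    X-Forwarded-For chain is extended rather than replaced.
    """
    connection_tokens = {t.strip().lower()
                         for name, value in client_headers if name.lower() == 'connection'
                         for t in value.split(',')}
    out, incoming_xff = [], None
    for name, value in client_headers:
        lname = name.lower()
        if lname in HOP_BY_HOP or lname in connection_tokens or lname == 'host':
            continue
        if lname in PROXY_ASSERTED:
            if lname == 'x-forwarded-for':
                incoming_xff = value
            continue
        out.append((name, value))
    out.append(('Host', backend_host))
    if client_ip in trusted_proxies and incoming_xff:
        out.append(('X-Forwarded-For', f'{incoming_xff}, {client_ip}'))
    else:
        out.append(('X-Forwarded-For', client_ip))
    # The value OWA keys on to emit https:// URLs; derived from the connection, not the client.
    out.append(('Front-End-Https', 'on' if tls else 'off'))
    out.append(('X-Forwarded-Proto', 'https' if tls else 'http'))
    return out

# Constructed request from an untrusted client that tries to spoof both proxy headers.
SPOOFING_CLIENT = [
    ('Host', 'owa.example.invalid'),
    ('Connection', 'close, X-Debug'),
    ('X-Debug', '1'),
    ('Front-End-Https', 'off'),
    ('X-Forwarded-For', '192.0.2.1'),
    ('Cookie', 'sessionid=constructed'),
]

if __name__ == "__main__":
    for header in forwarded_headers(SPOOFING_CLIENT, '203.0.113.7', True, 'owa.example.invalid'):
        print('%s: %s' % header)
```

The same rule applies to whatever the Apache module actually injects: ap_table_set overwrites an existing header of that name, which is the right call, whereas a merge (ap_table_merge or ap_table_add) would let a client's Front-End-Https value survive alongside the proxy's.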
RE: Configuring Multiple Certicates SSL over an unique IP
Only Thawte do starred certificates, www.thawte.com, however they are now fairly restrictive on allowing them. You have to contact a representative first (ie you can no longer get them online). We are probably not going to bother renewing our current one because they are now too much hassle.

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD,
Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

If we could learn one thing from September 11th 2001, it would be the utter absurdity of moral relativism.

-----Original Message-----
From: Hunt,Keith A [mailto:keith;uakron.edu]
Sent: 05 November 2002 14:56
To: [EMAIL PROTECTED]
Subject: RE: Configuring Multiple Certicates SSL over an unique IP

How does one go about getting a star certificate?

-----Original Message-----
From: Boyle Owen [mailto:Owen.Boyle;swx.com]
Sent: Tuesday, November 05, 2002 5:22 AM
To: [EMAIL PROTECTED]
Subject: RE: Configuring Multiple Certicates SSL over an unique IP

Yes indeed, although this is a rather limited case of NBVH.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ueli;heuer.org]
Sent: Tuesday, 5 November 2002 10:08
To: [EMAIL PROTECTED]
Subject: Re: Configuring Multiple Certicates SSL over an unique IP

On Tue, 5 Nov 2002 08:48:58 +0100 Boyle Owen [EMAIL PROTECTED] wrote:

No. This is called name-based virtual hosting (NBVH). It works fine for plain HTTP but is impossible under SSL. The reason is that NBVH uses the Host header to find the VH. But in SSL, the connection must be established *before* you get the Host header. So the server cannot decide which VH to use.

except you are using a star-certificate, if your certificate is *.foo.bar you can use name-based virtual hosting for the following hosts: www.foo.bar test.foo.bar new.foo.bar ... what-ever.foo.bar

Rgds,
Owen Boyle

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:asom;vetorialnet.com.br]
Sent: Monday, 4 November 2002 23:20
To: [EMAIL PROTECTED]
Subject: Configuring Multiple Certicates SSL over an unique IP

Hello,

Is there some way to configure the Apache Server to use multiple SSL certificates over a single IP, one for each virtual domain? What is the Apache configuration syntax?

Alex Moraes
-- The software said it requires Windows 95 or better, so I installed Linux

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company.
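Owen's explanation of why name-based virtual hosting and SSL did not mix is about ordering: the server has to present a certificate during the handshake, before the Host header arrives, so in 2002 one IP address could carry only one certificate, and Ueli's wildcard workaround works because a single certificate then covers every name the client might ask for. (Modern TLS closes this gap with the Server Name Indication extension, in which the client sends the hostname in its ClientHello; Apache 2.2.12 and later, built against an SNI-capable OpenSSL, select the virtual host's certificate from it.) What a wildcard actually covers is narrower than "everything under foo.bar". The code below is an added example, not from the thread: it implements the client-side matching rules of RFC 6125 section 6.4.3, plus the browser convention of refusing a wildcard with fewer than three labels, and shows that *.foo.bar matches www.foo.bar but neither foo.bar itself nor a.b.foo.bar. All names are constructed.

```python
"""Which hostnames a 'star' certificate actually covers.

Added example, not from the thread: the wildcard rules of RFC 6125 section 6.4.3,
plus the browser convention of refusing a wildcard that has fewer than three labels.
All names are constructed.
"""
def wildcard_matches(pattern, hostname):
    """True if the certificate name 'pattern' covers 'hostname'.

    Comparison is case-insensitive and ignores a trailing dot. A '*' is honoured only
    in the leftmost label, only once, and stands for exactly one label: '*.foo.bar'
    covers www.foo.bar but not foo.bar itself and not a.b.foo.bar.
    """
    pattern = pattern.lower().rstrip('.')
    hostname = hostname.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split('.'), hostname.split('.')
    if sum('*' in label for label in p_labels) != 1 or '*' not in p_labels[0]:
        return False                      # wildcard must be the leftmost label, alone
    if len(p_labels) < 3:
        return False                      # '*.bar' would cover every name under a TLD
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False                      # remaining labels must agree exactly
    first, h0 = p_labels[0], h_labels[0]
    if first == '*':
        return h0 != ''
    # Partial-label wildcard such as 'w*' (allowed by the RFC, rejected by many clients).
    prefix, _, suffix = first.partition('*')
    return (len(h0) >= len(prefix) + len(suffix)
            and h0.startswith(prefix) and h0.endswith(suffix))

def cert_covers(cert_names, hostname):
    """cert_names: the certificate's dNSName SANs (or its CN for a legacy certificate)."""
    return any(wildcard_matches(n, hostname) for n in cert_names)

if __name__ == "__main__":
    star = ['*.foo.bar']
    for host in ['www.foo.bar', 'test.foo.bar', 'foo.bar', 'a.b.foo.bar']:
        print(f'{host:14} covered={cert_covers(star, host)}')
```

The practical consequence for the thread's setup is that the bare domain needs its own entry (a second dNSName, or a separate certificate), and a deeper hierarchy such as mail.eu.foo.bar is not covered by *.foo.bar at all.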
RE: mod_ssl-2.0.40-8
You'll find the source RPM on the source CD for Red Hat 8.0. Install it as any normal package (eg rpm -ivh), and you'll find the spec file that built the binary in /usr/src/redhat/SPECS.

As Geoff points out, it is unusual that Red Hat 8.0 uses a separate package name, but Red Hat have been doing this since version 7.0. With version 8.0, the apache package name disappears and is called httpd instead. I guess they are synchronising the names of the packages to match the daemon names, although I haven't yet checked to see if bind has become named.

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD,
Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

Theories of evolution are like buses - there'll be another one along in a minute

-----Original Message-----
From: Mike Pacheco [mailto:mike;fwdsystems.com]
Sent: 25 October 2002 18:30
To: [EMAIL PROTECTED]
Subject: mod_ssl-2.0.40-8

Hi All,

Been on the mod_ssl site from top to bottom and I can not find mod_ssl for apache 2.0.40 - I do a custom install of RedHat 8.0 - pick httpd and mod_ssl and then query the installed packages after it finishes and I test apache with ssl successfully and I get:

    rpm -q mod_ssl = mod_ssl-2.0.40-8

I would like to get my hands on the source for this version of mod_ssl for some custom install options but I can not seem to find it. Can somebody please point me in the right direction?

Thanks
Mike Pacheco
RE: mod_ssl-2.0.40-8
I wasn't just surprised, I was confused. I was looking all over for the apache package! I've only had a brief dabble into 8.0, but will have to consider it if and when our apache servers start to get any heavier load. My last attempt at Apache 2.0 ended in disaster regardless of whether I used an RPM or compiled it myself, so hopefully version 8.0 does what I haven't managed yet.

Thanks for the information.

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD,
Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

Theories of evolution are like buses - there'll be another one along in a minute

-----Original Message-----
From: Nadav Har'El [mailto:nyh;math.technion.ac.il]
Sent: 28 October 2002 10:26
To: [EMAIL PROTECTED]
Subject: Re: mod_ssl-2.0.40-8

On Mon, Oct 28, 2002, [EMAIL PROTECTED] wrote about "RE: mod_ssl-2.0.40-8":

the apache package name disappears and is called httpd instead. I guess they are synchronising the names of the packages to match the daemon names, although I haven't yet checked to see if bind has become named.

No, it hasn't, and remains bind (bind-9.2.1-9). I think they wanted a different name when they switched from Apache 1 to Apache 2. By the way, considering Apache 2's site is http://httpd.apache.org/, I guess the choice of name httpd could be understood. But I was also quite surprised when I first saw this name in Redhat 8.

--
Nadav Har'El | Monday, Oct 28 2002, 22 Heshvan 5763
[EMAIL PROTECTED] | Phone: +972-53-245868, ICQ 13349191
http://nadav.harel.org.il | Long periods of drought are always followed by rain.
RE: ssl_scache.dir and ssl_scache.pag
Here's a script to rotate files from /usr/local/apache/logs to /usr/local/apache/logs/archive:

    #!/bin/csh
    # move only regular files: a bare * would also match archive/ itself
    foreach f (/usr/local/apache/logs/*)
        if (-f $f) /bin/mv $f /usr/local/apache/logs/archive/
    end
    /etc/rc.d/init.d/httpd graceful

This will rotate all the files in that directory out without Apache dropping a single byte. On your system you might need apachectl reload instead as the above example is for a Red Hat Linux system.

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD,
Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

Theories of evolution are like buses - there'll be another one along in a minute

-----Original Message-----
From: Emily Eileen Witcher [mailto:emily;crytech.com]
Sent: 21 October 2002 20:53
To: [EMAIL PROTECTED]
Subject: ssl_scache.dir and ssl_scache.pag

Is it possible to rotate these files? I don't seem to even be able to gzip or move them. They are getting very large and I would like to reclaim some disk space. They are located in /usr/local/apache/logs but also symbolically linked to /etc/httpd/logs/ - do I need to remove the link first?

Emily Witcher - [EMAIL PROTECTED]
RE: Site for modssl.org
An rpm for mod_ssl comes with Red Hat 7.2 (I assume that's what you are referring to). As for latest, there should be an update available from Red Hat fairly soon.

- John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD,
Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

Theories of evolution are like buses - there'll be another one along in a minute

-----Original Message-----
From: Robert Lagana [mailto:[EMAIL PROTECTED]]
Sent: 08 October 2002 18:02
To: '[EMAIL PROTECTED]'
Subject: Site for modssl.org

Hi,

I can't hit http://www.modssl.org I'm in need of the latest rpm or tarball for linux 7.2 Does anyone have another site I could use to download?

Thanks,
Rob
RE: SSL Not Working from Outside LAN
Have you also run ipchains -L to see what you get? You may well have set up a firewall that prevents packets coming in. If you get this:

    ipchains: Incompatible with this kernel

then you don't have a firewall on the server. If you get anything else, it could be stopping packets coming in.

- John Airey

-Original Message-
From: Jeff Umstead [mailto:[EMAIL PROTECTED]]
Sent: 06 October 2002 16:03
To: [EMAIL PROTECTED]
Subject: Re: SSL Not Working from Outside LAN

Good idea! I'll have to wait until tomorrow to try that. I did, however, do some packet sniffing and noticed that TCP packets from outside the firewall do get to the web server and the web server returns TCP packets, but it never returns any SSL (actually SSLv2 protocol, I think) packets. Watching the packets for HTTP, the TCP and HTTP packets pass back and forth.

Thanks
--
Jeff Umstead
IS Director
Merrill Tool Holding Company
Saginaw MI USA

On 6 Oct 2002 at 10:10, Jeffrey Burgoyne wrote:

> How about a simple test to ensure it is not the firewall. Set Apache to listen to HTTPS across port 80, which you already know works outside the firewall. Then you can easily test to ensure it is not the firewall.
>
> Jeff
>
> On Sun, 6 Oct 2002, Jeff Umstead wrote:
>
> > I've recently added a Red Hat 7.3 Linux server to our network running Apache and mod_ssl. My problem is I can't make an https (over standard port 443) connection from outside our network. I can connect via http (port 80) from both inside and outside our LAN. I have the necessary port pass-throughs, firewall rules etc. in place for both ports. It works perfectly from inside our LAN (subnet) to either http or https but not from our other sites (different subnets) or from the Internet.
> >
> > I believe the problem is either an incorrect setting in httpd.conf or perhaps in a network configuration file I've overlooked. Or ??? Any help / tips would be greatly appreciated.
RE: Installing mod_ssl
You actually have several options:

1. Use the mod_ssl, mm and apache packages that come with the Red Hat Linux 7.3 system. These are out of date, but you can get the latest by registering with https://rhn.redhat.com. Some people don't like the fact that these are not the latest versions, merely backported to the latest fix. It doesn't bother me though. The latest openssl update from Red Hat prevents the Linux Slapper worm from infecting your systems.

2. Remove the apache, mm and mod_ssl rpm packages and recompile them.

In the second case, you have two options:

1. Compile against the openssl that comes with 7.3. In this case you'll need to install the openssl-devel rpm package.

2. Compile against the latest openssl files. In that case I believe you'd need to install the openssl binary into a directory other than /usr/bin (see http://www.openssl.org/support/faq.cgi#BUILD8). If I'm wrong on this hopefully someone will correct me, but I've always believed that you need the same version of openssl installed somewhere that you used to compile mod_ssl.

There is always the option of creating RPMs from either of the above options. Don't remove the openssl package that comes with 7.3 though. You'll break several packages that come with 7.3 such as ssh, sendmail and nearly all the email programs.

I used to compile apache and mod_ssl, but now I prefer to wait for the packages from Red Hat.

- John Airey

-Original Message-
From: Dan Sabo [mailto:[EMAIL PROTECTED]]
Sent: 07 October 2002 00:31
To: [EMAIL PROTECTED]
Subject: Installing mod_ssl

Hi Folks,

mod_ssl newbie here. I'm running RH Linux 7.3 and apache 1.3.23.

I have been reading the archives and Kabir's book, Red Hat Linux 7 Server, and from what I understand (correct me if I'm wrong), in order to install mod_ssl on my machine I will have to start from scratch and reinstall and compile a fresh copy of apache. Is this true? Or can I install mod_ssl on an existing apache machine that has already been configured and set up with e-commerce sites?

If I can install mod_ssl on my machine without recompiling apache, can anyone direct me to any step-by-step documentation as to how to install and configure mod_ssl and secure sites/Thawte certificates on a Linux 7.x box already set up with apache?

Lastly, if it is possible to install mod_ssl on a server already configured with apache with e-commerce sites already set up, are there any security risks in installing mod_ssl on an already configured server? Is it better to install mod_ssl on an empty server?

Also I read somewhere that this mod_ssl worm is a big problem. Is that true? Should I upgrade my apache software to prevent such an attack, and if I do, will upgrading apache cause any problems with my current setup of my sites?

Thanks much
Dan Sabo
RE: SSL Not Working from Outside LAN
Great. chkconfig ipchains off should stop it running in all runlevels.

John

-Original Message-
From: Jeff Umstead [mailto:[EMAIL PROTECTED]]
Sent: 07 October 2002 16:01
To: [EMAIL PROTECTED]
Subject: RE: SSL Not Working from Outside LAN

John,

I think that was it. I had cleared the ipchains list, stopped and restarted it. Even though it said accept all for input, output and forward it was still stopping it. So I stopped ipchains from running at start-up for all levels, restarted the Linux box and it now works!

Thanks for the help
--
Jeff Umstead
IS Director
Merrill Tool Holding Company
Saginaw MI USA
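John's advice earlier in this thread was to read the output of ipchains -L, because the server-side firewall decides the fate of an inbound tcp/443 packet before Apache ever sees it. The following is an added example, not code from either post: it parses a constructed sample laid out like `ipchains -L -n` output (the column layout is approximated from memory and is an assumption; adjust the parser if your version prints the ports column differently) and reports which rule, or which chain policy, applies to a packet for a given port and source address. It also recognises the "Incompatible with this kernel" message John mentions as the no-firewall case.

```python
"""Find the ipchains rule that decides the fate of inbound HTTPS.

Added example, not code from the mailing-list thread.  The sample below is
CONSTRUCTED and its column layout only approximates `ipchains -L -n`
output (an assumption); adjust parse_ipchains() if your ipchains prints
the ports column differently.
"""
import ipaddress
import re
from dataclasses import dataclass

# What John says you see when no ipchains firewall is loaded at all.
NO_FIREWALL_MSG = "ipchains: Incompatible with this kernel"

# Constructed sample: HTTP and SSH were opened, HTTPS never was, so the
# catch-all DENY for privileged ports wins for tcp/443 from outside.
SAMPLE_OUTPUT = """\
Chain input (policy ACCEPT):
target     prot opt     source                destination           ports
ACCEPT     all  ------  127.0.0.1            0.0.0.0/0             n/a
ACCEPT     tcp  -y----  0.0.0.0/0            0.0.0.0/0             * ->   80
ACCEPT     tcp  -y----  0.0.0.0/0            0.0.0.0/0             * ->   22
DENY       tcp  -y----  0.0.0.0/0            0.0.0.0/0             * ->   0:1023
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
"""


@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    src: str
    dst: str
    dport: str   # "*", a port number, or a "low:high" range


def parse_ipchains(output):
    """Return ({chain: policy}, [Rule, ...]) from ipchains -L -n text."""
    policies, rules, chain = {}, [], None
    for line in output.splitlines():
        m = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if m:
            chain = m.group(1)
            policies[chain] = m.group(2)
            continue
        parts = line.split()
        if chain is None or len(parts) < 5 or parts[0] == "target":
            continue
        target, proto, _opt, src, dst = parts[:5]
        # ports column is "sport -> dport" for tcp/udp, "n/a" otherwise
        dport = parts[7] if len(parts) >= 8 and parts[6] == "->" else "*"
        rules.append(Rule(chain, target, proto, src, dst, dport))
    return policies, rules


def _host_matches(spec, ip):
    if spec in ("0.0.0.0/0", "anywhere"):
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    if spec == "*":
        return True
    if ":" in spec:
        low, high = (int(x) for x in spec.split(":", 1))
        return low <= port <= high
    return int(spec) == port


def inbound_verdict(output, port, proto="tcp", src_ip="203.0.113.7"):
    """Target of the first matching input-chain rule, else the chain policy.

    Returns "NO_FIREWALL" for the 'Incompatible with this kernel' case.
    ipchains stops at the first rule that matches, so order matters.
    """
    if output.strip().startswith(NO_FIREWALL_MSG):
        return "NO_FIREWALL"
    policies, rules = parse_ipchains(output)
    for r in rules:
        if (r.chain == "input" and r.proto in ("all", proto)
                and _host_matches(r.src, src_ip) and _port_matches(r.dport, port)):
            return r.target
    return policies.get("input", "ACCEPT")


def https_blocked(output, src_ip="203.0.113.7"):
    """True when a packet to tcp/443 from src_ip would not reach Apache."""
    return inbound_verdict(output, 443, src_ip=src_ip) in ("DENY", "REJECT")


if __name__ == "__main__":
    for port in (80, 443):
        print(port, inbound_verdict(SAMPLE_OUTPUT, port))
    print("https blocked from outside:", https_blocked(SAMPLE_OUTPUT))
```

Run against the constructed ruleset it reports ACCEPT for port 80 and DENY for port 443 from an outside address, while the same port 443 from 127.0.0.1 is accepted by the loopback rule, which is exactly the "works inside, fails outside" pattern Jeff described.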
RE: mod_ssl / mod_proxy interaction
Could you elaborate on why you say that reverse proxy with SSL won't work? We've been running it for years on our Exchange system here, although granted that uses 5.5 rather than 2000. Testing of access to OWA 2000 is on my to-do list.

Thank you.

- John Airey

-Original Message-
From: Robin P. Blanchard [mailto:[EMAIL PROTECTED]]
Sent: 30 September 2002 14:29
To: [EMAIL PROTECTED]
Subject: mod_ssl / mod_proxy interaction

In an effort to eventually set up a secure Apache reverse proxy for Exchange 2000's OWA, I've run into the following dilemma. Per the mod_ssl docs, I had the following declared globally:

    SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

and realised after much wailing and gnashing of teeth that that line caused the following (non-SSL) virtual host to fail to operate correctly under IE:

    Listen 10.10.10.99:80
    <VirtualHost 10.10.10.99:80>
        ServerName webmail.gactr.uga.edu
        UseCanonicalName Off
        CustomLog /tmp/webmail-trans.log combined
        ErrorLog /tmp/webmail-error.log
        RedirectPermanent / http://webmail.gactr.uga.edu/exchange/
        ProxyRequests Off
        ProxyVia Full
        ProxyPass /exchange/ http://webmail.gactr.uga.edu/exchange/
        ProxyPassReverse /exchange/ http://webmail.gactr.uga.edu/exchange/
        ProxyPass /public/ http://webmail.gactr.uga.edu/public/
        ProxyPassReverse /public/ http://webmail.gactr.uga.edu/public/
        ProxyPass /ex2k/ http://webmail.gactr.uga.edu/ex2k/
        ProxyPassReverse /ex2k/ http://webmail.gactr.uga.edu/ex2k/
        ProxyPass /exchweb/ http://webmail.gactr.uga.edu/exchweb/
        ProxyPassReverse /exchweb/ http://webmail.gactr.uga.edu/exchweb/
    </VirtualHost>

So, I moved the User-Agent config out of the global config and into each SSL config. Now, the Exchange 2000 proxy (currently non-SSL) is correctly handled by IE. Obviously, though, I will be wanting to put this proxy behind SSL, which I've already determined will not work (using the mod_ssl recommended settings). Has anyone else run into a similar situation? Is there a reasonable work-around for this?

--
Robin P. Blanchard
Systems Integration Specialist
Georgia Center for Continuing Education
fon: 706.542.2404 | fax: 706.542.6546
RE: certificate + network ACL + passwords problem?
I think it's just the way you use allow, deny. I would have put this myself:

    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 199.85.99.

The Allow syntax has always seemed odd to me. What appears in the documentation at http://httpd.apache.org/docs/mod/mod_access.html#allow doesn't all work for me.

- John Airey

-Original Message-
From: Harald Koch [mailto:[EMAIL PROTECTED]]
Sent: 22 September 2002 23:53
To: [EMAIL PROTECTED]
Subject: certificate + network ACL + passwords problem?

I've tried this both with the stock (fully patched) Red Hat 7.2, and with a fresh-built Apache 1.3.26 + modssl-2.8.10-1.3.26 + openssl-0.9.6g.

With the attached config snippet for a private directory, based on the samples from the documentation, the webserver first asks me for my certificate, successfully validates it, and *then* asks me for a username/password. I know the certificate is successfully authenticated, as I've modified my CustomLog entry to log the values of SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY, and SSL_CIPHER_USEKEYSIZE.

If I comment out the four lines for network-based access control:

    #Order deny,allow
    #Deny from all
    #Allow from 127.0.0.1
    #Allow from 199.85.99.0/24

then I get my expected behaviour, which is:

- if I give a certificate, I get access
- if I don't give a certificate, I am asked for username/password

Am I being dense about combining access control methods, or is there a bug somewhere?

Thanks in advance,
--
Harald Koch
[EMAIL PROTECTED]

It takes a child to raze a village. -Michael T. Fry

    <Directory /var/www/html/private>
        # any intranet access is allowed
        # but from the Internet only HTTPS + Strong-Cipher + Password
        # or the alternative HTTPS + Strong-Cipher + Client-Certificate

        # If HTTPS is used, make sure a strong cipher is used.
        # Additionally, allow client certs as an alternative to basic auth.
        SSLRequireSSL
        SSLVerifyClient optional
        SSLVerifyDepth 2
        SSLOptions -StrictRequire +OptRenegotiate +StdEnvVars
        SSLRequire ( %{SSL_CIPHER_USEKEYSIZE} >= 128 and %{SSL_CLIENT_VERIFY} eq "SUCCESS" )

        # Allow any of certs, network access or basic auth
        Satisfy any

        # Network Access Control
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from 199.85.99.0/24

        # HTTP Basic Authentication
        AuthType Basic
        AuthName "CFRQ users"
        AuthUserFile /etc/httpd/conf/passwd
        Require valid-user
    </Directory>
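To see what the host-based half of that snippet actually decides, here is an added example that is not code from Harald's or John's posts. It models the documented mod_access evaluation for Order deny,allow and allow,deny together with the Satisfy any/all composition, parses both variants of the access list as they appear above, and runs them against constructed client addresses. It assumes IP-only host specs ("all", full IP, partial IP such as 199.85.99., CIDR, net/mask) and deliberately leaves hostname specs and the SSLRequire/SSLOptions interplay out of scope, so it shows only how a request from outside the listed networks falls through to the password prompt under Satisfy any, and why Order matters.

```python
"""Model of Apache 1.3 mod_access (Order/Allow/Deny) combined with Satisfy.

Added example, not code from the thread.  It implements the evaluation
rules as documented for mod_access and the Satisfy directive so the two
<Directory> snippets in the thread can be compared on sample requests.
Assumptions: only IP-based host specs are modelled; hostname and env=
specs, and the SSLRequire/SSLOptions interplay, are out of scope.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AccessConfig:
    order: str = "deny,allow"          # Apache default
    allow: list = field(default_factory=list)
    deny: list = field(default_factory=list)
    satisfy: str = "all"               # Apache default
    require_user: bool = False         # set when a Require line is present


def parse_directives(text):
    """Extract the access-control directives from a <Directory> body.

    Everything else (SSL*, Auth*, comments, container tags) is skipped.
    """
    cfg = AccessConfig()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        name = parts[0].lower()
        if name == "order" and len(parts) == 2:
            cfg.order = parts[1].lower()
        elif name in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            getattr(cfg, name).extend(parts[2:])
        elif name == "satisfy" and len(parts) == 2:
            cfg.satisfy = parts[1].lower()
        elif name == "require":
            cfg.require_user = True
    return cfg


def host_matches(spec, ip):
    """Does one Allow/Deny host spec match the client IP?"""
    if spec.lower() == "all":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in spec:                                  # CIDR or net/mask
        return addr in ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if all(o.isdigit() for o in octets):             # full or partial IP
        return str(addr).split(".")[:len(octets)] == octets
    return False                                     # hostnames not modelled


def host_allowed(cfg, ip):
    """mod_access verdict for Order deny,allow / allow,deny."""
    allowed = any(host_matches(s, ip) for s in cfg.allow)
    denied = any(host_matches(s, ip) for s in cfg.deny)
    if cfg.order == "deny,allow":
        # Deny first; a matching Allow overrides; nothing matched => allowed
        return allowed or not denied
    # allow,deny: an Allow must match and no Deny may match
    return allowed and not denied


def decide(cfg, ip, authenticated):
    """GRANTED, 401 (password prompt) or 403 for one request."""
    host_ok = host_allowed(cfg, ip)
    if cfg.satisfy == "any":
        if host_ok:
            return "GRANTED"
        if not cfg.require_user:
            return "403"              # nothing else to fall back on
        return "GRANTED" if authenticated else "401"
    if not host_ok:                    # Satisfy all: host check is mandatory
        return "403"
    if cfg.require_user and not authenticated:
        return "401"
    return "GRANTED"


# The two variants from the thread, constructed here with SSL lines omitted.
HARALD_STYLE = """
Satisfy any
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 199.85.99.0/24
AuthType Basic
Require valid-user
"""

JOHN_STYLE = """
Satisfy any
Order deny,allow
Deny from all
Allow from 127.0.0.1 199.85.99.
Require valid-user
"""

if __name__ == "__main__":
    for label, text in (("harald", HARALD_STYLE), ("john", JOHN_STYLE)):
        cfg = parse_directives(text)
        for ip in ("199.85.99.42", "203.0.113.9"):
            print(label, ip, decide(cfg, ip, False), decide(cfg, ip, True))
```

Both access lists give the same answers: a client inside 199.85.99.0/24 is granted without credentials, and a client elsewhere gets a 401 until it presents a valid user. Switching to Satisfy all turns that outside client's result into a 403 regardless of credentials, and the classic "Order allow,deny" plus "Deny from all" combination denies even the listed hosts.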
Red Hat Linux update for Linux Slapper worm
You can disregard the following email if you don't use Red Hat Linux 7.0 and above.

Having waited for an update to openssl from Red Hat, I decided to call them. They've not had anyone ask them for an update, which came as a bit of a shock. I have therefore registered a request to release an update to openssl via their bugzilla site.

For information, the vulnerability that Linux Slapper takes advantage of was fixed in openssl on 30th July. See http://www.cert.org/advisories/CA-2002-23.html for details. The previous openssl errata at http://rhn.redhat.com/errata/RHSA-2002-160.html has no mention of the buffer overflows fixed on July 30th. This package was built on August 1st, so it is unlikely to include the 0.9.6d patches due to the time lag of testing patches by Red Hat.

You can add your comments to the bug report at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=74312. If I haven't heard from them soon, I will probably release an update myself.

- John Airey
Red Hat Linux update for Linux Slapper worm
Further to my previous posting, I have been informed by Red Hat of the following:

> http://rhn.redhat.com/errata/RHSA-2002-155.html was released on the 29th of July and fixed the vulnerability that the Linux Slapper worm takes advantage of. We released a new version of OpenSSL a little later that fixed one of the other vulnerabilities, http://rhn.redhat.com/errata/RHSA-2002-160.html
>
> If you upgraded to either of the OpenSSL errata and followed the instructions about restarting your services you are protected against the Linux Slapper worm.
>
> Just to explain how we can have a fix so quickly - the OpenSSL group gave vendors advance notice of the vulnerabilities, giving us time to prepare updated packages in advance of their advisory.

However, Red Hat (and others such as SuSE) have been very quiet about this. They have not informed CERT or Bugtraq that this vulnerability is fixed in their latest version. I didn't even get told this when I rang their support department.

- John Airey
RE: Red Hat Linux update for Linux Slapper worm
So why do your telephone support people not know about this? They advised me to log it on bugzilla in the first place. Why isn't this page linked to from your errata site? That's where people look for updates. Why no information to CERT or Bugtraq?

You're beginning to make Microsoft look professional, which is a scary thought.

John

-Original Message-
From: Mark J Cox [mailto:[EMAIL PROTECTED]]
Sent: 20 September 2002 12:25
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Red Hat Linux update for Linux Slapper worm

> The previous openssl errata at http://rhn.redhat.com/errata/RHSA-2002-160.html has no mention of the buffer overflows fixed on July 30th. This package was built on August 1st, so it is unlikely to include the 0.9.6d patches due to the time lag of testing patches by Red Hat.

On the www.redhat.com home page you will find a link about the Slapper worm, http://www.redhat.com/support/alerts/linux_slapper_worm.html

Versions of OpenSSL that are not vulnerable to this worm have been available from Red Hat since 29th July 2002. Customers who have kept their systems up to date are not impacted by this worm.

http://rhn.redhat.com/errata/RHSA-2002-155.html was released on the 29th of July and fixed the vulnerability that the Linux Slapper worm takes advantage of. We released a new version of OpenSSL a little later that fixed one of the other vulnerabilities, http://rhn.redhat.com/errata/RHSA-2002-160.html

If you upgraded to either of the OpenSSL errata and followed the instructions about restarting your services you are protected against the Linux Slapper worm.

Thanks, Mark
--
Mark J Cox / Security Response Team / Red Hat
Tel: +44 798 061 3110 // Fax: +44 870 1319174
RE: Apache Operations?
That depends on which firewall you have. Mail me off the list with details and I'll see what I can do to help. I was hoping to speak at this year's ApacheCon on Apache and Firewalls, but it wasn't to be! Maybe next year...

- John Airey

-Original Message-
From: Mark-Nathaniel Weisman [mailto:[EMAIL PROTECTED]]
Sent: 01 September 2002 10:01
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Apache Operations?

This may be a little off topic, but I can't find any other place to post it. I have an Apache web server running inside my network behind a firewall. The firewall is using NATD/IPFW to forward IP packets through based on port address assignment. I'm wondering how I can route a request to a specific domain name from the main web server to another server with a class C address? And only for the singular domain name? Any suggestions?

His humble servant,
Mark-Nathaniel Weisman
President
Outland Domain Group Consulting
Anchorage, AK USA
http://www.outlander.us
RE: problem when i create private key
Try this instead:

    openssl genrsa -des3 -rand file1:file2:file3:file4:file5 -out ca.key 1024

Where file1 to file5 are reasonably random files. Log files are handy for this.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU
Tel.: +44 (0) 1733 375299  Fax: +44 (0) 1733 370848  [EMAIL PROTECTED]
Is the statement 'There is no such thing as truth' true?

-Original Message-
From: Saher [mailto:[EMAIL PROTECTED]]
Sent: 03 July 2002 10:39
To: '[EMAIL PROTECTED]'
Subject: problem when i create private key

Hi,

The problem I have is when I want to create a new RSA private key for our Apache server using this command:

    $ openssl genrsa -des3 -out ca.key 1024

or

    $ openssl genrsa -des3 1024 ca.key

I get this error:

    warning, not much extra random data, consider using the -rand option
    Generating RSA private key, 1024 bit long modulus
    16863:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:538
    16863:error:04069003:rsa routines:RSA_GENERATOR_KEY:BN lib:rsa_gen.c:182

If you have the solution please send it to this email: [EMAIL PROTECTED]

Thanks

__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                         [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

-
NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system.

RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments.

Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB.

RNIB Registered Charity Number: 226227
Website: http://www.rnib.org.uk
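The -rand option and the "PRNG not seeded" error, as an added example that is not part of the original thread (standard library only; the log text is constructed). The script does three things a practitioner would want around the reply above: a quick Shannon-entropy sanity check that rejects seed material that barely varies, a seed file written from the OS randomness source with mode 0600 rather than copied from a log, and the argv for the genrsa command with -rand. Two caveats the thread predates: a web server log is readable by far more than root and is partly written by remote clients, so it is poor seed material even where it passes the entropy check; and OpenSSL 1.1.1 and later seed the PRNG from the operating system on their own, so -rand is only needed on systems with neither /dev/urandom nor getrandom(). The example uses 2048 bits because 1024-bit RSA is below current minimums.

```python
"""Seed material for "openssl genrsa -rand file1:file2:..." (added example).

Not code from the original thread; standard library only. The Shannon estimate
is a cheap sanity check that catches seed files that barely vary (all zeros, a
template) and nothing more: it is an upper bound on what a file could
contribute, not a measure of what an attacker cannot guess. A web server log
is readable by far more than root and partly written by remote clients, so it
fails the second test however well it passes the first; the seed file written
here therefore comes from the OS randomness source instead.
"""
import math
import os
from collections import Counter


def shannon_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution, 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_varied(data: bytes, min_bits_per_byte: float = 6.0) -> bool:
    """Necessary, not sufficient: reject material that is mostly repetition."""
    return shannon_bits_per_byte(data) >= min_bits_per_byte


def write_seed_file(path: str, nbytes: int = 1024) -> str:
    """Write OS randomness to a mode-0600 file usable as a -rand argument."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(os.urandom(nbytes))
    return path


def genrsa_argv(seed_files, out="ca.key", bits=2048):
    """argv for the command in the reply above.

    -rand takes a list separated by the platform's list separator (':' on
    Unix); 2048 bits rather than the thread's 1024, which is below current
    minimums.
    """
    return ["openssl", "genrsa", "-des3", "-rand", ":".join(seed_files),
            "-out", out, str(bits)]


# Constructed sample in the style of an Apache access log: ASCII and repetitive,
# which is why it scores well under 6 bits per byte.
SAMPLE_LOG = b"".join(
    b'10.0.0.%d - - [03/Jul/2002:10:39:%02d +0100] "GET /index.html HTTP/1.0" 200 1234\n'
    % (i % 7, i % 60)
    for i in range(200)
)

if __name__ == "__main__":
    import tempfile

    rnd = os.urandom(4096)
    print("access log : %.2f bits/byte, varied=%s"
          % (shannon_bits_per_byte(SAMPLE_LOG), looks_varied(SAMPLE_LOG)))
    print("os.urandom : %.2f bits/byte, varied=%s"
          % (shannon_bits_per_byte(rnd), looks_varied(rnd)))
    with tempfile.TemporaryDirectory() as d:
        seed = write_seed_file(os.path.join(d, "seed.bin"))
        print(" ".join(genrsa_argv([seed])))
```

Run it and the access-log sample lands around 4 to 5 bits per byte while os.urandom sits just under 8; the point is that passing looks_varied says nothing about secrecy, which is why the seed file is built from os.urandom and created with 0600 before a single byte is written.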
RE: Static Page after SSL Handshake Failure ??
I don't think you can. The handshake has to complete before any other data can be transferred. An incomplete handshake means no connection and hence no data.

However, I think you might be able to connect users with a lower cipher to a different document root and from there direct them elsewhere. I recall this being raised before, so look in the archive of this list.

Users of IIS will notice that the errors returned from the server are becoming more and more meaningless. "The page cannot be displayed" covers up whatever the real error is.

I recommend using curl for testing anyway: http://curl.haxx.se

- John Airey

-Original Message-
From: Marc Buetikofer [mailto:[EMAIL PROTECTED]]
Sent: 02 July 2002 08:31
To: [EMAIL PROTECTED]
Subject: Static Page after SSL Handshake Failure ??

Hi,

Is it possible to return a static page to a browser if an SSL handshake failed? I have in mind the situation when, e.g., a 56-bit browser tries to handshake with an Apache that requires 128 bits. I could not find any directive in the documentation.

Thanks for help!!

Marc
RE: 1 certificate for several sites using redirection ?
There's always the possibility of a wildcard certificate, but you'd need to have the same domain name throughout. Some browsers don't work with them. See www.thawte.com for details.

- John Airey

-Original Message-
From: Peter Viertel [mailto:[EMAIL PROTECTED]]
Sent: 12 June 2002 10:24
To: [EMAIL PROTECTED]
Subject: Re: 1 certificate for several sites using redirection ?

You could do that using reverse proxy, ie mod_proxy. Redirects are not going to help.

Wim Godden wrote:

> Hi,
>
> I'd like to use a certificate to secure several of our subdomains... buying hundreds of certificates is simply too expensive. Is there some way to do this:
>
> - Install certificate on secure.ourdomain.com
> - Let people surf to https://secure.ourdomain.com/other-subdomain.ourdomain.com/what-ever-page.html
>
> Thanks in advance.
>
> Greetings,
> Wim Godden

14th June 2002 is RNIB Look Loud Day - visit http://www.lookloud.org.uk to find out all about it.
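What "the same domain name throughout" means for a wildcard certificate, as an added example that is not code from the original thread. The function below implements the conservative wildcard rules browsers apply today (RFC 6125 section 6.4.3 as the browsers read it: the star must be the whole left-most label, it stands for exactly one label, and neither the bare domain nor a deeper subdomain is covered; partial wildcards such as sec*.ourdomain.com, which the RFC permits and some libraries accept, are rejected). The hostnames are the thread's own. Every mainstream client now accepts wildcard certificates under these rules, so the browser caveat in the reply above no longer applies.

```python
"""Does a certificate name cover a hostname? Wildcard rules as browsers apply them.

Added example, not from the original thread; standard library only. Assumes the
conservative reading of RFC 6125 section 6.4.3: the wildcard must be the entire
left-most label, matches exactly one label, never matches the bare domain, and
must leave at least two fixed labels after it (so "*.com" is refused).
"""


def _normalise(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate name (CN or dNSName SAN) covers hostname."""
    pattern, host = _normalise(cert_name), _normalise(hostname)
    if not pattern or not host or "*" in host:
        return False
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard must be the entire left-most label and appear nowhere else
    # (this rejects partial wildcards such as "sec*.ourdomain.com").
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    # At least two fixed labels after the star: no "*.com".
    if len(p_labels) < 3:
        return False
    # The star stands for exactly one label, so the label counts must agree;
    # that is what excludes "ourdomain.com" and "a.b.ourdomain.com".
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name in the certificate's SAN/CN list covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


WILDCARD_CERT = ["*.ourdomain.com"]
SINGLE_CERT = ["secure.ourdomain.com"]

if __name__ == "__main__":
    for host in ["secure.ourdomain.com", "other-subdomain.ourdomain.com",
                 "ourdomain.com", "a.b.ourdomain.com", "ourdomain.com.evil.example"]:
        print("%-32s wildcard=%-5s single=%s" % (
            host, cert_covers(WILDCARD_CERT, host), cert_covers(SINGLE_CERT, host)))
```

The practical consequence for the thread: one *.ourdomain.com certificate covers secure.ourdomain.com and other-subdomain.ourdomain.com alike, but not ourdomain.com itself (add it as a second SAN) and not anything two labels deep.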
RE: 1 certificate for several sites using redirection ?
Sounds like you have some absolute links rather than relative links. You can also use

    proxypass /test https://other-subdomain.ourdomain.com

if the data needs to be secured between the proxy and the destination server.

- John Airey

-Original Message-
From: Wim Godden [mailto:[EMAIL PROTECTED]]
Sent: 12 June 2002 11:06
To: [EMAIL PROTECTED]
Subject: Re: 1 certificate for several sites using redirection ?

    proxypass /test http://other-subdomain.ourdomain.com

doesn't work properly... I get errors about the images being insecure and all links point to the wrong position.

Peter Viertel wrote:

> You could do that using reverse proxy, ie mod_proxy. Redirects are not going to help.
>
> Wim Godden wrote:
>
> > Hi,
> >
> > I'd like to use a certificate to secure several of our subdomains... buying hundreds of certificates is simply too expensive. Is there some way to do this:
> >
> > - Install certificate on secure.ourdomain.com
> > - Let people surf to https://secure.ourdomain.com/other-subdomain.ourdomain.com/what-ever-page.html
> >
> > Thanks in advance.
> >
> > Greetings,
> > Wim Godden

--
Adverteren.be - 100% Dutch-language advertising on high-quality sites!
RE: RHL7.0 with openssl0.9.5a 0.9.6
Why did you forcibly install and upgrade the packages? Were there error messages without it?

The ONLY time I'd ever forcibly install a package is if it was already installed according to the RPM database but files were damaged. This is because certain packages (eg openssl) cannot be removed and reinstalled because of the number of dependencies on them. Likewise, I'd never use --nodeps without a really really good reason.

- John Airey
If Charles Darwin knew a fraction of what scientists know today, he'd never have written the Origin of the Species.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 07 June 2002 20:10
To: [EMAIL PROTECTED]
Subject: RHL7.0 with openssl0.9.5a 0.9.6

I just upgraded my openssl and then sent a SIGHUP to httpd and I got the following error:

    Syntax error on line 265 of /etc/httpd/conf/httpd.conf:
    Cannot load /etc/httpd/modules/libssl.so into server: symbol __sysconf, version GLIBC_2.2 not defined in file libc.so.6 with link time reference

The system is running RHL7.0. Before the upgrade everything was working fine (including the SSL module). We had openssl-0.9.5a-14 installed. Then for the upgrade I performed the following:

    rpm -ivh --force openssl095a-0.9.5a-9.i386.rpm
    rpm -Uvh --force openssl-0.9.6-9.i386.rpm

(for your info: openssl095a is the same as openssl-0.9.5a, just different names; they include the same files so you can have both 0.9.5a and 0.9.6 installed at the same time. It's an RPM versioning issue)

So in the /usr/lib directory there is libssl.so.0 and libssl.so.1 (this is compatibility for other programs). But now on restart of httpd I received the above error. Anybody have ideas?

Thanks,
Ben
RE: Server stops serving
I tried exactly the same on RedHat 7.2, with the same result. If there is a way round this I'd like to know as well, as for now I've given up on Apache 2.0 with RedHat 7.2.

Out of interest, is the user and group set to apache in the httpd.conf file? Does the apache user and group exist? Finally, have you removed (or not installed) the apache rpm that comes with Red Hat 7.2?

Thanks.

John

-Original Message-
From: Thomas Gagne [mailto:[EMAIL PROTECTED]]
Sent: 06 June 2002 13:20
To: [EMAIL PROTECTED]
Subject: Re: Server stops serving

There was a post in usenet about this issue. I'll forward one of the last messages with some of the history. It should help.

Loren K. Louthan wrote:

> Hello,
>
> Hopefully, this will ring a bell for someone:
>
> My secure server starts up with no problem. It serves pages for 5 mins., 10 mins., sometimes even a half-hour. Eventually, however, it stops serving pages. The clients will see "Opening page *server-address*", or "Requesting page from *server-address*". But the page never shows up, it is blank. And we don't get any time-out error messages, either.
>
> At about the time this happens, I get the following in my ssl_engine_log file:
>
>     [05/Jun/2002 11:22:35 09388] [info] Connection to child 10 established (server www.MYDOMAINNAME.com:443, xxx.xxx.xxx.xxx)
>     [05/Jun/2002 11:22:35 09388] [info] Seeding PRNG with 136 bytes of entropy
>     [05/Jun/2002 11:22:36 09388] [warn] Failed to acquire global mutex lock
>     [05/Jun/2002 11:22:36 09388] [warn] Failed to release global mutex lock
>
> Now, in %server-root%/logs (the path specified in httpd.conf) there is a ssl_mutex file, but it is empty. There is no relevant error in either the server's or system error logs.
>
> Server config is:
>     Apache version:  2.0.36
>     mod_ssl version: 2.8.7-4
>     openssl version: 0.9.6b-18
>
> System is RedHat 7.3. Apache was built from source tarball; openssl is from the RPM that installs w/RH 7.3.
>
> I can send httpd.conf settings, if necessary.
>
> Thanks in advance,

--
.tom
RE: Installing ModSSL Question
You have two other options (at least).

1. Download the Apache-mod_ssl rpm from http://www.modssl.org/contrib/
2. Upgrade to RedHat 7.0 or above, as this comes with it.

Either way, keep a backup of your httpd.conf file, just in case.

- John Airey

-Original Message-
From: Don [mailto:[EMAIL PROTECTED]]
Sent: 04 June 2002 15:41
To: [EMAIL PROTECTED]
Subject: Installing ModSSL Question

Hi,

I'm new to this so please bear with me. I am running RedHat Linux 6.2 with Apache 1.3.22 and OpenSSL 0.9.6d. I wish to install ModSSL so that I can secure my web site. I have downloaded the mod_ssl-2.8.5-1.3.22 tarball from the web site. Upon reading the documentation, I find that I need to recompile Apache with additional configuration options in order to install ModSSL.

Here is my dilemma. I never compiled Apache from source but rather installed from rpm packages. Therefore, there doesn't seem to be any way I can install ModSSL. I've looked at the FAQ but can see no hints on installing ModSSL once Apache is installed. Neither have I found any ModSSL rpm package.

I DON'T want to download the Apache tarball and compile/install if I can help it because RedHat is a bit screwy as it uses its own directories. Installing Apache from the tarball will undoubtedly mess up my system as it will install in other directories and confuse the hell out of me.

Do I have other options?

Thanks,
Don
RE: Performance Tuning on Apache 1.3.24 with mod_ssl 2.8.8
-Original Message-
From: Cliff Woolley [mailto:[EMAIL PROTECTED]]
Sent: 30 May 2002 23:59
To: [EMAIL PROTECTED]
Subject: Re: Performance Tuning on Apache 1.3.24 with mod_ssl 2.8.8

> On Thu, 30 May 2002, Patrick Dionisio wrote:
>
> > Currently, I have a client script that generates n number of requests to the apache server. The page it requests is a static page. With SSL turned on, I'm only able to get at most 7 to 8 requests per second. With SSL turned off, I am able to get 50+ requests per second.
>
> Wow, that's still incredibly slow. What kind of CPU and how much RAM are we talking about here? With SSL turned off you should be able to pump out way more RPS than that on a static page. I suggest you tune that first (you should be looking for a number in the hundreds of RPS at least), and *then* focus on SSL. See:
>
>     http://httpd.apache.org/docs/misc/perf-tuning.html
>
> Upgrading to Apache 2.0.x might help, too. :)

Upgrading to Apache 2.0.x on the user's platform (I guess it's Red Hat 7.2) is particularly hard. I spent a week trying this out recently but kept running into problems with openssl libraries and pre-compiled packages. I used both an rpm that had already been built for Apache 2 (after creating symlinks to the openssl libraries), and compiled openssl and Apache 2 from source. In both cases I could send one request for a secure page, but all subsequent requests hung completely. Until Red Hat can release an rpm that works with their other rpms I'd suggest that Apache 2 on that platform is still a bit of a pipe-dream.

It's now my preference to stay with pre-compiled packages wherever I can, simply because it is easier for me to administer (but I don't want to start another discussion on that either!)

Which brings me to the point. Are you using the packages that came with RedHat 7.2, or compiling your own? In the latter case, you may be seeing conflicts with the openssl libraries that come with Red Hat 7.2. I've had no difficulties with the packages that come with Red Hat 7.2 thus far.

- John Airey
RE: Runs on local...but can't see it anywhere else
A small correction, RedHat Linux is still using ipchains.

    ipchains -L

from the command line as root will show if you have any ipchains rules. The simplest way to fix this is to type setup, go into firewall configuration and make the interface trusted. It does neuter ipchains somewhat though.

- John Airey

-Original Message-
From: Peter Viertel [mailto:[EMAIL PROTECTED]]
Sent: 17 May 2002 10:45
To: [EMAIL PROTECTED]
Subject: Re: Runs on local...but can't see it anywhere else

You say you can connect to the 'actual server address' while on the actual machine but not from across the network. You do not say which operating system you're using - but if it's redhat linux for example, perhaps you've got iptables rules. Otherwise is network routing ok, like does the machine have its default route set correctly?

Alex Earl wrote:

> Hi! First off I would like to thank you for your help and knowledge! I enjoy this forum a lot!
>
> I have set up mod_ssl with Apache 1.3 and everything seems to run just fine on the local machine. I can curl https://localhost (and the actual server address) and get the right stuff... but when I try to access it from anywhere else I get a "server not found" error. Any ideas?!
>
> Thanks!
> Alex Earl
RE: IE 5.00 - 5.01 SSL Connection Failures
Just to concur with Jeff, IE5.00 is useless. At the end of June Microsoft are dropping support for IE5.01SP2. I can't remember right now where I found that out, and

    http://support.microsoft.com/default.aspx?scid=%2fdefault.aspx%3fscid%3dfh%3ben-us%3bobsprodi

doesn't list IE5.01 as obsolete, although IE5.5SP2 is listed as a replacement for other versions of IE. Of course, the obsolete list is incomplete anyway (Office 97 is missing, as was mentioned in this week's Woody's Office Watch. I'm the one who got it in there).

A minimum of IE5.5SP2 is required now, although of course people will be using older versions. As an organisation we are dependent on IE (since we use VBScript a lot) and so we are moving up to IE5.5SP2 gradually.

Having said that, I've just posted to Bugtraq a comment that the latest update (MS02-023, or Q321232 depending on your preferences) is refusing to install on some Windows 2000 machines. Don't we just love Microsoft?

- John Airey

-Original Message-
From: Jeff [mailto:[EMAIL PROTECTED]]
Sent: 17 May 2002 13:51
To: [EMAIL PROTECTED]
Subject: RE: IE 5.00 - 5.01 SSL Connection Failures

MS IE 5.00 was a flawed release, that MS very quickly (4 weeks) replaced

[snip]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Louis Sabet
Sent: 17 May 2002 13:29
To: [EMAIL PROTECTED]
Subject: IE 5.00 - 5.01 SSL Connection Failures

Hi List,

I work for a mobile phone retail company in the UK - www.mobiles.co.uk

Recently we discovered that several of our customers were unable to complete the secure portions of their orders. The only common factor with all these problems was that all customers were using IE 5.00 to IE 5.01. Under Internet Explorer they receive "Page Cannot Be Found". With Netscape all works fine, and with all other recent Internet Explorer versions a successful connection can be made.

I found nothing useful on the Microsoft site other than this:

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;q244302

It may be the root of the problem, but we cannot ask the 33% of our customers who use IE5 to patch their machines before accessing our site. It is obvious that MOST connections to https sites can be made from IE5, or it would have been better documented.

I contacted Verisign to find out if there was a reason some certificates were usable with IE5, and others weren't, but I found their technical support to be quite useless.

My last option is to ask you guys whether this could be a configuration issue - or whether there is some configuration tweak I can make to get around this problem for our IE5 users.

Best regards,
Louis

--
Louis Sabet
[EMAIL PROTECTED]
http://www.webtedium.com/
RE: [BugDB] mod_ssl.so does not load (again, sorry) (PR#704)
I believe you need openssl installed as you do with the Apache 1.3 mod_ssl combination. At the very least you need /lib/libcrypto.so.0 and /lib/libssl.so.0.

John

-Original Message-
From: Frederik Uyttersprot [mailto:[EMAIL PROTECTED]]
Sent: 16 May 2002 12:26
To: [EMAIL PROTECTED]
Subject: Re: [BugDB] mod_ssl.so does not load (again, sorry) (PR#704)

Oops,

Let me correct myself... only no-ssl binaries on httpd.apache.org for now. Guess someone should compile it for you then (if possible at all).

Sorry,
-FU

- Original Message -
From: Uyttersprot Frederik [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 16, 2002 1:15 PM
Subject: Re: [BugDB] mod_ssl.so does not load (again, sorry) (PR#704)

Hello Dimitri,

Did you give the Apache 2.0.36 binaries a try? It should have mod_ssl compiled into it by default as far as I know. I managed to get all the ssl stuff and more working on Solaris, so that won't be of any good for you.

Greets,
Frederik.

ps. small world euh :-)

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, May 15, 2002 2:28 AM
Subject: [BugDB] mod_ssl.so does not load (again, sorry) (PR#704)

Full_Name: Dimitri Pochet
Version: Apache_1.3.24-Mod_SSL_2.8.8-OpenSSL_0.9.6c-WIN32.zip
OS: NT4 SP6a
Submission from: (NULL) (217.136.205.41)

Steps to reproduce:

Installation of Apache, key generation and installation of modSSL, according to http://tud.at/programm/apache-ssl-win32-howto.php3
libeay.dll and ssleay.dll copied in winnt/system32. Earlier such files (from teraterm ttssh) removed.
openssl.exe in the path (and runnable from any working dir).
httpd.conf was edited according to the install page above, including AddModule and LoadModule.

Symptom:

    Syntax error on line 173 of C:/Program Files/Apache Group/Apache2/conf/httpd.conf:
    Cannot load C:/Program Files/Apache Group/Apache2/modules/mod_ssl.so into server: The specified module could not be found.

log levels set to debug.

Error logs:
    Nothing in event DB
    Nothing in error.log (except half a timestamp)
    Nothing in access.log except my successful attempts on port 80
    No ssl.log has been created

Tried to use a strace on apache.exe, no success. Then, tried using earlier versions of apache+modssl, same error. Unfortunately I do not know C, otherwise I would have tried adding debug info from the .so. Given up, time to beg for help.

Question: apart from solving this problem, which looks uneasy when I see the unanswered rfh on the web, is there a way to activate some debug on loading of dso modules? What about the new apache versions? Any intention to follow them up?
RE: Proxying problem - a little off topic
Answering my own post, the line

RequestHeader unset Authorization

in Apache 2.0.36 config fixes this issue. I've also been sent a dirty hack of mod_proxy from someone else to do the same. Perhaps putting the line "a little off topic" in my post stopped everyone reading it!

John

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 15 May 2002 10:00
To: [EMAIL PROTECTED]
Subject: Proxying problem - a little off topic

I currently use basic auth over SSL to connect to our Intranet site (https://iris.rnib.org.uk). This has worked fine for many years, however, we need to move to a new system that runs on IIS (stellent, formerly xpedio), although some content will remain on Apache.

[snip]
Proxying problem - a little off topic
I currently use basic auth over SSL to connect to our Intranet site (https://iris.rnib.org.uk). This has worked fine for many years, however, we need to move to a new system that runs on IIS (stellent, formerly xpedio), although some content will remain on Apache. To keep it under some kind of control, I'm only proxying certain extensions as follows:

RewriteEngine on
# Redirect home page
RewriteRule ^/$ http://dilbert/xpedio/groups/public/documents/iris/iriswelcome.hcsp [P,L]
# Redirect hcsp,htm,css and js pages
RewriteRule ^/xpedio/(.*)\.hcsp(.*)$ http://dilbert/xpedio/$1.hcsp$2 [P,L]
RewriteRule ^/xpedio/(.*)\.htm(.*)$ http://dilbert/xpedio/$1.htm$2 [P,L]
RewriteRule ^/xpedio/(.*)\.css$ http://dilbert/xpedio/$1.css [P,L]
RewriteRule ^/xpedio/(.*)\.js$ http://dilbert/xpedio/$1.js [P,L]
# Redirect images
RewriteRule ^/xpedio/(.*)\.gif$ http://dilbert/xpedio/$1.gif [P,L]
RewriteRule ^/xpedio/(.*)\.jpg$ http://dilbert/xpedio/$1.jpg [P,L]
RewriteRule ^/xpedio/(.*)\.png$ http://dilbert/xpedio/$1.png [P,L]
# Redirect one and only one cgi script!
RewriteRule ^/intradoc-cgi/idc_cgi_isapi.dll(.*)$ http://dilbert/intradoc-cgi/idc_cgi_isapi.dll$1 [P]

However, what happens is that the username and password used to log into Apache are passed to the ISAPI filter on the IIS box. This then sends its authentication realm with its request for the correct password. Unless the username and password exist on both machines, you cannot access the content externally. The Stellent system has a limit of 50 registered users, whereas we have over 200 people who access our Intranet remotely.

I've been spending weeks reading through the mod_header, mod_proxy and mod_rewrite documentation and I can't see any way to stop the username and password being passed via mod_proxy. I've been testing it out as well. I think this is something that Ralf might be able to answer as he wrote the mod_rewrite module (great work Ralf).

Of course, there may be others on this list that have come across this problem before or are a bit brighter than me (that wouldn't take much). It might mean that I have to use the Request Header feature of Apache 2.0.

I say this is a little off topic, as it is really a problem with having to use the evil IIS. Despite writing a paper six weeks before Code Red hit saying that IIS is not safe to use, some people still insist on using it.

(Apologies for the bad word-wrapping).

-
John Airey
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]

If Charles Darwin knew a fraction of what scientists know today, he'd never have written the Origin of the Species.
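The proxying rules above, together with the RequestHeader unset Authorization fix from the follow-up, modelled in Python as an added example. This is not code from the post, from Apache or from Stellent; it mirrors each RewriteRule ... [P] line as a regular expression, routes a request path the same way, and drops the front-end Basic credentials before anything is forwarded, which is the leak the post describes. The backend name dilbert, the paths and the extensions come from the post; the sample request (user john:secret) is constructed for the demonstration.

```python
"""Added example (not from the post, Apache or Stellent): a model of the
extension-based proxy rules with the follow-up's fix applied, i.e. the
Authorization header sent to the Apache front end is dropped before the
request goes to the IIS backend. Backend name, paths and extensions are the
post's; the sample request is constructed."""
import re

BACKEND = "http://dilbert"

# Each (pattern, replacement) mirrors one RewriteRule ... [P] line from the
# post; Python's \1 stands for mod_rewrite's $1.
PROXY_RULES = [
    (r"^/$", "/xpedio/groups/public/documents/iris/iriswelcome.hcsp"),
    (r"^/xpedio/(.*)\.hcsp(.*)$", r"/xpedio/\1.hcsp\2"),
    (r"^/xpedio/(.*)\.htm(.*)$", r"/xpedio/\1.htm\2"),
    (r"^/xpedio/(.*)\.css$", r"/xpedio/\1.css"),
    (r"^/xpedio/(.*)\.js$", r"/xpedio/\1.js"),
    (r"^/xpedio/(.*)\.(gif|jpg|png)$", r"/xpedio/\1.\2"),
    (r"^/intradoc-cgi/idc_cgi_isapi\.dll(.*)$", r"/intradoc-cgi/idc_cgi_isapi.dll\1"),
]

# What `RequestHeader unset Authorization` removes before mod_proxy forwards.
STRIPPED_HEADERS = {"authorization"}


def route(path):
    """Backend URL for a request path, or None when the path is served locally.

    Only the path is matched, as RewriteRule does; the caller re-attaches
    any query string."""
    for pattern, replacement in PROXY_RULES:
        if re.match(pattern, path):
            return BACKEND + re.sub(pattern, replacement, path)
    return None


def parse_request(raw):
    """Split a constructed HTTP/1.x request head into method, target, headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def forwarded_headers(headers):
    """Headers that may travel to the backend; the front-end credentials do not."""
    return {name: value for name, value in headers.items() if name not in STRIPPED_HEADERS}


def proxy_plan(raw):
    """Decide what the front end would do with one request.

    Returns None when the request is not proxied, otherwise a dict with the
    backend URL and the headers that would be forwarded."""
    method, target, headers = parse_request(raw)
    path, sep, query = target.partition("?")
    url = route(path)
    if url is None:
        return None
    return {"method": method, "url": url + sep + query, "headers": forwarded_headers(headers)}


# Constructed request: a user who authenticated to the Apache front end with
# Basic auth (john:secret) asks for a page that the rules send to the IIS box.
SAMPLE_REQUEST = (
    b"GET /xpedio/groups/public/documents/iris/page.htm?view=1 HTTP/1.1\r\n"
    b"Host: iris.rnib.org.uk\r\n"
    b"Authorization: Basic am9objpzZWNyZXQ=\r\n"
    b"User-Agent: constructed-sample/1.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(proxy_plan(SAMPLE_REQUEST))
```

Run it and the planned request to dilbert carries the Host and User-Agent headers but no Authorization header, so the IIS side sees an anonymous request and can issue its own challenge without the front-end credentials ever leaving Apache. Paths that match none of the rules (anything outside /xpedio/ or with an extension not listed) return None and stay on the local server, which is the "keep it under some kind of control" part of the post.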
Test message
The list has been quiet for nearly six hours. I'm getting concerned (especially as I've not had a response to the last post). Oh well, off to compile Apache 2.0 I go.

-
John Airey
RE: Re: WIN32-apache 1.3.x (windows NT) problem of serving concurrent https requests
-----Original Message-----
From: Johannes Bertscheit [mailto:[EMAIL PROTECTED]]
Sent: 04 May 2002 18:27
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Re: WIN32-apache 1.3.x (windows NT) problem of serving concurrent https requests

[snip]

No question: I would also prefer to develop under LINUX SOO MUCH (!) but I have no choice: the project is bound to windows NT hosts and I was not able to convince the company to take LINUX (or UNIX) - I tried all the arguments as you stated above. So what I need are other people with the same problem, that they MUST develop under windows NT and have a RELIABLE apache running on such a machine. Are there any people out there - stating that they have an apache mod_ssl running on windows NT RELIABLY???

johannes

We have an expression in the UK that you can't make a silk purse out of a sow's ear. I have had blue screens logging in with Windows NT and reboots on logging in to Windows 2000, both fully patched. We are regularly rebooting our Windows NT servers on an almost monthly basis. If you look at Microsoft's own web site via Netcraft (www.netcraft.co.uk), you'll see that none of their servers has run for more than about 90 days. One server managed to get to 143 days before a reboot. So much for 99.999% availability. They boasted that they'd run 99.98% availability during the Winter Games, which sounds good till you realise that this is over a period of about two weeks. You don't hear them talk about the five nines any more, simply because they can't do it.

If you look at our site, www.rnib.org.uk, you'll see we just passed 150 days. It would have been longer if it weren't for a power cut. I've had a Linux server pass 497 days uptime, before it was moved to a new site:

2:43pm up 497 days, 2:27, 0 users, load average: 0.00, 0.00, 0.00
2:44pm up 0 min, 0 users, load average: 0.00, 0.00, 0.00

The uptime counter on Linux resets after 497 days, whereas on NT it resets after 49.7 days. It's still possible to track uptime for longer though.

The longest uptimes in the world are nearly all Apache servers on BSD or IRIX (http://uptime.netcraft.com/up/today/top.avg.htm). You won't find an NT server staying up for long. What is running on the host is irrelevant. We use Samba to publish our web pages from Windows clients. We have had occasional Samba crashes, but the web server has been totally reliable. In over six years, I've seen only one spurious crash of the web server; all other downtime has been for maintenance.

Why spend money on Microsoft's licenses, when you can install Linux or any other type of UNIX for far less money? In Latin you would say res ipsa loquitur (I'm not sure of the spelling, but it means the thing speaks for itself. It's used a lot in law).

-
John Airey
RE: Repudiability
-----Original Message-----
From: Andrew McNaughton [mailto:[EMAIL PROTECTED]]
Sent: 06 May 2002 16:55
To: [EMAIL PROTECTED]
Subject: Repudiability

Suppose someone refutes that they have sent information to a Web site owner, how is the Web site owner to prove that the information was in fact received and that it was signed with a given key? To do this, the Web site owner would presumably need to be able to produce the still-encrypted post as sent by the user, but from a quickish reading of the mod_ssl reference, I don't see any way to log this information.

Andrew McNaughton

Provided you know the time of the transaction, the web server logs will give you details of the IP address all the web transactions are coming from. You can find who owns this IP address via the Ripe (www.ripe.net), Arin (www.arin.net) or Apnic (www.apnic.net) websites. From this you can find which ISP this address belongs to, and that ISP can verify who was using that IP address at the time. How much assistance you receive from each ISP will vary. That may give you sufficient information to press a case against the person who alleges they didn't access your website, but IANAL.

I'm not sure what you mean about information being signed with a given key. Do you mean a personal key like a digital signature, or do you mean the SSL key?

-
John Airey
RE: Repudiability
-----Original Message-----
From: Balázs Nagy [mailto:[EMAIL PROTECTED]]
Sent: 07 May 2002 14:58
To: [EMAIL PROTECTED]
Subject: Re: Repudiability

[EMAIL PROTECTED] wrote:

Suppose someone refutes that they have sent information to a Web site owner, how is the Web site owner to prove that the information was in fact received and that it was signed with a given key? To do this, the Web site owner would presumably need to be able to produce the still-encrypted post as sent by the user, but from a quickish reading of the mod_ssl reference, I don't see any way to log this information.

Andrew McNaughton

Provided you know the time of the transaction, the web server logs will give you details of the IP address all the web transactions are coming from. You can find who owns this IP address via the Ripe (www.ripe.net), Arin (www.arin.net) or Apnic (www.apnic.net) websites. From this you can find which ISP this address belongs to, and that ISP can verify who was using that IP address at the time. How much assistance you receive from each ISP will vary. That may give you sufficient information to press a case against the person who alleges they didn't access your website, but IANAL.

John, unfortunately IP hijacking is so trivial (see threads on Bugtraq) that this method will not work with reasonable certainty.

I don't think the question involved IP address hijacking, but I take your point. I also forgot to factor in AOL users who apparently (urban myth?) change IP addresses every few seconds. I haven't seen anything on Bugtraq recently about IP hijacking, but then again I delete more emails from Bugtraq than I do from this list.

-
John Airey
RE: 128 bit key
When you say you need to create a 128bit key, what are you referring to? I believe you are confusing the 128bit (or less if your browser is an old export-crippled one) generated SSL key per SSL session with the actual server key. Anything less than a 1024 bit server key is a waste of time, given that 512bit keys are now breakable via desktop machines. Allegedly the US Government has the power to break 1024 bit keys. There's been a lot of discussion about this on Bugtraq recently.

-
John Airey

-----Original Message-----
From: Robert Durdle [mailto:[EMAIL PROTECTED]]
Sent: 18 April 2002 21:06
To: [EMAIL PROTECTED]
Subject: 128 bit key

Hi,

I need to create a 128 bit key, but when I try to, it throws this at me.

11663:error:04075070:rsa routines:RSA_sign:digest too big for rsa key:rsa_sign.c:114:
11663:error:0D072006:asn1 encoding routines:ASN1_sign:bad get asn1 object call:a_sign.c:129:

I need it to create a 128 bit key due to an employer's special needs, a 1024 bit one would be useless to me :/

-
Robert
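The first error line quoted in the post, RSA_sign:digest too big for rsa key, is a size check, and the arithmetic behind it is worth seeing once. This is an added example, not code from the post or from OpenSSL: RSA_sign wraps the message digest in a DER DigestInfo structure and pads it per PKCS#1 v1.5 (RFC 3447, section 9.2), so the modulus must be at least 11 bytes longer than that structure; a 128-bit modulus is 16 bytes and cannot hold even the 34-byte MD5 DigestInfo, which is why the request to sign a certificate fails. The DigestInfo prefixes are the standard encodings from RFC 3447; the hash inputs are constructed.

```python
"""Added example, not from the list post or from OpenSSL: the size arithmetic
behind 'RSA_sign:digest too big for rsa key'. RSA_sign signs T = DigestInfo
prefix || Hash(m) after PKCS#1 v1.5 padding (RFC 3447, section 9.2), so a
k-byte modulus must satisfy k >= len(T) + 11. The prefixes are the standard
RFC 3447 encodings; the hashed inputs are constructed."""
import hashlib

# DER prefix of DigestInfo for each hash (RFC 3447, section 9.2, note 1).
DIGEST_INFO_PREFIX = {
    "md5": bytes.fromhex("3020300c06082a864886f70d020505000410"),
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}
# 0x00 0x01, at least eight 0xFF bytes, 0x00: OpenSSL's RSA_PKCS1_PADDING_SIZE.
PKCS1_PADDING_SIZE = 11


def digest_info(hash_name, data):
    """T = DigestInfo prefix || Hash(data)."""
    return DIGEST_INFO_PREFIX[hash_name] + hashlib.new(hash_name, data).digest()


def min_modulus_bytes(hash_name):
    """Smallest RSA modulus, in bytes, that RSA_sign will accept for this hash."""
    t_len = len(DIGEST_INFO_PREFIX[hash_name]) + hashlib.new(hash_name).digest_size
    return t_len + PKCS1_PADDING_SIZE


def min_modulus_bits(hash_name):
    """Same limit expressed in bits."""
    return 8 * min_modulus_bytes(hash_name)


def rsa_sign_rejects(key_bits, hash_name):
    """True when a key of this size fails with 'digest too big for rsa key'.

    RSA_size() is the modulus length rounded up to whole bytes, so compare
    in bytes, as OpenSSL does."""
    return (key_bits + 7) // 8 < min_modulus_bytes(hash_name)


def emsa_pkcs1_v15_encode(hash_name, data, k):
    """EM = 0x00 || 0x01 || PS || 0x00 || T for a k-byte modulus (RFC 3447 9.2).

    Raises ValueError in exactly the case OpenSSL reports as
    'digest too big for rsa key'."""
    t = digest_info(hash_name, data)
    if k < len(t) + PKCS1_PADDING_SIZE:
        raise ValueError("digest too big for rsa key")
    ps = b"\xff" * (k - len(t) - 3)  # at least 8 bytes once the check passes
    return b"\x00\x01" + ps + b"\x00" + t


if __name__ == "__main__":
    for name in DIGEST_INFO_PREFIX:
        print(f"{name}: modulus must be at least {min_modulus_bits(name)} bits")
    print("128-bit key with MD5 rejected:", rsa_sign_rejects(128, "md5"))
```

The numbers make John's point from the other direction: the 128 bits in the original question belong to the symmetric session key negotiated per connection, not to the RSA server key, and no RSA key small enough to be called "128 bit" can even carry a PKCS#1 v1.5 signature, let alone resist factoring.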
RE: new rpm for apache-mod_ssl?
I've attached the email notification from Red Hat about the latest rpm for mod_ssl (I did this in Outlook, so probably no-one else can read it). Unless you are running client certificates, there's no rush to put this on your system.

-
John Airey

-----Original Message-----
From: Rick Goyette [mailto:[EMAIL PROTECTED]]
Sent: 07 March 2002 16:02
To: [EMAIL PROTECTED]
Subject: new rpm for apache-mod_ssl?

I am running apache-mod_ssl-1.3.20.2.8.4-2, and I like it very much. It is a complete package of apache and ssl, and, as it was packaged into a RedHat rpm, was easy to install. However, the recent security advisory concerning the buffer overflow in mod_ssl (appended below) demonstrates my need for an update. I am unable to locate an rpm which corrects this problem. Is there another way to correct this, short of uninstalling apache-mod_ssl and then installing apache-1.3.23 and mod_ssl-2.8.7-1.3.23 separately?

INFORMATION BULLETIN
mod_ssl and Apache_SSL Modules Contain a Buffer Overflow
[CERT Vulnerability Note VU#234971]
March 6, 2002 00:00 GMT
Number M-053

PROBLEM: There is a remotely exploitable buffer overflow in two modules that implement the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocol.
PLATFORM: mod_ssl in all versions prior to 2.8.7-1.3.23. Apache-SSL in all versions prior to 1.3.22+1.4.6.
DAMAGE: An attacker may be able to execute arbitrary code on the system with the privileges of the ssl module.
SOLUTION: Upgrade to mod_ssl 2.8.7 or Apache_SSL 1.3.22+1.46, or apply the patch provided by your vendor.

VULNERABILITY ASSESSMENT: The risk is MEDIUM. To exploit the overflow, the server must be configured to allow client certificates, and an attacker must obtain a carefully crafted client certificate that has been signed by a Certificate Authority (CA) which is trusted by the server.

--
R. J. Goyette
Argonne National Laboratory
[EMAIL PROTECTED]
http://www.pns.anl.gov

---BeginMessage---
-
Red Hat, Inc. Red Hat Security Advisory

Synopsis: Updated mod_ssl packages available
Advisory ID: RHSA-2002:041-08
Issue date: 2002-03-01
Updated on: 2002-03-06
Product: Red Hat Linux
Keywords: mod_ssl buffer overflow session cache
Cross references: RHSA-2002:042
Obsoletes: RHSA-2001:126
-

1. Topic:

Updated mod_ssl packages for Red Hat Linux 7, 7.1, and 7.2 are available which close a buffer overflow in mod_ssl.

2. Relevant releases/architectures:

Red Hat Linux 7.0 - alpha, i386
Red Hat Linux 7.1 - alpha, i386, ia64
Red Hat Linux 7.2 - i386, ia64

3. Problem description:

When session caching is enabled, mod_ssl will serialize SSL session variables to store them for later use. Unpatched versions
RE: MSIE broken SSL implementation - problems with mod_ssl / openssl
Just to throw my bit into the mix, this should also be resolved with SP2 for IE5.01. I believe this kb article predates that. This article was published in December 1999, and last modified 17th September 2001. IE 5.01 SP2 was released on June 19th 2001 (http://www.microsoft.com/windows/ie/downloads/recommended/ie501sp2/default.asp). I can't find a definitive answer on the MS site, like a list of bugs fixed with SP2. IE5.01SP2 is apparently the lowest supported browser by MS now.

-
John Airey

-----Original Message-----
From: Carl D'Halluin [mailto:[EMAIL PROTECTED]]
Sent: 08 March 2002 13:15
To: Christopher Taranto; [EMAIL PROTECTED]
Subject: Re: MSIE broken SSL implementation - problems with mod_ssl / openssl

Hello Christopher,

I looked around on the www and this is our official statement towards our customers. Maybe you can re-use it :-)

SSL Problem with certain versions of Internet Explorer / Internet Information Server

Certain versions of Internet Explorer contain bugs which cause an incompatibility with all servers having an SSL implementation based on openssl. This includes all Apache webservers and commercial products based on Apache, such as certain Oracle servers, Ubizen DMZ/Shield 3.0 and higher, and many other products. This bug may also affect certain low-crypto distributions of Internet Information Server.

Typical error messages experienced by the clients are:

Internet Explorer 4.x: The server returned an invalid or unrecognized response
Internet Explorer 5.x: Cannot find server or DNS Error

The bugs are caused by a certain Windows dll file, which influences all SSL software on the client machines (or on the IIS server machine). The bug has been around for more than two years, and Microsoft is well aware of this problem. They admit their mistake and have an entire support page dedicated to it, containing a patch. Customers experiencing problems with Internet Explorer when using SSL are recommended to go to the Microsoft patch page, and to install the fix. The bug and its patch are very clearly documented at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q247367

---
Greetings,
Carl

Christopher Taranto wrote:

Hi Carl,

Unfortunately, I have had no luck in tracking down or fixing this problem. And it's really a big problem in my opinion. I haven't had enough time to really dig deep on using openssl to debug the connection - but I don't really know what I would be looking for specifically. Fortunately (I guess, otherwise I would have a special bald spot on my head!), I have access to a broken MSIE browser available in my office that I can use to repeatedly test the server for errors - so there is a way of trying to find the problem.

Here is what I have tried:

openssl s_server -accept 4443 -WWW -cert /usr/local/apache/conf/ssl.crt/www.condoms.net.crt -key /usr/local/apache/conf/ssl.key/www.condoms.net.key -state -debug

When I use this, I get this:

Using default temp DH parameters
ACCEPT

and the system waits for me forever - and I am not sure what to put in.

openssl s_client -connect condoms.net:443
CONNECTED(0003)
depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=San Francisco/O=Condom Sense/OU=DN/CN=www.condoms.net
   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID0zCCA0CgAwIBAgIQWlU/retDZkl/izm7HTNt4TANBgkqhkiG9w0BAQQFADBf
MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXUlNBIERhdGEgU2VjdXJpdHksIEluYy4x
LjAsBgNVBAsTJVNlY3VyZSBTZXJ2ZXIgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNMDExMTI1MDAwMDAwWhcNMDIxMTI4MjM1OTU5WjB4MQswCQYDVQQGEwJVUzET
MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxQNU2FuIEZyYW5jaXNjbzEVMBMG
A1UEChQMQ29uZG9tIFNlbnNlMQswCQYDVQQLFAJETjEYMBYGA1UEAxQPd3d3LmNv
bmRvbXMubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC91jpQDQ/gzKLn
u4BLU9rkzp9RPVSTo10u/A7j4nBGHv9oJrswuNxJA5oyNF/naTHX0xNuzWK9LL7A
cK/VwciZIHRCXkQq7Xh4pWbdOjRFBhKRmgt0L2roBggPx+ecaH+sUdNOqQvDq68n
0iyVCgnNEmGzTfIKiBN5dVJbHNTOnwIDAQABo4IBeTCCAXUwCQYDVR0TBAIwADAL
BgNVHQ8EBAMCBaAwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC52ZXJpc2ln
RE: Problem with File-Upload20k
One thing to double-check is whether you are compiling with the correct headers. What does

rpm -q openssl-devel

give you? You should be able to remove the openssl-devel package if it's installed with the usual

rpm -e openssl-devel

It is possible that you are compiling against the older headers, whilst the libraries used are the newer version of openssl that you've compiled.

I'll be trying this kind of installation out myself soon for Red Hat 7.2, as the lag in versions that Red Hat provide is becoming irritating. If you are still stuck I'll speed myself up a bit!

-
John Airey

-----Original Message-----
From: Michael Metz [mailto:[EMAIL PROTECTED]]
Sent: 01 March 2002 17:19
To: [EMAIL PROTECTED]
Subject: RE: Problem with File-Upload20k

Hi John,

I have reinstalled openssl 0.9.6 (Sep 2000) which was shipped with RedHat 7.1 but with no effect. I'm receiving the same error. apache and/or mod_ssl isn't installed via RPM (checked).

I compiled apache/mod_ssl with the following arguments (I'm using constants for version numbers):

cd mod_ssl-$MODSSLVERSION
./configure --with-apache=../apache_$APACHEVERSION
cd ../apache_$APACHEVERSION
CFLAGS="-Wall -DSECURITY_HOLE_PASS_AUTHORIZATION"
SSL_BASE=/usr/local/ssl/
export CFLAGS SSL_BASE
./configure --with-layout=RedHat --enable-module=vhost_alias --enable-module=so --enable-module=rewrite --enable-module=log_referer --enable-module=ssl --enable-module=info --add-module=../mod_gzip.c --server-uid=wwwrun --server-gid=www

Could there be the problem?

Thanks in advance ...

Bye
Michael

On 1 Mar 2002 14:44 [EMAIL PROTECTED] wrote:

This kind of error is often seen where there is a conflict between the built-in version of openssl and the version you have compiled. Redhat 7.0, 7.1 and 7.2 all come with openssl. Currently they are all older versions than what you can compile from source, and so are the versions of apache and mod_ssl that they supply. Can you check what you get if you type

rpm -q apache
rpm -q mod_ssl

These are the built-in packages, which may also conflict with what you have compiled. Unlike openssl, you will be able to remove these packages, although you may have to remove other packages also.

In the case of openssl, ensure you don't overwrite the built-in one in /usr/bin. Use /usr/local/bin instead. If you have, use

rpm -ivh openssl-package-name --force

to forcibly reinstall the built-in package.

Incidentally, I'm currently writing a submission for the openssl FAQ because this comes up so often.

-
John Airey

-----Original Message-----
From: Michael Metz [mailto:[EMAIL PROTECTED]]
Sent: 01 March 2002 13:21
To: [EMAIL PROTECTED]
Subject: Problem with File-Upload20k

Hi there,

I'm running an SSL enabled WebServer since nearly 1 month. Today I wanted to make an http-file-upload (~20k) and received the following error in my error_log:

[Fri Mar 1 11:26:41 2002] [error] mod_ssl: SSL error on reading data (OpenSSL library error follows)
[Fri Mar 1 11:26:41 2002] [error] OpenSSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

After that I updated my openssl version (which was from Dec 2000) to the current release OpenSSL 0.9.6c [engine] 21 dec 2001 and recompiled my apache 1.3.23 with mod_ssl 2.8.7-1.3.23. With no other result.

Normal connections seem to work fine (Opera says High Encryption TLS v1.0 128 bit C4 (1024 bit RSA/SHA)) but file uploads fail when they are larger than about 20k. Smaller files work fine.

I'm running on RedHat 7.1.

Can anyone give me a solution for this problem?

Regards
Michael
RE: Problem with File-Upload20k
This kind of error is often seen where there is a conflict between the built-in version of openssl and the version you have compiled. Redhat 7.0, 7.1 and 7.2 all come with openssl. Currently they are all older versions than what you can compile from source, and so are the versions of apache and mod_ssl that they supply.

Can you check what you get if you type

    rpm -q apache
    rpm -q mod_ssl

These are the built-in packages, which may also conflict with what you have compiled. Unlike openssl, you will be able to remove these packages, although you may have to remove other packages also.

In the case of openssl, ensure you don't overwrite the built-in one in /usr/bin. Use /usr/local/bin instead. If you have, use

    rpm -ivh openssl-package-name --force

to forcibly reinstall the built-in package.

Incidentally, I'm currently writing a submission for the openssl FAQ because this comes up so often.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]
Evolution - A crutch for scientists who can't handle the existence of the creator. See disproven scientific theories and Romans 1:22.

-----Original Message-----
From: Michael Metz [mailto:[EMAIL PROTECTED]]
Sent: 01 March 2002 13:21
To: [EMAIL PROTECTED]
Subject: Problem with File-Upload20k

> Hi there,
>
> I'm running an SSL enabled WebServer since nearly 1 month. Today I wanted to make an http file upload (~20k) and received the following error in my error_log:
>
>     [Fri Mar 1 11:26:41 2002] [error] mod_ssl: SSL error on reading data (OpenSSL library error follows)
>     [Fri Mar 1 11:26:41 2002] [error] OpenSSL: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> After that I updated my openssl version (which was from Dec 2000) to the current release OpenSSL 0.9.6c [engine] 21 dec 2001 and recompiled my apache 1.3.23 with mod_ssl 2.8.7-1.3.23. With no other result.
>
> Normal connections seem to work fine (Opera says High Encryption TLS v1.0 128 bit C4 (1024 bit RSA/SHA)) but file uploads fail when they are larger than about 20k. Smaller files work fine.
>
> I'm running on RedHat 7.1.
>
> Can anyone give me a solution for this problem?
>
> Regards
> Michael

-----------------------------------------------------------------------
NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk 14th June 2002 is RNIB Look Loud Day - visit http://www.lookloud.org.uk to find out all about it.
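The header/library skew that John Airey suspects in both replies above (mod_ssl compiled against the headers of the Red Hat openssl-devel package while httpd links the libssl from a source build under /usr/local/ssl) can be tested for directly rather than guessed at. The script below is an added example and is not code from the thread or from the mod_ssl project; the header and binary paths in its usage comments, and the sample opensslv.h content used to exercise it, are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from mod_ssl): test directly for the
# header/library mismatch described in the thread, i.e. mod_ssl compiled
# against one set of openssl headers (say the Red Hat openssl-devel package)
# while httpd links a different libssl/libcrypto (say a source build under
# /usr/local/ssl). All paths in the usage comments are assumptions.

# header_version FILE -> the version string in an opensslv.h, e.g. "0.9.6c".
header_version() {
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]*OPENSSL_VERSION_TEXT[[:space:]]*"OpenSSL \([^ ]*\).*/\1/p' "$1" | head -n 1
}

# library_version [OPENSSL_BIN] -> the version the openssl binary reports
# (empty when the binary is missing), e.g. "0.9.6".
library_version() {
    "${1:-openssl}" version 2>/dev/null | awk '{ print $2 }'
}

# versions_match A B -> exit 0 only when both are set and identical.
# Letter suffixes count: 0.9.6 and 0.9.6c are separate releases, and a
# header/library skew between them is exactly what this check looks for.
versions_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# check_build OPENSSLV_H OPENSSL_BIN -> report whether the headers a build
# will pick up agree with the library installed beside that openssl binary.
# Usage: check_build /usr/include/openssl/opensslv.h /usr/local/ssl/bin/openssl
check_build() {
    hv=$(header_version "$1")
    lv=$(library_version "$2")
    if versions_match "$hv" "$lv"; then
        echo "OK: headers ($hv) and library ($lv) agree"
        return 0
    fi
    echo "MISMATCH: headers report '${hv:-?}', library reports '${lv:-?}'"
    return 1
}

# linked_ssl_libs HTTPD -> which libssl/libcrypto the built httpd loads at
# run time, which is the other half of the picture when the build was fine.
# Usage: linked_ssl_libs /usr/local/apache/bin/httpd
linked_ssl_libs() {
    ldd "$1" 2>/dev/null | grep -E 'lib(ssl|crypto)' \
        || echo "(no shared libssl/libcrypto: statically linked, or ldd unavailable)"
}
```

Run check_build once per header directory the compiler could see (/usr/include/openssl and /usr/local/ssl/include/openssl) against the openssl binary of the installation SSL_BASE points at; if any pair disagrees, remove or move the stray headers before rebuilding, as the reply suggests for openssl-devel.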
RE: Advisory 012002: PHP remote vulnerabilities (fwd)
This has been sent out by CERT as well. However, I'd be curious to find an administrator who isn't on either CERT or Bugtraq though, especially one who administers multiple systems as many of us do.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]
Evolution - A crutch for scientists who can't handle the existence of the creator. See disproven scientific theories and Romans 1:22.

-----Original Message-----
From: R. DuFresne [mailto:[EMAIL PROTECTED]]
Sent: 28 February 2002 00:28
To: [EMAIL PROTECTED]
Subject: Advisory 012002: PHP remote vulnerabilities (fwd)

> Considering the plethora of php users on the list, and the fact many are perhaps not reading bugtraq:
>
> ---------- Forwarded message ----------
> From: [EMAIL PROTECTED]
> Subject: Advisory 012002: PHP remote vulnerabilities
> Date: Wed, 27 Feb 2002 12:30:56 +0100
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
>
> e-matters GmbH
> www.e-matters.de
>
> -= Security Advisory =-
>
> Advisory: Multiple Remote Vulnerabilities within PHP's fileupload code
> Release Date: 2002/02/27
> Last Modified: 2002/02/27
> Author: Stefan Esser [[EMAIL PROTECTED]]
> Application: PHP v3.10-v3.18, v4.0.1-v4.1.1
> Severity: Several vulnerabilities in PHP's fileupload code allow remote compromise
> Risk: Critical
> Vendor Status: Patches Released
> Reference: http://security.e-matters.de/advisories/012002.html
>
> Overview:
>
> We found several flaws in the way PHP handles multipart/form-data POST requests. Each of the flaws could allow an attacker to execute arbitrary code on the victim's system.
>
> Details:
>
> PHP supports multipart/form-data POST requests (as described in RFC1867) known as POST fileuploads. Unfortunately there are several flaws in the php_mime_split function that could be used by an attacker to execute arbitrary code. During our research we found out that not only PHP4 but also older versions from the PHP3 tree are vulnerable.
>
> The following is a list of bugs we found:
>
> PHP 3.10-3.18
>   - broken boundary check (hard to exploit)
>   - arbitrary heap overflow (easily exploitable)
> PHP 4.0.1-4.0.3pl1
>   - broken boundary check (hard to exploit)
>   - heap off by one (easily exploitable)
> PHP 4.0.2-4.0.5
>   - 2 broken boundary checks (one very easy and one hard to exploit)
> PHP 4.0.6-4.0.7RC2
>   - broken boundary check (very easy to exploit)
> PHP 4.0.7RC3-4.1.1
>   - broken boundary check (hard to exploit)
>
> Finally I want to mention that most of these vulnerabilities are exploitable only on linux or solaris. But the heap off by one is only exploitable on x86 architecture and the arbitrary heap overflow in PHP3 is exploitable on most OS and architectures. (This includes *BSD)
>
> Users running PHP 4.2.0-dev from cvs are not vulnerable to any of the described bugs because the fileupload code was completely rewritten for the 4.2.0 branch.
>
> Proof of Concept:
>
> e-matters is not going to release exploits for any of the discovered vulnerabilities to the public.
>
> Vendor Response:
>
> Because I am part of the php developer team there is not much I can write here...
>
> 27th February 2002 - An updated version of php and the patch for these vulnerabilities are now available at: http://www.php.net/downloads.php
>
> Recommendation:
>
> If you are running PHP 4.0.3 or above one way to work around these bugs is to disable the fileupload support within your php.ini (file_uploads = Off). If you are running php as a module keep in mind to restart the webserver. Anyway you should better install the fixed or a properly patched version to be safe.
>
> Sidenotice:
>
> This advisory is so short because I don't want to give out more info than is needed. Users running the developer version of php (4.2.0-dev) are not vulnerable to these bugs because the fileupload support was completely rewritten for that branch.
>
> GPG-Key: http://security.e-matters.de/gpg_key.asc
> pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
> Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6
>
> Copyright 2002 Stefan Esser. All rights reserved.
RE: wildcard certificate errors?
-----Original Message-----
From: Rhys Hopkins [mailto:[EMAIL PROTECTED]]
Sent: 26 February 2002 13:26
To: '[EMAIL PROTECTED]'
Subject: RE: wildcard certificate errors?

> I have this problem viewing our site with IE5.5
> Do all microsoft browsers reject wildcard certs ?

Some reject them entirely, eg IE3, but these are no longer supported. I trust that you mean IE5.5SP2?

> Is there a patch for IE5 to get round this problem ?

You should be able to either disable the warning or click past it.

> Why don't Thawte tell you about this when you buy the certificate?

The information is there on their site: http://www.thawte.com/getinfo/products/wildcard/overview.html

I found this clicking the wildcard certificates link from www.thawte.com. Not exactly hidden. There's even a link to creating test certificates that you can play with until you get the process right.

Officially IE doesn't support wildcard certificates, but other than the original IE5 refusing them unofficially it does. In fact, there were enormous bugs with IE5 (pre version 5.01).

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]
Evolution - A crutch for scientists who can't handle the existence of the creator. See disproven scientific theories and Romans 1:22.

> -----Original Message-----
> From: Julian C. Dunn [mailto:[EMAIL PROTECTED]]
> Sent: 26 February 2002 13:19
> To: [EMAIL PROTECTED]
> Subject: Re: wildcard certificate errors?
>
> > On Tue, 26 Feb 2002, Matus fantomas Uhlar wrote:
> >
> > > [26/Feb/2002 09:06:59 15055] [warn] Init: (ssl.fantomas.sk:443) RSA server certificate CommonName (CN) '*.fantomas.sk' does NOT match server name!?
> > >
> > > I really don't understand this. *.fantomas.sk DOES match ssl.fantomas.sk, right? It works but why does it produce a warning?
> >
> > No, it doesn't, because there are no wildcard expansion patterns accepted on the server end. Wildcard certs only work because the _browser_ accepts the wildcard in the CN.
> >
> > In any case the warning you are seeing is only a warning; it's not fatal.
> >
> > - Julian
> >
> > --
> > Julian C. Dunn, B.A.Sc [EMAIL PROTECTED]
> > Senior Software Developer, VerticalScope Inc.
> > Tel.: (416) 341-8950 x236 Fax: (416) 341-8959
> > WWW: www.verticalscope.com
> > Windows NT encountered the following error: The operation was completed successfully.
RE: wildcard certificate errors?
The most infuriating thing is that too many people use IE (including myself)! IE breaks so many standards it's incredible. The recent fiasco over handling a file according to its Mime-Type rather than its contents comes to mind. Faking extensions or Mime-Types is trivial, whereas faking contents isn't. This is precisely why most of the posts to this list seem to involve IE more than mod_ssl.

Dismounts soapbox.

John

-----Original Message-----
From: Rhys Hopkins [mailto:[EMAIL PROTECTED]]
Sent: 26 February 2002 14:00
To: '[EMAIL PROTECTED]'
Subject: RE: wildcard certificate errors?

> Thanks - My own fault for not reading things properly. Darn infuriating though - considering xx% of users have IE.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 26 February 2002 13:48
> To: [EMAIL PROTECTED]
> Subject: RE: wildcard certificate errors?
>
> > -----Original Message-----
> > From: Rhys Hopkins [mailto:[EMAIL PROTECTED]]
> > Sent: 26 February 2002 13:26
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: wildcard certificate errors?
> >
> > > I have this problem viewing our site with IE5.5
> > > Do all microsoft browsers reject wildcard certs ?
> >
> > Some reject them entirely, eg IE3, but these are no longer supported. I trust that you mean IE5.5SP2?
> >
> > > Is there a patch for IE5 to get round this problem ?
> >
> > You should be able to either disable the warning or click past it.
> >
> > > Why don't Thawte tell you about this when you buy the certificate?
> >
> > The information is there on their site: http://www.thawte.com/getinfo/products/wildcard/overview.html
> >
> > I found this clicking the wildcard certificates link from www.thawte.com. Not exactly hidden. There's even a link to creating test certificates that you can play with until you get the process right.
> >
> > Officially IE doesn't support wildcard certificates, but other than the original IE5 refusing them unofficially it does. In fact, there were enormous bugs with IE5 (pre version 5.01).
> >
> > - John Airey
> > Internet systems support officer, ITCSD, Royal National Institute for the Blind,
> > Bakewell Road, Peterborough PE2 6XU,
> > Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
> > [EMAIL PROTECTED]
> > Evolution - A crutch for scientists who can't handle the existence of the creator. See disproven scientific theories and Romans 1:22.
> >
> > > -----Original Message-----
> > > From: Julian C. Dunn [mailto:[EMAIL PROTECTED]]
> > > Sent: 26 February 2002 13:19
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: wildcard certificate errors?
> > >
> > > > On Tue, 26 Feb 2002, Matus fantomas Uhlar wrote:
> > > >
> > > > > [26/Feb/2002 09:06:59 15055] [warn] Init: (ssl.fantomas.sk:443) RSA server certificate CommonName (CN) '*.fantomas.sk' does NOT match server name!?
> > > > >
> > > > > I really don't understand this. *.fantomas.sk DOES match ssl.fantomas.sk, right? It works but why does it produce a warning?
> > > >
> > > > No, it doesn't, because there are no wildcard expansion patterns accepted on the server end. Wildcard certs only work because the _browser_ accepts the wildcard in the CN.
> > > >
> > > > In any case the warning you are seeing is only a warning; it's not fatal.
> > > >
> > > > - Julian
> > > >
> > > > --
> > > > Julian C. Dunn, B.A.Sc [EMAIL PROTECTED]
> > > > Senior Software Developer, VerticalScope Inc.
> > > > Tel.: (416) 341-8950 x236 Fax: (416) 341-8959
> > > > WWW: www.verticalscope.com
> > > > Windows NT encountered the following error: The operation was completed successfully.
RE: Multople VH with same certificate?
-----Original Message-----
From: Owen Boyle [mailto:[EMAIL PROTECTED]]
Sent: 11 February 2002 16:26
To: [EMAIL PROTECTED]
Subject: Re: Multople VH with same certificate?

> Santosh Deshpande wrote:
>
> > hi all,
> > I would like to know whether an SSL certificate is issued to a specific domain?
>
> Yes - a normal certificate has the fully-qualified domain name in it. If you use the cert on another site, the browser will trap it and pop up an alert that the cert doesn't match the FQDN.
>
> > Can I have two vhosts configured with a single certificate, e.g. www.mydomain.com (213.x.x.x:443) and sub.mydomain.com (213.x.x.y:443)?
>
> SSL doesn't care about the IP addresses. If you run two sites like this with one cert, it will work - but the browser will throw up an alert which might frighten off customers.
>
> I've heard you can get a wildcard certificate which will match *.mydomain.com - from Thawte, I think.

Here at RNIB we've been using a wildcard certificate from Thawte (www.thawte.com, pronounced "thought") since July 1999, mainly because of the hassle of maintaining several certificates. (flame war commences) Recently, it's simply been more economical to pay $500 for a wildcard certificate than for several $100 certificates (the price may have changed since our last renewal).

In all that time I've not received any complaints that someone couldn't connect to our secure site. We've had 128bit security since 1997, again without much difficulty. A while ago we had some problems internally with IE and SSL. IIRC that was with IE5.0 and no service packs. We currently use IE5.5SP2 corporately (yuk!) again without SSL related problems. Of course, YMMV.

In any event, you'll find Thawte staff very helpful.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]
Agnostic (Greek) = Ignoramus (Latin)
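Julian Dunn's point in the "wildcard certificate errors?" thread above, and the reason RNIB's wildcard certificate described in this message works in browsers while mod_ssl still logs "does NOT match server name", is that the wildcard is interpreted by the client, not by the server. The script below is an added example, not code from the thread or from mod_ssl: it implements the client-side rule in portable sh so a wildcard CN can be checked against a hostname, and against a real certificate file via openssl. The hostnames come from the thread; the certificate path in the usage comment is an assumption, and refusing a wildcard whose suffix is a single label (*.sk) is a conservative choice made in this example.

```shell
#!/bin/sh
# Added example (not from the thread or from mod_ssl): the wildcard rule a
# browser applies to a certificate's CN, in portable sh. mod_ssl 2.8 only
# compares the CN with ServerName literally, so it warns about
# '*.fantomas.sk' even though clients accept it for ssl.fantomas.sk.
# Rule implemented: a single '*' may stand for exactly the leftmost label
# and nothing else; as a conservative choice the part after "*." must
# itself have at least two labels, so "*.sk" is refused.

# cn_matches HOST PATTERN -> exit 0 when PATTERN covers HOST.
cn_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$host" ] && [ -n "$pat" ] || return 1
    case "$host" in *\**) return 1 ;; esac      # a hostname never contains '*'

    [ "$host" = "$pat" ] && return 0            # plain certificate: exact match only

    case "$pat" in
        \*.*) ;;                                # "*.domain" is the only accepted wildcard form
        *) return 1 ;;                          # no wildcard, or '*' not the whole leftmost label
    esac
    suffix=${pat#\*.}                           # "*.fantomas.sk" -> "fantomas.sk"
    case "$suffix" in
        *\**) return 1 ;;                       # "*.*.sk": a second wildcard is rejected
        *.*) ;;                                 # suffix has at least two labels ...
        *) return 1 ;;                          # ... so "*.sk" is refused
    esac

    # HOST must be the suffix with exactly one non-empty label in front:
    # ssl.fantomas.sk matches; fantomas.sk and a.b.fantomas.sk do not.
    case "$host" in *.*) ;; *) return 1 ;; esac
    [ "${host#*.}" = "$suffix" ] || return 1
    [ -n "${host%%.*}" ]
}

# cert_cn FILE -> subject CN of a PEM certificate (needs the openssl binary).
cert_cn() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# check_cert FILE HOST -> report whether the certificate's CN covers HOST
# the way a browser would, independent of what mod_ssl logs at startup.
# Usage: check_cert /usr/local/apache/conf/ssl.crt/server.crt ssl.fantomas.sk
check_cert() {
    cn=$(cert_cn "$1")
    if cn_matches "$2" "$cn"; then
        echo "OK: CN '$cn' covers $2"
    else
        echo "WARN: CN '${cn:-?}' does NOT cover $2"
        return 1
    fi
}
```

Because mod_ssl's startup warning is purely literal, check_cert is the test to run when deciding whether a warning about a wildcard CN can be ignored; it is also the test that fails for the "one certificate on two vhosts" case in this thread, where www.mydomain.com's certificate does not cover sub.mydomain.com and the browser alert is expected.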
RE: Apache SSL redundancy
> another caveat that i've found to be problematic is when going from http to https (or the other way round) you can lose state as you go from one machine to the other. The load balancers do a pretty good job of the work, however, we've definitely seen jumpage from aol and webtv clients, as well as IIRC earthlink and mindspring, where the routing is complex, and there can be multiple public IPs that a single session proxy can come from. I've seen requests from different IPs coming in with the same cookie or session IDs. it's an imperfect solution, and we're still working on ours.
>
> One thing i've thought of doing has been to setup a linux-vs cluster for the straight port-forwarding, then use apache/mod_ssl to handle the ssl negotiations, and pass it on to the real app server with mod_proxy.

I have heard that AOL change dial-up IPs every 3-4 seconds. I have no data to back this up, but considering their large user base it wouldn't be surprising as they'd need to ensure that there are no unused IPs out there (although of course a user should be able to renew the lease on the IP they already have, but there you go). So what you've observed makes some kind of sense.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]
Agnostic (Greek) = Ignoramus (Latin)
RE: SSL Proxy with Strong Authentication
This is the kind of thing within the virtual host configuration on the machine you are proxying to:

    <LocationMatch "/">
        Order deny,allow
        Deny from all
        Allow from 10.
        AuthType Basic
        AuthName "Outside users"
        AuthDBUserFile /path/to/dbuserfile
        Require valid-user
        Satisfy any
    </LocationMatch>

This assumes that your internal network is a class A network starting with 10. as defined in RFC1918. Internal users get in immediately. You have to use dbmmanage to manage the dbuserfile. It is a good idea to ensure that the web server has only read-only access to this file.

This works because / appears in every single web request, so will match all requests under your secure site.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]
Agnostic (Greek) = Ignoramus (Latin)

-----Original Message-----
From: Mike Murray [mailto:[EMAIL PROTECTED]]
Sent: 24 January 2002 23:49
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: SSL Proxy with Strong Authentication

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all,
>
> I'm investigating using Apache and SSL for (reverse) proxying HTTPS requests; however, one of the requirements of the task is to have a strong auth mechanism in place. I had two ideas, both of which have led me to a dead end:
>
> 1. Use the ProxyPass and ProxyPassReverse directives to authorize connections, and requiring client certs to authenticate to the server.
>
> 2. Using a normal SSL page to authenticate via client certs, and using an .htaccess file in the DocRoot of the proxy server to auth IP addresses.
>
> Both seemed likely, and both have failed. The first because the directives don't work as I had hoped, and the second because I can't find anywhere to put an .htaccess file that makes sense to the Directory proxy section.
>
> So, this is a two-part question: first, does anybody have any idea on how to use .htaccess to control access to the proxy, and/or, does anybody have any ideas on what will accomplish this task?
>
> Thanks,
> Mike
>
> - --
> | Mike Murray                    [EMAIL PROTECTED]
> | Scientific Technologist     http://www.nCircle.com
> | nCircle Network Security
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE8UJ1WSZ6Dtue7Vb4RAsDDAJwMg0CCcY70/0ombK2ryyN7LkF1ugCfQHsy
> 42fEW4GwPOUph+5Jo8tQPBo=
> =gyM/
> -----END PGP SIGNATURE-----
RE: strange problem with unclean shutdown
-----Original Message-----
From: Andreas Gietl [mailto:[EMAIL PROTECTED]]
Sent: 23 January 2002 18:13
To: [EMAIL PROTECTED]
Subject: strange problem with unclean shutdown

> hi,
>
> i've got a really really strange problem with mod_ssl 2.8.5-1.3.22 on Apache 1.3.22 with openssl 0.9.6c.
>
> As we all know MSIE needs the unclean-shutdown to successfully work with mod_ssl. This is why we add the SetEnvIf for this browser (full vhost config see below). The strange thing is that this for some reason seems not to match IE 5.01 and 5.5. These are the user-agents for these browsers:
>
>     Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; DT)
>     Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; DT)
>
> Version 6 worked. Others not tested.
>
> The certificate is issued, let's say, for www.defaulthost.de. And now it is really getting unbelievable: if i connect to defaulthost.de it's doing the unclean shutdown, and to www.defaulthost.de it is doing a standard shutdown, which does not work. Connecting to www.defaulthost.de does give the IE standard error page. There's no HTTP request in the access_log, just in the SSLLog an entry that it connected and quit with standard shutdown.
>
> Any ideas?
>
> Andreas
>
> Here's the config:
>
>     #
>     # Global SSL
>     #
>     AddType application/x-x509-ca-cert .cer
>     AddType application/x-pkcs7-crl    .crl
>
>     #SSLPassPhraseDialog builtin
>     SSLSessionCache        dbm:/tmp/ssl_scache
>     SSLSessionCacheTimeout 100
>     #SSLMutex  file:domlogs/ssl_mutex
>     #SSLRandomSeed startup builtin
>     #SSLRandomSeed connect builtin
>     #SSLLog      domlogs/ssl_engine_log
>     #SSLLogLevel debug
>
>     # SSL - Virtual-Host
>     <VirtualHost XXX:443>
>         ServerName www.defaulthost.de
>         ServerAdmin [EMAIL PROTECTED]
>         DocumentRoot /home/defaulthost/public_html
>         SSLEngine on
>         SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>         ErrorLog domlogs/defaulthost.errors.https
>         CustomLog domlogs/defaulthost.de.ssl combined
>         SetEnvIf User-Agent MSIE nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>         CustomLog domlogs/defaulthost.de.ssl_request_log \
>             "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>         SSLCertificateFile /usr/local/apache/conf/cert/www.defaulthost.de.cer
>         SSLCertificateKeyFile /usr/local/apache/conf/cert/www.defaulthost.de.key
>         ScriptAlias /cgi-bin/ /home/defaulthost/public_html/cgi-bin/
>     </VirtualHost>

I notice that you are using the dbm ssl session cache. What happens if you try the shm ssl session cache? Some people have reported that things start working after using shm.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]
Agnostic (Greek) = Ignoramus (Latin)
RE: Problem building Apache 1.3.22 + mod_ssl 2.8.5
-----Original Message-----
From: Toomas Aas [mailto:[EMAIL PROTECTED]]
Sent: 15 January 2002 13:50
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Problem building Apache 1.3.22 + mod_ssl 2.8.5

> Hi [EMAIL PROTECTED]!
>
> Thanks for replying so soon.
>
> That might be my problem right here, then. I use the OpenSSL version which is included in the base system of FreeBSD 4.3-RELEASE. The version is 0.9.6:
>
>     $ openssl version
>     OpenSSL 0.9.6 24 Sep 2000
>
> Can anyone confirm that mod_ssl 2.8.5 doesn't work with this version of OpenSSL?

There's a README.Versions file with the mod_ssl package, but this is all it has at the end of it:

    23-Jan-2001  2.8.0  1.3.17  0.9.3-0.9.6
    03-Mar-2001  2.8.1  1.3.19  0.9.3-0.9.6
    30-Mar-2001  2.8.2  1.3.19  0.9.3-0.9.6
    04-May-2001  2.8.3  1.3.19  0.9.3-0.9.6a
    20-May-2001  2.8.4  1.3.20  0.9.3-0.9.6a

(The figures are the release dates, mod_ssl, Apache and openssl versions.) 2.8.5 was released on 16th October, and openssl 0.9.6c was released on 21st December, hence my statement that it should work with 0.9.6b or 0.9.6c. Unless Ralf can say otherwise, it looks like 2.8.5 should build with 0.9.6.

- John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
[EMAIL PROTECTED]
Agnostic (Greek) = Ignoramus (Latin)
RE: Problems with Apache / mod_ssl and Internet Explorer 5/6
I'd suggest you try this for SSLSessionCache instead:

  SSLSessionCache shm:logs/ssl_scache(512000)

It seems to fix it for most users.

- John Airey
Agnostic (Greek) = Ignoramus (Latin)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 11 January 2002 19:01
To: [EMAIL PROTECTED]
Subject: Problems with Apache / mod_ssl and Internet Explorer 5/6

Hi everyone,

I've got a big problem: I installed on SuSE Linux 7.3 the Apache Web Server including mod_ssl in order to run a secured web interface for my IMAP server... Unsecured, everything works just fine in every browser. After installing the SSL plugin I generated a custom certificate and everything works fine with Netscape / Konqueror / w3m. But when I try to connect via https with any version of Microsoft's Internet Explorer I get the message that the page cannot be displayed. I found out that there are many problems with MSIE, and I did all the fixes. Here are parts of my httpd.conf. Does anyone have an idea?

Apache version 1.3.20
mod_ssl version 2.8.4
openssl version 0.96b
PHP version Pear 4.1.0
MySQL version 3.21

[...]
  SSLPassPhraseDialog builtin
  SSLSessionCache dbm:/var/run/ssl_scache
  SSLSessionCacheTimeout 300
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin

  <VirtualHost _default_:443>
  SSLEngine on
  #*** here I tried both versions, no change
  #SSLProtocol ALL -SSLv3
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLVerifyClient none
  <Files ~ "\.(cgi|shtml|phtml|php3|php?)$">
      SSLOptions +StdEnvVars
  </Files>
  <Directory "/usr/local/httpd/cgi-bin">
      SSLOptions +StdEnvVars
  </Directory>
  #*** here I tried both versions, no change
  #SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
  BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
  BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown
RE: problem while giving url HTTPS
Some versions of Lynx do not have support for SSL compiled in. I suggest you get hold of a version that does, or compile it with SSL support. Have a look at http://lynx.isc.org/ for more details.

- John Airey
More people die each day of AIDS than died in the terrorist attacks on September 11th 2001.

-----Original Message-----
From: Bineet Suri [mailto:[EMAIL PROTECTED]]
Sent: 17 December 2001 08:21
To: [EMAIL PROTECTED]
Subject: problem while giving url HTTPS

Hello, I am Bineet and I am a developer at Osprey Software Technology in India. Just recently I have configured Apache v1.3.22 with mod_ssl, and my Lynx browser is 2.8.4. I am able to test through http://localhost, but when I give https://localhost it gives me:

  This client does not contain support for https urls

I have done all the configuration which is mentioned in the installation file. Now I am really helpless, so please reply to me or send me the appropriate configuration and required file as soon as possible. I will be very obliged to you.

Thanks
Bineet
RE: Question
This doesn't seem to be a mod_ssl question as such. What I suspect is that the older browsers don't have the root certificate for Equifax installed. I am guessing that you are referring to IE, since Netscape has had 128-bit support since 4.67 (IIRC). In the case of IE, check out Tools/Internet Options/Content/Certificates and click the Trusted Root Certification Authorities. If Equifax isn't listed, then that is your problem.

- John Airey
More people die each day of AIDS than died in the terrorist attacks on September 11th 2001.

-----Original Message-----
From: Juce [mailto:[EMAIL PROTECTED]]
Sent: 12 December 2001 02:34
To: [EMAIL PROTECTED]
Subject: Question

We just recently upgraded Apache (1.3.19) and Mod_SSL (2.8.1) for one of our dedicated customers who is using secure certificates from Equifax. Soon after the upgrade, 2 of his sites were receiving Root Certificate Warnings, meaning that Equifax's certificates were not being recognized correctly. However, this problem only seems to be occurring on certain browsers, if the browsers themselves do not have 128-bit encryption. But then some of these browsers report a warning and some do not. If you want to look, the sites are https://www.dells.com and https://www.ad-lit.com. I have already contacted Equifax regarding this problem when it first occurred about 2 weeks ago, but they haven't really been all that helpful in this matter. I asked one of our development guys here, who was the one to do the upgrade on his server, and he said that the upgrade could have caused the problem, but as of yet we are not sure what that may be. We were wondering if you guys have heard of anything similar occurring to other people. I'm not sure if you guys can help, but if you have any information that may be useful, we would be extremely grateful.

Please get back to us at your earliest convenience.

Thank You,
Julian
[EMAIL PROTECTED]
DreamHost.com NewDream.net
RE: Apache SSL Private Keys
-----Original Message-----
From: Mark J Cox [mailto:[EMAIL PROTECTED]]
Sent: 30 November 2001 12:07
To: [EMAIL PROTECTED]
Subject: Re: Apache SSL Private Keys

> The adversary has root. If the private key is encrypted, they must also break that passphrase to get the key.

But if an adversary gets root without rebooting your machine then the unencrypted private keys are just sitting around in memory. The passphrase is only protecting them between the time you reboot and the time you enter the passphrase.

Mark

So to complete the hack, issue a command that dumps core, or even write a short C program to dump core. Most of my C programs do that ;-). Then you can analyse the core dump to extract the keys. Child's play.

Therefore, the passphrase only protects the key if it is removed from your server, but as has been shown, being able to remove the key requires (or should require) root privileges. QED.

- John Airey
RE: Apache SSL Private Keys
-----Original Message-----
From: Rich Salz [mailto:[EMAIL PROTECTED]]
Sent: 29 November 2001 12:12
To: Owen Boyle
Cc: [EMAIL PROTECTED]
Subject: Re: Apache SSL Private Keys

The difference is that with a passphrase the rooter must be an active attacker with an active compromise on your machine, as opposed to a non-passphrase which can be a passive attacker trying to snarf a single file. More than just warm fuzzy; the first is just downright harder.

/r$
--
Zolera Systems, Securing web services (XML, SOAP, Signatures, Encryption)
http://www.zolera.com

I think your point is a moot one. After all, everyone stores their private keys as mode 0400 owned by user and group root, right? (At least, you should.) That is, stored in a directory that only root has access to. If you have any exploits on your machine that can retrieve a file like that (e.g. file giveaways), you've got bigger problems than a pass-phrase could ever solve.

Allegedly nCipher make a crypto card that can store the keys on it, which is supposedly secure, but since they haven't sent me a test one I don't know how secure that is. Physically it's highly secure, being coated in a thick resin that destroys the circuit board if you remove it.

- John Airey
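An added example, not from this thread, that turns the points argued above into a check a defender can run: it reports whether an Apache private key file is mode 0400, owned by the expected uid (root by default, as recommended), kept in a directory nobody else can enter, and encrypted with a passphrase so that a copied file alone is useless. The key path is taken from the command line; the PEM markers it looks for are the standard OpenSSL ones.

```python
"""Audit the on-disk protection of an Apache/mod_ssl private key.

Added example, not code from the mailing-list thread. It checks the
file mode, owner, parent-directory mode and whether the PEM is
passphrase-encrypted.
"""
import os
import stat
import sys

# Markers that indicate a passphrase-encrypted PEM key: the legacy
# OpenSSL format carries a "Proc-Type: 4,ENCRYPTED" header, while an
# encrypted PKCS#8 key uses a distinct BEGIN line.
_ENCRYPTED_MARKERS = (b"Proc-Type: 4,ENCRYPTED", b"BEGIN ENCRYPTED PRIVATE KEY")


def key_is_encrypted(path):
    """Return True if the PEM file carries a passphrase-encryption marker."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    return any(marker in head for marker in _ENCRYPTED_MARKERS)


def audit_private_key(path, expected_uid=0):
    """Return a list of findings; an empty list means the key looks well protected.

    expected_uid defaults to 0 (root), as the thread recommends.
    """
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)

    if st.st_uid != expected_uid:
        findings.append("key not owned by uid %d (owner is uid %d)"
                        % (expected_uid, st.st_uid))
    # Anything beyond owner-read is too permissive; 0400 is the target.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key readable or writable by group/other (mode %04o)" % mode)
    if mode & stat.S_IWUSR:
        findings.append("key is writable by its owner (mode %04o); 0400 is sufficient" % mode)

    # The directory matters too: 'x' for group/other lets them reach the file.
    parent = os.path.dirname(os.path.abspath(path))
    dmode = stat.S_IMODE(os.stat(parent).st_mode)
    if dmode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key directory %s accessible by group/other (mode %04o)"
                        % (parent, dmode))

    if not key_is_encrypted(path):
        findings.append("key is stored unencrypted (no passphrase protects a copied file)")
    return findings


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s /path/to/ssl.key [...]" % sys.argv[0])
    for key_path in sys.argv[1:]:
        problems = audit_private_key(key_path)
        for problem in problems or ["ok"]:
            print("%s: %s" % (key_path, problem))
```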
RE: ProxyPass to https
-----Original Message-----
From: Ravi Babu D - CTD, Chennai. [mailto:[EMAIL PROTECTED]]
Sent: 28 November 2001 11:10
To: [EMAIL PROTECTED]
Subject: ProxyPass to https

Hi,

I've a small clarification related to the ProxyPass and ProxyPassReverse directives in Apache_1.3.19 with mod_ssl 2.8.3. Is it possible to ProxyPass to an https server? i.e. are the following directives correct?

  ProxyPass /test https://remotewebserver/test1
  ProxyPassReverse /test https://remotewebserver/test1

Here the remotewebserver is an SSL-enabled server.

Yes, although I would use

  ProxyPass /test/ https://remotewebserver/test1/
  ProxyPassReverse /test/ https://remotewebserver/test1/

But that means that you have to remember the trailing / (which purists will point out should always be added if you are requesting the default document for a directory. Most browsers add this automatically.)

The following should work as well:

  RewriteEngine on
  RewriteCond %{HTTP_HOST} ^(.*)$
  RewriteRule ^/test/(.*)$ https://remotewebserver/test1/$1 [P]

No doubt someone else knows a more elegant usage of mod_rewrite.

- John Airey
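An added example, not mod_proxy's own code, that models the mapping the two directives perform so the trailing-slash point in the reply above can be tried on sample paths. It assumes the documented behaviour (the first argument is matched as a plain string prefix of the request path and the remainder is appended to the target) and uses the constructed host remotewebserver from the question.

```python
"""Model of the ProxyPass / ProxyPassReverse mapping from the reply above.

Added example, not code from Apache: a simplified model of the documented
prefix-matching behaviour, plus the corrected RewriteRule for comparison.
"""
import re

# Constructed values, taken from the thread above.
FRONT_PREFIX = "/test/"
BACKEND = "https://remotewebserver/test1/"


def proxy_pass(path, prefix, target):
    """Map a request path to the backend URL; None when the prefix does not match."""
    if not path.startswith(prefix):
        return None
    # Whatever follows the matched prefix is appended verbatim to the target.
    return target + path[len(prefix):]


def proxy_pass_reverse(location, prefix, target):
    """Rewrite a backend Location header back into the front-end namespace."""
    if not location.startswith(target):
        return location  # not ours: leave the header alone
    return prefix + location[len(target):]


def rewrite_rule_p(path):
    """The RewriteRule from the reply: ^/test/(.*)$ -> https://remotewebserver/test1/$1 [P]."""
    m = re.match(r"^/test/(.*)$", path)
    if m is None:
        return None
    return BACKEND + m.group(1)


def compare_prefixes(path):
    """Show the same request under the slash-less and slash-terminated forms.

    Without the trailing slash, '/test' also matches '/testing' and forwards it
    to '.../test1ing'; with it, a bare '/test' is not proxied at all, which is
    the "remember the trailing /" caveat from the reply.
    """
    return {
        "without_slash": proxy_pass(path, "/test", "https://remotewebserver/test1"),
        "with_slash": proxy_pass(path, FRONT_PREFIX, BACKEND),
    }


if __name__ == "__main__":
    for p in ("/test/index.html", "/testing", "/test"):
        print(p, compare_prefixes(p), rewrite_rule_p(p))
```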
RE:
This isn't an actual idea as such, but I've so far been unable to build Apache 1.3.22 mod_ssl 2.8.5 on RedHat 7.1. I've yet to attempt it on 7.2 (although I'm starting the upgrade of all our machines to 7.2 today). I think I'll run into the same problems. Apache 1.3.22 mod_ssl 2.8.4 compiles fine on RedHat 6.2!

However, I note that RedHat 7.2 comes with Apache 1.3.20 mod_ssl 2.8.4 (funny how it's always one version behind!). Unless you have compelling reasons to be running the very latest, what comes out of the RedHat box is probably sufficient. Especially as most of the changes between 1.3.20 and 1.3.22 are for Windows anyway.

Incidentally, did you install the openssl-devel RPM package? Without that you can't compile Apache-mod_ssl.

- John Airey

-----Original Message-----
From: Dean Hall [mailto:[EMAIL PROTECTED]]
Sent: 29 October 2001 18:45
To: [EMAIL PROTECTED]
Subject:

I am having trouble running Apache with mod_ssl:

  [root@yggdrasill bin]# /usr/local/apache/bin/apachectl startssl
  /usr/local/apache/bin/apachectl: line 184: 4921 Segmentation fault (core dumped) $HTTPD -DSSL
  /usr/local/apache/bin/apachectl startssl: httpd could not be started

The error_log shows the following:

  [notice] Apache/1.3.22 (Unix) configured -- resuming normal operations
  [notice] Accept mutex: sysvsem (Default: sysvsem)
  [notice] caught SIGTERM, shutting down

I am running:

- RedHat Linux 7.2
- 2.4.9-7 kernel
- openssl-0.9.6b-8
- Apache 1.3.22
  * mod_ssl 2.8.5-1.3.22 (compiled into source tree)
  * mm 1.1.3
  * php 4.0.6 (compiled as a DSO)
    mhash 0.8.11
    libmcrypt 2.4.17 (mcrypt 2.5.10) -- dropped this from PHP as Apache wouldn't start with it
    mysql 3.23.41-1

Here's how I compiled and/or installed Apache and related things, BTW:

openssl: Installed RPM

mm:
  ./configure; make; make install

mod_ssl:
  ./configure \
    --with-apache=../$APACHE_SRC_DIR \
    --with-ssl \
    --with-rsa \
    --with-mm=../$MM_SRC_DIR \
    --enable-shared=ssl

apache:
  ./configure \
    --enable-module=ssl \
    --enable-module=proxy \
    --enable-shared=proxy \
    --enable-module=rewrite \
    --enable-shared=rewrite \
    --enable-shared=ssl \
    --enable-rule=SHARED_CORE \
    --enable-rule=SHARED_CHAIN \
    --enable-module=so
  make; make certificate; make install

(These might not be important as they only pertain to the PHP DSO:)

mhash:
  ./configure; make; make check; make install; make distclean

php:
  ./configure \
    --with-config-file-path=/usr/local/apache/conf \
    --with-apxs=/usr/local/apache/bin/apxs \
    --with-pear=/usr/local \
    --with-zlib \
    --with-openssl \
    --with-ldap \
    --with-mhash \
    --with-mysql
  make; make install

I'm not dealing with a custom httpd.conf yet. I'm just using the default one for now -- until I can get it to start.

Any ideas?

Dean.
RE: MSIE POST problem
Try the shm version, e.g.:

  SSLSessionCache shm:/var/run/ssl_scache(512000)

Seems to work better for everyone.

- John Airey

-----Original Message-----
From: Peter Morelli [mailto:[EMAIL PROTECTED]]
Sent: 25 October 2001 16:37
To: '[EMAIL PROTECTED]'
Subject: RE: MSIE POST problem

Yes, using the dbm version...

--pete

-----Original Message-----
From: David Rees [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 6:55 PM
To: '[EMAIL PROTECTED]'
Subject: Re: MSIE POST problem

On Wed, Oct 24, 2001 at 05:38:40PM -0700, Peter Morelli wrote:
> Sorry, I have the same situation after using those config lines. I had seen them on the mailing list before, but just to be sure I've just retested them. No change. Same symptoms and solutions...

And you do have a ssl session cache defined?

-Dave
RE: New User: must be obvious question
Excuse me snipping all the old stuff, but I think I noticed from your logs that you have managed to compile Apache 1.3.12 mod_ssl 2.6.6 against openssl-0.9.6a, which in itself is quite an achievement. i.e.:

  [Tue Oct 23 11:52:05 2001] [notice] Apache/1.3.12 (Unix) PHP/4.0.5 FrontPage/4.0.4.3 mod_ssl/2.6.6 OpenSSL/0.9.6a configured -- resuming normal operations

(I wouldn't imagine that such an old version of apache-mod_ssl would compile against the latest openssl, and probably wouldn't ever try.) The latest version is Apache 1.3.22, mod_ssl 2.8.5 and openssl-0.9.6a, which is definitely a good idea to upgrade to (notwithstanding that a number of security issues with the Apache server are resolved, e.g. cross-site scripting, which is fixed from 1.3.14 onwards).

Getting back to the real issue, that of starting up a secure server. Provided your Apache server has been compiled with ssl support, a valid configuration file always gets a secure server up. (Of course, it is possible to split your configuration file into multiple files if you host hundreds or thousands of sites.)

First of all, test that mod_ssl is compiled in using httpd -l. You should then get the following:

  Compiled-in modules:
    http_core.c
    mod_so.c
  suexec: enabled; valid wrapper /usr/sbin/suexec

You might get an error at the last line. I've never understood the suexec part, and apparently it isn't important.

Next, check that your server is listening to port 443 (because if it isn't listening, it won't be able to receive secure connections). There should be a line in your httpd.conf saying

  Listen 443

There may be a

  Listen 80

which isn't actually required as there is a

  Port 80

that does exactly the same thing. But it might as well be left in for the sake of completeness.

Next, the mod_ssl module must be loaded into the server. It is possible to run an apache-mod_ssl server without ssl support, which is useful for debugging if nothing else. This is what the LoadModule and AddModule lines do, and both are needed as IIRC Apache reads the module list twice. If they are enclosed in <IfDefine SSL> statements, then Apache needs to be started with httpd -DSSL.

Finally, you'll need at least one virtual host listening on port 443, with at least these three extra lines defined:

  SSLEngine on
  SSLCertificateFile /path/to/ssl.crt
  SSLCertificateKeyFile /path/to/ssl.key

(Non-SSL hosts need only SSLEngine off defined.)

I have to admit that I rarely use apachectl, preferring instead to use the following where necessary:

  /etc/rc.d/init.d/httpd stop
  /etc/rc.d/init.d/httpd start
  /etc/rc.d/init.d/httpd restart
  /etc/rc.d/init.d/httpd reload

The last one is the most useful, as it re-reads the configuration file without dropping a single byte. It's useful for moving log files on the fly or minor changes to the httpd.conf file.

There's no doubt that this stuff is hard (it's taken me years to get to grips with it), but it's better than running NT any day! (Off topic: I've spent the last fortnight testing a single-CD method of patching NT/IIS that works for all the NT servers and workstations I support, yet the procedure for updating our Linux boxes was written and completed in an afternoon.)

- John Airey
RE: New User: must be obvious question
The commented-out Listen 443 and Listen 80 are probably part of your problem; however, I'd suspect that your httpd.conf is missing the following from the relevant sections also:

  LoadModule ssl_module modules/libssl.so
  AddModule mod_ssl.c

- John Airey

-----Original Message-----
From: ComCity [mailto:[EMAIL PROTECTED]]
Sent: 23 October 2001 15:29
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: New User: must be obvious question

Well that doesn't make a lot of sense, so you're saying that configtest is better at error checking than apache is at running?

Here's the error I get:

  Syntax error on line 1158 of /usr/local/apache/conf/httpd.conf:
  Invalid command 'SSLEngine', perhaps mis-spelled or defined by a module not included in the server configuration

8< snip

  #Listen 80
  <VirtualHost 209.10.62.26:80>
  DocumentRoot /home/webs/holisticfamilyandpets
  ServerName www.holisticfamilyandpets.com
  ScriptAlias /_vti_bin/_vti_adm/ /home/webs/holisticfamilyandpets/_vti_bin/_vti_adm/
  ScriptAlias /_vti_bin/_vti_aut/ /home/webs/holisticfamilyandpets/_vti_bin/_vti_aut/
  ScriptAlias /_vti_bin/ /home/webs/holisticfamilyandpets/_vti_bin/
  </VirtualHost>

  #Listen 443
  <VirtualHost 209.10.62.26:443>
  DocumentRoot /home/webs/holisticfamilyandpets
  ServerName www.holisticfamilyandpets.com
  # The following line is line 1158
  SSLEngine ON
  SSLCertificateFile /usr/local/certs/holisticfamilyandpets.com.crt
  SSLCertificateKeyFile /usr/local/certs/holisticfamilyandpets.com.key
  SSLVerifyClient none
  </VirtualHost>

----- Original Message -----
From: Owen Boyle [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 23, 2001 12:14 AM
Subject: Re: New User: must be obvious question

ComCity wrote:
> Hi,
>
> I've gotten Mod_SSL working on my apache server along with openSSL. I have working certs and they get served up as virtual servers. My question has to be obvious. I can stop apache no problem with:
>
>   apachectl stop
>
> I can start apache no problem with
>
>   apachectl startssl
>
> However, I cannot restart apache with
>
>   apachectl restart
>
> And, if I use
>
>   apachectl configtest
>
> it tells me I have an error at the SSLEngine On line of my conf file. This can't be real because it works fine if I stop and restart or reboot the computer. The restart command simply doesn't seem to be working for me.

If you are getting an error message when you configtest, then the amazing thing is that your server is starting under any circumstances. I suspect this is not a problem with apachectl, which works fine for everyone else, but rather (surprise, surprise...) an error in your conf file. To help diagnose it, please cut'n'paste the error message and post the section from your conf file which deals with the SSL virtualhost.

Rgds,
Owen Boyle.
RE: apache 1.3.22 and modssl
-----Original Message-----
From: Mads Toftum [mailto:[EMAIL PROTECTED]]
Sent: 14 October 2001 17:05
To: [EMAIL PROTECTED]
Subject: Re: apache 1.3.22 and modssl

On Sun, Oct 14, 2001 at 05:36:59PM +0200, Ralf S. Engelschall wrote:
> In article [EMAIL PROTECTED] you wrote:
> > Ralf is usually pretty quick to release new versions of mod_ssl.
>
> I plan to provide an upgraded mod_ssl version for 1.3.22 on Monday or Tuesday.

Cool. I was right then :)

The major changes in 1.3.22 are winblows related anyway, so no need to hurry :)

Specifically, the changes listed at http://httpd.apache.org/dist/httpd/CHANGES_1.3 are:

Changes with Apache 1.3.22

*) Recognize AIX 5.1. [Jeff Trawick]

*) PORT: Support AtheOS (see www.atheos.cx) [Rodrigo Parra Novo [EMAIL PROTECTED]]

*) The manual directory is still configurable (as enabled by the 1.3.21 change), but its default setting was reverted to the pre-1.3.21 default as a subdirectory of the DocumentRoot. You can adapt your path in config.layout or with the configure --manualdir= switch. [Martin Kraemer]

*) Additional correction for the mutex changes on the TPF platform. [David McCreedy [EMAIL PROTECTED]]

*) mod_proxy - remove Explain*; replace with ap_log_* [Chuck Murcko [EMAIL PROTECTED]]

Changes with Apache 1.3.21

*) Enable mod_mime_magic (experimental) for Win32. [William Rowe]

*) Use an installed Expat library rather than the bundled Expat. This fixes a problem where multiple copies of Expat could be loaded into the process space, thus conflicting and causing strange segfaults. Most notably with mod_perl and XML::Parsers::Expat. [Greg Stein]

*) Handle user modification of WinNT/2K service display names. Prior versions of Apache only accepted identical internal and display names (where internal service names were space-stripped.) [William Rowe]

*) Introduce Win32 -W option for -k install/config to set up service dependencies on the workstation, snmp and other services that given modules or configurations might depend upon. [William Rowe]

*) Update the mime.types file to map video/vnd.mpegurl to mxu and add commonly used audio/x-mpegurl for m3u extensions. [Heiko Recktenwald [EMAIL PROTECTED], Lars Eilebrecht]

*) Modified mod_mime and mod_negotiation to prevent mod_negotiation from serving any multiview variant containing one or more 'unknown' filename extensions. In PR #8130, mod_negotiation was incorrectly serving index.html.zh.Big5 when better variants were available. The httpd.conf file on the failing server did not have an AddLanguage directive for .zh, which caused mod_mime to lose the file_type information it gleaned from parsing the .html extension. The absence of any language preferences, either in the browser or configured on the server, caused mod_negotiation to consider all the variants equivalent. When that occurs, mod_negotiation picks the 'smallest' variant available, which just happened to be index.html.zh.Big5. [Bill Stoddard, Bill Rowe] PR #8130

*) Security: Close autoindex /?M=D directory listing hole reported in bugtraq id 3009. In some configurations where multiviews and indexes are enabled for a directory, requesting URI /?M=D could result in a directory listing being returned to the client rather than the negotiated index.html variant that was configured and expected. The work around for this problem (for pre 1.3.21 releases) is to disable Indexes or Multiviews in the affected directories. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2001-0731 to this issue. [Bill Stoddard, Bill Rowe]

*) Enabled Win32/OS2/Netware file paths (not / rooted, but c:/ rooted) as arguments for mod_vhost_alias'es directives. [William Rowe]

*) Changes for Win32 to assure mod_unique_id's UNIQUE_ID strings really are unique between threads. [William Rowe]

*) mod_proxy - fix for Pragma: nocache (HTTP/1.0 only) [Kim Bisgaard [EMAIL PROTECTED]] PR #5668

*) PORT: Some Cygwin changes, esp. improvements for dynamic loading, and cleanups. [Stipe Tolj [EMAIL PROTECTED]]

*) Win32 SECURITY: The default installation could lead to mod_negotiation and mod_dir/mod_autoindex displaying a directory listing instead of the index.html.* files, if a very long path was created artificially by using many slashes. Now a 403 FORBIDDEN is returned. This problem was similar to and in the same area as the problem reported and fixed by Martin Kraemer in 1.3.1

17 in all, mostly Windoze. I don't think I'll be losing any sleep over these (I lose enough as it is!)

- John Airey
RE: Apache 1.3.22 Modssl
-----Original Message-----
From: Webmaster (Nemesis Services) [mailto:[EMAIL PROTECTED]]
Sent: 15 October 2001 10:16
To: [EMAIL PROTECTED]
Subject: Re: Apache 1.3.22 Modssl

Thanks, this week is the only week I can really get enough downtime on my apache web server for an upgrade.

Downtime on an Apache web server? What's that? I've never heard of such a thing! I count the downtime on our servers in seconds per year, and that's only for restarting each time apache-mod_ssl is updated. IIRC each restart takes around 20 seconds.

Microsoft dig deleted - the choir aren't interested

- John Airey
RE: Ditching support for IE4 with Apache-mod_ssl
Thank you for your responses. It is interesting to see that there are still some IE4 users out there (albeit very few), so as you both say, it's too soon to drop it. We still have all our public non-ssl sites on distinct IP numbers so that any users of HTTP 1.0 browsers can access all our sites. I imagine there are far fewer of those about. Speaking personally, if anyone can't access any of our sites with IE4, I won't be trying to fix it!

- John Airey

-----Original Message-----
From: Ed Kubaitis [mailto:[EMAIL PROTECTED]]
Sent: 11 October 2001 19:14
To: [EMAIL PROTECTED]
Subject: Re: Ditching support for IE4 with Apache-mod_ssl

-- [EMAIL PROTECTED] wrote:
> I've noticed recently that Microsoft no longer support any version of IE lower than IE5.01 (specifically SP2 with the Q295106 hotfix). As there are some serious issues with IE3, like the now expired root certificates, isn't now a good time to stop supporting browser sessions with IE4? I would not be surprised if any future updates to IIS prevent these from working, so why should mod_ssl worry about a now unsupported browser that creates so many posts to this list?
>
> Obviously I realise that there are many users still using IE4 and below, hence this does need some consideration. What do people think?

Too soon to drop IE4 support in my opinion. Here are stats based on a recent sample of 148,000 different host addresses visiting a web server here that indicate IE4 is still used by ~5% of IE users and ~4% of all users:

http://www.ews.uiuc.edu/bstats/latest-month.html

--
Ed Kubaitis - [EMAIL PROTECTED]
CCSO - University of Illinois at Urbana-Champaign
RE: Mod_ssl and proxypass...
-----Original Message-----
From: Yu, Ming [mailto:[EMAIL PROTECTED]]
Sent: 12 October 2001 14:19
To: '[EMAIL PROTECTED]'
Subject: Mod_ssl and proxypass...

I have a general question about SSL and Apache: I am running Apache 1.3.20 with mod_ssl. I created a virtual host in the apache server:

<VirtualHost 10.0.0.1:443>
ServerName secwww.company.com
DocumentRoot /www/docs/htdocs
SSLEngine On
. . .
RewriteEngine On
<Directory ~ "^proxy:.*">
Order allow,deny
Allow from all
</Directory>
ProxyPass /test/ http://another-machine.company.com/
ProxyPassReverse /test/ http://another-machine.company.com/
. .
</VirtualHost>

When a user browses https://secwww.company.com/test/, is everything encrypted? What about the proxy request from secwww.jhuapl.edu to another-machine.company.com?

Yes, communication between the client and https://secwww.company.com is encrypted. No, communication between https://secwww.company.com and another-machine.company.com is not encrypted. If another-machine.company.com supports SSL, you can use https:// in your ProxyPass directive. The last time I looked, this was not documented in the mod_ssl documentation.

- John Airey
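As an added illustration (not part of the original post or of mod_ssl's own documentation), the two variants of the configuration above side by side: the posted form, in which the hop from secwww.company.com to another-machine.company.com is cleartext HTTP, and a form that carries that hop over TLS and also verifies the backend's certificate, which the post does not mention but without which the second hop is encrypted yet unauthenticated. The SSLProxy* directive names are those of mod_ssl as documented for Apache 2.x; whether a given mod_ssl 2.8 build for Apache 1.3 accepts them is an assumption, and the CA file path is a placeholder. The two blocks are alternatives and are not meant to be loaded together.

```apache
# Posted configuration: the browser-to-secwww leg is TLS, the proxy leg is not.
<VirtualHost 10.0.0.1:443>
    ServerName   secwww.company.com
    DocumentRoot /www/docs/htdocs
    SSLEngine    On

    # Cleartext hop: anything on the path between the two hosts can read it.
    ProxyPass        /test/ http://another-machine.company.com/
    ProxyPassReverse /test/ http://another-machine.company.com/
</VirtualHost>

# Corrected configuration: both legs over TLS, backend certificate verified.
<VirtualHost 10.0.0.1:443>
    ServerName   secwww.company.com
    DocumentRoot /www/docs/htdocs
    SSLEngine    On

    # Let mod_proxy originate TLS connections to the backend
    # (assumes this mod_ssl build provides the SSLProxy* directives).
    SSLProxyEngine On

    # Encryption alone still lets an impostor answer as the backend;
    # require a certificate chaining to a CA we chose for the purpose.
    # The CA file path below is a placeholder.
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /usr/local/apache/conf/ssl.crt/backend-ca.crt

    ProxyPass        /test/ https://another-machine.company.com/
    ProxyPassReverse /test/ https://another-machine.company.com/
</VirtualHost>
```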
RE: Keepalives
-----Original Message-----
From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: 12 October 2001 16:06
To: [EMAIL PROTECTED]
Subject: Keepalives

The mod_ssl conf file says:

# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
SetEnvIf User-Agent ".*Mozilla.*" nokeepalive

Does anyone here know what exactly goes wrong if you use keepalive with SSL and clients? AFAIK there's nothing in the standard that implies this should be a problem.

-Ekr

I believe that is because the client is unable to either make or maintain a secure connection due to inadequacies in the way that IE handles keepalive. I'm not so sure about Mozilla though. I've been on this list a long time and I don't recall as many issues with other browsers as there have been with IE (even allowing for my obvious bias), so it's definitely not an issue with the SSL/TLS standards. IIRC IE5 onwards is a lot better (hence my recent post about dropping support for IE4 and below). I haven't even looked at IE6.

- John Airey
RE: Apache connection died
For my log rotation, I use this shell script every month:

#!/bin/csh
# Written by John Airey 30/6/2000
# Move Apache log files and reload Apache web server
/bin/mv /var/log/httpd/* /var/log/httpd/archive
/etc/rc.d/init.d/httpd reload

The log files that are created are then burnt onto CD and deleted from the server (if I remember to do it!) As you can see, not the flashiest of scripts!

- John Airey

-----Original Message-----
From: R. DuFresne [mailto:[EMAIL PROTECTED]]
Sent: 12 October 2001 16:37
To: Rachel
Cc: [EMAIL PROTECTED]
Subject: Re: Apache connection died

On my systems it does not, that is why I suggested altering your perl script in use already. Yet Owen or John (I certainly bow to their better modssl knowledge) might be able to enlighten both of us if the rotate logs function of apache can do this in one fell swoop, which would allow me to reduce a step or two in my setups. Otherwise, it works well.

Thanks,

Ron DuFresne

On Fri, 12 Oct 2001, Rachel wrote:

> Will the access_log name be arranged followed by the date? Like: access_log20011011
>
> Rachel
>
> ----- Original Message -----
> From: R. DuFresne [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Thursday, October 11, 2001 8:58 PM
> Subject: Re: Apache connection died
>
> If you used the builtin capability to rotate logs within apache, you could eliminate this whole step and the troubles inherent in this process. You'll most likely have to change yer perl script to do this:
>
> httpd.conf:
>
> TransferLog "|/usr/local/apache/bin/rotatelogs /usr/local/apache/logs/access_log 86400"
>
> Thanks,
>
> Ron DuFresne
>
> On Thu, 11 Oct 2001, Rachel wrote:
>
> > The reason for the cronjob: to change the access.log name into a more manageable name, like access.log20011010.gz (equal to access.log for the day of 10 Oct 2001), so I need to stop Apache and rename access.log to the new name and gzip it. Here's the example:
> >
> > #!/usr/bin/perl
> > # This script is mainly for producing rotate access log daily and rename
> > # it into format access.log(mmdd).gz
> > $file1=shift;
> > print "Attempting to rotate $file1\n";
> > ($sec,$minute,$hour,$mday,$mth,$year,)=localtime(time);
> > $year+=1900;
> > $mth++;
> > # zero-pad month and day so names sort by date
> > $mth='0'.$mth if $mth<=9;
> > $mday='0'.$mday if $mday<=9;
> > $new_file="$file1$year$mth$mday";
> > rename ($file1,$new_file) or die "can't rename:$!\n";
> > die "can't restart httpd:$!\n" if system('/usr/local/apache/bin/apachectl restart');
> > print "Sleeping after move\n";
> > sleep 10;
> > print "Zipping the file up\n";
> > die "can't gzip:$!\n" if system("gzip $new_file");
> > print "Done\n";
> >
> > ----- Original Message -----
> > From: R. DuFresne [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Sent: Thursday, October 11, 2001 7:31 PM
> > Subject: Re: Apache connection died
> >
> > What is the reason for this cron job? Can you show the line from the crontab that implements it?
> >
> > Thanks,
> >
> > Ron DuFresne
> >
> > On Thu, 11 Oct 2001, Rachel wrote:
> >
> > > Yup... I found a cronjob that is running every night... Is it possible to restart Apache with the startssl option in a cronjob? Because Apache will require a password to start the SSL connection, how should I automate it?
> > >
> > > ----- Original Message -----
> > > From: Ashton, Bruce [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > > Sent: Thursday, October 11, 2001 4:10 PM
> > > Subject: RE: Apache connection died
> > >
> > > SIGHUP is a kind of signal that can be sent to a Unix process to cause it to terminate. Open a shell on your Unix box and type 'man kill', also 'man nohup'; nohup may be the answer to your problems.
> > >
> > > Bruce Ashton
> > > Java Developer
> > > Product Development Branch
> > > Commercial Division
> > > ext. 4560
> > >
> > > -----Original Message-----
> > > From: Rachel [SMTP:[EMAIL PROTECTED]]
> > > Sent: Thursday, October 11, 2001 3:25 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Apache connection died
> > >
> > > Hi, I am having a problem where my APACHE no longer runs after 12:01am every night. I have no idea what the error messages below mean; can someone teach/explain them to me? What is "SIGHUP received"? Where can I configure it? What is the bottom error message that says the dynamic module limit was reached? How can I increase it?
> > >
> > > [Thu Oct 11 00:00:01 2001] [notice] SIGHUP received. Attempting to restart
> > > [Thu Oct 11 00:00:01 2001] [error] Cannot remove module mod_ssl.c: not found in module list
> > > [Thu Oct 11 00:00:01 2001] [error] Cannot remove module mod_setenvif.c: not found in module list
> > > [Thu Oct 11 00:00:01 2001] [error] Cannot