Re: httpd.conf
Cuong Tran wrote:
> The problem I am
> having is that all the
> normal virtual hosts as a result have been SSL
> readable as well.
>
> # (below) won't make it automatically listen on the
> virtual server's port.
> Listen 443

Change the above to

Listen 192.168.0.3:443

that will get the result you desire.

later
John

begin:vcard n:Ott;John tel;pager:202 688 9735 tel;cell:301 502 4356 tel;work:202 687 8929 x-mozilla-html:FALSE org:Georgetown University;UIS-SNS version:2.1 email;internet:[EMAIL PROTECTED] title:UNIX Systems Programmer adr;quoted-printable:;;304E St. Mary's Hall=0D=0A3800 Reservoir Road, NW;Washington ;DC;20007;USA x-mozilla-cpt:;-13752 fn:John Ott end:vcard
Re: Compiling apache with mod_perl + mod_ssl on HP-UX 10.2; link problem
Ian Macdonald wrote:
>
> Just in case I come across something that demands the gnu ld, do you
> know why this is hard to find for HP-UX? And does hard==impossible?
>

It is not supported yet for HP-UX 11.x

I've yet to find anything that "demands" it, but I generally use HP's compilers and utilities.

later
John

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: certificates on virtual servers
Owen Boyle wrote:

Alexandre Kazuo Sato wrote:
>
> Hi gurus,
>
> I have an Apache Web Server 2.0 running mod_ssl 2.8 and I have the
> following scenario:
>
> This webserver handles about 30 sites, and I'm using VirtualHost properties
> to achieve that.
>
> The question is:
>
> How can I create and use, different certificates for different Virtual
> Hosts?

You can't have SSL virtualhosts unless you can give them separate IPs or port numbers. see

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
http://marc.theaimsgroup.com/?l=apache-modssl&m=98559369910170&w=2

Rgds,
Owen Boyle.

But that is not the question he asked, Owen.

Assuming each virtual host is IP-based and/or has a unique port #, you need to specify these variables

SSLCertificateFile
SSLCertificateKeyFile

within each virtual host section.

HTH
john
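Added example (not part of the original thread and not mod_ssl project code): a small Python check over a constructed httpd.conf that applies the two points made in the replies above, that SSL virtual hosts with different certificates need their own IP address or port, and that each SSL virtual host section names its own SSLCertificateFile and SSLCertificateKeyFile. The host names, addresses and file paths in the sample are made up; servers and clients that support SNI are not bound by the address restriction.

```python
import re
from collections import defaultdict

# Constructed sample httpd.conf; addresses, names and paths are made up.
SAMPLE_CONF = """
Listen 192.168.0.3:443
Listen 192.168.0.4:443
<VirtualHost 192.168.0.3:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile conf/ssl.crt/shop.crt
    SSLCertificateKeyFile conf/ssl.key/shop.key
</VirtualHost>
<VirtualHost 192.168.0.3:443>
    ServerName mail.example.com
    SSLEngine on
    SSLCertificateFile conf/ssl.crt/mail.crt
    SSLCertificateKeyFile conf/ssl.key/mail.key
</VirtualHost>
<VirtualHost 192.168.0.4:443>
    ServerName intra.example.com
    SSLEngine on
    SSLCertificateFile conf/ssl.crt/intra.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the argument of the first uncommented `name` directive, or None."""
    m = re.search(rf"^[ \t]*{name}[ \t]+(.+?)[ \t]*$", body, re.M | re.I)
    return m.group(1) if m else None

def check_ssl_vhosts(conf):
    """Return a sorted list of findings for SSL-enabled virtual hosts."""
    findings = []
    by_addr = defaultdict(list)
    for addr, body in VHOST_RE.findall(conf):
        if (directive(body, "SSLEngine") or "").lower() != "on":
            continue  # not an SSL virtual host
        name = directive(body, "ServerName") or "(no ServerName)"
        # A missing key file is only acceptable when the key is combined
        # into the certificate file, so it is reported for review.
        for req in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if directive(body, req) is None:
                findings.append(f"{name}: missing {req}")
        by_addr[addr.strip()].append((name, directive(body, "SSLCertificateFile")))
    for addr, hosts in by_addr.items():
        certs = {cert for _, cert in hosts}
        if len(hosts) > 1 and len(certs) > 1:
            names = ", ".join(n for n, _ in hosts)
            findings.append(f"{addr}: shared by {names} with different certificates")
    return sorted(findings)

if __name__ == "__main__":
    for line in check_ssl_vhosts(SAMPLE_CONF):
        print(line)
```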
Re: modssl freezes on startup
Chris M wrote:
>
> If there is a cogent reason for killing 100 sites when 1 is configured
> wrong, I'm listening to what it might be.
>
> Chris
>

Seems silly to have 100 production web sites hung up by a wrong or untested config. Ever think to test it separately first?
Re: Network Error: Connection refused
Henning von Bargen wrote:
> Is there nobody in this list who can help me?
> I _guess_ it's a simple configuration problem,
> but I didn't find an answer in the FAQ or in the mailing-list archive.
> pls help
> Henning
> >Network Error: Connection refused
>

This usually means there is no service running on the port you tried to connect to. Did you try to connect https and do ./apachectl start instead of ./apachectl startssl ?

>
> > -----Original Message-----
> > From: Henning von Bargen [SMTP:[EMAIL PROTECTED]]
> > Sent: Wednesday, 9 May 2001 11:23
> > To: [EMAIL PROTECTED]
> > Subject: RE: Network Error: Connection refused
> >
> > I discovered that I could partially work around this problem by configuring
> > the Netscape browser as follows:
> > In Security Info / Navigator / Configure SSL v3 :
> > [x] RC4 encryption with a 128-bit key and an MD5 MAC (When permitted)
> > [x] FIPS 140-1 compliant triple DES encryption and SHA-1 MAC (When permitted)
> > [x] Triple DES encryption with a 168-bit key and a SHA-1 MAC (When permitted)
> > [ ] RC4 encryption with a 56-bit key and a SHA-1 MAC
> > [ ] DES encryption in CBC mode with a 56-bit key and a SHA-1 MAC
> > [ ] RC4 encryption with a 40-bit key and an MD5 MAC
> > [ ] RC2 encryption with a 40-bit key and an MD5 MAC
> > [ ] No encryption with an MD5 MAC
> > That is, I cleared the checkboxes 4,5,6,7 which were checked by default.
> >
> > However, when I open the page now, I get a messagebox:
> > New Site Certificate
> > Certificate for: ...
> > Signed by: Verisign Trust Network
> > Encryption: Export Grade (RC4-Export with 40-bit secret key)
> >
> > shouldn't it be possible with a Verisign Global Server ID to
> > have 128 bit encryption with Netscape 4.7, too?
> > And why does Netscape Navigator complain about the certificate at all
> > whereas Internet Explorer doesn't?
> >
> > Please help.
> >
> > Henning
> >
> > > -----Original Message-----
> > > From: Henning von Bargen [SMTP:[EMAIL PROTECTED]]
> > > Sent: Tuesday, 8 May 2001 16:13
> > > To: [EMAIL PROTECTED]
> > > Subject: Network Error: Connection refused
> > >
> > > We have a web site running
> > > Oracle iAS 1.0.1 for NT alias Apache 1.3.12 / mod_ssl 2.6.4 / OpenSSL 0.9.5a
> > > on a Windows NT 4 workstation.
> > > It has a Verisign Global Server ID installed.
> > > I can access the SSL pages fine with Microsoft IE 5.0, 5.5 and KDE 2.1
> > > Konqueror.
> > >
> > > However, when I try to access an SSL page with Netscape 4.7,
> > > I get the following error message box:
> > > Netscape
> > > A network error occured while Netscape was receiving data.
> > > (Network Error: Connection refused)
> > > Try connecting again.
> > >
> > > Is this a Netscape bug or a server mis-configuration?
> > >
> > > One perhaps unusual thing is that we have a start page at
> > > http://xxx.xxx.de/index.html
> > > that redirects to https://xxx.xxx.de/ucl/html with
> > > https://xxx.xxx.de/ucl/html";>
> > >
> > > The Apache httpd.conf looks like this (excerpt).
> > > I didn't change anything from the defaults except
> > > ServerName, ServerAdmin, and the various certificate file locations.
> > >
> > > Any help is highly appreciated...
> > >
> > > Henning
> > >
> > > ##
> > > ## SSL Virtual Host Context
> > > ##
> > >
> > > # General setup for the virtual host
> > > DocumentRoot "D:\iAS_101\Apache\Apache\htdocs"
> > > ServerName xxx.xxx.de
> > > ServerAdmin [EMAIL PROTECTED]
> > > ErrorLog logs/error_log
> > > TransferLog logs/access_log
> > >
> > > # SSL Engine Switch:
> > > # Enable/Disable SSL for this virtual host.
> > > SSLEngine on
> > >
> > > # SSL Cipher Suite:
> > > # List the ciphers that the client is permitted to negotiate.
> > > # See the mod_ssl documentation for a complete list.
> > > #SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > >
> > > # Server Certificate:
> > > # Point SSLCertificateFile at a PEM encoded certificate. If
> > > # the certificate is encrypted, then you will be prompted for a
> > > # pass phrase. Note that a kill -HUP will prompt again. A test
> > > # certificate can be generated with `make certificate' under
> > > # built time. Keep in mind that if you've both a RSA and a DSA
> > > # certificate you can configure both in parallel (to also allow
> > > # the use of DSA ciphers, etc.)
> > > #SSLCertificateFile \conf\ssl.crt\server.crt
> > > SSLCertificateFile \conf\ssl.crt\tup.crt
> > >
> > > # Server Private Key:
> > > # If the key is not combined with the certificate, use this
> > > # directive to point at the key file. Keep in mind that if
> > > # you've both a RSA and a DSA private key you can configure
> > > # both in parallel (to also allow the use of DSA ciphers, etc.)
> > > #SSLCertificateKeyFile conf\ssl.key\server.key
> > > SSLCertificateKeyFile conf\ssl.key\key-tup
> > >
> > > # Server
Re: mod_so probs
[EMAIL PROTECTED] wrote:
> My problem is that the mod_ssl configure is configuring apache
> and the mod_ssl configure won't accept a directive such as:
> --enable-module=so
>

I never could get the enable-module=so to work. What is the object you are trying to build in as a shared object?

In my example I am using

--enable-rule=SHARED_CORE

This builds the apache core as shared so I can add shared objects (DSOs) that I build with apxs and then dynamically load with the apache LoadModule directive in httpd.conf

--enable-shared=ssl

This builds in the ssl libraries as shared objects.

Later I use apxs to build the shared module and then use

LoadModule auth_ldap_module libexec/auth_ldap.so

in the httpd.conf

I build auth-ldap.so with the Apache apxs utility. This loads it dynamically at run time. That is the best way to use shared libraries.

HTH

>
> So how do I get it in there???
>
> > You have to make apache able to run .so files when compiling.
> > This is explained in Apache INSTALL.
> >
> > Best regards,
> > Lars Schiøler
> >
> > ----- Original Message -----
> > From: <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, April 19, 2001 9:14 PM
> > Subject: mod_so probs
> >
> > > Hello modssl-users,
> > >
> > > Forgive me if this is covered in the faqs at modssl.org, I read
> > > them and didn't find anything on this.
> > >
> > > I have:
> > >    apache_1.3.19
> > >    mm-1.1.3
> > >    openssl-0.9.6
> > >    mod_ssl-2.8.1-1.3.19
> > >    jakarta-tomcat-3.2.1-src
> > >
> > > I've followed the instructions from mod_ssl's INSTALLATION file.
> > > I'm running solaris 7.
> > >
> > > I'm currently leaving mm out (due to MAP_ANON issue that I can't
> > > quite figure out) and so am running the following configure command:
> > >
> > > cd /usr/local/builds/mod_ssl-2.8.1-1.3.19
> > > ./configure \
> > > --with-apache=../apache_1.3.19 \
> > > --with-ssl=../openssl-0.9.6 \
> > > --prefix=/usr/local/apache \
> > > --enable-shared=ssl
> > >
> > > The problem I'm having is that, after making apache and make installing
> > > it, running apachectl start or sslstart produce error messages
> > > having to do with mod_so not being loaded into apache.
> > > In the pre-mod_ssl days I would just add --enable_module=so to the
> > > apache configure args. But now that I'm not actually running that
> > > configure script I'm not sure what to do.
> > >
> > > Any ideas??
> > >
> > > Thank you,
> > > Patrick.
Re: OpenCA + mod_ssl + Netscape + Personal Certificates
[EMAIL PROTECTED] wrote:
> Problem: Authentification with Netscape Communicator 4.73
>
> Apache + mod_ssl is asking for my digital certificate twice.
> I am using basic authentification with LDAP and mod_auth_ldap,
> AS WELL as mod_ssl for a location specified
>

I've had this happen when something behind the scenes does a redirect in cgi from a fully qualified name (i.e. server.domain.com) to just the server name. Could that be happening in your case?

I'm not sure which module is not equating server to server.domain.com or even if it is the correct behaviour to ask for credentials again with the shortening in the https server name.

In my case I fixed the cgi to use the fully qualified name and I now only get the authentication piece once. That is the way I want the cgi to behave anyway. So the pages work regardless of what the search domain is set to in the client workstation's DNS. And users with the correct credentials and ssl can connect from anywhere.

I am using auth-ldap 1.5.0 rather than the mod_auth_ldap module. But I suspect you could be seeing the same behavior I was.

HTH
Re: mod_ssl does not work
Martin Eriksen wrote:
> I have downloaded mod_ssl and installed it without errors. However only
> the http-server and not https server seems to work. I start apache like
> this:
>
> root@v38 bin]# ./apachectl startssl
> ./apachectl startssl: httpd started
> [root@v38 bin]#
>
> The http server works fine but when I try and access the https server,
> ie https://locahost/, Netscape gives me an error saying it is unable to
> locate the server.
>
> Anyone knows what the problem could be? Is apachectl supposed to give me a
> different startup message or does mod_ssl seem to be installed ok? Any
> suggestions will be appreciated.

Did you make the necessary changes to httpd.conf ?
Re: modssl newbie
William Palfreman wrote:
> OSX is a variant of UNIX, as is Linux. I thought it was only beta
> release? What is probably happening is that because your variant of UNIX
> is new, it may not be fully supported yet. That should happen soon, if it
> is necessary. I know in RedHat Linux those errors indicate you have failed
> to install something non-obvious like kernel-headers or something. As you
> are using OSX Beta, you are a valuable tester for lots of applications.
> If you want to do something important for yourself, rather than the wider
> community, install Yellow-Dog Linux on your Apple and go from there.
>

The MacOS X server is NOT beta. The MacOS X workstation software is still beta. They announced at MacWorld they are shipping the first release on March 24.

I would think the original question refers to a MacOS X server. I don't think there is any way to compile apache on the beta workstation.

See http://www.apple.com/macosx/server for info, but I do not have access to a MacOS X server to help with the question though.

later
John
Re: installation problem
Richard Botting - Development - Torr Hall wrote:
> I am trying to build apache+mod-ssl, on a solaris 8 box, given apache 1.3.9,
> mod_ssl-2.4.10-1.3.9 and openssl-0.9.6. Following the mod_ssl
> INSTALL file I built openssl and configured mod_ssl with:
>
> ./configure --with-apache=/export/developers/rmb/apache-1.3.9/src/apache_1.3.9.
>
> I then configured apache with:
>
> SSL_BASE=/export/developers/rmb/open_ssl/src/openssl-0.9.6 \
> ./configure \
> --enable-module=ssl \
> --prefix=/export/developers/rmb/apache_1.3.9 \
> --enable-shared=ssl \
> --enable-module=so
>

have you tried adding to configure

--with-ssl= ../path-to-ssl-dir

>
> However when i run make in the apache dir. I get an error:
>
> gcc -c -I../../os/unix -I../../include -DSOLARIS2=280 -DMOD_SSL=204110 -DEAPI
> -DUSE_EXPAT -I../../lib/expat-lite `../../apaci` -fPIC -DSHARED_MODULE
> -DSSL_COMPAT -I/export/developers/rmb/open_ssl/src/openssl-0.9.6/include
> -DMOD_SSL_VERSION=\"2.4.10\" ssl_expr_eval.c && mv ssl_expr_eval.o
> ssl_expr_eval.lo
> gcc -c -I../../os/unix -I../../include -DSOLARIS2=280 -DMOD_SSL=204110 -DEAPI
> -DUSE_EXPAT -I../../lib/expat-lite `../../apaci` -fPIC -DSHARED_MODULE
> -DSSL_COMPAT -I/export/developers/rmb/open_ssl/src/openssl-0.9.6/include
> -DMOD_SSL_VERSION=\"2.4.10\" ssl_util.c && mv ssl_util.o ssl_util.lo
> gcc -c -I../../os/unix -I../../include -DSOLARIS2=280 -DMOD_SSL=204110 -DEAPI
> -DUSE_EXPAT -I../../lib/expat-lite `../../apaci` -fPIC -DSHARED_MODULE
> -DSSL_COMPAT -I/export/developers/rmb/open_ssl/src/openssl-0.9.6/include
> -DMOD_SSL_VERSION=\"2.4.10\" ssl_util_ssl.c && mv ssl_util_ssl.o ssl_util_ssl.lo
> ssl_util_ssl.c:145: conflicting types for `d2i_PrivateKey_bio'
> /export/developers/rmb/open_ssl/src/openssl-0.9.6/include/openssl/x509.h:779:
> previous declaration of `d2i_PrivateKey_bio'
> *** Error code 1
> make: Fatal error: Command failed for target `ssl_util_ssl.lo'
> Current working directory
> /export/developers/rmb/apache-1.3.9/src/apache_1.3.9/src/modules/ssl
> *** Error code 1
> make: Fatal error: Command failed for target `all'
> Current working directory
> /export/developers/rmb/apache-1.3.9/src/apache_1.3.9/src/modules
> *** Error code 1
> make: Fatal error: Command failed for target `subdirs'
> Current working directory
> /export/developers/rmb/apache-1.3.9/src/apache_1.3.9/src
> *** Error code 1
> make: Fatal error: Command failed for target `build-std'
> Current working directory /export/developers/rmb/apache-1.3.9/src/apache_1.3.9
> *** Error code 1
> make: Fatal error: Command failed for target `build'
>
> Any ideas/fixes??
>
> Richard Botting,
> Graham Technology,
> Scotland.
Mutex File disappears
I got this error when the apache locked up:

Failed to acquire global mutex lock

We are currently at 2.4.10-1.3.9 on Solaris 2.6

I looked and the mutex file was gone. (We are using files and fcntl access.) Stopping and then starting apache fixed things by recreating the file. But I am concerned as to why the file disappeared.

Anyone else seen this behaviour? Is there a patch (Apache, Solaris or Mod-ssl) that addressed this?

thanks
John