Re: ssl handshake failure
On Sat, Nov 24, 2007 at 11:56:49PM -0500, Bob Johnson wrote:
> SSL 2.0 [length 007a], CLIENT-HELLO
>     01 03 01 00 51 00 00 00 20 00 00 39 00 00 38 00 00 35 00 00 16 00 00 13
>     00 00 0a 07 00 c0 00 00 33 00 00 32 00 00 2f 00 00 07 05 00 80 03 00 80
>     00 00 05 00 00 04 01 00 80 00 00 15 00 00 12 00 00 09 06 00 40 00 00 14
>     00 00 11 00 00 08 00 00 06 04 00 80 00 00 03 02 00 80 37 bf 69 76 53 ce
>     0a d5 8c d5 78 8e 94 73 05 84 d7 13 d6 2a fe 77 b8 8b be b0 dc e2 72 5f
>     4f d3
> SSL_connect:SSLv2/v3 write client hello A
> read from 0x80bb680 [0x80c1260] (7 bytes => 4 (0x4))
> - 68 69 55 53   hiUS
> read from 0x80bb680 [0x80c1264] (3 bytes => 0 (0x0))
> 15772:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

What version of openssl are you using?

Try adding the following line to that failing vhost:
SSLCipherSuite ALL:!SSLv2
(You probably want to tune it more later if you care about the security, but
the important thing here is to get rid of SSLv2.)
To see which ciphers this opens up, run: openssl ciphers -v 'ALL:!SSLv2'

vh

Mads Toftum
--
http://soulfood.dk
__
Apache Interface to OpenSSL (mod_ssl)    www.modssl.org
User Support Mailing List                modssl-users@modssl.org
Automated List Manager                   [EMAIL PROTECTED]
Re: Mod-ssl and Apache
On Tue, Sep 11, 2007 at 02:50:10PM -0700, Yvo van Doorn wrote:
> It's not really complaining, more in that modssl.org and its downloads are
> geared for Apache 1.3.x, not Apache 2.x, as they incorporated modssl into
> the source; thus you can pretty much expect better support for Apache 2.x
> related modules, incl. modssl, on the Apache mailing lists.

We did actually create a list for modssl over at httpd.apache.org, but so
far there's been no valid traffic (note to self: put the list on
http://httpd.apache.org/lists.html or shut it down).

vh

Mads Toftum
--
http://soulfood.dk
Re: Mod-ssl and Apache
On Wed, Sep 12, 2007 at 09:55:52AM +0100, Glyn Astill wrote:
> Considering this a mailing list for modssl 1.x not 2.x

mod_ssl _for httpd 1.3_, not _modssl for httpd 2.x_. With httpd 2.x, modssl
is integrated and doesn't need an external patch. That being said, I've
seen quite a bit of httpd 2.x related modssl talk here and not heard many
complaints.

vh

Mads Toftum
--
http://soulfood.dk
Re: Mod-ssl and Apache
On Tue, Sep 11, 2007 at 01:10:20PM -0400, Aaron Smith wrote:
> Oh! My apologies. I thought this was a mailing list for mod_ssl
> independent of version.

It has been used for both versions over time - this is pretty much the
first time anyone complained.

vh

Mads Toftum
--
http://soulfood.dk
Re: mod_ssl for apache 2.x?
On Fri, Dec 29, 2006 at 08:31:32PM +, Bahadir Balban wrote:
> Does mod_ssl work on Apache 2.x? Why does it say mod_ssl is for 1.3
> everywhere?

Because the version of mod_ssl you find at modssl.org is only for 1.3.

> Is there any other ssl solution to apache 2.x?

--enable-ssl when configuring apache 2 - mod_ssl is included in the apache
httpd-2.x source.

vh

Mads Toftum
--
http://soulfood.dk
Re: Why is SSL_SESSION_ID changing?
On Tue, Oct 18, 2005 at 12:28:31PM +0200, Ryszard Lach wrote:
> We thought that one of the possible solutions would be binding the user's
> session to SSL_SESSION_ID (i.e. keeping SSL_SESSION_ID in the user's
> session and comparing it at every request with the ID read from this
> request).

Don't - SSL_SESSION_ID isn't usable for longer lifetime sessions.

> The problem is that SSL_SESSION_ID is changing regardless of
> SSLSessionCacheTimeout (we've set it to a very high value). I suppose that
> it's not caused by the server (mod_ssl, after writing SESSION_ID to the
> cache, is able to get it back every time, 100% hit rate). Is there any
> reason for which the ssl sessions are renegotiated (sometimes even three
> times during one minute)? Is it possible to block such renegotiations at
> the server/application side, or is it very browser-dependent?

Lifetime can't be forced from the server side; all you can do is set an
upper bound on it. The client may very well choose to cut the session
earlier. I've seen clients that let sessions live longer with a higher level
of security on the session - but it still isn't a good choice.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: configure SSL session timeout
On Thu, Oct 06, 2005 at 09:51:47AM -0400, Cliff Woolley wrote:
> > I know the SSL session timeout param can be configured by the directive
> > SSLSessionCacheTimeout. Is there any setting or API for the browser or
> > client application to configure the SSL session timeout param and
> > override the server's one, such that each application can configure its
> > timeout period of the SSL connection according to its requirement?
>
> Nope... not that I know of.

Just to clear this up - both the client and the server choose whether they
want to reuse sessions. SSLSessionCacheTimeout sets how long the server is
willing to reuse a session, but a client may choose not to reuse the session
after a shorter time. When a session expires on the server, a client may try
to reuse the session, but the server won't allow that.

One example of a client using short session times is IE, which would expire
SSL2 sessions really fast, but allow TLSv1 with strong crypto to live much
longer (that experience is a couple of years old, so they've probably
changed the policy many times over since then).

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Mod_ssl and how to reduce overhead
On Mon, Sep 26, 2005 at 08:54:30AM -0400, Cliff Woolley wrote:
> Session caching is more or less essential for any kind of reasonable SSL
> performance. Disabling the session cache will hurt your SSL perf by
> perhaps as much as an order of magnitude (roughly speaking -- it's been a
> long time since I benchmarked it).

The actual performance benefit is dependent on the usage pattern (mostly the
length of sessions), but fetching a session from the cache is easily 100x
faster than negotiating a new session key (again, ymmv depending on how much
spare processing power you have). Openssl is useful in at least getting an
idea of the order of magnitude - run openssl speed rsa on the box to figure
out how many rsa operations it can handle concurrently for your chosen
keysize. openssl s_client with the -reconnect option will help determine
whether session caching is working on the server.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Mod_ssl and how to reduce overhead
On Mon, Sep 26, 2005 at 11:28:11AM -0400, Pigeon wrote:
> Hmm.. 10k -100k are pretty much guaranteed numbers..

That's quite a wide margin. Are we talking concurrent users or just the
number of people who could be using it over a period of xx?

> So my main computer crunching will be done at the beginning? (and to
> relieve this I can do session key caching.. how long can I cache a key?
> is this 'secure'?) (also.. all transfers will be ~15megs in size)

well, with 15meg files you've got more work to do encrypting the content as
the session goes along. You can cache the key as long as you want, but
depending on the type of encryption used, most browsers will not allow the
key to live for all that long. I usually run for about 1 hour, but ymmv
depending on the chosen parameters.

> And using a single server is out of the question?

the number of concurrent users has very much to say in that regard. Maybe an
ibm power 5 64 proc or a fully loaded sun e25k - and add an ssl accelerator
to the mix.

> If we just go with one server.. shouldn't it be something super fast..
> amd64 1gig ram?

Super fast / amd 64 with only 1 gig mem? you've got to be kidding - I'm
pretty sure you couldn't keep up even without SSL. Doesn't your pr0n
streaming business generate enough income to pay for a real server? ;)

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: SSL support for a VirtualHost on a port other than 443
On Tue, Aug 16, 2005 at 09:57:38AM -0700, Andrew Musselman wrote:
> I am trying to set up apache2 to provide SSL support for a VirtualHost
> running on port 81.

Have you added a virtualhost for port 81 and the corresponding Listen
statement?

> The server handles https requests just fine, but when I try connecting
> with https through port 81 I receive an error (in Firefox: "The connection
> to [myhost]:81 has terminated unexpectedly. Some data may have been
> transferred.").

Browser messages are not much use.

> Openssl seems to be running fine, as these commands from the FAQ at
> http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html return no errors:
>
> $ openssl s_client -connect localhost:443 -state -debug
> GET / HTTP/1.0

What if you use localhost:81 instead? We need more info like the SSL
specific part of the conf and perhaps output of openssl s_client.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: SSL support for a VirtualHost on a port other than 443
On Tue, Aug 16, 2005 at 11:16:36AM -0700, Andrew Musselman wrote:
> Listen 81
> <VirtualHost *:81>
>     ServerAdmin [EMAIL PROTECTED]
>     DocumentRoot /usr/local/www/printers
>     ServerName pc74965.cts.cwu.edu
>     DirectoryIndex index.html index.php
>     ErrorLog /var/log/printers-error_log
>     CustomLog /var/log/printers-error_log combined
> </VirtualHost>
>
> Do I need to add any ssl-specific directives in there?

Yes. SSLEngine on is the first thing to add - you also need to point to the
server cert and key.

> SSL_connect:SSLv2/v3 write client hello A
> read from 08097700 [080B5000] (7 bytes => 7 (0x7))
> - 3c 21 44 4f 43 54 59   <!DOCTY

This matches the config above - SSL isn't turned on on port 81 - you should
never see <!DOCTY in plain as part of an ssl session.

> [SNIP lots of useless comments]

no need to paste comments verbatim from the config file.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: access restriction based on RFC3280/4.2 'Certificate Extensions'
On Mon, Aug 08, 2005 at 02:26:37PM +0200, Pitrich, Karl wrote:
> Hi, is it somehow possible to restrict access to a httpd2/mod_ssl based on
> the presence of an extended attribute with a specific OID in the client's
> certificate?

There is some support for that in the very latest httpd dev tree - see
http://mail-archives.apache.org/mod_mbox/httpd-cvs/200507.mbox/[EMAIL PROTECTED]

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Multiple Virtual Servers with modssl
On Wed, Jun 22, 2005 at 02:06:32PM -0500, Jeffrey M. Johnson wrote:
> I have a host that has 40 some virtual hosts associated with it, but only
> one of those hosts is configured for modssl. I now need to configure a
> second (and possibly more) virtualhosts for modssl. First, I am assuming
> this can be done.

Yes - but you might not like the answer - as you'll need one ip (or non-std
port) for each ssl vhost.

> Second, I can't figure out how it can be done.

Just add one more ip based vhost with the necessary settings - and before
you ask about name based vhosting with ssl - go see the ssl FAQ:
http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: mod_ssl for Apache 2
On Wed, Jan 26, 2005 at 02:15:37AM -0800, ColinB wrote:
> What is the relationship between mod_ssl for Apache 1 and Apache 2 ?

The mod_ssl in apache2 is based on the mod_ssl for Apache 1.3, but the two
versions are not the same module.

> Why doesn't www.modssl.org say that it is for both Apache 1 and 2 ?

Because it isn't. The mod_ssl available at www.modssl.org is only for
Apache 1.3.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Apache and MOD_SSL
On Mon, Dec 27, 2004 at 11:06:21PM -0500, leandro asnaghi-nicastro wrote:
> $ openssl s_client -connect def.con.ca:443
> CONNECTED(0003)
> 24271:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:

That's usually what happens if the server is responding in HTTP instead of
HTTPS. You could try adding -state -debug to the openssl s_client command to
get more info. Also check your error log on the server, it should have
something about invalid method.

If def.con.ca is in fact the host with the problem, then I get the following
with -debug:
[SNIP]
- 3c 21 44 4f 43 54 59   <!DOCTY
The <!DOCTY should never be sent in plain text over an SSL encrypted
connection, so I'm quite sure SSL isn't on.

> Further reading online: add SSLEngine on within the Virtual Host setting
> (I'm guessing they meant in mod_ssl.conf?) and that is done.

It has to go inside the VirtualHost block for the port 443 vhost. You also
need a few other settings there pointing to the certificates. You could try
posting the ssl related part of that vhost.

> [EMAIL PROTECTED]:/etc/apache# netstat -tln | grep 443
> tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
>
> Okay, so I'm not that off.

Certainly there is something listening on port 443 - the s_client error
would have been different if there was nothing on that port.

> Obviously I am doing something wrong, albeit I am at a loss as to what
> exactly I screwed up. Can someone kindly kick me in the right direction?

It still looks like you don't have SSLEngine on in the right place.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Solaris 9 / modssl-2.8.22-1.3.33 problems
On Fri, Dec 17, 2004 at 12:59:42AM +, Steve Parker wrote:
> Summary: It seems from
> http://forum.sun.com/thread.jspa?threadID=18986&tstart=15 that this was a
> problem with 2.8.17, fixed in 2.8.18 with a sed command on line 244 of
> apache-1.3.33/src/modules/ssl/Makefile:
>
> 242: ssl_expr_scan.c: ssl_expr_scan.l ssl_expr_parse.h
> 243:         flex -Pssl_expr_yy -s -B ssl_expr_scan.l
> 244:         sed -e '/$$Header:/d' <lex.ssl_expr_yy.c >ssl_expr_scan.c && rm -f lex.ssl_expr_yy.c

You shouldn't need to regenerate these files - most likely a timestamp
problem that results in make thinking that the lex/yacc files have been
updated later than the output .c and .h - simply touch the output files to
make sure they have a newer timestamp, then make won't try to regenerate.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Mod-ssl and apache configuration question
On Fri, Nov 05, 2004 at 05:07:06PM -0700, Kory Wheatley wrote:
> I have a project where I need to set up an Apache secure server. I have an
> Apache non-secure server already on my workstation. I don't want the Apache
> secure server to run under the same daemon service, so I've downloaded a
> separate Apache tar file. This server also needs to run under a different
> user and group. What are the steps for compiling Mod_SSL and DSO into
> Apache and under a different server user? This setup will only be for a
> secure server and no other virtual hosts. If there's a step by step
> process to do this that would be really nice.

You don't need anything special to do this - just build apache with mod_ssl
and change the config so that you have it listening on port 443 only. Then
change User and Group to whatever user you want it to run under. That's
really all you need to do.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: SSL not working with apache
On Thu, Sep 02, 2004 at 09:20:45AM -0700, Philip Lavine wrote:
> [SNIP]
> SSL_connect:SSLv2/v3 write client hello A
> read from 080AED40 [080B5270] (7 bytes => 7 (0x7))
> - 0a 3c 3f 78 6d 6c   .<?xml
                          ^
You certainly shouldn't see that if the connection was encrypted - you
probably forgot SSLEngine on in your virtual host.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
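The three threads above (the port 81 vhost, the def.con.ca host, and this one) all end the same way: a plain-text <!DOCTY or <?xml fragment arrives where a ServerHello should be, which is what a vhost without SSLEngine on looks like from the client side. The following Python is an added example, not code from the list or from mod_ssl: it classifies the first bytes a server sends back after a ClientHello, using the dumps quoted above as constructed samples, and probe() reproduces the s_client -debug view with a hand-built ClientHello (an assumption about how to reproduce it, not something anyone in the thread ran).

```python
import os
import socket
import string

# Constructed samples of the first bytes a client receives after sending its
# ClientHello.  The first three are the hex dumps quoted in the threads above
# (as printed by "openssl s_client -debug"); the rest are constructed here
# so the classifier can be exercised on every outcome.
SAMPLES = {
    "port81_no_sslengine":   bytes.fromhex("3c 21 44 4f 43 54 59"),  # "<!DOCTY"
    "xml_page_no_sslengine": bytes.fromhex("0a 3c 3f 78 6d 6c"),     # "\n<?xml"
    "handshake_failure_box": bytes.fromhex("68 69 55 53"),           # "hiUS"
    "tls_server_hello":      bytes.fromhex("16 03 03 00 31 02 00 00 2d 03 03"),
    "tls_alert":             bytes.fromhex("15 03 01 00 02 02 28"),  # fatal handshake_failure
    "sslv2_server_hello":    bytes.fromhex("80 4a 04 00 01 00 02"),
    "http_error":            b"HTTP/1.1 400 Bad Request\r\n",
}

PRINTABLE = set(string.printable.encode("ascii"))


def classify_server_bytes(data: bytes) -> str:
    """Classify what a server sent back in reply to a TLS ClientHello.

    "tls-handshake"       0x16 record (a ServerHello): TLS is on
    "tls-alert"           0x15 record: TLS is on but the handshake was refused
    "sslv2-server-hello"  2-byte length with the high bit set, then type 0x04
    "plaintext"           printable text: the port is speaking HTTP, not TLS
    "empty"               the server closed the connection without answering
    "unknown"             none of the above
    """
    if not data:
        return "empty"
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls-alert" if data[0] == 0x15 else "tls-handshake"
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x04:
        return "sslv2-server-hello"
    if all(b in PRINTABLE for b in data):
        return "plaintext"
    return "unknown"


def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello record (constructed): one cipher suite,
    no extensions.  Any TLS server answers it with a handshake record or an
    alert; a vhost that is really serving plain HTTP answers with text."""
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + os.urandom(32)            # client_random
        + b"\x00"                   # session_id length: 0
        + b"\x00\x02\x00\x2f"       # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"               # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send the ClientHello to host:port and classify the first reply bytes.
    Needs network access; the classifier itself is exercised offline below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(64)
        except socket.timeout:
            return "timeout"
    return classify_server_bytes(reply)


def classify_samples() -> dict:
    """Run the classifier over the constructed samples."""
    return {name: classify_server_bytes(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:24s} {verdict}")
```

Anything classified as "plaintext" means the Listen/VirtualHost pair for that port has no SSLEngine on (or the wrong vhost is answering), whatever the browser's error text says.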
Re: Is it possible to 'add' mod_ssl later on, without recompiling all of Apache?
On Tue, Mar 23, 2004 at 04:33:11PM +0100, Evert Meulie wrote:
> Hi!
> The following case: An apache-2.0.48 server which was compiled without
> SSL. Now the powers that be have decided the server should also be able to
> support https, so mod_ssl needs to be 'added'. Is it possible to do this
> without recompiling/reinstalling all of Apache? How do I proceed?

In theory it should be possible if you have mod_so built in already (httpd
-l should list mod_so). But it is certainly much simpler just to rebuild
apache with --enable-ssl. In a standard build, there will be a build/
directory with the file config.nice that contains all the options originally
used to build apache.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: vulnerability in mod_ssl on apache 2
On Fri, Mar 12, 2004 at 01:19:04PM +0100, Boyle Owen wrote:
> Greetings,
> Does the DoS vulnerability reported in http://secunia.com/advisories/11092/
> affect the mod_ssl-2.8.16-1.3.29 codebase?

All the filtering stuff in mod_ssl was new in the Apache 2 version and
didn't turn up until after the code was imported.
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_io.c?r1=1.88&r2=1.89

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: this list
On Mon, Mar 01, 2004 at 10:49:18AM -0500, Kevin wrote:
> I am guessing that no one is able to block the mail from
> mmx.engelschall.com on the modssl.org list?

Since mmx.engelschall.com is part of the modssl/openssl mail infrastructure,
that would effectively kill all mail to both modssl and openssl lists.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: this list
On Mon, Mar 01, 2004 at 06:59:55PM +0100, Goetz Babin-Ebell wrote:
> Since all these mails have no Message ID when they are received at
> master.modssl.org, it seems to be a good idea to configure this host to
> refuse all mail (coming from the outside) that has no message ID...

sure, that would certainly make sense.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: SSL and Virtual hosts
On Fri, Feb 20, 2004 at 11:18:10AM +0100, Svein E. Seldal wrote:
> I'm running Debian testing latest versions on a i686:
> Server Version: Apache/1.3.29 Ben-SSL/1.52 (Debian GNU/Linux)
> debian versions: apache-ssl 1.3.29.0.1-5

You're asking on the wrong list then - this is the mod_ssl list, while
you're running apache-ssl which lives at http://www.apache-ssl.org/

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: symmetric or asymmetric ?
On Fri, Feb 06, 2004 at 06:09:45PM +0100, Ringaby Anders wrote:
> Hello !
> I am one of many mod-ssl beginners, and I have two questions.
>
> 1. The modssl web site refers to the SSL cryptography algorithm as being
> conventional, or symmetric. But mod-ssl uses public and private keys,
> which are known as parts of asymmetric cryptography. Any explanation ?

mod_ssl uses both - if you want the details, read:
http://httpd.apache.org/docs-2.0/ssl/ssl_intro.html

> 2. I copied a mod-ssl-enhanced apache-2.0.48 installation to another
> machine, replaced the certificate file ( server.crt ) with another
> certificate ( but same file name ), and made some small changes in
> httpd.conf and ssl.conf. Of course, this did not work. Is there any way
> that I can generate a new private key ( server.key file ) according to
> the public key in the new certificate file ? Or should I remove
> everything and install again, the proper way ?

There's nothing that should keep the keys from working on different
machines, so chances are that it is either the installation or the
configuration that failed.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: FW: Memory leak - Apache2.0.47 and openSSL 0.9.7c
On Fri, Dec 19, 2003 at 09:19:15AM -, John Hughes wrote:
> Please let me know if you would like any other information. I do have
> output from the load generator and the utility that I can send anyone.

What type of SSLSessionCache are you using? Do you use any 3rd party
modules?

Please also note that the current release version is 2.0.48

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: FW: Memory leak - Apache2.0.47 and openSSL 0.9.7c
On Fri, Dec 19, 2003 at 11:01:57AM -, John Hughes wrote:
> I have no 3rd party modules loaded. The testing I did was with and without
> mod_ssl loaded. Only when mod_ssl was loaded - and SSL was used - did I
> see a memory leak under load.
>
> My SSLSessionCache values are the default and are:
> SSLSessionCache dbm:logs/ssl_scache
> SSLSessionCacheTimeout 300

On linux you really should be using a shared memory session cache - like
SSLSessionCache shmcb:logs/ssl_gcache_data(512000)
SSLSessionCacheTimeout 300

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Client Info
On Sun, Nov 09, 2003 at 04:01:59PM -0500, [EMAIL PROTECTED] wrote:
> I apologize if this is a re-send. I never heard anything back about it,
> and it seems like a pretty simple question, so I don't know if my message
> went out to the list.
>
> The SSL_CLIENT_* variables are not appearing in my environment. My web
> host insists it's something my CGI needs to do to request this
> information from the client, but that doesn't make sense to me. I
> obtained a certificate from Thawte and installed it in my browser, but
> that doesn't make a difference. Is there something else I need to do? Is
> there something my host needs to do?

Those fields will be filled when using client certificates - see
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC17
also remember to turn on SSLOptions +StdEnvVars - see
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC21

vh

Mads Toftum
--
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, Apache 2 mod_ssl tutorial (3h)
WE03, Troubleshooting Apache configurations
WE11, Apache mod_rewrite, the Swiss Army Knife of URL manipulation
Re: mod_ssl kerberos ?
On Mon, Nov 10, 2003 at 12:58:33PM +0100, Daniel Struck wrote:
> Hello,
> I want to ask if the following setup is possible:
> Clients will be authenticated towards apache with x509 certificates
> (mod_ssl). Would it now be possible to give authenticated clients a
> kerberos ticket which could be read out in php/perl? I would like to use
> this ticket to authenticate the client towards a database like
> postgresql.

I imagine something like http://modauthkerb.sourceforge.net/ along with
SSLOptions +FakeBasicAuth could do the trick (YMMV - I don't know enough
about Kerberos to know whether that type of usernames would be a problem).
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC21

vh

Mads Toftum
--
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, Apache 2 mod_ssl tutorial (3h)
WE03, Troubleshooting Apache configurations
WE11, Apache mod_rewrite, the Swiss Army Knife of URL manipulation
Re: Re[2]: Client Info
On Tue, Nov 11, 2003 at 04:29:22PM -0500, [EMAIL PROTECTED] wrote:
> Thanks for the reply. I should be able to just add these lines to my
> .htaccess:
>
> SSLVerifyClient optional
> SSLOptions +StdEnvVars

require would be better than optional (at least for testing).

> and have the client variables in my environment (assuming the client has
> a certificate installed), correct? Sorry I didn't RTFM earlier, but I
> assumed it would be something complicated, and something only my host
> could configure anyway.
>
> Anyway, I tried that and I still don't get the client variables. Am I
> missing something? Is it possible the main configuration is overriding
> mine?

I must say that I've never really felt like playing around with my ssl
setup in .htaccess files... one thing to check is whether the AllowOverride
settings allow those directives in .htaccess - see Override for
SSLVerifyClient and SSLOptions. Especially the Options override required by
SSLOptions is something that won't be allowed.

vh

Mads Toftum
--
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, Apache 2 mod_ssl tutorial (3h)
WE03, Troubleshooting Apache configurations
WE11, Apache mod_rewrite, the Swiss Army Knife of URL manipulation
Re: Netscape ask always certificat
On Thu, Oct 30, 2003 at 11:40:52AM +0100, xavier jeannin wrote:
> [SNIP]
> ---
> drop connection and then reconnect
> CONNECTED(0003)
> ---
> New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : EDH-RSA-DES-CBC3-SHA
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key: 0F8D50DBEAE85A067D6A631609D5728CE9AA91F7052E39115481D6787478124CC43B290C4D164F858FBC2F44103F8C2A
>     Key-Arg   : None
>     Start Time: 1067509174
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)

Session caching seems to be off on the server side - when I use reconnect, I
get

    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 1C7284F45FE7153AD082C737E2EBFD2176A4B0B34BCA41AE79663F9C804142EB
    Session-ID-ctx:
    Master-Key: 6D9E61B97ADE120B056E79A09B3489D23D7D2A74FE2D82E067CBEF50296B76B5E6034ECDB32B4B062788BA9D9832DD3B

vh

Mads Toftum
--
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, Apache 2 mod_ssl tutorial (3h)
WE03, Troubleshooting Apache configurations
WE11, Apache mod_rewrite, the Swiss Army Knife of URL manipulation
Re: Netscape ask always certificat
On Wed, Oct 29, 2003 at 05:15:13PM +0100, xavier jeannin wrote:
> I have developed a Web application that uses X509 certificates. Netscape
> asks for the certificate each time (page). As my users have several
> certificates, they do not use the option "Select Automatically" in
> Netscape; I now have to tell my users to use this option and create a
> Netscape profile for every certificate.
>
> First, I have compiled Apache with MM and use:
> SSLSessionCache shm:/usr/local/apache/logs/ssl_gscache(2048000)
> SSLSessionCacheTimeout 1800
> but it does not work.

but it does not work - how should that be understood? that SSLSessionCache
does not work, or that the users are still being asked for the certificate?
The simplest way to test sessions away from the browser is to use openssl
s_client with the -reconnect option - that should tell you whether session
caching is in effect or not.

Usually when sessions are enabled in apache, but the browser keeps asking
for the cert, then it is a setting in the browser - I seem to recall that
Netscape had an option to ask for the password on every use.

vh

Mads Toftum
--
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, Apache 2 mod_ssl tutorial (3h)
WE03, Troubleshooting Apache configurations
WE11, Apache mod_rewrite, the Swiss Army Knife of URL manipulation
Re: shmcb vs shmht
On Sat, Oct 11, 2003 at 08:50:29AM -0700, Sarah Haff wrote:
> Hi,
> What are the differences between
> #SSLSessionCache shmht:logs/ssl_scache(512000)
> and
> #SSLSessionCache shmcb:logs/ssl_scache(512000)
> (in the ssl.conf file)

Two different ways of storing sessions in shared memory - ht is a hashtable
while cb is a cyclic buffer. Look back in the archive for mails from Geoff
Thorpe for all the gory details.

One thing that came to mind about your problem from the other day - iirc you
had a long session timeout, but a small sized cache. Try increasing the size
and/or lowering the Timeout - just to make sure you're not exhausting your
session store capacity before the browser times out.

vh

Mads Toftum
--
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, Apache 2 mod_ssl tutorial (3h)
WE03, Troubleshooting Apache configurations
WE11, Apache mod_rewrite, the Swiss Army Knife of URL manipulation
Re: Webpage over SSL timing out?
On Tue, Oct 07, 2003 at 07:17:06PM -0700, Sarah Haff wrote:
> > Other suggestions could be turning on keepalives and possibly to remove
> > some of the weaker cipher options from SSLCipherSuite.
>
> How does removing weaker ciphers improve the performance?

It doesn't improve performance - but I've seen cases where Internet Explorer
would allow a session to live longer if it was negotiated to a newer cipher
like TLS instead of SSLv2.

> > How does the cpu usage look on the server? If the load isn't high, then
> > you probably won't win much with an ssl accelerator.
>
> It is a quad CPU server 2.8 Ghz, so the max CPU usage goes to 10% per CPU.

If that is the case, then it doesn't seem likely to me that a hardware
accelerator will improve things much. With that much cpu power to spare,
there shouldn't be any significant slowdown in the connect. If you have an
SSL enabled benchmark tool (could be a recent ab from apache), then try
seeing what happens when you run a number of concurrent requests - do they
start to fail? I'm inclined to think that the problem could be related to
keepalives, where Internet Explorer tries to open more connections than it
can handle at once because keepalives are turned off (the SetEnvIf I
mentioned). It should be possible to determine with netstat or LogLevel
debug. If that isn't the case, then I can only think of things like a
blocking random device, or some other resource being exhausted.

vh

Mads Toftum
--
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, Apache 2 mod_ssl tutorial (3h)
WE03, Troubleshooting Apache configurations
WE11, Apache mod_rewrite, the Swiss Army Knife of URL manipulation
Re: Webpage over SSL timing out?
On Tue, Oct 07, 2003 at 03:17:49PM -0700, Sarah Haff wrote:
> We have a webserver that is serving image (gif/jpg) files over SSL. I am using Apache 2.46 compiled with SSL/PHP/mod_rewrite support. I did not include any other module. The webserver seems to work fine. However if a webpage has multiple image files, not all the image files load, and broken image icons are shown instead. Seems like the SSL/HTTP connection is timing out. Is there a way to increase this timeout period? I don't mind if it takes a little longer to load the page, but the user should see all the image files.

Check Cliff's suggestions about SSLSessionCache (the shm type is preferable for performance reasons). Other suggestions could be turning on keepalives and possibly to remove some of the weaker cipher options from SSLCipherSuite.

> Another alternative is to use a HW based SSL solution like nCipher's CHIL. But I want to make that the last option, since I don't want to re-configure the HW/application on the server.

How does the cpu usage look on the server? If the load isn't high, then you probably won't win much with an ssl accelerator.

> Any ideas on how other sites handle image files over SSL? I need the image files over SSL, because they are scanned images of confidential information.

Just like any other file type - apache doesn't really care what it is.

vh

Mads Toftum
Re: Webpage over SSL timing out?
On Tue, Oct 07, 2003 at 04:00:11PM -0700, Sarah Haff wrote:
> Here is my SSLCache setting in ssl.conf
>
>     SSLSessionCache shmcb:logs/ssl_scache(512000)
>     #SSLSessionCache dbm:logs/ssl_scache
>     SSLSessionCacheTimeout 1300

Looks ok - you could try confirming that session caching works by using the command:

    openssl s_client -connect HOST:PORT -reconnect

> and httpd.conf
>
>     #
>     # Timeout: The number of seconds before receives and sends time out.
>     #
>     Timeout 300
>
>     #
>     # KeepAlive: Whether or not to allow persistent connections (more than
>     # one request per connection). Set to Off to deactivate.
>     #
>     KeepAlive On

This might be disabled elsewhere by something like (from the std config):

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

You could try without it and see if it helps.

vh

Mads Toftum
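The two checks from this exchange and from the Oct 11 message above (does the server actually resume sessions, and is the cache big enough for the configured timeout), written out as an added shell example. This is not code from the thread or from mod_ssl: session_reuse_summary only parses what openssl s_client -reconnect prints, and the 500 bytes per cached session used by cache_is_big_enough is an assumption for the estimate, not a mod_ssl constant.

```shell
#!/bin/sh
# Added example, not from the list thread.
#
# 1) session_reuse_summary reads the stdout of
#        openssl s_client -connect HOST:PORT -reconnect
#    s_client does one full handshake and then five reconnects; a
#    resumed connection prints a line starting "Reused,", a fresh
#    handshake prints "New,". If the reconnects all print "New,", the
#    server is not resuming sessions (cache off, too small, or the
#    session timeout too short).
#
# 2) cache_is_big_enough is a rough sizing check: the cache must hold
#    about SSLSessionCacheTimeout * (new sessions per second) entries.

# Prints "new=N reused=M"; returns 0 only if at least one session was reused.
session_reuse_summary() {
    new=0
    reused=0
    while IFS= read -r line; do
        case "$line" in
            New,*)    new=$((new + 1)) ;;
            Reused,*) reused=$((reused + 1)) ;;
        esac
    done
    echo "new=$new reused=$reused"
    [ "$reused" -gt 0 ]
}

# Usage: cache_is_big_enough CACHE_BYTES TIMEOUT_SECONDS NEW_SESSIONS_PER_SEC
# Prints the estimate; returns 0 if the configured cache is large enough.
cache_is_big_enough() {
    cache_bytes=$1
    timeout=$2
    rate=$3
    bytes_per_session=500   # assumed average entry size (demo value)
    needed=$((timeout * rate * bytes_per_session))
    echo "needed=$needed configured=$cache_bytes"
    [ "$cache_bytes" -ge "$needed" ]
}

# Live use against a real server (needs network, so not part of the test):
#   openssl s_client -connect HOST:443 -reconnect </dev/null 2>/dev/null \
#       | session_reuse_summary
#   cache_is_big_enough 512000 1300 1
```

With the values from this thread (a 512000 byte cache and a 1300 second timeout), cache_is_big_enough reports the cache as too small at just one new session per second, which is the "long timeout, small cache" mismatch pointed out in the Oct 11 reply.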
Re: Apache warning: Connection refused: connect to listener
On Thu, Oct 02, 2003 at 11:58:35PM -0400, Alex Hart wrote:
> More Info:
>
>     SSLSessionCache dbm:logs/ssl_scache

Usually I'd suggest using an shm based cache for performance reasons, but that probably isn't the cause.

>     SSLMutex file:logs/ssl_mutex

I seem to recall some sort of trouble with mutexes on bsd that has been fixed recently - although your error message doesn't seem directly related, it might be worth looking into. Or possibly even going for the latest cvs version in APACHE_2_0_BRANCH (a new release should be right around the corner anyway).

> I will try out different values for these, but I reinstalled without modssl, so I have to install modssl first. Seems like these are pretty standard settings. I'm surprised no one else has run across this warning.

I have heard one reporting similar problems on irc, but that's it.

vh

Mads Toftum
Re: Apache warning: Connection refused: connect to listener
On Tue, Sep 30, 2003 at 12:13:42PM -0400, Alex Hart wrote:
> I sent this yesterday but never saw it, so sorry if this is double. Output of httpd -V at bottom.
>
>     ./httpd -V
>     Server version: Apache/2.0.47
>     Server built:   Sep 29 2003 18:29:13
>     Server's Module Magic Number: 20020903:4
>     Architecture:   32-bit
>     Server compiled with
>      -D APACHE_MPM_DIR=server/mpm/prefork
>      -D APR_HAS_SENDFILE
>      -D APR_HAS_MMAP
>      -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>      -D APR_USE_FLOCK_SERIALIZE
>      -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT

Right, this was part of what we needed - then there is the configuration. Specifically there are two settings that might be worth taking a closer look at - SSLMutex and SSLSessionCache. What are they currently set to? And if you feel adventurous, try switching between different types.

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslmutex
http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslsessioncache

vh

Mads Toftum
Registration Open for ApacheCon 2003
Looking back through the list archive, it appears that this message never got through to the list (sorry if I missed it). If there are enough interested mod_ssl users there, we could try setting up a mod_ssl BOF to discuss what has happened after the module became a part of the Apache distribution and where we would like to see the module going in the future. If you're interested, then drop me a note off list, and I'll talk to the planners.

vh

Mads Toftum

---BeginMessage---

http://www.marketwire.com/mw/release_html_b1?release_id=57498

Registration Opens for ApacheCon 2003, the Global Hub for All Things Apache

(MARKET WIRE) -- 09/15/2003 -- http://www.apachecon.com/ -- ApacheCon, the official conference of the Apache Software Foundation (ASF), announced today the opening of registration for ApacheCon 2003, to be held November 16-20, 2003 in Las Vegas, Nevada. Forward-thinking open source users, developers, programmers, system administrators, and information architects head to ApacheCon to master new technologies, expand their knowledge and share problem-solving skills with peers from across the globe.

Offering a wide range of beginner, intermediate and advanced sessions, ApacheCon attendees will learn firsthand the latest developments in Apache, the world's most popular Web server software, as well as key open source projects spanning PHP, Perl, XML, Java, MySQL, WebDAV, and more. Debuting at ApacheCon is code-named Geronimo, the ASF-licensed open source implementation of the J2EE specification that builds upon the many ASF-driven Java projects in liaison with leading members of the Castor, JBoss, MX4J and OpenEJB communities.

"We're proud to offer the opportunity to inspire, educate, and interact with some of the industry's sharpest minds," said ApacheCon 2003 Chairman Ken Coar. "ApacheCon attendees are part of a collective voice in providing input and feedback to the Apache Software Foundation, thereby making a direct impact on the Apache community."

More than 60 Sessions Highlight Core and Next-Generation Apache Server Tools

ApacheCon kicks off with intensive full- and half-day tutorials that offer real world insight, techniques, and methodologies pivotal to the increasing demand for open source software. Attendees hone their skills, learn shortcuts and hacks and solve programming challenges on a variety of topics, including Apache 2.0, Jakarta, PHP, Perl, and SVG. This year's sessions highlight the dynamic nature of open development, and are grouped into three Focus Days: 1) Apache with XML and Java; 2) All Things Apache; and 3) Apache with Perl and PHP.

ApacheCon presenters and faculty include some of the most accomplished and respected leaders in the open source community, such as Rich Bowen, Doug Tidwell, Stas Bekman, Rasmus Lerdorf, Greg Stein, Stefano Mazzocchi, and Geoffrey Young, along with keynote speakers Chris Pirillo and Doc Searls. Attendees can meet ASF members and peers during the ApacheCon Expo, evening events, birds of a feather sessions and a number of informal social gatherings. Premier sponsors include the Java Community Process (JCP), and Sun Microsystems who returns as a platinum sponsor.

Once again ApacheCon is offering early registration incentives, including a tiered discount of up to $400 off the $899 individual registration fee to those who register by 30 September. The full conference schedule, tutorial descriptions, sponsorship and exhibitor opportunities, and venue details can be found at the ApacheCon 2003 Website. Register today at http://www.apachecon.com/ .

Press registration is now available; please contact the ApacheCon Press Team on +1.617.921.8656 or via email at [EMAIL PROTECTED]

About the Apache Software Foundation

The Apache Software Foundation provides organizational, legal, and financial support for world-class, Open Source, Java, Perl, XML, Tcl, and PHP projects, in addition to the world's most popular Web server. The membership driven, non-profit Foundation exists to ensure that the Apache projects continue to exist beyond the contributions of individuals, to enable contributions of intellectual property and financial support, and to provide a vehicle for limiting legal exposure while participating in Open Source projects. For more information, please see http://www.apache.org

--
Contact: Sally Khudairi
Company: Apache Software Foundation
Phone: 617-921-8656
Email: [EMAIL PROTECTED]

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

---End Message---
Re: Apache warning: Connection refused: connect to listener
On Mon, Sep 29, 2003 at 11:06:31PM -0400, Alex Hart wrote:
> I just installed Apache/2.0.47 (Unix) mod_ssl/2.0.47 OpenSSL/0.9.7b on my server (freebsd 4.8) and everything seems to be working fine. I have apache configured to serve both secure and insecure pages. However, I keep getting the following line in my error log file (thousands of times):
>
>     [Wed Sep 24 12:51:15 2003] [warn] (61)Connection refused: connect to listener
>
> I have thousands of these warnings now in just a couple of days. I can't figure out any pattern to them. I get this warning even when I don't have any activity going on with the web server. It also happens if I don't have any SSL virtual hosts set up. I notice no problems with any web pages, secure or not.

We need a few more details to guess what might be happening - something like the output of httpd -V, the configure options used when building apache and whether you have any other non standard modules installed (ie. php and such). Also your SSL specific part of the configuration.

vh

Mads Toftum
Re: Re-direct in vhost
> Currently I've one vhost on Port 443 while others listen on Port 80. I would like to test the scenario of putting *everything* on openSSL ie listening on Port 443. Do I assume right that all I need is a redirect from the Port 80 vhost to Port 443?

Yes, that sounds about right. Something like this should do:

    Listen 80
    <VirtualHost *:80>
        ServerName example.com
        RedirectPermanent / https://example.com/
    </VirtualHost>

vh

Mads Toftum
Re: Are client requested update supported?
On Fri, Sep 12, 2003 at 03:42:16PM +0200, Adrien Felon wrote:
> Hi,
> I would like to try some client side requested upgrade to HTTP over TLS (cf. section 3 of RFC2817). For that I had apache loading mod_ssl and I try to send the following data to the server (using a telnet on port 80):
>
>     OPTIONS * HTTP/1.1\r\n
>     Host: ...\r\n
>     Upgrade: TLS/1.0\r\n
>     Connection: Upgrade\r\n
>     \r\n
>
> I got a HTTP/1.1 200 Ok\r\n... response instead of HTTP/1.1 101 Switching Protocols\r\n. I start to wonder if apache actually supports this... As https works fine, I think my openssl/mod_ssl config is up and running. It sounds like a dummy question to me but I have walked through the docs without finding the response.

Up to version 2.0.x the answer is that there is no support for it. For 2.1.x there might be some initial code to take care of that, but even if it did make it into the tree, then it is more or less untested because there are no clients for it.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: howto fossick around in archive
On Thu, Aug 21, 2003 at 04:52:12PM +0800, Arthur Chan wrote:
> Hiya. How does one get to the archive to look around?

As noted on http://www.modssl.org/support/ there are two archives for the mailing list:

http://marc.theaimsgroup.com/?l=apache-modssl
http://www.mail-archive.com/[EMAIL PROTECTED]/

vh

Mads Toftum
Re: how to nest SSLRequire
On Wed, Aug 20, 2003 at 10:56:11AM +0200, Hendrik Robbel wrote:
> Hi,
> I tried to nest two directories with SSLRequire entries:
>
>     <Directory /htdocs-ssl/user/>
>         SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
>                     and %{SSL_CLIENT_S_DN_O} eq "user" )
>     </Directory>
>
>     <Directory /htdocs-ssl/>
>         SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
>                     and %{SSL_CLIENT_S_DN_O} eq "Global" )
>     </Directory>
>
> But I got a 403 when I tried to access /htdocs-ssl/user/ with a certificate which has the organisation entry "user".

Why not just use REQUEST_URI as part of your SSLRequire statement instead of wrapping it in Directory?

vh

Mads Toftum
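What the suggested single SSLRequire looks like, as an added example (not a configuration from the thread or from mod_ssl's docs): one directive on /htdocs-ssl/ that picks the required organisation from REQUEST_URI, so there is nothing to merge between nested Directory sections. It assumes the URL path /user/ maps onto /htdocs-ssl/user/ (DocumentRoot /htdocs-ssl); the m#...# form is the alternative-delimiter regex syntax that the SSLRequire grammar allows, used here so the slashes in the path need no escaping.

```apache
# Added example, not from the thread. Assumes DocumentRoot /htdocs-ssl,
# so that requests below /user/ are served from /htdocs-ssl/user/.
<Directory /htdocs-ssl/>
    SSLVerifyClient require
    SSLVerifyDepth  2
    # Reject export and NULL ciphers in all cases, then require the
    # organisation "user" below /user/ and "Global" everywhere else.
    SSLRequire  %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
                and ( ( %{REQUEST_URI} =~ m#^/user/# \
                        and %{SSL_CLIENT_S_DN_O} eq "user" ) \
                   or ( %{REQUEST_URI} !~ m#^/user/# \
                        and %{SSL_CLIENT_S_DN_O} eq "Global" ) )
</Directory>
```

A request for /user/... with a "Global" certificate, or for any other path with a "user" certificate, still gets the 403; that is the intended split, now expressed in one place.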
Re: Flex failure during apache 1.3.28 make - RESOLVED
On Mon, Jul 21, 2003 at 05:14:53PM +0200, Boyle Owen wrote:
> Thanks all! Touching the .c files in src/modules/ssl let flex do its work and the make continued without a hitch.

Well, to be precise, that's not what happened. Make checks the date of the .c file that is output from flex - if the output is newer, then make does not try to run flex.

vh

Mads Toftum
Re: mm library enable or disable shared for modssl as DSO.
On Tue, Jun 10, 2003 at 02:53:38PM -0700, kulkarni veena wrote:
> Hi,
> Thanks. To use the shared library from apache should something be set while configuring apache? I'm using SunOS 5.9, does this OS support it?

It shouldn't be a problem on your os - at least I've used shared memory session caching on solaris 7 & 8 many times. The thing to configure is SSLSessionCache which should be set to something like:

    SSLSessionCache shm:/usr/local/apache/logs/ssl_gcache_data(512000)

http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslsessioncache

vh

Mads Toftum
Re: mm library enable or disable shared for modssl as DSO.
On Tue, Jun 10, 2003 at 02:31:28PM -0700, kulkarni veena wrote:
> Hello,
> I'm trying to use the mm shared library for Apache 2.0.45 with modssl as DSO. My question is should I configure the MM shared library with --enable-shared or --disable-shared.

There's no need for MM with apache2 - it has its own shared memory handling built in if your os supports it.

vh

Mads Toftum
Re: test please ignore
On Sun, Jun 01, 2003 at 09:06:48PM -0500, Ronald Petty wrote:
> I am having a hard time with this list, first I couldn't join, then I haven't received any mail since it supposedly succeeded. In fact I have not reached one message yet and it's been a couple of days. Anyone on this list?

Yeah, there's plenty of people on the list, but it does go quiet at times. Last message was friday - always check the list archive:

http://marc.theaimsgroup.com/?l=apache-modssl

vh

Mads Toftum
Re: mod_ssl/2.8.13 and php AND Problem with 2.8.13 and Solaris 2.6
On Fri, Mar 21, 2003 at 04:18:11AM -0500, Jason Parsons wrote:
> I'm seeing similar problems after an upgrade to mod_ssl 2.8.13 under Solaris 2.8.
>
>     [Fri Mar 21 04:10:42 2003] [notice] child pid 4241 exit signal Segmentation Fault (11)
>     [Fri Mar 21 04:10:42 2003] [notice] child pid 4248 exit signal Segmentation Fault (11)
>     [Fri Mar 21 04:10:42 2003] [notice] child pid 4240 exit signal Segmentation Fault (11)
>
> When accessing an https page using php. http and php are fine.

You need to upgrade to 2.8.14-1.3.27, which was released 21-Mar-2003 to fix a problem similar to what you're describing.

vh

Mads Toftum
Re: verify error:num=21
On Thu, Apr 03, 2003 at 02:52:17PM -0500, Austin Conger (IT) wrote:
> Hi All,
> When I submit this command to my Verisign Certificate Secured Site I am getting this error.
>
>     openssl s_client -connect www.domain.com:443
>
> It's returning these errors:
>
>     CONNECTED(0004)
>     depth=0 /C=US/ST=michigan/L=some city/O=Company A LLC/OU=Terms of use at www.verisign.com/rpa (c)00/CN=www.domain.com
>     verify error:num=20:unable to get local issuer certificate
>     verify return:1
>     depth=0 /C=US/ST=michigan/L=some city/O=Company A LLC/OU=Terms of use at www.verisign.com/rpa (c)00/CN=www.domain.com
>     verify error:num=27:certificate not trusted
>     verify return:1
>     depth=0 /C=US/ST=michigan/L=some city/O=Company A LLC/OU=Terms of use at www.verisign.com/rpa (c)00/CN=www.domain.com
>     verify error:num=21:unable to verify the first certificate
>     verify return:1
>     etc
>
> Can anyone identify the reason as to why this is happening?

Very simple really - openssl is telling you that it can't verify the certificate because it does not know the CA that it was issued by. Nothing strange or unexpected in that. Use one of the following to enable verification:

    -CApath arg   - PEM format directory of CA's
    -CAfile arg   - PEM format file of CA's

By default openssl knows no CA's, so you need to get the CA cert of the signer and use that.

vh

Mads Toftum
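A small helper for scripting the check above, as an added example that is not part of the thread: it reads the output of openssl s_client on stdin, picks out the "verify error:num=N" lines, and turns the last one into its exit status, with a hint for the three codes seen in the question (20, 21 and 27), which all mean the verifier simply does not have the issuing CA certificate. The function name and the hint text are mine; the error numbers and messages are OpenSSL's.

```shell
#!/bin/sh
# Added example, not from the thread: summarise s_client's verify result.
# Reads s_client output (stdout and stderr merged) on stdin.
# Returns 0 when no "verify error" line was printed, otherwise the number
# of the last verify error seen (e.g. 20, 21, 27 as in the question).
s_client_verify_status() {
    last=0
    while IFS= read -r line; do
        case "$line" in
            "verify error:num="*)
                rest=${line#verify error:num=}   # "21:unable to verify ..."
                last=${rest%%:*}                 # "21"
                ;;
        esac
    done
    case "$last" in
        0)
            echo "chain verified" ;;
        20|21|27)
            # unable to get local issuer certificate / unable to verify the
            # first certificate / certificate not trusted: the CA that
            # signed the server cert is not known to openssl.
            echo "verify error $last: issuer not trusted; pass the signer's CA cert with -CAfile or -CApath" ;;
        *)
            echo "verify error $last: see the verify(1) man page" ;;
    esac
    return "$last"
}

# Live use (needs network; the offline test feeds constructed output):
#   openssl s_client -connect www.domain.com:443 -CAfile ca.pem </dev/null 2>&1 \
#       | s_client_verify_status
```

s_client prints the verify errors on stderr, so the 2>&1 in the usage line matters; without it the function sees only the stdout half and reports "chain verified".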
Re: mod-ssl + Apache 2.0.44
On Wed, Mar 12, 2003 at 10:25:04AM -, Eduardo Zurita wrote:
> Hello,
> I'm trying to configure Apache 2.0.44 + mod_ssl and I'm getting this:
>
>     [EMAIL PROTECTED] mod_ssl-2.8.12-1.3.27]# ./configure --with-apache=../httpd-2.0.44
>     Configuring mod_ssl/2.8.12 for Apache/1.3.27
>     ./configure:Error: Cannot find Apache 1.3 source tree under ../httpd-2.0.44
>     ./configure:Hint: Please specify location via --with-apache=DIR
>
> what is wrong?

Mod_ssl is included in Apache2, so you don't need a separate download - see ./configure --help in the Apache 2 source for instructions on how to enable mod_ssl.

vh

Mads Toftum
Re: securing one area of a vhost in apache 2
On Thu, Feb 27, 2003 at 12:52:06PM -0800, Nick Tonkin wrote:
>     [EMAIL PROTECTED] ~ lwp-request -sSed https://www.ladyraquel.com:8080/secure/
>     GET https://www.ladyraquel.com:8080/secure/ --> 501 Protocol scheme 'https' is not supported
>
> ## huh?!
>
> Any more advice gratefully accepted :)

This looks very much like a client error from lwp. You need Crypt::SSLeay for that, see: http://search.cpan.org/author/CHAMAS/Crypt-SSLeay-0.49/

vh

Mads Toftum
Re: mass ip virtual host mod_ssl?
On Tue, Feb 18, 2003 at 05:09:38PM -0600, Ray a PowerWeb Tech wrote:
> is it possible using either mod_rewrite, mod_vhosts_alias or some trick in mod_ssl to have multiple virtual hosts by ip address

No, that is not possible.

vh

Mads Toftum
Re: SSLProxy - Howto delegate Client Certificate to backend server
On Fri, Feb 21, 2003 at 07:39:07AM +0100, [EMAIL PROTECTED] wrote:
> I'd like to pass the client certificate provided by the end user to the backend server. Is there a chance to do this with mod_ssl?

Currently there isn't a solution with mod_ssl. There are however a couple of ways to do this if you don't mind hacking the code. I made a POC module for Apache 1.3, http://www.toftum.org/www2/apache/ , which is just a very simple example of how this can be done. A patch has also been sent to the [EMAIL PROTECTED] list recently - it has not been included, but see http://marc.theaimsgroup.com/?t=10449923556&r=1&w=2

vh

Mads Toftum
Re: Apache will not start HELP
On Thu, Feb 20, 2003 at 03:19:19PM -0800, [EMAIL PROTECTED] wrote:
> I get the error message every time I try to start Apache and it will not start. I need help with this. What do I need to be looking at to fix this?
>
>     [Thu Feb 20 18:00:09 2003] [error] mod_ssl: Init: Failed to load temporary 512 bit RSA private key

See the FAQ: http://www.modssl.org/docs/2.8/ssl_faq.html#entropy

vh

Mads Toftum
Re: add a certificate to a Certificate Revocation List
On Wed, Feb 19, 2003 at 11:57:20AM +0100, Zampognaro Sergio wrote:
> How to add a client certificate to an already created and empty Certificate Revocation List?

    openssl ca -revoke filename

see man ca and man crl in the openssl docs.

vh

Mads Toftum
Re: add a certificate to a Certificate Revocation List
On Wed, Feb 19, 2003 at 12:10:14PM +0100, Mads Toftum wrote:
>     openssl ca -revoke filename
>
> see man ca and man crl in the openssl docs.

I forgot to add this link - http://www.apacheweek.com/features/crl

vh

Mads Toftum
Re: FW: newbie request for assistance
On Mon, Feb 03, 2003 at 11:52:09AM -0600, Kurt A. Buckardt wrote:
> for the record, here's the only error_log output I'm receiving.
>
>     [Mon Feb 03 12:45:51 2003] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
>     [Mon Feb 03 12:45:51 2003] [notice] Apache/2.0.44 (Unix) mod_ssl/2.0.44 OpenSSL/0.9.6g configured -- resuming normal operations

Right, so you're missing a configuration directive - see http://httpd.apache.org/docs-2.0/mod/mod_ssl.html#sslsessioncache

vh

Mads Toftum
Re: log question
On Mon, Feb 03, 2003 at 08:15:21PM -0600, Kurt A. Buckardt wrote:
> Two dumb questions:
>
> 1: If it is informational, why is it in an error log?

That is how it has been done with apache - your LogLevel is set so that this type of error goes into the ErrorLog. Given that there is usually only an access and an error log, this is the only place.

> 2: I have configured OpenSSL 0.9.7 on this box. Previously (before Apache was installed) it had OpenSSL 0.9.6g. Is the reference to OpenSSL 0.9.6g in the aforementioned log entry indicating that mod_ssl included older OpenSSL code, or is the reference to 0.9.6 indicating that something is misconfigured on my box?

The openssl version number is defined at compile time, so even with a new openssl you wouldn't see a difference. Whether it has in fact been updated depends on whether openssl was linked statically or dynamically into mod_ssl. If ldd is available on your os, then you can try:

    ldd SERVER_ROOT/libexec/libssl.so

(SERVER_ROOT is usually /usr/local/apache/) It will tell you which libraries libssl is linked to.

vh

Mads Toftum
Re: [warn] RSA server certificate CommonName (CN) `yin.*' does NOT match server name!?
On Wed, Jan 29, 2003 at 11:00:05AM +0100, Aihong Yin wrote:
> Hello all,
> I am trying to set up my server (apache 2.0.43, openssl 0.9.6g on RedHat 7.1). I have created a SSL server certificate using a self-made CA, and am sure that the Common Name in the Server Certificate and ServerName in the http.conf file are the same, yin.fokus.gmd.de, which is identical with the host address.

From the error message in the subject, it would appear that you have set CN to yin.* and not yin.fokus.gmd.de. Use openssl to verify the problem:

    openssl x509 -noout -text -in server.crt

vh

Mads Toftum
Re: Error on expired date of cert
On Tue, Jan 28, 2003 at 09:22:36PM +0200, Oleg Lyebyedyev wrote:
> Hello,
> I have the following option:
>
>     SSLVerifyClient optional
>
> (optional_no_ca - same result)
> My servlet analyzes data from the cert. With correct certs all is ok. Somebody without a cert also has access to my page and I know that he hasn't a cert, but when an expired cert is used then a server error occurs. What is the problem? Can I create an ssl configuration to give access for all certs and to get the cert info?

Currently that is not possible afaict.

vh

Mads Toftum
Re: HTTP -- HTTPS rewrite not working
On Fri, Jan 17, 2003 at 09:39:12PM -0700, Sancho2k.net Lists wrote:
>     NameVirtualHost 10.0.0.40:443
>     <VirtualHost 10.0.0.40:443>
>     [SNIP]
>         RewriteEngine on
>         RewriteCond %{SERVER_PORT} !^443$

This will never happen because you're already inside the Port 443 vhost container.

>     NameVirtualHost 10.0.0.2:80
>     <VirtualHost 10.0.0.2:80>
>         ServerName www.sancho2k.net
>         Redirect / https://family.sancho2k.net/

No real need to use mod_rewrite for that.

vh

Mads Toftum
Wildcard Certs
Wildcard certs have been discussed here on the list recently and Thawte has been mentioned as the place to buy wildcard certs. We decided to check and got the following answer:

- We unfortunately discontinued the wild cards certs about 8 months ago and no longer issue them. You would have to apply for each SSL individually. -

So neither Thawte nor Verisign (who own Thawte) issue wildcard certs.

vh

Mads Toftum
Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)
On Sun, Jan 12, 2003 at 09:23:27PM -0600, Barry Smoke wrote:
> o.k...you have my attention now...
> wildcard certificate?
> Can wildcard certificates be purchased, or is this only if you are self signing?

According to Thawte's website they still issue wildcard certs.

> I sure would like to buy one certificate, and have all my subdomains on my main domain recognize it without a warning window popping up for internet customers...

YMMV - some versions of MSIE do not accept wildcard certs because M$ decided to stop doing that for a couple of releases.

>     https://arhosting.com
>     https://www.arhosting.com
>     https://secure.arhosting.com
>     https://www.secure.arhosting.com
>
> I would like to cover all of my bases with one certificate... Is this possible?

*arhosting.com should probably do it.

vh

Mads Toftum
Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)
On Mon, Jan 13, 2003 at 07:32:24AM -0800, Eric Rescorla wrote:
> There is already a document describing how to do this with SSL/TLS in the IETF standards pipeline.

Unfortunately this is not implemented in very many places - so far the only place I've heard of is Apache 2.1 which has some preliminary and untested code for it. If anyone knows of a compliant client, then that would be much appreciated.

vh

Mads Toftum
Re: 2 VirtualHosts with 2 Certificates
On Wed, Jan 08, 2003 at 07:58:10PM +0100, toxshark wrote:
> i have the apache configured with 2 VirtualHosts on port 443. both VirtualServers have separate CertificateFiles and CertificateKeyFiles. but now if i connect to VirtualHost2, the Host has the Certificate from VirtualServer1! both Hosts now have the same Certificate.

A classical FAQ - http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts - you need different ip's or different ports.

vh

Mads Toftum
Re: compiling on existing apache 1.3.27 ?
On Thu, Dec 19, 2002 at 10:15:05AM +1100, Andrew Nelson wrote:
> Hi,
> I had great trouble upgrading my server to Apache 1.3.27 with frontpage and PHP... I've finally done it and now I want to add mod_ssl to it... In the docs, it only describes building apache with mod_ssl from scratch - is it easy to compile it in now? I also noticed the directory structure is different from the FreeBSD port - apache config is in /usr/local/etc/apache and the rest is elsewhere.

It can't be done unless apache was prepared for mod_ssl in the first place.

    /path/to/apache/bin/httpd -V

should list -DEAPI if it has. If that is in place, then read the INSTALL file about upgrading, but without it you have to recompile from scratch.

vh

Mads Toftum
Re: mod_ssl Project Environment Migrated
On Sun, Dec 15, 2002 at 09:41:11AM +0100, Ralf S. Engelschall wrote:
> Just for your information: the Apache mod_ssl project environment was
> migrated to a new location. In case of any problems, contact me.

It seems that cvs is broken - http://www.modssl.org/source/cvs/ and the
docs taken from the source - like
http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL
both result in Internal Server Error.

vh

Mads Toftum
Re: Server Load problems under heavy SSL traffic
On Thu, Dec 12, 2002 at 11:35:07AM -0500, Dale Weaver wrote:
> We are experiencing problems under heavy traffic to our SSL site. I
> have read the FAQ on performance and have decided to switch to shmcb
> caching, but I don't know if that will help the problem.

Switching from what?

You might be able to speed it up a bit tweaking different things like
the cache size, timeouts and compiling openssl with no-threads. But this
is still quite a few connections, and you may not be able to squeeze too
much more out of it without adding an ssl accelerator card.

vh

Mads Toftum
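The session-cache settings the reply refers to, as an added example rather than configuration from the thread. Without a cache shared between the pre-forked children, a client that reconnects and lands on a different child gets a full handshake (a private-key RSA operation) every time; the cache lets those connections resume instead. Paths are assumptions; the size is in bytes and the timeout in seconds.

```apache
# Shared-memory session cache, visible to every child process.
# 512000 bytes holds a few thousand sessions; grow it if the cache
# fills before SSLSessionCacheTimeout expires entries.
SSLSessionCache        shmcb:/var/run/httpd/ssl_scache(512000)
SSLSessionCacheTimeout 300

# Serialises cache access between children; a lock file is the
# portable choice, 'sem' uses SysV semaphores where available.
SSLMutex file:/var/run/httpd/ssl_mutex

# Older alternative if shmcb was not compiled in (slower: file locking
# on every lookup). Leave only one SSLSessionCache line active.
# SSLSessionCache dbm:/var/run/httpd/ssl_scache
```

`SSLSessionCache none` (or a cache that is too small to hold the working set) is what makes a busy SSL site CPU-bound on handshakes; the timeout trades memory for how long a returning client can skip the full handshake.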
Re: how to add multiple SSL cert for each virtual host?
On Wed, Dec 04, 2002 at 01:17:12PM +0100, Boyle Owen wrote:
> > From: Cliff Woolley [mailto:[EMAIL PROTECTED]]
> > But please, people, this is SUCH a frequently asked question.
> > Definitely one of the top three.
>
> I'd say it is THE most frequently asked question (but I can't be
> bothered scanning the archives to prove it :-)

Yeah, I think so too.

> The FAQ (http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47) is all
> very well, but it is rather technical for a newbie and, having been
> written by someone for whom English is a second language, is not as
> illuminating as it might be. I had a go at re-writing it a few years
> ago (http://marc.theaimsgroup.com/?l=apache-modssl&m=98559369910170&w=2)
> so maybe we could start there...

Yes, I'll add it to the 2.x docs.

> However, given the tendency of people to read the instructions only if
> all else fails, putting a warning in the default config sounds like a
> good idea. Putting an error message in the source-code would be even
> better!

I'm pretty sure there already is (at least in 1.3) but that requires
people to read the error_log.

vh

Mads Toftum
Re: mod-ssl for apache 2.0.x - wasn't compiled
On Mon, Nov 18, 2002 at 02:11:47PM +0800, Xeruz at Hotmail wrote:
> [Questions]
> 1. Where can I explore further about mod_ssl on Apache-2.0.x ? Any link?

httpd.apache.org/docs-2.0/
www.modssl.org/support/ (which has links to the archive of this list).

> 2. Where can I download mod_ssl for Apache-2.0.39? (In case, the
> default ssl module in Apache 2.0.39 is not recommended.)

You should be using 2.0.43 - but other than that, what comes with apache
should be just fine. The options from 1.3 won't work, but running
./configure --help in the 2.0 source tree will give you a list of the
options that you need.

vh

Mads Toftum
Re: http to https
On Tue, Oct 29, 2002 at 10:32:53AM -0800, rmckee wrote:
> Hello, I'm sure this has been asked but I can't find the answer. I have
> Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.6e. In the httpd.conf
> can I make an http link go to (redirect) an https link? So if they
> click on this link: http://system.company.com/ it will direct to
> https://system/ or https://system.company.com/

In your http vhost put:

Redirect / https://system.company.com/

vh

Mads Toftum
Re: Apache 2.0.39 and OpenSSL 0.9.6g.
On Thu, Oct 03, 2002 at 01:00:06PM -0400, Xiao, Wei wrote:
> I installed apache with SSL. After generating the self-signed key, I
> can't start apache. Following is the error message in error_log.
>
> [Thu Oct 03 12:53:41 2002] [warn] Init: PRNG still contains not sufficient entropy!
> [Thu Oct 03 12:53:41 2002] [error] Init: Failed to generate temporary 512 bit RSA private key
> Configuration Failed
>
> Does that mean that the random files that I picked were not big or
> unique enough? What will be the proper file on AIX?

See http://www.modssl.org/docs/2.8/ssl_faq.html#entropy and
http://www.openssl.org/support/faq.cgi#USER1

vh

Mads Toftum
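The usual shape of the fix behind those two FAQ links, as an added example (not configuration posted in the thread). The warning means OpenSSL's PRNG was never seeded with enough unpredictable input; `SSLRandomSeed` tells mod_ssl where to get it, both at startup and per connection. The device path and the EGD socket path are assumptions; which one exists depends on the platform, and on a system where neither does, an EGD/PRNGD daemon has to be installed first.

```apache
# Seeding at startup (needed before the temporary RSA key can be made)
# and again for each connection. 'builtin' mixes in time, pid and a
# little stack garbage, which on its own is what triggers the warning.
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512

# Without a kernel random device, read from an Entropy Gathering
# Daemon socket instead (assumed path):
# SSLRandomSeed startup egd:/var/run/egd-pool
# SSLRandomSeed connect egd:/var/run/egd-pool
```

Prefer `/dev/urandom` over `/dev/random` here: the latter blocks when the kernel pool is low, which on a headless server can stall startup or every new connection. Seeding from a fixed file such as `/var/log/messages` is not a substitute; its contents are guessable by anyone who can read or influence the log.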
Re: SSL_CLIENT_CERT env var empty?
On Tue, Oct 01, 2002 at 03:23:38PM +0200, Pavel Zdenek wrote:
> Hello, short and simple question: is the SSL_CLIENT_CERT environment
> variable supposed to have some content? According to the mod_ssl
> reference, it should be the raw string of the PEM-encoded client
> certificate. Everything else SSL_CLIENT_* is set and correct (the
> client auth is working ok), except the damn SSL_CLIENT_CERT. Neither
> is SSL_SERVER_CERT, but I'm not interested in that. The playground is
> RedHat 7.2 Linux with mod_ssl 2.8.4 on Apache 1.3.20, which is a
> default of the distribution. If none of the SSL_CLIENT_* env vars were
> set, I would be hacking around with versions, apache setup, suspecting
> RedHat etc., but it basically works and I have no other problem,
> except that SSL_CLIENT_CERT is empty :-(

Make sure that you have the following set in the right context:

SSLOptions +ExportCertData

See also http://www.modssl.org/docs/2.8/ssl_reference.html#ToC21

vh

Mads Toftum
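The "right context" in a complete client-certificate setup, as an added example (not configuration from the thread). `SSLOptions` is a per-directory directive, so it has to sit in, or be inherited by, the location whose scripts read the variable; the `SSL_CLIENT_*` variables the poster already sees come from `+StdEnvVars`, while the PEM blob in `SSL_CLIENT_CERT` (and `SSL_SERVER_CERT`) is only produced when `+ExportCertData` is on as well. Hostnames and paths are assumptions.

```apache
<VirtualHost 192.0.2.10:443>
    ServerName   www.example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/example.com.key

    # The CA (or CA bundle) whose client certificates we will accept.
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt

    <Location /secure>
        # Handshake fails unless the client presents a certificate that
        # chains to client-ca.crt within two steps.
        SSLVerifyClient require
        SSLVerifyDepth  2

        # StdEnvVars: SSL_CLIENT_S_DN, SSL_CLIENT_VERIFY, ... for CGI/SSI.
        # ExportCertData: additionally SSL_CLIENT_CERT and SSL_SERVER_CERT
        # as PEM text. Both are off by default because they cost time on
        # every request, so enable them only where scripts need them.
        SSLOptions +StdEnvVars +ExportCertData
    </Location>
</VirtualHost>
```

A script under `/secure` should still check `SSL_CLIENT_VERIFY` is `SUCCESS` before trusting anything in `SSL_CLIENT_CERT`; with `SSLVerifyClient optional` a connection can reach the script with no certificate at all, and the variable will simply be unset.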
Re: mod_ssl and apache 1.3.26
On Sun, Sep 29, 2002 at 02:23:11AM -0400, [EMAIL PROTECTED] wrote:
> Hey, I too have the same requirement. I want to install (add module)
> only mod_ssl to existing apache and openssl. Many sites explain how to
> install apache with mod_ssl from their sources, but nowhere did I find
> how to add the mod_ssl module alone.

This is only possible if apache already has EAPI built in. To check do:

./httpd -V

It should list:

-D EAPI

for the install without rebuilding apache to work. Also make sure that
openssl is OpenSSL 0.9.6g.

vh

Mads Toftum
Re: Apache 1.3.9 make fails with mod_ssl 2.4.10 and openssl 0.9.5a
On Tue, Sep 17, 2002 at 02:24:35AM -0700, hiren mehta wrote:
> Hi, I am getting the error as below when making apache. I am using
> Apache 1.3.9 + mod_ssl 2.4.10 with openssl 0.9.5. I also tried with
> openssl 0.9.5a without success.

IIRC you would need an even older version of openssl for this to work -
something in the early 0.9.4 series. But you should not do that, as
there are well known exploits for all of these. You really should be
using openssl-0.9.6g, apache-1.3.26 and mod_ssl-2.8.10.

vh

Mads Toftum
Re: Apache + VirtualHost + WebDAV + mod_ssl
On Wed, Sep 04, 2002 at 06:01:28PM +0200, Thierry Cabuzel wrote:
> Is it possible to keep all my ordinary sites on the http protocol and
> put the WebDAV web folder on https ?

yes

> I have downloaded Apache_1.3.24-Mod_SSL_2.8.8-OpenSSL_0.9.6c-WIN32.zip.
> Is it enough ?

you need newer versions - apache should be 1.3.26 and openssl also needs
to be the latest version.

> How can I configure my httpd.conf ?

Use the default mod_ssl httpd.conf along with the docs to do that.

vh

Mads Toftum
Re: Regarding mod_ssl version which suits apache 2.0.39
On Wed, Jul 31, 2002 at 02:14:21PM -0400, Venkat Reddy Valluri wrote:
> Hi, Can you please let me know where exactly I can get the suitable
> mod_ssl version which suits apache 2.0.39? I tried to find out on
> www.modssl.org, but found only mod_ssl_2.8.10-1.3.26, which suits
> apache 1.3.26.

Mod_ssl is part of apache 2.0.x and is included in the source tarballs
available at http://httpd.apache.org/dist/

vh

Mads Toftum
Re: Verisign Global Server ID requires Stronghold
On Tue, Jul 30, 2002 at 11:10:01AM +0300, Viljo Marrandi wrote:
> Hello, We're making here one secure site and we ordered from Verisign
> their Global Server ID, and there in the ordering form it says that
> these IDs are available for platforms like C2Net Apache Stronghold,
> IBM, Netscape etc. So do I really have to buy Stronghold for $1000 USD
> and RedHat costing $700, or can I use this ID on free Apache/mod_ssl
> too? I found out that Stronghold is also based on mod_ssl and I didn't
> find any articles saying that these IDs don't work on free servers.
> Please enlighten me on this.

They will work just as well on apache with mod_ssl.

vh

Mads Toftum
Re: freebsd SSLCryptoDevice
On Wed, Jul 10, 2002 at 01:48:15AM -0400, Cliff Woolley wrote:
> Note that there's no such thing as a separate SSLLog/SSLLogLevel in
> Apache 2.0 anymore -- it's all lumped in with the regular error_log.

<flame mode>
Which is a really bad move IMHO - debugging with mod_ssl was very good,
and easy to use, but now with 2.0 it has been hacked into something much
less usable. Making the loglevel tie in with the general loglevel, you
get debugging info from two places at once that it _very_ rarely makes
sense to debug together. For those of us who actually use the SSLLog as
proof that every transaction did in fact have the right levels of crypto
etc, this is a real PITA change. But I suppose that is what happens when
someone decides to apr'ize stuff they don't really know a whole lot
about.
</flame mode>

vh

Mads Toftum
Re: SSLPassPhraseDialog
On Fri, Jun 14, 2002 at 02:25:32PM +0100, Zac Hillier wrote:
> Can anyone help? I'm trying to set up the ssl_module on apache 2 under
> Mandrake 8.1. When I start the server I get an error message 'Invalid
> Command SSLPassPhraseDialog'; in the ssl.conf this is trying to call
> builtin. However I'm not sure where to turn to resolve this issue; if
> I comment out the line in the conf file then a further error occurs for
> the next item in the conf file, 'SSLSessionCache'. Please help, it's
> driving me slowly mad = {

It looks like your apache2 has been compiled without ssl support, or
that the module has not been loaded.

vh

Mads Toftum
Re: How to disable part of the HTTP pages?
On Thu, Jun 06, 2002 at 08:47:24AM +0800, Conrad Ng wrote:
> Dear all
>
> After I have implemented the SSL technology in my servers, I understand
> that users can access securely under HTTPS://link. However, they can
> still access through HTTP://link. Is there any way to block people from
> accessing under HTTP:// ? I don't mean to block the whole port 80 but
> only some pages; does it belong to the settings of Apache or what?
> Please instruct. Thanks a lot!!

Just make sure that DocumentRoot is not the same for both the HTTP and
the HTTPS server.

vh

Mads Toftum
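When the two vhosts have to share one DocumentRoot (a site where only some pages are sensitive), mod_ssl's own directive for the poster's question is `SSLRequireSSL`. This is an added example, not configuration from the thread; hostnames, the address and the paths are assumptions. A `<Directory>` section at server level is inherited by both vhosts, so a single one protects the sensitive path on whichever socket the request arrives.

```apache
<VirtualHost 192.0.2.10:80>
    ServerName   www.example.com
    DocumentRoot /var/www/example.com
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName   www.example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/example.com.key
</VirtualHost>

# Same files under both vhosts, but anything below /account is refused
# with 403 Forbidden unless the request came in over SSL. Public pages
# elsewhere in the tree stay reachable on port 80.
<Directory /var/www/example.com/account>
    SSLRequireSSL
</Directory>
```

A 403 rather than a redirect is deliberate for this part of the site: by the time the server could redirect, a form POST to http://.../account has already crossed the wire in the clear, so the safe thing is to refuse it and fix the link that sent the user there. Separate DocumentRoots, as in the reply above, avoid the question entirely and are simpler to audit.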
Re: Details on how to run a CRL?
On Wed, Jun 05, 2002 at 02:47:12PM +1200, Jason Haar wrote:
> We are looking at using Client Certs via an internal CA as a cheap way
> of strong authentication (SecurID costs are killing us!)
>
> Obviously we'll have to introduce processes by which leaving staff have
> their certs revoked, and have quick turnaround on revoking certs when a
> user reports them lost (yeah, right... :-/)
>
> Anyway, I can't think of a way of getting the server to check
> revocations other than uploading the crl.pem hourly/daily from the CA
> to each SSL server. This is possible, but I wondered if there is a
> better way of doing it, or is that how this is meant to be done? I
> mean, that doesn't look like it'd scale very well...

Depending on exactly how many certs you're expecting to expire, this
should still work fine for a couple of thousand users. I suppose you
could even remove certs from the crl once they've expired (since they
will still be rejected). As an alternative you could use
http://authzldap.othello.ch/

> If that is true, can I imply from this that revocation checks basically
> aren't done on the Internet today?

No.

vh

Mads Toftum
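The server side of the CRL scheme the poster describes, as an added example (not configuration from the thread). mod_ssl checks every presented client certificate, and the CA certificates above it, against the CRL before accepting the handshake; a revoked certificate still verifies cryptographically, and only this check turns it away. Hostnames and paths are assumptions.

```apache
<VirtualHost 192.0.2.10:443>
    ServerName   www.example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/example.com.key

    # Internal CA that issues the staff certificates.
    SSLCACertificateFile  /etc/httpd/ssl/staff-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # PEM CRL signed by that CA. The hourly/daily job drops the fresh
    # copy here; a certificate whose serial is listed is refused at the
    # handshake even though its signature and validity dates are fine.
    SSLCARevocationFile   /etc/httpd/ssl/staff-ca.crl

    # Alternative for several CAs: a directory of CRLs named by subject
    # hash (<hash>.r0, as produced by OpenSSL's c_rehash).
    # SSLCARevocationPath /etc/httpd/ssl/crl/
</VirtualHost>
```

Two operational points the config does not show. mod_ssl loads the CRL when the server starts, so the copy job has to finish with a graceful restart (`apachectl graceful`) or the new revocations are not seen. And the CRL's own `nextUpdate` is the real deadline for that job: publish a new CRL before the old one expires, or clients will be judged against stale data.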
Re: looking for the sign.sh file
On Sat, May 11, 2002 at 05:18:07AM -0500, Ian Miller wrote:
> Looking for the sign.sh file in apache 2.0

It isn't there, but you can grab the one from 1.3 at
http://www.modssl.org/source/cvs/exp/mod_ssl/pkg.mod_ssl/pkg.contrib/sign.sh?rev=1.7&hideattic=1&sortbydate=0

vh

Mads Toftum
Re: Repudiability
On Tue, May 07, 2002 at 03:55:08AM +1200, Andrew McNaughton wrote:
> Suppose someone denies that they have sent information to a Web site
> owner; how is the Web site owner to prove that the information was in
> fact received and that it was signed with a given key? To do this, the
> Web site owner would presumably need to be able to produce the
> still-encrypted post as sent by the user, but from a quickish reading
> of the mod_ssl reference, I don't see any way to log this information.

The SSL protocol does not have any support for that.

vh

Mads Toftum
Re: How to Create a wildcard certificate?
On Thu, May 02, 2002 at 01:15:33PM +1000, Adrian Bolzan wrote:
> Hello, Are there instructions on the Apache site, or elsewhere,
> detailing how to create a self-signed wildcard certificate? I have
> created host.domain specific certificates but am not sure how to
> create a wildcard cert.

Wildcard certs are made exactly as any other cert.

vh

Mads Toftum
Re: Certificate Question
On Thu, May 02, 2002 at 03:26:23AM +, [EMAIL PROTECTED] wrote:
> All, I am new and am wondering the following: I have installed openssl.
> Do I need to buy a cert from verisign/thawte, etc., or can I generate a
> free one using the openssl engine?

Whether you need a real certificate or not depends on what you want to
use it for - see also
http://www.modssl.org/docs/2.8/ssl_faq.html#cert-dummy

vh

Mads Toftum
Re: More Apache 2.0.35 testing
On Wed, May 01, 2002 at 12:50:42PM -0700, Lynn Gazis wrote:
> I'm now getting unresolved externals when trying to build Apache 2.0.35
> with SSL enabled on Solaris 7, and would like, before I go farther in
> trying to diagnose this particular problem (and the shared memory cache
> problem I am having on HP UX), to ask a couple of general questions:

Which of the shared memory cache versions? There was a fix checked into
cvs a day or two ago.

> 1) In testing Apache 2.0, should I be testing with the latest version
> of OpenSSL 0.9.6 or with the latest pre-release version of OpenSSL
> 0.9.7?

I think 0.9.6c is your safest bet - but 0.9.7 might work too.

> 2) Is there some option that I have not found which I should be using
> to enable the engine code (right now I am doing so by modifying
> mod_ssl.h to turn SSL_EXPERIMENTAL and SSL_ENGINE on)?

The old way doesn't work?

> 3) Should the shared memory cache be automatically included in Apache
> 2.0, or should I be somehow including mm-1.1.3, as I have been doing
> with modssl?

Shared memory is now supported by apr, which is included in apache.

> 4) Should I be reporting problems I run across in testing Apache 2.0 to
> a different list from this one?

This list should be fine - if you have confirmed bugs or patches, then
the bug tracking system at apache.org would be a nice place to dump a
copy.

vh

Mads Toftum
Re: More Apache 2.0.35 testing
On Wed, May 01, 2002 at 02:37:56PM -0700, Lynn Gazis wrote:
> The shmcb session cache. Is that the one the fix is for? If so, I'll
> try it out.

Yes, that is the one -
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_scache_shmcb.c
The next version of apache2 should be tagged in the tree - a new release
is probably not too far away.

> No, for some reason SSLCryptoDevice cswift isn't being recognized, in
> my conf file, if I use --enable-rule=SSL_EXPERIMENTAL, but is
> recognized if I go and modify mod_ssl.h directly.

Will adding -DSSL_EXPERIMENTAL to CFLAGS work? There is a bit in the
README file about how it is supposed to work.

vh

Mads Toftum
Re: mod_ssl problem
On Fri, Apr 26, 2002 at 08:06:54PM +0530, manjeet wrote:
> Dear Sir,
> Please tell me solution about mod_ssl
>
> Starting service httpd
> [Fri Apr 26 22:16:27 2002] [info] mod_ssl:Compat: MAPPED 'SSLEnable' => 'SSLEngine on'
> [Fri Apr 26 22:44:59 2002] [notice] Apache/1.3.12 (Unix) (SuSE/Linux) mod_fastcgi/2.2.2 DAV/0.9.14 mod_perl/1.21 PHP/4.0b4pl1 mod_ssl/2.6.2 OpenSSL/0.9.5 configured -- resuming normal operations

What exactly is the problem - all this tells me is that you've got an
old version of Apache and mod_ssl - and that you're either using a very
old config or a config from something like Apache+SSL

vh

Mads Toftum
Re: mod_ssl, Apache 2.0.35 and ProxyPass
On Sat, Apr 27, 2002 at 01:15:15PM +0200, Guan Yang wrote:
> I am using Apache 2.0.35 (configured using --enable-ssl --enable-proxy)
> and I am having some problems with using ProxyPass over an
> SSL-encrypted server.

ProxyPass is broken for ssl vhosts in Apache 2.0.35 - either use the
latest cvs version (where this bug has been fixed) or wait for the next
Apache2 release.

vh

Mads Toftum
Re: Why https vs http
On Mon, Apr 22, 2002 at 04:20:45PM -0400, [EMAIL PROTECTED] wrote:
> Hello, I'm looking for anyone's thoughts on why it is not a good idea
> to have an https site be able to convert to an http site. I am having
> many discussions with co-workers that feel the client would be at
> fault if they type in the http link instead of using the https link
> that is provided?? I feel that the customer should not even have the
> chance to enter http and be able to log in. My response to my team is:
> it's our job (web team) not to even let them have access to the http
> link; it should redirect or give an error. What do you people have to
> add to this?

Something like this in your http vhost:

RedirectMatch permanent ^/(.*)$ https://www.example.com/$1

vh

Mads Toftum
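The whole-site redirect in context, covering both this thread and the "http to https" question answered with `Redirect / https://system.company.com/` earlier on this page. This is an added example, not configuration posted in either thread; hostnames, the address and the paths are assumptions. The plain-HTTP vhost serves nothing itself: its only job is to send the browser to the SSL vhost with the requested path intact.

```apache
# Port 80: no DocumentRoot content at all, just the redirect.
# RedirectMatch captures the path so deep links keep working; mod_alias
# appends the query string to the target on its own. 'permanent' sends
# 301, so browsers and proxies remember the move.
<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    RedirectMatch permanent ^/(.*)$ https://www.example.com/$1
</VirtualHost>

# Port 443: the real site.
<VirtualHost 192.0.2.10:443>
    ServerName   www.example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/example.com.key
</VirtualHost>
```

For a whole-site move the shorter `Redirect permanent / https://www.example.com/` from the other thread does the same thing, since `Redirect` appends whatever followed the matched prefix. The redirect only covers what the poster asked for, namely users typing or following an http link: whatever the browser sent in that first plain request (cookies, a POSTed form) has already travelled unencrypted, which is why the login form itself must only ever be published under https.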
Re: mod_ssl-2.0.35 + mod_proxy
On Mon, Apr 15, 2002 at 11:48:33AM +0300, Issac Goldstand wrote:
> I've just upgraded my front-end server to Apache
> 2.0.35/mod_ssl/openssl-0.9.6b. When I try to connect to an https
> virtualhost, however, the connection just seems to hang there. Now,
> the backend is NOT running mod_ssl (under Apache 1.3, it didn't have
> to). Does it have to, now? The engine_log is reporting:

You're hitting a bug that has been fixed in the latest cvs - see
http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/mod_ssl.c?rev=1.63&content-type=text/vnd.viewcvs-markup

vh

Mads Toftum
Re: Apache 2.0.35 with SSL - wont start
On Mon, Apr 15, 2002 at 05:18:05PM +0200, Owen Boyle wrote:
> What's this about ssl.conf? Are you including this file into httpd.conf
> at runtime?

This is the default for Apache2 - the ssl configuration has been moved
out of httpd.conf to ssl.conf

vh

Mads Toftum
Re: lex and yacc was Re: Apache 2.0.35 and SSL
On Thu, Apr 11, 2002 at 10:09:07AM -0400, Cliff Woolley wrote:
> I *wish* I could figure out why it is that mod_ssl feels the need to
> regenerate the scanner and parser sometimes. It happens to me every
> now and then but I haven't pinned down the cause. Best guess is that
> you did a copy of the files without preserving the timestamps?

Given that this is probably the same problem as we have seen with the
old mod_ssl - my guess is more like a broken tar that resets timestamps.
But I haven't verified the problem because it never failed for me :)

vh

Mads Toftum
Re: Apache 2.0.* and SSL
On Tue, Apr 09, 2002 at 01:18:29AM +0300, Eli Marmor wrote:
> Anyway, the fact is that all of the discussions regarding 2.0 are done
> in the new-httpd list, and not here (at least till this thread). So it
> is clear that something must be done. Maybe a request to new-httpd
> subscribers to move the SSL discussions to here?

User discussion/support was never welcome on new-httpd, so I'm sure that
at least the user part of modssl discussions won't stay there.

vh

Mads Toftum
Re: Apache 2.0.* and SSL
On Mon, Apr 08, 2002 at 11:49:37AM -0700, Lynn Gazis wrote:
> What options are needed to configure, with Apache 2.0, to make sure
> that mod_ssl is enabled, and that a particular OpenSSL directory is
> used? I tried guessing at the right options, but a look at the
> httpd.conf file in the resulting installation suggests that I guessed
> wrong.

The relevant stuff is:

  --enable-ssl            SSL/TLS support (mod_ssl)
  --with-ssl=DIR          SSL/TLS toolkit (OpenSSL)

(you can get a list of options with ./configure --help)

vh

Mads Toftum
Re: Apache 2.0.* and SSL
On Mon, Apr 08, 2002 at 04:34:12PM -0400, Cliff Woolley wrote:
> On Mon, 8 Apr 2002, Eli Marmor wrote:
> > I think that we should open a special mailing list for mod_ssl of
> > Apache2.
>
> My personal opinion would be that most modssl users' questions will be
> of the same nature regardless of version. The kinds of questions we get
> here:

I agree.

vh

Mads Toftum
Re: Apache 2.0.* and SSL
On Tue, Apr 09, 2002 at 12:52:26PM +1200, Geoff Thorpe wrote:
> I would respectfully suggest that modssl discussions stay here. I don't
> want to rag on Apache 2.0, and I'm sure a lot of good things have found
> their way into it, but it does not solve a number of issues that I
> think many people in production environments would require to push them
> into a pro-active decision to migrate. Likewise, it introduces an
> entirely new base of code with considerably less real-world mileage
> than the Apache 1.3.** base, so there's a non-trivial motivation to
> *not* migrate unless absolutely necessary.

I too could add a whole lot of reasons to not migrate if you're doing
SSL. Up to about a week before Apache went GA, there were substantial
commits to SSL code, which to me makes it an essentially untested
module. MAJOR CHANGES lists a substantial number of things that IMHO
need a load of testing and ideally also some code review. A look at the
readme file also shows a substantial number of TODOs.
modules/ssl/README is worth a look for anyone thinking about a
migration.

vh

Mads Toftum
Re: Apache 2.0.* and SSL
On Tue, Apr 09, 2002 at 11:03:28AM -0400, Cliff Woolley wrote:
> On Tue, 9 Apr 2002, Mads Toftum wrote:
> > I too could add a whole lot of reasons to not migrate if you're doing
> > SSL. Up to about a week before Apache went GA, there were substantial
> > commits to SSL code which to me makes it an essentially untested
> > module.
>
> While I can't wholly disagree with you, I will point out that the only
> way we can ever really consider SSL tried and true is if the people
> _from_this_group_ test it extensively and help us find the problems
> with it. Your participation is vital... really!

Exactly. That was the point I wanted to make - that the new SSL code
needs extensive testing. I must admit that I was rather surprised when
Apache went GA last friday; I had expected another month at the very
least to start looking closer at it. Oh well, time to start testing :)

vh

Mads Toftum
Re: Question about errors browsers give on non-validated keys
On Thu, Apr 04, 2002 at 08:19:20PM -0800, Cliff wrote:
> Opera: This site's certificate chain is incomplete and the signer is
> not verified, continue?

This looks like you might have to get a CA certificate chain from Thawte
and put it in
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC12

vh

Mads Toftum
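Where the intermediate certificate goes, as an added example (not configuration from the thread). A browser that only ships the CA's root cannot verify a server certificate issued by an intermediate unless the server sends that intermediate too; `SSLCertificateChainFile` is the mod_ssl directive for it. Hostnames, the address and the paths are assumptions, and which intermediate certificates are needed is something the issuing CA documents for its product.

```apache
<VirtualHost 192.0.2.10:443>
    ServerName   www.example.com
    DocumentRoot /var/www/example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/example.com.key

    # PEM file holding the intermediate CA certificate(s) between our
    # certificate and the root the browser already trusts, concatenated
    # in order (issuer of our cert first). Do not put the root itself
    # in here; the client has it, and sending it only adds bytes.
    SSLCertificateChainFile /etc/httpd/ssl/ca-intermediate.crt
</VirtualHost>
```

`SSLCACertificateFile` is not a substitute: that directive defines which client certificates the server accepts and has no effect on the chain the server sends to browsers. The "chain is incomplete" warning disappears only when the intermediate is delivered to the client in the handshake.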