Re: ssl renegotiation in post not allowed?
You wrote:
> I'm having a problem using client authentication with POST method. I
> have an Apache 2.0.43, server side SSL works fine. The browser is an

Hi Alejandro,

I came across the same problem. I had to upgrade Apache from 1.3.27 (this version just kills the MSIE on Windows XP) to 2.0.43. I tried the Debian package first, then I built Apache from scratch, and finally I built the latest sources from CVS with SSL EXPERIMENTAL flag -- but all without luck.

I found the following bug in Apache bugzilla: http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12355 (bug #12355) which describes exactly the same behaviour we noticed, and voted for it, but it still has a Status: NEW and nobody seemed to take care of it.

> I need to get this working as soon as possible.

So do I. Please, share your solution if you find one.

--
Marcin
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: IE and client verification problem
"James Hastings-Trew" <[EMAIL PROTECTED]> wrote:
> Sounds like you need to put a session cache in your apache config.

Thanks for the response, but I already did it (forgot to mention it). Here is the important part of my httpd.conf.

    Options Includes FollowSymLinks MultiViews ExecCGI Includes
    AllowOverride All
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLOptions +FakeBasicAuth +StrictRequire +CompatEnvVars +StdEnvVars
    SSLRequireSSL
    SSLRequire (%{SSL_CLIENT_S_DN_O} eq "MYORG" and %{SSL_CIPHER_USEKEYSIZE}>=128)
    Satisfy all
    order deny,allow
    deny from all
    allow from 192.168.0.0/255.255.255.0

    SSLEngine on
    SSLCertificateFile /etc/apache/webserver.crt
    SSLCertificateKeyFile /etc/apache/webserver.key
    SSLCACertificateFile /etc/apache/ca.crt
    SSLMutex sem
    SSLSessionCacheTimeout 600
    SSLSessionCache dbm:/tmp/ssl.cache
    SetEnvIf User-Agent "MSIE" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    SSLLog /var/log/apache/ssl.log
    SSLLogLevel info

--
Marcin
IE and client verification problem
Hi,

I'm experiencing weird problems with MSIE clients accessing pages on an Apache 1.3.26+mod_ssl-2.8.9 server (Debian Woody with current updates) with client verification turned on.

I created and signed CA certificate, then created and signed server and several clients' certificates. On every client workstation, I imported the proper client certificate into MSIE. In Apache config I enabled mod_ssl and set "verify client required" for Document Root directory, and put the "magic" SetEnvIf stuff (unclean-shutdown, downgrade-1.0 and so on) as recommended in FAQ.

Everything seemed to work just fine, but users started to report absence of some pages' elements. Further investigation showed that, for some unknown reasons, the MSIE doesn't load all of the page components. I've created a simple test.html:

(some more repetition of above line)

put it into DocumentRoot and requested it from the MSIE. Randomly chosen pictures did not come up, and MSIE showed well-known red X sign for them. Then I refreshed the page, and some of the pictures became visible, but the others were replaced with X sign. I restarted the browser, then the workstation, then tried it on another couple of workstations with no success.

I have the following statements so far:

* the problem exists in all versions of MSIE I've installed: Win95+IE 5.5 SP2; Win98+IE 6.0, Win98+IE 6.0 SP1; WinXP+IE 6.0, WinXP+IE 6.0 SP1; EXCEPT W2000+IE6.0, which works just perfectly
* on WinXP IE often crashed completely (kindly offering to send a report to MS for analysis)
* I could reproduce the problem on another Debian machine, and also on fully patched RedHat 7.0
* turning off the client verification in mod_ssl solves the problem completely (but I can't do this)
* slowing the link (with CBQ) to as low as 64kbps also solves the problem (got to throw away all 100Mbit cards ;)))
* inserting stunnel between MSIE and Apache, either at the Apache side (turning off mod_ssl) or at the workstation side (no https in MSIE) solves the problem
* and last, but not least, Mozilla and Opera work perfectly (tell me why I'm not surprised?)

Did any of you observe anything similar to this? I searched the mailing list archive, news groups, but found nearly nothing. I also tried to play with SetEnvIf directive, and turning off the downgrade compatibility options clearly helped some WinXP+IE 6.0 SP1 workstations, but made things worse on the rest of them.

Thanks for your time,

--
Marcin
ODP: Need help !
Thanks for the ideas. I tried both using the ip address instead of localhost and I commented out the setting: SSLVerifyClient require, but it still doesn't work. Anything else that I could do?

You can check also:

    netstat -vat     - to see if httpd is listening on https port (443)

and/or

    ipchains -L -v   - to see if your port is open
ODP: Secure Reverse Proxy
[...]
Now mod_proxy can obviously not forward https connections. It doesn't know anything about SSL. And I could not find any information that such a thing has already been done.
[...]

I am running Apache 1.3.6 with mod_proxy on RH6.0 and can forward https connections from LAN to internet.