configuring 2.8.16 fails on HP-UX 11.00

2004-04-14 Thread Marko Asplund
i'm trying to build Apache 1.3.29 with mod_ssl 2.8.16 as 64-bit 
application on HP-UX 11.00 using HP C/ANSI C compiler. the build fails 
during configuration phase. here's what happens:

gtar zxf ../apache_1.3.29.tar.gz
gtar zxf ../mod_ssl-2.8.16-1.3.29.tar.gz
cd mod_ssl-2.8.16-1.3.29
CC=cc CFLAGS=+DA2.0W +DS2.0 ./configure \
  --with-apache=../apache_1.3.29 --with-ssl=/opt/openssl/kb20dr2
 Error Output for sanity check 
cd ..; cc  -DHPUX11 -Aa -Ae -D_HPUX_SOURCE -DMOD_SSL=208116 
-DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I./lib/expat-lite -DNO_DL_NEEDED 
+DA2.0W +DS2.0 `./apaci`   -L/opt/openssl/kb20dr2/lib  -o helpers/dummy 
helpers/dummy.c   -lm -lpthread  -ldbm -lssl -lcrypto -lm
ld: Can't find library or mismatched ABI for -ldbm
Fatal error.
*** Error exit code 1

Stop.

after removing the '-ldbm' flag from CFLAGS (see attached patch) the 
compilation goes fine.

best regards,
--
aspa


modsslhpux64conf.patch
Description: Binary data


Re: Proxy http with modssl?

2003-03-05 Thread Marko Asplund
On Wed, 5 Mar 2003, Chris Davis wrote:

  I'm looking for a method to hide an old web server behind
  a modssl server. The hidden server has several applications
  served over http. What I'd like is for https requests
  to be rewritten in modssl and proxied to the hidden
  internal system.
  ...

there are probably several possible implementations for the reverse proxy
configuration you're describing but one possibility is to use mod_accel
(http://sysoev.ru/mod_accel/) for this purpose.

best regards,
-- 
aspa    http://www.kronodoc.fi/

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


Re: question.

2003-03-05 Thread Marko Asplund
On Wed, 5 Mar 2003, kulkarni veena wrote:

 To have SSL enabled server with self-signed
 certificate do we need
 
  Apache+openSSL+ModSSL or just Apache+ModSSL ?

mod_ssl needs to be linked against OpenSSL libraries so you need to have
OpenSSL if you want to compile mod_ssl. you don't need to have OpenSSL
libraries installed on the OS to run mod_ssl if you use static linking.
the OpenSSL application is very useful for many PKI operations (handling
certificate requests, keys, certificates etc.) but it's not really
required.

best regards,
-- 
aspa    http://www.kronodoc.fi/



Re: Preprocessor bug in ssl_exp_scan.l when building with native compiler on HP-UX 11

2003-02-19 Thread Marko Asplund
On Tue, 4 Feb 2003, Stuart Cook wrote:

 I have been building Apache 1.3.27 on HP-UX 11 via the native compiler 
 with Mod SSL 2.8.12-1.3.27 and have come across and resolved a build bug 
 during the Apache compilation process.
 
 In the Mod SSL file .../pkg.sslmod/ssl_expr_scan.l from line 91 onwards 
 there is a state variable 'str'.  The native C pre-processor converts 
 this to 1 and errors with:
 
 /opt/ansic/bin/cc -c  -I../../os/unix -I../../include   -DHPUX11 -Aa -Ae 
 -D_HPUX_SOURCE -DMOD_SSL=208112 -DUSE_HSREGEX -DEAPI -DUSE_EXPAT 
 -I../../lib/expat-lite `../../apaci` -DSSL_COMPAT -DSSL_ENGINE 
 -I/build/reporter/apache/openssl-engine-0.9.6g/include 
 -DMOD_SSL_VERSION=\2.8.12\ ssl_expr_scan.c
 cc: lex.ssl_expr_yy.c, line 1753: error 1000: Unexpected symbol: 1.
 cc: lex.ssl_expr_yy.c, line 1760: error 1720: Subscript expression 
 must combine object pointer and integer.
 cc: lex.ssl_expr_yy.c, line 1760: error 1566: Test expression in for 
 must be scalar.
 cc: lex.ssl_expr_yy.c, line 1763: warning 527: Integral value 
 implicitly converted to pointer in assignment.
 cc: lex.ssl_expr_yy.c, line 1763: warning 563: Argument #1 is not the 
 correct type.
 *** Error exit code 1
 
 This can be resolved by changing .../pkg.sslmod/ssl_expr_scan.l state 
 variable to 'str_state' or some other value than 'str'.

i've been building Apache v1.3.27 with mod_ssl-2.8.12-1.3.27 and OpenSSL
v0.9.6h (non-engine) using HP Ansi C compiler on HP-UX 11.00 with no
problems. here's the compilation command for ssl_expr_scan.c.

cc -c  -I../../os/unix -I../../include   -DHPUX11 -Aa -Ae -D_HPUX_SOURCE 
-DMOD_SSL=208112 -I/opt/kronodoc/openldap/2.0.27-kb3/include -DUSE_HSREGEX -DEAPI 
-DUSE_EXPAT -I../../lib/expat-lite -DNO_DL_NEEDED -DNO_IDEA -noshared `../../apaci` 
-DSSL_COMPAT -I/opt/local/openssl/0.9.6h-apache/include -DMOD_SSL_VERSION=\2.8.12\ 
ssl_expr_scan.c

-- 
aspa    http://www.kronodoc.fi/




entropy source logging request (patch included)

2003-01-27 Thread Marko Asplund

i thought it might be useful for mod_ssl to log (at debug level) the
entropy source from which the PRNG will be seeded so that proper
entropy source configuration can be verified. i've attached a small patch
(mod_ssl-2.8.12-1.3.27) which does this.

best regards,
-- 
aspa    http://www.kronodoc.fi/

*** pkg.sslmod/ssl_engine_rand.c.orig   Mon Jan 27 10:07:26 2003
--- pkg.sslmod/ssl_engine_rand.cMon Jan 27 10:40:46 2003
***
*** 87,92 
--- 87,98 
  time_t t;
  pid_t pid;
  int m;
+ char *ctxNames[] = { , startup, connect };
+ char *rssrcNames[] = { , builtin, file, exec
+ #if SSL_LIBRARY_VERSION = 0x00905100
+  , EGD
+ #endif
+ };
  
  mc = myModConfig();
  nReq  = 0;
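Review bot: the two name tables in this hunk are correct only if SSL_RSCTX_STARTUP/SSL_RSCTX_CONNECT and SSL_RSSRC_BUILTIN/FILE/EXEC/EGD have exactly the values 1, 2 and 1..4 in that order, and nothing here ties the tables to those enums; a comment beside the enum definitions (or defining the tables next to them) would keep a later reordering from silently mislabelling a source, and since the tables never change they can be `static const char *const` rather than rebuilt on the stack on every call. As posted, the string literals have lost their quotes (`{ , startup, connect }`) and the preprocessor test reads `#if SSL_LIBRARY_VERSION = 0x00905100`, which is not a valid `#if` expression; please confirm the attached file has `"startup"`, `"connect"` and `>=` so the hunk compiles.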
***
*** 97,102 
--- 103,111 
  pRandSeed = pRandSeeds[i];
  if (pRandSeed-nCtx == nCtx) {
  nReq += pRandSeed-nBytes;
+ 
+   ssl_log(s, SSL_LOG_DEBUG, %sRequesting %d bytes of entropy from %s:%s in 
+'%s' context, prefix, pRandSeed-nBytes, rssrcNames[pRandSeed-nSrc], 
+pRandSeed-cpPath, ctxNames[pRandSeed-nCtx]);
+ 
  if (pRandSeed-nSrc == SSL_RSSRC_FILE) {
  /*
   * seed in contents of an external file
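Review bot: the new ssl_log call indexes rssrcNames[pRandSeed->nSrc] and ctxNames[pRandSeed->nCtx] with no range check and hands pRandSeed->cpPath straight to a %s; the builtin source has no path to log, so if cpPath is NULL for it the debug line dereferences a null pointer inside the logger. Guard the path (`pRandSeed->cpPath ? pRandSeed->cpPath : "-"`) and validate the two indexes before using them as subscripts. The message itself is a good way to verify an SSLRandomSeed setup; also logging the byte count actually obtained after the seed step would make a source that is configured but yields nothing visible in the same log.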


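As an added illustration (my own code, not the patch above and not mod_ssl's): a stand-alone C version of the debug line the patch produces, written so it cannot walk off the end of the name tables or dereference a missing path. The struct, the enum values and the sample seed entries are assumptions constructed for this example; mod_ssl's real ssl_randseed_t has more fields and its enum values may differ.

```c
#include <stdio.h>
#include <string.h>

/* Assumed values for this demo only; they mirror the order of the names
 * used in mod_ssl 2.8's ssl_engine_rand.c but are not taken from it. */
enum { RSCTX_STARTUP = 1, RSCTX_CONNECT = 2 };
enum { RSSRC_BUILTIN = 1, RSSRC_FILE = 2, RSSRC_EXEC = 3, RSSRC_EGD = 4 };

/* Hypothetical stand-in for mod_ssl's ssl_randseed_t: only the fields
 * the log line needs. */
typedef struct {
    int nCtx;            /* when the seed is applied: startup or connect */
    int nSrc;            /* where the entropy comes from */
    int nBytes;          /* how many bytes were requested */
    const char *cpPath;  /* NULL for the builtin source, which has no path */
} randseed_t;

/* Index 0 is the "unknown" slot, so an out-of-range code maps to it. */
static const char *const ctx_names[] = { "unknown", "startup", "connect" };
static const char *const src_names[] = { "unknown", "builtin", "file", "exec", "EGD" };

#define NELEMS(a) (sizeof(a) / sizeof((a)[0]))

/* Map a numeric code to its name without ever reading past the table. */
static const char *name_of(const char *const *tab, size_t n, int code)
{
    if (code < 0 || (size_t)code >= n)
        return tab[0];
    return tab[code];
}

/* Format the debug line into buf. Returns what snprintf returns (the
 * length the full line would have), so a caller can detect truncation. */
int format_seed_request(char *buf, size_t buflen, const char *prefix,
                        const randseed_t *rs)
{
    return snprintf(buf, buflen,
                    "%sRequesting %d bytes of entropy from %s:%s in '%s' context",
                    prefix, rs->nBytes,
                    name_of(src_names, NELEMS(src_names), rs->nSrc),
                    rs->cpPath ? rs->cpPath : "-",   /* no NULL reaches %s */
                    name_of(ctx_names, NELEMS(ctx_names), rs->nCtx));
}

int main(void)
{
    /* Constructed sample entries, roughly what these directives would yield:
     *   SSLRandomSeed startup builtin
     *   SSLRandomSeed startup file /dev/urandom 512
     *   SSLRandomSeed connect exec /usr/local/bin/truerand 16
     * plus one deliberately corrupted entry to show the range handling. */
    randseed_t seeds[] = {
        { RSCTX_STARTUP, RSSRC_BUILTIN, 0,   NULL },
        { RSCTX_STARTUP, RSSRC_FILE,    512, "/dev/urandom" },
        { RSCTX_CONNECT, RSSRC_EXEC,    16,  "/usr/local/bin/truerand" },
        { 7,             99,            8,   "bogus" },
    };
    char line[256];
    size_t i;

    for (i = 0; i < NELEMS(seeds); i++) {
        format_seed_request(line, sizeof line, "Init: ", &seeds[i]);
        puts(line);
    }
    return 0;
}
```

The fallback slot at index 0 and the `cpPath ? cpPath : "-"` guard are the two things the posted hunk lacks; everything else is the same log text the patch emits.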

CRL distribution

2002-03-13 Thread Marko Asplund


what's the best way of distributing certificate revocation lists to
clients which are mainly web browsers like Netscape communicator and MS
Internet Explorer?

-- 
aspa




expired CA certificate

2001-07-20 Thread Marko Asplund


what's the best way to renew an expired, self-signed CA certificate? i'd
like to be able to automate the steps that users (https, imaps with
Netscape and Outlook) will have to go through during the renewal process
so they don't have to find the old CA certificate in their programs and
delete it. can Certificate Revocation Lists be used for this?

best regards,
-- 
aspa






PRNG seeding problems with mod_ssl v2.8.1

2001-03-22 Thread Marko Asplund

hi

i'm having problems starting Apache v1.3.19 compiled with mod_ssl v2.8.1-1.3.19
(OpenSSL v0.9.6) on HP-UX B.11.00 and SunOS v5.6 platforms. Apache starts
normally if the mod_ssl SSL configuration is read (-DSSL option), but when
Apache is started without reading the SSL configs i get the following
error message:

[error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key

this message isn't very informative and i'd like to suggest the attached
patch which gives a bit more detailed error message on what's going on.

according to ERR_get_error() RSA key generation fails because the
pseudo-random number generator ('PRNG not seeded') hasn't been seeded.
to my understanding this is because in our configuration
SSLRandomSeed-directives are only read in if -DSSL has been defined. this
is what we have in our main httpd config file:

<IfDefine SSL>
Include conf/httpd-ssl.conf
</IfDefine>

so my question is, is there a way of skipping mod_ssl initialization
(ssl_init_Module()) altogether with some Apache command line parameter for
example when Apache is being run without using SSL functionality?

best regards,
-- 
aspa


*** ssl_engine_init.c.dist  Thu Mar 22 16:07:10 2001
--- ssl_engine_init.c   Thu Mar 22 17:04:46 2001
***
*** 373,378 
--- 373,379 
  {
  SSLModConfigRec *mc = myModConfig();
  ssl_asn1_t *asn1;
+ int st;
  unsigned char *ucp;
  RSA *rsa;
  DH *dh;
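Review bot: `int st` is introduced here but, in the rest of the patch, its only use is to receive the return value of ssl_rand_seed; nothing ever tests it. Either check it before the key generation and say in the log line when the startup seeding produced no bytes (which, per the message above, is the actual cause of the 'PRNG not seeded' failure), or leave the declaration out.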
***
*** 381,392 
  if (action == SSL_TKP_GEN) {
  
  /* seed PRNG */
! ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: ");
  
  /* generate 512 bit RSA key */
  ssl_log(s, SSL_LOG_INFO, "Init: Generating temporary RSA private keys 
(512/1024 bits)");
  if ((rsa = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) {
  ssl_log(s, SSL_LOG_ERROR, "Init: Failed to generate temporary 512 bit 
RSA private key");
  ssl_die();
  }
  asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc-tTmpKeys, "RSA:512");
--- 382,394 
  if (action == SSL_TKP_GEN) {
  
  /* seed PRNG */
! st = ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: ");
  
  /* generate 512 bit RSA key */
  ssl_log(s, SSL_LOG_INFO, "Init: Generating temporary RSA private keys 
(512/1024 bits)");
  if ((rsa = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) {
  ssl_log(s, SSL_LOG_ERROR, "Init: Failed to generate temporary 512 bit 
RSA private key");
+   ssl_log(s, SSL_LOG_ERROR, ERR_reason_error_string(ERR_get_error()));
  ssl_die();
  }
  asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc-tTmpKeys, "RSA:512");
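Review bot: `ssl_log(s, SSL_LOG_ERROR, ERR_reason_error_string(ERR_get_error()))` passes the OpenSSL reason string as the format argument; ERR_reason_error_string returns NULL when the error queue is empty or the code is unknown, and a NULL format crashes inside the logger, so log it as `"Init: %s"` with a fallback for NULL instead. ERR_get_error also removes only the first entry, so a multi-entry queue is partly lost; mod_ssl's logger can append the whole OpenSSL error queue for you when SSL_ADD_SSLERR is OR-ed into the level, i.e. `ssl_log(s, SSL_LOG_ERROR|SSL_ADD_SSLERR, "Init: Failed to generate temporary 512 bit RSA private key")`, which gives the more detailed message the patch is after without the extra call.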



crypto board experiences

2001-02-22 Thread Marko Asplund


i'm interested in using crypto accelerator cards with mod_ssl. mod_ssl
seems to support crypto devices using the OpenSSL v0.9.6 engine feature.

is the accelerator card support in mod_ssl/OpenSSL ready for production
use? which cards are known to work well with mod_ssl? could someone post
some experiences about using crypto cards with mod_ssl.

-- 
aspa
