configuring 2.8.16 fails on HP-UX 11.00
i'm trying to build Apache 1.3.29 with mod_ssl 2.8.16 as a 64-bit application on HP-UX 11.00 using the HP C/ANSI C compiler. the build fails during the configuration phase. here's what happens:

gtar zxf ../apache_1.3.29.tar.gz
gtar zxf ../mod_ssl-2.8.16-1.3.29.tar.gz
cd mod_ssl-2.8.16-1.3.29
CC=cc CFLAGS=+DA2.0W +DS2.0 ./configure \
--with-apache=../apache_1.3.29 --with-ssl=/opt/openssl/kb20dr2

Error Output for sanity check
cd ..; cc -DHPUX11 -Aa -Ae -D_HPUX_SOURCE -DMOD_SSL=208116 -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I./lib/expat-lite -DNO_DL_NEEDED +DA2.0W +DS2.0 `./apaci` -L/opt/openssl/kb20dr2/lib -o helpers/dummy helpers/dummy.c -lm -lpthread -ldbm -lssl -lcrypto -lm
ld: Can't find library or mismatched ABI for -ldbm
Fatal error.
*** Error exit code 1
Stop.

after removing the '-ldbm' flag from CFLAGS (see attached patch) the compilation goes fine.

best regards,

-- aspa

modsslhpux64conf.patch
Re: Proxy http with modssl?
On Wed, 5 Mar 2003, Chris Davis wrote:

> I'm looking for a method to hide an old web server behind a modssl server. The hidden server has several applications served over http. What I'd like is for https requests to be rewritten in modssl and proxied to the hidden internal system.
> ...

there are probably several possible implementations for the reverse proxy configuration you're describing but one possibility is to use mod_accel (http://sysoev.ru/mod_accel/) for this purpose.

best regards,

-- aspa
http://www.kronodoc.fi/

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: question.
On Wed, 5 Mar 2003, kulkarni veena wrote:

> To have SSL enabled server with self-signed certificate do we need Apache+openSSL+ModSSL or just Apache+ModSSL ?

mod_ssl needs to be linked against OpenSSL libraries so you need to have OpenSSL if you want to compile mod_ssl. you don't need to have OpenSSL libraries installed on the OS to run mod_ssl if you use static linking. the OpenSSL application is very useful for many PKI operations (handling certificate requests, keys, certificates etc.) but it's not really required.

best regards,

-- aspa
http://www.kronodoc.fi/
Re: Preprocessor bug in ssl_exp_scan.l when building with nativecompiler on HP-UX 11
On Tue, 4 Feb 2003, Stuart Cook wrote:

> I have been building Apache 1.3.27 on HP-UX 11 via the native compiler with Mod SSL 2.8.12-1.3.27 and have come across and resolved a build bug during the Apache compilation process. In the Mod SSL file .../pkg.sslmod/ssl_expr_scan.l from line 91 onwards there is a state variable 'str'. The native C pre-processor converts this to 1 and errors with:
>
> /opt/ansic/bin/cc -c -I../../os/unix -I../../include -DHPUX11 -Aa -Ae -D_HPUX_SOURCE -DMOD_SSL=208112 -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I../../lib/expat-lite `../../apaci` -DSSL_COMPAT -DSSL_ENGINE -I/build/reporter/apache/openssl-engine-0.9.6g/include -DMOD_SSL_VERSION=\2.8.12\ ssl_expr_scan.c
> cc: lex.ssl_expr_yy.c, line 1753: error 1000: Unexpected symbol: 1.
> cc: lex.ssl_expr_yy.c, line 1760: error 1720: Subscript expression must combine object pointer and integer.
> cc: lex.ssl_expr_yy.c, line 1760: error 1566: Test expression in for must be scalar.
> cc: lex.ssl_expr_yy.c, line 1763: warning 527: Integral value implicitly converted to pointer in assignment.
> cc: lex.ssl_expr_yy.c, line 1763: warning 563: Argument #1 is not the correct type.
> *** Error exit code 1
>
> This can be resolved by changing .../pkg.sslmod/ssl_expr_scan.l state variable to 'str_state' or some other value than 'str'.

i've been building Apache v1.3.27 with mod_ssl-2.8.12-1.3.27 and OpenSSL v0.9.6h (non-engine) using the HP Ansi C compiler on HP-UX 11.00 with no problems. here's the compilation command for ssl_expr_scan.c:

cc -c -I../../os/unix -I../../include -DHPUX11 -Aa -Ae -D_HPUX_SOURCE -DMOD_SSL=208112 -I/opt/kronodoc/openldap/2.0.27-kb3/include -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I../../lib/expat-lite -DNO_DL_NEEDED -DNO_IDEA -noshared `../../apaci` -DSSL_COMPAT -I/opt/local/openssl/0.9.6h-apache/include -DMOD_SSL_VERSION=\2.8.12\ ssl_expr_scan.c

-- aspa
http://www.kronodoc.fi/
entropy source logging request (patch included)
i thought it might be useful for mod_ssl to log (at debug level) the entropy source from which the PRNG will be seeded, so that proper entropy source configuration can be verified. i've attached a small patch (mod_ssl-2.8.12-1.3.27) which does this.

best regards,

-- aspa
http://www.kronodoc.fi/

*** pkg.sslmod/ssl_engine_rand.c.orig Mon Jan 27 10:07:26 2003 --- pkg.sslmod/ssl_engine_rand.cMon Jan 27 10:40:46 2003 *** *** 87,92 --- 87,98 time_t t; pid_t pid; int m; + char *ctxNames[] = { , startup, connect }; + char *rssrcNames[] = { , builtin, file, exec + #if SSL_LIBRARY_VERSION = 0x00905100 + , EGD + #endif + }; mc = myModConfig(); nReq = 0; *** *** 97,102 --- 103,111 pRandSeed = pRandSeeds[i]; if (pRandSeed-nCtx == nCtx) { nReq += pRandSeed-nBytes; + + ssl_log(s, SSL_LOG_DEBUG, %sRequesting %d bytes of entropy from %s:%s in +'%s' context, prefix, pRandSeed-nBytes, rssrcNames[pRandSeed-nSrc], +pRandSeed-cpPath, ctxNames[pRandSeed-nCtx]); + if (pRandSeed-nSrc == SSL_RSSRC_FILE) { /* * seed in contents of an external file
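Review bot: in the first hunk (lines 87-98) the new ctxNames[] and rssrcNames[] tables are indexed straight from pRandSeed->nCtx and pRandSeed->nSrc in the second hunk, so their order (empty, startup, connect and empty, builtin, file, exec, EGD) must match the SSL_RSCTX_* and SSL_RSSRC_* enumerator values exactly, and the `#if SSL_LIBRARY_VERSION` guard around the EGD entry has to be the same guard the enum uses, otherwise a later source reads past the end of the array; a comment next to the arrays stating that dependency would help. They are also plain automatic arrays rebuilt on every call of ssl_rand_seed(), which is also invoked for the connect context; declaring them `static const char *const` keeps them off the per-call path.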
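Review bot: in the second hunk (lines 103-111) the new ssl_log() passes pRandSeed->cpPath through a %s conversion for every source, but the builtin source has no path to name; if cpPath is NULL in that case the format call is undefined behaviour (HP-UX libc may print garbage or crash), so substitute an explicit placeholder such as `pRandSeed->cpPath ? pRandSeed->cpPath : "-"`. Since this message sits inside the per-seed loop and the loop also runs in the connect context, it will be emitted for every connection when the log level is debug, which is acceptable for a debug message but worth stating in the commit text.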
CRL distribution
what's the best way of distributing certificate revocation lists to clients which are mainly web browsers like Netscape Communicator and MS Internet Explorer?

-- aspa
expired CA certificate
what's the best way to renew an expired, self-signed CA certificate? i'd like to be able to automate the steps that users (https, imaps with Netscape and Outlook) will have to go through during the renewal process so they don't have to find the old CA certificate in their programs and delete it. can Certificate Revocation Lists be used for this?

best regards,

-- aspa
PRNG seeding problems with mod_ssl v2.8.1
hi

i'm having problems starting Apache v1.3.19 compiled with mod_ssl v2.8.1-1.3.19 (OpenSSL v0.9.6) on HP-UX B.11.00 and SunOS v5.6 platforms. Apache starts normally when the mod_ssl SSL configuration is read (-DSSL option), but when Apache is started without reading the SSL configs i get the following error message:

[error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key

this message isn't very informative and i'd like to suggest the attached patch which gives a bit more detailed error message on what's going on. according to ERR_get_error() RSA key generation fails because the pseudo-random number generator hasn't been seeded ('PRNG not seeded'). to my understanding this is because in our configuration SSLRandomSeed directives are only read in if -DSSL has been defined. this is what we have in our main httpd config file:

<IfDefine SSL>
Include conf/httpd-ssl.conf
</IfDefine>

so my question is, is there a way of skipping mod_ssl initialization (ssl_init_Module()) altogether with some Apache command line parameter, for example when Apache is being run without using SSL functionality?

best regards,

-- aspa

*** ssl_engine_init.c.dist Thu Mar 22 16:07:10 2001 --- ssl_engine_init.c Thu Mar 22 17:04:46 2001 *** *** 373,378 --- 373,379 { SSLModConfigRec *mc = myModConfig(); ssl_asn1_t *asn1; + int st; unsigned char *ucp; RSA *rsa; DH *dh; *** *** 381,392 if (action == SSL_TKP_GEN) { /* seed PRNG */ ! ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: "); /* generate 512 bit RSA key */ ssl_log(s, SSL_LOG_INFO, "Init: Generating temporary RSA private keys (512/1024 bits)"); if ((rsa = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) { ssl_log(s, SSL_LOG_ERROR, "Init: Failed to generate temporary 512 bit RSA private key"); ssl_die(); } asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc-tTmpKeys, "RSA:512"); --- 382,394 if (action == SSL_TKP_GEN) { /* seed PRNG */ ! 
st = ssl_rand_seed(s, p, SSL_RSCTX_STARTUP, "Init: "); /* generate 512 bit RSA key */ ssl_log(s, SSL_LOG_INFO, "Init: Generating temporary RSA private keys (512/1024 bits)"); if ((rsa = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) { ssl_log(s, SSL_LOG_ERROR, "Init: Failed to generate temporary 512 bit RSA private key"); + ssl_log(s, SSL_LOG_ERROR, ERR_reason_error_string(ERR_get_error())); ssl_die(); } asn1 = (ssl_asn1_t *)ssl_ds_table_push(mc-tTmpKeys, "RSA:512");
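Review bot: in the first hunk (lines 373-379) `int st;` is introduced, and the second hunk assigns `st = ssl_rand_seed(...)` but never tests it, so the variable only earns a set-but-unused warning and the obvious improvement the patch is after, reporting that seeding produced nothing before RSA_generate_key() is even attempted, is not there; either check st and log a seeding failure at that point, or drop the variable.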
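Review bot: in the second hunk (lines 382-394) the added line hands ERR_reason_error_string(ERR_get_error()) to ssl_log() as the format string. That pointer is NULL when the error strings have not been loaded or the code is unknown, and any '%' inside the text would be treated as a conversion, so pass it as an argument instead: `ssl_log(s, SSL_LOG_ERROR, "Init: %s", reason ? reason : "unknown OpenSSL error");` with `reason` fetched just before. ERR_get_error() also pops the oldest queued error, which is the right one only if nothing earlier in init left an entry behind; draining the queue in a loop and logging each reason avoids reporting a stale error.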
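Added example, not code from the list post or from mod_ssl: a small Python checker for the configuration layout described above. It walks an Apache httpd.conf, follows Include directives and <IfDefine> nesting, and reports whether any SSLRandomSeed startup directive applies without a -D switch; the file names and the sample config are constructed.

```python
import re

# Constructed sample (not from the list post): httpd.conf only Includes the SSL
# config when httpd is started with -DSSL, so the seeding directives inside it
# are absent on a plain start, which is the situation described above.
SAMPLE_FILES = {
    "conf/httpd.conf": "ServerName www.example.invalid\n"
                       "<IfDefine SSL>\n"
                       "Include conf/httpd-ssl.conf\n"
                       "</IfDefine>\n",
    "conf/httpd-ssl.conf": "SSLRandomSeed startup builtin\n"
                           "SSLRandomSeed connect file:/dev/urandom 512\n",
}

IFDEF_OPEN = re.compile(r"^\s*<IfDefine\s+(!?\w+)\s*>", re.I)
IFDEF_CLOSE = re.compile(r"^\s*</IfDefine\s*>", re.I)
INCLUDE = re.compile(r"^\s*Include\s+(\S+)", re.I)
SEED = re.compile(r"^\s*SSLRandomSeed\s+(startup|connect)\s+(\S+)", re.I)


def audit_seeding(files, path, defines=(), seen=None):
    """Walk config `path` (a key of `files`) following Include directives and
    return (file, line, context, source, enclosing -D symbols) for every
    SSLRandomSeed found; an empty symbol tuple means it always applies."""
    seen = set() if seen is None else seen
    if path in seen:            # each file is read once; also stops Include loops
        return []
    seen.add(path)
    stack, found = list(defines), []
    for n, line in enumerate(files.get(path, "").splitlines(), 1):
        if IFDEF_OPEN.match(line):
            stack.append(IFDEF_OPEN.match(line).group(1))
        elif IFDEF_CLOSE.match(line) and stack:
            stack.pop()
        elif INCLUDE.match(line):
            found += audit_seeding(files, INCLUDE.match(line).group(1),
                                   tuple(stack), seen)
        elif SEED.match(line):
            ctx, src = SEED.match(line).groups()
            found.append((path, n, ctx.lower(), src, tuple(stack)))
    return found


def startup_seeded_without_defines(files, root="conf/httpd.conf"):
    """True only if some 'startup' seed applies with no -D switch at all."""
    return any(ctx == "startup" and not syms
               for _, _, ctx, _, syms in audit_seeding(files, root))
```

On the sample the only startup seed is reported with the enclosing symbol SSL, so startup_seeded_without_defines() is False; moving one SSLRandomSeed startup line into the unconditional part of httpd.conf makes it True.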
crypto board experiences
i'm interested in using crypto accelerator cards with mod_ssl. mod_ssl seems to support crypto devices using the OpenSSL v0.9.6 engine feature. is the accelerator card support in mod_ssl/OpenSSL ready for production use? which cards are known to work well with mod_ssl? could someone post some experiences about using crypto cards with mod_ssl?

-- aspa