Re: how to install mod_ssl at openunix 8.0.0 (caldera)?
ch wrote: i tried to install mod_ssl-2.8.8-1.3.24 at openunix 8.0.0. but failed. the reason was apache_1.3.24 could not install at openunix 8.0.0. only httpd-2.0.36 can. I don't understand this message at all... - Do you have apache already installed? Which version? - Do you know you have to recompile apache to load mod_ssl? - Do you have openssl libraries installed? - How are you trying to compile apache/mod_ssl? which order? - Where does the install fail? configure? make? make install? - what is the error messages? (Just the last error, not the whole output, please!) Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apache 1.3.20 and ModSSL
Jason Lawrence wrote: I am trying to use two the Apache NameVirtualHost option with two sites using different certificate files. The two virtual hosts work however only the cert for the first specified virtual host is recognized. Is there anyway that you can get two certificates working in Apache for the same IP address It is impossible to have two distinct HTTPS virtualhosts on the same socket (IP address/port no. pair). See: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47 http://marc.theaimsgroup.com/?l=apache-modsslm=98559369910170w=2 Just to be clear, the issue is fundamental to the way HTTP works - it is not a bug in apache or mod_ssl! Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Certificates and Apache/modssl
Greg Jones wrote: All- We are planning on using commercial load balancing software for two servers running apache with modssl. Does Apache with modssl require that each server have its own certificate or can I use the same certificate on both servers since they'll be answering to the same virtual ip? Also, will my certificate be based on the virtual ip or the ip of the server. Users will always get to the web servers via virtual IP. The certificate is assigned to a fully-qualified domain name, not to an IP address. The idea is that when the browser goes to www.acme.com, it expects to see a certificate containing www.acme.com - thus proving that the site is really www.acme.com. This is authentication which is the second but equally important aspect of SSL that everyone forgets about... (the first aspect is encryption). Therefore, as long as both your servers are serving the same site, they can have the same certificate (indeed, they *should* have the same cert). There is one other problem, however. Remember that the public-key/private-key encryption is used only to negotiate the session-key. Once that has been established, the client and server communicate using the session-key and the certificate is forgotten. Now, if you have two servers behind a load-balancer, you have to make sure that once a client starts an HTTPS conversation with one server, all subsequent requests are served by the same server. In other words, if the session-key negotiation takes place on one server but the next request comes in to the second server, it will be encrypted with a key known only to the first server. I guess the solution would be to ensure requests are split on a client basis rather than request basis in the load balancer. Rgds, Owen Boyle __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: EAPI!
Klosa Uwe wrote: I've got a problem with the installation of mod_ssl. I'm using Apache 1.3.24, mod_ssl-2.8.8-1.3.24 and mm-1.1.3. I'm configuring apache with EAPI_MM=../mm-1.1.3 \ ./configure \ --with-layout=RedHat7 \ --enable-module=most \ --enable-module=auth_digest \ --enable-module=ssl \ --disable-module=auth_dbm \ --disable-module=auth_anon \ --enable-shared=max \ --manualdir=/var/www/apache \ $@ After a make and make install, a apachectl configtest creates several errors, which wants me do recompile several modules with the -DEAPI. But this modules was compiled with -DEAPI. You understand that apache needs the extended API (EAPI) to allow mod_ssl to hook into the openssl library functions? So that's why you always need to recompile apache if you want to use mod_ssl. Are you 100% certain you are not trying to load a module which has not been recompiled with EAPI? (i.e. to prove it - post the ls -l of httpd and all modules in the modules directory). Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: how to configure it?
zhong duhang wrote: I want one directory can be visited by https,while others visit by http,how should I configure it? Use port-based virtualhosts. Something like (where 192.168.1.1 = server ip-addr): Listen 192.168.1.1:80 VirtualHost 192.168.1.1:80 DocumentRoot /path/to/http/content /VirtualHost Listen 192.168.1.1:443 VirtualHost 192.168.1.1:443 DocumentRoot /path/to/ssl/content SSL directives... /VirtualHost Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: help needed for virtualhosting + SSL configuration.
Nisarg Rav wrote: hello gurus , I've installed and configured apache-1.3.23 + openssl-0.9.6b + mod_ssl and mod_perl successfully. It is working fine for my main site and self signed ssl certificate. I want to do IP based virtual hosting for more one site and want to serve that site through self signed ssl certificate. so may i get help to configure httpd.conf to full fill my requirement . No problem. You just need to create IP-based VirtualHosts: - Remove all Port and BindAddress directives (they will be replaced by Listen). - set up as follows: # Original HTTP site Listen 192.168.1.1:80 VirtualHost 192.168.1.1:80 DocumentRoot /path/to/original/http .. /VirtualHost # Original SSL site Listen 192.168.1.1:443 VirtualHost 192.168.1.1:443 DocumentRoot /path/to/original/ssl SSLCertificateFile/path/to/original/cert SSLCertificateKeyFile /path/to/original/key .. /VirtualHost # Second SSL site Listen 192.168.1.2:443 VirtualHost 192.168.1.2:443 DocumentRoot /path/to/second/ssl SSLCertificateFile/path/to/second/cert SSLCertificateKeyFile /path/to/second/key .. /VirtualHost and so on... Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: virtual hosting and ssl
Michael Grant wrote: I've been playing around with the apache and our virtual hosts. I am well aware that I could have different certs for each IP address if I were using IP based virtual hosting but I'm using name based virtual hosts. I host a variety of domains which are not at all subdomains of my main domain. What I would like to do is have one cert for all my domains. I sort of have it working with name based virtual hosting, but in some cases, I get the following warning in Internet Explorer: The name on the security certificate does not match the name of the site. Indeed. There is a fundamental problem with using NBVHs with SSL - it don't work, see: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47 http://marc.theaimsgroup.com/?l=apache-modsslm=98559369910170w=2 YOu can get it sort of working if you don't mind that all your VHs share the same certificate. What happens is: - an https request for a session comes in on port 443 - that's all apache gets. Since the session hasn't been established yet, there is no Host header. - with no host header, apache has no idea which VH to use (what can it use to match the ServerName?). - since apache doesn't know which VH to use, it can't decide which certificate to send. - to get out of the loop, apache just selects the first VH on port 443 and send its certificate. - probably the cert is for a different site so the browser pops a warning. If the user clicks OK, the browser establishes a session-key, encrypts its request (this time containing a host header) and sends it off. - the server decrypts the request and now finds the Host header. - Now apache can decide which VH to use and so serves the correct content. But you can't get by the warning because the default cert doesn't match the requested site. The only possible non-general solution is if the sites are like www1.acme.com, www2.acme.com and so on. Then you can get a wildcard cert which is valid for *.acme.com. Even then though, the behaviour is browser dependent. Before you ask, there is no such thing as a super-wildcard *.*.com cert... Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: 2.0.35 and mod_ssl hangs
John P. Dodge wrote: I just compiled 2.0.35 with: ./configure \ --prefix=/opt/apache_2.0.35.ssl \ --with-layout=Apache \ --without-confadjust \ --without-execstrip \ --with-mpm=worker \ --enable-ssl \ --with-ssl=/opt/ssl But when I try to start Apache it just hangs forever waiting for something: Like the passphrase you used when you encrypted your certificate? You need either a script to feed it or remove it altogether: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC31 Rgds, OWen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: SSL/TLS-aware Apache
Syed Sadiqur Rahman wrote: Hello! I've installed the apache on my computer running windows 2000 Now I'm trying to implement SSL with Apache. i.e. I want to use https instead of http. I've done so far is when I type http:\\localhost in the browser I see an HTML file that says: Hey, it worked ! The SSL/TLS-aware Apache webserver was successfully installed on this website. But If I type https instead of http it doest work. What can I now ? By default, a newly installed apache has a single virtualhost on port 80 which contains the Hey it worked! page and all the documentation. HTTPS uses port 443 by default - check you have a Listen 443 or Port 443 directive in your config file It also sounds like you haven't created any content yet. At the very least, you need to create an SSL virtualhost (i.e. some webpages behind the SSL port, 443). Follow the link on the Hey it worked! page into the documentation and read about VirtualHosts. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apache 2.0.35 with SSL - wont start
paul priestman wrote: Hello all, I have downloaded and installed Apache 2.0.35 with SSL. I have configured the httpd.conf as they suggest in ssl.conf. However, when i try to start apachectl i get the following message: (13)Permission denied: make_sock: could not bind to address 0.0.0.0:443 no listening sockets available, shutting down ./apachectl startssl: httpd could not be started To bind to a port 1024, you have to start apache as root. Are you doing this? Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apache 2.0.35 with SSL - wont start
paul priestman wrote: So its trying to bind to 443 - i have stated in my ssl.conf to listen on port 8443 and have set up a virtual host for port 8443 with ssl enabled - how come it tries to bind to port 443? I have therefore tried to start the server as root - it started okay but I cannot make a ssl connection - i goto https://servername.com:443 but get a server error telling me i could not connect to server - in the error logs i get: mod_ssl: Unable to set session id context to 'servername.com:443' (OpenSSL library error follows) What's this about ssl.conf? Are you including this file into httpd.conf at runtime? If so, I have a nasty suspicion that you have two SSL VHs defined - perhaps an old one in httpd.conf which is trying to Listen to port 433 (therefore causing a no permission error when you try to start as a normal user) but when you do start as root still fails because its docroot or certificates or something is missing (since it is an old VH - anything is possible). Can you thoroughly check (or even post!) all your config information... Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Problem with Compiling Mod_ssl
Mohamed Alwakeel wrote: I keep on getting an error when I do a ./configure --with-apxs=/usr/local/apachenew/bin/apxs --with-apache=/root/moh/apache_1.3.22 Error:- Configuring mod_ssl/2.7.1 for Apache/1.3.14 /configure:Error: Installed Apache doesn't contain Extended API (EAPI) I am getting very similar error when compiling mod_ssl for apache 1.3.22, with either version mod ssl-2.7.1 or version mod ssl-2.8.8. I have a redhat 7.2 box patched up to latest packages. It does have apache 1.3.22 installed as an rpm and apache 1.3.22 installed from source under /usr/local/apachenew. Im not using the rpm one Im using the source installed one. I have the whole source directory for apache under /root/moh/apache_1.3.22 When I do httpd -l I get the following:- /httpd -l Compiled-in modules: http_core.c mod_mmap_static.c mod_vhost_alias.c mod_env.c mod_log_config.c mod_log_agent.c mod_log_referer.c mod_mime_magic.c mod_mime.c mod_negotiation.c mod_status.c mod_info.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c mod_asis.c mod_imap.c mod_actions.c mod_speling.c mod_userdir.c mod_alias.c mod_rewrite.c mod_access.c mod_auth.c mod_auth_anon.c mod_auth_dbm.c mod_auth_db.c mod_digest.c mod_auth_digest.c mod_proxy.c mod_cern_meta.c mod_expires.c mod_headers.c mod_usertrack.c mod_example.c mod_unique_id.c mod_so.c mod_setenvif.c suexec: disabled; invalid wrapper /usr/local/apachenew/bin/suexec Is there any way to fix this without having to recompile apache again ? No. apache *needs* the extended API (EAPI) to connect to the openssl library functions. In order to use mod_ssl, you need to recompile apache with EAPI.. This is true whether you compile in mod_ssl statically or load it as a DSO. However, it shouldn't be too much trouble - the INSTALL document in the mod_ssl distro is quite good. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Problem with Compiling Mod_ssl
Server Admin wrote: Owen: I run FBSD 4.5-stable and have tried 5-6 times to install apache+mod_ssl-1.3.24+2.8.8 directly from ports that does all the work, where I simply use make install clean but I'm getting the same (or similar) error message, but don't have a clue as to how to do the re-compile. Could you please point me to the ...the INSTALL document in the mod_ssl distro is quite good... that you refer to. I'm desparate to set up a secure server as time is of the essence. Does mod_ssl install that document in the /usr/local/share/ directory during the install. To be more specific, here is the error I get: == [Wed Apr 10 18:26:46 2002] [warn] Loaded DSO libexec/apache/libphp4.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI) [Wed Apr 10 18:26:46 2002] [warn] Loaded DSO libexec/apache/mod_frontpage.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI) == When you untar the mod_ssl distro it's right there in the top directory. Here are my notes from the last time I installed plain statically compiled apache+mod_ssl (this is version 1.3.14 - just change the numbers and the installation paths to suit your distro): Installing Apache 1.3.14 with mod_ssl and mm --- (see http://www.modssl.org/example/) - Get the sources: - www.apache.org-- apache_1.3.14.tar.gz - ftp://ftp.openssl.org -- openssl-0.9.6.tar.gz - www.modssl.org-- mod_ssl-2.7.1-1.3.14.tar.gz - www.engelschall.com/sw/mm/-- mm-1.1.3.tar.gz - Save all these in /home/obo/downloads/tar_files # cd /home/apache # gzip -d -c /home/obo/downloads/tar_files/apache_1.3.14.tar.gz | tar xvf - # gzip -d -c /home/obo/downloads/tar_files/openssl-0.9.6.tar.gz | tar xvf - # gzip -d -c /home/obo/downloads/tar_files/mod_ssl-2.7.1-1.3.14.tar.gz | tar xvf - # gzip -d -c /home/obo/downloads/tar_files/mm-1.1.3.tar.gz | tar xvf - - Need to add perl and ar to the path; # PERL=/usr/local/bin/perl # export PERL # PATH=$PATH:/usr/local/bin:/usr/ccs/bin # export PATH - first, compile MM # cd mm-1.1.3 # ./configure --prefix=/home/apache/mm # make # make test # make install - All the files are untarred, so we go to openssl-0.9.6 # cd ../openssl-0.9.6 # ./Configure solaris-sparcv9-gcc --prefix=/home/apache # make clean # make - Switch to the modd_ssl directory and configure it. # cd ../mod_ssl-2.7.1-1.3.14 # ./configure --with-apache=../apache_1.3.14 --with-ssl=../openssl-0.9.6 --prefix=/home/apache - Switch to the apache directory # cd ../apache_1.3.14 # SSL_BASE=../openssl-0.9.6 # export SSL_BASE # ./configure --enable-module=ssl --prefix=/home/apache # make # make install __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
How To Unsubscribe.
[EMAIL PROTECTED] wrote: i have asked to be removed from the mailing list so remove me please First: Don't send mails directly - always go through the list. Second: I am just a user like you - I couldn't unsubscribe you if I wanted to. Third: Do it yourself, it's the only way - http://www.modssl.org/support/ Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: apache 1.3.12 with newer mod_ssl
[EMAIL PROTECTED] wrote: What are the issues with using a newer mod_ssl with an older apache? I need to use Apache 1.3.12 for a project and am wondering if I can use the newer mod_ssl releases? Are there bugs or vulnerabilities with the mod_ssl for Apache 1.3.12 or is it safe to use the older mod_ssl? AFAIK, mod_ssl is tweaked with every new apache version. If you look on the mod_ssl site you will see that each distro is tagged with the apache version to which it applies. I would not expect mod_ssl-2.8.8-1.3.24 to work with apache 1.3.12. Why do you need to use 1.3.12? If your binary was not compiled with EAPI (needed for mod_ssl) you will need to recompile anyway. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: problem with SSL authentication
David wrote: My website is a https website using mod_ssl : Apache/1.3.22 (Unix) (Red-Hat/Linux) mod_ssl/2.8.5 OpenSSL/0.9.6 DAV/1.0.2 PHP/4.0.4pl1 mod_perl/1.24_01 This is what i have in my access.conf : Directory /path/to/directory/secure AuthName https://name.of.my.website/secure AuthTypeBasic AuthUserFile/path/to/password/file Require valid-user /Directory Here is the problem. When i click a link to a page in the directory, i come up with my login screen popup. If i type the right username/password pair, it will display the page, if i dont, it comes up with a 403 error-forbidden. This is all fine. However, i was extremely surprised to realise that if i fail the connection to receive the 403 error, i can click the back button in the browser, then the forward button, and get the page...even tho i still havent even authenticated yet!!! I am assuming that I am doing something stupid, but i cant seem to guess what that might be. Are you sure it does this on a first-time login with a clean browser, before you *ever* authenticate? Remember that if you login even once, your browser will cache the username/password and use it automatically for any subsequent requests in the protected realm (that is how you only have to authenticate once and can navigated about in a protected realm) Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apache Server:Https mode
Mahesh Mahalingam wrote: Hi, I have successfully installed apache with mod_ssl setup. But i was not able to get the page in https mode. (mod_ssl.c is also enabled.)How can i run this in https mode with a security certificate. Well, what did you try? There are a lot of things you need to do: - set up an SSL VH - Listen 443 - SSLEngine on - define certs and key - etc. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Nowhere talks about RPMS installation. Is it possible?
Sergi Mayordomo wrote: Hi, I have: -apache-1.3.22-2.i386.rpm, mod_ssl-2.8.5-4.i386.rpm. under Redhat 7.2 I have php-4.0.6-12.i386.rpm too. Is it normal that when I try $apachectl startssl , or $httpd -SSLD it don't works at all ? the previous commands aren't recognized for apache. Do you know if any RPM version would work correctly ?? I don't know much about the RPM environment (I usually use the source, Luke) but I doubt very much that getting a mod_ssl aware apache is as simple as rpm -i on the packages above... For one thing, the standard apache cannot load mod_ssl like a normal module, the apache API has to be extended to allow mod_ssl access to the openssl library. This means an apache recompile with mod_ssl... Did you do something like this? In any case, you can check the status of your apache binary by doing httpd -l which will list the compiled in modules - do you see mod_ssl? If you are using DSO, do you get an error about the LoadModule directive or any SSL directives in the config? What do you see in the error_log when you try to start apache like this? What SSL directives do you have in the config? Do you have an SSL virtualhost defined? Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Creating client certificates ?
[EMAIL PROTECTED] wrote: Hello modssl users ! I managed to set up an ssl aware web server. Although I searched the web and also the list archive I haven't been able to create a client certificate which is signed by my own CA for client authentication. Could someone describe the process of creating such a certificate in detail ? I assume you are working as root with bourne-shell and with the openssl bin directory in your path. Also, many of the command below have many options, check the docs and change to suit. Proceed as follows (assume you are working as root with bourne-shell): STAGE 1: Prepare your CA - First you need a source of random data (skip this if you have /dev/urandom or something): # cp /var/cron/olog temp # gzip temp # mv temp.gz random_data # RANDFILE=/home/apached/ssl/certs/random_data # export RANDFILE - Create a RSA private key (ca.key) for your Certificate Authority and choose a password for your CA (e.g. CA_PASSWORD). # openssl genrsa -des3 -out ca.key 1024 - Now make the certificate (ca.crt) using the private key. # openssl req -new -x509 -days 365 -key ca.key -out ca.crt It is here you define the details of the certificate authority, e.g. Country Name (2 letter code) [AU]:UK State or Province Name (full name) [Some-State]:. Locality Name (eg, city) []:London Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME Inc. Organizational Unit Name (eg, section) []:ACME Internet (Unofficial CA) Common Name (eg, YOUR name) []:www.acme.com Email Address []:[EMAIL PROTECTED] STAGE 2: MAKE A CERT FOR YOUR SITE -- - Make a private key for www.banana.com # openssl genrsa -des3 -out banana.key 1024 - You will be prompted for a password. If you later use the certificate, the server will not start until you enter the password. If you want to avoid having a password, you have to write out the key and save it again. # openssl rsa -in banana.key -out temp_key # mv temp_key banana.key - now banana.key is unencrypted. Next, make a certificate signing request: # openssl req -new -key banana.key -out banana.csr It is here you define the details of the website, e.g. Country Name (2 letter code) [AU]:UK State or Province Name (full name) [Some-State]:. Locality Name (eg, city) []:London Organization Name (eg, company) [Internet Widgits Pty Ltd]:Banana Inc. Organizational Unit Name (eg, section) []:Banana Internet Common Name (eg, YOUR name) []:www.banana.com Email Address []:[EMAIL PROTECTED] - Finally, sign the CSR using the CA certificate: # ./sign.sh eex.csr - you need to enter the CA password to sign it. You finish up with banana.crt and banana.key which you move to the server and refer to with SSLCertificateFile and SSLCertificateKeyFile. You can remove banana.csr. Rgds, Owen Boyle. PS: Regarding removing the passphrase on the certificate - it is up to you whether to do this or not. If you want certificates that no-one can steal but don't mind typing in a passowrd every time you start the server, leave it on. If you prefer to have an automated server start but are willing to risk certificate theft, remove it. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Using https without certificates
Bruce Smith wrote: Can anyone out there explain how (/whether ?) I can configure mod_ssl so that I can use https for encryption without needing to use certificates ? SSL can't work without a certificate since the certificate contains the public key of the server which is used to establish the encrypted communications. However, you don't need to buy a third-party certificate. You can make a self-signed certificate as described in: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28 rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: After Install: Apache working, modssl not
Michael Connors wrote: I have followed the installation procedures exactly for SSL. This is what I have configured in this order 1) openssl 0.9.6.c 2) mod_ssl 2.8.7 3) Apache 1.3.23 onto a Linux Mandrake 8.0 (redhat) OS. I chose NOT to install MM Shared Memory. The whole configure and install worked without any errors and the 'make certificate' went fine. When I execute '/path/to/apache/bin/apachectl startssl I get this response apachectl startssl: httpd started When I check the open listening ports (443 and/or 8443) on this same machine they are closed and the 8081 (cause my ISP blocks port 80) is open. And here is the error_log from apache logs after a start (apachectl startssl) [Mon Mar 25 12:40:24 2002] [notice] Apache/1.3.23 (Unix) mod_ssl/2.8.7 OpenSSL/0.9.6c configured -- resuming normal operations [Mon Mar 25 12:40:24 2002] [notice] Accept mutex: sysvsem (Default: sysvsem) What does this mean? Does anyone know what may be wrong? Starting with the obvious questions: Did you define an SSL virtual host (with SSLEngine on) and switch on port 443/8443 with a Listen directive? Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apachectl starts but I am unable to connect to my https site
Janardhan wrote: Hello modssl-users, I have configured 2 seperate Apache servers in different machines with modssl. I created self CA using openssl and created server certificates also. One of the Apache https server works fine and I am facing problem with another server. The problem is Apachectl starts but I am unable to connect to my https site using browser. Why are you unable to connect? - timeout? - error? - you haven't got a return key on your keyboard? Sorry for being cheeky but you are not providing anything like enough details to allow anyone to help you. What do you type in the browser? what does the browser do? what is in the error, access and ssl logs on the server? Is apache really running (ps -ef - don't rely on apachhectl saying httpd started)? is the server really listening to port 443? (netstat -a) what OS are you on? what browser? local or network? anything else you can think of? Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Virtual hosts and ssl.
Mark Weisman wrote: Working a little here with Apache couldn't you just make another VS entry in Apache for the new port, all using a singular IP addr? Example; --VirtualHost 120.120.120.120:80 -- ServerAdmin [EMAIL PROTECTED] -- DocumentRoot /www/domain1 -- ServerName www.whatever.com -- ErrorLog wherever -- CustomLog wherever part two --/VirtualHost --VirtualHost 120.120.120.120:443 -- ServerAdmin sameguy or gal -- DocumentRoot /www/ssl -- ServerName www.whatever.com -- ErrorLog wherever -- CustomLog wherever part two --/VirtualHost By allowing Apache to do the internal routing, wouldn't that re-direct where he's talking about. I'm also doing a lot of virtual hosting, and currently I use a singular domain name for all SSL requests I was thinking about trying the above out and see if it worked? But since we're on the topic. What you have above is perfect. This is port-based virtula-hosting and there is no problem with it. The problem arises if you try name-based VHing with SSL - that won't work: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47 http://marc.theaimsgroup.com/?l=apache-modsslm=98559369910170w=2 Rgds, owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: I need help please!
MARTIN Pierre wrote: Hi, im using an apache server with mod_ssl. (the last one, newest one version...) I get the error 724:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:D:\MyPro jects\Applications\opensa\openssl\ssl\s23_clnt.c:460: When i'm trying to connect. I can only read this with the openssl s_client mode, because the broser just search forever when i type the secured domain name. Notice that the number of the error is sometimes 724, sometimes 982, sometimes 972,... I red about my config was pointing to a wrong port and i may had Listen 80 instead of Port 80. That is all i found about this error, and it was already done in my config. You're trying to connect to an SSL-aware server with plain HTTP. Do you want an SSL server? If so, you must set up a VH on port 443 then access it using https://servername/; -- NB https, *not* http. rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: SSL works from localhost but not elsewhere
Eric Webber wrote: When I go to the url https://localhost using netscape on the same box running apache and mod_ssl, SSL appears to work fine. But when I come in from a box other than the box running apache and mod_ssl, I get Page cannot be displayed. I have apache 1.3.20 RedHat, OpenSSL version 0.9.6b, on redhat version 2.4.7-10. Is this because of the Servername ? I am at a loss and cannot find the solution in the mod_ssl documentation. Is there a set of tests to help ferret out this problem ? How do you try to address the server in the remote client browser? You don't type localhost, by any chance? If not, what do you use? Can you access a plain HTTP site on the server from the remote client? (try this if you haven't already done so). Do other network applications work between the client and server - e.g. ping, telnet etc.? Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Advisory 012002: PHP remote vulnerabilities (fwd)
[EMAIL PROTECTED] wrote: Evolution - A crutch for scientists who can't handle the existence of the creator. See disproven scientific theories and Romans 1:22. Religion: A crutch for people who can't handle the reality of the universe. See wishful tinking and the Origin of Species. Rgds, owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: How to install mod_ssl + mod_webapp?
Wes Barris wrote: We are currently using Jakarta-tomcat-4.0.1 with Apache httpd 1.3.22 (binary distributions for linux downloaded from the www.apache.org website). I also have mod_webapp installed (downloaded from the same website). Now, I want to add mod_ssl functionality to this mix. From what I gather from the www.modssl.org website, I must throw away what I have and compile from sources in order to use mod_ssl. I followed the instructions on this page: http://www.modssl.org/example/ and everything seemed to build properly. After copying mod_ssl.so to the new ./libexec directory and adding the following two lines to ./conf/httpd.conf: LoadModule webapp_module libexec/mod_webapp.so AddModule mod_webapp.c I get this error message: root@redhat# /usr/local/apache-ssl/bin/apachectl configtest [Wed Feb 20 15:59:04 2002] [warn] Loaded DSO libexec/mod_webapp.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI) [Wed Feb 20 15:59:04 2002] [warn] module mod_webapp.c is already added, skipping Syntax OK I can read the words but I don't really know what to do. It seems to be saying that I have to compile mod_webapp using -DEAPI. Can anyone provide some guidance? G'day, I think you've got most of it yourself... The standard apache API needs to be extended to allow the inclusion of mod_ssl, that is why you have to compile apache with extended API (EAPI) if you want to load or compile in mod_ssl. It seems that mod_webapp (don't know it personally) does indeed need to be re-compiled using -DEAPI if you are going to load it into a EAPI apache. Rgds, owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Name Based HTTP vhosts and IP Based HTTPS vhosts
Joe Pearson wrote: I'm trying to setup to ssl virtual hosts. When I start up the server, only the last one in the configuration file gets recognized. Does anyone have any clue what I'm doing wrong? Attempting the impossible... You can't use name-based VHs with SSL. See http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47 http://marc.theaimsgroup.com/?l=apache-modsslm=98559369910170w=2 Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Name Based HTTP vhosts and IP Based HTTPS vhosts
Joe Pearson wrote: But I am trying to use IP based vitual hosts. Are you saying I can't mix IP based https with name based http? whoops - my mistake, I just looked at your config again and you're *not* trying to NBVH on 443... Of course you can mix, IP, name-based and port-based VHs and your config looks OK - except for one detail: www.domain.net and www2.domain.net both have the same DocumentRoot so would look the same in the browser... Apart from that, I didn't see any Listen Directives - you may have them elsewhere, but I usually keep them next to the VH containers for clarity. You would need: Listen 199.184.207.29:80 Listen 199.184.207.29:443 Listen 199.184.207.28:443 NB - 443 isn't listened to by default) Also, since all your VHs are distinguished by IP or port, you don't need the NameVirtualHost 199.184.207.29 Rgds, owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: the same virtualhost with http and https?
Matus \fantomas\ Uhlar wrote: Hello, I'd like to know, how does modssl decide which port is ssl and which one is non-ssl? if I bind apache to two ports, how to tell which one should be used for ssl connects and which one for non-ssl connects? Apache is the process - mod_ssl is just a module. Only port 80 is listened to by default by apache so to get SSL to work you must explicitly say Listen 443. Another question. if I run http on port 80 and httpd on port 443, and I define only one virtualhost: VirtualHost ip.address ServerName blablabla /VirtualHost will that virtualhost be available via both ports/protocols? I guess so... but this not a good idea since SSL requires lots of extra directives (like SSLEngine on - how they would interact with the HTTP host is not obvious... Or, do I need to define two virtualhosts, one on port 80 without ssl and one on 443 with ssl? This is a much better idea - keep the SSL and HTTP hosts completely separate, you will sleep better. Warning: I don't wish to receive spam to this address. You'll be lucky! __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: VirtualServers config for SSL
Andrew V. Sirotkin wrote: Hello, All! I want to use some VirtualServers on port 80 and _default_ VirtualServer on 443 on demand. I used ifDefine SSL Listen 80 Listen 443 /ifDefine ... NameVirtualHost host.net:80 ... VirtualHost _default_:443 SSLEngine on . /VirtualHost ... VirtualHost VServer:80 . /VirtualHost When I brows host.net by 443 I get a good result (certificate etc.) When I attempt to connect by 80 port to _default_ I get VServer. How can I solve this task? This is correct behaviour - what do you want to happen? Do you want to get the SSL site via plain HTTP (port 80) as well? Rgds, Owen boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: directing http -- https
[EMAIL PROTECTED] wrote: RedirectMatch (.*) https://d.com$1 Won't this create an infinate loop? I could be wrong, but I think RedirectMatch will pick up the hit via http or https, and attempt to send the user to https://d.com$1 even if the user came via https in the first place. It depends on the context - i.e. where you put the directive in the httpd.conf file. If you put it outside of any virtualhost container it will have server-config context which means it will apply globally to all VHs. Then you will have trouble... However, if you have virtualhosts defined and you put the directive inside a VH container, it will have virtualhost context which means that it will only apply to that VH. Since you are using VHs, you must put the directive inside the plain HTTP VH for d.com. Then it will only apply to HTTP requests to d.com. mod_rewrite seems to be the only alternative I've seen so far. If I'm wrong, let me know... mod_rewrite is great and I'm a big fan, but it is a sledge-hammer to crack a nut in this instance. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: https without certificate
Mathieu Arnold wrote: I know that it should be possible because certificates are just a way to authenticate the server, not to establish the crypto. No, the server certificate is also important and required for the secure exchange of the crytography parameters of SSL/TLS. Without this, the client and server would not be able to securely exchange the necessary symmetric encryption parameters. well, that's right, but, if I don't really care about that much security and would just like some crippled http to get rid of young kiddies ? Read Ralf's reply again - the certificate actually *contains* the server's public key. The browser uses this to encrypt a session-key and send this back to the server. Thereafter, the browser and server use this common session key to communicate throughout the rest of the session. Without a certificate, the browser can *never* establish communication with the server. It's like opening a locked door without a key. Read some of the docs for more details. If you don't care about authentication (or rather, if you believe your clients don't care about authentication) then make a self-signed certificate as described in the mod_ssl docs (see the website). This will provide the free certificate you need to get SSL working. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Stop mod_ssl from writing errors to the general Apache error logfile
Bert Courtin wrote: Hi Owen, thank you for your reply:-) ... but - when sending the output for the ErrorLog to /dev/null I don't have an ErrorLog at all, and that's not really what I needed.. I dont what no ErrorLog at all but just no SSL errors in my ErrorLog (even inside the virtual host!). I don't see the point that if I set SSLLogLevel to none that this only means that no dedicated SSL logging is done, but messages of level ``error'' are still written to the general Apache error logfile. In my opinion there should be an option quite or disabled available which turns off this behaviour. For me meanwhile I now playing around with piped logging using a statemend like: ErrorLog| /usr/bin/fgrep -v 'errno: 131' | /usr/bin/fgrep -v 'SSL handshake interrupted by system' /var/log/apache_1.3.23/logs/error_log I think you're missing a crucial point - you can have SEVERAL error_logs... You do not need to have just one ErrorLog directive, you can also have an ErrorLog inside a VH and it will receive log messages only from that VH. Since you need a separate VH for SSL, it is easy to put an extra ErrorLog directive inside the SSL VH and it will trap all the error messages generated by requests to that VH. So your config would look like: # Define default server-wide error_log ErrorLog logs/main_error_log # Declare SSL VH VirtualHost ip-addr:433 ... # Define special SSL_only error_log ErrorLog logs/SSL_error_log ... /VirtualHost Then you will get TWO error_logs... and the main_error_log will not have any SSL errors in it. The thing about /dev/null was just if you wanted to ignore the logging - obviously you can replace /dev/null with a real file. NB - the same is true of TransferLog... Rgds, Owen Boyle PS If you haven't already done so, you might like to sign up for the Official Apache Users List: http://httpd.apache.org/userslist.html It is more appropriate for general config issues like this. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
directing http -- https
Farooq Khan writes: I have installed apache with mod_ssl. Briefly, I want all http requests to a particular VirtualHost to be redirected to https for the same VirtualHost. Do I use mod_rewrite to do this? I have set up 4 VirtualHosts in the order: VirtualHost a.com:80 VirtualHost b.com:80 VirtualHost c.com:80 VirtualHost d.com:443 All https://d.com requests work fine. I want all http://d.com to be redirected to https://d.com but they are defaulting to http://a.com. The trouble is you haven't defined anything for requests on port 80 with ServerName = d.com so apache just serves the first port 80 VH it finds - in this case a.com. The solution is to create a small VH for d.com:80 and fill it with just a Redirect to the https site, e.g. VirtualHost d.com:80 ServerName d.com Redirect / https://d.com/ /VirtualHost This will bounce any request to d.com to the top of the https site. If you want to be more specific so that http://d.com/foo/bar.html -- https://d.com/foo/bar.html then use something like: RedirectMatch (.*) https://d.com$1 Read the docs for these directives for more details. You can do a lot with redirects and you only need to use rewrites if things get really complicated. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Stop mod_ssl from writing errors to the general Apache error logfile
Bert Courtin wrote: I wonder how I can stop mod_ssl from writing errors to the general Apache error logfile. Since your SSL site is defined by a virtualhost, simply put a separate ErrorLog directive in the SSL VH. Errors generated by that VH will go there instead of the global error_log. If you really don't want to see SSL errors at all, just do: in SSL VH ErrorLog /dev/null Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: SSL Certs
Brandon Amundson wrote: We have created a CA using openssl for our apache server which is running on linux.. We currently have more than 200 users that access our site via certificates. Here is what we are having problems doing. We have an IIS Web server which we would like to allow our current certificate users to be able to access with their existing certs. Is it possible to generate a server certificate request on the IIS server and have that signed by the CA on the linux box? If this were possible, would this allow our researchers access to the second website with the same certs? Again, if this is possible, what is the command to have the request signed by the CA? We have attempted this and we continue to get an error. Here is the error. Put a subject on your postings so you'll know if someone responds... AFAIK, certificates are all in a standard format and so are cross-platform. To sign the certificate, use the sign.sh script that comes with the mod_ssl distro (in the pkg.contrib directory). Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: ssl virtual host IP's
Sir SoilentG_kov wrote: I've been looking thru the mod_ssl users archives and have learned that I can't do SSL on Virtual Hosts that are name based. I've seen that it is possible to use it on Virtual Hosts with IP based. Correct. Also, port based... Are these IP based hosts separate computers or can they be Virtual IP's all pointing to the same computer? What I want to do is have two domain names routed to my Linux Web Server and have them both have separate certs. However, I have no clue how I'd go about setting up two IP's that point to the same box... doesn't make sense to me so I'm guessing it's not possible... but would love it if it does. It is entirely possible. Any single interface card (i.e. the physical device, e.g. eth0) can listen to many IP addresses. On an internet connected unix machine the basic procedure is: - obtain two IP addresses (on the same network - e.g. 192.168.1.1 and 192.168.1.2) - define your two sites in DNS (these two points are done via your ISP usually) - use ifconfig to make your NIC listen to the two IPs (see man pages for more detail on this command) - configure apache to Listen to the two IPs and - define two VHs for each IP e.g. Listen 192.168.1.1 VirtualHost 192.168.1.1 ServerName www.site1.com DocumentRoot /path/to/site1 /VirtualHost Listen 192.168.1.2 VirtualHost 192.168.1.2 ServerName www.site2.com DocumentRoot /path/to/site2 /VirtualHost Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Netscape gave error on SSL
Bab S wrote: Hi mod_ssl users, After starting SSL htps://servername.com,I tried on IE and netscape. With IE it works fine but with Netscape Browser version 6 it gives me an error : Netscape and this server cannot communicate securly because they have no common Encryption Algorthims. I've never seen this error but it seems fairly self-explanatory. The browser and server have to decide on a common scheme to use for encryption. In the case of NS6, it doesn't have a scheme in common with the server so they can't communicate. On the server side, the schemes allowed are defined by the SSLCipherSuite directive. Check your entry to see if it is unusually restrictive (e.g. only one scheme defined). For comparison, my entry looks like this: SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: To unSubscribe
Shakeel Shaikh wrote: Dear sir, I want to unsubscribe for your mailing list please unlist me from your mailing list. The quickest way to unsubscribe is to visit the mod_ssl website and use the form interface: http://www.modssl.org/support/ Rgds, Owen Boyle __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Cannot seem to bind to port 443?
David Hsu wrote: After apache is started, there's absolutely no error message anywhere. However httpd does not seem to bind to port 443 at all? (checked using netstat -anp | grep 443) There is NO firewall installed on this server. Connecting to https via browser fails obviously. telnet localhost 443 also fails. Um... starting with the simplest question first: You did start apache with; apachectl startssl or httpd -DSSL didn't you? Does the plain http server on port 80 work? Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Multiple SSL-enabled vhosts
Joe Auty wrote: You mean the browser takes the domain name from the browser, does a DNS lookup, and equates this to the IP, and because the IPs are differnet in my example, the Servername is not necessary? Yes - kind of... The browser always does a DNS lookup of the name you type in. That's how it knows which IP address to send the request to (TCP/IP only cares about IP addresses). The distinction comes in the server. If you have two different VHs on different IPs then it is easy for the server to distinguish them. You can put ServerName into these VHs if you like, but, with the IP address, apache has enough to decide which VH to use. If you wanted to have more than one name-based VH on each IP address then you'd need the ServerNames again. What if I wanted to setup something like the following: VirtualHost IP.114:443 pathtocert1 Servername joe.com DocumentRoot /home/joe /VirtualHost VirtualHost IP.114:443 pathtocert1 Servername auty.com DocumentRoot /home/auty /VirtualHost Because the IP is now ambigious, I'm assuming the Servername is required unless I used the NameVirtualHost * convention (which I haven't really gotten working with SSL in my brief attempts)? You missed the point of a previous mail - you can't have name-based SSL VHs. It doesn't work. It's impossible. This (the above) seems to work as expected, although when I do a apachectl startssl I get an error message about the one taking precident over the other... the error message doesn't seem to affect any usage, it seems to work fine. Am I right? If not, is there a way to get around the error? It seems to work because you are using the same certificate for both VHs. What is happening is accidental behaviour - the server uses the certificate from the first VH to establish the SSL session. Since the session is now established, it can see the full HTTP header and so can use the Host: field to determine which VH to use. This setup works if you don't care what certificate your VHs use but since authentication is as important as encryption in SSL, it is not a general solution. If you can spare the IP addresses, the correct way to proceed is with separate IP-based SSL VHs on each IP address. For non-SSL VHs, you can put as many as you like on each IP address so long as you put NameVirtualHost and define ServerName in each one. It breaks down like this: SSL VHs - must be IP-based or Port-based (name-based doesn't work). - only one per IP/port. - if you use conventional port 443, only one per IP address. - ServerName is redundant (no harm if you use it - it is just ignored) - NameVirtualHost meaningless non-SSL VHs - Can be IP, port or name-based If name-based: - Unlimited number of name-based VHs per IP - needs NameVirtualHost - needs ServerName in each VH If you have many non-SSL VHs and one SSL VH on a particular IP, it is good idea to define the port on the NameVirtualHost directive, e.g. NameVirtualHost 192.168.1.1:80 This suppresses a warnign about mixing SSL and non-SSL. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Multiple SSL-enabled vhosts
Joe Auty wrote: I want to have 2 different certificates used in 2 different virtual hosts on my server. I have: SSLCertificateFile /etc/httpd/conf/ssl.crt/cert1.crt specified for one virtualhost, and: SSLCertificateFile /etc/httpd/conf/ssl.crt/cert2.crt specified for the other. The problem is that other/second vhost is using cert1.crt for some reason. When I do a openssl x509 -noout -text -in cert2.crt I get the correct information for that certificate which is, of course, different than cert1. Is there a way to specify multiple SSLCertificateFile directives for different vhosts, or will the first one specified be used unconditionally for all other vhosts? Hate to have to tell you but it can't be done. You cannot have more than one SSL VH on any given IP address/Port. To have more than one SSL VH on the same machine, they have to use different IP addresses or different ports - name-based VHs don't work. See http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47 and http://marc.theaimsgroup.com/?l=apache-modsslm=98559369910170w=2 for why... Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Multiple SSL-enabled vhosts
Joe Auty wrote: Hate to have to tell you but it can't be done. You cannot have more than one SSL VH on any given IP address/Port. To have more than one SSL VH on the same machine, they have to use different IP addresses or different ports - name-based VHs don't work. I see Have you ever setup more than one SSL VH using more than one IP on the same machine and gotten this to work? I've set my DNS to point to cert2 with an IP address ending in '.115', and cert1 ends with '.114'. My virtual hosts in httpd.conf are setup as following: VirtualHost IP.114:443 Pathtocert1 Servername server.com /VirtualHost VirtualHost IP.115:443 Pathtocert2 Servername joe.server.com /VirtualHost The results are, again, going to joe.server.com gives the same certificate as just going to server.com. Of course, I have two IP addresses designated to the same machine (.114 and .115). Am I on the right track? Kind of - you don't need to define SServerName since the IP address does the defining. You get the selection in the browser - i.e. https://ip.114/ and http://ip.115/ should go to the different hosts... Rgds, Owen. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: getting rid of Snake Oil stuff
Joe Auty wrote: Okay, it seems that after restarting apache without the CACertificate directives in there that sign.sh script now works without yielding the error I copied into my last email... I've got myself a netmusician.crt file... what do I do with it now to replace the dummy SnakeOil stuff? You put your new .crt and .key in the conf/ssl.crt and conf/ssl.key directories and change the names in the SSLCertificateFile and SSLCertificateKeyFile directives. Then you give the server a full restart (graceful won't reload certs). (I hope that you guys don't object to the CC) Except that we get every mail twice... Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apache modssl last release ...
[ Falk Großwig ] wrote: Hello, i just installed the mod_ssl for Apache. First it workes fine, but i cant tell how, the Apache shuts down the mod_ssl ... i cant reach the mod_ssl url if i open a new browser window. VirtualHost ssl.design-4-you.ath.cx ServerAdmin [EMAIL PROTECTED] ServerName design-4-you DocumentRoot E:/Server/secure/ ErrorLog E:/Server/logs/secure.design-4-you.ath.cx-error_log CustomLog E:/Server/logs/secure.design-4-you.ath.cx-access_log common SSLEngine On SSLCertificateFile conf/ssl/www.design-4-you.ath.cx.cert SSLCertificateKeyFile conf/ssl/www.design-4-you.ath.cx.key /VirtualHost So this is your SSL VH? First, you need: Listen 443 before the VH so apache listens to port 443, which is where SSL works. Second, you need to define port 443 in the VH, i.e. VirtualHost ssl.design-4-you.ath.cx:443 Third, you need to start apache with SSL. In unix, the command is: # apachectl startssl or (more primitively) # ./httpd -DSSL check the docs for the appropriate command under windows. Rgds, Owen boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Question
Natisha Greenway wrote: Hello, I am a new user of modssl and several questions. I am trying to build modssl and would like to know once I got it installed how can I tell if it is properly installed or working? Is there some sort of compiler flag that I can implement? You need to create an SSL virtual host in httpd.conf and restart apache in SSL mode. Look in the mod_ssl docs for the directives you need to use to define an SSL VH rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: getting rid of Snake Oil stuff
Joe Auty wrote: Hi, I've been working many many hours on this problem, so I'd be EXTREMELY grateful if somebody can help me here with my handicap of limited knowledge on this subject... I've created the certificate for my site, and it works fine.. the problem is it is still signed by Snake Oil... I have gone through and created a CA for myself with instructions I found on the net, but I'm not sure what filetype this process creates which is relevant (I'm assuming .crt), if it has to be in a particular path, and what stuff to put into my httpd.conf file... My current attempt has been the following: SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key SSLCACertificatePath /etc/httpd/conf/ssl.crt/ SSLCACertificateFile /etc/httpd/conf/ssl.crt/myservername.crt I think a few misunderstandings may have crept in... I assume you just want a certificate for your SSL site so that clients can establish a secure connection - if so, you don't need the SSLCACertificatePath or SSLCACertificateFile directives. They are for when you want to authenticate *client's* certificates (i.e. if the client needs a certificate to get into your site). All you need for a public SSL site are SSLCertificateFile and SSLCertificateKeyFile. You still need to make a CA certificate but this is for your private use to sign site certificates that you make - it never needs to be seen by the web-server. In summary, the tasks are: - Make a CA certificate (ca.crt) - make a site key (.key) - make a site certificate signing request (.csr), using the .key - sign the .csr to make a .crt These are the notes I use whenever I need to do this: 1) Create a RSA private key and certificate for our Certificate Authority # openssl genrsa -des3 -out ca.key 1024 password is CA_PASSWORD Now make the certificate using the private key. # openssl req -new -x509 -days 365 -key ca.key -out ca.crt 2) Now make a Certificate Signing Request for www.kiwi.com # openssl genrsa -des3 -out kiwi.key 1024 This makes the key but it is password protected, which means you have to type in a password to start the server. To avoid this, remove the PW by writing out the key to a file and overwriting it. # openssl rsa -in kiwi.key -out temp # mv temp kiwi.key Finally, make a CSR from the KEY. # openssl req -new -key kiwi.key -out kiwi.csr 4) And sign it # ./sign.sh kiwi.csr Now we have ca.crt Certificate Authority certificate ca.db.certs ) CA databases, holding ca.db.index ) details of certificates ca.db.serial) issued ca.key Certificate Authority private key sign.sh script for signing certificates kiwi.crtwww.kiwi.com certificate (sent with SSL requests) kiwi.csrKIWI certificate signing request (not really needed anymore) kiwi.keywww.kiwi.com private key (decrypts public-key encoded messages) - summary of commands # openssl genrsa -des3 -out www.kiwi.com.key 1024 # openssl rsa -in www.kiwi.com.key -out temp # mv temp www.kiwi.com.key # openssl req -new -key www.kiwi.com.key -out www.kiwi.com.csr # ./sign.sh www.kiwi.com.csr Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: CA installation
andrew reid wrote: Hi i created a certificate to used by apache but cant figure out how were to install it help please. You need a cert and a key. When you compiled apache with mod_ssl, and did make install, they should have been installed for you. Anyway, they go in your apache conf dir (e.g. /usr/local/apache/conf) in their own directories ssl.crt and ssl.key - then you have to point to the key and cert in httpd.conf: SSLCertificateFile/usr/local/apache/conf/ssl.crt/server.crt SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key Make sure the key and the ssl.key directory are readable ONLY by root - i.e. permissions 400. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: make certificate
Hong Tian wrote: Hi, I have installed make certificate TYPE=custom during the build of mod_ssl-2.8.5-1.3.22 with Apache successfully as the followings: # cd ../apache_1.3.22 # ./config ... --enable-module=ssl # make # make certificate TYPE=custom ... After I installed mod_ssl certificate, is there any quick methods to change some information of Common Name, Email Address, and Certificate Validity days of certificate again? Should I change the whole certificate again after making certificate if only some items of certificate need to be changed? Think about it. If you could edit a certificate after it had been issued, you could change its identity. So you could get a cert from Verisign for your own site, set up a fake amazon.com site, then edit your certificate to pretend it was for amazon.com... Or you could extend your certificate's life after it had expired (Verisign would love that!). You cannot edit a certificate it has been signed, it is a one-way encryption. The only way is to make a new certificate. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: problem while giving url HTTPS
Bineet Suri wrote: hello myself is bineet and i am developer in osprey software technology in india actually just recently i have configured apache v 1.3.22 with mod+ssl and my lynx browser is 2.8.4 i am able to test through http://localhost but when i give https://localhost so it giving me This client does not contain support for https urls Hi Bineet, The problem is in your browser (lynx). The message is very clear: This client does not contain support for https urls - it means lynx does not know how to make an HTTPS request (as opposed to an HTTP request). The HTTPS protocol is quite different from HTTP - you need a browser which can support it. I don't know much about lynx, maybe you can get a module or something to extend its functionality. If not, why not try Opera or Netscape which have SSL support built-in. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Help with Certificates
[EMAIL PROTECTED] wrote: Hello Everyone I need to create the key for my secure server I am just starting out with SSL so do not want to pay verisign yet later yes but now right now $ ./sign.sh server.csr This signs the server CSR and results in a server.crt file. *end paste* I dont understand what they meen about preparing a script for signing. Just use the script you've been given (sign.sh). Follow each step in the instructions just as it is written. The main steps are: - make a Certificate Authority (CA) key and certificate (this allows you to pretend you are Verisign). - make a website key for your site. - make a website Certificate Signing Request for your website (this is the thing you would send to Verisign and which turns into a certificate). - sign the CSR using the CA cert - outputs a certificate. You need a key and a certificate for your site to work. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: invalid request question
Hernan Salvarezza wrote: Part 1.1Type: Plain Text (text/plain) Please post in plain-text, I can't quote your message... If http://localhost:443 works, serving plain HTTP, and https://localhost doesn't work, producing invalid method then you must have accidentally created a plain HTTP VirtualHost on port 443. You need to have SSLEngine on inside the SSL VH. Do you? Rdgs, Owen Boyle __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: make certificate
Hong Tian wrote: Owen, I created my own CA for signing certificate, not by a commercial CA like Verisign. Now I try to make certificate again by openssl command on Solaris and still have PRNG problem: # openssl genrsa 0des3 -out ca.ket 1024 ...PRNG not seeded... 1) Make a random data file and set it up as $RANDFILE # cd /usr/local/apache/ssl/certs # PATH=$PATH:/usr/local/apache/bin # export PATH # cp /var/cron/olog temp # gzip temp # mv temp.gz random_data # RANDFILE=/usr/local/apache/ssl/certs/random_data # export RANDFILE __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: loading private key? urgent...please help!
Mike K wrote: Hi all... Before upgrading, one of my virtual domains (ip based) had SSL setup and was working fine. The second domain did not work. The error was odd according to people in IRC support channels, and I was told to upgrade to all of the latest versions. You weren't trying to run two Name-based Virtual Hosts under SSL by any chance? If you were, that doesn't work: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47 routines:X509_check_private_key:key values mismatch routines:ASN1_get_object:header too long unable to load key This looks like your key files are corrupted. No idea how this could happen. Did you have commercial certificates or self-signed? If self-signed, better make new ones with your most recent openssl distro. NamevirtualHost xxx.xxx.xxx.44:443 VirtualHost xxx.xxx.xxx.44:443 This won't work - if the second VH tries to use the same IP address (your post is a bit ambiguous on this point, you did mention changing IPs). Assuming you have re-installed apache, mod_ssl and openssl at the latest versions, you should be able to make certificates that will work. If not, please post the version numbers you are actually using along with OS details and confirm/refute the point about NBVHs. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: [BugDB] graceful needed after CRL update? (PR#641)
[EMAIL PROTECTED] wrote: Full_Name: robert joop Version: 2.8.0 OS: Submission from: (NULL) (193.175.135.28) on an apache 1.3.17 with mod_ssl 2.8.0, i installed new CRLs, called make in the ssl.crl directory, but even days later, it still considers the CRLs as expired (which they aren't). is it necessary to restart the apache (graceful seems to be sufficient)? By experience, I find that a graceful isn't sufficient to reload a cert and that you need a full restart. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Name-Based Virtual Hosting via a Single IP and SSL implementation
Dr. Peter Kanyion wrote: Hello folks, I'll greatly appreciate any help you could offer in getting to the right solution to my problems. I'm acquainted with Apche and SSL, but I'm not a GURU. I have two domains, let say mydomain1.com and mydomain2.com and a single registered IP address. Both domains are mapped to the single IP address and the domain lookup is working perfectly. I've installed Apache 1.3.19 with mod_ssl version 2.8. Using the default configuration, I could access the domain mydomain1.com via http(80) and https(443) without problems. Now I'm in the process of modifying the configuration to incorporate both domains. I've not been very succesful in getting this accomplihed. Here is in summary what I actually want to accomplish. I want to access mydomain1.com via http (80) and https (443) and mydomain2.com via http(80) and http(444). I have a single certificate. Based on information gathered via threads in this mailing list, I understand that I could accomplish this using name-based virtual host. Not quite. Name-based virtual-hosting doesn't work with SSL (see http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47 - the basic probelm is that you don't get the Host: header until everything is encrypted but you can't encrypt anything until you know what cert to use - and that's defined by the host header!). However, this is not what you are doing. Since you are happy to use port 444, you are using port-based virtual-hosting which works fine with SSL. The following should work: Listen 80 Listen 443 Listen 444 VirtualHost *:443 SSLEngine On SSLCertificateFile ssl/server1.cert SSLCertificateKeyFile ssl/server1.key DocumentRoot C:/websites/confidential_1 /VirtualHost VirtualHost *:444 SSLEngine On SSLCertificateFile ssl/server2.cert SSLCertificateKeyFile ssl/server2.key DocumentRoot C:/websites/confidential_2 /VirtualHost Note that although you want to use a single certificate, this will lead to problems - the cert contains the FQDN and this can only match one site. So the other, non-matching site will generate cert doesn't match FQDN warnings in the browser. If this doesn't work, please explain what is going wrong. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Quick Q on Server Certificates
Chris Allen wrote: Perhaps a real easy one ... I have to rebuild my entire setup for serving pages. Need to get all new source of php/apache/modssl etc... I just received my server certificate from Thawte, and I am wondering do I need to go thru this whole process of getting a new cert? Can I jsut simply copy over my server.key and server.crt to the appropiate place where the new apache can find them? Can I reuse my key and cert with new binaries? If so why, if not :(. A certificate is in a standard format which can be used, not only by different builds, but by different web-servers - so no problem with re-using it. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Virtual Servers Configuration
Ravi Babu D - CTD, Chennai. wrote: Hello, I got some minor problems in configuring Virtual Servers (Ip-based) with SSL in apache_1.3.22 with mod_ssl2.8.5 under Solaris 8. i) When the SSLCertifcateKeyFile path is too long (doesn't fit in one line), the config script is not recognizing the key and unable to start the server. get another editor - you must get the data on one line... ii) I've mentioned document root as /newhtdocs, but whenver i access the virtual host, Browser displays the message that Fobidden, You dont have permissions to access / on this server. Directory /path/to/newhtdocs Allow from all /Directory Rgds, Owen Boyle PS: These are really apache questions. Try to separate your questions according to whether they apply to the server generally ([EMAIL PROTECTED]) or mod_ssl only ([EMAIL PROTECTED]). If you have a question about a particular directive, if it begins with SSL, send it to the mod-ssl list, otherwise to apache... you'll get a faster/better response if you send to the correct list. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Can't run apache + modssl on Solaris 8
Irwan Hadi wrote: I already compiled apache 1.3.22 and latest modssl on Solaris 8, but when I run ./apachectl start I got error message Thu Nov 29 23:06:20 2001] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows) [Thu Nov 29 23:06:20 2001] [error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded PRNG programmable random number generator - it needs a good source of random data to get started. Check out: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC15 Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apache SSL Private Keys
[EMAIL PROTECTED] wrote: Build a Script which provide mod_ssl with a passphrase. maybe its possible to modify apachectl for build and delete this script if necessary. http://www.modssl.org/docs/2.8/ssl_reference.html#ToC2 A lot of people do this but I wonder whether it is worth the bother... The pass-phrase is there to prevent anyone who steals your certificate from being able to install it on a fake server. He might steal the certificate but can't start the server without the passphrase. Now, if you make a script to feed the pass-phrase to the server on boot, what point is there in having the pass-phrase? The hacker, while stealing the cert, might as well steal the pass-phrase from the script. he has to have root access to get the cert in the first place so it's no problem for him to get the script too. Actually, I wonder about the pass-phrase altogether. I prefer to have a secure server so that no hacker can get the cert on the first place. if I ensure that, then I don't need to worry about pesky pass-phrases... Rgds, Owen Boyle __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apache SSL Private Keys
[EMAIL PROTECTED] wrote: If you have a root privileged hacker on your machine you are lost anyway! Exactly. Pass-phrases give a warm, comfortable feeling but not much else... __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apache SSL Private Keys
Are Hoel wrote: Well, it would mabe be smart to put all the certs and a startup script with passphrases on an encrypted disk, where you have to manually mount the encrypted disk, then run the script. Or you could leave the certs in unencrypted space, and just have the script encrypted. Then unmount the encrypted partitionwhen the script has been used? This would require some manual interaction, but it would secure your script. I have also been told there is to be a new version of stronghold (I don't know if this works on *nix though), with a hardware keyfile which plugs into an usb port. With it attached it's possible to mount the partition, but without it's blocked. Ha ha ha! Very ironic.. this is a joke, right? No? Oh dear... hardware key-files? This is like dongles that you used to have to plug into your parallel port to stop you installing software twice. You see the crazy situations you get into when you convince yourself you need a pass-phrase... The only way I can accpet pass-phrases is if you have a server which must be so secure that it must never, ever, be started without your knowledge and that the certificate must never, ever be used elsewhere. Then you keep the pass-phrase where no hacker can get it - in your head. The downside is that you have to go to the console of the machine and type it in every time you start apache so no automatic reboot or restart. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apache SSL Private Keys
Are Hoel wrote: It's not a joke, it's a fact. I know, I know - my tongue was in my cheek :) And in my opinion it's MUCH better to use a small encrypted partition so store a startupcript with passphrases then to just have the script lying around on the server. If you have a better solution I'd like to see it. My solution: Forget about the pass-phrase since it is a waste of time. Put the energy into protecting your server in the first place. As John points out, the file you are protecting with the pass-phrase is owned by root and has permissions 400. If someone can lift that file, you've got real problems... You will have to enter the console to enter the passphrase. You can't have automated security, then there is no security. Exactly. But if we remember the original poster wanted to automate the start-up of his server... I think the answer to his question is you can't - unless you are only playing pretend security. Rgds, Owen Boyle. P.S. I always like to bring this topic up whenever the list is getting quiet - it warms things up on a cold winter's day (brrr...) __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apache-SSL, IE Connection Reset By Peer errors
Stuart Butcher wrote: I am running Apache/1.3.20 (Unix) PHP/4.0.6 mod_ssl/2.8.4 OpenSSL/0.9.6a on FreeBSD 4.4-STABLE and am having problems with a secure site Im running. Most of the time it works fine, but sometimes IE (versions 4, 5, 5.5, 5.5 Sp2 and 6) returns a 'Page not found' error, which goes away when refreshed. [Thu Nov 29 11:35:25 2001] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows) [Thu Nov 29 11:35:25 2001] [error] System: Connection reset by peer (errno: 54) A lot of people complain about problems like this. My understanding is that it's M$IE that's broken. Check out the discussion in the archives - this first link is probably a good start (otherwise, use the search facility to find more references): http://marc.theaimsgroup.com/?l=apache-modsslm=97145494902868w=2 Rgds, Owen BOyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Virtual Servers with SSL
Ravi Babu D - CTD, Chennai. wrote: Hi , Can any one help me in cofiguring Virtual server with SSL support in Apache1.3.19 with mod_ssl2.8.3. I heard that name based virtual servers doen't support SSL but ip based does. Also please help me in creating dummy key and cert in apache1.3.19 with mod_ssl2.8.3. Your right about name-based virtual-hosts.. You can't have more than one SSL VH per IP/port. see http://marc.theaimsgroup.com/?l=apache-modsslm=98576871506980w=2 fro reasons why. To set up an SSL VH, its just the same as a normal VH - but switch on port 443, e.g. Listen servername:443 Virtualhost servername:443 DocuumentRoot ssl-content-path ... SSL directives /VirtualHost You can still have HTTP name-based VHs... as well. To make certs, etc, see http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29 - summary of commands (for a no-pass-phrase cert). # openssl genrsa -des3 -out www.kiwi.com.key 1024 # openssl rsa -in www.kiwi.com.key -out banana # mv banana www.kiwi.com.key # openssl req -new -key www.kiwi.com.key -out www.kiwi.com.csr # ./sign.sh www.kiwi.com.csr Rgds, Owen BOyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: page not displayed in IE
Domenico Rotiroti wrote: [I'm reposting this message 'cause for several days I haven't received the subscription confirmation ] Hi, I'm experiencing problems with the visualization of some pages with MSIE. This is what happens: a servlet is called through ssl, then the servlet forwards to a jsp page. The jsp get loaded in the browser (I see the generated HTML with view source), but it is not displayed and I got no errors! If you allow access to the page via HTTP (port 80) does the page work? Rgds, owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Installation Apache_1.3.22 in Solaris 8
Ravi Babu D - CTD, Chennai. wrote: Thankyou Cliff, but i'm surprised why its happening like that even i installed as root. Is there any reason ? There's a bit of a debate about this point on the official apache list (see below)... Rgds, Owen Boyle. !!! Sign-Up Now for the New Apache Mailing-list !!! --- Your favourite resource for apache answers, debates and gripes is now hosted by the Apache Software Foundation. Send an empty mail to: [EMAIL PROTECTED] Why you should move: + This new list will be monitored by a real, live list-manager who will make sure we don't get spammed or flamed and so the S/N ratio should be much higher. + Most of the serious contributors will migrate to the new list. + The apache website now points new users to the new list so there are unlikely to be any additions to the Yahoo list. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: segfault problem - from scratch
Dean Hall wrote: - Original Message - From: Sang Yi [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, October 29, 2001 07.12pm Subject: Re: segfault problem - from scratch umm, where's openssl? normally, openssl is mandatory for building apache+mod_ssl. Can't get away with it that easily. As I said: [...] I merely installed a binary RPM for openssl[.] Apache wouldn't even have compiled without openssl, I think. Actually, I think Sang Yi has a point. I've never heard of anyone using RPM for openssl then compiling mod_ssl and apache from source. It sounds like a recipe for disaster to me... Since you are happy compiling from source, why not throw openssl into the mix as well? Here's some old notes from the last time I compiled this set-up (obviously change the versions, paths and architecture to suit your system): # cd openssl-0.9.6 # ./Configure solaris-sparcv9-gcc --prefix=/home/apached # make clean # make # cd ../mod_ssl-2.7.1-1.3.14 # ./configure \ --with-apache=../apache_1.3.14 \ --with-ssl=../openssl-0.9.6 \ --prefix=/home/apached # cd ../apache_1.3.14 # SSL_BASE=../openssl-0.9.6 # export SSL_BASE # ./configure \ --enable-module=ssl \ --enable-module=rewrite \ --prefix=/home/apached # make # make certificate # make install Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: mod_ssll and NT
Craig Newlander wrote: I'm trying to run apache with SSL on NT. yeah I know this isn't a good choice but the choice isn't mine. If you can't help please don't waste my time by chasting me - I'll simply delete your message and move on. :) You are free however, to waste your own time. Talk about attack being the best form of defence... Chill out a bit, nobody has said Boo to you yet... I've downloaded OpenSSL,and mod_ssl. I've followed the installation note for Win32. I am #6 in the document.Can someone point me to a source where I can figure out how to setup the config files and certificates? Or better yet tell me how! thanks. I hope it doesn't waste your precious time, but here's how I set up my certificates: Rgds, Owen Boyle. Making self signed certificates: NB: These certificates contain no pass-phrase so do not need user input when you start apache. Also, can be used by any server... 1) Make a random data file and set it up as $RANDFILE # cd /usr/local/apache/ssl/certs # PATH=$PATH:/usr/local/apache/bin # export PATH # cp /var/cron/olog temp # gzip temp # mv temp.gz random_data # RANDFILE=/usr/local/apache/ssl/certs/random_data # export RANDFILE 2) Create a RSA private key and certificate for our Certificate Authority # openssl genrsa -des3 -out ca.key 1024 password is CA_PASSWORD Now make the certificate using the private key. # openssl req -new -x509 -days 365 -key ca.key -out ca.crt 3) Now make a Certificate Signing Request for www.kiwi.com # openssl genrsa -des3 -out kiwi.key 1024 # openssl rsa -in kiwi.key -out banana # mv banana kiwi.key # openssl req -new -key kiwi.key -out kiwi.csr 4) And sign it # ./sign.sh kiwi.csr Now we have ca.crt Certificate Authority certificate ca.db.certs ) CA databases, holding ca.db.index ) details of certificates ca.db.serial) issued ca.key Certificate Authority private key random_data for random routines sign.sh script for signing certificates kiwi.crtwww.kiwi.com certificate (sent with SSL requests) kiwi.csrKIWI certificate signing request (not really needed anymore) kiwi.keywww.kiwi.com private key (decrypts public-key encoded messages) - summary of commands # openssl genrsa -des3 -out www.kiwi.com.key 1024 # openssl rsa -in www.kiwi.com.key -out banana # mv banana www.kiwi.com.key # openssl req -new -key www.kiwi.com.key -out www.kiwi.com.csr # ./sign.sh www.kiwi.com.csr __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: build/installation prb
Anand Nagarhalli wrote: Hello, I want to test a small program through SSL on Apache(1.3.14) on linux. I am trying to build/install mod_ssl with Apache but in vain. Is there site from where I can just get the installable of mod_ssl/openssl/mm/apache(for 1.3.14) without bothering to build the source. It would be great if that were possible but I fear the subtle differences in environment among the various distributions and version levels of linux would make it highly unlikely that mod_ssl/apache binary compiled on another machine will work on yours. The attached script works for me (also includes PHP). You could read through it and see if you gain any ideas as to why your compilation failed... Rgds, Owen Boyle. apache_1.3.14+ssl+php+mm_install.sh
Re: problems with DSO support
Marco Nardelli wrote:
When a few years ago someone had installed apache, he forgot to
enable-module=so.
Now I'm using this server with every particular configurations I put on
it and I don't want to lose them.
I shouldn't want to reinstall apache, only to enable-module=so.
Is it possible?
is it possible to make an upgrade?
You cannot tag on a module which has to be compiled in. Its functions
have to be included in the binary and there is no way to do this except
by re-compiling. I appreciate that it is quite scary to re-install
something that has been running for years and that you're
afraid you'll lose lots of undocumented bells and whistles but have
courage.
First of all, unpack apache in /tmp - so you can be sure it is not
overwriting anything.
Now execute the following:
if (you made any edits to the source code) {
if (you didn't document them) {
die;
}
else {
apply_previous_edits_to_new_source_code();
}
}
Now just save your existing httpd.conf somewhere safe for peace of mind.
This is the only important file in an apache set-up (... OK, save
mime.types as well). By the way, install *will not* overwrite an
existing httpd.conf so you don't even need to save the original - but do
it anyway...
Then do configure, make and make install and you'll have a new, clean
apache binary.
Rgds,
Owen Boyle.
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
Re: New User: must be obvious question
ComCity wrote: Thank youAustin,Andy and Ron. I thought the purpose of the list was to get helpI'm sorry if my question seemed stupid. It was not my intention to post a stupid question in which I had not exhausted other resources or throughly looked at what I could find on this. I responded honestly and, I thought, helpfully to your problem. Basically, if you get an error message you can be sure that an error has occurred - it's no use telling us that there's nothing wrong with your set-up. However, You chose to disregard my advice in a cheeky way: Well that doesn't make a lot of sense So I reserve the right to tell you to: Figure it out for yourself. I appreciate that SSL can be tricky to set up and this list exists to help people out but remember that all respondents are giving up their time voluntarily and are under no obligation to you. You should have some manners and treat them politely - even if they tell you something you don't want to hear. You are just another one of these guys who thinks they've set things up correctly and can't be bothered checking properly. It is obvious you have made a mistake in compilation, installation or configuration - the alternative hypothesis is that you have uncovered a major bug which has not surfaced before in a popular piece of software in use for years on thousands of computers... Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: New User: must be obvious question
ComCity wrote: Hi, I've gotten Mod_SSL working on my apache server along with openSSL. I have working certs and they get served up as virtual servers. My question has to be obvious. I can stop apache no problem with: apachectl stop I can start apache no problem with apachectl startssl However, I cannot restart apache with apachectl restart And, if I use apachectl configtest it tells me I have an error at the SSLEngine On line of my conf file line. This can't be real because it work fine if I stop and restart or reboot the computer. The restart command simply doesn't seem to be working for me. If you are getting an error message when you configtest, then the amazing thing is that your server is starting under any circumstances. I suspect this is not a problem with apachectl which works fine for everyone else but rather (suprise, suprise...) and error in your conf file. To help diagnose it, please cut'n'paste the error messagea and post the section from your conf file which deals with the SSL virtualhost. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: issuing certificate
Murali K. Vemuri wrote: hi, i could make a certificate in the way given by you. i copied the .crt and .key files into /etc/httpd/conf/ssl.crt/server.crt and ../ssl.key/server.key respectively and then restarted the httpd. after that i set the multi.crt ( i created like this instead of your suggested kiwi.crt) and multi.key paths in the httpd conf file in the /etc/httpd/conf/httpd.conf file . i am attaching the relevant portions of the httpd.conf file here. now, to test whether my certificate works or not, i typed openssl -x509 -noout -text -in multi.crt i observe that the certificate is same as was generted by me. but, when i open netscape and type https://yogi (it is my host name), i get the same old certificate which is snake oil ' etc. can some one tell me how i can get rid of that snake oil certificate for ever ? Double-double-check the path leads to the correct file, i.e. do: openssl -x509 -noout -text -in /etc/httpd/conf/ssl.crt/multi.crt If this is correct then the problem must be caching in the browser. Click on the security icon and delete any certificates you have already accepted. is there any documentation available out there? http://www.modssl.org/ and click on Documents... Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: New User: must be obvious question
Well that doesn't make a lot of senseso your saying that configtest is better at error checking than apache is at running? How do you think configtest works? - it's just an instance of apache with an error trap and exit stuck on. Actually I think you were mistaken when you told us apache was running - I think you would find it was not working in SSL mode (apachectl startssl doesn't report startup errors to the console - they go in the logfile). Here's the error I get: Syntax error on line 1158 of /usr/local/apache/conf/httpd.conf: Invalid command 'SSLEngine', perhaps mis-spelled or defined by a module not included in the server configuration What could that mean? Figure it out for yourself. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: issuing certificate
Murali K. Vemuri wrote: when i type make certificate, i get a certificate signed by Snake Oil CA etc... can someone please tell me how i can change these..? When starting out, it is easiest to make your own certificates. Later, you can buy a proper certificate. This is the procedure I use: Rgds, Owen Boyle. Making self signed certificates: NB: These certificates contain no pass-phrase so do not need user input when you start apache. Also, can be used by any server... 1) Make a random data file and set it up as $RANDFILE # cd /usr/local/apache/ssl/certs # PATH=$PATH:/usr/local/apache/bin # export PATH # cp /var/cron/olog temp # gzip temp # mv temp.gz random_data # RANDFILE=/usr/local/apache/ssl/certs/random_data # export RANDFILE 2) Create a RSA private key and certificate for our Certificate Authority # openssl genrsa -des3 -out ca.key 1024 password is CA_PASSWORD Now make the certificate using the private key. # openssl req -new -x509 -days 365 -key ca.key -out ca.crt 3) Now make a Certificate Signing Request for www.kiwi.com # openssl genrsa -des3 -out kiwi.key 1024 # openssl rsa -in kiwi.key -out banana # mv banana kiwi.key # openssl req -new -key kiwi.key -out kiwi.csr 4) And sign it # ./sign.sh kiwi.csr Now we have ca.crt Certificate Authority certificate ca.db.certs ) CA databases, holding ca.db.index ) details of certificates ca.db.serial) issued ca.key Certificate Authority private key random_data for random routines sign.sh script for signing certificates kiwi.crtwww.kiwi.com certificate (sent with SSL requests) kiwi.csrKIWI certificate signing request (not really needed anymore) kiwi.keywww.kiwi.com private key (decrypts public-key encoded messages) - summary of commands # openssl genrsa -des3 -out www.kiwi.com.key 1024 # openssl rsa -in www.kiwi.com.key -out banana # mv banana www.kiwi.com.key # openssl req -new -key www.kiwi.com.key -out www.kiwi.com.csr # ./sign.sh www.kiwi.com.csr __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apache+mod_ssl
Märith Olsson wrote: Hello everybody! I have some problems installing apache with ssl. The versions I use: apache.1.3.20 open-ssl 0.9.6b mod_ssl 2.8.4-1.3.20 the promt looks like this after I've configured and try to make: -- bash-2.03# make ... whole bunch of nasty stuff make what? - apache? did you install openssl first? I would recommend you follow the instructions posted by Mads Toftum a few days ago, namely: Openssl-0.9.6b: # ./config no-threads MM-1.13: # ./config --disable-shared Mod-SSL-2.84: # ./configure \ --with-apache=../apache_1.3.20 \ --with-ssl=../openssl-0.9.6b \ --with-mm=../mm-1.1.3 \ --prefix=/usr/local/apache/ \ --enable-module=most \ --enable-shared=max Apache_1.3.20: # make # make certificate # make install Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apache 1.3.22 Modssl
Webmaster (Nemesis Services) wrote: Can someone help me as I want to start using Apache 1.3.22 Hold your horses... Ralf has promised a mod_ssl upgrade for this week: http://marc.theaimsgroup.com/?l=apache-modsslm=100307405515138w=2 Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apache connection died - passphrase security
R. DuFresne wrote: Never start talking to those lacking secific skills about what is important and what can be tossed aside, until one is fully aware of the skills they are facing. Never advise one to forgoe certain security issues without a full assesment of the issues involved, never advise someone they can be lax here and there as long as this and that are covered until you have a full idea of the skills and degree of security knowledge they possess. This is a good point and in general I would agree that you should never advise anyone to drop any aspect of *real* security without understanding their application thoroughly. However, I would argue that in the specific case of an SSL server, the pass-phrase is useless security *under any circumstances*... Logically, you machine can be in only one of two states; secure or insecure: (1) If you have a secure machine, a passphrase is unnecessary - so you don't need it. (2) If you have an insecure machine, a passphrase is useless - so you still don't need it. Why is it useless? Because, although you may be able to prevent a bad guy starting the server maliciously what's to stop him thereafter stealing the data that you captured over your SSL connection? In other words, you simply shouldn't run an SSL server on an insecure system - it is like using an armoured van to deliver $1,000,000 to a bank which has no safe and no locks on the door. Rgds, Owen Boyle. P.S. There was one other point, brought up by NickM, that you might want to use SSL to communicate with an intranet from the internet (as a tunnel). Then you might want to use a passphrase to control the internal web-server, even though you don't care if the individual session data are visible. I accept that this is an application (albeit highly specialised) where passhrase control would be useful. No doubt this is what the mod_ssl developers were thinking about when they added this functionality... __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: password protection of a folder running apache 1.3.19 on NT 4.0
[EMAIL PROTECTED] wrote: Hi there, We have setup a folder which we want to protect with a username and password. but whenever I type in the username and password we have setup I continually get The server encountered an internal error or misconfiguration and was unable to complete your request. More information about this error may be available in the server error log So? What does it say in the server error log? How are you accessing the folder - do you try to get a file? Are you trying to execute a CGI program? (the error looks more like the kind of response you get from a failed CGI program). By the way, there are a couple of snags with your .htaccess file: AuthUserFile E:/WebSites/acro/password/.htpasswd This is a funny filename to use. htpasswd is the name of a program in the apache suite - it is the program used to make password files. Don't you find it confusing to type: htpasswd -c .htpasswd test? Also, what are you going to call your next password file (e.g. for a different folder)? I usually use the extension pwd and a name which reflects the contents of the folder, so for example, I have password files called member_section.pwd, private_area.pwd and so on. AuthName Test Signon This is the phrase which appears in the pop-up password challenge. If you want more than one word you are supposed to put it in quotes, so you should have: AuthName Test Signon AuthType Basic Fine. require user test So only one user (called test) can enter this area. Is this what you want? A more general solution is to put: Require valid-user then anyone listed in the password file (called, e.g. test_area.pwd) can get in. By the way, use the correct case in directives (i.e. capital R for Require) - I know it doesn't matter with windows but maybe one day you'll be working on a unix system... If you get lucky. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apache connection died
Rachel wrote: Hi, I having problem where my APACHE no longer run after the everynight 12:01am I have no idea what's the error message below can someone teach/explain to me? [Thu Oct 11 00:00:01 2001] [notice] SIGHUP received. Attempting to restart What is SIGHUP received ? where can i configure it? SIGHUP is a hangup signal. For a running process like apache it has the effect of making the process reload its configuration file without breaking any existing connections. You often do this if you make a minor change to httpd.conf and want to implement the change immediately but you don't want to stop and start the server. You send a SIGHUP with the kill command. First, find out apache's parent process-id. This is stored in the file defined by the PidFile directive. If you don't have a PidFile directive, it will be in httpd.pid in the logs directory. So you can do: # cd apache logs directory # cat httpd.pid 27443 # kill -HUP 27443 and you will get the message above in the error_log and apache will reload httpd.conf. Alternatively, the apachectl program does this when invoked with the graceful argument. NB: Some changes are too extreme to be reloaded by a SIGHUP and need a full stop and start (e.g. changing CertificateFile directives). What is the bottom error message that say dynamic module limit was reached? how can i increase it? [Thu Oct 11 00:00:01 2001] [notice] SIGHUP received. Attempting to restart [Thu Oct 11 00:00:01 2001] [error] Cannot remove module mod_ssl.c: not found in module list httpd: module mod_proxy.c could not be loaded, because the dynamic module limit was reached. Please increase DYNAMIC_MODULE_LIMIT and recompile. This is a funny one. The DYNAMIC_MODULE_LIMIT is defined in your apache distribution. Go to the directory in which unpacked apache and look in: src/include/httpd.h and you will find the lines: /* Max. number of dynamically loaded modules */ #ifndef DYNAMIC_MODULE_LIMIT #define DYNAMIC_MODULE_LIMIT 64 #endif So its default is 64 which ought to be enough for anyone. Check yours is not unusually small... However, I rather suspect that the problem is something else. Why is your apache restarting at 00.01 every night? The only way this will happen is if you have a cron job doing it. So do: (login as root) # crontab -l and look for something like apachectl graceful. Did someone else set up or maintain your apache installation? In any case, even if it does restart each night, it shouldn't cause any problems. I don't use mod_so personally (all my modules are compiled in) so I don't know if a SIGHUP will reload modules or not. It could be that the original set of modules stays in and it trys to load a new set on top which increases the DYNAMIC_MODULE_LIMIT count. Usually, if you have problems with a SIGHUP, it is best to do a full stop and start (e.g. apachectl restart). Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apache connection died
Rachel wrote: Yup... i found a cronjob that running every nite... is that possible to restart the apache with startssl option in cronjob? Of course. If you use apachectl, say: apachectl startssl otherwise, /usr/local/apache/bin/httpd -DSSL bcos the apache will require a password to start the SSL connection how should i automate it? Personally, I would remove the passphrase since flame-warI think it is a waste of time/flame-war. To do so, consult The Fine Manual: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC31 Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Apache connection died
R. DuFresne wrote: On Thu, 11 Oct 2001, Owen Boyle wrote: Personally, I would remove the passphrase since flame-warI think it is a waste of time/flame-war. No flames from here, but, security should be more on the minds of folks these days, not less security. That being said, removal of the password might well be okay, depending upon the security of the server in question. How many folks have hands-on access to this system? How many folks have telnet/ssh/ftp access to this system? Those are issues to be considered when making this kind of decision. Aha! Someone picks up the gauntlet... Security has to be well-thought out. Fake security is worse than nothing because it provides an impression of safety and so leads to complacency. The only way to ensure security is to secure the whole machine. Our system is behind a sturdy firewall and other sneaky protections and we run a minimalist set of services (certainly no telnet, ssh or FTP) - http and smtp basically. We are regularly audited by third-party security companies and come out clean every time. The machine itself is in a sealed room with only LAN access from selected machines owned by sys-admins (who know the root password - so you've got to trust us). So I think we're OK (but I'd be interested to hear if there are any chinks in our armour). I admit that you might want to restrict who can start apache with mod_ssl if there is public access to the machine but hang on a minute... Why would anyone allow untrusted access to a machine on which they are going to run a secure HTTP server? Put it another way, would you feel happy sending your credit card number, even over SSL, to a machine that any Tom, Dick or Harry can log into? In other words, if you run a secure server, you have a *responsibility* to restrict access to it from your side of the FW. You would be opening yourself to tremendous liability if you took confidential details from clients and processed them on a machine which was insecure. But, Judge, I had a passphrase... won't cut much ice in the courts, I fear. In summary - Only if your machine is insecure do you need a passphrase - but if your machine is insecure you shouldn't be using it as an SSL server. Therefore, a passphrase is a waste of time. Discuss? Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: virtualhost - example
Bartosz Aninowski wrote: Problem is: When I try to connect to https://secure.mydomain.pl nothing happend What does nothing happened mean? - timeout?, connection refused?, error 404? Does secure.mydomain.pl resolve to IP_first in DNS? Do you have Listen 443 somewhere? but when I try to connect to https://test.mydomain.pl or https://IP_firs it works fine. Are you sure you have only one SSL VH in your httpd.conf? It looks like you have a VH on port 443 with test as the docroot. Remember you must only have ONE SSL VH per IP address. http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47 http://marc.theaimsgroup.com/?l=apache-modsslm=98559369910170w=2 Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: virtualhost - example
Bartosz Aninowski wrote: When I try to connect to https://secure.mydomain.pl nothing happend nothing = HTTP 404 [10/Oct/2001 13:10:42 12536] [info] Connection to child 2 closed with unclean shutdown (server secure.mydomain.pl:443, client 217.96.20.2) Ok. This is the SSLEngineLog - what does it say in the apache TransferLog? - do you have a file like index.html in /home/www/panel/site? If not, have you set DirectoryIndex so that apache can find a file at the docroot? Are you sure you have only one SSL VH in your httpd.conf? It looks like you have a VH on port 443 with test as the docroot. no!! No need to shout, I hear you... I'm only trying to help, you know. Do you have a DocumentRoot directive at server level (i.e. before the VH declaration)? Remember you must only have ONE SSL VH per IP address. yes! Shouting again... But it's good you know this. A lot of people make this mistake. As an experiment, could you cut out everything from httpd.conf *except* the desired VH on secure.mydomain.pl. Then see what happens. Alternatively, just post the whole httpd.conf and I'll take a look - if you promise not to shout. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: virtualhost - example
Bartosz Aninowski wrote: Now is working great! That's a good reason to shout!!! Rgds, owen. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Lost Virtual Host
Henning Sittler wrote: I setup an IP based vhost with ssl amd my https connection worked. I was happy. But out of the blue, the vhost is gone. Can't connect to it, nothing. However my other vhosts (non-ssl, name based) remain fully functional. Plainly restarting httpd with the exact same, unchanged httpd.conf file does not resolve the problem. In fact, restarting doesn't even restart the lost vhost. I've re-checked the httpd.conf so many times I'm tired of looking at it... it should be correct. Anyone ever heard of ANYTHING like this? First of all, I assume you are starting apache with SSL..., i.e. # ./apachectl startssl or # ./httpd -DSSL or something similar. Unless you tell it specifically to use SSL, apache will start only HTTP. Having established that, when you say out of the blue - what happened? Did you or anyone else or some automatic process (e.g. log rotating cron job) restart the server? Did anyone do a kill -HUP or kill -USR1 causing apache to reload httpd.conf? Did httpd.conf change? By the way, I am not asking you to check your memory for these events - you must look in the logfile and check the modification date on httpd.conf. Check over the error_log - it contains all records of server shutdown or restart: e.g. this is what a normal shutdown and restart looks like in the log-file: [Tue Jul 3 17:02:21 2001] [notice] caught SIGTERM, shutting down [Tue Jul 3 17:02:24 2001] [notice] Apache/1.3.19 (Unix) PHP/4.0.4pl1 mod_perl/1 .25 mod_ssl/2.8.1 OpenSSL/0.9.6 configured -- resuming normal operations [Tue Jul 3 17:02:24 2001] [info] Server built: Mar 19 2001 14:44:03 Look especially for errors there. Particularly, is your mod_ssl compiled in or loaded as a DSO? If DSO, could it have failed to load? Also check the SSLEngineLog. If nothing is apparent, try the restart again and tail -f both these files to see what's going on. Report back your findings. Rgds, Owen Boyle __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: SSL client authentication access to Perl script
Angus Lee wrote: I'm not sure if SSL client authentication used up all my system resources and CPU processing power or my poor Perl programming technique leads to the fault. Can someone help? Thank you. Easy way to check - make a normal HTTP virtualhost with the same content/functionality and see if you get the same problem. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: problem with mm library
Alexander Piavka wrote: But my apache instalation in not under /usr/local/apache ,while mm module tryes to create file only under /usr/local/apache/logs directory no matter where apache is really installed. And if I create a dummy directory /usr/local/apache/logs then it works fine. So my question is, how can i make the mm module create files under real apache instalation dir. Please check you configured mm correctly when you installed it. Go to the directory in which you unpacked mm-1.1.3 and look in the top-level Makefile. Check the prefix points to the correct directory. If not, recompile. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: 127.0.0.1?
Jeshua Lacock wrote: I was wondering if when creating a test certificate, can the FQDN be 127.0.0.1 or must it be a live, qualified domain name? In other words can I enter 127.0.0.1 as the FQDN and ServerName and expect it to work? Currently I am getting a (HTTPS): Busy, Retry error... I can't think of any reason why it shouldn't work... As long as you have an SSL VH on 127.0.0.1 you should be able to connect to it. Note that you can even have a WRONG IP address in the certificate and SSL will still work - you only get a warning in the browser that the certificate and site addresses don't match. I suspect your error message is caused by something other than the use of 127.0.0.1... Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: 127.0.0.1?
Jeshua Lacock wrote: Greetings, Is it possible to have the FQDN 127.0.0.1? Or must it have to be a live domain name? I just am trying to (locally) test the functionality of the software... The address 127.0.0.1 on all systems is defined as the loopback address. So it can be used to establish a socket between transmitting and receiving processes on the same machine. The packets will pass through the full TCP/IP stack and so the session will emulate a real internet session (at least as far as the software is concerned). You don't even need a network card. All you need to do is: Listen 127.0.0.1:80 VirtualHost 127.0.0.1 DocumentRoot ... and then type http://127.0.0.1/ in a browser running on the same machine. rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: renewing certificate in modssl
Michelle Govender wrote: When installing a renewed certificate and updating the httpd.conf file to point to the new certificate file , then restarting , i still get the old certificate when connecting to the site via https. The certificate and key does match. Some random thoughts: - Why keep the old certs lying around? I would have simply copied the new files over the old ones... - Maybe the old files are stuck in a cache - do shift-reload in the browser, delete the browser cache etc. - You mention only the cert file - I take it you also swapped the key file too? - Do you go through a proxy? - what about its cache? Rgds, Owen Boyle __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Newbie Question
I am fairly new to mod_ssl and I have a question. I am wondering if there is an easy way to have support for two different certificates in mod_ssl? Certainly, just define the paths to the different certificates and keys in your IP-based or port-based VirtualHosts. (Obviously, it makes no sense to have more than one certificate for a given VH, nor can you have name-based SSL VHs). Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: MacOS-X client dev box?
Bob Davis wrote: Hi folks - I'm trying to set up dev machine with Apache and mod_ssl. Using openssl s_client -connect 127.0.0.1:443 I can get to the machine, and establish a secure connection. However, when I issue the get / http/1.1 command, I get an error page - 501, method not implemented. This might sound silly, but did you try using capital letters? HTTP protocol is case-sensitive... Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Autostart apache /w mod_ssl from init.d ?
Dave wrote: when I started the binary 'perlhttpdctl startssl' (mod_perl is compiled in as well), I was prompted for my PEM pass phrase which I entered and all is well, but what happens when I reboot this server? I am not always physically at the machine when it is rebooted or powered down/up and I was wondering if there was a way I could automate this through /etc/init.d (rc startup scripts)? This whole idea of the pass-phrase is a bit debatable... The idea is that even if a bad guy steals your certificate and sets up a fake version of your site on his own server, he still can't start it up and impersonate your site. If you are pretty sure no-one can steal your certificate, do you really need a pass-phrase? If you don't need it, you can remove it; http://www.modssl.org/docs/2.3/ssl_faq.html#ToC25 Another approach is to have a script that echoes the pass-phrase at boot (described in the above FAQ). Personally, I think that is a pointless exercise since the script needs to know the pass-phrase and if a hacker can get your certificate, he can get the script... Some people keep the script on a floppy which they insert manually at boot - in which case they might as well type in the pass-phrase. I prefer to protect my machine from intrusion so no-one can look at any files that they're not supposed to. Rgds (starting another flame-war..), Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Weird IE Problem
Tim Pushor wrote: There is a first page, which POSTS form data to a second page. When I click the submit button on the first page, IE warns that we are about to leave the secure area. After clicking OK IE gives the famous 'can'd find server or dns error' message. If you look in the address field of IE, the proper https:// address (for the second page) is in it. If I click reload, repost the form data, it works. It then will work every time after that until IE has been shut down completely, then on the first invocation of the first page it happens again. There have been other reports like this recently. The common factor seems to be a POST request under SSL. I have a suspicion that the problem is to do with the POST request. When you submit a form with POST, the server gets a message that says I'd like to execute the CGI program - the data will be along in a separate packet, in a minute... It could be that the data packet containing the POST data is failing the SSL authentication somehow (e.g. not encrypted with the appropriate session-key, not identified as coming from the correct client or something). I don't know why this should be so - does anyone have any ideas? As a test, could you replace your POST with a GET and let us know what happens? Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Did it pass?
Are Hoel wrote: That's the chicken and egg problem, you need a different IP for each SSL-based VirtualHost: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47 I have actually managed to get this working with only one IP :) That depends what you mean by working... What is happening with your set-up is the following: - HTTPS request comes in on port 443. - server needs a certificate to begin SSL-negotiation so takes the cert from the *first* VH on port 443. - SSL connection is established, symmetric session-keys are exchanged. - Now the server looks into the request and reads the Host: definition. - Using it's amazing NBVH powers, the server now gets the content from the desired VH. What's wrong with this? If the *first* SSL-VH is called www.banana.com and the requested host is www.kiwi.com then your browser will be a bit worried that the name in the certificate (banana) didn't match the site requested (kiwi). You will, at least, get a pop-up alert. You have to ask yourself why you are using SSL in the first place. If you just want to see the little padlock click shut in your browser then you're probably happy. But if you are serious about protecting the data stream between the client and server, this approach will NOT work. Authentication is an essential component of SSL. Encryption without authentication just means you have a secure channel to an insecure destination - i.e. you could be sending your credit card number, perfectly encrypted, to a crook... Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Problem serving to some browsers
Harold E. Boling wrote: I'm running Red Hat 6.2, Apache/1.3.14 and mod-ssl. My problem is this...When I submit a cgi script over ssl, I get a page can not be displayed, not even showing my error document. I can hit the back button on my browser and resubmit and all works fine. It never works on the 1st call, but always on the 2nd. It's not clear at what point you go SSL... Is the form which executes the CGI served on plain HTTP and the CGI script in an SSL virtual host? If so, and if you use the POST method, there might be a problem with the packet containing the POST data not surviving the SSL negotiation stage. You could try making sure the form is also in the SSL site (so that the negotiation is complete by the time you submit the form) or you could try using the GET method (so that the CGI parameters are sent with the request). I have the exact same script running on another similarly equipped server and all works fine... Then you are ideally placed to investigate what it is the difference between the two machines. Identify all the differences, then apply them, one-at-a-time to the faulty set-up until it starts to work. Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Serving HTTP HTTPS in one VHost-Config?
Proxies, Intranets, mod_rewrite... Aren't we getting a little carried away? All the guy was trying to do was have two VHs running off the same DocumentRoot. Now we all know you can do this with two DocumentRoot directives pointing to the same directory but that violates the Prime Directive (which is: Never Define Anything Twice). Perhaps we need to be able to declare variables (or define constants...), something like; DeclareVariable common_doc_root /home/banana/html VirtualHost banana:80 DocumentRoot common_doc_root ... /VirtualHost VirtualHost banana:443 DocumentRoot common_doc_root ... /VirtualHost Although I can think of a few reasons why this would be hard to do... (size of data, how to tell if its a variable or a literal after a directive etc.) Rgds, Owen Boyle. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
