RE: SSLVerifyClient optional redirect or be graceful upon revoked certificate

2010-01-22 Thread Peter
I proposed this a while back but never got any responses.

https://issues.apache.org/bugzilla/show_bug.cgi?id=46897

-Original Message-
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org]
On Behalf Of Jaz
Sent: Friday, January 22, 2010 9:11 AM
To: modssl-users@modssl.org
Subject: SSLVerifyClient optional redirect or be graceful upon revoked
certificate

When using "SSLVerifyClient optional" is there a way (or are there plans for
this) to redirect when mod_ssl detects a revoked certificate? What about
setting $_SERVER["SSL_CLIENT_VERIFY"] == "FAIL" just as it is when no
certificate is installed? In other words, why should the action be any
different for no-certificate and revoked-certificate?

BTW, my application is a wrapper app to self manage private SSL
certificates. The login pre-test is intended for all cases (without cert,
with cert, and revoked cert) and detects by testing
$_SERVER["SSL_CLIENT_VERIFY"] == "SUCCESS" (This is in a dedicated directory
 carefully designed to eliminate risk from MitM attacks).
This works for the two cases no-cert & valid-cert, but for revoke-cert we
get an ugly hard-stop. For example from Firefox: "SSL peer rejected your
certificate as revoked".

If this isn't appropriate for modssl-users, is rather an apache issue, then
advice for an alternate forum is appreciated. Has it already been
discussed/requested? (searched a lot but didn't find anything)

I would like to build a mod_ssl with both the option to redirect on FAIL
(separate options for no-cert and revoked-cert), and limit
initiate-renegotiation only by server, not by client. Any help is greatly
appreciated.

Thanks. 




__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Managermajord...@modssl.org



X509 variables ..UID

2008-10-10 Thread Peter Sylvester
in ssl_engine_vars, there seems to be a problem to me concerning the UID 
field.

The syntax for the field is a bitstring and not a "text".



static const struct {
   char *name;
   int   nid;
} ssl_var_lookup_ssl_cert_dn_rec[] = {
   { "C", NID_countryName},
   { "ST",NID_stateOrProvinceName}, /* officially(RFC2156) */
   { "SP",NID_stateOrProvinceName}, /* compatibility (SSLeay)  */
   { "L", NID_localityName   },
   { "O", NID_organizationName   },
   { "OU",NID_organizationalUnitName },
   { "CN",NID_commonName },
   { "T", NID_title  },
   { "I", NID_initials   },
   { "G", NID_givenName  },
   { "S", NID_surname},
   { "D", NID_description},
#if SSL_LIBRARY_VERSION >= 0x00907000
   { "UID",   NID_x500UniqueIdentifier   },
#else
   { "UID",   NID_uniqueIdentifier   },
#endif
   { "Email", NID_pkcs9_emailAddress },
   { NULL,0  }
};


--

Peter SYLVESTER
EdelWeb
Information Systems Security Consultant
---
EdelWeb - Groupe ON-X
15, quai de Dion-Bouton
F-92816 Puteaux Cedex
Tel : +33.1.40.99.14.14 / Fax : +33.1.40.99.99.58
www.edelweb.fr / www.on-x.com
---
To verify the message signature, see http://edelpki.edelweb.fr/
This lets you load the root authority certificate
<http://edelpki.edelweb.fr/cacerts/EdelPKI-ca.der>;
the list of revoked certificates can also be found there.






Re: Back in the ModSSL group?

2006-01-23 Thread Peter Reilly

It happened to me as well.
- Original Message - 
From: "Joachim Feise" <[EMAIL PROTECTED]>

To: 
Sent: Monday, January 23, 2006 11:56 AM
Subject: Re: Back in the ModSSL group?



Kyle wrote on 01/23/06 06:55:


Hi, I quit this forum a while back, and today I am suddenly receiving
e-mails again.  What's going on?  How did I get back in the group?



Ditto here.



Can someone tell me how to opt-out again?  I no longer have any of my
old subscription info, and opt-out instructions aren't included in the
e-mails like other e-mail forums I use.



It says
Automated List Manager[EMAIL PROTECTED]
at the bottom of the mails. Just send an email to that address, and you get the
usual majordomo help email with unsubscribe info.
I agree, though, that this should not have happened in the first place.

-Joe


Re: Mac IE 5 ssl errors

2004-03-26 Thread Peter Burkholder
What's the underlying OS?

SSL Session caching just doesn't seem to work on older Linuxes is what I've
discovered, and falling back to SSL2 is one thing.

Another is the Mac IE is very picky and may crap out if a page includes
non-SSL content.

P.
On Fri, Mar 26, 2004 at 12:14:43PM -0500, Randall Perry wrote:
> 
> Just noticed that Mac IE 5 is having problems with ssl connections to my
> apache 1.3.29 server. I either get the 'Security failure. Data decryption
> error,' or it'll connect but graphics won't load on https pages, and I get
> this error in httpd error.log:
> 
> [Fri Mar 26 12:05:06 2004] [error] mod_ssl: SSL handshake interrupted by
> system [Hint: Stop button pressed in browser?!] (System error follows)
> [Fri Mar 26 12:05:06 2004] [error] System: Connection reset by peer (errno:
> 54)
> 
> Found these changes to httpd.conf on searching the list, and implemented
> them, but to no avail. Anyone got a solution?
> 
> > 
> > I just solved it. Do not use an SSLProtocol line. Comment out the
> > SetEnvIf line that does nokeepalive for MSIE. Use the following
> > instead.
> > 
> > BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown \
> >downgrade-1.0 force-response-1.0
> > BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown
> > 
> > I'm also using this cipher suite line, but the default might work, too:
> > 
> > SSLCipherSuite 
> > !EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA:ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:
> > +LOW:+SSLv2:+EXP:+eNULL
> 
> -- 
> Randall Perry
> sysTame
> 
> Xserve Web Hosting/Co-location
> Website Development/Promotion
> Mac Consulting/Sales
> 
> http://www.systame.com/
> 
> 
--
Peter Burkholder, System Administrator
Digital Library for Earth System Education (DLESE® -- http://www.dlese.org)
DLESE Program Center (DPC), UCAR/DPC, P.O. Box 3000, Boulder, CO 80307-3000
Email) [EMAIL PROTECTED]  Office) +1-303-497-2663  Fax) +1 303-497-8336
Pager) +1-303-201-1284 or [EMAIL PROTECTED]


[no subject]

2004-02-18 Thread Peter Burkholder
I have httpd 2.0.48 built from source.  It's been running fine for weeks but
this morning it stopped responding to HTTPS although it kept going okay with
HTTP.  In the hopes that it would go away forever, I simply did an 
'httpd restart'.

A few hours later, Nagios told me that HTTPS connects were timing out again.
Damn.  Now I really do have a problem to fix.  I hope someone on the list
can help.

Packet tracing and ssldump indicate that clients are completing the TCP
handshake, but the server is mute after ClientHello:

SSLDUMP output:
---
New TCP connection #1: qaos(47914) <-> aegeanx.dpc.ucar.edu(443)
1 1  0.0458 (0.0458)  C>S  Handshake
  ClientHello
Version 3.1 
cipher suites
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_3DES_EDE_CBC_SHA
compression methods
  NULL
1 2  0.0754 (0.0296)  S>C  Handshake
  ServerHello
Version 3.1 
session_id[32]=
  7b a5 2d ba 12 bb 11 55 1d ed 87 28 42 87 f5 e6 
  a6 f9 9f d2 80 8d b9 d9 19 61 a2 72 19 d2 13 d5 
cipherSuite TLS_RSA_WITH_RC4_128_SHA
compressionMethod   NULL
1 3  0.0754 (0.0000)  S>C  Handshake
  Certificate
1 4  0.0754 (0.0000)  S>C  Handshake
  ServerHelloDone
1 5  0.1014 (0.0259)  C>S  Handshake
  ClientKeyExchange
1 6  0.1414 (0.0400)  C>S  ChangeCipherSpec
1 7  0.1414 (0.0000)  C>S  Handshake
1 8  0.1513 (0.0098)  S>C  ChangeCipherSpec
1 9  0.1513 (0.0000)  S>C  Handshake
1 10 0.1547 (0.0034)  C>S  application_data
---
After this the server sends an ACK,  then nothing.

I've changed the SSLSessionCache from shmht to dbm, but am I simply wishing
in the hopes that'll change anything?

Thanks,

Peter


--
Peter Burkholder, System Administrator
Digital Library for Earth System Education (DLESE® -- http://www.dlese.org)
[EMAIL PROTECTED]
DLESE Program Center (DPC)   ~~~  ~~     __o
UCAR/DPC, P.O. Box 3000   Ph) +1-303-497-2663  ~~~   ~~_`\<,_
Boulder, CO 80307-3000Fx) +1 303-497-8336  ~~~    (*)/ (*)


[no subject]

2003-12-12 Thread Peter Burkholder
I returned to an issue I'd had some time ago with older MSIE 5.x browsers.
I seemed to have solved the problem by making sure that all content is now
being fetched over https.  Previously I'd had some CSS and javascript coming
over straight http, which might raise an error in newer browsers, but seems
to cause MSIE 5.0 and 5.2 to choke completely.

Does Ralf read these posts?  It may have been obvious to more seasoned SSL
users out there, but if the FAQ had included this line.

Older MSIE 5.x browsers may choke completely if trying to load pages that
are a mix of HTTP and HTTPS.  

I would have been saved much time and anguish.

Thanks,

Peter


--
Peter Burkholder, System Administrator
Digital Library for Earth System Education (DLESE® -- http://www.dlese.org)
[EMAIL PROTECTED]
DLESE Program Center (DPC)   ~~~  ~~     __o
UCAR/DPC, P.O. Box 3000   Ph) +1-303-497-2663  ~~~   ~~_`\<,_
Boulder, CO 80307-3000Fx) +1 303-497-8336  ~~~    (*)/ (*)


Re: OT: cheap CA certificates

2003-11-17 Thread Peter Burkholder
http://www.geotrust.com/equifax/
On Mon, Nov 17, 2003 at 02:33:53PM -0500, Eric Wood wrote:
> From: "Eric Wood" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: OT: cheap CA certificates
> Date: Mon, 17 Nov 2003 14:33:53 -0500
> Reply-To: [EMAIL PROTECTED]
> 
> Where can I get cheap/reliable certs for a Apache that IE 5.5+ clients will
> authorize against?  Thawte and Verisign have outpriced themselves.
> 
> -Eric Wood
> 
--
Peter Burkholder, System Administrator
Digital Library for Earth System Education (DLESE® -- http://www.dlese.org)
[EMAIL PROTECTED]
DLESE Program Center (DPC)   ~~~  ~~     __o
UCAR/DPC, P.O. Box 3000   Ph) +1-303-497-2663  ~~~   ~~_`\<,_
Boulder, CO 80307-3000Fx) +1 303-497-8336  ~~~    (*)/ (*)


apache 1.3.29?

2003-10-29 Thread Peter Horst
Just noticed that apache 1.3.29 was released. Will mod_ssl-2.8.15 work
with this? I'm using openssl-0.9.7c. 

Thanks much.

Peter

-- 
What do you use on Linux to do your word processing? spreadsheets? slide
shows? Do you feel that ms-dos and ms-dos-office is really a better
mouse trap and worth the price? We certainly differ on this point I
think, because I believe Linux is definitely good enough for the average
user, most of whom are idiots.
 -- Alan DuBoff, linux-elitists mailing list, 12/31/02


Re: Non SSL requires a certificate acceptance

2003-10-28 Thread Peter Brown
Takeshi,

Can you share with us how you stopped the warning message - presumably in IE?

Peter

At 19:35 28/10/03 +0900, you wrote:
Everything is settled.
The reason is that a tiny JavaScript in the domainC index.html goes to an SSL
host every time it is accessed.
Thanks,
Takeshi
[EMAIL PROTECTED]



Re: Securing directories

2002-11-10 Thread Peter Viertel
I'd set these up as virtual hosts - the essence of what you want to do 
here is to make http://www.domain.com/ return different information than 
https://www.domain.com.

Having done that (by following the links in the other reply you got) you 
then will need to set up what you want to happen on the http side of 
things - there is no automatic pop-up as you were asking for.

What many do is simply configure http to do a redirect to https, like this:

Redirect / https://www.domain.com/

or you can just put up a page with a link to https and explanatory text 
- which is often a good way of doing it so they have something to look 
at for explanation if their SSL client is not compatible with your site 
for example.

-PeterV.

Robert Lagana wrote:

Hello,

Using mod_ssl on Apache, I would like to secure two directories:

https://www.domain.com/homedir

https://www.domain.com/homedir2

Now if users go to http://www.domain.com will they get a pop-up saying
that SSL is required?

Is this just a matter of having Port 80 and Port 443 enabled?

Do I set these directories up as virtual hosts?

Is there a link someone can provide that explains this?

Thanks,
Rob





Re: Configuring Multiple Certicates SSL over an unique IP

2002-11-05 Thread Peter Viertel
The default:

Listen 443

achieves this already. Is there some advantage to doing separate Listen's?

Boyle Owen wrote:


Don't forget:

Listen 192.168.1.2:443 
Listen 192.168.1.3:443

-Original Message-----
From: Peter Viertel [mailto:peter.viertel@;itaction.co.uk]
Sent: Dienstag, 5. November 2002 14:17
To: [EMAIL PROTECTED]
Subject: Re: Configuring Multiple Certicates SSL over an unique IP


I'm thinking you need to use Virtual Host directives - as others have 
replied, you already know that NameVirtualHost won't help - so you need 
to put each virtual host on a different IP (or different port if no 
spare IPs).

firstly - configure your operating system to receive all the IPs you 
want to use - usually via ip-aliases - something you can do in unix and 
windows, but don't ask me how in windows.

an example:

your real ip is 192.168.1.2 , and you set up 192.168.1.3  as an extra
alias.

I'm assuming you started with httpd.conf as provided with mod_ssl - this
should have the basic SSL configuration bits.

Then in your httpd.conf near the end, in the  section, 
create a VHost for each cert/ip you want.


   ServerName www.cert1domain.com
   SSLCertificateKeyFile conf/ssl.key/cert1.key
   SSLCertificateFile conf/ssl.crt/cert1.crt
   SSLEngine on
   ...other conf...



   ServerName www.cert2domain.com
   SSLCertificateKeyFile conf/ssl.key/cert2.key
   SSLCertificateFile conf/ssl.crt/cert2.crt
   SSLEngine on
   ...other conf...



[EMAIL PROTECTED] wrote:

Hello,

Is there a way to configure the Apache server to use multiple SSL
certificates over a single IP, one for each virtual domain?

What is the Apache configuration syntax?

Alex Moraes

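A small checker for the two points this thread turns on: each certificate needs its own IP:port (mod_ssl of this era picks the certificate by address, not by name), and each address needs its own Listen, as Owen reminds. This is an added example, not code from the thread or from mod_ssl; the httpd.conf fragment it parses is constructed inline, and the checker understands only the directives shown there.

```python
import re
from collections import Counter

# Constructed sample fragment modelled on the thread. The second vhost deliberately
# reuses 192.168.1.2 and the third address has no Listen, so the checker has
# something to report.
SAMPLE_CONF = """\
Listen 80
Listen 192.168.1.2:443

<VirtualHost 192.168.1.2:443>
   ServerName www.cert1domain.com
   SSLEngine on
   SSLCertificateKeyFile conf/ssl.key/cert1.key
   SSLCertificateFile conf/ssl.crt/cert1.crt
</VirtualHost>

<VirtualHost 192.168.1.2:443>
   ServerName www.cert2domain.com
   SSLEngine on
   SSLCertificateKeyFile conf/ssl.key/cert2.key
   SSLCertificateFile conf/ssl.crt/cert2.crt
</VirtualHost>

<VirtualHost 192.168.1.3:443>
   ServerName www.cert3domain.com
   SSLEngine on
   SSLCertificateKeyFile conf/ssl.key/cert3.key
   SSLCertificateFile conf/ssl.crt/cert3.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.M | re.I)


def split_addr(addr, default_port=443):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); '443' -> ('*', 443); '1.2.3.4' -> ('1.2.3.4', 443)."""
    if ":" in addr:
        ip, port = addr.rsplit(":", 1)
        return ip, int(port)
    if addr.isdigit():
        return "*", int(addr)
    return addr, default_port


def parse_listen(conf):
    """Set of (ip, port) Apache will bind; a bare 'Listen 443' binds every address ('*')."""
    return {split_addr(a) for a in LISTEN_RE.findall(conf)}


def parse_ssl_vhosts(conf):
    """List of (ip, port, servername, certfile) for every vhost that has SSLEngine on."""
    hosts = []
    for addr, body in VHOST_RE.findall(conf):
        if not re.search(r"^\s*SSLEngine\s+on\b", body, re.M | re.I):
            continue
        ip, port = split_addr(addr.strip())
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M | re.I)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M | re.I)
        hosts.append((ip, port, name.group(1) if name else "?", cert.group(1) if cert else "?"))
    return hosts


def check_ssl_vhosts(conf):
    """Problems found: an address shared by several SSL vhosts, or an address with no Listen."""
    binds = parse_listen(conf)
    hosts = parse_ssl_vhosts(conf)
    problems = []
    for (ip, port), n in sorted(Counter((h[0], h[1]) for h in hosts).items()):
        if n > 1:
            names = ", ".join(h[2] for h in hosts if (h[0], h[1]) == (ip, port))
            problems.append(f"{ip}:{port} is shared by {n} SSL vhosts ({names}); "
                            "only the first certificate will ever be presented")
        if (ip, port) not in binds and ("*", port) not in binds:
            problems.append(f"no Listen directive for {ip}:{port}")
    return problems


if __name__ == "__main__":
    for problem in check_ssl_vhosts(SAMPLE_CONF) or ["no problems found"]:
        print(problem)
```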



Re: Configuring Multiple Certicates SSL over an unique IP

2002-11-05 Thread Peter Viertel
I'm thinking you need to use Virtual Host directives - as others have 
replied, you already know that NameVirtualHost won't help - so you need 
to put each virtual host on a different IP (or different port if no 
spare IPs).

firstly - configure your operating system to receive all the IPs you 
want to use - usually via ip-aliases - something you can do in unix and 
windows, but don't ask me how in windows.

an example:

your real ip is 192.168.1.2 , and you set up 192.168.1.3  as an extra alias.

I'm assuming you started with httpd.conf as provided with mod_ssl - this 
should have the basic SSL configuration bits.

Then in your httpd.conf near the end, in the  section, 
create a VHost for each cert/ip you want.


   ServerName www.cert1domain.com
   SSLCertificateKeyFile conf/ssl.key/cert1.key
   SSLCertificateFile conf/ssl.crt/cert1.crt
   SSLEngine on
   ...other conf...



   ServerName www.cert2domain.com
   SSLCertificateKeyFile conf/ssl.key/cert2.key
   SSLCertificateFile conf/ssl.crt/cert2.crt
   SSLEngine on
   ...other conf...



[EMAIL PROTECTED] wrote:

Hello,

Is there a way to configure the Apache server to use multiple SSL
certificates over a single IP, one for each virtual domain?

What is the Apache configuration syntax?

Alex Moraes




Re: Certificate Server

2002-11-03 Thread Peter Viertel
You certainly can. See the OpenSSL FAQ

http://www.openssl.org/support/faq.cgi#USER4

Miguel Angel Gomez Animas wrote:

Hi all

I want to know if it is possible to create a server certificate with modssl,
something like a personal verisign or something like this...

What do I have to do???, can you help me with this???

Thanks a lot





Re: httpd.conf

2002-09-11 Thread Peter Viertel

I notice that your virtual hosts are all using the ip address of your 
machine, but your testing example uses http://localhost/
It's probably worth pointing out that localhost usually resolves to 
127.0.0.1 which is not the same thing as your machine's ip address.
Try testing against https://192.168.0.3/


Cuong Tran wrote:

>Thanks for the tip John,
>
>But that shuts down port 443 altogether. I still need
>it open for my 1 SSL host
>
>
>ServerName secure
>DocumentRoot /path
>ServerAdmin root@localhost
>ServerSignature email
># Turning the 3 below on is VERY important
>SSLEngine on
>SSLCertificateFile
>/etc/httpd/conf/ssl.crt/server.crt
>SSLCertificateKeyFile
>/etc/httpd/conf/ssl.key/server.key
># must manually create file first
>SSLLogFile
>/var/www/html/WEBSITES/SITE2/logs/ssl.log
>
>
>
> --- John Ott <[EMAIL PROTECTED]> wrote: > Cuong Tran
>wrote:
>  
>
>>> The problem I am
>>>having is that all the
>>>normal virtual hosts as a result have been SSL
>>>readable as well.
>>>  
>>>
>>>#  (below) won't make it automatically listen on
>>>  
>>>
>>the
>>
>>
>>>virtual server's port.
>>>Listen 443
>>>  
>>>
>>Change the above to
>>Listen 192.168.0.3:443
>>that will get the result you desire.
>>
>>later
>>John
>>
>>
>



Using a different CA

2002-09-06 Thread Peter Hicks

Hello List,

I have a question regarding the use of a different CA. I recently
purchased an SSL certificate from comodo.net and I have not been able
to get it to work properly. My browser responds that it cannot
recognize the issuer of the certificate. I am running apache 1.3.26,
mod-ssl 2.8.9, and openssl 0.9.6c on a debian woody system.


The global-ca.txt file has been downloaded from their site, and I have
contacted their tech support, who have provided me with no answers.

I have the following directive in my
vitual host container tags:


SSLEngine on
SSLCertificateFile/etc/apache/ssl.crt/site.crt
SSLCertificateKeyFile /etc/apache/ssl.key/site.key
SSLCACertificateFile /etc/apache/ca-bundle/global-ca.txt
SetEnvIf User-Agent ".*MSIE.*"  nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0



Has anyone else had any experience with comodo? Should I break down
and shell out the extra $$ for a Thawte cert?

Any help would be greatly appreciated!

-- 
Peter Hicks
GnuPG public key: http://jah.net/~petong/public_key.txt
Key Fingerprint: 4E24 3C78 A165 537C 729C  8D25 3547 3CE9 9E7D 42B6
Every why hath a wherefore. -- William Shakespeare, "A Comedy of Errors"
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: MSIE Bugs, Summary available ?

2002-08-22 Thread Peter Viertel

My money is on a SSL session resume problem. Make sure your SSL session 
cache is configured correctly - one thing that really bites us all in 
the butt is that some MSIE versions get annoyed when it tries to resume 
a session in what it thinks is a reasonable amount of time and finds the 
server refuses to do it - to satisfy this requirement you need SSL 
sessions to be cached for long enough - try 10 minutes - and use ssldump 
to verify that sessions are actually being resumed. The point here is 
that according to the SSL/TLS spec it's alright for the server to refuse 
to resume a session, and most other browsers handle that bit correctly.

Christoph Gröver wrote:

>Hi All.
>
>
>We have also these "popular" MSIE SSL 3.0 Problems.
>
>The Problem as we have found it:
>
>We have the Apache Versions 1.3.19, 1.3.22, 1.3.23 with the mod_ssl
>Versions 2.8.4 - 2.8.7 running on different systems.
>No proxy, no Firewall in between, just plain LAN.
>
>We have tested all available browsers. The result is pretty obvious:
>
>All non-Microsoft browsers work flawlessly ( Netscape, Mozilla, konqueror,
> galeon, wget, cURL etc. )
>
>All MSIE's do not work (incl. 5.0, 5.5, 6.0x Versions).
>
>Not working means: They work most of the time, but now and then, especially
>if the web user is a minute or more idle, the next request gives the infamous
>"page cannot be displayed,  server or dns error" - blaming nonsense.
>
>Of course all standard MSIE workarounds are enabled.
>Also I have found a document via Google with a list of especially
>buggy implemented ciphers and have disabled them all.
>
>But to no avail.
>
>
>Does anybody have any summary for any possible solution to these bugs.
>
>(Yes, I know the only real solution is to not use MSIE, but we cannot force
>every user to use a real webbrowser).
>
>Thanks for your time.
>
>
>  
>





Failure to generate CSR WinNT/Apache - Help

2002-08-21 Thread Peter McMillan

I have followed the Apache+SSL Win32 howto to the letter.
I am unable to get openssl to generate a CSR on a WinNT 4 server.

I issue the command:
openssl req -config openssl.cnf -new -out my-server.csr
Follow the script making the appropriate entries.

At the end of the script, I fail to write out any of the files.

I re-ran the same installer on a Win2k box with no problem.

Are there known Apache 1.3.26+SSL issues? I've searched this list but
haven't seen a conclusive answer.

Thank you,

Peter




Re: Resetting passphrase

2002-08-20 Thread Peter Viertel

you have only one option - renew the certificate

you have to pay up again, and submit a new csr based on a new key, but 
with identical certificate information.
not sure about verisign, but at least with thawte the renewal adds a 
year to the expiry date of the previous certificate, so at least you're 
not losing money on the deal, you're just renewing earlier than needed.


Ben Ricker wrote:

>I (stupidly) forgot what my passphrase is for a server cert I have
>created using OpenSSL. The cert is certified by verisign. Is there a way
>I can reset the passphrase WITHOUT recreating the cert?
>
>Ben Ricker
>Wellinx, Inc.
>



Re: Problem starting Apache (yes I have read the FAQs!)

2002-08-20 Thread Peter Viertel

there's more info on this in the reference manual, than the FAQ.

http://www.modssl.org/docs/2.8/ssl_reference.html#ToC4

Basically try changing the 'startup' one to use a 
file:/path/to/file/with/junk/in/it that points at a file with something 
random enough in it - I'm not mr crypto, but, by random I take it that 
something an outside party can't guess ought to be enough, and you need 
to experiment with file lengths a bit to find what works enough - some 
people advocate using the syslog output. Of course if you're just 
hacking around and you don't care that the NSA or the Home Office might 
be able to decrypt your ssl streams, then why stress out about it?

the 'connect' one however should get by using the builtin or see if you 
can get egd working - this one does affect performance, so avoid using 
the exec: option because spawning processes is not cheap on resources.

[EMAIL PROTECTED] wrote:

>Hi all -
>
>This seems to be a commonly reported problem, but for all the archives
>and FAQs I've read, I am no further forward. Here is the situation: 
>
>Apache 1.3.26, openSSL 0.9.6g, mod_ssl 2.8.10-1.3.26, Compaq Tru64 UNIX
>4.0F.
>
>On starting Apache, it immediately exits and logs the following in the
>error log file:
>
>[Tue Aug 20 15:50:13 2002] [error] mod_ssl: Init: Failed to generate
>temporary 512 bit RSA private key (OpenSSL library error follows)
>[Tue Aug 20 15:50:13 2002] [error] OpenSSL: error:24064064:random number
>generator:SSLEAY_RAND_BYTES:PRNG not seeded
>[Tue Aug 20 15:50:13 2002] [error] OpenSSL: error:04069003:rsa
>routines:RSA_generate_key:BN lib
>
>The FAQ refers to the SSLRandomSeed directive; this is set in the
>httpd.conf file as
>
>SSLRandomSeed startup builtin
>SSLRandomSeed connect builtin
>
>(As I'm running on Tru64 I don't have the option of using /dev/random)
>
>It also refers to problems at the "make certificate" stage; that seems
>to have gone through without any problems.
>
>I've also read that there are problems with PHP, so I have removed all
>reference in the httpd.conf file to the dynamic PHP module, and for good
>measure the dynamic Apache Jserv module, so these are not loading. Still
>no difference.
>
>Can anyone offer me some more pointers?
>
>Thanks
>
>Richard
>
>--
>
>Richard Rogers
>IT Services, Staffordshire University
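The "(OpenSSL library error follows)" chains in this thread, and the "(System error follows)" chain in the Mac IE 5 thread above, are easy to misread one line at a time. The following added example (not from the list or from mod_ssl) groups such a chain into one event and separates a fatal server-side configuration problem (PRNG not seeded) from a benign client abort; the sample log is constructed from the lines quoted on this page, rejoined onto single lines.

```python
import re
from collections import Counter

# Constructed sample log: the error lines quoted in this thread and in the Mac IE 5
# thread, plus one ordinary notice line so there is something that is not an error.
SAMPLE_LOG = """\
[Tue Aug 20 15:50:13 2002] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
[Tue Aug 20 15:50:13 2002] [error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
[Tue Aug 20 15:50:13 2002] [error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib
[Fri Mar 26 12:05:06 2004] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Fri Mar 26 12:05:06 2004] [error] System: Connection reset by peer (errno: 54)
[Fri Mar 26 12:06:00 2004] [notice] Apache/1.3.29 (Unix) mod_ssl/2.8.15 OpenSSL/0.9.7c configured -- resuming normal operations
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
# OpenSSL's packed error string: error:<8 hex digits>:<library>:<function>:<reason>
OSSL_RE = re.compile(r"error:(?P<code>[0-9a-fA-F]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)")

# First matching rule wins; applied to the head line, then to each detail line.
RULES = [
    (re.compile(r"PRNG not seeded"), "prng-unseeded", "fatal-config"),          # SSLRandomSeed problem
    (re.compile(r"handshake interrupted by system"), "client-abort", "benign"),  # browser gave up
]


def parse_line(line):
    """One error_log line -> dict(ts, level, msg[, code, lib, func, reason]); None if not a log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    o = OSSL_RE.search(rec["msg"])
    if o:
        rec.update(o.groupdict())
    return rec


def group_events(log_text):
    """Attach the 'OpenSSL:' / 'System:' lines that follow a mod_ssl head line to that line.

    mod_ssl logs one head line and then dumps the library error stack with the same
    timestamp, so the whole chain is treated as a single event."""
    events, current = [], None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (current is not None and current["ts"] == rec["ts"]
                and rec["msg"].startswith(("OpenSSL:", "System:"))):
            current["details"].append(rec)
            continue
        current = {"ts": rec["ts"], "level": rec["level"], "head": rec, "details": []}
        events.append(current)
    return events


def classify(event):
    """(category, severity) from the first rule that matches the head or any detail line."""
    for rec in [event["head"], *event["details"]]:
        for pattern, category, severity in RULES:
            if pattern.search(rec["msg"]):
                return category, severity
    return "other", ("unclassified" if event["level"] == "error" else "info")


def summarize(log_text):
    """Event counts per category, e.g. {'prng-unseeded': 1, 'client-abort': 1, 'other': 1}."""
    return dict(Counter(classify(e)[0] for e in group_events(log_text)))


def needs_operator_action(log_text):
    """True when at least one event is a server-side configuration failure, not a client abort."""
    return any(classify(e)[1] == "fatal-config" for e in group_events(log_text))


if __name__ == "__main__":
    for event in group_events(SAMPLE_LOG):
        category, severity = classify(event)
        print(f"{event['ts']}  {category:14} {severity:12} {event['head']['msg'][:60]}")
    print(summarize(SAMPLE_LOG), "operator action:", needs_operator_action(SAMPLE_LOG))
```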



Re: SSL Accelerators

2002-08-02 Thread Peter Viertel

My recommendation is to look through openssl-engine doco and pick a 
supported card.

 From experience, I can say that the nCipher ones work just fine on 
sparc-solaris, I'm sure the other cards there do the job too.

I was testing out an nCipher nFast800 PCI card in a netra T1 today - 
seems to work as advertised... 800 sessions/second is what they say - 
it's based on the broadcom chip which a few vendors seem to have 
utilised. I don't know what your idea of affordable is and I don't 
actually know what they retail for though - see www.ncipher.com for 
sales contacts I guess, unfortunately you don't see these on ebay very often.

The openssl-engine support for this one is invoked with the name 'ubsec'

for comparison here's the output of openssl speed -engine ubsec on my 
440Mhz Netra T1 test machine:

                  sign    verify    sign/s verify/s
rsa  512 bits   0.0001s   0.0001s  14426.2  19789.0
rsa 1024 bits   0.0001s   0.0001s  15316.7  14650.9
rsa 2048 bits   0.0000s   0.0000s  24600.0  83740.0
rsa 4096 bits   0.0250s   0.0247s     40.0     40.5
                  sign    verify    sign/s verify/s
dsa  512 bits   0.0000s   0.0000s  30890.0  26485.6
dsa 1024 bits   0.0000s   0.0000s  29602.1  26078.6
dsa 2048 bits   0.0000s   0.0000s  29574.0  27347.2

and without acceleration.

                  sign    verify    sign/s verify/s
rsa  512 bits   0.0058s   0.0005s    171.6   1835.3
rsa 1024 bits   0.0325s   0.0018s     30.8    566.0
rsa 2048 bits   0.2085s   0.0063s      4.8    159.6
rsa 4096 bits   1.4543s   0.0232s      0.7     43.2
                  sign    verify    sign/s verify/s
dsa  512 bits   0.0054s   0.0067s    185.2    149.6
dsa 1024 bits   0.0173s   0.0216s     57.8     46.4
dsa 2048 bits   0.0607s   0.0758s     16.5     13.2



Daniel Lopez wrote:

>On Fri, Aug 02, 2002 at 10:29:58AM -0700, David Lowenstein wrote:
>  
>
>>Can anyone out there recommend an affordable ssl accelerator that will
>>work with a sun enterprise 420? I'm interested in either a pci card or a
>>standalone unit.
>>
>>Unfortunately I'm about to launch a website under ssl and we really don't
>>know just how much that's going to hamper performance.
>>
>>Also, any performance tuning tips for ssl would be appreciated (for
>>apache webserver with mod_perl and bea weblogic)
>>
>>
>
>My first advice would be to compile openssl with assembly optimizations on,
>and make sure you configure session caching in the mod_ssl side.
>Have you considered having dedicated boxes doing the ssl, serving static
>content, and reverse proxying to the real servers?
>That will also reduce the load in Apache, since each request ties a process
>and in turn that child has an expensive Perl interpreter embedded, whether it
>is serving static content or not. (I am assuming you are using 1.3 here)
>
>Cheers
>
>Daniel
>
>--
>Teach Yourself Apache 2 -- http://apacheworld.org/ty24/





Re: turning off SSL v2 in modssl

2002-08-01 Thread Peter Viertel

That will turn it off... see the reference guide at
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC9

I wonder if it's time to leave SSLv2 off completely? How many browsers
out there don't work with v3 these days?

Aditya wrote:

>Is it sufficient to change:
>
> +SSLv2
>
>to 
>
> -SSLv2
>
>in SSLCipherSuite to disable SSLv2 in modssl? Is that enough to at least
>temporarily limit the exposure to the latest openssl vulnerability while I
>upgrade multiple machines?
>
>Thanks,
>Adi




Re: apachectl restart problem...

2002-07-31 Thread Peter Viertel

Reloads don't work if your keys are encrypted - is this the case here?

I have happily sent a SIGUSR1 to an SSL apache setup each night for two
years - and never a problem - it only goes awry if a cert or key changes.

Sean M Alderman wrote:

>I thought it might be something like that, but typically when I've run
>into this, I've made a change to a http virtual host, and all the other
>virtual hosts ssl or not, are then not accessible.  Maybe apache needs a
>better way to reload configs for virtual hosts (such that it doesn't
>bother anything else)...but that's not a topic for this list.  :) 
>Thanks for the response.
>
>On Wed, 2002-07-31 at 09:48, Boyle Owen wrote:
>  
>
>>>From: Sean M Alderman [mailto:[EMAIL PROTECTED]]
>>>
>>>Greetings all,
>>> I'm curious if anyone has come across issues with starting apache
>>>using -
>>># $APACHE_HOME/bin/apachectl startssl
>>>and then having apache hang when issuing this -
>>># $APACHE_HOME/bin/apachectl restart
>>>
>>>I'm running 1.3.26 with the latest mod_ssl on Solaris 8.  I don't get
>>>any error messages in the logs, and apachectl says that it 
>>>restarts just
>>>fine, but when you point a browser back to the server it does not
>>>respond.  I can fix it with an apachectl stop;apachectl startssl, but
>>>I'm just curious about not being able to do the restart.
>>>  
>>>
>>Restart sends a HUP to apache. I've found that this is sometimes insufficiently
>>forceful to make apache reload certain SSL parameters (e.g. if you change the
>>certificate). However, it should be sufficient for non-SSL edits.
>>
>>Rgds,
>>Owen Boyle





mod_ssl and mod_jk

2002-07-30 Thread Peter Choe

I am trying to get mod_jk to work with mod_ssl.  I am able to compile
mod_jk, but when I try to start apache and I have mod_jk and mod_ssl
enabled, I get a message saying that apache cannot start.

If I have one or the other, apache can start.  Is this a known
problem?  How can I fix this?

Peter Choe




Re: mod_ssl newbie

2002-07-30 Thread Peter Choe

you probably want to look at .htaccess which would prompt people for userid 
and password to access certain parts of your webserver.

ssl provides encryption so that data being sent back and forth between your 
server and the client can't be easily read.

At 03:37 PM 7/30/2002, you wrote:
>Hello,
>I am new to the ssl world. Right now I am running w2k with apache 1.3.23 web
>server. I downloaded the mod_ssl package from the website. I changed the
>port on my apache web server to 443. On a high level what do i need to do to
>create a secure web server? I guess my real problem is i don't know what ssl
>does for me. What i am looking for is something that can password protect
>the files on my server. I want to let specific people to access my site and
>that is it. They must have a password to use it. Is mod_ssl what i want or
>should i be looking else where?
>thanks for any input,
>brian

Peter Choe




Re: using rewrite with mod_ssl

2002-07-30 Thread Peter Viertel

If you cut and pasted that straight from your config then you have a 
typo in the rule

Instead of:

RewriteCond %{SERVER_PORT}  !^443$
RewriteRule ^/manual/(.*)   https://%{SERVER_NAME}/$1 [L,R]

try

RewriteCond %{SERVER_PORT}  !^443$
RewriteRule ^/(manual/.*)   https://%{SERVER_NAME}/$1 [L,R]



Peter Choe wrote:

> I have successfully limited access to a directory using mod_ssl,
> meaning that the files in that directory will only show when it uses
> ssl protocol.  But when it doesn't use ssl protocol but just
> http://hostname/manual, it gives me a page can't be displayed message.
>
> I thought that with the rewrite, it would automatically send it to the
> ssl protocol (https://hostname/manual).  Am I wrong to think this?
>
> this is the rewrite statement i have in my httpd.conf
>
> RewriteCond %{SERVER_PORT}  !^443$
> RewriteRule ^/manual/(.*)   https://%{SERVER_NAME}/$1 [L,R]
>
> how can i set up my server so that when someone goes to 
> http://hostname/manual, they will automatically get redirected?
>
>
> Peter Choe
>



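To see why the placement of the capture group matters, here is an added shell script, not part of the thread, that emulates how mod_rewrite would expand both rules above on sample request paths and applies the RewriteCond on the port. The hostname www.example.test and the paths are constructed values.

```shell
#!/bin/sh
# Added example, not code from the thread: emulates how mod_rewrite expands
# the two RewriteRule variants above, so the effect of where the capture
# group sits can be seen on sample request paths. The hostname
# www.example.test and the paths are constructed values.

# rewrite_original HOST PATH: the rule as posted, ^/manual/(.*).
# $1 captures only what follows "/manual/", so the redirect target loses
# the directory and points at https://HOST/<rest>.
# (HOST is inserted into the sed replacement as-is; keep it free of # and &.)
rewrite_original() {
    printf '%s\n' "$2" | sed -E 's#^/manual/(.*)#https://'"$1"'/\1#'
}

# rewrite_fixed HOST PATH: the corrected rule, ^/(manual/.*).
# $1 now captures "manual/..." as a whole, so the target keeps the path.
rewrite_fixed() {
    printf '%s\n' "$2" | sed -E 's#^/(manual/.*)#https://'"$1"'/\1#'
}

# redirect_decision PORT HOST PATH: applies the RewriteCond first (only
# requests not already on port 443 are redirected), then the corrected rule.
# Prints the Location target, or "no-redirect" when the condition fails or
# the pattern does not match (a plain-http request outside /manual/).
redirect_decision() {
    port=$1; host=$2; path=$3
    if [ "$port" = "443" ]; then
        echo no-redirect
        return 0
    fi
    target=$(rewrite_fixed "$host" "$path")
    if [ "$target" = "$path" ]; then
        echo no-redirect
    else
        echo "$target"
    fi
}

# Stand-alone demonstration of the two rules on the same request.
echo "original rule: $(rewrite_original www.example.test /manual/index.html)"
echo "fixed rule:    $(rewrite_fixed    www.example.test /manual/index.html)"
echo "port 80 /manual/mod/ssl.html -> $(redirect_decision 80 www.example.test /manual/mod/ssl.html)"
echo "port 443 /manual/index.html  -> $(redirect_decision 443 www.example.test /manual/index.html)"
```

With the original rule the browser is sent to https://www.example.test/index.html, which is exactly the "page can't be displayed" symptom in the question; with the corrected rule the path under /manual/ survives the redirect.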


using rewrite with mod_ssl

2002-07-30 Thread Peter Choe

I have successfully limited access to a directory using mod_ssl, meaning
that the files in that directory will only show when it uses ssl
protocol.  But when it doesn't use ssl protocol but just
http://hostname/manual, it gives me a page can't be displayed message.

I thought that with the rewrite, it would automatically send it to the ssl
protocol (https://hostname/manual).  Am I wrong to think this?

this is the rewrite statement i have in my httpd.conf

RewriteCond %{SERVER_PORT}  !^443$
RewriteRule ^/manual/(.*)   https://%{SERVER_NAME}/$1 [L,R]

how can i set up my server so that when someone goes to 
http://hostname/manual, they will automatically get redirected?


Peter Choe




simple question

2002-07-29 Thread Peter Choe

I am very new to mod_ssl. I am trying to figure out how to set up some
specific directories to accept ssl connections. I have looked at the
documentation and the mail archives, but was unable to decipher how to do this.
When I look at the httpd.conf file, I saw a DocumentRoot specifying the root
directory of my webserver. If I changed that to a directory below, it
doesn't seem to affect whether or not the root document is no longer ssl
enabled.

any help would be appreciated.


Peter Choe




Re: startssl means nothing.

2002-07-07 Thread Peter Viertel

All startssl does in the apachectl script is run httpd with -DSSL; this
activates any directives in httpd.conf that are between <IfDefine SSL>
and </IfDefine>, so if you have not got an appropriately patched
httpd.conf then it won't do anything.

It looks as if you're using the with-apxs method to build libssl, that
is you're building against the precompiled rpm of apache; in this method
the httpd.conf would not get touched I don't think, or maybe it alters
conf/httpd.conf-dist.

The patch script under mod_sslx/pkg.sslcfg/sslcfg.patch should add
the bits in that you need - including the Listen 443 directive that is
missing.

But my advice is that for security reasons you should start with the
source trees of apache 1.3.26 and mod_ssl 2.8.10 - use the first method,
in which mod_ssl patches the apache source tree, and build apache
yourself. The rpm version you have is subject to a security advisory.


Mark-Nathaniel Weisman wrote:

> Hello List:
>   I'm kinda stuck here so I figured I'd try the list to see if I can 
> get any movement. I've got my local server certificate created, I've 
> even created a ca.key so that I can sign my own certs. I've installed 
> the following on my redhat 6.2 webserver:
> apache-1.3.22-5.6
> apache-devel-1.3.23-15
> openssl-0.9.5a-7.6
> mod_ssl-2.8.7-6
>   I've used only rpm files with this install. I've installed all three
> packages with their dependencies, the openssl and mod_ssl were
> compiled from source. However, two things did not happen,
>  1. There were no changes made to my httpd.conf file?
>  2. My httpd script does not recognize startssl as an option.
>  3. Port 443 is not open on the box even if I set a VirtualHost 
> directive.
>
> Any ideas?
>
> His Faithful Servant,
> Mark






Apache mod_ssl hanging browser

2002-06-27 Thread Peter Cronin

Was wondering if anyone can help me? I believe I
have mod_ssl loaded correctly and configured correctly, but I get the following
situation when I access my SSL site.
- https://secure.aebdemo.com, it just hangs
on site, but says host contacted...
- this is what the SSL.log says: It looks like it
configures ok for secure.aebdemo.com:443
 

[26/Jun/2002 22:01:53 02320] [info] Init: Configuring server 
secure.aebdemo.com:443 for SSL protocol
[26/Jun/2002 22:01:53 02404] [info] Server: Apache/1.3.26, Interface: 
mod_ssl/2.8.9, Library: OpenSSL/0.9.6d
[26/Jun/2002 22:01:53 02404] [warn] You are using mod_ssl under Win32. This 
combination is *NOT* officially supported. Use it at your own risk!
[26/Jun/2002 22:01:53 02404] [info] Init: 1st startup round (still not 
detached)
[26/Jun/2002 22:01:53 02404] [info] Init: Initializing OpenSSL library
[26/Jun/2002 22:01:53 02404] [info] Init: Loading certificate & private 
key of SSL-aware server secure.aebdemo.com:443
[26/Jun/2002 22:01:53 02404] [info] Init: Seeding PRNG with 136 bytes of 
entropy
[26/Jun/2002 22:01:53 02404] [info] Init: Generating temporary RSA private 
keys (512/1024 bits)
[26/Jun/2002 22:01:53 02404] [info] Init: Configuring temporary DH parameters 
(512/1024 bits)
[26/Jun/2002 22:01:53 02404] [info] Init: Seeding PRNG with 136 bytes of 
entropy
[26/Jun/2002 22:01:53 02404] [info] Init: Configuring temporary RSA private 
keys (512/1024 bits)
[26/Jun/2002 22:01:53 02404] [info] Init: Configuring temporary DH parameters 
(512/1024 bits)
[26/Jun/2002 22:01:53 02404] [info] Init: Initializing (virtual) servers for 
SSL
[26/Jun/2002 22:01:53 02404] [info] Init: Configuring server 
secure.aebdemo.com:443 for SSL protocol
[26/Jun/2002 22:02:02 02404] [info] Connection to child 0 established (server 
secure.aebdemo.com:443, client 205.229.222.70)
[26/Jun/2002 22:02:02 02404] [info] Seeding PRNG with 0 bytes of 
entropy
 
My current configuration is:
Windows 2000 SP2
Apache 1.3.26
mod_ssl 2.8.9
openssl .0.9.6d
 
my configuration in httpd.conf is:

SSLMutex sem
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLSessionCache none
SSLLog logs/SSL.log
SSLLoglevel info

NameVirtualHost 205.229.222.9:443

Port 443
ServerName secure.aebdemo.com
DocumentRoot d:/data/lm
ErrorLog logs/secureaeb-error_log
CustomLog logs/secureaeb-access_log combined
SSLEngine On
SSLCertificateFile conf/ssl/secure.aebdemo.com.cert
SSLCertificateKeyFile conf/ssl/secure.aebdemo.com.key
Any help would be appreciated.

Peter S. Cronin
Plexsys Technologies, Inc
http://www.psconcepts.com
732-280-9550


Re: getting close with apache2, ssl, solaris 8

2002-06-26 Thread Peter Viertel

I think your confusion is in using the cakey when in fact you should use
the key that you made the cert request from for the Server Private Key
directive.

e.g.: if you used the following two invocations of openssl

openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr

...then however you get a cert from the csr (use CA.sh or pay a real
CA, or sign.sh), the cert gets saved as server.crt

then the Apache conf would be:

SSLCertificateKeyFile conf/ssl.key/server.key
SSLCertificateFile conf/ssl.crt/server.crt

if I'm not making any sense, then see if the Modssl FAQ is better for 
you : http://www.modssl.org/docs/2.8/ssl_faq.html#cert-real


Jeff Landers wrote:

>I am getting the key values mismatch error which seems like it should be pretty basic 
>in that they don't match just like it says. However, I remade the CA, cert request, 
>and signed it using the CA.sh -newca, CA.sh -newreq, and CA.sh -sign  which created 
>the cakey.pem and the newcert.pem. I pointed the Server Private Key directive at the 
>cakey.pem and the Server Certificate directive at the newcert.pem  but still get the 
>mismatch error. I searched the archives for this rookie mistake but can't figure out 
>what I am doing wrong. Point me in the right direction, please. Thank you everyone 
>for all of the help in getting this far. Sign me...
>
>Close but no cigar.
>



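As an added example, not from the thread and not mod_ssl's own code, here is the check that separates the two situations Peter describes: generate the same kind of material the CA.sh workflow produces (a CA key and cert, a server key, a CSR made from that key, and a cert signed by the CA), then compare the RSA modulus in a key with the modulus in the certificate. The file names, the CN values and the temporary directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduces the "key values
# mismatch" situation above with throwaway material and shows the check
# that tells a matching key/cert pair from a mismatched one.
# All file names, the CN values and the temp directory are constructed.

# make_test_material DIR: builds what the CA.sh workflow in the thread
# produces: a CA key+cert, a server key, a CSR from that server key, and a
# server cert signed by the CA. Keys are left unencrypted so the check
# below does not prompt for a passphrase.
make_test_material() {
    d=$1
    openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/cakey.pem" -subj "/CN=Test CA" \
        -days 1 -out "$d/cacert.pem" 2>/dev/null
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -subj "/CN=www.example.test" \
        -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -set_serial 1 -days 1 \
        -out "$d/server.crt" 2>/dev/null
}

# key_matches_cert KEY CERT: prints "match" when the RSA modulus in the
# private key equals the one in the certificate, "MISMATCH" otherwise
# (an unreadable file also counts as a mismatch). mod_ssl refuses to
# start when SSLCertificateKeyFile and SSLCertificateFile disagree here.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null || true)
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null || true)
    if [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

# Stand-alone demonstration: the server key matches the server cert, the
# CA key (the file the poster pointed the private key directive at) does not.
demo_dir=$(mktemp -d)
make_test_material "$demo_dir"
echo "server.key vs server.crt: $(key_matches_cert "$demo_dir/server.key" "$demo_dir/server.crt")"
echo "cakey.pem  vs server.crt: $(key_matches_cert "$demo_dir/cakey.pem" "$demo_dir/server.crt")"
rm -rf "$demo_dir"
```

The modulus comparison is the RSA-specific form of the check; for a non-RSA key, comparing the output of `openssl pkey -pubout` with `openssl x509 -noout -pubkey` does the same job.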


Re: hanging apache processes (1.3.29 + mod_ssl 2.8.9)

2002-06-24 Thread Peter Viertel




Perhaps if you watch the session with Eric Rescorla's excellent ssldump tool
you may get to the bottom of it

http://www.rtfm.com/ssldump/

Or another possibility altogether... I had a problem which looked similar
to this which was some solaris specific mutex bug which meant that child
processes did not get released properly after certain types of SSL connections
- this was fixed only with rev 1.3.24, and also by adding 'AcceptMutex pthread'
to the config file.

Alex Kotov wrote:

> I've seen strange problems with IE5, too, but these connections have
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; DigExt)" as
> User-Agent. Unfortunately, changing tcp keepalive setting is not an
> option for us.
>
> I don't know all the intricacies of SSL handshake, but it looks like it
> starts by the server trying to read 11 bytes from the client, and this is
> where mod_ssl may wait for a long time without checking for a timeout.
> Could someone point me to the place in the code where this read happens? I
> would hate to switch to stronghold :(
>
> Thanks,
> - Alex
>
> On Mon, 24 Jun 2002, Andy Osborne wrote:
>
>> I've seen this happen sometimes on our SSL servers (which do
>> quite a lot of traffic).  A quick search of the logs for
>> recent connections from the same address always shows the
>> client as IE5.0 - which is known to be broken.  The connections
>> seem to stall in the SSL negotiation and get killed off
>> by our rather intolerant tcp keepalive settings.  I've never
>> found a real answer to the problem.
>>
>> Andy
>>
>> Alex Kotov wrote:
>>
>>> Hi Cliff,
>>>
>>> Thanks for your response.
>>>
>>> I'm using
>>>
>>> SSLRandomSeed startup builtin
>>> SSLRandomSeed connect builtin
>>>
>>> and 5 is definitely the file descriptor for the network connection.
>>>
>>> Is there anything else I should check?
>>>
>>> Thanks,
>>> - Alex
>>>
>>> On Mon, 24 Jun 2002, Cliff Woolley wrote:
>>>
>>>> On Sun, 23 Jun 2002, Alex Kotov wrote:
>>>>
>>>>> After a while the server processes become stuck while waiting for
>>>>> the data from a socket.
>>>>> Running strace on a hung process produces
>>>>> read(5,
>>>>> for a long time, eventually followed by
>>>>> read(5, 0x959d2d8, 11) = -1 ETIMEDOUT (Connection timed out)
>>>>
>>>> Are you sure that file descriptor 5 is the connection to the client?
>>>>
>>>> What SSLRandomSeed are you using?  This sounds like one of those
>>>> /dev/random not-enough-entropy problems to me.
>>>>
>>>> --Cliff
>>
>> --
>> Andy Osborne    "Vertical B2B Communities"
>> Senior Internet Engineer
>> Sift Group    100 Victoria Street, Bristol BS1 6HZ
>> tel:+44 117 915 9600  fax:+44 117 915 9630   http://www.sift.co.uk




Re: Two copies of Apache running on the same server...

2002-06-24 Thread Peter Viertel

You can run as many instances of apache as your system can support so
long as no two instances listen on the same port - at least that's the
theory.
In practice, apache writes to various files such as the .pid file,
lockfiles, mutex lockfiles etc - and it can be difficult to make sure
the different instances don't run into each other (and remembering this
each time you compile a new version).

On the other hand, it's usually just not necessary to run multiple
instances - one apache instance can serve http and https on multiple
ports at the same time using VirtualHost stanzas.

You've probably noticed that apache pre-forks several copies of itself,
and it's these children that handle connections in a parallel fashion and
go some way to taking advantage of multiple CPUs, but it's not the
absolute best possible - that would be if you were using solaris
threads. As it happens Apache 2 is multi-threaded, yet still supports
pre-forked children, so you can tune it up a lot better.

On the balance of things, I feel it would be harder to get good
performance out of a system if you used two separate apaches than if
you worked on tuning it up with just one.

Yu, Ming wrote:

>I have a web environment that support both http and https on the same
>machine.  The machine is a powerful SParc 450 with a lot of memory and CPU
>power.  I am wondering if I can install copies of apache on the same
>machine, one runs http, and another runs https.  Will this improve the
>server performance?
>
>- Ming 
>- System Engineer 
>- APL





Re: 56-bit/128-bit IE problems

2002-06-21 Thread Peter Viertel

The problem here as usual is that he HAS got a SGC certificate - and
some IEs barf unless you drop EXPORT56 from your offering when you have
one of those certs.

Not worth the money as far as I'm concerned, not even when getting
thawte's one. I feel it's a scam the way they sell SGCs as some sort of
premium security product when all they're doing is enabling functionality
the browser already has. These were designed for another purpose
altogether before the USA relaxed its crypto export rules a few years ago.

Thomas Binder wrote:

>Hi!
>
>On Fri, Jun 21, 2002 at 08:39:04AM -0700, David Wall wrote:
>  
>
>>You could also consider getting a Thawte "super cert" which has
>>a capability to allow the 56-bit export version of IE to not be
>>so stupid and connect at the higher 128-bit when accessing your
>>site.
>>
>>
>
>Just for the record, Thawte's "Super Certs" are what VeriSign
>calls "Secure Site Server Pro (Global) ID". But they are quite a
>lot cheaper.
>
>
>Ciao
>
>Thomas





Re: Apache 1.3.26 Upgrade Question

2002-06-20 Thread Peter Viertel

Why don't you just buy Stronghold? Sounds like you ought to be paying
someone to do this work for you.

   -->> http://www.redhat.com/software/apache/stronghold/index.html

Jim Lee wrote:

>
> Hi,
>
> Could somebody help me create the Apache_1.3.26-Mod_SSL_x-OpenSSL_x 
> file from the mod_ssl-2.8.9-1.3.26.tar.gz file that has been released 
> recently.
>
> Thanks.
>
> Bye,
> -Jim.
>
>
> On Wed, 19 Jun 2002, Jim Lee wrote:
>
> We have been unable to find the above Apache_1.3.26-Mod_SSL_x file in 
> the http://www.modssl.org/contrib/ area.
>
> Nobody's contributed one yet.  I imagine it won't be that far off, it
> usually doesn't take too long.
>
> We also wish to know if the SSL certificate has to be re-created after
> Apache is upgraded to 1.3.26 with the new mod_SSL.
>
> No.
>
> --Cliff
>
>
>






Re: SSL site loads regardless of URL??

2002-06-18 Thread Peter Viertel

I went back and read your question again, and can see I missed your
problem entirely.

You can only have one SSL certificate per IP - that is to say that
NameVirtualHost does work on https, but always with only one cert. This is
because of the number one most FAQ on this list, which is what Ralf
describes as 'Some sort of chicken and egg problem' in his mod_ssl FAQ.

If you want to make it so your ssl pages only come up when the client
uses the right hostname then try this hack:

NameVirtualHost 192.168.1.9:443


ServerName oddshostnames
RewriteEngine On
RewriteRule^[F,L]



ServerName www.donations.org.nz
DocumentRoot /var/www/html/donations
ErrorLog /var/log/httpd/donations-error_log
TransferLog /var/log/httpd/donations-access_log



David wrote:

> Hi,
>
> I tried adding port 80 to the virtual hosts as you suggested but the
> issue still persists?
>
> -David.
>
>
> Peter Viertel wrote:
>
>> Virtual hosts are defined against the listening addresses you have for
>> your host:
>>
>> Not sure what some of the host names resolve to but assuming 192.168
>> addresses are the actual ip of your host, and the other ip is the nat
>> outside address for your host then the config would look like this:
>>
>> 
>> ServerName www.donations.org.nz
>> DocumentRoot /var/www/html/donations
>> ErrorLog /var/log/httpd/donations-error_log
>> TransferLog /var/log/httpd/donations-access_log
>> 
>>
>> NameVirtualHost 192.168.1.9:80
>>
>> 
>> ServerName stats.domain1.co.nz
>> DocumentRoot /var/www/html/domain1
>> ErrorLog /var/log/httpd/domain1-error_log
>> TransferLog /var/log/httpd/domain1-access_log
>> 
>>
>> 
>> ServerName stats.domain2.co.nz
>> DocumentRoot /var/www/html/domain2
>> ErrorLog /var/log/httpd/domain2-error_log
>> TransferLog /var/log/httpd/domain2-access_log
>> 
>>
>> 
>> ServerName stats.domain3.co.nz
>> DocumentRoot /var/www/html/domain3
>> ErrorLog /var/log/httpd/domain3-error_log
>> TransferLog /var/log/httpd/domain3-access_log
>> 
>>
>>
>> David wrote:
>>
>>> Hi,
>>>
>>> I have several virtually hosted web sites and only one site that is
>>> configured for SSL on my server.
>>>
>>> The issue is if someone uses https instead of http the certificated 
>>> site
>>> pages load regardless of the url ie
>>>
>>> http://stats.domain1.co.nz loads pages from ../domain1 which is 
>>> correct.
>>>
>>> https://stats.domain1.co.nz loads pages from ../donations, and the url
>>> remains https://stats.domain1.co.nz
>>>
>>> I assume I have a misconfigured .conf file?
>>>
>>> How can I resolve this, do I need to specify port 80 on the http sites
>>> or do I need to multi home the server with a unique IP for the SSL 
>>> site?
>>>
>>>
>>> Thanks
>>>
>>> -David.
>>>
>>>
>>> Below is an illustration of the httpd.conf.
>>>
>>> 
>>> ServerName www.donations.org.nz
>>> DocumentRoot /var/www/html/donations
>>> ErrorLog /var/log/httpd/donations-error_log
>>> TransferLog /var/log/httpd/donations-access_log
>>> 
>>>
>>> NameVirtualHost 219.88.240.45
>>>
>>> 
>>> ServerName stats.domain1.co.nz
>>> DocumentRoot /var/www/html/domain1
>>> ErrorLog /var/log/httpd/domain1-error_log
>>> TransferLog /var/log/httpd/domain1-access_log
>>> 
>>>
>>> 
>>> ServerName stats.domain2.co.nz
>>> DocumentRoot /var/www/html/domain2
>>> ErrorLog /var/log/httpd/domain2-error_log
>>> TransferLog /var/log/httpd/domain2-access_log
>>> 
>>>
>>> 
>>> ServerName stats.domain3.co.nz
>>> DocumentRoot /var/www/html/domain3
>>> ErrorLog /var/log/httpd/domain3-error_log
>>> TransferLog /var/log/httpd/domain3-access_log
>>> 
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>>
>
>
>






Re: 1 certificate for several sites using redirection ?

2002-06-12 Thread Peter Viertel

That's basically right.

The proxy spec in http/1.1 etc copes with rewriting headers - but
nothing I've seen rewrites the actual html content - this would be
possible of course, but there would have to be a new module for apache
to do it, and architecturally you'd be creating a potential bottleneck
as the proxy server would have to parse all of the content passing
through it.

Wim Godden wrote:

>So there's no system which allows me to really proxy pages and 'modify' them so
>that all future connections go through this 'proxy' as well ?
>
>Greetings,
>
>Wim
>
>Peter Viertel wrote:
>
>  
>
>>yes, i think thats whats happening - you need to review the website
>>content you are pointing at. For this to work you can't have any
>>absolute hrefs, and also the backend site may issue redirects, for these
>>to work you need a ProxyPassReverse which will rewrite the Location:
>>header on any redirects the backend site may send.
>>
>> For example:
>>
>>ProxyPass /testhttp://other.subdomain.ourdomain.com/
>>ProxyPassReverse /test  http://other.subdomain.ourdomain.com/
>>
>>proxypassreverse unfortunately is not case insensitive, and the backend
>>webserver may refer to itself canonically, so the location headers may
>>have another hostname. Either fix up the backend webserver to match the
>>proxypassreverse, or add extra proxypassreverse lines.
>>
>>The most common cause of redirects is the / bug handlers of tomcat, and
>>IIS which kick in if your url ends with / and that resolves to a
>>directory, then the webserver looks up what the directoryindex script is
>>(eg. index.html) and sends a redirect. This is something to do with
>>early revision browser releases, I have no idea which ones or if it
>>matters anymore.
>>
>>Also note that mod_proxy got a big upgrade at apache release 1.3.23 that
>>may help things along too in certain cases.
>>
>>[EMAIL PROTECTED] wrote:
>>
>>
>>
>>>Sounds like you have some absolute links rather than relative links. You can
>>>also use
>>>proxypass /test https://other-subdomain.ourdomain.com
>>>
>>>If the data needs to be secured between the proxy and the destination
>>>server.
>>>
>>>-
>>>John Airey
>>>Internet systems support officer, ITCSD, Royal National Institute of the
>>>Blind,
>>>Bakewell Road, Peterborough PE2 6XU,
>>>Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
>>>
>>>Is the statement 'There is no such thing as truth'  true?
>>>
>>>
>>>
>>>
>>>  
>>>
>>>>-Original Message-
>>>>From: Wim Godden [mailto:[EMAIL PROTECTED]]
>>>>Sent: 12 June 2002 11:06
>>>>To: [EMAIL PROTECTED]
>>>>Subject: Re: 1 certificate for several sites using redirection ?
>>>>
>>>>
>>>>proxypass /test http://other-subdomain.ourdomain.com
>>>>doesn't work properly... I get errors about the images being
>>>>insecure and all links
>>>>point to the wrong position.
>>>>
>>>>
>>>>Peter Viertel wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>You could do that using reverse proxy, ie mod_proxy.
>>>>>Redirects are not going to help.
>>>>>
>>>>>Wim Godden wrote:
>>>>>
>>>>>
>>>>>
>>>>>  
>>>>>
>>>>>>Hi,
>>>>>>
>>>>>>I'd like to use a certificate to secure several of our
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>subdomains...
>>>>
>>>>
>>>>
>>>>
>>>>>>buying hundreds of certificates is simply too expensive.
>>>>>>Is there some way to do this :
>>>>>>
>>>>>>- Install certificate on secure.ourdomain.com
>>>>>>- Let people surf to
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>https://secure.ourdomain.com/other-subdomain.ourdomain.com/wh
>>>>>
>>>>>
>>>>>  
>>>>>
>>>at-ever-page.html
>>>
>>>
>>>  
>>>
>>>>>Thanks in advance.
>>>>>
>>>>>

Re: 1 certificate for several sites using redirection ?

2002-06-12 Thread Peter Viertel

Yes, I think that's what's happening - you need to review the website
content you are pointing at. For this to work you can't have any
absolute hrefs, and also the backend site may issue redirects; for these
to work you need a ProxyPassReverse which will rewrite the Location:
header on any redirects the backend site may send.

For example:

ProxyPass /test         http://other.subdomain.ourdomain.com/
ProxyPassReverse /test  http://other.subdomain.ourdomain.com/

ProxyPassReverse unfortunately is not case insensitive, and the backend
webserver may refer to itself canonically, so the Location headers may
have another hostname. Either fix up the backend webserver to match the
ProxyPassReverse, or add extra ProxyPassReverse lines.

The most common cause of redirects is the / bug handlers of tomcat and
IIS which kick in if your url ends with / and that resolves to a
directory; then the webserver looks up what the DirectoryIndex script is
(e.g. index.html) and sends a redirect. This is something to do with
early revision browser releases, I have no idea which ones or if it
matters anymore.

Also note that mod_proxy got a big upgrade at apache release 1.3.23 that
may help things along too in certain cases.

[EMAIL PROTECTED] wrote:

>Sounds like you have some absolute links rather than relative links. You can
>also use
>proxypass /test https://other-subdomain.ourdomain.com
>
>If the data needs to be secured between the proxy and the destination
>server.
>
>-
>John Airey
>Internet systems support officer, ITCSD, Royal National Institute of the
>Blind,
>Bakewell Road, Peterborough PE2 6XU,
>Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
>
>Is the statement 'There is no such thing as truth'  true?
>
>
>  
>
>>-Original Message-
>>From: Wim Godden [mailto:[EMAIL PROTECTED]]
>>Sent: 12 June 2002 11:06
>>To: [EMAIL PROTECTED]
>>Subject: Re: 1 certificate for several sites using redirection ?
>>
>>
>>proxypass /test http://other-subdomain.ourdomain.com
>>doesn't work properly... I get errors about the images being
>>insecure and all links
>>point to the wrong position.
>>
>>
>>Peter Viertel wrote:
>>
>>
>>
>>>You could do that using reverse proxy, ie mod_proxy.
>>>Redirects are not going to help.
>>>
>>>Wim Godden wrote:
>>>
>>>>Hi,
>>>>
>>>>I'd like to use a certificate to secure several of our subdomains...
>>>>buying hundreds of certificates is simply too expensive.
>>>>Is there some way to do this :
>>>>
>>>>- Install certificate on secure.ourdomain.com
>>>>- Let people surf to
>>>>https://secure.ourdomain.com/other-subdomain.ourdomain.com/what-ever-page.html
>>>>
>>>>Thanks in advance.
>>>>
>>>>
>>>>Greetings,
>>>>
>>>>Wim Godden
>>>>
>

Re: 1 certificate for several sites using redirection ?

2002-06-12 Thread Peter Viertel

You could do that using reverse proxy, ie mod_proxy.
Redirects are not going to help.

Wim Godden wrote:

>Hi,
>
>I'd like to use a certificate to secure several of our subdomains...
>buying hundreds of certificates is simply too expensive.
>Is there some way to do this :
>
>- Install certificate on secure.ourdomain.com
>- Let people surf to
>https://secure.ourdomain.com/other-subdomain.ourdomain.com/what-ever-page.html
>
>Thanks in advance.
>
>
>Greetings,
>
>Wim Godden
>





Re: Hardware key storage

2002-06-12 Thread Peter Viertel

Whether this can be done is something you should talk to the vendor of 
your HSM about. If you're still looking for one to buy, I can confirm 
that it can be done with nCipher's gear using openssl-engine and some 
extra binaries they provide, I personally have experience with Solaris 
and using an HSM protected key. They trick mod_ssl into running with a 
dummy key, and then openssl engine offloads the key transforms via their 
CHIL api.

At http://www.ncipher.com/resources/index.html you will find their 
whitepapers on the subject.

I work for an nCipher Solutions partner, so my view here is obviously 
biased, there are other HSM vendors apparently.

-PeterV.

Imran Badr wrote:

>Engine support inlcudes offloading RSA/DSA operations but I haven't found
>any way to notify moddssl that the key is in hardware key storage. Modssl
>always looks for disk files for private key and certificate files and I
>haven't figured out how to use hardware key storage. Apache will never start
>if those files are not in disk.
>
>Thanks for the reply.
>Imran.
>
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]On Behalf Of Francois Desarmenien
>Sent: Saturday, June 08, 2002 5:56 AM
>To: [EMAIL PROTECTED]
>Subject: Re: Hardware key storage
>
>
>Le Wed, 5 Jun 2002 19:18:26 -0700
>"Imran Badr" <[EMAIL PROTECTED]> a ecrit:
>
>  
>
>>Hi,
>>I am sorry if this question has been asked before in this group. I wanted
>>
>>
>to
>  
>
>>find out what would be required to use private keys stored in hardware
>>
>>
>with
>  
>
>>apache and modssl ? Modssl code looks for private key file in the host
>>machine and calls use_private_key() sort of function of openssl to store
>>private key in ssl context. Is it possible to use modssl with apache when
>>keys are created in tamper proof hardware and never leaves that? Is there
>>any patch to do that?
>>
>>
>
>mod_ssl relies on OpenSSL and OpenSSL-engine handles access for some
>cryto cards.
>
>F.





Re: Apache + MOD_SSL Win32 crash

2002-05-23 Thread Peter Viertel

That sounds like the ssl mutex mechanism not working properly. Not sure 
whether anyone's got it working on win32, and mod_ssl on win32 is still 
listed as an alpha release.

I too would choose to ditch windows, but if you do need it, then you 
should try apache 2; at least the ASF say it's production quality on win32 
- not sure if there are precompiled win32 binaries with ssl though.

Mike Campbell wrote:

> Hello,
> I'm running Apache 1.3.24 with MOD_SSL 2.8.8 on a Windows 2000 server.
>  
> I've installed and configured according to the "Apache + SSL on Win32 
> Howto"  and I've 
> gotten a certificate from Thawte. I can and always have been able to 
> make an (unsecure) http hit on the server. I can also make a secure 
> https hit. However, if I reload the secure page a few times, sooner or 
> later Apache crashes.
>  
> The error message that pops up says "Apache.exe has generated errors 
> and will be closed by Windows. You will need to restart the program. 
> An error log is being created." The Windows error log says it was an 
> access violation and gives a stack dump, which I don't know how to 
> read. The Apache error log and the SSL log are free of errors.
>  
> When starting Apache, the only complaint I was getting from the config 
> file was:
> "Cannot add module via name 'mod_ssl.c': not in list of loaded modules"
> so I've commented that line out.
>  
> Does anyone have any suggestions?
>  
>  
> These are the relevant lines in httpd.conf:
>
>  ### (other AddModules) ###
> #AddModule mod_ssl.c
> ...
>  
>  ### (other LoadModules) ###
> LoadModule ssl_module modules/mod_ssl.so
> ...
>  
> Listen 80
> Listen 443
> ...
>  
> SSLMutex sem
> SSLRandomSeed startup builtin
> SSLSessionCache none
>  
> SSLLog logs/SSL.log
> SSLLogLevel info
>  
> # (VirtualHost tags were lost in the archive; *:80 and *:443 are assumed)
> <VirtualHost *:80>
> DocumentRoot c:/...
> ServerName www.mydomain.com
> </VirtualHost>
> ...
>
>  ### (many other VirtualHosts) ###
>
> <VirtualHost *:443>
> SSLEngine On
> SSLCertificateFile conf/ssl/pubkey.cert
> SSLCertificateKeyFile conf/ssl/prvkey.key
> DocumentRoot c:/...
> ServerName www.mydomain.com
> </VirtualHost>
>  
>  
> -
> Mike Campbell  Aktiv Software Corporation
> [EMAIL PROTECTED]   
> http://www.aktiv.com
> (250) 708-0027






Re: [Q] VirtualHost problems..

2002-05-22 Thread Peter Viertel

Try reading the FAQ.

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

Han, Donghoon wrote:

>Hi everyone,
>
>I recently configured several named virtual hosts on my Apache 1.3.24
>server.
>
>NameVirtualHost A.B.C.D:80
>NameVirtualHost E.F.G.H:80
>NameVirtualHost A.B.C.D:443
>NameVirtualHost E.F.G.H:443
>
>-- Several :80 virtual hosts --
>
>
>ServerName blah.blah.com
>SSLCertificateFile A.crt
>SSLCertificateKeyFile A.key
>-- other configurations --
>
>
>ServerName blah2.blah2.com
>SSLCertificateFile A2.crt
>SSLCertificateKeyFile A2.key
>-- other configurations --
>
>
>I configured like this, but when I connect to blah2.blah2.com
>Explorer gets the certificate of the first virtual host.
>The other configurations are ok, I get authentication dialogs and
>I get the right file as I configured the virtual host.
>The only one problem is that I get the different certificate from the
>one I configured. Did I miss something?
>
>Thanks in advance.
>





Re: Password protected access

2002-05-20 Thread Peter Viertel

Sure,

If you're going to use the default http auth mechanism, then use SSL.

if the URL is https:// something then it's all encrypted. (ok, unless
you do something really odd with the server config).

Note that the 'password window' is something your browser displays -
once it's got the password it will usually post that password in a
header in every  subsequent request to the same domain name.

If you're not planning on using SSL (one would then ask why you posted
the question to modssl-users) then consider using mod_auth_digest.


Potts, Ross A. wrote:

>Is there a way to encrypt the login window That I get when I want to reach
>restricted areas?  I have the password file setup and can log in, but I
>understand that the password is sent in plaintext.  I didn't see much in the
>way of documentation about this.


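The two options Peter gives, Basic auth over SSL or mod_auth_digest, differ in what actually crosses the wire. The added example below (not code from the thread or from Apache) shows both sides: the Basic Authorization header the browser repeats on every request, which anyone reading plain http traffic can decode, and the RFC 2617 Digest exchange in which the password never leaves the client and the server verifies against the hash an htdigest file stores. The user name, realm and nonce are constructed; MD5 appears because RFC 2617 specifies it, not as a recommendation.

```python
"""Added example (not from the thread): what HTTP Basic authentication puts on the
wire, and how Digest (mod_auth_digest) avoids sending the password at all. The
credentials, realm and nonce are constructed; MD5 is used because RFC 2617 Digest
specifies it, not as a recommendation."""
import base64
import hashlib
import hmac


def make_basic(user, password):
    """What the browser sends, on every request to that realm, once it has the password."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(authorization_header):
    """Anyone who can read a plain-http request can do this: base64 is an encoding,
    not encryption. With https the header travels inside the encrypted tunnel."""
    scheme, _, blob = authorization_header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). This is what the htdigest file stores, so the
    server never holds the plaintext password and it never crosses the network."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    return _md5(f"{ha1}:{nonce}:{_md5(f'{method}:{uri}')}")


def client_digest(user, realm, password, method, uri, nonce):
    """Browser side: it knows the password; the server's challenge supplied realm and nonce."""
    return digest_response(digest_ha1(user, realm, password), method, uri, nonce)


def server_verify(ha1_on_file, method, uri, nonce, response):
    """Server side: recompute from the stored HA1 and compare in constant time.
    A captured response is bound to this nonce, method and URI, so replaying it
    against a fresh challenge fails."""
    expected = digest_response(ha1_on_file, method, uri, nonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    header = make_basic("alice", "s3cret")          # constructed credentials
    print(header, "->", parse_basic(header))
    nonce = "5c2f8e1b"                               # constructed server nonce
    ha1 = digest_ha1("alice", "private", "s3cret")  # what htdigest would store
    response = client_digest("alice", "private", "s3cret", "GET", "/private/", nonce)
    print(server_verify(ha1, "GET", "/private/", nonce, response))
```

Note that Digest protects only the password itself; the request and response bodies still travel in the clear, which is why the first recommendation in the post is still SSL.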



Re: IE 5.00 - 5.01 SSL Connection Failures

2002-05-17 Thread Peter Viertel






Let me guess you have a '128 bit' SGC certificate on your server? If you do
then change your cipher suite to not offer EXPORT56, for example:

SSLCipherSuite !EXPORT56:ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

This results in most people with older clients using 40 bit encryption,
and people who care about security and upgrade their software get 128bit
SSL3 or TLS..

You should alter your logs to log the resultant SSL cipher type and length
so you can get some info on which clients give you problems - and you could
put some warning notes about the browser types on the site somewhere to cover
your butts.

 
 Louis Sabet wrote:


  On Fri, 17 May 2002 13:51:15 +0100
"Jeff" <[EMAIL PROTECTED]> wrote:

  

  
MS IE 5.00 was a flawed release, that MS very quickly (4 weeks) replaced
with 5.01, mainly for security reasons. You should be able to get any
reasonable users (corporate or otherwise) to upgrade asap. MSIE 5.00 has
some serious bugs when using SSL and cacheing, so you may be able to
tweak all your users caching settings, and also to look at making your
pages non-cacheable. I have to say though that in our experience with a
group of 10 users of 5.00 it was far easier to get them to switch to
Netscape until their 5.01 (in fact they went for 5.5) to arrive.

   

  
Unfortunately in this sector of retail, our target audience is very
fickle, and an abundance of similar online retailers in recent years
have made this an extremely competitive market. We cannot afford to
aggravate any customers at this point.

In addition, a large proportion of our customers have little or no
previous IT experience and cannot be expected to apply patches no matter
how trivial it may seem to us!

***SNIP***

  

  
The problems you describe with 5.01, I have seen when SSL keepalive
settings were enabled on the web-server. The SSLKeepAlive settings were
invented to speed up a clients access to your site, so that as
subsequent requests for images, css, etc etc were made, the SSL
negotiation overhead was short-circuited. Unfortunately the MS 5.xx
browsers never quite got it right. We use Apache, and this is the
setting in httpd.conf
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

   

  
I checked our httpd.conf, and indeed we have the same line in all our
SSL sites. So this particular problem must lie elsewhere.

I'll agree with peoples' comments on IE5 being terrible, but
unfortunately as an online retailer we have no choice as to what our
customers access our website with, and a disturbing number of customers
(33%) happen to be using IE5.00 to 5.01.

If anyone else has any comments, they would be very much appreciated at
this point!

  

  
You can check your SSL logs to see if the keepalive settings are active
- it they are you will see an incrementing number associated with each
request from the same user that indicates the SSL negotiation was
short-cut, and that previously negotiated keys are being used.

'nokeepalive' is fractionally slower, but at least your users will not
get the regular 'page cannot be found' issue.

As to sharing Client Certs between IE and NS - we do this happily for NS
4.0-4.75 and MSIE 5.01-6.0 without any issues.


Regards
Jeff




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Louis Sabet
Sent: 17 May 2002 13:29
To: [EMAIL PROTECTED]
Subject: IE 5.00 - 5.01 SSL Connection Failures


Hi List,

I work for a mobile phone retail company in the UK - www.mobiles.co.uk

Recently we discovered that several of our customers were unable to
complete the secure portions of their orders. The only common factor
with all these problems were that all customers were using IE 5.00 to IE
5.01.

Under Internet Explorer they receive "Page Connot Be Found". With
Netscape all works fine, and with all other recent Internet Explorer
versions, a successful connection can be made.

I found nothing useful on the Microsoft site other than this:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q244302

It may be the root of the problem, but we cannot ask the 33% of our
customers who use IE5 to patch their machines before accessing our site.

It is obvious that MOST connections to https sites can be made from IE5,
or it would have been better documented.

I contacted Verisign to find out if there was a reason some certificates
were useable with IE5, and others weren't, but I found their technical
support to be quite useless.

My last option is to ask you guys whether this could be a configuration
issue - or whether there is some configuration tweak I can make to get
around this problem for our IE5 users.

Best regards,

Louis

--
Louis Sabet <[EMAIL PROTECTED]>
http://www.webtedium.com/



Re: Runs on local...but can't see it anywhere else

2002-05-17 Thread Peter Viertel

You say you can connect to the 'actual server address' while on the
actual machine but not from across the network.

You do not say which operating system you're using - but if it's redhat
linux for example, perhaps you've got iptables rules. Otherwise, is
network routing ok, like does the machine have its default route set
correctly?

Alex Earl wrote:

>Hi!
>
>First off I would like to thank you for your help and knowledge! I enjoy
>this forum a lot!
>
>I have set up mod_ssl with Apache 1.3 and everything seems to run just fine
>on the local machine. I can curl https://localhost (and the actual server
>address) and get the right stuff...but when I try to access it from anywhere
>else I get a server not found error. Any ideas?!
>
>Thanks!
>
>Alex Earl
>





Re: make certificate TYPE=custom?

2002-05-16 Thread Peter Viertel




make certificate does not work in apache 2 yet.

copy your key and certificate from the 1.3 installation


mineka fujimoto wrote:

>Hello
>
>I am a student to study Linux.
>
>I want to use SSL in apache2.0.36
>
>I stop apache 1.3 and tar apache2.0.36..
>
>I use RedHat Linux7.1
>
>I use ./configure --prefix=/usr/local_apache2 --enable-mods-shared="ssl"
>
>Then I use make certificate TYPE=custom.
>
>But I get message 「no target to make discontinuation」
>
>Please help me.
>
>Thanks.
>
>Micky





Re: Certificates and Apache/modssl

2002-05-10 Thread Peter Viertel




Keep-alive is a pain all round really...

But not necessarily so so as regards renegotiation.

SSL has a concept of session resuming. The first thing exchanged during an
ssl session is the previously negotiated session-id - the startup of these
resumed sessions is a lot cheaper than an initial ssl negotiation.
Some of the better load balancers can take advantage of this session-id to
ensure a client's ssl session, and subsequent resumed sessions go to the
same backend node.

It should be noted that using the same certificate on multiple servers requires
that the related private key is on each server too. commercial webservers
tend not to be too positive about this, they take the high ground quoting
best practice security etc etc, but I can't help feeling its more to do with
pushing more business to the CA's than anything else.

just so long as you remember that anyone with the private key can decode
all your SSL traffic, so take some care over protecting the key from prying
eyes.



Jeff wrote:

  
if you have two servers behind a load-balancer, you have to make sure
that once a client starts an HTTPS conversation with one server, all
subsequent requests are served by the same server.

  
  
True. AFAIK there are no versions of MSIE that correctly support the
keepalive setting, to unless you are willing to put up with the
mysterious-1-page-in-5-is-just-blank problem you have to turn keepalive
off, and every request gets renegotiated.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Owen Boyle
Sent: 10 May 2002 09:02
To: [EMAIL PROTECTED]
Subject: Re: Certificates and Apache/modssl


Greg Jones wrote:
  
  
All-

We are planning on using commercial load balancing software for two servers
running apache with modssl. Does Apache with modssl require that each server
have its own certificate or can I use the same certificate on both servers
since they'll be answering to the same virtual ip? Also, will my certificate
be based on the virtual ip or the ip of the server. Users will always get to
the web servers via virtual IP.

The certificate is assigned to a fully-qualified domain name, not to an
IP address. The idea is that when the browser goes to www.acme.com, it
expects to see a certificate containing "www.acme.com" - thus proving
that the site is really www.acme.com. This is authentication which is
the second but equally important aspect of SSL that everyone forgets
about... (the first aspect is encryption).

Therefore, as long as both your servers are serving the same site, they
can have the same certificate (indeed, they *should* have the same
cert).

There is one other problem, however. Remember that the
public-key/private-key encryption is used only to negotiate the
session-key. Once that has been established, the client and server
communicate using the session-key and the certificate is forgotten. Now,
if you have two servers behind a load-balancer, you have to make sure
that once a client starts an HTTPS conversation with one server, all
subsequent requests are served by the same server. In other words, if
the session-key negotiation takes place on one server but the next
request comes in to the second server, it will be encrypted with a key
known only to the first server. I guess the solution would be to ensure
requests are split on a client basis rather than request basis in the
load balancer.

Rgds,

Owen Boyle


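The added simulation below (not code from the thread or from any load balancer) puts Peter's and Owen's points side by side: each node in the pool carries the same certificate and key but its own SSL session cache, so a session negotiated on one node can only be resumed there. A balancer that spreads connections round-robin forces a full handshake almost every time (Owen's "key known only to the first server"); one that reads the session-id from the ClientHello and routes resumptions to the issuing node gets the cheap resumed handshakes Peter describes. Node names, session ids and both balancing policies are constructed for the illustration; nothing here touches the network.

```python
"""Added example (not from the thread): why a load balancer that keys on the SSL
session-id keeps resumed sessions on the node that holds the session state, and
what happens when it does not. Nodes, ids and the balancing policies are a
simulation; there is no network here."""
import itertools
import secrets


class Node:
    """One Apache/mod_ssl back end. Every node carries the same certificate and
    private key (the thread's point: one cert on several servers needs the key
    on each), but each has its own SSL session cache."""

    def __init__(self, name):
        self.name = name
        self.session_cache = {}  # session-id -> master secret (simulated)

    def full_handshake(self):
        """Fresh negotiation: expensive public-key work, new session-id issued."""
        session_id = secrets.token_hex(16)
        self.session_cache[session_id] = secrets.token_hex(24)
        return session_id, "full"

    def resume(self, session_id):
        """Cheap resumption if this node negotiated the id; otherwise the server
        cannot resume a session it never saw and falls back to a full handshake."""
        if session_id in self.session_cache:
            return session_id, "resumed"
        return self.full_handshake()


class RoundRobinBalancer:
    """Spreads connections per request and ignores the SSL layer (Owen's failure case)."""

    def __init__(self, nodes):
        self.nodes = nodes
        self._cycle = itertools.cycle(nodes)

    def pick(self, client_session_id):
        return next(self._cycle)


class SessionIdBalancer(RoundRobinBalancer):
    """Reads the session-id offered in the ClientHello and routes a resumption
    attempt to the node that issued it (the 'better load balancers' Peter mentions)."""

    def __init__(self, nodes):
        super().__init__(nodes)
        self.owner = {}  # session-id -> node

    def pick(self, client_session_id):
        return self.owner.get(client_session_id) or next(self._cycle)

    def learn(self, session_id, node):
        self.owner[session_id] = node


def simulate(balancer, requests):
    """A single client making `requests` connections, always offering the last
    session-id it was given. Returns the sequence of (node name, handshake kind)."""
    trace, offered = [], None
    for _ in range(requests):
        node = balancer.pick(offered)
        session_id, kind = node.resume(offered) if offered else node.full_handshake()
        if isinstance(balancer, SessionIdBalancer):
            balancer.learn(session_id, node)
        trace.append((node.name, kind))
        offered = session_id
    return trace


def resumption_rate(trace):
    """Fraction of connections that avoided the full public-key handshake."""
    return sum(kind == "resumed" for _, kind in trace) / len(trace)


if __name__ == "__main__":
    for cls in (RoundRobinBalancer, SessionIdBalancer):
        trace = simulate(cls([Node("web1"), Node("web2")]), 6)
        print(cls.__name__, trace, f"{resumption_rate(trace):.0%} resumed")
```

With two nodes the round-robin policy never resumes, because every resumption attempt lands on the node that did not issue the id; the session-id aware policy resumes every connection after the first and keeps the client on one node, which is the stickiness Owen asks for.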






Re: N/A

2002-05-07 Thread Peter Viertel




You shouldn't be afraid of virtual hosts.

If you split them up as vhosts, then you can do what you want. If you don't,
you can't.
In my example I used separate DocRoots, but this is not necessary.

P.S. can you fix your PC's clock?  your timezone is 13 hours out.

David Flanigan wrote:

  Peter:

 This server is not running with virtual hosts (only a single domain), the
doc root for SSL and non-SSL is the same. Anyway I can do the automatic
redirect without moving the doc roots around?

 Thanks for your help.

--
Kind Regards,
David A. Flanigan



-- Original Message ---
From: "Peter Viertel" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Sent: Tue, 07 May 2002 12:55:04 +0100
Subject: Re: N/A

  
  
Use VirtualHost stanzas:

ie:


# (VirtualHost tags were lost in the archive; *:80 and *:443 are assumed)
<VirtualHost *:80>
ServerName www.foo.com
Redirect /private https://www.foo.com/private
DocumentRoot "htdocs"
</VirtualHost>

<VirtualHost *:443>
ServerName www.foo.com
SSLCertificateFile conf/ssl.crt/server.crt
SSLCertificateKeyFile conf/ssl.key/server.key
SSLEngine on
DocumentRoot "secure"
</VirtualHost>



David Flanigan wrote:



Hello,

My apologies if this has been discussed before, I did not turn up much in my
archive search. I am new to modssl and to this list. Any help you can provide
would be greatly appreciated.

I have a server wide SSL certificate for my domain, but only need SSL
support in certain areas. Is there a way to redirect non SSL requests (port
80) for particular directories to SSL without requiring the user to to do
anything? So automatically:

http://www.foo.com/private/

becomes

https://www.foo.com/private

I am currently using the SSLRequireSSL directive to lock out non-SSL
connections to those directories, resulting in a error to the user.

I have tried a location specific redirect like the following, but ended up
with a loop (and a couple thousand extra entries in my log file).

   
   <Location /private>
   Redirect seeother /private https://www.foo.com/private
   </Location>

Am I on the right track or making this to difficult? I have no mod-rewrite
skills, so have not tried that route as of yet.

Thanks in advance.
--
Kind Regards,
David A. Flanigan ([EMAIL PROTECTED])



  

--- End of Original Message ---







Re: N/A

2002-05-07 Thread Peter Viertel

Use VirtualHost stanzas:

ie:


# (VirtualHost tags were lost in the archive; *:80 and *:443 are assumed)
<VirtualHost *:80>
ServerName www.foo.com
Redirect /private https://www.foo.com/private
DocumentRoot "htdocs"
</VirtualHost>

<VirtualHost *:443>
ServerName www.foo.com
SSLCertificateFile conf/ssl.crt/server.crt
SSLCertificateKeyFile conf/ssl.key/server.key
SSLEngine on
DocumentRoot "secure"
</VirtualHost>





David Flanigan wrote:

>Hello,
>
> My apologies if this has been discussed before, I did not turn up much in my
>archive search. I am new to modssl and to this list. Any help you can provide
>would be greatly appreciated.
>
> I have a server wide SSL certificate for my domain, but only need SSL
>support in certain areas. Is there a way to redirect non SSL requests (port
>80) for particular directories to SSL without requiring the user to to do
>anything? So automatically:
>
> http://www.foo.com/private/
>
> becomes
>
> https://www.foo.com/private
>
> I am currently using the SSLRequireSSL directive to lock out non-SSL
>connections to those directories, resulting in a error to the user.
>
> I have tried a location specific redirect like the following, but ended up
>with a loop (and a couple thousand extra entries in my log file).
>
><Location /private>
>Redirect seeother /private https://www.foo.com/private
></Location>
>
> Am I on the right track or making this to difficult? I have no mod-rewrite
>skills, so have not tried that route as of yet.
>
> Thanks in advance.
>--
>Kind Regards,
>David A. Flanigan ([EMAIL PROTECTED])
>
>
>


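Why David's Location-based Redirect looped while Peter's two VirtualHost stanzas do not comes down to where the directive applies. The added Python below (not code from the thread or from httpd) models how the two configurations dispatch a request and follows the redirects the way a browser would: a Redirect inside the :80 vhost only fires for plain-http requests, whereas a `<Location /private>` block outside any vhost is merged into every matching request, including the https one, which then redirects to itself. The hostname www.foo.com and the /private path come from the thread; the dispatch functions and the hop limit are constructed.

```python
"""Added example (not from the thread): a request-routing model of the two
configurations above, showing why a global <Location /private> Redirect loops
while a per-VirtualHost Redirect terminates. The hostname and path come from the
thread; the dispatch functions are a simulation of how httpd applies the
directives, not httpd code."""


def _under_private(path):
    return path == "/private" or path.startswith("/private/")


def per_vhost(scheme, path):
    """Peter's layout: Redirect only inside the :80 vhost; the :443 vhost has
    SSLEngine on and serves from its own DocumentRoot."""
    if scheme == "http" and _under_private(path):
        return "redirect", "https://www.foo.com" + path
    return "serve", f"{scheme}://www.foo.com{path}"


def global_location(scheme, path):
    """David's attempt: a <Location /private> block outside any vhost is merged
    into every request that matches the path, whatever the port or scheme, so
    the https request is redirected to itself."""
    if _under_private(path):
        return "redirect", "https://www.foo.com" + path
    return "serve", f"{scheme}://www.foo.com{path}"


def follow(dispatch, url, max_hops=10):
    """Act like a browser: follow redirects until something is served or we give
    up. Returns (outcome, final url, number of redirects seen)."""
    hops = 0
    while True:
        scheme, _, rest = url.partition("://")
        path = "/" + rest.partition("/")[2]
        action, target = dispatch(scheme, path)
        if action == "serve":
            return "served", target, hops
        hops += 1
        if hops > max_hops:
            return "loop", target, hops
        url = target


if __name__ == "__main__":
    for name, dispatch in (("per-vhost", per_vhost), ("global <Location>", global_location)):
        print(f"{name:18}", follow(dispatch, "http://www.foo.com/private/"))
```

The "couple thousand extra entries in my log file" David mentions are the loop branch here: every hop is a logged request for the same URL until the browser gives up.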



Re: SSL-Problem with Mac MSIE

2002-04-23 Thread Peter Viertel

No I wouldn't want to disable SSL3 either...

One case I know of like this is to do with advertising EXPORT56 ciphers 
on the server side... some variants of IE barf if they're talking to a 
site with a so called 128 bit certificate (an SGC cert).

I have used this when a site has an uber-cert for marketing reasons, and 
the crypto requirement is not high:

SSLCipherSuite !EXPORT56:ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

the broken clients end up using SSL3 with 40bit keylength, good clients 
talk SSL3/128bit or TLS, it still gives the option for SSL2 and allows 
null encryption too.


Thomas Binder wrote:

>Hi!
>
>On Tue, Apr 23, 2002 at 06:38:22PM +0200, Nisbach, Thomas wrote:
>  
>
>>i found one (unsatisfying) solution:
>>I disabled SSLv3 by setting
>>
>>SSLProtocol -SSLv3
>>
>>If i do this MSIE on Mac runs but i worry about
>>other browser that would not run anymore :-(
>>
>>
>
>Btw, as for my understanding this does not disable TLSv1: Does
>IE's TLS1-support work any better than its SSL3 implementation?
>
>And what also bothers me: Why do these problems only seem to
>affect OpenSSL based webservers, and not for example iPlanet? Do
>these non-affected servers contain other/better workarounds? Or do
>they only support SSL2?
>
>Is it really such a serious drawback to disable SSL3? Most current
>browsers (e.g. links, Mozilla, Opera) seem to support and default
>to TLS1, anyway.
>
>
>Ciao
>
>Thomas



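Both this post and the earlier "IE 5.00 - 5.01 SSL Connection Failures" reply give the same SSLCipherSuite answer, and the earlier one adds the advice to log the negotiated cipher and key length per request. The added example below (not code from the thread or from mod_ssl) reads such a log back and groups sessions by MSIE version and cipher strength, so you can see which clients actually land on the 40/56-bit export ciphers or on null encryption before or after changing the suite. It assumes a mod_ssl CustomLog of the form `"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x \"%r\" \"%{User-Agent}i\""`; the log lines themselves are constructed.

```python
"""Added example (not from the thread): the per-request cipher logging Peter
recommends, read back to see which clients land on export-grade or null ciphers.
The log lines are constructed. Assumed log format (a mod_ssl CustomLog using the
SSL_PROTOCOL, SSL_CIPHER and SSL_CIPHER_USEKEYSIZE variables plus the User-Agent):

  CustomLog logs/ssl_request_log \\
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x \\"%r\\" \\"%{User-Agent}i\\""
"""
import re
from collections import Counter, defaultdict

# Constructed sample of the assumed format.
SAMPLE_LOG = """\
[17/May/2002:13:29:01 +0100] 10.0.0.1 TLSv1 RC4-SHA 128 "GET /checkout HTTP/1.1" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
[17/May/2002:13:29:05 +0100] 10.0.0.2 SSLv3 EXP-RC4-MD5 40 "GET /checkout HTTP/1.0" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
[17/May/2002:13:29:09 +0100] 10.0.0.3 SSLv3 EXP1024-RC4-SHA 56 "GET /checkout HTTP/1.0" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
[17/May/2002:13:29:12 +0100] 10.0.0.4 SSLv3 NULL-MD5 0 "GET /checkout HTTP/1.0" "Mozilla/4.76 [en] (X11; U; Linux 2.4.18 i686)"
[17/May/2002:13:29:15 +0100] 10.0.0.5 SSLv3 RC4-MD5 128 "GET /checkout HTTP/1.0" "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
""".splitlines()

LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'(?P<bits>\d+|-) "(?P<request>[^"]*)" "(?P<agent>[^"]*)"$'
)
MSIE_RE = re.compile(r"MSIE (\d+(?:\.\d+)?)")


def parse_line(line):
    """One ssl_request_log line -> dict; bits is an int (0 when the field is '-')."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    entry = m.groupdict()
    entry["bits"] = 0 if entry["bits"] == "-" else int(entry["bits"])
    return entry


def classify(entry):
    """Strength bucket of the negotiated cipher, by effective key size."""
    if entry["bits"] == 0 or entry["cipher"].startswith("NULL"):
        return "null"          # eNULL: no confidentiality at all
    if entry["bits"] < 128:
        return "export"        # 40/56-bit EXP / EXPORT56 ciphers
    return "strong"


def browser_family(agent):
    """Group by the token that matters in this thread: the MSIE version."""
    m = MSIE_RE.search(agent)
    return f"MSIE {m.group(1)}" if m else "other"


def report(lines):
    """{browser family: Counter of strength buckets} over the log."""
    out = defaultdict(Counter)
    for line in lines:
        entry = parse_line(line)
        out[browser_family(entry["agent"])][classify(entry)] += 1
    return out


if __name__ == "__main__":
    for family, counts in sorted(report(SAMPLE_LOG).items()):
        print(f"{family:10} {dict(counts)}")
```

Run against a real ssl_request_log, the "export" and "null" rows tell you which browser populations the `+EXP` and `+eNULL` parts of the suite are actually carrying, which is the information you need before deciding whether they can be dropped.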



AW: Why https vs http

2002-04-22 Thread Peter Stöhr

you said what I'm thinking...

on my pages, I still use the 's' for the secure sites, and the customers
mostly don't notice it. They always come with http and if they want to
transfer something to us (e.g. an order), the user will be redirected to
https, but the sites look like the http ones, and the customer does not have
to type https...

also my thoughts :-)

Peter
Pink Advertising Vienna

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Subscribed
Sent: Monday, 22 April 2002 23:24
To: [EMAIL PROTECTED]
Subject: Re: Why https vs http


I'd have to agree, if they can't type "s" then they shouldn't have access
HOWEVER: People are sheep. (sorry, but it's true) and if you put a redirect in
you're sure to have less customer service issues and that's mantime you
shouldn't need to spend.

Just MY thoughts. :)







"It is said that if you line up all the cars in the
world end to end, someone would be stupid
enough to try and pass them."

- Original Message -
From: "NickM" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 22, 2002 3:40 PM
Subject: Re: Why https vs http


> KISS - The user should not be made to think, if the data is secure data then
> the user should be protected.  Most users wont even know much about ssl or even
> the use of https in the url.  In the case where a decision is to be made, for
> example if you are offering email and they can choose to have it secure or not
> then a setting or link to switch between should be supplied.
>
> To say the client would be at fault is basically as ignorant a
> programmer/administrator as can be, again the user should not be the one to
> think, if the design of the site is not transparent then its not fluid and not
> easy.  Im sure a bit of Usability would shut them up, but thats not always an
> option.
>
> As far as not being given the chance - this depends entirely on what the data
> is and what the customer base is.  Will they possibly be using incompatible
> browsers?  Is the data really so sensitive?  Should it be up to the user being
> that its their data (or up to your company if its yours)?  Will the user be
> happy about the loss of performance?  Is the data so sensitive, even though its
> the customers, that they should be protected no matter what (credit cards,
> addresses etc)?
>
> My thoughts, Nick
>
>
>
> Quoting [EMAIL PROTECTED]:
>
> > Hello,
> >
> > Im looking for anyones thoughts on why it is not a good Idea to have
> > an https site be able to convert to an http site. I am having many
> > disscusions with co-workers that feel the client would be at fault if
> > they type in the http link instead of using the https link that is
> > provided??
> >
> > I feel that the customer should not even have the chance to enter
> > http and be able to log in. My response to my team is "It's our job
> > (web team) not to even let them have access to the http link, it
> > should redirect or give error." What do you people have to add to
> > this?
> >
> > Thanks,
> > Ron
> >
> >
> > --
> > Pop3Now Personal, Get quick remote access to your email accounts!
> > Sign Up Now!  Visit http://www.pop3now.com/personal
> >
>
>
>






Re: potential apachectl modification

2002-04-22 Thread Peter Viertel




httpd -t will error on SSL stuff not between <IfDefine SSL> lines.
I think you'll find that your LoadModule is in an IfDefine while the unloadmodule
isn't.

httpd -DSSL -t is the way to check all the syntax in httpd.conf; without
the -DSSL you're only checking half of it.

Aryeh Katz wrote:

> > Use apachectl graceful.
>
> I suppose I should have done a little more research before posting.
> I had a script that did a restart, and the restart reported an error. I then tried a
> start and everything worked fine, so I assumed that restart did a kill then a
> start, and thus needed to be changed for ssl.
> Once I got these mails, I looked a little closer, and I'm seeing some strange
> behavior.
> apachectl configtest complains on SSLEngine off in my :80 virtual host.
> Fine, doesn't bother me, I comment it out (wondering why only httpd -t
> complains, and not a regular startup).
> I then ran apachectl configtest again, and it reported no errors.
> I ran httpd -t from the command line, and it said
> Syntax OK
> Segmentation Fault.
> Call stack on the Segmentation Fault indicates that it's on the
> unload_module.
> I do have a module of my own that is loaded, which when removed, allows
> httpd -t to run fine.
> Does anyone have any suggestions for what my module might be doing to
> cause the configtest to core on unload?
> Thanks.
> Aryeh
>
> > Frank
> >
> > - Original Message -
> > From: "Aryeh Katz" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Monday, April 22, 2002 9:23 AM
> > Subject: potential apachectl modification
> >
> > > Does it make sense to have a restartssl directive, to match the
> > > restart directive?
> > >
> > > ---
> > > Aryeh Katz
> > > VASCO
> > > www.vasco.com
>
> ---
> Aryeh Katz
> VASCO
> www.vasco.com







Re: potential apachectl modification

2002-04-22 Thread Peter Viertel

soft restarts like this crash httpd if you have added/deleted SSL key or
certificate lines to the config file - in these cases you must fully
stop/restart the daemon.

So I would say there is a case for a restartssl option, although I'm
happy enough to run stop, check for all daemons dying, then running
startssl as changing certs/keys is usually an infrequent task.


Glen Mehn wrote:

>'restart' and 'graceful' will restart the server with -DSSL, if it's 
>(currently) running with -DSSL.
>
>'restart' sends a SIGHUP to apache
>'graceful' sends a SIGUSR1 to apache, which httpd reads as 'finish what you're doing, 
>then HUP yourself'.
>
>glen
>
>On Mon, Apr 22, 2002 at 12:23:35PM -0400, Aryeh Katz wrote:
>
>
>>Does it make sense to have a restartssl directive, to match the restart
>>directive?
>>
>>---
>>Aryeh Katz
>>VASCO
>>www.vasco.com
>>
>>
>>
>
>--
>Glen S Mehn
>Contract Systems Administrator SquareTrade, Inc
>[EMAIL PROTECTED]   Building Trust in Transactions (sm)
>
>




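The stop / check-that-every-daemon-is-gone / startssl sequence Peter describes, written out as an added Python example; it is not code from the thread or from apachectl. The pid-file path and the `apachectl` command are assumptions and are passed in as parameters, and the probe uses `kill(pid, 0)`, which is POSIX behaviour.

```python
"""Full stop/start of httpd around a key or certificate change.

Added example, not code from the thread or from apachectl. It follows
the procedure described on the list: stop, wait until the server is
really gone, then start again with SSL. Apache's children exit once the
parent does, so the parent pid from the pid file is the one to watch.
"""
import os
import subprocess
import time


def process_alive(pid):
    """True while a process with this pid exists.

    Signal 0 only probes for existence; nothing is delivered. This is
    POSIX semantics (on Windows os.kill with 0 is not a probe).
    """
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True          # exists, but belongs to another user
    return True


def wait_for_exit(pid, timeout=30.0, poll=0.1):
    """Poll until `pid` is gone.

    Returns True if it exited within `timeout` seconds, False otherwise;
    the caller decides whether to start a new server on top of a live one
    (it should not: the new parent would fail to bind the listening ports).
    """
    deadline = time.monotonic() + timeout
    while process_alive(pid):
        if time.monotonic() >= deadline:
            return False
        time.sleep(poll)
    return True


def read_pidfile(path):
    """Parent httpd pid as Apache writes it: a single integer."""
    with open(path) as fh:
        return int(fh.read().strip())


def restartssl(pidfile="/usr/local/apache/logs/httpd.pid",   # assumed path
               apachectl=("apachectl",),                     # assumed command
               timeout=30.0):
    """Full restart: stop, wait for the old parent to exit, then startssl.

    Unlike `apachectl restart` (SIGHUP) or `graceful` (SIGUSR1), nothing is
    reloaded into a running server, so changed SSLCertificateFile or
    SSLCertificateKeyFile lines take effect in a fresh process.
    Returns the start command's exit status; raises RuntimeError if the
    old server is still alive after `timeout` seconds.
    """
    pid = read_pidfile(pidfile)
    subprocess.run([*apachectl, "stop"], check=True)
    if not wait_for_exit(pid, timeout):
        raise RuntimeError(f"httpd {pid} still running after stop; not starting")
    return subprocess.run([*apachectl, "startssl"]).returncode


if __name__ == "__main__":
    print("startssl exit status:", restartssl())
```

The timeout is deliberate: a stop that never completes (a child stuck in a long request, a pid file pointing at a stale pid that has been reused) should surface as an error rather than leave the operator guessing which server answered the next request.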


Re: encipher box

2002-04-22 Thread Peter Viertel

Yes, I've done it a few times with apache 1.3 on Solaris, still mucking
around with apache 2 though.

what you need is:

a) the nCipher software for the o/s - these are binary only and will set
up a daemon called hardserver, and another package that installs the
CHIL library. If they don't have packages for your o/s you are screwed.

b) get/compile openssl-engine, not the standard openssl.

c) test openssl: on a sun it goes like this:

# LD_LIBRARY_PATH=/usr/lib:/opt/nfast/toolkits/hwcrhk
# export LD_LIBRARY_PATH
# openssl speed -engine chil

d) now you have openssl talking nCipher ok, you need to recompile
mod_ssl to use openssl-engine... use apache 1.3.24, and configure with the
SSL_EXPERIMENTAL option (without this, you can't get it to use nCipher).

e) check you built httpd right:

# LD_LIBRARY_PATH=/usr/lib:/opt/nfast/toolkits/hwcrhk
# export LD_LIBRARY_PATH
# httpd -L | grep SSLCryptoDevice

f) add the following line to httpd.conf:

SSLCryptoDevice chil

Note this shows you how to get any nCipher to provide hardware
acceleration, I think the stuff about getting apache to use keys stored
in an nForce HSM is another topic altogether, and best left off-list
unless enough people want to hear the gory details...

Regards,

PeterV.


[EMAIL PROTECTED] wrote:

>Hi,
>
>does anybody have any experience, links or hints on how to connect mod_ssl and
>encipher boxes?
>
>
>As I am new to this list I am not sure if this is right place to ask this
>question.
>
>cheers Alex Apostolopoulos
>___
>WebTechnology & Smart Card Solutions
>
>Secartis AG-eSolutions by Giesecke & Devrient
>Bretonischer Ring 3, D-85630 Grasbrunn, Germany
>
>Phone: +49(0)89 4119-7086, Fax: +49(0)89 4119-7403
>Email: [EMAIL PROTECTED], Home: www.secartis.com
>___
>
>
>






Re: Regarding Certificate Authority

2002-04-17 Thread Peter Viertel

You have set your mod_ssl up correctly, however your browser is telling 
you that you did not pay from $100 to $1000 to one of the CA's listed as 
trusted by the vendor of your BROWSER.

To avoid the message, you need to store the certificate for the website 
in your browser's database of trusted CA's - in IE double click on the 
padlock - View the certificate, Install button, then explicitly save it 
to the Trusted Root Certification Authorities.

Of course if/when you go public, you will not be able to ask the public 
to do this - at that point go get the cheapest certificate you can buy 
that comes from a company listed as trusted by all the browsers out 
there. I recommend Thawte because they're cheap, and so far, in my 
experience, have not cut any corners in verifying the legal status of 
the companies the certificates are for. Look in the 'Trusted Root CAs' 
list on your browser to see all the CAs out there if you want to choose 
a CA.

(I have no affiliation to thawte, other than as a satisfied client).

Nisarg Rav wrote:

>hello gurus,
>
>i'm new on this group.  Please guide me to solve my problem regarding openssl.
>
>I have successfully installed and configured Apache 1.3.23 + mod_ssl 2.8.7-1.3.23 and 
>openssl-0.9.6b.
>I also got success in generating Certificate Authority ca.key and ca.crt and on basis 
>of that I am also able to create www.virtualhost.cxm.crt properly.
>even after starting apache all this is responding fine.
>
>But in my certificate i'm getting that " This certificate can not be verified up to 
>trusted certification authority. "
>
>As i have generated my own CA this is obvious but is there any way to remove this or 
>to remove the red cross sign from certificate ?
>
>Please guide me ..
>
>waiting for reply ..
>
>nisarg
>
>_
>Want a new web-based email account ? ---> http://www.firstlinux.net
>
>_
>Run a small business? Then you need professional email like [EMAIL PROTECTED] from 
>Everyone.net  http://www.everyone.net?tag
>






RE: Dumb SSL question.

2002-04-02 Thread Peter Stöhr

Hi Eric,

For example you can buy a certificate from Thawte (www.thawte.com) or
Verisign (www.verisign.com)

I hope, this was helpful.

Rgds, Peter Stoehr
GAYNET.AT

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Ladner, Eric
(Eric.Ladner)
Sent: Tuesday, 02 April 2002 22:23
To: '[EMAIL PROTECTED]'
Subject: Dumb SSL question.



How can I enable mod_ssl and apache to use SSL encryption for browser to
server
communication without having to have the user accept a certificate?

I've noticed several sites do this on the web without asking for you
to accept or reject a certificate.  Basically, I want to use encryption, but
not have the user intervene to enable/disable it.

Thanks,

Eric Ladner






RE: [BugDB] PRIVATE: Build and install the SSL-aware Apache (PR#670)

2002-03-31 Thread Peter Stöhr

Hi folks!

I don't have this problem any more. I've taken Apache 1.3.23 with
mod_ssl 2.8.5.


Happy Easter,

Peter Stoehr
Pink Advertising - Vienna
www.gaynet.at


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, 09 March 2002 21:28
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [BugDB] PRIVATE: Build and install the SSL-aware Apache
(PR#670)


Full_Name: Peter Stoehr
Version: mod_ssl-2.8.5-1.3.22
OS: SuSE Linux 7.1 (Kernel 2.2.18)
Submission from: (NULL) (212.17.86.61)


Hello mod_ssl-Team!

I used the Step-by-Step installation illustration on your modssl.org site.
I've built OpenSSL fine. After this, I tried the next step (no. 3):

I started in the mod_ssl directory as follows:

$ ./configure \
--with-apache=../apache_1.3.22 \
--with-ssl=../openssl-0.9.6c \
--prefix=/usr/local/httpd

Then it started and the messages were:

Configuring mod_ssl/2.8.5 for Apache/1.3.22
 + Apache location: ../apache_1.3.22 (Version 1.3.22)
 + OpenSSL location: ../openssl-0.9.6c
 + Auxiliary patch tool: ./etc/patch/patch (local)
 + Applying packages to Apache source tree:
   o Extended API (EAPI)
   o Distribution Documents
   o SSL Module Source
   o SSL Support
   o SSL Configuration Additions
   o SSL Module Documentation
   o Addons
Done: source extension and patches successfully applied.

Configuring for Apache, Version 1.3.22
 + using installation path layout: Apache (config.layout)
configure:Error: No such module named 'ssl'
./configure:Error: APACI failed

I really don't know what the program wants. I also checked the FAQ and
usenet, but I can't find any answer. Perhaps you could help me. Regarding
the question of why I don't use Apache 1.3.23: the new webserver of our
organisation runs on 1.3.22, so I tried to make a second server only for
testing.

Perhaps you also know an Apache site in German or a German forum for talking
about Apache and modules.


Kind regards from Vienna

Peter Stoehr
Pink Advertising
www.gaynet.at






Certificate Verification: Error (20): unable to get local issuer certificate (LONG)

2002-03-26 Thread Peter Chiu
rwxr-xr-x  2 root    webbie    512 Mar 26 12:37 ca.db.certs
-rw-r--r--  1 root    webbie    220 Mar 26 12:37 ca.db.index
-rw-r--r--  1 root    webbie      3 Mar 26 12:37 ca.db.serial
-rw-r--r--  1 root    webbie    963 Mar 26 12:19 ca.key
-rw-r--r--  1 root    webbie   2656 Mar 26 12:37 kingkong.crt
-rw-r--r--  1 root    webbie    660 Mar 26 12:36 kingkong.csr
-rw-r--r--  1 root    webbie    963 Mar 26 12:34 kingkong.key
-rw-r--r--  1 root    webbie   2758 Mar 26 12:38 kingkong.p12
-rw-r--r--  1 root    webbie   2745 Mar 26 12:25 server.crt
-rw-r--r--  1 root    webbie    716 Mar 26 12:23 server.csr
-rw-r--r--  1 root    webbie    963 Mar 26 12:22 server.key
-rwxr-xr-x  1 webbie  webbie   1785 Mar 26 12:24 sign.sh



httpd.conf
==

[snip]



ServerAdmin [EMAIL PROTECTED]
DocumentRoot /opt/webmail.ipfw.org
ServerName webmail.ipfw.org
ErrorLog logs/webmail-error_log
SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /opt/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /opt/apache/conf/ssl.key/server.key
SSLCertificateChainFile /opt/apache/conf/ssl.crt/ca.crt
SSLCACertificatePath /opt/apache/conf/ssl.crt
SSLVerifyClient require
SSLVerifyDepth  1

SSLOptions +StdEnvVars


SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
CustomLog /opt/apache/logs/ssl_request_log \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"





-- 
Peter
  \\|//
  (o o)   
+-oOOo-(_)-oOOo-+
 EMail  : mailto:pccb(at)ipfw(dot)org
 PGP Key: http://www.ipfw.org/pgpkey.txt
 PGP Fingerprint: 1379 3D8A 024E 3C0E 1962  4E12 3742 0684 C29C 3537
+---+
Its the InterNIC's fault.



public key technology resources

2002-01-13 Thread Dr. Peter Kanyion - Pnetlinks.com



Hi,
 
I'm currently researching public key 
technology and will appreciate any resource pointers 
that anyone could provide.
 
Thanks.
Peter

  - Original Message -
  From: Kuczborski, Carol L
  To: '[EMAIL PROTECTED]'
  Sent: Friday, January 11, 2002 8:30 PM
  Subject: RE: Problems with Apache / mod_ssl and Internet Explorer 5/6

  I had this problem and spent many, many hours researching. In my
  research, I came across many others with the same problem. So you are
  not the only one. I received the "Page cannot be displayed" error along
  with "Cannot find server or DNS error". I tried the fix suggested in the
  Apache mod_ssl FAQ (change to http.conf file to downgrade to http 1.0).
  It did not work. It looks like you also tried the fix, too. I filed a
  bug report in the Bug Database for Apache mod_ssl and never received any
  response in over 5 months. I eventually worked with Oracle Worldwide
  Support because I was using the Apache Web Server and mod_ssl as
  packaged with the Oracle9i Application Server. I had to work up through
  the ranks to get the problem addressed. Eventually, I implemented two
  changes that seemed to reduce the error with much, much less frequency.
  I still get the error, but not very often.

  It looks like you have also tried one of the solutions I implemented
  (change to http.conf file removing 'nokeepalive'). The other fix I
  implemented, Oracle actually had to patch a DLL file of theirs that I
  believe works with the mod_ssl component. Anyways, I saw the code fix
  they implemented and it has something to do with retrying the read from
  the port when it fails to read the data (they enclosed the read in a
  "retry" loop until successful). I don't know if this information will
  help. But, I am providing the details:

  I received this error in two different cases. One case it happened
  intermittently on almost any page I tried to access from our website
  using SSL and the IE browser. I reduced the errors, quite significantly,
  but not entirely, by making the following change in the Apache http.conf
  file:

  From: #SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
  To:   SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown

  In the other case, I always received the error when I tried to use
  Oracle Portal's Add-Item-Wizard pages to upload a document to Oracle
  Portal's Content Area. Here was the resolution for that case:

  Implemented solution for Oracle Bug No. 1821195 (When uploading large
  file using modplsql & SSL error reading data from client) by replacing
  the existing ApacheModuleSSL.dll file with the patched file referenced
  in the bug details. According to the details for the ApacheModuleSSL.dll
  patch, there was mention of a bug in the "select" function in Windows NT
  4.0:

  "When checking a socket, if data can be read without blocking, select ()
  returns yes, but when actually reading from the socket with recv(), that
  function returns WSAEWOULDBLOCK, which says that reading would block. It
  seems that this problem does not occur in usual operation, but only in
  an SSL enabled Apache (modssl or apache-ssl) with https. The code for
  WIN32, which handles writing to a socket, already contains a workaround
  for this. The code for reading from a socket did not have a workaround."

  Carol Kuczborski
  EDS - Enabling Business Solutions
  MS A6N-B47
  13600 EDS Drive
  Herndon, VA 20171

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Friday, January 11, 2002 2:01 PM
  To: [EMAIL PROTECTED]
  Subject: Problems with Apache / mod_ssl and Internet Explorer 5/6
  
Hi everyone,

I've got a big problem:
I installed on SuSE Linux 7.3 the Apache Web Server including the mod_ssl
in order to run a secured webinterface for my IMAP-Server...
Unsecured everything works just fine in every Browser.
After installing the SSL-Plugin I generated a custom certificate and
everything works fine with Netscape / Konquerer / w3m. But when I try to
connect via https with any version of Microsoft's Internet Explorer I get
the message that the page cannot be displayed.
I found out that there are many problems with MSIE, and I did all the
fixes. Here are parts of my httpd.conf. Does anyone have an idea?

Apache-Version 1.3.20
mod_ssl Version 2.8.4
openssl Version 0.96b
PHP Version Pear 4.1.0
MySQL Version 3.21

[...]
SSLPassPhraseDialog  builtin
SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout  300
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

SSLEngine on

#*** here I tried both

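The retry loop Carol describes above, written out as an added Python example; it is not code from the thread, from Oracle's patch or from mod_ssl. `recv_naive` has the pre-patch shape (trust select(), let EWOULDBLOCK escape to the caller); `recv_with_retry` waits again instead, with a deadline and a retry cap so a misbehaving peer cannot keep it spinning. `SpuriousReadySocket` is a constructed test double that injects the select()/recv() disagreement onto an ordinary socketpair, and the request bytes are constructed traffic; all names are mine, not Apache's.

```python
"""Non-blocking read that survives a false positive from select().

Added example, not code from the thread, from Oracle's patch or from
mod_ssl. When select() reports a socket readable but recv() then fails
with EWOULDBLOCK (the Windows NT 4.0 behaviour quoted in the thread),
the read is retried after waiting again rather than reported as an
error. SpuriousReadySocket is a constructed test double that injects
that failure; no real socket here misbehaves on its own.
"""
import errno
import select
import socket
import threading
import time


class SpuriousReadySocket:
    """Test double: passes select(), but the first `failures` recv()
    calls raise EWOULDBLOCK, mimicking the select()/recv() disagreement."""

    def __init__(self, sock, failures):
        self._sock = sock
        self._failures = failures

    def fileno(self):                 # select() polls the real descriptor
        return self._sock.fileno()

    def setblocking(self, flag):
        self._sock.setblocking(flag)

    def recv(self, nbytes):
        if self._failures > 0:
            self._failures -= 1
            raise BlockingIOError(errno.EWOULDBLOCK, "simulated WSAEWOULDBLOCK")
        return self._sock.recv(nbytes)


def recv_naive(sock, nbytes, timeout=2.0):
    """Pre-patch shape: trust select() and let EWOULDBLOCK propagate."""
    sock.setblocking(False)
    readable, _, _ = select.select([sock], [], [], timeout)
    if not readable:
        raise TimeoutError("no data before deadline")
    return sock.recv(nbytes)


def recv_with_retry(sock, nbytes, timeout=2.0, max_retries=50):
    """Read from a non-blocking socket, re-waiting on EWOULDBLOCK.

    Returns (data, retries) so the caller can see how often the spurious
    readiness path was taken. Raises TimeoutError once `timeout` seconds
    pass without data, and re-raises the EWOULDBLOCK after `max_retries`
    bogus wakeups so the loop is bounded.
    """
    sock.setblocking(False)
    deadline = time.monotonic() + timeout
    retries = 0
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError("no data before deadline")
        readable, _, _ = select.select([sock], [], [], remaining)
        if not readable:
            continue                  # select timed out; loop re-checks the deadline
        try:
            return sock.recv(nbytes), retries
        except BlockingIOError as exc:
            if exc.errno not in (errno.EAGAIN, errno.EWOULDBLOCK):
                raise
            retries += 1              # readiness was a lie; wait again
            if retries > max_retries:
                raise


def exchange(reader_fn, failures, payload=b"GET /login HTTP/1.0\r\n\r\n"):
    """Run reader_fn over a socketpair whose writer sends `payload` after a
    short delay (constructed traffic standing in for a browser request)."""
    writer, reader = socket.socketpair()
    try:
        t = threading.Thread(target=lambda: (time.sleep(0.05), writer.sendall(payload)))
        t.start()
        try:
            return reader_fn(SpuriousReadySocket(reader, failures), 4096)
        finally:
            t.join()
    finally:
        writer.close()
        reader.close()


def naive_read_fails(failures):
    """True if recv_naive surfaces the spurious wakeup as an error."""
    try:
        exchange(recv_naive, failures)
    except BlockingIOError:
        return True
    return False


if __name__ == "__main__":
    data, retries = exchange(recv_with_retry, failures=2)
    print(f"retry loop: {data!r} after {retries} spurious wakeups")
    print("naive read fails on one spurious wakeup:", naive_read_fails(1))
```

The cap on retries matters as much as the retry itself: an unbounded "loop until successful" turns a peer that never sends into a busy worker, which on a server that already has a small fixed number of children is a cheap way to exhaust them.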
RE: CA-Server on Win200

2002-01-08 Thread Dr. Peter Kanyion

Thanks for the swift response. No,I don't have the advanced server version
of Win2000. If I correctly understood your comments, the certificate server
is included in the advanced server, right? If that is the case, I'll strive
to get the Win2000 advanced server version.

Thanks.
Peter

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of madhon
Sent: Tuesday, 8 January 2002 12:40
To: [EMAIL PROTECTED]
Subject: Re: CA-Server on Win200


if you have win2000 server/advanced server you can install certificate
servers to do it

- Original Message -
From: "Dr. Peter Kanyion" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 08, 2002 11:15 AM
Subject: CA-Server on Win200




Hi,

I need to put up a CA Server on Win2000 for testing purposes. Any
recommendation for software will be highly appreciated.

Sorry, if this request is out of scope.

Thanks.
Peter




CA-Server on Win200

2002-01-08 Thread Dr. Peter Kanyion



Hi,

I need to put up a CA Server on Win2000 for testing purposes. Any
recommendation for software will be highly appreciated.

Sorry, if this request is out of scope.

Thanks.
Peter




'multiply defined' errors in compile...

2001-12-11 Thread Peter Losher


I am trying to compile Apache v1.3.22 (w/ mod_ssl, PHP4 and
mod_auth_krb5) on a DEC Tru64 v5.0 system, and most of the compile goes
along smoothly, but when it gets to src/modules, it bombs...

-=-
<=== src/modules
[...]
gcc  -DOSF1 -DMOD_SSL=208105 -I/home/plosher/httpd/php-4.1.0
-I/home/pl/httpd/php-4.1.0/main -I/home/pl/httpd/php-4.1.0/main
-I/home/pl/httpd/php-4.1.0/Zend -I/home/pl/httpd/php-4.1.0/Zend
-I/home/pl/httpd/php-4.1.0/TSRM -I/home/pl/httpd/php-4.1.0/TSRM
-I/home/pl/httpd/php-4.1.0 -DEAPI -DUSE_EXPAT -I./lib/expat-lite
-DKRB5 -DKRB_DEF_REALM=\"DEFAULT\" `./apaci` -L/usr/local/lib-o httpd
buildmark.o modules.o  modules/ssl/libssl.a  modules/extra/libextra.a
modules/php4/libphp4.a  modules/standard/libstandard.a  main/libmain.a
./os/unix/libos.a  ap/libap.a  lib/expat-lite/libexpat.a
-L/usr/local/krb5/lib -lkrb5 /usr/local/krb5/lib/libk5crypto.a -lcom_err
-Wl,-rpath,/usr/local/pgsql/lib  -L/usr/local/pgsql/lib -Lmodules/php4
-L../modules/php4 -L../../modules/php4 -lmodphp4   -lpq -lresolv -lm
-lresolv   -lm  -ldbm -lssl -lcrypto -lm
/usr/bin/ld:
/usr/local/lib/libssl.a(ssl_sess.o): SSL_SESSION_get_time: multiply defined
/usr/local/lib/libssl.a(ssl_sess.o): SSL_SESSION_set_timeout: multiply defined
/usr/local/lib/libssl.a(ssl_sess.o): SSL_SESSION_free: multiply defined
/usr/local/lib/libssl.a(ssl_sess.o): SSL_get_session: multiply defined
/usr/local/lib/libssl.a(ssl_lib.o): SSL_CTX_set_cipher_list: multiply defined
/usr/local/lib/libssl.a(ssl_lib.o): SSL_CTX_new: multiply defined
/usr/local/lib/libssl.a(ssl_lib.o): SSL_CTX_free: multiply defined
/usr/local/lib/libssl.a(ssl_lib.o): SSL_CTX_get_cert_store: multiply defined
/usr/local/lib/libssl.a(ssl_lib.o): SSL_clear: multiply defined
/usr/local/lib/libssl.a(ssl_lib.o): SSL_get_current_cipher: multiply defined
[...]
collect2: ld returned 1 exit status
*** Exit 1
Stop.
*** Exit 1
Stop.
*** Exit 1
Stop.
-=-

Has anyone encountered these 'multiply defined' errors, and figured out a
way around them?

Thanks - Peter Losher
-- 
[EMAIL PROTECTED] - Internet Software Consortium - http://www.isc.org/





Name-Based Virtual Hosting via a Single IP and SSL implementation

2001-12-11 Thread Dr. Peter Kanyion

Hello folks,

I'll greatly appreciate any help you could offer in getting to the right
solution to my problems. I'm acquainted with Apache and SSL, but I'm not a
GURU.
I have two domains, let's say mydomain1.com and mydomain2.com, and a single
registered IP address. Both domains are mapped to the single IP address and
the domain lookup is working perfectly.

I've installed Apache 1.3.19 with mod_ssl version 2.8. Using the default
configuration, I could access the domain mydomain1.com via http(80) and
https(443) without problems.

Now I'm in the process of modifying the configuration to incorporate both
domains. I've not been very successful in getting this accomplished.

Here is in summary what I actually want to accomplish.

I want to access mydomain1.com via http (80) and https (443) and
mydomain2.com via http(80) and http(444). I have a single certificate.

Based on information gathered via threads in this mailing list, I understand
that I could accomplish this using name-based virtual host.

I've not been able to get this up and running.

Any input will be appreciated.


Here is the default configuration:


Listen 80
Listen 443
Listen 444
...
...
DocumentRoot "C:/websites/public"
...
...
#

Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all

#
#

Options FollowSymlinks
SSLRequireSSL
Order allow,deny
Allow from all
AuthName "Confidential Documentation"
AuthType Basic
AuthUserFile pwd/htpasswd.usr
Require valid-user

#
# SSL Options

SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLProtocol SSLv3

SSLCipherSuite MEDIUM:+HIGH:+RSA:+EXP56:!ADH:!EDH
# SSLVerifyClient require

SSLLog logs/SSL.log
SSLLogLevel info
# You can later change "info" to "warn" if everything is OK


SSLEngine On
SSLCertificateFile ssl/server.cert
SSLCertificateKeyFile ssl/server.key
DocumentRoot "C:/websites/confidential"
# SSLRequireSSL



I understand that I could use:


..
..


..
..


Could you please be kind enough to provide specific implementation examples?

Thanks.
Peter




RE: IE discards pages once a while

2001-10-31 Thread Peter Morelli

I have the SSLCipherSuite and SetEnvIf settings you describe, and it has
completely stopped on my setup (solaris, apache 1.3.20, modssl 2.8.4), aside
from the aforementioned file upload. If you search the mail archives, you'll
find alternative settings, basically variations of these settings, that
other people have had success with. 

From what I can remember (please check), some alternatives include replacing
your SetEnvIf with the following lines:

BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown

This solves some Mac IE 5.0 problems, and lets 5.x browsers enjoy the
benefits/speed of 1.1 keepalive...

Also, make sure you have SSLSessionCache enabled. MSIE apparently doesn't
like not having that.

Again, I encourage you to do your own searching through the mailing list
archives. There is a lot of good information there...

<http://marc.theaimsgroup.com/?l=apache-modssl>

--pete

-Original Message-
From: Glen S Mehn [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 10:08 AM
To: [EMAIL PROTECTED]
Subject: RE: IE discards pages once a while


Pete:

What if you have these options set:

SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

and

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

and you've even tried

SSLProtocol all -SSLv3

which minimize, but don't completely stop, the behaviour? Any ideas? (it
still invariably occurs on IE5.x)

glen

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Peter Morelli
Sent: Wednesday, October 31, 2001 09:21 AM
To: '[EMAIL PROTECTED]'
Subject: RE: IE discards pages once a while


This is a known problem.

From the modssl FAQ:
<http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49>

Search the mailing list archives for MSIE, broken browser, for further
points.

The fix above works for everything except SSL file uploads. You can enable
that on the client side by unchecking Tools->Internet Options->Show Friendly
HTTP error pages, at least for IE 5.5. On the server side, it looks like
file uploads aren't downgraded correctly per the fix if that option is
enabled...

--pete

-Original Message-
From: Henning Sittler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 5:52 AM
To: '[EMAIL PROTECTED]'
Subject: RE: IE discards pages once a while


I have older versions of apache and mod_ssl and I'm having the same
problem... I thought I was going crazy.

Everything works fine, and then all of a sudden I'll refresh a page or click
a link and I get the same 'page not found' msg you are getting.  For me this
problem occurs about two or maybe three times per day, while the rest of the
time my ssl vhost works just fine.  Again, I have found no error msgs in any
of my logs to indicate any problem related to this.

I'm also trying to figure out how to upgrade my apache properly in the
quickest way so my public server has as little downtime as possible.  I
thought that upgrading apache might fix the problem, but it looks like you
are stuck in the same situation with a newer version.

Have you tried any other browsers?  I get this problem with different
browsers on different OS's.  So I suspect it's not the browser.


Henning Sittler
www.inscriber.com



-Original Message-
From: Peter Vinnemeier [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 3:24 AM
To: [EMAIL PROTECTED]
Subject: IE discards pages once a while


Hi @ll,
I have apache 1.3.22 with mod_ssl 2.8.5 and php 4.0.6 installed on RH7.1
with self signed certificates.
When accessing the site it usually works fine, but once a while I get the
IE error "The page cannot be displayed, server or dns not found". The
apache access and error logs do not show anything. When going back and
pressing the same link again it works fine again. The problem occurs with
IE5 and IE5.5 and it is not really reproducible on certain actions.
Does anybody have a clue?

Thanks a lot in advance
Peter




RE: IE discards pages once a while

2001-10-31 Thread Peter Morelli

Make that Tools->Internet Options->***Advanced***->Show friendly http error
pages. sorry.

--pete

-Original Message-----
From: Peter Morelli 
Sent: Wednesday, October 31, 2001 9:21 AM
To: '[EMAIL PROTECTED]'
Subject: RE: IE discards pages once a while


This is a known problem.

From the modssl FAQ:
<http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49>

Search the mailing list archives for MSIE, broken browser, for further
points.

The fix above works for everything except SSL file uploads. You can enable
that on the client side by unchecking Tools->Internet Options->Show Friendly
HTTP error pages, at least for IE 5.5. On the server side, it looks like
file uploads aren't downgraded correctly per the fix if that option is
enabled...

--pete




RE: IE discards pages once a while

2001-10-31 Thread Peter Morelli

This is a known problem.

From the modssl FAQ:
<http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49>

Search the mailing list archives for MSIE, broken browser, for further
points.

The fix above works for everything except SSL file uploads. You can enable
that on the client side by unchecking Tools->Internet Options->Show Friendly
HTTP error pages, at least for IE 5.5. On the server side, it looks like
file uploads aren't downgraded correctly per the fix if that option is
enabled...

--pete

-Original Message-
From: Henning Sittler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 5:52 AM
To: '[EMAIL PROTECTED]'
Subject: RE: IE discards pages once a while


I have older versions of apache and mod_ssl and I'm having the same
problem... I thought I was going crazy.

Everything works fine, and then all of a sudden I'll refresh a page or click
a link and I get the same 'page not found' msg you are getting.  For me this
problem occurs about two or maybe three times per day, while the rest of the
time my ssl vhost works just fine.  Again, I have found no error msgs in any
of my logs to indicate any problem related to this.

I'm also trying to figure out how to upgrade my apache properly in the
quickest way so my public server has as little downtime as possible.  I
thought that upgrading apache might fix the problem, but it looks like you
are stuck in the same situation with a newer version.

Have you tried any other browsers?  I get this problem with different
browsers on different OS's.  So I suspect it's not the browser.


Henning Sittler
www.inscriber.com



-Original Message-
From: Peter Vinnemeier [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 31, 2001 3:24 AM
To: [EMAIL PROTECTED]
Subject: IE discards pages once a while


Hi @ll,
I have apache 1.3.22 with mod_ssl 2.8.5 and php 4.0.6 installed on RH7.1
with self signed certificates.
When accessing the site it usually works fine, but once a while I get the
IE error "The page cannot be displayed, server or dns not found". The
apache access and error logs do not show anything. When going back and
pressing the same link again it works fine again. The problem occurs with
IE5 and IE5.5 and it is not really reproducible on certain actions.
Does anybody have a clue?

Thanks a lot in advance
Peter



__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



IE discards pages once a while

2001-10-30 Thread Peter Vinnemeier

Hi @ll,
I have apache 1.3.22 with mod_ssl 2.8.5 and php 4.0.6 installed on RH7.1
with self signed certificates.
When accessing the site it usually works fine, but once a while I get the
IE error "The page cannot be displayed, server or dns not found". The
apache access and error logs do not show anything. When going back and
pressing the same link again it works fine again. The problem occurs with
IE5 and IE5.5 and it is not really reproducible on certain actions.
Does anybody have a clue?

Thanks a lot in advance
Peter



__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: MSIE POST problem

2001-10-25 Thread Peter Morelli

I changed to shm from dbm, but it doesn't seem to solve my problem.

The thing I don't understand is why unselecting "show friendly http error
pages" somehow lets the form post be downgraded. Does apache use some sort
of redirect header to downgrade the request, and MSIE interprets that header
as an error?

--peter

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 25, 2001 9:08 AM
To: [EMAIL PROTECTED]
Subject: RE: MSIE POST problem


try the shm version, eg:

SSLSessionCache shm:/var/run/ssl_scache(512000)

Seems to work better for everyone.

- 
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


>-Original Message-
>From: Peter Morelli [mailto:[EMAIL PROTECTED]]
>Sent: 25 October 2001 16:37
>To: '[EMAIL PROTECTED]'
>Subject: RE: MSIE POST problem
>
>
>Yes, using the dbm version...
>
>--pete
>
>-Original Message-
>From: David Rees [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, October 24, 2001 6:55 PM
>To: '[EMAIL PROTECTED]'
>Subject: Re: MSIE POST problem
>
>
>On Wed, Oct 24, 2001 at 05:38:40PM -0700, Peter Morelli wrote:
>> Sorry, I have the same situation after using those config lines. I had
>> seen them on the mailing list before, but just to be sure I've just
>> retested them. No change. Same symptoms and solutions...
>
>And you do have a ssl session cache defined?
>
>-Dave
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: MSIE POST problem

2001-10-25 Thread Peter Morelli

Yes, using the dbm version...

--pete

-Original Message-
From: David Rees [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 6:55 PM
To: '[EMAIL PROTECTED]'
Subject: Re: MSIE POST problem


On Wed, Oct 24, 2001 at 05:38:40PM -0700, Peter Morelli wrote:
> Sorry, I have the same situation after using those config lines. I had
> seen them on the mailing list before, but just to be sure I've just retested
> them. No change. Same symptoms and solutions...

And you do have a ssl session cache defined?

-Dave
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Modssl on Openbsd 2.9

2001-10-24 Thread Peter Morelli

Those don't look like errors, just notices, or informational events. The
first one is apache shutting down, looks like from a kill command. The
second is Apache starting up again. No idea on the third. I get the first two
all the time in my error_log...

--pete

-Original Message-
From: Doug Dalton [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 5:41 PM
To: [EMAIL PROTECTED]
Subject: Modssl on Openbsd 2.9


Any idea why this error is occurring?

[Wed Oct 24 15:45:29 2001] [notice] caught SIGTERM, shutting down
[Wed Oct 24 15:47:12 2001] [notice] Apache/1.3.22 (Unix) mod_ssl/2.8.5 OpenSSL/0.9.6b configured -- resuming normal operations
[Wed Oct 24 15:47:12 2001] [notice] Accept mutex: flock (Default: flock)



__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: MSIE POST problem

2001-10-24 Thread Peter Morelli

Sorry, I have the same situation after using those config lines. I had seen
them on the mailing list before, but just to be sure I've just retested
them. No change. Same symptoms and solutions...

--pete 

-Original Message-
From: David Rees [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 24, 2001 5:03 PM
To: '[EMAIL PROTECTED]'
Subject: Re: MSIE POST problem


On Wed, Oct 24, 2001 at 03:47:11PM -0700, Peter Morelli wrote:
> I've done a little more testing, and it seems like turning OFF the "Show
> friendly http error pages" option in MSIE allows apache/mod_ssl to
> downgrade the connection to HTTP/1.0 correctly. Turning it back on again
> leads to a situation where it is NOT downgraded, and you get the "server
> not found" page. Again, this is only for file uploads.

It seems that recent versions (5.x+) of MSIE don't like being downgrade to
HTTP/1.0.

Try this config in place of your current SetEnvIf or BrowserMatch directive:

BrowserMatch "MSIE [1-4]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown

You may be able to get away without having the second line entirely, but I
haven't tested it myself.  Let us know how it works out.

-Dave
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: MSIE POST problem

2001-10-24 Thread Peter Morelli

I've done a little more testing, and it seems like turning OFF the "Show
friendly http error pages" option in MSIE allows apache/mod_ssl to downgrade
the connection to HTTP/1.0 correctly. Turning it back on again leads to a
situation where it is NOT downgraded, and you get the "server not found"
page. Again, this is only for file uploads.

--pete

-Original Message-
From: Peter Morelli 
Sent: Wednesday, October 24, 2001 11:59 AM
To: '[EMAIL PROTECTED]'
Subject: MSIE POST problem


I'm having quite a perplexing problem, and I was hoping someone could give
me a hint here on this list.

First, my environment:
- Solaris 2.6
- Apache 1.3.20
- modssl 2.8.4
- openssl 0.9.6b
- Weblogic 5.1
- MSIE 5.5 sp1

I'm using apache to frontend WebLogic through a BEA provided module.

My problem:
It seems similar to some of the archived posts on this list as well as a
section of the FAQ, as it is the "Server not found" error from MSIE. I start
out with a form retrieved over regular HTTP, and post a file upload to a
HTTPS URL. However, even after enabling the various fixes (SetEnvIf to
downgrade, etc) detailed in the FAQ and past posts, it still doesn't work. I
invariably get a server not found page. However, if I go to IE's
Tools->Internet Options->Advanced and uncheck "Show friendly HTTP error
messages", everything seems to work fine. Very weird.

The error posts never even show up in my apache or weblogic logs, though
after I turned the modssl log up to debug I can see some activity, and snoop
picks up the packets between machines.

Some other variables:
- I use self generated certificates, which generate an accept certificate
box in IE when it does work
- Non-standard ports: 8110 for http, 8115 for https, in a Virtual hosts. The
SetEnvIf downgrade is out in the main server config.
- When I do standard form posts (just fields) this problem rarely crops up,
if ever. 
- From the modssl debug logs, it looks like the multi-part form request
(file upload) establishes a regular ssl connection, which closes with a
standard shutdown, while a regular post does downgrade and uses an unclean
shutdown...

I have tried MANY different configurations, and I can't seem to get it to
work. Any help would be greatly appreciated, as I'd rather not go back to
serving http with weblogic (which doesn't seem to have a problem with IE).

--peter

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



MSIE POST problem

2001-10-24 Thread Peter Morelli

I'm having quite a perplexing problem, and I was hoping someone could give
me a hint here on this list.

First, my environment:
- Solaris 2.6
- Apache 1.3.20
- modssl 2.8.4
- openssl 0.9.6b
- Weblogic 5.1
- MSIE 5.5 sp1

I'm using apache to frontend WebLogic through a BEA provided module.

My problem:
It seems similar to some of the archived posts on this list as well as a
section of the FAQ, as it is the "Server not found" error from MSIE. I start
out with a form retrieved over regular HTTP, and post a file upload to a
HTTPS URL. However, even after enabling the various fixes (SetEnvIf to
downgrade, etc) detailed in the FAQ and past posts, it still doesn't work. I
invariably get a server not found page. However, if I go to IE's
Tools->Internet Options->Advanced and uncheck "Show friendly HTTP error
messages", everything seems to work fine. Very weird.

The error posts never even show up in my apache or weblogic logs, though
after I turned the modssl log up to debug I can see some activity, and snoop
picks up the packets between machines.

Some other variables:
- I use self generated certificates, which generate an accept certificate
box in IE when it does work
- Non-standard ports: 8110 for http, 8115 for https, in a Virtual hosts. The
SetEnvIf downgrade is out in the main server config.
- When I do standard form posts (just fields) this problem rarely crops up,
if ever. 
- From the modssl debug logs, it looks like the multi-part form request
(file upload) establishes a regular ssl connection, which closes with a
standard shutdown, while a regular post does downgrade and uses an unclean
shutdown...

I have tried MANY different configurations, and I can't seem to get it to
work. Any help would be greatly appreciated, as I'd rather not go back to
serving http with weblogic (which doesn't seem to have a problem with IE).

--peter

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Connect Problem modssl-2.6.1 WINNT 4.0

2001-05-04 Thread Hans-Peter Straub

Hello all,

I have a problem with

apache-1.3.12+modssl-2.6.1+Openssl-0.9.5.
and
apache-1.3.19+modssl-2.8.1+Openssl-0.9.6.

under WINNT4.0 SP3.

It seems that the certificate and module are loaded properly. The server says
on the command line:

--
Apache/1.3.12 (Win32) mod_ssl/2.6.1 openssl/0.9.5 running.
--

But when I connect to the SSL server with the following command:

--
openssl s_client -connect myserver.net:443
--

I get the error

--
Loading 'screen'into random state - done
connect: Bad file descriptor
connect:errno=10061
--

I think that the SSL server doesn't serve anything.

Does anybody have any idea what is wrong here?

Yours

Hans-Peter Straub


-- 
---*
I-NetPartner GmbH
Hans-Peter Straub
Seewiesenstrasse 12
D-73054 Eislingen
--
Phone: +49 7161 9849955
Fax: +49 7161 9849956
--
eMail: [EMAIL PROTECTED]
Web: http://www.I-NetPartner.de
---*

**  Find out about
**   -->> GigaLan <<--
**  the wireless network in the Filstal
**  http://www.GigaLan.de

---*

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Connect Problem modssl-2.6.1 WINNT

2001-05-04 Thread Hans-Peter Straub

Hello again,

I have now tested a newer version with

apache-1.3.19+modssl-2.8.1+Openssl-0.9.6.

but the result is the same. Can anybody help?



I have a problem with apache-1.3.12+modssl-2.6.1+Openssl-0.9.5.

It seems that the certificate and module are loaded properly. The server says
on the command line:

--
Apache/1.3.12 (Win32) mod_ssl/2.6.1 openssl/0.9.5 running.
--

But when I connect to the SSL server with the following command:

--
openssl s_client -connect myserver.net:443
--

I get the error

--
Loading 'screen'into random state - done
connect: Bad file descriptor
connect:errno=10061
--


Does anybody have any idea what is wrong here?

Yours

Hans-Peter Straub


-- 
---*
I-NetPartner GmbH
Hans-Peter Straub
Seewiesenstrasse 12
D-73054 Eislingen
--
Phone: +49 7161 9849955
Fax: +49 7161 9849956
--
eMail: [EMAIL PROTECTED]
Web: http://www.I-NetPartner.de
---*

**  Find out about
**   -->> GigaLan <<--
**  the wireless network in the Filstal
**  http://www.GigaLan.de

---*

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Connect Problem modssl-2.6.1 WINNT

2001-05-04 Thread Hans-Peter Straub

Hello all,

I have a problem with apache-1.3.12+modssl-2.6.1+Openssl-0.9.5.

It seems that the certificate and module are loaded properly. The server says
on the command line:

--
Apache/1.3.12 (Win32) mod_ssl/2.6.1 openssl/0.9.5 running.
--

But when I connect to the SSL server with the following command:

--
openssl s_client -connect myserver.net:443
--

I get the error

--
Loading 'screen'into random state - done
connect: Bad file descriptor
connect:errno=10061
--


Does anybody have any idea what is wrong here?

Yours

Hans-Peter Straub


-- 
---*
I-NetPartner GmbH
Hans-Peter Straub
Seewiesenstrasse 12
D-73054 Eislingen
--
Phone: +49 7161 9849955
Fax: +49 7161 9849956
--
eMail: [EMAIL PROTECTED]
Web: http://www.I-NetPartner.de
---*

**  Find out about
**   -->> GigaLan <<--
**  the wireless network in the Filstal
**  http://www.GigaLan.de

---*

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



User authentication

2001-04-12 Thread Peter Jones

Hi,

I have got mod_ssl working using the default certificate, but I would
like to have user authentication rather than the current certificate.
All I get when I logon https://localhost is "do you trust this
certificate", when I say yes I am in.

How do I set that up?

regards,

Peter


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: apache 1.319 + modssl 2.8.1 on windows

2001-03-12 Thread Peter Arrenbrecht

Jonathon,

> forgot to say the reason i asked this is because
> when i used the patched configure.bat from cvs to build
> it comes back with file not found everytime i try to run it

I think it is a reference to os\win32\MakeModuleMak.mak which should be to
.cpp instead of .mak. You can run the configure.bat file with the option -v
to make it output more details.


peo <[EMAIL PROTECTED]>


- Original Message -
From: "Jonathon Douglas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 08, 2001 11:13 AM
Subject: Re: apache 1.319 + modssl 2.8.1 on windows


> forgot to say the reason i asked this is because
> when i used the patched configure.bat from cvs to build
> it comes back with file not found everytime i try to run it
>
> - Original Message -
> From: "Jan Dries" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, March 07, 2001 11:45 PM
> Subject: Re: apache 1.319 + modssl 2.8.1 on windows
>
>
> > Jonathon Douglas wrote:
> > >
> > > has anyone managed to get this comination to compile yet
> > > (i havent atm)
> >
> > I have, using the patches that were posted on this newsgroup (and that
> > have in the mean time been checked into CVS). Worked fine for me.
> > The only surprise was that it builds dynamic modules with a different
> > name and extension than in 1.3.14 (my previous version), i.e. it now
> > creates a "mod_ssl.so" instead of an "ApacheModuleSSL.dll".
> >
> > Regards,
> > Jan
> > __
> > Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
> > User Support Mailing List  [EMAIL PROTECTED]
> > Automated List Manager[EMAIL PROTECTED]
> __
> Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
> User Support Mailing List  [EMAIL PROTECTED]
> Automated List Manager[EMAIL PROTECTED]
>


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: 2.8.1 Instll bug on win32

2001-03-12 Thread Peter Arrenbrecht

Just precede it by "my", as in:

if (my $first2 =~ m|^\.\.|) {

(Search for "first2" to find this line.)
I seem to remember that I also had to change the following:

os\win32\MakeModuleMak.mak

to

os\win32\MakeModuleMak.cpp

(Again, just search for it.)

Finally, I had to add an include search path to os\win32 to one of the
mod_ssl makefiles. Don't remember which, however.

Finally, my builds for 1.3.19 (and 1.3.17 binary downloads) crash when
accessed by Netscape 4.7. I logged a detailed debug trace of this to the bug
database.


peo



- Original Message -
From: "tjww" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 06, 2001 8:37 AM
Subject: 2.8.1 Instll bug on win32


> Hi,
>
> When I run configure.bat to patch apache with modssl, it shows error msg
>
> > Global symbol "$first2" requires explicit package name at configure.bat line 269.
> > BEGIN not safe after errors--compilation aborted at configure.bat line 283.
>
> I am not familiar with perl, anybody who can tell me how to deal with it?
>
> Thanks.
>
> Bye, Sincerely yours tjww.
> __
> Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
> User Support Mailing List  [EMAIL PROTECTED]
> Automated List Manager[EMAIL PROTECTED]
>


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Access to web page with suspended certificate possible!

2001-02-23 Thread Kaps, Jens-Peter

Hi,
 
I guess I discovered a bug in the CRL checking of mod_ssl, or I just
misconfigured my system. The symptoms are the following:
 
I have a web server using SSL on port 443 without access control. I do
require client certificates of a CA that I trust to access a sub directory.
I told Apache to check for CRLs in a directory. When I start IE, delete its
cache and hit the server I get the main page. When I click on the link for
the restricted area I get prompted to select a certificate. I select the
certificate that I suspended and I can access the page. When I press the
"reload" button in IE a couple of times I don't get the page but an error
code: 80090320. And the ssl_engine_log shows that my certificate has been
revoked. When I press reload again, I get the page, the Apache log shows
that it sent the page again. Restarting Apache does not help.
 
Now my question is, why does Apache only sometimes discover that my
certificate has been revoked? I think this is a severe security bug!
 
I use Internet Explorer Version 5.00.2014.0216CO with 128 bit encryption and
update 3725, German. The web server is Apache Version 1.3.14 with Mod-SSL
2.7.1 and OpenSSL 0.9.6 on Solaris 2.6.
 
Any ideas?
 
Jens

The information contained in this message is confidential and is intended
for the addressee(s) only.  If you have received this message in error or
there are any problems please notify the originator immediately.  The
unauthorised use, disclosure, copying or alteration of this message is
strictly forbidden. This message and any attachments have been scanned for
viruses. Baltimore Technologies plc will not be liable for direct, special,
indirect or consequential damages arising from alteration of the contents of
this message by a third party or as a result of any virus being passed on.


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: 3tier certificate + client authentication doesn't seem to work. (newest apache/modperl/openssl)

2001-02-20 Thread Kaps, Jens-Peter

Hi,

If you want to trust a sub CA then you have to trust its Root. I.e. when
you trust a Client certificate issued by a SubCA, you trust the sub CA which
automatically means you trust all certificates issued directly by the Root.
Obviously you do not automatically trust all the certificates issued by
other SubCAs of the same root.

The options SSLCACertificateFile and the like refer to client certificates,
the SSLCertificateFile and the like to certificates for the server. I
believe there is no connection between them, i.e. the Server can trust a
commercial CA for the server certificate but does not trust it to issue
client certificates. I have not tried this though.

There are two solutions for your scenario.

1) You use two CA's. I.e. you buy from a commercial CA
   a server certificate for your server and you run your
   own CA (or have it hosted by a provider) to issue
   client certificates of your own private root. Of course
   you can have your own private SubCA under your private root.
  
2) You use DN information of the client certificate to 
   figure out whether to allow them access to your server.
   For this to work you have to trust the Root never to 
   produce a certificate with that same information.
   It seems to be possible to use the issuers information
   of the client certificate for this too. Have a look
   at the HowTo: http://www.modssl.org/docs/2.8/ssl_howto.html#ToC9

   SSLRequire   %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." and \
                %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
   
   It should be possible to use SSL_CLIENT_I_DN_O eq "Mastercard"

Hope this helps,

Jens



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 20, 2001 9:42 AM
To: [EMAIL PROTECTED]
Subject: 3tier certificate + client authentication doesn't seem to work.
(newest apache/modperl/openssl)




How do I make the root CA known to apache but not valid for client
authentication? (only the sub root CA that signed the server/client should be
valid. (apache1.3.17,modssl2.8,openssl0.9.6)

I've got a three tier cert hierarchy like:

root ca --signs--> project ca --signs--> server/client certs

The problem is that unless I place the root ca in SSLCACertificateFile or
SSLCACertificatePath apache complains about not being able to locate the local
issuer.  If I place the root in either of these apache allows server/client
certs that were signed directly by the root ca to access the server (when I
only want to allow certs signed by the project ca)

I would think that one should only need SSLCertificateFile,
SSLCertificateKeyFile and SSLCertificateChainFile (containing the project ca
and root ca), SSLCACertificateFile (containing just the project ca),
SSLVerifyClient require, and SSLVerifyDepth 2.  These settings do not work as
advertised. Only the project CA is loaded at startup (looking at the
ssl_engine_log) and when attempting to do a client connection, apache says it
can't find the local issuer (this would seem to be the root ca, which IS IN the
chain!! isnt that enough?). If I add the root ca to the SSLCACertificateFile or
SSLCACertificatePath apache allows clients signed by the root CA access.  Does
apache not support three tier certificate hierarchies? Any other things I
should try?

I know that the last two paragraphs basically restated the same issue but
hopefully one of them will be clear enough for someone to understand.

-Matthew Lenz


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
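The two solutions above side by side as an added configuration example (not from the thread or from mod_ssl's own docs): the weak setting that trusts everything chaining to the root, and the hardened form that keeps the root available for chain building but uses SSLRequire on the issuer DN so only project-CA-issued client certificates get in. File paths, the "Example Org" / "Project CA" issuer names and the /restricted location are assumed placeholders for the poster's real values.

```apache
# Added example for the three-tier hierarchy discussed above:
#   root ca --signs--> project ca --signs--> server/client certs
# Paths and DN values are placeholders (assumptions), not the poster's config.

# WEAK: with the root in SSLCACertificateFile, mod_ssl accepts ANY client
# certificate that chains to the root, including ones the root signed directly,
# which is exactly the behaviour the original post complains about.
#
#   SSLCACertificateFile /etc/httpd/ssl/root-and-project-ca.pem
#   SSLVerifyClient      require
#   SSLVerifyDepth       2

<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile      /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/server.key
    # Intermediate sent to browsers so they can build the server's chain.
    SSLCertificateChainFile /etc/httpd/ssl/project-ca.pem

    # Trust anchors for client-cert verification. The root stays here because
    # the thread reports "unable to find local issuer" when only the project
    # CA is listed; the restriction to project-CA-issued certs is done below.
    SSLCACertificateFile    /etc/httpd/ssl/root-and-project-ca.pem
    SSLVerifyClient         require
    SSLVerifyDepth          2

    <Location /restricted>
        # Solution 2 from the reply: after the chain verifies, admit only
        # certificates whose issuer is the project CA. SSL_CLIENT_I_DN_* are
        # mod_ssl's issuer-DN variables; adjust CN/O to the real issuer DN.
        SSLRequire %{SSL_CLIENT_I_DN_CN} eq "Project CA" and \
                   %{SSL_CLIENT_I_DN_O}  eq "Example Org"
    </Location>
</VirtualHost>
```

A client certificate signed directly by the root still passes chain verification but is refused at /restricted with a 403, and the refusal shows up in the error log rather than as a silent accept.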



Re: Loading mod_ssl runtime

2001-02-20 Thread Peter Scott

It is my non-expert understanding that one way or another you will need to
recompile apache. Even using the mod_ssl there are hooks required that extend
beyond the module API. I don't know why you would want to load it in without
shutting down apache. First of all you're listening on a different port for the
most part, so if you don't want to shut down the web server you just compile it
separately and start it up as a service under its own right for port 443.


Dennis Montanje wrote:

> Does anyone know how to load mod_ssl runtime into Apache. Does it has to be
> compiled into Apache? Or does anyone has an other idea how to enable
> mod_ssl without shutting down Apache?
>
> Thanks in advance,
>
> Dennis Montanje
>
> __
> Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
> User Support Mailing List  [EMAIL PROTECTED]
> Automated List Manager[EMAIL PROTECTED]

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: (newbie q) second-level domain certificate?

2001-02-09 Thread Peter Scott

It is my understanding that you need a separate certificate for each
subdomain.
I seem to remember something about wildcard certificates, but a quick
inspection of Thawte/Verisign doesn't show anything.

regards,

Peter Scott

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: ssl connection for a particular directory

2001-02-09 Thread Kaps, Jens-Peter

Hi Samuel,

I'm sorry if my error reporting was a little confusing. The whole server on
port 443 runs SSL and has a server certificate. But for one subdirectory I
am requiring a client certificate of a certificate authority that I trust.
Apache should always check these client certificates against the CRLs. In my
set up it only checks it sometimes (average every third request).

Jens


-Original Message-
From: Paul [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 09, 2001 3:03 PM
To: [EMAIL PROTECTED]
Subject: Re: ssl connection for a particular directory



> [EMAIL PROTECTED] wrote:
> > Is there anybody to tell me : How can i force in the apache
> > configuration file the use of a ssl connection for a particular
> > directory without using virtual hosts ?

You'll probably have to run a whole separate server if you aren't using
vhosts.

The choice of protocol is done before the connection is established;
path translation is way later. What you *could* do, however, is to have
the index page in that directory check the port number or something.
mod_perl makes that pretty easy; Apache::Request probably does, too.
I'm not sure off the top of my head how you'd do it without perl. If
it's not secure, redirect to the secure server.

You could kind of do it anyway, just as a matter of course. Have the
index page (I'd recommend a CGI) do an external redirect to the secure
socket. Obviously, you have to have an SSL server running somewhere,
either as another server or as a vhost or *something*, but then the
default page in that directory will redirect to the https://
other-page.

But you can't have just one directory be SSL on one server, because the
SSL protocol has to be established *WAY* before the server knows what
directory the user wants.

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Access to web page with suspended certificate possible!

2001-02-09 Thread Kaps, Jens-Peter

Hi,
 
I guess I discovered a bug in the CRL checking of mod_ssl, or I just
misconfigured my system. The symptoms are the following:
 
I have a web server using SSL on port 443 without access control. I do
require client certificates of a CA that I trust to access a sub directory.
I told Apache to check for CRLs in a directory. When I start IE, delete its
cache and hit the server I get the main page. When I click on the link for
the restricted area I get prompted to select a certificate. I select the
certificate that I suspended and I can access the page. When I press the
"reload" button in IE a couple of times I don't get the page but an error
code: 80090320. And the ssl_engine_log shows that my certificate has been
revoked. When I press reload again, I get the page, the Apache log shows
that it sent the page again. Restarting Apache does not help.
 
Now my question is, why does Apache only sometimes discover that my
certificate has been revoked? I think this is a severe security bug!
 
I use Internet Explorer Version 5.00.2014.0216CO with 128 bit encryption and
update 3725, German. The web server is Apache Version 1.3.14 with Mod-SSL
2.7.1 and OpenSSL 0.9.6 on Solaris 2.6.
 
Any ideas?
 
Jens
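An added example, not part of the post or of mod_ssl: the same revocation check done outside the web server with the openssl command line, so the CRL (the file mod_ssl would pick up from its SSLCARevocationPath directory) and the certificate can be verified independently of what the server does per connection. A throwaway CA is created in a temporary directory, a client certificate is issued, revoked and listed in a CRL, and openssl verify is run with and without -crl_check. All names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not code from the post or from mod_ssl): check a client
# certificate against a CRL with the openssl command line, independently of
# the web server. A throwaway CA is built in a temporary directory, a client
# certificate is issued, then revoked and listed in a CRL, and
# "openssl verify" is run with and without -crl_check.
# Every name below is constructed for this demo.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal "openssl ca" configuration: just what -revoke and -gencrl need.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $WORK/index.txt
default_md = sha256
default_crl_days = 30
EOF
: > "$WORK/index.txt"          # empty certificate database

# Self-signed demo CA, playing the role of the trusted client CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# A client certificate issued by that CA (what the browser would present).
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.crt" 2>/dev/null

# verify_client_cert CERT [CRL]: prints "accepted" or "rejected"; returns
# 0/1 accordingly. With a CRL given, revocation status is checked too.
verify_client_cert() {
    cert="$1"; crl="${2:-}"
    if [ -n "$crl" ]; then set -- -crl_check -CRLfile "$crl"; else set --; fi
    if openssl verify "$@" -CAfile "$WORK/ca.crt" "$cert" >/dev/null 2>&1; then
        echo accepted; return 0
    fi
    echo rejected; return 1
}

# revoke_and_publish_crl: mark the client certificate revoked in the CA
# database and write a fresh CRL (what the CA operator would publish).
revoke_and_publish_crl() {
    openssl ca -config "$WORK/ca.cnf" -keyfile "$WORK/ca.key" -cert "$WORK/ca.crt" \
        -revoke "$WORK/client.crt" >/dev/null 2>&1
    openssl ca -config "$WORK/ca.cnf" -keyfile "$WORK/ca.key" -cert "$WORK/ca.crt" \
        -gencrl -crldays 30 -out "$WORK/ca.crl" >/dev/null 2>&1
}

demo() {
    before=$(verify_client_cert "$WORK/client.crt")
    revoke_and_publish_crl
    no_crl=$(verify_client_cert "$WORK/client.crt")
    with_crl=$(verify_client_cert "$WORK/client.crt" "$WORK/ca.crl" || true)
    echo "before revocation:             $before"    # accepted
    echo "after revocation, no CRL:      $no_crl"    # accepted: without the CRL the revocation is invisible
    echo "after revocation, -crl_check:  $with_crl"  # rejected
}
demo
```

If the certificate is rejected here but the server still serves pages on some connections, the inconsistency is in the server's per-connection handling rather than in the CRL. One general TLS behaviour worth keeping in mind when reading the symptoms above: a resumed SSL session does not repeat the certificate exchange, so a revocation check can only take effect during a full handshake.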




Re: .htaccess and https:// connections

2001-02-06 Thread Peter Scott

It sounds like you just need to configure the secure domain properly. Perhaps
you have done this for the non-secure section but not for the secure section.

I suspect that you simply need to allow overrides for the directory you want to
protect.
There should not be an issue with .htaccess files and ssl, but you need to
configure as per standard apache.



AllowOverride All


James Hastings-Trew wrote:

> I think others have asked this question as well, but I would like a portion
> of my secure site to be blocked to access unless a name and password is
> entered. I have created a valid .htaccess file, pointing at a valid .htpasswd
> file, and it works provided that part of the site is accessed through an
> http: connection -- it correctly queries for the name and password before
> showing the page. However, when accessed through an https: connection, no
> such query pops up - the script is run and the page shows as if there were
> no .htaccess file at all.
>
> I have tried putting the directives directly into the httpd.conf file, but
> the result is the same either way I do it - the .htaccess file only seems to
> work if the connection to the page is made through an insecure connection. I
> would like the sessions to this page (an admin page to be used by authorized
> users off-site) to require authorization and be through an SSL session. The
> chances of anyone guessing the directory/script name are low, but still
>
> Any ideas?
>



Re: problem !

2001-01-15 Thread Peter Scott

I have also had this problem. The only way I could get around the single
certificate restriction was to install multiple apache servers. Anybody know of a
better solution?

cheers,

Peter

NDSoftware wrote:

> Hi,
> I have this:
>
> 
> NameVirtualHost secure.ndsoftware.net:443
> DocumentRoot "/home/ndsoftware/www/secure"
> ServerName secure.ndsoftware.net
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog /home/ndsoftware/logs/www/secure-error_log
> TransferLog /home/ndsoftware/logs/www/secure-access_log
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /usr/local/apache/conf/ssl.crt/secure.ndsoftware.net.crt
> SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/secure.ndsoftware.net.key
> 
>
> 
> #NameVirtualHost ads.ndsoftware.net:443
> DocumentRoot "/home/ndsoftware/www/ads/secure"
> ServerName ads.ndsoftware.net
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog /home/ndsoftware/logs/www/secure-error_log
> TransferLog /home/ndsoftware/logs/www/secure-access_log
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /usr/local/apache/conf/ssl.crt/ads.ndsoftware.net.crt
> SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/ads.ndsoftware.net.key
> 
>
> Why is only the first certificate used???



Unable to generate certificate

2001-01-13 Thread Peter Honegger

Hello!

I have the same problem on two machines (one SuSE 7.0 with no packages of my
own installed, and one Solaris 2.6 with Apache 1.3.14 + openssl 0.9.6 + modssl
2.7.1).

I have used this documentation:
http://www.modssl.org/docs/2.7/ssl_faq.html#ToC29
But my certificate always gives "your server has an invalid certificate,
you will not be able to connect to this site securely". You can look at:
https://mogli.homeip.net
The log files are from the Solaris 2.6 machine. On the SuSE 7.0 it
looks the same.

What is wrong here?


[root@mogli apache]# openssl genrsa -des3 -out server.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
++
++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
[root@mogli apache]# openssl req -new -key server.key -out server.csr
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Zurich
Locality Name (eg, city) []:Au (ZH)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Legends
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:mogli.homeip.net
Email Address []:[EMAIL PROTECTED]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@mogli apache]# openssl genrsa -des3 -out ca.key 1024
warning, not much extra random data, consider using the -rand option
Generating RSA private key, 1024 bit long modulus
...++
++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
[root@mogli apache]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Zurich
Locality Name (eg, city) []:Au (ZH)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:^C
[root@mogli apache]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Zurich
Locality Name (eg, city) []:Au (ZH)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Legends
Organizational Unit Name (eg, section) []:mogli.homeip.net
Common Name (eg, YOUR name) []:^C
[root@mogli apache]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:Zurich
Locality Name (eg, city) []:Au (ZH)
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Legends
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:mogli.homeip.net
Email Address []:[EMAIL PROTECTED]
[root@mogli apache]# ./sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName   :PRINTABLE:'CH'
stateOrProvinceName   :PRINTABLE:'Zurich'
localityName  :PRINTABLE:'Au (ZH)'
organizationName  :PRINTABLE:'Legends'
commonName:PRINTABLE:'mogli.homeip.net'
emailAddress  :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Jan  9 14:39:36 2002 GMT (365
da

Re: Sorry for delayed postings...

2001-01-01 Thread Peter 'Luna' Runestig

> Sorry for the currently occurring delayed postings to modssl-users. They were
> filed without my notice to the wrong admin mailbox because of changes a few
> weeks ago.  I've nevertheless approved them today. So don't be confused if
> the date of the postings is 2-4 weeks old.
>
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com

Nevertheless, attend your wife and child, Ralf, and a Happy New Year!
- Peter
--
Peter 'Luna' Runestig (fd. Altberg), Sweden <[EMAIL PROTECTED]>
PGP Key ID: 0xD07BBE13
Fingerprint: 7B5C 1F48 2997 C061 DE4B  42EA CB99 A35C D07B BE13
AOL Instant Messenger Screenname: PRunestig





apache Server with several SSL certificates

2000-12-01 Thread Kniess, Klaus-Peter

Hello,
I want to set up an Apache server with several SSL certificates.
Which certificate is used depends on a parameter in the URL.
How can I set up the server so that it uses several SSL certificates,
and what do I have to do so that it uses different certificates for
different parameters?
Or is it impossible?
Thanks
Klaus-Peter

__
Klaus-Peter Knieß

FJA Innosoft GmbH
Elsenheimer Straße 48
80687 München
Tel.:   +49 (0)89 57879-150
Fax:+49 (0)89 57879-599
e-mail: Klaus-Peter [EMAIL PROTECTED]
web:http://www.fja.com



mod_ssl for NT

2000-11-11 Thread HUANG,PETER (HP-Cupertino,ex1)


I built mod_ssl 2.7.1 on NT and I can run Apache in SSL mode using
"apache -D SSL".  Is there a way to do it as a service (e.g. net start
apacheSSL)?

BTW, minor bugs: 
1. mod_ssl changed the NT makefile name from Makefile.nt to Makefile.win, but
configure.bat is still using "Makefile.nt", so configure.bat will fail.

2. ssl/Makefile references ssl_engine_scache.obj where the actual files
should be ssl_scache.obj etc.

cheers
-peter huang 
 



Verisign GLOBAL SERVER CERTIFICATE

2000-10-29 Thread Moss, Peter

All,

I thought I'd share this with the rest of the modssl group.

For all of you who applied for the VeriSign GLOBAL Server Certificate:

Verisign generates the intermediate CA and the server certificate as one
CRT file.  You have to split it with scginst.exe (Microsoft Tool)
like this:
c:\scginst -i -o server.crt name_of_file_from_verisign.crt

Copy the Intermediate CA certificate from the VeriSign website, and
install it along with the server.crt above.

If you try to use the CRT file from VeriSign as delivered you will get the following error:

service# pwd
/usr/local/apache/openssl-0.9.6/apps
service# openssl x509 -noout -text -in /usr/home/pmoss/proxy2.crt
unable to load certificate
26869:error:0D0A2007:asn1 encoding routines:d2i_X509_CINF:expecting an asn1 sequence:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/x_cinf.c:106:address=134766594 offset=0
26869:error:0D09F004:asn1 encoding routines:d2i_X509:nested asn1 error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/x_x509.c:99:address=134766592 offset=2
26869:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:239:
service#




 sgcinst.exe


Verisign server.crt loading error!

2000-10-20 Thread Moss, Peter

All,

I'm getting the following error when I try to print the contents of the server.crt
we got from VeriSign.

$ openssl x509 -noout -text -in server.crt
unable to load certificate
3647:error:0D0A2007:asn1 encoding routines:d2i_X509_CINF:expecting an asn1 sequence:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/x_cinf.c:106:address=134774786 offset=0
3647:error:0D09F004:asn1 encoding routines:d2i_X509:nested asn1 error:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/x_x509.c:99:address=134774784 offset=2
3647:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:239:
$

Platform is FreeBSD 4.0
openssl ver. 0.9.6
mod-ssl ver. 2.7.1
apache ver. 1.3.14

What am I doing wrong?  I get a similar error when I try to start it with apachectl
startssl


>  ___
> |   |
> |Peter Moss, P.Eng. |
> |IT Consultant  |
> |Buck Consultants   |
> |95 Wellington St., Toronto, Ont.   |
> |Tel. (416) 865-0060 ext. 776   |
> |mailto:[EMAIL PROTECTED]|
> |___| 
> 
> 



RE: FreeBSD Port: apache+mod_ssl-1.3.12+2.6.6_1

2000-10-18 Thread Moss, Peter

Christian,

What version of openssl do you have installed on your system?

I've installed ( http://www.modssl.org/example/ ) the latest
build on FreeBSD 4.0 with no major problems.

>  ___
> |   |
> |Peter Moss, P.Eng. |
> |IT Consultant  |
> |Buck Consultants   |
> |95 Wellington St., Toronto, Ont.   |
> |Tel. (416) 865-0060 ext. 776   |
> |mailto:[EMAIL PROTECTED]|
> |___| 
> 


-Original Message-
From: Chahn [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 18, 2000 4:54 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: FreeBSD Port: apache+mod_ssl-1.3.12+2.6.6_1


Hi Adam,

please look at my notes in the text.

Christian

> -Original Message-
> From: Adam Nealis [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 18, 2000 10:08 AM
> To: [EMAIL PROTECTED]
> Subject: Re: FreeBSD Port: apache+mod_ssl-1.3.12+2.6.6_1
> 
> 
> Chahn wrote:
> > 
> > Hi,
> > 
> > I installed the ported package above using pkg_add.
> > All works well. But if I want to start apache it gives me 
> the following error:
> > 
> > Cannot load /usr/local/etc/apache/libexec/pache/libssl.so 
> into server:   
> > /usr/local/etc/apache/libexec/apache/libssl.so: Undefined 
> symbol "ASN1_INTEGER_cmp"
> Your path looks a bit suspect. I would expect to find
> .so stuff in /usr/local/libexec/apache/.

It looks really strange but it depends on the ported package I've installed.
The apache.conf is located in /usr/local/etc/apache and it requires the
modules under this path in libexec/apache. I copied the /libexec/apache
stuff to this directory instead of changing the lines in the apache.conf.

> 
> > OS is FreeBSD 4.1
> I'm running 'BSD 4.1-STABLE, and I also have an
> installation of apache+mod_ssl-1.3.12+2.6.6, and
> it works fine.
> 
> I built mine straight out of the ports collection.
> How did you build yours?

I didn't build the code, I installed the precompiled ported package. But I
believe this was not the way it could work so I'm planning to build the code
today or tomorrow and hope this will work.

> 
> Have you manually changed the ServerRoot? Mine is
> set to /usr/local. Also, do your LoadModule and
> lines look like this?

Yes!

> 
> LoadModule env_module libexec/apache/mod_env.so

Yes too!

Thank you for your response. I will give you a note when I'm finished with that
stuff.
> 
> Adam.



RE: HTTP/HTTPS and HTTP Proxy

2000-10-17 Thread Moss, Peter

it was as simple as adding "--enable-module=proxy" on line 674
of /mod_ssl../configure script

HTTP, HTTPS and proxy to HTTP sites works like a charm.

Does anyone know of (or has anyone done) a conversion of IIS/COM objects to
Apache modules? I think I'm going to try mod_plsql, which I saw on modules.apache.org.

>  ___
> |       |
> |Peter Moss, P.Eng. |
> |IT Consultant  |
> |Buck Consultants   |
> |95 Wellington St., Toronto, Ont.   |
> |Tel. (416) 865-0060 ext. 776   |
> |mailto:[EMAIL PROTECTED]|
> |___| 
> 


-Original Message-
From: Hansknecht, Deborah A [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 17, 2000 10:40 AM
To: '[EMAIL PROTECTED]'
Subject: RE: HTTP/HTTPS and HTTP Proxy


Since no one else has answered, I'll at least ask for clarification and then
maybe I'll be able to help...
I gather you've successfully installed Apache with mod_ssl and mod_proxy. It
starts okay and serves pages for both HTTP and HTTPS requests? Is that
right? So now are you asking how to configure a reverse proxy?

Given that I believe you joined the list during the "CLUELESS MORON" storm
(not a pretty sight), I can understand some reluctance on your part to risk
ticking some one off by sending a huge long email - but more detail is
always better. I'm sure with a bit more detail on exactly what you're trying
to do and in what way it's failing, someone on this list will be able to
help.

Deb

> -Original Message-
> From: Moss, Peter [mailto:[EMAIL PROTECTED]]
> Sent: October 16, 2000 3:22 PM
> To: '[EMAIL PROTECTED]'
> Subject: HTTP/HTTPS and HTTP Proxy
> 
> 
> All,
> 
> My setup is:
> apache 1.3.14
> openssl 0.9.6
> mod-ssl 2.7.1
> 
> FreeBSD 4.0
> 
> Rebuilt/Installed it today, no problems so far. (Test CERT)  
> SSL works
> in IE and NS
> 
> Question:
> ===
> I want to configure Apache as HTTPS --> HTTP proxy, basically
> I want to "hide" a couple of application servers behind 
> Apache-mod-ssl-proxy
> server and "proxy" HTTPS requests to them.
> 
> How do I make the Proxy work with apache-mod-ssl ?
> 
> I've tried the following:
> - modified the build to include proxy module, it compiles and 
> links into the
> httpd
> - changed httpd.conf to enable the "Proxy support" via the  tag
> 
> I did all changes to Makefiles by hand so I might have screwed 
> something up
> along
> the way.
> 
> What is the "proper" way of including "PROXY" module in mod-ssl
> distribution?
> 
> All replies would be appreciated.
> Thanks,
> 
> >  ___
> > |   |
> > |Peter Moss, P.Eng. |
> > |IT Consultant  |
> > |Buck Consultants   |
> > |95 Wellington St., Toronto, Ont.   |
> > |Tel. (416) 865-0060 ext. 776   |
> > |mailto:[EMAIL PROTECTED]|
> > |___| 
> > 
> > 



RE: HTTP/HTTPS and HTTP Proxy

2000-10-17 Thread Moss, Peter

Deborah, all,

I've setup HTTP/HTTPS 2.7.1-1.3.14 mod-ssl.
HTTP and HTTPS services work!

The proxy does not work.

I'm using the same proxy directives as I used in my 1.3.12 proxy
installation, ProxyPass, ProxyPassReverse directives etc.

I think proxy is an optional module so I had to change /src/Configuration
file to include that module and reconfigure.

But what else needs to be done to make proxy/reverse proxy work?

I'd like to set up Apache HTTPS proxies in front of our application servers.
We have a load balancer (soon to be an Apache module) to load balance the
proxies.

Solaris 8 (load balancer, part of Apache server)
FreeBSD 4.0 (two or more HTTPS Apache proxies)
IIS, HTTP, ASP/COM applications (20+ servers)

If what I preach (i.e. a Unix solution) works, we'll be dumping IIS 
altogether.

Our objective is to lower the cost.  We want to pay only for the
two+ SSL certificates for the two Apache proxies. Otherwise,
we'd have to pay for all 20+ certificates.




>  ___
> |   |
> |Peter Moss, P.Eng. |
> |IT Consultant  |
> |Buck Consultants   |
> |95 Wellington St., Toronto, Ont.   |
> |Tel. (416) 865-0060 ext. 776   |
> |mailto:[EMAIL PROTECTED]|
> |___| 
> 


-Original Message-
From: Hansknecht, Deborah A [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 17, 2000 10:40 AM
To: '[EMAIL PROTECTED]'
Subject: RE: HTTP/HTTPS and HTTP Proxy


Since no one else has answered, I'll at least ask for clarification and then
maybe I'll be able to help...
I gather you've successfully installed Apache with mod_ssl and mod_proxy. It
starts okay and serves pages for both HTTP and HTTPS requests? Is that
right? So now are you asking how to configure a reverse proxy?

Given that I believe you joined the list during the "CLUELESS MORON" storm
(not a pretty sight), I can understand some reluctance on your part to risk
ticking some one off by sending a huge long email - but more detail is
always better. I'm sure with a bit more detail on exactly what you're trying
to do and in what way it's failing, someone on this list will be able to
help.

Deb

> -Original Message-
> From: Moss, Peter [mailto:[EMAIL PROTECTED]]
> Sent: October 16, 2000 3:22 PM
> To: '[EMAIL PROTECTED]'
> Subject: HTTP/HTTPS and HTTP Proxy
> 
> 
> All,
> 
> My setup is:
> apache 1.3.14
> openssl 0.9.6
> mod-ssl 2.7.1
> 
> FreeBSD 4.0
> 
> Rebuilt/Installed it today, no problems so far. (Test CERT)  
> SSL works
> in IE and NS
> 
> Question:
> ===
> I want to configure Apache as HTTPS --> HTTP proxy, basically
> I want to "hide" a couple of application servers behind 
> Apache-mod-ssl-proxy
> server and "proxy" HTTPS requests to them.
> 
> How do I make the Proxy work with apache-mod-ssl ?
> 
> I've tried the following:
> - modified the build to include proxy module, it compiles and 
> links into the
> httpd
> - changed httpd.conf to enable the "Proxy support" via the  tag
> 
> I did all changes to Makefiles by hand so I might have screwed 
> something up
> along
> the way.
> 
> What is the "proper" way of including "PROXY" module in mod-ssl
> distribution?
> 
> All replies would be appreciated.
> Thanks,
> 
> >  ___
> > |   |
> > |Peter Moss, P.Eng. |
> > |IT Consultant  |
> > |Buck Consultants   |
> > |95 Wellington St., Toronto, Ont.   |
> > |Tel. (416) 865-0060 ext. 776   |
> > |mailto:[EMAIL PROTECTED]|
> > |___| 
> > 
> > 



HTTP/HTTPS and HTTP Proxy

2000-10-16 Thread Moss, Peter

All,

My setup is:
apache 1.3.14
openssl 0.9.6
mod-ssl 2.7.1

FreeBSD 4.0

Rebuilt/Installed it today, no problems so far. (Test CERT)  SSL works
in IE and NS

Question:
===
I want to configure Apache as HTTPS --> HTTP proxy, basically
I want to "hide" a couple of application servers behind Apache-mod-ssl-proxy
server and "proxy" HTTPS requests to them.

How do I make the Proxy work with apache-mod-ssl ?

I've tried the following:
- modified the build to include proxy module, it compiles and links into the
httpd
- changed httpd.conf to enable the "Proxy support" via the  tag

I did all changes to Makefiles by hand so I might have screwed something up
along
the way.

What is the "proper" way of including "PROXY" module in mod-ssl
distribution?

All replies would be appreciated.
Thanks,

>  ___
> |   |
> |Peter Moss, P.Eng. |
> |IT Consultant  |
> |Buck Consultants   |
> |95 Wellington St., Toronto, Ont.   |
> |Tel. (416) 865-0060 ext. 776   |
> |mailto:[EMAIL PROTECTED]|
> |___| 
> 
> 



RE: Dipstick

2000-10-13 Thread Moss, Peter

I beg your pardon?
What did I do?  I just tried to sign up to modssl mailing list.


>  ___
> |   |
> |Peter Moss, P.Eng. |
> |IT Consultant  |
> |Buck Consultants   |
> |95 Wellington St., Toronto, Ont.   |
> |Tel. (416) 865-0060 ext. 776   |
> |mailto:[EMAIL PROTECTED]|
> |___| 
> 


-Original Message-
From: Bill Moran [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 13, 2000 11:17 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Dipstick


Thank you ever so kindly for childishly spamming a technical
newsgroup.
I do not appreciate the multiple hundreds of messages that crowded my
inbox. I'm upset that you have absolutely no respect for bandwidth
usage, and seem to be a complete moron.
I'm considering this a pre-emptive warning. Considering your actions,
I will be setting my domain mail servers to reject any attempt by your
domain to send email to my domains, since you'll probably end up being
a source of spam in the future. Keep in mind that while you "own" that
one incredible ahresources.org, I manage 8 domains, and I'm small
time.
You might want to acquire some tact, as pissing off people who hold
technical positions on the Internet can make your ability to function
there difficult. Imagine if you pissed off the technical manager for a
domain that you would like to work with?

Good luck,
Bill Moran

--
FreeBSD ('BSD'):
No battles to the death are recalled. It is a small Daemon wearing
sneakers. It is normally found on Internet servers and powerful desktops,
and moves very quickly. A kill of this powerful creature is enough to tick
off any sysadmin. It is highly magical, having the power to serve. It
resists DoS and SYN flood attacks. Nothing is known about its attack.



Installation procedures...

2000-10-02 Thread Peter Gebauer

Hello!

I'm not a real UNIX guru so this mail could be total nonsense, but here
goes.

I have an Apache server that I compile myself (I rarely use RPMs; they
make me feel uncomfortable since I feel I have less control, but I am a
rookie with RPMs) and I have PHP compiled into it as well.

Since I have modules that are compiled into Apache I would still like to
have them there after the mod_ssl installation too. But when running the
Step-By-Step installation on the modssl.org site I realized that this
would most likely destroy any previous makefiles created for Apache.
And it did, my PHP apaci (what does it mean?) configuration was lost.

So, I tried to install OpenSSL as a shared object library (I noticed
that /src/modules/ssl/libssl.a was available) so I ran this
configure for Apache:

./configure --activate-module=src/modules/php4/libphp4.a
--activate-module=src/modules/ssl/libssl.a

The Apache makefile was altered and I now have the rule for creating
certificates. I created a certificate for my local hostname.

I fired up the new httpd binary that should contain (statically linked?) PHP
and mod_ssl.
I run "netscape https://myhostname/" which makes netscape tell me that
"Server connection refused or server busy".

What I have managed to figure out (with my small portion of compilation
and UNIX knowledge) is that /src/modules/ssl is NOT the
mod_ssl library. But where is it then?

Now for the question:
Can I statically link mod_ssl together with other statically linked modules?

I am used to compiling stuff into Apache by activating them as modules
during the configuration of Apache.

If I got any terminology wrong in this mail, please tell me so that I can
communicate with other users more efficiently in the future, thank you!

Best regards, Peter Gebauer!
[EMAIL PROTECTED]



RE: connection to vhost from the internet

2000-09-27 Thread Peter Clark

Enrique,

Perhaps it's because you're using 'localhost', which makes the server bind to
127.0.0.1, which is not accessible outside your machine.

Try using  instead.  Btw, the _'s are to tell
Apache it's a magic word, not to be snitty, so keep them in. ;)


 -pete

-Original Message-
From: Enrique Mochales Estany
To: modssl-users
Sent: 9/27/00 7:22 AM
Subject: connection to vhost from the internet

Hi, 
I'm running a normal host (port 80) and a vhost for ssl. Everything
works fine when accessed locally -- http://localhost and
https://localhost/secure -- but when I access from the internet the
browser gets stuck waiting for a reply from the vhost. 

The connection is through an ISP, so they give me a temporary
address x.y.z.u each time I connect, and then I test the web pages using
http://x.y.z.u and https://x.y.z.u/secure. With http there's no problem,
but I can't access the secure pages with https://x.y.z.u/secure. 


I defined the vhost as follows: 


 
port 443 
ServerAdmin root@localhost 
DocumentRoot /home/www/htdocs/secure 
ServerName localhost 
ErrorLog /usr/local/apache/var/log/error_log 
TransferLog /usr/local/apache/var/log/access_log 
SSLEngine on 
SSLCACertificatePath /usr/local/apache/apache_1.3.3/conf/ssl.crt 
SSLCertificateKeyFile
/usr/local/apache/apache_1.3.3/conf/ssl.key/server.key 
SSLCertificateFile
/usr/local/apache/apache_1.3.3/conf/ssl.crt/server.crt 
#SSLCACertificateFile
/usr/local/apache/apache_1.3.3/conf/ssl.crt/ca-bundle-client.crt 
SSLVerifyClient none 
SSLVerifyDepth 10 
SSLLog /usr/local/apache/var/log/ssl_engine_log 
SSLlogDevel debug 
 


Perhaps I am missing something important in the configuration of the
vhost? 
Why can I access the secure pages only with https://localhost/secure
and not https://x.y.z.u/secure? 


TIA --E. 
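An added example, not code from either NDSoftware's "problem !" post or Enrique's post above: a small lint, written for this page, that reads an httpd.conf and flags the two SSL virtual-host problems these two threads run into. Two SSL vhosts sharing one address:port means the server has to pick a certificate before it knows which hostname the client asked for, so only the first vhost's certificate is ever presented (the "only the first certificate" symptom in the "problem !" thread, to which the reply there gives the answer of separate servers, i.e. separate addresses or ports); an SSL vhost bound to localhost is unreachable from outside the machine (Enrique's case, as diagnosed in the reply). The sample configuration is constructed; the lint only compares the literal address in each VirtualHost tag, so two hostnames that resolve to one IP are the same case but cannot be detected offline.

```shell
#!/bin/sh
# Added example, not code from either list post: a small lint for httpd.conf
# that flags the two SSL virtual-host problems these threads run into.
#   SHADOWED: two SSL vhosts on the same address:port. The server has to pick
#             a certificate before it knows which hostname the client wants,
#             so only the first vhost's certificate is ever presented and
#             the second name gets a certificate/hostname mismatch.
#   LOOPBACK: an SSL vhost bound to localhost/127.0.0.1, which no client
#             outside the machine can reach.
# The lint compares the literal address in each <VirtualHost> tag; two
# different hostnames that resolve to one IP are the same case, but cannot
# be detected offline. The sample configuration is constructed for this demo.

sample_conf() {
    cat <<'EOF'
<VirtualHost 192.0.2.10:80>
ServerName www.example.net
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName secure.example.net
SSLEngine on
SSLCertificateFile /etc/ssl/secure.example.net.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName ads.example.net
SSLEngine on
SSLCertificateFile /etc/ssl/ads.example.net.crt
</VirtualHost>
<VirtualHost localhost:443>
ServerName localhost
SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.11:443>
ServerName shop.example.net
SSLEngine on
</VirtualHost>
EOF
}

# lint_ssl_vhosts: reads a configuration on stdin, prints one finding per
# line and returns 1 when anything was found, 0 when the file is clean.
lint_ssl_vhosts() {
    awk '
    /^[ \t]*<VirtualHost[ \t]/ {            # opening tag: note address:port
        addr = $2; sub(/>.*/, "", addr)
        ssl = 0; name = "(no ServerName)"; next
    }
    /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/ { ssl = 1; next }
    /^[ \t]*ServerName[ \t]/        { name = $2; next }
    /^[ \t]*<\/VirtualHost>/ {              # closing tag: evaluate the vhost
        if (!ssl) next                      # plain HTTP vhosts may share an address
        host = addr; sub(/:[0-9]+$/, "", host)
        if (host == "localhost" || host == "127.0.0.1") {
            printf "LOOPBACK %s: SSL vhost %s is bound to the loopback address\n", addr, name
            found = 1
        }
        if (addr in seen) {
            printf "SHADOWED %s: SSL vhost %s shares the address with %s; only the first certificate is served\n", addr, name, seen[addr]
            found = 1
        } else {
            seen[addr] = name
        }
    }
    END { exit found + 0 }'
}

# Demo: lint the constructed configuration.
sample_conf | lint_ssl_vhosts || echo "findings above; fix them before restarting httpd"
```

Run it against a real file with `lint_ssl_vhosts < /usr/local/apache/conf/httpd.conf`. A SHADOWED finding means browsers for the second name will see a certificate issued to the first name; the fix in this era of the software is a distinct address or port per SSL vhost. A LOOPBACK finding is the configuration Enrique posted: the vhost answers on 127.0.0.1 only.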
  
 




RE: -DEAPI errors

2000-09-26 Thread Peter Clark

Christopher, 

It sounds likely that you've got DSOs in your libexec directory that you're
telling apache to load in the httpd.conf.  And, with the new apache, have it
configured the APACI compiled-in way.

Try running httpd -l and see if those modules are being told to load even
after apache has compiled-in versions of them.

 -pee 

-Original Message-
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 9/26/00 5:44 PM
Subject: -DEAPI errors

hi, 
 
need a solution to this problem
 
[Tue Sep 26 14:45:17 2000] [warn] Loaded DSO /usr/local/apache/libexec/mod_jserv.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI)
 
this occurs with each module
the compiler command lines show the -DEAPI flag


