Re: Is it possible to not force SSL on port:443?
Also, here is my ssl.conf:

---
LoadModule ssl_module modules/mod_ssl.so
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLCryptoDevice builtin
SSLProtocol +All
SSLCipherSuite HIGH:MEDIUM:+SHA1:+NULL:+aNULL:+eNULL
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024
SSLProxyEngine off
---

Then I set up my vhost like:

DocumentRoot /var/www/websitename/
ServerName websitename
ErrorLog /var/log/httpd/websitename-ssl-error.log
CustomLog /var/log/httpd/websitename-ssl-access.log common
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/websitename/websitename.crt
SSLCertificateKeyFile /etc/httpd/ssl/websitename/websitename.key

Right now I am using SSLEngine off and doing no encryption over 443, but I really need to make encryption optional on the same port. Any ideas?

----- Original Message -----
From: "Cliff Woolley" <[EMAIL PROTECTED]>
To:
Sent: Friday, October 14, 2005 7:36 AM
Subject: Re: Is it possible to not force SSL on port:443?

> On 10/14/05, Pigeon <[EMAIL PROTECTED]> wrote:
>> I am helping someone develop a product, and for the next little bit he will need to access port 443 without the communication being encrypted (aka he could telnet to it if he wanted). But in the very near future, he will want to make 443 encrypted.. Is it possible to not force encryption on port 443?
>
> Sure... you just tell Apache to listen on that port and don't turn the SSLEngine on. :)
>
> Or are you asking how to make it *optional*? You can do that too -- as long as "SSLRequireSSL" isn't set, it should work.

__
Apache Interface to OpenSSL (mod_ssl)          www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                         [EMAIL PROTECTED]
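Two lines in the posted ssl.conf deserve a second look before this server goes live with SSLEngine on. This is an added example, not the poster's or the list's own configuration; it assumes the Apache 2.0/2.2 mod_ssl of that era and the paths from the posted ssl.conf. In an OpenSSL cipher string the "+" prefix only moves matching suites to the end of the list and never removes them, so the anonymous (aNULL) suites that HIGH already contains stay negotiable; "!" is the operator that excludes. The longer session cache timeout reflects the "about 1 hour" figure Mads gives in the overhead thread on this page.

```apache
# Added example: weak settings from the posted ssl.conf beside corrected ones.
# Assumed: Apache 2.0/2.2 mod_ssl; paths taken from the poster's ssl.conf.

# --- as posted (weak) ---
# SSLProtocol +All
# SSLCipherSuite HIGH:MEDIUM:+SHA1:+NULL:+aNULL:+eNULL
#
# "all" on this mod_ssl generation still includes SSLv2.
# "+aNULL" / "+eNULL" only reorder suites that are already in the list;
# they remove nothing, so the anonymous DH suites in HIGH remain enabled
# and a client can negotiate an unauthenticated session.

# --- corrected ---
# Same protocol family, minus SSLv2.
SSLProtocol all -SSLv2

# "!" excludes for good: no anonymous (unauthenticated) and no null-encryption suites.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL

# Session cache as posted, but with a longer reuse window so returning
# clients resume instead of paying for a full handshake each time.
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 3600

# Check what a cipher string really enables ("Au=None" marks anonymous suites):
#   openssl ciphers -v 'HIGH:MEDIUM:+SHA1:+NULL:+aNULL:+eNULL' | grep 'Au=None'
#   openssl ciphers -v 'HIGH:MEDIUM:!aNULL:!eNULL' | grep -c 'Au=None'   (expect 0)
```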
Is it possible to not force SSL on port:443?
I am helping someone develop a product, and for the next little bit he will need to access port 443 without the communication being encrypted (aka he could telnet to it if he wanted). But in the very near future, he will want to make 443 encrypted.. Is it possible to not force encryption on port 443?

thanks!
Grr.. where is my CA's Certificate file?
Hello,

I am trying to set up apache to use a PKI (I think that is what it is called)... So each client will have to already have a public key to have access to my 'secure' apache server. I might hand out 5 of these public keys, and I want only those users to have access to this server.

My issue is this.. I cannot find my CA's certificate file (so I can tell ssl.conf about it via SSLCACertificateFile). I have run CA.pl -newca and then it creates these files:

--<<
[EMAIL PROTECTED] demoCA]# ls
cacert.pem  careq.pem  certs  crl  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial
[EMAIL PROTECTED] demoCA]# ls -R
.:
cacert.pem  careq.pem  certs  crl  index.txt  index.txt.attr  index.txt.old  newcerts  private  serial

./certs:

./crl:

./newcerts:
EC895C0D3F2DC916.pem

./private:
cakey.pem
[EMAIL PROTECTED] demoCA]#
--<<

but now where is the file I tell ssl.conf about via SSLCACertificateFile?

Sorry to bother you all, but I have been trying to find this out nearly all day.. without success :(

thanks for any input!
Lee
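The listing above already contains the answer: CA.pl -newca writes the self-signed CA certificate to demoCA/cacert.pem and the CA's private key to demoCA/private/cakey.pem. The vhost below is an added example, not the poster's configuration; it assumes the demoCA directory was moved to /etc/httpd/ssl/demoCA (placeholder path), reuses the websitename server cert/key paths from the other thread on this page, and the user names in the SSLRequire line are constructed placeholders.

```apache
# Added example: client-certificate authentication against the CA.pl demoCA.
# Assumed: demoCA copied to /etc/httpd/ssl/demoCA (placeholder); Apache 2.0/2.2 mod_ssl.
#
# What CA.pl -newca left behind:
#   demoCA/cacert.pem             self-signed CA certificate  -> SSLCACertificateFile
#   demoCA/private/cakey.pem      CA private key; only the signing machine needs it
#   demoCA/newcerts/<serial>.pem  copy of each certificate the CA has issued
#   demoCA/index.txt, serial      the CA's issuance database

<VirtualHost _default_:443>
    ServerName websitename
    DocumentRoot /var/www/websitename/
    ErrorLog /var/log/httpd/websitename-ssl-error.log
    CustomLog /var/log/httpd/websitename-ssl-access.log common

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/websitename/websitename.crt
    SSLCertificateKeyFile /etc/httpd/ssl/websitename/websitename.key

    # Trust anchor for client certificates: the CA's certificate, never its key.
    SSLCACertificateFile  /etc/httpd/ssl/demoCA/cacert.pem

    # Every client must present a certificate that chains to cacert.pem;
    # depth 1 means "issued directly by this CA", no intermediates.
    SSLVerifyClient require
    SSLVerifyDepth  1

    # "Only those users": any cert the CA signed passes SSLVerifyClient,
    # so pin the accepted subjects too (constructed placeholder names).
    <Location />
        SSLRequire %{SSL_CLIENT_S_DN_CN} in {"user1", "user2", "user3", "user4", "user5"}
    </Location>

    # Optional: publish a CRL (openssl ca -gencrl) so one handed-out cert
    # can be withdrawn without re-issuing the others.
    # SSLCARevocationFile /etc/httpd/ssl/demoCA/crl.pem
</VirtualHost>
```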
Re: Mod_ssl and how to reduce overhead (Thanks!)
Thanks for all the great info! It definitely gives me a nice footing from which I can start.
Re: Mod_ssl and how to reduce overhead
Ok, let's assume I can get a network connection with:

A) 10mbit
B) 100mbit
C) 1000mbit

And I will have 10k concurrent downloads (let us throw out 100k for now.. because I can always scale up figures if we get a base). (The reason I say 10k concurrent is because we have an update system (sorta like Windows Update).. and as soon as we tell their computer to update, we have 10k boxes saying give me the file!)

So my question is.. What would be the best (given we cannot do blades or the like since we have to use 'standard' 1u/2u/4u boxes from the dedi center)? Should we definitely beat the problem with iron and get 5 servers doing load balancing? 2 servers? If 2 servers, go with the 1000mbit connection?

thank you for all of your time and input!

thanks
Lee

----- Original Message -----
From: "Mads Toftum" <[EMAIL PROTECTED]>
To:
Sent: Monday, September 26, 2005 1:27 PM
Subject: Re: Mod_ssl and how to reduce overhead

> On Mon, Sep 26, 2005 at 11:28:11AM -0400, Pigeon wrote:
>> Hmm.. 10k -100k are pretty much guaranteed numbers..
>
> That's quite a wide margin. Are we talking concurrent users or just number of people who could be using it over a period of xx?
>
>> So my main computer crunching will be done at the beginning? (and to relieve this I can do session key caching.. how long can I cache a key? is this 'secure'?) (also.. all transfers will be ~15megs in size)
>
> well, with 15meg files you've got more work to do encrypting the content as the session goes along. You can cache the key as long as you want, but depending on the type of encryption used, most browsers will not allow the key to live for all that long. I usually run for about 1 hour, but ymmv depending on the chosen parameters.
>
>> And using a single server is out of the question?
>
> the number of concurrent users has very much to say in that regard. Maybe an ibm power 5 64 proc or a fully loaded sun e25k - and add an ssl accelerator to the mix.
>
>> If we just go with one server.. shouldn't it be something super fast.. amd64 1gig ram?
>
> Super fast / amd 64 with only 1 gig mem? you've got to be kidding - I'm pretty sure you couldn't keep up even without SSL. Doesn't your pr0n streaming business generate enough income to pay for a real server? ;)
>
> vh
>
> Mads Toftum
> --
> `Darn it, who spiked my coffee with water?!' - lwall
Re: Mod_ssl and how to reduce overhead
Hmm.. 10k -100k are pretty much guaranteed numbers..

So my main computer crunching will be done at the beginning? (and to relieve this I can do session key caching.. how long can I cache a key? is this 'secure'?) (also.. all transfers will be ~15megs in size)

And using a single server is out of the question?

If we just go with one server.. shouldn't it be something super fast.. amd64 1gig ram?

thanks!
Lee

On Mon, 26 Sep 2005, Pigeon wrote:

> Hello,
>
> I am trying to plan a system that can handle 10k-100k users. I am only using apache w/mod-ssl
> What should I look at to reduce overhead of bandwidth/cpu/mem?
> At what point should I look at ssl accelerators?
> Should I definitely look at clustering?
> Also.. I have heard about ssl session key caching, anyone know how much this will improve things?
> Any good resources I can read?
>
> thanks!
> Lee
Re: Mod_ssl and how to reduce overhead
We are going to have 10k-100k concurrent users (yeah... )
We are transferring EXE files (no not warez)
I am just trying to get some ideas.. I am concerned about all because I do not know what to be concerned about :/

thanks
Lee

----- Original Message -----
From: "Martin Strandbygaard" <[EMAIL PROTECTED]>
To:
Sent: Monday, September 26, 2005 8:42 AM
Subject: Re: Mod_ssl and how to reduce overhead

> Hi,
>
> A few words about intended usage would be of great help.
> - How many concurrent users
> - Type of transactions
> - You really think the http front is going to be your bottleneck? or are there back end systems that will pose a greater problem (I would think so)
>
> Why not just use a normal server as ssl accelerator? I know several SSL accelerator "appliances" that are just that anyway. Unless you have specific key handling requirements (FIPS140-3 or something), using normal server hardware is much cheaper.
>
> regards
> martin
>
> On 26/09/2005, at 14.35, Pigeon wrote:
>
>> Hello,
>>
>> I am trying to plan a system that can handle 10k-100k users. I am only using apache w/mod-ssl
>> What should I look at to reduce overhead of bandwidth/cpu/mem?
>> At what point should I look at ssl accelerators?
>> Should I definitely look at clustering?
>> Also.. I have heard about ssl session key caching, anyone know how much this will improve things?
>> Any good resources I can read?
>>
>> thanks!
>> Lee
Mod_ssl and how to reduce overhead
Hello,

I am trying to plan a system that can handle 10k-100k users. I am only using apache w/mod-ssl
What should I look at to reduce overhead of bandwidth/cpu/mem?
At what point should I look at ssl accelerators?
Should I definitely look at clustering?
Also.. I have heard about ssl session key caching, anyone know how much this will improve things?
Any good resources I can read?

thanks!
Lee