Re: [ANNOUNCE] mod_ssl 2.8.29 for Apache 1.3.39

2007-09-11 Thread Ralf S. Engelschall
On Mon, Sep 10, 2007, Ralf S. Engelschall wrote:

> Apache 1.3.39 was released recently.
> An updated mod_ssl 2.8.29 for Apache 1.3.39 is now available, too.
> Find it on: http://www.modssl.org/

Unfortunately, there was a bug in the auto-generated patch caused by a
changed number of patch hunks in the mod_status.c patch set. This is now
fixed with mod_ssl 2.8.30. Please use this updated version. Sorry for
the inconvenience.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
Official Announcement Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


[ANNOUNCE] mod_ssl 2.8.29 for Apache 1.3.39

2007-09-10 Thread Ralf S. Engelschall
Apache 1.3.39 was released recently.
An updated mod_ssl 2.8.29 for Apache 1.3.39 is now available, too.
Find it on: http://www.modssl.org/

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.28 for Apache 1.3.37

2006-07-28 Thread Ralf S. Engelschall
Apache 1.3.37 was released because of security issues.
Find a corresponding mod_ssl 2.8.28-1.3.37 at modssl.org now, too.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


[ANNOUNCE] mod_ssl 2.8.27 for Apache 1.3.36

2006-05-17 Thread Ralf S. Engelschall
Today Apache 1.3.36 was released.
An updated mod_ssl 2.8.27 for Apache 1.3.36 is now available, too.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.26 for Apache 1.3.35

2006-05-08 Thread Ralf S. Engelschall
mod_ssl 2.8.26 for Apache 1.3.35 is now available:

o http://www.modssl.org/source/
o ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.26 (18-Oct-2005 to 08-May-2006)

   *) Upgraded to Apache 1.3.35

   *) More correct prototype usage for passphrase callback.

   *) Some Win32 fixes.



Re: Cleanup of mod_ssl compiler warnings

2006-05-08 Thread Ralf S. Engelschall
On Fri, Feb 10, 2006, William A. Rowe, Jr. wrote:

> The following patches mop up some unnecessary compile warnings, when the
> functions are properly decorated.  It's been sitting in my drafts waiting
> for a subscription to go through for 3 months, so feel free to verify that
> they are still appropriate.
> [...]

I had to add some "#if SSL_LIBRARY_VERSION < 0x00904000
...#else..#endif" to the patches to let it still work on older OpenSSL
versions, but after this I've added to mod_ssl for release with version
2.8.26. Thanks for your contribution.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: ssl_callback_SSLVerify re-negotiation handshake crash

2006-05-08 Thread Ralf S. Engelschall
On Tue, Apr 04, 2006, Love Hörnquist Åstrand wrote:

> We are running 2.8.25-1.3.34 with openssl 0.9.7g. When using
> client authentication we have crashes in ssl_callback_SSLVerify
> related calls. Please see backtrace below.
>
> The last entries in the log before the child httpd starts crashing are:
>
> Awaiting re-negotiation handshake
>
> Has anyone seen problems like this before and has a solution?
> If not, we'll go ahead and add more logging and do more debugging of
> the problem.
>
> Love
>
>
> (gdb) bt
> #0  CRYPTO_get_ex_data (ad=0xe8, idx=137019688) at ex_data.c:628
> #1  0x4035c035 in SSL_get_ex_data (s=0x1, idx=296) at ssl_lib.c:2220
> #2  0x4031cf08 in ssl_callback_SSLVerify (ok=1, ctx=0xbfffed20)
> at ssl_engine_kernel.c:1507
> #3  0x404125ec in internal_verify (ctx=0x87f55e0) at x509_vfy.c:880
> #4  0x40411e66 in X509_verify_cert (ctx=0xbfffed20) at x509_vfy.c:306
> #5  0x0002 in ?? ()

I've checked the source and it seems like the SSL* returned by
X509_STORE_CTX_get_app_data() at ssl_engine_kernel.c:1506 is the root of
the problem. But I've no clue why it is not a valid one for you... you
have to add more debugging to the code to determine the problem.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: PATCH Prevent segfaults in connection state

2006-05-08 Thread Ralf S. Engelschall
On Fri, May 05, 2006, William A. Rowe, Jr. wrote:

> Ping, in anticipation of a 2.8.26 for 1.3.35 (are we expecting one?)
>
> I didn't see any feedback, do any of the Apache gurus have comments?  Any
> clarifications?  (I hope I made the specifics clear enough, below.)

Hmmm... the cleanup is done in the ssl_hook_CloseConnection()
function which comes after your ssl_hook_LogRequest() anyway. Do I
understand correctly: under Win32 the r->pool is cleaned up _before_
ssl_hook_CloseConnection() is called?

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.25-1.3.34 for Apache 1.3.34

2005-10-17 Thread Ralf S. Engelschall
Apache 1.3.34 was released, so I've upgraded mod_ssl to apply cleanly to
this Apache version. No other changes. Fetch mod_ssl 2.8.25-1.3.34 from
the usual locations:

o http://www.modssl.org/source/
o ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.24-1.3.33

2005-09-02 Thread Ralf S. Engelschall
A subtle security bug (CAN-2005-2700) was discovered in mod_ssl where
where "SSLVerifyClient require" was not enforced in per-location context
if "SSLVerifyClient optional" was configured in the global virtual
host configuration. This bug is now fixed in mod_ssl 2.8.24 for Apache
1.3.33. Get it from:

  o http://www.modssl.org/source/
  o ftp://ftp.modssl.org/source/

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.23 for Apache 1.3.33 and OpenSSL 0.9.8

2005-07-06 Thread Ralf S. Engelschall
As OpenSSL 0.9.8 was released today, I've released another maintenance
version mod_ssl 2.8.23 for use with Apache 1.3.33 and OpenSSL 0.9.8.
Included are also a few other changes (see below for details).

Get mod_ssl 2.8.23 from:

o http://www.modssl.org/source/
o ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.23 (30-Oct-2004 to 06-Jul-2005)

   *) Ported to OpenSSL 0.9.8

   *) Fixed connection timeout handling by calling the EAPI connection
      close hook after (and not before) the B_OUT flag was set on the
      underlying I/O buffer in order to prevent attempted buffer flushes
      from blocking the connection.

   *) Updated the ca-bundle.crt file from Mozilla's "certdata.txt"
      (CVS revision 1.37).

   *) Fix timeout handling in POST request processing by resetting
      timeouts.

   *) Fixed double-definition of OPENSSL_free under OpenSSL 0.9.6 by
      fixing the version test in ssl_util_ssl.h

   *) Adjusted all copyright messages to contain the new year 2005 ;)



Re: Connection time out problems

2005-07-06 Thread Ralf S. Engelschall
On Fri, Jun 10, 2005, Brian J. France wrote:

> I have a case where a https connection times out, which causes an alarm
> to trigger, apache start shutting down and mod_ssl tries to flush the
> buffer in a non-blocking way and hangs the connection until restart
> (see the backtrace below).
>
> I think the cause of this is the http_main.c patch for EAPI (see below)
> because it inserts the ap_call_close_connection_hook before setting
> B_EOUT instead of after.  If it would set B_OUT first and then call
> ap_call_close_connection_hook, any ap_bflush or ap_bwrite calls would
> return (-1) instead of trying to write data to the socket (in a
> non-blocking way).
>
> Thoughts?

I've now looked into this subtle problem in more detail and I think
your analysis is correct. The ap_bflush() in mod_ssl will hang the
connection if we don't set B_EOUT before calling the EAPI connection
close hook. For mod_ssl 2.8.23 I've now adjusted the two calls to
ap_call_close_connection_hook() to occur _after_ the ap_bsetflag() call.
Thanks for your feedback.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: updating ca-bundle.crt

2005-07-06 Thread Ralf S. Engelschall
On Wed, Feb 02, 2005, Joe Orton wrote:

> There was some discussion on modssl-users a while back on this topic; we
> had some concerns about extracting ca-bundle.crt directly from the
> Mozilla CA list sources.  But after discussing this with Frank Hecker
> and some others there is agreement that there are no licensing issues
> here really.
>
> So, attached is a Perl script which regenerates ca-bundle.crt directly
> from the Mozilla certdata.txt: Ralf, feel free to include this in
> mod_ssl or just update the mod_ssl ca-bundle.crt using it ;)

Thanks, Joe. I'll include this script into mod_ssl 2.8.23 together
with its latest output.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Bug+Patch: mod_ssl 2.8.22 ssl_io_suck() timeout handling

2005-07-06 Thread Ralf S. Engelschall
On Mon, Jun 27, 2005, Douglas K. Fischer wrote:

> In debugging a number of issues we encountered on some of our web
> platforms, I discovered that the "presucking" routine in mod_ssl
> handles the timeout of pre-sucking the POST data in such a manner that
> the entire POST body must be read within the Timeout value (per the
> Apache conf). This seems contrary to the handling of POST reading,
> especially per mod_perl's handling of this, as well as the manner in
> which Apache handles writing of data. In both of these cases a call to
> ap_reset_timeout() is used in between successful reads/writes to reset
> the timeout. This allows a large and/or slow transfer to succeed,
> provided that data is  read/written at such a pace that some chunk is
> sent/received within the Timeout value. Without such a reset, either
> the Apache Timeout value has to be set to a very high number, or else
> slow/large transfers will always fail if a pre-suck is required.
>
> Correcting this requires a simple 1-line patch to ssl_engine_io.c,
> listed below.
>
> --
> diff -Pur mod_ssl-2.8.22-1.3.33.orig/pkg.sslmod/ssl_engine_io.c
> mod_ssl-2.8.22-1.3.33/pkg.sslmod/ssl_engine_io.c
> --- mod_ssl-2.8.22-1.3.33.orig/pkg.sslmod/ssl_engine_io.c   Sat
> Jul 17 02:52:22 2004
> +++ mod_ssl-2.8.22-1.3.33/pkg.sslmod/ssl_engine_io.cMon Jun 27
> 12:32:10 2005
> @@ -228,6 +228,7 @@
> ~ while ((len = ap_get_client_block(r, buf, buflen)) > 0) {
> ~ ssl_io_suck_record(r, buf, len);
> ~ sucked += len;
> +ap_reset_timeout(r);
> ~ }
> ~ ssl_io_suck_end(r);
> ~ ap_kill_timeout(r);
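Review bot: the added `ap_reset_timeout(r)` turns Timeout from a cap on the whole POST body into a cap on the gap between two successive ap_get_client_block() reads, exactly as the description above says; the CHANGES entry should state that, because administrators who sized Timeout to bound total upload time for pre-sucked POSTs will no longer get that bound. Also, the context lines carry a leading `~` in place of their original indentation, so this hunk will not apply with patch(1) as pasted; an attachment would avoid the mangling.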
> --

Ok, finally taken over for inclusion into mod_ssl 2.8.23.
Thanks for your feedback.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: macro redefined: OPENSSL_free

2004-11-07 Thread Ralf S. Engelschall
On Tue, Nov 02, 2004, Hans Werner Strube wrote:

> When compiling modssl (at least 2.8.17 to 2.8.22, have overlooked this
> earlier), there are many warnings:
> "./ssl_util_ssl.h", line 90: warning: macro redefined: OPENSSL_free
> My openssl version is 0.9.6m (the latest 0.9.6 release), defining
> in opensslv.h and crypto.h, respectively:
> #define OPENSSL_VERSION_NUMBER 0x009060dfL
> #define OPENSSL_free(addr) CRYPTO_free(addr)
>
> Thus, since 0x009060df < 0x00906100, modssl uses free() instead of
> CRYPTO_free(). Is this really intended?
> Otherwise the SSL_LIBRARY_VERSION test in ssl_util_ssl.h, line 89, should
> use a smaller number than 0x00906100. AFAIK the macro OPENSSL_free was
> already introduced on the transition from 0.9.5 to 0.9.6.

Hmmm... yes, the problem was that between 0.9.5 and 0.9.6 the encoding
of OPENSSL_VERSION_NUMBER changed and it seems I adjusted the definition
in ssl_util_ssl.h without recognizing this. I'll use the following now:

-#if SSL_LIBRARY_VERSION < 0x00906100
+#if SSL_LIBRARY_VERSION < 0x00906000

Thanks for the hint.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
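As an added example (not code from the thread or from mod_ssl), here is the OPENSSL_VERSION_NUMBER layout used from OpenSSL 0.9.6 onwards decoded in C, which shows why 0x009060df (0.9.6m, the reporter's version) falls below the old 0x00906100 threshold (that value is 0.9.6p) but not below the corrected 0x00906000; the function and struct names are my own.

```c
#include <stdio.h>
#include <string.h>

/* OPENSSL_VERSION_NUMBER layout from OpenSSL 0.9.6 onwards: 0xMNNFFPPS
 *   M  = major (4 bits)      NN = minor (8 bits)      FF = fix (8 bits)
 *   PP = patch letter (8 bits; 0x00 = none, 0x01 = 'a', 0x0d = 'm', ...)
 *   S  = status (4 bits; 0x0 = development, 0xf = release)
 * Before 0.9.6 the fields were laid out differently, which is the cause of
 * the off-by-one-nibble threshold discussed in the thread. */
struct ossl_version {
    unsigned major, minor, fix, patch, status;
};

struct ossl_version ossl_decode(unsigned long v)
{
    struct ossl_version r;
    r.major  = (unsigned)((v >> 28) & 0x0f);
    r.minor  = (unsigned)((v >> 20) & 0xff);
    r.fix    = (unsigned)((v >> 12) & 0xff);
    r.patch  = (unsigned)((v >>  4) & 0xff);
    r.status = (unsigned)( v        & 0x0f);
    return r;
}

/* Render a version number as the familiar "0.9.6m" string into out.
 * Patch values beyond 'z' are shown numerically rather than as a letter. */
void ossl_format(unsigned long v, char *out, size_t n)
{
    struct ossl_version r = ossl_decode(v);
    if (r.patch == 0)
        snprintf(out, n, "%u.%u.%u", r.major, r.minor, r.fix);
    else if (r.patch <= 26)
        snprintf(out, n, "%u.%u.%u%c", r.major, r.minor, r.fix,
                 (char)('a' + r.patch - 1));
    else
        snprintf(out, n, "%u.%u.%u+%u", r.major, r.minor, r.fix, r.patch);
}

/* Does v render as the given string? (handy for checks without a buffer) */
int ossl_version_is(unsigned long v, const char *expected)
{
    char buf[32];
    ossl_format(v, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* The test in ssl_util_ssl.h: an OpenSSL below the threshold is assumed to
 * lack OPENSSL_free, so mod_ssl supplies its own definition. Returns 1 when
 * that fallback definition would be compiled in (and, on a library that
 * already has the macro, would trigger the "macro redefined" warning). */
int uses_openssl_free_fallback(unsigned long v, unsigned long threshold)
{
    return v < threshold;
}

int main(void)
{
    unsigned long v = 0x009060dfUL;   /* OpenSSL 0.9.6m, value from the report */
    char buf[32];
    ossl_format(v, buf, sizeof buf);
    printf("%#lx is OpenSSL %s\n", v, buf);
    printf("old threshold 0x00906100: fallback=%d (redefines the macro)\n",
           uses_openssl_free_fallback(v, 0x00906100UL));
    printf("new threshold 0x00906000: fallback=%d\n",
           uses_openssl_free_fallback(v, 0x00906000UL));
    return 0;
}
```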



[ANNOUNCE] mod_ssl 2.8.22 for Apache 1.3.33

2004-10-30 Thread Ralf S. Engelschall
Apache 1.3.32's mod_ssl 2.8.21 still works fine for Apache 1.3.33.
Nevertheless I've rolled a new patch-adjusted version mod_ssl 2.8.22
which fits 1:1 for Apache 1.3.33.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.21 for Apache 1.3.32

2004-10-22 Thread Ralf S. Engelschall
Apache 1.3.32 was released. Although mod_ssl 2.8.20-1.3.31 both applies
and works fine with Apache 1.3.32, I've upgraded mod_ssl to this new
Apache version and released the results as mod_ssl 2.8.21-1.3.32.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.20-1.3.31

2004-10-15 Thread Ralf S. Engelschall
Prompted by a security issue (see below), mod_ssl 2.8.20 for Apache
1.3.31 was released today. You can get it at the usual location:

o http://www.modssl.org/source/
o ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.20 (16-Jul-2004 to 15-Oct-2004)

   *) With OpenSSL 0.9.7, prevent session resumption during a
      renegotiation to force the client to negotiate a new (and
      acceptable to mod_ssl) cipher suite. Additionally, ensure
      that a correct cipher suite has been negotiated afterwards
      (CAN-2004-0885).

   *) Fixed more printf(3) style format string bugs (not security
      related) which could crash the server if mod_ssl's trace
      or debug log level is enabled.


Re: Remarks to [ANNOUNCE] mod_ssl 2.8.19

2004-07-25 Thread Ralf S. Engelschall

In article <[EMAIL PROTECTED]> you wrote:
> Ralf S. Engelschall wrote:
> 
> > Yes, although they are not security related, they could crash the
> > server, too. So we should fix those formatting bugs, too. A little bit
> > of extra casting might be required, I think. I've now committed to my
> > CVS for mod_ssl 2.8.20 the following patch. Thanks for your feedback.
> 
> Might mod_ssl 2.8.20 be released in the near future, e.g within a week?

No, I'll certainly accumulate more fixes before a release, I think.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31

2004-07-16 Thread Ralf S. Engelschall
On Fri, Jul 16, 2004, Joe Orton wrote:

> I'm checking an older version of mod_ssl but there are a couple of other
> uninteresting format string warnings from gcc.  I think it's portable to
> assume time_t is a long...
> [...]

Yes, although they are not security related, they could crash the
server, too. So we should fix those formatting bugs, too. A little bit
of extra casting might be required, I think. I've now committed to my
CVS for mod_ssl 2.8.20 the following patch. Thanks for your feedback.
Please commit a similar patch to mod_ssl for Apache 2.x, please.

Index: ssl_engine_io.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_io.c,v
retrieving revision 1.36
diff -u -d -r1.36 ssl_engine_io.c
--- ssl_engine_io.c 11 May 2004 18:44:15 -  1.36
+++ ssl_engine_io.c 17 Jul 2004 06:52:22 -
@@ -682,7 +682,7 @@
 }
 if (trunc > 0)
 ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID,
-"| %04x - ", len + trunc);
+"| %04lx - ", len + trunc);
 ssl_log(srvr, SSL_LOG_DEBUG|SSL_NO_TIMESTAMP|SSL_NO_LEVELID,
 
"+-+");
 return;
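Review bot: `%04lx` is only right if both `len` and `trunc` are of type long; the other hunks in this patch add explicit `(long)` casts, so `(long)(len + trunc)` here would make the intent self-evident and keep the line correct if either variable is later changed to int or size_t.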
@@ -704,21 +704,21 @@
 || cmd == (BIO_CB_READ |BIO_CB_RETURN) ) {
 if (rc >= 0) {
 ssl_log(s, SSL_LOG_DEBUG,
-"%s: %s %ld/%d bytes %s BIO#%08X [mem: %08lX] %s",
+"%s: %s %ld/%d bytes %s BIO#%08lX [mem: %08lX] %s",
 SSL_LIBRARY_NAME,
 (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
 rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" : "from"),
-bio, argp,
+(long)bio, (long)argp,
 (argp != NULL ? "(BIO dump follows)" : "(Ops, no memory 
buffer?)"));
 if (argp != NULL)
 ssl_io_data_dump(s, argp, rc);
 }
 else {
 ssl_log(s, SSL_LOG_DEBUG,
-"%s: I/O error, %d bytes expected to %s on BIO#%08X [mem: %08lX]",
+"%s: I/O error, %d bytes expected to %s on BIO#%08lX [mem: 
%08lX]",
 SSL_LIBRARY_NAME, argi,
 (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"),
-bio, argp);
+(long)bio, (long)argp);
 }
 }
 return rc;
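Review bot: `(long)bio` and `(long)argp` with `%08lX` still assume a pointer fits in a long, which holds on ILP32 and LP64 hosts but not on LLP64 (64-bit Windows, where long stays 32 bits), so the address would be truncated there; `%p` is the portable conversion for a pointer, and if the fixed-width hex rendering is wanted, cast through `unsigned long` rather than `long`, since `%lX` expects an unsigned argument. `%d` for `argi` is fine as long as argi remains an int.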
Index: ssl_engine_kernel.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.146
diff -u -d -r1.146 ssl_engine_kernel.c
--- ssl_engine_kernel.c 27 May 2004 13:13:32 -  1.146
+++ ssl_engine_kernel.c 17 Jul 2004 06:50:10 -
@@ -1793,10 +1793,10 @@
  * Log this cache operation
  */
 ssl_log(s, SSL_LOG_TRACE, "Inter-Process Session Cache: "
-"request=SET status=%s id=%s timeout=%ds (session caching)",
+"request=SET status=%s id=%s timeout=%lds (session caching)",
 rc == TRUE ? "OK" : "BAD",
 SSL_SESSION_id2sz(pNew->session_id, pNew->session_id_length),
-t-time(NULL));
+(long)(t-time(NULL)));

 /*
  * return 0 which means to OpenSSL that the pNew is still
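Review bot: `(long)(t-time(NULL))` with `%lds` relies on the assumption Joe stated, that time_t fits in a long; a one-line comment at the call site saying so would stop a later move to a 64-bit time_t on a 32-bit-long platform from silently truncating here. Style: spaces around the operator, `t - time(NULL)`, as in the rest of the file.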

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
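The pattern the patch applies, as an added C example that is not mod_ssl code: a printf-style logging wrapper carrying a format attribute so the compiler flags mismatched conversions, a time_t difference cast to long for `%ld`, and a pointer cast to unsigned long for a fixed-width hex field (which, like the patch's `(long)bio`, assumes a pointer fits in a long). The wrapper and its static buffer are my own stand-in for ssl_log().

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Stand-in for ssl_log(): formats into a static buffer and returns it (not
 * reentrant; fine for a demonstration). The format attribute makes gcc and
 * clang check every argument against its conversion at compile time, which
 * is how the warnings Joe mentioned are produced. */
static char logbuf[160];

#ifdef __GNUC__
__attribute__((format(printf, 1, 2)))
#endif
static const char *log_fmt(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(logbuf, sizeof logbuf, fmt, ap);
    va_end(ap);
    return logbuf;
}

/* Session cache line: time_t has no portable printf conversion, so the
 * difference is cast to long and printed with %ld, as the patch does.
 * Writing "timeout=%ds" with the raw time_t difference instead would draw a
 * -Wformat warning here and read garbage where time_t is wider than int. */
const char *fmt_session_timeout(time_t expires, time_t now)
{
    return log_fmt("request=SET status=%s timeout=%lds (session caching)",
                   "OK", (long)(expires - now));
}

/* BIO trace line: printing a pointer through %08X passes a pointer where an
 * int is expected and breaks on LP64. Casting via uintptr_t to unsigned long
 * and using %lx is correct wherever a pointer fits in a long (ILP32, LP64);
 * %p is the fully portable alternative when the exact width does not matter. */
const char *fmt_bio_event(const void *bio, long rc, int argi)
{
    return log_fmt("%s: write %ld/%d bytes to BIO#%08lx",
                   "OpenSSL", rc, argi, (unsigned long)(uintptr_t)bio);
}

int main(void)
{
    /* constructed sample values, not real session or BIO data */
    puts(fmt_session_timeout((time_t)1300, (time_t)1000));
    puts(fmt_bio_event((const void *)(uintptr_t)0x1234, 512, 512));
    return 0;
}
```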



[ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31

2004-07-16 Thread Ralf S. Engelschall
We've today found an ssl_log() related format string vulnerability in
the mod_proxy hook functions of mod_ssl for Apache 1.3.x (mod_ssl for
Apache 2.x is not affected). A mod_ssl 2.8.19 for Apache 1.3.31 was
created which fixes this potential security hole.

Get mod_ssl-2.8.19-1.3.31.tar.gz from:

o http://www.modssl.org/source/
o ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com


spam to internal exploder list now rejected

2004-07-16 Thread Ralf S. Engelschall
Recently there was often spam on modssl-users because spammers directly
sent to the internal mailing list exploder address and the prevention
configuration for this had a subtle bug. The filter is now fixed and
such mails are now successfully rejected. Sorry for the inconvenience.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.18

2004-05-27 Thread Ralf S. Engelschall
A security issue was discovered.
It is now fixed with mod_ssl 2.8.18.
Please upgrade your installations ASAP.

o http://www.modssl.org/source/
o ftp://ftp.modssl.org/source/

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.18 (11-May-2004 to 27-May-2004)

   *) Fix buffer overflow in "SSLOptions +FakeBasicAuth" implementation
      if the Subject-DN in the client certificate exceeds 6KB in length.
      (CVE CAN-2004-0488).

   *) Handle the case of OpenSSL retry requests after interrupted system
      calls during the SSL handshake phase.

   *) Remove some unused functions.



Re: [ANNOUNCE] mod_ssl 2.8.17 for Apache 1.3.31

2004-05-27 Thread Ralf S. Engelschall
On Fri, May 14, 2004, a k wrote:

> Did you add my eintr fix ?
> [...]

Ops, I seem to have overlooked this.
I'll include this into mod_ssl 2.8.18.
Thanks.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.17 for Apache 1.3.31

2004-05-12 Thread Ralf S. Engelschall
Yesterday Apache 1.3.31 was released. I've updated mod_ssl 2.8 to this
version and released the result (together with some other pending
bugfixes; see below) as mod_ssl 2.8.17-1.3.31. You can find it under the
usual locations:

  o http://www.modssl.org/source/
  o ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.17 (01-Nov-2003 to 11-May-2004)

   *) Upgraded to Apache 1.3.31

   *) Log the OpenSSL error stack contents if the crypto engine
      load/init fails.

   *) Fixed segfault in lookup of variable SESSION_ID
      in case SSL_get_session() returns NULL.

   *) Bugfix "dbm" session cache: the DBM file was closed
      too early (before accessing the data).

   *) Bugfix "shmcb" session cache for situations where
      the session data is bigger than the cache size.



Re: A suggestion

2004-03-31 Thread Ralf S. Engelschall
On Wed, Mar 31, 2004, Bryn Dyment wrote:

> Let's assume that the list masters are now aware there's a serious problem
> with the list.  I suggest we give them a couple of days to solve the
> problem, then send a "things are fixed" e-mail to the list (or a status
> update if things are still not fixed after a few days).
> [...]

The web interface had a bug. I've fixed it and it should now work again.
The email interface to Majordomo is not broken AFAIK. There are plenty
of people successfully subscribing and unsubscribing from the list. The
reason why people have problems unsubscribing is that they
subscribed under a different email address than the one under which
they try to unsubscribe. For instance, I searched for four people on the
previous thread who wanted to unsubscribe and was able to find only one
(I tried all forms of substrings of their name, email address,
etc).

The others definitely have subscribed under totally different addresses
and until they tell Majordomo or me what address this was, there is no
chance to unsubscribe them, of course. But please stop complaining on
the list. Contact me personally and tell me all your email addresses
you used in the past and I will try to remove all of them from the list
manually.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.16 for Apache 1.3.29

2003-11-01 Thread Ralf S. Engelschall
Apache 1.3.29 was released a few days ago. Although mod_ssl 2.8.15 would
still work fine with it, as usual, I take this new Apache release as the
trigger for releasing a corresponding mod_ssl version -- which is again
100% aligned to Apache 1.3.29 and also includes a few bugfixes which
were pending in my maintenance queue (see CHANGES entries below).

Fetch mod_ssl 2.8.16 from:

o http://www.modssl.org/source/
o ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.16 (18-Jul-2003 to 01-Nov-2003)

   *) Upgraded to Apache 1.3.29

   *) Avoid memory corruption in certificate handling caused by a heap
      memory double-freeing situation.

   *) Allow "HTTPS" variable to be passed through by suEXEC.

   *) Clear the OpenSSL error code in pass phrase reading code to
      workaround the following situation: multiple keys, all with
      different passphrases -- entering the correct pass phrase at each
      prompt leads to an OpenSSL error message after the last prompt.

   *) Reverted the recent change where ap_cleanup_for_exec() called
      ap_kill_alloc_shared(). This caused nasty side-effects in other
      processes and is not necessary at all (because shared memory
      segments are not inherited across exec).

   *) mod_ssl was checking the OpenSSL error reason code against
      SSL_R_HTTP_REQUEST and concluded the result is an SSL error. Since
      OpenSSL reason codes are not unique, this isn't always the case.
      It now additionally checks that the library is the SSL library.



Re: apache 1.3.29?

2003-10-30 Thread Ralf S. Engelschall

In article <[EMAIL PROTECTED]> you wrote:
> Andreas Gietl wrote:
>> 
>> On Wednesday 29 October 2003 15:39, Jim Jagielski wrote:
>> 
>> i guess there will be a new patch within the next days/hours?
> 
> I would guess, but that's not my area :)

Yes, there will be a mod_ssl 2.8.16 released today or tomorrow. I've
already upgraded mod_ssl to Apache 1.3.29, but I've still to include
some other fixes. But 2.8.15 works fine with Apache 1.3.29, so no need
to hurry here...

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.15 for Apache 1.3.28

2003-07-18 Thread Ralf S. Engelschall
As you've certainly recognized, Apache 1.3.28 was released. I've
prepared the companion mod_ssl 2.8.15 which cleanly (without any
conflicts) patches into its source tree.

As usual, you can find it under:

o http://www.modssl.org/source/
o ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.14-1.3.27

2003-03-21 Thread Ralf S. Engelschall
Sorry, mod_ssl 2.8.13 introduced two nasty bugs which let the server
crash. This is now fixed with mod_ssl 2.8.14 together with one more
long-standing crash bug related to the SHMHT session cache. Please
upgrade to this latest mod_ssl 2.8 version for Apache 1.3. Thanks.

o http://www.modssl.org/source/
o ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.14 (18-Mar-2002 to 21-Mar-2003)

   *) Fixed logic in the destruction of a temporary certificate
      structure and this way avoid a crash due to freeing NULL object.

   *) Removed one newly introduced X509_free() call in the context of
      SSL_get_certificate(), because this function does not increment a
      reference count (although SSL_get_peer_certificate() does).

   *) Fixed hash-table based shared memory session cache (shmht)
      implementation by making sure that the underlying hash table
      library does not crash if memory cannot be allocated.



[PATCH] Segfaults in 2.8.13 (was: Re: mod_ssl/2.8.13 and php)

2003-03-21 Thread Ralf S. Engelschall
On Fri, Mar 21, 2003, Ralf S. Engelschall wrote:

> > I can see the same segmentation fault :
> [...]

Ok, can the people who are able to reproduce the segfault problem,
please apply the following patch, retry it and give feedback? I think
these two bugfixes should fix the problem now. If yes, I'll release
mod_ssl 2.8.14 with it. Thanks for your help.

Index: ssl_engine_kernel.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.136
diff -u -d -r1.136 ssl_engine_kernel.c
--- ssl_engine_kernel.c 19 Nov 2002 13:57:01 -  1.136
+++ ssl_engine_kernel.c 21 Mar 2003 12:39:47 -
@@ -1048,13 +1048,15 @@
 "Re-negotiation handshake failed: Client verification 
failed");
 return FORBIDDEN;
 }
+cert = SSL_get_peer_certificate(ssl);
 if (   dc->nVerifyClient == SSL_CVERIFY_REQUIRE
-&& (cert = SSL_get_peer_certificate(ssl)) == NULL) {
+&& cert == NULL) {
 ssl_log(r->server, SSL_LOG_ERROR,
 "Re-negotiation handshake failed: Client certificate 
missing");
-X509_free(cert);
 return FORBIDDEN;
 }
+if (cert != NULL)
+X509_free(cert);
 }
 }
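Review bot: the removed `X509_free(cert)` ran only in the branch where `cert == NULL`, which is the crash this hunk cures, but the new shape now calls SSL_get_peer_certificate() on every renegotiation even when `dc->nVerifyClient` is not SSL_CVERIFY_REQUIRE, taking a reference that is never looked at and then releasing it. Either move the fetch inside the REQUIRE branch, or keep it unconditional and add a comment that SSL_get_peer_certificate() returns a new reference, so the trailing `if (cert != NULL) X509_free(cert);` is correct here while the same call on SSL_get_certificate() in ssl_engine_vars.c is not.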

Index: ssl_engine_vars.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_vars.c,v
retrieving revision 1.53
diff -u -d -r1.53 ssl_engine_vars.c
--- ssl_engine_vars.c   29 Oct 2002 13:00:46 -  1.53
+++ ssl_engine_vars.c   21 Mar 2003 12:40:12 -
@@ -322,7 +322,9 @@
 else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "SERVER_", 7)) {
 if ((xs = SSL_get_certificate(ssl)) != NULL) {
 result = ssl_var_lookup_ssl_cert(p, xs, var+7);
-X509_free(xs);
+/* SSL_get_certificate() as of OpenSSL 0.9.7a does not increment
+   the reference count the same way SSL_get_peer_certificate does,
+   so no need to X509_free(xs) the stuff here. */
 }
 }
 return result;
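Review bot: the new comment ties the ownership rule to "as of OpenSSL 0.9.7a", which reads as though the behaviour changed in that release; as Joe's reply on the list states, SSL_get_certificate() simply does not take a reference on the certificate it hands back, so phrase it as a general rule (borrowed pointer, caller must not free) and drop the version qualifier, otherwise a later reader may reintroduce the X509_free() assuming a newer OpenSSL changed the contract. With the free gone, the braces that were added around the single statement in the earlier attempt can be dropped again too.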

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: mod_ssl/2.8.13 and php

2003-03-21 Thread Ralf S. Engelschall
On Fri, Mar 21, 2003, Joe Orton wrote:

> On Fri, Mar 21, 2003 at 12:30:36PM +0100, Ralf S. Engelschall wrote:
> > -if ((xs = SSL_get_certificate(ssl)) != NULL)
> > +if ((xs = SSL_get_certificate(ssl)) != NULL) {
> >  result = ssl_var_lookup_ssl_cert(p, xs, var+7);
> > +X509_free(xs);
> > +}
> >  }
>
> That isn't safe, SSL_get_certificate doesn't increase the refcount on
> the certificate (unlike SSL_peer_get_certificate).

Oops, great catch! Yes, you're right, I was not aware of this subtle
difference. Will be fixed.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
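
The ownership rule behind this crash, as an added example (editor's illustration, not mod_ssl or OpenSSL code, and it runs without OpenSSL): a toy reference-counted certificate with a getter that returns a borrowed pointer, standing in for SSL_get_certificate(), and one that returns an owned reference, standing in for SSL_get_peer_certificate(), plus the variable lookup both with the 2.8.13 mistake and as fixed in the patch above. All names (cert_t, conn_t, conn_get_certificate, conn_get_peer_certificate, lookup_fixed, lookup_buggy_server) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Editor's illustration, not mod_ssl or OpenSSL code: a toy reference-counted
 * certificate with the two ownership rules from the thread, a getter that
 * returns a borrowed pointer (as SSL_get_certificate() does) and one that
 * returns an owned reference (as SSL_get_peer_certificate() does). */

static int g_destroyed = 0;   /* certificate objects destroyed so far */

typedef struct { int refs; char subject[64]; } cert_t;   /* refs: live references */
typedef struct { cert_t *own_cert; cert_t *peer_cert; } conn_t;   /* both owned by the connection */

static cert_t *cert_new(const char *subject)
{
    cert_t *c = calloc(1, sizeof *c);
    if (c == NULL) abort();
    c->refs = 1;
    snprintf(c->subject, sizeof c->subject, "%s", subject);
    return c;
}

/* Drops one reference; like X509_free() it tolerates NULL. */
static void cert_free(cert_t *c)
{
    if (c == NULL) return;
    if (--c->refs == 0) {
        memset(c, 0xdd, sizeof *c);   /* poison so a dangling read is obvious */
        free(c);
        g_destroyed++;
    }
}

/* Borrowed: the pointer still belongs to the connection; caller must not free. */
static cert_t *conn_get_certificate(conn_t *s) { return s->own_cert; }

/* Owned: the count is raised for the caller, who releases with cert_free(). */
static cert_t *conn_get_peer_certificate(conn_t *s)
{
    if (s->peer_cert != NULL) s->peer_cert->refs++;
    return s->peer_cert;
}

/* Lookup in the shape of ssl_var_lookup_ssl() after the fix: CLIENT_ releases
 * the reference it was handed, SERVER_ never owned one. Returns 1 on success. */
static int lookup_fixed(conn_t *s, const char *var, char *out, size_t outlen)
{
    cert_t *xs;
    if (strncmp(var, "CLIENT_", 7) == 0) {
        if ((xs = conn_get_peer_certificate(s)) == NULL) return 0;
        snprintf(out, outlen, "%s", xs->subject);
        cert_free(xs);
        return 1;
    }
    if (strncmp(var, "SERVER_", 7) == 0) {
        if ((xs = conn_get_certificate(s)) == NULL) return 0;
        snprintf(out, outlen, "%s", xs->subject);
        return 1;                 /* no cert_free(): not ours to drop */
    }
    return 0;
}

/* The 2.8.13 mistake: the borrowed SERVER_ pointer treated as if owned. */
static int lookup_buggy_server(conn_t *s, char *out, size_t outlen)
{
    cert_t *xs = conn_get_certificate(s);
    if (xs == NULL) return 0;
    snprintf(out, outlen, "%s", xs->subject);
    cert_free(xs);                /* drops the connection's only reference */
    return 1;
}

/* 1 if repeated fixed lookups leave both counts where they started. */
static int fixed_lookups_are_balanced(void)
{
    conn_t s = { cert_new("CN=server.example"), cert_new("CN=client.example") };
    char buf[64]; int i, ok;
    for (i = 0; i < 10; i++) {
        lookup_fixed(&s, "CLIENT_S_DN", buf, sizeof buf);
        lookup_fixed(&s, "SERVER_S_DN", buf, sizeof buf);
    }
    ok = (s.own_cert->refs == 1 && s.peer_cert->refs == 1);
    cert_free(s.own_cert);
    cert_free(s.peer_cert);
    return ok;
}

/* Objects destroyed by one buggy SERVER_ lookup while the connection still
 * points at them; above 0 means the next lookup would read freed memory. */
static int objects_destroyed_by_buggy_lookup(void)
{
    conn_t s = { cert_new("CN=server.example"), NULL };
    char buf[64]; int before = g_destroyed;
    lookup_buggy_server(&s, buf, sizeof buf);
    /* s.own_cert now dangles: do not read it and do not free it again */
    return g_destroyed - before;
}
```

The fixed lookup leaves both counts at 1 however often it runs, while the buggy SERVER_ path destroys the connection's own certificate in a single call; the next SERVER_* lookup on that connection is the use-after-free in the backtrace. The question to ask of every OpenSSL accessor is the same one: does it hand me a reference I must release, or a pointer that still belongs to the object I got it from.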



Re: mod_ssl/2.8.13 and php

2003-03-21 Thread Ralf S. Engelschall
On Thu, Mar 20, 2003, Artur Pydo wrote:

> I can see the same segmentation fault :
>
> FreeBSD 4.8-STABLE
> Apache 1.3.27
> Openssl 0.9.7a
> Modssl 2.8.13
> PHP 4.3.1 / PHP 4.3.2RC1 / PHP 4.3.2-snapshot
>
> It happens both with static compilation and as DSO.
>
> The backtrace seems to point out an error in
> ssl_var_lookup_ssl_cert().
>
> This problem only appears with PHP compiled in and
> asking for a .php document. I mean asking for an html
> document works fine.
>
> Backtrace (sorry for the formatting) :
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x283a6e9a in ssl_var_lookup_ssl_cert () from
> /usr/local/apache/libexec/libssl.so
> (gdb) bt
> #0  0x283a6e9a in ssl_var_lookup_ssl_cert () from
> /usr/local/apache/libexec/libssl.so
> #1  0x283a6d49 in ssl_var_lookup_ssl () from
> /usr/local/apache/libexec/libssl.so
> #2  0x283a6291 in ssl_var_lookup () from /usr/local/apache/libexec/libssl.so
> #3  0x283a11c8 in ssl_hook_Fixup () from /usr/local/apache/libexec/libssl.so
> #4  0x805472b in run_method (r=0x815d034, offset=29, run_all=1) at
> http_config.c:370
> #5  0x805480a in ap_run_fixups (r=0x815d034) at http_config.c:397
> #6  0x806a7cc in process_request_internal (r=0x815d034) at
> http_request.c:1303
> #7  0x806a866 in ap_process_request (r=0x815d034) at http_request.c:1324
> #8  0x80610eb in child_main (child_num_arg=0) at http_main.c:4689
> #9  0x80612cd in make_child (s=0x80b0034, slot=0, now=1048177481) at
> http_main.c:4813
> #10 0x8061446 in startup_children (number_to_start=5) at http_main.c:4895
> #11 0x8061a74 in standalone_main (argc=5, argv=0xbfbffb04) at
> http_main.c:5203
> #12 0x80622f0 in main (argc=5, argv=0xbfbffb04) at http_main.c:5566
> #13 0x804f4b1 in _start ()

Hmmm... I've looked in depth at the changes to ssl_engine_vars.c
and they all look correct:

Index: ssl_engine_vars.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_vars.c,v
retrieving revision 1.51
retrieving revision 1.53
diff -u -d -u -3 -r1.51 -r1.53
--- ssl_engine_vars.c   29 Jun 2002 07:42:51 -  1.51
+++ ssl_engine_vars.c   29 Oct 2002 13:00:46 -  1.53
@@ -314,12 +314,16 @@
 result = ssl_var_lookup_ssl_cert_verify(p, c);
 }
 else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "CLIENT_", 7)) {
-if ((xs = SSL_get_peer_certificate(ssl)) != NULL)
+if ((xs = SSL_get_peer_certificate(ssl)) != NULL) {
 result = ssl_var_lookup_ssl_cert(p, xs, var+7);
+X509_free(xs);
+}
 }
 else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "SERVER_", 7)) {
-if ((xs = SSL_get_certificate(ssl)) != NULL)
+if ((xs = SSL_get_certificate(ssl)) != NULL) {
 result = ssl_var_lookup_ssl_cert(p, xs, var+7);
+X509_free(xs);
+}
 }
 return result;
 }
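Review bot: The SERVER_ branch at the end of this hunk frees a pointer it does not own. SSL_get_certificate() returns the connection's own certificate without incrementing its reference count, unlike SSL_get_peer_certificate(), so the added X509_free(xs) there destroys the server certificate on the first SERVER_* lookup; the next request that resolves an SSL_SERVER_* variable then reads freed memory in ssl_var_lookup_ssl_cert(), which is exactly the ssl_hook_Fixup -> ssl_var_lookup -> ssl_var_lookup_ssl -> ssl_var_lookup_ssl_cert chain in the backtrace quoted above. The CLIENT_ branch is correct as changed, since the peer-certificate getter does take a reference. Keep the new braces if you like, but drop the X509_free(xs) from the SERVER_ branch only.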
@@ -352,7 +356,7 @@
 xsname = X509_get_subject_name(xs);
 cp = X509_NAME_oneline(xsname, NULL, 0);
 result = ap_pstrdup(p, cp);
-free(cp);
+OPENSSL_free(cp);
 resdup = FALSE;
 }
 else if (strlen(var) > 5 && strcEQn(var, "S_DN_", 5)) {
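Review bot: Correct pairing. X509_NAME_oneline(xsname, NULL, 0) allocates its result through OpenSSL's own allocator, so it must be released with OPENSSL_free(); the plain free() it replaces is a mismatch that breaks as soon as OpenSSL uses a different allocator or C runtime than the caller (Win32 DLL builds are the usual case). On the surrounding lines: X509_NAME_oneline() returns NULL on allocation failure and cp goes straight to ap_pstrdup(), which is fine because Apache 1.3's ap_pstrdup() returns NULL for a NULL input and OPENSSL_free(NULL) is a no-op, so no extra check is needed.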
@@ -364,7 +368,7 @@
 xsname = X509_get_issuer_name(xs);
 cp = X509_NAME_oneline(xsname, NULL, 0);
 result = ap_pstrdup(p, cp);
-free(cp);
+OPENSSL_free(cp);
 resdup = FALSE;
 }
 else if (strlen(var) > 5 && strcEQn(var, "I_DN_", 5)) {
@@ -543,6 +547,10 @@
 else
 /* client verification failed */
 result = ap_psprintf(p, "FAILED:%s", verr);
+
+if (xs != NULL)
+X509_free(xs);
+
 return result;
 }
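Review bot: The new "if (xs != NULL) X509_free(xs);" before the final return balances a reference only if xs in this function came from a getter that takes one, i.e. SSL_get_peer_certificate(); the lines shown do not include where xs is obtained, so please confirm that at the top of the enclosing function, because freeing a pointer borrowed from the SSL object would destroy a certificate the connection still references. Also check that no earlier return in the function exits before this release, or the leak being fixed survives on those paths. The NULL guard is redundant since X509_free(NULL) is a no-op, but harmless.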


Additionally, I still cannot reproduce the problem myself. So, can you
help me here by setting a breakpoint at ssl_var_lookup_ssl_cert() and
then single-stepping until the problem occurs? This would help us in
really locating the problem.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.13

2003-03-18 Thread Ralf S. Engelschall
Another maintenance release of mod_ssl 2.8 for Apache 1.3 delivers to
you mod_ssl 2.8.13 for Apache 1.3.27. Changes are listed below. Grab it
from the following locations:

o http://www.modssl.org/source/
o ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.13 (23-Oct-2002 to 18-Mar-2003)

   *) Always enforce RSA blinding on RSA private keys in order to be
  resistant to timing attacks.

   *) Added timeout also to the "pre-sucking" of the trailing data in
  POST request handling.

   *) Correctly shutdown shared memory pools on fork+exec situations.

   *) Bugfix SSL client certificate verification: OpenSSL was not
  informed with SSL_set_verify_result(ssl, X509_V_OK) in case
  mod_ssl forced the verification to be ok.

   *) Consistently use OPENSSL_free() instead of plain free() to
  deallocate memory chunks allocated inside OpenSSL.

   *) Fixed various memory leaks related to X509 certificates.



Re: mod_ssl Project Environment Migrated

2002-12-15 Thread Ralf S. Engelschall

In article <[EMAIL PROTECTED]> you wrote:

>> > > Just for your information: the Apache mod_ssl project environment was
>> > > migrated to a new location. In case of any problems, contact me.
>> > >
>> > It seems that cvs is broken - http://www.modssl.org/source/cvs/ and
>> > the docs taken from the source - like
>> > http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL
>> > both result in Internal Server Error.
>> 
>> Oops, yes, of course. Because there is no more active development on
>> mod_ssl for Apache 1.3, the CVS environment is no longer provided
>> publicly (because there would be no interesting things to monitor at
>> all) and hence the new public project environment has no CVS setup.
>> So, CVS related things are now gone from the website. Just my fault in
>> forgetting to synchronize the website. Now fixed. Thanks for the hint.
> 
> does this imply there is to be no more apache 1.3 development or version
> updates, thus modssl is now moving entirely into the source for apache
> 2.0?

Err... mod_ssl already _IS_ included in the official Apache 2 source tree...

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: mod_ssl Project Environment Migrated

2002-12-15 Thread Ralf S. Engelschall
On Sun, Dec 15, 2002, Mads Toftum wrote:

> On Sun, Dec 15, 2002 at 09:41:11AM +0100, Ralf S. Engelschall wrote:
> > Just for your information: the Apache mod_ssl project environment was
> > migrated to a new location. In case of any problems, contact me.
> >
> It seems that cvs is broken - http://www.modssl.org/source/cvs/ and
> the docs taken from the source - like
> http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL
> both result in Internal Server Error.

Oops, yes, of course. Because there is no more active development on
mod_ssl for Apache 1.3, the CVS environment is no longer provided
publicly (because there would be no interesting things to monitor at
all) and hence the new public project environment has no CVS setup.
So, CVS related things are now gone from the website. Just my fault in
forgetting to synchronize the website. Now fixed. Thanks for the hint.

           Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



mod_ssl Project Environment Migrated

2002-12-15 Thread Ralf S. Engelschall
Just for your information: the Apache mod_ssl project environment was
migrated to a new location. In case of any problems, contact me.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.12

2002-10-23 Thread Ralf S. Engelschall
Because of a Cross-Site-Scripting (XSS) bug found in mod_ssl, the fixed
maintenance version mod_ssl 2.8.12 is available for use with Apache
1.3.27.

http://www.modssl.org/source/
ftp://ftp.modssl.org/source/
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.12 (04-Oct-2002 to 23-Oct-2002)

   *) Fixed potential Cross-Site-Scripting bug.

   *) Allow also 8192 bytes of shared memory data size.






[ANNOUNCE] mod_ssl 2.8.11-1.3.27

2002-10-04 Thread Ralf S. Engelschall

As you've hopefully recognized, the ASF released Apache 1.3.27, which
includes important security fixes. The corresponding mod_ssl 2.8.11 for
this version is now available, too.

Fetch it from:

 http://www.modssl.org/source/
 ftp://ftp.modssl.org/source/
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.11 (24-Jun-2002 to 04-Oct-2002)

   *) Upgraded to Apache 1.3.27.

   *) Fixed internal error handling for CRL verification.

   *) Initialize OpenSSL ENGINE before initializing OpenSSL
  to work around problems with the PRNG.

   *) Also find "openssl" executable in "sbin" directories.

   *) Honor specified number of maximum bytes on SSLRandomSeed
  if reading from EGD.

   *) Fixed generation of SSL_CLIENT_CERT_CHAIN_[0-9] variables.



[ANNOUNCE] mod_ssl 2.8.10

2002-06-24 Thread Ralf S. Engelschall

Another bugfixing round in the maintenance of mod_ssl 2.8 for Apache 1.3.

Fetch it and upgrade from:

 o http://www.modssl.org/source/
 o ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.10 (19-Jun-2002 to 24-Jun-2002)

   *) Fixed off-by-one buffer overflow bug in the compatibility
  functionality (mapping of old directives to new ones).

   *) Fixed memory leak in processing of CA certificates.

   *) In case there is actually a certificate chain in the session cache,
  we now use the value of SSL_get_peer_certificate(ssl) to verify as
  it will have been removed from the chain before it was put in the
  cache.

   *) Seed the PRNG with a maximum of 1K from the internal scoreboard.



[ANNOUNCE] mod_ssl 2.8.9 for Apache 1.3.26

2002-06-20 Thread Ralf S. Engelschall

Prompted by the release of Apache 1.3.26, I've made mod_ssl 2.8.9
available. The details are appended below.

Fetch it from:

o http://www.modssl.org/source/
o ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.9 (27-Mar-2002 to 19-Jun-2002)

   *) Upgraded to Apache 1.3.26.

   *) Support for OpenSSL 0.9.7.

   *) Open random files in binary mode under Win32 to not
  stop on EOS characters.

   *) Additional internal consistency check on vhost sanity checking
  in case no DNS entries are found for virtual hosts.

   *) Fixed detection of a faked "Faked Basic Auth" situation for
  internal redirection situations.



Re: Apache 1.3.26 and mod_ssl

2002-06-19 Thread Ralf S. Engelschall

On Tue, Jun 18, 2002, Matthew Ruzicka wrote:

> Pardon my possible ignorance here, but has anyone come up with any good
> workarounds for getting mod_ssl to work with the (patched) Apache 1.3.26
> since 2.8.8-1.3.24 only wants to work with 1.3.24?
>
> I assume a new version of mod_ssl will be on its way shortly, but was
> looking for something in the meantime to close up any possible problems.

mod_ssl 2.8.9 will be released within a few hours. Just be patient, please.

       Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: A new website [auto-reply]

2002-04-27 Thread Ralf S. Engelschall

Your Email concerning
  "A new website"
was successfully received by me today and filed into my personal mail
folder for consideration. But because I'm chronically busy due to the
large amount of requests directed to my person from free software
projects I'm involved in, I certainly cannot immediately reply to you.

So, if you need immediate support for...
  o OpenPKG  then send to [EMAIL PROTECTED]
  o OSSP     then send to [EMAIL PROTECTED]
  o OpenSSL  then send to [EMAIL PROTECTED]
  o mod_ssl  then send to [EMAIL PROTECTED]
  o Apache   then post to comp.infosystems.www.servers.unix
  o GNU Pth  then send to [EMAIL PROTECTED]
  o WML      then send to [EMAIL PROTECTED]
  o ePerl    then send to [EMAIL PROTECTED]

If you have problems with other free software packages I wrote (MM,
GNU shtool, gFONT, iSelect, LCWA, NLP, Slice, SMTPclient, SMake,
etc.), please first try to solve your problems by investigating again
and by utilizing other support resources (documentation, FAQ, other
users, etc).

Otherwise please wait for my reply if you expect one. But be aware
that because of the constant high volume of traffic to my Email address,
support related questions might be rejected if the question cannot be
answered in a reasonably short time.

Thanks for your understanding.

Yours,
           Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.8-1.3.24

2002-03-27 Thread Ralf S. Engelschall


Apache 1.3.24 was released and so I take this opportunity to both
provide an aligned mod_ssl version for it and flush the pending
bugfixes. The corresponding CHANGES entries are appended below. 
Fetch mod_ssl 2.8.8 from the following locations:

o http://www.modssl.org/source/
o ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.8 (23-Feb-2002 to 27-Mar-2002)

   *) Upgraded to Apache 1.3.24

   *) Support leading whitespace in commands of SSLLog "|..."
  directives.

   *) Fixed timeout handling on connection establishment
  by correctly resetting the timeout on errors.

   *) Fixed two memory leaks related to CA certificate configuration.

   *) Fixed memory leak related to temporary DH key handling.

   *) Fixed memory leak on shutdown if CRLs are used.

   *) Fixed remaining SIGBUS problems on SPARC inside SHMCB session
  cache implementation.



Re: [PATCH] outstanding shmcb fixes

2002-03-27 Thread Ralf S. Engelschall

On Mon, Mar 25, 2002, Joe Orton wrote:

> Here are the outstanding shmcb changes which didn't make it into 2.8.7,
> extracted from Geoff's patch.  These fix the remaining SIGBUS problem(s)
> on SPARC etc.

Now committed for mod_ssl 2.8.8. Thanks for reminding me.

       Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: mod_ssl for apache 1.3.24?

2002-03-26 Thread Ralf S. Engelschall


In article <[EMAIL PROTECTED]> you wrote:

> Just wanted to know if there's a mod_ssl version for apache 1.3.24?
> Since the current version will not compile with apache 1.3.24.

Will be released within the next 48 hours.

       Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.7-1.3.23

2002-02-23 Thread Ralf S. Engelschall


Another little round in maintaining mod_ssl 2.x for Apache 1.3.x brings
to you today mod_ssl 2.8.7 for Apache 1.3.23. The corresponding CHANGES
entries follow for your convenience.

Fetch it from:

o http://www.modssl.org/source/
o ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.7 (01-Feb-2002 to 23-Feb-2002)

   *) Support for the latest OpenSSL 0.9.7 snapshots.

   *) Fixed potential buffer overflow in DBM and SHMHT session
  cache if very very large certificate chains are used.

   *) Compliance with POSIX 1003.1-2001 (SUSv3) by replacing obsolete
  "head -1" and "tail -1" constructs with sed variants in scripts.

   *) Fixed file descriptor leakage under Win32.




Re: https without certificate

2002-02-10 Thread Ralf S. Engelschall


In article <[EMAIL PROTECTED]> you wrote:

> I was wondering if it may be possible to configure modssl to do crypto
> with no certificate.

No.

> I know that it should be possible because certificates are just a way to
> authenticate the server, not to establish the crypto.

No, the server certificate is also important and required for the secure
exchange of the cryptography parameters of SSL/TLS. Without this, the
client and server would not be able to securely exchange the necessary
symmetric encryption parameters.
       Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: directing http --> https

2002-02-10 Thread Ralf S. Engelschall


In article <[EMAIL PROTECTED]> you wrote:
> Quoting Owen Boyle <[EMAIL PROTECTED]>:
> 
>> If you want to be more specific so that 
>> http://d.com/foo/bar.html --> https://d.com/foo/bar.html
>> then use something like:
>> 
>> RedirectMatch (.*) https://d.com$1
>> 
> 
> Won't this create an infinite loop?
> I could be wrong, but I think RedirectMatch will pick up the hit via http or https,
> and attempt to send the user to https://d.com$1 even if the user came via https in
> the first place.
> 
> mod_rewrite seems to be the only alternative I've seen so far. If I'm
> wrong, let me know...

Either you have to put the RedirectMatch only into the <VirtualHost> section
of the HTTP-only virtual server or (in case you do it globally) you have to
use a RewriteRule with a RewriteCond which checks the %{HTTPS} variable
to avoid looping.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
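
The two alternatives named in the reply, as an added configuration example (editor's addition, not text from the post or from the mod_ssl documentation); d.com is the hostname used in the thread and the certificate paths are placeholders:

```apache
# Editor's added example, not text from the post or from the mod_ssl
# documentation. Hostname d.com is the one used in the thread; the
# certificate paths are placeholders.

# Alternative 1: keep the redirect inside the plain-HTTP virtual host only.
# A request that already arrived over TLS is served by the :443 host and
# never sees the RedirectMatch, so it cannot loop.
<VirtualHost *:80>
    ServerName d.com
    RedirectMatch permanent (.*) https://d.com$1
</VirtualHost>

<VirtualHost *:443>
    ServerName d.com
    SSLEngine on
    # placeholder paths, replace with the real certificate and key
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    # no RedirectMatch here
</VirtualHost>

# Alternative 2: one rule used for both hosts, guarded by the %{HTTPS}
# variable mod_ssl sets to "on" for TLS requests, so it only fires on
# plain HTTP. Put it in each virtual host (or in the main server together
# with "RewriteOptions inherit" in the hosts, since rewrite rules are not
# inherited by virtual hosts by default).
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*)$ https://d.com/$1 [R=permanent,L]
```

With either form a request that is already on https is never redirected again, which is what removes the loop the original poster was worried about.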



[ANNOUNCE] mod_ssl 2.8.6 (for Apache 1.3.23)

2002-02-01 Thread Ralf S. Engelschall


mod_ssl 2.8.6 for Apache 1.3.23 is now available.
The corresponding CHANGES entries are appended.

You can fetch it from:

 o http://www.modssl.org/source/
 o ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.6 (16-Oct-2001 to 01-Feb-2002)

   *) Upgraded to Apache 1.3.23

   *) Fixed a subtle indexing bug in SHMCB. Each sub-cache used an
  indexing structure that (correctly) used index values (and ranges)
  as "unsigned int", but the meta-structure in the header had these
  ranged as "unsigned char".

   *) Perform the SHMCB remove operation under mutual exclusion
  to prevent an inter-process synchronization problem.

   *) Made sure that mod_ssl does not segfault in case of
  SCOREBOARD_SIZE < 1024.

   *) Merged in the SDBM patch from Uwe Ohse which fixes a problem with
  sdbm's .dir file, which arises when a second .dir block is needed
  for the first time. read() returns 0 in that case, and the library
  forgot to initialize that new block. A related problem is that the
  calculation of db->maxbno is wrong. It just appends 4096*BYTESIZ
  bits, which is not enough except for small databases (.dir
  basically doubles every time it's too small).



Re: ??? 1.3.23

2002-02-01 Thread Ralf S. Engelschall


In article <[EMAIL PROTECTED]> you wrote:

> When is the final release planned?

For today.
       Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: ??? 1.3.23

2002-01-28 Thread Ralf S. Engelschall

On Mon, Jan 28, 2002, Ralf S. Engelschall wrote:

> > [...]
> > And, the mod_ssl I get from CVS is for 1.3.20, which is *less* than the
> > one that is downloadable already built for 1.3.22, shooting holes in my
> > initial theory that going to the CVS was even getting me closer to now...
> 
> Oops, my fault. The rsync cronjob was broken which updated the CVS copy
> from my master machine. Now fixed.
> 
> For Apache 1.3.23: Expect a mod_ssl update for 1.3.23 within the next
> days.

The mod_ssl CVS now has Apache 1.3.23 imported and the patch set was
updated. I'm still incorporating other bugfixes before 2.8.6 will be
released in the next days. In the meantime you can already find the latest
CVS state as mod_ssl-SNAP-20020128.tar.gz (or any newer) on the FTP
server.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: ??? 1.3.23

2002-01-27 Thread Ralf S. Engelschall

On Sun, Jan 27, 2002, Tom Oehser wrote:


> [...]
> And, the mod_ssl I get from CVS is for 1.3.20, which is *less* than the
> one that is downloadable already built for 1.3.22, shooting holes in my
> initial theory that going to the CVS was even getting me closer to now...

Oops, my fault. The rsync cronjob was broken which updated the CVS copy
from my master machine. Now fixed.

For Apache 1.3.23: Expect a mod_ssl update for 1.3.23 within the next
days.
       Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: mod_ssl-X.X.X-2.0.YY-tar.gz?

2002-01-17 Thread Ralf S. Engelschall


In article <[EMAIL PROTECTED]> you wrote:

>When?

Apache 2.0.X already ships with mod_ssl, because we already ported mod_ssl to
Apache 2 a few months ago and gifted the source code to the ASF. This way
you no longer need an SSL/TLS add-on module for Apache 2.

       Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] OpenPKG 1.0 (cross-platform RPM-based Unix software packaging)

2002-01-11 Thread Ralf S. Engelschall


Please excuse this slightly off-topic posting.

People have wondered what I've done over the last 14 months and why
further development on mod_ssl and my engagement in the OpenSSL
and Apache projects had to be slowed down in this time. Most of my
contributions were moved to the silent background. Some people even
feared that Ralf is doing closed source software development now. No,
the opposite is true. I'm still the same Open Source fanatic, believe
me. I just avoided making something public until it is really ready
for the public. But since today the result of over one year of strong
development is publicly available and I'm proudly announcing it:
OpenPKG, the world of cross-platform RPM-based Unix software packaging.

OpenPKG is one of the largest projects I've ever done in my life. My
development team at Cable & Wireless Germany plus dozens of contributors
have worked together since November 2000 to solve a problem I had
already tried to solve two times in the last 10 years. And the third
solution, OpenPKG, is the one which finally solved it successfully (at
least for me ;). We have been using it in production since April 2001 to
establish all customer servers in the Internet Solution Center (ISC) of
Cable & Wireless Germany and certainly there will be some other groups
in this world which benefit from our work, too. That's why it is both
based on Open Source software and itself released again as Open Source.

If you want to know more, glance over the attached PR text and visit our
project site at http://www.openpkg.org/. Thanks for listening and...
happy packaging! Oh, and we have also packaged OpenSSL and Apache+modssl
in OpenPKG, of course ;)

Yours,
           Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
 
=
Now available:
OpenPKG 1.0
www.openpkg.org

A flexible and powerful software packaging facility, OpenPKG eases
installation and administration of Unix software across several
platforms. It primarily targets the Unix platforms FreeBSD, Linux
and Solaris, but is portable across almost all modern Unix flavors.
Consolidating different vendor approaches into a unified architecture,
it assists in the administration of large networks previously
complicated by nonconformant systems.

OpenPKG leverages proven technologies like the Red Hat Package Manager
(RPM) and neatly provides an additional system layer on top of the
operating system. It is fully self-contained with minimal external
dependencies (no RPM pre-installation required), and installs itself by
means of a tricky bootstrapping procedure with minimal operating system
intrusion. OpenPKG especially supports multiple installation instances
on the same system.

OpenPKG was created in November 2000 and after over one year of
development it is already a mature technology in production use. It
is available as Open Source and is further maintained by both Ralf S.
Engelschall's development team at Cable & Wireless Germany and their
contributors.

For more details visit:
http://www.openpkg.org/
 ftp://ftp.openpkg.org/
=




ANNOUNCE: mod_ssl 2.8.5 for Apache 1.3.22

2001-10-16 Thread Ralf S. Engelschall


The updated mod_ssl v1 distribution for the new Apache 1.3.22 is now
available. Nothing fancy both inside Apache and mod_ssl (see appended
ChangeLog entries below), so don't rush.

You can grab the stuff from:

http://www.modssl.org/source/
ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.5 (20-May-2001 to 16-Oct-2001)

   *) Upgraded to Apache 1.3.22

   *) Fixed check whether server certificate wildcard CommonName (CN)
  matches the configured server name.

   *) Use correct ANSI C prototypes also in (semi-automatically
  generated) ssl_engine_dh.c

   *) Fixed buffer overflow in ssl_expr_eval_func_file().




Re: apache 1.3.22 and modssl

2001-10-14 Thread Ralf S. Engelschall


In article <[EMAIL PROTECTED]> you wrote:

>> apache 1.3.22 has been released so will modssl 2.8.4 work with it or do we
>> have to wait for an upgrade
>> 
> AFAICT from looking at cvsweb, there is nothing in there that has changed
> since 1.3.20 release. So yes, it will definitely complain[1] - but I think
> most changes between .20 and .22 are to other parts of Apache than the
> ones that mod_ssl touches, so it probably won't be too hard to fix if you
> can't wait.
> Ralf is usually pretty quick to release new versions of mod_ssl.

I plan to provide an upgraded mod_ssl version for 1.3.22 on Monday or
Tuesday.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



ANNOUNCE: mod_ssl 2.8.4-1.3.20

2001-05-20 Thread Ralf S. Engelschall


As you should know, our Apache 1.3.20 has been available since yesterday.
So here is the corresponding mod_ssl 2.8.4. The CHANGES entries are
appended below.

Fetch mod_ssl 2.8.4 from:

  http://www.modssl.org/source/
  ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.4 (04-May-2001 to 20-May-2001)

   *) Removed old db1/ndbm.h kludge from mod_ssl.h, because it should not
  be needed at all, since mod_ssl downgrades to SDBM anyway on all
  Linux platforms. Additionally made the Linux check more accurate
  by using src/Configure's $PLAT variable instead of $OS.

   *) Upgraded to Apache 1.3.20

   *) +-------------------------------------------------------------------+
      | Officially moved mod_ssl to Apache 2.0:                           |
      | The mod_ssl 2.8.x source tree is now frozen for development       |
      | and will only be updated for bugfixes and Apache 1.3.x version    |
      | upgrades. The last release (2.8.3) was imported to the ASF CVS    |
      | repository under httpd-2.0/modules/ssl/. All development efforts  |
      | are now directed to the Apache 2.0 area. Nevertheless, mod_ssl    |
      | 2.8.x releases will occur as long as Apache 1.3.x releases occur. |
      +-------------------------------------------------------------------+



Re: List configuration (posting from a different email)

2001-05-20 Thread Ralf S. Engelschall

On Fri, May 18, 2001, Mads Toftum wrote:

> > Rich Salz <[EMAIL PROTECTED]> writes:
> > > It is a deliberate anti-spam feature.
> > 
> > That much I figured out.  Leaving out the discussion of
> > questionability of such measure, I think that a bounce should be sent
> > if a post is not accepted.
> 
> AFAIK it hasn't been sent to /dev/null yet - it has simply been sent
> to the mailing list admin (Ralf) to be approved... He just hasn't
> had the time to approve them yet.

Yes, exactly: nothing is dropped automatically. All those postings are
relayed through the [EMAIL PROTECTED] account. Unfortunately I'm such
horrible busy with all the open source projects I'm involved in that I
only can walk though this mailbox once per week and approve all non-spam
mail manually.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: make fails with db1/ndbm.h: No suh file

2001-05-20 Thread Ralf S. Engelschall

On Sun, May 20, 2001, Sundar @local wrote:

> I am trying to install mod_ssl on SuSE 7.1 (kernel 2.4) with apache 1.3.19
> and openssl-0.9.6a. The mod_ssl make fails with db1/ndbm.h: no such
> file
> And I don't see that header in my installation

mod_ssl should use the shipped SDBM on all Linux platforms. Can you
figure out why the "$OS" based check in src/modules/ssl/libssl.module
does not apply for your platform?
       Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Newbie question

2001-05-04 Thread Ralf S. Engelschall

On Fri, May 04, 2001, Jack Gostl wrote:

> Just set up modssl in apache 1.3.17. When I start apache, I get prompted
> for the passphrase on the key. This could get ugly if the web server has
> to do an unattended restart.
> 
> How should this be handled?

Read the FAQ and remove the pass-phrase from your private key. 

       Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



ANNOUNCE: mod_ssl 2.8.3

2001-05-04 Thread Ralf S. Engelschall


Now available: mod_ssl 2.8.3 for Apache 1.3.19.
Just the usual amount of cleanups and bugfixes
(see CHANGES entries below).

Grab it from:
o http://www.modssl.org/source/
o  ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.3 (30-Mar-2001 to 04-May-2001)

   *) Allow loadcacert.cgi script to work inside mod_perl.

   *) Fixed typo in the directive descriptions in mod_ssl.c

   *) Fixed EAPI context usage in http_request.c: a context pointer
      can potentially be NULL for a request and causes a segfault if
      dereferenced.

   *) Fixed ENGINE support: the engines are now already loaded at
      configure time. Otherwise mod_ssl fails to find them.

   *) Fixed typo in httpd.conf-dist.



Re: MM

2001-05-04 Thread Ralf S. Engelschall

On Mon, Apr 23, 2001, Diana Shepard wrote:

> Well I asked this about a week ago, but I'll ask again
> because I can't figure out what the heck MM wants.
> I'm trying to install mod_ssl2.8.2-1.3.19 on a Solaris 8
> system.  I'm at step 4 of the mod_ssl INSTALLATION instructions,
> the MM Shared Memory Library build. Here is the error I keep
> getting:
> 
> decision on shared memory allocation method... 4.4BSD-style mmap() via
> MAP_ANON
> checking for shared memory maximum segment size... configure: error: Unable
> to determine maximum shared memory segment size
> 
> Now I've checked via "sysdef -i" that a shared memory maximum
> segment size is set and it is, with a value of 1048576.  Surely
> someone else has seen this error.  I sure would appreciate some help.

First, the workaround for your problem is simple. Just execute the
following command before you run the configure script:

$ echo "ac_cv_maxsegsize=${ac_cv_maxsegsize='128000'}" >config.cache

This gives you 128KB for a maximum shared memory segment (which usually
always works).

Second, to find out why the Autoconf test fails for you, I need the
resulting config.log file which Autoconf created on your machine.
Without this I cannot help you. Oh, and can you also show us the output
of "gcc -v" and "uname -a"?

On one of my Solaris 2.8 boxes on SPARC I see a fine "checking for
shared memory maximum segment size... 64MB (soft limit)" so it certainly
is not a problem in general with Solaris 2.8.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: add_all_algorithms

2001-05-04 Thread Ralf S. Engelschall

On Wed, Apr 25, 2001, Rich Salz wrote:

> we need to call openssl_add_all_algorithms so that we can decrypt the
> server key (our own use of standard encryption).  What's the cleanest
> way to add that in -- a vendor hook?

Yes, a vendor EAPI hook somewhere in the init routines of mod_ssl.

       Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Build problems

2001-05-02 Thread Ralf S. Engelschall

On Thu, Jun 01, 2000, Vinod Mehra wrote:

> I am trying to install "The All-In-One mod_ssl+APACI". But the Apache build 
> fails for
> me. The build without modssl always work. This is what I have got:
> 
> - apache_1.3.9.tar.gz
> - mod_ssl-2_4_10-1_3_9_tar.gz
> - openssl-0_9_5a_tar.gz
> - rsaref20_tar.Z
> - mm-1_1_2_tar.gz
> [...]

The README.Versions file I update for us shows:

08-Jan-2000   2.4.10   1.3.9   0.9.3-0.9.4

So, the mod_ssl version you're trying is too old for use with such a newer
OpenSSL version. You have to use OpenSSL 0.9.4 or 0.9.4 with this mod_ssl
version.  Or (what I strongly recommend) use the current Apache 1.3.12 and
mod_ssl 2.6.4 version.
       Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Unexplained http_main.c patch

2001-04-05 Thread Ralf S. Engelschall

On Thu, Apr 05, 2001, Harrington, Thomas wrote:

> The mod_ssl patch file changes a bunch of things, most of which make sense.
> One has me scratching my head.  In http_main.c, in the setup_listeners()
> function, it adds the following lines:
> 
>   if (fd >= 0) {
>       FD_SET(fd, &listenfds);
>       if (fd > listenmaxfd)
>           listenmaxfd = fd;
>   }
> 
> This wouldn't be odd except for a couple of things:
> * setup_listeners() already does all of this, so once patched, it happens
> twice.  Granted, the existing one does not check the fd value first, and
> this might be considered broken.  But then the patch doesn't stop values
> less than zero from being used, so it doesn't actually fix this behavior.
> * Most patches are clearly delineated by "#ifdef EAPI".  This one has no
> "#ifdef".
> 
> What gives?  Why do this twice?

This should be already gone with 2.8.2.
I guess you are looking at an older version, right?
Please use the latest one.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: ApacheCon 2001...

2001-04-05 Thread Ralf S. Engelschall

On Tue, Apr 03, 2001, Ralf S. Engelschall wrote:

> I'm now leaving for attending ApacheCon 2001 in Santa Clara, CA.
> For the modssl-users who also attend ApacheCon: feel free to
> share our interest by visiting our talk W24 on Wednesday evening.
> For those of us who are not attending ApacheCon: you can go to
> http://www.modssl.org/docs/apachecon2001/ and at least watch the
> presentation's slide-set.

Thanks to all of you who attended our SSL presentation
yesterday here at ApacheCon 2001 in Santa Clara, CA.

Yours,
           Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: explusion?

2001-04-05 Thread Ralf S. Engelschall

On Thu, Apr 05, 2001, Paul wrote:

> I have been looking at this for a while, and must be looking in the
> wrong places.  From httpd.conf:
> 
> #   Semaphore:
> #   Configure the path to the mutual explusion semaphore the
> #   SSL engine uses internally for inter-process synchronization.
> 
> "mutual eplusion semaphore"? OK, expulsion I would understand.
> Exclusion I would understand even better. Explusion?
> 
> Is it just a typo? Or if not, what the hell is "explusion", and where
> can I find docs on it? =o)

Sure, it's a typo. "exclusion" is the word. Now fixed for 2.8.3.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



ApacheCon 2001...

2001-04-03 Thread Ralf S. Engelschall


I'm now leaving for attending ApacheCon 2001 in Santa Clara, CA.
For the modssl-users who also attend ApacheCon: feel free to
share our interest by visiting our talk W24 on Wednesday evening.
For those of us who are not attending ApacheCon: you can go to
http://www.modssl.org/docs/apachecon2001/ and at least watch the
presentation's slide-set.

cu@ApacheCon!
       Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: ANNOUNCE: mod_ssl 2.8.2 (minor bug)

2001-03-31 Thread Ralf S. Engelschall

On Fri, Mar 30, 2001, Geoff Thorpe wrote:

> I've just taken a look at mod_ssl-2.8.2 (I had skipped over 2.8.1 which is
> unfortunate, as this relates to 2.8.1 also).
> 
> Ralf, you mentioned in the ChangeLog that you'd updated mod_ssl to build/run
> with 0.9.7-dev snapshots of OpenSSL. However, the configuration stuff for
> enabling ENGINE support (pkg.sslmod/libssl.module: line 369) uses a test on
> SSL_VERSION_ID of the form;
> *0.9.6*engine*
> 
> Of course, this won't work for 0.9.7 snapshots. :-)
> 
> Also related to that, in 0.9.7-dev snapshots, it is necessary to call
> ENGINE_load_builtin_engines() at some point prior to the first ENGINE_by_id()
> call otherwise there will be no engines available except "openssl". FWIW: the
> reason for this is that linkers can then work out if applications need the code
> for all the engines linked in or not, because not only does it otherwise bloat
> the application with code it may not need, it also drags in the DSO code by
> dependency, and that requires extra linker flags on some platforms. If you call
> that function, it all gets linked in - if you don't, it doesn't.

Thanks for the hints, Geoff. How about the following for mod_ssl 2.8.3?

Index: libssl.module
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/libssl.module,v
retrieving revision 1.62
diff -u -d -r1.62 libssl.module
--- libssl.module   2001/03/12 19:50:10 1.62
+++ libssl.module   2001/03/31 07:52:35
@@ -367,7 +367,7 @@
 #   SSL engine support
 #
 case $SSL_VERSION_ID in
-*0.9.6*engine* )
+*0.9.6*engine* | *0.9.[789]* )
 SSL_CFLAGS="$SSL_CFLAGS -DSSL_ENGINE"
 ;;
 esac
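Review bot: the new `*0.9.[789]*` alternative in the `case $SSL_VERSION_ID` pattern enables -DSSL_ENGINE for every 0.9.7+ build unconditionally, while the 0.9.6 branch still requires the `engine` marker; if that asymmetry is intended because ENGINE is part of the main 0.9.7 line (as Geoff's note above implies), a one-line comment above the `case` saying so would stop the next reader from treating the missing `engine` check as an oversight. The glob also matches any SSL_VERSION_ID that merely contains `0.9.7`, so it is worth confirming that variable only ever carries a bare version string.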
Index: ssl_engine_config.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_config.c,v
retrieving revision 1.77
diff -u -d -r1.77 ssl_engine_config.c
--- ssl_engine_config.c 2001/03/30 10:03:04 1.77
+++ ssl_engine_config.c 2001/03/31 07:51:25
@@ -450,7 +450,14 @@
 SSLModConfigRec *mc = myModConfig();
 const char *err;
 ENGINE *e;
+#if SSL_LIBRARY_VERSION >= 0x00907000
+static int loaded_engines = FALSE;
 
+if (!loaded_engines) {
+ENGINE_load_builtin_engines();
+loaded_engines = TRUE;
+}
+#endif
 if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL)
 return err;
 if (strcEQ(arg, "builtin")) {
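Review bot: the new `ENGINE_load_builtin_engines()` call runs before the `ap_check_cmd_context(cmd, GLOBAL_ONLY)` check, so a directive placed in the wrong context still loads the built-in engines before it is rejected; moving the whole `#if SSL_LIBRARY_VERSION >= 0x00907000` block below the context check keeps the side effect behind the validation. The function-local `static int loaded_engines` correctly makes the load a one-shot per process, which matters because Apache 1.3 re-reads the configuration on restart; a short comment stating that this is why the guard exists would help.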

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Which SSLSessionCache to use for best performance?

2001-03-31 Thread Ralf S. Engelschall

On Fri, Mar 30, 2001, Geoff Thorpe wrote:

> > > Hmmm.. yes, I think we can try this for 2.8.2. Let's move it out
> > > of SSL_EXPERIMENTAL, but still do not use it by default in the
> > > configuration. I've arranged this for us for 2.8.2. Hopefully it will
> > > not blow away our legs ;)
> > 
> > Cool. 
> > Maybe an explanation of the different shm session cache options
> > would be nice as part of the ApacheCon presentation? (it wasn't too
> 
> Damn, now I'm *definitely* not going to show up.  Actually, I may be there
> Ralf - so you can unequivocally blame me if the shmcb blows off any legs.

Ok, then I'll try to add another slide, dedicated to the session caching
variants.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Any help for a novice on RH 7.0 / Apache 1.3.14

2001-03-31 Thread Ralf S. Engelschall

On Fri, Mar 30, 2001, Aage J. Skjolingstad wrote:

> When crond is log rotating (crond.weekly) - httpd fails to start up
> again. I'm running RH 7.0 with Apache/1.3.14 (Unix) (Red-Hat/Linux)
> mod_ssl/2.7.1 OpenSSL/0.9.5a mod_perl/1.24
> 
> The kill HUP does not restart the server since some of the children do
> not die
> 
> The /…../httpd restart command works, and I have done no changes to any
> of the crond services or conf files.
> 
> Is this a problem with mod_ssl ??

Hmmm... I don't think it is mod_ssl related. At least
I've never heard that mod_ssl caused such problems.
What does the error logfile say?
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Which SSLSessionCache to use for best performance?

2001-03-30 Thread Ralf S. Engelschall

On Fri, Mar 30, 2001, [EMAIL PROTECTED] wrote:

> Not strictly related to this, but since you are active today Ralf, can you
> give me some idea of when the SSL crypto device code will move out of
> SSL_EXPERIMENTAL. I.e., will this be once openssl 0.9.7 is released?

Exactly. It should remain SSL_EXPERIMENTAL as long as we have no first
release version of OpenSSL available with this functionality.

       Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Invalid method in request

2001-03-30 Thread Ralf S. Engelschall

On Fri, Mar 30, 2001, Pavel Hlou¹ek wrote:

> I cannot connect to apache+mod_ssl with the command recommended by the
> mod_ssl documentation (openssl s_client -connect localhost:443 -state -debug).
> It results in a message in error_log of apache:
> 
> Ivalid method in request
> 
> Any idea?

You connect with HTTPS to a port where only HTTP is spoken.
Check your server configuration, it's certainly a configuration error.

           Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Why stdin in mod_ssl?

2001-03-30 Thread Ralf S. Engelschall

On Thu, Mar 22, 2001, [EMAIL PROTECTED] wrote:

> Browsing through the mod_ssl source code, I notice that ssl_engine_config.c
> has a reference to stdin.  

Err... you mean ssl_expr_scan.c, I think. I see no reference to stdin
in ssl_engine_config.

> Unfortunately I don't know lex/flex well enough
> to understand why.  What's up?  When does mod_ssl need to read stdin?  
> 
> I know that the default SSLPassPhraseDialog setup will cause it to prompt
> for a pass phrase, but that's handled through OpenSSL calls
> (EVP_read_pw_string(), if I'm not mistaken).  This is something different.
> But what?  Thanks for any pointers.

mod_ssl doesn't read from stdin. The code is generated by Flex and only
used if the application doesn't provide a yyinput() function. But such
a function _IS_ provided by mod_ssl, so the scanner never uses stdin to
read the input data.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



ANNOUNCE: mod_ssl 2.8.2

2001-03-30 Thread Ralf S. Engelschall


The usual fun amount of bugfixes leads to the next maintenance release
of mod_ssl: 2.8.2. The corresponding ChangeLog entries for version 2.8.2
are appended below. Feel free to upgrade your server installations after
grabbing it from the following locations:

  o http://www.modssl.org/source/
  o  ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.2 (03-Mar-2001 to 30-Mar-2001)

   *) Moved the Shared Memory Cyclic Buffer (SHMCB) session cache
      variant from "experimental" state to "production" by removing the
      `#ifdef SSL_EXPERIMENTAL_SHMCB ...#endif' wrappers. This means
      that now `SSLSessionCache shmcb:...' is unconditionally available.

   *) Modified (only) Win32's specific function SSL_recvwithtimeout()
      to use the same retry logic as SSL_writewithtimeout(). This
      fixes some problems with MSIE 5.x clients.

   *) Made the mutex handling more robust by retrying the
      semaphore-based operations in interrupt situations
      (errno == EINTR).

   *) Also log the OpenSSL error message if the RSA temporary
      key(s) cannot be generated.

   *) Mention in INSTALL document that building OpenSSL with
      `no-threads' increases performance without negative side-effects
      because Apache 1.3 is never multi-threaded.

   *) Fixed mod_ssl Auth handler: it now returns DECLINED instead of
      OK if authentication is passed successfully to allow other modules
      (usually mod_auth) to still deny the request.

   *) Allow IPC semaphore support also under Tru64 5.x.

   *) Fixed certificate DN handling under EBCDIC platforms.

   *) Try to avoid casting warnings by using "unsigned long" type
      instead of "unsigned int" in the EAPI macros AP_CTX_.

   *) Make sure that the default path /usr/include is never added to
      CFLAGS with an explicit -I option to avoid conflicts with vendor
      include paths.

   *) Make extra sure the ssl_expr_parse.[ch] and ssl_expr_scan.c
      files are not regenerated for regular users by timestamping
      them in a slightly more conservative way.

   *) More fixes to configure.bat and Makefile.win32 to
      make mod_ssl work again under Win32.



Re: SSLRequireSSL and deny

2001-03-30 Thread Ralf S. Engelschall

On Wed, Mar 28, 2001, [EMAIL PROTECTED] wrote:

> Wondering if anybody came across this problem before.
> Say I have
> 
> 
> ServerName pikachutest
> DocumentRoot /home/httpd/devel/TonyC/
> 
> 
> SSLRequireSSL
> order deny,allow
> deny from all
> 
> 
> 
> 
> That is I am trying to ensure ssl connections to pikachutest
> and denying them access with deny from all. However it seems that
> when I include the SSLRequireSSL directive that the deny from clause
> is ignored. If I remove the SSLRequireSSL directive then it works fine.

I think I found the reason. mod_ssl's auth handler returned OK instead
of DECLINE and so mod_auth was no longer called from the Apache module
dispatching code. Should be fixed for mod_ssl 2.8.2. Thanks for your
feedback.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
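A small C model, added here and not mod_ssl's or Apache's own code, of the phase dispatch that this thread and the 2.8.2 CHANGES entry ("returns DECLINED instead of OK") describe: the first module not returning DECLINED decides, so an auth handler that answers OK after a passed SSLRequireSSL check silently masks a later `deny from all`. The handler, request and return-code names are stand-ins assumed for the model.

```c
#include <stdio.h>

/* Return codes in the style of Apache 1.3 (values chosen for this model). */
#define DECLINED       (-1) /* no opinion: keep consulting the other modules */
#define OK             0    /* accepted: Apache stops consulting for this phase */
#define HTTP_FORBIDDEN 403

/* Minimal stand-in for Apache's request_rec, carrying only what we need. */
typedef struct {
    int is_https;       /* request arrived over SSL/TLS */
    int ssl_require;    /* SSLRequireSSL is configured for this location */
    int deny_from_all;  /* "order deny,allow" + "deny from all" is configured */
} request_rec;

typedef int (*handler_fn)(request_rec *r);

/* mod_ssl's auth-phase handler as it behaved before 2.8.2 (modelled): once
 * the SSLRequireSSL check passes it returns OK, which ends the phase. */
static int ssl_auth_handler_before(request_rec *r)
{
    if (!r->ssl_require)
        return DECLINED;
    if (!r->is_https)
        return HTTP_FORBIDDEN;
    return OK;          /* the bug: "passed" is reported as a final decision */
}

/* Same handler as fixed in 2.8.2 (modelled): a passed check is not an
 * authorization decision, so fall through with DECLINED. */
static int ssl_auth_handler_fixed(request_rec *r)
{
    if (!r->ssl_require)
        return DECLINED;
    if (!r->is_https)
        return HTTP_FORBIDDEN;
    return DECLINED;
}

/* Stand-in for the module that honours "deny from all". */
static int deny_handler(request_rec *r)
{
    return r->deny_from_all ? HTTP_FORBIDDEN : DECLINED;
}

/* Phase dispatch as the thread describes it: modules are consulted in order
 * and the first one not returning DECLINED decides. */
static int run_phase(handler_fn *handlers, int n, request_rec *r)
{
    int i;
    for (i = 0; i < n; i++) {
        int rc = handlers[i](r);
        if (rc != DECLINED)
            return rc;
    }
    return DECLINED;    /* nobody objected: Apache lets the request through */
}

/* The reporter's setup: HTTPS request, SSLRequireSSL and "deny from all". */
int result_with_buggy_handler(void)
{
    request_rec r = { 1, 1, 1 };
    handler_fn chain[] = { ssl_auth_handler_before, deny_handler };
    return run_phase(chain, 2, &r);
}

int result_with_fixed_handler(void)
{
    request_rec r = { 1, 1, 1 };
    handler_fn chain[] = { ssl_auth_handler_fixed, deny_handler };
    return run_phase(chain, 2, &r);
}

/* Plain HTTP against SSLRequireSSL is still refused by the fixed handler. */
int result_plain_http_fixed(void)
{
    request_rec r = { 0, 1, 0 };
    handler_fn chain[] = { ssl_auth_handler_fixed, deny_handler };
    return run_phase(chain, 2, &r);
}

int main(void)
{
    printf("buggy handler, deny from all: %d (expected %d = OK, deny ignored)\n",
           result_with_buggy_handler(), OK);
    printf("fixed handler, deny from all: %d (expected %d)\n",
           result_with_fixed_handler(), HTTP_FORBIDDEN);
    printf("fixed handler, plain HTTP:    %d (expected %d)\n",
           result_plain_http_fixed(), HTTP_FORBIDDEN);
    return 0;
}
```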



Re: Which SSLSessionCache to use for best performance?

2001-03-30 Thread Ralf S. Engelschall

On Thu, Mar 22, 2001, David Rees wrote:

> [...]
> 
> 
> Thanks for the lowdown on both session caches, Geoff.
> 
> It really seems to me that at this point, the shmcb cache should no longer
> be part of the SSL_EXPERIMENTAL code, and even be made the default shm
> cache.
> 
> Has anyone had BAD experiences with it?
> 
> What do you think, Ralf?

Hmmm.. yes, I think we can try this for 2.8.2. Let's move it out
of SSL_EXPERIMENTAL, but still do not use it by default in the
configuration. I've arranged this for us for 2.8.2. Hopefully it will
not blow away our legs.... ;)
       Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: can anyone help me....

2001-03-30 Thread Ralf S. Engelschall

On Thu, Mar 29, 2001, Rene Labiran wrote:

> i been having this error:
> 
> "invalid command loadmodule perhaps mispelled or defined by a module
> notincluded in the server configuration sshd."

"sshd"? Errr.. h... Anyway, if you get this message from Apache, it
clearly says what the problem is. Make sure the module which implements
"LoadModule" is present. In your case, this is mod_so and can be enabled
with --enable-module=so on the APACI command line while building Apache.

           Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: [PATCH] EBCDIC Fix for mod_ssl 2.8.x

2001-03-22 Thread Ralf S. Engelschall

On Thu, Mar 22, 2001, Martin Kraemer wrote:

> The appended patch fixes the (on EBCDIC-based machines) erroneous
> comparison between the configured ServerName (EBCDIC) and the Canonical
> Name from the certificate (extracted raw => ASCII).
> 
> The effect of this bug was a warning during startup:
> 
>   [22/Mar/2001 12:55:17 00052] [warn]  Init: (BCAMSR03.mch.fsc.net:443) RSA server 
>certificate CommonName (CN) `' does NOT match server name!?
> 
>Martin
> -- 
> <[EMAIL PROTECTED]> | Fujitsu Siemens
> Fon: +49-89-636-46021, FAX: +49-89-636-41143 | 81730  Munich,  Germany

> --- ssl_util_ssl.cx   Mon Jan  1 11:49:05 2001
> +++ ssl_util_ssl.cTue Nov 21 13:43:57 2000
> @@ -384,6 +384,9 @@
>  *cppCN = ap_palloc(p, xsne->value->length+1);
>  ap_cpystrn(*cppCN, (char *)xsne->value->data, xsne->value->length+1);
>  (*cppCN)[xsne->value->length] = NUL;
> +#ifdef CHARSET_EBCDIC
> + ascii2ebcdic(*cppCN, *cppCN, strlen(*cppCN));
> +#endif
>  return TRUE;
>      }
>  }
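Review bot: the added `ascii2ebcdic(*cppCN, *cppCN, strlen(*cppCN))` recomputes a length the hunk already has as `xsne->value->length` two lines above; passing that value directly avoids the extra scan and keeps the conversion length tied to what `ap_cpystrn` was asked to copy (the buffer is allocated with `length+1`, so it stays in bounds). Also, the header lists `ssl_util_ssl.cx` as the old file and `ssl_util_ssl.c` as the new one, with the new timestamp (Nov 2000) older than the old (Jan 2001), so the diff direction is worth double-checking before committing, and the new line is indented with a tab where the surrounding lines use spaces.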

Committed for mod_ssl 2.8.2. Thanks for your feedback.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: mod_ssl's mod_proxy support

2001-03-21 Thread Ralf S. Engelschall

On Mon, Mar 19, 2001, Martin Lichtin wrote:

> Anyone know how to configure mod_ssl parameters when
> it's doing the client requests inside mod_proxy?
> 
> I have something like
> 
> 
> ProxyRequests On
> NoCache *
> 
> 
> as part of a mod_ssl-enabled server. It handles https://
> proxy requests just fine, but I also need the ability
> to force a SSL version, eg. SSLv2, for making requests 
> to the outside world.
> 
> Any ideas?
> 
> Also, how can I trace these SSL requests? I set 
> SSLLogLevel to debug but it wouldn't show anything.

By default you cannot adjust any parameters. But look at the CHANGES
file, there is experimental support for SSLProxy directives which
can help you.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: IE5 client certs

2001-03-21 Thread Ralf S. Engelschall

On Mon, Mar 19, 2001, Torsten Curdt wrote:

> [...]
> For each CA there is much more information besides the
> PEM data (which is the only thing in my ca-dff.crt).
> It's pretty verbose including the fingerprint as well
> as some plain text infos about the cert.
> [...]

All text around the PEM data is just for information. It is not parsed by
mod_ssl/OpenSSL. It is there just for human reading.

> I wonder how I can create such a format for my CA cert.
> Do you have an idea?

$ openssl x509 -text -noout -in 

           Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Apache-1.3.19+mod_ssl-2.8.1+php-4.0.4pl1 segfault (no core file created)

2001-03-21 Thread Ralf S. Engelschall

On Fri, Mar 16, 2001, Karlos Z. Smith wrote:

> [...]
> Ok, is this a glibc issue?  I know they made quite a few changes in
> glibc-2.2.2 maybe they screwed something up?  Or maybe mod_ssl was using
> some workaround for something that _was_ broken and now it's fixed?
> [...]

No, there are no glibc bug workarounds in mod_ssl.
I'm sure your glibc is broken.
 
           Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: version numbers

2001-03-21 Thread Ralf S. Engelschall

On Wed, Mar 14, 2001, Brett Tofel wrote:

> I can't seem to find where the mod_ssl version numbers are explained. 

In the FAQ AFAIK.

> if we are using an older apache, must we use an older mod_ssl? 
> For instance, if we were using apache 1.3.12 would we have to use: 
> 
> mod_ssl-2.6.6-1.3.12 

Yes.
           Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Mod-ssl and Security certs on MSIE

2001-03-11 Thread Ralf S. Engelschall

On Sat, Mar 10, 2001, David Rees wrote:

> On Sat, Mar 10, 2001 at 11:00:57AM +0100, Mads Toftum wrote:
> > On Sat, Mar 10, 2001 at 09:35:25AM +, Jonathan Shahariw wrote:
> > > On certain versions of MSIE (i.e., 5.0) the browser can't find a connection 
> > > with the server but with netscape it works?? What could be the cause?
> > > 
> > See the FAQ: http://www.modssl.org/docs/2.8/ssl_faq.html#io-ie
> 
> Ugh, looks like I posted a link to the old FAQ (luckily it still has
> the right information).
> 
> The link to the FAQ on the front page (http://www.modssl.org/) still
> links to the 2.6 version of the FAQ, Ralf, can you update the link?

Oops, good catch. Fixed.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Apache 2.0

2001-03-05 Thread Ralf S. Engelschall

On Mon, Mar 05, 2001, ModSSL user wrote:

> What about mod_ssl port to Apache 2.0.
> You proposed some time ago to put all mod_ssl 2.8.x in Apache 2.0 tree
> but there is still nothing. 

Although I offered the whole mod_ssl 2.8 code basis under the ASF
license to the ASF, there was no group consensus on using mod_ssl for
Apache 2.0. Look at the way and by whom SSL/TLS was pushed into Apache
2.0 and you should be able to imagine yourself why our mod_ssl code was
not accepted as the code base.

Actually the whole "SSL/TLS for Apache 2.0" situation over the last
months was finally "solved" by a rather clever trick by someone of the
group - and this was not obvious even to me until recently. But because
of this, as a result, we failed to bring mod_ssl directly into Apache
2.0. Sorry, perhaps my fault in being too optimistic and thinking that
political things inside the group were already gone. Seems like someone
else was a lot more clever than me...

> Will you instead work with Ben Laurie on mod_tls?

I still don't know. As I said, the whole SSL/TLS issue again is a
_highly_ political thing in Apache 2.0 and I certainly will try hard to
stay out of those things as far as I can. Whether it finally means that
mod_ssl has to be externally maintained again, I still don't know.

The only thing I currently know is that with Apache 2.0 it seems that we
again will have the same SSL/TLS problem as we had three years ago with
Apache 1.3 (means: an unpolished 70% solution). And I also know
that someone (not necessarily me) will again find this not satisfactory.
What approach then is used to change this we all still don't know...

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: problem with modssl 2.81/apache 1.3.19 on windows

2001-03-04 Thread Ralf S. Engelschall

On Sat, Mar 03, 2001, Joachim Feise wrote:

> > > when running configure.bat i get an error as follows
> > >
> > > C:\apdev\modssl>configure.bat --with-apache=..\apache --with-ssl=c:\apdev\op
> > > enssl
> > > Global symbol "$first2" requires explicit package name at configure.bat line
> > > 269
> > > .
> > > BEGIN not safe after errors--compilation aborted at configure.bat line 283.
> > > C:\apdev\modssl>
> > 
> > Oops, I forgot a complete line to add to configure.bat.
> > Now fixed in CVS. The next CVS snapshot will have it fixed.
> 
> Even with that, there are still 2 bugs that prevent it from compiling on Win32.
> I attach a diff file.

Thanks for your feedback. I've committed your additional patches to CVS
now, too.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Apache 1.3.19 and modSSL

2001-03-04 Thread Ralf S. Engelschall

On Thu, Mar 01, 2001, Paolo Fiorenzani wrote:

> I would like to upgrade my Web Server to Apache 1.3.19 + mod_jk (for Servlet/JSP 
> extension) and SSL security support.
> Is it possible to use mod_SSL2.8.0-1.3.17 with the last release of Apache or do I 
> have to use Apache 1.3.17 ?

mod_ssl-2.8.0-1.3.17.tar.gz can only be used with Apache
1.3.17. But if you want to use Apache 1.3.19 you now should use
mod_ssl-2.8.1-1.3.19.tar.gz. It is already available.

       Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: problem with modssl 2.81/apache 1.3.19 on windows

2001-03-03 Thread Ralf S. Engelschall

On Sat, Mar 03, 2001, Jonathon Douglas wrote:

> when running configure.bat i get an error as follows
> 
> C:\apdev\modssl>configure.bat --with-apache=..\apache --with-ssl=c:\apdev\op
> enssl
> Global symbol "$first2" requires explicit package name at configure.bat line
> 269
> .
> BEGIN not safe after errors--compilation aborted at configure.bat line 283.
> C:\apdev\modssl>

Oops, I forgot a complete line to add to configure.bat.
Now fixed in CVS. The next CVS snapshot will have it fixed.

       Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: mod_ssl vs Apache-SSL

2001-03-03 Thread Ralf S. Engelschall

On Fri, Mar 02, 2001, [EMAIL PROTECTED] wrote:

> [...]
> In my opinion, this is one of the best support lists I've ever seen,
> although I think it would be safe to say that it is very difficult to elicit
> a response from Ralf (I've never had a reply regarding removing broken RPMs
> from the ftp site, for example). Please don't take offence Ralf, I realise
> you are very busy.
> [...]

Yes, I know that (mainly because of my participation in lots of other
Open Source projects and the fact that my own little family claims more
and more time from me) for quite a long time I have no longer been able to
participate _actively_ in modssl-users discussions.

Nevertheless I monitor modssl-users on a regular basis and try to take
your wishes into account for the next maintenance releases (that's why
2.8.1 was delayed two days: I wanted to integrate parts of the
posted Win32 patches). So, don't be unhappy that I personally cannot
respond, because we have other really great guys here who do an even
better job of answering questions than I ever would be able to do.

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: apache 1.3.19 / mod_ssl 2.8.1

2001-03-03 Thread Ralf S. Engelschall

On Thu, Mar 01, 2001, ModSSL user wrote:

> Just to know when mod_ssl 2.8.1 for apache 1.3.19 will be
> available ?

Now ;)

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



ANNOUNCE: mod_ssl 2.8.1 for Apache 1.3.19

2001-03-03 Thread Ralf S. Engelschall


Sorry for the short delay, but here it finally is: mod_ssl 2.8.1 for
Apache 1.3.19. The corresponding CHANGES entries are appended below.
Grab it from:

   http://www.modssl.org/source/
   ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.1 (30-Jan-2001 to 03-Mar-2001)

   *) Conditionally adjusted source to build quietly also under
      latest OpenSSL 0.9.7-dev versions.

   *) Added a bunch of (untested!) adjustments and fixes for
      the Win32 platform as posted to modssl-users some time
      ago by various people.

   *) Fixed SSLCipherSuite example in httpd.conf-dist:
      The string EXP56 is actually EXPORT56, although internally
      in OpenSSL the variable is named SSL_TXT_EXP56.

   *) Upgraded to Apache 1.3.19 as base version.

   *) Extended FAQ entry for MSIE problems.

   *) Added FAQ entry for the question "Why do I get lots of random SSL
      errors under heavy load?"




Re: Apache, OpenSSL and Internet Explorer

2001-02-28 Thread Ralf S. Engelschall

On Sat, Feb 03, 2001, David Rees wrote:

> On Sat, Feb 03, 2001 at 04:36:07PM -0600, James Hastings-Trew wrote:
> > Thank you for your help. :) I am happy to say, that I *finally* managed to
> > get the silly thing working, and I am going home now to nurse my aching head
> > and sour stomach (nasty cold bug going around). The thing that did the trick
> > was to add the following to near the end of the httpd.conf file:
> > 
> > SSLSessionCache  dbm:/var/cache/httpd/ssl_cache
> > SSLSessionCacheTimeout 300
> 
> We found someone else with this same problem a while back, some versions of
> IE require that the SSL session be cached.
> 
> I also recommend that you use the shm session cache, I found it to be 30%
> faster than the dbm session cache during benchmarks.  Others have found
> the dbm session cache to be unreliable under heavy load.
> 
> We really do need to get Ralf to add the check for SSLSessionCache under
> the FAQ for IO errors with MSIE browsers.

/bin/done -- for mod_ssl 2.8.1.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
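The quoted exchange above boils down to a configuration check: is an SSL session cache configured at all, and is it the dbm or the shm variant. As an added illustration (not mod_ssl code and not from the thread), this script runs that check over constructed httpd.conf fragments; the shm path and size are assumptions, using the shm:/path[(bytes)] form mod_ssl 2.8 accepts.

```python
"""Check an httpd.conf for the mod_ssl session cache settings discussed
above.  Illustrative script written for this page, not mod_ssl code;
the sample configurations are constructed."""
import re

# Constructed sample: the dbm cache the poster ended up with.
CONF_DBM = """\
# SSL session cache, added near the end of httpd.conf
SSLSessionCache  dbm:/var/cache/httpd/ssl_cache
SSLSessionCacheTimeout 300
"""

# Constructed sample: SSL enabled but no session cache directive at all.
CONF_MISSING = """\
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
"""

# Constructed sample: shared-memory cache as recommended in the thread.
# Path and size are assumptions; mod_ssl 2.8 accepts shm:/path[(bytes)].
CONF_SHM = """\
SSLSessionCache  shm:/var/cache/httpd/ssl_scache(512000)
SSLSessionCacheTimeout 300
"""

DIRECTIVE = re.compile(r"^\s*(SSLSessionCache(?:Timeout)?)\s+(\S+)", re.I)


def check_session_cache(conf_text):
    """Return (severity, message); severity is 'error', 'warn' or 'ok'."""
    settings = {}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line.split("#", 1)[0])   # ignore comments
        if m:
            settings[m.group(1).lower()] = m.group(2)
    cache = settings.get("sslsessioncache", "none").lower()
    timeout = settings.get("sslsessioncachetimeout", "300 (default)")
    if cache == "none":
        return ("error", "no SSL session cache: some MSIE versions report "
                         "I/O errors unless the SSL session is cached")
    kind = cache.split(":", 1)[0]
    if kind == "dbm":
        return ("warn", "dbm cache: reported unreliable under heavy load; "
                        "the shm cache benchmarked about 30% faster")
    if kind == "shm":
        return ("ok", "shm cache, timeout %s" % timeout)
    return ("warn", "unrecognised cache type %r" % kind)


if __name__ == "__main__":
    for name, conf in (("dbm", CONF_DBM), ("missing", CONF_MISSING),
                       ("shm", CONF_SHM)):
        print(name, *check_session_cache(conf))
```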



Re: compiling 2.8.0 on NT

2001-01-31 Thread Ralf S. Engelschall

On Wed, Jan 31, 2001, Nikolai Petroff wrote:

> Configure.bat points to the wrong *.mak filenames. When I changed them,
> configure.bat ran okay, but on running:
> 
> nmake /f makefile.win
> 
> I get the following error:
> 
> ApacheCore.def : error LNK2001: unresolved external symbol ap_aquire_pool
> ApacheCore.def : error LNK2001: unresolved external symbol
> ap_make_shared_pool
> .\Debug\ApacheCore.lib : fatal error LNK1120: 2 unresolved externals
> LINK : fatal error LNK1141: failure during build of exports file
> NMAKE : fatal error U1077: 'link.exe' : return code '0x475'
> Stop.
> NMAKE : fatal error U1077: '"C:\Program Files\Microsoft Visual
> Studio\VC98\bin\NMAKE.EXE"' : return
> code '0x2'
> Stop.
> NMAKE : fatal error U1077: '"C:\Program Files\Microsoft Visual
> Studio\VC98\bin\NMAKE.EXE"' : return
> code '0x2'
> Stop.

Yes, sure. The whole Windows build environment for 1.3.17 was cleaned up
and adjusted by our Win32 guys inside the ASF. I expect that building
mod_ssl is now horribly broken under Win32. But as I already said: I
cannot fix this myself. A Win32 guy has to fix this and provide the
necessary patches. I'm happy to take them over...

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



ANNOUNCE: mod_ssl 2.8.0 for Apache 1.3.17

2001-01-30 Thread Ralf S. Engelschall


Yesterday, finally, the new Apache version 1.3.17 was released (for
those wondering: 1.3.15 and 1.3.16 were not released). As usual, I
already prepared mod_ssl in advance to make sure you immediately have a
corresponding mod_ssl version available for use with the latest Apache
version. The ChangeLog entries are appended below.

Grab mod_ssl-2.8.0-1.3.17.tar.gz from:

http://www.modssl.org/source/
 ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.0 (14-Oct-2000 to 30-Jan-2001)

   *) Upgraded to Apache 1.3.17 as base version.

   *) Changed ApacheModuleSSL.dll to mod_ssl.so in Makefile.Win32 to
      make mod_ssl not too broken after Apache 1.3.16's Win32 changes.

   *) Enhanced ApacheCore.def patch for Win32 folks.

   *) Upgraded to Apache 1.3.16 as base version.

   *) Fixed ssl_intro.wml: DES uses 56 bit, not 54 bit.

   *) Allow %{ENV:variable} in SSLRequire expressions, too.

   *) Fixed version parsing for APXS stuff in configure.

   *) Fixed Geoff Thorpe's Email addresses in various places.

   *) Fixed typo in INSTALL document.

   *) Make sure the user is not able to fake the client certificate
      based authentication by just entering an X.509 Subject DN
      ("/XX=YYY/XX=YYY/..") as the username and "password" as the
      password if "SSLVerifyClient optional" is used in combination
      with "SSLOptions +FakeBasicAuth".

   *) Fixed URLs in FAQ.

   *) Various fixes for the Win32 world:
      reflect renaming of "makefile.nt" to "makefile.win"; scache
      reorganisation adjustments; etc.
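The FakeBasicAuth entry in the 2.8.0 changes above describes an authentication bypass that the release closes. As an added illustration written for this page (not mod_ssl's own implementation), the Python model below contrasts the pre-fix decision with a hardened one that refuses client-typed credentials shaped like the synthesised ones whenever no verified certificate was presented; the password file contents are constructed.

```python
"""Model of the FakeBasicAuth check described in the 2.8.0 CHANGES entry.
Illustrative code written for this page, not mod_ssl's own implementation;
the password file below is constructed."""
import base64

FAKE_PASSWORD = "password"   # fixed password FakeBasicAuth supplies

# Constructed password file: Subject DNs of the certificates allowed in,
# each paired with the fixed password (a real file holds its crypt() hash).
PASSWD_FILE = {"/C=DE/O=Example/CN=Alice": FAKE_PASSWORD}


def basic_header(user, password):
    """Encode user:password as a Basic Authorization header value."""
    raw = ("%s:%s" % (user, password)).encode()
    return "Basic " + base64.b64encode(raw).decode()


def parse_basic(header):
    """Decode a Basic header into (user, password), or None if absent."""
    if not header or not header.startswith("Basic "):
        return None
    user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    return user, pw


def lookup(creds):
    """Password-file check; True only for a known DN with the fixed password."""
    return creds is not None and PASSWD_FILE.get(creds[0]) == creds[1]


def authorize_before_fix(verified_dn, client_header):
    """Behaviour the CHANGES entry fixes: with "SSLVerifyClient optional",
    a request that presented no certificate still reaches the password file
    with whatever Basic credentials the client typed, so a DN as the user
    name plus "password" passes as a certificate login."""
    if verified_dn:
        client_header = basic_header(verified_dn, FAKE_PASSWORD)
    return lookup(parse_basic(client_header))


def authorize_after_fix(verified_dn, client_header):
    """Hardened check: only a verified certificate may yield the fake
    credentials.  Without one, credentials shaped like them (a DN-style
    user name or the fixed password) are refused before any lookup."""
    if verified_dn:
        return lookup((verified_dn, FAKE_PASSWORD))
    creds = parse_basic(client_header)
    if creds and (creds[0].startswith("/") or creds[1] == FAKE_PASSWORD):
        return False
    return lookup(creds)
```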



Re: mod_ssl and Apache 2.0 ?

2001-01-24 Thread Ralf S. Engelschall

On Wed, Jan 24, 2001, ModSSL user wrote:

> A direct question to Ralf, will you port mod_ssl to Apache 2.0 ?

Yes.

> API tends to move less (even if ap_r* are still discussed) and we may
> see a first beta in some weeks.
> 
> Not related but Apache 2.0 is still using mm-1.1.1 (patched) and you're
> at mm-1.1.3. Will you also release a mm-1.1.4 with the patch from apr
> applied ?

Yes, but not with all APR changes (because some are not needed).

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Compiling modssl on Windows 2000

2001-01-23 Thread Ralf S. Engelschall

On Wed, Jan 17, 2001, Andy Malato wrote:

> I know that modssl is really only in the early development stages for
> windows, however I have attempted to try and compile it, but for some
> reason it seems that the modssl modules are not being compiled.
> 
> when I actually cd into the modules/ssl directory and try running nmake
> from there: NMAKE : fatal error U1073: don't know how to make
> 'ssl_engine_scache.obj'

This is already fixed in the latest snapshots AFAIK. But currently I'm on
the way to rolling mod_ssl 2.8.0 for Apache 1.3.16, and it will certainly again
be broken for Win32, because the Win32 guys inside the ASF changed a lot again
and I don't have any chance to fix this (I have no Win32 development environment
available). So, sorry, but Windows users are on their own... but if someone is
able to fix the stuff for Win32, I'm happy to incorporate the patch into the
official distribution.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: Question about SSLSessionCache using SHMHT

2001-01-13 Thread Ralf S. Engelschall

On Fri, Jan 12, 2001, Doremus, Matthew wrote:

> I have been looking through the mod_ssl v7.2.1 SHMHT code and it appears
> that each server creates its own hash table in the allocated shared memory.
> Does this imply that when using SHMHT servers only retrieve sessions that
> they themselves have stored?

No, the hash table is shared by all server processes, because the
underlying memory allocator is shared-memory based. This means that any
server process can store sessions and every other one can reuse them.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com


