RE: cheap CA certificates
http://www.sslreview.com/content/index.html

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
unique cipher-text
Hi,

Does anyone know why using the req -new option from the same private key twice does not generate a unique CSR?

As an example: I have an existing private key. I then generate a CSR from it.

    openssl req -new -key privakey.key -out csr.txt

I then generate another CSR from the private key and use identical DN information.

I can understand why the exponents and modules are the same.. because they are using the same private key, however why does the cipher text look the same? Isn't it supposed to be random?

I have tried to find the answer at http://www.openssl.org/docs/ but cannot..

Basically, I'd like to know what is responsible for the cipher text output? And can it be randomized each time without changing the DN levels?

Thanks,
R
RE: openssl upgrade
Linux 7.2 RedHat Pentium

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 20, 2003 11:45 AM
To: '[EMAIL PROTECTED]'
Subject: Re: openssl upgrade

On 20 Mar 2003 at 11:34, Robert Lagana wrote:

> On a linux 7.2 system, would it be easy to upgrade the current version of
> OpenSSL to the most recent?
> Are there any directions for this?
>
> Thanks

linux 7.2 what? (RedHat, SuSE, etc.)

Aloha => Beau;
openssl upgrade
On a linux 7.2 system, would it be easy to upgrade the current version of OpenSSL to the most recent?

Are there any directions for this?

Thanks
RE: win32 apache and ssl
Sorry, never mind .. I got it working.. Thanks for the help.

-----Original Message-----
From: Robert Lagana [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 17, 2003 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: win32 apache and ssl

Thanks,

I tried openssl -config and it does not recognize the option. I tried creating the directory and dummy file. It does not give the error finding the file anymore however.. after typing in the correct password it just hangs..

Is there a sample openssl.cnf ?

Thanks,
R

-----Original Message-----
From: Sergey Strakhov [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 17, 2003 2:08 PM
To: [EMAIL PROTECTED]
Subject: Re: win32 apache and ssl

I'm on a win 2000 sp2 box. Do you know why it's looking for /usr/local/ssl/openssl.cnf ?

This is the default place for the config file of OpenSSL on Unix platforms. You can change it with the command line option -config . Otherwise you can create C:\usr\local\ssl\openssl.cnf (assuming you run openssl from some directory on your drive C:)...
RE: win32 apache and ssl
Thanks,

I tried openssl -config and it does not recognize the option. I tried creating the directory and dummy file. It does not give the error finding the file anymore however.. after typing in the correct password it just hangs..

Is there a sample openssl.cnf ?

Thanks,
R

-----Original Message-----
From: Sergey Strakhov [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 17, 2003 2:08 PM
To: [EMAIL PROTECTED]
Subject: Re: win32 apache and ssl

I'm on a win 2000 sp2 box. Do you know why it's looking for /usr/local/ssl/openssl.cnf ?

This is the default place for the config file of OpenSSL on Unix platforms. You can change it with the command line option -config . Otherwise you can create C:\usr\local\ssl\openssl.cnf (assuming you run openssl from some directory on your drive C:)...
win32 apache and ssl
Hi,

Using http://hunter.campbus.com/Apache_2.0.42-OpenSSL_0.9.6g-Win32.zip I was able to create a private key but when I tried to create the CSR I received

    OpenSSL> req -key privatekey.key -out csr.txt
    Using configuration from /usr/local/ssl/openssl.cnf
    Unable to load config info
    Enter PEM pass phrase:

I type in the pass phrase and it just hangs.

I'm on a win 2000 sp2 box. Do you know why it's looking for /usr/local/ssl/openssl.cnf ?

Thanks,
R
RE: Migrating Apache/ModSSL/OpenSSL certificate to Win2K/IIS 5.0
You can take your private key and public key from Apache.. import them into MS IIS 4.0 as a key pair set. IIS 4 will ask you for the private key and the public key.

Back up the keypair set as a keypair file (.key); this will contain both the private key and public key in one .key file.

Then go to your MS IIS 5.0 webserver and under directory security.. go through the server certificate wizard and choose the last option "Import".

The "Import" option is designed for IIS 4.0 .key files.

-----Original Message-----
From: Emily Eileen Witcher [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 4:41 PM
To: [EMAIL PROTECTED]
Subject: Migrating Apache/ModSSL/OpenSSL certificate to Win2K/IIS 5.0

We have a 2-year Verisign Secure Site ID running on one of our Apache servers with ModSSL. The original CSR was generated using OpenSSL software. Now the site is moving to Windows 2000 / IIS 5.0 (bleah) and I was searching the web for information regarding how to transfer the certificate between the two environments.

Verisign apparently does not provide support on this issue; I found some info at Thawte (http://www.thawte.com/html/SUPPORT/server/apachessl.html) but it appears to be incomplete. Microsoft's support site doesn't seem to have any word on the subject either (surprise).

So if anyone has a better link than the one I found, I'd love to hear about it. Thanks so much...

Emily Witcher - [EMAIL PROTECTED]
RE: Securing directories
Thank you very much Paul.

Regards,
Robert

-----Original Message-----
From: Paul Bleimeyer [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 08, 2002 2:45 PM
To: '[EMAIL PROTECTED]'
Subject: Re: Securing directories

Rob,

You might want to use a restricted realm setup and use the authnname and set up a number of users to control the access.

Part I: Restricting access.

Using an authorization file on the folder in question is also possible, but if your users create subfolders, then they will be prompted to reauthenticate as they traverse the subfolders. Using the Authusername might be easier.

Part II: Secure vs. unsecure connections:

If you have both 80 and 443 bound to each of these virtual websites, then users will be able to connect on each port. Inserting the access controls mentioned at the top will work across both. If you want to ensure that users are not able to open this connection via 80, then do not include this port in your listen statements in http.conf.

There are many different ways to deal with this. See the following for more details.

Binding ports and the listen option:
http://httpd.apache.org/docs-2.0/bind.html

Authentication overview:
http://httpd.apache.org/docs-2.0/howto/auth.html

Users via a password file:
http://httpd.apache.org/docs-2.0/howto/auth.html#gettingitworking

Users via a groups file:
http://httpd.apache.org/docs-2.0/howto/auth.html#lettingmorethanonepersonin

On Fri, 8 Nov 2002, Robert Lagana wrote:

> Hello,
>
> Using mod_ssl .. on Apache .. I would like to secure two directories..
>
> https://www.domain.com/homedir
>
> https://www.domain.com/homedir2
>
> Now if users go to http://www.domain.com will users
> get a pop up saying that SSL is required?
>
> Is this just a matter of having Port 80 and Port 443 enabled?
>
> Do I set these directories up as virtual hosts?
>
> Is there a link someone can provide that explains this?
>
> Thanks,
> Rob
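The setup discussed in this thread, written out as an added example; it is not part of the original messages and is not Paul's own configuration. It serves the two directories only over SSL and asks for a login. The filesystem paths, realm name, password file location and the use of mod_ssl's SSLRequireSSL directive are assumptions for illustration.

```apache
# Added example, not from the thread. All paths and names are assumptions.

# Both ports bound: as the reply notes, the site is then reachable on each
# port, so a Basic-auth password sent to port 80 crosses the network in
# clear text.
#   Listen 80
#   Listen 443

# The reply's suggestion: leave port 80 out of the Listen statements.
Listen 443

<VirtualHost _default_:443>
    ServerName www.domain.com
    DocumentRoot /usr/local/apache/htdocs
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
</VirtualHost>

# Access control is set at server level so it applies to every virtual
# host that maps these directories. SSLRequireSSL makes Apache refuse any
# non-SSL request for them, which keeps the directories protected even if
# a "Listen 80" is added back later.
<Directory /usr/local/apache/htdocs/homedir>
    SSLRequireSSL
    AuthType Basic
    AuthName "Restricted area"
    # Password file created with htpasswd, kept outside the DocumentRoot
    AuthUserFile /usr/local/apache/passwd/passwords
    Require valid-user
</Directory>

<Directory /usr/local/apache/htdocs/homedir2>
    SSLRequireSSL
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /usr/local/apache/passwd/passwords
    Require valid-user
</Directory>
```

With SSLRequireSSL in place, a plain-HTTP request for either directory is refused with a 403 response; the browser does not show a pop-up asking for SSL.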
Securing directories
Hello,

Using mod_ssl .. on Apache .. I would like to secure two directories..

https://www.domain.com/homedir

https://www.domain.com/homedir2

Now if users go to http://www.domain.com will users get a pop up saying that SSL is required?

Is this just a matter of having Port 80 and Port 443 enabled?

Do I set these directories up as virtual hosts?

Is there a link someone can provide that explains this?

Thanks,
Rob
Site for modssl.org
Hi,

I can't hit http://www.modssl.org

I'm in need of the latest rpm or tarball for linux 7.2

Does anyone have another site I could use to download?

Thanks,
Rob
RE: How to Benchmark SSL on Apache based servers?
Thanks !

-----Original Message-----
From: Josh Chamas [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 27, 2002 1:28 PM
To: [EMAIL PROTECTED]
Subject: Re: How to Benchmark SSL on Apache based servers?

Robert Lagana wrote:
>
> Hi,
>
> Is it possible to benchmark the server load with mod_ssl enabled on Apache?
>
> Is there particular software that can do this?
>

In perl, you could do this by scripting a quick benchmark with LWP & Crypt::SSLeay libraries. ( LWP loads Crypt::SSLeay on the backend for https URLs )

Here's a crude command that will set 2 web clients hitting your SSL server at the same time:

    ]$ perl -MLWP::Simple -MBenchmark -e 'fork; timethis(25, sub { get(qq(https://localhost/)); }); wait;'
    timethis 25: 11 wallclock secs ( 2.78 usr + 0.07 sys = 2.85 CPU) @ 8.77/s (n=25)
    timethis 25: 11 wallclock secs ( 3.03 usr + 0.07 sys = 3.10 CPU) @ 8.06/s (n=25)

The timethis() stats aren't really relevant in this case, but it gave 50 requests done in 11 seconds. Obviously, since the client was running on the same machine as the server, the server's real performance would be quite different by itself.

Regards,
Josh

Josh Chamas, Founder phone:925-552-0128
Chamas Enterprises Inc. http://www.chamas.com
NodeWorks Link Checking http://www.nodeworks.com
How to Benchmark SSL on Apache based servers?
Hi,

Is it possible to benchmark the server load with mod_ssl enabled on Apache?

Is there particular software that can do this?

Thanks,
Rob
RE: certificate + network ACL + passwords problem?
Hi,

Does anyone know what the "Challenge Passphrase" is used for when creating a CSR ?

I know it can be used for a Verisign renewal or reissue etc... Is there anything else?

Thanks,
Rob
Intermediate Certificates
Hi,

Can you put more than one intermediate signer certificate for chaining in Apache?

Meaning having two lines in the apache config file.

    SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/ca.crt
    SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/ca1.crt

or 1 line pointing to the file but have both intermediate certs together.. such as

    -----Begin Certificate-----
    code
    -----Begin Certificate-----
    -----Begin Certificate-----
    code
    -----Begin Certificate-----

    SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/ca.crt (containing both)

Thanks,
Rob
RE: Macs not able to access 128bit Security sites?
Ben,

Can you try this site https://www.xe.com

Thanks,
Rob

-----Original Message-----
From: Ben Ricker [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 27, 2002 9:25 AM
To: Modssl List
Subject: Re: Macs not able to access 128bit Security sites?

The cipher is located within the browsers, which is different than the way Microsoft puts it in the system (hence the patch to upgrade the cipher). Anyway, I use IE 5.1 for Mac on OS9 and have no problem with 128-bit sites. Are you using OSX?

Ben Ricker
Web Security System Administrator
Wellinx.com

On Tue, 2002-08-27 at 01:48, Vince Montuoro wrote:
> Hi guys,
> Just wondered if anyone encountered issues with Macs not able to access 128 bit encrypted sites?
>
> (The Particular Mac in question is a Powerbook G3 )
>
> I have also encountered problems with IE5 and IE6 whereby the only way I could get access to the site was by upgrading the security patches on the IE version. Mac on the other hand has 128 bit encryption standard.
>
> PLEASE HELP
>
> Vince
> [EMAIL PROTECTED]
RE: Macs not able to access 128bit Security sites?
I have an issue where MSIE on a MAC doesn't recognize the signer of the Entrust certificate, however when you look at the signers in the security preferences in MSIE (Mac OS 8.1 +, MSIE 5 +) the Entrust.net secure root is there as well as GTE Cybertrust Root CA.. whom Entrust uses to chain to.

When the MAC MSIE browser connects .. users get a pop up saying .. "The issuer of the certificate is unknown"

Server: Apache/1.3.26 (Unix) AuthMySQL/2.20 PHP/4.0.4pl1

This is only happening with this particular server. Works fine on other Apache servers I have tested from a MAC MSIE.

Weird.

-----Original Message-----
From: Vince Montuoro [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 27, 2002 2:48 AM
To: [EMAIL PROTECTED]
Subject: Macs not able to access 128bit Security sites?

Hi guys,

Just wondered if anyone encountered issues with Macs not able to access 128 bit encrypted sites?

(The Particular Mac in question is a Powerbook G3 )

I have also encountered problems with IE5 and IE6 whereby the only way I could get access to the site was by upgrading the security patches on the IE version. Mac on the other hand has 128 bit encryption standard.

PLEASE HELP

Vince
[EMAIL PROTECTED]
Apache and MSIE on Macs
Hi,

I have an issue where all web browser clients can connect to my Apache web server securely using https:// EXCEPT for MAC MSIE (5.0 or 5.1 etc..) clients.

The ssl certificate that I have installed also uses an intermediate certificate for chaining.

When the MAC MSIE browser connects .. users get a pop up saying .. "The issuer of the certificate is unknown" however, if you look in the prefs of MAC MSIE under security, you can clearly see the issuer.

Netscape on the MAC works fine.

Does anyone know the cause? I know this is Apache and Microsoft related. There is something on the server that I probably need to change to adapt to MAC MSIE users but I don't know what it is...

Since I cannot find any articles in the MS KB.. and cannot find any in Apache newsgroups.. I am lost.

I am

Server: Apache/1.3.26 (Unix) AuthMySQL/2.20 PHP/4.0.4pl1