good luck for exams, was: ANNOUNCE: mod_ssl 2.4.5

1999-10-02 Thread Steffen Dettmer

> Now I've to go back to learning for my last (the fourth of four) diploma
> exams, which is "celebrated" in mid-October... ;) 

** GOOD LUCK !! **

I'm sure you'll do your exams as well as you did mod_ssl!

Have a nice weekend!!

oki,

Steffen

-- 
This message was generated by machine;
it therefore bears neither signature nor seal.
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: How to use SSL CA Revocation

1999-07-30 Thread Steffen Dettmer

> CA Revocation Lists.  I can revoke a certificate, which updates index.txt, using
> 
> openssl ca -revoke cert.pem
> 
> However, how do I generate CRL files?

I use the following:
 
   openssl ca -gencrl -config  -out  [-outform der]
 

oki,

Steffen





Re: Re^2: Differences?

1999-07-30 Thread Steffen Dettmer

Hi!

> > As far as I understood [...] 
> > and to write a nice documentation/manual (== doing the right software
> > engineering). [...]
> 
> You are wrong. I have nothing against the "module idea".

oki, sorry!!

> [...] But for various reasons the final pieces of the puzzle never
> quite fell into place. Not least of these reasons is the prohibition
> against crypto hooks.

Yepp, the old problem...

> BTW, I completely disagree that documentation equates to "doing the
> right software engineering". It is a symptom of having a great deal more
> spare time than I have, though.

("doing the right software engineering" referred not only to documentation)

Of course this is a matter of opinions... I think the documentation saved
time for many users. I needed a lot of time to build and run the first
servers, since at that time there wasn't good documentation. With the
manual, I think it's much easier and faster to work with. I think good
documentation is really important.

Thank you for putting the things right!

oki,

Steffen




Re: [PHP3] mod_ssl & php3

1999-07-29 Thread Steffen Dettmer


Tom > From: Tom Fishwick <[EMAIL PROTECTED]>

Hi!

Tom > Is it possible to run a modssl enabled apache, suexec?  The
Tom > default seems to configure it to run _default_:443 for all
Tom > virtuals, which won't suexec...

I'm running an SSL/CGI server with SuExec enabled without problems.
Did you use a User / Group directive in the virtual host section? This would
cause SuExec to behave differently.

Tom > What I want to do is provide all users with a ssl directory in
Tom > the home directory, or have their normal htdocs directory be
Tom > mapped to something like

I use different UserDir's, and it works fine.

Tom > https://secure.myserver/userid and to their virtual, so
Tom > switching to a ssl

or: https://ssl/~userid ?
^
If the users need URLs without "~", give mod_rewrite a chance...

Maybe you forgot some options at ./configure?
Do you get any error messages? Does the server say "SuExec wrapper
enabled" at startup?

oki,

Steffen





Re^2: Differences?

1999-07-29 Thread Steffen Dettmer

> > can anyone drop me a line about the differences of Apache-SSL and Apache
> > with mod_ssl? Is the only difference that one is a patch and the other a
> > module or are there more differences (I guess so ;) ?
> 
> Neither is a module. They are both patches.

As far as I understood, mod_ssl only patches an EAPI into Apache to make
some "new" hooks available; mod_ssl itself is a module and it should be
possible to load it dynamically. Second, the mod_ssl developers (mostly Ralf
;) ) spent much attention on writing clean, stable, well-documented code
and on writing a nice documentation/manual (== doing the right software
engineering). mod_ssl was adapted from Apache-SSL and was intended to be
"the new" Apache-SSL in module design (tell me if I'm wrong, Ralf!), but
over time more differences came up (shared memory cache in mod_ssl
and so on), since the Apache-SSL developers didn't like the "module idea"
(tell me if I'm wrong, Ben!). 

oki,

Steffen 






Re: Perl Script to proccess Netscape Client and Microsoft certificate Request

1999-07-09 Thread Steffen Dettmer

Hi,

> I sent this out with no response. Can some one comment?

Well... Seems like nobody has such a script, right?

> Am looking for some Perl CGI script that can process Netscape and
>  The script must completely automate the process,

I don't think that you'll find such a script, because if you automate the
certification procedure, you have no security, and so you don't
need a cert at all... (IMHO)

oki,

Steffen






Re: Segfaulting...

1999-07-07 Thread Steffen Dettmer

> > Basically (you'll recognise this one) I fire up Apache 1.3.6 + Mod_SSL
> > (latest) and all I can get is at most one, possibly two requests out of it
> > before each child then segfaults.
> 
> I am having this exact problem.
> 
I had this under Linux. I downgraded to 2.2.8, and it works...

If it helps, I can re-send the section from the error log.

oki,

Steffen




Re: Validating client certs

1999-07-04 Thread Steffen Dettmer

> when I connect to the server Netscape tells me that the certificate has expired
> because it is not yet valid.
> 
> I'm sure I must be missing something here. Expiry dates are set for 365 days.

Maybe the system dates of the machines simply differ? It may be possible
that the cert has a date in the future, and so it's invalid; I had this
problem myself (I forgot the "rdate" cron job...).

oki,

Steffen





Re: Yow!! Horribly confused...

1999-07-02 Thread Steffen Dettmer

>  $ ./configure \ALL
>--prefix=/path/to/apache \   ALL
>^^^
> Exactly what is the substitution for this last path? I set it up 
> using WHERE THE APACHE SOURCES ARE. Is this supposed to REALLY be 
> WHERE I WANT APACHE INSTALLED?
> 
> Not too clear in the docs.

--prefix is a common option and specifies the path where you want the
installation to go, e.g. /usr/local/Apache or so.

oki,

Steffen





Re: accepting/ installing certificates

1999-07-01 Thread Steffen Dettmer

> how do people build SSL systems which do not require the client to
> accept certificates? E.g. if you want to order a book at www.amazon.de
> and you are using the SSL connection, users do not have to accept the
> certificates, although the certificate of the website is not yet
> built into the browser and the site is used for the first time.

The signer/issuer certificate of the server certificate is in the browser
cert DB; this CA is "trusted", and so the issued certs are trusted.
A client like Netscape knows about the CA certificates of Thawte, Verisign
and others. If the server uses a certificate signed by one of these CAs,
it doesn't ask the user. So you have to go to Thawte or Verisign (for
example) and buy a certificate.  


oki,

Steffen





RE: Removing passphrase at boot

1999-07-01 Thread Steffen Dettmer

> Now from /usr/local/apache/bin I go httpsdctl stop and then httpsdctl
> start. I'm still asked for password as before. Is this correct? Assume
> it would do the same in the script from /etc/rc2 (solaris). Or maybe I

You may try "restart" or "graceful" as the parameter instead of "stop".

oki,

Steffen





RE: Question on upgrading from Stronghold

1999-06-30 Thread Steffen Dettmer

> I have same problem,where can I get RTFM?
> thanks a lot,

You'll find the FM at the mod_ssl website, but you'll have to read it for
yourself ;)
Just click on the Document link.

oki,

Steffen

p.s.:BTW:
> You must use other modules for this. RTFM (not FM from mod_ssl but FM from
   ^ Read The F*** Manual!




RE: mod-ssl on winnt

1999-06-29 Thread Steffen Dettmer

> errno.h, no such file or directory, even I continued to install mod-ssl,
> still had same error, what should I install on my system else? 
> I use redhat 5.2 on pentium 200,64M.

errno.h is part of libc...

You may re-install the RPM. Try a:
rpm -q -f /usr/include/errno.h
to get the filename of the RPM, and then:
rpm -i --force 
should help...  

oki,

Steffen





check serverlogs!, was: Re More POST stuff.

1999-06-14 Thread Steffen Dettmer

> I would guess you have disabled (or more probably: not 
> enabled) POST for the SSL part. Remember: the SSL host
> is a complete separate VHost! 
> 
> > ---
> > Method Not Allowed
> > 
> > The requested method POST is not allowed for the URL
> > /bnl/bnlorder_confirm.php3.

I got this error at invoking a "normal" CGI-Script, but it was not caused
by a missing  or so. 

PLEASE check the serverlogs!!

I'm not sure how I solved it, but I think it was caused by an error of the
suexec program. My virtual host is running under a different uid, so
suexec is used to wrap CGI execution. Suexec failed (uid didn't match the
uid of the directory or so) because the owner of the file was wrong. The
suexec.log said so. I just changed the owner of the CGI script, and it
worked!

oki,

Steffen 




Re: php3 and SSL

1999-06-10 Thread Steffen Dettmer

> > https://www.batesjackson.com/bnl.test/bnlorder_confirm.php3"
> > method="POST">
> >
> > It doesn't work with SSL. It gives me an "An I/O error has occurred during
> > security authorization. Please try your connection again." How does one
> > call a php file from a page that's called with https? Thank You.

I've got this error from a broken CGI script ("premature end of script
header"). I don't know why I didn't get an "internal server error" as
usual. This worked for an older version of mod_ssl; the internal server
error has an "errordocument" for this case, but now I just get this I/O
error...

oki,

Steffen




Re: preset passwords for generating key

1999-06-07 Thread Steffen Dettmer

> I'm using SSLeay to generate keys for a csr.  Is there a way to automate the
> process so the user doesn't have to enter a passphrase,  but instead have
> the passphrase 'preset' from another process, like a username/password form
> on a webpage.
> 
> The command is...
> ./ssleay genrsa -des3 -out server.key 1024
> 
> which stops to ask for the passphrase,  but I was hoping to not have to stop
> and enter a passphrase

First, you could use an unencrypted RSA server.key 
./ssleay genrsa -out server.key 1024
but of course it's insecure.
Second, you could use the mod_ssl feature for PassphraseDialog (just take
a look at the pretty nice mod_ssl manual). But (except smartcards) I
haven't found a secure and automatic solution.

In your case you could work with an unencrypted key, and encrypt it at
the end (when the CSR generation is finished). To encrypt a "plain" RSA key,
you may use:
./ssleay rsa -des3 -in server.key.rsa -out server.key && rm server.key.rsa
or so.

oki,

Steffen 

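As an added example (not code from the post or from SSLeay/OpenSSL), the approach in the reply above carried through with the current openssl CLI: the key is generated without a passphrase, the CSR is built from it with no prompt, and the key is encrypted only at the end, with the passphrase fed from a mode-0600 file through -passout file: so that no interactive prompt is needed and the passphrase never appears on the command line. Paths, the subject and the passphrase are constructed for the demo; the openssl binary is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the post above or from SSLeay/OpenSSL:
# key without passphrase -> CSR -> encrypt the key last, with the
# passphrase read from a 0600 file ("-passout file:") instead of a prompt
# or the command line (where "ps" would show it). Every path, subject and
# passphrase below is made up for the demo.
set -eu

# Step 1: plaintext key plus CSR, no interaction. The plaintext key is
# created under umask 077 so nobody else on the box can read it meanwhile.
make_key_and_csr() {
    dir=$1; cn=$2
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
    (umask 077; openssl genrsa -out "$dir/server.key.plain" 2048 2>/dev/null)
    openssl req -new -config "$dir/req.cnf" -key "$dir/server.key.plain" \
        -subj "/CN=$cn" -out "$dir/server.csr" 2>/dev/null
}

# Step 2: encrypt the key with the passphrase stored in $passfile and
# discard the plaintext copy. The encrypted file is what goes into
# SSLCertificateKeyFile; -aes256 stands in for the -des3 of the 1999 command.
encrypt_key() {
    dir=$1; passfile=$2
    (umask 077; openssl rsa -aes256 -in "$dir/server.key.plain" \
        -passout "file:$passfile" -out "$dir/server.key" 2>/dev/null)
    rm -f "$dir/server.key.plain"
}

# Exit 0 if the passphrase in $2 unlocks the key in $1 (the same check the
# web server performs at startup), non-zero otherwise.
key_unlocks_with() {
    openssl rsa -in "$1" -passin "file:$2" -noout 2>/dev/null
}

# Public key of the CSR and of the (decrypted) private key, to confirm the
# encrypted key still belongs to the request that was sent off.
csr_pubkey() { openssl req -in "$1" -noout -pubkey; }
key_pubkey() { openssl rsa -in "$1" -passin "file:$2" -pubout 2>/dev/null; }

# Stand-alone run.
demo() {
    work=$(mktemp -d)
    (umask 077; printf 'demo-passphrase-not-for-real-use\n' > "$work/passphrase")
    make_key_and_csr "$work" "www.example.test"
    encrypt_key "$work" "$work/passphrase"
    key_unlocks_with "$work/server.key" "$work/passphrase" \
        && echo "server.key unlocks with the stored passphrase"
    [ "$(csr_pubkey "$work/server.csr")" = "$(key_pubkey "$work/server.key" "$work/passphrase")" ] \
        && echo "CSR and encrypted key share one public key"
    rm -rf "$work"
}
demo
```

The same -passin file: form works for anything that later has to unlock the key without a prompt; what it does not solve is where that file lives and who can read it, which is the point the reply makes about there being no fully automatic and secure solution short of a smartcard.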



V2.3.0: Netscape reload works sometimes only

1999-05-29 Thread Steffen Dettmer

Hi,

I'm using mod_ssl-2.3.0 (and of course apache 1.3.6 + openssl 0.9.3)
It runs under a (very slightly modified) SuSE 6.0 Linux distribution
(i386 arch)

From time to time I find this:
> >> [ssl-access.log]
> >> xx.xx.xx.x - - [20/May/1999:16:22:00 +0200] "€@" 501 -
> >> xx.xx.xx.x - - [20/May/1999:16:24:41 +0200] "€@" 501 -
> >> xx.xx.xx.x - - [20/May/1999:16:30:37 +0200] "€@" 501 -
> >> [ssl-error.log]
> >> [Thu May 20 16:22:00 1999] [error] [client xx.xx.xx.x] Invalid method in
> >> request €@

in the log too,

> >This means you talk HTTPS to a HTTP port, i.e.  on that port SSL isn't
> >enabled. Check your server configuration. I guess your Listen and
> > sections do not match.

But I'm sure that I haven't talked HTTPS on an HTTP port, since there is a
virtual host for http, and so http (without port specification :443 of
course) cannot get an SSL connection (and it works).
The problem is the following (Netscape 4.5 / NT 4): When I connect to an
https URL, I get the index.html correctly, but without images. When I
click "reload", it fails often (approx. 1 of 2 or 3 tries). I tried a page
with 2 images; Netscape loads the HTML, and ONE image!
When reload fails, I get a Netscape message like (immediately): the server
didn't respond...
Under IE 5 the images problem is the same, but the "reload" seems to work,
but I'm not sure if IE really reloads the data.
I tried to set "Keepalive off", but it didn't help.

When I switch to mod_ssl 2.2.8, ssl works fine !!! (with a very similar
configuration).

I'm sorry, but it was late yesterday, so I cannot give more information
so far. 

BTW: Both server versions are running different keys/certs. When I "reload"
with Netscape after changing the server version, I just get the usual
"accept certificate" dialog - no "BIG FAT WARNING" or so!!!

Does anybody have an idea or a hint??

oki,

Steffen




Re: Message when starting ssl

1999-05-19 Thread Steffen Dettmer

> just a trivial question: why is it that only the last virtual host is
> stated when starting ssl? I've got a few virtual hosts and I've noticed
> that only the last one (in the httpd.conf file) is displayed. Bit
> intrigued ...

Maybe you tried to use name based virtual ssl hosts?
With SSL you can use ip based virtual hosts only, as described in the
mod_ssl documentation.

oki,

Steffen






Re: R: R: access control with environment var

1999-05-13 Thread Steffen Dettmer

> >I've not looked at the documentation but in a shell script to test an
> >integer you use -eq (equals) and to test a string you use = (Perl is the
> >exact opposite) so it might be this.  Sorry if I'm completely wrong, just
> >though I'd try to help in a quick e-mail before I leave work for the night.
> Thanks Derek,
> but = for the string is a syntax error.
> Andrea

Perl string compare is done with ($a eq "hallo"), numeric with ($a == 3).

Try using "perl -w" to enable warnings, e.g.:

#!/usr/local/perl -w
...


Maybe it helps.

oki,

Steffen




Re: forcing secure via name (off topic?)

1999-05-11 Thread Steffen Dettmer

> I am curious.  IF the server certificate had a common name www.xxx.org and
> the virtual host is yyy.xxx.org, should the browser considering the server
> a fake?

If the browser talks to yyy.x:443 it expects an X509 cert with CN=yyy.xxx.
In the case you describe, the CN is invalid (from the browser's point of
view).

oki,

Steffen





Re^2: Revoke certificcate

1999-04-27 Thread Steffen Dettmer

> > How do  I revoke  one personal certificate created for my CA?
> 
> By creating a CRL for your CA where the particular certificate is revoked.
> With the current CVS snapshots of OpenSSL you already can use "openssl ca
> -revoke " to change the index.txt database file. 

To inform your browser of the revocation, you have to generate a new CRL
and download it (to inform your web server, you'll need mod_ssl 2.3.0 or
the current snapshot).

oki,

Steffen

__
Apache Interface to OpenSSL (mod_ssl)  www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Making a http/https server

1999-04-23 Thread Steffen Dettmer

> "it's usually most simples to run a single instance where you enable SSL
> only for those virtual hosts that need it. " 
> 
> But it does not talk about making all this for only the main server.

At the end of the config, just use two virtual host sections, one on port
80 without SSL, one on port 443 with SSLEngine On.
Put the other options before those sections (e.g. Directory, log files
etc.); then both servers will use those (same) options, and you should get
what you want: two "symmetric" virtual hosts.

> And by the way, no harm wanted, but this Certificate thing is quite a
> nightmare to configure... at least on my system. 

Just read the mod_ssl documentation, there you'll find a very good
explanation! There's a nice HowTo chapter!

oki,

Steffen




Re: Problem with client authentication

1999-04-22 Thread Steffen Dettmer

> I'm running apache 1.3.3, mod_ssl 2.2., ssleay 0.9.0b

I suggest you upgrade to OpenSSL 0.9.2b, since you'll be able to set
the X509v3 extensions directly.

> The browser (Netscape 4.5) shows me a NO USER CERTIFICATES message box. What
> could be happening ?

Did you set the CA cert in the CACertificatePath correctly? Maybe you need
to download the CA cert into Netscape (I'm not sure, since I always
downloaded it).

You should use a cert with the "nsCertType = client, email" extension set.
If you like, I could give you a cert/URL for testing.
(In that case just drop me a mail to: [EMAIL PROTECTED])

oki,

Steffen






Re: Off topic: Which browsers support AuthType Digest?

1999-04-20 Thread Steffen Dettmer

> > While I'm at it asking questions not belonging here: I found an apache log 
> > entry I am concerned about, the entry is
> > "GET http://www.somehost.com HTTP/1.1" 200 5647
> > (changed hostname). It looks like as if a request for a foreign host url 
> > succeeds?!?
> 
> Check your configuration. Seems like you've enabled mod_proxy.  Except when
> www.somehost.com is an alias for your local host. Then it's ok.

telnet www www
then a
GET http://xxx_illegal_domain_name/ HTTP/1.1
is successful here too! It seems that the server is ignoring an illegal
server name and uses the default (or first or whatever ;) ) virtual host.

oki,

Steffen




Re: NameVirtualHost and Multiple SSL Keys

1999-04-16 Thread Steffen Dettmer

> HostNames.  What I am trying to do is allow each VirtualHost to have its own SSL 
> key for its respective HostName.

> serve a different server.key and server.crt file it seems to serve the same key 
> out of both VirtualHosts.  It serves the key/crt from the first instance of the 

This is a FAQ:
http://www.engelschall.com/sw/mod_ssl/docs/2.2/ssl_faq.html#ToC30

oki,

Steffen




Re: beginer questions

1999-04-15 Thread Steffen Dettmer

> Our questions:
> 
> probably these're easy questions for a guru, but I do not want to 
> read all the documentation about ssleay, mod_ssl, encryption law,...

I'm very glad that there IS at least a very good mod_ssl documentation:
http://www.engelschall.com/sw/mod_ssl/docs/2.2/

That should answer your questions.

> - if I've got two virtual webservers on the same server (with the same
>  IP) do I need two certificates?

e.g. at http://www.engelschall.com/sw/mod_ssl/docs/2.2/ssl_faq.html#ToC30



oki,

Steffen




Re: Mod SSL & Rewriting

1999-04-13 Thread Steffen Dettmer

> Any ideas on how to specify cert/key files for virtual hosts which do not
> exist?

Do you know that the cert is sent before any other information like an HTTP
request? So you cannot select the server cert after the HTTP request came
in, and so you cannot use different certs with the same IP address.

oki,

Steffen




Re: inconvenience in `configure' for mod_ssl

1999-04-12 Thread Steffen Dettmer

> a good sysadmin, you have the private key file unreadable for
> "normal users", and again if you are a good sysadmin, you configure
> and build programs being logged as "normal user".  I think that

Of course.

> ./configure should allow to specify the key file name and if the
> file is not accessible assume that it is OK and proceed.

BTW: Why does ./configure need the name of the keyfile? To produce the
default config? I upgraded as "user" (su -c 'make install' finally ;) ),
but I didn't specify any key or so?

2nd: I don't like "assume that it is ok" - in such a case I
prefer a warning like "couldn't check file contents"...

oki,

Steffen




Re: [BugDB] ssl virtualhosts won't bind unless the main server hasssl enabled (PR#155)

1999-04-09 Thread Steffen Dettmer

> Apache+mod_ssl just won't do shit unless the main server has SSL enabled on it.
> 
> if i just put the
> SSLEnable
> SSLEngine on
> (etc)
> 
> in the main server config, it works fine.

Maybe you should mail your (main) config file, otherwise it may be
difficult to trace the problem.

oki,

Steffen




sorry, I was too fast with my mail.... :( , was: Yes! It works!, was: RfD: Certificate Revokation Lists (CRL)

1999-04-09 Thread Steffen Dettmer

> > looks GREAT! I just installed it, and it works! FINE, Thanks, Ralf!!
> > Next days I'll make some more tests, but it looks really good so far!
> 
> Great, thanks a lot for testing. Then I should start the next feature round.
> A lot of stuff is still waiting in my queue...

:( Yes, but this was mailed a little bit too fast...
ok: this works well if the base64 CRL is in the cert bundle. For the tests
I included it of course. Everything fine so far.

Then I tried to use a hash-symlinked CRL. It *looked* as if it were working,
but I had removed the wrong CRL (I'm not good at reading Base64 ;) ) from
the bundle file, and so I *thought* that the hash-linked file had been
used. 
The CRL is not checked (or checked in a wrong way or so) if it's not in the
ca-bundle. I couldn't get it working. 

Any Ideas?



A second point is the logging - I don't understand it correctly I think:

[Fri Apr  9 18:32:13 1999] [error] mod_ssl: Certificate with serial number
2 (0x2) revoked per CRL (Issuer: /C=DE)

(quite clear - first line VERY nice :) )

then follows (side effect?) that well-known error block:

[Fri Apr  9 18:32:13 1999] [error] mod_ssl: Re-negotiation handshake
failed: Not accepted by client!?
[Fri Apr  9 18:32:13 1999] [error] mod_ssl: SSL error on writing data
(OpenSSL library error follows)
[Fri Apr  9 18:32:13 1999] [error] OpenSSL: error:1409E0E5:SSL
routines:SSL3_WRITE_BYTES:ssl handshake failure
[Fri Apr  9 18:32:13 1999] [error] mod_ssl: SSL error on reading data
(OpenSSL library error follows)
[Fri Apr  9 18:32:13 1999] [error] OpenSSL: error:1408F071:SSL
routines:SSL3_GET_RECORD:bad mac decode  

(looks like "signed by unknown CA")

Is Netscape stopping the handshake if there's no other user cert, or what
caused that (especially the "SSL error on reading data")?



And again another point:
Now I have files like:
x509: myTest8-cacert.pem.crt ... ef7c569b.0
 crl: myTest8-ca.crl  ... ef7c569b.1

but the x509 CA certs seem to be read only as .0, and not as .1!
When I swap (in the Makefile) I get:
 crl: myTest8-ca.crl  ... ef7c569b.0
x509: myTest8-cacert.pem.crt ... ef7c569b.1

And the CA is not known! What did I do wrong? 

The core action in the Makefile is:
hash="`$$ssl_program $$type -noout -hash <$$file`";
(with $type either "x509" or "crl")
ln -s $$file $$hash.$$n;  
(in this "simulated for loop", a while [ 1 ] counting up $n)

Any Ideas?


oki,

Steffen




Yes! It works!, was: RfD: Certificate Revokation Lists (CRL)

1999-04-09 Thread Steffen Dettmer

> Some months ago people requested support for Certificate Revokation Lists
> (CRL) in mod_ssl and I've now found a little bit of extra time to port some
> old code from Douglas E. Engert and the GLOBUS project (which was posted to
> the SSLeay mailing lists one year ago) to mod_ssl+OpenSSL. 

> Just apply it to mod_ssl 2.2.7's src/modules/ssl/ directory and add your CRLs
> to the SSLCACertificatePath dir and make sure a hash symlink exists (use the
> "openssl crl -noout -hash" command manually until I add support for this to
> the ssl.crt/Makefile).

> Feedback is welcome!

looks GREAT! I just installed it, and it works! FINE, Thanks, Ralf!!
Next days I'll make some more tests, but it looks really good so far!

BTW:
If anybody else needs a "Makefile with CRL support", just copy & paste the
text in the update rule from " for file in *.crt; do \" until "done",
change *.crt into *.crl and "$$ssl_program x509 -noout" into
"$$ssl_program crl -noout", and this should be enough for now...

BTW:
Do use "SSLCACertificatePath" in the config but do not use
"SSLCACertificateFile" - it seems that the "File" overrides the "Path".

oki,

Steffen


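This added example (not code from the posts, from mod_ssl or from OpenSSL) runs the CRL workflow asked about in "How to use SSL CA Revocation" above and worked through in the two CRL posts here, using the current openssl CLI: a throwaway CA is created, a certificate is issued and then revoked with openssl ca -revoke, a CRL is written with openssl ca -gencrl, and the CRL is published both ways the posts compare, as part of one PEM bundle and as hash-named files in a CA directory. OpenSSL's hashed-directory lookup names certificates hash.N and CRLs hash.rN, so a CRL linked as hash.1 next to a CA certificate at hash.0 is never consulted, which is what the "sorry, I was too fast" post ran into. All paths, names and subjects are constructed for the demo; the openssl binary is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not code from the list posts or from mod_ssl/OpenSSL: a
# throwaway CA, one cert issued, revoked ("openssl ca -revoke"), a CRL
# written ("openssl ca -gencrl", PEM plus a DER copy) and published two
# ways: in one PEM bundle (SSLCACertificateFile style) and as hash-named
# files in a directory (SSLCACertificatePath style). The hashed lookup
# wants certs as <hash>.N and CRLs as <hash>.rN. All paths, names and
# subjects below are made up for the demo.
set -eu

# Directory layout plus the minimal config "openssl ca" needs.
ca_init() {
    cadir=$1
    mkdir -p "$cadir/newcerts"
    : > "$cadir/index.txt"       # the CA database that -revoke edits
    echo 01 > "$cadir/serial"
    cat > "$cadir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database         = $cadir/index.txt
new_certs_dir    = $cadir/newcerts
serial           = $cadir/serial
certificate      = $cadir/ca.crt
private_key      = $cadir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl req -x509 -config "$cadir/ca.cnf" -extensions v3_ca -days 30 \
        -newkey rsa:2048 -nodes -subj "/CN=Demo Test CA" \
        -keyout "$cadir/ca.key" -out "$cadir/ca.crt" 2>/dev/null
}

# Issue a certificate through "openssl ca" so it is recorded in index.txt.
ca_issue() {
    openssl req -config "$1/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl ca -batch -notext -config "$1/ca.cnf" \
        -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

# Mark a certificate revoked in the database. Nothing reaches clients
# until a fresh CRL is generated and published.
ca_revoke() { openssl ca -config "$1/ca.cnf" -revoke "$2" 2>/dev/null; }

# Write the current CRL (PEM, plus DER for clients that want it) and
# publish it in both delivery formats.
ca_gencrl() {
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
    openssl crl -in "$1/ca.crl" -outform DER -out "$1/ca.crl.der"
    cat "$1/ca.crt" "$1/ca.crl" > "$1/bundle.pem"
    hashdir_build "$1/hashed" "$1/ca.crt" "$1/ca.crl"
}

# Lay out a CA directory the way OpenSSL's hashed lookup searches it:
# certs as <hash>.N, CRLs as <hash>.rN, N counting up on hash collisions.
# A .crl suffix selects the CRL rule; copies stand in for symlinks.
hashdir_build() {
    dir=$1; shift
    rm -rf "$dir"; mkdir -p "$dir"
    for f in "$@"; do
        case "$f" in
            *.crl) h=$(openssl crl -noout -hash -in "$f");  sfx=r ;;
            *)     h=$(openssl x509 -noout -hash -in "$f"); sfx=  ;;
        esac
        n=0
        while [ -e "$dir/$h.$sfx$n" ]; do n=$((n + 1)); done
        cp "$f" "$dir/$h.$sfx$n"
    done
}

# Exit 0 when the chain verifies and no CRL lists the certificate. Note that
# -crl_check fails outright when no CRL for the issuer can be found, so a
# CRL must be published before the first revocation, not only after it.
accepted_via_bundle() { openssl verify -crl_check -CAfile "$1/bundle.pem" "$2" >/dev/null 2>&1; }
accepted_via_dir()    { openssl verify -crl_check -CApath "$1/hashed" "$2" >/dev/null 2>&1; }

# Stand-alone run: issue, publish an empty CRL, revoke, republish, check.
demo() {
    work=$(mktemp -d); crt=$work/srv.example.test.crt
    ca_init "$work"; ca_issue "$work" srv.example.test; ca_gencrl "$work"
    accepted_via_bundle "$work" "$crt" && echo "before revocation: accepted"
    ca_revoke "$work" "$crt"; ca_gencrl "$work"
    accepted_via_dir "$work" "$crt" || echo "after revocation: rejected (dir: $(ls "$work/hashed" | tr '\n' ' '))"
    rm -rf "$work"
}
demo
```

openssl rehash (OpenSSL 1.1.0 and later) and the older c_rehash script produce this same layout for a directory of PEM files, and it is the layout SSLCACertificatePath expects; verifying through the hashed directory as well as through the bundle is the check that catches a wrongly named CRL.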



Re: [BugDB] SSLRequireSSL and AuthType Basic (PR#154)

1999-04-09 Thread Steffen Dettmer

Hi,

If "Satisfy any" really means satisfy "from" or "user" or "ssl", then I
think the function of Satisfy should be changed so that it does not override
SSLRequireSSL (if possible) in the next mod_ssl version... 
(Since the manual says: "When this directive is present all requests are
denied which are not using SSL")

oki,

Steffen

> It seems that the first Basic auth is checked and then 
> SSLRequireSSL... Thus first Apache determines that BA
> is needed and asks for it immediately. 
> > 
> >
> >   SSLRequireSSL
> >   Allow from x.x.x
> >   Require valid-user
> >   Satisfy any
> >

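An added example, not code from the bug report or from Apache/mod_ssl: a small configuration audit for the interplay reported in PR#154, where "Satisfy any" lets a passing "Allow from" or "Require" override SSLRequireSSL. Later mod_ssl releases document "SSLOptions +StrictRequire" as the setting that makes an SSLRequireSSL denial win again, so the check flags every Directory, Location or Files container that carries both SSLRequireSSL and "Satisfy any" without +StrictRequire in the container or at server scope. Containers are assumed not to be nested, and the three sample configs are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the bug report or from Apache/mod_ssl.
# Flags containers where "Satisfy any" can override SSLRequireSSL because
# no "SSLOptions +StrictRequire" is in effect for them. Assumes containers
# are not nested; sample configs below are made up for the demo.
set -eu

# Print "<line>: <opening tag>" per risky container (nothing when clean).
audit_satisfy_any() {
    awk '
    FNR == 1 { pass++ }                         # the file is read twice
    { line = tolower($0); sub(/^[ \t]+/, "", line) }
    line ~ /^<(directory|location|files)(match)?[ \t>]/ {
        depth++; start = FNR; tag = $0; sub(/^[ \t]+/, "", tag)
        req = any = strict = 0; next
    }
    line ~ /^<\/(directory|location|files)(match)?>/ {
        if (pass == 2 && req && any && !strict && !global_strict) printf "%d: %s\n", start, tag
        depth--; next
    }
    line ~ /^ssloptions/ && index(line, "+strictrequire") {
        if (depth == 0) global_strict = 1; else strict = 1   # pass 1 collects server scope
    }
    depth > 0 && line ~ /^sslrequiressl/    { req = 1 }
    depth > 0 && line ~ /^satisfy[ \t]+any/ { any = 1 }
    ' "$1" "$1"
}

# Number of findings, as a plain integer.
count_findings() { audit_satisfy_any "$1" | wc -l | tr -d ' '; }

# Constructed samples: the weak block from the report, the same block
# hardened in place, and the hardening applied once at server scope.
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
<Directory "/www/secure">
    SSLRequireSSL
    Allow from 10.0.0.0/8
    Require valid-user
    Satisfy any
</Directory>
EOF
    cat > "$1/hardened.conf" <<'EOF'
<Directory "/www/secure">
    SSLRequireSSL
    SSLOptions +StrictRequire
    Allow from 10.0.0.0/8
    Require valid-user
    Satisfy any
</Directory>
EOF
    cat > "$1/global.conf" <<'EOF'
<Location /app>
    SSLRequireSSL
    Require valid-user
    Satisfy any
</Location>
SSLOptions +StrictRequire
EOF
}

# Stand-alone run over the three samples.
demo() {
    work=$(mktemp -d); write_samples "$work"
    for f in weak hardened global; do
        echo "$f.conf: $(count_findings "$work/$f.conf") finding(s)"
        audit_satisfy_any "$work/$f.conf"
    done
    rm -rf "$work"
}
demo
```

Run it against a real httpd.conf with audit_satisfy_any /path/to/httpd.conf; a finding means that, for that container, any one of the listed access checks passing is enough to serve the resource over plain HTTP despite SSLRequireSSL.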



IE 4 works, and NS not, was: BUG Netscap 3.x 4.x 5.x & POST

1999-04-02 Thread Steffen Dettmer

> ...   I reloaded an SSL page, and it worked (yay!).  I then tried
> to POST to a CGI script and it failed.
> 
> work with their browser, please let me know which browser you are using.

https://www.duluoz.net/post.html

My Netscape browsers (4.08 Linux/4.05 Win95) fail with an I/O error using
this URL. 
But Internet Explorer 4 (Ver.: 4.72.2106.8) works!

Maybe this helps?

oki,

Steffen






Re: RfD: Certificate Revokation Lists (CRL)

1999-04-01 Thread Steffen Dettmer

> Some months ago people requested support for Certificate Revokation Lists
> (CRL) in mod_ssl and I've now found a little bit of extra time to port some
> old code from Douglas E. Engert and the GLOBUS project (which was posted to
> the SSLeay mailing lists one year ago) to mod_ssl+OpenSSL. The appended patch
> adds CRL support to the certificate verification process of mod_ssl and should
> do what people requested. 
> 
> Feedback is welcome!

Very well - this feature is necessary I think. Very nice that you
implemented this :) Think I'll try it out...

oki,

Steffen




access error reproduced, was: Client Test Suite: Summary

1999-03-27 Thread Steffen Dettmer

> clients. So, people which discovered the problem, please connect again, but
> avoid too much browsing on en4.engelschall.com (or we don't find the entries
> in 100MB debug logs). And give me the exact time and IP-address you used so I
> can find your entries.
ok:

(masquerading router:)
local  IP address 195.252.150.168

(date:)
Sat Mar 27 20:35:15 MET 1999

MSIE 4.72.2106.8 (german version)
---> https://en4.engelschall.com/manual/mod/mod_ssl
successfully loaded

(+30 sec:)

Sat Mar 27 20:35:48 MET 1999
---> reload: FAILED: 
"The Site http/mod_ssl could not be opened.  The
 Server supplied an invalid or unknown answer"


Hope it helps!

oki,

Steffen




Re: New Info (PR#136) repeatable on https://en4.engelschall.com

1999-03-26 Thread Steffen Dettmer

> With an IE4.0 or greater browser connect to
> https://en4.engelschall.com/manual/mod/mod_ssl
> Wait at least 16secs. (keep-alive is set to 15secs)
> Click Refresh.

I got an error too under these circumstances:
(tried to translate from German)
"The Site http/mod_ssl could not be opened.
 The Server supplied an invalid or unknown answer"

Then I click "OK" and reload again, and this time it works...
Maybe an IE4 problem?

oki,

Steffen




RE: Ok, Client Test Suite established

1999-03-25 Thread Steffen Dettmer

> >  https://en4.engelschall.com/
Netscape 4.5 [en]-98286
Linux 2.0.36

Everything looks fine...

oki,

Steffen




Re: Now I can be my own CA but there's more...

1999-03-24 Thread Steffen Dettmer

> certificate expires, IE 3 disallows access altogether. Anyway I can hack
> the Registry or something like that so IE3/4/5 users can go to my site?
> Like, adding my phony CA to IE's list of CAs?
> 
> By the way, is there such hack to Netscape too?

take a .htaccess and include the following line:
AddType application/x-x509-ca-cert .cacert

Then convert your ca-cert into "der" format (via "ssleay -in
 -out  -outform der")
(or was it "-infile"? - no ssleay here ;) )

Then upload this file to the dir with the .htaccess and it should work at
least with Netscape 3/4 (and I think IE 4 too)

oki,

Steffen

__
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
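An added example for the conversion step in the message above (not code from the thread or from mod_ssl): the PEM armor around a certificate is just base64 over the DER bytes, so stripping it and decoding gives the "der" file the browser expects, and the ".cacert" extension is mapped to the same MIME type the AddType line declares. The sample PEM is constructed (a tiny DER SEQUENCE, not a real certificate); with a real CA certificate the decoded bytes are what "openssl x509 -in ca.crt -outform DER -out ca.cacert" writes.

```python
"""Added example: PEM -> DER conversion of a CA certificate plus the
Content-Type mapping for the ".cacert" extension.  Standard library only,
so it runs without openssl installed; not OpenSSL's or mod_ssl's own code."""
import base64
import mimetypes
import re

# Equivalent command line for the conversion step described in the post:
#   openssl x509 -in ca.crt -outform DER -out ca.cacert
# and the .htaccess line from the post:
#   AddType application/x-x509-ca-cert .cacert
CA_CERT_MIME = "application/x-x509-ca-cert"
CA_CERT_EXT = ".cacert"

# Constructed sample: PEM armor around a tiny DER SEQUENCE holding one
# INTEGER (0x01).  It is NOT a real certificate; a real one is just a much
# larger SEQUENCE wrapped the same way.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def der_outer_length(der: bytes) -> int:
    """Total encoded length of the outermost DER element, or ValueError.

    Certificates are a SEQUENCE (tag 0x30); the length is short form
    (< 128) or long form (0x8N followed by N big-endian length bytes)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der(pem: str, label: str = "CERTIFICATE") -> bytes:
    """Strip the PEM armor, base64-decode the body and sanity-check the DER."""
    m = _PEM_RE.search(pem)
    if m is None or m.group("label") != label:
        raise ValueError(f"no PEM block with label {label!r}")
    der = base64.b64decode("".join(m.group("body").split()), validate=True)
    if der_outer_length(der) != len(der):
        raise ValueError("DER length does not match decoded size")
    return der


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Inverse of pem_to_der (64-character base64 lines, as openssl writes)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def content_type_for(filename: str) -> str:
    """Content-Type a server should send for filename; mirrors the AddType line."""
    mimetypes.add_type(CA_CERT_MIME, CA_CERT_EXT)
    guessed, _ = mimetypes.guess_type(filename)
    return guessed or "application/octet-stream"


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(der.hex(), content_type_for("ca" + CA_CERT_EXT))
```

The length check matters in practice: a PEM file that was truncated or pasted with a missing line still base64-decodes, but the outer SEQUENCE length then disagrees with the decoded size, and the browser's "invalid or unknown answer" style errors are easier to track down when the file is rejected on the server side first.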



Re: [BugDB] PRIVATE: SSLeay (PR#131) (fwd)

1999-03-22 Thread Steffen Dettmer

> On another note, I would suggest that you implement a feature that will preserve
> existing configuration files if apache+modssl is installed over an existing
> apache installation.
> ...  When I
> installed the port, it overwrote my existing httpd.conf (luckily I had enough
> sense to keep a backup readily available)

... I think my http.conf survived the "make install" with a comment
like "preserving existing data" ...

oki,

Steffen





Re^2: [BugDB] configtest rejects SSLRequireSSL (PR#126)

1999-03-18 Thread Steffen Dettmer

> > When using configtest, I get this error:
> 
> "configtest"? What's this?

Apache/bin/apachectl configtest
--> does: "httpd -t"

tests the configuration files for syntax errors.

oki,

Steffen




Re: [BugDB] Runaway Children & Memory Usage (PR#120)

1999-03-13 Thread Steffen Dettmer

Hi,

Version: mod_ssl-2.2.4-1.3.4
OS: IRIX 5.3

here it looks good - no hanging processes, no high CPU consumption or so...
Some seconds after a connect the load goes back to 0.01 or so...

oki,

Steffen

> 2) Child processes randomly hang and consume a large amount of CPU.

> The problem is that after a client connects via SSL, the httpd
> process consumes all available cpu, and the system load goes
> to 1.00.  This occurs even when the client is idle.

> This tells me it is not only on a 2.2.2 kernel or glibc-2.1.






again: serverkeys, was: Session Cache security

1999-03-12 Thread Steffen Dettmer

(an opinion)

> Just a thought.  To secure the key, it may be necessary to put the key on a
> different machine.  When the web server needs it, get it from there.  After
> using it, erase it from memory.  This solves the core dump problem.

No, I don't think so... The other machine has to decide whether it should send
the key or not. The program has to do some checks or so, but the hacker
could use a wrapper around httpd or simulate the request for the key -
it's easy to fake I think.

I think there wouldn't be *any* good solution at all, since a hacker could
fake all data/information that could be used as authorization...
The hacker could do anything the server itself could do...
Even the pass phrase input from the console could be passed through a kind of
wrapper or so...

I think: You can protect your key with anything, but if a hacker gained
root access, he can get the key!

oki,

Steffen




Re: RFC: encrypted serverkeys WHY??

1999-03-11 Thread Steffen Dettmer

> > > > I thought that is "overrideable" using "ulimit -c 1000" ?
> > > 
> > Most "current" kernels do not allow a process to dump core after it 
> > has done a setuid() (unless it does an exec()) for security reasons;
> > there can be privileged information left over in memory.

Yes, you're right of course. I've just read: (IRIX 5.3) man 4 core:
... A process with an effective user ID different from the real user ID
will not produce a core image...

oki,

Steffen




Re: RFC: encrypted serverkeys WHY??

1999-03-10 Thread Steffen Dettmer

> > ... somewhere in a core dump from httpd ...
> That's why most Unix platforms do not create core files for daemon processes
> running under or started as UID=0 (root).

I thought that is "overrideable" using "ulimit -c 1000" ?

> > A different way would be to use a patched httpd/OpenSSL, which dumps all
> > passphrases is a file or so.
> 
> Not really, because neither mod_ssl nor OpenSSL stores the pass phrase.
> Only the key itself is stored in memory.

Yeah, I meant a PATCHED version! Some lines of extra code, and it _does_
store it ;)

> just needs root access and can immediately read your key from disk.  When
> you've it encrypted he also has to steal it from the running process. Sure,

Or the hacker uses a mini wrapper around httpd that copies the passphrase
to a file (something like the function of "tee").
At the next server start he would have the phrase...

> One thing is actually true: You always have to protect the webserver machine
> itself as best as it can be. Just using a pass phrase on the keys is not
> enough, of course.

YES at all!!! We have very strict TCP-Wrappers and so on...
(it's easy to deny access to such "dedicated" servers for anything except
web)

> BTW, a few months ago we had a long thread about this topic.
> Look inside the sw-mod-ssl mailing list archives for details.

Sorry, I couldn't find it... I crawled through lots of mails, but I haven't
found such a discussion...

What about the feature "SSLPassPhraseDialog exec:/path/to/program"?
The manual tells: "The intent is that this external program first runs
security checks to make sure that the system is not compromised by an
attacker, and only when these checks were passed successfully it provides
the Pass Phrase"
What kind of security checks are possible? I think it's at least very
difficult to tell the difference between the server and a good hacker: the same
IP, UID, calling situation and so on may be faked easily (or: easy?).

Does somebody have a good idea?


oki,

Steffen






RFC: encrypted serverkeys WHY??

1999-03-10 Thread Steffen Dettmer

Hi,

It's recommended to use DES3-encrypted RSA server keys with mod_ssl.
To steal this key, a hacker needs root permissions.
But if a hacker has root permission, it's easy to steal the DES3
passphrase too. I think at least somewhere in (RAM) memory the key is
decrypted, since the server needs the key. I think that the key is
somewhere in a core dump from httpd - and so the hacker could analyze it
and could steal the key.

A different way would be to use a patched httpd/OpenSSL, which dumps all
passphrases into a file or so.

All in all I think it's not more secure to use a DES3 key, since the
hacker who is able to get the keyfile is able to get the passphrase too,
ain't???

So I cannot see the need for a passphrase at all...

What does the list think about this question?


Thanks, 

Steffen




Re: Trying the https://....

1999-03-10 Thread Steffen Dettmer

> > connect to server". Do i need to put the following in the httpd.conf
> > file:
> > 
> > 
> > Port 443
> > ...
> Sure, you need such an entry. Plus a corresponding ``Listen 443'', of course.

mmm - but why is that Port... needed? Are you sure that's needed?

> 
> > Im trying to run a non-ssl apache server (main server) and a ssl apache
> > server.  Do i need to open the port 443 in the firewall if im installing the
> > ssl apache server on the internal network? 
> 
> Yes, when you're firewall also filters ports, you've to allow connections to
> port 443 (HTTPS) in addition to 80 (HTTP), too.
> 
> Using http://www.abc.com:443 just leads to an error
> page saying that you're connecting via HTTP to an HTTPS port.

Yeah - really cool! (coded to avoid the TOP #1 FAQ ?! ;) )

> > Also why is the apache ssl server installed in the /usr/local/apache
> > directory when i did "./configure --prefix=/apache/apache_1.3.4"?
> 
> I'm sure --prefix works.

YES! It works.
I do a "make -n install" before installing, to take a look at what will
happen - just to be sure :).
Even the _comments_ in the configuration file are "prefix-ed"!

oki,

Steffen




Re^2: multiple config files - how to include from httpd.conf ?

1999-03-09 Thread Steffen Dettmer

> > since we have a large httpd.conf file I want to split it into several
> > files: one for "globals" one for each virtual host etc.
> > Is it possible?
> 
> Sure, use Apache's Include directive 

Exactly what I need...

Thanx!

Steffen




multiple config files - how to include from httpd.conf ?

1999-03-09 Thread Steffen Dettmer

Hi,

since we have a large httpd.conf file I want to split it into several
files: one for "globals", one for each virtual host etc.

Is it possible?

Thanks,

Steffen




(OT!) - locality empty after signing? (fwd)

1999-03-09 Thread Steffen Dettmer

Sorry for being off-topic, but I don't read the right list... ;)

From: Lars Eggert <[EMAIL PROTECTED]>
To: Steffen Dettmer <[EMAIL PROTECTED]>

Hi,

some weeks (?) ago there was a posting on the OpenSSL mailing list which
described a problem: the "locality" in the DN got lost after signing.
I mailed Lars Eggert and asked for help:

--
At 3:50 PM +0100 3/8/99, Steffen Dettmer wrote:
> ...
> did you resolve this problem? I have the same: I made a CSR with a "L=",
> signed it with a ca with the same "L=" - and the resulting certificate has
> a L= in "issuer" but _not_ in "belongs to".

never resolved this, and never got any other responses. Did you 
verify that the problem is due to the localities in the ca and user 
cert being the same (i.e. does the problem go away if they are 
different?)

(BTW: no, I haven't checked this with different L's )
---

Does anybody have an idea? Is the problem known?

HELP please!

oki,

Steffen

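An added example, not part of the thread above and not OpenSSL's own code: the behaviour Lars and Steffen describe has one documented cause. The ca(1) manual page states that any subject field not mentioned in the configured policy section is silently deleted from the issued certificate unless -preserveDN is given, and the policy_match section shipped in the stock openssl.cnf lists countryName, stateOrProvinceName, organizationName, organizationalUnitName, commonName and emailAddress but no localityName. The model below re-implements that rule over the DN strings; the CA and request subjects are constructed sample values.

```python
"""Added example: a model of how `openssl ca` applies its policy section
to a request's subject DN.  Re-implementation of the documented rule for
illustration only (not OpenSSL's code); subjects below are constructed."""
from typing import Dict, Optional, Tuple

# Short-name <-> long-name table for the DN attributes a policy may list.
SHORT_TO_LONG = {
    "C": "countryName", "ST": "stateOrProvinceName", "L": "localityName",
    "O": "organizationName", "OU": "organizationalUnitName",
    "CN": "commonName", "emailAddress": "emailAddress",
}
LONG_TO_SHORT = {v: k for k, v in SHORT_TO_LONG.items()}

# The policy_match section as found in the stock openssl.cnf.  Note that
# localityName is absent, so an "L=" in the request is dropped on signing.
POLICY_MATCH = {
    "countryName": "match",
    "stateOrProvinceName": "match",
    "organizationName": "match",
    "organizationalUnitName": "optional",
    "commonName": "supplied",
    "emailAddress": "optional",
}


def parse_subject(text: str) -> Dict[str, str]:
    """Parse '/C=DE/ST=Berlin/L=Berlin/O=Example/CN=host' into long-name keys."""
    subject: Dict[str, str] = {}
    for part in text.strip("/").split("/"):
        if not part:
            continue
        key, _, value = part.partition("=")
        if key not in SHORT_TO_LONG:
            raise ValueError(f"unknown DN attribute {key!r}")
        subject[SHORT_TO_LONG[key]] = value
    return subject


def format_subject(subject: Dict[str, str]) -> str:
    """Render a subject dict back into openssl's /C=../ST=.. one-line form."""
    return "".join(f"/{LONG_TO_SHORT[k]}={v}" for k, v in subject.items())


def apply_ca_policy(
    request: Dict[str, str],
    ca: Dict[str, str],
    policy: Dict[str, str],
    preserve_dn: bool = False,
) -> Tuple[Optional[Dict[str, str]], Optional[str]]:
    """Return (issued_subject, None) on success or (None, reason) on rejection.

    'match' must equal the CA's value, 'supplied' must be present, 'optional'
    may be present.  Without preserve_dn the issued DN is rebuilt in policy
    order from the listed fields only (this is how L= disappears)."""
    issued: Dict[str, str] = {}
    for field, rule in policy.items():
        value = request.get(field)
        if rule == "match":
            if value is None:
                return None, f"the mandatory {field} field was missing"
            if value != ca.get(field):
                return None, (f"{field} must be the same in the CA certificate "
                              f"({ca.get(field)!r}) and the request ({value!r})")
        elif rule == "supplied":
            if value is None:
                return None, f"{field} needed to be supplied and was missing"
        elif rule != "optional":
            return None, f"unknown policy rule {rule!r} for {field}"
        if value is not None:
            issued[field] = value
    return (dict(request) if preserve_dn else issued), None


if __name__ == "__main__":
    ca = parse_subject("/C=DE/ST=Berlin/L=Berlin/O=Example CA/CN=Example Root CA")
    req = parse_subject("/C=DE/ST=Berlin/L=Berlin/O=Example CA/OU=Web/CN=www.example.test")
    print("policy_match:   ", format_subject(apply_ca_policy(req, ca, POLICY_MATCH)[0]))
    with_l = {**POLICY_MATCH, "localityName": "optional"}
    print("with localityName:", format_subject(apply_ca_policy(req, ca, with_l)[0]))
```

The practical check is therefore the CA's openssl.cnf rather than the CSR: compare the issued subject against the request with "openssl x509 -noout -subject" and "openssl req -noout -subject", and if a field is missing only from the certificate, add it to the policy section (or sign with -preserveDN).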



Re: during config/install...

1999-03-08 Thread Steffen Dettmer

>  I also wish to be my own CA..   What changes would I need to make (and
> when) during the process would I do that?

You don't need to change the www-server to be your own CA. You need a
(secure) host with OpenSSL for CSR signing; this should not be
your webserver. You copy (e.g. via scp or disk) the .csr file(s) to the CA
host, sign them (or better: certify them), and then copy back the .crt
certificate. The (self-signed) CSR and the CRT are not as security relevant
as the secret keys, so you may send them by mail I think...

oki,

Steffen 




Re: Client basic authorisation

1999-03-08 Thread Steffen Dettmer

> > I can't understand what I should put into my /etc/httpd/passwd and
> > /etc/httpd/group, and how I can get the `one line' version of the
> > client's X.509 certificate.
> 
> Why do you dislike the mod_ssl User Manual ? ;-)

Yeah, you should take a look - the manual is just great!

This topic is described in Chapter 5 "Howto" - "Client Authentication and
Access Control" - "How can I authenticate clients based on certificates
when I know all my clients?"

oki,

Steffen





Re: mod_ssl 2.2.4 (another FAQ? ;) )

1999-03-05 Thread Steffen Dettmer

> Contrib? No, that's for user contributions. The official
> distribution from me is under distrib, of course. 

Yes, I'm a camel ;)


> > >   switching to OpenSSL 0.9.2 as the minimum required toolkit version we
> It's proposed for March 15th, 1999.

Great. Currently I test with 0.9.1c (the compiler runs were all successful
under Linux), on Monday I'll compile under Irix using native cc.

(BTW: The 0.9.2 snapshot made a compiler error here, but I don't have
time to check it today)

Thanx,

Steffen






Re: mod_ssl 2.2.4 (another FAQ? ;) )

1999-03-05 Thread Steffen Dettmer

> >   switching to OpenSSL 0.9.2 as the minimum required toolkit version we
> 
> When will it be released? Is a pre-snapshot version for testing
> available? Maybe I should take a look, since I'll have some time...

Sorry, I've just found it...

It's a pity that guys like me don't read the "news" ;)

oki,

Steffen




mod_ssl 2.2.4 (another FAQ? ;) )

1999-03-05 Thread Steffen Dettmer

Hi,

I'm just preparing a test suite for upgrading our www servers to current
versions (from Apache/1.3.1 (Unix) mod_ssl/2.0.10 ;) )

> This week I was very busy with hacking on mod_ssl. The result is now
> available: mod_ssl 2.2.4. Beside a lot of small changes at all edges for

When will it be available at ".../mod_ssl/contrib/" (or wherever else)?

>   switching to OpenSSL 0.9.2 as the minimum required toolkit version we

When will it be released? Is a pre-snapshot version for testing
available? Maybe I should take a look, since I'll have some time...

Thank you,

Steffen

p.s.: in ftp://ftp.openssl.org/source/README
is a misspelled char: 
"... official OPenSSL" should read as 
"... official OpenSSL".

St.
