good luck for exams, was: ANNOUNCE: mod_ssl 2.4.5
> Now I have to go back to learning for my last (the fourth of four) diploma
> exams which is "celebrated" in mid October... ;)

** GOOD LUCK !! **

I'm sure you'll do as well in your exams as you did with mod_ssl!

Have a nice weekend!!

oki, Steffen
--
This message was produced by machine; it therefore bears neither signature nor seal.
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: How to user SSL CA Revocation
> CA Revocation Lists. I can revoke a certificate, which updates index.txt, using
>
> openssl ca -revoke cert.pem
>
> However, how do I generate CRL files ?

I use the following:

openssl ca -gencrl -config -out [-outform der]

oki, Steffen
Re: Re^2: Differences?
Hi!

> > As far as I understood [...]
> > and to write a nice documentation/manual (== doing the right software
> > engineering). [...]
>
> You are wrong. I have nothing against the "module idea".

oki, sorry!!

> [...] But for various reasons the final pieces of the puzzle never
> quite fell into place. Not least of these reasons is the prohibition
> against crypto hooks.

Yepp, the old problem...

> BTW, I completely disagree that documentation equates to "doing the
> right software engineering". It is a symptom of having a great deal more
> spare time than I have, though.

("doing the right software engineering" referred not to documentation only)

Of course this is a matter of opinions... I think the documentation saved time for many users. I needed a lot of time to build and run the first servers, since at that time there wasn't good documentation. With the manual, I think it's quite easier and faster to work with. I think good documentation is really important.

Thank you for putting things right!

oki, Steffen
Re: [PHP3] mod_ssl & php3
Tom > From: Tom Fishwick <[EMAIL PROTECTED]>

Hi!

Tom > Is it possible to run a modssl enabled apache, suexec? The
Tom > default seem to configure it to run _default_:443 for all
Tom > virtuals, which won't suexec...

I'm running an SSL/CGI server with SuExec enabled without problems. Did you use a User / Group directive in the virtual host section? This would cause SuExec to behave differently.

Tom > What I want to do is provide all users with a ssl directory in
Tom > the home directory, or have their normal htdocs directory be
Tom > mapped to something like

I use different UserDirs, and it works fine.

Tom > https://secure.myserver/userid and to their virtual, so
Tom > switching to a ssl

or: https://ssl/~userid ?
                   ^
If the users need URLs without "~", give mod_rewrite a chance...

Maybe you forgot some options at ./configure ? Do you get any error messages? Does the server tell "SuExec wrapper enabled" at startup?

oki, Steffen
Re^2: Differences?
> > can anyone drop me a line about the differences of Apache-SSL and Apache
> > with mod_ssl? Is the only difference that one is a patch and the other a
> > module or are there more differences (I guess so ;) ?
>
> Neither is a module. They are both patches.

As far as I understood, mod_ssl patches only an EAPI into Apache, to make some "new" hooks available; mod_ssl itself is a module and it should be possible to load it dynamically.

Second, mod_ssl developers (mostly Ralf ;) ) spent much attention on writing clean, stable, well-documented code and on writing a nice documentation/manual (== doing the right software engineering).

mod_ssl was adapted from Apache-SSL and was intended to be "the new" Apache-SSL as a module design (tell me when I'm wrong, Ralf!), but over time more differences came up (shared memory cache in mod_ssl and so on), since the Apache-SSL developers didn't like the "module idea" (tell me when I'm wrong, Ben!).

oki, Steffen
Re: Perl Script to proccess Netscape Client and Microsoft certificate Request
Hi,

> I sent this out with no response. Can some one comment?

Well... Seems like nobody has such a script, isn't it?

> Am looking for some Perl CGI script that can process Netscape and
> The script must completely automate the process,

I don't think that you'll find such a script, because if you automate the certification procedure, you have no security, and so you don't need a cert at all... (IMHO)

oki, Steffen
Re: Segfaulting...
> > Basically (you'll recognise this one) I fire up Apache 1.3.6 + Mod_SSL
> > (latest) and all I can get is at most one, possibly two requests out of it
> > before each child then segfaults.
>
> I am having this exact problem.

I had this under Linux. I downgraded to 2.2.8, and it works... If it helps, I may re-mail the section from the error log.

oki, Steffen
Re: Validating client certs
> when I connect to the server Netscape tells me that the certificate has expired
> because it is not yet valid.
>
> I'm sure I must be missing something here. Expiry dates are set for 365 days.

Maybe the system dates of the machines simply differ? It may be possible that the cert has a date in the future, and so it's invalid. I had this problem myself (I forgot the "rdate" cron...).

oki, Steffen
Re: Yow!! Horribly confused...
> $ ./configure \
ALL >   --prefix=/path/to/apache \
ALL >     ^^^
> Exactly what is the substitution for this last path? I set it up
> using WHERE THE APACHE SOURCES ARE. Is this supposed to REALLY be
> WHERE I WANT APACHE INSTALLED?
>
> Not too clear in the docs.

--prefix is a common option and specifies the path where you want to get the installation, i.e. /usr/local/Apache or so.

oki, Steffen
Re: accepting/ installing certificates
> how do people build SSL systems which do not require the client to
> accept certificates? E.g. if you want to order a book at www.amazon.de
> and you are using the SSL connection, users do not have to accept the
> certificates, although the certificate of the website is not in the
> browser implemented, yet and the site is used the first time.

The signer/issuer certificate of the server certificate is in the browser cert DB; this CA is "trusted", and so the issued certs are trusted. A client like Netscape knows about the CA certificates of Thawte, Verisign and others. If the server uses a certificate signed by one of these CAs, it doesn't ask the user.

So you have to go to Thawte or Verisign (i.e.) and buy a certificate.

oki, Steffen
RE: Removing passphrase at boot
> Now from /usr/local/apache/bin I go httpsdctl stop and then httpsdctl
> start. I'm still asked for password as before. Is this correct? Assume
> it would do the same in the script from /etc/rc2 (solaris). Or maybe I

You may try "restart" or "graceful" as parameter instead of "stop".

oki, Steffen
RE: Question on upgrading from Stronghold
> I have same problem, where can I get RTFM?
> thanks a lot,

The FM you'll find at the modssl website, but you'll have to read it for yourself ;) Just click on the Documentation link.

oki, Steffen

p.s.: BTW:

> You must use other modules for this. RTFM (not FM from mod_ssl but FM from
                                        ^
Read The F*** Manual!
RE: mod-ssl on winnt
> errno.h, no such file or directory, even I continued to install mod-ssl,
> still had same error, what should I install on my system else?
> I use redhat 5.2 on pentium 200,64M.

errno.h is part of libc... You may re-install the RPM. Try a:

rpm -q -f /usr/include/errno.h

to get the filename of the RPM, and then:

rpm -i --force

should help...

oki, Steffen
check serverlogs!, was: Re More POST stuff.
> I would guess you have disabled (or more probably: not
> enabled) POST for the SSL part. Remember: the SSL host
> is a complete separate VHost!
>
> > ---
> > Method Not Allowed
> >
> > The requested method POST is not allowed for the URL
> > /bnl/bnlorder_confirm.php3.

I got this error when invoking a "normal" CGI script, but it was not caused by a missing or so.

PLEASE check the server logs!!

I'm not sure how I solved it, but I think it was caused by an error of the suexec program. My virtual host is running under a different uid, so suexec is used to wrap CGI execution. Suexec failed (uid didn't match the uid of the directory or so) because the owner of the file was wrong. The suexec.log told that. I just changed the owner of the CGI script, and it worked!

oki, Steffen
Re: php3 and SSL
> > https://www.batesjackson.com/bnl.test/bnlorder_confirm.php3"
> > method="POST">
> >
> > It doesn't work with SSL. It gives me an "I/O error has occurred during
> > security authorization. Please try your connection again." How does one
> > call a php file from a page that's called with https? Thank You.

I've got this error from a broken CGI script ("premature end of script header"). I don't know why I didn't get an "internal server error" as usual. This worked for an older version of mod_ssl; the internal server error has an "errordocument" for this case, but now I just get this I/O error...

oki, Steffen
Re: preset passwords for generating key
> I'm using SSLeay to generate keys for a csr. Is there a way to automate the
> process so the user doesn't have to enter a passphrase, but instead have
> the passphrase 'preset' from another process, like a username/password form
> on a webpage.
>
> The command is...
> ./ssleay genrsa -des3 -out server.key 1024
>
> which stops to ask for the passphrase, but I was hoping to not have to stop
> and enter a passphrase

First, you could use an unencrypted RSA server.key:

./ssleay genrsa -out server.key 1024

but of course it's insecure.

Second, you could use the mod_ssl feature for PassphraseDialog (just take a look at the pretty nice mod_ssl manual).

But (except smartcards) I haven't found a secure and automatic solution.

In your case you could work with an unencrypted key, and encrypt it at last (when the CSR generation is finished). To encrypt a "plain" RSA key, you may use:

./ssleay rsa -des3 -in server.key.rsa -out server.key && rm server.key.rsa

or so.

oki, Steffen
V2.3.0: Netscape reload works sometimes only
Hi,

I'm using mod_ssl-2.3.0 (and of course apache 1.3.6 + openssl 0.9.3). It runs under (a very slightly modified) SuSE 6.0 Linux distribution (i386 arch).

From time to time I find this:

> >> [ssl-access.log]
> >> xx.xx.xx.x - - [20/May/1999:16:22:00 +0200] "@" 501 -
> >> xx.xx.xx.x - - [20/May/1999:16:24:41 +0200] "@" 501 -
> >> xx.xx.xx.x - - [20/May/1999:16:30:37 +0200] "@" 501 -
> >> [ssl-error.log]
> >> [Thu May 20 16:22:00 1999] [error] [client xx.xx.xx.x] Invalid method in
> >> request @ in the log too,
>
> >This means you talk HTTPS to a HTTP port, i.e. on that port SSL isn't
> >enabled. Check your server configuration. I guess your Listen and
> > sections do not match.

But I'm sure that I haven't talked HTTPS on an HTTP port, since there is a virtual host for http, and so http (without port specification :443 of course) cannot get an SSL connection (and it works).

The problem is the following (Netscape 4.5 / NT 4):

When I connect to an https URL, I get the index.html correctly, but without images. When I click "reload", it fails often (approx. 1 of 2 or 3 tries). I tried a page with 2 images; Netscape loads the HTML, and ONE image! When reload fails, I get a Netscape message like (immediately): the server didn't respond...

Under IE 5 the images problem is the same, but the "reload" seems to work, but I'm not sure if IE really reloads the data.

I tried to set "Keepalive off", but it didn't help.

When I switch to mod_ssl 2.2.8, ssl works fine !!! (with a very similar configuration).

I'm sorry, but it was late yesterday, so I cannot give more information so far.

BTW: Both server versions are running different keys/certs. When I "reload" with Netscape after changing the server version, I just get the usual "accept certificate" dialog - no "BIG FAT WARNING" or so!!!

Does anybody have an idea or a hint??

oki, Steffen
Re: Message when starting ssl
> just a trivial question: why is it that only the last virtual host is
> stated when starting ssl? I've got a few virtual hosts and I've noticed
> that only the last one (in the httpd.conf file) is displayed. Bit
> intrigued ...

Maybe you tried to use name-based virtual ssl hosts? With SSL you can use ip-based virtual hosts only, as described in the mod_ssl documentation.

oki, Steffen
Re: R: R: access control with environment var
> >I've not looked at the documentation but in a shell script to test an
> >integer you use -eq (equals) and to test a string you use = (Perl is the
> >exact opposite) so it might be this. Sorry if I'm completely wrong, just
> >thought I'd try to help in a quick e-mail before I leave work for the night.
> Thanks Derek,
> but = for the string is a syntax error.
> Andrea

Perl string compare is done with ($a eq "hallo"), numeric with ($a == 3). Try to use "perl -w" to enable warnings, i.e.:

#!/usr/local/perl -w
...

maybe it helps.

oki, Steffen
Re: forcing secure via name (off topic?)
> I am curious. IF the server certificate had a common name www.xxx.org and
> the virtual host is yyy.xxx.org, should the browser consider the server
> a fake?

If the browser talks to yyy.x:443 it expects an X509 cert with CN=yyy.xxx. In the case described by you the CN is invalid (from the browser's point of view).

oki, Steffen
Re^2: Revoke certificcate
> > How do I revoke one personal certificate created for my CA?
>
> By creating a CRL for your CA where the particular certificate is revoked.
> With the current CVS snapshots of OpenSSL you already can use "openssl ca
> -revoke " to change the index.txt database file.

To inform your browser of the revocation, you have to generate a new crl, and download it (to inform your web server, you'll need mod_ssl 2.3.0 or the current snapshot).

oki, Steffen
__
Apache Interface to OpenSSL (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
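Both CRL answers on this page (the "How to use SSL CA Revocation" reply with `openssl ca -gencrl`, and this one about `openssl ca -revoke` changing index.txt) rely on the text database that `openssl ca` keeps. The script below is an added example, not from the list posts: it reads a constructed index.txt (sample data, not a real CA) to show which serials `-revoke` has marked, lists revocations newer than the date of the last published CRL, and wraps `openssl ca -gencrl`. It assumes the tab-separated index.txt layout (status, expiry, revocation date, serial, filename, subject); for a DER copy it converts the PEM CRL with `openssl crl -outform der` rather than handing `-outform` to `openssl ca`. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the list posts): inspect the `openssl ca` text
# database (index.txt) that `openssl ca -revoke` updates, then publish a CRL
# with `openssl ca -gencrl`. Assumed index.txt layout (tab separated):
#   status  expiry  revocation-date  serial  filename  subject
# status is V (valid), R (revoked) or E (expired); the revocation date
# (YYMMDDHHMMSSZ) is empty unless the entry is revoked.

# sample_index OUTFILE -> writes a constructed index.txt (not real CA data).
sample_index() {
    printf 'V\t000101000000Z\t\t01\tunknown\t/C=DE/CN=alice\n' > "$1"
    printf 'R\t000101000000Z\t990409183213Z\t02\tunknown\t/C=DE/CN=bob\n' >> "$1"
    printf 'R\t000101000000Z\t990501120000Z\t03\tunknown\t/C=DE/CN=carol\n' >> "$1"
    printf 'E\t990101000000Z\t\t04\tunknown\t/C=DE/CN=dave\n' >> "$1"
}

# revoked_serials INDEX -> serial (hex, as stored) of every revoked entry.
revoked_serials() {
    awk -F '\t' '$1 == "R" { print $4 }' "$1"
}

# is_revoked INDEX SERIAL -> exit 0 if SERIAL is marked revoked, 1 otherwise.
is_revoked() {
    awk -F '\t' -v s="$2" '$1 == "R" && $4 == s { found = 1 }
                           END { exit found ? 0 : 1 }' "$1"
}

# revoked_after INDEX DATE -> serials revoked after DATE (YYMMDDHHMMSSZ).
# Any output means the CRL issued at DATE is stale and -gencrl is due.
# Two-digit years compare correctly as strings only within one century.
revoked_after() {
    awk -F '\t' -v d="$2" '$1 == "R" && $3 > d { print $4 }' "$1"
}

# gen_crl CONFIG OUT_PEM [OUT_DER] -> writes the CA's current CRL as PEM and,
# if a third argument is given, a DER copy converted with `openssl crl`.
# Needs openssl and the CA key named in CONFIG (it may ask for the pass phrase).
gen_crl() {
    openssl ca -gencrl -config "$1" -out "$2" || return 1
    if [ -n "${3:-}" ]; then
        openssl crl -in "$2" -outform der -out "$3"
    fi
}

# demo -> runs the checks against the constructed database and prints them.
demo() {
    dir=$(mktemp -d)
    sample_index "$dir/index.txt"
    echo "revoked serials:"; revoked_serials "$dir/index.txt"
    echo "revoked since the CRL of 990410000000Z:"
    revoked_after "$dir/index.txt" 990410000000Z
    rm -rf "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh crl-check.sh demo` to see the constructed database evaluated; in a real CA directory, `revoked_after index.txt <lastUpdate of the published CRL>` printing anything is the signal to run `gen_crl openssl.cnf ca.crl ca.crl.der` and redistribute the result (to the browser, or to the server's SSLCACertificatePath as the reply above describes).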
Re: Making a http/https server
> "it's usually most simple to run a single instance where you enable SSL
> only for those virtual hosts that need it. "
>
> But it does not talk about making all this for only the main server.

At the end of the config, just use two virtual host sections, one on port 80 without SSL, one on port 443 with SSLEngine On. Put the other options before those sections (i.e. Directory, Logfiles etc.), then both servers will use those (same) options, and you should get what you want: two "symmetric" virtual hosts.

> And by the way, no harm wanted, but this Certificate thing is quite a
> nightmare to configure... at least on my system.

Just read the mod_ssl documentation, there you'll find a very good explanation! There's a nice HowTo chapter!

oki, Steffen
Re: Problem with client authentication
> I'm running apache 1.3.3, mod_ssl 2.2., ssleay 0.9.0b

I suggest you upgrade to OpenSSL 0.9.2b, since you'll be able to set the X509v3 extensions directly.

> The browser (Netscape 4.5) shows me a NO USER CERTIFICATES message box. What
> could be happening ?

Did you set the CA cert in the CACertificatePath correctly? Maybe you need to download the CA cert into Netscape (I'm not sure, since I always downloaded it). You should use a cert with the "nsCertType = client, email" extension set.

If you like, I could give you a cert/URL for testing? (in that case just drop me a mail to: [EMAIL PROTECTED])

oki, Steffen
Re: Off topic: Which browsers support AuthType Digest?
> > While I'm at it asking questions not belonging here: I found an apache log
> > entry I am concerned about, the entry is
> > "GET http://www.somehost.com HTTP/1.1" 200 5647
> > (changed hostname). It looks as if a request for a foreign host url
> > succeeds?!?
>
> Check your configuration. Seems like you've enabled mod_proxy. Except when
> www.somehost.com is an alias for your local host. Then it's ok.

telnet www www

then a

GET http://xxx_illegal_domain_name/ HTTP 1.1

is successful here too! It seems that the server is ignoring an illegal server name and uses the default (or first or whatever ;) ) virtual host.

oki, Steffen
Re: NameVirtualHost and Multiple SSL Keys
> HostNames. What I am trying to do is allow each VirtualHost to have its own SSL
> key for its respective HostName.
> serve a different server.key and server.crt file it seems to serve the same key
> out of both VirtualHosts. It serves the key/crt from the first instance of the

This is a FAQ:

http://www.engelschall.com/sw/mod_ssl/docs/2.2/ssl_faq.html#ToC30

oki, Steffen
Re: beginer questions
> Our questions:
>
> probably these're easy questions for a guru, but I do not want to
> read all the documentation about ssleay, mod_ssl, encryption law,...

I'm very glad that there IS at least very good mod_ssl documentation:

http://www.engelschall.com/sw/mod_ssl/docs/2.2/

That should answer your questions.

> - if I've got two virtual webservers on the same server (with same
> IP) do I need two certificates ?

i.e. at http://www.engelschall.com/sw/mod_ssl/docs/2.2/ssl_faq.html#ToC30

oki, Steffen
Re: Mod SSL & Rewriting
> Any ideas on how to specify cert/key files for virtual hosts which do not
> exist?

Do you know that the cert is sent before any other information like an HTTP request? So you cannot select the server cert after the HTTP request came in, and so you cannot use different certs with the same IP address.

oki, Steffen
Re: inconvenience in `configure' for mod_ssl
> a good sysadmin, you have the private key file unreadable for
> "normal users", and again if you are a good sysadmin, you configure
> and build programs being logged in as "normal user". I think that

Of course.

> ./configure should allow to specify the key file name and if the
> file is not accessible assume that it is OK and proceed.

BTW: Why does ./configure need the name of the keyfile? To produce the default config? I upgraded as "user" (su -c 'make install' finally ;) ), but I didn't specify any key or so?

2nd: I don't like "assume that it is ok" - in such a case I prefer a warning like "couldn't check file contents"...

oki, Steffen
Re: [BugDB] ssl virtualhosts won't bind unless the main server hasssl enabled (PR#155)
> Apache+mod_ssl just won't do shit unless the main server has SSL enabled on it.
>
> if i just put the
> SSLEnable
> SSLEngine on
> (etc)
>
> in the main server config, it works fine.

Maybe you should mail your (main) config file, otherwise it may be difficult to trace the problem.

oki, Steffen
sorry, I was to fast with my mail.... :( , was: Yes! It works!, was:RfD: Certificate Revokation Lists (CRL)
> > looks GREAT! I just installed it, and it works! FINE, Thanks, Ralf!!
> > Next days I'll make some more tests, but it looks really good so far!
>
> Great, thanks a lot for testing. Then I should start the next feature round.
> A lot of stuff is still waiting in my queue... :(

Yes, but this was mailed a little bit too fast... ok:

This works well if the base64 CRL is in the cert bundle. For the tests I included it of course. Anything fine so far.

Then I tried to use a hash-symlinked CRL. It *looked* as if it were working, but I had removed the wrong CRL (I'm not good at reading Base64 ;) ) from the bundle file, and so I *thought* that the hash-linked file had been used.

The CRL is not checked (or checked in the wrong way or so) if not in the ca-bundle. I couldn't get it working. Any ideas?

A second point is the logging - I don't understand it correctly I think:

[Fri Apr 9 18:32:13 1999] [error] mod_ssl: Certificate with serial number 2 (0x2) revoked per CRL (Issuer: /C=DE)

(quite clear - first line VERY nice :) )

then follows (side effect?) that well-known error block:

[Fri Apr 9 18:32:13 1999] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Fri Apr 9 18:32:13 1999] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Fri Apr 9 18:32:13 1999] [error] OpenSSL: error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure
[Fri Apr 9 18:32:13 1999] [error] mod_ssl: SSL error on reading data (OpenSSL library error follows)
[Fri Apr 9 18:32:13 1999] [error] OpenSSL: error:1408F071:SSL routines:SSL3_GET_RECORD:bad mac decode

(looks like "signed by unknown CA")

Is Netscape stopping the handshake if there's no other user cert, or what caused that (especially SSL error on reading data)?

And again another point: Now I have files like:

x509: myTest8-cacert.pem.crt ... ef7c569b.0
crl:  myTest8-ca.crl ... ef7c569b.1

but the x509 CA certs seem to be read only if .0, and not if .1 !
When I swap (in Makefile) I'll get:

crl:  myTest8-ca.crl ... ef7c569b.0
x509: myTest8-cacert.pem.crt ... ef7c569b.1

And the CA is not known! What did I do wrong?

The core action in Makefile is:

hash="`$$ssl_program $$type -noout -hash <$$file`";
(with $type either "x509" or "crl")
ln -s $$file $$hash.$$n;
(in this "simulated for loop", a while [ 1 ] counting up $n)

Any ideas?

oki, Steffen
Yes! It works!, was: RfD: Certificate Revokation Lists (CRL)
> Some months ago people requested support for Certificate Revocation Lists
> (CRL) in mod_ssl and I've now found a little bit of extra time to port some
> old code from Douglas E. Engert and the GLOBUS project (which was posted to
> the SSLeay mailing lists one year ago) to mod_ssl+OpenSSL.
> Just apply it to mod_ssl 2.2.7's src/modules/ssl/ directory and add your CRLs
> to the SSLCACertificatePath dir and make sure a hash symlink exists (use the
> "openssl crl -noout -hash" command manually until I add support for this to
> the ssl.crt/Makefile).
> Feedback is welcome!

looks GREAT! I just installed it, and it works! FINE, Thanks, Ralf!!
Next days I'll make some more tests, but it looks really good so far!

BTW: If anybody else needs a "Makefile with CRL support", just copy & paste the text in the update rule from " for file in *.crt; do \" until "done", change *.crt into *.crl and "$$ssl_program x509 -noout" into "$$ssl_program crl -noout" and this should be enough for now...

BTW: Do use "SSLCACertificatePath" in config but do not use "SSLCACertificateFile" - it seems that the "File" overrides "Path".

oki, Steffen
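The hashing step in this post and in the earlier "sorry, I was too fast" message (the `$$ssl_program $$type -noout -hash` / `ln -s $$file $$hash.$$n` loop, and the `.0` versus `.1` confusion it produced) can be written as a small stand-alone script. The one below is an added example, not the project's ssl.crt/Makefile: it follows the naming OpenSSL's hashed-directory lookup uses, certificates as `<hash>.N` and CRLs as `<hash>.rN`, with N counted up from 0 separately for each hash and kind, so a CRL link never occupies the `.0` slot where the certificate lookup starts. The names `next_slot`, `hash_of`, `link_by_hash` and `rehash_dir` are the example's own; only `hash_of` needs openssl.

```shell
#!/bin/sh
# Added example (not the project's ssl.crt/Makefile): populate the hashed
# directory that SSLCACertificatePath points to with one symlink per CA
# certificate and per CRL. Naming assumed from OpenSSL's hashed-directory
# lookup: certificates as <hash>.N, CRLs as <hash>.rN, N counted up from 0
# for each hash and kind, so a CRL never takes the .0 slot that the
# certificate lookup starts at.

# next_slot DIR HASH KIND -> prints the first unused link name for HASH in DIR.
# KIND is "x509" (gives HASH.N) or "crl" (gives HASH.rN). Dangling symlinks
# count as used so a stale link is never silently overwritten.
next_slot() {
    if [ "$3" = crl ]; then infix=r; else infix=; fi
    n=0
    while [ -e "$1/$2.$infix$n" ] || [ -L "$1/$2.$infix$n" ]; do
        n=$((n + 1))
    done
    printf '%s.%s%s\n' "$2" "$infix" "$n"
}

# hash_of FILE KIND -> the 8-hex-digit subject (x509) or issuer (crl) hash
# that openssl uses for directory lookup. Needs openssl.
hash_of() {
    openssl "$2" -noout -hash -in "$1"
}

# link_by_hash DIR FILE KIND -> creates DIR/<hash>.<slot> -> FILE and prints
# the link name. FILE is a name inside DIR, so the link stays relative.
link_by_hash() {
    h=$(hash_of "$1/$2" "$3") || return 1
    name=$(next_slot "$1" "$h" "$3")
    ln -s "$2" "$1/$name" && printf '%s\n' "$name"
}

# rehash_dir DIR -> removes the old hash links (symlinks only), then links
# every *.crt as a certificate and every *.crl as a CRL. Run it again after
# adding a CA cert or a freshly generated CRL.
rehash_dir() {
    for old in "$1"/????????.[0-9]* "$1"/????????.r[0-9]*; do
        if [ -L "$old" ]; then rm -f "$old"; fi
    done
    for f in "$1"/*.crt; do
        [ -e "$f" ] || continue
        link_by_hash "$1" "$(basename "$f")" x509 || return 1
    done
    for f in "$1"/*.crl; do
        [ -e "$f" ] || continue
        link_by_hash "$1" "$(basename "$f")" crl || return 1
    done
}

if [ "${1:-}" = rehash ] && [ -n "${2:-}" ]; then rehash_dir "$2"; fi
```

Usage: `sh rehash.sh rehash /path/to/ssl.crt` after dropping `myca.crt` and `myca.crl` into that directory; with the page's example hash the script produces `ef7c569b.0` for the certificate and `ef7c569b.r0` for the CRL instead of the `.0`/`.1` pair from the Makefile loop.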
Re: [BugDB] SSLRequireSSL and AuthType Basic (PR#154)
Hi,

if "satisfy any" really means: satisfy "from" or "user" or "ssl", then I think the function of satisfy should be changed so that it does not override SSLRequireSSL (if possible) in the next mod_ssl version... (Since the manual tells: "When this directive is present all requests are denied which are not using SSL")

oki, Steffen

> It seems that first the Basic auth is checked and then
> SSLRequireSSL... Thus first Apache determines that BA
> is needed and asks for it immediately.
>
> > SSLRequireSSL
> > Allow from x.x.x
> > Require valid-user
> > Satisfy any
IE 4 works, and NS not, was: BUG Netscap 3.x 4.x 5.x & POST
> ... I reloaded an SSL page, and it worked (yay!). I then tried
> to POST to a CGI script and it failed.
>
> work with their browser, please let me know which browser you are using.

https://www.duluoz.net/post.html

My Netscape browsers (4.08 Linux/4.05 Win95) fail with an I/O error using this URL. But the Internet Explorer 4 (ver. 4.72.2106.8) works!

Maybe this helps?

oki, Steffen
Re: RfD: Certificate Revokation Lists (CRL)
> Some months ago people requested support for Certificate Revocation Lists
> (CRL) in mod_ssl and I've now found a little bit of extra time to port some
> old code from Douglas E. Engert and the GLOBUS project (which was posted to
> the SSLeay mailing lists one year ago) to mod_ssl+OpenSSL. The appended patch
> adds CRL support to the certificate verification process of mod_ssl and should
> do what people requested.
>
> Feedback is welcome!

Very well - this feature is necessary I think. Very nice that you implemented this :) Think I'll try it out...

oki, Steffen
access error reproduced, was: Client Test Suite: Summary
> clients. So, people who discovered the problem, please connect again, but
> avoid too much browsing on en4.engelschall.com (or we don't find the entries
> in 100MB debug logs). And give me the exact time and IP-address you used so I
> can find your entries.

ok:

(masquerading router:) local IP address 195.252.150.168
(date:) Sat Mar 27 20:35:15 MET 1999
MSIE 4.72.2106.8 (german version)
---> https://en4.engelschall.com/manual/mod/mod_ssl successfully loaded

(+30 sec:) Sat Mar 27 20:35:48 MET 1999
---> reload: FAILED: "The Site http/mod_ssl could not be opened. The Server supplied an invalid or unknown answer"

Hope it helps!

oki, Steffen
Re: New Info (PR#136) repeatable on https://en4.engelschall.com
> With an IE4.0 or greater browser connect to
> https://en4.engelschall.com/manual/mod/mod_ssl
> Wait at least 16secs. (keep-alive is set to 15secs)
> Click Refresh.

I got an error too under these circumstances: (tried to translate from German)

"The Site http/mod_ssl could not be opened. The Server supplied an invalid or unknown answer"

Then I click "OK" and reload again, and this time it works...

Maybe an IE4 problem?

oki, Steffen
RE: Ok, Client Test Suite established
> > https://en4.engelschall.com/

Netscape 4.5 [en]-98286 Linux 2.0.36

Everything looks fine...

oki, Steffen
Re: Now I can be my own CA but there's more...
> certificate expires, IE 3 disallows access altogether. Anyway I can hack
> the Registry or something like that so IE3/4/5 users can go to my site?
> Like, adding my phony CA to IE's list of CAs?
>
> By the way, is there such hack to Netscape too?

Take a .htaccess and include the following line:

AddType application/x-x509-ca-cert .cacert

Then convert your ca-cert into "der" format (via "ssleay -in -out -outform der") (or was it "-infile"? - no ssleay here ;) )

Then upload this file to the dir with .htaccess and it should work at least with Netscape 3/4 (and I think IE 4 too)

oki, Steffen
__
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: [BugDB] PRIVATE: SSLeay (PR#131) (fwd)
> On another note, I would suggest that you implement a feature that will preserve
> existing configuration files if apache+modssl is installed over an existing
> apache installation.
> ... When I
> installed the port, it overwrote my existing httpd.conf (luckily I had enough
> sense to keep a backup readily available) ...

I think my httpd.conf survived the "make install" with a comment like "preserving existing data" ...

oki, Steffen
Re^2: [BugDB] configtest rejects SSLRequireSSL (PR#126)
> > When using configtest, I get this error:
>
> "configtest"? What's this?

Apache/bin/apachectl configtest --> does: "httpd -t"

tests the configuration files for syntax errors.

oki, Steffen
Re: [BugDB] Runaway Children & Memory Usage (PR#120)
Hi,

Version: mod_ssl-2.2.4-1.3.4
OS: IRIX 5.3

Here it looks good - no hanging processes, no high CPU consumption or so...
Some seconds after a connect the load goes back to 0.01 or so...

oki,
Steffen

> 2) Child processes randomly hang and consume a large amount of CPU.
> The problem is that after a client connects via SSL, the httpd
> process consumes all available cpu, and the system load goes
> to 1.00. This occurs even when the client is idle.
> This tells me it is not only on a 2.2.2 kernel or glibc-2.1.
again: serverkeys, was: Session Cache security
(an opinion)

> Just a thought. To secure the key, it may be necessary to put the key on a
> different machine. When the web server needs it, get it from there. After
> using it, erase it from memory. This solves the core dump problem.

No, I don't think so... The other machine has to decide if it should send the
key or not. The program has to do some checks or so, but the hacker could use
a wrapper around httpd or simulate the request for the key - it's easy to fake
I think.

I think there wouldn't be *any* good solution at all, since a hacker could fake
all data/information that could be used as authorization... The hacker could
do anything the server itself could do... Even the pass phrase input from
console could be passed through a kind of wrapper or so...

I think: You can protect your key with anything, but if a hacker gained root
access, he can get the key!

oki,
Steffen
Re: RFC: encrypted serverkeys WHY??
> > > > I thought that is "overrideable" using "ulimit -c 1000" ?
> > >
> > Most "current" kernels do not allow a process to dump core after it
> > has done a setuid() (unless it does an exec()) for security reasons;
> > there can be privileged information left over in memory.

Yes, you're right of course. I've just read:

(IRIX 5.3) man 4 core:
... A process with an effective user ID different from the real user ID will
not produce a core image...

oki,
Steffen
Re: RFC: encrypted serverkeys WHY??
> > ... somewhere in a core dump from httpd ...
>
> That's why most Unix platforms do not create core files for daemon processes
> running under or started as UID=0 (root).

I thought that is "overrideable" using "ulimit -c 1000" ?

> > A different way would be to use a patched httpd/OpenSSL, which dumps all
> > passphrases in a file or so.
>
> Not really, because neither mod_ssl nor OpenSSL stores the pass phrase.
> Only the key itself is stored in memory.

Yeah, I meant a PATCHED version! Some lines of extra code, and it _does_
store it ;)

> just needs root access and can immediately read your key from disk. When
> you've it encrypted he also has to steal it from the running process.

Sure, or the hacker uses a mini wrapper around httpd that copies the
passphrase to a file (something like the function of "tee"). Next server
start he would have the phrase...

> One thing is actually true: You always have to protect the webserver machine
> itself as best as it can be. Just using a pass phrase on the keys is not
> enough, of course.

YES at all!!! We have very strict TCP-Wrappers and so on... (it's easy to
deny access to such "dedicated" servers for anything except web)

> BTW, a few months ago we had a long thread about this topic.
> Look inside the sw-mod-ssl mailing list archives for details.

Sorry, I couldn't find it... I crawled through lots of mails, but such a
discussion I haven't found...

What about the feature "SSLPassPhraseDialog exec:/path/to/program" ?

The manual tells:
"The intent is that this external program first runs security checks to make
sure that the system is not compromised by an attacker, and only when these
checks were passed successfully it provides the Pass Phrase"

What kind of security checks are possible? I think it's at least very
difficult to make a difference between server and good hacker: the same IP,
UID, calling situation and so on may be faked easily (or: easy?).

Does somebody have a good idea?

oki,
Steffen
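One shape such an "exec:" program could take, as an added example that is not from the thread or from the mod_ssl distribution: it hands out the pass phrase only while a root-owned SHA-256 manifest of the httpd binary and configuration still verifies and the sensitive files carry no group/other permission bits, and it logs every decision. That raises the bar against a swapped binary or an edited httpd.conf; as the thread already concludes, it does nothing against an attacker who is root on the same host, and the wrapper-around-httpd trick still applies. The manifest, phrase file and log paths are hypothetical, GNU/Linux stat(1) and sha256sum(1) are assumed, and the program is assumed to receive "servername:port" as its first argument when mod_ssl invokes it.

```shell
#!/bin/sh
# Added example: pass-phrase provider for "SSLPassPhraseDialog exec:/path/to/prog".
# Paths below are assumptions; override them through the environment.
MANIFEST="${SSL_PASS_MANIFEST:-/etc/httpd/keys/manifest.sha256}"
PHRASE_FILE="${SSL_PASS_FILE:-/etc/httpd/keys/passphrase}"
LOG="${SSL_PASS_LOG:-/var/log/httpd/passphrase.log}"

log() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG" 2>/dev/null
}

# A file we rely on must exist, be a regular file, and have no group/other bits
# (mode 400 or 600). Returns 0 when OK, 1 otherwise. Uses GNU stat -c.
check_private_file() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Verify every path listed in the manifest (sha256sum output format,
# "<hex>  <absolute path>"). Returns 0 only when all hashes match; any
# mismatch, missing file or unreadable manifest yields 1.
check_manifest() {
    m="$1"
    [ -r "$m" ] || return 1
    sha256sum -c "$m" >/dev/null 2>&1
}

# Decide whether to release the phrase for the server named in $1.
# Prints the phrase on stdout (what mod_ssl reads) only when every check passes.
provide_passphrase() {
    server="${1:-unknown}"
    if ! check_private_file "$MANIFEST"; then
        log "DENY $server: manifest missing or group/world readable"; return 1
    fi
    if ! check_private_file "$PHRASE_FILE"; then
        log "DENY $server: phrase file missing or group/world readable"; return 1
    fi
    if ! check_manifest "$MANIFEST"; then
        log "DENY $server: integrity manifest mismatch"; return 1
    fi
    log "ALLOW $server"
    cat "$PHRASE_FILE"
}

# Entry point: mod_ssl runs this file with at least the servername:port argument.
# Without arguments the file only defines the functions (handy for testing).
if [ "$#" -gt 0 ]; then
    provide_passphrase "$@"
fi
```

Generate the manifest once, from a known-good state, with something like `sha256sum /usr/local/apache/bin/httpd /usr/local/apache/conf/httpd.conf > /etc/httpd/keys/manifest.sha256` (paths assumed) and keep it and the phrase file mode 0400, owned by root; the log gives the operator a record of every time the phrase left the box, which is the part an attacker who merely copies the key file never triggers.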
RFC: encrypted serverkeys WHY??
Hi,

It's recommended to use DES3-encrypted RSA server keys with mod_ssl. To steal
this key, a hacker needs root permissions. But if a hacker has root
permission, it's easy to steal the DES3 passphrase too.

I think at least somewhere in (RAM) memory the key is decrypted, since the
server needs the key. I think that the key is somewhere in a core dump from
httpd - and so the hacker could analyze it and could steal the key.

A different way would be to use a patched httpd/OpenSSL, which dumps all
passphrases in a file or so.

All-in-all I think it's not more secure to use a DES3 key, since the hacker
who is able to get the keyfile is able to get the passphrase too, ain't???

So I cannot see the need for a passphrase at all...

What does the list mean to this question?

Thanks,
Steffen
Re: Trying the https://....
> > connect to server". Do i need to put the following in the httpd.conf
> > file:
> >
> > Port 443
> > ...
> Sure, you need such an entry. Plus a corresponding ``Listen 443'', of course.

mmm - but why is that Port... needed? Are you sure that's needed?

> > Im trying to run a non-ssl apache server (main server) and a ssl apache
> > server. Do i need to open the port 443 in the firewall if im installing the
> > ssl apache server on the internal network?
>
> Yes, when your firewall also filters ports, you've to allow connections to
> port 443 (HTTPS) in addition to 80 (HTTP), too.
>
> Using http://www.abc.com:443 just leads to an error
> page saying that you're connecting via HTTP to an HTTPS port.

Yeah - really cool! (coded to avoid the TOP #1 FAQ ?! ;) )

> > Also why is the apache ssl server installed in the /usr/local/apache
> > directory when i did "./configure --prefix=/apache/apache_1.3.4"?
>
> I'm sure --prefix works.

YES! It works. I do a "make -n install" before installing, to take a look at
what will happen - to go for sure :). Even the _comments_ in the configuration
file are "prefix-ed"!

oki,
Steffen
Re^2: multiple config files - how to include from httpd.conf ?
> > since we have a large httpd.conf file I want to split it into several
> > files: one for "globals", one for each virtual host etc.
> > Is it possible?
>
> Sure, use Apache's Include directive

Exactly what I need... Thanx!

Steffen
multiple config files - how to include from httpd.conf ?
Hi,

since we have a large httpd.conf file I want to split it into several
files: one for "globals", one for each virtual host etc.
Is it possible?

Thanks,
Steffen
(OT!) - locality empty after signing? (fwd)
Sorry for being off topic, but I don't read the right list... ;)

From: Lars Eggert <[EMAIL PROTECTED]>
To: Steffen Dettmer <[EMAIL PROTECTED]>

Hi,

some weeks (?) ago there was a posting in the OpenSSL mailing list which
described a problem that the "locality" in the DN got lost after signing.
I mailed to Lars Eggert and asked for help:

--
At 3:50 PM +0100 3/8/99, Steffen Dettmer wrote:
> ...
> did you resolve this problem? I have the same: I made a CSR with a "L=",
> signed it with a ca with the same "L=" - and the resulting certificate has
> a L= in "issuer" but _not_ in "belongs to".

never resolved this, and never got any other responses. Did you verify that
the problem is due to the localities in the ca and user cert being the same
(i.e. does the problem go away if they are different?)
---

(BTW: no, I haven't checked this with different L's)

Has anybody an idea? Is the problem known?

HELP please!

oki,
Steffen
Re: during config/install...
> I also wish to be my own CA.. What changes would I need to make (and
> when) during the process would I do that?

You don't need to change the www-server to be your own CA. You need a (secure)
host with OpenSSL for CSR signing; this should not be your webserver. You copy
(i.e. via scp or disk) the .csr file(s) to the ca host, sign it (or better:
certificate), and then copy back the .crt certificate. The (selfsigned) csr
and the crt are not so security relevant as the secret keys, so you may send
them by mail I think...

oki,
Steffen
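The signing round trip described in this reply, and the lost-locality question from the "(OT!)" message above, in one added example that is not from either post or from mod_ssl: a throwaway CA and a server CSR are created with openssl(1), both carrying L=Berlin, and the CSR is signed twice under two policy sections. `openssl ca` silently deletes every DN component that the selected policy section does not name (unless -preserveDN is given), and the stock policy_match section lists no localityName, so L= survives in the issuer, which is copied from the CA certificate, but disappears from the subject; adding `localityName = optional` to the policy keeps it. All names and paths are hypothetical and everything is written to a temporary directory.

```shell
# Added example: CA signing on a separate host, reproducing and fixing the
# "locality lost after signing" effect. Hypothetical names throughout.

# Write a CA config with two policies: one shaped like the stock policy_match
# (no localityName line) and a corrected one that names the field.
write_ca_config() {
    dir="$1"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = $dir
database       = $dir/index.txt
new_certs_dir  = $dir/newcerts
serial         = $dir/serial
certificate    = $dir/ca.crt
private_key    = $dir/ca.key
default_days   = 365
default_md     = sha256
unique_subject = no
policy         = policy_no_locality

# Like the stock policy_match: localityName is absent, so "openssl ca" drops it.
[ policy_no_locality ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

# Corrected policy: naming the field keeps it in the issued certificate.
[ policy_with_locality ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]
EOF
}

# The CA side (would live on the secured CA host) plus a server CSR as it
# would be copied over from the web server. Both DNs carry L=Berlin.
make_ca_and_csr() {
    dir="$1"
    mkdir -p "$dir/newcerts" && : > "$dir/index.txt" && echo 1000 > "$dir/serial"
    openssl genrsa -out "$dir/ca.key" 2048 >/dev/null 2>&1 || return 1
    openssl req -new -x509 -key "$dir/ca.key" -config "$dir/ca.cnf" -days 2 \
        -subj "/C=DE/ST=Berlin/L=Berlin/O=Example/CN=Example Test CA" \
        -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$dir/server.key" 2048 >/dev/null 2>&1 || return 1
    openssl req -new -key "$dir/server.key" -config "$dir/ca.cnf" \
        -subj "/C=DE/ST=Berlin/L=Berlin/O=Example/CN=www.example.test" \
        -out "$dir/server.csr" >/dev/null 2>&1
}

# Sign the CSR under the named policy section and print the issued subject.
sign_with_policy() {
    dir="$1"; policy="$2"; out="$dir/server-$policy.crt"
    openssl ca -config "$dir/ca.cnf" -policy "$policy" -batch -notext \
        -in "$dir/server.csr" -out "$out" >/dev/null 2>&1 || return 1
    openssl x509 -in "$out" -noout -subject
}

# True when a printed subject line contains an L= component
# (matches both "/L=Berlin" and "L = Berlin" output styles).
has_locality() {
    printf '%s\n' "$1" | grep -Eq '(^|[/, ])L ?= ?'
}

# Whole demonstration: returns 0 when the stock-style policy drops L= and the
# corrected policy keeps it.
locality_demo() {
    dir=$(mktemp -d)
    write_ca_config "$dir"
    make_ca_and_csr "$dir" || return 1
    s1=$(sign_with_policy "$dir" policy_no_locality) || return 1
    s2=$(sign_with_policy "$dir" policy_with_locality) || return 1
    echo "without localityName in policy: $s1"
    echo "with    localityName in policy: $s2"
    ! has_locality "$s1" && has_locality "$s2"
}
```

Only the .csr travels to the CA host and only the .crt comes back; the server key never leaves the web server and the CA key never leaves the CA host, which is the property the reply is after. Running `locality_demo` prints the two subjects side by side, so the policy section, not the matching localities, is what to check first when a DN field goes missing.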
Re: Client basic authorisation
> > I can't understand what I should put into my /etc/httpd/passwd and
> > /etc/httpd/group, and how I can get the `one line' version of the
> > client's X.509 certificate.
>
> Why do you dislike the mod_ssl User Manual ? ;-)

Yeah, you should take a look - the manual is just great!

This topic is described in Chapter 5 "Howto" - "Client Authentication and
Access Control" - "How can I authenticate clients based on certificates when
I know all my clients?"

oki,
Steffen
Re: mod_ssl 2.2.4 (another FAQ? ;) )
> Contrib? No, that's for user contributions. The official
> distribution from me is under distrib, of course.

Yes, I'm a camel ;)

> > > switching to OpenSSL 0.9.2 as the minimum required toolkit version we
>
> It's proposed for March 15th, 1999.

Great. Currently I test with 0.9.1c (the compiler runs were all successful
under Linux), on monday I'll compile under Irix using native cc.
(BTW: The 0.9.2 snapshot made a compiler error here, but I don't have time to
check it today)

Thanx,
Steffen
Re: mod_ssl 2.2.4 (another FAQ? ;) )
> > switching to OpenSSL 0.9.2 as the minimum required toolkit version we
>
> When will it be released? Is a pre-snapshot version for testing
> available? Maybe I should take a look, since I'll have some time...

Sorry, I've just found it... It's a pity that such guys like me don't read
the "news" ;)

oki,
Steffen
mod_ssl 2.2.4 (another FAQ? ;) )
Hi,

I'm just preparing a test suite for upgrading our www servers to actual
versions (from Apache/1.3.1 (Unix) mod_ssl/2.0.10 ;) )

> This week I was very busy with hacking on mod_ssl. The result is now
> available: mod_ssl 2.2.4. Beside a lot of small changes at all edges for

When will it be available at ".../mod_ssl/contrib/" (or where else)?

> switching to OpenSSL 0.9.2 as the minimum required toolkit version we

When will it be released? Is a pre-snapshot version for testing available?
Maybe I should take a look, since I'll have some time...

Thank you,
Steffen

p.s.: in ftp://ftp.openssl.org/source/README is a misspelled char:
"... official OPenSSL" should read as "... official OpenSSL".

St.