Sylvain Maret/GVA/CH/E-Xpertsolutions is out of the office.
I will be out of the office starting 05.07.2002 and will not return until 15.07.2002. I will respond to your message when I return.

---
DISCLAIMER

This email and any files transmitted with it, including replies and forwarded copies (which may contain alterations) subsequently transmitted from the Company, are confidential and solely for the use of the intended recipient. It may contain material protected by attorney-client privilege. The contents do not represent the opinion of e-Xpert Solutions SA except to the extent that it relates to their official business. If you are not the intended recipient or the person responsible for delivering to the intended recipient, be advised that you have received this email in error and that any use is strictly prohibited. If you are not the intended recipient, please advise the sender by return e-mail, then delete this message and any attachments.

e-Xpert Solutions SA: [EMAIL PROTECTED]

__
Apache Interface to OpenSSL (mod_ssl)  www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager  [EMAIL PROTECTED]
Sylvain Maret/GVA/CH/E-Xpertsolutions is out of the office.
I will be out of the office starting 19.10.2001 and will not return until 29.10.2001. I will respond to your message when I return.
Re: CRL questions
Yes, use restart!

---
usage: ./apachectl (start|stop|restart|fullstatus|status|graceful|configtest|help)

start      - start httpd
startssl   - start httpd with SSL enabled
stop       - stop httpd
restart    - restart httpd if running by sending a SIGHUP or start if
             not running
fullstatus - dump a full status screen; requires lynx and mod_status enabled
status     - dump a short status screen; requires lynx and mod_status enabled
graceful   - do a graceful restart by sending a SIGUSR1 or start if
             not running
configtest - do a configuration syntax test
help       - this screen

Sylvain Maret
Senior Security Engineer
e-Xpert Solutions SA
Route de Pré-Marais 29
1233 Bernex / Geneva
Switzerland
Tel: +41 22 727 05 55
Fax: +41 22 727 05 50
Mail: [EMAIL PROTECTED]
Re: CRL questions
Hello Ron,

As far as I know, there is no way to "learn" the new CRL file without making an Apache stop and start. But you should be able to make a RELOAD only. I used it in my Apache on Unix and it works quite well.

Maybe in the future Apache-ModSSL will support OCSP and it will solve this "problem".

Sylvain

Sylvain Maret
Senior Security Engineer - Strategic Director
e-Xpert Solutions SA

Ron Ridley <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
09.08.2001 03:16
Please respond to modssl-users
To: [EMAIL PROTECTED]
cc:
Subject: CRL questions

Background: I have a win32 installation of apache 1.3.12 w/ mod_ssl 2.6.1 running on a NT4 server. I am using W2K CA to handle client certs. This setup is special b/c apache runs as a part of the firewall service (Raptor 6.5) to enable secure access to a web based auth page.

Problem: Users can connect to the site fine with their certs, however, problems exist setting up a CRL. I want to update the CRL every couple of days, yet it requires a restart of apache to re-read the CRL. My problem lies in that this also requires a restart of the firewall.

Question: Can someone verify my findings into the fact that apache must be restarted to load the updated CRL? If this is the case then are there plans to allow updating/reloading of the CRL without reloading apache (e.g. CRL expiration period)?

Thanks in advance.

Ron
Re: Client certificate
Hello Juan,

An idea could be to build your own internal Certificate Authority. With that you will be able to deliver client or personal certificates to your people. After this you should configure the Apache server to trust the internal CA certificate (ROOT CA or Signer). That's it!

You can maybe have a look at some products like OpenCA or OSCAR. Another way is to buy a commercial CA like Keon from RSA, Baltimore or Entrust!

http://www.dstc.qut.edu.au/MSU/projects/pki/

Sylvain Maret

Sylvain Maret
Senior Security Engineer
e-Xpert Solutions SA

"Juan Carlos Albores Aguilar" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
25.07.2001 23:26
Please respond to modssl-users
To: "modssl-users" <[EMAIL PROTECTED]>
cc:
Subject: Client certificate

Hi again, looking in the modssl manual, chapter 6 FAQ, I found the way to create a server certificate and a CA, but I don't know how to create a client certificate in case my server asks for a certificate in order to authenticate its clients. How can I create a client certificate? Please help me, thanks.

Juan Carlos Albores Aguilar
RE: Reverse Proxy SSL
Roy,

You are right, in your case it's not a good idea to authenticate at the reverse proxy level. We should find a secure solution to access your internal application and keep your internal authentication with X509 certs.

To the best of my knowledge, I don't know a transparent "reverse proxy" solution? Maybe it doesn't exist?

The solution I see for this case would be to use VPN technology. Maybe you can use a tunneling solution with SSL or SSH (SSH v3 now supports PKI). Or you can use standard IPSEC software.

But if we use VPN technology, the main disadvantage is that we need to install a software client. From my point of view I prefer the "reverse proxy" solution because we don't need to install a client and it is easier to use and more "Glamour"...

If somebody has another solution, it would be nice.

Sylvain

Sylvain Maret
Senior Security Engineer
e-Xpert Solutions SA

"Roy Preece" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
14.07.2001 00:41
Please respond to modssl-users
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: Reverse Proxy SSL

hm, Thanks Sylvain, but the perl scripts on my internal web server check cert details like issuer, common_name and expiry date before continuing. This is just additional security for permission to continue, ie: If common name is in a db and issuer is myCA then continue - else - Nasty Msg.

I would have to run these perl scripts on the external server for this to work. I am not comfortable with that idea. Therefore, I still need the following:

https client ---> Tunnel reverse proxy server ---> https internal server with client Auth (X.509).

Besides, the users like it when the page presents prefilled web forms with details from their certificate mapped to a user db :-)

You see, I have been running this system internally for quite some time, but now I need to open it up to some external users. The simplest secure way would be to reverse proxy SSL transparently. Is there really no-one else who needs to do this?

Feeling like the odd one out again,
Roy Preece

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 13, 2001 10:14 PM
To: [EMAIL PROTECTED]
Subject: RE: Reverse Proxy SSL

What you can do is:

https -> reverse proxy SSL with client authentication (X509) -> https to your internal web server (192.168.x.y), as an example

In this case you authenticate on the reverse proxy with your personal cert and the reverse proxy gets the internal content with https (SSL).

    ProxyPass / https://172.20.1.10:444/

    # Client Authentication (Type):
    # Client certificate verification type and depth. Types are
    # none, optional, require and optional_no_ca. Depth is a
    # number which specifies how deeply to verify the certificate
    # issuer chain before deciding the certificate is not valid.
    SSLVerifyClient require
    SSLVerifyDepth 10

It works on my side.

Sylvain

"Roy Preece" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
13.07.2001 14:02
Please respond to modssl-users
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: Reverse Proxy SSL

Unfortunately, it seems that the answer is #1. Nobody seems to have successfully reverse proxied to a https server on a private (192.168) network:

https --> Straight thru proxy --> https cert authentication + (perl $ENV{'SSL_CLIENT_S_DN_CN'} stuff.)

I will look at implementing the following less secure method:

https --> Authenticating Proxy + (perl $ENV{'SSL_CLIENT_S_DN_CN'} stuff.) --> Plain old http + NFS.

OR VPN

Cheers,
Roy Preece

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roy Preece
Sent: Wednesday, July 11, 2001 9:22 PM
To: [EMAIL PROTECTED]
Subject: Reverse Proxy SSL

OK, from the lack of response to my previous email (SSLClient Browser <--> Apache Proxypassreverse <--> https://192.168.xxx.xxx) I can deduce one of two cases is true.

1. Nobody has successfully achieved a reverse proxy of SSL in the way I am describing, (Hard to believe) or...
2. You are really sick of this que
RE: Reverse Proxy SSL
What you can do is:

https -> reverse proxy SSL with client authentication (X509) -> https to your internal web server (192.168.x.y), as an example

In this case you authenticate on the reverse proxy with your personal cert and the reverse proxy gets the internal content with https (SSL).

    ProxyPass / https://172.20.1.10:444/

    # Client Authentication (Type):
    # Client certificate verification type and depth. Types are
    # none, optional, require and optional_no_ca. Depth is a
    # number which specifies how deeply to verify the certificate
    # issuer chain before deciding the certificate is not valid.
    SSLVerifyClient require
    SSLVerifyDepth 10

It works on my side.

Sylvain

Sylvain Maret
Senior Security Engineer
e-Xpert Solutions SA

"Roy Preece" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
13.07.2001 14:02
Please respond to modssl-users
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: Reverse Proxy SSL

Unfortunately, it seems that the answer is #1. Nobody seems to have successfully reverse proxied to a https server on a private (192.168) network:

https --> Straight thru proxy --> https cert authentication + (perl $ENV{'SSL_CLIENT_S_DN_CN'} stuff.)

I will look at implementing the following less secure method:

https --> Authenticating Proxy + (perl $ENV{'SSL_CLIENT_S_DN_CN'} stuff.) --> Plain old http + NFS.

OR VPN

Cheers,
Roy Preece

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roy Preece
Sent: Wednesday, July 11, 2001 9:22 PM
To: [EMAIL PROTECTED]
Subject: Reverse Proxy SSL

OK, from the lack of response to my previous email (SSLClient Browser <--> Apache Proxypassreverse <--> https://192.168.xxx.xxx) I can deduce one of two cases is true.

1. Nobody has successfully achieved a reverse proxy of SSL in the way I am describing, (Hard to believe) or...
2. You are really sick of this question. (Sorry)

If you chose 2, I have read through all of the mail archives on this list and others with regard to reverse proxying https. The most popular config seems to be to run SSL between the browser and the proxy server and then plain old http between the proxy server and the backend private servers.

However, I want the client browser to use a cert to authenticate directly on the back end server on a private network, therefore I just want the reverse proxy to pass the encrypted traffic back and forth.

Is this possible.. How? Tips and pointers greatly appreciated.

TIA,
Roy Preece
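The arrangement described in the message above (client certificate checked at the reverse proxy, content fetched from the internal server over https), written out as an added example that is not configuration from the thread. It assumes Apache httpd 2.4 with mod_ssl, mod_proxy_http and mod_headers rather than the 1.3 servers discussed; host names, file paths, the proxy certificate's CN and the X-SSL-Client-* header names are placeholders. The revocation lines tie in with the CRL thread earlier on this page.

```apache
# Added example, Apache httpd 2.4 syntax. All names and paths are placeholders.

# --- Reverse proxy (DMZ) -------------------------------------------------
<VirtualHost *:443>
    ServerName proxy.example.org

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/proxy-server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/proxy-server.key

    # Client authentication at the proxy, as in the post.
    SSLCACertificateFile  /etc/httpd/ssl/internal-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  10

    # Revocation. The CRL file is loaded when httpd starts, so a refreshed
    # file takes effect only after a restart or graceful restart.
    # "chain" checks every certificate in the client's chain,
    # "leaf" checks only the client certificate itself.
    SSLCARevocationFile   /etc/httpd/ssl/internal-ca.crl
    SSLCARevocationCheck  chain

    # TLS towards the internal server: verify its certificate and present
    # the proxy's own client certificate (certificate and key in one PEM).
    SSLProxyEngine on
    SSLProxyCACertificateFile      /etc/httpd/ssl/internal-ca.crt
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyMachineCertificateFile /etc/httpd/ssl/proxy-client.pem

    # Hand the verified certificate details to the backend. "set" replaces
    # any header of the same name that the browser sent.
    RequestHeader set X-SSL-Client-CN       "%{SSL_CLIENT_S_DN_CN}s"
    RequestHeader set X-SSL-Client-Issuer   "%{SSL_CLIENT_I_DN}s"
    RequestHeader set X-SSL-Client-NotAfter "%{SSL_CLIENT_V_END}s"

    # The post proxies to https://172.20.1.10:444/; a host name is used
    # here so it can be compared with the name in the backend certificate.
    ProxyPass        / https://backend.internal.example:444/
    ProxyPassReverse / https://backend.internal.example:444/
</VirtualHost>

# --- Internal server -----------------------------------------------------
Listen 444
<VirtualHost *:444>
    ServerName backend.internal.example

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/backend-server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/backend-server.key

    # Accept TLS clients from the internal CA, then admit only the proxy's
    # certificate (CN assumed to be proxy.example.org), so the forwarded
    # X-SSL-Client-* headers can only arrive through the proxy.
    SSLCACertificateFile  /etc/httpd/ssl/internal-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  10
    <Location "/">
        Require expr "%{SSL_CLIENT_S_DN_CN} == 'proxy.example.org'"
    </Location>

    # CGI scripts on this host see the user's details as
    # HTTP_X_SSL_CLIENT_CN, HTTP_X_SSL_CLIENT_ISSUER and
    # HTTP_X_SSL_CLIENT_NOTAFTER; SSL_CLIENT_S_DN_CN now names the proxy.
</VirtualHost>
```

Run `apachectl configtest` on both hosts before restarting; this layout terminates TLS at the proxy, so it is the authenticating-proxy variant from the thread, not the transparent pass-through that was asked for.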
Re: SSL Authentication Issues
Hello,

One solution is to deliver private certificates to your clients. You can create a CA that delivers personal certs and give those certs in PKCS12 format protected with a PIN code!

Sylvain

Sylvain Maret
Senior Security Engineer - Strategic Director
e-Xpert Solutions SA

"Chompsky Turing" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
11.07.2001 17:48
Please respond to modssl-users
To: [EMAIL PROTECTED]
cc:
Subject: SSL Authentication Issues

Let me propose the following hypothetical situation.

I am running an apache/mod_ssl server (or any other server for that matter) with a secure directory that requires client authentication. Two types of clients access this directory. There is a group of clients that only trust Verisign as a CA, and a group that only trusts Thwart as a CA. I have certificates signed by both CAs. Is there a way to set my server up so that it can send the correct certificate to every client?

I believe the answer is no, but I thought I would check just in case. Perhaps there exists some sort of work around.

Thanks.

Chompsky
Re: Client authentication - reviewers wanted
Yes, I can review your "How-To"!

Sylvain

Sylvain Maret
Senior Security Engineer - Strategic Director
e-Xpert Solutions SA

"Dan Langille" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
09.07.2001 15:35
Please respond to modssl-users
To: [EMAIL PROTECTED]
cc:
Subject: Client authentication - reviewers wanted

I've just finished writing a how-to for setting up client authentication using self-signed certificates. It includes details of creating the certificate authority, signing the certificate, web server configuration, and installing the certificate in a browser. In this instance, I'm using Apache, OpenSSL, and MSIE.

I'm looking for people to review the article from a technical point of view (I'm more concerned with technical errors at this point rather than spelling mistakes). Once the review recommendations are completed, the article will be publicly available. To that end, I'd prefer to provide the URL only to people who are knowledgeable in this area. Please contact me for the URL.

Thanks.

--
Dan Langille
pgpkey - finger [EMAIL PROTECTED] | http://unixathome.org/finger.php
RE: Reverse Proxy
Hello,

You can use a "port forwarder" to do that, but this technology will not provide a URL filter. I guess the best way is to use a normal reverse proxy and to protect pages on the final web server!

Sylvain

Sylvain Maret
Senior Security Engineer - Strategic Director
e-Xpert Solutions SA

Sambit Nanda <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
14.06.2001 20:24
Please respond to modssl-users
To: [EMAIL PROTECTED]
cc:
Subject: RE: Reverse Proxy

Thanks. This is a good idea to know about. I also like to know is there any thing like "port Forwarder" that I can inbuild with Apache.

Here is some detail info what I want to know. My Application Server + Webserver 'Single Computer Box' is in the Internal Network. I want to put a system on my DMZ network that is Apache on Solaris with SSL and reverse proxy and some kind of port forwarder. So it will help me allow the external network, meaning people from the internet, to access my Application webserver from the Apache server. The Apache Server will help to forward the packets from the DMZ network to the internal one and should have the ability to filter some URLs, which will not allow the External World to view some html pages, like a reverse proxy.

OR is there any other approach to it.

thanks
sambit

--- [EMAIL PROTECTED] wrote:
> If you want a secure-secure reverse proxy you can also use
>
> ProxyPass / https://www.foo.com/
> ProxyPassReverse / https://www.foo.com/
>
> This is useful for proxying secure connections through a firewall, but the
> last time I looked, the mod_rewrite command didn't support this kind of
> proxying.
>
> -
> John Airey
> Internet Systems Support Officer, ITCSD, Royal National Institute for the
> Blind,
> Bakewell Road, Peterborough PE2 6XU,
> Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 13 June 2001 07:19
> To: [EMAIL PROTECTED]
> Subject: Re: Reverse Proxy
>
> Hello,
>
> I'm using an SSL reverse proxy solution with Apache and Mod_SSL and it works
> very well. I'm using Mod_proxy with the directive:
>
> ProxyPass / http://www.foo.com/
> ProxyPassReverse / http://www.foo.com/
>
> (http://httpd.apache.org/docs/mod/mod_proxy.html#proxypass)
>
> Another way is to use Mod_Rewrite
>
> I hope it helps,
>
> Sylvain
>
> Sylvain Maret
> Senior Security Engineer
> e-Xpert Solutions SA
>
> Sambit Nanda <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> 12.06.2001 22:37
> Please respond to modssl-users
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Reverse Proxy
>
> Can anyone guide me how to configure reverse proxy in
> Apache + SSL + mod_perl in Sun Sparc Environment. I am
> using Apache 1.3.13
>
> Is there any way to build a module 'port forwarder' in
> Apache.
>
> Thanks
>
> Sambit
Re: Client Authentication
Hello,

I met this problem before. It seems this is a strange behavior from Netscape. The workaround is to force the browser to present the client certificate.

In Netscape you can set up this option in Security --> Navigator --> Certificate to identify you to a web site: choose

Sylvain

Sylvain Maret
Senior Security Engineer
e-Xpert Solutions SA

Hatop Goetz <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
07.06.2001 21:25
Please respond to modssl-users
To: [EMAIL PROTECTED]
cc:
Subject: Client Authentication

Hi,

I have managed to get client authentication working on a directory basis. That is, apache asks for a client certificate when I try to access a file in that directory, I am telling netscape to send my client cert and I do get the page requested.

That's fine so far, but when I try to get another page from that directory or even the same page again, apache asks me again for a client certificate, so I am having to send my client cert for every page again and again and again..

Can someone please point me in the direction where to look further? I would really like to get this running..

any help appreciated,
Goetz.
Re: Reverse Proxy
Hello,

I'm using an SSL reverse proxy solution with Apache and Mod_SSL and it works very well. I'm using Mod_proxy with the directive:

    ProxyPass / http://www.foo.com/
    ProxyPassReverse / http://www.foo.com/

(http://httpd.apache.org/docs/mod/mod_proxy.html#proxypass)

Another way is to use Mod_Rewrite

I hope it helps,

Sylvain

Sylvain Maret
Senior Security Engineer
e-Xpert Solutions SA

Sambit Nanda <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
12.06.2001 22:37
Please respond to modssl-users
To: [EMAIL PROTECTED]
cc:
Subject: Reverse Proxy

Can anyone guide me how to configure reverse proxy in Apache + SSL + mod_perl in Sun Sparc Environment. I am using Apache 1.3.13

Is there any way to build a module 'port forwarder' in Apache.

Thanks

Sambit
OCSP and Mod SSL !
Hello,

I'm looking for a solution to get Certificate Revocation via OCSP! The idea is to have an integration with Mod SSL and my OCSP Responder or Valicert VA.

Does somebody have some experience with this kind of implementation?

Thanks for your help,

Sylvain Maret

Sylvain Maret
Senior Security Engineer - Strategic Director
e-Xpert Solutions SA
SSL Client authentication problem
I installed a Secure Reverse Proxy to access some internal resources using I am using Apache/1.3.12 (Unix Solaris 2.6) with mod_ssl/2.6.3 and OpenSSL/0.9.5a. It works quite well.

But now I want to use an SSL client certificate for authentication. It works, but with a problem. The problem is that when I connect to the reverse proxy, my browser asks me several times to present my client certificate. It seems that for every session it asks me for a client certificate. I guess this is not normal behavior???

I used to do the same with Stronghold and it asked me only one time for my certificate.

Does somebody have an idea how to deal with that? Maybe a parameter to change on the apache mod_ssl server?

Sylvain

--
Sylvain MARET, Network Security Engineer
Datelec Networks SA
Av. de la Praille 26
1227 Carouge / Geneva
Member of Dimension Data HOLDINGS
Switzerland
Tel: +41 22 309.15.80
Fax: +41 22 309.15.85
Visit our Web Site: http://www.datelec.com
PGP Fingerprint: BE06 F406 32CA 0886 BAC8 F794 9A75 7DF9 4CD4 D07C
PGP Key: On request!
---
Are you Secure? How do you know?

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify Datelec Networks.
Mail To: [EMAIL PROTECTED]
http://www.datelec.com
Re: Secure Reverse Proxy
Hello,

Why is it better to use "RewriteRule" than the traditional "ProxyPass" directive? Do you have an example?

Sylvain

Michael J Schout wrote:
>
> On Tue, 18 Apr 2000, Joe Ammann wrote:
>
> > Now mod_proxy can obviously not forward https connections. It doesn't
> > know anything about SSL. And I could not find any information that
> > such a thing has already been done.
>
> I assume you are talking about mod_proxy on apache? We use it this way quite a
> bit actually. Although, we are using "RewriteRule" directives to do it instead
> of the traditional "ProxyPass" directives. E.g.: something like this:
>
> RewriteRule ^/foo https://localhost/foo [P]
>
> Works great for us.
>
> Mike

--
Sylvain MARET, Network Security Engineer
Datelec Networks SA