Re: SSL reverse proxy + Client Cert auth

2002-08-16 Thread Thomas Gagné 

I'm not sure about checking another authority, but suspect the configs 
would be in conf/ssl.conf.  For doing the reverse proxying, I edited 
proxy.conf and included it inside ssl.conf.  Inside proxy.conf, 
statements like:

ProxyPass /cgi/ http://10.0.10.1/cgi/
ProxyPassReverse /cgi/ http://10.0.10.1/cgi/

are what accomplishes the reverse proxying.  In our case, https: comes 
into the proxy and we talk (behind the DMZ) http to the web servers.

Danny Kruitbosch wrote:

> Hi,
>
> We want to build the following situation:
>
> - Apache with mod_ssl as a reverse SSL proxy (Client  --->  SSL/HTTPS 
> ---> Rev. proxy ---> HTTP ---> Web/App server)
> - We need to check for client certificates. These certs are handed out 
> by another party (not a real TTP). We need to check the signature on 
> the client certs and the validity of the client certs.
>
>
> What's the best way to do this. I've read the mod_ssl manual, but I 
> don't understand how I can check client certs from another (third) party.
>
> How do I setup Apache as an SSL reverse proxy?
>
> Any help on this would be great!
>
> Cheers,
>
> Danny Kruitbosch
>
> __
> Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
> User Support Mailing List  [EMAIL PROTECTED]
> Automated List Manager[EMAIL PROTECTED]
>

-- 
.tom


-- 
.tom
http://isectd.sourceforge.net

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

[Fwd: Re: Problem with: Apache/2.0.36 (Unix) mod_ssl/2.0.36 OpenSSL/0.9.6d]

2002-06-06 Thread Thomas Gagné 



 Original Message 
Subject: Re: Problem with: Apache/2.0.36 (Unix) 
mod_ssl/2.0.36 OpenSSL/0.9.6d
Date: Tue, 04 Jun 2002 15:48:36 -0400
From: Thomas Gagné <[EMAIL PROTECTED]>
Organization: http://extra.newsguy.com
Newsgroups: comp.infosystems.www.servers.unix
References:  
<[EMAIL PROTECTED]> 
<[EMAIL PROTECTED]>

I'm having a similar problem with hangs using 2.0.36, but
didn't know it may have been caused by going from http: to
https:.  Regardless, I noticed my SSLMutex setting was
file:logs/ssl_mutex.  The documentation doesn't say the file
must exist, and on my system it didn't exist before
'startssl' and it didn't exist after 'startssl'.  I'm
curious if anyone else noticed that.

Also, if "SSLMutex none" fixes it, I wonder if "SSLMutex
sem" could similarly fix it.  Is it just a problem with file:?

Ken Roser wrote:
 > I also am experiencing the same problem as Harley on my 
Redhat 7.3 box.
 > I tried updating from OpenSSL 9.6b to 9.6d to fix it but 
that didn't work.
 >
 > Jan's fix of  "SSLMutex none" does solve the problem for 
me but I'd like
 > to learn more about the consequences of eliminating the 
mutexes.  Can
 > someone provide more detail on this issue?
 >
 > Jan P. Sorensen wrote:
 >
 >> Well known error at least om Mandrake 8.2
 >>
 >> Try: SSLMutex none
 >>
 >> Jan
 >>
 >> On Tue, 4 Jun 2002, Harley Puthuff wrote:
 >>
 >>
 >>
 >>> I used to use Apache 1.3.19 and Apache SSL without any 
problem. After
 >>> installing Apache v.2, though, I get sporadic 'hangs' 
when a client
 >>> switches
 >>> from an http page to an https page. I see in the 
ssl_engine_log that
 >>> mutex
 >>> is mentioned a lot. I've tried different options for 
the SSLMutex
 >>> directive,
 >>> but it doesn't seem to make the warning go away.
 >>>
 >>> This is what I'm using now:
 >>>
 >>> SSLPassPhraseDialog  builtin
 >>> SSLSessionCache 
dbm:/usr/local/apache2/logs/ssl_gcache
 >>> SSLSessionCacheTimeout  300
 >>> SSLMutex  file:/usr/local/apache2/logs/ssl_mutex
 >>> SSLRandomSeed startup builtin
 >>> SSLRandomSeed connect builtin
 >>> SSLLog  /usr/local/apache2/logs/ssl_engine_log
 >>> SSLLogLevel info
 >>>
 >>> And this is an example of what happens according to the 
SSL log. The
 >>> first
 >>> connection succeeded, the second one hung up:
 >>>
 >>> [03/Jun/2002 18:37:03 03630] [info]  Connection to 
child 19 established
 >>> (server www.astdgoldengate.org:443, client 12.236.195.38)
 >>> [03/Jun/2002 18:37:03 03630] [info]  Seeding PRNG with 
136 bytes of
 >>> entropy
 >>> [03/Jun/2002 18:37:03 03630] [warn]  Failed to acquire 
global mutex lock
 >>> [03/Jun/2002 18:37:03 03630] [warn]  Failed to release 
global mutex lock
 >>> [03/Jun/2002 18:37:03 03630] [info]  Connection: Client 
IP:
 >>> 12.236.195.38,
 >>> Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
 >>> [03/Jun/2002 18:37:03 03630] [info]  Initial (No.1) 
HTTPS request
 >>> received
 >>> for child 19 (server www.astdgoldengate.org:443)
 >>> [03/Jun/2002 18:37:19 03630] [info]  Connection to 
child 19 closed with
 >>> standard shutdown(server www.astdgoldengate.org:443, 
client
 >>> 12.236.195.38)
 >>> [03/Jun/2002 18:40:49 03642] [info]  Connection to 
child 25 established
 >>> (server www.astdgoldengate.org:443, client 12.236.195.38)
 >>> [03/Jun/2002 18:40:49 03642] [info]  Seeding PRNG with 
136 bytes of
 >>> entropy
 >>> [03/Jun/2002 18:40:49 03642] [warn]  Failed to acquire 
global mutex lock
 >>> [03/Jun/2002 18:40:49 03642] [warn]  Failed to release 
global mutex lock
 >>>
 >>> I'd appreciate any input anyone has with a similar 
scenario.
 >>>
 >>> Thanks,
 >>>
 >>> /s/ Harley Puthuff
 >>>
 >>>
 >>>
 >>>
 >>
 >>
 >>
 >>
 >
 >


-- 
.tom


-- 
.tom
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

[2.0.36] Last message: Seeding PRNG with 136 bytes of entropy

2002-05-28 Thread Thomas Gagné 

./configure --enable-ssl --enable-proxy

First, I'm reverse-proxying another box.  When I do
everything using just HTTP, it all works.

Requests from the browser (IE 5) coming-in HTTPS using a
home-made
certificate (openssl, CA.pl -newcert).  Everything works
fine for a while.  Then, for no good reason the server
writes
in the ssl_engine_log:

[datetime 31272] [info]  Connection to child 7 established
(servername:443, client 10.0.0.52)
[datetime 31272] [info]  Seeding PRNG with 136 bytes of
entropy

and the browser hangs.

After I close the browser and login again, I start seeing a
bunch of
[datetime 31257] [warn]  Failed to acquire global mutex lock

[datetime 31257] [warn]  Failed to release global mutex lock

I have to recycle the apache proxy server to clear its
head.  Where should I look to find out what the problem is?

I've got it configured so that it's reverse-proxying
everything from DocumentRoot.

Like I said, everything works fine until it hangs (isn't
that always the case).

--
.tom
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]