Re: libssl.so - mod_ssl.so
On Mon, Apr 14, 2008 at 10:13 AM, John Minson [EMAIL PROTECTED] wrote:

I have to re-create mod_ssl 2.8.1 for an old version of apache (1.3.19) and even though I have it/they compiled I'm confused about 2 things.

I have several servers with various levels of apache and mod_ssl. The mod_ssl lib seems to be called 'mod_ssl.so' in some cases and 'libssl.so' in others?

The 'libssl.so' I just created is 272328 bytes in size where on another server it's 1884650 bytes in size. Is this due to the way it was linked? I have not yet tested my newly compiled libssl.

Reply:

Sounds like the libssl.so file you create is dynamically linked whereas the old version is statically linked. What does ldd show you for both?

Btw I hope this apache server is internal unless you like getting your server compromised. Look at all the changes (especially security wise) that have been fixed since that version: http://www.apache.org/dist/httpd/CHANGES_1.3

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Urgent help please
Actually more specifically a web site development issue. You most likely have static links pointing to content in your web development code (html, css, php, whatever language they have). mod_rewrite doesn't rewrite your actual code, you need to do that.

An *example* would be <img src="http://www.example.com/example.jpg">. When you attempt to access this on a secure page a certain web browser (HINT: IE) goes all nutty and complains like you mention in your original request.

This is definitely not the correct place for the problem you experience. A good decent google search would've clued you in on any of this. I highly suggest this website on how to use Google: http://www.googleguide.com/

On 9/19/07, a k [EMAIL PROTECTED] wrote:

Pretty sure that is a browser issue and not a web site issue.

Lindsay Hausner [EMAIL PROTECTED] wrote:

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jones, Stephen (SJONES)
Sent: Friday, August 03, 2007 10:16 AM
To: modssl-users@modssl.org
Subject: Urgent help please

Hello,

My site just did a redesign and now the SSL's do not work as desired and I have no clue why. Here is the scenario:

The Home page on initial connection is NOT using SSL.
I can select any non SSL page and remain a non SSL page.
I select one of the 2 SSL pages and I get SSL (ie: https in the address bar and the lock icon in the browser).

From this point on every page is now defined as SSL. I see this by picking any link on the page and the link displayed in the lower left corner is listed as https. If I choose the link the address bar is https and the lock icon appears.

The problem is that if I choose any of the links back to the Home page I get the pop-up "This page contains both secure and non secure item." The address bar stays as https but the lock icon disappears.

No changes were made to the httpd.conf or ssl.conf files. I have the following redirects in place and I can see the first 2 working when I enable rewrite logging.
I never see the 3rd one run.

    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_URI} ^.*/cf/store/.*
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]

    ## For Digsig
    RewriteCond %{HTTPS} !=on
    RewriteCond %{REQUEST_URI} ^.*/cf/digsig/.*
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]

    ## For Everything Else
    RewriteCond %{HTTPS} =on
    RewriteCond %{REQUEST_URI} ^.*/.*
    RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R]

Any suggestions as to what or where to look would be greatly appreciated.

(Lindsay Hausner's reply:)

Sorry for the delay. "This page contains both secure and non secure item." means there are url paths in page content (usually graphics...image sources for links and the like) which are http (and need to be https). I'm not too familiar w/ mod_rewrite, but a guess is that your rules apply to actual links, but not urls for content such as .gif or .jpg files.

Hope this helps.

lh..
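Added example, not part of the thread: a shell function that lists the `http://` subresources in a page, which is what produces the "secure and non secure items" prompt discussed above when the page itself is served over https. The sample page and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample page (not taken from the site in the thread).
sample_page() {
cat <<'EOF'
<html><head>
<link rel="stylesheet" href="http://www.example.com/css/site.css">
<script src="/js/menu.js"></script>
</head><body>
<a href="http://www.example.com/cf/store/">Store</a>
<img src="http://www.example.com/example.jpg">
<img src="https://www.example.com/logo.gif">
<IMG SRC='http://www.example.com/banner.gif'>
</body></html>
EOF
}

# Reads HTML on stdin and prints each absolute http:// URL referenced by a tag
# that fetches content (img, script, link, iframe, ...). Plain <a href> links
# are skipped: they are navigation, not content loaded into the secure page.
# Relative and https:// references are skipped as well.
find_insecure_refs() {
  grep -oiE "<(img|script|link|iframe|embed|source|input)[^>]*[[:space:]](src|href)[[:space:]]*=[[:space:]]*[\"']?http://[^\"' >]+" \
    | grep -oiE "http://[^\"' >]+" \
    | sort -u
}

# Stand-alone run against the constructed page.
# Against real templates: cat page.html | find_insecure_refs
sample_page | find_insecure_refs
```

Each URL it prints has to become relative or https before the lock icon will stay; redirect rules on the server do not change what the HTML asks the browser to fetch.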
Re: Mod-ssl and Apache
Considering this a mailing list for modssl 1.x not 2.x, which is part of the apache distribution... you may need to seek help on the apache mailing lists. modssl 1.x =! modssl 2.x

On 9/11/07, Aaron Smith [EMAIL PROTECTED] wrote:

Not sure if these messages are getting through or not. I'm having trouble with mod_ssl 2.0.55 and apache 2.0.55. The compile and make goes fine, but when the server is running, and connections are made via SSL, the child processes segfault. If mod_ssl is compiled into the apache binary statically, the processes simply hang and build up until the server can no longer handle the load. When compiled as a shared module, the segfaults occur. Setting the loglevel to Debug results in these errors:

    [Tue Sep 11 10:10:43 2007] [info] Connection to child 2 established (server ourserver.name.scrubbed:8040, client client IP scrubbed)
    [Tue Sep 11 10:10:43 2007] [info] Seeding PRNG with 136 bytes of entropy
    [Tue Sep 11 10:10:43 2007] [debug] ssl_engine_io.c(1512): OpenSSL: read 11/11 bytes from BIO#401a3500 [mem: 401aabb0] (BIO dump follows)
    [Tue Sep 11 10:10:43 2007] [debug] ssl_engine_io.c(1459): +--- --+
    [Tue Sep 11 10:10:43 2007] [debug] ssl_engine_io.c(1484): | : 80 67 01 03 01 00 4e 00-00 00 10 .gN |
    [Tue Sep 11 10:10:43 2007] [debug] ssl_engine_io.c(1490): +--- --+
    [Tue Sep 11 10:10:43 2007] [info] SSL library error 1 in handshake (server ourserver.name.scrubbed:8040, client client IP scrubbed)
    [Tue Sep 11 10:10:43 2007] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
    [Tue Sep 11 10:10:43 2007] [info] Connection to child 2 closed with abortive shutdown(server ourserver.name.scrubbed:8040, client IP scrubbed)

Thoughts anyone?

-Aaron
Re: Mod-ssl and Apache
On 9/11/07, Mads Toftum [EMAIL PROTECTED] wrote:

On Tue, Sep 11, 2007 at 01:10:20PM -0400, Aaron Smith wrote:

Oh! My apologies. I thought this was a mailing list for mod_ssl independent of version.

(Mads Toftum:)

It has been used for both versions over time - this is pretty much the first time anyone complained.

vh
Mads Toftum
--
http://soulfood.dk

Reply:

It's not really complaining, more in that modssl.org and its downloads are geared for apache 1.3.x not apache 2.x, as they incorporated modssl into the source; thus you can pretty much expect better support for apache 2.x related modules, incl. modssl, on the apache mailing lists.
Re: Apache wont start with ssl
Sounds to me like sem files have gotten the best of you. Did you compile Apache with mm? Try using ipcclean to clean up the semaphores. Google for ipcclean; while its intentions and uses were meant for postgres, it basically removes the semaphores for any user (including apache's user, whatever that may be on your server).

Btw this is more of an Apache related problem as opposed to a mod_ssl problem :-).

On 5/2/07, Ryan Forrester [EMAIL PROTECTED] wrote:

Mqueue dir had only 5mb files in it.

    [EMAIL PROTECTED] ~]# df -h
    Filesystem            Size  Used Avail Use% Mounted on
    /dev/mapper/VolGroup00-LogVol00
                           15G  5.0G  8.8G  36% /
    /dev/ida/c0d0p1        99M   16M   78M  17% /boot
    tmpfs                 569M     0  569M   0% /dev/shm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Paris
Sent: Sunday, April 01, 2007 3:10 PM
To: modssl-users@modssl.org
Subject: Re: Apache wont start with ssl

Occasionally, /var/spool/clientmqueue can bite you as well. The filesystem will not show 100% used but you'll be out of inodes. (If that happens, you'll have loads of fun clearing it out ;-)

Good Luck!
-dsp

Andy Cravens wrote:

Judging from the error message "No space left on device" sounds like some file system is full... maybe /tmp. The next time this happens open a shell window and type:

    df -k

Check the output to see if one of your file systems is full. Look at /tmp and /swap specifically.

Ryan Forrester wrote:

When attempting to start apache in SSL mode:

    $ /home/servers/apache_1.3.37/bin/apachectl startssl
    $ semget: No space left on device

Rebooting the machine allows me to start apache once more.. but after a few days, apache will fail and the same error occurs again, and the only way to resolve is to reboot.

- Apache will start in normal mode without a reboot.

error_log doesn't contain any useful information to help troubleshoot the problem.
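Added example, not part of the thread: `semget` fails with "No space left on device" when the kernel's System V semaphore limits are exhausted, which `df` does not show. The functions below summarise `ipcs -s` output per owner and compare the number of arrays with SEMMNI (the fourth field of `/proc/sys/kernel/sem` on Linux). The sample output, the function names and the 90% threshold are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed `ipcs -s` output in the Linux layout (not taken from the thread).
sample_ipcs() {
cat <<'EOF'

------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 98304      apache     600        1
0x00000000 131073     apache     600        1
0x00000000 163842     apache     600        1
0x0052e2c1 196611     postgres   600        17

EOF
}

# Reads `ipcs -s` output on stdin; prints "<owner> <arrays> <semaphores>".
# Only rows whose first column is a hex key are counted, so the banner and
# column-header lines are ignored.
sem_usage_by_owner() {
  awk '$1 ~ /^0x[0-9a-fA-F]+$/ && NF >= 5 { arrays[$3]++; sems[$3] += $5 }
       END { for (o in arrays) print o, arrays[o], sems[o] }' | sort
}

# Reads `ipcs -s` output on stdin; $1 is SEMMNI, the system-wide array limit.
# Prints the usage and returns 1 when it is at or above 90% of the limit.
sem_headroom() {
  limit=$1
  used=$(awk '$1 ~ /^0x[0-9a-fA-F]+$/ && NF >= 5 { n++ } END { print n + 0 }')
  echo "semaphore arrays in use: $used of $limit"
  [ $(( used * 10 )) -lt $(( limit * 9 )) ]
}

# On a live Linux host:
#   ipcs -s | sem_usage_by_owner
#   ipcs -s | sem_headroom "$(awk '{print $4}' /proc/sys/kernel/sem)"
sample_ipcs | sem_usage_by_owner
sample_ipcs | sem_headroom 128 || echo "close to the SEMMNI limit"
```

A count for the web server's user that keeps growing across restarts points at arrays left behind by an unclean shutdown, which matches a failure that returns after a few days and clears on reboot.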
Re: Cannot load mod_ssl.so into server: The operating system cannot run %1
This list is about mod_ssl under Apache 1.3.xx, just like modssl.org said it was. Furthermore as the apache website states, mod_ssl is now part of Apache 2.x thus the support would be there.

On 2/15/07, Andrew Madu [EMAIL PROTECTED] wrote:

Operating system: Windows XP Professional
Version: 2002
Service Pack: 2
Apache HTTP version: 2.2.4 (Binary)

    Syntax error on line 114 of httpd.conf:
    Cannot load mod_ssl.so into server: The operating system cannot run %1

Of course line 114 in my httpd.conf document is:

    LoadModule ssl_module modules/mod_ssl.so

The mod_ssl.so module is situated in C:\Program Files\Apache Software Foundation\Apache2.2\modules.

What is the issue here and how can I best resolve it?

--
Regards
Andrew
Re: apache segfaults on startup after specifying the certificate file and key
You will have better luck on the apache mailing lists (http://httpd.apache.org) as mod_ssl on this website, as told on modssl.org, is only for apache 1.x. As of 2.x modssl is incorporated into the apache distribution and is also maintained by the apache http server project.

On 12/29/06, Mark Robinson [EMAIL PROTECTED] wrote:

Hi all,

I am running freebsd 6.1 and apache 2.2.0_7

I am new to SSL and have configured a self-signed certificate according to http://slacksite.com/apache/certificate.html

I placed the .crt and .pem files in /usr/local/etc/apache22 and set the .pem file readable only by root.

When I start up apache it gives a segmentation fault and stops. When I set the logging option in httpd.conf to debug, the log file shows the following before the seg fault:

    [Sat Dec 30 00:48:27 2006] [info] Init: Seeding PRNG with 136 bytes of entropy
    [Sat Dec 30 00:48:27 2006] [info] Loading certificate  private key of SSL-aware server
    [Sat Dec 30 00:48:27 2006] [debug] ssl_engine_pphrase.c(469): unencrypted RSA private key - pass phrase not required
    [Sat Dec 30 00:48:27 2006] [info] Init: Generating temporary RSA private keys (512/1024 bits)
    [Sat Dec 30 00:48:27 2006] [info] Init: Generating temporary DH parameters (512/1024 bits)
    [Sat Dec 30 00:48:27 2006] [info] Init: Initializing (virtual) servers for SSL
    [Sat Dec 30 00:48:27 2006] [info] Configuring server for SSL protocol
    [Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
    [Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(601): Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
    [Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(729): Configuring RSA server certificate
    [Sat Dec 30 00:48:27 2006] [warn] RSA server certificate CommonName (CN) `mail.reoins.com' does NOT match server name!?
    [Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(768): Configuring RSA server private key
    [Sat Dec 30 00:48:27 2006] [info] Server: Apache/2.2.0, Interface: mod_ssl/2.2.0, Library: OpenSSL/0.9.8a
    [Sat Dec 30 00:48:27 2006] [info] mod_unique_id: using ip addr 209.163.210.42

Thanks for any help or suggestions.
Re: SSL access from my apache.
You'll probably have better luck going to the httpd users mailing list (found at http://httpd.apache.org) as opposed to this one as this mod_ssl is developed for apache 1.x not apache 2.x

On 11/29/06, Tsurutani Naoki [EMAIL PROTECTED] wrote:

Hi,

I have a question about ssl_engine_io.c.

On my system of FreeBSD 6-STABLE, apache with following signature is working:

    Apache/2.2.3 (FreeBSD) mod_ssl/2.2.3 OpenSSL/0.9.7e-p1 DAV/2 PHP/4.4.4 with Suhosin-Patch configured.

I found some log entries like

    localhost - - [29/Nov/2006:09:54:01 +0900] GET / 400 653 - -
    localhost - - [29/Nov/2006:09:54:02 +0900] GET / 400 653 - -
    localhost - - [29/Nov/2006:09:54:03 +0900] GET / 400 653 - -
    localhost - - [29/Nov/2006:10:43:04 +0900] GET / 400 653 - -

in my log file about ssl access. These entries are not found in normal http access log.

This is caused by ssl_io_filter_disable() function in modules/ssl/ssl_engine_io.c, as I think, and I have no idea why these accesses are necessary. Referencing to http access log, many accesses are found just before this log's timestamp, but they were not about ssl (I checked firewall log and found no entries about tcp/443).

These logs were not found with apache-2.0.x before 1 year ago. I want to know why this access occurs. Please tell me.
Re: About FakeBasicAuth
That seems like an odd way of doing it. Seems more like an apache issue than anything as this can be achieved with apache's included modules (like mod_auth and mod_access). Something like

    <VirtualHost 192.168.1.1:80>
        ServerName example.com
        DocumentRoot /great/example/here
        <Directory /great/example/here>
            # Deny,Allow (no space after the comma): Deny is evaluated first,
            # so the Allow line below wins for the intranet range
            Order Deny,Allow
            Deny from All
            # intranet range, like 192.168.1 or 192.168 etc
            Allow from 192.168.1
            AuthType Basic
            AuthName Example
            AuthUserFile /path/to/your/htpasswd/file
            # the Auth* lines are only enforced when a Require line is present
            Require valid-user
            # pass on either the address check or a valid login
            Satisfy Any
        </Directory>
    </VirtualHost>

You could easily just change the port to 443 and add the necessary SSL info to have this work on a SSL'd host.

On 11/22/06, Luis Carlos Peinado Bravo [EMAIL PROTECTED] wrote:

Hi,

I'm trying to do the following. When users from the Intranet access the website nothing will be required, but if the users come from the Internet a client certificate will be required to use it with the basic authentication using the FakeBasicAuth option.

I did what the link http://www.modssl.org/docs/2.8/ssl_howto.html#ToC10 says but if I come from the Intranet a client certificate is required (if I cancel it I get access to the website) and if I come from the Internet a login box pops up.

Could you help me?
Having modssl run on different ports, is this even possible?
I am running Apache2 with the included mod_ssl module. I figure this is a good place to start, but if it belongs on the apache httpd mailing list you can bluntly tell me.

The servers I administer run in an environment that is pretty painful, but common I hear. Another team at corporate headquarters administer the firewall and what they are planning to do is as follows. I have no control over the firewall whatsoever.

Any port 80 (http) request sent to the firewall for domain www.example.com will be then rerouted to an internal IP, such as 172.16.15.102 (behind the firewall), on port 8000. Thus I have apache listening on port 8000.

Any port 443 (https) request sent to the firewall for domain www.example.com will be then rerouted to an internal IP, such as 172.16.15.102 (behind the firewall), on port 9000. I want to have mod_ssl listening on port 9000, is this possible?

Should a virtualhost entry just work, such as <VirtualHost 172.16.15.102:9000>, and have the usual items such as SSLEngine, SSLCertificateFile, SSLCertificateKeyFile, etc?

Any help is appreciated.

Yvo