Re: libssl.so - mod_ssl.so

2008-04-14 Thread Yvo van Doorn
On Mon, Apr 14, 2008 at 10:13 AM, John Minson [EMAIL PROTECTED] wrote:
 I have to re-create mod_ssl 2.8.1 for an old version of apache (1.3.19) and
 even though I have it/they compiled I'm confused about 2 things.

  I have several servers with various levels of apache and mod_ssl.

  The mod_ssl lib seems to be called 'mod_ssl.so' in some cases and
 'libssl.so' in others?

  The 'libssl.so' I just created is 272328 bytes in size where on another
 server it's 1884650 bytes in size. Is this due to the way it was linked?

  I have not yet tested my newly compiled libssl.


Sounds like the libssl.so file you created is dynamically linked
whereas the old version is statically linked. What does ldd show you
for both?

Btw I hope this apache server is internal unless you like getting your
server compromised. Look at all the changes (especially security wise)
that have been fixed since that version:
http://www.apache.org/dist/httpd/CHANGES_1.3
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: Urgent help please

2007-09-19 Thread Yvo van Doorn
Actually more specifically a web site development issue. You most
likely have static links pointing to content in your web development
code (html, css, php, whatever language they have). mod_rewrite
doesn't rewrite your actual code, you need to do that.

An *example* would be <img src="http://www.example.com/example.jpg">.
When you attempt to access this on a secure page a certain web browser
(HINT: IE) goes all nutty and complains like you mention in your
original request. This is definitely not the correct place for the
problem you experience. A good decent google search would've clued
you in on any of this. I highly suggest this website on how to use
Google: http://www.googleguide.com/

On 9/19/07, a k [EMAIL PROTECTED] wrote:
 Pretty sure that is a browser issue and not a web site issue.


 Lindsay Hausner [EMAIL PROTECTED] wrote:


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Jones, Stephen (SJONES)
 Sent: Friday, August 03, 2007 10:16 AM
 To: modssl-users@modssl.org
 Subject: Urgent help please

 Hello,

 My site just did a redesign and now the SSL's do not work as desired
 and I have no clue why.

 Here is the scenario:

 The Home page on initial connection is NOT using SSL.

 I can select any non SSL page and remain a non SSL page

 I select one of the 2 SSL pages and I get SSL (ie: https in the address
 bar and the lock icon in the browser)

 From this point on every page is now defined as SSL. I see this by
 picking
 any link on the page and the link displayed in the lower left corner is
 listed as https. If I choose the link the address bar is https and the
 lock icon appears.

 The problem is that if I choose any of the links back to the Home page I
 get the pop-up "This page contains both secure and non secure item."

 The address bar stays as https but the lock icon disappears.

 No changes were made to the httpd.conf or ssl.conf files.

 I have the following redirects in place and I can see the first 2
 working when I enable rewrite logging.

 I never see the 3rd one run.

 RewriteCond %{HTTPS} !=on
 RewriteCond %{REQUEST_URI} ^.*/cf/store/.*
 RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]


 ## For Digsig
 RewriteCond %{HTTPS} !=on
 RewriteCond %{REQUEST_URI} ^.*/cf/digsig/.*
 RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]

 ## For Everything Else
 RewriteCond %{HTTPS} =on
 RewriteCond %{REQUEST_URI} ^.*/.*
 RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R]

 Any suggestions as to what or where to look would be greatly
 appreciated.

 Sorry for the delay.

 "This page contains both secure and non secure item." means there are url
 paths in page content (usually graphics...image sources for links and the
 like) which are http (and need to be https). I'm not too familiar w/
 mod_rewrite, but a guess is that your rules apply to actual links, but not
 urls for content such as .gif or .jpg files.

 Hope this helps.

 lh..




  


Re: Mod-ssl and Apache

2007-09-11 Thread Yvo van Doorn
Considering this is a mailing list for modssl 1.x not 2.x, which is part
of the apache distribution... you may need to seek help on the apache
mailing lists.

modssl 1.x != modssl 2.x

On 9/11/07, Aaron Smith [EMAIL PROTECTED] wrote:




 Not sure if these messages are getting through or not.  I'm
 having trouble with mod_ssl 2.0.55 and apache 2.0.55.  The compile and make
 goes fine, but when the server is running, and connections are made via SSL,
 the child processes segfault.  If mod_ssl is compiled into the apache binary
 statically, the processes simply hang and build up until the server can no
 longer handle the load.  When compiled as a shared module, the segfaults
 occur.  Setting the loglevel to Debug results in these errors:



 [Tue Sep 11 10:10:43 2007] [info] Connection to child 2 established (server ourserver.name.scrubbed:8040, client client IP scrubbed)
 [Tue Sep 11 10:10:43 2007] [info] Seeding PRNG with 136 bytes of entropy
 [Tue Sep 11 10:10:43 2007] [debug] ssl_engine_io.c(1512): OpenSSL: read 11/11 bytes from BIO#401a3500 [mem: 401aabb0] (BIO dump follows)
 [Tue Sep 11 10:10:43 2007] [debug] ssl_engine_io.c(1459): +-----+
 [Tue Sep 11 10:10:43 2007] [debug] ssl_engine_io.c(1484): | : 80 67 01 03 01 00 4e 00-00 00 10 .gN |
 [Tue Sep 11 10:10:43 2007] [debug] ssl_engine_io.c(1490): +-----+
 [Tue Sep 11 10:10:43 2007] [info] SSL library error 1 in handshake (server ourserver.name.scrubbed:8040, client client IP scrubbed)
 [Tue Sep 11 10:10:43 2007] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
 [Tue Sep 11 10:10:43 2007] [info] Connection to child 2 closed with abortive shutdown(server ourserver.name.scrubbed:8040, client IP scrubbed)



 Thoughts anyone?



 -Aaron



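An added example, not part of the original posts, that decodes the 11 bytes shown in the BIO dump of the quoted log. It separates the three things that commonly arrive first on an HTTPS port: a plaintext HTTP request, an SSLv3/TLS record, and an SSLv2-format CLIENT-HELLO. The two comparison inputs are constructed.

```python
import struct

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"CONNECT")

def classify_first_bytes(data):
    """Classify the first bytes a client sent to an HTTPS listener."""
    # Plaintext HTTP arriving on the SSL port starts with an ASCII request method.
    if data.split(b" ", 1)[0] in HTTP_METHODS:
        return {"kind": "plaintext-http"}
    # SSLv3/TLS record header: content type 0x16 (handshake), version 3.x, length.
    if len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03:
        return {"kind": "tls-record", "version": (data[1], data[2]),
                "record_len": struct.unpack(">H", data[3:5])[0]}
    # SSLv2-format record: high bit set on byte 0, 15-bit length, type 1 = CLIENT-HELLO.
    if len(data) >= 11 and data[0] & 0x80 and data[2] == 0x01:
        record_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
        major, minor, cipher_len, sid_len, chal_len = struct.unpack(">BBHHH", data[3:11])
        # Body = type(1) + version(2) + three length fields(6) + the variable parts.
        body_len = 9 + cipher_len + sid_len + chal_len
        return {"kind": "sslv2-format-client-hello", "version": (major, minor),
                "record_len": record_len, "cipher_specs": cipher_len // 3,
                "session_id_len": sid_len, "challenge_len": chal_len,
                "lengths_consistent": body_len == record_len and cipher_len % 3 == 0}
    return {"kind": "unknown"}

# The 11 bytes from the BIO dump in the log above.
DUMP_FROM_LOG = bytes.fromhex("80 67 01 03 01 00 4e 00 00 00 10")
# Constructed comparison inputs: a TLS 1.0 handshake record header and a plain HTTP request.
TLS_SAMPLE = bytes.fromhex("16 03 01 00 c8 01 00 00 c4")
HTTP_SAMPLE = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, blob in (("log dump", DUMP_FROM_LOG), ("tls", TLS_SAMPLE), ("http", HTTP_SAMPLE)):
        print(name, classify_first_bytes(blob))
```

The dumped bytes parse as a length-consistent SSLv2-format CLIENT-HELLO advertising version 3.1, so the client in this log did send an SSL hello and not plaintext HTTP.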

Re: Mod-ssl and Apache

2007-09-11 Thread Yvo van Doorn
On 9/11/07, Mads Toftum [EMAIL PROTECTED] wrote:
 On Tue, Sep 11, 2007 at 01:10:20PM -0400, Aaron Smith wrote:
  Oh!  My apologies. I thought this was a mailing list for mod_ssl
  independent of version.
 
 It has been used for both versions over time - this is pretty much the
 first time anyone complained.

 vh

 Mads Toftum
 --
 http://soulfood.dk

It's not really complaining, more that modssl.org and its downloads
are geared for apache 1.3.x, not apache 2.x, as they incorporated
modssl into the source; thus you can pretty much expect better support
for apache 2.x related modules, incl. modssl, on the apache mailing
lists.


Re: Apache wont start with ssl

2007-04-01 Thread Yvo van Doorn

Sounds to me like sem files have gotten the best of you. Did you
compile Apache with mm? Try using ipcclean to clean up the semaphores.

Google for ipcclean; while its intentions and uses were meant for
postgres, it basically removes the semaphores for any user (including
apache's user, whatever that may be on your server).

Btw this is more of an Apache related problem as opposed to a mod_ssl
problem :-).



On 5/2/07, Ryan Forrester [EMAIL PROTECTED] wrote:

Mqueue dir had only 5mb files in it.

[EMAIL PROTECTED] ~]# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-LogVol00
                       15G  5.0G  8.8G  36% /
/dev/ida/c0d0p1        99M   16M   78M  17% /boot
tmpfs                 569M     0  569M   0% /dev/shm



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Paris
Sent: Sunday, April 01, 2007 3:10 PM
To: modssl-users@modssl.org
Subject: Re: Apache wont start with ssl


Occasionally, /var/spool/clientmqueue can bite you as well.  The
filesystem will not show 100% used but you'll be out of inodes.  (If
that happens, you'll have loads of fun clearing it out ;-)

Good Luck!
-dsp




Andy Cravens wrote:
 Judging from the error message "No space left on device" sounds like
 some file system is full... maybe /tmp.  The next time this happens open
 a shell window and type:

 df -k

 Check the output to see if one of your file systems is full.  Look at
 /tmp and /swap specifically



 Ryan Forrester wrote:
 When attempting to start apache in SSL mode:
 $ /home/servers/apache_1.3.37/bin/apachectl startssl
 $ semget: No space left on device

 Rebooting the machine allows me to start apache once more.. but after
 a few days, apache will fail and the same error occurs again, and the
 only way to resolve is to reboot.
 - Apache will start in normal mode without a reboot.

 error_log doesn't contain any useful information to help troubleshoot the
 problem.




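An added example, not part of the original posts, for confirming the semaphore diagnosis in this thread on Linux: semget() returns ENOSPC ("No space left on device") when creating a set would exceed the limit on semaphore sets (SEMMNI) or on total semaphores (SEMMNS). The code compares `ipcs -s` output with the four values in /proc/sys/kernel/sem; both inputs below are constructed, and the owner name "www" is a placeholder for the web server's user.

```python
from collections import Counter

def parse_ipcs_semaphores(text):
    """Return one (semid, owner, nsems) tuple per semaphore set listed by `ipcs -s`."""
    sets = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows look like: key semid owner perms nsems
        if len(fields) == 5 and fields[0].startswith("0x"):
            sets.append((int(fields[1]), fields[2], int(fields[4])))
    return sets

def semaphore_report(ipcs_text, kernel_sem):
    """Compare live semaphore usage against the limits in /proc/sys/kernel/sem."""
    semmsl, semmns, semopm, semmni = (int(v) for v in kernel_sem.split())
    sets = parse_ipcs_semaphores(ipcs_text)
    per_owner = Counter(owner for _, owner, _ in sets)
    total_sems = sum(n for _, _, n in sets)
    return {
        "sets_used": len(sets), "sets_limit": semmni,
        "sems_used": total_sems, "sems_limit": semmns,
        # Any further semget() that creates a set fails once either limit is reached.
        "exhausted": len(sets) >= semmni or total_sems >= semmns,
        "top_owner": per_owner.most_common(1)[0] if per_owner else None,
    }

# Constructed sample of `ipcs -s` output on a host where the web server user
# (here "www") has left semaphore sets behind across restarts.
IPCS_SAMPLE = """\
------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 32768      www        600        1
0x00000000 65537      www        600        1
0x00000000 98306      www        600        1
0x0052e2c1 131075     postgres   600        17
"""
# Constructed /proc/sys/kernel/sem contents: SEMMSL SEMMNS SEMOPM SEMMNI.
# SEMMNI is set to 4 here so the small sample reaches the limit.
KERNEL_SEM_SAMPLE = "250 32000 32 4"

if __name__ == "__main__":
    print(semaphore_report(IPCS_SAMPLE, KERNEL_SEM_SAMPLE))
```

A report whose `top_owner` is the web server's user and whose set count sits at the limit matches the symptom that a reboot clears the error and it returns after a few days.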

Re: Cannot load mod_ssl.so into server: The operating system cannot run %1

2007-02-15 Thread Yvo van Doorn

This list is about mod_ssl under Apache 1.3.xx, just like modssl.org
said it was. Furthermore as the apache website states, mod_ssl is now
part of Apache 2.x thus the support would be there.

On 2/15/07, Andrew Madu [EMAIL PROTECTED] wrote:

Operating system: Windows XP Professional
Version: 2002
Service Pack: 2

Apache HTTP version: 2.2.4 (Binary)

Syntax error on line 114 of httpd.conf:
Cannot load mod_ssl.so into server: The operating system cannot run %1

Of course line 114 in my httpd.conf document is:
LoadModule ssl_module modules/mod_ssl.so

The mod_ssl.so module is situated in C:\Program Files\Apache Software
Foundation\Apache2.2\modules.

What is the issue here and how can I best resolve it?

--
Regards

Andrew




Re: apache segfaults on startup after specifying the certificate file and key

2006-12-30 Thread Yvo van Doorn

You will have better luck on the apache mailing lists (
http://httpd.apache.org) as mod_ssl on this website, as told on modssl.org,
is only for apache 1.x. As of 2.x modssl is incorporated into the apache
distribution and is also maintained by the apache http server project.

On 12/29/06, Mark Robinson [EMAIL PROTECTED] wrote:


Hi all,
I am running freebsd 6.1 and apache 2.2.0_7
I am new to SSL and have configured a self-signed certificate
according to http://slacksite.com/apache/certificate.html
I placed the .crt and .pem files in /usr/local/etc/apache22 and set
the .pem file readable only by root
When I start up apache it gives a segmentation fault and stops.
When I set the logging option in httpd.conf to debug,
the log file shows the following before the seg fault:

[Sat Dec 30 00:48:27 2006] [info] Init: Seeding PRNG with 136 bytes
of entropy
[Sat Dec 30 00:48:27 2006] [info] Loading certificate & private key
of SSL-aware server
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_pphrase.c(469):
unencrypted RSA private key - pass phrase not required
[Sat Dec 30 00:48:27 2006] [info] Init: Generating temporary RSA
private keys (512/1024 bits)
[Sat Dec 30 00:48:27 2006] [info] Init: Generating temporary DH
parameters (512/1024 bits)
[Sat Dec 30 00:48:27 2006] [info] Init: Initializing (virtual)
servers for SSL
[Sat Dec 30 00:48:27 2006] [info] Configuring server for SSL protocol
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(405): Creating
new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(601):
Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:
+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(729):
Configuring RSA server certificate
[Sat Dec 30 00:48:27 2006] [warn] RSA server certificate CommonName
(CN) `mail.reoins.com' does NOT match server name!?
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(768):
Configuring RSA server private key
[Sat Dec 30 00:48:27 2006] [info] Server: Apache/2.2.0, Interface:
mod_ssl/2.2.0, Library: OpenSSL/0.9.8a
[Sat Dec 30 00:48:27 2006] [info] mod_unique_id: using ip addr
209.163.210.42

Thanks for any help or suggestions.



Re: SSL access from my apache.

2006-12-03 Thread Yvo van Doorn

You'll probably have better luck going to the httpd users mailing list
(found at http://httpd.apache.org) as opposed to this one as this mod_ssl is
developed for apache 1.x not apache 2.x

On 11/29/06, Tsurutani Naoki [EMAIL PROTECTED] wrote:


Hi,

I have a question about ssl_engine_io.c.
On my system of FreeBSD 6-STABLE, apache with following signature is
working :
Apache/2.2.3 (FreeBSD) mod_ssl/2.2.3 OpenSSL/0.9.7e-p1 DAV/2
PHP/4.4.4
 with Suhosin-Patch configured.
I found some log entries like
localhost - - [29/Nov/2006:09:54:01 +0900] GET / 400 653 - -
localhost - - [29/Nov/2006:09:54:02 +0900] GET / 400 653 - -
localhost - - [29/Nov/2006:09:54:03 +0900] GET / 400 653 - -
localhost - - [29/Nov/2006:10:43:04 +0900] GET / 400 653 - -
in my log file about ssl access. These entries are not found in normal
http access log.
This is caused by ssl_io_filter_disable() function in
modules/ssl/ssl_engine_io.c,
as I think, and I have no idea why these accesses are necessary.
Referencing to http access log, many accesses are found just before this
log's timestamp,
but they were not about ssl (I checked firewall log and found no entries
about tcp/443).
These logs were not found with apache-2.0.x before 1 year ago.

I want to know why this access occurs.
Please tell me.



Re: About FakeBasicAuth

2006-11-24 Thread Yvo van Doorn

That seems like an odd way of doing it. Seems more like an apache issue than
anything as this can be achieved with apache's included modules (like
mod_auth and mod_access).

Something like

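<VirtualHost 192.168.1.1:80>
ServerName example.com
DocumentRoot /great/example/here

<Directory /great/example/here>
# Deny first, then allow: hosts matching "Allow from" pass the host check
Order Deny,Allow
Deny from All
# Replace with your intranet prefix (like 192.168.1 or 192.168 etc)
Allow from 192.168.1
AuthType Basic
AuthName "Example"
AuthUserFile /path/to/your/htpasswd/file
# Needed so the password check applies to everyone else
Require valid-user
# Either the host check or a valid login is enough
Satisfy Any
</Directory>

</VirtualHost>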

You could easily just change the port to 443 and add the necessary SSL info
to have this work on a SSL'd host.

On 11/22/06, Luis Carlos Peinado Bravo [EMAIL PROTECTED]
wrote:


 Hi, I'm trying to do the following. When users from the Intranet access
to the website nothing will be required but if the users come from the
Internet a client certificate will be required to use it with the basic
authentication using the FakeBasicAuth option. I did what the link
http://www.modssl.org/docs/2.8/ssl_howto.html#ToC10 says but if I come
from the Intranet a client certificate is required (if I cancel it I get
access to the website) and if I come from the Internet a login box pops up.

Could you help me?



Having modssl run on different ports, is this even possible?

2006-10-11 Thread Yvo van Doorn
I am running Apache2 with the included mod_ssl module. I figure this is a
good place to start, but if it belongs on the apache httpd mailing list you
can bluntly tell me.

The servers I administer run in an environment that is pretty painful, but
common I hear. Another team at corporate headquarters administers the
firewall and what they are planning to do is as follows. I have no control
over the firewall whatsoever.

Any port 80 (http) request sent to the firewall for domain www.example.com
will then be rerouted to an internal IP, such as 172.16.15.102 (behind the
firewall), on port 8000. Thus I have apache listening on port 8000.

Any port 443 (https) request sent to the firewall for domain www.example.com
will then be rerouted to an internal IP, such as 172.16.15.102 (behind the
firewall), on port 9000. I want to have mod_ssl listening on port 9000, is
this possible?

Should a virtualhost entry just work, such as
<VirtualHost 172.16.15.102:9000>, and have the usual items such as SSLEngine,
SSLCertificateFile, SSLCertificateKeyFile, etc?

Any help is appreciated.

Yvo