Re: preventing client certs to be used by multiple users??
----- Original Message -----
From: "Conrad Friedrich" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, August 31, 2005 11:49 PM
Subject: preventing client certs to be used by multiple users??

> Hello,
> Is there a way to prevent users (that got a client ssl-certificate (pkcs12)
> for accessing my server) from giving their certs away to others and in that
> way enabling "unwanted" users access to my site?
> Or if there is no elegant solution, maybe someone knows how apache (or a log
> analyzer etc.) can inform me if two different IPs have tried to connect
> simultaneously using the same certificate?
>
> Many thanks
> Conrad Friedrich

The other replies pretty much say it all. If you're trying to prevent people from sharing their access to your data then have them sign some papers instead. Certificates and login credentials just won't do that for you.

/Daniel
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
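The log-analyzer idea from the question above can be built on mod_ssl's own request logging. The following is an added example, not part of the original thread: it flags a certificate serial that shows up from two different IPs within a short window. The log file name, the CustomLog line shown in the comment, the five-minute window and the assumption of a single issuing CA (so the serial alone identifies a certificate) are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed logging setup (hypothetical file name; %{...}x is mod_ssl's log syntax):
#   CustomLog logs/ssl_cert_log "%t %h %{SSL_CLIENT_M_SERIAL}x \"%{SSL_CLIENT_S_DN}x\""
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+(?P<ip>\S+)\s+(?P<serial>\S+)\s+'
    r'"(?P<dn>(?:[^"\\]|\\.)*)"\s*$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample input, not taken from any real server.
SAMPLE_LOG = """\
[31/Aug/2005:23:40:01 +0200] 192.0.2.10 0A "/C=DE/O=Example/CN=alice"
[31/Aug/2005:23:41:10 +0200] 192.0.2.10 0A "/C=DE/O=Example/CN=alice"
[31/Aug/2005:23:42:30 +0200] 198.51.100.7 0A "/C=DE/O=Example/CN=alice"
[31/Aug/2005:23:43:00 +0200] 203.0.113.5 0B "/C=DE/O=Example/CN=bob"
[01/Sep/2005:09:00:00 +0200] 203.0.113.99 0B "/C=DE/O=Example/CN=bob"
[31/Aug/2005:23:44:00 +0200] 192.0.2.50 - "-"
garbage line
"""


def parse_line(line):
    """Return (timestamp, ip, serial, subject_dn), or None if the line is
    malformed or the request carried no client certificate ("-")."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("serial") == "-":
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return ts, m.group("ip"), m.group("serial").upper(), m.group("dn")


def find_shared_certs(lines, window=timedelta(minutes=5)):
    """Report each (certificate, IP pair) where the same serial was presented
    from two different addresses less than `window` apart."""
    # Access logs are written at request completion, so sort before scanning.
    events = sorted(e for e in map(parse_line, lines) if e)
    recent = defaultdict(deque)  # serial -> recent (timestamp, ip) events
    findings = {}
    for ts, ip, serial, dn in events:
        queue = recent[serial]
        # Drop events that have aged out of the sliding window.
        while queue and ts - queue[0][0] > window:
            queue.popleft()
        for old_ts, old_ip in queue:
            if old_ip != ip:
                key = (serial, frozenset((old_ip, ip)))
                # setdefault keeps the earliest overlap for each IP pair.
                findings.setdefault(key, {
                    "serial": serial,
                    "subject": dn,
                    "ips": sorted((old_ip, ip)),
                    "first_seen": old_ts,
                    "second_seen": ts,
                })
        queue.append((ts, ip))
    return list(findings.values())


if __name__ == "__main__":
    for f in find_shared_certs(SAMPLE_LOG.splitlines()):
        print("serial %s (%s) used from %s between %s and %s" % (
            f["serial"], f["subject"], ", ".join(f["ips"]),
            f["first_seen"].isoformat(), f["second_seen"].isoformat()))
```

A hit is a lead rather than proof of sharing: clients behind load-balanced proxies or moving between networks also change address, so the window needs tuning to the user population.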
Re: errors
That is not very much information but one possible reason I can think of from the top of my head (I'm no guru) is this.

Make sure you're connecting with ssl and not http. Most browsers need to have https:// specified as far as I know. Trying to connect to http://www.example.com:443/ will not work since it's trying to connect with http protocol on a server only allowing ssl-protocol (they are completely different). Use https://www.example.com instead. SSL establishes connection and then HTTP is tunneled inside of the SSL protocol.

Just a thought.

Kind regards
/Daniel

----- Original Message -----
From: Cosmin
To: modssl-users@modssl.org
Sent: Monday, July 11, 2005 1:50 PM
Subject: errors

Hi,
I'm trying to configure apache with mod_ssl and I get some weird errors:

[Mon Jul 11 14:53:10 2005] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.168.1.2) (System and OpenSSL library errors follow)
[Mon Jul 11 14:53:10 2005] [error] System: Permission denied (errno: 13)
[Mon Jul 11 14:53:10 2005] [error] OpenSSL: error:81086072:lib(129):func(134):reason(114)
[Mon Jul 11 14:53:10 2005] [error] OpenSSL: error:81095076:lib(129):func(149):reason(118)
[Mon Jul 11 14:53:10 2005] [error] OpenSSL: error:1408B005:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:DH lib

Does anybody know what I'm doing wrong? Please help.

My server configuration:
- Apache/1.3.33 (Unix, Solaris)
- mod_ssl/2.8.22
- OpenSSL/0.9.7d
Re: https
There has been some discussion about that here lately. RS Engelschall said he would include a script that would produce a ca-bundle.crt from the Mozilla certdata.txt file in version 2.8.23 of mod_ssl which should be available now.

kind regards
/Daniel

----- Original Message -----
From: "kalin mintchev" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, July 13, 2005 10:51 AM
Subject: https

> hi all...
>
> i tried http-users list without success...
>
> i recently upgraded httpd from 1.3.x to 2.0.54. compiled httpd with mod_ssl.
> OpenSSL 0.9.7e...
> i remember that when building 1.3.x with mod_ssl the certificate was done
> at the time of compilation of the server. now with 2.0.54 i'm trying the
> instruction on:
> http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#realcert
>
> i did follow this a few times and that didn't work. then i did this a few
> times:
> http://www.samspublishing.com/articles/article.asp?p=30115&seqNum=4&rl=1
>
> it didn't work either.. in both cases the message i get is that the
> connection is refused...
>
> the only difference between the old 1.3.x apache build on the machine and
> the new 2.0.54 is these two lines below in the ssl conf section.
> when i start the new one i get a message that ca-bundle.crt is missing -
> and it is. on the old machine it came with the apache src. there isn't
> such file here now. i could copy it but maybe that's not a great idea, is it?
>
> SSLCACertificatePath /usr/local/httpd/conf/ssl.crt
> SSLCACertificateFile /usr/local/httpd/conf/ssl.crt/ca-bundle.crt
>
> i need this issue resolved relatively soon because that's the only thing
> stopping this machine to go in production...
>
> thanks a lot...
Re: change your autoreply configuration!!!!
I'm so sorry, I had no idea that was happening. I'm using a company mail here. The only thing I can do about it is unsubscribe, I'll do that immediately.

/Daniel

----- Original Message -----
From: Harald Langaker
To: [EMAIL PROTECTED]
Cc: modssl-users@modssl.org
Sent: Friday, June 24, 2005 11:26 AM
Subject: change your autoreply configuration

Hey!
You autoreply "out of office" to modssl-users@modssl.org
Can you please STOP that, I DO NOT WANT TO GET A MAIL FROM YOU EVERY TIME SOMEONE SENDS A MAIL TO modssl-users@modssl.org!!!
Otherwise there has to be taken action to get you off the list!

Harald Langaker
Senior Quality Assurance Engineer
Fon +49.6151.82897-46
Fax +49.6151.82897-26
www.secude.com
mailto:[EMAIL PROTECTED]
SECUDE IT Security GmbH
Goebelstraße 21, 64293 Darmstadt, Germany
CEO: Dr. Heiner Kromer
SECUDE is member of iT_SEC SWiSS AG
www.itsec-swiss.com
Re: certificate and authentication re-prompting
Could be your browser's settings. If you're running Firefox go to the menu Tools > Options. Select Advanced and scroll down to the Certificates area. Set Client Certificate Selection to Select Automatically. This is often the cause of such behaviour.

Hope this helps.

Best regards
/Daniel

----- Original Message -----
From: C T
To: modssl-users@modssl.org
Sent: Wednesday, June 22, 2005 2:34 AM
Subject: certificate and authentication re-prompting

I need some advice/help.

I am running...well my web host service is running...
Apache/2.0.46 (Red Hat) Server
openssl-0.9.7a-33.12
mod_ssl-2.0.46-44.ent

Also, I was originally set up through some kind of "virtual hosting", but I paid extra for SSL, and I have a httpsdocs folder. (if you can't tell I'm new to this) I also use .htaccess with .htpasswd for user authentication.

Everything seems to be working fine, but my problem is...
I can enter my domain with the https://. OK
I get prompted to accept the certificate, and I get prompted for the username/password. OK
The problem surfaces when I begin to browse around in the https area. Sooner or later I will get re-prompted to accept the certificate and enter my username/password, again.

I don't know why it does this, and my web hosting service can't seem to explain it either. I've reproduced the error on more than 4 computers. I can't find anything that would cause my browser session to expire, in mid-session.

Can anyone help me or give me a direction to go in? Be Kind, I'm new to apache and mod_ssl.

Thanks,
Craig
[EMAIL PROTECTED]
Re: Apache Proxy on SSL enabled server CONNECT hangs
Look at this
http://issues.apache.org/bugzilla/show_bug.cgi?id=19188

Best regards

> -----Original Message-----
> From: Emmanuel E [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 8 June 2005 16:47
> To: modssl-users@modssl.org
> Subject: Apache Proxy on SSL enabled server CONNECT hangs
>
> Sorry for the repost but there is a bug report also open at
> http://issues.apache.org/bugzilla/show_bug.cgi?id=11232
> The bug id is 11232.
>
> Hi,
>
> I have the following setup of Apache on Win 32.
>
> Apache running only on port 443 with SSL enabled and proxying
> enabled.
>
> I am using the precompiled binaries available at
> http://www.apache.org/dyn/closer.cgi/perl/win32-bin/
>
> The normal usage is like this:
>
> web client <-https connection to proxy-> Apache Proxy on port 443
> <-normal processing of proxy request-> Remote web server.
>
> The connection between the web client and the proxy is https
> or ssl encrypted. The connection between the proxy and the
> remote web server may or may not be.
>
> This setup works fine as long as the client issues only GET
> and POST requests. But when the client issues a CONNECT
> request (to reach a secure remote web server via the secure
> proxy) the proxy server abruptly drops the connection after a
> few seconds.
>
> Without an SSL connection between the client and the proxy
> CONNECT works fine.
>
> The problem exists both on the latest version of apache 1.3
> and 2.0. I have tested them on a winxp box.
>
> Possibly mod_ssl on win32 is not able to handle streams of
> unknown length properly?
>
> Is it possible to have a stable port of OpenSSL/mod_ssl on win32 :( ?
>
> Regards,
> Emmanuel
Re: Redirection limit for this URL exceeded.
Do you have different VirtualHosts configured for the domain-name and the IP-address? If so, do they differ in configuration?

/Daniel

----- Original Message -----
From: Rob Waldrum
To: modssl-users@modssl.org
Sent: Thursday, June 02, 2005 3:36 PM
Subject: Redirection limit for this URL exceeded.

Hi,

I'm still getting this error:

Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked.

I have configured Tomcat for SSL on port 8443. I can bring tomcat up at https://www.mydomain.com:8443 just fine. But when I add the apps portion, such as: https://www.mydomain.com:8443/apps, I get the above error. However, when I just use the IP address, such as: https://12.34.56.78:8443/apps it works just fine.

I have pored over tomcat documentation, reviewed my setup and configuration, checked the logs, everything. I'm stumped. Any ideas?

Rob
Re: SSL Client Auth with Virtual Hosts
I'm not a guru but I would suspect that your NameVirtualHost directives need to differ. You probably need to configure the virtual hosts using their domain names, like this:

NameVirtualHost abc1-no-client-auth.com:443
...
NameVirtualHost abc1-ssl-client-auth.com:443
...

Otherwise I think one will just overwrite the other.

Also for MSIE compatibility it is recommended that you add the following to the virtual host configuration:

SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

Hope this was helpful.

/Daniel

----- Original Message -----
From: "Hoda Nadeem" <[EMAIL PROTECTED]>
To:
Sent: Thursday, June 02, 2005 3:26 PM
Subject: RE: SSL Client Auth with Virtual Hosts

Are there any parameters that I am missing, or am I doing something incorrect? On my setup, client authentication is either on or off globally. I can't seem to isolate it at the virtual host level.

Thanks.
Nadeem

Example again:

NameVirtualHost 111.111.111.111:443

ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www
ServerName abc1-no-client-auth.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www
ServerName abc1-ssl-client-auth.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /etc/httpd/conf/ssl.crt/server-calist.crt
SSLOptions +StdEnvVars +ExportCertData
Re: SSL Client Auth with Virtual Hosts
Yes, I've had an environment like that running.

/Daniel

----- Original Message -----
From: "Hoda Nadeem" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, May 31, 2005 6:05 PM
Subject: SSL Client Auth with Virtual Hosts

Does anybody know if it is possible to use virtual hosts with one virtual host with ssl client authentication, but the other one without?

Example:

NameVirtualHost 111.111.111.111:443
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www
ServerName abc1-no-client-auth.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

NameVirtualHost 111.111.111.111:443
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www
ServerName abc1-ssl-client-auth.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /etc/httpd/conf/ssl.crt/server-calist.crt
SSLOptions +StdEnvVars +ExportCertData
SSLSessionCache none
Re: Getting 'no shared ciphers' while connecting to the server
Here follows a simple full server SSL setup for reference.

--
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex default
SSLCertificateFile conf/ssl/www.yourdomain.com.crt
SSLCertificateKeyFile conf/ssl/www.yourdomain.com.key
SSLCACertificatePath conf/ssl
SSLCACertificateFile conf/ssl/YourCA.crt
SSLCARevocationFile conf/ssl/YourCA.crl
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 1
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
--

This will allow connections with SSLv3 and TLSv1 from clients with proper certificates. To skip client auth just remove these two lines:

--
SSLVerifyClient require
SSLVerifyDepth 1
--

Hope that was helpful.

/Daniel, Gizmondo Studios

----- Original Message -----
From: "Alaka Pathy" <[EMAIL PROTECTED]>
To:
Sent: Tuesday, May 31, 2005 9:44 AM
Subject: Getting 'no shared ciphers' while connecting to the server

> Hi All,
>
> I'm using Apache 1.3.31 with mod_ssl 2.8.17 and
> OpenSSL 0.9.7d binaries. I use RSA based self signed
> certificates for SSL communication.
> My httpd.conf has the following SSLCipherSuite
> configured
>
> SSLSessionCacheTimeout 600
> SSLOptions +StdEnvVars +ExportCertData
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> But, in a freshly installed server, the server doesn't
> accept any requests and I get the following errors
> repeatedly in the Apache error log
>
> mod_ssl: SSL handshake failed (server
> 198.149.32.40:443, client 198.149.32.32) (OpenSSL
> library error follows)
> [Mon May 23 13:37:43 2005] [error] OpenSSL:
> error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no
> shared cipher
> [Hint: Too restrictive SSLCipherSuite or using DSA
> server certificate?]
>
> I browsed the modssl FAQ and got, that sometimes
> regenerating certificates helps. I regenerated the
> server certificates, but I'm still facing the same
> issue.
>
> Has anybody experienced such an error ? Any help is
> appreciated.
>
> Thanks in advance,
> -Alaka
Enabling SSL
How can I use a .htaccess file to enable ssl connections on a dedicated server? When I try to connect to a page on the site, I get a 404 Not Found error.

The configuration from the server is:

Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.9 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7a PHP-CGI/0.1b (from phpinfo()).

It seems like I should be able to connect using an https prefix, and that I should be able to use a .htaccess file to accomplish this, but I'm having trouble finding exactly how to do this. Can anyone point me to an example?

TIA
Combining Reverse Proxy with a Forwarding Proxy and SSL
Hello guys,

I have a problem with a special environment:

Client ---http> Apache Reverse Proxy (1.1.1.1) -https-> Squid Forwarding/Caching Proxy (1.1.1.2) https-> Webserver (1.1.1.3)

The client makes http-request to my apache reverse proxy. This reverse proxy should forward this request via https to the real webserver. But this request should go through a forwarding/caching proxy (squid).

If I setup this environment with apache 2.0.51 and this config:

ServerName XX
ServerAdmin [EMAIL PROTECTED]
ProxyRequests Off
ProxyRemote * http://1.1.1.2:3128
SSLProxyEngine on
ProxyPass / https://1.1.1.3/
ProxyPassReverse / https://1.1.1.3/

I got the following error message:

[error] (20014)Error string not specified yet: proxy: request failed to 1.1.1.2:3128

If I use http between reverse proxy and the webserver it works with the forwarding proxy:

Client ---http> Apache Reverse Proxy (1.1.1.1) -http-> Squid Forwarding/Caching Proxy (1.1.1.2) http-> Webserver (1.1.1.3)

It also works with https, if I don't use the proxy:

Client ---http> Apache Reverse Proxy (1.1.1.1) -https-> Webserver (1.1.1.3)

Is my environment supported by apache with modssl??? If yes, how do I have to configure the apache??

Thanks and best regards
daniel
Clientauthentication with Certificates and Apache
Hello guys,

I have the following pki-environment:

                  RootCA
                 |      |
  Issuing SubCA-1      Issuing SubCA-2
         |                    |
     UserCert-A           UserCert-B

I want to make clientauthentication with certificates only for users with certs from the Issuing SubCA-2. So I made the following configuration:

SSLVerifyClient require
SSLCACertificateFile CACHAIN.PEM
SSLVerifyDepth 2

CACHAIN.PEM includes the cert from RootCA and from the Issuing SubCA-2.

Now comes the problem. Not only users with certs from SubCA-2 can connect, also users with certs from the SubCA-1 (f.i. UserCert-A) can connect. How can I avoid this???

I tried to use only the certificate from SubCA-2 in the directive (SSLCACertificateFile SubCA-2.pem), but with this config no one can connect, also not the clients with certs from SubCA-2.

I know the possibility to check for various ingredients of the client certificate (http://www.modssl.org/docs/2.8/ssl_howto.html#auth-particular) but I don't want to use this.

I read an old post (http://www.mail-archive.com/modssl-users@modssl.org/msg10335.html) in this mailinglist. This post said that users with certs from SubCA-1 should not be able to connect.

Please help, I have no new ideas.

Best regards
daniel
Re: A method to enable secure non-HTTP protocols
Nice :)

Apache 2 protocol modules should allow you to do this without having to patch the server (using filters), as in Apache 2 HTTP is just another protocol module that can be inserted or removed. In Apache 2 mod_ssl itself is implemented as a filter.

On Mon, Jul 26, 2004 at 06:22:55PM +0200, Pablo Royo Moreno wrote:
> For some years, we have been in my company running a secure non-http file transfer
> system. Nowadays, with more and more system administrators allowing secure incoming
> connections only through 443 port, that system doesn't work, because it does not
> speak HTTP and 443 port is usually already used by web servers, so we can't use it
> for our systems.
> So there is no solution, if system admin does not open another port, except to use
> 443 port.
>
> Now we have made a mod_ssl patch to allow non-HTTP secure incoming connections to be
> deciphered and forwarded to a selected server, configured in conf file, while also
> serving HTTP in the usual way. I'm not sure if this can be done in any other way
> with Apache modules, but it works and it's all I need.
>
> The patch is in
>
> http://spipe.sourceforge.net
>
> If you see documentation, you will see there are some other interesting (I think)
> use cases to create secure "pipes" from one web server to another.
>
> Hope it will be of help to someone in the same situation. If not, just consider it a
> more or less summer academic experiment.
>
> Thank you
Re: Encryption and weblogic module
But that module is for when Apache has been compiled with SSL (EAPI patches); it does not provide SSL support.

> Weblogic used to provide an ssl version of the mod_wl module, I think it
> was named mod_wl_ssl. Obtaining the correct mod_wl_ssl may be dependent
> on which version of weblogic and apache are being used.
>
> We have run this configuration on Apache 1.x
>
> client --> FireWall --> Apache --> Firewall ---> Weblogic
>          only port 443  mod_wl_ssl   port
>                                      is configurable
>
> David
Re: Encryption and weblogic module
client (a)-> Apache -(b)> Weblogic

If the client connects to Apache using SSL, (a) will be encrypted but (b) will not (unless you can configure mod_wl to use SSL, which I don't believe you can). The assumption is that (b) is occurring over a private, trusted network. If you need to encrypt (b) I would suggest either setting up a VPN or using Apache as a reverse proxy with SSL (the weblogic protocol in modern versions is basically HTTP with a couple of extra headers).

cheers

Daniel

> Hello everyone.
>
> I am quite new to ssl, so I have a question.
>
> While a connection between a pc client and
> a web server is encrypted, I do not know if
> the connection that may result thereafter is
> encrypted too, that is, if ssl.conf contain
> an entry that look like this:
>
> SetHandler weblogic-handler
> WebLogicCluster host1.dom.dom.se:9,host2.dom.dom.se:9
> ErrorPage /xx/xxx/xxx/xxx/errpage.html
>
> Is the data that is sent and received between the
> webserver and host1/2.dom.dom.se also encrypted, and
> is there a way to check that ?
>
> Or is the question about encryption something that
> (in this case) the weblogic module (that Apache uses)
> is responsible for ?
>
> Regards
>
> Anders

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
force mod_ssl to choose 3DES over RC4 ciphers?
Hello all,

I would like our secure server to default to 3DES 168-bit high encryption for SSL sessions, but with the ability to fall back to 128-bit RC4 _only_ if the client doesn't support 3DES. My current cipher-spec for the SSLCipherSuite directive is 'HIGH:MEDIUM' which, with my version of OpenSSL, equates to:

EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5

Is it possible to construct a cipher-spec string that will make Apache/mod_ssl choose a 3DES cipher when both RC4 and 3DES are 'offered' by the client (most clients seem to offer RC4 ciphers before 3DES ones in the 'Client Hello')? It seems that unless I completely disable RC4 on the server, it always gets chosen ahead of 3DES :-(

This is my first post here so thanks in advance for any help.

Kind Regards,

Daniel Eggleston
Senior Network Developer
Boxing Orange Ltd
t: 0871 871 2774
f: 0871 871 0068
[EMAIL PROTECTED]
http://www.boxingorange.com/
Re: symmetric or asymmetric ?
> 1. The modssl web site refers to the SSL cryptography algorithm
>    as being conventional, or symmetric. But mod-ssl uses public
>    and private keys, which are known as parts of asymmetric
>    cryptography. Any explanation ?

Asymmetric cryptography is used to agree and exchange keys for symmetric cryptography (much faster).

> 2. I copied a mod-ssl-enhanced apache-2.0.48 installation to
>    another machine, replaced the certificate file ( server.crt )
>    with another certificate ( but same file name ), and made
>    some small changes in httpd.conf and ssl.conf. Of course,
>    this did not work. Is there any way that I can generate a
>    new private key ( server.key file ) according to the
>    public key in the new certificate file ? Or should I remove
>    everything and install again, the proper way ?

"it did not work" does not tell us much :) Which errors did you get? What did you change? What is the current conf?

Since you are just starting with mod_ssl, I suggest reinstalling from scratch rather than trying to figure out what may be going wrong.

You can find detailed information on how SSL works (symm/asymm., certificates, etc.) and how to get Apache 2 + mod_ssl working in a chapter I have online at http://www.apacheworld.org/ty24/site.chapter17.html

Cheers

Daniel
mod_ssl & kerberos ?
Hello,

I want to ask if the following setup is possible:

Clients will be authenticated towards apache with x509 certificates (mod_ssl). Would it now be possible to give authenticated clients a kerberos ticket which could be read out in php/perl? I would like to use this ticket to authenticate the client towards a database like postgresql.

(Background: In my web application I use postgresql, where I will write rules which automatically log certain actions of the client like update or delete queries. So I do need every client to be logged in the database with a different name, but I don't want to store the usernames & userpasswords in a file accessible to php, nor do I want to do the logging in php. I want to move as much logic as possible to the database, which will make it easier in future to change the interface from php to java for example.)

Best regards,

Daniel Struck

--
Retrovirology Laboratory Luxembourg
Centre Hospitalier de Luxembourg
4, rue E. Barblé
L-1210 Luxembourg
phone: +352-44116105
fax: +352-44116113
web: http://www.retrovirology.lu
e-mail: [EMAIL PROTECTED]
Apache 2.0.45, mod_ssl, and virtual hosts
Okay, I've been working on this for the past few days, and it's just bugging the HECK out of me. I can get mod_ssl to work, I can get virtual hosts to work, but for the LIFE of me, I can't get them to work AT THE SAME TIME.

httpd2 --help gives:

[warn] VirtualHost {IP}:0 overlaps with VirtualHost {IP}:0, the first has precedence, perhaps you need a NameVirtualHost directive
[warn] VirtualHost {IP}:80 overlaps with VirtualHost {IP}:0, the first has precedence, perhaps you need a NameVirtualHost directive

41_mod_ssl.default-vhost.conf:

DocumentRoot /var/www/html
ServerName VirtServ1.domain.tld
DocumentRoot /var/www/html/vs1
DocumentRoot /var/www/sslstuff

In this example, SSL works, but virtual hosts do not (I should mention that Vhosts.conf is just plain blank (everything commented out)).

Now, I make it:

NameVirtualHost {IP}
DocumentRoot /var/www/html
ServerName VS1.domain.tld
DocumentRoot /var/www/html/vs1
DocumentRoot /var/www/sslstuff

Lo and behold, virtual hosts work, but SSL does not. 'httpd2 --help' replies with:

[error] VirtualHost {IP}:80 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results

var/log/httpd/error_log reads:

[error] [client {IP}] Invalid method in request F^A^C

Replacing with results in the same.

I don't see where the '[error] VirtualHost {IP}:80 -- mixing * ports and non-* ports' comes from, as I'm not defining anything with :80 (unless it's automatically 'assumed' somewhere since I'm defining :443)

Basically, it's requiring a and NO NameVirtualHost {IP} in order to get SSL working.

And yes, I've tried entry, sslconfig , followed then by NameVirtualHost {IP} for all the rest of the virtual hosts. SSL doesn't work then either (and virtual hosts do), though httpd2 --help now reports:

(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs

So, any thoughts/ideas?

--
Daniel Bentley - Network Technician, QSI Corporation (www.qsicorp.com)
chown -R us *base*
Re: Apache 2.x SSL failing -- "no listening sockets available, shutting down"
> Hello, I have attempted several times on 2 platforms to install and run Apache
> SSL. Linux PPC and Linux Redhat8.0
[...]
> I wondered, of course, if some mod_ssl package is required in the mod
> structure, but found no documentation for Apache 2.x to that effect anywhere I
> looked.

Take a look at http://www.apacheworld.org/ty24/, in the secure server chapter for detailed instructions on how to get Apache 2 working with SSL

Cheers

Daniel
Re: Using ssl/mod_ssl on non-apache HTTP server
Take a look at the code of Webmin, it uses a Perl based webserver that can use SSL if available.
http://www.webmin.com

I have a chapter online introducing the main SSL concepts, it is focused on apache but it should be useful for the basics:
http://www.apacheworld.org/ty24/

then, for the programming side of things, this is a good book:
http://www.amazon.com/exec/obidos/tg/detail/-/059600270X

As a reference book, I found this one invaluable:
http://www.amazon.com/exec/obidos/tg/detail/-/0201615983

Cheers

Daniel

> Hi -
>
> I'm new to ssl/mod_ssl so please forgive me if this post
> is out in left field. I have a new contract to develop
> secure TCP/IP communication between many customer sites.
> I have prototyped a non-secure HTTP server/client system
> written in Perl. My client likes it - but he demands high-
> level security.
>
> In my years of web programming, there has always been the
> 'security' guy around to take care of these 'details' for
> me, but now I am him... :)
>
> I have been plowing through the Openssl, Perl modules
> (Net::SSLeay, etc.) documentation, but it's slow going
> and it hasn't 'clicked' yet for me.
>
> Do any of you have suggestions of other resources that
> might help me? HOWTOs, FAQs, Articles, Books, anything?
>
> Aloha => Beau.
Re: new to Apache-SSL world needs help
> At this point I have to customize http.conf and ssl.conf files.
> Could you send me an example of such files already modified? I need to
> understand what I must change.

You can take a look at http://apacheworld.org/ty24/site.chapter17.html for building instructions and example minimal configuration. Notice that you also need to pass --enable-ssl when building, that should create a sample ssl.conf file in the conf directory

Cheers

Daniel

On Wed, Jan 29, 2003 at 02:43:06PM +0100, Zampognaro Sergio wrote:
> Hi all,
> I need to migrate a web site from http to secure https. Mine is a Digital
> UNIX V4.0F (Rev. 1229) server.
>
> I downloaded following packages:
> - openssl-0.9.7
> - httpd-2.0.44
>
> 1) openssl installation - steps performed:
>
> ./config --prefix=/home/aspprod/aspapp/mySSL/openSSL
>
> make
> I got this warnings on stderr:
> ar: Warning: creating ../libcrypto.a
> ar: Warning: creating ../libssl.a
>
> make test
> On stderr I got this messages contained in attached file:
> errore3.txt
>
> make install
> I got this messages on stderr:
> ./pod2mantest: pod2man: not found
> pod2man does not work properly ('BasicTest' failed). Looking for
> another pod2man ...
> No working pod2man found. Consider installing a new version.
> As a workaround, we'll use a bundled old copy of pod2man.pl.
>
> First of all do you think all this warnings are fatal for my openssl
> installation?
>
> 2) apache2 installation - steps performed:
>
> ./configure --prefix=/home/aspprod/aspapp/mySSL/apache2
> --with=/home/aspprod/aspapp/mySSL/openSSL
>
> make
> I got a lot of warnings on stderr!
>
> make install
>
> At this point I have to customize http.conf and ssl.conf files.
> Could you send me an example of such files already modified? I need to
> understand what I must change.
>
> thanks in advance!
> Sergio
>
> SchlumbergerSema
> ing. Sergio Zampognaro
> System Integration - SMA
Re: Apache-SSL vs mod_ssl
> What's the benefit of mod_ssl compared to Apache-SSL???

mod_ssl is derived originally from Apache SSL
mod_ssl is more widely used than Apache SSL
Apache SSL supports Apache 1.x
mod_ssl supports Apache 1.x and 2.x

Cheers

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
Re: Create new SSL certificate for https
> I need to create new certificates for my apache server. I'm a little confused on how to do this. Does anyone have a good link they can tell me or anything.

This should give you a good understanding of certificates and how to use the openssl command line tool to manage them:
http://apacheworld.org/ty24/site.chapter17.html

Best regards

Daniel
Re: Mod_ssl in apache 2.X
For mod_ssl on Apache 2.0 you may want to check also the secure server chapter I have online, which contains step by step instructions
http://www.apacheworld.org/ty24/

Best regards

Daniel

> Hi!
>
> I'm not here to quarrel with you kid. I'm here to get some help, and your
> insults are not helping very much.
>
> I thought this was the modssl-users list for people with
> not-so-much-expert-knowledge and not the linux-experts-with-nolife
> mailinglist.
>
> I'm working under time pressure and cannot afford reading old documentation
> all day and then guess how the latter versions work (but of course I have
> read most of the old documentation anyway...).
>
> If I understand the example below I could rewrite it:
>
> CC="pgcc" CFLAGS="-O2" \
> ./configure --prefix=/sw/pkg/apache \
> --enable-ssl=shared
> ?
>
> ... and load "mod_ssl.so" dynamically with "Loadmodule" later on? Right?
> (Of course it's right.. ;) )
>
> "Now you have to do some work on your own, you can't expect others to do it
> all for you and remain lazy."
>
> You call me lazy and think you know me after one email, that's cute. ;) I
> was asking a question and not hiring you or anybody else for a job. You even
> didn't have to answer. I'm not demanding anything. (This is the first time I
> ask a usergroup a question at all, silly.)
>
> "The new apache is not the best as far as documentation concerns, certainly
> not up to the documentation that the older apache with or without mod-ssl
> integration, but, there is info to be gleaned, if one looks"
>
> Right, I and other developers still haven't all day, that's why it exists
> user-groups to ask someone who already knows and perhaps have some time over
> for a clear answer.
>
> If I had some time over myself I would be happy to contribute with some
> quick-start-(dummy)-tutorials, because it's needed. Setting up Apache2 with
> SSL must be one of the most common configurations... Perhaps I will
> contribute in not-so-distance-future. ;)
>
> Regards
>
> /Johan
>
> -Original Message-
> From: R. DuFresne [mailto:[EMAIL PROTECTED]]
> Sent: den 4 december 2002 16:53
> To: Johan Bryssling
> Cc: [EMAIL PROTECTED]
> Subject: Re: Mod_ssl in apache 2.X
>
> Didn't read any of the documentation in that tarball did ya?
>
> INSTALL
>
> [SNIP]
>
> For a short impression of what possibilities you have, here is a
> typical example which configures Apache for the installation tree
> /sw/pkg/apache with a particular compiler and flags plus the two
> additional modules mod_rewrite and mod_speling for later loading
> through the DSO mechanism:
>
> $ CC="pgcc" CFLAGS="-O2" \
> ./configure --prefix=/sw/pkg/apache \
> --enable-rewrite=shared \
> --enable-speling=shared
>
> The easiest way to find all of the configuration flags for Apache 2.0
> is to run ./configure --help.
>
> [SNIP]
>
> The new apache is not the best as far as documentation concerns, certainly
> not up to the documentation that the older apache with or without mod-ssl
> integration, but, there is info to be gleaned, if one looks.
>
> How about the apache web pages, read that at all?
>
> Now you have to do some work on your own, you can't expect others to do it
> all for you and remain lazy.
>
> Thanks,
>
> Ron DuFresne
>
> On Wed, 4 Dec 2002, Johan Bryssling wrote:
>
> > Hi!
> >
> > I have a couple of questions:
> >
> > If mod_ssl is included in apache2.x why doesn't it show up in the
> > modulelist when I use:
> >
> > %> httpd -l
> >
> > ?
> >
> > If it's not "included" when I "default" compile (using the INSTALL-file
> > instructions), how do I know how to compile in the mod_ssl into the apache
> > (if this is my first time)?
> >
> > Where do I find information about these things, I certainly don't install
> > apache at a regular basis.. ;-)
> >
> > I noted a default config file for SSL (I also found an include into the
> > httpd.config-file) and used the command:
> >
> > %>httpd -DSSL -k start
> >
> > .. but it(apache) couldn't find the mod_ssl.. Why? If it's included I
> > shouldn't bother or?... Something I missed?
> >
> > All help will be appreciated.
> >
> > Thanks...
> >
> > /Johan
> >
> > ps. Thinking of using Apache 1.3.7 instead due to the extended source of
> > good documentation.
Re: certificate problems
> Just installed our new Verisign cert on our apache box but are having two
> problems with it:
>
> 1. The person who generated the key that was sent to verisign used the wrong
> common name so the secure URL we use doesn't match the URL on the cert,
> throwing up a warning screen...any way around this other than starting over
> with a new cert?

Unfortunately no, you will need to get a new one or move your secure pages to that domain.

> 2. Whenever we start httpd we are prompted for a password for ssl to start,
> which doesn't work for us as httpd restarts itself every night. Our old cert
> never did this, is this something new?

The key is encrypted, so in case anyone broke into your server, the attacker would not be able to simply take your certificate and key and impersonate you. He would also need that passphrase. The way of doing this is to decrypt the key :

# ./usr/local/ssl/install/bin/openssl rsa -in www.example.com.key \
    -out www.example.com.key.unsecure

(more info at http://www.apacheworld.org/ty24/site.chapter17.html)

mod_ssl also has a directive so you can have a script provide that phrase automatically. It is convenient, but not really any more secure, see the "How can I get rid of the pass-phrase dialog at Apache startup time?" entry at http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html

Cheers

Daniel
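The two ways of starting httpd unattended that the reply above mentions, written out as mod_ssl configuration with the trade-off of each in the comments. This is an added example, not part of the original message; the file paths and the helper program name are placeholders.

```apache
# Added example; file paths and the helper program name are placeholders.

# Option 1: key decrypted with "openssl rsa -in ... -out ..." as in the reply.
# httpd starts unattended, but the key file alone now lets anyone who copies
# it impersonate the site: keep it owned by root with mode 400. httpd reads
# it as root at startup, before the children switch to the unprivileged user.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /usr/local/apache2/conf/ssl/www.example.com.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/ssl/www.example.com.key.unsecure
</VirtualHost>

# Option 2 (instead of option 1): leave the key encrypted and let a program
# supply the pass phrase. Server-wide directive, outside any <VirtualHost>.
# mod_ssl runs the program at startup with two arguments, "servername:port"
# and the key type ("RSA" or "DSA"), and reads the pass phrase from its
# standard output. The pass phrase then lives in, or is reachable from, that
# program, so it needs the same root-only permissions as an unencrypted key.
#
# SSLPassPhraseDialog exec:/usr/local/apache2/conf/ssl/pass-phrase-helper
# ... with SSLCertificateKeyFile pointing at the encrypted www.example.com.key
```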
Re: mod-ssl for apache 2.0.x - wasn't compiled
> [Questions]
> 1. Where can I explore further about mod_ssl on Apache-2.0.x ? Any link?

I have a detailed chapter online just on that : http://www.apacheworld.org/ty24/

> 2. Where can I download mod_ssl for Apache-2.0.39? (In case, the default
> "ssl" module in Apache 2.0.39 is not recommended.)

the one that comes with apache is fine

Cheers

Daniel
Re: Apache 2 +SSL
You can check out a chapter I put at http://www.apacheworld.org/ty24/site.chapter17.html for detailed explanation on how to get SSL working with Apache 2, including a conf snippet with the minimum set of directives to enable SSL

Cheers

Daniel

> I searched through some archives and found out Apache 2 comes with mod_ssl
> code included, and that to enable SSL/TLS support in Apache 2, one has to
> compile OpenSSL first, then compile Apache 2 and --with-ssl=/path/to/openssl
> I did exactly that. Isn't the default configuration file I get supposed to
> have some SSL directives in there? Am I brain dead? What am I missing?
>
> --
>
> Christopher Chaduka
> Webmaster/Systems Administrator
> Technical Department
> M-Web Zimbabwe
> Tel: +263 4 25 Fax: +263 4 708055
> Mobile: +263 11 600994
> http://www.mweb.co.zw
Re: Make CA for WebServer ( Apache )
It's in the mod ssl INSTALL file... Basically it's an added step when you make apache...

--from readme file...

$ cd apache_1.3.x                            ALL
$ SSL_BASE=../openssl-0.9.x \                ALL
  EAPI_MM=../mm-1.1.x \                      OPTIONAL
  ./configure \                              ALL
    --enable-module=ssl \                    ALL
    --prefix=/path/to/apache \               ALL
    [--enable-shared=ssl] \                  OPTIONAL
    [--disable-rule=SSL_COMPAT] \            OPTIONAL
    [--enable-rule=SSL_SDBM] \               OPTIONAL
    [--enable-rule=SSL_EXPERIMENTAL] \       OPTIONAL
    [--enable-rule=SSL_VENDOR] \             OPTIONAL
    [...more APACI options...]               OPTIONAL
$ make                                       ALL
$ make certificate                           OPTIONAL
$ make install                               OPTIONAL
$ cd ..

Daniel.

[EMAIL PROTECTED] wrote:

Hello,

How to create CA ( invalid: NOT real ) for Web Server ( Apache ) ?

Thank for your help !

Edward.
Re: Problems understanding on how to install mod_ssl!
For detailed instructions on running mod_ssl for Apache 2 you can check out a chapter I have online:
http://www.apacheworld.org/ty24/site.chapter17.html

It includes details on how to build openssl and use the openssl command line tool to generate your certificate and key

Cheers

Daniel

On Thu, Oct 24, 2002 at 03:47:32PM -0500, [EMAIL PROTECTED] wrote:
> The INSTALL file when I untar mod_ssl says:
> Configure and build the SSL library:
> ./config
> make
> make test
>
> but it does not say to install nor does it give you the instruction to do:
> make install
>
> Do I have to do this step.
> Then what is server.key and server.crt
> What step of which program generates them and where does it put them.
> Once again the INSTALL file says if your server (which server? apache is not
> installed yet)
> has certificates already provide the path else run make certificate! Run
> certificate where?
>
> Thanx in advance
> Dino
Re: SSLProxy* directives
> The Apache documentation (www.apache.org) describes SSLProxy* as part of
> mod_ssl. Why isn't there any information about SSLProxy* on www.modssl.org?
> (Probably Ralf Engelschall can explain this.)

Because nobody wrote it :(
I was the one who wrote it for Apache 2, based on some stuff we had for Covalent SSL

> Is this Apache 2.0 feature available in Apache 1.3 too?

I think so, you need to compile with SSL_EXPERIMENTAL flag. But I do not think it worked very well
Doug MacEachern rewrote a big part of it to work more cleanly in Apache 2.0

> I think the current documentation of SSLProxyMachineCertificateFile is at
> least misleading.

Please correct and submit a patch to [EMAIL PROTECTED] :)

Cheers

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
a big hairy problem....
Hi

I need some help with this big prob I got. I have a working mod_ssl setup. That is until I put in another virtual server with a rewrite rule. Apache spits the dummy and says I don't have the rewrite module installed, which is a lie because when I do a http -l I can see it.

So I thought I would attack the problem the other way. I put the virtual host with the rewrite rule after the mod ssl virtual host and Apache spits when it gets to the SSLEngine bit... and it was just working! In fact when both http conf files are separated they *both* work! I am about to pull my hair out, can someone help? In fact when I put the mod ssl stuff in and the other virtual host it all works if I leave out the rewrite stuff...

I am running a recent release of freebsd, apache 1.3.24 with the concurrent version of mod_ssl and OpenSSL.

Here is a copy of my httpd.conf file for anyone kind enough to look:

I'll be so happy to get some clues, thanks.

D.

ps Sorry if this comes through twice it didn't seem to send the first time...
Re: Maintainership of mod_ssl
Part of the reason is that mod_ssl was moved into the Apache 2.0 codebase, development has been quite active there. So although 1.3 development may be necessary and useful, long term I think 2.0 is the way to go

Cheers

Daniel

> Hi all
>
> I agree, I haven't seen much movement/improvements with mod_ssl in the
> last months and in this industry things need to get moving in order to
> keep the software in touch with its neighbours (apache, open_ssl,
> mod_authz_ldap to name a few) and therefore each one improving on the
> other.
>
> If Ralf cannot afford the time then I am for someone else (like you
> Tim) to take over the reigns (either fully or partially). It is really
> important that users see mod_ssl constantly improving itself.
>
> Best regards
> Jose Correia
>
> -Original Message-
> From: Tim Tassonis [mailto:[EMAIL PROTECTED]]
> Sent: 25 September 2002 15:50
> To: [EMAIL PROTECTED]
> Subject: Maintainership of mod_ssl
>
> Hi Ralf and everybody
>
> Wouldn't it now be about time to transfer maintainership of mod_ssl to
> somebody else (if there is anybody willing and capable available) , as
> this software is now obviously unmaintained except for important
> security fixes.
>
> Ralf has done a tremendous job in providing and maintaining mod_ssl,
> but obviously has no more time left to actively work on it.
>
> But there are still people (me at least) who would like to enhance
> mod_ssl beyond the very necessary. Unfortunately mails with patches to
> do so are not even replied.
>
> How do other people and most of all, how does Ralf think about this?
>
> Bye
> Tim
Re: Windows Builds?
On Fri, Sep 20, 2002 at 09:20:41AM -0700, David Buerer wrote:
> I feel like an idiot this morning...but not more than six months ago I
> installed apache+openssl+modssl on an NT machine and I downloaded the binary
> build from somewhere. For the life of me though, I can not find the site!
> Anyone have any ideas? I am trying to find an updated version with a more
> current version of apache, bug fixes, and the like.

You can find binaries at http://www.modssl.org/contrib/ftp/contrib/ (not updated to the very latest ones)

If you use 2.0.40 binary from ASF (http.apache.org) you can get modssl unofficial binary from http://www.madhon.co.uk/modssl/

Cheers

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
Re: SSL Accelerators
On Fri, Aug 02, 2002 at 10:29:58AM -0700, David Lowenstein wrote:
> Can anyone out there recommend an affordable ssl accelerator that will
> work with a sun enterprise 420? I'm interested in either a pci card or a
> standalone unit.
>
> Unfortunately I'm about to launch a website under ssl and we really don't
> know just how much that's going to hamper performance.
>
> Also, any performance tuning tips for ssl would be appreciated (for
> apache webserver with mod_perl and bea weblogic)

My first advice would be to compile openssl with assembly optimizations on, and make sure you configure session caching in the mod_ssl side.

Have you considered having dedicated boxes doing the ssl, serving static content, and reverse proxying to the real servers? That will also reduce the load in Apache, since each request ties a process and in turn that child has a expensive Perl interpreter embedded, whether it is serving static content or not. (I am assuming you are using 1.3 here)

Cheers

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
Re: SSL V3.0
On Thu, Aug 01, 2002 at 11:16:22PM -0500, Austin Gonyou wrote:
> Does mod SSL support SSL v3.0? Haven't investigated this yet, but
> thought I'd ask here first.

Yes it does, it is right there, in the front page for www.modssl.org
Nothing to investigate :)

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
Re: HTPASSWD Utility
On Wed, Jul 31, 2002 at 12:59:20PM -0500, Cagle Larence G Contr 96 CG/SCTOA wrote:
> The htpasswd.exe utility in Apache_2.0.39-Mod_SSL-OpenSSL-0.9.6d-Win32.zip
> aborts with an error message when you try to add or update a password. It
> responds with "The process cannot access the file because it is being used
> by another process". I thought perhaps that Apache had not closed the
> password file when it was started, so I stopped the tasks related to Apache
> and tried it again. Same result. I'm running the server on a PC with
> Windows XP Professional OS.
>
> I downloaded and unzipped htpasswd.exe from the
> Apache_2.0.37-dev_mod_ssl_2.0.37_dev_OpenSSL-0.9.6c-WIN32.zip file and it
> works like it used to in earlier versions.

The htpasswd.exe utility on Windows has known bugs that have been fixed for 2.0.40
You can use previous versions like the one you mention, they are ok.

Cheers

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
Re: mod_ssl newbie
For that you do not want SSL. Check out:
http://httpd.apache.org/docs-2.0/howto/auth.html

For an introduction to SSL and Apache, you can check out a chapter I have online :
http://apacheworld.org/ty24/site.chapter17.html

Cheers

Daniel

On Tue, Jul 30, 2002 at 02:37:14PM -0500, Henning, Brian wrote:
> Hello,
> I am new to the ssl world. Right now I am running w2k with apache 1.3.23 web
> server. I downloaded the mod_ssl package from the website. I changed the
> port on my apache web server to 443. On a high level what do i need to do to
> create a secure web server? I guess my real problem is i don't know what ssl
> does for me. What i am looking for is something that can password protect
> the files on my server. I want to let specific people to access my site and
> that is it. They must have a password to use it. Is mod_ssl what i want or
> should i be looking else where?
> thanks for any input,
> brian
Re: http to https forward
On Thu, Jul 25, 2002 at 10:14:22AM -0500, David Iungerich wrote:
> Daniel,
>
> Does your book or somewhere else give the specifics of what all I need to do

When the book was released, Doug (who sits 2 cubicles next to me :) had not yet cleaned up and ported that functionality, so I mention it but could not give any specifics.

> to get this done. If so I'll go buy it, or wherever I need to look. I've
> got to get this thing implemented today. At this point, I'm thinking I'll
> strip off the Apache 1.3.23 that came with Suse and install Apache 2.0.
> Bear in mind with all of this, that I'm new to Apache and Linux, so any
> specifics you can provide on what ALL is need to implement this would be
> greatly appreciated.

Yesterday I submitted a patch to the Apache docs@ mailing list documenting those directives. I can try and help you with the setup, first step is to get Apache compiled with SSL support and understand how to generate certificates:
http://www.apacheworld.org/ty24/site.chapter17.html
and the mod_ssl docs/tutorial at apache.org

For the SSLProxy* directives these docs are old and for raven ssl, but apply for the most part
http://www.covalent.net/support/docs/faststart/2.0.0/userguide/html/sslconfigure.php#1138492

Cheers

Daniel

> Thanks again,
> David
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Daniel Lopez
> Sent: Wednesday, July 24, 2002 5:49 PM
> To: [EMAIL PROTECTED]
> Subject: Re: http to https forward
>
> On Wed, Jul 24, 2002 at 05:45:15PM -0500, David Iungerich wrote:
> > Thanks Daniel. What all is needed as adjustments to my conf file? As I
> > understood it, there was an issue with Apache taking an http POST request
> > and encrypting it with a given cert, then sending it along via https. If you
> > could tell me exactly what I need version-wise and what to add/change in a
> > standard conf file, I'd greatly appreciate it.
>
> I am not sure I understand what you mean with "encrypting it with a given
> cert". I am guessing it means that your client must present a specific
> client certificate to the remote server. This SSL functionality was present
> in mod_ssl versions for 1.3 if you compiled with SSL_EXPERIMENTAL flag, but
> was not working very well.
> Apache 2.0 includes robust support for that functionality (thanks to Doug
> MacEachern of mod_perl fame) and I recommend you use that. The directive you
> want is SSLProxyMachineCertificateFile, for specifying the client
> certificate(s) to present to the remote server. It is not documented
> currently on the Apache project, but take a look at :
> http://www.covalent.net/support/docs/faststart/2.0.0/userguide/html/sslconfigure.php#1138492
>
> Hope it helps
>
> Daniel
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Daniel Lopez
> > Sent: Wednesday, July 24, 2002 4:30 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: http to https forward
> >
> > > yes, that is correct. I meant http to https. So, there is no way to do
> > > this with existing mods? I have to use something else? Java or Python
> > > program? Anyone already have anything?
> >
> > You can already do it with Apache 2, and I am pretty sure you can do it
> > with Apache 1.3 too. The directives are just not documented, I am working
> > on a patch for the docs. But you are able to do
> >
> > SSLProxyEngine on
> > ProxyPass / https://some.host.com
> >
> > And you can also use other SSLProxy* directives like SSLProxyVerify, etc.
> >
> > Daniel
> >
> > --
> > Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
Re: http to https forward
On Wed, Jul 24, 2002 at 10:40:55PM +0100, Michael Pacey wrote:
> Quoting David Iungerich <[EMAIL PROTECTED]>:
>
> > yes, that is correct. I meant http to https. So, there is no way to do
> > this with existing mods? I have to use something else? Java or Python
> > program? Anyone already have anything?
>
> I couldn't find anything to do this besides the two proprietary programs I
> mentioned before. My impression is this is a big hole in the open-source
> toolkit, and proprietary software is going to fill it if someone more capable
> than me doesn't fix things...

Come on... this is the 4th mail I send in the last couple hours mentioning that this capability exists already in Apache 1.3 and, improved and more robust, in Apache 2.0
They are just not documented, see my other emails for links and example. I am preparing a patch to the Apache documentation that includes them.

As other people mentioned, you can also use stunnel or similar programs to set SSL tunneling (I have used it successfully in the past with HTTP and POP3)

> I see this sort of thing being a requirement for more and more big companies who
> have established functional ecommerce infrastructures but need to start worrying
> about security for all sorts of reasons including regulatory requirements
> (especially secure comms between internal networks and DMZ). I'm not saying
> there's any law requiring specifically this but big financial companies are
> legally bound to protect data and they like to cover their bottoms.
>
> I searched Freshmeat and Sourceforge. I found things that you can wrap http
> servers in to make them look like https servers to the outside world but that is
> the opposite of what you (and I) want to achieve.
>
> --
> Web: http://sydb.dyndns.org
> ICQ: 152392113 (New to ICQ? http://www.mirabilis.com)
> IRC: #sydb on EFnet (New to IRC? http://www.irchelp.org)
Re: http to https forward
> Quoting David Iungerich <[EMAIL PROTECTED]>:
>
> > I need to implement Apache as an https to http forwarder. I believe I need
> > to use ProxyPass or Redirect, but am having difficulty figuring out the
> > correct configuration.
>
> Just to clarify, I think you mean http to https forwarder, as in your subject;
> Apache forwards https to http without any problems.
>
> But for http to https, your problem isn't configuration; Apache+mod_ssl doesn't
> have the code for initiation of HTTPS connections. I've looked!
>
> Everybody told me it wouldn't work, I didn't believe them, I couldn't make it
> work, I read the code, it's not there!
>
> The only product I know of that might be able to do this is IBM EdgeServer, and
> possibly Netscape. Have to say I don't like EdgeServer and I have no experience
> of Netscape.
>
> Is there no-one around who'd like to code this? There are quite a few people who
> want to use Apache to initiate HTTPS connections. I don't have the time / coding
> skills.

Um, no, you can already do it

    SSLProxyEngine on
    ProxyPass / https://some.other.host

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
Re: http to https forward
On Wed, Jul 24, 2002 at 05:45:15PM -0500, David Iungerich wrote:
> Thanks Daniel. What all is needed as adjustments to my conf file? As I
> understood it, there was an issue with Apache taking an http POST request and
> encrypting it with a given cert, then sending it along via https. If you
> could tell me exactly what I need version-wise and what to add/change in a
> standard conf file, I'd greatly appreciate it.

I am not sure I understand what you mean with "encrypting it with a given cert". I am guessing it means that your client must present a specific client certificate to the remote server. This SSL functionality was present in mod_ssl versions for 1.3 if you compiled with SSL_EXPERIMENTAL flag, but was not working very well.

Apache 2.0 includes robust support for that functionality (thanks to Doug MacEachern of mod_perl fame) and I recommend you use that. The directive you want is SSLProxyMachineCertificateFile, for specifying the client certificate(s) to present to the remote server. It is not documented currently on the Apache project, but take a look at :
http://www.covalent.net/support/docs/faststart/2.0.0/userguide/html/sslconfigure.php#1138492

Hope it helps

Daniel

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Daniel Lopez
> Sent: Wednesday, July 24, 2002 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: Re: http to https forward
>
> > yes, that is correct. I meant http to https. So, there is no way to do
> > this with existing mods? I have to use something else? Java or Python
> > program? Anyone already have anything?
>
> You can already do it with Apache 2, and I am pretty sure you can do it with
> Apache 1.3 too. The directives are just not documented, I am working on a
> patch for the docs. But you are able to do
>
> SSLProxyEngine on
> ProxyPass / https://some.host.com
>
> And you can also use other SSLProxy* directives like SSLProxyVerify, etc.
>
> Daniel
>
> --
> Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
Re: http to https forward
> yes, that is correct. I meant http to https. So, there is no way to do
> this with existing mods? I have to use something else? Java or Python
> program? Anyone already have anything?

You can already do it with Apache 2, and I am pretty sure you can do it with Apache 1.3 too. The directives are just not documented, I am working on a patch for the docs. But you are able to do

    SSLProxyEngine on
    ProxyPass / https://some.host.com

And you can also use other SSLProxy* directives like SSLProxyVerify, etc.

Daniel
--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
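The two directives given in this thread turn on outbound SSL but leave SSLProxyVerify at its default of "none", so the proxy encrypts to whatever server answers. The following is an added example, not from the thread or the Apache project, of the same http-to-https forwarder for a current Apache 2.4 with the backend authenticated and a client certificate presented; the host names and file paths are placeholders.

```apache
# Added example; front.example.com, backend.example.com and all file paths
# are placeholders, not values from the thread.
# Needs mod_ssl, mod_proxy and mod_proxy_http loaded.

<VirtualHost *:80>
    ServerName front.example.com

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off

    # Allow mod_proxy to open SSL/TLS connections to the backend.
    SSLProxyEngine on

    # With the default "SSLProxyVerify none" the hop is encrypted but any
    # certificate is accepted. Require a chain that ends in a CA chosen
    # for the backend.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile conf/ssl/backend-ca.crt

    # Also compare the name in the backend certificate with the host name
    # used in ProxyPass (directive available from Apache 2.4.5).
    SSLProxyCheckPeerName on

    # Client certificate(s) and matching private key(s) in PEM format,
    # concatenated in one file. The keys must be unencrypted, so keep the
    # file readable by root only.
    SSLProxyMachineCertificateFile conf/ssl/proxy-client.pem

    ProxyPass        / https://backend.example.com/
    ProxyPassReverse / https://backend.example.com/
</VirtualHost>
```

The client-to-proxy hop on port 80 stays cleartext in this layout; only the proxy-to-backend hop is protected.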
Re: Distributed Session Cache
> How far along is the mod_ssl port to Apache 2?

It is basically done, already bundled with Apache itself as a regular module

> Has anyone hacked up a distributed session cache?

The closest I know of is for Apache-SSL, which Ben Laurie mentioned at one of the Apachecons:
http://anoncvs.aldigital.co.uk/splash/
based on http://spread.org

Some discussion on this:
http://marc.theaimsgroup.com/?l=apache-modssl&m=99055320101822&w=2

Daniel
--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
Re: Question about SSL for Apache 2.x
> Dear SSL companies,
>
> we are university students team from Czech Republic and we provide some expert
> system based on Apache web server, but now we have some problem about SSL.
>
> Now we can install on our server Apache 2.x version but we need for this version
> some SSL support.
>
> When we inspect your pages, we get informations about versions for Apache 1.3.x.
>
> And we have a question if will be some available version for Apache 2.x or we need
> to install some older version.

mod_ssl is already included with Apache 2. For instructions on getting mod_ssl working with 2.0, you can check out http://www.apacheworld.org/ty24/site.chapter17.html

Cheers

Daniel
Client-certificates are sporadically dying
Hello modssl-users!

My suspicion is that IE5.5 has liability for this problem. But maybe someone has made similar experiences and can give a hint:

I noticed a strange behaviour (mod_ssl/2.8.5, OpenSSL/0.9.3a, Internet Explorer 5.5 SP2). You install a client-certificate and everything works fine. After a while the certificate sporadically (some days - some weeks) "dies", and you can't connect to the secured site. The modssl-log just reports an ssl-handshake-failure if you try to connect with a "broken" cert. If you delete the cert and import it (the same, old, original p12 file) a second time, it works again. So I suppose the certificate itself has nothing to do with this strange effect.

Best regards,
D.C.
Re: Problem with IE
I am finding it very hard to believe that even late versions of IE, 5.5, 6.x have these problems, yet I encounter wacky form post bugs when I do not downgrade the connection.

Is there nothing else that can be done? Is no one that is running Apache+mod_ssl able to use KeepAlives or HTTP/1.1, and are suffering severe performance hits when using MSIE?

Once upon a time Shain Miley shaped the electrons to say...
> I fixed a problem this morning by adding this line to my httpd.conf file:
>
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>
> Shain
>
> Kuczborski, Carol L wrote:
>
> >Sorry, it is NOT the recommendation made in mod_ssl But it worked for
> >me.
> >
> >Try the following setting for the IE browser in the httpd.conf file. I know
> >it is the recommendation made in the mod_ssl FAQ, but it seemed to help me.
> >I had the same problem you are having and researched it for months. After
> >making the change to the http.conf below (and applying a patch from Oracle
> >to the ApacheModuleSSL.dll file on Windows NT), it reduced the intermittent
> >"Cannot find server or DNS error" and "Page cannot be displayed" messages
> >received when using the IE browser. I never received these errors when
> >using the Netscape browser.
> >
> >SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown

-D
--
God, root, what is difference?
Cedar Nannies !
Please, Chris, send me by e-mail the UK site URL, if you don't mind !

Daniel James Stevens wrote:
> I just discovered the hardship of using a binary installation of Apache...
> Can't install FP Extensions to it. (sigh)
>
> So I am preparing to build the apache server using the src's .. Question is
> I already have SSL up and running (mod_ssl) ... Running under apache 1.3.19
> now the newest download from both apache and mod_ssl are the apache 1.3.20
> variants.. Question is if I use the newer .20 src's to build my apache can
> I simply drop in the backed up copies of my key and crt files and will she
> start up without throwing a fit? I have never upgraded a live server
> before I have always waited until the cert ran out and did everything then.
>
> In this case we just got the cert a week ago and now the clients are
> demanding FP support so I need to get it installed one way or another.
>
> Specifics on my system:
>
> OS: Linux Mandrake 8.0
> Current Web Server: Apache 1.3.19 (default install from Mandrake no source
> available on server)
> Current SSL Server mod_ssl 0.9.6 (version ID from 'openssl version' command)
>
> Upgrading to: Apache 1.3.20 (from source distribution files)
> Upgrading to: 2.8.4-1.3.20 (from source distribution files)
>
> Thanks in advance!
>
> --JT
> Network Administrator
> http://www.webcommanders.com
Re: AOL 6.0 and mod_ssl not working
> Thanks for this most interesting tip. But who's DNS are they querying for
> the reverse lookup? And does the reverse lookup need to return the exact
> same web server name in the certificate (i.e. www.yozons.com even though my
> reverse DNS might call it w1.yozons.com because that's the computer's real
> name, and it has several other alias names)?
>
> I'd love to have this fixed, that's for sure.

The real name doesn't matter. Your DNS provider must have a reverse entry in the DNS server, which points back to the IP-address, not the real name.

Let's say your server is at 192.168.0.1, then you'll have a CNAME for www.yozons.com pointing to the real name and a reverse entry, which says that www.yozons.com has the IP 192.168.0.1. Without this reverse entry, no AOL client will be able to access the site.

Ask your DNS provider if he has set up a reverse entry. If not, this can easily be done. Just a matter of seconds and the name server is updated and AOL users will be able to access the site.

Daniel
RE: AOL 6.0 and mod_ssl not working
> Does anybody have any idea why AOL would have trouble, but I can
> access it from other ISPs okay?

I had similar problems with our secure site. I found that these had nothing to do with my Apache/mod_ssl setup. The reason why AOL couldn't access the site was a missing reverse entry in the DNS server. Perhaps this is the same with your site.

Daniel
Re: [BugDB] PRIVATE: errno 10054, 10053 (PR#548)
I had a similar problem - the client left me before I could satisfactorily resolve the issue, but check out http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49

-Dan

> Full_Name: Chris Lyon
> Version: 2.7.2
> OS: win2000
> Submission from: (NULL) (212.187.205.138)
>
> Hopefully this is submitted to the right area.
>
> I am running Apache 1.3.17 and modsl 2.7.2 openssl 0.9.6
>
> A number of clients of our site are repeatedly refused access on I.E. selecting
> secure pages.
>
> My error logs are filling up with blocks as below:-
>
> [17/Apr/2001 19:34:50 01816] [error] SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
> [17/Apr/2001 19:34:50 01816] [error] System: Unknown error (errno: 10054)
> [17/Apr/2001 19:43:16 01816] [error] SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
> [17/Apr/2001 19:43:16 01816] [error] System: Unknown error (errno: 10053)
> [17/Apr/2001 19:43:29 01816] [error] SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
> [17/Apr/2001 19:43:29 01816] [error] System: Unknown error (errno: 10054)
>
> Any thoughts or suggestions?
Re: Problem uploading a file with mod_ssl
Knowing *what* the error was would help, but: in general, HTTPS pages don't like serving HTTP images (since you don't want insecure information on your secure pages). In this case, the error comes from the browser, not the server - is that what you're seeing?

-Dan

> I have a perl script that uploads a file to the server using the
> tag. I have this script in the cgi-bin directory
> of the nonsecure webserver and the secure webserver. It works
> perfectly for the nonsecure version but i always get an error when
> trying to upload to the secure version. The script seems to be fine
> and in my httpd.conf file, I have a ScriptAlias pointing to the secure
> cgi-bin and SSLOptions +StdEnvVars enabled.
>
> I am running Apache 1.3.19, modssl 2.8.2, openssl 0.9.6 on
> Windows NT 4
>
> I appreciate any assistance,
> Mark Barton
Re: SSL problems
In the former case, do you have a DirectoryIndex in your secure server?

In the latter case, I suspect that POSTed parameters may be passed, but the library which is looking at the parameters may not see them because of the GET parameters...

-Dan

> I've been working on this PHP driven shopping cart program called
> phpshop. Everything works fine until I use the secure server url. The
> urls generally look like this:
>
> http://www.eavalon.com/shop/?page=shop/flypage&product_id=24
>
> and the file index.phtml is served up as the default. When I use the
> secure url, it doesn't give out index.phtml but instead gives a listing
> of the current directory.
>
> As a temporary fix, I changed the secure url to the full path:
>
> https://www.eavalon.com/shop/index.phtml?page=shop/flypage&product_id=24
>
> Now what happens is no POSTed variables are being passed from script to
> script.
>
> This problem would be due to other things but I'm checking out all
> possibilities here. If anybody has any ideas, please let me know.
>
> Thanks
> Joel
>
> ---
> Nomopoly III now open. Join Today!
> http://www.justthefaqs.org/nomopoly/
Re: modssl + http-1.1 works?
> Could anyone please explain what is namebased and what is IP based? What
> are the differences and how they work for SSL connections handling?
> Can I use the following declaration for Virtual Host declaration with
> modSSL? I am having problems with IE Browsers ONLY while connecting from
> dial-up connections. I want to know whether this is any reason for that.!

I can't help much with the MSIE problem, but here's name-based vs. IP based: IP-based is where each VHost has its own IP address, name-based is where many VHosts share a single IP address.

HTTP/1.0 only supported IP based, due to the connection protocol:

    % telnet one.fish.com 80
    Connected to 1.2.3.4
    GET /index.html HTTP/1.0

    % telnet two.fish.com 80    # (assume one.fish and two.fish not same IP)
    Connected to 1.2.3.5
    GET /index.html HTTP/1.0

With HTTP/1.1, a new request header (Host) was added, which is always transmitted from browser to server, and which *may* be interpreted by the server (it *is*, if name-based hosting is used, and not if not).

    % telnet one.fish.com 80
    Connected to 1.2.3.4
    GET /index.html HTTP/1.1
    Host: one.fish.com

    % telnet two.fish.com 80    # (assume one.fish and two.fish *same* IP)
    Connected to 1.2.3.4
    GET /index.html HTTP/1.1
    Host: two.fish.com

With SSL, the connection is established *first* based on IP address, and once the connection is made, the HTTP/1.x communication occurs. You can't use name-based VHosting and SSL, because the connection is made to an IP address, the SSL communication is made based on the certificate associated with the host-name associated with that address - and you can't "switch" names once the communication has started.

-Dan
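The layout this message describes, as an added example that is not part of the original post: plain HTTP hosts share one address and are told apart by the Host header, while each SSL host gets its own address so the server can pick the certificate before any HTTP is spoken. The addresses reuse the message's 1.2.3.4 and 1.2.3.5; document roots and certificate paths are placeholders. Clients and servers that implement the TLS Server Name Indication extension send the host name inside the handshake and do not need the one-address-per-certificate layout; the configuration below is for those that do not.

```apache
# Added example; document roots and certificate paths are placeholders.
Listen 80
Listen 1.2.3.4:443
Listen 1.2.3.5:443

# Port 80: name-based, both hosts on one address.
# NameVirtualHost is needed on Apache 1.3/2.0/2.2; on 2.4 it has no
# effect and can be removed.
NameVirtualHost 1.2.3.4:80

<VirtualHost 1.2.3.4:80>
    ServerName one.fish.com
    DocumentRoot /var/www/one
</VirtualHost>

<VirtualHost 1.2.3.4:80>
    ServerName two.fish.com
    DocumentRoot /var/www/two
</VirtualHost>

# Port 443: IP-based. The destination address alone decides which
# certificate is presented, because the Host header arrives only after
# the handshake has finished.
<VirtualHost 1.2.3.4:443>
    ServerName one.fish.com
    DocumentRoot /var/www/one
    SSLEngine on
    SSLCertificateFile    conf/ssl/one.fish.com.crt
    SSLCertificateKeyFile conf/ssl/one.fish.com.key
</VirtualHost>

<VirtualHost 1.2.3.5:443>
    ServerName two.fish.com
    DocumentRoot /var/www/two
    SSLEngine on
    SSLCertificateFile    conf/ssl/two.fish.com.crt
    SSLCertificateKeyFile conf/ssl/two.fish.com.key
</VirtualHost>
```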
Weird interactions, SSL/FastCGI
I have a totally bizarre behavior to report and wonder if anyone has seen anything like this.

I have this nice stable Apache/1.3.19 (Unix) mod_fastcgi/2.2.10 (I just built it after a week of headaches, and it seems fine). But I want more! I need to use mod_ssl, and have had no end of headaches. When I add SSL (I start with a fresh Apache, add mod_ssl and openssl, then add fastcgi, just like the instructions say), fastcgi hangs (processes don't work, or they run once and die). SSL also behaves erratically.

Here's what I have tried:

Apache/1.3.17 mod_fastcgi/2.2.2 mod_ssl-2.8.0-1.3.17 openssl-0.9.6
    SSL DSO, FastCGI static: FastCGI cycles, no fcgi can run

Apache/1.3.19 mod_fastcgi/2.2.10 mod_ssl-2.8.2-1.3.19 openssl-0.9.6a
    Everything a DSO: FastCGI hangs, no fcgi can run, and when I try apachectl stop, the /usr/contrib/bin/fcgi- dispatcher won't die.

Apache/1.3.19 mod_fastcgi/2.2.10 mod_ssl-2.8.2-1.3.19 openssl-0.9.6a
    FastCGI static, SSL DSO: same as above

Apache/1.3.19 mod_fastcgi/2.2.10 mod_ssl-2.8.2-1.3.19 openssl-0.9.6a
    FastCGI DSO, SSL static: same as above

Apache/1.3.19 mod_fastcgi/2.2.10 mod_ssl-2.8.2-1.3.19 openssl-0.9.6a
    Everything static: same as above

Apache/1.3.19 mod_fastcgi/2.2.10 mod_ssl-2.8.2-1.3.19 openssl-0.9.6a
    FastCGI was compiled static but no directives used it (so it was in but unused), SSL was static and in use: all *regular* CGI scripts ran successfully, but the output was truncated at 16336 bytes (add in "Content-type: text/plain" and it is suspiciously close to 16Kbytes). WTF?

Apache/1.3.19 mod_fastcgi/2.2.10
    Obviously, no SSL, but FastCGI behaves normally.

So: Apache+FastCGI works for me, but add SSL and everything gets weird. Does anyone have any clues?

Other people have reported that they have:
    running with no headaches.
    Apache/1.3.19 mod_fastcgi/2.2.11-SNAP-Feb19-01.25 mod_ssl/2.8.1 OpenSSL/0.9.5a running with no headaches.
    Apache/1.3.19 mod_fastcgi/2.2.11-SNAP-Dec06-21.55 mod_ssl/2.8.1 OpenSSL/0.9.6 running with no headaches.

I can't get things to work. I am running BSDI Unix version 4.1. Help? Please? I've been at it for a week!

-Dan
Can't get it work reliably
I've tried everything... my current incarnation is:

    Apache/1.3.19 mod_ssl-2.8.2-1.3.19 openssl-0.9.6a (with and without mm-1.1.3)

It compiles just fine. But I can't get it to run reliably. The connection appears secure sometimes, but here's the main symptoms:

1) Netscape clients on Mac (v4.76) and BSDI (v4.75) work fine. Viewing the certificate information reveals exactly the cert that I think I am using.

2) MSIE (4.01) on Mac complains that the identity certificate has expired. I took the .crt and .key files from the old server this was running on, and have them configured in the new server (and Netscape doesn't think they've expired).

3) MSIE on Windoze (assorted versions) works erratically. Specifically, an http form that has an https action works the first time it is loaded and submitted, but if it is reloaded and the data is changed, and resubmitted, the browser seems to be sending no form parameters to the https server.

4) MSIE (5.0) on a Mac on my local network works fine.

5) MSIE (5.0) on a Mac on a remote network fails! The browser sends no form parameters to the https server (as above).

The ssl_engine_log doesn't show any errors. In the server error logs I see a number of these:

    [Fri Apr 13 15:42:57 2001] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
    [Fri Apr 13 15:42:57 2001] [error] System: Connection reset by peer (errno: 54)

However, I did a "tail -f" on the error log while condition 5 (above) was being exercised (3 times) and it did not appear then, nor did it appear when I tested condition 3 (above), so I think it was coincidence.

My firewall admits port 80 and port 443.

Help? Any ideas?

-Dan
Re: remote admin of apache with mod_ssl
I am by no means the expert, but if you have a key file (I think it's the key file!) on your server, then that can contain your passphrase. And you won't be prompted. If it is an *encrypted* key file, then you need a passphrase to unlock the key, and *then* you get prompted.

-Dan

> I finalizing things and getting ready to compile apache 1.3.19 with mod_ssl
> (2.8.2) and openssl and put it in place on a solaris 8 sun server.
>
> My problem is that I work on this server remotely. 99% of the time.
>
> So, when I have to reboot or re-initialize the web server, it will stop and
> wait for the input of the ssl passphrase, right?. (I'm assuming it will
> since my old linux box does this with it's apache-ssl server).
>
> Is there an alternate way to pass the passphrase to apache? is there a way
> around this?
>
> I'm new enough to unix/solaris not to know some of the simpler things... :)
>
> donovan
mod_ssl 2.8.2 Win32 bug
Hy,

found a bug in the mod_ssl Makefile for Win32. SSL_INC and SSL_LIB are wrong. After patching they look like this one:

    SSL_INC =..\..\..\..\openssl-0.9.6\include
    SSL_LIB =..\..\..\..\openssl-0.9.6\lib

but they should be:

    SSL_INC =..\..\..\..\openssl-0.9.6\inc32
    SSL_LIB =..\..\..\..\openssl-0.9.6\out32dll

Greetings,
Daniel
windows
I have set up apache on a win 98 PC. It works as a conventional web server and I have tested it. I want to include modssl and I thought I was very close to achieving this but it fails to encrypt the page info and returns an error page (the standard one for IE5).

I get the following errors on starting the server (apache -D SSL -k start command used to start it):

    [Sat Mar 17 23:27:14 2001] [error] Failed to resolve server name for 127.0.0.1 (check DNS) -- or specify an explicit ServerName
    Apache/1.3.14 (Win32) mod_ssl/2.7.2 OpenSSL/0.9.6 running...
    [Sat Mar 17 23:27:19 2001] [error] Failed to resolve server name for 127.0.0.1 (check DNS) -- or specify an explicit ServerName

and the following is in the error log:

    [Mon Mar 19 00:04:52 2001] [error] Failed to resolve server name for 127.0.0.1 (check DNS) -- or specify an explicit ServerName
    [Mon Mar 19 00:11:56 2001] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
    [Mon Mar 19 00:11:56 2001] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]

Any ideas ?? Anything would be great. By the way I did get a standard http virtual host working already.

thanks
RE: apache 1.319 + modssl 2.8.1 on windows
> It could be having trouble finding the openssl include files.
>
> In addition to the two files listed earlier, I interpreted:
>
> >Install OpenSSL into $INSTALLTOP. You have do this by hand:
> > ...
> >$ copy /b inc32\* p:\openssl\include\openssl
> > ...

YES, it was this one... SSL_INC and SSL_LIB were wrong:

    SSL_INC =p:\openssl-0.9.6\include
    SSL_LIB =p:\openssl-0.9.6\lib

They should be:

    SSL_INC =p:\openssl-0.9.6\inc32
    SSL_LIB =p:\openssl-0.9.6\out32dll
RE: apache 1.319 + modssl 2.8.1 on windows
> How far did you make it through INSTALL.Win32 before it failed?

Up to the build process, it crashed on mod_ssl.c. I downloaded the 2.8.1 distribution and fetched the files you listed from CVSweb, replaced them and started the build process.

Perhaps you can send me the files you used to compile? That would be great.

Daniel
RE: apache 1.319 + modssl 2.8.1 on windows
> Oops! I had the name for file (2) wrong, I think this is correct:
>
> The Apache_1.3.19 and modssl_2.8.1 source file from March 3
> needs the following from the CVSWeb:
> (1) [modssl] / mod_ssl / pkg.mod_ssl / configure.bat
> (2) [modssl] / mod_ssl / pkg.mod_ssl / pkg.sslmod / Makefile.win32

I'm trying to compile it on Win2k without success. Can you tell me exactly which files you used to get it compiled?

Thx,
Daniel
lex problems...
Hello!

I'm using apache 1.3.14 + modssl 2.7.1-1.3.14 + openssl 0.9.5a + HP-UX 10.20. Everything works fine until I tried to run 'make' on apache. It gave the following error (see below). Does anyone have any idea what's wrong?

Thank you very much.

Regards,
Daniel. [EMAIL PROTECTED]

-
gcc -c -I../../os/unix -I../../include -DHPUX10 -DMOD_SSL=207100 -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I../../lib/expat-lite `../../apaci` -fpic -DSHARED_MODULE -DSSL_COMPAT -I/tmp/openssl/include -DMOD_SSL_VERSION=\"2.7.0\" ssl_expr_scan.c && mv ssl_expr_scan.o ssl_expr_scan.lo
lex.ssl_expr_yy.c:1753: parse error before `1'
lex.ssl_expr_yy.c: In function `ssl_expr_yy_scan_string':
lex.ssl_expr_yy.c:1758: number of arguments doesn't match prototype
ssl_expr_scan.c:254: prototype declaration
lex.ssl_expr_yy.c:1760: subscripted value is neither array nor pointer
lex.ssl_expr_yy.c:1763: warning: passing arg 1 of `ssl_expr_yy_scan_bytes' makes pointer from integer without a cast
*** Error exit code 1
Stop.
*** Error exit code 1
Stop.
*** Error exit code 1
Stop.
*** Error exit code 1
-
RE: [BugDB] failure of win32 compile (PR#470)
> Here are 3 issues that I noticed that caused the build to fail on the patching
> and building in win32, There might be more but I haven't looked hard enough ;)

Try the latest snapshots from ftp://ftp.modssl.org/snapshot/
These issues have been fixed.

Daniel
RE: error in configure.bat
> As expected... Yes, before you ask, I've not even once tried
> 2.7 under Win32 myself and I will not try mod_ssl again in my life on
> this platform. Sorry if this might be nasty for the Win32 fans and
> not what you appreciate, but I personally do not care about Win32.

It's okay, i know that. Be glad that you don't have to care about Win32, i have to ;)

> > o configure.bat doesn't recognize the openssl-0.9.6 source tree
> >   if i use --with-ssl=..\openssl-0.9.6, it says there's no openssl
> >   if i use --with-ssl=c:\openssl, it works
>
> I've no clue about this. The location checks in configure.bat were not
> changed by me.

Silly me, is no bug, i'm using the VC++ project file from Andrew Gray (http://www.iconsinc.com/~agray/ossldev/) which have a different path for the .lib files. So not an error.

> > Additionally mod_ssl doesn't build under Win2k, stops with this error:
> >
> > cl.exe /nologo /c /O2 /MD /W3 /GX /DNDEBUG /DWIN32 /D_WINDOWS /DSHARED_MODULE /DEAPI /DMOD_SSL=207101 /DMOD_SSL_VERSION=\"2.7.1\" /I..\..\include /Ic:\programme\opensa\openssl\include ssl_engine_pphrase.c
> > ssl_engine_pphrase.c
> > NMAKE : fatal error U1073: don't know how to make 'ssl_engine_scache.obj'
>
> Ok, also fixed.

Where can i get the fixed version?

Daniel
error in configure.bat
Hy,

just tried out mod_ssl 2.7.1 on Win2k. There are several problems within configure.bat:

o configure.bat doesn't recognize the openssl-0.9.6 source tree
  if i use --with-ssl=..\openssl-0.9.6, it says there's no openssl
  if i use --with-ssl=c:\openssl, it works
o in line 437 it points to makefile.nt, which is no longer existent with Apache 1.3.14, it's now called makefile.win

Additionally mod_ssl doesn't build under Win2k, stops with this error:

    cl.exe /nologo /c /O2 /MD /W3 /GX /DNDEBUG /DWIN32 /D_WINDOWS /DSHARED_MODULE /DEAPI /DMOD_SSL=207101 /DMOD_SSL_VERSION=\"2.7.1\" /I..\..\include /Ic:\programme\opensa\openssl\include ssl_engine_pphrase.c
    ssl_engine_pphrase.c
    NMAKE : fatal error U1073: don't know how to make 'ssl_engine_scache.obj'

Daniel
RE: french crypto
> We have tested it out here at Lucent (I haven't myself so I can only say
> what happened, not why). Installing a 128bits certificate on the web server,
> and using 40bits french Netscape (v 4.5 or 4.6) on NT4 to access it :
> computer crash !
> As I've said, I only share my experience, so maybe Florin will be better
> fitted out with a 40bits certificate after all

Here we use both 128 and 40 bits browsers without any problem ! AFAIK, during the SSL handshake, the browser and the server decide what strength they are going to use during their communication. So, the one that has the shortest key length will impose it for their comm. That's all I think!
RE: french crypto
Bonjour Florin,

French law is now (since the very beginning of this year) more cool on key length! You can use 128 bits. However note that most of the browsers used by french people are still 40 bits browsers due to earlier restrictions.

Daniel.

> This is kinda off-topic, but maybe not...
>
> I'll have a https website in Paris very soon. I know there are some problems
> with the law in France, regarding crypto software. So, what i wanna know is
> what key length should i choose, 40 bit or 128 bit?
> French people usually use 128 bit browsers?
Re: encrypted keys: how to submit the passphrase to a script?
rob,

thanks for your suggestions. although i adjusted your script to suse's apache-start-script there still was a problem: the 'expect/send' commands somehow could not catch the httpd-process invoked by the suse-script as suse actually first invokes startproc which then starts httpd:

> startproc -t 7 /usr/sbin/httpd -f /etc/httpd/httpd.conf $MODULES || return=$rc_failed
  ^^

now i just removed 'startproc -t 7' which means that i need to watch out for already running httpd's prior to executing the script (for not starting multiple instances of httpd). but i get asked for the passphrase now, which is what i wanted to have :-)

regards
dani

[EMAIL PROTECTED] wrote:
>
> I'd suggest using expect(1) , and write a script, such as the following
>
> --cut here--
>
> #!/usr/local/bin/expect --
>
> exp_version -exit 5.0
>
> # Here is your password
> set pword "53cr37"
>
> #spawn /usr/bin/kill -TERM `/usr/bin/cat /path/to/logs/httpd.pid`
>
> spawn /path/to/bin/apachectl stop
> sleep 3
>
> spawn /path/to/bin/apachectl startssl
> sleep 6
>
> expect "phrase"
>
> send "$pword\r"
>
> --end cut--
>
> Enjoy
>
> --Ron

--
Daniel Mettler
http://www.icu.unizh.ch/~mettlerd
make config. not war.
encrypted keys: how to submit the passphrase to a script?
hi all,

i already wrote to this mailinglist a few weeks ago without getting any answer so far :-(

my preconditions:

- i use passphrase encrypted keys
- all settings in httpd.conf related to mod_ssl are correct
- among these settings i use:
  > SSLPassPhraseDialog builtin
- httpd gets started through a bash-script (suse's /sbin/init.d/apache)
- this script basically does the following:
  > startproc -t 7 /usr/sbin/httpd -f /etc/httpd/httpd.conf $MODULES || return=$rc_failed
  where $MODULES is a list of dynamically evaluated "-D" options for apache (they are okay)

my problem:

- i get prompted to enter the passphrase when i execute apache directly like
  > /usr/sbin/httpd -f /etc/httpd/httpd.conf -D SSL -D PERL (etc.)
  like this i enter the passphrase at the prompt and everything works fine (apache starts)
- but when i use the script as mentioned above i do *not* get prompted to enter the passphrase, instead apache prints an error-message (private key not found etc. -> due to the missing passphrase, as expected)

my desired postconditions:

- i do not want to use the SSLPassPhraseDialog exec:/blabla option as this is not safer than having not encrypted keys
- i do not like to start httpd directly as i like the script which dynamically sets the correct "-D" options for apache (depending on which modules are installed)
- i would like to modify this script (~ the command-line above) the way that i can give my passphrase as the second command-line parameter ($2).

i already tried to do some piping like

  > yes mypassphrase | startproc -t 7 /usr/sbin/httpd -f /etc/httpd/httpd.conf $MODULES || return=$rc_failed

and

  > startproc -t 7 /usr/sbin/httpd -f /etc/httpd/httpd.conf $MODULES < `echo mypassphrase` || return=$rc_failed

but anything worked. i also replaced 'mypassphrase' with $2, it did not work either. i do not know whether this problem is just a problem of bash-scripting or whether apache somehow does not accept these pipes.

i would be happy too if there just was a command-line option for httpd to set the passphrase

i really hope that you can help me

thanks
daniel

--
Daniel Mettler
http://www.icu.unizh.ch/~mettlerd
make config. not war.
RE: FYI: Compiling on Win32
> Ok, but then the question remains: Why was this extra include and this
> extra lib not necessary in the past to build Apache+mod_ssl under Win32
> and why is it still not necessary for some users while users say it is?

Apache required Winsock 2 from version 1.3.9 on, maybe that's the magic point. But as i use a Visual C++ workspace for mod_ssl, this problem never appeared because Visual C++ automatically added gdi and winsock2.

/me
--
Open Server Architecture project http://www.opensa.org/
Daniel S. Reichenbach [EMAIL PROTECTED]
RE: FYI: Compiling on Win32
> Thanks for your patches. But I personally cannot decide whether these
> are reasonable and correct or not. Can someone else confirm that these
> patches are really necessary for mod_ssl to build under Win32? I'm still
> very sceptic whether gdi32.lib and winsock2.h are generic things which
> are available under all Win32 environments...

GDI is available on all systems, as it's part of every Windows version and winsock2.h must be, as Apache uses WinSock Version 2, too. So both are required to be there, otherwise no Apache and no mod_ssl.

/me
--
Open Server Architecture project http://www.opensa.org/
Daniel S. Reichenbach [EMAIL PROTECTED]
suse's /sbin/init.d/apache script and encrypted private keys
hi,

i got a problem concerning *encrypted* private key files and the script by suse i usually use to start apache. as mentioned in the mod_ssl manual i set the 'SSLPassPhraseDialog builtin' option for apache to prompt me for the passphrase at startup (of apache). but when i use '/sbin/init.d/apache restart' i do not get asked for this, instead the following error-message gets displayed:

> flash:/etc/httpd # Apache/1.3.6 mod_ssl/2.3.5 (Pass Phrase Dialog)
> Some of your private key files are encrypted for security reasons.
> In order to read them you have to provide us with the pass phrases.
>
> Server www.xyz.ch:443
> Apache:mod_ssl:Error: Private key not found.

even if the paths are ok and the private key is readable by the webserver... what's wrong, how can i have apache to prompt me for the pwd? or is it something with the scope of the ssl-options in httpd.conf? currently i have my keys in subdirectories of /etc/httpd, which is the default if i am right (apache server-root is /usr/local/httpd with me). but i have also tried to place the keys inside the server-root with the same effect...

thanks for your help
daniel
--
Daniel Mettler [EMAIL PROTECTED] http://www.icu.unizh.ch/~mettlerd
SSL Keys...
Just to get complete understanding about the actual Certs that one would buy from someone like Verisign. Do you need 1 cert per Apache server, one per domain/IP address, or one per host on the domain?

--
Daniel Chester
Technical Architect, RentPayment.Com
RE: Invalid method in request C or F
I faced the same trouble, on NT. Fixed by simply restarting all the stuff on my side! HTH Daniel.

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On behalf of jleung
> Date: Friday, 24 March 2000 20:52
> To: [EMAIL PROTECTED]
> Subject: Invalid method in request C or F
>
>
> We have Apache 1.3.12 with mod_ssl-2.6.1-1.3.12, and secure and non-secure
> web server running on the same Solaris box. The SSL had been working fine
> for weeks before the system rebooted a couple of days ago. Now, we
> couldn't connect to the secure server, and the following is the error
> message it logged into the error_log:
>
> [error] [client x.x.x.x] Invalid method in request C
> [error] [client x.x.x.x]Invalid method in request F
>
> and for the access_log, its says:
>
> - - [24/Mar/2000:11:04:51 -0800] "F" 501 -
>
> Do you know what could be the problem here? We did start and stop the
> secure server before with the system up and running with no ill effects.
> Now, does it mean that we need to test the secure server with a system
> reload as well?
>
> Regards,
> Janet Leung E-mail: [EMAIL PROTECTED]
> ISD USC, Los Angeles, CA 90089-0251
Re: SOLARIS 2.6
I had the same problem, I just went to the openSSL website and downloaded their latest snapshot. Works fine now.

Kevin Lichwalla wrote:

> use openSSL 0.9.4 and you will find that you have better luck I had
> the same problem.
>
> Kevin
>
> At 11:44 AM 3/17/00 +0100, you wrote:
> >On Fri, 17 Mar 2000, jessie wrote:
> >
> > > I reinstalled Solaris 2.6
> > > and now i'm trying to install apache 1.3.12 with SSL module.
> > > I was able to compile openSSL 0.9.5 with just the default settings.
> > > I ran make test on my compilation and everything worked
> > > I then applied the mod_ssl 2.6.1 patches to the apache source tree ...
> > > again no errors
> > > I then configured the apache source using
> > >
> > > SSL_BASE=../openssl0.9.5 \
> > > ./configure \
> > > --enable-module=ssl \
> > > --prefix=/usr/local/apache
> > >
> > > everything worked ... i then ran make and everything compiled
> > > now i wanted to build test certificates so i ran
> > > make certificates
> > > then i just used all the defaults and then it asked me to enter a
> > > passphrase
> > > to encrypt the private key .. I entered 'test' twice then i got an
> > > ERROR message:
> > >
> > > unable to write key
> > > 26918:error:24064064:random number generator:SSLEAY_RAND_BYTES:
> > > prng not seeded:md_rand.c:470:
> > > mkcert.sh:Error: Failed to encrypt RSA private key
> > >
> > > can anyone help me?
> >
> >i got an error like this in a solaris 2.7+apache-1.3.12 when i configured
> >openssl-0.9.5 as solaris-sparcv9-gcc.
> >
> >i changed that with solaris-sparcv7-gcc and it works fine.
> >
> >--
> >
> > david manyé i robert
> > departament d'enginyeria informàtica i matemàtiques
> > universitat rovira i virgili
> > autovia de salou, s/n
> > 43006 tarragona
> >
> > tel.: 977-559706
> > e-mail: [EMAIL PROTECTED]

--
Daniel Chester
Technical Architect, RentPayment.Com
Re: vitural hosting dilemma
couldn't you set up:

Allan Jacobsen wrote:

> "Robin P. Blanchard" wrote:
> >
> > here's the basic scenario:
> >
> > www.somedomain.com
> > www.otherdomain.com (CNAME for www.somedoamin.com)
> > www.anotherdomain.com (CNAME for www.somedomain.com)
> >
> > in my httpd.conf i have
> >
> >
> >
> > all, of course, have individual document roots.
> > thus, http://www.somedomain.com works perfectly,
> > as well as https://www.somedomain.com.
> > http://www.otherdomain.com and http://www.anotherdomain.com
> > also work fine. however, https://www.otherdomain.com and
> > https://www.anotherdomain.com respond as
> > https://www.somedomain.com. i don't want these two to
> > respond at all to https requests. is there a way to
> > accomplish this?
> No, this question was asked less than a week ago, and
> the only way to do it is to have 3 different IP addresses
> for the 3 https servers.
>
> Best regards
> Allan Jacobsen

--
Daniel Chester
Technical Architect, RentPayment.Com
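The IP-based layout that Allan Jacobsen's quoted reply calls for, written out as an added example (not configuration from the thread): only one address accepts SSL, so the other two names cannot be answered with www.somedomain.com's certificate. The addresses (RFC 5737 documentation range), document roots and certificate paths are assumptions; the hostnames are the thread's, and the directives are Apache 1.3 / mod_ssl 2.x syntax.

```apache
# Added example, not from the thread. Addresses, paths and document roots are
# constructed placeholders; hostnames are the ones used in the thread.
#
# DNS assumption: each name gets its own A record instead of a CNAME:
#   www.somedomain.com    -> 192.0.2.10
#   www.otherdomain.com   -> 192.0.2.11
#   www.anotherdomain.com -> 192.0.2.12
#
# With the Apache/mod_ssl versions discussed here, the SSL handshake (and the
# choice of certificate) is finished before the Host: header can be read, so
# on port 443 the destination IP address is the only selector available.

# Bind explicitly: plain HTTP on all three addresses, SSL on one only.
Listen 192.0.2.10:80
Listen 192.0.2.11:80
Listen 192.0.2.12:80
Listen 192.0.2.10:443

<VirtualHost 192.0.2.10:80>
    ServerName   www.somedomain.com
    DocumentRoot /www/somedomain
</VirtualHost>

<VirtualHost 192.0.2.11:80>
    ServerName   www.otherdomain.com
    DocumentRoot /www/otherdomain
</VirtualHost>

<VirtualHost 192.0.2.12:80>
    ServerName   www.anotherdomain.com
    DocumentRoot /www/anotherdomain
</VirtualHost>

# The only SSL vhost. Nothing listens on 192.0.2.11:443 or 192.0.2.12:443,
# so https:// requests for the other two names are refused at connect time
# instead of being served www.somedomain.com's certificate and content.
<VirtualHost 192.0.2.10:443>
    ServerName   www.somedomain.com
    DocumentRoot /www/somedomain
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl.crt/somedomain.crt
    SSLCertificateKeyFile /etc/httpd/ssl.key/somedomain.key
</VirtualHost>
```

After `apachectl configtest` and a restart, `openssl s_client -connect 192.0.2.11:443` should fail to connect, while the same command against 192.0.2.10:443 should show the www.somedomain.com certificate.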
Apache_1.3.12-mod_ssl_2.6.1-openssl_0.9.5-WIN32-i386.zip
All,

Sorry if such message should not be sent here... If so, ignore and delete it! :-)

I recently brought over the Win32 binaries packaged on Mar 14th, 2000: Apache_1.3.12-mod_ssl_2.6.1-openssl_0.9.5-WIN32-i386.zip

Unfortunately, I can't get the HTTPS server running... In fact, I didn't know how to start it using the included deliverables... Probably the contributor that has built it may help me...

Thanks!

Best regards,
Daniel.
Announce: OpenSA release 0.20
The OpenSA Project team is pleased to announce the release of version 0.20 of our Open Source package for Win32. This new version incorporates several changes and bugfixes to the package (for a complete list see the http://www.opensa.org/news/changelog/).

This Apache package provides a full implementation of Apache and its commonly used extension modules for the Win32 platform, which means both Windows 9x and Windows NT and Windows 2000.

The most significant changes are:

o Changed build scheme for OpenSA, preparing OpenSA Apache for new command line based building.
o Fixed bugs in installation, which created wrong path additions.
o Added update feature for previous OpenSA installation.
o Fixed some bugs in config files: httpd.conf and php.ini.
o Upgraded to Apache 1.3.12.
o Upgraded to mod_ssl 2.6.2-1.3.12.
o Upgraded to OpenSSL 0.9.5.
o Added support for ASP, using OpenASP package.
o Added support for DAV, using mod_dav package.

OpenSA version 0.20 is considered to be the best version of OpenSA available and users of previous versions are encouraged to upgrade as soon as possible.

The OpenSA package is available for Download via HTTP and FTP from the following location:

o http://www.opensa.org/download/0.20/opensa_0.20bin.exe (Binary distribution)
o http://www.opensa.org/download/0.20/opensa_0.20src.exe (Source distribution)
o ftp://ftp.opensa.org/source/0.20/ (both)

Yours,
The OpenSA Project Team
Martin Horwath * Christian Meis
David Norris * Daniel S. Reichenbach

The OpenSA Project http://www.opensa.org/
RE: ie4-5 and error messages
> Because the mod_ssl changes between 2.5 and 2.6 are not SSL/TLS protocol
> > dependent, the problem has to be the changes between OpenSSL 0.9.4 and
> > 0.9.5. Seems we have a major problem introduced between 0.9.4 and 0.9.5,
> > because the IE4-related problem reports grow...

I checked mod_ssl from version 2.6.0 to 2.6.2 with both OpenSSL 0.9.4 and OpenSSL 0.9.5 under Win 98 and NT/SP5, compiled with Visual C++ 6.0. All compile fine. But... With mod_ssl 2.6.2 no connect to an SSL site is possible. The startup logs look okay, but then connecting to the https site with both Netscape and IE just adds entries like these to the engine log (browser just hangs):

[08/Mar/2000 19:47:06 -302453] [info] Connection to child 0 established (server localhost:443, client 127.0.0.1)

This is what is logged on my system for every connection. I tried it with IE 5.0 and Netscape 4.7.

/me
The OpenSA Project http://www.opensa.org/
Daniel S. Reichenbach [EMAIL PROTECTED]
RE: ¡HELP!
> I'm using an Apache 1.3.12 (win32), ApacheJServ 1.1,
> mod_ssl 2.6.0 and OpenSSL 0.9.4.
> Starting Apache a warning message is appearing "Loaded
> DSO [...]\ApacheModuleJServ.dll uses plain Apache 1.3
> API, this module might crash under EAPI! (please
> recompile it with -DEAPI)
> I'm trying to do that but in Visual C++ 6.0 (cl
> command) there isn't a -DEAPI option. I think it's a
> compiler option and not a linker option.

Yes, it's a compiler option. In the JServ makefile in Source\c\makefile.win32 should be a line containing something like

JSERV_DEFINE = /D "WIN32" /D "NDEBUG" /D "_WINDOWS"

There you have to add /D "EAPI" to get JServ running without this error message.

/me
The OpenSA Project http://www.opensa.org/
Daniel S. Reichenbach [EMAIL PROTECTED]
RE: Re(2): ANNOUNCE: mod_ssl 2.6.0-1.3.12, Win32 bro ken
> > #ifdef WIN32
> > #include
> > #endif
> >
> > These additions work also with vc++ 5.0
>
> Ok, I've added these lines to mod_ssl.h for 2.6.1.

Just checked it with NT5 and Win98. Works fine for both.

Daniel
The OpenSA Project http://www.opensa.org/
Daniel S. Reichenbach [EMAIL PROTECTED]
RE: ANNOUNCE: mod_ssl 2.6.0-1.3.12, Win32 broken
> > Last version running was mod_ssl 2.4.10. Is there any cvs log or so,
> > where i can take a look at things changed since 2.4.10 ?
>
> You can retrieve a copy of the CVS source repository via rsync as
> explain on http://www.modssl.org/source/repos.html and then checkout
> particular mod_ssl versions from there. Additionally you can easy see
> differences between versions by running "cvs diff -u3 -rMOD_SSL_2_4_10
> -rMOD_SSL_2_6_0" (this for instance gives the diff between 2.4.10 and
> 2.6.0"), etc.

I'll take a look, if i can find the reason for this compile error. Oh, and thanks for the fast reply.

AND BESIDES, I WISH YOU BOTH ALL THE BEST!

Daniel
The OpenSA Project http://www.opensa.org/
Daniel S. Reichenbach [EMAIL PROTECTED]
RE: ANNOUNCE: mod_ssl 2.6.0-1.3.12, Win32 broken
> i did a quick test with Apache 1.3.12, mod_ssl 2.6.0 and both OpenSSL
> 0.9.4 and 0.9.5beta1 under Win98 and WinNT/SP5.

And the story continues...

> Did anyone else take a look? I couldn't find any errors with mod_ssl.
> Last version running was mod_ssl 2.4.10. Is there any cvs log or so,
> where i can take a look at things changed since 2.4.10 ?

I just did a quick check with many diffs and loads of coffee :-) None of Ralf's changes seem conflicting with Win32. The biggest change is the "POST for HTTPS" support, which is now conservative instead of experimental. All other changes i found, can't cause this error message i posted yesterday.

Anyone else out there, who has Apache with mod_ssl higher than 2.4.10 up and running ???

/me
The OpenSA Project http://www.opensa.org/
Daniel S. Reichenbach [EMAIL PROTECTED]
RE: ANNOUNCE: mod_ssl 2.6.0-1.3.12, Win32 broken
Hy,

i did a quick test with Apache 1.3.12, mod_ssl 2.6.0 and both OpenSSL 0.9.4 and 0.9.5beta1 under Win98 and WinNT/SP5. Got the following error message using NMAKE Version 6.00.8168.0:

cl.exe /nologo /c /O2 /MD /W3 /GX /DNDEBUG /DWIN32 /D_WINDOWS /DSHARED_MODULE /DEAPI /DMOD_SSL=206100 /DMOD_SSL_VERSION=\"2.6.0\" /I..\..\include /Ic:\programme\opensa\openssl\include mod_ssl.c
mod_ssl.c
ssl_util_ssl.h(96) : error C2059: syntax error : ','
ssl_util_ssl.h(96) : error C2143: syntax error : missing ')' before '('
ssl_util_ssl.h(96) : error C2143: syntax error : missing ')' before '('
ssl_util_ssl.h(96) : error C2091: function returns function
ssl_util_ssl.h(96) : error C2091: function returns function
ssl_util_ssl.h(96) : error C2143: syntax error : missing '{' before 'constant'
ssl_util_ssl.h(96) : error C2059: syntax error : ''
ssl_util_ssl.h(96) : error C2059: syntax error : ')'
ssl_util_ssl.h(96) : error C2059: syntax error : ')'

Did anyone else take a look? I couldn't find any errors with mod_ssl. Last version running was mod_ssl 2.4.10. Is there any cvs log or so, where i can take a look at things changed since 2.4.10 ?

/me
The OpenSA Project http://www.opensa.org/
Daniel S. Reichenbach [EMAIL PROTECTED]
RE: Crypto law question...
> I thought you're in Germany, Daniel? If yes, then why do you bother about
> US export laws? For the Win32 problems I can only say that I've not
> changed any Win32 stuff in mod_ssl recently, so I guess the problems
> might be more related to changes in Apache. But if you have any patches
> at hand, let us know about them, please.
>
>Ralf S. Engelschall

Yes, i am in Germany :-) But Dave, who also helps in development is in the US and i'm not sure, if its okay to discuss code related things or even send code snippets to him. Oh and for the Win32 problems you're right. It's not with mod_ssl :-) More soon.

Daniel [EMAIL PROTECTED]
Crypto law question...
Hy,

just a little law thing: after the export laws now have changed to allow 128bit exports, how about discussing code related things??? For OpenSA we would have several mod_ssl related issues to be discussed. This would help to fix the Win32 problems in 2.5.0.

Daniel
The OpenSA Project http://www.opensa.org/
Daniel S. Reichenbach [EMAIL PROTECTED]
RE: Apache 1.3.11, mod_ssl 2.5.0: Compilation problems on NT
> > [snap]...
> > Now, my C is a bit rusty but I couldn't find anything wrong with
> > line 96 in ssl_util_ssl.h...
>
> Line 96 is certainly correct, you'll not find a syntax error there. The
> problem is more that some things in this line are not defined. I expect
> that your OpenSSL header files do not provide some things. But I've no
> clue what this is the case. Can someone find out more on Win32 for us?

Just checked it with nearly the same config.

System: NT4 SP5, VC6 SP3
Apache: Apache 1.3.11, mod_ssl 2.5.0, OpenSSL 0.9.4
(Same OpenSSL version works fine with mod_ssl 2.4.10-1.3.9.)

I checked mod_ssl 2.5.0 and EAPI, but couldn't find any probs. How about the changes for Apache 1.3.11? Maybe there?

> Ralf S. Engelschall

Daniel S. Reichenbach [EMAIL PROTECTED]
RE: windows
> > is the modssl working under NT ?
> > where can I get manual ?
> >
> > If not, who have any idea , what to do ?
>
> Read the INSTALL.W32 document in the mod_ssl distribution tarball and/or
> go to www.opensa.org.
>Ralf S. Engelschall

Due to a server crash www.opensa.org was down for some hours. I'm currently updating the server, so the site may be temporarily down. I hope that all will be finished by tomorrow.

Daniel
The OpenSA Project http://www.opensa.org/
Daniel S. Reichenbach [EMAIL PROTECTED]
RE: OT: How to Add a Module to Apache
> > Just run a single "nmake" in Apache_1.3.x\src and then "nmake
> > install" and that's it.
>
> Although it is a very positive progress, it is not what I meant. I
> want a shared distribution for all the platforms, which can be built
> simply (1-2 steps rather than dozens of steps and packages to load
> from the net), under ALL of the platforms. Similar steps are not the
> important thing (though they may help; BTW: Why don't you create a
> batch file "make.bat" which will call nmake and translate its
> parameters to nmake's syntax?). The important thing is that the ease
> of build and installation that you achieved for Windows users, will
> be shared by the UNIX users too.

Hmm, little batch file could be done. If we do this, anyone could type "make" on both Unix and Win32 and get the compiled Apache ? So our "make.bat" would have to mimic the behaviour of a Unix makefile and you could do things like "make install" or in the case of mod_ssl "make certificate TYPE=..."? We would still have separated builds. In that case we need the .sh files from mod_ssl as batches, too.

I'm not sure, if this is the right way. Wouldn't it separate the build process a bit more? Sounds like having the same things to do on all platforms, but all on different ways.

How about Cygwin32? This sounds cleaner to me. We could change the makefiles to detect Cygwin32 and then do the same things for Win32 as under Unix. ?

Daniel
The OpenSA Project http://www.opensa.org/
Project Information [EMAIL PROTECTED]
Daniel S. Reichenbach [EMAIL PROTECTED]
RE: OT: How to Add a Module to Apache
> One last word to the OpenSA people: I believe that it will not be an
> impossible job to make OpenSA portable to UNIX. Windows was always
> harder for such stuff (Apache, mod_ssl, PHP, OpenSSL, etc.) to build
> and install, but UNIX is not for newbies too. Maybe I can help.

Yep, you're right. Actually we're currently on the way to get these things done:

- update all HTML output to HTML4 / CSS2 (mod_status, mod_autoindex, mod_info)
- clean up the build process: we have .mak for all modules, mod_ssl now has a real Win32 makefile. This could be taken for future mod_ssl distribs. Ralf ? Which format would you need it? Additionally a Visual Studio project has been created.

The next release will have a new build scheme, which could be near to what Eli might want. The build can be done the Unix way. Just run a single "nmake" in Apache_1.3.x\src and then "nmake install" and that's it.
RE: OT: How to Add a Module to Apache
> I know OpenSA, and I'm even subscribed to its mailing list. I only
> thought that its good idea, the integration, may help Apache and
> mod_ssl too. Especially when you have one source tree for UNIX and
> Windows (which is very simple, as I already tried and explained).

Sorry me. Should have read to the end. You said that SSL_INC and SSL_LIB could be defined as env vars under Win32. I would vote +1 for it. The same is used in PHP4 for Cygwin32 integration in the makefiles. It works fine, even under Win98 (which i personally don't like). And when EAPI will be part of Apache 1.3.10, we'll be on the right way.

If i get you right, you would like an Apache source tree, where you get the same result, when you do a make under Unix or a nmake under Win32, no matter what extensions or modules have been applied. Right?

Daniel <[EMAIL PROTECTED]>
RE: OT: How to Add a Module to Apache
> In any case, last time I installed mod_ssl on an NT, I was forced to
> download and install zillion of other things: Apache (of course...),
> OpenSSL, perl (to run configure.bat), patch.exe (which is used by
> configure.bat), etc., etc. I would be grateful if I could download a
> big (if you insist to call 10MB "big"; It's less than IE5) package
> instead of collecting many pieces from many sites.

Under NT you can go to http://www.opensa.org/ and get Apache, mod_ssl, OpenSSL and PHP4 with a comfortable installation for about 3MB. Five to ten minutes download plus two minutes installation and that's it. That should be ok ?!

Daniel
The OpenSA Project http://www.opensa.org/
Project Information [EMAIL PROTECTED]
Daniel S. Reichenbach [EMAIL PROTECTED]
Re: Secure Email
"Michael A. Clubine" wrote: > Has anyone setup SSL encryption for Email? I have the ssh package up > and running, but haven't read anything about securing email. I did > notice it in my Netscape options however. Sorry for the last reply, one too many glasses of Wine tonight :@) Wrong question answered completely and I even thought I was sending mail to the Greater New Hampshire Users Group mailing list. Oh dear! I believe a possible solution still lies with openssl though. I'm sure others can tell you how to do this better than me though. Especially in this brain addled state:-) Sorry all /dan -- Daniel Sutcliffe <[EMAIL PROTECTED]> __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Secure Email
"Michael A. Clubine" wrote: > Has anyone setup SSL encryption for Email? I have the ssh package up > and running, but haven't read anything about securing email. I did > notice it in my Netscape options however. You want to do some searches on S/MIME, loads of info out there. Haven't seen many clients other than Netscape and M$ Outbreak that do it too well though. Does anyone know any different? > I am running i386 RH 6.1 and sendmail-8.9. Neither of which are involved in secure email :-) The only thing you need to do is generate (and get signed) a PKS#12 certificate. Which is usually done by your client and Certificate Authority (someone like Verisign). If you wish to do it all your self, including becoming a CA (useful for Intranets and small groups to save money) you need openssl (www.openssl.org). Hope this helps /dan -- Daniel Sutcliffe <[EMAIL PROTECTED]> __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
The OpenSA Project moved to new domain opensa.org
The OpenSA Project has moved to the new domain http://www.opensa.org/. The old site under http://www.opensa.de/ will be closed soon. The new site will be finished tomorrow. New features include:

- Anonymous FTP site under ftp.opensa.org
- Anonymous CVS under cvs.opensa.org
- New majordomo managed mailing lists under [EMAIL PROTECTED] and [EMAIL PROTECTED]

Please update your bookmarks.

About the OpenSA Project:

The OpenSA Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source package, including Apache, mod_ssl, OpenSSL, Bind, PHP3 (or PHP4) and Sendmail on the Win32 Platform. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop OpenSA packages under Win32.

Yours,
Daniel
The OpenSA Project http://www.opensa.org/
Project Information [EMAIL PROTECTED]
Daniel S. Reichenbach [EMAIL PROTECTED]
RE: Installation Problem
> put the same in openssl\bin directory, thinking it is a typo. I
> proceeded to step 4 where I need to run the configure.bat file. But it
> is giving error "Can't execute configure.bat". I don't know what to do.
> Can anybody help me to successfully install it.

Are you possibly using Win95 or Win98 ? Did you install ActivePerl? Perl is required to run configure.bat.

Daniel Reichenbach
RE: ANNOUNCE: mod_ssl 2.4.9
> Changes with mod_ssl 2.4.9 (05-Nov-1999 to 24-Nov-1999)
>
>*) Now on Win32 a warning is logged once on startup that mod_ssl is
> NOT officially supported under Win32 and people have to use
> it there on their own risk (and so shouldn't complain if it doesn't
> work). Because only the Unix platform is officially supported and
> mod_ssl is checked for security issues only related this platform.
>

I just checked mod_ssl under Win32 (NT5, SP5 and Win2000). And again all compiles just out of the box and works. The latest fixes did it. Thanks for your work, Ralf.

Daniel
RE: ANNOUNCE: OpenSA 0.1
> > o Upgrade to mod_ssl 2.4.2-1.3.9
> > [...]
>
> Just a question: Are there any reasons why you're using 2.4.2 and not the
> latest 2.4.6 (or at least 2.4.5)?

Yes, we did the code at a point, where no mod_ssl version after 2.4.2 was working. As I mailed earlier to the list, mod_ssl doesn't compile correct after version 2.4.2. I didn't have the time to check 2.4.6 or your posted patch, so we stayed with 2.4.2. I'll check 2.4.6 and tell you, if it works.

Daniel
The OpenSA Project http://www.opensa.de/
Project Information [EMAIL PROTECTED]
Daniel Reichenbach [EMAIL PROTECTED]