ca cert questions (was Re: Dumb SSL question)

2002-04-02 Thread jon schatz

On Tue, 2002-04-02 at 13:50, Ladner, Eric (Eric.Ladner) wrote:
> What mechanism is it that will allow an encrypted communication (a
> connection to the https side of the web server) without popping up
> the View/Accept/Whatever dialog for the certificate?

All that's required is a valid cert (valid date, correct server name)
signed by a valid CA (installed on your web browser or on the remote
server). Which brings me to my question:

my company purchased a cert from geotrust. initially, we couldn't make
the cert work (we got an ie dialog saying that the cert was from a company
we had not chosen to trust). geotrust had me install a CA cert on the
server and use 'SSLCACertificateFile' to point to it. magically, ie then
trusted the certificate. so why does this work? i mean, why can't i
start forging ssl certificates that are trusted by my own ca files that
i host locally? do browsers do any verification of ca files served up by
remote machines? feel free to point me to documentation on this one...

-jon

-- 
[EMAIL PROTECTED] || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
You are in a twisty little maze of Sendmail rules, all confusing. 



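The short answer to the question above is that the browser never trusts a CA certificate merely because the server sent it: it walks the chain from the server certificate upward and only accepts the chain if it ends at a root that is already in its own trust store. Installing the GeoTrust intermediate on the server just made the server hand that intermediate to the client along with its own certificate, so the client could complete the walk to the GeoTrust root it already had. The script below is an added example (not part of the thread) that reproduces the three situations with the openssl command-line tool, using a throwaway PKI; every name in it (Example Root CA, www.example.com, the rogue CA, the file stems) is constructed for the demo, and it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: a toy PKI that shows what a TLS client's chain verifier checks.
# Constructed names throughout; assumes the openssl CLI is installed.
set -e

PKI_DIR=$(mktemp -d)
cd "$PKI_DIR"

# Extension profiles: a CA profile for root/intermediate certs, a server profile for the leaf.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF

# make_root STEM CN: a self-signed CA; stands in for a root held in the browser's store.
make_root() {
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" -days 30 \
        -config pki.cnf -extensions ca_ext 2>/dev/null
}

# issue_cert STEM CN ISSUER_STEM EXT_SECTION: a cert signed by an existing CA.
issue_cert() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" -config pki.cnf 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
        -out "$1.pem" -days 30 -extfile pki.cnf -extensions "$4" 2>/dev/null
}

# verify_leaf TRUSTED UNTRUSTED LEAF: TRUSTED plays the browser's root store,
# UNTRUSTED is whatever the server sent alongside its own certificate (may be empty).
# Exit status 0 only when LEAF chains up to a cert in TRUSTED (the "OK" line is
# matched rather than relying on the exit code of older openssl verify builds).
verify_leaf() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q "^$3: OK$"
    else
        openssl verify -CAfile "$1" "$3" 2>/dev/null | grep -q "^$3: OK$"
    fi
}

# Legitimate hierarchy: root (trusted by the client) -> intermediate -> server cert.
make_root root "Example Root CA"
issue_cert inter "Example Intermediate CA" root ca_ext
issue_cert server www.example.com inter server_ext

# A CA nobody trusts, issuing a cert for the very same host name.
make_root rogue "Rogue CA"
issue_cert rogue_server www.example.com rogue server_ext

# report LABEL TRUSTED UNTRUSTED LEAF: print the verdict for one scenario.
report() {
    if verify_leaf "$2" "$3" "$4"; then echo "$1: trusted"; else echo "$1: NOT trusted"; fi
}

# 1. Server sends only its own cert: the walk stops at an unknown issuer (the IE dialog).
report "leaf alone"                     root.pem ""        server.pem
# 2. Server also sends the intermediate: the walk reaches the trusted root.
report "leaf + intermediate"            root.pem inter.pem server.pem
# 3. Server sends its home-made CA plus a cert signed by it: still no trusted root.
report "rogue leaf + rogue CA from server" root.pem rogue.pem rogue_server.pem
```

The `-untrusted` file models exactly what the server can influence: extra certificates that may be used as links in the chain, but never as trust anchors. Case 3 is the forgery scenario from the question; the rogue CA reaches the verifier, is used to build a chain, and the chain is then rejected because its top is not in the trusted set. The only way it would pass is if the rogue root were imported into the client's store, which is a local configuration change, not something a remote server can do.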


Re: Problem with reading client certificate - downgrade doesn't seem to work

2002-03-11 Thread jon schatz

On Mon, 2002-03-11 at 08:45, Bruno Georges wrote:
> It looks like it is not possible to get anything from the client, and
> the connection is broken.
> I am a bit confused, according to the SetEnvIf directive IE response
> should be HTTP/1.0, also we force the form method to POST, which has no
> effect.

I had this problem w/ 1.3.20 + 1.3.22 + the appropriate mod_ssl +
mod_perl-1.2.26 on linux systems. It magically fixed itself with the
release of apache-1.3.23 + mod_ssl-2.8.6. Try this and see what happens
(to see if your setenvif is working):

[jon@devotchka jon]$ openssl s_client -quiet -connect devotchka:23456 <<EOF
> GET / HTTP/1.1
> Host: devotchka
> User-Agent: Mozilla/4.0 Compatible (MSIE)
> 
> EOF

Inside of my reply, I get (among other things):

 HTTP/1.0 200 OK
 Date: Mon, 11 Mar 2002 19:27:28 GMT
 Server: Apache/1.3.23 (Unix) mod_ssl/2.8.6 OpenSSL/0.9.6b mod_perl/1.26

I haven't upgraded to 2.8.7 yet, so i wonder if this problem was
reintroduced.

-jon



Re: IE browser does not display proper error message if the certificate is expired

2002-03-04 Thread jon schatz

On Mon, 2002-03-04 at 09:20, Shiva Murugesan wrote:
> It just displays the
> misleading error Page cannot be displayed DNS
> errors.

if you uncheck Tools -> Internet Options -> Advanced -> "Show Friendly
HTTP error messages", you can get more useful info. Unfortunately, the
default is to show the same error message for everything. You'll have to
change this by hand on your end users' machines (or write an ActiveX
control to do it for you).

-jon



Re: apache and mod_ssl

2002-02-08 Thread jon schatz

On Thu, 2002-02-07 at 16:02, bhawna sinha wrote:
> Also in the error log it says invalid
> method in request.

that means you're talking SSL to a normal http server. in other words,
port 443 is not listening for ssl connections.



RE: [BugDB] IE Problems connecting to mod_ssl server Linux (PR#663)

2002-01-31 Thread jon schatz

On Thu, 2002-01-31 at 07:59, R. DuFresne wrote:
> It was my understanding, and perhaps I've misread posts here, that the
> list here has long advocated this setting for IE issues:
>
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

except on current (apache 1.3.22) builds, this doesn't work (see my long
thread about this here and on httpd-users).

-jon



Re: strange problem with unclean shutdown

2002-01-25 Thread jon schatz

On Thu, 2002-01-24 at 08:24, Thomas Binder wrote:
> Test this using OpenSSL's s_client:

[jon@devotchka jon]$ openssl s_client -quiet -connect devotchka:23456 <<EOF
> GET / HTTP/1.1
> Host: devotchka
> 
> EOF
---snip---
HTTP/1.1 200 OK
Date: Fri, 25 Jan 2002 17:56:17 GMT
Server: Apache/1.3.22 (Unix) mod_ssl/2.8.5 OpenSSL/0.9.6b mod_perl/1.26
---snip---

again, ignoring the environment variables i set. I'm now fairly positive
that this is an apache bug, because these lines:

SetEnv downgrade-1.0
SetEnv force-response-1.0

aren't respected in the main (non-ssl) container either:

[jon@devotchka conf]$ telnet devotchka 12345
Trying 192.168.1.106...
Connected to devotchka.
Escape character is '^]'.
GET / HTTP/1.1 
Host: devotchka.sonicopia.com
User-Agent: Mozilla/4.0
Connection: close

HTTP/1.1 200 OK
Date: Fri, 25 Jan 2002 18:00:42 GMT
Server: Apache/1.3.22 (Unix) mod_ssl/2.8.5 OpenSSL/0.9.6b mod_perl/1.26

Since apache 1.2.23 came out last night, I'm going to wait until mod_ssl
is released for 1.2.23. If the problem still exists, i'm submitting this
to the apache-httpd bug db...

-jon





Re: strange problem with unclean shutdown

2002-01-23 Thread jon schatz

On Wed, 2002-01-23 at 10:12, Andreas Gietl wrote:
> i've got a really really strange problem with mod_ssl 2.8.5-1.3.22 on Apache
> 1.3.22 with openssl 0.9.6c.
---snip---
> These are the user-agents for these browsers:
>
> Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; DT)
> Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0; DT)
>

This is the same problem i reported yesterday (to this list and
apache-users). Check your logs; is apache aware of the User-Agent value
when a ssl connection is made? In my particular setup, it wasn't (even
though the value was set), and that caused the regex to fail. 

-jon



Re: strange problem with unclean shutdown

2002-01-23 Thread jon schatz

On Wed, 2002-01-23 at 12:10, Andreas Gietl wrote:
> uh - how did you fix this problem?

I haven't fixed it. I've gotten no feedback from either list
(modssl-users and apache-users) on this, and i've found older reports in
the apache bug db. so i'm not sure what to do. i've tried
unconditionally setting the broken ssl variables like so:

SetEnv nokeepalive
SetEnv ssl-unclean-shutdown
SetEnv downgrade-1.0 
SetEnv force-response-1.0 

inside of the ssl virtualhost container, but they're still being
ignored, and the errors still show up in the log. 

> I don't see any logentry in the ssl-access-log.

Do you log user agents? i use this to log:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

What's not being logged on my setup is the user-agent field...

-jon
