Re: Client Verification with sub ca's
Hi,

Same setup as works with both sub-CAs. Use the SSLRequire directive. Restrict on the client cert's issuer field (SSL_CLIENT_I_DN...).

Regards
Matt

----- Original Message -----
From: leanmeandonothingmachine leanmeandonothingmach...@gmail.com
To: modssl-users@modssl.org
Sent: Thursday, March 12, 2009 2:03:07 PM
Subject: Client Verification with sub ca's

I have a self-signed CA with multiple sub-CAs:

    root
     - sub-ca1
     - sub-ca2
     - server

I sign client certificates with either sub-ca1 or sub-ca2, and use server to sign certificates for the actual website. So in my Apache config I have this:

    SSLEngine on
    SSLOptions +StdEnvVars
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /data/keys/test.crt
    SSLCertificateKeyFile /data/keys/test.key
    SSLCertificateChainFile /data/keys/chain.pem
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /data/keys/ca.pem

test.crt is signed by server. chain.pem contains server and root, in that order. ca.pem contains sub-ca2 and root, in that order.

Everything seems to work fine except for the fact that the website also accepts client certificates signed by sub-ca1. But I'm trying to restrict this site to only sub-ca2 clients. I tried:

1) removing the root from ca.pem; that gives me a "Certificate Verification: Error (2): unable to get issuer certificate" error.
2) removing the root from ca.pem and adding sub-ca2 to chain.pem; same error.
3) changing SSLVerifyDepth to 1; that gives me a "Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1)" error.

Anyone know how to get Apache to only allow clients from one sub-CA but not others signed by the same root?

--
View this message in context: http://www.nabble.com/Client-Verification-with-sub-ca%27s-tp22469681p22469681.html
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org
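Matt's SSLRequire suggestion, written out against the poster's file layout. This is an added example, not configuration from either message; the issuer CN "sub-ca2" is an assumed value and has to be replaced by the CN actually present in the sub-ca2 certificate.

```apache
# Added example (not from the original mail): accept only client certificates
# issued by sub-ca2, using the poster's own key layout.
SSLEngine on
SSLOptions +StdEnvVars
SSLCertificateFile      /data/keys/test.crt
SSLCertificateKeyFile   /data/keys/test.key
SSLCertificateChainFile /data/keys/chain.pem

# ca.pem keeps BOTH sub-ca2 and root: OpenSSL has to build the chain up to a
# self-signed root, which is why dropping root produced
# "Error (2): unable to get issuer certificate".
SSLCACertificateFile    /data/keys/ca.pem
SSLVerifyClient require
# client -> sub-ca -> root
SSLVerifyDepth 2

# Chain validation accepts anything under root, so sub-ca1 clients still pass.
# The issuer restriction is a policy check layered on top of it. "sub-ca2" is
# an assumed CN: use the CN actually present in sub-ca2's subject.
<Location />
    SSLRequire %{SSL_CLIENT_I_DN_CN} eq "sub-ca2"
</Location>
```

SSL_CLIENT_I_DN_CN is the CN component of the client certificate's issuer, so the comparison does not depend on how the full DN string is rendered. The check only means something after SSLVerifyClient require has validated the chain against ca.pem; an issuer name inside an unverified certificate is just a string anyone can put there. On Apache 2.4, where SSLRequire is deprecated, the same test is written `Require expr "%{SSL_CLIENT_I_DN_CN} == 'sub-ca2'"`.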
Re: Can I use CA signed cert to create client authentication certificates?
Hi,

Asking every time does make it complicated. I can't remember if the Firefox default is to ask or auto supply (and it has changed behavior between 1/2/3 AFAIK); I have it as ask every time. Anyway, the ask-every-time FF behavior isn't very nice for users (auto supply is probably fine for most users). FF will also ask for a cert on every session ID change. As you know there isn't an ask-once option, which would be very nice. I don't think there is much that can be done to fix it other than coding up an ask-once option in FF (which I haven't got the time to do :( ).

Anyway, you may also want to use/need SSLOptions +OptRenegotiate if you have portions of the site that do and don't require client certs. It can help greatly with IE. Sometimes IE goes a little funny and renegotiates sessions all the time going from non-client-cert to client-cert areas.

Regards
Matt

----- Original Message -----
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Thursday, September 25, 2008 9:37:00 AM
Subject: Re: Can I use CA signed cert to create client authentication certificates?

Thank you very much Matt. That solved it :). I now have client certificate authentication working with a CA-signed certificate and a self-signed CA which in turn signs client certs.

If I can only ask for a bit more advice regarding this setup? Although I think this problem might be Firefox specific, I'm hoping for some advice here.

Internet Explorer handles the client certificates fine, prompts me to select a certificate on connection to the site and basically just works after that. But when Firefox is set to "Ask me every time" instead of auto-select client certificate, I keep getting the select-certificate pop-up several (multiple) times per page request/load from the SSL-secured Apache server. There is only one certificate in the select-from dialog, but it keeps prompting me and I can see it loading one item (image) at a time on the website. If I switch to "Auto select certificate" it works.

But it would be nice not having the browser present the certificate without it being the user's choice. And honestly, choosing it once per session per site should be sufficient.

I should probably mention that the page served up is behind a mod_proxy module. But this content should not differ for Firefox and certificate selection. Or does the mod_ssl module prompt for a client certificate for each item loaded? I have googled this but can't find any good answers. Some say it is because of image objects loading, but why?

Best regards
Jan Stian Gabrielli

----- Original Message -----
Hi,

Basically...

    SSLCACertificateFile  SelfSignedCA Root Cert (public part)
    SSLVerifyClient       require or optional
    SSLVerifyDepth        1 (default)

and have the setup from the Thawte cert as per normal for the server cert.

Regards
Matt

----- Original Message -----
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Tuesday, September 23, 2008 1:39:16 PM
Subject: Re: Can I use CA signed cert to create client authentication certificates?

Ok. This seems like a viable solution. I.e. I use an approved CA-signed cert to verify the site's authenticity, and I use a self-signed CA root for client certificates. Can you point me in a direction of how I make this work in Apache? I already have a setup with a self-signed CA working for client certificates:

    Created SelfSignedCA
    |-- Create and sign Apache cert from SelfSigned CA
    |-- Create and sign client cert from SelfSigned CA

How do I incorporate this with a CA (Thawte) signed webserver certificate?

Best regards
Wizkidnono

----- Original Message -----
Sounds like you're trying to use the Thawte Apache cert to sign your client certs? The Thawte cert won't have the right attributes to sign a client cert and then try to use it. You could use your CA for client certs and Thawte for the server cert.

Regards
Matt

----- Original Message -----
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Monday, September 22, 2008 7:54:37 PM
Subject: Can I use CA signed cert to create client authentication certificates?

I am trying to set up Apache with mod_ssl, and I have it working with a self-signed CA. But I cannot get it to work with a cert created by thawte.com. Does anyone know if it is possible to do this with a crt signed by a third party where one does not have access to their root CA key? I.e. I have:

    generated an apache_server.key
    made an apache_server.csr and sent this for signing by thawte.com
    received an apache_server.crt
    created a client.key and a client.csr
    signed it with my apache_server.key and apache_server.crt
    converted the client.key and client.crt to a PKCS#12 file and imported this into my browser

but I cannot make things work. SSL works fine on the server on pages that do not require SSL client auth. As I stated earlier, it works when I create and self-sign a CA, but I can't make it work when I use
Re: Authenticating users based on S/MIME certificate
Hi,

Have a look at mod_authz_ldap (LDAP-based white listing, http://authzldap.othello.ch/). Probably far more than you need, but it does things along the same lines and has some nice notes on how to do various bits and pieces. You can add env vars that you can use in PHP; have a look at SSLOptions +StdEnvVars and +ExportCertData.

Regards
Matt

----- Original Message -----
From: Gunnar Vestergaard [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Sunday, September 21, 2008 12:10:16 AM
Subject: Authenticating users based on S/MIME certificate

Hi.

I am an administrator of a user account at an Apache web server. Currently the server is running Apache 1.3.37. My hosting provider plans on switching to new hardware with possibly new software. So I don't know if my web server will be run on Apache 1.3.37 or Apache 2.0.

My goal is to let visitors of my web site authenticate themselves to my web server using some certificate, possibly S/MIME certificates. Now, my current S/MIME certificate for personal e-mail is approved for the following purposes:

    Email Signer Certificate
    Email Recipient Certificate

Is it possible to have such a certificate authenticate its user towards an SSL web server?

In any case I want to have a limited crowd of users seeing a subdirectory of pages without bothering the user with a user name/password dialog. Just their personal certificate lets them see pages in a certain subdirectory.

As I understand the documentation for PHP, there is no means whereby PHP can read and interpret an SSL client certificate. Is that correct?

Gunnar
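The two pieces of advice above, a self-signed client CA next to a commercially signed server certificate (Jan's thread) and exporting the certificate fields so PHP can read them for a certificate-only subdirectory (Gunnar's question), fit in one virtual host. This is an added example, not configuration posted by anyone in either thread; the host name, the certificate paths and the /members directory are assumptions.

```apache
# Added example: commercial server certificate, private CA for client
# certificates, and one subdirectory that needs a client certificate.
<VirtualHost *:443>
    # Assumed host name and document root.
    ServerName   www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Server identity: the commercially signed certificate, its key, and the
    # issuing CA's intermediate chain as supplied by that CA (paths assumed).
    SSLCertificateFile      /etc/ssl/certs/apache_server.crt
    SSLCertificateKeyFile   /etc/ssl/private/apache_server.key
    SSLCertificateChainFile /etc/ssl/certs/apache_server_chain.crt

    # Client identity: ONLY the self-signed CA that issues client certificates
    # (public part). Listing the commercial CA's root here instead would let
    # every certificate that CA ever issued pass SSLVerifyClient.
    SSLCACertificateFile    /etc/ssl/certs/SelfSignedCA.crt
    # Clients are signed directly by that CA.
    SSLVerifyDepth 1

    # Avoid a full re-handshake on every transition between the public and the
    # certificate-protected area (Matt's hint for the browser prompting).
    SSLOptions +OptRenegotiate

    # Public part of the site: no client certificate.
    SSLVerifyClient none

    # Certificate-only subdirectory: the certificate replaces the login dialog.
    <Directory /var/www/html/members>
        SSLRequireSSL
        SSLVerifyClient require
        # StdEnvVars exports SSL_CLIENT_S_DN, SSL_CLIENT_S_DN_Email,
        # SSL_CLIENT_I_DN and friends; ExportCertData adds the PEM-encoded
        # certificate itself as SSL_CLIENT_CERT.
        SSLOptions +StdEnvVars +ExportCertData
    </Directory>
</VirtualHost>
```

PHP sees these through `$_SERVER`, for example `$_SERVER['SSL_CLIENT_S_DN_Email']` or `$_SERVER['SSL_CLIENT_S_DN_CN']`, which answers Gunnar's last question; keeping the export in the per-directory block limits the certificate data to the scripts that use it. Whether a given S/MIME certificate is accepted at all depends on its extendedKeyUsage: OpenSSL's client-certificate purpose check rejects a certificate whose EKU is present but does not include TLS client authentication, so a certificate marked only for e-mail protection fails verification before any of this applies.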
Re: Can I use CA signed cert to create client authentication certificates?
Sounds like you're trying to use the Thawte Apache cert to sign your client certs? The Thawte cert won't have the right attributes to sign a client cert and then try to use it. You could use your CA for client certs and Thawte for the server cert.

Regards
Matt

----- Original Message -----
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Monday, September 22, 2008 7:54:37 PM
Subject: Can I use CA signed cert to create client authentication certificates?

I am trying to set up Apache with mod_ssl, and I have it working with a self-signed CA. But I cannot get it to work with a cert created by thawte.com. Does anyone know if it is possible to do this with a crt signed by a third party where one does not have access to their root CA key? I.e. I have:

    generated an apache_server.key
    made an apache_server.csr and sent this for signing by thawte.com
    received an apache_server.crt
    created a client.key and a client.csr
    signed it with my apache_server.key and apache_server.crt
    converted the client.key and client.crt to a PKCS#12 file and imported this into my browser

but I cannot make things work. SSL works fine on the server on pages that do not require SSL client auth. As I stated earlier, it works when I create and self-sign a CA, but I can't make it work when I use a 3rd-party CA and only have apache_server.key, apache_server.crt and the Thawte root cert.

Best regards
Wizkidnono
Re: reduce handshake overhead in a reverse mod_proxy (SSL front-end + SSL back-end)
You could possibly use stunnel to set up a persistent SSL connection, connecting up to a local port with just HTTP (only listen on localhost). I believe the sessions are reused with stunnel. It's extra config but quick to set up.

Regards
Matt

--- Jeff Ambrosino [EMAIL PROTECTED] wrote:

Hi Georg, after I emailed the list, I found this info:

http://www.covalent.net/resource/documentation/faststart/2.0.0/userguide/html/sslconfigure.php#1176550

It appears that the Apache/mod_ssl SSLProxyProtocol directive lets you limit the ciphers that the proxy will use (as a client) to the back-end server. I also found the following research report, which talks about performance of the SSL protocol and various ciphers:

http://www.cs.ucr.edu/~bhuyan/papers/ssl.pdf

I'll continue to work on this and report back to the list if/when I find something conclusive. In the meantime, if anyone on the mod_ssl list has further suggestions, I'm all ears :)

thanks
JB

On 10/19/05, Georg Oppenberg [EMAIL PROTECTED] wrote:

Hi, by chance I stumbled over the same problem here today. I'm very interested in answers you receive. Maybe you can write some sort of summary for the mailing list.

[...]
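The proxy-side directives Jeff found, spelled out as a front-end configuration together with the back-end verification a reverse proxy should carry. This is an added example, not configuration from the thread; the back-end host name and the CA path are assumptions.

```apache
# Added example: Apache terminating SSL for clients and re-encrypting to an
# SSL back-end. The proxy -> back-end leg is governed by the SSLProxy* family.
SSLProxyEngine on

# Restrict what the proxy negotiates AS A CLIENT toward the back-end:
# protocol versions (SSLProxyProtocol) and cipher suites (SSLProxyCipherSuite).
SSLProxyProtocol    all -SSLv2 -SSLv3
SSLProxyCipherSuite HIGH:!aNULL:!MD5

# The default (SSLProxyVerify none) does NOT verify the back-end certificate,
# so the front-end would talk to anything answering on that address.
SSLProxyVerify            require
SSLProxyVerifyDepth       2
# Assumed path: the CA that issued the back-end's certificate.
SSLProxyCACertificateFile /etc/ssl/certs/backend-ca.pem

ProxyRequests Off
# Assumed back-end host name.
ProxyPass        / https://backend.internal:443/
ProxyPassReverse / https://backend.internal:443/
```

Every new connection on the back-end leg costs a full handshake unless the connection or its SSL session is reused, which is the overhead this thread is about and the reason Matt suggests a persistent stunnel on localhost as a workaround. Restricting the cipher list changes the per-handshake cost, not the number of handshakes.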
Re: SSLVerifyClient fails
Hi,

You have an intermediate and a root CA; try setting SSLVerifyDepth equal to 2.

Regards
Matt

--- Sven Löschner [EMAIL PROTECTED] wrote:

I got a big problem with SSLVerifyClient. I had a similar problem before, but now the error(s?) is really more strange (in my point of view). I used this tutorial: http://fra.nksteidl.de/Erinnerungen/OpenSSL.php

I have got two sections. One with only server-side SSL (works), and a folder (called 'demo', with a file 'index.php') with client-side SSL. When I call the site my browser asks me to choose a cert I want to use to enter the site. I choose the right one (exported via PKCS), and then IE says "cannot find server or DNS", and Firebird doesn't do anything (it stays on my start page, but with the lock symbol in Task).

So I have got a Root_CA, a Server_CA and a User_CA. The Root_CA verifies the other 2 CAs. Server_CA verifies server certificates (no problem). User_CA verifies client certificates. I concatenated the certificates from Root and User_CA:

    cat /RootCA.cert.pem /UserCA.cert.pem > UserCAchaincert.pem

My integration in Apache:

    NameVirtualHost xxx.xxx.xxx.xxx:443
    <VirtualHost xxx.xxx.xxx.xxx:443>
        ServerName test.de
        DocumentRoot /srv/www/htdocs/web3/html/test
        php_admin_value open_basedir /srv/www/htdocs/web3/html/test
        <IfModule mod_ssl.c>
            SSLEngine on
            SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
            SSLProtocol all
            AddType application/x-x509-ca-cert .crt
            AddType application/x-pkcs7-crl .crl
            SSLOptions +StdEnvVars +ExportCertData
            ErrorLog /var/log/apache2/test/ssl.log
            LogLevel debug
            SSLVerifyClient none
            SSLCertificateFile /etc/ssl/ServerCA/testcert.pem
            SSLCertificateKeyFile /etc/ssl/ServerCA/testkey.pem
            SSLCACertificateFile /etc/ssl/UserCA/UserCAchaincert.pem
            SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
        </IfModule>
        <Location /demo>
            SSLRequireSSL
            SSLVerifyClient require
            SSLVerifyDepth 1
        </Location>
    </VirtualHost>

If you need something more, just let me know. And thank you very much in advance for every helping idea, because I have been trying to get this to work for weeks.

Sven

P.S.: I use SuSE Linux 9.0 with mod_ssl and openssl 0.9.7b (would like to update)
RE: SSLVerifyClient fails
Try using openssl s_client to connect (? arg for options). It'll give a lot of debug info.

--- Sven Löschner [EMAIL PROTECTED] wrote:

> SSLVerifyDepth equal to 2.

Thx, I tried Depth from 1 to 10 but no effect. I think my certificates are wrong... Especially the concatenated one. Is there a way to check these certificates?

Sven
Re: certificate weirdness
Hello Vlad,

You are trying to use NameVirtualHost for SSL, which will not work. Basically, which cert does it use? The SSL connection needs to be set up before the site name (hence virtual host and cert) can be established by Apache. You'll need two IPs, or use different ports (yuck).

Regards
Matt

--- Vlad Ciubotariu [EMAIL PROTECTED] wrote:

I'm doing something wrong in my config file. For some reason, when pointed to https://calendar.mydomain.ca the browser tells me the security certificate belongs to mail.mydomain.ca even though the two domains have been configured with different certificates. Could anyone shed some light, please? Thanks in advance.

    ##
    ##  SSL Support
    ##
    ##  When we also provide SSL we have to listen to the
    ##  standard HTTP port (see above) and to the HTTPS port
    ##
    <IfDefine SSL>
    Listen 80
    Listen 443
    </IfDefine>

    ...

    NameVirtualHost *:80
    NameVirtualHost *:443

    #
    # VirtualHost example:
    # Almost any Apache directive may go into a VirtualHost container.
    <VirtualHost *>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /var/www/virthosts/mail
        ServerName mail.mydomain.org
        Redirect / https://mail.mydomain.org/
    </VirtualHost>

    <VirtualHost *>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /var/www/virthosts/calendar
        ServerName calendar.mydomain.org
        Redirect / https://calendar.mydomain.org/
    </VirtualHost>

    ##
    ##  SSL Global Context
    ##
    ##  All SSL configuration in this context applies both to
    ##  the main server and all SSL-enabled virtual hosts.
    ##

    #
    #   Some MIME-types for downloading Certificates and CRLs
    #
    <IfDefine SSL>
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    </IfDefine>

    <IfModule mod_ssl.c>

    #   Pass Phrase Dialog:
    #   Configure the pass phrase gathering process.
    #   The filtering dialog program (`builtin' is a internal
    #   terminal dialog) has to provide the pass phrase on stdout.
    SSLPassPhraseDialog  builtin

    #   Inter-Process Session Cache:
    #   Configure the SSL Session Cache: First either `none'
    #   or `dbm:/path/to/file' for the mechanism to use and
    #   second the expiring timeout (in seconds).
    SSLSessionCache         dbm:logs/ssl_scache
    SSLSessionCacheTimeout  300

    #   Semaphore:
    #   Configure the path to the mutual exclusion semaphore the
    #   SSL engine uses internally for inter-process synchronization.
    SSLMutex  sem

    #   Pseudo Random Number Generator (PRNG):
    #   Configure one or more sources to seed the PRNG of the
    #   SSL library. The seed data should be of good random quality.
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    #SSLRandomSeed startup file:/dev/random  512
    #SSLRandomSeed startup file:/dev/urandom 512
    #SSLRandomSeed connect file:/dev/random  512
    #SSLRandomSeed connect file:/dev/urandom 512
    SSLRandomSeed startup file:/dev/arandom 512

    #   Logging:
    #   The home of the dedicated SSL protocol logfile. Errors are
    #   additionally duplicated in the general error log file.  Put
    #   this somewhere where it cannot be used for symlink attacks on
    #   a real server (i.e. somewhere where only root can write).
    #   Log levels are (ascending order: higher ones include lower ones):
    #   none, error, warn, info, trace, debug.
    SSLLog      logs/ssl_engine_log
    SSLLogLevel info

    </IfModule>

    <IfDefine SSL>

    ##
    ## SSL Virtual Host Context
    ##

    <VirtualHost *:443>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /var/www/virthosts/mail
        ServerName mail.mydomain.org
        SSLEngine on
        SSLCertificateFile    /etc/ssl/webmail.crt
        SSLCertificateKeyFile /etc/ssl/private/webmail.key
        <Location />
            SSLRequireSSL
        </Location>
    </VirtualHost>

    <VirtualHost *:443>
        ServerAdmin [EMAIL PROTECTED]
        DocumentRoot /var/www/virthosts/calendar
        ServerName calendar.mydomain.org
        SSLEngine on
        SSLCertificateFile    /etc/ssl/calendar.crt
        SSLCertificateKeyFile /etc/ssl/private/calendar.key
        <Location />
            SSLRequireSSL
        </Location>
        <Directory /var/www/virthosts/calendar>
            Order allow,deny
            Allow from all
        </Directory>
        <Location /cgi-bin/>
            SetHandler perl-script
            PerlHandler Apache::Registry
            #PerlHandler Apache::PerlRun
            Options ExecCGI
            PerlSendHeader On
        </Location>
    </VirtualHost>

    # <VirtualHost _default_:443>

    #  General setup for the virtual host
    #DocumentRoot /var/www/htdocs
    #ServerName new.host.name
    #ServerAdmin [EMAIL PROTECTED]
    #ErrorLog logs/error_log
    #TransferLog logs/access_log

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate.
    #   See the mod_ssl documentation for a complete list.
    #SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    #   Server Certificate:
    #   Point
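Vlad's two SSL hosts rearranged the way Matt describes, one IP address per host. This is an added example, not the poster's configuration; the 192.0.2.x addresses are documentation-range placeholders and the certificate paths are the ones from his post.

```apache
# Added example: one IP address per SSL virtual host. Apache must present a
# certificate before it can read the Host: header, so the address (or port)
# the client connected to is the only thing it can select the certificate by.
# Placeholder addresses (TEST-NET-1).
Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    ServerName   mail.mydomain.org
    DocumentRoot /var/www/virthosts/mail
    SSLEngine on
    SSLCertificateFile    /etc/ssl/webmail.crt
    SSLCertificateKeyFile /etc/ssl/private/webmail.key
    <Location />
        SSLRequireSSL
    </Location>
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName   calendar.mydomain.org
    DocumentRoot /var/www/virthosts/calendar
    SSLEngine on
    SSLCertificateFile    /etc/ssl/calendar.crt
    SSLCertificateKeyFile /etc/ssl/private/calendar.key
    <Location />
        SSLRequireSSL
    </Location>
</VirtualHost>

# The other option Matt mentions, different ports on a single address:
# <VirtualHost 192.0.2.10:443>  for mail, <VirtualHost 192.0.2.10:8443> for
# calendar, each with its own Listen line and certificate.
```

With `NameVirtualHost *:443` both hosts share one address and port, so every handshake on that socket is answered with the first matching host's certificate, which is why calendar.mydomain.ca showed the webmail certificate. Name-based SSL hosts only became workable later, with Server Name Indication (Apache 2.2.12 or later built against an OpenSSL with TLS extension support, and SNI-capable browsers).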
Re: Certificates...
You could use the ssl_var_lookup function in a module...

    cert = ssl_var_lookup(r->pool, r->server, r->connection, r, "SSL_CLIENT_CERT");

or a CGI/PHP page and env variables: http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25. As for module writing, look at the source of the modules that ship with Apache (auth ones are an easy start). Not sure about forums.

Regards
Matt

--- Pj [EMAIL PROTECTED] wrote:

Does anyone know how to save incoming certificates to disk? Or can anyone suggest a forum for Apache module writers?

Cheers..
Pj.
Re: change cipher suite of a virtual host without restarting apache
AFAIK this is not possible with a virtual host. However, there is no reason you can't run each virtual host as its own server (split off into its own config; use the -f and -d options). It really depends on your load and flexibility requirements. Currently some servers I manage have 50+ Apache servers. While not the best for memory and efficiency, the flexibility is good.

Regards
Matt

--- Sourabh Bhandari [EMAIL PROTECTED] wrote:

Hi,

I've Apache running as a reverse proxy on Linux with SSL (mod_ssl). There are multiple sites behind the Apache. There are cases when the cipher suite or certificate for a site has to be changed. In that case Apache is restarted to take the changes into account. This results in disconnection of all the connected users (whether they are connected to the site for which changes are done or to a site for which nothing has been changed).

Is there a way I can modify the cipher suite or certificate so that I don't need to restart Apache and all the users' sessions stay valid and working? (I won't mind if users connected to the site for which changes are made get disconnected.)

Thanks in advance,
-Sourabh
Client certificate expiry handling
Hi,

I know this has been raised before but please read on.

Currently AFAIK client certificate expiry checking is done by OpenSSL and the connection is terminated before Apache comes into play, hence no error page can be sent. This is a problem as IE doesn't tell the user the client certificate is expired. Hence the user experiences a horrible disconnect page (not nice for issue tracking either, as it's pretty generic). Both Netscape and IIS can send back an error to the browser under this condition.

The company I work for would also like Apache to be able to do this. There is a good possibility that the changes would be funded. I'm looking for someone who has experience with Apache/mod_ssl/OpenSSL to give an idea on the feasibility and a time estimate to do the work. Suggestions on who could do this are also welcome.

Regards
Matt
Re: mod_ssl environment variables
You can try something like ...

    # Get SSL variables into subprocess...
    my $subr = $r->lookup_uri( $r->uri() );

    # Get serial and issuer
    my $serial         = $subr->subprocess_env('SSL_CLIENT_M_SERIAL') || '';
    my $issuer_slashes = $subr->subprocess_env('SSL_CLIENT_I_DN')     || '';

Hope that works.

Regards
Matt

--- Jason Kaskel [EMAIL PROTECTED] wrote:

This is technically both a mod_perl and mod_ssl question. Maybe I should harass their mailing list too.

I have a PerlAccessHandler that needs to access certificate information. According to what I've read, the environment isn't loaded with this information until the fixup phase, which occurs right before the response phase (and well after the access phase). Is there any other way for me to access certificate information this early in the Apache process (specifically the data that gets loaded into SSL_CLIENT_S_DN_CN)? Failing that, is there a way for me to force the fixup phase to occur before the access phase?

Thanks for any help!

-Jason
[EMAIL PROTECTED]
Re: Apache/mod_ssl/IE problem
I've also seen this problem. Haven't had the time to find a proper solution. However, I lowered the server timeout to around 15 seconds; not ideal, but it keeps the site going. Hopefully someone has a better solution.

Regards
Matt

--- [EMAIL PROTECTED] wrote:

Hello,

We have a problem with Apache with the following symptoms:

- the number of Apache processes hits MaxClients
- the CPU on the box isn't doing much when we hit the max number of Apache processes
- sometimes Apache recovers after about 5 minutes and we reduce to a more typical number of processes
- other times Apache has totally locked up and required a restart

We see no pattern as to when this is occurring. It has occurred during quiet periods and during periods of heavy load. We have upped the MaxClients to 256, but we hit that level too.

All our users connect over SSL. We have seen the following articles on the Microsoft site that make us think that this could be because of a broken version of IE in our user community. However, we don't know from the articles the exact combination of OS and IE that would cause the problems and therefore haven't been able to recreate it in a test environment.

http://support.microsoft.com/default.aspx?kbid=305217
http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx

We also get the following error in the SSL error log:

    [Tue Oct 26 06:43:04 2004] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
    [Tue Oct 26 06:43:04 2004] [error] System: Connection timed out (errno: 145)

We see this quite a lot during normal operation. However, during the periods where we hit the MaxClients processes, we see the number of these errors increase by an order of magnitude.

Has anyone else seen similar problems and if so, what was their solution? If this is the problem described on the MS site, what version of Windows and IE do we need to recreate it? Are there any server-side-only solutions?

We are running on Solaris with Apache 1.2.26 and mod_ssl 2.8.10 using a Sun Crypto 1 SSL accelerator card.

Any help greatly appreciated.

Cheers,
Dave.
Re: mod_ssl on sparc solaris
Hi,

I haven't used authz_ldap in a while but I believe the following config should work. Also you should see mod_so.c listed for a httpd -l.

    ./httpd -l
    Compiled-in modules:
      http_core.c
      mod_so.c

    openssl:
    CC=$(CC) ./config shared no-idea

    modssl:
    ./configure \
        --with-apache=$(COMP_DIR)/$(APACHE_DIR) \
        --with-ssl=$(COMP_DIR)/$(OPENSSL_DIR) \
        --with-mm=$(COMP_DIR)/$(MM_DIR)

    apache:
    ./configure --prefix=$(APACHE_PREFIX) \
        --enable-module=rewrite --enable-module=ssl \
        --enable-module=most \
        --enable-shared=max \
        --enable-rule=SSL_EXPERIMENTAL

Regards
Matt

--- Helke_Schröder [EMAIL PROTECTED] wrote:

Hi,

we have some problems getting mod_ssl working on Solaris. First we tried on SuSE 8.2 and there was no problem at all, but now we have troubles and hope someone can give us a hint...

While doing config and make there seems to be no problem. Even Apache can be started and apachectl configtest says "Syntax OK", but when viewing the environment variables some of them are missing, like SSL_CLIENT_S_DN; only the server variables are there. And when trying to start mod_authz_ldap (which uses the variables provided by mod_ssl) this message appears when typing apachectl configtest:

    Syntax error on line 246 of /opt/webservers/apache/conf/httpd.conf:
    Cannot load /opt/webservers/apache/libexec/mod_authz_ldap.so into server: ld.so.1: /opt/webservers/apache/bin/httpd: fatal: relocation error: file /opt/webservers/apache/libexec/mod_authz_ldap.so: symbol ssl_var_lookup: referenced symbol not found

We have experimented with "./config shared -fPIC" for openssl and --enable-rule=SHARED_CORE (for mod_ssl and apache) but without success (we are using apache 1.3.31, openssl 0.9.7d, mod_ssl 2.8.19-1.3.31 on sparc solaris 8).

thanks in advance
Helke Schröder
Re: Problem with SSLVerifyClient
You don't need the hash link for the SSLCACertificateFile; just put the real filename in. Also, are you using a root and intermediate cert? Then add SSLVerifyDepth 2. Upgrading may be a good idea, but I have Apache/2.0.48 (Unix) mod_ssl/2.0.48 OpenSSL/0.9.7c running with client cert auth. But then that's RH on i386 (custom compile).

> SSLCACertificateFile /etc/grid-security/certificates/33b4aee4.0
> SSLVerifyClient require

--- Fulvio LAZ [EMAIL PROTECTED] wrote:

> First of all, does it work if you comment the SSLVerifyClient require directive out? Also, do you get a core file and can you do a backtrace in gdb (with lib info)?
>
> Regards
> Matt

Dear Matt,

thanks for your reply. If I set SSLVerifyClient optional (or comment it) Apache works, but the client CA isn't sent to my server (I need the client distinguished name).

If I set LogLevel debug and SSLVerifyClient require I can see in error_log:

    [info] Server built: Mar 16 2004 15:30:28
    [debug] prefork.c(1037): AcceptMutex: pthread (default: pthread)
    [notice] child pid 18934 exit signal Segmentation fault (11)

and in ssl_error_log:

    [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 read client hello A
    [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write server hello A
    [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write certificate A
    [debug] ssl_engine_kernel.c(1170): handing out temporary 1024 bit DH key
    [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write key exchange A
    [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 write certificate request A
    [debug] ssl_engine_kernel.c(1786): OpenSSL: Loop: SSLv3 flush data
    [debug] ssl_engine_io.c(1499): OpenSSL: read 5/5 bytes from BIO#818ab68 [mem: 81921e8] (BIO dump follows)
    [debug] ssl_engine_io.c(1446): +--+
    [debug] ssl_engine_io.c(1471): | : 16 03 00 04 c9 |
    [debug] ssl_engine_io.c(1477): +--+
    [debug] ssl_engine_io.c(1499): OpenSSL: read 1225/1225 bytes from BIO#818ab68 [mem: 81921ed] (BIO dump follows)
    .
    .
Re: Problem with SSLVerifyClient
--- Fulvio LAZ [EMAIL PROTECTED] wrote:
> Dear Sirs,
> I write to ask for a little help about a problem with Apache configuration. My system is:
> Apache-AdvancedExtranetServer/2.0.48 (Mandrake Linux/6mdk) mod_ssl/2.0.48 OpenSSL/0.9.7c PHP/4.3.4
> I want to read the client distinguished name in a php page (client using a browser with a pkcs12 certificate inside), so I added the following lines into /etc/httpd/conf.d/41_mod_ssl.default-vhost.conf:
>
> SSLCertificateFile /etc/grid-security/tomcatcert.pem
> SSLCertificateKeyFile /etc/grid-security/tomcatkey.pem.plain
> SSLCACertificateFile /etc/grid-security/certificates/33b4aee4.0
> SSLVerifyClient require
>
> When I try to contact the http server in https mode, the connection is refused and in ssl_error_log I see:
> [notice] child pid 11835 exit signal Segmentation fault (11)
> Could someone help me?
> Thanks
> Fulvio Lazzarato

First of all, does it work if you comment the SSLVerifyClient require directive out? Also, do you get a core file and can you do a backtrace in gdb (with lib info)?

Regards
Matt
Re: HTTP to HTTPS redirect on virtual host on port 8080
--- Christopher McClan [EMAIL PROTECTED] wrote:
> Hi,
> I'm currently running an Apache web server with Mod_SSL, and have the following virtual host statement:
>
> <VirtualHost mywebserver:8080>
>   <IfModule mod_ssl.c>
>     SSLEngine on
>     SSLCertificateFile /xx/xxx/xxx.crt
>     SSLCertificateKeyFile /xx/xxx/xxx.key
>     SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown
>   </IfModule>
>   ServerName mywebserver
>   DocumentRoot /xxx/xxx/xxx/xxx
>   <Directory /xxx/xxx/xxx/xxx>
>     Options Indexes FollowSymLinks MultiViews +ExecCGI
>     Allow from all
>   </Directory>
> </VirtualHost>
>
> If I connect using http, I get an Apache error stating that this is an SSL enabled server, and I should use https. My question is, how do I get it to redirect from http to https? This seems easy enough if you aren't running a virtual server on a specific port and just want to redirect to https for certain directories, but in this configuration I've not been able to achieve this.

You'll have to run another virtual server on another port, then redirect to your https server. You can't run http/https on the same port. Suggest 8080 as http and 8443 as https. Then ...

RewriteEngine On
RewriteLog logs/rewrite.log
RewriteLogLevel 0
RewriteRule ^/(.*) https://:8443/$1 [R=301,L]
Re: Redirecting and proxying through ssl
Hi Mike,

I use the setup you want quite a lot (all cmds left in but some altered)...

Listen XX:80
<VirtualHost XX:80>
  DocumentRoot /usr/docs
  ServerName webserver.net
  ServerAdmin [EMAIL PROTECTED]
  CustomLog ..
  RewriteEngine On
  RewriteLog logs/rewrite.log
  RewriteLogLevel 0
  RewriteRule /(.*) https://webserver.net/$1 [R=301]
</VirtualHost>

Listen XX:443
<VirtualHost XX:443>
  DocumentRoot /usr/docs
  ServerName webserver.net
  ServerAdmin [EMAIL PROTECTED]
  CustomLog ..
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
  SSLCertificateFile /apache/somthing.crt
  SSLCertificateKeyFile /apache/something.key
  SSLCACertificateFile /apache/CA.crt
  SetEnvIf User-Agent .*MSIE.* ssl-unclean-shutdown
  RewriteEngine On
  RewriteLog logs/rewrite.log
  RewriteLogLevel 0
  RewriteRule /(.*) http://webserver.net:7900/$1 [P]
  ProxyPassReverse / http://webserver.net:7900/
</VirtualHost>

This definitely works, as I have about 50 servers doing this (may need to check the ProxyPassReverse line).

Regards
Matt

--- Mike Alberghini [EMAIL PROTECTED] wrote:
> I'm in charge of a box here that's running multiple apache servers. I run the front end servers which handle the front end and proxying. The third apache server is run by another group and interfaces with backend databases and other apps. Here's what everything does:
> 1. Server1 runs on port 80 and redirects all traffic to port 443 as https
> 2. Server2 runs on port 443 and does nothing but proxy to the third server running on port 7900
> 3. Server3 interfaces with a bunch of apps. I can't touch it.
> I want to combine the first two servers. I want one apache server that redirects all port 80 http traffic to port 443 https traffic and then proxies everything through SSL to the server on port 7900. Is this possible? Right now when I try to combine a Rewrite for port 80 with a proxy on 443 the proxy takes over all traffic before the rewrite can trigger. I've tried putting the rewrite and the proxy in separate virtual hosts with no luck either.
> --
> Michael Alberghini
> Software Systems Engineer
> Georgia State University
> [EMAIL PROTECTED]
Re: apache ssl handshake timeout on ie6 and windows 2000
Not much help to you, but I'm also seeing this. One client can hang up 100 apache children. User agent is Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; SD; .NET CLR 1.1.4322). Lasts for around 2-4 minutes (server timeout at 30).

Matt

--- R McIntosh [EMAIL PROTECTED] wrote:
> Hello OpenSSL and ModSSL users,
> I am running apache-1.3.29, mod_ssl-2.8.16-1.3.29, and openssl 0.9.7c. Users at a specific lan on the internet accessing our cgi application sometimes lock at some random place in our application. Once this happens, it will lock up again at the same page if they quit their browser and try again. They are running a patched ie6 on windows 2000. We only have this problem with this one client's site.
> Here is the error from my log file:
> [Tue Dec 30 08:19:10 2003] [error] mod_ssl: SSL handshake timed out (client X.X.X.X, server www.partnersmith.com:443)
> The ssl-engine log has no additional information. When the connection does work, it uses Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
> I have the usual stuff for ie in my httpd.conf:
> SetEnvIf User-Agent .*MSIE.* \
>     nokeepalive ssl-unclean-shutdown \
>     downgrade-1.0 force-response-1.0
> I have been researching this with no luck. I have found hints of people having this problem with w2k in the archives but never any solution.
> Thank you for your time.
> -R
Re: Netscape ask always certificat
Hi,

Try using the status module:

ExtendedStatus On
<Location /server-status>
  SetHandler server-status
</Location>

That gives some info about ssl sessions near the bottom. Currently I'm using client certs and firebird with "ask every time" set. This results in a prompt every 300 seconds as the session times out. Which version of netscape?

Regards
Matt

--- xavier jeannin [EMAIL PROTECTED] wrote:
> Hello,
> I have looked for information in the Archive about my problem. I don't find an answer to my problem; sorry in advance for asking a question about a very well-known problem.
> I have developed a Web application that uses X509 certificates. Netscape asks for the certificate each time (page). As my users have several certificates they do not use the option "Select Automatically" in netscape; I have to tell my users to use this option now and create a netscape profile for every certificate.
> First, I have compiled Apache with MM and use:
> SSLSessionCache shm:/usr/local/apache/logs/ssl_gscache(2048000)
> SSLSessionCacheTimeout 1800
> but it does not work. Does anyone have a better idea?
> Thanks in advance
> --xj
> --
> Xavier Jeannin, UREC/CNRS, Université P. M. Curie
> Mail: case 171, 4 place Jussieu, 75252 PARIS CEDEX 05
> Tel: 01 44 27 42 59 - Fax: 01 44 27 42 61 - Email: [EMAIL PROTECTED]
Re: Client authentication and Chain certs
I have this setup; this should work...

SSLCertificateFile /opt/DKBapache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /opt/DKBapache/conf/ssl.key/server.key
SSLCACertificateFile /opt/DKBapache/conf/ssl.crt/CA.crt
SSLVerifyClient require
SSLVerifyDepth 2

The CA.crt file contains the Root and intermediate certs. These are also used at startup to make the server cert chain (our client and server certs have the same root; use SSLCertificateChainFile for the server chain if not). Make sure you have the SSLVerifyDepth 2 line.

Regards
Matt

--- Chris Covell [EMAIL PROTECTED] wrote:
> Hello there Martial, many thanks for your quick reply.
> > We also have: root CA - sub CA - client or server cert
> > we have put the root and sub CA in a directory pointed to by: SSLCACertificatePath
> In separate files?
> > In this directory we have the attached Makefile that we run to make a hash of all CAs and link the result of the hash to each CA. This works fine with apache 1.3.3x to the latest 2.4.
> Did you use SSLCertificateChainFile in the httpd.conf?
> Chris...
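To see for yourself what a CA.crt holding root plus intermediate buys you (this reply and the earlier "Problem with SSLVerifyClient" one both hinge on it), here is an added example that is not from any post in the thread: it builds a throwaway root -> sub CA -> client chain with openssl and verifies the client cert against two candidate bundles. Every name, subject and path in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the list posts: build a throwaway
# root -> sub CA -> client chain with openssl and check which bundle
# contents let the client certificate verify, the way mod_ssl does against
# the file named by SSLCACertificateFile. All names, subjects and paths
# are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions that make a certificate usable as a CA.
CA_EXT="$WORK/ca_ext.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$CA_EXT"

make_chain() {
  (
    cd "$WORK"
    # Root CA: CSR, then self-signed with the CA extensions.
    openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
      -subj "/CN=Demo Root CA" >/dev/null 2>&1
    openssl x509 -req -days 1 -in root.csr -signkey root.key \
      -extfile "$CA_EXT" -out root.crt >/dev/null 2>&1
    # Sub CA: signed by the root, also marked as a CA.
    openssl req -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
      -subj "/CN=Demo Sub CA" >/dev/null 2>&1
    openssl x509 -req -days 1 -in sub.csr -CA root.crt -CAkey root.key \
      -CAcreateserial -extfile "$CA_EXT" -out sub.crt >/dev/null 2>&1
    # Client certificate: signed by the sub CA (end-entity, no CA extensions).
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
      -subj "/CN=demo-client" >/dev/null 2>&1
    openssl x509 -req -days 1 -in client.csr -CA sub.crt -CAkey sub.key \
      -CAcreateserial -out client.crt >/dev/null 2>&1
    # Two candidate SSLCACertificateFile contents.
    cat root.crt > root_only.pem
    cat root.crt sub.crt > root_and_sub.pem
  )
}

# verify_client BUNDLE [SENT_INTERMEDIATE]
# Prints "ok" or "fail". BUNDLE plays the SSLCACertificateFile role; the
# optional second file stands in for an intermediate the client presents
# alongside its own certificate during the handshake.
verify_client() {
  bundle="$WORK/$1"
  extra=""
  if [ "$#" -gt 1 ]; then
    extra="-untrusted $WORK/$2"   # $WORK comes from mktemp, so no spaces
  fi
  # Match on the ": OK" line rather than the exit status, which older
  # openssl releases did not set on verification failure.
  out=$(openssl verify -CAfile "$bundle" $extra "$WORK/client.crt" 2>&1 || true)
  case "$out" in
    *": OK"*) echo ok ;;
    *)        echo fail ;;
  esac
}

make_chain
# Root + sub CA in the bundle (the CA.crt layout above): verifies.
WITH_SUB=$(verify_client root_and_sub.pem)
# Root only and nothing else presented: the issuer of client.crt is unknown.
ROOT_ONLY=$(verify_client root_only.pem)
# Root only, but the sub CA cert arrives with the client cert: verifies.
ROOT_PLUS_SENT=$(verify_client root_only.pem sub.crt)
echo "root+sub: $WITH_SUB  root only: $ROOT_ONLY  root only + presented sub: $ROOT_PLUS_SENT"
```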
SIGBUS after upgrading to mod_ssl-2.8.15-1.3.28 and using +OptRenegotiate
Hi,

With the release of openssl-0.9.6k I recompiled and updated my apache installs to 1.3.28/modssl-2.8.15 from 1.3.27/modssl-2.8.12. I compiled up on Linux and Solaris. When running I randomly get a SIGBUS on Solaris and a SIGSEGV on linux. I'm using client certificates. I've a large number of servers (50) running fine on 1.3.27/2.8.12.

The issue seems to be with the SSLOptions +OptRenegotiate option, when going from a non client cert location to a client cert location.

The backtrace from dbx on solaris is:

[EMAIL PROTECTED] ([EMAIL PROTECTED]) signal BUS (invalid address alignment) in sk_value at 0xfebed534
0xfebed534: sk_value+0x0014:    ld [%g3 + %g2], %o0
(/opt/SUNWspro/bin/../WS6/bin/sparcv9/dbx) where
current thread: [EMAIL PROTECTED]
=>[1] sk_value(0x132990, 0x0, 0x3, 0xfed27eb0, 0x260, 0x132980), at 0xfebed534
  [2] X509_NAME_oneline(0x132980, 0x0, 0x0, 0x0, 0xc7, 0xffbef4d0), at 0xfec1e6dc
  [3] ssl_hook_Access(0xf0f30, 0xfed64cf4, 0xad400, 0x24bec, 0x0, 0xf26b8), at 0xfed65b74
  [4] run_method(0xf0f30, 0x10, 0x1, 0x0, 0x0, 0xff00), at 0x2052c
  [5] ap_check_access(0xf0f30, 0x93460, 0x93400, 0x91659, 0x45, 0x65), at 0x20620
  [6] process_request_internal(0xf0f30, 0x0, 0x16, 0xcd, 0xec00, 0x1), at 0x40180
  [7] ap_process_request(0xf0f30, 0xc8, 0xf0f30, 0xffbef8e0, 0xffbef8f0, 0x5), at 0x405ac
  [8] child_main(0x5, 0x31298, 0x31000, 0xff17b250, 0xff175980, 0xff16efe0), at 0x33284
  [9] make_child(0xb0bf0, 0x5, 0x3f8154e3, 0xcd, 0xff23b1d4, 0xffbefa18), at 0x335fc
  [10] perform_idle_server_maintenance(0x0, 0xffbefb1c, 0x0, 0xb0bf0, 0x90ed8, 0x8fa80), at 0x33b10
  [11] standalone_main(0x6, 0xffbefc4c, 0x0, 0x0, 0xff23b02c, 0x90ff0), at 0x34384
  [12] main(0x6, 0xffbefc4c, 0xffbefc68, 0xadd98, 0x0, 0x0), at 0x34cc4

The configuration for a typical SSL server is ...

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /opt/apache_test/conf/ssl.crt/server.crt
SSLCertificateKeyFile /opt/apache_test/conf/ssl.key/server.key
SSLCACertificateFile /opt/apache_test/conf/ssl.crt/CA.crt
SSLVerifyDepth 2
SSLOptions +StdEnvVars +ExportCertData
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/opt/apache_test/sites/debug.internal.net/logs/ssl_scache(512000)
SSLSessionCacheTimeout 300
SSLMutex file:/opt/apache_test/sites/debug.internal.net/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog /opt/apache_test/sites/debug.internal.net/logs/ssl_engine_log
SSLLogLevel Warn
<LocationMatch /images/.*>
  SSLVerifyClient optional
  SSLOptions +OptRenegotiate
</LocationMatch>

When entering the images directory some but not all of the httpd children die. I'm going to get a linux debug server running. Hopefully someone can replicate the issue? Or suggest a fix.

Thanks
Matt
RE: ssl question
But I did a self-signed cert for testing purposes. Shouldn't that work?

-- Matt

At 04:34 PM 7/31/2002 +1000, you wrote:
> Mike,
> The reasoning behind that message is that you haven't purchased a certificate from a valid certificate store. I bought my company's at verisign.com. If you are not releasing this web app to the public you could simply install the certificate and you shouldn't get the message again.
> Good luck,
> Vincent Montuoro
> Solution Engineer, Request
> Level 12, 461 Bourke Street, Melbourne Vic 3000
> Email: [EMAIL PROTECTED] Office: +61 3 8628 2764 Mobile: 0408 005 979
>
> -----Original Message-----
> From: Mike Boyer [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 31 July 2002 4:57 AM
> To: [EMAIL PROTECTED]
> Subject: ssl question
>
> I installed openSSL with mod_ssl, and I can access my site using https://blah.com and I get a popup box telling me about a security issue and asking if I want to accept this. When I have visited other sites that are secure, it doesn't ask me to accept anything. In my certificate it says it's not part of the CA trusted root stores. Any help would be appreciated.
RE: ssl question
But I'm never even getting a response on the browser; httpd is never even starting due to this error. I thought I had it corrected this morning, the log kept complaining about not finding the cert, I worked with that for a while, then came back to the same error. Frustrating, but I'm not giving up just yet. I'd like someone to take a look at my httpd.conf and tell me if I've got something wrong there, or just what the problem can be. I've tried to follow the docs as closely as I can, but obviously I've missed something.

-- Matt

At 09:23 AM 7/31/2002 -0400, you wrote:
> No, because your browser does not have the signing authority in its list of trusted / root CAs. There are three options, but really only two are practical. The first would be to just import the certificate the first time you see this pop up, and you can do that by clicking on "View certificate" when you get the pop up (I'm talking IE here). The second option would be to purchase and use a cert from a CA which is in your browser's list of trusted/root CAs (someone like verisign). You can get the list by clicking on Tools -> Internet options -> the Content tab -> Certificates button -> Trusted Root Certification Authorities tab. The third option would be to become a CA on that list by paying MS big bucks and setting up your own company to do it (not what I would call viable :-).
> -Noah
>
> -----Original Message-----
> From: Matt Nelson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, July 31, 2002 9:14 AM
> To: [EMAIL PROTECTED]
> Subject: RE: ssl question
>
> But I did a self-signed cert for testing purposes. Shouldn't that work?
> -- Matt
RE: Error message help
At 03:56 PM 7/31/2002 +0200, you wrote:
> From: Matt Nelson [mailto:[EMAIL PROTECTED]]
> > Now, the error I'm getting now that I can't seem to find any help on, in the error_log is:
> > OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long
>
> Unusual.. Do you see anything in the browser? Also:
>
> - What versions of apache, mod_ssl, openssl?

Apache 1.3.22, OpenSSL 0.9.6, mod_ssl 1.4

> - Static or DSO?

I'll be honest and say I don't quite understand that question. I'm way more new at this than I wished. I could probably answer that question, if asked in different terms.

> - What browser?

IE, Mozilla, you name it.

> Rgds,
> Owen Boyle
RE: Error message help
Well I may have figured this out, https is now running, cert was in the wrong place, but https returns the default web page for the apache installation, instead of the real site, which does come up with just http. I think I can figure that out, but if anyone has a pointer, thanks, and thanks for suffering my dumb questions.

-- Matt
RE: Error message help
At 06:02 PM 7/31/2002 +0200, you wrote:
> See comments,

Ditto,

> Rgds,
> Owen Boyle
>
> -----Original Message-----
> From: Matt Nelson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 31 July 2002 17:01
> To: [EMAIL PROTECTED]
> Subject: RE: Error message help
>
> > Well I may have figured this out, https is now running, cert was in the wrong place,
>
> ..or your SSLCertificateFile directive was pointing to the wrong place :-)

Yup, but dang I was confused on where it went. Everything I've read said put it somewhere different. Error logs are your friends.

> > ...but https returns the default web page for the apache installation, instead of the real site, which does come up with just http. I think I can figure that out, but if anyone has a pointer, thanks, and thanks for suffering my dumb questions.
>
> Check out your DocumentRoot directive in the SSL virtual host - there should only be one. If there is more than one, apache will use the last one... It is this directive which tells apache where to fetch the content.

Yeah, I found that right after I wrote that.

> > -- Matt
> >
> > At 09:36 AM 7/31/2002 -0500, you wrote:
> > > At 03:56 PM 7/31/2002 +0200, you wrote:
> > > > From: Matt Nelson [mailto:[EMAIL PROTECTED]]
> > > > > Now, the error I'm getting now that I can't seem to find any help on, in the error_log is:
> > > > > OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long
> > > > Unusual.. Do you see anything in the browser? Also:
> > > > - What versions of apache, mod_ssl, openssl?
> > > Apache 1.3.22, OpenSSL 0.9.6, mod_ssl 1.4
>
> Um... If I were you, I'd get apache 1.3.26, OpenSSL 0.9.6e and mod_ssl 2.8.10. That's the latest mix; also pay attention to the security advisory that was posted to the list today.

I'll do that.

> > > > - Static or DSO?
>
> When you compiled apache, did you statically compile in mod_ssl (i.e. --enable-module=ssl) so that the mod_ssl binary gets munged in with the apache binary to produce a big binary *or* did you compile mod_ssl as a shared object which would be loaded dynamically at runtime (DSO = Dynamic Shared Object), i.e. --enable-shared=ssl? Usually, it doesn't make much difference when they're working, but since yours was not working, I thought I'd ask.

I didn't compile, I used everything stock from the Caldera 3.11 server install. A bad idea now I know; if I'd done it on my own or recompiled, I'd know which it was, among other things.

> > > I'll be honest and say I don't quite understand that question. I'm way more new at this than I wished. I could probably answer that question, if asked in different terms.
> > > > - What browser?
> > > IE, Mozilla, you name it.
>
> Just in case it was a funny browser - SSL is as much to do with the client as it is to do with the server, so it is essential to verify any problems with several browsers. But you've already done that.

Yeah... See I do try, I hate being a clueless newbie, or at least acting like one. I always try to cover the bases myself, so I don't get RTFM responses. I'm sure I'll have some other questions, though, and soon.

Thanks much
-- Matt
Error message help
Hi all,

I'm new to the list and to mod_ssl, and well, ssl in general, so I hope you'll forgive what may be dumb questions. I've been tasked with setting up an ssl site for a small company that wants to sell online. I've never done anything other than plain sites before, so I'm having to learn. I've done what all the docs have told me to, as near as I can tell, and I've gotten pretty far along. I'm still fuzzy on the exact syntax of the directives, but I've gotten it nearly working I think. This is all being done on a stock Caldera 3.11 server box.

Now, the error I'm getting now that I can't seem to find any help on, in the error_log is:

OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long

I've googled on it, and searched FAQs, etc., and nothing of help has appeared. I'd appreciate some help on this; I hate when I can't find help in the docs, I hate having to bother anyone.

Thanks
-- Matt
Re: IE discards pages once a while
Henning, Peter,

Try putting these lines in your conf (not in your v-hosts directives) (in the mod_setenvif section):

BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown

(make sure you have this in there also..)

# SSL Stuff
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none

It made it better for me. I was having the same problems. It still happens rarely for me.

Matt

----- Original Message -----
From: Henning Sittler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 31, 2001 7:51 AM
Subject: RE: IE discards pages once a while

> I have older versions of apache and mod_ssl and I'm having the same problem... I thought I was going crazy. Everything works fine, and then all of a sudden I'll refresh a page or click a link and I get the same 'page not found' msg you are getting. For me this problem occurs about two or maybe three times per day, while the rest of the time my ssl vhost works just fine. Again, I have found no error msgs in any of my logs to indicate any problem related to this.
> I'm also trying to figure out how to upgrade my apache properly in the quickest way so my public server has as little downtime as possible. I thought that upgrading apache might fix the problem, but it looks like you are stuck in the same situation with a newer version.
> Have you tried any other browsers? I get this problem with different browsers on different OS's. So I suspect it's not the browser.
> Henning Sittler
> www.inscriber.com
>
> -----Original Message-----
> From: Peter Vinnemeier [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 31, 2001 3:24 AM
> To: [EMAIL PROTECTED]
> Subject: IE discards pages once a while
>
> Hi @ll,
> I have apache 1.3.22 with mod_ssl 2.8.5 and php 4.0.6 installed on RH7.1 with self signed certificates. When accessing the site it usually works fine, but once in a while I get the IE error "The page cannot be displayed, server or dns not found". The apache access and error logs do not show anything. When going back and pressing the same link again it works fine again.
> The problem occurs with IE5 and IE5.5 and it is not really reproducible on certain actions. Does anybody have a clue?
> Thanks a lot in advance
> Peter
Re: Split private Key
On Wed, 12 Sep 2001, Averroes wrote:
> Any ideas for splitting and rebuilding Private key

Use dd(1). Say the key is 1000B:

$ dd if=key.file of=key.file.1 bs=300 count=1
$ dd if=key.file of=key.file.2 bs=300 skip=1 count=1
$ dd if=key.file of=key.file.3 bs=300 skip=2

Will give you 3 parts of the key. (Using skip to jump over previous bits, not specifying count for the last part so we get the rest of the file, not just 300B).

> (be sure, with no damages) will be appreciated!

$ cat key.file.1 key.file.2 key.file.3 > key.file.new
$ md5sum key.file.new key.file

to check.

Matt
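The dd recipe above generalised to any key size, as an added example that is not from the post: it splits a constructed 1000-byte stand-in for the key into three pieces, reassembles them, and compares byte-for-byte instead of by eye. File names follow the post; the chunk size is computed from the file size.

```shell
#!/bin/sh
# Added example (not from the list post): split a file into N pieces with
# dd and prove the pieces reassemble byte-for-byte. Generalises the
# bs=300 recipe by computing the block size from the file length.
set -eu

# split_file FILE N -> writes FILE.1 .. FILE.N and prints the block size used.
split_file() {
  file=$1
  n=$2
  size=$(wc -c < "$file")
  # Round up so that N blocks always cover the whole file.
  bs=$(( (size + n - 1) / n ))
  i=1
  while [ "$i" -le "$n" ]; do
    # skip=i-1 jumps over the earlier pieces, count=1 takes exactly one
    # block; the last piece is naturally shorter if size is not a multiple
    # of bs, so no special case for the tail is needed.
    dd if="$file" of="$file.$i" bs="$bs" skip=$((i - 1)) count=1 2>/dev/null
    i=$((i + 1))
  done
  echo "$bs"
}

# join_file FILE N -> concatenates FILE.1 .. FILE.N into FILE.new and
# prints "match" or "mismatch" after comparing with the original.
join_file() {
  file=$1
  n=$2
  i=1
  : > "$file.new"
  while [ "$i" -le "$n" ]; do
    cat "$file.$i" >> "$file.new"
    i=$((i + 1))
  done
  if cmp -s "$file" "$file.new"; then echo match; else echo mismatch; fi
}

# Constructed stand-in for a private key: 1000 bytes of random data.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/key.file"
head -c 1000 /dev/urandom > "$KEY"

CHUNK=$(split_file "$KEY" 3)    # 334: pieces of 334, 334 and 332 bytes
RESULT=$(join_file "$KEY" 3)    # match
echo "block size $CHUNK, reassembly: $RESULT"
```

Note that dd yields plain fragments, not secret shares: each piece exposes a contiguous slice of the key, so every piece needs the same handling as the whole key.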
RE: Creating a UK CSR
Hey all,

I checked out the Thawte IRC support, and was told there that I should just put London twice, once for state and once for location. I now have my certificate and it's all OK, and works fine (cleared up some Macintosh IE5 problems too.)

So thanks all for the help you've given, I'm now running modssl with Apache and I think I understand most of the important issues!

Matt
Creating a UK CSR
Hey All,

Just a quickie on UK certs. Can I just leave state blank, and use London for locality, or should I use London for both? Also, GB is the correct ISO country code, right?

Thanks,
Matt
Re: negative LocationMatch syntax?
On Thu, 12 Apr 2001, Paul wrote:
> Hi all. I need to leave a few areas of our site freely accessible, but most of the site is restricted, and I'd like the default behavior to be restrictive. I don't want to have to remember to change the config if I add new directories, as in adding
>
> <Location>
>   SSLVerifyClient require
> </Location>
>
> Is there a way I could use LocationMatch to specify a "not" condition? As in
>
> <LocationMatch !~ "/(thisfile|thatDir|whatever).*">
>   SSLVerifyClient require
> </LocationMatch>
>
> That would let me list the exceptions, and everything else would be restricted by default..

It's really frustrating, but this is *not* possible... However, here's a hack I've used that kinda works:

<LocationMatch "([^[.thisfile.]]|[^[.thatDir.]]|[^[.whatever.]]).*">

It's ugly, and it works for some cases but not all (in fact the above might not work - I haven't tested it). See regex.7 in src/regex in the apache distribution for more docs on what you can do.

--
Matt
Founder and CTO, AxKit.com Ltd - http://axkit.com/ - http://axkit.org
mod_perl news and resources: http://take23.org
One ssl/non-ssl server or two?
Hi,

I'm setting up a server cluster that will be serving both SSL and non-SSL content. We'll be serving millions of hits a day - probably around 0.5% of these will be under SSL. The same physical hosts will be serving both the http and the SSL content.

My question is: is it better to have one image of Apache, with mod_ssl compiled in, serving all requests, or is it better to have two separate images of apache running on the same machines, one serving only http and the other only https?

My main concern is with performance. My tests indicate that there's not much difference, but I'm not sure that this will be true in a real-world situation. Does anyone have any experience with this? Am I overlooking any important factors?

Thanks,
Matt
MSIE Woes..
I have read through the mailing list for ModSSL and have been unable to find a solution that works for my server. Here is the error:

[08/Feb/2001 12:22:21 14788] [info] Connection to child 10 established (server secure2.pinn.net:443, client xxx.xxx.xxx.xxx)
[08/Feb/2001 12:22:21 14788] [info] Seeding PRNG with 1160 bytes of entropy
[08/Feb/2001 12:22:26 14788] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]

I have added the following to my Apache configuration in hopes of getting it to work for a customer:

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLProtocol all -SSLv3
SSLVerifyClient none
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

I am using Apache/1.3.14 (Unix) PHP/4.0.4 mod_ssl/2.7.1 OpenSSL/0.9.6 on a Solaris 2.6 box. I compiled ModSSL with the following flags:

./configure \
  "--with-apache=../apache_1.3.14" \
  "--with-ssl=../openssl-0.9.6" \
  "--prefix=/WWW" \
  "--activate-module=src/modules/php4/libphp4.a" \
  "--enable-suexec" \
  "--suexec-caller=nobody" \
  "--suexec-logfile=cgi.log" \

Any ideas? Any help would be wonderful!

--
Matt Glaves
Systems Engineer
Pinnacle Online
www.pinn.net
Where is mod_ssl.so?
I'm trying to compile a DSO version of mod_ssl but can't find a mod_ssl.so file to use as a module. Perhaps my understanding of the terms is wrong, but does a DSO version mean that a module (i.e. mod_ssl.so) is created? I used the '--enable-shared=ssl' directive when I ran the configure script; was there something else I needed to do? mod_ssl appears to have been compiled properly, but not modularly.

Here's what I did on my RedHat 6.2 system with the Apache 1.3.12 sources in /tmp/apache_1.3.12, openssl-0.9.6-1 and mod_ssl-2.6.6-1.3.12:

  $ export SSL_BASE=SYSTEM
  $ cd mod_ssl-2.6.6-1.3.12
  $ ./configure --with-apache=/tmp/apache_1.3.12
  $ cd /tmp/apache_1.3.12
  $ ./configure --enable-module=ssl --prefix=/tmp/apache_1.3.12 \
        --enable-shared=ssl
  $ make
  $ sudo make install

This put Apache in /usr/local/apache, the default, but there are no LoadModule directives in the default httpd.conf so I'm assuming no modules were created.

I'm sorry if this is a silly question, but I've read the FAQ and other excellent documentation on the website and don't see anything that helps me with this particular problem.

--
Matt McParland [EMAIL PROTECTED]
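The question above is really "was mod_ssl linked in statically or built as a DSO, and is it actually loaded?" Apache 1.3 records that in two places: `httpd -l` lists the statically compiled modules, and a DSO build is wired in with a LoadModule line in httpd.conf. The following is an added example, not code from the poster or from the mod_ssl project; it assumes that a static build shows `mod_ssl.c` in the `httpd -l` listing and that mod_ssl's DSO is installed as `libexec/libssl.so` (the name mod_ssl uses for its shared object rather than `mod_ssl.so`). The sample inputs are constructed, not real output from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the original post). Classifies a mod_ssl build
# from the text of `httpd -l` and httpd.conf.
# Assumptions (not stated on the page): a static build lists "mod_ssl.c"
# under "Compiled-in modules:", and a DSO build ships libexec/libssl.so
# referenced by "LoadModule ssl_module ...".

# classify_ssl_build HTTPD_L_OUTPUT HTTPD_CONF_TEXT
# Prints one of: static | dso | dso-commented-out | absent
classify_ssl_build() {
    l_out=$1
    conf=$2

    # Statically linked: the module shows up in the compiled-in list.
    if printf '%s\n' "$l_out" | grep -q 'mod_ssl\.c'; then
        echo static
        return 0
    fi

    # DSO and actually loaded: an uncommented LoadModule line points at libssl.so.
    if printf '%s\n' "$conf" | grep -v '^[[:space:]]*#' \
        | grep -q 'LoadModule[[:space:]][[:space:]]*ssl_module[[:space:]].*libssl\.so'; then
        echo dso
        return 0
    fi

    # DSO present in the config only as a commented-out line: built but not loaded.
    if printf '%s\n' "$conf" | grep -q 'libssl\.so'; then
        echo dso-commented-out
        return 0
    fi

    echo absent
}

# Constructed sample inputs for demonstration.
SAMPLE_L_STATIC='Compiled-in modules:
  http_core.c
  mod_so.c
  mod_ssl.c'
SAMPLE_L_DSO='Compiled-in modules:
  http_core.c
  mod_so.c'
SAMPLE_CONF_LOADED='<IfDefine SSL>
LoadModule ssl_module libexec/libssl.so
</IfDefine>'
SAMPLE_CONF_COMMENTED='#LoadModule ssl_module libexec/libssl.so'
SAMPLE_CONF_NONE='ServerName www.example.com'

# Real use on a box (paths are the Apache 1.3 defaults, adjust as needed):
#   classify_ssl_build "$(/usr/local/apache/bin/httpd -l)" \
#                      "$(cat /usr/local/apache/conf/httpd.conf)"
```

If the result is `dso-commented-out`, the module was built but httpd.conf only carries it inside a commented or `<IfDefine SSL>` block that is never activated; starting httpd with `-DSSL` or uncommenting the line is what loads it. `absent` with `--enable-shared=ssl` given means the build did not produce the DSO at all, so look at the configure output rather than the config file.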
HOW TO?: mod_ssl w/RSAref + mod_perl
I'm trying to build a web server with mod_ssl w/RSAref + mod_perl and can't find any directions on how to do it. My attempts at figuring it out myself haven't turned out well either. Building without RSAref is easy enough, but I need that, so how can I do it? Ideally, I'd like to have mod_php3 too. How can I integrate all this together?

(John 3:16)
Matt
SSL Conf files
I am running a Shopping Cart package on my Cobalt RaQ2 Server (RedHat 5.1 with some 5.2 optimizations) and have SSL installed. I am trying to get the Secure Web Server (RedHat SWS 3) to use the paths that the shopping cart needs after the user moves from the non-SSL area to the httpsd.

The shopping cart people told me that I was to modify the srm.conf file with a ScriptAlias for their package's paths, which I did, and still the Secure Web Server doesn't find the required files. Then they told me to add the same ScriptAlias to my httpsd.conf file, which I did. I restarted httpsd and rebooted, then restarted httpsd, and still the Secure Web Server doesn't see the proper paths and will not let the user finish their orders.

Any help would be greatly appreciated.

Regards
M@
