apache 2.0 fails on startup with SSL (no console or log errors found!)
Hi list folk!

I'm having trouble getting mod_ssl working on a fresh install of apache 2.0 on SUSE Linux 9.

The problem: when I start apache with 'APACHE_SERVER_FLAGS=-D SSL' in my sysconfig/apache2 file, it fails with no explanation: no errors in the error log, no errors on the console, other than returning failed. When I start apache without -D SSL, it runs with no problem, and I can use port 443 - it just points to the default location on my server.

Running apache extreme-configtest yields Syntax: OK.

This is the first time I've set up a secure site, so I assume I'm either missing something obvious or subtle... any help or advice is most appreciated!

My configuration:

--- my sysconfig/apache2 file contains:

    APACHE_SERVER_FLAGS="-D SSL"
    APACHE_MODULES="... ssl ..."

(Consequently... LoadModule ssl_module /usr/lib/apache2-prefork/mod_ssl.so is in my loadmodule.conf)

--- My VHost file contains:

    <VirtualHost *:443>
        DocumentRoot (my path)
        ServerName *:443
        ErrorLog /var/log/apache2/error_log
        TransferLog /var/log/apache2/access_log
        SSLEngine on
        SSLCipherSuite (default)
        SSLCertificateFile /etc/apache2/ssl.crt/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
        <Files ~ \.(cgi|shtml|phtml|php3?)$>
            SSLOptions +StdEnvVars
        </Files>
        <Directory /srv/www/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        CustomLog /var/log/apache2/ssl_request_log ssl_combined
    </VirtualHost>

The certificate files are pointing to the correct place, and I've created self-signed keys/certs several times in several places with several different methods - to no effect - and am somewhat confident that the keys/certs are not the problem.

--- My Directory directive for the SSL document root directory contains:

    SSLRequireSSL
    SSLOptions +StdEnvVars
    Options Includes
    AllowOverride All
    Order allow,deny
    Allow from all

--- My ssl-global.conf file contains:

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/var/lib/apache2/ssl_scache
    SSLSessionCacheTimeout 600
    SSLMutex file:/var/lib/apache2/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin

Thanks for any help you can give!

Heather Yager
Database Programmer, Academy of Natural Sciences

__
Apache Interface to OpenSSL (mod_ssl)    www.modssl.org
User Support Mailing List                modssl-users@modssl.org
Automated List Manager                   [EMAIL PROTECTED]
Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
I've learned that I can fix this problem by not using an external style sheet. This only affects IE6 on XP without SP2. Everyone else seems to be able to view my pages fine, and even these problematic IE6/XP customers can view pages with external style sheets that are not using HTTPS.

Specifically, if I delete this line from my HTML:

    <link rel="stylesheet" type="text/css" href="https://www.beileysoftware.com/main.css">

then these problematic browsers can view the page fine. I've also changed the HTML to include the exact contents of the style sheet inline, and this works fine. It is only when the style sheet is external that the browser can't display the contents.

If I leave the external style sheet in place, I can see in the logs the browser requesting the page and then the style sheet. Both are returned with no errors, but the browser just sits there with a blank page, and never really finishes. It seems like it is waiting for something to complete, but it never finishes.

I'm guessing this was some bug in early versions of IE6, but does anyone know what the specific problem is, and how I can fix it by configuring Apache differently?

Thanks,
Mark
http://www.beiley.com
Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
Hi Mark,

Did you try Google http://www.google.com/search?q=Starfield+cert+ie6? I guess the root certificate causes the trouble.

Sven.

--
Sven Geisler [EMAIL PROTECTED]
Tel +49.30.921017.81 Fax .50
Senior Developer, AEC/communications GmbH & Co. KG
Berlin, Germany
Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
Hi Sven,

Interesting... I hadn't thought of that. I know some other sites using a Starfield certificate. I'll see if these customers experience the same problem when they go there.

Thanks for your help!
Mark
http://www.beiley.com

----- Original Message -----
From: Sven Geisler [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Thursday, June 07, 2007 11:30 PM
Subject: Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)

> Hi Mark,
>
> Did you try Google http://www.google.com/search?q=Starfield+cert+ie6? I guess the root certificate causes the trouble.
>
> Sven.
Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
Hello,

Several customers are not able to access my server via HTTPS. Their browser just sits there, and doesn't display anything. I've determined the common properties of these cases to be:

    Windows XP (all of them without SP2)
    Internet Explorer 6

I can see their requests show up fine in my log files, without errors. These customers can visit other HTTPS sites. My site works fine for the vast majority of people. I'm stumped on the next step to try and debug the problem. Any suggestions?

My server configuration:

    Apache 2.0.54 with mod_ssl and mod_deflate, running on Windows XP

For an example URL, try: https://www.beileysoftware.com/handy.html

Thanks,
Mark
http://www.beiley.com
Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
Hi Sven,

Thanks for the reply. I believe I have KeepAlive off for this browser. In my ssl.conf file I have:

    SetEnvIf User-Agent .*MSIE.* \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

Thanks,
Mark
http://www.beiley.com

> Hi Mark,
>
> Do you have KeepAlive on in your server config for this browser?
>
> Sven.
Apache 2.0 + SSL + FreeBSD 5.1
Has anyone been able to successfully build Apache 2.0.48 --with-ssl and --enable-ssl? It seems the stock SSL library with FreeBSD 5.1-RELEASE-p16 isn't up to snuff.

Below is the section of the config.log related to mod_ssl.

    configure:9764: checking whether to enable mod_ssl
    configure:9800: result: checking dependencies
    configure:9805: checking for SSL/TLS toolkit base
    configure:9856: result: /usr
    configure:9859: checking for SSL/TLS toolkit version
    configure:9861: result: OpenSSL 0.9.7a-p1 Feb 19 2003
    configure:9879: checking for SSL/TLS toolkit includes
    configure:9897: result: /usr/include
    configure:9900: checking for SSL/TLS toolkit libraries
    configure:9915: result: /usr/lib
    configure:10036: checking for SSL_set_state
    configure:10073: gcc -o conftest -g -O2 -D_REENTRANT -D_THREAD_SAFE -L/usr/local/lib conftest.c -lssl -lcrypto >&5
    /var/tmp//ccZ69MDl.o: In function `main':
    /usr/local/src.local/httpd/httpd-2.0.48/configure:10063: undefined reference to `SSL_set_state'
    configure:10076: $? = 1
    configure: failed program was:
    #line 10041 "configure"
    #include "confdefs.h"
    /* System header to define __stub macros and hopefully few prototypes,
       which can conflict with char SSL_set_state (); below. */
    #include <assert.h>
    /* Override any gcc2 internal prototype to avoid an error. */
    #ifdef __cplusplus
    extern "C"
    #endif
    /* We use char because int might match the return type of a gcc2
       builtin and then its argument prototype would still apply. */
    char SSL_set_state ();
    char (*f) ();
    int main () {
    /* The GNU C library defines this for functions which it implements
       to always fail with ENOSYS. Some functions are actually named
       something starting with __ and the normal name is an alias. */
    #if defined (__stub_SSL_set_state) || defined (__stub___SSL_set_state)
    choke me
    #else
    f = SSL_set_state;
    #endif
    ; return 0; }
    configure:10092: result: no
    configure:10106: checking for SSL_set_cert_store
    configure:10143: gcc -o conftest -g -O2 -D_REENTRANT -D_THREAD_SAFE -L/usr/local/lib conftest.c -lssl -lcrypto >&5
    /var/tmp//ccgL31OW.o: In function `main':
    /usr/local/src.local/httpd/httpd-2.0.48/configure:10133: undefined reference to `SSL_set_cert_store'
    configure:10146: $? = 1
    configure: failed program was:
    #line 10111 "configure"
    #include "confdefs.h"
    /* System header to define __stub macros and hopefully few prototypes,
       which can conflict with char SSL_set_cert_store (); below. */
    #include <assert.h>
    /* Override any gcc2 internal prototype to avoid an error. */
    #ifdef __cplusplus
    extern "C"
    #endif
    /* We use char because int might match the return type of a gcc2
       builtin and then its argument prototype would still apply. */
    char SSL_set_cert_store ();
    char (*f) ();
    int main () {
    /* The GNU C library defines this for functions which it implements
       to always fail with ENOSYS. Some functions are actually named
       something starting with __ and the normal name is an alias. */
    #if defined (__stub_SSL_set_cert_store) || defined (__stub___SSL_set_cert_store)
    choke me
    #else
    f = SSL_set_cert_store;
    #endif
    ; return 0; }
    configure:10162: result: no

--
Colin Faber
FPSN.Net Development staff
email: [EMAIL PROTECTED]
problem with SSLVerifyClient required in apache 2.0
Hi,

My system configuration is as follows:

    Mandrake 9.2
    Apache 2.0.47
    apache2-mod_ssl 2.0.47
    OpenSSL 0.9.7b

I want to authenticate my clients with certificates. Here is the apache-ssl configuration:

    DocumentRoot /var/www/html
    ErrorLog logs/ssl_error_log
    <IfModule mod_log_config.c>
        TransferLog logs/ssl_access_log
    </IfModule>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /etc/ssl/apache/download_sapslnt2.tcmb.gov.tr.crt
    SSLCertificateKeyFile /etc/ssl/apache/server_openca91.key
    SSLCertificateChainFile /etc/ssl/apache/cacert.pem
    SSLCACertificateFile /etc/ssl/apache/cacert.pem
    SSLCARevocationFile /etc/ssl/apache/cacrl.crl
    SSLVerifyClient require
    SSLVerifyDepth 1
    <Files ~ \.(cgi|shtml|phtml|php?)$>
        SSLOptions +StdEnvVars
    </Files>
    <Directory /var/www/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    <IfModule mod_setenvif.c>
        SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </IfModule>
    <IfModule mod_log_config.c>
        CustomLog logs/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </IfModule>
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteOptions inherit
    </IfModule>

If I turn off the SSLVerifyClient parameter everything works fine. But when I turn on SSLVerifyClient as SSLVerifyClient require, the client (IE, mozilla) can not connect to the server, and apache logs the following for every attempt:

    [Wed Mar 03 12:57:37 2004] [notice] child pid 22462 exit signal Segmentation fault (11)

I made the log level debug and get the following lines in the ssl-error log file. Any help will be appreciated.

thanks
Mahmut Eren

btw: it works in apache 1.3.23 with the same client certificate.

ssl-error log
__
    [Wed Mar 03 13:06:18 2004] [info] Connection to child 0 established (server sapslnt2.tcmb.gov.tr:443, client 10.5.54.91)
    [Wed Mar 03 13:06:18 2004] [info] Seeding PRNG with 136 bytes of entropy
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_kernel.c(1766): OpenSSL: Handshake: start
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop: before/accept initialization
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_io.c(1484): OpenSSL: read 11/11 bytes from BIO#82e1738 [mem: 82d2530] (BIO dump follows)
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_io.c(1431): +-+
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_io.c(1456): | : 80 4c 01 03 00 00 33 00-00 00 10 .L3 |
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_io.c(1462): +-+
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_io.c(1484): OpenSSL: read 67/67 bytes from BIO#82e1738 [mem: 82d253b] (BIO dump follows)
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_io.c(1431): +-+
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_io.c(1456): | : 00 00 04 00 00 05 00 00-0a 01 00 80 07 00 c0 03 |
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_io.c(1456): | 0010: 00 80 00 00 09 06 00 40-00 00 64 00 00 62 00 00 [EMAIL PROTECTED] |
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_io.c(1456): | 0020: 03 00 00 06 02 00 80 04-00 80 00 00 13 00 00 12 |
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_io.c(1456): | 0030: 00 00 63 d2 6c 7d f0 59-be 40 5e fa a3 76 c0 10 [EMAIL PROTECTED] |
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_io.c(1456): | 0040: 12 09 02 ... |
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_io.c(1462): +-+
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop: SSLv3 read client hello A
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop: SSLv3 write server hello A
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop: SSLv3 write certificate A
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop: SSLv3 write certificate request A
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_kernel.c(1774): OpenSSL: Loop: SSLv3 flush data
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_io.c(1495): OpenSSL: I/O error, 5 bytes expected to read on BIO#82e1738 [mem: 82d2530]
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_kernel.c(1803): OpenSSL: Exit: error in SSLv3 read client certificate A
    [Wed Mar 03 13:06:18 2004] [debug] ssl_engine_kernel.c(1803): OpenSSL: Exit: error in SSLv3 read client certificate A
    [Wed Mar 03 13:06:18 2004] [info] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
    [Wed Mar 03 13:06:18 2004] [info] Connection to child 0 closed with abortive shutdown(server sapslnt2.tcmb.gov.tr:443, client 10.5.54.91)
    [Wed Mar 03 13:06:20 2004] [info] Connection to child 6
problem with SSLVerifyClient required in apache 2.0
Sorry, I've sent the same mail again accidentally.
Patches and Enhancements for a SSL-Proxy Based on Apache 2.0 (mod_ssl, mod_proxy, mod_headers)
Hello All,

I want to provide updated information to my earlier described scenario using mod_ssl + mod_proxy + mod_headers:

    Component: Web Browser --- Proxy (mod_proxy) --- Web Server
    SSL Role:  SSL Client  --- SSL server | SSL Client --- SSL Server

The following discussion focuses on Apache 2.0.43 and 2.0.44.

I have implemented a solution to transfer the Web browser's client certificate (and other SSL information) to the backend Web server:

    Component: Web Browser --- Proxy (mod_proxy) --- Web Server
    SSL Role:  SSL Client  --- SSL server | SSL Client --- SSL Server
    Client Cert (and other SSL information) -- Transfer as HTTP Headers

The problem was that mod_headers' RequestHeader directive didn't really match the requirements.

    RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e

is not a practical solution to forward the client's certificate to the backend server for the following reasons:

1. SSL_CLIENT_CERT produces multi-line output and the RequestHeader directive isn't able to transfer it into a correct multi-line HTTP header.
2. The decorations (-----BEGIN/END CERTIFICATE-----) and the multi-line format are not very useful in this scenario.

Therefore I have introduced the option E in addition to e for putting environment variables in headers. The E has the following meaning:

    %{FOOBAR}E  The base64 encoded content of the environment variable FOOBAR.
                If the environment variable already contains a base64 encoded
                body (e. g. SSL_CLIENT_CERT) the body will be set as the value
                of the header variable. The result is in any case a single line
                of base64 characters only.

This behavior serves two requirements:

1. There is no problem escaping special characters when putting other SSL information in HTTP headers. In many cases, SSL_CLIENT_S_DN will probably contain characters that have to be escaped.
2. Reduces the overhead produced by decorations and multi-line format.

Here is an example for forwarding the SSL Client Certificate and other SSL information:

    RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}E env=SSL_CLIENT_S_DN
    RequestHeader set SSL_CLIENT_CERT_CHAIN_0 %{SSL_CLIENT_CERT_CHAIN_0}E env=SSL_CLIENT_CERT_CHAIN_0
    RequestHeader set SSL_CLIENT_CERT_CHAIN_1 %{SSL_CLIENT_CERT_CHAIN_1}E env=SSL_CLIENT_CERT_CHAIN_1
    RequestHeader set SSL_CIPHER_USEKEYSIZE %{SSL_CIPHER_USEKEYSIZE}e env=SSL_CIPHER_USEKEYSIZE
    RequestHeader set SSL_CIPHER_SUITE %{SSL_CIPHER}e env=SSL_CIPHER

To make this work I also patched two other things:

1. mod_headers' RequestHeader directive wasn't able to take an env clause as a fourth argument in contrast to the Header directive. I don't know the reason for that behavior, but the env clause seems to work fine with the SSL environment variables for RequestHeaders. This was necessary to avoid an empty header if the environment variable isn't present. If there are objections, let me know.
2. SSL_CLIENT_CERT_CHAIN_n is broken. To me it seems that somebody has tried to change SSL_CLIENT_CERT_CHAINn to SSL_CLIENT_CERT_CHAIN_n. However, the introduction of the _ wasn't quite consistent. I patched that and now I can see the intermediate CAs as SSL_CLIENT_CERT_CHAIN_0 to SSL_CLIENT_CERT_CHAIN_n in the environment.

Last but not least I have updated the mod_headers documentation with the new option E and an example for forwarding the Web browser's client certificate and some other SSL information.

I think the described patches and enhancements are quite reasonable and I would like to make them part of the standard Apache distribution. I have already produced a patch file that works for Apache 2.0.43 and 2.0.44. I would appreciate guidance on how to proceed.

Comments welcome!

Regards,
Maik

Maik Mueller
Development Architect
SAP
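The forwarding scheme described in this message, sketched for both ends as an added example (not Maik's patch and not Apache code): the proxy turns each SSL variable into a single-line header value the way %{VAR}E is described, after dropping any header of the same name that arrived from the browser, and the backend decodes SSL_CLIENT_CERT back to DER. The function names and the sample "certificate" bytes are constructed for illustration.

```python
import base64
import binascii
import re

# PEM-style decoration around a base64 body (the multi-line SSL_CLIENT_CERT form).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
NOT_B64 = re.compile(r"[^A-Za-z0-9+/=]")

# header name -> (environment variable, format), after the RequestHeader lines
# in the message: "E" = base64 form, "e" = value copied unchanged. The message
# conditions SSL_CLIENT_CERT on SSL_CLIENT_S_DN; here every header is simply
# conditioned on its own variable.
FORWARDED = {
    "SSL_CLIENT_CERT": ("SSL_CLIENT_CERT", "E"),
    "SSL_CLIENT_CERT_CHAIN_0": ("SSL_CLIENT_CERT_CHAIN_0", "E"),
    "SSL_CLIENT_CERT_CHAIN_1": ("SSL_CLIENT_CERT_CHAIN_1", "E"),
    "SSL_CIPHER_USEKEYSIZE": ("SSL_CIPHER_USEKEYSIZE", "e"),
    "SSL_CIPHER_SUITE": ("SSL_CIPHER", "e"),
}


def encode_E(value):
    """Single-line base64 for one variable, as described for %{VAR}E."""
    block = PEM_BLOCK.search(value)
    if block:
        # Already base64 inside decorations: keep only the body, joined up.
        body = re.sub(r"\s+", "", block.group(2))
        base64.b64decode(body, validate=True)  # raises on a damaged body
        return body
    # Anything else (a DN with spaces, commas, non-ASCII) is encoded whole.
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def proxy_request_headers(client_headers, ssl_env):
    """Headers the proxy sends on to the backend (hypothetical helper)."""
    reserved = {name.lower() for name in FORWARDED}
    # Drop anything the browser sent under a reserved name. A conditional
    # "set ... env=VAR" alone leaves such a header in place when VAR is unset.
    out = {k: v for k, v in client_headers.items() if k.lower() not in reserved}
    for header, (env_name, fmt) in FORWARDED.items():
        if env_name not in ssl_env:
            continue  # same effect as the env= clause: no empty header
        value = ssl_env[env_name]
        if fmt == "E":
            value = encode_E(value)
        elif "\r" in value or "\n" in value:
            raise ValueError(f"{env_name} is multi-line, forward it with E")
        out[header] = value
    return out


def backend_client_cert(headers):
    """Backend side: DER bytes of the forwarded certificate, or None."""
    value = headers.get("SSL_CLIENT_CERT")
    if value is None:
        return None
    if NOT_B64.search(value):
        raise ValueError("SSL_CLIENT_CERT is not single-line base64")
    try:
        der = base64.b64decode(value, validate=True)
    except binascii.Error as exc:  # includes wrong '=' padding
        raise ValueError("SSL_CLIENT_CERT has bad base64 or padding") from exc
    if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE
        raise ValueError("SSL_CLIENT_CERT does not decode to a DER SEQUENCE")
    return der


def sample_pem():
    """Constructed stand-in for a certificate: a 99-byte DER SEQUENCE."""
    der = bytes([0x30, 0x81, 0x60]) + bytes(range(96))
    b64 = base64.b64encode(der).decode("ascii")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return der, f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    der, pem = sample_pem()
    env = {"SSL_CLIENT_CERT": pem, "SSL_CIPHER": "RC4-MD5"}
    sent = proxy_request_headers({"Host": "backend", "ssl_client_cert": "Zm9yZ2Vk"}, env)
    print(sent["SSL_CLIENT_CERT"])
    print(backend_client_cert(sent) == der)
```

In Apache terms the first step of proxy_request_headers corresponds to an unconditional `RequestHeader unset` for each forwarded name placed ahead of the conditional `RequestHeader set` lines.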
RE: Patches and Enhancements for a SSL-Proxy Based on Apache 2.0 (mod_ssl, mod_proxy, mod_headers)
> Cool.. Can you please post the patch to the list, so that ppl can review the code, and give their comments.
> -Madhu

No problem! Here is my short README describing the patch and its history from Apache version 2.0.43 to 2.0.44:

Hello!

This is the distribution point for the Apache 2.0 as SSL Intermediary Patch. Currently you need this patch to use Apache 2.0 as a trusted intermediary in configuration with the SAP J2EE Engine. The patch is subject to become part of the standard Apache 2.0 distribution.

Feedback welcome!
Maik ([EMAIL PROTECTED])

INSTRUCTIONS:
- extract the Apache 2.0.43 distribution (httpd-2.0.43.tar.gz)
- change directory to httpd-2.0.43
- apply the patch with -p1 (patch -p1 < Apache-2.0.43-SSLintermediary.patch)
- follow the Apache INSTALL instructions

HISTORY:

02-12-30  initial release (available SAP internal)

03-01-07  httpd-2.0.43-patched-as-SSLintermediary.zip added
          In this ZIP archive the Apache-2.0.43-SSLintermediary.patch is already applied. More convenient for users not so familiar with the usage of diff & patch.

03-01-08  httpd-2.0.43-win32-src-patched-as-SSLintermediary.zip added
          You cannot use the UNIX source to build the WIN32 binaries. This ZIP archive contains the already patched version of httpd-2.0.43-win32-src. Use it to build the WIN32 binaries. If you want to apply Apache-2.0.43-SSLintermediary.patch to the original httpd-2.0.43-win32-src be aware that you have to convert CR-LFs in CR before applying the patch. In the successfully patched files you can again expand CR to CR-LF.

03-01-20  Bug in base 64 padding found. The calculation of the number of padding characters ('=') needed computes wrong results in some cases.

03-02-07  Apache 2.0.44 Released
          Apache-2.0.44-SSLintermediary.patch corresponds to httpd-2.0.44.tar.gz
          The documentation changes are NO longer part of the patch. Download mod_headers_mai.html.en for proposed documentation changes. SSLproxy.conf is a good example for a proxy's mod_ssl configuration. The SAP proposed header names are used in the example added to the mod_headers documentation (see mod_headers_mai.html.en).

And here follows the patch (My proposed changes to the HTML docu are now not included in the patch. Please advise me if and how to post these changes to mod_headers.html.en):

--- httpd-2.0.44.ori/modules/metadata/mod_headers.c Mon Nov 4 19:31:57 2002 +++ httpd-2.0.44/modules/metadata/mod_headers.c Fri Feb 7 18:00:18 2003 @@ -109,6 +109,7 @@ #include apr_lib.h #include apr_strings.h #include apr_buckets.h +#include apr_base64.h #include apr_hash.h #define APR_WANT_STRFUNC 
@@ -198,6 +199,62 @@ else return (null); } + +/* Base 64 encoded ASN.1 data is usually tagged with decorations of + * the following style: + * -BEGIN description- + * base64 encoded body + * -END description- + * The defines are used to search for such decorations. + */ +#define DECORATION_MARKER_BEGIN -BEGIN +#define DECORATION_MARKER_END -END +#define DECORATION_EOF_MARKER - + +static const char *header_request_env_varB64(request_rec *r, char *a) +{ + const char *s = apr_table_get(r-subprocess_env,a); + char *pStartBody = NULL; + char *pBehindBody = NULL; + char *ptr; + + if (s) { +/* search for decorations marking encapsulated base64 encoded data */ +ptr = strstr((char *)s, DECORATION_MARKER_BEGIN); +if (ptr) { + ptr = strstr(ptr + strlen(DECORATION_MARKER_BEGIN), DECORATION_EOF_MARKER); + if (ptr (ptr + strlen(DECORATION_EOF_MARKER) + 1) != '\0') { + /* explicit check that there are sitll chars in the string */ + pStartBody = ptr + strlen(DECORATION_EOF_MARKER) + 1; + + ptr = strstr(pStartBody, DECORATION_MARKER_END); + if (ptr strstr(ptr, DECORATION_EOF_MARKER)) + pBehindBody = ptr; + } +} + +if (pStartBody pBehindBody) { + /* encapsulated base64 encoded data found */ + /* all except the body will be skipped */ + *pBehindBody = '\0'; + apr_base64_cleanB64(pStartBody); + return pStartBody; +} else { + /* call apr_base64_encode() to encode the data */ + int inlen = strlen(s); + int outsize = apr_base64_encode_len(inlen); + char *encoded = apr_palloc(r-pool, outsize); + int rc = apr_base64_encode(encoded, s, inlen); + if (rc outsize) + return (null); + else + return encoded; +} + } + else +return (null); +} + /* * Config routines */ @@ -407,7 +464,7 @@ /* Handle the envclause on Header */ if (envclause != NULL) { -if (inout != hdr_out) { +if (inout != hdr_out inout != hdr_in) { return error: envclause (env=...) only valid on Header directive; } if (strncasecmp(envclause, env=, 4) != 0) { @@ -448,12 +505,23 @@ return
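Review bot: In header_request_env_varB64 (hunk @@ -198,6 +199,62 @@) the decorated-body branch edits the environment value in place: s comes from apr_table_get() as a const char *, the (char *) casts drop the const, and `*pBehindBody = '\0';` followed by apr_base64_cleanB64(pStartBody) truncates and rewrites the string that subprocess_env still points to, so anything that reads the same variable later in the request (a second RequestHeader line, or CGI/SSI output with +StdEnvVars) sees a damaged value. Copy the body into the request pool first, for example with apr_pstrmemdup(), and clean the copy. In the same branch the test on `(ptr + strlen(DECORATION_EOF_MARKER) + 1) != '\0'` looks at the second byte after the marker without checking the first, so a value that ends directly after the closing dashes of the BEGIN line is read one byte past its terminator; test the byte at ptr + strlen(DECORATION_EOF_MARKER) before skipping over it.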
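Review bot: In hunk @@ -407,7 +464,7 @@ the error string on the line after the changed condition, "envclause (env=...) only valid on Header directive", no longer matches what the condition accepts once hdr_in is allowed and should name both directives. The documentation that goes with this change also needs to state that a conditional `RequestHeader set NAME ... env=VAR` leaves a header called NAME that arrived with the request untouched whenever VAR is absent, so a proxy that forwards SSL_CLIENT_CERT this way should put an unconditional `RequestHeader unset NAME` ahead of each conditional set.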
Re: mod-ssl for apache 2.0.x - wasn't compiled
Thanks a lot Daniel and Mads. It does work. I would love to use 2.0.43 instead of 2.0.39 but my developers have developed some experimental code on 2.0.39, so they prefer only 2.0.39 for this moment.

----- Original Message -----
From: Daniel Lopez [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, November 18, 2002 2:54 PM
Subject: Re: mod-ssl for apache 2.0.x - wasn't compiled

> [Questions]
> 1. Where can I explore further about mod_ssl on Apache-2.0.x ? Any link?

I have a detailed chapter online just on that : http://www.apacheworld.org/ty24/

> 2. Where can I download mod_ssl for Apache-2.0.39? (In case, the default ssl module in Apache 2.0.39 is not recommended.)

the one that comes with apache is fine

Cheers
Daniel
mod-ssl for apache 2.0.x - wasn't compiled
Hi There,

[Situation]
I'm trying to compile and run mod-ssl on Apache-2.0.39 but I couldn't find a useful document after searching the web. Thus, I followed the mod-ssl document for Apache-1.3.x but it didn't work.

What I did was:

$ ./configure \
    --with-apache=../apache_1.3.x \
    --with-ssl=../openssl-0.9.x \
    --with-mm=../mm-1.1.x \
    --with-crt=/path/to/your/server.crt \
    --with-key=/path/to/your/server.key \
    --prefix=/path/to/apache \
    --enable-shared=ssl
$ make
$ make install

After the compilation, I couldn't find any mod_ssl.o (openssl's libssl.so was there). I also checked with:

$ httpd -l

but mod_ssl.c was not in the list.

[Questions]
1. Where can I explore further about mod_ssl on Apache-2.0.x ? Any link?
2. Where can I download mod_ssl for Apache-2.0.39? (In case, the default ssl module in Apache 2.0.39 is not recommended.)

Thanks a lot for your time!

Best Regards,
Jirat.
Re: mod-ssl for apache 2.0.x - wasn't compiled
On Mon, Nov 18, 2002 at 02:11:47PM +0800, Xeruz at Hotmail wrote:
> [Questions]
> 1. Where can I explore further about mod_ssl on Apache-2.0.x ? Any link?

httpd.apache.org/docs-2.0/
www.modssl.org/support/ (which has links to the archive of this list).

> 2. Where can I download mod_ssl for Apache-2.0.39? (In case, the default ssl module in Apache 2.0.39 is not recommended.)

You should be using 2.0.43 - but other than that, what comes with apache should be just fine. The options from 1.3 won't work, but running ./configure --help in the 2.0 source tree will give you a list of the options that you need.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: mod-ssl for apache 2.0.x - wasn't compiled
> [Questions]
> 1. Where can I explore further about mod_ssl on Apache-2.0.x ? Any link?

I have a detailed chapter online just on that : http://www.apacheworld.org/ty24/

> 2. Where can I download mod_ssl for Apache-2.0.39? (In case, the default ssl module in Apache 2.0.39 is not recommended.)

the one that comes with apache is fine

Cheers
Daniel
Re: Cryptoswift + Apache 2.0
Hi,

Just got back from travelling and you don't seem to have had a reply to this so here goes.

On Fri, 13 Sep 2002, Estrade Matthieu wrote:
> I am actually running Apache 2.0 with mod_proxy (reverse-proxy) and SSL, on a Linux Redhat 7.2 dual AMD athlon 2Ghz MP with 1GB RAM. I am using an hardware accelerator Rainbow Cryptoswift 600. (for 600 TPS).
>
> When i benchmark the server without the reverse proxy with a local document, i have 560 TPS. When i benchmark the server with reverse proxy, i have 9 TPS... During all the test, the cryptoswift is blinking a little... and my cpu are only 5% loaded...

The obvious suggestion would be that the machine you're reverse proxying to is the reason for the slow-down.

Cheers,
Geoff

--
Geoff Thorpe [EMAIL PROTECTED]
Apache 2.0 OpenSSL error
Hi,

For a few days, I have been stressing my apache 2.0.40 with reverse proxy with a tool named Silkperformer.

I have a really strange error, coming up often on some basic requests: the request is http://web2.test.com/manual/images/pixel.gif

[Wed Sep 18 12:24:04 2002] [error] SSL error on reading data
[Wed Sep 18 12:24:04 2002] [error] SSL Library Error: 336151579 error:1409441B:lib(20):func(148):reason(1051)

I tested httpd-2.0.36 and I have the same error, so I tried with openssl 0.9.6g and 0.9.6d and the error is still here! I tested with apache 1.3.26 and I don't get the error. If I force the client to do HTTP/1.0 on httpd-2.0.36, I still have the errors. If I benchmark with other products, depending on the product, I have or not the error.

I found on google 2 e-mails talking about the same error I have, but it's on apache 1.3 so I don't understand at all.

I will try to find more information about the context of the error.

If someone has an idea,

Matthieu
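The numeric code in the log lines above can be unpacked into its library, function and reason fields. The following is an added example, not part of the original post: it assumes the error layout used by OpenSSL releases before 3.0 and the convention that SSL-library reasons of 1000+N mean TLS alert N was received from the peer. The function names and every log line except the two taken from the post are constructed.

```python
import re
from collections import Counter

# OpenSSL before 3.0 packs an error into 32 bits (ERR_PACK):
#   bits 24-31 = library, bits 12-23 = function, bits 0-11 = reason.
ERR_LIB_SSL = 20
# In the SSL library, reason 1000+N records that the peer sent TLS alert N.
SSL_AD_REASON_OFFSET = 1000

# Alert descriptions from TLS 1.0 (RFC 2246).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow",
    30: "decompression_failure", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation",
}

# Matches the mod_ssl line format shown in the post; the lib/func/reason
# trailer is optional so that shorter variants still parse.
LINE_RE = re.compile(
    r"SSL Library Error: (?P<dec>\d+) error:(?P<hex>[0-9A-Fa-f]{8})"
    r"(?::lib\((?P<lib>\d+)\):func\((?P<func>\d+)\):reason\((?P<reason>\d+)\))?"
)


def decode_error(code):
    """Split a packed OpenSSL (<3.0) error code into its three fields."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and 0 <= reason - SSL_AD_REASON_OFFSET <= 255:
        n = reason - SSL_AD_REASON_OFFSET
        alert = TLS_ALERTS.get(n, "alert_%d" % n)
    return {"lib": lib, "func": func, "reason": reason, "peer_alert": alert}


def parse_line(line):
    """Return the decoded fields for one log line, or None if it has no code."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    code = int(m.group("dec"))
    if code != int(m.group("hex"), 16):
        raise ValueError("decimal and hex codes disagree: %r" % line)
    fields = decode_error(code)
    if m.group("lib") is not None:
        logged = tuple(int(m.group(k)) for k in ("lib", "func", "reason"))
        if logged != (fields["lib"], fields["func"], fields["reason"]):
            raise ValueError("logged fields do not match code: %r" % line)
    return fields


def summarize(lines):
    """Count decoded errors, keyed by peer alert name where there is one."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        key = f["peer_alert"] or "lib%d/reason%d" % (f["lib"], f["reason"])
        counts[key] += 1
    return counts


SAMPLE_LOG = [
    # The two lines quoted in the post.
    "[Wed Sep 18 12:24:04 2002] [error] SSL error on reading data",
    "[Wed Sep 18 12:24:04 2002] [error] SSL Library Error: 336151579 "
    "error:1409441B:lib(20):func(148):reason(1051)",
    # Constructed lines in the same format.
    "[Wed Sep 18 12:24:09 2002] [error] SSL Library Error: 336151579 "
    "error:1409441B:lib(20):func(148):reason(1051)",
    "[Wed Sep 18 12:25:31 2002] [error] SSL Library Error: 336151576 "
    "error:14094418:lib(20):func(148):reason(1048)",
]

if __name__ == "__main__":
    for name, count in summarize(SAMPLE_LOG).most_common():
        print("%-16s %d" % (name, count))
```

For the code in the post this gives library 20 (SSL), function 148, reason 1051, which is alert 51 (decrypt_error) reported by the peer rather than a failure detected locally by the server.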
Cryptoswift + Apache 2.0
Hi,

I am actually running Apache 2.0 with mod_proxy (reverse-proxy) and SSL, on a Linux Redhat 7.2 dual AMD athlon 2Ghz MP with 1GB RAM. I am using a hardware accelerator Rainbow Cryptoswift 600. (for 600 TPS).

When I benchmark the server without the reverse proxy with a local document, I have 560 TPS. When I benchmark the server with reverse proxy, I have 9 TPS... During all the test, the cryptoswift is blinking a little... and my cpu are only 5% loaded...

I tried to install mod_cache and run memory cache... but it seems not well working with the RP.

If someone has the same problem or ideas about mine

Best regards,

Matthieu
Failure to load mod_ssl under NT/apache 2.0
I've been trying to get apache 2.0.39 +modssl to work under winNT. But I am failing at what seems like the first hurdle i.e. I cannot seem to get the apache mod_ssl.so module to load. It comes up with the following:

Cannot load C:/apache2/modules/mod_ssl.so into server: The operating system cannot run %1

Any ideas gratefully received as I cannot see what I have done wrong,

Alex
Technical Manager
Online Learning Support Unit
Middlesex University Business School
[EMAIL PROTECTED]
020 8411 5092
RE: Failure to load mod_ssl under NT/apache 2.0
-- Original Message --
From: Alex Moon [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 17 Jul 2002 11:37:20 +0100

> I've been trying to get apache 2.0.39 +modssl to work under winNT. But I am failing at what seems like the first hurdle i.e. I cannot seem to get the apache mod_ssl.so module to load. It comes up with the following:

with apache 1.3.2* under windows (not cygwin) you had to load .DDL and not .SO
maybe it a way to search

> Cannot load C:/apache2/modules/mod_ssl.so into server: The operating system cannot run %1
>
> Any ideas gratefully received as I cannot see what I have done wrong,
>
> Alex
> Technical Manager
> Online Learning Support Unit
> Middlesex University Business School
> [EMAIL PROTECTED]
> 020 8411 5092
Re: Failure to load mod_ssl under NT/apache 2.0
arcean wrote:
> -- Original Message --
> From: Alex Moon [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date: Wed, 17 Jul 2002 11:37:20 +0100
>
> > I've been trying to get apache 2.0.39 +modssl to work under winNT. But I am failing at what seems like the first hurdle i.e. I cannot seem to get the apache mod_ssl.so module to load. It comes up with the following:
>
> with apache 1.3.2* under windows (not cygwin) you had to load .DDL and not .SO
> maybe it a way to search
>
> > Cannot load C:/apache2/modules/mod_ssl.so into server: The operating system cannot run %1
> >
> > Any ideas gratefully received as I cannot see what I have done wrong,
> >
> > Alex
> > Technical Manager
> > Online Learning Support Unit
> > Middlesex University Business School
> > [EMAIL PROTECTED]
> > 020 8411 5092

I have not done this for several weeks and maybe the distribution has changed, but... mod_ssl.so was not built with Apache 1.0.39 ...you have to build it.

1. place openssl into ?:\httpd-2.0.39\srclib
   ... there are instructions somewhere to follow...
2. follow the instructions in openssl and build it
   ... you need masm7, perl, vc6, etc.
3. build apache ... it finds openssl and builds mod_ssl.so
   ... you need awk, bison, sed and flex (new cygwin)
   ... I had to get newer version of cygwin before it worked, but then the newer perl was a problem.
   ... older perl must be in path before cygwin

After it all comes together you can use

nmake -f makefile.win installr

Then I had trouble making certs...

Try these hints ... I will make more detailed instructions later if needed but I think the newer packages (must) probably work better than what I used ... but I have not checked.

I will have to download new source and try again to know what the situation is and I am sorry but I have to run off to work.

Later, ok?

Chris.
Re: Failure to load mod_ssl under NT/apache 2.0
-- Original Message --
From: hunter [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Wed, 17 Jul 2002 09:22:37 -0400

> arcean wrote:
> > -- Original Message --
> > From: Alex Moon [EMAIL PROTECTED]
> > Reply-To: [EMAIL PROTECTED]
> > Date: Wed, 17 Jul 2002 11:37:20 +0100
> >
> > > I've been trying to get apache 2.0.39 +modssl to work under winNT. But I am failing at what seems like the first hurdle i.e. I cannot seem to get the apache mod_ssl.so module to load. It comes up with the following:
> >
> > with apache 1.3.2* under windows (not cygwin) you had to load .DDL and not .SO
> > maybe it a way to search

[over load snipped ... ]

I said : with apache 1.3.2* under windows (not cygwin) you had to load .DDL
^^^^^
not cygwin, native win32 if you prefer (with DLL)
1.3.2* like 1.3.20 or 1.3.26 ... not 1.0.39 (not sure it exists)

I know my English is bad but with cygwin I never try

> I have not done this for several weeks and maybe the distribution has changed, but... mod_ssl.so was not built with Apache 1.0.39 ...you have to build it.
>
> 1. place openssl into ?:\httpd-2.0.39\srclib
>    ... there are instructions somewhere to follow...
> 2. follow the instructions in openssl and build it
>    ... you need masm7, perl, vc6, etc.
> 3. build apache ... it finds openssl and builds mod_ssl.so
>    ... you need awk, bison, sed and flex (new cygwin)
>    ... I had to get newer version of cygwin before it worked, but then the newer perl was a problem.
>    ... older perl must be in path before cygwin
>
> After it all comes together you can use
>
> nmake -f makefile.win installr
>
> Then I had trouble making certs...
>
> Try these hints ... I will make more detailed instructions later if needed but I think the newer packages (must) probably work better than what I used ... but I have not checked.
>
> I will have to download new source and try again to know what the situation is and I am sorry but I have to run off to work.
>
> Later, ok?
>
> Chris.
Re: Failure to load mod_ssl under NT/apache 2.0
Alex wrote:
> I've been trying to get apache 2.0.39 +modssl to work under winNT. But i am failing at what seems like the first hurdle i.e. i cannot seem to get the apache mod_ssl.so module to load. It comes up with the following:
>
> Cannot load C:/apache2/modules/mod_ssl.so into server: The operating system cannot run %1

Experienced the same prob myself just yesterday. Consider the following checklist:

* Download Apache_1.3.26-Mod_SSL_2.8.10-OpenSSL_0.9.6d-Win32.zip from www.modssl.org/contrib
* Download latest OpenSSL binary for Win32 from same location
* Unzip the apache archive into where you want your Apache to live
* Unzip the OpenSSL archive where you want your OpenSSL to live
* Ensure that your Path (System variable) is set to include the OpenSSL directory (wherever you chose to install it). (You can set the path by hitting Windows and Pause/Break keys, which will bring up the System Properties dialog. Under NT you select Environment tab and then select Path from the list of System Variables, then type to change it). As an additional measure, you may find that copying the .dll files (that are in the same directory as openssl.exe) to WINNT/System32 helps (although setting the path should also achieve the same end result)
* Make sure your httpd.conf includes both the LoadModule and AddModule directives

If I think of anything else, I'll let you know. I can also forward you some troubleshooting emails (provided to me by a colleague) if the above does not help?

Good luck!

Brendan
Re: Failure to load mod_ssl under NT/apache 2.0
arcean wrote: -- Original Message -- From: hunter [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 17 Jul 2002 09:22:37 -0400 arcean wrote: -- Original Message -- From: Alex Moon [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] Date: Wed, 17 Jul 2002 11:37:20 +0100 I've been trying to get apache 2.0.39 +modssl to work under winNT. But i am failing at what seems like the first hurdle i.e. i cannot seem to get the apache mod_ssl.so module to load. It comes up with the following: with apache 1.3.2* under windows (not cygwin) you had to load .DDL and not .SO maybe it a way to search [over load sniped ... ] I said : with apache 1.3.2* under windows (not cygwin) you had to load .DDL ^^^^^ not cygwin, native win32 if you prefer (with DLL) 1.3.2* like 1.3.20 or 1.3.26 ... not 1.0.39 (not sure it existes) i know my english is bad but with cygwin i never try I have not done this for several weeks and maybe the distribution has changed, but... mod_ssl.so was not built with Apache 1.0.39 ...you have to build it. 1. place openssl into ?:\httpd-2.0.39\srclib ... there are instructions somewhere to follow... 2. follow the instructions in openssl and build it ... you need masm7, perl, vc6, etc. 3. build apache ... it finds openssl and builds mod_ssl.so ... you need awk, bison, sed and flex (new cygwin) ... I had to get newer version of cygwin before it worked, but then the newer perl was a problem. ... older perl must be in path before cygwin After it all comes to gether you can use nmake -f makefile.win installr Then I had trouble making certs... Try these hints ... I will make more detailed instructions later if needed but I think the newer packages (must) probably work better than what I used ... but I have not checked. I will have to download new source and try again to know what the situation is and I am sorry but I have to run off to work. Later, ok? Chris. 
I'm sorry I failed to make it clear when I replied - I was in a hurry to get to work.

The compile is with vc6 or vc 7 but some of the cygwin (unix) tools are used and must be available. I don't use cygwin to build Apache or openssl.

If you are still having trouble ... I am going to get the latest source now and see if the build conditions are the same as when I built mine. If they are then I think I can help you ... I worked through similar difficulties already.

Chris.
Re: Failure to load mod_ssl under NT/apache 2.0
I apologize for the sloppiness...

hunter wrote:
> arcean wrote:
> (snip)
> I will have to download new source and try again to know what the situation is and I am sorry but I have to run off to work.
> Later, ok?
> Chris.

I have not located an msi installer for Apache 2.0.39

These are the steps that I followed to build it from source.

1. Download httpd-2.0.39-win32-src.zip
2. Unzip into directory httpd-2.0.39
3. Create directory ?:\httpd-2.0.39\srclib\openssl
4. Extract openssl-0.9.6d.tar.gz
5. Copy the contents of \openssl-0.9.6d to \httpd-2.0.39\srclib\openssl
6. Go to :\httpd-2.0.39\srclib\openssl follow instructions in INSTALL.W32

Below are the results mixed in with the instructions...

Visual C++
--
First should run Configure:

perl Configure VC-WIN32

2002.07.17 21.47.37.13 [I:\httpd-2.0.39\srclib\openssl]perl configure VC-WIN32
Configuring for VC-WIN32
IsWindows=1
CC=cl
CFLAG =-DTHREADS -DDSO_WIN32
EX_LIBS =
BN_ASM=bn_asm.o
DES_ENC =des_enc.o fcrypt_b.o
BF_ENC=bf_enc.o
CAST_ENC =c_enc.o
RC4_ENC =rc4_enc.o
RC5_ENC =rc5_enc.o
MD5_OBJ_ASM =
SHA1_OBJ_ASM =
RMD160_OBJ_ASM=
PROCESSOR =
RANLIB=/usr/bin/ranlib
PERL =/usr/bin/perl
THIRTY_TWO_BIT mode
BN_LLONG mode
RC4_INDEX mode
RC4_CHUNK is undefined
Configured for VC-WIN32.

2002.07.17 21.48.04.99 [I:\httpd-2.0.39\srclib\openssl]

Next you need to build the Makefiles and optionally the assembly language files:

- If you are using MASM then run: ms\do_masm

2002.07.17 21.48.04.99 [I:\httpd-2.0.39\srclib\openssl]ms\do_masm
Generating x86 for MASM assember
Bignum
DES
crypt(3)
Blowfish
CAST5
RC4
MD5
SHA1
RIPEMD160
RC5\32
2002.07.17 21.49.00.49 [I:\httpd-2.0.39\srclib\openssl]perl util\mkfiles.pl 1MINFO
2002.07.17 21.49.00.85 [I:\httpd-2.0.39\srclib\openssl]rem perl util\mk1mf.pl VC-MSDOS no-sock ms\msdos.mak
2002.07.17 21.49.00.85 [I:\httpd-2.0.39\srclib\openssl]rem perl util\mk1mf.pl VC-W31-32 ms\w31.mak
2002.07.17 21.49.00.85 [I:\httpd-2.0.39\srclib\openssl]perl util\mk1mf.pl dll VC-W31-32 1ms\w31dll.mak
unknown option -
2002.07.17 21.49.01.34 [I:\httpd-2.0.39\srclib\openssl]perl util\mk1mf.pl VC-WIN32 1ms\nt.mak
unknown option -
2002.07.17 21.49.01.79 [I:\httpd-2.0.39\srclib\openssl]perl util\mk1mf.pl dll VC-WIN32 1ms\ntdll.mak
unknown option -
2002.07.17 21.49.02.23 [I:\httpd-2.0.39\srclib\openssl]perl util\mkdef.pl 16 libeay 1ms\libeay16.def
2002.07.17 21.49.05.07 [I:\httpd-2.0.39\srclib\openssl]perl util\mkdef.pl 32 libeay 1ms\libeay32.def
2002.07.17 21.49.07.95 [I:\httpd-2.0.39\srclib\openssl]perl util\mkdef.pl 16 ssleay 1ms\ssleay16.def
2002.07.17 21.49.10.64 [I:\httpd-2.0.39\srclib\openssl]perl util\mkdef.pl 32 ssleay 1ms\ssleay32.def
2002.07.17 21.49.13.33 [I:\httpd-2.0.39\srclib\openssl]

- If you are using NASM then run: ms\do_nasm
- If you don't want to use the assembly language files at all then run: ms\do_ms

If you get errors about things not having numbers assigned then check the troubleshooting section: you probably won't be able to compile it as it stands.

Then from the VC++ environment at a prompt do:

nmake -f ms\ntdll.mak

2002.07.17 21.49.13.33 [I:\httpd-2.0.39\srclib\openssl]nmake -f ms\ntdll.mak
Microsoft (R) Program Maintenance Utility Version 6.00.8168.0
Copyright (C) Microsoft Corp 1988-1998. All rights reserved.
' in macroak(239) : fatal error U1001: syntax error : illegal character '
Stop.
2002.07.17 21.50.09.96 [I:\httpd-2.0.39\srclib\openssl]nmake -f ms\ntdll.mak

in macroak(239) : fatal error U1001: syntax error : illegal character

- this is the error you get when you use the new cygwin perl...
...make certain older perl is ahead in path and start over...

2002.07.17 21.57.07.91 [I:\httpd-2.0.39\srclib\openssl]perl configure VC-WIN32
Configuring for VC-WIN32
IsWindows=1
CC=cl
CFLAG =-DTHREADS -DDSO_WIN32
EX_LIBS =
BN_ASM=bn_asm.o
DES_ENC =des_enc.o fcrypt_b.o
BF_ENC=bf_enc.o
CAST_ENC =c_enc.o
RC4_ENC =rc4_enc.o
RC5_ENC =rc5_enc.o
MD5_OBJ_ASM =
SHA1_OBJ_ASM =
RMD160_OBJ_ASM=
PROCESSOR =
RANLIB=true
PERL =perl
THIRTY_TWO_BIT mode
BN_LLONG mode
RC4_INDEX mode
RC4_CHUNK is undefined
Configured for VC-WIN32.
2002.07.17 21.57.54.71 [I:\httpd-2.0.39\srclib\openssl]
2002.07.17 21.57.54.71 [I:\httpd-2.0.39\srclib\openssl]ms\do_masm
Generating x86 for MASM assember
Bignum
DES
crypt(3)
Blowfish
CAST5
RC4
MD5
SHA1
RIPEMD160
RC5\32
2002.07.17 21.58.37.68 [I:\httpd-2.0.39\srclib\openssl]perl util\mkfiles.pl 1MINFO
2002.07.17 21.58.37.86 [I:\httpd-2.0.39\srclib\openssl]rem perl util\mk1mf.pl VC-MSDOS no-sock ms\msdos.mak
2002.07.17 21.58.37.86 [I:\httpd-2.0.39\srclib\openssl]rem perl util\mk1mf.pl VC-W31-32 ms\w31.mak
2002.07.17 21.58.37.86 [I:\httpd-2.0.39\srclib\openssl]perl util\mk1mf.pl dll VC-W31-32 1ms\w31dll.mak
2002.07.17 21.58.38.10
Re: apache 2.0 hates older linux kernels:
> Umm, yers might be considered older in relative terms, but, I'm using a slackware 3.6 version on the box I'm trying to work on, so the kernel is a patched up 2.0.35-6 derivative, older yet than the 7.1 slackware/2.2.16 kernel you are working on there.

You're right. Dunno what made me see/think 2.2.16 as older than 2.0.35

Sorry.

Bye,

B.
Re: apache 2.0 hates older linux kernels:
> uname -a
> Linux darkstar 2.0.35 #4 Mon Dec 14 18:18:57 CST 1998 i586 unknown
>
> and no matter how we configure, apache dies under

SNIP

Just tested it on my old local testbed server.. (not online)

Slackware 7.1.0
Kernel 2.2.16
Apache 2.0.39

Just did the normal configure, make and make install.. now it's running Apache 2..

Uhm.. yeah.. so.. since 2.2.16 qualifies for 'older kernel' ;) something else must be the reason why it failed on your box..

Bye,

B.
Re: apache 2.0 hates older linux kernels:
On Tue, 25 Jun 2002, B. van Ouwerkerk wrote:

> > uname -a
> > Linux darkstar 2.0.35 #4 Mon Dec 14 18:18:57 CST 1998 i586 unknown
> >
> > and no matter how we configure, apache dies under
>
> SNIP
>
> Just tested it on my old local testbed server.. (not online)
> Slackware 7.1.0
> Kernel 2.2.16
> Apache 2.0.39

Umm, yers might be considered older in relative terms, but, I'm using a slackware 3.6 version on the box I'm trying to work on, so the kernel is a patched up 2.0.35-6 derivative, older yet than the 7.1 slackware/2.2.16 kernel you are working on there.

Now, thanks to Cliff w/ apache.org we have gotten farther, but are still a tad short; #define HZ 100 in mod_status and it will at least come closer to compiling.

Cliff,

This comes so close, yet remains so far; the compile looks to complete without any serious errors:

I edit mod_status.c;

/*
#ifdef NEXT
#if (NX_CURRENT_COMPILER_RELEASE == 410)
#ifdef m68k
#define HZ 64
#else
#define HZ 100
#endif
#else
#include <machine/param.h>
#endif
#endif NEXT
*/
#define HZ 100

here is my config statement;

configure --disable-threads --enable-suexec --with-suexec-caller=nobody --with-suexec-uidmin=500 --enable-module=mod_rewrite --enable-module=mod_cgi --enable-module-shared=ssl --with-ssl=/usr/local/ssl --enable-static-rotatelogs --enable-static-logresolve

this gives me a httpd,

httpd -l
Compiled in modules:
  core.c
  mod_access.c
  mod_auth.c
  mod_include.c
  mod_log_config.c
  mod_env.c
  mod_setenvif.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_suexec.c
  mod_cgi.c
  mod_negotiation.c
  mod_dir.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_so.c

should suexec be compiled into the httpd binary itself?

It gives me static binaries under support;

-rwx-- 1 root root 5561 Jun 24 18:37 ab*
-rwx-- 1 root root 5591 Jun 24 18:37 checkgid*
-rwx-- 1 root root 5576 Jun 24 18:37 htdbm*
-rwx-- 1 root root 5591 Jun 24 18:36 htdigest*
-rwx-- 1 root root 5591 Jun 24 18:36 htpasswd*
-rwx-- 1 root root 19875 Jun 24 18:37 logresolve*
-rwx-- 1 root root 272278 Jun 24 18:37 rotatelogs*
-rwx-- 1 root root 24613 Jun 24 18:38 suexec*
-rw--- 1 root root 20595 Jun 24 17:25 apxs

but, under modules/ssl, it looks like it was mostly untouched, no compiled .so is left there, nothing. The only files that appear might have been touched in the process;

-rw--- 1 root root 3371 Jun 24 17:25 Makefile
...
-rw--- 1 root root 51 Jun 24 17:25 modules.mk

Though this may well be the result of the make clean just prior to the last config/make...

So, we're almost there, any clues?

Thanks,

Ron DuFresne
--
~~
admin senior security consultant: sysinfo.com http://sysinfo.com
Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
testing, only testing, and damn good at it too!
apache 2.0 hates older linux kernels:
uname -a
Linux darkstar 2.0.35 #4 Mon Dec 14 18:18:57 CST 1998 i586 unknown

and no matter how we configure, apache dies under:

/bin/sh /mnt/src/httpd-2.0.39/srclib/apr/libtool --silent --mode=compile gcc -g -O2-DLINUX=2 -D_REENTRANT -DAP_HAVE_DESIGNATED_INITIALIZER -I/mnt/src/httpd-2.0.39/srclib/apr/include -I/mnt/src/httpd-2.0.39/srclib/apr-util/include -I/mnt/src/httpd-2.0.39/srclib/apr-util/xml/expat/lib -I. -I/mnt/src/httpd-2.0.39/os/unix -I/mnt/src/httpd-2.0.39/server/mpm/prefork -I/mnt/src/httpd-2.0.39/modules/http -I/mnt/src/httpd-2.0.39/modules/filters -I/mnt/src/httpd-2.0.39/modules/proxy -I/mnt/src/httpd-2.0.39/include -I/mnt/src/httpd-2.0.39/modules/dav/main -prefer-non-pic -static -c mod_status.c touch mod_status.lo
mod_status.c: In function `status_handler':
mod_status.c:270: `HZ' undeclared (first use this function)
mod_status.c:270: (Each undeclared identifier is reported only once
mod_status.c:270: for each function it appears in.)
make[3]: *** [mod_status.lo] Error 1
make[3]: Leaving directory `/mnt/src/httpd-2.0.39/modules/generators'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/mnt/src/httpd-2.0.39/modules/generators'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/mnt/src/httpd-2.0.39/modules'
make: *** [all-recursive] Error 1

Thanks,

Ron DuFresne
http https on apache 2.0
I have configured my httpd.conf ssl.conf file also but probably I am not doing something right as my site is not opening as required.

My Q is: How do I configure my http.conf ssl.conf in apache 2.0 if

- I have one page which has to be http
- I have the second page which has to be https with sslverifyclient none
- I have a third page which is https with sslverifyclient require

Regards
Sonu
Re: important - virtual hosts for apache 2.0
Thanx Andrew for a quick response.

I am in a mess ... this project landed in my lap just 8 days back when I knew nothing about apache's httpd.conf or PKI or openssl etc etc.. But today I feel so much more aware.

[http page]
The problem is in our intranet site we have first page which has to be a http page where the new user sends a request for certificate to my CA.

[https Page - SSLVerifyClient none]
The second page is where the new user is asked to provide user id PEM pass phrase to generate a certificate

[http page - SSLVerifyClient require]
The third page where all registered users fill their user id password and use the intranet application.

Now I need to create three virtual hosts in [httpd.conf file] [ssl.conf file]. How do I configure the two files for the same?

1. where do I put the virtual host details for http page
2. where do I put the virtual host details for https page SSLVerifyClient none
3. where do I put the virtual host details for https page SSLVerifyClient require

Please suggest.

Regards
Sonu.

--- Andrew Lietzow [EMAIL PROTECTED] wrote:

> Dear Sonu,
>
> RE: I have configured my httpd.conf ssl.conf file also but probably I am not doing something right as my site is not opening as required.
>
> ...and...
>
> RE: I have one page which has to be http I have the second page which has to be https with sslverifyclient none I have a third page which is https with sslverifyclient require I have read that i will require IP base virtual hosts.
>
> ...and...
>
> RE: I want to use apache 2.0 how do I configure it with mod_ssl openssl.
>
> Okay, now that you have shared the background, what exactly is happening? I guess the reason I was (on Saturday) curious as to whether you have followed guides available from Apache, openssl, and mod_ssl is because FOR ME, the Apache 2.0.35 system configured very quickly to provide a secure server, without hardly a whimper. Download the tarball, run configure, generate the key, csr, and crt, and voila, secure server is up and running.
>
> This does not, however, address your last configuration, with sslverifyclient = require. That I have not tried. However, if you can provide the scenario for your error or perceived dysfunctionality of the system, then possibly someone can help you quickly move forward. I doubt that it is I, but send more information and I'll be glad to help if I can. Most here will do the same, or so I believe, or they probably wouldn't continue to subscribe.
>
> Take some time to thoroughly clearly describe the error or the problem and you may get some very quick help.
>
> Good Luck!
>
> Andrew Lietzow
> The ACL Group, Inc.
Re: important - virtual hosts for apache 2.0
Hello Sonu,

RE: 1. where do i put the virtual host details for http page

In the virtual host directive section of your httpd.conf file. Is this working? If not, what about it does not work? Once you have the Secure ServerName, and DocumentRoot for the MAIN server set, does the main server come up okay? If not, you will probably have trouble making the virtual host work.

RE: 2. where do i put the virtual host details for https page SSLVerifyClient none

This you put in the ssl.conf file. Since Apache 2.0.35 already is mod_ssl aware, all you should need to do is something like:

    Listen 443
    <VirtualHost _default_:443>
    DocumentRoot /var/www/secure.server.com/
    ServerName secure.server.com:443
    </VirtualHost>

If you don't require the SSLClient to verify, then you shouldn't have to set up anything because the web server software should just handle your secure communications. There are a few other settings that need to be set to read your certificate files, but this should get you to the point of users being able to connect to the https server. And, you said that you had all of the files created so I would imagine that you can see how the default is set. You would change those settings to point to YOUR CRT and KEY files instead. Again, do you have a specific error message? What does your access_log say on that server?

RE: 3. where do i put the virtual host details for https page SSLVerifyClient

Make sure the SSLVerifyClient require statement is uncommented in the ssl.conf file. I did this and immediately, my secure server requests a certificate from my client. I think you can then pick the client cert you want to use from a list, if the client has one. (I don't have one in my client as I have never had a need for one). The best info I had on this was from a message by Owen Boyle with a subject line of Creating Client Certificates. If you can't find it, I'll forward a copy to you...

RE: now I need to create three virtual hosts

One at 80, one at 443, and one at 8443? Wouldn't this work?

Good luck. I'm going to have to bow out because I would be the blind leading the blind. Hopefully I haven't steered you too far off track. :-)

Andrew Lietzow
The ACL Group, Inc.

----- Original Message -----
From: Sonu Kishore [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, April 22, 2002 11:44 AM
Subject: Re: important - virtual hosts for apache 2.0

Thanx Andrew for a quick response.

I am in a mess ... this project landed in my lap just 8 days back when I knew nothing about apache's httpd.conf or PKI or openssl etc etc.. But today I feel so much more aware.

[http page]
The problem is in our intranet site we have first page which has to be a http page where the new user sends a request for certificate to my CA.

[https Page - SSLVerifyClient none]
The second page is where the new user is asked to provide user id PEM pass phrase to generate a certificate

[http page - SSLVerifyClient require]
The third page where all registered users fill their user id password and use the intranet application.

Now I need to create three virtual hosts in [httpd.conf file] [ssl.conf file]. How do I configure the two files for the same?

1. where do i put the virtual host details for http page
2. where do i put the virtual host details for https page SSLVerifyClient none
3. where do i put the virtual host details for https page SSLVerifyClient require

Please suggest.

Regards
Sonu.

--- Andrew Lietzow [EMAIL PROTECTED] wrote:

> Dear Sonu,
>
> RE: I have configured my httpd.conf ssl.conf file also but probably I am not doing something right as my site is not opening as required.
> ...and...
> RE: I have one page which has to be http
> I have the second page which has to be https with sslverifyclient none
> I have a third page which is https with sslverifyclient require
> I have read that i will require IP base virtual hosts.
> ...and...
> RE: I want to use apache 2.0 how do I configure it with mod_ssl openssl.
>
> Okay, now that you have shared the background, what exactly is happening? I guess the reason I was (on Saturday) curious as to whether you have followed guides available from Apache, openssl, and mod_ssl is because FOR ME, the Apache 2.0.35 system configured very quickly to provide a secure server, without hardly a whimper. Download the tarball, run configure, generate the key, csr, and crt, and voila, secure server is up and running.
>
> This does not, however, address your last configuration, with sslverifyclient = require. That I have not tried. However, if you can provide the scenario for your error or perceived dysfunctionality of the system, then possibly someone can help you quickly move forward. I doubt that it is I, but send more information and I'll be glad to help if I can. Most here will do the same, or so I believe, or they probably wouldn't continue to subscribe. Take
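An added example, not part of the thread or of Apache itself: a small Python check for the layout discussed above (plain HTTP on 80, HTTPS with `SSLVerifyClient none` on 443, HTTPS with `SSLVerifyClient require` on 8443). The host name, document roots and the `ca.crt` path in the embedded sample are constructed, and `parse` and `lint` are names chosen here.

```python
import re

# Constructed sample (not from the thread). Certificate paths follow the
# /usr/local/apache2/conf layout used elsewhere on this page; the host name,
# document roots and ca.crt are hypothetical.
SAMPLE_CONF = """\
Listen 80
Listen 443
Listen 8443

<VirtualHost *:80>
    ServerName intranet.example.test
    DocumentRoot /var/www/request
</VirtualHost>

<VirtualHost _default_:443>
    ServerName intranet.example.test:443
    DocumentRoot /var/www/enroll
    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
    SSLVerifyClient none
</VirtualHost>

<VirtualHost _default_:8443>
    ServerName intranet.example.test:8443
    DocumentRoot /var/www/app
    SSLEngine on
    SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca.crt
</VirtualHost>
"""

# The same file with two mistakes: the 8443 listener is gone and the
# client-certificate vhost no longer names a CA to verify against.
BROKEN_CONF = (SAMPLE_CONF
               .replace("Listen 8443\n", "")
               .replace("    SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca.crt\n", ""))


def _port(addr):
    """Port of '443', '*:443', '10.0.0.1:443' or '[::1]:443'; None if absent."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None


def parse(conf_text):
    """Return (listen_ports, vhosts); a vhost is {'ports': set, 'directives': dict}."""
    listen, vhosts, current = set(), [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            ports = {_port(a) for a in opened.group(1).split()} - {None}
            current = {"ports": ports, "directives": {}}
            vhosts.append(current)
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif line.startswith("<"):
            continue  # <IfDefine>, <Directory>, <Files> are treated as transparent
        else:
            parts = line.split(None, 1)
            name, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
            if name == "listen":
                port = _port(value.split()[0]) if value else None
                if port is not None:
                    listen.add(port)
            elif current is not None:
                current["directives"][name] = value
    return listen, vhosts


def lint(conf_text, tls_ports):
    """Return findings, given the ports the operator intends to serve over TLS."""
    listen, vhosts = parse(conf_text)
    findings = []
    for port in sorted(tls_ports):
        if not any(port in v["ports"]
                   and v["directives"].get("sslengine", "").lower() == "on"
                   for v in vhosts):
            findings.append(f"port {port}: no VirtualHost with SSLEngine on")
    for v in vhosts:
        d = v["directives"]
        where = "vhost " + ",".join(map(str, sorted(v["ports"])))
        tls = d.get("sslengine", "").lower() == "on"
        if tls:
            for need in ("sslcertificatefile", "sslcertificatekeyfile"):
                if need not in d:
                    findings.append(f"{where}: SSLEngine on but {need} is not set")
        if d.get("sslverifyclient", "none").lower() != "none":
            if not tls:
                findings.append(f"{where}: SSLVerifyClient set but SSLEngine is not on")
            if not ({"sslcacertificatefile", "sslcacertificatepath"} & d.keys()):
                findings.append(f"{where}: SSLVerifyClient set without a CA to verify against")
        for port in sorted(v["ports"] - listen):
            findings.append(f"{where}: no Listen directive for port {port}")
    return findings
```

Directives inside `<Directory>` or `<Files>` are attributed to the enclosing vhost, so a per-directory `SSLVerifyClient` is reported at vhost level.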
Re: modssl for Apache 2.0
Cliff,

Found it. Problem was mod_ssl didn't get built/installed by VS so I had no module to load. Somehow I got the idea it was now integrated as opposed to a module. I wasn't too clear headed at 10:00 pm when I wrote the initial post.

Thanks
Chuck

----- Original Message -----
From: Cliff Woolley [EMAIL PROTECTED]
To: modssl [EMAIL PROTECTED]
Sent: Wednesday, April 10, 2002 10:05 PM
Subject: Re: modssl for Apache 2.0

On Wed, 10 Apr 2002, Chuck Goehring wrote:

> I see all the activity on the list about Apache 2.0 and modssl. Where can I get the necessary stuff for Apache 2.0. I don't see it on the modssl, openssl or Apache web sites. I need to get ssl up on Apache on Windows 2000.

mod_ssl now comes bundled with Apache 2.0. Just download the .zip or the .msi from http://www.apache.org/dist/httpd/ and openssl from http://www.openssl.org/ if you don't already have it and that's all you need.

--Cliff

--
Cliff Woolley [EMAIL PROTECTED]
Apache HTTP Server Project
RE: modssl for Apache 2.0
Lookin at it now. So, are compile directives pretty much the same, as for pointing at the ssl source and mm source trees? The docs are not as clear on this as Ralf has them in the mod-ssl structures smile.

Thanks,

Ron DuFresne

On Thu, 11 Apr 2002, Cliff Woolley wrote:

> On Thu, 11 Apr 2002, R. DuFresne wrote:
>
>> When is apache 2.0 coming out of beta and into primetime?
>
> How did you manage to miss the party? :) It went GA last week with the release of 2.0.35.
>
> --Cliff

--
admin senior security consultant: sysinfo.com
http://sysinfo.com

Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation.
-- Johnny Hart

testing, only testing, and damn good at it too!
Apache 2.0 and mod_ssl compile problem.
I have had a few problems when compiling Apache 2.0.35 with mod_ssl. My first error was no yacc - I found the line in the modules/ssl/Makefile and changed it for bison, I have tried options --fixed-output-files and --yacc, but it seems the y.tab.h file is not produced. However I have also noted that the Makefile contains the line just before the yacc statement:

    #
    # developer stuff
    # (we really don't expect end users to use these targets!)
    #

So I am wondering if these files are supposed to be there or not. Removing the y.tab.h file from the sed allows the compile to continue.

Here's one of the outputs I have had:

    bison --yacc /usr/local/build/apache20/httpd-2.0.35/modules/ssl/ssl_expr_parse.y
    sed -e 's;yy;ssl_expr_yy;g' \
        -e '/#if defined(c_plusplus) || defined(__cplusplus)/,/#endif/d' \
        y.tab.c ssl_expr_parse.c rm -f y.tab.c
    sed -e 's;yy;ssl_expr_yy;g' \
        y.tab.h ssl_expr_parse.h rm -f y.tab.h
    /bin/sh: y.tab.h: cannot open
    make[3]: *** [ssl_expr_parse.h] Error 1
    make[3]: Leaving directory `/usr/local/build/apache20/httpd-2.0.35/modules/ssl'
    make[2]: *** [all-recursive] Error 1
    make[2]: Leaving directory `/usr/local/build/apache20/httpd-2.0.35/modules/ssl'
    make[1]: *** [all-recursive] Error 1
    make[1]: Leaving directory `/usr/local/build/apache20/httpd-2.0.35/modules'
    make: *** [all-recursive] Error 1

Can anyone shed light on this?

Thanks for your help,

Neil.

--
Neil Marjoram.
Unix System Manager,
Victoria and Albert Museum,
Cromwell Road,
London.
RE: modssl for Apache 2.0
On Thu, 11 Apr 2002, R. DuFresne wrote:

> Lookin at it now. So, are compile directives pretty much the same, as for pointing at the ssl source and mm source trees? The docs are not as clear on this as Ralf has them in the mod-ssl structures smile.

Look at ./configure --help for starters. Hint --with-ssl=DIR is probably what you're looking for. Oh, and Apache 2.0's mod_ssl doesn't use mm anymore... it uses the shared memory support that's built in to APR.

--Cliff
RE: modssl for Apache 2.0
On Thu, 11 Apr 2002, R. DuFresne wrote:

> I've found this, do I point at the openssl dir I have the all the sub dirs and bins installed in, or to the source tree they were compiled from?

The install dir's prefix. So, for example, if your OpenSSL is in /usr/lib and /usr/include/openssl, then you'd use --with-ssl=/usr

PS: warning, danger Will Robinson: I heard a rumor that if you link to a static OpenSSL (ie, libssl.a and libcrypto.a) instead of a shared one (libssl.so and libcrypto.so) and you use mod_ssl as a DSO, then it breaks. If you get errors along the lines of unresolved symbols such as X509_INFO_free, this is probably what's going on. Watch out for that!

--Cliff
Apache 2.0.* and SSL success
Hello all.

OK. I think I have a solution for base-line Apache-2.0.35 +mod_ssl +openssl-0.9.6c. So far, I've rebuilt my RedHat 7.2 test server three times and followed this checklist with success.

Assumptions:
  Openssl and httpd tar balls are located in /download directory
  You untar the tar balls under the /usr/src directory.

PROGRAMMING LANGUAGES (you need these before anything else)
  cpp
  gcc
  byacc
  flex
  patch

OPENSSL-0.9.6c
  cd openssl-0.9.6c
  ./config
  make
  make test
  make install

HTTPD-2.0.35
  cd ../httpd-2.0.35
  ./configure --enable-module=most --enable-ssl --with-ssl=/usr/local/ssl
  make
  make install

MAKE CERTIFICATE
  cp /usr/local/ssl/bin/openssl /usr/local/apache2/bin
  cd /usr/local/apache2/bin
  ./openssl genrsa -des3 1024 > server.key
    (Enter Passphrase)
  chmod 400 server.key
  ./openssl req -new -key server.key -out server.csr
  ./openssl req -x509 -key server.key -in server.csr -out server.crt
  mkdir /usr/local/apache2/conf/ssl.key
  mkdir /usr/local/apache2/conf/ssl.crt
  mv server.crt /usr/local/apache2/conf/ssl.crt
  mv server.key /usr/local/apache2/conf/ssl.key

TEST APACHE INSTALLATION
  cp /usr/local/apache2/bin/apachectl /usr/bin

  UNSECURE TEST
    apachectl start
    go to test URL
    reload to test (don't use cached files)
    apachectl stop
    reload to test (should error out)

  SECURE TEST
    apachectl startssl
    reload to test unsecure site (should be OK)
    go to test https URL
    reload to test secure site (should complain about the self-signed certificate)
    apachectl stop
    reload to test (should error out)

HIH!

Steve Gonzales
Louisiana State University
[EMAIL PROTECTED]
Division of Engineering Services
225.578.6069 (v)
3216G CEBA
225.578.5990 (f)
Baton Rouge, LA 70803
Re: modssl for Apache 2.0
George,

It wasn't really my decision to go with Windows. There are many Unix-phobics out there. Have peculiar combination of requirements that causes the need for ssl - Not doing e-commerce.

Chuck

----- Original Message -----
From: George Walsh [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 10, 2002 10:07 PM
Subject: RE: modssl for Apache 2.0

Chuck:

With Apache 2.0, mod_ssl is a part of the 'whole'. The build is a far simpler process, and the server, at least in my experience, is much crisper in terms of response.

As for windows, that is NOT my cup of tea. We are a Micro-soft Free zone here, so I cannot comment on the peculiarities you might experience in your environment. I really do not know why you would want to run a secure server on top of a windows box, but then I admit to a happy ignorance about it, at least :-)

George

> I see all the activity on the list about Apache 2.0 and modssl. Where can I get the necessary stuff for Apache 2.0. I don't see it on the modssl, openssl or Apache web sites. I need to get ssl up on Apache on Windows 2000.
>
> Chuck

--
George Walsh, Managing Director,
CruiseRoutes Division, DSC Directional Services Corp
Courtenay, British Columbia, Canada
RE: Re: modssl for Apache 2.0
I stand upbraided for my open software bigotry.

Actually, Chuck, apologies are in order because I was going through a heavy mailing for SuSE users where there has been discussion about Apache 2. with mod_ssl. I (rather carelessly) did not notice the source of your mailing.

My sincere apologies, and the very best of luck with your project.

George

Chuck Goehring [EMAIL PROTECTED] wrote:

> George,
>
> It wasn't really my decision to go with Windows. There are many Unix-phobics out there. Have peculiar combination of requirements that causes the need for ssl - Not doing e-commerce.
>
> Chuck
>
> ----- Original Message -----
> From: George Walsh [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Wednesday, April 10, 2002 10:07 PM
> Subject: RE: modssl for Apache 2.0
>
> Chuck:
>
> With Apache 2.0, mod_ssl is a part of the 'whole'. The build is a far simpler process, and the server, at least in my experience, is much crisper in terms of response.
>
> As for windows, that is NOT my cup of tea. We are a Micro-soft Free zone here, so I cannot comment on the peculiarities you might experience in your environment. I really do not know why you would want to run a secure server on top of a windows box, but then I admit to a happy ignorance about it, at least :-)
>
> George
>
>> I see all the activity on the list about Apache 2.0 and modssl. Where can I get the necessary stuff for Apache 2.0. I don't see it on the modssl, openssl or Apache web sites. I need to get ssl up on Apache on Windows 2000.
>>
>> Chuck

--
George Walsh, Managing Director,
CruiseRoutes Division, DSC Directional Services Corp
Courtenay, British Columbia, Canada
RE: Apache 2.0.* and SSL
An addendum to the second test (Apache 2.0.35 with SSL, on HP UX 11.0, no attempt to use cryptographic accelerator): I found that I can connect to this Web server with IE or Netscape, but attempting to connect with swamp 1.1.0 (using the -connect parameter and no others) results in the same error message as I got from my own application and from OpenSSL's s_client.

Lynn Gazis

-----Original Message-----
From: Lynn Gazis [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 4:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Apache 2.0.* and SSL

OK, I've tested it, and so far it isn't working for me. Here are my tests:

1) Attempt to configure, on an HP UX 11.0 system, to use SSL with a cryptographic accelerator card:

Set up Apache 1.3.23, on this same system, and confirmed that it ran and successfully accessed the CryptoSwift card.

    configure --enable-ssl --with-ssl=/home/lgazis/openssl-engine-0.9.6c --prefix=/home/lgazis/apache2 --enable-rule=SSL_EXPERIMENTAL

Had to create lib directory under openssl-engine-0.9.6c and copy libraries there, since they seemed to be expected there rather than at the top level.

First problem: http://httpd.apache.org/docs-2.0/install.html makes no mention of actually installing a certificate, and make certificate appears to no longer be the correct thing to do. Worked around this by copying conf/ssl.crt and conf/ssl.key from Apache 1.3.23 installation to Apache 2.0.35 installation.

Edited httpd.conf, set ServerName to pamela, User to www, Group to nobody, Listen to my IP address and port. Edited ssl.conf and set Listen to my IP address and port, and added SSLCryptoDevice cswift.

Attempted a bin/apachectl startssl, and got the error:

    Invalid command 'SSLCryptoDevice'

Evidently something has changed, since Apache 1.3, about how to make the cryptographic accelerators in the OpenSSL engine code work.

2) Test, on HP UX 11.0 system, attempting to use SSL and no cryptographic accelerator.

Got rid of the SSLCryptoDevice line, and tested to see whether I could make Apache 2.0 work with SSL with no accelerator. This also failed; the server started, but when I generated traffic, none of my handshakes succeeded, and my error log showed lots of

    [error] [client 10.10.37.185] Invalid method in request k.

Tried a test with OpenSSL's s_client, instead of my own test program, generating the traffic. Ran s_client with the -connect option, and no others. Got the error:

    warning, not much extra random data, consider using the -rand option
    CONNECTED(0003)
    905:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460

Attempts to specify with ssl3 or tls1 also failed to connect, though with a different error.

3) Attempted to build Apache 2.0 on Solaris 7:

Configured with same options as on the HP system, but my make failed with an undefined symbol sk_new_null.

Either this isn't working properly, or I am missing some key information about how I am supposed to be setting this up. I've been building and running various versions of Apache 1.3 on these same systems with no difficulty.

Lynn Gazis

-----Original Message-----
From: Cliff Woolley [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 8:03 AM
To: [EMAIL PROTECTED]
Subject: Re: Apache 2.0.* and SSL

On Tue, 9 Apr 2002, Mads Toftum wrote:

> I too could add a whole lot of reasons to not migrate if you're doing SSL. Up to about a week before Apache went GA, there were substantial commits to SSL code which to me makes it an essentially untested module.

While I can't wholly disagree with you, I will point out that the only way we can ever really consider SSL tried and true is if the people _from_this_group_ test it extensively and help us find the problems with it. Your participation is vital... really!

Thanks all,
Cliff

--
Cliff Woolley [EMAIL PROTECTED]
Apache HTTP Server Project
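An added example, not from the thread: a Python sketch that classifies the first bytes each side put on the wire, for the symptom pair reported in test 2 (server logs "Invalid method in request", client reports "unknown protocol"). It assumes one common cause of that pair, a TLS client reaching a listener that answers in plain HTTP; the thread does not establish the cause on the systems described, and all byte strings below are constructed.

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"TRACE ")

# Constructed samples, truncated after their fixed headers.
SSLV2_HELLO = b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00\x10"       # v2-format hello offering TLS 1.0
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"  # handshake record, ClientHello
TLS_SERVER_HELLO = b"\x16\x03\x01\x00\x4a\x02\x00\x00\x46\x03\x01"  # handshake record, ServerHello
PLAIN_ERROR_PAGE = (b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
                    b"<html><head>\n<title>501 Method Not Implemented</title>")


def classify(data):
    """Name the protocol suggested by the first bytes one side sent."""
    # TLS/SSLv3 record: content type 20..23, major version 3, 16-bit length.
    if len(data) >= 5 and data[0] in (20, 21, 22, 23) and data[1] == 3:
        (length,) = struct.unpack(">H", data[3:5])
        if 0 < length <= 2**14 + 2048:
            return "tls-record"
    # SSLv2-format hello: high bit set in the 2-byte header, message type 1
    # (CLIENT-HELLO), then version 0x0002 or 0x03xx.
    if (len(data) >= 5 and data[0] & 0x80 and data[2] == 1
            and (data[3] == 3 or data[3:5] == b"\x00\x02")):
        return "sslv2-hello"
    if data.startswith(b"HTTP/"):
        return "http-response"
    if data.startswith(HTTP_METHODS):
        return "http-request"
    if data.lstrip()[:1] == b"<":
        return "html-body"  # error page sent without a status line
    return "unknown"


def diagnose(client_sent, server_replied):
    """Combine both directions into one verdict about the listener."""
    c, s = classify(client_sent), classify(server_replied)
    client_tls = c in ("tls-record", "sslv2-hello")
    server_plain = s in ("http-response", "html-body")
    if client_tls and server_plain:
        # The HTTP parser read handshake bytes as a request line, and the
        # client could not parse the plaintext answer as a ServerHello.
        return "tls-client-to-plain-http-listener"
    if client_tls and s == "tls-record":
        return "tls-both-sides"
    if c == "http-request" and server_plain:
        return "plain-http-both-sides"
    return "undetermined"
```

A verdict of `tls-client-to-plain-http-listener` points at the server configuration for that address and port (is SSL enabled for the vhost that actually answers there) rather than at certificates or ciphers.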
modssl for Apache 2.0
I see all the activity on the list about Apache 2.0 and modssl. Where can I get the necessary "stuff" for Apache 2.0. I don't see it on the modssl, openssl or Apache web sites. I need to get ssl up on Apache on Windows 2000. Chuck
Re: modssl for Apache 2.0
On Wed, 10 Apr 2002, Chuck Goehring wrote:

> I see all the activity on the list about Apache 2.0 and modssl. Where can I get the necessary stuff for Apache 2.0. I don't see it on the modssl, openssl or Apache web sites. I need to get ssl up on Apache on Windows 2000.

mod_ssl now comes bundled with Apache 2.0. Just download the .zip or the .msi from http://www.apache.org/dist/httpd/ and openssl from http://www.openssl.org/ if you don't already have it and that's all you need.

--Cliff

--
Cliff Woolley [EMAIL PROTECTED]
Apache HTTP Server Project
RE: modssl for Apache 2.0
Chuck:

With Apache 2.0, mod_ssl is a part of the 'whole'. The build is a far simpler process, and the server, at least in my experience, is much crisper in terms of response.

As for windows, that is NOT my cup of tea. We are a Micro-soft Free zone here, so I cannot comment on the peculiarities you might experience in your environment. I really do not know why you would want to run a secure server on top of a windows box, but then I admit to a happy ignorance about it, at least :-)

George

> I see all the activity on the list about Apache 2.0 and modssl. Where can I get the necessary stuff for Apache 2.0. I don't see it on the modssl, openssl or Apache web sites. I need to get ssl up on Apache on Windows 2000.
>
> Chuck

--
George Walsh, Managing Director,
CruiseRoutes Division, DSC Directional Services Corp
Courtenay, British Columbia, Canada
RE: modssl for Apache 2.0
When is apache 2.0 coming out of beta and into primetime?

Thanks,

Ron DuFresne

On Thu, 11 Apr 2002, George Walsh wrote:

> Chuck:
>
> With Apache 2.0, mod_ssl is a part of the 'whole'. The build is a far simpler process, and the server, at least in my experience, is much crisper in terms of response.
>
> As for windows, that is NOT my cup of tea. We are a Micro-soft Free zone here, so I cannot comment on the peculiarities you might experience in your environment. I really do not know why you would want to run a secure server on top of a windows box, but then I admit to a happy ignorance about it, at least :-)
>
> George
>
>> I see all the activity on the list about Apache 2.0 and modssl. Where can I get the necessary stuff for Apache 2.0. I don't see it on the modssl, openssl or Apache web sites. I need to get ssl up on Apache on Windows 2000.
>>
>> Chuck

--
admin senior security consultant: sysinfo.com
http://sysinfo.com

Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation.
-- Johnny Hart

testing, only testing, and damn good at it too!
RE: modssl for Apache 2.0
On Thu, 11 Apr 2002, George Walsh wrote:

> As for windows, that is NOT my cup of tea. We are a Micro-soft Free zone here, so I cannot comment on the peculiarities you might experience in your environment. I really do not know why you would want to run a secure server on top of a windows box, but then I admit to a happy ignorance about it, at least :-)

FWIW, in 2.0, the Win32 port of Apache is just as solid and performant as the Unix port. (Of course, it is intended for WinNT, 2k, and XP, not the consumer-level ones (95, 98, and ME)...)

--Cliff

--
Cliff Woolley [EMAIL PROTECTED]
Apache HTTP Server Project
RE: modssl for Apache 2.0
On Thu, 11 Apr 2002, R. DuFresne wrote:

> When is apache 2.0 coming out of beta and into primetime?

How did you manage to miss the party? :) It went GA last week with the release of 2.0.35.

--Cliff
Re: modssl for Apache 2.0
R. DuFresne wrote:

> When is apache 2.0 coming out of beta and into primetime?

April 6, 2002.

--
Eli Marmor
[EMAIL PROTECTED]
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
Tel.: +972-9-766-1020      8 Yad-Harutzim St.
Fax.: +972-9-766-1314      P.O.B. 7004
Mobile: +972-50-23-7338    Kfar-Saba 44641, Israel
Re: Apache 2.0.* and SSL
On Tue, Apr 09, 2002 at 01:18:29AM +0300, Eli Marmor wrote:

> Anyway, the fact is that all of the discussions regarding 2.0 are done in the new-httpd list, and not here (at least till this thread). So it is clear that something must be done. Maybe a request to new-httpd subscribers to move the SSL discussions to here?

User discussion/support was never welcome on new-httpd, so I'm sure that at least the user part of modssl discussions won't stay there.

vh

Mads Toftum
--
With a rubber duck, one's never alone. -- The Hitchhiker's Guide to the Galaxy
Re: Apache 2.0.* and SSL
On Mon, Apr 08, 2002 at 11:49:37AM -0700, Lynn Gazis wrote:

> What options are needed to configure, with Apache 2.0, to make sure that mod_ssl is enabled, and that a particular OpenSSL directory is used? I tried guessing at the right options, but a look at the httpd.conf file in the resulting installation suggests that I guessed wrong.

The relevant stuff is:

    --enable-ssl        SSL/TLS support (mod_ssl)
    --with-ssl=DIR      SSL/TLS toolkit (OpenSSL)

(you can get a list of options with ./configure --help)

vh

Mads Toftum
--
With a rubber duck, one's never alone. -- The Hitchhiker's Guide to the Galaxy
Re: Apache 2.0.* and SSL
On Mon, Apr 08, 2002 at 04:34:12PM -0400, Cliff Woolley wrote:

> On Mon, 8 Apr 2002, Eli Marmor wrote:
>
>> I think that we should open a special mailing list for mod_ssl of Apache2.
>
> My personal opinion would be that most modssl users' questions will be of the same nature regardless of version. The kinds of questions we get here:

I agree.

vh

Mads Toftum
--
With a rubber duck, one's never alone. -- The Hitchhiker's Guide to the Galaxy
Re: Apache 2.0.* and SSL
On Tue, Apr 09, 2002 at 12:52:26PM +1200, Geoff Thorpe wrote:

> I would respectfully suggest that modssl discussions stay here. I don't want to rag on Apache 2.0, and I'm sure a lot of good things have found their way into it, but it does not solve a number of issues that I think many people in production environments would require to push them into a pro-active decision to migrate. Likewise, it introduces an entirely new base of code with considerably less real-world mileage than the Apache 1.3.** base, so there's a non-trivial motivation to *not* migrate unless absolutely necessary.

I too could add a whole lot of reasons to not migrate if you're doing SSL. Up to about a week before Apache went GA, there were substantial commits to SSL code which to me makes it an essentially untested module. MAJOR CHANGES lists a substantial number of things that IMHO needs a load of testing and ideally also some code review. A look at the readme file also shows a substantial number of TODOs. modules/ssl/README is worth a look for anyone thinking about a migration.

vh

Mads Toftum
--
With a rubber duck, one's never alone. -- The Hitchhiker's Guide to the Galaxy
Re: Apache 2.0.* and SSL
On Tue, 9 Apr 2002, Mads Toftum wrote:

> I too could add a whole lot of reasons to not migrate if you're doing SSL. Up to about a week before Apache went GA, there were substantial commits to SSL code which to me makes it an essentially untested module.

While I can't wholly disagree with you, I will point out that the only way we can ever really consider SSL tried and true is if the people _from_this_group_ test it extensively and help us find the problems with it. Your participation is vital... really!

Thanks all,
Cliff

--
Cliff Woolley [EMAIL PROTECTED]
Apache HTTP Server Project
Re: Apache 2.0.* and SSL
Cliff Woolley wrote:

> On Tue, 9 Apr 2002, Mads Toftum wrote:
>
>> I too could add a whole lot of reasons to not migrate if you're doing SSL. Up to about a week before Apache went GA, there were substantial commits to SSL code which to me makes it an essentially untested module.
>
> While I can't wholly disagree with you, I will point out that the only way we can ever really consider SSL tried and true is if the people _from_this_group_ test it extensively and help us find the problems with it. Your participation is vital... really!

This, exactly, was one of my intentions when I opened this thread.

BTW: Great article about 2.0, Cliff! (IIRC, it was Linux Magazine).

--
Eli Marmor
[EMAIL PROTECTED]
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
Tel.: +972-9-766-1020      8 Yad-Harutzim St.
Fax.: +972-9-766-1314      P.O.B. 7004
Mobile: +972-50-23-7338    Kfar-Saba 44641, Israel
Re: Apache 2.0.* and SSL
On Tue, 9 Apr 2002, Eli Marmor wrote:

> This, exactly, was one of my intentions when I opened this thread.

Glad to hear it. :)

> BTW: Great article about 2.0, Cliff! (IIRC, it was Linux Magazine).

Thanks! It's good to know that people got something out of it.

<shameless plug>
PS: for anyone else who's interested but missed it, it just recently became available online at linux-mag.com.
</shameless plug>

--Cliff

--
Cliff Woolley [EMAIL PROTECTED]
Apache HTTP Server Project
Re: Apache 2.0 and SSL
I, for one, would be more than happy to use Apache 2.0. BUT, I need mod_ssl to function and as I understand it, mod_ssl applications cannot cope with cgi, so I really have no place to start.

Running without the need for https, I have been VERY impressed with Apache 2.0's speed and efficiency, and would love to work with it, but I have to have the basic tools available to go the next step.

George

--
George Walsh, Managing Director,
CruiseRoutes Division, DSC Directional Services Corp
Courtenay, British Columbia, Canada
Re: Apache 2.0 and SSL
On Tue, 9 Apr 2002, George Walsh wrote:
> I, for one, would be more than happy to use Apache 2.0. BUT, I need mod_ssl to function and as I understand it, mod_ssl applications cannot cope with cgi, so I really have no place to start.

Just to clarify for those who might be listening and didn't follow George's earlier posts, Apache 2.0 handles https: requests to CGI's perfectly fine. EXCEPT when you try to configure it to renegotiate on a POST request (which could happen if, say, your cgi-bin directory had per-directory SSL parameters set (eg SSLProtocol or requiring a client certificate)).

[As a bit of historical reference, those of you who've been around for a while will recall that mod_ssl for Apache 1.3 had the same problem (worse, actually... it just gave an I/O error) until version 2.3.10, when the "method not allowed" response and an experimental workaround were put in. It remained available only with --enable-rule=SSL_EXPERIMENTAL up until version 2.5.0.]

--Cliff

--
Cliff Woolley [EMAIL PROTECTED]
Charlottesville, VA
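The caveat in the message above concerns per-directory SSL settings that force a renegotiation after the request has already arrived. As an added example (not part of the thread and not mod_ssl code), this Python check lists such directives in a configuration so an administrator can see which paths are affected. The directive set (SSLVerifyClient, SSLVerifyDepth, SSLCipherSuite) and the sample configuration are assumptions made for the illustration.

```python
import re
from collections import namedtuple

# Assumption: these are the directives that, when set inside a per-directory
# section, can make the server renegotiate the SSL session for a request.
RENEG_DIRECTIVES = {"sslverifyclient", "sslverifydepth", "sslciphersuite"}

# Container sections that apply per request path rather than per server.
PER_DIR_SECTIONS = {"directory", "directorymatch", "location",
                    "locationmatch", "files", "filesmatch"}

OPEN_RE = re.compile(r"^<\s*([A-Za-z]+)\s*(.*?)\s*>$")
CLOSE_RE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")

Finding = namedtuple("Finding", "lineno directive value scope")


def find_renegotiation_triggers(conf_text):
    """Return a Finding for every renegotiation-relevant directive that
    appears inside a <Directory>, <Location> or <Files> style section."""
    stack = []      # currently open sections as (name, arguments)
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue

        closing = CLOSE_RE.match(line)
        if closing:
            name = closing.group(1).lower()
            # Close the nearest open section of that name, if there is one.
            for i in range(len(stack) - 1, -1, -1):
                if stack[i][0].lower() == name:
                    del stack[i:]
                    break
            continue

        opening = OPEN_RE.match(line)
        if opening:
            stack.append((opening.group(1), opening.group(2)))
            continue

        parts = line.split(None, 1)
        if parts[0].lower() not in RENEG_DIRECTIVES:
            continue
        # Innermost enclosing per-directory section, if any.
        scope = next((s for s in reversed(stack)
                      if s[0].lower() in PER_DIR_SECTIONS), None)
        if scope is not None:
            findings.append(Finding(lineno, parts[0],
                                    parts[1] if len(parts) > 1 else "",
                                    "%s %s" % scope))
    return findings


# Constructed sample configuration (not taken from any poster's server).
SAMPLE_CONF = r"""<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory /srv/www/cgi-bin>
        SSLOptions +StdEnvVars
        SSLVerifyClient require
        SSLVerifyDepth 2
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for f in find_renegotiation_triggers(SAMPLE_CONF):
        print("line %d: %s %s inside <%s>" % f)
```

The server-level SSLCipherSuite and the SSLOptions lines are not reported; only the client-certificate settings scoped to the cgi-bin directory are.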
RE: Re: Apache 2.0 and SSL
Thanks for clarifying this for the group, Cliff. Our 'hangup' was admittedly a little specific, and I am working my way around that right now - if for no other reason than to reduce the updating cycle. (Yeah, I still cannot love distribution rpms! May the Good Lord forgive my intransigence :-)

George

Cliff Woolley [EMAIL PROTECTED] wrote:
> On Tue, 9 Apr 2002, George Walsh wrote:
> > I, for one, would be more than happy to use Apache 2.0. BUT, I need mod_ssl to function and as I understand it, mod_ssl applications cannot cope with cgi, so I really have no place to start.
>
> Just to clarify for those who might be listening and didn't follow George's earlier posts, Apache 2.0 handles https: requests to CGI's perfectly fine. EXCEPT when you try to configure it to renegotiate on a POST request (which could happen if, say, your cgi-bin directory had per-directory SSL parameters set (eg SSLProtocol or requiring a client certificate)).
>
> [As a bit of historical reference, those of you who've been around for a while will recall that mod_ssl for Apache 1.3 had the same problem (worse, actually... it just gave an I/O error) until version 2.3.10, when the "method not allowed" response and an experimental workaround were put in. It remained available only with --enable-rule=SSL_EXPERIMENTAL up until version 2.5.0.]
>
> --Cliff
>
> --
> Cliff Woolley [EMAIL PROTECTED]
> Charlottesville, VA

--
George Walsh, Managing Director,
CruiseRoutes Division, DSC Directional Services Corp
Courtenay, British Columbia, Canada
Re: Apache 2.0.* and SSL
On Tue, Apr 09, 2002 at 11:03:28AM -0400, Cliff Woolley wrote:
> On Tue, 9 Apr 2002, Mads Toftum wrote:
> > I too could add a whole lot of reasons to not migrate if you're doing SSL. Up to about a week before Apache went GA, there were substantial commits to SSL code which to me makes it an essentially untested module.
>
> While I can't wholly disagree with you, I will point out that the only way we can ever really consider SSL tried and true is if the people _from_this_group_ test it extensively and help us find the problems with it. Your participation is vital... really!

Exactly. That was the point I wanted to make - that the new SSL code needs extensive testing. I must admit that I was rather surprised when Apache went GA last Friday, I had expected another month at the very least to start looking closer at it. Oh well, time to start testing :)

vh

Mads Toftum
--
With a rubber duck, one's never alone. -- The Hitchhiker's Guide to the Galaxy
Re: Apache 2.0 and SSL
I have some questions related to Apache 2.0, SSL and IPv6. IPv6-based VHosts for SSL will work?

Cyb.org
apache 2.0 trying to reinitialise ssl
I am trying to run apache 2.0.35 with ssl on a Solaris box. I can compile and install without any problems. But when I try and run it fails with an error message about (theoretically impossible) failed re-initialisation of SSL (see log extract below)

(I also tried configuring mod_ssl as a shared module, but then I had problems with X509_INFO_free not being found)

system: Solaris 8 on Sparcstation 20, gcc 2.95.2, openssl 0.9.6c

I used the following configure options:

./configure --prefix=/usr/local/apache --enable-modules=ssl

and started the server:

/usr/local/apache/bin/apachectl startssl

extract from /usr/local/apache/logs/ssl_engine_log

[09/Apr/2002 15:23:55 14475] [info] Init: Initializing OpenSSL library
[09/Apr/2002 15:23:55 14475] [info] Init: Seeding PRNG with 1024 bytes of entropy
[09/Apr/2002 15:23:55 14475] [info] Init: (jupiter.library.uvic.ca:443) Loading certificate private key of SSL-aware server
[09/Apr/2002 15:23:55 14475] [info] Init: Requesting pass phrase via builtin terminal dialog
[09/Apr/2002 15:23:59 14475] [info] Init: Wiped out the queried pass phrases from memory
[09/Apr/2002 15:23:59 14475] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[09/Apr/2002 15:24:06 14475] [info] Init: Generating temporary DH parameters (512/1024 bits)
[09/Apr/2002 15:24:06 14475] [info] Init: Initializing (virtual) servers for SSL
[09/Apr/2002 15:24:06 14475] [info] Init: (jupiter.library.uvic.ca:443) Configuring server for SSL protocol
[09/Apr/2002 15:24:06 14475] [warn] Init: (jupiter.library.uvic.ca:443) RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[09/Apr/2002 15:24:06 14475] [info] Server: Apache/2.0.35, Interface: mod_ssl/2.0.35, Library: OpenSSL/0.9.6c
[09/Apr/2002 15:24:06 14475] [info] Init: Initializing OpenSSL library
[09/Apr/2002 15:24:06 14475] [info] Init: Seeding PRNG with 1024 bytes of entropy
[09/Apr/2002 15:24:06 14475] [info] Init: (jupiter.library.uvic.ca:443) Loading certificate private key of SSL-aware server
[09/Apr/2002 15:24:06 14475] [info] jupiter.library.uvic.ca:443 reusing existing RSA private key on restart
[09/Apr/2002 15:24:06 14475] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[09/Apr/2002 15:24:41 14475] [info] Init: Generating temporary DH parameters (512/1024 bits)
[09/Apr/2002 15:24:41 14475] [info] Init: Initializing (virtual) servers for SSL
[09/Apr/2002 15:24:41 14475] [info] Init: (jupiter.library.uvic.ca:443) Configuring server for SSL protocol
[09/Apr/2002 15:24:41 14475] [error] Init: (jupiter.library.uvic.ca:443) Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)

Martin Hofmann          Unix Systems Administrator
[EMAIL PROTECTED]       Library Systems Services
Ph: 472-5069            McPherson Library
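The log extract in the message above contains two initialization passes, with the error only in the second. As an added example (not part of the thread or of mod_ssl), this Python script splits an ssl_engine_log in that format into passes and reports, per pass, the warnings and errors and the slowest step. The sample lines are constructed from the extract, shortened and with the host name replaced by www.example.org.

```python
import re
from datetime import datetime

# Format seen in the extract: [DD/Mon/YYYY HH:MM:SS pid] [level] message
LINE_RE = re.compile(
    r"^\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (\d+)\] \[(\w+)\] (.*)$")
PASS_START = "Init: Initializing OpenSSL library"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m.group(1), "%d/%b/%Y %H:%M:%S"),
        "pid": int(m.group(2)),
        "level": m.group(3),
        "msg": m.group(4),
    }


def split_init_passes(lines):
    """Group records into passes; a new pass starts at each PASS_START."""
    passes = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["msg"] == PASS_START or not passes:
            passes.append([])
        passes[-1].append(rec)
    return passes


def summarize(passes):
    """Per pass: pid, wall time, slowest step and any warn/error lines."""
    out = []
    for recs in passes:
        # Time until the next line is attributed to the earlier message.
        gaps = [(a["msg"], int((b["time"] - a["time"]).total_seconds()))
                for a, b in zip(recs, recs[1:])]
        out.append({
            "pid": recs[0]["pid"],
            "seconds": int((recs[-1]["time"] - recs[0]["time"]).total_seconds()),
            "slowest_step": max(gaps, key=lambda g: g[1]) if gaps else None,
            "problems": [(r["level"], r["msg"]) for r in recs
                         if r["level"] in ("warn", "error")],
        })
    return out


# Constructed sample, modelled on the extract above (host name replaced).
SAMPLE_LOG = """\
[09/Apr/2002 15:23:55 14475] [info] Init: Initializing OpenSSL library
[09/Apr/2002 15:23:55 14475] [info] Init: Requesting pass phrase via builtin terminal dialog
[09/Apr/2002 15:23:59 14475] [info] Init: Wiped out the queried pass phrases from memory
[09/Apr/2002 15:23:59 14475] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[09/Apr/2002 15:24:06 14475] [info] Init: Generating temporary DH parameters (512/1024 bits)
[09/Apr/2002 15:24:06 14475] [warn] Init: (www.example.org:443) RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[09/Apr/2002 15:24:06 14475] [info] Server: Apache/2.0.35, Interface: mod_ssl/2.0.35, Library: OpenSSL/0.9.6c
[09/Apr/2002 15:24:06 14475] [info] Init: Initializing OpenSSL library
[09/Apr/2002 15:24:06 14475] [info] www.example.org:443 reusing existing RSA private key on restart
[09/Apr/2002 15:24:06 14475] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[09/Apr/2002 15:24:41 14475] [info] Init: Generating temporary DH parameters (512/1024 bits)
[09/Apr/2002 15:24:41 14475] [error] Init: (www.example.org:443) Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)
"""

if __name__ == "__main__":
    for n, s in enumerate(summarize(split_init_passes(SAMPLE_LOG.splitlines())), 1):
        print("pass %d (pid %d): %ds, slowest: %s" %
              (n, s["pid"], s["seconds"], s["slowest_step"]))
        for level, msg in s["problems"]:
            print("  [%s] %s" % (level, msg))
```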
RE: Apache 2.0.* and SSL
OK, I've tested it, and so far it isn't working for me. Here are my tests:

1) Attempt to configure, on an HP UX 11.0 system, to use SSL with a cryptographic accelerator card:

Set up Apache 1.3.23, on this same system, and confirmed that it ran and successfully accessed the CryptoSwift card.

configure --enable-ssl --with-ssl=/home/lgazis/openssl-engine-0.9.6c --prefix=/home/lgazis/apache2 --enable-rule=SSL_EXPERIMENTAL

Had to create lib directory under openssl-engine-0.9.6c and copy libraries there, since they seemed to be expected there rather than at the top level.

First problem: http://httpd.apache.org/docs-2.0/install.html makes no mention of actually installing a certificate, and make certificate appears to no longer be the correct thing to do. Worked around this by copying conf/ssl.crt and conf/ssl.key from Apache 1.3.23 installation to Apache 2.0.35 installation.

Edited httpd.conf, set ServerName to pamela, User to www, Group to nobody, Listen to my IP address and port. Edited ssl.conf and set Listen to my IP address and port, and added SSLCryptoDevice cswift.

Attempted a bin/apachectl startssl, and got the error:

Invalid command 'SSLCryptoDevice'

Evidently something has changed, since Apache 1.3, about how to make the cryptographic accelerators in the OpenSSL engine code work.

2) Test, on HP UX 11.0 system, attempting to use SSL and no cryptographic accelerator.

Got rid of the SSLCryptoDevice line, and tested to see whether I could make Apache 2.0 work with SSL with no accelerator. This also failed; the server started, but when I generated traffic, none of my handshakes succeeded, and my error log showed lots of

[error] [client 10.10.37.185] Invalid method in request k

Tried a test with OpenSSL's s_client, instead of my own test program, generating the traffic. Ran s_client with the -connect option, and no others. Got the error:

warning, not much extra random data, consider using the -rand option
CONNECTED(0003)
905:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460

Attempts to specify with ssl3 or tls1 also failed to connect, though with a different error.

3) Attempted to build Apache 2.0 on Solaris 7:

Configured with same options as on the HP system, but my make failed with an undefined symbol sk_new_null.

Either this isn't working properly, or I am missing some key information about how I am supposed to be setting this up. I've been building and running various versions of Apache 1.3 on these same systems with no difficulty.

Lynn Gazis

-----Original Message-----
From: Cliff Woolley [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 09, 2002 8:03 AM
To: [EMAIL PROTECTED]
Subject: Re: Apache 2.0.* and SSL

On Tue, 9 Apr 2002, Mads Toftum wrote:
> I too could add a whole lot of reasons to not migrate if you're doing SSL. Up to about a week before Apache went GA, there were substantial commits to SSL code which to me makes it an essentially untested module.

While I can't wholly disagree with you, I will point out that the only way we can ever really consider SSL tried and true is if the people _from_this_group_ test it extensively and help us find the problems with it. Your participation is vital... really!

Thanks all,
Cliff

--
Cliff Woolley [EMAIL PROTECTED]
Apache HTTP Server Project
Re: Apache 2.0.* and SSL
> What options are needed to configure, with Apache 2.0, to make sure that mod_ssl is enabled, and that a particular OpenSSL directory is used? I tried guessing at the right options, but a look at the httpd.conf file in the resulting installation suggests that I guessed wrong.

This is what I use:

./configure \
  --with-layout=Apache \
  --enable-mods-shared=all \
  --enable-ssl

( Apache/2.0.35 (Unix) mod_ssl/2.0.35 OpenSSL/0.9.6b DAV/2 mod_perl/1.99_01-dev Perl/v5.6.0 PHP/4.1.2 )

Charles Aulds
http://hiwaay.net/~caulds/
RE: RE: Apache 2.0.* and SSL
OpenSSL is a separate issue, really. It is normally found in /usr/local/src. I am using 0.9.6c currently, which I download as a tar.gz to my /usr/local/src file, uncompress it with:

gzip -dc openssl-0.9.6c.tar.gz | tar xf -
cd /usr/local/src/openssl-0.9.6c
./config shared
make all test install

... and voila!

Apache 2.0 includes its own mod_ssl as part of the 'new look'. That gives you encryption while openssl gives you certification services.

FWIW I prefer to remove rpm installations for Apache, mod_ssl, mozilla, netscape, opera and sendmail so I can keep painlessly up-to-date. It's not everybody's cup of tea, but I've been doing it this way for years and I like the feeling of being 'in control' of these crucial elements.

Hope that helps ...

George

> What options are needed to configure, with Apache 2.0, to make sure that mod_ssl is enabled, and that a particular OpenSSL directory is used? I tried guessing at the right options, but a look at the httpd.conf file in the resulting installation suggests that I guessed wrong.
>
> Lynn Gazis

--
George Walsh, Managing Director,
CruiseRoutes Division, DSC Directional Services Corp
Courtenay, British Columbia, Canada
Re: Apache 2.0.* and SSL
By the way: I think that we should open a special mailing list for mod_ssl of Apache2.

The current list focuses on 1.3, which is completely different than 2, and even comes in a very different way (as a patch, rather than a filter). The developers and maintainers are different. And the new mod_ssl is a part of Apache.

On the other hand, the main list that currently deals with the new mod_ssl, is new_httpd, which is the main list of Apache developers: It deals with zillion things, very heavy, and doesn't focus on SSL at all.

There must be a third list, specific for mod_ssl of 2.0. It must be announced to both of the current lists, so subscribers of both have chance to subscribe to the new list (I guess that in most of the cases it will be IN ADDITION to their current list, and not instead of it).

I don't know if it should be served by the server of the other lists of Apache, or by Ralf's server; I guess that we should ask Ralf...

--
Eli Marmor [EMAIL PROTECTED]
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
Re: Apache 2.0.* and SSL
On Mon, 8 Apr 2002, Eli Marmor wrote:
> I think that we should open a special mailing list for mod_ssl of Apache2.

My personal opinion would be that most modssl users' questions will be of the same nature regardless of version. The kinds of questions we get here:

(1) why can't I use NBVH+SSL?
(2) how do I get my certificate created and/or to work
(3) I'm having problems getting IE to connect, what do I do?
(4) ...

The answers to these questions are all the same regardless of whether you're talking about 1.3 or 2.0, and there will always be those of us on the httpd development team that listen in on modssl-users for potential bugs, so in my mind it makes sense to keep the user group as one.

But that's just me... if you guys disagree, then go right ahead and create a new list.

--Cliff

--
Cliff Woolley [EMAIL PROTECTED]
Charlottesville, VA
RE: Re: Apache 2.0.* and SSL
Oh please, no, not another one I'm drowning just trying to keep up as it is, but that, as they say, is but one man's opinion. I know - I don't have to join, but then the existing established groups might not be as representative as they would otherwise be.

George

> On Mon, 8 Apr 2002, Eli Marmor wrote:
> > I think that we should open a special mailing list for mod_ssl of Apache2.
>
> My personal opinion would be that most modssl users' questions will be of the same nature regardless of version. The kinds of questions we get here:
>
> (1) why can't I use NBVH+SSL?
> (2) how do I get my certificate created and/or to work
> (3) I'm having problems getting IE to connect, what do I do?
> (4) ...
>
> The answers to these questions are all the same regardless of whether you're talking about 1.3 or 2.0, and there will always be those of us on the httpd development team that listen in on modssl-users for potential bugs, so in my mind it makes sense to keep the user group as one.
>
> But that's just me... if you guys disagree, then go right ahead and create a new list.
>
> --Cliff
>
> --
> Cliff Woolley [EMAIL PROTECTED]
> Charlottesville, VA

--
George Walsh, Managing Director,
CruiseRoutes Division, DSC Directional Services Corp
Courtenay, British Columbia, Canada
RE: Apache 2.0.* and SSL
On Mon, 8 Apr 2002, Steve Gonzales wrote:
> One list is enough for me. SSL theory doesn't change from 1.3.xx to 2.0.xx; only the configuration and installation changes.

And even that is mostly the same. :)

--
Cliff Woolley [EMAIL PROTECTED]
Charlottesville, VA
Re: Apache 2.0.* and SSL
Steve Gonzales wrote:
> One list is enough for me. SSL theory doesn't change from 1.3.xx to 2.0.xx; only the configuration and installation changes.

There are many other issues, like the -DEAPI and 3rd party modules that cause Apache to crash.

Anyway, the fact is that all of the discussions regarding 2.0 are done in the new-httpd list, and not here (at least till this thread). So it is clear that something must be done. Maybe a request to new-httpd subscribers to move the SSL discussions to here?

--
Eli Marmor [EMAIL PROTECTED]
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
Re: Apache 2.0.* and SSL
Hey there,

On Tuesday 09 April 2002 10:18, you wrote:
> Steve Gonzales wrote:
> > One list is enough for me. SSL theory doesn't change from 1.3.xx to 2.0.xx; only the configuration and installation changes.
>
> There are many other issues, like the -DEAPI and 3rd party modules that cause Apache to crash.
>
> Anyway, the fact is that all of the discussions regarding 2.0 are done in the new-httpd list, and not here (at least till this thread). So it is clear that something must be done. Maybe a request to new-httpd subscribers to move the SSL discussions to here?

I would respectfully suggest that modssl discussions stay here. I don't want to rag on Apache 2.0, and I'm sure a lot of good things have found their way into it, but it does not solve a number of issues that I think many people in production environments would require to push them into a pro-active decision to migrate. Likewise, it introduces an entirely new base of code with considerably less real-world mileage than the Apache 1.3.** base, so there's a non-trivial motivation to *not* migrate unless absolutely necessary.

Apache 2.0 has clearly also been taking what one might call an, ummm, let's say value-added design approach. If your focus is on SSL/TLS, security, and serving up HTML through a robust and secure server, then having something new that tries to multiplex a huge number of different features and services (in the same address-space as one another, moreover!) is a can of worms that many people will consider best left shut. For now at the very least.

So if discussion on the SSL module is in some ways independent (or at least may often be independent) of the apache version, I'd suggest we keep discussion in this one place. For my own part; in the near future, I will be working again on session caching and other tuning operations on the Apache 1.3.***-based modssl distribution and [will] have neither the time nor inclination to involve myself in the goings-on of Apache 2.0. I won't mind at *all* if someone who does have the time and motivation handles merging anything useful from that to the apache 2.0 code-base - but I won't be reading from, or posting to, anything Apache 2.0-specific.

Cheers,
Geoff
RE: Re: Apache 2.0.* and SSL
Very well said, Geoff. I have 'played' with Apache 2.0 but certainly not with anything having to do with https and ssl. Now, with a heavy launch schedule in front of me, I have all I can do to switch people out of windows and into KDE/GNOME environments.

Respectfully,
George

Geoff Thorpe [EMAIL PROTECTED] wrote:
> Hey there,
>
> On Tuesday 09 April 2002 10:18, you wrote:
> > Steve Gonzales wrote:
> > > One list is enough for me. SSL theory doesn't change from 1.3.xx to 2.0.xx; only the configuration and installation changes.
> >
> > There are many other issues, like the -DEAPI and 3rd party modules that cause Apache to crash.
> >
> > Anyway, the fact is that all of the discussions regarding 2.0 are done in the new-httpd list, and not here (at least till this thread). So it is clear that something must be done. Maybe a request to new-httpd subscribers to move the SSL discussions to here?
>
> I would respectfully suggest that modssl discussions stay here. I don't want to rag on Apache 2.0, and I'm sure a lot of good things have found their way into it, but it does not solve a number of issues that I think many people in production environments would require to push them into a pro-active decision to migrate. Likewise, it introduces an entirely new base of code with considerably less real-world mileage than the Apache 1.3.** base, so there's a non-trivial motivation to *not* migrate unless absolutely necessary.
>
> Apache 2.0 has clearly also been taking what one might call an, ummm, let's say value-added design approach. If your focus is on SSL/TLS, security, and serving up HTML through a robust and secure server, then having something new that tries to multiplex a huge number of different features and services (in the same address-space as one another, moreover!) is a can of worms that many people will consider best left shut. For now at the very least.
>
> So if discussion on the SSL module is in some ways independent (or at least may often be independent) of the apache version, I'd suggest we keep discussion in this one place. For my own part; in the near future, I will be working again on session caching and other tuning operations on the Apache 1.3.***-based modssl distribution and [will] have neither the time nor inclination to involve myself in the goings-on of Apache 2.0. I won't mind at *all* if someone who does have the time and motivation handles merging anything useful from that to the apache 2.0 code-base - but I won't be reading from, or posting to, anything Apache 2.0-specific.
>
> Cheers,
> Geoff

--
George Walsh, Managing Director,
CruiseRoutes Division, DSC Directional Services Corp
Courtenay, British Columbia, Canada
Re: Apache 2.0.* and SSL
Well said, and the written support from the group is long overdue, as are the well deserved compliments.

Thanks!

--
Eli Marmor [EMAIL PROTECTED]
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
Re: Apache 2.0.* and SSL
Oops...

The last message was intended personally for George Walsh, and not for the list...

--
Eli Marmor [EMAIL PROTECTED]
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
Re: Apache 2.0.* and SSL
...well, I'm keeping it for myself! *grin*

At 02:10 AM 4.8.2002 +0300, Eli Marmor wrote:
> Oops...
>
> The last message was intended personally for George Walsh, and not for the list...
>
> --
> Eli Marmor [EMAIL PROTECTED]
> CTO, Founder
> Netmask (El-Mar) Internet Technologies Ltd.

our website: http://www.sage-one.net/

Best regards,
Jack L. Stone
Server Admin
Apache 2.0.* and SSL
Hi mod_ssl users,

As most of you probably know, the development efforts of Apache 2 are going to result in a product, soon. The current betas are already stable, mature, fast, portable than ever, strong, and support many features that we have dreamed about for years, like filtering (I mention this feature, and not zillion others, because it is important specifically for SSL).

Yes, it's true that some of us didn't like various things, and that the development process was not optimal and took too much time. But this effort comes (finally...) to a successful end, and I believe that everybody who uses SSL (including myself...) should do the migration.

Contrary to past versions, this one is a dramatic change in the integration of SSL. No more patches, no more re-compilations with -DEAPI, no more 3rd party modules which cause Apache to crash because these modules were not compiled using this flag, no more specific versions of mod_ssl per each version of Apache, no more repeating merges of the patches of mod_ssl.

Now, thanks to the filtering feature, mod_ssl is separate, and doesn't depend on modifications in the core of Apache. Thanks to the White House, mod_ssl is not a national secret that can't be distributed, anymore. Thanks to the USPTO, mod_ssl doesn't depend on a protected patent anymore (it expired. RSA even gave up 2 weeks). And thanks to ASF, mod_ssl is a standard part of Apache. Any Apache that will be distributed in the future, will include SSL support (at least optionally), that can be enabled externally by installing OpenSSL and adding some directives to the httpd.conf.

Ben did a great job by creating apache_ssl. Ralf did a great job too, by improving it, and his impressive efforts and skills that were invested in developing and maintaining mod_ssl. We all owe a great thank to Ralf for other Open Source projects that he does, or joins.

Now it's time to make the next step, and migrate to Apache 2.0. It still requires some work and testing. It can happen if we all join this effort. I am not a member of ASF, but I'm convinced that everybody will accept you happily.

--
Eli Marmor [EMAIL PROTECTED]
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
RE: Apache 2.0.* and SSL
Hi!

Well said, and the written support from the group is long overdue, as are the well deserved compliments.

I intend to rip out the bundled Apache from my SuSE Pro 7.3 distribution and give the new threaded Apache a go. (I intend to do the same with Netscape, Mozilla and Sendmail while I am at it so I have full control over the key elements of my system beyond Linux itself. SuSE rpms are never up-to-date on these services, even when they are available, so I prefer to do the builds 'the old fashioned way'.

Regards to all,
George

> Hi mod_ssl users,
>
> As most of you probably know, the development efforts of Apache 2 are going to result in a product, soon. The current betas are already stable, mature, fast, portable than ever, strong, and support many features that we have dreamed about for years, like filtering (I mention this feature, and not zillion others, because it is important specifically for SSL).
>
> Yes, it's true that some of us didn't like various things, and that the development process was not optimal and took too much time. But this effort comes (finally...) to a successful end, and I believe that everybody who uses SSL (including myself...) should do the migration.
>
> Contrary to past versions, this one is a dramatic change in the integration of SSL. No more patches, no more re-compilations with -DEAPI, no more 3rd party modules which cause Apache to crash because these modules were not compiled using this flag, no more specific versions of mod_ssl per each version of Apache, no more repeating merges of the patches of mod_ssl.
>
> Now, thanks to the filtering feature, mod_ssl is separate, and doesn't depend on modifications in the core of Apache. Thanks to the White House, mod_ssl is not a national secret that can't be distributed, anymore. Thanks to the USPTO, mod_ssl doesn't depend on a protected patent anymore (it expired. RSA even gave up 2 weeks). And thanks to ASF, mod_ssl is a standard part of Apache. Any Apache that will be distributed in the future, will include SSL support (at least optionally), that can be enabled externally by installing OpenSSL and adding some directives to the httpd.conf.
>
> Ben did a great job by creating apache_ssl. Ralf did a great job too, by improving it, and his impressive efforts and skills that were invested in developing and maintaining mod_ssl. We all owe a great thank to Ralf for other Open Source projects that he does, or joins.
>
> Now it's time to make the next step, and migrate to Apache 2.0. It still requires some work and testing. It can happen if we all join this effort. I am not a member of ASF, but I'm convinced that everybody will accept you happily.
>
> --
> Eli Marmor [EMAIL PROTECTED]
> CTO, Founder
> Netmask (El-Mar) Internet Technologies Ltd.

--
George Walsh, Managing Director,
CruiseRoutes Division, DSC Directional Services Corp
Courtenay, British Columbia, Canada
Re: Apache 2.0.* and SSL
Sounds like you would like the emerging Lunar-Linux release that is built from source on the target machine. Take a look at http://Lunar-Linux.org

It still has a lot of work to be done, but it looks like it is headed the right direction. It has great tools for keeping a remote server up to date without needing a GUI.

--Richard

On Friday 05 April 2002 11:45 am, George Walsh wrote:
> Hi!
>
> Well said, and the written support from the group is long overdue, as are the well deserved compliments.
>
> I intend to rip out the bundled Apache from my SuSE Pro 7.3 distribution and give the new threaded Apache a go. (I intend to do the same with Netscape, Mozilla and Sendmail while I am at it so I have full control over the key elements of my system beyond Linux itself. SuSE rpms are never up-to-date on these services, even when they are available, so I prefer to do the builds 'the old fashioned way'.)
>
> Regards to all,
> George
>
>> Hi mod_ssl users,
>>
>> As most of you probably know, the development efforts of Apache 2 are going to result in a product, soon. The current betas are already stable, mature, fast, portable than ever, strong, and support many features that we have dreamed about for years, like filtering (I mention this feature, and not zillion others, because it is important specifically for SSL).
>>
>> Yes, it's true that some of us didn't like various things, and that the development process was not optimal and took too much time. But this effort comes (finally...) to a successful end, and I believe that everybody who uses SSL (including myself...) should do the migration.
>>
>> Contrary to past versions, this one is a dramatic change in the integration of SSL. No more patches, no more re-compilations with -DEAPI, no more 3rd party modules which cause Apache to crash because these modules were not compiled using this flag, no more specific versions of mod_ssl per each version of Apache, no more repeating merges of the patches of mod_ssl.
>>
>> Now, thanks to the filtering feature, mod_ssl is separate, and doesn't depend on modifications in the core of Apache. Thanks to the White House, mod_ssl is not a national secret that can't be distributed, anymore. Thanks to the USPTO, mod_ssl doesn't depend on a protected patent anymore (it expired. RSA even gave up 2 weeks). And thanks to ASF, mod_ssl is a standard part of Apache. Any Apache that will be distributed in the future, will include SSL support (at least optionally), that can be enabled externally by installing OpenSSL and adding some directives to the httpd.conf.
>>
>> Ben did a great job by creating apache_ssl. Ralf did a great job too, by improving it, and his impressive efforts and skills that were invested in developing and maintaining mod_ssl. We all owe a great thanks to Ralf for other Open Source projects that he does, or joins.
>>
>> Now it's time to make the next step, and migrate to Apache 2.0. It still requires some work and testing. It can happen if we all join this effort. I am not a member of ASF, but I'm convinced that everybody will accept you happily.
>>
>> --
>> Eli Marmor [EMAIL PROTECTED]
>> CTO, Founder
>> Netmask (El-Mar) Internet Technologies Ltd.
>> Tel.: +972-9-766-1020    8 Yad-Harutzim St.
>> Fax.: +972-9-766-1314    P.O.B. 7004
>> Mobile: +972-50-23-7338  Kfar-Saba 44641, Israel

--
Richard B. Pyne [EMAIL PROTECTED]
Support for Apache 2.0
I've looked for mod-ssl support for Apache-2.0 (httpd-2.0), but haven't found any so far. What is its status?
RE: mod_ssl for Apache 2.0
Fine. I'll try to incorporate the change that Ryan has suggested and shall send out the patch today.

Thanks
-Madhu

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2001 11:14 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: mod_ssl for Apache 2.0

> Thanks very much for the information. In fact over the last couple of days, I've managed to eliminate most of the #if 0 ... #endif portions of the code - and get the code to compile (of course with major exceptions)..

Cool!

> I'm currently trying to develop the input / output filter.

mod_tls should provide some good insight for getting that done, as it sounds like you've discovered. mod_ssl should actually just be using the TLS_filters. No need to duplicate code here.

> Here's the set highlight of the changes that I've done :
> 1. Replace ap_ctx *ap_global_ctx with a global table (this is just for work-around, till something better can be achieved). I'm trying to minimize the amount of data that'll eventually be stored in ap_global_ctx

These should be using the process_rec-pool-user_data.

Looking forward to the patch.

Ryan

_
Ryan Bloom [EMAIL PROTECTED]
Covalent Technologies [EMAIL PROTECTED]
-
Apache 2.0 and mod_ssl status
Hi,

Is there any news about the mod_ssl port to Apache 2.0? Or will it be merged into mod_tls?

Regards
Re: Apache 2.0 and mod_ssl status
On Thu, Mar 29, 2001 at 04:00:34PM +0200, ModSSL user wrote:
> Hi,
>
> Is there any news about the mod_ssl port to Apache 2.0? Or will it be merged into mod_tls?

Haven't you already asked this question once - http://marc.theaimsgroup.com/?l=apache-modssl&m=98378374827565&w=2

A search on the mailing list will bring up the answers to the question: http://marc.theaimsgroup.com/?l=apache-modssl&w=2&r=1&s=apache+2.0&q=b

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Apache 2.0
On Mon, Mar 05, 2001 at 11:18:03PM +0100, Mats Dufberg wrote:
> Do I interpret it correctly that SSL/TLS will be included in base Apache 2.0, and that the SSL/TLS code is based on something else but the mod_ssl code? I find no sign of SSL/TLS in the Apache documentation for 2.0.

Ben Laurie is working on mod_tls as part of Apache 2.

See also: http://marc.theaimsgroup.com/?l=apache-new-httpd&w=2&r=1&s=mod_tls&q=b

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Apache 2.0
** Reply to note from "ModSSL user" [EMAIL PROTECTED] Mon, 5 Mar 2001 10:20:24 +0100

> Hi,
>
> What about mod_ssl port to Apache 2.0. You proposed some time ago to put all mod_ssl 2.8.x in Apache 2.0 tree but there is still nothing.

If I remember right, the decision was that NOTHING would be done until Apache 2.0 made it to beta, in an attempt to minimize the number of rewrites needed as the software layout changed in alpha and pre-alpha stages.

I thought I saw mention that they were about to roll out the first beta version of 2.0 in the Apache Newsletter, but httpd.apache.org still shows the current 2.0 to be alpha. I don't expect work on mod_ssl to START until the beta is released.

Rick Widmer
Internet Marketing Specialists
http://www.developersdesk.com
Re: Apache 2.0
On Mon, 5 Mar 2001, Ralf S. Engelschall wrote:
>> What about mod_ssl port to Apache 2.0. You proposed some time ago to put all mod_ssl 2.8.x in Apache 2.0 tree but there is still nothing.
>
> Although I offered the whole mod_ssl 2.8 code basis under the ASF license to the ASF, there was no group consensus on using mod_ssl for Apache 2.0. Look at the way and by whom SSL/TLS was pushed into Apache 2.0 and you should be able to imagine yourself why our mod_ssl code was not accepted as the code base.

Do I interpret it correctly that SSL/TLS will be included in base Apache 2.0, and that the SSL/TLS code is based on something else but the mod_ssl code? I find no sign of SSL/TLS in the Apache documentation for 2.0.

Mats

-
Mats Dufberg +46-8-545 857 06
[EMAIL PROTECTED] fax: +46-8-545 857 29
Re: Apache 2.0
On Mon, 5 Mar 2001, Dave Paris wrote:
> Apache has been (arguably) one of the best OS projects to date. It pains me to see the obvious, and most successful current SSL implementation not be chosen for the 2.0 revision. I definitely don't recall seeing a user-community vote on the topic of SSL/TLS choice for the 2.0 revision. I'm sure there are many folks who would have appreciated the opportunity to have voiced their opinion. Heck, even large companies like Computer Associates take polls of that nature.

Just to throw in an objective perspective in fairness to all (regardless of my personal preference for mod_ssl):

There is actually a rather big technical problem with just dumping *either* mod_ssl or Apache-SSL into Apache 2.0. That is that the I/O mechanics of Apache 2.0 are *completely* different than those of 1.3. SSL/TLS in 2.0 can and should be implemented using the new I/O filtering and bucket-brigades data management system of 2.0, which is a fairly drastic change from any code out there for SSL/TLS in 1.3.

So, while politics does play a factor (necessarily just by human nature), it's not that the group just said "We choose not to use mod_ssl for 2.0" for purely political reasons. Rather, they said "We need to get a really basic SSL/TLS implementation set up that uses filtering and bucket brigades, because there does not currently exist such a beast. Then we can pull in all the neat goodies from mod_ssl and Apache-SSL from there." Hence mod_tls was born. It's currently in stage 1 -- getting it working as a filter. Next is stage 2... pulling in the goodies.

Don't get disappointed or up-in-arms just yet. =-)

--Cliff Woolley
Apache 2.0/APR contributor

--
Cliff Woolley [EMAIL PROTECTED]
Charlottesville, VA
Apache 2.0
Hi,

What about mod_ssl port to Apache 2.0. You proposed some time ago to put all mod_ssl 2.8.x in Apache 2.0 tree but there is still nothing.

Will you instead work with Ben Laurie on mod_tls?

Regards
Re: Apache 2.0
On Mon, Mar 05, 2001, ModSSL user wrote:
> What about mod_ssl port to Apache 2.0. You proposed some time ago to put all mod_ssl 2.8.x in Apache 2.0 tree but there is still nothing.

Although I offered the whole mod_ssl 2.8 code basis under the ASF license to the ASF, there was no group consensus on using mod_ssl for Apache 2.0. Look at the way and by whom SSL/TLS was pushed into Apache 2.0 and you should be able to imagine yourself why our mod_ssl code was not accepted as the code base.

Actually the whole "SSL/TLS for Apache 2.0" situation over the last months was finally "solved" by a rather clever trick by someone of the group - and this was not obvious even to me until recently. But because of this, as a result, we failed to bring mod_ssl directly into Apache 2.0. Sorry, perhaps my fault in being too optimistic and thinking that political things inside the group were already gone. Seems like someone else was a lot more clever than me...

> Will you instead work with Ben Laurie on mod_tls?

I still don't know. As I said, the whole SSL/TLS issue again is a _highly_ political thing in Apache 2.0 and I certainly will try hard to stay out of those things as far as I can. Whether it finally means that mod_ssl has to be externally maintained again, I still don't know.

The only thing I currently know is that with Apache 2.0 it seems that we again will have the same SSL/TLS problem as we had three years ago with Apache 1.3 (means: an unpolished 70% percent solution). And I also know that someone (not necessarily me) will again find this not satisfactory. What approach then is used to change this we all still don't know...

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: Apache 2.0
[..snip a bunch of sane pondering at completely inexplicable behavior by third parties..]

> The only thing I currently know is that with Apache 2.0 it seems that we again will have the same SSL/TLS problem as we had three years ago with Apache 1.3 (means: an unpolished 70% percent solution). And I also know that someone (not necessarily me) will again find this not satisfactory. What approach then is used to change this we all still don't know...

Ralf, take heart that you're not alone here. As much as I believe in and work for OpenSource projects, this is the Achilles heel of them all. They completely forget they are still developing applications for a USER BASE. When their internal politics flies in the face of what's best for that user base, the project comes off looking like it was done by a gaggle of immature, clue-challenged fruckwits who cannot grasp the basics of how to run a successful project.

mutters something about forgetting and repeating history...

Apache has been (arguably) one of the best OS projects to date. It pains me to see the obvious, and most successful current SSL implementation not be chosen for the 2.0 revision. I definitely don't recall seeing a user-community vote on the topic of SSL/TLS choice for the 2.0 revision. I'm sure there are many folks who would have appreciated the opportunity to have voiced their opinion. Heck, even large companies like Computer Associates take polls of that nature.

After all, if the project doesn't do its best to increasingly serve the user base that's grown along with it, what's the point? Surely the point can't be politics - that's reserved for those extra-special folks who speak far more and work far less.

just my $0.02 at the state of some recent, mind-bogglingly stupid moves in the OpenSource community.

--dsp
Re: Apache 2.0
Dave Paris wrote:
[snip]
> just my $0.02 at the state of some recent, mind-bogglingly stupid moves in the OpenSource community.

[Flamebait] That reminds me of the GNOME fiasco. (KDE is far superior, yet some want to reinvent the wheel.)
Re: Apache 2.0
The use of the word "superior" is a subjective one. Just as some say that Picasso is superior to Michelangelo. Because there are different styles to doing the same thing, does not mean that they should be criticized in a manner which solves nothing, but adds fuel to fire. Saying x is superior over y, while on the surface may appear true, only after looking at tangible evidence and reasons behind why x is superior to y and vice versa can we attain enlightenment about that which we claim.

I realize this because I work in an office which is sometimes painful. Plenty of claims about this is better than that, but no real substantiation about anything. People can talk from experience, but sometimes that's not enough. Proof of the pudding and all that.

I think what you are saying here is good feedback, but let's try to debate the reasons, rather than speculate. I think it is a mistake not to use mod_ssl code in Apache 2.0, but with no truly objective debate happening in the Apache list (from what I've seen I don't consider 'mod_ssl is spaghetti' as objective), then both projects suffer. Mod_ssl less than the ASF I think, but that's the way it is. Does it mean that this won't change? Not really, it just means that _if_ it changes, it will take a while and probably be painful.

Thank you all for your ear, and sorry if it's a bit long. I'm quite passionate about OpenSource and what its potentials are. It simply breaks my heart to see people who are usually enlightened enough to believe in freedom and openness breed politics into something so good.

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: [EMAIL PROTECTED]

On Mon, 5 Mar 2001, Balzs Nagy wrote:
> Dave Paris wrote:
> [snip]
>> just my $0.02 at the state of some recent, mind-bogglingly stupid moves in the OpenSource community.
>
> [Flamebait] That reminds me of the GNOME fiasco. (KDE is far superior, yet some want to reinvent the wheel.)
Re: Apache 2.0
Austin Gonyou wrote:
> Thank you all for your ear, and sorry if it's a bit long. I'm quite passionate about OpenSource and what its potentials are. It simply breaks my heart to see people who are usually enlightened enough to believe in freedom and openness breed politics into something so good.

Thank you for not assassinating me for the flamebait. The question is, what do you suggest we do to encourage ASF to (re)consider mod_ssl?
Re: Apache 2.0
I think the biggest thing we can do is take a wait and see attitude, but keep on top of the ssl issue as a whole. The other thing to do is to review the technical reasons why mod_ssl should not be incorporated at all, to try and dispel any and all political issues people in that group may have.

Politics doesn't belong in the OS community, not this type of politics anyway. We need to show both parties that a balance can be reached, but that it takes both parties, not one, working in tandem to achieve something useable to both. I believe that mod_ssl, and apache_ssl are 2 projects which should exist, and never be the same project. Freedom of choice is what drove most of us to OpenSource, we should embrace this as an opportunity to continue that tradition.

--
Austin Gonyou
Systems Architect
Coremetrics, Inc.
Phone: 512-796-9023
email: [EMAIL PROTECTED]

On Mon, 5 Mar 2001, Balzs Nagy wrote:
> Austin Gonyou wrote:
>> Thank you all for your ear, and sorry if it's a bit long. I'm quite passionate about OpenSource and what its potentials are. It simply breaks my heart to see people who are usually enlightened enough to believe in freedom and openness breed politics into something so good.
>
> Thank you for not assassinating me for the flamebait. The question is, what do you suggest we do to encourage ASF to (re)consider mod_ssl?
Re: Apache 2.0 (fwd)
[ Message reposted because I accidentally sent the original under an alternate address which wasn't accepted by the list software ]

-- Forwarded message --
Date: Mon, 5 Mar 2001 16:50:33 -0500 (EST)
From: Cliff Woolley [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Apache 2.0

On Mon, 5 Mar 2001, Dave Paris wrote:
> Apache has been (arguably) one of the best OS projects to date. It pains me to see the obvious, and most successful current SSL implementation not be chosen for the 2.0 revision. I definitely don't recall seeing a user-community vote on the topic of SSL/TLS choice for the 2.0 revision. I'm sure there are many folks who would have appreciated the opportunity to have voiced their opinion. Heck, even large companies like Computer Associates take polls of that nature.

Just to throw in an objective perspective in fairness to all (regardless of my personal preference for mod_ssl):

There is actually a rather big technical problem with just dumping *either* mod_ssl or Apache-SSL into Apache 2.0. That is that the I/O mechanics of Apache 2.0 are *completely* different than those of 1.3. SSL/TLS in 2.0 can and should be implemented using the new I/O filtering and bucket-brigades data management system of 2.0, which is a fairly drastic change from any code out there for SSL/TLS in 1.3.

So, while politics does play a factor (necessarily just by human nature), it's not that the group just said "We choose not to use mod_ssl for 2.0" for purely political reasons. Rather, they said "We need to get a really basic SSL/TLS implementation set up that uses filtering and bucket brigades, because there does not currently exist such a beast. Then we can pull in all the neat goodies from mod_ssl and Apache-SSL from there." Hence mod_tls was born. It's currently in stage 1 -- getting it working as a filter. Next is stage 2... pulling in the goodies.

Don't get disappointed or up-in-arms just yet. =-)

--Cliff Woolley
Apache 2.0/APR contributor

--
Cliff Woolley [EMAIL PROTECTED]
Charlottesville, VA
Re: mod_ssl and Apache 2.0 ?
> A direct question to Ralf, will you port mod_ssl to Apache 2.0 ? API tends to move less (even if ap_r* are still discussed) and we may see a first beta in some weeks.

Hi,

As the first who tried to give a detailed answer for a similar question in this list (about a year ago), let me say something (though I'm not going to repeat the whole explanation):

There are some arguments regarding Apache 2.0. I think Ralf will be glad to detail. But one of the consensual issues, at least for purposes like SSL support, is the filtered I/O mechanism. This feature, was developed especially for things like compression, SSL encryption, spelling, and other filters which are applied on the output of the various modules of Apache.

Actually, if mod_ssl was required to be developed from scratch, at least a half of the work (in my humble opinion) could be avoided. Apache 2.0 could be an amazing shortcut for development of SSL layer. No more patches, no more EAPI, no more seg faults of binary modules which were pre-compiled, and no more endless runnings after each minor version of Apache. The final Paradise.

However, as we know ;-), mod_ssl is already working, alive and kicking. And since it proved itself in so many installations, and so many bugs and incompatibilities have been fixed, it will be silly to develop a new layer from scratch.

Apache 2.0 is being developed for more than 4 years. I know that the porting of mod_ssl to 2.0 will take less time, but I believe it is important to start with it. Even esoteric modules are already finalizing their 2.0 port, after a long time of porting, and mod_ssl even didn't start this porting.

I believe that mod_ssl is one of the most important and critical modules. And these days, that there are no more patents, neither US export limitations, it has the potential to become a standard part of Apache.

I hope this effort will start and end soon.

P.S. I want to thank Ralf for his excellent work!

--
Eli Marmor [EMAIL PROTECTED]
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
Tel.: +972-9-766-1020    8 Yad-Harutzim St.
Fax.: +972-9-766-1314    P.O.B. 7004
Mobile: +972-50-23-7338  Kfar-Saba 44641, Israel
Re: mod_ssl and Apache 2.0 ?
On Wed, Jan 24, 2001, ModSSL user wrote:
> A direct question to Ralf, will you port mod_ssl to Apache 2.0 ?

Yes.

> API tends to move less (even if ap_r* are still discussed) and we may see a first beta in some weeks. Not related but Apache 2.0 is still using mm-1.1.1 (patched) and you're at mm-1.1.3. Will you also release a mm-1.1.4 with the patch from apr applied ?

Yes, but not with all APR changes (because some are not needed).

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: mod_ssl and Apache 2.0 ?
Hear, hear!

> P.S. I want to thank Ralf for his excellent work!
mod_ssl and Apache 2.0 ?
Hi,

A direct question to Ralf, will you port mod_ssl to Apache 2.0 ? API tends to move less (even if ap_r* are still discussed) and we may see a first beta in some weeks.

Not related but Apache 2.0 is still using mm-1.1.1 (patched) and you're at mm-1.1.3. Will you also release a mm-1.1.4 with the patch from apr applied ?

Regards and keep the good work.
Fwd: SSL Testing with Apache 2.0 threading.
In part of my study to show how much we'll gain by using threads, I need to generate a proof of concept for apache 2.0 using ssl. Does anyone on this list have any suggestions as to whom I may speak with about obtaining some kind of ssl code or some hack for integrating one of the existing mod_ssl's with apache 2.0?

Austin
Mod_ssl for apache 2.0
Anyone know if/when mod_ssl will be released for apache 2.0?

Austin