Re: mod_ssl 2.2.3

2008-04-01 Thread R. DuFresne

modssl is built into the 2.x.x Apache versions.  Your consultant must be
asking you to upgrade the full Apache version.

The 1.3.x Apache tree still has a separate modssl base to add and build
off of.  This should not be a concern for you since you are running the
newer Apache tree.


Thanks,


Ron DuFresne

On Tue, 1 Apr 2008, Sir June wrote:


I have a Solaris box with Apache 2.2.3 and mod_ssl 2.2.3.  Our security
consultant ran a vulnerability software and the report recommended to upgrade
to mod_ssl 2.8.24 or higher. Is this possible, as I only see
releases for Apache 1.3.x?  What are your recommendations?

thanks,
Sir june




 

-- 

admin & senior security consultant:  sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins 
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: mod_ssl-2.8.30-1.3.39 w/ mm-1.4.2 on mac os 10.4 issues

2007-12-20 Thread furyx001
I've found a solution to this problem.  You have to use the version of 
OpenSSL installed on your machine.  In my case, it's 0.9.7l (the latest 
version Apple is supporting).  When I tried configuring mod_ssl with 
SSL_BASE=SYSTEM, it failed saying it couldn't find the OpenSSL libraries. 
So I grabbed the latest version of OpenSSL (0.9.8g) and compiled against 
that.

After a lot of digging, I came across this old post (2002) by David 
Wheeler: http://www.mail-archive.com/modssl-users@modssl.org/msg15623.html

This fixed my problem after manually applying the patch.  Is there any 
reason this wasn't applied to mod_ssl 5 years ago or addressed at all?

Thanks!

Bob



[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
12/19/2007 09:45 AM
Please respond to: modssl-users@modssl.org
To: modssl-users@modssl.org
Subject: mod_ssl-2.8.30-1.3.39 w/ mm-1.4.2 on mac os 10.4 issues

Hi, 

I am trying to run Apache 1.3.39 with mod_ssl 2.8.30, openssl 0.9.8g and 
mm 1.4.2.  I am able to successfully compile it, but when I start Apache 
in SSL mode, it exits immediately.  Looking in the error log, I see the 
following message: 

dyld: lazy symbol binding failed: Symbol not found: _SSL_CTX_sess_set_new_cb
 Referenced from: /usr/local/apache-1.3.39/libexec/libssl.so
 Expected in: flat namespace

Can anyone help me in resolving why this is happening? 

Thanks, 
Bob


Re: mod_ssl not for apache 2.2.4 (unix)?

2007-12-14 Thread Chris Jordan
Richard & Joe, Thanks so much!

Joe, thanks for the command. :o)

I'll see if I can manage it from here. I appreciate you answering such a
basic question for me. Really. Thanks. :o)

Cheers!
Chris

On Dec 14, 2007 2:27 PM, Joe Orton <[EMAIL PROTECTED]> wrote:

> On Fri, Dec 14, 2007 at 02:10:17PM -0600, Chris Jordan wrote:
> > Hi folks,
> >
> > I'm a complete newbie to compiling apache, and I'm trying to install my
> > first SSL certificate. All instructions I can find so far all assume that I
> > have mod_ssl installed already.
> >
> > I'm willing to install it, but all of the references I can find to the
> > latest and greatest version of mod_ssl say that it's for apache 1.3.39, but
> > I'm running apache 2.2.4 on a Fedora Core 6 (2.6.20-1.292.fc6)
>
> mod_ssl is part of httpd 2.x, and is included with Fedora.  Run
>
>  yum install mod_ssl
>
> joe
>



-- 
http://cjordan.us


Re: mod_ssl not for apache 2.2.4 (unix)?

2007-12-14 Thread Joe Orton
On Fri, Dec 14, 2007 at 02:10:17PM -0600, Chris Jordan wrote:
> Hi folks,
> 
> I'm a complete newbie to compiling apache, and I'm trying to install my
> first SSL certificate. All instructions I can find so far all assume that I
> have mod_ssl installed already.
> 
> I'm willing to install it, but all of the references I can find to the
> latest and greatest version of mod_ssl say that it's for apache 1.3.39, but
> I'm running apache 2.2.4 on a Fedora Core 6 (2.6.20-1.292.fc6)

mod_ssl is part of httpd 2.x, and is included with Fedora.  Run

  yum install mod_ssl

joe


RE: mod_ssl not for apache 2.2.4 (unix)?

2007-12-14 Thread Fought, Richard
As of Apache 2.x mod_ssl is included in the distribution.  All you
should have to do is enable the module in the configuration file.
 
Rich


Re: mod_ssl for apache 1.3.39

2007-09-10 Thread Douglas K. Fischer
I patched the EAPI patch to apply cleanly to 1.3.39. This should work
until a version is rolled for 1.3.39.

Cheers,

Doug
diff -PurN mod_ssl-2.8.28-1.3.37/pkg.eapi/eapi.patch 
mod_ssl-2.8.28-1.3.39/pkg.eapi/eapi.patch
--- mod_ssl-2.8.28-1.3.37/pkg.eapi/eapi.patch   2007-09-10 13:31:38.0 
-0400
+++ mod_ssl-2.8.28-1.3.39/pkg.eapi/eapi.patch   2007-09-10 13:36:27.0 
-0400
@@ -1132,7 +1132,7 @@
  
  /*
   * The max child slot ever assigned, preserved across restarts.  Necessary
-@@ -436,6 +439,30 @@
+@@ -471,6 +474,30 @@
  }
  }
  
@@ -1163,7 +1163,7 @@
  #ifndef NETWARE
  static APACHE_TLS int volatile exit_after_unblock = 0;
  #endif
-@@ -1551,6 +1578,9 @@
+@@ -1588,6 +1615,9 @@
}
  
ap_bsetflag(save_req->connection->client, B_EOUT, 1);
@@ -1173,7 +1173,7 @@
ap_bclose(save_req->connection->client);

if (!ap_standalone)
-@@ -1559,6 +1589,9 @@
+@@ -1596,6 +1626,9 @@
  }
  else {/* abort the connection */
ap_bsetflag(current_conn->client, B_EOUT, 1);
@@ -1183,7 +1183,7 @@
ap_bclose(current_conn->client);
current_conn->aborted = 1;
  }
-@@ -1880,10 +1913,16 @@
+@@ -1915,10 +1948,16 @@
  /* Send any leftover data to the client, but never try to again */
  
  if (ap_bflush(r->connection->client) == -1) {
@@ -1200,7 +1200,7 @@
  ap_bsetflag(r->connection->client, B_EOUT, 1);
  
  /* Close our half of the connection --- send the client a FIN */
-@@ -2582,6 +2621,9 @@
+@@ -2617,6 +2656,9 @@
  /* Clear the pool - including any registered cleanups */
  ap_destroy_pool(pglobal);
  #endif
@@ -1210,7 +1210,7 @@
  exit(code);
  }
  
-@@ -3655,6 +3697,24 @@
+@@ -3711,6 +3753,24 @@
  conn->remote_addr = *remaddr;
  conn->remote_ip = ap_pstrdup(conn->pool,
  inet_ntoa(conn->remote_addr.sin_addr));
@@ -1235,7 +1235,7 @@
  
  return conn;
  }
-@@ -4165,6 +4225,15 @@
+@@ -4221,6 +4281,15 @@
  printf("Server's Module Magic Number: %u:%u\n",
   MODULE_MAGIC_NUMBER_MAJOR, MODULE_MAGIC_NUMBER_MINOR);
  printf("Server compiled with\n");
@@ -1251,10 +1251,10 @@
  #ifdef TPF
  show_os_specific_compile_settings();
  #endif
-@@ -4339,6 +4408,22 @@
- ap_server_pre_read_config  = ap_make_array(pcommands, 1, sizeof(char *));
+@@ -4396,6 +4465,22 @@
  ap_server_post_read_config = ap_make_array(pcommands, 1, sizeof(char *));
  ap_server_config_defines   = ap_make_array(pcommands, 1, sizeof(char *));
+ pid_table  = ap_make_table(pglobal, HARD_SERVER_LIMIT);
 +
 +#ifdef EAPI
 +ap_hook_init();
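Review bot: in the inner hunk retargeted to "@@ -4396,6 +4465,22 @@" the context itself changes, not only the offsets. The "ap_server_pre_read_config" line is dropped as leading context and "pid_table  = ap_make_table(pglobal, HARD_SERVER_LIMIT);" becomes the last context line before the "#ifdef EAPI" block. Please say so in the message, since most of the other hunks shown only shift line numbers, and confirm that ap_hook_init() is meant to run after the pid_table allocation in 1.3.39.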
@@ -1274,7 +1274,7 @@
  }
  
  #ifndef MULTITHREAD
-@@ -4835,6 +4920,9 @@
+@@ -4892,6 +4977,9 @@
  
ap_sync_scoreboard_image();
if (ap_scoreboard_image->global.running_generation != 
ap_my_generation) {
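Review bot: the context line "if (ap_scoreboard_image->global.running_generation !=" is wrapped here, leaving "ap_my_generation) {" on a line of its own, so the old side of this hunk has 8 lines where the header "@@ -1274,7 +1274,7 @@" declares 7 and patch(1) will not accept it as posted. The same wrapping splits the "---" and "+++" timestamps and the "diff -PurN" line at the top. Please resend the diff as an attachment, or with line wrapping turned off in the mail client.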
@@ -1284,7 +1284,7 @@
ap_bclose(conn_io);
clean_child_exit(0);
}
-@@ -4863,6 +4951,9 @@
+@@ -4920,6 +5008,9 @@
 */
  
  #ifdef NO_LINGCLOSE
@@ -1294,7 +1294,7 @@
ap_bclose(conn_io); /* just close it */
  #else
if (r && r->connection
-@@ -4873,6 +4964,9 @@
+@@ -4930,6 +5021,9 @@
lingering_close(r);
}
else {
@@ -1304,7 +1304,7 @@
ap_bsetflag(conn_io, B_EOUT, 1);
ap_bclose(conn_io);
}
-@@ -5656,16 +5750,31 @@
+@@ -5730,16 +5824,31 @@
usage(argv[0]);
}
  }
@@ -1336,7 +1336,7 @@
  }
  
  child_timeouts = !ap_standalone || one_process;
-@@ -5813,6 +5922,10 @@
+@@ -5887,6 +5996,10 @@
ap_destroy_pool(r->pool);
}
  
@@ -1347,7 +1347,7 @@
ap_bclose(cio);
  }
  exit(0);
-@@ -6189,6 +6302,9 @@
+@@ -6263,6 +6376,9 @@
ap_kill_cleanups_for_socket(ptrans, csd);
  
  #ifdef NO_LINGCLOSE
@@ -1357,7 +1357,7 @@
ap_bclose(conn_io); /* just close it */
  #else
if (r && r->connection
-@@ -6199,6 +6315,9 @@
+@@ -6273,6 +6389,9 @@
lingering_close(r);
}
else {
@@ -1367,7 +1367,7 @@
ap_bsetflag(conn_io, B_EOUT, 1);
ap_bclose(conn_io);
}
-@@ -7774,6 +7893,10 @@
+@@ -7848,6 +7967,10 @@
  if (!conf_specified)
  ap_cpystrn(ap_server_confname, SERVER_CONFIG_FILE, 
sizeof(ap_server_confname));
  
@@ -1378,7 +1378,7 @@
  if (!ap_os_is_path_absolute(ap_server_confname))
  ap_cpystrn(ap_server_confname,
 ap_server_root_relative(pcommands, ap_server_confname),
-@@ -7814,6 +7937,9 @@
+@@ -7888,6 +8011,9 @@
  #else /* ndef WIN32 */
  server_conf = ap_read_config(pconf, ptrans, ap_server_confname);
  #endif
@@ -1598,26 +1598,29 @@
 Index: src/modules/standard/mod_status.c
 --- src/modules/standard/mod_status.c  28 Jul 2006 13:55:27 -  1.1.1.17
 +++ src/modules/standard/mod_status.c  28 Jul 2006 13:56:29 -  1.14
-@@ -652,12 +678,23 @@
+@@ -653,6 +653,18 @@
ap_r
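Review bot: the mod_status.c inner header goes from "-652,12 +678,23" to "-653,6 +653,18", which is not a plain offset shift like the earlier hunks. The old-side span shrinks from 12 lines to 6, the net growth changes from 11 lines to 12, and the 26-line gap between old and new start positions disappears, while the outer header (26 lines to 29) shows three lines added to the patch file here. Please describe in the message what was changed for this file, and confirm that no earlier mod_status.c hunk was dropped; the "Index:" revision lines above it are left untouched.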

Re: mod_ssl for apache 1.3.39

2007-09-10 Thread Jim Jagielski
Some of the patches in eapi.patch do not apply cleanly and are
rejected. This means that, unless you hand apply them, the
patch isn't complete and you core dump when mod_ssl is trying
to hook.

Pascal Nobus wrote:
> 
> Does anyone know that a new version of mod_ssl is under construction for
> use with apache 1.3.39?
> I tried to compile Apache-1.3.39 with mod_ssl for 1.3.37 but that kills
> apache...
> 
> best regards,
> Pascal
> 


-- 
===
   Jim Jagielski   [|]   [EMAIL PROTECTED]   [|]   http://www.jaguNET.com/
"If you can dodge a wrench, you can dodge a ball."


Re: mod_ssl setup process with apache 2.2.4

2007-06-12 Thread Dave Paris
That sounds like a lot of unnecessary overhead for the Apache boxes. 
Check:  http://www.apsis.ch/pound/  .. it does precisely what you seek.


Best~
-d

Saikat Saha wrote:

Hi,

We are trying to setup apache 2.2.4 along with mod_ssl and mod_jk. Mod_jk
has been successfully configured and working with two instances of Jboss.

However after installing mod_ssl, does not seem to be
installed/configured properly. Is there some link which describes step
by step setup process to configure Mod_ssl with apache 2.2.4? Can anyone
please forward the link?

Also, we have three ports, two of them need to be https and one needs to
be http. How do we configure this?

In our configuration, we want Apache to receive https requests from
clients and then forward http to the Jboss application server thru
mod_jk. Can someone please point to some link/documentation.

We would assume these are standard practices.

Thank you so very much for your kind help.

Regards,

SS



RE: mod_ssl performance problems - FreeBSD

2007-03-26 Thread Tim Lovelace
Thanks for the information. What would be the recommended SSLCipherSuite
settings to use? I would like to eliminate some of the lower security
options, but I am curious what set of clients that would affect. Originally
ports had added this line to httpd.conf

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

I then changed it to 

SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

And saw some huge performance changes. The TPS jumped from the 13-15 range
into the lower 60 range. Also the total transaction time dropped by more
than 2/3 of the original.


So overall I have changed these parameters -

SSLCipherSuite - see above, huge changes
SSLRandomSeed - changed from /dev/random to /dev/urandom
SSLSessionCacheTimeout - increased to 900 due to the time users will be in
the app. What is the tradeoff memory-wise?

Are there any other parameters that should be tuned? I have seen a lot about
the SSLMutex but I am not sure I understand the value of making that change.
Thanks again

Tim



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of a k
Sent: Monday, March 26, 2007 4:39 AM
To: modssl-users@modssl.org
Subject: RE: mod_ssl performance problems - FreeBSD

The cipher you allow will have a big impact on performance.

Tim Lovelace <[EMAIL PROTECTED]> wrote:
Thanks for the response. Although I expected a pretty decent difference
between HTTP and HTTPS I didn’t realize it would be so significant. Both
machines are small P3 2ghz boxes, the client side is running Ubuntu. They
are connected to the same switch. For the ab options I am running

ab -n 1000 -c 100 -s https://targethost

I can live with the low tps count assuming that the speed was a little
better. I have seen some of the initial connections take from 5-10 seconds
to setup. Is there some good general tuning I should try out?

Thanks
Tim 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, March 25, 2007 11:14 AM
To: modssl-users@modssl.org
Cc: [EMAIL PROTECTED]
Subject: RE: mod_ssl performance problems - FreeBSD

What hardware are you using for the client and the server?  are you running
ab from localhost?  What options are you using with ab?
 
Most of the CPU cycles in each transaction are going to be spent in the SSL
handshake.  I just did a quick test of one of my servers running 1.3.37 on a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps
for HTTP, and 24 for HTTPS.  I suspect that the latter may represent the
capabilities of my client machine rather than the server machine.
 
If you want fast SSL, you need hardware acceleration.  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Tim Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To: modssl-users@modssl.org
Subject: mod_ssl performance problems - FreeBSD
Hello,

I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE
system. I am currently running the following software

Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1

All built from ports. In testing of the web application I noticed that once
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server can
process about 700 requests per second. Using SSL the number is in the 13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows that
there are plenty of resources available. Any help would be appreciated.


Tim
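
How OpenSSL's documented cipher-string rules treat the two SSLCipherSuite values quoted in the message above, as an added example that is not part of the thread: a simplified Python model run over a small constructed catalog of suites. The catalog, its tags, the function names and the TIGHTER string are assumptions made for illustration; the rule it shows is that a leading "+" only reorders suites already selected, so without "ALL" the second string selects only the RC4+RSA suites.

```python
"""Simplified model of OpenSSL cipher-string evaluation, per ciphers(1)."""

# Constructed catalog: suite names in the style of OpenSSL 0.9.x with
# hand-assigned tags, in an assumed default order. Not a real build's list.
# The tag "RSA" here means RSA key exchange; "EDH" means ephemeral DH.
_RAW = [
    ("DHE-RSA-AES256-SHA",      "EDH AES HIGH SSLv3"),
    ("AES256-SHA",              "RSA AES HIGH SSLv3"),
    ("EDH-RSA-DES-CBC3-SHA",    "EDH 3DES HIGH SSLv3"),
    ("DES-CBC3-SHA",            "RSA 3DES HIGH SSLv3"),
    ("DES-CBC3-MD5",            "RSA 3DES HIGH SSLv2"),
    ("ADH-AES256-SHA",          "ADH AES HIGH SSLv3"),
    ("RC4-SHA",                 "RSA RC4 MEDIUM SSLv3"),
    ("RC4-MD5",                 "RSA RC4 MEDIUM SSLv3"),
    ("ADH-RC4-MD5",             "ADH RC4 MEDIUM SSLv3"),
    ("EDH-RSA-DES-CBC-SHA",     "EDH DES LOW SSLv3"),
    ("DES-CBC-SHA",             "RSA DES LOW SSLv3"),
    ("EXP1024-RC4-SHA",         "RSA RC4 EXP EXPORT56 SSLv3"),
    ("EXP-EDH-RSA-DES-CBC-SHA", "EDH DES EXP EXPORT40 SSLv3"),
    ("EXP-RC4-MD5",             "RSA RC4 EXP EXPORT40 SSLv3"),
    ("NULL-SHA",                "RSA eNULL SSLv3"),
]
CATALOG = [(name, frozenset(tags.split())) for name, tags in _RAW]
TAGS = dict(CATALOG)
WEAK_TAGS = {"EXP", "LOW", "SSLv2", "eNULL"}   # classes worth flagging

# The two strings from the message, plus one assumed tighter string.
STRING_A = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
STRING_B = "!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
TIGHTER = "HIGH:MEDIUM:!ADH:!SSLv2"            # illustration only


def _matches(name, tags, selector):
    """True if one token body (e.g. 'RC4+RSA') selects this suite."""
    if selector == name:
        return True
    if selector == "ALL":                      # ALL never includes eNULL
        return "eNULL" not in tags
    # 'A+B' inside a token is a logical AND of the two selectors.
    return all(part in tags for part in selector.split("+"))


def expand(cipher_string):
    """Return the ordered suite list a cipher string selects."""
    active, killed = [], set()
    for token in cipher_string.replace(",", ":").replace(" ", ":").split(":"):
        if not token:
            continue
        op = token[0] if token[0] in "!-+" else ""
        selector = token[len(op):]
        hit = [n for n, tags in CATALOG if _matches(n, tags, selector)]
        if op == "!":                          # delete permanently
            killed.update(hit)
            active = [n for n in active if n not in hit]
        elif op == "-":                        # delete, may be re-added
            active = [n for n in active if n not in hit]
        elif op == "+":                        # move to end, never adds
            moved = [n for n in active if n in hit]
            active = [n for n in active if n not in hit] + moved
        else:                                  # append suites not yet listed
            active += [n for n in hit if n not in active and n not in killed]
    return active


def weak_suites(cipher_string):
    """Selected suites that are export, LOW, SSLv2 or null-encryption."""
    return [n for n in expand(cipher_string) if TAGS[n] & WEAK_TAGS]


def uses_ephemeral_dh(cipher_string):
    """True if any selected suite does an ephemeral DH key exchange."""
    return any("EDH" in TAGS[n] for n in expand(cipher_string))


if __name__ == "__main__":
    for label, s in (("A", STRING_A), ("B", STRING_B), ("tighter", TIGHTER)):
        print(label, expand(s))
        print("  weak:", weak_suites(s), "| EDH:", uses_ephemeral_dh(s))
```

On a real host, `openssl ciphers -v '<string>'` lists what the installed library actually selects, and that output is the authoritative check.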



RE: mod_ssl performance problems - FreeBSD

2007-03-26 Thread a k
The cipher you allow will have a big impact on performance.

Tim Lovelace <[EMAIL PROTECTED]> wrote:
Thanks for the response. Although I expected a pretty decent difference
between HTTP and HTTPS I didn’t realize it would be so significant. Both
machines are small P3 2ghz boxes, the client side is running Ubuntu. They
are connected to the same switch. For the ab options I am running

ab -n 1000 -c 100 -s https://targethost

I can live with the low tps count assuming that the speed was a little
better. I have seen some of the initial connections take from 5-10 seconds
to setup. Is there some good general tuning I should try out?

Thanks
Tim 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, March 25, 2007 11:14 AM
To: modssl-users@modssl.org
Cc: [EMAIL PROTECTED]
Subject: RE: mod_ssl performance problems - FreeBSD

What hardware are you using for the client and the server?  are you running
ab from localhost?  What options are you using with ab?
 
Most of the CPU cycles in each transaction are going to be spent in the SSL
handshake.  I just did a quick test of one of my servers running 1.3.37 on a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps
for HTTP, and 24 for HTTPS.  I suspect that the latter may represent the
capabilities of my client machine rather than the server machine.
 
If you want fast SSL, you need hardware acceleration.  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Tim Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To: modssl-users@modssl.org
Subject: mod_ssl performance problems - FreeBSD
Hello,

I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE
system. I am currently running the following software

Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1

All built from ports. In testing of the web application I noticed that once
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server can
process about 700 requests per second. Using SSL the number is in the 13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows that
there are plenty of resources available. Any help would be appreciated.


Tim


RE: mod_ssl performance problems - FreeBSD

2007-03-25 Thread Tim Lovelace
Thanks for the response. Although I expected a pretty decent difference
between HTTP and HTTPS I didn’t realize it would be so significant. Both
machines are small P3 2ghz boxes, the client side is running Ubuntu. They
are connected to the same switch. For the ab options I am running

ab -n 1000 -c 100 -s https://targethost

I can live with the low tps count assuming that the speed was a little
better. I have seen some of the initial connections take from 5-10 seconds
to setup. Is there some good general tuning I should try out?

Thanks
Tim 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, March 25, 2007 11:14 AM
To: modssl-users@modssl.org
Cc: [EMAIL PROTECTED]
Subject: RE: mod_ssl performance problems - FreeBSD

What hardware are you using for the client and the server?  are you running
ab from localhost?  What options are you using with ab?
 
Most of the CPU cycles in each transaction are going to be spent in the SSL
handshake.  I just did a quick test of one of my servers running 1.3.37 on a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps
for HTTP, and 24 for HTTPS.  I suspect that the latter may represent the
capabilities of my client machine rather than the server machine.
 
If you want fast SSL, you need hardware acceleration.  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Tim Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To: modssl-users@modssl.org
Subject: mod_ssl performance problems - FreeBSD
Hello,

I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE
system. I am currently running the following software

Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1

All built from ports. In testing of the web application I noticed that once
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server can
process about 700 requests per second. Using SSL the number is in the 13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows that
there are plenty of resources available. Any help would be appreciated.


Tim



RE: mod_ssl performance problems - FreeBSD

2007-03-25 Thread lusky
What hardware are you using for the client and the server?  are you running
ab from localhost?  What options are you using with ab?
 
Most of the CPU cycles in each transaction are going to be spent in the SSL
handshake.  I just did a quick test of one of my servers running 1.3.37 on a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps for
HTTP, and 24 for HTTPS.  I suspect that the latter may represent the
capabilities of my client machine rather than the server machine.
 
If you want fast SSL, you need hardware acceleration.  



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Tim Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To: modssl-users@modssl.org
Subject: mod_ssl performance problems - FreeBSD



Hello,

 

I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE
system. I am currently running the following software

 

Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1

 

All built from ports. In testing of the web application I noticed that once
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server can
process about 700 requests per second. Using SSL the number is in the 13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows that
there are plenty of resources available. Any help would be appreciated.

 

 

Tim



Re: mod_ssl for apache 2.x?

2006-12-29 Thread Mads Toftum
On Fri, Dec 29, 2006 at 08:31:32PM +, Bahadir Balban wrote:
> Does mod_ssl work on Apache 2.x? Why does it say mod_ssl is for 1.3 
> everywhere?

Because the version of mod_ssl you find at modssl.org is only for 1.3.
> 
> Is there any other ssl solution to apache 2.x?
> 
--enable-ssl when configuring apache 2 - mod_ssl is included in the
apache httpd-2.x source.

vh

Mads Toftum
-- 
http://soulfood.dk


Re: Mod_SSL

2006-11-10 Thread Cliff Woolley
You don't have to patch anything.  It's already in there.
Just add --enable-ssl to the ./configure command line arguments.

--Cliff

On 11/10/06, kbajwa <[EMAIL PROTECTED]> wrote:

Cliff:

You are all right. This is my first try to
build a server, so I need further help.

I have downloaded the latest Apache
version 'httpd-2.2.3'. I am at the point where I need to patch it
with 'mod_ssl' module. Can you guide me how to patch 'httpd-2.2.3'
with the latest version of 'mod_ssl-2.2.828-1.3.37'?

Thanks in advance.

Kirt

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cliff Woolley
Sent: Tuesday, November 07, 2006 5:05 PM
To: modssl-users@modssl.org
Subject: Re: Mod_SSL

What this person is getting at is that the reason you can't find a mod_ssl
patch for Apache 2.x is that mod_ssl comes pre-bundled with Apache 2.x.
Just enable it when you run configure on the apache build.

--Cliff

On 11/7/06, Kong, Yi - HPL <[EMAIL PROTECTED]> wrote:

You add ssl argument when you configure the apache

From: kbajwa [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 07, 2006 10:22 AM
To: modssl-users@modssl.org
Subject: Mod_SSL

My first posting!  I am installing Apache-2.2.3
and would like to install mod_ssl. I notice that current/latest version of mod_ssl
is for Apache-1.x.x version. Is there any way (with a patch) to install the
latest version of mod_ssl on Apache-2.x.x?

RE: Mod_SSL

2006-11-10 Thread kbajwa

Cliff:

You are all right. This is my first try to
build a server, so I need further help.

I have downloaded the latest Apache
version 'httpd-2.2.3'. I am at the point where I need to patch it
with 'mod_ssl' module. Can you guide me how to patch 'httpd-2.2.3'
with the latest version of 'mod_ssl-2.2.828-1.3.37'?

Thanks in advance.

Kirt

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cliff Woolley
Sent: Tuesday, November 07, 2006 5:05 PM
To: modssl-users@modssl.org
Subject: Re: Mod_SSL

What this person is getting at is that the reason you can't find a mod_ssl
patch for Apache 2.x is that mod_ssl comes pre-bundled with Apache 2.x.
Just enable it when you run configure on the apache build.

--Cliff

On 11/7/06, Kong, Yi - HPL <[EMAIL PROTECTED]> wrote:

You add ssl argument when you configure the apache

From: kbajwa [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 07, 2006 10:22 AM
To: modssl-users@modssl.org
Subject: Mod_SSL

My first posting!  I am installing Apache-2.2.3
and would like to install mod_ssl. I notice that current/latest version of mod_ssl
is for Apache-1.x.x version. Is there any way (with a patch) to install the
latest version of mod_ssl on Apache-2.x.x?

Re: Mod_SSL

2006-11-07 Thread Cliff Woolley
What this person is getting at is that the reason you can't find a mod_ssl
patch for Apache 2.x is that mod_ssl comes pre-bundled with Apache 2.x.
Just enable it when you run configure on the apache build.

--Cliff

On 11/7/06, Kong, Yi - HPL <[EMAIL PROTECTED]> wrote:

You add ssl argument when you configure the apache

From: kbajwa [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 07, 2006 10:22 AM
To: modssl-users@modssl.org
Subject: Mod_SSL

My first posting!  I am installing Apache-2.2.3 and would like to install
mod_ssl. I notice that current/latest version of mod_ssl is for Apache-1.x.x
version. Is there any way (with a patch) to install the latest version of
mod_ssl on Apache-2.x.x?


RE: Mod_SSL

2006-11-07 Thread Kong, Yi - HPL

You add ssl argument when you configure the apache

From: kbajwa [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 07, 2006 10:22 AM
To: modssl-users@modssl.org
Subject: Mod_SSL

Hello List:

My first posting!  I am installing Apache-2.2.3 and would like to install
mod_ssl. I notice that current/latest version of mod_ssl is for Apache-1.x.x
version. Is there any way (with a patch) to install the latest version of
mod_ssl on Apache-2.x.x?

Thanks.

Kirt


Re: mod_ssl: SSLRequire

2006-04-05 Thread Olaf Gellert
[EMAIL PROTECTED] wrote:

> How deep is VerifyDepth ? 

I guess this is the wrong direction of error checking.
VerifyDepth and VerifyRequire are used in evaluating the
certificate chain on SSL connection establishment, the
SSLRequire expression is evaluated after the HTTP request
is successfully transmitted and the server already knows
which webpage is requested (it's a "directory" section...)

Of course VerifyDepth is sufficient (every value above 2
works in my case, as expected), if it was not, the error
would be something like "unable to get issuer certificate",
because evaluation starts at the leaf (= client certificate)
going up to the root CA cer.

> I know it will be a big file, but for this purposes i use to turn on
> "LogLevel Debug" than the error_log will become very verbose.
> There Apache will tell if your "testuser" will be checked or not .

How would that look like? I see at the connection
establishment:

[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 2, subject: /C=DE/O=SSLTest Root CA/CN=SSLTest Root, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 1, subject: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01, issuer: /C=DE/O=SSLTest Root CA/CN=SSLTest Root
[Wed Apr 05 19:17:59 2006] [debug] ssl_engine_kernel.c(1228): Certificate Verification: depth: 0, subject: /C=DE/O=SSLTest SubCA 01/OU=User Certificates/CN=testuser2, issuer: /C=DE/O=SSLTest SubCA 01/CN=SSLTest SubCA 01

After many bytes of packet dump I see the HTTP request
arrived:

[Wed Apr 05 19:17:59 2006] [info] Initial (No.1) HTTPS request received for child 0 (server www.testserver.de:443)

and then again lots of bytes (the webpage that is delivered).
Nothing about the check of SSLRequire...

Thanx for your help anyways. :-)  I guess the next step
will be stracing the whole thing...

-- 
Dipl.Inform. Olaf Gellert  PRESECURE (R)
Senior Researcher,   Consulting GmbH
Phone: (+49) 0700 / PRESECURE   [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet



RE: mod_ssl: SSLRequire

2006-04-05 Thread Oliver.Schaudt
 
>[EMAIL PROTECTED] wrote:
>> Perhaps
>>   SSLVerifyClient require
>> 
>> Default is
>>   SSLVerifyClient none

>Good idea, but  this is set already (otherwise the
>client would not authentify with the certificate)
>for this virtual host. Moving it into the directory
>section does not change anything either. And VerifyDepth
>is set, too...

How deep is VerifyDepth ? 

I know it will be a big file, but for this purposes i use to turn on
"LogLevel Debug" than the error_log will become very verbose.
There Apache will tell if your "testuser" will be checked or not .

>Olaf

bye

Oliver


-- 
Dipl.Inform. Olaf Gellert  PRESECURE (R)
Senior Researcher,   Consulting GmbH
Phone: (+49) 0700 / PRESECURE   [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet


Re: mod_ssl: SSLRequire

2006-04-05 Thread Olaf Gellert
[EMAIL PROTECTED] wrote:
> Perhaps
>   SSLVerifyClient require
> 
> Default is
>   SSLVerifyClient none

Good idea, but  this is set already (otherwise the
client would not authentify with the certificate)
for this virtual host. Moving it into the directory
section does not change anything either. And VerifyDepth
is set, too...

Olaf

-- 
Dipl.Inform. Olaf Gellert  PRESECURE (R)
Senior Researcher,   Consulting GmbH
Phone: (+49) 0700 / PRESECURE   [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet



RE: mod_ssl: SSLRequire

2006-04-05 Thread Oliver.Schaudt
Perhaps
  SSLVerifyClient require

Default is
  SSLVerifyClient none

Greetings

Oliver
-Original Message-
From: [EMAIL PROTECTED] on behalf of Olaf Gellert
Sent: Wed 05.04.2006 14:08
To: modssl-users@modssl.org
Subject: mod_ssl: SSLRequire
 
I try to do X.509 client authentication with Apache
Apache/2.0.54. This works fine. Now I want to check
for certain fields in the client certificate with
SSLRequire. Even though I ask that

%{SSL_CLIENT_S_DN_CN} eq "Testuser"

the server permits access to a client with
SSL_CLIENT_S_DN_CN="testuser2". What's wrong?

Here is the corresponding section from my config:

 SSLOptions +FakeBasicAuth +StdEnvVars +CompatEnvVars +StrictRequire
 

   AllowOverride None
   Options +FollowSymLinks +Includes
   Order deny,allow
   Deny from all
   Allow from localhost
   SSLRequireSSL
   SSLRequire (%{SSL_CLIENT_S_DN_O} eq "SSLTest SubCA 01" \
&& %{SSL_CLIENT_S_DN_OU} eq "User Certificates" \
&& %{SSL_CLIENT_S_DN_CN} eq "Testuser" )


Anything forgotten? If I print out the environment from
within the webpage (with SSI #printenv), I see (among all
the other variables):

SSL_CLIENT_S_DN_O=SSLTest SubCA 01
SSL_CLIENT_S_DN_OU=User Certificates
SSL_CLIENT_S_DN_CN=testuser2

Hmmm Any clues?

Olaf

-- 
Dipl.Inform. Olaf Gellert  PRESECURE (R)
Senior Researcher,   Consulting GmbH
Phone: (+49) 0700 / PRESECURE   [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet



Re: Mod_ssl and how to reduce overhead (Thanks!)

2005-09-27 Thread Pigeon

Thanks for all the great info!

It definitely gives me a nice footing from which I can start.



Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Cliff Woolley
On 9/26/05, Phil Ehrens <[EMAIL PROTECTED]> wrote:
> Pigeon wrote:
> > (The reason I say 10k concurrent is because we have an update system (sorta
> > like windows update).. and as soon as we tell their computer to update, we
> > have 10k boxes saying give me the file!)

I think I agree with the guy who said this thread has pretty much been
asked and answered at this point, but I figured I'd just throw in one
more little nugget for you to think about.

It sounds to me from the limited information above that you're causing
your own problem here by instructing 10k-100k clients to update
themselves with some multi-megabyte patch file simultaneously.  This
is obviously a huge amount of bandwidth, but it doesn't seem obvious
to me that it would be a huge amount of bandwidth on a 24/7 basis...
rather it would come in bursts _at times specified by you_.  This to
me begs for a software engineering effort rather than a
sysadmin/netadmin effort; if you can get the clients to wait some
random length of time after receiving the "update available"
notification prior to requesting the update, your number of concurrent
accesses will drop dramatically.  Alternatively, if you have more
control over the server-side code than the client-side code, you could
publish the "update available" notification TO the clients a handful
at a time rather than all at the same time.

Hope this helps, and best of luck...

--Cliff
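
The two suggestions in the message above (a random client-side delay, or notifying clients a handful at a time) can be compared with a small simulation. This is an added sketch, not code from the thread: the client count and 15 MB file size are the thread's figures, while the 1.5 Mbit/s per-client rate, the one-hour window and the batch size are assumptions.

```python
import random

# Figures taken from the thread: 10k clients, ~15 MB update file.
N_CLIENTS = 10_000
FILE_MBIT = 15 * 8            # 15 MB expressed in megabits (decimal units)
# Assumption for this sketch: every client is limited to 1.5 Mbit/s by its
# own link, so one download lasts 120 / 1.5 = 80 seconds. A saturated
# uplink would stretch downloads further; that effect is not modelled.
CLIENT_MBIT_S = 1.5
DOWNLOAD_S = FILE_MBIT / CLIENT_MBIT_S


def peak_concurrency(start_times, download_s):
    """Sweep-line count of the largest number of overlapping downloads."""
    events = []
    for start in start_times:
        events.append((start, 1))                 # download begins
        events.append((start + download_s, -1))   # download ends
    # Tuples sort by time first; at equal times ends (-1) precede starts (+1),
    # so a slot freed at time t can be reused by a download starting at t.
    events.sort()
    active = peak = 0
    for _, delta in events:
        active += delta
        peak = max(peak, active)
    return peak


def jittered_starts(n_clients, window_s, seed=1):
    """Client-side fix: each client waits a uniform random delay."""
    rng = random.Random(seed)   # fixed seed so the run is repeatable
    return [rng.uniform(0, window_s) for _ in range(n_clients)]


def batched_starts(n_clients, batch_size, interval_s):
    """Server-side fix: notify batch_size clients every interval_s seconds."""
    return [(i // batch_size) * interval_s for i in range(n_clients)]


def report(label, starts):
    """Return (label, peak connections, uplink in Mbit/s needed at the peak)."""
    peak = peak_concurrency(starts, DOWNLOAD_S)
    return label, peak, peak * CLIENT_MBIT_S


if __name__ == "__main__":
    scenarios = [
        ("all at once", [0.0] * N_CLIENTS),
        ("random delay, 1 h window", jittered_starts(N_CLIENTS, 3600)),
        ("batches of 500 every 2 min", batched_starts(N_CLIENTS, 500, 120)),
    ]
    for label, starts in scenarios:
        _, peak, mbit = report(label, starts)
        print(f"{label:28s} peak={peak:6d} conns  uplink={mbit:8.0f} Mbit/s")
```

The peak connection count is also the number of simultaneous SSL sessions the front end has to carry, so the same schedule change that cuts bandwidth also cuts handshake and encryption load.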


Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Phil Ehrens
Pigeon wrote:
> Ok, let's assume I can get a network connection with:
> A)10mbit
> B)100mbit
> C)1000mbit
>
> And I will have 10k concurrent downloads (let us throw out 100k for now..
> because I can always scale up figures if we get a base).
>
> (The reason I say 10k concurrent is because we have an update system (sorta
> like windows update).. and as soon as we tell their computer to update, we
> have 10k boxes saying give me the file!)
>
> So my question is..
> What would be the best (given we cannot do blades or the like since we have
> to use 'standard' 1u/2u/4u boxes from the dedi center).
> Should we definitely beat the problem with iron and get 5 servers doing load
> balancing? 2 servers? If 2 servers go with the 1000mbit connection?

The short answer is that you need to benchmark using various
configurations. You have a particularly bad problem, what with
the per-request encryption beating on the CPU's, and the large
file size beating on the network (and putting your servers at
the mercy of the clients).

Pushing all of the solutions downstream like this instead of
coming up with a better front-end is going to cost you. This
all just screams for a more elegant solution than just asking
apache to stick its finger in the dike.

Good luck.



Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Jeffrey Burgoyne
Well, the math is simple

1000mbit/1 users = 100 kilobit/sec, or 12K per second, or 1200
seconds, 20 minutes per download. Marginally acceptable by today's
standards.

To concurrently process that much data, that many connections, you will
want a load balancer out front.

With the system I'm currently administering, with a dual 3Gig Xeon we can
safely handle about 2000 concurrent connections non SSL, although we have
a rather overweight config. I would expect you need at least two boxes,
and 5 would probably not be overkill.

BTW, do you really need SSL? From a project design perspective, would it
be possible to encrypt the file to be downloaded (encryption cost
only once)? Then using sendfile you could really have it hum.


Jeffrey Burgoyne

Chief Technology Architect
KCSI Keenuh Consulting Services Inc
[EMAIL PROTECTED]

On Mon, 26 Sep 2005, Pigeon wrote:

> Ok, let's assume I can get a network connection with:
> A)10mbit
> B)100mbit
> C)1000mbit
>
> And I will have 10k concurrent downloads (let us throw out 100k for now..
> because I can always scale up figures if we get a base).
>
> (The reason I say 10k concurrent is because we have an update system (sorta
> like windows update).. and as soon as we tell their computer to update, we
> have 10k boxes saying give me the file!)
>
> So my question is..
> What would be the best (given we cannot do blades or the like since we have
> to use 'standard' 1u/2u/4u boxes from the dedi center).
> Should we definitely beat the problem with iron and get 5 servers doing load
> balancing? 2 servers? If 2 servers go with the 1000mbit connection?
>
>
>
> thank you for all of your time and input!
>
> thanks
> Lee
>
>
>
>
>
> - Original Message -
> From: "Mads Toftum" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, September 26, 2005 1:27 PM
> Subject: Re: Mod_ssl and how to reduce overhead
>
>
> > On Mon, Sep 26, 2005 at 11:28:11AM -0400, Pigeon wrote:
> >> Hmm.. 10k -100k are pretty much  guaranteed numbers..
> >>
> > That's quite a wide margin. Are we talking concurrent users or just
> > number of people who could be using it over a period of xx?
> >
> >> So my main computer crunching will be done at the beginning? (and to
> >> relieve
> >> this I can do session key caching.. how long can I cache a key? is this
> >> 'secure'?)  (also.. all transfers will be ~15megs in size)
> >>
> > well, with 15meg files you've got more work to do encrypting the content
> > as the session goes along. You can cache the key as long as you want,
> > but depending on the type of encryption used, most browsers will not
> > allow the key to live for all that long. I usually run for about 1 hour,
> > but ymmv depending on the chosen parameters.
> >
> >> And using a single server is out of the question?
> >>
> > the number of concurrent users has very much to say in that regard.
> > Maybe an ibm power 5 64 proc or a fully loaded sun e25k - and add an
> > ssl accelerator to the mix.
> >
> >> If we just go with one server.. shouldn't it be something super fast..
> >> amd64 1gig ram?
> >>
> > Super fast / amd 64 with only 1 gig mem? you've got to be kidding - I'm
> > pretty sure you couldn't keep even without SSL.
> > Doesn't your pr0n streaming business generate enough income to pay for a
> > real server? ;)
> >
> > vh
> >
> > Mads Toftum
> > --
> > `Darn it, who spiked my coffee with water?!' - lwall


Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread dparis
You're not looking at your problem from the right angle.

10K users... asking for the SAME file.  Set up a smallish farm of four or
five machines and use a HTTP Accelerator. (basically a Squid proxy turned
on its head - the examples exist in the config file for squid .. look at
the http accelerator mode).

Then use an SSL terminating proxy cluster on the frontend .. now you have
0 disk contention since the file will be sent straight from RAM.

What you now need to know is the distribution of connection speeds for
your users.  If they're on T3's, you have no choice but to go with GigE.
.. Frankly, you're probably looking at some sort of GigE burstable product
offering anyway.

Ok .. enough's enough .. Your original question has been answered long ago
and you've heard from everyone with additional information and ideas.
We're getting very close to the point of engineering this solution for
you.  Either you can take it from here or hire some of us as consultants
to work out the rest of the engineering for you.  Free software is one
thing .. free engineering is quite another.

Best~
-d

> Ok, let's assume I can get a network connection with:
> A)10mbit
> B)100mbit
> C)1000mbit
>
> And I will have 10k concurrent downloads (let us throw out 100k for now..
> because I can always scale up figures if we get a base).
>
> (The reason I say 10k concurrent is because we have an update system
> (sorta
> like windows update).. and as soon as we tell their computer to update, we
> have 10k boxes saying give me the file!)
>
> So my question is..
> What would be the best (given we cannot do blades or the like since we
> have
> to use 'standard' 1u/2u/4u boxes from the dedi center).
> Should we definitely beat the problem with iron and get 5 servers doing load
> balancing? 2 servers? If 2 servers go with the 1000mbit connection?
>
>
>
> thank you for all of your time and input!
>
> thanks
> Lee
>
>
>
>
>
> - Original Message -
> From: "Mads Toftum" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, September 26, 2005 1:27 PM
> Subject: Re: Mod_ssl and how to reduce overhead
>
>
>> On Mon, Sep 26, 2005 at 11:28:11AM -0400, Pigeon wrote:
>>> Hmm.. 10k -100k are pretty much  guaranteed numbers..
>>>
>> That's quite a wide margin. Are we talking concurrent users or just
>> number of people who could be using it over a period of xx?
>>
>>> So my main computer crunching will be done at the beginning? (and to
>>> relieve
>>> this I can do session key caching.. how long can I cache a key? is this
>>> 'secure'?)  (also.. all transfers will be ~15megs in size)
>>>
>> well, with 15meg files you've got more work to do encrypting the content
>> as the session goes along. You can cache the key as long as you want,
>> but depending on the type of encryption used, most browsers will not
>> allow the key to live for all that long. I usually run for about 1 hour,
>> but ymmv depending on the chosen parameters.
>>
>>> And using a single server is out of the question?
>>>
>> the number of concurrent users has very much to say in that regard.
>> Maybe an ibm power 5 64 proc or a fully loaded sun e25k - and add an
>> ssl accelerator to the mix.
>>
>>> If we just go with one server.. shouldn't it be something super fast..
>>> amd64 1gig ram?
>>>
>> Super fast / amd 64 with only 1 gig mem? you've got to be kidding - I'm
>> pretty sure you couldn't keep even without SSL.
>> Doesn't your pr0n streaming business generate enough income to pay for a
>> real server? ;)
>>
>> vh
>>
>> Mads Toftum
>> --
>> `Darn it, who spiked my coffee with water?!' - lwall


Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Pigeon

Ok, let's assume I can get a network connection with:
A)10mbit
B)100mbit
C)1000mbit

And I will have 10k concurrent downloads (let us throw out 100k for now..
because I can always scale up figures if we get a base).


(The reason I say 10k concurrent is because we have an update system (sorta
like windows update).. and as soon as we tell their computer to update, we
have 10k boxes saying give me the file!)


So my question is..
What would be the best (given we cannot do blades or the like since we have
to use 'standard' 1u/2u/4u boxes from the dedi center).
Should we definitely beat the problem with iron and get 5 servers doing load
balancing? 2 servers? If 2 servers go with the 1000mbit connection?




thank you for all of your time and input!

thanks
Lee





- Original Message - 
From: "Mads Toftum" <[EMAIL PROTECTED]>

To: 
Sent: Monday, September 26, 2005 1:27 PM
Subject: Re: Mod_ssl and how to reduce overhead



On Mon, Sep 26, 2005 at 11:28:11AM -0400, Pigeon wrote:

Hmm.. 10k -100k are pretty much  guaranteed numbers..


That's quite a wide margin. Are we talking concurrent users or just
number of people who could be using it over a period of xx?

So my main computer crunching will be done at the beginning? (and to 
relieve

this I can do session key caching.. how long can I cache a key? is this
'secure'?)  (also.. all transfers will be ~15megs in size)


well, with 15meg files you've got more work to do encrypting the content
as the session goes along. You can cache the key as long as you want,
but depending on the type of encryption used, most browsers will not
allow the key to live for all that long. I usually run for about 1 hour,
but ymmv depending on the chosen parameters.


And using a single server is out of the question?


the number of concurrent users has very much to say in that regard.
Maybe an ibm power 5 64 proc or a fully loaded sun e25k - and add an
ssl accelerator to the mix.


If we just go with one server.. shouldn't it be something super fast..
amd64 1gig ram?


Super fast / amd 64 with only 1 gig mem? you've got to be kidding - I'm
pretty sure you couldn't keep even without SSL.
Doesn't your pr0n streaming business generate enough income to pay for a
real server? ;)

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall



Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Mads Toftum
On Mon, Sep 26, 2005 at 11:28:11AM -0400, Pigeon wrote:
> Hmm.. 10k -100k are pretty much  guaranteed numbers..
> 
That's quite a wide margin. Are we talking concurrent users or just
number of people who could be using it over a period of xx?

> So my main computer crunching will be done at the beginning? (and to relieve
> this I can do session key caching.. how long can I cache a key? is this 
> 'secure'?)  (also.. all transfers will be ~15megs in size)
> 
well, with 15meg files you've got more work to do encrypting the content
as the session goes along. You can cache the key as long as you want,
but depending on the type of encryption used, most browsers will not
allow the key to live for all that long. I usually run for about 1 hour,
but ymmv depending on the chosen parameters.

> And using a single server is out of the question?
> 
the number of concurrent users has very much to say in that regard.
Maybe an ibm power 5 64 proc or a fully loaded sun e25k - and add an
ssl accelerator to the mix.

> If we just go with one server.. shouldn't it be something super fast.. 
> amd64 1gig ram?
> 
Super fast / amd 64 with only 1 gig mem? you've got to be kidding - I'm
pretty sure you couldn't keep even without SSL.
Doesn't your pr0n streaming business generate enough income to pay for a
real server? ;)

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall



Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Jeffrey Burgoyne
Just wondering, is this for the charter.net music download? I cannot
believe you would have 100,000 concurrent connections for a service such
as that. I also see the download file is listed at 1.5MB, not 15.

As for bandwidth, that better be upgraded. It took over a minute just
to download the home page off of charter.net.

Jeffrey Burgoyne

Chief Technology Architect
KCSI Keenuh Consulting Services Inc
[EMAIL PROTECTED]

On Mon, 26 Sep 2005, Pigeon wrote:

> Hmm.. 10k -100k are pretty much  guaranteed numbers..
>
> So my main computer crunching will be done at the beginning? (and to relieve
> this I can do session key caching.. how long can I cache a key? is this
> 'secure'?)  (also.. all transfers will be ~15megs in size)
>
> And using a single server is out of the question?
>
> If we just go with one server.. shouldn't it be something super fast.. amd64
> 1gig ram?
>
> thanks!
> Lee
>
>
> >
> > On Mon, 26 Sep 2005, Pigeon wrote:
> >
> >> Hello, I am trying to plan a system that can handle 10k-100k users.
> >>
> >> I am only using apache w/mod-ssl
> >>
> >> What should I look at to reduce overhead of bandwidth/cpu/mem?
> >>
> >> At what point should I look at ssl accelerators?
> >>
> >> Should I definitely look at clustering?
> >>
> >> Also.. I have heard about ssl session key caching, anyone know how much
> >> this
> >> will improve things?
> >>
> >> Any good resources I can read?
> >>
> >>
> >> thanks!
> >> Lee


Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Phil Ehrens
Aaron Turner wrote:
> 
> I gotta ask though, just what are you doing where you expect 100K  
> people trying to download a 15MB file all at the same time?  You  
> working for Microsoft and planning the next security tuesday patch  
> update or something? :)

That or he has the video of Gates getting raped by the penguin.

Oops, I hope this isn't a family list.


Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Aaron Turner


Not to mention 15MB download * 100K concurrent users is some  
*serious* traffic.  If you're going to be paying that kind of $$$ for  
bandwidth, I hope you've got some cash left over for a load balancer  
and additional web servers.  Some quick (and hopefully accurate) math:


For a T3:
15MB * 1024^2 bytes/MB * 8 bits/byte * 100,000 sessions / (45Mbit/s *  
1024^2 bits/Mbit) / 60 sec/min / 60 min/hour = 74 hours


For a 100Mbps ethernet uplink:
15MB * 1024^2 bytes/MB * 8 bits/byte * 100,000 sessions / (100Mbit/s  
* 1024^2 bits/Mbit) / 60 sec/min / 60 min/hour = 33 hours


And those assume zero overhead for framing and TCP/IP.  Not to  
mention, 100K Apache children/threads running to support all those  
connections (not going to happen).  So yeah, uh, them some serious  
numbers.  You're going to need some serious uplink and hardware (load  
balancer, multiple boxes) to pull this off.


I gotta ask though, just what are you doing where you expect 100K  
people trying to download a 15MB file all at the same time?  You  
working for Microsoft and planning the next security tuesday patch  
update or something? :)


--
Aaron Turner, Sr. Security Engineer
<[EMAIL PROTECTED]>

Ph: 408.329.6320  Fax: 408.329.6317


On Sep 26, 2005, at 8:52 AM, Dave paris wrote:


In an earlier note, you said that it was 10K-100K *concurrent* users.

a) that's a magnitude of difference, see if you can get better  
numbers from whomever is doing the marketing/project planning.
b) ain't no way you're going to do that many *CONCURRENT*  
transactions on a single box.


-d

Pigeon wrote:


Hmm.. 10k -100k are pretty much  guaranteed numbers..
So my main computer crunching will be done at the beginning? (and  
to relieve this I can do session key caching.. how long can I cache
a key? is this 'secure'?)  (also.. all transfers will be ~15megs  
in size)

And using a single server is out of the question?
If we just go with one server.. shouldn't it be something super  
fast.. amd64 1gig ram?

thanks!
Lee



On Mon, 26 Sep 2005, Pigeon wrote:



Hello, I am trying to plan a system that can handle 10k-100k users.

I am only using apache w/mod-ssl

What should I look at to reduce overhead of bandwidth/cpu/mem?

At what point should I look at ssl accelerators?

Should I definitely look at clustering?

Also.. I have heard about ssl session key caching, anyone know
how much this

will improve things?

Any good resources I can read?


thanks!
Lee


Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Dave paris

In an earlier note, you said that it was 10K-100K *concurrent* users.

a) that's a magnitude of difference, see if you can get better numbers 
from whomever is doing the marketing/project planning.
b) ain't no way you're going to do that many *CONCURRENT* transactions 
on a single box.


-d

Pigeon wrote:

Hmm.. 10k -100k are pretty much  guaranteed numbers..

So my main computer crunching will be done at the beginning? (and to 
relieve this I can do session key caching.. how long can I cache a key?
is this 'secure'?)  (also.. all transfers will be ~15megs in size)


And using a single server is out of the question?

If we just go with one server.. shouldn't it be something super fast.. 
amd64 1gig ram?


thanks!
Lee




On Mon, 26 Sep 2005, Pigeon wrote:


Hello, I am trying to plan a system that can handle 10k-100k users.

I am only using apache w/mod-ssl

What should I look at to reduce overhead of bandwidth/cpu/mem?

At what point should I look at ssl accelerators?

Should I definitely look at clustering?

Also.. I have heard about ssl session key caching, anyone know how
much this

will improve things?

Any good resources I can read?


thanks!
Lee


Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Pigeon

Hmm.. 10k -100k are pretty much  guaranteed numbers..

So my main computer crunching will be done at the beginning? (and to relieve
this I can do session key caching.. how long can I cache a key? is this 
'secure'?)  (also.. all transfers will be ~15megs in size)


And using a single server is out of the question?

If we just go with one server.. shouldn't it be something super fast.. amd64 
1gig ram?


thanks!
Lee




On Mon, 26 Sep 2005, Pigeon wrote:


Hello, I am trying to plan a system that can handle 10k-100k users.

I am only using apache w/mod-ssl

What should I look at to reduce overhead of bandwidth/cpu/mem?

At what point should I look at ssl accelerators?

Should I definitely look at clustering?

Also.. I have heard about ssl session key caching, anyone know how much
this

will improve things?

Any good resources I can read?


thanks!
Lee


Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Mads Toftum
On Mon, Sep 26, 2005 at 08:54:30AM -0400, Cliff Woolley wrote:
> Session caching is more or less essential for any kind of reasonable
> SSL performance.  Disabling the session cache will hurt your SSL perf
> by perhaps as much as an order of magnitude (roughly speaking -- it's
> been a long time since I benchmarked it).
> 
The actual performance benefit is dependent on the usage pattern (mostly
the length of sessions) but fetching a session from the cache is easily
100x faster than negotiating a new session key (again ymmv dependent on
how much spare processing power you have).
Openssl is useful in at least getting an idea of the order of magnitude
- run openssl speed rsa on the box to figure out how many rsa operations
it can handle concurrently for your chosen keysize.
openssl s_client with the -reconnect option will help determine whether
session caching is working on the server.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall
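
The `openssl s_client -reconnect` check mentioned in the message above can be turned into a pass/fail test by counting the `New,` and `Reused,` handshake lines that s_client prints. This is an added example, not code from the thread; the transcripts are constructed samples, and the reading of a mixed result as unshared caches behind a balancer is an assumption.

```python
import re
import subprocess

# Constructed s_client -reconnect transcripts, trimmed to the relevant lines.
# They are illustrative and were not captured from a real server.
SAMPLE_CACHE_WORKING = """\
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
"""

SAMPLE_CACHE_OFF = SAMPLE_CACHE_WORKING.replace("Reused,", "New,")

# Constructed: some reconnects resume, others negotiate from scratch.
SAMPLE_MIXED = """\
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
drop connection and then reconnect
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
drop connection and then reconnect
CONNECTED(00000003)
Reused, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
"""

# s_client reports each handshake on a line starting "New, " or "Reused, ".
HANDSHAKE_RE = re.compile(r"^(New|Reused), ", re.MULTILINE)


def handshake_kinds(transcript):
    """Return the handshake types in order, e.g. ['New', 'Reused']."""
    return HANDSHAKE_RE.findall(transcript)


def session_cache_verdict(transcript):
    """Classify a -reconnect transcript by how many reconnects resumed."""
    kinds = handshake_kinds(transcript)
    if len(kinds) < 2:
        return "inconclusive"    # no reconnect seen, e.g. connection failed
    reconnects = kinds[1:]       # the first handshake is always a full one
    reused = reconnects.count("Reused")
    if reused == len(reconnects):
        return "working"
    if reused == 0:
        return "not working"     # every reconnect paid for a full handshake
    # Assumed cause: reconnects reach back ends that do not share one cache.
    return "partial"


def run_reconnect(host, port=443, timeout=30):
    """Run the check against a server you administer; needs the openssl CLI."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-reconnect"],
        stdin=subprocess.DEVNULL, capture_output=True, text=True,
        timeout=timeout,
    )
    return proc.stdout


if __name__ == "__main__":
    for name, sample in [("cache on", SAMPLE_CACHE_WORKING),
                         ("cache off", SAMPLE_CACHE_OFF),
                         ("mixed", SAMPLE_MIXED)]:
        print(f"{name:10s} {handshake_kinds(sample)} -> "
              f"{session_cache_verdict(sample)}")
```

Against a live host, pass the output of `run_reconnect("your.server.example")` (a placeholder name) to `session_cache_verdict`.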



Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Pigeon

We are going to have 10k-100k concurrent users (yeah... )

We are transferring EXE files (no not warez)

I am just trying to get some ideas.. I am concerned about all because I do 
not know what to be concerned about :/


thanks
Lee



- Original Message - 
From: "Martin Strandbygaard" <[EMAIL PROTECTED]>

To: 
Sent: Monday, September 26, 2005 8:42 AM
Subject: Re: Mod_ssl and how to reduce overhead



Hi,

A few words about intended usage would be of great help.

- How many concurrent users
- Type of transactions
- You really think the http front is going to be your bottleneck? or are
there back end systems that will pose a greater problem (I would  think 
so)


Why not just use a normal server as ssl accelerator? I know several  SSL 
accelerator "appliances" that are just that anyway. Unless you have
specific keyhandling requirements (FIPS140-3 or something),  using normal 
server hardware is much cheaper.


regards
martin

On 26/09/2005, at 14.35, Pigeon wrote:


Hello, I am trying to plan a system that can handle 10k-100k users.

I am only using apache w/mod-ssl

What should I look at to reduce overhead of bandwidth/cpu/mem?

At what point should I look at ssl accelerators?

Should I definitely look at clustering?

Also.. I have heard about ssl session key caching, anyone know how much
this will improve things?


Any good resources I can read?


thanks!
Lee 


Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Cliff Woolley
> Also.. I have heard about ssl session key caching, anyone know how much this
> will improve things?

Session caching is more or less essential for any kind of reasonable
SSL performance.  Disabling the session cache will hurt your SSL perf
by perhaps as much as an order of magnitude (roughly speaking -- it's
been a long time since I benchmarked it).

--Cliff


Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Dave paris
I use Pound (http://www.apsis.ch/pound/) as an SSL-terminating reverse 
proxy .. on commodity hardware, it can handle - at least according to 
quotes from the field - up to around 400 conns/sec.  It also affords you 
some additional firewalling in that you can put the SSL terminating 
accelerator in the DMZ and pass straight HTTP traffic to the backend 
without the client ever directly connecting to the web server/cluster.


I also use keepalived to keep a pair of Pound proxies in a 
high-availability scenario.  If you really need it, you could probably 
put up a HA/LVS cluster of Pound proxies that terminate and proxy
traffic for an entire web farm - if your traffic demands it.


The other bonus is that by terminating SSL at the DMZ, your IDS/IPS 
system gets a chance to peek at the traffic.


Pound does numerous other things as well (URL normalization, etc) .. 
head to the URL and have a good read.


Best~
-d

Pigeon wrote:

Hello, I am trying to plan a system that can handle 10k-100k users.

I am only using apache w/mod-ssl

What should I look at to reduce overhead of bandwidth/cpu/mem?

At what point should I look at ssl accelerators?

Should I definitely look at clustering?

Also.. I have heard about ssl session key caching, anyone know how much
this will improve things?


Any good resources I can read?


thanks!
Lee


Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Martin Strandbygaard

Hi,

A few words about intended usage would be of great help.

- How many concurrent users
- Type of transactions
- You really think the http front is going to be your bottleneck? or
are there back end systems that will pose a greater problem (I would  
think so)


Why not just use a normal server as ssl accelerator? I know several  
SSL accelerator "appliances" that are just that anyway. Unless you
have specific keyhandling requirements (FIPS140-3 or something),  
using normal server hardware is much cheaper.


regards
martin

On 26/09/2005, at 14.35, Pigeon wrote:


Hello, I am trying to plan a system that can handle 10k-100k users.

I am only using apache w/mod-ssl

What should I look at to reduce overhead of bandwidth/cpu/mem?

At what point should I look at ssl accelerators?

Should I definitely look at clustering?

Also.. I have heard about ssl session key caching, anyone know how  
much this will improve things?


Any good resources I can read?


thanks!
Lee


Re: mod_ssl

2005-02-01 Thread R. DuFresne

Hopefully stratech has you on the bench right now so ya get paid to go
back and read the docs you obviously avoided for a quickie fix here.

Did you compile with all the proper settings for ssl?  Is this 1.3.x or
2.0.x?  There are differences, slightly, in how one enables ssl in each.
Do you have the pre-coreqs in place to implement ssl under apache?  With
1.3.x you need apache, openssl, and the modssl package as well as mm, with
2.0.x I believe yer only needing apache and openssl.  But, no one replied
most likely to yer earlier post as you include such scant information as to
what the issue is.

Yer not a transplant down here are ya?

Thanks,

Ron DuFresne

On Tue, 1 Feb 2005, Plantier, Spencer wrote:

> I can't get ssl to work.
> 
> I did a search on my httpd.conf and it has (IfModule mod_ssl.c)
>  
> Include conf/ssl.conf
>  
> (/IfModule)
> And when I do a httpd -l I get:
> 
> Compiled in modules:
>   core.c
>   mod_access.c
>   mod_auth.c
>   mod_include.c
>   mod_log_config.c
>   mod_env.c
>   mod_setenvif.c
>   prefork.c
>   http_core.c
>   mod_mime.c
>   mod_status.c
>   mod_autoindex.c
>   mod_asis.c
>   mod_cgi.c
>   mod_negotiation.c
>   mod_dir.c
>   mod_imap.c
>   mod_actions.c
>   mod_userdir.c
>   mod_alias.c
>   mod_so.c
> 
> 
> Spencer Plantier
> System Network Administrator
>  
> 301 Gregson Dr
> Cary, NC  27511
> Office 919-379-8513
> Cell919-272-8833
> [EMAIL PROTECTED]
> 
> 

-- 
~~
admin & senior security consultant:  sysinfo.com
http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
-Tom Robins 



RE: mod_ssl

2005-02-01 Thread Mike Fratto
What version of Apache and mod_ssl are you using? Are you trying to compile it in
static or are you using DSO? Need more details.

If you're unclear about the above, read this for a quick overview (if you haven't
already) http://www.modssl.org/docs/2.8/ssl_overview.html

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Plantier, Spencer
Sent: Tuesday, February 01, 2005 8:03 AM
To: modssl-users@modssl.org
Subject: mod_ssl

  I cant get ssl to work.

  I did a search on my httpd.conf and it has (IfModule mod_ssl.c)
  Include conf/ssl.conf
  (/IfModule)
  And when I do a httpd -l I get:
  Compiled in modules:
    core.c
    mod_access.c
    mod_auth.c
    mod_include.c
    mod_log_config.c
    mod_env.c
    mod_setenvif.c
    prefork.c
    http_core.c
    mod_mime.c
    mod_status.c
    mod_autoindex.c
    mod_asis.c
    mod_cgi.c
    mod_negotiation.c
    mod_dir.c
    mod_imap.c
    mod_actions.c
    mod_userdir.c
    mod_alias.c
    mod_so.c

  Spencer Plantier
  System Network Administrator

  301 Gregson Dr
  Cary, NC  27511
  Office 919-379-8513
  Cell    919-272-8833
  [EMAIL PROTECTED]


Re: mod_ssl for Apache 2

2005-01-27 Thread ColinB

Thanks all. That clarifies the situation nicely.






Re: mod_ssl for Apache 2

2005-01-26 Thread R. DuFresne
On Wed, 26 Jan 2005, Mads Toftum wrote:

> On Wed, Jan 26, 2005 at 02:15:37AM -0800, ColinB wrote:
> > What is the relationship between mod_ssl for Apache 1 and Apache 2 ?
> > 
> The mod_ssl in apache2 is based on the mod_ssl for Apache 1.3, but the
> two versions are not the same module.
> 
> > Why doesn't www.modssl.org say that it is for both Apache 1 and 2 ?
> > 
> Because it isn't. The mod_ssl available at www.modssl.org is only for
> Apache 1.3.
> 

Just to clarify some, mod_ssl is part of apache 2 by default, you just
turn it on with configure/compile options, while for
apache 1.3.x it is an addon package requiring a few other steps in the
configure/compile process and additional packages to link with.

Thanks,

Ron DuFresne
-- 
~~
admin & senior security consultant:  sysinfo.com
http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
-Tom Robins 




Re: mod_ssl for Apache 2

2005-01-26 Thread Tony Andrews
I think I know the answer to this but what the heck...

I run apachectl -l and get...
core.c
worker.c
http_core.c
mod_so.c

No mod_ssl.  This is Apache 2.0.39.  Is there a way to get mod_ssl
installed on this server outside of re-installing Apache?

Thanks,
Tony Andrews

- Original Message - 
From: "Mads Toftum" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, January 26, 2005 7:00 AM
Subject: Re: mod_ssl for Apache 2


> On Wed, Jan 26, 2005 at 02:15:37AM -0800, ColinB wrote:
> > What is the relationship between mod_ssl for Apache 1 and Apache 2 ?
> >
> The mod_ssl in apache2 is based on the mod_ssl for Apache 1.3, but the
> two versions are not the same module.
>
> > Why doesn't www.modssl.org say that it is for both Apache 1 and 2 ?
> >
> Because it isn't. The mod_ssl available at www.modssl.org is only for
> Apache 1.3.
>
> vh
>
> Mads Toftum
> -- 
> `Darn it, who spiked my coffee with water?!' - lwall
>


Re: mod_ssl for Apache 2

2005-01-26 Thread Mads Toftum
On Wed, Jan 26, 2005 at 02:15:37AM -0800, ColinB wrote:
> What is the relationship between mod_ssl for Apache 1 and Apache 2 ?
> 
The mod_ssl in apache2 is based on the mod_ssl for Apache 1.3, but the
two versions are not the same module.

> Why doesn't www.modssl.org say that it is for both Apache 1 and 2 ?
> 
Because it isn't. The mod_ssl available at www.modssl.org is only for
Apache 1.3.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall



Re: mod_ssl, block-on-read problem?

2005-01-25 Thread Anders Ringaby


Hello Bob.


> #4  0x08072d00 in ap_hook_call (
> hook=0xfe00 ) at ap_hook.c:382
>   ^^^ problem here too?


I don't know about this one 


> Using strace -p  I get:
> read(3,
>
> Using lsof -n -p  I get and looking for FD 3, I see this:
>
> apache.db 21547 www-data3u  IPv4 16364769 TCP
> xx.xxx.xxx.xxx:www->xxx.xxx.xxx.xxx:51923 (ESTABLISHED)


 but when it comes to this one, I would say that the main reason
why a read() keeps hanging on a TCP socket is that the client or peer
has not shut down the connection, that is, the client or peer has not
performed a shutdown(), close() or exit().

Of course, you could argue that mod_ssl should have implemented a
timeout for conditions like that.

Maybe there is some kind of protocol problem here, in that mod_ssl is
still expecting data, while the client thinks there is no more data
to send, or maybe the client too is hanging in a read().


Regards

Anders





Re: mod_ssl, block-on-read problem?

2005-01-24 Thread Bob Tanner
On Monday 24 January 2005 11:53 pm, Bob Tanner wrote:
> Have the following:
>
> apache-1.3.33
> libapache-mod-ssl-2.8.22
> kernel-2.4.26-1-686-smp
>
> Having a problem where https connections just won't die. Over time the
>  process table fills and box crawls or falls to its knees.
>
> Installed debugging version of apache, here is gdb's backtrace showing the
> block on read() called from mod_ssl's ssl_io_unregister() function.

This url sounds like the problem I'm having.

http://www.issociate.de/board/post/44974/

Any solution to the above?


-- 
Bob Tanner <[EMAIL PROTECTED]>  | Phone : (952)943-8700
http://www.mn-linux.org, Minnesota, Linux | Fax   : (952)943-8500
Key fingerprint = AB15 0BDF BCDE 4369 5B42  1973 7CF1 A709 2CC1 B288


Re: mod_ssl environment variables

2005-01-17 Thread Joe Orton
On Fri, Jan 14, 2005 at 04:48:09PM -0500, Jason Kaskel wrote:
> This is technically both a mod_perl and mod_ssl question. Maybe I 
> should harass their mailing list too.
> 
> I have a PerlAccessHandler that needs to access certificate 
> information.  According to what I've read the environment isn't loaded 
> with this information until the fixup phase which occurs right before 
> the response phase (and well after the access phase).  Is there any 
> other way for me to access certificate information this early in the 
> Apache process (specifically the data that gets loaded into 
> SSL_CLIENT_S_DN_CN)?  Failing that is there a way for me to force the 
> fixup phase to occur before the access phase?

With the mod_ssl in httpd 2.0, you can do this using Geoff Young's
Apache::SSLLookup module, which extracts variables directly from mod_ssl
rather than going through the environment table:

http://search.cpan.org/~geoff/Apache-SSLLookup-2.00_02/

Regards,

joe


Re: mod_ssl environment variables

2005-01-17 Thread Matt Stevenson
You can try something like ...


  # Get SSL variables into subprocess...
  my $subr = $r->lookup_uri( $r->uri() );

  # Get serial and issuer
  my $serial         = $subr->subprocess_env('SSL_CLIENT_M_SERIAL') || "";
  my $issuer_slashes = $subr->subprocess_env('SSL_CLIENT_I_DN') || "";

Hope that works.

Regards
Matt

--- Jason Kaskel <[EMAIL PROTECTED]> wrote:

> This is technically both a mod_perl and mod_ssl
> question. Maybe I 
> should harass their mailing list too.
> 
> I have a PerlAccessHandler that needs to access
> certificate 
> information.  According to what I've read the
> environment isn't loaded 
> with this information until the fixup phase which
> occurs right before 
> the response phase (and well after the access
> phase).  Is there any 
> other way for me to access certificate information
> this early in the 
> Apache process (specifically the data that gets
> loaded into 
> SSL_CLIENT_S_DN_CN)?  Failing that is there a way
> for me to force the 
> fixup phase to occur before the access phase?
> 
> Thanks for any help!
> 
> -Jason
> [EMAIL PROTECTED]
> 


Re: mod_ssl and MacOS browsers...

2004-11-15 Thread Philip Larkin Waters
Are you using a real certificate or a test certificate? If it is a test
certificate you have to install a "Test Certificate Authority" which you
may have already done on your windows machines but not on your Mac.
Could that be it?


Theory is when you know something, but it doesn't work.
Practice is when something works, but you don't know why.
Programmers combine theory and practice:
Nothing works and they don't know why.
--Unknown
- Original Message - 
From: "Tim Howell" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 28, 2004 10:17 AM
Subject: Re: mod_ssl and MacOS browsers...


> On Thu, 28 Oct 2004 09:42:53 -0700, Tim Howell
> <[EMAIL PROTECTED]> wrote:
> > I've just installed a VeriSign 128 bit certificate on a server running
> > Apache 2.0.50 with mod_ssl.  Connecting to the server over https works
> > fine from all of the Windows clients I've tried (Win2K using both IE 6
> > and Firefox 1.0PR).  However, whenever I try to connect from a MacOS
> > warning that the certificate issuer is unknown.
> >
> > Any ideas?  This is for a system that is (hopefully) going into
> > production in a couple of days.  =)  I've searched the list archives
> > to no avail.
> >
> > Thanks!  =)
> >
> > --TWH
>
> I think I've solved my own problem.  The solution might be useful for
> the archives.
>
> I had to download an intermediary CA certificate from the VeriSign
> website and install that using the SSLCertificateChainFile option.
>
> --TWH


Re: mod_ssl and MacOS browsers...

2004-10-28 Thread Tim Howell
On Thu, 28 Oct 2004 09:42:53 -0700, Tim Howell
<[EMAIL PROTECTED]> wrote:
> I've just installed a VeriSign 128 bit certificate on a server running
> Apache 2.0.50 with mod_ssl.  Connecting to the server over https works
> fine from all of the Windows clients I've tried (Win2K using both IE 6
> and Firefox 1.0PR).  However, whenever I try to connect from a MacOS
> client (using MSIE 5.1, current Safari, or Firefox 1.0PR) I get a
> warning that the certificate issuer is unknown.
> 
> Any ideas?  This is for a system that is (hopefully) going into
> production in a couple of days.  =)  I've searched the list archives
> to no avail.
> 
> Thanks!  =)
> 
> --TWH

I think I've solved my own problem.  The solution might be useful for
the archives.

I had to download an intermediary CA certificate from the VeriSign
website and install that using the SSLCertificateChainFile option.

--TWH


Re: mod_ssl on sparc solaris

2004-09-15 Thread Matt Stevenson
Hi,

I haven't used authz_ldap in a while but I believe the
following config should work. Also you should see
mod_so.c listed for a "httpd -l". 

./httpd -l
Compiled-in modules:
  http_core.c
  mod_so.c

openssl:
    CC=$(CC) ./config shared no-idea

modssl:
    ./configure \
        --with-apache=$(COMP_DIR)/$(APACHE_DIR) \
        --with-ssl=$(COMP_DIR)/$(OPENSSL_DIR) \
        --with-mm=$(COMP_DIR)/$(MM_DIR)

apache:
    ./configure --prefix=$(APACHE_PREFIX) \
        --enable-module=rewrite \
        --enable-module=ssl \
        --enable-module=most \
        --enable-shared=max \
        --enable-rule=SSL_EXPERIMENTAL

Regards
Matt

--- Helke_Schröder <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> we have some problems to get mod_ssl working on
> solaris
> First we tried at suse 8.2 and there was no problem
> at all, but now we have
> troubles and hope someone can give us a hint..
> 
> While doing config and make there seems to be no
> problem
> Even apache can be started and "apachectl
> configtest" says "Syntax OK"
> 
> but when viewing the environment variables some of
> them are missing like
> SSL_CLIENT_S_DN
> only the server-variables are there
> 
> and when trying to start mod_authz_ldap (which uses
> the variables provided
> by mod_ssl) it appears this message when typing
> "apachectl configtest"
> 
> Syntax error on line 246 of
> /opt/webservers/apache/conf/httpd.conf:
> Cannot load
> /opt/webservers/apache/libexec/mod_authz_ldap.so
> into server:
> ld.so.1: /opt/webservers/apache/bin/httpd: fatal:
> relocation error: file
> /opt/webservers/apache/libexec/mod_authz_ldap.so:
> symbol ssl_var_lookup:
> referenced symbol not found
> 
> We have experimented with ./config shared -fPIC for
> openssl and
> --enable-rule=SHARED_CORE (for mod_ssl and apache)
> 
> but without success
> 
> (we are using apache 1.3.31, openssl 0.9.7d, mod_ssl
> 2.8.19-1.3.31 on sparc
> solaris 8)
> 
> thanks in advance
> Helke Schröder
> 


Re: mod_ssl, mod_rewrite, apache2 problem.

2004-04-08 Thread Victoriano Giralt
simontst wrote:

> The nasty problem is that when I redirect a request for a page (e.g.
> index.html) that contains an <img> tag in the form of:
>
> <img src="http://server/logos.gif">
>
> IE 6 continually complains that the page contains insecured items and
> refuses to display the yellow padlock. However, an examination of my rewrite
> logs indicates that the GET for the logos.gif is being redirected:
[snip]
>
> If I remove the <img> tag from index.html, the complaints go away,
> index.html is accessed using https, and the padlock appears. So it would
> appear that there is an issue with the GET for the .gif
>
> Thinking that browser might be getting confused by two redirects in a row
> (the first for http://server/index.html, and the second for
> http://server/logos.gif) I have tried to GET the logos.gif directly via
> http://server/logos.gif. But again, even though the request is redirected to
> https://server/logos.gif, the same warning message pops up and IE refuses to
> display the padlock. But if I bypass mod_rewrite and GET the gif using the
> URL: https://server/logos.gif, IE does not complain.
>
> Finally, Mozilla does not complain at all!! Jeez! My inclination is to
> modify the <img>s so that they all point to a relative path name instead

I cannot verify what I'm talking about, both because you have not
provided the URLs to test (that can be solved by local tests, but no
time at the moment)  and because I do not use any form of windoze, I'm
just wild guessing IE's reasoning. In a wild guess, IE is right (I hate to
say so :), though you are redirecting the request, the source for the
page it is presenting has unsecure elements, the parser does not know in
advance that the objects it will have to present to the user (your
images with absolute references), are really served by secure means, it
is asked to retrieve unsecured URLs (src=http:), though the page
contains mixed elements. This is another example why absolute URLs shall
be avoided when asking for contents from the same server :)

--
---
G & S Sistemas de Informacion, S.L.  | Teléfono:  9 02 01 44 43
Victoriano Giralt| Land line: +34-952-207-741
Torre de San Telmo, 8| Mobile:+34-670-332-720
E-29018 Malaga (Spain)   | http://www.gssi.es/
---
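
The behaviour discussed in the reply above, as an added example that is not part of the original thread: a browser judges a page by the URLs written in its markup, so an `http:` subresource on an `https:` page is reported even when the server would redirect that request. This Python check lists such references and also covers `<base href>`; the sample page, the host `static.example` and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose URL the browser fetches while rendering the page.
SUBRESOURCE_ATTRS = {
    "img": ("src",), "script": ("src",), "iframe": ("src",), "frame": ("src",),
    "embed": ("src",), "object": ("data",), "input": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
}
LINK_RELS = {"stylesheet", "icon"}  # <link> is a fetch only for these rel values


class _Collector(HTMLParser):
    """Collects (tag, attr, raw value, resolved URL) for every subresource."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.base = page_url
        self.base_seen = False
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: v for k, v in attrs if v is not None}
        if tag == "base":
            # Only the first <base href> counts. It changes how every later
            # relative URL resolves, so an http: base taints relative links.
            if "href" in attrs and not self.base_seen:
                self.base_seen = True
                raw = attrs["href"].strip()
                self.base = urljoin(self.base, raw)
                self.refs.append((tag, "href", raw, self.base))
            return
        names = SUBRESOURCE_ATTRS.get(tag, ())
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            names = ("href",) if rels & LINK_RELS else ()
        for name in names:
            if name in attrs:
                raw = attrs[name].strip()
                self.refs.append((tag, name, raw, urljoin(self.base, raw)))


def find_mixed_content(page_url, html):
    """Return one dict per reference that resolves to http: on an https: page."""
    page = urlsplit(page_url)
    if page.scheme != "https":
        return []  # mixed content only exists on a secure page
    collector = _Collector(page_url)
    collector.feed(html)
    collector.close()
    findings = []
    for tag, attr, raw, resolved in collector.refs:
        target = urlsplit(resolved)
        if target.scheme != "http":
            continue  # relative and //host/ references inherit https
        same_host = target.hostname == page.hostname
        suggested = None
        # A root-relative path inherits the page's scheme. It is offered only
        # when the markup itself spelled out http:// for this same server.
        if same_host and tag != "base" and urlsplit(raw).scheme == "http":
            suggested = target.path or "/"
            if target.query:
                suggested += "?" + target.query
        findings.append({"tag": tag, "attr": attr, "url": resolved,
                         "same_host": same_host, "suggested": suggested})
    return findings


# Constructed sample: the page from the thread plus a few contrasting cases.
SAMPLE_PAGE_URL = "https://server/index.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.example/site.css">
<script src="//server/app.js"></script>
</head><body>
<img src="http://server/logos.gif">
<img src="images/photo.gif">
<a href="http://server/about.html">About</a>
</body></html>
"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        hint = f" -> use {f['suggested']}" if f["suggested"] else ""
        print(f"<{f['tag']} {f['attr']}> {f['url']}{hint}")
```

Plain hyperlinks (`<a href>`) are left out on purpose: they are navigations, not content loaded into the secure page.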


Re: mod_ssl, mod_rewrite, apache2 problem.

2004-04-08 Thread Joe Orton
On Wed, Apr 07, 2004 at 11:36:23AM -0400, simontst wrote:
> Hi,
> 
> I am running apache2, mod_ssl, on freebsd4.9 and I am using the mod_rewrite
> engine to redirect requests for http -> https.
> I have this working using:
> 
> RewriteEngine on
> RewriteCond %{HTTPS} !=on

This doesn't work properly in 2.0: try %{LA-U:HTTPS} instead.  Without
fixing that it's likely the rule is being applied to *all* requests, so
issuing a redirect for https://foo/bar to https://foo/bar which browsers
may do weird things for.

> RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [R,L]

Regards,

joe


Re: mod_ssl & kerberos ?

2003-11-11 Thread Mads Toftum
On Mon, Nov 10, 2003 at 12:58:33PM +0100, Daniel Struck wrote:
> Hello,
> 
> 
> I want to ask if the following setup is possible:
> 
> 
> Clients will be authenticated towards apache with x509 certificates (mod_ssl).
> 
> Would it now be possible to give authenticated clients a kerberos ticket which could 
> be read out in php/perl?
> I would like to use this ticket to authenticate the client towards a database like 
> postgresql.
> 
I imagine something like http://modauthkerb.sourceforge.net/ along
with SSLOptions +FakeBasicAuth could do the trick (YMMV - I don't know
enough about Kerberos to know whether that type of usernames would be
a problem).

http://www.modssl.org/docs/2.8/ssl_reference.html#ToC21

vh

Mads Toftum
-- 
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, "Apache 2 mod_ssl tutorial" (3h)
WE03, "Troubleshooting Apache configurations" 
WE11, "Apache mod_rewrite, the Swiss Army Knife of URL manipulation" 


Re: mod_ssl compile problems

2003-08-26 Thread Trevor Morrison
Hi Dave,

I already had the devel RPM installed but I went ahead and forced the 
reinstallation of both the openssl- and openssl-devel- packages.  I am 
still getting the same error.  Any other suggestions.

TIA

Trevor

Dave Paris wrote:

you need the *-devel RPM as well.
-dsp
-Original Message-
From: Trevor Morrison [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 20, 2003 10:16 PM
To: [EMAIL PROTECTED]
Subject: mod_ssl compile problems
Hi,

I am trying to compile in mod_ssl 2.8.15 into the apache1.3.28 source
and using openssl-1.9.7a-2 installed from an RH RPM and I am getting the
following error:
ranlib libstandard.a
<=== src/modules/standard
===> src/modules/ssl
gcc -c -I../.. -I/usr/lib/perl5/5.8.0/i386-linux-thread-multi/CORE
-I../../os/unix -I../../include   -DLINUX=22 -DMOD_SSL=208115 -DMOD_PERL
-DUSE_PERL_SSI -D_REENTRANT  -DTHREADS_HAVE_PIDS -DDEBUGGING
-fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm -DUSE_HSREGEX
-DEAPI -DEAPI_MM -DNO_DL_NEEDED `../../apaci` -DSSL_USE_SDBM
-DSSL_ENGINE -DMOD_SSL_VERSION=\"2.8.15\" mod_ssl.c
In file included from /usr/include/openssl/ssl.h:179,
from mod_ssl.h:116,
from mod_ssl.c:65:
/usr/include/openssl/kssl.h:72:18: krb5.h: No such file or directory
In file included from /usr/include/openssl/ssl.h:179,
from mod_ssl.h:116,
from mod_ssl.c:65:
/usr/include/openssl/kssl.h:132: parse error before "krb5_enctype"
/usr/include/openssl/kssl.h:134: parse error before "FAR"
/usr/include/openssl/kssl.h:135: parse error before '}' token
/usr/include/openssl/kssl.h:147: parse error before "kssl_ctx_setstring"
/usr/include/openssl/kssl.h:147: parse error before '*' token
/usr/include/openssl/kssl.h:148: parse error before '*' token
/usr/include/openssl/kssl.h:149: parse error before '*' token
/usr/include/openssl/kssl.h:149: parse error before '*' token
/usr/include/openssl/kssl.h:150: parse error before '*' token
/usr/include/openssl/kssl.h:151: parse error before "kssl_ctx_setprinc"
/usr/include/openssl/kssl.h:151: parse error before '*' token
/usr/include/openssl/kssl.h:153: parse error before "kssl_cget_tkt"
/usr/include/openssl/kssl.h:153: parse error before '*' token
/usr/include/openssl/kssl.h:155: parse error before "kssl_sget_tkt"
/usr/include/openssl/kssl.h:155: parse error before '*' token
/usr/include/openssl/kssl.h:157: parse error before "kssl_ctx_setkey"
/usr/include/openssl/kssl.h:157: parse error before '*' token
/usr/include/openssl/kssl.h:159: parse error before "context"
/usr/include/openssl/kssl.h:160: parse error before "kssl_build_principal_2"
/usr/include/openssl/kssl.h:160: parse error before "context"
/usr/include/openssl/kssl.h:163: parse error before "kssl_validate_times"
/usr/include/openssl/kssl.h:163: parse error before "atime"
/usr/include/openssl/kssl.h:165: parse error before "kssl_check_authent"
/usr/include/openssl/kssl.h:165: parse error before '*' token
/usr/include/openssl/kssl.h:167: parse error before "enctype"
In file included from mod_ssl.h:116,
from mod_ssl.c:65:
/usr/include/openssl/ssl.h:909: parse error before "KSSL_CTX"
/usr/include/openssl/ssl.h:931: parse error before '}' token
make[4]: *** [mod_ssl.o] Error 1
make[3]: *** [all] Error 1
make[2]: *** [subdirs] Error 1
make[2]: Leaving directory `/var/tmp/apache_1.3.28/src'
make[1]: *** [build-std] Error 2
make[1]: Leaving directory `/var/tmp/apache_1.3.28'
make: *** [build] Error 2
I am on a RH 9 box with a 2.4.20 compiled static kernel.

TIA

Trevor



 





Re: mod_ssl/2.8.13 and php AND Problem with 2.8.13 and Solaris 2.6

2003-04-05 Thread Mads Toftum
On Fri, Mar 21, 2003 at 04:18:11AM -0500, Jason Parsons wrote:
> 
> I'm seeing similar problems after an upgrade to mod_ssl 2.8.13 under 
> Solaris 2.8.
> 
> [Fri Mar 21 04:10:42 2003] [notice] child pid 4241 exit signal 
> Segmentation Fault (11)
> [Fri Mar 21 04:10:42 2003] [notice] child pid 4248 exit signal 
> Segmentation Fault (11)
> [Fri Mar 21 04:10:42 2003] [notice] child pid 4240 exit signal 
> Segmentation Fault (11)
> 
> When accessing an https page using php.  http and php are fine.
> 
You need to upgrade to 2.8.14-1.3.27, which was released 21-Mar-2003
to fix a problem similar to what you're describing.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall



Re: mod_ssl/2.8.13 and php AND Problem with 2.8.13 and Solaris 2.6

2003-04-04 Thread Jason Parsons
I'm seeing similar problems after an upgrade to mod_ssl 2.8.13 under 
Solaris 2.8.

[Fri Mar 21 04:10:42 2003] [notice] child pid 4241 exit signal 
Segmentation Fault (11)
[Fri Mar 21 04:10:42 2003] [notice] child pid 4248 exit signal 
Segmentation Fault (11)
[Fri Mar 21 04:10:42 2003] [notice] child pid 4240 exit signal 
Segmentation Fault (11)

When accessing an https page using php.  http and php are fine.

Server: Apache/1.3.27 (Unix) FrontPage/5.0.2.2510 mod_perl/1.27 
PHP/4.2.3 mod_ssl/2.8.13 OpenSSL/0.9.7

SunOS hostname 5.8 Generic_108528-19 sun4u sparc SUNW,UltraAX-i2

Let me know if there is any debugging info I can grab for you folks.

  - Jason Parsons


Re: [PATCH] Segfaults in 2.8.13 (was: Re: mod_ssl/2.8.13 and php)

2003-03-21 Thread Jazz
Hi All,

It is OK with:

Solaris 2.6/Sparc
Apache 1.3.27 (DSO)
Php 4.2.3
OpenSSL 0.9.6i
Mod_SSL 2.8.14

Nice weekend for everybody!

JAZZ



Re: Re: [PATCH] Segfaults in 2.8.13 (was: Re: mod_ssl/2.8.13 andphp)

2003-03-21 Thread Burkhard Ulrich

Hi again,

I also tested it successfully with linux 2.0.35, linux 2.2.19 and with 
linux 2.2.20

Greetings

Burkhard


> 
> Hi,
> 
> this works on linux 2.2.16 and linux 2.4.19
> 
> Thanks
> 
> Burkhard
> 
> On Fri, 21 Mar 2003, Ralf S. Engelschall wrote:
> 
> > On Fri, Mar 21, 2003, Ralf S. Engelschall wrote:
> > 
> > > > I can see the same segmentation fault :
> > > [...]
> > 
> > Ok, can the people who are able to reproduce the segfault problem,
> > please apply the following patch, retry it and give feedback? I think
> > these two bugfixes should fix the problem now. If yes, I'll release
> > mod_ssl 2.8.14 with it. Thanks for your help.

...



Re: [PATCH] Segfaults in 2.8.13 (was: Re: mod_ssl/2.8.13 and php)

2003-03-21 Thread Artur Pydo
Hi,

Ralf S. Engelschall wrote:

> Ok, can the people who are able to reproduce the segfault problem,
> please apply the following patch, retry it and give feedback? I think
> these two bugfixes should fix the problem now. If yes, I'll release
> mod_ssl 2.8.14 with it. Thanks for your help.

That's ok with static and DSO apache build on :

FreeBSD 4.8-STABLE
Apache 1.3.27
Openssl 0.9.7a
Modssl 2.8.13 + provided patch
PHP 4.3.1 and PHP 4.3.2RC1

Thanks !

--

Best regards,

Artur Pydo.



Re: [PATCH] Segfaults in 2.8.13 (was: Re: mod_ssl/2.8.13 and php)

2003-03-21 Thread Ed Kubaitis
--"Ralf S. Engelschall" <[EMAIL PROTECTED]> wrote:

> On Fri, Mar 21, 2003, Ralf S. Engelschall wrote:
>
> > I can see the same segmentation fault :
> [...]
> Ok, can the people who are able to reproduce the segfault problem,
> please apply the following patch, retry it and give feedback? I think
> these two bugfixes should fix the problem now. If yes, I'll release
> mod_ssl 2.8.14 with it. Thanks for your help.

The patch fixed the problem for me (no php, RH 7.3.)

--
Ed Kubaitis - [EMAIL PROTECTED]
CITES/STS - University of Illinois at Urbana-Champaign

Index: ssl_engine_kernel.c
===
RCS file:
/e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.136
diff -u -d -r1.136 ssl_engine_kernel.c
--- ssl_engine_kernel.c 19 Nov 2002 13:57:01 -  1.136
+++ ssl_engine_kernel.c 21 Mar 2003 12:39:47 -
@@ -1048,13 +1048,15 @@
 "Re-negotiation handshake failed: Client
verification failed");  return FORBIDDEN;
 }
+cert = SSL_get_peer_certificate(ssl);
 if (   dc->nVerifyClient == SSL_CVERIFY_REQUIRE
-&& (cert = SSL_get_peer_certificate(ssl)) == NULL) {
+&& cert == NULL) {
 ssl_log(r->server, SSL_LOG_ERROR,
 "Re-negotiation handshake failed: Client
certificate missing"); -X509_free(cert);
 return FORBIDDEN;
 }
+if (cert != NULL)
+X509_free(cert);
 }
 }
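
Review bot: after the added `if (cert != NULL) X509_free(cert);` at the end of this block, `cert` still holds the address of the certificate whose reference was just released. If any code further down in the function reads `cert`, it would be touching freed memory; assigning `cert = NULL` right after the free, or declaring the variable inside this block, would rule that out. The lookup is also no longer short-circuited by the `nVerifyClient == SSL_CVERIFY_REQUIRE` test, so it now runs on every renegotiation; worth confirming that is intended.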
Index: ssl_engine_vars.c
===
RCS file:
/e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_vars.c,v
retrieving revision 1.53
diff -u -d -r1.53 ssl_engine_vars.c
--- ssl_engine_vars.c   29 Oct 2002 13:00:46 -  1.53
+++ ssl_engine_vars.c   21 Mar 2003 12:40:12 -
@@ -322,7 +322,9 @@
 else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "SERVER_",
7)) {  if ((xs = SSL_get_certificate(ssl)) != NULL) {
 result = ssl_var_lookup_ssl_cert(p, xs, var+7);
-X509_free(xs);
+/* SSL_get_certificate() as of OpenSSL 0.9.7a does not
increment +   the reference count the same way
SSL_get_peer_certificate does, +   so no need to
X509_free(xs) the stuff here. */
 }
 }
 return result;
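
Review bot: The new comment pins the behaviour to "OpenSSL 0.9.7a", which reads as if the removed `X509_free(xs)` were still needed with other library versions. State the ownership rule instead (the pointer returned by SSL_get_certificate() belongs to the SSL object and the caller must not free it), or list the versions that were actually checked.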
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com


Re: [PATCH] Segfaults in 2.8.13 (was: Re: mod_ssl/2.8.13 and php)

2003-03-21 Thread Burkhard Ulrich

Hi,

this works on linux 2.2.16 and linux 2.4.19

Thanks

Burkhard

On Fri, 21 Mar 2003, Ralf S. Engelschall wrote:

> On Fri, Mar 21, 2003, Ralf S. Engelschall wrote:
> 
> > > I can see the same segmentation fault :
> > [...]
> 
> Ok, can the people who are able to reproduce the segfault problem,
> please apply the following patch, retry it and give feedback? I think
> these two bugfixes should fix the problem now. If yes, I'll release
> mod_ssl 2.8.14 with it. Thanks for your help.
> 
> Index: ssl_engine_kernel.c
> ===
> RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v
> retrieving revision 1.136
> diff -u -d -r1.136 ssl_engine_kernel.c
> --- ssl_engine_kernel.c   19 Nov 2002 13:57:01 -  1.136
> +++ ssl_engine_kernel.c   21 Mar 2003 12:39:47 -
> @@ -1048,13 +1048,15 @@
>  "Re-negotiation handshake failed: Client verification 
> failed");
>  return FORBIDDEN;
>  }
> +cert = SSL_get_peer_certificate(ssl);
>  if (   dc->nVerifyClient == SSL_CVERIFY_REQUIRE
> -&& (cert = SSL_get_peer_certificate(ssl)) == NULL) {
> +&& cert == NULL) {
>  ssl_log(r->server, SSL_LOG_ERROR,
>  "Re-negotiation handshake failed: Client certificate 
> missing");
> -X509_free(cert);
>  return FORBIDDEN;
>  }
> +if (cert != NULL)
> +X509_free(cert);
>  }
>  }
> 
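
Review bot: After this change `cert` is fetched on every pass through the block, yet it is only compared against NULL, and only when `dc->nVerifyClient == SSL_CVERIFY_REQUIRE`. Consider releasing it directly after the test, or fetching it only in the REQUIRE case, so that the reference is held for the shortest possible span and a later edit cannot slip a `return` between the fetch and the `X509_free(cert)`.
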
> Index: ssl_engine_vars.c
> ===
> RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_vars.c,v
> retrieving revision 1.53
> diff -u -d -r1.53 ssl_engine_vars.c
> --- ssl_engine_vars.c 29 Oct 2002 13:00:46 -  1.53
> +++ ssl_engine_vars.c 21 Mar 2003 12:40:12 -
> @@ -322,7 +322,9 @@
>  else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "SERVER_", 7)) {
>  if ((xs = SSL_get_certificate(ssl)) != NULL) {
>  result = ssl_var_lookup_ssl_cert(p, xs, var+7);
> -X509_free(xs);
> +/* SSL_get_certificate() as of OpenSSL 0.9.7a does not increment
> +   the reference count the same way SSL_get_peer_certificate does,
> +   so no need to X509_free(xs) the stuff here. */
>  }
>  }
>  return result;
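
Review bot: With `X509_free(xs)` removed, the SERVER_ branch no longer mirrors the CLIENT_ branch, which still has to free the result of SSL_get_peer_certificate(). Extend the new comment to say that the asymmetry is intentional, otherwise a later cleanup is likely to put the free back.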
> 
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com
> 


[PATCH] Segfaults in 2.8.13 (was: Re: mod_ssl/2.8.13 and php)

2003-03-21 Thread Ralf S. Engelschall
On Fri, Mar 21, 2003, Ralf S. Engelschall wrote:

> > I can see the same segmentation fault :
> [...]

Ok, can the people who are able to reproduce the segfault problem,
please apply the following patch, retry it and give feedback? I think
these two bugfixes should fix the problem now. If yes, I'll release
mod_ssl 2.8.14 with it. Thanks for your help.

Index: ssl_engine_kernel.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_kernel.c,v
retrieving revision 1.136
diff -u -d -r1.136 ssl_engine_kernel.c
--- ssl_engine_kernel.c 19 Nov 2002 13:57:01 -  1.136
+++ ssl_engine_kernel.c 21 Mar 2003 12:39:47 -
@@ -1048,13 +1048,15 @@
 "Re-negotiation handshake failed: Client verification 
failed");
 return FORBIDDEN;
 }
+cert = SSL_get_peer_certificate(ssl);
 if (   dc->nVerifyClient == SSL_CVERIFY_REQUIRE
-&& (cert = SSL_get_peer_certificate(ssl)) == NULL) {
+&& cert == NULL) {
 ssl_log(r->server, SSL_LOG_ERROR,
 "Re-negotiation handshake failed: Client certificate 
missing");
-X509_free(cert);
 return FORBIDDEN;
 }
+if (cert != NULL)
+X509_free(cert);
 }
 }
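
Review bot: The removed `X509_free(cert)` sat inside the branch that is taken only when `cert == NULL`, so in the lines shown a non-NULL peer certificate obtained here was never released before this patch. The cover text presents both hunks as fixes for the segfault; record in the changelog entry that this hunk closes a reference leak, so the two changes can be tracked separately.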

Index: ssl_engine_vars.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_vars.c,v
retrieving revision 1.53
diff -u -d -r1.53 ssl_engine_vars.c
--- ssl_engine_vars.c   29 Oct 2002 13:00:46 -  1.53
+++ ssl_engine_vars.c   21 Mar 2003 12:40:12 -
@@ -322,7 +322,9 @@
 else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "SERVER_", 7)) {
 if ((xs = SSL_get_certificate(ssl)) != NULL) {
 result = ssl_var_lookup_ssl_cert(p, xs, var+7);
-X509_free(xs);
+/* SSL_get_certificate() as of OpenSSL 0.9.7a does not increment
+   the reference count the same way SSL_get_peer_certificate does,
+   so no need to X509_free(xs) the stuff here. */
 }
 }
 return result;
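
Review bot: `xs` in the SERVER_ branch is now a borrowed pointer that stays valid only as long as `ssl` keeps its certificate, so this hunk relies on ssl_var_lookup_ssl_cert() returning a copy rather than anything that points into `xs`. Say so in the new comment, next to the call, so the assumption is visible where it matters.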

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: mod_ssl/2.8.13 and php

2003-03-21 Thread Ralf S. Engelschall
On Fri, Mar 21, 2003, Joe Orton wrote:

> On Fri, Mar 21, 2003 at 12:30:36PM +0100, Ralf S. Engelschall wrote:
> > -if ((xs = SSL_get_certificate(ssl)) != NULL)
> > +if ((xs = SSL_get_certificate(ssl)) != NULL) {
> >  result = ssl_var_lookup_ssl_cert(p, xs, var+7);
> > +X509_free(xs);
> > +}
> >  }
>
> That isn't safe, SSL_get_certificate doesn't increase the refcount on
> the certificate (unlike SSL_peer_get_certificate).

Oops, great catch! Yes, you're right, I was not aware of this subtle
difference. Will be fixed.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



RE: mod_ssl/2.8.13 and php AND Problem with 2.8.13 and Solaris 2.6

2003-03-21 Thread Jazz
  Dear Mr. Owen,

  Yes, Solaris 2.6/Sparc + Php 4.2.3 + OpenSSL
0.9.6i + Mod_ssl 2.8.13 do crash. It seems that it is
something with Php, I think... but the error logged is
different from other reports I've seen on the list.
error_log reports:

[notice] child pid 19396 exit signal Bus Error (10)

  No problem starting the server, but all child
requests make them crash.

  If you need more information, please ask me for it.

  Jazz

 --- Boyle Owen <[EMAIL PROTECTED]> wrote:
> Can we bring these threads together? It would seem
> we have:
> 
> >Burkhard:
> >Apache/1.3.27 mod_gzip/1.3.26.1a PHP/4.3.1
> mod_ssl/2.8.13 
> >OpenSSL/0.9.7a
> 
>   QUESTION: What OS?
> 
> And:
> 
> >Jazz:
> >mod_ssl 2.8.13, OpenSSL 0.9.6i with apache 1.3.27 
> >... on Solaris 2.6/Sparc
> 
>   QUESTION: using PHP?
> 
> Both have the same problem, HTTP is OK but HTTPS
> causes segfault.
> 
> Any other users experiencing this?
> 
> Rgds,
> Owen Boyle
> Disclaimer: Any disclaimer attached to this message
> may be ignored.


Re: mod_ssl/2.8.13 and php

2003-03-21 Thread Artur Pydo
Hi,

Ralf S. Engelschall wrote:

> Additionally, I still cannot reproduce the problem myself. So, can you
> help me here by using a breakpoint at ssl_var_lookup_ssl_cert() and then
> single-stepping until the problem occurs? This would help us in really
> locating the problem.

I recompiled static Apache binary with -g3.
First backtrace :
(gdb) run -X -f /usr/local/apache/conf/httpd.conf.static -DSSL
Starting program: /usr/local/src/build/test/apache_1.3.27/src/./httpd -X 
-f /usr/local/apache/conf/httpd.conf.static -DSSL

Program received signal SIGSEGV, Segmentation fault.
0x80a0b76 in ssl_var_lookup_ssl_cert (p=0x82a500c, xs=0x833d280, 
var=0x8214035 "V_END") at ssl_engine_vars.c:353
353 result = ssl_var_lookup_ssl_cert_valid(p, 
X509_get_notAfter(xs));
(gdb) bt
#0  0x80a0b76 in ssl_var_lookup_ssl_cert (p=0x82a500c, xs=0x833d280, 
var=0x8214035 "V_END") at ssl_engine_vars.c:353
#1  0x80a0a4d in ssl_var_lookup_ssl (p=0x82a500c, c=0x8352014, 
var=0x821402e "SERVER_V_END") at ssl_engine_vars.c:324
#2  0x80a0049 in ssl_var_lookup (p=0x82a500c, s=0x82e567c, c=0x8352014, 
r=0x82a5034, var=0x821402a "SSL_SERVER_V_END")
at ssl_engine_vars.c:191
#3  0x809b74b in ssl_hook_Fixup (r=0x82a5034) at ssl_engine_kernel.c:1336
#4  0x8162d3f in run_method (r=0x82a5034, offset=19, run_all=1) at 
http_config.c:370
#5  0x8162e1e in ap_run_fixups (r=0x82a5034) at http_config.c:397
#6  0x8177e7e in ap_sub_req_method_uri (method=0x824fa8a "GET", 
new_file=0x82ee754 "index.php", r=0x833e034) at http_request.c:855
#7  0x8177ebf in ap_sub_req_lookup_uri (new_file=0x82ee754 "index.php", 
r=0x833e034) at http_request.c:880
#8  0x808e3bc in handle_dir (r=0x833e034) at mod_dir.c:163
#9  0x81631f1 in ap_invoke_handler (r=0x833e034) at http_config.c:518
#10 0x8178e10 in process_request_internal (r=0x833e034) at 
http_request.c:1308
#11 0x8178e7a in ap_process_request (r=0x833e034) at http_request.c:1324
#12 0x816f6ff in child_main (child_num_arg=0) at http_main.c:4689
#13 0x816f8e1 in make_child (s=0x829f034, slot=0, now=1048249519) at 
http_main.c:4813
#14 0x816fa5a in startup_children (number_to_start=5) at http_main.c:4895
#15 0x8170088 in standalone_main (argc=5, argv=0xbfbffaf4) at 
http_main.c:5203
#16 0x8170904 in main (argc=5, argv=0xbfbffaf4) at http_main.c:5566
#17 0x807d109 in _start ()

I'm going on to see if I can bring you a more specific trace.
Your suggestions are welcome; I am backtracing for the first time. :)
--

Best regards,

Artur Pydo.



Re: mod_ssl/2.8.13 and php

2003-03-21 Thread Joe Orton
On Fri, Mar 21, 2003 at 12:30:36PM +0100, Ralf S. Engelschall wrote:
> -if ((xs = SSL_get_certificate(ssl)) != NULL)
> +if ((xs = SSL_get_certificate(ssl)) != NULL) {
>  result = ssl_var_lookup_ssl_cert(p, xs, var+7);
> +X509_free(xs);
> +}
>  }

That isn't safe, SSL_get_certificate doesn't increase the refcount on
the certificate (unlike SSL_peer_get_certificate).

Regards,

joe
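
The ownership rule described in the message above, as an added toy model in C. It is not part of the original post and is not mod_ssl or OpenSSL code: every `toy_*` name is hypothetical, and the "free" only marks the object as released so the outcome can be inspected without touching freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for X509 and SSL; only the refcount matters here. */
typedef struct { int refs; int freed; } toy_x509;
typedef struct { toy_x509 *own_cert; toy_x509 *peer_cert; } toy_ssl;
typedef struct { int server_refs; int server_freed; int peer_refs; } toy_result;

static toy_x509 *toy_x509_new(void) {
    toy_x509 *x = calloc(1, sizeof *x);
    if (x != NULL)
        x->refs = 1;              /* the one reference held by the connection */
    return x;
}

/* Drops one reference; marks the object instead of calling free() so the
 * test can still read it afterwards. */
static void toy_x509_free(toy_x509 *x) {
    if (x == NULL)
        return;
    if (--x->refs <= 0)
        x->freed = 1;
}

/* Borrowed pointer: models a getter that does not bump the refcount. */
static toy_x509 *toy_get_certificate(toy_ssl *s) {
    return s->own_cert;
}

/* Owned pointer: models a getter that hands the caller its own reference. */
static toy_x509 *toy_get_peer_certificate(toy_ssl *s) {
    if (s->peer_cert != NULL)
        s->peer_cert->refs++;
    return s->peer_cert;
}

/* Shape of the lookup in the revision that crashed: free after both getters. */
static void lookup_rev_1_53(toy_ssl *s) {
    toy_x509 *xs;
    if ((xs = toy_get_peer_certificate(s)) != NULL)
        toy_x509_free(xs);        /* balanced: we were given a reference */
    if ((xs = toy_get_certificate(s)) != NULL)
        toy_x509_free(xs);        /* unbalanced: drops the owner's reference */
}

/* Shape of the lookup after the follow-up patch: free only what we own. */
static void lookup_patched(toy_ssl *s) {
    toy_x509 *xs;
    if ((xs = toy_get_peer_certificate(s)) != NULL)
        toy_x509_free(xs);
    xs = toy_get_certificate(s);  /* borrowed: use it, never free it */
    (void)xs;
}

/* Runs n variable lookups on one connection and reports the final state.
 * All fields are -1 if allocation failed. */
static toy_result run_lookups(int n, void (*lookup)(toy_ssl *)) {
    toy_result r = { -1, -1, -1 };
    toy_x509 *server = toy_x509_new();
    toy_x509 *peer = toy_x509_new();
    if (server != NULL && peer != NULL) {
        toy_ssl s;
        int i;
        s.own_cert = server;
        s.peer_cert = peer;
        for (i = 0; i < n; i++)
            lookup(&s);
        r.server_refs = server->refs;
        r.server_freed = server->freed;
        r.peer_refs = peer->refs;
    }
    free(server);
    free(peer);
    return r;
}

int main(void) {
    toy_result bad = run_lookups(1, lookup_rev_1_53);
    toy_result ok = run_lookups(3, lookup_patched);
    printf("rev 1.53: server refs=%d freed=%d peer refs=%d\n",
           bad.server_refs, bad.server_freed, bad.peer_refs);
    printf("patched : server refs=%d freed=%d peer refs=%d\n",
           ok.server_refs, ok.server_freed, ok.peer_refs);
    return 0;
}
```

In the model a single lookup with the unbalanced free already releases the server certificate while the connection still points at it, so the next lookup would read released memory.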


Re: mod_ssl/2.8.13 and php

2003-03-21 Thread Ralf S. Engelschall
On Thu, Mar 20, 2003, Artur Pydo wrote:

> I can see the same segmentation fault :
>
> FreeBSD 4.8-STABLE
> Apache 1.3.27
> Openssl 0.9.7a
> Modssl 2.8.13
> PHP 4.3.1 / PHP 4.3.2RC1 / PHP 4.3.2-snapshot
>
> It happens both with static compilation and as DSO.
>
> The backtrace seems to be pointing out an error in
> ssl_var_lookup_ssl_cert().
>
> This problem only appears with PHP compiled in and
> asking for a .php document. I mean asking for a html
> document works fine.
>
> Backtrace (sorry for the formatting) :
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x283a6e9a in ssl_var_lookup_ssl_cert () from
> /usr/local/apache/libexec/libssl.so
> (gdb) bt
> #0  0x283a6e9a in ssl_var_lookup_ssl_cert () from
> /usr/local/apache/libexec/libssl.so
> #1  0x283a6d49 in ssl_var_lookup_ssl () from
> /usr/local/apache/libexec/libssl.so
> #2  0x283a6291 in ssl_var_lookup () from /usr/local/apache/libexec/libssl.so
> #3  0x283a11c8 in ssl_hook_Fixup () from /usr/local/apache/libexec/libssl.so
> #4  0x805472b in run_method (r=0x815d034, offset=29, run_all=1) at
> http_config.c:370
> #5  0x805480a in ap_run_fixups (r=0x815d034) at http_config.c:397
> #6  0x806a7cc in process_request_internal (r=0x815d034) at
> http_request.c:1303
> #7  0x806a866 in ap_process_request (r=0x815d034) at http_request.c:1324
> #8  0x80610eb in child_main (child_num_arg=0) at http_main.c:4689
> #9  0x80612cd in make_child (s=0x80b0034, slot=0, now=1048177481) at
> http_main.c:4813
> #10 0x8061446 in startup_children (number_to_start=5) at http_main.c:4895
> #11 0x8061a74 in standalone_main (argc=5, argv=0xbfbffb04) at
> http_main.c:5203
> #12 0x80622f0 in main (argc=5, argv=0xbfbffb04) at http_main.c:5566
> #13 0x804f4b1 in _start ()

Hmmm... I've in-depth looked at the changes to ssl_engine_vars.c
and they all look correct:

Index: ssl_engine_vars.c
===
RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_vars.c,v
retrieving revision 1.51
retrieving revision 1.53
diff -u -d -u -3 -r1.51 -r1.53
--- ssl_engine_vars.c   29 Jun 2002 07:42:51 -  1.51
+++ ssl_engine_vars.c   29 Oct 2002 13:00:46 -  1.53
@@ -314,12 +314,16 @@
 result = ssl_var_lookup_ssl_cert_verify(p, c);
 }
 else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "CLIENT_", 7)) {
-if ((xs = SSL_get_peer_certificate(ssl)) != NULL)
+if ((xs = SSL_get_peer_certificate(ssl)) != NULL) {
 result = ssl_var_lookup_ssl_cert(p, xs, var+7);
+X509_free(xs);
+}
 }
 else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "SERVER_", 7)) {
-if ((xs = SSL_get_certificate(ssl)) != NULL)
+if ((xs = SSL_get_certificate(ssl)) != NULL) {
 result = ssl_var_lookup_ssl_cert(p, xs, var+7);
+X509_free(xs);
+}
 }
 return result;
 }
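
Review bot: The `X509_free(xs)` added to the SERVER_ branch releases a pointer obtained from SSL_get_certificate(), which, as Joe Orton points out in this thread, does not take a reference on behalf of the caller. Every lookup of an SSL_SERVER_* variable therefore drops a reference that the SSL object still owns; keep the added free in the CLIENT_ branch only.
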
@@ -352,7 +356,7 @@
 xsname = X509_get_subject_name(xs);
 cp = X509_NAME_oneline(xsname, NULL, 0);
 result = ap_pstrdup(p, cp);
-free(cp);
+OPENSSL_free(cp);
 resdup = FALSE;
 }
 else if (strlen(var) > 5 && strcEQn(var, "S_DN_", 5)) {
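
Review bot: `cp` goes into `ap_pstrdup()` and `OPENSSL_free()` unchecked, although X509_NAME_oneline() called with a NULL buffer allocates its result and can return NULL on failure. Switching to `OPENSSL_free()` is right for memory the library allocated; add a NULL check on `cp` here and in the matching issuer-name hunk that follows.
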
@@ -364,7 +368,7 @@
 xsname = X509_get_issuer_name(xs);
 cp = X509_NAME_oneline(xsname, NULL, 0);
 result = ap_pstrdup(p, cp);
-free(cp);
+OPENSSL_free(cp);
 resdup = FALSE;
 }
 else if (strlen(var) > 5 && strcEQn(var, "I_DN_", 5)) {
@@ -543,6 +547,10 @@
 else
 /* client verification failed */
 result = ap_psprintf(p, "FAILED:%s", verr);
+
+if (xs != NULL)
+X509_free(xs);
+
 return result;
 }
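
Review bot: The added `X509_free(xs)` is correct only if `xs` in this function came from a call that hands the caller its own reference, and the hunk does not show that assignment. Put a comment at the free naming the call that produced `xs`, so this site is not confused with the SERVER_ case in the first hunk.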


Additionally, I still cannot reproduce the problem myself. So, can you
help me here by using a breakpoint at ssl_var_lookup_ssl_cert() and then
single-stepping until the problem occurs? This would help us in really
locating the problem.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



RE: mod_ssl/2.8.13 and php AND Problem with 2.8.13 and Solaris 2.6

2003-03-21 Thread Boyle Owen
Can we bring these threads together? It would seem we have:

>Burkhard:
>Apache/1.3.27 mod_gzip/1.3.26.1a PHP/4.3.1 mod_ssl/2.8.13 
>OpenSSL/0.9.7a

QUESTION: What OS?

And:

>Jazz:
>mod_ssl 2.8.13, OpenSSL 0.9.6i with apache 1.3.27 
>... on Solaris 2.6/Sparc

QUESTION: using PHP?

Both have the same problem, HTTP is OK but HTTPS causes segfault.

Any other users experiencing this?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.



RE: mod_ssl/2.8.13 and php

2003-03-20 Thread Artur Pydo
Hi,

I can see the same segmentation fault :

FreeBSD 4.8-STABLE
Apache 1.3.27
Openssl 0.9.7a
Modssl 2.8.13
PHP 4.3.1 / PHP 4.3.2RC1 / PHP 4.3.2-snapshot
It happens both with static compilation and as DSO.

The backtrace seems to be pointing out an error in
ssl_var_lookup_ssl_cert().
This problem only appears with PHP compiled in and
asking for a .php document. I mean asking for a html
document works fine.
Backtrace (sorry for the formatting) :

Program received signal SIGSEGV, Segmentation fault.
0x283a6e9a in ssl_var_lookup_ssl_cert () from 
/usr/local/apache/libexec/libssl.so
(gdb) bt
#0  0x283a6e9a in ssl_var_lookup_ssl_cert () from 
/usr/local/apache/libexec/libssl.so
#1  0x283a6d49 in ssl_var_lookup_ssl () from 
/usr/local/apache/libexec/libssl.so
#2  0x283a6291 in ssl_var_lookup () from /usr/local/apache/libexec/libssl.so
#3  0x283a11c8 in ssl_hook_Fixup () from /usr/local/apache/libexec/libssl.so
#4  0x805472b in run_method (r=0x815d034, offset=29, run_all=1) at 
http_config.c:370
#5  0x805480a in ap_run_fixups (r=0x815d034) at http_config.c:397
#6  0x806a7cc in process_request_internal (r=0x815d034) at 
http_request.c:1303
#7  0x806a866 in ap_process_request (r=0x815d034) at http_request.c:1324
#8  0x80610eb in child_main (child_num_arg=0) at http_main.c:4689
#9  0x80612cd in make_child (s=0x80b0034, slot=0, now=1048177481) at 
http_main.c:4813
#10 0x8061446 in startup_children (number_to_start=5) at http_main.c:4895
#11 0x8061a74 in standalone_main (argc=5, argv=0xbfbffb04) at 
http_main.c:5203
#12 0x80622f0 in main (argc=5, argv=0xbfbffb04) at http_main.c:5566
#13 0x804f4b1 in _start ()

--

Best regards,

Artur Pydo.



RE: mod_ssl/2.8.13 and php

2003-03-20 Thread Ed Kubaitis
I see the problem with

  Apache/1.3.27
  mod_ssl/2.8.13
  (no other optional Apache modules except mod_rewrite)
  OpenSSL/0.9.7a
  Red Hat Linux 7.3 system
I tried OpenSSL 0.9.7a both with and without the RSA
blinding patch distributed by Ben Laurie and saw the
problem both times.
I see no problems with modssl 2.8.12 and OpenSSL 0.9.7a
-- either with or without the Ben Laurie patch.
I have made the error_log and ssl_engine_log for the
failure with 2.8.13 available at
 http://ejk.cso.uiuc.edu/modssl-2.8.13-logs/

--
Ed Kubaitis - [EMAIL PROTECTED]
CITES/STS - University of Illinois at Urbana-Champaign

Burkhard Ulrich wrote:

> I have this Problems with:
>
> Apache/1.3.27 mod_gzip/1.3.26.1a PHP/4.3.1 mod_ssl/2.8.13 OpenSSL/0.9.7a
>
> Requesting Pages without ssl encryption works fine but requesting this
> Pages with encryption causes segfault on every request.
>
> There are no Problems with  2.8.12
>
> Regards
>
> Burkhard
>
> On Wed, 19 Mar 2003, Frye, David wrote:
>
> > I had the same problem but without using PHP.  Ended up reverting back
> > to 2.8.12 until I (or someone else) can figure it out.  It will also
> > install the snakeoil certificates even if I specify the path to an
> > existing cert.
> >
> > -Original Message-
> > From: Sophia Petridou [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, March 19, 2003 9:39 AM
> > To: [EMAIL PROTECTED]
> > Subject: mod_ssl/2.8.13 and php
> >
> > Hello all,
> >
> > SERVER: Apache 1.3.27 + mod_ssl/2.8.13 + PHP/4.3.1
> >
> > I have just installed mod_ssl/2.8.13 and my server
> > has started without problems.
> > (config command: ./configure  --with-apxs=/usr/local/apache/bin/apxs
> > --with-ssl=/usr/local/ssl --with-mm=/usr/local/include)
> >
> > The requests about html files or server-status and server-info pages
> > are ok. But, when I request a php file (/php3-info.php3) I get the
> > message
> > 'The page cannot be displayed'. These are the entries in my error log
> > file:
> > [Wed Mar 19 16:10:31 2003] [notice] child pid 11411 exit signal
> > Segmentation Fault (11)
> > [Wed Mar 19 16:10:33 2003] [notice] child pid 11414 exit signal
> > Segmentation Fault (11)
> > [Wed Mar 19 16:20:54 2003] [notice] child pid 11413 exit signal
> > Segmentation Fault (11)
> > [Wed Mar 19 16:21:04 2003] [notice] child pid 11415 exit signal
> > Segmentation Fault (11)
> > [Wed Mar 19 16:21:17 2003] [notice] child pid 11412 exit signal
> > Segmentation Fault (11)
> >
> > This problem does not exist with mod_ssl/2.8.12 and the same version of
> > php
> >
> > thanks in advance
> >
> > -sophia



RE: mod_ssl/2.8.13 and php

2003-03-20 Thread Burkhard Ulrich

I have this Problems with:

Apache/1.3.27 mod_gzip/1.3.26.1a PHP/4.3.1 mod_ssl/2.8.13 OpenSSL/0.9.7a

Requesting Pages without ssl encryption works fine but requesting this
Pages with encryption causes segfault on every request.

There are no Problems with  2.8.12

Regards

Burkhard


On Wed, 19 Mar 2003, Frye, David wrote:

> I had the same problem but without using PHP.  Ended up reverting back to 2.8.12 
> until I (or someone else) can figure it out.  It will also install the snakeoil 
> certificates even if I specify the path to an existing cert.
> 
> -Original Message-
> From: Sophia Petridou [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 19, 2003 9:39 AM
> To: [EMAIL PROTECTED]
> Subject: mod_ssl/2.8.13 and php
> 
> 
> Hello all,
> 
> SERVER: Apache 1.3.27 + mod_ssl/2.8.13 + PHP/4.3.1
> 
> I have just installed mod_ssl/2.8.13 and my server
> has started without problems.
> (config command: ./configure  --with-apxs=/usr/local/apache/bin/apxs
> --with-ssl=/usr/local/ssl --with-mm=/usr/local/include)
> 
> The requests about html files or server-status and server-info pages
> are ok. But, when I request a php file (/php3-info.php3) I get the
> message
> 'The page cannot be displayed'. These are the entries in my error log
> file:
> [Wed Mar 19 16:10:31 2003] [notice] child pid 11411 exit signal
> Segmentation Fault (11)
> [Wed Mar 19 16:10:33 2003] [notice] child pid 11414 exit signal
> Segmentation Fault (11)
> [Wed Mar 19 16:20:54 2003] [notice] child pid 11413 exit signal
> Segmentation Fault (11)
> [Wed Mar 19 16:21:04 2003] [notice] child pid 11415 exit signal
> Segmentation Fault (11)
> [Wed Mar 19 16:21:17 2003] [notice] child pid 11412 exit signal
> Segmentation Fault (11)
> 
> This problem does not exist with mod_ssl/2.8.12 and the same version of
> php
> 
> thanks in advance
> 
> -sophia
> 


RE: mod_ssl/2.8.13 and php

2003-03-19 Thread Frye, David
I had the same problem but without using PHP.  Ended up reverting back to 2.8.12 until 
I (or someone else) can figure it out.  It will also install the snakeoil certificates 
even if I specify the path to an existing cert.

-Original Message-
From: Sophia Petridou [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 19, 2003 9:39 AM
To: [EMAIL PROTECTED]
Subject: mod_ssl/2.8.13 and php


Hello all,

SERVER: Apache 1.3.27 + mod_ssl/2.8.13 + PHP/4.3.1

I have just installed mod_ssl/2.8.13 and my server
has started without problems.
(config command: ./configure  --with-apxs=/usr/local/apache/bin/apxs
--with-ssl=/usr/local/ssl --with-mm=/usr/local/include)

The requests about html files or server-status and server-info pages
are ok. But, when I request a php file (/php3-info.php3) I get the
message
'The page cannot be displayed'. These are the entries in my error log
file:
[Wed Mar 19 16:10:31 2003] [notice] child pid 11411 exit signal
Segmentation Fault (11)
[Wed Mar 19 16:10:33 2003] [notice] child pid 11414 exit signal
Segmentation Fault (11)
[Wed Mar 19 16:20:54 2003] [notice] child pid 11413 exit signal
Segmentation Fault (11)
[Wed Mar 19 16:21:04 2003] [notice] child pid 11415 exit signal
Segmentation Fault (11)
[Wed Mar 19 16:21:17 2003] [notice] child pid 11412 exit signal
Segmentation Fault (11)

This problem does not exist with mod_ssl/2.8.12 and the same version of
php

thanks in advance

-sophia



Re: mod_ssl/mod_jk failure with client authentication on

2003-03-07 Thread Aaron Stromas
I realised that I included an irrelevant log snippet from the SSL log. Please
see the correction below.

Aaron Stromas said:
> Hi,
>
> I apologise for cross-posting - I'm really not sure which component is
> at fault, looks like mod_ssl but possibly mod_jk. BTW, is there a list
> (or some other venue) dedicated to mod_jk?
>
> My environment is Apache 1.3.22, mod_ssl 2.8.5, OpenSSL 0.9.6b, tomcat
> 4.0.3. I have a servlet mounted like this
>
> JkMount /app/servlet/* ajp13
> JkMount /app/*.jsp ajp13
> 
>SSLVerifyClient require
>SSLVerifyDepth  4
> 
>
> When SSLVerifyClient is set to 'none' all works fine, but when I set it
> as above, to 'require', it seems that the SSL connection is repeatedly
> renegotiated. The mod_jk log stops at this line (I edited out log entry
> headers for clarity):
>
> Attempting to map URI '/app/servlet/ApplicationProxyServlet'
> jk_uri_worker_map_t::map_uri_to_worker, Found a context match ajp13 ->
> /app/servlet/
>
> whilst the ssl engine log shows this
> Connection to child 3 established (server
> www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
> Seeding PRNG with 1160 bytes of entropy
> OpenSSL: Handshake: start
> OpenSSL: Loop: before/accept initialization
> Inter-Process Session Cache: request=GET status=FOUND
> id=7A2A7121DDC60F144CA9F233A19E7BD7D88F0DCA06AEB588165EB9F01CA276DE
> (session reuse)
> OpenSSL: Loop: SSLv3 read client hello A
> OpenSSL: Loop: SSLv3 write server hello A
> OpenSSL: Loop: SSLv3 write change cipher spec A
> OpenSSL: Loop: SSLv3 write finished A
> OpenSSL: Loop: SSLv3 flush data
> OpenSSL: Loop: SSLv3 read finished A
> OpenSSL: Handshake: done
> Connection: Client IP: 164.95.119.43, Protocol: SSLv3, Cipher:
> EXP1024-RC4-SHA (56/128 bits)
> Initial (No.1) HTTPS request received for child 3 (server
> www-sps.sps.fms.treas.gov:443)
> OpenSSL: Write: SSL negotiation finished successfully
> Connection to child 3 closed with standard shutdown (server
> www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
> Connection to child 4 established (server
> www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
> Seeding PRNG with 1160 bytes of entropy
> OpenSSL: Handshake: start
> OpenSSL: Loop: before/accept initialization
> [Connection to child 5 established (server
> www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
> Seeding PRNG with 1160 bytes of entropy
> OpenSSL: Handshake: start
> OpenSSL: Loop: before/accept initialization
> OpenSSL: Loop: SSLv3 read client hello A
> OpenSSL: Loop: SSLv3 write server hello A
> OpenSSL: Loop: SSLv3 write certificate A
> OpenSSL: Loop: SSLv3 write key exchange A
> OpenSSL: Loop: SSLv3 write server done A
> OpenSSL: Loop: SSLv3 flush data
> OpenSSL: Loop: SSLv3 read client key exchange A
> OpenSSL: Loop: SSLv3 read finished A
> OpenSSL: Loop: SSLv3 write change cipher spec A
> OpenSSL: Loop: SSLv3 write finished A
> OpenSSL: Loop: SSLv3 flush data
> 
  [ more SSL handshake]

OpenSSL: Handshake: done
Connection: Client IP: 164.95.119.43, Protocol: TLSv1, Cipher:
EDH-RSA-DES-CBC3-SHA (168/168 bits)
Initial (No.1) HTTPS request received for child 1 (server
www-sps.sps.fms.treas.gov:443)
Changed client verification type will force renegotiation
Requesting connection re-negotiation
Performing full renegotiation: complete handshake protocol
OpenSSL: Write: SSL negotiation finished successfully
Connection to child 0 closed with standard shutdown (server
www-sps.sps.fms.treas.gov:443, client 164.95.119.43)
I/O: sucked 4708 bytes of input data from SSL/TLS I/O layer for delayed
injection into Apache I/O layer
OpenSSL: Handshake: start
OpenSSL: Loop: SSL renegotiate ciphers
OpenSSL: Loop: SSLv3 write hello request A
OpenSSL: Loop: SSLv3 flush data
Awaiting re-negotiation handshake
OpenSSL: Handshake: start
OpenSSL: Loop: before accept initialization
Inter-Process Session Cache: request=REM status=OK
id=38B1D98C2B4A6384FA080BDD4374ACE13881B23AD58834437874A1F03733FCFE (session
dead)
Write: SSLv3 read client hello B
OpenSSL: Exit: error in SSLv3 read client hello B
Re-negotiation handshake failed: Not accepted by client!?
I/O: injecting 4708 bytes of pre-sucked data into Apache I/O layer
OpenSSL: Write: SSLv3 read client hello B
OpenSSL: Exit: error in SSLv3 read client hello B
SSL error on writing data (OpenSSL library error follows)
OpenSSL: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
Connection to child 1 closed with standard shutdown (server
www-sps.sps.fms.treas.gov:443, client 164.95.119.43)


>
>
> In contrast, when SSLVerifyClient is 'none', mod_jk log shows
>
> Attempting to map URI '/app/servlet/ApplicationProxyServlet'
> jk_uri_worker_map_t::map_uri_to_worker, Found a context match ajp13 ->
> /app/servlet/
> Into wc_get_worker_for_name ajp13
> wc_get_worker_for_name, done  found a worker
> Into jk_worker_t::get_endpoint
> In jk_endpoint_t::ajp_get_endpoint, time elapsed since last request =
> 534 seconds
> Into jk_endpoint_t::service
> Into ajp_marshal_into_msgb
> ajp_marshal_into_msgb -

Re: mod_ssl/openssl error with test certificate?

2003-03-05 Thread Geoff Thorpe
* Otto L. Miller ([EMAIL PROTECTED]) wrote:

[snip]

> I checked permissions and thought that might be the problem, however,
> the problem persists even if I 'chmod 444
> /opt/sisapache/conf/ssl.crt/server.crt'.  Any thoughts?

Could you post a copy of the server.crt file?

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/



RE: mod_ssl 2.8.12 + apache 1.3.26

2003-02-28 Thread R. DuFresne

additionally, each version of modssl is diff'ed against the version of
apache it is designated for.  There have been times I think Ralf has
given out probable ways to fit one modssl version into a newer apache
release prior to the new modssl version, but has given warnings about
certain things possibly being borked in the process.

Thanks,

Ron DuFresne

On Fri, 28 Feb 2003, Jeff Bert wrote:

> Yes.  You should use mod_ssl 2.8.12 and apache 1.3.27 as there is a security
> issue with apache 1.3.26
> 
> Jeff
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of Ihor Bilyy
> > Sent: Friday, February 28, 2003 10:16 AM
> > To: [EMAIL PROTECTED]
> > Subject: mod_ssl 2.8.12 + apache 1.3.26
> > 
> > 
> > Hello All,
> > 
> > is there any problem running this combination (subj)?
> > 
> > thanks
> > -i-
> > 
> > 

-- 
~~
admin & senior security consultant:  sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!



RE: mod_ssl 2.8.12 + apache 1.3.26

2003-02-28 Thread Jeff Bert
Yes.  You should use mod_ssl 2.8.12 and apache 1.3.27 as there is a security
issue with apache 1.3.26

Jeff

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Ihor Bilyy
> Sent: Friday, February 28, 2003 10:16 AM
> To: [EMAIL PROTECTED]
> Subject: mod_ssl 2.8.12 + apache 1.3.26
> 
> 
> Hello All,
> 
> is there any problem running this combination (subj)?
> 
> thanks
> -i-
> 
> 
> 



RE: Mod_ssl and apache 2.0.40

2002-12-18 Thread francoise . tukalo
Sorry, I made a mistake in the configuration. In reality the directives in
ssl.conf are:
>

RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/home/httpd/html/telechargement/(.*)$ https://%{SERVER_NAME}/telechargement/$1 [R,L]


I test http://machine.site/telechargement/fichier.html

In reality, I have several questions:
Why does http_2.0.40 loop and why doesn't apache_1.3.27 loop?
And why does the server see the URL that I am testing,
http://machine.site/telechargement/fichier.html, as
/home/httpd/html/telechargement/fichier.html?

Perhaps it's an idiot question but I'd like someone to answer this.

Thanks.

Françoise TUKALO
STNA  8IS
Tel  : 05 62 14 53 95
Fax : 05 62 14 54 02
email : [EMAIL PROTECTED]




RE: Mod_ssl and apache 2.0.40

2002-12-17 Thread Boyle Owen
It is an obvious loop. Why are you surprised that this loops? Please
provide:

1) Example of incoming URL
2) What you want it to translate to

Rgds,

Owen Boyle

>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED]]
>Sent: Montag, 16. Dezember 2002 15:32
>To: [EMAIL PROTECTED]
>Subject: Mod_ssl and apache 2.0.40
>
>
>Hello,
>
>I install on a PC linux redhat 8.0 a web server apache 2.0.40 and mod ssl
>0.9.6b (configuration include in redhat 8.0)
>
>I want to access a directory of my site with ssl. The directory site pages
>have been written in html without ssl.
>To avoid the rewriting of all pages, I try to put the following directives
>in /etc/httpd/conf.d/ssl.conf
>
>
>RewriteEngine on
>RewriteCond %{HTTPS} !=on
>RewriteRule ^/home/httpd/html/telechargement/(.*)$ https://%{SERVER_NAME}/telechargement/$1 [R,L]
>
>
>If I test http://machine.site/telechargement/fichier.html. The server
>permanently loops .
>I obtain  the following messages in ssl_access_log :
>
>143.196.30.134 - - [10/Dec/2002:11:00:22 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
>143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
>143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
>143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
>143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
>143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
>143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
>143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
>143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
>143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
>143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
>143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
>
>I read a lot of archives of the mail and the faq of apache. I have seen
>that a lot of solutions for this matter has been found with apache 1.3.*.
>So i compile apache_1.3.27 with mod-ssl_2.8.12 on
>the same PC. I test this server with the same config and it works fine.
>
>Does anyone know where the problem is?
>
>Regards
>
>
>

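The run of identical 302 entries quoted from ssl_access_log in this thread is what a redirect loop looks like in an access log. The Python below is an added example, not code from the thread: it rejoins log entries that a mail client folded and quoted, parses them as Common Log Format, and flags a client that receives an unbroken run of redirects for the same path. The function names, the threshold of five redirects, the ten-second gap and the sample lines (constructed, using documentation addresses) are assumptions.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)
ENTRY_START = re.compile(r'^\S+ \S+ \S+ \[')
REDIRECTS = {301, 302, 303, 307, 308}

Hit = namedtuple("Hit", "host ts path status")
Loop = namedtuple("Loop", "host path count first last")


def unwrap(text):
    """Rejoin entries that a mail client folded and quoted with '>'."""
    entries, current = [], ""
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line:
            continue
        # A new "host ident user [" prefix starts a new entry; anything else
        # is the continuation of a folded one.
        current = line if ENTRY_START.match(line) else f"{current} {line}".strip()
        if CLF.match(current):
            entries.append(current)
            current = ""
    return entries


def parse(entries):
    """Turn complete CLF lines into Hit records, skipping unparsable ones."""
    hits = []
    for entry in entries:
        m = CLF.match(entry)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            hits.append(Hit(m.group("host"), ts, m.group("path"), int(m.group("status"))))
    return hits


def find_redirect_loops(hits, min_redirects=5, max_gap=timedelta(seconds=10)):
    """Flag (client, path) pairs answered with an unbroken run of redirects."""
    loops, runs = [], {}   # runs: (host, path) -> timestamps of the current run

    def close(key):
        run = runs.pop(key, [])
        if len(run) >= min_redirects:
            loops.append(Loop(key[0], key[1], len(run), run[0], run[-1]))

    for hit in sorted(hits, key=lambda h: h.ts):
        key = (hit.host, hit.path)
        if hit.status not in REDIRECTS:
            close(key)                       # a real answer ends the run
            continue
        if key in runs and hit.ts - runs[key][-1] > max_gap:
            close(key)                       # too far apart to be one loop
        runs.setdefault(key, []).append(hit.ts)
    for key in list(runs):
        close(key)
    return loops


# Constructed sample: six folded, quoted 302 entries for one client and path,
# then an unrelated client that is redirected once and then served.
_FOLDED = ('>192.0.2.10 - - [10/Dec/2002:11:00:{sec} +0100] "GET \n'
           '>/test/compteftp.doc\n'
           '>HTTP/1.1" 302 295\n')
SAMPLE_LOG = "".join(_FOLDED.format(sec=s) for s in (22, 23, 23, 23, 23, 23)) + (
    '192.0.2.20 - - [10/Dec/2002:11:00:24 +0100] "GET /telechargement/fichier.html HTTP/1.1" 302 295\n'
    '192.0.2.20 - - [10/Dec/2002:11:00:25 +0100] "GET /telechargement/fichier.html HTTP/1.1" 200 5120\n'
)

if __name__ == "__main__":
    for loop in find_redirect_loops(parse(unwrap(SAMPLE_LOG))):
        print(f"{loop.host} {loop.path}: {loop.count} redirects "
              f"between {loop.first:%H:%M:%S} and {loop.last:%H:%M:%S}")
```

A single redirect followed by a normal response, as for the second client in the sample, is not reported.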



Re: mod_ssl Project Environment Migrated

2002-12-15 Thread Ralf S. Engelschall

In article <[EMAIL PROTECTED]> you wrote:

>> > > Just for your information: the Apache mod_ssl project environment was
>> > > migrated to a new location. In case of any problems, contact me.
>> > >
>> > It seems that cvs is broken - http://www.modssl.org/source/cvs/ and
>> > the docs taken from the sorce - like
>> > http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL
>> > both result in Internal Server Error.
>> 
>> Ops, yes, of course. Because there is no more active development on
>> mod_ssl for Apache 1.3, the CVS environment is no longer provided
>> publically (because there would be no interesting things to monitor at
>> all) and hence the new public project environment has no CVS setup.
>> So, CVS related things are now gone from the website. Just my fault in
>> forgetting to synchronize the website. Now fixed. Thanks for the hint.
> 
> does this imply there are to be no more apache 1.3 developement or version
> updates, thus modssl is now moving entirely into the source for apache
> 2.0?

Err... mod_ssl already _IS_ included in the official Apache 2 source tree...

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: mod_ssl Project Environment Migrated

2002-12-15 Thread R. DuFresne
On Sun, 15 Dec 2002, Ralf S. Engelschall wrote:

> On Sun, Dec 15, 2002, Mads Toftum wrote:
> 
> > On Sun, Dec 15, 2002 at 09:41:11AM +0100, Ralf S. Engelschall wrote:
> > > Just for your information: the Apache mod_ssl project environment was
> > > migrated to a new location. In case of any problems, contact me.
> > >
> > It seems that cvs is broken - http://www.modssl.org/source/cvs/ and
> > the docs taken from the sorce - like
> > http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL
> > both result in Internal Server Error.
> 
> Ops, yes, of course. Because there is no more active development on
> mod_ssl for Apache 1.3, the CVS environment is no longer provided
> publically (because there would be no interesting things to monitor at
> all) and hence the new public project environment has no CVS setup.
> So, CVS related things are now gone from the website. Just my fault in
> forgetting to synchronize the website. Now fixed. Thanks for the hint.

Ralf,

does this imply there are to be no more apache 1.3 development or version
updates, thus modssl is now moving entirely into the source for apache
2.0?


Thanks,

Ron DuFresne
-- 
~~
admin & senior security consultant:  sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!




Re: mod_ssl Project Environment Migrated

2002-12-15 Thread Ralf S. Engelschall
On Sun, Dec 15, 2002, Mads Toftum wrote:

> On Sun, Dec 15, 2002 at 09:41:11AM +0100, Ralf S. Engelschall wrote:
> > Just for your information: the Apache mod_ssl project environment was
> > migrated to a new location. In case of any problems, contact me.
> >
> It seems that cvs is broken - http://www.modssl.org/source/cvs/ and
> the docs taken from the sorce - like
> http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL
> both result in Internal Server Error.

Oops, yes, of course. Because there is no more active development on
mod_ssl for Apache 1.3, the CVS environment is no longer provided
publicly (because there would be no interesting things to monitor at
all) and hence the new public project environment has no CVS setup.
So, CVS related things are now gone from the website. Just my fault in
forgetting to synchronize the website. Now fixed. Thanks for the hint.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: mod_ssl Project Environment Migrated

2002-12-15 Thread Mads Toftum
On Sun, Dec 15, 2002 at 09:41:11AM +0100, Ralf S. Engelschall wrote:
> Just for your information: the Apache mod_ssl project environment was
> migrated to a new location. In case of any problems, contact me.
> 
It seems that cvs is broken - http://www.modssl.org/source/cvs/ and
the docs taken from the source - like 
http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL
both result in Internal Server Error.

vh

Mads Toftum
-- 
`Darn it, who spiked my coffee with water?!' - lwall




RE: Mod_ssl in apache 2.X

2002-12-05 Thread David Loesche
Here is a config for Solaris 8, gcc 3.1, Apache 2.x - multithreaded with SSL
- I had no issues with this and am not an expert on Linux by any means.
Perhaps this might help.  If not delete it.

#!/bin/ksh
PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin
LD_LIBRARY_PATH=/usr/local/lib:/usr/local/ssl/lib:/usr/lib
export PATH LD_LIBRARY_PATH

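# Pass the build settings to ./configure in its environment: the assignments
# must sit on the same (continued) command line as ./configure.
SSL_BASE=/usr/local/ssl \
LIBS=/usr/lib/libC.so.5 \
CFLAGS=-fPIC \
./configure --prefix=/opt/apache \
--enable-ssl \
--with-ssl=/usr/local/ssl/ \
--enable-so \
--with-mpm=worker \
--enable-deflate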

David S. Loesche
[EMAIL PROTECTED] Yipes Enterprise Services, Inc.
Main:   (415) 901-2000  114 Sansome Street, Suite 1045
Direct: (415) 901-2210  San Francisco, CA 94104
Fax:(415) 901-2201  http://www.yipes.com

Yipes is the defining provider of fully scalable bandwidth for businesses.
We offer fully managed high-speed Internet and Nationwide LAN-to-LAN
services at speeds ranging from 1 Mbps to 1 Gbps, in 1 Mbps increments. 

Yipes delivers this uniquely flexible service over the first nationwide
system of optical IP networks.


-Original Message-
From: Johan Bryssling [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 05, 2002 2:39 AM
Cc: [EMAIL PROTECTED]
Subject: RE: Mod_ssl in apache 2.X

Hi!

Im not here to quarrel with you kid. Im here to get some help, and your
insults are not helping very much.

I thought this was the modssl-users list for people with
not-so-much-expert-knowledge and not the linux-experts-with-nolife
mailinglist.

Im working under time pressure and cannot afford reading old documentation
all day and then guess how the latter versions work (but of course I have
read most of the old documentation anyway...).

If I understand the example below I could rewrite it:

CC="pgcc" CFLAGS="-O2" \
 ./configure --prefix=/sw/pkg/apache \
 --enable-ssl=shared
?

... and load "mod_ssl.so" dynamically with "Loadmodule" latter on? Right?
(Of course its right.. ;) )

"Now you have to do some work on your own, you can't expect others to do it
all for you and remain lazy."

You call me lazy and think you know me after one email, that's cute. ;) I
was asking a question and not hiring you or anybody else for a job. You even
didnt have to answer. Im not demanding anything. (This is the first time I
ask a usergroup a question at all, silly.)

"The new apache is not the best as far as documentation concerns, certainly
not up to the documentation that the older apache with or without mod-ssl
integration, but, there is info to be gleened, if one looks"

Right, I and other developers still havnt all day, thats why it exists
user-groups to ask someone who already knows and perhaps have some time over
for an clear answer.

If I had some time over myself I would be happy to contribute with some
quick-start-(dummy)-tutorials, because it's needed. Setting up Apache2 with
SSL must be one of the most common configurations... Perhaps I will
contribute in not-so-distance-future. ;)

Regards

/Johan







-Original Message-
From: R. DuFresne [mailto:[EMAIL PROTECTED]]
Sent: den 4 december 2002 16:53
To: Johan Bryssling
Cc: [EMAIL PROTECTED]
Subject: Re: Mod_ssl in apache 2.X



Didn't read any of the documentation in that tarball did ya?

   INSTALL

[SNIP]

  For a short impression of what possibilities you have, here is a
  typical example which configures Apache for the installation tree
  /sw/pkg/apache with a particular compiler and flags plus the two
  additional modules mod_rewrite and mod_speling for later loading
  through the DSO mechanism:

 $ CC="pgcc" CFLAGS="-O2" \
 ./configure --prefix=/sw/pkg/apache \
 --enable-rewrite=shared \
 --enable-speling=shared

  The easiest way to find all of the configuration flags for Apache 2.0
  is to run ./configure --help.

[SNIP]

The new apache is not the best as far as documentation concerns, certainly
not up to the documentation that the older apache with or without mod-ssl
integration, but, there is info to be gleaned, if one looks.

How about the apache web pages, read that at all?

Now you have to do some work on your own, you can't expect others to do it
all for you and remain lazy.

Thanks,

Ron DuFresne

On Wed, 4 Dec 2002, Johan Bryssling wrote:

> Hi!
>
> I have a couple of questions:
>
> If mod_ssl is included in apache2.x why doesn't it show up in the modulelist
> when I use:
>
> %> httpd -l
>
> ?
>
> If it's not "included" when I "default" compile (using the INSTALL-file
> instructions), how do I know how to compile in the mod_ssl into the apache
> (if this is my first time)?
>
> Where do I find information about these thi

RE: mod_ssl & mod_proxy

2002-12-05 Thread HMajidy



Apache does get the requests in my case, as verified in log files created by

CustomLog /usr/local/apache/logs/referer_log referer
CustomLog /usr/local/apache/logs/agent_log agent

in httpd.conf. BTW, my LDAP authentication is handled by the internal
(iPlanet) web server.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Alexandre
Sent: Thursday, December 05, 2002 8:53 AM
To: [EMAIL PROTECTED]
Subject: Re: mod_ssl & mod_proxy

oh my God
I have exactly the same problem ...
the only difference is that my authentication is on Ldap directory in
the internal net
when I click on the link http://host.myinternalnet.com
nothing happens
only the loop
and Apache doesn't get a request
I'm sniffing the interfaces but the request doesn't send ok.
can anyone help us ???
thanks
Alexandre

HMajidy wrote:

This is to report a problem with Apache with mod_ssl and mod_proxy, and to
request the community's help in resolving it.

Objective: The objective is to set up 
Apache as a reverse proxy, to receive encrypted HTTPS traffic over the 
Internet and to convert it to HTTP and direct it to a web server through a 
firewall. 

Problem: Apache seems to be redirecting 
traffic to the virtual hosts on the local filesystem correctly, but 
mod_proxy does not seem to send requests to remote URL (as specified by 
ProxyRemote directive below). SSL does display correct certificate from 
requesting browser. 

Troubleshooting Steps Taken: 
Experimenting with the target URL (IP and hosname) and various proxy 
directives (ie ProxyPassReverse, ProxyPass) I have not been able to 
establish that proxy is doing anything at all. 
Apache has been recompiled with mod_ssl 
and mod_proxy as DSOs as well as statically linked in modules. 


Here's the system configuration:
Linux version 2.2.16-22smp
gcc version egcs-2.91.66
Server version: Apache/1.3.27 (Unix)
Compiled-in modules: 
http_core.c 
mod_env.c 
mod_log_config.c 
mod_mime.c 
mod_negotiation.c 
mod_status.c 
mod_include.c 
mod_autoindex.c 
mod_dir.c 
mod_cgi.c 
mod_asis.c 
mod_imap.c 
mod_actions.c 
mod_userdir.c 
mod_alias.c 
mod_access.c 
mod_auth.c 
mod_proxy.c 
mod_setenvif.c 
mod_ssl.c 
OpenSSL 0.9.6g 9 August 2002

httpd.conf 
AddModule mod_proxy.c 
 
ProxyRequests off 
NoCache * 
AllowCONNECT 443,80 
 
Order Allow,Deny 
Allow from All 
 
ProxyRemote * http://1.2.3.4:85 
 
NameVirtualHost * 
Listen *:443 
 
SSLEngine on 
ServerName www.mydomain.com 
DocumentRoot /usr/local/apache/htdocs 
ErrorLog logs/443-error_log 
 
Listen *:80 
 
ServerAdmin [EMAIL PROTECTED] 
DocumentRoot /usr/local/apache/www 
ServerName www1.mydomain.com 
ErrorLog logs/80-error_log 
 

Can anyone see a conflict or omission 
in this configuration? Does anyone have these two modules working together 
in a reverse proxy scenario? Any help or suggestions would be 
appreciated. 

Regards, 
Hamid. 

PS. Please reply to [EMAIL PROTECTED] as well as to this 
list.


RE: mod_ssl & mod_proxy

2002-12-05 Thread HMajidy
Thanks for your reply. The behavior is the same with ProxyPass and ProxyPassReverse 
instead of ProxyRemote. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Christopher McCrory
Sent: Thursday, December 05, 2002 10:29 AM
To: [EMAIL PROTECTED]
Subject: Re: mod_ssl & mod_proxy


Hello...



On Thu, 2002-12-05 at 10:12, HMajidy wrote:
> This is to report a problem with Apache with mod_ssl and mod_proxy,
> and to request the community’s help in resolving it.  
> 
>  
> 
> Objective: The objective is to set up Apache as a reverse proxy, to
> receive encrypted HTTPS traffic over the Internet and to convert it to
> HTTP and direct it to a web server through a firewall.
> 

From what I see, you don't have a proxypass directive, ala:


ProxyPass        /foo http://cruella.pricegrabber.com/foo
ProxyPassReverse /foo http://cruella.pricegrabber.com/foo


>  
> 
> Problem: Apache seems to be redirecting traffic to the virtual hosts
> on the local filesystem correctly, but mod_proxy does not seem to send
> requests to remote URL (as specified by ProxyRemote directive below).
> SSL does display correct certificate from requesting browser.
> 
>  
> 
> Troubleshooting Steps Taken: Experimenting with the target URL (IP and
> hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass)
> I have not been able to establish that proxy is doing anything at all.
> 
> Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well
> as statically linked in modules.
> 
>  
> 
> Here’s the system configuration:
> 
> Linux version 2.2.16-22smp
> 
> gcc version egcs-2.91.66
> 
> Server version: Apache/1.3.27 (Unix)
> 
> Compiled-in modules:
> 
>   http_core.c
> 
>   mod_env.c
> 
>   mod_log_config.c
> 
>   mod_mime.c
> 
>   mod_negotiation.c
> 
>   mod_status.c
> 
>   mod_include.c
> 
>   mod_autoindex.c
> 
>   mod_dir.c
> 
>   mod_cgi.c
> 
>   mod_asis.c
> 
>   mod_imap.c
> 
>   mod_actions.c
> 
>   mod_userdir.c
> 
>   mod_alias.c
> 
>   mod_access.c
> 
>   mod_auth.c
> 
>   mod_proxy.c
> 
>   mod_setenvif.c
> 
>   mod_ssl.c
> 
> OpenSSL 0.9.6g 9 August 2002
> 
>  
> 
> httpd.conf
> 
> AddModule mod_proxy.c
> 
> 
> 
> ProxyRequests off
> 
> NoCache *
> 
> AllowCONNECT 443,80
> 
> 
> 
> Order Allow,Deny
> 
> Allow from All
> 
> 
> 
> ProxyRemote * http://1.2.3.4:85
> 
> 
> 
> NameVirtualHost *
> 
> Listen *:443
> 
> 
> 
> SSLEngine on
> 
> ServerName www.mydomain.com
> 
> DocumentRoot /usr/local/apache/htdocs
> 
> ErrorLog logs/443-error_log
> 
> 
> 
> Listen *:80
> 
> 
> 
> ServerAdmin [EMAIL PROTECTED]
> 
> DocumentRoot /usr/local/apache/www
> 
> ServerName www1.mydomain.com
> 
> ErrorLog logs/80-error_log
> 
> 
> 
>  
> 
> Can anyone see a conflict or omission in this configuration? Does
> anyone have these two modules working together in a reverse proxy
> scenario? Any help or suggestions would be appreciated.
> 
>  
> 
> Regards,
> 
> Hamid.
> 
>  
> 
> PS. Please reply to [EMAIL PROTECTED] as well as to this list.
-- 
Christopher McCrory <[EMAIL PROTECTED]>
Pricegrabber




Re: mod_ssl & mod_proxy

2002-12-05 Thread Alexandre


oh my God
I have exactly the same problem ...
the only difference is that my authentication is on Ldap directory in
the internal net
when I click on the link http://host.myinternalnet.com
nothing happens
only the loop
and Apache doesn't get a request
I'm sniffing the interfaces but the request doesn't send ok.
can anyone help us ???
thanks
Alexandre
HMajidy wrote:
 
This is to report a problem with Apache with mod_ssl and mod_proxy, and to
request the community's help in resolving it.

Objective: The objective is to set up Apache as a reverse proxy, to receive
encrypted HTTPS traffic over the Internet and to convert it to HTTP and
direct it to a web server through a firewall.

Problem: Apache seems to be redirecting traffic to the virtual hosts on the
local filesystem correctly, but mod_proxy does not seem to send requests to
remote URL (as specified by ProxyRemote directive below). SSL does display
correct certificate from requesting browser.

Troubleshooting Steps Taken: Experimenting with the target URL (IP and
hostname) and various proxy directives (ie ProxyPassReverse, ProxyPass) I
have not been able to establish that proxy is doing anything at all.

Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well as
statically linked in modules.

Here's the system configuration:

Linux version 2.2.16-22smp
gcc version egcs-2.91.66
Server version: Apache/1.3.27 (Unix)
Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_access.c
  mod_auth.c
  mod_proxy.c
  mod_setenvif.c
  mod_ssl.c
OpenSSL 0.9.6g 9 August 2002

httpd.conf

AddModule mod_proxy.c

ProxyRequests off
NoCache *
AllowCONNECT 443,80

Order Allow,Deny
Allow from All

ProxyRemote * http://1.2.3.4:85

NameVirtualHost *
Listen *:443

SSLEngine on
ServerName www.mydomain.com
DocumentRoot /usr/local/apache/htdocs
ErrorLog logs/443-error_log

Listen *:80

ServerAdmin [EMAIL PROTECTED]
DocumentRoot /usr/local/apache/www
ServerName www1.mydomain.com
ErrorLog logs/80-error_log

Can anyone see a conflict or omission in this configuration? Does anyone have
these two modules working together in a reverse proxy scenario? Any help or
suggestions would be appreciated.

Regards,
Hamid.

PS. Please reply to [EMAIL PROTECTED] as well as to this list.




Re: mod_ssl & mod_proxy

2002-12-05 Thread Christopher McCrory
Hello...



On Thu, 2002-12-05 at 10:12, HMajidy wrote:
> This is to report a problem with Apache with mod_ssl and mod_proxy,
> and to request the community’s help in resolving it.  
> 
>  
> 
> Objective: The objective is to set up Apache as a reverse proxy, to
> receive encrypted HTTPS traffic over the Internet and to convert it to
> HTTP and direct it to a web server through a firewall.
> 

From what I see, you don't have a proxypass directive, ala:


ProxyPass        /foo http://cruella.pricegrabber.com/foo
ProxyPassReverse /foo http://cruella.pricegrabber.com/foo


>  
> 
> Problem: Apache seems to be redirecting traffic to the virtual hosts
> on the local filesystem correctly, but mod_proxy does not seem to send
> requests to remote URL (as specified by ProxyRemote directive below).
> SSL does display correct certificate from requesting browser.
> 
>  
> 
> Troubleshooting Steps Taken: Experimenting with the target URL (IP and
> hosname) and various proxy directives (ie ProxyPassReverse, ProxyPass)
> I have not been able to establish that proxy is doing anything at all.
> 
> Apache has been recompiled with mod_ssl and mod_proxy as DSOs as well
> as statically linked in modules.
> 
>  
> 
> Here’s the system configuration:
> 
> Linux version 2.2.16-22smp
> 
> gcc version egcs-2.91.66
> 
> Server version: Apache/1.3.27 (Unix)
> 
> Compiled-in modules:
> 
>   http_core.c
> 
>   mod_env.c
> 
>   mod_log_config.c
> 
>   mod_mime.c
> 
>   mod_negotiation.c
> 
>   mod_status.c
> 
>   mod_include.c
> 
>   mod_autoindex.c
> 
>   mod_dir.c
> 
>   mod_cgi.c
> 
>   mod_asis.c
> 
>   mod_imap.c
> 
>   mod_actions.c
> 
>   mod_userdir.c
> 
>   mod_alias.c
> 
>   mod_access.c
> 
>   mod_auth.c
> 
>   mod_proxy.c
> 
>   mod_setenvif.c
> 
>   mod_ssl.c
> 
> OpenSSL 0.9.6g 9 August 2002
> 
>  
> 
> httpd.conf
> 
> AddModule mod_proxy.c
> 
> 
> 
> ProxyRequests off
> 
> NoCache *
> 
> AllowCONNECT 443,80
> 
> 
> 
> Order Allow,Deny
> 
> Allow from All
> 
> 
> 
> ProxyRemote * http://1.2.3.4:85
> 
> 
> 
> NameVirtualHost *
> 
> Listen *:443
> 
> 
> 
> SSLEngine on
> 
> ServerName www.mydomain.com
> 
> DocumentRoot /usr/local/apache/htdocs
> 
> ErrorLog logs/443-error_log
> 
> 
> 
> Listen *:80
> 
> 
> 
> ServerAdmin [EMAIL PROTECTED]
> 
> DocumentRoot /usr/local/apache/www
> 
> ServerName www1.mydomain.com
> 
> ErrorLog logs/80-error_log
> 
> 
> 
>  
> 
> Can anyone see a conflict or omission in this configuration? Does
> anyone have these two modules working together in a reverse proxy
> scenario? Any help or suggestions would be appreciated.
> 
>  
> 
> Regards,
> 
> Hamid.
> 
>  
> 
> PS. Please reply to [EMAIL PROTECTED] as well as to this list.
-- 
Christopher McCrory <[EMAIL PROTECTED]>
Pricegrabber

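The observation in this message, that the posted configuration contains no ProxyPass mapping, can be checked mechanically. The Python lint below is an added example, not code from the thread: it parses httpd.conf-style text and reports an SSL virtual host with no ProxyPass, a ProxyPass with no matching ProxyPassReverse, ProxyRemote used without any mapping, and ProxyRequests On. The container tags did not survive in the posted configuration, so the `<VirtualHost>` and `<Directory>` lines in the constructed samples, the `/` mapping path and the finding names are assumptions.

```python
import re

OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE = re.compile(r"^</\w+>$")


def parse_conf(text):
    """Return (vhost, directive, args) tuples; vhost is None for the main server."""
    stack, out = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        opened = OPEN.match(line)
        if opened:
            stack.append((opened.group(1).lower(), opened.group(2).strip()))
            continue
        words = line.split()
        vhost = next((arg for kind, arg in stack if kind == "virtualhost"), None)
        out.append((vhost, words[0].lower(), words[1:]))
    return out


def _args(directives, name):
    return [args for directive, args in directives if directive == name]


def _is_on(args):
    return bool(args) and args[0].lower() == "on"


def lint_reverse_proxy(text):
    """Return (code, scope, message) findings for a reverse-proxy configuration."""
    conf = parse_conf(text)
    main = [(d, a) for v, d, a in conf if v is None]
    vhosts = {}
    for v, d, a in conf:
        if v is not None:
            vhosts.setdefault(v, []).append((d, a))
    everything = [(d, a) for _, d, a in conf]
    findings = []

    if any(_is_on(a) for a in _args(everything, "proxyrequests")):
        findings.append(("forward-proxy-enabled", "server",
                         "ProxyRequests On makes this a forward proxy; a reverse proxy needs it Off"))
    if _args(everything, "proxyremote") and not _args(everything, "proxypass"):
        findings.append(("proxyremote-without-mapping", "server",
                         "ProxyRemote only picks an upstream proxy for requests mod_proxy "
                         "already handles; it maps no local URL to a backend"))

    for vhost, own in vhosts.items():
        if not any(_is_on(a) for a in _args(own, "sslengine")):
            continue
        visible = main + own   # simplification: main-server proxy settings are inherited
        mapped = {a[0] for a in _args(visible, "proxypass") if a}
        rewritten = {a[0] for a in _args(visible, "proxypassreverse") if a}
        if not mapped:
            findings.append(("no-proxypass", vhost,
                             "SSL virtual host has no ProxyPass, so requests are served from DocumentRoot"))
        for path in sorted(mapped - rewritten):
            findings.append(("no-proxypassreverse", vhost,
                             f"{path}: backend Location headers reach the client unrewritten"))
    return findings


# Constructed from the directives in the thread. The container tags were lost
# from the posted text, so the <VirtualHost> and <Directory> lines are assumed.
POSTED_STYLE = """
ProxyRequests off
<Directory proxy:*>
    Order Allow,Deny
    Allow from All
</Directory>
ProxyRemote * http://1.2.3.4:85
<VirtualHost *:443>
    SSLEngine on
    ServerName www.mydomain.com
    DocumentRoot /usr/local/apache/htdocs
</VirtualHost>
"""

# Same virtual host with an explicit mapping; the "/" path is an assumption.
WITH_MAPPING = """
ProxyRequests off
<VirtualHost *:443>
    SSLEngine on
    ProxyPass        / http://1.2.3.4:85/
    ProxyPassReverse / http://1.2.3.4:85/
</VirtualHost>
"""

if __name__ == "__main__":
    for finding in lint_reverse_proxy(POSTED_STYLE):
        print(*finding, sep=" | ")
```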



Re: Mod_ssl in apache 2.X

2002-12-05 Thread Daniel Lopez

For mod_ssl on Apache 2.0 you may want to check also the secure server
chapter I have online, which contains step by step instructions

http://www.apacheworld.org/ty24/

Best regards

Daniel

> Hi!
> 
> Im not here to quarrel with you kid. Im here to get some help, and your
> insults are not helping very much.
> 
> I thought this was the modssl-users list for people with
> not-so-much-expert-knowledge and not the linux-experts-with-nolife
> mailinglist.
> 
> Im working under time pressure and cannot afford reading old documentation
> all day and then guess how the latter versions work (but of course I have
> read most of the old documentation anyway...).
> 
> If I understand the example below I could rewrite it:
> 
> CC="pgcc" CFLAGS="-O2" \
>  ./configure --prefix=/sw/pkg/apache \
>  --enable-ssl=shared
> ?
> 
> ... and load "mod_ssl.so" dynamically with "Loadmodule" latter on? Right?
> (Of course its right.. ;) )
> 
> "Now you have to do some work on your own, you can't expect others to do it
> all for you and remain lazy."
> 
> You call me lazy and think you know me after one email, that's cute. ;) I
> was asking a question and not hiring you or anybody else for a job. You even
> didnt have to answer. Im not demanding anything. (This is the first time I
> ask a usergroup a question at all, silly.)
> 
> "The new apache is not the best as far as documentation concerns, certainly
> not up to the documentation that the older apache with or without mod-ssl
> integration, but, there is info to be gleened, if one looks"
> 
> Right, I and other developers still havnt all day, thats why it exists
> user-groups to ask someone who already knows and perhaps have some time over
> for an clear answer.
> 
> If I had some time over myself I would be happy to contribute with some
> quick-start-(dummy)-tutorials, because it's needed. Setting up Apache2 with
> SSL must be one of the most common configurations... Perhaps I will
> contribute in not-so-distance-future. ;)
> 
> Regards
> 
> /Johan
> 
> 
> 
> 
> 
> 
> 
> -Original Message-
> From: R. DuFresne [mailto:[EMAIL PROTECTED]]
> Sent: den 4 december 2002 16:53
> To: Johan Bryssling
> Cc: [EMAIL PROTECTED]
> Subject: Re: Mod_ssl in apache 2.X
> 
> 
> 
> Didn't read any of the documentation in that tarball did ya?
> 
>INSTALL
> 
>   [SNIP]
> 
>   For a short impression of what possibilities you have, here is a
>   typical example which configures Apache for the installation tree
>   /sw/pkg/apache with a particular compiler and flags plus the two
>   additional modules mod_rewrite and mod_speling for later loading
>   through the DSO mechanism:
> 
>  $ CC="pgcc" CFLAGS="-O2" \
>  ./configure --prefix=/sw/pkg/apache \
>  --enable-rewrite=shared \
>  --enable-speling=shared
> 
>   The easiest way to find all of the configuration flags for Apache 2.0
>   is to run ./configure --help.
> 
>   [SNIP]
> 
> The new apache is not the best as far as documentation concerns, certainly
> not up to the documentation that the older apache with or without mod-ssl
> integration, but, there is info to be gleened, if one looks.
> 
> How about the apache web pages, read that at all?
> 
> Now you have to do some work on your own, you can't expect others to do it
> all for you and remain lazy.
> 
> Thanks,
> 
> Ron DuFresne
> 
> On Wed, 4 Dec 2002, Johan Bryssling wrote:
> 
> > Hi!
> >
> > I have a couple of questions:
> >
> > If mod_ssl is included in apache2.x why doesnt it show up in the
> modulelist
> > when I use:
> >
> > %> httpd -l
> >
> > ?
> >
> > If it's not "included" when I "default" compile (using the INSTALL-file
> > instructions), how do I know how to compile in the mod_ssl into the apache
> > (if this is my first time)?
> >
> > Where do I find information about these things, I certainly don't install
> > apache on a regular basis.. ;-)
> >
> > I noted a default config file for SSL (I also found an include into the
> > httpd.config-file) and used the command:
> >
> > %>httpd -DSSL -k start
> >
> > .. but it (apache) couldn't find the mod_ssl.. Why? If it's included I
> > shouldn't bother or?... Something I missed?
> >
> > All help will be appreciated.
> >
> > Thanks...
> >
> > /Johan
> >
> > ps. Thinking of using Apache 1.3.7 instead due to the extended source of
> > good documentation.

RE: Mod_ssl in apache 2.X

2002-12-05 Thread Johan Bryssling
Hi!

I'm not here to quarrel with you, kid. I'm here to get some help, and your
insults are not helping very much.

I thought this was the modssl-users list for people with
not-so-much-expert-knowledge and not the linux-experts-with-nolife
mailinglist.

I'm working under time pressure and cannot afford reading old documentation
all day and then guess how the latter versions work (but of course I have
read most of the old documentation anyway...).

If I understand the example below I could rewrite it:

CC="pgcc" CFLAGS="-O2" \
 ./configure --prefix=/sw/pkg/apache \
 --enable-ssl=shared
?

... and load "mod_ssl.so" dynamically with "Loadmodule" later on? Right?
(Of course it's right.. ;) )

"Now you have to do some work on your own, you can't expect others to do it
all for you and remain lazy."

You call me lazy and think you know me after one email, that's cute. ;) I
was asking a question and not hiring you or anybody else for a job. You
didn't even have to answer. I'm not demanding anything. (This is the first time I
ask a usergroup a question at all, silly.)

"The new apache is not the best as far as documentation concerns, certainly
not up to the documentation that the older apache with or without mod-ssl
integration, but, there is info to be gleaned, if one looks"

Right, I and other developers still haven't all day; that's why user groups
exist, to ask someone who already knows and perhaps has some time over
for a clear answer.

If I had some time over myself I would be happy to contribute with some
quick-start-(dummy)-tutorials, because it's needed. Setting up Apache2 with
SSL must be one of the most common configurations... Perhaps I will
contribute in the not-so-distant future. ;)

Regards

/Johan







-Original Message-
From: R. DuFresne [mailto:[EMAIL PROTECTED]]
Sent: den 4 december 2002 16:53
To: Johan Bryssling
Cc: [EMAIL PROTECTED]
Subject: Re: Mod_ssl in apache 2.X



Didn't read any of the documentation in that tarball did ya?

   INSTALL

[SNIP]

  For a short impression of what possibilities you have, here is a
  typical example which configures Apache for the installation tree
  /sw/pkg/apache with a particular compiler and flags plus the two
  additional modules mod_rewrite and mod_speling for later loading
  through the DSO mechanism:

 $ CC="pgcc" CFLAGS="-O2" \
 ./configure --prefix=/sw/pkg/apache \
 --enable-rewrite=shared \
 --enable-speling=shared

  The easiest way to find all of the configuration flags for Apache 2.0
  is to run ./configure --help.

[SNIP]

The new apache is not the best as far as documentation concerns, certainly
not up to the documentation that the older apache with or without mod-ssl
integration, but, there is info to be gleaned, if one looks.

How about the apache web pages, read that at all?

Now you have to do some work on your own, you can't expect others to do it
all for you and remain lazy.

Thanks,

Ron DuFresne

On Wed, 4 Dec 2002, Johan Bryssling wrote:

> Hi!
>
> I have a couple of questions:
>
> If mod_ssl is included in apache2.x why doesn't it show up in the modulelist
> when I use:
>
> %> httpd -l
>
> ?
>
> If it's not "included" when I "default" compile (using the INSTALL-file
> instructions), how do I know how to compile in the mod_ssl into the apache
> (if this is my first time)?
>
> Where do I find information about these things, I certainly don't install
> apache on a regular basis.. ;-)
>
> I noted a default config file for SSL (I also found an include into the
> httpd.config-file) and used the command:
>
> %>httpd -DSSL -k start
>
> .. but it (apache) couldn't find the mod_ssl.. Why? If it's included I
> shouldn't bother or?... Something I missed?
>
> All help will be appreciated.
>
> Thanks...
>
> /Johan
>
> ps. Thinking of using Apache 1.3.7 instead due to the extended source of
> good documentation...

--
~~
admin & senior security consultant:  sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!
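
The distinction behind this exchange, as an added example that is not part of the original thread: `httpd -l` lists only modules compiled statically into the binary, so a mod_ssl built with `--enable-ssl=shared` is available only once a `LoadModule` line pulls it in. The function names and the sample `httpd -l` output and configuration text below are constructed for illustration.

```shell
#!/bin/sh
# Classify how mod_ssl is available to an Apache 2.x build.
#   $1 = captured output of `httpd -l` (lists compiled-in modules only)
#   $2 = text of httpd.conf
# Prints one of: static | shared | shared-no-dso | absent
ssl_module_status() {
    compiled=$1
    conf=$2

    # Statically linked: mod_ssl.c appears in the `httpd -l` list itself.
    if printf '%s\n' "$compiled" | grep -Eq '^[[:space:]]*mod_ssl\.c[[:space:]]*$'; then
        echo static
        return 0
    fi

    # Built with --enable-ssl=shared: only an active (uncommented)
    # LoadModule line makes the module available at startup.
    if printf '%s\n' "$conf" |
        grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+ssl_module[[:space:]]'; then
        # Loading any DSO requires mod_so.c to be compiled in.
        if printf '%s\n' "$compiled" | grep -Eq '^[[:space:]]*mod_so\.c[[:space:]]*$'; then
            echo shared
        else
            echo shared-no-dso
        fi
        return 0
    fi

    echo absent
}

# Succeeds when SSL directives sit inside <IfDefine SSL>, i.e. they are
# parsed only when the server is started with -DSSL.
ssl_gated_by_define() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*<IfDefine[[:space:]]+SSL>'
}

# Constructed sample: `httpd -l` output of a build made with --enable-ssl=shared.
SAMPLE_HTTPD_L='Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c'

# Constructed sample: module built as a DSO but never loaded.
SAMPLE_CONF_UNLOADED='#LoadModule ssl_module modules/mod_ssl.so
<IfDefine SSL>
Listen 443
</IfDefine>'

# Constructed sample: same file with the LoadModule line active.
SAMPLE_CONF_LOADED='LoadModule ssl_module modules/mod_ssl.so
<IfDefine SSL>
Listen 443
</IfDefine>'

echo "LoadModule commented out: $(ssl_module_status "$SAMPLE_HTTPD_L" "$SAMPLE_CONF_UNLOADED")"
echo "LoadModule active:        $(ssl_module_status "$SAMPLE_HTTPD_L" "$SAMPLE_CONF_LOADED")"
```

On a live system the two inputs would be `$(httpd -l)` and the contents of the server's httpd.conf.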






Re: Mod_ssl in apache 2.X

2002-12-04 Thread R. DuFresne

Didn't read any of the documentation in that tarball did ya?

   INSTALL

[SNIP]

  For a short impression of what possibilities you have, here is a
  typical example which configures Apache for the installation tree
  /sw/pkg/apache with a particular compiler and flags plus the two
  additional modules mod_rewrite and mod_speling for later loading
  through the DSO mechanism:

 $ CC="pgcc" CFLAGS="-O2" \
 ./configure --prefix=/sw/pkg/apache \
 --enable-rewrite=shared \
 --enable-speling=shared

  The easiest way to find all of the configuration flags for Apache 2.0
  is to run ./configure --help.

[SNIP]

The new apache is not the best as far as documentation concerns, certainly
not up to the documentation that the older apache with or without mod-ssl
integration, but, there is info to be gleaned, if one looks.

How about the apache web pages, read that at all?

Now you have to do some work on your own, you can't expect others to do it
all for you and remain lazy.

Thanks,

Ron DuFresne

On Wed, 4 Dec 2002, Johan Bryssling wrote:

> Hi!
> 
> I have a couple of questions:
> 
> If mod_ssl is included in apache2.x why doesn't it show up in the modulelist
> when I use:
> 
> %> httpd -l
> 
> ?
> 
> If it's not "included" when I "default" compile (using the INSTALL-file
> instructions), how do I know how to compile in the mod_ssl into the apache
> (if this is my first time)?
> 
> Where do I find information about these things, I certainly don't install
> apache on a regular basis.. ;-)
> 
> I noted a default config file for SSL (I also found an include into the
> httpd.config-file) and used the command:
> 
> %>httpd -DSSL -k start
> 
> .. but it (apache) couldn't find the mod_ssl.. Why? If it's included I
> shouldn't bother or?... Something I missed?
> 
> All help will be appreciated.
> 
> Thanks...
> 
> /Johan
> 
> ps. Thinking of using Apache 1.3.7 instead due to the extended source of
> good documentation...

-- 
~~
admin & senior security consultant:  sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!





Re: mod_ssl and mod_jk (Win32)

2002-12-04 Thread Paul Christmann
Answering my own question in case anyone else ever encounters this:

Modify Tomcat's server.xml specifying scheme="https" (rather than 
scheme="http") for the Connector used to wire Apache and Tomcat.

Paul Christmann wrote:
Environment:

Running Apache 2.0.43/OpenSSL 9.6.g as downloaded from 
hunter.campbus.com and mod_jk 1.2.1 for build 2.0.43 from jakarta.

Problem:

When I access the URL https://localhost/app, I *hope* to get the 
contents of index.html (i.e., https://localhost/app/index.html). 
Instead, my browser (Mozilla 1.0) reports a "Bad Request" error, 
indicating that there was a protocol error in accessing the URL 
"http://localhost:443/app/index.html".

Of course there will be a protocol error -- using http to talk to the 
https port!

Any ideas where that error might come from?  I assume it's something 
happening with a redirect in Tomcat.

FWIW:

Each of the following URLs work fine (right now, I have Apache 
configured to take all connections either from http or https and forward 
to Tomcat):

+ http://localhost/app
+ http://localhost/app/index.html
+ https://localhost/app/index.html

It's only the https://localhost/app URL that's failing.

Thanks for any assistance,

Paul Christmann
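
The symptom in this post can be checked for mechanically. The added example below (not from the original post) flags a redirect whose `Location` pairs `http://` with port 443 or drops from https to http, which is what a back end produces when it believes the request arrived over plain http; the function name and result labels are constructed for illustration.

```shell
#!/bin/sh
# Compare the URL a client requested with the Location header it got back.
# Prints one of: ok | downgrade | scheme-port-mismatch | relative
check_redirect() {
    requested=$1
    location=$2

    case $location in
        http://*|https://*) ;;
        *) echo relative; return 0 ;;   # no scheme to compare
    esac

    req_scheme=${requested%%://*}
    loc_scheme=${location%%://*}

    # authority = text between "://" and the next "/"
    authority=${location#*://}
    authority=${authority%%/*}
    case $authority in
        *:*) port=${authority##*:} ;;
        *)   port= ;;
    esac

    # http on the HTTPS port (or https on port 80): the URL was
    # assembled from a scheme that does not match the listener.
    if [ "$loc_scheme" = http ] && [ "$port" = 443 ]; then
        echo scheme-port-mismatch
        return 0
    fi
    if [ "$loc_scheme" = https ] && [ "$port" = 80 ]; then
        echo scheme-port-mismatch
        return 0
    fi

    # Request came in over TLS but the redirect leaves it.
    if [ "$req_scheme" = https ] && [ "$loc_scheme" = http ]; then
        echo downgrade
        return 0
    fi

    echo ok
}

# The failing case from the post, then the redirect one would expect.
echo "reported: $(check_redirect https://localhost/app http://localhost:443/app/index.html)"
echo "expected: $(check_redirect https://localhost/app https://localhost/app/index.html)"
```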





Re: mod_ssl for apache2 2.0.43

2002-11-07 Thread Joachim Feise
Paetsch, Christian (BearingPoint extern) wrote:

Hello,

I'm looking for the module mod_ssl for the new apache 2.0.43 server running
on a window32 platform. 
I can only find information about the mod_ssl for apache 1.3. 
Can I still use the latest version of mod_ssl?

Apache 2.x has the ssl code in the main distribution.




Re: mod_ssl for apache2 2.0.43

2002-11-06 Thread hunter
Paetsch, Christian (BearingPoint extern) wrote:


Hello,

I'm looking for the module mod_ssl for the new apache 2.0.43 server running
on a window32 platform. 
I can only find information about the mod_ssl for apache 1.3. 
Can I still use the latest version of mod_ssl?

Thanks in advance.

Regard,


Christian Paetsch  |  BearingPoint  |  Berlin, Germany

Phone +49 30 88004 59 20   | Mobile +49 172 38 73 175   | Fax +49 30 88004
9755 592

www.bearingpoint.com  





 

Christian,

- mod_ssl is built into Apache2 - it is included in the source.

You still need to build OpenSSL and place the build directly into the 
Apache source, but mod_ssl is there already.





RE: mod_ssl-2.0.40-8

2002-10-28 Thread John . Airey
I wasn't just surprised, I was confused. I was looking all over for the
apache package!

I've only had a brief dabble into 8.0, but will have to consider it if and
when our apache servers start to get any heavier load. My last attempt at
Apache 2.0 ended in disaster regardless of whether I used an RPM or compiled
it myself, so hopefully version 8.0 does what I haven't managed yet.

Thanks for the information.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Theories of evolution are like buses - there'll be another one along in a
minute


> -Original Message-
> From: Nadav Har'El [mailto:nyh@;math.technion.ac.il]
> Sent: 28 October 2002 10:26
> To: [EMAIL PROTECTED]
> Subject: Re: mod_ssl-2.0.40-8
> 
> 
> On Mon, Oct 28, 2002, [EMAIL PROTECTED] wrote about "RE: mod_ssl-2.0.40-8":
> > the "apache" package name disappears and is called "httpd" instead. I guess
> > they are synchronising the names of the packages to match the daemon names,
> > although I haven't yet checked to see if "bind" has become "named".
> 
> No, it hasn't, and remind "bind" (bind-9.2.1-9).
> 
> I think they wanted a different name when they switched from Apache 1 to
> Apache 2.
> By the way, considering Apache 2's site is "http://httpd.apache.org/",
> I guess the choice of name "httpd" could be understood. But I was also
> quite surprised when I first saw this name in Redhat 8.
> 
> -- 
> Nadav Har'El| Monday, Oct 28 2002, 22 Heshvan 5763
> [EMAIL PROTECTED] |-
> Phone: +972-53-245868, ICQ 13349191 |Long periods of drought are always
> http://nadav.harel.org.il   |followed by rain.



Re: mod_ssl-2.0.40-8

2002-10-28 Thread Nadav Har'El
On Mon, Oct 28, 2002, [EMAIL PROTECTED] wrote about "RE: mod_ssl-2.0.40-8":
> the "apache" package name disappears and is called "httpd" instead. I guess
> they are synchronising the names of the packages to match the daemon names,
> although I haven't yet checked to see if "bind" has become "named".

No, it hasn't, and remind "bind" (bind-9.2.1-9).

I think they wanted a different name when they switched from Apache 1 to
Apache 2.
By the way, considering Apache 2's site is "http://httpd.apache.org/",
I guess the choice of name "httpd" could be understood. But I was also
quite surprised when I first saw this name in Redhat 8.

-- 
Nadav Har'El| Monday, Oct 28 2002, 22 Heshvan 5763
[EMAIL PROTECTED] |-
Phone: +972-53-245868, ICQ 13349191 |Long periods of drought are always
http://nadav.harel.org.il   |followed by rain.



RE: mod_ssl-2.0.40-8

2002-10-28 Thread John . Airey
You'll find the source RPM on the source CD for Red Hat 8.0. Install it as
any normal package (eg rpm -ivh), and you'll find the spec file that built
the binary in /usr/src/redhat/SPECS.

As Geoff points out, it is unusual that Red Hat 8.0 uses a separate package
name, but Red Hat have been doing this since version 7.0. With version 8.0,
the "apache" package name disappears and is called "httpd" instead. I guess
they are synchronising the names of the packages to match the daemon names,
although I haven't yet checked to see if "bind" has become "named".

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Theories of evolution are like buses - there'll be another one along in a
minute

> -Original Message-
> From: Mike Pacheco [mailto:mike@;fwdsystems.com]
> Sent: 25 October 2002 18:30
> To: [EMAIL PROTECTED]
> Subject: mod_ssl-2.0.40-8
> 
> 
> Hi All,
> 
> Been on the mod_ssl site from top to bottom and I can not find mod_ssl for
> apache 2.0.40 - I do a custom install of RedHat 8.0 - pick httpd and mod_ssl
> and then query the installed packages after it finishes and I test apache
> with ssl successfully and I get:
> 
> rpm -q mod_ssl = mod_ssl-2.0.40-8
> 
> I would like to get my hands on the source for this version of mod_ssl for
> some custom install options but I can not seem to find it.  Can somebody
> please point me in the right direction?
> 
> Thanks
> 
> Mike Pacheco
> 



Re: mod_ssl-2.0.40-8

2002-10-25 Thread Geoff Thorpe


On Friday 25 Oct 2002 2:01 pm, I wrote:
> Anyway, if you get the Apache2 source code, (a tarball from the horse's
> mouth mouth, or via source RPMs from Redhat or elsewhere), then you
  ^^^
I am reminded from time to time that perhaps "vi" might not, after all,
be as appropriate for quickly-blurted emails as it is for coding ...
with this slight slip of the fingers I make an already silly reference
utterly incomprehensible.

Apologies, I meant "a tarball from apache.org".

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/





Re: mod_ssl-2.0.40-8

2002-10-25 Thread Geoff Thorpe
Hi,

On Friday 25 Oct 2002 1:30 pm, Mike Pacheco wrote:
> Hi All,
>
> Been on the mod_ssl site from top to bottom and I can not find mod_ssl
> for apache 2.0.40 - I do a custom install of RedHat 8.0 - pick httpd
> and mod_ssl and then query the installed packages after it finishes and
> I test apache with ssl successfully and I get:
>
> rpm -q mod_ssl = mod_ssl-2.0.40-8
>
> I would like to get my hands on the source for this version of mod_ssl
> for some custom install options but I can not seem to find it.  Can
> somebody please point me in the right direction?

It's bundled in the source code for Apache2 now. BTW: that's strange
naming for the rpm if it's as you say and Redhat have split the Apache2
modules out.  "apache-mod_ssl" would have made more sense for the ssl
support IMHO.

Anyway, if you get the Apache2 source code, (a tarball from the horse's
mouth mouth, or via source RPMs from Redhat or elsewhere), then you
should find the ssl module sitting in the source.

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/





RE: mod_ssl 2.8.11-1.3.27

2002-10-04 Thread Zandi Patrick S TSgt AFRL/IFOSS

Ok, 
I finally got it .. I hope..
I am now getting configuration errors again..
Line 340 

# Controls who can get stuff from this server.
   339  #
   340  Order allow,deny
   341  Allow from all
   342  
   343

-Original Message-
From: Zandi Patrick S TSgt AFRL/IFOSS [mailto:[EMAIL PROTECTED]] 
Sent: Friday, October 04, 2002 8:39 PM
To: '[EMAIL PROTECTED]'
Subject: mod_ssl 2.8.11-1.3.27 


I am getting the following error
[04/Oct/2002 20:35:32 00056] [error] OpenSSL: error:0D09F007:asn1 encoding
routines:d2i_X509:expecting an asn1 sequence

[04/Oct/2002 20:30:52 29344] [info]  Server: Apache/1.3.27, Interface:
mod_ssl/2.8.11, Library: OpenSSL/0.9.6g

On Solaris 9,   Also Every time I compile and make apache shared core -- boom
I am getting core Bus Bombs..


