Re: Re: Re: httpd configuration problem
Solution (mostly) found. The problem is with a misconfiguration of the Fedora Core 4 http configuration tool: the tool doesn't know about the split in configuration files in core 4 (httpd.conf in /etc/httpd/conf, ssl.conf in /etc/httpd/conf.d). ssl.conf already contains a Listen on 443 directive, so the listen on 443 directive which the configuration tool creates in httpd.conf is a duplicate, and causes a duplicate listener problem. I'll report the bug on bugzilla (my solution is to comment out the Listen directive in ssl.conf, so I can still use the configuration tool).

I'm still left with one relatively minor problem. Fedora has a nice Makefile support for creating certificates, including self-signed certificates, which is what I need. However there is no provision for creating a chain file, yet the configuration tool insists on there being one (it crashes otherwise). I put in a ca-bundle, and it appears to work, but it's clearly not the right solution. What should go there? Or is there an appropriate way to create my own chain file? Or is the configuration tool just wrong in insisting on one?

Thanks for any suggestions
Bob McKay

On 29/09/2005, at 21:13, Cliff Woolley wrote:

>> Starting httpd: (98)Address already in use: make_sock: could not bind to address my IP address:443
>> no listening sockets available, shutting down
>>
>> However the key information really is missing. So it looks like this may be a problem in the fedora httpd configuration tool, because the key information definitely is there in the virtual host configuration in the gui, it's just not getting saved for some reason.
>
> Okay... although I don't think we've yet found a good explanation for why you're getting the message you're getting. Perhaps duplicate Listen statements?
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]

***
Bob McKay
521-302, School of Computer Science Engineering, College of Engineering, Seoul National University, San 56-1, Sinlim-dong, Gwanak-gu, Seoul 151-744, Korea
Tel: +82 2 880 9392 email: [EMAIL PROTECTED] web: http://sc.snu.ac.kr
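Added example, not part of the thread: a small Python check for the failure diagnosed above, where the same Listen address and port is declared in both httpd.conf and conf.d/ssl.conf and httpd stops with "Address already in use". The file contents are constructed samples; the wildcard-overlap case goes slightly beyond the exact duplicate described in the post.

```python
import re
from collections import defaultdict

# Constructed sample files modelled on the layout described in the post:
# httpd.conf written by the configuration tool, ssl.conf shipped in conf.d.
SAMPLE_FILES = {
    "/etc/httpd/conf/httpd.conf": (
        'ServerRoot "/etc/httpd"\n'
        "Listen 80\n"
        "Include conf.d/*.conf\n"
        "# added by the configuration tool\n"
        "Listen 443\n"
    ),
    "/etc/httpd/conf.d/ssl.conf": (
        "LoadModule ssl_module modules/mod_ssl.so\n"
        "Listen 443\n"
        "<VirtualHost _default_:443>\n"
        "    SSLEngine on\n"
        "</VirtualHost>\n"
    ),
}

# A commented-out directive ("#Listen 443") does not match this pattern.
LISTEN_RE = re.compile(r"^\s*Listen\s+(\S+)", re.IGNORECASE)


def normalize(arg):
    """Turn a Listen argument into (address, port); a bare port means '*'."""
    if ":" not in arg:
        return "*", int(arg)
    addr, _, port = arg.rpartition(":")      # also handles [::1]:443
    if addr in ("*", "0.0.0.0"):
        addr = "*"
    return addr.lower(), int(port)


def find_listen_conflicts(files):
    """files maps path -> text. Returns a list of (kind, addr, port, places)."""
    seen = defaultdict(list)
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = LISTEN_RE.match(line)
            if m:
                seen[normalize(m.group(1))].append((path, lineno))

    conflicts = []
    for (addr, port), places in sorted(seen.items()):
        # The case from the thread: the same address and port declared twice.
        if len(places) > 1:
            conflicts.append(("duplicate", addr, port, places))
        # A wildcard listener plus a specific address on the same port
        # normally fails to bind in the same way.
        if addr != "*" and ("*", port) in seen:
            conflicts.append(("overlap", addr, port, seen[("*", port)] + places))
    return conflicts


if __name__ == "__main__":
    for kind, addr, port, places in find_listen_conflicts(SAMPLE_FILES):
        where = ", ".join(f"{p}:{n}" for p, n in places)
        print(f"{kind}: Listen {addr}:{port} at {where}")
```

Commenting out the directive in one of the two files, as the poster did, clears the report.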
Re: Re:
Dear Cliff,

Thanks for your help.

On 26/09/2005, at 21:22, Cliff Woolley wrote:

> It really does sound like there's something else listening on port 443:
>
>> Starting httpd: (98)Address already in use: make_sock: could not bind to address my IP address:443
>> no listening sockets available, shutting down
>
> That's usually what this message means. You said:
>
>> Oh, and there isn't anything else listening to port 443: /sbin/fuser -4 -n udp 443 gives a null result.
>
> ... except that it's tcp, not udp, that we care about here.

Apologies; tcp gives a null result also. I'm pretty sure nothing but httpd is listening there.

> As for your httpd.conf, it looks sort of close, although the VirtualHost my ip address:443 block needs to have the SSL certificate and key configuration directives as well as some other stuff (see the example httpd.conf that comes with mod_ssl), and the VirtualHost *:80 block should NOT contain SSLEngine on.

The SSLEngine on in VirtualHost *:80 was an error on my part, in tidying up the sample I accidentally pasted a duplicate in the wrong place - it's _not_ in the httpd.conf.

However the key information really is missing. So it looks like this may be a problem in the fedora httpd configuration tool, because the key information definitely is there in the virtual host configuration in the gui, it's just not getting saved for some reason. Probably, I have a syntax error somewhere (but even so, the tool shouldn't fail it silently). I think this takes it out of modssl, so my next step will be to check the fedora mailing lists, and report it as a bug if it hasn't been already. Then I guess I'll have to take the plunge, and edit the httpd.conf manually.

> Hope this helps,
> --Cliff

***
Bob McKay
521-302, School of Computer Science Engineering, College of Engineering, Seoul National University, San 56-1, Sinlim-dong, Gwanak-gu, Seoul 151-744, Korea
Tel: +82 2 880 9392 email: [EMAIL PROTECTED] web: http://sc.snu.ac.kr
Re: Re:
>> Starting httpd: (98)Address already in use: make_sock: could not bind to address my IP address:443
>> no listening sockets available, shutting down
>
> However the key information really is missing. So it looks like this may be a problem in the fedora httpd configuration tool, because the key information definitely is there in the virtual host configuration in the gui, it's just not getting saved for some reason.

Okay... although I don't think we've yet found a good explanation for why you're getting the message you're getting. Perhaps duplicate Listen statements?
Re: Re:
Thanks Cliff; will check it further Wednesday (the server needs to be up and running tomorrow). Thanks for pointing out the udp in the fuser command (embarrassed grin). I checked tcp just now, nothing listening, but of course that may not be the state when I'm trying to run SSL/apache.

The other issues - key info and SSL On - are kind of strange. I'm almost certain I had them right in the fedora httpd configuration gui. Will check again and confirm. If it turns out to be a configuration gui problem, I guess it takes the issue out of modssl-users, and it should go to fedoraforum or similar.

Thanks and Best Wishes
Bob

On 26/09/2005, at 21:22, Cliff Woolley wrote:

> It really does sound like there's something else listening on port 443:
>
>> Starting httpd: (98)Address already in use: make_sock: could not bind to address my IP address:443
>> no listening sockets available, shutting down
>
> That's usually what this message means. You said:
>
>> Oh, and there isn't anything else listening to port 443: /sbin/fuser -4 -n udp 443 gives a null result.
>
> ... except that it's tcp, not udp, that we care about here.
>
> As for your httpd.conf, it looks sort of close, although the VirtualHost my ip address:443 block needs to have the SSL certificate and key configuration directives as well as some other stuff (see the example httpd.conf that comes with mod_ssl), and the VirtualHost *:80 block should NOT contain SSLEngine on.
>
> Hope this helps,
> --Cliff
RE: Re[2]: rse has beagle-a virus ?
Well now, this wins the award for the silliest rant I've heard for a while. I mean really, Dave... get a grip.

--
Keith Hunt 330.972.7968 [EMAIL PROTECTED]
Internet Server Systems
The University of Akron

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Paris
Sent: Saturday, February 28, 2004 7:25 AM
To: [EMAIL PROTECTED]
Subject: Re[2]: rse has beagle-a virus ?

As I suspected, none of these messages originate from Ralf. Just checking the original headers on the most recent batch of six I got overnight...

    from cruzeiro (cruzeiro.fisc.wwu.edu [140.160.220.200]) by master.modssl.org
    from CLS-TORG1010-27 (torg1010-27.its.vt.edu [128.173.44.191]) by master.modssl.org
    from CLS-TORG1010-24 (torg1010-24.its.vt.edu [128.173.44.188]) by master.modssl.org
    from CLS-TORG1010-30 (torg1010-30.its.vt.edu [128.173.44.194]) by master.modssl.org
    from woofie (A052105.N1.Vanderbilt.Edu [129.59.52.105]) by master.modssl.org
    from AdamBroughton (asdl00.ae.gatech.edu [130.207.39.100]) by master.modssl.org

What this tells me is that someone realized the .edu addresses on the listserv were low hanging fruit. Nice job. Try partying less, studying more, and figure out how to keep yourself from being infected (on multiple fronts).

[aside: pisses me off that I have to deal with spam from cracked/infected boxes from .edu domains ... I think I'm just going to reject all .edu-headered mail. it's a hugely sad commentary that people from institutions of *higher* education can't grasp the concept of DON'T CLICK ON F^KING ATTACHMENTS YOU'RE NOT EXPECTING and USE A [EMAIL PROTECTED] A/V PACKAGE ALREADY, DAMNIT. I mean really, people.. you're shelling out a TON of money and you don't seem to be one lick smarter than Jimmy Joe-Jobber's mom who'll click on everything and anything since getting her PC two weeks ago. If you're as f%$king stupid as you appear to be, give it up .. save yourself the money and give your slot at school to someone else. There's no shame in doing manual labor for a living. Society needs both ends of the spectrum. If you can't figure out the don't click stuff, I have no idea what you're going to do with number theory or algorithms (assuming you're in a CS program).

I vote to kick the .edu's off the listserv until they prove they've got an intellectual agility quotient above that of a small soapdish. If this pisses off admins for .edu's, sorry .. life's a bitch, grab a helmet. The rest of us out in the real world have to deal with [l]users like this and keep our networks clean for the rest of the planet - you're no different... you just have a harder job that I certainly don't envy. Perhaps instituting a three strikes policy for students .. the first infection gets you a warning .. the second gets you booted off the school's network .. the third (meaning you violated both the 2nd AND 1st) gets you booted from school. Hrmm.. not a bad idea, I suppose. Anyway .. rant mode is now OFF.]

Kind-ish Regards,
-dsp :-)

[...]
RE: Re[2]: rse has beagle-a virus ?
On Mon, 1 Mar 2004, Hunt,Keith A wrote:

> Well now, this wins the award for the silliest rant I've heard for a while. I mean really, Dave... get a grip.

Seriously. Not to mention that my primary email address is [EMAIL PROTECTED] But you know, feel free to block me if you like. All the less stuff for me to worry about. ;) hehe.

Here's a revolutionary little idea... if you don't like spam and email worms... how about (gasp) installing SpamAssassin and some antivirus software. :-P

--Cliff
RE: Re[2]: OT: cheap CA certificates
Here is one comparison of different SSL certificate choices and their prices: http://www.whichssl.com/ssl-certificate-comparison.html

--Kevin

-Original Message-
From: James Treworgy [mailto:[EMAIL PROTECTED]
Sent: Monday, November 17, 2003 2:12 PM
To: Goetz Babin-Ebell
Cc: [EMAIL PROTECTED]
Subject: Re[2]: OT: cheap CA certificates

Thawte is pretty cheap. $127 bucks through their ISP channel (anyone can sign up) for a regular web cert, I am not sure you can do much better.

If it's not worth $127 a year, then I assume it's not for profit, e.g. for internal use only or for a small number of users. In that case, just use self-signed certificates. They're no less secure, they just pop up a warning. Advise your users to add them to their root store the first time they connect to your site and even that won't happen anymore. We do this for all our internal secured sites.

-- Jamie

Monday, November 17, 2003, 3:05:23 PM, you wrote:

GBE> Hello Eric,
GBE> Eric Wood wrote:
GBE>> Where can I get cheap/reliable certs for an Apache that IE 5.5+ clients will authorize against? Thawte and Verisign have outpriced themselves.
GBE> That depends on your definition of the terms cheap and reliable.
GBE> But we offer client and server certs
GBE> (low level client certs are still free)
GBE> Bye
GBE> Goetz

--
Best regards, James mailto:[EMAIL PROTECTED]
Re: Re[2]: Client Info
On Tue, Nov 11, 2003 at 04:29:22PM -0500, [EMAIL PROTECTED] wrote:

> Thanks for the reply. I should be able to just add these lines to my .htaccess:
>
>     SSLVerifyClient optional
>     SSLOptions +StdEnvVars

require would be better than optional (at least for testing).

> and have the client variables in my environment (assuming the client has a certificate installed), correct? Sorry I didn't RTFM earlier, but I assumed it would be something complicated, and something only my host could configure anyway. Anyway, I tried that and I still don't get the client variables. Am I missing something? Is it possible the main configuration is overriding mine?

I must say that I've never really felt like playing around with my ssl setup in .htaccess files... one thing to check is whether the AllowOverride settings allow those directives in .htaccess - see Override for SSLVerifyClient and SSLOptions. Especially the Options override required by SSLOptions is something that won't be allowed.

vh

Mads Toftum
--
Speaking at ApacheCon 2003 - http://ApacheCon.com/
T03, Apache 2 mod_ssl tutorial (3h)
WE03, Troubleshooting Apache configurations
WE11, Apache mod_rewrite, the Swiss Army Knife of URL manipulation
Re: Re-direct in vhost
Hello Arthur,

I do not understand your question clearly. What concerns are in your mind?

-Kiyoshi
Kiyoshi Watanabe

> Hi all. Currently I've one vhost on Port 443 and while others listen on Port 80. I would like to test the scenario of putting *everything* on openSSL ie listening on Port 443. Do I assume right that all I need is a redirect from the Port 80 vhost to Port 443 ? TIA :-)
Re: Re-direct in vhost
> Currently I've one vhost on Port 443 and while others listen on Port 80. I would like to test the scenario of putting *everything* on openSSL ie listening on Port 443. Do I assume right that all I need is a redirect from the Port 80 vhost to Port 443 ?

Yes, that sounds about right. Something like this should do:

    Listen 80
    <VirtualHost *:80>
        ServerName example.com
        # Trailing slash on the target so the rest of the request path is appended correctly
        RedirectPermanent / https://example.com/
    </VirtualHost>

vh

Mads Toftum
--
Speaking at http://ApacheCon.com/
T03, Apache 2 mod_ssl tutorial (3h)
WE03, Troubleshooting Apache configurations
WE11, Apache mod_rewrite, the Swiss Army Knife of URL manipulation
Re: Re: [PATCH] Segfaults in 2.8.13 (was: Re: mod_ssl/2.8.13 andphp)
Hi again,

I also tested it successfully with linux 2.0.35, linux 2.2.19 and with linux 2.2.20

Greetings
Burkhard

> Hi,
> this works on linux 2.2.16 and linux 2.4.19
> Thanks
> Burkhard
>
> On Fri, 21 Mar 2003, Ralf S. Engelschall wrote:
>
>> On Fri, Mar 21, 2003, Ralf S. Engelschall wrote:
>>
>>> I can see the same segmentation fault : [...]
>>
>> Ok, can the people who are able to reproduce the segfault problem, please apply the following patch, retry it and give feedback? I think these two bugfixes should fix the problem now. If yes, I'll release mod_ssl 2.8.14 with it. Thanks for your help.
>> ...
RE: Re[2]: SSL with multiple domains on same server
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]

> are you saying i can use the same ip and two different port to be able to have more than one vhs under ssl?

Certainly. e.g.

    Listen 192.168.1.1:443
    <VirtualHost 192.168.1.1:443>
    ..etc

    Listen 192.168.1.1:444
    <VirtualHost 192.168.1.1:444>
    ..etc

The rule is: SSL VHs must be distinct at TCP/IP level (i.e. ip addr and port pair must be distinct).

Rgds,
Owen Boyle
RE: Re[5]: SSL with multiple domains on same server
Great! But do you know why?

BindAddress is a deprecated directive which is replaced by Listen. What you have done is said to apache, listen to all active IP addresses. I think the real problem is to do with your NAT (which you didn't mention on your original post). This meant that the IP addresses your browser was using were different from the incoming IP addresses on the apache box. If you had used Listen with the real IPs, it would've worked too.

-Original Message-
From: Ludovic Perard [mailto:[EMAIL PROTECTED]]
Sent: Donnerstag, 21. November 2002 11:34
To: [EMAIL PROTECTED]
Subject: Re[5]: SSL with multiple domains on same server

Hello Boyle,

I found the solution : The line BindAddress * needs to be uncommented. Now, all works fine :)

--
Best regards, Ludovic [EMAIL PROTECTED]
RE: Re[2]: SSL with multiple domains on same server
-Original Message-
From: Ludovic Perard [mailto:[EMAIL PROTECTED]]

> I'm already using two different IP addresses

Then it should work. Are you sure? Try defining the IP addresses explicitly to reveal any DNS misconfigurations:

    Listen 192.168.1.1:443
    VH 192.168.1.1:443 ...

    Listen 192.168.1.2:443
    VH 192.168.1.2:443 ...

Rgds,
Owen Boyle
Re: Re[2]: SSL with multiple domains on same server
are you saying i can use the same ip and two different port to be able to have more than one vhs under ssl?

- Original Message -
From: Ludovic Perard [EMAIL PROTECTED]
To: Boyle Owen [EMAIL PROTECTED]
Sent: Wednesday, November 20, 2002 8:47 AM
Subject: Re[2]: SSL with multiple domains on same server

Hello Boyle,

Wednesday, November 20, 2002, 3:33:00 PM, you wrote:

BO> You are trying to run two name based VHs under SSL. You cannot do this
BO> (see http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47).
BO> The problem is that SSL encapsulates HTTP so the SSL session has to be
BO> negotiated before any HTTP traffic can be seen. But the hostname is in
BO> the HTTP request, so apache cannot decide which VH to use - so it uses
BO> the first by default.
BO> You need to use separate IPs and/or ports...

I'm already using two different IP addresses

--
Best regards, Ludovic [EMAIL PROTECTED]
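Added example, not part of the thread: a small Python check for the rule stated in this thread, that SSL virtual hosts must differ in their ip:port pair because the server (as with the mod_ssl 2.8 setup discussed here, with no way to see the hostname before the handshake) otherwise serves the first one defined. The configurations and host names below are constructed samples.

```python
import re

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)
DIRECTIVE = re.compile(r"^\s*(SSLEngine|ServerName)\s+(\S+)", re.IGNORECASE)


def sample(second_addr):
    """Constructed config (Listen lines omitted): two SSL vhosts, one plain."""
    return f"""\
<VirtualHost 192.168.1.1:443>
    ServerName shop.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost {second_addr}>
    ServerName mail.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost 192.168.1.1:80>
    ServerName shop.example.com
</VirtualHost>
"""


BROKEN = sample("192.168.1.1:443")        # two name-based SSL vhosts, same pair
FIXED_PORTS = sample("192.168.1.1:444")   # same IP, different port
FIXED_IPS = sample("192.168.1.2:443")     # different IP, same port


def parse_vhosts(conf_text):
    """Return one dict per <VirtualHost> block: addrs, ssl flag, ServerName."""
    vhosts, current = [], None
    for line in conf_text.splitlines():
        opened = VHOST_OPEN.match(line)
        if opened:
            current = {"addrs": opened.group(1).split(), "ssl": False, "name": None}
            continue
        if VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is None:
            continue                      # directive outside any vhost
        d = DIRECTIVE.match(line)
        if d:
            key, value = d.group(1).lower(), d.group(2)
            if key == "sslengine":
                current["ssl"] = value.lower() == "on"
            else:
                current["name"] = value
    return vhosts


def ssl_collisions(conf_text):
    """Map each ip:port used by more than one SSL vhost to their ServerNames.

    Names are in file order, so the first entry is the vhost (and the
    certificate) that every client connecting to that pair would get.
    """
    by_addr = {}
    for vh in parse_vhosts(conf_text):
        if vh["ssl"]:
            for addr in vh["addrs"]:
                by_addr.setdefault(addr, []).append(vh["name"])
    return {addr: names for addr, names in by_addr.items() if len(names) > 1}


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN), ("ports", FIXED_PORTS), ("ips", FIXED_IPS)):
        print(label, ssl_collisions(conf) or "no SSL vhost collisions")
```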
RE: Re-negotiation handshake failed (still trying)
OK I still haven't received any replies about this problem, and I still haven't managed to solve it by myself. One thing I want to add, is that I think I have eliminated my java client application as the source of the problem. I tried accessing my server using openssl s_client instead of my java app. This is the command I used:

    cat postrequest | openssl s_client -connect my.secureserver.com:443 -state

Where postrequest is a textfile which contains:

    POST /MessagingGateway/servlet/com.StrategicEcommerce.StraightSell.MessagingGateway.ReceiveOBIOrder HTTP/1.0
    Content-Length: 12577
    Content-type: application/x-obi-order
    Content-transfer-encoding: base64

    AgAAJLxJU0EdMDAdICAgICAgICAgIB0wMB0gICAgICAgICAgHVpaHTY4Mzk5MDkwODk0
    ICAgIB1aWh03NjQ5Mzg1MTI0OCAgICAdMDIwODIxHTEzMTcdVR0w...
    (content truncated for mailing list post)

When I do the above I get the same errors in my apache ssl_log as with my java app (see my parent post). Judging by the log messages would people say that this is a mod_ssl configuration issue or a certificate issue? It seems something may be timing out since it works fine for post data of size less than a few K, but I don't know what it could be.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jules Butcher
Sent: Monday, 19 August 2002 2:24 PM
To: [EMAIL PROTECTED]
Subject: Re-negotiation handshake failed

Hi All,

I have recently upgraded our web server from NT/IIS to FreeBSD/Apache/ModSSL. Everything is pretty sweet, except for one application. The application (MessagingGW) is written in java using jsse for the ssl stuff. The app periodically posts base64 encoded data to a java servlet using http over ssl. MessagingGW seems to work fine when the payload data is small, but over a certain size (a few kB) it bombs out. In this configuration I have Apache handling the SSL handshake, then passing the request to tomcat via ajp13.
Servlets generally seem to be working fine over https, but in this case the servlet never receives the request, which makes me think that the problem is between apache and the client app. If anyone has any clue about this, I would be very happy to hear from you.

Server Software:
    Apache 1.3.26
    mod_ssl 2.8.10-1.3.26
    Tomcat 3.3.1

Client Software:
    Custom app (jdk1.3.1, jsse 1.0.2)

Below is the ssl_log file from the apache ssl log (I have replaced IP addresses with [src-IP] and [dest-IP] below for my client's privacy):

    [19/Aug/2002 13:04:35 98058] [info] Connection to child 5 established (server [dest-IP]:443, client [src-IP])
    [19/Aug/2002 13:04:35 98058] [info] Seeding PRNG with 0 bytes of entropy
    [19/Aug/2002 13:04:35 98058] [trace] OpenSSL: Handshake: start
    [19/Aug/2002 13:04:35 98058] [trace] OpenSSL: Loop: before/accept initialization
    [19/Aug/2002 13:04:35 98058] [trace] OpenSSL: Loop: SSLv3 read client hello A
    [19/Aug/2002 13:04:35 98058] [trace] OpenSSL: Loop: SSLv3 write server hello A
    [19/Aug/2002 13:04:35 98058] [trace] OpenSSL: Loop: SSLv3 write certificate A
    [19/Aug/2002 13:04:35 98058] [trace] OpenSSL: Loop: SSLv3 write server done A
    [19/Aug/2002 13:04:35 98058] [trace] OpenSSL: Loop: SSLv3 flush data
    [19/Aug/2002 13:04:37 98058] [trace] OpenSSL: Loop: SSLv3 read client key exchange A
    [19/Aug/2002 13:04:39 98058] [trace] OpenSSL: Loop: SSLv3 read finished A
    [19/Aug/2002 13:04:39 98058] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A
    [19/Aug/2002 13:04:39 98058] [trace] OpenSSL: Loop: SSLv3 write finished A
    [19/Aug/2002 13:04:39 98058] [trace] OpenSSL: Loop: SSLv3 flush data
    [19/Aug/2002 13:04:39 98058] [trace] Inter-Process Session Cache (DBM) Expiry: old: 10, new: 6, removed: 4
    [19/Aug/2002 13:04:39 98058] [trace] Inter-Process Session Cache: request=SET status=OK id=41131C9DCE1B61E17AF7997E89F58139BC5164A05AA734A9A70A39B065725CE0 timeout=596s (session caching)
    [19/Aug/2002 13:04:39 98058] [trace] OpenSSL: Handshake: done
    [19/Aug/2002 13:04:39 98058] [info] Connection: Client IP: [src-IP], Protocol: TLSv1, Cipher: RC4-SHA (128/128 bits)
    [19/Aug/2002 13:04:41 98058] [info] Initial (No.1) HTTPS request received for child 5 (server [dest-IP]:443)
    [19/Aug/2002 13:04:41 98058] [trace] Changed client verification type will force renegotiation
    [19/Aug/2002 13:04:41 98058] [info] Requesting connection re-negotiation
    [19/Aug/2002 13:04:41 98058] [trace] Performing full renegotiation: complete handshake protocol
    [19/Aug/2002 13:04:41 98058] [trace] I/O: sucked 12556 bytes of input data from SSL/TLS I/O layer for delayed injection into Apache I/O layer
    [19/Aug/2002 13:04:41 98058] [trace] OpenSSL: Handshake: start
    [19/Aug/2002 13:04:41 98058] [trace] OpenSSL: Loop: SSL renegotiate ciphers
    [19/Aug/2002 13:04:41 98058] [trace] OpenSSL: Loop: SSLv3 write hello request A
    [19/Aug/2002 13:04:41 98058] [trace] OpenSSL: Loop: SSLv3 flush data
    [19/Aug/2002 13:04:41 98058] [trace] OpenSSL: Loop: SSLv3 write hello request C
    [19/Aug/2002 13:04:41 98058] [info] Awaiting
Re: RE: mod_ssl issue, https is not working
Exactly, I am also facing a similar problem like this. I had posted my email last night but I am wondering why my email is not there. I have installed apache_1.3.26, openssl 0.9.6d and also modssl. My http server is working but not https. Please suggest something as I am in a great need to set up a https server for some testing.

On Fri, 12 Jul 2002 Ashmore, Samuel R wrote :

> There are many reasons, such as a port is not set up right, there's a conflict with other programs. When you reply to this attach your error log. If you want to you can also attach the httpd.conf or ssl.conf. This might help us understand what is happening on your system.
>
> -Original Message-
> From: Payal Suratwala [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 11, 2002 2:55 PM
> To: [EMAIL PROTECTED]
> Subject: mod_ssl issue, https is not working
>
>> I have installed Apache-V2.39-compiled with mod_ssl module. I have installed OpenSSL-V-0.9.6c and php4.2.2 on my server. I have created the RSA certificate and Private key and moved them in to the path described in the ssl.conf file. When I do ./apachectl startssl, the ssl starts but when I open netscape to go to the https://servername, it prompts me that I am about to go to the secure website, and I click okay and then it tells me that the website is not found. my http://servername site works, but https://servername does not, so what do I need to do? Why is the https not working? I have looked everywhere to find information about this and nothing has worked for me so far so, I would really appreciate some help on this issue?
>>
>> Thank You,
>> Payal Suratwala
RE: Re: WIN32-apache 1.3.x (windows NT) problem of serving concurrent https requests
-Original Message- From: Johannes Bertscheit [mailto:[EMAIL PROTECTED]] Sent: 04 May 2002 18:27 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: Re: WIN32-apache 1.3.x (windows NT) problem of serving concurrent https requests snip] No question: I would also prefer to develop under LINUX SOO MUCH (!) but I have no choice: the project is bound to windows NT hosts and I was not able to convince the company to take LINUX (or UNIX) - I tried all the arguments as you stated above. So what I need are other people with the same problem, that they MUST develop under windows NT and have a RELIABLE apache running on such a machine. Are there any people out there - stating that they have a apache mod_ssl running on windows NT RELIABLE ??? johannes We have an expression in the UK that you can't make a silk purse out of a sow's ear. I have had blue screen logging in with Windows NT and reboots on logging in to Windows 2000, both fully patched. We are regularly rebooting our Windows NT servers on an almost monthly basis. If you look at Microsoft's own web site via Netcraft (www.netcraft.co.uk), you'll see that none of their servers has run for more than about 90 days. One server managed to get to 143 days before a reboot. So much for 99.999% availability. They boasted that they'd run 99.98% availability during the Winter Games, which sounds good till you realise that this is over a period of about two weeks. You don't hear them talk about the five nines any more, simply because they can't do it. If you look at our site, www.rnib.org.uk you'll see we just passed 150 days. It would have been longer if it weren't for a power cut. I've had a Linux server pass 497 days uptime, before it was moved to a new site: 2:43pm up 497 days, 2:27, 0 users, load average: 0.00, 0.00, 0.00 2:44pm up 0 min, 0 users, load average: 0.00, 0.00, 0.00 The uptime counter on Linux resets after 497 days, whereas on NT it resets after 49.7 days. It's still possible to track uptime for longer though. 
The longest uptimes in the world are nearly all Apache servers on BSD or IRIX (http://uptime.netcraft.com/up/today/top.avg.htm). You won't find an NT server staying up for long. What is running on the host is irrelevant. We use Samba to publish our web pages from Windows clients. We have had occasional Samba crashes, but the web server has been totally reliable. In over six years, I've seen only one spurious crash of the web server, all other downtime has been for maintainence. Why spend money on Microsoft's licenses, when you can install Linux or any other type of UNIX for far less money? In Latin you would say res ips a loquitor (I'm not sure of the spelling, but it means the thing speaks for itself. It's used a lot in law). - John Airey Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] The teaching of evolution as a proven fact rather than a theory has done more harm to scientific progress than anything else in history. - NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. 
RE: Re: modssl for Apache 2.0
I stand upbraided for my open software bigotry. Actually, Chuck, apologies are in order because I was going through a heavy mailing for SuSE users where there has been discussion about Apache 2. with mod_ssl. I (rather carelessly) did not notice the source of your mailing. My sincere apologies, and the very best of luck with your project.

George

Chuck Goehring [EMAIL PROTECTED] wrote:

George, It wasn't really my decision to go with Windows. There are many Unix-phobics out there. Have peculiar combination of requirements that causes the need for ssl - Not doing e-commerce.

Chuck

----- Original Message -----
From: George Walsh [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 10, 2002 10:07 PM
Subject: RE: modssl for Apache 2.0

Chuck: With Apache 2.0, mod_ssl is a part of the 'whole'. The build is a far simpler process, and the server, at least in my experience, is much crisper in terms of response. As for windows, that is NOT my cup of tea. We are a Micro-soft Free zone here, so I cannot comment on the peculiarities you might experience in your environment. I really do not know why you would want to run a secure server on top of a windows box, but then I admit to a happy ignorance about it, at least :-)

George

I see all the activity on the list about Apache 2.0 and modssl. Where can I get the necessary stuff for Apache 2.0. I don't see it on the modssl, openssl or Apache web sites. I need to get ssl up on Apache on Windows 2000.

Chuck

--
George Walsh, Managing Director, CruiseRoutes Division, DSC Directional Services Corp
Courtenay, British Columbia, Canada
RE: Re: Apache 2.0 and SSL
Thanks for clarifying this for the group, Cliff. Our 'hangup' was admittedly a little specific, and I am working my way around that right now - if for no other reason than to reduce the updating cycle. (Yeah, I still cannot love distribution rpms! May the Good Lord forgive my intransigence :-)

George

Cliff Woolley [EMAIL PROTECTED] wrote:

On Tue, 9 Apr 2002, George Walsh wrote:

I, for one, would be more than happy to use Apache 2.0. BUT, I need mod_ssl to function and as I understand it, mod_ssl applications cannot cope with cgi, so I really have no place to start.

Just to clarify for those who might be listening and didn't follow George's earlier posts, Apache 2.0 handles https: requests to CGI's perfectly fine. EXCEPT when you try to configure it to renegotiate on a POST request (which could happen if, say, your cgi-bin directory had per-directory SSL parameters set (eg SSLProtocol or requiring a client certificate)).

[As a bit of historical reference, those of you who've been around for a while will recall that mod_ssl for Apache 1.3 had the same problem (worse, actually... it just gave an I/O error) until version 2.3.10, when the method not allowed response and an experimental workaround were put in. It remained available only with --enable-rule=SSL_EXPERIMENTAL up until version 2.5.0.]

--Cliff

--
Cliff Woolley [EMAIL PROTECTED]
Charlottesville, VA

--
George Walsh, Managing Director, CruiseRoutes Division, DSC Directional Services Corp
Courtenay, British Columbia, Canada
RE: RE: Apache 2.0.* and SSL
OpenSSL is a separate issue, really. It is normally found in /usr/local/src. I am using 0.9.6c currently, which I download as a tar.gz to my /usr/local/src file, uncompress it with:

    gzip -dc openssl-0.9.6c.tar.gz | tar xf -
    cd /usr/local/src/openssl-0.9.6c
    ./config shared
    make all test install

... and voila!

Apache 2.0 includes its own mod_ssl as part of the 'new look'. That gives you encryption while openssl gives you certification services.

FWIW I prefer to remove rpm installations for Apache, mod_ssl, mozilla, netscape, opera and sendmail so I can keep painlessly up-to-date. It's not everybody's cup of tea, but I've been doing it this way for years and I like the feeling of being 'in control' of these crucial elements.

Hope that helps ...

George

What options are needed to configure, with Apache 2.0, to make sure that mod_ssl is enabled, and that a particular OpenSSL directory is used? I tried guessing at the right options, but a look at the httpd.conf file in the resulting installation suggests that I guessed wrong.

Lynn Gazis

--
George Walsh, Managing Director, CruiseRoutes Division, DSC Directional Services Corp
Courtenay, British Columbia, Canada
RE: Re: Apache 2.0.* and SSL
Oh please, no, not another one I'm drowning just trying to keep up as it is, but that, as they say, is but one man's opinion. I know - I don't have to join, but then the existing established groups might not be as representative as they would otherwise be.

George

On Mon, 8 Apr 2002, Eli Marmor wrote:

I think that we should open a special mailing list for mod_ssl of Apache2.

My personal opinion would be that most modssl users' questions will be of the same nature regardless of version. The kinds of questions we get here:

(1) why can't I use NBVH+SSL?
(2) how do I get my certificate created and/or to work
(3) I'm having problems getting IE to connect, what do I do?
(4) ...

The answers to these questions are all the same regardless of whether you're talking about 1.3 or 2.0, and there will always be those of us on the httpd development team that listen in on modssl-users for potential bugs, so in my mind it makes sense to keep the user group as one. But that's just me... if you guys disagree, then go right ahead and create a new list.

--Cliff

--
Cliff Woolley [EMAIL PROTECTED]
Charlottesville, VA

--
George Walsh, Managing Director, CruiseRoutes Division, DSC Directional Services Corp
Courtenay, British Columbia, Canada
RE: Re: Apache 2.0.* and SSL
Very well said, Geoff. I have 'played' with Apache 2.0 but certainly not with anything having to do with https and ssl. Now, with a heavy launch schedule in front of me, I have all I can do to switch people out of windows and into KDE/GNOME environments.

Respectfully,

George

Geoff Thorpe [EMAIL PROTECTED] wrote:

Hey there,

On Tuesday 09 April 2002 10:18, you wrote:

Steve Gonzales wrote:

One list is enough for me. SSL theory doesn't change from 1.3.xx to 2.0.xx; only the configuration and installation changes.

There are many other issues, like the -DEAPI and 3rd party modules that cause Apache to crash. Anyway, the fact is that all of the discussions regarding 2.0 are done in the new-httpd list, and not here (at least till this thread). So it is clear that something must be done. Maybe a request to new-httpd subscribers to move the SSL discussions to here?

I would respectfully suggest that modssl discussions stay here. I don't want to rag on Apache 2.0, and I'm sure a lot of good things have found their way into it, but it does not solve a number of issues that I think many people in production environments would require to push them into a pro-active decision to migrate. Likewise, it introduces an entirely new base of code with considerably less real-world mileage than the Apache 1.3.** base, so there's a non-trivial motivation to *not* migrate unless absolutely necessary.

Apache 2.0 has clearly also been taking what one might call an, ummm, let's say value-added design approach. If your focus is on SSL/TLS, security, and serving up HTML through a robust and secure server, then having something new that tries to multiplex a huge number of different features and services (in the same address-space as one another, moreover!) is a can of worms that many people will consider best left shut. For now at the very least.
So if discussion on the SSL module is in some ways independent (or at least may often be independent) of the apache version, I'd suggest we keep discussion in this one place. For my own part; in the near future, I will be working again on session caching and other tuning operations on the Apache 1.3.***-based modssl distribution and [will] have neither the time nor inclination to involve myself in the goings-on of Apache 2.0. I won't mind at *all* if someone who does have the time and motivation handles merging anything useful from that to the apache 2.0 code-base - but I won't be reading from, or posting to, anything Apache 2.0-specific.

Cheers,

Geoff

--
George Walsh, Managing Director, CruiseRoutes Division, DSC Directional Services Corp
Courtenay, British Columbia, Canada
RE: RE: apache 1.3.24 + mod_ssl 2.8.8 for Windows (2000)
Yep, already put it here.

Can you go to c:/program files/apache_ssl/modules and see the mod_ssl.so file? Your second test seems logical since the module wasn't loaded in the LoadModule section.

Eric

-----Original Message-----
From: Danalien [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 8:52 AM
To: [EMAIL PROTECTED]
Subject: apache 1.3.24 + mod_ssl 2.8.8 for Windows (2000)

Hi, I need some help, I patch, compile, and everything according to:

http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL.Win32

all goes fine fine, only get a few warnings (during the apache compile)

I then go to the httpd.conf (%my_apache_ssl_root%/conf) and put this in:

    LoadModule ssl_module modules/mod_ssl.so

and I get (this) when I do apache -t :

    C:\Program Files\Apache_SSL>apache -t
    Syntax error on line 62 of c:/program files/apache_ssl/conf/httpd.conf:
    Cannot load c:/program files/apache_ssl/modules/mod_ssl.so into server: (182)
    Note the errors or messages above, and press the ESC key to exit. 26...
    C:\Program Files\Apache_SSL>

*thinking* *thinking*... ... then I just do a little test. remove the previous LoadModule by putting a # in front (like this):

    #LoadModule ssl_module modules/mod_ssl.so

and add:

    AddModule mod_ssl.c

and get :

    C:\Program Files\Apache_SSL>apache -t
    Syntax error on line 110 of c:/program files/apache_ssl/conf/httpd.conf:
    Cannot add module via name 'mod_ssl.c': not in list of loaded modules
    Note the errors or messages above, and press the ESC key to exit. 23...
    C:\Program Files\Apache_SSL>

and do a apache -l where I get this:

    Compiled-in modules:
      http_core.c
      mod_so.c
      mod_mime.c
      mod_access.c
      mod_auth.c
      mod_negotiation.c
      mod_include.c
      mod_autoindex.c
      mod_dir.c
      mod_cgi.c
      mod_userdir.c
      mod_alias.c
      mod_env.c
      mod_log_config.c
      mod_asis.c
      mod_imap.c
      mod_actions.c
      mod_setenvif.c
      mod_isapi.c

and my suspicions were correct, where are/is the SSL - module(s)? cause it ain't in the compiled apache :) If some could explain/help me how to meld this SSL module into apache, it would be great :) thanks.

// with regards
// ID :: danalien :: [EMAIL PROTECTED]
PGP Public Key Fingerprint: C891 D3A1 427A A5E7 449F B19E 1E85 A109
RE: RE: apache 1.3.24 + mod_ssl 2.8.8 for Windows (2000)
At least on Windows NT, the .so file can not be read-only, or you get a similar error. Is it possible that your file is read-only?

Jay

-----Original Message-----
From: Danalien [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: RE: apache 1.3.24 + mod_ssl 2.8.8 for Windows (2000)

Yep, already put it here.
RE: RE: apache 1.3.24 + mod_ssl 2.8.8 for Windows (2000)
nope, I have no attributes on it/them.

At least on Windows NT, the .so file can not be read-only, or you get a similar error. Is it possible that your file is read-only?

Jay
RE: Re[2]: Error when signing my cert
Something I would like to add to this last email. I'm SURE at one time in your life you were NEW at creating a SSL server and you asked questions also. Life is all about learning and sharing. So get over yourself, and if you don't like this user list, un-unsubscribe.

Ron

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mads Toftum
Sent: Saturday, March 23, 2002 2:43 PM
To: [EMAIL PROTECTED]
Subject: Re: Re[2]: Error when signing my cert

On Sat, Mar 23, 2002 at 08:58:30PM +0100, Søren Neigaard wrote:

Hi I agree, nobody on this list wants newbies :(

To some extent I actually agree with you - but our reasons are probably different. First of all: setting up an SSL server is serious business, and when done incorrectly it is at best something that gives you a false sense of security, at its worst you end up with less security. This is the main reason that I think some people might be better off getting experienced people to run their servers instead of fumbling blindly. The other reason is that some people do not spend even a minimal amount of time trying to understand the error messages that they get or as in this case do not try to understand it even when somebody has taken time to make it even more obvious.

Enough luserbashing (I'm probably just taking out my bad mood and lack of sleep on the nearest target)

I suggest that you try creating your certificates as described in http://www.modssl.org/docs/2.8/ssl_faq.html#cert-dummy you may wish to change the command ``make certificate'' slightly such that it is:

    make certificate TYPE=CUSTOM

Regards,
Mads Toftum

--
With a rubber duck, one's never alone. -- The Hitchhiker's Guide to the Galaxy
Re: Re[2]: Error when signing my cert
On Sat, Mar 23, 2002 at 08:58:30PM +0100, Søren Neigaard wrote:

Hi I agree, nobody on this list wants newbies :(

To some extent I actually agree with you - but our reasons are probably different. First of all: setting up an SSL server is serious business, and when done incorrectly it is at best something that gives you a false sense of security, at its worst you end up with less security. This is the main reason that I think some people might be better off getting experienced people to run their servers instead of fumbling blindly. The other reason is that some people do not spend even a minimal amount of time trying to understand the error messages that they get or as in this case do not try to understand it even when somebody has taken time to make it even more obvious.

Enough luserbashing (I'm probably just taking out my bad mood and lack of sleep on the nearest target)

I suggest that you try creating your certificates as described in http://www.modssl.org/docs/2.8/ssl_faq.html#cert-dummy you may wish to change the command ``make certificate'' slightly such that it is:

    make certificate TYPE=CUSTOM

Regards,
Mads Toftum

--
With a rubber duck, one's never alone. -- The Hitchhiker's Guide to the Galaxy
Re: Re[2]: How does mod_ssl work with Apache?
Welcome, my pleasure.

Thanks,

Ron DuFresne

On Tue, 19 Mar 2002, Søren Neigaard wrote:

That helped a lot, thanks :)

/Søren

Tuesday, March 19, 2002, 7:11:15 PM, R. wrote:

RD If you built apache with modssl support read the FAQ on how to do this if you have not, and have setup your httpd.conf file properly again read
RD the FAQ on particulars as well as going over the default httpd.conf file
RD supplied once apache is compiled with modssl support then you start
RD apache like thus:
RD apachectl startssl
RD There are variations on this theme, but, this is the standard way to get
RD apache up with ssl enabled once properly compiled and configured.
RD Hope this helps,
RD Ron DuFresne
RD On Tue, 19 Mar 2002, Søren Neigaard wrote:

I have Apache running on port 80, and I want to SSL enable one of my VirtualHosts. I don't even know how to start mod_ssl properly. I found the following command somewhere in an example, but I'm not sure what it does, and right now it doesn't work (as I remember it has started before without errors), but this is what it says now:

    openssl s_client -connect 192.168.1.4:443
    connect: Connection refused
    connect:errno=61

Why? Am I trying to connect to a wrong port? I really need some hints here please.

--
~~
admin senior security consultant: sysinfo.com http://sysinfo.com

Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart

testing, only testing, and damn good at it too!
Re: Re: SSL works from localhost but not elsewhere
thanks for the reply. I doubt it is the firewall since I am trying to access https://192.168.0.80/ from another PC on the same LAN, i.e. router does not come into play. That IP address is an internal IP address to the LAN. So for example my webserver with mod_ssl running is on IP 192.168.0.80, and the PC I am trying to access it with is 192.168.0.3 for example.

When I use a web browser on 192.168.0.80 with URL https://localhost/ or the URL https://192.168.0.80/ SSL works fine with corresponding log entries in both access_log and ssl_request log being made. But when I use browser on 192.168.0.3 with URL https://192.168.0.80/ it responds with Page Cannot be Displayed with Explorer, and connection refused with Netscape and in both cases no log entries are made on the server in either access_log or ssl_request log. Of course I checked if normal http works from 192.168.0.3 and it does of course. I am at a loss as to why this is.

warmest regards,
Eric Sean Webber

On Thu, 28 Feb 2002, Andrew Lietzow ([EMAIL PROTECTED]) wrote:

Dear Owen,

Personally I am not a big fan of opening attachments from unknown sources. Since you're on this list, you're probably a trusted source but I was not aware that sending attachments through this list server was even an option. Perhaps I am a bit paranoid about viruses?

With that said, here are a series of things that I would check.

1) Do you have a firewall that might be preventing HTTPS access?
2) Do other non-secure pages from that server come up in your browser-wowser?
3) In httpd.conf, do you have any entries similar to the following:

    NameVirtualHost $IPADDR
    <VirtualHost $IPADDR:443>
    ServerAdmin webmaster@$YOURDOMAINNAME
    ServerName $YOURDOMAINNAME
    Port 443
    DocumentRoot /var/www/secure.yourdomain.name
    ErrorLog logs/$YOURDOMAINNAME_err
    TransferLog logs/$YOURDOMAINNAME_transfer
    </VirtualHost>

(For DocumentRoot: or wherever you store your documents that you want to bring up on the secure server. You need to have something in that directory that you can bring up if you don't have index.html)

If you have the ErrorLog file, what is it telling you? Any hints there? Also, in your named.domain.xxx file, do you have an entry for your secure server if it is running on a different server than your main web site?

Probably this info is more than you need, and I am a newbie, but better more than not enough :-)

Good luck!

Andrew Lietzow
The ACL Group, Inc.

sure that your firewall is allowing HTTP and HTTPS access?

----- Original Message -----
From: Eric Webber [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 27, 2002 2:16 PM
Subject: SSL works from localhost but not elsewhere

When I go to the url https://localhost using netscape on the same box running apache and mod_ssl, SSL appears to work fine. But when I come in from a box other than the box running apache and mod_ssl, I get Page cannot be displayed. I have apache 1.3.20 RedHat, OpenSSL version 0.9.6b, on redhat version 2.4.7-10. Is this because of the Servername ? I am at a loss and cannot find the solution in the mod_ssl documentation. Is there a set of tests to help ferret out this problem ?

warmest regards,
Eric Sean Webber

here is a copy of my httpd.conf as a file attachment
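The failures reported in these threads die at different layers: "Connection refused" with no server log entry is a TCP-level result, while a logged "SSL handshake failed" means TCP worked and TLS did not. The probe below is an added example, not code from any poster or from the mod_ssl project; it separates the two steps from the client side. The stage names, hint texts and the two loopback stand-in listeners are constructed for the demonstration, and certificate verification is switched off because this is a reachability check, not a trust decision.

```python
import socket
import ssl
import threading
from dataclasses import dataclass

# Hint texts are this example's own wording, not mod_ssl or OpenSSL output.
HINTS = {
    "refused": "no listener on this address:port; check that httpd was "
               "started with SSL and which address its Listen binds",
    "timeout": "no answer at all; a packet filter on the path is the usual cause",
    "unreachable": "connect could not be attempted; check address and routing",
    "tls_failed": "a listener accepted TCP but the handshake failed; read the "
                  "server's SSL engine log for this client",
    "tls_ok": "TCP and TLS both work from this client",
}


@dataclass
class ProbeResult:
    stage: str   # one of the HINTS keys
    detail: str  # exception text, or protocol and cipher on success
    hint: str


def probe(host, port=443, timeout=3.0):
    """Connect to host:port and report which layer, TCP or TLS, stopped."""
    # Layer 1: plain TCP. A refusal here never reaches the web server's logs.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        return ProbeResult("refused", str(exc), HINTS["refused"])
    except socket.timeout as exc:
        return ProbeResult("timeout", str(exc), HINTS["timeout"])
    except OSError as exc:
        return ProbeResult("unreachable", str(exc), HINTS["unreachable"])

    # Layer 2: TLS handshake. Verification is off on purpose: self-signed and
    # test certificates must not mask the reachability answer.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            detail = f"{tls.version()} {name} ({bits} bits)"
            return ProbeResult("tls_ok", detail, HINTS["tls_ok"])
    except (ssl.SSLError, OSError) as exc:
        raw.close()
        return ProbeResult("tls_failed", str(exc), HINTS["tls_failed"])


def closed_loopback_port():
    """Constructed case: a loopback port that was just released."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def start_plain_http_listener():
    """Constructed case: a listener that answers in plain HTTP, not TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        conn.recv(4096)  # swallow the client's ClientHello
        conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


if __name__ == "__main__":
    cases = (("closed port", closed_loopback_port()),
             ("plain HTTP listener", start_plain_http_listener()))
    for label, port in cases:
        result = probe("127.0.0.1", port)
        print(f"{label}: {result.stage}: {result.hint}")
```

Run from the client that cannot connect, a `refused` or `timeout` result means the request never reached Apache, which is consistent with empty access and SSL logs on the server.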
Re: Re: SSL works from localhost but not elsewhere
how would I use openssl and curl ? to check port 443 from a nonlocal host ? thanks !!

On Thu, 28 Feb 2002, Brad Burdick ([EMAIL PROTECTED]) wrote:

When I go to the url https://localhost using netscape on the same box running apache and mod_ssl, SSL appears to work fine. But when I come in from a box other than the box running apache and mod_ssl, I get Page cannot be displayed. I have apache 1.3.20 RedHat, OpenSSL version 0.9.6b, on redhat version 2.4.7-10. Is this because of the Servername ? I am at a loss and cannot find the solution in the mod_ssl documentation. Is there a set of tests to help ferret out this problem ?

same (or similar) problem here. i've just installed these on a solaris 8 x86 box:

- apache 1.3.23
- mod_ssl 2.8.7-1.3.23
- openssl 0.9.6c
- fake certificate for testing using the snakeoil CA

i can connect using openssl and curl, but netscape and mozilla from linux and IE 5.x from win98 are failing. all 3 clients can connect to other SSL sites without problem up to 128-bit. i've turned up the log level and see the following for the failed connections.
[28/Feb/2002 09:57:43 11626] [info] Connection to child 5 established (server dev.topbox.net:443, client 68.65.62.5) [28/Feb/2002 09:57:43 11626] [info] Seeding PRNG with 255 bytes of entropy [28/Feb/2002 09:57:43 11626] [trace] OpenSSL: Handshake: start [28/Feb/2002 09:57:43 11626] [trace] OpenSSL: Loop: before/accept initialization [28/Feb/2002 09:57:43 11626] [trace] OpenSSL: Write: SSLv3 read client hello B [28/Feb/2002 09:57:43 11626] [trace] OpenSSL: Exit: error in SSLv3 read client hello B [28/Feb/2002 09:57:43 11626] [trace] OpenSSL: Exit: error in SSLv3 read client hello B [28/Feb/2002 09:57:43 11626] [error] SSL handshake failed (server dev.topbox.net:443, client 68.65.62.5) (OpenSSL library error follows) [28/Feb/2002 09:57:43 11626] [error] OpenSSL: error:1408A0C1:lib(20):func(138):reason(193) this is a connection using 'curl -v https://dev.topbox.net/': [28/Feb/2002 10:01:21 11619] [info] Connection to child 0 established (server dev.topbox.net:443, client 68.65.62.5) [28/Feb/2002 10:01:21 11619] [info] Seeding PRNG with 255 bytes of entropy [28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Handshake: start [28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Loop: before/accept initialization [28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Loop: SSLv3 read client hello A [28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Loop: SSLv3 write server hello A [28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Loop: SSLv3 write certificate A [28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Loop: SSLv3 write key exchange A [28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Loop: SSLv3 write server done A [28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Loop: SSLv3 flush data [28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Loop: SSLv3 read client key exchange A [28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Loop: SSLv3 read finished A [28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Loop: SSLv3 write change cipher spec A [28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Loop: SSLv3 write finished A 
[28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Loop: SSLv3 flush data [28/Feb/2002 10:01:21 11619] [trace] Inter-Process Session Cache (DBM) Expiry: old: 3, new: 1, removed: 2 [28/Feb/2002 10:01:21 11619] [trace] Inter-Process Session Cache: request=SET status=OK id=50E1590207BA3AD79ABFF90030434FB8E8DF0F684802105EF43DCABCA4454C36 timeout=300s (session caching) [28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Handshake: done [28/Feb/2002 10:01:21 11619] [info] Connection: Client IP: 68.65.62.5, Protocol: TLSv1, Cipher: EDH-DSS-DES-CBC3-SHA (168/168 bits) [28/Feb/2002 10:01:22 11619] [info] Initial (No.1) HTTPS request received for child 0 (server dev.topbox.net:443) [28/Feb/2002 10:01:22 11619] [trace] OpenSSL: Write: SSL negotiation finished successfully [28/Feb/2002 10:01:22 11619] [info] Connection to child 0 closed with standard shutdown (server dev.topbox.net:443, client 68.65.62.5) here's the startup info for apache+mod_ssl: [28/Feb/2002 10:02:23 11505] [info] Init: 5nd restart round (already detached) [28/Feb/2002 10:02:23 11505] [info] Init: Reinitializing OpenSSL library [28/Feb/2002 10:02:23 11505] [trace] Inter-Process Session Cache (DBM) Expiry: old: 0, new: 0, removed: 0 [28/Feb/2002 10:02:23 11505] [info] Init: Seeding PRNG with 255 bytes of entropy [28/Feb/2002 10:02:23 11505] [info] Init: Configuring temporary RSA private keys (512/1024 bits) [28/Feb/2002 10:02:23 11505] [info] Init: Configuring temporary DH parameters (512/1024 bits) [28/Feb/2002 10:02:23 11505] [info] Init: Initializing (virtual) servers
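The two traces posted above part ways at the ClientHello step, and the packed code 1408A0C1 in the failing one holds the same lib/func/reason numbers the log prints next to it. As an added example (not part of the original posts), this Python parser reads SSLLog lines in that layout, groups them per connection, and reports where each handshake stopped. The sample lines are constructed on the pattern of the log above, with a placeholder host and client address; the only reason code given a name is 193, which is SSL_R_NO_SHARED_CIPHER in OpenSSL's ssl.h.

```python
import re

# mod_ssl 2.8 SSLLog layout: [date time pid] [level] message
LINE_RE = re.compile(r"^\[(\S+ \S+) (\d+)\] \[(\w+)\] (.*)$")
STATE_RE = re.compile(r"OpenSSL: (?:Loop|Write|Exit): (?:error in )?(.+)$")
ERR_RE = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):")
SUITE_RE = re.compile(r"Protocol: (\S+), Cipher: (\S+)")

# Only the reason code that appears in this thread is named.
REASONS = {193: "no shared cipher"}

# Constructed sample, modelled on the traces in the post above.
SAMPLE = """\
[28/Feb/2002 09:57:43 11626] [info] Connection to child 5 established (server www.example.test:443, client 192.0.2.10)
[28/Feb/2002 09:57:43 11626] [trace] OpenSSL: Handshake: start
[28/Feb/2002 09:57:43 11626] [trace] OpenSSL: Loop: before/accept initialization
[28/Feb/2002 09:57:43 11626] [trace] OpenSSL: Write: SSLv3 read client hello B
[28/Feb/2002 09:57:43 11626] [trace] OpenSSL: Exit: error in SSLv3 read client hello B
[28/Feb/2002 09:57:43 11626] [error] SSL handshake failed (server www.example.test:443, client 192.0.2.10) (OpenSSL library error follows)
[28/Feb/2002 09:57:43 11626] [error] OpenSSL: error:1408A0C1:lib(20):func(138):reason(193)
[28/Feb/2002 10:01:21 11619] [info] Connection to child 0 established (server www.example.test:443, client 192.0.2.10)
[28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Handshake: start
[28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Loop: SSLv3 read client hello A
[28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Loop: SSLv3 write finished A
[28/Feb/2002 10:01:21 11619] [trace] OpenSSL: Handshake: done
[28/Feb/2002 10:01:21 11619] [info] Connection: Client IP: 192.0.2.10, Protocol: TLSv1, Cipher: EDH-DSS-DES-CBC3-SHA (168/168 bits)
[28/Feb/2002 10:01:22 11619] [info] Connection to child 0 closed with standard shutdown (server www.example.test:443, client 192.0.2.10)
"""


def unpack_error(hex_code):
    """Split a packed OpenSSL error (8 hex digits) into (lib, func, reason)."""
    code = int(hex_code, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(lines):
    """Return one summary dict per connection, in log order."""
    conns, open_by_pid = [], {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stamp, pid, _level, msg = m.groups()
        if msg.startswith("Connection to child") and "established" in msg:
            conn = {"pid": pid, "start": stamp, "outcome": "incomplete",
                    "last_state": None, "error": None, "reason": None,
                    "protocol": None, "cipher": None}
            conns.append(conn)
            open_by_pid[pid] = conn
            continue
        conn = open_by_pid.get(pid)
        if conn is None:
            continue  # Init/startup lines are not tied to a connection
        err, suite, state = ERR_RE.search(msg), SUITE_RE.search(msg), STATE_RE.search(msg)
        if err:
            conn["error"] = unpack_error(err.group(1))
            reason = conn["error"][2]
            conn["reason"] = REASONS.get(reason, "reason %d" % reason)
        elif msg.startswith("SSL handshake failed"):
            conn["outcome"] = "failed"
        elif msg == "OpenSSL: Handshake: done":
            conn["outcome"] = "ok"
        elif suite:
            conn["protocol"], conn["cipher"] = suite.groups()
        elif state and conn["outcome"] == "incomplete":
            conn["last_state"] = state.group(1)  # last state seen before the end
    return conns


if __name__ == "__main__":
    for c in triage(SAMPLE.splitlines()):
        if c["outcome"] == "ok":
            print("pid %s %s: ok, %s %s" % (c["pid"], c["start"], c["protocol"], c["cipher"]))
        else:
            print("pid %s %s: %s at '%s', lib/func/reason=%s (%s)"
                  % (c["pid"], c["start"], c["outcome"], c["last_state"], c["error"], c["reason"]))
```

Run over the real log, the cipher suite reported for the client that does connect is the thing to compare against what the failing browsers offer.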
Re: Re: SSL works from localhost but not elsewhere
you could have a local firewall on the machine-- iptables or ipchains, perhaps?

Do you have a NameVirtualHost directive? Something like:

NameVirtualHost 192.168.0.80:443

In your SSL VirtualHost directive, have you specified the IP also?

glen

On Thu, Feb 28, 2002 at 01:18:32PM -0500, Eric Webber wrote:

thanks for the reply. I doubt it is the firewall since I am trying to access https://192.168.0.80/ from another PC on the same LAN, i.e. router does not come into play. That IP address is an internal IP address to the LAN. So for example my webserver with mod_ssl running is on IP 192.168.0.80, and the PC I am trying to access it with is 192.168.0.3 for example.

When I use a web browser on 192.168.0.80 with URL https://localhost/ or the URL https://192.168.0.80/ SSL works fine with corresponding log entries in both access_log and ssl_request log being made. But when I use browser on 192.168.0.3 with URL https://192.168.0.80/ it responds with Page Cannot be Displayed with Explorer, and connection refused with Netscape and in both cases no log entries are made on the server in either access_log or ssl_request log. Of course I checked if normal http works from 192.168.0.3 and it does of course.

I am at a loss as to why this is.

warmest regards,
Eric Sean Webber

On Thu, 28 Feb 2002, Andrew Lietzow ([EMAIL PROTECTED]) wrote:

Dear Owen,

Personally I am not a big fan of opening attachments from unknown sources. Since you're on this list, you're probably a trusted source but I was not aware that sending attachments through this list server was even an option. Perhaps I am a bit paranoid about viruses?

With that said, here are a series of things that I would check.

1) Do you have a firewall that might be preventing HTTPS access?
2) Do other non-secure pages from that server come up in your browser-wowser?
3) In httpd.conf, do you have any entries similar to the following:

NameVirtualHost $IPADDR
<VirtualHost $IPADDR:443>
ServerAdmin webmaster@$YOURDOMAINNAME
ServerName $YOURDOMAINNAME
Port 443
DocumentRoot /var/www/secure.yourdomain.name (or wherever you store your documents that you want to bring up on the secure server. You need to have something in that directory that you can bring up if you don't have index.html)
ErrorLog logs/$YOURDOMAINNAME_err
TransferLog logs/$YOURDOMAINNAME_transfer
</VirtualHost>

If you have the ErrorLog file, what is it telling you? Any hints there? Also, in your named.domain.xxx file, do you have an entry for your secure server if it is running on a different server than your main web site?

Probably this info is more than you need, and I am a newbie, but better more than not enough :-)

Good luck!
Andrew Lietzow
The ACL Group, Inc.

sure that your firewall is allowing HTTP and HTTPS access?

- Original Message -
From: Eric Webber [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 27, 2002 2:16 PM
Subject: SSL works from localhost but not elsewhere

When I go to the url https://localhost using netscape on the same box running apache and mod_ssl, SSL appears to work fine. But when I come in from a box other than the box running apache and mod_ssl, I get Page cannot be displayed. I have apache 1.3.20 RedHat, OpenSSL version 0.9.6b, on redhat version 2.4.7-10. Is this because of the Servername ? I am at a loss and cannot find the solution in the mod_ssl documentation. Is there a set of tests to help ferret out this problem ?

warmest regards,
Eric Sean Webber

here is a copy of my httpd.conf as a file attachment

--
Glen S Mehn
Lead Systems Administrator
SquareTrade, Inc
[EMAIL PROTECTED]
Building Trust in Transactions (sm)
Re: Re: SSL works from localhost but not elsewhere
how would I use openssl and curl ? to check port 443 from a nonlocal host ?

assuming you have the openssl pkg installed on the nonlocal host.

$ openssl s_client -connect yourhost:443 -state -debug

curl can be found at http://curl.haxx.se/ or depending on your OS, you may already have a pre-built pkg available.

$ curl -v https://yourhost/

-brad
--
Brad Burdick | [EMAIL PROTECTED]
http://media.org/ | The medium is NOT the message
Re: Re: SSL works from localhost but not elsewhere
how would I use openssl and curl ? to check port 443 from a nonlocal host ?

also, i don't recall from previous mail, but could you 'telnet yourhost 443' from the nonlocal host? good to know connectivity is working before debugging at a higher level.

-brad
--
Brad Burdick | [EMAIL PROTECTED]
http://media.org/ | The medium is NOT the message
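The order of checks suggested in the replies above (plain TCP to port 443 first, then the SSL handshake) as an added example, not part of the original posts: a Python probe to run from the non-local host that reports which layer fails, so a refused connection is not mistaken for a handshake problem. The function name, the outcome labels and the hint texts are assumptions made for this example.

```python
import socket
import ssl
import sys

# What each outcome points at; wording is this example's, drawn from the thread's advice.
HINTS = {
    "dns_error": "the name does not resolve from this client",
    "tcp_refused": "no listener reachable on that address:port (check Listen and local firewall rules)",
    "tcp_timeout": "packets are being dropped on the way (firewall or routing)",
    "tcp_error": "network-level failure before any SSL was attempted",
    "tls_failed": "the port is open but the handshake failed (read the mod_ssl log)",
    "cert_untrusted": "the handshake reached the certificate, which failed verification on this client",
    "tls_ok": "TCP and SSL/TLS both work from this client",
}


def probe(host, port=443, timeout=5.0, cafile=None):
    """Test one layer at a time and return (outcome, detail)."""
    # Layer 1: plain TCP, the same question 'telnet yourhost 443' answers.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:
        return ("dns_error", str(exc))
    except ConnectionRefusedError as exc:
        return ("tcp_refused", str(exc))
    except socket.timeout as exc:
        return ("tcp_timeout", str(exc))
    except OSError as exc:
        return ("tcp_error", str(exc))

    # Layer 2: the handshake, the same question 'openssl s_client -connect' answers.
    # Verification stays on; a self-signed test certificate shows up as cert_untrusted
    # unless its CA file is passed in as cafile.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("tls_ok", "%s, %s" % (tls.version(), tls.cipher()[0]))
    except ssl.SSLCertVerificationError as exc:
        return ("cert_untrusted", exc.verify_message)
    except (ssl.SSLError, OSError) as exc:
        return ("tls_failed", str(exc))
    finally:
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: probe.py host [port] [cafile]")
    else:
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        ca = sys.argv[3] if len(sys.argv) > 3 else None
        outcome, detail = probe(sys.argv[1], target_port, cafile=ca)
        print("%s: %s (%s)" % (outcome, HINTS[outcome], detail))
```

A "tcp_refused" result with nothing written to access_log or the SSL log matches the symptom described in this thread, and it means the handshake was never reached.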
Re: RE: newbie mod_ssl questions
thanks. it appears to work but only from a browser on the same box as the server.

On Tue, 26 Feb 2002, Glen S Mehn ([EMAIL PROTECTED]) wrote:

Read the docs at http://modssl.org/docs/ that'll get you started.

You'll need to:

create a certificate
self-sign it (or get thawte, verisign, etc to do so)
configure apache for SSL operation
restart with SSL support
test
etc.

-glen

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Eric Webber
Sent: Monday, February 25, 2002 11:19 AM
To: [EMAIL PROTECTED]
Subject: newbie mod_ssl questions

I have a linux box that came with Apache preinstalled and in the httpd.conf there are entries such as

<IfDefine HAVE_SSL>
LoadModule ssl_module modules/libssl.so
</IfDefine>

which would seem to indicate mod ssl is loaded but when I go to https://myserver.com I get nothing. How can I tell if ssl is really loaded, and what is the best faq to read for my situation, i.e. I have apache 1.3.20 RedHat, OpenSSL version 0.9.6b, on redhat version 2.4.7-10.

Is there a simple way to list all my modules that are actually loaded dynamically ? [I know the static command] I want to simply provide ssl encryption of web sessions between known and unknown clients and our webserver.

I have attached a copy of my httpd.conf file.

warmest regards,
Eric Sean Webber
Re: Re[3]: MSIE + The page cannot be displayed error
The URL you would want to go to would be https://www.yourdomainname.com:4433

obviously you would replace yourdomainname

PS... if you have a firewall in effect, you may have to open port 4433 to allow the connection to succeed.

- Original Message -
From: Christopher Taranto [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, January 18, 2002 11:49 PM
Subject: Re[3]: MSIE + The page cannot be displayed error

I'm not really sure what to do or what exactly I am expecting using s_server but here are the results from my server.

]# openssl s_server -accept 4443 -www \
   -cert /usr/local/apache/conf/ssl.crt/www.cert.crt \
   -key /usr/local/apache/conf/ssl.key/www.cert.key \
   -state -debug
Using default temp DH parameters
ACCEPT

it waits for input, but no matter what I enter it just hangs. I have looked through the man page but I haven't found an example of how this is used so I don't quite get it. What should I look for?

To date, I haven't found a machine that is afflicted with the problem that I can do this with :(

What's your URL? I will look at your page and see if it works with my broken MSIE browser.

At 10:51 AM 1/18/02 -0700, you wrote:

Run this command line and try to connect to it.

openssl s_server -accept 4443 -www -cert pathtocert -key pathtokey -state

1) Make sure to change pathtocert and pathtokey to the appropriate values, and for additional debug info add -debug...
2) Try to make sure you are using the same openssl that you compiled apache with

It simply creates a weblike version of SSL on port 4433 WITHOUT apache that will print some debug info to the client

feel free to man s_server to get info about the program

At least this way, you will be able to find out if the problem is with SSL, or if it with (mod_ssl+apache)

PS... please let me know as I am confronted with the EXACT problem you have, and have been for 3 years... even after a full Linux redhat upgrade to 7.2 (complete reformat, re-install)

To date, I haven't found a machine that is afflicted with the problem that I can do this with :(

- Original Message -
From: Christopher Taranto [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, January 17, 2002 11:10 PM
Subject: RE: MSIE + The page cannot be displayed error

Hi,

I have been trying to fix the known MSIE browser issues in my configuration with some issues still occurring. I have read the FAQ, searched the archives, and implemented the solutions that have been documented - but I am still getting the dreaded The page cannot be displayed error when certain MSIE browsers attempt to connect to my site.

I get the infamous log entry:

[Fri Jan 18 00:55:53 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Fri Jan 18 00:55:53 2002] [error] System: Connection reset by peer (errno: 104)

Fortunately (for my sanity), I have one of the non-working versions of the MSIE browsers (5.00.2614.3500) on one of the machines in my office so I can repeatedly create the errors. I am determined to squash this thing but I do not know where to go next.

I have included the following information below:

* SYSTEM INFORMATION
* CONFIGURATION INFORMATION
* BROWSER VERSION INFORMATION
* CERTIFICATE STATISTICS FROM THE BROWSER

Any help or further direction would be greatly appreciated!

Sincerely,
Christopher Taranto

SYSTEM INFORMATION:
===
I am running Red Hat 6.2 on a Pentium III using:

* mod_ssl-2.8.5-1.3.22
* openssl-0.9.6b
* mm-1.1.3

CONFIGURATION INFORMATION:
==
<IfModule mod_ssl.c>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
# I have also tried dbm but there was no difference
SSLSessionCache shm:/usr/local/apache/logs/ssl_gcache_data(512000)
SSLSessionCacheTimeout 300
SSLMutex file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog logs/ssl_engine_log
SSLLogLevel info
</IfModule>

VirtualHost
snip
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
BrowserMatch "MSIE [1-4]" nokeepalive \
    ssl-unclean-shutdown \
    downgrade-1.0 \
    force-response-1.0
BrowserMatch "MSIE [5-9]" ssl-unclean-shutdown
BrowserMatch Mozilla/4..*PC) nokeepalive \
    downgrade-1.0 \
    force-response-1.0
/snip
Re: Re: Security Checker
Hi,

I was aiming at your second and third area. Good points. One additional topic would be to check for intrusion protection in general with a library of known methods and bugs etc

Since the server is in my case running on Windows environment, the intrusion protection issue feels rather important...

/// Gudmund

-Original Message-
From: J. Johnson [mailto:[EMAIL PROTECTED]]
Sent: 11 December 2001 07:43
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Security Checker?

Did you have some particular kind of security check in mind, or were you interested in security overall?

For security overall (and security does have to be done over all) there is excellent material on Internet. Start with CERT or CIAC. For Web specific security see 'http://www.w3.org/Security/FAQ' for "The WWW Security FAQ".

More specifically, it would be nice to have a script that would read the httpd.conf file to figure out where all the components exist, then go through and check ownerships and permissions to see that CGI files weren't world writeable, etc. Probably would need to specify some kind or level of security policy. Has anyone tried anything like that?

=== JJ =

On 10 Dec 2001 [EMAIL PROTECTED] wrote:

Hi,

Does anyone know if there is any way of running a security check (locally) on an Apache server with mod_ssl ? I am perhaps a bit too paranoid but I use the Win32 port and I have respect for this environment.. Perhaps there exists a tool that can be run locally that performs some basic tests ?

Regards
Gudmund B
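A sketch of the script proposed in the thread above, added here as an example and not posted by anyone on the list: it reads httpd.conf text, collects the paths named by a few directives, and reports risky permission bits. The policy is an assumption standing in for the "kind or level of security policy" the post mentions: nothing world-writable under the configured paths, and the SSL private key not readable by group or other. It uses POSIX permission bits only, so it does not cover the Win32 ACLs of the original poster's platform; the directory tree in demo() is constructed.

```python
import os
import shlex
import stat
import tempfile

# Directive name -> index of the argument that holds a filesystem path.
PATH_ARG = {"documentroot": 0, "scriptalias": 1, "errorlog": 0,
            "sslcertificatefile": 0, "sslcertificatekeyfile": 0}


def parse_paths(conf_text):
    """Return (server_root, [(directive, path), ...]) from httpd.conf text."""
    server_root, found = None, []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue                      # comments and <Section> lines
        try:
            parts = shlex.split(line)
        except ValueError:
            continue                      # unbalanced quotes: skip the line
        name, args = parts[0].lower(), parts[1:]
        if name == "serverroot" and args:
            server_root = args[0]
        elif name in PATH_ARG and len(args) > PATH_ARG[name]:
            path = args[PATH_ARG[name]]
            if not path.startswith("|"):  # piped logs are programs, not files
                found.append((name, path))
    return server_root, found


def _targets(path):
    """Yield a directory and everything below it, or a file and its parent."""
    if os.path.isdir(path):
        for dirpath, _dirs, files in os.walk(path):
            yield dirpath
            for name in files:
                yield os.path.join(dirpath, name)
    else:
        yield path
        yield os.path.dirname(path)


def audit(conf_text):
    """Return a sorted list of (path, finding) tuples."""
    server_root, entries = parse_paths(conf_text)
    findings = set()
    for name, path in entries:
        # Relative paths are resolved against ServerRoot, as Apache does.
        full = os.path.normpath(os.path.join(server_root or "/", path))
        if not os.path.exists(full):
            continue
        if name == "sslcertificatekeyfile":
            if os.stat(full).st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.add((full, "private key readable by group/other"))
        for target in _targets(full):
            mode = os.lstat(target).st_mode
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH and not sticky_dir:
                findings.add((target, "world-writable"))
    return sorted(findings)


def demo():
    """Build a constructed ServerRoot in a temp directory and audit it."""
    root = tempfile.mkdtemp(prefix="httpd-audit-")
    layout = {"cgi-bin/form.cgi": 0o777,   # deliberately too open
              "cgi-bin/ok.cgi": 0o755,
              "conf/server.key": 0o644,    # key readable by everyone
              "conf/server.crt": 0o644}
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        os.chmod(os.path.dirname(full), 0o755)
        open(full, "w").close()
        os.chmod(full, mode)
    conf = "\n".join([
        'ServerRoot "%s"' % root,
        "DocumentRoot htdocs",             # missing on disk, so skipped
        'ScriptAlias /cgi-bin/ "%s/cgi-bin/"' % root,
        "<VirtualHost _default_:443>",
        "  SSLCertificateFile conf/server.crt",
        "  SSLCertificateKeyFile conf/server.key",
        "</VirtualHost>",
    ])
    return root, audit(conf)


if __name__ == "__main__":
    for path, finding in demo()[1]:
        print("%-40s %s" % (finding, path))
```

To audit a real server, pass the contents of its httpd.conf to audit() from an account that can read the configured directories.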
Re: Re: (Virus Alert)
This is an automatic response to a message received from your address:

An e-mail received from your account (see To: field) matches the signature of a known virus. Your message has been placed in a quarantine area.

IT IS POSSIBLE THIS MESSAGE WAS SENT WITHOUT YOUR KNOWLEDGE

It is also possible that your e-mail address was faked and that the message did not originate from your account. If this is the case please ignore this auto-reply.

If your message was not generated by the virus, please

» re-send without the word 'Homepage' in the subject line or
» re-send with a subject which contains more than just 'Re:'
» let me know and I'll retrieve the message from the quarantine area.

Regards,
Chr!s

- - - - - -
Chris Cooper            [EMAIL PROTECTED]
Student Service Centre  [EMAIL PROTECTED]
Edith Cowan University  http://www.ecu.edu.au/
Pearson Street          Tel: +61 8 9273 8652
Churchlands             Fax: +61 8 9273 8000
- - - - - -
Re: RE: MODSSL: WIN32-apache 1.3.x (windows NT) problem of serving co ncurrent https requests
Hi Justin,

I implemented the suggested configuration to fix buggy IE SSL implementations, which includes disabling keepalive and it seems to have made this problem go away (the crashing of apache under SSL) even though it is not what the config changes were intended to fix. I did some troubleshooting and the crashing seemed specifically related to keepalive, probably in conjunction with multiple request over a single connection (1.1)

I tried keepalive on/off with no effect. Also it's no pure problem of IE5/5.5/6.0 - the crashes also occur with netscape4.78 or netscape 6.2

Johannes

Justin

-Original Message-
From: Johannes Bertscheit [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 01, 2001 9:18 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: MODSSL: WIN32-apache 1.3.x (windows NT) problem of serving concurrent https requests

Hi all,

Does anyone know something about the following WIN32-apache-modssl and/or WIN32-apache problem as described below?

In short: It seems that any WIN32-apache (I tried) has this problem: They cannot display pages (I need mainly https:// but also tried http://) with many images in a RELIABLE manner. That means if you SHIFT-RELOAD the page several times (10x, 20x, 50x.), the apache process crashes once in a while and is restarted after some time. In this time the server is not accessible and images remain empty or the page itself says unable to load page

I had this effect on the following apache servers:

- WIN32-apache-mod_ssl 1.3.6
- WIN32-apache-mod_ssl 1.3.9
- WIN32-apache-mod_ssl 1.3.20
- WIN32-apache-mod_ssl 1.3.22
- IBM http server 1.3.19 - based on apache 1.3.20 (without mod_ssl - but with own IBM-ssl-128)

I also tried cygwin-based apaches:

- cygwin apache 1.3.6 mod_ssl
- cygwin camp 1.3.20 mod_ssl

The cygwin-based show NOT this effect - but have other problems (sporadic hangs of the cygwin-apache and/or cygwin-system) which do not allow to use them.

The only RELIABLE SSL-web server on windows-nt I found yet is tinyssl (also based on openssl) - it is solid as a rock - but it has not the functionality I need (ProxyPass, RewriteRule, mod_jserv...).

The problem is closely associated with concurrent requests (to load the images) to the server. So it is a bug in the thread/process-synchronisation of WIN32-apache versions and I think in the core-apache, because apache crashes occur also if you redirect the image loading to another SSL-server (with ProxyPass) and also if you use http:// instead of http://..

I need to get a RELIABLE apache-based mod-ssl web server for windows NT but haven't found such a thing yet...

Do you know a RELIABLE (no hangs!, no crashes!) running WIN32-apache-mod-ssl installation anywhere? Is there a solution for this problem?

Thanks in advance
Johannes

Here is a posting to mod_ssl which describes the crashes of WIN32-apache 1.3.20 in more detail:

Subject: WIN32-apache 1.3.20 (windows NT) problem of serving concurrent https requests
Date: Wed, 21 Nov 2001 02:20:58 +0100
From: [EMAIL PROTECTED] (Johannes Artur Bertscheit)
Reply-To: [EMAIL PROTECTED]
Organization: JB Management Consulting
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]

Hi all,

I use Apache_1.3.20-Mod_SSL_2.8.4-OpenSSL_0.9.6a-WIN32.zip from your contribution area ( http://www.modssl.org/contrib/Apache_1.3.20-Mod_SSL_2.8.4-OpenSSL_0.9.6a-WIN32.zip )

when serving SSL pages under this WIN32-apache 1.3.20 under windows NT e.g: html page with 20 images or html-frame with 1 image and I SHIFT-RELOAD these pages several times (with IE5.5 or netscape4.78 doesn't matter) (it depends on timing conditions if the crash will occur - so several tries - up to 10 - may be necessary) then I get the following Dr.Watson crashes:

FAULT -6ffa1522 8b5104 mov edx,[ecx+0x4] ds:00dfea06=
FAULT -10007587 8b0491 mov eax,[ecx+edx*4] ds:0017=

because if Apache.exe's are restarted automatically, the server continues to serve after some delay and maybe another SHIFT-RELOAD may show all images/frames.

I think it's a problem of serving concurrent https requests (several images / several frames). Are there known problems in this area??? How can the problem be fixed? I tried almost all configuration settings (e.g. SSLSessionCache on/off, nokeepalive on/off...) with no effect.

Thanks in advance!
Johannes
RE: Re: SSL client authentication access to Perl script
Hi,

Easy way to check - make a normal HTTP virtualhost with the same content/functionality and see if you get the same problem.

I guess the hang-up is due to DBD::mysql. I found that the CPU usage dramatically increased to 80% when accessing the mySQL database using DBD::mysql Perl module. However I still couldn't figure out which statement caused the hang-up.

Angus Lee
RE: Re: Importing Self-signed CA into Netscape Browser
Have you created your CA-Certificate with the steps in http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29 ? Then you have the certificate in the right format.

I don't know if it works under Linux/Unix if you call a certificate from a file-URL (in Windump it doesn't), try to request it via http and the loadcacert.cgi (so that the correct mime-type is transmitted). After that Netscape brings up a Window to install the Certificate automatically and no password is required.

Here the installation process of the cert with pictures (but in German language):

Netscape 4: http://www.weisshuhn.de/security/ssl/netscape.html
Netscape 6: http://www.weisshuhn.de/security/ssl/ns6.html

GreetingX, Alex

--- George Walsh [EMAIL PROTECTED] wrote:

Thanks for taking the trouble to respond to my apparent thick-mindedness, Alex!

I pointed the URL to the actual test file containing the certificate: in this case file:///opt/apache/conf/ssl.crt/ca.crt. Then, I hit on the security icon and asked to import the certificate. It asks for a password (which I left blank) and then the name of the file - indicating an *.p12 extension. However, it will only find the file without the extension, of course. This suggests to me that some kind of conversion is necessary? If I ask to look for certificates accepted (in any category!) nothing shows except the commercial CAs.

Can you provide me with a further step up? Maybe I need to go back and recreate the certificates in encrypted form???

Thanks, Alex.

George

Alex Pircher [EMAIL PROTECTED] wrote:

Can you provide the URL of loadcacert.cgi? If SSL is enabled the mime-type for certificates is ordinary correctly set in the httpd.conf. So actually you don't need loadcacert.cgi, you just have to point your Browser to the URL of the certificate. This worked for me without problems.

GreetingX, Alex

I prepared the CAs using the make certificate TYPE=custom option. Both the server and the CA files look fine to me and are in their proper pews. There were warnings about security depth being 0, but that is to be expected during the creation process.

In the mod_ssl documentation the instruction asks that I 'fire up' Communicator and use the Perl script loadcacert.cgi in the pkg.contrib directory to load the CA into the browser. Then I have to 'walk through the dialog boxes'. Well, this is all too simple for me to comprehend. I can execute the script file and it assigns the x509 type, determines the length and prints out the certificate data, but that doesn't get into Communicator, so nothing really happens.

How do I tie the script output into Communicator to trigger what should be happening? Or is there a more straightforward way???

Thanks,
George Walsh, Managing Director
Travel Seewise Pacific Corp

--
George Walsh, Managing Director, Travel Seewise Pacific Corp
Vancouver Canada
RE: Re: Importing Self-signed CA into Netscape Browser
Thanks for taking the trouble to respond to my apparent thick-mindedness, Alex!

I pointed the URL to the actual test file containing the certificate: in this case file:///opt/apache/conf/ssl.crt/ca.crt. Then, I hit on the security icon and asked to import the certificate. It asks for a password (which I left blank) and then the name of the file - indicating an *.p12 extension. However, it will only find the file without the extension, of course. This suggests to me that some kind of conversion is necessary? If I ask to look for certificates accepted (in any category!) nothing shows except the commercial CAs.

Can you provide me with a further step up? Maybe I need to go back and recreate the certificates in encrypted form???

Thanks, Alex.

George

Alex Pircher [EMAIL PROTECTED] wrote:

Can you provide the URL of loadcacert.cgi? If SSL is enabled the mime-type for certificates is ordinary correctly set in the httpd.conf. So actually you don't need loadcacert.cgi, you just have to point your Browser to the URL of the certificate. This worked for me without problems.

GreetingX, Alex

I prepared the CAs using the make certificate TYPE=custom option. Both the server and the CA files look fine to me and are in their proper pews. There were warnings about security depth being 0, but that is to be expected during the creation process.

In the mod_ssl documentation the instruction asks that I 'fire up' Communicator and use the Perl script loadcacert.cgi in the pkg.contrib directory to load the CA into the browser. Then I have to 'walk through the dialog boxes'. Well, this is all too simple for me to comprehend. I can execute the script file and it assigns the x509 type, determines the length and prints out the certificate data, but that doesn't get into Communicator, so nothing really happens.

How do I tie the script output into Communicator to trigger what should be happening? Or is there a more straightforward way???

Thanks,
George Walsh, Managing Director
Travel Seewise Pacific Corp

--
George Walsh, Managing Director, Travel Seewise Pacific Corp
Vancouver Canada

--
George Walsh, Managing Director, Travel Seewise Pacific Corp
Vancouver Canada
RE: RE: Apache + JServ + SSL
Newbie that I am, newbie that I am, I finally got it to work! Here's the article I found on the web that helped:

http://groups.google.com/groups?hl=enlr=safe=offic=1th=d6e9305c0c7261c,2 seekm=7538g9%241e%241%40nnrp1.dejanews.com#p

Basically, I did the following:

1. In the jserv build directory, I removed all *.obj, ApacheModuleJServ.pch, ApacheModuleJserv.lib, ApacheModuleJServ.exp, and ApacheModuleJServ.dll

2. Made myself a file called configure.win32 that contains the following:

PACKAGE=ApacheJServ
VERSION=1.1.2
APACHE_SRC=d:\apache\src
JAVA_HOME=d:\jdk1.3.0_02
JSDK_HOME=d:\JSDK2.0

3. Modified the following items in makefile.win32:

Changed this line:

JSERV_DEFINE = /D WIN32 /D NDEBUG /D _WINDOWS

to this:

JSERV_DEFINE = /D WIN32 /D NDEBUG /D _WINDOWS /DEAPI

Commented out these lines:

jserv.h: autochange.exe
@autochange PACKAGE=$(PACKAGE) VERSION=$(VERSION) jserv.h.in jserv.h

4. Ran the make:

nmake -f makefile.win32 @configure.win32

The ApacheModuleJserv.dll that it spits out is exactly the same size as the other one, but it must be right because I no longer get the warning message.

-jc

-Original Message-
From: Craig, John
Sent: Tuesday, June 05, 2001 4:53 PM
To: '[EMAIL PROTECTED]'
Subject: FW: RE: Apache + JServ + SSL

The below instructions were very helpful -- I was finally able to build this, myself -- except I still get the -DEAPI warning on Apache startup. Any ideas what could be going wrong? The only clue that I have is that when I originally tried to build, I got the error:

NMAKE : fatal error U1073: don't know how to make 'd:\apache\src\Release\ApacheCore.lib'

So I copied ApacheCore.lib from the modssl distribution into d:\apache\src\Release -- that seemed to make the build work, but I'm not sure.

Particulars on my platform:

Windows 2000 SP2
Visual C++ 6.0, SP3
modssl 2.84
Apache 1.3.20

The pre-built version of modssl that I'm using at present was downloaded from http://www.modssl.org/contrib/Apache_1.3.20-Mod_SSL_2.8.4-OpenSSL_0.9.6a-WIN32.zip

Any advice would be much appreciated

-Original Message-
From: Jay Burgess [SMTP:[EMAIL PROTECTED]]
Date: Friday 20 April 2001 17:05
To: [EMAIL PROTECTED]
Subject: RE: Apache + JServ + SSL

If I well understand the message, I must recompile the JServ module (ApacheModuleJServ.dll) with -DEAPI option ... How can I do that (I know that I must do it with Visual C++) ? Or where can I find an Apache version compiled with -DEAPI option ?

Boy, this must be my day to answer questions. :) Here's what I just did last week, and it works for us.

(1) Create a file called configure.win32 in the directory JSERV_ROOT/sources/c. It should contain the following information (note the paths will have to be adjusted to match your setup):

PACKAGE=ApacheJServ
VERSION=1.1.2
APACHE_SRC=d:/servers/apache/src
JAVA_HOME=d:/java/jdk1.2.2
JSDK_HOME=d:/java/jsdk2.0
EAPI=true

(2) In the JSERV_ROOT/sources/c directory, modify makefile.win32 as follows:

Replace both instances of CoreR with Release.

Comment out the jserv.h build rule:

#jserv.h: autochange.exe
# @autochange PACKAGE=$(PACKAGE) VERSION=$(VERSION) jserv.h.in jserv.h

(3) Rebuild JServ:

nmake /f Makefile.win32 @configure.win32

(4) Copy the newly built ApacheModuleJServ.dll to the WEBSERVER_ROOT directory.

Jay
Re: RE: mod_ssl vs. Stronghold 3
Stronghold is now owned by Red Hat and is most definitely NOT free, as I mentioned in the original posting. But Stronghold does use mod_ssl and it really is Apache anyway. Unless the whole process terrifies you, why would you not prefer the support of this community, which from personal experience I can say has been wonderful!

George

[EMAIL PROTECTED] wrote:

Hmm.. also, is stronghold free? The price of Apache can't be beat.

--
George Walsh, Managing Director, Travel Seewise Pacific Corp Vancouver Canada
Re: RE: Problems with IE/56bit (not solved in the FAQ)
Hello, I had the same problem with both verisign certificate and self-signed certificate. We had with verisign step up certificate more problem. My problem was SSLRequired 128 bit. I commented the line and used SSLCiphers and so on, all internet explorer version work.

Oranous

[EMAIL PROTECTED] wrote on 02.04.01:

The problem seems to be that even with the IE workarounds, MSIE still does not like to connect when using a self-signed certificate. If you go out and buy a certificate, it should work (Verisign has a free trial cert if you just want to test it)

-Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Swift

Hello! I installed a self-generated certificate + CA in our Apache. All clients can connect via SSL but not export versions of Internet Explorer (56bit key). The lines

    SSLCipherSuite ALL:!ADH:!EXPORT56:...

and

    SetEnvIF UserAgent ".*MSIE.*" ...

were already in my httpd.conf. So I'm wondering why this don't work!? IE report always: Cannot find server or DNS Error

The same thing happens, if I disable SSLv3 completely - very strange. Is there anything I can try to get this @!#%*-Explorer working? Help! Currently I disabled SSL because many users here in Germany are using a 56bit-IE :-( But our site needs SSL to be enabled.

Thanks in advance!
... tobias wiersch
Re: Re: Problems with IE/56bit (not solved in the FAQ)
[EMAIL PROTECTED] wrote:

Hi! Oranous Niliarm wrote:

i had the same problem with both verisign certificate and self-signed certificate. We had with verisign step up certificate more problem. My problem was SSLRequired 128 bit. I commented the line and used SSLCiphers and so on, all internet explorer version work.

Hmm, there is no SSLRequired in my httpd.conf ... Maybe I made a mistake while creating the keys? I followed the FAQ at http://www.modssl.org/docs/2.8/ssl_faq.html :

First: "How can I create and use my own CA?" I followed steps 1-3, then jumped to: "...[I] want to create a real SSL server certificate..." (I entered the FQDN as CommonName) After that I completed step 4 of [own CA]. Then I followed the steps "How can I get rid of the pass-phrase dialog...?" That's all.

Maybe I made a mistake somewhere? Is there anything else I can try?

Thanks!
... tobias wiersch

Hi Tobias, I generate the CA certificate as below:

Key and CSR generation

    1. openssl md5 *.* > rand.dat
    2. openssl genrsa -rand rand.dat -out cakey.pem -des 1024

CA generation:

    openssl req -new -x509 -keyout ./demoCA/private/cakey.pem -out ./demoCA/certs/cacert.pem -days 3650

Generating a new key and csr and signing the csr with own ca.

    1. openssl md5 *.* > rand.dat
    2. openssl genrsa -rand rand.dat -out key1.pem -des 1024
    3. openssl req -new -key key1.pem -out csr1.pem
    4. openssl ca -policy policy_anything -out cert.pem -in csr1.pem

Good Speed
Oranous

[EMAIL PROTECTED] wrote on 03.04.01:

Hi! Oranous Niliarm wrote:
RE: RE: SSL-induced loading errors
Hi Geoff, Thanks for the info, should help future users. -Dave -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Geoff Fowler Sent: Tuesday, February 13, 2001 9:47 AM To: '[EMAIL PROTECTED]' Subject: RE: RE: SSL-induced loading errors Hi Dave, et al: I just joined the mod_ssl mailing list and found the directives for SSLRequire and SSLCipherSuite very helpful. We are running Apache 1.3.14 with mod_ssl 2.7.1, openssl 0.9.6 and mm 1.1.3 on Solaris 7 (yikes!). We are also using a Verisign Global ("Step-up") ID. While most browsers were "bumping up" to 128-bit encryption, regardless of their origin (i.e. domestic vs. export, etc.), Mac versions of IE, as well as IE5.x running on Windows 2000 WITHOUT Service Pack 1 were failing to negotiate the correct algorithm, killing the connection. This is, in fact, a known issue and excused by Microsoft in the following KB article: http://support.microsoft.com/support/kb/articles/Q249/8/63.ASP After we added the two directives discussed at the beginning of this post, however, all of our client browsers (including the broken IE5.x variants) negotiated the handshake correctly and were bumped-up to 128-bit encryption. It seems that even non-128 bit browsers also work correctly - although I have only tested this with a Verisign Global ID. Cheers, Geoff [EMAIL PROTECTED] writes: Can you post the config for your SSL virtual host without comments? Actually, I just tried adding: SSLRequire %{SSL_CIPHER} = 128 And it appears to work on just about every new and old browser/platform! Hope this helps some future newbie... Even on non-128 bit browsers? -Dave __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: RE: RE: RE: SSL-induced loading errors
Dear Mr. Rees, But could you elaborate as to why you state "Verisign Requires?"We're not requiring anything on the server side 'except' the certificate request file? Thanks, Ray Erdmann Technical Support Verisign, Inc. -Original Message- From: David Rees [mailto:[EMAIL PROTECTED]] Sent: Friday, February 09, 2001 4:00 PM To: [EMAIL PROTECTED] Cc: Ralf S. Engelschall Subject: RE: RE: RE: RE: SSL-induced loading errors Curious, according to the docs, it shouldn't allow those browsers to connect. Are you using one of the step-up certificates from Verisign? So I'm told by the guy who acquired our certificates from Verisign. How do I tell? I'm not sure, does anyone else know? Do you also have the following lines installed? SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 If you do, could you try it without "SSLRequire %{SSL_CIPHER} = 128", I'm not convinced that the SSLRequire makes a difference. I do have those lines installed, and it was giving me all the decryption errors, which only went away once I added the SSLRequire. OK, Looks like another item for the FAQ. Ralf, can you add something for Decryption errors when using Verisign Step Up certs? It looks like when using Verisign step-up certs, they require the line: "SSLRequire %{SSL_CIPHER} = 128" to work properly on all browsers. -Dave __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: RE: RE: RE: SSL-induced loading errors
All I said was that it seems that Verisign Step-Up certs require the following line in the Apache config file to work properly: SSLRequire %{SSL_CIPHER} = 128 I deducted this from various reports which I have seen from users on the mod_ssl list like Ray Erdmann. It seems that if you are using a Verisign Step-Up cert and do not include the line above, you will get IO Errors when connecting with MSIE. However, I don't don't have a Verisign Step-Up cert to verify this myself, so if you know this to be false, maybe you can post a known working configuration or what you recommend to your customers. -Dave -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ray Erdmann Sent: Monday, February 12, 2001 10:59 AM To: '[EMAIL PROTECTED]' Subject: RE: RE: RE: RE: SSL-induced loading errors But could you elaborate as to why you state "Verisign Requires?"We're not requiring anything on the server side 'except' the certificate request file? -Original Message- From: David Rees [mailto:[EMAIL PROTECTED]] Sent: Friday, February 09, 2001 4:00 PM To: [EMAIL PROTECTED] Cc: Ralf S. Engelschall Subject: RE: RE: RE: RE: SSL-induced loading errors Curious, according to the docs, it shouldn't allow those browsers to connect. Are you using one of the step-up certificates from Verisign? So I'm told by the guy who acquired our certificates from Verisign. How do I tell? I'm not sure, does anyone else know? Do you also have the following lines installed? SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 If you do, could you try it without "SSLRequire %{SSL_CIPHER} = 128", I'm not convinced that the SSLRequire makes a difference. I do have those lines installed, and it was giving me all the decryption errors, which only went away once I added the SSLRequire. OK, Looks like another item for the FAQ. 
Ralf, can you add something for Decryption errors when using Verisign Step Up certs? It looks like when using Verisign step-up certs, they require the line: "SSLRequire %{SSL_CIPHER} = 128" to work properly on all browsers. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: RE: RE: RE: SSL-induced loading errors
David, While posting information about known issues is currently done on our web site, http://www.verisign.com/support/vendors/issues.html the issues posted are ones that have been documented by the vendor in question. If you can find someway of having APACHE users list what works and want doesn't work with our Global Certificates, then I'm willing to take this issue up with our web master and have the information posted for all to see. I'm guessing here that it doesn't matter if the end-users is using a Thawte "Super Cert" or a Verisign "Global Certificate"...the issue still lies with the initial SSL handshake not being completed by the browser for one reason or another. (Browser being of the 'exported' version 40/56 bit variety) Also, regarding MOD_SSL, Mr. Engelschall has stated that MOD does support the SGC/Step Up function. (He states: "...Yes, mod_ssl since version 2.1 supports the SGC facility. You don't have to configure anything special for this, just use a Global ID as your server certificate. The step up of the clients are then automatically handled by mod_ssl under run-time. For details please read the README.GlobalID document in the mod_ssl distribution...") http://www.modssl.org/docs/2.6/ssl_faq.html#ToC38 But apparently you do have to configure something special...the information below, in order for export clients to step up to the stronger ciphers. Therefore, in your opinion, what would seem like the most appropriate step to take? Have the Apache websites post the correct information or have Verisign take that responsibility. Sincerely, Ray Erdmann Technical Support Verisign, Inc. 
-Original Message- From: David Rees [mailto:[EMAIL PROTECTED]] Sent: Monday, February 12, 2001 11:07 AM To: [EMAIL PROTECTED] Subject: RE: RE: RE: RE: SSL-induced loading errors All I said was that it seems that Verisign Step-Up certs require the following line in the Apache config file to work properly: SSLRequire %{SSL_CIPHER} = 128 I deducted this from various reports which I have seen from users on the mod_ssl list like Ray Erdmann. It seems that if you are using a Verisign Step-Up cert and do not include the line above, you will get IO Errors when connecting with MSIE. However, I don't don't have a Verisign Step-Up cert to verify this myself, so if you know this to be false, maybe you can post a known working configuration or what you recommend to your customers. -Dave -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ray Erdmann Sent: Monday, February 12, 2001 10:59 AM To: '[EMAIL PROTECTED]' Subject: RE: RE: RE: RE: SSL-induced loading errors But could you elaborate as to why you state "Verisign Requires?"We're not requiring anything on the server side 'except' the certificate request file? -Original Message- From: David Rees [mailto:[EMAIL PROTECTED]] Sent: Friday, February 09, 2001 4:00 PM To: [EMAIL PROTECTED] Cc: Ralf S. Engelschall Subject: RE: RE: RE: RE: SSL-induced loading errors Curious, according to the docs, it shouldn't allow those browsers to connect. Are you using one of the step-up certificates from Verisign? So I'm told by the guy who acquired our certificates from Verisign. How do I tell? I'm not sure, does anyone else know? Do you also have the following lines installed? SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 If you do, could you try it without "SSLRequire %{SSL_CIPHER} = 128", I'm not convinced that the SSLRequire makes a difference. 
I do have those lines installed, and it was giving me all the decryption errors, which only went away once I added the SSLRequire. OK, Looks like another item for the FAQ. Ralf, can you add something for Decryption errors when using Verisign Step Up certs? It looks like when using Verisign step-up certs, they require the line: "SSLRequire %{SSL_CIPHER} = 128" to work properly on all browsers. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: RE: RE: RE: SSL-induced loading errors
Hi there,

On Fri, 9 Feb 2001, David Rees wrote:

Curious, according to the docs, it shouldn't allow those browsers to connect. Are you using one of the step-up certificates from Verisign?

So I'm told by the guy who acquired our certificates from Verisign. How do I tell?

I'm not sure, does anyone else know?

I think it's by the presence of the "Microsoft SGC" extension in the signed server certificate. If you examine the server certificate in a modernish IE browser (or simply use "openssl asn1parse") you should be able to see whether the extension is there. I'm reasonably sure that's what causes IE browsers to switch to non-standard protocol-breaking hackery, because I never saw this happen from IE when the server cert didn't have that extension. My memory is a bit dim on this one though, but I think that's right.

Cheers,
Geoff
Re: RE: SSL-induced loading errors
[EMAIL PROTECTED] writes:

Can you post the config for your SSL virtual host without comments? -Dave

Actually, I just tried adding:

    SSLRequire %{SSL_CIPHER} = 128

And it appears to work on just about every new and old browser/platform! Hope this helps some future newbie...

Thanks anyway,
John
RE: RE: SSL-induced loading errors
[EMAIL PROTECTED] writes:

Can you post the config for your SSL virtual host without comments?

Actually, I just tried adding:

    SSLRequire %{SSL_CIPHER} = 128

And it appears to work on just about every new and old browser/platform! Hope this helps some future newbie...

Even on non-128 bit browsers?

-Dave
Re: RE: RE: SSL-induced loading errors
[EMAIL PROTECTED] writes:

Actually, I just tried adding:

    SSLRequire %{SSL_CIPHER} = 128

And it appears to work on just about every new and old browser/platform! Hope this helps some future newbie...

Even on non-128 bit browsers?

Yes - it drops back to 40-bit. Doesn't seem quite right, I know - perhaps I'm misinterpreting it. But this was a suggestion in the archives at http://www.mail-archive.com/modssl-users@modssl.org/msg10187.html

If this isn't as secure as I think, please point it out to me.

John
RE: RE: RE: SSL-induced loading errors
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of John Kestner

[EMAIL PROTECTED] writes:

Actually, I just tried adding:

    SSLRequire %{SSL_CIPHER} = 128

And it appears to work on just about every new and old browser/platform! Hope this helps some future newbie...

Even on non-128 bit browsers?

Yes - it drops back to 40-bit. Doesn't seem quite right, I know - perhaps I'm misinterpreting it. But this was a suggestion in the archives at http://www.mail-archive.com/modssl-users@modssl.org/msg10187.html

If this isn't as secure as I think, please point it out to me.

Curious, according to the docs, it shouldn't allow those browsers to connect. Are you using one of the step-up certificates from Verisign? Do you also have the following lines installed?

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

If you do, could you try it without "SSLRequire %{SSL_CIPHER} = 128", I'm not convinced that the SSLRequire makes a difference.

-Dave
Re: RE: RE: RE: SSL-induced loading errors
[EMAIL PROTECTED] writes:

Curious, according to the docs, it shouldn't allow those browsers to connect. Are you using one of the step-up certificates from Verisign?

So I'm told by the guy who acquired our certificates from Verisign. How do I tell?

Do you also have the following lines installed?

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

If you do, could you try it without "SSLRequire %{SSL_CIPHER} = 128", I'm not convinced that the SSLRequire makes a difference.

I do have those lines installed, and it was giving me all the decryption errors, which only went away once I added the SSLRequire.

John
RE: RE: RE: RE: SSL-induced loading errors
Curious, according to the docs, it shouldn't allow those browsers to connect. Are you using one of the step-up certificates from Verisign?

So I'm told by the guy who acquired our certificates from Verisign. How do I tell?

I'm not sure, does anyone else know?

Do you also have the following lines installed?

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

If you do, could you try it without "SSLRequire %{SSL_CIPHER} = 128", I'm not convinced that the SSLRequire makes a difference.

I do have those lines installed, and it was giving me all the decryption errors, which only went away once I added the SSLRequire.

OK, Looks like another item for the FAQ. Ralf, can you add something for Decryption errors when using Verisign Step Up certs? It looks like when using Verisign step-up certs, they require the line: "SSLRequire %{SSL_CIPHER} = 128" to work properly on all browsers.

-Dave
Re: [Re: [Re: PRNGD compiler options UNIXWARE]]
Hi there, Lutz:

RE Could not bind socket to /var/run/egd-pool: Invalid argument

Hmm, I can only guess, but do you have a /var/run directory into which the socket can be created?

Yes, /var/run directory was established for this purpose, 755 root,sys

If this does not help, please check out the manual page of "bind" and see what it states for EINVAL. ON HP-UX it says: [EINVAL] The socket is already bound to an address, the socket has been shut down, addrlen is a bad value, or an attempt was made to bind() an AF_UNIX socket to an NFS-mounted (remote) name.

In UNIXWARE7, the bind man entry for EINVAL reads: "namelen is not the size of a valid address for the specified address family"

I took a look at the prngd-seed and it has indeed been written over as indicated.

That's good to hear, but only the smaller part of the wanted functionality :-)

But isn't the size of the file controlled by the prngd program itself as reported by the debugging function? I understood my task was to provide a source from which to reliably build that INITIAL seed? Would it help if I sent you the bind man page as a whole???

Warmly appreciated,
George

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: [Re: [Re: PRNGD compiler options UNIXWARE]]
On Tue, Jan 09, 2001 at 11:29:54AM -0800, George Walsh wrote:

If this does not help, please check out the manual page of "bind" and see what it states for EINVAL. ON HP-UX it says: [EINVAL] The socket is already bound to an address, the socket has been shut down, addrlen is a bad value, or an attempt was made to bind() an AF_UNIX socket to an NFS-mounted (remote) name.

In UNIXWARE7, the bind man entry for EINVAL reads: "namelen is not the size of a valid address for the specified address family"

Hmm, thinking... Could you send me the following things (private email, no need to bother the list):

- the bind() manual page of UNIXWARE 7
- the header file /usr/include/sys/types.h and /usr/include/sys/socket.h (should include the needed information)
- Output of the compilation of PRNGD, especially of prngd.c, if there were any warnings..

That's good to hear, but only the smaller part of the wanted functionality :-)

But isn't the size of the file controlled by the prngd program itself as reported by the debugging function? I understood my task was to provide a source from which to reliably build that INITIAL seed?

Yes, and that is ok. But the task of PRNGD is not just to mix this entropy. The task of PRNGD is to run in the background and allow other programs to retrieve random data via the socket. So actually the PRNGD you have now does not accomplish its main task, yet!

Would it help if I sent you the bind man page as a whole???

Hopefully yes, as indicated above.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: [Re: PRNGD compiler options UNIXWARE]
Thank you, Lutz and Parad, for having pity with my plight! Yes, the addition of SYSLIBS=lsocket relieved some of the pressure at least! I pumped 102695 bytes of unique material into /tmp/prngd-seed. Running /usr/local/sbin/prngd -d /var/run/egd-pool now gives:

    Debugging enabled
    Read 102695 bytes
    Wrote 1024 bytes back to seed file
    Could not bind socket to /var/run/egd-pool: Invalid argument

I took a look at the prngd-seed and it has indeed been written over as indicated. By the way, Lutz, you have my word that a complete set of all changes I have made in Makefile, prngd.c and prngd.conf will be sent to you when this is up. It's the very least I can do! And thanks for the insight on the 'W option. This is all rather interesting, if a bit frustrating. Thanks, guys!

George Walsh, Managing Director, Travel Seewise Pacific Corp Vancouver, Canada

As Parad Warudka already pointed out, you are missing a library, probably -lsocket. I have just checked out OpenSSH, for several SCO versions the linker line looks like this:

    LIBS="$LIBS -lgen -lsocket -lprot -lx"

so -lsocket is a quite good guess :-) I only have HP-UX and Linux available, so I cannot test this myself. Actually, I am working on an "autoconf" based configuration for PRNGD, but it may take some more days before I can release it and it will probably also take some tests on platforms I don't have before it will become mature :-)

BTW -Wall is the GNU-C option for "Warnings: all", it would not help at all.

Best regards,
Lutz

PS. If you finally succeed, please send me your configuration for inclusion into future versions.
Re: [Re: PRNGD compiler options UNIXWARE]
On Mon, Jan 08, 2001 at 11:59:26AM -0800, George Walsh wrote:

    Debugging enabled
    Read 102695 bytes
    Wrote 1024 bytes back to seed file
    Could not bind socket to /var/run/egd-pool: Invalid argument

Hmm, I can only guess, but do you have a /var/run directory into which the socket can be created? If this does not help, please check out the manual page of "bind" and see what it states for EINVAL. ON HP-UX it says: [EINVAL] The socket is already bound to an address, the socket has been shut down, addrlen is a bad value, or an attempt was made to bind() an AF_UNIX socket to an NFS-mounted (remote) name.

I took a look at the prngd-seed and it has indeed been written over as indicated.

That's good to hear, but only the smaller part of the wanted functionality :-)

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Re: Re: mod_ssl on redhat 7
there is a known issue when using php '.0.3p1 with mod_perl. Upgrading to the latest version of php should resolve this problem.

Franky

On Fri, Dec 22, 2000 at 08:52:37AM -0600, [EMAIL PROTECTED] wrote:

i'm on redhat 7.0, with apache 1.3.14, mod_perl 1.24, mod_php 4.0.3pl1, mod_ssl 2.7.1, and openssl 0.9.5a. i've applied all of the most recent patches, including the glibc and gcc. it's all from rpm from the redhat updates site. i've also been toying around with recompiling everything from source, but i'm having a difficult time getting all of those modules to compile together. mod_ssl is easy to compile in, but when you start adding all of those other modules, everything falls apart in a hurry.

OK, so it doesn't appear to be an OpenSSL issue between 0.9.6/0.9.5a. Has anyone seen the problem without the mod_perl/mod_php modules?

-Dave
Re: Re-use a Thawte Certificate (for Netscape Fasttrack) on Apache
Ed Yu wrote:

Hi all, I was able to follow the procedure outlined in http://www.drh-consultancy.demon.co.uk/nskey.html to extract the private key out from the Netscape Fasttrack Server. Now I need to encrypt this key so that I can start apache with it with the Thawte certificate (requested by that same key). I was wondering if anyone knows how to do this? I know I can start the server simply with this file (without prompting for the pass phrase), but I would like to have the pass phrase for a little more security. Any ideas?

Ed Yu, IBM Certified Specialist - AIX System Administrator
Information Technology Manager, University of South Carolina, Advanced Solutions Group, Physics Dept., Columbia, SC 29208
Office (803)777-8831, FAX (803)777-8833, Email [EMAIL PROTECTED]

You can use these as a start point. It differs because you have already the key and you don't have a CA but a chained CA cert (I think it is what you speak about by telling thawte cert). You also need a conf file for openssl with matching your needs (can start from openssl.cnf). Personally I use these to generate my site certs with a home made CA cert.

--
Remi Cohen-Scali [EMAIL PROTECTED]

    #!/bin/bash
    # Generate a key and request for a site, then sign the request with the home-made CA
    echo -n "Enter site URL : "
    read -r site
    openssl req -out "ssl.csr/$site.csr" -keyout "ssl.key/$site.key" -newkey rsa:1024 -new -config RCSCA/rcsnet.cnf -extensions v3_req
    openssl x509 -in "ssl.csr/$site.csr" -out "ssl.crt/$site.crt" -days 365 -req -CA ssl.crt/CA.rcsnet.net.crt -CAkey ssl.key/CA.rcsnet.net.key -CAserial RCSCA/serial -sha1 -extensions svr_cert

Create a request and a key:

    [root@xfiles conf]# openssl req -out ssl.csr/www.rcsnet.net.csr -keyout ssl.key/www.rcsnet.net.key -newkey rsa:1024 -new

Create a CA certificate:

    [root@xfiles conf]# openssl x509 -in ssl.csr/CA.rcsnet.net.csr -out ssl.crt/CA.rcsnet.net.crt -days 365 -signkey ssl.key/CA.rcsnet.net.key -req -sha1

Sign a request with a CA cert:

    [root@xfiles conf]# openssl x509 -in ssl.csr/www.rcsnet.net.csr -out ssl.crt/www.rcsnet.net.crt -days 365 -req -CA ssl.crt/CA.rcsnet.net.crt -CAkey ssl.key/CA.rcsnet.net.key -CAserial RCSCA/serial -sha1

Display a certificate:

    [root@xfiles conf]# openssl x509 -in ssl.crt/www.rcsnet.net.crt -noout -text

See gen_site_cert.
RE: Re-use a Thawte Certificate (for Netscape Fasttrack) on Apache
Oops, my mistake of asking something I did not understand. Basically, the result of the extraction procedure is the cert.p12 (which is the dummy certificate containing the original private key). And in the final step of using pkcs12 (or using the openssl wrapper - openssl pkcs12) to extract the private key from the p12 certificate, it actually allows you to specify a password to the private key. This will actually require me to put in the password when I issue 'apachectl startssl'. Sorry to bother the group. But then again this proves the procedure actually works!

Ed Yu, IBM Certified Specialist - AIX System Administrator
Information Technology Manager, University of South Carolina, Advanced Solutions Group, Physics Dept., Columbia, SC 29208
Office (803)777-8831, FAX (803)777-8833, Email [EMAIL PROTECTED]

-Original Message-
From: Remi Cohen-Scali [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 23, 2000 1:44 PM
To: [EMAIL PROTECTED]
Subject: Re: Re-use a Thawte Certificate (for Netscape Fasttrack) on Apache

Ed Yu wrote:

Hi all, I was able to follow the procedure outlined in http://www.drh-consultancy.demon.co.uk/nskey.html to extract the private key out from the Netscape Fasttrack Server. Now I need to encrypt this key so that I can start apache with it with the Thawte certificate (requested by that same key). I was wondering if anyone knows how to do this? I know I can start the server simply with this file (without prompting for the pass phrase), but I would like to have the pass phrase for a little more security. Any ideas?

Ed Yu, IBM Certified Specialist - AIX System Administrator
Information Technology Manager, University of South Carolina, Advanced Solutions Group, Physics Dept., Columbia, SC 29208
Office (803)777-8831, FAX (803)777-8833, Email [EMAIL PROTECTED]

You can use these as a start point. It differs because you have already the key and you don't have a CA but a chained CA cert (I think it is what you speak about by telling thawte cert). You also need a conf file for openssl with matching your needs (can start from openssl.cnf). Personally I use these to generate my site certs with a home made CA cert.

--
Remi Cohen-Scali [EMAIL PROTECTED]
Re: Re-use a Thawte Certificate (for Netscape Fasttrack) on Apache
Ed Yu wrote:

Oops, my mistake of asking something I did not understand. Basically, the result of the extraction procedure is the cert.p12 (which is the dummy certificate containing the original private key). And in the final step of using pkcs12 (or using the openssl wrapper - openssl pkcs12) to extract the private key from the p12 certificate, it actually allows you to specify a password to the private key. This will actually require me to put in the password when I issue 'apachectl startssl'. Sorry to bother the group. But then again this proves the procedure actually works!

So you need something like:

    openssl pkcs12 -in yourfile.p12 -out thechain.pem

You will obtain (after entering passphrase) a pem encoded file which contains all key/certs enclosed in the p12 armor. I use it to extract/transform netscape repository exported p12.

-- Remi Cohen-Scali
re: Re: Everything Appears to be right but
That is how I set it up originally, here is my conf file:

    <VirtualHost jaffa.webest.co.za:443>
    DocumentRoot usr/CV/ssl
    SSLEngine On
    SSLCertificateFile conf/ssl/jaffa.webest.co.za.cert
    SSLCertificateKeyFile conf/ssl/jaffa.webest.co.za.key
    </VirtualHost>

jaffa __ wrote:

After trying every possible conversion on my httpd.conf file I still get this log message after start up:

    [warn] Init: (www.myserver.co.za:443) You configured HTTP(80) on the standard HTTPS(443) port!

If anyone can give me relevant advice to get this functioning 100% please.

Ralf S. Engelschall wrote:

The above warning means that you have no "SSLEngine on" in the "<VirtualHost www.myserver.co.za:443>" section. My recommendation: look carefully at the provided httpd.conf-dist, it has all SSL stuff pre-configured.

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
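The check Ralf describes in the message above (a virtual host on port 443 with no `SSLEngine on`), as an added example that is not part of the original thread or of mod_ssl: a small Python lint over `<VirtualHost>` blocks. The function names and the sample configuration are constructed for illustration; the lint does not follow `Include` files or evaluate `<IfDefine>`/`<IfModule>` conditions.

```python
import re

SECTION_OPEN = re.compile(r"^<\s*(\w+)\s*([^>]*)>$")
SECTION_CLOSE = re.compile(r"^</\s*(\w+)\s*>$")
# Containers that keep the enclosing directive context (their condition is not evaluated).
TRANSPARENT = {"ifmodule", "ifdefine"}

# Constructed sample: the first vhost mirrors the one posted in the thread,
# the second has SSLEngine commented out and would produce the mod_ssl warning.
SAMPLE_CONF = """\
Listen 80
Listen 443
<VirtualHost jaffa.webest.co.za:443>
    DocumentRoot usr/CV/ssl
    SSLEngine On
    SSLCertificateFile conf/ssl/jaffa.webest.co.za.cert
    SSLCertificateKeyFile conf/ssl/jaffa.webest.co.za.key
</VirtualHost>
<VirtualHost www.myserver.co.za:443>
    # SSLEngine on
    DocumentRoot /var/www/secure
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /var/www/plain
</VirtualHost>
"""

def parse_vhosts(text):
    """Collect each <VirtualHost> block with the directives set at vhost level."""
    vhosts, current, stack = [], None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_CLOSE.match(line):
            if current is not None:
                if stack:
                    stack.pop()              # closes a section nested in the vhost
                else:
                    vhosts.append(current)   # closes the vhost itself
                    current = None
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            name = opened.group(1).lower()
            if current is not None:
                stack.append(name)
            elif name == "virtualhost":
                current = {"line": lineno, "addrs": opened.group(2).split(),
                           "directives": {}}
                stack = []
            continue
        # SSLEngine is a server/vhost-level directive: ignore anything inside
        # <Directory>, <Location>, ... but look through <IfModule>/<IfDefine>.
        if current is not None and all(s in TRANSPARENT for s in stack):
            parts = line.split(None, 1)
            args = parts[1].strip() if len(parts) > 1 else ""
            current["directives"].setdefault(parts[0].lower(), []).append(args)
    return vhosts

def port_of(addr):
    """Port of a VirtualHost address such as host:443, *:80 or _default_:443."""
    _, sep, port = addr.rpartition(":")
    return int(port) if sep and port.isdigit() else None

def lint_ssl_vhosts(text, https_port=443):
    """Return (line, address, message) for HTTPS-port vhosts without SSLEngine on."""
    findings = []
    for vh in parse_vhosts(text):
        on_https = [a for a in vh["addrs"] if port_of(a) == https_port]
        if not on_https:
            continue
        # Directive names are case-insensitive; the last occurrence wins.
        engine = vh["directives"].get("sslengine", [""])[-1].lower()
        if engine != "on":
            findings.append((vh["line"], on_https[0],
                             "no 'SSLEngine on': plain HTTP is served on the HTTPS port"))
    return findings

if __name__ == "__main__":
    for line, addr, msg in lint_ssl_vhosts(SAMPLE_CONF):
        print(f"line {line}: <VirtualHost {addr}>: {msg}")
```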
Re: RE: Problems after installing SSL
On Tue, Aug 08, 2000 at 11:05:42AM +0800, [EMAIL PROTECTED] wrote:

The error message in log file is: [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key

Check the FAQ: http://www.modssl.org/docs/2.6/ssl_faq.html#entropy

vh Mads Toftum
-- `Darn it, who spiked my coffee with water?!' - lwall
Re: RE: Problems after installing SSL
The error message is /opt/JRun/connectors/apache/sparc-solaris/mod_jrun.so is crashed with EAPI. Before installing SSL, the apache can start with JRun. What's the problem??? Besides, when I check the apache log file, I find msg like "Failed to generate temporary 512 bit RSA private key".

Can you post the exact messages from your error log? It sounds like you have two distinct problems. The first one is related to JRun, you will have to recompile the jrun module to work with SSL.

-Dave

The error message in log file is: [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key

Thx. Chloe Chan
Re: Re-using current certificate
On Wed, May 03, 2000 at 10:39:07AM -0700, Carlos Ramirez wrote:

Hello, Can I use an existing server.crt and server.key generated by Stronghold? I am attempting to switch over to mod_ssl from an old version of Stronghold. I already created a test certificate which worked as stated in the docs. So then can I "make certificate TYPE=? /path/to/stronghold/generated/certs?"

Yep, you can

    make certificate TYPE=existing CRT=/path/to/your.crt [KEY=/path/to/your.key]

vh Mads Toftum
-- `Darn it, who spiked my coffee with water?!' - lwall
Re: RE:
[This is an automatic reply generated by Ralf S. Engelschall's BUSY daemon]

In a private mail to me you wrote:

After RewriteEngine on, if you add RewriteLogLevel 9 [...]

Your Email was successfully received. But I'm sorry to say that I'm totally busy and so currently it's not possible for me to work on your request. Please first try to solve your problems by investigating again and by utilizing dedicated support resources (Documentation, FAQs, Mailing Lists, Newsgroups, etc.). Should your problems then still remain, feel free to contact me again. Otherwise I'll assume the problem was already solved in the meantime. Thanks for your understanding.

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
Re: Re(2): ANNOUNCE: mod_ssl 2.6.0-1.3.12, Win32 broken
On Sun, Feb 27, 2000, Mäkinen Tero FCOM wrote:

Daniel S. Reichenbach (27.2.2000 15:43):

i did a quick test with Apache 1.3.12, mod_ssl 2.6.0 and both OpenSSL 0.9.4 and 0.9.5beta1 under Win98 and WinNT/SP5. And the story continues... Anyone else out there, who has Apache with mod_ssl higher than 2.4.10 up and running ???

Both 2.5.1 and 2.6.0 compile and run fine with vc++ 5.0 (OpenSSL 0.9.4 and WinNT/SP6). With vc++ 6.0 we had to insert following lines into mod_ssl.h (OS headers section). After that it compiles fine.

    #ifdef WIN32
    #include <wincrypt.h>
    #endif

These additions work also with vc++ 5.0

Ok, I've added these lines to mod_ssl.h for 2.6.1.

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
RE: Re(2): ANNOUNCE: mod_ssl 2.6.0-1.3.12, Win32 broken
    #ifdef WIN32
    #include <wincrypt.h>
    #endif

These additions work also with vc++ 5.0

Ok, I've added these lines to mod_ssl.h for 2.6.1.

Just checked it with NT5 and Win98. Works fine for both.

Daniel
__ The OpenSA Project http://www.opensa.org/ Daniel S. Reichenbach [EMAIL PROTECTED]
Re: Re:
[This is an automatic reply generated by Ralf S. Engelschall's BUSY daemon]

In a private mail to me you wrote:

What are the gcache processes doing there? They are from apache-ssl, not apache-mod_ssl Maybe you have ended up with files from both apache variants? /magnus

Steve Frampton wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi again: [...]

Your Email was successfully received. But I'm sorry to say that I'm totally busy and so currently it's not possible for me to work on your request. Please first try to solve your problems by investigating again and by utilizing dedicated support resources (Documentation, FAQs, Mailing Lists, Newsgroups, etc.). Should your problems then still remain, feel free to contact me again. Otherwise I'll assume the problem was already solved in the meantime. Thanks for your understanding.

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
Re: Re: httpd is serving nothing! (Child dies on mutex error)
Doh! I missed one directory in the permissions change. All now works. Thousands of apologies, Ralf.

Blair.

--- begin forwarded text
X-Sender: [EMAIL PROTECTED]
Date: Thu, 2 Dec 1999 16:34:00 -0700
To: [EMAIL PROTECTED]
From: Blair Lowe [EMAIL PROTECTED]
Subject: Re: httpd is serving nothing! (Child dies on mutex error)

Also, All directories are rwxr-xr-x, and all files are owned by nobody (who runs the daemon on my development server).

Thanks, Blair.

--- begin forwarded text
X-Sender: [EMAIL PROTECTED]
Date: Thu, 2 Dec 1999 15:25:04 -0700
To: [EMAIL PROTECTED]
From: Blair Lowe [EMAIL PROTECTED]
Subject: Re: httpd is serving nothing!

I get a similar problem, but I am connecting to the https port as https. I am running/compiling/testing with modssl 2.4.9-1.3.9 with r s a 2.0, mod-perl 1.21, openssl-0.9.3a on RedHat 6.1. Neither "httpsd", or httpd work. When the application is launched, the parent seems to be trying to fork children, but only defunct child processes continue to appear, and disappear. The error that fills up my log file is:

    [02/Dec/1999 15:27:58 14012] [error] Child could not open SSLMutex lockfile /var/opt/apachessl/run/ssl_mutex.13644 (System error follows)

Thanks, Blair.

Hi. I have installed openssl and modssl and compiled them with apache (1.3.9). I run the appropriate init scripts, in this case it is 'apachectl startssl'. This script starts the httpd processes just fine. However, when I try to connect with a browser, the connection times out. When I only start the regular http daemon with 'apachectl start', the same thing happens. When I stop the http daemon, I get 'a connection with the server could not be established' error on my browser (so something is running).

Seems like you're speaking HTTPS to a port where only HTTP is spoken. Check your server configuration by comparing it to the distributed conf/httpd.conf-dist file, please.

--- end forwarded text
--- end forwarded text

Computer Engineering Inc. http://www.compeng.net
Phone: 780 499 5687 (9 - 5 MST) Fax: 780 435 0693 (24 Hours)
Re: Re(lated): Forcing https with RewriteRule
On Wed, 17 Nov 1999, you wrote:

Hmmm... today I've less time (because today is my birthday ;), so I cannot

Happy birthday, Ralf ;-)

-- Hakan Tandogan [EMAIL PROTECTED]
ICONSULT Tandogan - Egerer GbR Tel.: +49-9131-9047-11
Memelstrasse 38 - D-91052 Erlangen Fax.: +49-9131-9047-77
RE: Re Use of Apache and SSl on NT
Running NT :) But check your server configuration. Make sure you are including the ssl port for your virtualhost for the https://domain

Brian Fisk
Director of Internet Operations
Lazerlink Internet Services
A Service of Lazerpro Digital Media Group
[EMAIL PROTECTED] 814-867-2100

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tewari, Vijay
Sent: Tuesday, August 24, 1999 1:56 PM
To: '[EMAIL PROTECTED]'
Subject: Re Use of Apache and SSl on NT

I have installed Apache with mod_ssl and openssl on NT. I can access the site via http://somedomain but when I try https://sokedomain it tells me that a connection with server could not be established. I am running apache with -D SSL option. What am I doing wrong.

--Vijay
Re: Re Win Nt install
On Thu, Aug 19, 1999, Tewari, Vijay wrote:

I have been trying to get SSL running with Apache on a win nt platform. After applying the patches I get a ton of errors while recompiling Apache. Any help on this will be appreciated

Err... first: WinNT is not officially supported by mod_ssl and so if you're not in the position to help yourself for the compile step, look for binary packages at http://www.opensa.de/ as the INSTALL.W32 document says. Second: how can you expect "any help" without actually saying a little bit more about the errors? Hmmm...

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com
RE: Re Win Nt install
If you still have problems on NT, feel free to ask me. I can help you out. Send a mail describing your prob to [EMAIL PROTECTED]

Daniel Reichenbach
Re: Re^2: Differences?
Hi!

As far as I understood [...] and to write a nice documentation/manual (== doing the right software engineering). [...]

You are wrong. I have nothing against the "module idea".

oki, sorry!!

[...] But for various reasons the final pieces of the puzzle never quite fell into place. Not least of these reasons is the prohibition against crypto hooks.

Yepp, the old problem...

BTW, I completely disagree that documentation equates to "doing the right software engineering". It is a symptom of having a great deal more spare time than I have, though.

("doing the right software engineering" referred not on documentation only) Of course this is a matter of opinions... I think the documentation saved time of many of users. I needed a lot of time to build and run the first servers, since at this time there wasn't good documentation. With the manual, I think it's quite easier and faster to work with. I think good documentation is really important. Thank you for putting the things right!

oki, Steffen
Re: Re: Is mod_ssl having trouble initializing???
I waited for the error.log file to say started as you suggested. And I still got the exact same result. And I know that I am not hitting the stop button :)

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 02, 1999 11:19 AM
Subject: Re: Is mod_ssl having trouble initializing???

Generally the message below from your logfile means that the client hit the 'stop' button. As for your start/stop/restart problems, I dunno. It could be that you just aren't waiting long enough for your server to startup. There is a lot mod_ssl has to do at init. Do a `tail -f logs/error.log` and wait for the server startup message to appear and then try to connect.

-Tom

"Jason Terry" [EMAIL PROTECTED] writes:

I am running Linux 2.2.9
Server Version: Apache/1.3.6 (Unix) PHP/3.0.11 mod_ssl/2.3.5 OpenSSL/0.9.3a

It seems that every so often my ssl connections fail to handshake properly, here is a log entry

    [Fri Jul 2 10:08:22 1999] [error] mod_ssl: SSL handshake failed (client 209.180.87.121, server www.cartmanager.net:443) (OpenSSL library error follows)
    [Fri Jul 2 10:08:22 1999] [error] OpenSSL: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message

If I stop and then start the server I am pretty much guaranteed to get this message on my first ssl request. Same goes for if I do a graceful restart. I am occasionally getting the same message as the server runs normally. But, ALWAYS get it immediately after a restart. Is there anything I can do (besides not restart :) to remedy this?

Thank you -Jason

-- Tom Vaughan tvaughan at aventail dot com
Re: Re(lated): Forcing https with RewriteRule
Ralf S Engelschall writes:

Ralf Hmmm... today I've less time (because today is my birthday ;), so I cannot

Happy birthday Ralf ... hope you have a great time and don't have to work on one of those electron based machine with a plastic cover on them :) at least until the weekend when you can start your work on mod_ssl :)

mehul
-- "My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition there." - Indira Gandhi stolen from Ben Laurie on the FSB list.
Re: Re[2]: Sooo many problems with Debian mod_ssl !
4-Jan-99 17:20 you wrote:

Thanks for your reply, I'll then get the sources for apache 1.3.3 ;-) But have to disagree with you about the solution you gave for the SSL_BASE variable. Here is the problem: (first, I wiped the test for the EAPI flag, otherwise, I cannot get further ;-)

- When I don't set a SSL_BASE variable, I get a 'cannot find SSL installation in /usr/local/ssl'. That is normal.
- The program that configure is trying to get is 'ssleay'. In Debian, it is located as file '/usr/bin/ssl/ssleay'.
- If I set SSL_BASE to '/usr/bin/ssl', it will not find it, as the line you use to test the presence of the ssleay file is: 'if [ -f "$SSL_BASE/bin/ssleay" ]; then ...' ($SSL_BASE/apps/ssleay is tried too)

As you can see, I cannot map /usr/bin/ssl into $SSL_BASE to match the test ! There are two possible modifications to make it work:

1) Create a link in the /usr/bin/ssl directory named 'bin' that is a link to the directory where it is (/usr/bin/ssl/bin will point to /usr/bin/ssl ;-)
2) Modify all the references in libssl.module to allow such mapping (that makes 3 lines modified).

I think the easiest is the first solution. It would be cool to write to the debian maintainer of the ssleay package to add such link in his package.

BUT: There's the same problem with the include files from ssleay-dev. They are located in a complete different location from the binary part of ssleay ( they are in /usr/include/ssl). The problem is that the same variable is used (BASE_SSL) to point for binary and include files ;-( So if I put '/usr/bin/ssl' in BASE_SSL, it will look in /usr/bin/ssl/include for the include files ;-( I've no solution for this, except modifying the libssl.module file.

"Then you have to use SSL_BASE=SYSTEM as it's documented in the INSTALL file." Something not clear ?

With SSL_BASE=SYSTEM ssleay command will be searched via PATH variable, /usr/include, /usr/include/ssl, /usr/local/include and /usr/local/include/ssl will be scanned for ssl.h and /lib, /usr/lib and /usr/local/lib will be scanned for libssl.a or libssl.so ...

__
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Re: [BugDB] PRIVATE: 403 (PR#51)
I will be on vacation from 19/11/98 to 08/12/98. For any problem, please contact [EMAIL PROTECTED]

I am on vacation from November 19th to December 08th. If your message needs immediate attention, please send it to [EMAIL PROTECTED]

Luiz Cunha
Re: Re[2]: licencing
On Fri, 30 Oct 1998, Whit Blauvelt wrote:

Will this product use it in a way that it can be incorporated into a custom-compiled Apache? The best product for many uses would put the minimum wrapping around RSA's stuff needed to have them consider it a valid license, and preserve the user's access to the maximal amount of code in the freeware tradition - and most importantly, it should allow the immediate upgrade of Apache as soon as a new version is released (which would probably require immediately-available compiled modules over the Net for registered customers?). If Mark's product is something less than that, I hope someone else is pursuing this business plan.

Unfortunately, the source isn't included at this time. I'm going to re-read the license closer as its not that clear on what can be distributed and what can't. If it turns out I can distribute it, there will be an announcement to registered users. There will be upgrades made available as soon as new versions of mod_ssl and apache are available. They will be downloadable from my web site. It will be available for RedHat at first (and come with the full version of RedHat), but it will be ported to other UNIXes soon.

Mark
Re: Re(2): Compiling w/RSA
On Fri, Sep 25, 1998, Ron Thompson wrote:

$ perl ./Configure gcc -DRSAref -lRSAglue -L`pwd`/../rsaref-2.0/local/ -lrsaref(if you

Are you really sure you performed this step: $ mv rsaref.a librsaref.a ??

Yes... absolutely... 8-) Over and over...

Then the stuff doesn't stay under exactly `pwd`/../rsaref-2.0/local/ Go to the SSLeay directory and try

    $ ls -l `pwd`/../rsaref-2.0/local/librsaref.a

When it complains the path is different, when it works I've currently no clue what's going wrong for you...

Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com