RE: Specifying the openssl version used with mod_ssl
Hello all,

Sorry for the delay. We found a workaround and quit looking into the below issue. Thanks to Peter for the static library suggestion and Lee for the same and for getting me back on the topic. We were able to get everything working how it should. A note: we are compiling modssl into apache. We are not using it as a shared object. Here are the key config options for openssl and apache:

Openssl:
./configure --prefix=/usr/local/ssl --shared

Apache:
./configure --with-included-apr --enable-ssl --with-ssl=/usr/local/ssl

It is probably a good idea to run a sudo make clean for each installation. At least it was for us since we re-installed about 50 times.

Thanks again,
Gunner Geller

-Original Message-
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org] On Behalf Of Gregg L. Smith
Sent: Monday, September 13, 2010 12:48 PM
To: modssl-users@modssl.org
Subject: Re: Specifying the openssl version used with mod_ssl

Hello Gunner,

Have you tried --enable-ssl --with-ssl=/path/to/just/compiled/openssl ?

Regards,
Gregg

Gunner Geller wrote:
> Hello,
>
> We are using mac Leopard OS. We have rolled our own Apache(2.2.16) separate from the default install. We have also rolled our own OpenSSL to the latest version. However when we compile Apache and enable mod_ssl it still uses the old OpenSSL version. We can see it in our http headers:
>
> Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l
>
> When typing "openssl version" from my account and the root account I get:
>
> OpenSSL 1.0.0a 1 Jun 2010
>
> I've seen this in some apache configs:
>
> --enable-ssl --with-ssl=/usr/local/ssl
>
> I've tried the above with no success. According to the output I get when configuring/making/installing apache it is finding openssl at the above directory. The problem is though that the http header stays the same.
>
> The problem is we can't upgrade the default openssl version on the OS without apple providing the update. The outdated version is tripping our security scans. Like I said we rolled our own updated version but cannot get apache/mod_ssl to use it. Any help is appreciated.
>
> Thanks,
>
> Gunner Geller

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majord...@modssl.org
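The symptom in this thread (the Server banner advertising one OpenSSL release while the command-line tool reports another) can be checked mechanically. The script below is an added example, not part of any message in the thread; the function names are made up for illustration, and the two sample strings are the ones quoted above.

```shell
#!/bin/sh
# Compare the OpenSSL version a running Apache advertises in its Server
# banner with the version the command-line `openssl` reports.
# Added illustration; function names are hypothetical.

# Print the OpenSSL version token from a Server banner, or nothing.
banner_openssl_version() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's|^OpenSSL/||p' | head -n 1
}

# Print the version field from `openssl version` output.
cli_openssl_version() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }'
}

# Turn a letter-suffixed OpenSSL version such as 0.9.7l into a fixed-width
# key (000.009.007l) so plain byte-order sorting ranks releases correctly.
version_key() {
    printf '%s\n' "$1" | awk '{
        nums = $0;   sub(/[a-z]+$/, "", nums)
        letter = $0; sub(/^[0-9.]+/, "", letter)
        split(nums, p, ".")
        printf "%03d.%03d.%03d%s\n", p[1], p[2], p[3], letter
    }'
}

# Succeeds when version $1 sorts strictly before version $2.
version_older() {
    a=$(version_key "$1")
    b=$(version_key "$2")
    [ "$a" != "$b" ] &&
        [ "$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | head -n 1)" = "$a" ]
}

# Report whether the server advertises the OpenSSL build the shell sees.
check_server_openssl() {
    served=$(banner_openssl_version "$1")
    local_cli=$(cli_openssl_version "$2")
    if [ -z "$served" ]; then
        # A banner trimmed by ServerTokens carries no module tokens at all.
        echo "unknown: banner carries no OpenSSL token"
    elif [ "$served" = "$local_cli" ]; then
        echo "match: $served"
    elif version_older "$served" "$local_cli"; then
        echo "stale: server=$served cli=$local_cli"
    else
        echo "differs: server=$served cli=$local_cli"
    fi
}

# Sample inputs copied from the messages in this thread.
BANNER='Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l'
CLI_OUT='OpenSSL 1.0.0a 1 Jun 2010'
check_server_openssl "$BANNER" "$CLI_OUT"
```

On a live host the two arguments would be the Server header taken from `curl -sI` against the site and the output of `openssl version`.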
Re: Specifying the openssl version used with mod_ssl
Hello Gunner,

Have you tried --enable-ssl --with-ssl=/path/to/just/compiled/openssl ?

Regards,
Gregg

Gunner Geller wrote:
> Hello,
>
> We are using mac Leopard OS. We have rolled our own Apache(2.2.16) separate from the default install. We have also rolled our own OpenSSL to the latest version. However when we compile Apache and enable mod_ssl it still uses the old OpenSSL version. We can see it in our http headers:
>
> Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l
>
> When typing "openssl version" from my account and the root account I get:
>
> OpenSSL 1.0.0a 1 Jun 2010
>
> I've seen this in some apache configs:
>
> --enable-ssl --with-ssl=/usr/local/ssl
>
> I've tried the above with no success. According to the output I get when configuring/making/installing apache it is finding openssl at the above directory. The problem is though that the http header stays the same.
>
> The problem is we can't upgrade the default openssl version on the OS without apple providing the update. The outdated version is tripping our security scans. Like I said we rolled our own updated version but cannot get apache/mod_ssl to use it. Any help is appreciated.
>
> Thanks,
>
> Gunner Geller
Specifying the openssl version used with mod_ssl
Hello,

We are using mac Leopard OS. We have rolled our own Apache(2.2.16) separate from the default install. We have also rolled our own OpenSSL to the latest version. However when we compile Apache and enable mod_ssl it still uses the old OpenSSL version. We can see it in our http headers:

Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l

When typing "openssl version" from my account and the root account I get:

OpenSSL 1.0.0a 1 Jun 2010

I've seen this in some apache configs:

--enable-ssl --with-ssl=/usr/local/ssl

I've tried the above with no success. According to the output I get when configuring/making/installing apache it is finding openssl at the above directory. The problem is though that the http header stays the same.

The problem is we can't upgrade the default openssl version on the OS without apple providing the update. The outdated version is tripping our security scans. Like I said we rolled our own updated version but cannot get apache/mod_ssl to use it. Any help is appreciated.

Thanks,
Gunner Geller
mod_ssl and ephemeral keying
Hello,

regarding http://httpd.apache.org/docs/2.2/mod/mod_ssl.html there seem to be different ways to enable ephemeral keying by using SSLCipherSuite in the mod_ssl config.

If I specify kEDH for the kex algorithm, does it mean that the key exchange is not integrity protected by using RSA/DSA (b/c the description states "no cert.")?

So, if I want ephemeral keying with integrity protection, do I have to use:

a.) SSLCipherSuite kDHr:kDHd:...

or

b.) SSLCipherSuite kEDH:EDH

or something else?

Thanks for your help.
Thomas
mod_ssl errors
Hi All,

I switched my LogLevel to info and noticed this error in the logs:

[client ::1] (70007)The timeout specified has expired: SSL input filter read failed.

Furthermore, when I do a graceful restart, I get this error:

[client ::1] SSL library error 1 in handshake (server localhost:443)
SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
[client ::1] Connection closed to child 9 with abortive shutdown (server localhost:443)

I am using mod_ssl/2.2.11 compiled against Server: Apache/2.2.11, Library: OpenSSL/0.9.8h on OS X but I have also seen the problem on Linux as well.

The setup I have is dead simple - I am setting up a virtual host on port 80 and on port 443, both serving static files from apache/htdocs.

Does anybody have any ideas what could be causing these ssl errors?

Thanks,
Andres
Using multiple certs with mod_ssl behind load balancer
I've been asked to implement a somewhat strange setup. We are going to handle ssl decryption on the load balancer then forward the connections to either an IIS or Apache server. I'm tasked with configuring the Apache servers. I need to be able to use multiple certs but I'm not sure how. I've made test runs using SSLCertificateChainFile and SSLCACertificatePath but I couldn't get either to work. What are the correct steps I need to follow?

Joe Holt | Product Development, Intuit Small Business Web | 650-549-3454
mod_ssl Environment Variable?
Hello,

I would like to do the following (Apache 2.2 config):

AuthUserFile /dev/null
#SSLOptions +ExportCertData +FakeBasicAuth
SSLOptions +FakeBasicAuth
#SSLRequire (%{SSL_CLIENT_S_DN_O} in {"ClientO1", "ClientO2"})
AuthLDAPURL "ldap://192.168.1.3:389/dc=testnet,dc=de?uid"
AuthType Basic
AuthName "Internal Server Content"
#AuthBasicAuthoritative Off
AuthBasicProvider ldap
Require ldap-user %{SSL_CLIENT_S_DN_OU}

I want to use Client certificates, after Connect, one of the Fields in the Certificate I will check (existence) in an ldap Server. But in the apache Variable %{SSL_CLIENT_S_DN_OU} are not basically the OU String (testorg), there is a very long String, like this:

uid=/c=de/st=niedersachsen/o=ClientO1/ou=testorg/cn=maschinen/ [EMAIL PROTECTED]

With this string now apache asks the ldap Server, that seems all correctly, but in the uid Field in my ldap is the Entry named "testorg".

Is this an Error, that the Variable %{SSL_CLIENT_S_DN_OU} contains ALL Client Cert Data and not the one requested (OU)? Or is it like a perl hash and my syntax is simply wrong?

Wilhelm
Fips compliant mod_ssl module availability
I need to implement a FIPS 140 compliant version of mod_ssl. Is there a patch file or a distribution of mod_ssl currently available for download which can be used in conjunction with the fips compliant libopenssl?

I found a link to a patch file for modssl in a message sent earlier in 2008 but the link doesn't work. The link was found in this thread:

http://www.mail-archive.com/[EMAIL PROTECTED]/msg52290.html

The actual link posted was

http://mail-archives.apache.org/mod_mbox/httpd-bugs/200711.mbox/[EMAIL PROTECTED]/bugzilla/%3e

Has this patch been obsoleted?

I also found an entire distribution tree for a FIPS compliant httpd server at http://svn.apache.org/repos/asf/httpd/sandbox/gaithersburg. What is the status of this code? Is this code available somewhere for download to be used to provide a FIPS compliant mod_ssl module?

Thank you,
Sean Coleman
RE: Need to add/enable/install mod_ssl
another information: what I see in libexec/ is just "mod_jk.sl", and under modules/, just the file httpd.exp.

Ingrid

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Tan, Liao [CMB-IT]
Sent: Wednesday, June 18, 2008 5:34 PM
To: modssl-users@modssl.org
Subject: RE: Need to add/enable/install mod_ssl

Dave and All:

Ok, now I know I can try the directives in my apache. Although by the directives SSLRandomSeed it's indicating I have the mod_ssl installed, I checked and the files mod_ssl.so and mod_ssl.c are not in the paths indicated, not in libexec/, nor in module/. How do I get those files?

Thank you.
Ingrid

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of David P. Mott
Sent: Wednesday, June 18, 2008 5:22 PM
To: modssl-users@modssl.org
Subject: RE: Need to add/enable/install mod_ssl

I pulled that exact line from my win32 version of Apache 2.2.4.

Server Version: Apache/2.2.4 (Win32) mod_ssl/2.2.4 OpenSSL/0.9.8d mod_perl/2.0.3 Perl/v5.8.8
Server Built: Jan 9 2007 23:17:20

-Dave

On Wed, 18 Jun 2008, Tan, Liao wrote:
> David,
>
> that was what I thought earlier. But since I'm told this directive is for Apache 1.x, and not Apache 2.0 (which is mine), I wonder how differ the directive to include to httpd.conf. What I mean is that I think I hv the mod_ssl installed, but not enabled yet, and to enable, if it's simply adding the directive's in httpd file, and the exact syntax for version 2.0.
>
> Still searching for the solution.
>
> Thanks
>
> Ingrid
RE: Need to add/enable/install mod_ssl
Dave and All:

Ok, now I know I can try the directives in my apache. Although by the directives SSLRandomSeed it's indicating I have the mod_ssl installed, I checked and the files mod_ssl.so and mod_ssl.c are not in the paths indicated, not in libexec/, nor in module/. How do I get those files?

Thank you.
Ingrid

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of David P. Mott
Sent: Wednesday, June 18, 2008 5:22 PM
To: modssl-users@modssl.org
Subject: RE: Need to add/enable/install mod_ssl

I pulled that exact line from my win32 version of Apache 2.2.4.

Server Version: Apache/2.2.4 (Win32) mod_ssl/2.2.4 OpenSSL/0.9.8d mod_perl/2.0.3 Perl/v5.8.8
Server Built: Jan 9 2007 23:17:20

-Dave

On Wed, 18 Jun 2008, Tan, Liao wrote:
> David,
>
> that was what I thought earlier. But since I'm told this directive is for Apache 1.x, and not Apache 2.0 (which is mine), I wonder how differ the directive to include to httpd.conf. What I mean is that I think I hv the mod_ssl installed, but not enabled yet, and to enable, if it's simply adding the directive's in httpd file, and the exact syntax for version 2.0.
>
> Still searching for the solution.
>
> Thanks
>
> Ingrid
RE: Need to add/enable/install mod_ssl
David,

that was what I thought earlier. But since I'm told this directive is for Apache 1.x, and not Apache 2.0 (which is mine), I wonder how differ the directive to include to httpd.conf. What I mean is that I think I hv the mod_ssl installed, but not enabled yet, and to enable, if it's simply adding the directive's in httpd file, and the exact syntax for version 2.0.

Still searching for the solution.

Thanks
Ingrid

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of David P. Mott
Sent: Wednesday, June 18, 2008 5:04 PM
To: modssl-users@modssl.org
Subject: RE: Need to add/enable/install mod_ssl

That doesn't sound right. Don't you need a statement like this in your httpd.conf file?

LoadModule ssl_module modules/mod_ssl.so

The statements that you mentioned will do stuff /only/ if the ssl module is loaded (that's what IfModule means -- If the Module is Present).

-Dave

On Wed, 18 Jun 2008, Tan, Liao wrote:
> All,
>
> I'm told that having the directives in httpd.conf
>
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
>
> means that my apache is configured with mod_ssl (thanks to the guy that told me so!)
>
> Now the question risen up is how do I do to have my https working? As I mentioned below, already have all certificates and their directives configured.
>
> Thanks for your attention.
>
> Ingrid
RE: Need to add/enable/install mod_ssl
All,

I'm told that having the directives in httpd.conf

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

means that my apache is configured with mod_ssl (thanks to the guy that told me so!)

Now the question risen up is how do I do to have my https working? As I mentioned below, already have all certificates and their directives configured.

Thanks for your attention.
Ingrid

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Tan, Liao [CMB-IT]
Sent: Wednesday, June 18, 2008 12:30 PM
To: modssl-users@modssl.org
Subject: Need to add/enable/install mod_ssl

Hi, experts:

>> Here are the environment configuration:
>> Web server: Apache/2.0.46 (Unix) mod_jk/1.2.4
>> Server: -HP-UX
>> Tomcat: 4.0

I have a apache already installed (by other team, which doesn't know if there's the module mod_ssl). The final purpose is to secure my current http to https. Already have all certificates, with the directives in the conf files, and still the https url doesn't work yet. I searched over all logs I could find, and didn't found any string "mod_ssl" :(. So I guess I need to do something to enable, install it.

Saw in a link that I need to download the source in modssl.org, and other installation procedures as well. But the in my case is that I already have Apache installed, and need only to add/enable/install the mod_ssl module.

Ok, now another question to be pointed out:

"Make sure any module for your Apache server is compiled with the compiler-flag -DEAPI, or your Webserver might crash or can not be started. Almost all modules I know adds the -DEAPI flag by themself except mod_jserv and mod_jk"

But my apache installed is mod_jk (my configuration >> Apache/2.0.46 (Unix) mod_jk/1.2.4). Should I suppose from this that in my case I don't have the DEAPI??? Not sure on what to do now. How will I check if it has DEAPI?

I keep doing searches over the net, but in case any of you has some hint and speed up a little bit on my side, it'll be helpful. I'm kind of disorientated with all this thing of https. This's the 1st time I get into it. So, ask for your detailed support.

Thank you!
Ingrid
Need to add/enable/install mod_ssl
Hi, experts:

>> Here are the environment configuration:
>> Web server: Apache/2.0.46 (Unix) mod_jk/1.2.4
>> Server: -HP-UX
>> Tomcat: 4.0

I have a apache already installed (by other team, which doesn't know if there's the module mod_ssl). The final purpose is to secure my current http to https. Already have all certificates, with the directives in the conf files, and still the https url doesn't work yet. I searched over all logs I could find, and didn't found any string "mod_ssl" :(. So I guess I need to do something to enable, install it.

Saw in a link that I need to download the source in modssl.org, and other installation procedures as well. But the in my case is that I already have Apache installed, and need only to add/enable/install the mod_ssl module.

Ok, now another question to be pointed out:

"Make sure any module for your Apache server is compiled with the compiler-flag -DEAPI, or your Webserver might crash or can not be started. Almost all modules I know adds the -DEAPI flag by themself except mod_jserv and mod_jk"

But my apache installed is mod_jk (my configuration >> Apache/2.0.46 (Unix) mod_jk/1.2.4). Should I suppose from this that in my case I don't have the DEAPI??? Not sure on what to do now. How will I check if it has DEAPI?

I keep doing searches over the net, but in case any of you has some hint and speed up a little bit on my side, it'll be helpful. I'm kind of disorientated with all this thing of https. This's the 1st time I get into it. So, ask for your detailed support.

Thank you!
Ingrid
Question about mod_ssl & mod_jk
All,

My apache installed has only the mod_jk.sl in the "libexec/" directory. I want to know what I need to do in order to configure my current http to https? I know this is a very general question, but to start, I guess I need to include the directives in httpd.conf:

1) LoadModule ssl_module libexec/mod_ssl.so
2) AddModule mod_ssl.c

Already have all certificates configured in the paths. But still unsure on if simply adding those 2 directives will be enough, and will put the file (mod_ssl.so) there in the path, or if I have to get this file from somewhere (if so, how?)

Here are the environment configuration:
Web server: Apache/2.0.46 (Unix) mod_jk/1.2.4
Server: -HP-UX lath09 B.11.11 U 9000/800 690359356 unlimited-user license
Tomcat: 4.0

Ask for your kind and prompt support.

Thank you.

Ingrid Liao
Citi Markets & Banking | CMB Technology
Brazil Technology Solutions Center | Business Intelligence, Database & Support Services
Tel. +55-11-3741-6274
Fax. +55-11-3741-6285
Email: [EMAIL PROTECTED]
Can MOD_SSL be configured to only use ONLY FIPS 140-2 compliant openssl ???
Hello,

Can MOD_SSL be configured to only use the FIPS 140-2 compliant openssl ???

Ed
Re: mod_ssl 2.2.3
modssl is built into the 2.x.x apache versions. your consultant must be asking you to upgrade full apache version. the 1.3.x apache tree still has a separate modssl base to add and build off of. This should not be a concern for you since you are running the newer apache tree.

Thanks,
Ron DuFresne

On Tue, 1 Apr 2008, Sir June wrote:
> I have a Solaris box with Apache 2.2.3 and mod_ssl 2.2.3. Our security consultant ran a vulnerability software and the report recommended to upgrade to mod_ssl 2.8.24 or higher. Is this possible ? as i only see releases for Apache 1.3.x What are your recommendations?
>
> thanks,
> Sir june

--
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins
mod_ssl 2.2.3
I have a Solaris box with Apache 2.2.3 and mod_ssl 2.2.3. Our security consultant ran a vulnerability software and the report recommended to upgrade to mod_ssl 2.8.24 or higher. Is this possible ? as i only see releases for Apache 1.3.x What are your recommendations?

thanks,
Sir june
Query about mod_ssl bundled with apache 2.2.8 sources
I have downloaded the sources of latest apache 2.2.8 that includes mod_ssl as well. My concern is about the two vulnerabilities (http://www.securityfocus.com/bid/10736/info, http://www.securityfocus.com/bid/4189/info).

I do not have any information whether or not these two vulnerabilities still exist or have been fixed in the mod_ssl provided with apache sources 2.2.8. After googling I could find out that these are solved in mod_ssl 2.8.19. When I go to modssl.org to download the latest version there is no download for mod_ssl latest for apache 2.x versions?

Both of these look very old and looks like they might have been fixed. But I did not find it anywhere written.
Query about mod_ssl bundled with apache 2.2.8 sources
I have downloaded the sources of latest apache 2.2.8 that includes mod_ssl as well. My concern is about the two vulnerabilities (http://www.securityfocus.com/bid/10736/info, http://www.securityfocus.com/bid/4189/info).

I do not have any information whether or not these two vulnerabilities still exist or have been fixed in the mod_ssl provided with apache sources 2.2.8. After googling I could find out that these are solved in mod_ssl 2.8.19. When I go to modssl.org to download the latest version there is no download for mod_ssl latest for apache 2.x versions?

Both of these look very old and looks like they might have been fixed. But I did not find it anywhere written.
Re: mod_ssl-2.8.30-1.3.39 w/ mm-1.4.2 on mac os 10.4 issues
I've found a solution to this problem. You have to use the version of OpenSSL installed on your machine. In my case, it's 0.9.7l (the latest version Apple is supporting). When I tried configuring mod_ssl with SSL_BASE=SYSTEM, it failed saying it couldn't find the OpenSSL libraries. So I grabbed the latest version of OpenSSL (0.9.8g) and compiled against that.

After a lot of digging, I came across this old post (2002) by David Wheeler:

http://www.mail-archive.com/modssl-users@modssl.org/msg15623.html

This fixed my problem after manually applying the patch. Is there any reason this wasn't applied to mod_ssl 5 years ago or addressed at all?

Thanks!
Bob

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
12/19/2007 09:45 AM
Please respond to modssl-users@modssl.org
To: modssl-users@modssl.org
cc:
Subject: mod_ssl-2.8.30-1.3.39 w/ mm-1.4.2 on mac os 10.4 issues

Hi,

I am trying to run Apache 1.3.39 with mod_ssl 2.8.30, openssl 0.9.8g and mm 1.4.2. I am able to successfully compile it, but when I start Apache in SSL mode, it exits immediately. Looking in the error log, I see the following message:

dyld: lazy symbol binding failed: Symbol not found: _SSL_CTX_sess_set_new_cb
Referenced from: /usr/local/apache-1.3.39/libexec/libssl.so
Expected in: flat namespace

Can anyone help me in resolving why this is happening?

Thanks,
Bob
SOLVED: Apache 2.2.6 mod_ssl won't serve subdirectories
Problem found and fixed - after getting some sleep I checked for about the 5th time and found the problem - the directory "budget" had permission 644 instead of 755. Stupid me :-(

--- Orville Weyrich - KD7HJV <[EMAIL PROTECTED]> wrote:
> In a nutshell, I have the following file structure:
>
> /var/ssl/www/index.html
> /var/ssl/www/budget/index.html
>
> Everything in both paths is owned by root and either 755 or 644 as appropriate for directories and files.
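The cause reported in this message, a directory left at 644 so the server cannot traverse it, can be located by walking the path one component at a time. The script below is an added example and not part of the thread; the function names and the temporary demo tree are constructed for illustration, and it assumes the server user is neither owner nor group member, so only the "other" permission bits apply (as with root-owned content served as user www).

```shell
#!/bin/sh
# Walk from a document root down to a file and report the first path
# component the web server's user could not pass through or read.
# Added illustration; names are hypothetical.

# Print "ok", or a description of the first blocking component between
# document root $1 and the relative path $2.
first_blocked() {
    cur=$1
    rest=$2
    while :; do
        if [ ! -e "$cur" ]; then
            echo "missing: $cur"
            return 0
        fi
        # Characters 8-10 of the ls mode string are the "other" bits.
        other=$(ls -ld "$cur" | awk '{ print $1 }' | cut -c8-10)
        if [ -d "$cur" ]; then
            case $other in
                ??x|??t) ;;   # search bit present, traversal allowed
                *) echo "blocked: $cur is a directory with other=$other (no search bit)"
                   return 0 ;;
            esac
        else
            case $other in
                r??) ;;       # file is world-readable
                *) echo "blocked: $cur is a file with other=$other (not readable)"
                   return 0 ;;
            esac
        fi
        [ -z "$rest" ] && break
        # Descend one component and drop it from the remaining path.
        cur=$cur/${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
    done
    echo "ok"
}

# Build a constructed tree mirroring the layout described in the thread.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/www/budget"
    echo ok > "$root/www/index.html"
    echo ok > "$root/www/budget/index.html"
    chmod 755 "$root" "$root/www"
    chmod 644 "$root/www/index.html" "$root/www/budget/index.html"
    chmod 644 "$root/www/budget"    # the mistake found in the thread
    echo "$root"
}

DEMO=$(make_demo_tree)
first_blocked "$DEMO/www" budget/index.html   # reports the budget directory
chmod 755 "$DEMO/www/budget"                  # the fix from the thread
first_blocked "$DEMO/www" budget/index.html   # now prints ok
rm -rf "$DEMO"
```

The walk starts at the document root, so a directory above it that lacks the search bit would need the same check applied from a higher starting point.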
Apache 2.2.6 mod_ssl won't serve subdirectories
This is my first experience with SSL. I have done the Google thing and searched Apache FAQ etc but found nothing regarding my problem.

In a nutshell, I have the following file structure:

/var/ssl/www/index.html
/var/ssl/www/budget/index.html

Everything in both paths is owned by root and either 755 or 644 as appropriate for directories and files.

I have the server working for /var/ssl/www/index.html but I get a "HTTP Error 403 - Forbidden" error trying to view /var/ssl/www/budget/index.html

The logs are uninformative as to WHY access to /var/ssl/www/budget/index.html is being forbidden. My impression was that subdirectories should inherit the access rights of their parent if I do nothing to override that behavior.

I have an http server configured similarly running in the same instance of Apache 2.2.6 (on port 2080 so as to not conflict with my production web site running on port 80). It works as expected, including access to subdirectories.

The URLs are https://daniel.ameriroots.com and http://daniel.ameriroots.com:2080

I have reduced the httpd.conf file to the following essentials (this is what is presently running on the above URLs):

#
# Main Server Configuration
#
ServerRoot /usr/daniel/apache2
ServerName danniel.ameriroots.com
ServerAdmin [EMAIL PROTECTED]
Listen 64.249.12.251:2080
Listen 64.249.12.251:443
User www
Group www

Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all

DirectoryIndex index.html

Order allow,deny
Deny from all
Satisfy All

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
ErrorLog /var/log/apache_error_log2
LogLevel info
CustomLog /var/log/apache_access_log2 combined

#
# HTTP SERVER ON PORT 2080
#
ErrorLog /var/log/http_error_log2
LogLevel info
CustomLog /var/log/http_access_log2 combined
DocumentRoot /var/www
Allow from all

#
# HTTPS SERVER ON PORT 443
#
SSLCertificateFile /var/ssl/conf/daniel.crt
SSLCertificateKeyFile /var/ssl/conf/daniel.key
SSLEngine On
CustomLog /var/log/https_access_log2 combined
ErrorLog /var/log/https_error_log2
LogLevel info
BrowserMatch ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
DocumentRoot /var/ssl/www
Allow from all

The log files are unenlightening, even at debug level where I get lots of detail on SSL calculations, but a simple access denied message on the file itself.

What am I missing here?
mod_ssl-2.8.30-1.3.39 w/ mm-1.4.2 on mac os 10.4 issues
Hi,

I am trying to run Apache 1.3.39 with mod_ssl 2.8.30, openssl 0.9.8g and mm 1.4.2. I am able to successfully compile it, but when I start Apache in SSL mode, it exits immediately. Looking in the error log, I see the following message:

dyld: lazy symbol binding failed: Symbol not found: _SSL_CTX_sess_set_new_cb
Referenced from: /usr/local/apache-1.3.39/libexec/libssl.so
Expected in: flat namespace

Can anyone help me in resolving why this is happening?

Thanks,
Bob
Re: mod_ssl not for apache 2.2.4 (unix)?
Richard & Joe,

Thanks so much! Joe, thanks for the command. :o) I'll see if I can manage it from here. I appreciate you answering such a basic question for me. Really. Thanks. :o)

Cheers!
Chris

On Dec 14, 2007 2:27 PM, Joe Orton <[EMAIL PROTECTED]> wrote:
> On Fri, Dec 14, 2007 at 02:10:17PM -0600, Chris Jordan wrote:
> > Hi folks,
> >
> > I'm a complete newbie to compiling apache, and I'm trying to install my first SSL certificate. All instructions I can find so far all assume that I have mod_ssl installed already.
> >
> > I'm willing to install it, but all of the references I can find to the latest and greatest version of mod_ssl say that it's for apache 1.3.39, but I'm running apache 2.2.4 on a Fedora Core 6 (2.6.20-1.292.fc6)
>
> mod_ssl is part of httpd 2.x, and is included with Fedora. Run
>
> yum install mod_ssl
>
> joe

--
http://cjordan.us
Re: mod_ssl not for apache 2.2.4 (unix)?
On Fri, Dec 14, 2007 at 02:10:17PM -0600, Chris Jordan wrote:
> Hi folks,
>
> I'm a complete newbie to compiling apache, and I'm trying to install my first SSL certificate. All instructions I can find so far all assume that I have mod_ssl installed already.
>
> I'm willing to install it, but all of the references I can find to the latest and greatest version of mod_ssl say that it's for apache 1.3.39, but I'm running apache 2.2.4 on a Fedora Core 6 (2.6.20-1.292.fc6)

mod_ssl is part of httpd 2.x, and is included with Fedora. Run

yum install mod_ssl

joe
RE: mod_ssl not for apache 2.2.4 (unix)?
As of Apache 2.x mod_ssl is included in the distribution. All you should have to do is enable the module in the configuration file.

Rich
mod_ssl not for apache 2.2.4 (unix)?
Hi folks,

I'm a complete newbie to compiling apache, and I'm trying to install my first SSL certificate. All instructions I can find so far all assume that I have mod_ssl installed already.

I'm willing to install it, but all of the references I can find to the latest and greatest version of mod_ssl say that it's for apache 1.3.39, but I'm running apache 2.2.4 on a Fedora Core 6 (2.6.20-1.292.fc6)

I don't want to proceed with recompiling the web server unless I know that I'm doing the right thing. Can anyone either a) just help me... or b) point me to a good article or set of articles on how to do this?

I should mention that we host many, many virtual domains off this one server.

Thanks heaps,
Chris

--
http://cjordan.us
Compiling Apache with mod_ssl on Mac OS 10.5
Hello.

I'm having trouble compiling Apache with mod_ssl, on a MacBook Pro running Mac OS 10.5.1. I'm trying to build the following programs (rather than using the ones that come with the OS):

openssl-0.9.8g
mm-1.4.1
mod_ssl-2.8.30-1.3.39
apache_1.3.39

Everything works until I try to make Apache. I get the message "ld: warning in ./libhttpd.so, file is not of required architecture", and then it exits due to some undefined symbols. If I look at "file src/libhttpd.so", it gives me "Mach-O bundle i386", which looks correct. Anyone know why this would happen? More details are below.

If I don't pass --enable-module=ssl --enable-rule=SHARED_CORE when configuring Apache, I don't get this error, so I assume it's somewhat related to mod_ssl.

Jacob

The end of the "make" output looks like this:

<=== src/modules
gcc -c -I./../../mm-1.4.1 -I./os/unix -I./include -DDARWIN -DMOD_SSL=208130 -DUSE_HSREGEX -DEAPI -DEAPI_MM -DSHARED_CORE `./apaci` modules.c
gcc -c -I./../../mm-1.4.1 -I./os/unix -I./include -DDARWIN -DMOD_SSL=208130 -DUSE_HSREGEX -DEAPI -DEAPI_MM -DSHARED_CORE `./apaci` buildmark.c
cc -bundle -undefined suppress -flat_namespace -o libhttpd.so buildmark.o modules.o modules/ssl/libssl.a modules/standard/libstandard.a main/libmain.a ./os/unix/libos.a ap/libap.a regex/libregex.a
gcc -I./../../mm-1.4.1 -I./os/unix -I./include -DDARWIN -DMOD_SSL=208130 -DUSE_HSREGEX -DEAPI -DEAPI_MM -DSHARED_CORE `./apaci` -L$BUILD_DIR/openssl-0.9.8g -L./../../mm-1.4.1/.libs \
    -o libhttpd.ep -DSHARED_CORE_TIESTATIC main/http_main.c \
    -L. -lhttpd -ldbm -lssl -lcrypto -lmm -lexpat
ld: warning in ./libhttpd.so, file is not of required architecture
Undefined symbols:
"_ap_validate_password", referenced from:
_suck_in_ap_validate_password in ccRuUDHX.o
"_ap_main", referenced from:
_main in ccRuUDHX.o
ld: symbol(s) not found
collect2: ld returned 1 exit status
make[2]: *** [libhttpd.ep] Error 1
make[1]: *** [build-std] Error 2
make: *** [build] Error 2

I'm running the following commands (with $TAR_DIR, $BUILD_DIR, and $INSTALL_DIR defined):

cd $BUILD_DIR
tar xzvf $TAR_DIR/openssl-0.9.8g.tar.gz
cd $BUILD_DIR/openssl-0.9.8g
./config --prefix=$INSTALL_DIR --openssldir=$INSTALL_DIR/openssl
make

cd $BUILD_DIR
tar xzvf $TAR_DIR/mm-1.4.1.tar.gz
cd $BUILD_DIR/mm-1.4.1
./configure --disable-shared
make

cd $BUILD_DIR
tar xzvf $TAR_DIR/apache_1.3.39.tar.gz
tar xzvf $TAR_DIR/mod_ssl-2.8.30-1.3.39.tar.gz
cd $BUILD_DIR/mod_ssl-2.8.30-1.3.39
./configure --with-apache=../apache_1.3.39 --with-ssl=../openssl-0.9.8g --prefix=$INSTALL_DIR

cd $BUILD_DIR/apache_1.3.39
export SSL_BASE=../openssl-0.9.8g
export EAPI_MM=../mm-1.4.1
./configure --enable-module=ssl --enable-module=headers --enable-module=expires --enable-module=so --enable-module=rewrite --enable-rule=SHARED_CORE --prefix=$INSTALL_DIR
make # the error happens here
How to build apache/mod_ssl/mod_perl together?
I can't seem to build an SSL enabled httpd binary from the sources and instructions listed below. I'm basically following the instructions from the mod_perl instructions for SSL in the file INSTALL.simple.mod_ssl. But this does not result in an SSL/mod_perl enabled httpd binary. Can someone tell me what I'm doing wrong below?

-Thanks

    tar zxvf apache_1.3.33.tar.gz
    tar zxvf mod_ssl-2.8.24-1.3.33.tar.gz
    tar zxvf openssl-0.9.6b.tar.gz
    tar zxvf mod_perl-1.0-current.tar.gz

    cd openssl-0.9.8b
    ./config
    make
    cd ..

    cd mod_ssl-2.8.24-1.3.33
    ./configure \
        --with-apache=../apache_1.3.33 \
        --with-ssl=../openssl-0.9.8b \
        --enable-module=ssl \
        --enable-module=so \
        --prefix=/usr/local/apache-1.3.33
    cd..

    cd mod_perl-1.29
    perl Makefile.PL \
        EVERYTHING=1 \
        APACHE_SRC=../apache_1.3.33/src \
        APACHE_PREFIX=/usr/local/apache-1.3.33 \
        SSL_BASE=../openssl-0.9.8b \
        USE_APACI=1 \
        PREP_HTTPD=1 \
        DO_HTTPD=1 \
        APACI_ARGS=--enable-module=ssl,--enable-module=so,--enable-module=rewrite
    make
Re: [ANNOUNCE] mod_ssl 2.8.29 for Apache 1.3.39
On Mon, Sep 10, 2007, Ralf S. Engelschall wrote:

> Apache 1.3.39 was released recently.
> An updated mod_ssl 2.8.29 for Apache 1.3.39 is now available, too.
> Find it on: http://www.modssl.org/

Unfortunately, there was a bug in the auto-generated patch caused by a changed amount of patch hunks in the mod_status.c patch set. This is now fixed with mod_ssl 2.8.30. Please use this updated version. Sorry for the inconvenience.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
Official Announcement Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
[ANNOUNCE] mod_ssl 2.8.29 for Apache 1.3.39
Apache 1.3.39 was released recently. An updated mod_ssl 2.8.29 for Apache 1.3.39 is now available, too. Find it on: http://www.modssl.org/

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: mod_ssl for apache 1.3.39
I patched the EAPI patch to apply cleanly to 1.3.39. This should work until a version is rolled for 1.3.39. Cheers, Doug diff -PurN mod_ssl-2.8.28-1.3.37/pkg.eapi/eapi.patch mod_ssl-2.8.28-1.3.39/pkg.eapi/eapi.patch --- mod_ssl-2.8.28-1.3.37/pkg.eapi/eapi.patch 2007-09-10 13:31:38.0 -0400 +++ mod_ssl-2.8.28-1.3.39/pkg.eapi/eapi.patch 2007-09-10 13:36:27.0 -0400 @@ -1132,7 +1132,7 @@ /* * The max child slot ever assigned, preserved across restarts. Necessary -@@ -436,6 +439,30 @@ +@@ -471,6 +474,30 @@ } } @@ -1163,7 +1163,7 @@ #ifndef NETWARE static APACHE_TLS int volatile exit_after_unblock = 0; #endif -@@ -1551,6 +1578,9 @@ +@@ -1588,6 +1615,9 @@ } ap_bsetflag(save_req->connection->client, B_EOUT, 1); @@ -1173,7 +1173,7 @@ ap_bclose(save_req->connection->client); if (!ap_standalone) -@@ -1559,6 +1589,9 @@ +@@ -1596,6 +1626,9 @@ } else {/* abort the connection */ ap_bsetflag(current_conn->client, B_EOUT, 1); @@ -1183,7 +1183,7 @@ ap_bclose(current_conn->client); current_conn->aborted = 1; } -@@ -1880,10 +1913,16 @@ +@@ -1915,10 +1948,16 @@ /* Send any leftover data to the client, but never try to again */ if (ap_bflush(r->connection->client) == -1) { @@ -1200,7 +1200,7 @@ ap_bsetflag(r->connection->client, B_EOUT, 1); /* Close our half of the connection --- send the client a FIN */ -@@ -2582,6 +2621,9 @@ +@@ -2617,6 +2656,9 @@ /* Clear the pool - including any registered cleanups */ ap_destroy_pool(pglobal); #endif @@ -1210,7 +1210,7 @@ exit(code); } -@@ -3655,6 +3697,24 @@ +@@ -3711,6 +3753,24 @@ conn->remote_addr = *remaddr; conn->remote_ip = ap_pstrdup(conn->pool, inet_ntoa(conn->remote_addr.sin_addr)); @@ -1235,7 +1235,7 @@ return conn; } -@@ -4165,6 +4225,15 @@ +@@ -4221,6 +4281,15 @@ printf("Server's Module Magic Number: %u:%u\n", MODULE_MAGIC_NUMBER_MAJOR, MODULE_MAGIC_NUMBER_MINOR); printf("Server compiled with\n"); 
@@ -1251,10 +1251,10 @@ #ifdef TPF show_os_specific_compile_settings(); #endif -@@ -4339,6 +4408,22 @@ - ap_server_pre_read_config = ap_make_array(pcommands, 1, sizeof(char *)); +@@ -4396,6 +4465,22 @@ ap_server_post_read_config = ap_make_array(pcommands, 1, sizeof(char *)); ap_server_config_defines = ap_make_array(pcommands, 1, sizeof(char *)); + pid_table = ap_make_table(pglobal, HARD_SERVER_LIMIT); + +#ifdef EAPI +ap_hook_init(); @@ -1274,7 +1274,7 @@ } #ifndef MULTITHREAD -@@ -4835,6 +4920,9 @@ +@@ -4892,6 +4977,9 @@ ap_sync_scoreboard_image(); if (ap_scoreboard_image->global.running_generation != ap_my_generation) { @@ -1284,7 +1284,7 @@ ap_bclose(conn_io); clean_child_exit(0); } -@@ -4863,6 +4951,9 @@ +@@ -4920,6 +5008,9 @@ */ #ifdef NO_LINGCLOSE @@ -1294,7 +1294,7 @@ ap_bclose(conn_io); /* just close it */ #else if (r && r->connection -@@ -4873,6 +4964,9 @@ +@@ -4930,6 +5021,9 @@ lingering_close(r); } else { @@ -1304,7 +1304,7 @@ ap_bsetflag(conn_io, B_EOUT, 1); ap_bclose(conn_io); } -@@ -5656,16 +5750,31 @@ +@@ -5730,16 +5824,31 @@ usage(argv[0]); } } @@ -1336,7 +1336,7 @@ } child_timeouts = !ap_standalone || one_process; -@@ -5813,6 +5922,10 @@ +@@ -5887,6 +5996,10 @@ ap_destroy_pool(r->pool); } @@ -1347,7 +1347,7 @@ ap_bclose(cio); } exit(0); -@@ -6189,6 +6302,9 @@ +@@ -6263,6 +6376,9 @@ ap_kill_cleanups_for_socket(ptrans, csd); #ifdef NO_LINGCLOSE @@ -1357,7 +1357,7 @@ ap_bclose(conn_io); /* just close it */ #else if (r && r->connection -@@ -6199,6 +6315,9 @@ +@@ -6273,6 +6389,9 @@ lingering_close(r); } else { @@ -1367,7 +1367,7 @@ ap_bsetflag(conn_io, B_EOUT, 1); ap_bclose(conn_io); } -@@ -7774,6 +7893,10 @@ +@@ -7848,6 +7967,10 @@ if (!conf_specified) ap_cpystrn(ap_server_confname, SERVER_CONFIG_FILE, sizeof(ap_server_confname)); 
@@ -1378,7 +1378,7 @@ if (!ap_os_is_path_absolute(ap_server_confname)) ap_cpystrn(ap_server_confname, ap_server_root_relative(pcommands, ap_server_confname), -@@ -7814,6 +7937,9 @@ +@@ -7888,6 +8011,9 @@ #else /* ndef WIN32 */ server_conf = ap_read_config(pconf, ptrans, ap_server_confname); #endif @@ -1598,26 +1598,29 @@ Index: src/modules/standard/mod_status.c --- src/modules/standard/mod_status.c 28 Jul 2006 13:55:27 - 1.1.1.17 +++ src/modules/sta
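Review bot: in the `@@ -1251,10 +1251,10 @@` hunk the embedded hunk is not only renumbered (from `-4339,6 +4408,22` to `-4396,6 +4465,22`), its context also moves: the `ap_server_pre_read_config = ap_make_array(...)` line is dropped and `pid_table = ap_make_table(pglobal, HARD_SERVER_LIMIT);` now sits directly before the `#ifdef EAPI` / `ap_hook_init();` block. Please say in the message that this hunk was re-anchored by hand and confirm that initialising the EAPI hooks after the `pid_table` allocation is intended, since this is the one visible place where the insertion point changes rather than just the offset.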
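Review bot: the last hunk, `@@ -1598,26 +1598,29 @@` for src/modules/standard/mod_status.c, grows by three lines, so unlike the earlier hunks it changes the content of the embedded patch and not only its offsets, but the message is cut off at `+++ src/modules/sta` and that change cannot be checked. Please resend the diff as an attachment so the mod_status.c part can be reviewed and applied in full.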
Re: mod_ssl for apache 1.3.39
Some of the patches in eapi.patch do not apply cleanly and are rejected. This means that, unless you hand apply them, the patch isn't complete and you core dump when mod_ssl is trying to hook.

Pascal Nobus wrote:
>
> Does anyone know that a new version of mod_ssl is under construction for
> use with apache 1.3.39?
> I tried to compile Apache-1.3.39 with mod_ssl for 1.3.37 but that kills
> apache...
>
> best regards,
> Pascal

--
Jim Jagielski [|] [EMAIL PROTECTED] [|] http://www.jaguNET.com/
"If you can dodge a wrench, you can dodge a ball."
mod_ssl for apache 1.3.39
Does anyone know that a new version of mod_ssl is under construction for use with apache 1.3.39? I tried to compile Apache-1.3.39 with mod_ssl for 1.3.37 but that kills apache...

best regards,
Pascal
Apache and mod_ssl (extra info)
So I tried something kind of new. I completely removed the directory with the non-functioning apache install. I went back to the source, did a make clean, a new configure using the same parameters as before:

    ./configure --prefix=/opt/apache3 --enable-auth-dbm=shared --enable-expires=shared --enable-headers=shared --enable-rewrite=shared --enable-mime-magic=shared --enable-info=shared --enable-status=shared --enable-userdir=shared --enable-http --enable-so --enable-ssl=static --with-ssl=/opt/openssl098d --with-perl=/opt/perl58 --with-ndbm --enable-ldap=shared --enable-auth_ldap=shared --with-ldap=/usr/local/OpenLDAP.2.3

Had SHLIB_PATH set to "/opt/openssl098d/lib:/usr/local/OpenLDAP.2.3/lib" as well as CPPFLAGS and LDFLAGS set with -I and -L flags for those two non-standard directories. This is all the same as what I had done before.

After the make, make install, I went in to the installed directory and made as minimal changes as I could. I changed Listen port in the main httpd.conf to 8040 and the Listen port (as well as the VirtualHost port) in ssl.conf to 8045 so it wouldn't step on the toes of the production apache process. I then changed the User and Group directives in httpd.conf to the webadmin user which the other apache process runs as. Launched this just about plain jane apache using apachectl startssl.

Connecting via http to 8040, everything looks fine. Connecting via https to port 8045 shows the behavior of child processes hanging in a waiting state.

Am I wrong in thinking this is a permissions issue? Or perhaps something is funky with the fact that the SSL libraries are in a strange spot? I've tried adding the library path to envvars in apache3/bin and having PassEnv SHLIB_PATH in the httpd.conf. However, the WORKING installation is linked to these exact same libraries and although there's a PassEnv command in its httpd.conf, nothing was added to envvars.

If it *is* a permissions issue, what does mod_ssl need permission to get to in order to function properly? I notice that the ssl_scache.dir and ssl_scache.pag files are created in the logs directory, (though the .dir file is 0 bytes) both owned by webadmin, so that user can at least CREATE files in that directory.
Apache and mod_ssl
I have a feeling that I'm missing something elementary here. I have an install of apache 2.0.55 with mod_ssl enabled on a HP-UX system in /opt/apache2. This one runs fine. I recompiled another copy of apache (same version) into /opt/apache2a (for testing purposes) to add mod_ldap support and that one worked as well. Then I tried recreating apache2a in apache2 by doing a recompile using a prefix of apache2 and then doing an install after backing everything up and moving the old apache install out of the way.

However, this one DOESN'T work. If I launch it WITHOUT SSL turned on (i.e., no SSLEngine on directive), everything works great. But as soon as I turn on SSL in a VirtualHost, then strange things happen. A client will connect to the test port via SSL, the SSL negotiation appears to work just fine (tested using openssl s_client), but when you attempt to do a GET, the request is sent, but a reply never shows up. Nothing appears in the access_log, and child processes begin to spawn with each request. I can pull up the server-status url and every time I hit refresh, one child process goes to "W" and another one is spawned. Clicking repeatedly will continue this process until there are a ton of processes, all stuck at "Waiting" with 0/0/0 under the Acc column. Do it enough, the server's load average starts to climb.

I've checked and double checked every permission I can possibly find. The User and Group directives are both set to "webadmin" which is the same in all configurations. The permissions of the sub-directories in both directories match between the two. I have this feeling that it's simple with the directory permissions and/or structure but I just can't seem to locate it. Anyone have any ideas on what else I might need to look at?

Aaron

Aaron Smith [EMAIL PROTECTED]
System Administrator (269) 337-7496
Kalamazoo College
Bug in mod_ssl ?
All,

I recently ran into a problem with mod_ssl and Internet Explorer versions 6 and 7. I have found that in the case where "SSLVerifyClient" is set to anything other than exactly "none" with Apache 1.3.x and mod_ssl 2.8.x that a client using Internet Explorer version 6 or 7 cannot connect using HTTPS. The following error is given in the ssl_error_log:

    mod_ssl: SSL handshake interrupted by system connection reset by peer

It is not clear whether this is a mod_ssl or an Internet Explorer bug. The issue is not present when using Apache 2.2.x and the corresponding Apache mod_ssl. I would prefer to continue using Apache 1.3.x and mod_ssl 2.8.x for now, but this bug (regardless of which component is faulty) prevents that option when "SSLVerifyClient" and availability to clients using Internet Explorer are both simultaneously desired.

Is this a known bug? Is there a place to report this bug in greater detail?

Thanks,
--
Roy Keene (Contractor)
Office of Network Management (Code 7030.8)
Naval Research Laboratory
Stennis Space Center, MS 39529
DSN 828-4827
Re: Apache and mod_ssl - refusing connections on https?
I figured it out people, I just needed to start httpd with -DSSL. So I was being dumb.
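Why starting httpd with -DSSL resolved the refused connections, as an added example that is not part of the thread or of Apache: it assumes the poster's ssl.conf still carried the `<IfDefine SSL>` wrapper that the stock Apache 2.0 ssl.conf ships with (the tags are not visible in the quoted copy), so every directive inside it, including `Listen 443`, is skipped unless `SSL` is defined at startup. The function names and the sample configuration are constructed for illustration.

```python
"""Evaluate <IfDefine> blocks in an Apache config for a given set of -D flags."""
import re

# Constructed sample, not the poster's file: the main config listens on 80 and
# the SSL part sits inside <IfDefine SSL> (assumed wrapper, see the lead-in).
SAMPLE_CONF = """\
Listen 80
<IfDefine SSL>
Listen 443
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /usr/pkg/etc/httpd/ssl.crt/server.crt
</VirtualHost>
</IfDefine>
<IfDefine !SSL>
# settings used only for a plain-HTTP start
KeepAlive On
</IfDefine>
"""

_OPEN = re.compile(r"<IfDefine\s+(!?)\s*([^>\s]+)\s*>", re.IGNORECASE)
_CLOSE = re.compile(r"</IfDefine\s*>", re.IGNORECASE)


def active_directives(conf_text, defines=()):
    """Return the config lines httpd would act on when started with the given
    -D names. Only <IfDefine> is evaluated; other containers such as
    <VirtualHost> are passed through as ordinary lines."""
    defines = set(defines)
    stack = []   # one bool per open <IfDefine>: is that block enabled?
    active = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _OPEN.fullmatch(line)
        if opened:
            negated = opened.group(1) == "!"
            stack.append((opened.group(2) in defines) != negated)
            continue
        if _CLOSE.fullmatch(line):
            if not stack:
                raise ValueError(f"line {lineno}: </IfDefine> without an opening tag")
            stack.pop()
            continue
        # A line counts only if every enclosing <IfDefine> is enabled.
        if all(stack):
            active.append(line)
    if stack:
        raise ValueError("unterminated <IfDefine> block")
    return active


def listen_ports(conf_text, defines=()):
    """Ports of the Listen directives that survive <IfDefine> evaluation."""
    ports = []
    for line in active_directives(conf_text, defines):
        parts = line.split()
        if parts[0].lower() == "listen" and len(parts) >= 2:
            # Listen takes "port" or "address:port"; the port follows the last colon.
            ports.append(int(parts[1].rsplit(":", 1)[-1]))
    return ports


def ssl_gated_by_define(conf_text, name="SSL"):
    """True when SSLEngine becomes active only once -D<name> is passed."""
    def has_engine(defs):
        return any(d.lower().startswith("sslengine")
                   for d in active_directives(conf_text, defs))
    return has_engine({name}) and not has_engine(set())


if __name__ == "__main__":
    print("plain start:", listen_ports(SAMPLE_CONF))
    print("with -DSSL :", listen_ports(SAMPLE_CONF, {"SSL"}))
    print("SSL gated  :", ssl_gated_by_define(SAMPLE_CONF))
```

With nothing bound to port 443 on a plain start, the client sees exactly the "Connection refused" from the thread and the server logs stay empty, because no SSL code ever runs.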
Re: Apache and mod_ssl - refusing connections on https?
Yes, I have SSLEngine On in ssl.conf, here's my ssl.conf file:

    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin

    Listen 443
    Listen my.ip.ad.dr:443

    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    SSLPassPhraseDialog builtin

    SSLSessionCache dbm:/var/run/ssl_scache
    SSLSessionCacheTimeout 300

    SSLMutex file:/var/run/ssl_mutex

    DocumentRoot "/usr/pkg/share/httpd/htdocs"
    ServerName www.mydomain.net:443
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog /var/log/httpd/error_log
    TransferLog /var/log/httpd/access_log

    SSLEngine on

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    SSLCertificateFile /usr/pkg/etc/httpd/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/pkg/etc/httpd/ssl.key/server.pem

    SSLOptions +StdEnvVars

    SSLOptions +StdEnvVars

    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Any ideas?

--- "Omar W. Hannet" <[EMAIL PROTECTED]> wrote:

> SSLEngine On?
Re: Apache and mod_ssl - refusing connections on https?
SSLEngine On?

--
Omar W. Hannet
http://www.allez-oop.net/
Apache and mod_ssl - refusing connections on https?
Hi people,

I'm new to this list, so hello.

I've been trying to get https working with apache 2.0.59 on NetBSD 3.99 today, and it's beginning to make my face ache.

Basically when I try to view a page via https I get connection refused. Apache is compiled with mod_ssl.c, I have openssl installed.

This is what I've done so far:

1) Copied the example openssl cfg from examples to /etc/openssl/openssl.cnf
2) Generated my server key, then pem file then the csr and crt.
3) Then copied them all into ssl.key (server.pem, server.key), ssl.csr (server.csr) and ssl.crt (server.crt). This is where my ssl.conf expects them.
4) Made sure ssl.conf is pointing to these files properly and is listening on port 443 (Listen :443)
5) Made sure ssl.conf is included in httpd.conf properly
6) check that mod_ssl.c is compiled in with https -l
7) checked my apache access and error logs - nothing !

And still nothing, it can't be listening on 443.

If I do the following:

    #openssl s_client -connect localhost:443 -state -debug

I get:

    connect: Connection refused
    connect:errno=61

I've even tried copying all my virtual hosts and changing :80 to :443, still nothing.

This is really the first time I've ever touched ssl, so I'm hoping I'm missing something really dumb. I've basically just got the standard ssl.conf example modified ever so slightly so that things point in the right place.

Any ideas?

Cheers
Glyn
Re: Apache with mod_ssl
Even more revealing was the passphrase prompt, not required for plain httpd...

Thanks,
Ron DuFresne

On Tue, 19 Jun 2007, Omar W. Hannet wrote:

Are you quite certain that the LoadModule for mod_ssl has been commented out? The reason I ask: the output from 'apachectl start' which you provided below shows 'mod_ssl/2.2.4'.

In the log file /opt/apache-2.2.4/logs/error_log, on lines that contain 'Apache/2.2.4' and 'configured -- resuming normal operations', do you see 'mod_ssl/2.2.4'? If so, it is still being loaded from somewhere in your configuration.

Saikat Saha wrote:

Sorry for late response on this one. This is what we have in httpd.conf which is generated at compile time. This problem does not go away even if I comment out last four lines and restart apache. Could you please advise what else could be leading apache to think it is https rather than http?

    # Secure (SSL/TLS) connections
    #Include conf/extra/httpd-ssl.conf
    #
    # Note: The following must must be present to support
    # starting without SSL on platforms with no /dev/random equivalent
    # but a statically compiled-in mod_ssl.
    #
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin

With above commented out, when I try to start apache, I get following passphrase prompt and apache does not start even after saying passphrase successful, no logs in logs directory although log level is "debug"

    ]# ./apachectl start
    httpd: Could not reliably determine the server's fully qualified domain name, using 10.3.110.109 for ServerName
    Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide the pass phrases.
    Server 10.3.110.109:443 (RSA)
    Enter pass phrase:
    OK: Pass Phrase Dialog successful.
    [EMAIL PROTECTED] bin]#

Thanks you very much for your help.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: Monday, June 18, 2007 8:34 AM
To: modssl-users@modssl.org
Subject: Re: Apache with mod_ssl

Do you have tags surrounding all SSL directives in your configuration file? For example:

    SSLPassPhraseDialog builtin
    # etc.

Saikat Saha wrote:

Apache was compiled as below

    ./configure --with-ldap --enable-mods-shared="all ssl ldap cache proxy authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock disk_cache" --prefix=/opt/apache-2.2.4

Httpd -l gives below

    [EMAIL PROTECTED] bin]# httpd -l
    Compiled in modules:
      core.c
      prefork.c
      http_core.c
      mod_so.c

How do I compile so that it does not load mod_ssl automatically and loads only if httpd.conf is configured. Surprisingly there are no error logs even at debug level. Thank you so very much for the kind help.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: Friday, June 15, 2007 4:13 PM
To: modssl-users@modssl.org
Subject: Re: Apache with mod_ssl

Saikat Saha wrote:

> We have apache 2.2.4 compiled with all modules but commented out all load modules. Do not have anything in httpd.conf file to state that this is https. But when I start apache, it tries to goto https and prompts for pass phrase. How does apache determine that this is https whereas this is actually a http server.

Perhaps mod_ssl is a compiled-in module. Run 'httpd -l' to check this.

> After I enter a passphrase, it shows successful but the server never starts up. Can someone please help?

The reason probably can be found in Apache's error_log file.

> Also can apache support both http and https at different ports at the same time?

Yes. The defaults are port 80 for http and port 443 for https.

--
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins
Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
On Mon, 11 Jun 2007, Mark Beiley wrote:

> I've learned that I can fix this problem by not using an external style sheet. This only affects IE6 on XP without SP2. Everyone else seems to be able to view my pages fine, and even these problematic IE6/XP customers can view pages with external style sheets that are not using HTTPS.

There are really idiots using XP without SP2? Damn!

Thanks,
Ron DuFresne

--
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins
Re: Apache with mod_ssl
Are you quite certain that the LoadModule for mod_ssl has been commented out? The reason I ask: the output from 'apachectl start' which you provided below shows 'mod_ssl/2.2.4'.

In the log file /opt/apache-2.2.4/logs/error_log, on lines that contain 'Apache/2.2.4' and 'configured -- resuming normal operations', do you see 'mod_ssl/2.2.4'? If so, it is still being loaded from somewhere in your configuration.

Saikat Saha wrote:
> Sorry for late response on this one. This is what we have in httpd.conf which is generated at compile time. This problem does not go away even if I comment out last four lines and restart apache. Could you please advise what else could be leading apache to think it is https rather than http?
>
> # Secure (SSL/TLS) connections
> #Include conf/extra/httpd-ssl.conf
> #
> # Note: The following must must be present to support
> # starting without SSL on platforms with no /dev/random equivalent
> # but a statically compiled-in mod_ssl.
> #
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
>
> With above commented out, when I try to start apache, I get following passphrase prompt and apache does not start even after saying passphrase successful, no logs in logs directory although log level is "debug"
>
> ]# ./apachectl start
> httpd: Could not reliably determine the server's fully qualified domain name, using 10.3.110.109 for ServerName
> Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)
> Some of your private key files are encrypted for security reasons.
> In order to read them you have to provide the pass phrases.
>
> Server 10.3.110.109:443 (RSA)
> Enter pass phrase:
>
> OK: Pass Phrase Dialog successful.
> [EMAIL PROTECTED] bin]#
>
> Thanks you very much for your help.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
> Sent: Monday, June 18, 2007 8:34 AM
> To: modssl-users@modssl.org
> Subject: Re: Apache with mod_ssl
>
> Do you have tags surrounding all SSL directives in your configuration file? For example:
>
> SSLPassPhraseDialog builtin
> # etc.
>
> Saikat Saha wrote:
>> Apache was compiled as below
>>
>> ./configure --with-ldap --enable-mods-shared="all ssl ldap cache proxy authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock disk_cache" --prefix=/opt/apache-2.2.4
>>
>> Httpd -l gives below
>> [EMAIL PROTECTED] bin]# httpd -l
>> Compiled in modules:
>> core.c
>> prefork.c
>> http_core.c
>> mod_so.c
>>
>> How do I compile so that it does not load mod_ssl automatically and loads only if httpd.conf is configured.
>>
>> Surprisingly there are no error logs even at debug level.
>>
>> Thank you so very much for the kind help.
>>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
>> Sent: Friday, June 15, 2007 4:13 PM
>> To: modssl-users@modssl.org
>> Subject: Re: Apache with mod_ssl
>>
>> Saikat Saha wrote:
>>> We have apache 2.2.4 compiled with all modules but commented out all load modules. Do not have anything in httpd.conf file to state that this is https. But when I start apache, it tries to goto https and prompts for pass phrase. How does apache determine that this is https whereas this is actually a http server.
>>
>> Perhaps mod_ssl is a compiled-in module. Run 'httpd -l' to check this.
>>
>>> After I enter a passphrase, it shows successful but the server never starts up. Can someone please help?
>>
>> The reason probably can be found in Apache's error_log file.
>>
>>> Also can apache support both http and https at different ports at the same time?
>>
>> Yes. The defaults are port 80 for http and port 443 for https.
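One way to find what is still pulling mod_ssl into a configuration, as asked in the reply above. This is an added example, not code from the thread: it lists every uncommented SSL-related line in one config file and marks whether it sits inside an `<IfModule>` or `<IfDefine>` block whose condition mentions ssl (those two container names are an assumption, since the tag names are missing from the posts). The function names and the sample config are constructed; Include targets are reported, not followed.

```shell
#!/bin/sh
# Added example: find active (uncommented) lines that bring mod_ssl into play.

# Print "LINENO guarded|unguarded DIRECTIVE" for each active SSL-related line.
ssl_active_lines() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)             # directives may be indented
            low = tolower(line)                  # directives are case-insensitive
        }
        low ~ /^<(ifmodule|ifdefine)[ \t]/ {
            depth++
            # a negated test such as <IfModule !mod_ssl.c> is not a guard
            guard[depth] = (low ~ /ssl/ && low !~ /!/) ? 1 : 0
            next
        }
        low ~ /^<\/(ifmodule|ifdefine)>/ { if (depth > 0) depth--; next }
        low ~ /^loadmodule[ \t]+ssl_module/ ||
        low ~ /^include[ \t].*ssl/ ||
        low ~ /^ssl[a-z]+[ \t]/ ||
        low ~ /^listen[ \t]+([^ \t]*:)?443([ \t]|$)/ {
            g = "unguarded"
            for (i = 1; i <= depth; i++) if (guard[i]) g = "guarded"
            print NR, g, line
        }
    ' "$1"
}

# Number of SSL-related lines that take effect unconditionally.
ssl_unguarded_count() {
    ssl_active_lines "$1" | awk '$2 == "unguarded" { n++ } END { print n + 0 }'
}

# Constructed sample modelled on the httpd.conf excerpt in the thread.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
Include conf/extra/site-ssl.conf
Listen 443
#LoadModule ssl_module modules/mod_ssl.so
EOF
}

# Audit a real file when a path is given as the first argument.
if [ -n "${1:-}" ]; then
    ssl_active_lines "$1"
fi
```

Every file named by a reported Include line needs the same scan, since that is where a VirtualHost on port 443 and its key file usually live.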
RE: Apache with mod_ssl
Sorry for late response on this one. This is what we have in httpd.conf which is generated at compile time. This problem does not go away even if I comment out last four lines and restart apache. Could you please advise what else could be leading apache to think it is https rather than http?

# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

With above commented out, when I try to start apache, I get following passphrase prompt and apache does not start even after saying passphrase successful, no logs in logs directory although log level is "debug"

]# ./apachectl start
httpd: Could not reliably determine the server's fully qualified domain name, using 10.3.110.109 for ServerName
Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 10.3.110.109:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[EMAIL PROTECTED] bin]#

Thanks you very much for your help.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: Monday, June 18, 2007 8:34 AM
To: modssl-users@modssl.org
Subject: Re: Apache with mod_ssl

Do you have tags surrounding all SSL directives in your configuration file? For example:

SSLPassPhraseDialog builtin
# etc.

Saikat Saha wrote:
> Apache was compiled as below
>
> ./configure --with-ldap --enable-mods-shared="all ssl ldap cache proxy authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock disk_cache" --prefix=/opt/apache-2.2.4
>
> Httpd -l gives below
> [EMAIL PROTECTED] bin]# httpd -l
> Compiled in modules:
> core.c
> prefork.c
> http_core.c
> mod_so.c
>
> How do I compile so that it does not load mod_ssl automatically and loads only if httpd.conf is configured.
>
> Surprisingly there are no error logs even at debug level.
>
> Thank you so very much for the kind help.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
> Sent: Friday, June 15, 2007 4:13 PM
> To: modssl-users@modssl.org
> Subject: Re: Apache with mod_ssl
>
> Saikat Saha wrote:
>> We have apache 2.2.4 compiled with all modules but commented out all load modules. Do not have anything in httpd.conf file to state that this is https. But when I start apache, it tries to goto https and prompts for pass phrase. How does apache determine that this is https whereas this is actually a http server.
>
> Perhaps mod_ssl is a compiled-in module. Run 'httpd -l' to check this.
>
>> After I enter a passphrase, it shows successful but the server never starts up. Can someone please help?
>
> The reason probably can be found in Apache's error_log file.
>
>> Also can apache support both http and https at different ports at the same time?
>
> Yes. The defaults are port 80 for http and port 443 for https.
Re: Apache with mod_ssl
Do you have tags surrounding all SSL directives in your configuration file? For example:

SSLPassPhraseDialog builtin
# etc.

Saikat Saha wrote:
> Apache was compiled as below
>
> ./configure --with-ldap --enable-mods-shared="all ssl ldap cache proxy authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock disk_cache" --prefix=/opt/apache-2.2.4
>
> Httpd -l gives below
> [EMAIL PROTECTED] bin]# httpd -l
> Compiled in modules:
> core.c
> prefork.c
> http_core.c
> mod_so.c
>
> How do I compile so that it does not load mod_ssl automatically and loads only if httpd.conf is configured.
>
> Surprisingly there are no error logs even at debug level.
>
> Thank you so very much for the kind help.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
> Sent: Friday, June 15, 2007 4:13 PM
> To: modssl-users@modssl.org
> Subject: Re: Apache with mod_ssl
>
> Saikat Saha wrote:
>> We have apache 2.2.4 compiled with all modules but commented out all load modules. Do not have anything in httpd.conf file to state that this is https. But when I start apache, it tries to goto https and prompts for pass phrase. How does apache determine that this is https whereas this is actually a http server.
>
> Perhaps mod_ssl is a compiled-in module. Run 'httpd -l' to check this.
>
>> After I enter a passphrase, it shows successful but the server never starts up. Can someone please help?
>
> The reason probably can be found in Apache's error_log file.
>
>> Also can apache support both http and https at different ports at the same time?
>
> Yes. The defaults are port 80 for http and port 443 for https.
RE: Apache with mod_ssl
Apache was compiled as below

./configure --with-ldap --enable-mods-shared="all ssl ldap cache proxy authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock disk_cache" --prefix=/opt/apache-2.2.4

Httpd -l gives below
[EMAIL PROTECTED] bin]# httpd -l
Compiled in modules:
core.c
prefork.c
http_core.c
mod_so.c

How do I compile so that it does not load mod_ssl automatically and loads only if httpd.conf is configured.

Surprisingly there are no error logs even at debug level.

Thank you so very much for the kind help.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: Friday, June 15, 2007 4:13 PM
To: modssl-users@modssl.org
Subject: Re: Apache with mod_ssl

Saikat Saha wrote:
> We have apache 2.2.4 compiled with all modules but commented out all load modules. Do not have anything in httpd.conf file to state that this is https. But when I start apache, it tries to goto https and prompts for pass phrase. How does apache determine that this is https whereas this is actually a http server.

Perhaps mod_ssl is a compiled-in module. Run 'httpd -l' to check this.

> After I enter a passphrase, it shows successful but the server never starts up. Can someone please help?

The reason probably can be found in Apache's error_log file.

> Also can apache support both http and https at different ports at the same time?

Yes. The defaults are port 80 for http and port 443 for https.

--
Omar W. Hannet http://www.allez-oop.net/
Re: Apache with mod_ssl
Saikat Saha wrote:
> We have apache 2.2.4 compiled with all modules but commented out all load modules. Do not have anything in httpd.conf file to state that this is https. But when I start apache, it tries to goto https and prompts for pass phrase. How does apache determine that this is https whereas this is actually a http server.

Perhaps mod_ssl is a compiled-in module. Run 'httpd -l' to check this.

> After I enter a passphrase, it shows successful but the server never starts up. Can someone please help?

The reason probably can be found in Apache's error_log file.

> Also can apache support both http and https at different ports at the same time?

Yes. The defaults are port 80 for http and port 443 for https.

--
Omar W. Hannet http://www.allez-oop.net/
Apache with mod_ssl
We have apache 2.2.4 compiled with all modules but commented out all load modules. Do not have anything in httpd.conf file to state that this is https. But when I start apache, it tries to goto https and prompts for pass phrase. How does apache determine that this is https whereas this is actually a http server. After I enter a passphrase, it shows successful but the server never starts up. Can someone please help?

Also can apache support both http and https at different ports at the same time?

Thanks much for your help.

SS

[EMAIL PROTECTED] bin]# ./apachectl start
Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 10.3.110.109:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.

Httpd.conf

# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
Re: Apache mod_ssl and FIPS 140-2
http://csrc.nist.gov/cryptval/140-1/1401val2007.htm#733

Best~

-d

[EMAIL PROTECTED] wrote:

> Does anyone know if the Apache v2.2.x implementation of OpenSSL mod_ssl is FIPS 140-2 validated? What version of OpenSSL is distributed with the current version of Apache?
>
> Any help is much appreciated…
>
> Thanks,
>
> David Gerendas, CISSP
> McAfee, Inc.
> 949-297-5600 Main
> 949-860-3369 Direct
> 949-289-8677 Mobile
> [EMAIL PROTECTED]
Apache mod_ssl and FIPS 140-2
Does anyone know if the Apache v2.2.x implementation of OpenSSL mod_ssl is FIPS 140-2 validated? What version of OpenSSL is distributed with the current version of Apache? Any help is much appreciated... Thanks, David Gerendas, CISSP McAfee, Inc. 949-297-5600 Main 949-860-3369 Direct 949-289-8677 Mobile [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
Re: adding mod_ssl module to existing apache configuration
my apology for late replies...it works for me.

Thanks Team !!!

On 6/12/07, Omar W. Hannet <[EMAIL PROTECTED]> wrote:

> Lalit Kapoor wrote:
>> Can you give me some idea if it possible to add mod_ssl in running configuration or do i need to recompile and install apache with mod_ssl.
>
> Have you tried 'yum install mod_ssl'?
>
> --
> Omar W. Hannet http://www.allez-oop.net/
Re: mod_ssl setup process with apache 2.2.4
That sounds like a lot of unnecessary overhead for the Apache boxes. Check: http://www.apsis.ch/pound/ .. it does precisely what you seek.

Best~

-d

Saikat Saha wrote:

> Hi,
>
> We are trying to setup apache 2.2.4 along with mod_ssl and mod_jk. Mod_jk has been successfully configured and working with two instances of Jboss. However after installing mod_ssl, does not seem to be installed/configured properly.
>
> Is there some link which describes step by step setup process to configure Mod_ssl with apache 2.2.4? Can anyone please forward the link?
>
> Also, we have three ports, two of them need to be https and one needs to be http. How do we configure this?
>
> In our configuration, we want Apache to receive https requests from clients and then forward http to the Jboss application server thru mod_jk. Can someone please point to some link/documentation. We would assume these are standard practices.
>
> Thank you so very much for your kind help.
>
> Regards,
> SS
mod_ssl setup process with apache 2.2.4
Hi,

We are trying to setup apache 2.2.4 along with mod_ssl and mod_jk. Mod_jk has been successfully configured and working with two instances of Jboss. However after installing mod_ssl, does not seem to be installed/configured properly.

Is there some link which describes step by step setup process to configure Mod_ssl with apache 2.2.4? Can anyone please forward the link?

Also, we have three ports, two of them need to be https and one needs to be http. How do we configure this?

In our configuration, we want Apache to receive https requests from clients and then forward http to the Jboss application server thru mod_jk. Can someone please point to some link/documentation. We would assume these are standard practices.

Thank you so very much for your kind help.

Regards,
SS
Re: adding mod_ssl module to existing apache configuration
Lalit Kapoor wrote:
> Can you give me some idea if it possible to add mod_ssl in running configuration or do i need to recompile and install apache with mod_ssl.

Have you tried 'yum install mod_ssl'?

--
Omar W. Hannet http://www.allez-oop.net/
adding mod_ssl module to existing apache configuration
Hi,

I am using following version of apache, i got it installed using " yum install httpd ".

Server version: Apache/2.0.52
Server built: Aug 2 2006 05:21:10

There is a requirement of adding mod_ssl module to existing apache configuration.

Can you give me some idea if it possible to add mod_ssl in running configuration or do i need to recompile and install apache with mod_ssl.

Thanks,
Lalit
Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
I've learned that I can fix this problem by not using an external style sheet. This only affects IE6 on XP without SP2. Everyone else seems to be able to view my pages fine, and even these problematic IE6/XP customers can view pages with external style sheets that are not using HTTPS.

Specifically, if I delete this line from my HTML:

href="https://www.beileysoftware.com/main.css";>

then these problematic browsers can view the page fine. I've also changed the HTML to include the exact contents of the style sheet inline, and this works fine. It is only when the style sheet is external that the browser can't display the contents.

If I leave the external style sheet in place, I can see in the logs the browser requesting the page and then the style sheet. Both are returned with no errors, but the browser just sits there with a blank page, and never really finishes. It seems like it is waiting for something to complete, but it never finishes.

I'm guessing this was some bug in early versions of IE6, but does anyone know what the specific problem is, and how I can fix it by configuring Apache differently?

Thanks,
Mark
http://www.beiley.com

> Hello,
>
> Several customers are not able to access my server via HTTPS. Their browser just sits there, and doesn't display anything. I've determined the common properties of these cases to be:
>
> Windows XP (all of them without SP2)
> Internet Explorer 6
>
> I can see their requests show up fine in my log files, without errors. These customers can visit other HTTPS sites. My site works fine for the vast majority of people. I'm stumped on the next step to try and debug the problem. Any suggestions?
>
> My server configuration:
> Apache 2.0.54 with mod_ssl and mod_deflate, running on Windows XP
>
> For an example URL, try: https://www.beileysoftware.com/handy.html
>
> Thanks,
> Mark
> http://www.beiley.com
Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
Hi Sven,

Interesting... I hadn't thought of that. I know some other sites using a Starfield certificate. I'll see if these customers experience the same problem when they go there.

Thanks for your help!
Mark
http://www.beiley.com

- Original Message -
From: "Sven Geisler" <[EMAIL PROTECTED]>
To:
Sent: Thursday, June 07, 2007 11:30 PM
Subject: Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)

Hi Mark,

Did you try Google <http://www.google.com/search?q=Starfield+cert+ie6>? I guess, the root certificate causes the trouble.

Sven.

Mark Beiley wrote:
> Hi Sven,
>
> Thanks for the reply. I believe I have KeepAlive off for this browser. In my ssl.conf file I have:
>
> SetEnvIf User-Agent ".*MSIE.*" \
>     nokeepalive ssl-unclean-shutdown \
>     downgrade-1.0 force-response-1.0
>
> Thanks,
> Mark
> http://www.beiley.com
>
>> Hi Mark,
>>
>> Do you have KeepALive on in your server config for this browser?
>>
>> Sven.
>>
>> Mark Beiley wrote:
>>> Hello,
>>>
>>> Several customers are not able to access my server via HTTPS. Their browser just sits there, and doesn't display anything. I've determined the common properties of these cases to be:
>>>
>>> Windows XP (all of them without SP2)
>>> Internet Explorer 6
>>>
>>> I can see their requests show up fine in my log files, without errors. These customers can visit other HTTPS sites. My site works fine for the vast majority of people. I'm stumped on the next step to try and debug the problem. Any suggestions?
>>>
>>> My server configuration:
>>> Apache 2.0.54 with mod_ssl and mod_deflate, running on Windows XP
>>>
>>> For an example URL, try: https://www.beileysoftware.com/handy.html
>>>
>>> Thanks,
>>> Mark
>>> http://www.beiley.com

--
Sven Geisler <[EMAIL PROTECTED]> Tel +49.30.921017.81 Fax .50
Senior Developer, AEC/communications GmbH & Co. KG Berlin, Germany
Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
Hi Mark,

Did you try Google <http://www.google.com/search?q=Starfield+cert+ie6>? I guess, the root certificate causes the trouble.

Sven.

Mark Beiley wrote:
> Hi Sven,
>
> Thanks for the reply. I believe I have KeepAlive off for this browser. In my ssl.conf file I have:
>
> SetEnvIf User-Agent ".*MSIE.*" \
>     nokeepalive ssl-unclean-shutdown \
>     downgrade-1.0 force-response-1.0
>
> Thanks,
> Mark
> http://www.beiley.com
>
>> Hi Mark,
>>
>> Do you have KeepALive on in your server config for this browser?
>>
>> Sven.
>>
>> Mark Beiley wrote:
>>> Hello,
>>>
>>> Several customers are not able to access my server via HTTPS. Their browser just sits there, and doesn't display anything. I've determined the common properties of these cases to be:
>>>
>>> Windows XP (all of them without SP2)
>>> Internet Explorer 6
>>>
>>> I can see their requests show up fine in my log files, without errors. These customers can visit other HTTPS sites. My site works fine for the vast majority of people. I'm stumped on the next step to try and debug the problem. Any suggestions?
>>>
>>> My server configuration:
>>> Apache 2.0.54 with mod_ssl and mod_deflate, running on Windows XP
>>>
>>> For an example URL, try: https://www.beileysoftware.com/handy.html
>>>
>>> Thanks,
>>> Mark
>>> http://www.beiley.com

--
Sven Geisler <[EMAIL PROTECTED]> Tel +49.30.921017.81 Fax .50
Senior Developer, AEC/communications GmbH & Co. KG Berlin, Germany
Re: OpenSSL version from mod_ssl statically compiled into httpd?
Hi guys,

Is there a definitive way of finding out the version of OpenSSL used by httpd, with mod_ssl statically compiled into it.

Thanks!

[EMAIL PROTECTED]
Sent by: owner-modssl-users@modssl.org
07/06/2007 13:59
Please respond to modssl-users

To: modssl-users@modssl.org
cc: modssl-users@modssl.org, [EMAIL PROTECTED]
Subject: Re: OpenSSL version from mod_ssl statically compiled into httpd?

Thanks for the reply Zareh, but still no joy :-(

We DO have old libraries on the box, but when compiling apache (after setting SSL_BASE), The output does show:

.
.
+ SSL library version: OpenSSL 0.9.8e 23 Feb 2007
.
.

Running a strings on httpd shows:

OpenSSL 0.9.7b 10 Apr 2003
SSLv2 part of OpenSSL 0.9.8e 23 Feb 2007
TLSv1 part of OpenSSL 0.9.8e 23 Feb 2007
OpenSSL 0.9.8e 23 Feb 2007
SSLv3 part of OpenSSL 0.9.8e 23 Feb 2007
Big Number part of OpenSSL 0.9.8e 23 Feb 2007
RSA part of OpenSSL 0.9.8e 23 Feb 2007
Diffie-Hellman part of OpenSSL 0.9.8e 23 Feb 2007
Stack part of OpenSSL 0.9.8e 23 Feb 2007
lhash part of OpenSSL 0.9.8e 23 Feb 2007
EVP part of OpenSSL 0.9.8e 23 Feb 2007
ASN.1 part of OpenSSL 0.9.8e 23 Feb 2007
X.509 part of OpenSSL 0.9.8e 23 Feb 2007
MD2 part of OpenSSL 0.9.8e 23 Feb 2007
MD5 part of OpenSSL 0.9.8e 23 Feb 2007
SHA1 part of OpenSSL 0.9.8e 23 Feb 2007
SHA-256 part of OpenSSL 0.9.8e 23 Feb 2007
SHA-512 part of OpenSSL 0.9.8e 23 Feb 2007
DES part of OpenSSL 0.9.8e 23 Feb 2007
libdes part of OpenSSL 0.9.8e 23 Feb 2007
RC2 part of OpenSSL 0.9.8e 23 Feb 2007
RC4 part of OpenSSL 0.9.8e 23 Feb 2007
IDEA part of OpenSSL 0.9.8e 23 Feb 2007
DSA part of OpenSSL 0.9.8e 23 Feb 2007
ECDSA part of OpenSSL 0.9.8e 23 Feb 2007
ECDH part of OpenSSL 0.9.8e 23 Feb 2007
RAND part of OpenSSL 0.9.8e 23 Feb 2007
PEM part of OpenSSL 0.9.8e 23 Feb 2007
CONF part of OpenSSL 0.9.8e 23 Feb 2007
CONF_def part of OpenSSL 0.9.8e 23 Feb 2007

As you can see from the top line, 0.9.7b is coming in from [EMAIL PROTECTED]

Question, is the output of this LogFormat line an accurate reflection of what version of openssl was compiled into httpd?:

CustomLog /tmp/ssl.log "%{SSL_VERSION_LIBRARY}x %{SSL_VERSION_INTERFACE}x"

I'll try and move those libs out of the way, and re-compile

Zareh <[EMAIL PROTECTED]>
Sent by: owner-modssl-users@modssl.org
06/06/2007 06:10
Please respond to modssl-users

To: modssl-users@modssl.org
cc:
Subject: Re: OpenSSL version from mod_ssl statically compiled into httpd?

Hi Vishal,

I seem to remember running into this a while back, it turned out that I had old ssl libs in /usr/local/ssl and apache's build scripts were picking them up instead of /usr/local/openssl. I can't remember what I did to get them to compile with the newer openssl libs, but here are a few things you could try:

1) Set the following in your environment before you build apache/mod_ssl

SSL_BASE=/usr/local/openssl (wherever the libs are you want to compile against)
export SSL_BASE

2) Find the libs ( find /usr/* -type f -name '*ssl*' ), tar them up and move them int
Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
Hi Sven,

Thanks for the reply. I believe I have KeepAlive off for this browser. In my ssl.conf file I have:

SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

Thanks,
Mark
http://www.beiley.com

> Hi Mark,
>
> Do you have KeepALive on in your server config for this browser?
>
> Sven.
>
> Mark Beiley wrote:
>> Hello,
>>
>> Several customers are not able to access my server via HTTPS. Their browser just sits there, and doesn't display anything. I've determined the common properties of these cases to be:
>>
>> Windows XP (all of them without SP2)
>> Internet Explorer 6
>>
>> I can see their requests show up fine in my log files, without errors. These customers can visit other HTTPS sites. My site works fine for the vast majority of people. I'm stumped on the next step to try and debug the problem. Any suggestions?
>>
>> My server configuration:
>> Apache 2.0.54 with mod_ssl and mod_deflate, running on Windows XP
>>
>> For an example URL, try: https://www.beileysoftware.com/handy.html
>>
>> Thanks,
>> Mark
>> http://www.beiley.com
Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
Hi Mark,

Do you have KeepALive on in your server config for this browser?

Sven.

Mark Beiley wrote:
> Hello,
>
> Several customers are not able to access my server via HTTPS. Their browser just sits there, and doesn't display anything. I've determined the common properties of these cases to be:
>
> Windows XP (all of them without SP2)
> Internet Explorer 6
>
> I can see their requests show up fine in my log files, without errors. These customers can visit other HTTPS sites. My site works fine for the vast majority of people. I'm stumped on the next step to try and debug the problem. Any suggestions?
>
> My server configuration:
> Apache 2.0.54 with mod_ssl and mod_deflate, running on Windows XP
>
> For an example URL, try: https://www.beileysoftware.com/handy.html
>
> Thanks,
> Mark
> http://www.beiley.com

--
Sven Geisler <[EMAIL PROTECTED]> Tel +49.30.921017.81 Fax .50
Senior Developer, AEC/communications GmbH & Co. KG Berlin, Germany
Re: OpenSSL version from mod_ssl statically compiled into httpd?
Thanks for the reply Zareh, but still no joy :-(

We DO have old libraries on the box, but when compiling apache (after setting SSL_BASE), The output does show:

.
.
+ SSL library version: OpenSSL 0.9.8e 23 Feb 2007
.
.

Running a strings on httpd shows:

OpenSSL 0.9.7b 10 Apr 2003
SSLv2 part of OpenSSL 0.9.8e 23 Feb 2007
TLSv1 part of OpenSSL 0.9.8e 23 Feb 2007
OpenSSL 0.9.8e 23 Feb 2007
SSLv3 part of OpenSSL 0.9.8e 23 Feb 2007
Big Number part of OpenSSL 0.9.8e 23 Feb 2007
RSA part of OpenSSL 0.9.8e 23 Feb 2007
Diffie-Hellman part of OpenSSL 0.9.8e 23 Feb 2007
Stack part of OpenSSL 0.9.8e 23 Feb 2007
lhash part of OpenSSL 0.9.8e 23 Feb 2007
EVP part of OpenSSL 0.9.8e 23 Feb 2007
ASN.1 part of OpenSSL 0.9.8e 23 Feb 2007
X.509 part of OpenSSL 0.9.8e 23 Feb 2007
MD2 part of OpenSSL 0.9.8e 23 Feb 2007
MD5 part of OpenSSL 0.9.8e 23 Feb 2007
SHA1 part of OpenSSL 0.9.8e 23 Feb 2007
SHA-256 part of OpenSSL 0.9.8e 23 Feb 2007
SHA-512 part of OpenSSL 0.9.8e 23 Feb 2007
DES part of OpenSSL 0.9.8e 23 Feb 2007
libdes part of OpenSSL 0.9.8e 23 Feb 2007
RC2 part of OpenSSL 0.9.8e 23 Feb 2007
RC4 part of OpenSSL 0.9.8e 23 Feb 2007
IDEA part of OpenSSL 0.9.8e 23 Feb 2007
DSA part of OpenSSL 0.9.8e 23 Feb 2007
ECDSA part of OpenSSL 0.9.8e 23 Feb 2007
ECDH part of OpenSSL 0.9.8e 23 Feb 2007
RAND part of OpenSSL 0.9.8e 23 Feb 2007
PEM part of OpenSSL 0.9.8e 23 Feb 2007
CONF part of OpenSSL 0.9.8e 23 Feb 2007
CONF_def part of OpenSSL 0.9.8e 23 Feb 2007

As you can see from the top line, 0.9.7b is coming in from [EMAIL PROTECTED]

Question, is the output of this LogFormat line an accurate reflection of what version of openssl was compiled into httpd?:

CustomLog /tmp/ssl.log "%{SSL_VERSION_LIBRARY}x %{SSL_VERSION_INTERFACE}x"

I'll try and move those libs out of the way, and re-compile

Zareh <[EMAIL PROTECTED]>
Sent by: owner-modssl-users@modssl.org
06/06/2007 06:10
Please respond to modssl-users

To: modssl-users@modssl.org
cc:
Subject: Re: OpenSSL version from mod_ssl statically compiled into httpd?

Hi Vishal,

I seem to remember running into this a while back, it turned out that I had old ssl libs in /usr/local/ssl and apache's build scripts were picking them up instead of /usr/local/openssl. I can't remember what I did to get them to compile with the newer openssl libs, but here are a few things you could try:

1) Set the following in your environment before you build apache/mod_ssl

SSL_BASE=/usr/local/openssl (wherever the libs are you want to compile against)
export SSL_BASE

2) Find the libs ( find /usr/* -type f -name '*ssl*' ), tar them up and move them into another directory. Build apache/mod_ssl - then just untar the old libs back into place.

... kinda messy though :)

- Original Message
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: modssl-users@modssl.org
Sent: Monday, June 4, 2007 8:52:34 AM
Subject: OpenSSL version from mod_ssl statically compiled into httpd?

Question: How do I find out the version of openssl used by my httpd that has mod_ssl statically compiled into it?

"HEAD / HTTP/1.0" shows no mod_ssl info, and the only way in which I can get anything is to use the following in the Apache conf:

CustomLog /tmp/ssl.log "%{SSL_VERSION_LIBRARY}x %{SSL_VERSION_INTERFACE}x"

Is this accurate, and can it be trusted?

I ask because I recompiled apache/mod_ssl using openssl 0.9.8c and the version the above showed in the logs was older: 0.9.7b, which isn't installed on the box...?

My LD_LIBRARY path was set to /usr/local/ssl/lib, which contained:

engines/ libcrypto.a libcrypto.so libcrypto.so.0.9.8* libssl.a libssl.so libssl.so.0.9.8* pkgconfig/

It's an old setup that I've inherited from people who have all left now :-( The so
Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
Hello, Several customers are not able to access my server via HTTPS. Their browser just sits there, and doesn't display anything. I've determined the common properties of these cases to be: Windows XP (all of them without SP2) Internet Explorer 6 I can see their requests show up fine in my log files, without errors. These customers can visit other HTTPS sites. My site works fine for the vast majority of people. I'm stumped on the next step to try and debug the problem. Any suggestions? My server configuration: Apache 2.0.54 with mod_ssl and mod_deflate, running on Windows XP For an example URL, try: https://www.beileysoftware.com/handy.html Thanks, Mark http://www.beiley.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager[EMAIL PROTECTED]
Re: OpenSSL verion from mod_ssl statically compiled into httpd?
Hi Vishal, I seem to remember running into this a while back, it turned out that I had old ssl libs in /usr/local/ssl and apache's build scripts were picking them up. instead of /usr/local/openssl - I can't remember what I did to get them to compile with the newer openssl libs, but here are a few things you could try: 1) Set the following in your environment before you build apache/mod_ssl SSL_BASE=/usr/local/openssl (wherever the libs are you want to compile against) export SSL_BASE 2) Find the libs ( find /usr/* -type f -name '*ssl*' ), tar them up and move them into another directory. Build apache/mod_ssl - then just untar the old libs back into place. ... kinda messy though :) - Original Message From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> To: modssl-users@modssl.org Sent: Monday, June 4, 2007 8:52:34 AM Subject: OpenSSL verion from mod_ssl statically compiled into httpd? Question: How do I find out the version of openssl used by my httpd that has mod_ssl statically compiled into it? "HEAD / HTTP/1.0" shows no mod_ssl info, and the only way in which I can get anything is to use the following in the Apache conf: CustomLog /tmp/ssl.log "%{SSL_VERSION_LIBRARY}x %{SSL_VERSION_INTERFACE}x" Is this accurate, and can it be trusted? I ask because I recompiled apache/mod_ssl using openssl 0.9.8c and the version the above showed in the logs was older: 0.9.7b, which isn't installed on the box...? My LD_LIBRARY path was set to /usr/local/ssl/lib, which contained: engines/ libcrypto.a libcrypto.so libcrypto.so.0.9.8* libssl.a libssl.so libssl.so.0.9.8* pkgconfig/ It's an old setup that I've inherited from people who have all left now :-( The source files and the way in which this was compiled have gone. To be honest, I'm a bit confused as to the whole ssl setup with regards to solaris <-->apache <--> mod_ssl. 
I download and compiled openssl 0.9.8e from source and compiled mod_ssl with ./configure --with-apache=../apache_1.3.37 --with-ssl=../openssl-0.9.8e But when apache built, it said that it was using 0.9.8c the one installed as a pkg on the solaris box. Why would it do that? Anyway, the custom log shows the correct mod_ssl version, but an old openssl version. Any help is much appreciated, thanks in advance guys. Regards, Vish.
OpenSSL verion from mod_ssl statically compiled into httpd?
Question: How do I find out the version of openssl used by my httpd that has mod_ssl statically compiled into it? "HEAD / HTTP/1.0" shows no mod_ssl info, and the only way in which I can get anything is to use the following in the Apache conf: CustomLog /tmp/ssl.log "%{SSL_VERSION_LIBRARY}x %{SSL_VERSION_INTERFACE}x" Is this accurate, and can it be trusted? I ask because I recompiled apache/mod_ssl using openssl 0.9.8c and the version the above showed in the logs was older: 0.9.7b, which isn't installed on the box...? My LD_LIBRARY path was set to /usr/local/ssl/lib, which contained: engines/ libcrypto.a libcrypto.so libcrypto.so.0.9.8* libssl.a libssl.so libssl.so.0.9.8* pkgconfig/ It's an old setup that I've inherited from people who have all left now :-( The source files and the way in which this was compiled have gone. To be honest, I'm a bit confused as to the whole ssl setup with regards to solaris <-->apache <--> mod_ssl. I download and compiled openssl 0.9.8e from source and compiled mod_ssl with ./configure --with-apache=../apache_1.3.37 --with-ssl=../openssl-0.9.8e But when apache built, it said that it was using 0.9.8c the one installed as a pkg on the solaris box. Why would it do that? Anyway, the custom log shows the correct mod_ssl version, but an old openssl version. Any help is much appreciated, thanks in advance guys. Regards, Vish.
RE: mod_ssl performance problems - FreeBSD
Thanks for the information. What would be the recommended SSLCipherSuite settings to use? I would like to eliminate some of the lower security options, but I am curious what set of clients that would affect. Originally ports had added this line to httpd.conf SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL I then changed it to SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL And saw some huge performance changes. The TPS jumped from the 13-15 range into the lower 60 range. Also the total transaction time dropped by more than 2/3 of the original. So overall I have changed these parameters - SSLCipherSuite - see above, huge changes SSLRandomSeed - changed from /dev/random to /dev/urandom SSLSessionCacheTimeout - increased to 900 due to the time users will be in the app. What is the tradeoff memory-wise? Are there any other parameters that should be tuned? I have seen a lot about the SSLMutex but I am not sure I understand the value of making that change. Thanks again Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of a k Sent: Monday, March 26, 2007 4:39 AM To: modssl-users@modssl.org Subject: RE: mod_ssl performance problems - FreeBSD The cipher you allow will have a big impact on performance. Tim Lovelace <[EMAIL PROTECTED]> wrote: Thanks for the response. Although I expected a pretty decent difference between HTTP and HTTPS I didnt realize it would be so significant. Both machines are small P3 2ghz boxes, the client side is running Ubuntu. They are connected to the same switch. For the ab options I am running ab -n 1000 -c 100 s https://targethost I can live with the low tps count assuming that the speed was a little better. I have seen some of the initial connections take from 5-10 seconds to setup. Is there some good general tuning I should try out? 
Thanks Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Sunday, March 25, 2007 11:14 AM To: modssl-users@modssl.org Cc: [EMAIL PROTECTED] Subject: RE: mod_ssl performance problems - FreeBSD What hardware are you using for the client and the server? Are you running ab from localhost? What options are you using with ab? Most of the CPU cycles in each transaction are going to be spent in the SSL handshake. I just did a quick test of one of my servers running 1.3.37 on a dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps for HTTP, and 24 for HTTPS. I suspect that the latter may represent the capabilities of my client machine rather than the server machine. If you want fast SSL, you need hardware acceleration. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Lovelace Sent: Sunday, March 25, 2007 7:54 AM To: modssl-users@modssl.org Subject: mod_ssl performance problems - FreeBSD Hello, I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE system. I am currently running the following software Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 All built from ports. In testing of the web application I noticed that once SSL was added the initial login to the site was slowing down. I did some testing using Apache Bench and have noticed that without SSL the server can process about 700 requests per second. Using SSL the number is in the 13-15 range. I have tried changing a few parameters (log level, SSLRandomSeed, SSLSessionCache) and have seen 0 improvement. Using server_status shows that there are plenty of resources available. Any help would be appreciated. Tim
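An added illustration, not from the thread and not mod_ssl or OpenSSL code, of how the two SSLCipherSuite strings in the message above are evaluated. It uses a small constructed cipher table and a simplified model of OpenSSL's cipher-list operators: a plain keyword appends suites, `!` removes them for good, and a leading `+` only moves suites already in the list to the end. `TABLE`, `expand`, `weak` and `uses_dhe` are names made up for this example.

```python
from collections import namedtuple

Cipher = namedtuple("Cipher", "name kx au enc strength proto")

# Constructed, simplified table: a handful of suite names from OpenSSL of that
# era with the attributes the keywords below test. It is not a full cipher list.
TABLE = [
    Cipher("DHE-RSA-AES256-SHA",   "DHE", "RSA",  "AES256", "HIGH",   "SSLv3"),
    Cipher("AES256-SHA",           "RSA", "RSA",  "AES256", "HIGH",   "SSLv3"),
    Cipher("EDH-RSA-DES-CBC3-SHA", "DHE", "RSA",  "3DES",   "HIGH",   "SSLv3"),
    Cipher("DES-CBC3-SHA",         "RSA", "RSA",  "3DES",   "HIGH",   "SSLv3"),
    Cipher("DES-CBC3-MD5",         "RSA", "RSA",  "3DES",   "HIGH",   "SSLv2"),
    Cipher("RC4-SHA",              "RSA", "RSA",  "RC4",    "MEDIUM", "SSLv3"),
    Cipher("RC4-MD5",              "RSA", "RSA",  "RC4",    "MEDIUM", "SSLv3"),
    Cipher("DES-CBC-SHA",          "RSA", "RSA",  "DES",    "LOW",    "SSLv3"),
    Cipher("EXP1024-RC4-SHA",      "RSA", "RSA",  "RC4",    "EXP56",  "SSLv3"),
    Cipher("EXP-RC4-MD5",          "RSA", "RSA",  "RC4",    "EXP40",  "SSLv3"),
    Cipher("EXP-DES-CBC-SHA",      "RSA", "RSA",  "DES",    "EXP40",  "SSLv3"),
    Cipher("ADH-AES256-SHA",       "DH",  "anon", "AES256", "HIGH",   "SSLv3"),
    Cipher("NULL-SHA",             "RSA", "RSA",  "NULL",   "NONE",   "SSLv3"),
]

# Keyword -> predicate. "RSA" is modelled as RSA key exchange.
KEYWORDS = {
    "ALL":      lambda c: c.enc != "NULL",          # ALL does not include eNULL
    "ADH":      lambda c: c.kx == "DH" and c.au == "anon",
    "RSA":      lambda c: c.kx == "RSA",
    "RC4":      lambda c: c.enc == "RC4",
    "HIGH":     lambda c: c.strength == "HIGH",
    "MEDIUM":   lambda c: c.strength == "MEDIUM",
    "LOW":      lambda c: c.strength == "LOW",
    "EXP":      lambda c: c.strength in ("EXP40", "EXP56"),
    "EXPORT56": lambda c: c.strength == "EXP56",
    "SSLv2":    lambda c: c.proto == "SSLv2",
    "eNULL":    lambda c: c.enc == "NULL",
}

ORIGINAL = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
CHANGED = "!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"


def expand(cipher_string, table=TABLE):
    """Return suite names in preference order for a ':'-separated string."""
    active, killed = [], set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        op = token[0] if token[0] in "!+-" else ""
        # Inside a token, '+' joins keywords that must all match (RC4+RSA).
        keywords = token[len(op):].split("+")
        unknown = [k for k in keywords if k not in KEYWORDS]
        if unknown:
            raise ValueError("keyword not in this model: %s" % unknown)
        names = [c.name for c in table if all(KEYWORDS[k](c) for k in keywords)]
        if op == "!":      # delete, and never allow back in
            killed.update(names)
            active = [n for n in active if n not in names]
        elif op == "-":    # delete, may be re-added later
            active = [n for n in active if n not in names]
        elif op == "+":    # reorder only: never adds a suite
            moved = [n for n in active if n in names]
            active = [n for n in active if n not in names] + moved
        else:              # append suites that are not yet in the list
            active += [n for n in names if n not in active and n not in killed]
    return active


def weak(names, table=TABLE):
    """Suites in `names` that are export, LOW, NULL, SSLv2 or anonymous."""
    by_name = {c.name: c for c in table}
    return [n for n in names
            if by_name[n].strength in ("EXP40", "EXP56", "LOW", "NONE")
            or by_name[n].proto == "SSLv2" or by_name[n].au == "anon"]


def uses_dhe(names, table=TABLE):
    """True if any selected suite uses ephemeral Diffie-Hellman key exchange."""
    by_name = {c.name: c for c in table}
    return any(by_name[n].kx == "DHE" for n in names)


if __name__ == "__main__":
    for label, s in (("original", ORIGINAL), ("changed", CHANGED)):
        selected = expand(s)
        print(label, selected, "weak:", weak(selected), "DHE:", uses_dhe(selected))
```

Under this model the shortened string selects only the RSA-key-exchange RC4 suites, so no ephemeral Diffie-Hellman handshake is negotiated, and one 40-bit export suite is still enabled. `openssl ciphers -v '<string>'` prints the real list for the installed library.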
RE: mod_ssl performance problems - FreeBSD
The cipher you allow will have a big impact on performance. Tim Lovelace <[EMAIL PROTECTED]> wrote: Thanks for the response. Although I expected a pretty decent difference between HTTP and HTTPS I didnt realize it would be so significant. Both machines are small P3 2ghz boxes, the client side is running Ubuntu. They are connected to the same switch. For the ab options I am running ab -n 1000 -c 100 s https://targethost I can live with the low tps count assuming that the speed was a little better. I have seen some of the initial connections take from 5-10 seconds to setup. Is there some good general tuning I should try out? Thanks Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Sunday, March 25, 2007 11:14 AM To: modssl-users@modssl.org Cc: [EMAIL PROTECTED] Subject: RE: mod_ssl performance problems - FreeBSD What hardwre are you using for the client and the server? are you running ab from localhost? What options are you using with ab? Most of the CPU cycles in each transaction are going to be spent in the SSL handshake. I just did a quick test of one of my servers running 1.3.37 on a dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps for HTTP, and 24 for HTTPS. I suspect that the latter may represent the capabilities of my client machine rather than the server machine. If you want fast SSL, you need hardware acceleration. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Lovelace Sent: Sunday, March 25, 2007 7:54 AM To: modssl-users@modssl.org Subject: mod_ssl performance problems - FreeBSD Hello, I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE system. I am currently running the following software Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 All built from ports. In testing of the web application I noticed that once SSL was added the initial login to the site was slowing down. 
I did some testing using Apache Bench and have noticed that without SSL the server can process about 700 requests per second. Using SSL the number is in the 13-15 range. I have tried changing a few parameters (log level, SSLRandomSeed, SSLSessionCache) and have seen 0 improvement. Using server_status shows that there are plenty of resources available. Any help would be appreciated. Tim
RE: mod_ssl performance problems - FreeBSD
Thanks for the response. Although I expected a pretty decent difference between HTTP and HTTPS I didnt realize it would be so significant. Both machines are small P3 2ghz boxes, the client side is running Ubuntu. They are connected to the same switch. For the ab options I am running ab -n 1000 -c 100 s https://targethost I can live with the low tps count assuming that the speed was a little better. I have seen some of the initial connections take from 5-10 seconds to setup. Is there some good general tuning I should try out? Thanks Tim From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Sunday, March 25, 2007 11:14 AM To: modssl-users@modssl.org Cc: [EMAIL PROTECTED] Subject: RE: mod_ssl performance problems - FreeBSD What hardwre are you using for the client and the server? are you running ab from localhost? What options are you using with ab? Most of the CPU cycles in each transaction are going to be spent in the SSL handshake. I just did a quick test of one of my servers running 1.3.37 on a dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps for HTTP, and 24 for HTTPS. I suspect that the latter may represent the capabilities of my client machine rather than the server machine. If you want fast SSL, you need hardware acceleration. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Lovelace Sent: Sunday, March 25, 2007 7:54 AM To: modssl-users@modssl.org Subject: mod_ssl performance problems - FreeBSD Hello, I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE system. I am currently running the following software Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 All built from ports. In testing of the web application I noticed that once SSL was added the initial login to the site was slowing down. I did some testing using Apache Bench and have noticed that without SSL the server can process about 700 requests per second. 
Using SSL the number is in the 13-15 range. I have tried changing a few parameters (log level, SSLRandomSeed, SSLSessionCache) and have seen 0 improvement. Using server_status shows that there are plenty of resources available. Any help would be appreciated. Tim
RE: mod_ssl performance problems - FreeBSD
What hardware are you using for the client and the server? Are you running ab from localhost? What options are you using with ab? Most of the CPU cycles in each transaction are going to be spent in the SSL handshake. I just did a quick test of one of my servers running 1.3.37 on a dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps for HTTP, and 24 for HTTPS. I suspect that the latter may represent the capabilities of my client machine rather than the server machine. If you want fast SSL, you need hardware acceleration. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Lovelace Sent: Sunday, March 25, 2007 7:54 AM To: modssl-users@modssl.org Subject: mod_ssl performance problems - FreeBSD Hello, I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE system. I am currently running the following software Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 All built from ports. In testing of the web application I noticed that once SSL was added the initial login to the site was slowing down. I did some testing using Apache Bench and have noticed that without SSL the server can process about 700 requests per second. Using SSL the number is in the 13-15 range. I have tried changing a few parameters (log level, SSLRandomSeed, SSLSessionCache) and have seen 0 improvement. Using server_status shows that there are plenty of resources available. Any help would be appreciated. Tim
mod_ssl performance problems - FreeBSD
Hello, I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE system. I am currently running the following software Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch mod_ssl/2.8.28 OpenSSL/0.9.7e-p1 All built from ports. In testing of the web application I noticed that once SSL was added the initial login to the site was slowing down. I did some testing using Apache Bench and have noticed that without SSL the server can process about 700 requests per second. Using SSL the number is in the 13-15 range. I have tried changing a few parameters (log level, SSLRandomSeed, SSLSessionCache) and have seen 0 improvement. Using server_status shows that there are plenty of resources available. Any help would be appreciated. Tim
Apache 2.0.59 with mod_ssl
Hi there, I have installed Apache 2.0.59 from the sourcecode with the mod_jk module, but now I have a problem since I want (I need) to install the mod_ssl module but I don't want to recompile or reinstall the whole Apache. Is it possible to do so? Is there any way of compiling only the module or to get it from a RPM or something like that? Maybe compiling the whole Apache but without installing it and moving the mod_ssl.so library to the appropriate directory? I'm working with a RedHat Linux. Thanks in advance. Any help or advice will be great. Thanks again, Bittor.
Build Apache 1.3.37 with mod_ssl on Ubuntu x86_64
I'm trying to build apache 1.3.37 with ssl support on a Ubuntu 6.1 running on a AMD Turion 64. I've downloaded the following packages:

Apache 1.3.37 sources (apache_1.3.37.tar.gz from httpd.apache.org)
Mod SSL 2.8.28 (mod_ssl-2.8.28-1.3.37.tar.gz from www.modssl.org)
Open SSL 0.9.8e (openssl-0.9.8e.tar.gz from www.openssl.org)

I've built openssl as described in the INSTALL file provided with mod_ssl distribution, using gcc-4.0:

 ./config no-idea -fPIC no-threads --prefix=/path/to/local/openssl
 make
 make test
 make install

Then I've patched Apache by using (in the mod_ssl directory):

 ./Configure --with-apache=/path/to/local/apache

then I've switched to the apache tree and configured it as follows:

 MM_BASE=/path/to/mm/ \
 SSL_BASE=/path/to/local/openssl \
 ./configure \
 --prefix=/path/to/local/apache \
 --enable-module=most \
 --enable-shared=max \
 --disable-module=auth_dbm \
 --disable-module=cern_meta \
 --disable-module=log_agent \
 --disable-module=log_referer \
 --disable-module=usertrack
 make

I received the ld error while linking libssl.so saying that libcrypto.a (module x86_64cpuid.o) cannot be relocated, compile with -fPIC (but is what I've done). I've also tried using gcc-3.3 as well as using -fpic instead of -fPIC while building openssl. I've tried to use the DSO version of libcrypto/libssl and compilation goes well but when starting apache it stops due to unresolved symbols (SSL_). I found nothing appropriate on the Internet, because all solutions are "rebuild openssl with -fPIC" (but is what I'm doing).

Can someone help me?

Thanks in Advance
Gianluca
Core dump with mod_ssl
Hi,

When I use mod_ssl and test it with RoadRunner it dumps core. The details are given below.

$ openssl version
OpenSSL 0.9.8d 28 Sep 2006
$ httpd -v
Server version: Apache/2.0.58 HP-UX_Apache-based_Web_Server
Server built: Dec 20 2006 13:10:19
$

(gdb) bt
#0 0xc0214508 in kill+0x10 ()
#1 0x4e9f4 in sig_coredump+0x88 ()
#2
#3 0xc0c3141c in ASN1_STRING_free+0x14 ()
#4 0xc0c989c8 in ASN1_primitive_free+0x68 ()
#5 0xc0c98834 in asn1_item_combine_free+0x3dc ()
#6 0xc0c987e0 in asn1_item_combine_free+0x388 ()
#7 0xc0c98388 in ASN1_item_free+0x20 ()
#8 0xc0c2bc50 in X509_free+0x18 ()
#9 0xc0be0b2c in SSL_SESSION_free+0xac ()
#10 0xc0bd96e4 in SSL_free+0x124 ()
#11 0xc0bbb64c in ssl_filter_io_shutdown+0x14c ()
#12 0xc0bbc0dc in ssl_io_filter_output+0x1fc ()
#13 0x4fa14 in ap_pass_brigade+0x6c ()
#14 0x4c114 in ap_flush_conn+0x84 ()
#15 0x4c1f8 in ap_lingering_close+0x60 ()
#16 0x3a310 in process_socket+0xb8 ()
#17 0x3aec8 in worker_thread+0x1e0 ()
#18 0xc0522f54 in dummy_worker+0x1c ()
#19 0xc0094024 in __pthread_bound_body+0xa8 ()
#20 0xc00c4ab4 in __pthread_bound_start+0x14 ()

Does it have to do anything with some pointer alignment problem? Let me know if more details are needed.

Thanks in advance,
Pradeep
httpd signal 11, Segmentation fault and mod_ssl
Good day for all. Ive got newly installed linux box with APACHE 1.3.27PHP/4.4.4 mod_ssl/2.8.28 OpenSSL/0.9.8d Some times in a day in httpd error_log appears lines child pid * exit signal Segmentation fault (11) I decided to get a core dump. After using gdb utility, i've got the following output gdb /opt/apache/bin/httpd /tmp/core.2019 GNU gdb Red Hat Linux (6.5-8.fc6rh) Copyright (C) 2006 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux-gnu"...(no debugging symbols found) Using host libthread_db library "/lib/libthread_db.so.1". warning: Can't read pathname for load map: Input/output error. Reading symbols from /lib/libm.so.6...(no debugging symbols found)...done. Loaded symbols for /lib/libm.so.6 Reading symbols from /lib/libcrypt.so.1...(no debugging symbols found)...done. Loaded symbols for /lib/libcrypt.so.1 Reading symbols from /usr/lib/libgdbm.so.2...(no debugging symbols found)...done. Loaded symbols for /usr/lib/libgdbm.so.2 Reading symbols from /lib/libexpat.so.0...(no debugging symbols found)...done. Loaded symbols for /lib/libexpat.so.0 Reading symbols from /lib/libdl.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/libdl.so.2 Reading symbols from /lib/libc.so.6... (no debugging symbols found)...done. Loaded symbols for /lib/libc.so.6 Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/ld-linux.so.2 Reading symbols from /lib/libnss_files.so.2...(no debugging symbols found)...done. Loaded symbols for /lib/libnss_files.so.2 Reading symbols from /opt/apache/libexec/libphp4.so...done. Loaded symbols for /opt/apache/libexec/libphp4.so Reading symbols from /usr/lib/libpng12.so.0...done. 
Loaded symbols for /usr/lib/libpng12.so.0 Reading symbols from /usr/lib/libz.so.1...done. Loaded symbols for /usr/lib/libz.so.1 Reading symbols from /usr/lib/libjpeg.so.62...done. Loaded symbols for /usr/lib/libjpeg.so.62 Reading symbols from /usr/lib/libcurl.so.3...done. Loaded symbols for /usr/lib/libcurl.so.3 Reading symbols from /lib/libresolv.so.2...done. Loaded symbols for /lib/libresolv.so.2 Reading symbols from /lib/libnsl.so.1...done. Loaded symbols for /lib/libnsl.so.1 Reading symbols from /usr/lib/libgssapi_krb5.so.2...done. Loaded symbols for /usr/lib/libgssapi_krb5.so.2 Reading symbols from /usr/lib/libkrb5.so.3...done. Loaded symbols for /usr/lib/libkrb5.so.3 Reading symbols from /usr/lib/libk5crypto.so.3...done. Loaded symbols for /usr/lib/libk5crypto.so.3 Reading symbols from /lib/libcom_err.so.2...done. Loaded symbols for /lib/libcom_err.so.2 Reading symbols from /usr/lib/libidn.so.11...done. Loaded symbols for /usr/lib/libidn.so.11 Reading symbols from /lib/libssl.so.6...done. Loaded symbols for /lib/libssl.so.6 Reading symbols from /lib/libcrypto.so.6...done. Loaded symbols for /lib/libcrypto.so.6 Reading symbols from /usr/lib/libkrb5support.so.0...done. Loaded symbols for /usr/lib/libkrb5support.so.0 Reading symbols from /usr/local/Zend/lib/ZendExtensionManager.so...done. Loaded symbols for /usr/local/Zend/lib/ZendExtensionManager.so Reading symbols from /usr/local/Zend/lib/Optimizer-3.2.0/php-4.4.x /ZendOptimizer.so...done. Loaded symbols for /usr/local/Zend/lib/Optimizer-3.2.0/php-4.4.x /ZendOptimizer.so Failed to read a valid object file image from memory. Core was generated by `/opt/apache/bin/httpd -DSSL'. Program terminated with signal 11, Segmentation fault. #0 0x08101ea1 in do_ssl3_write () (gdb) bt full #0 0x08101ea1 in do_ssl3_write () No symbol table info available. #1 0x08101e9e in do_ssl3_write () No symbol table info available. #2 0x0010 in ?? () No symbol table info available. #3 0x082fb5b8 in ?? () No symbol table info available. 
#4 0x in ?? () No symbol table info available. As you see segfault was at function do_ssl3_write () The next step is to identify this problem. What it could be? Thanks in advance!!
Re: mod_ssl for apache 2.x?
On Fri, Dec 29, 2006 at 08:31:32PM +, Bahadir Balban wrote:
> Does mod_ssl work on Apache 2.x? Why does it say mod_ssl is for 1.3
> everywhere?

Because the version of mod_ssl you find at modssl.org is only for 1.3.

> Is there any other ssl solution to apache 2.x?

--enable-ssl when configuring apache 2 - mod_ssl is included in the apache httpd-2.x source.

vh

Mads Toftum
--
http://soulfood.dk
mod_ssl for apache 2.x?
Hi, Does mod_ssl work on Apache 2.x? Why does it say mod_ssl is for 1.3 everywhere? Is there any other ssl solution to apache 2.x? Thanks, Bahadir
Re: Mod_SSL
You don't have to patch anything. It's already in there. Just add --enable-ssl to the ./configure command line arguments.

--Cliff

On 11/10/06, kbajwa <[EMAIL PROTECTED]> wrote:

Cliff: You are all right. This is my first try to build a server, so I need further help. I have downloaded the latest Apache version 'httpd-2.2.3'. I am at the point where I need to patch it with 'mod_ssl' module. Can you guide me how to patch 'httpd-2.2.3' with the latest version of 'mod_ssl-2.2.828-1.3.37'? Thanks in advance. Kirt

-Original Message-
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Cliff Woolley
Sent: Tuesday, November 07, 2006 5:05 PM
To: modssl-users@modssl.org
Subject: Re: Mod_SSL

What this person is getting at is that the reason you can't find a mod_ssl patch for Apache 2.x is that mod_ssl comes pre-bundled with Apache 2.x. Just enable it when you run configure on the apache build.

--Cliff

On 11/7/06, Kong, Yi - HPL < [EMAIL PROTECTED]> wrote:

You add ssl argument when you configure the apache

From: kbajwa [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 07, 2006 10:22 AM
To: modssl-users@modssl.org
Subject: Mod_SSL

My first posting! I am installing Apache-2.2.3 and would like to install mod_ssl. I notice that current/latest version of mod_ssl is for Apache-1.x.x version. Is there any way (with a patch) to install the latest version of mod_ssl on Apache-2.x.x?
RE: Mod_SSL
Cliff: You are all right. This is my first try to build a server, so I need further help. I have downloaded the latest Apache version 'httpd-2.2.3'. I am at the point where I need to patch it with 'mod_ssl' module. Can you guide me how to patch 'httpd-2.2.3' with the latest version of 'mod_ssl-2.2.828-1.3.37'? Thanks in advance. Kirt

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cliff Woolley
Sent: Tuesday, November 07, 2006 5:05 PM
To: modssl-users@modssl.org
Subject: Re: Mod_SSL

What this person is getting at is that the reason you can't find a mod_ssl patch for Apache 2.x is that mod_ssl comes pre-bundled with Apache 2.x. Just enable it when you run configure on the apache build.

--Cliff

On 11/7/06, Kong, Yi - HPL <[EMAIL PROTECTED]> wrote:

You add ssl argument when you configure the apache

From: kbajwa [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 07, 2006 10:22 AM
To: modssl-users@modssl.org
Subject: Mod_SSL

My first posting! I am installing Apache-2.2.3 and would like to install mod_ssl. I notice that current/latest version of mod_ssl is for Apache-1.x.x version. Is there any way (with a patch) to install the latest version of mod_ssl on Apache-2.x.x?
Re: Howto "unload" the mod_ssl from memory?
Hi Louise, Hi Patrick =) Include conf.d/*.conf So this includes *.conf files listed in the conf.d directory (in mine, this is on the same directory level as the "conf" directory below /etc/httpd). My ssl.conf file is in this second directory and has as one of its commands: This was just it =) I backed up the original and called it _ssl.conf From now on will I learn how to use SVN, and check /etc in as the first thing, so I don't try something similar another time =) I do not know if this will apply to your situation but it sounds like it might be something to check. It took me a couple of hours of digging around in the filesystem to find that one. I'm a noobie or I guess I would have found it quicker. :-) I think I spend about 4-5 hours on the debugging and tracing without solving this problem, so I am very glad for Michael's and yours reply =) I would very have solved it without. With love, Louise
Re: Mod_SSL
What this person is getting at is that the reason you can't find a mod_ssl patch for Apache 2.x is that mod_ssl comes pre-bundled with Apache 2.x. Just enable it when you run configure on the apache build.

--Cliff

On 11/7/06, Kong, Yi - HPL <[EMAIL PROTECTED]> wrote:

You add ssl argument when you configure the apache

From: kbajwa [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 07, 2006 10:22 AM
To: modssl-users@modssl.org
Subject: Mod_SSL

My first posting! I am installing Apache-2.2.3 and would like to install mod_ssl. I notice that current/latest version of mod_ssl is for Apache-1.x.x version. Is there any way (with a patch) to install the latest version of mod_ssl on Apache-2.x.x?
RE: Mod_SSL
You add ssl argument when you configure the apache

From: kbajwa [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 07, 2006 10:22 AM
To: modssl-users@modssl.org
Subject: Mod_SSL

Hello List: My first posting! I am installing Apache-2.2.3 and would like to install mod_ssl. I notice that current/latest version of mod_ssl is for Apache-1.x.x version. Is there any way (with a patch) to install the latest version of mod_ssl on Apache-2.x.x?

Thanks.

Kirt
Mod_SSL
Hello List: My first posting! I am installing Apache-2.2.3 and would like to install mod_ssl. I notice that current/latest version of mod_ssl is for Apache-1.x.x version. Is there any way (with a patch) to install the latest version of mod_ssl on Apache-2.x.x?

Thanks.

Kirt
Forgotten mod_ssl pool?
Apache 2 SSL question which is probably related to mod_ssl:

The Apache 2.2.3 SSL implementation has a pool in the ssl_expr_node struct (in ssl_expr.h) whereas the latest mod_ssl implementation does not. I know mod_ssl is only for Apache 3.1.* but the pool in Apache 2.2.3 doesn't seem to be used anyway! Is this just a forgotten pool from older versions of mod_ssl or does it have a purpose?

An extra pointer in the struct is not really a problem as such but I want to make a copy (in my own allocated memory, which is not tied to an apache pool) and then execute it later using ssl_expr_exec(). If a copy of the contents of the pool is also necessary, well then it could be a problem.

Many thanks to anyone who knows

Christiaan

Some more details below:

--- ssl_expr.h:

typedef struct {
    ssl_expr_node_op node_op;
    void *node_arg1;
    void *node_arg2;
    apr_pool_t *p;
} ssl_expr_node;

typedef ssl_expr_node ssl_expr;

---

The pool in ssl_expr_node doesn't seem to be used? Either when the struct is created (ssl_expr.c):

ssl_expr *ssl_expr_comp(apr_pool_t *p, char *expr)

or when it is evaluated:

int ssl_expr_exec(request_rec *r, ssl_expr *expr)

Many thanks in advance

Christiaan Lamprecht
Re: Howto "unload" the mod_ssl from memory?
Louise Hoffman wrote:
> Replying to my own post again. Even if I have stopped all daemons that uses libssl, I get the "module ssl_module is already loaded, skipping" error. Could there be something very wrong with my ssl.conf? I haven't made changes to httpd.conf because this howto doesn't do that: http://www.vanemery.com/Linux/Apache/apache-SSL.html

Hi Louise,

Two things you can check are your httpd.conf and ssl.conf files. In mine, the httpd.conf file contains:

LoadModule ssl_module modules/mod_ssl.so

and then just a few lines down:

#
# Load config files from the config directory "/etc/httpd/conf.d".
#
Include conf.d/*.conf

So this includes *.conf files listed in the conf.d directory (in mine, this is on the same directory level as the "conf" directory below /etc/httpd). My ssl.conf file is in this second directory and has as one of its commands:

LoadModule ssl_module modules/mod_ssl.so

This was triggering the same error you are seeing on your server. I kept trying to find out why this module was getting loaded twice and finally ran it down. I just commented out the "LoadModule..." command in the httpd.conf file and the problem cleared up (since it was only getting loaded once now instead of twice: once in the httpd.conf file and again in the ssl.conf file).

I do not know if this will apply to your situation but it sounds like it might be something to check. It took me a couple of hours of digging around in the filesystem to find that one. I'm a noobie or I guess I would have found it quicker. :-)

Patrick
Re: Howto "unload" the mod_ssl from memory?
This:

module ssl_module is already loaded, skipping

means you have LoadModule ssl_module specified twice in your apache configuration.

This:

_default_ VirtualHost overlap on port 443, the first has precedence

means you have two virtual hosts defined in your configuration which conflict because they want to use the same socket (IP address/port pair).

When you move ssl_conf out the way, SSL still works because you must have LoadModule ssl_module and an SSL virtual host defined in another config file. Look through your config files and find the offending duplicate entries.

What's probably happening is your Apache distribution already has SSL configured, and when you've followed the SSL howto you've duplicated the steps required to enable SSL.

That's my tuppence worth anyway. Hope it helps.

--
Michael
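The check Michael and Patrick describe, as an added example that is not part of either post: a Python script that follows Include lines from httpd.conf and reports every LoadModule or Listen directive that occurs more than once. The sample tree, including the file name conf.d/site-ssl.conf, is constructed for the demonstration.

```python
import glob
import os
import re
import tempfile
from collections import defaultdict

# Directives behind the warnings in this thread when they occur twice.
WATCHED = {"loadmodule", "listen"}

def walk_config(path, server_root, _seen=None):
    """Yield (file, line_no, directive, first_arg), following Include lines."""
    _seen = set() if _seen is None else _seen
    real = os.path.realpath(path)
    if real in _seen:  # guard against Include loops
        return
    _seen.add(real)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line_no, raw in enumerate(fh, 1):
            match = re.match(r"\s*(\w+)\s+(\S+)", raw)
            if not match:  # blank lines, comments, <Section> tags
                continue
            name, arg = match.group(1).lower(), match.group(2).strip('"')
            if name == "include":
                # Relative Include paths are resolved against ServerRoot.
                pattern = os.path.join(server_root, arg)
                for child in sorted(glob.glob(pattern)):
                    if os.path.isfile(child):
                        yield from walk_config(child, server_root, _seen)
            else:
                yield path, line_no, name, arg

def find_duplicates(main_conf, server_root):
    """Map (directive, argument) -> [(relative file, line)] for repeats only."""
    hits = defaultdict(list)
    for path, line_no, name, arg in walk_config(main_conf, server_root):
        if name in WATCHED:
            where = (os.path.relpath(path, server_root), line_no)
            hits[(name, arg.lower())].append(where)
    return {key: found for key, found in hits.items() if len(found) > 1}

# Constructed sample tree: the layout Patrick describes, plus a second
# hypothetical vhost file that also opens port 443.
SAMPLE = {
    "conf/httpd.conf": "LoadModule ssl_module modules/mod_ssl.so\n"
                       "# Load config files from the config directory\n"
                       "Include conf.d/*.conf\n",
    "conf.d/ssl.conf": "LoadModule ssl_module modules/mod_ssl.so\nListen 443\n",
    "conf.d/site-ssl.conf": "Listen 443\n",
}

def demo():
    """Write SAMPLE to a temporary ServerRoot and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLE.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(text)
        return find_duplicates(os.path.join(root, "conf", "httpd.conf"), root)

if __name__ == "__main__":
    for (name, arg), found in sorted(demo().items()):
        print(f"{name} {arg}: " + ", ".join(f"{f}:{n}" for f, n in found))
```

On a real server, call find_duplicates with the path to httpd.conf and the ServerRoot (for the layout in the thread, /etc/httpd).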
Re: Howto "unload" the mod_ssl from memory?
Replying to my own post again.

Even if I have stopped all daemons that use libssl, I get the "module ssl_module is already loaded, skipping" error. Could there be something very wrong with my ssl.conf?

I haven't made changes to httpd.conf because this howto doesn't do that: http://www.vanemery.com/Linux/Apache/apache-SSL.html

I have stripped the comments from it to shorten it for this email.

So I am completely out of ideas now... I hope someone at this mailinglist can help me =)

Hugs,
Louise

LoadModule ssl_module modules/mod_ssl.so
Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
DocumentRoot "/var/www/html"
ServerName removed.com:443
ServerAdmin [EMAIL PROTECTED]
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/my-ca.crt
SSLCACertificateFile /etc/httpd/conf/ssl.crt/my-ca.crt
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
Re: Howto "unload" the mod_ssl from memory?
Replying to my own post.

I have found the problem, and it is not Apache not unloading its modules =)

~# lsof|grep ssl
rpc.idmap 2607root mem REG 253,02136005884682 /lib/libssl.so.0.9.7a
vsftpd 2760root mem REG 253,02136005884682 /lib/libssl.so.0.9.7a
mysqld31323 mysql mem REG 253,02136005884682 /lib/libssl.so.0.9.7a
~#

but rpc.idmap (whatever that is), vsftpd, and mysqld.

One problem solved, another arose =)

Any help I can get is much appreciated =)

Love,
Louise
Howto "unload" the mod_ssl from memory?
Dear readers,

Can anyone teach me how to unload/kill/remove the SSL module from memory, so when I restart Apache the SSL module will be loaded again?

The reason I am asking is because I get this error:

Starting httpd: [Sat Nov 04 18:59:43 2006] [warn] module ssl_module is already loaded, skipping
[Sat Nov 04 18:59:43 2006] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
(98)Address already in use: make_sock: could not bind to address [::]:443
no listening sockets available, shutting down
Unable to open logs

and the strangest thing is, if I

~# mv /etc/httpd/conf.d/ssl_conf /etc/httpd/conf.d/ssl_conf_old
~# apachectl restart

it works, but https:// still works on the server.

So I guess if I could unload the module I could make the changes to ssl_conf that I need, and restart Apache and the new settings would be loaded.

Can anyone help me with this? =)

Lots of love,
Louise
Re: Does Mod_SSL use SSL_get_shared_ciphers()?
One more thing. I can see this on 2.0.54 with OpenSSL at 0.9.7d on AIX as well. I think there is something masking this problem on other platforms, or I have been building this in some weird and mysterious way you guys don't do (highly unlikely I think).

Regards,

Per

Phil Ehrens wrote:
> Interesting. Must be an Apache 2.2.X thing. The symbol definitely does not appear in 2.0.55.
>
> Per Olausson wrote:
Re: Does Mod_SSL use SSL_get_shared_ciphers()?
So what are the next steps...is this being highlighted as a risk anywhere? I am surprised that this doesn't get onto the main security page if it is a risk...how else would anyone find out about it and take preventative measures?

Regards,

Per

Phil Ehrens wrote:
> Interesting. Must be an Apache 2.2.X thing. The symbol definitely does not appear in 2.0.55.
>
> Per Olausson wrote:
> Phil,
>
> Is it the way I am building Apache or is Linux or Solaris hiding this symbol? I've checked this on a gentoo build, but on my machine the module has no symbols.
>
> Details as below:
>
> Apache/2.2.3
> OpenSSL 0.9.8c
> AIX 5200-09
> *
> nm mod_ssl.so | grep SSL_get_shared_ciphers
> .SSL_get_shared_ciphers T 269028692
> .SSL_get_shared_ciphers_139_116 t 269031772*
>
> nm(1):
>
> T Global text symbol.
> t Local text symbol.
>
> Regards,
>
> Per
>
> Phil Ehrens wrote:
> Per Olausson wrote:
> Phil Ehrens: I just checked a couple different versions and did not see that function.
>
> I posted a question about this to the apache security mailbox, but nobody responded. I guess that is in line with the policy for that mailbox even if I find it somewhat unhelpful, considering that SSL isn't completely a rarity when using Apache.
>
> The reason I am concerned is because mod_ssl indirectly references SSL_get_shared_ciphers. It is in use. You can see this if you use something like nm and grep for this function.
>
> So is mod_ssl vulnerable? Is the functionality insulated and not possible to trigger from the mod_ssl user scenario, or is it?
>
> If anyone has any ideas please let me know!
>
> The symbol is not defined in mod_ssl on any of my Linux or Solaris systems, all of which are running Apache-2.0.55. What version are you looking at?
Re: Does Mod_SSL use SSL_get_shared_ciphers()?
Interesting. Must be an Apache 2.2.X thing. The symbol definitely does not appear in 2.0.55.

Per Olausson wrote:
>
> Phil,
>
> Is it the way I am building Apache or is Linux or Solaris hiding this
> symbol? I've checked this on a gentoo build, but on my machine the
> module has no symbols.
>
> Details as below:
>
> Apache/2.2.3
> OpenSSL 0.9.8c
> AIX 5200-09
> *
> nm mod_ssl.so | grep SSL_get_shared_ciphers
> .SSL_get_shared_ciphers T 269028692
> .SSL_get_shared_ciphers_139_116 t 269031772*
>
> nm(1):
>
> T Global text symbol.
> t Local text symbol.
>
> Regards,
>
>
> Per
>
> Phil Ehrens wrote:
> >Per Olausson wrote:
> >
> >>>Phil Ehrens:
> >>>I just checked a couple different versions and did not see that
> >>>function.
> >>>
> >>I posted a question about this to the apache security mailbox, but
> >>nobody responded. I guess that is in line with the policy for that
> >>mailbox even if I find it somewhat unhelpful, considering that SSL isn't
> >>completely a rarity when using Apache.
> >>
> >>The reason I am concerned is because mod_ssl indirectly references
> >>SSL_get_shared_ciphers. It is in use. You can see this if you use
> >>something like nm and grep for this function.
> >>
> >>So is mod_ssl vulnerable? Is the functionality insulated and not
> >>possible to trigger from the mod_ssl user scenario, or is it?
> >>
> >>If anyone has any ideas please let me know!
> >>
> >
> >The symbol is not defined in mod_ssl on any of my Linux or Solaris
> >systems, all of which are running Apache-2.0.55. What version are
> >you looking at?

--
Phil Ehrens <[EMAIL PROTECTED]>         | Fun stuff:
The LIGO Laboratory, MS 18-34          | http://www.ralphmag.org
California Institute of Technology     | http://www.trenchman.com
1200 East California Blvd.             | http://www.tokyotosho.com
Pasadena, CA 91125 USA                 | My gpg public key:
Phone:(626)395-8518 Fax:(626)793-9744  | http://www.imbe.net/peligo.asc
Re: Does Mod_SSL use SSL_get_shared_ciphers()?
Phil,

Is it the way I am building Apache or is Linux or Solaris hiding this symbol? I've checked this on a gentoo build, but on my machine the module has no symbols.

Details as below:

Apache/2.2.3
OpenSSL 0.9.8c
AIX 5200-09
*
nm mod_ssl.so | grep SSL_get_shared_ciphers
.SSL_get_shared_ciphers T 269028692
.SSL_get_shared_ciphers_139_116 t 269031772*

nm(1):

T Global text symbol.
t Local text symbol.

Regards,

Per

Phil Ehrens wrote:
> Per Olausson wrote:
> Phil Ehrens: I just checked a couple different versions and did not see that function.
>
> I posted a question about this to the apache security mailbox, but nobody responded. I guess that is in line with the policy for that mailbox even if I find it somewhat unhelpful, considering that SSL isn't completely a rarity when using Apache.
>
> The reason I am concerned is because mod_ssl indirectly references SSL_get_shared_ciphers. It is in use. You can see this if you use something like nm and grep for this function.
>
> So is mod_ssl vulnerable? Is the functionality insulated and not possible to trigger from the mod_ssl user scenario, or is it?
>
> If anyone has any ideas please let me know!
>
> The symbol is not defined in mod_ssl on any of my Linux or Solaris systems, all of which are running Apache-2.0.55. What version are you looking at?
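An added example, not part of any post in this thread: a Python helper that reads nm output in either column order and reports whether SSL_get_shared_ciphers is defined inside the module, imported from a shared library, or missing from the listing. The first listing is the one Per posted; the GNU-style listings and the use of ssl_hook_Access as a stand-in symbol are constructed.

```python
import re

TARGET = "SSL_get_shared_ciphers"

# What each result means for patching (general linker behaviour, not a
# statement about any particular Apache build).
ADVICE = {
    "defined": "code is inside the module: rebuild it against a fixed OpenSSL",
    "imported": "resolved from libssl at load time: upgrade the shared library",
    "absent": "not in this listing: if the file is stripped, retry with nm -D",
}

def classify_symbol(nm_output, symbol=TARGET):
    """Return 'defined', 'imported' or 'absent' for `symbol`.

    Handles both column orders: GNU nm prints "value type name", the AIX
    listing quoted in the thread prints "name type value".
    """
    state = "absent"
    for line in nm_output.splitlines():
        tokens = line.split()
        # AIX marks code entry points with a leading "."; GNU nm -D may
        # append "@VERSION". Exact matching skips longer names such as
        # SSL_get_shared_ciphers_139_116.
        names = {t.lstrip(".").split("@")[0] for t in tokens}
        types = [t for t in tokens if re.fullmatch(r"[A-Za-z]", t)]
        if symbol not in names or not types:
            continue
        if types[0] == "U":
            state = "imported"
        else:
            return "defined"  # a definition anywhere outweighs an import
    return state

# From Per's post (AIX, Apache 2.2.3, OpenSSL 0.9.8c).
AIX_LISTING = """\
.SSL_get_shared_ciphers T 269028692
.SSL_get_shared_ciphers_139_116 t 269031772
"""

# Constructed GNU nm -D style listings; ssl_hook_Access stands in for
# the module's own symbols.
GNU_DYNAMIC = """\
                 U SSL_get_shared_ciphers
0000000000012340 T ssl_hook_Access
"""
GNU_NO_REFERENCE = "0000000000012340 T ssl_hook_Access\n"

def report(listing):
    """One-line summary of where the symbol lives and what to patch."""
    state = classify_symbol(listing)
    return f"{TARGET}: {state} ({ADVICE[state]})"

if __name__ == "__main__":
    for listing in (AIX_LISTING, GNU_DYNAMIC, GNU_NO_REFERENCE):
        print(report(listing))
```

The result says where the function's code lives, not whether a request can reach it; answering that still means checking which mod_ssl code paths call it.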
Re: Does Mod_SSL use SSL_get_shared_ciphers()?
Per Olausson wrote:
>
> >Phil Ehrens:
> >I just checked a couple different versions and did not see that
> >function.
>
> I posted a question about this to the apache security mailbox, but
> nobody responded. I guess that is in line with the policy for that
> mailbox even if I find it somewhat unhelpful, considering that SSL isn't
> completely a rarity when using Apache.
>
> The reason I am concerned is because mod_ssl indirectly references
> SSL_get_shared_ciphers. It is in use. You can see this if you use
> something like nm and grep for this function.
>
> So is mod_ssl vulnerable? Is the functionality insulated and not
> possible to trigger from the mod_ssl user scenario, or is it?
>
> If anyone has any ideas please let me know!

The symbol is not defined in mod_ssl on any of my Linux or Solaris systems, all of which are running Apache-2.0.55. What version are you looking at?
Re: Does Mod_SSL use SSL_get_shared_ciphers()?
> Phil Ehrens:
> I just checked a couple different versions and did not see that function.

I posted a question about this to the apache security mailbox, but nobody responded. I guess that is in line with the policy for that mailbox even if I find it somewhat unhelpful, considering that SSL isn't completely a rarity when using Apache.

The reason I am concerned is because mod_ssl indirectly references SSL_get_shared_ciphers. It is in use. You can see this if you use something like nm and grep for this function.

So is mod_ssl vulnerable? Is the functionality insulated and not possible to trigger from the mod_ssl user scenario, or is it?

If anyone has any ideas please let me know!

Regards,

Per Olausson
RE: Newbie Question regarding mod_ssl
> > Erol Yalaz wrote:
> >> I have a WIN2003 box with the latest Apache on it (2.2.3) and it is
> >> working great. I need to get mod_ssl working. Unfortunately, I can't
> >>
> >> Any suggestions? Shouldn't there be some pre-compiled binaries out there?

i haven't used apache on windows, but the *nix versions can have ssl compiled directly into apache. if you're compiling your own apache, then you should be able to --enable-ssl when you ./configure, or however you'll do it.
Re: Newbie Question regarding mod_ssl
http://hunter.campbus.com/ - and yes Chris is trustworthy. Blame Canada :)

Bill

Eckard Wille wrote:
> Erol Yalaz wrote:
>> I have a WIN2003 box with the latest Apache on it (2.2.3) and it is
>> working great. I need to get mod_ssl working. Unfortunately, I can't
>>
>> Any suggestions? Shouldn't there be some pre-compiled binaries out there?
>
> http://www.apachelounge.com/download/
>
> If you trust them :-)
>
> Greetings
> Eckard
Re: Does Mod_SSL use SSL_get_shared_ciphers()?
Stanley Laufer wrote:
> Does anyone know if Mod_SSL uses the SSL_get_shared_ciphers()
> function from OpenSSL?
>
> As you may know a buffer overflow has been detected in that
> function in OpenSSL versions prior to 0.9.8d.
>
> I'm trying to find out if Mod_SSL uses the vulnerable function.

I just checked a couple different versions and did not see that function.