multiple ssl servers on the same box?

2000-11-02 Thread Dean Hall

Hello. (First post!)

First off, if I need to post questions about configuring Apache with mod_ssl
somewhere else, please let me know where it is. Otherwise . . .

I'm having several problems (or quandaries, perhaps).

The first is: when I try to specify two virtual servers using SSL like so:

<IfDefine SSL>
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
</IfDefine>

<IfModule mod_ssl.c>
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/path/to/ssl_cache
    SSLSessionCacheTimeout 300
    SSLMutex file:/path/to/ssl_mutex
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLLog /path/to/ssl_engine_log
    SSLLogLevel info
</IfModule>

NameVirtualHost my.ip.addy.xx

<IfDefine SSL>

# I tried <VirtualHost _default_:443> as well.
<VirtualHost my.ip.addy.xx:443>
    ServerName ssl.mydomain.com

    SSLEngine on
    SSLCertificateFile /path/to/cert
    SSLCertificateKeyFile /path/to/cert/key

    # other normal stuff here
</VirtualHost>

</IfDefine>

# other non-SSL virtual servers here

<IfDefine SSL>

<VirtualHost my.ip.addy.xx:443>
    ServerName admin.mydomain.com

    SSLEngine on
    SSLCertificateFile /path/to/cert
    SSLCertificateKeyFile /path/to/cert/key

    # other normal stuff here
</VirtualHost>

</IfDefine>

both SSL servers freak out. In particular, they cannot find CSS files and
images in the proper directories.

That being said, I was playing around with just making my
"admin.mydomain.com" server do without SSL, so I took out all the SSL stuff
from its VirtualHost directive; I then discovered something strange: All
my virtual servers can be accessed with the https protocol, except they
access the only server listening on port 443, 'ssl'. This is an odd
"feature" that I'd like to prevent.

What is the difference between saying:

<VirtualHost _default_:443>
and
<VirtualHost my.ip.addy.xx:443>

??? Is this part of my problem?

Any input would be appreciated.

Dean.

__
OpenSSL Project http://www.openssl.org
User Support Mailing List[EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: Avoiding man in the middle attacks

2000-11-02 Thread amanda

That is impossible. If you can't secure your Win9x client then you can
never ever establish any kind of secure communication from that client.
Security has to begin at the end points.
 
After you secure the client's certificate store you then use those
certificates to secure the communication.
 
 
Amanda.
 
 
On Thu, 26 Oct 2000, Darío Mariani wrote:
>   I'm still learning SSL. I still do not understand how, or whether,
> SSL/TLS prevents a "man in the middle" attack. If the certificates
> are good, no problem. But how does a client, or what must I do for a
> client to, check the validity of a certificate, even a signed one from a
> trusted CA?
>   My problem is this: I'm developing a client-server application (not
> web based), the clients will be on computers with Win9x, and for
> simplicity, the users won't know which server they are connecting to
> (they do not need to). I could have the server certificate and the
> server address in files on the client computer, but as Win9x security
> does not exist, nothing prevents someone from replacing these files with
> ones for another server.
>   I would appreciate any comments, thanks.



Re: help needed with extended keyUsage v3 attrib.

2000-11-02 Thread Dr S N Henson

Corrado Derenale wrote:
 
> Hi,
> anyone know how to sign an X.509 cert with the attribute:
>
> extended keyUsage
>
> set to
>
> TLS Web server authentication
>
> with the CA command?
 

Read the extension documentation in doc/openssl.txt and the ca manual
page, then edit your config file appropriately.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
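
One way to do what the reply above points at, as an added example that is not part of the original thread or of the OpenSSL documentation: a throwaway CA whose config file has an extension section setting extendedKeyUsage = serverAuth, selected with "openssl ca -extensions". The section names (demo_ca, server_ext, ca_ext), subject names and file paths are assumptions made for this example.

```sh
# Added example: throwaway CA signing a CSR with "openssl ca" so the issued
# certificate carries extendedKeyUsage = serverAuth. All names are constructed.

sign_server_cert() {
    dir=$1
    mkdir -p "$dir/newcerts" && : > "$dir/index.txt" && echo 01 > "$dir/serial" || return 1
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 30
policy = policy_any
unique_subject = no
[ policy_any ]
commonName = supplied
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Self-signed CA, then a server key and CSR (key-generation noise hidden).
    openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=ssl.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # -extensions names the config section copied into the issued certificate.
    openssl ca -batch -notext -config "$dir/ca.cnf" -extensions server_ext \
        -in "$dir/server.csr" -out "$dir/server.crt"
}
# Print the Extended Key Usage extension of the certificate file given as $1.
show_eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Extended Key Usage'
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
sign_server_cert "$work" && show_eku "$work/server.crt"
```

In an existing CA setup only the [ server_ext ] section and the -extensions option are needed; the rest of the script exists so the example runs in an empty directory.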





timestamp server with OpenSSL

2000-11-02 Thread Derek Charles

I'd like to set up my own timestamping server with OpenSSL.

Has anyone done this already and can give me some pointers or point me to a 
good resource?

Thanks in advance,

Derek.

