Re: [EMAIL PROTECTED] TLS SNI with user certificates.

2008-01-28 Thread Jorgen Lundman



As a quick hack, I set up the normal vhost to have certificate 1 (it 
has to have one defined to even start, after all), then patched 
set_ssl_vhost() to load a different "ctx" with certificate 2. I would leak 
contexts like crazy, but as a quick proof of concept it would tell me if 
it is feasible.


if (!strcasecmp(servername, "www.example.com")) {
    SSL_CTX *ctx;
    int status;

    found = TRUE;
    ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "example patch: loading");

    /* Fresh context for the SNI-selected certificate; never freed (the leak mentioned above). */
    ctx = SSL_CTX_new(SSLv23_method());
    ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "new ctx %p", ctx);
    status = SSL_CTX_use_certificate_file(ctx,
                                          "/etc/certs/www.example.com.pem",
                                          X509_FILETYPE_PEM);
    /* Only the certificate is loaded into ctx here; nothing loads the matching
       private key (SSL_CTX_use_PrivateKey_file()) into it. */
    ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, "loaded pem file %d", status);

    /* Attach the new context to the connection's SSL object and to the vhost. */
    if ((ssl = ((SSLConnRec *)myConnConfig(c))->ssl) == NULL)
        return 0;
    if (!(sc = mySrvConfig(s)))
        return 0;
    sc->server->ssl_ctx = ctx;
    SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
    SSL_CTX_set_app_data(ctx, s);
    return 1;
}


For the last few lines I have tried a few combinations in my attempt to 
make it work. I get the following output, however:



[Tue Jan 29 12:23:38 2008] [error] Called set_ssl_vhost with 'www.example.jp'
[Tue Jan 29 12:23:38 2008] [error] example patch: loading
[Tue Jan 29 12:23:38 2008] [error] new ctx
[Tue Jan 29 12:23:38 2008] [error] loaded pem file 1
[Tue Jan 29 12:23:38 2008] [error] Re-negotiation handshake failed: Not accepted by client!?



And Seamonkey says: "the site uses a security protocol that isn't enabled".


Am I trying to patch it in too late in the game? Has it already sent 
part of the vhost certificate 1 before the example.com certificate 2?


If I create a vhost with example.com and the example.com.pem certificate 2, 
as well as the default vhost, both certificates work and load 
correctly. It is my hack that breaks things; I am not sure how much of 
Apache's framework I need to conform to.







Jorgen Lundman wrote:


What is the state of TLS/SNI at the moment? We are exploring offering 
SSL certificates to users, and in a perfect world we would like to keep 
our httpd.conf free of provisioning.


Apache 2.2.0
OpenSSL-0.9.8e

At the moment, all users' vhosts are defined as:


VirtualDocumentRoot "/export/nfs/www/%-1/%-2.-1/%-2.-2/%-2+/"

So a request for http://www.example.com/$path would translate as 
/export/nfs/www/com/e/l/www.example/$path


If that directory exists it is served.

What would be ideal is if a user had a certificate as:

/export/nfs/www/com/e/l/www.example/.certificate

Then SSL TLS/SNI would use it and "everything would just work".
(Minus Safari and Konqueror, from our current tests.)



Possible right now? Possible if I add a little code?

Lundy




--
Jorgen Lundman   | <[EMAIL PROTECTED]>
Unix Administrator   | +81 (0)3 -5456-2687 ext 1017 (work)
Shibuya-ku, Tokyo| +81 (0)90-5578-8500  (cell)
Japan| +81 (0)3 -3375-1767  (home)
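The per-hostname mapping Lundy describes, as an added example that is not part of the thread or of httpd: it implements the VirtualDocumentRoot specifiers from his config (generalised to any %N.M selector), turns an SNI name into the .certificate path, and swaps the context from an ssl.SSLContext.sni_callback. The hostname check, the callback glue and the assumption that the PEM file holds both certificate and private key are mine.

```python
import os
import re
import ssl

DOCROOT_PATTERN = "/export/nfs/www/%-1/%-2.-1/%-2.-2/%-2+/"   # from the thread's httpd.conf
# Only plain DNS labels: the SNI value is client-supplied and is about to become a path.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")
def _select(items, spec):
    """One mod_vhost_alias selector (N, -N, N+, -N+) applied to name parts or characters."""
    plus = spec.endswith("+")
    n = int(spec.rstrip("+"))
    if n == 0 or (plus and n in (1, -1)):
        return items                     # 0, 1+ and -1+ all mean "the whole thing"
    idx = n - 1 if n > 0 else len(items) + n
    if not 0 <= idx < len(items):
        return None                      # out of range: Apache inserts "_"
    if not plus:
        return items[idx:idx + 1]
    return items[idx:] if n > 0 else items[:idx + 1]

def interpolate(pattern, hostname):
    """Expand %N.M specifiers the way mod_vhost_alias does for the given hostname."""
    parts = hostname.split(".")
    def repl(m):
        if m.group(0) == "%%":
            return "%"
        chosen = _select(parts, m.group(1))
        if chosen is None:
            return "_"
        text = ".".join(chosen)
        if m.group(2) is not None:       # the .M half selects characters of the chosen text
            chars = _select(list(text), m.group(2))
            text = "_" if chars is None else "".join(chars)
        return text
    return re.sub(r"%%|%(-?\d+\+?)(?:\.(-?\d+\+?))?", repl, pattern)

def certificate_path(servername):
    """Map an SNI name to the user's .certificate file, refusing anything that is not a hostname."""
    name = servername.lower().rstrip(".")
    if len(name) > 253 or not HOSTNAME_RE.match(name):
        raise ValueError("SNI value is not a plain hostname: %r" % servername)
    return interpolate(DOCROOT_PATTERN, name) + ".certificate"

def make_sni_callback(loader=ssl.SSLContext.load_cert_chain):
    """Return an ssl.SSLContext.sni_callback that swaps in a per-user context (hypothetical glue)."""
    cache = {}
    def sni_callback(sslobj, servername, _default_ctx):
        if not servername:
            return None                  # no SNI sent: the default vhost certificate stays
        try:
            path = certificate_path(servername)
        except ValueError:
            return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME
        if not os.path.isfile(path):
            return None                  # no user certificate: the default vhost serves it
        if path not in cache:
            cache[path] = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            loader(cache[path], path)    # assumes the PEM carries certificate AND private key
        sslobj.context = cache[path]     # chosen while the ClientHello is processed, not after
        return None
    return sni_callback
```

Install it with `server_ctx.sni_callback = make_sni_callback()` on the context that wraps the listening socket; the default context's certificate is what clients without SNI get.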

-
The official User-To-User support forum of the Apache HTTP Server Project.
See <http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
  "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [EMAIL PROTECTED] %T time to serve log entry

2008-01-28 Thread Max Dittrich

Tony Rice (trice) schrieb:

Is there another Log format available that shows more resolution than
seconds for time to serve a request?  Perhaps in milliseconds?


Microseconds are given with %D from mod_log_config
http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats

.max




Re: [EMAIL PROTECTED] Figuring out the order in which directives apply

2008-01-28 Thread Nick Kew
On Mon, 28 Jan 2008 16:54:32 -0500
"Mark H. Wood" <[EMAIL PROTECTED]> wrote:

> Is there some document I can read to help me understand the order in
> which configuration directives from different modules apply?

maybe you're looking for http://httpd.apache.org/docs/2.2/sections.html

> In this instance I wanted to know whether I could use Allow/Deny rules
> before a request gets picked off and handed over to a servlet
> container by mod_jk.  There didn't seem to be any obvious way to
> answer the question except by experiment.  (My result:  I *think* this
> works.)

That's simple: allow/deny rules apply before any content handler.
To do otherwise would be nonsensical.

This might be clearer in some of the developer docs, such as
http://httpd.apache.org/docs/2.2/developer/request.html
http://www.apachetutor.org/dev/request


-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/




[EMAIL PROTECTED] %T time to serve log entry

2008-01-28 Thread Tony Rice (trice)
Is there another Log format available that shows more resolution than
seconds for time to serve a request?  Perhaps in milliseconds?




[EMAIL PROTECTED] Figuring out the order in which directives apply

2008-01-28 Thread Mark H. Wood
Is there some document I can read to help me understand the order in
which configuration directives from different modules apply?

In this instance I wanted to know whether I could use Allow/Deny rules
before a request gets picked off and handed over to a servlet
container by mod_jk.  There didn't seem to be any obvious way to
answer the question except by experiment.  (My result:  I *think* this
works.)

Experiment always serves, but can be tricky to test.  And there's a
tendency to learn lessons that are overbroad, and later fall victim to
unproven assumptions.  It would be nice if I could just read something
and determine which things will happen to a model request in which
order.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he
means the exact opposite.





Re: [EMAIL PROTECTED] test.html.php shown as html not as php

2008-01-28 Thread Marten Lehmann

Hello,


AddType application/x-httpd-php .php


That's wrong.  PHP is a handler, not a MIME type.  That ugly hack
was required by Apache 1.0, but has been a nasty bogosity since
Apache 1.1 in 1996.


Ah, I see. I started using it with my Apache 1.3.x config, where it 
worked fine, and then kept it until my 2.2.4 Apache config since it works 
fine (except for the .html.php thing). But with the upgrade to 2.2.8 I 
will change this as well. I will use


AddHandler application/x-httpd-php .php
AddHandler application/x-httpd-php .php3
AddHandler application/x-httpd-php .php4
AddHandler application/x-httpd-php5 .php5

instead.


AddHandler server-parsed .html


And that's been wrong since Apache 2.0 in 2002, when SSI ceased to
be a content generator and became a filter.  The legacy support for
SSI handlers precludes using dynamic contents with SSI.


Ok, I changed it to

AddType text/html .shtml
AddOutputFilter INCLUDES .html
AddOutputFilter INCLUDES .shtml

Seems to work fine.

Thanks!

Kind regards
Marten




Re: [EMAIL PROTECTED] Apache Hangs.. Server-Status shows all Reading

2008-01-28 Thread Christian Köberl

Hi!


Jérôme Etévé-2 wrote:
> 
> I've got here exactly the same problem, but without any php modules. My
> server serves only static resources and It's flooded with reading state
> request sometime.
> 

We've also got the same problem, and it seems the Apache foundation has
the same problem as well (see this server-status of issues.apache.org:
http://www.nabble.com/file/p15144733/server-status-issues-apache-2008-01-25.htm).
The actual problem is that requests are stuck in "Reading Request" until
the timeout occurs. In the server-status from issues.apache.org you see
"R" requests that have been running for more than 500s.

There are several people describing the same problem with different versions
of Apache (also 1.x) and different SSL implementations - but no solution.

I have made a JMeter test, which only requests static resources on our server,
to find the cause: I can reproduce the problem on our test server. There,
I've done some analysis with netstat and I've seen that there are a lot of TCP
connections in "TIME_WAIT" - but I'm not sure if that is connected
with this phenomenon.

Anybody else got this problem? Did anybody solve this?

Maybe we should file a bugzilla entry?

-- 
Chris





Re: [EMAIL PROTECTED] redirections

2008-01-28 Thread Matus UHLAR - fantomas
On 17.01.08 19:59, Octavian Rasnita wrote:
> Ok, I understand that I could use ServerAlias for having 2 or more 
> addresses for the same virtualhost, but I don't understand how I can't do 
> what I want without redirecting.
> 
> I want the url
> /maestro
> 
> to be redirected to:
> /static/maestro/
> 
> no matter which is the current host name.

Redirect /maestro/  /static/maestro/

in  section. note the trailing slashes, otherwise you'd
redirect /maestroXYZ to /static/maestroXYZ (unless it's what you want)

> ...something like:
> 
> Redirect /maestro $HOSTNAME/static/maestro/
> 
> where $HOSTNAME would get the current host...

if you want to keep the same hostname, set "UseCanonicalName off" or use two
virtual hosts. However, I'd advise not to use multiple hosts for the same
content unless you really must, and let apache redirect to the ServerName.
-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody




RE: [EMAIL PROTECTED] A question on HTTPs protocol

2008-01-28 Thread Axel-Stephane SMORGRAV
I just realised I actually meant to say:

 SSLProxyCipherSuite NULL

Of course, of course... a horse is a horse.
-ascs
 
-----Original Message-----
From: Axel-Stephane SMORGRAV
Sent: Monday, 28 January 2008 08:26
To: users@httpd.apache.org
Subject: RE: [EMAIL PROTECTED] A question on HTTPs protocol

You probably want to use

SSLCipherSuite NULL


$ openssl ciphers -v NULL   
AECDH-NULL-SHA          SSLv3 Kx=ECDH Au=None  Enc=None  Mac=SHA1
ECDHE-RSA-NULL-SHA      SSLv3 Kx=ECDH Au=RSA   Enc=None  Mac=SHA1
ECDH-RSA-NULL-SHA       SSLv3 Kx=ECDH Au=RSA   Enc=None  Mac=SHA1
ECDHE-ECDSA-NULL-SHA    SSLv3 Kx=ECDH Au=ECDSA Enc=None  Mac=SHA1
ECDH-ECDSA-NULL-SHA     SSLv3 Kx=ECDH Au=ECDSA Enc=None  Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA  Au=RSA   Enc=None  Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA  Au=RSA   Enc=None  Mac=MD5


-ascs
Disclaimer: I am not an SSL expert :-)

-----Original Message-----
From: Qingshan Xie [mailto:[EMAIL PROTECTED]]
Sent: Monday, 28 January 2008 07:09
To: users@httpd.apache.org
Subject: [EMAIL PROTECTED] A question on HTTPs protocol

This may be a little crazy or sound silly. We have a reverse proxy that talks to 
the backend Apache over SSL. However, for better performance we wonder if we can 
disable the request encryption and decryption and keep only the SSL handshake? This 
is pretty much like an SSH pipe: once the trust relation is established and the pipe 
created, there is no need for encryption/decryption in the data transaction. Can 
SSL experts shed some light on it?

Many Thanks,
Q.Xie




  

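A check over an `openssl ciphers -v` listing like the one quoted above, added here and not taken from the thread: it parses each line and flags the suites that give up confidentiality (Enc=None) or peer authentication (Au=None), which is exactly what a NULL cipher string trades away. The sample lines are constructed in that layout, using standard OpenSSL suite names.

```python
# Constructed sample in `openssl ciphers -v` layout: the kind of suites the thread's
# "SSLCipherSuite NULL" expands to, plus one ordinary suite for contrast.
SAMPLE_NULL_LIST = """\
AECDH-NULL-SHA          SSLv3 Kx=ECDH Au=None  Enc=None Mac=SHA1
ECDHE-RSA-NULL-SHA      SSLv3 Kx=ECDH Au=RSA   Enc=None Mac=SHA1
ECDHE-ECDSA-NULL-SHA    SSLv3 Kx=ECDH Au=ECDSA Enc=None Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA  Au=RSA   Enc=None Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA  Au=RSA   Enc=None Mac=MD5
"""
SAMPLE_OK_LINE = "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"

def parse_cipher_line(line):
    """Split one `openssl ciphers -v` line into name, protocol and the Kx/Au/Enc/Mac columns."""
    fields = line.split()
    info = {"name": fields[0], "version": fields[1]}
    for token in fields[2:]:
        key, sep, value = token.partition("=")
        if sep:
            info[key] = value
    return info

def audit_ciphers(listing):
    """Map each suite name to the reasons it should not appear in a server's cipher string."""
    findings = {}
    for line in listing.splitlines():
        if not line.strip():
            continue
        c = parse_cipher_line(line)
        problems = []
        if c.get("Enc") == "None":
            problems.append("Enc=None: application data is sent in clear once the handshake is over")
        if c.get("Au") == "None":
            problems.append("Au=None: the peer is never authenticated, so the handshake proves nothing")
        if c.get("Mac") == "MD5":
            problems.append("Mac=MD5: record integrity relies on a broken hash")
        if problems:
            findings[c["name"]] = problems
    return findings
```

Feed it the output of `openssl ciphers -v '<your SSLCipherSuite string>'` before deploying a cipher string; an empty result is the goal.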




Re: [EMAIL PROTECTED] test.html.php shown as html not as php

2008-01-28 Thread Nick Kew
On Mon, 28 Jan 2008 16:21:16 +0100
Marten Lehmann <[EMAIL PROTECTED]> wrote:

> Hello,
> 
> using apache 2.2.4 we have these lines in our httpd.conf (among
> others of course):
> 
> AddType application/x-httpd-php .php

That's wrong.  PHP is a handler, not a MIME type.  That ugly hack
was required by Apache 1.0, but has been a nasty bogosity since
Apache 1.1 in 1996.

> AddHandler server-parsed .html

And that's been wrong since Apache 2.0 in 2002, when SSI ceased to
be a content generator and became a filter.  The legacy support for
SSI handlers precludes using dynamic contents with SSI.

> HTTP/1.1 200 OK
> Date: Mon, 28 Jan 2008 15:07:32 GMT
> Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.7a
> Accept-Ranges: bytes
> Content-Length: 31
> Connection: close
> Content-Type: application/x-httpd-php

That's exactly what you told it:
- the handler is "server-parsed", so php rightly doesn't touch it.
- the content-type is what you set.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/




Re: [EMAIL PROTECTED] test.html.php shown as html not as php

2008-01-28 Thread Joshua Slive
On Jan 28, 2008 10:21 AM, Marten Lehmann <[EMAIL PROTECTED]> wrote:
> Hello,
>
> using apache 2.2.4 we have these lines in our httpd.conf (among others
> of course):
>
> AddType application/x-httpd-php .php
> AddHandler server-parsed .html
>
> This works generally fine: .php files are executed by the php
> interpreter and .html files processed by the SSI processor of apache.
>
> Today a user informed us, that naming a file e.g. test.html.php results
> in an unexpected behaviour:

There are two problems here:

1. Using AddType to activate the php HANDLER. You should be using
AddHandler for php as well. (Yes, this is incorrectly documented in the
php manual and has been that way forever. The php people don't seem to
be too concerned about this issue, which hits people who deal with
multiple extensions.)

2. Understand that files can have multiple extensions and apache will
apply config directives for each extension.

Using AddHandler properly will fix the test.html.php case, since the
handler for the last extension (php) will take precedence over the
INCLUDES handler. The test.php.html will still not work. If you want
that to work, you need to RemoveHandler for the .html extension for
that file.

Joshua.
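A model of the extension walk Joshua describes, as an added example (not httpd's own code): Marten's original configuration and his corrected one run through it reproduce the two responses he posted, and a RemoveHandler stand-in shows why test.php.html needs it when both extensions carry a handler. The TypesConfig stand-in and the directive tuples are constructed for the illustration.

```python
# Simplified model of how mod_mime treats a name with several extensions: each extension
# is processed left to right and a later one overrides the type or handler set earlier.
# When no handler was set, httpd uses the content type as the handler name, which is the
# only reason "AddType application/x-httpd-php .php" ever ran PHP at all.
DEFAULT_TYPES = [("AddType", "text/html", [".html", ".htm"])]  # stands in for TypesConfig

# The two configurations from the thread: Marten's original and his corrected one.
THREAD_CONFIG = DEFAULT_TYPES + [
    ("AddType", "application/x-httpd-php", [".php"]),
    ("AddHandler", "server-parsed", [".html"]),
]
FIXED_CONFIG = DEFAULT_TYPES + [
    ("AddHandler", "application/x-httpd-php", [".php"]),
    ("AddOutputFilter", "INCLUDES", [".html", ".shtml"]),
]

def resolve(filename, config):
    """Return the content type, handler and output filters mod_mime would assign."""
    result = {"type": None, "handler": None, "filters": []}
    for ext in ("." + e.lower() for e in filename.split(".")[1:]):
        for directive, value, exts in config:
            if ext not in exts:
                continue
            if directive == "AddType":
                result["type"] = value
            elif directive == "AddHandler":
                result["handler"] = value
            elif directive == "AddOutputFilter" and value not in result["filters"]:
                result["filters"].append(value)
    return result

def effective_handler(resolved):
    """Name httpd dispatches on: the explicit handler, else the content type."""
    return resolved["handler"] or resolved["type"]

def remove_handler(config, exts):
    """Model RemoveHandler: drop handler mappings for these extensions in this scope."""
    out = []
    for directive, value, mapped in config:
        if directive == "AddHandler":
            mapped = [e for e in mapped if e not in exts]
            if not mapped:
                continue
        out.append((directive, value, mapped))
    return out
```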




RE: [EMAIL PROTECTED] test.html.php shown as html not as php

2008-01-28 Thread AJ McKee
Marten,

Should be (Although not really a good thing)

AddType application/x-httpd-php .php .html

AJ






[EMAIL PROTECTED] test.html.php shown as html not as php

2008-01-28 Thread Marten Lehmann

Hello,

using apache 2.2.4 we have these lines in our httpd.conf (among others 
of course):


AddType application/x-httpd-php .php
AddHandler server-parsed .html

This works generally fine: .php files are executed by the php 
interpreter and .html files processed by the SSI processor of apache.


Today a user informed us, that naming a file e.g. test.html.php results 
in an unexpected behaviour:


# telnet test.com 80
Trying 1.2.3.4...
Connected to test.com (1.2.3.4).
Escape character is '^]'.
GET /testcases/test.html.php HTTP/1.0
Host: test.com

HTTP/1.1 200 OK
Date: Mon, 28 Jan 2008 15:07:32 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.7a
Accept-Ranges: bytes
Content-Length: 31
Connection: close
Content-Type: application/x-httpd-php



On the one hand, apache is setting the content-type 
"application/x-httpd-php", but on the other hand, the script isn't 
passed to the php interpreter.


It also doesn't work the other way round (test.php.html):

# telnet test.com 80
Trying 1.2.3.4...
Connected to gotmilk.eu (1.2.3.4).
Escape character is '^]'.
GET /testcases/test.php.html HTTP/1.0
Host: test.com

HTTP/1.1 200 OK
Date: Mon, 28 Jan 2008 15:19:56 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.7a
Accept-Ranges: bytes
Content-Length: 32
Connection: close
Content-Type: text/html



Any ideas?

Regards
Marten




Re: [EMAIL PROTECTED] httpd 2.0.54 VHost not working

2008-01-28 Thread anand nalya
The issue is solved. I needed to do some configuration in sw,conf

On 28/01/2008, anand nalya <[EMAIL PROTECTED]> wrote:
>
> Thanks for the quick response.
>
> These are the contents of xaccess_log.
>
> 
> 10.76.6.6 - - [28/Jan/2008:13:07:13 +0530] 10.76.6.1:80 www.mydomain.com
> www.mydomain.com "GET /index.html HTTP/1.1"
> /usr/local/skunk/docroot/index.html 200 1198 "
>
> 10.76.6.6 - - [28/Jan/2008:13:10:17 +0530] 10.76.6.1:80 sub.mydomain.com
> sub.mydomain.com "GET /index.html HTTP/1.1"
> /usr/local/skunk/docroot/sub/index.html 200 1198 "
>
> -
>
> I think, there is some problem with the skunk module. Now I'm starting to
> look into it.
> Thanks for the pointer.
>
> On 28/01/2008, Axel-Stephane SMORGRAV <
> [EMAIL PROTECTED]> wrote:
> >
> > Could you:
> >
> > 1. add the following lines at the server-level of your configuration:
> >
> > LogFormat "%h %l %u %t %A:%p %v %V \"%r\" %f %>s %b \"" extended
> > CustomLog /var/logs/www/xaccess_log extended
> >
> > 2. restart your server
> >
> > 3. Perform the request you claim fails to be executed in the VH context
> >
> > 4. Post the contents of /var/logs/www/xaccess_log
> >
> > -ascs
> >
> >
>