Re: [users@httpd] How to use DH 4096 parameters?

2022-03-14 Thread Walter Hop
On 14 Mar 2022, at 19:02, Yann Ylavic  wrote:
> 
> Step 3) does not work anymore with latest openssl versions, the only
> way to configure custom dhparams in httpd is to append them to the
> certificate file (see
> https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile).

Thank you so much! This was the solution.
The scanner is no longer complaining! :) 
https://internet.nl/site/lifeforms.nl/1529724/# 


For those who stumble on this thread with the same issue, I’ll review:
- I created a 4096 bit RSA key
- I requested a certificate with Let’s Encrypt
- I appended the RFC's standard 4096 bit DH parameters file to the certificate, 
e.g.

# wget https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem

# cat ffdhe4096.pem >> newcert.pem

(or the name of your certificate)

Restart Apache and it should look great.
Thank you all for the input!

Cheers,
WH
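
The append step from the message above, written so it can be re-run safely (an added example, not part of the original post or of httpd's own tooling). If a renewal rewrites the certificate file the appended block is gone, and running `cat >>` twice would duplicate it. The function names `pem_count` and `ensure_dhparams` and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: idempotent form of "cat ffdhe4096.pem >> newcert.pem".

# Count PEM blocks of a given type ("CERTIFICATE", "DH PARAMETERS") in a file.
pem_count() {
    grep -c -- "^-----BEGIN $1-----" "$2" || true
}

# Append the DH parameters in $2 to certificate file $1 unless already present.
# Returns 0 only if the certificate file ends up with exactly one DH block.
ensure_dhparams() {
    cert=$1 dh=$2
    [ "$(pem_count CERTIFICATE "$cert")" -ge 1 ] || { echo "no certificate in $cert" >&2; return 2; }
    # A failed download can leave an HTML error page here; refuse to append it.
    [ "$(pem_count 'DH PARAMETERS' "$dh")" -eq 1 ] || { echo "$dh is not a DH parameters file" >&2; return 3; }
    if [ "$(pem_count 'DH PARAMETERS' "$cert")" -eq 0 ]; then
        # Newline-terminate the last certificate line so the END and BEGIN
        # markers do not fuse into a single line.
        [ -z "$(tail -c 1 "$cert")" ] || echo >> "$cert"
        cat "$dh" >> "$cert"
    fi
    [ "$(pem_count 'DH PARAMETERS' "$cert")" -eq 1 ]
}

# Demo on constructed placeholder files (bodies are not real key material).
d=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$d/newcert.pem"
printf '%s\n' '-----BEGIN DH PARAMETERS-----' 'Q09OU1RSVUNURUQ=' '-----END DH PARAMETERS-----' > "$d/ffdhe4096.pem"
ensure_dhparams "$d/newcert.pem" "$d/ffdhe4096.pem"   # appends
ensure_dhparams "$d/newcert.pem" "$d/ffdhe4096.pem"   # no-op on the second run
echo "DH blocks in cert file: $(pem_count 'DH PARAMETERS' "$d/newcert.pem")"
rm -rf "$d"
```

Run it again whenever the certificate file is replaced, then restart Apache as described in the message.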

Re: [users@httpd] configure fails using --with-pcre with httpd-2.4.53

2022-03-14 Thread Ash
Thanks Yann, that was it (specifying the path to the pcre-config binary rather 
than the path to its installation directory). The build succeeds on both 
platforms now. We really appreciate the help.

> --- Original Message ---
>
> On Monday, March 14th, 2022 at 2:06 PM, Yann Ylavic ylavic@gmail.com 
> wrote:
>
> > On Mon, Mar 14, 2022 at 5:46 PM Ash ash.kre...@protonmail.com.invalid wrote:
> >
> > > Configure fails for us when building httpd-2.4.53 from source using the 
> > > --with-pcre option. The error occurs on both RHEL 8 and Solaris 11.3. A 
> > > prior release of httpd (httpd-2.4.51) builds successfully in these same 
> > > environments with the same commands.
> > >
> > > We're using apr 1.7.0, apr-util 1.6.1, PCRE 8.4.1 and OpenSSL 1.1.1l.
> > >
> > > Our configure command is:
> > >
> > > ./configure --prefix=/path/to/apache \
> > >   --with-crypto --with-openssl=/path/to/ssl \
> > >   --with-included-apr \
> > >   --with-pcre=/path/to/pcre \
> > >   --with-ssl=/path/to/ssl
> >
> > It should probably be "--with-pcre=/path/to/pcre-config", pointing to
> > the pcre-config file rather than pcre the installation directory.
> >
> > Regards;
> >
> > Yann.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] configure fails using --with-pcre with httpd-2.4.53

2022-03-14 Thread Yann Ylavic
On Mon, Mar 14, 2022 at 5:46 PM Ash  wrote:
>
> Configure fails for us when building httpd-2.4.53 from source using the 
> --with-pcre option.  The error occurs on both RHEL 8 and Solaris 11.3.  A 
> prior release of httpd (httpd-2.4.51) builds successfully in these same 
> environments with the same commands.
>
> We're using apr 1.7.0, apr-util 1.6.1, PCRE 8.4.1 and OpenSSL 1.1.1l.
>
> Our configure command is:
> ./configure --prefix=/path/to/apache \
>   --with-crypto --with-openssl=/path/to/ssl \
>   --with-included-apr \
>   --with-pcre=/path/to/pcre \
>   --with-ssl=/path/to/ssl

It should probably be "--with-pcre=/path/to/pcre-config", pointing to
the pcre-config file rather than pcre the installation directory.

Regards;
Yann.




Re: [users@httpd] How to use DH 4096 parameters?

2022-03-14 Thread Yann Ylavic
On Sun, Mar 13, 2022 at 3:55 PM Walter Hop  wrote:
>
> On my old setup, this was DH 2048, which is considered “insufficient” 
> according to internet.nl. I have tried the following things:
>
> 1) use a 4096 bit RSA key and get a new certificate
> 2) generate DH params with: openssl dhparam -out /etc/apache2/dhparam.pem 4096
> 3) in my configuration, added: SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem"

Step 3) does not work anymore with latest openssl versions, the only
way to configure custom dhparams in httpd is to append them to the
certificate file (see
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile).

Regards;
Yann.




Re: [users@httpd] configure fails using --with-pcre with httpd-2.4.53

2022-03-14 Thread Nick Folino
You did change "/path/to/pcre" to the correct path, right?

On Mon, Mar 14, 2022 at 12:45 PM Ash wrote:

> Configure fails for us when building httpd-2.4.53 from source using the
> --with-pcre option.  The error occurs on both RHEL 8 and Solaris 11.3.  A
> prior release of httpd (httpd-2.4.51) builds successfully in these same
> environments with the same commands.
>
> We're using apr 1.7.0, apr-util 1.6.1, PCRE 8.4.1 and OpenSSL 1.1.1l.
>
> Our configure command is:
> ./configure --prefix=/path/to/apache \
>   --with-crypto --with-openssl=/path/to/ssl \
>   --with-included-apr \
>   --with-pcre=/path/to/pcre \
>   --with-ssl=/path/to/ssl
>
> The specific error on RHEL 8 is different than the error on Solaris, but
> on both platforms /path/to/pcre/bin/pcre-config is executable by the build
> user, as are all the PCRE libraries.
>
> Console output from configure on RHEL 8 shows:
> checking for -pcre2-config... no
> checking for -pcre-config... no
> checking for pcre2-config... no
> checking for pcre-config... pcre-config
> configure: error: Did not find working script at pcre-config
>
> and config.log on RHEL 8 shows:
> configure:6144: checking for -pcre2-config
> configure:6174: result: no
> configure:6144: checking for -pcre-config
> configure:6174: result: no
> configure:6188: checking for pcre2-config
> configure:6218: result: no
> configure:6188: checking for pcre-config
> configure:6204: found /path/to/pcre/bin/pcre-config
> configure:6215: result: pcre-config
> configure:6236: error: Did not find working script at pcre-config
>
>
> Console output on Solaris 11 shows:
> checking for -pcre2-config... no
> checking for -pcre-config... no
> checking for pcre2-config... no
> checking for pcre-config... no
> configure: error: Did not find working script at /path/to/pcre
>
> and contents of config.log on Solaris 11 show:
> configure:6144: checking for -pcre2-config
> configure:6174: result: no
> configure:6144: checking for -pcre-config
> configure:6174: result: no
> configure:6188: checking for pcre2-config
> configure:6218: result: no
> configure:6188: checking for pcre-config
> configure:6218: result: no
> configure:6236: error: Did not find working script at /path/to/pcre
>
> We notice significant changes were made to configure between 2.4.51 and
> 2.4.53.
>
> Thanks for any suggestions.


[users@httpd] configure fails using --with-pcre with httpd-2.4.53

2022-03-14 Thread Ash
Configure fails for us when building httpd-2.4.53 from source using the 
--with-pcre option.  The error occurs on both RHEL 8 and Solaris 11.3.  A prior 
release of httpd (httpd-2.4.51) builds successfully in these same environments 
with the same commands.

We're using apr 1.7.0, apr-util 1.6.1, PCRE 8.4.1 and OpenSSL 1.1.1l.

Our configure command is:
./configure --prefix=/path/to/apache \
  --with-crypto --with-openssl=/path/to/ssl \
  --with-included-apr \
  --with-pcre=/path/to/pcre \
  --with-ssl=/path/to/ssl

The specific error on RHEL 8 is different than the error on Solaris, but on 
both platforms /path/to/pcre/bin/pcre-config is executable by the build user, 
as are all the PCRE libraries.

Console output from configure on RHEL 8 shows:
checking for -pcre2-config... no
checking for -pcre-config... no
checking for pcre2-config... no
checking for pcre-config... pcre-config
configure: error: Did not find working script at pcre-config

and config.log on RHEL 8 shows:
configure:6144: checking for -pcre2-config
configure:6174: result: no
configure:6144: checking for -pcre-config
configure:6174: result: no
configure:6188: checking for pcre2-config
configure:6218: result: no
configure:6188: checking for pcre-config
configure:6204: found /path/to/pcre/bin/pcre-config
configure:6215: result: pcre-config
configure:6236: error: Did not find working script at pcre-config


Console output on Solaris 11 shows:
checking for -pcre2-config... no
checking for -pcre-config... no
checking for pcre2-config... no
checking for pcre-config... no
configure: error: Did not find working script at /path/to/pcre

and contents of config.log on Solaris 11 show:
configure:6144: checking for -pcre2-config
configure:6174: result: no
configure:6144: checking for -pcre-config
configure:6174: result: no
configure:6188: checking for pcre2-config
configure:6218: result: no
configure:6188: checking for pcre-config
configure:6218: result: no
configure:6236: error: Did not find working script at /path/to/pcre

We notice significant changes were made to configure between 2.4.51 and 2.4.53.

Thanks for any suggestions.




Re: [users@httpd] How to use DH 4096 parameters?

2022-03-14 Thread Walter Hop
>> I’m confused where the DH 3072 comes from. My question is, what should I 
>> configure so that DH 4096 is sent?
> 
> Your problem is in step 2) generate DH params - internet.nl explicitly
> states that "Self-generated groups are 'Insufficient'". Follow their
> instructions to download one of the pre-defined groups from RFC 7919
> to make that test happy.

Thanks for your mail! I noticed that advice and already tried it, but it didn’t 
work! I’ve copied their file 
https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
to my /etc/apache2/dhparams.pem.

In my Apache config, I am pointing to that file:
SSLOpenSSLConfCmd DHParameters "/etc/apache2/dhparam.pem"

And I made sure to restart Apache.

However, even with the standard 4096 bit DH params file, still my Apache seems 
to use 3072 DH… https://internet.nl/site/lifeforms.nl/1529341/#control-panel-14

I’ve also tried using the standard 3072 bit DH params file 
https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe3072.pem
as they say this should be ‘sufficient’ but the result is still ‘insufficient’:
https://internet.nl/site/lifeforms.nl/1529352/#control-panel-14


So I’m still confused how I can use 4096 bit DH params...

Kind regards,
WH

[users@httpd] Re: mod_evasive-2.2.0-win64-VS16 stringent parameters

2022-03-14 Thread Shubhankar Soni
Hello folks,

Your suggestions on this are much appreciated.

Regards,

On Thu, Mar 3, 2022 at 9:49 AM Shubhankar Soni wrote:

> Hello All,
>
> I have been using mod_evasive-2.2.0 module to enable DoS security. My
> Apache web server is behind the Load balancer and I have added the below
> parameter values which are shipped by default with the *mod_evasive-2.2.0*
> module which are,
>
> DOSEnabled          true
> DOSHashTableSize    3097
> DOSPageCount        2
> DOSSiteCount        50
> DOSPageInterval     1
> DOSSiteInterval     1
> DOSBlockingPeriod   10
>
> The above parameter values seem to be aggressive. I added the above values
> to the Server and as soon as I restart the server, the Website responded as
> 403 Forbidden for all the users. Are there any standard criteria to set the
> above values?
>
> Regards,
>
>

-- 
Thanks & Regards,
*Shubhankar Soni*



Re: [users@httpd] How to use DH 4096 parameters?

2022-03-14 Thread Rainer Canavan
On Sun, Mar 13, 2022 at 8:08 PM Walter Hop  wrote:
[...]

> I’m confused where the DH 3072 comes from. My question is, what should I 
> configure so that DH 4096 is sent?

Your problem is in step 2) generate DH params - internet.nl explicitly
states that "Self-generated groups are 'Insufficient'". Follow their
instructions to download one of the pre-defined groups from RFC 7919
to make that test happy.

Rainer



