Re: [users@httpd] Apache is unable to access /tmp in any way
> I always get 403 Forbidden for that.

I can recall when I first downloaded one of these web servers, if you put an incorrect URL for which a page didn't exist, your directory structure appeared with full HTTP access to anyone. Clearly the restriction on /tmp is an improvement.

On Wed, 15 Feb 2023, 15:07 Eric Covener, wrote:

> > Except for anything under /tmp.
> >
> > I always get 403 Forbidden for that.
>
> What's the verbatim ErrorLog entry for it?
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Query about support for OpenSSL 1.1.1
On Wed, Feb 15, 2023 at 9:44 AM Vivek Naruka (EXT-NSB) wrote:
>
> There is new version of Openssl i.e. Openssl 3.0 available for which Httpd
> provide support in its newly released versions.
>
> We are using Openssl version 1.1.1 in our project and need to know that if
> Httpd will continue its support towards Openssl 1.1.1 as well till year 2030.

httpd will not support openssl-1.1.1 longer than the openssl project maintains it, and while httpd-2.4.x will surely support openssl-1.1.1 until its last revision, there is no guarantee that httpd-2.4.x itself will still be maintained in 2030.

For instance if some httpd-2.6.x or httpd-3.x is released by 2030 when openssl-1.1.1 is not maintained anymore by the openssl team then it may not support this openssl version from the start, so if/whenever httpd-2.4.x itself stops being maintained by the httpd team there is no support for openssl-1.1.1 in any maintained httpd version.

In any case, the questions about maintenance times/deadlines concern more the vendors/distros than the httpd project itself.

Regards;
Yann.
Re: [users@httpd] OCSP multi stapling support (Apache 2.4.37)
OCSP stapling is supported on

- Apache HTTP Server (>=2.3.3)
- Nginx (>=1.3.7)

The symbol means greater than or equal to 2.3.3.

To be honest I never heard of OCSP stapling so I googled. How-to and concepts can be found at
https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx

On Thu, 16 Feb 2023, 13:01 Akshath Hegde, wrote:

> Hi,
> I had some questions about using OCSP for revocation.
> I have a client that connects to apache http server 2.4.37 (RHEL). I have
> enabled SSL and OCSP stapling on the server with this configuration ->
> Root
> -> Intermediate
> -> Server Certificate
> -> OCSP signer certificate
> Both the intermediate and Server certificate contain the OCSP responder
> URL in AIA extension. And there is a OCSP responder running on the same.
> The client will send the "status_request" extension during handshake. I
> see the server is querying the responder for the revocation status of the
> end entity certificate and returning that back to client. But the
> revocation status for intermediate cert doesn't seem to be queried or put
> back in response.
> Note: The version negotiated is TLS 1.3
> From the documentation about OCSP stapling it seemed RFC 6961 is not
> implemented(relevant for TLS 1.2). Please let me know if this understanding
> is correct. But in case of TLS 1.3, the response can be added as a
> certificate specific extension of TLS Certificate message. It wasn't clear
> if I should be expecting the OCSP response even for the intermediate cert
> in this situation.
>
> To summarize
> Is OCSP multi stapling supported by apache 2.4.37 ?
>
> Any pointers would be helpful. Thanks in advance
>
> Regards
> Akshath
[users@httpd] OCSP multi stapling support (Apache 2.4.37)
Hi,

I had some questions about using OCSP for revocation.

I have a client that connects to apache http server 2.4.37 (RHEL). I have enabled SSL and OCSP stapling on the server with this configuration ->

Root
-> Intermediate
-> Server Certificate
-> OCSP signer certificate

Both the intermediate and Server certificate contain the OCSP responder URL in AIA extension. And there is an OCSP responder running on the same.

The client will send the "status_request" extension during handshake. I see the server is querying the responder for the revocation status of the end entity certificate and returning that back to client. But the revocation status for intermediate cert doesn't seem to be queried or put back in response.

Note: The version negotiated is TLS 1.3

From the documentation about OCSP stapling it seemed RFC 6961 is not implemented (relevant for TLS 1.2). Please let me know if this understanding is correct. But in case of TLS 1.3, the response can be added as a certificate specific extension of TLS Certificate message. It wasn't clear if I should be expecting the OCSP response even for the intermediate cert in this situation.

To summarize
Is OCSP multi stapling supported by apache 2.4.37 ?

Any pointers would be helpful. Thanks in advance

Regards
Akshath
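The TLS 1.3 layout mentioned in the post above (an OCSP response carried as a per-certificate `status_request` extension inside the Certificate message) can be checked entry by entry. This is an added example, not part of the original post or of httpd; the function names are hypothetical, the input is the decrypted Certificate message body after the 4-byte handshake header, and the sample bytes are constructed to mirror the observation in the post (a staple on the end-entity entry, none on the intermediate).

```python
STATUS_REQUEST = 5   # ExtensionType status_request (RFC 6066, reused by RFC 8446)
OCSP = 1             # CertificateStatusType ocsp

def _vec(buf, pos, len_bytes):
    """Read a length-prefixed vector at pos; return (payload, next_pos)."""
    start = pos + len_bytes
    if start > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[pos:start], "big")
    if start + n > len(buf):
        raise ValueError("truncated vector")
    return buf[start:start + n], start + n

def stapled_entries(cert_msg):
    """For each CertificateEntry in a TLS 1.3 Certificate message body,
    return the length of its stapled OCSP response, or None if absent."""
    _ctx, pos = _vec(cert_msg, 0, 1)        # certificate_request_context
    entries, pos = _vec(cert_msg, pos, 3)   # certificate_list
    if pos != len(cert_msg):
        raise ValueError("trailing bytes after certificate_list")
    out, p = [], 0
    while p < len(entries):
        _cert, p = _vec(entries, p, 3)      # cert_data (DER certificate)
        exts, p = _vec(entries, p, 2)       # extensions for this entry only
        found, e = None, 0
        while e < len(exts):
            ext_type = int.from_bytes(exts[e:e + 2], "big")
            data, e = _vec(exts, e + 2, 2)
            if ext_type == STATUS_REQUEST and data[:1] == bytes([OCSP]):
                resp, _ = _vec(data, 1, 3)  # OCSPResponse (DER), not validated here
                found = len(resp)
        out.append(found)
    return out

def _pack(payload, len_bytes):
    return len(payload).to_bytes(len_bytes, "big") + payload

def build_sample():
    """Constructed message: leaf entry with a staple, intermediate without."""
    fake_ocsp = b"\x30\x03\x0a\x01\x00"     # placeholder bytes, not a signed response
    status = bytes([OCSP]) + _pack(fake_ocsp, 3)
    leaf_ext = STATUS_REQUEST.to_bytes(2, "big") + _pack(status, 2)
    leaf = _pack(b"LEAF-DER", 3) + _pack(leaf_ext, 2)
    inter = _pack(b"INTERMEDIATE-DER", 3) + _pack(b"", 2)
    return _pack(b"", 1) + _pack(leaf + inter, 3)

if __name__ == "__main__":
    print(stapled_entries(build_sample()))
```

A result with `None` for every entry after the first means only the end-entity certificate carried a stapled response in that handshake.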
[users@httpd] RE: Query about support for OpenSSL 1.1.1
Hi Team,

Please respond at the query in previous mail.

Thanks and Regards
Vivek Singh Naruka

From: Vivek Naruka (EXT-NSB)
Sent: 15 February 2023 14:14
To: 'users@httpd.apache.org'
Subject: Query about support for OpenSSL 1.1.1

Hi Team,

There is new version of Openssl i.e. Openssl 3.0 available for which Httpd provide support in its newly released versions.

We are using Openssl version 1.1.1 in our project and need to know that if Httpd will continue its support towards Openssl 1.1.1 as well till year 2030.

Thanks and Regards
Vivek Singh Naruka