Re: Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests

2014-02-19 Thread Pavel Matěja
On Tue, 18 February 2014 10:16:15, Daniel Kahn Gillmor wrote: > On 02/18/2014 08:14 AM, Pavel Matěja wrote: > > There is one big risk when someone uses reverse HTTPS proxy with > > ServerAlias. > > > > Let say you have on both - backend and proxy servers options: > > ServerName www.example.c

Re: 2.4.8 This Month

2014-02-19 Thread Jim Jagielski
I'd like to shoot for a T&R sometime next week... On Feb 4, 2014, at 8:58 AM, Jim Jagielski wrote: > I'd like to T&R and release 2.4.8 this month... Let's all take > some time to: > > 1. See what in trunk should really be backported > 2. Test and vote in STATUS backports > > Let's get people

Re: 2.4.8 This Month

2014-02-19 Thread Tom Browder
On Wed, Feb 19, 2014 at 8:08 AM, Jim Jagielski wrote: > I'd like to shoot for a T&R sometime next week... >> I'd like to T&R and release 2.4.8 this month... Let's all take >> some time to: >> >> 1. See what in trunk should really be backported >> 2. Test and vote in STATUS backports I hope it f

Re: 2.4.8 This Month

2014-02-19 Thread Dr Stephen Henson
On 19/02/2014 15:08, Tom Browder wrote: > On Wed, Feb 19, 2014 at 8:08 AM, Jim Jagielski wrote: >> I'd like to shoot for a T&R sometime next week... >>> I'd like to T&R and release 2.4.8 this month... Let's all take >>> some time to: >>> >>> 1. See what in trunk should really be backported >>> 2

Re: 2.4.8 This Month

2014-02-19 Thread Tom Browder
On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen Henson wrote: > On 19/02/2014 15:08, Tom Browder wrote: >> I configured httpd-2.4.7 successfully to use mod_ssl: >> >> ... > That could be user error. The path /usr/local/ssl/fips-2.0 is the default > install location of the FIPS module which isn't a

DH params and multiple certificates

2014-02-19 Thread Falco Schwarz
As of svn.apache.org/r1527295 standardized DH parameters were added to mod_ssl. If I understand docs correctly, the bit length is based on the RSA/DSA key. With the recent support of multiple certificates per VirtualHost it is possible to use an RSA and ECC certificate. When using RSA and ECC,

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-19 Thread Jeff Trawick
On Tue, Feb 18, 2014 at 5:00 PM, Dr Stephen Henson < shen...@opensslfoundation.com> wrote: > On 18/02/2014 20:06, Jeff Trawick wrote: > > On Mon, Feb 3, 2014 at 6:21 AM, Dr Stephen Henson < > shen...@opensslfoundation.com > > > wrote: > > > > On 02/02/2014

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-19 Thread Dr Stephen Henson
On 19/02/2014 18:37, Jeff Trawick wrote: > > > I think this is the trick... > > +rc = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST); > +while (rc) { > +x = SSL_CTX_get0_certificate(ctx); > +if (x) { > +chain = NULL; > +SSL_CTX_get0_chain_certs(

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-19 Thread Jeff Trawick
On Wed, Feb 19, 2014 at 2:23 PM, Dr Stephen Henson < shen...@opensslfoundation.com> wrote: > On 19/02/2014 18:37, Jeff Trawick wrote: > > > > > > I think this is the trick... > > > > +rc = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST); > > +while (rc) { > > +x = SSL_CTX_get0_ce

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-19 Thread Dr Stephen Henson
On 19/02/2014 20:17, Jeff Trawick wrote: > On Wed, Feb 19, 2014 at 2:23 PM, Dr Stephen Henson > <shen...@opensslfoundation.com> wrote: > > On 19/02/2014 18:37, Jeff Trawick wrote: > > > > > > I think this is the trick... > > > > +rc = SSL_CTX_set_current_cert(ctx

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-19 Thread Dr Stephen Henson
On 19/02/2014 20:17, Jeff Trawick wrote: > On Wed, Feb 19, 2014 at 2:23 PM, Dr Stephen Henson > <shen...@opensslfoundation.com> wrote: > > That works for two cases above. If however the on the fly chain building > is > performed it will fail. > > > Perhaps this is naive, but it m

Re: 2.4.8 This Month

2014-02-19 Thread Tom Browder
On Wed, Feb 19, 2014 at 11:21 AM, Tom Browder wrote: > On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen Henson > wrote: >> On 19/02/2014 15:08, Tom Browder wrote: >>> I configured httpd-2.4.7 successfully to use mod_ssl: >>> >>> ... >> That could be user error. The path /usr/local/ssl/fips-2.0 is t

Re: 2.4.8 This Month

2014-02-19 Thread Dr Stephen Henson
On 19/02/2014 23:54, Tom Browder wrote: > On Wed, Feb 19, 2014 at 11:21 AM, Tom Browder wrote: >> On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen Henson >> wrote: >>> On 19/02/2014 15:08, Tom Browder wrote: I configured httpd-2.4.7 successfully to use mod_ssl: ... >>> That could be

Re: 2.4.8 This Month

2014-02-19 Thread William A. Rowe Jr.
Tom, please start a new thread, this is a discuss thread for planning a 2.4.8 release. Thanks. On Wed, Feb 19, 2014 at 5:54 PM, Tom Browder wrote: > On Wed, Feb 19, 2014 at 11:21 AM, Tom Browder > wrote: > > On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen Henson > > wrote: > >> On 19/02/2014 15

SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread Tom Browder
On Wed, Feb 19, 2014 at 7:09 PM, Dr Stephen Henson wrote: > On 19/02/2014 23:54, Tom Browder wrote: >> On Wed, Feb 19, 2014 at 11:21 AM, Tom Browder wrote: >>> On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen Henson >>> wrote: On 19/02/2014 15:08, Tom Browder wrote: > I configured httpd-2.4

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread Dr Stephen Henson
On 20/02/2014 00:24, Tom Browder wrote: > On Wed, Feb 19, 2014 at 7:09 PM, Dr Stephen Henson > wrote: >> On 19/02/2014 23:54, Tom Browder wrote: >>> On Wed, Feb 19, 2014 at 11:21 AM, Tom Browder wrote: On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen Henson wrote: > On 19/02/2014 15:08

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread William A. Rowe Jr.
Odd, there is something going on here. I am wondering if this fails to resolve zlib libraries? Also don't concern yourself with the 0.9.7 check, you met it (>=) with 1.0.1. Somehow, it didn't resolve the ssl library files initially given adding "-L/usr/local/ssl/lib" to LDFLAGS setting LIBS to

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread Tom Browder
On Wed, Feb 19, 2014 at 7:37 PM, William A. Rowe Jr. wrote: > Odd, there is something going on here. I am wondering if this fails to I'm sorry for muddying the water. I originally used the option 'zlib' for configuring openssl-fips and open ssl. I'm in the process of rebuilding without the zli

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread William A. Rowe Jr.
No, it isn't muddying things, this should just work. So you are building your own openssl. Are you certain your build of ssl and build of httpd and apr are using the same 32 or 64 bit memory model? That's one obvious reason where ld will fail. And the zlib, expat and pcre you resolve to must al

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread Dr Stephen Henson
On 20/02/2014 00:24, Tom Browder wrote: > On Wed, Feb 19, 2014 at 7:09 PM, Dr Stephen Henson > wrote: > .. >>> checking for OpenSSL version >= 0.9.7... OK > >> Well something is wrong there with it indicating OpenSSL version 0.9.7. If >> you >> intend to use the FIPS 2.0 module you must use Open

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread William A. Rowe Jr.
I've noticed that openssl default builds do not necessarily add -lz to the lib/pkgconfig/openssl.pc when they might be needed. In any case I'm going to guess you perhaps hadn't installed the zlib1g-dev package? On Wed, Feb 19, 2014 at 7:09 PM, Dr Stephen Henson < shen...@opensslfoundation.com> w

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread Tom Browder
On Wed, Feb 19, 2014 at 8:39 PM, William A. Rowe Jr. wrote: > I've noticed that openssl default builds do not necessarily add -lz to the > lib/pkgconfig/openssl.pc when they might be needed. In any case I'm going > to guess you perhaps hadn't installed the zlib1g-dev package? No, it's installed.

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread William A. Rowe Jr.
You could try tweaking the deployed /usr/local/lib/pkgconfig/openssl.pc file to include -lz in Libs: (just after -ldl), and then re-./configure On Wed, Feb 19, 2014 at 7:52 PM, Tom Browder wrote: > On Wed, Feb 19, 2014 at 8:39 PM, William A. Rowe Jr. > wrote: > > I've noticed that openssl defa

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread Tom Browder
On Wed, Feb 19, 2014 at 9:11 PM, William A. Rowe Jr. wrote: > You could try tweaking the deployed /usr/local/lib/pkgconfig/openssl.pc file > to include -lz in Libs: (just after -ldl), and then re-./configure I'll first see if I can get a good SSL to work. So far no build problems after I took ou

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread Dr Stephen Henson
On 20/02/2014 02:21, Tom Browder wrote: > On Wed, Feb 19, 2014 at 9:11 PM, William A. Rowe Jr. wrote: >> You could try tweaking the deployed /usr/local/lib/pkgconfig/openssl.pc file >> to include -lz in Libs: (just after -ldl), and then re-./configure > > I'll first see if I can get a good SSL to

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread William A. Rowe Jr.
First insight, did you ./config openssl, or ./config shared? It seems near impossible to use static openssl. apr-util configure will fail since pkgconfig isn't consulted properly. httpd configure would also likely fail for redundant symbols. Second insight - apr-util version 1.5 includes openss

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread Dr Stephen Henson
On 20/02/2014 02:40, William A. Rowe Jr. wrote: > First insight, did you ./config openssl, or ./config shared? It seems near > impossible to use static openssl. apr-util configure will fail since > pkgconfig > isn't consulted properly. httpd configure would also likely fail for > redundant > s

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread William A. Rowe Jr.
On Wed, Feb 19, 2014 at 8:51 PM, Dr Stephen Henson wrote: > > On 20/02/2014 02:40, William A. Rowe Jr. wrote: > > First insight, did you ./config openssl, or ./config shared? It seems near > > impossible to use static openssl. apr-util configure will fail since > > pkgconfig > > isn't consulted

Re: DH params and multiple certificates

2014-02-19 Thread Dr Stephen Henson
On 19/02/2014 17:30, Falco Schwarz wrote: > As of svn.apache.org/r1527295 standardized DH parameters were added to > mod_ssl. If I understand docs correctly, the bit length is based on the > RSA/DSA key. With the recent support of multiple certificates per VirtualHost > it is possible to use an

Re: Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests

2014-02-19 Thread William A. Rowe Jr.
I believe that Kaspar and Ruediger are still entirely at odds with my position, but this 'enhancement' should never have been unilaterally applied as it was to 2.2.26 and must be reverted (even as the feature is 'fixed' with corrections they have blessed), e.g. the comparison must be constrained to

mod_ssl openssl ./configure particularity

2014-02-19 Thread William A. Rowe Jr.
Can anyone offer background as to why httpd 2.4 branch ./configure likes checking for OpenSSL... checking for user-provided OpenSSL base directory... /usr/local/ssl adding "-I/usr/local/ssl/include" to CPPFLAGS setting MOD_CFLAGS to "-I/usr/local/ssl/include " setting ab_CFLAGS to "-I/usr/local/

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread Tom Browder
On Wed, Feb 19, 2014 at 9:40 PM, William A. Rowe Jr. wrote: > First insight, did you ./config openssl, or ./config shared? It seems near No option which I think means static. > impossible to use static openssl. apr-util configure will fail since > pkgconfig isn't consulted properly. httpd con

Re: DH params and multiple certificates

2014-02-19 Thread Kaspar Brand
On 20.02.2014 04:06, Dr Stephen Henson wrote: > On 19/02/2014 17:30, Falco Schwarz wrote: >> The ECC certificate should in any way be skipped and not taken into account >> when setting DH params. >> > > I think that's a consequence of how SSL_get_certificate wo

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-19 Thread Kaspar Brand
On 19.02.2014 20:23, Dr Stephen Henson wrote: > However for that to work it needs application support either explicitly by > using > SSL_CTX_add0_chain_cert or via the use of SSL_CTX_use_certificate_chain_file > which uses this transparently in OpenSSL 1.0.2. I just checked and httpd > currently d

Re: SSL and Apache Httpd 2.4.7 [was Re: 2.4.8 This Month]

2014-02-19 Thread William A. Rowe Jr.
There is no embedded. httpd-2.2 included apr, apr-util. httpd-2.4 by vote of the PMC excluded apr, apr-util, so you might be imagining things. Or RM's are doing some goofy things. On Wed, Feb 19, 2014 at 9:34 PM, Tom Browder wrote: > On Wed, Feb 19, 2014 at 9:40 PM, William A. Rowe Jr. wrote