- see
http://issues.apache.org/bugzilla/show_bug.cgi?id=41123)
Thanks
Marc
Rob Crittenden wrote:
Marc Stern wrote:
What are the advantages/disadvantages between mod_ssl mod_nss ?
Marc
mod_ssl has the advantage that it is in wide use and has had many
eyeballs on it. It is feature-rich
What are the advantages/disadvantages between mod_ssl mod_nss ?
Marc
That would definitely be a good thing.
More and more servers are using a HSM, and we only can suggest to our
customers who want to do so to use a commercial server like IIS.
Marc
I can't find how to do that, could you help me ?
Thanks,
Marc
Jim Jagielski wrote:
Yep. No problem.
On Feb 21, 2007, at 4:50 AM, Marc Stern wrote:
Is it also possible to make a post with this ?
This is what I need.
Jim Jagielski wrote:
How could we use mod_proxy for outgoing
How is it possible to modify another module's setting, like, for
instance, the content of a 'SSLDirConfigRec' structure (from mod_ssl)
from another module ?
Thanks
Marc
) possibility would be to hard-code a test certificate
in the distribution.
*/Marc Stern/*
William A. Rowe, Jr. wrote:
Everyone agrees that a batch file or something that would help the users make
a server certificate would be goodness; this isn't a win32-specific issue,
either, if you examine
to the
proxy_handler ?
*/Marc Stern/*
15 votes (14 in Bugzilla + Matthieu Estrade in the list), and no veto.
Can we add it ?
Thanks
*/Marc Stern/*
Approach Belgium http://www.approach.be
Avenue Einstein, 2A
B-1348 Louvain-la-Neuve
Belgium
Tel: +32 475 68 29 10
Fax: +32 10 83 22 55
serial
number is a real annoyance
I ported the patch to 2.2.4
Rem: There is no shortname defined in OpenSSL, only longname
+1 from me
Thanks
--
*/Marc Stern/*
in 2.0.54 ;-) .
This solution is also used as the base for several initiatives around
interoperable SSL authentication between national PKI.
Could you please accept this in the trunk ?
+1 from me
Thanks
--
Marc Stern
;-) .
Could this be included in next version ?
I also modified the documentation to reflect the new directives. Should
I include it in the same patch, or open a separate patch for the doc ?
I have a picture describing the validation process, is it possible to
include it in the doc ?
Thanks
*/Marc
me to write a patch for this ?
--
*/Marc Stern/*
Hi Joe
1. The current idea is to trap validation-related errors, like
certificate expiration/revocation.
Shouldn't we also trap negotiation errors, like incompatible
ciphersuites and protocols between browser and server ?
Maybe other ones ?
I would not try to solve everything at once;
in a separate module.
I'd like to work soon on this; if you want to participate, please
contact me asap.
Regards
*/Marc Stern/*
I use %{SSL_CLIENT_CERT}e with 2.0.54 (patched to get mod_ssl headers).
Is this the problem ? Was it fixed after 2.0.54 ?
- Original Message -
From: Joe Orton [EMAIL PROTECTED]
To: Marc Stern [EMAIL PROTECTED]
Cc: Apache development list dev@httpd.apache.org
Sent: Wednesday, March 22
I found a strange behaviour related to mod_ssl and caching.
I have a module that hooks the requests (via ap_hook_post_read_request).
I defined a location such as:
<VirtualHost _default_:443>
    MyDirective global
    <Location /sub>
        MyDirective sub
    </Location>
</VirtualHost>
When I connect to the host in the
When a certificate contains UTF-8 characters, like non-English names, the
Distinguished Name that is returned to the Web server (if we export the
SSL_CLIENT_S_DN header) encodes the binary characters (\x..). Is this
mandatory ?
This is very annoying because the applications would have to
;
+
+hdr = ptr = apr_pstrdup(p, hdr);
+
+do {
+if (*ptr == APR_ASCII_LF || *ptr == APR_ASCII_CR)
+*ptr = APR_ASCII_BLANK;
+} while (*ptr++);
+}
+return hdr;
+}
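Review bot: the `do { ... } while (*ptr++)` loop that turns `APR_ASCII_LF` and `APR_ASCII_CR` into `APR_ASCII_BLANK` carries no comment saying why, and `apr_pstrdup(p, hdr)` copies the value even when it contains no line break. Suggest a one-line comment above the loop stating that the value is flattened so it stays on a single header line, and scanning for CR/LF first so the copy is made only when a replacement is actually needed.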
- Original Message -
From: Joe Orton [EMAIL PROTECTED]
To: Marc Stern
It seems that the PEM-encoded certificate coming out of OpenSSL (0.9.8a in
my case) contains new lines without leading space, which is interpreted as a
new HTTP header.
Even more important, the last empty line leads to 2 new lines without
leading space, which is interpreted as the end of all HTTP
It's a bit more complex than that.
At a certain point, a fix was released for IE 6 to correct the
incompatibility that needed the 'ssl-unclean-shutdown' directive (I guess
it's KB 831167). At this point, we had two different flavours of IE+SSL
floating around.
Although we can determine if
Just a little correction: the code is being tested (under Windows and Linux)
from January 2004, not May.
Marc
- Original Message -
From: Marc Stern [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, September 23, 2004 1:41 PM
Subject: OCSP support added
I added support
I added support for certificate validation through OCSP, where the OCSP
server URI is contained in the certificate itself (following the X.509
standard).
The patch is available on
http://issues.apache.org/bugzilla/show_bug.cgi?id=31383 (for 2.0.49, but
most of it is in separate files).
The check
I'd like to re-load the CRL on a regular basis (every few hours) without
re-starting the server.
How can we do that ?
We need to re-build the store at some time, where ?
Thanks,
Marc
Hi,
I want to find the issuer of the current certificate in "ssl_callback_SSLVerify_CRL()".
The certificate is "X509_STORE_CTX_get_current_cert(ctx)",
where ctx is the parameter to "ssl_callback_SSLVerify_CRL()". That's
easy.
The problem is to use the "X509_STORE_CTX_get1_issuer()"
It compiles correctly, now I will try it.
You also need to #include apr_optional.h
Marc
- Original Message -
From: Mathihalli, Madhusudan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, May 14, 2004 6:50 PM
Subject: RE: SSL_CLIENT_S_DN and proxy
Hi,
I just realized that Joe had
Hi,
Could you please explain to me what the purpose of the ok parameter is?
More specifically, am I correct in understanding that this function (that I
am modifying to add OCSP) must return the value of the parameter (ok) if
it succeeds, and !ok if it fails ?
Thanks,
Marc
Madhu,
I tested Joe's code, and it works very well.
I hope it will be included in 2.1
Just a few remarks on the code:
- We must add #include apr_optional.h
- header_request_ssl_var() should return NULL instead of (null) in order
to possibly add other header getters
As a more general question,
*a)
{
const char *s = apr_table_get(r-subprocess_env,a);
+
+if (s == NULL) {
+s = header_request_ssl_var(r, a);
+}
if (s)
return unwrap_header(r-pool, s);
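Review bot: the `if (s)` test after the new `header_request_ssl_var(r, a)` fallback can only tell a missing variable apart if that function returns NULL; if it returns the string (null), which a remark elsewhere in this thread asks to change, the branch is always taken and `unwrap_header()` runs on a placeholder value. Suggest having header_request_ssl_var() return NULL when the variable is not set and stating that contract in a comment beside the fallback.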
-Original Message-
From: Marc Stern [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 12, 2004 11:35 PM
To: [EMAIL
of the treatment ?
Marc
- Original Message -
From: Joe Orton [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, May 12, 2004 3:27 PM
Subject: Re: SSL_CLIENT_S_DN and proxy
On Wed, May 12, 2004 at 01:09:03PM +0200, Marc Stern wrote:
When using Apache as a proxy:
( browser
When using Apache as a proxy:
( browser --https-- Apache + mod_proxy --https-- Web server )
the Web server never receives the user's certificate info, because only the
proxy is seen by the Web server. That means that all headers SSL_CLIENT_*
contain the proxy certificate info, not the user