[EMAIL PROTECTED] wrote:
>
> > -Original Message-
> > From: Stephane Bortzmeyer [mailto:[EMAIL PROTECTED]]
> > Sent: 14 February 2001 10:49
> > To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: echoping 4.1 released : a tool to test SSL servers
> >
> >
> >
> > Release 4.0 of echoping
[EMAIL PROTECTED] wrote:
>
> > -Original Message-
> > From: Ben Laurie [mailto:[EMAIL PROTECTED]]
> > Sent: 14 February 2001 13:25
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: echoping 4.1 released : a tool to test SSL serv
[EMAIL PROTECTED] wrote:
>
> Further to my previous message, I have not only received my Cryptoswift
> card, but I actually have it working. I'm seeing a speed improvement of
> around 20x on a Dual Pentium 166.
Hmmm ... so we can expect about 3x on a single P3/1GHz. How much do
these things cost
"Ralf S. Engelschall" wrote:
>
> On Tue, Jul 04, 2000, Ben Laurie wrote:
>
> > > > > N.B. I can see some GID sites using my copy of 5.01 / 56 bit. Whether this
> > > > > is a server-side workaround or something else I don't know.
Oleg Makarenko wrote:
>
> Florin Andrei wrote:
>
> > Oleg Makarenko wrote:
> > >
> > > Florin Andrei wrote:
> > >
> > > > 56-bit IE5 works with apache_ssl but doesn't work with mod_ssl
> > >
> > > Was apache_ssl compiled with the same openssl library? What openssl library do
> > > you us
"Ralf S. Engelschall" wrote:
>
> On Mon, Jul 03, 2000, Florin Andrei wrote:
>
> > > N.B. I can see some GID sites using my copy of 5.01 / 56 bit. Whether this
> > > is a server-side workaround or something else I don't know. Any clues?
> >
> > 56-bit IE5 works with apache_ssl but doesn't
Matthias Loepfe wrote:
> Also I think it would probably be a good idea to think about supporting
> the MS-StepUp in OpenSSL.
Is there a spec for it?
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who
"Ralf S. Engelschall" wrote:
>
> On Sat, Oct 30, 1999, Magnus Stenman wrote:
>
> > > Sorry to be a bit off topic, but I'm very curious about
> > > the two questions below...
> > >
> > > Does someone know if there are any plans to incorporate
> > > the EAPI into mainstream Apache?
> >
> > There w
"Ralf S. Engelschall" wrote:
>
> On Tue, Aug 17, 1999, Ben Laurie wrote:
>
> > > > I've checked through your ideas and it seems to me that they could be
> > > > made to work with Apache-SSL (and hence, probably, mod_ssl), so long as
> > &g
Holger Reif wrote:
>
> Ben Laurie schrieb:
> >
> > I've checked through your ideas and it seems to me that they could be
> > made to work with Apache-SSL (and hence, probably, mod_ssl), so long as
> > the keys don't have passphrases.
> >
> &g
David Harris wrote:
>
> > Has anyone looked into implementing this? We currently support
> > thousands and thousands of virtual hosts and have (literally)
> > megabytes of configruation files with complex IfDefine and
> > Include directives that take Apache minutes to process, so moving
> > to m
"Ralf S. Engelschall" wrote:
>
> On Tue, Aug 03, 1999, Svante Sörmark wrote:
>
> > are there any ssl patches available for older versions of apache? i need to
> > use apache with oracles (binary only) modules for 1.2.6, and i really need
> > ssl too... oracles webserver just sucks too much.
>
>
Daniel Reichenbach wrote:
> - New Icons included for Apache SSL, Restart and Shutdown function.
If you are going to refer to Apache SSL all the time, you could at least
use it.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people:
Steffen Dettmer wrote:
>
> > > can anyone drop me a line about the differences of Apache-SSL and Apache
> > > with mod_ssl? Is the only difference that one is a patch and the other a
> > > module or are there more differences (I guess so ;) ?
> >
> > Neither is a module. They are both patches.
>
Tim Niemueller wrote:
>
> Hi there,
>
> can anyone drop me a line about the differences of Apache-SSL and Apache
> with mod_ssl? Is the only difference that one is a patch and the other a
> module or are there more differences (I guess so ;) ?
Neither is a module. They are both patches.
Cheers
[EMAIL PROTECTED] wrote:
>
> Ben Laurie <[EMAIL PROTECTED]> writes:
>
> > [EMAIL PROTECTED] wrote:
> > >
> > > No user session that
> > > is. My idea is to have the user authenticate, and then bind the user id to
> > > the ssl sess
[EMAIL PROTECTED] wrote:
>
> Ben Laurie <[EMAIL PROTECTED]> writes:
>
> > [EMAIL PROTECTED] wrote:
> > >
> > > The idea behind this is to make the ssl session id available so that other
> > > modules may use the ssl session id as a `key' into
[EMAIL PROTECTED] wrote:
>
> This patch makes the ssl session id available via the environment variable
> SSL_SESSION_ID. Apache modules may obtain this ssl session id via the
> "ap::mod_ssl::var_lookup" EAPI hook. The value of this ssl session id is
> actually the concatenation of the hex repres
Magnus Stenman wrote:
>
> Found this in the "What's new file" for Netscape 4.6:
>
> New 56-bit DES ciphers added to both export and US versions
> (requires new SSL cipher suite server-side)
>
> What is this, and does mod_ssl (or is is OpenSSL) support it?
I added them to OpenSSL when they
Harry Zink wrote:
>
> > I'm just saying that there is a definite need for some third-party
> > point-by-point comparison.
>
> Considering that at this point not only have many mod_SSL users provided
> suggestions and support for this benchmark project, but Ralph was one of the
> first to jump in
Tim Armbruster wrote:
>
> When do the performance disadvantages of gcache come into play?
What disadvantages?
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to tr
en follow...
>
> On Wed, May 05, 1999, Ben Laurie wrote:
>
> > [...]
> > d) Apache-SSL supports DSOs.
>
> Are you sure, Ben? At least I still cannot image how you support DSO while
> Apache-SSL still uses direct symbol references between the Apache core and the
> ap
tom minchin wrote:
>
> On Tue, May 04, 1999 at 07:40:58PM -0400, John Ioannidis wrote:
> > Are they just different distributions, or are there fundamental differences?
> >
> > I couldn't find the answer to this in the FAQs of either.
> >
> > I hope this isn't yet another religious thing...
> >
>
reuse when appropriate.
Known exploits
--
There are no known exploits of this security hole.
Ben Laurie, for the OpenSSL team.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He to
Steffen Dettmer wrote:
> > BTW, a few months ago we had a long thread about this topic.
> > Look inside the sw-mod-ssl mailing list archives for details.
>
> Sorry, I couldn't find it... I crawled through lot's of mails, but such a
> discussion I haven't found...
Hmmm ... there was certainly muc
Harry Zink wrote:
>
> >Would it be easier to wipe my source dir and restart from scratch or can I
> >simply add-in php3?
>
> Been there, done that - still can't get it to work myself.
>
> I installed the apapche 1.3.4+mod_SSL rpm that is floating around on
> Ralph's site - it works wonderfuly b
Ralf S. Engelschall wrote:
> On Mon, Jan 11, 1999, Bodo Moeller wrote:
> > I would like to have directives that tell the software packages how to
> > find randomness -- e.g. something allowing me to do things like
> > SSLRandomInit "dd if=/dev/random count=2"
> > SSLRandomInit "ps -Alf"
Anonymous wrote:
>
> Ben Laurie <[EMAIL PROTECTED]> wrote:
>
> > o The OpenSSL project's code will be published under an Open Source license.
> > This license will apply only to the modifications made by the OpenSSL team
> > and contributors. Eri
the joint effort are currently (in alphabetical
order):
Ben Laurie
Mark Cox
Paul Sutton
Ralf Engelschall
Stephen Henson
This group jointly control the direction of the OpenSSL project in a way
similar to the way the Apache Group works. Others may be invited to join in
the future on
Ralf S. Engelschall wrote:
> I just want to _try_ to connext in order to observe the SSL protocol
> details the Netscape server uses when forcing the SSL renegotation.
Why?
Cheers,
Ben.
--
Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant
Ralf S. Engelschall wrote:
>
> On Wed, Dec 09, 1998, Ben Laurie wrote:
>
> > > Does anyone know an existing webserver on the net where SSL client
> > > authentication is requested on a per-URL basis? And does anyone know the URL
> > > of such a server, so
Ralf S. Engelschall wrote:
>
> On Wed, Nov 18, 1998, Ben Laurie wrote:
>
> >[...]
> > > My $0.02, if it's worth anything. But if that's the way you code
> > > Apache-SSL, I'm very glad my friend pointed me to mod_ssl.
> >
> > If you
pointed me to mod_ssl.
If you want to use a system where programming errors are "corrected" by
removing the assertions that reveal them, that is your choice, of
course.
Cheers,
Ben.
--
Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +
e and you (presumably) incorporated the
fix into ssl_gcache.
Cheers,
Ben.
--
Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: [EMAIL PROTECTED] |
A.L. Digital Ltd, |Apach
Ralf S. Engelschall wrote:
>
> On Sat, Oct 31, 1998, Ben Laurie wrote:
>
> >[...]
> > > While you may think that the only way to run a SSL server is where no one
> > > can login, no users can run any programs on it, etc. in the real world
> > > that is
Marc Slemko wrote:
>
> On Sat, 31 Oct 1998, Ben Laurie wrote:
>
> > Ah, I also forgot to mention that an attacker with the ability to talk
> > to gcache can completely screw you with just legitimate messages - by
> > poisoning your cache. They can presumably also get
Marc Slemko wrote:
>
> On Sat, 31 Oct 1998, Ben Laurie wrote:
>
> > This is far to general a criterion. Some kinds of I/O are completely
> > deterministic (given correct code). I agree that to assert on user input
> > is not a brilliant idea, but on a tightly li
ons should not be used in place
of error handling. Do not put words into my mouth.
Cheers,
Ben.
--
Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: [EMAIL PROTECTED] |
Ralf S. Engelschall wrote:
>
> On Sat, Oct 31, 1998, Ben Laurie wrote:
>
> > >[...]
> > > | nRead=saferead(nFD,&usLength,sizeof usLength);
> > > | assert(nRead == sizeof usLength);
> > >
> > > Here the assert makes sure that really the
Ralf S. Engelschall wrote:
>
> On Sat, Oct 31, 1998, Ben Laurie wrote:
>
> > Ralf S. Engelschall wrote:
> > > H??? Do you mean it cannot occur in practice? Or do I misunderstand you
> > > here. As I said: We not even need an attacker: When an I/O read
nyway.
Cheers,
Ben.
--
Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: [EMAIL PROTECTED] |
A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/
London, En
course.
>
> As I said: As long as the assertions are not I/O or input related they are ok.
> But they are very problematic for a production system when they depend on
> input coming from external sources.
And the external source in this case is?
Cheers,
Ben.
--
Ben Laurie
about it, especially if
accompanied by patches. Where I draw the line is with statements like
"assertions are inherently bad".
I'll also admit that my coding style is more biased towards defending
against programmer error than attackers, but it is programmer errors
that attackers
Maert Laak wrote:
>
> On Fri, 2 Oct 1998, Ben Laurie wrote:
>
> > From: Ben Laurie <[EMAIL PROTECTED]>
> > Subject: Re: gcache session does not expire as requested - bug!
> >
> > Ralf S. Engelschall wrote:
> > > On Thu, Oct 01, 1998, Maert Laa
mod_ssl 2.0.12. Thanks for the hint.
If it is a bug, it is a bug in the C compiler. Uninitialised static
variables are guaranteed to be set to zero.
What system was this on? Which compiler?
Cheers,
Ben.
--
Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member
Freelance Con
45 matches
Mail list logo