Thawte is pretty cheap. $127 bucks through their ISP channel (anyone
can sign up) for a regular web cert, I am not sure you can do much better.
If it's not worth $127 a year, then I assume it's not for profit, e.g.
for internal use only or for a small number of users. In that case,
just use self-s
Add:
SSLPassPhraseDialog exec:(path to SSLpassphrasefile)
to httpd.conf
SSLpassphrasefile is:
#!/bin/sh
echo (passphrase)
Of course, this is a security risk, since you've got your pass phrase
stored on the server itself in clear text. The consequences of that should
be considered. You coul
You can't use name-based virtual hosting for SSL. More specifically
you cannot have two SSL virtual hosts bound to the
same IP and port. You must either use a different IP or a different
port. Check the FAQ or archives of this list for details of why you
can't do this.
Jamie
On Sunday, Februar
It is impossible, read the faq. For your purposes, why not just use
alternate ports, or use a subdirectory of a single secure server (e.g.
https://yourhost.com/yourclient)? For administration purposes - presumably
by the person who maintains the sites - the url really doesn't matter much.
Ja
... and you can tell your browser to add a certificate to its root
authority list so it won't warn you in the future. So if it's for a small
group or intranet you simply tell everyone how to accept the cert and
they'll never be bothered again.
But for any commercial use this simply won't fly
Why did you need to do this? I would think this would have unpredictable
results. You only need one IP address to use the same domain name for
both http and https since they are accessed on different ports.
# Secure virtual host
...
# http virtual host
...
is the usual way to set this up.
Apache 1.3.14 will not compile with php4.0.0? Why? Also, why _must_ you use
a specific version of PHP that contains documented memory leaks, among
other bugs, when there are more recent versions available?
Using the 2.7.1 version of mod_ssl (without RSAREF) also has the
significant advantage o
I was going to note a similar problem I was having to this list (as I
believed it to be mod_ssl related at first), but I believe the problem is
not with mod_ssl but with Apache 1.3.14 and/or PHP 3.0.4pl1. That is, are
you noting this problem with https only, or have you confirmed that it
exis
True, there's nothing in protocol against it, and users can switch it off,
but if you're trying to sell something over the internet (which is the
reason a lot of people use SSL) then you really need to cater to the least
common denominator. Trying to explain frightening messages to the 60% or
I would absolutely *not* do this, unless you want your web site users to
see a message from the web browser saying "this page has both secure and
insecure information. Do you want to proceed?" every time they use your
site. This does not instill confidence.
-- Jamie
At 06:03 AM 11/6/00, Owe
The others have answered one part of your question, but I wanted to mention
another very significant part of the whole support issue.
What is your experience with paid, supported software from companies like
'the evil empire'? Personally, I have been in many situations where I was
ready, willi
Here's one way... Set up your roots in separate directories in
httpd.conf:
./normal-root/
./secure-root/
Make a symbolic link from ./normal-root/index.html to
./secure-root/index.html
This would be the only "file" under normal-root, and everything
is stored in secure-root but the link makes jus
Doesn't seem like a big deal to me.. even _without_ the phpinfo() function
i could probably tell you with about 80% accuracy what directories stuff on
any given server is installed in, since most people use the defaults
anyway. And any technical mailing list such as this one would tell you
ex
The answer lies..
https://www.ahresources.org
(https, not http)
He got to ModSSL via the "Apache Interface to SSLEay" link. I
guess he missed the next paragraph that reads
"ATTENTION! If you are seeing this page instead of the site
you expected, please contact the administrator of the site invo
I just sent him a message asking him to stop his takeover of our mailing
list. What on earth is he talking about anyway? How could someone link
_from_ his site to theirs? And assuming he really meant someone linked from
_their_ site to _his_ site (which is completely empty anyway), why the hell
You can't have a secured area without a certificate. The entire
principle of the system depends on a certificate from the server. It's
like trying to find a way to keep your door locked without carrying keys
around.
You need to either buy a cert from a trusted issuing authority, or g
At 05:53 AM 9/21/00, Nick Davies wrote:
>It's just to save me time really. I have a few shop sites to move to a
>new server and that's how it's been set up. I can't be bothered tolling
>through loads of code to change everything.
>
>I'll do it properly some other time.
Just set the root for HTTP an
Why not just use a different document root for the secure and insecure
sites? Put symbolic links from the HTTPS root into the regular root for
directories that you want to make available insecurely as well.
Jamie
At 02:01 PM 9/14/00 , Carlos Ramirez wrote:
You can use mod_rewrite.
Example:
R
You don't really "install" a certificate, you simply put it somewhere and
then reference it in your httpd.conf file:
SSLCertificateFile /path/your.domain.com.crt
SSLCertificateKeyFile /path/your.domain.com.key
You probably should set privileges to only allow access by the user that
apache runs
RTFA ;-)
Virtual hosting does not work with SSL. Each site must have its own IP.
Jamie
At 12:10 PM 9/8/00, Thomas E. Ruth wrote:
>Hello,
>
>I have a little bug I found that I'd like to report.
>
>I am using the NameVirtualHost facility of Apache together with SSL. The
>problem comes with the en
The information that isn't linked on the web site is included in the
tarball, called "Install".
-- Jamie
At 12:54 PM 9/7/00, Marcos Sanchez wrote:
>Hello!
>
> I'm about to install mod_ssl 2_1_8-1_3_4 but I couldn't find the
>information to a detailed installation of mod_ssl in the webs
At 10:33 AM 8/31/00, Airey, John wrote:
>Seriously though, I have to say that there are a number of postings to this
>list that fall into the RTFM category, especially when it comes to the SSL
>chicken and egg problem (please don't ask!). If I could get commission for
>every message I've seen on t
Ought to be a piece of cake with perl, and to set to a log format that
includes the virtual host is easy enough with a single configuration
directive. You could even do it with a single grep for each virtual server
if you wanted.
Also, from my reading of the file limit problem on apache's doc
Wouldn't it be simpler to set up a little cron job to break up your log
file by virtual host every day?
At 09:03 AM 5/23/00 -0400, [EMAIL PROTECTED] wrote:
>The per process file opening limit was a configurable parameter of your OS.
>It was either a user resource limit (ulimit) or a tunable kern
On the other hand, if you have a need to authenticate many SSL sites within
your top level domain, it's probably because you need to distribute
load. How I would love to be in a position of needing to spend an extra
$100 for another cert because my primary server was maxed out.
Seems like not
In response to Veronique's original question - there's no way that I can
think of to make a user re-authenticate on your site after they "leave".
HTTP is by nature a request/response protocol so how would you know
they "left" your site? The only control you have is with time, which
should
Remove the "listen" directive for port 80 for that server in httpd.conf
Jamie
At 03:50 PM 5/12/00 +0800, wen wrote:
>modssl-users:
> I have installed apache+openssl+modssl. Now I want to allow
> intranet client request webserver by HTTPS only, don't allow by http. How
> to do?
>
I don't know how to do it without recompiling, but it really doesn't take
that long to recompile. In my experience it has always taken a little
messing around to get the configure's exactly right, so I save the
statements for each component in a script file so I can just rerun it each
time I n
Check httpd.conf. If you are upgrading from a previous version, and
therefore aren't using the default httpd.conf for this version of mod_ssl,
then check httpd.conf.default (which will be generated when you install
apache + mod_ssl) and make sure you merge any missing directives.
My guess is
When I got certs from Thawte (now owned by VeriSign) they had extensive
instructions on their web site for generating a CSR. This wasn't a big
deal. You run the openssl program to create a new CSR for your company and
it asks you to enter all the information. Thawte's web site has step by
st
using the following directive
> in your SSL-aware virtual host section:
>
> SetEnvIf User-Agent ".*MSIE.*" nokeepalive
> ssl-unclean-shutdown
>
> At 10:18 AM 5/4/00 -0400, James Treworgy wrote:
> >I am running apache 1.3.12 + mod_ssl 2.6.4 (openssl
Yes, but this isn't really useful unless you are using the certs in a
closed/internal situation. Having to explain to random users on your web
site that they need to import you as a CA authority doesn't serve the
purpose very well of assuring users they can trust you.
Jamie
At 09:21 AM 5/5/0
My cache is indeed set this way. Also, I don't seem to be getting any
errors in my log when this happens. The last two errors are:
[Thu May 4 11:50:14 2000] [error] mod_ssl: SSL handshake timed out (client
216.181.63.35, server ss.generationnet.org:443)
[Mon May 1 18:02:07 2000] [error] mod_
No. The short answer (and about as much as I understand ;-) is that part
of the purpose of the certificate authorities is that an independent third
party has verified the information provided by your certificate. The
browsers are hardcoded with information about the certificate authorities
a
tes). I thought installing it as a DSO might help
but it still happens. I can't seem to create a specific circumstance under
which it will happen - e.g. if I restart httpd it won't do it the first
time I hit the site