Re: Regarding Certificate Authority

2002-04-17 Thread Peter Viertel
You have set your mod_ssl up correctly, however your browser is telling you that you did not pay from $100 to $1000 to one of the CAs listed as trusted by the vendor of your BROWSER. To avoid the message, you need to store the certificate for the website in your browser's database of trusted

Re: encipher box

2002-04-22 Thread Peter Viertel
Yes, I've done it a few times with apache 1.3 on Solaris, still mucking around with apache 2 though. What you need is: a) the nCipher software for the o/s - these are binary only and will set up a daemon called hardserver, and another package that installs the CHIL library. If they don't have pa

Re: potential apachectl modification

2002-04-22 Thread Peter Viertel
Soft restarts like this crash httpd if you have added/deleted SSL key or certificate lines in the config file - in these cases you must fully stop/restart the daemon. So I would say there is a case for a restartssl option, although I'm happy enough to run stop, check for all daemons dying, then r

Re: potential apachectl modification

2002-04-22 Thread Peter Viertel
httpd -t will error on SSL stuff not between lines. I think you'll find that your LoadModule is in an ifDefine while the unloadmodule isn't. httpd -DSSL -t is the way to check all the syntax in httpd.conf; without the -DSSL you're only checking half of it. Aryeh Katz wrote: Use apache

Re: SSL-Problem with Mac MSIE

2002-04-23 Thread Peter Viertel
No, I wouldn't want to disable SSL3 either... One case I know of like this is to do with advertising EXPORT56 ciphers on the server side... some variants of IE barf if they're talking to a site with a so-called 128 bit certificate (an SGC cert). I have used this when a site has an uber-cert for

Re: N/A

2002-05-07 Thread Peter Viertel
Use VirtualHost stanzas: ie: ServerName www.foo.com Redirect /private https://www.foo.com/private DocumentRoot "htdocs" ServerName www.foo.com SSLCertificateFile conf/ssl.crt/server.crt SSLCertificateKeyFile conf/ssl.key/server.key

Re: N/A

2002-05-07 Thread Peter Viertel
--- Original Message --- From: "Peter Viertel" <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Sent: Tue, 07 May 2002 12:55:04 +0100 Subject: Re: N/A Use VirtualHost stanzas: ie: ServerName www.foo.com Redirect /private https://www.foo.com/

Re: Certificates and Apache/modssl

2002-05-10 Thread Peter Viertel
Keep-alive is a pain all round really... But not necessarily so as regards renegotiation. SSL has a concept of session resuming. The first thing exchanged during an ssl session is the previously negotiated session-id - the startup of these resumed sessions is a lot cheaper than an initial

Re: make certificate TYPE=custom?

2002-05-16 Thread Peter Viertel
make certificate does not work in apache 2 yet. Copy your key and certificate from the 1.3 installation. mineka fujimoto wrote: Hello, I am a student studying Linux. I want to use SSL in apache2.0.36. I stop apache 1.3 and tar apache2.0.36.. I use Re

Re: Runs on local...but can't see it anywhere else

2002-05-17 Thread Peter Viertel
You say you can connect to the 'actual server address' while on the actual machine but not from across the network. You do not say which operating system you're using - but if it's redhat linux for example, perhaps you've got iptables rules. Otherwise is network routing ok, like does the machine

Re: IE 5.00 - 5.01 SSL Connection Failures

2002-05-17 Thread Peter Viertel
Let me guess, you have a '128 bit' SGC certificate on your server? If you do then change your cipher suite to not offer EXPORT56, for example: SSLCipherSuite !EXPORT56:ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL This results in most people with older client

Re: Password protected access

2002-05-20 Thread Peter Viertel
Sure, if you're going to use the default http auth mechanism, then use SSL. If the URL is https:// something then it's all encrypted (ok, unless you do something really odd with the server config). Note that the 'password window' is something your browser displays - once it's got the password

Re: [Q] VirtualHost problems..

2002-05-22 Thread Peter Viertel
Try reading the FAQ. http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47 Han, Donghoon wrote: >Hi everyone, > >I recently configured several named virtual hosts on my Apache 1.3.24 >server. > >NameVirtualHost A.B.C.D:80 >NameVirtualHost E.F.G.H:80 >NameVirtualHost A.B.C.D:443 >NameVirtualHost

Re: Apache + MOD_SSL Win32 crash

2002-05-23 Thread Peter Viertel
That sounds like the ssl mutex mechanism not working properly. Not sure whether anyone's got it working on win32, and mod_ssl on win32 is still listed as an alpha release. I too would choose to ditch windows, but if you do need it, then you should try apache 2; at least the ASF say it's production

Re: Hardware key storage

2002-06-12 Thread Peter Viertel
Whether this can be done is something you should talk to the vendor of your HSM about. If you're still looking for one to buy, I can confirm that it can be done with nCipher's gear using openssl-engine and some extra binaries they provide, I personally have experience with Solaris and using an

Re: 1 certificate for several sites using redirection ?

2002-06-12 Thread Peter Viertel
You could do that using reverse proxy, ie mod_proxy. Redirects are not going to help. Wim Godden wrote: >Hi, > >I'd like to use a certificate to secure several of our subdomains... >buying hundreds of certificates is simply too expensive. >Is there some way to do this : > >- Install certificate

Re: 1 certificate for several sites using redirection ?

2002-06-12 Thread Peter Viertel
t http://other-subdomain.ourdomain.com >>doesn't work properly... I get errors about the images being >>insecure and all links >>point to the wrong position. >> >> >>Peter Viertel wrote: >> >> >> >>>You could do th

Re: 1 certificate for several sites using redirection ?

2002-06-12 Thread Peter Viertel
potential bottleneck as the proxy server would have to parse all of the content passing through it. Wim Godden wrote: >So there's no system which allows me to really proxy pages and 'modify' them so >that all future connections go through this 'proxy' as well ?

Re: SSL site loads regardless of URL??

2002-06-18 Thread Peter Viertel
^[F,L] ServerName www.donations.org.nz DocumentRoot /var/www/html/donations ErrorLog /var/log/httpd/donations-error_log TransferLog /var/log/httpd/donations-access_log David wrote: > Hi, > > I tried adding port 80 to the virtual hosts as you suggested but the > issue still persists?

Re: Apache 1.3.26 Upgrade Question

2002-06-20 Thread Peter Viertel
Why don't you just buy Stronghold? Sounds like you ought to be paying someone to do this work for you. -->> http://www.redhat.com/software/apache/stronghold/index.html Jim Lee wrote: > > Hi, > > Could somebody help me create the Apache_1.3.26-Mod_SSL_x-OpenSSL_x > file from the mod_ssl-2.8.

Re: 56-bit/128-bit IE problems

2002-06-21 Thread Peter Viertel
The problem here as usual is that he HAS got a SGC certificate - and some IEs barf unless you drop EXPORT56 from your offering when you have one of those certs. Not worth the money as far as I'm concerned, not even when getting Thawte's one. I feel it's a scam the way they sell SGC's as some s

Re: Two copies of Apache running on the same server...

2002-06-24 Thread Peter Viertel
You can run as many instances of apache as your system can support so long as no two instances listen on the same port - at least that's the theory. In practice, apache writes to various files such as the .pid file, lockfiles, mutex lockfiles etc - and it can be difficult to make sure the dif

Re: hanging apache processes (1.3.29 + mod_ssl 2.8.9)

2002-06-24 Thread Peter Viertel
Perhaps if you watch the session with Eric Rescorla's excellent ssldump tool you may get to the bottom of it http://www.rtfm.com/ssldump/ Or another possibility altogether... I had a problem which looked similar to this which was some solaris specific mutex bug which meant that child proc

Re: getting close with apache2, ssl, solaris 8

2002-06-26 Thread Peter Viertel
I think your confusion is in using the cakey when in fact you should use the key that you made the cert request from for the Server Private key directive, e.g. if you used the following two invocations of openssl: openssl genrsa -des3 -out server.key 1024; openssl req -new -key server.key

Re: startssl means nothing.

2002-07-07 Thread Peter Viertel
All startssl does in the apachectl script is run httpd with -DSSL; this activates any directives in httpd.conf that are between so if you have not got an appropriately patched httpd.conf then it won't do anything. It looks as if you're using the with-apxs method to build libssl, that is you'

Re: using rewrite with mod_ssl

2002-07-30 Thread Peter Viertel
If you cut and pasted that straight from your config then you have a typo in the rule. Instead of: RewriteCond %{SERVER_PORT} !^443$ RewriteRule ^/manual/(.*) https://%{SERVER_NAME}/$1 [L,R] try RewriteCond %{SERVER_PORT} !^443$ RewriteRule ^/(manual/.*)

Re: apachectl restart problem...

2002-07-31 Thread Peter Viertel
Reloads don't work if your keys are encrypted - is this the case here? I have happily sent a sig USR1 to an ssl apache setup each night for two years - and never a problem - it only goes awry if a cert or key changes. Sean M Alderman wrote: >I thought it might be something like that, but typically

Re: turning off SSL v2 in modssl

2002-08-01 Thread Peter Viertel
That will turn it off... see the refguide at http://www.modssl.org/docs/2.8/ssl_reference.html#ToC9 I wonder if it's time to leave SSLv2 off completely? How many browsers out there don't work with v3 these days? Aditya wrote: >Is it sufficient to change: > > +SSLv2 > >to > > -SSLv2 > >in SSLCiphe

Re: SSL Accelerators

2002-08-02 Thread Peter Viertel
My recommendation is to look through openssl-engine doco and pick a supported card. From experience, I can say that the nCipher ones work just fine on sparc-solaris, I'm sure the other cards there do the job too. I was testing out an nCipher nFast800 PCI card in a netra T1 today - seems to w

Re: Problem starting Apache (yes I have read the FAQs!)

2002-08-20 Thread Peter Viertel
There's more info on this in the reference manual than in the FAQ. http://www.modssl.org/docs/2.8/ssl_reference.html#ToC4 Basically try changing the 'startup' one to use a file:/path/to/file/with/junk/in/it that points at a file with something random enough in it - I'm not Mr Crypto, but, by ran

Re: Resetting passphrase

2002-08-20 Thread Peter Viertel
You have only one option - renew the certificate. You have to pay up again, and submit a new csr based on a new key, but with identical certificate information. Not sure about Verisign, but at least with Thawte the renewal adds a year to the expiry date of the previous certificate, so at lea

Re: MSIE Bugs, Summary available ?

2002-08-22 Thread Peter Viertel
My money is on an SSL session resume problem. Make sure your SSL session cache is configured correctly - one thing that really bites us all in the butt is that some MSIE versions get annoyed when they try to resume a session in what they think is a reasonable amount of time and find the server

Re: httpd.conf

2002-09-11 Thread Peter Viertel
I notice that your virtual hosts are all using the ip address of your machine, but your testing example uses http://localhost/ It's probably worth pointing out that localhost usually resolves to 127.0.0.1 which is not the same thing as your machine's ip address. Try testing against https://192.1

Re: Certificate Server

2002-11-03 Thread Peter Viertel
You certainly can. See the openssl FAQ http://www.openssl.org/support/faq.cgi#USER4 Miguel Angel Gomez Animas wrote: Hi all, I want to know if it is possible to create a server certificate with modssl, something like a personal verisign or something like this... What do I have to do???, can

Re: Configuring Multiple Certificates SSL over an unique IP

2002-11-05 Thread Peter Viertel
I'm thinking you need to use Virtual Host directives - as others have replied, you already know that NameVirtualHost won't help - so you need to put each virtual host on a different IP (or a different port if no spare IPs). Firstly, configure your operating system to receive all the IPs you

Re: Configuring Multiple Certificates SSL over an unique IP

2002-11-05 Thread Peter Viertel
The default: Listen 443 achieves this already. Is there some advantage to doing separate Listens? Boyle Owen wrote: Don't forget: Listen 192.168.1.2:443 Listen 192.168.1.3:443 -Original Message----- From: Peter Viertel [mailto:peter.viertel@;itaction.co.uk] Sent: Tuesday, 5

Re: Securing directories

2002-11-10 Thread Peter Viertel
I'd set these up as virtual hosts - the essence of what you want to do here is to make http://www.domain.com/ return different information than https://www.domain.com. Having done that (by following the links in the other reply you got) you then will need to set up what you want to happen on th