the server with "openssl s_client" to make sure
your browser isn't broken.
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
rote this stuff. Perhaps he has a clue why it could fail
for you...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apach
> purchased for $120 with the Red Hat software? I'm lost.
No, you can install a fresh Apache+mod_ssl+OpenSSL triple under a different
path and then copy over the cert/key from your original installation.
> Any help on this would be really appreciated.
BTW, isn't there any sup
w-mod-ssl, of course. Only the
announcement postings will occur on sw-mod-ssl-announce.
The list is also controlled by [EMAIL PROTECTED], so send your
"subscribe sw-mod-ssl-announce" to this address.
Ralf S. Engelschall
and not related to mod_ssl. Seems like your
Perl installation is missing the Apache::XXX Perl-side of mod_perl. You've to
ask on the mod_perl support mailing list ([EMAIL PROTECTED]) for this. But I
recommend you to reinstall mod_perl and look where it installs the Apach
:SSL3_READ_BYTES:sslv3 alert handshake failure
At which state of the handshake happens this?
Use "SSLLogLevel trace" to find this out, please.
I wish our OpenSSL library would give more detailed descriptions...
Ralf S. E
now a different
problem. And yes, it's strange that a client certificate is read although
youßve not configured one. BTW, I use exactly the same software as you
(FreeBSD 3.1, Apache 1.3.6, mod_ssl 2.2.6, OpenSSL 0.9.2b) and it works fine
with my local Netscape. So it really seems that those Mac-N
log entries you showed, right? Strange...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (m
oduce your
problems. So, it's now your turn. Connect from your favorite client platform
with your esoteric clients and hopefully let us find out something...
Ralf S. Engelschall
[
ssl/2.2.6+OpenSSL/0.9.2b (sorry when I ask again,
but too much people already described their situation the last days and I
already intermix them)?
Ralf S. Engelschall
m). Try to upgrade to exactly my versions
(Apache/1.3.6+mod_ssl/2.2.6+OpenSSL/0.9.2b) and try again. It has to work,
because it works in en4.engelschall.com which is also FreeBSD 3.1.
Ralf S. Engelschall
On Thu, Mar 25, 1999, John Hamlik wrote:
> Is this a standard config?? static or module??
All static and compiled with debugging symbols
for easier debugging in case of a code dump.
Ralf S. Engelschall
[EM
then only
enabled "SSLLogLevel trace" in the apache.conf file.
That's all. Nothing special. Even the box is a PII/333 where
I've done a standard FreeBSD 3.1 installation a few weeks ago.
Ralf S. Engelschall
che logfiles.
> MSIE3.02(Japanese) can't access https://en4.engelschall.com/
Why? What happens? An I/O error? Or is just because the server certificate is
a dummy one which uses the SnakeOil CA your MSIE3.02 doesn't know?
Ral
tificate problem which do not count, of course). In other words: Still no
hangs or real I/O errors?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
___
On Fri, Mar 26, 1999, Magnus Stenman wrote:
> Everything works like a charm when I upgraded to OpenSSL
> 0.9.2b (from 0.9.1c) so that must have been the problem.
Fine. This news makes me happy again
Ralf S. Engel
least because of this nothing should fail with older
version. OTOH, don't think about <= 0x0920 any longer. From the next mod_ssl
versions (I'm currently thinking about 2.2.7 vs. 2.3.0) OpenSSL 0.9.2b is a
hard requirement and all those #ifdef's will be kicked out completely.
I'm sure other clients stop working. So,
the next round seems to be that I move from "SSLLogLevel trace" to
"SSLLogLevel debug" and those of you who can reproduce the problem try it
again. At least we've now reduced the area of problems to the various IE
clients. So, peo
t OpenSSL here.
4. When Apache+mod_ssl doesn't startup you really
should find the error in the error_log. At least
I do not know any part in mod_ssl where an
exit() is done but no error written.
l had
problems there can now again connect to https://en4.engelschall.com/ with the
MSIE clients and try again. I really hope the problems are now gone. When
not, I've no more clue what we can do...
Ralf S. Engelschall
ndows NT)", so the regex has to be ".*MSIE.*" and not
"^MSIE.*". Fixed on en4.engelschall.com. Please try again.
Ralf S. Engelschall
[EMAIL PROTECTED]
gt;
> I swear I have SSLLogLevel debug and LogLEvel debug and only the 4 lines
> in ssl_engine_log. And there is nothing written to error_log.
Hmmm... you say you get a core dump, then this is related to this. Try to
find out the location where it dumps core (look inside the mod_ssl FAQ
; ssl-unclean-shutdown
>
> I added the following line to the
> SSL-aware virtual host:
> BrowserMatch "MSIE" ssl-unclean-shutdown
> And it works fine.
Yeah, sorry. This was my fault. I've overlooked the fact that MSIE announces
itself as Mozilla. It's now alre
caused me...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.engelschall.com/s
t; 7) The new suite (apache,mod_ssl,openssl) passes all of my test now!
> yippie..
> 7) Ralf does a great job! Thank you.
Fine, thanks. And I've to thank you all for discovering the MSIE bug and
helping me in finding a final work-around, of course.
On Mon, Mar 29, 1999, Hans Lohmander wrote:
> "Ralf S. Engelschall" wrote:
> >Netscape 4.5 Mac, PPC international . Failed
><[EMAIL PROTECTED]>
> > ``I tested the below and got "bad data from the server"
> > http was
when they want, but for the default config I think it's best and safe to
use ".*MSIE.*"...
Ralf S. Engelschall
[EMAIL PROTECTED]
ll.com to just ``SetEnvIf
User-Agent ".*MSIE.*" nokeepalive'' and disabled the ssl-unclean-shutdown
SetEnvIf. Try it out when you want and give us feedback.
Ralf S. Engelschall
together with a
high-performance shared memory based session cache (is already implemented and
works fine, but needs some more cleanups and testing).
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED
er ID from Verisign). The mechanism is
also known as "International Step-Up" in the Netscape area and "Server Gated
Cryptography (SGC)" in the Microsoft area. Read the above document where I've
assembled the details.
the SSL server.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to Op
compatibility reasons. But the results are the same, of course.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
ntermediate proxy server? Because
independent whether you use HTTP or HTTPS, when the stuff was removed from
disk, then Apache cannot serve it. It doesn't cache pages - neither under
HTTP nor HTTPS. So when you still get the data that's either a browser or
proxy configuration issue.
s a workaround
you can try to enable the shipped SDBM stuff.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
On Mon, Mar 29, 1999, [EMAIL PROTECTED] wrote:
> "Ralf S. Engelschall" <[EMAIL PROTECTED]> writes:
>
> > Another update is available before new features will be introduced (in 2.2.8):
> > mod_ssl 2.2.7 for Apache 1.3.6. This version mainly contains support
ings and
worked fine again after a correct re-installation. At least the core dumps
occurs not inside mod_ssl. It occurs after OpenSSL's BIO_free() inside your
libc...
Ralf S. Engelschall
rl -noout -hash" command manually until I add support for this to
the ssl.crt/Makefile).
Feedback is welcome!
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.c
cal access session". Nevertheless, when you want to use this you can
use mod_ssl's "ssl" EAPI context variable in the BUFF structure to access the
session id from your module. You don't need the shared memory session cach
dor on the market based their
product on our Open Source software. A better recognition we cannot expect on
the market, of course. :) And perhaps Covalent/Randy additionally gives us a
little bit of background information...
Greetings,
ure?
3. What things in mod_ssl and OpenSSL bothered you most (and caused
you the most trouble) and what things are your favorite thing (which you
likes very much)? Especially, what are your personal (from the Raven point
of view) wishes for the future?
httpd -DSSL". Seems like either SSL is totally disabled or at least your
Listen and sections to not match. I guess even that your Listen
directives are not activated. The best you can do is to start with the
provided httpd.conf-dist file and first make sure it works with this one.
That's a plain Apache configuration issue and not related to mod_ssl. Check
the server configuration and there for Options +ExecCGI, , etc.
Ralf S. Engelschall
[EMAIL PRO
two (both mod_ssl and mod_perl) auto-script-modifiers I do
> have some problems. I also have no problem with just mod_ssl apaci-style.
>
> In what order do I do stuff?
>
> This ought to be a FAQ and be answered somewhere.
Yes, that's why it's best to directly add it to
It's already prepared in your httpd.conf, you just have to enable the
SSLCACertificateFile directive.
PS: Why it works with MS IE4 I don't know. Perhaps your MSIE doesn't
send the Verisign cert at all?
Ralf S. Engelsc
In article <[EMAIL PROTECTED]> you wrote:
> On 17-Sep-98 Ralf S. Engelschall wrote:
>> On Thu, Sep 17, 1998, [EMAIL PROTECTED] wrote:
>>
>>> Anyone have a example of httpd.conf with two virtual host and two
>>> certificates?
>>>
>>> I pu
) server inside a . Because
this way your main server config isn't inherited by the , etc.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
the RSYNC program is trivial to
install and very fast under update-time). When you want real-CVS you have to
wait a little bit longer...
Ralf S. Engelschall
[EMAIL PROTECTED]
there and include it into my httpd.conf
files.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache
A new stable mod_ssl is available: 2.0.11 for Apache 1.3.2.
As always the CHANGES entry is appended below for quick overview.
Ralf S. Engelschall
[EMAIL PROTECTED
rrently cannot commit it to the FreeBSD CVS repository. So be patient,
please. When freefall.freebsd.org is repaired you can get the pleasure of your
SSL-aware Apache 1.3.2.
Greetings,
Ralf S. Engelschall
On Wed, Sep 23, 1998, Ralf S. Engelschall wrote:
>[...]
> ...I currently cannot commit it to the FreeBSD CVS repository. So be patient,
> please. When freefall.freebsd.org is repaired you can get the pleasure of your
> SSL-aware Apache 1.3.2.
It's now comitted.
Feel free
ng on select. Is this
> just me, or have others had problems?
I tried it again myself and it works fine. And some of the mirrors use it,
too. So I think its a local problem for you. Perhaps a platform problem of
rsync. What platform are you using?
perl/libperl.a, of course. Will be fixed for mod_ssl 2.0.12.
Thanks for the feedback.
Ralf S. Engelschall
[EMAIL PROTECTED]
On Thu, Sep 24, 1998, Magnus Bodin wrote:
> At 10:58 1998-09-24 +0200, Ralf S. Engelschall wrote:
> >
> >In article <> you wrote:
> >>[...]
> >>>> --activate-module=src/modules/perl
> >
> >> In my case it was
> >&
;t know if this is more of an apaci or mod_perl problem than mod_ssl
> because mod_perl complained "Sorry, need 1.3.0+ for USE_APACI"... Anyway,
> it seems to work fine now.
I didn't seen these problems with mod_perl 1.15_01, so I assume
Doug fixed them between 1.15 an
le lrsaref,
> searched my whole system for it to no avail.
> I'm a semi-newbie at this, so any help would be greatly appreciated!
> Thanks! 8-)
Are you really sure you performed this step:
$ mv rsaref.a librsaref.a
??
Ralf S. Engelschall
s going wrong for you...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to SSLeay
u who
are also attending ApacheCon and wanted to meet me, now actually can meet me.
Details follow later when I know more.
Greetings,
Ralf S. Engelschall
[EMAIL PROT
easier to setup than CVSup for you, too. Perhaps ask the RSync
authors for hints? OTOH can you speak SSH through your Firewall? Then we can
for instance tunnel RSync this way.
Ralf S. Engelscha
vice is to don't confuse yourself is to look at the provided
httpd.conf-dist file and start from there or at least adjust your existing
config with this file in mind.
Ralf S. Engelschall
[EMAIL PROTECTED]
-dist
> > file for hints which directives you should use)
> > 3. Add `SSLDisable' to the old
> >sections or at least the main server (outside
> >any sections)
>
> Thanks a lot, it works nicely. I suggest you put this question and the
> answer in your faq.
nutes.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to SSLeay (mod_ssl) www.engelschall.c
.. how do you build mod_perl? As a DSO or statically?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
_
.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw
nk those of you who discovered the problem should post as much details as
possible to the mod_perl mailing list (or directly to [EMAIL PROTECTED] if
you're not subscribed to the mod_perl ML), so Doug has a chance to fix it.
Ralf S. Engelschall
ecially the .EXP stuff and the used commands and flags).
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to SSLea
t compiled the beast ;-)
Oh yes, you're right. I checked the CVS imported version and seems like *.obj
are also (like *.o and *.a, etc.) ignored by CVS while importing. Sorry, this was
my fault.
Another version from the stable branch is available. It provides you with
support for Apache 1.3.3, X.509 v3 certificates under "make certificate" and
again cleanups and bugfixes for the session cache.
Greetings,
Ralf S. E
And here is a the updated version for the development branch.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Changes with mod_ssl 2.1b6 (01-Oct-1998 to 09-Oct-1998
g the port files)
to the mod_ssl Contrib area. FreeBSD users who want to use this port to easily
install Apache 1.3.3 + mod_ssl 2.0.13 can fetch it from there.
Greetings,
Ralf S. Engelschall
[EMAIL
cheCon...
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to SSLeay (mod_ssl) ww
figuration difference between HTTP and HTTPS.
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interf
vs. LF. But this is
documented in the INSTALL.W32 file, isn't it? But be careful: Only the 2.1b
versions are ported to Win32. The stable 2.0 branch is _NOT_ ported to the
Win32 environment.
Ralf S. Engelschall
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to SSLeay (mod_ssl) w
ns. I just need a little
bit more time to overcome the large amount of messages inside my mail folders
and mailing list folders... ;-)
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engel
For the SSL sources there should be _no_
warning (at least with MSVC 5.0 there is no for me) while other parts inside
Apache cause warnings.
Ralf S. Engelschall
[EMAIL PROTECTED]
omatically and correctly setup for
you.
> PS. The really annoying thing is it works fine on my Linux Slackware 3.5
> machine at home!
Are you really sure? I think you have SSLCertificateKeyFile at home...
Ralf
ntributions and feedback (whether minor or major is not actually
important) mod_ssl wouldn't exist...
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
ude this header...
Try to find out (from the error message of gcc!) which include files includes
it. And then try to find out why it includes it. And when it really has to
include it, check your installation and the reason why it doesn't exists.
passwort
protected client certs in Netscape, but it looks like a bug. Because SSLeay
usually doesn't do anything more, it just requests the certificate and waits
until it arrives. Have you at least tried different Communicator versions?
sed and
deny access. So, it doesn't allow non-secure communication, just the
establishment of the connection. But why MSIE switches to non-secure mode you
have to find out by inspecting your HTML pages and the contained hyperlinks...
Ralf S. Engelschall
middle of the graph
;-) will be happen the next weeks. More details are coming when I'm
allowed to say more...
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
in the error logfile. I'm using the
> Snake Oil
> Certificate on the server and a Thawte Freemail Certificate on the
> client. My
> Client is Netscape Communicator 4.5. Any Ideas, anyone?
>[...]
Have you tried "SSLVerifyDepth 2" or hi
er, so don't know what the MSVC linker dislikes here. But
at least this seems not to be related to mod_ssl, right? Then just put these
warning messages into a problem report for Apache itself, so our Win32 hackers
at the Apache Group can look at it and this way it is
In article <> you wrote:
> Speaking of which,
> here is a little patch I've been wanting to send for a few days:
>[...]
Now comitted for mod_ssl 2.1b7.
Thanks for your feedback.
Ralf S. Engelschall
nly when the $(BN_MULW) define exists in the Makefiles. So, the question is:
How have you configured SSLeay for your platform? I hope with "perl Configure
irix-cc", right? In any case try to figure out why the $(BN_MULW) is not
defined to bn_mulw.o on your platform.
x27;t think you're now
secure, please ;-)
Nevertheless thanks for this nice positive feedback.
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
___
On Thu, Oct 22, 1998, Tony Earnshaw wrote:
> "Ralf S. Engelschall" wrote:
> > Fine.
>
> Ralph, perhaps it's time to tell your mailer that you're back from
> Apachecon?
Ops, right. I'm still fighting the huge amount of traffic which my mail
folders as
t. Seems like your section doesn't apply at all. I
advice you to check the Listen and parameters first. Perhaps
there is a mismatch, you wrote down the wrong IP address, etc. Or just present
us with more details, i.e. which IP address you use and what exact config
you're using.
Leay binaries from my NT box and uploaded it:
Look on http://www.engelschall.com/sw/mod_ssl/contrib/ for file ssleay090b.zip
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
aps can force your visitors to use Netscape) I recommend you to not use
wildcard CNs.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
ll + jserv. What
> should I do to install certificate received from Verisign and my private
> key?
Just replace the installed etc/ssl.crt/server.crt with the certificate
Verisign sends you and the etc/ssl.key/server.key with the private key you
generated under 1.)
). Here it should work without pain.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apach
's the price you have to pay: Before
you get security you have to understand it and for this a few terms are
necessary. Without them we couldn't talk about it or at least we won't
understand us ;-)
le
Apache without -n32 and the last solution is to find a IRIX linker option
which says "Yeah, it's different objects, but try it nevertheless". I
recommend you to first try the easiest way: Use --disable-rule=IRIXN32. Then
I would try to add -n32 for SSLea
e page is correct the way it is.
But seems like I should at least add a hint to it that it's _really_ just a
quick illustration and that the user should read the INSTALL file when he
wants to setup the stuff correctly.
Ralf S. En
the FAQ. OTOH pushing Apache explicity into the
background is not needed at all for Apache 1.3: Because Apache detaches itself
implicitly. So there is no need for "httpd &", neither with nor without
mod_ssl ;-)
Ralf S. Engelschal
ot; inside the INSTALL file. Anything else is automatically
configured. ;-)
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
On Sat, Oct 24, 1998, Ralf S. Engelschall wrote:
> Just for your information and to share my great happyness ;-) :
>
>Dynamic Shared Object (DSO) support for mod_ssl is now possible!
>
> Yeah, I know, it was declared as impossible even by me in the past but now
> it'
On Sat, Oct 24, 1998, Simon Kenyon wrote:
> On 24-Oct-98 Ralf S. Engelschall wrote:
> > Oh sorry, I at least should say what the main key to DSO support for mod_ssl
> > was: Instead of patching in SSL-things into the Apache core now a totally
> > generic API extensi
401 - 500 of 1115 matches
Mail list logo
