e enabled in an
> application to avoid the remote deduction of the precise configuration
> being run?
Perhaps you also want to disable mod_info...
Ralf S. Engelschall
[EMAIL PROTECTED]
r from the
ca-bundle.crt of mod_ssl).
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to SSLeay (mod_ssl) www.engelscha
perhaps just importet it, but didn't marked the CA
cert as valid. Perhaps this leads to the dialog box. At least I don't know
what we could do different on server/mod_ssl side... :-(
Ralf S. Engelschall
e feedback whether
it now works for you or not.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interfac
r SSL_PROGRAM. Perhaps it's empty for you. When this is
the case try to find out why. Is SSL_BASE also empty? I've never seen such an
error, so I expect some build-configuration problem.
Ralf
library
version: SSLeay blabla" output when configuring Apache?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
___
; call. Can it be that you built SSLeay with
just "Configure gcc" instead of "Configure alpha-gcc" or other platform
dependend names? For some systems the generic "gcc" platform doesn't work.
Run SSLeay's "Configure" script with
getful mans.
2. I've now finally found the original ITU-T X.509 specification on
the net. A hyperlink to it was added to the Related area under:
http://www.engelschall.com/sw/mod_ssl/related/ssl.html
For those of you who are masochistic... ;-)
Greetings,
C (although I am shameful not to be), so a full fully
> operational expression yielding a boolean would be just great.
Already answered in BugDB: "if (r->connection->client->ssl != NULL) ..."
where "r" is the request_rec your auth handler gets from the API.
es/ssl/libssl.module script. Watch the output of the configuration
process: There should be 4 or 5 lines starting with "SSL".
Ralf S. Engelschall
[EMAIL PROTEC
some cleanups.
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Changes with mod_ssl 2.1b5 (17-Sep-1998 to 01-Oct-1998)
*) Created a configure.bat script w
ver today...
I've already comitted your above bugfix and it will occur with mod_ssl 2.0.12
tomorrow (or on Saturday). But for more reliable session caching you have to
wait for 2.1, sorry.
Greetings,
Ralf
ule=rewrite --enable-suexec --suexec-uidmin=901
> --sysconfdir=config
I think the rpm user problem you can ignore, and when you use
../rsaref-2.0/local instead of just ../rsaref-2.0/ it will work.
Ralf S. Engelschall
f-2.0/local/"''. This should work for 2.0.11.
It's fixed in 2.0.12 which is released the next days.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
r dir in `echo $PATH | sed -e 's/:/ /g'` .; do
+if [ -f "$dir/perl" ]; then
+perl="$dir/perl"
+break
+fi
+done
+if [ ".$perl" != . ]; then
#
# Perl is preferred because writing to STDERR in
#
in the main server
context _and_ the virtual host section.
3. For using the canonical name (i.e. one you specified
by ServerName) you have to additionally use "UseCanonicalName on".
Then all things should work fine...
this
version.
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Changes with mod_ssl 2.0.12 (23-Sep-1998 to 02-Oct-1998)
*) Cleaned up gcache stuff again and
ve libssl.so loaded there is still no SSL code in your httpd.
Only EAPI exists. So I guess it's a problem with EAPI and existing DSOs
Ralf S. Engelschall
[EMAIL PROTECTED]
m and you're subscribed to a mailing list (not only
sw-mod-ssl, this is for all types of mailing lists!: FILTER OUT THE MAILING
LIST MESSAGES _BEFORE_ PASSING THE MESSAGE TO YOUR VACATION PROGRAM. H...
Ralf S. Engelschall
00. It just uses certificates
which are based on the the same X.509 standard.
> Can I have different DNs in LDAP and certificate?
> I apologize for any faq.
Sure. Apache+mod_ssl doesn't query your LDAP database...
Ralf S.
instead of more sections. This at least
reduces the redundancy in writing down the stuff a little bit.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
NT box' pages into some particular
pages on the Linux server, e.g. all pages with a fixed file extension, etc.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
ause usually it should be _not_ needed.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to SSLeay (mod
a SSLRequireSSL to
prevent access to those dirs through the SSL-disabled ).
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
___
ting information from certificate,
> it'll be a nightmare to change the DN after production. :(
Yes, but isn't there a mapping mechanism in LDAP to overcome those things? Can
the LDAP filter funtions be used for this? Hmmm... my current LDAP knowledge
is too less here, sorry.
er.crt
$ ssleay rsa -inform DER -in iis-server.key -outform PEM -out server.key
Ralf S. Engelschall
[EMAIL PROTECTED]
www.
in the most flexible way. You example above would then be:
...
Sure, the name "" should be "" but it's better to follow
the clean SSLxxx terminology of directives (they all have the SSL prefix).
Hmm... very interesting idea and useful stuff.
"
RewriteCond %{HTTP_HOST} !^secure\.mycompany\.com(:443)?$
RewriteRule ^/.* - [F]
The check for the not existing Host header is just to allow old browsers (who
don't send it) access, too. If you don't want this, leave the SetEnvIf for
^$ or the Rewri
.1 which comes out the next
days. In the meantime when you don't need the compat code you can just build
mod_ssl without it by using --disable-rule=SSL_COMPAT, of course.
Ralf S. Engelschall
[EMAIL PROTECTED]
On Thu, Nov 26, 1998, Michael Hallgren wrote:
> On Thu, Nov 26, 1998 at 08:16:14AM +0100, Ralf S. Engelschall wrote:
> > On Thu, Nov 26, 1998, Nuno Grilo wrote:
> >
> > > I have a machine running WindowsNT+IIS with a certificate issued by
> > > verisign and
orithm is rc4 and using the rc4
> utility from SSLeay I decrypted the key. Next I had to remove the
> envelope and convert it to PEM.
Oh hell, what a situation. Please remember the steps and finally post a
step-by-step list on how to convert such a IIS cert/key for Apache+mod_ssl.
Beca
to be a full-featured solution or whatever. Just the essential
information is needed for the FAQ.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
_
db library should it be looking at and why isn't it?
I've today no more time to investigate myself (will do tomorrow) but one hint:
Try --enable-shared=SHARED_CHAIN. This way libssl.so is linked against the DBM
stuff explicitly. When this doesn't work, please provide
nd -ldbm but even with SHARED_CHAIN it
isn't linked against libssl.so. As a workaround just add "-ldbm" to the
Makefile of mod_ssl. But as a final solution we have to determine _WHY_ -ldbm
is missing. Perhaps the SHARED_CHAIN stuff doesn't w
t SSL..
H I would first check whether the not used writev() is really a
network performance problem. Usually Apache's performance penalties exists at
other corners, AFAIK.
Ralf S. Engelschall
didn't
came to this idea first... :-(
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to SSLea
On Sat, Nov 28, 1998, Ralf S. Engelschall wrote:
> On Sun, Nov 29, 1998, Anthony Rumble wrote:
>
> >[...]
> > When will EAPI have writev support..
>
> I've now again searched for the details. When we want to create a SSL_writev()
> by trying to emulate wri
On Sun, Nov 29, 1998, Anthony Rumble wrote:
> > > > Im wondering how badly mod_perl will fragment up writes without writev
> > > > support..
> > >
> > > Don't know, I've never did any performance tests.
> > >
> > > > Maby Ill have to run two servers for now.. one with ssl and no writev, and
> >
ssl.so and once with the LoadModule command. Only this way you
can be sure that the problem is really caused by mod_ssl+SSLeay.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
nger force NO_WRITEV) and the CA
list is send on client authentication. Additionally a lot of minor bugfixes
were done, of course.
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engel
ly have one release
branch and perhaps one beta branch. But be sure that there will be not two
release branches (which I guess is what you asked about).
Ralf S. Engelschall
On Mon, Nov 30, 1998, Manuel J. Galan wrote:
> "Ralf S. Engelschall" wrote:
> [...]
> >*) Ported a recent change in Apache-SSL 1.29 to mod_ssl:
> > ``Send CA list to client when SSLCACertificatePath is used (this was
> > only done for SSLCA
; immediately. For details please
contact the Apache Group ([EMAIL PROTECTED]).
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
't remember it
> being. I glossed over it because it seemed complicated.
Is this now fixed with mod_ssl 2.1.1? It should because I've fixed the bug in
the libssl.module script. But I want to make sure it's now finally fixed. Have
you already tried it again with 2.1.1?
If the
> third party patch in etc/ works with this as well, I would like to suggest
> apply.sh be changed in this way.
Yes, this patch (it's a stripped down patch 2.1) accepts "--directory
dirname", too. I'll change it for 2.1.2 to make your life easier.
it cannot
be a lot more more what we want to know ;-)
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
___
t I'm now working on it.
Expect it to be updated today.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
___
Here is the next pure bugfixing release. In addition to other minor fixes it
mainly solves the problem where under Linux boxes the DBM library wasn't
correctly found.
Ralf S. Engelschall
[EMAIL PROT
On Thu, Dec 03, 1998, Ralf S. Engelschall wrote:
>[...]
> Changes with mod_ssl 2.1.2 (30-Nov-1998 to 03-Dec-1998)
>[...]
The FreeBSD port is now again in sync with the current release version: I've
updated the www/apache13-modssl port to Apache 1.3.3 + mod_ssl 2.1.2 now.
H
. But don't expect
any bugfixes on this branch unless a really heavy bug occurs.
In short: The release version of mod_ssl is 2.1 now and from now on whenever I
talk about mod_ssl to you I mean this version.
Greetings,
Ralf S. Engels
re information cannot be given given, obviously.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interfa
ng as you're happy with 2.0.x (not failures occur) and don't need one of
the new features of 2.1, you can wait, of course. Apache 1.3.4 should be
released at least before Christmas ;-)
Ralf S. Engelschall
ssl 2.1.x because it's not enough tested. But it already works
fine for me. You just have to use --with-apxs instead of --with-apache and
anything else works magically ;-) Let it me know when I can use you as a
beta-tester for this stuff...
u
have to use "export SSL_BASE". As it's the case for all configure-style
scripts.
So, try either
$ SSL_BASE=... ./configure ...
or
$ SSL_BASE=...
$ export SSL_BASE
$ ./configure ...
Ralf S. Engelschall
lots of symbol not found messages...]
Either a "ranlib" call is missing somewhere or the ELF stuff confused the
library generation. Because the port works fine at least under my FreeBSD
2.2.6 box.
R
NT4' when
`u_int32_t' is defined by your vendor include files. If not try to
use a standard type which is four bytes in length on your
platform, e.g. on Alphas `typedef unsigned int UINT4' works.
Perhaps your SGI box has a similar problem?
'm
very interested in the print-version of this article.... Thanks.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache I
re mod_ssl will survive those law issues...
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interfac
lter for HTTP and some Firewall admins enable this filter
for both the HTTP and HTTPS remote port connections. Obviously for the HTTPS
connection this cannot work this way such easily. So the Firewall admin
should make sure this BorderManager box doesn't try s
e the argument to point to a
reasonable file inside your logs or runtime dirs.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
situation) which can be
used to easily upgrade the libssl.so.
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Changes with mod_ssl 2.1.3 (03-Nov-1998 to 0
On Sun, Dec 06, 1998, John Baskind wrote:
> I'm sure this is a stupid question, but please humour me...
>
> I have upgraded from 2.15...2.1..2.1.1...2.1.2, each time reinstalling the
> server, i.e., fresh apache, fresh (new) m0d_ssl, and fresh mod_perl.
>
> Is this necessary? Is it possible jus
D" entry):
"FreeBSD-elf", "gcc:-DTERMIOS -DBN_ASM -DL_ENDIAN -fomit-frame-pointer -O3 -m486
-Wall::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm",
And then configure SSLeay with "perl Configure FreeBSD-elf" instead of &quo
On Mon, Dec 07, 1998, Todd Vierling wrote:
> On Thu, 3 Dec 1998, Ralf S. Engelschall wrote:
>
> : And one more question: What's the reason you have to name the DSO
> : mod_ssl.so instead of libssl.so? Because of the conflict with the "real"
> : libssl.so?
>
eck your Listen directives. They have to match the
vhost sections. Second I advice you to look inside the Apache logfiles.
Perhaps you get a connection but SSL is just not enabled (don't trust a
"cannot connect"
On Wed, Dec 09, 1998, Steve Vertigan wrote:
> "Ralf S. Engelschall" wrote:
>
> > And then configure SSLeay with "perl Configure FreeBSD-elf" instead of "perl
> > Configure FreeBSD". Do a "make clean" first!
> > Then all went fine
you work in this area for Apache-SSL, too. Because I've never read any
information about your recent development plans. Nevertheless the Apache-SSL
users will appreciate it, so it's fine that you work on this, too.
Ralf S
and remove the etc/apache/ssl.*/ dirs completely, then do a
"make certificate" again followed by a "make install". Because "make install"
doesn't override existing ssl.*/* files once they were created.
Apache Group, the
| Apache webserver is Year 2000 compliant, too. But whether SSLeay or the
| underlaying Operating System (either a Unix or Win32 platform) is Year 2000
| compliant is a different question which cannot be answered here.
th)
doesn't recognize that you use HTTP over SSL (mod_ssl) instead of plain HTTPS.
So you can use Basic Authentication together with HTTPS, of course. And it
gets processed "after" SSL, yes. Or did I misundertood your question?
ly synchronized with the SSL layer.
Actually the icon is displayed _after_ the complete webpage was loaded. But
the encryption was enabled long time before, of course. In your case, the
Basic Auth is a facility on the HTTP layer. Under HTTPS below the HTTP layer
there is the SSL/TLS
Hello Ralf S. Engelschall, in a previous mail you wrote:
> Does anyone know an existing webserver on the net where SSL client
> authentication is requested on a per-URL basis? And does anyone know the URL
> of such a server, so I can establish a test-connection to it?
Does really no
On Tue, Dec 15, 1998, Enrico Badella wrote:
> > Hello Ralf S. Engelschall, in a previous mail you wrote:
> >
> > > Does anyone know an existing webserver on the net where SSL client
> > > authentication is requested on a per-URL basis? And does anyone know the UR
On Wed, Dec 16, 1998, Ben Laurie wrote:
> Ralf S. Engelschall wrote:
> > I just want to _try_ to connext in order to observe the SSL protocol
> > details the Netscape server uses when forcing the SSL renegotation.
>
> Why?
Why? As I already said: to compare Netscape'
atform id for an Intel-Solaris?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apach
On Wed, Dec 16, 1998, Brad Cox wrote:
> At 5:39 AM -0500 12/16/1998, Ralf S. Engelschall wrote:
> >Why? As I already said: to compare Netscape's behavior with mod_ssl's behavior
> >in case of a renegotiation, of course. Because when you look carefully into
> >the
archives for details on
this CertMgr stuff.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache
Or did I overlooked something essential?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to SSLeay (mod_ssl) www.enge
information to the mod_ssl FAQ for 2.1.4.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Inter
ses from
| the German BMWi (see http://www.bmwi.de/presse/1998/1208prm2.html">here) and the
| Switzerland Bawi (see http://jya.com/wass-ch.htm">here) there
| will be no forthcoming export restriction for free cryptography software
| for their countries. Remember that mod
mod_ssl-2_1_3-1_3_3_tar.gz tarball. It's name is
mod_ssl-2.1.3-1.3.3.tar.gz. And it unpacks correctly. I've tried it directly
on the webserver. Can it be that you download it to Windows and have local
problems there? Because your file seems to be correct, but perhaps your tar or
gzip is buggy.
On Mon, Dec 21, 1998, Martin Kraemer wrote:
> On Mon, Dec 21, 1998 at 04:45:10PM +0100, Ralf S. Engelschall wrote:
> > On Mon, Dec 21, 1998, Enrico Badella wrote:
> >
> > > I have just downloaded (again) mod_ssl-2_1_3-1_3_3_tar.gz and it fails
> > > to unpack c
mmon to
> the MSIE-%&?.
Or alternatively just put all your stuff into a PKCS#12 format file with the
pkcs12 program and import this into Communicator with the corresponding Import
button under the Security panel.
Ralf S. Engelschall
27;re interested.
The distribution for OpenSSL 0.9.1c you can also grab from there, of course.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Changes with mod_ssl 2.1.
When someone has recent RPMs, just upload it to
the Contrib area, of course.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.en
the
coordinator. That depends on _ALL_ developers and their voting, of course. The
coordinator just keeps the environment running, pushed the members to do
something (especially releases ;-), etc.
Ralf S. Engelschall
ou have to run it on ports 8080/8443
temporarily as a regular user to get the core. Without the coredump and a
backtrace it's hard to find the location of the SIGSEGV.
I'll try it out myself on my Solaris 2.6 box the next days.
In the meantime perhaps
o the script can access the key contents.
>
> Now, I'll have to look into the documentation again to find how to do that.
Look inside the FAQ, there is the command written down.
In short: $ ssleay rsa -in cakey.pem -out x && mv x cakey.pem
s slightly broken on at least your platform. When you
can find out something, I'm still interested. Because although it's not really
mod_ssl related, it's important for OpenSSL. Perhaps we have some sort of a
bug there which causes these problems...
like this before?
I've no clue, but seems like it's related to your mod_autoindex configuration.
At least I don't see where mod_ssl should be involved in this problem. So,
please check your Apache configuration related to mod_autoindex.
XS-based mod_ssl package (with the use of
| --with-apxs).
But please read it carefully: The generated libssl.so doesn't work with a
plain Apache. Your Apache has to already contain the Extended API.
Ralf S. Engelschall
Just a few bugfixes to keep you up-to-date and bug free, nothing dramatically.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Changes with mod_ssl 2.1.5 (23-Dec-1998
to get out of this seems to get all the sources of apache and
> recompile everything ?
Yes, sorry. But because of the crypto-hook-problematic you have to at least
once install a patches Apache. Then you can upgrade easily with APXS.
Ralf S. Engelsch
for more details on SGC. There I've written down all I know
about this stuff.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.en
a means to limit the number of live
> connections from a particular IP address? [more a standard apache rather
> than mod_ssl issue].
AFAIK we've no mechanism which limits the connections on a per IP basis. But
you can write a patch which implements this within a few hundrets of
's too late
in case of HTTPS. So, mod_ssl has to manually perform an own additional
timeout for the SSL handshake phase. I've added this facility for 2.1.6: Now
the "Timeout" directive also applies to the SSL handshake phase. Thanks for
discovering this and
Another bugfix version is available for you: mod_ssl 2.1.6.
This version fixes a lot of subtle bugs under the cover.
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED
e terms is not allowed). That's not
the case, because the OpenSSL license is less restrictive than the SSLeay
license.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
___
t to get digests are those who even better use one of
the mailing list archive. There one can look at the stuff more nice and easy
(you can search, have it threaded, etc.). But when people are interested in
digests I can configure Majordomo to support his, of course.
course. They have to be secured, too.
Or at least under the same virtual SSL-aware server.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.eng
601 - 700 of 1115 matches
Mail list logo
