If the client asks the server for a secure connection, the server starts its
handshake by sending a suggestion of a private-private-key encryption
(encrypted with its private-key).
Right so far?
No. Totally wrong.
Suggest you read more about the protocol details. A key (sic) point is
Ya know, lots of people run PHP with Apache -- post the vulnerability
there.
Lots of people run PHP on Solaris -- post the vulnerability there.
Lots of poeple run PHP on Linux -- post hte vulnerability there.
Some people probably run PHP on Windows machines -- post it to MSDN chat
rooms.
Please,
Valicert has listed Entrust as one of its partners. I would assume that
would mean that Valicert can interoperate with Entrust issued
certificates.
I think it is stretching things to say that partnership implies full
parsing of the various Entrust CRL's. How many partnerships do you know
i'd ask a valicert person, actually.
--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
__
Apache Interface to OpenSSL (mod_ssl)
No, openssl does not yet support the (infinite:) ways to split CRL's
that Entrust likes.
OCSP is simpler. :)
/r$
--
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com
__
Does Valicert support the various Entrust CRL extensions and
partitioning?
If not, then they're useless for this problem.
/r$
--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
But if an adversary gets root without rebooting your machine
Right, but I wasn't talking about that. I believe the case I described
is a common situation, and worth defense.
/r$
--
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com
Of course, you forget to mention the most common cause of server reboots
running UNIX based systems. Power failures.
Unh, no, that's why I talked about bribing operators and mysterious
reboots.
Obviously, these are occasions when a server goes down, which is why it is
preferable to have it
Therefore, the passphrase only protects the key if it is removed from your
server, but as has been shown, being able to remove the key requires (or
should require) root privileges. QED.
No, the passphrase protects the key during the time when root may have
access to the machine *any time your
PRNG programmable random number generator - it needs a good source of
random data to get started. Check out:
*Psuedo* random number generator.
The idea is that if you know the starting point, the sequence is
predictable. That is why it is so important to mix in some REAL random
data -- so an
The difference is that with a passphrase the rooter must be an active
attacker with an active compromise on your machine, as opposed to a
non-pass phrase which can be a passive attacker trying to snarf a single
file. More than just warm fuzzy; the first is just downright harder.
/r$
--
nCipher is one of many hardware crypto makers -- was there a particular
reason why you picked them out? I know they can spool keys out to
disk (under 3DES protection I believe), but most h/w crypto accelerators
have similar provisions.
BTW, perhaps you can convince management that your email
Adding passphrases to the keys or storing them in a encrypted partition
doesn't really get you any additional level of security.
Perhaps in the specific case that started this thread, but in the
general case, this is wrong.
Let's consider a common co-location scenario. Or where the MIS/IT
If you still get the warning than some old modules somewhere need to be
rebuilt.
--
Zolera Systems, Your Key to Online Integrity
Securing Web services: XML, SOAP, Dig-sig, Encryption
http://www.zolera.com
__
Apache Interface to
Apache 1.x modules work by registering a table of function pointers, and
the apache core calls out at various points in processing. In order to
make SSL work, Ralph added some more callbacks. They are added to the
*end* of the current table. This extendaed API, EAPI, is enabled by
adding -DEAPI
The timeout on a session is also a concept subject to much
misunderstanding.
I've always though TTL, TimeToLive, was a better name.
/r$
--
Zolera Systems, Securing web services (XML, SOAP, Signatures,
Encryption)
http://www.zolera.com
Posts to the list from email address different from the one
I'm subscribed to are silently dropped
It is a deliberate anti-spam feature.
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support
Sorry, no time to respond in detail for a day or two, this'll have to
do.
If you have your system misconfigured so that security credentials are
unavailable, that is a security issue, not a configuration issue.
A principal tenant of security is: if something's broke, stop. NEVER
silently
This has gotten way off topic of how to use mod_ssl.
I suggest interested parties look for Dan Geer's risk management is
where the money's at paper. Google should find it trivially.
Many consider it to be the definitive word on this trade-off issue.
/r$
we need to call openssl_add_all_algorithms so that we can decrypt the
server key (our own use of standard encryption). What's the cleanest
way to add that it -- a vendor hook?
__
Apache Interface to OpenSSL (mod_ssl)
Is there an alternate way to pass the passphrase to apache?
Try to use expect.
If you are going to use a script that contains the password, then you
might as well put the password in a file. mod_ssl can exec a program so
your "script" is as easy as
#! /bin/sh
echo
The 'best practices' standard *for everyone who doesn't have to support
older browsers that only did 512bit keys* is a 1024 bit key.
RSA operations are only done at the start of an SSL session, not at each
HTTP(S) connection. (Because public key is so expensive, it's typically
only used to
If you *look* at the cert (via something like "openssl x509 -text")
you'll see that the port number is not part of the distinguished name.
Do you recall Thawte asking you for a port number? That's a rhetorical
question.
/r$
I am getting this error with a third party module. Someone on another
disscussion group said not to worry mod_ssl has "been fixed to not
care if you are using the Extended API (EAPI)" etc. "It will be/is
taken out in the newest version of mod_ssl".
I cannot imagine how that person could
Do you have /dev/random installed?
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager
I do not believe anybody from CertCo is on this list.
If you would like CertCo to donate the mod_ssl/OCSP diffs, I suggest you
contact
Mark Horvath, [EMAIL PROTECTED]
Good luck.
/r$
__
Apache Interface to OpenSSL
This discussion stopped being relevant to mod_ssl awhile ago.
Please stop.
/r$
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
The *copyright* and *license* on RSAREF is not affected by the patent
expiration. If you want an implementation, use the code that is in
OpenSSL itself.
Are we *really* going to be totally free after September 20th?
Yes.
Has anyone seen anything in print by some authority stating this?
The mkcert.sh script can't easily be "scripted." We'd like to do this
as part of a nightly build and regression test. Writing an expect
script is too much overhead.
I'm not sure why, but for some reason the "Encrypt Private key?"
question
(at step 4; we're doing snakeoil since it's just for
Do I read it correctly that
it isn't legal for me at the moment, but will be after September 20th, 2000?
Yes.
/r$
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List
It is not clear if you can recompile mod_ssl once you
bought one of those products.
The patent law (and the licenses granted to those organizations, undoubtedly)
is
quite clear: you can't just "peel off" the license from one product and slap
it onto another, without the license-grantor's
I haven't heard of any RC4 patents either.
According to RSA:
RC4 is trade-secret intellectual property of RSA.
Someone "stole" it and posted it to the net.
We reserve the right to come after you.
In the real world:
The cat's out of the bag, RSA knows it, and it
We have a patch that adds OCSP checking to client-side certs for mod_ssl.
It has some client code, and additions to OpenSSL to parse the data
structures. We're in the process of upgrading to the current OpenSSL
release. With the change in US export regulations, we would like to
contribute this
33 matches
Mail list logo