Hi, On an imac intel dual core, I recently migrated to Leopard from Tiger
10.4.10. On my Tiger client I had installed my own web server using openssl
and mod_ssl with Apache 1.3 server; https was working fine. On Leopard with
apache 2.2.6 and OpenSSL 0.9.7, configuration files have significantly
ch
http://marc.theaimsgroup.com/?l=apache-modssl&w=2&r=1&s=SSLVerifyClient&q=b
Semantically, it seems odd that the python interpreter would even be invoked, since the SSLVerifyClient ought to be part of the authentication step, and should refuse the request before it even arrives. In any case, I'm completely befuddled.
ben
The cipher is located within the browsers which is different than the
way Microsoft puts it in the system (hence the patch to upgrade the
cipher).
Anyway, I use IE 5.1 for Mac on OS9 and have no problem with 128-bit
sites. Are you using OSX?
Ben Ricker
Web Security System Administrator
I (stupidly) forgot what my passphrase is for a server cert I have
created using OpenSSL. The cert is certified by verisign. Is there a way
I can reset the passphrase WITHOUT recreating the cert?
Ben Ricker
Wellinx, Inc
reinstall the original RPM and retry my procedures.
Ben
[EMAIL PROTECTED] said:
> Why did you forcibly install and upgrade the packages? Were there error
> messages without it?
>
> The ONLY time I'd ever forcibly install a package is if it was already
> installed according t
ow on restart of httpd I received the
following error.
Anybody have ideas?
Thanks,
Ben
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated
nding here ..
Thanks, Ben
in malloc_block()
My client is IE6 with latest 'service packs'. Tried several different client
machines. With NS6 I also get:
Ouch! malloc failed in malloc_block()
Help or debugging suggestions would be appreciated. Thanks, BenG.
Michael Metz wrote:
Hi Ben,sorry - I haven'
' and `graceful' did not
pick up my new cert). The debug output of openssl is slightly
different as well (the verify return messages).
And now, lo and behold, it works on MSIE. And I still have a bit of hair
left!
--Ben
___
Hi;
I built openssl, apache & modssl as per the instructions in the latter.
When I type in the command ./apachectl startssl all comes up fine so long
as I've commented out certain things (see below) in httpd.conf. But
https://blah.com doesn't resolve. ./apachectl startssl chokes on the
followi
ode of the process. If it is not a process you want running (or if it
is a zombied Apache process), do a grep on 'lsof' for that inode and
then kill the process (or its parent; there probably isn't one).
HTH,
Ben Ricker
System Administrator
Wellinx.com
On 17 Jul 2001 16:36:17
Hello.
I've recently started playing with mod_ssl
and had done well with it till I decided to switch off
the test certs (SnakeOil) and onto real certs. I successfully
created and signed my own cert as documented in the mod_ssl
users guide, but ran into trouble when trying to connect wi
> Sent (91 bytes)...
> > 14914 bytes read from server.
> > Elapsed time: 2.508330 seconds
> >
> This is just the kind of thing I'm looking for for testing SSL acceleration
> cards. By testing on the actual server I can see the raw performance
> increase without ha
[EMAIL PROTECTED] wrote:
>
> > -Original Message-
> > From: Ben Laurie [mailto:[EMAIL PROTECTED]]
> > Sent: 14 February 2001 13:25
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: echoping 4.1 released : a tool to test SSL serv
h do
these things cost?
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
Mads Toftum wrote:
> On Sun, Aug 06, 2000 at 01:04:38PM -0400, Ben Hyde wrote:
> > The following presumably explains that problem.
> >
> > OpenSSL> version
> > OpenSSL 0.9.4 09 Aug 1999
> > OpenSSL> ciphers -v 'ALL:-SSLv3'
> >
Ben Hyde wrote:
>
> Sorry for the hit and run Question, it's hard to search
> for questions like this one:
>
> When I set up the usual MSIE FAQ recommendation...
>
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
Mads Toftum wrote:
> On Fri, Aug 04, 2000 at 02:40:57AM -0000, Ben Hyde wrote:
> >
> > in each of my vhosts running "Apache/1.3.12 (Unix) mod_ssl/2.6.2
> > OpenSSL/0.9.4 ApacheJServ/1.1.2" I get "no shared cipher", other
> > than the DSA
H:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
in each of my vhosts running "Apache/1.3.12 (Unix) mod_ssl/2.6.2
OpenSSL/0.9.4 ApacheJServ/1.1.2" I get "no shared cipher", other
than the DSA certificate thang is there something obvious I
shou
"Ralf S. Engelschall" wrote:
>
> On Tue, Jul 04, 2000, Ben Laurie wrote:
>
> > > > > N.B. I can see some GID sites using my copy of 5.01 / 56 bit. Whether this
> > > > > is a server-side workaround or something else I don't know.
t disabled by default...
That is not the case.
> Or it was compiled
> with 0.9.4 that has EXPERIMENTAL_CIPHERSUITS disabled (ssl/tls1.h)...
He stated that the version was 0.9.5a.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
Coming to ApacheCon Europe 2000? http://
is not mod_ssl's fault, it's
> IE5's fault, of course.
I think that is leaping to conclusions. Besides, the stepup shouldn't
involve a shutdown.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
Coming to ApacheCon Europe 2000? http://apachecon.com/
_
Matthias Loepfe wrote:
> Also I think it would probably be a good idea to think about supporting
> the MS-StepUp in OpenSSL.
Is there a spec for it?
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who wor
> Status is that because of the proposed KEAPI the inclusion of EAPI was
> suspended a few months ago and while people were still confused, Ben L.
> implemented a third hook variant of EAPI hooks directly in the 2.0 source tree
> (nice timing, yeah)
That is not really the way I see it
Do I need to add any other module beside mod_proxy? None of the mod_proxy
directives seem to work. I only changed the Configuration under the apache
1.3.9 source to add the proxy module. Is there anything else I need to do to
build the proxy?
Thanks, and sorry for my newbie questions...
Yaniv.
> >
t the application server gets requests and sends responses in
plaintext, and the Apache server takes care of encrypting/decrypting
everything for it.
I heard it was possible (perhaps I was misled). Any idea how?
Thanks a lot
"Ralf S. Engelschall" wrote:
>
> On Tue, Aug 17, 1999, Ben Laurie wrote:
>
> > > > I've checked through your ideas and it seems to me that they could be
> > > > made to work with Apache-SSL (and hence, probably, mod_ssl), so long as
> > > >
Holger Reif wrote:
>
> Ben Laurie schrieb:
> >
> > I've checked through your ideas and it seems to me that they could be
> > made to work with Apache-SSL (and hence, probably, mod_ssl), so long as
> > the keys don't have passphrases.
> >
> >
hosting for mod_ssl.
I've checked through your ideas and it seems to me that they could be
made to work with Apache-SSL (and hence, probably, mod_ssl), so long as
the keys don't have passphrases.
The point of the preload of keys/certs is to get passphrases while you
still have a tty
oracles webserver just sucks too much.
>
> mod_ssl is only available for Apache 1.3. For Apache 1.2 you can only use
> Apache-SSL. But I'm sure even Ben would recommend you to not use these old
> version for Apache 1.2...
You are quite right :-)
Cheers,
Ben.
--
http://www.apache-ssl
Daniel Reichenbach wrote:
> - New Icons included for Apache SSL, Restart and Shutdown function.
If you are going to refer to Apache SSL all the time, you could at least
use it.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds o
'm wrong, Ralf!), but
> by the time there came up more differences (shared memory cache in mod_ssl
> and so on), since the Apache-SSL developers didn't like the "module idea"
> (tell me when I'm wrong, Ben!).
You are wrong. I have nothing against the "module idea".
y are both patches.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there
[EMAIL PROTECTED] wrote:
>
> Ben Laurie <[EMAIL PROTECTED]> writes:
>
> > [EMAIL PROTECTED] wrote:
> > >
> > > No user session that
> > > is. My idea is to have the user authenticate, and then bind the user id to
> > > the ssl sess
[EMAIL PROTECTED] wrote:
>
> Ben Laurie <[EMAIL PROTECTED]> writes:
>
> > [EMAIL PROTECTED] wrote:
> > >
> > > The idea behind this is to make the ssl session id available so that other
> > > modules may use the ssl session id as a `key' into
reuse SSL
sessions, and may time them out arbitrarily.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first grou
my test server has
hits from within Netscape, even though they haven't told me about it [I
forgive them, that would probably be illegal]).
Servers need to be modified to support them, because they should
generate ephemeral 1024 bit keys when required.
Let me know if anything interesting happen
ears to be, at this point, from re-reading some of the original
> bickering thread, that the split between mod_SSL and apache_SSL was not an
> amicable one, at least on one side of the fence.
Is that relevant?
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told
Tim Armbruster wrote:
>
> When do the performance disadvantages of gcache come into play?
What disadvantages?
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He
Ralf S. Engelschall wrote:
>
> I'll not say anything about comparisons in general, because either people can
> find out the differences themselves or the differences are not actually
> important for them (or they would have found it out). But a few technical
> questions to B
ems to me
to be a completely futile exercise).
h) replacing gcache with DBM seems a backward step to me.
Also, I notice that parts of that FAQ were written by me, yet strangely
there is no credit, despite the immense fuss Ralph made about getting
credit on a page we wrote that a prototype for was
reuse when appropriate.
Known exploits
--
There are no known exploits of this security hole.
Ben Laurie, for the OpenSSL team.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He to
with PKCS#11). Can you tell me how did you solved the problem.
I use RedHat 5.2 (2.0.36-0.7) with apache 1.3.4 mod-ssl 2.2.4-1.3.4 and
openssl-0.9.1cs with bnpatch.
Fathi Ben Nasr
Mechanical engineer.
Société Nationale des Chemins de Fer Tunisiens.
ot
in a position to make a judgement on security practices, so it is good
that you raise these points, again, for discussion, for those who were
not around for the last marathon.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of p
, 1999, Fathi Ben Nasr wrote:
>
> > What is the difference between SSLeay and openssl i.e. which one
> > should I use (with mod-ssl 2.2.3-1.3.4 and apache) and why ?
>
> Although this should be asked on our openssl-users list, here is an answer:
> The difference are first a
Hi,
What is the difference between SSLeay and openssl i.e. which one
should I use (with mod-ssl 2.2.3-1.3.4 and apache) and why ?
How can I generate certs for communicator 4.05 or ie4.x (export
versions) ? My .crt files results to be invalid or corrupted to both
clients.
Fathi Ben Nasr.
P.S
> PHP3 scripts.
>
> I'm hoping that this issue will be addressed soon, seeing as how mod_perl
> is kinda very important if you're running perl on your site.
AFAIK, this problem doesn't affect Apache-SSL.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My gra
unsuscribe
__
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
to time itself.
I'd suggest that the functionality should really go into OpenSSL, since
it is a common requirement. Naturally whatever software is using OpenSSL
will have to handle the configuration (unless we put it in
openssl.conf?).
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"
Anonymous wrote:
>
> Ben Laurie <[EMAIL PROTECTED]> wrote:
>
> > o The OpenSSL project's code will be published under an Open Source license.
> > This license will apply only to the modifications made by the OpenSSL team
> > and contributors. Eri
and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style
licence, which basically means that you are free to get and use it for
commercial and non-commercial purposes subject to some simple license
conditions.
o Due to some unfortunate coincidences and misunderstandings Ben a
Ralf S. Engelschall wrote:
> I just want to _try_ to connect in order to observe the SSL protocol
> details the Netscape server uses when forcing the SSL renegotiation.
Why?
Cheers,
Ben.
--
Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant
Ralf S. Engelschall wrote:
>
> On Wed, Dec 09, 1998, Ben Laurie wrote:
>
> > > Does anyone know an existing webserver on the net where SSL client
> > > authentication is requested on a per-URL basis? And does anyone know the URL
> > > of such a server, so
Ralf S. Engelschall wrote:
>
> On Wed, Nov 18, 1998, Ben Laurie wrote:
>
> >[...]
> > > My $0.02, if it's worth anything. But if that's the way you code
> > > Apache-SSL, I'm very glad my friend pointed me to mod_ssl.
> >
> > If you
pointed me to mod_ssl.
If you want to use a system where programming errors are "corrected" by
removing the assertions that reveal them, that is your choice, of
course.
Cheers,
Ben.
--
Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +
e and you (presumably) incorporated the
fix into ssl_gcache.
Cheers,
Ben.
--
Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: [EMAIL PROTECTED] |
A.L. Digital Ltd, |Apach
Ralf S. Engelschall wrote:
>
> On Sat, Oct 31, 1998, Ben Laurie wrote:
>
> >[...]
> > > While you may think that the only way to run a SSL server is where no one
> > > can login, no users can run any programs on it, etc. in the real world
> > > that is
Marc Slemko wrote:
>
> On Sat, 31 Oct 1998, Ben Laurie wrote:
>
> > Ah, I also forgot to mention that an attacker with the ability to talk
> > to gcache can completely screw you with just legitimate messages - by
> > poisoning your cache. They can presumably also get
Marc Slemko wrote:
>
> On Sat, 31 Oct 1998, Ben Laurie wrote:
>
> > This is far too general a criterion. Some kinds of I/O are completely
> > deterministic (given correct code). I agree that to assert on user input
> > is not a brilliant idea, but on a tightly li
ons should not be used in place
of error handling. Do not put words into my mouth.
Cheers,
Ben.
--
Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: [EMAIL PROTECTED] |
Ralf S. Engelschall wrote:
>
> On Sat, Oct 31, 1998, Ben Laurie wrote:
>
> > >[...]
> > > | nRead=saferead(nFD,&usLength,sizeof usLength);
> > > | assert(nRead == sizeof usLength);
> > >
> > > Here the assert makes sure that really the
Ralf S. Engelschall wrote:
>
> On Sat, Oct 31, 1998, Ben Laurie wrote:
>
> > Ralf S. Engelschall wrote:
> > > H??? Do you mean it cannot occur in practice? Or do I misunderstand you
> > > here. As I said: We not even need an attacker: When an I/O read
nyway.
Cheers,
Ben.
--
Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member
Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/
and Technical Director|Email: [EMAIL PROTECTED] |
A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.org/
London, En
course.
>
> As I said: As long as the assertions are not I/O or input related they are ok.
> But they are very problematic for a production system when they depend on
> input coming from external sources.
And the external source in this case is?
Cheers,
Ben.
--
Ben Laurie
Ralf S. Engelschall wrote:
> And now I ask me why _isn't_ this better? I don't understand it, Ben. IMHO
> this non-assertion way _is_ better, because it prevents the system from being
> dropped down (kind of DoS) by a local attacker
I'm happy to admit that it is a ma
Maert Laak wrote:
>
> On Fri, 2 Oct 1998, Ben Laurie wrote:
>
> > From: Ben Laurie <[EMAIL PROTECTED]>
> > Subject: Re: gcache session does not expire as requested - bug!
> >
> > Ralf S. Engelschall wrote:
> > > On Thu, Oct 01, 1998, Maert Laa
mod_ssl 2.0.12. Thanks for the hint.
If it is a bug, it is a bug in the C compiler. Uninitialised static
variables are guaranteed to be set to zero.
What system was this on? Which compiler?
Cheers,
Ben.
--
Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member
Freelance Con
67 matches