Re: ReCap: 2.2.4 windows binary w/ssl - server certificates
Marc Stern wrote:

For info, I developed for the Belgian government, a reverse proxy installation script (Unix/Windows) that encompasses a certificate creation, and its registration in the config file. This uses gawk. It is available on http://www.belgium.be/zip/eid_authentication_proxy_fr.html

It's simple enough to create one; however none of the other packaging does so, and the question remains, should httpd's windows installer do anything differently?

Another (simpler) possibility would be to hard-code a test certificate in the distribution.

That would be a mistake, there are several security issues with doing so.
Re: ReCap: 2.2.4 windows binary w/ssl?
Sander Temme wrote:

On Mar 6, 2007, at 3:56 PM, William A. Rowe, Jr. wrote:

Don't know about the shm session cache. Otherwise, the quotation issues are fairly minor. I see that in trunk on unix we quote paths, and in extra/httpd-ssl.conf we don't. Time to rigorously quote every path in those extra config files as well? I think so.

Working on this as we speak. I'll go over all of trunk/docs/conf/extra/*.conf.in, then propose the backport.

Good catches; in the meantime - we'll let the user fix their config for the remaining (hopefully short) life of 2.2.4 and obtain some end-user feedback from this package.

Bill
Re: ReCap: 2.2.4 windows binary w/ssl?
On Mar 16, 2007, at 2:55 PM, William A. Rowe, Jr. wrote:

Working on this as we speak. I'll go over all of trunk/docs/conf/extra/*.conf.in, then propose the backport.

Good catches; in the meantime - we'll let the user fix their config for the remaining (hopefully short) life of 2.2.4 and obtain some end-user feedback from this package.

The config file fixes should be in place at this time for the next 2.2.x roll.

S.

--
[EMAIL PROTECTED] http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
Re: ReCap: 2.2.4 windows binary w/ssl?
set OPENSSL_CONF=C:\Program Files\Apache Software Foundation\Apache2.2\conf\openssl.cnf, I get the error message Unable to load config info from C:\Program Files\Apache Software Foundation\Apache2.2\conf\openssl.cnf When I do the set without the double quotes, it works. Ugh. Wrapper time? NO :) You made a simple syntax error, the SET command in cmd.exe or even good old command.com doesn't parse double quotes, use SET by itself after the fact to see the quotes are part of the value you created above (bad). FYI -conf pathto\openssl.cnf also works, IIRC. Don't know about the shm session cache. Otherwise, the quotation issues are fairly minor. I see that in trunk on unix we quote paths, and in extra/httpd-ssl.conf we don't. Time to rigorously quote every path in those extra config files as well? I think so. One final nitpick: I now have both httpd 2.2.4 and Tomcat 6.0.10 installed on that box, and there are two systray icons, one for each server, both with a cute little Feather icon. Backwards reels the mind. We seriously need to talk about sharing the love here. I assume those are ApacheMonitor.exe and tomcat6w.exe? Why not ship one that picks up both httpd and Tomcat services, whose presence is recognized by the other's installer? :) Because Mladen contributed ApacheMonitor, then ported for Tomcat. Sort of silly, I agree that some central mechanism for storing ASF-ish services would be wonderful.
Re: ReCap: 2.2.4 windows binary w/ssl?
On Mar 6, 2007, at 3:41 PM, Sander Temme wrote:

Service start bitches about a syntax error on line 62 of extra/httpd-ssl.conf:

SSLSessionCache takes one argument, SSL Session Cache storage (`none', `nonenotnull', `dbm:/path/to/file')

The failing value is:

SSLSessionCache shmcb:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)

Using the commented out dbm: example in line 61 instead makes this go, after I quote the directive argument to accommodate the spaces in the path.

Actually, SSLSessionCache with a quoted shmcb:... argument works, too.

S.

--
[EMAIL PROTECTED] http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
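An added example, not part of the thread or of httpd: a shell check for the failure reported above, where an unquoted path containing spaces is split into several arguments for a one-argument directive. The ONE_ARG list, the function names and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed, non-exhaustive list of directives that take exactly one argument.
ONE_ARG="SSLSessionCache SSLCertificateFile SSLCertificateKeyFile ServerRoot DocumentRoot"

# lint_conf FILE: print "LINE: DIRECTIVE takes one argument, found N" for each
# hit; return 1 if anything was flagged, 0 otherwise.
lint_conf() {
    awk -v list="$ONE_ARG" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) one[tolower(a[i])] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        name = line                            # directive = first word on the line
        sub(/[ \t].*$/, "", name)
        if (!(tolower(name) in one)) next
        rest = substr(line, length(name) + 1)
        argc = 0                               # a double-quoted run counts as one argument
        while (match(rest, /^[ \t]*("[^"]*"|[^ \t"]+)/)) {
            argc++
            rest = substr(rest, RLENGTH + 1)
        }
        if (argc != 1) {
            printf "%d: %s takes one argument, found %d\n", NR, name, argc
            bad = 1
        }
    }
    END { exit bad ? 1 : 0 }' "$1"
}

# sample_conf: constructed input; line 2 is the failing value quoted in the
# message above, line 3 is the same value with the argument quoted.
sample_conf() {
    cat <<'EOF'
# constructed sample of extra/httpd-ssl.conf
SSLSessionCache shmcb:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)
SSLSessionCache "shmcb:C:/Program Files/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
SSLCertificateFile conf/server.crt
EOF
}

# Lint a file when one is given on the command line.
if [ "$#" -gt 0 ]; then lint_conf "$1"; fi
```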
Re: ReCap: 2.2.4 windows binary w/ssl?
On Mar 6, 2007, at 3:56 PM, William A. Rowe, Jr. wrote:

Don't know about the shm session cache. Otherwise, the quotation issues are fairly minor. I see that in trunk on unix we quote paths, and in extra/httpd-ssl.conf we don't. Time to rigorously quote every path in those extra config files as well? I think so.

Working on this as we speak. I'll go over all of trunk/docs/conf/extra/*.conf.in, then propose the backport.

S.

--
[EMAIL PROTECTED] http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
Re: ReCap: 2.2.4 windows binary w/ssl?
On Mon, February 19, 2007 6:01 am, William A. Rowe, Jr. wrote:

The reason for http://svn.apache.org/repos/asf/httpd/httpd/win32-msi/ to remain out-of-tree (and for goodness sakes, the reason to REMOVE the .pkg and .rpm generation sources) is that packaging after the tree is tagged is largely a game of catch-up, and is a stupid reason to throw away the release tag because they've fallen out-of-sync.

Don't make the mistake of assuming that either rpm or pkg packaging are anywhere near as complex as the Windows packaging.

The pkg packaging is trivial, and unlikely to see any changes in the near future.

Removing the rpm packaging from the tarball breaks rpmbuild -tb tarball and so doing violates the principle of least astonishment for rpm users.

One size definitely doesn't fit all.

Regards,
Graham
Re: ReCap: 2.2.4 windows binary w/ssl?
On Feb 18, 2007, at 8:01 PM, William A. Rowe, Jr. wrote:

Everyone agrees that a batch file or something that would help the users make a server certificate would be goodness; this isn't a win32-specific issue, either, if you examine the most FAQ'ed on [EMAIL PROTECTED]

I believe we ship the openssl.exe binary on Windows, yes? That makes it at least feasible for users to generate keys. Yes, it would be nice to have a batch script that generates a key, self-signed cert and csr. I have never programmed BAT in anger, perhaps someone who knows their way around that can whip it up.

It would also be a nice-to-have on other platforms: I always have to look up the correct invocation. I'll see if I can whip up a shell script that does the same.

S.

--
[EMAIL PROTECTED] http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
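An added example of the kind of script discussed in this thread, not code from the thread or from the httpd project: it generates a fresh key, a CSR and a self-signed certificate per install, rather than relying on a certificate hard-coded in a distribution. The file names, the 2048-bit RSA key, the 365-day validity and the function names are assumptions.

```shell
#!/bin/sh
# Assumed output names: DIR/server.key, DIR/server.csr, DIR/server.crt.

# make_server_cert DIR HOSTNAME: create key, CSR and self-signed certificate.
make_server_cert() {
    dir=$1
    cn=$2
    [ -n "$dir" ] && [ -n "$cn" ] || { echo "usage: make_server_cert DIR HOSTNAME" >&2; return 2; }
    mkdir -p "$dir" || return 1
    # Never overwrite an existing private key.
    [ ! -e "$dir/server.key" ] || { echo "$dir/server.key already exists" >&2; return 1; }
    (
        umask 077    # private key readable by its owner only
        openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    ) || return 1
    # CSR that can be sent to a CA later.
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
        -out "$dir/server.csr" || return 1
    # Self-sign the same request for immediate testing.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
}

# cert_matches_key DIR: succeed only if the certificate's public key belongs
# to the private key next to it (compares the RSA moduli).
cert_matches_key() {
    k=$(openssl rsa -in "$1/server.key" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1/server.crt" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run as: script DIR HOSTNAME
if [ "$#" -eq 2 ]; then
    make_server_cert "$1" "$2" && cert_matches_key "$1"
fi
```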