MM
Well I asked this about a week ago, but I'll ask again because I can't figure out what the heck MM wants. I'm trying to install mod_ssl2.8.2-1.3.19 on a Solaris 8 system. I'm at step 4 of the mod_ssl INSTALLATION instructions, the MM Shared Memory Library build. Here is the error I keep getting:

    decision on shared memory allocation method... 4.4BSD-style mmap() via MAP_ANON
    checking for shared memory maximum segment size... configure: error: Unable to determine maximum shared memory segment size

Now I've checked via sysdef -i that a shared memory maximum segment size is set and it is, with a value of 1048576. Surely someone else has seen this error. I sure would appreciate some help.

Diana Shepard

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

Re: SSLProtocol all -SSLv3 having no effect on ie 5 behavior
on 4/23/01 6:30 PM, Tim Taylor at [EMAIL PROTECTED] wrote:

> So I went back to the archive and found some mention of ssl session cache so I tried dropping in..
> SSLsessioncache none

I ran into this problem myself. You really do need a session cache.

    SSLSessionCache dbm:/var/cache/httpd/ssl_cache
    SSLSessionCacheTimeout 300

That and the other two lines:

    SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

Those lines did the trick for me.

Re: block by IP
Have a look at mod_rewrite from Ralf S. Engelschall
http://www.engelschall.com/pw/apache/rewriteguide/

Bruno Georges
[EMAIL PROTECTED]

[EMAIL PROTECTED] wrote:

> Can I have a directory which I can block access to by a range of IPs or specific IPs? I read about this a few weeks ago but at the time it didn't mean much to me.
>
> Thanks,
> Blair

Re: block by IP
On Tue, 24 Apr 2001 [EMAIL PROTECTED] wrote:

> Can I have a directory which I can block access to by a range of IPs or specific IPs?

Yes, but it doesn't have anything to do with mod_ssl. It's handled by mod_access. See http://httpd.apache.org/docs/mod/mod_access.html

--Cliff

--
Cliff Woolley
[EMAIL PROTECTED]
Charlottesville, VA

RE: MM
Cliff,

Thanks for the reply, but I am already using the GNU gcc compiler.

Diana Shepard

-----Original Message-----
From: Cliff Woolley [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 24, 2001 8:52 AM
To: [EMAIL PROTECTED]
Subject: Re: MM

On Mon, 23 Apr 2001, Diana Shepard wrote:

> decision on shared memory allocation method... 4.4BSD-style mmap() via MAP_ANON
> checking for shared memory maximum segment size... configure: error: Unable to determine maximum shared memory segment size

I've seen this on either Solaris or HP-UX (can't remember) as well--I'm pretty sure it's when I was using the built-in compiler. Try using gcc if you can, and I'll bet it will work.

--Cliff

--
Cliff Woolley
[EMAIL PROTECTED]
Charlottesville, VA

RE: SSLProtocol all -SSLv3 having no effect on ie 5 behavior--Solved
That Worked

The session cache settings were what I needed. Thanks for the response.

Tim Taylor

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of James Hastings-Trew
Sent: Tuesday, April 24, 2001 10:07 AM
To: [EMAIL PROTECTED]
Subject: Re: SSLProtocol all -SSLv3 having no effect on ie 5 behavior

on 4/23/01 6:30 PM, Tim Taylor at [EMAIL PROTECTED] wrote:

> So I went back to the archive and found some mention of ssl session cache so I tried dropping in..
> SSLsessioncache none

I ran into this problem myself. You really do need a session cache.

    SSLSessionCache dbm:/var/cache/httpd/ssl_cache
    SSLSessionCacheTimeout 300

That and the other two lines:

    SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

Those lines did the trick for me.

Re: MM
On Mon, Apr 23, 2001 at 05:19:52PM -0600, Diana Shepard wrote:

> Well I asked this about a week ago, but I'll ask again because I can't figure out what the heck MM wants. I'm trying to install mod_ssl2.8.2-1.3.19 on a Solaris 8 system. I'm at step 4 of the mod_ssl INSTALLATION instructions, the MM Shared Memory Library build. Here is the error I keep getting:
>
> decision on shared memory allocation method... 4.4BSD-style mmap() via MAP_ANON
> checking for shared memory maximum segment size... configure: error: Unable to determine maximum shared memory segment size
>
> Now I've checked via sysdef -i that a shared memory maximum segment size is set and it is, with a value of 1048576. Surely someone else has seen this error. I sure would appreciate some help.

Hi,

if you don't want to wait until the author of MM has time to look into that issue (he most probably is busy writing other fine software ;) you could try the following workaround:

Edit the configure script to pretend that the autoconf-test for MM_SHM_MAXSEGSIZE did not fail. To do that, search for the line

    MM_SHM_MAXSEGSIZE=`cat conftestval`

and change that to set the size you determined from running sysdef

    MM_SHM_MAXSEGSIZE=1048576

I don't know for sure whether that will work, as I haven't tried it actually -- but it should prevent the script from aborting, by substituting the (hopefully correct) value yourself. And if you are lucky, it's only the autoconf test routine that fails, not the actual lib-code at the time it's being used in the application...

Erdmut

--
Erdmut Pfeifer
science+computing ag

-- Bugs come in through open windows. Keep Windows shut! --

RE: MM
Erdmut,

Thanks very much for taking the time to respond. I tried your suggestion, but unfortunately the same error persists. Think I'll just have to skip MM in the mod_ssl install.

Diana Shepard
University of Colorado, Boulder

-----Original Message-----
From: Erdmut Pfeifer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 24, 2001 12:52 PM
To: [EMAIL PROTECTED]
Subject: Re: MM

On Mon, Apr 23, 2001 at 05:19:52PM -0600, Diana Shepard wrote:

> Well I asked this about a week ago, but I'll ask again because I can't figure out what the heck MM wants. I'm trying to install mod_ssl2.8.2-1.3.19 on a Solaris 8 system. I'm at step 4 of the mod_ssl INSTALLATION instructions, the MM Shared Memory Library build. Here is the error I keep getting:
>
> decision on shared memory allocation method... 4.4BSD-style mmap() via MAP_ANON
> checking for shared memory maximum segment size... configure: error: Unable to determine maximum shared memory segment size
>
> Now I've checked via sysdef -i that a shared memory maximum segment size is set and it is, with a value of 1048576. Surely someone else has seen this error. I sure would appreciate some help.

Hi,

if you don't want to wait until the author of MM has time to look into that issue (he most probably is busy writing other fine software ;) you could try the following workaround:

Edit the configure script to pretend that the autoconf-test for MM_SHM_MAXSEGSIZE did not fail. To do that, search for the line

    MM_SHM_MAXSEGSIZE=`cat conftestval`

and change that to set the size you determined from running sysdef

    MM_SHM_MAXSEGSIZE=1048576

I don't know for sure whether that will work, as I haven't tried it actually -- but it should prevent the script from aborting, by substituting the (hopefully correct) value yourself. And if you are lucky, it's only the autoconf test routine that fails, not the actual lib-code at the time it's being used in the application...

Erdmut

--
Erdmut Pfeifer
science+computing ag

-- Bugs come in through open windows. Keep Windows shut! --

RE: MM
Um, as I haven't looked at the source and am unlikely to have a chance to dig into it for you, I'm wary of leaping in with off-the-top-of-my-head suggestions ... *but* ... :-)

On Tue, 24 Apr 2001, Diana Shepard wrote:

> Thanks very much for taking the time to respond. I tried your suggestion, but unfortunately the same error persists. Think I'll just have to skip MM in the mod_ssl install.

It looks like the line you replaced is not where the error is occurring, it's only a line that retrieves the value of an earlier test - ie. it assumes that an earlier test had succeeded and had deposited the result into the conftestval file. In other words, the failure seems to be occurring earlier. Ie.

    MM_SHM_MAXSEGSIZE=`cat conftestval`

should populate MM_SHM_MAXSEGSIZE with the text inside conftestval. Try looking a line or two higher up to figure out where conftestval is actually created. That seems to be where the configuration process is actually stopping. I suspect if you stop that test from running (so hopefully the configuration scripts should get past that point) *and* follow the original suggestion about hard-coding the value for MM_SHM_MAXSEGSIZE, then you should be OK. Then again, I could be talking utter garbage too. :-)

Good luck.

Cheers,
Geoff

PS: Actually, by fishing about in this, you'll probably get an idea for what's going wrong as you make these changes. Once it's all up and running (touch wood), perhaps you could take a look at the offending code and see why it's not working as intended on your host system? It would be good to submit a fix (or at least a clear bug description) to Ralf so it can be fixed permanently.

Re: MM
On Tue, Apr 24, 2001 at 01:32:56PM -0600, Diana Shepard wrote:

> Erdmut,
>
> Thanks very much for taking the time to respond. I tried your suggestion, but unfortunately the same error persists.

sorry, my fault, didn't look closely enough at what the script is really doing. You also need to disable the

    if { (eval echo configure: ...

line immediately above, by changing it to something like

    if test x

So, the script fragment should then read:

    (...)
    EOF
    #if { (eval echo configure:2476: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null
    if test x
    then
      #MM_SHM_MAXSEGSIZE=`cat conftestval`
      MM_SHM_MAXSEGSIZE=1048576
      msg=$MM_SHM_MAXSEGSIZE
    (...)

Hope it's ok now,
Erdmut

--
Erdmut Pfeifer
science+computing ag

-- Bugs come in through open windows. Keep Windows shut! --

Netscape give I/O Exception, IE OK
Hello:

This is really strange.

I am using a test server certificate generated from mod SSL 2.8.2 for apache 1.3.19 on a freshly installed Redhat 7.1 server. I used the stock openssl (OpenSSL 0.9.6-3) that came with the installation.

If I connect to https://serverName using Internet Explorer, everything works fine. I get the dialog box that says that the certificate is not from a trusted authority and then when I hit OK, I get the apache test page.

If I try it in Netscape, I get the dialog box about the certificate name check and then, when I hit continue, I get another dialog box that states:

    An I/O error occurred during security authorization. Please try your connection again.

I can repeat this as many times as I like, but the exception always pops up.

Here are some messages in the error_log:

    [Tue Apr 24 15:08:28 2001] [notice] Apache/1.3.19 (Unix) mod_jk mod_ssl/2.8.1 OpenSSL/0.9.6 configured -- resuming normal operations
    [Tue Apr 24 15:08:43 2001] [error] mod_ssl: SSL handshake failed (server www.JAMMConsulting.com:443, client 192.168.1.2) (OpenSSL library error follows)
    [Tue Apr 24 15:08:43 2001] [error] OpenSSL: error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02
    [Tue Apr 24 15:08:43 2001] [error] OpenSSL: error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed
    [Tue Apr 24 15:08:43 2001] [error] OpenSSL: error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt

Does anyone know what this means and why it is occurring?

Thanks,
Neil.

--
Neil Aggarwal
JAMM Consulting, Inc. -- (972) 612-6056, http://www.JAMMConsulting.com
Custom Internet Development -- Java, JSP, servlets, databases

Re: Netscape give I/O Exception, IE OK
On Tue, 24 Apr 2001, Neil Aggarwal wrote:

> This is really strange.

It's in the FAQ -- http://www.modssl.org/docs/2.8/ssl_faq.html#ToC50

    When I connect via HTTPS to an Apache+mod_ssl server with Netscape Navigator I get I/O errors and the message Netscape has encountered bad data from the server What's the reason? [L]

    The problem usually is that you had created a new server certificate with the same DN, but you had told your browser to accept forever the old server certificate. Once you clear the entry in your browser for the old certificate, everything usually will work fine. Netscape's SSL implementation is correct, so when you encounter I/O errors with Netscape Navigator it is most of the time caused by the configured certificates.

--
Brett
http://www.chapelperilous.net/btfwk/
The only thing worse than X Windows: (X Windows) - X

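Added example (not part of the original thread, and not mod_ssl or OpenSSL code): a toy Python model of how a browser holding a stale certificate leads to the `block type is not 02` error chain in the log above. It assumes the browser encrypts the key-exchange secret to the public key of the old certificate it stored; the Mersenne-prime keys, the function names and the 8-byte secret are constructed for illustration.

```python
# Toy model, constructed for illustration: textbook RSA over small Mersenne
# primes with PKCS#1 v1.5 type-2 padding. Far too small for real use.
import random

E = 65537

def make_key(p, q):
    """Return (n, e, d) for two primes p and q."""
    return p * q, E, pow(E, -1, (p - 1) * (q - 1))

def size(n):
    """Modulus length in bytes."""
    return (n.bit_length() + 7) // 8

def client_encrypt(secret, pub, rng):
    """Browser side: pad as 00 02 <nonzero bytes> 00 <secret>, then encrypt."""
    n, e = pub
    pad_len = size(n) - 3 - len(secret)
    if pad_len < 8:
        raise ValueError("secret too long for this modulus")
    ps = bytes(rng.randrange(1, 256) for _ in range(pad_len))
    em = b"\x00\x02" + ps + b"\x00" + secret
    return pow(int.from_bytes(em, "big"), e, n)

def server_decrypt(c, key):
    """Server side: return (secret, None) or (None, reason)."""
    n, _, d = key
    if c >= n:
        return None, "ciphertext larger than modulus"
    em = pow(c, d, n).to_bytes(size(n), "big")
    if em[:2] != b"\x00\x02":
        # Same condition as the first OpenSSL error line in the log.
        return None, "block type is not 02"
    sep = em.find(b"\x00", 2)
    if sep < 10:  # no separator found (-1) or fewer than 8 padding bytes
        return None, "malformed padding"
    return em[sep + 1:], None

# Constructed keys: OLD is behind the certificate the browser stored earlier,
# NEW is behind the re-issued certificate with the same DN.
OLD_KEY = make_key(2**61 - 1, 2**127 - 1)
NEW_KEY = make_key(2**89 - 1, 2**107 - 1)
SECRET = b"premastr"  # stand-in for the 48-byte pre-master secret

def handshake(browser_pub, server_key, seed=2001):
    """Key exchange: browser encrypts to the key it trusts, server decrypts."""
    c = client_encrypt(SECRET, browser_pub, random.Random(seed))
    return server_decrypt(c, server_key)

if __name__ == "__main__":
    print("browser uses current cert:", handshake(NEW_KEY[:2], NEW_KEY))
    print("browser uses stale cert:  ", handshake(OLD_KEY[:2], NEW_KEY))
```

With the stale certificate the server's own key is intact; decryption simply yields bytes that do not form a valid padding block, which is why clearing the old certificate entry in the browser resolves it.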
RE: Netscape give I/O Exception, IE OK
Hi,

I have seen the same problem once. I have generated the RSA certificate using mod_ssl's make certificate utility and chose NOT to encrypt the key, I got exactly the same problem. But if you choose to encrypt the key when running mod_ssl's make certificate utility, you will be fine.

If you do not want to encrypt the key, you can use openssl's CA utility to self-sign a cert (without key encryption). That should work too.

Let me know if that helps.

Joey

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Neil Aggarwal
Sent: Tuesday, April 24, 2001 4:13 PM
To: [EMAIL PROTECTED]
Subject: Netscape give I/O Exception, IE OK

Hello:

This is really strange.

I am using a test server certificate generated from mod SSL 2.8.2 for apache 1.3.19 on a freshly installed Redhat 7.1 server. I used the stock openssl (OpenSSL 0.9.6-3) that came with the installation.

If I connect to https://serverName using Internet Explorer, everything works fine. I get the dialog box that says that the certificate is not from a trusted authority and then when I hit OK, I get the apache test page.

If I try it in Netscape, I get the dialog box about the certificate name check and then, when I hit continue, I get another dialog box that states:

    An I/O error occurred during security authorization. Please try your connection again.

I can repeat this as many times as I like, but the exception always pops up.

Here are some messages in the error_log:

    [Tue Apr 24 15:08:28 2001] [notice] Apache/1.3.19 (Unix) mod_jk mod_ssl/2.8.1 OpenSSL/0.9.6 configured -- resuming normal operations
    [Tue Apr 24 15:08:43 2001] [error] mod_ssl: SSL handshake failed (server www.JAMMConsulting.com:443, client 192.168.1.2) (OpenSSL library error follows)
    [Tue Apr 24 15:08:43 2001] [error] OpenSSL: error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02
    [Tue Apr 24 15:08:43 2001] [error] OpenSSL: error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed
    [Tue Apr 24 15:08:43 2001] [error] OpenSSL: error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt

Does anyone know what this means and why it is occurring?

Thanks,
Neil.

--
Neil Aggarwal
JAMM Consulting, Inc. -- (972) 612-6056, http://www.JAMMConsulting.com
Custom Internet Development -- Java, JSP, servlets, databases

Re: Netscape give I/O Exception, IE OK
Joey:

Actually, I had a different certificate previously installed in netscape and the two certificates were colliding.

I really appreciate your help though.

Thanks,
Neil.

Joey Wang wrote:

> Hi,
>
> I have seen the same problem once. I have generated the RSA certificate using mod_ssl's make certificate utility and chose NOT to encrypt the key, I got exactly the same problem. But if you choose to encrypt the key when running mod_ssl's make certificate utility, you will be fine.
>
> If you do not want to encrypt the key, you can use openssl's CA utility to self-sign a cert (without key encryption). That should work too.
>
> Let me know if that helps.
>
> Joey
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Neil Aggarwal
> Sent: Tuesday, April 24, 2001 4:13 PM
> To: [EMAIL PROTECTED]
> Subject: Netscape give I/O Exception, IE OK
>
> Hello:
>
> This is really strange.
>
> I am using a test server certificate generated from mod SSL 2.8.2 for apache 1.3.19 on a freshly installed Redhat 7.1 server. I used the stock openssl (OpenSSL 0.9.6-3) that came with the installation.
>
> If I connect to https://serverName using Internet Explorer, everything works fine. I get the dialog box that says that the certificate is not from a trusted authority and then when I hit OK, I get the apache test page.
>
> If I try it in Netscape, I get the dialog box about the certificate name check and then, when I hit continue, I get another dialog box that states:
>
> An I/O error occurred during security authorization. Please try your connection again.
>
> I can repeat this as many times as I like, but the exception always pops up.
>
> Here are some messages in the error_log:
>
> [Tue Apr 24 15:08:28 2001] [notice] Apache/1.3.19 (Unix) mod_jk mod_ssl/2.8.1 OpenSSL/0.9.6 configured -- resuming normal operations
> [Tue Apr 24 15:08:43 2001] [error] mod_ssl: SSL handshake failed (server www.JAMMConsulting.com:443, client 192.168.1.2) (OpenSSL library error follows)
> [Tue Apr 24 15:08:43 2001] [error] OpenSSL: error:0407106B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02
> [Tue Apr 24 15:08:43 2001] [error] OpenSSL: error:04065072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed
> [Tue Apr 24 15:08:43 2001] [error] OpenSSL: error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt
>
> Does anyone know what this means and why it is occurring?
>
> Thanks,
> Neil.
>
> --
> Neil Aggarwal
> JAMM Consulting, Inc. -- (972) 612-6056, http://www.JAMMConsulting.com
> Custom Internet Development -- Java, JSP, servlets, databases

--
Neil Aggarwal
JAMM Consulting, Inc. -- (972) 612-6056, http://www.JAMMConsulting.com
Custom Internet Development -- Java, JSP, servlets, databases