Re: SSLCryptoDevice: works as a static, not as a DSO...? (fwd)

2002-06-28 Thread Cliff Woolley


[[ None of my emails from this evening seem to have actually gone out
   (misconfig on my end, I think), so here's this again.  Sorry if it's
   a dupe. ]]

-- Forwarded message --
Date: Fri, 28 Jun 2002 02:24:29 -0400 (EDT)
From: Cliff Woolley [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: SSLCryptoDevice: works as a static, not as a DSO...?

On Fri, 28 Jun 2002, Cliff Woolley wrote:

 To ask a silly question, you are *loading* the DSO, right?  And you have
 SSL_EXPERIMENTAL_ENGINE defined in both cases?

I guess I didn't read your first email carefully enough; I see you already
mentioned that you do have the appropriate AddModule and LoadModule lines
in the DSO case.  Double-check that, though, as that and the
SSL_EXPERIMENTAL_ENGINE things are the only possible reasons you'd get
that message.

--Cliff


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: SSLCryptoDevice: works as a static, not as a DSO...?

2002-06-28 Thread R. DuFresne


I was thinking, and perhaps wrongly for versions prior to apache 2, that
modules required openssl be shared, but earlier mod-ssl based versions I
do not think were so limited, being how they were built with ssl support.

I'm pretty sure, and others will correct me if I'm wrong, that openssl, the
engine version, is the part that enables crypto device accelerator
cards, and the documentation for it should define those devices it
supports.

This is from the README.ENGINE file for openssl-engine-0.9.6b/, note that
this is not the most current version, and 0.9.6d might well have new
device support:

<quote>
  ENGINE
  ==

  With OpenSSL 0.9.6, a new component has been added to support external
  crypto devices, for example accelerator cards.  The component is called
  ENGINE, and has still a pretty experimental status and almost no
  documentation.  It's designed to be fairly easily extensible by the
  calling programs.

  There's currently built-in support for the following crypto devices:

  o CryptoSwift
  o Compaq Atalla
  o nCipher CHIL

...

  No external crypto device is chosen unless you say so.  You have to
  actively tell the openssl utility commands to use it through a new
  command line switch called -engine.  And if you want to use the ENGINE
  library to do something similar, you must also explicitly choose an
  external crypto device, or the built-in crypto routines will be used,
  just as in the default OpenSSL distribution.


  PROBLEMS
  

  It seems like the ENGINE part doesn't work too well with Cryptoswift on
  Win32.  A quick test done right before the release showed that trying
  openssl speed -engine cswift generated errors.  If the DSO gets
  enabled, an attempt is made to write at memory address 0x0002.
</quote>

Unfortunately, the documentation on the engine directives is fairly poor
and sparse.

If I recall, others have used such devices with the engine version and may
well be able to help you more than I can at present.  They should respond a
tad later in the day as the sun rises near their locations (smile).

Sorry I'm not of more help here.

Thanks,

Ron DuFresne


On Fri, 28 Jun 2002, James Bromberger wrote:

 
 Thanks Ron... I just did this, and there was no change -- it still
 doesn't like this directive:
   Invalid command 'SSLCryptoDevice', perhaps mis-spelled 
   or defined by a module not included in the server configuration
 
 My build was effectively:
   cd openssl* && sh config -fPIC -DSSL_EXPERIMENTAL shared && make && cd ..
   cd mm-1.1.3 && ./configure --disable-shared && make && cd ..
   cd mod_ssl-2.8.10-1.3.26 && ./configure \
     --with-apache=../apache_1.3.26 \
     --with-ssl=../openssl-engine-0.9.6d \
     --with-mm=../mm-1.1.3 \
     --enable-rule=SSL_EXPERIMENTAL \
     --enable-module=ssl \
     --prefix=/usr/local/apache --enable-shared=ssl \
     --enable-module=most \
     --enable-shared=max --enable-module=so && cd ..
   cd apache_1.3.26 && make && make install
 package-root=`pwd`/package-root
 
 
 The difference I am doing is removing the --enable-shared=ssl and
 --enable-shared=max, and then it works (as a static).
 
 Thanks,
 
   James
  [EMAIL PROTECTED] 06/28/02 01:45pm 
 
 It might depend upon how you compiled openssl, was it compiled shared
 also?
 
 Thanks,
 
 Ron DuFresne
 
 
 On Fri, 28 Jun 2002, James Bromberger wrote:
 
  Hey people.
  
  I have been running fine with Apache + Mod_SSL under Solaris with
  everything working fine. I am now recompiling to Apache 1.3.26, Mod_SSL
  2.8.10, OpenSSL 0.9.6d, and MM1.1.3. My httpd.conf is pretty much the
  default, except for just above the SSLPassPhraseDialog (around line
  1090) where I have:
  SSLCryptoDevice cswift
  
  (it is a Sun Crypto Accelerator 1 (just a rebadged CryptoSwift) in a
  Netra T1, on Solaris 8)
  
  
  There are two compiles I have done: one where I have done everything as
  a static, and one where it is DSO. When static, I removed my LoadModules
  and AddModules, and of course, when as a DSO, I add these back in. All
  pretty straight forward.
  
  When I use static, my hardware crypto is working and everything is
  wonderful. Birds sing, etc...
  
  When I go DSO and then `apachectl configtest`:
  
  Invalid command 'SSLCryptoDevice', perhaps mis-spelled 
  or defined by a module not included in the server configuration
  
  Which is odd, because all the other SSL directives are OK. If I do a
  `strings libexec/libssl.so` then I can see that the SSLCryptoDevice is
  mentioned in the module, however using mod_info, it is not mentioned
  against mod_ssl as being available.
  
  Does anyone know what is going on here? Why would this work fine as a
  static, and not as a DSO? This was working with earlier versions (1.3.20
  & 2.8.4 & 0.9.6b). 
  
  Any help appreciated.
  
  James
  
  
 
 


Re: SSLCryptoDevice: works as a static, not as a DSO...?

2002-06-28 Thread Cliff Woolley

On Fri, 28 Jun 2002, R. DuFresne wrote:

 I was thinking, and perhaps wrongly for versions prior to apache 2, that
 modules required openssl be shared, but, earlier mod-ssl based versions I
 do not think were so limited, being how they were built with ssl support.

Right.  That's not a restriction in 1.3 as far as I know.  Just 2.0 (due
to libtool).

For 2.0, if you want a shared mod_ssl, use a shared OpenSSL, and if you
want a static mod_ssl, use a static OpenSSL.  1.3 should be a bit more
flexible there.  We'll get around to fixing that in 2.0 one of these days.
:-/

--Cliff




Certificate config problem

2002-06-28 Thread Jon Still

Hi all,

Apologies if this has been asked before - I'm very new to this list.

I'm running Apache 1.3.26 with mod-ssl 2.8.9-1.3.26.  There are many domains
on the box in question (40ish) and 2 of them use SSL.  For the sake of
argument let's call them example.com and example2.com - these are both
name-based virtual servers.

I've created certificates for them using the ssl.ca package - I created my
own root CA and then generated/signed certificates for both domains,
providing the correct CN in each case.

So we have example.com CA key signing server certificates for
www.example.com and www.example2.com.

Whenever I go to https://www.example.com/ - it works great.  No problems
whatsoever.  However with https://www.example2.com/ it seems to be using the
certificate for www.example.com - IE pops up the error saying that the name
on the cert doesn't match the site name.

The thing that is baffling me is that this *did* work at one point.  I first
set up SSL and got it working perfectly for both domains around about July
last year - using whatever was the latest version at that point.

The ssl_engine_log file shows the following for a request for a single HTML
file on www.example2.com

[28/Jun/2002 10:14:04 01309] [info]  Connection to child 6 established
(server www.example.com:443, client 217.135.39.70)
[28/Jun/2002 10:14:04 01309] [info]  Seeding PRNG with 23177 bytes of
entropy
[28/Jun/2002 10:14:04 01309] [info]  Connection: Client IP: 217.135.39.70,
Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[28/Jun/2002 10:14:04 01309] [info]  Connection to child 6 closed with
standard shutdown (server www.example.com:443, client 217.135.39.70)
[28/Jun/2002 10:14:06 01310] [info]  Connection to child 7 established
(server www.example.com:443, client 217.135.39.70)
[28/Jun/2002 10:14:06 01310] [info]  Seeding PRNG with 23177 bytes of
entropy
[28/Jun/2002 10:14:07 01310] [info]  Connection: Client IP: 217.135.39.70,
Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[28/Jun/2002 10:14:07 01310] [info]  Initial (No.1) HTTPS request received
for child 7 (server www.example2.com:443)
[28/Jun/2002 10:14:07 01310] [info]  Connection to child 7 closed with
unclean shutdown (server www.example2.com:443, client 217.135.39.70)

The useful parts of my httpd.conf are in the attached file.

If anyone could help with this I'd be extremely grateful.

Cheers,
Jon.


Port 80
User nobody
Group nobody
ServerAdmin [EMAIL PROTECTED]
ServerName www.example.com
DocumentRoot /home/httpd/html

## SSL Global Stuff
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
Listen x.x.x.x:80
Listen x.x.x.x:443
Listen x.x.x.y:80
</IfDefine>

<IfModule mod_ssl.c>

SSLPassPhraseDialog  builtin
#SSLSessionCache        none
#SSLSessionCache        shmht:logs/ssl_scache(512000)
#SSLSessionCache        shmcb:logs/ssl_scache(512000)
SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300

SSLMutex  file:logs/ssl_mutex

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

SSLLog      logs/ssl_engine_log
SSLLogLevel info

</IfModule>

### Section 3: Virtual Hosts
NameVirtualHost x.x.x.x:80
NameVirtualHost x.x.x.x:443


#<VirtualHost _default_:*>
#</VirtualHost>

<VirtualHost x.x.x.x:80>
DocumentRoot /home/httpd/html
ServerName www.example.com
...
</VirtualHost>

<VirtualHost x.x.x.x:443>
DocumentRoot /home/httpd/html
ServerName www.example.com
...
<IfDefine SSL>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/www.example.com.crt
SSLCertificateKeyFile /etc/httpd/conf/www.example.com.key

<Files ~ "\.(cgi|shtml|php?)$">
SSLOptions +StdEnvVars
</Files>
<Directory /home/httpd/cgi-bin>
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0
</IfDefine>
</VirtualHost>

<VirtualHost x.x.x.x:80>
DocumentRoot /home/jon/domains/example2.com
ServerName www.example2.com
ServerAdmin [EMAIL PROTECTED]
...
</VirtualHost>

<VirtualHost x.x.x.x:443>
DocumentRoot /home/jon/domains/example2.com
ServerName www.example2.com
ServerAdmin [EMAIL PROTECTED]
...
<IfDefine SSL>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/conf/www.example2.com.crt
SSLCertificateKeyFile /etc/httpd/conf/www.example2.com.key

<Files ~ "\.(cgi|shtml|php?)$">
SSLOptions +StdEnvVars
</Files>
<Directory /home/httpd/cgi-bin>
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0
</IfDefine>
</VirtualHost>




Re: Certificate config problem

2002-06-28 Thread Jimmy Lantz

Hi Jon!
Your problem lies in that you have name-based and not IP-based virtual hosts
for the SSL ones!
The FAQ at modssl explains better why.
Change it to 2 IP-based ones and you're in the clear!
/ HTH
Jimmy

At 10:16 2002-06-28 +0100, you wrote:



RE: Client/Server Certificates

2002-06-28 Thread Jeff Aqua

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of Saunders Jack
 Sent: 27 June 2002 19:55
 To: '[EMAIL PROTECTED]'
 Subject: Client/Server Certificates
 
 
 I am running Apache 1.3.26 with mod_ssl/openssl.  I have 
 configured a server certificate from VeriSign and https 
 communication works great.  However I am trying to now 
 configure client certs.  I have configured apache to trust 
 the CA.  But now if I have a browser that tries a https 
 connection without a certificate imported in the browser I 
 get a page cannot be found error.  How can both types of 
 certificates exist in apache without stopping https 
 communication for everyone.  Some resources will use server 
 to browser 128 bit encryption and others may require client certs.
 
 Thanks

Client and Server certificates co-reside happily without problems.

Sounds like you need to look at your SSL settings for the client
certs in httpd.conf. You probably have something like

  SSLVerifyClient require

which means a client certificate is REQUIRED for access.
Try setting this to
  
  SSLVerifyClient optional

which means you will get a certificate if the user has one, and
they decide to let you see it. Either way, they get access.

Regards
Jeff

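Both of the configuration problems in this digest (Jimmy's answer on name-based SSL virtual hosts and Jeff's answer on SSLVerifyClient require) can be caught by reading httpd.conf before reloading. The following is an added example, not code from the list or from mod_ssl; the sample config, the address 192.0.2.10 and the minimal <VirtualHost> parser are constructed here for illustration and ignore nested containers such as <IfDefine>.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the httpd.conf posted in the thread (not the poster's file):
# two SSL hosts on one address:port, one of which requires client certificates site-wide.
SAMPLE_CONF = """
NameVirtualHost 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
ServerName www.example.com
<IfDefine SSL>
SSLEngine on
SSLVerifyClient require
</IfDefine>
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName www.example2.com
SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Yield (address, {directive_lowercase: value}) per <VirtualHost>; container lines are skipped."""
    for m in VHOST_RE.finditer(conf):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.strip()
            if not line or line[0] in "#<":      # skip comments and <IfDefine>/<Files>/... lines
                continue
            key, _, value = line.partition(" ")
            directives[key.lower()] = value.strip()
        yield m.group(1).strip(), directives

def lint(conf):
    """Return findings for the two list problems: shared-address SSL vhosts, site-wide cert requirement."""
    findings = []
    ssl_hosts = defaultdict(list)               # address:port -> ServerNames with SSLEngine on
    for addr, d in parse_vhosts(conf):
        if d.get("sslengine", "").lower() != "on":
            continue
        name = d.get("servername", "?")
        ssl_hosts[addr].append(name)
        if d.get("sslverifyclient", "").lower() == "require":
            findings.append(f"{name}: SSLVerifyClient require at vhost scope rejects every browser "
                            "without a certificate; use 'optional' here and 'require' per <Location>")
    for addr, names in ssl_hosts.items():
        if len(names) > 1:   # certificate is chosen before the Host header arrives, so the first wins
            findings.append(f"{addr}: {len(names)} SSL vhosts share one address:port ({', '.join(names)}); "
                            "only the first certificate is ever presented, give each its own IP")
    return findings
```

Running lint(SAMPLE_CONF) reports both findings; port-80 hosts that share an address are ignored because they never set SSLEngine on.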