still no message for old browsers

2002-08-20 Thread Jeroen Vriesman

Hi,

Thanks for the tips on how to create a setup where browsers that cannot handle
128-bit encryption are redirected to an upgrade message.

I get the idea of using the rewrite rules, but I'm still stuck.

I have a separate directory /var/www/messages configured with RewriteEngine off,
aliased as /messages, but browsers without 128-bit encryption capability don't
seem to be able to access it, even if I allow all SSLCipherSuite.

Even if I get rid of the SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 completely,
browsers without 128-bit encryption cannot access anything.

I do have a global server certificate from VeriSign, with an intermediate
certificate installed with SSLCACertificateFile; could that have something to do with
it?

Cheers,
Jeroen.
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]
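One way to wire up the redirect Jeroen describes, added here as an example and not taken from the thread or from the mod_ssl docs. It assumes an SSL vhost on port 443, an upgrade page at /messages/upgrade.html, certificate paths under /etc/httpd/ssl (all placeholders), and a mod_ssl build that lets mod_rewrite read SSL variables through the %{SSL:...} lookup (Apache 2.0 style).

```apache
<VirtualHost _default_:443>
    SSLEngine on

    # Keep the weak (export) ciphers enabled in this vhost: if the TLS
    # handshake itself fails, no rewrite rule ever runs and an old browser
    # sees nothing at all, not even the upgrade page.
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    # Placeholder paths. SSLCertificateChainFile is the directive intended
    # for the intermediate (VeriSign) certificate.
    SSLCertificateFile      /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/server.key
    SSLCertificateChainFile /etc/httpd/ssl/intermediate.crt

    Alias /messages /var/www/messages

    # Do not enforce the key size with SSLRequire here: SSLRequire entries
    # are merged into every nested <Location>/<Directory>, so /messages
    # would be locked out as well. Server-level rewrite rules also run
    # before any per-directory configuration, so "RewriteEngine off" inside
    # /var/www/messages does not exempt that directory; the RewriteCond
    # on the request URI does. The key size is compared as a regex rather
    # than with "<128", because mod_rewrite's <, > and = are lexical
    # string comparisons ("40" sorts after "128").
    RewriteEngine on
    RewriteCond %{SSL:SSL_CIPHER_USEKEYSIZE} !^(128|168|256)$
    RewriteCond %{REQUEST_URI} !^/messages/
    RewriteRule .* /messages/upgrade.html [R,L]
</VirtualHost>
```

Verify with a client forced to an export cipher (e.g. openssl s_client -cipher EXP) that the handshake completes and the redirect to /messages/upgrade.html is returned, and with a strong cipher that the normal content is served.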



Client certificate mapping in OpenLDAP

2002-08-20 Thread mac leus

Hello all,

I would like to know if anyone has experience with client certificate
mapping in LDAP. I know that there is a module called mod_authz, but I don't know
if it is any good. 

Thanks,

Leus




Problem starting Apache (yes I have read the FAQs!)

2002-08-20 Thread rmr1


Hi all -

This seems to be a commonly reported problem, but for all the archives
and FAQs I've read, I am no further forward. Here is the situation: 

Apache 1.3.26, OpenSSL 0.9.6g, mod_ssl 2.8.10-1.3.26, Compaq Tru64 UNIX
4.0F.

On starting Apache, it immediately exits and logs the following in the
error log file:

[Tue Aug 20 15:50:13 2002] [error] mod_ssl: Init: Failed to generate
temporary 512 bit RSA private key (OpenSSL library error follows)
[Tue Aug 20 15:50:13 2002] [error] OpenSSL: error:24064064:random number
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[Tue Aug 20 15:50:13 2002] [error] OpenSSL: error:04069003:rsa
routines:RSA_generate_key:BN lib

The FAQ refers to the SSLRandomSeed directive; this is set in the
httpd.conf file as

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

(As I'm running on Tru64 I don't have the option of using /dev/random)

It also refers to problems at the make certificate stage; that seems
to have gone through without any problems.

I've also read that there are problems with PHP, so I have removed all
reference in the httpd.conf file to the dynamic PHP module, and for good
measure the dynamic Apache Jserv module, so these are not loading. Still
no difference.

Can anyone offer me some more pointers?

Thanks

Richard

--

Richard Rogers
IT Services, Staffordshire University



Re: Problem starting Apache (yes I have read the FAQs!)

2002-08-20 Thread Cliff Woolley

On Tue, 20 Aug 2002 [EMAIL PROTECTED] wrote:

 The FAQ refers to the SSLRandomSeed directive; this is set in the
 httpd.conf file as
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 (As I'm running on Tru64 I don't have the option of using /dev/random)

Try using prngd ...

http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

Hope this helps,
Cliff




Re: Problem starting Apache (yes I have read the FAQs!)

2002-08-20 Thread Peter Viertel

There's more info on this in the reference manual than in the FAQ.

http://www.modssl.org/docs/2.8/ssl_reference.html#ToC4

Basically try changing the 'startup' one to use a 
file:/path/to/file/with/junk/in/it that points at a file with something 
random enough in it - I'm not Mr Crypto, but by random I take it that 
something an outside party can't guess ought to be enough, and you need 
to experiment with file lengths a bit to find what works enough - some 
people advocate using the syslog output. Of course if you're just 
hacking around and you don't care that the NSA or the Home Office might 
be able to decrypt your SSL streams, then why stress out about it?

The 'connect' one however should get by using the builtin, or see if you 
can get egd working - this one does affect performance, so avoid using 
the exec: option because spawning processes is not cheap on resources.

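Cliff's prngd tip and Peter's startup/connect advice combined into one configuration, added here as an example and not taken from the thread. It assumes prngd is listening on the EGD socket /var/run/egd-pool and that the syslog file /var/log/messages is readable by the user that starts httpd (both placeholder paths).

```apache
# Startup seeding runs once, so it can afford a slow or large read.
# Tru64 has no /dev/random, so take the bytes from the socket prngd serves;
# mod_ssl's egd: source speaks the EGD protocol that prngd implements.
SSLRandomSeed startup egd:/var/run/egd-pool

# Second startup source in case prngd is not running yet: 1024 bytes from
# a file an outsider cannot read. Syslog output is the common choice Peter
# mentions; it is only as unpredictable as the log is, so keep it readable
# by root only and never point this at a world-readable or static file.
SSLRandomSeed startup file:/var/log/messages 1024

# Per-connection seeding happens on every handshake, so keep it cheap:
# the builtin source costs nothing, whereas exec: forks a process per
# connection and drags throughput down.
SSLRandomSeed connect builtin

# On platforms that do ship a kernel PRNG, prefer the non-blocking device
# for both contexts instead of the lines above:
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/urandom 512
```

After restarting, the "PRNG not seeded" / "Failed to generate temporary 512 bit RSA private key" pair from the error log should no longer appear.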



Re: Problem starting Apache (yes I have read the FAQs!)

2002-08-20 Thread Jeroen Vriesman

On Tue, 20 Aug 2002 20:48:26 +0100
Peter Viertel [EMAIL PROTECTED] wrote:

 there's more info on this in the reference manual, than the FAQ.
 
 http://www.modssl.org/docs/2.8/ssl_reference.html#ToC4
 
 Basically try changing the 'startup' one to use a 
 file:/path/to/file/with/junk/in/it that points at a file with something 
 random enough in it - I'm not mr crypto, but, by random I take it that  something 
an outside party cant guess ought to be enough, and you need 
Actually, something like having an autocorrelation function which looks like a Dirac
delta function is better.
Since an algorithm can never produce real randomness, there are actually hardware random
generators using a source like Zener noise.

Regards,
Mr. (paranoid) Crypto.



 to experiment with file lengths a bit to find what works enough - some 
 people advocate using the syslog output. Of course if you're just 
 hacking around and you dont care that the NSA or the Home Office might 
 be able to decrypt your ssl streams, then why stress out about it?
 

I do care, they are always after me, really!


 the 'connect' one however should get by using the builtin or see if you 
 can get egd working - this one does affect performance, so avoid using 
 the exec: option because spawning processes is not cheap on resources.
 



Corrupt Jar and Cab files

2002-08-20 Thread Edward Wong

Hello All,

I'm seeing strange behavior when running Apache 2.0.39 on Windows XP, where 
jar and cab files are truncated after only 16K or so (my jar/cab files 
are actually around 100K).  This seems to happen with just about any 
browser, regardless of the JVM.  Also, this issue only occurs on Windows XP; 
Win2k, WinNT, and Linux all work properly.

In Windows XP under http, everything seems to work just fine.  Under https, 
everything works fine EXCEPT for the jar and cab files.  Taking a look at 
the Java cache shows that naturally, the jar and cab files are missing.  My 
SSL conf files are as follows:

---ssl.conf

#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about
# these directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
#
#   For the moment, see <URL:http://www.modssl.org/docs/> for this info.
#   The documents are still being prepared from material donated by the
#   modssl project.
#

#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#

include conf/ssllisten.conf

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#
#   Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
AddType application/x-509-ca-cert  .csr

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
#SSLPassPhraseDialog  exec:certificates/getPassword.exe

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        shmht:logs/ssl_scache(512000)
#SSLSessionCache        shmcb:logs/ssl_scache(512000)
SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual exclusion semaphore the
#   SSL engine uses internally for inter-process synchronization.
SSLMutex  file:logs/ssl_mutex

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file.  Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones include lower ones):
#   none, error, warn, info, trace, debug.
#SSLLog  logs/ssl_engine_log
#SSLLogLevel warn


#   SSL Cipher Suite:
include conf/ciphers.conf

##
## SSL Virtual Host Context
##

include conf/sslvirtualhost.conf




and sslvirtualhost.conf



<VirtualHost _default_:8443>
#DocumentRoot doc
#ServerAdmin [EMAIL PROTECTED]
ErrorLog logs/error_log
TransferLog logs/access_log
UseCanonicalName On

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' under
#   built time. Keep in mind that if you've both a RSA and a DSA
#   certificate you can configure both in parallel (to also allow
#   the use of DSA ciphers, etc.)

SSLCertificateFile certificates/server.crt


#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)

SSLCertificateKeyFile certificates/server.key


#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   

Re: Compile of Apache

2002-08-20 Thread Andrew Lietzow

On Wednesday 07 August 2002 11:08 am, you wrote:
 Firstly, excuse my weak English.
 I am trying to compile the Apache-1.3.26, with SSL (openssl-0.9.6d or
 mod_ssl-2.8.10-1.3.26) and mod_perl (mod_perl-1.26). I tried to compile
 in several different ways, for the Apache, using the openssl and for the
 mod_perl (INSTALL.simple.mod_ssl).
 Both seem to compile well and to generate the binary ones. SSL works
 well. However, in any situation I am getting to execute scripts PERL.
 Could anybody send me a compilation and installation script of the
 Apache with SSL and MOD_PERL that it works appropriately?
 I am using RedHat 6.2 in a Sun UltraSparc 10 with perl 5.003.
 Thank you.

Perhaps it's the "I love to be on the bleeding edge" drive in me, which has 
regrettably proven to be something other than a brilliant move so many times, 
but I question why you would not install Apache 2.0.40 and skip the 1.3.26 
altogether?  

It seems to work so much better right out of the tarball, having mod_so, 
pre-compiled into the code, making the addition of mod_perl and mod_ssl 
seemingly much easier.  

I do know that the install of 2.0.X has been quite smooth, relative to 
1.3.26.

Am I off track in that assumption?   Am I leading this fellow astray?   
Perhaps there are quirks that won't allow an install to RHL 6.2 and Sun US 10?

-- 
Andrew Lietzow
The ACL Group, Inc.



Re: Corrupt Jar and Cab files

2002-08-20 Thread Edward Wong

Thanks Cliff.  It looks like that's the answer!

--Ed


From: Cliff Woolley [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: Edward Wong [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Re: Corrupt Jar and Cab files
Date: Tue, 20 Aug 2002 21:07:07 -0400 (EDT)

On Tue, 20 Aug 2002, Edward Wong wrote:

  I'm seeing strange behavior when running apache 2.0.39 on Windows XP, where

First of all, it is critical that you upgrade to 2.0.40, as you are
currently wide open to attack with the Win32-related vulnerabilities in
2.0.39.

  jar and cab files are truncated after after only 16K or so (my jar/cab files
  are actually around 100K).  This seems to happen with just about any
  browser, regardless of the JVM.  Also, this issue only occurs on Windows XP.
  Win2k, WinNT, and Linux all work properly.

I'm guessing you have not looked at the following:
http://www.apache.org/dist/httpd/binaries/win32/#xpbug

This is a bug in XP for which a hotfix exists.

--Cliff
