stop apache/mod_ssl binding to all IP's.
Hi,

I am running apache 1.3.26 and mod_ssl 2.8.9-2.1 on a debian linux system. The system has two IPs, and I only wish for apache to start on ports 80 and 443 on one of those IPs. I am using name-based virtual hosting for many sites on the system for http, and have just one virtual host set up for https on port 443.

The problem that I am having is that I cannot stop mod_ssl from binding to port 443 on both the IPs on my system. I have tried every possible combination of Listen, BindAddress, and Port, and have managed to prevent http from starting on all IPs, but https still starts on all IPs.

Is there any way to stop this? Will I need to start two separate servers, one serving http only, and one serving https only? If I was to do this, I may as well go back to using apache-ssl, which is the default installation on debian anyway.

Thanks in advance
terry

-- 
Terry Kerr ([EMAIL PROTECTED])
Adroit Internet Solutions (www.adroit.net)
Phone: +61 3 9563 4461
Fax: +61 3 9563 3856

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: question.
On Wed, 5 Mar 2003, kulkarni veena wrote:

> To have SSL enabled server with self-signed
> certificate do we need
>
> Apache+openSSL+ModSSL or just Apache+ModSSL ?

mod_ssl needs to be linked against OpenSSL libraries, so you need to have OpenSSL if you want to compile mod_ssl. You don't need to have OpenSSL libraries installed on the OS to run mod_ssl if you use static linking. The OpenSSL application is very useful for many PKI operations (handling certificate requests, keys, certificates etc.) but it's not really required.

best regards,
-- 
aspa http://www.kronodoc.fi/
Re: Proxy http with modssl?
On Wed, 5 Mar 2003, Chris Davis wrote:

> I'm looking for a method to hide an old web server behind
> a modssl server. The hidden server has several applications
> served over http. What I'd like is for https requests
> to be rewritten in modssl and proxied to the hidden
> internal system.
> ...

There are probably several possible implementations for the reverse proxy configuration you're describing, but one possibility is to use mod_accel (http://sysoev.ru/mod_accel/) for this purpose.

best regards,
-- 
aspa http://www.kronodoc.fi/
Re: two server certificates..
You can if you use virtual hosts. See the Apache doc and the mod-ssl faq on using one daemon that handles both ssl and non-ssl traffic. This is very similar.

Jan

----- Original Message -----
From: "kulkarni veena" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 06, 2003 12:07 AM
Subject: two server certificates..

> Hi,
>
> is it possible to have one instance of Apache+mod_ssl
> and have two server certificates using two different
> ports for SSL connection.
>
> Thanks in advance.
>
> -veena
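A sketch of the virtual-host arrangement Jan points to, as an added example that is not part of the original thread: one httpd instance with two port-based SSL virtual hosts, each presenting its own certificate. The ports, the host name and every file path are assumptions chosen for illustration.

```apache
# Added illustration, not from the thread. Ports 443 and 8443,
# www.example.com and all file paths are assumed values.

# The main server keeps answering plain HTTP on port 80.
Listen 80
# One listening socket per SSL virtual host.
Listen 443
Listen 8443

# The certificate is presented during the handshake, before the Host
# header is seen, so each certificate needs its own port (or its own IP).

# First certificate, served on port 443.
<VirtualHost _default_:443>
    ServerName www.example.com
    DocumentRoot /usr/local/apache/htdocs
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server-a.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server-a.key
</VirtualHost>

# Second certificate, served on port 8443 by the same daemon.
<VirtualHost _default_:8443>
    ServerName www.example.com
    DocumentRoot /usr/local/apache/htdocs
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server-b.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server-b.key
</VirtualHost>

# Keep both private key files readable by root only (mode 400).
```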
two server certificates..
Hi,

is it possible to have one instance of Apache+mod_ssl and have two server certificates using two different ports for SSL connection.

Thanks in advance.

-veena
Re: Proxy http with modssl?
Chris:

Look at Ralf Engelschall's paper on the Apache web site discussing the mod_rewrite module. You can provide all the SSL/TLS support on your front-end server and use mod_rewrite to generate HTTP requests to the old web server.

Merton Campbell Crockett

On Wed, 5 Mar 2003, Chris Davis wrote:

> Hi,
>
> I'm looking for a method to hide an old web server behind
> a modssl server. The hidden server has several applications
> served over http. What I'd like is for https requests
> to be rewritten in modssl and proxied to the hidden
> internal system.
>
> I installed a second interface on the modssl system. From
> the modssl system I can access the internal web server.
> In a virtualhost clause for the modssl system I've added
>
> ProxyRequests On
> ProxyRemote https://modssl/MyApp http://10.x.x.x
>
> I'd like requests of the form
> https://modssl/MyApp/pgm?SomeArgument=Value to be proxied
> to the internal system as http://10.x.x.x/pgm?SomeArgument=Value
> I receive a 404 in the browser and the following in my error log.
>
> [Wed Mar 04 11:14:25 2003] [error] (20014)Error string
> not specified yet: Cannot store SSL session to DBM file
> `/usr/local/www/logs/ssl_scache'
> [Wed Mar 04 11:14:25 2003] [error] [client 1.2.3.4] File does not exist:
> /usr/local/www/htdocs/MyApp
>
> Is it possible to have modssl proxy an http conversation?
>
> Thanks for any advice, Chris
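The rewrite-and-proxy approach from Merton's reply, as an added example that is not part of the original thread: the SSL virtual host terminates TLS and mod_rewrite hands /MyApp/ requests to mod_proxy. It assumes mod_rewrite and mod_proxy are both loaded; 10.x.x.x is the placeholder from Chris's post, and the certificate paths are assumed.

```apache
# Added illustration, not from the thread. 10.x.x.x is the placeholder
# used in the original post; the certificate paths are assumed values.
<VirtualHost _default_:443>
    ServerName modssl
    SSLEngine on
    SSLCertificateFile    /usr/local/www/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/www/conf/ssl.key/server.key

    # A reverse proxy does not need the forward proxy. Leaving it off
    # keeps the server from relaying arbitrary client-supplied URLs.
    ProxyRequests Off

    RewriteEngine On
    # https://modssl/MyApp/pgm?SomeArgument=Value
    #   -> http://10.x.x.x/pgm?SomeArgument=Value
    # [P] hands the rewritten URL to mod_proxy. The query string is
    # carried over unchanged because the substitution has none of its own.
    RewriteRule ^/MyApp/(.*)$ http://10.x.x.x/$1 [P,L]

    # Map Location headers in backend redirects back to the public path,
    # so clients are never redirected to the internal address.
    ProxyPassReverse /MyApp/ http://10.x.x.x/

    # The hop to 10.x.x.x is plain HTTP, so it should stay on the
    # dedicated internal interface described in the post.
</VirtualHost>
```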
two server certificates.
Hi,

I have one machine which has apache+mod_ssl with a self signed server certificate. Is it possible to have another self signed certificate using the same Apache+mod_ssl instance but say a different port?

thanks in advance.

-veena
question.
Hi,

To have SSL enabled server with self-signed certificate do we need Apache+openSSL+ModSSL or just Apache+ModSSL ?

thanks in advance.

-veena
Re[2]: mod_ssl/openssl error with test certificate?
Geoff,

Oops! Checked out the file and it is a dummy ascii file :-(. I replaced it with a 'real' file from the source tree and then it whined about the private key. It too was a dummy ascii file. I replaced it with a 'real' key file and voila... it all works!

It never occurred to me that 'make install' *does not* install the certificate files.

Thanks to all who spent time on this!

Thanks,
Otto

---
Otto L. Miller
Network Architect
[EMAIL PROTECTED]
Titan Systems
3877 Fairfax Ridge Road
Fairfax, VA 22030-7448
Phone: 703-383-8022
Fax: 703-383-4055

Wednesday, March 5, 2003, 1:21:59 PM, you wrote:

> * Otto L. Miller ([EMAIL PROTECTED]) wrote:
> [snip]
>> I checked permissions and thought that might be the problem, however,
>> the problem persists even if I 'chmod 444
>> /opt/sisapache/conf/ssl.crt/server.crt'. Any thoughts?
> Could you post a copy of the server.crt file?
> Cheers,
> Geoff
Proxy http with modssl?
Hi,

I'm looking for a method to hide an old web server behind a modssl server. The hidden server has several applications served over http. What I'd like is for https requests to be rewritten in modssl and proxied to the hidden internal system.

I installed a second interface on the modssl system. From the modssl system I can access the internal web server. In a virtualhost clause for the modssl system I've added

    ProxyRequests On
    ProxyRemote https://modssl/MyApp http://10.x.x.x

I'd like requests of the form https://modssl/MyApp/pgm?SomeArgument=Value to be proxied to the internal system as http://10.x.x.x/pgm?SomeArgument=Value

I receive a 404 in the browser and the following in my error log.

    [Wed Mar 04 11:14:25 2003] [error] (20014)Error string not specified yet: Cannot store SSL session to DBM file `/usr/local/www/logs/ssl_scache'
    [Wed Mar 04 11:14:25 2003] [error] [client 1.2.3.4] File does not exist: /usr/local/www/htdocs/MyApp

Is it possible to have modssl proxy an http conversation?

Thanks for any advice,
Chris
Re: mod_ssl/openssl error with test certificate?
* Otto L. Miller ([EMAIL PROTECTED]) wrote:
[snip]
> I checked permissions and thought that might be the problem, however,
> the problem persists even if I 'chmod 444
> /opt/sisapache/conf/ssl.crt/server.crt'. Any thoughts?

Could you post a copy of the server.crt file?

Cheers,
Geoff

-- 
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/
How to log errors
I have had a look in the archives but couldn't find definite answers to the following:

I'm running a website that has had ssl working quite happily for some time. However, when errors occur it would be useful to get more details out to diagnose the errors better. For example, I use client authentication for part of the site. A few times a day I will get an error like the following:

    [Tue Mar 4 13:16:22 2003] [error] mod_ssl: SSL handshake failed (server xxx.xxx.xxx:443, client 198.137.241.11) (OpenSSL library error follows)
    [Tue Mar 4 13:16:22 2003] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]

Is it possible (and if so how) to log the details from this certificate without having to change the logging level of mod_ssl? I could change the level but I would end up with faaar too big logs. Is it possible to add something to the end of the LogFormat line?

Secondly, is it normal to get quite a few of the following:

    [Tue Mar 4 13:45:09 2003] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
    [Tue Mar 4 13:45:09 2003] [error] System: Connection reset by peer (errno: 104)

Thanks for any help

Tim Fowle
mod_ssl/openssl error with test certificate?
modssl-users,

OK, I just built an apache + mod_ssl + mod_perl configuration. I built the test certificate and installed it (make certificate && make install). But when I 'apachectl startssl' I get the following message:

    [error] Init: Unable to read server certificate from file /opt/sisapache/conf/ssl.crt/server.crt (OpenSSL library error follows)
    [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

I checked permissions and thought that might be the problem, however, the problem persists even if I 'chmod 444 /opt/sisapache/conf/ssl.crt/server.crt'. Any thoughts?

Thanks,
Otto

---
Otto L. Miller
Network Architect
[EMAIL PROTECTED]
Titan Systems
3877 Fairfax Ridge Road
Fairfax, VA 22030-7448
Phone: 703-383-8022
Fax: 703-383-4055
Re: SSLCryptoDevice Directive
Hi,

On Wed, 4 Mar 2003, Tyler Walden wrote:

> I assume that possibly apache is still using an older version of mod_ssl
> somehow. I know since openssl 0.9.7 the engine code is built in so you
> don't need the --enable-rule=SSL_EXPERIMENTAL anymore or is that
> incorrect?

The SSL_EXPERIMENTAL rule is an option to modSSL, not OpenSSL. You need to enable it to use hardware crypto in modSSL. I built modSSL with this rule enabled and my Ncipher Crypto module works fine. Your apache directive is correct.

>
> Is there an easy way to determine what version of mod_ssl Apache is
> actually loading?

try "strings httpd | grep 'mod_ssl/'"

>
> Any help would be great! Thanx!

Cheers
Re: SSLCryptoDevice Directive
Hi,

To know the version of mod_ssl running, you can read the logs at the apache startup, or do a connection with nc or telnet on your webserver and do a HEAD request. The server will answer sending the Server header with the server version.

You need the --enable-rule=SSL_EXPERIMENTAL. The directive SSLCryptoDevice is provided by mod_ssl. Without the SSL_EXPERIMENTAL rule, it doesn't provide the directive. So you have to recompile mod_ssl with it.

regards,

Matthieu Estrade

Tyler Walden wrote:

> I am attempting to get a CryptoSwift PCI hardware accelerator engine working with:
>
> OpenSSL 0.9.7a
> modssl 2.8.12
> apache 1.3.27
>
> When adding the 'SSLCryptoDevice cswift' line to my httpd.conf I receive the following:
>
> Starting httpd: /opt/apache/bin/httpd -DPHP4 -DSSL
> Syntax error on line 1024 of /opt/apache/conf/httpd.conf:
> Invalid command 'SSLCryptoDevice', perhaps mis-spelled or defined by a module not included in the server configuration.
>
> I have tried placing the directive in the global ssl options and in the and get the same error.
>
> I assume that possibly apache is still using an older version of mod_ssl somehow. I know since openssl 0.9.7 the engine code is built in so you don't need the --enable-rule=SSL_EXPERIMENTAL anymore or is that incorrect?
>
> Is there an easy way to determine what version of mod_ssl Apache is actually loading?
>
> Any help would be great! Thanx!