Forgotten mod_ssl pool?
Apache 2 SSL question which is probably related to mod_ssl: the Apache 2.2.3 SSL implementation has a pool in the ssl_expr_node struct (in ssl_expr.h), whereas the latest mod_ssl implementation does not. I know mod_ssl is only for Apache 3.1.*, but the pool in Apache 2.2.3 doesn't seem to be used anyway! Is this just a forgotten pool from older versions of mod_ssl, or does it have a purpose?

An extra pointer in the struct is not really a problem as such, but I want to make a copy (in my own allocated memory, which is not tied to an Apache pool) and then execute it later using ssl_expr_exec(). If a copy of the contents of the pool is also necessary, well, then it could be a problem.

Many thanks to anyone who knows,
Christiaan

Some more details below:

--- ssl_expr.h:

    typedef struct {
        ssl_expr_node_op node_op;
        void *node_arg1;
        void *node_arg2;
        apr_pool_t *p;
    } ssl_expr_node;

    typedef ssl_expr_node ssl_expr;

--- The pool in ssl_expr_node doesn't seem to be used, either when the struct is created (ssl_expr.c):

    ssl_expr *ssl_expr_comp(apr_pool_t *p, char *expr)

or when it is evaluated:

    int ssl_expr_exec(request_rec *r, ssl_expr *expr)

Many thanks in advance,
Christiaan Lamprecht

__
Apache Interface to OpenSSL (mod_ssl)    www.modssl.org
User Support Mailing List                modssl-users@modssl.org
Automated List Manager                   [EMAIL PROTECTED]
SSLRequire: core dump with long strings, sometimes unreliable expressions
Hi,

I'm trying to protect URLs with SSLRequire and I am running into trouble with Apache segmentation faults and expressions that work sometimes, but not always. Setup is Apache 1.3.37 on a Linux box with mod_ssl built into Apache, not as an external .so. No RPMs, everything built from source.

I want to protect two URLs: /foo and /cgi-bin/foo. /foo redirects per 'http-equiv=refresh content=0' to /cgi-bin/foo. /cgi-bin/foo displays a frameset of two frames, which are generated by Perl scripts. So I am using two Location blocks, one for /foo and one for /cgi-bin/foo, each containing the same SSLRequire expression. The blocks are contained in an external file that is included into the Apache configuration with Include.

Everything is fine when I am using expressions like:

    SSLRequire ( %{SSL_CLIENT_I_DN_CN} eq "Foo CA" \
                 and %{SSL_CLIENT_S_DN_CN} in {"Bar", "Baz"} )

Works great, but for some reason I want to check against the whole certificate. This is where the trouble starts. I tried:

    SSLRequire (%{SSL_CLIENT_CERT} == file("/path/to/bar.pem") \
                or %{SSL_CLIENT_CERT} == file("/path/to/baz.pem")) \
               and %{SSL_CLIENT_CERT_CHAIN_0} == file("/path/to/foo-ca.pem")

Browsing to /foo and being redirected to /cgi-bin/foo, I sometimes get:

- One frame with content, the other with 403 Forbidden.
- Both frames with 403 Forbidden.
- Both frames with content.
- One page (no frames) with 403 Forbidden.

In case of 403 the error log states: Failed expression.

Then I tried to include the PEM-encoded cert into SSLRequire:

    SSLRequire (%{SSL_CLIENT_CERT} eq "-----BEGIN CERTIFICATE-----\nImagine_complete_PEM_in_here\n-----END CERTIFICATE-----\n")

Which results in segmentation faults when trying to start Apache! The parser of mod_ssl seems to be limited to a number of characters in this place. Shorter expressions are OK; with the complete PEM certificate my Apache won't start, instead it throws a segmentation fault.

Finally I came up with matching against the last 128 or 256 bytes of the certificate, where the signature is located. I match with m## so slashes inside the PEM don't matter, '+' are quoted, and \n is replaced by .?:

    SSLRequire %{SSL_CLIENT_CERT} =~ m#ZlL5lB6BhQqB9Cwa3OCetBxuqT5Rx6eQB0UJQQF\+v5R80H6XPjeURnbD8UvNflZG.?2noIZ4UxkVoKxFAlTeept5EylxVclQ4NTsLyrsQnxjrrAUUy3eP3I\+CkreLRuv0F.?f08ISFtKaHttoQ==.?-----END CERTIFICATE-----# \
               and %{SSL_CLIENT_CERT_CHAIN_0} =~ m#w3qcUn85WX5Vmi/QI\+UCG6kuNtKk\+CAWYkN\+nt4vwa11SzCQLCYYccMrr\+5CMCpG.?PeXsmiMCpYUitWk9AryzyMPiDBc9acZebdY44EbQHE4DaNNrrWN1rcdagQ\+RMWZt.?8cv\+nUG4NUQCPeUffrKVLHw56jvWsR6GJaode2GDh79yRKdj5w==.?-----END CERTIFICATE-----#

And what do I get? Same result as with file(): browsing to /foo and being redirected to /cgi-bin/foo, I sometimes get:

- One frame with content, the other with 403 Forbidden.
- Both frames with 403 Forbidden.
- Both frames with content.
- One page (no frames) with 403 Forbidden.

Is this behaviour known? Any solution?

Cheers
Jan

-- 
Jan Klever (PKI Team), DFN-CERT Services GmbH
https://www.dfn-cert.de, +49 40 808077-619 / +49 40 808077-555 (Hotline)
PGP RSA/2048, 501B8FB1, 37 DD 41 9A E9 3B CB 2B 94 E5 F8 6A 76 CA 16 C1
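The tail-of-certificate technique from Jan's post, automated as an added example; this is not code from the post or from mod_ssl, and the function names, the 128-character default and the two placeholder certificates are the example's own. It takes the last N base64 characters of a PEM certificate, escapes '+' (the only regex metacharacter in the base64 alphabet; '/' needs no escaping with m#...# delimiters) and allows an optional line break wherever PEM wraps at 64 columns. The break is written as [[:space:]]* instead of .? so the pattern is valid whether SSLRequire hands it to a POSIX ERE engine or to PCRE, and it matches both the wrapped PEM and a value whose newlines were stripped. The matches() helper applies the pattern unanchored, like =~, so a pattern can be checked against the real PEM file before it goes into httpd.conf.

```python
"""Pin a client certificate in SSLRequire by the tail of its PEM encoding.

Added example, not code from the post or from mod_ssl. All names and the
two placeholder certificates below are constructed for the example.
"""
import base64
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
PEM_LINE = 64                 # PEM wraps base64 at 64 columns
GAP = "[[:space:]]*"          # optional line break; POSIX class is valid in ERE and PCRE


def pem_body(pem: str) -> str:
    """Base64 body of one PEM CERTIFICATE block with all line breaks removed."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("not a single PEM CERTIFICATE block")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("PEM body is not base64")
    return body


def tail_regex(pem: str, tail_chars: int = 128) -> str:
    """Regex for the last tail_chars base64 characters plus the END marker.

    A GAP is inserted at every 64-column boundary inside the tail and before
    the END marker, so the pattern matches the wrapped PEM as well as a value
    whose newlines were stripped. '+' is the only base64 char that is a regex
    metacharacter, so it is the only one escaped.
    """
    body = pem_body(pem)
    if tail_chars > len(body):
        raise ValueError("tail longer than certificate body")
    start = len(body) - tail_chars
    parts = []
    for i in range(start, len(body)):
        if i > start and i % PEM_LINE == 0:
            parts.append(GAP)
        ch = body[i]
        parts.append(r"\+" if ch == "+" else ch)
    parts.append(GAP + PEM_END)
    return "".join(parts)


def sslrequire_line(pem: str, var: str = "SSL_CLIENT_CERT",
                    tail_chars: int = 128, delim: str = "#") -> str:
    """Complete SSLRequire directive; delim must not occur in the pattern."""
    pattern = tail_regex(pem, tail_chars)
    if delim in pattern:
        raise ValueError("delimiter collides with pattern")
    return f"SSLRequire %{{{var}}} =~ m{delim}{pattern}{delim}"


def matches(pattern: str, value: str) -> bool:
    """Local check, unanchored like =~. Python's re has no POSIX classes,
    so [[:space:]] is translated to \\s before searching."""
    return re.search(pattern.replace("[[:space:]]", r"\s"), value) is not None


def make_pem(raw: bytes) -> str:
    """Wrap raw bytes as a PEM block: constructed placeholder, not a real cert."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + PEM_LINE] for i in range(0, len(b64), PEM_LINE)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


# Placeholder "certificates"; the byte pattern guarantees '+' and '/' occur
# in the base64 body, which is exactly where the escaping matters.
CERT_A = make_pem(bytes(range(256)) * 2)
CERT_B = make_pem(bytes(range(255, -1, -1)) * 2)

if __name__ == "__main__":
    print(sslrequire_line(CERT_A))
    pat = tail_regex(CERT_A)
    print("wrapped PEM matches:  ", matches(pat, CERT_A))
    print("flattened PEM matches:", matches(pat, CERT_A.replace("\n", "")))
    print("other cert matches:   ", matches(pat, CERT_B))
```

Run it once per certificate and paste the printed directive into the Location block; check the pattern with matches() against the real PEM first, because a pattern that fails locally will only show up in httpd as a bare "Failed expression" in the error log.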
Mod_SSL
Hello List:

My first posting! I am installing Apache-2.2.3 and would like to install mod_ssl. I notice that the current/latest version of mod_ssl is for Apache-1.x.x. Is there any way (with a patch) to install the latest version of mod_ssl on Apache-2.x.x?

Thanks.
Kirt
RE: Mod_SSL
You add the ssl argument when you configure Apache.

From: kbajwa [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 07, 2006 10:22 AM
To: modssl-users@modssl.org
Subject: Mod_SSL
Re: Mod_SSL
What this person is getting at is that the reason you can't find a mod_ssl patch for Apache 2.x is that mod_ssl comes pre-bundled with Apache 2.x. Just enable it when you run configure on the Apache build.

--Cliff

On 11/7/06, Kong, Yi - HPL [EMAIL PROTECTED] wrote:
> You add the ssl argument when you configure Apache.
Re: How to unload mod_ssl from memory?
> Hi Louise,

Hi Patrick =)

> Include conf.d/*.conf
>
> So this includes *.conf files listed in the conf.d directory (in mine, this is on the same directory level as the conf directory below /etc/httpd). My ssl.conf file is in this second directory and has as one of its commands:

This was just it =) I backed up the original and called it _ssl.conf. From now on I will learn how to use SVN, and check /etc in as the first thing, so I don't try something similar another time =)

> I do not know if this will apply to your situation but it sounds like it might be something to check. It took me a couple of hours of digging around in the filesystem to find that one. I'm a noobie or I guess I would have found it quicker. :-)

I think I spent about 4-5 hours on the debugging and tracing without solving this problem, so I am very glad for Michael's and your replies =) I would never have solved it without them.

With love,
Louise