Re: %{SSL_PROTOCOL}x %{SSL_CIPHER}x - question

2007-12-14 Thread Anony Mouse
On Dec 6, 2007 7:26 PM, Shiva Subramanian [EMAIL PROTECTED] wrote:

 hi there,

   recently I turned on the SSL_PROTOCOL & SSL_CIPHER on one of our
 web server to gather some statistics on the SSL protocol & ciphers
 being used.

   most of the entries have SSLv3, TLSv1, some SSLv2s here and there
 and then there are these entries with only a - & - in place where
 the SSL_PROTOCOL & SSL_CIPHER should be.

 for eg:

 XX.XX.83.98 - - [XX/XX/2007:13:31:27 -0500] SSLv3 RC4-MD5  GET XX
 HTTP/1.0 404 363 XX XX
 XX.XX.83.98 - - [XX/XX/2007:13:31:51 -0500] - -  GET / 400 596 - -
 XX.XX.83.98 - - [XX/XX/2007:13:32:21 -0500] - -  GET / 400 596 - -

   my question is what does the - & - represent in the
 SSL_PROTOCOL & SSL_CIPHER fields respectively.


The hyphen just represents a null variable. In this case, no SSL session was
present.

The request in the above example returned status code 400 for Bad Request.
You can reproduce it by issuing a plain HTTP GET / to an HTTPS host.

Regards,
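
The statistics the original poster wanted to gather, with the "-" entries from the reply above counted separately, as an added example that is not part of the thread. The LogFormat, the sample lines and the `summarize` function are assumptions made for illustration.

```python
import re
from collections import Counter

# Assumed LogFormat (the thread does not show the poster's actual one):
#   %h %l %u %t %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %>s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'(?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (documentation addresses, invented requests).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Dec/2007:13:31:27 -0500] SSLv3 RC4-MD5 "GET /missing HTTP/1.0" 404 363
192.0.2.10 - - [06/Dec/2007:13:31:51 -0500] - - "GET /" 400 596
192.0.2.11 - - [06/Dec/2007:13:32:02 -0500] TLSv1 DHE-RSA-AES256-SHA "GET / HTTP/1.1" 200 1024
192.0.2.12 - - [06/Dec/2007:13:32:21 -0500] - - "GET /" 400 596
192.0.2.13 - - [06/Dec/2007:13:33:40 -0500] SSLv2 DES-CBC3-MD5 "GET / HTTP/1.0" 200 1024
this line is truncated
"""


def summarize(lines):
    """Tally protocols and ciphers; count '-' entries separately by status."""
    stats = {"protocols": Counter(), "ciphers": Counter(),
             "no_ssl_by_status": Counter(), "unparsed": 0}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            stats["unparsed"] += 1  # truncated or foreign-format line
            continue
        if m["proto"] == "-" or m["cipher"] == "-":
            # mod_ssl logs "-" when the variable is unset: no SSL session
            # existed, e.g. plain HTTP sent to the HTTPS port (status 400).
            stats["no_ssl_by_status"][m["status"]] += 1
            continue
        stats["protocols"][m["proto"]] += 1
        stats["ciphers"][m["cipher"]] += 1
    return stats


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for key in ("protocols", "ciphers", "no_ssl_by_status"):
        print(key, dict(result[key]))
    print("unparsed", result["unparsed"])
```

Keeping the "-" entries out of the protocol and cipher counters stops failed plain-HTTP requests from skewing the share of SSLv2, SSLv3 and TLSv1 sessions.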


Re: Correct use of SSLVerifyClient and Sub-Ordinate CAs

2007-12-14 Thread Anony Mouse
On Nov 19, 2007 9:24 AM, Anony Mouse [EMAIL PROTECTED] wrote:

 I see that there's been the addition of the SSLCADNRequestFile
 directive in Apache 2.2.x, but I don't see how this relates to this
 particular problem. I also understand that I could narrow the problem
 by using SSLRequire directives and the %{SSL_CLIENT_I_DN} variable,
 but this seems a hackish solution to something that should be handled
 by SSLCACertificateFile alone. Is this a bug?

 Any advice is appreciated. I can provide further details about my
 Apache configs or logs if required.


Nobody?

Regards,


Re: Correct use of SSLVerifyClient and Sub-Ordinate CAs

2007-12-14 Thread Joe Orton
On Mon, Nov 19, 2007 at 09:24:09AM +, Anony Mouse wrote:
 I've found myself in the same quandary as this guy [1]. My CA
 structure is as follows.
 
 - RootCA
   - SubCA1
     - SubCA1 Server
     - SubCA1 Clients
   - SubCA2
     - SubCA2 Server
     - SubCA2 Clients
 
 I have two HTTPS vhost containers. One which has a server certificate
 issued by SubCA1 and should only accept client certificates from
 SubCA1. Likewise, another for SubCA2, which should only accept client
 certificates from SubCA2.

I think this should work by using:

   SSLCertificateChainFile rootca
   <Vhost for SubCA1>
      SSLCACertificateFile SubCA1
   </Vhost>
   <Vhost for SubCA2>
      SSLCACertificateFile SubCA2
   </Vhost>

joe
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


RE: mod_ssl not for apache 2.2.4 (unix)?

2007-12-14 Thread Fought, Richard
As of Apache 2.x mod_ssl is included in the distribution.  All you
should have to do is enable the module in the configuration file.
 
Rich


mod_ssl not for apache 2.2.4 (unix)?

2007-12-14 Thread Chris Jordan
Hi folks,

I'm a complete newbie to compiling apache, and I'm trying to install my
first SSL certificate. All instructions I can find so far all assume that I
have mod_ssl installed already.

I'm willing to install it, but all of the references I can find to the
latest and greatest version of mod_ssl say that it's for apache 1.3.39, but
I'm running apache 2.2.4 on a Fedora Core 6 (2.6.20-1.292.fc6)

I don't want to proceed with recompiling the web server unless I know that
I'm doing the right thing.

Can anyone either a) just help me... or b) point me to a good article or
set of articles on how to do this?

I should mention that we host many, many virtual domains off this one
server.

Thanks heaps,
Chris

-- 
http://cjordan.us


Re: mod_ssl not for apache 2.2.4 (unix)?

2007-12-14 Thread Joe Orton
On Fri, Dec 14, 2007 at 02:10:17PM -0600, Chris Jordan wrote:
 Hi folks,
 
 I'm a complete newbie to compiling apache, and I'm trying to install my
 first SSL certificate. All instructions I can find so far all assume that I
 have mod_ssl installed already.
 
 I'm willing to install it, but all of the references I can find to the
 latest and greatest version of mod_ssl say that it's for apache 1.3.39, but
 I'm running apache 2.2.4 on a Fedora Core 6 (2.6.20-1.292.fc6)

mod_ssl is part of httpd 2.x, and is included with Fedora.  Run

  yum install mod_ssl

joe


Re: mod_ssl not for apache 2.2.4 (unix)?

2007-12-14 Thread Chris Jordan
Richard & Joe, Thanks so much!

Joe, thanks for the command. :o)

I'll see if I can manage it from here. I appreciate you answering such a
basic question for me. Really. Thanks. :o)

Cheers!
Chris

On Dec 14, 2007 2:27 PM, Joe Orton [EMAIL PROTECTED] wrote:

 On Fri, Dec 14, 2007 at 02:10:17PM -0600, Chris Jordan wrote:
  Hi folks,
 
  I'm a complete newbie to compiling apache, and I'm trying to install my
  first SSL certificate. All instructions I can find so far all assume that I
  have mod_ssl installed already.
 
  I'm willing to install it, but all of the references I can find to the
  latest and greatest version of mod_ssl say that it's for apache 1.3.39, but
  I'm running apache 2.2.4 on a Fedora Core 6 (2.6.20-1.292.fc6)

 mod_ssl is part of httpd 2.x, and is included with Fedora.  Run

  yum install mod_ssl

 joe




-- 
http://cjordan.us


Jean-Pierre Guilloteau is out of the office.

2007-12-14 Thread jpguilloteau

I will be out of the office starting Mon 10/12/07 and will not return until
Mon 17/12/07.

I will reply to your message as soon as I return.
In my absence you can contact Aspaway on 01 46 67 88 88 or our
technical support on 01 46 67 88 98.
Regards.
