Re: SSL proxy issues

2008-05-27 Thread lwhelan
Hi, first time mailer but hoping for some good advice from experienced
users.

Basically I'm looking to implement a solution that will redirect SSL
requests coming into my apache server (listening on 443) and forward
them on to a backend server.
I have reverse proxying set up but I can't seem to get it to work for
https connections.

At the moment, using the current configuration below, an http connection
coming into the server on port 80 can be redirected to the https site
configured.

But when I click on a login button on that site I'm just getting a blank
screen in Firefox, with no errors showing in the logs?

Has anyone any ideas, 'cause I've been looking into this for hours now?
 
Listen 8080
Listen 443
ServerName F00311.eircom.ie

<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
</IfModule>

SSLProxyEngine on
ProxyPass / https://www.365online.com/
ProxyPassReverse / https://www.365online.com/

SSLSessionCache shmcb:d:/Apache2.2/logs/ssl_scache(512000)
SSLSessionCacheTimeout 300

<VirtualHost F00311.eircom.ie:443>
    SSLEngine On
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateKeyFile D:\Apache2.2\conf\security\ca.key
    SSLCertificateFile D:\Apache2.2\conf\security\ca.crt
    ServerName F00311.eircom.ie
    SSLProxyEngine on
    ProxyPass / https://www.365online.com/
    ProxyPassReverse / https://www.365online.com/
    SSLProxyVerify none
    SSLProxyProtocol all
    SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</VirtualHost>
 




Re: Extracting SSL_CLIENT_S_DN_UID does not work

2008-05-27 Thread erika20

DON'T SEND ME THIS CRAP, THANKS
-- Original message from Michael Ströder [EMAIL PROTECTED]: --
> Joe,
>
> many thanks for your response.
>
> Joe Orton wrote:
> > On Mon, May 19, 2008 at 10:13:45AM +0200, Michael Ströder wrote:
> > > Maybe I'm overlooking the obvious but it seems that env var
> > > SSL_CLIENT_S_DN_UID is not set when using a client cert for authentication.
> > > The following env vars displayed in my SSI HTML text are relevant here
> > > (obfuscated to protect privacy):
> > >
> > > SSL_CLIENT_S_DN: /O=Company Name/OU=Authc/UID=userid/CN=Full name
> > > SSL_CLIENT_S_DN_UID: (none)
> > >
> > > Is it caused by UID not being the leaf RDN?
> >
> > That shouldn't make any difference.
>
> Ok, fine.
>
> > What versions of OpenSSL and httpd/mod_ssl are you using?
>
> Actually pre-built RPMs shipped with openSUSE 10.3:
>
> # rpm -q openssl apache2
> openssl-0.9.8e-45.5
> apache2-2.2.4-70.4
>
> Not sure whether these RPMs are based on sources patched by openSUSE.
>
> > The "UID" DN tag is ambiguous and probably
> > maps to something other than what your subject DN uses. In the current
> > 2.x mod_ssl sources, UID maps to:
> >
> > #ifdef NID_x500UniqueIdentifier /* new name as of Openssl 0.9.7 */
> >     { "UID", NID_x500UniqueIdentifier },
> > #else /* old name, OpenSSL < 0.9.7 */
> >     { "UID", NID_uniqueIdentifier },
> > #endif
>
> Hmm, the user ID is already stored by mod_ssl with attribute name "UID"
> in env var SSL_CLIENT_S_DN. Given that it's OpenSSL 0.9.8 and that the
> attribute type seems to be interpreted as UID is it safe to assume that
> the cert contains the right OID?
>
> If NID_x500UniqueIdentifier maps to OID 2.5.4.45 it's plain wrong anyway...
>
> Ciao, Michael.
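
Added example, not part of the messages above and not mod_ssl code: a small Python model of the lookup discussed in the quoted thread, showing how a subject can print as UID=userid while a "UID" tag bound to OID 2.5.4.45 finds nothing. The subject is constructed, and it assumes the certificate carries the userId attribute (0.9.2342.19200300.100.1.1, which OpenSSL prints with the short name UID); the function names are hypothetical.

```python
# OpenSSL's printed names for the attribute types involved.
OID_SHORT_NAME = {
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "2.5.4.3": "CN",
    "0.9.2342.19200300.100.1.1": "UID",   # userId
    "2.5.4.45": "x500UniqueIdentifier",   # has no separate short name
}

# Tag -> OID as in the mod_ssl table quoted in the thread, where the "UID"
# tag is bound to NID_x500UniqueIdentifier (2.5.4.45).
MOD_SSL_TAG_OID = {"O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3",
                   "UID": "2.5.4.45"}

USER_ID_OID = "0.9.2342.19200300.100.1.1"

# Constructed subject matching the DN shown in the thread (assumption: the
# UID RDN is the userId attribute type).
SUBJECT = [
    ("2.5.4.10", "Company Name"),
    ("2.5.4.11", "Authc"),
    (USER_ID_OID, "userid"),
    ("2.5.4.3", "Full name"),
]

def oneline(subject):
    """Render the subject the way SSL_CLIENT_S_DN is displayed."""
    return "".join(f"/{OID_SHORT_NAME.get(oid, oid)}={val}" for oid, val in subject)

def dn_component(subject, tag, table=MOD_SSL_TAG_OID):
    """Model of an SSL_CLIENT_S_DN_<tag> lookup: match by OID, not printed name."""
    wanted = table.get(tag)
    for oid, val in subject:
        if oid == wanted:
            return val
    return None

def uid_for_authz(subject):
    """Take the user ID explicitly by OID and reject subjects that carry
    zero or several userId attributes, so authorization never guesses."""
    vals = [val for oid, val in subject if oid == USER_ID_OID]
    if len(vals) != 1:
        raise ValueError("expected exactly one userId attribute")
    return vals[0]

if __name__ == "__main__":
    print(oneline(SUBJECT))              # DN string contains UID=userid
    print(dn_component(SUBJECT, "UID"))  # lookup by 2.5.4.45 finds nothing
    print(uid_for_authz(SUBJECT))        # lookup by the userId OID
```
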