Re: Partitioned CRLs
Nuno Ponte wrote:
> Hi,
>
> We are running a CA that has thousands of revoked certificates, which leads to CRLs of several MBytes. On the next renewal of the CA, we are thinking of partitioning the CRLs at each X number of issued certificates. The issued certificates will have different CRL Distribution Points (CDP) according to the partitions they are assigned. For example, for X=100, from certificate 1 to certificate 100 the CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101 to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.

The CDP is embedded when creating the certificate, so it might be possible (client side).

Server side, you can stack as many CRLs as you want into either a single file or a directory (using hashing) and point Apache to it. But you may have to apply a patch for multiple identical DN handling:
http://marc.info/?l=apache-httpd-dev&m=120350484626015&q=p3

Why didn't you implement OCSP in Apache?
http://sitola.fi.muni.cz/%7Etauceti/?download=ocsp_apache_2.2.patch
(I didn't test it anyway)

-- 
The Mona Lisa does not smile in front of Chuck Norris.
Gilles CUESTA - Logiciels Libres 69139920
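The partitioning scheme Nuno describes, worked through as an added example (not code from either poster): map a certificate serial to its partition's CRL URL, then build and read back the DER CRLDistributionPoints extension value that carries that URL inside the certificate, using only the Python standard library. Assumptions: 1-based serials assigned in issuance order, and the myca-NNNN.crl naming from the post.

```python
# Added example, not from the thread; 1-based serials, URL pattern from the post.
PARTITION_SIZE = 100                 # X: certificates per CRL partition
CDP_TEMPLATE = "http://myca.com/crl/myca-{:04d}.crl"

def cdp_for_serial(serial, size=PARTITION_SIZE):
    """Serials 1..X map to partition 0001, X+1..2X to 0002, and so on."""
    return CDP_TEMPLATE.format((serial - 1) // size + 1)

def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def encode_crl_dp(url):
    """CRLDistributionPoints ::= SEQUENCE OF DistributionPoint; one point with
    distributionPoint [0] -> fullName [0] (IMPLICIT) -> URI [6]."""
    uri = _tlv(0x86, url.encode("ascii"))
    return _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0xA0, uri))))

def _read_tlv(buf, pos):
    """Return (tag, value, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                # long form: next (length & 0x7F) octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_crl_dp(der):
    """Return every URI carried by a DER CRLDistributionPoints value, in order."""
    tag, points, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    urls, pos = [], 0
    while pos < len(points):
        _, point, pos = _read_tlv(points, pos)
        tag, name, _ = _read_tlv(point, 0)        # expect [0] distributionPoint
        if tag == 0xA0:
            tag, name, _ = _read_tlv(name, 0)     # expect [0] fullName
        if tag != 0xA0:                           # reasons-only point or [1] RDN
            continue
        npos = 0
        while npos < len(name):
            tag, value, npos = _read_tlv(name, npos)
            if tag == 0x86:
                urls.append(value.decode("ascii"))
    return urls
```

Running `decode_crl_dp` over the extension bytes of an issued certificate is how a relying party (or an audit script) finds out which partition file to fetch for it.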
Re: unable to start apache with 2 certificates
Jorge Martín Cuervo wrote:
> Hi all,
>
> I have a problem with an apache 2.2.9; maybe this is not the correct mailing list but I am going to ask, my apologies if this isn't the proper place. I had an instance of apache 2.2.9 with an IP serving contents on ports 80 and 443, we bought a godaddy certificate and all went pretty well, but we needed to install another certificate for another domain on the same machine. I had several domains and all work with vhosts over http, but when I first tried to use several vhosts for secure connections the apache seemed to restart well but stopped working.

Did you try with SSLPassPhraseDialog in each VirtualHost? Or an unciphered key?
What is the result of httpd -S?

-- 
Gilles CUESTA - Logiciels Libres 69139920
Re: unable to start apache with 2 certificates
Jorge Martín Cuervo wrote:
> I tried with an SSLPassPhraseDialog in every VirtualHost and I get this message:
>
>     [EMAIL PROTECTED] bin]$ ./apachectl -S
>     Syntax error on line 82 of /home/jmartin/apache22/conf/extra/httpd-ssl.conf:
>     SSLPassPhraseDialog cannot occur within <VirtualHost> section
>
> > or unciphered key ?
>
> How can I do it? Do I need to contact my certificate provider?

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC31
Your key may be stored unciphered on your server.

-- 
Why did Pierre Lescure leave Canal? Because he was planning to create a Chuck Norris puppet on Les Guignols de l'info!!!
Gilles CUESTA - Logiciels Libres 69139920
Re: SSL proxy
Eckard Wille wrote:
> [EMAIL PROTECTED] wrote:
> > I have several web servers currently that all have the same IP, but different host names, and I have an apache that uses mod_proxy to direct requests to the correct internal server to process the request. I would like to use my apache proxy server to provide SSL encryption and decryption, and not have to have each individual server do that. Is that possible? I have worked with virtual host configuration, and I have tried to set up the ssl stuff so that this will work, but so far I have not been successful. I have tried to search for this, but the closest I have come is proxy to an ssl server. I want to have the proxy server do the ssl stuff for me.
>
> Hi,
>
> you can not use SSL with virtual hosting, see http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
> You'll have to get a dedicated IP for every single SSL host. You could play around with one SSL proxy on your single IP with a common name and do some rewriting according to a URL prefix matching the secure parts of your backend virtual hosts; decide yourself if this config work is worth it.

I thought that using wildcard or multi-CN certificates would work? In this case, only one certificate is needed for a range of vhosts.

-- 
Gilles CUESTA - Logiciels Libres 69139920
Re: SSL proxy
Eckard Wille wrote:
> Cuesta Gilles wrote:
> > I thought that using wildcard or multi-CN certificates would work?
>
> No.
>
> > In this case, only one certificate is needed for a range of vhosts.
>
> If you only have one IP this won't make things better because virtual hosting is still not possible. Wildcard certs do not enable vhosting because the SSL handshake still takes place before the HTTP Host header can be evaluated. They were offered by CAs to make it easier for admins so they wouldn't have to fiddle around with dozens of certs and their validity management in a masshosting environment or for subdomains.

So what about this?

    *MULTIPLE CN (SAN) SERVER CERTIFICATES*
    This type of certificate (also called Subject Alternative Name (SAN)) makes it possible to secure not only one website but a large number of sites (a list of sites) hosted on a shared infrastructure (server with multiple names, reverse proxy). Ideal to secure multiple brands of a corporation. One certificate per hardware is required.
    http://www.tbs-certificats.com/index.html.en

-- 
Gilles CUESTA - Logiciels Libres 69139920
Re: SSLVerifyClient applies to parent directory
Florian Hackenberger wrote:
> On Thursday 26 June 2008, Florian Hackenberger wrote:
> > On Thursday 26 June 2008, Joe Orton wrote:
> > > It denies access for what type of request, a directory listing?
> >
> > Ok, I think I understood the intention of your question. Accessing a specific file works, but getting the directory listing fails. Would that be a result of apache trying to access the protected directory in order to read attributes for the listing, causing the certificate verification to kick in?

It's more an apache-specific question; try setting Options +Indexes in your vhost, allowing directory listing.

-- 
Many men have searched the world for Pandora's box; meanwhile Chuck Norris was using it to store his shoes.
Gilles CUESTA - Logiciels Libres 69139920
Re: SSLVerifyClient applies to parent directory
Florian Hackenberger wrote:
> On Friday 27 June 2008, Cuesta Gilles wrote:
> > It's more an apache-specific question; try setting Options +Indexes in your vhost, allowing directory listing.
>
> Thanks, but that is certainly not the problem, as apache creates a listing as soon as I remove 'SSLVerifyClient require'.
>
> Cheers,
> Florian

That seems to indicate that it's already activated. For your issue, two questions:
- is a VerifyDepth of 1 enough for verification chaining?
- there is no default SSLVerifyClient for the VirtualHost

Try adding:

    SSLVerifyClient none

or

    <Directory /usr/local/htdocs>
        SSLVerifyClient none
    </Directory>

    Listen 443
    <VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
        DocumentRoot /usr/local/htdocs
        SSLVerifyClient none
        <Directory /usr/local/htdocs/directory/subdirectory>
            SSLVerifyClient require
            SSLVerifyDepth 1
        </Directory>
    </VirtualHost>

-- 
Chuck Norris understands Lassie and Flipper the dolphin. In fact, he is the one who did the translations for every single episode!
Gilles CUESTA - Logiciels Libres 69139920
Re: SSLVerifyClient applies to parent directory
Florian Hackenberger wrote:
> Hi!
>
> First of all: Thanks for your great software, I've used it on several servers and it proved to be very useful.
>
> I have a little problem with the SSLVerifyClient directive on apache 2.2.9 with mod_ssl compiled from source on debian etch. I have the following directory layout:
>
>     /usr/local/htdocs/directory/subdirectory
>
> and the following configuration options (besides the defaults) in httpd.conf:
>
>     Listen 443
>     <VirtualHost *:443>
>         SSLEngine On
>         SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
>         DocumentRoot /usr/local/htdocs
>     </VirtualHost>
>     <Directory /usr/local/htdocs/directory/subdirectory>
>         SSLVerifyClient require
>         SSLVerifyDepth 1
>     </Directory>

Maybe try this:

    Listen 443
    <VirtualHost *:443>
        SSLEngine On
        SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
        DocumentRoot /usr/local/htdocs
        <Location /directory/subdirectory>
            SSLVerifyClient require
            SSLVerifyDepth 1
        </Location>
    </VirtualHost>

-- 
Chuck Norris was a CounterStrike champion before the Internet was invented.
Gilles CUESTA - Logiciels Libres 69139920