RE: Specifying the openssl version used with mod_ssl

2010-10-28 Thread Gunner Geller
Hello all,
Sorry for the delay. We found a workaround and quit looking into
the below issue. Thanks to Peter for the static library suggestion and Lee
for the same and for getting me back on the topic. We were able to get
everything working how it should. A note, we are compiling modssl into
apache. We are not using it as a shared object. Here are the key config
options for openssl and apache:

Openssl:

./configure --prefix=/usr/local/ssl --shared

Apache:

./configure --with-included-apr --enable-ssl --with-ssl=/usr/local/ssl 


It is probably a good idea to run a sudo make clean for each installation.
At least it was for us since we re-installed about 50 times.


Thanks again,

Gunner Geller


-----Original Message-----
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org]
On Behalf Of Gregg L. Smith
Sent: Monday, September 13, 2010 12:48 PM
To: modssl-users@modssl.org
Subject: Re: Specifying the openssl version used with mod_ssl

Hello Gunner,

Have you tried
--enable-ssl --with-ssl=/path/to/just/compiled/openssl ?

Regards,

Gregg

Gunner Geller wrote:
  Hello,
 
 We are using mac Leopard OS. We have rolled our own Apache(2.2.16)
 separate from the default install. We have also rolled our own OpenSSL to
 the latest version. However when we compile Apache and enable mod_ssl it
 still uses the old OpenSSL version. We can see it in our http headers:
 
  
 
 Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l
 
  
 
 When typing openssl version from my account and the root account I get:
 
 OpenSSL 1.0.0a 1 Jun 2010
 
 I've seen this in some apache configs:
 
 --enable-ssl --with-ssl=/usr/local/ssl
 
 I've tried the above with no success. According to the output I get when
 configuring/making/installing apache it is finding openssl at the above
 directory. The problem is though that the http header stays the same.
 
  
 
 The problem is we can't upgrade the default openssl version on the OS
 without apple providing the update. The outdated version is tripping our
 security scans. Like I said we rolled our own updated version but cannot
 get apache/mod_ssl to use it. Any help is appreciated.
 
 Thanks,
 
  
 
 Gunner Geller
 
 

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org
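
The check behind this thread, as an added example that is not part of the original messages: the `openssl` binary on PATH and the library httpd reports are independent, so compare the two and list which libssl/libcrypto paths the binary resolves. The banner and version strings are the ones quoted in the thread; the `otool -L` sample, the httpd path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input. Banner and version strings are quoted from the
# thread; the otool output and the httpd path are illustrative assumptions.
SAMPLE_BANNER='Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l'
SAMPLE_CLI='OpenSSL 1.0.0a 1 Jun 2010'
SAMPLE_OTOOL='/usr/local/apache2/bin/httpd:
    /usr/lib/libssl.0.9.7.dylib (compatibility version 0.9.7, current version 0.9.7)
    /usr/lib/libcrypto.0.9.7.dylib (compatibility version 0.9.7, current version 0.9.7)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 111.1.5)'

# OpenSSL token of a Server banner: "... OpenSSL/0.9.7l" -> 0.9.7l
banner_openssl_version() {
    printf '%s\n' "$1" | sed -n 's|.*OpenSSL/\([0-9][0-9A-Za-z.]*\).*|\1|p'
}

# Version field of `openssl version` output: "OpenSSL 1.0.0a 1 Jun 2010" -> 1.0.0a
cli_openssl_version() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }'
}

# Returns 0 when banner and CLI agree, 1 on mismatch, 2 when the banner
# carries no OpenSSL token (for example when ServerTokens hides it).
compare_versions() {
    b=$(banner_openssl_version "$1")
    c=$(cli_openssl_version "$2")
    [ -n "$b" ] || { echo "no OpenSSL token in banner"; return 2; }
    if [ "$b" = "$c" ]; then echo "match $b"; return 0; fi
    echo "mismatch httpd=$b cli=$c"
    return 1
}

# Reads `otool -L` (macOS) or `ldd` (Linux) output on stdin and prints every
# libssl/libcrypto path that does NOT live under the prefix given as $1.
ssl_libs_outside_prefix() {
    awk -v prefix="${1%/}" '
        /:$/ { next }                     # "file:" header line printed by otool
        /libssl|libcrypto/ {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 1) == "/") {
                    if (index($i, prefix "/") != 1) print $i
                    break
                }
        }'
}

demo() {
    compare_versions "$SAMPLE_BANNER" "$SAMPLE_CLI" || true
    printf '%s\n' "$SAMPLE_OTOOL" | ssl_libs_outside_prefix /usr/local/ssl
}
demo

# On a live host, feed real output instead (paths are assumptions; for a
# shared-object build inspect mod_ssl.so rather than the httpd binary):
#   compare_versions "$(curl -sI http://localhost/ | grep -i '^Server:')" "$(openssl version)"
#   otool -L /usr/local/apache2/bin/httpd | ssl_libs_outside_prefix /usr/local/ssl
#   ldd /usr/local/apache2/bin/httpd | ssl_libs_outside_prefix /usr/local/ssl
```
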




Re: Specifying the openssl version used with mod_ssl

2010-09-13 Thread Gregg L. Smith

Hello Gunner,

Have you tried
--enable-ssl --with-ssl=/path/to/just/compiled/openssl ?

Regards,

Gregg

Gunner Geller wrote:

 Hello,

We are using mac Leopard OS. We have rolled our own Apache(2.2.16)
separate from the default install. We have also rolled our own OpenSSL to
the latest version. However when we compile Apache and enable mod_ssl it
still uses the old OpenSSL version. We can see it in our http headers:

 


Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l

 


When typing openssl version from my account and the root account I get:

OpenSSL 1.0.0a 1 Jun 2010

I've seen this in some apache configs:

--enable-ssl --with-ssl=/usr/local/ssl

I've tried the above with no success. According to the output I get when
configuring/making/installing apache it is finding openssl at the above
directory. The problem is though that the http header stays the same.

 


The problem is we can't upgrade the default openssl version on the OS
without apple providing the update. The outdated version is tripping our
security scans. Like I said we rolled our own updated version but cannot
get apache/mod_ssl to use it. Any help is appreciated.

Thanks,

 


Gunner Geller






mod_ssl errors

2009-03-03 Thread Andres Morey

Hi All,

I switched my LogLevel to info and noticed this error in the logs:

[client ::1] (70007)The timeout specified has expired: SSL input filter read failed.


Furthermore, when I do a graceful restart, I get this error:

[client ::1] SSL library error 1 in handshake (server localhost:443)
SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
[client ::1] Connection closed to child 9 with abortive shutdown (server localhost:443)


I am using mod_ssl/2.2.11 compiled against Server: Apache/2.2.11,  
Library: OpenSSL/0.9.8h on OS X but I have also seen the problem on  
Linux as well. The setup I have is dead simple - I am setting up a  
virtual host on port 80 and on port 443, both serving static files  
from apache/htdocs. Does anybody have any ideas what could be causing  
these ssl errors?


Thanks,
Andres


Using multiple certs with mod_ssl behind load balancer

2008-11-26 Thread Holt, Joe
 

 I've been asked to implement a somewhat strange setup. We are going to handle 
ssl decryption on the load balancer then forward the connections to either an 
IIS or Apache server. I'm tasked with configuring the Apache servers. I need to 
be able to use multiple certs but I'm not sure how. I've made test runs using 
SSLCertificateChainFile and SSLCACertificatePath but I couldn't get either to 
work.
What are the correct steps I need to follow?


Joe Holt | Product Development, Intuit Small Business Web | 650-549-3454

 




mod_ssl Environment Variable?

2008-10-27 Thread Wilhelm . Greiner
Hello,

I would like to do the following (Apache 2.2 config):

<Directory /var/www/desert/storage/jctmirrorserver/dav/Service42>
 AuthUserFile /dev/null
 #SSLOptions +ExportCertData +FakeBasicAuth
 SSLOptions +FakeBasicAuth
 #SSLRequire (%{SSL_CLIENT_S_DN_O} in {ClientO1, ClientO2})
 AuthLDAPURL ldap://192.168.1.3:389/dc=testnet,dc=de?uid;
 AuthType Basic
 AuthName "Internal Server Content"
 #AuthBasicAuthoritative Off
 AuthBasicProvider ldap
 Require ldap-user %{SSL_CLIENT_S_DN_OU}
</Directory>

I want to use client certificates; after the connect, I will check one of
the fields in the certificate (its existence) in an LDAP server.


But the Apache variable %{SSL_CLIENT_S_DN_OU} does not simply contain the
OU string (testorg); there is a very long string, like this:

uid=/c=de/st=niedersachsen/o=ClientO1/ou=testorg/cn=maschinen/
[EMAIL PROTECTED]

With this string Apache now asks the LDAP server, and that all seems
correct, but in the uid field in my LDAP the entry is named
testorg.

Is this an error, that the variable %{SSL_CLIENT_S_DN_OU} contains
ALL client cert data and not the one requested (OU)?

Or is it like a Perl hash and my syntax is simply wrong?

Wilhelm

Fips compliant mod_ssl module availability

2008-07-19 Thread Sean Coleman
I need to implement a FIPS 140 compliant version of mod_ssl. Is there a
patch file or a distribution of mod_ssl currently available for download
which can be used in conjunction with the fips compliant libopenssl?

I found a link to a patch file for modssl in a message sent earlier in
2008 but the link doesn't work. The link was found in this thread:
http://www.mail-archive.com/[EMAIL PROTECTED]/msg52290.html
The actual link posted was
http://mail-archives.apache.org/mod_mbox/httpd-bugs/200711.mbox/[EMAIL PROTECTED]/bugzilla/%3e

Has this patch been obsoleted?

I also found an entire distribution tree for a FIPS compliant httpd
server at http://svn.apache.org/repos/asf/httpd/sandbox/gaithersburg.
What is the status of this code? Is this code available somewhere for
download to be used to provide a FIPS compliant mod_ssl module?


Thank you,

Sean Coleman




Need to add/enable/install mod_ssl

2008-06-18 Thread Tan, Liao
Hi, experts:

 Here are the environment configuration:
 Web server: Apache/2.0.46 (Unix) mod_jk/1.2.4
 Server: -HP-UX  
 Tomcat: 4.0

I have an apache already installed (by another team, which doesn't know if
there's the module mod_ssl). The final purpose is to secure my current http to
https. I already have all certificates, with the directives in the conf files,
and still the https url doesn't work yet.
I searched over all logs I could find, and didn't find any string mod_ssl :(.
So I guess I need to do something to enable, install it.

Saw in a link that I need to download the source in modssl.org, and other
installation procedures as well. But my case is that I already have
Apache installed, and need only to add/enable/install the mod_ssl module. Ok,
now another question to be pointed out:
Make sure any module for your Apache server is compiled with the
compiler-flag -DEAPI, or your Webserver might crash or can not be
started.
Almost all modules I know adds the -DEAPI flag by themself except mod_jserv
and mod_jk

But my apache installed is mod_jk (my configuration  Apache/2.0.46 (Unix)
mod_jk/1.2.4). Should I suppose from this that in my case I don't have the
DEAPI??? Not sure on what to do now. How will I check if it has DEAPI?

I keep doing searches over the net, but in case any of you has some hint and
can speed things up a little bit on my side, it'll be helpful.

I'm kind of disorientated with all this thing of https. This is the 1st time I
get into it. So, I ask for your detailed support.

Thank you!
Ingrid 



RE: Need to add/enable/install mod_ssl

2008-06-18 Thread Tan, Liao
All,

 I'm told that having the directives in httpd.conf

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

means that my apache is configured with mod_ssl (thanks to the guy that told me
so!)

Now the question that has come up is: how do I get my https working? As I
mentioned below, I already have all certificates and their directives configured.

Thanks for your attention.

Ingrid 



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tan, Liao [CMB-IT]
Sent: Wednesday, June 18, 2008 12:30 PM
To: modssl-users@modssl.org
Subject: Need to add/enable/install mod_ssl


Hi, experts:

 Here are the environment configuration:
 Web server: Apache/2.0.46 (Unix) mod_jk/1.2.4
 Server: -HP-UX  
 Tomcat: 4.0

I have an apache already installed (by another team, which doesn't know if
there's the module mod_ssl). The final purpose is to secure my current http to
https. I already have all certificates, with the directives in the conf files,
and still the https url doesn't work yet.
I searched over all logs I could find, and didn't find any string mod_ssl :(.
So I guess I need to do something to enable, install it.

Saw in a link that I need to download the source in modssl.org, and other
installation procedures as well. But my case is that I already have
Apache installed, and need only to add/enable/install the mod_ssl module. Ok,
now another question to be pointed out:
Make sure any module for your Apache server is compiled with the
compiler-flag -DEAPI, or your Webserver might crash or can not be
started.
Almost all modules I know adds the -DEAPI flag by themself except mod_jserv
and mod_jk

But my apache installed is mod_jk (my configuration  Apache/2.0.46 (Unix)
mod_jk/1.2.4). Should I suppose from this that in my case I don't have the
DEAPI??? Not sure on what to do now. How will I check if it has DEAPI?

I keep doing searches over the net, but in case any of you has some hint and
can speed things up a little bit on my side, it'll be helpful.

I'm kind of disorientated with all this thing of https. This is the 1st time I
get into it. So, I ask for your detailed support.

Thank you!
Ingrid 



RE: Need to add/enable/install mod_ssl

2008-06-18 Thread Tan, Liao
Dave and All:

Ok, now I know I can try the directives in my apache.
Although the SSLRandomSeed directives indicate I have mod_ssl
installed, I checked and the files mod_ssl.so and mod_ssl.c are not in the
paths indicated, not in libexec/, nor in module/.
How do I get those files?

Thank you.
Ingrid 



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David P. Mott
Sent: Wednesday, June 18, 2008 5:22 PM
To: modssl-users@modssl.org
Subject: RE: Need to add/enable/install mod_ssl



I pulled that exact line from my win32 version of Apache 2.2.4.

Server Version: Apache/2.2.4 (Win32) mod_ssl/2.2.4 OpenSSL/0.9.8d 
mod_perl/2.0.3 Perl/v5.8.8
Server Built: Jan 9 2007 23:17:20

-Dave


On Wed, 18 Jun 2008, Tan, Liao wrote:

 David,

 that was what I thought earlier. But since I'm told this directive is
 for Apache 1.x, and not Apache 2.0 (which is mine), I wonder how the
 directive to include in httpd.conf differs. What I mean is that I think I
 have the mod_ssl installed, but not enabled yet, and to enable it, whether
 it's simply adding the directives in the httpd file, and the exact syntax
 for version 2.0.

 Still searching for the solution.

 Thanks

 Ingrid


RE: Need to add/enable/install mod_ssl

2008-06-18 Thread Tan, Liao
Another piece of information: what I see in libexec/ is just mod_jk.sl, and
under modules/, just the file httpd.exp.

Ingrid 



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tan, Liao [CMB-IT]
Sent: Wednesday, June 18, 2008 5:34 PM
To: modssl-users@modssl.org
Subject: RE: Need to add/enable/install mod_ssl


Dave and All:

Ok, now I know I can try the directives in my apache.
Although the SSLRandomSeed directives indicate I have mod_ssl
installed, I checked and the files mod_ssl.so and mod_ssl.c are not in the
paths indicated, not in libexec/, nor in module/.
How do I get those files?

Thank you.
Ingrid 



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David P. Mott
Sent: Wednesday, June 18, 2008 5:22 PM
To: modssl-users@modssl.org
Subject: RE: Need to add/enable/install mod_ssl



I pulled that exact line from my win32 version of Apache 2.2.4.

Server Version: Apache/2.2.4 (Win32) mod_ssl/2.2.4 OpenSSL/0.9.8d 
mod_perl/2.0.3 Perl/v5.8.8
Server Built: Jan 9 2007 23:17:20

-Dave


On Wed, 18 Jun 2008, Tan, Liao wrote:

 David,

 that was what I thought earlier. But since I'm told this directive is
 for Apache 1.x, and not Apache 2.0 (which is mine), I wonder how the
 directive to include in httpd.conf differs. What I mean is that I think I
 have the mod_ssl installed, but not enabled yet, and to enable it, whether
 it's simply adding the directives in the httpd file, and the exact syntax
 for version 2.0.

 Still searching for the solution.

 Thanks

 Ingrid


Can MOD_SSL be configured to only use ONLY FIPS 140-2 compliant openssl ???

2008-04-23 Thread Ed Tred
Hello,

Can MOD_SSL be configured to only use the FIPS 140-2 compliant openssl ???

Ed





  


mod_ssl 2.2.3

2008-04-01 Thread Sir June
I have a Solaris box with Apache 2.2.3 and mod_ssl 2.2.3. Our security
consultant ran vulnerability software and the report recommended upgrading
to mod_ssl 2.8.24 or higher. Is this possible, as I only see
releases for Apache 1.3.x? What are your recommendations?

thanks,
Sir june




  


Re: mod_ssl 2.2.3

2008-04-01 Thread R. DuFresne




modssl is built into the 2.x.x apache versions.  your consultant must be 
asking you to upgrade full apache versions.



the 1.3.x apache tree still has a separate modssl base to add and build 
off of.  This should not be a concern for you since you are running the 
newer apache tree.


Thanks,


Ron DuFresne

On Tue, 1 Apr 2008, Sir June wrote:


I have a Solaris box with Apache 2.2.3 and mod_ssl 2.2.3. Our security
consultant ran vulnerability software and the report recommended upgrading
to mod_ssl 2.8.24 or higher. Is this possible, as I only see
releases for Apache 1.3.x? What are your recommendations?

thanks,
Sir june




 



- -- 
~~

admin & senior security consultant:  sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins Still Life With Woodpecker


Query about mod_ssl bundled with apache 2.2.8 sources

2008-02-21 Thread nitin dubey
I have downloaded the sources of latest apache 2.2.8 that includes mod_ssl as 
well.  My concern is about the two vulnerabilities 
(http://www.securityfocus.com/bid/10736/info, 
http://www.securityfocus.com/bid/4189/info).  I do not have any information 
whether or not these two vulnerabilities still exist or have been fixed in the 
mod_ssl provided with apache sources 2.2.8.

After googling I could find out that these are solved in mod_ssl 2.8.19.  When 
I go to modssl.org to download the latest version there is no download for 
mod_ssl latest for apache 2.x versions?

Both of these look very old and looks like they might have been fixed.  But I 
did not find it anywhere written.







Re: mod_ssl-2.8.30-1.3.39 w/ mm-1.4.2 on mac os 10.4 issues

2007-12-20 Thread furyx001
I've found a solution to this problem.  You have to use the version of 
OpenSSL installed on your machine.  In my case, it's 0.9.7l (the latest 
version Apple is supporting).  When I tried configuring mod_ssl with 
SSL_BASE=SYSTEM, it failed saying it couldn't find the OpenSSL libraries. 
So I grabbed the latest version of OpenSSL (0.9.8g) and compiled against 
that.

After a lot of digging, I came across this old post (2002) by David 
Wheeler: http://www.mail-archive.com/modssl-users@modssl.org/msg15623.html

This fixed my problem after manually applying the patch.  Is there any 
reason this wasn't applied to mod_ssl 5 years ago or addressed at all?

Thanks!

Bob



[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
12/19/2007 09:45 AM
Please respond to: modssl-users@modssl.org
To: modssl-users@modssl.org
cc:
Subject: mod_ssl-2.8.30-1.3.39 w/ mm-1.4.2 on mac os 10.4 issues

Hi, 

I am trying to run Apache 1.3.39 with mod_ssl 2.8.30, openssl 0.9.8g and 
mm 1.4.2.  I am able to successfully compile it, but when I start Apache 
in SSL mode, it exits immediately.  Looking in the error log, I see the 
following message: 

dyld: lazy symbol binding failed: Symbol not found: 
_SSL_CTX_sess_set_new_cb 
 Referenced from: /usr/local/apache-1.3.39/libexec/libssl.so 
 Expected in: flat namespace 

Can anyone help me in resolving why this is happening? 

Thanks, 
Bob


mod_ssl-2.8.30-1.3.39 w/ mm-1.4.2 on mac os 10.4 issues

2007-12-19 Thread furyx001
Hi,

I am trying to run Apache 1.3.39 with mod_ssl 2.8.30, openssl 0.9.8g and 
mm 1.4.2.  I am able to successfully compile it, but when I start Apache 
in SSL mode, it exits immediately.  Looking in the error log, I see the 
following message:

dyld: lazy symbol binding failed: Symbol not found: 
_SSL_CTX_sess_set_new_cb 
  Referenced from: /usr/local/apache-1.3.39/libexec/libssl.so 
  Expected in: flat namespace 

Can anyone help me in resolving why this is happening?

Thanks,
Bob

Apache 2.2.6 mod_ssl won't serve subdirectories

2007-12-19 Thread Orville Weyrich - KD7HJV
This is my first experience with SSL.  I have done the
Google thing and searched Apache FAQ etc but found
nothing regarding my problem.

In a nutshell, I have the following file structure:

/var/ssl/www/index.html
/var/ssl/www/budget/index.html

Everything in both paths is owned by root and either
755 or 644 as appropriate for directories and files.

I have the server working for /var/ssl/www/index.html
but I get a HTTP Error 403 - Forbidden error trying
to view /var/ssl/www/budget/index.html

The logs are uninformative as to WHY access to
/var/ssl/www/budget/index.html is being forbidden.

My impression was that subdirectories should inherit
the access rights of their parent if I do nothing to
override that behavior.

I have an http server configured similarly running in
the same instance of Apache 2.2.6 (on port 2080 so as
to not conflict with my production web site running on
port 80).  It works as expected, including access to
subdirectories.

The URLs are
https://daniel.ameriroots.com
and
http://daniel.ameriroots.com:2080

I have reduced the httpd.conf file to the following
essentials (this is what is presently running on the
above URLs):


#
# Main Server Configuration
#
ServerRoot /usr/daniel/apache2
ServerName danniel.ameriroots.com
ServerAdmin [EMAIL PROTECTED]

Listen 64.249.12.251:2080
Listen 64.249.12.251:443

User www
Group www

<Directory />
Options FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
</Directory>

DirectoryIndex index.html

<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

ErrorLog /var/log/apache_error_log2
LogLevel info
CustomLog /var/log/apache_access_log2 combined

#
# HTTP SERVER ON PORT 2080
#
<VirtualHost _default_:2080>
ErrorLog /var/log/http_error_log2
LogLevel info
CustomLog /var/log/http_access_log2 combined

DocumentRoot /var/www

<Directory /var/www>
Allow from all
</Directory>
</VirtualHost>

#
#  HTTPS SERVER ON PORT 443
#
SSLCertificateFile    /var/ssl/conf/daniel.crt
SSLCertificateKeyFile /var/ssl/conf/daniel.key

<VirtualHost _default_:443>
SSLEngine On

CustomLog /var/log/https_access_log2 combined
ErrorLog /var/log/https_error_log2
LogLevel info

BrowserMatch ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0

DocumentRoot /var/ssl/www

<Directory /var/ssl/www>
Allow from all
</Directory>
</VirtualHost>

The log files are unenlightening, even at debug level
where I get lots of detail on SSL calculations, but a
simple access denied message on the file itself.

What am I missing here?


  



SOLVED: Apache 2.2.6 mod_ssl won't serve subdirectories

2007-12-19 Thread Orville Weyrich - KD7HJV
Problem found and fixed - after getting some sleep I
checked for about the 5th time and found the problem -
the directory budget had permission 644 instead of
755.  Stupid me :-(

--- Orville Weyrich - KD7HJV [EMAIL PROTECTED]
wrote:

 In a nutshell, I have the following file structure:
 
 /var/ssl/www/index.html
 /var/ssl/www/budget/index.html
 
 Everything in both paths is owned by root and either
 755 or 644 as appropriate for directories and files.
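
The cause reported above (a directory left at mode 644, so it has no search bit) can be found mechanically by walking every path component under the DocumentRoot. This is an added example, not part of the original posts; it assumes the server user is neither the owner nor in the group of the files (as with `User www` and root-owned content), and the function names and the temporary tree are constructed.

```shell
#!/bin/sh
# Check one path against the "other" permission bits: directories need the
# search (x) bit, regular files need the read (r) bit.
check_one() {
    mode=$(ls -ldL -- "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || { echo "unreadable or missing: $1"; return 2; }
    o_r=$(printf '%s' "$mode" | cut -c8)
    o_x=$(printf '%s' "$mode" | cut -c10)
    case $mode in
        d*) case $o_x in x|t) return 0 ;; esac
            echo "no search (x) bit for others: $mode $1"; return 1 ;;
        *)  [ "$o_r" = r ] && return 0
            echo "no read (r) bit for others: $mode $1"; return 1 ;;
    esac
}

# Walk from the DocumentRoot ($1) down to the requested file ($2, relative).
# Stops at the first problem: nothing below an unsearchable directory can be
# reached by the server, which is what produces the 403.
check_served_path() {
    cur=${1%/}; rest=$2
    check_one "$cur" || return 1
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$part" ] || continue
        cur=$cur/$part
        check_one "$cur" || return 1
    done
    return 0
}

# Constructed tree mirroring the layout in the thread, with the same mistake:
# www/ is 755, the files are 644, but budget/ is 644 instead of 755.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/www/budget"
    : > "$root/www/index.html"
    : > "$root/www/budget/index.html"
    chmod 755 "$root/www"
    chmod 644 "$root/www/index.html" "$root/www/budget/index.html"
    chmod 644 "$root/www/budget"
    printf '%s\n' "$root"
}

demo() {
    tree=$(make_sample_tree) || return 1
    check_served_path "$tree/www" index.html && echo "ok: index.html"
    check_served_path "$tree/www" budget/index.html || true   # flags budget/
    chmod 755 "$tree/www/budget"                              # the fix
    check_served_path "$tree/www" budget/index.html && echo "ok after chmod 755"
    rm -rf "$tree"
}
demo
```
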



  



RE: mod_ssl not for apache 2.2.4 (unix)?

2007-12-14 Thread Fought, Richard
As of Apache 2.x mod_ssl is included in the distribution.  All you
should have to do is enable the module in the configuration file.
 
Rich


mod_ssl not for apache 2.2.4 (unix)?

2007-12-14 Thread Chris Jordan
Hi folks,

I'm a complete newbie to compiling apache, and I'm trying to install my
first SSL certificate. All instructions I can find so far all assume that I
have mod_ssl installed already.

I'm willing to install it, but all of the references I can find to the
latest and greatest version of mod_ssl say that it's for apache 1.3.39, but
I'm running apache 2.2.4 on a Fedora Core 6 (2.6.20-1.292.fc6)

I don't want to proceed with recompiling the web server unless I know that
I'm doing the right thing.

Can any one either a) just help me... or b) point me to a good article or
set of articles on how to do this?

I should mention that we host many, many virtual domains off this one
server.

Thanks heaps,
Chris

-- 
http://cjordan.us


Re: mod_ssl not for apache 2.2.4 (unix)?

2007-12-14 Thread Joe Orton
On Fri, Dec 14, 2007 at 02:10:17PM -0600, Chris Jordan wrote:
 Hi folks,
 
 I'm a complete newbie to compiling apache, and I'm trying to install my
 first SSL certificate. All instructions I can find so far all assume that I
 have mod_ssl installed already.
 
 I'm willing to install it, but all of the references I can find to the
 latest and greatest version of mod_ssl say that it's for apache 1.3.39, but
 I'm running apache 2.2.4 on a Fedora Core 6 (2.6.20-1.292.fc6)

mod_ssl is part of httpd 2.x, and is included with Fedora.  Run

  yum install mod_ssl

joe


Re: mod_ssl not for apache 2.2.4 (unix)?

2007-12-14 Thread Chris Jordan
Richard & Joe, Thanks so much!

Joe, thanks for the command. :o)

I'll see if I can manage it from here. I appreciate you answering such a
basic question for me. Really. Thanks. :o)

Cheers!
Chris

On Dec 14, 2007 2:27 PM, Joe Orton [EMAIL PROTECTED] wrote:

 On Fri, Dec 14, 2007 at 02:10:17PM -0600, Chris Jordan wrote:
  Hi folks,
 
  I'm a complete newbie to compiling apache, and I'm trying to install my
  first SSL certificate. All instructions I can find so far all assume that I
  have mod_ssl installed already.
 
  I'm willing to install it, but all of the references I can find to the
  latest and greatest version of mod_ssl say that it's for apache 1.3.39, but
  I'm running apache 2.2.4 on a Fedora Core 6 (2.6.20-1.292.fc6)

 mod_ssl is part of httpd 2.x, and is included with Fedora.  Run

  yum install mod_ssl

 joe




-- 
http://cjordan.us


Compiling Apache with mod_ssl on Mac OS 10.5

2007-12-09 Thread Jacob Weber
Hello. I'm having trouble compiling Apache with mod_ssl, on a MacBook
Pro running Mac OS 10.5.1. I'm trying to build the following programs
(rather than using the ones that come with the OS):

openssl-0.9.8g
mm-1.4.1
mod_ssl-2.8.30-1.3.39
apache_1.3.39

Everything works until I try to make Apache. I get the message "ld:
warning in ./libhttpd.so, file is not of required architecture", and
then it exits due to some undefined symbols. If I look at "file
src/libhttpd.so", it gives me "Mach-O bundle i386", which looks correct.
Anyone know why this would happen? More details are below.


If I don't pass "--enable-module=ssl --enable-rule=SHARED_CORE" when
configuring Apache, I don't get this error, so I assume it's somewhat
related to mod_ssl.


Jacob


The end of the make output looks like this:

=== src/modules
gcc -c -I./../../mm-1.4.1 -I./os/unix -I./include   -DDARWIN -DMOD_SSL=208130 -DUSE_HSREGEX -DEAPI -DEAPI_MM  -DSHARED_CORE `./apaci` modules.c
gcc -c -I./../../mm-1.4.1 -I./os/unix -I./include   -DDARWIN -DMOD_SSL=208130 -DUSE_HSREGEX -DEAPI -DEAPI_MM  -DSHARED_CORE `./apaci` buildmark.c
cc  -bundle -undefined suppress -flat_namespace  -o libhttpd.so buildmark.o modules.o modules/ssl/libssl.a modules/standard/libstandard.a main/libmain.a ./os/unix/libos.a ap/libap.a regex/libregex.a
gcc -I./../../mm-1.4.1 -I./os/unix -I./include   -DDARWIN -DMOD_SSL=208130 -DUSE_HSREGEX -DEAPI -DEAPI_MM  -DSHARED_CORE `./apaci` -L$BUILD_DIR/openssl-0.9.8g -L./../../mm-1.4.1/.libs   \
  -o libhttpd.ep -DSHARED_CORE_TIESTATIC main/http_main.c \
  -L. -lhttpd  -ldbm -lssl -lcrypto -lmm -lexpat
ld: warning in ./libhttpd.so, file is not of required architecture
Undefined symbols:
 _ap_validate_password, referenced from:
 _suck_in_ap_validate_password in ccRuUDHX.o
 _ap_main, referenced from:
 _main in ccRuUDHX.o
ld: symbol(s) not found
collect2: ld returned 1 exit status
make[2]: *** [libhttpd.ep] Error 1
make[1]: *** [build-std] Error 2
make: *** [build] Error 2

I'm running the following commands (with $TAR_DIR, $BUILD_DIR, and  
$INSTALL_DIR defined):


cd $BUILD_DIR
tar xzvf $TAR_DIR/openssl-0.9.8g.tar.gz
cd $BUILD_DIR/openssl-0.9.8g
./config --prefix=$INSTALL_DIR --openssldir=$INSTALL_DIR/openssl
make

cd $BUILD_DIR
tar xzvf $TAR_DIR/mm-1.4.1.tar.gz
cd $BUILD_DIR/mm-1.4.1
./configure --disable-shared
make

cd $BUILD_DIR
tar xzvf $TAR_DIR/apache_1.3.39.tar.gz
tar xzvf $TAR_DIR/mod_ssl-2.8.30-1.3.39.tar.gz
cd $BUILD_DIR/mod_ssl-2.8.30-1.3.39
./configure --with-apache=../apache_1.3.39 --with-ssl=../openssl-0.9.8g --prefix=$INSTALL_DIR


cd $BUILD_DIR/apache_1.3.39
export SSL_BASE=../openssl-0.9.8g
export EAPI_MM=../mm-1.4.1
./configure --enable-module=ssl --enable-module=headers \
  --enable-module=expires --enable-module=so --enable-module=rewrite \
  --enable-rule=SHARED_CORE --prefix=$INSTALL_DIR

make # the error happens here

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


How to build apache/mod_ssl/mod_perl together?

2007-10-17 Thread bfb21
I can't seem to build an SSL enabled httpd binary from the sources and 
instructions listed below.  I'm basically following the instructions from the 
mod_perl instructions for SSL in the file INSTALL.simple.mod_ssl.  But this 
does not result in an SSL/mod_perl enabled httpd binary.  Can someone tell me 
what I'm doing wrong below?

-Thanks



tar zxvf apache_1.3.33.tar.gz
tar zxvf mod_ssl-2.8.24-1.3.33.tar.gz
tar zxvf openssl-0.9.6b.tar.gz
tar zxvf mod_perl-1.0-current.tar.gz


cd openssl-0.9.8b
./config
make

cd ..
cd mod_ssl-2.8.24-1.3.33

./configure \
--with-apache=../apache_1.3.33 \
--with-ssl=../openssl-0.9.8b \
--enable-module=ssl \
--enable-module=so \
--prefix=/usr/local/apache-1.3.33 

cd..
cd mod_perl-1.29

perl Makefile.PL \
 EVERYTHING=1 \
 APACHE_SRC=../apache_1.3.33/src \
 APACHE_PREFIX=/usr/local/apache-1.3.33 \
 SSL_BASE=../openssl-0.9.8b \
 USE_APACI=1 \
 PREP_HTTPD=1 \
 DO_HTTPD=1 \
 APACI_ARGS=--enable-module=ssl,--enable-module=so,--enable-module=rewrite

make 


Re: [ANNOUNCE] mod_ssl 2.8.29 for Apache 1.3.39

2007-09-11 Thread Ralf S. Engelschall
On Mon, Sep 10, 2007, Ralf S. Engelschall wrote:

 Apache 1.3.39 was released recently.
 An updated mod_ssl 2.8.29 for Apache 1.3.39 is now available, too.
 Find it on: http://www.modssl.org/

Unfortunately, there was a bug in the auto-generated patch caused by a
changed amount of patch hunks in the mod_status.c patch set. This is now
fixed with mod_ssl 2.8.30. Please use this updated version. Sorry for
the inconvenience.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
Official Announcement Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


mod_ssl for apache 1.3.39

2007-09-10 Thread Pascal Nobus
Does anyone know that a new version of mod_ssl is under construction for
use with apache 1.3.39?
I tried to compile Apache-1.3.39 with mod_ssl for 1.3.37 but that kills
apache...

best regards,
Pascal


Re: mod_ssl for apache 1.3.39

2007-09-10 Thread Jim Jagielski
Some of the patches in eapi.patch do not apply cleanly and are
rejected. This means that, unless you hand apply them, the
patch isn't complete and you core dump when mod_ssl is trying
to hook.

Pascal Nobus wrote:
 
 Does anyone know that a new version of mod_ssl is under construction for
 use with apache 1.3.39?
 I tried to compile Apache-1.3.39 with mod_ssl for 1.3.37 but that kills
 apache...
 
 best regards,
 Pascal
 


-- 
===
   Jim Jagielski   [|]   [EMAIL PROTECTED]   [|]   http://www.jaguNET.com/
If you can dodge a wrench, you can dodge a ball.


Re: mod_ssl for apache 1.3.39

2007-09-10 Thread Douglas K. Fischer
I patched the EAPI patch to apply cleanly to 1.3.39. This should work
until a version is rolled for 1.3.39.

Cheers,

Doug
diff -PurN mod_ssl-2.8.28-1.3.37/pkg.eapi/eapi.patch 
mod_ssl-2.8.28-1.3.39/pkg.eapi/eapi.patch
--- mod_ssl-2.8.28-1.3.37/pkg.eapi/eapi.patch   2007-09-10 13:31:38.0 
-0400
+++ mod_ssl-2.8.28-1.3.39/pkg.eapi/eapi.patch   2007-09-10 13:36:27.0 
-0400
@@ -1132,7 +1132,7 @@
  
  /*
   * The max child slot ever assigned, preserved across restarts.  Necessary
-@@ -436,6 +439,30 @@
+@@ -471,6 +474,30 @@
  }
  }
  
@@ -1163,7 +1163,7 @@
  #ifndef NETWARE
  static APACHE_TLS int volatile exit_after_unblock = 0;
  #endif
-@@ -1551,6 +1578,9 @@
+@@ -1588,6 +1615,9 @@
}
  
ap_bsetflag(save_req-connection-client, B_EOUT, 1);
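Review bot: the only change in this hunk is the embedded hunk header, from `@@ -1551,6 +1578,9 @@` to `@@ -1588,6 +1615,9 @@`, which is a pure line-number shift. patch normally locates a hunk by its context and reports an offset rather than a reject, so shifts like this one do not by themselves account for the rejects reported against 1.3.39. The message should name the embedded hunks that actually failed so those can be reviewed first.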
@@ -1173,7 +1173,7 @@
ap_bclose(save_req-connection-client);

if (!ap_standalone)
-@@ -1559,6 +1589,9 @@
+@@ -1596,6 +1626,9 @@
  }
  else {/* abort the connection */
ap_bsetflag(current_conn-client, B_EOUT, 1);
@@ -1183,7 +1183,7 @@
ap_bclose(current_conn-client);
current_conn-aborted = 1;
  }
-@@ -1880,10 +1913,16 @@
+@@ -1915,10 +1948,16 @@
  /* Send any leftover data to the client, but never try to again */
  
  if (ap_bflush(r-connection-client) == -1) {
@@ -1200,7 +1200,7 @@
  ap_bsetflag(r-connection-client, B_EOUT, 1);
  
  /* Close our half of the connection --- send the client a FIN */
-@@ -2582,6 +2621,9 @@
+@@ -2617,6 +2656,9 @@
  /* Clear the pool - including any registered cleanups */
  ap_destroy_pool(pglobal);
  #endif
@@ -1210,7 +1210,7 @@
  exit(code);
  }
  
-@@ -3655,6 +3697,24 @@
+@@ -3711,6 +3753,24 @@
  conn-remote_addr = *remaddr;
  conn-remote_ip = ap_pstrdup(conn-pool,
  inet_ntoa(conn-remote_addr.sin_addr));
@@ -1235,7 +1235,7 @@
  
  return conn;
  }
-@@ -4165,6 +4225,15 @@
+@@ -4221,6 +4281,15 @@
  printf(Server's Module Magic Number: %u:%u\n,
   MODULE_MAGIC_NUMBER_MAJOR, MODULE_MAGIC_NUMBER_MINOR);
  printf(Server compiled with\n);
@@ -1251,10 +1251,10 @@
  #ifdef TPF
  show_os_specific_compile_settings();
  #endif
-@@ -4339,6 +4408,22 @@
- ap_server_pre_read_config  = ap_make_array(pcommands, 1, sizeof(char *));
+@@ -4396,6 +4465,22 @@
  ap_server_post_read_config = ap_make_array(pcommands, 1, sizeof(char *));
  ap_server_config_defines   = ap_make_array(pcommands, 1, sizeof(char *));
+ pid_table  = ap_make_table(pglobal, HARD_SERVER_LIMIT);
 +
 +#ifdef EAPI
 +ap_hook_init();
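Review bot: unlike the offset-only hunks around it, this hunk rewrites the embedded context: the `ap_server_pre_read_config` line is dropped from the top and `pid_table  = ap_make_table(pglobal, HARD_SERVER_LIMIT);` becomes the last context line before the added `#ifdef EAPI` / `ap_hook_init();` block. Please confirm that this context was regenerated from the 1.3.39 http_main.c rather than edited by hand, and say in the message that the EAPI init block now follows the pid_table allocation.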
@@ -1274,7 +1274,7 @@
  }
  
  #ifndef MULTITHREAD
-@@ -4835,6 +4920,9 @@
+@@ -4892,6 +4977,9 @@
  
ap_sync_scoreboard_image();
if (ap_scoreboard_image-global.running_generation != 
ap_my_generation) {
@@ -1284,7 +1284,7 @@
ap_bclose(conn_io);
clean_child_exit(0);
}
-@@ -4863,6 +4951,9 @@
+@@ -4920,6 +5008,9 @@
 */
  
  #ifdef NO_LINGCLOSE
@@ -1294,7 +1294,7 @@
ap_bclose(conn_io); /* just close it */
  #else
if (r  r-connection
-@@ -4873,6 +4964,9 @@
+@@ -4930,6 +5021,9 @@
lingering_close(r);
}
else {
@@ -1304,7 +1304,7 @@
ap_bsetflag(conn_io, B_EOUT, 1);
ap_bclose(conn_io);
}
-@@ -5656,16 +5750,31 @@
+@@ -5730,16 +5824,31 @@
usage(argv[0]);
}
  }
@@ -1336,7 +1336,7 @@
  }
  
  child_timeouts = !ap_standalone || one_process;
-@@ -5813,6 +5922,10 @@
+@@ -5887,6 +5996,10 @@
ap_destroy_pool(r-pool);
}
  
@@ -1347,7 +1347,7 @@
ap_bclose(cio);
  }
  exit(0);
-@@ -6189,6 +6302,9 @@
+@@ -6263,6 +6376,9 @@
ap_kill_cleanups_for_socket(ptrans, csd);
  
  #ifdef NO_LINGCLOSE
@@ -1357,7 +1357,7 @@
ap_bclose(conn_io); /* just close it */
  #else
if (r  r-connection
-@@ -6199,6 +6315,9 @@
+@@ -6273,6 +6389,9 @@
lingering_close(r);
}
else {
@@ -1367,7 +1367,7 @@
ap_bsetflag(conn_io, B_EOUT, 1);
ap_bclose(conn_io);
}
-@@ -7774,6 +7893,10 @@
+@@ -7848,6 +7967,10 @@
  if (!conf_specified)
  ap_cpystrn(ap_server_confname, SERVER_CONFIG_FILE, 
sizeof(ap_server_confname));
  
@@ -1378,7 +1378,7 @@
  if (!ap_os_is_path_absolute(ap_server_confname))
  ap_cpystrn(ap_server_confname,
 ap_server_root_relative(pcommands, ap_server_confname),
-@@ -7814,6 +7937,9 @@
+@@ -7888,6 +8011,9 @@
  #else /* ndef WIN32 */
  server_conf = ap_read_config(pconf, ptrans, ap_server_confname);
  #endif
@@ -1598,26 +1598,29 @@
 Index: src/modules/standard/mod_status.c
 --- src/modules/standard/mod_status.c  28 Jul 2006 13:55:27 -  1.1.1.17
 +++ src/modules/standard/mod_status.c  28 Jul 2006 13:56:29 -  1.14
-@@ -652,12 +678,23 @@
+@@ -653,6 +653,18 @@
ap_rprintf(r
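Review bot: the embedded mod_status.c header goes from `@@ -652,12 +678,23 @@` to `@@ -653,6 +653,18 @@`, so the line counts change (12/23 to 6/18) and not only the offsets, and the outer header grows this hunk from 26 to 29 lines. The mod_status.c change was therefore re-cut rather than shifted, and the posted text stops at `ap_rprintf(r`, so the new hunk boundaries cannot be checked from what is visible. Please resend the patch as an attachment and note how the mod_status.c hunks were split.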

[ANNOUNCE] mod_ssl 2.8.29 for Apache 1.3.39

2007-09-10 Thread Ralf S. Engelschall
Apache 1.3.39 was released recently.
An updated mod_ssl 2.8.29 for Apache 1.3.39 is now available, too.
Find it on: http://www.modssl.org/

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Apache and mod_ssl

2007-09-04 Thread Aaron Smith
  I have a feeling that I'm missing something
elementary here.  I have an install of apache 2.0.55 with mod_ssl
enabled on a HP-UX system in /opt/apache2.   This one runs fine.  I
recompiled another copy of apache (same version) into /opt/apache2a (for
testing purposes) to add mod_ldap support and that one worked as well.
Then I tried recreating apache2a in apache2 by doing a recompile using a
prefix of apache2 and then doing an install after backing everything up
and moving the old apache install out of the way.  However, this one
DOESN'T work.  If I launch it WITHOUT SSL turned on (i.e., no SSLEngine
on directive), everything works great.  But as soon as I turn on SSL in
a VirtualHost, then strange things happen.  A client will connect to the
test port via SSL, the SSL negotiation appears to work just fine (tested
using openssl s_client), but when you attempt to do a GET, the request
is sent, but a reply never shows up.  Nothing appears in the access_log,
and child processes begin to spawn with each request.  I can pull up the
server-status url and every time I hit refresh, one child process goes to
W and another one is spawned.  Clicking repeatedly will continue this
process until there are a ton of processes, all stuck at Waiting with
0/0/0 under the Acc column.  Do it enough, the server's load average
starts to climb.

I've checked and double checked every permission I can
possibly find.  The User and Group directives are both set to webadmin
which is the same in all configurations. The permissions of the
sub-directories in both directories match between the two.  I have this
feeling that it's simple with the directory permissions and/or structure
but I just can't seem to locate it.  Anyone have any ideas on what else
I might need to look at?

 

Aaron

 

 



Aaron Smith[EMAIL PROTECTED]

System Administrator   (269) 337-7496

Kalamazoo College

 

 



Apache and mod_ssl (extra info)

2007-09-04 Thread Aaron Smith
So I tried something kind of new.  I completely removed the
directory with the non-functioning apache install.  I went back to the
source, did a make clean, a new configure using the same parameters as
before:  

 

./configure --prefix=/opt/apache3 --enable-auth-dbm=shared \
  --enable-expires=shared --enable-headers=shared --enable-rewrite=shared \
  --enable-mime-magic=shared --enable-info=shared --enable-status=shared \
  --enable-userdir=shared --enable-http --enable-so --enable-ssl=static \
  --with-ssl=/opt/openssl098d --with-perl=/opt/perl58 --with-ndbm \
  --enable-ldap=shared --enable-auth_ldap=shared \
  --with-ldap=/usr/local/OpenLDAP.2.3

 

 Had SHLIB_PATH set to
/opt/openssl098d/lib:/usr/local/OpenLDAP.2.3/lib  as well as CPPFLAGS
and LDFLAGS set with -I and -L flags for those two non-standard
directories.  This is all the same as what I had done before.

 

After the make, make install, I went in to the installed directory and
made as minimal changes as I could.  I changed Listen port in the main
httpd.conf to 8040 and the Listen port (as well as the VirtualHost port)
in ssl.conf to 8045 so it wouldn't step on the toes of the production
apache process.  I then changed the User and Group directives in
httpd.conf to the webadmin user which the other apache process runs as.
Launched this just about plain jane apache using apachectl startssl.
Connecting via http to 8040, everything looks fine.  Connecting via
https to port 8045 shows the behavior of child processing hanging in a
waiting state.

 

Am I wrong in thinking this is a permissions issue?  Or perhaps
something is funky with the fact that the SSL libraries are in a strange
spot?  I've tried adding the library path to envvars in apache3/bin and
having PassEnv SHLIB_PATH in the httpd.conf.  However, the WORKING
installation is linked to these exact same libraries and although
there's a PassEnv command in its httpd.conf, nothing was added to
envvars.

 

If it *is* a permissions issue, what does mod_ssl need permission to get
to in order to function properly?  I notice that the ssl_scache.dir and
ssl_scache.pag files are created in the logs directory, (though the .dir
file is 0 bytes) both owned by webadmin, so that user can at least
CREATE files in that directory.

 

 



Bug in mod_ssl ?

2007-08-17 Thread Roy Keene

All,

	I recently ran into a problem with mod_ssl and Internet Explorer versions 6 and
7.  I have found that in the case where SSLVerifyClient is set to anything 
other than exactly none with Apache 1.3.x and mod_ssl 2.8.x that a client 
using Internet Explorer version 6 or 7 cannot connect using HTTPS.  The 
following error is given in the ssl_error_log:

mod_ssl: SSL handshake interrupted by system connection reset by peer

It is not clear whether this is a mod_ssl or an Internet Explorer bug.  The 
issue is not present when using Apache 2.2.x and the corresponding Apache 
mod_ssl.  I would prefer to continue using Apache 1.3.x and mod_ssl 2.8.x for 
now, but this bug (regardless of which component is faulty) prevents that option 
when SSLVerifyClient and availability to clients using Internet Explorer are 
both simultaneously desired.


Is this a known bug ?  Is there a place to report this bug in greater detail ?

Thanks,
--
Roy Keene (Contractor)
Office of Network Management (Code 7030.8)
Naval Research Laboratory
Stennis Space Center, MS 39529
DSN 828-4827


Re: Apache and mod_ssl - refusing connections on https?

2007-08-01 Thread Glyn Astill
Yes, I have SSLEngine On in ssl.conf, here's my ssl.conf file:

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<IfDefine SSL>
Listen 443
Listen my.ip.ad.dr:443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache dbm:/var/run/ssl_scache
SSLSessionCacheTimeout  300

SSLMutex  file:/var/run/ssl_mutex

<VirtualHost _default_:443>

DocumentRoot /usr/pkg/share/httpd/htdocs
ServerName www.mydomain.net:443
ServerAdmin [EMAIL PROTECTED]
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /usr/pkg/etc/httpd/ssl.crt/server.crt
SSLCertificateKeyFile /usr/pkg/etc/httpd/ssl.key/server.pem

<FilesMatch \.(cgi|shtml|phtml|php3?)$>
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/pkg/libexec/cgi-bin>
SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent .*MSIE.* \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd/ssl_request_log \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

</IfDefine>

Any ideas?

--- Omar W. Hannet [EMAIL PROTECTED] wrote:

 SSLEngine On?
 
 Glyn Astill wrote:
  Hi people,
  
  I'm new to this list, so hello.
  
  I've been trying to get https working with apache 2.0.59 on NetBSD
  3.99 today, and it's
  beginning to make my face ache.
  
  Basically when I try to view a page via https I get connection
  refused. Apache is compiled with mod_ssl.c, I have openssl installed.
  
  This is what I've done so far:
  
  1) Copied the example openssl cfg from examples to
  /etc/openssl/openssl.cnf
  
  2)Generated my server key, then pem file then the csr and crt. 
  
  3)Then copied them all into ssl.key (server.pem, server.key),
  ssl.csr (server.csr) and ssl.crt (server.crt). This is where my
  ssl.conf expects them.
  
  4) Made sure ssl.conf is pointing to these files properly and is
  listening on port 443 (Listen ipaddress:443)
  
  5) Made sure ssl.conf is included in httpd.conf properly
  
  6) check that mod_ssl.c is compiled in with https -l
  
  7) checked my apache access and error logs - nothing !
  
   And still nothing, it can't be listening on 443.
  
  If I do the following:
  
  #openssl s_client -connect localhost:443 -state -debug
  
  I get:
  
  connect: Connection refused
  connect:errno=61
  I've even tried copying all my virtual hosts and changing :80 to
  :443, still nothing.
  
  This is really the first time I've ever touched ssl, so I'm hoping
  I'm missing something really dumb. I've basically just got the
  standard ssl.conf example modified ever so slightly so that things
  point in the right place.
  
  ?
  
  Any ideas?
  
  
  Cheers
  Glyn
  
  
 
 -- 
 Omar W. Hannet
 http://www.allez-oop.net/



Apache and mod_ssl - refusing connections on https?

2007-07-31 Thread Glyn Astill
Hi people,

I'm new to this list, so hello.

I've been trying to get https working with apache 2.0.59 on NetBSD
3.99 today, and it's
beginning to make my face ache.

Basically when I try to view a page via https I get connection
refused. Apache is compiled with mod_ssl.c, I have openssl installed.

This is what I've done so far:

1) Copied the example openssl cfg from examples to
/etc/openssl/openssl.cnf

2)Generated my server key, then pem file then the csr and crt. 

3)Then copied them all into ssl.key (server.pem, server.key),
ssl.csr (server.csr) and ssl.crt (server.crt). This is where my
ssl.conf expects them.

4) Made sure ssl.conf is pointing to these files properly and is
listening on port 443 (Listen ipaddress:443)

5) Made sure ssl.conf is included in httpd.conf properly

6) check that mod_ssl.c is compiled in with https -l

7) checked my apache access and error logs - nothing !

 And still nothing, it can't be listening on 443.

If I do the following:

#openssl s_client -connect localhost:443 -state -debug

I get:

connect: Connection refused
connect:errno=61
I've even tried copying all my virtual hosts and changing :80 to
:443, still nothing.

This is really the first time I've ever touched ssl, so I'm hoping
I'm missing something really dumb. I've basically just got the
standard ssl.conf example modified ever so slightly so that things
point in the right place.

?

Any ideas?


Cheers
Glyn




Re: Apache and mod_ssl - refusing connections on https?

2007-07-31 Thread Omar W. Hannet

SSLEngine On?

Glyn Astill wrote:

Hi people,

I'm new to this list, so hello.

I've been trying to get https working with apache 2.0.59 on NetBSD
3.99 today, and it's
beginning to make my face ache.

Basically when I try to view a page via https I get connection
refused. Apache is compiled with mod_ssl.c, I have openssl installed.

This is what I've done so far:

1) Copied the example openssl cfg from examples to
/etc/openssl/openssl.cnf

2)Generated my server key, then pem file then the csr and crt. 


3)Then copied them all into ssl.key (server.pem, server.key),
ssl.csr (server.csr) and ssl.crt (server.crt). This is where my
ssl.conf expects them.

4) Made sure ssl.conf is pointing to these files properly and is
listening on port 443 (Listen ipaddress:443)

5) Made sure ssl.conf is included in httpd.conf properly

6) check that mod_ssl.c is compiled in with https -l

7) checked my apache access and error logs - nothing !

 And still nothing, it can't be listening on 443.

If I do the following:

#openssl s_client -connect localhost:443 -state -debug

I get:

connect: Connection refused
connect:errno=61
I've even tried copying all my virtual hosts and changing :80 to
:443, still nothing.

This is really the first time I've ever touched ssl, so I'm hoping
I'm missing something really dumb. I've basically just got the
standard ssl.conf example modified ever so slightly so that things
point in the right place.

?

Any ideas?


Cheers
Glyn





--
Omar W. Hannet
http://www.allez-oop.net/


Re: Apache with mod_ssl

2007-06-21 Thread R. DuFresne

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



Even more revealing was the passphrase prompt, not required for plain 
httpd...



Thanks,

Ron DuFresne


On Tue, 19 Jun 2007, Omar W. Hannet wrote:


Are you quite certain that the LoadModule for mod_ssl has been
commented out?  The reason I ask: the output from 'apachectl start'
which you provided below shows 'mod_ssl/2.2.4'.

In the log file /opt/apache-2.2.4/logs/error_log, on lines that contain
'Apache/2.2.4' and 'configured -- resuming normal operations', do
you see 'mod_ssl/2.2.4'?  If so, it is still being loaded from somewhere
in your configuration.

Saikat Saha wrote:

Sorry for late response on this one. This is what we have in httpd.conf
which is generated at compile time. This problem does not go away even
if I comment out last four lines and restart apache. Could you please
advise what else could be leading apache to think it is https rather
than http?



# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
#   starting without SSL on platforms with no /dev/random equivalent
#   but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>


With above commented out, when I try to start apache, I get following
passphrase prompt and apache does not start even after saying passphrase
successful, no logs in logs directory although log level is debug

]# ./apachectl start
httpd: Could not reliably determine the server's fully qualified domain
name, using 10.3.110.109 for ServerName
Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 10.3.110.109:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[EMAIL PROTECTED] bin]#

Thank you very much for your help.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: Monday, June 18, 2007 8:34 AM
To: modssl-users@modssl.org
Subject: Re: Apache with mod_ssl

Do you have <IfModule ssl_module> tags surrounding all
SSL directives in your configuration file?  For example:

<IfModule ssl_module>
SSLPassPhraseDialog  builtin
# etc.
</IfModule>

Saikat Saha wrote:

Apache was compiled as below

./configure --with-ldap --enable-mods-shared="all ssl ldap cache proxy \
authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock \
disk_cache" --prefix=/opt/apache-2.2.4

Httpd -l gives below
[EMAIL PROTECTED] bin]# httpd -l
Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c

How do I compile so that it does not load mod_ssl automatically and
loads only if httpd.conf is configured.

Surprisingly there are no error logs even at debug level.

Thank you so very much for the kind help.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: Friday, June 15, 2007 4:13 PM
To: modssl-users@modssl.org
Subject: Re: Apache with mod_ssl

Saikat Saha wrote:
We have apache 2.2.4 compiled with all modules but commented out all load
modules. Do not have anything in httpd.conf file to state that this
is https. But when I start apache, it tries to goto https and prompts
for pass phrase. How does apache determine that this is https whereas
this is actually a http server.

Perhaps mod_ssl is a compiled-in module.  Run 'httpd -l' to check this.

After I enter a passphrase, it shows successful but the server never
starts up. Can someone please help?

The reason probably can be found in Apache's error_log file.

Also can apache support both http and https at different ports at the
same time?

Yes.  The defaults are port 80 for http and port 443 for https.




- -- 
~~

admin  senior security consultant:  sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins Still Life With Woodpecker
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFGer+zst+vzJSwZikRAlhnAJ4rLby4nNIlTNYwr0Vq2bQdI1TGmwCgwn1e
itrUfe7Vl+cuoIdY3KOVw8M=
=LeZD
-END PGP SIGNATURE-


Re: Apache with mod_ssl

2007-06-19 Thread Omar W. Hannet

Are you quite certain that the LoadModule for mod_ssl has been
commented out?  The reason I ask: the output from 'apachectl start'
which you provided below shows 'mod_ssl/2.2.4'.

In the log file /opt/apache-2.2.4/logs/error_log, on lines that contain
'Apache/2.2.4' and 'configured -- resuming normal operations', do
you see 'mod_ssl/2.2.4'?  If so, it is still being loaded from somewhere
in your configuration.

Saikat Saha wrote:

Sorry for late response on this one. This is what we have in httpd.conf
which is generated at compile time. This problem does not go away even
if I comment out last four lines and restart apache. Could you please
advise what else could be leading apache to think it is https rather
than http?



# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
#   starting without SSL on platforms with no /dev/random equivalent
#   but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>


With above commented out, when I try to start apache, I get following
passphrase prompt and apache does not start even after saying passphrase
successful, no logs in logs directory although log level is debug

]# ./apachectl start
httpd: Could not reliably determine the server's fully qualified domain
name, using 10.3.110.109 for ServerName
Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 10.3.110.109:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[EMAIL PROTECTED] bin]#

Thank you very much for your help.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: Monday, June 18, 2007 8:34 AM
To: modssl-users@modssl.org
Subject: Re: Apache with mod_ssl

Do you have <IfModule ssl_module> tags surrounding all
SSL directives in your configuration file?  For example:

<IfModule ssl_module>
SSLPassPhraseDialog  builtin
# etc.
</IfModule>

Saikat Saha wrote:

Apache was compiled as below

./configure --with-ldap --enable-mods-shared="all ssl ldap cache proxy \
authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock \
disk_cache" --prefix=/opt/apache-2.2.4

Httpd -l gives below
[EMAIL PROTECTED] bin]# httpd -l
Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c

How do I compile so that it does not load mod_ssl automatically and
loads only if httpd.conf is configured.

Surprisingly there are no error logs even at debug level.

Thank you so very much for the kind help.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: Friday, June 15, 2007 4:13 PM
To: modssl-users@modssl.org
Subject: Re: Apache with mod_ssl

Saikat Saha wrote:
We have apache 2.2.4 compiled with all modules but commented out all
load modules. Do not have anything in httpd.conf file to state that this
is https. But when I start apache, it tries to goto https and prompts
for pass phrase. How does apache determine that this is https whereas
this is actually a http server.

Perhaps mod_ssl is a compiled-in module.  Run 'httpd -l' to check this.

After I enter a passphrase, it shows
successful but the server never starts up. Can someone please help?

The reason probably can be found in Apache's error_log file.

Also can apache support both http and https at different ports at the
same time?

Yes.  The defaults are port 80 for http and port 443 for https.
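
The checks suggested in this thread (is a LoadModule for mod_ssl still active somewhere, are the SSL directives wrapped in <IfModule ssl_module>, is mod_ssl compiled in per 'httpd -l') and the "Listen 443" inside <IfDefine SSL> from the "refusing connections on https" thread can be run mechanically over a config tree. The Python below is an added example, not part of any message in this archive: the function names scan, report and canon and the file name conf/extra/local.conf are hypothetical, the sample config is constructed, and backslash line continuations are not handled.

```python
import fnmatch
import re

# Constructed sample tree (not from the thread); paths are relative to ServerRoot.
SAMPLE = {
    "conf/httpd.conf": """\
Listen 80
#LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/*.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
</IfModule>
""",
    "conf/extra/local.conf": """\
LoadModule ssl_module modules/mod_ssl.so
SSLPassPhraseDialog builtin
<IfDefine SSL>
Listen 443
<VirtualHost _default_:443>
SSLEngine on
</VirtualHost>
</IfDefine>
""",
}

OPEN_RE = re.compile(r"<\s*(\w+)\s*([^>]*)>\s*$")


def canon(name):
    """Map 'ssl_module' and 'mod_ssl.c' to one key (an assumption that holds for mod_ssl)."""
    name = re.sub(r"(\.c|_module)$", "", name.strip('"').lower())
    return re.sub(r"^mod_", "", name)


def scan(files, root="conf/httpd.conf", defines=(), static_modules=()):
    """Read the config in parse order; record Listen, LoadModule and SSL* lines.
    defines: -D names given to httpd; static_modules: names printed by 'httpd -l'.
    A record is 'active' when every enclosing <IfDefine>/<IfModule> is true and
    'guarded' when it sits inside <IfModule ssl_module>."""
    defines = set(defines)
    loaded = {canon(m) for m in static_modules}   # grows as LoadModule lines are read
    records = []

    def walk(path, outer, chain):
        stack = list(outer)                       # (condition_true, is_ssl_guard)
        for lineno, raw in enumerate(files[path].splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue                          # a commented-out LoadModule ends here
            if line.startswith("</"):
                if len(stack) > len(outer):
                    stack.pop()
                continue
            active = all(ok for ok, _ in stack)
            opened = OPEN_RE.match(line)
            if opened:
                kind, arg = opened.group(1).lower(), opened.group(2).strip()
                negate, arg = arg.startswith("!"), arg.lstrip("!")
                if kind == "ifdefine":            # true only if httpd was started with -D<arg>
                    stack.append(((arg in defines) != negate, False))
                elif kind == "ifmodule":          # true only if the module is loaded by now
                    guard = canon(arg) == "ssl" and not negate
                    stack.append(((canon(arg) in loaded) != negate, guard))
                else:                             # <VirtualHost>, <Directory>, ...
                    stack.append((True, False))
                continue
            parts = line.split(None, 1)
            name, args = parts[0], parts[1].strip() if len(parts) > 1 else ""
            lname = name.lower()
            if lname == "include":                # wildcard Include, relative to ServerRoot
                for target in sorted(fnmatch.filter(files, args)) if active else ():
                    if target not in chain:
                        walk(target, stack, chain + (target,))
                continue
            if lname == "loadmodule" and active and args:
                loaded.add(canon(args.split()[0]))
            if lname in ("listen", "loadmodule") or lname.startswith("ssl"):
                records.append({"file": path, "line": lineno, "name": name, "args": args,
                                "active": active, "guarded": any(g for _, g in stack)})

    walk(root, [], (root,))
    return records


def report(records):
    """Where mod_ssl is loaded, which SSL* lines lack a guard, and the effective Listen list."""
    live = [r for r in records if r["active"]]
    return {
        "ssl_loaded_at": [f"{r['file']}:{r['line']}" for r in live if r["name"].lower() == "loadmodule"
                          and canon((r["args"].split() or [""])[0]) == "ssl"],
        "unguarded_ssl": [(r["file"], r["line"], r["name"]) for r in live
                          if r["name"].lower().startswith("ssl") and not r["guarded"]],
        "listen": [r["args"] for r in live if r["name"].lower() == "listen"],
    }


if __name__ == "__main__":
    print(report(scan(SAMPLE)), report(scan(SAMPLE, defines=["SSL"])), sep="\n")
```

On the sample, the commented-out LoadModule in httpd.conf is ignored but the one pulled in through the wildcard Include still loads mod_ssl, and port 443 only appears in the Listen list when SSL is passed in defines.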



Apache mod_ssl and FIPS 140-2

2007-06-15 Thread David_Gerendas
Does anyone know if the Apache v2.2.x implementation of OpenSSL mod_ssl
is FIPS 140-2 validated? What version of OpenSSL is distributed with the
current version of Apache? Any help is much appreciated...

 

Thanks,

David Gerendas, CISSP 
McAfee, Inc. 
949-297-5600 Main 
949-860-3369 Direct 
949-289-8677 Mobile 
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]  

 



Re: Apache mod_ssl and FIPS 140-2

2007-06-15 Thread Dave Paris

http://csrc.nist.gov/cryptval/140-1/1401val2007.htm#733

Best~
-d

[EMAIL PROTECTED] wrote:
> Does anyone know if the Apache v2.2.x implementation of OpenSSL mod_ssl
> is FIPS 140-2 validated? What version of OpenSSL is distributed with the
> current version of Apache? Any help is much appreciated…
>
> Thanks,
>
> David Gerendas, CISSP
> McAfee, Inc.
> 949-297-5600 Main
> 949-860-3369 Direct
> 949-289-8677 Mobile
> [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]



Apache with mod_ssl

2007-06-15 Thread Saikat Saha
We have apache 2.2.4 compiled with all modules but commented out all
load modules. Do not have anything in httpd.conf file to state that this
is https. But when I start apache, it tries to goto https and prompts
for pass phrase. How does apache determine that this is https whereas
this is actually a http server. After I enter a passphrase, it shows
successful but the server never starts up. Can someone please help?

 

Also can apache support both http and https at different ports at the
same time?

Thanks much for your help.

SS

[EMAIL PROTECTED] bin]# ./apachectl start
Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 10.3.110.109:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.


Httpd.conf

# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
#   starting without SSL on platforms with no /dev/random equivalent
#   but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>



Re: Apache with mod_ssl

2007-06-15 Thread Omar W. Hannet

Saikat Saha wrote:
> We have apache 2.2.4 compiled with all modules but commented out all
> load modules. Do not have anything in httpd.conf file to state that this
> is https. But when I start apache, it tries to goto https and prompts
> for pass phrase. How does apache determine that this is https whereas
> this is actually a http server.

Perhaps mod_ssl is a compiled-in module.  Run 'httpd -l' to check this.

> After I enter a passphrase, it shows
> successful but the server never starts up. Can someone please help?

The reason probably can be found in Apache's error_log file.

> Also can apache support both http and https at different ports at the
> same time?

Yes.  The defaults are port 80 for http and port 443 for https.

--
Omar W. Hannet
http://www.allez-oop.net/


RE: Apache with mod_ssl

2007-06-15 Thread Saikat Saha
Apache was compiled as below

./configure --with-ldap --enable-mods-shared=all ssl ldap cache proxy
authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock
disk_cache --prefix=/opt/apache-2.2.4

Httpd -l gives below
[EMAIL PROTECTED] bin]# httpd -l
Compiled in modules:
  core.c
  prefork.c
  http_core.c
  mod_so.c

How do I compile so that it does not load mod_ssl automatically and
loads only if httpd.conf is configured.

Surprisingly there are no error logs even at debug level.

Thank you so very much for the kind help.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: Friday, June 15, 2007 4:13 PM
To: modssl-users@modssl.org
Subject: Re: Apache with mod_ssl

Saikat Saha wrote:
> We have apache 2.2.4 compiled with all modules but commented out all
> load modules. Do not have anything in httpd.conf file to state that this
> is https. But when I start apache, it tries to goto https and prompts
> for pass phrase. How does apache determine that this is https whereas
> this is actually a http server.

Perhaps mod_ssl is a compiled-in module.  Run 'httpd -l' to check this.

> After I enter a passphrase, it shows
> successful but the server never starts up. Can someone please help?

The reason probably can be found in Apache's error_log file.

> Also can apache support both http and https at different ports at the
> same time?

Yes.  The defaults are port 80 for http and port 443 for https.

-- 
Omar W. Hannet
http://www.allez-oop.net/


Re: adding mod_ssl module to existing apache configuration

2007-06-14 Thread Lalit Kapoor

my apology for late replies...it works for me.

Thanks Team !!!

On 6/12/07, Omar W. Hannet [EMAIL PROTECTED] wrote:


Lalit Kapoor wrote:

 Can you give me some idea if it possible to add mod_ssl in running
 configuration or do i need to recompile and install apache with mod_ssl.

Have you tried 'yum install mod_ssl'?

--
Omar W. Hannet
http://www.allez-oop.net/



adding mod_ssl module to existing apache configuration

2007-06-12 Thread Lalit Kapoor

Hi,

I am using following version of apache, i got it installed using  yum
install httpd .

Server version: Apache/2.0.52
Server built:   Aug  2 2006 05:21:10

There is a requirement of adding mod_ssl module to existing apache
configuration.

Can you give me some idea if it possible to add mod_ssl in running
configuration or do i need to recompile and install apache with mod_ssl.

Thanks,
Lalit


Re: adding mod_ssl module to existing apache configuration

2007-06-12 Thread Omar W. Hannet

Lalit Kapoor wrote:

> Can you give me some idea if it possible to add mod_ssl in running
> configuration or do i need to recompile and install apache with mod_ssl.

Have you tried 'yum install mod_ssl'?

--
Omar W. Hannet
http://www.allez-oop.net/


mod_ssl setup process with apache 2.2.4

2007-06-12 Thread Saikat Saha
Hi,

We are trying to setup apache 2.2.4 along with mod_ssl and mod_jk. Mod_jk
has been successfully configured and working with two instances of
Jboss.

However after installing mod_ssl, does not seem to be
installed/configured properly. Is there some link which describes step
by step setup process to configure Mod_ssl with apache 2.2.4? Can anyone
please forward the link?

Also, we have three ports, two of them need to be https and one needs to
be http. How do we configure this?

In our configuration, we want Apache to receive https requests from
clients and then forward http to the Jboss application server thru
mod_jk. Can someone please point to some link/documentation.

We would assume these are standard practices.

Thank you so very much for your kind help.

Regards,

SS



Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)

2007-06-11 Thread Mark Beiley
I've learned that I can fix this problem by not using an external style
sheet.

This only affects IE6 on XP without SP2.  Everyone else seems to be able
to view my pages fine, and even these problematic IE6/XP customers can view
pages with external style sheets that are not using HTTPS.

Specifically, if I delete this line from my HTML:

<link rel="stylesheet" type="text/css"
href="https://www.beileysoftware.com/main.css">

then these problematic browsers can view the page fine.

I've also changed the HTML to include the exact contents of the style sheet
inline, and this works fine.  It is only when the style sheet is external
that the browser can't display the contents.  If I leave the external style
sheet in place, I can see in the logs the browser requesting the page and
then the style sheet.  Both are returned with no errors, but the browser
just sits there with a blank page, and never really finishes.  It seems like
it is waiting for something to complete, but it never finishes.

I'm guessing this was some bug in early versions of IE6, but does anyone
know what the specific problem is, and how I can fix it by configuring
Apache differently?

Thanks,
Mark
http://www.beiley.com



Hello,

Several customers are not able to access my server via HTTPS.  Their browser
just sits there, and doesn't display anything.  I've determined the common
properties of these cases to be:

Windows XP (all of them without SP2)
Internet Explorer 6

I can see their requests show up fine in my log files, without errors.
These customers can visit other HTTPS sites.  My site works fine for the
vast majority of people.  I'm stumped on the next step to try and debug
the problem.  Any suggestions?

My server configuration:
Apache 2.0.54 with mod_ssl and mod_deflate, running on Windows XP

For an example URL, try: https://www.beileysoftware.com/handy.html

Thanks,
Mark
http://www.beiley.com 




Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)

2007-06-08 Thread Sven Geisler
Hi Mark,

Did you try Google http://www.google.com/search?q=Starfield+cert+ie6?
I guess, the root certificate causes the trouble.

Sven.

Mark Beiley wrote:
 Hi Sven,
 
 Thanks for the reply.  I believe I have KeepAlive off for this browser.
 In my ssl.conf file I have:
 
 SetEnvIf User-Agent .*MSIE.* \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
 
 Thanks,
 Mark
 http://www.beiley.com
 
 
 
 Hi Mark,

 Do you have KeepALive on in you server config for this browser?

 Sven.


 Mark Beiley wrote:
 Hello,

 Several customers are not able to access my server via HTTPS.  Their browser
 just sits there, and doesn't display anything.  I've determined the common
 properties of these cases to be:

 Windows XP (all of them without SP2)
 Internet Explorer 6

 I can see their requests show up fine in my log files, without errors.
 These customers can visit other HTTPS sites.  My site works fine for the
 vast majority of people.  I'm stumped on the next step to try and debug
 the problem.  Any suggestions?

 My server configuration:
 Apache 2.0.54 with mod_ssl and mod_deflate, running on Windows XP

 For an example URL, try: https://www.beileysoftware.com/handy.html

 Thanks,
 Mark
 http://www.beiley.com 
 

-- 
Sven Geisler [EMAIL PROTECTED]   Tel +49.30.921017.81  Fax .50
Senior Developer, AEC/communications GmbH  Co. KG Berlin, Germany


Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)

2007-06-08 Thread Mark Beiley

Hi Sven,

Interesting...  I hadn't thought of that.  I know some other
sites using a Starfield certificate.  I'll see if these
customers experience the same problem when they go there.

Thanks for your help!

Mark
http://www.beiley.com


- Original Message - 
From: Sven Geisler [EMAIL PROTECTED]

To: modssl-users@modssl.org
Sent: Thursday, June 07, 2007 11:30 PM
Subject: Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)



Hi Mark,

Did you try Google http://www.google.com/search?q=Starfield+cert+ie6?
I guess, the root certificate causes the trouble.

Sven.

Mark Beiley wrote:

Hi Sven,

Thanks for the reply.  I believe I have KeepAlive off for this browser.
In my ssl.conf file I have:

SetEnvIf User-Agent .*MSIE.* \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

Thanks,
Mark
http://www.beiley.com




Hi Mark,

Do you have KeepALive on in you server config for this browser?

Sven.


Mark Beiley wrote:

Hello,

Several customers are not able to access my server via HTTPS.  Their browser
just sits there, and doesn't display anything.  I've determined the common
properties of these cases to be:

Windows XP (all of them without SP2)
Internet Explorer 6

I can see their requests show up fine in my log files, without errors.
These customers can visit other HTTPS sites.  My site works fine for the
vast majority of people.  I'm stumped on the next step to try and debug
the problem.  Any suggestions?

My server configuration:
Apache 2.0.54 with mod_ssl and mod_deflate, running on Windows XP

For an example URL, try: https://www.beileysoftware.com/handy.html

Thanks,
Mark
http://www.beiley.com




--
Sven Geisler [EMAIL PROTECTED]   Tel +49.30.921017.81  Fax .50
Senior Developer, AEC/communications GmbH  Co. KG Berlin, Germany


Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)

2007-06-07 Thread Mark Beiley

Hello,

Several customers are not able to access my server via HTTPS.  Their browser
just sits there, and doesn't display anything.  I've determined the common
properties of these cases to be:

Windows XP (all of them without SP2)
Internet Explorer 6

I can see their requests show up fine in my log files, without errors.
These customers can visit other HTTPS sites.  My site works fine for the
vast majority of people.  I'm stumped on the next step to try and debug
the problem.  Any suggestions?

My server configuration:
Apache 2.0.54 with mod_ssl and mod_deflate, running on Windows XP

For an example URL, try: https://www.beileysoftware.com/handy.html

Thanks,
Mark
http://www.beiley.com




Re: OpenSSL verion from mod_ssl statically compiled into httpd?

2007-06-07 Thread Vishal . Bhalla




Thanks for the reply Zareh, but still no joy :-(

We DO have old libraries on the box, but when compiling apache (after
setting SSL_BASE),
The output does show:
.
.
  + SSL library version: OpenSSL 0.9.8e 23 Feb 2007
.
.
Running a strings on httpd shows:

OpenSSL 0.9.7b 10 Apr 2003
SSLv2 part of OpenSSL 0.9.8e 23 Feb 2007
TLSv1 part of OpenSSL 0.9.8e 23 Feb 2007
OpenSSL 0.9.8e 23 Feb 2007
SSLv3 part of OpenSSL 0.9.8e 23 Feb 2007
Big Number part of OpenSSL 0.9.8e 23 Feb 2007
RSA part of OpenSSL 0.9.8e 23 Feb 2007
Diffie-Hellman part of OpenSSL 0.9.8e 23 Feb 2007
Stack part of OpenSSL 0.9.8e 23 Feb 2007
lhash part of OpenSSL 0.9.8e 23 Feb 2007
EVP part of OpenSSL 0.9.8e 23 Feb 2007
ASN.1 part of OpenSSL 0.9.8e 23 Feb 2007
X.509 part of OpenSSL 0.9.8e 23 Feb 2007
MD2 part of OpenSSL 0.9.8e 23 Feb 2007
MD5 part of OpenSSL 0.9.8e 23 Feb 2007
SHA1 part of OpenSSL 0.9.8e 23 Feb 2007
SHA-256 part of OpenSSL 0.9.8e 23 Feb 2007
SHA-512 part of OpenSSL 0.9.8e 23 Feb 2007
DES part of OpenSSL 0.9.8e 23 Feb 2007
libdes part of OpenSSL 0.9.8e 23 Feb 2007
RC2 part of OpenSSL 0.9.8e 23 Feb 2007
RC4 part of OpenSSL 0.9.8e 23 Feb 2007
IDEA part of OpenSSL 0.9.8e 23 Feb 2007
DSA part of OpenSSL 0.9.8e 23 Feb 2007
ECDSA part of OpenSSL 0.9.8e 23 Feb 2007
ECDH part of OpenSSL 0.9.8e 23 Feb 2007
RAND part of OpenSSL 0.9.8e 23 Feb 2007
PEM part of OpenSSL 0.9.8e 23 Feb 2007
CONF part of OpenSSL 0.9.8e 23 Feb 2007
CONF_def part of OpenSSL 0.9.8e 23 Feb 2007

As you can see from the top line, 0.9.7b is coming in from [EMAIL PROTECTED]

Question, is the output of this LogFormat line an accurate reflection of
what version of openssl was compiled into httpd?:

   CustomLog /tmp/ssl.log "%{SSL_VERSION_LIBRARY}x %{SSL_VERSION_INTERFACE}x"

I'll try and move those libs out of the way, and re-compile



Zareh [EMAIL PROTECTED]
Sent by: owner-modssl-users@modssl.org
06/06/2007 06:10
Please respond to modssl-users

To: modssl-users@modssl.org
cc:
Subject: Re: OpenSSL verion from mod_ssl statically compiled into httpd?




Hi Vishal,

I seem to remember running into this a while back, it turned out that I had
old ssl libs in /usr/local/ssl and apache's build scripts were picking them
up. instead of /usr/local/openssl - I can't remember what I did to get them
to compile with the newer openssl libs, but here are a few things you could
try:

1) Set the following in your environment before you build apache/mod_ssl

SSL_BASE=/usr/local/openssl  (wherever the libs are you want to compile
against)
export SSL_BASE

2) Find the libs ( find /usr/* -type f -name '*ssl*' ), tar them up and
move them into another directory. Build apache/mod_ssl - then just untar
the old libs back into place.
... kinda messy though :)

- Original Message 
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Monday, June 4, 2007 8:52:34 AM
Subject: OpenSSL verion from mod_ssl statically compiled into httpd?





Question: How do I find out the version of openssl used by my httpd that
has mod_ssl statically compiled into it?

HEAD / HTTP/1.0 shows no mod_ssl info, and the only way in which I can
get anything is to use the following in the Apache conf:

CustomLog /tmp/ssl.log "%{SSL_VERSION_LIBRARY}x %{SSL_VERSION_INTERFACE}x"

Is this accurate, and can it be trusted? I ask because I recompiled
apache/mod_ssl using openssl 0.9.8c and the version the above showed in the
logs was older: 0.9.7b, which isn't installed on the box...?

My LD_LIBRARY path was set to /usr/local/ssl/lib, which contained:

engines/
libcrypto.a
libcrypto.so
libcrypto.so.0.9.8*
libssl.a
libssl.so
libssl.so.0.9.8*
pkgconfig/

It's an old setup that I've inherited from people who have all left now :-(
The source files and the way in which this was compiled have gone.

To be honest, I'm a bit confused as to the whole ssl setup
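
The version check asked about in this thread, as an added example that is not part of the original posts: a shell helper that reads `strings httpd` output and reports whether more than one OpenSSL version string is embedded in the binary, as in the output quoted above. The function names, the sample input and the path in the usage comment are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the OpenSSL version strings found in strings(1)
# output of an httpd binary that has mod_ssl compiled in.

# Read strings(1) output on stdin and print "<version> <kind> <count>" lines.
# kind is "banner" for a bare "OpenSSL <ver> <date>" line and "component"
# for "<name> part of OpenSSL <ver> <date>" lines.
openssl_versions() {
    awk '
        {
            for (i = 1; i < NF; i++)
                if ($i == "OpenSSL" && $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+[a-z]*$/) {
                    kind = (i == 1) ? "banner" : "component"
                    count[$(i + 1) " " kind]++
                    break
                }
        }
        END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Print one verdict line: "NONE", "OK <ver>" or "MIXED <ver> <ver> ...".
# MIXED means the binary carries strings from more than one OpenSSL release.
version_verdict() {
    openssl_versions | awk '
        !($1 in seen) { seen[$1] = 1; list = list " " $1; n++ }
        END {
            if (n == 0) print "NONE"
            else if (n == 1) print "OK" list
            else print "MIXED" list
        }'
}

# Constructed sample: a shortened copy of the strings output quoted in the
# thread, plus one unrelated line that must be ignored.
sample_strings() {
    cat <<'EOF'
OpenSSL 0.9.7b 10 Apr 2003
SSLv2 part of OpenSSL 0.9.8e 23 Feb 2007
TLSv1 part of OpenSSL 0.9.8e 23 Feb 2007
OpenSSL 0.9.8e 23 Feb 2007
Big Number part of OpenSSL 0.9.8e 23 Feb 2007
RSA part of OpenSSL 0.9.8e 23 Feb 2007
some unrelated string mentioning OpenSSL support
EOF
}

# Run both reports against a real binary, for example (path is an assumption):
#   scan_binary /usr/local/apache/bin/httpd
scan_binary() {
    strings "$1" | openssl_versions
    strings "$1" | version_verdict
}
```

A MIXED verdict only says that strings from two releases are present in the file; which of them the running server reports still has to be confirmed from the server itself.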

Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)

2007-06-07 Thread Mark Beiley

Hi Sven,

Thanks for the reply.  I believe I have KeepAlive off for this browser.
In my ssl.conf file I have:

SetEnvIf User-Agent .*MSIE.* \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

Thanks,
Mark
http://www.beiley.com




Hi Mark,

Do you have KeepALive on in you server config for this browser?

Sven.


Mark Beiley wrote:

Hello,

Several customers are not able to access my server via HTTPS.  Their browser
just sits there, and doesn't display anything.  I've determined the common
properties of these cases to be:

Windows XP (all of them without SP2)
Internet Explorer 6

I can see their requests show up fine in my log files, without errors.
These customers can visit other HTTPS sites.  My site works fine for the
vast majority of people.  I'm stumped on the next step to try and debug
the problem.  Any suggestions?

My server configuration:
Apache 2.0.54 with mod_ssl and mod_deflate, running on Windows XP

For an example URL, try: https://www.beileysoftware.com/handy.html

Thanks,
Mark
http://www.beiley.com 




Re: OpenSSL verion from mod_ssl statically compiled into httpd?

2007-06-07 Thread Vishal . Bhalla




Hi guys,

Is there a definitive way of finding out the version of OpenSSL used by
httpd, with mod_ssl statically compiled into it.

Thanks!



[EMAIL PROTECTED]
Sent by: owner-modssl-users@modssl.org
07/06/2007 13:59
Please respond to modssl-users

To: modssl-users@modssl.org
cc: modssl-users@modssl.org, [EMAIL PROTECTED]
Subject: Re: OpenSSL verion from mod_ssl statically compiled into httpd?








Thanks for the reply Zareh, but still no joy :-(

We DO have old libraries on the box, but when compiling apache (after
setting SSL_BASE),
The output does show:
.
.
  + SSL library version: OpenSSL 0.9.8e 23 Feb 2007
.
.
Running a strings on httpd shows:

OpenSSL 0.9.7b 10 Apr 2003
SSLv2 part of OpenSSL 0.9.8e 23 Feb 2007
TLSv1 part of OpenSSL 0.9.8e 23 Feb 2007
OpenSSL 0.9.8e 23 Feb 2007
SSLv3 part of OpenSSL 0.9.8e 23 Feb 2007
Big Number part of OpenSSL 0.9.8e 23 Feb 2007
RSA part of OpenSSL 0.9.8e 23 Feb 2007
Diffie-Hellman part of OpenSSL 0.9.8e 23 Feb 2007
Stack part of OpenSSL 0.9.8e 23 Feb 2007
lhash part of OpenSSL 0.9.8e 23 Feb 2007
EVP part of OpenSSL 0.9.8e 23 Feb 2007
ASN.1 part of OpenSSL 0.9.8e 23 Feb 2007
X.509 part of OpenSSL 0.9.8e 23 Feb 2007
MD2 part of OpenSSL 0.9.8e 23 Feb 2007
MD5 part of OpenSSL 0.9.8e 23 Feb 2007
SHA1 part of OpenSSL 0.9.8e 23 Feb 2007
SHA-256 part of OpenSSL 0.9.8e 23 Feb 2007
SHA-512 part of OpenSSL 0.9.8e 23 Feb 2007
DES part of OpenSSL 0.9.8e 23 Feb 2007
libdes part of OpenSSL 0.9.8e 23 Feb 2007
RC2 part of OpenSSL 0.9.8e 23 Feb 2007
RC4 part of OpenSSL 0.9.8e 23 Feb 2007
IDEA part of OpenSSL 0.9.8e 23 Feb 2007
DSA part of OpenSSL 0.9.8e 23 Feb 2007
ECDSA part of OpenSSL 0.9.8e 23 Feb 2007
ECDH part of OpenSSL 0.9.8e 23 Feb 2007
RAND part of OpenSSL 0.9.8e 23 Feb 2007
PEM part of OpenSSL 0.9.8e 23 Feb 2007
CONF part of OpenSSL 0.9.8e 23 Feb 2007
CONF_def part of OpenSSL 0.9.8e 23 Feb 2007

As you can see from the top line, 0.9.7b is coming in from [EMAIL PROTECTED]

Question, is the output of this LogFormat line an accurate reflection of
what version of openssl was compiled into httpd?:

   CustomLog /tmp/ssl.log "%{SSL_VERSION_LIBRARY}x %{SSL_VERSION_INTERFACE}x"

I'll try and move those libs out of the way, and re-compile



Zareh [EMAIL PROTECTED]
Sent by: owner-modssl-users@modssl.org
06/06/2007 06:10
Please respond to modssl-users

To: modssl-users@modssl.org
cc:
Subject: Re: OpenSSL verion from mod_ssl statically compiled into httpd?





Hi Vishal,

I seem to remember running into this a while back, it turned out that I had
old ssl libs in /usr/local/ssl and apache's build scripts were picking them
up. instead of /usr/local/openssl - I can't remember what I did to get them
to compile with the newer openssl libs, but here are a few things you could
try:

1) Set the following in your environment before you build apache/mod_ssl

SSL_BASE=/usr/local/openssl  (wherever the libs are you want to compile
against)
export SSL_BASE

2) Find the libs ( find /usr/* -type f -name '*ssl*' ), tar them up and
move them into another directory. Build apache/mod_ssl - then just untar
the old libs back into place

Re: OpenSSL verion from mod_ssl statically compiled into httpd?

2007-06-05 Thread Zareh
Hi Vishal,

I seem to remember running into this a while back, it turned out that I had old 
ssl libs in /usr/local/ssl and apache's build scripts were picking them up. 
instead of /usr/local/openssl - I can't remember what I did to get them to 
compile with the newer openssl libs, but here are a few things you could try:

1) Set the following in your environment before you build apache/mod_ssl

SSL_BASE=/usr/local/openssl  (wherever the libs are you want to compile against)
export SSL_BASE

2) Find the libs ( find /usr/* -type f -name '*ssl*' ), tar them up and move 
them into another directory. Build apache/mod_ssl - then just untar the old 
libs back into place.
... kinda messy though :)

- Original Message 
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Monday, June 4, 2007 8:52:34 AM
Subject: OpenSSL verion from mod_ssl statically compiled into httpd?





Question: How do I find out the version of openssl used by my httpd that
has mod_ssl statically compiled into it?

HEAD / HTTP/1.0 shows no mod_ssl info, and the only way in which I can
get anything is to use the following in the Apache conf:

CustomLog /tmp/ssl.log "%{SSL_VERSION_LIBRARY}x %{SSL_VERSION_INTERFACE}x"

Is this accurate, and can it be trusted? I ask because I recompiled
apache/mod_ssl using openssl 0.9.8c and the version the above showed in the
logs was older: 0.9.7b, which isn't installed on the box...?

My LD_LIBRARY path was set to /usr/local/ssl/lib, which contained:

engines/
libcrypto.a
libcrypto.so
libcrypto.so.0.9.8*
libssl.a
libssl.so
libssl.so.0.9.8*
pkgconfig/

It's an old setup that I've inherited from people who have all left now :-(
The source files and the way in which this was compiled have gone.

To be honest, I'm a bit confused as to the whole ssl setup with regards to
solaris --apache -- mod_ssl. I download and compiled openssl 0.9.8e
from source and compiled mod_ssl with ./configure
--with-apache=../apache_1.3.37 --with-ssl=../openssl-0.9.8e

But when apache built, it said that it was using 0.9.8c the one installed
as a pkg on the solaris box. Why would it do that? Anyway, the custom log
shows
the correct mod_ssl version, but an old openssl version.

Any help is much appreciated, thanks in advance guys.

Regards,
Vish.


OpenSSL verion from mod_ssl statically compiled into httpd?

2007-06-04 Thread Vishal . Bhalla




Question: How do I find out the version of openssl used by my httpd that
has mod_ssl statically compiled into it?

HEAD / HTTP/1.0 shows no mod_ssl info, and the only way in which I can
get anything is to use the following in the Apache conf:

CustomLog /tmp/ssl.log "%{SSL_VERSION_LIBRARY}x %{SSL_VERSION_INTERFACE}x"

Is this accurate, and can it be trusted? I ask because I recompiled
apache/mod_ssl using openssl 0.9.8c and the version the above showed in the
logs was older: 0.9.7b, which isn't installed on the box...?

My LD_LIBRARY path was set to /usr/local/ssl/lib, which contained:

engines/
libcrypto.a
libcrypto.so
libcrypto.so.0.9.8*
libssl.a
libssl.so
libssl.so.0.9.8*
pkgconfig/

It's an old setup that I've inherited from people who have all left now :-(
The source files and the way in which this was compiled have gone.

To be honest, I'm a bit confused as to the whole ssl setup with regards to
solaris --apache -- mod_ssl. I download and compiled openssl 0.9.8e
from source and compiled mod_ssl with ./configure
--with-apache=../apache_1.3.37 --with-ssl=../openssl-0.9.8e

But when apache built, it said that it was using 0.9.8c the one installed
as a pkg on the solaris box. Why would it do that? Anyway, the custom log
shows
the correct mod_ssl version, but an old openssl version.

Any help is much appreciated, thanks in advance guys.

Regards,
Vish.


RE: mod_ssl performance problems - FreeBSD

2007-03-26 Thread a k
The cipher you allow will have a big impact on performance.

Tim Lovelace [EMAIL PROTECTED] wrote:
Thanks for the response. Although I expected a pretty decent difference
between HTTP and HTTPS I didn’t realize it would be so significant. Both
machines are small P3 2ghz boxes, the client side is running Ubuntu. They
are connected to the same switch. For the ab options I am running

ab -n 1000 -c 100 -s https://targethost

I can live with the low tps count assuming that the speed was a little
better. I have seen some of the initial connections take from 5-10 seconds
to setup. Is there some good general tuning I should try out?

Thanks
Tim 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, March 25, 2007 11:14 AM
To: modssl-users@modssl.org
Cc: [EMAIL PROTECTED]
Subject: RE: mod_ssl performance problems - FreeBSD

What hardware are you using for the client and the server?  are you running
ab from localhost?  What options are you using with ab?
 
Most of the CPU cycles in each transaction are going to be spent in the SSL
handshake.  I just did a quick test of one of my servers running 1.3.37 on a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps
for HTTP, and 24 for HTTPS.  I suspect that the latter may represent the
capabilities of my client machine rather than the server machine.
 
If you want fast SSL, you need hardware acceleration.  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Tim Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To: modssl-users@modssl.org
Subject: mod_ssl performance problems - FreeBSD
Hello,

I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE
system. I am currently running the following software

Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1

All built from ports. In testing of the web application I noticed that once
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server can
process about 700 requests per second. Using SSL the number is in the 13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows that
there are plenty of resources available. Any help would be appreciated.


Tim


RE: mod_ssl performance problems - FreeBSD

2007-03-26 Thread Tim Lovelace
Thanks for the information. What would be the recommended SSLCipherSuite
settings to use? I would like to eliminate some of the lower security
options, but I am curious what set of clients that would affect. Originally
ports had added this line to httpd.conf

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

I then changed it to 

SSLCipherSuite !ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

And saw some huge performance changes. The TPS jumped from the 13-15 range
into the lower 60 range. Also the total transaction time dropped by more
than 2/3 of the original.


So overall I have changed these parameters -

SSLCipherSuite - see above, huge changes
SSLRandomSeed - changed from /dev/random to /dev/urandom
SSLSessionCacheTimeout - increased to 900 due to the time users will be in
the app. What is the tradeoff memory-wise?

Are there any other parameters that should be tuned? I have seen a lot about
the SSLMutex but I am not sure I understand the value of making that change.
Thanks again

Tim



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of a k
Sent: Monday, March 26, 2007 4:39 AM
To: modssl-users@modssl.org
Subject: RE: mod_ssl performance problems - FreeBSD

The cipher you allow will have a big impact on performance.

Tim Lovelace [EMAIL PROTECTED] wrote:
Thanks for the response. Although I expected a pretty decent difference
between HTTP and HTTPS I didn’t realize it would be so significant. Both
machines are small P3 2ghz boxes, the client side is running Ubuntu. They
are connected to the same switch. For the ab options I am running

ab -n 1000 -c 100 -s https://targethost

I can live with the low tps count assuming that the speed was a little
better. I have seen some of the initial connections take from 5-10 seconds
to setup. Is there some good general tuning I should try out?

Thanks
Tim 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, March 25, 2007 11:14 AM
To: modssl-users@modssl.org
Cc: [EMAIL PROTECTED]
Subject: RE: mod_ssl performance problems - FreeBSD

What hardware are you using for the client and the server?  Are you running
ab from localhost?  What options are you using with ab?
 
Most of the CPU cycles in each transaction are going to be spent in the SSL
handshake.  I just did a quick test of one of my servers running 1.3.37 on a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps
for HTTP, and 24 for HTTPS.  I suspect that the latter may represent the
capabilities of my client machine rather than the server machine.
 
If you want fast SSL, you need hardware acceleration.  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Tim Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To: modssl-users@modssl.org
Subject: mod_ssl performance problems - FreeBSD
Hello,

I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE
system. I am currently running the following software

Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1

All built from ports. In testing of the web application I noticed that once
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server can
process about 700 requests per second. Using SSL the number is in the 13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows that
there are plenty of resources available. Any help would be appreciated.


Tim
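
The two SSLCipherSuite strings quoted in this thread, run through a simplified model of OpenSSL's cipher-string operators as documented in ciphers(1). This is an added example, not code from the thread or from OpenSSL: the suite table and its tags are a small constructed subset, and `@STRENGTH` is not modelled. It shows that once `ALL` is dropped, the `+CLASS` terms only reorder suites that are already selected and add none, so the edited string leaves only the RC4 suites with RSA key exchange, one of them export-grade.

```python
# Simplified model of OpenSSL cipher-string evaluation (see ciphers(1)).
# SUITES is a constructed subset, not OpenSSL's full list. "RSA" is treated
# as RSA key exchange; ephemeral-DH suites carry "kEDH"/"aRSA" instead.
SUITES = [
    ("DHE-RSA-AES256-SHA",   {"kEDH", "aRSA", "AES", "HIGH", "SSLv3"}),
    ("AES256-SHA",           {"RSA", "AES", "HIGH", "SSLv3"}),
    ("EDH-RSA-DES-CBC3-SHA", {"kEDH", "aRSA", "3DES", "HIGH", "SSLv3"}),
    ("DES-CBC3-SHA",         {"RSA", "3DES", "HIGH", "SSLv3"}),
    ("RC4-SHA",              {"RSA", "RC4", "MEDIUM", "SSLv3"}),
    ("RC4-MD5",              {"RSA", "RC4", "MEDIUM", "SSLv3"}),
    ("DES-CBC-SHA",          {"RSA", "DES", "LOW", "SSLv3"}),
    ("EXP1024-RC4-SHA",      {"RSA", "RC4", "EXP", "EXPORT56", "SSLv3"}),
    ("EXP-RC4-MD5",          {"RSA", "RC4", "EXP", "EXPORT40", "SSLv3"}),
    ("ADH-AES256-SHA",       {"ADH", "AES", "HIGH", "SSLv3"}),
    ("NULL-SHA",             {"RSA", "eNULL", "SSLv3"}),
    ("DES-CBC3-MD5",         {"RSA", "3DES", "HIGH", "SSLv2"}),
]
TAGS = dict(SUITES)
WEAK = {"LOW", "EXP", "eNULL", "ADH", "SSLv2"}

# The two strings quoted in the thread.
PORTS_DEFAULT = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
EDITED = "!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"


def _matches(selector):
    """Suites selected by one term. 'A+B' is a logical AND of classes."""
    wanted = selector.split("+")
    hits = []
    for name, tags in SUITES:
        if selector == name:
            hits.append(name)
        # ALL selects every suite except the eNULL ones.
        elif all(w in tags or (w == "ALL" and "eNULL" not in tags)
                 for w in wanted):
            hits.append(name)
    return hits


def evaluate(cipher_string):
    """Return the ordered preference list a cipher string produces."""
    active, killed = [], set()
    for term in cipher_string.split(":"):
        if not term or term.startswith("@"):
            continue  # empty term, or @STRENGTH (not modelled)
        op = term[0] if term[0] in "!-+" else ""
        hits = _matches(term[len(op):])
        if op == "!":      # delete permanently; later terms cannot re-add
            killed.update(hits)
            active = [n for n in active if n not in hits]
        elif op == "-":    # delete, but a later term may add it back
            active = [n for n in active if n not in hits]
        elif op == "+":    # move suites that are ALREADY active to the end
            moved = [n for n in active if n in hits]
            active = [n for n in active if n not in hits] + moved
        else:              # append new matches, ignoring present/killed ones
            active += [n for n in hits
                       if n not in active and n not in killed]
    return active


def weak(suites):
    """Suites an audit should flag: LOW, export, eNULL, anonymous DH, SSLv2."""
    return [n for n in suites if TAGS[n] & WEAK]


def ephemeral_dh(suites):
    """Suites whose handshake uses ephemeral Diffie-Hellman key exchange."""
    return [n for n in suites if "kEDH" in TAGS[n]]


if __name__ == "__main__":
    for label, string in (("ports default", PORTS_DEFAULT), ("edited", EDITED)):
        result = evaluate(string)
        print(label)
        print("  order        :", ", ".join(result))
        print("  weak         :", ", ".join(weak(result)) or "none")
        print("  ephemeral DH :", ", ".join(ephemeral_dh(result)) or "none")
```

Against a real build, `openssl ciphers -v '<string>'` prints the authoritative expansion for that OpenSSL version.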



RE: mod_ssl performance problems - FreeBSD

2007-03-25 Thread Tim Lovelace
Thanks for the response. Although I expected a pretty decent difference
between HTTP and HTTPS I didn’t realize it would be so significant. Both
machines are small P3 2ghz boxes, the client side is running Ubuntu. They
are connected to the same switch. For the ab options I am running

ab -n 1000 -c 100 -s https://targethost

I can live with the low tps count assuming that the speed was a little
better. I have seen some of the initial connections take from 5-10 seconds
to setup. Is there some good general tuning I should try out?

Thanks
Tim 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, March 25, 2007 11:14 AM
To: modssl-users@modssl.org
Cc: [EMAIL PROTECTED]
Subject: RE: mod_ssl performance problems - FreeBSD

What hardware are you using for the client and the server?  Are you running
ab from localhost?  What options are you using with ab?
 
Most of the CPU cycles in each transaction are going to be spent in the SSL
handshake.  I just did a quick test of one of my servers running 1.3.37 on a
dual Xeon 3.06, using a P4-3.2 as the client, and saw about 5000rps
for HTTP, and 24 for HTTPS.  I suspect that the latter may represent the
capabilities of my client machine rather than the server machine.
 
If you want fast SSL, you need hardware acceleration.  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Tim Lovelace
Sent: Sunday, March 25, 2007 7:54 AM
To: modssl-users@modssl.org
Subject: mod_ssl performance problems - FreeBSD
Hello,

I am having some issues with my SSL implementation on a FreeBSD 6.2-RELEASE
system. I am currently running the following software

Server Version: Apache/1.3.37 (Unix) PHP/5.1.6 with Suhosin-Patch
mod_ssl/2.8.28 OpenSSL/0.9.7e-p1

All built from ports. In testing of the web application I noticed that once
SSL was added the initial login to the site was slowing down. I did some
testing using Apache Bench and have noticed that without SSL the server can
process about 700 requests per second. Using SSL the number is in the 13-15
range. I have tried changing a few parameters (log level, SSLRandomSeed,
SSLSessionCache) and have seen 0 improvement. Using server_status shows that
there are plenty of resources available. Any help would be appreciated.


Tim



Apache 2.0.59 with mod_ssl

2007-03-15 Thread Bittor Ruiz de Azúa

Hi there,

   I have installed Apache 2.0.59 from the source code with the mod_jk 
module, but now I have a problem since I want (I need) to install the 
mod_ssl module but I don't want to recompile or reinstall the whole 
Apache. Is it possible to do so? Is there any way of compiling only the 
module or to get it from an RPM or something like that? Maybe compiling 
the whole Apache but without installing it and moving the mod_ssl.so 
library to the appropriate directory? I'm working with a RedHat Linux. 
Thanks in advance. Any help or advice will be great. Thanks again,



Bittor.


Core dump with mod_ssl

2007-03-07 Thread pradeep kumar

Hi,

When I use mod_ssl and test it with RoadRunner it dumps core. The details
are given below.

$ openssl version
OpenSSL 0.9.8d 28 Sep 2006
$ httpd -v
Server version: Apache/2.0.58  HP-UX_Apache-based_Web_Server
Server built:   Dec 20 2006 13:10:19
$

(gdb) bt
#0 0xc0214508 in kill+0x10 ()
#1 0x4e9f4 in sig_coredump+0x88 ()
#2 signal handler called
#3 0xc0c3141c in ASN1_STRING_free+0x14 ()
#4 0xc0c989c8 in ASN1_primitive_free+0x68 ()
#5 0xc0c98834 in asn1_item_combine_free+0x3dc ()
#6 0xc0c987e0 in asn1_item_combine_free+0x388 ()
#7 0xc0c98388 in ASN1_item_free+0x20 ()
#8 0xc0c2bc50 in X509_free+0x18 ()
#9 0xc0be0b2c in SSL_SESSION_free+0xac ()
#10 0xc0bd96e4 in SSL_free+0x124 ()
#11 0xc0bbb64c in ssl_filter_io_shutdown+0x14c ()
#12 0xc0bbc0dc in ssl_io_filter_output+0x1fc ()
#13 0x4fa14 in ap_pass_brigade+0x6c ()
#14 0x4c114 in ap_flush_conn+0x84 ()
#15 0x4c1f8 in ap_lingering_close+0x60 ()
#16 0x3a310 in process_socket+0xb8 ()
#17 0x3aec8 in worker_thread+0x1e0 ()
#18 0xc0522f54 in dummy_worker+0x1c ()
#19 0xc0094024 in __pthread_bound_body+0xa8 ()
#20 0xc00c4ab4 in __pthread_bound_start+0x14 ()


Does it have anything to do with some pointer alignment problem? Let me know
if more details are needed.

Thanks in advance,
Pradeep


Build Apache 1.3.37 with mod_ssl on Ubuntu x86_64

2007-02-28 Thread Gianluca Magalotti
I'm trying to build Apache 1.3.37 with SSL support on a Ubuntu 6.1 
running on an AMD Turion 64.

I've downloaded the following packages:
Apache 1.3.37 sources (apache_1.3.37.tar.gz from httpd.apache.org)
Mod SSL 2.8.28 (mod_ssl-2.8.28-1.3.37.tar.gz from www.modssl.org)
Open SSL 0.9.8e (openssl-0.9.8e.tar.gz from www.openssl.org)

I've built openssl as described in the INSTALL file provided with the 
mod_ssl distribution, using gcc-4.0:
./config no-idea -fPIC no-threads --prefix=/path/to/local/openssl
make
make test
make install

Then I've patched Apache by using (in the mod_ssl directory):
./Configure --with-apache=/path/to/local/apache

then I've switched to the apache tree and configured it as follows:

MM_BASE=/path/to/mm/ \
SSL_BASE=/path/to/local/openssl \
./configure \
   --prefix=/path/to/local/apache \
   --enable-module=most \
   --enable-shared=max \
   --disable-module=auth_dbm \
   --disable-module=cern_meta \
   --disable-module=log_agent \
   --disable-module=log_referer \
   --disable-module=usertrack
make

I received an ld error while linking libssl.so saying that libcrypto.a 
(module x86_64cpuid.o) cannot be relocated, compile with -fPIC (but that is 
what I've done).
I've also tried using gcc-3.3 as well as using -fpic instead of -fPIC 
while building openssl.
I've tried to use the DSO version of libcrypto/libssl and compilation 
goes well but when starting apache it stops due to unresolved symbols 
(SSL_).
I found nothing appropriate on the Internet, because all solutions are 
to rebuild openssl with -fPIC (but that is what I'm doing).


Can someone help me?
Thanks in Advance
Gianluca



--
*Gianluca Magalotti*   View Gianluca Magalotti's profile on LinkedIn 
http://www.linkedin.com/in/gianlucamagalotti

Ph: +393489326722


httpd signal 11, Segmentation fault and mod_ssl

2007-02-21 Thread Klexx BullDogs

Good day to all. I've got a newly installed Linux box with APACHE
1.3.27 PHP/4.4.4 mod_ssl/2.8.28 OpenSSL/0.9.8d
Several times a day, lines like this appear in the httpd error_log:
child pid *  exit signal Segmentation fault (11)
I decided to get a core dump.
After using the gdb utility, I got the following output:
gdb /opt/apache/bin/httpd  /tmp/core.2019
GNU gdb Red Hat Linux (6.5-8.fc6rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type show copying to see the conditions.
There is absolutely no warranty for GDB.  Type show warranty for details.
This GDB was configured as i386-redhat-linux-gnu...(no debugging symbols
found)
Using host libthread_db library /lib/libthread_db.so.1.


warning: Can't read pathname for load map: Input/output error.
Reading symbols from /lib/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libcrypt.so.1...(no debugging symbols
found)...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/lib/libgdbm.so.2...(no debugging symbols
found)...done.
Loaded symbols for /usr/lib/libgdbm.so.2
Reading symbols from /lib/libexpat.so.0...(no debugging symbols
found)...done.
Loaded symbols for /lib/libexpat.so.0
Reading symbols from /lib/libdl.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libc.so.6...
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols
found)...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...(no debugging symbols
found)...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /opt/apache/libexec/libphp4.so...done.
Loaded symbols for /opt/apache/libexec/libphp4.so
Reading symbols from /usr/lib/libpng12.so.0...done.
Loaded symbols for /usr/lib/libpng12.so.0
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/libjpeg.so.62...done.
Loaded symbols for /usr/lib/libjpeg.so.62
Reading symbols from /usr/lib/libcurl.so.3...done.
Loaded symbols for /usr/lib/libcurl.so.3
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /lib/libnsl.so.1...done.
Loaded symbols for /lib/libnsl.so.1
Reading symbols from /usr/lib/libgssapi_krb5.so.2...done.
Loaded symbols for /usr/lib/libgssapi_krb5.so.2
Reading symbols from /usr/lib/libkrb5.so.3...done.
Loaded symbols for /usr/lib/libkrb5.so.3
Reading symbols from /usr/lib/libk5crypto.so.3...done.
Loaded symbols for /usr/lib/libk5crypto.so.3
Reading symbols from /lib/libcom_err.so.2...done.
Loaded symbols for /lib/libcom_err.so.2
Reading symbols from /usr/lib/libidn.so.11...done.
Loaded symbols for /usr/lib/libidn.so.11
Reading symbols from /lib/libssl.so.6...done.
Loaded symbols for /lib/libssl.so.6
Reading symbols from /lib/libcrypto.so.6...done.
Loaded symbols for /lib/libcrypto.so.6
Reading symbols from /usr/lib/libkrb5support.so.0...done.
Loaded symbols for /usr/lib/libkrb5support.so.0
Reading symbols from /usr/local/Zend/lib/ZendExtensionManager.so...done.
Loaded symbols for /usr/local/Zend/lib/ZendExtensionManager.so
Reading symbols from /usr/local/Zend/lib/Optimizer-3.2.0/php-4.4.x/ZendOptimizer.so...done.
Loaded symbols for /usr/local/Zend/lib/Optimizer-3.2.0/php-4.4.x/ZendOptimizer.so
Failed to read a valid object file image from memory.
Core was generated by `/opt/apache/bin/httpd -DSSL'.
Program terminated with signal 11, Segmentation fault.
#0  0x08101ea1 in do_ssl3_write ()
(gdb) bt full
#0  0x08101ea1 in do_ssl3_write ()
No symbol table info available.
#1  0x08101e9e in do_ssl3_write ()
No symbol table info available.
#2  0x0010 in ?? ()
No symbol table info available.
#3  0x082fb5b8 in ?? ()
No symbol table info available.
#4  0x in ?? ()
No symbol table info available.

As you can see, the segfault was in the function do_ssl3_write ().
The next step is to identify this problem. What could it be?
Thanks in advance!!


mod_ssl for apache 2.x?

2006-12-29 Thread Bahadir Balban

Hi,

Does mod_ssl work on Apache 2.x? Why does it say mod_ssl is for 1.3 everywhere?

Is there any other ssl solution to apache 2.x?


Thanks,
Bahadir


Re: mod_ssl for apache 2.x?

2006-12-29 Thread Mads Toftum
On Fri, Dec 29, 2006 at 08:31:32PM +, Bahadir Balban wrote:
> Does mod_ssl work on Apache 2.x? Why does it say mod_ssl is for 1.3
> everywhere?

Because the version of mod_ssl you find at modssl.org is only for 1.3.

> Is there any other ssl solution to apache 2.x?

--enable-ssl when configuring apache 2 - mod_ssl is included in the
apache httpd-2.x source.

vh

Mads Toftum
-- 
http://soulfood.dk


RE: Mod_SSL

2006-11-10 Thread kbajwa

Cliff:

You are all right. This is my first try to build a server, so I need
further help.

I have downloaded the latest Apache version httpd-2.2.3. I am at the
point where I need to patch it with mod_ssl module. Can you guide me
how to patch httpd-2.2.3 with the latest version of
mod_ssl-2.2.828-1.3.37?

Thanks in advance.

Kirt

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cliff Woolley
Sent: Tuesday, November 07, 2006 5:05 PM
To: modssl-users@modssl.org
Subject: Re: Mod_SSL

What this person is getting at is that the reason you can't find a mod_ssl
patch for Apache 2.x is that mod_ssl comes pre-bundled with Apache 2.x.
Just enable it when you run configure on the apache build.

--Cliff

On 11/7/06, Kong, Yi - HPL [EMAIL PROTECTED] wrote:

You add ssl argument when you configure the apache

From: kbajwa [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 07, 2006 10:22 AM
To: modssl-users@modssl.org
Subject: Mod_SSL

My first posting! I am installing Apache-2.2.3 and would like to install
mod_ssl. I notice that current/latest version of mod_ssl is for
Apache-1.x.x version. Is there any way (with a patch) to install the
latest version of mod_ssl on Apache-2.x.x?

Re: Mod_SSL

2006-11-10 Thread Cliff Woolley
You don't have to patch anything. It's already in there. Just add
--enable-ssl to the ./configure command line arguments.

--Cliff

On 11/10/06, kbajwa [EMAIL PROTECTED] wrote:

Cliff:

You are all right. This is my first try to build a server, so I need
further help.

I have downloaded the latest Apache version 'httpd-2.2.3'. I am at the
point where I need to patch it with 'mod_ssl' module. Can you guide me
how to patch 'httpd-2.2.3' with the latest version of
'mod_ssl-2.2.828-1.3.37'?

Thanks in advance.

Kirt

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cliff Woolley
Sent: Tuesday, November 07, 2006 5:05 PM
To: modssl-users@modssl.org
Subject: Re: Mod_SSL

What this person is getting at is that the reason you can't find a mod_ssl
patch for Apache 2.x is that mod_ssl comes pre-bundled with Apache 2.x.
Just enable it when you run configure on the apache build.

--Cliff

On 11/7/06, Kong, Yi - HPL [EMAIL PROTECTED] wrote:

You add ssl argument when you configure the apache

From: kbajwa [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 07, 2006 10:22 AM
To: modssl-users@modssl.org
Subject: Mod_SSL

My first posting! I am installing Apache-2.2.3 and would like to install
mod_ssl. I notice that current/latest version of mod_ssl is for
Apache-1.x.x version. Is there any way (with a patch) to install the
latest version of mod_ssl on Apache-2.x.x?

Forgotten mod_ssl pool?

2006-11-07 Thread Christiaan Lamprecht

Apache 2 SSL question which is probably related to mod_ssl:

The Apache 2.2.3 SSL implementation has a pool in the ssl_expr_node
struct (in ssl_expr.h) whereas the latest mod_ssl implementation does
not. I know mod_ssl is only for Apache 3.1.* but the pool in Apache
2.2.3 doesn't seem to be used anyway!

Is this just a forgotten pool from older versions of mod_ssl or does
it have a purpose?

An extra pointer in the struct is not really a problem as such but I
want to make a copy (in my own allocated memory, which is not tied to an
apache pool) and then execute it later using ssl_expr_exec(). If a
copy of the contents of the pool is also necessary, well then it could
be a problem.


Many thanks to anyone who knows
Christiaan


Some more details below:

---
ssl_expr.h:

typedef struct {
  ssl_expr_node_op node_op;
  void *node_arg1;
  void *node_arg2;
  apr_pool_t *p;
} ssl_expr_node;

typedef ssl_expr_node ssl_expr;
---
The pool in ssl_expr_node doesn't seem to be used? Either when the
struct is created(ssl_expr.c):
ssl_expr *ssl_expr_comp(apr_pool_t *p, char *expr)

or when it is evaluated:
int ssl_expr_exec(request_rec *r, ssl_expr *expr)


Many thanks in advance
Christiaan Lamprecht


Mod_SSL

2006-11-07 Thread kbajwa

Hello List:

My first posting! I am installing Apache-2.2.3 and would like
to install mod_ssl. I notice that current/latest version of mod_ssl is for
Apache-1.x.x version. Is there any way (with a patch) to install the latest
version of mod_ssl on Apache-2.x.x?

Thanks.

Kirt

RE: Mod_SSL

2006-11-07 Thread Kong, Yi - HPL



You add ssl argument when you configure the apache

From: kbajwa [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 07, 2006 10:22 AM
To: modssl-users@modssl.org
Subject: Mod_SSL

Hello List:

My first posting! I am installing Apache-2.2.3 and would like to install
mod_ssl. I notice that current/latest version of mod_ssl is for
Apache-1.x.x version. Is there any way (with a patch) to install the
latest version of mod_ssl on Apache-2.x.x?

Thanks.

Kirt





  


Re: Mod_SSL

2006-11-07 Thread Cliff Woolley
What this person is getting at is that the reason you can't find a mod_ssl
patch for Apache 2.x is that mod_ssl comes pre-bundled with Apache 2.x.
Just enable it when you run configure on the apache build.

--Cliff

On 11/7/06, Kong, Yi - HPL [EMAIL PROTECTED] wrote:

You add ssl argument when you configure the apache

From: kbajwa [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 07, 2006 10:22 AM
To: modssl-users@modssl.org
Subject: Mod_SSL

My first posting! I am installing Apache-2.2.3 and would like to install
mod_ssl. I notice that current/latest version of mod_ssl is for
Apache-1.x.x version. Is there any way (with a patch) to install the
latest version of mod_ssl on Apache-2.x.x?


Re: Howto unload the mod_ssl from memory?

2006-11-07 Thread Louise Hoffman

> Hi Louise,

Hi Patrick =)

> Include conf.d/*.conf
>
>    So this includes *.conf files listed in the conf.d directory (in
> mine, this is on the same directory level as the conf directory
> below /etc/httpd). My ssl.conf file is in this second directory and
> has as one of its commands:

This was just it =)

I backed up the original and called it _ssl.conf

From now on I will learn how to use SVN, and check /etc in as
the first thing, so I don't try something similar another time =)

>    I do not know if this will apply to your situation but it sounds like
> it might be something to check. It took me a couple of hours of digging
> around in the filesystem to find that one. I'm a noobie or I guess I
> would have found it quicker.  :-)

I think I spent about 4-5 hours on the debugging and tracing without
solving this problem, so I am very glad for Michael's and your reply
=) I would never have solved it without.

With love,
Louise


Re: Howto unload the mod_ssl from memory?

2006-11-05 Thread Michael Pacey
This:
module ssl_module is already loaded, skipping

means you have LoadModule ssl_module specified twice in your apache
configuration.

This:
_default_ VirtualHost overlap on port 443, the first has precedence

means you have two virtual hosts defined in your configuration which
conflict because they want to use the same socket (IP address/port
pair).

When you move ssl_conf out the way, SSL still works because you must
have LoadModule ssl_module and an SSL virtual host defined in another
config file. Look through your config files and find the offending
duplicate entries.

What's probably happening is your Apache distribution already has SSL
configured, and when you've followed the SSL howto you've duplicated the
steps required to enable SSL.

That's my tuppence worth anyway. Hope it helps.

--
Michael




Re: Howto unload the mod_ssl from memory?

2006-11-05 Thread Patrick Riggins

Louise Hoffman wrote:

> Replying to my own post again.
>
> Even if I have stopped all daemons that use libssl, I get the
> module ssl_module is already loaded, skipping error.
>
> Could there be something very wrong with my ssl.conf? I haven't made
> changes to httpd.conf because this howto doesn't do that:
> http://www.vanemery.com/Linux/Apache/apache-SSL.html


Hi Louise,

  Two things you can check are your httpd.conf and ssl.conf files.
In mine, the httpd.conf file contains:

LoadModule ssl_module modules/mod_ssl.so

and then just a few  lines down:

#
# Load config files from the config directory /etc/httpd/conf.d.
#
Include conf.d/*.conf


  So this includes *.conf files listed in the conf.d directory (in
mine, this is on the same directory level as the conf directory
below /etc/httpd). My ssl.conf file is in this second directory and
has as one of its commands:

LoadModule ssl_module modules/mod_ssl.so

  This was triggering the same error you are seeing on your server.
I kept trying to find out why this module was getting loaded twice
and finally ran it down. I just commented out the LoadModule...
command in the httpd.conf file and the problem cleared up (since it
was only getting loaded once now instead of twice: once in the
httpd.conf file and again in the ssl.conf file).

  I do not know if this will apply to your situation but it sounds like
it might be something to check. It took me a couple of hours of digging
around in the filesystem to find that one. I'm a noobie or I guess I 
would have found it quicker.  :-)


Patrick
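
One way to find the duplicates described in this thread without digging through the filesystem by hand, as an added example that is not code from the thread or from Apache: the script follows `Include` lines the way httpd resolves them (relative to ServerRoot, with wildcards) and reports every `LoadModule`, `Listen` and `_default_` VirtualHost that appears more than once. The function names and the sample tree, including the file `ssl_copy.conf`, are constructed for illustration.

```python
import glob
import os
from collections import defaultdict


def read_directives(server_root, conf_path, depth=0):
    """Yield (file, lineno, name, args) for conf_path and all it Includes."""
    if depth > 10:  # guard against Include loops
        return
    pattern = conf_path if os.path.isabs(conf_path) \
        else os.path.join(server_root, conf_path)
    for match in sorted(glob.glob(pattern)):
        if os.path.isdir(match):  # Include of a directory: read its files
            yield from read_directives(server_root,
                                       os.path.join(match, "*"), depth + 1)
            continue
        with open(match, encoding="utf-8", errors="replace") as fh:
            for lineno, raw in enumerate(fh, 1):
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                parts = line.split()
                name, args = parts[0], parts[1:]
                if name.lower() == "include" and args:
                    yield from read_directives(server_root, args[0], depth + 1)
                else:
                    rel = os.path.relpath(match, server_root)
                    yield rel, lineno, name, args


def find_duplicates(server_root, main_conf="conf/httpd.conf"):
    """Map each repeated directive to the 'file:line' places that set it."""
    where = defaultdict(list)
    for path, lineno, name, args in read_directives(server_root, main_conf):
        low, key = name.lower(), None
        if low == "loadmodule" and args:
            key = ("LoadModule", args[0])            # module identifier
        elif low == "listen" and args:
            key = ("Listen", args[0])                # exact address match only
        elif low == "<virtualhost" and args and args[0].startswith("_default_"):
            key = ("VirtualHost", args[0].rstrip(">"))
        if key:
            where[key].append(f"{path}:{lineno}")
    return {k: v for k, v in where.items() if len(v) > 1}


def build_sample_tree(root):
    """Write a constructed config tree that reproduces the thread's errors."""
    files = {
        "conf/httpd.conf": (
            "# constructed sample\n"
            "LoadModule ssl_module modules/mod_ssl.so\n"
            "Include conf.d/*.conf\n"),
        "conf.d/ssl.conf": (
            "LoadModule ssl_module modules/mod_ssl.so\n"
            "Listen 443\n"
            "<VirtualHost _default_:443>\n"
            "SSLEngine on\n"
            "</VirtualHost>\n"),
        "conf.d/ssl_copy.conf": (
            "Listen 443\n"
            "<VirtualHost _default_:443>\n"
            "SSLEngine on\n"
            "</VirtualHost>\n"),
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for (directive, arg), places in sorted(find_duplicates(root).items()):
            print(f"{directive} {arg} set {len(places)} times: "
                  + ", ".join(places))
```

On a real server, call `find_duplicates("/etc/httpd")` with the ServerRoot of the installation; any file in conf.d whose name still matches `*.conf`, a renamed backup included, is read by httpd and by this script.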









Howto unload the mod_ssl from memory?

2006-11-04 Thread Louise Hoffman

Dear readers,

Can anyone teach me how to unload/kill/remove the SSL module from
memory, so when I restart Apache the SSL module will be loaded again?

The reason I am asking is because I get this error:

Starting httpd: [Sat Nov 04 18:59:43 2006] [warn] module ssl_module is already loaded, skipping
[Sat Nov 04 18:59:43 2006] [warn] _default_ VirtualHost overlap on port 443, the first has precedence
(98)Address already in use: make_sock: could not bind to address [::]:443
no listening sockets available, shutting down
Unable to open logs

and the strangest thing is, if I
~# mv /etc/httpd/conf.d/ssl_conf /etc/httpd/conf.d/ssl_conf_old
~# apachectl restart

it works, but https:// still works on the server.

So I guess if I could unload the module I could make the changes to
ssl_conf that I need, and restart Apache and the new settings would be
loaded.

Can anyone help me with this? =)

Lots of love,
Louise


Re: Howto unload the mod_ssl from memory?

2006-11-04 Thread Louise Hoffman

Replying to my own post.

I have found the problem, and it is not Apache not unloading its modules =)

~# lsof|grep ssl
rpc.idmap  2607root  mem   REG  253,02136005884682
/lib/libssl.so.0.9.7a
vsftpd 2760root  mem   REG  253,02136005884682
/lib/libssl.so.0.9.7a
mysqld31323   mysql  mem   REG  253,02136005884682
/lib/libssl.so.0.9.7a
~#

but rpc.idmap (whatever that is), vsftpd, and mysqld.

One problem solved, another arose =)

Any help I can get is much appreciated =)

Love,
Louise


Re: Howto unload the mod_ssl from memory?

2006-11-04 Thread Louise Hoffman

Replying to my own post again.

Even if I have stopped all daemons that use libssl, I get the
module ssl_module is already loaded, skipping error.

Could there be something very wrong with my ssl.conf? I haven't made
changes to httpd.conf because this howto doesn't do that:
http://www.vanemery.com/Linux/Apache/apache-SSL.html

I have stripped the comments from it to shorten it for this email.

So I am completely out of ideas now... I hope someone on this
mailing list can help me =)

Hugs,
Louise


LoadModule ssl_module modules/mod_ssl.so

Listen 443

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

SSLPassPhraseDialog  builtin

SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300

SSLMutex default

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>

DocumentRoot /var/www/html
ServerName removed.com:443
ServerAdmin [EMAIL PROTECTED]

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/my-ca.crt
SSLCACertificateFile /etc/httpd/conf/ssl.crt/my-ca.crt

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
   SSLOptions +StdEnvVars
</Files>
<Directory /var/www/cgi-bin>
   SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
 "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>


Re: Does Mod_SSL use SSL_get_shared_ciphers()?

2006-10-26 Thread Per Olausson


So what are the next steps...is this being highlighted as a risk anywhere?

I am surprised that this doesn't get onto the main security page if it 
is a risk...how else would anyone find out about it and take 
preventative measures?


Regards,


Per

Phil Ehrens wrote:

Interesting. Must be an Apache 2.2.X thing. The symbol
definitely does not appear in 2.0.55.

Per Olausson wrote:
  

Phil,

Is it the way I am building Apache or is Linux or Solaris hiding this
symbol? I've checked this on a gentoo build, but on my machine the
module has no symbols.

Details as below:

Apache/2.2.3
OpenSSL 0.9.8c
AIX 5200-09
*
nm mod_ssl.so | grep SSL_get_shared_ciphers
.SSL_get_shared_ciphers T   269028692
.SSL_get_shared_ciphers_139_116 t   269031772*

nm(1):

T Global text symbol.
t Local text symbol.

Regards,


Per

Phil Ehrens wrote:


Per Olausson wrote:
 
  

Phil Ehrens:
I just checked a couple different versions and did not see that
function.
 
  
I posted a question about this to the apache security mailbox, but 
nobody responded. I guess that is in line with the policy for that 
mailbox even if I find it somewhat unhelpful, considering that SSL isn't 
completely a rarity when using Apache.

The reason I am concerned is because mod_ssl indirectly references 
SSL_get_shared_ciphers. It is in use. You can see this if you use 
something like nm and grep for this function.

So is mod_ssl vulnerable? Is the functionality insulated and not 
possible to trigger from the mod_ssl user scenario, or is it?

If anyone has any ideas please let me know!
   


The symbol is not defined in mod_ssl on any of my Linux or Solaris
systems, all of which are running Apache-2.0.55. What version are
you looking at?


Re: Does Mod_SSL use SSL_get_shared_ciphers()?

2006-10-26 Thread Per Olausson


One more thing. I can see this on 2.0.54 with OpenSSL at 0.9.7d on AIX 
as well.


I think there is something masking this problem on other platforms, or I 
have been building this in some weird and mysterious way you guys don't 
do (highly unlikely I think).


Regards,


Per

Phil Ehrens wrote:

Interesting. Must be an Apache 2.2.X thing. The symbol
definitely does not appear in 2.0.55.

Per Olausson wrote:
  




Re: Does Mod_SSL use SSL_get_shared_ciphers()?

2006-10-25 Thread Per Olausson


Phil,

Is it the way I am building Apache or is Linux or Solaris hiding this
symbol? I've checked this on a gentoo build, but on my machine the
module has no symbols.

Details as below:

Apache/2.2.3
OpenSSL 0.9.8c
AIX 5200-09
nm mod_ssl.so | grep SSL_get_shared_ciphers
.SSL_get_shared_ciphers T   269028692
.SSL_get_shared_ciphers_139_116 t   269031772

nm(1):

T Global text symbol.
t Local text symbol.

Regards,


Per

Phil Ehrens wrote:

Per Olausson wrote:
  

Phil Ehrens:
I just checked a couple different versions and did not see that
function.
  
I posted a question about this to the apache security mailbox, but 
nobody responded. I guess that is in line with the policy for that 
mailbox even if I find it somewhat unhelpful, considering that SSL isn't 
completely a rarity when using Apache.


The reason I am concerned is because mod_ssl indirectly references 
SSL_get_shared_ciphers. It is in use. You can see this if you use 
something like nm and grep for this function.


So is mod_ssl vulnerable? Is the functionality insulated and not 
possible to trigger from the mod_ssl user scenario, or is it?


If anyone has any ideas please let me know!



The symbol is not defined in mod_ssl on any of my Linux or Solaris
systems, all of which are running Apache-2.0.55. What version are
you looking at?
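Added example, not part of any message in this thread: the `nm` check discussed above, written as a shell function that reports whether a symbol is compiled into a module (type `T`/`t`, as in the AIX output quoted by Per) or only imported from a shared library (type `U`). It accepts both the AIX column order and the GNU/BSD one; apart from the two lines repeated from the thread, the sample lines are constructed and `example_handler` is a hypothetical symbol name.

```shell
#!/bin/sh
# classify_symbol SYMBOL < nm-output
# Prints one word:
#   defined    the symbol's code sits inside this object (any type except U)
#   undefined  the object only imports it (type U); the loader resolves it
#   absent     no entry with exactly this name
# Only an exact name match counts, so a suffixed local copy such as
# SSL_get_shared_ciphers_139_116 is not reported under the plain name.
classify_symbol() {
    awk -v sym="$1" '
        function is_type(s) { return s ~ /^[A-Za-z]$/ }
        # AIX nm prefixes function entry points with a dot
        function norm(s)    { sub(/^\./, "", s); return s }
        {
            type = ""
            if (NF == 2 && is_type($1) && norm($2) == sym) {
                type = $1                    # GNU/BSD undefined: "U name"
            } else if (NF >= 2 && is_type($2)) {
                if (norm($1) == sym) {
                    type = $2                # AIX, nm -P: "name type [value]"
                } else if (NF >= 3 && norm($3) == sym) {
                    type = $2                # GNU/BSD: "value type name"
                }
            }
            if (type == "") { next }
            if (type == "U") { undef = 1 } else { def = 1 }
        }
        END { print (def ? "defined" : (undef ? "undefined" : "absent")) }
    '
}

# What each result means for patching the OpenSSL code the module uses.
explain() {
    case "$1" in
        defined)   echo "OpenSSL code is linked into the module: rebuild the module against a fixed OpenSSL" ;;
        undefined) echo "resolved from the shared libssl at load time: upgrade that library and restart" ;;
        absent)    echo "module neither contains nor directly imports the symbol" ;;
    esac
}

# The two nm lines quoted in the thread (AIX column order).
sample_aix_thread() {
    printf '%s\n' \
        '.SSL_get_shared_ciphers T   269028692' \
        '.SSL_get_shared_ciphers_139_116 t   269031772'
}
# Constructed GNU nm lines: the module imports the symbol from a shared library.
sample_gnu_dynamic() {
    printf '%s\n' \
        '                 U SSL_get_shared_ciphers' \
        '0000000000012340 T example_handler'
}
# Constructed GNU nm line: the symbol does not appear at all.
sample_gnu_unrelated() {
    printf '%s\n' '0000000000012340 T example_handler'
}

# Usage: sh check.sh MODULE [SYMBOL]
# With GNU nm, a stripped .so lists its symbols only with -D; adjust the call.
if [ "$#" -ge 1 ]; then
    state=$(nm "$1" 2>/dev/null | classify_symbol "${2:-SSL_get_shared_ciphers}")
    echo "$1: $state ($(explain "$state"))"
fi
```

A result of `defined` or `undefined` shows only how the module is linked to the function, not whether a request can reach it at run time.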


Re: Does Mod_SSL use SSL_get_shared_ciphers()?

2006-10-25 Thread Phil Ehrens
Interesting. Must be an Apache 2.2.X thing. The symbol
definitely does not appear in 2.0.55.

Per Olausson wrote:
 
 Phil,
 
 Is it the way I am building Apache or is Linux or Solaris hiding this
 symbol? I've checked this on a gentoo build, but on my machine the
 module has no symbols.
 
 Details as below:
 
 Apache/2.2.3
 OpenSSL 0.9.8c
 AIX 5200-09
 nm mod_ssl.so | grep SSL_get_shared_ciphers
 .SSL_get_shared_ciphers T   269028692
 .SSL_get_shared_ciphers_139_116 t   269031772
 
 nm(1):
 
 T Global text symbol.
 t Local text symbol.
 
 Regards,
 
 
 Per
 
 Phil Ehrens wrote:
 Per Olausson wrote:
   
 Phil Ehrens:
 I just checked a couple different versions and did not see that
 function.
   
 I posted a question about this to the apache security mailbox, but 
 nobody responded. I guess that is in line with the policy for that 
 mailbox even if I find it somewhat unhelpful, considering that SSL isn't 
 completely a rarity when using Apache.
 
 The reason I am concerned is because mod_ssl indirectly references 
 SSL_get_shared_ciphers. It is in use. You can see this if you use 
 something like nm and grep for this function.
 
 So is mod_ssl vulnerable? Is the functionality insulated and not 
 possible to trigger from the mod_ssl user scenario, or is it?
 
 If anyone has any ideas please let me know!
 
 
 The symbol is not defined in mod_ssl on any of my Linux or Solaris
 systems, all of which are running Apache-2.0.55. What version are
 you looking at?

-- 
Phil Ehrens [EMAIL PROTECTED]| Fun stuff:
The LIGO Laboratory, MS 18-34 | http://www.ralphmag.org
California Institute of Technology| http://www.trenchman.com
1200 East California Blvd.| http://www.tokyotosho.com
Pasadena, CA 91125 USA| My gpg public key:
Phone:(626)395-8518 Fax:(626)793-9744 | http://www.imbe.net/peligo.asc


Re: Does Mod_SSL use SSL_get_shared_ciphers()?

2006-10-24 Thread Per Olausson



Phil Ehrens:
I just checked a couple different versions and did not see that
function.


I posted a question about this to the apache security mailbox, but 
nobody responded. I guess that is in line with the policy for that 
mailbox even if I find it somewhat unhelpful, considering that SSL isn't 
completely a rarity when using Apache.


The reason I am concerned is because mod_ssl indirectly references 
SSL_get_shared_ciphers. It is in use. You can see this if you use 
something like nm and grep for this function.


So is mod_ssl vulnerable? Is the functionality insulated and not 
possible to trigger from the mod_ssl user scenario, or is it?


If anyone has any ideas please let me know!

Regards,


Per Olausson




Re: Does Mod_SSL use SSL_get_shared_ciphers()?

2006-10-24 Thread Phil Ehrens
Per Olausson wrote:
 
 Phil Ehrens:
 I just checked a couple different versions and did not see that
 function.
 
 I posted a question about this to the apache security mailbox, but 
 nobody responded. I guess that is in line with the policy for that 
 mailbox even if I find it somewhat unhelpful, considering that SSL isn't 
 completely a rarity when using Apache.
 
 The reason I am concerned is because mod_ssl indirectly references 
 SSL_get_shared_ciphers. It is in use. You can see this if you use 
 something like nm and grep for this function.
 
 So is mod_ssl vulnerable? Is the functionality insulated and not 
 possible to trigger from the mod_ssl user scenario, or is it?
 
 If anyone has any ideas please let me know!

The symbol is not defined in mod_ssl on any of my Linux or Solaris
systems, all of which are running Apache-2.0.55. What version are
you looking at?


Does Mod_SSL use SSL_get_shared_ciphers()?

2006-10-11 Thread Stanley Laufer
Does anyone know if Mod_SSL uses the SSL_get_shared_ciphers()
function from OpenSSL?

As you may know a buffer overflow has been detected in that
function in OpenSSL versions prior to 0.9.8d.

I'm trying to find out if Mod_SSL uses the vulnerable function.

Thanks in advance.



Stanley E. Laufer
Network Administrator
School of Library and Information Science
San Jose State University



Re: Does Mod_SSL use SSL_get_shared_ciphers()?

2006-10-11 Thread Phil Ehrens
Stanley Laufer wrote:
 Does anyone know if Mod_SSL uses the SSL_get_shared_ciphers()
 function from OpenSSL?
 
 As you may know a buffer overflow has been detected in that
 function in OpenSSL versions prior to 0.9.8d.
 
 I'm trying to find out if Mod_SSL uses the vulnerable function.

I just checked a couple different versions and did not see that
function.


Re: Newbie Question regarding mod_ssl

2006-10-11 Thread William A. Rowe, Jr.
http://hunter.campbus.com/ - and yes Chris is trustworthy.  Blame Canada :)

Bill

Eckard Wille wrote:
 Erol Yalaz wrote:
 I have a WIN2003 box with the latest Apache on it (2.2.3) and it is
 working great.  I need to get mod_ssl working.  Unfortunately, I can’t

 Any suggestions?  Shouldn’t there be some pre-compiled binaries out there?
 
 http://www.apachelounge.com/download/
 
 If you trust them :-)
 
 Greetings
 Eckard


apache configuration and mod_ssl

2006-10-10 Thread Yannick Majoros

Hello,

We have some problem with the configuration of apache.

We have a couple of virtual hosts (about 10), many of which use 
ssl. We have been maintaining them for a couple of years, and although 
we can make them work, I don't like the way we do it now.


As I understand, all virtual hosts configuration files should be in 
/etc/httpd/conf.d . The problem is that most of our virtual hosts use 
mod_ssl, and that ssl.conf is itself not loaded first. As such, every 
virtual host whose name is alphabetically before ssl.conf cannot use 
ssl, as the Listen 443 directive is in ssl.conf. The solution we found 
was to move all virtual hosts in /etc/httpd/conf.d/vhosts/ . This works, 
but every time a package such as subversion gets updated, it creates a new 
file in /etc/httpd/conf.d/ , duplicating the virtual hosts and causing 
problems.


What can we do to get things to work, to be able to have standard packages 
updating themselves and to do things in a standard way? We use httpd 
2.2.2 (standard package) on fedora core 5.


Regards,

--
--
Yannick Majoros http://www.inma.ucl.ac.be/~majoros
IT specialist, UCL/INMA-MEMA
4, avenue G. Lemaître
B-1348 Louvain-la-Neuve
Tel: +32-10-47.80.10
Fax: +32-10-47.21.80
--
My online calendar: http://www.inma.ucl.ac.be/~majoros/calendar
Strange accents? http://www.inma.ucl.ac.be/~majoros/email.html
--







mod_ssl and Apache with gSoap

2006-09-21 Thread Sriram, Prashanth Pigileti (STSD)
Hi,

   This is regarding using Apache server with mod_ssl and mod_gsoap
modules. I am confused as to who would handle the certificate
verification in such a case where the directive 'SSLVerifyClient' is set
to 2. I understand gSoap has its own authentication layer for users and
might actually interrupt the usual HTTPS certificate verification
process. Please let me know if any specific configurations can ensure
that mod_ssl would certify clients before allowing access to gSoap web
services.

Thanks in Advance,
Prashanth


mod_ssl / Apache 2.2.3 / Windows

2006-09-05 Thread Michael Goodell
We are trying to implement: Windows XP, Apache 2.2.3, mod_ssl and running
into problems.

Question:

Is it possible to do this under Windows without compiling Apache from
source?

We were able to get it to work using Apache 2.0.59 after some wrangling with
OpenSSL and cert creation.
(Had to create the certs on a Unix (FreeBSD) system / OpenSSL install)

I would like to ask if there is a how-to document for mod_ssl / Apache 2.2.3
/ Winderz that covers how to do this successfully.

We keep running into Apache complaining it cannot load / find the mod_ssl.so
module. We have taken the proper steps in adding

LoadModule ssl_module modules/mod_ssl.so to the httpd.conf file and adding
the mod_ssl.so file to the modules directory. But every time we attempt to
start the server it fails with the error cannot load / find the mod_ssl.so
file. Are there other files missing? We have OpenSSL installed and the
libeay32.dll  ssleay32.dll installed in system32 directory.

Is there a precompiled mod_ssl.so available for Windows?

Thanks a lot for any direction.




[ANNOUNCE] mod_ssl 2.8.28 for Apache 1.3.37

2006-07-28 Thread Ralf S. Engelschall
Apache 1.3.37 was released because of security issues.
Find a corresponding mod_ssl 2.8.28-1.3.37 at modssl.org now, too.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Mod_ssl 2.8.16 security patches.

2006-07-21 Thread madhu.subbaiah


Hi All,

Thanks.


This is regarding mod_ssl 2.8.16 security vulnerabilities.

We use mod_ssl-2.8.16. The Nessus tool reported a few security vulnerabilities.

1) CVE : CVE-2004-0488  BID : 10355 Other references : OSVDB:6472

2) CVE : CVE-2004-0700  BID : 10736
3) CVE : CVE-2004-0488  BID : 10355 Other references : OSVDB:6472

Upgrading to a newer mod_ssl version involves a lot of effort, so we are
looking for 2.8.16 patches.
Where are the 2.8.16 patches for the above bugs?


Thanks for your assistance.

Madhu K.S.




Client SSL authentication on Apache + mod_ssl

2006-06-30 Thread modssl
I am required to have our apache server using PKI client authentication
by the end of July.

I have set up a test server with the latest and greatest

Apache/2.2.2 (Unix)
mod_ssl/2.2.2
OpenSSL/0.9.7

I have set up a ssl.conf using

SSLVerifyClient require
SSLVerifyDepth  10

and populated a CA certification file and enabled

SSLCACertificateFile /usr/local/apache2/conf/dod_ca_bundle.crt

On start the logs (set to debug) show the dod_ca_bundle.crt file being
read in properly

-- log output begin -
ssl_engine_init.c(405): Creating new SSL context (protocols: SSLv2,
SSLv3, TLSv1)
ssl_engine_init.c(538): Configuring client authentication
ssl_engine_init.c(1113): CA certificate: /C=US/O=U.S.
Government/OU=DoD/OU=PKI/CN=DOD CLASS 3 CA-10
ssl_engine_init.c(1113): CA certificate: /C=US/O=U.S.
Government/OU=DoD/OU=PKI/CN=DoD CLASS 3 Root CA
ssl_engine_init.c(601): Configuring permitted SSL ciphers
[ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
-- log output end -

However, when attempting to connect with IE nothing is returned. The
pertinent log output looks like

-- log output begin -
ssl_engine_kernel.c(1752): OpenSSL: Handshake: start
ssl_engine_kernel.c(1760): OpenSSL: Loop: before/accept initialization
ssl_engine_io.c(1775): OpenSSL: read 11/11 bytes from BIO#918b100 [mem:
9192780] (BIO dump follows)
:
:
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read client hello A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write server hello A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write certificate A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 write certificate
request A
ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 flush data
-- log output end -

Looks like the next line indicates a problem:

-- log output begin -
ssl_engine_io.c(1786): OpenSSL: I/O error, 5 bytes expected to read on
BIO #918b100 [mem: 9192780]
ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client
certificate A
ssl_engine_kernel.c(1789): OpenSSL: Exit: error in SSLv3 read client
certificate A
[client 157.187.160.114] (70014)End of file found: SSL handshake
interrupted by system [Hint: Stop button pressed in browser?!]
-- log output end -

Any help with this problem would be greatly appreciated.


apach3 and mod_ssl sending close_notify and getting XMLHTTP on IE out of sync

2006-06-22 Thread Pascal C. Kocher

Hello all

In my environment a reverse proxy using apache (and mod_ssl) secures
the frontend server.

The problem arises when using OWA and checking names in the mail being
sent. IE uses XMLHTTP to make asynchronous lookups of the username to
the backend resulting in a POST through the SSL channel.

Before the problem arises, mod_ssl sends an SSL alert (close_notify)
to the browser and closes the connection. When the user checks the
names in OWA now, the XMLHTTP still tries to send through the
previously closed SSL channel, to no avail of course.

Is there a possibility to stop mod_ssl from closing the SSL channel or
can anybody point me into the right direction.

Best regards,
Pascal.

PS: I have traces if needed (snoop and ssldump)


[ANNOUNCE] mod_ssl 2.8.27 for Apache 1.3.36

2006-05-17 Thread Ralf S. Engelschall
Today Apache 1.3.36 was released.
An updated mod_ssl 2.8.27 for Apache 1.3.36 is now available, too.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



Re: [ANNOUNCE] mod_ssl 2.8.27 for Apache 1.3.36

2006-05-17 Thread William A. Rowe, Jr.

FYI - if you are asking, there's no announce yet since 1.3.36 simply fixes
the Include directive regressions introduced in 1.3.35, if you either nested
your Include directive in a <Something> </Something> block, or you used the
wildcard match for your Include directive.  It will be some time before all
the mirrors have caught up.

The announce of 1.3.36 is here;

http://www.apache.org/dist/httpd/Announcement1.3.txt

Many thanks to Ralf for providing mod_ssl's corresponding patch so quickly.

Ralf S. Engelschall wrote:

Today Apache 1.3.36 was released.
An updated mod_ssl 2.8.27 for Apache 1.3.36 is now available, too.

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



[ANNOUNCE] mod_ssl 2.8.26 for Apache 1.3.35

2006-05-08 Thread Ralf S. Engelschall
mod_ssl 2.8.26 for Apache 1.3.35 is now available:

o http://www.modssl.org/source/
o  ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.26 (18-Oct-2005 to 08-May-2006)

   *) Upgraded to Apache 1.3.35

   *) More correct prototype usage for passphrase callback.

   *) Some Win32 fixes.



Re: Cleanup of mod_ssl compiler warnings

2006-05-08 Thread phemelo moses pitso
Please remove me from your list

"Ralf S. Engelschall" [EMAIL PROTECTED] wrote:
 On Fri, Feb 10, 2006, William A. Rowe, Jr. wrote:
  The following patches mop up some unnecessary compile warnings, when
  the functions are properly decorated. It's been sitting in my drafts
  waiting for a subscription to go through for 3 months, so feel free
  to verify that they are still appropriate.
  [...]

 I had to add some "#if SSL_LIBRARY_VERSION  0x00904000...#else..#endif"
 to the patches to let it still work on older OpenSSL versions, but after
 this I've added to mod_ssl for release with version 2.8.26. Thanks for
 your contribution.

 Ralf S. Engelschall
 [EMAIL PROTECTED]
 www.engelschall.com

mod_ssl: SSLRequire

2006-04-05 Thread Olaf Gellert
I try to do X.509 client authentication with
Apache/2.0.54. This works fine. Now I want to check
for certain fields in the client certificate with
SSLRequire. Even though I ask that

%{SSL_CLIENT_S_DN_CN} eq Testuser

the server permits access to a client with
SSL_CLIENT_S_DN_CN=testuser2. What's wrong?

Here is the according section from my config:

 SSLOptions +FakeBasicAuth +StdEnvVars +CompatEnvVars +StrictRequire
 <Directory /home/gellert/htdocs/ssltest>
   AllowOverride None
   Options +FollowSymLinks +Includes
   Order deny,allow
   Deny from all
   Allow from localhost
   SSLRequireSSL
   SSLRequire (%{SSL_CLIENT_S_DN_O} eq SSLTest SubCA 01 \
 %{SSL_CLIENT_S_DN_OU} eq User Certificates \
 %{SSL_CLIENT_S_DN_CN} eq Testuser )
 </Directory>

Anything forgotten? If I print out the environment from
within the webpage (with SSI #printenv), I see (among all
the other variables):

SSL_CLIENT_S_DN_O=SSLTest SubCA 01
SSL_CLIENT_S_DN_OU=User Certificates
SSL_CLIENT_S_DN_CN=testuser2

Hmmm Any clues?

Olaf

-- 
Dipl.Inform. Olaf Gellert  PRESECURE (R)
Senior Researcher,   Consulting GmbH
Phone: (+49) 0700 / PRESECURE   [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet



RE: mod_ssl: SSLRequire

2006-04-05 Thread Oliver.Schaudt
Perhaps
  SSLVerifyClient require

Default is
  SSLVerifyClient none

Greetings

Oliver
-Original Message-
From: [EMAIL PROTECTED] on behalf of Olaf Gellert
Sent: Wed 05.04.2006 14:08
To: modssl-users@modssl.org
Subject: mod_ssl: SSLRequire
 
I try to do X.509 client authentication with
Apache/2.0.54. This works fine. Now I want to check
for certain fields in the client certificate with
SSLRequire. Even though I ask that

%{SSL_CLIENT_S_DN_CN} eq Testuser

the server permits access to a client with
SSL_CLIENT_S_DN_CN=testuser2. What's wrong?

Here is the according section from my config:

 SSLOptions +FakeBasicAuth +StdEnvVars +CompatEnvVars +StrictRequire
 <Directory /home/gellert/htdocs/ssltest>

   AllowOverride None
   Options +FollowSymLinks +Includes
   Order deny,allow
   Deny from all
   Allow from localhost
   SSLRequireSSL
   SSLRequire (%{SSL_CLIENT_S_DN_O} eq SSLTest SubCA 01 \
 %{SSL_CLIENT_S_DN_OU} eq User Certificates \
 %{SSL_CLIENT_S_DN_CN} eq Testuser )
 </Directory>

Anything forgotten? If I print out the environment from
within the webpage (with SSI #printenv), I see (among all
the other variables):

SSL_CLIENT_S_DN_O=SSLTest SubCA 01
SSL_CLIENT_S_DN_OU=User Certificates
SSL_CLIENT_S_DN_CN=testuser2

Hmmm Any clues?

Olaf

-- 
Dipl.Inform. Olaf Gellert  PRESECURE (R)
Senior Researcher,   Consulting GmbH
Phone: (+49) 0700 / PRESECURE   [EMAIL PROTECTED]

A daily view on Internet Attacks
https://www.ecsirt.net/sensornet



