Re: SSLCryptoDevice: works as a static, not as a DSO...? (fwd)
[[ None of my emails from this evening seem to have actually gone out (misconfig on my end, I think), so here's this again. Sorry if it's a dupe. ]] -- Forwarded message -- Date: Fri, 28 Jun 2002 02:24:29 -0400 (EDT) From: Cliff Woolley [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: Re: SSLCryptoDevice: works as a static, not as a DSO...? On Fri, 28 Jun 2002, Cliff Woolley wrote: To ask a silly question, you are *loading* the DSO, right? And you have SSL_EXPERIMENTAL_ENGINE defined in both cases? I guess I didn't read your first email carefully enough; I see you already mentioned that you do have the appropriate AddModule and LoadModule lines in the DSO case. Double-check that, though, as that and the SSL_EXPERIMENTAL_ENGINE things are the only possible reasons you'd get that message. --Cliff __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: SSLCryptoDevice: works as a static, not as a DSO...?
I was thinking, and perhaps wrongly for versions prior to apache 2, that modules required openssl be shared, but, earlier mod-ssl based versions I do not think were so limited, being how they were built with ssl support. I'm pretty sure, and others will correct me if I'm wrong that openssl, the engine version, is the part that enables cryto devices accelerator cards, and the documentation for it should define those devices it supports; This is from the README.ENGINE file for openssl-engine-0.9.6b/, note that this is not the most current version, and 0.9.6d might well have new device support: quote ENGINE == With OpenSSL 0.9.6, a new component has been added to support external crypto devices, for example accelerator cards. The component is called ENGINE, and has still a pretty experimental status and almost no documentation. It's designed to be faily easily extensible by the calling programs. There's currently built-in support for the following crypto devices: o CryptoSwift o Compaq Atalla o nCipher CHIL ... No external crypto device is chosen unless you say so. You have actively tell the openssl utility commands to use it through a new command line switch called -engine. And if you want to use the ENGINE library to do something similar, you must also explicitely choose an external crypto device, or the built-in crypto routines will be used, just as in the default OpenSSL distribution. PROBLEMS It seems like the ENGINE part doesn't work too well with Cryptoswift on Win32. A quick test done right before the release showed that trying openssl speed -engine cswift generated errors. If the DSO gets enabled, an attempt is made to write at memory address 0x0002. /quote Unfortunately, the documentation on the engine directives is fairly poor and sparse. If I recall, others have used such devices with the engine version and may well beable to help you more then I can at present. They should respond a tad later in the day as the sun rises near their locations smile. Sorry I'm not of more help here. Thanks, Ron DuFresne On Fri, 28 Jun 2002, James Bromberger wrote: Thanks Ron... I just did this, and there was no change -- it still doesn't like this directive: Invalid command 'SSLCryptoDevice', perhaps mis-spelled or defined by a module not included in the server configuration My build was effectively: cd openssl* sh config -fPIC -DSSL_EXPERIMENTAL shared make cd .. cd mm-1.1.3 ./configure --disable-shared make cd .. cd mod_ssl-2.8.10-1.3.26 ./configure --with-apache=../apache_1.3.26 \ --with-ssl=../openssl-engine-0.9.6d \ --with-mm=../mm-1.1.3 \ --enable-rule=SSL_EXPERIMENTAL \ --enable-module=ssl \ --prefix=/usr/local/apache --enable-shared=ssl \ --enable-module=most \ --enable-shared=max --enable-module=so cd .. cd apache_1.3.26 make make install package-root=`pwd`/package-root The difference I am doing is removing the --enable-shared=ssl and --enable-shared=max, and then it works (as a static). Thanks, James [EMAIL PROTECTED] 06/28/02 01:45pm It might depend upon how you compliled openssl, was it compiled shared also? Thanks, Ron DuFresne On Fri, 28 Jun 2002, James Bromberger wrote: Hey people. I have been running fine with Apache + Mod_SSL under Solaris with everything working fine. I am now recompiling to Apache 1.3.26, Mod_SSL 2.8.10, OpenSSL 0.9.6d, and MM1.1.3. My httpd.conf is pretty much the default, except for just above the SSLPassPhraseDialog (around line 1090) where I have: SSLCryptoDevice cswift (it is a Sun Cyrpto Accelerator 1 (just a rebadged CryptoSwift) in a Netra T1, on Solaris 8) There are two compiles I have done: one where I have done everything as a static, and one where it is DSO. When static, I removed my LoadModules and AddModules, and of course, when as a DSO, I add these back in. ALl pretty straight forward. When I use static, my hardware crypto is working and everything is wonderful. Birds sing, etc... When I go DSO and then `apachectl configtest`: Invalid command 'SSLCryptoDevice', perhaps mis-spelled or defined by a module not included in the server configuration Which is odd, because all the other SSL directives are OK. If I do a `strings libexec/libssl.so` then I can see that the SSLCryptoDevice is mentioned in the module, however using mod_info, it is not mentioned against mod_ssl as being available. Does anyone know what is going on here? Why would this work fine as a static, and not as a DSO? This was working with earlier versions (1.3.20 2.8.4 0.9.6b). Any help appreciate. James -- ~~ admin senior security
Re: SSLCryptoDevice: works as a static, not as a DSO...?
On Fri, 28 Jun 2002, R. DuFresne wrote: I was thinking, and perhaps wrongly for versions prior to apache 2, that modules required openssl be shared, but, earlier mod-ssl based versions I do not think were so limited, being how they were built with ssl support. Right. That's not a restriction in 1.3 as far as I know. Just 2.0 (due to libtool). For 2.0, if you want a shared mod_ssl, use a shared OpenSSL, and if you want a static mod_ssl, use a static OpenSSL. 1.3 should be a bit more flexible there. We'll get around to fixing that in 2.0 one of these days. :-/ --Cliff __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
SSLCryptoDevice: works as a static, not as a DSO...?
Hey people. I have been running fine with Apache + Mod_SSL under Solaris with everything working fine. I am now recompiling to Apache 1.3.26, Mod_SSL 2.8.10, OpenSSL 0.9.6d, and MM1.1.3. My httpd.conf is pretty much the default, except for just above the SSLPassPhraseDialog (around line 1090) where I have: SSLCryptoDevice cswift (it is a Sun Cyrpto Accelerator 1 (just a rebadged CryptoSwift) in a Netra T1, on Solaris 8) There are two compiles I have done: one where I have done everything as a static, and one where it is DSO. When static, I removed my LoadModules and AddModules, and of course, when as a DSO, I add these back in. ALl pretty straight forward. When I use static, my hardware crypto is working and everything is wonderful. Birds sing, etc... When I go DSO and then `apachectl configtest`: Invalid command 'SSLCryptoDevice', perhaps mis-spelled or defined by a module not included in the server configuration Which is odd, because all the other SSL directives are OK. If I do a `strings libexec/libssl.so` then I can see that the SSLCryptoDevice is mentioned in the module, however using mod_info, it is not mentioned against mod_ssl as being available. Does anyone know what is going on here? Why would this work fine as a static, and not as a DSO? This was working with earlier versions (1.3.20 2.8.4 0.9.6b). Any help appreciate. James -- James Bromberger, Senior Web/Systems Administrator, JDV +61 8 9268 2909, +61 417 322 500 Fax: +61 8 9266 0200 JDV - e-Commerce and Outsourcing Solutions for Financial Services http://www.jdv.com/ JDV is a division of Hartleys Limited ABN 67 009 136 029 (JDV). Any securities recommendation contained in this document is unsolicited general information only. Do not act on a recommendation without first consulting your investment advisor to determine whether the recommendation is appropriate for your investment objectives, financial situation and particular needs. JDV believes that any information or advice (including any securities recommendation) contained in this document is accurate when issued. However, JDV does not warrant its accuracy or reliability. JDV, its officers, agents and employees exclude all liability whatsoever, in negligence or otherwise, for any loss or damage relating to this document to the full extent permitted by law. JDV may collect personal information from you in order to provide any services you have requested. A copy of JDV's privacy policy is available at http://www.jdv.com/ __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: SSLCryptoDevice: works as a static, not as a DSO...?
It might depend upon how you compliled openssl, was it compiled shared also? Thanks, Ron DuFresne On Fri, 28 Jun 2002, James Bromberger wrote: Hey people. I have been running fine with Apache + Mod_SSL under Solaris with everything working fine. I am now recompiling to Apache 1.3.26, Mod_SSL 2.8.10, OpenSSL 0.9.6d, and MM1.1.3. My httpd.conf is pretty much the default, except for just above the SSLPassPhraseDialog (around line 1090) where I have: SSLCryptoDevice cswift (it is a Sun Cyrpto Accelerator 1 (just a rebadged CryptoSwift) in a Netra T1, on Solaris 8) There are two compiles I have done: one where I have done everything as a static, and one where it is DSO. When static, I removed my LoadModules and AddModules, and of course, when as a DSO, I add these back in. ALl pretty straight forward. When I use static, my hardware crypto is working and everything is wonderful. Birds sing, etc... When I go DSO and then `apachectl configtest`: Invalid command 'SSLCryptoDevice', perhaps mis-spelled or defined by a module not included in the server configuration Which is odd, because all the other SSL directives are OK. If I do a `strings libexec/libssl.so` then I can see that the SSLCryptoDevice is mentioned in the module, however using mod_info, it is not mentioned against mod_ssl as being available. Does anyone know what is going on here? Why would this work fine as a static, and not as a DSO? This was working with earlier versions (1.3.20 2.8.4 0.9.6b). Any help appreciate. James -- ~~ admin senior security consultant: sysinfo.com http://sysinfo.com Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart testing, only testing, and damn good at it too! __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: SSLCryptoDevice: works as a static, not as a DSO...?
Thanks Ron... I just did this, and there was no change -- it still doesn't like this directive: Invalid command 'SSLCryptoDevice', perhaps mis-spelled or defined by a module not included in the server configuration My build was effectively: cd openssl* sh config -fPIC -DSSL_EXPERIMENTAL shared make cd .. cd mm-1.1.3 ./configure --disable-shared make cd .. cd mod_ssl-2.8.10-1.3.26 ./configure --with-apache=../apache_1.3.26 \ --with-ssl=../openssl-engine-0.9.6d \ --with-mm=../mm-1.1.3 \ --enable-rule=SSL_EXPERIMENTAL \ --enable-module=ssl \ --prefix=/usr/local/apache --enable-shared=ssl \ --enable-module=most \ --enable-shared=max --enable-module=so cd .. cd apache_1.3.26 make make install package-root=`pwd`/package-root The difference I am doing is removing the --enable-shared=ssl and --enable-shared=max, and then it works (as a static). Thanks, James [EMAIL PROTECTED] 06/28/02 01:45pm It might depend upon how you compliled openssl, was it compiled shared also? Thanks, Ron DuFresne On Fri, 28 Jun 2002, James Bromberger wrote: Hey people. I have been running fine with Apache + Mod_SSL under Solaris with everything working fine. I am now recompiling to Apache 1.3.26, Mod_SSL 2.8.10, OpenSSL 0.9.6d, and MM1.1.3. My httpd.conf is pretty much the default, except for just above the SSLPassPhraseDialog (around line 1090) where I have: SSLCryptoDevice cswift (it is a Sun Cyrpto Accelerator 1 (just a rebadged CryptoSwift) in a Netra T1, on Solaris 8) There are two compiles I have done: one where I have done everything as a static, and one where it is DSO. When static, I removed my LoadModules and AddModules, and of course, when as a DSO, I add these back in. ALl pretty straight forward. When I use static, my hardware crypto is working and everything is wonderful. Birds sing, etc... When I go DSO and then `apachectl configtest`: Invalid command 'SSLCryptoDevice', perhaps mis-spelled or defined by a module not included in the server configuration Which is odd, because all the other SSL directives are OK. If I do a `strings libexec/libssl.so` then I can see that the SSLCryptoDevice is mentioned in the module, however using mod_info, it is not mentioned against mod_ssl as being available. Does anyone know what is going on here? Why would this work fine as a static, and not as a DSO? This was working with earlier versions (1.3.20 2.8.4 0.9.6b). Any help appreciate. James -- ~~ admin senior security consultant: sysinfo.com http://sysinfo.com Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart testing, only testing, and damn good at it too! __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] -- James Bromberger, Senior Web/Systems Administrator, JDV +61 8 9268 2909, +61 417 322 500 Fax: +61 8 9266 0200 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]