RE: Specifying the openssl version used with mod_ssl
Hello all, Sorry for the delay. We found a work around and quit looking into the below issue. Thanks to Peter for the static library suggestion and Lee for the same and for getting me back on the topic. We were able to get everything working how it should. A note, we are compiling modssl into apache. We are not using it as a shared object. Here are the key config options for openssl and apache: Openssl: ./configure --prefix=/usr/local/ssl --shared Apache: ./configure --with-included-apr --enable-ssl --with-ssl=/usr/local/ssl It is probably a good idea to run a sudo make clean for each installation. At least it was for us since we re-installed about 50 times. Thanks again, Gunner Geller -Original Message- From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org] On Behalf Of Gregg L. Smith Sent: Monday, September 13, 2010 12:48 PM To: modssl-users@modssl.org Subject: Re: Specifying the openssl version used with mod_ssl Hello Gunner, Have you tried --enable-ssl --with-ssl=/path/to/just/compiled/openssl ? Regards, Gregg Gunner Geller wrote: Hello, We are using mac Leopard OS. We have rolled our own Apache(2.2.16) separate from the default install. We have also rolled our own OpenSSL to the latest version. However when we compile Apache and enable mod_ssl it still uses the old OpenSSL version. We can see it in our http headers: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l When typing openssl version from my account and the root account I get: OpenSSL 1.0.0a 1 Jun 2010 I've seen this in some apache configs: --enable-ssl --with-ssl=/usr/local/ssl I've tried the above with no success. According to the output I get when configuring/making/installing apache it is finding openssl at the above directory. The problem is though that the http header stays the same. The problem is we can't upgrade the default openssl version on the OS without apple providing the update. The outdated version is tripping our security scans. Like I said we rolled our owned updated version but cannot get apache/mod_ssl to use it. Any help is appreciated. Thanks, Gunner Geller __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Managermajord...@modssl.org __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Managermajord...@modssl.org
Re: Specifying the openssl version used with mod_ssl
Hello Gunner, Have you tried --enable-ssl --with-ssl=/path/to/just/compiled/openssl ? Regards, Gregg Gunner Geller wrote: Hello, We are using mac Leopard OS. We have rolled our own Apache(2.2.16) separate from the default install. We have also rolled our own OpenSSL to the latest version. However when we compile Apache and enable mod_ssl it still uses the old OpenSSL version. We can see it in our http headers: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l When typing openssl version from my account and the root account I get: OpenSSL 1.0.0a 1 Jun 2010 I've seen this in some apache configs: --enable-ssl --with-ssl=/usr/local/ssl I've tried the above with no success. According to the output I get when configuring/making/installing apache it is finding openssl at the above directory. The problem is though that the http header stays the same. The problem is we can't upgrade the default openssl version on the OS without apple providing the update. The outdated version is tripping our security scans. Like I said we rolled our owned updated version but cannot get apache/mod_ssl to use it. Any help is appreciated. Thanks, Gunner Geller __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Managermajord...@modssl.org
Question on version
Hi, We have Intranet server with apache 2.0.54 and openssl 0.9.8 self-made certificate. It is accessed by IE 6.0 with no problem, but will stop and get the connection has terminated unexpectedly. Some data may have been transferred when I use Firefox or Netscape (all version ). After I unmark v3.0 from Firefox security, I can access the site. From the ssl_request_log, it works well with V2.0 or V3.0. Here is it: 1/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /graphics/jibcol3.j pg HTTP/1.1 - # tail ssl_request_log [11/Oct/2006:12:06:10 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /mininav.html HTTP/ 1.1 - [11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /area.html HTTP/1.1 - [11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /graphics/mission_g raphic.jpg HTTP/1.1 - [11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /graphics/maus_roug e.jpg HTTP/1.1 - [11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /graphics/newnav3.g if HTTP/1.1 - [11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /graphics/roll_back 3.gif HTTP/1.1 - [11/Oct/2006:12:06:11 -0500] 10.34.145.36 SSLv3 RC4-MD5 GET /graphics/jibcol3.j pg HTTP/1.1 - [11/Oct/2006:13:55:07 -0500] 10.34.145.36 SSLv2 RC4-MD5 GET /resources.html HTT P/1.1 3218 [11/Oct/2006:13:55:07 -0500] 10.34.145.36 SSLv2 RC4-MD5 GET /graphics/res_banne r.gif HTTP/1.1 2090 [11/Oct/2006:13:55:07 -0500] 10.34.145.36 SSLv2 RC4-MD5 GET /favicon.ico HTTP/1 .1 209 Anybody can tell me why? Thanks Yi ella for Spam Control has removed 4797 Spam messages and set aside 10203 Newsletters for me You can use it too - and it's FREE!www.ellaforspam.com
Where can I find a runtime version of ModSSL
Hi, Following the procedure described in http://www.verisign.com/resources/gd/secureApache/index.html) I need to download ModSSL. However, I cant find the ModSSL runtime in www.modssl.org the only download file I found requires me to fully compile everything, and it requires all sort of other products for this purpose. Where can I find a runtime version of ModSSL? Thanks Tali
Distinghished Name of X509 depend on version of ModSSL ?
Hello I want to extract the Distinghished Name of a X509 certificat for checking the access of my HTTP server (see FakeBasicAuthentification) with the new version of openssl I have the following result : /usr/local/openssl-0.9.7c/apps/openssl x509 -noout -subject -in /home/apache/htdocs/dess/intranetSTIC/UPS836-2003-2004.pem subject= /C=FR/O=CNRS/OU=UPS836/CN=Xavier Jeannin/[EMAIL PROTECTED] with the old version of openssl of Redhat I have the following result : /usr/bin/openssl x509 -noout -subject -in /home/apache/htdocs/dess/intranetSTIC/UPS836-2003-2004.pem subject= /C=FR/O=CNRS/OU=UPS836/CN=Xavier Jeannin/[EMAIL PROTECTED] As Apache uses the DN to select the access on directory, my user cannot access to my server because DN does not match anymore DN in password file. the solution could be to change my files password file (htpasswd) but I have lot of this kind of file Is there any way to change the result of openssl command by configuration at runtime or at compilation ? thank you --xj -- _ Xavier Jeannin UREC/CNRS Université P. M. Curie, Courrier : case 171, 4 place Jussieu 75252 PARIS CEDEX 05 Tél : 01 44 27 42 59 - Fax : 01 44 27 42 61 - Courriel : [EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Verifying OpenSSL Version in mod_ssl
I've been getting this error ever since I upgraded to mod_ssl-2.8.14-1.3.27: [Fri Mar 28 16:44:47 2003] [error] mod_ssl: Cannot store SSL session to DBM file `/usr/local/apache/logs/ssl_scache' (System error follows) [Fri Mar 28 16:44:47 2003] [error] System: Invalid argument (errno: 22) When trying to debug the problem, I wanted to verify that mod_ssl was compiled with the recently upgraded OpenSSL-0.9.7a. Usually I just use 'strings' and grep for 'openssl'. However, when I do it against libssl.so, it returns a string that looks like the version is 0.9.6c : [EMAIL PROTECTED] ssl]# strings libssl.so | grep -i openssl OpenSSL Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?] OpenSSL OpenSSL (System and OpenSSL library errors follow) (OpenSSL library error follows) OpenSSL OpenSSL 0.9.6c 21 dec 2001 [EMAIL PROTECTED] ssl]# Version 0.9.6c hasn't been on the box in years, so I'm not sure if what I'm seeing is the actually the real version of just something linked in. This is what I see from configure: [EMAIL PROTECTED] mod_ssl-2.8.14-1.3.27]# ./configure --with-apache=../apache_1.3.27 --with-ssl=../openssl-0.9.7a --with-mm=../mm-1.3.0 Configuring mod_ssl/2.8.14 for Apache/1.3.27 + Apache location: ../apache_1.3.27 (Version 1.3.27) + OpenSSL location: ../openssl-0.9.7a + MM location: ../mm-1.3.0 + Auxiliary patch tool: ./etc/patch/patch (local) + Applying packages to Apache source tree: SNIP + adding selected modules o ssl_module uses ConfigStart/End + SSL interface: mod_ssl/2.8.14 + SSL interface build type: OBJ + SSL interface compatibility: enabled + SSL interface experimental code: disabled + SSL interface conservative code: disabled + SSL interface vendor extensions: disabled + SSL interface plugin: Built-in SDBM + SSL library path: /usr/src/APACHE-1.3.27/openssl-0.9.7a + SSL library version: OpenSSL 0.9.7a Feb 19 2003 And this is what I see from Apache's configure: [EMAIL PROTECTED] apache_1.3.27]# ./go-apache2.sh Configuring for Apache, Version 1.3.27 + using installation path layout: Apache (config.layout) Creating Makefile Creating Configuration.apaci in src Creating Makefile in src + configured for Linux platform + setting C compiler to gcc + setting C pre-processor to gcc -E + checking for system header files + adding selected modules o rewrite_module uses ConfigStart/End + using -lndbm for DBM support enabling DBM support for mod_rewrite o ssl_module uses ConfigStart/End + SSL interface: mod_ssl/2.8.14 + SSL interface build type: DSO + SSL interface compatibility: enabled + SSL interface experimental code: disabled + SSL interface conservative code: disabled + SSL interface vendor extensions: disabled + SSL interface plugin: Built-in SDBM + SSL library path: /usr/src/APACHE-1.3.27/openssl-0.9.7a + SSL library version: OpenSSL 0.9.7a Feb 19 2003 SNIP Can anyone help with determining the actual version? Or if this is irrelevant to determining the original error, I would appreciate a pointer to what might help. Thanks! -- Ken Schweigert, Network Administrator Byte Productions, LLC http://www.byte-productions.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Version number
Hi ! I've just upgraded OpenSSL 0.9.6d to 0.9.6g on FreeBSD, but Apache says that it's running OpenSSL 0.9.6a! Where is this version number and how to change it? I read somewhere in the archive that a solution might be to recompile PHP... But what does PHP have to do with Apache (something I don't know) ? Thanks. Martin Nyberg __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Version number
Martin, Actually, you may need to recompile Apache (w/ PHP if you need that.) When building Apache from sources, you have to specify where the OpenSSL libraries are installed. If you happened to not use the ones specified by the RPM and used OpenSSL sources, upgrading the RPM will not help you and you will need to rebuild Apache with the new libraries. Let me know if you need help with this... Drew J. Como Phone: 631-434-6600 Systems Administrator Fax: 631-434-7800 [EMAIL PROTECTED] Web: www.bascom.com Bascom Global Internet Services, Inc. When quality is the goal, winning is guaranteed. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Martin Nyberg Sent: Friday, September 20, 2002 3:55 PM To: modssl-users Subject: Version number Hi ! I've just upgraded OpenSSL 0.9.6d to 0.9.6g on FreeBSD, but Apache says that it's running OpenSSL 0.9.6a! Where is this version number and how to change it? I read somewhere in the archive that a solution might be to recompile PHP... But what does PHP have to do with Apache (something I don't know) ? Thanks. Martin Nyberg __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Version number
Martin Nyberg writes: Hi ! I've just upgraded OpenSSL 0.9.6d to 0.9.6g on FreeBSD, but Apache says that it's running OpenSSL 0.9.6a! Where is this version number and how to change it? I read somewhere in the archive that a solution might be to recompile PHP... But what does PHP have to do with Apache (something I don't know) ? Thanks. Martin Nyberg __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] hi, to get it right, you should recomplie apache and php to show the correct version numbers. i've had the same problem and that's how i fixed it. i hope it helps for you greetz Richard The Netherlands __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Version number
On Fri, 20 Sep 2002 [EMAIL PROTECTED] wrote: I've just upgraded OpenSSL 0.9.6d to 0.9.6g on FreeBSD, but Apache says that it's running OpenSSL 0.9.6a! Where is this version number and how to change it? to get it right, you should recomplie apache and php to show the correct version numbers. i've had the same problem and that's how i fixed it. Just to be absolutely clear, this is not just a matter of showing the correct version number. If it shows the wrong version number, that's because that wrong version is the one actually being used by Apache!! It's probably a matter of the old version having been statically linked into Apache, so even after you upgrade OpenSSL, Apache still needs to be relinked with it. --Cliff __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
version?
why don't i see a mod_ssl version for apache 2.039? or rather when will i see one? __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: version?
On Wed, 21 Aug 2002, Pandora Fawcett wrote: why don't i see a mod_ssl version for apache 2.039? Because you haven't looked in the right place. mod_ssl comes bundled with Apache 2.0; it's no longer a separate product. --Cliff __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Regarding mod_ssl version which suits apache 2.0.39
Hi, Can you please let me know where exactly i can get the suitable mod_ssl version which suits for apache 2.0.39, I tried to find out in www.modssl.org, but found out only the mod_ssl_2.8.10-1.3.26 which suits for apache 1.3.26, Any help greatly apprecited Thks Venkata Reddy V __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Regarding mod_ssl version which suits apache 2.0.39
On Wed, Jul 31, 2002 at 02:14:21PM -0400, Venkat Reddy Valluri wrote: Hi, Can you please let me know where exactly i can get the suitable mod_ssl version which suits for apache 2.0.39, I tried to find out in www.modssl.org, but found out only the mod_ssl_2.8.10-1.3.26 which suits for apache 1.3.26, Mod_ssl is part of apache 2.0.x and is included in the source tarballs available at http://httpd.apache.org/dist/ vh Mads Toftum -- `Darn it, who spiked my coffee with water?!' - lwall __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Regarding mod_ssl version which suits apache 2.0.39
none are required, it's built into the 2.0.x code. Thanks, Ron DuFresne On Wed, 31 Jul 2002, Venkat Reddy Valluri wrote: Hi, Can you please let me know where exactly i can get the suitable mod_ssl version which suits for apache 2.0.39, I tried to find out in www.modssl.org, but found out only the mod_ssl_2.8.10-1.3.26 which suits for apache 1.3.26, Any help greatly apprecited Thks Venkata Reddy V __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] -- ~~ admin senior security consultant: sysinfo.com http://sysinfo.com Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart testing, only testing, and damn good at it too! __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: version compatibility
This is an interesting issue you put to our attention here. I, for one, consider myself likeley to come to the same point in the future. So please post any results/problems you have, and support us all! Thanks, Dennis Shon Stephens wrote: i am currently using modssl 2.8.4 w/ apache 1.3.20 and openssl 0.9.6b. for compatibility with another application, i need to upgrade my openssl to 0.9.6c. will i have any problems with the modssl/apache upgrading to this version of openssl. in other words, will i need to upgrade my modssl version? should i recompile modssl with the new openssl version, or can i just replace what is currently there? thanks, shon __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
version compatibility
i am currently using modssl 2.8.4 w/ apache 1.3.20 and openssl 0.9.6b. for compatibility with another application, i need to upgrade my openssl to 0.9.6c. will i have any problems with the modssl/apache upgrading to this version of openssl. in other words, will i need to upgrade my modssl version? should i recompile modssl with the new openssl version, or can i just replace what is currently there? thanks, shon __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: version compatibility
On Thu, May 30, 2002 at 01:50:32PM -0400, Shon Stephens wrote: i am currently using modssl 2.8.4 w/ apache 1.3.20 and openssl 0.9.6b. for compatibility with another application, i need to upgrade my openssl to 0.9.6c. will i have any problems with the modssl/apache upgrading to this version of openssl. in other words, will i need to upgrade my modssl version? should i recompile modssl with the new openssl version, or can i just replace what is currently there? Source code compatibility should not be an issue. Binary compatibility is possible, but I don't know for sure, whether some internal interface was changed. I would thus recommend to recompile. Best regards, Lutz -- Lutz Jaenicke [EMAIL PROTECTED] http://www.aet.TU-Cottbus.DE/personen/jaenicke/ BTU Cottbus, Allgemeine Elektrotechnik Universitaetsplatz 3-4, D-03044 Cottbus __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
SSL_Scache version 2.8.7
I'm noticing that "ssl_scache.dir" is a 0 byte file. Is this "normal"? The wierdness continuesin full SSL mode, whith 100% content in the secured directory, I get half loaded pages, and Page Not Found errors. It happens with both Netscape as well as IE5.5 Any ideas about what can be done? Has anyone configured and used the MM library that Ralf wrote? Will this work on the RHLinx 6.2 (kernel 2.2.19) platform? Sigh, someday, I'll be the one with the answers instead... Regards, -Arthur.
Re: SSL_Scache version 2.8.7
On Sun, Mar 17, 2002 at 08:28:56PM -0600, Petra Computing wrote: Has anyone configured and used the MM library that Ralf wrote? Will this work on the RHLinx 6.2 (kernel 2.2.19) platform? Yes. It works very well - just ./configure --disable-shared in MM vh Mads Toftum -- With a rubber duck, one's never alone. -- The Hitchhiker's Guide to the Galaxy __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
SSLSessionCache in Version 2.8.7
Hello ! I have installed the following in APXS mode: mod_ssl-2.8.7-1.3.23 apache-1.3.23 php-4.1.2 on a Intel 500MHz RedHat 6.2 (2.2.19) server box. I'm noticing that the images are sometimes not showing up when running a PHP page with lots of images in https mode. Whenwe had the problem sometime back (version 2.8.4) we enabled the SSLSessionCache mode using dbm and it started to work great then. Any ideas? -Arthur. [EMAIL PROTECTED]
RE: SSLSessionCache in Version 2.8.7
No Russ, the images and all the web pages are on the same directory under SSL. I figure it's time for a faster CPU. Another thing - the ssa;_scache.dir file is 0 bytes long...the ssl_scahe.pag usually has something like 8192. Wonder if there's a bug somewhere?? BTW: the openssl lib is 0.9.6a -Arthur -Original Message- From: Russell Ruby [mailto:[EMAIL PROTECTED]] Sent: Sunday, March 17, 2002 1:49 PM To: [EMAIL PROTECTED] Subject: Re: SSLSessionCache in Version 2.8.7 Do the image URLs reference insecure pages, e.g. http://somewhere.comm/ ? Some browsers, e.g. netscape 4.x, refuse to display such insecure images when the base page is secure (https). It's a problem for me too. -- russ Hello ! I have installed the following in APXS mode: mod_ssl-2.8.7-1.3.23 apache-1.3.23 php-4.1.2 on a Intel 500MHz RedHat 6.2 (2.2.19) server box. I'm noticing that the images are sometimes not showing up when running a PHP page with lots of images in https mode. When we had the problem sometime back (version 2.8.4) we enabled the SSLSessionCache mode using dbm and it started to work great then. Any ideas? -Arthur. [EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: SSLSessionCache in Version 2.8.7
I am not in the office for the week 18-22 March 2002 If it's an Online Learning Support Unit / Web/ MUBSWEB/ MUBS Online matter that requires urgent attention then please contact either Kirsteen1 or Sanjay1 who should be able to help. Otherwise I will contact you as soon as possible on my return. If you are student on MKT3035 GIS for Business - I will contact you asap or if urgent please contact the module tutor All the best Alex __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Best mod_proxy Stable Version
[The following questions relate to mod_ssl too; Please read on] What is the best *STANDARD* version of Apache, from the point of view of mod_proxy? (by writing "standard", I mean the standard source tree, excluding external patches like the one that was prepared for 1.3.19) Is it true that proxy features which already worked with old versions of Apache, don't work anymore with 1.3.19? (unless the special patch, which I wrote that is not an option, is applied) IIRC, since mod_proxy was not maintained quite well for some time in the past, some versions of it were not up-to-date, and had conflicts with the core Apache, which made mod_proxy not so good as in the past. Is it true? And if it's true, then what version exactly is recommended? Is 1.3.12 good enough? My questions may sound strange, so let me describe my status: I have a site powered by 1.3.12 + mod_ssl, with intensive use of mod_proxy, mainly as a reverse proxy. I want to upgrade it, but am afraid that the proxy stuff will not work well. Picking 1.3.19, and applying the special proxy patch of 1.3.19 into it, is not an option, since mod_ssl comes as a patch which should be applied into the standard Apache. There are versions of mod_ssl for almost any standard Apache, including the current (1.3.19) and mine (1.3.12), but not _1.3.19 + proxy-patch_. If it's possible to apply mod_ssl into the patched 1.3.19, then it's the best, and I'll be happy to hear about it from you. If not, I'd appreciate if anybody here has any expecience with the combination of mod_ssl/mod_proxy, and can recommend the best version of Apache to use. Thanks in advance, -- Eli Marmor [EMAIL PROTECTED] CTO, Founder Netmask (El-Mar) Internet Technologies Ltd. __ Tel.: +972-9-766-1020 8 Yad-Harutzim St. Fax.: +972-9-766-1314 P.O.B. 7004 Mobile: +972-50-23-7338 Kfar-Saba 44641, Israel __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: version numbers
On Wed, Mar 14, 2001, Brett Tofel wrote: I can't seem to find where the mod_ssl version numbers are explained. In the FAQ AFAIK. if we are using an older apache, must we use an older mod_ssl? For instance, if we were using apache 1.3.12 would we have to use: mod_ssl-2.6.6-1.3.12 Yes. Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
version numbers
I can't seem to find where the mod_ssl version numbers are explained. if we are using an older apache, must we use an older mod_ssl? For instance, if we were using apache 1.3.12 would we have to use: mod_ssl-2.6.6-1.3.12 ? thanks, brett __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
-DEAPI compiled version from ApacheModuleJServ.dll available?
hi, i successfully installed Apache_1.3.14-mod_ssl_2.7.2-openssl_0.9.6-WIN32 from modssl "Contrib" and everything works fine 'til now. I use Jakarta's Tomcat in conjunction with Apache, therefor i downloaded the modul ApacheModuleJServ.dll. Apache now states, that this version was compiled for the "normal" version of Apache (and uses plain Apache 1.3 API), which might leads to problems with EAPI. Is there a -EAPI - compiled version of ApacheModuleJServ.dll available or do i have to compile it by myself? (the problem is, i have no MS Visual C++-Compiler available ...) many thanks in advance! basti __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: -DEAPI compiled version from ApacheModuleJServ.dll available?
Sebastian Schulz wrote: hi, i successfully installed Apache_1.3.14-mod_ssl_2.7.2-openssl_0.9.6-WIN32 from modssl "Contrib" and everything works fine 'til now. I use Jakarta's Tomcat in conjunction with Apache, therefor i downloaded the modul ApacheModuleJServ.dll. Apache now states, that this version was compiled for the "normal" version of Apache (and uses plain Apache 1.3 API), which might leads to problems with EAPI. Is there a -EAPI - compiled version of ApacheModuleJServ.dll available or do i have to compile it by myself? (the problem is, i have no MS Visual C++-Compiler available ...) many thanks in advance! basti __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] I have done it for apache1.3.14 - just compile mod_jk like it is in howto with added -DEAPI before -DSOLARIS (I've done it for solaris). Works for me. Wojtek __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: upgrading an ancient version
On Fri, Dec 01, 2000 at 04:52:22PM -0800, Robert L. Yelvington wrote: I am very familiar configuring mod_ssl / openssl / apache. Can someone advise as to the pitfalls I might encounter, if there are any, and how to overcome them when upgrading from the following versions of software to the latest on a FREEBSD box? OS: 3.2-STABLE FreeBSD 3.2-STABLE #2 i386 (not a chance of upgrading this to latest...yet!) APACHE: 1.3.9 MODSSL: mod_ssl/2.4.0 OPENSSL: OpenSSL/0.9.4 What I am really worried about is my vhost's certs. Will they still work if I upgrade modssl and openssl? Yep, there shouldn't be any problems with that. There's even an option to mod_ssl's configure if you want to point to existing certs. You could probably even use the same httpd.conf. Will they still work if I just upgrade apache and mod_ssl (do I even need to upgrade openssl at all?) I would recommend upgrading openssl for performance and other fixes, but you probably don't really have to. OR Can I just upgrade apache and keep the current versions of modssl and openssl...? No. You must have the correct version of mod_ssl to fit the Apache. There is also quite a lot that have happened to mod_ssl that will make an upgrade worth the trouble. vh Mads Toftum -- `Darn it, who spiked my coffee with water?!' - lwall __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
upgrading an ancient version
I am very familiar configuring mod_ssl / openssl / apache. Can someone advise as to the pitfalls I might encounter, if there are any, and how to overcome them when upgrading from the following versions of software to the latest on a FREEBSD box? OS: 3.2-STABLE FreeBSD 3.2-STABLE #2 i386 (not a chance of upgrading this to latest...yet!) APACHE: 1.3.9 MODSSL: mod_ssl/2.4.0 OPENSSL: OpenSSL/0.9.4 What I am really worried about is my vhost's certs. Will they still work if I upgrade modssl and openssl? Will they still work if I just upgrade apache and mod_ssl (do I even need to upgrade openssl at all?) OR Can I just upgrade apache and keep the current versions of modssl and openssl...? -robt "You have the possibility to make a lot of people angry OR a lot of people happy. Thus is the nature of the System Admin" __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: upgrading an ancient version
Hi, I am very familiar configuring mod_ssl / openssl / apache. Can someone advise as to the pitfalls I might encounter, if there are any, and how to overcome them when upgrading from the following versions of software to the latest on a FREEBSD box? OS: 3.2-STABLE FreeBSD 3.2-STABLE #2 i386 (not a chance of upgrading this to latest...yet!) APACHE: 1.3.9 MODSSL: mod_ssl/2.4.0 OPENSSL: OpenSSL/0.9.4 What I am really worried about is my vhost's certs. Will they still work if I upgrade modssl and openssl? Will they still work if I just upgrade apache and mod_ssl (do I even need to upgrade openssl at all?) I have no idea. :-) I wouldn't expect any problems to arise, but why don't you test it by running the upgraded version in a different directory and on different ports? I do this all the time on production machines. Can I just upgrade apache and keep the current versions of modssl and openssl...? You can't do this, mod_ssl generally only works for the version of Apache it's released for. -Dave __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Where I can Get a Precompiled version for WINNT
Hi... Anybody knows where i can get a precompiled version of Apache+modssl+openssl, please any ideas... Andres __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Where I can Get a Precompiled version for WINNT
On Tue, Nov 28, 2000 at 10:47:44AM -0500, Andres Salazar wrote: Anybody knows where i can get a precompiled version of Apache+modssl+openssl, please any ideas... Assuming you're running one of the main GNU/Linux distributions, these should be available as separate packages from their download site, as they are quite, quite standard. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Compiled version
Hi. Where can I find a compiled version of Apache+ModSSL+OpenSSL for Linux RedHat? The latest one with Apache 1.3.14, ModSSL 2.7.1 and OpenSSL0.9.6 if possible? Thanks for help. Carole Hébrard. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Compiled version
I'm so sorry, I didn't read your message properly (no flames please!) If you mean RPMs, I compiled several RPMs from source yesterday. If you let me know which processor you need it for I'll see what I can do. Otherwise you can compile them yourself using the source rpm on the www.modssl.org/contrib/ site with rpm --rebuild --target (your processor) apache-mod_ssl-1.3.14.2.7.1-1.src.rpm eg to build the RPMs for a pentium use rpm --rebuild --target i586 apache-mod_ssl-1.3.14.2.7.1-1.src.rpm You'll need the openssl and openssl-devel packages for this work. Again, these can be compiled from source in a similar method to above or you can download some compiled versions from www.modssl.org/contrib/ site. - John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] -Original Message- From: Carole Hébrard [mailto:[EMAIL PROTECTED]] Sent: 21 November 2000 14:42 To: ModSsl User Subject: Compiled version Hi. Where can I find a compiled version of Apache+ModSSL+OpenSSL for Linux RedHat? The latest one with Apache 1.3.14, ModSSL 2.7.1 and OpenSSL0.9.6 if possible? Thanks for help. Carole Hébrard. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Compiled version
Thanks for your help. I found what I need (i686) on the www.modssl.org/contrib/ site. Carole Hébrard. [EMAIL PROTECTED] wrote: I'm so sorry, I didn't read your message properly (no flames please!) If you mean RPMs, I compiled several RPMs from source yesterday. If you let me know which processor you need it for I'll see what I can do. Otherwise you can compile them yourself using the source rpm on the www.modssl.org/contrib/ site with rpm --rebuild --target (your processor) apache-mod_ssl-1.3.14.2.7.1-1.src.rpm eg to build the RPMs for a pentium use rpm --rebuild --target i586 apache-mod_ssl-1.3.14.2.7.1-1.src.rpm You'll need the openssl and openssl-devel packages for this work. Again, these can be compiled from source in a similar method to above or you can download some compiled versions from www.modssl.org/contrib/ site. - John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] -Original Message- From: Carole Hébrard [mailto:[EMAIL PROTECTED]] Sent: 21 November 2000 14:42 To: ModSsl User Subject: Compiled version Hi. Where can I find a compiled version of Apache+ModSSL+OpenSSL for Linux RedHat? The latest one with Apache 1.3.14, ModSSL 2.7.1 and OpenSSL0.9.6 if possible? Thanks for help. Carole Hébrard. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Best mod_ssl version for 1.3.3?
We recently build and installed mod_ssl 2.0.15-1.3.3, as it was listed among the "only use these on production servers" versions. It seems to be working fine. Looking through the changelog, though, I'm concerned about some of the fixes in later versions that we're missing. We're locked into Apache 1.3.3 for now because of one 3rd party, no-source-available module. Is 2.0.15 stable, or has someone backported later versions of mod_ssl to 1.3.3? Thanks, -Jeff __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Best mod_ssl version for 1.3.3?
Hi Jeff, The latest version of apache/mod_ssl/openssl is what you want to be using. This means apache-1.3.12, mod_ssl 0.9.6 and openssl 0.9.5a or 0.9.6. -Dave -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jeff Mayzurk Sent: Wednesday, October 04, 2000 11:23 PM To: [EMAIL PROTECTED] Subject: Best mod_ssl version for 1.3.3? We recently build and installed mod_ssl 2.0.15-1.3.3, as it was listed among the "only use these on production servers" versions. It seems to be working fine. Looking through the changelog, though, I'm concerned about some of the fixes in later versions that we're missing. We're locked into Apache 1.3.3 for now because of one 3rd party, no-source-available module. Is 2.0.15 stable, or has someone backported later versions of mod_ssl to 1.3.3? __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Best mod_ssl version for 1.3.3?
Thanks, but if you note my original message, I said we're locked into Apache 1.3.3 because of a third party module. Or, in other words, we can't upgrade to Apache 1.3.12 and mod_ssl 2.6.x. Ah, sorry, I did not see that. We're observing large memory leaks with mod_ssl 2.0.15. So my questions are: 1. Is 2.1.6 better than 2.0.15? Why was it deprecated? The leaks we're seeing look to be coming from SSLeay 0.9.0, anyway, so this may be irrelevant. Just guessing, but usually bigger revision numbers means better. :-) 2. Is there a backport of 2.6.x (or anything later than 2.1.x) to Apache 1.3.3? This would allow us to us OpenSSL instead of SSLeay. Not that I know of. This is something you would probably have to attempt to do yourself (and I can't imagine it being a whole lot of fun!) -Dave __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: [SLE] how do i know the version how to start https
tk dev wrote: 3.as i know, modssl apache-ssl is different. how should i start apache after i enabled ssl? should i stop the current apache? should i change/start/stop any daemon? /sbin/init.d/apache reload Most of the scripts in that directory have start, stop and reload functions built in. Try them out. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: how do i know the version how to start https
In order: Hi. Really, I would never have guessed. I thought you might have some insight (other than you're too lazy to read *massive* man pages) to contribute. 1. Read up gasp on server-status - failing this: check your expletive deleted apache logs. 2. Read up on the difference between static and dynamic linking. The version of the libraries Netscape is using may or may not be the latest and greatest version you have installed on your system. (Notice there is no sarcastic gasp on this answer because this is the only question you could not reasonably be expected to puzzle out for yourself before wasting the time of the participants on this mailing list.) 3. RTF install document gasp. You are not welcome. Why, because you don't have to learn to read? If you had made *ANY* effort whatsoever it would be different. tk dev [EMAIL PROTECTED] on 08/24/2000 03:03:03 PM Please respond to [EMAIL PROTECTED] To: modssluser [EMAIL PROTECTED], openssluser [EMAIL PROTECTED], suse [EMAIL PROTECTED], suse-security [EMAIL PROTECTED] cc: Subject: how do i know the version how to start https hi all i've some ques re modssl,openssl apache-would b glad to hear from u all. (i'm using suse6.4,kernel2.2.16 - also installed modssl/2.62 openssl/0.95 together with suse6.4) 1. how do i know the version for openssl modssl that's running on my system? 2.i've downloaded installed openssl/0.95a,without any error message- yet when i open netscape communicator(for suse6.4 users = it'll show the apache version,openssl,modssl version etc) the version shown is still 0.95!! what should i do so that i'm using the latest openssl?btw, how do i know that's it's running the latest version i've installed ?- should i delete the old version, how? 3.as i know, modssl apache-ssl is different. how should i start apache after i enabled ssl? should i stop the current apache? should i change/start/stop any daemon? pls advise thanks in advance. thanks also to all u've been so helpful answered many of the ques in this list...one reason why i love linux/open system so much. cheers tk = 0Oo~~:o) Smile! You'r Alive!!! Q:What's peacefulness? A:What's confusion? Peacefulness is the end of confusion. o.0.Oo.o May there be peace in every step we take :o):tk __ Do You Yahoo!? Yahoo! Mail - Free email you can access from anywhere! http://mail.yahoo.com/ __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] ** Important Note This email (including any attachments) contains information which is confidential and may be subject to legal privilege. If you are not the intended recipient you must not use, distribute or copy this email. If you have received this email in error please notify the sender immediately and delete this email. Any views expressed in this email are not necessarily the views of AXA. Thank you. ** __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: how do i know the version how to start https
hi, i'm sorry if i've offended u so greatly...but i really have no idea that i can find the source of this trouble... honestly i've used man openssl etc but there's an error saying no such man page. i'm also new with apache: yes i'm still striving, thanks for your hint on what to read. N.B. i apologize too to all those who find my ques - irrelavant. tk --- [EMAIL PROTECTED] wrote: In order: Hi. Really, I would never have guessed. I thought you might have some insight (other than you're too lazy to read *massive* man pages) to contribute. 1. Read up gasp on server-status - failing this: check your expletive deleted apache logs. 2. Read up on the difference between static and dynamic linking. The version of the libraries Netscape is using may or may not be the latest and greatest version you have installed on your system. (Notice there is no sarcastic gasp on this answer because this is the only question you could not reasonably be expected to puzzle out for yourself before wasting the time of the participants on this mailing list.) 3. RTF install document gasp. You are not welcome. Why, because you don't have to learn to read? If you had made *ANY* effort whatsoever it would be different. tk dev [EMAIL PROTECTED] on 08/24/2000 03:03:03 PM Please respond to [EMAIL PROTECTED] To: modssluser [EMAIL PROTECTED], openssluser [EMAIL PROTECTED], suse [EMAIL PROTECTED], suse-security [EMAIL PROTECTED] cc: Subject: how do i know the version how to start https hi all i've some ques re modssl,openssl apache-would b glad to hear from u all. (i'm using suse6.4,kernel2.2.16 - also installed modssl/2.62 openssl/0.95 together with suse6.4) 1. how do i know the version for openssl modssl that's running on my system? 2.i've downloaded installed openssl/0.95a,without any error message- yet when i open netscape communicator(for suse6.4 users = it'll show the apache version,openssl,modssl version etc) the version shown is still 0.95!! what should i do so that i'm using the latest openssl?btw, how do i know that's it's running the latest version i've installed ?- should i delete the old version, how? 3.as i know, modssl apache-ssl is different. how should i start apache after i enabled ssl? should i stop the current apache? should i change/start/stop any daemon? pls advise thanks in advance. thanks also to all u've been so helpful answered many of the ques in this list...one reason why i love linux/open system so much. cheers tk = 0Oo~~:o) Smile! You'r Alive!!! Q:What's peacefulness? A:What's confusion? Peacefulness is the end of confusion. o.0.Oo.o May there be peace in every step we take :o):tk __ Do You Yahoo!? Yahoo! Mail - Free email you can access from anywhere! http://mail.yahoo.com/ __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] ** Important Note This email (including any attachments) contains information which is confidential and may be subject to legal privilege. If you are not the intended recipient you must not use, distribute or copy this email. If you have received this email in error please notify the sender immediately and delete this email. Any views expressed in this email are not necessarily the views of AXA. Thank you. ** __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] = 0Oo~~:o) Smile! You'r Alive!!! Q:What's peacefulness? A:What's confusion? Peacefulness is the end of confusion. o.0.Oo.o May there be peace in every step we take :o):tk __ Do You Yahoo!? Yahoo! Mail - Free email you can access from anywhere! http://mail.yahoo.com/ __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
problems with version 2.6.5
I downloaded and compiled mod_ssl 2.6.5-1.3.12 on a Solaris 2.7 on Intel box using gcc 2.8.1. When I do a 'make test' everything appears okay. I then statically link it into Apache 1.3.12 and it does not work. All modules are compiled and linked static. I try doing openssl s_client -connect localhost:442 -state -debug and get the following: CONNECTED(0004) SSL_connect:before/connect initialization write to 081622B8 [08164430] (130 bytes = 130 (0x82) bunch of hex stuff SSL_connect:SSLv2/v3 write client hello A read from 081622B8 [08169990] (7 bytes = 7 (0x7)) - 3c 21 44 4f 43 54 59 !DOCTY SSL_connect:error in SSLv2/v3 read server hello A 4792:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:458: Please HELP! __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: problems with version 2.6.5
On Tue, Aug 08, 2000 at 07:37:41PM -0500, John Hearn wrote: I downloaded and compiled mod_ssl 2.6.5-1.3.12 on a Solaris 2.7 on Intel box using gcc 2.8.1. When I do a 'make test' everything appears okay. I then statically link it into Apache 1.3.12 and it does not work. All modules are compiled and linked static. I try doing openssl s_client -connect localhost:442 -state -debug and get the following: CONNECTED(0004) SSL_connect:before/connect initialization write to 081622B8 [08164430] (130 bytes = 130 (0x82) bunch of hex stuff SSL_connect:SSLv2/v3 write client hello A read from 081622B8 [08169990] (7 bytes = 7 (0x7)) - 3c 21 44 4f 43 54 59 !DOCTY ^^^ You're seeing "!DOCTY" because you're trying to connect with SSL to a plain http host. vh Mads Toftum -- `Darn it, who spiked my coffee with water?!' - lwall __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Bad Protocol Version Number ???
Past experience with Covalent Raven SSL, which hopefully provides some useful insight. The SSL engine started happily with the PEM passphrase, as does yours. However, I encountered this error message when the certificate installed did not match up with the private key. I had initially self-signed to test the installation, but encountered same error message, "unable to configure server private key for connection (OpenSSL library error follows)" when I re-generated a CSR, submitted it to Verisign, and subsequently installed the signed certificate. In fact, I should have submitted the original certificate, had Verisign that, and re-install the certificate. When I did this, the problem was eliminated. At 01:11 PM 5/31/00 -0800, you wrote: Greetz from Alaska, Every time I start httpsd I'm asked for the Pass Phrase, given the ok and the daemon is started. All the SSL domains work except one. Even though I am asked for the Pass Phrase and it replies with OK but I can't connect. Below is the error I get in the ssl_engine_log file when I try to connect to the site. When I change their CRT and KEY file to the the main servers (server.crt/key) the site works great. Any ideas? Thanks Dan Please reply to [EMAIL PROTECTED] [31/May/2000 12:11:56] [error] Unable to configure server private key for connection (OpenSSL library error follows) [31/May/2000 12:11:56] [error] OpenSSL: error:14080074:SSL routines:SSL3_ACCEPT:bad protocol version number [31/May/2000 12:11:56] [error] Unable to configure server private key for connection (OpenSSL library error follows) [31/May/2000 12:11:56] [error] OpenSSL: error:14080074:SSL routines:SSL3_ACCEPT:bad protocol version number __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] = Jody Fraser, CISA, CISSP - Lucent NPS Pager (800) 467-1467 Mobile (916) 769-5751 email: [EMAIL PROTECTED] [EMAIL PROTECTED] = __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Bad Protocol Version Number ???
Greetz from Alaska, Every time I start httpsd I'm asked for the Pass Phrase, given the ok and the daemon is started. All the SSL domains work except one. Even though I am asked for the Pass Phrase and it replies with OK but I can't connect. Below is the error I get in the ssl_engine_log file when I try to connect to the site. When I change their CRT and KEY file to the the main servers (server.crt/key) the site works great. Any ideas? Thanks Dan Please reply to [EMAIL PROTECTED] [31/May/2000 12:11:56] [error] Unable to configure server private key for connection (OpenSSL library error follows) [31/May/2000 12:11:56] [error] OpenSSL: error:14080074:SSL routines:SSL3_ACCEPT:bad protocol version number [31/May/2000 12:11:56] [error] Unable to configure server private key for connection (OpenSSL library error follows) [31/May/2000 12:11:56] [error] OpenSSL: error:14080074:SSL routines:SSL3_ACCEPT:bad protocol version number __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Upgrading to next version of Apache
"R. DuFresne" [EMAIL PROTECTED] 12/21/99 11:05PM When the next version of Apache is released, can you just upgrade the Apache or will mod_ssl and/or openssl need to be reinstalled to retain SSL ? You sould beable to just drop the new apache source into place, and recompile it with the proper params like you did before. This is easiest if you retain the source for mod_ssl and openssl under some apache specific src/ tree, if ya dig what I'm saying; you already built the other two, yer just going to rebuild apache with their inclusion. It's not that simple because the new Apache will not contain EAPI, and if you just drop it into place, you'll have an Apache with no EAPI and mod_ssl won't work anymore. Besides, the EAPI changes with every release of Apache because the line numbers (etc) in Apache change and therefore the EAPI patches must be updated to reflect that. You don't have to redo openssl (assuming you did a separate make/make install for openssl to install it as a system library), just mod_ssl. I'd tend to expect a new version of mod_ssl out when the new Apache comes out, assuming all goes as it usually does. Right, Ralf? --Cliff Cliff Woolley Central Systems Software Administrator Washington and Lee University http://www.wlu.edu/~jwoolley/ Work: (540) 463-8089 Pager: (540) 462-2303 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Upgrading to next version of Apache
folks, listen to Cliff, rather then me, for, he has the time in on this area over me. Cliff, thanks for the correction! Thanks, Ron DuFresne On Wed, 22 Dec 1999, Cliff Woolley wrote: "R. DuFresne" [EMAIL PROTECTED] 12/21/99 11:05PM When the next version of Apache is released, can you just upgrade the Apache or will mod_ssl and/or openssl need to be reinstalled to retain SSL ? You sould beable to just drop the new apache source into place, and recompile it with the proper params like you did before. This is easiest if you retain the source for mod_ssl and openssl under some apache specific src/ tree, if ya dig what I'm saying; you already built the other two, yer just going to rebuild apache with their inclusion. It's not that simple because the new Apache will not contain EAPI, and if you just drop it into place, you'll have an Apache with no EAPI and mod_ssl won't work anymore. Besides, the EAPI changes with every release of Apache because the line numbers (etc) in Apache change and therefore the EAPI patches must be updated to reflect that. You don't have to redo openssl (assuming you did a separate make/make install for openssl to install it as a system library), just mod_ssl. I'd tend to expect a new version of mod_ssl out when the new Apache comes out, assuming all goes as it usually does. Right, Ralf? --Cliff Cliff Woolley Central Systems Software Administrator Washington and Lee University http://www.wlu.edu/~jwoolley/ Work: (540) 463-8089 Pager: (540) 462-2303 -- ~~ admin senior consultant: darkstar.sysinfo.com http://darkstar.sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Upgrading to next version of Apache
On Wed, Dec 22, 1999, Cliff Woolley wrote: "R. DuFresne" [EMAIL PROTECTED] 12/21/99 11:05PM When the next version of Apache is released, can you just upgrade the Apache or will mod_ssl and/or openssl need to be reinstalled to retain SSL ? You sould beable to just drop the new apache source into place, and recompile it with the proper params like you did before. This is easiest if you retain the source for mod_ssl and openssl under some apache specific src/ tree, if ya dig what I'm saying; you already built the other two, yer just going to rebuild apache with their inclusion. It's not that simple because the new Apache will not contain EAPI, and if you just drop it into place, you'll have an Apache with no EAPI and mod_ssl won't work anymore. Besides, the EAPI changes with every release of Apache because the line numbers (etc) in Apache change and therefore the EAPI patches must be updated to reflect that. You don't have to redo openssl (assuming you did a separate make/make install for openssl to install it as a system library), just mod_ssl. I'd tend to expect a new version of mod_ssl out when the new Apache comes out, assuming all goes as it usually does. Right, Ralf? Sure, as for the last 1.5 years, once a new Apache version is out, at the same time (sometimes even some time before ;) a corresponding mod_ssl version is available which applies cleanly to the current Apache state. So the fact that EAPI needs adjusting is not important for end users. I take care of this all the time. But as it looks, the chances are high that we get EAPI into Apache 1.3.11 (not 1.3.10, for this it was too late and so the resistance was already too high). Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Upgrading to next version of Apache
When the next version of Apache is released, can you just upgrade the Apache or will mod_ssl and/or openssl need to be reinstalled to retain SSL ? /thinkahead-mode __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Upgrading to next version of Apache
On Tue, 21 Dec 1999 [EMAIL PROTECTED] wrote: When the next version of Apache is released, can you just upgrade the Apache or will mod_ssl and/or openssl need to be reinstalled to retain SSL ? /thinkahead-mode __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] You sould beable to just drop the new apache source into place, and recompile it with the proper params like you did before. This is easiest if you retain the source for mod_ssl and openssl under some apache specific src/ tree, if ya dig what I'm saying; you already built the other two, yer just going to rebuild apache with their inclusion. Thanks, Ron DuFresne -- ~~ admin senior consultant: darkstar.sysinfo.com http://darkstar.sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Version
On Wed, Oct 13, 1999, Charles Williams wrote: I was told we were using mod_ssl but at /apache/bin I type httpsd -v and learn: Server version: Apache/1.3.6 Ben-SSL/1.35 (Unix) Does anyone know where I go for documentation? You're using Ben's Apache-SSL and not mod_ssl. So you should start browsing on http://www.apache-ssl.org/ for documentation. Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Version
http://www.apache-ssl.org/ Charles Williams wrote: I was told we were using mod_ssl but at /apache/bin I type httpsd -v and learn: Server version: Apache/1.3.6 Ben-SSL/1.35 (Unix) Does anyone know where I go for documentation? Chuck Williams __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Version
Title: Version That looks like ApacheSSL - check out http://www.apache-ssl.org. Dom GallagherSystems AdministratorStayfree Internet -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Charles WilliamsSent: 13 October 1999 14:51To: '[EMAIL PROTECTED]'Subject: Version I was told we were using mod_ssl but at /apache/bin I type httpsd -v and learn: Server version: Apache/1.3.6 Ben-SSL/1.35 (Unix) Does anyone know where I go for documentation? Chuck Williams
Re: Version
Hi, Server version: Apache/1.3.6 Ben-SSL/1.35 (Unix) This seems like apache-ssl, http://www.apache-ssl.org _ Balázs Bárány[EMAIL PROTECTED] http://www.tud.at ICQ 10747763 Computers. You can't live with them, you can't live without them. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
ANNOUNCE: Online Version of OSSC Presentations
It's my pleasure that by courtesy of Holger Reif I can provide you online versions of the presentations o ``The beautiful features of SSL'' o ``How to get SSL into Apache'' which Holger gave last months at O'Reilly Open Source Software Convention 1999 in Monterey. The presentations (talk and tutorial) are available in both HTML/JPEG and Postscript format from http://www.modssl.org/docs/ossc1999/ Send credits to Holger and flames to me. Greetings, Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
version information
Hello, I noticed when I telnet to localhost on port 80, and do a "HEAD / HTML /" , which I do just to see if the mods show up, and after compiling apache 1.3.9 + mm 1.0.9 + openssl 0.9.4 + mod_perl 1.21 + mod_ssl 2.4.1 + php 3.0.12 , only apache 1.3.9 + openssl , all I see is "Apache/1.3.9 (Unix) mod_ssl/2.4.1 OpenSSL/0.9.4", is this something mod_ssl does, or is this a problem on mod_perl and/or php's side? __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: [BugDB] mod_ssl.c version error (PR#177)
You should get Apache 1.3.6 .. mod_ssl-2.2.8 works with that - not with 1.3.4 (nb: the name is: mod_ssl-2.2.8-1.3.6.tar.gz) Nothing more to it. If you can wait a couple of days, that might be a good idea - mod_ssl-2.3.0 is supposed to be released and there is going to be a new version of OpenSSL too. vh Mads Toftum, QDPH --- System Designer / Developer Tele Danmark Nøglecenter - http://www.certifikat.dk/ email: [EMAIL PROTECTED] / [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED] Sent: 23. maj 1999 22:31 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: [BugDB] mod_ssl.c version error (PR#177) Full_Name: Version: 2.28 OS: linux 2.0.36 Submission from: du196.iro.ptd.net (204.186.7.196) I have apache-1.3.3, mod_ssl-2.2.4-1.3.4, openssl-0.9.2b, mod_perl-1.18, and php-3.0.6 with mysql-3.22.20a this combination works great I updated my sorce tree with apache-1.3.4 mod_ssl-2.28 compiled and installed these programs http starts up and works fine, however when i try to start https i receive an error stating that "version of mod_ssl.c incompatable please up-date this file" i'm using the "mod_ssl.c" file that came with mod_ssl-2.28 what can i do? [EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
[BugDB] mod_ssl.c version error (PR#178)
Full_Name: Version: 2.28 OS: linux 2.0.36 Submission from: du196.iro.ptd.net (204.186.7.196) I have apache-1.3.3, mod_ssl-2.2.4-1.3.4, openssl-0.9.2b, mod_perl-1.18, and php-3.0.6 with mysql-3.22.20a this combination works great I updated my sorce tree with apache-1.3.4 mod_ssl-2.28 compiled and installed these programs http starts up and works fine, however when i try to start https i receive an error stating that "version of mod_ssl.c incompatable please up-date this file" i'm using the "mod_ssl.c" file that came with mod_ssl-2.28 what can i do? [EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
[BugDB] mod_ssl.c version error (PR#177)
Full_Name: Version: 2.28 OS: linux 2.0.36 Submission from: du196.iro.ptd.net (204.186.7.196) I have apache-1.3.3, mod_ssl-2.2.4-1.3.4, openssl-0.9.2b, mod_perl-1.18, and php-3.0.6 with mysql-3.22.20a this combination works great I updated my sorce tree with apache-1.3.4 mod_ssl-2.28 compiled and installed these programs http starts up and works fine, however when i try to start https i receive an error stating that "version of mod_ssl.c incompatable please up-date this file" i'm using the "mod_ssl.c" file that came with mod_ssl-2.28 what can i do? [EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: [BugDB] mod_ssl.c version error (PR#177)
On Sun, May 23, 1999, [EMAIL PROTECTED] wrote: Full_Name: Version: 2.28 OS: linux 2.0.36 Submission from: du196.iro.ptd.net (204.186.7.196) I have apache-1.3.3, mod_ssl-2.2.4-1.3.4, openssl-0.9.2b, mod_perl-1.18, and php-3.0.6 with mysql-3.22.20a this combination works great I updated my sorce tree with apache-1.3.4 mod_ssl-2.28 compiled and installed these programs http starts up and works fine, however when i try to start https i receive an error stating that "version of mod_ssl.c incompatable please up-date this file" i'm using the "mod_ssl.c" file that came with mod_ssl-2.28 I guess you've built mod_ssl via APXS outside the Apache source tree and because of EAPI changes between 2.2.4 and 2.2.8 it is considered incompatible by mod_so. Sorry, you've to rebuild the whole Apache package. Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Problems with IE 4.0 German Version
Hi, We have always the same problem with the IE 4.0 SP1 German (4.72.3110.8). We use Apache 1.3.6 with mod_ssl 2.2.8 and PHP 3.0.7 on Solaris 2.5.1 (The same problem is also with the Stronghold 2.4.2 webserver). When I connect to the secure webserver IE 4.0 say: "Die übertragene Datei ist nicht verfügbar. Dies könnte möglicherweise durch die Sicherheits- oder Spracheinstellungen verursacht worden sein, oder die angeforderte Datei konnte nicht vom Server geladen werden." With the IE 4.0 english same Version and IE 4.0 SP1a german work fine.Had anyone a solution for our problem ? Thank you. Stephan Toggweiler __ Apache Interface to OpenSSL (mod_ssl) www.engelschall.com/sw/mod_ssl/ Official Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: [PHP-DEV] ANNOUNCE: MM library, version 1.0b1 (fwd)
Hello, Currently I've implemented the following variants which already cover 95% of all current major Unix platforms AFAIK: Shared Memory: o Classical mmap() on temporary file o SVR4-style mmap() on /dev/zero o mmap() via POSIX.1 shm_open() on temporary file o 4.4BSD-style mmap() via MAP_ANON o SysV IPC shmget() Mutex/Semaphore: o 4.2BSD-style flock() on temporary file o SVR4-style fcntl() on temporary file o SysV IPC semget() I don't know if this is already in the plans, but while you are at it you could use this library to add support to PHP for named semaphores and shared memory. Currently the only way to share semaphores and shared memory keys between two instances of the same PHP script run by different Apache threads is by hardcoding key numbers in the script. The way I see it this raises a problem regarding the availability of the key. It might happen once in a while that the hardcoded key number may have been acquired by some other process besides the one that your PHP script runs on. This may be problematic because it may leave your script waiting for a semaphore that is being hold by some other process to arbitrate the access to a completely unrelated resource. My suggestion is that instead of using hardcoded keys, there should be a way to allocate a private key (IPC_PRIVATE). So, if the script wants acquire a semaphore/shared memory, it would pass a string that would be used an index for an associative array of keys. If there is no key associated to the given named index, the key allocation code would allocate a new private key and would store it in the associative array. So, next time the script asks for the same named key, the same private key would be fetched and returned. Of course all the associative array of keys would have to be stored in shared memory arbitrated with their own private set of semaphores. So, the shared memory/semaphore pools would come right in hand for the job. Just let me know what do you think about this and if you think it is feasable. Bye __ Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/ Official Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: ANNOUNCE: MM library, version 1.0b1
Ralf S. Engelschall wrote: Mutex/Semaphore: o 4.2BSD-style flock() on temporary file o SVR4-style fcntl() on temporary file o SysV IPC semget() and send me your results. One thing I noticed that if all 3 mutexes are available, fcntl() will be chosen (since it's the last). The rub is that fcntl() is slow and expensive (well, it _can_ be) on systems running NFS. I would suggest the preferences be: semget() flock() fcntl() thus fcntl() is chosen only as a last resort... Make sense? -- === Jim Jagielski ||| [EMAIL PROTECTED] ||| http://www.jaguNET.com/ "That's no ordinary rabbit... that's the most foul, cruel and bad-tempered rodent you ever laid eyes on" __ Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/ Official Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Digest Version of the mod-ssl mailing list query
Is there a digest version of the mod-ssl mailing list available? Thanks, Travis. __ Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/ Official Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
ANNOUNCE: mod_ssl 2.0.14 (stable maintainance version)
Now after finishing the DSO support for the 2.1 development branch I found
time to incorporate and backport stuff to the stable 2.0 branch. The detailed
CHANGES entries are appended. The most noticeable change (especially for
package maintainers) is the fact that `make certificate TYPE=dummy' works
again as expected.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Changes with mod_ssl 2.0.14 (09-Oct-1998 to 01-Nov-1998)
*) Backport from 2.1 branch:
Renamed snakeoil.{crt,key} to snakeoil-ca.{crt,key} and created a real
dummy server certificate/key pair as snakeoil.{crt,key} which is now
used under `make certificate TYPE=dummy'. This fixes the recently
occured problem where Netscape rejected the dummy certificates because
they had the CA flag set.
*) Upgraded to included Thawte Strong Extranet sources (ssl.contrib/sxnet/)
from version 1.2.2 to the current 1.2.3.
*) Backport from Apache-SSL:
Incorporation of recent Base64 (uuencode) encoding bugfixes.
*) Backport from 2.1 branch:
Fixed the "SSLVerifyType optional_no_ca" situation: The situation
has to be checked against more SSLeay errors, because under SSLv3
certificate chain loading leads to the presentation of the client CA
certs, too. Here SSLeay gives different errors.
*) Fixed documentation of SSL_CLIENT_Ix509 and SSL_SERVER_Ix509
environment variables.
*) Fixed mod_proxy source for the situation where
no --enable-module=ssl is used.
*) Make sure the stand-alone ssl_gcache program compiles
correctly even under SunOS where no strerror() exists.
*) Backport from 2.1 branch:
Fix "uchar" redefinition problem under AIX.
__
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
