On Tue, Oct 19, 2010 at 04:35:49PM -0400, Jeff Blaine wrote:
Works: SSL via my corporate cert, SSL via 3 other people's
corporate certs
Fails: 1 person's cert so far, yet is logged as SUCCESS
when logging SSL_CLIENT_VERIFY via CustomLog
Your verbose description of something goes is not
On Tue, Aug 17, 2010 at 12:47:26PM +0200, Ulf Wahlqvist wrote:
I still don't get it. I used Wireshark and found out that the
certificate sent to the OCSP-responder is the CA-cert, not the
client-cert to be validated! I am clueless.
The code tries to verify each cert in the client cert chain
On Thu, Nov 19, 2009 at 03:19:00PM -0500, David Rosenstrauch wrote:
Hi. I'm tearing my hair out over an SSLRequire directive that doesn't
seem to be working. Can anyone help?
The directive is actually quite simple:
# Require SSL over non-obvious port 81 for SVN access
SSLRequire
Zhumabekov - discussion of mod_ssl for httpd 2.x takes place on the
development list for Apache httpd, CC'ed. (I'm quoting the full mail
inline for reference of dev@ readers)
On Wed, May 06, 2009 at 10:49:46AM +0600, Zhumabekov Yerden wrote:
mod_ssl can perform client authentication
On Fri, Jun 27, 2008 at 08:40:43AM +0200, Florian Hackenberger wrote:
On Thursday 26 June 2008, Florian Hackenberger wrote:
On Thursday 26 June 2008, Joe Orton wrote:
It denies access for what type of request, a directory listing?
Ok, I think I understood the intention of your question
On Thu, Jun 26, 2008 at 05:55:45PM +0200, Florian Hackenberger wrote:
<Directory /usr/local/htdocs/directory/subdirectory>
SSLVerifyClient require
SSLVerifyDepth 1
</Directory>
The problem is that apache denies access to:
https//MYSERVER/directory
It denies access for what
On Thu, Jun 05, 2008 at 10:47:25AM -0600, Keith Hellman wrote:
This sounds a lot like
https://issues.apache.org/bugzilla/show_bug.cgi?id=42625
https://issues.apache.org/bugzilla/show_bug.cgi?id=12355
But I think it is different. I'm using certificates for authentication
to all of my
On Mon, May 19, 2008 at 10:13:45AM +0200, Michael Ströder wrote:
HI!
(Re-sent since my message through gmane didn't come through.)
Maybe I'm overlooking the obvious but it seems that env var
SSL_CLIENT_S_DN_UID is not set when using a client cert for authentication.
The following env vars
On Fri, May 23, 2008 at 04:46:48PM +0200, Michael Ströder wrote:
In the current 2.x mod_ssl sources, UID maps to:
#ifdef NID_x500UniqueIdentifier /* new name as of Openssl 0.9.7 */
{ UID, NID_x500UniqueIdentifier },
#else /* old name, OpenSSL 0.9.7 */
{ UID,
On Fri, May 23, 2008 at 05:23:34PM +0200, Michael Ströder wrote:
Ok, then the OID in my cert is 0.9.2342.19200300.100.1.1 (attribute type
'uid' specified for pilotPerson). That seems right to me since it's
compliant with RFC 4514 which contains a table of short and long attribute
type names
On Mon, Nov 19, 2007 at 09:24:09AM +, Anony Mouse wrote:
I've found myself in the same quandary as this guy [1]. My CA
structure is as follows.
- RootCA
- SubCA1
- SubCA1 Server
- SubCA1 Clients
- SubCA2
- SubCA2 Server
- SubCA2 Clients
I have two HTTPS vhost
On Fri, Dec 14, 2007 at 02:10:17PM -0600, Chris Jordan wrote:
Hi folks,
I'm a complete newbie to compiling apache, and I'm trying to install my
first SSL certificate. All instructions I can find so far all assume that I
have mod_ssl installed already.
I'm willing to install it, but all of
On Tue, Aug 07, 2007 at 02:25:54PM +0200, Arsen Hayrapetyan wrote:
Hello,
I am setting up client authentication with X.509 certificates.
The client has the certificate subject DN of the following form:
/C=XX/O=YYY/OU=ZZZ/OU=PPP/CN=TTT
I need to catch both OUs in my perl CGI script. But when
On Thu, Aug 31, 2006 at 09:17:10AM -0400, Patrick Patterson wrote:
On Thursday 31 August 2006 09:14, Patrick Patterson wrote:
(I'll probably take this over to modssl-devel, but since you asked, I
thought that I would bring it up here.)
Hmm - I thought there WAS a developers mailing
On Tue, Jun 06, 2006 at 03:36:37PM -0400, Paul D. Robertson wrote:
I'm trying to get mod_proxy to work as an SSL proxy using a client
certificate on the proxy to connect to a backend IIS server that's set up
to use any client certificate signed by my OpenSSL-based CA.
If I use a browser
On Mon, May 08, 2006 at 08:58:42AM +0200, Ralf S. Engelschall wrote:
On Tue, Apr 04, 2006, Love Hörnquist Åstrand wrote:
(gdb) bt
#0 CRYPTO_get_ex_data (ad=0xe8, idx=137019688) at ex_data.c:628
#1 0x4035c035 in SSL_get_ex_data (s=0x1, idx=296) at ssl_lib.c:2220
Looks like
On Wed, Apr 26, 2006 at 01:12:50PM +0800, Ken Chen wrote:
FYI.
We had to choose to test that by using other versions and we found
that the problem is resolved if we downgrade to 2.0.50.
Was this an exhaustive search: 2.0.51 failed but 2.0.50 worked? That
would be a little surprising: there
On Fri, Apr 21, 2006 at 10:23:24AM +0800, Ken Chen wrote:
Cliff,
I have reset the timeout to 600, but the problem remains. I wonder
whether it's the timeout problem because the problem appears
immediately after pressing Upload!
Sometimes the problem is Page can't be displayed; sometimes
On Tue, Feb 07, 2006 at 05:02:43PM -0500, Cliff Woolley wrote:
On 2/7/06, Gordon Ross [EMAIL PROTECTED] wrote:
I've got a Linux box with OpenSSL 0.9.8a installed (configured with
threads, zlib shared) I then configured and installed Apache 2.0.55
with SSL support (configure --enable-ssl
On Wed, Aug 31, 2005 at 10:47:39AM +0200, Bernhard Erdmann wrote:
this is exactly what I recognized. When Apache 2.0.54 runs on RHEL AS 3
using SSL, it opens TCP connections to itself on a regular schedule.
2.0 does this to wake up idle child processes, which can then exit, it's
perfectly
On Fri, Jun 03, 2005 at 08:56:56AM +0200, yvin Smme wrote:
Method 2 (SSLRequire):
The user-id field is just '-'.
Can I somehow configure apache/mod_ssl to only store certain elements of
the DN (e.g. the CN in the DN) as the user-id in the access-log?
mod_ssl in httpd 2.0 supports the
On Tue, May 31, 2005 at 05:10:27AM -0700, Bibhash Roy wrote:
I am hosting Apache Web Server on Red Hat Enterprise (RHEL4).
The apache rpm is httpd-2.0.52-9.ent
...
2.
When I add a ssl-enabled virtual-host, I get the following error on restart:
[EMAIL PROTECTED] ~]# /etc/init.d/httpd restart
There was some discussion on modssl-users a while back on this topic; we
had some concerns about extracting ca-bundle.crt directly from the
Mozilla CA list sources. But after discussing this with Frank Hecker
and some others there is agreement that there are no licensing issues
here really.
On Fri, Jan 14, 2005 at 04:48:09PM -0500, Jason Kaskel wrote:
This is technically both a mod_perl and mod_ssl question. Maybe I
should harass their mailing list too.
I have a PerlAccessHandler that needs to access certificate
information. According to what I've read the environment isn't
On Sat, Dec 25, 2004 at 10:52:27PM -0500, Cliff Woolley wrote:
On Sat, 25 Dec 2004, Adolfo Bello wrote:
I heartily agree.
Unfortunately, I've been waiting for more than a year for this problem
to be fixed in Apache 2.0.x :-(
This bug was opened on 2002-09-06
On Thu, Oct 07, 2004 at 02:32:18PM -0400, Adolfo Bello wrote:
Hi list:
I don't know if this is the right list to place this question.
I've been eagerly awaiting the solution of the certificate renegotiation
with post problem for Apache2. However, I just took a look at Apache 2.1
code and
Ralf, here's the fix I suggest for the CAN-2004-0885 SSLCipherSuite
bypass issue (http://issues.apache.org/bugzilla/show_bug.cgi?id=31505):
does it look OK?
I've tested this on a server running OpenSSL 0.9.6 from a custom-hacked
client which resumes the session during the renegotiation for a
On Tue, Jul 20, 2004 at 06:19:13PM +0200, Juergen Weigert wrote:
On Jul 17, 04 08:57:09 +0200, Ralf S. Engelschall wrote:
On Fri, Jul 16, 2004, Joe Orton wrote:
[...] I think it's portable to assume time_t is a long...
[...]
I'd appreciate
assert(sizeof(time_t) == sizeof
On Sat, Jul 17, 2004 at 08:57:09AM +0200, Ralf S. Engelschall wrote:
Yes, although they are not security related, they could crash the
server, too. So we should fix those formatting bugs, too. A little bit
of extra casting might be required, I think. I've now committed to my
CVS for mod_ssl
I'm checking an older version of mod_ssl but there are a couple of other
uninteresting format string warnings from gcc. I think it's portable to
assume time_t is a long...
--- ./ssl_engine_io.c.warnings 2002-02-23 18:45:45.0 +
+++ ./ssl_engine_io.c 2004-07-16 22:02:32.0
On Thu, Jul 01, 2004 at 10:50:30PM +0200, Fulvio LAZ wrote:
If I set LogLevel debug and SSLVerifyClient require I can see into error_log:
[info] Server built: Mar 16 2004 15:30:28
[debug] prefork.c(1037): AcceptMutex: pthread (default: pthread)
[notice] child pid 18934 exit signal
On Thu, Jun 17, 2004 at 05:09:31AM +0900, AIDA Shinra wrote:
Hello,
I am packaging sole ca-bundle.crt for Fink.
http://sourceforge.net/tracker/index.php?func=detail&aid=928157&group_id=17203&atid=414256
Fink package system has License field. I must fill it. What is the
license of sole
On Thu, May 27, 2004 at 05:09:17PM +0200, Boyle Owen wrote:
On Thu, May 27, 2004 at 15:21:37 +0200, Ralf S. Engelschall wrote:
Changes with mod_ssl 2.8.18 (11-May-2004 to 27-May-2004)
*) Fix buffer overflow in SSLOptions +FakeBasicAuth
implementation
if the Subject-DN
On Tue, May 25, 2004 at 09:42:58AM +0200, Boyle Owen wrote:
Greetings,
This alert has appeared recently. Is anyone aware of it?
Yes, this is CVE CAN-2004-0488. It can only be triggered if mod_ssl is
configured to use FakeBasicAuth and will trust a CA which issues a
client cert with a 6K long
On Wed, May 19, 2004 at 05:06:51PM +0200, Sven Geisler wrote:
Hi,
I upgraded from RedHat 7.3 to RedHat Enterprise Linux 3.0 with
httpd-2.0.46-32.ent.rpm and mod_ssl-2.0.46-32.ent.rpm.
Users with T-Online software 5.0 can't use https since this update.
Http works fine for this users.
I used
On Fri, Mar 12, 2004 at 01:19:04PM +0100, Boyle Owen wrote:
Does the DoS vulnerability reported in
http://secunia.com/advisories/11092/ affect the mod_ssl-2.8.16-1.3.29
codebase?
No, it doesn't.
joe
__
Apache Interface to
On Mon, Mar 08, 2004 at 03:59:29PM -0500, Kevin C Miller wrote:
I've patched mod_ssl to export some V3 extension information from
certificates into the environment. We are issuing client certificates with
the Subject Alternative Name being used to specify DNS names / email
addresses and
On Fri, Jan 30, 2004 at 11:02:06AM -0600, Avery, Ken wrote:
I have been tracking this down for a couple of weeks and thought it was
in the code my company is developing and it appears that is not the
case. In order to eliminate our code from the mix and isolate the
problem here is what I did:
On Wed, Oct 08, 2003 at 06:56:54AM -0400, Jeffrey Burgoyne wrote:
Hi;
I just upgraded an Apache server 1.3.26 with OpenSSL 0.9.7c and mod_ssl
2.8.9 from Openssl 0.9.6d.
I now get the following errors :
Server www.eac-trousse.ic.gc.ca:443 (RSA)
Enter pass phrase:
Server
I am trying to compile in mod_ssl 2.8.15 into the apache1.3.28 source
and using openssl-1.9.7a-2 installed from an RH RPM and I am getting the
following error:
ranlib libstandard.a
=== src/modules/standard
=== src/modules/ssl
gcc -c -I../..
On Mon, Jul 28, 2003 at 10:09:49PM +1200, James Collier wrote:
I am in the process of upgrading a site from 1.3.x to 2.0.47, and have
encountered a (perhaps obscure) problem.
For mod_rewrite I sometimes need to extract and/or test client
certificate field values.
Under 1.3.27/2.8.14 and
On Fri, Mar 21, 2003 at 12:30:36PM +0100, Ralf S. Engelschall wrote:
-if ((xs = SSL_get_certificate(ssl)) != NULL)
+if ((xs = SSL_get_certificate(ssl)) != NULL) {
result = ssl_var_lookup_ssl_cert(p, xs, var+7);
+X509_free(xs);
+}
}
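Review bot: the added X509_free(xs) in this branch releases a certificate obtained from SSL_get_certificate(), which returns a pointer owned by the SSL object and does not hand the caller a new reference. Freeing it here drops a reference this code never took, which can leave the server certificate freed while the connection still uses it. Suggest keeping the original unbraced form for this branch and calling X509_free() only on a certificate returned by SSL_get_peer_certificate(), which does return a reference the caller owns.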
That
in 1.3) and
wildcard DNS. Apache 2.0/mod_ssl is not vulnerable since it already
escapes this HTML.
Regards,
joe
--
Joe Orton, Red Hat Europe, Stronghold Engineering
http://stronghold.redhat.com/
Hi - you might be better off asking these questions on the openssl-users
list.
On Thu, Oct 10, 2002 at 10:18:48AM -0400, [EMAIL PROTECTED] wrote:
..
x509_extensions = usr_cert
This looks like a simple typo, the above requires a section called
'usr_cert', yet
documentation of SSLProxyMachineCertificateFile is at
least misleading.
Yes, it's been cut'n'pasted badly; you could report a documentation bug
on that at http://nagoya.apache.org/bugzilla/
Regards,
joe
--
Joe Orton, Red Hat Europe, Stronghold Engineering
On Tue, Oct 15, 2002 at 12:07:56PM -0700, Daniel Lopez wrote:
The Apache documentation (www.apache.org) describes SSLProxy* as part of
mod_ssl. Why isn't there any information about SSLProxy* on www.modssl.org?
(Probably Ralf Engelschall can explain this.)
Because nobody wrote it :( I
, this is someone trying but failing to exploit the vulnerability in
earlier versions of OpenSSL (probably the Slapper worm). You can also
ignore the interrupted handshake warnings too if you were worried
about them, they're quite normal on production servers.
joe
--
Joe Orton, Red Hat Europe
On Fri, Jun 21, 2002 at 03:00:40PM -0400, Karl Grindley wrote:
after upgrading to Apache 1.3.26 and ModSSL 2.8.9, the webserver seems
to die after/during log rotation with the following errors. It appears
that when the logs either don't exists, or some other scenario, the
webserver dies
On Mon, May 20, 2002 at 05:28:06PM -0400, Cliff Woolley wrote:
touch ssl_expr_parse.c
touch ssl_expr_parse.h
touch ssl_expr_scan.h
Crap, my fault... that last one should have been
touch ssl_expr_scan.c
There is no ssl_expr_scan.h.
HP-UX make can be tricky here though because it
On Fri, May 10, 2002 at 05:51:04PM +0100, Noel O'Kelly wrote:
We have a report of a problem from 2.8.6 onwards due to a change in the
seeding of the PRNG which halves the
performance of SSL requests. Any update on this ???
Hi, here's the fix we're using...
Submitted by: Nalin Dahyabhai
Here are the outstanding shmcb changes which didn't make it into 2.8.7,
extracted from Geoff's patch. These fix the remaining SIGBUS problem(s)
on SPARC etc.
--- pkg.sslmod/ssl_scache_shmcb.c.orig Fri Mar 30 11:00:34 2001
+++ pkg.sslmod/ssl_scache_shmcb.c Tue Jul 10 13:37:10 2001
@@
Hi,
On Tue, Jul 10, 2001 at 04:03:14PM +0100, Paul Hooper wrote:
./configure \
--with-apache=/vg_U2YDEV_HOME/u2ydev/users/phooper/UMS_WEB/build/apache_1.3.
12 \
--with-ssl=/vg_U2YDEV_HOME/u2ydev/users/ums_web/openssl-0.9.6a \