knowledge there is no
switch in mod_ssl to set this flag.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
line tool:
openssl x509 -in /etc/httpd/ssl.key/royal.crt -text
If the certificate is ok, you should see its contents here. But as the
tool is using the same routines as mod_ssl...
Best regards,
Lutz
in the future an anonymous cipher
without DH would be added (does such a thing exist?), it might make
a difference.
Best regards,
Lutz
RC2-CBC-MD5
RC4-64-MD5
These ciphers are SSLv2 ciphers.
Best regards,
Lutz
has to list its supported ciphers, so from the protocol side of view
the only option indeed is to test connections with the ciphers in
question.
Best regards,
Lutz
the SSLRandomSeed
directive in httpd.conf. Details are found in the manual.
Best regards,
Lutz
a httpd.conf option
to enable this flag.
Best regards,
Lutz
upgrading from 0.9.6d to 0.9.6e, so no update for mod_ssl is
required.
Best regards,
Lutz
ld for HP.
Best regards,
Lutz
:
Something is wrong with the configuration?
Yes.
0d 0a 0d 0a 3c 21 44
carriage return
linefeed
carriage return
linefeed
!D
is the start of a plain HTTP answer. Your server doesn't have SSL active
on port 443. Check your configuration.
Lutz
: `NID_x500UniqueIdentifier' undeclared here (not in a
function)
Do not use 0.9.7-pre1 (whoever released this version, it was not
released from the OpenSSL team). If you use 0.9.7-betax, the version
is correctly recognized and the problem does not appear.
Best regards,
Lutz
out the
OpenSSL request tracker
http://www.openssl.org/support/rt2/
http://www.aet.tu-cottbus.de/rt2/NoAuth/Buglist.html
and more specifically Ticket #82
http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=82
(guest account is guest/guest).
Best regards,
Lutz
internal interface was
changed. I would thus recommend recompiling.
Best regards,
Lutz
, as it requires an
adjustment of mod_ssl, though.)
Best regards,
Lutz
) shows no errors.
You must specify the correct protocol to be used:
SSLRandomSeed startup egd:/path/to/egd-socket ...
^^^
Best regards,
Lutz
).
BTW: for netscape new versions are all shipped with full strength
encryption. Isn't the same available for IE?
Best regards,
Lutz
this problem by an extension to OpenSSL (it would not
be difficult to add a second timeout value and to update sessions that
are reused automatically), but keeping this synchronized with the external
session cache would complicate things significantly.
Best regards,
Lutz
database).
Best regards,
Lutz
.)
Lutz
server_cert.pem
SSLCertificateFile /path/to/server_cert.pem
SSLCertificateKeyFile /path/to/server_key.pem
* The client key. You already put it into iestuff.p12...
Best regards,
Lutz
the cache
until the next connection is opened.
Best regards,
Lutz
the peer's certificate, so when a session is re-used,
this information is not available.
- If you must examine the certificate chain, you only can do it for the
first session negotiated.
Best regards,
Lutz
.
With respect to the error message, mod_ssl can write more messages
than that into e.g. an ssl_engine_log. Did you check all possible
logfiles?
Best regards,
Lutz
-key.html
(I also have not initialized the trusted CA storage for openssl s_client,
which correspondingly complains about self signed certificate in
certificate chain).
Best regards,
Lutz
lds can not exchange the session data, so if a new connection to another
child is opened, a new session will be negotiated (with new cert request).
Of course in this case the browser will drop all other old sessions
for this site.
Best regards,
Lutz
, of which no shared version exists and the modules
of which are normally not compiled relocatable (missing -fPIC). You cannot
link a shared library against a static library.
Best regards,
Lutz
,
Lutz
-go so far.
The automatic usage is brand new and only included in the version to
become 0.9.7 one fine day. If you have =0.9.6 you have to explicitly
specify the place in httpd.conf
SSLRandomSeed startup egd:/var/run/egd-pool
Best regards,
Lutz
or is
not configured, you have a new handshake for every request.
Best regards,
Lutz
ormal http service. Of course s_client does not understand
the original http protocol.
Use a sniffer to confirm this theory and check out the logfiles on the
server.
Best,
Lutz
it should speak https on port 443?
<VirtualHost _default_:443>
...
SSLEngine on
...
</VirtualHost>
Please check out the example httpd.conf file.
Best regards,
Lutz
it blindly, I would have
to work myself through the source.
If you are willing to spend some minutes, get ssldump from
www.rtfm.com/ssldump
It will analyse the communication for you and probably give you the
right hint on the problem.
Best regards,
Lutz
nd to have the dynamic loader
recheck the library paths (ldconfig -a?) on Linux, don't ask me for Sun...
/apache/log/ssl_engine_log
On Mon, Jan 15, 2001 at 04:19:57PM +0100, [EMAIL PROTECTED] wrote:
On Mon, Jan 15, 2001 at 14:54pm +0100 Lutz Jaenicke
[EMAIL PROTECTED] wrote:
It is in my ssl_engine_log, as of httpd.conf:
SSLLog /var/local/apache/log/ssl_engine_log
I set my SSLLogLevel to info and got
, I simply create my own CA and issue my
client certificate myself. It is not more to be trusted than a self
signed certificate.
The authenticity of a certificate can only be guaranteed if you have
additional trustworthy information in the form of the trusted CAs.
Best regards,
Lutz
rification error
(as long as the maximum allowed chain length is not exceeded).
Best regards,
Lutz
the egd routine when it tries to start up?
Did you think of pointing apache to the socket of your already running egd
in httpd.conf?
...
SSLRandomSeed startup egd:/var/run/egd-pool
...
Best regards,
Lutz
"Seeding PRNG with" information?
Best regards,
Lutz
) are introduced.
If you cannot interpret the dump yourself, you can send the output
(I would recommend the decrypted one).
Best regards,
Lutz
On Wed, Jan 10, 2001 at 03:53:52PM +0100, Thierry Coopman wrote:
At 10:51 +0100 10/1/01, Lutz Jaenicke wrote:
- I remember having seen problems with Netscape and normal (no TLS/SSL)
connections with some sites. The data came in fast and was more or less
complete (totally complete from
a via the socket. So actually the PRNGD you have now does
not accomplish its main task, yet!
Would it help if I sent you the bind man page as a whole???
Hopefully yes, as indicated above.
Best regards,
Lutz
ase send me your configuration for inclusion
into future versions.
aller part of the wanted functionality :-)
Best regards,
Lutz
. It should give you a y.tab.c.
If you don't have yacc (hey, you have it, otherwise we would see an error
message), the GNU replacement is called "bison".
Best regards,
Lutz
for yacc:
bison -y $*
(Copy this line into a file called yacc, do "chmod a+rx yacc" and put it
into a directory within your PATH.)
Best regards,
Lutz
installed in this case, but the openssl-0.9.5
shared libraries must be additionally available on the system.
Compatibility is only available at source level.
Best regards,
Lutz
)
RSA keys... Breaking 40bit keys within a day doesn't seem completely
unreasonable in the near future.]
Best regards,
Lutz
ModSSL includes its own tools...)
Best regards,
Lutz
SA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5
OpenSSL is 0.9.6, the additional \ before the ! are needed by tcsh to not
perform history lookup.
Best regards,
Lutz
in httpd.conf
Best regards,
Lutz
t and ... I will get the error
message, because the name obtained in the cert "ssl.fruit.com" does not
match the host I wanted to connect to "banana.fruit.com".
_This_ is the actual problem with VBNH that is not solved by your
approach.
Best regards,
Lutz
will communicate, so you have to instruct mod_ssl to use the egd interface.
SSLRandomSeed startup egd:/etc/entropy
...
Best regards,
Lutz
.
Older versions of mod_ssl cannot handle EGD sockets.
Best regards,
Lutz
gards,
Lutz
PS. Having this said, for several of my DAUs I have created the keys
and the computer center of our university offers the same service for
those who don't know how to create such a key...
messages and can fake the signatures of your
clients. Hence, the automatic generation of the private key on a foreign
server really doesn't make sense. Hence, if I were writing the software,
I would probably omit the feature you are requesting.
Best regards,
Lutz
to check _all_ logfiles, there is especially the
ssl_engine_log.
Best regards,
Lutz
storage, pushed by RSA_generate_key().
I've never seen an OpenSSL routine that fails without message...
Good night,
Lutz
be smaller when EGD is drained)
Best regards,
Lutz
vailable at port 443 of your host. If you have an
openssl s_server running, the default is 4433. At 443 there would be the
https server.
Best regards,
Lutz
available)
egc.pl /etc/entropy read 255 (retrieve 255 bytes of random data)
... see egc.pl for the description.
Best regards,
Lutz
a RSA certificate were present (no problem for OpenSSL clients
and Netscape), but IE just didn't work.
Best regards,
Lutz
]
The next step in tracking this down would be to have a look into the
output of "openssl s_server -debug -state" to see what's up.
From the last posting it seems Ben is already on the track??
Best regards,
Lutz
more weeks before I can think about publishing it :-)]
Best regards,
Lutz
e.
This is necessary, since a DNS lookup (forward or reverse) is insecure,
so you cannot rely on a CNAME resolution or a lookup of the IP number,
only on the name you (the user) are expecting.
[wildcards, if supported, must follow this rule, too.]
Best regards,
Lutz
regards,
Lutz
first "configure" mod_ssl, then "configure" apache with
the ssl module enabled, tends to run fine).
I know it, I run it myself.
Sorry, I cannot give you better information with the data you supplied.
Best regards,
Lutz
scape, which I think to be the better guess.
Sorry, no better answer, but I am also still looking for a better
explanation.
Good luck,
Lutz
it with a, hmm, comfortable script).
Regards,
Lutz
and the client asks the user for the
password, the client PC will not send out packages to the server anymore
(with my SMTP server and TCP protocol).
So much for my actual knowledge,
Lutz