seless. That why CipherSuite strings usually start with some "XXX:YYY:ZZZ"
followed with appended ":+AAA:+BBB" where AAA and BBB are subparts of XXX, YYY
or ZZZ. Read the mod_ssl user manual carefully. I think I've explained it
there in detail.
t a client certificate is already known/present, it's
enough to manually force a client verification but skip the renegotation
handshake itself.
Is this optimized approach still secure?
Ralf S. Engelschall
[EMAIL
private address is not intended for user
support. Thanks.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
tial reason I
created the OptRenegotiate option. To allow the user to choose himself
whether this optimization is wanted by him.
Ralf S. Engelschall
[EMAIL PROTECTED]
of administration simplicity. It doesn't look
good when the browser complains about the hostname mismatch.
FAQ: http://www.engelschall.com/sw/mod_ssl/docs/2.2/ssl_faq.html#ToC30
Ralf S. Engelschall
[EMAIL PROTECTED
when
you build with RSAref.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL
ork? The HTML code? The
:SSL hyperlinks? Just posting two HTML code snippets isn't enough to expect a
reasonable answer, of course. When you mean why the :SSL doesn't work, please
first check your configuration. It's a plain mod_rewrite question and I guess
you
configure option thst i missed ??
Err.. no! Instead seems like you messed up something locally. I've checked
the configure script and extra tried it out: The user manual _IS_ correctly
installed.
Ralf S. Engelschall
[EMAIL
her local certs/keys.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.engels
a
libhttp. You just have to incorporate these work.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
.
Is this on a SuSE/Linux box?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.engelschall.co
/Linux box?
Sorry, i forgot to specify my system .., yep it's on SuSE 6.0 as well as on
SuSE 6.1.
Then welcome to the club of people fighting against SuSE's broken NDBM
library... Use --enable-rule=SSL_SDBM as a workaround.
a mismatch between your CA certs and
your client cert. Check these two things first.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
at
happens is not that the children are forked on the first request. They are
forked at startup, but the startup needs a lot more time than with a non
SSL-aware Apache.
Ralf S. Engelschall
[EMAIL
additional clues...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl
est'
make: *** [tests] Error 2
I am running RedHat 5.2 Linux with gcc 2.8.1
Look at http://www.openssl.org/source/ and ftp://ftp.openssl.org/source/,
please. We've already released a patch which solves (ok, tries to avoid ;)
this RSAref-related problem.
Ralf S. E
On Fri, Apr 23, 1999, Volker Borchert wrote:
In message [EMAIL PROTECTED] Ralf S. Engelschall writes:
| What happens is that with
| mod_ssl the startup can take a few seconds(!) more (up to 10s on slow
| machines!)
It can take more than a minute on a Sparcstation 2.
Sure, it takes
it segfaults?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.engelschall.com/sw/mod_ssl
inside the Configure script of OpenSSL.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface
ngine on" and is
similar to Listen in usage.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Index: src/include/ht
no chance for a quick'n lazy installation.
Perhaps a chance is that you try "perl Configure linux-elf no-asm" and
succeed...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engel
local browser issue.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.engels
this be easy to make into a FreeBSD port?
No, there is no such combined port. Instead it's easier to build without the
ports system by following the steps at the end of the mod_ssl INSTALL
document.
Ralf S. Engelschall
[EMAIL
tfile" to change the index.txt database file. For older versions
you've to edit it manually. How does is done was already explained in detail
on the openssl mailing lists. Look inside the archive, please.
Ralf S. Engelschall
6 and have installed gcc 2.8.1 yesterday. I assume
there is something simple I am missing, ld is in the path and I am stumped.
I guess you've installed gcc incorrectly or at least it's a binary not
intended for that particular Solaris platform and this way it's broken.
for this or I'll have to write it?
Use --enable-rule=SSL_SDBM
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
compatibility some RewriteRules exists for the
website and aliases will be provided for the old mail addresses, of course.
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED
] (for replies to bugdb messages)
mailto:[EMAIL PROTECTED] (list manager)
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
ne.
Check this first.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
st two little
entries: "want to run HTTP and HTTPS on the same machine. Is that
possible?" and "Why does my browser hang when I connect to my SSL-aware
Apache server?"....
Greetings,
Ralf S. Engelsc
it) and rsync (likewise).
So is there any chance you could produce a Snapshot tarball or two, in the
same way as the OpenSSL site does ?
/bin/done: ftp://ftp.modssl.org/snapshot/
Ralf S. Engelschall
[EMAIL PROTECTED
e between "not found" and "not decryptable" here and this way
mod_ssl can't give a more reasonable error message. I'll try to find a
solution for a better error message...
Ralf S. Engelschall
into httpd. Alternatively you can use just --enable-module=so do get it.
That's all you need for using APXS.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engel
've to fix it for Apache
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSS
.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl
seem to have an "AddModule mod_ssl.c" directive without either a
statically linked libssl.a or a DSO loaded previously via "LoadModule
ssl_module .../libssl.so". Check your configuration, please.
Ralf S. Engelschall
will allow me to
Generate Certificate and Private Keys for VeriSign enrollment. (
Client requirements)
To first read the mod_ssl FAQ, of course.
There are details on how to use OpenSSL to generate CSR and certificates.
Ralf S. Engelschall
).
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl
e-mail before I leave work for the night.
No, "eq" and "==" are actually totally equal in SSLRequire
Ralf S. Engelschall
[EMAIL PROTECTED]
S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List
(i386). Do you have any suggestions?
Please upgrade to mod_ssl 2.2.8 and Apache 1.3.6.
There the problem should not occur. Thanks.
Ralf S. Engelschall
[EMAIL PROTECTED
es for ISS. But perhaps
ISS per default does an unclean shutdown...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engel
they are prepared for
a long time) to the 2.3 CVS tree. But when you're interested in testing, I can
send you the patch for testing with the latest CVS snapshots.
Ralf S. Engelschall
[EMAIL PROTECTED
/src/Configuration.tmpl actually contains
a line for mod_ssl. When not, something already broke when applying the
sources.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
default
you cannot get the session id (and I see no real reason why you should), but
with two or three EAPI-related lines in mod_jserv and mod_ssl you could
retrieve this information from mod_ssl, I think.
Ralf S. Engelschall
,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl
to resovle this problem?
Change the CN (Common Name) in your server certificate
to match the FQDN (Fully Qualified Domain Name) or
your server, i.e. usually CN=www.foo.dom
Ralf S. Engelschall
[EMAIL
o the file referenced under SSLCertificateFile?
In mod_ssl 2.2.8 this (confusing) error (message) occurs when mod_ssl cannot
find a private key at all. So make sure you've configured it correctly.
Ralf S. Engelschall
[EMAIL
uot;.*MSIE.*" nokeepalive ssl-unclean-shutdown
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing
control!
The FAQ would be your friend:
http://www.modssl.org/docs/2.3/ssl_faq.html#vhosts
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
result);
[...]
Is there a reason why you reverse the bytes?
I think it should be ``..."%s%x", result, pSessio..''.
OTOH you can use ssl_scache_id2sz() for this task
Ralf S. Engelschall
e latest mod_ssl
snapshot from ftp://ftp.modssl.org/snapshot/?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
_
or your efforts.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to O
logically, but
not physically. And as I said, when you do the redirect in an own module it
would be more clean to set the vars there, too.
Ralf S. Engelschall
[EMAIL PROTECTED
rder. At least with my
variant I've now comitted for 2.3.0 the SSL_SESSION_ID which a "GET
/cgi-bin/printenv HTTP/1.0" prints through a "openssl s_client" connection is
identical to the string "openssl s_client" itself prints out while processing.
it's
arguments and sets the variables inside an internal structure which you later
use under run-time. For instance something like
SSLLDAP server=callisto.comune.modena.it port=3389 dn=foobar passwd=test
Ralf S. Engelschall
) NameVirtualHost in the httpd.conf. Used
VirtualHost 1.2.3. for vhost1 and VirtualHost 4.5.6. for vhost2.
Why did you comment out Listen? You still need this, of course.
Ralf S. Engelschall
[EMAIL PROTECTED
? H.. I see no reasonable intention
in this. What's your intention for this wish?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
is removed.
Please update the INSTALL file to the release of
modssl 2.3.0. Thank you!
Ops, yes: you're right: "-DNO_IDEA" is now "no-idea". Same for the RSAref
stuff where one now can use "rsaref". I've fixed this for 2.3.0. Thanks for
your feedback.
the ssl_engine_dh.c source. It's now fixed. Please fetch the latest
tarball (= modssl-SNAP-19990521.tar.gz) any try again. Thanks for testing.
Ralf S. Engelschall
[EMAIL PROTECTED
BM library?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.modss
uot; shows this...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.
to Versign - only to you -, so they couldn't send it
to you.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
you report this to the [EMAIL PROTECTED] mailing list,
so one of our Win32 experts can pick it up? Thanks.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engel
is a test page for apache..
Anyone have any help on this?
"SSLEngine on" (http://www.modssl.org/docs/2.3/ssl_reference.html#ToC7).
Additionally look inside the provided httpd.conf-dist file.
Ralf S. Engelschall
FAQ). Additionally make sure both the
server.crt and server.key file can be read with "openssl x509" and "openssl
rsa".
Ralf S. Engelschall
[EMAIL PROTECTED]
the new directory layout of the forthcoming OpenSSL
0.9.3 for the Win32 part of mod_ssl. I've now fixed the Makefile.win32 of
mod_ssl to include both /I$(SSL_INC) and /I$(SSL_INC)\openssl. Thanks for
your feedback.
Ralf S. Engelschall
ur problem is solved.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface
SSL/TLS toolkit OpenSSL, which
is based on SSLeay from Eric A. Young and Tim J. Hudson. The mod_ssl package
was created in April 1998 by Ralf S. Engelschall and was originally derived
from software developed by Ben Laurie for use in the Apache-SSL HTTP server
project.
As a summary, here
On Tue, May 25, 1999, Paul Rubin wrote:
Thanks. Can you tell me Matthias Loepfe's email address?
It's in the source of gid-tagcert.c:
[EMAIL PROTECTED]
Ralf S. Engelschall
[EMAIL PROTECTED
.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl
, but perhaps has different binary headers on the
stored values.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
would make life so much simpler.
Sure, but then the whole efforts Netscape and Versign made would be useless,
of course. So, no, I don't think there will be a trick to tag the stuff
before importing it...
Ralf S. Engelschall
/ -lRSAglue -lrsaref
This has to read -L`pwd`/../rsaref-2.0/local/ (note the backticks!)
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
/
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Changes with mod_ssl 2.3.1 (25-Apr-1999 to 28-May-1999)
*) Fixed two memory leaks in ssl_util_ssl.c related
with mod_ssl, will it wipe out my mod_perl?
You can build with both mod_ssl and mod_perl, of course.
Look at the end of the INSTALL document in the mod_ssl distribution
for details.
Ralf S. Engelschall
[EMAIL PROTECTED
Pala"
/Directory
Which mod_ssl version are you using?
Can you present the whole httpd.conf, too?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engel
out any of your OCSP patches)?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface
ixed for 2.3.2. Thanks
for your feedback.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
___
. It has to be a local platform related problem, IMO.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
important that
first you try it out with a plain Apache+mod_ssl without any OCSP patches from
you.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
, that's the idea behind using MM inside Apache. But the "SSLSessionCache
shm" stuff is still not released with 2.3.x. I'm planning to release it with
2.3.2 or 2.3.3. It's already prepared, but still keeps dumping core... ;)
Ralf S. E
will work, of course.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL
u automatically. Then, when this worked fine for you,
you can start migrating to your old httpd.conf, etc.
Ralf S. Engelschall
[EMAIL PROTECTED]
dditionally when you use mod_ssl's "make certificate" the
questions _doesn't_ read "Your name". It explicitly asks for the FQDN!
Ralf S. Engelschall
[EMAIL PROTECTED
.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing
with this one, please.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl
15 minutes without initial knowledge, doubt me.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache
s stuff is explained.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface
contribute, of course.
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface
.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User
ource tree and the source three
where you've already changes/adjusted the Win32 build files. All I need
is the output of this "diff -ru3" command.
Ralf S. Engelschall
. But I primarily
first need the source patches for the various Win32 build files.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
mod_ssl-2.2.6-1.3.6 + openssl-0.9.3 +RSA on Linux 2.0.36
(Red Hat)
No, this is usually harmless and for instance caused when the user pressed the
STOP button in the browser, AFAIK.
Ralf S. Engelschall
[EMAIL PROTECTED
to merge your old config files with the new
default config files (in case you want to use newer features, etc.).
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
, as
this is is hosted in Switzerland.
Correct, and Switzerland is even more liberal in crypto than Germany ;) (BTW,
the same applies to OpenSSL) Nevertheless these news are important to us...
Ralf S. Engelschall
[EMAIL
. Either use the default paths or adjust them
to meet your RH layout. Read Apache's INSTALL document for details on how you
can change the path layout.
Ralf S. Engelschall
[EMAIL PROTECTED]
t the
main advantage is that the session cache this way should be even more robust
because we no longer rely on the filesystem or external processes.
Greetings,
Ralf S. Engelschall
[EMAIL
301 - 400 of 1055 matches
Mail list logo
