piled with this
option?
The option is /DEAPI for the underprivileged... ;)
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschal
suite is involved) _only_.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
] mod_ssl: Init: Failed to generate
temporary 512 bit RSA private key
FAQ: http://www.modssl.org/docs/2.6/ssl_faq.html#entropy
Ralf S. Engelschall
[EMAIL PROTECTED
ciphers (use "openssl ciphers -v" to find the cipher spec string)
and/or SSLRequire and check the cipher bits with it.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engel
$HOME/.rnd with some initial garbage in it ("cp
/var/log/messages $HOME/.rnd").
Ralf S. Engelschall
[EMAIL PROTECTED]
O and forget to load it later
(i.e. no "LoadModule" directive in your httpd.conf).
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
/ http://origin/" to the
HTTPS VirtualHost on proxy.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
the builtin seeding source instead.
Yours,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
se.
Yours,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
itional
SSLProxy directives available which are similar to SSL for the
HTTPS proxy situation and which can be used for verifying the backend
server.
Ralf S. Engelschall
correctly. What do I do?
Create a $HOME/.rnd file with some initial random data/garbage.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
filesystem where the DBM library perhaps deadlocks itself?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
discovered that it leaks a few bytes per restart while in the
past there was no leak. Can you find out with some tools where it leaks?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engel
touch $HOME/.rnd" doesn't work, of course.
Doing a "cp /vmunix $HOME/.rnd; openssl genrsa ..." or something similar
should work better.
Ralf S. Engelschall
On Sun, Mar 12, 2000, Robert Hiltibidal wrote:
[...]
I wonder could there be something in the -DEAPI option that could cause
SSL to "break"?
[...]
No, I don't think it can break anything.
Ralf S. E
immediately upgrade the Apache installation on
this box. That all...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
ave to use "RewriteLogLevel", too...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
and VirtualHost directives match and that the VirtualHost
..:443 has an "SSLEngine on", too.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engel
s for your understanding.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
(Documentation, FAQs, Mailing Lists, Newsgroups,
etc.). Should your problems then still remain, feel free to contact me again.
Otherwise I'll assume the problem was already solved in the meantime.
Thanks for your understanding.
Ralf S. Engelschall
with this server
and versions.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
On Wed, Mar 15, 2000, Jeff wrote:
Does anyone know what version of RSA BSAFE toolkit is used in OpenSSL 0.9.x
(crypto algorithms, etc.)?
Our OpenSSL doesn't contain the RSA BSAFE toolkit, nor do we use it.
Or did I misunderstand your question?
Ralf S
it. APXS should be fixed to be aware of surrounding
sections.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
host container entries, etc.,
into newly created httpd.conf file ?
It will overwrite your executables and DSOs, but it will
preserve your configuration files.
Ralf S. Engelschall
[EMAIL PROTECTED
away.
Hmmm... strange. But just to make sure: you nevertheless have a "nobody"
in your /etc/passwd, right? But it nevertheless doesn't allow you to
perform a "chown nobody" on some files if you are logged in as root?
H... very strange. What strange OS is this?
(NES) is configured with SSL (server cert only). Can
Apache Proxy act as a SSL client?
If mod_ssl is loaded, mod_proxy can act as a HTTPS client, yes.
Ralf S. Engelschall
[EMAIL PROTECTED
.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User
.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
. [...]
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
for such
an experimental feature.
But keep in mind that for simple HTTPS client support in mod_proxy you
don't need this experimental stuff. mod_ssl always provides basic HTTPS
support for mod_proxy.
Ralf S. Engelschall
[EMAIL PROTECTED
mention apache API plugins.
Yes, and that's especially why the stuff is explicitly called "user
manual" and not "developer manual" ;)
Ralf S. Engelschall
here
"apxs" is the one from the Apache installation which includes EAPI!) and
use the resulting mod_bandwidth.so instead.
Ralf S. Engelschall
[EMAIL PROTECTED]
virtual server part. Check your server configuration, please.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
)
This stuff is declared experimental, because it was still _NOT_
tested in depth and is still _UNDOCUMENTED_. So keep in mind what
SSL_EXPERIMENTAL means and use this with care!
Ralf S. Engelschall
[EMAIL PROTECTED
PHP and mod_ssl with the APXS
mechanism separately.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
AVE_IPCSEM
#include sys/types.h
Thanks for your feedback. I've committed this for mod_ssl 2.6.3.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engel
only
HTTP is spoken. The reason is always a server mis-configuration.
Make sure your Listen and VirtualHost directives match and that an
"SSLEngine on" is present in your virtual host for HTTPS.
Ralf S. Engelschall
, correct?
Yes.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
laugh, it's not a joke).
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
... ??
No reason from my or our Majordomo's side. It just appears that one's
mailer has spooled the stuff for a few weeks and finally delivered
it
Ralf S. Engelschall
[EMAIL PROTECTED
MacOSX stuff, I think.
Sorry, I've no clue what MacOSX' problem is, but perhaps you should
first try to build mod_ssl as a regular/static module instead of a DSO.
Ralf S. Engelschall
[EMAIL PROTECTED
.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
verify your
server certificate. So it is clear that it asks you to manually force
it to trust your server certificate with a popup dialog. That's all the
usual and expected behavior.
Ralf S. Engelschall
[EMAIL PROTECTED
... for example an intermediate
certificate...
The intermediate certificate has to be configured with
SSLCertificateChainFile. And you need an SSLCipherSuite which allows
export ciphers, too.
Ralf S. Engelschall
[EMAIL PROTECTED
eFile". The "no
certificate configured" was already fixed some time ago.
Ralf S. Engelschall
[EMAIL PROTECTED]
/ rsaref
Errr.. that has to be -L`pwd`/../rsaref-2.0/local/ (note the
backticks!).
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
-1.3.9/pkg.sslmod'
make: [all] Error 2 (ignored)
Hmmm.. strange, I cannot reproduce this. Neither with OpenSSL 0.9.5 nor
OpenSSL 0.9.5a. Are you sure you're using OpenSSL 0.9.5?
Ralf S. Engelschall
[EMAIL PROTECTED
estination should have a source ip of 160.124.44.207.
You usually get this if the user pressed the stop button while the data
was still transferred. Usually nothing to worry about.
Ralf S. Engelschall
[EMAIL
your browser...
From within httpd.conf you can use "SSLRequire". From within a CGI
script you can base your restrictions on the SSL_ environment
variables. See the mod_ssl user manual for a complete list of those
variables.
Ralf S. E
works but the commands of mod_expire
still do not work? Then your problem is a missing AddModule command
after the LoadModule.
Ralf S. Engelschall
[EMAIL PROTECTED
implicitly by Apache for mod_ssl, because the
buffers were allocated from one of Apache's memory pools (see for
``ap_palloc(mc->pPool, ...)'' calls). So there should be no memory leak.
Ralf S. Engelschall
[EMAIL PROTECTED
of work is involved in making
this happen?
Sure, it has been possible for a long time. All you have to do is to
configure a DSA based cert/key pair instead of a RSA based one with
SSLCertificateFile and SSLCertificateKeyFile. See the user manual for
details.
Ralf S
pair. Just remove
the leading comment characters from the pre-configured directives for
server-sa.{crt,key}.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
static jmp_buf env;
-static unsigned count;
+volatile static unsigned count;
static unsigned ocount;
static unsigned buffer;
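Review bot: `volatile static unsigned count;` puts the type qualifier ahead of the storage class; write it as `static volatile unsigned count;` so the storage-class specifier comes first, which is the conventional order and avoids warnings from compilers that flag a late `static`. Since these counters sit next to `static jmp_buf env;`, a one-line comment saying why `count` needs `volatile` while `ocount` and `buffer` do not would document the intent of the change.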
Thanks. I've committed this for mod_ssl 2.6.3 together
with a few other cleanups for truerand.c.
Ralf S. Engelschall
httpd.conf which allows weak
ciphers (to allow them in first), a RewriteRule which redirects based
on the SSL_ variables (to redirect them) and a SSLRequire which
restricts access to only strong ciphers (to make sure they are gone).
Ralf S. E
$ nmake /f Makefile.nt
$ nmake /f Makefile.nt _apacher
Why? AFAIK "installr" builds _AND_ installs while "_apacher" just builds. The
intentions are that the stuff is also installed, so why should we replace
"installr" with "_apacher"?
an intermediate shell
is because it uses similar code as used the same way in other parts of
Apache. But for the exec:/foo/bar the shell is not really required.
You can change this yourself by editing line 247 of ssl_util.c.
Ralf S. Engelschall
encoding
routines:ASN1_COLLATE_PRIMITIVE:nested asn1 error
Are you _sure_ OpenSSL at least passes its "make test" procedure for you?
I think it will already fail there...
Ralf S. Engelschall
[EMAIL
Tomcat, sorry.
My only "special tip" here is to entirely forget WinNT for a real-world
server and use an arbitrary Unix flavor instead.
Ralf S. Engelschall
[EMAIL
ch, please.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
On Thu, Apr 27, 2000, W. Mark Smith wrote:
[..]
1. (When) does mod_auth user/password information get encrypted?
[..]
Yes, the basic auth is part of the HTTP protocol part and all
this stuff is already transferred encrypted.
Ralf S. Engelschall
else confirm that these
patches are really necessary for mod_ssl to build under Win32? I'm still
very sceptical whether gdi32.lib and winsock2.h are generic things which
are available under all Win32 environments...
Ralf S. Engelschall
and no mod_ssl.
Ok, but then the question remains: Why was this extra include and this
extra lib not necessary in the past to build Apache+mod_ssl under Win32
and why is it still not necessary for some users while users say it is?
Ralf S. Engelschall
that mod_ssl will exist in the future,
too ;)
Yours,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
I don't know if it's what you want, but it's what you get
the patch for
mod_ssl 2.6.4 now.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Changes with mod_ssl 2.6.4 (16-Apr-2000 to 01-May-2000)
*) Fixed Win32 build by adding gdi32.lib to the libraries
did the
openssl and the frontpage patch.
Should I add a path or copy a file somewhere ?
Do the "touch" in apache_1.3.12/src/modules/ssl/, please.
Ralf S. Engelschall
[EMAIL
ot;ap::mod_ssl::vendor::scache_init",
@@ -338,6 +337,8 @@
}
#endif
ssl_mutex_off(s);
+
+ssl_scache_dbm_expire(s, time(NULL));
return;
}
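Review bot: the added `ssl_scache_dbm_expire(s, time(NULL));` sits after `ssl_mutex_off(s);`, so the expiry runs outside the mutex-protected region that ends on the line above it. Confirm that ssl_scache_dbm_expire takes the mutex itself; if it does not, move the call above `ssl_mutex_off(s);`. The empty `+` line before the call would be better used for a short comment saying why expiry is triggered at this point.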
Ralf S. Engelschall
[EMAIL
mail contained a few keywords ("subscribe", "help", etc.) which let the
list manager software consider the email as an administrative mail.
Ralf S. Engelschall
he
sources again or do a simple "touch ssl_expr_scan.c ssl_expr_parse.c
ssl_expr_parse.h".
Ralf S. Engelschall
[EMAIL PROTECTED]
.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Or (what I strongly recommend) use the current Apache 1.3.12 and
mod_ssl 2.6.4 version.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engel
...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
your cert by letting your CA issue a new
certificate) and copying the stuff over your ssl.crt/server.crt and
ssl.key/server.key files.
Ralf S. Engelschall
[EMAIL PROTECTED
or testing purposes. If it becomes clear (hopefully when
2.0bX is started) that the API is stabilized in layout, I'll port
mod_ssl to Apache 2.0 for us.
Yours,
Ralf S. Engelschall
[EMAIL
*MSIE.*" nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
Yes, I've now even updated the distributed httpd.conf-dist file for mod_ssl
2.6.5 to use this. This way we can avoid the problem already by default ;)
Ralf S. E
nd Daniela and I found it not unreasonable if at least one
of our family members _at least by definition_ is more of a calming type ;)
Yours,
Ralf S. Engelschall
[EMAIL
.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
(including the
Host: field), then perform a step-up to SSL/TLS and then transfer the response
already encrypted. And because here the Host: header is seen before the
SSL/TLS handshake is performed, this implicitly solves the name based virtual
hosting issues.
documentation on virtual hosting for details, please.
If the 2nd is answered with the key of the 1st, then you are using name-based
virtual hosts and not IP-based virtual hosts. Read the mod_ssl FAQ why you
need IP-based virtual hosts.
Ralf S. Engelschall
reed, Mads.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
).
And before even more people ask me: sure, as it has to be, Noah already has
its own Homepage since Friday: http://www.engelschall.com/ho/nse/ ;)
Yours,
Ralf S. Engelschall
[EMAIL PROTECTED
then the IE5 bugs have to be related to the stricter
handling of the SSL protocol by mod_ssl. For instance mod_ssl performs a more
correct connection shutdown, etc. But then this is not mod_ssl's fault, it's
IE5's fault, of course.
Ralf S. Engelschall
://www.microsoft.com/windows/ie/security/schannel.asp
[...]
I've now added these points to the FAQ.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
default in the
pre-configured httpd.conf-dist. This way we are maximally conservative and
can perhaps avoid problems in the future.
Ralf S. Engelschall
[EMAIL PROTECTED]
FAQ entry about MSIE
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
is
then also equivalent to what Apache-SSL does).
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
On Mon, Jul 03, 2000, Diana Shepard wrote:
Thanks much for your response. I will try this. Does
apxs somehow assume a -DEAPI compile option?
Yes, if Apache was built with EAPI, the installed apxs uses -DEAPI
automatically.
Ralf S. Engelschall
and openssl-xxx. The
ISP guys are already informed.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
://www.modssl.org/docs/2.6/ssl_faq.html#ToC31
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Gated Cryptography (SGC)
facility.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
or the .dsp and regenerate the
Makefiles files from them. But I'm no Windows geek, so perhaps there is a more
elegant way...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
ling list, of course.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
to an "OBSOLETE" directory.
I'll then arrange this for us.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engel
, but without a particular patch I cannot comment on it. So,
please show us the code! ;)
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
if OpenSSL has not all error strings loaded (but mod_ssl loads all, I
think). Under which situation does it occur?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
a debugger to find out where it
segfaults.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com