Re: Extracting SSL_CLIENT_S_DN_UID does not work

2008-05-27 Thread erika20






DON'T SEND ME THIS CRAP THANKS
-- Original message from Michael Ströder [EMAIL PROTECTED]: --

Joe,

many thanks for your response.

Joe Orton wrote:
> On Mon, May 19, 2008 at 10:13:45AM +0200, Michael Ströder wrote:
> > Maybe I'm overlooking the obvious but it seems that env var
> > SSL_CLIENT_S_DN_UID is not set when using a client cert for authentication.
> >
> > The following env vars displayed in my SSI HTML text are relevant here
> > (obfuscated to protect privacy):
> >
> > SSL_CLIENT_S_DN: /O=Company Name/OU=Authc/UID=userid/CN=Full name
> > SSL_CLIENT_S_DN_UID: (none)
> >
> > Is it caused by UID not being the leaf RDN?
>
> That shouldn't make any difference.

Ok, fine.

> What versions of OpenSSL and httpd/mod_ssl are you using?

Actually pre-built RPMs shipped with openSUSE 10.3:

# rpm -q openssl apache2
openssl-0.9.8e-45.5
apache2-2.2.4-70.4

Not sure whether these RPMs are based on sources patched by openSUSE.

> The "UID" DN tag is ambiguous and probably
> maps to something other than what your subject DN uses. In the current
> 2.x mod_ssl sources, UID maps to:
>
> #ifdef NID_x500UniqueIdentifier /* new name as of Openssl 0.9.7 */
>     { "UID", NID_x500UniqueIdentifier },
> #else /* old name, OpenSSL < 0.9.7 */
>     { "UID", NID_uniqueIdentifier },
> #endif

Hmm, the user ID is already stored by mod_ssl with attribute name "UID" in env var SSL_CLIENT_S_DN. Given that it's OpenSSL 0.9.8 and that the attribute type seems to be interpreted as UID is it safe to assume that the cert contains the right OID?

If NID_x500UniqueIdentifier maps to OID 2.5.4.45 it's plain wrong anyway...

Ciao, Michael.

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
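The mismatch discussed in the quoted message can be reproduced without mod_ssl. The following is an added example, not part of the original thread and not mod_ssl code: it builds a constructed DER subject like the one shown above, renders it the way SSL_CLIENT_S_DN is rendered, and then looks the attribute up by OID. It assumes the certificate carries the user ID under the userId OID 0.9.2342.19200300.100.1.1 (the attribute OpenSSL prints with the short name "UID"); all function names are hypothetical.

```python
# 2.5.4.45 is the OID named in the thread for NID_x500UniqueIdentifier.
# USER_ID is the pilot "userId" attribute; assuming the cert uses it is
# an assumption of this example, not something the thread confirms.
X500_UNIQUE_IDENTIFIER = "2.5.4.45"
USER_ID = "0.9.2342.19200300.100.1.1"
SHORT_NAMES = {"2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN", USER_ID: "UID"}

def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only (< 128)

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append((arc & 0x7F) | 0x80)
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

def dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_name(pairs):  # DER RDNSequence: SEQUENCE of SET of SEQUENCE {OID, UTF8String}
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, enc_oid(o) + tlv(0x0C, v.encode()))) for o, v in pairs))

def read_tlv(buf, pos):  # returns (value bytes, offset of next element)
    return buf[pos + 2:pos + 2 + buf[pos + 1]], pos + 2 + buf[pos + 1]

def parse_name(der):
    rdns, _ = read_tlv(der, 0)
    pos, out = 0, []
    while pos < len(rdns):
        rdn, pos = read_tlv(rdns, pos)
        atv, _ = read_tlv(rdn, 0)
        oid, nxt = read_tlv(atv, 0)
        val, _ = read_tlv(atv, nxt)
        out.append((dec_oid(oid), val.decode()))
    return out

def oneline(attrs):  # one-line rendering, as seen in SSL_CLIENT_S_DN
    return "".join("/%s=%s" % (SHORT_NAMES.get(o, o), v) for o, v in attrs)

def lookup(attrs, oid):  # per-attribute lookup, as for SSL_CLIENT_S_DN_UID
    return next((v for o, v in attrs if o == oid), None)

# Constructed sample subject matching the obfuscated DN in the message.
SUBJECT = parse_name(build_name([("2.5.4.10", "Company Name"), ("2.5.4.11", "Authc"),
                                 (USER_ID, "userid"), ("2.5.4.3", "Full name")]))
```

Under that assumption, `oneline(SUBJECT)` shows `UID=userid` while `lookup(SUBJECT, X500_UNIQUE_IDENTIFIER)` finds nothing, which matches the `(none)` reported for SSL_CLIENT_S_DN_UID.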






wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!

2008-07-14 Thread erika20






stop stop sending me this bs, I have no idea who you are
stop !!!

-- Original message from Dave Paris [EMAIL PROTECTED]: --

It seems like you might be confusing "shared infrastructure" with "single ip". As others have said, you need a distinct address for each SSL-enabled httpd or proxy, although they can reside on the same hardware.

A good example of this is the typical configuration for larger server farms. You find multiple High Availability load balancers in the DMZ for both http and https using something like ha/keepalived for linux. These proxy the incoming request back into private address space. The SSL proxies terminate the SSL connection and broker the request on behalf of the user and everything goes to the private address space in plain http. This allows each of the _real_ webservers to achieve better performance since the SSL overhead is not present.

While you can use Apache as an SSL-terminating proxy, I find I get better performance, lower memory utilization and easier configuration using Pound ( http://www.apsis.ch/pound/ ). Using keepalived, I have multiple public IP addresses floating between several hosts and pound binds https to those addresses.

Hope that adds a bit of additional clarity,
Dave

Cuesta Gilles sent forth:
> So what about this ?
>
> "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
> This type of certificate (also called /Subject Alternative Name/ (SAN) )
> enables to secure not only one website but a large number of sites (a
> list of sites) hosted on a shared infrastructure (server with multiple
> names, reverse proxy). Ideal to secure multiple brands of a corporation.
> One certificate per hardware is required."
>
> http://www.tbs-certificats.com/index.html.en






Re: wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!

2008-07-14 Thread erika20






THANKS
-- Original message from "Shahadat Hossain" [EMAIL PROTECTED]: -- 
you know what, You are a f***en idiot.
if you do not want to receive these emails, just get your name taken off from the list instead of b-shitting. 

send an email to [EMAIL PROTECTED] address (you can also find it at the bottom of this message) with subject as 'Remove me'.

ok?
On Mon, Jul 14, 2008 at 7:10 PM, [EMAIL PROTECTED] wrote:



> stop stop sending me this bs, I have no idea who you are
> stop !!!






stop sending me this stuff please !!!!!!!!!!!

2008-07-18 Thread erika20






stop sending me this stuff please
take me out of your mailing list !!! thanks

-- Original message from Frederic Heem [EMAIL PROTECTED]: --

Hi,

Valgrind has found a problem related to an overlapping memcpy in mod_ssl (Apache/2.2.9 (Unix)), here is the output:

==18546== Thread 5:
==18546== Source and destination overlap in memcpy(0x425E0E8, 0x425E10E, 141)
==18546==    at 0x4007A42: memcpy (mc_replace_strmem.c:402)
==18546==    by 0x446C464: ssl_io_input_read (in /usr/local/apache2/modules/mod_ssl.so)
==18546==    by 0x446C781: ssl_io_filter_input (in /usr/local/apache2/modules/mod_ssl.so)
==18546==    by 0x8068DB5: ap_rgetline_core (in /usr/local/apache2/bin/httpd)
==18546==    by 0x80690CE: ap_get_mime_headers_core (in /usr/local/apache2/bin/httpd)
==18546==    by 0x80696FC: ap_read_request (in /usr/local/apache2/bin/httpd)
==18546==    by 0x80799DA: ap_process_http_connection (in /usr/local/apache2/bin/httpd)
==18546==    by 0x8076CEC: ap_run_process_connection (in /usr/local/apache2/bin/httpd)
==18546==    by 0x807FFD3: worker_thread (in /usr/local/apache2/bin/httpd)
==18546==    by 0x4057603: dummy_worker (in /usr/local/apache2/lib/libapr-1.so.0.3.0)
==18546==    by 0x8E145A: start_thread (in /lib/libpthread-2.5.so)
==18546==    by 0x71323D: clone (in /lib/libc-2.5.so)

This happens when an axis2 client sends a https request.
Let me know if you need more information.

Frederic Heem