[NB: I tried to post this to Ralf + the mod_ssl users list a week or two
ago but it apparently failed. I've since subscribed and am retrying this
message.]
-- Forwarded message --
Date: Tue, 21 Nov 2000 11:38:08 -0800 (PST)
From: Geoff Thorpe [EMAIL PROTECTED]
To: Ralf S
On Mon, 11 Dec 2000, Richard Botting - Development - Torr Hall wrote:
I am trying to build apache+mod-ssl, on a solaris 8 box, given apache 1.3.9,
mod_ssl-2.4.10-1.3.9 and openssl-0.9.6. Following the mod_ssl
INSTALL file I built openssl and configured mod_ssl with:
./configure
Hi there,
On Mon, 18 Dec 2000, Adam Nealis wrote:
On your test machine running a M$ OS, there is a file called
HOSTS in one of the system folders somewhere. Luckily it's in
UNIX hosts(5) format. Hack this file so that the IP address
ssshhh! They took the BSD TCP/IP sources in the first
ry Session Cache
as ssl_scache_shmcb.c. This was contributed by Geoff Thorpe
[EMAIL PROTECTED] and is derived from the "c2shm" variant used
in Stronghold V3. It uses a fixed size cyclic buffer placed over
a shared memory segment for storing SSL s
Hi there,
On Tue, 9 Jan 2001, Mads Toftum wrote:
I have these settings in my httpd.conf:
SSLSessionCache dbm:/www/secure_apache/logs/ssl_scache
Whoa there! Why do you have dbm for your session cache, when you
compiled with mm support? It should be set to shm (especially on
On Sat, 13 Jan 2001, Ralf S. Engelschall wrote:
On Fri, Jan 12, 2001, Doremus, Matthew wrote:
I have been looking through the mod_ssl v7.2.1 SHMHT code and it appears
that each server creates its own hash table in the allocated shared memory.
Does this imply that when using SHMHT
Hi there,
On Tue, 16 Jan 2001, Doremus, Matthew wrote:
Is this to say that an underlying memory allocator would return an address
from the malloc function of memory which had previously been allocated by
another process ? This seems to be somewhat chaotic for any memory
allocation, shared
Hi there,
On Fri, 9 Feb 2001, David Rees wrote:
Curious, according to the docs, it shouldn't allow those browsers to
connect. Are you using one of the step-up certificates from Verisign?
So I'm told by the guy who acquired our certificates from Verisign. How do
I tell?
I'm not
Hi there,
On Mon, 29 Jan 2001 [EMAIL PROTECTED] wrote:
I don't want to prolong this discussion longer than necessary, however "a
large webfarm with really good loadbalancing" indicates you are running
several servers and a load balancer. If we are looking at an individual
server (which of
Hi there,
Before I reply - why the cross-posting? There's been a lot of cross-posting
between mod_ssl-users and openssl-users - are there good reasons for it? I can
only assume that subjects fit for both lists at the same time probably involve
people who are on both lists anyway ...
On Wed, 14
Hey there,
Warning: long mail ahead. I've been meaning to explain some details of shmcb for
a while and here it is. I can now recede further into my woodwork knowing that
I've brain dumped a little :-) If you're at all interested in this stuff please
take a squint through this. It may also help
Hi there,
I thought I would just mention something that is probably common knowledge to
many, but isn't mentioned in the INSTALL document. (Ralf, could you please
include a note to this effect in the INSTALL instructions?)
Apache1.*** + mod_ssl does not use threads. However, OpenSSL, if built
Hi there,
I've just taken a look at mod_ssl-2.8.2 (I had skipped over 2.8.1 which is
unfortunate, as this relates to 2.8.1 also).
Ralf, you mentioned in the ChangeLog that you'd updated mod_ssl to build/run
with 0.9.7-dev snapshots of OpenSSL. However, the configuration stuff for
enabling
Hi y'all,
Just a quick note to mention that I've finally got round to sticking "swamp"
online. This utility is a bit rough around the edges, but has served me quite
well when trying to bury the hell out of https servers (and other SSL/TLS apps)
and analyse resulting performance (and improve it).
On Fri, 30 Mar 2001, Mads Toftum wrote:
On Fri, Mar 30, 2001 at 12:06:38PM +0200, Ralf S. Engelschall wrote:
Hmmm.. yes, I think we can try this for 2.8.2. Let's move it out
of SSL_EXPERIMENTAL, but still do not use it by default in the
configuration. I've arranged this for us for 2.8.2.
Hi,
On Sat, 31 Mar 2001, Ralf S. Engelschall wrote:
Thanks for the hints, Geoff. How about the following for mod_ssl 2.8.3?
Looks good ... one question:
Index: ssl_engine_config.c
===
RCS file:
Hi there,
On Wed, 4 Apr 2001, Palanivel, Rajan wrote:
Where can I find documentation on hardware offloading of openssl crypto
operations? are there any well defined interfaces?
In mod_ssl, it's "SSLCryptoDevice" and currently requires you to use
SSL_EXPERIMENTAL when building (this uses the
Hi there,
On Wed, 4 Apr 2001 [EMAIL PROTECTED] wrote:
Thanks for this utility, it works well for me in testing SSL acceleration
cards (which I still haven't completed. What a slacker). In fact, this
program works so well, I could give you a big sloppy kiss, but I'll refrain
from doing so.
Every time someone posts a "can I do name-based virtual hosting with SSL"
request, I'm inclined to suspect a troll because of the number of replies it
gets. :-) However, I have to make a comment because invariably many of the
replies say something that isn't actually true ...
On Tue, 17 Apr 2001,
Hi there,
On Tue, 17 Apr 2001, Jeff W. Boote wrote:
The trick is that you have to be able to use a regex for your server's CN in the
server certificate to keep browsers from complaining... This works well for
sites that have multiple "related" web sites, but of course doesn't work for the
Hi there,
Dunno if this will get back to the person who submitted the BUGDB report??
Anyhow ...
On Thu, 19 Apr 2001 [EMAIL PROTECTED] wrote:
Full_Name: Phil Allen
Version: 2.8.2-1.3.19
OS: Solaris 7
Submission from: (NULL) (209.22.30.2)
Compiled mod_ssl with shared enabled, openssl is
Um, as I haven't looked at the source and am unlikely to have a chance to dig
into it for you, I'm wary of leaping in with off-the-top-of-my-head suggestions
... *but* ... :-)
On Tue, 24 Apr 2001, Diana Shepard wrote:
Thanks very much for taking the time
to respond. I tried your
Hi there,
On 13 May 2001, Michael T. Babcock wrote:
On 11 May 2001 19:49:46 -0400, R. DuFresne wrote:
Hire someone who can.
Who makes claims they can totally secure a system connected to the
internet from ever being compromised? What person or company offers such
a guarantee?
On Thu, 24 May 2001, Lars Hecking wrote:
OS: SunOS 5.8 Generic_108528-07
Compiler: gcc 2.95.3
Software: mm-1.1.3, openssl-0.9.6a,
apache_1.3.19 and mod_ssl-2.8.3-1.3.19,
apache_1.3.20 and mod_ssl-2.8.4-1.3.20
The new shmcb option in SSLSessionCache is broken,
Hi there,
On Wed, 30 May 2001, James Bromberger wrote:
I tried posting the following to the openssl-users list, but it seems that my
requests for subscription and my post regarding the following issue went into
the ether. I'll quote what I wrote earlier, and although this question is more
Hi there,
On Thu, 31 May 2001, James Bromberger wrote:
I built 0.9.6a-engine under Solaris 8 and have the hardware device configured.
Sun ships a library called libswift.so (a link to libswift.so.5.2.2),
along with libraries for Netscape Server (swiftns351.so, swiftns351.so.1) and
Hi there,
On Sun, 3 Jun 2001, Carl Bowden wrote:
but apachectl startssl refuses to start
this is the /var/log/httpd/ssl_engine_log:
[03/Jun/2001 10:59:15 06923] [info] Server: Apache/1.3.19,
Interface: mod_ssl/2.8.3, Library: OpenSSL/0.9.6a
[03/Jun/2001 10:59:15 06923] [info] Init: 1st
Hey there,
On Fri, 8 Jun 2001, David Rees wrote:
I've been using these settings:
SetEnvIf User-Agent MSIE [1-4] nokeepalive
ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SetEnvIf User-Agent MSIE [5-9] ssl-unclean-shutdown
and it seems to do the trick
On Fri, 8 Jun 2001, Cliff Woolley wrote:
On Fri, 8 Jun 2001, Geoff Thorpe wrote:
(If there's Apache developers listening, this is also why threading in 2.0 won't
solve the problems of 1.3, it'll just scale them back a bit - threads aren't
free, they're just a small linear factor cheaper
Hi all,
I've just whipped up this patch to the latest (one hopes) version of mod_ssl. It
adds a new directive, 'SSLCryptoDeviceCtrl', to supplement the existing
directive that hooks the ENGINE API of OpenSSL (ie. 'SSLCryptoDevice', without
the 'Ctrl' suffix).
On Fri, 13 Jul 2001, JJohnson wrote:
That really doesn't come close to answering my question. I know what SSL
accelerators do, and how they can help and how they can't help. What I need
to know is what is needed to get apache+modssl to *USE* the accelerator. Do I
need to add things to the
On Thu, 26 Jul 2001, Owen Boyle wrote:
[EMAIL PROTECTED] wrote:
Can I assign private IPs to a virtual host and still serve it on the web?
Or will I have to buy public ips?
I assume you are trying to get round the problem of only-one-SSL-host
per IP address (otherwise there is no
On Mon, 6 Aug 2001, Owen Boyle wrote:
It makes no sense (indeed, it is dangerous) to have an encrypted
conversation with someone if you don't know their identity. And you
cannot be sure of identity without authentication.
To briefly fuel the fire ... :-)
Authentication is IMHO far more
Hi all,
Summary:
Just wanted to point out how to plug what appears to be a security flaw in
mod_ssl (although whether this flaw is readily exploitable or not would have to
be explained to us by some protocol expert ... Mr Rescorla, are you there?? :-)
I first mentioned this a while
wanted, but I hope
it helps anyway.
Cheers,
Geoff
--
Geoff Thorpe
http://www.geoffthorpe.net
mailto:geoff@geoffthorpe(dot)net
Capitalism - a means to quantify wealth and prosperity that doesn't include
crime, illness, therapy, hate, education, awareness, civil-liberty,
objectivity
Hi there,
On Fri, 7 Sep 2001, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) wrote:
Geoff,
Thanks for the detailed explanation - it does make a lot of sense..
As you've pointed out in case of SHMHT, if a server is lightly loaded, the
session id will be cached for a time greater than the
Ah, thanks Joe. I was trying to track down where I'd seen another such
SIGBUS problem and couldn't for the life of me find it. I will roll this
other case in together with the other stuff that's come up of late and
resubmit it all back to Ralf ASAP.
Cheers,
Geoff
On Friday 14 December 2001
Hi there,
This *really* should be on modssl-users ... please take any further
questions and discussion there. This list is for users of OpenSSL. Your
problem and any solutions to it are specific to modssl.
I am on modssl-users too - so if you are not already subscribed, please do
so, and
Hi all,
No spam intended, just a quiet note to those of you on this list who use
swamp for hacking round with their servers (I know there's a few of you -
too many to mail individually).
There's a new release of swamp out that has improved features and a
first-cut at
Hi there,
I can recommend trying swamp for testing your servers, but that is (of
course) a take-it-or-leave-it tip, no strings attached.
http://www.geoffthorpe.net/crypto/swamp/
However, the README/FAQ files in that contain quite a bit of information on
this subject that will help you if
Hey there,
On Sunday 03 March 2002 07:22, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
wrote:
just iterating on point (a) mentioned by Geoff, if you force the
negotiation using RC4 (which I believe is forced by iPlanet), you should
see a substantial increase in the no. of connections handled..
Hi,
On Monday 11 March 2002 03:18, [EMAIL PROTECTED] wrote:
Are you using the engine version of openssl? Unless you have a supported
crypto accelerator, then you shouldn't be using the engine version.
I can assure you that it should make no difference. The only reason the
non-engine version
Hey there,
On Tuesday 09 April 2002 10:18, you wrote:
Steve Gonzales wrote:
One list is enough for me. SSL theory doesn't change from 1.3.xx to
2.0.xx; only the configuration and installation changes.
There are many other issues, like the -DEAPI and 3rd party modules
that cause Apache
Hi Lynn,
Not having the time to deal with 2.0.** right now, I haven't been keeping an
eye on how swamp is finding it. In principle however, swamp's satisfaction
with Apache 2.0 should be roughly equivalent to that of openssl s_client.
However, if Apache 2.0 itself doesn't like the GET
that is large enough to obscure the benefits of tighter tuning at
the session caching level. Again, I'd recommend taking a look at 'swamp's
README (you can read it online if you don't want to download the package).
Regards,
Geoff
--
Geoff Thorpe, geoff(at)geoffthorpe(dot)net
2000 years on, it's
Hi,
On Fri, 31 May 2002, Cliff Woolley wrote:
On Fri, 31 May 2002, Geoff Thorpe wrote:
oh yeah, there's also that security problem with modssl that I mentioned
ages ago - AFAIK this still hasn't been changed in modssl and *may* not
yet have changed in apache 2.0 either. Ralf or David
is the same sort of thing as 0.9.7-dev.
OTOH: It might be something else different altogether :-)
Cheers,
Geoff
Hi there,
On 10 Jun 2002, Sean M Alderman wrote:
Oops... Never mind, I just found that I had missed changing one line in
the conf/httpd.conf to change the port number from 8443 to 443.
Is there a reason why the config defaults to ports 8080 and 8443
instead of 80 and 443?
You can only
Hi,
On Thu, 27 Jun 2002, Peter Cronin wrote:
Was wondering if anyone can help me? I believe I have mod_ssl loaded
correctly and configured correctly, but I get the following situation
when I access my SSL site.
- https://secure.aebdemo.com, it just hangs on site, but says host contacted...
On Mon, 8 Jul 2002, New Disorder Records wrote:
well, that's a lot more than I needed. I think the key is somewhere in
the
SSL_BASE=SYSTEM thing.
I have openssl installed, this is redhat, but when I set SSL_BASE=SYSTEM,
I still get the error:
Error: Cannot find SSL binaries under
On Mon, 8 Jul 2002, Robert McMonigal wrote:
I have been trying to get an aep hardware accelerator to work under apache
2.0.39. Everything installs fine and it runs fine with SSLCryptoDevice
builtin. But if I change builtin to aep and try to start it, it appears to
start normally (no error
On Sat, 13 Jul 2002, Daniel Lopez wrote:
How far along is the mod_ssl port to Apache 2?
It is basically done, already bundled with Apache itself as a regular module
Has anyone hacked up a distributed session cache?
The closest I know of is for Apache-SSL, which Ben Laurie mentioned at
Hi Fred,
I was just starting to wonder what might be behind all this when you hit
the nail on the head.
On Mon, 15 Jul 2002, Frederic DONNAT wrote:
I change a function call and it works fine now. I do not know if this is
the real way to solve my problem but this provide a solution.
In file
waiting to start.
http://www.openssl.org/support/faq.html#USER9
Cheers,
Geoff
--
Geoff Thorpe
[EMAIL PROTECTED]
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List
5% loaded...
The obvious suggestion would be that the machine you're reverse proxying
to is the reason for the slow-down.
Cheers,
Geoff
is perhaps not the only information you're
looking for.
BTW: The README may be useful even if you don't want to use swamp - it's
online at;
http://www.geoffthorpe.net/crypto/swamp/swamp-1.1.0/README
Cheers,
Geoff
Hi there,
On Thursday 03 Oct 2002 4:18 am, Boyle Owen wrote:
You mean you have one IP address and one FQDN but many physical machines?
Then you need a load-balancer. That is, the LB carries the external IP
address so all packets are routed initially to it. Then it re-routes the
packets to
Hi there,
I suppose as the author of the implementation you're dissecting I should
probably respond in some way :-)
I'm in agreement with most of your comments and appreciate you having
taken a look and provided some analysis. I'll respond to a couple of
specific points but will mostly make
or elsewhere), then you
should find the ssl module sitting in the source.
Cheers,
Geoff
for quickly-blurted emails as it is for coding ...
with this slight slip of the fingers I make an already silly reference
utterly incomprehensible.
Apologies, I meant a tarball from apache.org.
Cheers,
Geoff
has cached it locally - so when plugging in
external caching hooks to openssl, mod_ssl should also turn off the
process-local caching. End of story.
This has apparently been fixed in Apache 2 but hasn't (IIRC) in mod_ssl.
I mentioned it more than once, so I've given up.
Cheers,
Geoff
a reference to
compare against.
Cheers,
Geoff
representation of the data from the server is the start
of an error page !DOCTY.
Cheers,
Geoff
to the log too,
which I believe will give you more clue as to the problem (most likely
the nCipher-specific shared-library that openssl tries to load couldn't
be found).
Cheers,
Geoff
of configuration issue is quite different between adding
mod_ssl to apache 1.3 and using apache2's builtin version.
Hello,
* Erik Melkersson ([EMAIL PROTECTED]) wrote:
Geoff Thorpe wrote:
... The kind of linker
error you report usually suggests the code was compiled against one
openssl version's headers, but is trying to link against a different
openssl version's libraries
Yes, I tried to compile
didn't AFAICS require any hacking).
Cheers,
Geoff
previous efforts -
eg. your previous installation attempts probably created weird
directories like /usr/include/bin, /usr/include/include, etc.
Cheers,
Geoff
* jgelb ([EMAIL PROTECTED]) wrote:
[snip]
We've been using shm for our session cache.
Which one? shmht or shmcb?
Cheers,
Geoff
* Otto L. Miller ([EMAIL PROTECTED]) wrote:
[snip]
I checked permissions and thought that might be the problem, however,
the problem persists even if I 'chmod 444
/opt/sisapache/conf/ssl.crt/server.crt'. Any thoughts?
Could you post a copy of the server.crt file?
Cheers,
Geoff
associated stuff;
http://www.distcache.org/
Note that I've also uploaded (experimental) RPM packages - I'd
appreciate any comments from users of RPM-based systems as I'm new to
RPM building and feedback would be a huge help.
Cheers,
Geoff
interested, please
take a surf to;
http://www.distcache.org/
Oh, and download something, try it out, and mail the distcache-users
list with any comments, complaints, compliments, or questions.
Regards,
Geoff
.
Cheers,
Geoff
or you're not sure what you're doing, wait
for someone to do what John did (and perhaps wait a while in case someone
else finds a problem or correction) and then *privately* do the same -
ie. mail the appropriate abuse-reporting address ([EMAIL PROTECTED] in this
case).
Cheers,
Geoff
that, indicating that the session store failed.
Cheers,
Geoff
*/
#endif
-
My advice would be to use shmcb rather than dbm, if you can. Not that I'm
biased of course, oh no. :-)
Cheers,
Geoff
appreciate being able to replace the one on my site. I
don't think Ralf wants to include this functionality now that mod_ssl is
just in maintenance-mode and (kinda) deprecated in favour of apache2.
Cheers,
Geoff
--
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/
Even those who do not feel they are one of us, no longer seeing us on our knees,
will be, more than ever, at home among us.
-- Loco Locass
(and the subsequent discussion might be useful for
ongoing development).
Cheers,
Geoff