peer did not return a certificate No CAs known to server for verification?
Hello All,

We have opened a Java web service and our clients are facing issues while accessing it. They are consistently getting an SSL / TLS connection failure message. All these clients are using VeriSign class 1 certificates.

In the Apache error logs we see the below message:

    [Fri Oct 12 17:42:04 2007] [error] mod_ssl: Certificate Verification: Error (20): unable to get local issuer certificate
    [Fri Oct 12 17:42:04 2007] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
    [Fri Oct 12 17:42:04 2007] [error] mod_ssl: Certificate Verification: Error (20): unable to get local issuer certificate
    [Fri Oct 12 17:42:04 2007] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
    [Fri Oct 12 17:42:04 2007] [error] OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

This is happening only with class 1 certificates; class 3 certificates are working fine. Earlier we were using IBM HTTP Server and our clients were able to connect to our web service. But since we have moved to Apache HTTP Server, they are facing this issue.

Is there any known fix for this? Kindly advise. Your suggestions are of real value to us.

Note: All these clients are either PHP / .NET clients. Java clients are able to use class 1 certificates successfully.

Thanks,
Abhijit Mohan Bhate
+91-98-50-886360
App requires port 8081, gets errors using HTTPS
I have a third-party XML application compiled into Apache as a module that requires using port 8081. I have run it successfully for years using HTTP on Apache 1.3.27 (the version required by the vendor), but now I need to run it using HTTPS.

So, I installed openssl-0.9.4 and mod_ssl-2.8.14-1.3.27 and the installation seemed to go well except for the question "File to Patch:", which I had to skip since I had no answer for it.

The application still runs fine when I browse to http://my.app.com:8081, but when I try HTTPS using https://my.app.com:8081 I get a message that "Secure Connection Failed - SSL received a record that exceeded the maximum permissible length (Error code: ssl_error_rx_record_too_long)". An error codes reference says, "This generally indicates that the remote peer system has a flawed implementation of SSL, and is violating the SSL specification."

The Apache error log says:

    Invalid method in request \x16\x03\x01

Any thoughts on how to troubleshoot this?

Thanks,
Dave

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List               modssl-users@modssl.org
Automated List Manager                  majord...@modssl.org
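The two symptoms above (the browser's ssl_error_rx_record_too_long and httpd's "Invalid method in request \x16\x03\x01") are the same event seen from both ends: a TLS ClientHello arriving on a listener that only speaks plain HTTP, so httpd reads the 5-byte TLS record header as an HTTP request line. The following is an added example, not code from Dave's post or from httpd; the sample bytes are constructed, and the fix direction it assumes (a VirtualHost bound to 8081 with SSLEngine on) is not stated in the thread.

```python
"""Tell a TLS record apart from a plain-HTTP request by its first bytes.

Added example, not from the post above. A TLS record starts with a
content-type byte, a two-byte protocol version and a two-byte length;
an HTTP request starts with a method token. Sample bytes are constructed.
"""

# TLS record content types (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}

# Record-layer protocol version bytes.
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0",
                (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"TRACE", b"CONNECT"}

# Constructed: first bytes of a 165-byte TLS 1.0 handshake record carrying a ClientHello.
CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01"
# Constructed: what the same browser sends when it is told to use plain http://.
PLAIN_HTTP_PREFIX = b"GET / HTTP/1.1\r\nHost: my.app.com:8081\r\n"


def classify_prefix(data: bytes) -> dict:
    """Describe the first bytes on a connection: TLS record header or HTTP request line."""
    if (len(data) >= 5 and data[0] in TLS_CONTENT_TYPES
            and data[1] == 3 and data[2] <= 3):
        return {
            "kind": "tls",
            "content_type": TLS_CONTENT_TYPES[data[0]],
            "version": TLS_VERSIONS[(data[1], data[2])],
            "record_length": int.from_bytes(data[3:5], "big"),
        }
    method = data.split(b" ", 1)[0]
    if method in HTTP_METHODS:
        return {"kind": "http", "method": method.decode("ascii")}
    return {"kind": "unknown"}


def httpd_style_method_error(data: bytes) -> str:
    """Render the request-line token the way it appears in the error log quoted above.

    The request line is handled as a C string, so a NUL byte ends it; the
    high byte of a normal ClientHello's record length is 0x00, which is why
    only the three bytes \\x16\\x03\\x01 show up. Non-printable bytes are
    written as \\xHH. This mirrors the quoted log line; it is not httpd's
    own escaping code.
    """
    token = data.split(b"\x00", 1)[0].split(b" ", 1)[0]
    shown = "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in token)
    return "Invalid method in request " + shown


if __name__ == "__main__":
    for sample in (CLIENT_HELLO_PREFIX, PLAIN_HTTP_PREFIX):
        print(classify_prefix(sample))
    print(httpd_style_method_error(CLIENT_HELLO_PREFIX))
```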
Re: Certs work, one doesn't, cannot determine why
On Tue, Oct 19, 2010 at 04:35:49PM -0400, Jeff Blaine wrote:
> Works: SSL via my corporate cert, SSL via 3 other people's corporate certs
> Fails: 1 person's cert so far, yet is logged as SUCCESS when logging SSL_CLIENT_VERIFY via CustomLog

Your verbose description of something that is not working is hard to follow or condense down. Are you saying with the below configuration, you are seeing the SSLRequire work for all the users but that with the jblaine cert?

It could be an SSLRequire implementation bug but it is hard to tell. Is the order of the users within the SSLRequire list significant? Why are you matching by the whole S_DN rather than based on e.g. S_DN_CN alone?

You might be better off trying the httpd users' list:

http://httpd.apache.org/lists.html#http-users

Regards, Joe

>     <Location />
>         SetHandler perl-script
>         PerlResponseHandler RT::Mason
>         SSLVerifyClient require
>         SSLRequire %{SSL_CLIENT_S_DN} in { \
>             "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
>             "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
>             "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
>             "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
>         }
>     </Location>
> </VirtualHost>
Re: Certs work, one doesn't, cannot determine why
On 11/1/2010 7:14 AM, Joe Orton wrote:
> On Tue, Oct 19, 2010 at 04:35:49PM -0400, Jeff Blaine wrote:
> > Works: SSL via my corporate cert, SSL via 3 other people's corporate certs
> > Fails: 1 person's cert so far, yet is logged as SUCCESS when logging SSL_CLIENT_VERIFY via CustomLog
>
> Your verbose description of something that is not working is hard to follow or condense down. Are you saying with the below configuration, you are seeing the SSLRequire work for all the users but that with the jblaine cert?

I was originally seeing it work fine for everyone but 1 user (Simpson Mary B, below). Now it almost seems somewhat random in failure. People who used to succeed are now failing. I can get in fine (Blaine Charles J.)

Granted, I am messing with all sorts of things trying to get it to work after all this time dead in the water.

> It could be an SSLRequire implementation bug but it is hard to tell. Is the order of the users within the SSLRequire list significant?

Ah, you mean if I reorder them, does the success/failure situation change as well? I don't know, I can try that.

> Why are you matching by the whole S_DN rather than based on e.g. S_DN_CN alone?

Why not? It seems like the more fully correct way to match for security. It's documented and supposedly legit/correct. The cert-extracted DN (reported in log) matches the configured DN in the ssl.conf file exactly.

I will try the httpd list. Thanks Joe

Jeff

>     <Location />
>         SetHandler perl-script
>         PerlResponseHandler RT::Mason
>         SSLVerifyClient require
>         SSLRequire %{SSL_CLIENT_S_DN} in { \
>             "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
>             "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
>             "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
>             "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
>         }
>     </Location>
RE: Specifying the openssl version used with mod_ssl
Hello all,

Sorry for the delay. We found a workaround and quit looking into the below issue. Thanks to Peter for the static library suggestion and Lee for the same and for getting me back on the topic. We were able to get everything working how it should.

A note, we are compiling mod_ssl into Apache. We are not using it as a shared object.

Here are the key config options for OpenSSL and Apache:

OpenSSL:
    ./configure --prefix=/usr/local/ssl --shared

Apache:
    ./configure --with-included-apr --enable-ssl --with-ssl=/usr/local/ssl

It is probably a good idea to run a "sudo make clean" for each installation. At least it was for us since we re-installed about 50 times.

Thanks again,
Gunner Geller

-----Original Message-----
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org] On Behalf Of Gregg L. Smith
Sent: Monday, September 13, 2010 12:48 PM
To: modssl-users@modssl.org
Subject: Re: Specifying the openssl version used with mod_ssl

Hello Gunner,

Have you tried --enable-ssl --with-ssl=/path/to/just/compiled/openssl ?

Regards,

Gregg

Gunner Geller wrote:
> Hello,
>
> We are using Mac Leopard OS. We have rolled our own Apache (2.2.16) separate from the default install. We have also rolled our own OpenSSL to the latest version. However, when we compile Apache and enable mod_ssl it still uses the old OpenSSL version. We can see it in our HTTP headers:
>
>     Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l
>
> When typing "openssl version" from my account and the root account I get:
>
>     OpenSSL 1.0.0a 1 Jun 2010
>
> I've seen this in some Apache configs:
>
>     --enable-ssl --with-ssl=/usr/local/ssl
>
> I've tried the above with no success. According to the output I get when configuring/making/installing Apache it is finding OpenSSL at the above directory. The problem is though that the HTTP header stays the same.
>
> The problem is we can't upgrade the default OpenSSL version on the OS without Apple providing the update. The outdated version is tripping our security scans. Like I said, we rolled our own updated version but cannot get Apache/mod_ssl to use it.
>
> Any help is appreciated.
>
> Thanks,
> Gunner Geller
Re: Certs work, one doesn't, cannot determine why
Still trying to solve this, I stood up a separate brand-spanking-new Apache 2.2.17 from source with builtin SSL. I am using the same Apache SSL config as quoted below.

I experience the following failure (further context is in my quoted message below):

    ...
    [Tue Oct 19 16:20:42 2010] [info] Subsequent (No.2) HTTPS request received for child 4 (server rtdev1.our.org:999)
    [Tue Oct 19 16:20:42 2010] [error] [client 1xx.xx.9.45] client denied by server configuration: /apps/rtsrv1dev/share/html/favicon.ico
    [19/Oct/2010:16:20:42 -0400] 1xx.xx.9.45 on TLSv1 AES128-SHA 128 /O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J. SUCCESS 3 369E Blaine Charles J. - "GET /favicon.ico HTTP/1.1" 213
    [Tue Oct 19 16:20:47 2010] [debug] ssl_engine_io.c(1900): OpenSSL: I/O error, 5 bytes expected to read on BIO#1c2e8170 [mem: 1c2f98b0]
    [Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] (70007)The timeout specified has expired: SSL input filter read failed.
    [Tue Oct 19 16:20:47 2010] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation finished successfully
    [Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] Connection closed to child 4 with standard shutdown (server rtdev1.our.org:999)

NOTE: SUCCESS
NOTE: SSL negotiation finished successfully
NOTE: /apps/rtsrv1dev/share/html and all files in it are world-readable (644)

Browser shows "Forbidden" (IE 8 and Chrome 6)

On 10/15/2010 5:49 PM, Jeff Blaine wrote:
> Hi folks.
>
> I'm *really* stumped here. If anyone has any ideas, I would love to hear them. How can I debug this further? I need more information than Apache + mod_ssl is giving me right now.
>
> All version information and configuration detail is after this next paragraph.
>
> Works: SSL via my corporate cert, SSL via 3 other people's corporate certs
> Fails: 1 person's cert so far, yet is logged as SUCCESS when logging SSL_CLIENT_VERIFY via CustomLog
>
> Example:
>
>     [15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 /O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson Mary B - "GET /index.html HTTP/1.1" 295
>     [Fri Oct 15 09:53:38 2010] [error] [client 1xx.xx.160.92] access to /apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)
>
> Config Specifics:
>
> OS: RHELv5
> Apache: 2.2.3
> mod_ssl: 2.2.3-43.el5
>
>     <VirtualHost 1xx.xx.9.85:443>
>         ServerName rtdev1.our.org:443
>         ErrorLog logs/ssl_error443_log
>         TransferLog logs/ssl_access443_log
>         LogLevel warn
>         SSLEngine on
>         SSLProtocol all -SSLv2
>         SSLCipherSuite ALL:!ADH:!EXPORT:SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW
>         SSLCertificateFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
>         SSLCertificateKeyFile /apps/rtsrv1dev/PKI/rtdev1.key
>         SSLCertificateChainFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
>         SSLCACertificateFile /apps/rtsrv1dev/PKI/MITRE-cert-bundle.cer
>         SSLVerifyClient require
>         SSLVerifyDepth 2
>         SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
>         <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>             SSLOptions +StdEnvVars
>         </Files>
>         <Directory /apps/rtsrv1dev/share/html>
>             SSLOptions +StdEnvVars
>         </Directory>
>         SetEnvIf User-Agent ".*MSIE.*" \
>             nokeepalive ssl-unclean-shutdown \
>             downgrade-1.0 force-response-1.0
>         CustomLog logs/ssl_access443_log \
>             "%h - - %t \"%r\" %{HTTPS}x %{SSL_PROTOCOL}x"
>         CustomLog logs/ssl_error443_log \
>             "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_M_VERSION}x %{SSL_CLIENT_M_SERIAL}x %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_S_DN_UID}x \"%r\" %b"
>         DocumentRoot /apps/rtsrv1dev/share/html
>         AddDefaultCharset UTF-8
>         PerlRequire /apps/rtsrv1dev/bin/webmux.pl
>             SetHandler default
>         </Location>
>         <Location />
>             SetHandler perl-script
>             PerlResponseHandler RT::Mason
>             SSLVerifyClient require
>             SSLRequire %{SSL_CLIENT_S_DN} in { \
>                 "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
>                 "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
>                 "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
>                 "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
>             }
>         </Location>
>     </VirtualHost>
Client Authentication
Good Afternoon Everybody,

I am not sure if it is the right forum to ask this question. If not, please guide me.

mod_ssl provides a fabulous mechanism for doing client authentication. It does so by issuing client certificates signed by your own CA certificate ca.crt. How can we use mod_ssl (with client auth) when we do not have control over the whole community, i.e. people are using certificates that are signed by different CAs?

One way I was thinking of was to accumulate public certs (which may not be CA certs) at one place (directory) and give its path to mod_ssl. However, I am not sure if this is a good practice or even a doable practice.

Any input will be highly appreciated.

Thank you.
rn
Certs work, one doesn't, cannot determine why
Hi folks.

I'm *really* stumped here. If anyone has any ideas, I would love to hear them. How can I debug this further? I need more information than Apache + mod_ssl is giving me right now.

All version information and configuration detail is after this next paragraph.

Works: SSL via my corporate cert, SSL via 3 other people's corporate certs
Fails: 1 person's cert so far, yet is logged as SUCCESS when logging SSL_CLIENT_VERIFY via CustomLog

Example:

    [15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 /O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson Mary B - "GET /index.html HTTP/1.1" 295
    [Fri Oct 15 09:53:38 2010] [error] [client 1xx.xx.160.92] access to /apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)

Config Specifics:

OS: RHELv5
Apache: 2.2.3
mod_ssl: 2.2.3-43.el5

    <VirtualHost 1xx.xx.9.85:443>
        ServerName rtdev1.our.org:443
        ErrorLog logs/ssl_error443_log
        TransferLog logs/ssl_access443_log
        LogLevel warn
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
        SSLCertificateKeyFile /apps/rtsrv1dev/PKI/rtdev1.key
        SSLCertificateChainFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
        SSLCACertificateFile /apps/rtsrv1dev/PKI/MITRE-cert-bundle.cer
        SSLVerifyClient require
        SSLVerifyDepth 2
        SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory /apps/rtsrv1dev/share/html>
            SSLOptions +StdEnvVars
        </Directory>
        SetEnvIf User-Agent ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_access443_log \
            "%h - - %t \"%r\" %{HTTPS}x %{SSL_PROTOCOL}x"
        CustomLog logs/ssl_error443_log \
            "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_M_VERSION}x %{SSL_CLIENT_M_SERIAL}x %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_S_DN_UID}x \"%r\" %b"
        DocumentRoot /apps/rtsrv1dev/share/html
        AddDefaultCharset UTF-8
        PerlRequire /apps/rtsrv1dev/bin/webmux.pl
            SetHandler default
        </Location>
        <Location />
            SetHandler perl-script
            PerlResponseHandler RT::Mason
            SSLVerifyClient require
            SSLRequire %{SSL_CLIENT_S_DN} in { \
                "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
                "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
                "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
                "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
            }
        </Location>
    </VirtualHost>
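One thing worth checking in this thread's own logs: the 15 Oct line for mbs carries the DN with "OU=People", while every entry in the SSLRequire allow-list spells "OU=people". The following is an added example, not code from the thread; it pulls the DN out of lines in the thread's CustomLog format and compares it against the allow-list the way a literal string comparison does, reporting which RDN differs. It assumes SSLRequire's "in" operator compares %{SSL_CLIENT_S_DN} byte for byte (no case folding, no RDN normalisation).

```python
"""Compare a logged client DN against the thread's SSLRequire allow-list literally.

Added example, not from the thread. Assumption: SSLRequire's "in" compares
the DN string exactly, so a case difference in one RDN is a mismatch even
though SSL_CLIENT_VERIFY (chain validation) reports SUCCESS.
"""
import re

# Allow-list exactly as written in the <Location /> block of this thread.
ALLOWED_DNS = [
    "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.",
    "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.",
    "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B",
    "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A.",
]

# Two lines quoted in the thread, in its ssl_error443_log CustomLog format:
# %t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x
# %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x ... "%r" %b
SAMPLE_LOG = [
    '[15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 '
    '/O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E '
    'Simpson Mary B - "GET /index.html HTTP/1.1" 295',
    '[19/Oct/2010:16:20:42 -0400] 1xx.xx.9.45 on TLSv1 AES128-SHA 128 '
    '/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J. SUCCESS 3 369E '
    'Blaine Charles J. - "GET /favicon.ico HTTP/1.1" 213',
]

# The DN runs from the first "/attr=" after the key size up to the
# SSL_CLIENT_VERIFY token (SUCCESS, NONE, GENEROUS or FAILED:reason).
LOG_DN_RE = re.compile(r"\s(/[^\s/]+=.*?)\s(SUCCESS|NONE|GENEROUS|FAILED\S*)\s")


def extract_dn(log_line: str) -> str:
    """Return the %{SSL_CLIENT_S_DN}x field of one log line."""
    match = LOG_DN_RE.search(log_line)
    if not match:
        raise ValueError("no client DN in log line")
    return match.group(1)


def parse_dn(dn: str):
    """Split "/O=x/OU=y/CN=z" into [("O","x"), ("OU","y"), ("CN","z")].

    Good enough for the DNs in this thread; values containing "/" would
    need the escaping rules of a real DN parser.
    """
    rdns = []
    for part in dn.split("/")[1:]:
        attr, _, value = part.partition("=")
        rdns.append((attr, value))
    return rdns


def strict_match(dn: str, allowed=ALLOWED_DNS) -> bool:
    """What a literal "in { ... }" comparison decides for this DN."""
    return dn in allowed


def explain_mismatch(dn: str, allowed=ALLOWED_DNS):
    """List (attr, logged_value, configured_value) for every RDN that differs
    between the DN and the allow-list entry sharing the most RDNs with it.
    An empty list means the DN matches an entry exactly."""
    if strict_match(dn, allowed):
        return []
    logged = parse_dn(dn)
    best = max(allowed,
               key=lambda entry: sum(a == b for a, b in zip(parse_dn(entry), logged)))
    return [(conf_attr, log_val, conf_val)
            for (conf_attr, conf_val), (log_attr, log_val) in zip(parse_dn(best), logged)
            if (conf_attr, conf_val) != (log_attr, log_val)]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        dn = extract_dn(line)
        print(dn, "->", "match" if strict_match(dn) else explain_mismatch(dn))
```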
Re: Specifying the openssl version used with mod_ssl
Hello Gunner,

Have you tried --enable-ssl --with-ssl=/path/to/just/compiled/openssl ?

Regards,

Gregg

Gunner Geller wrote:
> Hello,
>
> We are using Mac Leopard OS. We have rolled our own Apache (2.2.16) separate from the default install. We have also rolled our own OpenSSL to the latest version. However, when we compile Apache and enable mod_ssl it still uses the old OpenSSL version. We can see it in our HTTP headers:
>
>     Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l
>
> When typing "openssl version" from my account and the root account I get:
>
>     OpenSSL 1.0.0a 1 Jun 2010
>
> I've seen this in some Apache configs:
>
>     --enable-ssl --with-ssl=/usr/local/ssl
>
> I've tried the above with no success. According to the output I get when configuring/making/installing Apache it is finding OpenSSL at the above directory. The problem is though that the HTTP header stays the same.
>
> The problem is we can't upgrade the default OpenSSL version on the OS without Apple providing the update. The outdated version is tripping our security scans. Like I said, we rolled our own updated version but cannot get Apache/mod_ssl to use it.
>
> Any help is appreciated.
>
> Thanks,
> Gunner Geller
SSLv3 alone (without TLSv1) does not work from client browser
In our Apache conf file, we have the following directives:

    SSLProtocol -all +SSLv3 +TLSv1
    SSLCipherSuite ALL:!DH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL:!aNULL

When we use a browser (Internet Explorer, or Firefox) to connect, it will work if we have both SSLv3 and TLSv1 configured within the browser. But, when we remove the TLSv1, we cannot connect.

Does anyone know what could be the problem?

Thanks in advance,
Dan
RE: OCSP-validation fails - Wrong cert passed to OCSP by Apache
Thanks,

Why didn't I check that?

Well, I made it validate correctly by doing a very strange and not usable workaround. I believe something is broken. I followed your suggestion and posted a more complete entry to the us...@httpd.apache.org list. I will file a bug report if no one can point out any errors I have made.

/ulfW

-----Original Message-----
From: Joe Orton [mailto:jor...@redhat.com]
Sent: 17 August 2010 16:01
To: Ulf Wahlqvist
Cc: modssl-users@modssl.org
Subject: Re: OCSP-validation fails - Wrong cert passed to OCSP by Apache

On Tue, Aug 17, 2010 at 12:47:26PM +0200, Ulf Wahlqvist wrote:
> I still don't get it. I used Wireshark and found out that the certificate sent to the OCSP-responder is the CA-cert, not the client-cert to be validated! I am clueless.

The code tries to verify each cert in the client cert chain from issuing CA down to the end-entity client cert with the OCSP responder - this is expected behaviour.

The modssl-users@ was used for discussion of mod_ssl for Apache httpd 1.3. For discussion of OCSP in httpd 2.3 I'd recommend us...@httpd.apache.org - file bugs if you think the code is buggy.

http://issues.apache.org/bugzilla/

Regards, Joe
RE: OCSP-validation fails - Wrong cert passed to OCSP by Apache
I still don't get it. I used Wireshark and found out that the certificate sent to the OCSP-responder is the CA-cert, not the client-cert to be validated! I am clueless.

    Online Certificate Status Protocol
        tbsRequest
            requestList: 1 item
                Request
                    reqCert
                        hashAlgorithm (SHA-1)
                            Algorithm Id: 1.3.14.3.2.26 (SHA-1)
                        issuerNameHash: 3183A656588CA87A8D663E5721EF4BC860D9EC86
                        issuerKeyHash: 7C2E39233244E80F4E66F20D28FE40BEC2B6E2A0
                        serialNumber : 0x1bd40ed434d1da15a6003015024da46c   <- THIS IS THE SERIALNUMBER FOR THE CA-CERT

/ulfW

PS Is this mailing list active?
Re: OCSP-validation fails - Wrong cert passed to OCSP by Apache
On Tue, Aug 17, 2010 at 12:47:26PM +0200, Ulf Wahlqvist wrote:
> I still don't get it. I used Wireshark and found out that the certificate sent to the OCSP-responder is the CA-cert, not the client-cert to be validated! I am clueless.

The code tries to verify each cert in the client cert chain from issuing CA down to the end-entity client cert with the OCSP responder - this is expected behaviour.

The modssl-users@ was used for discussion of mod_ssl for Apache httpd 1.3. For discussion of OCSP in httpd 2.3 I'd recommend us...@httpd.apache.org - file bugs if you think the code is buggy.

http://issues.apache.org/bugzilla/

Regards, Joe
RE: OCSP-validation fails - UPDATE
I have now verified that if I use openssl directly from the command line it will verify OK. Apparently there is no need for signing the request.

    openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer \
        -CAfile /usr/local/apache2/conf/SITHS_CA_v3.cer \
        -cert /mnt/download/uwcert.cer -text -url http://ocsp.trust.telia.com
    . . . .
    Response verify OK
    /mnt/download/uwcert.cer: good
            This Update: Jul 29 10:43:41 2010 GMT
            Next Update: Jul 30 10:43:45 2010 GMT

/ulfW

-----Original Message-----
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org] On Behalf Of Ulf Wahlqvist
Sent: 27 July 2010 16:43
To: modssl-users@modssl.org
Subject: OCSP-validation fails

Hi

I'm trying to get Apache to do Client certificate verification with OCSP-validation. It works without OCSP, but OCSP-validation fails when I turn it on.

The error is "OCSP_check_validity:status too old", but that doesn't make sense because the clocks are within 2 seconds. The client (Apache) says "Mon Jul 26 15:50:06.488292 2010" and the response says "Mon, 26 Jul 2010 13:50:05 GMT" which is the same time. Can there be a problem with comparing timestamps?

A more likely problem might be that the OCSP-responder requires a SIGNED message, but I don't understand how to get Apache to sign it. Some European OCSP-responders seem to accept only signed requests and I'm trying to find out if this is one of them. Will Apache be able to sign OCSP-requests (in that case - how do I pass the cert/key)?

***** my config *****

    [r...@fedoragui logs]# httpd -v
    Server version: Apache/2.3.6 (Unix)
    Server built:   Jul 16 2010 15:31:39
    [r...@fedoragui logs]# openssl version
    OpenSSL 1.0.0a-fips 1 Jun 2010

    ./configure --enable-ssl

***** error_log *****

    [Mon Jul 26 15:50:05.782378 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Connection to child 193 established (server fedoragui.mydomain.com:443)
    [Mon Jul 26 15:50:06.461652 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(79): [client 10.0.2.2:2112] connecting to OCSP responder 'ocsp.trust.telia.com'
    [Mon Jul 26 15:50:06.466167 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(105): [client 10.0.2.2:2112] sending request to OCSP responder
    [Mon Jul 26 15:50:06.488292 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Date: Mon, 26 Jul 2010 13:50:05 GMT
    [Mon Jul 26 15:50:06.493946 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Server: Apache
    [Mon Jul 26 15:50:06.494352 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Length: 1264
    [Mon Jul 26 15:50:06.494828 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Connection: close
    [Mon Jul 26 15:50:06.495071 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Type: application/ocsp-response
    [Mon Jul 26 15:50:06.495303 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(252): [client 10.0.2.2:2112] OCSP response: got 1264 bytes, 1264 total
    [Mon Jul 26 15:50:06.498272 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(235): [client 10.0.2.2:2112] OCSP response: got EOF
    [Mon Jul 26 15:50:06.500184 2010] [error] [pid 9164:tid 3053448048] SSL Library Error: error:2707307F:OCSP routines:OCSP_check_validity:status too old
    [Mon Jul 26 15:50:06.504012 2010] [error] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Certificate Verification: Error (50): application verification failure
    [Mon Jul 26 15:50:06.504430 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] SSL library error 1 in handshake (server fedoragui.mydomain.com:443)

/ulfW
OCSP-validation fails
Hi

I'm trying to get Apache to do Client certificate verification with OCSP-validation. It works without OCSP, but OCSP-validation fails when I turn it on.

The error is "OCSP_check_validity:status too old", but that doesn't make sense because the clocks are within 2 seconds. The client (Apache) says "Mon Jul 26 15:50:06.488292 2010" and the response says "Mon, 26 Jul 2010 13:50:05 GMT" which is the same time. Can there be a problem with comparing timestamps?

A more likely problem might be that the OCSP-responder requires a SIGNED message, but I don't understand how to get Apache to sign it. Some European OCSP-responders seem to accept only signed requests and I'm trying to find out if this is one of them. Will Apache be able to sign OCSP-requests (in that case - how do I pass the cert/key)?

***** my config *****

    [r...@fedoragui logs]# httpd -v
    Server version: Apache/2.3.6 (Unix)
    Server built:   Jul 16 2010 15:31:39
    [r...@fedoragui logs]# openssl version
    OpenSSL 1.0.0a-fips 1 Jun 2010

    ./configure --enable-ssl

***** error_log *****

    [Mon Jul 26 15:50:05.782378 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Connection to child 193 established (server fedoragui.mydomain.com:443)
    [Mon Jul 26 15:50:06.461652 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(79): [client 10.0.2.2:2112] connecting to OCSP responder 'ocsp.trust.telia.com'
    [Mon Jul 26 15:50:06.466167 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(105): [client 10.0.2.2:2112] sending request to OCSP responder
    [Mon Jul 26 15:50:06.488292 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Date: Mon, 26 Jul 2010 13:50:05 GMT
    [Mon Jul 26 15:50:06.493946 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Server: Apache
    [Mon Jul 26 15:50:06.494352 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Length: 1264
    [Mon Jul 26 15:50:06.494828 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Connection: close
    [Mon Jul 26 15:50:06.495071 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Type: application/ocsp-response
    [Mon Jul 26 15:50:06.495303 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(252): [client 10.0.2.2:2112] OCSP response: got 1264 bytes, 1264 total
    [Mon Jul 26 15:50:06.498272 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(235): [client 10.0.2.2:2112] OCSP response: got EOF
    [Mon Jul 26 15:50:06.500184 2010] [error] [pid 9164:tid 3053448048] SSL Library Error: error:2707307F:OCSP routines:OCSP_check_validity:status too old
    [Mon Jul 26 15:50:06.504012 2010] [error] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Certificate Verification: Error (50): application verification failure
    [Mon Jul 26 15:50:06.504430 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] SSL library error 1 in handshake (server fedoragui.mydomain.com:443)

/ulfW
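The "status too old" error in this thread comes from OpenSSL's OCSP_check_validity(), which compares the response's thisUpdate and nextUpdate fields against the server clock, not the HTTP Date header the post compares against. The following is an added example, not OpenSSL's, httpd's or the poster's code: it re-implements those checks as I understand them (thisUpdate at most nsec seconds in the future; thisUpdate at most maxsec seconds in the past when maxsec >= 0, which is the "too old" case; nextUpdate at most nsec seconds in the past; nextUpdate not before thisUpdate) and assumes httpd feeds them from SSLOCSPResponseTimeSkew (default 300) and SSLOCSPResponseMaxAge (default -1). Times use the "openssl ocsp -text" format seen in the thread; the 26 July thisUpdate is constructed, since the log only shows the responder's Date header.

```python
"""Re-implementation of the OCSP response time checks behind "status too old".

Added example, not OpenSSL's or httpd's code. Timestamps are given in the
"Jul 29 10:43:41 2010 GMT" format that "openssl ocsp -text" prints.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_time(text: str) -> datetime:
    return datetime.strptime(text, OPENSSL_TIME).replace(tzinfo=timezone.utc)


def check_validity(this_update, next_update, now, nsec=300, maxsec=-1):
    """Return the failure reasons in OpenSSL's wording; [] means acceptable.

    nsec   - allowed clock skew in seconds (httpd: SSLOCSPResponseTimeSkew)
    maxsec - maximum age of thisUpdate, -1 disables (httpd: SSLOCSPResponseMaxAge)
    """
    t_this = parse_openssl_time(this_update)
    t_next = parse_openssl_time(next_update) if next_update else None
    t_now = parse_openssl_time(now)
    errors = []
    if t_this > t_now + timedelta(seconds=nsec):
        errors.append("status not yet valid")
    if maxsec >= 0 and t_this < t_now - timedelta(seconds=maxsec):
        errors.append("status too old")
    if t_next is not None:
        if t_next < t_now - timedelta(seconds=nsec):
            errors.append("status expired")
        if t_next < t_this:
            errors.append("nextUpdate before thisUpdate")
    return errors


def skew_seconds(date_header: str, now: str) -> int:
    """Server clock minus the responder's HTTP Date header, in seconds.

    This is the difference the post measured; it plays no part in the
    validity check above, which only looks at thisUpdate and nextUpdate.
    """
    responder = parsedate_to_datetime(date_header)
    return int(round((parse_openssl_time(now) - responder).total_seconds()))


if __name__ == "__main__":
    # httpd logged local time Mon Jul 26 15:50:06 (CEST), i.e. 13:50:06 GMT.
    now = "Jul 26 13:50:06 2010 GMT"
    print("skew vs Date header:", skew_seconds("Mon, 26 Jul 2010 13:50:05 GMT", now))
    # Constructed thisUpdate/nextUpdate, roughly 3 hours old with a 24 h window.
    this_upd, next_upd = "Jul 26 10:43:41 2010 GMT", "Jul 27 10:43:45 2010 GMT"
    print("defaults:   ", check_validity(this_upd, next_upd, now))
    print("max age 1 h:", check_validity(this_upd, next_upd, now, maxsec=3600))
```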
SSLCACertificateFile getting ignored when I use a Location directive
Hello,

Adding <Location> around SSLVerifyClient and SSLVerifyDepth is causing my mutual authentication to fail with an ssl_error_handshake_failure_alert message. I can't seem to determine what might be causing this. I'll just jump right to the code below:

[WORKS] Excerpting my httpd.conf:

    <VirtualHost _default_:443>
        DocumentRoot "<path edited>/htdocs"
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+eNULL
        SSLCertificateFile <path edited>/Cert/ssl.crt/server.crt
        SSLCertificateKeyFile <path edited>/Cert/ssl.key/server.key
        SSLCACertificateFile <path edited>/Cert/ca.cer
        SSLVerifyClient required
        SSLVerifyDepth 1
    [truncated]

The above works like a charm. The only problem is it works EVERYWHERE I use 443 ... which is as expected. So when I add my <Location> directive as below I get the "Error code: ssl_error_handshake_failure_alert". Though it properly triggers this error on requests to the specified location. So I know that part is being picked up properly.

Does anybody know what can be causing this? This seems to be how it was behaving before I added in the SSLCACertificateFile information. Could the <Location> tag be causing the server to somehow ignore my SSLCACertificateFile?

[DOESN'T WORK] : Error code: ssl_error_handshake_failure_alert

    <VirtualHost _default_:443>
        DocumentRoot "<path edited>/htdocs"
        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP:+eNULL
        SSLCertificateFile <path edited>/Cert/ssl.crt/server.crt
        SSLCertificateKeyFile <path edited>/Cert/ssl.key/server.key
        SSLCACertificateFile <path edited>/Cert/ca.cer
        <Location /logonWithCertificate>
            SSLVerifyClient required
            SSLVerifyDepth 1
        </Location>
    [truncated]

Thanks in advance for any insight.

-John
FTP and HTTP Mirror
Hello,

here are the facts about our mirror:

* URL of mirror: http://artfiles.org/modssl.org
* URL of mirror: ftp://artfiles.org/modssl.org
* Hosting institution, country and city where the mirror is located: Artfiles New Media GmbH, Hamburg, Germany
* Contact email address: mir...@artfiles.org
* Update frequency: daily
* Speed: 1000MBit/s

Please add us to your list.

With best regards
Artfiles New Media GmbH
Andreas Worbs

--
Artfiles New Media GmbH | Heidenkampsweg 100 | 20097 Hamburg
Tel: 040 - 32 02 72 90 | Fax: 040 - 32 02 72 95
E-Mail: supp...@artfiles.de | Web: http://www.artfiles.de
Managing Directors: Carsten Bals | Harald Oltmanns | Tim Evers
Registered in the Hamburg Commercial Register - HRB 81478
SSL_SESSION_ID on RHEL 5.5
Hi!

For security reasons I'm using the env var SSL_SESSION_ID to cross-check the application's session ID with the SSL session ID in my web application. This works without any issues on my openSUSE boxes. Browser is SeaMonkey 2.0.4.

But I have problems with Apache 2.2.3 shipped with Red Hat Enterprise Linux Server release 5.5 (Tikanga). Very soon the SSL session seems to be renegotiated, resulting in a new value in SSL_SESSION_ID.

Relevant settings for SSL session resumption:

    SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
    SSLSessionCacheTimeout 7200

Any hint? Were there relevant fixes to mod_ssl after release 2.2.3? Or maybe Red Hat backported patches against renegotiation attacks which cause the issue?

Ciao, Michael.
Jean-Pierre Guilloteau is out of the office.
I will be out of the office starting Sat 08/05/10 and will not return until Mon 17/05/10. I will respond to your message when I return.
SSLRequire on OID extension DER encoded field value
hey guys,

I hope you're all doing fine. I need a little support here on ssl client verification, tell me please if this is not the right place.

I need to check for a specific extension field value from x509 client certificates to grant access to defined users. I read this could be possible using the oid() or peerextlist() functions. I had to determine the field oid using the openssl java package, and I'm trying to debug the sslrequire check using the setenvif module, SSI + perl printenv.pl (maybe there is a better way to do this?).

So, my problem is I can't seem to find a way to validate my client based on this field. I was wondering, first: should this work? second: if the extension value is der encoded, would apache be able to handle this check, and how would I store the granted values? I'm using apache 2.2.9.

Let me know if you need some more detailed info on this, I can handle the certificate or my entire configuration file if needed.

This is what I ended up trying and the results:

    SSLEngine on
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire +StdEnvVars
    SSLCertificateFile ssl/server.crt
    SSLCertificateKeyFile ssl/server-private.key
    LogLevel debug
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /ssl/clients/ca.crt
    <Location />
    SetEnvIf OID(2.5.4.5) "(.*)" OIDTEST=$1
    SSLRequire "400023144340" in OID("2.5.4.5")
    </Location>

    [Mon May 10 15:59:43 2010] [info] Access to cgi-bin/printenv.pl denied for 127.0.0.1 (requirement expression not fulfilled)
    [Mon May 10 15:59:43 2010] [info] Failed expression: "400023144340" in OID("2.5.4.5")

Output if bypassing the sslrequire directive (this should return the oid matching field value, right?):

    OIDTEST=

Thanks in advance for your help.

Lionel
SSL Session ID chaining
Hi

I recently found a patch for mod_ssl trunk (http://svn.apache.org/viewvc?view=revision&revision=779005) and it is in 2.3.5-alpha: the SSL_SESSION_RESUMED variable, that is "Initial or Resumed SSL Session. Note: multiple requests may be served over the same (Initial or Resumed) SSL session if HTTP KeepAlive is in use."

However it shows the 1st request as Initial, and Resumed on the next requests inside the same SSL_SESSION_ID (sometimes it shows another Initial in the same SSL_SESSION_ID, maybe because they are in another tcp connection).

I had a situation where I make a client certificate authentication and I need to know how to find out whether an SSL_SESSION_ID is the first and the others are renegotiated (assuming a 5 min. timeout), in the way shown below:

    Timestamp : SSL_SESSION_ID : Status
    00:00:00  : AA             : Initial
    00:05:00  : BB             : Renegotiated
    00:10:00  : CC             : Renegotiated
    00:15:00  : DD             : Renegotiated
    00:20:00  : EE             : Renegotiated

I can't find a way to make a relationship between the SSL_SESSION_IDs, how can I get this?

Best regards,

Klaubert Herr
Skipping generating temporary 512 bit RSA private key in FIPS mode
How do I get rid of these errors? FIPS Openssl 1.2

    [Thu Apr 29 15:41:22 2010] [notice] Operating in SSL FIPS mode
    [Thu Apr 29 15:41:22 2010] [error] Init: Skipping generating temporary 512 bit RSA private key in FIPS mode
    [Thu Apr 29 15:41:22 2010] [error] Init: Skipping generating temporary 512 bit DH parameters in FIPS mode
    [Thu Apr 29 15:41:22 2010] [error] Init: Skipping generating temporary 512 bit RSA private key in FIPS mode
    [Thu Apr 29 15:41:22 2010] [error] Init: Skipping generating temporary 512 bit DH parameters in FIPS mode
    [Thu Apr 29 15:41:22 2010] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/FIPS DAV/2 SVN/1.6.11 configured -- resuming normal operations
Re: Client certificate does not work / renegotiate
Hi,

That is not a bug, it is a feature! With the TLS renegotiation there is a theoretical man-in-the-middle attack possible. To prevent that the developers decided to deactivate the TLS renegotiation.

Solution: use "SSLInsecureRenegotiation on"
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation

From the changelog:

    Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol.

Mario
Client certificate does not work / renegotiate
Hello,

In a host where the client certificate is optional and in some directories required. Server is SNI, and this configuration worked fine before SNI.

    <VirtualHost *:443>
    SSLVerifyClient optional
    <Location /certrequirement>
    SSLVerifyClient require
    </Location>
    ...

I use an SNI client (firefox) with a client certificate that works on optional locations but does not in the certrequirement location.

    [info] Initial (No.1) HTTPS request received for child 5 (server www.1pc.es:443)
    [debug] ssl_engine_kernel.c(487): [client 192.168.1.40] Changed client verification type will force renegotiation, referer: http:
    [info] [client 192.168.1.40] Requesting connection re-negotiation, referer: http://www.1pc.es/
    [debug] ssl_engine_kernel.c(724): [client 192.168.1.40] Performing full renegotiation: complete handshake protocol, referer: http
    [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
    [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSL renegotiate ciphers
    [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request A
    [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 flush data
    [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: SSLv3 write hello request C
    [info] [client 192.168.1.40] Awaiting re-negotiation handshake, referer: http://www.1pc.es/
    [debug] ssl_engine_kernel.c(1861): OpenSSL: Handshake: start
    [debug] ssl_engine_kernel.c(1869): OpenSSL: Loop: before accept initialization
    [debug] ssl_engine_io.c(1873): OpenSSL: read 5/5 bytes from BIO#7f4325589ef0 [mem: 7f4325577083] (BIO dump follows)
    [debug] ssl_engine_kernel.c(1874): OpenSSL: Read: SSLv3 read client hello B
    [debug] ssl_engine_kernel.c(1893): OpenSSL: Exit: failed in SSLv3 read client hello B
    [error] [client 192.168.1.40] Re-negotiation handshake failed: Not accepted by client!?, referer: http://www.1pc.es/

    openssl-1.0.0-0.13.beta4.fc12.x86_64
    httpd-2.2.14-1.fc12.x86_64
    mod_ssl-2.2.14-1.fc12.x86_64

Anyone knows where the problem is? Why does it not work in required, and do the job in optional?

--
http://www.1pc.es/
Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
I updated the patch. The most recent version is now available at

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_31-1_3_41-v4.patch

In addition to the v3 version of the patch, it now also contains a backport of the SSLInsecureRenegotiation directive introduced in Apache httpd 2.2.15 in combination with OpenSSL 0.9.8m and beyond.

The patch needs some more testing, but the backport was straightforward.

Regards,

Rainer

On 01.01.2010 21:44, Rainer Jung wrote:
On 29.12.2009 22:57, John Lightsey wrote:
On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
On 23.11.2009 18:57, John Lightsey wrote:
On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:

Thanks again. I updated the patch:

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch

The only changes are in ssl_engine_io.c, where the declaration of char *reneg is moved 4 times to the beginning of the function. Anything else you observed?

I received a report of segfaults caused by this patch. They happen when you have Apache proxy connections to a SSL destination. IE:

    RewriteRule ^/(.*) https://other_site.com/$1 [P]

The segfault happens at:

    reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");

in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.

    #0  0x00454bb5 in ssl_io_suck_read (ssl=0x10a26070, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
            actx = (ap_ctx *) 0x10a26070
            ss = (struct ssl_io_suck_st *) 0x0
            r = (request_rec *) 0x0
            rv = 0
            reneg = 0x0
            c = (conn_rec *) 0x0
    #1  0x00454f31 in ssl_io_hook_read (fb=0x10a25c28, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
            ssl = (SSL *) 0x10a26070
            c = (conn_rec *) 0x0
            s = (server_rec *) 0x0
            rc = 0
            reneg = 0x0
    #2  0x0049a00f in ap_hook_call_func (ap=0x7fff98699110, he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
            v1 = (void *) 0x10a25c28
            v2 = (void *) 0x107ccd88
            v3 = 4096
            v_rc = (void *) 0x7fff9869922c
            v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0, v_double = 0, v_ptr = 0x0}
            rc = 1
    #3  0x004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read") at ap_hook.c:382
            i = 0
            he = (ap_hook_entry *) 0x104f33b0
            ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff98699200, reg_save_area = 0x7fff98699140}}
            rc = 0
    #4  0x0046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88, nbyte=4096) at buff.c:255
            rv = 0

Thank you for your feedback and the analysis. I could reproduce this and have updated the patch:

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v3.patch

I tested with and without SSL_EXPERIMENTAL_PROXY and it worked for my tests. The code doesn't try to change/fix renegotiation behaviour for ssl on the client side when used as a proxy.

As always: feedback welcome!

Regards,

Rainer
SSLRequireSSL within LimitExcept
Hi,

I've set up a SVN with access via apache with and without SSL. I'd like to configure it so that anonymous users have ro-access to the svn via http and https and authenticated users have rw-access only via https. I've seen a few examples on the internet where this has been done by adding SSLRequireSSL within LimitExcept. I added the following to my svn-config:

    <Location /svn>
        DAV svn
        SVNPath /svn/svnpath
        AuthType Basic
        AuthName "Subversion Repository"
        AuthUserFile authfile
        <LimitExcept GET PROPFIND OPTIONS REPORT>
            Require valid-user
            SSLRequireSSL
        </LimitExcept>
    </Location>

When I access the svn via https it works, but when I access it via http it does not work and I get the following error in my log:

    /var/log/apache2/error.log:
    [Fri Feb 19 13:53:09 2010] [error] [client 127.0.0.1] access to /var/www/svn failed, reason: SSL connection required

    /var/log/apache2/access.log:
    127.0.0.1 - - [19/Feb/2010:13:53:09 +0100] "GET /svn/ HTTP/1.0" 403 183 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)"

Should this work or is it just not possible to use SSLRequireSSL within LimitExcept?

Greetings
Tobias
Jean-Pierre Guilloteau is out of the office.
I will be out of the office starting Wed 17/02/10 and will not return until Thu 18/02/10. I will respond to your message when I return.
Re: Which SSL Directives to use?
On 02/17/2010 02:08 AM, NT984 wrote:
> I am converting from a Verisign SSL Certificate to a Network Solutions EV SSL Cert on my site. My existing configuration uses the following directives:
>
>     SSLEngine on
>     SSLCipherSuite ALL:!ADH:!EXP:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2
>     SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.cert
>     SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
>     SSLCACertificateFile /etc/apache2/ssl.crt/my.blah.com.intermediate.crt
>
> In the Network Solutions instructions, it recommends using the following:
>
>     SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.crt
>     SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
>     SSLCertificateChainFile /etc/apache2/ssl.crt/Apache_Plesk_Install.txt
>
> In the apache mod_ssl documentation (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html), it states the following:
>
> SSLCertificateChainFile
> This should be used alternatively and/or additionally to SSLCACertificatePath for explicitly constructing the server certificate chain which is sent to the browser in addition to the server certificate. It is especially useful to avoid conflicts with CA certificates when using client authentication. Because although placing a CA certificate of the server certificate chain into SSLCACertificatePath has the same effect for the certificate chain construction, it has the side-effect that client certificates issued by this same CA certificate are also accepted on client authentication.
> Example: SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt
>
> SSLCACertificateFile
> This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with. These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to SSLCACertificatePath.
> Example: SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt
>
> My question is... should I include both directives in my configuration? Is there an advantage to doing so? Now that I am upgrading, do I need to consider modification of my SSLCipherSuite setting?
>
> Any help would be appreciated. Thx.
>
> nt

NT,

You should use SSLCertificateChainFile if you're on Apache 2.2. If you're on Apache 1.x, then typically you'll want to use SSLCACertificateFile. In Apache 2, SSLCACertificateFile is for Client Authentication, whereas in earlier versions it was for the Certificate Authority. Earlier versions of Apache 2.0 were able to use both interchangeably. Do not use both at the same time. Only if you're doing Client Authentication.

As far as your cipher suite goes... You'll also want to disable MD5 based ciphers. (Opera 9.x will warn of weak ciphers in use as there are a few MD5 based in SSLv3/TLSv1.x)

Hope this helps,
--Sal
Which SSL Directives to use?
I am converting from a Verisign SSL Certificate to a Network Solutions EV SSL Cert on my site. My existing configuration uses the following directives:

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXP:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2
    SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.cert
    SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
    SSLCACertificateFile /etc/apache2/ssl.crt/my.blah.com.intermediate.crt

In the Network Solutions instructions, it recommends using the following:

    SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
    SSLCertificateChainFile /etc/apache2/ssl.crt/Apache_Plesk_Install.txt

In the apache mod_ssl documentation (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html), it states the following:

SSLCertificateChainFile
This should be used alternatively and/or additionally to SSLCACertificatePath for explicitly constructing the server certificate chain which is sent to the browser in addition to the server certificate. It is especially useful to avoid conflicts with CA certificates when using client authentication. Because although placing a CA certificate of the server certificate chain into SSLCACertificatePath has the same effect for the certificate chain construction, it has the side-effect that client certificates issued by this same CA certificate are also accepted on client authentication.
Example: SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt

SSLCACertificateFile
This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with. These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to SSLCACertificatePath.
Example: SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt

My question is... should I include both directives in my configuration? Is there an advantage to doing so? Now that I am upgrading, do I need to consider modification of my SSLCipherSuite setting?

Any help would be appreciated. Thx.

nt

--
View this message in context: http://old.nabble.com/Which-SSL-Directives-to-use--tp27618358p27618358.html
Sent from the mod_ssl - Users mailing list archive at Nabble.com.
Re: Client Auth with S/MIME certificates - certificate purpose problem
I found a solution, it looks like a dirty hack and makes a security hole, but it works for our custom purposes. So I don't recommend using this way. Somehow it may be of interest to somebody.

It's needed to patch openssl. In the 'openssl/ssl/ssl_cert.c' file, in the 'ssl_verify_cert_chain' function, replace

    X509_STORE_CTX_set_default(ctx, s->server ? "ssl_client" : "ssl_server");

by

    X509_STORE_CTX_set_default(ctx, "any");

Yaroslav
Client Auth with S/MIME certificates - certificate purpose problem
Hi all!

I have an https server with apache/2.2.12 + mod_ssl/2.2.14 and OpenSSL/0.9.8g. I want to perform authentication based on client S/MIME certificates. Clients have certificates with only the following purposes:

- S/MIME signing
- S/MIME encryption

But no SSL client or SSL server. So I'm getting the following error during authentication:

    ...
    [Wed Feb 10 11:36:59 2010] [error] [client 127.0.0.1] Certificate Verification: Error (26): unsupported certificate purpose
    [Wed Feb 10 11:36:59 2010] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client certificate B
    [Wed Feb 10 11:36:59 2010] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client certificate B
    [Wed Feb 10 11:36:59 2010] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client certificate B
    [Wed Feb 10 11:36:59 2010] [info] [client 127.0.0.1] SSL library error 1 in handshake (server 127.0.1.1:443)
    [Wed Feb 10 11:36:59 2010] [info] SSL Library Error: 336105650 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    ...

I tried to solve this by customizing 'ssl_engine_init.c' from mod_ssl. I added the following lines in the ssl_init_ctx_verify function:

    /*
     * Configure CTX purpose
     */
    if (SSL_CTX_set_purpose(ctx, X509_PURPOSE_ANY)) {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Purpose successfully set");
    } else {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, "Purpose set failed");
    }
    /*
     * Configure Client Authentication details
     */

But it doesn't work. Seems like it's all ok with the SSL_CTX_set_purpose function and there is a "Purpose successfully set" line in the apache log file, but I'm still getting the "unsupported certificate purpose" error. I haven't found any certificate purpose configuration code in the mod_ssl source.

I will be grateful for any help.

Yaroslav
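Both the chain question in the "Which SSL Directives to use?" thread (why the intermediate must be sent, which is what SSLCertificateChainFile is for) and the purpose error 26 in this thread can be reproduced offline with the openssl command line. The script below is an added example written for this page; it is not code from the list, from mod_ssl or from OpenSSL. It builds a throwaway root CA, an intermediate CA and three leaf certificates (every subject, file name and extension set is constructed here), then runs `openssl verify` with the same purpose names OpenSSL applies during a TLS handshake: the server certificate with and without its intermediate, and a client certificate that carries only the emailProtection extended key usage beside one that also carries clientAuth. The `openssl x509 -purpose` listing at the end is what an administrator can run on a client's actual certificate to see the same "SSL client : No" that makes mod_ssl reject it.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL chain (error 20) and purpose (error 26)
# verification outcomes with a constructed, throwaway PKI.  Nothing here is
# taken from the thread; all names and files are local to a temp directory.
set -eu

WORK="$(mktemp -d)"
CNF="$WORK/demo.cnf"

# Minimal openssl.cnf: req wants a distinguished_name section even with -subj;
# the remaining sections are the X.509v3 extensions each certificate receives.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ v3_smime_only ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
[ v3_smime_and_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
EOF

# issue NAME ISSUER EXT_SECTION: fresh RSA key + CSR, signed with ISSUER's key
# and given the extensions from EXT_SECTION of the config above.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -extfile "$CNF" -extensions "$3" \
    -out "$WORK/$1.crt" 2>/dev/null
}

build_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -config "$CNF" -extensions v3_root \
    -subj "/CN=Demo Root CA" -days 1 \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  issue intermediate root v3_intermediate
  issue server intermediate v3_server        # server -> intermediate -> root
  issue smime-only root v3_smime_only        # client certs issued by the root
  issue smime-and-client root v3_smime_and_client
}

# check_chain CERT PURPOSE [UNTRUSTED]: returns 0 only when CERT chains to the
# root for PURPOSE.  UNTRUSTED plays the part of the intermediate a server
# hands the client via SSLCertificateChainFile; without it the verifier sees
# the same "unable to get local issuer certificate" a browser would.
check_chain() {
  if [ "$#" -eq 3 ]; then
    out="$(openssl verify -purpose "$2" -CAfile "$WORK/root.crt" \
             -untrusted "$WORK/$3.crt" "$WORK/$1.crt" 2>&1 || true)"
  else
    out="$(openssl verify -purpose "$2" -CAfile "$WORK/root.crt" \
             "$WORK/$1.crt" 2>&1 || true)"
  fi
  case "$out" in
    *": OK"*) echo "$1 for $2: OK"; return 0 ;;
    *)        echo "$1 for $2: FAILED"; echo "$out" | sed 's/^/    /'; return 1 ;;
  esac
}

# list_purposes NAME: the two rows of the purpose table that matter here.
list_purposes() {
  openssl x509 -in "$WORK/$1.crt" -noout -purpose | grep -E '^(SSL client|S/MIME signing) '
}

build_pki
check_chain server sslserver || true            # error 20: intermediate missing
check_chain server sslserver intermediate       # OK: chain completed
check_chain smime-only sslclient || true        # error 26: unsupported certificate purpose
check_chain smime-only smimesign                # OK: it is a valid S/MIME certificate
check_chain smime-and-client sslclient          # OK: clientAuth present
list_purposes smime-only
```

Issuing client certificates with clientAuth in extendedKeyUsage, or re-issuing the existing S/MIME certificates with it, keeps the server-side purpose check intact; relaxing the check to "any" in OpenSSL, as the reply above does, switches off the distinction for every certificate the server ever sees.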
mod ssl's update for apache 1.3.42?
The Apache Group is pleased to announce the legacy release of the 1.3.42 version of the Apache HTTP Server. This version of Apache is principally a security release.
Re: mod ssl's update for apache 1.3.42?
I wouldn't expect an update until it's in sync with the final 0.9.8m from the group, as a (probably final) update. Without 0.9.8m finished, due to an unfinished RFC, it's a bit trickier to move ahead.

On 2/5/2010 6:19 AM, Bernard PREVOSTO wrote:
> The Apache Group is pleased to announce the legacy release of the 1.3.42 version of the Apache HTTP Server. This version of Apache is principally a security release.
SSLVerifyClient optional redirect or be graceful upon revoked certificate
When using SSLVerifyClient optional, is there a way (or are there plans for this) to redirect when mod_ssl detects a revoked certificate? What about setting $_SERVER["SSL_CLIENT_VERIFY"] == "FAIL" just as it is when no certificate is installed? In other words, why should the action be any different for no-certificate and revoked-certificate?

BTW, my application is a wrapper app to self manage private SSL certificates. The login pre-test is intended for all cases (without cert, with cert, and revoked cert) and detects by testing $_SERVER["SSL_CLIENT_VERIFY"] == "SUCCESS" (this is in a dedicated <Directory ...> carefully designed to eliminate risk from MitM attacks). This works for the two cases no-cert and valid-cert, but for revoked-cert we get an ugly hard-stop. For example from Firefox: "SSL peer rejected your certificate as revoked."

If this isn't appropriate for modssl-users, and is rather an apache issue, then advice for an alternate forum is appreciated. Has it already been discussed/requested? (searched a lot but didn't find anything)

I would like to build a mod_ssl with both the option to redirect on FAIL (separate options for no-cert and revoked-cert), and limit initiate-renegotiation to the server only, not the client.

Any help is greatly appreciated. Thanks.
RE: SSLVerifyClient optional redirect or be graceful upon revoked certificate
I proposed this a while back but never got any responses.

https://issues.apache.org/bugzilla/show_bug.cgi?id=46897

-Original Message-
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org] On Behalf Of Jaz
Sent: Friday, January 22, 2010 9:11 AM
To: modssl-users@modssl.org
Subject: SSLVerifyClient optional redirect or be graceful upon revoked certificate

> When using SSLVerifyClient optional, is there a way (or are there plans for this) to redirect when mod_ssl detects a revoked certificate? What about setting $_SERVER["SSL_CLIENT_VERIFY"] == "FAIL" just as it is when no certificate is installed? In other words, why should the action be any different for no-certificate and revoked-certificate?
>
> BTW, my application is a wrapper app to self manage private SSL certificates. The login pre-test is intended for all cases (without cert, with cert, and revoked cert) and detects by testing $_SERVER["SSL_CLIENT_VERIFY"] == "SUCCESS" (this is in a dedicated <Directory ...> carefully designed to eliminate risk from MitM attacks). This works for the two cases no-cert and valid-cert, but for revoked-cert we get an ugly hard-stop. For example from Firefox: "SSL peer rejected your certificate as revoked."
>
> If this isn't appropriate for modssl-users, and is rather an apache issue, then advice for an alternate forum is appreciated. Has it already been discussed/requested? (searched a lot but didn't find anything)
>
> I would like to build a mod_ssl with both the option to redirect on FAIL (separate options for no-cert and revoked-cert), and limit initiate-renegotiation to the server only, not the client.
>
> Any help is greatly appreciated. Thanks.
Re: SSLVerifyClient require per directory context
Thanks so much for your tip. Now I have a much better understanding of the problem.

Aaron

> Hello,
>
> I faced the same issue. Actually, client authentication has been disabled on recent versions. It has nothing to do with your configuration.
>
> See (on my blog):
> http://www.phocean.net/2009/11/28/openssl-cve-2009-3555-security-fix-and-mod_ssl-client-authentication-breakage.html
>
> and then:
> http://www.phocean.net/2010/01/09/ssltls-rfc-updated-against-cve-2009-3555.html
>
> Regards,
> --
> Jean-Christophe Baptiste
> j...@phocean.net
>
> On Tuesday, 19 January 2010 at 16:53 -0600, aa...@cs.wisc.edu wrote:
> > I'm trying to go through the most basic tutorials on mod_ssl and I'm having a problem trying to get my server to issue a certificate request for a particular URL. I'm listing my Apache and OpenSSL version information.
> >
> >     # httpd -v
> >     Server version: Apache/2.2.14 (Unix)
> >     Server built: Dec 3 2009 10:25:53
> >     # openssl version
> >     OpenSSL 1.0.0-fips-beta4 10 Nov 2009
> >
> > I've followed the steps of this tutorial: http://www.vanemery.com/Linux/Apache/apache-SSL.html
> >
> > I've also tried to follow the SSL HowTo on the Apache site: http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
> >
> > I'll try to get at the heart of the issue. If I have the following in my ssl.conf file in the VirtualHost section
> >
> >     SSLVerifyClient require
> >     SSLVerifyDepth 1
> >
> > then everything works as expected. I have the client certificate installed in my client web browser, and when I click on the link to my https server, which is https://myserver, then it prompts me to get the certificate of the server and confirm a security exception, and also prompts me with a user identification request, at which point I can choose a certificate to identify the client to my server. I see my index.html page, which has a link to the directory https://myserver/Certneeded. I can click on this directory and see a list of the files in that directory.
> >
> > However, if I change my ssl.conf in an attempt to force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the rest of the server, as per the Apache HowTo, then I never get prompted for this user identification request with which I can identify my client web browser to the server. In this case, my ssl.conf file changes to the following.
> >
> >     SSLVerifyClient none
> >     <Location /Certneeded>
> >     Options Indexes
> >     SSLVerifyClient require
> >     SSLVerifyDepth 1
> >     </Location>
> >
> > Now, when I click on the link to https://myserver/Certneeded, the client browser just hangs until a timeout is reached, I'm never prompted to present a certificate for identification, and the contents of the directory are not listed. In Wireshark, I see a client hello, followed by a server hello, followed by a change cipher spec, presumably because I was never prompted for an identification certificate by the server within a set time.
> >
> > In the good case, when my SSLVerifyClient require statement is in the VirtualHost section of the ssl.conf file, in Wireshark, I see a client hello, followed by a server hello, followed by a certificate, server key exchange, certificate request, which seems to be where the window pops up in my client prompting me with a user identification request.
> >
> > In trying to debug this, I noticed that if I do a hack and revert back to an earlier RPM version of openssl, openssl-0.9.8g-11.fc10.i386.rpm, that both configurations (per-server and per-directory contexts) work as expected.
> >
> > What might be wrong here?
> >
> > Aaron
SSLVerifyClient require per directory context
I'm trying to go through the most basic tutorials on mod_ssl and I'm having a problem trying to get my server to issue a certificate request for a particular URL. I'm listing my Apache and OpenSSL version information.

    # httpd -v
    Server version: Apache/2.2.14 (Unix)
    Server built: Dec 3 2009 10:25:53
    # openssl version
    OpenSSL 1.0.0-fips-beta4 10 Nov 2009

I've followed the steps of this tutorial: http://www.vanemery.com/Linux/Apache/apache-SSL.html

I've also tried to follow the SSL HowTo on the Apache site: http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html

I'll try to get at the heart of the issue. If I have the following in my ssl.conf file in the VirtualHost section

    SSLVerifyClient require
    SSLVerifyDepth 1

then everything works as expected. I have the client certificate installed in my client web browser, and when I click on the link to my https server, which is https://myserver, then it prompts me to get the certificate of the server and confirm a security exception, and also prompts me with a user identification request, at which point I can choose a certificate to identify the client to my server. I see my index.html page, which has a link to the directory https://myserver/Certneeded. I can click on this directory and see a list of the files in that directory.

However, if I change my ssl.conf in an attempt to force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the rest of the server, as per the Apache HowTo, then I never get prompted for this user identification request with which I can identify my client web browser to the server. In this case, my ssl.conf file changes to the following.

    SSLVerifyClient none
    <Location /Certneeded>
    Options Indexes
    SSLVerifyClient require
    SSLVerifyDepth 1
    </Location>

Now, when I click on the link to https://myserver/Certneeded, the client browser just hangs until a timeout is reached, I'm never prompted to present a certificate for identification, and the contents of the directory are not listed. In Wireshark, I see a client hello, followed by a server hello, followed by a change cipher spec, presumably because I was never prompted for an identification certificate by the server within a set time.

In the good case, when my SSLVerifyClient require statement is in the VirtualHost section of the ssl.conf file, in Wireshark, I see a client hello, followed by a server hello, followed by a certificate, server key exchange, certificate request, which seems to be where the window pops up in my client prompting me with a user identification request.

In trying to debug this, I noticed that if I do a hack and revert back to an earlier RPM version of openssl, openssl-0.9.8g-11.fc10.i386.rpm, that both configurations (per-server and per-directory contexts) work as expected.

What might be wrong here?

Aaron
Re: SSLVerifyClient require per directory context
Hello,

I faced the same issue. Actually, client authentication has been disabled on recent versions. It has nothing to do with your configuration.

See (on my blog):
http://www.phocean.net/2009/11/28/openssl-cve-2009-3555-security-fix-and-mod_ssl-client-authentication-breakage.html

and then:
http://www.phocean.net/2010/01/09/ssltls-rfc-updated-against-cve-2009-3555.html

Regards,
--
Jean-Christophe Baptiste
j...@phocean.net

On Tuesday 19 January 2010 at 16:53 -0600, aa...@cs.wisc.edu wrote:
> I'm trying to go through the most basic tutorials on mod_ssl and I'm having a problem trying to get my server to issue a certificate request for a particular URL. I'm listing my Apache and OpenSSL version information.
>
>     # httpd -v
>     Server version: Apache/2.2.14 (Unix)
>     Server built:   Dec 3 2009 10:25:53
>     # openssl version
>     OpenSSL 1.0.0-fips-beta4 10 Nov 2009
>
> I've followed the steps of this tutorial:
> http://www.vanemery.com/Linux/Apache/apache-SSL.html
>
> I've also tried to follow the SSL HowTo on the Apache site:
> http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
>
> I'll try to get at the heart of the issue. If I have the following in my ssl.conf file in the VirtualHost section
>
>     SSLVerifyClient require
>     SSLVerifyDepth 1
>
> then everything works as expected. I have the client certificate installed in my client web browser, and when I click on the link to my https server, which is https://myserver, it prompts me to get the certificate of the server and confirm a security exception, and also prompts me with a user identification request, at which point I can choose a certificate to identify the client to my server. I see my index.html page, which has a link to the directory https://myserver/Certneeded. I can click on this directory and see a list of the files in that directory.
>
> However, if I change my ssl.conf in an attempt to force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the rest of the server, as per the Apache HowTo, then I never get prompted for this user identification request with which I can identify my client web browser to the server. In this case, my ssl.conf file changes to the following.
>
>     SSLVerifyClient none
>     <Location /Certneeded>
>         Options Indexes
>         SSLVerifyClient require
>         SSLVerifyDepth 1
>     </Location>
>
> Now, when I click on the link to https://myserver/Certneeded, the client browser just hangs until a timeout is reached, I'm never prompted to present a certificate for identification, and the contents of the directory are not listed. In Wireshark, I see a client hello, followed by a server hello, followed by a change cipher spec, presumably because I was never prompted for an identification certificate by the server within a set time.
>
> In the good case, when my SSLVerifyClient require statement is in the VirtualHost section of the ssl.conf file, in Wireshark I see a client hello, followed by a server hello, followed by a certificate, server key exchange, certificate request, which seems to be where the window pops up in my client prompting me with a user identification request.
>
> In trying to debug this, I noticed that if I do a hack and revert back to an earlier RPM version of openssl, openssl-0.9.8g-11.fc10.i386.rpm, both configurations (per-server and per-directory contexts) work as expected.
>
> What might be wrong here?
>
> Aaron
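The per-directory form in the thread can only work by renegotiating the TLS session after the request for /Certneeded has been read, and that renegotiation is what the CVE-2009-3555 fix in newer OpenSSL builds refuses. A layout that needs no renegotiation at all is to move the client-certificate requirement into a dedicated virtual host, so that the certificate request is part of the initial handshake. The configuration below is an added example, not one posted in the thread; the second port (8443), the document roots and all certificate file paths are assumptions.

```apache
# Added example (not from the thread): client certificates required on a
# dedicated port instead of per-directory, so no renegotiation is needed.
# Port 8443 and every file path below are assumptions.
Listen 443
Listen 8443

# Public site: no client certificate is asked for.
<VirtualHost *:443>
    ServerName myserver
    DocumentRoot /var/www/public
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/myserver.crt
    SSLCertificateKeyFile /etc/pki/tls/private/myserver.key
    SSLVerifyClient none
</VirtualHost>

# Protected area: SSLVerifyClient sits in the vhost context, so the
# CertificateRequest is sent in the first handshake and the browser
# prompts for a certificate immediately; nothing is renegotiated later.
<VirtualHost *:8443>
    ServerName myserver
    DocumentRoot /var/www/certneeded
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/myserver.crt
    SSLCertificateKeyFile /etc/pki/tls/private/myserver.key
    # CA that issued the client certificates. SSLVerifyDepth 1 accepts
    # only certificates signed directly by this CA (no intermediates).
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    <Directory /var/www/certneeded>
        Options Indexes
    </Directory>
</VirtualHost>
```

With this layout the link in index.html points at https://myserver:8443/ rather than https://myserver/Certneeded. Once both server and browser implement RFC 5746 secure renegotiation (OpenSSL 0.9.8m and httpd 2.2.15 onward), the per-directory form works again for compliant clients; the dedicated vhost remains the option that does not depend on renegotiation at all.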
NEED HELP!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Hi, Am Sorry for this message because it may get to you as supprise but it's because of the situation of things right now. I want use this opportunity to explain my problem. I was here in London on Vacation but yesterday thing change because i was mugged at hotel am staying. The worse of it is that bags, cash and cards and my cell phone was stolen at during the incident and it's such a crazy experience for me. Now, am stranded here without any money with me and i need flying back home. Although am so happy that am physically ok and my passport still save with me. I have been to police to make report about the inccident but the best help they could render to me is that they lead me to the embassy. Now, embassy have arrange a flight for me which was schedule on 25th of February 2010 but i dont want to wait long anymore before i can get back home. I have been able to raise some money through my friends and family but am short of $950 USD to complete the money for my flight ticket. Please, i need you to loan me with sum amount $950 USD and i promise you i will pay you back any amount you can afford to loan as soon as i get back home. You can check Western Union Website to locate the nearest outlet around you or wire the money online on their website (www.westernunion.com) I need you to wire the money to me via Western Union Money Transfer with my name: Receiver Name : Chris DiLorenzo My location : Dunstable Beds, LU5 5SD, United Kingdom. As soon as you wire the money you will need provide me the below information MTCN: ??? Amount Send: ??? Sender's Name: ??? So that i can visit any nearest Western Union Outlet to pick up the money with my passport here in United Kingdom. Please do not see this message as virus or spam and i will be very happy if you can help me out. Thank you Chris DiLorenzo
Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
On 29.12.2009 22:57, John Lightsey wrote:
> On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
>> On 23.11.2009 18:57, John Lightsey wrote:
>>> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>>
>> Thanks again. I updated the patch:
>>
>> http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch
>>
>> The only changes are in ssl_engine_io.c, where the declaration of
>> char *reneg is moved 4 times to the beginning of the function.
>>
>> Anything else you observed?
>
> I received a report of segfaults caused by this patch. They happen when
> you have Apache proxy connections to a SSL destination.
>
> IE: RewriteRule ^/(.*) https://other_site.com/$1 [P]
>
> The segfault happens at:
>
>     reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");
>
> in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.
>
> #0  0x00454bb5 in ssl_io_suck_read (ssl=0x10a26070, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
>         actx = (ap_ctx *) 0x10a26070
>         ss = (struct ssl_io_suck_st *) 0x0
>         r = (request_rec *) 0x0
>         rv = 0
>         reneg = 0x0
>         c = (conn_rec *) 0x0
> #1  0x00454f31 in ssl_io_hook_read (fb=0x10a25c28, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
>         ssl = (SSL *) 0x10a26070
>         c = (conn_rec *) 0x0
>         s = (server_rec *) 0x0
>         rc = 0
>         reneg = 0x0
> #2  0x0049a00f in ap_hook_call_func (ap=0x7fff98699110, he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
>         v1 = (void *) 0x10a25c28
>         v2 = (void *) 0x107ccd88
>         v3 = 4096
>         v_rc = (void *) 0x7fff9869922c
>         v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0, v_double = 0, v_ptr = 0x0}
>         rc = 1
> #3  0x004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read") at ap_hook.c:382
>         i = 0
>         he = (ap_hook_entry *) 0x104f33b0
>         ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff98699200, reg_save_area = 0x7fff98699140}}
>         rc = 0
> #4  0x0046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88, nbyte=4096) at buff.c:255
>         rv = 0

Thank you for your feedback and the analysis.

I could reproduce this and have updated the patch:

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v3.patch

I tested with and without SSL_EXPERIMENTAL_PROXY and it worked for my tests. The code doesn't try to change/fix renegotiation behaviour for ssl on the client side when used as a proxy.

As always: feedback welcome!

Regards,

Rainer
Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
> On 23.11.2009 18:57, John Lightsey wrote:
>> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>
> Thanks again. I updated the patch:
>
> http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch
>
> The only changes are in ssl_engine_io.c, where the declaration of
> char *reneg is moved 4 times to the beginning of the function.
>
> Anything else you observed?

I received a report of segfaults caused by this patch. They happen when you have Apache proxy connections to a SSL destination.

IE: RewriteRule ^/(.*) https://other_site.com/$1 [P]

The segfault happens at:

    reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");

in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.

    #0  0x00454bb5 in ssl_io_suck_read (ssl=0x10a26070, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
            actx = (ap_ctx *) 0x10a26070
            ss = (struct ssl_io_suck_st *) 0x0
            r = (request_rec *) 0x0
            rv = 0
            reneg = 0x0
            c = (conn_rec *) 0x0
    #1  0x00454f31 in ssl_io_hook_read (fb=0x10a25c28, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
            ssl = (SSL *) 0x10a26070
            c = (conn_rec *) 0x0
            s = (server_rec *) 0x0
            rc = 0
            reneg = 0x0
    #2  0x0049a00f in ap_hook_call_func (ap=0x7fff98699110, he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
            v1 = (void *) 0x10a25c28
            v2 = (void *) 0x107ccd88
            v3 = 4096
            v_rc = (void *) 0x7fff9869922c
            v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0, v_double = 0, v_ptr = 0x0}
            rc = 1
    #3  0x004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read") at ap_hook.c:382
            i = 0
            he = (ap_hook_entry *) 0x104f33b0
            ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff98699200, reg_save_area = 0x7fff98699140}}
            rc = 0
    #4  0x0046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88, nbyte=4096) at buff.c:255
            rv = 0
Jean-Pierre Guilloteau is out of the office.
I will be out of the office starting Fri 25/12/09 and will not return until Mon 04/01/10. I will respond to your message when I return.
New mirror
Hello,

here are the facts about our mirror:

* URL of mirror: http://artfiles.org/modssl.org
* Hosting institution, country and city where the mirror is located: Artfiles New Media GmbH, Hamburg, Germany
* Contact email address: mir...@artfiles.org
* Update frequency: daily
* IP: 80.252.110.38
* Speed: 1000MBit/s

Please add us to your list.

Kind regards
Artfiles New Media GmbH
Andreas Worbs

--
Artfiles New Media GmbH | Heidenkampsweg 100 | 20097 Hamburg
Tel: 040 - 32 02 72 90 | Fax: 040 - 32 02 72 95
E-Mail: supp...@artfiles.de | Web: http://www.artfiles.de
Managing directors: Carsten Bals | Harald Oltmanns | Tim Evers
Registered in the Hamburg commercial register - HRB 81478
Re: error in SSLv2/v3 read client hello A
I am still stuck with the same issue:

    [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
    [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before accept initialization
    [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client hello A
    [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client hello A
    [Tue Nov 24 16:56:15 2009] [error] [client 194.2.193.253] Re-negotiation handshake failed: Not accepted by client!?
    [Tue Nov 24 16:56:23 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f313d364fc0 [mem: 7f313d8641a0]

I renewed one more time all my certificates, so I don't think there is anything wrong with them.

My apache configuration hasn't changed:

    <Directory /secured>
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth 1
        Order allow,deny
        allow from All
    </Directory>

And any browser (Firefox, Opera) fails, so I don't think it is a browser issue. Of course, I imported the CA and the client certificate... And still no prompt for the client certificate...

Really no hint? Could it be a bug in the distro package?

Thanks.

On Mon, 23 Nov 2009 01:29:30 +0100, Jean-Christophe Baptiste j...@phocean.net wrote:
> Hi all,
>
> I have been using client certificates for a while (more than 2 years) successfully. But now, after migrating a server, I am stuck with a problem that I have no idea how to handle. I just spent 10 hours googling around and reading the doc without finding any clue.
>
> On my new set-up, the web browser seems to reject the negotiation:
>
>     [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection to child 2 established (server www.***.net:443)
>     [Sun Nov 22 22:51:36 2009] [info] Seeding PRNG with 656 bytes of entropy
>     [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
>     [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before/accept initialization
>     [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 11/11 bytes from BIO#7f35d1213840 [mem: 7f35d1218f00] (BIO dump follows)
>     [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1791): +-+
>     [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1830): | : 4f 50 54 49 4f 4e 53 20-2a 20 48  OPTIONS * H |
>     [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1836): +-+
>     [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv2/v3 read client hello A
>     [Sun Nov 22 22:51:36 2009] [info] [client ::1] SSL library error 1 in handshake (server www.***.net:443)
>     [Sun Nov 22 22:51:36 2009] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
>     [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection closed to child 2 with abortive shutdown (server www.***.net:443)
>
> I have tried a bunch of different settings. Of course, I re-generated several times all the certificates, from the CA to the client. Both the CA and the client were imported into the web browser. The mod-ssl settings are in no point different from the previous machine, so what am I missing?
>
> So any help, any hint would be greatly appreciated.
>
> Thank you in advance,
>
> Regards,
>
> Jean-Christophe
Re: error in SSLv2/v3 read client hello A
I continue talking to myself about it. Just to let people know that I submitted a bug to openSUSE, because it took me less than 5 minutes to get a blank Debian virtual machine to work with the exact same certificates, virtual host configuration and browser. There is definitely something weird...

On Tuesday 24 November 2009 at 17:24 +0100, Jean-Christophe Baptiste wrote:
> I am still stuck with the same issue:
>
>     [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
>     [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before accept initialization
>     [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client hello A
>     [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client hello A
>     [Tue Nov 24 16:56:15 2009] [error] [client 194.2.193.253] Re-negotiation handshake failed: Not accepted by client!?
>     [Tue Nov 24 16:56:23 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f313d364fc0 [mem: 7f313d8641a0]
>
> I renewed one more time all my certificates, so I don't think there is anything wrong with them.
>
> My apache configuration hasn't changed:
>
>     <Directory /secured>
>         SSLRequireSSL
>         SSLVerifyClient require
>         SSLVerifyDepth 1
>         Order allow,deny
>         allow from All
>     </Directory>
>
> And any browser (Firefox, Opera) fails, so I don't think it is a browser issue. Of course, I imported the CA and the client certificate... And still no prompt for the client certificate...
>
> Really no hint? Could it be a bug in the distro package?
>
> Thanks.
>
> On Mon, 23 Nov 2009 01:29:30 +0100, Jean-Christophe Baptiste j...@phocean.net wrote:
>> Hi all,
>>
>> I have been using client certificates for a while (more than 2 years) successfully. But now, after migrating a server, I am stuck with a problem that I have no idea how to handle. I just spent 10 hours googling around and reading the doc without finding any clue.
>>
>> On my new set-up, the web browser seems to reject the negotiation:
>>
>>     [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection to child 2 established (server www.***.net:443)
>>     [Sun Nov 22 22:51:36 2009] [info] Seeding PRNG with 656 bytes of entropy
>>     [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
>>     [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before/accept initialization
>>     [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 11/11 bytes from BIO#7f35d1213840 [mem: 7f35d1218f00] (BIO dump follows)
>>     [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1791): +-+
>>     [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1830): | : 4f 50 54 49 4f 4e 53 20-2a 20 48  OPTIONS * H |
>>     [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1836): +-+
>>     [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv2/v3 read client hello A
>>     [Sun Nov 22 22:51:36 2009] [info] [client ::1] SSL library error 1 in handshake (server www.***.net:443)
>>     [Sun Nov 22 22:51:36 2009] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
>>     [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection closed to child 2 with abortive shutdown (server www.***.net:443)
>>
>> I have tried a bunch of different settings. Of course, I re-generated several times all the certificates, from the CA to the client. Both the CA and the client were imported into the web browser. The mod-ssl settings are in no point different from the previous machine, so what am I missing?
>>
>> So any help, any hint would be greatly appreciated.
>>
>> Thank you in advance,
>>
>> Regards,
>>
>> Jean-Christophe
Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
> Backport is not totally straightforward, because the original patches use the filter architecture not present in Apache 1.3.
>
> Any Feedback on the patch is welcome. Some additional debug output can be activated by using -DRENEG_DEBUG.

There are a few lines of c99 syntax in this patch (variable declarations of char *reneg in the middle of code) that cause it to fail with gcc 2.95.

Seems to work fine otherwise.
Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
On 23.11.2009 18:57, John Lightsey wrote:
> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>> Backport is not totally straightforward, because the original patches use the filter architecture not present in Apache 1.3.
>>
>> Any Feedback on the patch is welcome. Some additional debug output can be activated by using -DRENEG_DEBUG.
>
> There are a few lines of c99 syntax in this patch (variable declarations of char *reneg in the middle of code) that cause it to fail with gcc 2.95.

Sorry, I forgot to fix those. Thanks for the feedback.

> Seems to work fine otherwise.

Good to know! The more eyes the better.

Regards,

Rainer
[PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
Hi,

I backported the patch against CVE-2009-3555 from Apache trunk, 2.2 and 2.0 (proposed).

The patch is available at
http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41.patch

CVE-2009-3555 is about the Man in the Middle attack against HTTPS. The patch disables the use of client initiated SSL renegotiation. Server initiated reneg is still allowed (and vulnerable).

See also:
http://svn.apache.org/viewvc?rev=833582&view=rev
http://svn.apache.org/viewvc?rev=833622&view=rev
http://people.apache.org/~rjung/patches/cve-2009-3555_httpd_2_0_x-v2.patch

Backport is not totally straightforward, because the original patches use the filter architecture not present in Apache 1.3.

Any Feedback on the patch is welcome. Some additional debug output can be activated by using -DRENEG_DEBUG.

Regards,

Rainer
Re: SSLRequire problem
On Thu, Nov 19, 2009 at 03:19:00PM -0500, David Rosenstrauch wrote:
> Hi. I'm tearing my hair out over an SSLRequire directive that doesn't seem to be working. Can anyone help?
>
> The directive is actually quite simple:
>
>     # Require SSL over non-obvious port 81 for SVN access
>     SSLRequire %{SERVER_PORT} == 81

The port which %{SERVER_PORT} expands to is determined by the settings of UseCanonicalPhysicalPort and UseCanonicalName. For different combinations it will depend on either what the client sends in the request's Host header, what the ServerName directive is set to in the vhost, or what httpd derives as the canonical name for the vhost to be otherwise.

See docs for more info:

http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalname
http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalphysicalport

Regards, Joe
Re: SSLRequire problem
On 11/20/2009 04:50 AM, Joe Orton wrote:
> On Thu, Nov 19, 2009 at 03:19:00PM -0500, David Rosenstrauch wrote:
>> Hi. I'm tearing my hair out over an SSLRequire directive that doesn't seem to be working. Can anyone help?
>>
>> The directive is actually quite simple:
>>
>>     # Require SSL over non-obvious port 81 for SVN access
>>     SSLRequire %{SERVER_PORT} == 81
>
> The port which %{SERVER_PORT} expands to is determined by the settings of UseCanonicalPhysicalPort and UseCanonicalName. For different combinations it will depend on either what the client sends in the request's Host header, what the ServerName directive is set to in the vhost, or what httpd derives as the canonical name for the vhost to be otherwise.
>
> See docs for more info:
>
> http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalname
> http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalphysicalport
>
> Regards, Joe

Huh! Never heard of those before!

OK, well, I'm still not sure I quite understand the reason why, but UseCanonicalPhysicalPort on does seem to have fixed the problem.

Thanks much for the help!

DR
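A vhost that makes the %{SERVER_PORT} test deterministic, written as an added example rather than the poster's own configuration (the ServerName, file paths and the /svn location are assumptions, and mod_dav_svn is assumed to be loaded). With UseCanonicalPhysicalPort On, SERVER_PORT is taken from the port the TCP connection actually arrived on instead of from the port parsed out of the Host header or from ServerName, which removes the dependency on what each client happens to send. The block also shows SSLRequireSSL, which states the real requirement ("only over TLS") directly and does not depend on the port at all.

```apache
# Added example (not the poster's configuration): Subversion over TLS on
# port 81. ServerName, paths and repository location are assumptions.
Listen 81

<VirtualHost *:81>
    ServerName svn.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/svn.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/svn.example.com.key

    # Make %{SERVER_PORT} follow the physical listening port rather than
    # the port parsed from the Host header (UseCanonicalName Off) or the
    # one configured in ServerName (UseCanonicalName On).
    UseCanonicalName Off
    UseCanonicalPhysicalPort On

    <Location /svn>
        DAV svn
        SVNPath /var/svn/repos

        # The expression from the thread, now evaluated against the
        # physical port for every method (GET, OPTIONS, PROPFIND, REPORT).
        SSLRequire %{SERVER_PORT} == 81

        # The direct way to require TLS: rejects plain-HTTP requests
        # regardless of which port or Host header they arrive with.
        SSLRequireSSL
    </Location>
</VirtualHost>
```

When the intent is only "this repository must be reached over TLS", SSLRequireSSL alone is enough and the port comparison can be dropped; the SERVER_PORT test is only needed when the policy really is about the port number.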
SSLRequire problem
Hi. I'm tearing my hair out over an SSLRequire directive that doesn't seem to be working. Can anyone help?

The directive is actually quite simple:

    # Require SSL over non-obvious port 81 for SVN access
    SSLRequire %{SERVER_PORT} == 81

This is actually working fine when the client is a web browser (i.e., using HTTP method GET). But the server is actually hosting Subversion (via WebDAV), so the client is an SVN client (which uses HTTP methods OPTIONS, PROPFIND, and REPORT). And when the URL is accessed that way it fails, with the following appearing in the log:

    [Thu Nov 19 19:37:53 2009] [error] [client <my ip address>] access to <our SVN path> failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)

Even when I crank up the debugging, I still don't get any useful info as to what's happening:

    [Thu Nov 19 19:37:53 2009] [info] Failed expression: %{SERVER_PORT} == 81

Anyone have any idea what's going on here? Is there any way to debug the SSLRequire expression?

I'm using mod_ssl 2.2.3 with Apache on CentOS 5.2.

Thanks,

DR
Backporting Apache HTTPD 2.2.15 Patch for OpenSSL issue
Dear User List,

is there any plan to have a backport of the Apache HTTPD 2.2.15 patch (as an alternative workaround for the OpenSSL issue about renegotiating TLS connections) for mod_ssl in combination with Apache HTTPD 1.3?

Regards,

Jens Schoenershoven
Jean-Pierre Guilloteau is out of the office.
I will be out of the office starting Fri 06/11/09 and will not return until Mon 16/11/09. I will respond to your message when I return.
Memory leak on apachectl restart
    LoadModule ssl_module modules/mod_ssl.so
    SSLSessionCache shm:logs/ca(8192)
    SSLCertificateFile conf/ca.crt
    SSLCertificateKeyFile conf/ca.key
    SSLEngine off

dbm, shmht, shmcb does not fix the problem

tested on apache 2.2.13
using mod_proxy to proxy ssl connection to backend...
Hello

I'm looking to proxy a site which has an SSL admin from a backend server using mod_proxy and mod_proxy_ssl. So far, any non-ssl traffic is being proxied perfectly, with urls fixed with mod_proxy_html. However, I'm yet to correctly proxy ssl traffic, and am not sure I understand the best way to go about doing this.

Here's a bit of background:

1) apache 2.2
2) sub.domain.com is 301 redirected to domain.com/sub
3) domain.com/sub (nonexistent directory) is then proxied to old.domain.com (backend server) using ProxyPass and ProxyPassReverse. This works with no problem at all.
4) I'm ATTEMPTING to proxy https://domain.com/sub/admin.php to https://old.domain.com/admin.php using proxy pass reverse, but cannot for the life of me get it to work.

https://old.domain.com/admin.php works perfectly when connecting directly from the client (browser), but once the browser is pointed to the proxy, only non-https traffic works.

I've attempted configuring a separate virtual host (this server has a small handful) as <VirtualHost [ipaddress]:443> but that doesn't work (set SSLProxyEngine On, AllowCONNECT 443, etc). I've also tried doing it from the same virtual host that the other (working) proxy config resides in, but with no success. I can see a 443 request (in both netstat and logs) of the backend server, but it's a single line and never goes any further.

Can someone explain how this should be configured properly? For some reason, the info I'm seeing in various messageboard/mailing list threads always seems incomplete or simply doesn't work for me.

Thanks in advance,

Carlos
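One way to lay out the HTTPS side of the proxy described above, given as an added example rather than Carlos's configuration (the IP address, hostnames, paths and CA file are assumptions). Three points it is meant to illustrate: SSLProxyEngine On goes in the vhost that originates the backend connection; the backend certificate should be verified with SSLProxyVerify and SSLProxyCACertificateFile, otherwise the proxy accepts any certificate the backend (or whoever sits between them) presents; and AllowCONNECT only governs forward-proxy CONNECT tunnels, so it plays no role in a reverse proxy to an HTTPS origin.

```apache
# Added example (not Carlos's configuration): HTTPS front end that proxies
# /sub/ to an HTTPS backend. Address, hostnames, paths and CA file are
# assumptions; 192.0.2.10 is a documentation address.
<VirtualHost 192.0.2.10:443>
    ServerName domain.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/domain.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/domain.com.key

    # Allow mod_proxy to open TLS connections to https:// backends.
    SSLProxyEngine On
    # Verify the backend certificate against the CA that issued it, so a
    # forged, expired or untrusted backend certificate aborts the request
    # instead of being silently accepted.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/apache2/ssl/backend-ca.crt

    ProxyRequests Off          # reverse proxy only, never a forward proxy
    ProxyPreserveHost Off      # backend is addressed as old.domain.com

    # Everything under /sub/ is served by the HTTPS backend, so
    # https://domain.com/sub/admin.php maps to https://old.domain.com/admin.php
    ProxyPass        /sub/ https://old.domain.com/
    ProxyPassReverse /sub/ https://old.domain.com/
    # Rewrite Location/Content-Location headers the backend may still emit
    # with an http:// scheme, so redirects do not escape the proxy.
    ProxyPassReverse /sub/ http://old.domain.com/
</VirtualHost>
```

With this in place the https:// request never needs a RewriteRule with the [P] flag; ProxyPass and the two ProxyPassReverse lines cover both the forwarding and the header rewriting, and mod_proxy_html can be added in this vhost exactly as it is in the plain-HTTP one to fix URLs in the body.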
Issue setting up a Verisign certificate
I have generated a CSR, sent it to Verisign and they sent me back a cer file that I have renamed to public.crt. As per their support instructions I installed their Intermediate CA (https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR193).

My virtualhost configuration is as follows:

    SSLEngine on
    SSLCertificateFile /etc/apache2/public.crt
    SSLCertificateKeyFile /etc/apache2/private.key
    SSLCACertificateFile /etc/apache2/interm.crt

I am getting this error when trying to start Apache:

    [Mon Jul 27 16:05:07 2009] [error] Init: Unable to read server certificate from file /etc/apache2/secure.canadaeast.com.public.crt
    [Mon Jul 27 16:05:07 2009] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Mon Jul 27 16:05:07 2009] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Any thoughts, because I am at a loss and am not interested in waiting on hold for 35 minutes to speak to their support people.

Thanks!
Re: Issue setting up a Verisign certificate
Robin wrote:
| My virtualhost configuration is as follows:
|
| SSLEngine on
| SSLCertificateFile /etc/apache2/public.crt
                                  ^
| SSLCertificateKeyFile /etc/apache2/private.key
| SSLCACertificateFile /etc/apache2/interm.crt

I think this does not belong here, but I might be wrong.

| [Mon Jul 27 16:05:07 2009] [error] Init: Unable to read server
| certificate from file /etc/apache2/secure.canadaeast.com.public.crt
                                    ^

It seems your Apache is looking for the cert in a different file than you think. Probably because there is a different virtual host configuration for the SSL one.

--
G S Sistemas de Informacion, S.L. | Phone: 9 02 01 44 43
Victoriano Giralt                 | Land line: +34-952-207-241
Torre de San Telmo, 8             | Mobile: +34-670-332-720
E-29018 Malaga (Spain)            | http://www.gssi.es/
RE: modssl - URL's under domain name not found
Got it. Well, almost.

It seems that where my https connection was concerned, I was running with AllowOverride None, so none of the rewrite directives in the .htaccess file were being processed. So I've solved this by 'opening up' my development machine by specifying on all directories:

    AllowOverride All
    Order deny,allow
    deny from all
    Allow from 127.0.0.1

I still don't fully understand, as those are the directives I was running for my drupal install directory already. Furthermore, the .htaccess file in that directory was being processed and allowing my ordinary http URL's to be rewritten properly. Obviously https is different 'somehow', so any explanations will be welcome.

Meanwhile, I can get on and start playing with ssl on my development machine.

Mario Brandt wrote:
> I guess the rewriting is not turned on in the SSL vhost. Else there should be a rewriting to a php file which works with PATH_INFO. You may check that out.
>
> Mario
>
> -----Original Message-----
> From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org] On Behalf Of glowkeeper
> Sent: Monday, July 20, 2009 10:53 AM
> To: modssl-users@modssl.org
> Subject: RE: modssl - URL's under domain name not found
>
>> The error log says (for example):
>>
>>     [Mon Jul 20 09:40:21 2009] [error] [client 127.0.0.1] File does not exist: /Library/WebServer/Documents/drupal/electric-heater-info, referer: https://devel.cosyheart.com/
>>
>> Actually, my original post is a bit misleading - the content is delivered via drupal and a MySQL database, not from a filesystem. Furthermore, that database is replicated between the devel' and live server (so they are EXACTLY the same), and all works just fine under normal http. As I said, ssl also works on the live server, but not on the dev machine (other than the home page).
>>
>> Mario Brandt wrote:
>>> Hi!
>>>
>>> What is in your error log about that?
>>>
>>> Mario
>>>
>>> -----Original Message-----
>>> From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org] On Behalf Of glowkeeper
>>> Sent: Sunday, July 19, 2009 9:38 PM
>>> To: modssl-users@modssl.org
>>> Subject: modssl - URL's under domain name not found
>>>
>>>> I am running modssl under apache 2.2.11 on my development server using mac os x 10.5. I have created self signed certificates using openssl for this machine.
>>>>
>>>> https://devel works just fine.
>>>> https://devel/directory generates a 404 file not found error.
>>>> https://devel/anotherdirectory/etcetc also generates a 404.
>>>>
>>>> I have a very similar setup on a live server that's running Centos 5.1, apache 2.2.3, modssl and an ssl certificate via Comodo. This is working just fine - all URL's resolve properly.
>>>>
>>>> I have tried copying the conf' files on the live and devel' server line for line, but I don't seem to be able to overcome the error on my development machine.
>>>>
>>>> Does anyone have any idea what the problem on my development machine might be? Any pointers would be welcome.
RE: modssl - URL's under domain name not found
Well, AllowOverride manages what you are allowed to configure in .htaccess.

    Order deny,allow
    Deny from all
    Allow from 127.0.0.1

This manages who can access the server from where. In your case you can only access it from 127.0.0.1, aka localhost, your computer. See the docs for more details: http://httpd.apache.org/docs/2.2/howto/access.html

Mario
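What the resolution in this thread amounts to for the port-443 host, as an added example (editor's illustration, not configuration posted in the thread). The hostname, certificate paths and the Drupal document root are assumptions. The point it shows is that a Directory block written inside the port-80 VirtualHost is not inherited by the port-443 one (only main-server Directory blocks are), and that AllowOverride All is more than the .htaccess-driven rewrites need.

```apache
# Added example, not from the thread. Hostname, certificate paths and
# the document root are assumptions.
<VirtualHost *:443>
    ServerName   devel.cosyheart.com
    DocumentRoot /Library/WebServer/Documents/drupal

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/devel.crt    # assumed path
    SSLCertificateKeyFile /etc/apache2/ssl/devel.key    # assumed path

    # Each VirtualHost needs its own <Directory> (or one at main-server
    # scope); a block inside the *:80 host does not carry over here.
    <Directory /Library/WebServer/Documents/drupal>
        # Weak: "AllowOverride All" lets anyone who can write a
        # .htaccess into this tree change authentication, access
        # limits and handler mappings for the whole server.
        #AllowOverride All

        # Grant only the override classes the .htaccess actually uses.
        # Drupal's stock .htaccess needs FileInfo (mod_rewrite rules,
        # ErrorDocument), Options (Options lines, php_value), Indexes
        # (DirectoryIndex, mod_expires) and Limit (its <FilesMatch>
        # Order/Deny blocks). Check each directive's "Override" line
        # in the httpd docs before granting a class.
        AllowOverride FileInfo Options Indexes Limit

        # Access control is a separate concern from AllowOverride.
        # With "Order deny,allow" the Deny list is applied first and
        # the Allow list last, so loopback is admitted and every other
        # client gets 403. A client matching neither list is allowed
        # under deny,allow, which is why "Deny from all" is needed.
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Directory>
</VirtualHost>
```

If rewrites still fail only over https after this, compare the effective per-host settings rather than the files: the _default_:443 host that the stock httpd-ssl.conf defines starts from the main-server Directory blocks (which in the stock httpd.conf set AllowOverride None for /), not from whatever the port-80 host declares for the same path.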
RE: modssl - URL's under domain name not found
Hi! What is in your error log about that?

Mario
RE: modssl - URL's under domain name not found
The error log says (for example):

    [Mon Jul 20 09:40:21 2009] [error] [client 127.0.0.1] File does not exist: /Library/WebServer/Documents/drupal/electric-heater-info, referer: https://devel.cosyheart.com/

Actually, my original post is a bit misleading - the content is delivered via drupal and a MySQL database, not from a filesystem. Furthermore, that database is replicated between the devel' and live server (so they are EXACTLY the same), and all works just fine under normal http. As I said, ssl also works on the live server, but not on the dev machine (other than the home page).

-- View this message in context: http://www.nabble.com/modssl---URL%27s-under-domain-name-not-found-tp24533884p24566061.html Sent from the mod_ssl - Users mailing list archive at Nabble.com.
RE: modssl - URL's under domain name not found
I guess the rewriting is not turned on in the SSL vhost. Else there should be a rewrite to a php file which works with PATH_INFO. You may check that out.

Mario
RE: modssl - URL's under domain name not found
Sounds good - I have checked that I'm loading mod_rewrite.so and tried RewriteEngine On in the ssl vhost on the dev machine - but that didn't work. So what else do I need to check? I'm also confused why it should then be working on my live machine when the config' files are almost identical... I'm obviously missing something though :)

-- View this message in context: http://www.nabble.com/modssl---URL%27s-under-domain-name-not-found-tp24533884p24566482.html Sent from the mod_ssl - Users mailing list archive at Nabble.com.
modssl - URL's under domain name not found
I am running modssl under apache 2.2.11 on my development server using mac os x 10.5. I have created self-signed certificates using openssl for this machine. https://devel works just fine. https://devel/directory generates a 404 file not found error. https://devel/anotherdirectory/etcetc also generates a 404. I have a very similar setup on a live server that's running Centos 5.1, apache 2.2.3, modssl and an ssl certificate via Comodo. This is working just fine - all URLs resolve properly. I have tried copying the conf' files on the live and devel' server line for line, but I don't seem to be able to overcome the error on my development machine. Does anyone have any idea what the problem on my development machine might be? Any pointers would be welcome.

-- View this message in context: http://www.nabble.com/modssl---URL%27s-under-domain-name-not-found-tp24533884p24533884.html Sent from the mod_ssl - Users mailing list archive at Nabble.com.
SSL connection between Apache and Tomcat failing
I've got a website which uses Apache 2.2 as the front end with Tomcat 5.5.23 as the backend and am using mod_ssl and mod_proxy to link the two together on Windows Server 2003. Normally there isn't an issue with the two servers serving the website, but recently (and mainly, it appears, with mobile browsers) I'm getting the following errors:

    [Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read finished A
    [Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: done
    [Fri Jul 17 09:52:29 2009] [info] Connection: Client IP: 130.246.76.83, Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)
    [Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1817): OpenSSL: read 5/5 bytes from BIO#7d0ad8 [mem: 4a3aaa8] (BIO dump follows)
    [Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1750): +--- --+ Dump details .|
    [Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1795): +--- --+
    [Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1817): OpenSSL: read 992/992 bytes from BIO#7d0ad8 [mem: 4a3aaad] (BIO dump follows)
    [Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1750): +--- --+ Dump details
    [Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1795): +--- --+
    [Fri Jul 17 09:52:29 2009] [info] Initial (No.1) HTTPS request received for child 245 (server dev.jiscmail.ac.uk:443)
    [Fri Jul 17 09:52:35 2009] [debug] ssl_engine_io.c(1828): OpenSSL: I/O error, 5 bytes expected to read on BIO#73e708 [mem: 4a169e0]
    [Fri Jul 17 09:52:35 2009] [info] [client 130.246.76.83] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : SSL input filter read failed.
    [Fri Jul 17 09:52:35 2009] [debug] ssl_engine_kernel.c(1770): OpenSSL: Write: SSL negotiation finished successfully

I'd be grateful for any pointers in getting to the root of this issue (or ruling out mod_ssl issues).

Thanks, Iain
Re: SSL connection between Apache and Tomcat failing
Iain: Wow! Am I glad to hear from you! I've been wrestling with exactly this problem - error on: OpenSSL: read 5/5 bytes from BIO - for a few weeks now; was beginning to think I was losing my mind. (While we leave that possibility aside for the moment(!),) here's what's different about our environment: Apache/2.2.11 (Unix - Solaris SPARC) mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9. We are using certificate authentication. Seeing this behavior under Firefox (Mac); haven't tried it using mobile browsers, though, presumably, you may be using a Mozilla-based mobile browser... We've recently upgraded to these current versions of Apache and OpenSSL, but the error behavior has not been impacted. The incessant prompting for a certificate can be interrupted by setting Firefox's Advanced-Encryption-When a server requests my certificate-Select one automatically option. The above read error persists, however... The primary impact is - apparently - that the SSL session is constantly re-negotiated for the GET of each page element; loading of a single page might generate 8-10 prompts for the certificate. We have fiddled with various settings for the Renegotiation buffer, including which buffer engine is used, its size, etc., all to no avail. Some of the settings result in Apache configuration errors, so I wonder if we're into an Apache - or mod_ssl - 'black hole' region. My quick research on this indicates that others have run into it, some have simply ignored it, but none have solved it. Hopefully we'll come up with something.

Lou
How are client certificates chosen?
Hello! I want to set up a proxy, allowing my internal hosts to connect to external https servers (which force client authentication by using a certificate). Excerpt of my .conf:

    # TEST
    #ProxyPass        /proxy/TEST/ https://laposte.net
    #ProxyPassReverse /proxy/TEST/ https://laposte.net
    SSLEngine on
    SSLProxyEngine on
    SSLProxyMachineCertificateFile /etc/httpd/conf/ssl/SSLproxy.pem
    SSLCertificateFile /etc/httpd/conf/ssl/my.cer
    SSLCertificateKeyFile /etc/httpd/conf/ssl/my.key
    SSLCACertificateFile /etc/httpd/conf/ssl/ca-bundle.crt
    </VirtualHost>

I try to connect to 2 servers with similar configuration (same CA used, both requiring client auth, ...). One connection is successful, as I can see in my debug httpd log file:

    [debug] ssl_engine_kernel.c(1499): Proxy client certificate callback: (myproxy:443) found acceptable cert, sending /C=XX/ST=CITY/L=Port/O=ORGANIZATION/OU=31/CN=myCN/emailAddress=myemail

The other one is not:

    [debug] ssl_engine_kernel.c(1571): Proxy client certificate callback: (myproxy:443) no client certificate found!?

I wonder how client certificates are chosen? Any thoughts? Thanks in advance

-- Nicolas Cros
Do you know the cobbler's house? It is here: http://barsa.free.fr
problem with client certificates
Hello, I'm using client certificates to authenticate myself with FakeBasicAuth to my webserver. This works quite fine. But there is one case where it doesn't work. When I open my website and then wait a little time (1-2 minutes) and then do a POST to upload a file I get a "[error] Re-negotiation handshake failed: Not accepted by client!?" error. Here's the log:

    192.168.88.3 - /C=.../ST=.../O=.../CN=.../emailAddress=... [11/Jun/2009:16:34:29 +0200] GET /images/smilies/thumbsdown.gif HTTP/1.1 200 1130
    [Thu Jun 11 16:36:25 2009] [error] Re-negotiation handshake failed: Not accepted by client!?
    192.168.88.3 - - [11/Jun/2009:16:36:25 +0200] POST /upload2.php?filetoupload=lalala HTTP/1.1 103 -

What's the problem here? I thought that maybe this is some sort of timeout problem, but the only one I found was SSLSessionCacheTimeout and that is set like this:

    SSLSessionCache shmht:/var/lib/apache2/ssl_scache(512000)
    SSLSessionCacheTimeout 600

So it's more than 2 minutes. Also I forgot to mention that when the POST failed and I then load my page again (sending the POST doesn't work here) and then quickly POST again, then it works. Thank you for your help.

Regards, Pepe
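One common reason for both the per-element certificate prompting Lou describes and a renegotiation that fires only on a later request is a client-certificate requirement that lives in a per-directory context instead of in the vhost. The first fragment below shows that pattern, the second the arrangement that asks for the certificate once, as an added example (editor's illustration, not configuration from either message). Paths, the CA bundle and the /upload2.php location are assumptions; the two VirtualHost blocks are alternatives, not meant to be loaded together.

```apache
# Added example, not from either message. Paths, the CA bundle and the
# /upload2.php location are assumptions. Use one block or the other.

# --- A: renegotiates on every request to the protected path ---
# A client-certificate requirement that differs from the vhost's own
# handshake parameters can only be applied after httpd has read the
# request line, so mod_ssl renegotiates for each such request. A POST
# body has to be buffered in memory before that renegotiation (128 KB
# limit by default, tunable with SSLRenegBufferSize where that directive
# is available); larger uploads are refused.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.pem
    SSLVerifyClient none
    <Location /upload2.php>
        SSLVerifyClient require
        SSLVerifyDepth 2
        # Mitigation if per-directory scope is unavoidable: skip the
        # renegotiation when an acceptable certificate is already present.
        SSLOptions +OptRenegotiate
    </Location>
</VirtualHost>

# --- B: asks for the certificate once, in the initial handshake ---
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.pem
    SSLVerifyClient require        # vhost scope: no later renegotiation
    SSLVerifyDepth 2
    SSLOptions +StdEnvVars +FakeBasicAuth
    # A resumed session carries the verified identity for this long.
    SSLSessionCache        shmht:/var/lib/apache2/ssl_scache(512000)
    SSLSessionCacheTimeout 600

    <Location /upload2.php>
        # FakeBasicAuth presents the subject DN as the username and the
        # fixed password "password"; the htpasswd line is therefore
        #   /C=.../O=.../CN=...:xxj31ZMTZzkVA
        # (crypt() of that fixed string). The file is an allow-list of DNs,
        # so every DN in it must belong to a certificate you meant to admit.
        AuthType Basic
        AuthName "Client certificate holders"
        AuthUserFile /etc/apache2/cert-users.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

With B, the "Re-negotiation handshake failed" path is never entered for ordinary requests, since the certificate was already verified in the handshake that opened the session; what remains to check is that the session cache outlives the longest idle time between page load and POST.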
ssl_error_handshake_unexpected_alert
Hello, I'm using apache 1.3.41 with the latest mod_ssl. In my https I'm using squirrelmail and, after sending an email (pressing the SEND button), I get a firefox error: SSL peer was not expecting a handshake message it received. (Error code: ssl_error_handshake_unexpected_alert) Has anyone had this error before?

-- Kind regards, Andrei Manescu
Re: Restricting access by arbitrary certificate extension
Zhumabekov - discussion of mod_ssl for httpd 2.x takes place on the development list for Apache httpd, CC'ed. (I'm quoting the full mail inline for reference of dev@ readers.)

On Wed, May 06, 2009 at 10:49:46AM +0600, Zhumabekov Yerden wrote: [...]

I'd rather see a different syntax used for the new semantics, such as:

    SSLRequire has_oid(1.2.3.4)

though I'm not sure whether the SSLRequire parser can cope with that.

Regards, Joe
Restricting access by arbitrary certificate extension
mod_ssl can perform client authentication on certificates in Apache and client authorization on certain certificate extensions. We are setting up a CA here and we want to restrict access to a certain website by checking the presence of a certain certificate extension using its OID. The syntax which mod_ssl is forcing us to use is the following:

    <Location />
        SSLRequire "some string" in OID("1.2.3.4…..")
    </Location>

As you can see, we need to match this string exactly in the extension's value. We can encounter a problem with this, because this extension may not be listed in the openssl list of valid extensions (crypto/objects/objects.h). As I learned from the mod_ssl and openssl code, mod_ssl would not be able to match the string because the object of this OID does not have a valid NID in openssl. OpenSSL seems incapable of determining the type of an arbitrary extension we want to use as a restricting factor. Hence, mod_ssl can not even extract its value from the certificate. Well, I poked around the problem for some time and found no other way than to patch mod_ssl by adding one new function in ssl_expr_eval.c which does almost the same thing as ssl_extlist_by_oid() and ssl_expr_eval_oid() but does not intend to extract the value of the certificate extension. I also added some change to ssl_expr_eval_comp(), so if you supply the zero-length word in SSLRequire, it uses my new function instead of ssl_expr_eval_oid(). So, the new syntax is like this:

    <Location />
        SSLRequire "" in OID("1.2.3.4…..")
    </Location>

If you are aware of a more attractive and "right" way to make it, please acknowledge. My patch for apache-2.2.11 is attached.

-- Zhumabekov Yerden

Attachment: apache_oid_presence.patch.gz (application/gzip)
Client SSL Proxy Configuration
Hello, I consume web services from an outside-of-my-firewall SSL server that requires clients to be SSL-authenticated (clients must pre-register). My application server resides inside of my firewall. I would like to access the aforementioned web services through a proxy in order to not expose my internal server hostname to the outside world. I have tried to set up my SSL connection (e.g., using my client certificate, trusting the web service provider) from within my internal application server with the client certificate generated for the proxy (as opposed to the hidden application) server, but the SSL server would not fall for it. Assuming that my initial approach is not possible, I would like to use an apache http server as my proxy-server/SSL-client. My goal is to keep this apache server thin (i.e., only configuration, no extra java code). Is there a way to configure mod_proxy and (especially) mod_ssl to do this very thing? Here's my proxy.conf template:

    ProxyRequests On
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from internal_ip_address
    </Proxy>

Cheers, John.
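The thin proxy John asks for, which is also the setup Nicolas's earlier question about SSLProxyMachineCertificateFile concerns, as an added example (editor's illustration, not configuration from either post). Hostnames, the internal address range and the paths are assumptions. The selection rule it relies on is mod_ssl 2.2's: the upstream lists the CAs it accepts in its CertificateRequest, and the proxy sends the first certificate in the machine-certificate file whose issuer DN matches one of those names; if none matches, or the upstream sends no list, nothing is sent and the debug log shows "no client certificate found!?".

```apache
# Added example, not from either post. Hostnames, the internal range
# and paths are assumptions.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module        modules/mod_ssl.so

# Reverse proxying does not need "ProxyRequests On"; leaving it on turns
# httpd into a general forward proxy for whatever the <Proxy *> block admits.
ProxyRequests Off

<VirtualHost internal.example.org:443>          # assumed name
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl/my.cer
    SSLCertificateKeyFile /etc/httpd/conf/ssl/my.key

    # Client side of the proxied connection.
    SSLProxyEngine on
    # PEM file with one or more client certificate + unencrypted key pairs.
    # mod_ssl 2.2 sends the first one whose issuer DN appears in the
    # upstream's CertificateRequest CA list; the issuer of the certificate
    # in this file must therefore be a CA the upstream advertises.
    SSLProxyMachineCertificateFile /etc/httpd/conf/ssl/SSLproxy.pem
    # SSLCACertificateFile only governs verification of *our* clients.
    # The upstream's certificate is checked against this store, and only
    # if SSLProxyVerify is set: the default is none, i.e. encrypt to
    # whatever answers.
    SSLProxyCACertificateFile /etc/httpd/conf/ssl/ca-bundle.crt
    SSLProxyVerify require
    SSLProxyVerifyDepth 3

    # Only the application server may use this hop.
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8                   # assumed internal range
    </Proxy>

    ProxyPass        /proxy/TEST/ https://laposte.net/
    ProxyPassReverse /proxy/TEST/ https://laposte.net/
</VirtualHost>
```

Run the proxy with LogLevel debug once: "Proxy client certificate callback: ... found acceptable cert, sending ..." confirms the issuer match, and comparing the two upstreams' CA lists (openssl s_client prints them under "Acceptable client certificate CA names") explains a "no client certificate found!?" on one of them.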
SSLRequireSSL Ineffective
Hi, I have https working with Apache 2.2.11, but SSLRequireSSL seems to have no effect -- I can still browse docs in the htdocs directory with straight http or https. Here's the section I added to httpd-ssl.conf, which is Included from httpd.conf. No .htaccess files exist.

    <Directory /usr/local/apache2/htdocs>
        SSLRequireSSL
        SSLOptions +StrictRequire
    </Directory>

Thanks much for any help.

-- Lee
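One placement that produces exactly this symptom, beside the placement that works, as an added example (editor's illustration, not the poster's file). The assumption is that the Directory block went inside the VirtualHost _default_:443 container that the stock httpd-ssl.conf defines; the hostname is assumed as well.

```apache
# Added example, not from the post. Assumption: the <Directory> block sits
# inside the _default_:443 VirtualHost of the stock httpd-ssl.conf.

# --- Ineffective for http:// (assumed original placement) ---
<VirtualHost _default_:443>
    ServerName www.example.com          # assumed
    SSLEngine on
    # ...certificate directives...
    <Directory /usr/local/apache2/htdocs>
        SSLRequireSSL
        SSLOptions +StrictRequire
    </Directory>
</VirtualHost>
# A request to http://www.example.com/ is served by the port-80 server,
# which never sees a <Directory> declared inside another VirtualHost,
# so nothing there denies it.

# --- Effective: main-server scope, merged into every VirtualHost ---
<Directory /usr/local/apache2/htdocs>
    SSLRequireSSL
    # +StrictRequire keeps the denial absolute even where a "Satisfy any"
    # plus a passing Allow would otherwise override it.
    SSLOptions +StrictRequire
</Directory>

# Optional: send plain-HTTP users to HTTPS instead of a bare 403.
<VirtualHost *:80>
    ServerName www.example.com          # assumed
    Redirect permanent / https://www.example.com/
</VirtualHost>
```

A quick check that the block is in force: httpd -S lists the VirtualHosts, and a plain curl -I http://host/ should now return 403 (or 301 with the redirect), not 200.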
Client Verification with sub ca's
I have a self-signed CA, with multiple sub-CAs:

    root
      - sub-ca1
      - sub-ca2
      - server

I sign client certificates with either sub-ca1 or sub-ca2, and use server to sign certificates for the actual website. So in my apache config, I have this:

    SSLEngine on
    SSLOptions +StdEnvVars
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /data/keys/test.crt
    SSLCertificateKeyFile /data/keys/test.key
    SSLCertificateChainFile /data/keys/chain.pem
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /data/keys/ca.pem

test.crt is signed by server. chain.pem contains server and root in that order. ca.pem contains sub-ca2 and root in that order. Everything seems to work fine except for the fact that the website also accepts client certificates signed by sub-ca1. But I'm trying to restrict this site to only sub-ca2 clients. I tried:

1) removing the root from ca.pem, that gives me a "Certificate Verification: Error (2): unable to get issuer certificate" error.
2) removing the root from ca.pem and adding sub-ca2 to chain.pem, same error.
3) changing SSLVerifyDepth to 1, that gives me a "Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1)" error.

Anyone know how to get apache to only allow clients from one sub-CA but not others signed by the same root?

-- View this message in context: http://www.nabble.com/Client-Verification-with-sub-ca%27s-tp22469681p22469681.html Sent from the mod_ssl - Users mailing list archive at Nabble.com.
Re: Client Verification with sub ca's
Hi, Same setup works with both sub-CAs. Use the SSLRequire directive. Restrict on the client cert's issuer field (SSL_CLIENT_I_DN...).

Regards, Matt
Re: Client Verification with sub ca's
Thanks, that works. A little tricky if you want to use SSLVerifyClient optional, as it 403s everything in that case instead of just not filling in the client variables. But I can always do that programmatically if I need it.

-- View this message in context: http://www.nabble.com/Client-Verification-with-sub-ca%27s-tp22469681p22478223.html Sent from the mod_ssl - Users mailing list archive at Nabble.com.
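Matt's suggestion carried through, together with the 403-on-anonymous case raised in the follow-up, as an added example (editor's illustration, not configuration from the thread). The issuer DN value is an assumption, and the DN string format is mod_ssl 2.2's OpenSSL one-line form; read the real subject of sub-ca2 with openssl x509 -noout -subject.

```apache
# Added example, not from the thread. The DN value is an assumption.
SSLEngine on
SSLProtocol all -SSLv2
# The posted SSLCipherSuite admits eNULL, EXP and LOW; this one does not.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!eNULL:!EXP:!LOW
SSLCertificateFile      /data/keys/test.crt
SSLCertificateKeyFile   /data/keys/test.key
SSLCertificateChainFile /data/keys/chain.pem

# SSLCACertificateFile is a trust store, not an allow-list. A sub-ca1
# client still verifies because the client sends sub-ca1 along with its
# certificate and the root in this file is trusted. Keeping root and
# sub-ca2 here is still right: sub-ca2's name is what the server
# advertises as an acceptable issuer in its CertificateRequest.
SSLCACertificateFile /data/keys/ca.pem
SSLVerifyClient require
SSLVerifyDepth 2                  # leaf -> sub-ca2 -> root

# Authorise on the issuer of the (already verified) client certificate.
# SSLRequire is evaluated per request; a failing expression yields 403.
SSLRequire %{SSL_CLIENT_I_DN} eq "/C=XX/O=Example/CN=sub-ca2"

# Variant for "SSLVerifyClient optional": without the first clause every
# anonymous request is refused, because the issuer test fails when no
# certificate was presented (SSL_CLIENT_VERIFY is then "NONE").
#SSLVerifyClient optional
#SSLRequire %{SSL_CLIENT_VERIFY} eq "NONE" \
#        or %{SSL_CLIENT_I_DN} eq "/C=XX/O=Example/CN=sub-ca2"
```

Two caveats a practitioner should keep in view. The test compares a name, not a key: any chain that verifies within SSLVerifyDepth and whose leaf issuer reads CN=sub-ca2 passes, so keep the depth tight and do not let the root issue a second CA certificate with that subject. And the check runs after mod_ssl has accepted the chain, so a sub-ca1 client still completes the handshake and only then gets 403; if sub-ca1 clients must not obtain a TLS session at all, they need a separate root, not a separate intermediate.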
mod_ssl errors
Hi All, I switched my LogLevel to info and noticed this error in the logs: [client ::1] (70007)The timeout specified has expired: SSL input filter read failed. Furthermore, when I do a graceful restart, I get this error: [client ::1] SSL library error 1 in handshake (server localhost:443) SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!? [client ::1] Connection closed to child 9 with abortive shutdown (server localhost:443) I am using mod_ssl/2.2.11 compiled against Server: Apache/2.2.11, Library: OpenSSL/0.9.8h on OS X, but I have also seen the problem on Linux. The setup I have is dead simple: I am setting up a virtual host on port 80 and on port 443, both serving static files from apache/htdocs. Does anybody have any ideas what could be causing these SSL errors? Thanks, Andres
Strange CRL verification behaviour
Hello, I am a stunnel user; stunnel implements code from mod_ssl for certificate/CRL verification. I noticed a strange behaviour when verifying a CRL which uses the ssl_callback_SSLVerify_CRL function of mod_ssl: If the CRLfile is not a valid CRL, stunnel starts and ignores the CRLfile. Then, for any new connection, logs show CRL: verification passed, which means that ssl_callback_SSLVerify_CRL returned TRUE. - NOT OK, IMO. Examples of wrong CRLs: a CRL issued by an unknown CA or a certificate in the PEM format. I propose the attached patch to modify the behaviour of the ssl_callback_SSLVerify_CRL function, i.e. return false if no CRL corresponding to the issuer of each certificate of the chain is found. -- Christophe Nanteuil --- ssl_engine_kernel.c.saved 2009-02-03 18:47:51.0 +0100 +++ ssl_engine_kernel.c 2009-02-03 18:55:12.0 +0100 @@ -1615,6 +1615,7 @@ char *cp; char *cp2; ASN1_TIME *t; +BOOL good_crl = FALSE; /* * Unless a revocation store for CRLs was created we @@ -1724,6 +1725,7 @@ return FALSE; } X509_OBJECT_free_contents(obj); +good_crl = TRUE; } /* @@ -1764,8 +1766,9 @@ } } X509_OBJECT_free_contents(obj); +good_crl = TRUE; } -return ok; +return (good_crl?ok:FALSE); } /*
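Review bot: the `+return (good_crl?ok:FALSE);` in the last hunk makes "no CRL found" a hard failure for every certificate the callback is invoked on, while the early return under the comment "Unless a revocation store for CRLs was created we" in the first hunk's context still lets the connection through when no CRL store is configured at all; after this patch a wrong CRL file fails closed but an absent one fails open, and that asymmetry should at least be stated in the commit message and in a comment next to the new return. The rejection is also silent: neither hunk adds a log line, so an administrator whose CA publishes no CRL for one issuer in the chain (a self-signed root is the usual case) will see only a failed handshake, with nothing in the error log saying which issuer had no CRL; log the issuer name before returning FALSE, for example with the same ssl_log_xerror pattern the surrounding code uses. Finally, `good_crl` is set to TRUE in both lookup blocks (the second and third hunks), so a single matching CRL object in either lookup is enough to restore the old `ok` result; if the intent stated in the message is "a CRL for the issuer of each certificate", confirm that the flag is only meant to be satisfied by the second of the two lookups.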
Using multiple certs with mod_ssl behind load balancer
I've been asked to implement a somewhat strange setup. We are going to handle ssl decryption on the load balancer then forward the connections to either an IIS or Apache server. I'm tasked with configuring the Apache servers. I need to be able to use multiple certs but I'm not sure how. I've made test runs using SSLCertificateChainFile and SSLCACertificatePath but I couldn't get either to work. What are the correct steps I need to follow? Joe Holt | Product Development, Intuit Small Business Web | 650-549-3454
Multiple Requests for Client Certificate
Hi, I'm in the setup of an SSL-enabled apache2 server with mod_ssl - works fine so far *but* when a client browser opens multiple simultaneous connections for one page to the server the client certificate gets requested the same number of times from the user. The corresponding browser configuration for Firefox for example is named network.http.max-persistent-connections-per-server. I am looking for a way to avoid these multiple questions for a client cert but I have no influence on the browser configurations. Is there a way to avoid those multi-questions? Best regards -- Kind regards Wolfram Eifler Development Mail [EMAIL PROTECTED] e.siqia Informationstechnologien GmbH Saarbrücker Str. 36 10405 Berlin Tel. +49 30.284730-68 Fax +49 30.284730-99 http://www.esiqia.com
mod_ssl Environment Variable?
Hello, I would like to do the following (Apache 2.2 config):
<Directory /var/www/desert/storage/jctmirrorserver/dav/Service42>
AuthUserFile /dev/null
#SSLOptions +ExportCertData +FakeBasicAuth
SSLOptions +FakeBasicAuth
#SSLRequire (%{SSL_CLIENT_S_DN_O} in {"ClientO1", "ClientO2"})
AuthLDAPURL ldap://192.168.1.3:389/dc=testnet,dc=de?uid
AuthType Basic
AuthName "Internal Server Content"
#AuthBasicAuthoritative Off
AuthBasicProvider ldap
Require ldap-user %{SSL_CLIENT_S_DN_OU}
</Directory>
I want to use client certificates; after connect, I will check one of the fields in the certificate (existence) in an LDAP server. But the Apache variable %{SSL_CLIENT_S_DN_OU} does not contain just the OU string (testorg); there is a very long string, like this: uid=/c=de/st=niedersachsen/o=ClientO1/ou=testorg/cn=maschinen/ [EMAIL PROTECTED] With this string Apache now asks the LDAP server, which seems all correct, but in the uid field in my LDAP the entry is named testorg. Is this an error, that the variable %{SSL_CLIENT_S_DN_OU} contains ALL client cert data and not the one requested (OU)? Or is it like a Perl hash and my syntax is simply wrong? Wilhelm
Partitioned CRLs
Hi, We are running a CA that has thousands of revoked certificates, which leads to CRLs of several MBytes. On the next renewal of the CA, we are thinking of partitioning the CRLs at each X number of issued certificates. The issued certificates will have different CRL Distribution Points (CDP) according to the partitions they are assigned. For example, for X=100, from certificate 1 to certificate 100, the CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101 to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on. My question: Is mod_ssl/openssl prepared to support partitioned CRLs like the way described? In particular, if CRLs are cached, mod_ssl must be able to merge several different partitions according to the CDP to create a unified view over the revocation universe of a CA. Regards, Nuno Ponte
Re: Partitioned CRLs
Nuno Ponte wrote: Hi, We are running a CA that has thousands of revoked certificates, which leads to CRLs of several MBytes. On the next renewal of the CA, we are thinking of partitioning the CRLs at each X number of issued certificates. The issued certificates will have different CRL Distribution Points (CDP) according to the partitions they are assigned. For example, for X=100, from certificate 1 to certificate 100, the CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101 to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on. The CDP is embedded when creating the certificate, so it might be possible (client side). Server side, you can stack as many CRLs as you want into either a single file or a directory (using hashing) and point Apache to it. But you may apply a patch for multiple identical DN handling. http://marc.info/?l=apache-httpd-dev&m=120350484626015&q=p3 Why didn't you implement OCSP in Apache? http://sitola.fi.muni.cz/%7Etauceti/?download=ocsp_apache_2.2.patch (I didn't test it anyway) -- The Mona Lisa does not smile in front of Chuck Norris. Gilles CUESTA - Logiciels Libres 69139920
Re: Partitioned CRLs
Hi Gilles, Thanks for your reply! :-) The CA also offers OCSP, which is obviously the preferred way to validate certificate status. I am just trying to make sure that there is support from the applications world for such a CRL partitioning scheme. Wide interoperability is a key goal. Regards, Nuno Ponte On Tue, Oct 21, 2008 at 11:04 AM, Cuesta Gilles [EMAIL PROTECTED] wrote: Nuno Ponte wrote: Hi, We are running a CA that has thousands of revoked certificates, which leads to CRLs of several MBytes. On the next renewal of the CA, we are thinking of partitioning the CRLs at each X number of issued certificates. The issued certificates will have different CRL Distribution Points (CDP) according to the partitions they are assigned. For example, for X=100, from certificate 1 to certificate 100, the CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101 to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on. The CDP is embedded when creating the certificate, so it might be possible (client side). Server side, you can stack as many CRLs as you want into either a single file or a directory (using hashing) and point Apache to it. But you may apply a patch for multiple identical DN handling. http://marc.info/?l=apache-httpd-dev&m=120350484626015&q=p3 Why didn't you implement OCSP in Apache? http://sitola.fi.muni.cz/%7Etauceti/?download=ocsp_apache_2.2.patch (I didn't test it anyway) -- The Mona Lisa does not smile in front of Chuck Norris. Gilles CUESTA - Logiciels Libres 69139920
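An added configuration fragment, not part of Gilles' or Nuno's messages, for the server side Gilles describes: mod_ssl does not follow the CDP in a client certificate, it only consults the CRLs it has been given, so the partitions are either concatenated into one PEM file or dropped into a hashed directory. The paths and file names are assumptions.

```apache
# Option 1: every partition concatenated into a single PEM file, e.g.
#   cat myca-0001.crl myca-0002.crl ... > myca-all.crl
# mod_ssl never fetches the CDP named in the certificate; the server has to
# download all partitions itself and refresh this file before they expire.
SSLCARevocationFile /etc/apache2/ssl/crl/myca-all.crl

# Option 2: one file per partition in a directory indexed by issuer-name hash.
# Re-run "c_rehash /etc/apache2/ssl/crl" after every change so the
# <hash>.r0, <hash>.r1 ... links exist for the new files.
# SSLCARevocationPath /etc/apache2/ssl/crl

# Caveat for partitioning: all partitions carry the same issuer DN, and the
# 2.2 callback looks up one CRL per issuer name, which is the "multiple
# identical DN" problem the patch linked above addresses. Without it only
# one partition is consulted even when all of them are loaded.

# Apache 2.2 starts checking as soon as one of the directives above is set.
# Apache 2.4 has the check switched off by default and needs it enabled:
# SSLCARevocationCheck chain
```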
unable to start apache with 2 certificates
Hi all, I have a problem with an apache 2.2.9; maybe this is not the correct mailing list but I am going to ask, my apologies if this isn't the proper place. I had an instance of apache 2.2.9 with an IP serving contents on port 80 and 443, we bought a godaddy certificate and all went pretty well, but we needed to install another certificate for another domain on the same machine. I had several domains and all work with vhosts with http, but when I first tried to use several vhosts for secure connections the apache seemed to restart well but stopped working. With only one certificate, apache used to ask me the certificate password, but when I configure a second one, it never asked and stopped serving content, even on http. Then I tried to configure the system with 2 IPs, one for every certificate, but I got the same problem. The configuration files seem to be well formed (apachectl -t) and I saw some examples out there: http://www.ibm.com/developerworks/opensource/library/wa-multissl.html Am I doing something wrong? Is this the correct mailing list to ask? Thanks, and best regards. -- ;-) Jorge Martin Cuervo Outsourcing Emarketplace deFacto Powered by Standards email [EMAIL PROTECTED] voice +34 984 832 659 voice +34 660 026 384
Re: unable to start apache with 2 certificates
Jorge Martín Cuervo wrote: Hi all, I have a problem with an apache 2.2.9; maybe this is not the correct mailing list but I am going to ask, my apologies if this isn't the proper place. I had an instance of apache 2.2.9 with an IP serving contents on port 80 and 443, we bought a godaddy certificate and all went pretty well, but we needed to install another certificate for another domain on the same machine. I had several domains and all work with vhosts with http, but when I first tried to use several vhosts for secure connections the apache seemed to restart well but stopped working. Did you try with SSLPassPhraseDialog in each VirtualHost? Or an unciphered key? What is the result of httpd -S? -- Gilles CUESTA - Logiciels Libres 69139920
Re: unable to start apache with 2 certificates
Hi Cuesta Gilles, thanks for your quick reply. No, I am going to read the documentation about SSLPassPhraseDialog. This is my apachectl -S output:

[EMAIL PROTECTED] bin]$ ./apachectl -S
VirtualHost configuration:
213.134.38.66:443 cv.smra.org (/home/jmartin/apache22/conf/extra/httpd-ssl.conf:266)
213.134.38.54:443 www.smartcv.org (/home/jmartin/apache22/conf/extra/httpd-ssl.conf:81)
wildcard NameVirtualHosts and _default_ servers:
*:80 is a NameVirtualHost
  default server protean.eu (/home/jmartin/apache22/conf/httpd.conf:490)
  port 80 namevhost protean.eu (/home/jmartin/apache22/conf/httpd.conf:490)
  port 80 namevhost madrid.protean.eu (/home/jmartin/apache22/conf/httpd.conf:506)
  port 80 namevhost portal.protean.eu (/home/jmartin/apache22/conf/httpd.conf:519)
  port 80 namevhost uk.protean.eu (/home/jmartin/apache22/conf/httpd.conf:532)
  port 80 namevhost portaldeempleo.curtidora.com (/home/jmartin/apache22/conf/httpd.conf:545)
  port 80 namevhost ofertasdeempleo.curtidora.com (/home/jmartin/apache22/conf/httpd.conf:557)
  port 80 namevhost smra.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:572)
  port 80 namevhost gijon.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:580)
  port 80 namevhost esapa.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:588)
  port 80 namevhost curtidora.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:596)
  port 80 namevhost candidato.curtidora.com (/home/jmartin/apache22/conf/httpd.conf:604)
  port 80 namevhost demo.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:617)
  port 80 namevhost democv.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:624)
  port 80 namevhost fade.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:638)
  port 80 namevhost fadecv.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:645)
  port 80 namevhost flc.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:659)
  port 80 namevhost flccv.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:666)
  port 80 namevhost smartcv.org (/home/jmartin/apache22/conf/httpd.conf:680)
  port 80 namevhost coiipa.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:708)
  port 80 namevhost coiial.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:715)
  port 80 namevhost colegiado.coiial.net (/home/jmartin/apache22/conf/httpd.conf:724)
  port 80 namevhost ofertas.coiial.net (/home/jmartin/apache22/conf/httpd.conf:736)
  port 80 namevhost empleo.coiial.net (/home/jmartin/apache22/conf/httpd.conf:747)
  port 80 namevhost coiil.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:761)
  port 80 namevhost coiia.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:768)
  port 80 namevhost smartemployer.org (/home/jmartin/apache22/conf/httpd.conf:778)
  port 80 namevhost asturiasotrabajas.com (/home/jmartin/apache22/conf/httpd.conf:792)
  port 80 namevhost asturiasytrabajas.com (/home/jmartin/apache22/conf/httpd.conf:806)
  port 80 namevhost media.protean.eu (/home/jmartin/apache22/conf/httpd.conf:820)
  port 80 namevhost protean.es (/home/jmartin/apache22/conf/httpd.conf:832)
  port 80 namevhost colegios.protean.es (/home/jmartin/apache22/conf/httpd.conf:846)
  port 80 namevhost opea.protean.es (/home/jmartin/apache22/conf/httpd.conf:858)
Syntax OK

On Mon, 20-10-2008 at 10:16 +0200, Cuesta Gilles wrote: Jorge Martín Cuervo wrote: Hi all, I have a problem with an apache 2.2.9; maybe this is not the correct mailing list but I am going to ask, my apologies if this isn't the proper place. I had an instance of apache 2.2.9 with an IP serving contents on port 80 and 443, we bought a godaddy certificate and all went pretty well, but we needed to install another certificate for another domain on the same machine. I had several domains and all work with vhosts with http, but when I first tried to use several vhosts for secure connections the apache seemed to restart well but stopped working. Did you try with SSLPassPhraseDialog in each VirtualHost? Or an unciphered key? What is the result of httpd -S?
-- ;-) Jorge Martin Cuervo Outsourcing Emarketplace deFacto Powered by Standards email [EMAIL PROTECTED] voice +34 984 832 659 voice +34 660 026 384
Re: unable to start apache with 2 certificates
Jorge Martín Cuervo wrote: I tried with an SSLPassPhraseDialog in every VirtualHost and I get this message: [EMAIL PROTECTED] bin]$ ./apachectl -S Syntax error on line 82 of /home/jmartin/apache22/conf/extra/httpd-ssl.conf: SSLPassPhraseDialog cannot occur within <VirtualHost> section Or an unciphered key? How can I do it? Do I need to contact my certificate provider? http://www.modssl.org/docs/2.8/ssl_faq.html#ToC31 Your key may be stored unciphered on your server. -- Why did Pierre Lescure leave Canal? Because he was thinking of creating a Chuck Norris puppet in the Guignols de l'info!!! Gilles CUESTA - Logiciels Libres 69139920
Re: unable to start apache with 2 certificates
I tried with an SSLPassPhraseDialog in every VirtualHost and I get this message: [EMAIL PROTECTED] bin]$ ./apachectl -S Syntax error on line 82 of /home/jmartin/apache22/conf/extra/httpd-ssl.conf: SSLPassPhraseDialog cannot occur within <VirtualHost> section Or an unciphered key? How can I do it? Do I need to contact my certificate provider? Thanks. On Mon, 20-10-2008 at 10:32 +0200, Jorge Martín Cuervo wrote: Did you try with SSLPassPhraseDialog in each VirtualHost? -- ;-) Jorge Martin Cuervo Outsourcing Emarketplace deFacto Powered by Standards email [EMAIL PROTECTED] voice +34 984 832 659 voice +34 660 026 384
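An added configuration, not taken from the thread, showing how the two GoDaddy certificates listed in the apachectl -S output above are served side by side. httpd 2.2.9 predates SNI support (added in 2.2.12), so each certificate needs its own IP:port pair, and the passphrase handling lives in the global context because, as the error message shows, SSLPassPhraseDialog is not allowed inside a VirtualHost. The key, certificate and bundle paths are assumptions; the addresses and host names are those from the -S output.

```apache
# Global server context. With two encrypted keys httpd asks for each
# passphrase in turn at startup. If it is started detached from a terminal
# (init script, cron) nobody can answer and startup fails, which matches
# "never asked and stopped serving". Either answer interactively ...
SSLPassPhraseDialog builtin
# ... or let a program supply the passphrases: mod_ssl runs it with
# "servername:port" and the key type (RSA or DSA) as arguments and reads
# the passphrase from its stdout. Keep the script mode 0700, owned by root.
# SSLPassPhraseDialog exec:/home/jmartin/apache22/bin/passphrase.sh
# The third option (mod_ssl FAQ, ToC31 linked above) is to strip the
# passphrase once, "openssl rsa -in server.key -out server.key.plain",
# and rely on file permissions (chmod 600, root-owned) to protect the key.

Listen 213.134.38.54:443
Listen 213.134.38.66:443

<VirtualHost 213.134.38.54:443>
    ServerName www.smartcv.org
    SSLEngine on
    SSLCertificateFile      /home/jmartin/apache22/conf/ssl/smartcv.crt
    SSLCertificateKeyFile   /home/jmartin/apache22/conf/ssl/smartcv.key
    # GoDaddy intermediate bundle, so browsers can build the chain to the root
    SSLCertificateChainFile /home/jmartin/apache22/conf/ssl/gd_bundle.crt
</VirtualHost>

<VirtualHost 213.134.38.66:443>
    ServerName cv.smra.org
    SSLEngine on
    SSLCertificateFile      /home/jmartin/apache22/conf/ssl/smra.crt
    SSLCertificateKeyFile   /home/jmartin/apache22/conf/ssl/smra.key
    SSLCertificateChainFile /home/jmartin/apache22/conf/ssl/gd_bundle.crt
</VirtualHost>
```

Check the result with `httpd -S` (both 443 entries must appear, as they do above) and with `openssl s_client -connect 213.134.38.66:443`, which should return the cv.smra.org certificate and a verified chain.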
IE + SSL = File Upload Problems
Hello, Hopefully someone can help... Environment: Apache httpd 2.2 + mod_proxy + JK2 + mod_ssl -- JBoss (Tomcat 5.5) IE 6/7 + WinXP Pro/Win 2003 Problem: When a large file upload from a http form post reaches a max allowed limit (e.g. 20Mb) on the server, the server returns a response (e.g. 413/406). Somewhere the SSL part is causing (only) IE to hang for a while (consume lots of memory/processor time) and then display a page that says: Navigation to the webpage was stopped... Note: Turning SSL off fixes this behaviour. Can anyone shed any light on what might be causing this? Cheers, Dave
X509 variables ..UID
In ssl_engine_vars, there seems to be a problem to me concerning the UID field. The syntax for the field is a bitstring and not a text.

static const struct {
    char *name;
    int nid;
} ssl_var_lookup_ssl_cert_dn_rec[] = {
    { "C",     NID_countryName },
    { "ST",    NID_stateOrProvinceName }, /* officially (RFC2156) */
    { "SP",    NID_stateOrProvinceName }, /* compatibility (SSLeay) */
    { "L",     NID_localityName },
    { "O",     NID_organizationName },
    { "OU",    NID_organizationalUnitName },
    { "CN",    NID_commonName },
    { "T",     NID_title },
    { "I",     NID_initials },
    { "G",     NID_givenName },
    { "S",     NID_surname },
    { "D",     NID_description },
#if SSL_LIBRARY_VERSION >= 0x00907000
    { "UID",   NID_x500UniqueIdentifier },
#else
    { "UID",   NID_uniqueIdentifier },
#endif
    { "Email", NID_pkcs9_emailAddress },
    { NULL,    0 }
};

-- http://www.edelweb.fr *Edel/W/eb* Peter SYLVESTER Consultant Sécurité des Systèmes d'Information --- EdelWeb - Groupe ON-X 15, quai de Dion-Bouton F-92816 Puteaux Cedex Tel : +33.1.40.99.14.14 / Fax : +33.1.40.99.99.58 www.edelweb.fr http://www.edelweb.fr / www.on-x.com http://www.on-x.com --- To verify the message signature, see edelpki.edelweb.fr http://edelpki.edelweb.fr/ This lets you download the root authority certificate http://edelpki.edelweb.fr/cacerts/EdelPKI-ca.der; the list of revoked certificates can be found there too.
Re: X509 variables ..UID
Peter Sylvester wrote: In ssl_engine_vars, there seems to be a problem to me concerning the UID field. The syntax for the field is a bitstring and not a text. Nothing happened since I've filed this bug and raised the issue here: https://issues.apache.org/bugzilla/show_bug.cgi?id=45107 It's broken => it should be fixed. Unfortunately no-one cares. :-( Ciao, Michael.
Jean-Pierre Guilloteau is away.
I will be out of the office starting Fri 10/10/08 and will not return until Mon 27/10/08. I will reply to your message on my return. Regards.
Embedded purposes
If a user is trying to authenticate himself with an SSL web server, he needs to present a valid personal certificate, I understand. But what if the purpose of the client certificate is not valid? I mean, for one user's certificate, Mozilla SeaMonkey reports: This certificate has been verified for the following uses: Email Signer Certificate and Email Recipient Certificate. Will an SSL web server accept such a client certificate for authenticating an SSL web connection? Gunnar Vestergaard
Re: Can i use CA signed cert to create client authentication certificates ?
Hi, Asking every time does make it complicated. I can't remember if the Firefox default is to ask or auto supply (and it has changed behavior between 1/2/3 AFAIK); I have it as ask every time. Anyway the ask-every-time FF behavior isn't very nice for users (auto supply is probably fine for most users). FF will also ask for a cert at every session ID change. As you know there isn't an ask-once option, which would be very nice. I don't think there is much that can be done to fix it other than coding up an ask-once option in FF (which I haven't got the time to do :( ). Anyway you may also want to use/need the SSLOptions +OptRenegotiate if you have portions of the site that do and don't require client certs. It can help greatly with IE. Sometimes IE goes a little funny and renegotiates sessions all the time going from non-client-cert to client-cert areas. Regards Matt

- Original Message From: Jan Stian Gabrielli [EMAIL PROTECTED] To: modssl-users@modssl.org Sent: Thursday, September 25, 2008 9:37:00 AM Subject: Re: Can i use CA signed cert to create client authentication certificates ?

Thank you very much Matt. That solved it :). I now have Client Certificate Authentication working with a CA-signed certificate and a self-signed CA which in turn signs client certs. If I can only ask for a bit more advice regarding this setup? Although I think this problem might be Firefox specific I'm hoping for some advice here. Internet Explorer handles the client certificates fine, prompts me to select a certificate on connection to the site and basically just works after that. But when Firefox is set to Ask me every time instead of auto select client certificate I keep getting the select certificate pop up several (multiple) times per page request/load from the SSL-secured Apache server. There is only one certificate in the select-from dialog, but it keeps prompting me and I can see it loading one item (image) at a time on the website. If I switch to Auto select certificate it works. But it would be nice not having the browser present the certificate without it being the user's choice. And honestly, choosing it once per session per site should be sufficient. I should probably mention that the page served up is behind a mod_proxy module. But this content should not differ for Firefox, and certificate selection. Or does the mod_ssl module prompt for a client certificate for each item loaded? I have googled this but can't find any good answers. Some say it is because of image objects loading, but why. Best regards Jan Stian Gabrielli

Original Message --- Hi, Basically...
SSLCACertificateFile SelfSignedCA Root Cert (public part)
SSLVerifyClient require or optional
SSLVerifyDepth 1 (default)
and have the setup from the Thawte cert as per normal for the server cert. Regards Matt

- Original Message From: Jan Stian Gabrielli [EMAIL PROTECTED] To: modssl-users@modssl.org Sent: Tuesday, September 23, 2008 1:39:16 PM Subject: Re: Can i use CA signed cert to create client authentication certificates ?

Ok. This seems like a viable solution. I.e. I use an approved CA-signed cert to verify the site authenticity, and I use a self-signed CA root for client certificates. Can you point me in a direction of how I make this work in apache? I already have a setup with a self-signed CA working for client certificates.
Created SelfSignedCA
|--Create and Sign Apache Cert from SelfSigned CA
|--Create and Sign Client Cert from SelfSigned CA
How do I incorporate this with a CA (thawte) signed webserver certificate? Best regards Wizkidnono

Original Message --- Sounds like you're trying to use the thawte apache cert to sign your client certs? The thawte cert won't have the right attributes to sign a client cert and then try to use it. You could use your CA for client certs and Thawte for the server cert. Regards Matt

- Original Message From: Jan Stian Gabrielli [EMAIL PROTECTED] To: modssl-users@modssl.org Sent: Monday, September 22, 2008 7:54:37 PM Subject: Can i use CA signed cert to create client authentication certificates ?

I am trying to set up apache with mod_ssl, and I have it working with a self-signed CA. But I can not get it to work with a cert created by thawte.com. Does anyone know if it is possible to do this with a crt signed by a third party where one does not have access to their root CA key? I.e. I have generated an apache_server.key, made an apache_server.csr and sent this for signing by thawte.com. Received an apache_server.crt. Created a client.key and a client.csr. Signed it with my apache_server.key and apache_server.crt. Converted the client.key,crt to a pkcs12 file and imported this into my browser, but I can not make things work. SSL works fine on the server on pages that do not require SSL client auth. As I stated earlier, it works when I create and self-sign a CA, but I can't make it work when I use
Re: Can i use CA signed cert to create client authentication certificates ?
Thank you very much Matt. That solved it :). I now have Client Certificate Authentication working with a CA signed certificate and a Self Signed CA which in turn signs client certs.

If I can only ask for a bit more advice regarding this setup? Although I think this problem might be Firefox specific, I'm hoping for some advice here. Internet Explorer handles the client certificates fine, prompts me to select a certificate on connection to the site and basically just works after that. But when Firefox is set to "Ask me every time" instead of auto-select client certificate, I keep getting the select certificate pop-up several (multiple) times per page request/load from the SSL secured Apache server. There is only one certificate in the select-from dialog, but it keeps prompting me and I can see it loading one item (image) at a time on the website. If I switch to "Auto select certificate" it works. But it would be nice not having the browser present the certificate without it being the user's choice. And honestly, choosing it once per session per site should be sufficient.

I should probably mention that the page served up is behind a mod_proxy module. But this content should not differ for Firefox and certificate selection. Or does the mod_ssl module prompt for a client certificate for each item loaded? I have googled this but can't find any good answers. Some say it is because of image objects loading, but why?

Best regards
Jan Stian Gabrielli

--- Original Message ---
Hi,

Basically...

SSLCACertificateFile  SelfSignedCA Root Cert (public part)
SSLVerifyClient       require or optional
SSLVerifyDepth        1 (default)

and have the setup from the Thawte cert as per normal for the server cert.

Regards
Matt

--- Original Message ---
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Tuesday, September 23, 2008 1:39:16 PM
Subject: Re: Can I use CA signed cert to create client authentication certificates?

Ok. This seems like a viable solution. I.e. I use an approved CA signed cert to verify the site authenticity, and I use a self-signed CA root for client certificates. Can you point me in a direction of how I make this work in Apache? I already have a setup with a self-signed CA working for client certificates.

Created SelfSignedCA
|-- Create and Sign Apache Cert from SelfSigned CA
|-- Create and Sign Client Cert from SelfSigned CA

How do I incorporate this with a CA (Thawte) signed webserver certificate?

Best regards
Wizkidnono

--- Original Message ---
Sounds like you're trying to use the Thawte Apache cert to sign your client certs? The Thawte cert won't have the right attributes to sign a client cert and then try to use it. You could use your CA for client certs and Thawte for the server cert.

Regards
Matt

--- Original Message ---
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Monday, September 22, 2008 7:54:37 PM
Subject: Can I use CA signed cert to create client authentication certificates?

I am trying to set up Apache with mod_ssl, and I have it working with a self-signed CA. But I can not get it to work with a cert created by thawte.com. Does anyone know if it is possible to do this with a crt signed by a third party where one does not have access to their root CA key?

I.e. I have generated:
- an apache_server.key
- made an apache_server.csr and sent this for signing by thawte.com
- received an apache_server.crt
- created a client.key and a client.csr
- signed it with my apache_server.key and apache_server.crt
- converted the client.key, crt to a PKCS12 file and imported this into my browser

but I can not make things work. SSL works fine on the server on pages that do not require SSL client auth. As I stated earlier, it works when I create and self-sign a CA, but I can't make it work when I use a 3rd party CA and only have apache_server.key, apache_server.crt, thawte root cert.
Best regards
Wizkidnono

__ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager [EMAIL PROTECTED]
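The setup Matt describes, written out as an Apache 2.2 mod_ssl virtual host: the Thawte-signed certificate identifies the server, while only the private self-signed CA is trusted for client certificates. This is an added example, not configuration posted in the thread; the hostname and file paths are placeholders.

```apache
# Added example (not from the thread). Server identity comes from Thawte,
# client identity from a private self-signed CA. Paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on

    # Server identity: the key you generated, the cert Thawte signed for
    # that CSR, and the Thawte chain so browsers can build the path.
    SSLCertificateFile      /etc/apache2/ssl/apache_server.crt
    SSLCertificateKeyFile   /etc/apache2/ssl/apache_server.key
    SSLCertificateChainFile /etc/apache2/ssl/thawte_chain.crt

    # Client identity: ONLY the public part of the self-signed CA goes here.
    # Do not add Thawte's root to this file; every CA listed here is trusted
    # to issue client certificates, so any Thawte-issued client cert within
    # SSLVerifyDepth would then pass verification.
    SSLCACertificateFile    /etc/apache2/ssl/SelfSignedCA.crt

    # "require" rejects the handshake without a valid client cert;
    # "optional" completes the handshake and leaves the decision to the app.
    SSLVerifyClient require

    # Client certs are signed directly by the CA (client -> SelfSignedCA),
    # so depth 1 is enough. Keeping it minimal means a longer, unexpected
    # chain is rejected rather than accepted.
    SSLVerifyDepth  1

    # Expose SSL_CLIENT_S_DN etc. to the application / CGI environment
    # so it can authorise on the presented identity, not just the handshake.
    <Location />
        SSLOptions +StdEnvVars
    </Location>

    ErrorLog /var/log/apache2/ssl_error.log
    # Raise to "info" temporarily when diagnosing client cert failures.
    LogLevel warn
</VirtualHost>
```

Before deploying, confirm a client certificate actually chains to the private CA and not to anything else with `openssl verify -CAfile SelfSignedCA.crt client.crt`; a cert signed with apache_server.key, as in the original attempt, fails this check because that certificate is not a CA.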