Re: Basic auth with SSL - again
On Tue, Mar 23, 1999, Achille M. Luongo wrote:

> > > I installed Apache/1.3.3 (Win32) mod_ssl/mod_ssl/2.1b8 SSLeay/0.9.0b.
> >
> > 2.1b8? Oh, that's really _OLD_, I hope you know this. I've no clue on your problem, but this is the first version which ran on Win32, so I strongly suggest that you upgrade to 2.2.5. Because the chance is high that this was implicitly solved by the changes since 2.1b8.
>
> Thanks for the answer, Ralf. My problem is that I can't build applications under Win32 platform. Is anybody able to build and uplownload on ftp://contrib:[EMAIL PROTECTED]/sw/mod_ssl/ (read/write access). an update version of Apache (Win32) with mod_ssl/mod_ssl/2.2.5 ?

Perhaps one of the Win32 users can put a binary there. I cannot do it, because my Win32 box is still totally messed up.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com

__
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: GSID, mod_ssl and Apache...
Ralf S. Engelschall wrote:

> Then this is a client problem! The server cannot do anything here. At least Netscape is very smart and remembers that he is reconnecting to a server with a GlobalID cert and then _immediately_ starts with a strong cipher and never does the stepup again (at least not until it's restarted or the server cert changes). But I've not tried this with IE. But it's Microsoft, what have you expected...

Yes I know, it's a client problem. ...and Microsoft... nothing more to say about them...

Thanks for your replies, it's always good to hear someone else explain what you already suspect.

--Patrik
Re: POST problem
Ralf S. Engelschall wrote:

> Ok, then I've to check now POST+keepalive+redirection, too. What a nice thing that the HTTP protocol makes such a lot of esoteric combinations possible. I'll investigate when I find time.

Just FYI, I've also come across the POST+keepalive+redirection problem. I think I'm right in saying it's still a problem because I can't see it in the changes for 2.2.6.

thanks,

Tony.

--
Tony Locke [EMAIL PROTECTED]
Programmer, Open World Limited
[BugDB] OpenSSL: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 (PR#133)
Full_Name: Andre Albuquerque
Version: 2.2.6-1.3.6
OS: Linux 2.0.36
Submission from: (NULL) (161.148.222.154)

I have just installed the new mod_ssl-2.2.6-1.3.6 with the new apache 1.3.6 distrib and openssl 0.9.2b, but, despite of a clean compiling, I have the following error while trying to get a page:

[Wed Mar 24 08:48:23 1999] [error] mod_ssl: SSL handshake failed (client 161.148.222.154, server www s.visualnet.com.br:443) (OpenSSL library error follows)
[Wed Mar 24 08:48:23 1999] [error] OpenSSL: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac

Is it a mod_ssl error or an openssl error?

BTW: my system has the following conf:

Linux 2.0.36 (i386) Apache/1.3.6 mod_ssl/2.2.6 OpenSSL/0.9.2b PHP/3.0.7

Thanks in advance,

Gustavo
Re: ANNOUNCE: mod_ssl 2.2.5-1.3.4
On Fri, Mar 19, 1999, [EMAIL PROTECTED] wrote:

> "Ralf S. Engelschall" [EMAIL PROTECTED] writes:
>
> > *) The SSLCertificateFile and SSLCertificateKeyFile directives now can read PEM (=DER+Base64+headers), DER+Base64 (without headers) and plain DER format certificate and private key files. This is mostly provided for convenience reasons.
>
> I haven't spent much more time on this, sorry, but I still cannot get this to work. Using Ralf's patch from last week, there appears to be a problem with how the private key is being read. Just for kicks, I went and got the latest versions of mod_ssl and OpenSSL via rsync last night and tried again. (I built directly out of pkg.apache.) This time I dump core on startup.
>
> I would appreciate it if someone who has this working successfully, try this out with the provided _sample_ server cert and key. The second cert is the ca cert used to issue the server cert. And let me know how it goes.
>
> [...]
> -----BEGIN ENCRYPTED PRIVATE KEY-----
> -----END ENCRYPTED PRIVATE KEY-----

Yeah, the problem is that OpenSSL doesn't know these "ENCRYPTED PRIVATE KEY" headers. Mod_ssl cannot change this, of course. The question now is: From where do they come, i.e. which program created this format? And what's in this container? Just a Base64-encoded DER key?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
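
The two questions that close the message above (which container is this, and what is inside it) can be answered from the bytes alone. The following is an added example, not code from the post or from mod_ssl: it tells apart the three containers named in the changelog entry and reports whether the payload has the shape of a PKCS#8 EncryptedPrivateKeyInfo, the structure that the "ENCRYPTED PRIVATE KEY" PEM label stands for. All function names and the sample key are constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos=0):
    """Parse one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length = buf[pos:pos + 2]         # ValueError if fewer than two bytes remain
    pos += 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Turn OID content bytes into dotted notation (first byte packs two arcs)."""
    arc1 = min(value[0] // 40, 2)
    arcs, n = [arc1, value[0] - 40 * arc1], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends one arc
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def unwrap(data):
    """Return (container, label, der) for PEM, bare Base64 or plain DER input."""
    m = PEM_RE.search(data)
    if m:
        return "PEM", m.group(1).decode(), base64.b64decode(m.group(2))
    if data[:1] == b"\x30":                # binary SEQUENCE tag; its Base64 form starts with "M"
        return "DER", None, data
    # binascii.Error, raised on non-Base64 input, is a ValueError subclass
    return "Base64", None, base64.b64decode(b"".join(data.split()), validate=True)

def describe(data):
    """Classify a blob by its container and by its outermost ASN.1 shape."""
    container, label, der = unwrap(data)
    tag, body, end = read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    first_tag, first, nxt = read_tlv(body)
    structure, oid = "other", None
    if first_tag == 0x02:                  # version INTEGER first: unencrypted key layouts
        structure = "unencrypted key layout"
    elif first_tag == 0x30 and read_tlv(body, nxt)[0] == 0x04:
        inner_tag, inner, _ = read_tlv(first)
        if inner_tag == 0x06:              # AlgorithmIdentifier, then OCTET STRING ciphertext
            structure, oid = "PKCS#8 EncryptedPrivateKeyInfo", decode_oid(inner)
    return {"container": container, "label": label, "structure": structure, "pbe_oid": oid}

# Constructed sample, not the key from the post: dummy salt, count and ciphertext.
SAMPLE_DER = bytes.fromhex(
    "302f301b06092a864886f70d010503"       # SEQ { SEQ { OID pbeWithMD5AndDES-CBC
    "300e04081111111111111111" "02020800"  #   SEQ { salt, iteration count 2048 } }
    "0410" + "00" * 16)                    #   OCTET STRING (16 dummy bytes) }
SAMPLE_B64 = base64.encodebytes(SAMPLE_DER)
SAMPLE_PEM = (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + SAMPLE_B64
              + b"-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    print([describe(blob) for blob in (SAMPLE_PEM, SAMPLE_B64, SAMPLE_DER)])
```

A blob reported as `PKCS#8 EncryptedPrivateKeyInfo` can only be loaded by a reader that implements PKCS#8 and the password-based encryption scheme named by `pbe_oid`.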
Re: [BugDB] OpenSSL: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 (PR#133)
On Wed, Mar 24, 1999, [EMAIL PROTECTED] wrote:

> Full_Name: Andre Albuquerque
> Version: 2.2.6-1.3.6
> OS: Linux 2.0.36
> Submission from: (NULL) (161.148.222.154)
>
> I have just installed the new mod_ssl-2.2.6-1.3.6 with the new apache 1.3.6 distrib and openssl 0.9.2b, but, despite of a clean compiling, I have the following error while trying to get a page:
>
> [Wed Mar 24 08:48:23 1999] [error] mod_ssl: SSL handshake failed (client 161.148.222.154, server www s.visualnet.com.br:443) (OpenSSL library error follows)
> [Wed Mar 24 08:48:23 1999] [error] OpenSSL: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
>
> Is it a mod_ssl error or an openssl error?

H I've only the following ideas for you:

1. When this isn't Linux on an Intel box make sure you've built OpenSSL correctly. Usually on Alpha boxes you need to use a different platform id.

2. Make sure OpenSSL works correctly by running "make test" after "make" inside the OpenSSL source tree.

3. Try to build OpenSSL without assembler stuff

4. Try to connect to the server with "openssl s_client" to make sure your browser isn't broken.

Greetings,

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Re: [BugDB] OpenSSL: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 (PR#133)
At 15:44 24/03/1999 +0100, you wrote:

> On Wed, Mar 24, 1999, [EMAIL PROTECTED] wrote:
>
> > Full_Name: Andre Albuquerque
> > Version: 2.2.6-1.3.6
> > OS: Linux 2.0.36
> > Submission from: (NULL) (161.148.222.154)
> >
> > I have just installed the new mod_ssl-2.2.6-1.3.6 with the new apache 1.3.6 distrib and openssl 0.9.2b, but, despite of a clean compiling, I have the following error while trying to get a page:
> >
> > [Wed Mar 24 08:48:23 1999] [error] mod_ssl: SSL handshake failed (client 161.148.222.154, server www s.visualnet.com.br:443) (OpenSSL library error follows)
> > [Wed Mar 24 08:48:23 1999] [error] OpenSSL: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
> >
> > Is it a mod_ssl error or an openssl error?
>
> H I've only the following ideas for you:
>
> 1. When this isn't Linux on an Intel box make sure you've built OpenSSL correctly. Usually on Alpha boxes you need to use a different platform id.

It is an Intel box (Linux 2.0.36 i386)

> 2. Make sure OpenSSL works correctly by running "make test" after "make" inside the OpenSSL source tree.

It worked correctly. I've done this test.

> 3. Try to build OpenSSL without assembler stuff
>
> 4. Try to connect to the server with "openssl s_client" to make sure your browser isn't broken.

Ok Ralf, I'm going to test this as soon as possible. I've tested with netscape 4.5 and MSIE 4.0 (4.72.3110.8), both for WinNt 4.0.

Thanks,

Gustavo

__
Andre Gustavo de C. Albuquerque [EMAIL PROTECTED]
PGP Public Key: http://www.visualnet.com.br/~gustavo/pgpkey.asc
Re: Basic auth with SSL - again
"Ralf S. Engelschall" [EMAIL PROTECTED] wrote:

> [...]
> > Thanks for the answer, Ralf. My problem is that I can't build applications under Win32 platform. Is anybody able to build and uplownload on ftp://contrib:[EMAIL PROTECTED]/sw/mod_ssl/ (read/write access). an update version of Apache (Win32) with mod_ssl/mod_ssl/2.2.5 ?
>
> Perhaps one of the Win32 users can put a binary there. I cannot do it, because my Win32 box is still totally messed up.

I've uploaded Apache_1.3.6-mod_ssl_2.2.6-openssl_0.9.2b-WIN32-i386.zip to the contrib area. (The mod_proxy source was patched to fix one crash bug and a bug preventing cache GC from functioning)
2.2.6-1.3.6 problems
I'm having some strange problems...

When compiling for the mod_ssl-2.2.6-1.3.6 RPMs I get a server that works with

Win Netscape 4
Win M$IE 4,

but *not* with

Mac Netscape 4.5
Linux Netscape 4.08

(ssl connections that is, normal connections work fine)

I use Redhat 5.2, kernel 2.2.4, openssl 0.9.1c (yeah, I know, but I did not find .2b RPMs and was lazy [could the former be the problem?])

Entries in ssl_engine.log:

[info] Connection to child 2 established (server starbug.inbox.se:443)
[info] SSL handshake stopped: connection was closed

Netscape pops up a dialog "Netscape has encountered bad data from the server."

No errors in httpd error_log

/magnus
Re: [BugDB] Mod_SSL and PHP 3.0.7? (PR#132)
On Wed, Mar 24, 1999 at 08:22:06AM +0100, [EMAIL PROTECTED] wrote:

> On Wed, Mar 24, 1999, [EMAIL PROTECTED] wrote:
>
> > Full_Name: John Hoffmann
> > Version: 2.2.5-1.3.4
> > OS: Solaris 2.6
> > Submission from: stargate.trytel.com (209.167.85.20)
> >
> > I'm trying to switch from StrongHold 2.4 to Apache 1.3.4 with mod_ssl, and I must say the installation went 200 times easier. One thing I am having a problem with however is getting PHP 3 to work at all. I recently compiled StrongHold with mod_auth_mysql-2.20, php 2.01 and php 3.0.7 and it worked fine, but when I compile these same modules into Apache 1.3.4 with mod_ssl the php3 engine seems to die. When accessing a .php3 page I simply get a "The document contains no data". PHP 2 pages work fine. I've checked my configuration:
> >
> > srm.conf:AddType application/x-httpd-php3 .php3
> >
> > But no PHP 3 pages will return any data. Any ideas at all?
>
> No, I'm neither using PHP3 myself nor have deep experiences with it, so I cannot help you very much. But because this doesn't look like it's really mod_ssl related, I recommend you to write to the PHP3 support mailing lists.
>
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com

The problem turns out to be a limit on the file descriptors that each process can open, I removed some VirtualHosts and it worked, now to figure out how to increase the limit on Solaris 2.6 ... anyways, thanks for the quick response, much faster than the Stronghold Commercial team ;')

--
John Hoffmann [EMAIL PROTECTED]
Re: OpenSSl 0.9.2b test failed
On Wed, Mar 24, 1999, Igor S. Livshits wrote:

> I am attempting to upgrade to mod-ssl-2.2.6-1.3.6 and am having problems building openssl-0.9.2b. Configuration and compilation seems to go fine, but when I run the tests, I get this failure:
>
> ./rsa_oaep_test
> Decryption failed!
> Decryption failed!
> Decryption failed!
> make[1]: *** [test_rsa] Error 1
>
> I am trying this on a RedHat 5.2 system with the following flags:
>
> perl Configure linux-elf -DRSAref -lRSAglue -L`pwd`/../rsaref-2.0/local/ -lrsaref
>
> I'd appreciate any hints...

The RSA OAEP stuff is brand new. Nevertheless I guess the actual source of your problem is the RSAref library. Compile without it and try again. I'm 95% sure then it will work. If not, you can try to contact Ulf Moeller [EMAIL PROTECTED] who wrote this stuff. Perhaps he has a clue why it could fail for you...

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Now I can be my own CA but there's more...
Carlo Marcelo Arenas Belon wrote:

> Juan Carlos Castro y Castro wrote:
>
> > Hi! I just bought a Brazilian RH Linux distribution with Apache 1.3.3 and mod_ssl 2.0.something. When I follow the instructions to create my own CA and sign the server certificate I just created, I get this in the verification phase:
> >
> > error 7 at 0 depth lookup:certificate signature failure
>
> there is not a problem with your distribution.. there is a strange "bug" on ssleay/openssl which doesn't allow the same values for a server.crt and a ca.crt so if you want to self-sign your certificate you need to change the values you are putting on both certificates
>
> i've learned this the difficult way.., should be on the FAQ, you could get a clue if you check the list archives

YES! It worked! THANK YOU!

Now I stumbled on an ugly thing: while Netscape issues me a warning and allows me to proceed until the certificate expires, IE 3 disallows access altogether. Any way I can hack the Registry or something like that so IE3/4/5 users can go to my site? Like, adding my phony CA to IE's list of CAs? By the way, is there such hack to Netscape too?

Cya,

--
One man alone cannot fight the future. USE LINUX!
Juan Carlos Castro y Castro
[EMAIL PROTECTED]
Linux user, alvinegro, X-Phile and cheeky Carioca
Director of IT and Supernatural Events, E-RACE CORPORATION
Re: [BugDB] https only sends 65536 bytes (PR#134)
Sounds more like an MTU problem. Perhaps the MTU for port 443 is set to a lower number than for port 80 on your router?

HTH

[EMAIL PROTECTED] wrote:

> Full_Name: Paul Curtis
> Version: mod_ssl/2.2.2 SSLeay/0.9.0b
> OS: Linux
> Submission from: nyor1ts1.ny.us.ibm.net (165.87.14.10)
>
> A large PDF file, ~221KB, gets truncated at 65536 bytes. There are no errors logged, the access log shows a completed request delivering 65536 bytes. The problem does not occur when the file is requested via a non-SSL URL.

Thanks,

allan

---
Allan Liska
Spectrum Computers
http://www.spectrum-computers.com
http://www.webcreations-va.com

If I don't document something, it's usually either for a good reason, or a bad reason. -- Larry Wall
Re: OpenSSl 0.9.2b test failed
(Hi Igor)

This is almost certainly a problem due to building openssl-0.9.2b with RSAref. The problem is that OAEP is a new RSA "encryption scheme" defined in RFC2347 dated October 1998. RSAref 2.0 appears to date back to 1994.

My fond hope here is that the "make test" failure is a minor oversight (forgetting to skip invocation of rsa_oaep_test when -DRSAref is used.) I just commented out the invocation of it in test/Makefile.ssl and got through the rest of "make test" (and "apps/openssl speed") without problems.

Hope to try out mod-ssl-2.2.6-1.3.6 + openssl-0.9.2b + rsaref-2.0 on a production server tomorrow morning to see if my fond hope is wrong.

Two background URLs:

http://www.progressive-comp.com/Lists/?l=openssl-devm=92211886324200w=2
http://www.cis.ohio-state.edu/htbin/rfc/rfc2437.html

Ed

--
Ed Kubaitis - [EMAIL PROTECTED]
CCSO - University of Illinois at Urbana-Champaign

"Ralf S. Engelschall" wrote:

> On Wed, Mar 24, 1999, Igor S. Livshits wrote:
>
> > I am attempting to upgrade to mod-ssl-2.2.6-1.3.6 and am having problems building openssl-0.9.2b. Configuration and compilation seems to go fine, but when I run the tests, I get this failure:
> >
> > ./rsa_oaep_test
> > Decryption failed!
> > Decryption failed!
> > Decryption failed!
> > make[1]: *** [test_rsa] Error 1
> >
> > I am trying this on a RedHat 5.2 system with the following flags:
> >
> > perl Configure linux-elf -DRSAref -lRSAglue -L`pwd`/../rsaref-2.0/local/ -lrsaref
> >
> > I'd appreciate any hints...
>
> The RSA OAEP stuff is brand new. Nevertheless I guess the actual source of your problem is the RSAref library. Compile without it and try again. I'm 95% sure then it will work. If not, you can try to contact Ulf Moeller [EMAIL PROTECTED] who wrote this stuff. Perhaps he has a clue why it could fail for you...
>
> Ralf S. Engelschall
> [EMAIL PROTECTED]
> www.engelschall.com

...
Re: Basic auth with SSL - again
Trung Tran-Duc wrote:

> "Ralf S. Engelschall" [EMAIL PROTECTED] wrote:
>
> > [...]
> > > Thanks for the answer, Ralf. My problem is that I can't build applications under Win32 platform. Is anybody able to build and uplownload on ftp://contrib:[EMAIL PROTECTED]/sw/mod_ssl/ (read/write access). an update version of Apache (Win32) with mod_ssl/mod_ssl/2.2.5 ?
> >
> > Perhaps one of the Win32 users can put a binary there. I cannot do it, because my Win32 box is still totally messed up.
>
> I've uploaded Apache_1.3.6-mod_ssl_2.2.6-openssl_0.9.2b-WIN32-i386.zip to the contrib area. (The mod_proxy source was patched to fix one crash bug and a bug preventing cache GC from functioning)

Thanks for the upload: I installed it and Apache works fine on my system, too. As Ralf forecasted, the current version of mod-ssl fixes the authentication problem I found on the old version of mod-ssl and that I reported a few days ago.

Bye,

Achille.
Re: Now I can be my own CA but there's more...
What are the "VALUE"s that you referred? ( ...so if you want to self-sign your certificate you need to change the values you are putting on both certificates)

Thanks.

-----Original Message-----
From: Juan Carlos Castro y Castro [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Wednesday, March 24, 1999 4:10 PM
Subject: Now I can be my own CA but there's more...

> Carlo Marcelo Arenas Belon wrote:
>
> > Juan Carlos Castro y Castro wrote:
> >
> > > Hi! I just bought a Brazilian RH Linux distribution with Apache 1.3.3 and mod_ssl 2.0.something. When I follow the instructions to create my own CA and sign the server certificate I just created, I get this in the verification phase:
> > >
> > > error 7 at 0 depth lookup:certificate signature failure
> >
> > there is not a problem with your distribution.. there is a strange "bug" on ssleay/openssl which doesn't allow the same values for a server.crt and a ca.crt so if you want to self-sign your certificate you need to change the values you are putting on both certificates
> >
> > i've learned this the difficult way.., should be on the FAQ, you could get a clue if you check the list archives
>
> YES! It worked! THANK YOU!
>
> Now I stumbled on an ugly thing: while Netscape issues me a warning and allows me to proceed until the certificate expires, IE 3 disallows access altogether. Any way I can hack the Registry or something like that so IE3/4/5 users can go to my site? Like, adding my phony CA to IE's list of CAs? By the way, is there such hack to Netscape too?
>
> Cya,
>
> --
> One man alone cannot fight the future. USE LINUX!
> Juan Carlos Castro y Castro
> [EMAIL PROTECTED]
> Linux user, alvinegro, X-Phile and cheeky Carioca
> Director of IT and Supernatural Events, E-RACE CORPORATION