Re: SSL with secure/nonsecure virtual hosts

2001-03-16 Thread Deim Agoston

> Hello. I am running Apache and am hosting three virtual domains. I'd
> like to have secure pages for all of them. Am I able to use separate
> certificates for secure pages on each of the servers? Are there any
> tricks to implementing this?

If they are IP based virtual domains, then yes. If they are name based
virtual hosts then you should create one certificate for something like
secure.domain.com and create different environments and so on for the
domains like http://secure.domain.com/domain1 and domain2 etc.
That's the only way nowadays. It's not so elegant but could be very useful.

Bye,
Ago

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



SSL with secure/nonsecure virtual hosts

2001-03-16 Thread Michael Carter

Hello. I am running Apache and am hosting three virtual domains. I'd
like to have secure pages for all of them. Am I able to use separate
certificates for secure pages on each of the servers? Are there any
tricks to implementing this?

Thanks in advance.

Apache/1.3.19 (Unix) mod_ssl/2.8.1 OpenSSL/0.9.6

--
Mike Carter
Systems Admin
Apple Computer




Re: SSLVerifyClient

2001-03-16 Thread Erdmut Pfeifer

On Fri, Mar 16, 2001 at 03:10:48PM -0300, Aldo Kogima Pompeo wrote:
> Hi,
> 
> I'm trying to use SSLClient, but I don't know how many days I'll spend to do it.
> 
> I modify my httpd.conf like above:
> ## My httpd.conf
> SSLVerifyClient require
> SSLVerifyDepth  10
> 
> 
> And it works, but I need to add some client's cert, and I search at openssl site and
> I didn't find anything..
> 
> How can I make it work???

not sure what you mean by "need to add client's cert"...

Just for clarification: you don't add client certificates on the server
side (if that's what you mean), but rather have your users install
their certificates in their browsers. The server just has to accept the
CA that issued the client certificate, that's all.

If you need to do user authentication you might want to try mod_ssl's
ability to mimic HTTP basic authentication with client certificates
(using the "Subject Distinguished Name" (DN) of the cert).
See the mod_ssl option:

SSLOptions FakeBasicAuth

in the docs. Of course, you can also roll your own authentication
scheme by accessing the SSL-related env variables (see also "SSLRequire"
for that).

Erdmut


-- 
Erdmut Pfeifer
science+computing ag

-- Bugs come in through open windows. Keep Windows shut! --
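
One way to roll your own check on the SSL environment variables mentioned in the reply above, as an added example (not part of the original post and not mod_ssl code): a small CGI in C that fails closed unless verification succeeded and the complete subject DN is on an allowlist. It assumes mod_ssl exports SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN to the CGI; the DNs and function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed allowlist of complete subject DNs, in the slash-separated
 * form found in SSL_CLIENT_S_DN. */
static const char *const ALLOWED_DNS[] = {
    "/C=DE/O=Example AG/OU=Ops/CN=alice",
    "/C=DE/O=Example AG/OU=Ops/CN=bob",
};

/* Return 1 only if the handshake verified the certificate AND the whole
 * subject DN is on the allowlist. Every other case is denied. */
int client_is_authorized(const char *verify, const char *subject_dn)
{
    size_t i;

    if (verify == NULL || subject_dn == NULL)
        return 0;                     /* variables not exported: deny */
    if (strcmp(verify, "SUCCESS") != 0)
        return 0;                     /* NONE, GENEROUS, FAILED:reason */
    for (i = 0; i < sizeof ALLOWED_DNS / sizeof ALLOWED_DNS[0]; i++)
        if (strcmp(subject_dn, ALLOWED_DNS[i]) == 0)  /* exact, never strstr */
            return 1;
    return 0;
}

/* Copy the value of one DN attribute (e.g. "CN") into out. Returns 0 if the
 * attribute is missing or the value does not fit. A value that itself
 * contains '/' is ambiguous in this format and is cut at the slash. */
int dn_attribute(const char *dn, const char *attr, char *out, size_t outlen)
{
    size_t alen = strlen(attr);
    const char *p = dn;

    while ((p = strchr(p, '/')) != NULL) {
        p++;                                   /* step past the '/' */
        if (strncmp(p, attr, alen) == 0 && p[alen] == '=') {
            const char *val = p + alen + 1;
            size_t vlen = strcspn(val, "/");
            if (vlen >= outlen)
                return 0;                      /* refuse to truncate */
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    const char *verify = getenv("SSL_CLIENT_VERIFY");
    const char *dn = getenv("SSL_CLIENT_S_DN");
    char cn[64];

    if (!client_is_authorized(verify, dn)) {
        printf("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n");
        printf("client certificate not accepted\n");
        return 0;
    }
    if (!dn_attribute(dn, "CN", cn, sizeof cn))
        strcpy(cn, "unknown");
    printf("Content-Type: text/plain\r\n\r\nhello %s\n", cn);
    return 0;
}
```

Matching the whole DN matters: a certificate from any accepted CA can carry CN=alice, so a check on the CN alone or a substring match would accept it.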



SSLVerifyClient

2001-03-16 Thread Aldo Kogima Pompeo

Hi,

I'm trying to use SSLClient, but I don't know how many days I'll spend to do it.

I modify my httpd.conf like above:
## My httpd.conf
SSLVerifyClient require
SSLVerifyDepth  10


And it works, but I need to add some client's cert, and I search at openssl site and I
didn't find anything..

How can I make it work???

Thanks
Aldo






RE: web server errors

2001-03-16 Thread David Rees

This looks very much like the standard MSIE IO exceptions.  Here's how to
fix it:

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49

-Dave

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, March 12, 2001 8:15 AM
> To: [EMAIL PROTECTED]
> Subject: web server errors
>
>
>
> I am not sure if the problem I have is related to ssl or not but at this
> point I am trying to figure out the solution and can use any help I can get.
>
> We just installed Linux Red-Hat 7.0 which comes with Apache version 1.3.14
> and mod_ssl 2.7.1-3. Our customers are complaining that when they try to
> place an order on our secured site they get "page can not be displayed"
> error or "An error occurred in the secured channel support" error. After
> few attempt sometimes they are successful in placing the order. We have
> noticed that after about 90 seconds order goes through successfully. We
> have seen this happening with AOL 5.x and some IE 4.x and 5.x versions. It
> works if the order is placed through non-secured site.
>
> Has anybody notified you such error or do you have any idea why this can
> be happening. I will really appreciate, if you can guide me to the right
> direction to resolve this problem because we are losing lot of orders
> placed through web.
>
> Thank you very much for your help




Re: Apache-1.3.19+mod_ssl-2.8.1+php-4.0.4pl1 segfault (no core file created)

2001-03-16 Thread Karlos Z. Smith

I recompiled without DSO support.  Both mod_ssl and php4 are built into
apache.  Now it will run, but it segfaults while running...

https://io.viptx.net segfaults
https://io.viptx.net/index.html loads the page

I tried running through gdb:
root@Io:/usr/local/apache/bin# gdb ./httpd 
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(gdb) set args -X -DSSL
(gdb) run
Starting program: /usr/local/apache/bin/./httpd -X -DSSL
Cannot access memory at address 0x40016e48
(gdb)

Here is the tail end of a strace of it failing:
...
getpid()= 3119
write(18, "[16/Mar/2001 10:33:29 03119] [in"..., 123) = 123
alarm(0)= 300
alarm(300)  = 0
read(5, "\27\3\0\1%!&\374D\35\2274^\371\33\225\261\270P\272\346"..., 18437) = 298
rt_sigaction(SIGUSR1, {SIG_IGN}, {SIG_IGN}, 8) = 0
time(NULL)  = 984760409
alarm(300)  = 300
alarm(0)= 300
time(NULL)  = 984760409
getpid()= 3119
write(18, "[16/Mar/2001 10:33:29 03119] [in"..., 113) = 113
stat64("/usr/local/apache/htdocs", {st_mode=S_IFDIR|0755, st_size=4096,
...}) = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++


I followed my own build procedure on a glibc 2.1.2, linux box and
everything worked fine, perfect even.  tarred it up and moved it over to
my glibc 2.2.2 system and it segfaults.

(gdb) set args -X -DSSL
(gdb) run
Starting program: /usr/local/apache/bin/httpd -X -DSSL

Program received signal SIGSEGV, Segmentation fault.
0x4000c837 in _dl_signal_error () at eval.c:88
88  eval.c: No such file or directory.
(gdb) bt
#0  0x4000c837 in _dl_signal_error () at eval.c:88
#1  0x401ae721 in _dl_close (_map=0x8114ed8) at dl-close.c:63
#2  0x401aed30 in _dl_close (_map=0x8113ea8) at dl-close.c:276
#3  0x400be46b in dlclose_doit (handle=0x8113ea8) at dlclose.c:25
#4  0x4000ca9b in _dl_catch_error () at eval.c:88
#5  0x400be7ff in _dlerror_run (operate=0x400be450 , args=0x8113ea8) at 
dlerror.c:130
#6  0x400be491 in dlclose (handle=0x8113ea8) at dlclose.c:31
#7  0x8097808 in ap_os_dso_unload (handle=0x8113ea8) at os.c:133
#8  0x8075ae2 in unload_module (modi=0x80eed68) at mod_so.c:182
#9  0x807852e in run_cleanups (c=0x80fa2f8) at alloc.c:1947
#10 0x8076bf7 in ap_clear_pool (a=0x80ee968) at alloc.c:690
#11 0x808719b in standalone_main (argc=3, argv=0xbb1c) at http_main.c:4741
#12 0x8087a53 in main (argc=3, argv=0xbb1c) at http_main.c:5123
#13 0x400dcf5c in __libc_start_main (main=0x80876f8 , argc=3,
ubp_av=0xbb1c, init=0x80500d0 <_init>, fini=0x80be040 <_fini>, 
rtld_fini=0x4000ce30 <_dl_fini>, stack_end=0xbb14) at 
../sysdeps/generic/libc-start.c:129


Ok, is this a glibc issue?  I know they made quite a few changes in
glibc-2.2.2 maybe they screwed something up?  Or maybe mod_ssl was using
some workaround for something that _was_ broke and now it's fixed?

Of course I may have no clue what I'm talking about.  Can someone even
tell me where eval.c is?


-- 
"To err is human, to forgive is beyond the scope of the Operating System"





Library Issues

2001-03-16 Thread Jeremiah Stanley

Has anybody seen messages like this before?

[Fri Mar 16 10:04:41 2001] [error] mod_ssl: Init: Private key not found
(OpenSSL library error follows)
[Fri Mar 16 10:04:41 2001] [error] OpenSSL: error:0D084069:asn1 encoding
routines:d2i_ASN1_SET:bad tag
[Fri Mar 16 10:04:41 2001] [error] OpenSSL: error:0D09D082:asn1 encoding
routines:d2i_RSAPrivateKey:parsing
[Fri Mar 16 10:04:41 2001] [error] OpenSSL: error:0D09B00D:asn1 encoding
routines:d2i_PrivateKey:ASN1 lib

I went ahead and checked the keys to see if they were still good and
openssl told me that they were (but it could be lying). I already checked
the paths to the key and the server's settings in httpd.conf. Everything
was working and then 'magically' stopped working for my customer.

Any clues would be appreciated.

Jeremiah Stanley




Re: credit card processing

2001-03-16 Thread Owen Boyle

Barry Smoke wrote:
> 
> I have seen a custom apache that had a different (commercial) ssl compiled in
> it, and a company that did processing of credit cards if you had that setup.
> 
> Is there a company out there that works with mod_ssl?

Yes. All of them. 

I think you are misunderstanding what SSL is about. SSL gives you a
secure communications channel between the client and the server. That
lets customers send you their credit card numbers with full security.
What you then do with the numbers is up to you. You can contact a
gateway (e.g. Europay) or go through a third-party. You can even phone
in the number in the traditional corner-shop way. You have to watch out
for liability issues (don't let just anyone read those numbers...)

You can use SSL again to communicate with the gateway or they may have
their own favourite communications protocol. Or you can use SET!

In short, e-commerce is quite a complicated beast and installing SSL on
your web-server is only the start of the battle. If you don't mind a
hefty overhead charge, go with a third-party company - you give them the
bill and they pay you (90%...) Then they deal with the communication
with the payment gateway.

(search on "Payment Services" to find one near you).

Rgds,

Owen Boyle.



credit card processing

2001-03-16 Thread Barry Smoke

I have seen a custom apache that had a different (commercial) ssl compiled in
it, and a company that did processing of credit cards if you had that setup.

Is there a company out there that works with mod_ssl?

What is everyone else doing?
This will be for multiple virtual domains.  I am doing web hosting, and my
customers are starting to ask for this.

I have a credit card machine already set up for my own business bank
account...
is it possible to interface with that for processing?

That probably wouldn't work very well for a busy site...
10 orders come in at once...it would take forever for one machine to process
that.







Re: IE 4 problem

2001-03-16 Thread David Rees

Did you read the FAQ or search the mail archives?  Your question is
answered multiple times.

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49

http://marc.theaimsgroup.com/?l=apache-modssl&r=1&w=2

-Dave


On Fri, Mar 16, 2001 at 10:18:44AM -0500, Joel Helbling wrote:
> I am using mod_ssl 2.7.1-1.3.14 (Stronghold 3.0 build 3013).  When I hit 
> any ssl encrypted page on my server using IE 4, (4.72) I get a pop-up 
> window which says, "Internet Explorer cannot open the Internet site 
> https://{url}.  An error occurred in the secure channel support."
> 
> This seems to happen about 90% of the time with IE 4.
> 
> Here are my SSL directives:
> 
> SSLMutex file:/{path}/ssl_mutex
> SSLProtocol +SSLv3
> SSLEngine on
> SSLCertificateFile /{path}/httpd.cert
> SSLCertificateKeyFIle /{path}/httpd.key
> SSLCACertificateFile /{path}/client-rootcerts.pem
> 
> I've also tried "SSLProtocol all -SSLv3", "SSLProtocol +SSLv2", as well 
> as omitting the SSLProtocol directive.
> 
> There does not appear to be an error generated in the error_log by this 
> problem.
> 
> Any help is much appreciated.



IE 4 problem

2001-03-16 Thread Joel Helbling

I am using mod_ssl 2.7.1-1.3.14 (Stronghold 3.0 build 3013).  When I hit 
any ssl encrypted page on my server using IE 4, (4.72) I get a pop-up 
window which says, "Internet Explorer cannot open the Internet site 
https://{url}.  An error occurred in the secure channel support."

This seems to happen about 90% of the time with IE 4.

Here are my SSL directives:

SSLMutex file:/{path}/ssl_mutex
SSLProtocol +SSLv3
SSLEngine on
SSLCertificateFile /{path}/httpd.cert
SSLCertificateKeyFIle /{path}/httpd.key
SSLCACertificateFile /{path}/client-rootcerts.pem

I've also tried "SSLProtocol all -SSLv3", "SSLProtocol +SSLv2", as well 
as omitting the SSLProtocol directive.

There does not appear to be an error generated in the error_log by this 
problem.

Any help is much appreciated.

-Joel Helbling




Re: SSL Support for Cookie Disabled Browsers

2001-03-16 Thread Erdmut Pfeifer

On Fri, Mar 16, 2001 at 02:45:57PM +0530, Seshagiri Dev Kurmana wrote:
> Hi,
> I have a problem regarding SSL on Apache. I'm using NS 4.74 and IE 5.5
> as my clients. I have integrated SSL support for Apache 1.3.12 with
> modssl and OpenSSL. My problem is when I disable cookies in my browsers,
> I'm getting session expired every time.

I don't think that this "session expired" refers to the SSL-sessions.
Rather, I guess it refers to the web application not succeeding when
trying to establish a user session using cookies (e.g. as used for user
tracking, etc.). You might consider embedding session-IDs in
dynamically created URLs instead, if you don't want to force your users
to have cookies enabled (assuming you have control over the web
application source, the CGIs, or whatever you are using)

> Please tell me if I have to change any settings in the Configuration
> files or anything else. I shall be very grateful to you for this act of
> kindness.

we would need a little more information on what you are trying to do
to be able to help...

Regards,
Erdmut


-- 
Erdmut Pfeifer
science+computing ag

-- Bugs come in through open windows. Keep Windows shut! --



How can I get the file server.key containing private key?

2001-03-16 Thread Zou Bin

Dear Sir,

I have a problem with using MOD_SSL in APACHE server. I created a 
keystore and certificate request with the keytool of Java, and received 
from Verisign the correct reply to our certificate request, that is, I 
have had the server.crt file or a real digital certificate.

To use a digital certificate in APACHE with MOD_SSL, the two files 
server.crt and server.key must be at hand. But now I can not extract the 
file server.key containing private key from keystore. Can you throw a 
light on how your product supports keytool?

Any response will be appreciated.

Thanks with Best Regards
Zou Bin
eBridgeX.com



Re: Stop Mac/IE from using unencrypted connection over HTTPS?

2001-03-16 Thread Hans Lohmander

Hi,
the text is not telling you the truth.
At least when I checked it.
Use Interarchy's traffic watcher on the mac or some other sniffer
and you will see that it is encrypted. It's just ...

/Hans

Brian O'Neill wrote:
> 
> We ran into an interesting problem.
> 
> Using IE 5.0 on a Mac, connecting to apache 1.3.14/mod_ssl 2.7.1 via HTTPS
> which has a certificate signed by an unknown CA (haven't quite figured out
> how to import the CA cert in IE yet), IE seems to allow you to proceed
> using the connection (a dialog box allows you to continue), but over an
> UNENCRYPTED channel. It is still communicating via HTTPS, but IE does not
> identify a cipher being used and the dialog implies that it is not using
> any.
> 
> I want to disable this. I'm already using the recommended SSLCipherSuite
> line of:
> 
> ALL:!EXP1024-RC4-SHA:!EXP1024-DES-CBC-SHA:ALL:!ADH:!EXPORT56:\
> RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> 
> I've tried adding !eNULL at the end and before the !EXPORT56, but it
> doesn't seem to matter.
> 
> Is there a way to prevent unencrypted communications?
> 
> --
> ==
> Brian O'Neill   @ home [EMAIL PROTECTED]
> At work I'm:   [EMAIL PROTECTED]
> 

-- 
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Hans Lohmander -- Sigma Exallon Information AB
Research & Development
Talkto:+46 (0)40 665 91 65
Faxto:+46 (0)40 24 99 50
Mobile# +46 (0)703-79 09 51
mailto:[EMAIL PROTECTED]
http://www.ei.sigma.se/
ICQ# 9319123
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/




Re: Very[OT]:Technical query re: scratchpad lookups for my() vars

2001-03-16 Thread Malcolm Beattie

Paul writes:
> 
> --- Brian Ingerson <[EMAIL PROTECTED]> wrote:
> > Garrett Goebel wrote:
> > > 
> > > From: Paul [mailto:[EMAIL PROTECTED]]
> > > >
> > > > Anybody know offhand *why* my() lexicals are supposedly faster?
> 
> 
> 
> > Yes this is OT, but I'll contribute to the problem as well...
> > 
> > My coworker Gisle Aas (maybe you've heard of him ;) says that globals
> > and lexicals have identical speed because Perl optimizes out the
> > symbol-table lookup.
> > 
> > Trust Gisle.
> 
> lol -- now *there's* an answer.
> So for my details I should go to the parse tree docs, and the code, I'm
> thinking.
> 
> BTW -- with many thanks to everyone -- my question was "why are they
> faster", but the reason was never the speed -- it was to understand the
> way Perl stores and *accesses* lexicals.
> 
> Any input? =o)

If you have a reasonably recent Perl, you can do the following:

% perl -MO=Terse,exec -e '$f = 123'
OP (0x8180688) enter
COP (0x8180628) nextstate
SVOP (0x8175298) const  IV (0x80f8770) 123
SVOP (0x817b488) gvsv  GV (0x81017b0) *f
BINOP (0x8180600) sassign
LISTOP (0x8180660) leave

% perl -MO=Terse,exec -e 'my $f = 123'
OP (0x81805d0) enter
COP (0x8180598) nextstate
SVOP (0x8104b88) const  IV (0x8104c9c) 123
OP (0x817b490) padsv [1]
BINOP (0x81761f0) sassign
LISTOP (0x81752a0) leave

As you can see from the output, for a non-lexical $f, Perl uses an
opcode "gvsv GV *f". The gvsv instruction gets a pointer to the
entire glob (*f) from which it dereferences the SV (scalar) part and
pushes it on the stack. See pp_hot.c:

PP(pp_gvsv)
{
    djSP;
    EXTEND(SP,1);
    if (PL_op->op_private & OPpLVAL_INTRO)
        PUSHs(save_scalar(cGVOP_gv));
    else
        PUSHs(GvSV(cGVOP_gv));
    RETURN;
}

For the lexical, Perl has already determined at compile time that
$f is in pad slot number 1 (think stack or register allocation).
padsv is:

PP(pp_padsv)
{
    djSP; dTARGET;
    XPUSHs(TARG);
    ...

If you navigate all the macros, you'll find that takes curpad
(a pointer to an array of SV pointers: the current "stack frame"
where "stack" is in the sense of a traditional compiler, not the
(main) Perl stack) and pushes curpad[1] (remember $f was allocated
slot 1 at compile time) onto the (main Perl) stack.

--Malcolm

-- 
Malcolm Beattie <[EMAIL PROTECTED]>
Unix Systems Programmer
Oxford University Computing Services



SSL Support for Cookie Disabled Browsers

2001-03-16 Thread Seshagiri Dev Kurmana

Hi,
I have a problem regarding SSL on Apache. I'm using NS 4.74 and IE 5.5
as my clients. I have integrated SSL support for Apache 1.3.12 with
modssl and OpenSSL. My problem is when I disable cookies in my browsers,
I'm getting session expired every time.
Please tell me if I have to change any settings in the Configuration
files or anything else. I shall be very grateful to you for this act of
kindness.

Thanks,
With Warm Regards,
K.Seshagiri Dev,
Systems Engineer,
Survey No.64, Madhapur,
WIPRO TECHNOLOGIES.
Email to: [EMAIL PROTECTED]


Re: Very[OT]:Technical query re: scratchpad lookups for my() vars

2001-03-16 Thread Brian Ingerson

Garrett Goebel wrote:
> 
> From: Paul [mailto:[EMAIL PROTECTED]]
> >
> > Anybody know offhand *why* my() lexicals are supposedly faster?
> 
> Because a dynamic variable allocates a "new" value at runtime which occludes
> the global value until its scope expires. In contrast, a lexical variable
> is unique to its code value's (CV) context which was determined at parse
> time. However, if you recursively call that CV, then Perl has to allocate a
> new value for the lexical.
> 
> Urban legend says that lexicals are on average 10% faster than dynamic
> variables. I wonder if that is true... and what difference recursion makes.
> I wonder how you'd write a script to benchmark that and actually benchmark
> the right thing...

Yes this is OT, but I'll contribute to the problem as well...

My coworker Gisle Aas (maybe you've heard of him ;) says that globals
and lexicals have identical speed because Perl optimizes out the
symbol-table lookup.

Trust Gisle.

-- 
perl -le 'use Inline C=>q{SV*JAxH(char*x){return newSVpvf
("Just Another %s Hacker",x);}};print JAxH+Perl'



mod_ssl and WAP

2001-03-16 Thread Thomas Obuck

I am trying to get my WAP device to talk to my OpenMail email system.
I can see the whole process begin with the SSL handshake but then I get a
handshake failed error.  The error from the apache error_log is:

[Tue Mar 13 20:19:14 2001] [error] mod_ssl: SSL handshake failed (server
defiant.tmocon.com:443, client 216.198.139.74) (OpenSSL library error
follows)
[Tue Mar 13 20:19:14 2001] [error] OpenSSL: error:140943E8:SSL
routines:SSL3_READ_BYTES:reason(1000)

Has anyone come across this problem before?

Versions of OS and software:

Redhat 7.0 - kernel 2.2-17-14
Apache 1.3.14
mod_ssl-2.7.1-3
openssl-0.9.5a-14


Thanks
Tom Obuck



version numbers

2001-03-16 Thread Brett Tofel

I can't seem to find where the mod_ssl version numbers are explained. If we are using an older apache, must we use an older mod_ssl?
For instance, if we were using apache 1.3.12 would we have to use:

mod_ssl-2.6.6-1.3.12

?

thanks,
brett

Re: SSL v3.0 protocol question

2001-03-16 Thread Eric Rescorla

Rory Chisholm <[EMAIL PROTECTED]> writes:
> This isn't really purely modssl related but I thought I'd give it a try here.
> 
> The SSL v.3 protocol has an optional client_verify where the client signs
> the handshake messages with its secret key thus verifying it not only has
> a client certificate but knows the certificate's secret key.
> 
> There seems to be no corresponding handshake message where the server signs
> the handshake and thus proves it knows the server's secret key which matches
> the server certificate it presented.
> 
> Now either I'm missing something here or this seems to be an omission -
> surely the client would like to make sure it is talking to a server that
> knows its own secret key ?

There are two common cases:

(1) The client encrypts the master key for the session (used to generate
the keying material) with the server's public key. Thus, the server's
ability to decrypt that key proves possession.

(2) The server signs a temporary public key with his private key. That
signature binds the connection to the server's key.

Thus, in either case the client knows that the server has the key he
claims to have. No special message is required.

-Ekr

[Eric Rescorla   [EMAIL PROTECTED]]
Author of "SSL and TLS: Designing and Building Secure Systems"
  http://www.rtfm.com/
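
The two cases in the reply above, worked through as an added example (not from the original post): a toy RSA key (p=61, q=53) and a stand-in for the Finished check show that a peer holding the certificate but not the private exponent fails in both. The key, the values 1234 and 2024, the transcript string and all function names are constructed; finished_tag is not a real MAC.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy RSA key (p=61, q=53), far too small for real use; chosen so the
 * arithmetic fits in 64 bits. All values are constructed. */
#define RSA_N   3233u
#define RSA_E   17u
#define RSA_D   2753u    /* private exponent of the real server */
#define WRONG_D 2011u    /* impostor: presents the certificate, lacks the key */

/* Square-and-multiply modular exponentiation. */
static uint32_t modpow(uint32_t base, uint32_t exp, uint32_t mod)
{
    uint64_t result = 1, b = base % mod;

    while (exp > 0) {
        if (exp & 1)
            result = (result * b) % mod;
        b = (b * b) % mod;
        exp >>= 1;
    }
    return (uint32_t)result;
}

/* Stand-in for the Finished computation: FNV-1a over the handshake
 * transcript, seeded with the shared secret. Each step is invertible, so
 * two different secrets always give two different tags. */
static uint32_t finished_tag(uint32_t secret, const char *transcript)
{
    uint32_t h = (2166136261u ^ secret) * 16777619u;

    for (; *transcript; transcript++)
        h = (h ^ (unsigned char)*transcript) * 16777619u;
    return h;
}

/* Case (1): the client encrypts its secret to the public key from the
 * certificate. Only the matching private exponent recovers it, so only the
 * key holder can send the Finished value the client expects. */
int rsa_transport_handshake(uint32_t server_private_exp)
{
    const char *transcript =
        "ClientHello|ServerHello|Certificate|ClientKeyExchange";
    uint32_t premaster = 1234;                           /* client secret */
    uint32_t on_wire = modpow(premaster, RSA_E, RSA_N);  /* ClientKeyExchange */
    uint32_t recovered = modpow(on_wire, server_private_exp, RSA_N);

    return finished_tag(recovered, transcript) ==
           finished_tag(premaster, transcript);
}

/* Case (2): the server signs (a digest of) its temporary public key; the
 * client verifies the signature with the public key from the certificate. */
int signed_temp_key_handshake(uint32_t server_private_exp)
{
    uint32_t temp_key_digest = 2024;     /* constructed digest, below RSA_N */
    uint32_t signature = modpow(temp_key_digest, server_private_exp, RSA_N);

    return modpow(signature, RSA_E, RSA_N) == temp_key_digest;
}

int main(void)
{
    printf("key transport, real server:   %d\n", rsa_transport_handshake(RSA_D));
    printf("key transport, impostor:      %d\n", rsa_transport_handshake(WRONG_D));
    printf("signed temp key, real server: %d\n", signed_temp_key_handshake(RSA_D));
    printf("signed temp key, impostor:    %d\n", signed_temp_key_handshake(WRONG_D));
    return 0;
}
```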
  



Re: [BugDB] PRIVATE: pkg.eapi/ap_ctx.h macros not 64-bit safe (PR#529)

2001-03-16 Thread modssl-bugdb

On Wed, Mar 07, 2001, [EMAIL PROTECTED] wrote:

> Full_Name: John Wilkins
> Version: 2.8.1-1.3.19
> OS: Compaq Tru64 4.0E
> Submission from: (NULL) (204.186.46.20)
> 
> While compiling Apache 1.3.19 with mod_ssl-2.8.1-1.3.19 using gcc 2.8.1 under
> Compaq Tru64 4.0E, I got the following warnings:
> 
> ssl_engine_kernel.c:803: warning: cast from pointer to integer of different
> size
> 
> ssl_engine_kernel.c:807: warning: cast to pointer from integer of different
> size
> 
> The lines in question make use of the AP_CTX_PTR2NUM and AP_CTX_NUM2PTR macros, 
> which are defined in mod_ssl-2.8.1-1.3.19/pkg.eapi/ap_ctx.h
> 
> These macros are not 64-bit safe since pointers on Alpha machines are 64-bits
> long but unsigned int's are only 32, thus the warning when casting either
> direction.  The greatest concern, of course, would be PTR2NUM.  Provided that no
> significance is lost, this problem is probably of low priority, right?

Yes, only very small numbers are stored, so no real problem should occur.
I'll try to use "unsigned long" instead of "unsigned int" in mod_ssl 2.8.2.
This then should solve the problem, too. Right?

   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com
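
The width problem discussed above, as an added example (not code from mod_ssl or from either poster): a small number parked in a pointer slot survives the round trip through unsigned int, while an address above 4 GiB does not. The macros are hypothetical stand-ins written from the description in the report, not copied from ap_ctx.h, and the address is constructed; uintptr_t is shown beside unsigned long because unsigned long is pointer-sized on LP64 systems but not on every 64-bit ABI.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the two conversions in the report. Going
 * through uintptr_t makes the narrowing explicit, so this file compiles
 * without the warning while keeping the same effect. */
#define PTR2NUM_UINT(p)   ((unsigned int)(uintptr_t)(p))
#define NUM2PTR_UINT(n)   ((void *)(uintptr_t)(unsigned int)(n))
#define PTR2NUM_ULONG(p)  ((unsigned long)(uintptr_t)(p))
#define NUM2PTR_ULONG(n)  ((void *)(uintptr_t)(unsigned long)(n))
#define PTR2NUM_UPTR(p)   ((uintptr_t)(p))
#define NUM2PTR_UPTR(n)   ((void *)(uintptr_t)(n))

/* The usage described in the reply: a small number is stored in a pointer
 * slot and read back. Nothing is lost, whatever the pointer width. */
int small_number_round_trips(unsigned int n)
{
    void *slot = NUM2PTR_UINT(n);

    return PTR2NUM_UINT(slot) == n;
}

/* The risky direction: a real address squeezed through each integer type. */
int address_survives_uint(void *p)
{
    return NUM2PTR_UINT(PTR2NUM_UINT(p)) == p;
}

int address_survives_ulong(void *p)
{
    return NUM2PTR_ULONG(PTR2NUM_ULONG(p)) == p;
}

int address_survives_uintptr(void *p)
{
    return NUM2PTR_UPTR(PTR2NUM_UPTR(p)) == p;
}

/* Constructed address above 4 GiB; it is compared, never dereferenced. */
void *high_address(void)
{
    return (void *)(uintptr_t)0x140012f38ULL;
}

int main(void)
{
    void *p = high_address();

    printf("sizeof: unsigned int=%zu unsigned long=%zu pointer=%zu\n",
           sizeof(unsigned int), sizeof(unsigned long), sizeof(void *));
    printf("small number 443 via unsigned int: %d\n",
           small_number_round_trips(443));
    printf("address via unsigned int:  %d\n", address_survives_uint(p));
    printf("address via unsigned long: %d\n", address_survives_ulong(p));
    printf("address via uintptr_t:     %d\n", address_survives_uintptr(p));
    return 0;
}
```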



Re: [BugDB] gcc include files (Ref. PR#176)

2001-03-16 Thread modssl-bugdb

On Thu, Mar 08, 2001, [EMAIL PROTECTED] wrote:

> Full_Name: Roberto De Luca
> Version: 2.8.1
> OS: Solaris 7
> Submission from: (NULL) (168.96.66.29)
> 
> [...]
>   fi
> ! if [ ".$SSL_INCDIR" != ./usr/include ]; then
> ! SSL_CFLAGS="$SSL_CFLAGS -I\$(SSL_INCDIR)"
> ! fi
> 
>   #
>   #  determine location of OpenSSL libraries
> 
> 
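Review bot: On the changed "if" line the test only skips the exact string /usr/include, so an SSL_INCDIR of /usr/include/ (trailing slash) would still put -I/usr/include/ on the command line; strip a trailing slash before comparing, or match both spellings in a case statement. The SSL_CFLAGS assignment inside the new if is not indented under it, and a one-line comment saying why /usr/include is skipped would help.
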
> This change prevents the script from adding "-I/usr/include" to the
> command line. I believe that this modification has no negative
> side effects, /usr/include should be among the compiler internal
> default list of searched directories.

Yes, sounds reasonable. Now committed to CVS for mod_ssl 2.8.2.
Thanks for your feedback.
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com



web server errors

2001-03-16 Thread jdutt


I am not sure if the problem I have is related to ssl or not but at this point I
am trying to figure out the solution and can use any help I can get.

We just installed Linux Red-Hat 7.0 which comes with Apache version 1.3.14 and
mod_ssl 2.7.1-3. Our customers are complaining that when they try to place an
order on our secured site they get 
"page can not be displayed" error or "An error occurred in the secured channel
support" error. After few attempt sometimes they are successful in placing the
order. We have noticed that after about 90 seconds order goes through
successfully. We have seen this happening with AOL 5.x and some IE 4.x and 5.x
versions. It works if the order is placed through non-secured site. 

Has anybody notified you such error or do you have any idea why this can be
happening. I will really appreciate, if you can guide me to the right direction
to resolve this problem because we are losing lot of orders placed through web.

Thank you very much for your help