RE: Reverse Proxy SSL

2001-07-16 Thread Sylvain . Maret

Roy,

You are right, in your case it's not a good idea to authenticate at the reverse proxy level. We should find a secure solution to access your internal application and keep your internal authentication with X509 certs.

To the best of my knowledge, I don't know of a transparent reverse proxy solution. Maybe it doesn't exist?

The solution I see for this case will be using VPN technology.

Maybe you can use a tunneling solution with SSL or SSH (SSH v3 now supports PKI). Or you can use standard IPSEC software. But if we use VPN technology, the main disadvantage is that we need to install a software client. 

From my point of view I prefer the reverse proxy solution, because we don't need to install a client and it is easier to use and more glamorous... 

If somebody has another solution, it would be nice.

Sylvain


Sylvain Maret
Senior Security Engineer
e-Xpert Solutions SA
Route de Pré-Marais 29
1233 Bernex / Geneva
Switzerland

Tel: +41 22 727 05 55
Fax: +41 22 727 05 50
Mail: [EMAIL PROTECTED]






Roy Preece [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
14.07.2001 00:41
Please respond to modssl-users


To:[EMAIL PROTECTED]
cc:
Subject:RE: Reverse Proxy SSL


hm,

Thanks Sylvain, but the perl scripts on my internal web server check cert details like issuer, common_name and expiry date before continuing. This is just additional security for permission to continue ie: If common name is in a db and issuer is myCA then continue - else - Nasty Msg. I would have to run these perl scripts on the external server for this to work. I am not comfortable with that idea.

Therefore, I still need the following ;
https clientTunnel reverse proxy server---https internal server with client Auth (X.509).

Besides the users like it when the page presents prefilled web forms with details from their certificate mapped to a user db :-)

You see, I have been running this system internally for quite some time, but now I need to open it up to some external users. The simplest secure way would be to reverse proxy SSL transparently. Is there really no-one else who needs to do this?

Feeling like the odd one out again,

Roy Preece 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 13, 2001 10:14 PM
To: [EMAIL PROTECTED]
Subject: RE: Reverse Proxy SSL


What you can do is: 

https - reverse proxy SSL with Client authentication (X509) https to your internal web server (192.168.x.y) as example 

In this case you authenticate on the reverse proxy with your personal cert and the reverse proxy gets the internal content with https (SSL) 



ProxyPass / https://172.20.1.10:444/ 


#  Client Authentication (Type): 
#  Client certificate verification type and depth. Types are 
#  none, optional, require and optional_no_ca. Depth is a 
#  number which specifies how deeply to verify the certificate 
#  issuer chain before deciding the certificate is not valid. 
SSLVerifyClient require 
SSLVerifyDepth 10 


It works on my side. 

Sylvain


Sylvain Maret
Senior Security Engineer
e-Xpert Solutions SA
Route de Pré-Marais 29
1233 Bernex / Geneva
Switzerland

Tel: +41 22 727 05 55
Fax: +41 22 727 05 50
Mail: [EMAIL PROTECTED] 





Roy Preece [EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED] 
13.07.2001 14:02 
Please respond to modssl-users 

To:[EMAIL PROTECTED] 
cc: 
Subject:RE: Reverse Proxy SSL



Unfortunately, it seems that the answer is: 
#1. Nobody seems to have successfully reverse proxied to a https server on a private (192.168) network 
httpsStraight thru proxy--https cert authentication + (perl $ENV{'SSL_CLIENT_S_DN_CN'} stuff.) 
 
I will look at implementing the following less secure method. 
httpsAuthenticating Proxy + (perl $ENV{'SSL_CLIENT_S_DN_CN'} stuff.)--Plain old http + NFS. 
 
OR 
 
VPN 
 
Cheers, 
 
Roy Preece 
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Roy Preece
Sent: Wednesday, July 11, 2001 9:22 PM
To: [EMAIL PROTECTED]
Subject: Reverse Proxy SSL

OK, from the lack of response to my previous email (SSLClient Browser -- Apache Proxypassreverse -- https://192.168.xxx.xxx) I can deduce one of two cases is true. 
 
1. Nobody has successfully achieved a reverse proxy of SSL in the way I am describing, (Hard to believe) 
or... 
2. You are really sick of this question. (Sorry) 
 
If you chose 2, I have read through all of the mail archives on this list and others with regard to reverse proxying https. The most popular config seems to be to run SSL between the browser and the proxy server and then plain old http between the 
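The checks Roy describes above (issuer, common name and expiry of the client certificate, then a common-name lookup in a user db before the page continues, with Sylvain's SSLVerifyClient require making sure the chain was verified) run against the SSL_CLIENT_* variables that mod_ssl exports to CGI scripts. The script below is an added example in Python, not Roy's Perl or anything posted to the list; the environment values, the user db dict and the trusted issuer DN are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample of the CGI environment mod_ssl builds for a request that
# arrived with a verified client certificate (values made up; variable names
# are mod_ssl's).  SSL_CLIENT_VERIFY is SUCCESS only when SSLVerifyClient
# checked the chain up to a trusted CA.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_CN": "roy",
    "SSL_CLIENT_I_DN": "/C=GB/O=Example Ltd/CN=myCA",
    "SSL_CLIENT_V_END": "Jul 16 23:59:59 2002 GMT",
}

# Stand-in for the user db (constructed); keyed by certificate common name.
USER_DB = {"roy": {"name": "Roy Preece", "email": "roy@example.invalid"}}

# Issuer DN the application trusts ("myCA" in Roy's description; constructed).
TRUSTED_ISSUER = "/C=GB/O=Example Ltd/CN=myCA"


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build an aware UTC datetime (helper so callers need no imports)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_ssl_date(text):
    """Parse mod_ssl's validity format, e.g. 'Jul 16 23:59:59 2002 GMT'."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def check_client_cert(env, now, user_db=USER_DB, trusted_issuer=TRUSTED_ISSUER):
    """Return (allowed, reason, user_record).

    Order matters: first make sure mod_ssl actually verified a certificate,
    then pin the issuer, then check expiry, and only then consult the db, so
    a CN from a certificate issued by some other CA never reaches the lookup.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return False, "no verified client certificate", None
    if env.get("SSL_CLIENT_I_DN") != trusted_issuer:
        return False, "issuer is not myCA", None
    try:
        not_after = parse_ssl_date(env.get("SSL_CLIENT_V_END", ""))
    except ValueError:
        return False, "unparseable expiry date", None
    if now > not_after:
        return False, "certificate expired", None
    cn = env.get("SSL_CLIENT_S_DN_CN", "")
    if cn not in user_db:
        return False, "common name not in db", None
    return True, "ok", user_db[cn]


def prefill_form(env, now):
    """The 'prefilled web form' Roy mentions: fields from the db record,
    or the 'Nasty Msg' when any check fails."""
    allowed, reason, user = check_client_cert(env, now)
    if not allowed:
        return {"error": "Nasty Msg: " + reason}
    return {"name": user["name"], "email": user["email"], "cn": env["SSL_CLIENT_S_DN_CN"]}


if __name__ == "__main__":
    print(prefill_form(SAMPLE_ENV, utc(2001, 7, 16)))
```

These variables describe the TLS session that the web server itself terminated; they exist only on that server, which is why the check cannot be done on the internal server when an intermediate proxy terminates SSL, exactly the point Roy makes. The time of day is passed in explicitly so the expiry branch can be exercised in a test.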

RE: Creating a UK CSR

2001-07-16 Thread John . Airey

I've just double-checked what I've said in my last posting, and I'm wrong on
at least two counts (probably more).
According to Thawte (and it probably isn't much different for anyone else):

1. The State within an SSL certificate must be an actual place; it cannot
be a postcode. This is annoying to UK users as some places do change county.

There are of course several unitary authorities who cannot be considered
to be in a county. For example, when entering Bristol you'll see "Welcome to
the City and County of Bristol" on the signs (ie, it isn't in Avon anymore).
I've yet to hear whether we are OK to use Peterborough as both City and
State. When I do I'll let the list know.

2. You can amend your CSR before the certificate is issued. Once the
certificate is issued you would then have to start the process again, ie pay
twice.

Sorry if I've messed up your CSR!

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

 -Original Message-
 From: matt [mailto:[EMAIL PROTECTED]]
 Sent: 10 July 2001 18:01
 To: [EMAIL PROTECTED]
 Subject: Creating a UK CSR
 
 
 Hey All,
 
 Just a quickie on UK certs. Can I just leave state blank, and use
 London for locality, or should I use London for both?
 
 Also GB is the correct ISO country code right?
 
 Thanks,
 
 Matt
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



BindAddress directive

2001-07-16 Thread William WK Lee

Dear all,

I am having difficulty using apache + mod_ssl.  My apache is 1.3.20 and
my mod_ssl is 2.8.4-1.3.20.  All the stuff compiles perfectly without any
problems.  However, I face difficulty when I edit httpd.conf to limit the
server to listen on a specific address.  It works fine if I issue apachectl
start (that is, no ssl support), but not apachectl startssl.  I also tried
to use the Listen directive to limit the server, but still failed.

I would like to ask if this is my problem or it is actually a bug.  Thank
you for your attention.

William WK Lee
MCP 465244
Hong Kong
--
William's Home Online - www.williamlee.org
William's Email - [EMAIL PROTECTED]




mod_ssl: Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)

2001-07-16 Thread Lukas Feiler

When I enable SSL (SSLEngine on in httpd.conf) the following error is 
logged:
[Sat Jul 14 19:34:55 2001] [error] mod_ssl: Init: (someserver:80) Illegal 
attempt to re-initialise SSL for server (theoretically shouldn't happen!)

After disabling SSL everything's just fine. But I definitely need SSL!

I am using:
Apache/1.3.20 (Unix) PHP/4.0.6 mod_ssl/2.8.4 OpenSSL/0.9.6a
(in fact SuSE Linux 7.2)

Is anyone out there who can help me?

Lukas Feiler
/**
EndlosProduktion
Kusch Senoner OEG
[EMAIL PROTECTED]
www.endlos.at
**/



RE: Creating a UK CSR

2001-07-16 Thread matt

Hey all,

I checked out the Thawte IRC support, and was told there that
I should just put London twice, once for state and once for
location. 

I now have my certificate and it's all OK, and works fine (cleared
up some Macintosh IE5 problems too.)

So thanks all for the help you've given, I'm now running a modssl
with Apache and I think I understand most of the important issues!

Matt

-- 
#!/usr/bin/perl
# signature: a one-dimensional cellular automaton, printed 80 cells per row
$A='A';while(print+($A.=(grep{($A=~/(...).{78}$/)[0]eq$_}"  A A A  "
=~m{(...)}g)?"A":" ")=~/([ A])$/){if(!(++$l%80)){print"\n";sleep 1}}





Re: mod_ssl: Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)

2001-07-16 Thread Lukas Feiler

Thanks for your quick response, but SSLEngine on does not appear twice 
in my httpd.conf (I wish that had been the problem).
Can you (or anybody else!) think of another reason (or solution) for my 
problem?

Help needed!

Lukas Feiler
/**
EndlosProduktion
Kusch Senoner OEG
[EMAIL PROTECTED]
www.endlos.at
**/


- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 16, 2001 11:34 AM
Subject: RE: mod_ssl: Illegal attempt to re-initialise SSL for server
(theoretically shouldn't happen!)


 This is a wild guess, but you wouldn't happen to have SSLEngine on more
 than once in your httpd.conf? You can do this if they are in different
 virtual hosts, but I think this error would be caused otherwise.

 -
 John Airey
 Internet Systems Support Officer, ITCSD, Royal National Institute for the
 Blind,
 Bakewell Road, Peterborough PE2 6XU,
 Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]


  -Original Message-
  From: Lukas Feiler [mailto:[EMAIL PROTECTED]]
  Sent: 16 July 2001 10:23
  To: [EMAIL PROTECTED]
  Subject: mod_ssl: Illegal attempt to re-initialise SSL for server
  (theoretically shouldn't happen!)
 
 
  When I enable SSL (SSLEngine on in httpd.conf) the
  following error is
  logged:
  [Sat Jul 14 19:34:55 2001] [error] mod_ssl: Init:
  (someserver:80) Illegal
  attempt to re-initialise SSL for server (theoretically
  shouldn't happen!)
 
  After disabling SSL everything's just fine. But I definitely need SSL!
 
  I am using:
  Apache/1.3.20 (Unix) PHP/4.0.6 mod_ssl/2.8.4 OpenSSL/0.9.6a
  (in fact SuSE Linux 7.2)
 
  Is anyone out there who can help me?
 
  Lukas Feiler
  /**
  EndlosProduktion
  Kusch Senoner OEG
  [EMAIL PROTECTED]
  www.endlos.at
  **/



Floating Point Errors

2001-07-16 Thread Michael Grant

I'm still getting floating point errors when someone accesses my site
via https://...  Here's what I get in the log:
in /var/log/messages:
/kernel: pid 47234 (httpd), uid 65530: exited on signal 8
and in the apache error log:
child pid 47234 exit signal Floating point exception (8)

I can reproduce the problem by simply hitting the https side of apache 
and about half the time, this occurs.  

Anyone out there experience this?  How can I debug such a thing?
Since apache forks and reforks, I can't debug a single process.

I've tried all the obvious things like reinstalling apache and mod_ssl 
but nothing seems to help.  Perhaps I have some old libraries
somewhere, but where?

Michael Grant



Apache error during SSL client connection

2001-07-16 Thread Patrick Li

Hi,

Can someone give me some help?  I got the following error from the
Apache/logs/error_log directory
I got this error when my SSL client program tries to connect to the apache
server.  It is urgent, anyone with any idea is greatly appreciated!

[Mon Jul 16 18:56:58 2001] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Mon Jul 16 18:56:58 2001] [error] System: Broken pipe (errno: 32)
[Mon Jul 16 18:56:58 2001] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Mon Jul 16 18:56:58 2001] [error] System: Broken pipe (errno: 32)
[Mon Jul 16 18:56:58 2001] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Mon Jul 16 18:56:58 2001] [error] System: Broken pipe (errno: 32)

Thanks
Patrick





Re: mod_ssl and name-based virtual hosts

2001-07-16 Thread Cliff Woolley

On Tue, 17 Jul 2001, Jan Vejvalka wrote:

 NameVirtualHost 1.2.3.4:443

 <VirtualHost 1.2.3.4:443>
 ServerName host1.mydomain.dom
 DocumentRoot /data/host1
 ServerAdmin [EMAIL PROTECTED]
 </VirtualHost>

 <VirtualHost 1.2.3.4:443>
 ServerName host2.mydomain.dom
 DocumentRoot /data/host2
 ServerAdmin [EMAIL PROTECTED]
 </VirtualHost>
 (...)

 The rest of the virtual host configuration is the same (yes, using the
 same certificate for both hosts - I didn't try to change it, and I don't
 mind it in this application).

 I'm -sort-of- puzzled. Please help.

If you're using the same SSL configuration and the same certificate for
both hosts (generally not an option in the real world because of the
security alert boxes it brings up in the browser), then you won't _notice_
a problem with namevirtualhost.  That's because you're masking the fact
that both of the vhosts are using the config of the FIRST one.  The fact
that they're the same means it doesn't matter if they each use their own
or if they both pick the same one.

But like I said, this doesn't work in general because normally each vhost
must have a certificate that matches its domain name lest trust error
messages get triggered in the browser and scary-looking dialog boxes pop
up in front of the user.

Make sense?

--Cliff


--
   Cliff Woolley
   [EMAIL PROTECTED]
   Charlottesville, VA


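Cliff's explanation rests on one fact: the SSL handshake, certificate included, is finished before the server can read the HTTP Host header, so with several name-based vhosts on one ip:port the first vhost's SSL config is what every name gets. The model below is an added example in Python, not Apache code or anything from the thread; the vhost table is constructed to mirror Jan's configuration, and the sni_name parameter goes beyond the page by modelling the TLS Server Name Indication extension (later than this thread) that lets a server choose per name. The wildcard handling in name_mismatch is likewise an addition, not something discussed on the list.

```python
# Constructed model of Jan's configuration: two name-based vhosts on one
# ip:port.  cert_cn stands for the CN in each vhost's SSLCertificateFile.
VHOSTS = [
    {"addr": ("1.2.3.4", 443), "server_name": "host1.mydomain.dom", "cert_cn": "host1.mydomain.dom"},
    {"addr": ("1.2.3.4", 443), "server_name": "host2.mydomain.dom", "cert_cn": "host2.mydomain.dom"},
]


def ssl_config_for(vhosts, addr, sni_name=None):
    """Pick the vhost whose SSL settings (certificate included) the server
    uses for a new connection to addr.

    The handshake happens before any Host header is readable, so a server
    with no name information can only go by ip:port, and the first matching
    vhost wins for every name on that address (Cliff's point).  sni_name
    models TLS Server Name Indication, which postdates the thread: with it
    the client names the host inside the handshake and a match on
    server_name can be made first.
    """
    candidates = [v for v in vhosts if v["addr"] == addr]
    if not candidates:
        raise LookupError("no vhost listening on %s:%d" % addr)
    if sni_name is not None:
        for v in candidates:
            if v["server_name"] == sni_name:
                return v
    return candidates[0]


def name_mismatch(cert_cn, requested_host):
    """True when the presented certificate's CN does not cover the host the
    user asked for, i.e. when a browser raises its trust warning.
    Accepts a single leading wildcard label (*.mydomain.dom) covering
    exactly one label, an addition beyond what the thread discusses."""
    if cert_cn == requested_host:
        return False
    if cert_cn.startswith("*."):
        suffix = cert_cn[1:]
        same_depth = requested_host.count(".") == cert_cn.count(".")
        return not (requested_host.endswith(suffix) and same_depth)
    return True


def simulate_request(vhosts, requested_host, addr=("1.2.3.4", 443), sni_name=None):
    """What the user sees: whose certificate was sent, and whether the
    browser would warn because it does not match the requested host."""
    v = ssl_config_for(vhosts, addr, sni_name)
    return {
        "ssl_config_from": v["server_name"],
        "cert_cn": v["cert_cn"],
        "browser_warning": name_mismatch(v["cert_cn"], requested_host),
    }


if __name__ == "__main__":
    for host in ("host1.mydomain.dom", "host2.mydomain.dom"):
        print(host, simulate_request(VHOSTS, host))
```

Run as-is, a request for host2.mydomain.dom is served with host1's certificate and flagged, which is the "scary-looking dialog" Cliff describes; giving both vhosts the same certificate, as Jan does, only hides which config was picked, it does not change the pick.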