Re: Upgrade ?

2002-06-24 Thread RON MCKEEVER

Hi Mr Woolley,

Thanks for the email. That REALLY helped me to get my mod_ssl-2.8.7-1.3.23
upgraded to mod_ssl-2.8.10-1.3.26.
aca# pwd
opt/apache/bin
aca# ./apachectl startssl
Apache/1.3.26 mod_ssl/2.8.10 (Pass Phrase Dialog)


I was wondering, is there a web page at the apache or modssl site that explains the
upgrade process?

This question might not be for you or this group but I guess I'll ask anyway.

When I use my phpinfo page to see config info, it shows that apache is:

Apache Version    Apache/1.3.23

but if I look a little further down on the phpinfo page I see the correct
info:

["SERVER_SIGNATURE"]  Apache/1.3.26 Server at aca.fff.com Port 443
["SERVER_SOFTWARE"]   Apache/1.3.26 (Unix) PHP/4.1.2 mod_ssl/2.8.10 OpenSSL/0.9.6 mod_perl/1.26

I have rebooted my system and still that one line in php shows the wrong
version. Any ideas?

Thanks Again,
Ron


On Mon, 24 Jun 2002 11:32:06 -0400 (EDT) Cliff Woolley <[EMAIL PROTECTED]>
wrote:

On Mon, 24 Jun 2002, RON MCKEEVER wrote:

> I'm a little confused on how to upgrade my current mod_ssl-2.8.7-1.3.23 to
> mod_ssl-2.8.10-1.3.26.
> When I untar the new apache 1.3.26 it is in its own dir. So how do I upgrade
> 1.3.23? When I run the configure statement in the mod_ssl-2.8.10 dir I can't
> state --with-apache="1.3.23", I need to state the new apache dir, right??

Right... you give mod_ssl-2.8.10 the Apache 1.3.26 *source* directory for
its --with-apache= argument.  Then when you configure apache, tell it to
*install* to the same location that 1.3.23 is currently installed using
--prefix= (eg /usr/local/apache) and use the same directory structure
(using --with-layout= ) that you used before, if any.  Then when you run
'make install' from the Apache 1.3.26 source directory, it will overwrite
your 1.3.23 installation.

That should be it.

--Cliff

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]




Re: Upgrade ?

2002-06-24 Thread Cliff Woolley

On Mon, 24 Jun 2002, Thomas Binder wrote:

> > Then when you run 'make install' from the Apache 1.3.26 source
> > directory, it will overwrite your 1.3.23 installation.
>
> Just in case anyone wonders: it will NOT overwrite the config
> files of the 1.3.23 installation.

Oh right... meant to point that out.  Thanks.  :)

--Cliff




Re: Upgrade ?

2002-06-24 Thread Thomas Binder

Hi!

On Mon, Jun 24, 2002 at 11:32:06AM -0400, Cliff Woolley wrote:
> Then when you run 'make install' from the Apache 1.3.26 source
> directory, it will overwrite your 1.3.23 installation.

Just in case anyone wonders: it will NOT overwrite the config
files of the 1.3.23 installation.


Ciao

Thomas



Re: hanging apache processes (1.3.29 + mod_ssl 2.8.9)

2002-06-24 Thread Peter Viertel

Perhaps if you watch the session with Eric Rescorla's excellent ssldump tool
you may get to the bottom of it

http://www.rtfm.com/ssldump/

Or another possibility altogether... I had a problem which looked similar
to this which was some solaris specific mutex bug which meant that child
processes did not get released properly after certain types of SSL connections
- this was fixed only with rev 1.3.24, and also by adding 'AcceptMutex pthread'
to the config file.

Alex Kotov wrote:

> I've seen strange problems with IE5, too, but these connections have
> "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; DigExt)" as
> User-Agent. Unfortunately, changing tcp keepalive setting is not an
> option for us.
>
> I don't know all the intricacies of SSL handshake, but it looks like it
> starts by the server trying to read 11 bytes from the client, and this is
> where mod_ssl may wait for a long time without checking for a timeout.
> Could someone point me to the place in the code where this read happens? I
> would hate to switch to stronghold :(
>
> Thanks,
> - Alex
>
>
> On Mon, 24 Jun 2002, Andy Osborne wrote:
>
> > I've seen this happen sometimes on our SSL servers (which do
> > quite a lot of traffic).  A quick search of the logs for
> > recent connections from the same address always shows the
> > client as IE5.0 - which is known to be broken.  The connections
> > seem to stall in the SSL negotiation and get killed off
> > by our rather intolerant tcp keepalive settings.  I've never
> > found a real answer to the problem.
> >
> > Andy
> >
> > Alex Kotov wrote:
> >
> > > Hi Cliff,
> > >
> > > Thanks for your response.
> > >
> > > I'm using
> > >
> > > SSLRandomSeed startup builtin
> > > SSLRandomSeed connect builtin
> > >
> > > and 5 is definitely the file descriptor for the network connection.
> > >
> > > Is there anything else I should check?
> > >
> > > Thanks,
> > > - Alex
> > >
> > >
> > > On Mon, 24 Jun 2002, Cliff Woolley wrote:
> > >
> > > > On Sun, 23 Jun 2002, Alex Kotov wrote:
> > > >
> > > > > After a while the server processes become stuck while waiting for
> > > > > the data from a socket.
> > > > > Running strace on a hung process produces
> > > > > read(5,
> > > > > for a long time, eventually followed by
> > > > > read(5, 0x959d2d8, 11) = -1 ETIMEDOUT (Connection timed out)
> > > >
> > > > Are you sure that file descriptor 5 is the connection to the client?
> > > >
> > > > What SSLRandomSeed are you using?  This sounds like one of those
> > > > /dev/random not-enough-entropy problems to me.
> > > >
> > > > --Cliff
> >
> > --
> > Andy Osborne    "Vertical B2B Communities"
> > Senior Internet Engineer
> > Sift Group    100 Victoria Street, Bristol BS1 6HZ
> > tel:+44 117 915 9600  fax:+44 117 915 9630   http://www.sift.co.uk



Re: hanging apache processes (1.3.29 + mod_ssl 2.8.9)

2002-06-24 Thread Alex Kotov


I've seen strange problems with IE5, too, but these connections have
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; DigExt)" as
User-Agent. Unfortunately, changing tcp keepalive setting is not an
option for us.

I don't know all the intricacies of SSL handshake, but it looks like it
starts by the server trying to read 11 bytes from the client, and this is
where mod_ssl may wait for a long time without checking for a timeout.
Could someone point me to the place in the code where this read happens? I
would hate to switch to stronghold :(

Thanks,
- Alex


On Mon, 24 Jun 2002, Andy Osborne wrote:

> I've seen this happen sometimes on our SSL servers (which do
> quite a lot of traffic).  A quick search of the logs for
> recent connections from the same address always shows the
> client as IE5.0 - which is known to be broken.  The connections
> seem to stall in the SSL negotiation and get killed off
> by our rather intolerant tcp keepalive settings.  I've never
> found a real answer to the problem.
>
> Andy
>
> Alex Kotov wrote:
>
> > Hi Cliff,
> >
> > Thanks for your response.
> >
> > I'm using
> >
> > SSLRandomSeed startup builtin
> > SSLRandomSeed connect builtin
> >
> > and 5 is definitely the file descriptor for the network connection.
> >
> > Is there anything else I should check?
> >
> > Thanks,
> > - Alex
> >
> >
> > On Mon, 24 Jun 2002, Cliff Woolley wrote:
> >
> >
> >>On Sun, 23 Jun 2002, Alex Kotov wrote:
> >>
> >>
> >>>After a while the server processes become stuck while waiting for
> >>>the data from a socket.
> >>>Running strace on a hung process produces
> >>>read(5,
> >>>for a long time, eventually followed by
> >>>read(5, 0x959d2d8, 11) = -1 ETIMEDOUT (Connection timed out)
> >>>
> >>Are you sure that file descriptor 5 is the connection to the client?
> >>
> >>What SSLRandomSeed are you using?  This sounds like one of those
> >>/dev/random not-enough-entropy problems to me.
> >>
> >>--Cliff
> >>
> >>
> >
> >
>
>
> --
> Andy Osborne    "Vertical B2B Communities"
> Senior Internet Engineer
> Sift Group    100 Victoria Street, Bristol BS1 6HZ
> tel:+44 117 915 9600  fax:+44 117 915 9630   http://www.sift.co.uk
>



Re: hanging apache processes (1.3.29 + mod_ssl 2.8.9)

2002-06-24 Thread Andy Osborne

I've seen this happen sometimes on our SSL servers (which do
quite a lot of traffic).  A quick search of the logs for
recent connections from the same address always shows the
client as IE5.0 - which is known to be broken.  The connections
seem to stall in the SSL negotiation and get killed off
by our rather intolerant tcp keepalive settings.  I've never
found a real answer to the problem.

Andy

Alex Kotov wrote:

> Hi Cliff,
> 
> Thanks for your response.
> 
> I'm using
> 
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> 
> and 5 is definitely the file descriptor for the network connection.
> 
> Is there anything else I should check?
> 
> Thanks,
> - Alex
> 
> 
> On Mon, 24 Jun 2002, Cliff Woolley wrote:
> 
> 
>>On Sun, 23 Jun 2002, Alex Kotov wrote:
>>
>>
>>>After a while the server processes become stuck while waiting for
>>>the data from a socket.
>>>Running strace on a hung process produces
>>>read(5,
>>>for a long time, eventually followed by
>>>read(5, 0x959d2d8, 11) = -1 ETIMEDOUT (Connection timed out)
>>>
>>Are you sure that file descriptor 5 is the connection to the client?
>>
>>What SSLRandomSeed are you using?  This sounds like one of those
>>/dev/random not-enough-entropy problems to me.
>>
>>--Cliff
>>
>>
> 
> 


-- 
Andy Osborne    "Vertical B2B Communities"
Senior Internet Engineer
Sift Group    100 Victoria Street, Bristol BS1 6HZ
tel:+44 117 915 9600  fax:+44 117 915 9630   http://www.sift.co.uk




RE: Reverse proxying of SSL traffic

2002-06-24 Thread Merton Campbell Crockett

On Mon, 24 Jun 2002, Philip Ravenscroft wrote:

> > The reverse proxy should now make an SSL connection to
> > webserver (this is
> > running IBM HTTPServer, IBM's packaged Apache). webserver has it's own
> > self-signed certificate.
> 
> Out of the box, mod_proxy cannot negotiate secure connections, so it can't
> connect to your backend server using https.  (I don't know if anyone has
> gotten this to work, though).  This means that you should have the backend
> proxy connect in the clear to your IBM server.

Normally, one uses mod_rewrite on the exposed server to communicate with an
internal reverse proxy or the actual content server.  The content returned
by the internal server can be returned using mod_proxy.

Ralf Engelschall wrote a paper on mod_rewrite in the late Nineties that
has a lot of detail on the function and use of this module.  Reading the
paper is time well spent.

Nothing up this sleeve. ... Ooh! I don't know my own strength!
Bullwinkle J Moose

Merton Campbell Crockett


-- 
BEGIN:  vcard
VERSION:3.0
FN: Merton Campbell Crockett
ORG:General Dynamics Advanced Information Systems;
Intelligence Solutions
N:  Crockett;Merton;Campbell
EMAIL;TYPE=internet:[EMAIL PROTECTED]
TEL;TYPE=work,voice,msg,pref:   +1(805)497-5045
TEL;TYPE=pager,msg: +1(877)528-0049
TEL;TYPE=fax,work:  +1(805)497-5050
TEL;TYPE=cell,voice,msg:+1(805)377-6762
END:vcard




Re: hanging apache processes (1.3.29 + mod_ssl 2.8.9)

2002-06-24 Thread Alex Kotov


Hi Cliff,

Thanks for your response.

I'm using

SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

and 5 is definitely the file descriptor for the network connection.

Is there anything else I should check?

Thanks,
- Alex


On Mon, 24 Jun 2002, Cliff Woolley wrote:

> On Sun, 23 Jun 2002, Alex Kotov wrote:
>
> > After a while the server processes become stuck while waiting for
> > the data from a socket.
> > Running strace on a hung process produces
> > read(5,
> > for a long time, eventually followed by
> > read(5, 0x959d2d8, 11) = -1 ETIMEDOUT (Connection timed out)
>
> Are you sure that file descriptor 5 is the connection to the client?
>
> What SSLRandomSeed are you using?  This sounds like one of those
> /dev/random not-enough-entropy problems to me.
>
> --Cliff
>
>



RE: Reverse proxying of SSL traffic

2002-06-24 Thread Philip Ravenscroft

> The reverse proxy should now make an SSL connection to
> webserver (this is
> running IBM HTTPServer, IBM's packaged Apache). webserver has it's own
> self-signed certificate.

Out of the box, mod_proxy cannot negotiate secure connections, so it can't
connect to your backend server using https.  (I don't know if anyone has
gotten this to work, though).  This means that you should have the backend
proxy connect in the clear to your IBM server.

Usually this is done with the proxy in the DMZ and the other server behind
another firewall, so it is secure.

Phil






Re: Two copies of Apache running on the same server...

2002-06-24 Thread Peter Viertel

you can run as many instances of apache as your system can support so 
long as no two instances listen on the same port - at least that's the 
theory.
In practice, apache writes to various files such as the .pid file, 
lockfiles, mutex lockfiles etc - and it can be difficult to make sure 
the different instances don't run into each other (and remembering this 
each time you compile a new version).

On the other hand, it's just not necessary usually to run multiple 
instances - one apache instance can serve http and https on multiple 
ports at the same time using VirtualHost stanzas.

You've probably noticed that apache pre-forks several copies of itself, 
and it's these children that handle connections in a parallel fashion and 
go some way to taking advantage of multiple CPUs, but it's not the 
absolute best possible - that would be if you were using solaris 
threads. As it happens Apache 2 is multi-threaded, yet still supports 
pre-forked children, so you can tune it up a lot better.

On the balance of things, I feel it would be harder to get good 
performance out of a system if you used two separate apaches, than if 
you worked on tuning it up with just one.

Yu, Ming wrote:

>I have a web environment that supports both http and https on the same
>machine.  The machine is a powerful SPARC 450 with a lot of memory and CPU
>power.  I am wondering if I can install copies of apache on the same
>machine, one runs http, and another runs https.  Will this improve the
>server performance?
>
>- Ming 
>- System Engineer 
>- APL



RE: Reverse proxying of SSL traffic

2002-06-24 Thread michael_pacey


Yep, I did that and port 80 works like a dream.

When you say:

>Then, set up a virtual server on port 443 with the same proxy stuff.
>You reference the certificate file there.

this is the bit that bothers me.

Here's my virtual host:


ServerName slrsdct1.internal.standardlife.com
ErrorLog /oem/apache-mod_ssl/logs/error_log
ProxyPass / https://webserver/
ProxyPassReverse / https://webserver/
SSLEngine On
SSLCipherSuite ALL
SSLCertificateFile /oem/apache-mod_ssl/conf/ssl/revproxy.crt
SSLVerifyDepth 3
SSLCertificateKeyFile /oem/apache-mod_ssl/conf/ssl/revproxy.key


I can make an SSL connection to this virtual host; the browser indicates
that encryption is in use.
The certificate/key that the reverse proxy is using is specified by the
SSLCertificateFile and SSLCertificateKeyFile directives.

The reverse proxy should now make an SSL connection to webserver (this is
running IBM HTTPServer, IBM's packaged Apache). webserver has it's own
self-signed certificate. I can make SSL connections to webserver with a
browser satisfactorily, but the browser alerts me that it doesn't trust the
certificate (because it's self-signed) and I have to click through.

I imagine that revproxy doesn't trust the certificate either, which is
causing the problem. Perhaps it's something else, but I am pretty sure I
need to tell revproxy about webserver's certificate within httpd.conf. I
can't find a suitable directive in the docs.

BTW this is Apache/1.3.24 with mod_ssl-2.8.8-1.3.24 on AIX 4.3.3

I have also been trying to do this with another proprietary product that
I'm not going to mention; it doesn't work (the supplier is working on a
fix) and I really don't like the software. I would love to prove that
Apache and mod_ssl are up to the job.

Many thanks in advance!

Michael



   
  
To: <[EMAIL PROTECTED]>
Sent: 24/06/2002 15:56
Please respond to modssl-users



Set up two virtual servers for the same IP, one on port 80 (with just
simple
proxy rules).  Confirm this works.

Then, set up a virtual server on port 443 with the same proxy stuff.  You
reference the certificate file there.

Phil

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, June 24, 2002 7:54 AM
> To: [EMAIL PROTECTED]
> Subject: Reverse proxying of SSL traffic
>
>
> Hi list,
>
> I have a requirement to set up a reverse proxy (web
> accelerator) which will
> accept incoming HTTP and HTTPS connections (using our
> Verisign credentials
> on the proxy) and proxy those requests to other web servers.
>
> The catch is I need the connection between the proxy and the
> web server to
> be HTTPS if and only if the incoming connection to the proxy
> is HTTPS. I
> will be using self-signed certificates on the web servers.
>
> Apache+mod_ssl looks like it can do this with
> ProxyPass/ProxyPassReverse
> but where do I reference the self signed certificate of the
> web server in
> httpd.conf?
>
> At the moment I get the following error in my browser when I
> try to use the
> reverse proxy:
>
> Proxy Error
> The proxy server received an invalid response from an upstream server.
>
>
> The proxy server could not handle the request GET /.
>
>
> Reason: SSL proxy connect failed
> (slrsdct1.internal.standardlife.com:443):
> peer 172.31.100.31:443: decryption failed or bad record mac
>
>
> Thanks in advance.
>
> Michael Pacey
>
>
>
> For more information on Standard Life, visit our website
> http://www.standardlife.com/
>
> The Standard Life Assurance Company, Standard Life House, 30
> Lothian Road,
> Edinburgh EH1 2DH, is registered in Scotland (No. SZ4) and
> regulated by the
> Financial Services Authority. Tel: 0131 225 2552 - calls may
> be recorded or
> monitored. This confidential e-mail is

Re: Upgrade ?

2002-06-24 Thread Cliff Woolley

On Mon, 24 Jun 2002, RON MCKEEVER wrote:

> I'm a little confused on how to upgrade my current mod_ssl-2.8.7-1.3.23 to
> mod_ssl-2.8.10-1.3.26.
> When I untar the new apache 1.3.26 it is in its own dir. So how do I upgrade
> 1.3.23? When I run the configure statement in the mod_ssl-2.8.10 dir I can't
> state --with-apache="1.3.23", I need to state the new apache dir, right??

Right... you give mod_ssl-2.8.10 the Apache 1.3.26 *source* directory for
its --with-apache= argument.  Then when you configure apache, tell it to
*install* to the same location that 1.3.23 is currently installed using
--prefix= (eg /usr/local/apache) and use the same directory structure
(using --with-layout= ) that you used before, if any.  Then when you run
'make install' from the Apache 1.3.26 source directory, it will overwrite
your 1.3.23 installation.

That should be it.

--Cliff




Upgrade ?

2002-06-24 Thread RON MCKEEVER

Hello,

I'm a little confused on how to upgrade my current mod_ssl-2.8.7-1.3.23 to
mod_ssl-2.8.10-1.3.26. 

When I untar the new apache 1.3.26 it is in its own dir. So how do I upgrade
1.3.23? When I run the configure statement in the mod_ssl-2.8.10 dir I can't
state --with-apache="1.3.23", I need to state the new apache dir, right??

Am I missing something? If I am maybe someone can clarify the upgrade process
to me or point me to a doc that explains this? 

To me it sounds like you have to install mod_ssl-2.8.10-1.3.26, and move all
your stuff from the old apache dir's to the new??? 

Thanks for your time up front.

ron



Two copies of Apache running on the same server...

2002-06-24 Thread Yu, Ming

I have a web environment that supports both http and https on the same
machine.  The machine is a powerful SPARC 450 with a lot of memory and CPU
power.  I am wondering if I can install copies of apache on the same
machine, one runs http, and another runs https.  Will this improve the
server performance?

- Ming 
- System Engineer 
- APL



RE: Reverse proxying of SSL traffic

2002-06-24 Thread Philip Ravenscroft

Set up two virtual servers for the same IP, one on port 80 (with just simple
proxy rules).  Confirm this works.

Then, set up a virtual server on port 443 with the same proxy stuff.  You
reference the certificate file there.

Phil

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, June 24, 2002 7:54 AM
> To: [EMAIL PROTECTED]
> Subject: Reverse proxying of SSL traffic
>
>
> Hi list,
>
> I have a requirement to set up a reverse proxy (web
> accelerator) which will
> accept incoming HTTP and HTTPS connections (using our
> Verisign credentials
> on the proxy) and proxy those requests to other web servers.
>
> The catch is I need the connection between the proxy and the
> web server to
> be HTTPS if and only if the incoming connection to the proxy
> is HTTPS. I
> will be using self-signed certificates on the web servers.
>
> Apache+mod_ssl looks like it can do this with
> ProxyPass/ProxyPassReverse
> but where do I reference the self signed certificate of the
> web server in
> httpd.conf?
>
> At the moment I get the following error in my browser when I
> try to use the
> reverse proxy:
>
> Proxy Error
> The proxy server received an invalid response from an upstream server.
>
>
> The proxy server could not handle the request GET /.
>
>
> Reason: SSL proxy connect failed
> (slrsdct1.internal.standardlife.com:443):
> peer 172.31.100.31:443: decryption failed or bad record mac
>
>
> Thanks in advance.
>
> Michael Pacey
>
>
>
> For more information on Standard Life, visit our website
> http://www.standardlife.com/
>
> The Standard Life Assurance Company, Standard Life House, 30
> Lothian Road,
> Edinburgh EH1 2DH, is registered in Scotland (No. SZ4) and
> regulated by the
> Financial Services Authority. Tel: 0131 225 2552 - calls may
> be recorded or
> monitored. This confidential e-mail is for the addressee
> only. If received
> in error, do not retain/copy/disclose it without our consent
> and please
> return it to us. We virus scan and monitor all e-mails but are not
> responsible for any damage caused by a virus or alteration by
> a third party
> after it is sent.
>



Re: Apache + Modssl mod_log_config.so bug

2002-06-24 Thread Joe Orton

On Fri, Jun 21, 2002 at 03:00:40PM -0400, Karl Grindley wrote:
> 
> after upgrading to Apache 1.3.26 and ModSSL 2.8.9, the webserver seems
> to die after/during log rotation with the following errors.  It appears
> that when the logs either don't exists, or some other scenario, the
> webserver dies after receiving a -HUP or -SIGUSR1.
> 
> [Sat Jun 22 04:00:16 2002] [notice] SIGUSR1 received.  Doing graceful
> restart
> Syntax error on line 62 of /var/www/conf/httpd.conf:
> Cannot load /var/www/modules/mod_log_config.so into server:
> /var/www/modules/mod_log_config.so: undefined symbol: ap_escape_logitem
> 
> Anyone else experiencing this?  seems to even happen with standard
> RedHat apache version 1.3.22 also.

You'll get this error if you don't completely stop and start the server
after upgrading from 1.3.22 to 1.3.26. (since the 1.3.22 httpd binary is
trying to load the 1.3.26 modules after the HUP or USR1 signal, but they
aren't compatible)

Regards,

joe
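The failure Joe describes can be detected before the restart signal is sent: a running httpd whose binary and DSOs have been overwritten by `make install` still maps the old files, and on SIGHUP/SIGUSR1 the old core re-loads the new modules from disk. The check below is an added example (written for this page, not Apache's code and not anything posted in the thread). It assumes a Linux /proc; the maps excerpt, its paths and its inode numbers are constructed. It applies just as well to the in-place 1.3.23 to 1.3.26 upgrade Cliff describes elsewhere in this digest.

```python
import os
import re
import sys

# One /proc/<pid>/maps line: address perms offset dev inode [pathname]
_MAPS_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$")


def stale_mappings(maps_text):
    """Paths of mapped files whose directory entry has been replaced or removed.

    Linux tags such mappings with ' (deleted)'. After `make install` has
    overwritten httpd and its DSOs, the still-running server shows exactly this,
    and a graceful restart would load the new modules into the old core.
    """
    stale = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if m and m.group("path").startswith("/") and m.group("path").endswith(" (deleted)"):
            stale.add(m.group("path")[: -len(" (deleted)")])
    return sorted(stale)


def same_binary(running_ident, ondisk_ident):
    """True when (st_dev, st_ino) of the running image equals the file now on disk."""
    return tuple(running_ident) == tuple(ondisk_ident)


def file_ident(path):
    st = os.stat(path)             # follows symlinks, so /proc/<pid>/exe works too
    return (st.st_dev, st.st_ino)


def restart_advice(pid, binary_path):
    """'graceful' only when pid runs the binary that is on disk and maps no stale
    files; otherwise 'stop-start' (HUP/USR1 would load new DSOs into an old core)."""
    with open("/proc/%d/maps" % pid) as fh:
        stale = stale_mappings(fh.read())
    core_ok = same_binary(file_ident("/proc/%d/exe" % pid), file_ident(binary_path))
    return ("graceful" if core_ok and not stale else "stop-start"), stale


# Constructed /proc/<pid>/maps excerpt (hypothetical paths and inodes) for an
# Apache 1.3.22 still running after `make install` of 1.3.26 replaced its files.
SAMPLE_MAPS = """\
08048000-080c0000 r-xp 00000000 08:01 131074     /var/www/bin/httpd (deleted)
080c0000-080c8000 rw-p 00077000 08:01 131074     /var/www/bin/httpd (deleted)
40000000-40016000 r-xp 00000000 08:01 65541      /lib/ld-2.2.5.so
40018000-40021000 r-xp 00000000 08:01 262159     /var/www/modules/mod_log_config.so (deleted)
40021000-40022000 rw-p 00008000 08:01 262159     /var/www/modules/mod_log_config.so (deleted)
40022000-40060000 r-xp 00000000 08:01 262160     /var/www/modules/mod_ssl.so
40060000-40070000 rw-p 00000000 00:00 0
bfffe000-c0000000 rwxp 00000000 00:00 0          [stack]
"""

if __name__ == "__main__":
    print("stale in sample:", stale_mappings(SAMPLE_MAPS))
    if os.path.isdir("/proc"):   # live self-check: this interpreter vs. its file on disk
        print("this process:", restart_advice(os.getpid(), sys.executable))
```

On a live box, `restart_advice(pid, "/var/www/bin/httpd")` (path assumed) returns 'stop-start' whenever any mapping is reported deleted or /proc/<pid>/exe no longer matches the file on disk, which also catches a half-finished install where only some modules have been replaced.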



undefined symbol X509_free

2002-06-24 Thread Zac Hillier

Hi,

Have installed apache-2.0.39 with ssl module on redhat 7.3, when trying to
start the server with -D SSL I get an error:

Syntax error line 234 of httpd.conf
Cannot load mod_ssl.so into server : undefined symbol X509_free

When I build apache I used --enable-ssl=shared
and --wth-ssl=/usr/local/openssl

Can anyone suggest what I should do?

Thanks

Zac




Reverse proxying of SSL traffic

2002-06-24 Thread michael_pacey

Hi list,

I have a requirement to set up a reverse proxy (web accelerator) which will
accept incoming HTTP and HTTPS connections (using our Verisign credentials
on the proxy) and proxy those requests to other web servers.

The catch is I need the connection between the proxy and the web server to
be HTTPS if and only if the incoming connection to the proxy is HTTPS. I
will be using self-signed certificates on the web servers.

Apache+mod_ssl looks like it can do this with ProxyPass/ProxyPassReverse
but where do I reference the self signed certificate of the web server in
httpd.conf?

At the moment I get the following error in my browser when I try to use the
reverse proxy:

Proxy Error
The proxy server received an invalid response from an upstream server.


The proxy server could not handle the request GET /.


Reason: SSL proxy connect failed (slrsdct1.internal.standardlife.com:443):
peer 172.31.100.31:443: decryption failed or bad record mac


Thanks in advance.

Michael Pacey



For more information on Standard Life, visit our website
http://www.standardlife.com/

The Standard Life Assurance Company, Standard Life House, 30 Lothian Road,
Edinburgh EH1 2DH, is registered in Scotland (No. SZ4) and regulated by the
Financial Services Authority. Tel: 0131 225 2552 - calls may be recorded or
monitored. This confidential e-mail is for the addressee only. If received
in error, do not retain/copy/disclose it without our consent and please
return it to us. We virus scan and monitor all e-mails but are not
responsible for any damage caused by a virus or alteration by a third party
after it is sent.




[ANNOUNCE] mod_ssl 2.8.10

2002-06-24 Thread Ralf S. Engelschall

Another bugfixing round in the maintenance of mod_ssl 2.8 for Apache 1.3.

Fetch it and upgrade from:

 o  http://www.modssl.org/source/
 o   ftp://ftp.modssl.org/source/

Yours,
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com

  Changes with mod_ssl 2.8.10 (19-Jun-2002 to 24-Jun-2002)

   *) Fixed off-by-one buffer overflow bug in the compatibility
  functionality (mapping of old directives to new ones).

   *) Fixed memory leak in processing of CA certificates.

   *) In case there is actually a certificate chain in the session cache,
  we now use the value of SSL_get_peer_certificate(ssl) to verify as
  it will have been removed from the chain before it was put in the
  cache.

   *) Seed the PRNG with a maximum of 1K from the internal scoreboard.



REPOST [apache 2.0.39 w/SSL on HP-UX 11.0 ignores SSLRandomSeed setting]

2002-06-24 Thread V. T. Mueller

- Forwarded message from "V. T. Mueller" <[EMAIL PROTECTED]> -

To: [EMAIL PROTECTED]
Date: Fri, 21 Jun 2002 14:33:47 +0200
From: "V. T. Mueller" <[EMAIL PROTECTED]>
Subject: apache 2.0.39 w/SSL on HP-UX 11.0 ignores SSLRandomSeed setting
User-Agent: Mutt/1.3.26i

Hello,

A recently built 2.0.39 fails to start with:
[Fri Jun 21 12:42:47 2002] [info] Init: Initializing OpenSSL library
[Fri Jun 21 12:42:47 2002] [info] Init: Seeding PRNG with 0 bytes of entropy
[Fri Jun 21 12:42:47 2002] [warn] Init: PRNG still contains not sufficient entropy!
[Fri Jun 21 12:42:47 2002] [info] Init: Generating temporary RSA private keys 
(512/1024 bits)
[Fri Jun 21 12:42:47 2002] [error] Init: Failed to generate temporary 512 bit RSA 
private key
Configuration Failed

Tracing revealed this behaviour:
[..]
write(8, "[ F r i   J u n   2 1   1 2 : 4 ".., 77) ... = (77)
getpid() . = 23638 (23637)
open("/dev/urandom", O_RDONLY, 0666) . ERR#2 ENOENT
getuid() . = 0 (0)
time(NULL) ... = 1024656167
gettimeofday(0x7f7f8c08, NULL) ... = 0
write(8, "[ F r i   J u n   2 1   1 2 : 4 ".., 84) ... = 84
[..]

To my surprise, this happens with the default configuration where
SSLRandomSeed is set to "builtin" and also when I change this
particular setting to point to the existing egd socket. It also
appears when the SSL include is commented out from httpd.conf .

Is there a bug in apache or mod_ssl or am I missing something here?

System is HP-UX 11.0, my build was:
CC=cc CFLAGS='+O3 +Onolimit -Ae' ./configure --enable-ssl 
--with-ssl=/opt/openssl/0.9.6d --enable-so --prefix=/opt/apache2

TIA,
Volker
-

Volker T. Mueller

Continum AG  Tel. +49 761 4794090
Boetzinger Strasse 29a   Fax. +49 761 4794099
79111 Freiburg i. Br.http://continum.net
-

- End forwarded message -



Re: [BugDB] Performance issue (PR#723)

2002-06-24 Thread Thomas Binder

Hi!

On Sat, Jun 22, 2002 at 01:49:12AM +0200, [EMAIL PROTECTED] wrote:
> This caused a different behavior. I mean, it took a little while
> (~3 minutes), to the loadav get high, and after a few minutes,
> it got worse... the loadav reached ~60... Without the
> "no-threads no-idea -fPIC" options at the openSSL compilation,
> the high loadav is instantaneous.
> 
> I can bring any information you need to debug this problem. Just
> let me know what do you need.

What kind of random seed do you use? As far as I know, IRIX has no
/dev/random (nor /dev/urandom), so it might be a good idea to
install prngd and let SSLRandomSeed point to its socket (using
egd:/path/to/socket).

This might already solve your problem.


Ciao

Thomas
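Three threads in this digest turn on the same question, whether the configured SSLRandomSeed source is actually reachable on the host: Cliff's "not-enough-entropy" suspicion in the hanging-process thread, Volker's HP-UX 11.0 server whose trace shows open("/dev/urandom") failing with ENOENT and the PRNG being seeded with 0 bytes, and Thomas's advice here to point IRIX at prngd via egd:. The script below is an added example, not code from mod_ssl, prngd or anyone on the list. It parses SSLRandomSeed lines, speaks the EGD socket protocol that OpenSSL's RAND_egd() uses for the egd: source, and probes each source. The daemon it talks to (serve_toy_egd) is a constructed stand-in that is not prngd, the function names are mine, and /dev/no-such-random is a made-up path standing in for a host without /dev/urandom.

```python
import os
import socket
import struct
import tempfile
import threading

# EGD socket protocol (what OpenSSL's RAND_egd()/RAND_query_egd_bytes() speak):
# 0x00 -> 4-byte big-endian bit count; 0x01 n -> 1-byte m then m bytes, never
# blocks; 0x02 n -> exactly n bytes, blocking until the pool can serve them.
GET_COUNT, READ_NONBLOCK, READ_BLOCKING = 0x00, 0x01, 0x02

def parse_seed_directives(conf_text):
    """[(phase, source, nbytes)] per 'SSLRandomSeed startup|connect source [bytes]' line."""
    found = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0].lower() == "sslrandomseed":
            found.append((parts[1].lower(), parts[2], int(parts[3]) if len(parts) > 3 else None))
    return found

def _egd_request(path, request, reply_len):
    """One connect/request/reply round trip; reply_len=None means a 1-byte length prefix."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(request)
        f = s.makefile("rb")
        if reply_len is None:
            reply_len = f.read(1)[0]
        reply = f.read(reply_len)
        if len(reply) != reply_len:
            raise ConnectionError("EGD peer closed the socket early")
        return reply

def egd_entropy_bits(path):
    """How many bits of entropy the daemon behind `path` claims to hold."""
    return struct.unpack(">I", _egd_request(path, bytes([GET_COUNT]), 4))[0]

def egd_read(path, nbytes, blocking=False):
    """Up to nbytes (1..255) of seed material; the non-blocking form may return fewer."""
    if blocking:
        return _egd_request(path, bytes([READ_BLOCKING, nbytes]), nbytes)
    return _egd_request(path, bytes([READ_NONBLOCK, nbytes]), None)

def probe_source(source, want=64):
    """(usable, detail) for one SSLRandomSeed source on this host."""
    if source == "builtin":   # pid, time and scoreboard bytes: always there, weak alone
        return True, "builtin: weak, never the only source"
    kind, _, arg = source.partition(":")
    if kind == "file":
        ok = os.path.exists(arg)
        return ok, "file %s %s" % (arg, "present" if ok else "missing on this host")
    if kind == "egd":
        try:
            bits, got = egd_entropy_bits(arg), len(egd_read(arg, want))
        except OSError as exc:
            return False, "egd %s unreachable: %s" % (arg, exc)
        return got > 0, "egd %s: %d bits pooled, %d/%d bytes served" % (arg, bits, got, want)
    return False, "unchecked source %r" % source

def serve_toy_egd(srv, pool_bits, quit_event):
    """Constructed stand-in for prngd so the demo runs offline: it reports a fixed
    pool count and serves os.urandom() bytes. It is not prngd and drains no pool."""
    srv.settimeout(0.1)                       # so the loop notices quit_event
    while not quit_event.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        with conn, conn.makefile("rb") as f:
            cmd = f.read(1)[0]
            if cmd == GET_COUNT:
                conn.sendall(struct.pack(">I", pool_bits))
            elif cmd in (READ_NONBLOCK, READ_BLOCKING):
                data = os.urandom(f.read(1)[0])
                conn.sendall((bytes([len(data)]) if cmd == READ_NONBLOCK else b"") + data)
    srv.close()

def demo():
    """Probe every source in a constructed httpd.conf fragment against the toy daemon."""
    tmpdir = tempfile.mkdtemp()
    sock_path = os.path.join(tmpdir, "egd-pool")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(4)
    quit_event = threading.Event()
    thread = threading.Thread(target=serve_toy_egd, args=(srv, 4096, quit_event), daemon=True)
    thread.start()
    conf = "\n".join([  # constructed; /dev/no-such-random plays HP-UX 11.0 without urandom
        "SSLRandomSeed startup builtin",
        "SSLRandomSeed startup file:/dev/no-such-random 512",
        "SSLRandomSeed connect egd:" + sock_path,
    ])
    try:
        return {src: probe_source(src) for _, src, _ in parse_seed_directives(conf)}
    finally:
        quit_event.set()
        thread.join()
        os.unlink(sock_path)
        os.rmdir(tmpdir)
```

Against a real prngd, `probe_source("egd:/var/run/egd-pool")` (path assumed) reports the pooled bit count and how many of the requested bytes came back; a file: source that does not exist, as in Volker's trace, is flagged without touching the network, and builtin is accepted but marked as too weak to be the only source.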



C compiler cannot create executables

2002-06-24 Thread Webmaster



Hi everybody.

I have a problem with mod_ssl 2.8.9 for Apache 1.3.26. When I try to configure this
module for compilation (# configure --with-apache=/var/tmp/apache_1.3.26 ) it
gives the following error:

Configuring mod_ssl/2.8.9 for Apache/1.3.26
 + Apache location: /var/tmp/apache_1.3.26 (Version 1.3.26)
 + Auxiliary patch tool: ./etc/patch/patch (local)
./configure:Error: Building of 'patch' tool failed:
-
x patch/rename.c, 1323 bytes, 3 tape blocks
x patch/util.c, 9365 bytes, 19 tape blocks
x patch/util.h, 2325 bytes, 5 tape blocks
x patch/version.c, 280 bytes, 1 tape blocks
x patch/version.h, 25 bytes, 1 tape blocks
loading cache ./config.cache
checking for gcc... gcc
checking whether the C compiler (gcc  ) works... no
configure: error: installation or configuration problem: C compiler cannot create executables.
make: *** No targets.  Stop.
-
Hint: Either try to build 'patch' under etc/patch/
Hint: manually and re-run this 'configure' script
Hint: or provide us the path to your vendor 'patch'
Hint: program via the --with-patch=FILE option (but
Hint: expect perhaps failures when applying patches!)

My OS is Solaris 8 and I have tested it with two versions of gcc: 9.95.2 and 3.1.
I had no problems with the installation of apache 1.3.20 and mod_ssl 2.8.4.
Did anybody experience this problem and find a solution?

Thanks in advance.

Oscar.