Re: Quickie on Certificate Requests (combined with virtual hosts)...

On 1 Jul 2002, Sean M Alderman wrote:

> Cool, thanks!... So I've done that, I needed to use the make certificate
> instead of the openssh commands because of the lack of a /dev/random on
> Solaris 8 (I don't know why make is able to make it happen when I
> can't). Anyway, each time I run it it generates a new server.key file,
> I need to keep each of these right?...perhaps name them based on the
> virtual host each are for?

Yes, exactly right. Dunno why the make certificate thing works when the
openssl commands directly don't -- probably just some configuration
issues.

--Cliff

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
PRNG Seed
I've been reading FAQ's and mail archives for days, but I don't seem to be
making any progress. Please help.

I keep getting the following error:

[Mon Jul 01 15:52:33 2002] [info] Init: Initializing OpenSSL library
[Mon Jul 01 15:52:33 2002] [info] Init: Seeding PRNG with 0 bytes of entropy
[Mon Jul 01 15:52:33 2002] [warn] Init: PRNG still contains not sufficient entropy!
[Mon Jul 01 15:52:33 2002] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Mon Jul 01 15:52:33 2002] [error] Init: Failed to generate temporary 512 bit RSA private key
Configuration Failed

I have tried the following options for SSLRandomSeed with the same results:

#SSLRandomSeed startup builtin
#SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/usr/local/apache2/conf/rand.dat
#SSLRandomSeed connect file:/usr/local/apache2/conf/rand.dat
#SSLRandomSeed startup file:/dev/egd-pool 512
#SSLRandomSeed connect file:/dev/egd-pool 512
#SSLRandomSeed startup egd:/dev/egd-pool
#SSLRandomSeed connect egd:/dev/egd-pool
#SSLRandomSeed startup exec:/usr/local/ssl/bin/openssl rand 512
#SSLRandomSeed connect exec:/usr/local/ssl/bin/openssl rand 512
SSLRandomSeed startup exec:"/usr/local/ssl/bin/openssl rand 512"
SSLRandomSeed connect exec:"/usr/local/ssl/bin/openssl rand 512"

/usr/local/apache2/conf/rand.dat was created using

/usr/local/ssl/bin/openssl rand -out /usr/local/apache2/conf/rand.dat 512

(openssl-0.9.6d) and seems to be full of very random data.

The socket at /dev/egd-pool was created using

/usr/local/sbin/prngd /dev/egd-pool

It seems to me, with my limited experience, that many of these methods
should have worked to seed the random number generator with a few bits of
entropy. Is there any other directive that could affect the error I'm
getting?

I'd also appreciate it if someone could explain to me why openssl can dump
out reams of randomness when called from the command line, but doesn't have
enough entropy to create a temporary key when my apache 2.0.39 comes to
call.

Thanks,
- Mike
Re: Quickie on Certificate Requests (combined with virtual hosts)...

If you wish to fix Solaris 8 to use /dev/random use the following Sun patch
available thru Sunsolve:

dev random patch number 112438-01

>>> [EMAIL PROTECTED] 07/01/02 01:05PM >>>
> Cool, thanks!... So I've done that, I needed to use the make certificate
> instead of the openssh commands because of the lack of a /dev/random on
> Solaris 8 (I don't know why make is able to make it happen when I
> can't). Anyway, each time I run it it generates a new server.key file,
> I need to keep each of these right?...perhaps name them based on the
> virtual host each are for?
>
> On Mon, 2002-07-01 at 15:18, Cliff Woolley wrote:
> > On 1 Jul 2002, Sean M Alderman wrote:
> >
> > > I'm hoping someone on the list might have some experience with
> > > multiple IP based virtual hosts and generating CSRs for ssl certs for
> > > each host. Something has me thinking that if I run the commands from
> > > the mod_ssl faq, I'll get several CSRs for the same host (either local
> > > or the main hostname). That shouldn't be, certs are hostname specific
> > > right? Anyway, if anyone would be so kind as to pass me a clue.
> >
> > The commands in the FAQ should be okay. When you run openssl and ask it
> > to generate a CSR, it will prompt you for various things, one of which
> > is "Common Name (CN)" -- enter the hostname with which the certificate
> > should be associated there, and that's all you should have to do.
> >
> > --Cliff
>
> --
> Sean M. Alderman
> ITRACK Systems Analyst
> PACE/NCI - NASA Glenn Research Center
> (216) 433-2795
>
> Calling a windowed operating system "Windows" is like naming an
> automobile "Wheels."
Re: Quickie on Certificate Requests (combined with virtual hosts)...

Cool, thanks!... So I've done that, I needed to use the make certificate
instead of the openssh commands because of the lack of a /dev/random on
Solaris 8 (I don't know why make is able to make it happen when I can't).
Anyway, each time I run it it generates a new server.key file, I need to
keep each of these right?...perhaps name them based on the virtual host
each are for?

On Mon, 2002-07-01 at 15:18, Cliff Woolley wrote:
> On 1 Jul 2002, Sean M Alderman wrote:
>
> > I'm hoping someone on the list might have some experience with
> > multiple IP based virtual hosts and generating CSRs for ssl certs for
> > each host. Something has me thinking that if I run the commands from
> > the mod_ssl faq, I'll get several CSRs for the same host (either local
> > or the main hostname). That shouldn't be, certs are hostname specific
> > right? Anyway, if anyone would be so kind as to pass me a clue.
>
> The commands in the FAQ should be okay. When you run openssl and ask it
> to generate a CSR, it will prompt you for various things, one of which is
> "Common Name (CN)" -- enter the hostname with which the certificate should
> be associated there, and that's all you should have to do.
>
> --Cliff

--
Sean M. Alderman
ITRACK Systems Analyst
PACE/NCI - NASA Glenn Research Center
(216) 433-2795

Calling a windowed operating system "Windows" is like naming an automobile
"Wheels."
Re: Quickie on Certificate Requests (combined with virtual hosts)...

On 1 Jul 2002, Sean M Alderman wrote:

> I'm hoping someone on the list might have some experience with
> multiple IP based virtual hosts and generating CSRs for ssl certs for
> each host. Something has me thinking that if I run the commands from the
> mod_ssl faq, I'll get several CSRs for the same host (either local or
> the main hostname). That shouldn't be, certs are hostname specific
> right? Anyway, if anyone would be so kind as to pass me a clue.

The commands in the FAQ should be okay. When you run openssl and ask it
to generate a CSR, it will prompt you for various things, one of which is
"Common Name (CN)" -- enter the hostname with which the certificate should
be associated there, and that's all you should have to do.

--Cliff
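As an added example, not from the thread or the mod_ssl FAQ: a POSIX shell script that does what Cliff describes for several SSL virtual hosts at once, one private key and one CSR per host, named after the host and with the Common Name set to that host's name, followed by a check that the CSR really carries the intended CN before it goes to a CA. The host names, the ORG placeholder and the function names are assumptions.

```shell
#!/bin/sh
# Added example: one key + CSR per SSL virtual host, CN = that host's name.
# ORG is an assumed placeholder organisation; OUTDIR defaults to the cwd.
set -eu

# Subject for a CSR: CN must be the hostname clients will connect to,
# which is what mod_ssl compares against ServerName at startup.
csr_subject() {
    printf '/O=%s/CN=%s' "${ORG:-Example Org}" "$1"
}

# Generate <host>.key and <host>.csr so the per-vhost files never get
# mixed up (each run of the FAQ commands would otherwise overwrite
# server.key).
gen_vhost_csr() {
    host=$1
    dir=${OUTDIR:-.}
    umask 077   # the private key must not be group/world readable
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "$(csr_subject "$host")" 2>/dev/null
}

# Succeeds only if the CN inside the CSR equals the expected hostname.
# Handles both "CN=host" (OpenSSL 1.0) and "CN = host" (1.1+) output.
csr_cn_matches() {
    cn=$(openssl req -noout -subject -in "$1" \
         | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$2" ]
}

# Driver:  sh thisfile.sh run vhost1.example.com vhost2.example.com
if [ "${1:-}" = "run" ]; then
    shift
    for h in "$@"; do
        gen_vhost_csr "$h"
        csr_cn_matches "${OUTDIR:-.}/$h.csr" "$h" && echo "ok: $h"
    done
fi
```

Point SSLCertificateKeyFile in each virtual host at its own <host>.key, and the certificate the CA returns for <host>.csr at SSLCertificateFile.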
Quickie on Certificate Requests (combined with virtual hosts)...

Greetings all,

I'm hoping someone on the list might have some experience with multiple IP
based virtual hosts and generating CSRs for ssl certs for each host.
Something has me thinking that if I run the commands from the mod_ssl faq,
I'll get several CSRs for the same host (either local or the main
hostname). That shouldn't be, certs are hostname specific right? Anyway,
if anyone would be so kind as to pass me a clue. Thanks.

--
Sean M. Alderman
ITRACK Systems Analyst
PACE/NCI - NASA Glenn Research Center
(216) 433-2795

Calling a windowed operating system "Windows" is like naming an automobile
"Wheels."
Re: [BugDB] Performance issue (PR#723)
Hi Lutz...

I compile apache using...:

(from mod_ssl dir)
export CFLAGS='-DHARD_SERVER_LIMIT=8192'; ./configure \
    --disable-rule=DEV_RANDOM --disable-rule=EXPAT \
    --disable-rule=IRIXN32 --disable-rule=IRIXNIS \
    --disable-rule=SHARED_CHAIN --disable-rule=WANTHSREGEX \
    --enable-module=most --enable-module=mmap_static \
    --enable-shared=max --with-apache=../apache_1.3.26 \
    --with-ssl=../openssl-0.9.6d --prefix=/opt/apache-1.3.26
cd ../apache_1.3.26
make

and I have...:

denao@isherwood /opt/apache-1.3.26# bin/httpd -l
Compiled-in modules:
  http_core.c
  mod_so.c
suexec: disabled; invalid wrapper /opt/apache-1.3.26/bin/suexec

and at the conf, I call...:

LoadModule mmap_static_module  libexec/mod_mmap_static.so
LoadModule config_log_module   libexec/mod_log_config.so
#LoadModule mime_magic_module  libexec/mod_mime_magic.so
LoadModule mime_module         libexec/mod_mime.so
LoadModule status_module       libexec/mod_status.so
LoadModule info_module         libexec/mod_info.so
LoadModule imap_module         libexec/mod_imap.so
LoadModule access_module       libexec/mod_access.so
LoadModule expires_module      libexec/mod_expires.so
LoadModule setenvif_module     libexec/mod_setenvif.so
LoadModule negotiation_module  libexec/mod_negotiation.so
#LoadModule vhost_alias_module libexec/mod_vhost_alias.so
LoadModule ssl_module          libexec/libssl.so

The real strange thing here is that those high loads never happen using
apache 1.3.22 and mod_ssl 2.8.5... but any combination newer than this
brings me a high load.

Best regards, and thank you so much for helping me out on this.

Denis.

On Sat, 2002-06-29 at 06:51, Lutz Jaenicke wrote:
> On Fri, Jun 28, 2002 at 11:25:09PM +0200, [EMAIL PROTECTED] wrote:
> > I tried with the prngd and exactly the same problem appeared.
>
> I don't think, that your problem has to do with random seeding.
> Even the built-in seeding should not cause significant load increases.
>
> What other modules or add-ons do you use? I know that there is at least
> one interaction between php4 and mod_ssl: child processes do not correctly
> shut down, when both modules are used.
>
> Best regards,
> Lutz
> --
> Lutz Jaenicke [EMAIL PROTECTED]
> http://www.aet.TU-Cottbus.DE/personen/jaenicke/
> BTU Cottbus, Allgemeine Elektrotechnik
> Universitaetsplatz 3-4, D-03044 Cottbus

--
Denis A.V.Jr. - [EMAIL PROTECTED]
Systems Engineer - ICQ 2524962
Universo Online

perl -e 'print "computers are like air-conditioners: they stop working when you open windows ", pack("c*",hex "3A",sqrt(2025),(unpack(c,"=")-20),10);'
Error viewing webpages with ssl
I just installed modssl and apache 2.0.39 (I used the modssl module that
came with it) and got it to compile and start. But when I go to view one of
my virtual hosts I get an error with mozilla (I get a similar one with
netscape):

hostname has received an incorrect or unexpected message. Error Code: -12227

where hostname is the name of the server I was connecting to. This happens
on all my virtual hosts that I use ssl for. The certificate I created was
self signed by me (figured it might be important). At the bottom is an
excerpt from my httpd.conf and also an excerpt from my error_log file...I
hope they help...

Thanks,
Scott Savarese

Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex file:logs/ssl_mutex
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.crt/server.key
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

NameVirtualHost *:443

<VirtualHost *:443>
    ServerName virthost1:443   # The server names have been changed
    DocumentRoot /home/savarese/webpages
    Alias /music "/home/savarese/mp3/"
    SSLEngine on
</VirtualHost>

<VirtualHost *:443>
    ServerName virthost2:443
    DocumentRoot /home/savarese/webpages/photoalbums
    SSLEngine on
</VirtualHost>

<VirtualHost *:443>
    ServerName virthost3:443
    DocumentRoot /home/savarese/webpages/resume
    SSLEngine on
</VirtualHost>

And if you'd like to read on, here are the errorlogs that are generated (the
webserver was started at 7:34AM):

[Mon Jul 01 07:34:20 2002] [warn] Init: Oops, you want to request client authentication, but no CAs are known for verification!?  [Hint: SSLCACertificate*]
[Mon Jul 01 07:34:20 2002] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Jul 01 07:34:20 2002] [warn] RSA server certificate CommonName (CN) `Scott Savarese' does NOT match server name!?
[Mon Jul 01 07:34:20 2002] [warn] Init: Oops, you want to request client authentication, but no CAs are known for verification!?  [Hint: SSLCACertificate*]
[Mon Jul 01 07:34:20 2002] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Jul 01 07:34:20 2002] [warn] RSA server certificate CommonName (CN) `Scott Savarese' does NOT match server name!?
[Mon Jul 01 07:34:20 2002] [warn] Init: Oops, you want to request client authentication, but no CAs are known for verification!?  [Hint: SSLCACertificate*]
[Mon Jul 01 07:34:20 2002] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Jul 01 07:34:20 2002] [warn] RSA server certificate CommonName (CN) `Scott Savarese' does NOT match server name!?
[Mon Jul 01 07:34:20 2002] [notice] Digest: generating secret for digest authentication ...
[Mon Jul 01 07:34:20 2002] [notice] Digest: done
[Mon Jul 01 07:34:23 2002] [warn] Init: Oops, you want to request client authentication, but no CAs are known for verification!?  [Hint: SSLCACertificate*]
[Mon Jul 01 07:34:23 2002] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Jul 01 07:34:23 2002] [warn] RSA server certificate CommonName (CN) `Scott Savarese' does NOT match server name!?
[Mon Jul 01 07:34:23 2002] [warn] Init: Oops, you want to request client authentication, but no CAs are known for verification!?  [Hint: SSLCACertificate*]
[Mon Jul 01 07:34:23 2002] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Jul 01 07:34:23 2002] [warn] RSA server certificate CommonName (CN) `Scott Savarese' does NOT match server name!?
[Mon Jul 01 07:34:23 2002] [warn] Init: Oops, you want to request client authentication, but no CAs are known for verification!?  [Hint: SSLCACertificate*]
[Mon Jul 01 07:34:23 2002] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Jul 01 07:34:23 2002] [warn] RSA server certificate CommonName (CN) `Scott Savarese' does NOT match server name!?
[Mon Jul 01 07:34:24 2002] [notice] Apache/2.0.39 (Unix) DAV/2 mod_ssl/2.0.39 OpenSSL/0.9.6c PHP/4.2.1 configured -- resuming normal operations
[Mon Jul 01 09:11:45 2002] [error] SSL handshake failed (server skibum.dyndns.org:443, client 12.22.156.217)
[Mon Jul 01 09:11:45 2002] [error] SSL Library Error: 336105671 error:140890C7:lib(20):func(137):reason(199)
[Mon Jul 01 09:11:51 2002] [error] SSL handshake failed (server skibum.dyndns.org:443, client 12.22.156.217)
[Mon Jul 01 09:11:51 2002] [error] SSL Library Error: 336105671 error:140890C7:lib(20):func(137):reason(199)
[Mon Jul 01 09:12:45 2002] [error] Spurious SSL handshake interrupt [Hint: Usually just one of those OpenSSL confusions!?]
[Mon Jul 01 09:12:49 2
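Added example, not part of this thread or the "PRNG Seed" thread above: a shell function that reads an Apache error_log and maps the mod_ssl init and handshake messages quoted in both threads (empty PRNG seeding, client auth requested with no CA configured, a CA certificate used as the server certificate, CN not matching ServerName, failed handshakes) to the directive worth checking. The sample lines are constructed after the quoted ones; the hostnames and the function names are assumptions.

```shell
#!/bin/sh
# Added example: triage mod_ssl messages from an Apache error_log.
# Each distinct finding is printed once, with how often it was seen.

# Constructed sample modelled on the lines quoted in the two threads.
SAMPLE_LOG=$(cat <<'EOF'
[Mon Jul 01 15:52:33 2002] [info] Init: Initializing OpenSSL library
[Mon Jul 01 15:52:33 2002] [info] Init: Seeding PRNG with 0 bytes of entropy
[Mon Jul 01 15:52:33 2002] [warn] Init: PRNG still contains not sufficient entropy!
[Mon Jul 01 15:52:33 2002] [error] Init: Failed to generate temporary 512 bit RSA private key
[Mon Jul 01 07:34:20 2002] [warn] Init: Oops, you want to request client authentication, but no CAs are known for verification!?  [Hint: SSLCACertificate*]
[Mon Jul 01 07:34:20 2002] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Jul 01 07:34:20 2002] [warn] RSA server certificate CommonName (CN) `Example Person' does NOT match server name!?
[Mon Jul 01 07:34:23 2002] [warn] RSA server certificate CommonName (CN) `Example Person' does NOT match server name!?
[Mon Jul 01 07:34:24 2002] [notice] Apache/2.0.39 (Unix) mod_ssl/2.0.39 OpenSSL/0.9.6c configured -- resuming normal operations
[Mon Jul 01 09:11:45 2002] [error] SSL handshake failed (server www.example.com:443, client 192.0.2.10)
[Mon Jul 01 09:11:51 2002] [error] SSL handshake failed (server www.example.com:443, client 192.0.2.10)
EOF
)

# Reads log lines on stdin; prints one sorted line per distinct finding.
triage_ssl_log() {
    awk '
    /Seeding PRNG with 0 bytes/          { f["PRNG seeded with 0 bytes: no SSLRandomSeed source delivered anything"]++ }
    /PRNG still contains not sufficient/ { f["PRNG entropy insufficient: fix SSLRandomSeed startup before anything else"]++ }
    /Failed to generate temporary .*RSA/ { f["temporary RSA key generation failed: fatal, consequence of the PRNG state"]++ }
    /no CAs are known for verification/  { f["SSLVerifyClient set but no SSLCACertificateFile/SSLCACertificatePath"]++ }
    /BasicConstraints: CA == TRUE/       { f["SSLCertificateFile is a CA certificate, not a server (leaf) certificate"]++ }
    /does NOT match server name/         { f["certificate CN does not match the ServerName of this virtual host"]++ }
    /SSL handshake failed/               { f["client handshake failures logged"]++ }
    END { for (k in f) printf "%s (x%d)\n", k, f[k] }' | sort
}

# Number of distinct findings (0 means nothing of interest in the log).
triage_count() {
    triage_ssl_log | wc -l | tr -d ' '
}

# Usage on a real server:  triage_ssl_log < /usr/local/apache2/logs/error_log
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | triage_ssl_log
fi
```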
Re: [BugDB] PRIVATE: problem on mod_ssl-2.8.10-1.3.26 and openssl-0.9.7-pre1.tar.gz (PR#726)
On Mon, Jul 01, 2002 at 12:52:14PM +0200, [EMAIL PROTECTED] wrote:
> Full_Name: Dante Picca
> Version: 2.8.10
> OS: Linux RedHat 7.2 Athlon
> Submission from: (NULL) (195.110.148.66)
>
>
> I've found a problem compiling mod_ssl-2.8.10-1.3.26 with
> openssl-0.9.7-pre1.tar.gz
...
> ssl_engine_vars.c:411: `NID_x500UniqueIdentifier' undeclared here (not in a
> function)

Do not use 0.9.7-pre1 (whoever released this version, it was not released
from the OpenSSL team). If you use 0.9.7-betax, the version is correctly
recognized and the problem does not appear.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
[BugDB] PRIVATE: problem on mod_ssl-2.8.10-1.3.26 and openssl-0.9.7-pre1.tar.gz (PR#726)
Full_Name: Dante Picca
Version: 2.8.10
OS: Linux RedHat 7.2 Athlon
Submission from: (NULL) (195.110.148.66)

Hi,

I've found a problem compiling mod_ssl-2.8.10-1.3.26 with
openssl-0.9.7-pre1.tar.gz

I've used the following commands:

cd openssl-0.9.7
make
make test
make install
cd ../mod_ssl-2.8.10-1.3.26
./configure --with-apache=../apache_1.3.26
cd ../mod_perl-1.26
/usr/bin/perl Makefile.PL EVERYTHING=1 APACHE_SRC=../apache_1.3.26/src \
    USE_APACI=1 PREP_HTTPD=1 DO_HTTPD=1
make
make install
cd ../apache_1.3.26
SSL_BASE=/path/to/openssl-0.9.7 ./configure --prefix=/xxx/xxx \
    --enable-module=ssl --activate-module=src/modules/perl/libperl.a \
    --enable-module=all --enable-shared=max --bindir=/zzz/zzz \
    --sbindir=/yyy/yyy --libexecdir=/xxx/xxx/modules
make

During the last make I receive the message:

ssl_engine_kernel.c: In function `ssl_callback_LogTracingState':
ssl_engine_kernel.c:1901: warning: passing arg 1 of `SSL_state_string_long' discards `const' from pointer target type
ssl_engine_kernel.c:1904: warning: passing arg 1 of `SSL_state_string_long' discards `const' from pointer target type
ssl_engine_kernel.c:1907: warning: passing arg 1 of `SSL_state_string_long' discards `const' from pointer target type
ssl_engine_kernel.c:1918: warning: passing arg 1 of `SSL_state_string_long' discards `const' from pointer target type
ssl_engine_kernel.c:1921: warning: passing arg 1 of `SSL_state_string_long' discards `const' from pointer target type
gcc -c -I../../os/unix -I../../include -DLINUX=22 -I/usr/include/db1 -DMOD_SSL=208110 -DMOD_PERL -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I../../lib/expat-lite `../../apaci` -fpic -DSHARED_MODULE -DSSL_COMPAT -DSSL_USE_SDBM -DSSL_ENGINE -I/home/apacheins/openssl-0.9.7/include -DMOD_SSL_VERSION=\"2.8.10\" ssl_engine_rand.c && mv ssl_engine_rand.o ssl_engine_rand.lo
gcc -c -I../../os/unix -I../../include -DLINUX=22 -I/usr/include/db1 -DMOD_SSL=208110 -DMOD_PERL -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I../../lib/expat-lite `../../apaci` -fpic -DSHARED_MODULE -DSSL_COMPAT -DSSL_USE_SDBM -DSSL_ENGINE -I/home/apacheins/openssl-0.9.7/include -DMOD_SSL_VERSION=\"2.8.10\" ssl_engine_io.c && mv ssl_engine_io.o ssl_engine_io.lo
gcc -c -I../../os/unix -I../../include -DLINUX=22 -I/usr/include/db1 -DMOD_SSL=208110 -DMOD_PERL -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I../../lib/expat-lite `../../apaci` -fpic -DSHARED_MODULE -DSSL_COMPAT -DSSL_USE_SDBM -DSSL_ENGINE -I/home/apacheins/openssl-0.9.7/include -DMOD_SSL_VERSION=\"2.8.10\" ssl_engine_log.c && mv ssl_engine_log.o ssl_engine_log.lo
gcc -c -I../../os/unix -I../../include -DLINUX=22 -I/usr/include/db1 -DMOD_SSL=208110 -DMOD_PERL -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I../../lib/expat-lite `../../apaci` -fpic -DSHARED_MODULE -DSSL_COMPAT -DSSL_USE_SDBM -DSSL_ENGINE -I/home/apacheins/openssl-0.9.7/include -DMOD_SSL_VERSION=\"2.8.10\" ssl_engine_mutex.c && mv ssl_engine_mutex.o ssl_engine_mutex.lo
gcc -c -I../../os/unix -I../../include -DLINUX=22 -I/usr/include/db1 -DMOD_SSL=208110 -DMOD_PERL -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I../../lib/expat-lite `../../apaci` -fpic -DSHARED_MODULE -DSSL_COMPAT -DSSL_USE_SDBM -DSSL_ENGINE -I/home/apacheins/openssl-0.9.7/include -DMOD_SSL_VERSION=\"2.8.10\" ssl_engine_pphrase.c && mv ssl_engine_pphrase.o ssl_engine_pphrase.lo
gcc -c -I../../os/unix -I../../include -DLINUX=22 -I/usr/include/db1 -DMOD_SSL=208110 -DMOD_PERL -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I../../lib/expat-lite `../../apaci` -fpic -DSHARED_MODULE -DSSL_COMPAT -DSSL_USE_SDBM -DSSL_ENGINE -I/home/apacheins/openssl-0.9.7/include -DMOD_SSL_VERSION=\"2.8.10\" ssl_engine_vars.c && mv ssl_engine_vars.o ssl_engine_vars.lo
ssl_engine_vars.c:411: `NID_x500UniqueIdentifier' undeclared here (not in a function)
ssl_engine_vars.c:411: initializer element for `ssl_var_lookup_ssl_cert_dn_rec[12].nid' is not constant
make[4]: *** [ssl_engine_vars.lo] Error 1
make[3]: *** [all] Error 1
make[2]: *** [subdirs] Error 1
make[2]: Leaving directory `/home/apacheins/apache_1.3.26/src'
make[1]: *** [build-std] Error 2
make[1]: Leaving directory `/home/apacheins/apache_1.3.26'
make: *** [build] Error 2

If I use openssl 0.9.6d I've no problems.

I hope you'll find this information useful

Bye
Dante