Re: Mod_SSL for Windows 2000/NT/XP

2002-07-16 Thread Alex Moon

Could the mirror sites not host ssl enabled version as they are not 
in the US as they are in the UK, Australia etc?

On 16 Jul 02, at 0:50, Cliff Woolley wrote:

 On Tue, 16 Jul 2002, Brendan Lloyd wrote:
 
  And last but not least: can anyone clarify what the state of Apache
  2.0 is with regards to OpenSSL/mod_ssl? I've read in some places that
  Apache 2.0 supports/includes these, but then when I went to download
  the Windows binary distribution it had the suffix no_ssl?
 
 Source distributions of Apache 2.0 include mod_ssl.  Binary distributions
 are a different story, but only because of ambiguities surrounding the
 (IMHO silly) export restrictions of the US government.  We know we're
 allowed to export *source* for strong encryption software... but whether
 we're able to legally distribute *binaries* of strong encryption software
 is unclear.  So we don't.
 
 Of course, that's more of a burden on our Windows users than on our Unix
 users, since the former tend to rely on binaries and the latter tend to
 roll their own since they tend to have the compilation tools on hand.
 
 The solution, as has been pointed out, is that somebody outside the US
 contributed binaries for mod_ssl for Apache 2.0 on Win32 and uploaded them
 to www.modssl.org/contrib, which is physically located in Germany, as
 opposed to www.apache.org, which is physically located in the western US.
 
 Sigh.
 
 --Cliff
 
 __
 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  [EMAIL PROTECTED]
 Automated List Manager[EMAIL PROTECTED]



Technical Manager
Online Learning Support Unit
Middlesex University Business School

[EMAIL PROTECTED]
020 8411 5092




loading mod ssl under NT

2002-07-16 Thread Alex Moon

Hi

I've been trying to get Apache 2.0.39 + mod_ssl to work under WinNT. 
But I am failing at the first hurdle, i.e. I cannot seem to get the 
Apache mod_ssl.so module to load.  It comes up with the following:

 Cannot load C:/apache2/modules/mod_ssl.so into server: The 
operating system cannot run %1

Any ideas gratefully received

Alex

Technical Manager
Online Learning Support Unit
Middlesex University Business School

[EMAIL PROTECTED]
020 8411 5092




Re: Mod_SSL for Windows 2000/NT/XP

2002-07-16 Thread Cliff Woolley

On Tue, 16 Jul 2002, Alex Moon wrote:

 Could the mirror sites not host ssl enabled version as they are not
 in the US as they are in the UK, Australia etc?

The way our mirroring system works, the mirrors do an rsync of
www.apache.org/dist.  So they can't have files on their sites that aren't
on the main sites (or at least not for long), since rsync would delete
those files.

Additionally, it requires somebody outside the US to actually do the
compiling and uploading -- and all our Win32 guys (who are committers and
thus allowed to create official binaries) are in the US.  :-/

--Cliff




Apache Websphere application server

2002-07-16 Thread arcean

hello *,

I am trying to make Apache, SSL and WebSphere work together ...

and I have the famous problem
loaded DSO /apps/[..]/mod_app_server.so uses plain Apache api ... this module might 
crash ... recompile it with -DEAPI 

my problem is: I don't have the source code of the WebSphere plugin ...

do you know a way to use mod_ssl without compiling Apache 
or compiling Apache to perfectly support the old way DSO module ??

thanks in advance
--
arno






mod_ssl mod_auth_radius

2002-07-16 Thread Andries, Bert


Apache_1.3.26 + mod_ssl-2.8.10 + openssl-0.9.6d (as in
http://www.modssl.org/example) with added mod_proxy and mod_auth_radius found
at:
https://www.gnarst.net/authradius/

Proxy & SSL seem to work fine, but the combination with radius
authentication fails.

The https://www.gnarst.net/authradius/ site mentions:
"Apply this patch to the Apache sourcecode apache-patches.tar.gz for
use with apache 1.3.26 with modssl-2810 if you are going to use this apache
as a proxy server. This will fix the fact that the 'proxing' webserver does
not send the cookie back to the client. It also will fix the problem that
apache does not send a Set-Cookie header back to the client in case the page
requested has not changed (Return code 304) HTTP_NOT_MODIFIED."

Unfortunately the apache-patches.tar.gz is not downloadable.  Does anyone
have this patch, or have any hint on how to do radius authentication on a
proxy-ing apache with mod_ssl ...

Regards.




Re: Problems when compiling as DSO module (and workaround)

2002-07-16 Thread Guillaume Filion

Replying to myself (again)...

  I think that the problem is with apxs, it only gets the CFLAGS 
configured at Apache's compile time. And they are not right for 
every module that one will want to add to Apache.

  Take for example ndbm.h which is needed by mod_ssl. When compiling 
mod_ssl statically into Apache, there's no problem since Apache 
takes care of finding where it is located. But when we're building 
mod_ssl with apxs, if Apache's configure has not figured out where 
ndbm.h is, compilation will fail.
[...]
This is wrong since not enabling a module that requires DBM doesn't 
mean that I'll never want to add one that does in the future.

I don't see any trivial solution to this problem. The easier one, 
IMHO, is to do every check when mod_so is enabled.

Adding this to src/modules/standard/mod_so.c (in Apache tarball) does 
the trick:

  /* The section for the Configure script:
   * MODULE-DEFINITION-START
   * Name: so_module
   * ConfigStart
   . ./helpers/find-dbm-lib
   * ConfigEnd
   * MODULE-DEFINITION-END
   */

I didn't find any other helper/check to add, but a more experienced 
Apache developer may find more.

Best,
GFK's
-- 
Guillaume Filion
Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/
PGP Key and more: http://guillaume.filion.org/  (this will redirect)
PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA



Re: Problems when compiling as DSO module (and workaround)

2002-07-16 Thread Guillaume Filion

Hi all,

I tried to figure out what caused these two problems, here's what I found.

I think that the problem is with apxs, it only gets the CFLAGS 
configured at Apache's compile time. And they are not right for every 
module that one will want to add to Apache.

Take for example ndbm.h which is needed by mod_ssl. When compiling 
mod_ssl statically into Apache, there's no problem since Apache takes 
care of finding where it is located. But when we're building mod_ssl 
with apxs, if Apache's configure has not figured out where ndbm.h is, 
compilation will fail.

Here's an example:

$ tar zxf apache_1.3.26.tar.gz
$ cd apache_1.3.26

$ ./configure --enable-module=so
$ make
$ make install
$ /usr/local/apache/bin/apxs -q CFLAGS
-DLINUX=22 -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite

apxs does not provide the location of ndbm.h since configure didn't need it.

$ cd ..
$ rm -rf apache_1.3.26
$ tar zxf apache_1.3.26.tar.gz
$ cd apache_1.3.26

If, for example, I enable mod_rewrite which requires DBM support, 
apxs will know where to look for DBM.

$ ./configure --enable-module=so --enable-module=rewrite
[...]
  + adding selected modules
 o rewrite_module uses ConfigStart/End
  + using -ldb1 for DBM support
   enabling DBM support for mod_rewrite
[...]
$ make
$ make install
$ /usr/local/apache/bin/apxs -q CFLAGS
-DLINUX=22 -I/usr/include/db1 -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite

This is wrong since not enabling a module that requires DBM doesn't 
mean that I'll never want to add one that does in the future.

I don't see any trivial solution to this problem. The easier one, 
IMHO, is to do every check when mod_so is enabled.


It's a similar problem for the DBM library, src/Makefile stores it into:
LIBS1=  -lm -lcrypt -ldb1 -ldl
[...]
LIBS=$(EXTRA_LIBS) $(LIBS1)
but this is not exported to apxs. I'm not sure if it should.

Am I making some sense here? What do people think about this? Should 
I file a bug report to Apache about this? I searched bugs.apache.org 
about this but I couldn't find a single bug about apxs...

I think I need a drink! 8)
GFK's
-- 
Guillaume Filion
Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/
PGP Key and more: http://guillaume.filion.org/  (this will redirect)
PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA
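
The gap described in this message, as an added example that is not part of the original post or of Apache: a helper that checks whether the CFLAGS reported by `apxs -q CFLAGS` already cover the directory holding ndbm.h and, if not, prints the `-I` flag to hand to `apxs -c`. The function name, the candidate directories and `mod_example.c` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find the -I flag a DSO build needs
# when "apxs -q CFLAGS" does not cover the directory that holds ndbm.h.

# missing_dbm_include CFLAGS DIR...   (hypothetical helper)
#   prints "-I<dir>" if ndbm.h lives in a DIR that CFLAGS does not search,
#   prints nothing if the header is already reachable,
#   returns 1 if no candidate DIR contains ndbm.h.
missing_dbm_include() {
    cflags=$1
    shift
    for dir in "$@"; do
        [ -f "$dir/ndbm.h" ] || continue
        # /usr/include is on the compiler's default search path.
        if [ "$dir" = /usr/include ]; then
            return 0
        fi
        case " $cflags " in
            *" -I$dir "*) return 0 ;;   # configure already recorded it
        esac
        printf '%s\n' "-I$dir"
        return 0
    done
    return 1
}

# Demo on the two CFLAGS lines quoted in the message. The candidate
# directories are assumptions; adjust them to the local system.
for cflags in \
    '-DLINUX=22 -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite' \
    '-DLINUX=22 -I/usr/include/db1 -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite'
do
    if flag=$(missing_dbm_include "$cflags" \
            /usr/include /usr/include/db1 /usr/include/gdbm); then
        # apxs -c accepts -I incdir, so the flag can be passed straight through.
        # mod_example.c is a placeholder module name.
        echo "apxs -c ${flag:+$flag }mod_example.c"
    else
        echo "ndbm.h not found in the candidate directories" >&2
    fi
done
```

The same approach extends to the library side mentioned at the end of the message: the DBM library recorded in LIBS1 can be passed to `apxs -c` with `-l`.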



Re: Mod_SSL for Windows 2000/NT/XP

2002-07-16 Thread Guillaume Filion

At 00:50 -0400 16/07/02, Cliff Woolley wrote:
 On Tue, 16 Jul 2002, Brendan Lloyd wrote:

  And last but not least: can anyone clarify what the state of Apache
  2.0 is with regards to OpenSSL/mod_ssl? I've read in some places that
  Apache 2.0 supports/includes these, but then when I went to download
  the Windows binary distribution it had the suffix no_ssl?

 Source distributions of Apache 2.0 include mod_ssl.  Binary distributions
 are a different story, but only because of ambiguities surrounding the
 (IMHO silly) export restrictions of the US government.  We know we're
 allowed to export *source* for strong encryption software... but whether
 we're able to legally distribute *binaries* of strong encryption software
 is unclear.  So we don't.

 Of course, that's more of a burden on our Windows users than on our Unix
 users, since the former tend to rely on binaries and the latter tend to
 roll their own since they tend to have the compilation tools on hand.

 The solution, as has been pointed out, is that somebody outside the US
 contributed binaries for mod_ssl for Apache 2.0 on Win32 and uploaded them
 to www.modssl.org/contrib, which is physically located in Germany, as
 opposed to www.apache.org, which is physically located in the western US.

 Sigh.

Those interested in details on this legal stuff can see this site: 
http://www.bxa.doc.gov/Encryption/

What is nice with this policy update is that source code is now 
considered unrestricted (like Cliff said):
-
Also for the first time, all encryption source code that would be 
considered publicly available under Section 734.3(b)(3) of the EAR 
(such as source code posted to the Internet) and the corresponding 
object code may be exported and reexported under License Exception 
TSU -- Technology and Software Unrestricted (specifically, Section 
740.13(e) of the EAR), once notification (or a copy of the source 
code) is provided to BIS and the ENC Encryption Request Coordinator. 
See Note. Even if a license fee or royalty is charged for commercial 
production or sale of products developed using the source code, such 
source code is eligible for license exception TSU and no post-export 
reporting is required.
-
The complete content of the Export Administration Regulation (EAR) is 
available at: http://w3.access.gpo.gov/bis/ear/ear_data.html
Disclaimer: reading the content of the EAR may cause a headache. 8)

It looks like binaries made from publicly available source code are 
still considered unrestricted. They explicitly say "[publicly 
available source code] and the corresponding object code may be 
exported and reexported under License Exception TSU".

But the License Exception TSU states:
-
(2)  Provisions and Destinations.

(i)  Provisions.  Operation software may be exported or
reexported provided that both of the following conditions
are met:

(A)  The operation software is the minimum
necessary to operate equipment authorized for
export or reexport; and

(B)  The operation software is in object code.
-
mod_ssl is not the "minimum necessary to operate equipment" since 
it's an add-on module; Apache can work without mod_ssl. And part B 
totally confused me, it says that ONLY object code can be exported...

I guess Apache's official policy is "let's not take chances". That 
sucks... Couldn't they hire a legal advisor that could sort this out?

Or easier, can't we just give a call to the BXA and ask them "Does 
object code made from publicly available source code still fall 
under the License Exception TSU?", that would clear up the 
question... We could ask them for a signed letter, and if we get 
problems in the future, we could just show the letter and say that we 
did our homework.

Ok, putting everything on modssl.org/contrib is MUCH MUCH easier.

GFK's
-- 
Guillaume Filion
Logidac Tech., Beaumont, Québec, Canada - http://logidac.com/
PGP Key and more: http://guillaume.filion.org/  (this will redirect)
PGP Fingerprint: 14A6 720A F7BA 6C87 2331 33FD 467E 9198 3DED D5CA



Re: Apache Websphere application server

2002-07-16 Thread Cliff Woolley

On Tue, 16 Jul 2002, arcean wrote:

 my problem is: I don't have the source code of the WebSphere plugin ...

 do you know a way to use mod_ssl without compiling Apache
 or compiling Apache to perfectly support the old way DSO module ??

You'll have to either get IBM to provide you with an EAPI-compiled
WebSphere DSO or set up two copies of Apache, one SSL and one non-SSL.

--Cliff




RE: Apache Websphere application server

2002-07-16 Thread David Marshall

I haven't used WebSphere in over a year, but look to see if they included
2 DSOs: one for SSL and one for non-SSL. 

I know that BEA and others do this, but I can't recall if IBM does or not.

David Marshall

-----Original Message-----
From: arcean [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 16, 2002 9:05 AM
To: [EMAIL PROTECTED]
Subject: Apache  Websphere application server


hello *,

I am trying to make Apache, SSL and WebSphere work together ...

and I have the famous problem
loaded DSO /apps/[..]/mod_app_server.so uses plain Apache api ... this
module might crash ... recompile it with -DEAPI 

my problem is: I don't have the source code of the WebSphere plugin ...

do you know a way to use mod_ssl without compiling Apache 
or compiling Apache to perfectly support the old way DSO module ??

thanks in advance
--
arno






Re: Apache Websphere application server

2002-07-16 Thread Cliff Woolley

On Tue, 16 Jul 2002, arcean wrote:

 yes I've thought about this (when I was testing)
 but the point is: I need to provide HTTPS pages with WebSphere
 and I need to use Apache as front server
 a friend of mine has opened a ticket with IBM ...
 I pray to have an EAPI mod_app_server in return ...

If that doesn't work out, you can just configure it [with rewriterules or
with proxypassreverse] so that the SSL-aware Apache will act as a reverse
proxy for the non-SSL websphereized Apache.

--Cliff




Re: Mod_SSL for Windows 2000/NT/XP

2002-07-16 Thread Brendan Lloyd

I wrote:
 My situation is like Ike's: I too need to install mod_ssl and Open_SSL
 (ie. require secure web transaction capabilities) [on a Windows machine]
 is there a site from which I can download precompiled versions of (or
 an installation Wizard for) the above?

Guillaume replied:
 I guess this is what you're looking for:
 http://www.modssl.org/contrib/Apache_1.3.26-Mod_SSL_2.8.10-OpenSSL_0.9.6d-Win32.zip

I'm somewhat confused.

I downloaded and uncompressed the above archive, and was
delighted to find that mod_ssl was present in the modules directory.

But I couldn't find any openssl.exe and, from what I gather, I need this
executable/toolkit to generate a key pair and CSR?

I'm a bit new to web server security and have just had responsibility
thrust upon me, so I thank you all for your patience :)

Kind regards,
Brendan Lloyd


   I n f o r m a t i o n   S y s t e m s   A n a l y s t
Wollongong UniCentre  PO BOX U100  University of Wollongong NSW 2522
 (02) 4221-8022   fax: (02) 4221-8026   [EMAIL PROTECTED]




Re: Mod_SSL for Windows 2000/NT/XP

2002-07-16 Thread Brendan Lloyd

Brendan wrote:
  I downloaded and uncompressed the above archive, and was
  delighted to find that mod_ssl was present in the modules directory.
 
  But I couldn't find any openssl.exe and, from what I gather, I need this
  executable/toolkit to generate a key pair and CSR?
 
  I'm a bit new to web server security and have just had responsibility
  thrust upon me, so I thank you all for your patience :)

Thanks all, everything now solved (thanks in large part to the realisation
that all the stuff needed is under http://www.modssl.org/contrib AND the
help of a kind soul named Mark Anderson in Queensland Australia).

Thanks again & kind regards,
Brendan Lloyd