RE: Port-based questions?
See below,

Rgds,
Owen Boyle

From: Jay States [mailto:[EMAIL PROTECTED]]

> I would like to clear up port-based hosting for mod-ssl:
>
> 1. https looks for port 443, but you can change that to any port with modification to the apache configure file and also as long as you specify the port in the url (https://sample.com:445).

Exactly correct. You need to say "Listen 445" in the config and define a VH like <VirtualHost 192.168.1.1:445>. Then you have to use the port in the URL, as you show (to a browser, https means "establish an SSL session with the following server; unless the port is specified, use port 443").

> 2. Mod-ssl does not work for name based hosting...

Kind of the other way around: NBVHing doesn't work with SSL. The reason is that SSL encrypts all the contents of the TCP/IP packet so the traffic has to be routed using only TCP/IP attributes, i.e. IP address and Port number. The Host header (which is needed for NBVHing) is an HTTP attribute, i.e. it is inside the packet and so is encrypted so you can't use it to route packets.

> We must use ports in order for it to work.

Yes-ish.. You must distinguish SSL VHs by TCP/IP attributes, i.e. each VH must have a unique IP address:Port pair.

> 3. Can you specify more than one port to bind https? What if you only have 1 ip address and 10 different domain names. What do you do then? Place the domain names behind your firewall and use a class a,b or c ip addresses?

You'd have to use 10 different ports. But you would have to specify the ports in the public URLs. I'm not sure what you're getting at with the FW idea... You can't get away with address translation in the FW adding on the port numbers since the packets are already encrypted when they arrive at the FW.

Having said that, I was astonished some months ago when someone reported a hardware gadget which could route SSL traffic by hostname. It is a kind of SSL router which you put between your server and the internet. I don't know how it works - maybe you have to give it your private server keys so it can decrypt the incoming traffic. I've also forgotten what it was called! Search the archives on this list for SSL routers, hardware etc.. Maybe someone else can remember the link to this gadget?

> 4. If mod-ssl can be placed on more than one port what does the config file look like, I keep getting errors. All the docs I've read said that name-based virtual do not work.

Because they don't.

> They do not say that multiple ports can not be specified.

Because they can:

    Listen 192.168.1.1:445
    <VirtualHost 192.168.1.1:445>
        SSLEngine on
        SSLCertificateFile ...
        SSLCertificateKeyFile ...
        DocumentRoot ...
        # etc..
    </VirtualHost>

    Listen 192.168.1.1:446
    <VirtualHost 192.168.1.1:446>
        SSLEngine on
        SSLCertificateFile ...
        SSLCertificateKeyFile ...
        DocumentRoot ...
        # etc..
    </VirtualHost>

Note: no need for NameVirtualHost, no need for ServerName.

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Verisign Global Server ID requires Stronghold
Hello,

We're making here one secure site and we ordered from Verisign their Global Server ID and there in ordering form it says that these ID's are available for platforms like C2Net Apache Stronghold, IBM, Netscape etc.

So do I really have to buy for $1000 USD Stronghold and $700 costing RedHat or I can use this ID on free Apache/mod_ssl too? I found out that Stronghold also bases on mod_ssl and I didn't find any articles saying that these ID's don't work on free servers.

Please enlighten me on this.

Rgds,
Viljo
Re: Verisign Global Server ID requires Stronghold
On Tue, Jul 30, 2002 at 11:10:01AM +0300, Viljo Marrandi wrote:

> Hello,
>
> We're making here one secure site and we ordered from Verisign their Global Server ID and there in ordering form it says that these ID's are available for platforms like C2Net Apache Stronghold, IBM, Netscape etc.
>
> So do I really have to buy for $1000 USD Stronghold and $700 costing RedHat or I can use this ID on free Apache/mod_ssl too? I found out that Stronghold also bases on mod_ssl and I didn't find any articles saying that these ID's don't work on free servers.
>
> Please enlighten me on this.

They will work just as well on apache with mod_ssl.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Verisign Global Server ID requires Stronghold
You can use Apache+mod_ssl as well - we use fe. Put Stronghold into platform.

Regards,
Märt

On 30 Jul 2002 at 11:10, Viljo Marrandi wrote:

> Hello,
>
> We're making here one secure site and we ordered from Verisign their Global Server ID and there in ordering form it says that these ID's are available for platforms like C2Net Apache Stronghold, IBM, Netscape etc.
>
> So do I really have to buy for $1000 USD Stronghold and $700 costing RedHat or I can use this ID on free Apache/mod_ssl too? I found out that Stronghold also bases on mod_ssl and I didn't find any articles saying that these ID's don't work on free servers.
>
> Please enlighten me on this.
>
> Rgds,
> Viljo
mkraemer@www.engelschall.com
Hello Ralf,

I am having trouble connecting via ssh to {www,en5}.engelschall.com and www.openssl.org. My login there was [EMAIL PROTECTED], and my RSA1 pub key was in my authorized_keys, yet the machine no longer lets me in. What has changed? Could you perhaps put my DSA public key into my authorized_keys? I am attaching it.

Many thanks,
Martin
--
[EMAIL PROTECTED] | Fujitsu Siemens
Fon: +49-89-636-46021, FAX: +49-89-636-47655 | 81730 Munich, Germany
Does Verisign Global Server ID requires Stronghold?
Hello,

Before I wasn't subscribed to the list, so sorry if this comes twice.

We're making here one secure site and we ordered from Verisign their Global Server ID and there in ordering form it says that these ID's are available for platforms like C2Net Apache Stronghold, IBM, Netscape etc.

So do I really have to buy for $1000 USD Stronghold and $700 costing RedHat or I can use this ID on free Apache/mod_ssl too? I found out that Stronghold also bases on mod_ssl and I didn't find any articles saying that these ID's don't work on free servers.

Please enlighten me on this.

Rgds,
Viljo
Re: Does Verisign Global Server ID requires Stronghold?
- Original Message -
From: Viljo Marrandi [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, July 30, 2002 3:19 PM
Subject: Does Verisign Global Server ID requires Stronghold?

> Hello,
>
> Before I wasn't subscribed to the list, so sorry if this comes twice.
>
> We're making here one secure site and we ordered from Verisign their Global Server ID and there in ordering form it says that these ID's are available for platforms like C2Net Apache Stronghold, IBM, Netscape etc.
>
> So do I really have to buy for $1000 USD Stronghold and $700 costing RedHat or I can use this ID on free Apache/mod_ssl too? I found out that Stronghold also bases on mod_ssl and I didn't find any articles saying that these ID's don't work on free servers.
>
> Please enlighten me on this.

Trust me, you can use these global server id's as well for plain old Apache with mod_ssl, I've used them myself.

Question is whether you really want a global server id? The only difference (besides price) between the two is that the global server id lets your clients step-up to 128 bit encryption IF the client is an older export-crippled browser (IE 5.01, NS 4.5). The standard secure server id also can do 128 bit encryption if the client browser is 128 bit native.

If your clients all use relatively modern browsers (IE 5.0 and NN 4.5) then you don't need to spend the extra cash, your clients can use the secure server id and have strong encryption.

hth
Meint
Re: Verisign Global Server ID requires Stronghold
Hi!

On Tue, Jul 30, 2002 at 12:09:42PM +0200, Mads Toftum wrote:

> They will work just as well on apache with mod_ssl.

Note that for them to work properly you have to follow Verisign's installation instructions, as browsers will not recognize Verisign's signature if you forget to install the intermediate certificate for the global server IDs.

Ciao
Thomas
OpenSSL Security Advisory [30 July 2002]
Hi,

FYI - don't sue me for posting this here - I know, everyone who needs this info *should* have it already, but maybe not ;-)

Kind regards,
B. Courtin

--

OpenSSL Security Advisory [30 July 2002]

This advisory consists of two independent advisories, merged, and is an official OpenSSL advisory.

Advisory 1
==========

A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) are conducting a security review of OpenSSL, under the DARPA program CHATS.

Vulnerabilities
---------------

All four of these are potentially remotely exploitable.

1. The client master key in SSL2 could be oversized and overrun a buffer. This vulnerability was also independently discovered by consultants at Neohapsis (http://www.neohapsis.com/) who have also demonstrated that the vulnerability is exploitable. Exploit code is NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and overrun a stack-based buffer. This issue only affects OpenSSL 0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4. Various buffers for ASCII representations of integers were too small on 64 bit platforms.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0657 to issue 3, and CAN-2002-0655 to issue 4.

In addition various potential buffer overflows not known to be exploitable have had assertions added to defend against them.

Who is affected?
----------------

Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or current development snapshots of 0.9.7 to provide SSL or TLS is vulnerable, whether client or server. 0.9.6d servers on 32-bit systems with SSL 2.0 disabled are not vulnerable.

SSLeay is probably also affected.

Recommendations
---------------

Apply the attached patch to OpenSSL 0.9.6d, or upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL to provide SSL or TLS.

A patch for 0.9.7 is available from the OpenSSL website (http://www.openssl.org/).

Servers can disable SSL2, alternatively disable all applications using SSL or TLS until the patches are applied. Users of 0.9.7 pre-release versions with Kerberos enabled will also have to disable Kerberos.

Client should be disabled altogether until the patches are applied.

Known Exploits
--------------

There are no known exploits available for these vulnerabilities. As noted above, Neohapsis have demonstrated internally that an exploit is possible, but have not released the exploit code.

References
----------

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657

Acknowledgements
----------------

The project leading to this advisory is sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537.

The patch and advisory were prepared by Ben Laurie.

Advisory 2
==========

Vulnerabilities
---------------

The ASN1 parser can be confused by supplying it with certain invalid encodings.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-0659 to this issue.

Who is affected?
----------------

Any OpenSSL program which uses the ASN1 library to parse untrusted data. This includes all SSL or TLS applications, those using S/MIME (PKCS#7) or certificate generation routines.

Recommendations
---------------

Apply the patch to OpenSSL, or upgrade to OpenSSL 0.9.6e. Recompile all applications using OpenSSL.

Users of 0.9.7 pre-release versions should apply the patch or upgrade to 0.9.7-beta3 or later. Recompile all applications using OpenSSL.

Exploits
--------

There are no known exploits for this vulnerability.

References
----------

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659

Acknowledgements
----------------

This vulnerability was discovered by Adi Stav [EMAIL PROTECTED] and James Yonan [EMAIL PROTECTED] independently. The patch is partly based on a version by Adi Stav.

The patch and advisory were prepared by Dr. Stephen Henson.

Combined patches for OpenSSL 0.9.6d:
http://www.openssl.org/news/patch_20020730_0_9_6d.txt

Combined patches for OpenSSL 0.9.7 beta 2:
http://www.openssl.org/news/patch_20020730_0_9_7.txt

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20020730.txt
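Added example (not part of the advisory or of the post that forwarded it): a Python triage of `openssl version` banners against the advisory's "Who is affected?" text, including the one carve-out it states for Advisory 1. The host names, banner strings, the version grammar, and the decision to treat every `-dev` snapshot as unpatched are assumptions made for this sketch.

```python
import re

# Version grammar assumed here: "0.9.6", "0.9.6d", "0.9.7-beta2", "0.9.7-dev".
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta|dev)(\d*))?$")


def parse_version(text):
    """Split a version string into (base tuple, letter, pre-release tag, number)."""
    m = _VERSION.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    pre_num = int(m.group(6)) if m.group(6) else 0
    return base, m.group(4), m.group(5), pre_num


def needs_patch(version):
    """True when the advisory's 'Who is affected?' text covers this version."""
    base, letter, pre, pre_num = parse_version(version)
    if base < (0, 9, 6):
        return True                  # "0.9.6d or earlier"
    if base == (0, 9, 6):
        return letter < "e"          # fixed in 0.9.6e; plain 0.9.6 has letter ""
    if base == (0, 9, 7):
        if pre == "dev":
            return True              # snapshot of unknown date: assumed unpatched
        if pre == "beta":
            return pre_num < 3       # fixed in 0.9.7-beta3
    return False


def triage(banner, server_only=False, ssl2_enabled=True, is_64bit=True):
    """Map one `openssl version` banner to the advisories that still apply."""
    version = banner.split()[1]
    if not needs_patch(version):
        return []
    # Advisory 1 carve-out, quoted from the text: "0.9.6d servers on 32-bit
    # systems with SSL 2.0 disabled are not vulnerable". Advisory 2 (ASN1
    # parser) states no such exception, so it is always reported.
    exempt = (version == "0.9.6d" and server_only
              and not ssl2_enabled and not is_64bit)
    findings = [] if exempt else ["Advisory 1: CAN-2002-0655/0656/0657"]
    findings.append("Advisory 2: CAN-2002-0659")
    return findings


# Constructed inventory: host names, banners and build dates are made up.
SAMPLE_HOSTS = {
    "web1": ("OpenSSL 0.9.6d 9 May 2002", dict()),
    "web2": ("OpenSSL 0.9.6d 9 May 2002",
             dict(server_only=True, ssl2_enabled=False, is_64bit=False)),
    "web3": ("OpenSSL 0.9.6e 30 Jul 2002", dict()),
    "dev1": ("OpenSSL 0.9.7-beta2 16 Jun 2002", dict()),
}


def triage_inventory(hosts=SAMPLE_HOSTS):
    """Return {host: [advisories still applicable]} for the whole inventory."""
    return {name: triage(banner, **opts) for name, (banner, opts) in hosts.items()}


if __name__ == "__main__":
    for host, findings in triage_inventory().items():
        print(host, "->", findings or "patched")
```

Even the exempt 0.9.6d server (web2) still reports Advisory 2, which is why the advisory's recommendation is to patch or upgrade rather than rely on disabling SSL 2.0.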
using rewrite with mod_ssl
i have successfully limited access to a directory using mod_ssl. meaning that the files in that directory will only show when it uses ssl protocol. but when it doesn't use ssl protocol but just, http://hostname/manual, it gives me a page can't be displayed message.

i thought that with the rewrite, it would automatically send it to the ssl protocol (https://hostname/manual). am i wrong to think this?

this is the rewrite statement i have in my httpd.conf

    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/manual/(.*) https://%{SERVER_NAME}/$1 [L,R]

how can i set up my server so that when someone goes to http://hostname/manual, they will automatically get redirected?

Peter Choe
Re: using rewrite with mod_ssl
If you cut and pasted that straight from your config then you have a typo in the rule.

Instead of:

    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/manual/(.*) https://%{SERVER_NAME}/$1 [L,R]

try

    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(manual/.*) https://%{SERVER_NAME}/$1 [L,R]

Peter Choe wrote:

> i have successfully limited access to a directory using mod_ssl. meaning that the files in that directory will only show when it uses ssl protocol. but when it doesn't use ssl protocol but just, http://hostname/manual, it gives me a page can't be displayed message.
>
> i thought that with the rewrite, it would automatically send it to the ssl protocol (https://hostname/manual). am i wrong to think this?
>
> this is the rewrite statement i have in my httpd.conf
>
>     RewriteCond %{SERVER_PORT} !^443$
>     RewriteRule ^/manual/(.*) https://%{SERVER_NAME}/$1 [L,R]
>
> how can i set up my server so that when someone goes to http://hostname/manual, they will automatically get redirected?
>
> Peter Choe
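Added example (not part of either post, and not Apache's own code): a small Python model of the two rule pairs quoted above, showing what each one sends back for a few request paths. The `hypothetical` pattern, the sample paths and the server name `hostname` are assumptions added here to cover the request without a trailing slash; Python's `re` stands in for Apache's regex engine, which behaves the same for these patterns.

```python
import re

# Patterns and substitutions. "original" and "suggested" are copied from the
# thread; "hypothetical" is an added variant, not something either poster wrote.
RULES = {
    "original": (r"^/manual/(.*)", "https://%{SERVER_NAME}/$1"),
    "suggested": (r"^/(manual/.*)", "https://%{SERVER_NAME}/$1"),
    "hypothetical": (r"^/(manual(/.*)?)$", "https://%{SERVER_NAME}/$1"),
}


def redirect_target(rule_name, path, server_port=80, server_name="hostname"):
    """Return the Location a rule would redirect to, or None if it does not fire."""
    pattern, substitution = RULES[rule_name]
    # RewriteCond %{SERVER_PORT} !^443$ : skip requests that arrived on 443.
    if re.search(r"^443$", str(server_port)):
        return None
    match = re.search(pattern, path)
    if match is None:
        return None
    expanded = substitution.replace("%{SERVER_NAME}", server_name)
    # Expand $N back-references from the RewriteRule pattern.
    return re.sub(r"\$(\d)",
                  lambda m: match.group(int(m.group(1))) or "",
                  expanded)


# Constructed request paths for the comparison.
SAMPLE_PATHS = ["/manual/mod/mod_ssl.html", "/manual/", "/manual", "/manuals"]


def compare(paths=SAMPLE_PATHS, server_port=80):
    """Return {path: {rule_name: target-or-None}} for every rule."""
    return {
        path: {name: redirect_target(name, path, server_port) for name in RULES}
        for path in paths
    }


if __name__ == "__main__":
    for path, results in compare().items():
        print(path)
        for name, target in results.items():
            print(f"  {name:<12} -> {target}")
```

The original rule captures only what follows `/manual/`, so the redirect lands outside the protected directory; neither quoted pattern matches the slashless `/manual` on its own.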
relation between apache-modssl-libMM
Hi ppl,

Due to some security issues with openssl and the issue with libMM giving away a root account on systems where you can get a shell as the user apache is running as i'm forced to do some minor upgrades :)

I'm trying to figure out the relationship with libMM, ldd on the libssl.so module and on the httpd binary returns that openssl is dynamically linked, great...but what about libMM? Since it doesn't show up it's static linked, but are the functions linked in the ssl module or do i have to replace the whole httpd binary?

Anyway any idea, i get the idea that the libMM is used in the general EAPI interface, concluding that mm functions are used in the httpd binary..and all other modules?

If anyone can shed some light on this?

Frank
relation between apache-modssl-libMM
I am away from the office until the Monday 5th August 2002. I will get back to you as soon as I can on my return.

If it's an urgent Online Learning Support Unit / Web / MUBSWEB / MUBS Online matter that requires urgent attention then please contact either Sanjay1 or Jeff1 who should be able to help.

All the best
Alex
mod_ssl newbie
Hello,

I am new to the ssl world. Right now I am running w2k with apache 1.3.23 web server. I downloaded the mod_ssl package from the website. I changed the port on my apache web server to 443. On a high level what do i need to do to create a secure web server?

I guess my real problem is i don't know what ssl does for me. What i am looking for is something that can password protect the files on my server. I want to let specific people access my site and that is it. They must have a password to use it. Is mod_ssl what i want or should i be looking elsewhere?

thanks for any input,
brian
Re: mod_ssl newbie
For that you do not want SSL. Check out:

http://httpd.apache.org/docs-2.0/howto/auth.html

For an introduction to SSL and Apache, you can check out a chapter I have online:

http://apacheworld.org/ty24/site.chapter17.html

Cheers
Daniel

On Tue, Jul 30, 2002 at 02:37:14PM -0500, Henning, Brian wrote:

> Hello,
>
> I am new to the ssl world. Right now I am running w2k with apache 1.3.23 web server. I downloaded the mod_ssl package from the website. I changed the port on my apache web server to 443. On a high level what do i need to do to create a secure web server?
>
> I guess my real problem is i don't know what ssl does for me. What i am looking for is something that can password protect the files on my server. I want to let specific people access my site and that is it. They must have a password to use it. Is mod_ssl what i want or should i be looking elsewhere?
>
> thanks for any input,
> brian
Re: mod_ssl newbie
you probably want to look at .htaccess which would prompt people for userid and password to access certain parts of your webserver.

ssl provides encryption so that data being sent back and forth between your server and the client can't be easily read.

At 03:37 PM 7/30/2002, you wrote:

> Hello,
>
> I am new to the ssl world. Right now I am running w2k with apache 1.3.23 web server. I downloaded the mod_ssl package from the website. I changed the port on my apache web server to 443. On a high level what do i need to do to create a secure web server?
>
> I guess my real problem is i don't know what ssl does for me. What i am looking for is something that can password protect the files on my server. I want to let specific people access my site and that is it. They must have a password to use it. Is mod_ssl what i want or should i be looking elsewhere?
>
> thanks for any input,
> brian

Peter Choe
Re: mod_ssl newbie
Many people seem to have the impression that security=ssl enabled, and in some ways it does enhance security, but, it's certainly by no means the end of the game, nor the beginning.

security begins with the OS install. Not adding packages known to be exploitable (redhat is the M$ of the linux world these days, a kitchen sink of exploitable packages in the defaults available), closing out un-needed services (not using NFS, then turn it off, disable it via the kernel rebuild process, etc), replacing telnet, ftp and the R* commands with ssh/scp, setting proper permissions throughout the directory structure to limit local exposures and abilities. Of course the game gets tougher once you allow others onto the system, once a person has a shell on the box, they have many more routes to compromise the system, so, trust begins to play a larger and larger role.

so, to more directly answer your question, no mod-ssl is not going to fit your needs completely here. It begins at the administration level. Think of ssl enabled transactions as more of a secure tunnel for the protection of the exchange of information, i.e. credit card info, other private personal information in an encrypted tunnel over the public network. For those with actual login capabilities on your system, you have a whole other set of worms to fish up and out. Even a ssl secured web server with open exploitable services running on other tcp/ip or udp ports will leave you 0w3d in short order. The system you are attempting to secure should not even touch the internet until *after* it has been properly configured and secured.

Here's a reading list to get you started:

http://rr.sans.org/
http://www.interhack.net/pubs/fwfaq/
http://geodsoft.com/howto/harden/
http://www.nfr.com/forum/publications.html
http://www.ticm.com/info/insider/members/fwsecfaq/index.html
http://www.avolio.com/columns/15.html
http://www.wilyhacker.com/
http://www.jmu.edu/computing/runsafe/
http://csrc.nist.gov/itsec/guidance_W2Kpro.html
http://www.networkcomputing.com/1120/1120ws1.html
http://www.Linux-Sec.net/Policy/
http://www.pc-help.org/obscure.htm
http://www.monkeys.com/security/proxies/
http://nms-cgi.sourceforge.net/
http://www.cgisecurity.com/articles/
http://www.apacheweek.com/features/security-13
http://www.cgisecurity.net/papers/

Thanks,
Ron DuFresne

On Tue, 30 Jul 2002, Henning, Brian wrote:

> Hello,
>
> I am new to the ssl world. Right now I am running w2k with apache 1.3.23 web server. I downloaded the mod_ssl package from the website. I changed the port on my apache web server to 443. On a high level what do i need to do to create a secure web server?
>
> I guess my real problem is i don't know what ssl does for me. What i am looking for is something that can password protect the files on my server. I want to let specific people access my site and that is it. They must have a password to use it. Is mod_ssl what i want or should i be looking elsewhere?
>
> thanks for any input,
> brian

--
~~
admin senior security consultant: sysinfo.com http://sysinfo.com

Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart

testing, only testing, and damn good at it too!
mod_ssl and mod_jk
i am trying to get mod_jk to work with mod_ssl. i am able to compile mod_jk. but when i try to start apache and i have mod_jk and mod_ssl enabled, i get a message saying that apache cannot start. if i have one or the other, apache can start.

is this a known problem? how can i fix this?

Peter Choe
Error message help
Hi all,

I'm new to the list and to mod_ssl, and well ssl in general, so I hope you'll forgive what may be dumb questions.

I've been tasked with setting up a ssl site for a small company that wants to sell online. I've never done anything other than plain sites before, so I'm having to learn. I've done what all the docs have told me to, as near as I can tell, and I've gotten pretty far along. I'm still fuzzy on the exact syntax of the directives, but I've gotten it nearly working I think. This is all being done on a stock Caldera 3.11 server box.

Now, the error I'm getting now that I can't seem to find any help on, in the error_log is:

    OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long

I've googled on it, and searched FAQ's, etc, and nothing of help has appeared. I'd appreciate some help on this, I hate when I can't find help in the docs, I hate having to bother anyone.

Thanks
--
Matt