ssl renegotiation in post not allowed?
Hello: I'm having a problem using client authentication with POST method. I have an Apache 2.0.43, server side SSL works fine. The browser is an internet explorer 6.0. When I requiere client side authentication I can't POST any data. The error log follows: [Wed Dec 04 15:27:09 2002] [notice] Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6g mod_jk2/2.0.0 configured -- resuming normal operations [Wed Dec 04 15:28:26 2002] [error] Re-negotiation handshake failed: Not accepted by client!? [Wed Dec 04 15:28:26 2002] [error] Spurious SSL handshake interrupt [Hint: Usually just one of those OpenSSL confusions!?] [Wed Dec 04 15:29:03 2002] [error] SSL Re-negotiation in conjunction with POST method not supported! hint: try SSLOptions +OptRenegotiate [Wed Dec 04 15:29:07 2002] [error] SSL Re-negotiation in conjunction with POST method not supported! hint: try SSLOptions +OptRenegotiate [Wed Dec 04 15:29:10 2002] [error] SSL Re-negotiation in conjunction with POST method not supported! hint: try SSLOptions +OptRenegotiate [Wed Dec 04 15:58:30 2002] [notice] caught SIGTERM, shutting down Of course we tried +OptRenegotiate but the problem persist. In Apache changelog this lists as fixed as of version 2.0.37. I have searched the mailing list archives and internet and found similar problems but can't find an answer. I need to get this working as soon as posible. Thanks in advance. Alejandro Dobniewski Siemens Itron Business Services S.A. Desarrollo __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: how to add multiple SSL cert for each virtual host?
At 11:26 PM 12/03/2002, Justin Williams wrote: A whole new error class! RTFM errors and ID-10-T error codes alongside! If nothing else, it would be thoroughly entertaining! In my defense, I ALWAYS RTFM before asking questions like this. HOWEVER, in this case, the httpd.conf APPEARS to indicate that this type of configuration/support should be possible. So, being the curious, technical type of person that I am, I'd probably just start trying to make it work even before RTFMing to find that it's not actually supported. MUCH wasted time if I hadn't stumbled upon this conversation in this group. I'm of the opinion that it would be "NICE" if there was some info about this in the httpd.conf file on top of the manual and FAQ's. Note that I only say it would be "NICE". I'd still end up going to the manual and FAQ before posting such a question. I certainly don't mind the extra work, considering the absolutely awesome price of the product. ;) - hawk On Wednesday 04 December 2002 12:17 pm, Boyle Owen wrote: > From: Cliff Woolley [mailto:[EMAIL PROTECTED]] > > >But please, people, this is SUCH a frequently asked question. > >Definitely one of the top three. > > I'd say it is THE most frequently asked question (but I can't be > bothered scanning the archives to prove it :-) > > The FAQ (http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47) is all very > well, but it is rather technical for a newbie and, having been written > by someone for whom English is a second language, is not as illuminating > as it might be. I had a go a re-writing it a few years ago > (http://marc.theaimsgroup.com/?l=apache-modssl&m=98559369910170&w=2) so > maybe we could start there... > > However, given the tendency of people to read the instructions only if > all else fails, putting a warning in the default config sounds like a > good idea. Putting an error message in the source-code would be even > better! > > Rgds, > > Owen Boyle > > This message is for the named person's use only. It may contain > confidential, proprietary or legally privileged information. No > confidentiality or privilege is waived or lost by any mistransmission. > If you receive this message in error, please notify the sender urgently > and then immediately delete the message and any copies of it from your > system. Please also immediately destroy any hardcopies of the message. > You must not, directly or indirectly, use, disclose, distribute, print, > or copy any part of this message if you are not the intended recipient. > The sender's company reserves the right to monitor all e-mail > communications through their networks. Any views expressed in this > message are those of the individual sender, except where the message > states otherwise and the sender is authorised to state them to be the > views of the sender's company. > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Mod_ssl in apache 2.X
Didn't read any of the documentation in that tarball did ya? INSTALL [SNIP] For a short impression of what possibilities you have, here is a typical example which configures Apache for the installation tree /sw/pkg/apache with a particular compiler and flags plus the two additional modules mod_rewrite and mod_speling for later loading through the DSO mechanism: $ CC="pgcc" CFLAGS="-O2" \ ./configure --prefix=/sw/pkg/apache \ --enable-rewrite=shared \ --enable-speling=shared The easiest way to find all of the configuration flags for Apache 2.0 is to run ./configure --help. [SNIP] The new apache is not the best as far as documentation concerns, certainly not up to the documentation that the older apache with or without mod-ssl integration, but, there is info to be gleened, if one looks. How about the apache web pages, read that at all? Now you have to do some work on your own, you can't expect others to do it all for you and remain lazy. Thanks, Ron DuFresne On Wed, 4 Dec 2002, Johan Bryssling wrote: > Hi! > > I have a couple of questions: > > If mod_ssl is included in apache2.x why doesnt it show up in the modulelist > when I use: > > %> httpd -l > > ? > > If it's not "included" when I "default" compile (using the INSTALL-file > instructions), how do I know how to compile in the mod_ssl into the apache > (if this is my first time)? > > Where do I find information about these things, I certanly dont install > apache at a regulary basis.. ;-) > > I noted a default config file for SSL (I also found an include into the > httpd.config-file) and used the command: > > %>httpd -DSSL -k start > > .. but it(apache) couldnt find the mod_ssl.. Why? If it's included I > shouldnt bother or?... Something I missed? > > All help will be appricated. > > Thanks... > > /Johan > > ps. Thinking of using Apache 1.3.7 instead due to the extended source of > good documentation... > > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] > -- ~~ admin & senior security consultant: sysinfo.com http://sysinfo.com "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart testing, only testing, and damn good at it too! __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Mod_ssl in apache 2.X
Hi! I have a couple of questions: If mod_ssl is included in apache2.x why doesnt it show up in the modulelist when I use: %> httpd -l ? If it's not "included" when I "default" compile (using the INSTALL-file instructions), how do I know how to compile in the mod_ssl into the apache (if this is my first time)? Where do I find information about these things, I certanly dont install apache at a regulary basis.. ;-) I noted a default config file for SSL (I also found an include into the httpd.config-file) and used the command: %>httpd -DSSL -k start .. but it(apache) couldnt find the mod_ssl.. Why? If it's included I shouldnt bother or?... Something I missed? All help will be appricated. Thanks... /Johan ps. Thinking of using Apache 1.3.7 instead due to the extended source of good documentation... __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: how to add multiple SSL cert for each virtual host?
On Wed, Dec 04, 2002 at 01:17:12PM +0100, Boyle Owen wrote: > >From: Cliff Woolley [mailto:[EMAIL PROTECTED]] > > > >But please, people, this is SUCH a frequently asked question. > >Definitely one of the top three. > > I'd say it is THE most frequently asked question (but I can't be > bothered scanning the archives to prove it :-) > Yeah, I think so too. > The FAQ (http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47) is all very > well, but it is rather technical for a newbie and, having been written > by someone for whom English is a second language, is not as illuminating > as it might be. I had a go a re-writing it a few years ago > (http://marc.theaimsgroup.com/?l=apache-modssl&m=98559369910170&w=2) so > maybe we could start there... > Yes, I'll add it to the 2.x docs. > However, given the tendency of people to read the instructions only if > all else fails, putting a warning in the default config sounds like a > good idea. Putting an error message in the source-code would be even > better! > I'm pretty sure there already is (at least in 1.3) but that requires people to read the error_log. vh Mads Toftum -- `Darn it, who spiked my coffee with water?!' - lwall __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: how to add multiple SSL cert for each virtual host?
A whole new error class! RTFM errors and ID-10-T error codes alongside! If nothing else, it would be thoroughly entertaining! On Wednesday 04 December 2002 12:17 pm, Boyle Owen wrote: > From: Cliff Woolley [mailto:[EMAIL PROTECTED]] > > >But please, people, this is SUCH a frequently asked question. > >Definitely one of the top three. > > I'd say it is THE most frequently asked question (but I can't be > bothered scanning the archives to prove it :-) > > The FAQ (http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47) is all very > well, but it is rather technical for a newbie and, having been written > by someone for whom English is a second language, is not as illuminating > as it might be. I had a go a re-writing it a few years ago > (http://marc.theaimsgroup.com/?l=apache-modssl&m=98559369910170&w=2) so > maybe we could start there... > > However, given the tendency of people to read the instructions only if > all else fails, putting a warning in the default config sounds like a > good idea. Putting an error message in the source-code would be even > better! > > Rgds, > > Owen Boyle > > This message is for the named person's use only. It may contain > confidential, proprietary or legally privileged information. No > confidentiality or privilege is waived or lost by any mistransmission. > If you receive this message in error, please notify the sender urgently > and then immediately delete the message and any copies of it from your > system. Please also immediately destroy any hardcopies of the message. > You must not, directly or indirectly, use, disclose, distribute, print, > or copy any part of this message if you are not the intended recipient. > The sender's company reserves the right to monitor all e-mail > communications through their networks. Any views expressed in this > message are those of the individual sender, except where the message > states otherwise and the sender is authorised to state them to be the > views of the sender's company. > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List [EMAIL PROTECTED] > Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: how to add multiple SSL cert for each virtual host?
>From: Cliff Woolley [mailto:[EMAIL PROTECTED]] > >But please, people, this is SUCH a frequently asked question. >Definitely one of the top three. I'd say it is THE most frequently asked question (but I can't be bothered scanning the archives to prove it :-) The FAQ (http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47) is all very well, but it is rather technical for a newbie and, having been written by someone for whom English is a second language, is not as illuminating as it might be. I had a go a re-writing it a few years ago (http://marc.theaimsgroup.com/?l=apache-modssl&m=98559369910170&w=2) so maybe we could start there... However, given the tendency of people to read the instructions only if all else fails, putting a warning in the default config sounds like a good idea. Putting an error message in the source-code would be even better! Rgds, Owen Boyle This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: how to add multiple SSL cert for each virtual host?
Hawk: Here is more info on why did doesn't work: http://www.ensim.com/support/sxc/faqs/4.10.html --- Shawn Syms | Systems Administrator Infinet Communications | [EMAIL PROTECTED] --- -Original Message- From: Hack Hawk [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 03, 2002 3:35 PM To: [EMAIL PROTECTED] Subject: RE: how to add multiple SSL cert for each virtual host? What?!?!?! Are you absolutely sure about this? SSL certs are based on the Domain Name,,, NOT the IP address. It stands to reason that it would be possible for virtual hosts/domains to have their own certs. Perhaps modssl doesn't support it, but I think that in theory it's possible. - hawk At 10:24 AM 12/03/2002, you wrote: >Multiple SSL certs for name-based virtual hosts aren't possible based upon >the way SSL is designed. Each site requiring a separate cert must have it's >own IP address. > >--- >Shawn Syms | Systems Administrator >Infinet Communications | [EMAIL PROTECTED] >--- > > > >-Original Message- >From: Thomas Sandor [mailto:[EMAIL PROTECTED]] >Sent: Tuesday, December 03, 2002 1:20 PM >To: [EMAIL PROTECTED] >Subject: how to add multiple SSL cert for each virtual host? > > >hi everyone, > >I have an apache 2.0.40 installed on a RedHat 7.2 box, complied with ssl >(openssl 0.9.6g). >Till now I had only one domain for which apache should use SSL cert files >(crt, key), but for our next project I have to add another SSL cert file a >specific domain. > >I have NameVirtualHost 12.34.56.78 and have a list of for >each of our domain, using ServerNamed base aliases, but for the ssl conf it >ain't works. In my ssl.conf in short looks like this: > >NameVirtualHost 12.34.56.78:443 > > > ServerName domain1.com > CustomLog "..." > ErrorLog "..." > SSLEngine on > SSLCertificateFile "/somewhere/ssl.crt/domain1.crt" > SSLCertificateKeyFile "somewhere/ssl.key/domain1.key" > > > > ServerName domain2.com > CustomLog "..." > ErrorLog "..." > SSLEngine on > SSLCertificateFile "/somewhere/ssl.crt/domain2.crt" > SSLCertificateKeyFile "somewhere/ssl.key/domain2.key" > > >The problem is that apache does not serve domain2 cert files for domain2, it >uses the first declaration for every https://domainX.com invoke. Does anyone >know how to tell apache to uses specific SSL cert I'd like to define for >each of my virtualhosts? > >Thanks in advance for any help. > >Regards, >Thomas > >__ >Apache Interface to OpenSSL (mod_ssl) www.modssl.org >User Support Mailing List [EMAIL PROTECTED] >Automated List Manager[EMAIL PROTECTED] >__ >Apache Interface to OpenSSL (mod_ssl) www.modssl.org >User Support Mailing List [EMAIL PROTECTED] >Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: mod_ssl and mod_jk (Win32)
Answering my own question in case anyone else ever encounters this: Modify Tomcat's server.xml specifying scheme="https" (rather than scheme="http") for the Connector used to wire Apache and Tomcat. Paul Christmann wrote: Environment: Running Apache 2.0.43/OpenSSL 9.6.g as downloaded from hunter.campbus.com and mod_jk 1.2.1 for build 2.0.43 from jakarta. Problem: When I access the URL https://localhost/app, I *hope* to get the contents of index.html (i.e., https://localhost/app/index.html). Instead, my browser (Mozilla 1.0) reports a "Bad Request" error, indicating that there was a protocol error in accessing the URL "http://localhost:443/app/index.html";. Of course there will be a protocol error -- using http to talk to the https port! Any ideas where that error might come from? I assume its something happening with a redirect in Tomcat. FWIW: Each of the following URLs work fine (right now, I have Apache configured to take all connections either from http or https and forward to Tomcat): + http://localhost/app + http://localhost/app/index.html + https://localhost/app/index.html Its only the https://localhost/app URL that's failing. Thanks for any assistance, Paul Christmann __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]