RE: sorry all, test
Nope.. It didn't work. We didn't see anything.

-Original Message-
From: Kyle O'Donnell [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 12 January 2003 12:41
To: [EMAIL PROTECTED]
Subject: sorry all, test

> test

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company.
Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)
On Sun, Jan 12, 2003 at 09:23:27PM -0600, Barry Smoke wrote:
> o.k...you have my attention now... wildcard certificate?
> Can wildcard certificates be purchased, or is this only if you are self signing?

According to Thawte's website they still issue wildcard certs.

> I sure would like to buy one certificate, and have all my subdomains on my main domain recognize it without a warning window popping up for internet customers...

YMMV - some versions of MSIE do not accept wildcard certs because M$ decided to stop doing that for a couple of releases.

> https://arhosting.com
> https://www.arhosting.com
> https://secure.arhosting.com
> https://www.secure.arhosting.com
> I would like to cover all of my bases with one certificate...
> Is this possible?

*arhosting.com should probably do it.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
RE: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)
I believe you can get wildcard certs from Thawte. Check out their site.

NB - wildcards are like *.acme.com so www1.acme.com, www2.acme.com etc all work. You cannot get *.*.com to work in any case.

Rgds,
Owen Boyle

-Original Message-
From: Barry Smoke [mailto:[EMAIL PROTECTED]]
Sent: Monday, 13 January 2003 04:23
To: [EMAIL PROTECTED]
Subject: RE: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

> > These NBVHs are all derived off the same 3rd-level domain, and thus we can use the same wildcard certificate for each NBVH (users whose browsers don't recognise wildcard certificates need only placate the browser once in most cases).
>
> o.k...you have my attention now... wildcard certificate?
> Can wildcard certificates be purchased, or is this only if you are self signing?
>
> I sure would like to buy one certificate, and have all my subdomains on my main domain recognize it without a warning window popping up for internet customers...
>
> https://arhosting.com
> https://www.arhosting.com
> https://secure.arhosting.com
> https://www.secure.arhosting.com
> I would like to cover all of my bases with one certificate...
> Is this possible?
RE: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)
-Original Message-
From: James Collier [mailto:[EMAIL PROTECTED]]

> I realise I am on thin ice as it would be a reasonable optimisation to assign the final virtual host at an earlier stage than is currently the case with SSL.

I wouldn't worry too much. Currently, in an SSL transaction, *all* information is regarded as requiring encryption - including the Host header in the original request. So the SSL session has to be established before any traffic takes place. Anything different (e.g. putting the host header in the SSL layer) would be a major revision of the protocol.

One of two things will happen first:

- IPv6 will take off, creating so many IP addresses that NBVH will be unnecessary and we will revert to one site, one IP.
- A new SSL-like protocol will appear which promotes the site name to the SSL layer thus enabling NBVH.

Either way, you'll need substantially to upgrade and reconfigure your server so you'll be well aware of the changes.

Rgds,
Owen Boyle
Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)
Sorry - I didn't express that very well, but thanks for the reply.

At the moment, the handshake takes place using the first matching vhost on the basis of IP+Port, but evidently Apache then scans the decrypted host header and assigns the correct NBVH. This is using 1.3.x; I haven't tested 2.x yet.

My fear is that future apache+modssl code may lock-in the first NBVH that matches on the basis of IP+Port, which would break my scheme.

Regards,
James.

PS For those of you who were wondering, we use a private CA to issue the wildcard server cert. As someone has already noted, Thawte advertise them as well.

Boyle Owen wrote:

> -Original Message-
> From: James Collier [mailto:[EMAIL PROTECTED]]
>
> > I realise I am on thin ice as it would be a reasonable optimisation to assign the final virtual host at an earlier stage than is currently the case with SSL.

^^^ I meant apache+modssl

> I wouldn't worry too much. Currently, in an SSL transaction, *all* information is regarded as requiring encryption - including the Host header in the original request. So the SSL session has to be established before any traffic takes place. Anything different (e.g. putting the host header in the SSL layer) would be a major revision of the protocol.
>
> One of two things will happen first:
>
> - IPv6 will take off, creating so many IP addresses that NBVH will be unnecessary and we will revert to one site, one IP.
> - A new SSL-like protocol will appear which promotes the site name to the SSL layer thus enabling NBVH.
>
> Either way, you'll need substantially to upgrade and reconfigure your server so you'll be well aware of the changes.
>
> Rgds,
> Owen Boyle
RE: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)
-Original Message-
From: James Collier [mailto:[EMAIL PROTECTED]]

> At the moment, the handshake takes place using the first matching vhost on the basis of IP+Port, but evidently Apache then scans the decrypted host header and assigns the correct NBVH.

Exactly. The SSL transaction is handled by mod_ssl. The apache core is only used initially to deliver a certificate to the SSL Engine. As you rightly say, given only an IP address and port number, it simply responds with the first cert it finds in a matching VH. Having obtained a cert, mod_ssl establishes the SSL channel with the browser - thereafter, the requests are decrypted and passed en clair to the apache core. So now apache can apply its NBVH algorithm happily.

> This is using 1.3.x; I haven't tested 2.x yet.

It will be the same. This is a feature of the HTTPS layer and is unaffected by what happens in the apache core, which is under HTTPS.

> My fear is that future apache+modssl code may lock-in the first NBVH that matches on the basis of IP+Port, which would break my scheme.

Not likely. Each request is allowed to contain its own Host header. So there is no reason why the server should override it. In any case, there is no mechanism for the server to remember that subsequent requests from a particular client were originally served from a certain VH. HTTPS is an additional onion-layer which entirely encapsulates HTTP so there should be no spillover from one to the other.

Rgds,
Owen Boyle
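The two steps described in the message above (certificate chosen from IP+port alone, virtual host chosen afterwards from the decrypted Host header), together with the wildcard rule mentioned earlier in the thread, modelled in Python as an added example; it is not code from the thread or from mod_ssl. The matching rule is a simplified RFC 6125-style one and is an assumption about the client, the address 192.0.2.10 is constructed, and all function and class names are hypothetical.

```python
from dataclasses import dataclass


def cert_name_matches(pattern: str, host: str) -> bool:
    """Simplified RFC 6125-style check (assumed client behaviour): '*' is
    accepted only as the entire left-most label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Two fixed labels must follow the wildcard ('*.com' is refused) and
        # no further wildcard may appear ('*.*.com' is refused).
        return len(p) >= 3 and not any("*" in label for label in p[1:]) and p[1:] == h[1:]
    # Partial wildcards such as 'w*.acme.com' are not supported in this sketch.
    return "*" not in pattern and p == h


@dataclass(frozen=True)
class VHost:
    server_name: str
    cert_names: tuple  # names in the certificate configured for this vhost


def handshake_cert(vhosts, addr):
    """Step 1: only IP:port is known, so the first vhost's cert is presented."""
    return vhosts[addr][0].cert_names


def route_request(vhosts, addr, host_header):
    """Step 2: after decryption the Host header selects the name-based vhost;
    the first vhost on the address is the default."""
    wanted = host_header.lower().split(":")[0]
    for vh in vhosts[addr]:
        if vh.server_name == wanted:
            return vh
    return vhosts[addr][0]


def browser_warns(vhosts, addr, host):
    """True when the cert sent in step 1 does not cover the requested name."""
    return not any(cert_name_matches(n, host) for n in handshake_cert(vhosts, addr))


def uncovered(pattern, hosts):
    """Host names that a single certificate name would NOT cover."""
    return [h for h in hosts if not cert_name_matches(pattern, h)]


ADDR = "192.0.2.10:443"  # constructed (documentation address range)

# One certificate per vhost: every vhost after the first gets a name mismatch.
PER_HOST_CERTS = {ADDR: [VHost("www1.acme.com", ("www1.acme.com",)),
                         VHost("www2.acme.com", ("www2.acme.com",))]}

# The scheme from the thread: the same wildcard certificate on every vhost.
WILDCARD_CERT = {ADDR: [VHost("www1.acme.com", ("*.acme.com",)),
                        VHost("www2.acme.com", ("*.acme.com",))]}

# The four host names asked about earlier in the thread.
ARHOSTING = ["arhosting.com", "www.arhosting.com",
             "secure.arhosting.com", "www.secure.arhosting.com"]

if __name__ == "__main__":
    for label, cfg in (("per-host certs", PER_HOST_CERTS), ("wildcard cert", WILDCARD_CERT)):
        for host in ("www1.acme.com", "www2.acme.com"):
            vh = route_request(cfg, ADDR, host)
            print(f"{label}: {host} -> vhost {vh.server_name}, "
                  f"warning={browser_warns(cfg, ADDR, host)}")
    print("not covered by *.arhosting.com:", uncovered("*.arhosting.com", ARHOSTING))
```

With per-host certificates the second host is routed to the right virtual host but still gets a name-mismatch warning, because the certificate was fixed in step 1; with the shared wildcard certificate neither host does.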
Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)
Boyle Owen [EMAIL PROTECTED] writes:
> - IPv6 will take off, creating so many IP addresses that NBVH will be unnecessary and we will revert to one site, one IP.

There is already a document describing how to do this with SSL/TLS in the IETF standards pipeline.

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)
On Mon, Jan 13, 2003 at 07:32:24AM -0800, Eric Rescorla wrote:
> There is already a document describing how to do this with SSL/TLS in the IETF standards pipeline.

Unfortunately this is not implemented very many places - so far the only place I've heard of is Apache 2.1 which has some preliminary and untested code for it. If anyone knows of a compliant client, then that would be much appreciated.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)
Mads Toftum [EMAIL PROTECTED] writes:
> On Mon, Jan 13, 2003 at 07:32:24AM -0800, Eric Rescorla wrote:
> > There is already a document describing how to do this with SSL/TLS in the IETF standards pipeline.
>
> Unfortunately this is not implemented very many places - so far the only place I've heard of is Apache 2.1 which has some preliminary and untested code for it. If anyone knows of a compliant client, then that would be much appreciated.

I don't. Moreover even if there were it will be like 2-3 years before it's sufficiently widespread that you can count on it.

-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]]
http://www.rtfm.com/
SSLSessionCaching on Win32
I am having trouble getting the SSLSessionCache directive working on Win NT and have been unable to find any examples or information where others have been able to implement this. Does anyone know if this directive is supported on Win32?
Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)
Many thanks Owen - I'll sleep more easily now ;)
RE: SSLSessionCaching on Win32
...depends on your configuration. SSLSessionCache works fine with my apache 1.3.27, but I had some problems with apache 2. With 2.0.39, session cache was not honoured on win32 (bugzilla 10170), but this may have changed in the meantime.

rgds
michael

-Original Message-
From: Wilkins, Craig [mailto:[EMAIL PROTECTED]]
Sent: Monday, 13 January 2003 17:09
To: '[EMAIL PROTECTED]'
Subject: SSLSessionCaching on Win32

> I am having trouble getting the SSLSessionCache directive working on Win NT and have been unable to find any examples or information where others have been able to implement this. Does anyone know if this directive is supported on Win32?
Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)
Are there any docs for setting this up?

thanks
Robert

- Original Message -
From: James Collier [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, January 13, 2003 12:29 PM
Subject: Re: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

> Many thanks Owen - I'll sleep more easily now ;)