Re: [warn] RSA server certificate CommonName (CN) `yin.*' does NOT match server name!?
Hello Owen,

After I have set ServerName in the ssl.conf file to yin.fokus.gmd.de, this error

[warn] RSA server certificate CommonName (CN) `yin.fokus.gmd.de' does NOT match server name!?

does not exist in file error_log. It seems that I can start the HTTP secure server ... (I think that I have misunderstood your first mail below, I have only changed the ServerName in the file httpd.conf.)

But now when I type https://yin.fokus.gmd.de in my browser, I get this error message in the browser:

-- The server's certificate has an invalid signature. You will not be able to connect to this site securely. --

The following is the message in the error_log file.

[Thu Jan 30 10:08:50 2003] [notice] Digest: generating secret for digest authentication ...
[Thu Jan 30 10:08:50 2003] [notice] Digest: done
[Thu Jan 30 10:08:52 2003] [notice] Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6g DAV/2 configured -- resuming normal operations
[Thu Jan 30 10:09:11 2003] [error] SSL handshake failed (server yin.fokus.gmd.de:443, client 195.37.78.101)
[Thu Jan 30 10:09:11 2003] [error] SSL Library Error: 336151570 error:14094412:lib(20):func(148):reason(1042)

Thanks for any help.

Best regards,
Aihong Yin.

__
Apache Interface to OpenSSL (mod_ssl)  www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager  [EMAIL PROTECTED]
autosigning certificate
Hi all,

I tried to use my own CA in order to sign the CSR previously produced. Here is what I got:

[naunx04:aspprod] /home/aspprod/aspapp/mySSL/openSSL/bin ./sign.sh server.csr
CA signing: server.csr - server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'IT'
stateOrProvinceName :PRINTABLE:'Napoli'
localityName :PRINTABLE:'Pozzuoli'
organizationName :PRINTABLE:'SchlumbergerSema'
organizationalUnitName:PRINTABLE:'EAI'
commonName:PRINTABLE:'naunx04:8443'
emailAddress :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Jan 29 17:29:55 2004 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt - CA cert
server.crt: /C=IT/ST=Napoli/L=Pozzuoli/O=SchlumbergerSema/OU=EAI/CN=naunx04:8443/emailAd [EMAIL PROTECTED]
error 18 at 0 depth lookup:self signed certificate
/C=IT/ST=Napoli/L=Pozzuoli/O=SchlumbergerSema/OU=EAI/CN=naunx04:8443/emailAd [EMAIL PROTECTED]
error 7 at 0 depth lookup:certificate signature failure
[naunx04:aspprod] /home/aspprod/aspapp/mySSL/openSSL/bin

I see 2 ERRORS:

error 18 at 0 depth lookup:self signed certificate
error 7 at 0 depth lookup:certificate signature failure

What do they mean? Is the certificate signing process OK or not?

Many thanks.
Sergio.

SchlumbergerSema
ing. Sergio Zampognaro
System Integration - SMA
Via Antiniana 2A - 80078 Pozzuoli (NA) - ITALY
Redirection on bad cert
Hello all,

Is it possible to redirect a user with a bad cert to another page? As I understand, the server doesn't return any error code after an SSL error on an expired cert. Therefore, the ErrorDocument directive doesn't work.

Thank You
Oleg Lebedev
Failed to enable Crypto Device API
Hello All,

Please provide your thoughts on the problem I am facing. We use Apache 1.3.27, mod_ssl 2.8.12 and OpenSSL 0.9.6h[engine]. The [engine] version is used because we use an nCipher card as the hardware accelerator.

The error that is baffling is:

./apachectl startssl
./apachectl startssl: httpd could not be started

ssl_engine_log:
[30/Jan/2003 08:12:23 01657] [error] Init: Failed to enable Crypto Device API `chil'

error_log:
[Thu Jan 30 08:12:23 2003] [error] mod_ssl: Init: Failed to enable Crypto Device API `chil

I do not have much idea on this. Hence I request you to give me at least some pointers.

Thanks in advance,
Anbu
Re: Verifying enabled ciphers?
One more question regarding the SSLCipherSuite line. Our security auditor recommended that we change the line

SSLCipherSuite HIGH:MEDIUM:!ADH

to

SSLCipherSuite HIGH:MEDIUM:-ADH:-aNULL

What is the difference?

openssl ciphers -v 'HIGH:MEDIUM:!ADH'

and

openssl ciphers -v 'HIGH:MEDIUM:-ADH:-aNULL'

both return the same cipher list. Is there a practical difference in the two directives?

Thanks,
--
Steve [EMAIL PROTECTED]
Re: Failed to enable Crypto Device API
* Anbuchezhian ([EMAIL PROTECTED]) wrote:
> Hello All,
>
> Please provide your thoughts on the problem I am facing. We use Apache 1.3.27, mod_ssl 2.8.12 and OpenSSL 0.9.6h[engine]. The [engine] version is used because we use an nCipher card as the hardware accelerator.
>
> The error that is baffling is:
>
> ./apachectl startssl
> ./apachectl startssl: httpd could not be started
>
> ssl_engine_log:
> [30/Jan/2003 08:12:23 01657] [error] Init: Failed to enable Crypto Device API `chil'
>
> error_log:
> [Thu Jan 30 08:12:23 2003] [error] mod_ssl: Init: Failed to enable Crypto Device API `chil
>
> I do not have much idea on this. Hence I request you to give me at least some pointers.

Try changing the SSLLogLevel directive to spit out more information. As apache is stopping virtually immediately, you could probably afford to set SSLLogLevel debug. Anyway, that should probably dump the OpenSSL errors to the log too, which I believe will give you more clue as to the problem (most likely the nCipher-specific shared-library that openssl tries to load couldn't be found).

Cheers,
Geoff
--
Geoff Thorpe [EMAIL PROTECTED] http://www.geoffthorpe.net/
Re: Verifying enabled ciphers?
On Thu, Jan 30, 2003 at 11:38:04AM -0700, Steve Chadsey wrote:
> One more question regarding the SSLCipherSuite line. Our security auditor recommended that we change the line
>
> SSLCipherSuite HIGH:MEDIUM:!ADH
>
> to
>
> SSLCipherSuite HIGH:MEDIUM:-ADH:-aNULL
>
> What is the difference?
>
> openssl ciphers -v 'HIGH:MEDIUM:!ADH'
>
> and
>
> openssl ciphers -v 'HIGH:MEDIUM:-ADH:-aNULL'
>
> both return the same cipher list. Is there a practical difference in the two directives?

Hmm, not now. aNULL is equivalent to ADH, as Anonymous DH ciphers are the only aNULL ciphers supported. If at any point in the future an anonymous cipher without DH would be added (does such thing exist?), it might make a difference.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
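Added example (not part of the thread and not OpenSSL's code): a simplified Python model of the `!` and `-` cipher-string operators as documented in ciphers(1), run over a small constructed cipher table, to show when the two directives in this exchange select the same list and when they diverge. The function name `expand` and the table are hypothetical; `AECDH-AES256-SHA`, a suite name from later OpenSSL releases, is included as an anonymous suite that the `ADH` alias does not match.

```python
# Constructed cipher table: name -> aliases that select it (small subset).
CIPHERS = {
    "AES256-SHA":         {"HIGH"},
    "DHE-RSA-AES256-SHA": {"HIGH"},
    "RC4-SHA":            {"MEDIUM"},
    "ADH-AES256-SHA":     {"HIGH", "aNULL", "ADH"},
    "ADH-RC4-MD5":        {"MEDIUM", "aNULL", "ADH"},
    "AECDH-AES256-SHA":   {"HIGH", "aNULL", "AECDH"},  # anonymous, not ADH
}
# The situation in the thread: every aNULL suite is also an ADH suite.
T2003 = {n: t for n, t in CIPHERS.items() if "AECDH" not in t}

def expand(spec, table):
    """Return the ordered cipher list an OpenSSL-style cipher string selects."""
    active, killed = [], set()
    for term in filter(None, spec.split(":")):
        op, key = (term[0], term[1:]) if term[0] in "!-+" else ("", term)
        hit = [n for n, tags in table.items() if key == n or key in tags]
        if op == "!":        # permanent delete: can never be re-added
            killed.update(hit)
            active = [n for n in active if n not in hit]
        elif op == "-":      # delete, but a later term may add it back
            active = [n for n in active if n not in hit]
        elif op == "+":      # move already-selected matches to the end
            active = [n for n in active if n not in hit] + \
                     [n for n in active if n in hit]
        else:                # add matches that are not killed or present
            active += [n for n in hit if n not in killed and n not in active]
    return active

if __name__ == "__main__":
    for table, label in ((T2003, "ADH-only table"), (CIPHERS, "with AECDH")):
        for spec in ("HIGH:MEDIUM:!ADH", "HIGH:MEDIUM:-ADH:-aNULL"):
            print(label, spec, expand(spec, table))
    # '-' is reversible, '!' is not: a later HIGH re-adds the ADH suite.
    print(expand("HIGH:-ADH:-aNULL:HIGH", T2003))
    print(expand("HIGH:!ADH:HIGH", T2003))
```

On a real server the equivalent check is to compare the output of `openssl ciphers -v` for both strings against the installed OpenSSL build, since alias membership changes between releases.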
Can't get to Https but http://address:443 works?????
Hi guys,

Just a quick question: my server just fell, I can't get back to https://theaddress, only http://theaddress:443 works??? Any thoughts?

Vince
Re: Can't get to Https but http://address:443 works?????
On Fri, 31 Jan 2003, Vince Montuoro wrote:
> i can't get back to https://theaddress, only http://theaddress:443 works???

You probably don't have SSLEngine on in your SSL vhost. Right now, the client and server are both speaking HTTP, not HTTPS... the fact that it's over port 443 and not port 80 is irrelevant.

--Cliff
RE: Can't get to Https but http://address:443 works?????
You are starting it with apachectl start instead of apachectl startssl ? Sounds like it's listening on 443 for http, not https connections.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vince Montuoro
Sent: Thursday, January 30, 2003 4:54 PM
To: [EMAIL PROTECTED]
Subject: Can't get to Https but http://address:443 works?

Hi guys, Just a quick question my server just fell, i can't get back to https://theaddress, only http://theaddress:443 works??? any thoughts?

Vince
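Added example (not part of the thread): a Python check for the condition both replies describe, a listener on port 443 that answers in cleartext HTTP because SSL is not enabled on it. It sends a genuine TLS ClientHello and classifies the first bytes that come back; the function names and the sample replies are constructed for illustration.

```python
import socket
import ssl

def client_hello(server_name):
    """Build real ClientHello bytes in memory; no handshake is completed."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(
        incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                      # expected: nothing has answered yet
    return outgoing.read()

def classify_reply(data):
    """Classify the first bytes a listener sends back after a ClientHello."""
    if data[:5] == b"HTTP/":
        return "plain-http"       # cleartext status line: SSL is not enabled
    if (len(data) >= 5 and data[0] in (0x15, 0x16) and data[1] == 0x03
            and data[2] <= 0x04
            and int.from_bytes(data[3:5], "big") <= 16384 + 2048):
        return "tls"              # alert (0x15) or handshake (0x16) record
    return "unknown"

def probe(host, port=443, timeout=3.0):
    """Send a ClientHello to host:port and report which protocol answers."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        try:
            return classify_reply(sock.recv(16))
        except (socket.timeout, ConnectionResetError):
            return "unknown"

# Constructed sample replies (not captured traffic).
SAMPLE_PLAIN = b"HTTP/1.1 400 Bad Request\r\n"
SAMPLE_TLS = bytes([0x16, 0x03, 0x03, 0x00, 0x7A, 0x02])  # start of a ServerHello record

if __name__ == "__main__":
    print(classify_reply(SAMPLE_PLAIN), classify_reply(SAMPLE_TLS))
    # Our own ClientHello is itself a TLS handshake record.
    print(classify_reply(client_hello("example.invalid")))
```

A `plain-http` result from `probe()` against your own server's port 443 means the vhost is serving HTTP there, which matches the missing `SSLEngine on` or `apachectl start` explanations given in the replies.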