Shared mod_ssl problems

2003-03-06 Thread Ted Rolle
Justin E hit the nail on the head!  I was writing my tale of woe about
this problem (it's still below for your edification).  As I see it,
there's a missing link -- OpenSSL -- which isn't brought in to resolve
these call references.
If mod_ssl can be smartened up to use the ldconfig mechanism -- if it
doesn't already -- this might be a solution.

For background, I've been a member of this list a whole two hours...



I, too, am having this problem.

Here's my Apache configuration:

./configure \
--enable-mods-shared=all \
--enable-ipv6=shared \
--enable-auth_ldap=shared \
--enable-ssl=shared \
--with-ssl=/usr/local/bin/

Here's my OpenSSL configuration:

./config \
--prefix=/usr/local \
shared \
zlib-dynamic

[EMAIL PROTECTED] bin]# ./apachectl startssl
Syntax error on line 262 of /usr/local/apache2/conf/httpd.conf:
Cannot load /usr/local/apache2/modules/mod_ssl.so into server:
/usr/local/apache2/modules/mod_ssl.so: undefined symbol: X509_free
[EMAIL PROTECTED] bin]#

The message indicates that mod_ssl.so can't find X509_free, no?

X509_free is in /usr/local/lib/libssl.so.0.9.7.


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


Re: stop apache/mod_ssl binding to all IP's.

2003-03-06 Thread Terry Kerr
my apologies...I am an idiot...I found the other Listen directive ;-)

terry

R. DuFresne wrote:

it sounds like perhaps yer http.conf file has perhaps more than one
listen directive, perhaps outside the  directives.  Might
try grepping the file for listen and see what comes up.  Or, better yet,
egrepping for bind|listen|etc...
thanks,

Ron DuFresne

On Fri, 7 Mar 2003, Terry Kerr wrote:


Mark,

Thanks for your suggestion, but whenever I try to put

Listen my.ip.address:443 (with the correct ip address ;-)

My http or https server does not start at all on any port.  The log error I get is

[crit] (98)Address already in use: make_sock: could not bind to address
203.89.254.243 port 443

But I don't get a similar error for port 80, so I don't know why it also doesn't
start.

I also have Listen ip.address:80 defined, and have a NameVirtualHost ip.address
defined.  I have tried many different combinations of name-based and IP-based
virtual hosting, but https always binds to all IPs.  As soon as I put the
Listen ip.address:443, I get the log error above and no servers start.

terry





Mark Boddington wrote:


Hi Terry,

Perhaps your directives are being overridden in an "IfDefine SSL" or
"IfModule SSL" block? Listen IP:Port does work; it works for me. Do you
have the following in your config?
Listen my.ip.address:443
...
NameVirtualHost my.ip.address:443
...

...

Cheers,

Mark

On Thu, 6 Mar 2003, Terry Kerr wrote:



Hi,

I am running apache 1.3.26 and mod_ssl 2.8.9-2.1 on a debian linux system.

The system has two IPs, and I only wish for apache to start on ports 80 and 443
on one of those IPs.  I am using name-based virtual hosting for many sites on
the system for http, and have just one virtual host setup for https on port 443.
The problem that I am having is that I cannot stop mod_ssl from binding to
port 443 on both the IPs on my system.  I have tried every possible combination
of Listen, BindAddress, and Port, and have managed to prevent http from starting
on all IPs, but https still starts on all IPs.  Is there any way to stop this?

Will I need to start two separate servers, one serving http only, and one
serving https only?  If I was to do this, I may as well go back to using
apache-ssl which is the default installation on debian anyway.

Thanks in advance

terry

--
Terry Kerr ([EMAIL PROTECTED])
Adroit Internet Solutions (www.adroit.net)
Phone: +61 3 9563 4461
Fax: +61 3 9563 3856


Re: private key not found

2003-03-06 Thread Justin Williams
Was the domain moved over to your server, or did you generate the key/CSR/CRT?

I'm having the same difficulty with one where the domain, cert and key were
transferred; all my others work properly...

- Original Message -
From: "A. Putnam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 07, 2003 5:20 PM
Subject: Re: private key not found


The permissions for the server.crt file are rw-r--r-- but it still cannot find
the Private Key.

On Thursday 06 March 2003 13:36, Ron Gedye wrote:
> Please check the permissions on your private key.  They should be readable
> only by owner (400)
>
> (knee-jerk first guess reaction)
>
> Best of luck
>
> - Original Message -
> From: "A. Putnam" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, March 07, 2003 3:42 PM
> Subject: private key not found
>
>
> I'm trying to get mod_ssl to work on my server, but each time I try to
> restart
> apache with mod_ssl activated, it gives me this error:
>
> /etc/init.d/apache start returned 7 (Program is not running.)
> Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass
> Phrase Dialog)
> Some of your private key files are encrypted for security reasons.
> In order to read them you have to provide us with the pass phrases.
>
> Server matrix.pelathe.org:443 (RSA)
> Enter pass phrase:
> Apache:mod_ssl:Error: Private key not found.
> **Stopped
> stty: standard input: Inappropriate ioctl for device
> ..failed
>
> What I don't understand is how it can't find the Private key. The
> SSLCertificateKeyFile path in httpd.conf matches the location of the key in
> my directory. Isn't the SSLCertificateKeyFile the Private Key path?
>
> I'm including the Virtual Host code (sans the explanation text and a
> passkey).
> I'm very new to this so I won't be surprised if there is a glaring error in
> here that I missed...
>
> 
>
> DocumentRoot "/srv/www/htdocs"
> ServerName matrix.pelathe.org
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog /var/log/httpd/error_log
> TransferLog /var/log/httpd/access_log
>
> SSLEngine on
>
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> SSLCertificateFile /etc/httpd/ssl.crt/server.crt
> #SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt
>
> SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
> #SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key
>
> SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt
>
> #SSLCACertificatePath /etc/httpd/ssl.crt
> SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
>
> SSLCARevocationPath /etc/httpd/ssl.crl
> #SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl
>
> SSLVerifyClient require
> SSLVerifyDepth  10
>
> #
> #SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> #and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> #and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> #and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> #and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
> #   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> #
>
> #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
> 
> SSLOptions +StdEnvVars
> 
> 
> SSLOptions +StdEnvVars
> 
>
> SetEnvIf User-Agent ".*MSIE.*" \
>  nokeepalive ssl-unclean-shutdown \
>  downgrade-1.0 force-response-1.0
>
> CustomLog /var/log/httpd/ssl_request_log \
>   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> 
>
> Any help would be greatly appreciated. I'm using Apache 1.3.26 and Mod_SSL
> 2.8.10 on a SuSE 8.1 box.
>
> Thanks,
> -Andrew

--
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center



Re: stop apache/mod_ssl binding to all IP's.

2003-03-06 Thread R. DuFresne

it sounds like perhaps yer http.conf file has perhaps more than one
listen directive, perhaps outside the  directives.  Might
try grepping the file for listen and see what comes up.  Or, better yet,
egrepping for bind|listen|etc...

thanks,

Ron DuFresne

On Fri, 7 Mar 2003, Terry Kerr wrote:

-- 
~~
admin & senior security consultant:  sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!



undefined symbol: X509_free when apachectl startssl

2003-03-06 Thread apachep2

Having searched through the archive, I could not find a
solution to the above error. This error only occurs when I build mod_ssl as a
dynamically linked module. What I have done is:

- download zlib-1.1.4 source and build it --shared --prefix=/usr
- download openssl-0.9.7a source and build it
- download httpd-2.0.44 source and build it ./configure …. --enable-ssl=shared
  --with-ssl=/usr/local/ssl

My OS is Red Hat 7.2.

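A diagnostic for the two undefined-symbol reports on this page (Ted Rolle's and the one just above), added here and not taken from the thread: it asks the loader the same question httpd does when it opens mod_ssl.so, namely which imports nothing in httpd's link set provides, and whether ldconfig knows the OpenSSL directory at all. Assumed: a Linux host with GNU ldd, nm and ldconfig, and the paths named in the posts (override them through the environment).

```shell
#!/bin/sh
# Added diagnostic for "undefined symbol: X509_free"; not code from the thread.
# When httpd dlopen()s mod_ssl.so, an import can only be satisfied by httpd
# itself or by the libraries httpd and the module are linked against (what
# `ldd` lists). If the module was built without libssl/libcrypto, or the
# loader cannot find the OpenSSL build in /usr/local/lib, X509_free (exported
# by libcrypto) stays unresolved. Paths below are the thread's, i.e. assumptions.
HTTPD=${HTTPD:-/usr/local/apache2/bin/httpd}
MOD_SSL=${MOD_SSL:-/usr/local/apache2/modules/mod_ssl.so}
SSL_LIBDIR=${SSL_LIBDIR:-/usr/local/lib}

# Libraries that `ldd` output ($1) reports as "not found".
ldd_missing() {
    printf '%s\n' "$1" | awk '$2 == "=>" && $3 == "not" { print $1 }'
}

# Absolute paths of the libraries that `ldd` output ($1) did resolve.
ldd_resolved() {
    printf '%s\n' "$1" | awk '$2 == "=>" && $3 ~ /^\// { print $3 }' | sort -u
}

# Symbols the module imports (`nm -D` output in $1, type U) that no provider
# (`nm -D` output for one or more files in $2) exports. Version suffixes that
# newer binutils print (name@@VER) are stripped before comparing.
unresolved_symbols() {
    {
        printf '%s\n' "$2" | awk 'NF == 3 && $2 ~ /^[TWDBVRi]$/ { s = $3; sub(/@.*/, "", s); print "DEF", s }'
        printf '%s\n' "$1" | awk 'NF == 2 && $1 == "U"         { s = $2; sub(/@.*/, "", s); print "USE", s }'
    } | awk '$1 == "DEF" { def[$2] = 1; next }
             $1 == "USE" && !($2 in def) && !seen[$2]++ { print $2 }'
}

# 0 if an `ldconfig -p` listing ($1) contains a library matching regex $2.
cache_has_lib() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$2"
}

# Live diagnosis; only meaningful where the real httpd and module exist.
check_module() {
    [ -f "$HTTPD" ] && [ -f "$MOD_SSL" ] || { echo "httpd or mod_ssl.so not found"; return 2; }
    ldd_out=$(ldd "$HTTPD" "$MOD_SSL")
    echo "--- dependencies the loader cannot find at all:"
    ldd_missing "$ldd_out"
    echo "--- OpenSSL libraries that would actually be loaded (a directory other than"
    echo "    $SSL_LIBDIR means a different, possibly older, OpenSSL than you built):"
    printf '%s\n' "$ldd_out" | grep -E 'lib(ssl|crypto)\.so' | sort -u
    providers=$(nm -D "$HTTPD" $(ldd_resolved "$ldd_out") 2>/dev/null)
    mod_nm=$(nm -D "$MOD_SSL")
    echo "--- module imports that nothing in httpd's link set exports:"
    unresolved_symbols "$mod_nm" "$providers"
    echo "--- of which these stay unresolved even with $SSL_LIBDIR's libssl/libcrypto:"
    unresolved_symbols "$mod_nm" "$providers
$(nm -D "$SSL_LIBDIR"/libssl.so* "$SSL_LIBDIR"/libcrypto.so* 2>/dev/null)"
    if ! cache_has_lib "$(ldconfig -p 2>/dev/null)" 'libcrypto\.so'; then
        echo "libcrypto is not in the ldconfig cache: add $SSL_LIBDIR to /etc/ld.so.conf and run ldconfig"
    fi
}
```

If the first list names X509_free and the second is empty, the module needs the /usr/local/lib OpenSSL but was not linked against it or the loader cannot see that directory; if X509_free is in both lists, those libraries do not export it either and the build itself is wrong.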

Re: stop apache/mod_ssl binding to all IP's.

2003-03-06 Thread Terry Kerr
Mark,

Thanks for your suggestion, but whenever I try to put

Listen my.ip.address:443 (with the correct ip address ;-)

My http or https server does not start at all on any port.  The log error I get is

[crit] (98)Address already in use: make_sock: could not bind to address
203.89.254.243 port 443

But I don't get a similar error for port 80, so I don't know why it also doesn't
start.

I also have Listen ip.address:80 defined, and have a NameVirtualHost ip.address
defined.  I have tried many different combinations of name-based and IP-based
virtual hosting, but https always binds to all IPs.  As soon as I put the
Listen ip.address:443, I get the log error above and no servers start.

terry





Mark Boddington wrote:


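The grep Ron suggested, written as an audit that cannot miss a Listen hidden inside an IfDefine or IfModule block; this is an added example, not code from the list. The sample httpd.conf it walks is constructed (192.0.2.10 is a documentation address) and modelled on the "IfDefine SSL" block Mark asked about; point the two functions at your own file.

```shell
#!/bin/sh
# Added example for the "binding to all IP's" thread; not code from the list.
# listen_records lists every Listen/Port/BindAddress with the enclosing block;
# listen_conflicts reports a port bound both to a wildcard (bare "Listen 443"
# or "*:443") and to a specific address, the combination behind
# "(98)Address already in use ... port 443", which also leaves the TLS vhost
# reachable on every interface of the host.

# Constructed sample config, written to the path given in $1.
write_sample_conf() {
cat > "$1" <<'EOF'
# constructed sample: the admin's own, address-specific Listen lines ...
Listen 192.0.2.10:80
Listen 192.0.2.10:443
NameVirtualHost 192.0.2.10:80
# ... and a block further down that binds every interface as well
<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>
EOF
}

# One record per bind directive: line number, enclosing <IfDefine>/<IfModule>
# (or "-"), directive, argument; tab-separated.
listen_records() {
    awk '
        { line = $0; sub(/#.*/, "", line) }
        line ~ /^[ \t]*<(IfDefine|IfModule)[ \t]/ {
            ctx[++depth] = line
            gsub(/^[ \t]*<|>.*$/, "", ctx[depth])
            next
        }
        line ~ /^[ \t]*<\/(IfDefine|IfModule)>/ { if (depth > 0) depth--; next }
        line ~ /^[ \t]*(Listen|Port|BindAddress)[ \t]/ {
            split(line, f, /[ \t]+/)
            i = (f[1] == "") ? 2 : 1      # leading whitespace yields an empty f[1]
            printf "%d\t%s\t%s\t%s\n", NR, (depth ? ctx[depth] : "-"), f[i], f[i + 1]
        }' "$1"
}

# Ports that end up with both a wildcard and an address-specific Listen.
listen_conflicts() {
    listen_records "$1" | awk -F'\t' '
        $3 == "Listen" {
            addr = "*"; port = $4
            if ($4 ~ /:/) { addr = $4; sub(/:[^:]*$/, "", addr); sub(/^.*:/, "", port) }
            if (addr == "") addr = "*"
            if (!((port, addr) in seen)) { seen[port, addr] = 1; binds[port] = binds[port] " " addr }
            if (addr == "*") { wild[port] = 1 } else { spec[port] = 1 }
        }
        END { for (p in binds) if ((p in wild) && (p in spec)) print "port " p ": bound to" binds[p] }' | sort
}

# Demo on the constructed sample; run the two functions on your own httpd.conf.
SAMPLE=$(mktemp) && write_sample_conf "$SAMPLE"
echo "--- bind directives (line, enclosing block, directive, argument):"
listen_records "$SAMPLE"
echo "--- ports bound to both a wildcard and a specific address:"
listen_conflicts "$SAMPLE"
rm -f "$SAMPLE"
```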

Re: private key not found

2003-03-06 Thread Ron Gedye
He lists the certificate, I'm speaking of the key.

Although this (URL) relates to unencrypting (removing passphrase) of the key
(and ver 2.0) it is still relevant, and in some cases will prevent SSL (or
am I speaking of SSH?) the secure socket transport from properly
initializing. I know I've seen this in other places in regards to apache, this
was just the first reference I could quickly find.

From http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html

Make sure the server.key file is now only readable by root:

$ chmod 400 server.key


- Original Message -
From: "R. DuFresne" <[EMAIL PROTECTED]>
To: "A. Putnam" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, March 06, 2003 3:23 PM
Subject: Re: private key not found


> On Fri, 7 Mar 2003, A. Putnam wrote:
>
> > The permissions for the server.crt file are rw-r--r-- but it still
> > cannot find the Private Key.
>
> which would be 644 rather than 400 as the first person responded.

Re: private key not found

2003-03-06 Thread R. DuFresne
On Fri, 7 Mar 2003, A. Putnam wrote:

> The permissions for the server.crt file are rw-r--r-- but it still cannot find 
> the Private Key.

which would be 644 rather than 400 as the first person responded.



Apache 2.0.44 with Openssl -0.9.7

2003-03-06 Thread Yu, Ming
Does anyone have problems with Apache 2.0.44 and OpenSSL 0.9.7?
I installed the server, no problem.  Then I wanted to start the httpd
server, even without mod_ssl.  

./apachectl -k start

There is no message on the screen, but an error message in the log file.
The apache engine did not start.

[warn] Init: PRNG still contains insufficient entropy!
[error] Init: Failed to generate temporary 512 bit RSA private key
Configuration Failed

Any suggestions?

- Ming Yu

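An added example, not code from the thread, that puts builtin-only seeding next to a corrected SSLRandomSeed configuration and audits a file for the difference; the two config texts are constructed, and the directive syntax is mod_ssl's own.

```shell
#!/bin/sh
# Added example for the "PRNG still contains insufficient entropy" post; not
# code from the thread. mod_ssl seeds OpenSSL's PRNG at startup from the
# SSLRandomSeed directives; with only "builtin" sources on a platform that
# feeds them little, RAND_status() stays false, the warning is logged and the
# temporary 512-bit RSA key generation that follows fails, which is the log
# quoted above. Both configurations are constructed.
WEAK_CONF='SSLRandomSeed startup builtin
SSLRandomSeed connect builtin'
FIXED_CONF='SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed startup builtin
SSLRandomSeed connect file:/dev/urandom 512
SSLRandomSeed connect builtin'

# Print "startup <sources>" and "connect <sources>" for config text $1.
seed_sources() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, "") }
        tolower($1) == "sslrandomseed" { src[$2] = src[$2] " " $3 }
        END {
            print "startup" (("startup" in src) ? src["startup"] : " none")
            print "connect" (("connect" in src) ? src["connect"] : " none")
        }'
}

# 0 when startup seeding reads a device file or an EGD socket, 1 when it has
# only builtin (or nothing) to rely on.
startup_seed_ok() {
    seed_sources "$1" | awk '
        $1 == "startup" { for (i = 2; i <= NF; i++) if ($i ~ /^(file:|egd:)/) ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Audit a real file: report the sources and whether each device named exists.
audit_file() {
    conf=$(cat "$1") || return 2
    seed_sources "$conf"
    if startup_seed_ok "$conf"; then
        echo "startup seeding: ok"
    else
        echo "startup seeding: builtin only; add e.g. 'SSLRandomSeed startup file:/dev/urandom 512'"
    fi
    for dev in $(seed_sources "$conf" | tr ' ' '\n' | sed -n 's/^file://p' | sort -u); do
        [ -c "$dev" ] || echo "$dev: not a character device on this host"
    done
}

echo "weak:";  seed_sources "$WEAK_CONF";  startup_seed_ok "$WEAK_CONF"  || echo "-> insufficient"
echo "fixed:"; seed_sources "$FIXED_CONF"; startup_seed_ok "$FIXED_CONF" && echo "-> ok"
```

On a 2.0 install the directives live in the ssl.conf that httpd.conf includes, so run audit_file on that file.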

Re: private key not found

2003-03-06 Thread Ron Gedye
How did you generate the CSR to get the cert?  What key file did you use for
this?

The cert (crt) file perms look ok, (444 would be better) but who owns it?

Does this file exist?
/etc/httpd/ssl.key/server.key (according to your conf)

If so, the permissions should be
-r--------

This file should be owned by root (in most all cases) and not the webserver
account (nobody/apache).

- Original Message -
From: "A. Putnam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 07, 2003 4:20 PM
Subject: Re: private key not found



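The checks the replies in this thread ask for (does SSLCertificateKeyFile exist and is it really a key rather than the .crt, who owns it and with what mode, is it passphrase-protected, does it match server.crt), as an added shell example rather than anything from the list. The paths default to those in Andrew's config; the demo files are constructed and not usable keys; openssl is only needed for the match check.

```shell
#!/bin/sh
# Added checks for the "private key not found" thread; not code from the list.
# The "Pass Phrase Dialog" in the log means the key is encrypted and httpd
# needs a tty or SSLPassPhraseDialog to read it; the FAQ's chmod 400 and Ron's
# "owned by root" point are the permission checks; the modulus comparison
# catches a key that does not belong to the certificate (Justin's transferred
# domain). Paths are assumptions taken from the posted config.
KEY=${KEY:-/etc/httpd/ssl.key/server.key}
CRT=${CRT:-/etc/httpd/ssl.crt/server.crt}

# "key", "encrypted-key", "cert" or "unknown", judged from the PEM header.
pem_kind() {
    head -n 3 "$1" 2>/dev/null | awk '
        /^-----BEGIN ENCRYPTED PRIVATE KEY-----/ { kind = "encrypted-key"; exit }
        /^Proc-Type: 4,ENCRYPTED/                { kind = "encrypted-key"; exit }
        /^-----BEGIN CERTIFICATE-----/           { kind = "cert"; exit }
        /^-----BEGIN .*PRIVATE KEY-----/         { kind = "key" }
        END { print (kind ? kind : "unknown") }'
}

# Owner uid and mode string from `ls -ldn`, which reads the same on GNU and BSD.
file_owner_uid() { ls -ldn "$1" | awk '{ print $3 }'; }
file_mode_is_400() { [ "$(ls -ldn "$1" | cut -c2-10)" = "r--------" ]; }

# Print every problem with key file $1; $2 is the expected owner uid (root).
# Returns 0 only when the file is a private key with the right owner and mode.
check_key_file() {
    f=$1; want=${2:-0}; rc=0
    [ -f "$f" ] || { echo "$f: does not exist; compare with SSLCertificateKeyFile"; return 1; }
    case $(pem_kind "$f") in
        key)           ;;
        encrypted-key) echo "$f: passphrase-protected; httpd asks at start and fails without a tty" ;;
        cert)          echo "$f: is a certificate, not a private key"; rc=1 ;;
        *)             echo "$f: not a PEM private key"; rc=1 ;;
    esac
    [ "$(file_owner_uid "$f")" = "$want" ] || { echo "$f: owner uid $(file_owner_uid "$f"), expected $want"; rc=1; }
    file_mode_is_400 "$f" || { echo "$f: mode is not 400 (chmod 400 $f)"; rc=1; }
    return $rc
}

# RSA modulus comparison; a key that came from another host will not match.
# An encrypted key makes openssl prompt for its passphrase, which is expected.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed; match check skipped"; return 0; }
    k=$(openssl rsa -noout -modulus -in "$1") || return 1
    c=$(openssl x509 -noout -modulus -in "$2") || return 1
    [ "$k" = "$c" ]
}

# Demo on constructed files. For the real thing run:
#   check_key_file "$KEY" && key_matches_cert "$KEY" "$CRT"
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' 'DEK-Info: constructed' > "$d/server.key"
    chmod 644 "$d/server.key"
    check_key_file "$d/server.key" "$(id -u)"; echo "exit=$?"
    chmod 400 "$d/server.key"
    check_key_file "$d/server.key" "$(id -u)"; echo "exit=$?"
    rm -rf "$d"
}
demo
```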

Re: private key not found

2003-03-06 Thread A. Putnam
Is it possible that root would need to be able to execute this file?

On Friday 07 March 2003 16:20, A. Putnam wrote:
> The permissions for the server.crt file are rw-r--r-- but it still cannot
> find the Private Key.
>
> On Thursday 06 March 2003 13:36, Ron Gedye wrote:
> > Please check the permissions on your private key.  They should be
> > readable only by owner (400)
> >
> > (knee-jerk first guess reaction)
> >
> > Best of luck
> >
> > - Original Message -
> > From: "A. Putnam" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Friday, March 07, 2003 3:42 PM
> > Subject: private key not found
> >
> >
> > I'm trying to get mod_ssl to work on my server, but each time I try to
> > restart
> > apache with mod_ssl activated, it gives me this error:
> >
> > /etc/init.d/apache start returned 7 (Program is not running.)
> > Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass
> > Phrase Dialog)
> > Some of your private key files are encrypted for security reasons.
> > In order to read them you have to provide us with the pass phrases.
> >
> > Server matrix.pelathe.org:443 (RSA)
> > Enter pass phrase:
> > Apache:mod_ssl:Error: Private key not found.
> > **Stopped
> > stty: standard input: Inappropriate ioctl for device
> > ..failed
> >
> > What I don't understand is how it can't find the Private key. The
> > SSLCertificateKeyFile path in httpd.conf matches the location of the key
> > in my directory. Isn't the SSLCertificateKeyFile the Private Key path?
> >
> > I'm including the Virtual Host code (sans the explination text and a
> > passkey).
> > I'm very new to this so I won't be surprised if there is a glaring error
> > in here that I missed...
> >
> > 
> >
> > DocumentRoot "/srv/www/htdocs"
> > ServerName matrix.pelathe.org
> > ServerAdmin [EMAIL PROTECTED]
> > ErrorLog /var/log/httpd/error_log
> > TransferLog /var/log/httpd/access_log
> >
> > SSLEngine on
> >
> > SSLCipherSuite
> > ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> >
> > SSLCertificateFile /etc/httpd/ssl.crt/server.crt
> > #SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt
> >
> > SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
> > #SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key
> >
> > SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt
> >
> > #SSLCACertificatePath /etc/httpd/ssl.crt
> > SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
> >
> > SSLCARevocationPath /etc/httpd/ssl.crl
> > #SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl
> >
> > SSLVerifyClient require
> > SSLVerifyDepth  10
> >
> > #
> > #SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> > #and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> > #and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> > #and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> > #and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
> > #   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> > #
> >
> > #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
> > 
> > SSLOptions +StdEnvVars
> > 
> > 
> > SSLOptions +StdEnvVars
> > 
> >
> > SetEnvIf User-Agent ".*MSIE.*" \
> >  nokeepalive ssl-unclean-shutdown \
> >  downgrade-1.0 force-response-1.0
> >
> > CustomLog /var/log/httpd/ssl_request_log \
> >   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> >
> > 
> >
> > Any help would be greatly appreciated. I'm using Apache 1.3.26 and
> > Mod_SSL 2.8.10 on a SuSE 8.1 box.
> >
> > Thanks,
> > -Andrew
> > __
> > Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
> > User Support Mailing List  [EMAIL PROTECTED]
> > Automated List Manager[EMAIL PROTECTED]
> >

-- 
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center



Re: private key not found

2003-03-06 Thread A. Putnam
The permissions for the server.crt file are rw-r--r-- but it still cannot find 
the Private Key.

On Thursday 06 March 2003 13:36, Ron Gedye wrote:
> Please check the permissions on your private key.  They should be readable
> only by owner (400)
>
> (knee-jerk first guess reaction)
>
> Best of luck
>
> - Original Message -
> From: "A. Putnam" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, March 07, 2003 3:42 PM
> Subject: private key not found
>
>
> I'm trying to get mod_ssl to work on my server, but each time I try to
> restart
> apache with mod_ssl activated, it gives me this error:
>
> /etc/init.d/apache start returned 7 (Program is not running.)
> Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass
> Phrase Dialog)
> Some of your private key files are encrypted for security reasons.
> In order to read them you have to provide us with the pass phrases.
>
> Server matrix.pelathe.org:443 (RSA)
> Enter pass phrase:
> Apache:mod_ssl:Error: Private key not found.
> **Stopped
> stty: standard input: Inappropriate ioctl for device
> ..failed
>
> What I don't understand is how it can't find the Private key. The
> SSLCertificateKeyFile path in httpd.conf matches the location of the key in
> my directory. Isn't the SSLCertificateKeyFile the Private Key path?
>
> I'm including the Virtual Host code (sans the explanation text and a
> passkey).
> I'm very new to this so I won't be surprised if there is a glaring error in
> here that I missed...
>
> 
>
> DocumentRoot "/srv/www/htdocs"
> ServerName matrix.pelathe.org
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog /var/log/httpd/error_log
> TransferLog /var/log/httpd/access_log
>
> SSLEngine on
>
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> SSLCertificateFile /etc/httpd/ssl.crt/server.crt
> #SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt
>
> SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
> #SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key
>
> SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt
>
> #SSLCACertificatePath /etc/httpd/ssl.crt
> SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
>
> SSLCARevocationPath /etc/httpd/ssl.crl
> #SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl
>
> SSLVerifyClient require
> SSLVerifyDepth  10
>
> #
> #SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> #and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> #and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
> #and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
> #and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
> #   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
> #
>
> #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
> 
> SSLOptions +StdEnvVars
> 
> 
> SSLOptions +StdEnvVars
> 
>
> SetEnvIf User-Agent ".*MSIE.*" \
>  nokeepalive ssl-unclean-shutdown \
>  downgrade-1.0 force-response-1.0
>
> CustomLog /var/log/httpd/ssl_request_log \
>   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> 
>
> Any help would be greatly appreciated. I'm using Apache 1.3.26 and Mod_SSL
> 2.8.10 on a SuSE 8.1 box.
>
> Thanks,
> -Andrew

-- 
A. Putnam
Assistant IT Administrator
Pelathe Community Resource Center



Re: private key not found

2003-03-06 Thread Ron Gedye
Please check the permissions on your private key.  They should be readable
only by owner (400)

(knee-jerk first guess reaction)

Best of luck

- Original Message -
From: "A. Putnam" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 07, 2003 3:42 PM
Subject: private key not found


I'm trying to get mod_ssl to work on my server, but each time I try to
restart
apache with mod_ssl activated, it gives me this error:

/etc/init.d/apache start returned 7 (Program is not running.)
Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass Phrase
Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server matrix.pelathe.org:443 (RSA)
Enter pass phrase:
Apache:mod_ssl:Error: Private key not found.
**Stopped
stty: standard input: Inappropriate ioctl for device
..failed

What I don't understand is how it can't find the Private key. The
SSLCertificateKeyFile path in httpd.conf matches the location of the key in
my directory. Isn't the SSLCertificateKeyFile the Private Key path?

I'm including the Virtual Host code (sans the explanation text and a
passkey).
I'm very new to this so I won't be surprised if there is a glaring error in
here that I missed...



DocumentRoot "/srv/www/htdocs"
ServerName matrix.pelathe.org
ServerAdmin [EMAIL PROTECTED]
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /etc/httpd/ssl.crt/server.crt
#SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt

SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
#SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key

SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt

#SSLCACertificatePath /etc/httpd/ssl.crt
SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt

SSLCARevocationPath /etc/httpd/ssl.crl
#SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl

SSLVerifyClient require
SSLVerifyDepth  10

#
#SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
#   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#

#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0

CustomLog /var/log/httpd/ssl_request_log \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



Any help would be greatly appreciated. I'm using Apache 1.3.26 and Mod_SSL
2.8.10 on a SuSE 8.1 box.

Thanks,
-Andrew


private key not found

2003-03-06 Thread A. Putnam
I'm trying to get mod_ssl to work on my server, but each time I try to restart 
apache with mod_ssl activated, it gives me this error:

/etc/init.d/apache start returned 7 (Program is not running.)
Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass Phrase 
Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server matrix.pelathe.org:443 (RSA)
Enter pass phrase:
Apache:mod_ssl:Error: Private key not found.
**Stopped
stty: standard input: Inappropriate ioctl for device
..failed

What I don't understand is how it can't find the Private key. The 
SSLCertificateKeyFile path in httpd.conf matches the location of the key in 
my directory. Isn't the SSLCertificateKeyFile the Private Key path?

I'm including the Virtual Host code (sans the explanation text and a passkey).
I'm very new to this so I won't be surprised if there is a glaring error in 
here that I missed...



DocumentRoot "/srv/www/htdocs"
ServerName matrix.pelathe.org
ServerAdmin [EMAIL PROTECTED]
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log

SSLEngine on

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /etc/httpd/ssl.crt/server.crt
#SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt

SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
#SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key

SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt

#SSLCACertificatePath /etc/httpd/ssl.crt
SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt

SSLCARevocationPath /etc/httpd/ssl.crl
#SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl

SSLVerifyClient require
SSLVerifyDepth  10

#
#SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20   ) \
#   or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#

#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire

SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


SetEnvIf User-Agent ".*MSIE.*" \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0

CustomLog /var/log/httpd/ssl_request_log \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"



Any help would be greatly appreciated. I'm using Apache 1.3.26 and Mod_SSL 
2.8.10 on a SuSE 8.1 box.

Thanks,
-Andrew


RE: Proxy http with modssl?

2003-03-06 Thread Torvald Baade Bringsvor
If you wish to terminate the https on the "new" machine and communicate to
the old computer using http, then mod_proxy is what works for us. We use it
extensively.

-Torvald


-Original Message-
From: danalien [mailto:[EMAIL PROTECTED]
Sent: 6 March 2003 14:30
To: [EMAIL PROTECTED]
Subject: Re: Proxy http with modssl?


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thursday 06 March 2003 06:56, Marko Asplund wrote:
> On Wed, 5 Mar 2003, Chris Davis wrote:
> >  I'm looking for a method to hide an old web server behind
> >  a modssl server. The hidden server has several applications
> >  served over http. What I'd like is for https requests
> >  to be rewritten in modssl and proxied to the hidden
> >  internal system.
> >  ...
>
> there are probably several possible implementations for the reverse proxy
> configuration you're describing but one possibility is to use mod_accel
> (http://sysoev.ru/mod_accel/) for this purpose.
>

or you could run stunnel (on that old machine, and close every other port
except the one stunnel uses, or use port-forwarding on the "remote-pc" that
uses stunnel to communicate with ssl-based software...).

"Stunnel is a program that allows you to encrypt arbitrary TCP connections 
inside SSL (Secure Sockets Layer) available on both Unix and Windows. 
Stunnel can allow you to secure non-SSL aware daemons and protocols 
(like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, 
requiring no changes to the daemon's code." -- www.stunnel.org 

- -- 

//   with regards
//   ID ::  danalien  ::  <[EMAIL PROTECTED]>


Re: Proxy http with modssl?

2003-03-06 Thread Chris Davis
 

Thanks everyone for the follow-ups. I want to use mod_rewrite if I can get
it to work. I've added the module in the server and in my virtualhost clause
have these statements

RewriteEngine On
RewriteRule MyApp\/Version\/Five\/ http://10.x.x.x/Version/Five/ [P,NE,L]

I call the application as https://modssl/MyApp/Version/Five/?Arg1=1&Arg2=2
The internal server receives the URL but has this in the access logs

GET /Version/Five/%3FArg1=1&Arg2=2

So it appears as if this is close to working. How can I prevent the '?'
from being changed to a '%3F' by Rewrite?


Chris


more info Re: intermittent IE problem,

2003-03-06 Thread jgelb
Some more info:

Looking more closely at the ssl logs, I think I'm seeing the following
behavior during our freezes:

[06/Mar/2003 10:32:43 24491] [trace] OpenSSL: Loop: before/accept
initialization 
[06/Mar/2003 10:37:23 24443] [debug] OpenSSL: I/O error, 5 bytes
expected to read on BIO#001C4278 [mem: 00288B30]

The server is completely unresponsive until after the I/O error is
logged.  Sometimes that's right away, other times it's 5 minutes, per
above.

On the subject of logging, I'm occasionally seeing something like:
[06/Mar/2003 11:03:42 24782] [debug] OpenSSL: read 788/34821 bytes
from BIO#001783D0 [mem: 0021DF50] (BIO dump follows)

Is the "short" read really a short read, or just the debugging system
logging something before the read is complete?  

Thanks for any and all info.

-- jeff gelb



On Tue, Mar 04, 2003 at 11:44:12AM -0500, jgelb wrote:
> 
> Fwiw, I'm getting nearly identical symptoms as well.  After an
> indeterminate amount of time, SSL requests to the server seem to hang
> indefinitely.   The problem appears to temporarily clear itself for a
> short time.
> 

> -- jeff


RE: two server certificates.

2003-03-06 Thread Boyle Owen
>-Original Message-
>From: kulkarni veena [mailto:[EMAIL PROTECTED]
>
>I have one machine which has apache+mod_ssl with a
>self signed server certificate. is it possible to have
>another self signed certificate using the same
>Apache+mod_ssl instance but say a different port?

Yes. You simply make two port-based virtualhosts and put the
SSLCertificate* directives for cert 1 inside VH 1 and for cert 2 inside
VH 2.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 
>
>
>thanks in advance.
>
>-veena
>
>



Re: stop apache/mod_ssl binding to all IP's.

2003-03-06 Thread R. DuFresne
On Thu, 6 Mar 2003, Terry Kerr wrote:

> Hi,
> 
> I am running apache 1.3.26 and mod_ssl 2.8.9-2.1 on a debian linux system.
> 
> The system has two IPs, and I only wish for apache to start on ports 80 and 443
> on one of those IPs.  I am using name-based virtual hosting for many sites on
> the system for http, and have just one virtual host set up for https on port 443.
> The problem that I am having is that I cannot stop mod_ssl from binding to
> port 443 on both the IPs on my system.  I have tried every possible combination
> of Listen, BindAddress, and Port, and have managed to prevent http from starting
> on all IPs, but https still starts on all IPs.  Is there any way to stop this?
> 
> Will I need to start two separate servers, one serving http only, and one
> serving https only?  If I was to do this, I may as well go back to using
> apache-ssl which is the default installation on debian anyway.
> 


add the IP address or FQDN to the port designation for the appropriate
Listen parameter:


Listen someplace.com:80
Listen someplace.com:443



> Thanks in advance
> 
> terry
> 
> 

-- 
~~
admin & senior security consultant:  sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!



Re: Proxy http with modssl?

2003-03-06 Thread danalien
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Thursday 06 March 2003 06:56, Marko Asplund wrote:
> On Wed, 5 Mar 2003, Chris Davis wrote:
> >  I'm looking for a method to hide an old web server behind
> >  a modssl server. The hidden server has several applications
> >  served over http. What I'd like is for https requests
> >  to be rewritten in modssl and proxied to the hidden
> >  internal system.
> >  ...
>
> there are probably several possible implementations for the reverse proxy
> configuration you're describing but one possibility is to use mod_accel
> (http://sysoev.ru/mod_accel/) for this purpose.
>

or you could run stunnel (on that old machine, and close every other port
except the one stunnel uses, or use port-forwarding on the "remote-pc" that
uses stunnel to communicate with ssl-based software...).

"Stunnel is a program that allows you to encrypt arbitrary TCP connections 
inside SSL (Secure Sockets Layer) available on both Unix and Windows. 
Stunnel can allow you to secure non-SSL aware daemons and protocols 
(like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, 
requiring no changes to the daemon's code." -- www.stunnel.org 

- -- 

//   with regards
//   ID ::  danalien  ::  <[EMAIL PROTECTED]>


Re: stop apache/mod_ssl binding to all IP's.

2003-03-06 Thread Mark Boddington

Hi Terry,

Perhaps your directives are being overridden in a "IfDefine SSL" or
"IfModule SSL" block ? Listen IP:Port does work, works for me. Do you
have the following in your config ?

Listen my.ip.address:443
...
NameVirtualHost my.ip.address:443
...

...


Cheers,

Mark


On Thu, 6 Mar 2003, Terry Kerr wrote:

> Hi,
>
> I am running apache 1.3.26 and mod_ssl 2.8.9-2.1 on a debian linux system.
>
> The system has two IPs, and I only wish for apache to start on ports 80 and 443
> on one of those IPs.  I am using name-based virtual hosting for many sites on
> the system for http, and have just one virtual host set up for https on port 443.
> The problem that I am having is that I cannot stop mod_ssl from binding to
> port 443 on both the IPs on my system.  I have tried every possible combination
> of Listen, BindAddress, and Port, and have managed to prevent http from starting
> on all IPs, but https still starts on all IPs.  Is there any way to stop this?
>
> Will I need to start two separate servers, one serving http only, and one
> serving https only?  If I was to do this, I may as well go back to using
> apache-ssl which is the default installation on debian anyway.
>
> Thanks in advance
>
> terry
>
> --
> Terry Kerr ([EMAIL PROTECTED])
> Adroit Internet Solutions (www.adroit.net)
> Phone: +61 3 9563 4461
> Fax: +61 3 9563 3856
>
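The grep Ron suggests and the "IfDefine SSL" block Mark points at, turned into one audit: an added example, not code from mod_ssl or from anyone in this thread. It lists every Listen, BindAddress and Port directive in an httpd.conf with the IfDefine/IfModule block it sits in, and flags a Listen that names only a port, because that form binds every local address regardless of the address-qualified Listen lines elsewhere. The sample httpd.conf in the test is constructed; the Apache 1.3 IPv4 syntax of the thread is assumed.

```shell
#!/bin/sh
# Audit the bind-related directives of an httpd.conf. Added example for this
# thread; not Apache's or mod_ssl's own tooling.
#
# Prints one line per Listen/BindAddress/Port directive, prefixed with the
# <IfDefine>/<IfModule> nesting it is found in, e.g.
#   global/IfDefine SSL: Listen 443  <-- binds all addresses
audit_listen() {
    awk '
        /^[[:space:]]*#/ { next }                       # comment lines
        /^[[:space:]]*<(IfDefine|IfModule)[[:space:]]/ {
            line = $0
            sub(/^[[:space:]]*</, "", line)             # strip "<"
            sub(/>.*$/, "", line)                       # strip ">" and trailer
            ctx[++depth] = line; next                   # push block name
        }
        /^[[:space:]]*<\/(IfDefine|IfModule)>/ { if (depth > 0) depth--; next }
        tolower($1) == "listen" || tolower($1) == "bindaddress" || tolower($1) == "port" {
            where = "global"
            for (i = 1; i <= depth; i++) where = where "/" ctx[i]
            # "Listen 443" or "Listen 0.0.0.0:443" binds INADDR_ANY;
            # "Listen a.b.c.d:443" binds one address only.
            flag = ""
            if (tolower($1) == "listen" && ($2 !~ /:/ || $2 ~ /^0\.0\.0\.0:/))
                flag = "  <-- binds all addresses"
            print where ": " $1 " " $2 flag
        }
    ' "$1"
}

# Number of Listen directives that bind every address; 0 means httpd only
# listens where the config told it to. (grep -c exits 1 on zero matches,
# hence the "|| true" so the count is still printed.)
count_unbound_listens() {
    audit_listen "$1" | grep -c 'binds all addresses' || true
}

# Usage:
#   audit_listen /etc/apache/httpd.conf
#   count_unbound_listens /etc/apache/httpd.conf
```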