Re: Compile of Apache

2002-08-20 Thread Andrew Lietzow

On Wednesday 07 August 2002 11:08 am, you wrote:
> Firstly, excuse my weak English.
> I am trying to compile the Apache-1.3.26, with SSL (openssl-0.9.6d or
> mod_ssl-2.8.10-1.3.26) and mod_perl (mod_perl-1.26). I tried to compile
> in several different ways, for the Apache, using the openssl and for the
> mod_perl (INSTALL.simple.mod_ssl).
> Both seem to compile well and to generate the binary ones. SSL works
> well. However, in any situation I am getting to execute scripts PERL.
> Could anybody send me a compilation and installation script of the
> Apache with SSL and MOD_PERL that it works appropriately?
> I am using RedHat 6.2 in a Sun UltraSparc 10 with perl 5.003.
> Thank you.

Perhaps it's the "I love to be on the bleeding edge" drive in me which has 
regrettably proven to be something other than a brilliant move so many times, 
but I question why would you not install Apache 2.0.40 and skip the 1.3.26 
altogether?  

It seems to work so much better right out of the tarball, having mod_so, 
pre-compiled into the code, making the addition of mod_perl and mod_ssl 
seemingly much easier.  

I do know that the install of 2.0.X has been quite smooth, relative to 
1.3.26.

Am I off track in that assumption?   Am I leading this fellow astray?   
Perhaps there are quirks that won't allow an install to RHL 6.2 and Sun US 10?

-- 
Andrew Lietzow
The ACL Group, Inc.
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: virtual hosting and ssl

2002-05-06 Thread Andrew Lietzow

While we're on this topic...
Owen Boyle wrote on 01.03.26 "This question comes up so often it ought to be
in the .sig of the list... ", and this ends with "Use different port numbers
for different SSL hosts".
I personally don't know what the .sig would mean, but the last comment
intrigues me.
By using different IP ports ... might something like the following work?
For example:
<VirtualHost 192.168.1.1>
ServerAdmin [EMAIL PROTECTED]
ServerName www.acme.com
DocumentRoot /var/www/www.acme.com
</VirtualHost>

<VirtualHost 192.168.1.1:443>
ServerAdmin [EMAIL PROTECTED]
ServerName secure.acme.com
DocumentRoot /var/www/secure.acme.com
SSLCertificateFile /path/to/original/cert
SSLCertificateKeyFile /path/to/original/key
</VirtualHost>

<VirtualHost 192.168.1.1>
ServerAdmin [EMAIL PROTECTED]
ServerName www.anotherdomain.com
DocumentRoot /var/www/www.anotherdomain.com
</VirtualHost>

<VirtualHost 192.168.1.1:745> (or other unassigned IP Port)
ServerAdmin [EMAIL PROTECTED]
ServerName secure.anotherdomain.com
DocumentRoot /var/www/secure.acme.com
SSLCertificateFile /path/to/second/cert
SSLCertificateKeyFile /path/to/second/key
</VirtualHost>
My question is: when running Apache 2.0.X, can one
Listen 443
AND
Listen 745
and obtain the intended result?  I am close to trying this but thought
maybe someone more experienced has already done so and knows what results
I could anticipate.
Andrew Lietzow
The ACL Group, Inc. 
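As an added example, not Andrew's posted configuration, here is how the layout he sketches would be written out for Apache 2.0 with mod_ssl: the two plain-HTTP hosts share 192.168.1.1:80 by name, and the two SSL hosts each get their own port. Two Listen lines are needed because the TLS handshake, and with it the choice of certificate, completes before the server sees any Host header, so in this version every SSL host must sit on its own address:port. The directives `SSLEngine on` and `NameVirtualHost`, the webmaster addresses and a separate DocumentRoot for the second secure host are assumptions not in the post; hostnames, paths and port 745 follow it.

```apache
# Added example (not from the list post): Apache 2.0 / mod_ssl layout with
# name-based HTTP hosts on port 80 and two SSL hosts on distinct ports.
Listen 80
Listen 443
Listen 745

# Plain HTTP: several hosts may share one IP:port because the Host header
# selects the site after the connection is made.
NameVirtualHost 192.168.1.1:80

<VirtualHost 192.168.1.1:80>
    # assumed address
    ServerAdmin webmaster@acme.com
    ServerName www.acme.com
    DocumentRoot /var/www/www.acme.com
</VirtualHost>

<VirtualHost 192.168.1.1:80>
    ServerAdmin webmaster@anotherdomain.com
    ServerName www.anotherdomain.com
    DocumentRoot /var/www/www.anotherdomain.com
</VirtualHost>

# SSL hosts: the certificate is presented during the handshake, before any
# HTTP request exists, so each secure host needs its own IP:port.
<VirtualHost 192.168.1.1:443>
    ServerAdmin webmaster@acme.com
    ServerName secure.acme.com:443
    DocumentRoot /var/www/secure.acme.com
    SSLEngine on
    SSLCertificateFile /path/to/original/cert
    SSLCertificateKeyFile /path/to/original/key
</VirtualHost>

<VirtualHost 192.168.1.1:745>
    ServerAdmin webmaster@anotherdomain.com
    ServerName secure.anotherdomain.com:745
    # assumed: its own directory rather than secure.acme.com's
    DocumentRoot /var/www/secure.anotherdomain.com
    SSLEngine on
    SSLCertificateFile /path/to/second/cert
    SSLCertificateKeyFile /path/to/second/key
</VirtualHost>
```

Since 745 is not the default HTTPS port, browsers reach the second secure host only as https://secure.anotherdomain.com:745/ and will warn if the certificate's subject does not match that hostname. Running `apachectl configtest` before a restart catches a misspelt directive without taking the live server down.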




Re: important - virtual hosts for apache 2.0

2002-04-22 Thread Andrew Lietzow

Hello Sonu,
RE:>>1. where do i put the virtual host details for http page<
In the virtual host directive section of your httpd.conf file.
Is this working?  If not, what about it does not work?  Once you have the
Secure ServerName and DocumentRoot for the MAIN server set, does the main
server come up okay?  If not, you will probably have trouble making the
virtual host work.

RE:>>2. where do i put the virtual host details for https page SSLVerifyClient none<
This you put in the ssl.conf file.  Since Apache 2.0.35 already is mod_ssl
aware, all you should need to do is something like:

Listen 443


DocumentRoot "/var/www/secure.server.com/"
ServerName secure.server.com:443

---
If you don't require the SSLClient to verify, then you shouldn't have to set
up anything because the web server software should just handle your secure
communications.

There are a few other settings that need to be set to read your certificate
files, but this should get you to the point of users being able to connect
to the https server.  And, you said that you had all of the files created
so I would imagine that you can see how the default is set.  You would
change those settings to point to YOUR CRT and KEY files instead.

Again, do you have a specific error message?  What does your access_log say
on that server?


RE:>>3. where do i put the virtual host details for https page SSLVerifyClient<
---
Make sure the SSLVerifyClient require statement is uncommented in the
ssl.conf file.  I did this and immediately, my secure server requests a
certificate from my client.  I think you can then pick the client cert you
want to use from a list, if the client has one.  (I don't have one in my
client as I have never had a need for one).

The best info I had on this was from a message by Owen Boyle with a subject
line of "Creating Client Certificates".  If you can't find it, I'll forward
a copy to you...

RE:>>now I need to create three virtual hosts
One at 80, one at 443, and one at 8443?  Wouldn't this work?

Good luck.  I'm going to have to bow out because I would be the blind
leading the blind.  Hopefully I haven't steered you too far off track. :-)

Andrew Lietzow
The ACL Group, Inc.



- Original Message -
From: "Sonu Kishore" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, April 22, 2002 11:44 AM
Subject: Re: important - virtual hosts for apache 2.0


> Thanx Andrew for a quick response.
>
> I am in a mess ... this project landed in my lap just 8 days back when I knew
> nothing about apache's httpd.conf or PKI or openssl etc etc..
> But today i feel so much more aware.
>
> [http page]
> The problem is in our intranet site we have first page which has to be a http
> page where the new user sends a request for certificate to my CA.
>
> [https Page - SSLVerifyClient none]
> The second page is where the new user is asked to provide user id & PEM pass
> phrase to generate a certificate
>
> [http page - SSLVerifyClient require]
> The third page where all registered users fill their user id & password and
> use the intranet application.
>
> now I need to create three virtual hosts in
> [httpd.conf file]
> [ssl.conf file]
> how do I configure the two files for the same.
>
> 1. where do i put the virtual host details for http page
> 2. where do i put the virtual host details for https page SSLVerifyClient none
> 3. where do i put the virtual host details for https page SSLVerifyClient
> require
>
> Please suggest.
>
> Regards
>
> Sonu.
>
>
>
>

Re; Re; Even more so - Re: Urgent Help

2002-04-22 Thread Andrew Lietzow

Dear Sonu,
RE:>>I have configured my httpd.conf & ssl.conf file also but probably I am not
doing something right as my site is not opening as required.
...and...
RE:>>> I have one page which has to be http
> I have the second page which has to be https with sslverifyclient none
> I have a third page which is https with sslverifyclient require
> I have read that i will require IP base virtual hosts.
...and...
RE:>>
I want to use apache 2.0 how do I configure it with mod_ssl & openssl.

Okay, now that you have shared the background, what exactly is happening?  I
guess the reason I was (on Saturday) curious as to whether you have followed
guides available from Apache, openssl, and mod_ssl is because FOR ME, the
Apache 2.0.35 system configured very quickly to provide a secure server,
without hardly a whimper.  Download the tarball, run configure, generate the
key, csr, and crt, and voila, secure server is up and running.  This does
not, however, address your last configuration, with sslverifyclient =>
require.  That I have not tried.

However, if you can provide the scenario for your error or perceived
dysfunctionality of the system, then possibly someone can help you quickly
move forward.  I doubt that it is I, but send more information and I'll be
glad to help if I can.  Most here will do the same, or so I believe, or they
probably wouldn't continue to subscribe.

Take some time to thoroughly and clearly describe the error or the problem
and you may get some very quick help.

Good Luck!

Andrew Lietzow
The ACL Group, Inc.




Re: Urgent help

2002-04-20 Thread Andrew Lietzow

Dear Sonu,
RE:>>> I want to use apache 2.0 how do I configure it with mod_ssl &
openssl.
AND
RE:>>Please guide its very very urgent.

Sorry to be the bearer of bad news, but it seems everyone who is in such a
hurry frequently fails to do the most essential of things which are critical
to their near term and long term success.  This is a basic step which they
probably already know but want to believe it to be otherwise.

If you MUST start this endeavor, and it appears from your urgency that this
is not an optional activity, then instead of going to the golf course, or
enjoying time by the pool; or being with your family or friends and enjoying
ESPN, or whatever else you could be doing, then, at least take the time to
do your homework.

Should you charge ahead without being somewhat cognizant of the complexity
of it all, your experience will be encumbered by significant frustration and
you will either end up badmouthing the product, your operating system, the
people on this list, or whomever; when all of that could have easily been
avoided by taking this one simple step.  RTFM.

I want to give you the absolute best advice of which I am cognizant, Sonu.
You may think I'm being smart, arrogant, or simply rude, but I am going to
pass on to you what some bright fellow from England recommended to me when
"I" first wanted to install this package.

And, it is a very important acronym to know if you are going to be
successful in your endeavor.  RTFM.  "Read The Friendly Manual"...

This is not your son's tricycle that you are going to be putting together.
You might get away with skipping the directions when you decide to put minor
projects together without taking the time to read the directions.  However,
IMO, this step CANNOT be avoided if you desire to attain success with your
project.

With that said, you can go to the Apache or modssl.org web site and pick up
VOLUMES of information--for free!--helpful hints that will quickly get you
on your way.  Or, you can do like I did and immediately invest in at least
one comprehensive text on the subject.  I know there are several very
excellent texts out there and some may have been written by others on this
very list.  I invested in one from Wrox Press called "Professional Apache"
by Peter Wainwright.  Again, there are several other excellent treatises on
this subject and any of these will aid you IMMENSELY in your undertaking.
These people have gone before you, to pave the way and relieve you of untold
hours, days, or even weeks of frustration and anguish.  The road is now
clear and it is mostly smooth sailing, but you must have the roadmap if you
are going to start the journey.

So, Sonu, if it is indeed true that you need this in a "very very urgent"
manner, then I would recommend that you do this ASAP.  Spend the little bit
of money and take the few hours required to AT LEAST read the basics for
installation.  If you don't want to spend the money, then you can study at
numerous places on the web.  In very short order, you can have your system
up and running!--but you must start at the beginning.  IF YOU CHOOSE NOT TO
DO THIS, IMO, you'll be coming to this list all of the time, screaming
"FIRE, FIRE", when in reality, there is no fire.  There is only an illusion
of fire, easily put out with your very own fire extinguisher--your mind.

If you are not willing to start at the beginning then you might as well go
play some golf and let someone else relieve you of the frustration you are
about to experience...
IMHO...

Sincerely,

Andrew Lietzow
The ACL Group, Inc.

- Original Message -
From: "Sonu Kishore" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, April 20, 2002 2:16 AM
Subject: Urgent help


> Please guide its very very urgent.
> Reply at
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> Regards
> sonu
>




Re: searching for Windows NT binary of Apache 2.0.35 with mod_ssl

2002-04-18 Thread Andrew Lietzow

Johannes,
RE:>>Before I try further to compile the stuff by my own ...
RE:>>Currently there is only a non-ssl-version:
>  apache_2.0.35-win32-x86-no_ssl.msi
>  http://www.apache.org/dist/httpd/binaries/win32/#stable
>  This version is only available at present in a -no_ssl flavor, due to
>  ongoing questions of strong crypto restrictions.
>  (??? sources are available - but the binary not ???) already successful?

Can't tell you much about a binary for NT.  That's probably quite low on the
marketing development list as there are not too many
Apaches running on NT.  (Please point me to marketing data, should I be
incorrect in this statement).  I'm surprised they invest any time at all,
let alone developing a binary.

I do know that it compiled quite nicely on SuSE 7.3 Linux with only two
tries.  I have pulled a little hair out in the past, with some lower level
versions, but IMO, the new 2.0.35 is very easy to install with mod_ssl
enabled, on a platform where it will plug-n-play.  So, if you get tired
with Win NT, for about 80-160 bucks you can come back from the dark side...

The porters can help you, because they are very patient souls who want to
see the market expand for Apache and mod_ssl.  However, I'm unable to do
more than to point you to a solution that I know works well, right out of
the tarball...

I wish you well.

Andrew Lietzow
The ACL Group, Inc.





Re: Apache 2.0.35 with SSL - wont start

2002-04-15 Thread Andrew Lietzow

Dear Mads Toftum, 
> This is the default for Apache2 - the ssl configuration has been
> moved out of httpd.conf to ssl.conf
---
And what a marvelous business/IT decision that was!  I applaud 
this whole-heartedly.   

I am but a mere mortal, simply needing to know enough to 
configure, launch, and maintain Apache mod_ssl enabled 
servers.  

IMO, this makes for a more straightforward configuration, 
allowing more users to adopt and utilize the technology.  Hopefully,
this is perceived to be a good thing by those who enable this project
to persist.   

Andrew Lietzow
The ACL Group, Inc. 




Re: Apache 2.0.35 with SSL - wont start

2002-04-15 Thread Andrew Lietzow

Hello Jeremy,
RE>::> 0.0.0.0 tells the OS to bind to all network adapters.  It's not really
> a usable IP address.

Maybe this is a bit off subject, but doesn't the Apache web server have to
bind to a specific network interface?  If you are trying to have it listen
for packets on 443 or 8443, or whatever, you couldn't have it listen to four
(or some other multiple of one) IP addresses and associated ports
simultaneously... or could you?  I mean it might be "able" to do it, but how
would it know how to control traffic without specifically binding addresses
to an interface, whether they be static, or at least IP-masqueraded (as in
NAT).

Just for testing purposes, if one could say, either in the main server or in
a virtual host directive:
Listen _default_:*

with one network interface, what would happen if you had multiple network
interfaces?  The httpd daemon would start for the first one, possibly, but
could it route traffic for all of the interfaces and not know specific IP
address for those cards?  Obviously, I'm confused.

This will eventually lead to my burning question of how to setup multiple
secure servers with the VirtualHost directive.  I think I can do this by
assigning each server to a different port address but I'm not quite there
yet.

Andrew Lietzow
The ACL Group, Inc.



- Original Message -
From: "Jeremy Walton" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, April 15, 2002 9:41 AM
Subject: RE: Apache 2.0.35 with SSL - wont start


> 0.0.0.0 tells the OS to bind to all network adapters.  It's not really a
> usable IP address.
>
> Jeremy Walton
> DICE Corporation
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew Lietzow
> Sent: Monday, April 15, 2002 10:27 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Apache 2.0.35 with SSL - wont start
>
>
> Dear Paul,
> RE:>>(13)Permission denied: make_sock: could not bind to address
> 0.0.0.0:443 no listening sockets available, shutting down AND I have
> tried changing the port to other numbers as well but to no luck
> ---
> Just a thought... can you ping to that IP address of 0.0.0.0?  And is
> this a port that you can bind to?  Seems like it ought to be either a
> private C Class address, or some other address than the default of
> 0.0.0.0.
>
> In other words, are you certain that you can direct TCP/IP framed
> packets through this IP address?
>
> Andrew Lietzow
> The ACL Group, Inc.

Re: Apache 2.0.35 with SSL - wont start

2002-04-15 Thread Andrew Lietzow

Dear Paul,
RE:>>(13)Permission denied: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down AND I have tried changing the
port to other numbers as well but to no luck
---
Just a thought... can you ping to that IP address of 0.0.0.0?  And is this a
port that you can bind to?  Seems like it ought to be either a private C
Class address, or some other address than the default of 0.0.0.0.

In other words, are you certain that you can direct TCP/IP framed packets
through this IP address?

Andrew Lietzow
The ACL Group, Inc.



- Original Message -
From: "paul priestman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, April 15, 2002 8:18 AM
Subject: Re: Apache 2.0.35 with SSL - wont start


> i'm actually trying to run this server on port 8443 - the other httpd runs
> on port 443 but i have stopped this server running (as its just another
> test server).  I am starting the server as my self - not as root but the
> port is > 1024 anyway
>
> I have tried changing the port to other numbers as well but to no luck
>
> Paul
>
> >From: "R. DuFresne" <[EMAIL PROTECTED]>
> >To: paul priestman <[EMAIL PROTECTED]>
> >CC: [EMAIL PROTECTED]
> >Subject: Re: Apache 2.0.35 with SSL - wont start
> >Date: Mon, 15 Apr 2002 09:12:42 -0400 (EDT)
> >
> >
> >You're not trying to run two httpd's on the same set of ports are you,
> >the old one running while trying to fire up the new?
> >
> >that's what the error suggests I think...
> >
> >thanks,
> >
> >Ron DuFresne
> >
> >On Mon, 15 Apr 2002, paul priestman wrote:
> >
> > > Hello all,
> > >
> > > I have downloaded and installed Apache 2.0.35 with SSL.  I have
> > > configured the httpd.conf as they suggest in ssl.conf.  However, when
> > > i try to start apachectl i get the following message:
> > >
> > > (13)Permission denied: make_sock: could not bind to address 0.0.0.0:443
> > > no listening sockets available, shutting down
> > > ./apachectl startssl: httpd could not be started
> > >
> > > Has anyone any ideas what i'm doing wrong - i have successfully got ssl
> > > working with apache 1.3.22.
> > >
> > > Thanks for your time
> > >
> > > Paul
> > >
> >
> >--
> >~~
> > admin & senior security consultant:  sysinfo.com
> > http://sysinfo.com
> >
> >"Cutting the space budget really restores my faith in humanity.  It
> >eliminates dreams, goals, and ideals and lets us get straight to the
> >business of hate, debauchery, and self-annihilation."
> > -- Johnny Hart
> >
> >testing, only testing, and damn good at it too!
> >
>
>
>
>




Reinstalling a Thawte CRT - Feasible?

2002-04-14 Thread Andrew Lietzow

Dear mod_ssl'ers,
I have in my possession a diskette on which I backed up my Thawte CRT file
(at least I'm bright enough to have done that...but at the time I didn't
know that I would need to have backed up TWO files... anyhow...).  It has
been successfully installed previously on a SuSE Linux 7.1 server.  The box
crashed hard last weekend (fortunately, it was not quite yet a production
server).  I could not get that fairly old P-100 system to come back up.
Everything I tried failed.  Apparently, it took a hit on a memory chip or
something critical to the system such that it could not be rebooted.  I
pulled hair for about a day while searching the SuSE site, and the entire
Inet crash recover routines on a SuSE box.  No magical answer appeared.  I
made the decision to upgrade.

Now I have installed SuSE 7.3 on this new server and I need to reinstall my
CERT.  I have the securedomainname.crt file in my possession on a diskette
but I do not have the original securedomainname.key file, or the
securedomainname.csr file (because I trust servers to never crash?).  The
files are gone now as I have completely reformatted that system during the
new install.

I have gone through the steps at
http://www.thawte.com/ucgi/gothawte.cgi?a=e380614470105000 to generate a new
server.key and server.csr file.  Since I am running Apache 2.0.35, I
modified my /usr/local/apache2/conf/ssl.conf file to access the new .key and
OLD .crt file.  It appears to work through the ssl.conf file just fine
and then dies with a mismatch error.

The entries I made look like this:
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/securedomainname.crt
(the old file from Thawte, copied over from diskette)
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/securedomainname.key
(a new file).

Of course, perhaps critical to this routine is whether I answered the
questions EXACTLY the same during the creation of the NEW
securedomainname.csr file.  It's possible, but I'm not 100% certain.

When I attempt to fire up with:
./apachectl startssl
the system prompts me for a passphrase and it accepts it.  I did NOT enter a
passphrase when I requested my original Thawte CERT.  I don't know if this
is critical (i.e. is my passphrase encrypted into the CSR file and they use
this as part of the generation of my private.crt file?).  Anyhow, when I
ATTEMPT to fire up with

./apachectl startssl
the system prompts with



I enter the pass phrase, and it returns



and then I get an "Unable to start httpd" error message.

I checked the /logs/error_log file where there is a record of a grumble...
.
Rather than spend hours attempting to make new .key and .csr files, and then
to "trick" the system into accepting my old.crt file, I need to ask the
question whether this is even feasible.  Was my original KEY file generated
with a random seed routine that made it so that when I sent my CSR file to
Thawte, I cannot ever create a KEY file on this server that would match to
my old CRT?

NOW that I see their caveat,
"Now PLEASE backup your www.xxx.com.key and make a note of the passphrase.
Losing your key will cost you money!" I imagine this is why this can't be
done, but I have to pose the question, just to be sure.  No use spending
another 100 bucks if I don't have to.  TIA,

Baffled and UNCERTIFIED on CRT'S,  I remain...

Andrew Lietzow
The ACL Group, Inc.
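An added example, not part of Andrew's post, that makes the "mismatch error" concrete. A certificate carries the public half of exactly one key pair, so a key generated after the original was lost has a different modulus no matter how the CSR questions were answered; the passphrase only encrypts the key file on disk and never enters the CSR or the certificate. The check below compares the RSA modulus reported by `openssl x509` with the one reported by `openssl rsa`, which is the same relationship mod_ssl verifies at startup. It assumes the openssl command-line tool is installed; the demo key pair and self-signed certificate are constructed on the spot and stand in for a real CA-issued CRT.

```shell
#!/bin/sh
# Added example (not from the list post): decide whether a private key belongs
# to a certificate by comparing the RSA modulus embedded in each.
# Assumes the openssl CLI; file names are whatever the caller passes in.

# key_matches_cert KEYFILE CERTFILE [PASSPHRASE]
#   exit 0 if the moduli agree, 1 if they differ, 2 if a file is unreadable
#   (missing, not PEM, or wrong passphrase). stdin is closed so an encrypted
#   key with no passphrase fails instead of prompting.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" -passin "pass:${3:-}" \
              2>/dev/null </dev/null) || return 2
    cert_mod=$(openssl x509 -noout -modulus -in "$2" \
               2>/dev/null </dev/null) || return 2
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# describe_match KEYFILE CERTFILE [PASSPHRASE] -> match | mismatch | unreadable
describe_match() {
    rc=0
    key_matches_cert "$@" || rc=$?
    case $rc in
        0) echo match ;;
        1) echo mismatch ;;
        *) echo unreadable ;;
    esac
}

# make_demo_material DIR: constructed test material, not a CA-issued cert.
# good.key/demo.crt are a matching pair; other.key is an unrelated key that
# plays the role of one regenerated after the original was lost.
make_demo_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=secure.example.test" \
        -keyout "$1/good.key" -out "$1/demo.crt" >/dev/null 2>&1
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
}

# Stand-alone use:  sh keycheck.sh server.key server.crt [passphrase]
if [ $# -ge 2 ]; then
    describe_match "$@"
fi
```

Run it against the two paths from the ssl.conf entries above and it will print "mismatch", which is the outcome to expect whenever the .key on disk is younger than the .crt; the only remedy is a fresh CSR from the new key and a reissued certificate.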




Re: mod_perl

2002-04-13 Thread Andrew Lietzow

Dear "Server Admin",
RE:>>Please just a little more help from anyone who is trying to run
frontpage with apache+ssl-1.24./2.8.8. This is maddening
---
I'm sorry that I cannot help you but I share the sentiments of another
ISP--running FrontPage is NOT something he allows his hosted domains to do.
If they want to run FrontPage extensions, he simply declines hosting their
pages because he needs his Apache server to be very stable.  He shared with
me recently that he hosts over 2,000 domains.

Is it possible that you are trying to use a product with Apache that it
wasn't designed to support?  Perhaps you would have better luck with IIS?  I
don't know but I HOPE there can be some discussion of this on this list
server.  Maybe I need to shift my focus because I'm missing out on valuable
functionality?

e.g. I would like to find a WYSIWYG HTML editor, but if it means that the
web server has to support special extensions that crash the server, then how
can this be a good thing?  Talk to me "Server Admin", or mod_ssl list.

Fortunately, I just downloaded Apache 2.0.35, ran ./configure and it's up
and running on SuSE Linux 7.3 with but a couple of whimpers.  (I'll be doing
the same on my RH servers soon, but they are production servers).

Now, even /server-status works and I had not been able to get that going
with 1.3.XX.  It worked right out of the tarball; the first time!
Congratulations, Apache and mod_ssl folks!  (Now, if I can just apply my
CERT again, without a glitch).

So Server Admin, your statement was my experience over much of the past 16
years when working with proprietary source vendors.  "This is maddening".

I made a choice to join the GNU/GPL generation and I'm not turning back
unless I hit a block wall.  So far, I wake up every morning seeing an even
bigger expanse of open spaces. I'm enjoying the view...

Andrew Lietzow
The ACL Group, Inc.









Re: ModSSL 2.8.8 + Apache 1.3.24 crashing on Windows

2002-04-03 Thread Andrew Lietzow

Dear Hassan,
RE:>>Windows 2000
Not to be smart or anything but why are you trying to run a server based
application on a desktop operating system?   Since PC's are so cheap and
Linux is so cheap, why not invest in a machine that will do what you want it
to do without having to pull out all of your hair?

RE:>>> "The instruction at "0x6ff90e08" referenced memory at "0x72676f76".
The memory could not be read."
This tells very little about the problem.  Oh, I suppose the authors of
these programs might be able to figure out what instruction is in that
memory location at the exact time that your programs fail, but this is
typical of Desktop O/S's.  They give you a bomb and then hope you can figure
it out.

RE:>>This has become a critical issue for me!
If that were true, you would already be running this on Linux...   Well,
maybe that's a bit strong but I am serious that source code type
applications are more compatible with source code type O/S's.  Do you have a
vested interest in running this on Windows 2000?  Is that a must do for you?
IMHO, whatever is holding you back from installing this application onto
Linux, you might as well deal with it and then move on ... RedHat, SuSE,
Caldera, Mandrake... just do it!

Andrew Lietzow
The ACL Group, Inc.






Re: Nowhere talks about RPMS installation. Is it possible?

2002-04-03 Thread Andrew Lietzow

Dear Sergi Mayordomo,

RE:>>> Is it normal that when I try  $apachectl startssl , or $httpd -SSLD
it don't works at all ?
---
In your apache home directory, e.g. /usr/local/apache, you have a few
important directories (they are probably ALL important but we're only going
to talk about three).

1) In the conf directory, do you have an httpd.conf?  If not, then it's
probably in your /etc/httpd directory.  Either way, load this datafile into
a text editor and examine all of your SSL statements.  Make sure SSL is set
up correctly.  What does correctly mean?  Set up so that it works.

2) In your bin directory, you have apachectl.  Execute <./apachectl
configtest> (there is a dot in front of the slash).  Does that run cleanly?

3) In the logs directory, you have the access_log and the error_log.  What,
if anything, about your problem shows up in these two files?  Are there any
clues that you can discover that might help?

Provide more information and maybe you can get it going.  The programs work
but you are still learning how to work the programs.  It might take a little
while.  This is a "non-trivial" application.

As for the RPM's I am sure thousands of people have made them work...

Good Luck!

Andrew Lietzow
The ACL Group, Inc.

- Original Message -
From: "Sergi Mayordomo" <[EMAIL PROTECTED]>
To: "modssl" <[EMAIL PROTECTED]>
Sent: Wednesday, April 03, 2002 5:41 AM
Subject: Nowhere talks about RPMS installation. Is it possible?


> Hi,
>
> I have apache-1.3.22-2.i386.rpm and mod_ssl-2.8.5-4.i386.rpm under
> Redhat 7.2.
> I have php-4.0.6-12.i386.rpm too.
> Is it normal that when I try $apachectl startssl, or $httpd -SSLD, it
> doesn't work at all?
> The previous commands aren't recognized by apache.
>
> Do you know if any RPM version would work correctly ??
>
> Thanks.
>




Re: Dumb SSL question.

2002-04-02 Thread Andrew Lietzow

Eric Ladner wrote
RE:>>Basically, I want to use encryption, but not have the user intervene to
enable/disable it.

--
In IE 5.5;
Tools, Internet Options, Security, Custom Level... Enable "Don't prompt for
Client Certificate..."
(or is it "Disable" -- it's a double negative and I always had trouble with
those... :-)

Don't know if this will help but it SEEMS like it could address your
question from the client side.

Good luck!

Andrew Lietzow
The ACL Group, Inc.




Re: Problems for install a Verisign Certificate

2002-03-09 Thread Andrew Lietzow

Dear Miguel,
I'm rather new to this topic but I think I understand your problem and may
have a cure.  Put your directives in a  section, and you need
to point the server to where your CERT and key are stored.  I believe you
will have already generated the private.key file when you created the
private.csr file.   These need to match as they are CERT pairs.

Something like the following in the httpd.conf file worked for me.

SSLCertificateFile /path/to/certdirectory/ssl.crt/private.crt
SSLCertificateKeyFile /path/to/certdirectory/ssl.key/private.key

I currently have these directives serving the whole server, but as I
understand it, one could put these in a  section as well, for
example with

DocumentRoot /www/secureserver/directory (wherever you want to serve up your
secure web pages).
SSLCertificateFile /path/to/certdirectory/ssl.crt/domain.crt
SSLCertificateKeyFile /path/to/certdirectory/ssl.key/domain.key


Keep in mind that I have limited understanding but the above HAS worked for
me and maybe it will work for you.

And from recent discussions here, I've begun to believe that for more than
one SSL-enabled host, directives like the following may allow you to host
multiple sites. This web site speaks more on this topic,
http://marc.theaimsgroup.com/?l=apache-modssl&m=98559369910170&w=2 but is
short on examples.  (Anyone wanting to provide exact examples that implement
multiple SSL implementations, on ONE IP-address, this would be greatly
appreciated).  I'm sure the answers are out there somewhere but so far, they
remain elusive to me.


Port 8443
Listen 8443
SSLCertificateFile /path/to/certdirectory/ssl.crt/domain.crt
SSLCertificateKeyFile /path/to/certdirectory/ssl.key/domain.key


Good luck!

Andrew Lietzow
The ACL Group, Inc.


- Original Message -
From: "Miguel Angel Gomez Animas" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, March 08, 2002 8:06 PM
Subject: Problems for install a Verisign Certificate


> Hi.
>
> I need help to install a certificate. By default, when I installed Linux 7.0,
> the Apache server was installed too, and I didn't have any trouble enabling
> the SSL server; as you know, a demo certificate is installed by default. I
> need to change this certificate to a Verisign certificate.
>
> Let me explain the process to create the csr requirement.
>
> 1.- In the directory /etc/httpd/conf/ssl.crt execute the following command:
> openssl req -new -nodes -keyout private.key -out public.csr
>
> And I filled in the fields with the necessary data (State, City, Email...etc..)
> It generates a private key named public.csr
>
> This file (public.csr) I used for the request at Verisign; I requested a
> Trial ID, and they emailed me back a key.
>
> 2.- The key that Verisign sent me back I saved in the directory
> /etc/httpd/conf/ssl.crt with the name server.crt
>
> 3.- I restarted the apache webserver, but this error appears:
>
> Starting httpd: [FAILED]
>
>
> Can you tell me what is wrong? Maybe I missed some step.
>
> I really appreciate your help. Thanks a lot!!!
>
> Regards
>
> --
> 
> Miguel Angel Gómez Animas
> mailto:[EMAIL PROTECTED]
> URL: http://sites.netscape.net/miguelangelga/homepage
>
>
>

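Both replies above come down to the same two checks: the "RPMS" reply says to load httpd.conf and "examine all of your SSL statements", and the reply to Miguel stresses that the certificate and key "need to match as they are CERT pairs" (a mismatched pair, or a path that points nowhere, is exactly what makes "Starting httpd: [FAILED]" with nothing more to go on). The script below is an added example, not code from the list or from mod_ssl/Apache; it assumes the `openssl` command-line tool is installed and that the key is unencrypted (as `-nodes` produces). Function names are my own, the directive names are the real mod_ssl ones.

```shell
#!/bin/sh
# Added example, not from the list archive or from mod_ssl/Apache itself.
# Checks that httpd.conf points at a certificate and key that exist, and
# that the two belong to the same key pair. Assumes the openssl CLI is
# installed and the private key is not passphrase-protected.

# Print the first value given for a directive in a config file.
# Lines that are commented out ("#SSLCertificateFile ...") are skipped.
conf_value() {
    # $1 = config file, $2 = directive name
    sed -n -e 's/^[[:space:]]*'"$2"'[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# Print an md5 of the RSA modulus of a key, CSR or certificate. A key, the
# CSR made from it and the certificate signed from that CSR all share it.
modulus_hash() {
    # $1 = rsa | req | x509   $2 = PEM file
    openssl "$1" -noout -modulus -in "$2" 2>/dev/null | openssl md5 | awk '{print $NF}'
}

# Succeed only when the certificate was issued for this private key.
pair_matches() {
    # $1 = certificate PEM, $2 = private key PEM
    c=$(modulus_hash x509 "$1")
    k=$(modulus_hash rsa "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Walk one httpd.conf. Returns 0 when the SSL directives line up and a
# distinct non-zero code (plus a message) for each way they can be wrong.
# Paths are checked as written; a real httpd resolves relative ones against
# ServerRoot, which this simple check does not do.
check_httpd_ssl() {
    conf=$1
    crt=$(conf_value "$conf" SSLCertificateFile)
    key=$(conf_value "$conf" SSLCertificateKeyFile)
    if [ -z "$crt" ] || [ -z "$key" ]; then
        echo "SSLCertificateFile / SSLCertificateKeyFile not set in $conf"; return 1
    fi
    [ -r "$crt" ] || { echo "certificate not readable: $crt"; return 2; }
    [ -r "$key" ] || { echo "private key not readable: $key"; return 3; }
    pair_matches "$crt" "$key" || { echo "$crt was not issued for $key"; return 4; }
    echo "ok: $crt matches $key"
}

# Usage: sh check_ssl_pair.sh /usr/local/apache/conf/httpd.conf
if [ $# -eq 1 ]; then check_httpd_ssl "$1"; fi
```

Run it against the httpd.conf in use, then `./apachectl configtest`, before restarting the server; the modulus comparison is also the quick way to confirm that the certificate a CA sent back really belongs to the private.key generated alongside the CSR, and not to some earlier key that has since been overwritten.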



Re: new rpm for apache-mod_ssl?

2002-03-07 Thread Andrew Lietzow

Dear R. J. Goyette at Argonne National Laboratory,

Just a FYI.  I went to your web site at http://zuul.pns.anl.gov/security/
and clicked on the four Links under Destinations.  Nothing happens.  No
propellers; no hour glass; no meter filling up on the browser-wowser.  Is it
possible that I have something hosed up on my end or are you intending that
these links be that secure?

Now, for my main question, about your posted CERT RISK statement, to wit:
-
RE:>> VULNERABILITY ASSESSMENT:  The risk is MEDIUM. To exploit the
overflow, the server must be configured to allow client certificates, and an
attacker must obtain a carefully crafted client certificate that has been
signed by a Certificate Authority (CA) which is trusted by the server.
-
Recently, I miraculously got mod_ssl working with apache in something less
than a day (with the secure server being hosted by a new second server which
was my first experience installing SuSE Linux).  I thought that to be
something just short of a miracle, considering the level of investment that
was made.  And, I have not even scratched the scratch of what is available
under the hood for additional features with mod_ssl.

However, just prior to this successful effort, I spent the better part of
two days figuring out why I could not telnet or ftp to one of my servers,
only to discover that it was because my firewall was so tight that it
wouldn't let telnet or ftp packets through.

I know that viruses, and those who continue to manufacture them, are at an
all time high.  And, I know that Governor Tom Rich and the Homeland Security
folks need to have a big chunk of their budget devoted to catching these
rascals; and then for the snacks and sandwiches required to feed the large
crowds that will gather at various sites around the country to see these
scoundrels hanged...

Yet in light of this reality, is the above statement of risk informing
smaller web server providers that we need to pay great homage to this
seemingly remote possibility, or risk being forever in a state of turmoil?
I really want to learn more about mod_ssl on this list, but if this is
necessary, then ...

Please open my eyes...

Andrew Lietzow
The ACL Group, Inc.




Re: Virtual hosts and ssl.

2002-03-01 Thread Andrew Lietzow

Dear David and list,
Jeff wrote:
RE:>>Name based VH's don't work on SSL.

It seems to me that every hosted DN would need to have its own CERT.  Sure,
the server could have just one CERT, with all of your DNS users sharing it,
but then the identity being confirmed would be that of the ISP.  What good
would that do for me as a purchaser, to access the Encrypted Key of the ISP
if the company with whom I am transacting business is simply one of their
hosted Domain Names?

If there is a way around having to purchase one CERT per Domain Name, I
would like to discover it. However, if I am understanding this correctly,
multiple domains can share one IP (which is how I host most domains), but I
never did understand the use of Name-Based VH's.

In what context are Name-Based VH's of value?  From what Jeff states,
obviously not on SSL.

Andrew L.
The ACL Group, Inc.


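The Port/Listen 8443 sketch in the reply to Miguel above and the "Name based VH's don't work on SSL" point in this thread describe the same configuration from two sides. Written out in full, as an added example that is not from the list or from mod_ssl's own sample config (hostnames, paths and the second port number are placeholders), it looks like this for the Apache 1.3 / mod_ssl 2.8 generation being discussed:

```apache
# Added example (not from the list or from mod_ssl itself): two SSL sites
# on one IP address, separated by port, each with its own certificate.
Listen 443
Listen 8443

# First SSL host: the certificate for www.example-one.test, on 443.
<VirtualHost _default_:443>
    ServerName   www.example-one.test
    DocumentRoot /www/example-one/htdocs
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/example-one.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/example-one.key
    ErrorLog    logs/example-one_error_log
    TransferLog logs/example-one_access_log
</VirtualHost>

# Second SSL host: a different certificate, reached as
# https://www.example-two.test:8443/ (Port makes 1.3 build its own
# self-referencing URLs with the right port).
<VirtualHost _default_:8443>
    ServerName   www.example-two.test
    Port 8443
    DocumentRoot /www/example-two/htdocs
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/example-two.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/example-two.key
    ErrorLog    logs/example-two_error_log
    TransferLog logs/example-two_access_log
</VirtualHost>

# If a second IP address is available, both hosts can stay on 443 and be
# told apart by destination address instead of port:
#   <VirtualHost 192.0.2.10:443> ... </VirtualHost>
#   <VirtualHost 192.0.2.11:443> ... </VirtualHost>

# What does NOT work on these versions: NameVirtualHost plus two SSL hosts
# on the same address and port. The server must present a certificate
# during the SSL handshake, before any Host: header has been sent, so it
# can only pick a certificate by the address and port the connection
# arrived on; the first SSL host's certificate would be sent to everyone.
```

That last comment is the whole reason name-based virtual hosts are of no use for SSL here: name-based selection needs the Host: header, and the certificate has already gone over the wire by then. Later software removed this limit by having the client send the hostname inside the handshake (TLS Server Name Indication, supported from Apache 2.2.12 with OpenSSL 0.9.8f or newer), but on the 1.3.x/2.8.x combination in this thread a separate port or IP address per certificate is the only option.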



SSL works from localhost but not elsewhere

2002-02-28 Thread Andrew Lietzow

Dear Eric and list,
RE:>>I doubt it is the firewall since I am trying to access
https://192.168.0.80/  from another PC on the same LAN, i.e. router does not
come into play.
-
 I only mention the firewall issue because if you have one, it could be the
culprit.  I just spent the better part of two days phutzing with my firewall
to allow two new services and the problem was the firewall.  I have an
internal LAN as well.   Test by flushing all ipchains rules and enabling all
policies to ACCEPT packets.  If it works, you've got your answer.

I am suspect of your NameVirtualHost and Virtual Host settings.  I would
spend some time studying the VirtualHost doc pages at the
http://www.apache.org web site and see if that doesn't give you some
options.

Just got through setting mod_ssl up myself last night so the process is still
fresh in my memory.  Two days from now, I may not be so quick to offer
suggestions.  I did, however, set my secure server up on a different IP
address/machine than the DNS/web server.  i.e. the main pages are on one
server and the secure server is a different machine.
-
RE:>>and in both cases no log entries are made on the server in either
access_log or ssl_request log.

If you are using RedHat, you might check /var/log/messages.
This could be where you get some clues as to whether it is a firewall issue.
I think this file structure is fairly standard across *nix's and it provided
major help for why my new services were not allowing access to the server.

Good Luck!

Andrew Lietzow
The ACL Group, Inc.
At any given moment, on a continuum between dunce and genius.  Hope you're
catching me on a good day. :-)



- Original Message -
From: "Eric Webber" <[EMAIL PROTECTED]>
To: "Andrew Lietzow" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, February 28, 2002 12:18 PM
Subject: Re: Re: SSL works from localhost but not elsewhere


> thanks for the reply.
>
> I doubt it is the firewall since
> I am trying to access https://192.168.0.80/
> from another PC on the same LAN, i.e. router
> does not come into play.
>
> That IP address is an internal IP address to the
> LAN.  So for example my webserver with mod_ssl
> running is on IP 192.168.0.80, and the PC I am
> trying to access it with is 192.168.0.3 for
> example.
>
> When I use a web browser on 192.168.0.80 with
> URL https://localhost/ or the URL
> https://192.168.0.80/ SSL works fine with
> corresponding log entries in both access_log
> and ssl_request log being made.
>
> But when I use browser on 192.168.0.3 with
> URL https://192.168.0.80/  it responds with
> Page Cannot be Displayed with Explorer, and
> connection refused with Netscape and in
> both cases no log entries are made on the
> server in either access_log or ssl_request log.
>
>
> Of course I checked if normal http works from
> 192.168.0.3 and it does of course.
>
>
> I am at a loss as to why this is.
>
> warmest regards,
>
> Eric Sean Webber
>
>
>
>
>
>
>
>
>
>  On Thu, 28 Feb 2002, Andrew Lietzow ([EMAIL PROTECTED])
> wrote:
>
> > Dear Owen,
> > Personally I am not a big fan of opening attachments from unknown
> > sources.  Since you're on this list, you're probably a trusted source
> > but I was not aware that sending attachments through this list server
> > was even an option.  Perhaps I am a bit paranoid about viruses?
> >
> > With that said, here are a series of things that I would check.
> > 1) Do you have a firewall that might be preventing HTTPS access?
> > 2) Do other non-secure pages from that server come up in your
> > browser-wowser?
> > 3) In httpd.conf, do you have any entries similar to the following:
> >
> > NameVirtualHost $IPADDR
> >
> > 
> > ServerAdmin webmaster@$YOURDOMAINNAME
> > ServerName $YOURDOMAINNAME
> > Port 443
> > DocumentRoot /var/www/secure.yourdomain.name
> > (or wherever you store your documents that you want to bring up
> > on the secure server.  You need to have something in that directory
> > that you can bring up if you don't have index.html)
> > ErrorLog    logs/$YOURDOMAINNAME_err
> > TransferLog logs/$YOURDOMAINNAME_transfer
> > 
> >
> > If you have the ErrorLog file, what is it telling you?  Any hints
> there?
> >
> > Also, in your named.domain.xxx file, do you have an entry for your
> > secure
> >