Re: preventing client certs to be used by multiple users??
----- Original Message -----
From: Conrad Friedrich [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Wednesday, August 31, 2005 11:49 PM
Subject: preventing client certs to be used by multiple users??

Hello,

Is there a way to prevent users (that got a client ssl-certificate (pkcs12) for accessing my server) from giving their certs away to others and in that way enabling unwanted users access to my site?

Or if there is no elegant solution, maybe someone knows how apache (or a log analyzer etc.) can inform me if two different IPs have tried to connect simultaneously using the same certificate?

Many thanks
Conrad Friedrich

The other replies pretty much say it all. If you're trying to prevent people from sharing their access to your data then have them sign some papers instead. Certificates and login credentials just won't do that for you.

/Daniel

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                              [EMAIL PROTECTED]
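Conrad's second question (can a log analyzer report one certificate being used from two IPs) is what the added script below answers; it is not from the thread and assumes a CustomLog that writes the client IP, the timestamp and %{SSL_CLIENT_S_DN}x in the layout shown in the comment at the top. The log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed access-log layout (not from the thread): a CustomLog using
#   LogFormat "%h %t \"%{SSL_CLIENT_S_DN}x\" \"%r\"" sslclient
# so every hit carries the client IP, the timestamp and the cert's subject DN.
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "([^"]*)" "([^"]*)"$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 [31/Aug/2005:23:49:01 +0200] "/C=SE/O=Example/CN=alice" "GET / HTTP/1.1"
192.0.2.10 [31/Aug/2005:23:49:05 +0200] "/C=SE/O=Example/CN=alice" "GET /docs/ HTTP/1.1"
198.51.100.7 [31/Aug/2005:23:50:30 +0200] "/C=SE/O=Example/CN=alice" "GET / HTTP/1.1"
203.0.113.5 [31/Aug/2005:23:51:00 +0200] "/C=SE/O=Example/CN=bob" "GET / HTTP/1.1"
203.0.113.9 [01/Sep/2005:09:00:00 +0200] "/C=SE/O=Example/CN=bob" "GET / HTTP/1.1"
"""


def parse_hits(log_text):
    """Yield (timestamp, client_ip, subject_dn) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, dn, _request = m.groups()
            yield datetime.strptime(ts, TIME_FMT), ip, dn


def shared_certs(log_text, window=timedelta(minutes=10)):
    """Return {subject_dn: sorted IPs} for certs presented from more than one
    IP within `window`; a cert moving between networks more slowly is ignored."""
    by_dn = defaultdict(list)
    for ts, ip, dn in sorted(parse_hits(log_text)):
        by_dn[dn].append((ts, ip))
    flagged = defaultdict(set)
    for dn, hits in by_dn.items():
        for i, (ts, ip) in enumerate(hits):
            for later_ts, later_ip in hits[i + 1:]:
                if later_ts - ts > window:
                    break  # hits are time-sorted, so nothing later fits either
                if later_ip != ip:
                    flagged[dn].update((ip, later_ip))
    return {dn: sorted(ips) for dn, ips in flagged.items()}


if __name__ == "__main__":
    for dn, ips in shared_certs(SAMPLE_LOG).items():
        print(f"{dn} presented from {', '.join(ips)}")
```

Different IPs are only a hint: NAT, proxies and a laptop moving between networks produce the same pattern, so treat a hit as something to review rather than as proof of sharing.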
Re: https
There has been some discussion about that here lately. RS Engelschall said he would include a script that would produce a ca-bundle.crt from the Mozilla certdata.txt file in version 2.8.23 of mod_ssl, which should be available now.

kind regards
/Daniel

----- Original Message -----
From: kalin mintchev [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Wednesday, July 13, 2005 10:51 AM
Subject: https

hi all...

i tried http-users list without success...

i recently upgraded httpd from 1.3.x to 2.0.54. compiled httpd with mod_ssl. OpenSSL 0.9.7e...

i remember that when building 1.3.x with mod_ssl the certificate was done at the time of compilation of the server. now with 2.0.54 i'm trying the instruction on:
http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#realcert

i did follow this a few times and that didn't work. then i did this a few times:
http://www.samspublishing.com/articles/article.asp?p=30115&seqNum=4&rl=1

it didn't work either.. in both cases the message i get is that the connection is refused...

the only difference between the old 1.3.x apache build on the machine and the new 2.0.54 is these two lines below in the ssl conf section. when i start the new one i get a message that ca-bundle.crt is missing - and it is. on the old machine it came with the apache src. there isn't such a file here now. i could copy it but maybe that's not a great idea, is it?

SSLCACertificatePath /usr/local/httpd/conf/ssl.crt
SSLCACertificateFile /usr/local/httpd/conf/ssl.crt/ca-bundle.crt

i need this issue resolved relatively soon because that's the only thing stopping this machine from going into production...

thanks a lot...
Re: errors
That is not very much information but one possible reason I can think of from the top of my head (I'm no guru) is this. Make sure you're connecting with ssl and not http. Most browsers need to have https:// specified as far as I know. Trying to connect to http://www.example.com:443/ will not work since it's trying to connect with the http protocol on a server only allowing the ssl protocol (they are completely different). Use https://www.example.com instead. SSL establishes the connection and then HTTP is tunneled inside of the SSL protocol.

Just a thought.

Kind regards
/Daniel

----- Original Message -----
From: Cosmin
To: modssl-users@modssl.org
Sent: Monday, July 11, 2005 1:50 PM
Subject: errors

Hi,

I'm trying to configure apache with mod_ssl and I get some weird errors:

[Mon Jul 11 14:53:10 2005] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.168.1.2) (System and OpenSSL library errors follow)
[Mon Jul 11 14:53:10 2005] [error] System: Permission denied (errno: 13)
[Mon Jul 11 14:53:10 2005] [error] OpenSSL: error:81086072:lib(129):func(134):reason(114)
[Mon Jul 11 14:53:10 2005] [error] OpenSSL: error:81095076:lib(129):func(149):reason(118)
[Mon Jul 11 14:53:10 2005] [error] OpenSSL: error:1408B005:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:DH lib

Does anybody know what I'm doing wrong? Please help.

My server configuration:
- Apache/1.3.33 (Unix, Solaris)
- mod_ssl/2.8.22
- OpenSSL/0.9.7d
Re: change your autoreply configuration!!!!
I'm so sorry, I had no idea that was happening. I'm using a company mail here. The only thing I can do about it is unsubscribe, I'll do that immediately.

/Daniel

----- Original Message -----
From: Harald Langaker
To: [EMAIL PROTECTED]
Cc: modssl-users@modssl.org
Sent: Friday, June 24, 2005 11:26 AM
Subject: change your autoreply configuration

Hey!

You autoreply "out of office" to modssl-users@modssl.org

Can you please STOP that, I DO NOT WANT TO GET A MAIL FROM YOU EVERY TIME SOMEONE SENDS A MAIL TO modssl-users@modssl.org!!!

Otherwise action has to be taken to get you off the list!

Harald Langaker
Senior Quality Assurance Engineer
Phone +49.6151.82897-46
Fax +49.6151.82897-26
www.secude.com
mailto:[EMAIL PROTECTED]

SECUDE IT Security GmbH
Goebelstraße 21, 64293 Darmstadt, Germany
CEO: Dr. Heiner Kromer
SECUDE is a member of iT_SEC SWiSS AG
www.itsec-swiss.com
Re: certificate and authentication re-prompting
Could be your browser's settings. If you're running Firefox go to the menu Tools > Options. Select Advanced and scroll down to the Certificates area. Set Client Certificate Selection to Select Automatically. This is often the cause of such behaviour. Hope this helps.

Best regards
/Daniel

----- Original Message -----
From: C T
To: modssl-users@modssl.org
Sent: Wednesday, June 22, 2005 2:34 AM
Subject: certificate and authentication re-prompting

I need some advice/help.

I am running...well my web host service is running...
Apache/2.0.46 (Red Hat) Server
openssl-0.9.7a-33.12
mod_ssl-2.0.46-44.ent

Also, I was originally set up through some kind of "virtual hosting", but I paid extra for SSL, and I have a httpsdocs folder. (if you can't tell I'm new to this)

I also use .htaccess with .htpasswd for user authentication.

Everything seems to be working fine, but my problem is...

I can enter my domain with the https://. OK
I get prompted to accept the certificate, and I get prompted for the username/password. OK

The problem surfaces when I begin to browse around in the https area. Sooner or later I will get re-prompted to accept the certificate and enter my username/password, again. I don't know why it does this, and my web hosting service can't seem to explain it either. I've reproduced the error on more than 4 computers. I can't find anything that would cause my browser session to expire, in mid-session.

Can anyone help me or give me a direction to go in?

Be Kind, I'm new to apache and mod_ssl.

Thanks,
Craig
[EMAIL PROTECTED]
Re: SSL Client Auth with Virtual Hosts
Yes, I've had an environment like that running.

/Daniel

----- Original Message -----
From: Hoda Nadeem [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Tuesday, May 31, 2005 6:05 PM
Subject: SSL Client Auth with Virtual Hosts

Does anybody know if it is possible to use virtual hosts with one virtual host with ssl client authentication, but the other one without?

Example:

NameVirtualHost 111.111.111.111:443
<Virtualhost 111.111.111.111:443>
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /var/www
    ServerName abc1-no-client-auth.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>

NameVirtualHost 111.111.111.111:443
<Virtualhost 111.111.111.111:443>
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /var/www
    ServerName abc1-ssl-client-auth.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/server-calist.crt
    SSLOptions +StdEnvVars +ExportCertData
    SSLSessionCache none
</VirtualHost>
Re: SSL Client Auth with Virtual Hosts
I'm not a guru but I would suspect that your NameVirtualHost directives need to differ. You probably need to configure the virtual hosts using their domain names, like this:

NameVirtualHost abc1-no-client-auth.com:443
<VirtualHost abc1-no-client-auth.com:443>
    ...
</VirtualHost>

NameVirtualHost abc1-ssl-client-auth.com:443
<VirtualHost abc1-ssl-client-auth.com:443>
    ...
</VirtualHost>

Otherwise I think one will just overwrite the other.

Also for MSIE compatibility it is recommended that you add the following to the virtual host configuration:

SetEnvIf User-Agent .*MSIE.* \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

Hope this was helpful.

/Daniel

----- Original Message -----
From: Hoda Nadeem [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Thursday, June 02, 2005 3:26 PM
Subject: RE: SSL Client Auth with Virtual Hosts

Are there any parameters that I am missing, or am I doing something incorrect? On my setup, client authentication is either on or off globally. I can't seem to isolate it at the virtual host level.

Thanks.
Nadeem

Example again:

NameVirtualHost 111.111.111.111:443
<Virtualhost 111.111.111.111:443>
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /var/www
    ServerName abc1-no-client-auth.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
</VirtualHost>

<Virtualhost 111.111.111.111:443>
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /var/www
    ServerName abc1-ssl-client-auth.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/httpd/conf/ssl.crt/server-calist.crt
    SSLOptions +StdEnvVars +ExportCertData
</VirtualHost>
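A pre-deployment check for the symptom Nadeem reports (client auth behaving as if it were global), added here and not part of the thread: without SNI the TLS handshake for 111.111.111.111:443 has to be completed with one VirtualHost's settings before any ServerName is known, so SSL hosts that share an IP:port but disagree on SSLVerifyClient are worth flagging. The config string is a trimmed copy of Nadeem's posting.

```python
import re
from collections import defaultdict

# Trimmed copy of the configuration posted in this thread, embedded as a
# string so the check runs offline.
SAMPLE_CONF = """\
NameVirtualHost 111.111.111.111:443
<VirtualHost 111.111.111.111:443>
    ServerName abc1-no-client-auth.com
    SSLEngine on
</VirtualHost>
<VirtualHost 111.111.111.111:443>
    ServerName abc1-ssl-client-auth.com
    SSLEngine on
    SSLVerifyClient require
</VirtualHost>
"""

OPEN_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
CLOSE_RE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)


def parse_vhosts(conf):
    """Return [{'addr': 'ip:port', 'directives': {name: value}}] in file order."""
    vhosts, current = [], None
    for line in conf.splitlines():
        m = OPEN_RE.match(line)
        if m:
            current = {"addr": m.group(1).strip(), "directives": {}}
            vhosts.append(current)
        elif CLOSE_RE.match(line):
            current = None
        elif current is not None and line.strip() and not line.lstrip().startswith("#"):
            parts = line.split(None, 1)  # Apache matches directive names case-insensitively
            current["directives"][parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return vhosts


def verify_client_conflicts(conf):
    """List (addr, settings, first_servername) for each IP:port whose SSL hosts
    disagree on SSLVerifyClient; the first host defined is the one whose
    settings the handshake actually uses when no SNI is available."""
    by_addr = defaultdict(list)
    for vh in parse_vhosts(conf):
        if vh["directives"].get("sslengine", "off").lower() == "on":
            by_addr[vh["addr"]].append(vh)
    conflicts = []
    for addr, hosts in by_addr.items():
        settings = sorted({h["directives"].get("sslverifyclient", "none").lower() for h in hosts})
        if len(settings) > 1:
            conflicts.append((addr, settings, hosts[0]["directives"].get("servername", "?")))
    return conflicts
```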
Re: Redirection limit for this URL exceeded.
Do you have different VirtualHosts configured for the domain-name and the IP-address? If so, do they differ in configuration?

/Daniel

----- Original Message -----
From: Rob Waldrum
To: modssl-users@modssl.org
Sent: Thursday, June 02, 2005 3:36 PM
Subject: Redirection limit for this URL exceeded.

Hi,

I'm still getting this error:

Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked.

I have configured Tomcat for SSL on port 8443. I can bring tomcat up at https://www.mydomain.com:8443 just fine. But when I add the apps portion, such as: https://www.mydomain.com:8443/apps, I get the above error. However, when I just use the IP address, such as: https://12.34.56.78:8443/apps it works just fine.

I have pored over tomcat documentation, reviewed my setup and configuration, checked the logs, everything. I'm stumped. Any ideas?

Rob
Re: Getting 'no shared ciphers' while connecting to the server
Here follows a simple full server SSL setup for reference.

--
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache dbm:logs/ssl_scache
SSLSessionCacheTimeout 300
SSLMutex default
SSLCertificateFile conf/ssl/www.yourdomain.com.crt
SSLCertificateKeyFile conf/ssl/www.yourdomain.com.key
SSLCACertificatePath conf/ssl
SSLCACertificateFile conf/ssl/YourCA.crt
SSLCARevocationFile conf/ssl/YourCA.crl
SSLCipherSuite HIGH:MEDIUM
SSLProtocol all -SSLv2
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 1
SetEnvIf User-Agent .*MSIE.* \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
--

This will allow connections with SSLv3 and TLSv1 from clients with proper certificates. To skip client auth just remove these two lines:

--
SSLVerifyClient require
SSLVerifyDepth 1
--

Hope that was helpful.

/Daniel, Gizmondo Studios

----- Original Message -----
From: Alaka Pathy [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Tuesday, May 31, 2005 9:44 AM
Subject: Getting 'no shared ciphers' while connecting to the server

Hi All,

I'm using Apache 1.3.31 with mod_ssl 2.8.17 and OpenSSL 0.9.7d binaries. I use RSA based self signed certificates for SSL communication. My httpd.conf has the following SSLCipherSuite configured:

SSLSessionCacheTimeout 600
SSLOptions +StdEnvVars +ExportCertData
SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

But, in a freshly installed server, the server doesn't accept any requests and I get the following errors repeatedly in the Apache error log:

mod_ssl: SSL handshake failed (server 198.149.32.40:443, client 198.149.32.32) (OpenSSL library error follows)
[Mon May 23 13:37:43 2005] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too restrictive SSLCipherSuite or using DSA server certificate?]

I browsed the modssl FAQ and got that sometimes regenerating certificates helps. I regenerated the server certificates, but I'm still facing the same issue.

Has anybody experienced such an error? Any help is appreciated.

Thanks in advance,
-Alaka
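For triaging "SSL handshake failed" entries like Cosmin's (errno 13, in the "Re: errors" thread above) and Alaka's (no shared cipher), the added Python below, which is not from the thread, groups each failure with the System/OpenSSL detail lines that follow it and classifies it by the configuration area to check first. The sample log is assembled from the two excerpts quoted on this page, with a constructed timestamp added to Alaka's first line.

```python
import re
from collections import Counter

# Sample built from the two error_log excerpts quoted on this page; the
# timestamp on the first line is constructed (the original had none).
SAMPLE_ERROR_LOG = """\
[Mon May 23 13:37:43 2005] [error] mod_ssl: SSL handshake failed (server 198.149.32.40:443, client 198.149.32.32) (OpenSSL library error follows)
[Mon May 23 13:37:43 2005] [error] OpenSSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
[Mon Jul 11 14:53:10 2005] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.168.1.2) (System and OpenSSL library errors follow)
[Mon Jul 11 14:53:10 2005] [error] System: Permission denied (errno: 13)
[Mon Jul 11 14:53:10 2005] [error] OpenSSL: error:81086072:lib(129):func(134):reason(114)
[Mon Jul 11 14:53:10 2005] [error] OpenSSL: error:1408B005:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:DH lib
"""

FAIL_RE = re.compile(
    r"^\[([^\]]+)\] \[error\] mod_ssl: SSL handshake failed "
    r"\(server (\S+), client (\S+)\)")
DETAIL_RE = re.compile(r"^\[[^\]]+\] \[error\] (System|OpenSSL): (.*)$")

# Substring of a detail line -> configuration area to check first.
HINTS = [
    ("no shared cipher", "cipher-mismatch"),   # SSLCipherSuite/SSLProtocol vs client, or cert key type
    ("Permission denied", "file-permission"),  # httpd cannot read a key, cert or cache file it needs
]


def parse_handshake_failures(text):
    """Group each 'SSL handshake failed' line with the System/OpenSSL lines after it."""
    incidents, current = [], None
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            current = {"time": m.group(1), "server": m.group(2),
                       "client": m.group(3), "details": []}
            incidents.append(current)
            continue
        m = DETAIL_RE.match(line)
        if m and current is not None:
            current["details"].append(f"{m.group(1)}: {m.group(2)}")
    return incidents


def classify(incident):
    """Return the first matching HINTS category for an incident, or 'other'."""
    joined = " ".join(incident["details"])
    return next((cat for needle, cat in HINTS if needle in joined), "other")


def summarize(text):
    """Count incidents per category; a fresh install failing every handshake shows up as one big bucket."""
    return Counter(classify(i) for i in parse_handshake_failures(text))
```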