Re: MM doesn't work now with 0.9.6e

2002-07-31 Thread David Wall

> configure mod_ssl --with-apache=../apache_1.3.26

Seems like you need to supply mod_ssl with all of the configure directives
you show below for apache, and then when it comes time to compile apache,
you just run the auto-generated config.status script.  At least that worked
for me using the same versions you are using (under Red Hat Linux).  Of
course, I don't have mod_perl, so that may make a difference...


> install mod_perl (perl Makefile.PL APACHE_SRC=../apache_1.3.26/src
> DO_HTTPD=0 USE_APACI=1 PREP_HTTPD=1 EVERYTHING=1)
>
> set SSL_BASE and EAPI_MM variables to ../openssl0.9.6e and ../mm-1.2.1
>
> configure and install apache:
>
> ./configure --enable-module=proxy --enable-module=so \
>   --activate-module=src/modules/perl/libperl.a --enable-module=perl \
>   --enable-rule=SHARED_CORE --enable-module=ssl
>
> make
>
> make certificate
>
> make install


David

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: 56-bit/128-bit IE problems

2002-06-21 Thread David Wall

> I had originally assumed this was to do with a bug in early
> implementations of IE5, but since then we have had reports of the same
> behaviour in IE6 (which initially comes in 56-bit flavour under win2k
> unless patched).

You should read the mod_ssl documentation, as it describes things like the
'CipherSuite' configuration parameter to use in your Apache httpd.conf file,
which defines what ciphers the client is permitted to negotiate when connecting
to your site.  Specifically, there are two I see a lot, !EXP56:!EXPORT56, that
perhaps would be turning off such support.

You could also consider getting a Thawte super cert which has a capability
to allow the 56-bit export version of IE to not be so stupid and connect at
the higher 128-bit when accessing your site.

Good luck...

David

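As an added example (not from the thread or from the mod_ssl project), here is how the cipher restriction David points at looks in httpd.conf. The directive is SSLCipherSuite; the commented-out line is the permissive default documented for mod_ssl 2.8, which still admits the 40- and 56-bit export suites an unpatched export-grade IE will negotiate, and the active line refuses export, LOW, NULL-encryption and anonymous suites so such a client either steps up to 128-bit (if it can) or fails outright instead of silently landing on a weak cipher. The certificate and key paths are the mod_ssl default layout and are assumptions.

```apache
<VirtualHost _default_:443>
    SSLEngine on

    # Permissive (the mod_ssl 2.8 documented default): "+LOW", "+EXP" and
    # "+SSLv2" put the 40/56-bit export suites and SSLv2 on the menu, so an
    # export-grade client happily negotiates one of them.
    #SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

    # Hardened: refuse export (both 40- and 56-bit), LOW, NULL-encryption and
    # anonymous suites, and SSLv2; keep only HIGH and MEDIUM strength.
    # "!EXP" already covers EXPORT40 and EXPORT56; both are spelled out here
    # to mirror the tokens mentioned on the list.
    SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:!EXPORT40:!EXPORT56:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
    SSLProtocol all -SSLv2

    # Assumed paths (mod_ssl's default directory layout).
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
</VirtualHost>
```

To see exactly which suites a string admits before deploying it, run `openssl ciphers -v '<the string>'` against the same OpenSSL the server is linked with; anything tagged EXPORT or Enc=None in that listing should not be there. Note that the RC4 preference was reasonable in 2002 but RC4 is now broken; on a current server the string would be HIGH-only, and current OpenSSL builds no longer contain export suites at all, so the !EXP tokens are then harmless no-ops.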



Re: Problem with IE

2002-02-06 Thread David Wall

> to the ApacheModuleSSL.dll file on Windows NT), it reduced the intermittent
> Cannot find server or DNS error and Page cannot be displayed messages
> received when using the IE browser.  I never received these errors when
> using the Netscape browser.

I'd be interested to know if the mod-ssl config change solves this because I
read a Nov 2001 article in Computer Technology Review that says, and I
quote:

Internet Explorer sometimes drops SSL sessions after very short time
outs -- resulting in lost SSL connections for users.  To compensate for
this, the load balancer portion of the integrated device should be able to
decrypt the user cookie, make the correct traffic management decision, and
send the request to the right server.  Through this process, Internet
Explorer can renegotiate the SSL session ID as many times as it likes -- and
the user still ends up in the right place.  This is especially useful for
long-lived sessions (e.g. financial applications), since the cookie lives on
the user system and does not consume memory on the load balancer.

What it all means, I'm still not sure.  I, too, have seen sessions get lost,
often very soon after establishing a session, resulting not in your error,
but in a relogin scenario, as if the actual 'session cookie' itself was
somehow getting lost in the SSL negotiation described (yes, I know the SSL
session id is distinct from the cookie session id used for maintaining web
server user sessions).

David




Re: key certificate file for a server with a dynamic ip..

2001-12-02 Thread David Wall

> how can i create a key  certificate file for a server
> (linux/apache/modssl/openssl) with a dynamic ip address?

Normally, I'd guess, since certs are associated with domain names, not IP
addresses.  Of course, you'll have some fun with domain names matching your
dynamic ip address, but that's another story that DDNS is supposed to
resolve.

David




Re: DNS lookup

2001-05-11 Thread David Wall

> It may seem that at present it's a bit of a moot point since you can't have
> multiple SSL sites on a single IP

This is not true if you run HTTPS on another port.  In our world, this was
the initial problem.  We have a main web site that has HTTPS for
registration and login.  After the login, we redirect to another web
application (currently on the same computer) using HTTPS but with a
different port number.  This worked fine on all browsers except AOL's, which
apparently decided to be slower, increase the congestion on the net and
increase consumption of DNS resources, just so they could do a confirmation
that is not even semantically correct (hell, a digital cert is assigned to a
host name, not an IP address).  And if they don't believe the first DNS
lookup had the correct answer about which IP address belonged to the host
name, why do they trust the second DNS lookup to be correct for the reverse
lookup?

David

P.S. And yes, there's a backend handshake between the two web apps to ensure
that the redirected user really did login through the first site smile




Re: AOL 6.0 and mod_ssl not working

2001-05-10 Thread David Wall

> I had similar problems with our secure site. I found that these had
> nothing to do with my Apache/mod_ssl setup. The reason why AOL
> couldn't access the site, was a missing reverse entry in the DNS
> server. Perhaps this is the same with your site.

Thanks for this most interesting tip.  But whose DNS are they querying for
the reverse lookup?  And does the reverse lookup need to return the exact
same web server name as in the certificate (i.e. www.yozons.com even though my
reverse DNS might call it w1.yozons.com because that's the computer's real
name, and it has several other alias names)?

I'd love to have this fixed, that's for sure.

Thanks,
David




Re: DNS lookup

2001-05-10 Thread David Wall

> (they need to create a ptr record for 216.122.43.95
> that resolves to your web site name)

Thanks for this tip.  It really did seem to resolve the problem.  Apparently
the AOL HTTPS code does the reverse lookup to see if the hostname for the
specified IP address matches.

What's interesting, of course, is that this has not been a problem for any
browser we've tested before we ran into the AOL issue.  And the concept
seems broken as a means of making SSL work.  Most reverse IP
addresses point to the real host name, which is often different from the name
of the web server.  After all, something as simple as www.yozons.com may be
routed to several different IP addresses (based on DNS round robin), and
many computers have multiple names and don't name their server 'www'.  'www'
is just the name of the web server application running on a computer that
may also do email or other applications.

It also means that if I want to run HTTPS on port 443 as well as another on
port 4430 (since SSL doesn't really work for virtual domain naming in
Apache), that there would be a problem because only one IP address exists
and I've got two web servers running using different names.

Anyway, thanks so much for helping us troubleshoot this.  It was a real
mystery why we could have so many testers hit our site just fine, but
couldn't get AOL to connect at all.

David

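The two AOL threads above describe a client that resolves the site name to an address, reverse-resolves the address, and expects the PTR name to match; David's objection is that the PTR usually names the machine (w1.yozons.com), not the web site (www.yozons.com). The following is an added example, not code from the list or from AOL, that puts both the strict check the thread describes and the usual forward-confirmed reverse DNS (FCrDNS) check side by side. The DNS data is a constructed in-memory zone so it runs offline; the yozons names and 216.122.43.95 are taken from the thread, while noptr.example and spoof.example (in reserved documentation ranges) are assumed names added to show the failure cases.

```python
"""Strict reverse-name match versus forward-confirmed reverse DNS (added example).

strict_reverse_match() is the check the thread attributes to AOL: the PTR name
for the connected address must equal the hostname the user typed. It fails for
any host whose PTR is the machine name rather than the service alias, and it is
trivially satisfied by whoever controls the reverse zone for an address.

forward_confirmed() is FCrDNS: a PTR name is accepted only if it resolves back
to the same address. Aliases pass; missing or spoofed PTRs fail.
"""
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]

# Constructed sample zone (not live records). One machine (w1) with several
# service aliases sharing one address, a host with no PTR at all, and an
# address whose PTR falsely claims to be www.yozons.com.
A_RECORDS: Dict[str, List[str]] = {
    "www.yozons.com": ["216.122.43.95"],
    "w1.yozons.com": ["216.122.43.95"],
    "mail.yozons.com": ["216.122.43.95"],
    "noptr.example": ["192.0.2.10"],     # assumed name, no reverse entry
    "spoof.example": ["198.51.100.7"],   # assumed name, lying reverse entry
}
PTR_RECORDS: Dict[str, List[str]] = {
    "216.122.43.95": ["w1.yozons.com"],
    "198.51.100.7": ["www.yozons.com"],  # attacker-controlled reverse zone
}


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.lower().rstrip(".")


def lookup_a(name: str) -> List[str]:
    """Forward lookup in the constructed zone (stands in for gethostbyname)."""
    return A_RECORDS.get(normalize(name), [])


def lookup_ptr(ip: str) -> List[str]:
    """Reverse lookup in the constructed zone (stands in for gethostbyaddr)."""
    return [normalize(n) for n in PTR_RECORDS.get(ip, [])]


def strict_reverse_match(hostname: str, ip: str, ptr: Resolver = lookup_ptr) -> bool:
    """The check described on the list: PTR name must equal the typed hostname."""
    return normalize(hostname) in ptr(ip)


def forward_confirmed(ip: str, a: Resolver = lookup_a, ptr: Resolver = lookup_ptr) -> bool:
    """FCrDNS: at least one PTR name for ip must itself resolve back to ip."""
    return any(ip in a(name) for name in ptr(ip))


def classify(hostname: str, a: Resolver = lookup_a,
             ptr: Resolver = lookup_ptr) -> Dict[str, Dict[str, bool]]:
    """Resolve a site name and report both checks for each of its addresses
    (a round-robin name yields several entries)."""
    return {ip: {"strict": strict_reverse_match(hostname, ip, ptr),
                 "fcrdns": forward_confirmed(ip, a, ptr)}
            for ip in a(hostname)}


if __name__ == "__main__":
    for site in ("www.yozons.com", "w1.yozons.com", "noptr.example", "spoof.example"):
        print(site, classify(site))
```

The interesting rows are www.yozons.com, which fails the strict match but passes FCrDNS because w1.yozons.com resolves back to the same address, and spoof.example, which passes the strict match purely because its reverse zone says "www.yozons.com" yet fails FCrDNS because that name does not resolve to 198.51.100.7. Neither check is a substitute for certificate validation, which binds the host name the user typed to a key; that is David's point about the cert being assigned to a name, not an address.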



AOL 6.0 and mod_ssl not working

2001-05-09 Thread David Wall

I have a site running at https://www.yozons.com.  I can
access this site from a bunch of places, but from AOL 6.0 dialup, I cannot even
make it open a connection.  I can open it with http.

I'm running Apache 1.3.19 with MM 1.1.3 and mod_ssl 2.8.1 and openssl 0.9.6
on Linux.

Does anybody have any idea why AOL would have trouble, but I can access it
from other ISPs okay?

Thanks,
David