Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Jeffrey Burgoyne
Well, the math is simple

1000mbit/10k users = 100 kilobit/sec, or 12K per second, or 1200
seconds, 20 minutes per download. Marginally acceptable by today's
standards.

To concurrently process that much data, that many connections, you will
want a load balancer out front.

With the system I'm currently administering, with a dual 3Gig Xeon we can
safely handle about 2000 concurrent connections non SSL, although we have
a rather overweight config. I would expect you need at least two boxes,
and 5 would probably not be overkill.

BTW, do you really need SSL? From a project design perspective, would it
be possible to encrypt the file to be downloaded (encryption cost
only once)? Then using sendfile you could really have it hum.


Jeffrey Burgoyne

Chief Technology Architect
KCSI Keenuh Consulting Services Inc
[EMAIL PROTECTED]

On Mon, 26 Sep 2005, Pigeon wrote:

> Ok, lets assume I can get a network connection with:
> A)10mbit
> B)100mbit
> C)1000mbit
>
> And I will have 10k concurrent downloads (let us throw out 100k for now..
> because i can always scale up figures if we get a base).
>
> (The reason I say 10k concurrent is because we have an update system (sorta
> like windows update).. and as soon as we tell their computer to update, we
> have 10k boxes saying give me the file!)
>
> So my question is..
> What would be the best (given we cannot do blades or the like since we have
> to use 'standard' 1u/2u/4u boxes from the dedi center).
> Should we definitely beat the problem with iron and get 5servers doing load
> balancing? 2servers? If 2servers go with the 1000mbit connection?
>
>
>
> thank you for all of your time and input!
>
> thanks
> Lee
>
>
>
>
>
> - Original Message -
> From: "Mads Toftum" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, September 26, 2005 1:27 PM
> Subject: Re: Mod_ssl and how to reduce overhead
>
>
> > On Mon, Sep 26, 2005 at 11:28:11AM -0400, Pigeon wrote:
> >> Hmm.. 10k -100k are pretty much  guaranteed numbers..
> >>
> > That's quite a wide margin. Are we talking concurrent users or just
> > number of people who could be using it over a period of xx?
> >
> >> So my main computer crunching will be done at the beginning? (and to
> >> relieve this I can do session key caching.. how long can I cache a key? is this
> >> 'secure'?)  (also.. all transfers will be ~15megs in size)
> >>
> > well, with 15meg files you've got more work to do encrypting the content
> > as the session goes along. You can cache the key as long as you want,
> > but depending on the type of encryption used, most browsers will not
> > allow the key to live for all that long. I usually run for about 1 hour,
> > but ymmv depending on the chosen parameters.
> >
> >> And using a single server is out of the question?
> >>
> > the number of concurrent users has very much to say in that regard.
> > Maybe an ibm power 5 64 proc or a fully loaded sun e25k - and add an
> > ssl accelerator to the mix.
> >
> >> If we just go with one server.. shouldn't it be something super fast..
> >> amd64 1gig ram?
> >>
> > Super fast / amd 64 with only 1 gig mem? you've got to be kidding - I'm
> > pretty sure you couldn't keep up even without SSL.
> > Doesn't your pr0n streaming business generate enough income to pay for a
> > real server? ;)
> >
> > vh
> >
> > Mads Toftum
> > --
> > `Darn it, who spiked my coffee with water?!' - lwall
> >
> > __
> > Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
> > User Support Mailing List  modssl-users@modssl.org
> > Automated List Manager[EMAIL PROTECTED]
> >


Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Jeffrey Burgoyne
Just wondering, is this for the charter.net music download? I cannot
believe you would have 100,000 concurrent connections for a service such
as that. I also see the download file is listed at 1.5MB, not 15.

As for bandwidth, that better be upgraded. It took over a minute just
to download the home page off charter.net.

Jeffrey Burgoyne

Chief Technology Architect
KCSI Keenuh Consulting Services Inc
[EMAIL PROTECTED]

On Mon, 26 Sep 2005, Pigeon wrote:

> Hmm.. 10k -100k are pretty much  guaranteed numbers..
>
> So my main computer crunching will be done at the beginning? (and to relieve
> this I can do session key caching.. how long can I cache a key? is this
> 'secure'?)  (also.. all transfers will be ~15megs in size)
>
> And using a single server is out of the question?
>
> If we just go with one server.. shouldn't it be something super fast.. amd64
> 1gig ram?
>
> thanks!
> Lee
>
>
> >
> > On Mon, 26 Sep 2005, Pigeon wrote:
> >
> >> Hello, I am trying to plan a system that can handle 10k-100k users.
> >>
> >> I am only using apache w/mod-ssl
> >>
> >> What should I look at to reduce overhead of bandwidth/cpu/mem?
> >>
> >> At what point should I look at ssl accelerators?
> >>
> >> Should I definitely look at clustering?
> >>
> >> Also.. I have heard about ssl session key caching, anyone know how much
> >> this will improve things?
> >>
> >> Any good resources I can read?
> >>
> >>
> >> thanks!
> >> Lee
> >


Re: ASN.1 Encoding errors

2003-10-08 Thread Jeffrey Burgoyne

Hmm, just noticed something a bit more suspicious. The error does not come
up every time for the same certs. It sometimes does not seem to come up at
all.

Jeff

On Wed, 8 Oct 2003, Jeffrey Burgoyne wrote:

> Hi;
>
> I just upgraded an Apache server 1.3.26 with OpenSSL 0.9.7c and mod_ssl
> 2.8.9 from Openssl 0.9.6d.
>
> I now get the following errors :
>
> Server www.eac-trousse.ic.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server biotech.gc.ca:443 (RSA)
> 213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad
> tag:a_set.c:179:
> 213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag:tasn_dec.c:946:
> 213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
> error:tasn_dec.c:304:Type=RSA
> 213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> lib:d2i_pr.c:96:
> Enter pass phrase:
>
> Server strategis.gc.ca:443 (RSA)
> 213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad
> tag:a_set.c:179:
> 213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag:tasn_dec.c:946:
> 213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
> error:tasn_dec.c:304:Type=RSA
> 213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> lib:d2i_pr.c:96:
> Enter pass phrase:
>
> Server production.paymentnotification.ic.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server ip-pi.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server cbac-cccb.ca:443 (RSA)
> Enter pass phrase:
>
> Server corporations.ic.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server corporationscanada.ic.gc.ca:443 (RSA)
> 213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad
> tag:a_set.c:179:
> 213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
> tag:tasn_dec.c:946:
> 213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
> error:tasn_dec.c:304:Type=RSA
> 213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
> lib:d2i_pr.c:96:
> Enter pass phrase:
>
> Ok: Pass Phrase Dialog successful.
> /usr/local/apache/bin/apachectl startssl: httpd started
> strategis>
>
>
>
> The virtual hosts with the error still seem to work fine.
>
> Ideas?
>
> Jeffrey Burgoyne


ASN.1 Encoding errors

2003-10-08 Thread Jeffrey Burgoyne
Hi;

I just upgraded an Apache server 1.3.26 with OpenSSL 0.9.7c and mod_ssl
2.8.9 from Openssl 0.9.6d.

I now get the following errors :

Server www.eac-trousse.ic.gc.ca:443 (RSA)
Enter pass phrase:

Server biotech.gc.ca:443 (RSA)
213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad
tag:a_set.c:179:
213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:946:
213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:304:Type=RSA
213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
lib:d2i_pr.c:96:
Enter pass phrase:

Server strategis.gc.ca:443 (RSA)
213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad
tag:a_set.c:179:
213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:946:
213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:304:Type=RSA
213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
lib:d2i_pr.c:96:
Enter pass phrase:

Server production.paymentnotification.ic.gc.ca:443 (RSA)
Enter pass phrase:

Server ip-pi.gc.ca:443 (RSA)
Enter pass phrase:

Server cbac-cccb.ca:443 (RSA)
Enter pass phrase:

Server corporations.ic.gc.ca:443 (RSA)
Enter pass phrase:

Server corporationscanada.ic.gc.ca:443 (RSA)
213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad
tag:a_set.c:179:
213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:946:
213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:304:Type=RSA
213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
lib:d2i_pr.c:96:
Enter pass phrase:

Ok: Pass Phrase Dialog successful.
/usr/local/apache/bin/apachectl startssl: httpd started
strategis>



The virtual hosts with the error still seem to work fine.

Ideas?

Jeffrey Burgoyne
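As an added triage helper (not code from the list, mod_ssl or OpenSSL), the parser below groups the OpenSSL error lines in this startup output under the virtual host whose key was being loaded, and unpacks each hex error code the way OpenSSL 0.9.x's ERR_PACK lays it out (library, function, reason). The sample output is constructed from the lines above with each wrapped error line restored to a single line.

```python
"""Triage helper for mod_ssl startup output (added example, not mod_ssl/OpenSSL code).

SAMPLE_OUTPUT is constructed to mirror the pass-phrase dialog quoted above,
with the wrapped error lines joined back into one line each.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# OpenSSL 0.9.x prints queued errors as  pid:error:code:library:function:reason:file:line:
ERR_LINE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)
# The pass-phrase dialog announces each virtual host before loading its key.
SERVER_LINE = re.compile(r"^Server (?P<name>\S+) \((?P<alg>\w+)\)$")
ERR_LIB_ASN1 = 13  # ERR_LIB_ASN1 in OpenSSL's err.h

SAMPLE_OUTPUT = """\
Server www.eac-trousse.ic.gc.ca:443 (RSA)
Enter pass phrase:

Server biotech.gc.ca:443 (RSA)
213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA
213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
Enter pass phrase:

Server strategis.gc.ca:443 (RSA)
213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA
213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
Enter pass phrase:

Server corporations.ic.gc.ca:443 (RSA)
Enter pass phrase:

Server corporationscanada.ic.gc.ca:443 (RSA)
213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
Enter pass phrase:

Ok: Pass Phrase Dialog successful.
"""


def unpack_error_code(code: int) -> tuple[int, int, int]:
    """Split a packed OpenSSL error code (ERR_PACK) into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


@dataclass
class ServerReport:
    name: str
    algorithm: str
    errors: list[dict] = field(default_factory=list)


def parse_startup_output(text: str) -> dict[str, ServerReport]:
    """Attach each error line to the 'Server host:port (ALG)' banner that preceded it."""
    reports: dict[str, ServerReport] = {}
    current: ServerReport | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_LINE.match(line)
        if m:
            current = ServerReport(m.group("name"), m.group("alg"))
            reports[current.name] = current
            continue
        m = ERR_LINE.match(line)
        if m and current is not None:
            lib, func, reason = unpack_error_code(int(m.group("code"), 16))
            current.errors.append({
                "library": m.group("lib"), "function": m.group("func"),
                "reason": m.group("reason"),
                "location": f"{m.group('file')}:{m.group('line')}",
                "lib_num": lib, "func_num": func, "reason_num": reason,
            })
    return reports


def servers_with_key_errors(reports: dict[str, ServerReport]) -> list[str]:
    """Virtual hosts whose key load queued at least one ASN.1-library error."""
    return sorted(name for name, r in reports.items()
                  if any(e["lib_num"] == ERR_LIB_ASN1 for e in r.errors))


def failing_operation(report: ServerReport) -> str | None:
    """OpenSSL prints the error queue oldest first, so the last entry is the outermost call."""
    return report.errors[-1]["function"] if report.errors else None
```

With the page's output, failing_operation reports d2i_PrivateKey for every affected host, which says the problem was in decoding the private key rather than the certificate.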


Re: SSL Not Working from Outside LAN

2002-10-06 Thread Jeffrey Burgoyne


How about a simple test to ensure it is not the firewall. Set apache to
listen to HTTPS across port 80, which you already know works outside the
firewall. Then you can easily test to ensure it is not the firewall.

Jeff


On Sun, 6 Oct 2002, Jeff Umstead wrote:

> I've recently added a Red Hat 7.3 Linux server to our network running Apache and
> mod_ssl.  My problem is I can't make an https (over standard port 443) connection
> from outside our network.  I can connect via http (port 80) from both inside and
> outside our LAN.
> 
> I have the necessary port pass throughs, firewall rules etc in place for both ports.
> It works perfectly from inside our LAN (subnet) to either http or https but not from
> our other sites (different subnets) or from the internet.
> 
> I believe the problem is either an incorrect setting in httpd.conf or perhaps in a
> network configuration file I've overlooked.  Or ???
> 
> Any help / tips  would be greatly appreciated.
> 
> Thanks
> --
> Jeff Umstead
> IS Director
> Merrill Tool Holding Company
> Saginaw MI USA
> 




Re: Apache SSL redundancy

2002-01-25 Thread Jeffrey Burgoyne


A more expensive solution would be using a hardware based SSL switch up
front like the Nortel Alteon series.

Jeff

On Fri, 25 Jan 2002, Thierry Coopman wrote:

> Hi,
> 
> I'm trying to do this. The main problem is HTTPS session IDs I guess. This
> makes load-balancing a bit more complicated since you need to forward every
> request to the same server that has the sessionID. This is doable with Linux
> LVS, your firewall or with HW load-balancing kit.
> 
> Now, what happens on a failure?
> - The server(s) that still exist can take over the ip address of the failing
> server
> - The LoadBalancing system detects it and doesn't use the machine any more.
> 
> On the SSL side, since the server that fails over doesn't have the SSL
> session, the browser connecting to it fails to communicate.
> 
> I'm not sure if it is safe to use the same cert for every machine, or that
> it is a requirement to have the same cert on every machine.
> 
> Verisign requires you to ask for a different certificate for every server
> (with a different OU) in a cluster. (I think this is just a commercial
> reason, not a technical reason, but I'm not sure)
> 
> It is possible to sync the session cache over different hosts with things
> like Splash  but I haven't found an
> implementation with mod_ssl (only Apache-SSL)
> 
> I would be grateful if someone has a clean solution or if there is someone
> with experience on trying to accomplish this.
> 
> 
> On 24-01-2002 23:34, "Yu, Ming" <[EMAIL PROTECTED]> wrote:
> 
> > Does anyone have information about how to build redundant apache web site
> > with SSL?
> > 
> > Thanks 
> > 
> > - Ming Yu
> > 

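The affinity scheme Thierry and Jeff discuss, as an added example that is not code from mod_ssl, LVS or any balancer product: a consistent-hash ring keyed on the SSL session ID sends every request for a session to the same backend, and when a backend fails only its sessions move, which is exactly where the full-handshake failure described above occurs. Backend names and session IDs are constructed.

```python
"""SSL-session-ID affinity with failover (added example, not a product's code).

Pinning a session ID to one backend lets that backend's own SSLSessionCache
resume the session. The ring makes a backend failure move only that backend's
sessions; everyone else keeps their server and their cached session.
"""
from __future__ import annotations
import bisect
import hashlib


def _point(key: str) -> int:
    """Position of a key on the hash ring (first 8 bytes of SHA-256)."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


class SessionAffinityBalancer:
    def __init__(self, backends: list[str], replicas: int = 64) -> None:
        self.replicas = replicas
        self.healthy: set[str] = set()
        self._ring: list[tuple[int, str]] = []
        self._points: list[int] = []
        for backend in backends:
            self.add_backend(backend)

    def add_backend(self, backend: str) -> None:
        self.healthy.add(backend)
        self._ring.extend((_point(f"{backend}#{i}"), backend) for i in range(self.replicas))
        self._ring.sort()
        self._points = [p for p, _ in self._ring]

    def mark_down(self, backend: str) -> None:
        """Health check failed: its ring points are skipped until mark_up()."""
        self.healthy.discard(backend)

    def mark_up(self, backend: str) -> None:
        self.healthy.add(backend)

    def route(self, session_id: bytes) -> str:
        """First healthy backend clockwise from the session ID's point on the ring."""
        if not self.healthy:
            raise RuntimeError("no healthy backends")
        start = bisect.bisect_left(self._points, _point(session_id.hex()))
        n = len(self._ring)
        for step in range(n):
            _, backend = self._ring[(start + step) % n]
            if backend in self.healthy:
                return backend
        raise AssertionError("unreachable: every healthy backend has ring points")


def handle(balancer: SessionAffinityBalancer, caches: dict[str, set[bytes]],
           session_id: bytes) -> tuple[str, bool]:
    """Route one request; report whether the backend could resume from its own cache.

    A miss is the failure the thread describes: the session lives only in the
    cache of the server that created it, so a full handshake is needed.
    """
    backend = balancer.route(session_id)
    cache = caches.setdefault(backend, set())
    resumed = session_id in cache
    cache.add(session_id)
    return backend, resumed


def failover_demo(n_sessions: int = 300) -> dict:
    """Constructed scenario: n sessions spread over web1..web3, then web2 fails."""
    balancer = SessionAffinityBalancer(["web1", "web2", "web3"])
    sids = [hashlib.sha256(f"session-{i}".encode()).digest() for i in range(n_sessions)]
    caches: dict[str, set[bytes]] = {}
    first = [handle(balancer, caches, s)[1] for s in sids]   # all full handshakes
    second = [handle(balancer, caches, s)[1] for s in sids]  # all resumed
    before = {s: balancer.route(s) for s in sids}
    balancer.mark_down("web2")
    after = {s: balancer.route(s) for s in sids}
    third = {s: handle(balancer, caches, s)[1] for s in sids}
    moved = [s for s in sids if before[s] != after[s]]
    return {
        "backends_used": len(set(before.values())),
        "first_pass_resumed": sum(first),
        "second_pass_resumed": sum(second),
        "moved": len(moved),
        "moved_were_on_web2": all(before[s] == "web2" for s in moved),
        "none_on_web2_after": "web2" not in after.values(),
        "moved_full_handshake": not any(third[s] for s in moved),
        "stayed_resumed": all(third[s] for s in sids if before[s] != "web2"),
    }
```

Sharing one cache across hosts, as Jeff asks about, would turn the "moved_full_handshake" misses into resumptions; with per-host caches the browsers that lived on the failed server must renegotiate.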



Problems running on DEC

2001-05-02 Thread Jeffrey Burgoyne


Machine: DEC ES40
OS: OSF 1 V5.0 910 Alpha

Apache/1.3.12 
Mod_ssl/2.6.4
Openssl 0.9.5a



We just upgraded our boxes and have moved to upgraded
apache/modssl/openssl. Everything builds fine, but when I start up the web
server it just hangs after asking for the pass phrase. It seems to be
stuck in the temporary key generation phase. The ssl_engine_log reads :

[30/May/2000 08:30:42 09500] [info]  Server: Apache/1.3.12,
Interface: mod_ssl/2.6.4, Library: OpenSSL/0.9.5a
[30/May/2000 08:30:42 09500] [info]  Init: 1st startup round (still not
detached)
[30/May/2000 08:30:42 09500] [info]  Init: Initializing OpenSSL library
[30/May/2000 08:30:42 09500] [info]  Init: Seeding PRNG with 136 bytes of
entropy
[30/May/2000 08:30:42 09500] [info]  Init: Generating temporary RSA
private keys (512/1024 bits)


I'm just using builtin for PRNG generation which seems to work fine. 

The code appears to be looping as it is taking virtually 100% of one of
the CPUs :

root   9510   5103  0.0 08:33:01 pts/20:00.01
/usr/local/apache/bin/apachectl startssl
root   9511   9510 99.9 08:33:01 pts/20:21.11
/usr/local/apache/bin/httpd -DSSL

(these are the only two related apache processes started).

Anyone run into any similar problems?


Jeff

[EMAIL PROTECTED]




Re: Problem with connecting to site

2001-04-10 Thread Jeffrey Burgoyne


Check the ssl_engine_log and look for their IPs. That will tell you if
they tried to connect.

I see this type of thing a lot, and the problem is always on the other
side. See if they have a proxy to negotiate which may not be set up for
SSL. Can they get to other SSL sites?

Jeff

On Tue, 10 Apr 2001, D. Scott Davidson wrote:

> 
> I am having a problem at our site with one group
> of people on a common network not being able to connect
> to our ssl-enabled site. People outside of that one
> network can connect to our ssl enabled site. I am trying to
> track the problem to see what the error is. I am fairly
> new to this mod_ssl package and could use some suggestions on
> how to track this problem or on what this problem could
> be.
> 
> 
> Here is our situation:
> 
> - We are not denying anyone from our web sites with a deny
>   statement in our httpd.conf file or other assoc config files.
> 
> - The people on that one network CAN connect to non-ssl sites
>   fine. They can even connect to the site in question when apache
>   is brought up without ssl.
> 
> - The error that results is that our site is not responding.
> 
> 
> I get the impression that it is a handshake problem.
> Has anyone run into a similar problem ?
> Any suggestions ?
> 
> 
> Thanks in advance
> 
> 
> 




RE: Apache Bench equivalent for SSL?

2001-03-22 Thread Jeffrey Burgoyne


I'm not really looking at benchmarking web servers, but to run performance
analysis on some of our on-line systems.

stunnel seems workable. Year end hours must make my brain fuzzy because I
should have thought of that.

I also considered putting SSL into the ab program itself. It doesn't
actually look that hard to do. 

Jeff


On Thu, 22 Mar 2001, David Rees wrote:

> Take a look at the program siege, (search on freshmeat.net), it benchmarks
> web servers over SSL pretty well.
> 
> -Dave
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Jeffrey Burgoyne
> >
> > People;
> >
> > Is anyone aware of a tool like apache bench (ab) for SSL?
> >
> > Jeff Burgoyne
> >
> > [EMAIL PROTECTED]
> 




Apache Bench equivalent for SSL?

2001-03-22 Thread Jeffrey Burgoyne

People;

Is anyone aware of a tool like apache bench (ab) for SSL?

Jeff Burgoyne

[EMAIL PROTECTED]




Re: Missing Graphics?

2001-03-19 Thread Jeffrey Burgoyne



See my previous message about keep alives.

Jeff

On Mon, 19 Mar 2001, Chong, Arthur wrote:

> 
> We are noticing missing graphic icons when displayed 
> on some IE 5 browsers (Mac and Windows) on a https SSL link.
> 
> (mod_ssl 2.8.0 on Apache 1.3.17 on Linux)
> 
> The page shows up fine, but the graphics are missing?
> 
> On some browsers, they show up just fine...?
> 
> Any ideas?  Anybody seen this as well?
> 
> -Arthur.




Re: timeouts, errors, oh my...

2001-03-12 Thread Jeffrey Burgoyne


Over SSL I'd suggest turning keep alives off. We have had awful problems
with IE keepalives under SSL.

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown



Jeff

[EMAIL PROTECTED]

On Mon, 12 Mar 2001, Deocs Postmaster wrote:

> At 10:55 PM 03/04/2001 , you wrote:
> >Over my head, and apparently our web master also.  We have mod_ssl running 
> >on a linux box.  Netscape usually works.  IE 4 doesn't load all the 
> >references (graphics and .js files) that means it loads SOME and they are 
> >all referenced the same.  Hit refresh and there is an 'error in secured 
> >channel'  wait a while, and refresh works again.  Where does one look?
> 
> 
> I don't know if this is pertinent, but I am having an intermittent
> problem as well.  I submitted this to DavExplorer and mod_dav
> yesterday.
> 
> I am using DavExplorer 0.71 in SSL mode with:
>   Apache_1.3.19
>   mod_ssl_2.8.1
>   mod_dav_1.1.0
>   Windows 98 SE
> 
> When I try to write files from the local directory to the
> web directory I sometimes get a Java message from DavExplorer:
>  >Connection error:
>  >java.net.SocketException: Connection reset by peer: socket write error
> 
> The DavExplorer log shows:
> = Outbound Message Header =
> PUT /davssl/jdk11htm.exe HTTP/1.1
> Host: www.deocs.com:443
> Connection: TE
> TE: trailers, deflate, gzip, compress
> User-Agent: UCI DAV Explorer/0.71 RPT-HTTPClient/0.3-2E
> Accept-Encoding: deflate, gzip, x-gzip, compress, x-compress
> Content-type: application/octet-stream
> Content-length: 899090
> 
> The Apache error log reports a one line error:
>  > [Sun Mar 11 13:39:18 2001] [error] [client 192.168.1.1]
>  > An error occurred while reading the request body.  [400, #0]
> 
> The error seems to be likely to happen with files of 100K bytes
> or more, and some files will work after trying them a few times.
> 
> Thanks,
> Dave
> 
> 




Re: Lost environment variables

2001-02-07 Thread Jeffrey Burgoyne



On Wed, 7 Feb 2001, Anne Durand wrote:

> When opening the URL https://sympa.archi.fr/printenv, the system seems
  

 
> 
 ^^^

>   SSLOptions +StdEnvVars +ExportCertData
> 


Hint :


Try changing the script to printenv.cgi



Jeff




Re: Sharing SSLSessionCache in load balanced environment

2000-11-02 Thread Jeffrey Burgoyne


I have not played around with the session cache stuff, but a quick look on
my system seems to indicate it is a file. Would it be possible to NFS
mount this file among multiple machines making it shared? It would be
useful for myself as we are adding a second server to our installation and
all our pertinent files are on a shared HDS drive. If this could be shared
as well, it would be quite helpful.

Thoughts?


Jeff

[EMAIL PROTECTED]
 

On Thu, 2 Nov 2000, Owen Boyle wrote:

> "Wohlgemuth, Michael J." wrote:
> > I would like to implement some sort of load balancing for this site.  
> > ...the SSLSessionCache will need to be shared
> > somehow across separate physical hosts.  
> 
> This is an interesting question which we have been considering since we
> are planning to use load-balancing in the future. 
> 
> We have a different approach and what we plan to do is to configure the
> load-balancer so that all transactions within the same session are
> routed to the same server.
> 
> Since we haven't yet decided what to use for load balancing, we haven't
> yet discovered how to do this... :-)
> 
> Regards,
> 
> Owen Boyle.




RE: KeepAlive and mod_ssl

2000-10-20 Thread Jeffrey Burgoyne

I'd assume so. I'm no expert in this conf file configuration, but it looks
equivalent to what I put in that stopped all problems on my site.

Jeff

On Fri, 20 Oct 2000, Schwartz, Mark wrote:

> I have this in my httpd.conf file by default.  Does this solve the problem?
> 
> 
> 
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
> 
> 
> 
> -Mark Schwartz
> -Original Message-
> From: Aaron Beveridge [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 20, 2000 9:25 AM
> To: [EMAIL PROTECTED]
> Subject: RE: KeepAlive and mod_ssl
> 
> 
> How can you turn off all keep alives for every version of IE?
> 
> Aaron
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Jeffrey Burgoyne
> Sent: Friday, October 20, 2000 9:21 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: KeepAlive and mod_ssl
> 
> 
> 
> I have turned off all keep alives for every version of IE on SSL only.
> It provided no end of grief.
> 
> Jeff
> 
> 
> On Fri, 20 Oct 2000, Wallace, William wrote:
> 
> > Internet Explorer behaves terribly when using keep-alive connections over
> > HTTPS. After downloading a page it sometimes assumes the connection to the
> > server is still open, even if the server has timed it out and closed it.
> > When it tries to reuse the connection it will throw up a spurious error
> page
> > saying the server failed (nice way to cover for their own bugs).
> >
> > > -Original Message-
> > > From: William Deegan [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, October 17, 2000 12:10 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: KeepAlive and mod_ssl
> > >
> > >
> > > Greetings,
> > >
> > > Any suggestion as to whether to use or not use KeepAlive for https??
> > > (with mod_ssl of course 8))
> > >
> > > Thanks,
> > > Bill
> > >




RE: KeepAlive and mod_ssl

2000-10-20 Thread Jeffrey Burgoyne

In my section for SSL access

SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

This seems to have done the trick. Possibly :

BrowserMatch ".*MSIE.*" nokeepalive ssl-unclean-shutdown

Would do it as well. 



Jeff


On Fri, 20 Oct 2000, Aaron Beveridge wrote:

> How can you turn off all keep alives for every version of IE?
> 
> Aaron
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Jeffrey Burgoyne
> Sent: Friday, October 20, 2000 9:21 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: KeepAlive and mod_ssl
> 
> 
> 
> I have turned off all keep alives for every version of IE on SSL only.
> It provided no end of grief.
> 
> Jeff
> 
> 
> On Fri, 20 Oct 2000, Wallace, William wrote:
> 
> > Internet Explorer behaves terribly when using keep-alive connections over
> > HTTPS. After downloading a page it sometimes assumes the connection to the
> > server is still open, even if the server has timed it out and closed it.
> > When it tries to reuse the connection it will throw up a spurious error
> page
> > saying the server failed (nice way to cover for their own bugs).
> >
> > > -Original Message-
> > > From: William Deegan [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, October 17, 2000 12:10 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: KeepAlive and mod_ssl
> > >
> > >
> > > Greetings,
> > >
> > > Any suggestion as to whether to use or not use KeepAlive for https??
> > > (with mod_ssl of course 8))
> > >
> > > Thanks,
> > > Bill
> > >




RE: KeepAlive and mod_ssl

2000-10-20 Thread Jeffrey Burgoyne


I have turned off all keep alives for every version of IE on SSL only. 
It provided no end of grief.

Jeff


On Fri, 20 Oct 2000, Wallace, William wrote:

> Internet Explorer behaves terribly when using keep-alive connections over
> HTTPS. After downloading a page it sometimes assumes the connection to the
> server is still open, even if the server has timed it out and closed it.
> When it tries to reuse the connection it will throw up a spurious error page
> saying the server failed (nice way to cover for their own bugs).
> 
> > -Original Message-
> > From: William Deegan [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, October 17, 2000 12:10 PM
> > To: [EMAIL PROTECTED]
> > Subject: KeepAlive and mod_ssl
> > 
> > 
> > Greetings,
> > 
> > Any suggestion as to whether to use or not use KeepAlive for https??
> > (with mod_ssl of course 8))
> > 
> > Thanks,
> > Bill
> > 




Re: www.modssl.org site down

2000-06-01 Thread Jeffrey Burgoyne


Actually, the machine has seemed to be up, but the web server has not been
up. I've had problems over the last several days as well.

Jeff

[EMAIL PROTECTED]

On Thu, 1 Jun 2000, James Ford wrote:

> On Wed, 31 May 2000, Gil Vidals wrote:
> 
> >I have tried to access modssl.org from California, USA for the past
> >several days and the site is down. Also, the engelschall.com site is
> >down.
> 
> I can successfully get to it from my neck of the woods.
> 
> Tracing the route to world.modssl.org (129.132.7.171)
> 
> (snip)
>   3 Serial5-1-1.GW3.ATL1.ALTER.NET (157.130.25.185) 12 msec 12 msec 8 msec
>   4 106.ATM1-0.XR1.ATL1.ALTER.NET (146.188.232.114) 12 msec 8 msec 12 msec
>   5 195.at-1-1-0.TR1.ATL5.ALTER.NET (152.63.81.22) 16 msec 12 msec 12 msec
>   6 129.at-6-0-0.TR1.NYC9.ALTER.NET (152.63.0.114) 28 msec 28 msec 32 msec
>   7 187.ATM6-0.XR1.NYC4.ALTER.NET (152.63.21.121) 32 msec 28 msec 28 msec
>   8 189.ATM7-0.GW2.NYC6.ALTER.NET (152.63.22.1) 28 msec 32 msec 32 msec
>   9 switchng-gw.GW2.NYC6.ALTER.NET (157.130.29.210) 32 msec 36 msec 32 msec
>  10 swiEG1-A5-0-0-1.switch.ch (130.59.33.1) 144 msec 148 msec 148 msec
>  11 swiEZ1-F1-0-0.switch.ch (130.59.20.206) 144 msec 144 msec 160 msec
>  12 ezci1-eth-switch-fast.ethz.ch (192.33.92.65) 148 msec 144 msec 144 msec
>  13 rou-etz-1-mega-transit.ethz.ch (129.132.99.79) 148 msec 144 msec 160 msec
>  14 opensource-01.ee.ethz.ch (129.132.7.153) 144 msec *  144 msec
> 




Problems running on DEC : More Info

2000-05-30 Thread Jeffrey Burgoyne


A quick update. The code is infinitely looping in crypto/bn/bn_prime.c,
lines 151 (the loop label) to 177 (goto loop).

It appears that there is never a prime number generated.

Notes : add is NULL and callback is NULL



Is this something better discussed on the openssl list?


Jeff

[EMAIL PROTECTED]


Original


Machine : DEC ES40
OS  : OSF 1 V5.0 910 Alpha

Apache/1.3.12 
Mod_ssl/2.6.4
Openssl 0.9.5a



We just upgraded our boxes and have moved to upgraded
apache/modssl/openssl. Everything builds fine, but when I start up the web
server it just hangs after asking for the pass phrase. It seems to be
stuck in the temporary key generation phase. The ssl_engine_log reads:

[30/May/2000 08:30:42 09500] [info]  Server: Apache/1.3.12,
Interface: mod_ssl/2.6.4, Library: OpenSSL/0.9.5a
[30/May/2000 08:30:42 09500] [info]  Init: 1st startup round (still not
detached)
[30/May/2000 08:30:42 09500] [info]  Init: Initializing OpenSSL library
[30/May/2000 08:30:42 09500] [info]  Init: Seeding PRNG with 136 bytes of
entropy
[30/May/2000 08:30:42 09500] [info]  Init: Generating temporary RSA
private keys (512/1024 bits)


I'm just using builtin for PRNG generation which seems to work fine. 

The code appears to be looping as it is taking virtually 100% of one of
the CPUs:

root   9510   5103  0.0 08:33:01 pts/2  0:00.01 /usr/local/apache/bin/apachectl startssl
root   9511   9510 99.9 08:33:01 pts/2  0:21.11 /usr/local/apache/bin/httpd -DSSL

(these are the only two related apache processes started).

Anyone run into any similar problems?


Jeff

[EMAIL PROTECTED]





Problems running on DEC

2000-05-30 Thread Jeffrey Burgoyne


Machine : DEC ES40
OS  : OSF 1 V5.0 910 Alpha

Apache/1.3.12 
Mod_ssl/2.6.4
Openssl 0.9.5a



We just upgraded our boxes and have moved to upgraded
apache/modssl/openssl. Everything builds fine, but when I start up the web
server it just hangs after asking for the pass phrase. It seems to be
stuck in the temporary key generation phase. The ssl_engine_log reads:

[30/May/2000 08:30:42 09500] [info]  Server: Apache/1.3.12,
Interface: mod_ssl/2.6.4, Library: OpenSSL/0.9.5a
[30/May/2000 08:30:42 09500] [info]  Init: 1st startup round (still not
detached)
[30/May/2000 08:30:42 09500] [info]  Init: Initializing OpenSSL library
[30/May/2000 08:30:42 09500] [info]  Init: Seeding PRNG with 136 bytes of
entropy
[30/May/2000 08:30:42 09500] [info]  Init: Generating temporary RSA
private keys (512/1024 bits)


I'm just using builtin for PRNG generation which seems to work fine. 

The code appears to be looping as it is taking virtually 100% of one of
the CPUs:

root   9510   5103  0.0 08:33:01 pts/2  0:00.01 /usr/local/apache/bin/apachectl startssl
root   9511   9510 99.9 08:33:01 pts/2  0:21.11 /usr/local/apache/bin/httpd -DSSL

(these are the only two related apache processes started).

Anyone run into any similar problems?


Jeff

[EMAIL PROTECTED]




Re: Submit form sometimes fails connecting to secure server

2000-05-04 Thread Jeffrey Burgoyne


This could quite possibly be something that has driven me nuts tracking
down.

We have a problem for IE 5 only where links on the SSL side will sometimes
not be displayed when clicked on. A reload works fine. 

What we found was  that the packet would leave the machine, but not reach
the actual server. The packet was dropped somewhere in our network. This
happened only in our production environment, not our development
environment.

Our firewall people are currently testing this problem and feel that it is
probably the firewall or some device that is dropping the packet. Chances
are there is some non-critical problem with the packet (data or
otherwise) that the device or firewall considers offending.

Hope this helps somewhat. We only have the problem with IE 5 on the SSL
side. You may want to run tcpdump on your server to see if the packet with
the request actually shows up.


Jeff
[EMAIL PROTECTED]

On Thu, 4 May 2000, James Treworgy wrote:

> I am running apache 1.3.12 + mod_ssl 2.6.4 (openssl 0.9.5a) + mod_php 
> 3.0.16 on RH Linux 6.0, though this problem has occurred in previous 
> versions of the software (e.g. 1.3.9 + prev. mod_ssl).  mod_ssl is 
> installed as a dso.
> 
> A user clicks a "submit" button on a form, or even a link, on an insecure 
> page which loads a secure page.  In my testing, occasionally the first time 
> you click the button it will come up with a server error e.g. "can't find 
> page".  Clicking the back arrow and clicking the button again always works, 
> and the problem will not recur in that session, but of course most users 
> won't figure this out!  I generally use IE5 which is where this error has 
> been happening, I haven't been able to reproduce it yet in Netscape.  The 
> action of the URL is a complete url (e.g. "https://xxx.xxx.xxx/x.php3") 
> which happens to be a different domain -- but same physical server - than 
> the referring page, though I can't imagine that this could be related.
> 
> Any ideas?  My gut tells me that the server hangs for a sec when first 
> starting a secure session and for some reason.  (My server hosts a few 
> fairly low traffic web sites).  I thought installing it as a DSO might help 
> but it still happens.  I can't seem to create a specific circumstance under 
> which it will happen - e.g. if I restart httpd it won't do it the first 
> time I hit the site, it just happenssometimes.
> 
> James Treworgy
> [EMAIL PROTECTED]
> 




Trapping weak ciphers and redirecting

2000-04-19 Thread Jeffrey Burgoyne


People;

I didn't see a way to do this request from the docs:

"Could we allow users with 128 bit capable browsers accessing our site to
connect directly, but those using 40 bit browsers would be redirected to
a standard page telling them to upgrade."


We have many entry points into our SSL side, many of which are
simply HTML pages. We don't want to cut access out of the web server for
the 40 bit ciphers simply because the error message displayed would
confuse our user base (not to mention some of the managers internal). We
do want to enforce 128 bit however.


Is there a way to do this, something like accept these ciphers, and
route all others over to a set page?

Jeff

[EMAIL PROTECTED]





Re: Logging a user off the secure server

2000-04-08 Thread Jeffrey Burgoyne

The username/password feature is a generic HTTP protocol command and not
exclusively part of the secure side. As well, there is only a single part
of the protocol - username required.

That said, you must realize that you log into the server and out with
every connection. The browser caches the user id and password and makes it
seamless to you. Therefore the logout button would have to be part of
browser functionality and it is not. You can do it by
messing around with the protocol message back to the client, but it just
forces them to log in again, so a very good logout IMO.

Jeff



On Fri, 7 Apr 2000, Doug Poulin wrote:

> We are running a brand new server using Red Hat Linux 6.1 and Apache with 
> SSL.  Everything is up and appears to be working correctly.  The problem I 
> can't seem to find an answer to is, how do I log a user off?
> 
> When our secure application starts up you go through an authentication 
> process and the application starts up in a new (browser) window.  When you 
> close the application window you go back to the original window.  If you 
> click on the application start button you get logged right in.  No more 
> authentication (userid/password) form.  How do we get it so that they have 
> to re-log in everytime a user connects to our server?
> 
> I have searched the archives and everywhere else I can think of but can't 
> find any info.  It has to be something simple but what is it?
> 
> Doug Poulin
> __
> Get Your Private, Free Email at http://www.hotmail.com
> 

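An added illustration of the point made in the reply above (my code, not from the post): HTTP Basic credentials are replayed by the browser on every request, so the only "logout" a server can perform is to answer 401 again, which makes the browser prompt for credentials once more. The user store, realm and paths are constructed for the demo.

```python
import base64
import hmac

# Constructed demo credential store and realm (hypothetical, not from the post).
USERS = {"doug": "s3cret-pass"}
REALM = "secure-app"


def check_basic_auth(authorization):
    """Return the user name carried by an HTTP Basic Authorization header, or None."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed header: treat as unauthenticated, never as an error page
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(user, "")
    # Constant-time compare so a wrong user name and a wrong password cost the same.
    if expected and hmac.compare_digest(password.encode(), expected.encode()):
        return user
    return None


def handle(path, authorization):
    """Minimal request handler: returns (status, headers, body)."""
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    if path == "/logout":
        # Basic auth has no server-side session to destroy: the browser re-sends
        # its cached user:password pair with every request. The only lever the
        # server has is to answer 401 again, which makes the browser ask the user
        # for credentials once more, as the reply above describes.
        return 401, challenge, "logged out"
    user = check_basic_auth(authorization)
    if user is None:
        return 401, challenge, "authentication required"
    return 200, {}, f"hello {user}"


def basic_header(user, password):
    """Build the header value a browser sends after the user fills in the dialog."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    hdr = basic_header("doug", "s3cret-pass")
    print(handle("/app", hdr))      # 200: each request authenticates on its own
    print(handle("/logout", hdr))   # 401: forces the browser to prompt again
    print(handle("/app", hdr))      # 200: a client still holding the old pair
                                    # walks straight back in; nothing was revoked
```

The third call shows why the reply calls this a weak logout: the server never invalidated anything, it only asked the browser to forget.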



Re: Triplet boys!!

2000-02-24 Thread Jeffrey Burgoyne


Congratulations Bruce, and I hope you have a heck of a lot of family
nearby ... I have two year old twins and I won't even begin to describe
how much work the last two years have been (as we had no family close).
While it is rough for about a year, it gets to be a joke after that. They
just play with one another and you get to sit back and watch.


Jeff




On Wed, 23 Feb 2000, Bruce E. Harris wrote:

> Hi All,
> 
> After wanting a boy for over 20 yrs, my wife delivered triplet boys on 1 Feb.
> They should be home in a few more days.
> 
> 
> --
> Best Regards,
> 
> Bruce
> 
> http://harrisherd.ahv.cx




Re: Images not SSL encrypted

1999-09-27 Thread Jeffrey Burgoyne


You would have to reference all the images with the full url name.

For example, if your page is

https://mydomain.com/index.html

All your graphics on the page would have to be 

http://mydomain.com/graphic1.gif

instead of just /graphic1.gif 

Of course, the user will end up with messages about unencrypted data being
displayed on a secure connection (or something of the sort).


Jeff



On Mon, 27 Sep 1999, Scott Alexander wrote:

> Hi,
> 
> My Apache 1.3.9 server sends out images encrypted.
> 
> How can I send images not encrypted and save some resources.
> 
> 
> regards
> 
> Scott
> 
> 
> 




Re: mod_ssl for apache 1.2.6?

1999-08-04 Thread Jeffrey Burgoyne


I'm not really sure why the big difference. Around January our performance
with 1.2.6 was really dropping to the point everything was unusable. We
then added a second CPU to the DEC box, and got very intermittent
performance. It would go along great for a few minutes, then slow down to
a crawl. At times during the night (when there was a lot of processor time
available), the server would sometimes take ten minutes to serve up a
page.

About the best I could figure was that the SSL or Apache's multi-threading
had some problem.

After upgrading the intermittent dropouts went completely away. Loads are
well distributed across the CPUs. What caused the dropouts was never
discovered, but it made it very hard to gauge the previous performance
accurately. By looking at the best response times, we still had a
performance gain, but more in the magnitude of 50%.

Jeff


On Wed, 4 Aug 1999, Mark Dedlow wrote:

> 
> Victor Khimenko wrote:
> 
> > If you need SSL speed is not issue anymore. SSL is VERY processor-intensive
> > so you'll got at most 10-20 connections per second. Additional timeout from
> > ping-pong between 1.2.6 and 1.3.6 will be dwarfed by SSL timeout on any
> > decent OS...
> 
> 
> However, last week someone on this list said:
> 
> > I must say that the performance boost we got when moving from stronghold
> > to mod_ssl (1.2.5 apache to 1.3.6) was quite significant. At peak we
> > handle over 500 connections per second with no performance degradation
> > (Two CPU Alpha).
> 
> 
> How to account for the humongous difference?
> 
> Mark




Re: apache-modssl performace specs

1999-07-31 Thread Jeffrey Burgoyne


I must say that the performance boost we got when moving from stronghold
to mod_ssl (1.2.5 apache to 1.3.6) was quite significant. At peak we
handle over 500 connections per second with no performance degradation
(Two CPU Alpha).

I'd say your performance stats are definitely low for the performance you
should be getting.


Jeff


On Fri, 30 Jul 1999, Timothy Canfield wrote:

> Hi,
> 
> I would love to use apache and mod ssl for new site I'm putting up.
> However I ran some performance tests on it and am a little worried about
> the numbers I saw.
> 
> I was only able to open about 8 connections per second, and this was
> swamping the processor (p3 450).
> 
> With 20K files, I was able to get less than 1 Mbit per second (about 7
> hits per second, and again this was swamping the processor).
> 
> Are these the type of numbers I should expect, or does it seem as if I
> have things misconfigured?
> 
> Thanks,
> Tim
> 
> 




Re: Problem with verisign certificates

1999-07-31 Thread Jeffrey Burgoyne


Well, the problem (unfortunately) is a little more complex. Browsers
should not complain about the Certificate until January 1, which is about
the worst date they could have thought of. It is definitely a bug in the
3.X browser that almost seems to be dependent on the common name in the
certificate.


Jeff


On Fri, 30 Jul 1999, Albert Steiner wrote:

> We ran into this problem a while ago.
> 
> The problem is that the browser root verisign cert no longer matches the one
> that is root for the server.  However the common name on the cert is the same
> as the name on the newer ca root that lasts beyond 2000.  This means you can
> accept the cert, but you need to remove the other.
> 
> 
> These are the instructions from Phil Tracy at Northwestern University.
> 
> The two possible remedies are (1) tell people to upgrade to a more modern 
> browser, or (2) publish a set of instructions which guides users through 
> the process of updating their older browsers to work with the newer digital 
> certificates. This will be a non-trivial process for most users. Which 
> support approach are you interested in? Both?
> If you want to try out the certificate authority replacement approach, do 
> this (Windows): 
> Open Netscape 3.0x. 
> Under Options/Security, select Certificate Authorities. 
> Then select Verisign Secure Server. 
> Delete this certificate. 
> Go to URL http://www-gate.it-services.nwu.edu/it/new-verisign-ca.cacert 
> Follow the dialog boxes to accept the new certificate authority
> 
> Albert Steiner
> 
>  At 12:04 PM 7/29/99 -0400, you wrote:
> >
> >Openssl .93a
> >modssl 2.3.6
> >apache 1.3.6
> >Dec Unix 4.01
> >
> >Hmm, ran into a doozy.
> >
> >We just upgraded our verisign cert on our development server, and suddenly
> >Netscape 3 browsers get a database security error when trying to connect.
> >Everything else seems fine. Any ideas?
> >
> >
> >
> >Jeff
> >
> >
> --
> Albert Steiner  Coordinator Distributed Computing
> Emerging Technologies Group of Academic Technologies
> N O R T H W E S T E R N   U N I V E R S I T Y
> 1603 Orrington Suite #1400, Evanston, IL 60201-5064
> [EMAIL PROTECTED]  Phone 847-491-4056 FAX 847-467-7732 




Re: Newbie question on 3.X browsers and mod_SSL

1999-07-31 Thread Jeffrey Burgoyne



On Fri, 30 Jul 1999, Tim Rosmus wrote:

> Sorry if this has been asked before but I could not find any archives 
> of this list around.
> 
> Moving a site from an old Stronghold DEC UNIX Alpha server to a 
> Solaris 2.6 server running
> 
>  Apache/1.3.6 (Unix) ApacheJServ/1.0 PHP/3.0.9 mod_perl/1.19 
>  mod_ssl/2.3.1 OpenSSL/0.9.3a. 
> 
> The site in question uses SSL and everything works just fine for 
> recent MS and NS browsers.  The problem is with MS and NS 3.X
> browsers which give errors like this...
> 
>(Netscape 3.01)
>The security library has experienced a databas error
>You will probably be unable to connect to this site securely.
> 

Same problem I had. What seems to be interesting is that it does it on the
exact same software installation for dserver.ic.gc.ca but not for
strategis.ic.gc.ca. Both certificates were made the exact same way, signed
by Verisign on almost the exact same date, and seem to only differ by
common name.

I'm on vacation and not investigating because it only affects our
development environment, not production. Regardless, it's pretty
perplexing. I expect it may be a Netscape bug and am quite certain that
the message in the error log is not pointing in the right direction. As
well (as past experience has shown), don't believe what Netscape is
telling you either.

Jeff





Re: Problem with verisign certificates

1999-07-30 Thread Jeffrey Burgoyne


Hmm, with a little more investigation ...


I installed a new certificate generated the exact same way into
production and it works fine.

Then I found an openssl message in the 443 error log:

[Fri Jul 30 06:00:12 1999] [error] mod_ssl: SSL handshake failed (client
142.53.67.22, server dserver.ic.gc.ca:443) (OpenSSL library error follows)
[Fri Jul 30 06:00:12 1999] [error] OpenSSL: error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in
certificate not server name!?]


But this only happens when connecting with Netscape 3.X. At first the
message would seem to indicate that there is a problem with the cert, but
subsequent connections with other browsers prove otherwise?


Any ideas?


Jeff


On Thu, 29 Jul 1999, Jeffrey Burgoyne wrote:

> 
> Openssl .93a
> modssl 2.3.6
> apache 1.3.6
> Dec Unix 4.01
> 
> Hmm, ran into a doozy.
> 
> We just upgraded our verisign cert on our development server, and suddenly
> Netscape 3 browsers get a database security error when trying to connect.
> Everything else seems fine. Any ideas?
> 
> 
> 
> Jeff
> 
> 




Problem with verisign certificates

1999-07-29 Thread Jeffrey Burgoyne


Openssl .93a
modssl 2.3.6
apache 1.3.6
Dec Unix 4.01

Hmm, ran into a doozy.

We just upgraded our verisign cert on our development server, and suddenly
Netscape 3 browsers get a database security error when trying to connect.
Everything else seems fine. Any ideas?



Jeff





Browser/Certificate question

1999-07-27 Thread Jeffrey Burgoyne


I don't suppose (Yes, I'm being quite hopeful here) that there is a way to
have more than one server certificate for an SSL server and which
certificate is sent depends upon the browser version. 

This would be extremely useful in handling the Verisign root CA rollover
with the lovely date of Jan 1, 2000.



Jeff





Re: Experimental: input sucking for POST problem

1999-07-26 Thread Jeffrey Burgoyne


I'll give this a try as well given that I'm giving a demo tomorrow morning
:)


Thanks


Jeff

On Mon, 26 Jul 1999, Ralf S. Engelschall wrote:

> 
> As Matthias L. found out, the problems with POST requests in conjunction with
> per-directory/location SSL renegotiations is that the pending POST request
> body in the SSL BIO caused problems for the handshake. I've today spent four
> hours in the morning and hacked together an experimental patch which does the
> following: before the SSL handshake for renegotiations is performed it sucks
> in all received data from the SSL BIO. Then the handshake is performed and
> when Apache's BUFF code wants to read more from the BIO SSL we are aware of
> the pre-sucked data. With this patch I was able to get a form working which
> POSTs its data to a CGI (I was also able to reproduce the I/O error problem before,
> of course).
> 
> Matthias, can you try this out, too? I'm still not convinced whether this is
> the correct way (perhaps we can also manipulate the SSL BIO or whatever), but
> it at least is a solution. I've less time these days and weeks, so I would
> appreciate it when you investigate more for us - starting from this first cut of
> a solution. Thanks.
> 
> Greetings,
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com
> 
> Index: include/buff.h
> ===
> RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/include/buff.h,v
> retrieving revision 1.6
> diff -u -r1.6 buff.h
> --- include/buff.h1999/01/10 11:07:22 1.6
> +++ include/buff.h1999/07/26 09:26:06
> @@ -227,6 +227,10 @@
>  
>  /* enable non-blocking operations */
>  API_EXPORT(int) ap_bnonblock(BUFF *fb, int direction);
> +/* enable blocking operations */
> +API_EXPORT(int) ap_bblock(BUFF *fb, int direction);
> +/* check for blocking mode */
> +API_EXPORT(int) ap_bisblock(BUFF *fb, int direction);
>  /* and get an fd to select() on */
>  API_EXPORT(int) ap_bfileno(BUFF *fb, int direction);
>  
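Review bot: the two new prototypes in include/buff.h say what ap_bblock and ap_bisblock do but not what they return; in the main/buff.c part of this patch ap_bblock hands back the raw fcntl() result (0 or -1) while ap_bisblock returns TRUE/FALSE, so state both conventions in the header comments, e.g. `/* check for blocking mode: TRUE if fd is in blocking mode */`, so that callers do not test ap_bisblock() against 0 the way they would test ap_bblock().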
> Index: main/buff.c
> ===
> RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/main/buff.c,v
> retrieving revision 1.14
> diff -u -r1.14 buff.c
> --- main/buff.c   1999/03/21 12:00:11 1.14
> +++ main/buff.c   1999/07/26 09:25:30
> @@ -580,6 +580,44 @@
>  #endif
>  }
>  
> +API_EXPORT(int) ap_bblock(BUFF *fb, int direction)
> +{
> +int fd;
> +int mode;
> +
> +fd = (direction == B_RD) ? fb->fd_in : fb->fd;
> +mode = fcntl(fd, F_GETFL, NULL);
> +#if defined(O_NONBLOCK)
> +return fcntl(fd, F_SETFL, mode&~(O_NONBLOCK));
> +#elif defined(O_NDELAY)
> +return fcntl(fd, F_SETFL, mode&~(O_NDELAY));
> +#elif defined(FNDELAY)
> +return fcntl(fd, F_SETFL, mode&~(FNDELAY));
> +#else
> +/* : this breaks things, but an alternative isn't obvious...*/
> +return 0;
> +#endif
> +}
> +
> +API_EXPORT(int) ap_bisblock(BUFF *fb, int direction)
> +{
> +int fd;
> +int mode;
> +
> +fd = (direction == B_RD) ? fb->fd_in : fb->fd;
> +mode = fcntl(fd, F_GETFL, NULL);
> +#if defined(O_NONBLOCK)
> +return (mode & O_NONBLOCK) ? FALSE : TRUE;
> +#elif defined(O_NDELAY)
> +return (mode & O_NDELAY) ? FALSE : TRUE;
> +#elif defined(FNDELAY)
> +return (mode & FNDELAY) ? FALSE : TRUE;
> +#else
> +/* : this breaks things, but an alternative isn't obvious...*/
> +return FALSE;
> +#endif
> +}
> +
>  API_EXPORT(int) ap_bfileno(BUFF *fb, int direction)
>  {
>  return (direction == B_RD) ? fb->fd_in : fb->fd;
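Review bot: both new functions use the value of `fcntl(fd, F_GETFL, NULL)` without checking it for -1. On failure `mode` is -1, so ap_bblock then calls F_SETFL with every flag bit except O_NONBLOCK set, and ap_bisblock reports FALSE (non-blocking) for a descriptor whose state is actually unknown. Suggest `if ((mode = fcntl(fd, F_GETFL, 0)) == -1) return -1;` in ap_bblock and an explicit error path in ap_bisblock. The two `#else` fallbacks also disagree with each other: ap_bblock returns 0 as though it had succeeded, while ap_bisblock returns FALSE, so on such a platform a caller that switches to blocking mode and then checks the mode is told the switch did not take.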
> Index: modules/ssl/mod_ssl.h
> ===
> RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/mod_ssl.h,v
> retrieving revision 1.108
> diff -u -r1.108 mod_ssl.h
> --- modules/ssl/mod_ssl.h 1999/07/25 11:24:13 1.108
> +++ modules/ssl/mod_ssl.h 1999/07/26 08:02:23
> @@ -715,6 +715,7 @@
>  void ssl_io_register(void);
>  void ssl_io_unregister(void);
>  long ssl_io_data_cb(BIO *, int, const char *, int, long, long);
> +void ssl_io_suck(SSL *);
>  
>  /*  PRNG  */
>  int  ssl_rand_seed(server_rec *, pool *, ssl_rsctx_t);
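Review bot: `void ssl_io_suck(SSL *);` is added with no comment and no status return, although per the description above it reads all pending data out of the SSL BIO before a renegotiation handshake; that read can fail, and the renegotiation code needs to know whether the pre-read succeeded before it starts the handshake. Suggest returning an int (error status or number of bytes buffered) and a one-line comment stating where the pre-read data is kept and when it is released.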
> Index: modules/ssl/ssl_engine_io.c
> ===
> RCS file: /e/modssl/cvs/mod_ssl/pkg.apache/src/modules/ssl/ssl_engine_io.c,v
> retrieving revision 1.23
> diff -u -r1.23 ssl_engine_io.c
> --- modules/ssl/ssl_engine_io.c   1999/05/04 07:58:53 1.23
> +++ modules/ssl/ssl_engine_io.c   1999/07/26 09:53:23
> @@ -64,6 +64,138 @@
>  -- Unknown*/
>  #include "mod_ssl.h"
>  
> +/*  _
> +**
> +**  I/O Sucking
> +**  _
> +*/
> +
> +static char *suc

Re: [BugDB] I/O error during security authorization (PR#210)

1999-07-22 Thread Jeffrey Burgoyne


apache 1.3.6
openssl .9.3a
modssl 2.3.4


Interestingly enough, I found the exact same problem this morning. I'm
just writing our first cgi to require client certificates, and if the form
to be submitted is set to the GET method, all is fine. Set it to post,
and I get an I/O error on the browser. My ssl_engine_log has the following
entries:

[22/Jul/1999 05:14:17] [info]  Connection to child 6 established (server
dserver.ic.gc.ca:443)
[22/Jul/1999 05:14:18] [info]  Connection: Client IP: 142.53.67.60,
Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
[22/Jul/1999 05:14:18] [info]  Initial (No.1) HTTPS request received for
child 6 (server dserver.ic.gc.ca:443)
[22/Jul/1999 05:14:18] [info]  Requesting connection re-negotiation
[22/Jul/1999 05:14:18] [info]  Awaiting re-negotiation handshake
[22/Jul/1999 05:14:18] [error] Re-negotiation handshake failed: Not
accepted by client!?
[22/Jul/1999 05:14:18] [error] SSL error on reading data (OpenSSL library
error follows)
[22/Jul/1999 05:14:18] [error] OpenSSL: error:140940F5:SSL
routines:SSL3_READ_BYTES:unexpected record
[22/Jul/1999 05:14:18] [error] SSL error on writing data (OpenSSL library
error follows)
[22/Jul/1999 05:14:18] [error] OpenSSL: error:140940F5:SSL
routines:SSL3_READ_BYTES:unexpected record
[22/Jul/1999 05:14:18] [info]  Connection to child 6 closed with standard
shutdown (server dserver.ic.gc.ca:443)

Netscape 4.03 on Linux is what I'm using for a browser. However, it
appears to work on IE 4.0.

As well, starting with a fresh browser I found that when the method is set
to post, the browser never even asks for the user cert.

Perhaps the Netscape browser is having problems with reposting the data
for the CGI in renegotiation, as the data does not have to be reposted
when you use a get?


Jeff




On Thu, 22 Jul 1999 [EMAIL PROTECTED] wrote:

> On Wed, Jul 21, 1999, [EMAIL PROTECTED] wrote:
> 
> > Full_Name: Dario Castagnino
> > Version: 2.2.4
> > OS: Linux 2.0.36
> > Submission from: (NULL) (200.1.228.95)
> > 
> > We are using Mod_ssl & Open_ssl with Apache server 1.3.4.
> > We are having problems when we try to use the post method
> > to communicate to programs via CGI.
> > 
> > When the browser tries to make the post, it pops a window saying:
> > an I/O error ocurred during security authorization.
> > We do not get the error when we use GET method. 
> > 
> > We tried to solve it by changing the executables permissions so that
> > everybody can execute, read and write on them. After that the error
> > persisted on some programs , but not all of them. Also on the programs
> > that worked, it also failed from time to time.
> > 
> > The error_logs of the apache shows nothing about the problem.
> > Also if we try the same applications with no ssl (apache without ssl)
> > there are no problems at all.
> > 
> > Any help on this will be appreciated
> 
>   Changes with mod_ssl 2.2.5 (04-Mar-1999 to 18-Mar-1999)
> 
>*) Fixed the POST-problem where kept-alive HTTPS connections hang or
>   resulted in an I/O error inside the browser because the ``SSL close
>   notify'' alert couldn't be sent correctly because of Apache's internal
>   ``lingering close'' handling. EAPI was changed to now correctly call the
>   close_connection module hook also on timeout and linger closes. This
>   EAPI change means you cannot upgrade your libssl.so with --with-apxs to
>   this version. A complete Apache rebuild with the updated EAPI code is
>   necessary.
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com
> 

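The ssl_engine_log excerpt in this thread, the error_log excerpt in the Verisign/Netscape 3 thread above, and the startup log in the DEC hang report share a small set of record layouts. The following added example (my code, not mod_ssl's or any poster's) parses those layouts and flags what a defender would want alerted on: export-grade ciphers such as EXP-RC4-MD5 (40/128 bits), 512-bit temporary RSA keys, failed renegotiations, and handshake failures together with their OpenSSL error code and hint. The sample lines are the posts' own log lines re-joined where the mail client wrapped them; the two bit-size thresholds are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Record layouts from the posts: ssl_engine_log without a pid (mod_ssl 2.3.x),
# with a pid after the timestamp (2.6.x), and Apache's error_log.
ENGINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})(?: (?P<pid>\d+))?\]"
    r" \[(?P<level>\w+)\]\s+(?P<msg>.*)$")
ERROR_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})\]"
    r" \[(?P<level>\w+)\]\s+(?P<msg>.*)$")
CIPHER_RE = re.compile(r"Cipher: (?P<name>[\w-]+) \((?P<used>\d+)/\d+ bits\)")
CLIENT_RE = re.compile(r"Client IP: (?P<ip>[\d.]+)")
TMPKEY_RE = re.compile(r"temporary RSA private keys \((?P<sizes>[\d/]+) bits\)")
HANDSHAKE_RE = re.compile(
    r"SSL handshake failed \(client (?P<ip>[\d.]+), server (?P<server>[^)]+)\)")
OPENSSL_RE = re.compile(
    r"OpenSSL: error:(?P<code>[0-9A-Fa-f]{8}):(?P<reason>[^\[]+?)\s*"
    r"(?:\[Hint: (?P<hint>[^\]]+)\])?$")

MIN_CIPHER_BITS = 128   # assumption: anything below this is export grade (40/56 bit)
MIN_TMPKEY_BITS = 1024  # assumption: 512-bit temporary RSA keys serve export ciphers only


@dataclass
class Finding:
    kind: str
    ts: str
    detail: str


def parse_line(line):
    """Split one record into (timestamp, level, message); None if not a record."""
    m = ENGINE_RE.match(line) or ERROR_RE.match(line)
    return None if m is None else (m.group("ts"), m.group("level"), m.group("msg"))


def analyze(text):
    """Return the security-relevant findings in log order."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue  # wrapped continuation line or unrelated noise
        ts, _level, msg = parsed
        c = CIPHER_RE.search(msg)
        if c and int(c.group("used")) < MIN_CIPHER_BITS:
            ip = CLIENT_RE.search(msg)
            who = ip.group("ip") if ip else "unknown client"
            findings.append(Finding("weak_cipher", ts,
                                    f"{c.group('name')} {c.group('used')}-bit key from {who}"))
        if "Re-negotiation handshake failed" in msg:
            findings.append(Finding("renegotiation_failed", ts, msg.partition(": ")[2]))
        k = TMPKEY_RE.search(msg)
        if k and min(int(b) for b in k.group("sizes").split("/")) < MIN_TMPKEY_BITS:
            findings.append(Finding("weak_tmp_key", ts, k.group("sizes")))
        h = HANDSHAKE_RE.search(msg)
        if h:
            findings.append(Finding("handshake_failed", ts,
                                    f"client {h.group('ip')} to server {h.group('server')}"))
        o = OPENSSL_RE.search(msg)
        if o:
            detail = f"{o.group('code')} {o.group('reason').strip()}"
            if o.group("hint"):
                detail += f" hint={o.group('hint')}"
            findings.append(Finding("openssl_error", ts, detail))
    return findings


def summarize(findings):
    """Count findings per kind, e.g. to drive an alert threshold."""
    return dict(Counter(f.kind for f in findings))


# Sample input: the posts' own log lines, re-joined where the mail client
# wrapped them, plus one junk line to show that it is ignored.
SAMPLE_LOG = """\
[22/Jul/1999 05:14:17] [info]  Connection to child 6 established (server dserver.ic.gc.ca:443)
[22/Jul/1999 05:14:18] [info]  Connection: Client IP: 142.53.67.60, Protocol: SSLv3, Cipher: EXP-RC4-MD5 (40/128 bits)
[22/Jul/1999 05:14:18] [info]  Requesting connection re-negotiation
[22/Jul/1999 05:14:18] [error] Re-negotiation handshake failed: Not accepted by client!?
[22/Jul/1999 05:14:18] [error] OpenSSL: error:140940F5:SSL routines:SSL3_READ_BYTES:unexpected record
[30/May/2000 08:30:42 09500] [info]  Init: Generating temporary RSA private keys (512/1024 bits)
[Fri Jul 30 06:00:12 1999] [error] mod_ssl: SSL handshake failed (client 142.53.67.22, server dserver.ic.gc.ca:443) (OpenSSL library error follows)
[Fri Jul 30 06:00:12 1999] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name!?]
this is not a log record and is skipped
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts}  {f.kind:21} {f.detail}")
    print(summarize(analyze(SAMPLE_LOG)))
```

Run against a real ssl_engine_log the junk-line skip also drops the wrapped continuation lines that the mailing list introduced, so the parser is safe to point at an unmodified file.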



Re: Can't negotiate compatible protocol

1999-07-21 Thread Jeffrey Burgoyne



On Wed, 21 Jul 1999, Leon Brooks wrote:

> Using Apache 1.3.6, Mod-SSL 2.3.5-1.3.6, OpenSSL 0.9.3a, PHP 3.0.10 all
> built from source under Linux kernel 2.2.9 (Mandrake 6.0 distro) I can
> browse through the resulting server using HTTP no problems, but HTTPS
> yields Netscape (4.61) complaining about not being able to negotiate
> compatibly, 

Perhaps it's negotiating ciphers. I and several people have had this
problem and the error message is misleading. In my case the machine name I
had set up in the conf file was not the machine name, although it was a
valid DNS entry. On linux I especially noted that simply entering new
entries in the /etc/host file on a stand alone machine was not good at
all.

As with you, I had s_client always working fine.


Jeff





Re: Question on MM Shared Memory library

1999-07-13 Thread Jeffrey Burgoyne



On Tue, 13 Jul 1999, Ralf S. Engelschall wrote:

> On Mon, Jul 12, 1999, Khimenko Victor wrote:
> 
> > [...]
> > Yes, when you specify where to put SSL session cache and use MM you must
> > specify size of MM pool as well. You do not want it really big.
> 
> And on some platforms you cannot even make it very large, because of
> restrictions of the underlying shared memory implementation! But MM and
> mod_ssl check this, so don't worry too much about this.  A cache of 512 KB is
> usually fine.

Any limit on Dec Alpha as to how big it can be? Politics be what they may,
I'm trying to convince a group to rewrite one of their CGIs as it takes
120 Meg of memory when it runs (and it's written in C). Their reason for
not rewriting is that we generally have 300 megs free memory on the
server, so what's the big deal?

:)


Jeff





Re: Question on MM Shared Memory library

1999-07-12 Thread Jeffrey Burgoyne



> 
> > Any idea of what performance gain to expect? We get about 15000 real hits
> > a day, about 6 total (including graphics). About 10% of those are SSL.
> > I need to justify why we want to make the change to the web server and
> > even a rough idea is all my employers need to see.
> 
> I've still not seen any benchmarks, but the shared memory based session cache
> is certainly a magnitude faster than the disk-I/O dependent DBM based session
> cache, of course.

Agreed. Is there anything else available for memory based caches for
Apache? We have over a million documents (and dozens of online systems
through CGIs). About 150 documents (all from the http side) account for
40% of our traffic and many of the graphics are fairly common among the
pages. Even a small memory based cache would have significant advantages
for our site.

Regardless, would I see much advantage from implementing this feature? 95%
of our accesses on the SSL side are CGI programs, and I'm not sure what
the cache would store that would be useful. Since it's session-based, I
assume some keys would be stored.


Jeff





Re: Question on MM Shared Memory library

1999-07-12 Thread Jeffrey Burgoyne



On Mon, 12 Jul 1999, Khimenko Victor wrote:

> 12-Jul-99 08:13 you wrote:
> 
> > After experiencing some "brownouts" in Stronghold SSL, I changed our web
> > server to modssl last week. We saw a huge increase in performance (of
> > course, the brownouts really dragged down the stats I expect) in the range
> > of 50 to 80 percent.
> 
> > Since our site is a very high profile government site, I tried to keep
> > things as simple as possible for the cutover and left out the Shared
> > Memory library. I can't find an over abundance of documentation on this
> > feature and had some questions.
> 
> > First off, does the cache apply to all http requests as well as https
> > requests? I'm assuming it does, but it's not too exact in the
> > documentation.
> 
> No it does not :-) AFAIK for now MM can be used only for SSL session cache.
>

Darn.   
 
> > Secondly, are there any configuration parameters to allow me to specify how
> > much memory it uses? I'm generally running with about 300 Megs free.
> 
> Yes, when you specify where to put SSL session cache and use MM you must
> specify size of MM pool as well. You do not want it really big.
> 
> > Any idea of what performance gain to expect? We get about 15000 real hits
> > a day, about 6 total (including graphics). About 10% of those are SSL.
> > I need to justify why we want to make the change to the web server and
> > even a rough idea is all my employers need to see.
> 
> Usually you'll get only a very slight gain in performance: you did not say
> which OS you are using, but in most modern OSes with a decent filesystem
> cache the gain will be small. Usage of MM is better from a security standpoint
> but will not buy you much on the performance side. Maybe Ralf can add some
> arguments "pro MM", of course...


Running on a DEC Alpha (4.01 I believe).

One last question. Does every hit to the cache still result in a log entry
being generated?


Jeff


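The cache choice discussed in this thread and in the earlier "Question on MM Shared Memory library" replies (DBM on disk versus the MM shared-memory pool, and the size limit on the pool), as an added configuration example in mod_ssl 2.x syntax, not taken from the thread. The cache paths are placeholders.

```apache
# Added example, not from the thread: configuring the mod_ssl session cache.
# Paths are placeholders; adjust to the ServerRoot of the installation.

# Disk-based DBM cache: every lookup is file I/O, and the session state
# (which includes the negotiated master secrets) is written to disk, so the
# directory must be readable only by the server's user.
#SSLSessionCache        dbm:/usr/local/apache/logs/ssl_scache

# Shared-memory cache via MM: in-process, no disk I/O. The number in
# parentheses is the pool size in bytes; 512 KB is the figure suggested in
# the thread. Some platforms cap the segment size, and MM/mod_ssl check the
# limit at startup rather than silently truncating the pool.
SSLSessionCache         shm:/usr/local/apache/logs/ssl_scache(512000)

# Expire cached sessions after five minutes so that a cached master secret
# is only useful for a short window.
SSLSessionCacheTimeout  300

# Serialise cache access between the Apache child processes.
SSLMutex                sem
```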



Question on MM Shared Memory library

1999-07-12 Thread Jeffrey Burgoyne


After experiencing some "brownouts" in Stronghold SSL, I changed our web
server to modssl last week. We saw a huge increase in performance (of
course, the brownouts really dragged down the stats I expect) in the range
of 50 to 80 percent.

Since our site is a very high profile government site, I tried to keep
things as simple as possible for the cutover and left out the Shared
Memory library. I can't find an over abundance of documentation on this
feature and had some questions.

First off, does the cache apply to all http requests as well as https
requests? I'm assuming it does, but it's not too exact in the
documentation.

Secondly, are there any configuration parameters to allow me to specify how
much memory it uses? I'm generally running with about 300 Megs free.


Any idea of what performance gain to expect? We get about 15000 real hits
a day, about 6 total (including graphics). About 10% of those are SSL.
I need to justify why we want to make the change to the web server and
even a rough idea is all my employers need to see.


Jeff




Re: different certs for v. domains

1999-07-09 Thread Jeffrey Burgoyne


(Not that I have done this, but ...)

You should include a separate SSLCertificateFile and SSLCertificateKeyFile
directive within each secure server virtual host pointing to the
appropriate file that holds the certs and associated keys.



Jeff


On Thu, 8 Jul 1999, Brent Holden wrote:

> call this a stupid question:
> 
> i have installed apache 1.3.6 with mod_ssl 2.3.5 and i am using OpenSSL
> 0.9.3a.
> i am unclear of how to have a different certificate for each virtual
> domain.  i am able to assign a certificate, but that certificate is the
> same for all domains.  i tried playing around with it, but there seemed
> to be no obvious solution, unless i am overlooking something huge.  if i
> could have someone respond to me with a resolution it would be greatly
> appreciated.
> 
> thanks,
> -brent
> 

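The per-virtual-host certificate setup Jeff describes, as an added configuration example for Apache 1.3 with mod_ssl 2.x; it is not from the thread. Hostnames, addresses and file paths are placeholders. The hosts are IP-based because the SSL handshake, and therefore the choice of certificate, completes before the client's Host: header is ever seen, so name-based virtual hosts cannot be given different certificates.

```apache
# Added example, not from the thread: one certificate and key per SSL
# virtual host. Addresses, hostnames and paths are placeholders.
# Each secure host needs its own IP address (see the lead-in above).

Listen 192.0.2.10:443
Listen 192.0.2.11:443

<VirtualHost 192.0.2.10:443>
    # ServerName must match the certificate's Common Name, otherwise
    # browsers warn and mod_ssl may refuse the pairing at startup.
    ServerName   www.example.com
    DocumentRoot /usr/local/apache/htdocs/example
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/example.crt
    # The key file holds the private key: keep it mode 0400, owned by
    # root, in a directory only root can enter.
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/example.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName   secure.example.net
    DocumentRoot /usr/local/apache/htdocs/example-net
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/example-net.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/example-net.key
</VirtualHost>
```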



Question on upgrading from Stronghold

1999-06-29 Thread Jeffrey Burgoyne


I'm having a bit of a problem with the authentication in changing over from
Stronghold to mod_ssl. In my new conf file I have added:


AuthType Basic
AuthName Strategis
AuthDBMUserFile /rz6c/stronghold/pw/level1
require valid-user



which mod_ssl doesn't like. Does mod_ssl support DBM user files for
authentication, or do I have to use a .htaccess file, and if so is there an
available utility that I can use to do this?



Jeff





Re: "Test" Server Certificate

1999-06-29 Thread Jeffrey Burgoyne



Rather than give a technical reason, I can give you an interesting example
of a real world situation.

I'm currently implementing an E-Commerce system for Industry Canada, and
some company won the bid to supply us with software (namely OpenMarket,
and yes I accept your condolences).

An integral part of the process involves the users going off site to the
ecommerce site and back to our site for fulfillment. To ensure goods are
paid for we need to use a web server called the secure link bridge.

Our secure link bridge needs a certificate and it installs with a test
type certificate. Our client services group did not like this because the
browser would ask to accept that certificate and mentioned security
concerns. When we approached the company on how to generate a real
certificate request (seeing as securelink bridge will only accept
certificates generated from their software) they seemed surprised we wanted
to do this. Why spend the extra money, they said, as it was just as secure.


The answer is maybe it's secure enough, but does it give your superiors
(who in my case have a somewhat limited technical understanding in this
area) and customers that "vote of confidence" that you are providing the
most secure solution possible? If your data really has a need to be
secure, then what's a few hundred bucks?



Jeff


On Mon, 28 Jun 1999, Jason Gilmore wrote:

> I have very recently (today) set up a secure server, and am currently
> using the test certificate to test the setup.
> 
> The reason why I am using a secure server is to protect database data
> for a project we are currently working on. The database will be for
> internal use only, and will not be accessible to the outside.
> 
> Therefore, my question is:
> 
> Is the test certificate good enough for encryption, or is it suggested
> that we purchase a certificate?
> 
> If it is not good enough, why? I have read the docs, but must not
> understand something...
> 
> Many thanks!
> 
> -- jason
> 




fixed : was Re: No common encryption algorithims

1999-06-18 Thread Jeffrey Burgoyne



After a bit of investigation and fiddling, I have finally solved this
problem. The error message wasn't all that helpful unfortunately.


The problem lay in the fact that the actual hostname on the machine was
different than the hostname with which my browser was accessing the box.
The box was called y2kalpha2.ic.gc.ca. This was on a self-contained
ethernet subnet in our y2k lab. As it wasn't being used, they added an ATM
card to the box and it could be accessed from my desktop as
strata0.ic.gc.ca.

Once I changed the hostname on the machine from y2kalpha2.ic.gc.ca to
strata0.ic.gc.ca and restarted the web server, it all worked fine.

Thanks for all the hints.


Jeff




Query on security requirements for Canada

1999-05-15 Thread Jeffrey Burgoyne


According to the documentation, RSAref is a mandatory requirement for US
citizens. I can find no reference to Canadian citizens, but past
experience has led me to believe that most security requirements for the
United States also apply to Canada. Does anyone know if this applies to
the US only or if I have to install it as well?

To go even further, I do host sites from American companies. If they wish
to use my secure server, would they have to follow these requirements?


Jeff Burgoyne (proud member of the state of Canada  :) )

