RE: Certificate Server
Hi Miguel It is possible to create your own CA certificate and then create a server certificate which gets signed by your own CA key. You do these using openssl. Check http://www.freebsddiary.org/openssl-client-authentication.php He talks about client authentication but he is really doing server authentication. Regards Jose -Original Message- From: Miguel Angel Gomez Animas [mailto:miguelangelga;msn.com] Sent: 24 October 2002 19:28 To: [EMAIL PROTECTED] Subject: Certificate Server Hi all I want to know if is possible create a server certificate with modssl, something like a personal verisign or something like this... What do i have to do???, can you help me with this??? Thanks a lot _ Internet access plans that fit your lifestyle -- join MSN. http://resourcecenter.msn.com/access/plans/default.asp __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Configuring my own CA
Hi Brian Netscape needs a pckcs12 format. I emailed the openssl list on the 16/10/2002 with subject Re: CSR/CA Issued Certificate where among other things I show how to create CA,server and client certificates (not keys) and how to convert them to PKSC12 format and import them into the browser. Cheers Jose -Original Message- From: Brian Lavender [mailto:brian;brie.com] Sent: 18 October 2002 03:30 To: [EMAIL PROTECTED] Subject: Configuring my own CA I am trying to configure my web server so when user brian attempts to connect to https://myhost/brian/ it authenticates him via his certificate and it allows him to view the directory. I successfully compiled apache + modssl with a test certificate signed by Snake Oil. So, here goes on the questions. Do I need to create my own Certificate Authority? If I create my own CA, how do I get Netscape to use it as a CA? I am using Netscape 4.7 on Solaris. If I create my own CA, does my Apache/modssl server perform that function? Do I need to create a certificate for Brian? Does it have to be signed by the CA? Here are the answers I came up with so far. It looks like I need to create a CA and that I can run it on the my modssl alongside the server.crt. Here is how I created the CA $ openssl genrsa -des3 -out ca.key 1024 I created a self signed CA certificate. $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt So this created my certificate authority certificate. I created at server.key. The CN for the server.key is the FQDN of my modssl web server. $ openssl genrsa -des3 -out server.key 1024 I created a request (server.csr) using that server key. openssl req -new -key server.key -out server.csr Then I signed the server key with the command: $ ./sign.sh server.csr which produced a server.crt file. So, it looks like I have a CA and the server certificate. I create a key for myself which I signed using the CA. $ openssl genrsa -des3 -out brian.key 1024 $ openssl req -new -key brian.key -out brian.csr $ sign.sh brian.csr Then I end up with the following files. brian.crt ca.crt ca.db.serial server.crt brian.csr ca.db.certs/ ca.key server.csr brian.key ca.db.indexfile.p12 server.key I can't seem to import my key (brian.crt) into my Netscape browser though. Is there some other format I need to import it into? brian -- Brian Lavender http://www.brie.com/brian/ __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2
Hi John Yeah, I just wanted to make sure that your chain file was setup correctly which it seems to be. Unfortunately I have only used Apache 1.3.x and I haven't used any chain certificates as yet (just used my own generated certificates). The only thing I can think of is to compare the CA details in the Netscape truststore to the details of the CA available on the Apache side (using openssl to view it), just to eleminate that possibility. Try joining the netscape security mailing list and see if you can get any info there?? Regards Jose -Original Message- From: J. B. Chambers [mailto:[EMAIL PROTECTED]] Sent: 10 October 2002 20:56 To: [EMAIL PROTECTED] Subject: Re: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2 [I had to be out of the office, sorry to be slow in following up] Thanks for the reply, Jose. Either I posed my question poorly or I don't understand your answer. I have two servers running (they are on the same host (distinguished ports), the CN value in the certificate won't be an issue). One is Apache1+modssl-addon, the other is Apache2+modssl-builtin. Both are set up with a copy of our secure server certificate from Verisign (SSLCertificateFile), and the Verisign-provided intermediate certificate (SSLCertificateChainFile). (And of course both have the same SSLCertificateKeyFile). Now. When I point IE6 (or Opera) at either server, it recognizes the intermediate certificate, figures out that it knows who Verisign is (in its list of known CAs), and trusts our Verisign-issued server cert. If I point Netscape at the Apache1 version, it behaves in this way also. If I now point Netscape at the trial Apache2 setup, it claims that (as noted) the server cert was issued by an unrecognized CA. So .. the only way I can articulate this situation is .. that there is some difference in the way the mod_ssl addon for Apache 1 and the mod_ssl builtin for Apache 2 delivers intermediate certificate chain info, and that only Netscape seems to be sensitive to the difference. Jose Correia (J) wrote: To my knowledge the Netscape behaviour is actually the normal one. If the server certificate is not installed in their browser Trusted certificate store (ot its higher parent) then there is no way its going to recognize it as a trusted certificate. Regards Jose -Original Message- From: J. B. Chambers [mailto:[EMAIL PROTECTED]] Sent: 03 October 2002 17:41 To: [EMAIL PROTECTED] Subject: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2 Hi. My production server is currently running Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g and I'm test driving Server: Apache/2.0.42 (Unix) mod_ssl/2.0.42 OpenSSL/0.9.6g I have a secure server certificate from Verisign, and the intermediate cert from their website installed as the SSLCertificateChainFile. Things work fine on the production platform. On the test platform, things work fine using IE6 or Opera as the browser, and the certificate details are okay on inspection. However, Netscape 7 (and also Mozilla, BTW) returns the error The certificate was issued by a certificate authority that Netscape 7.0 does not recognize which would seem to be a cert chain problem. Probing with openssl s_client does not suggest a server problem. You can, of course, just tell NS7 to permanently accept the cert and continue, but it's upsetting to some users to have to do that. Info at mozilla.org suggests that, at least up til recently, there have been known SSL/TLS issues, but I don't see anything quite like this. Anyone with a similar experience/problem/solution? Thanks in advance. John Chambers [EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: no subject
As long as you have OpenSSL 0.9.6g then you are fine. -Original Message- From: Janek Richter [mailto:[EMAIL PROTECTED]] Sent: 09 October 2002 10:16 To: [EMAIL PROTECTED] Subject: no subject Hello, i'm using Apache/2.0.42 with integrated mod_ssl/2.0.42. Is it possible to upgrade to a higher version or is it the latest/SECURE release of modssl for apache 2? Lots of security scanner (nessus, slapperscan..) had found an https/ssl security hole. Apache start message: Apache/2.0.42 (Unix) mod_ssl/2.0.42 OpenSSL/0.9.6g configured -- resuming normal operations thanks, Janek __ Jetzt testen fur 1 Euro! Ihr All-in-one-Paket! https://digitaledienste.web.de/Club/?mc=021106 __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Mod.so errors.
You have to obtain the mod.so file and place it in the ../libexec directory.. its not there. -Original Message- From: Zandi Patrick S TSgt AFRL/IFOSS [mailto:[EMAIL PROTECTED]] Sent: 07 October 2002 15:47 To: '[EMAIL PROTECTED]' Subject: Mod.so errors. Hello , I cannot get mod.so to work.. And I have no Idea where it should be here.. I build apache with the following options.. EAPI_MM=/usr/local/bin \ SSL_BASE=/usr/local/ssl \ ./configure \ --with-layout=Apache \ --server-uid=zandip \ --server-gid=other \ --with-perl=/usr/local/bin/perl \ --prefix=/apache \ --enable-module=most \ --enable-shared=max \ --enable-module=ssl \ --disable-rule=SSL_COMPAT \ --enable-rule=SSL_SDBM \ --enable-module=so \ --enable-module=rewrite \ --enable-module=log_referer \ --enable-module=log_agent \ --enable-module=expires \ --enable-module=info \ --enable-module=usertrack \ Now When I execute I am getting the following.. Syntax error on line 204 of /apache/conf/httpd.conf: Cannot load /apache/libexec/mod.so into server: ld.so.1: /apache/bin/httpd: fatal: /apache/libexec/mod.so: open failed: No such file or directory ./apachectl start: httpd could not be started Looking at line 204 says LoadModule mod_so libexec/mod.so Ls -la of LIBEXEC Shows.. httpd.exp mod_asis.so mod_cgi.so mod_headers.so mod_log_referer.so mod_speling.so libproxy.so mod_auth.so mod_define.so mod_imap.so mod_mime.so mod_status.so libssl.so mod_auth_anon.somod_digest.so mod_include.so mod_mime_magic.so mod_unique_id.so mod_access.so mod_auth_dbm.so mod_dir.so mod_info.so mod_negotiation.so mod_userdir.so mod_actions.so mod_autoindex.somod_env.so mod_log_agent.so mod_rewrite.so mod_usertrack.so mod_alias.somod_cern_meta.somod_expires.so mod_log_config.so mod_setenvif.so mod_vhost_alias.so __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: SSLCipherSuite ALL error
It looks like the default CA certificate that comes with openssl has expired... The solution to this is to generate your own CA and then generate and sign your server certificate using this own CA. If you have perl in your machine, try this url (although its meant for FreeBSD, it works just as well on Linux): http://www.freebsddiary.org/openssl-client-authentication.php Just follow the part until he generates the server certificate and insert this and the CA on httpd.conf. The second part he's actually admited to me is not the client certificate he was mentioning, but rather the server certificate. Regards Jose -Original Message- From: Zandi Patrick S TSgt AFRL/IFOSS [mailto:[EMAIL PROTECTED]] Sent: 07 October 2002 17:01 To: '[EMAIL PROTECTED]' Subject: RE: SSLCipherSuite ALL error OK, I think I narrowed this part down.. I am getting this on make certificate... Verify: matching certificate signature ../conf/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil [EMAIL PROTECTED] error 10 at 1 depth lookup:certificate has expired Anyone ? -Original Message- From: Zandi Patrick S TSgt AFRL/IFOSS Sent: Monday, October 07, 2002 9:39 AM To: '[EMAIL PROTECTED]' Subject: SSLCipherSuite ALL error Hello , again.. I hate to be a pain here With ./apachectl startssl I am getting.. ../conf/httpd.conf 1234 lines, 44355 characters 109 /apache/bin ./apachectl startssl Syntax error on line 1085 of /apache/conf/httpd.conf: Invalid command 'SSLCipherSuite', perhaps mis-spelled or defined by a module not included in the server configuration ./apachectl startssl: httpd could not be started Line 1085 says /// 1085 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:+eNULL __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2
To my knowledge the Netscape behaviour is actually the normal one. If the server certificate is not installed in their browser Trusted certificate store (ot its higher parent) then there is no way its going to recognize it as a trusted certificate. Regards Jose -Original Message- From: J. B. Chambers [mailto:[EMAIL PROTECTED]] Sent: 03 October 2002 17:41 To: [EMAIL PROTECTED] Subject: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2 Hi. My production server is currently running Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g and I'm test driving Server: Apache/2.0.42 (Unix) mod_ssl/2.0.42 OpenSSL/0.9.6g I have a secure server certificate from Verisign, and the intermediate cert from their website installed as the SSLCertificateChainFile. Things work fine on the production platform. On the test platform, things work fine using IE6 or Opera as the browser, and the certificate details are okay on inspection. However, Netscape 7 (and also Mozilla, BTW) returns the error The certificate was issued by a certificate authority that Netscape 7.0 does not recognize which would seem to be a cert chain problem. Probing with openssl s_client does not suggest a server problem. You can, of course, just tell NS7 to permanently accept the cert and continue, but it's upsetting to some users to have to do that. Info at mozilla.org suggests that, at least up til recently, there have been known SSL/TLS issues, but I don't see anything quite like this. Anyone with a similar experience/problem/solution? Thanks in advance. John Chambers [EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: Navigation Canceled
By the way you are using AJPv13 and not AJPv12 on Tomcat right? Tomcat needs AJPv13 to identify requests made via HTTPS. Regards Jose -Original Message- From: ROUITS Olivier [mailto:[EMAIL PROTECTED]] Sent: 04 October 2002 12:05 To: [EMAIL PROTECTED] Subject: Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: Navigation Canceled Our application is only in HTTPS, there is no unsecured content because all is forwarded to Tomcat (JSP/Images/HTML) in a virtual host that listen to 443 port. 80 port is not open on apache front machine. On IE 5.5 with 700Mhz pentium there is no problem On IE 6 the problem is systematic for certain multi frame pages. All the frames are updated simultaneously by onLoad javascript event on one of the frames. When only one frame is updated, no problem. Sometimes in navigation, some frames are not refreshed, requests are broken... I think that send requests at the same time (with javascript) to refresh a lot of frames (4 or 5) on the browser, breaks theses requests (in HTTPS on our configuration). Then the message Navigation Canceled is sent on a blank page in theses frames, but not in HTTPS mode (?), it's here that the message is shown in IE: unsecured and secured data in page (something like that, i'm french...). We have also this configuration (2 Linux machines interconnected by AJP) on Linux/390 (2 virtual linux/390 on IBM mainframe under zVM) with the front apache server in DMZ (internet access) and Tomcat server in PRODUCTION ZONE. Here it's worse, because of latency introduced by FIREWALLS, rooters, virtual machines wake up, and mainframe overload (many users connected on others virtual machines), ... in ssl_engine_log i see: Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits) in mod_jk.log i have a lot of error like: [Wed Oct 02 10:53:01 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 10:56:02 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 11:02:16 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 11:02:52 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 11:33:07 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 11:34:21 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 12:44:43 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed [Wed Oct 02 12:48:39 2002] [jk_ajp_common.c (948)]: Error ajp_process_callback - write failed Best regards. - Original Message - From: Clayton [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, October 04, 2002 10:54 AM Subject: RE: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: Navigation Canceled I don't think the problem is about any thing u mentioned which is IE6 and apache+mod_ssl+mod_jk+tomcat HTTPS. The common sense tell me that we shouldn't put unsecured and secured content together, you did mention those errors happened in some frame pages, within one page which u like users to connect. So, if u tried not to put those content together, I think u probably won't see the error message any more. Wish u make it solved. Best regards, Clayton Chen : ) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ROUITS Olivier Sent: Friday, October 04, 2002 3:53 PM To: [EMAIL PROTECTED] Subject: Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: Navigation Canceled I'm going watch SSL Directives for this problem, it's very strange because its a random problem. I think there is a timout in IE for HTTPS (?) and mod_ssl+mod_jk forwarding is too slow for this timeout. Thanks! - Original Message - From: Harald Koch [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, October 03, 2002 7:23 PM Subject: Re: IE 6 and apache+mod_ssl+mod_jk+tomcat HTTPS problem: Navigation Canceled On some frames of web pages we have the message: Navigation Canceled = and IE says that the page has secured and unsecured elements. This pages are JSP pages from an front Apache Linux server that forward = requests with AJP (mod_jk, AJP 1.3) to another TOMCAT (4.0.3) Linux = server. In simple HTTP protocol there is no problem, Apache+AJP+Tomcat works = fine. This sounds to me like someone is redirecting HTTPS to HTTP, instead of maintaining the 'over SSL' status of the URL... Strange that you describe it as intermittent, though. Maybe a caching-related issue? Sorry this isn't more helpful... -- Harald Koch [EMAIL PROTECTED] It takes a child to raze a village. -Michael T. Fry __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __
RE: mod_ssl with apache 1.3.27 ?
Ralf has just announced in this list the new relased version of mod_ssl: 2.8.11 -Original Message- From: Stefan Nicolin [mailto:[EMAIL PROTECTED]] Sent: 04 October 2002 18:36 To: [EMAIL PROTECTED] Subject: mod_ssl with apache 1.3.27 ? Hi, Apache 1.3.27 was released. Is there a way to build it with the actual mod_ssl-2.8.10 ? Well this is more a rhetoric question. My only concern is the possibility to build apache with mod_ssl soon. As http://www.modssl.org/news/state.html; states, the next release of mod_ssl will be triggerd when apache 1.3.28 cames out. So with apache 1.3.27 there is no go ? Thanks, Stefan -- One Unix to rule them all, One Resolver to find them, One IP to bring them all and in the zone bind them. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Maintainership of mod_ssl
Hi all I agree, I haven't seen much movement/improvements with mod_ssl in the last months and in this industry things need to get moving in order to keep the software in touch with its neighbours (apache, open_ssl, mod_authz_ldap to name a few) and therefore each one improving on the other. If Ralf cannot afford the time then I am for someone else (like you Tim) to take over the reigns (either fully or partially). It is really important that users see mod_ssl constantly improving itself. Best regards Jose Correia -Original Message- From: Tim Tassonis [mailto:[EMAIL PROTECTED]] Sent: 25 September 2002 15:50 To: [EMAIL PROTECTED] Subject: Maintainership of mod_ssl Hi Ralf and everybody Wouldn't it now be about time to transfer maintainership of mod_ssl to somebody else (if there is anybody willing and capable available) , as this software is now obviously unmaintained except for important security fixes. Ralf has done a tremendous job in providing and maintaining mod_ssl, but obviously has no more time left to actively work on it. But there are still people (me at least) who would like to enhance mod_ssl beyond the very neccessary. Unfortunately mails with patches to do so are not even replied. How do other people and most of all, how does Ralf think about this? Bye Tim __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
make certificate command
Hi all I'm trying to generate my fake client certificate for test purposes. For this I'm using the make certificate command under apache (which is tied to openssl via modssl). I have a question in the process, when I reach STEP 3 it tells me: STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt] Certificate Version (1 or 3) [3]: Signature ok subject=/O=telkom/OU=users/CN=Jose Getting CA Private Key Verify: matching certificate key modulus read RSA key Verify: matching certificate signature ../conf/ssl.crt/server.crt: /C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil [EMAIL PROTECTED] error 10 at 1 depth lookup:Certificate has expired OK Does this mean my server.crt wasn't signed by the CA SnakeOil because it has expired?? Thanks in advance Jose Correia __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE:
Try at php4win.com (by the way if you had done a search for that file using a search engine like google.com, you would have found it yourself) Cheers Jose -Original Message- From: Frédéric [mailto:[EMAIL PROTECTED]] Sent: 11 September 2002 13:39 To: [EMAIL PROTECTED] Subject: Hi, how find the file php4apache-eapi.dll for use with apache-mod_ssl 1.3.26 ?? Thanks __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: No such module 'ssl'
Hi Alex Why are you using: --with-ssl=../apache_1.3.26/src/modules/ssl/ instead of --with-ssl=../openssl_0.9.6a (or whatever version you have) ?? Cheers Jose -Original Message- From: Alex Kirk [mailto:[EMAIL PROTECTED]] Sent: 05 September 2002 21:49 To: [EMAIL PROTECTED] Subject: Re: No such module 'ssl' Hi Alex I think he meant you to run ./configure from the mod_ssl installation directory and not the apache one. Still getting problems with that: bash-2.04# pwd /home/packages/mod_ssl-2.8.10-1.3.26 bash-2.04# SSL_BASE=/home/packages/openssl-0.9.6g/ ./configure --with-apache=../apache_1.3.26 --with-layout=Apache --with-ssl=../apache_1.3.26/src/modules/ssl/ --prefix=/usr/local/apache/ --enable-module=so --activate-module=src/modules/perl/libperl.a --activate-module=src/modules/php4/libphp4.a Configuring mod_ssl/2.8.10 for Apache/1.3.26 + Apache location: ../apache_1.3.26 (Version 1.3.26) + OpenSSL location: ../apache_1.3.26/src/modules/ssl/ + Auxiliary patch tool: ./etc/patch/patch (local) + Applying packages to Apache source tree: o Extended API (EAPI) o Distribution Documents o SSL Module Source o SSL Support o SSL Configuration Additions o SSL Module Documentation o Addons Done: source extension and patches successfully applied. Configuring for Apache, Version 1.3.26 + using installation path layout: Apache (config.layout) + activated perl module (modules/perl/libperl.a) + activated php4 module (modules/php4/libphp4.a) configure:Error: No such module named 'ssl' ./configure:Error: APACI failed I even checked for a libssl.a in apache_1.3.26/src/modules/ssl/; there wasn't one, but I found one in openssl-0.9.6g/ and copied it over. That didn't work, either. You'd really think this wouldn't be so complex... Alex Kirk __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: No such module 'ssl'
Hi Alex I think he meant you to run ./configure from the mod_ssl installation directory and not the apache one. Regards Jose -Original Message- From: Alex Kirk [mailto:[EMAIL PROTECTED]] Sent: 04 September 2002 23:48 To: [EMAIL PROTECTED] Subject: Re: No such module 'ssl' I think you should try --with-ssl option. configure:Error: invalid option '--with-ssl=src/modules/ssl/' No, I don't think so. Thanks for the thought though. Any other ideas on how I should be doing this? Alex Kirk __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Apache 2.0.35 - ssl fails silently?
Have you tried looking in ssl_engine.log? -Original Message- From: Paul English [mailto:[EMAIL PROTECTED]] Sent: 02 September 2002 22:55 To: [EMAIL PROTECTED] Subject: Re: Apache 2.0.35 - ssl fails silently? On Mon, 2 Sep 2002, Paul English wrote: I'm working with a new setup of 2.0.35 under Linux, and having First of all, why 2.0.35 on a new setup? 2.0.36 was the first full release (back in April). 2.0.40 is the current release. Oops, I guess I should have said relatively new. It has been up and running without any SSL for a few months. I'm downloading 2.0.40 now, although I think the problem is most likely configuration somehow. Paul __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
availability of certificate info
Hi all I'm trying to setup Apache talking to OpenLdap using certificates via a module called mod_authz_ldap through the SSL port, using mod_ssl. While I haven't entirely gotten that to work, I'm trying to determine out of that setup if it is possible to: - When a user authenticates himself to the site using his/her certificate, is it possible to access the certificate's info that is being sent to the openldap database, through a servlet?? This might not be the right list, but since one of the components is modssl related I thought I would give it a try. Any pointers are appreciated. Best regards Jose Correia Isis __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
rebuilding apache + mod-ssl - urgent pls
Hi all I needed to rebuild apache + mod-ssl 2.84 + open-ssl-0.9.6a on top of my existing apache version 1.3.20. It all went fine and installed nicely. After rebooting the machine and trying to start the service with ssl (using /opt/apache/bin/apachectl startssl), I'm now getting this: Syntax error on line 224 of /opt/apache/conf/httpd.conf: Cannot load /opt/apache/libexec/mod_rewrite.so into server: /opt/apache/libexec/mod_rewrite.so: undefined symbol: dbm_fetch /opt/apache/bin/apachectl startssl: httpd could not be started Any ideas of a step I missed?? My errors.log file says: Tue Aug 27 14:55:13 2002] [error] mod_ssl: Init: Private key not found (OpenSSL library error follows) [Tue Aug 27 14:55:13 2002] [error] OpenSSL: error:0D084069:asn1 encoding routines:d2i_ASN1_SET:bad tag [Tue Aug 27 14:55:13 2002] [error] OpenSSL: error:0D09D082:asn1 encoding routines:d2i_RSAPrivateKey:parsing [Tue Aug 27 14:55:13 2002] [error] OpenSSL: error:0D09B00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib I'm using my previous server.crt and server.key and server.csr... must I regenerate these using make certificate?? thanks a lot Jose __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]