Re: Urgent help please

2007-09-20 Thread Kevin Klawon
Firefox will show you what links, images, etc are on a page and what protocol 
they are using (http or https)

Kevin Klawon
203-675-5644


--Original Mail--
From: Yvo van Doorn [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Wed, 19 Sep 2007 16:59:03 -0700
Subject: Re: Urgent help please

Actually more specifically a web site development issue. You most
likely have static links pointing to content in your web development
code (html, css, php, whatever language they have). mod_rewrite
doesn't rewrite your actual code, you need to do that.

An *example* would be <img src="http://www.example.com/example.jpg">.
When you attempt to access this on a secure page a certain web browser
(HINT: IE) goes all nutty and complains like you mention in your
original request. This is definitely not the correct place for the
problem you experience. A good  decent google search would've clued
you in on any of this. I highly suggest this website on how to use
Google: http://www.googleguide.com/

On 9/19/07, a k [EMAIL PROTECTED] wrote:
 Pretty sure that is a browser issue and not a web site issue.


 Lindsay Hausner [EMAIL PROTECTED] wrote:


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 On Behalf Of Jones, Stephen (SJONES)
 Sent: Friday, August 03, 2007 10:16 AM
 To: modssl-users@modssl.org
 Subject: Urgent help please

 Hello,

 My site just did a redesign and now the SSL's do not work as desired
 and I have no clue why.

 Here is the scenario:

 The Home page on initial connection is NOT using SSL.

 I can select any non SSL page and remain a non SSL page

 I select one of the 2 SSL pages and I get SSL (ie: https in the address
 bar and the lock icon in the browser)

 From this point on every page is now defined as SSL. I see this by
 picking
 any link on the page and the link displayed in the lower left corner is
 listed as https. If I choose the link the address bar is https and the
 lock icon appears.

 The problem is that if I choose any of the links back to the Home page I
 get the POP up "This page contains both secure and non secure item."

 The address bar stays as https but the lock icon disappears.

 No changes were made to the httpd.conf or ssl.conf files.

 I have the following redirects in place and I can see the first 2
 working when I enable rewrite logging.

 I never see the 3rd one run.

 RewriteCond %{HTTPS} !=on
 RewriteCond %{REQUEST_URI} ^.*/cf/store/.*
 RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]


 ## For Digsig
 RewriteCond %{HTTPS} !=on
 RewriteCond %{REQUEST_URI} ^.*/cf/digsig/.*
 RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R]

 ## For Everything Else
 RewriteCond %{HTTPS} =on
 RewriteCond %{REQUEST_URI} ^.*/.*
 RewriteRule ^/(.*) http://%{SERVER_NAME}/$1 [L,R]

 Any suggestions as to what or where to look would be greatly
 appreciated.

 Sorry for the delay.

 "This page contains both secure and non secure item." means there are url
 paths in page content (usually graphics...image sources for links and the
 like) which are http (and need to be https). I'm not too familiar w/
 mod_rewrite, but a guess is that your rules apply to actual links, but not
 urls for content such as .gif or .jpg files.

 Hope this helps.

 lh..




 


__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
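
The replies in this thread attribute the warning to http:// content URLs embedded in the page markup, which mod_rewrite does not touch. The following Python scanner is an added example, not code from the thread; it lists the subresource references that resolve to plain HTTP on an HTTPS page, and the sample markup and the www.example.com URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make a browser fetch a subresource. Plain
# <a href> navigation links are not in this set: following them changes
# the page, it does not load content into the current one.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("frame", "src"),
    ("embed", "src"), ("object", "data"), ("input", "src"),
    ("body", "background"), ("table", "background"), ("td", "background"),
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = page_url   # replaced when a <base href> is seen
        self.findings = []         # (line, tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = {name: value for name, value in attrs if value}
        if tag == "base" and "href" in attrs:
            self.base_url = urljoin(self.page_url, attrs["href"])
            return
        loads = [(n, v) for n, v in attrs.items()
                 if (tag, n) in SUBRESOURCE_ATTRS]
        # <link> only loads content for some rel values.
        if tag == "link" and "href" in attrs:
            rel = set(attrs.get("rel", "").lower().split())
            if rel & {"stylesheet", "icon"}:
                loads.append(("href", attrs["href"]))
        line = self.getpos()[0]
        for name, value in loads:
            # Relative and protocol-relative URLs inherit the page scheme,
            # so only references that resolve to http:// are reported.
            resolved = urljoin(self.base_url, value.strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append((line, tag, name, resolved))


def find_mixed_content(page_url, html):
    """Return insecure subresource references for a page served at page_url."""
    if urlsplit(page_url).scheme != "https":
        return []                  # nothing is "mixed" on a plain HTTP page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample home page: one hard-coded http:// script and image,
# plus relative and protocol-relative references that are fine.
SAMPLE_HOME_PAGE = """\
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://www.example.com/js/menu.js"></script>
</head><body>
<a href="http://www.example.com/about.html">About</a>
<img src="http://www.example.com/example.jpg">
<img src="/images/logo.gif">
<img src="//www.example.com/images/banner.gif">
</body></html>
"""

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(
            "https://www.example.com/index.html", SAMPLE_HOME_PAGE):
        print("line %d: <%s %s> loads %s" % (line, tag, attr, url))
```

A `<base href="http://...">` element turns every relative reference on the page into an insecure one, which is why the scanner tracks it.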




Re: Apache with SSL Issue

2006-03-08 Thread Kevin Smith
Well, I think as Apache2 is the root, your path is wrong for the 
certificate file, as the error shows, your config should be as follows:


<VirtualHost server-ip-address:443>
  SSLEngine On
  SSLCertificateFile conf/ssl/servername.cert
  SSLCertificateKeyFile conf/ssl/servername.key
</VirtualHost>

Regards,

Kevin

Asad Habib wrote:
Hello. I am running Windows XP and I am trying to make Apache2 run 
with mod_ssl. I have a certificate file and certificate key file in 
place but when I run Apache I get the following error:


Syntax error on line 973 of C:/Program Files/Apache2/conf/httpd.conf
SSLCertificateFile: file 'C:/conf/ssl/servername.cert' does not exist 
or is empty


The code for my virtual host directive is as follows:

<VirtualHost server-ip-address:443>
   SSLEngine On
   SSLCertificateFile /conf/ssl/servername.cert
   SSLCertificateKeyFile /conf/ssl/servername.key
</VirtualHost>

A lot of folks have had similar problems as I found out through 
Google, but I have not come across any viable solutions. Your help 
would be appreciated. Thanks.


- Asad


Re: Apache with SSL Issue

2006-03-08 Thread Kevin Smith

Probably the best thing to do is add the absolute path to the files as:

SSLCertificateFile C:/Program Files/Apache2/conf/ssl/servername.cert
SSLCertificateKeyFile C:/Program Files/Apache2/conf/ssl/servername.key

The above paths are assumed to be correct.

Kevin

Asad Habib wrote:
Hello. Thanks for your input. I have tried your suggestion already and 
it yielded the same Syntax error as mentioned below and the 
SSLCertificateFile error was as follows:


SSLCertificateFile: Invalid file path conf/ssl/servername.cert

- Asad



On Wed, 8 Mar 2006, Kevin Smith wrote:

Well, I think as Apache2 is the root, your path is wrong for the 
certificate file, as the error shows, your config should be as follows:


<VirtualHost server-ip-address:443>
 SSLEngine On
 SSLCertificateFile conf/ssl/servername.cert
 SSLCertificateKeyFile conf/ssl/servername.key
</VirtualHost>

Regards,

Kevin

Asad Habib wrote:
Hello. I am running Windows XP and I am trying to make Apache2 run 
with mod_ssl. I have a certificate file and certificate key file in 
place but when I run Apache I get the following error:


Syntax error on line 973 of C:/Program Files/Apache2/conf/httpd.conf
SSLCertificateFile: file 'C:/conf/ssl/servername.cert' does not 
exist or is empty


The code for my virtual host directive is as follows:

<VirtualHost server-ip-address:443>
   SSLEngine On
   SSLCertificateFile /conf/ssl/servername.cert
   SSLCertificateKeyFile /conf/ssl/servername.key
</VirtualHost>

A lot of folks have had similar problems as I found out through 
Google, but I have not come across any viable solutions. Your help 
would be appreciated. Thanks.


- Asad


Re: Apache with SSL Issue

2006-03-08 Thread Kevin Smith

Yep, as Eckard said, try surrounding the path with " ".

I know if you typed the cd command to get to the path C:/Program 
Files/Apache2/conf/ssl/.cert in a Cmd DOS prompt, it would produce an 
error. Surrounding the path with " " would then execute the cd command 
successfully.


Regards,

Kevin

Eckard Wille wrote:

Kevin Smith wrote:

Probably the best thing to do is add the absolute path to the files as:

SSLCertificateFile C:/Program Files/Apache2/conf/ssl/servername.cert
SSLCertificateKeyFile C:/Program Files/Apache2/conf/ssl/servername.key



If this still does not work try to surround the path with " ", like this:

SSLCertificateFile "C:/Program Files/Apache2/conf/ssl/servername.cert"
SSLCertificateKeyFile "C:/Program Files/Apache2/conf/ssl/servername.key"



Or, even better, put the Apache on a spare unix/linux box. Configuring
apache/tomcat/mod_jk/whatever is more straightforward there than on a
windows box.

Greetings from Germany,
Eckard


Re: Apache with SSL Issue

2006-03-08 Thread Kevin Smith

Ok, try the following 3 examples and let me know how it goes.

C:\Program Files\Apache2\conf\servername.cert
C:\\Program Files\\Apache2\\conf\\servername.cert
C://Program Files//Apache2//conf//servername.cert

Kevin

Asad Habib wrote:
Hi Kevin. I already tried this but it did not work. I got an invalid 
file path error.


- Asad


On Wed, 8 Mar 2006, Kevin Smith wrote:


Yep, as Eckard said, try surrounding the path with " ".

I know if you typed the cd command to get to the path C:/Program 
Files/Apache2/conf/ssl/.cert in a Cmd DOS prompt, it would produce 
an error. Surrounding the path with " " would then execute the cd 
command successfully.


Regards,

Kevin

Eckard Wille wrote:

Kevin Smith wrote:

Probably the best thing to do is add the absolute path to the files 
as:


SSLCertificateFile C:/Program Files/Apache2/conf/ssl/servername.cert
SSLCertificateKeyFile C:/Program Files/Apache2/conf/ssl/servername.key



If this still does not work try to surround the path with " ", like 
this:



SSLCertificateFile "C:/Program Files/Apache2/conf/ssl/servername.cert"
SSLCertificateKeyFile "C:/Program Files/Apache2/conf/ssl/servername.key"




Or, even better, put the Apache on a spare unix/linux box. Configuring
apache/tomcat/mod_jk/whatever is more straightforward there than on a
windows box.

Greetings from Germany,
Eckard


Patch providing v3 extensions in environment

2004-03-08 Thread Kevin C Miller
I've patched mod_ssl to export some V3 extension information from 
certificates into the environment. We are issuing client certificates with 
the Subject Alternative Name being used to specify DNS names / email 
addresses and need to authenticate using this information.

The patch is available from:
http://www.andrew.cmu.edu/~kevinm/mod_ssl-2.8.14-patch1
It applies to 2.8.16 as well with patch -p9 < mod_ssl-2.8.14-patch1 in 
the top level directory of the distribution.

Please let me know if there are problems with this patch or if it's 
acceptable for inclusion in the distribution.

Thanks,
-Kevin


Re: Patch providing v3 extensions in environment

2004-03-08 Thread Kevin C Miller
Neat... I'd avoid doing separate strcEQs for V3EXT_ and the rest
separately since strcasecmp is slow; and I'd also omit the V3EXT_ from
the name completely, just call it SSL_*_SUBJECT_ALTNAME or something and
do the one strcEQ in var_lookup_ssl_cert.
I was assuming that at some point, it may be desirable to export data of 
other X509v3 extensions, and this would provide a clean separation. But, I 
see your point and will change the patch if people agree that no such 
separation is needed.

Adding this in +StdEnvVars might be a bit much...
Okay; adding another directive would obviously require a larger change, but 
it doesn't look too complicated and I'm willing to, if there is agreement 
that a ExtEnvVars or AdvEnvVars is desirable.

How does OpenSSL serialize the altname extension if it contains multiple
names; is it usable in SSLRequire then?
It would look like: DNS:some.host.example.com, IP Address:10.0.0.1. So, 
usable in SSLRequire although perhaps not as useful as it could be.

-Kevin

---
Kevin C. Miller [EMAIL PROTECTED]
Network Development
Carnegie Mellon University
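
The last answer above gives the serialized form of a multi-name extension, "DNS:some.host.example.com, IP Address:10.0.0.1". The following Python sketch is an added example, not part of the patch or of mod_ssl; it splits that one-line form into typed entries and compares them exactly, next to the substring comparison that an access rule written against the raw string amounts to. The `.invalid` name is constructed.

```python
import ipaddress

# Labels OpenSSL prints in front of each entry in its one-line rendering.
# Anything else (DirName, othername, ...) is rejected rather than guessed at.
LABELS = {"DNS": "dns", "IP Address": "ip", "email": "email", "URI": "uri"}


def parse_san(text):
    """Split 'DNS:a, IP Address:b' into [("dns", "a"), ("ip", "b")].

    Caveat: the rendering does not escape ', ' inside a value, so the text
    form is ambiguous for unusual names. Parsing the extension structure
    itself is the robust route; this works on the string the post shows.
    """
    entries = []
    for item in text.split(", "):
        label, sep, value = item.partition(":")
        if not sep or not value or label not in LABELS:
            raise ValueError("unrecognised subjectAltName entry: %r" % item)
        kind = LABELS[label]
        if kind == "dns":
            value = value.lower().rstrip(".")         # DNS names: case-insensitive
        elif kind == "ip":
            value = str(ipaddress.ip_address(value))  # canonical address form
        entries.append((kind, value))
    return entries


def san_contains(text, kind, wanted):
    """Exact, type-aware membership test. Unparseable input is refused."""
    if kind == "dns":
        wanted = wanted.lower().rstrip(".")
    elif kind == "ip":
        wanted = str(ipaddress.ip_address(wanted))
    try:
        return (kind, wanted) in parse_san(text)
    except ValueError:
        return False


def substring_match(text, wanted):
    """What a plain 'contains' test on the raw string does (shown for contrast)."""
    return wanted in text


# Value quoted in the post above.
PAGE_VALUE = "DNS:some.host.example.com, IP Address:10.0.0.1"
# Constructed: a certificate issued for a longer name with the same prefix.
LONGER_NAME = "DNS:some.host.example.com.test.invalid"

if __name__ == "__main__":
    print(parse_san(PAGE_VALUE))
    for value in (PAGE_VALUE, LONGER_NAME):
        print(value,
              "| substring:", substring_match(value, "DNS:some.host.example.com"),
              "| exact:", san_contains(value, "dns", "some.host.example.com"))
```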


RE: this list

2004-03-01 Thread Kevin
I am guessing that no one is able to block the mail from mmx.engelschall.com
on the modssl.org list?


Kevin Klawon
CTO - InterSightTechnologies

Tel.: (888) 843-6935 Ext. 483
Mobile: 203-675-5644
Office:  407-854-3447

[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Behalf Of Jeff Hallgren
Sent: Monday, March 01, 2004 10:37 AM
To: [EMAIL PROTECTED]
Subject: this list

Why do I keep getting spam from the modssl-users list when I'm not
subscribed to it (anymore)??
Please stop.



Your Contact Info

2003-11-04 Thread Kevin Klawon
[EMAIL PROTECTED],
I'm updating my address book. Please take a moment to update
your latest contact information. Your information is stored in
my personal address book and will not be shared with anyone
else. Plaxo is free, if you'd like to give it a try.

Thanks,
Kevin Klawon

P.S. I've attached my current information in a vcard. If you
get Plaxo too, we'll stay in touch automatically.



incorrect MAC

2003-06-05 Thread Kevin DeGraaf
I set up a mod_ssl server using:

  Apache 1.3.27
  mm 1.3.0
  mod_ssl 2.8.14
  OpenSSL 0.9.7b
  Slackware Linux 8.1

When I (attempt to) connect, Mozilla gives me this error:
"secure2.solidusdesign.com received a message with an incorrect Message
Authentication Code."  How do I fix this?

Here is the procedure I used:

OpenSSL: ./config && make install

mm: ./configure --disable-shared && make install

mod_ssl: ./configure --with-apache=../apache_1.3.27

Apache:

SSL_BASE=../openssl-0.9.7b \
EAPI_MM=../mm-1.3.0 \
./configure \
  --prefix=/usr/local/apache \
  --enable-module=so \
  --enable-module=ssl \
  --enable-shared=ssl \
  --enable-shared=rewrite \
  --enable-shared=speling \
  --disable-module=userdir \
  --htdocsdir=/var/www/htdocs \
  --cgidir=/var/www/cgi-bin \
  --runtimedir=/var/www/runtime \
  --logfiledir=/var/www/logs \
  --server-uid=apache \
  --server-gid=apache

--
Kevin DeGraaf





Re: problems with WebTV

2003-01-24 Thread Kevin
WebTV  has been behind all other browsers for years.  Their JavaScript VM
was so bad, that we actually checked for WebTV within the client and use a
JavaScript POPUP that stated that our site would not work.  My guess is,
this is just another area that did not get implemented.  I might add some
client code to check for WebTV and change all URL targets dynamically to
just use HTTP.  Let me know if you need help in that area.

Peace,
KevinK

- Original Message -
From: Christopher McCrory [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, January 23, 2003 2:36 PM
Subject: problems with WebTV


 Hello...

 We are having SSL problems with WebTV clients.  Static pages seem to
 work, but POSTs seem to break with the following SSL error:

 [Thu Jan 23 11:18:01 2003] [error] mod_ssl: SSL handshake failed: HTTP
 spoken on HTTPS port; trying to send HTML error page (OpenSSL library
 error follows)

 [Thu Jan 23 11:18:01 2003] [error] OpenSSL:
 error:1407609C:lib(20):func(118):reason(156)

 What voodoo do I need to adjust for this 0.01% of the market browser? ;)

 Server: Apache/1.3.27 (Unix)  (Red-Hat/Linux) mod_gzip/1.3.26.1a
 PHP/4.3.0 mod_ssl/2.8.12 OpenSSL/0.9.6b


 --
 Christopher McCrory
  The guy that keeps the servers running

 [EMAIL PROTECTED]
  http://www.pricegrabber.com

 Let's face it, there's no Hollow Earth, no robots, and
 no 'mute rays.' And even if there were, waxed paper is
 no defense.  I tried it.  Only tinfoil works.





Getting error in error log that was similar to slapper worm

2002-12-03 Thread Kevin



Hello --

I am running the Covalent release of apache 1.3.27, 
which has 0.9.6g of OpenSSL.

I am getting the following error in my error_log 
along with the apache service crashing, (The exact same error 
happened right as the slapper worm became prevalent):

[Mon Dec 2 16:18:17 2002] [error] [client 193.2.210.39] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /accept_mutex_on: No space left on device
[Mon Dec 2 16:18:25 2002] [alert] Child 8390 returned a Fatal error... Apache is exiting!
[Mon Dec 2 16:41:47 2002] [notice] jrApache[init] JRun 3.0 3.00.3664 Apache module - May 19 2000 13:00:51
[Mon Dec 2 16:41:50 2002] [warn] pid file /usr/local/apache1.3/logs/httpsd.pid overwritten -- Unclean shutdown of previous Apache run?
[Mon Dec 2 16:41:50 2002] [notice] jrApache[init] JRun 3.0 3.00.3664 Apache module - May 19 2000 13:00:51
[Mon Dec 2 16:41:51 2002] [notice] Apache/1.3.27 (Unix) secured_by_Covalent/1.6.0 configured -- resuming normal operations
[Mon Dec 2 16:41:51 2002] [notice] Accept mutex: sysvsem (Default: sysvsem)

I thought it was the slapper worm causing the 
server to crash. I have plenty of room on all disk partitions 
(including the root) and things look normal when running an 
ipcs. Has anyone seen this before or know what might be going wrong? 
This is the first time it has happened after upgrading to 1.3.27 with 
0.9.6g.

Thanks,
KevinK


Apache SSL

2002-05-03 Thread Kevin Smith




Hi All,
Does anyone know how to get round this problem when starting-up Apache 
SSL :

I have, /usr/local/bin/prngd /var/spool/prngd/pool, running so not 
sure what's wrong?

[Fri May 3 15:55:06 2002] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
[Fri May 3 15:55:06 2002] [error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
[Fri May 3 15:55:06 2002] [error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib

Many thanks,

Kevin Smith
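
The OpenSSL lines in this message, and the numeric-only `error:1407609C:lib(20):func(118):reason(156)` line in the WebTV thread above, carry the same packed 32-bit error code. The following Python triage helper is an added example, not code from mod_ssl or OpenSSL; it unpacks the code from error_log lines, assuming the layout used by the OpenSSL 0.9.x releases named on this page (8-bit library, 12-bit function, 12-bit reason). The log lines are the ones quoted on this page, rejoined onto single lines.

```python
import re

# Library numbers from OpenSSL's err.h, with the names OpenSSL prints.
# Only the libraries that occur in the logs on this page are listed.
LIB_NAMES = {
    3: "bignum routines",
    4: "rsa routines",
    20: "SSL routines",
    36: "random number generator",
}

ERROR_LINE = re.compile(
    r"^\[(?P<when>[^\]]+)\] \[error\] OpenSSL:\s*"
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<text>.*)$",
    re.MULTILINE,
)
# Form printed when the error strings were not loaded.
NUMERIC_TEXT = re.compile(r"lib\((\d+)\):func\((\d+)\):reason\((\d+)\)")


def unpack(code):
    """Split a legacy packed error code into (library, function, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_openssl_errors(log_text):
    """Return one dict per 'OpenSSL: error:XXXXXXXX:' line in log_text."""
    results = []
    for m in ERROR_LINE.finditer(log_text):
        lib, func, reason = unpack(int(m.group("code"), 16))
        numeric = NUMERIC_TEXT.search(m.group("text"))
        if numeric and tuple(map(int, numeric.groups())) != (lib, func, reason):
            raise ValueError("code and text disagree: %s" % m.group(0))
        results.append({
            "when": m.group("when"),
            "code": m.group("code").upper(),
            "lib": lib,
            "func": func,
            "reason": reason,
            "lib_name": LIB_NAMES.get(lib, "lib(%d)" % lib),
            # Reasons below 64 are generic: the number is the library whose
            # failure was propagated (here 3, printed as "BN lib").
            "caused_by": LIB_NAMES.get(reason) if reason < 64 else None,
        })
    return results


# Log lines quoted on this page (WebTV thread and this message).
PAGE_LOG = """\
[Thu Jan 23 11:18:01 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[Thu Jan 23 11:18:01 2003] [error] OpenSSL: error:1407609C:lib(20):func(118):reason(156)
[Fri May 3 15:55:06 2002] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
[Fri May 3 15:55:06 2002] [error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
[Fri May 3 15:55:06 2002] [error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib
"""

if __name__ == "__main__":
    for e in parse_openssl_errors(PAGE_LOG):
        note = " (propagated from %s)" % e["caused_by"] if e["caused_by"] else ""
        print("%s  %s  %s func=%d reason=%d%s" % (
            e["when"], e["code"], e["lib_name"], e["func"], e["reason"], note))
```

Read bottom-up, the 2002 entries form one chain: the RSA key generation failed because the bignum code failed, which in turn failed because the random number generator was not seeded.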


make certificate Doesn't Work, Apache 2.0.28, Unix, and mod_ssl

2001-12-11 Thread Kevin McQuiggin

Hi Group:

I want to create a dummy self-signed certificate.  Despite the Apache
documentation, make certificate in the top-level source directory doesn't
work.  There's no certificate: target in the Makefile.

Obviously once I have things working I'll be off to Verisign or Thawte for
a real cert.

I am working with Apache 2.0.28 under FreeBSD.  I tried searching the list
archive for this problem with no luck.  Any info appreciated, TIA.

Kevin

---
Kevin McQuiggin VE7ZD
[EMAIL PROTECTED]



Re: Installing mod_ssl as a dso module, without recompiling apache.

2001-08-08 Thread Deluca, Kevin

Steve,

Yes, you can do this.  Coincidentally I am going through this procedure
right now and I think I have it working.  I also have a similar
configuration to yours.  I'd recommend going through the mod_ssl
instructions and then you can let me know if you have any specific
questions.

Kevin

Steve Sharp wrote:
 
 Hello All,
 
 Sorry if this has been answered millions of times before but...
 
 Is it possible to install mod_ssl into a dso enabled apache server..
 
 I have OpenSSL already installed.
 
 The Machine is Sunsparc E450, with solaris 2.7 and apache 1.3.20
 
 Any Help would be gratefully accepted.
 
 Kind Regards,
 
 Steve Sharp.

-- 
Kevin DeLuca
Senior Software Engineer
INRI/Logicon
(401) 849-3524
[EMAIL PROTECTED]



compile produced httpd

2001-08-07 Thread Deluca, Kevin

Hello,

I am on Solaris 8 and building modssl 2.7.1 with apache 1.3.14.
I was able to follow the build instructions and get everything to
compile.  The problem is that I am getting an httpd program and not an
httpsd program.  Shouldn't there be an httpsd?  I've tried messing with
TARGET= in src/Configuration but it didn't help.

Thanks.

-- 
Kevin DeLuca
Senior Software Engineer
INRI/Logicon
(401) 849-3524
[EMAIL PROTECTED]



Cipher problem?

2001-06-05 Thread kevin
Hello,

I have recently set up mod_ssl2.6.6-25 with apache-1.3.12-25 on Linux 7.0

Everything (seems to) work with no problems except when trying to connect
with IE 5.0 on Mac (Japanese version with 128bit encryption).  On the
browser side I get an "Encryption Error" message, and the browser hangs.
Generally this happens before I can even see the page, however, on occasion
I have been able to send the form data, and the next page will half load,
with all the images broken.  From there I am then unable to move on to the
next https link.

 The ssl error logs state:

[Fri Jun  1 09:19:41 2001] [error] mod_ssl: SSL handshake interrupted by
system [Hint: Stop button pressed in browser?!] (System error follows)
[Fri Jun  1 09:19:41 2001] [error] System: Connection reset by peer (errno:
104)

I have spent the last couple of days searching the web for any clues, but
have found myself totally lost.  In vain attempts to remedy the problem
without knowing exactly what it was, I followed tips on other sites and made
sure some lines in my httpd.conf file look like below, but I don't see
anything else in httpd.conf I could do.  Everything I found seemed to vaguely
point to a problem with the ciphers, but how do I know what cipher the
client is using?

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

A rush order of a (hopefully) good SSL book is on its way but...

In the meantime, if anyone knows where I should start looking, or what the
problem might be related to, suggestions will be greatly appreciated.

Regards
Kevin Cameron



Re: Cipher problem?

2001-06-05 Thread kevin



 On Tue, 5 Jun 2001, kevin wrote:
  I have spent the last couple of days searching the web for any clues, but
  have found myself totally lost.  In vain attempts to remedy the problem
  without knowing exactly what it was, I followed tips on other sites and made
  sure some lines in my httpd.conf file look like below, but I don't see
  anything else in httpd.conf I could do.  Everything I found seemed to vaguely
  point to a problem with the ciphers, but how do I know what cipher the
  client is using?
 
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

 Kevin,

 What are you using for an SSL Session Cache?


Nate,

I didn't have a Session Cache set, so I guess it was on the default.
However,  I added

SSLSessionCache dbm:/usr/local/apache/logs/ssl_gcache_data

and everything works great now as far as I can see.  I guess I'll still read
my special order SSL book when it gets here though... so the $40 doesn't go
to waste :-).

Just wondering, does anybody know why is the default SSLSessionCache none?
If a visible speed difference can be seen with one set, and it allows some
browsers to actually use the site, what am I losing by setting one?

Thanks a lot,
Kevin Cameron




Re: [Mod_gzip] mod_gzip and SSL

2001-04-22 Thread Kevin Kiley


Hi Eli...
This is Kevin Kiley

 You wrote...

Hi Kevin/Ralf/etc.,

Until recently, it was impossible to manipulate Apache responses (other
than static content which a module can be written to serve) without
patching the core Apache. Apache 2.0 tries to overcome this problem, but
modules like mod_ssl had to insert many patches into the core source, a
painful requirement, and also a dependency on any version of Apache, and
need to update mod_ssl for any new version of Apache.

mod_gzip pretends to solve this problem.

There is no 'pretend'. It does it.

mod_gzip basically proves that it has ALWAYS been relatively 'easy' to
filter any kind of data coming from Apache from within Apache itself and
there really wasn't much need for an EAPI interface in the first place.
The mod_ssl folks just thought there was.

mod_gzip actually shows how easily the filtering can be done in several
different ways and on several different levels. The very first version of
mod_gzip ( December, 2000 ) did nothing more than add a 'gather buffer'
onto the same code that executes CGI programs and that worked for just
about all external CGI ( Perl, Python,  ColdFusion, etc ). The internal
streams coming from other modules that were actually part of Apache were
another story and the second version ( January, 2001 ) added a little more
'smarts' to the same 'gather buffer' approach. The latest version
( 1.3.19.1a ) was released a few days after Apache 1.3.19 was released so
it could be tested against the latest release of Apache and it actually
uses an entirely 'new' approach that works fine for both internal/external
data streams and/or static/dynamic content. It's a significant improvement
over the 'gather buffer' approach but it's interesting to note that both
approaches actually work AOK.

According to its documentation,
it manipulates not only static files, but also the output of other
modules. It comes as one C file (Apache module), without patching
anything else.

I'd appreciate if there are answers for my humble questions:

1. Am I wrong?  Or the "trick" was finally found?

You are not wrong... and it's not really a 'trick'. It simply uses standard
Apache API calls and it works all the way back to Apache 1.3.1 and
even farther than that if you are willing to simply compile it into the
core.

The only real limitation on the code as far as Apache version numbers go
is that the current release ( 1.3.19.1a ) makes use of the ap_regexec()
regular expression call to help 'filter' the request and response headers.
Apache didn't add the 'ap_regexec' stuff until around 1.3.6 so if you
want to use mod_gzip with something that pre-dates the addition of the
regular expression calls you simply must comment out the references.

2. Can this trick be used for other purposes? (such as SSL; Such a trick
   may be used to avoid the EAPI patches which are inserted into the
   core source of Apache)

mod_gzip can compress the output of mod_ssl just fine. It does it
before SSL performs the encryption. I believe Tim Frank was the
first to use mod_gzip to compress his SSL output and Henri Gomez
has posted a message to the forum just today describing how he
does it. There are actually a number of ways to 'do it'.

I have a 'test' version of mod_gzip here that simply has its own
calls to the OpenSSL libraries in it and it produces the same result
as using mod_gzip and mod_ssl together... but doesn't even require mod_ssl
and doesn't even require Apache to be re-compiled.

3. Does mod_gzip and mod_ssl (the current) run together?  Or is there
   any conflict?

No conflicts at all.

4. Is there any cost for this trick? (i.e. is EAPI/etc. more efficient?)

Define cost? The answer to that one is going to be pretty subjective, I'm
afraid.

It has always been a good idea to provide a 'connection level hook' in
Apache ( which is what EAPI provides ) and it should be added to the
standard code base so that you don't need the EAPI stuff to get it... but
whether this connection level 'hook' is really necessary to do certain
things or not is arguable.

5. Can your trick be used to manipulate the input (a.k.a. HTTP requests)
   and headers too?

Yes.

6. Is there any conflict with mod_proxy?

No.

 Can mod_gzip run together with
 mod_proxy?  Does it gzip its output too?

Yes. Matter of fact... that's one way to compress SSL.
You simply set up a Virtual Host that is SSL and use mod_proxy
to funnel the requests to/from the 'virtual' server and mod_gzip
takes care of the compression phase. Works great. See
message from Henri Gomez.

 (so you may add a reverse
 proxy to an existing web server, without touching it, but only
 speeding the output by compressing it externally)

Yep... but you really don't even need the 'reverse proxy' to do that
simple operation. The data that is 'leaving' Apache itself can already
be compressed.

   BTW: mod_proxy has been always HTTP/1.0 which is not supported by
   gzip, but recently ported to support 1.1 as well.

I don't kno

RE: SSL handshake interrupted

2001-04-09 Thread Kevin Payne

We had a similar problem.  During some experimentation I turned keepalive OFF
for the entire site.  We then began to have rejections on non-SSL
connections as well as SSL.  The problem also appeared to be network load
related (it would only occur during primary working hours).  I believe the
problem was actually due to our network configuration.  Our network would
pass thru a router doing Network Address Translation (NAT) before connecting
to the web server.  We replaced that connection with a different device
(firewall) and all of our problems disappeared.  I assume the router had a
problem with the increased number of connections created with keepalive OFF.

I would be interested to know if you have similar results by turning
keepalive OFF for the entire site. 

Kevin Payne
Chief Architect
Retailers Market Xchange
[EMAIL PROTECTED]
   

 -Original Message-
 From: David Rees [SMTP:[EMAIL PROTECTED]]
 Sent: Friday, April 06, 2001 5:41 PM
 To:   [EMAIL PROTECTED]
 Subject:  RE: SSL handshake interrupted
 
 It really sounds like keepalive is turned on.  Can you verify that keep
 alive is turned off?  Disable keepalive for the entire server if need be.
 
 I'm using MSIE 5.50.4522.1800 (128bit) here, and I've never had problems
 connecting.
 
 -Dave
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]On Behalf Of kreso
  Sent: Friday, April 06, 2001 5:28 PM
  To: [EMAIL PROTECTED]
  Subject: Re: SSL handshake interrupted
 
 
  We are using 5.50.4134.0100 MSIE
 
  The problem is that when we access secure site, we get rejected
  about 20% of
  times.
  The error message is the standard browser message:
  This page cannot be displayed at this time... etc...
 
  Once rejected, if we re-submit the request, just a second or less
  after the
  rejection - the very
  same request... the request will go through.
 
  Please let us know if you need more info, as this is very frustrating...
  Thanks
 
 __
 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  [EMAIL PROTECTED]
 Automated List Manager[EMAIL PROTECTED]



Problem: Apache + mod_ssl + PHP4 + Oracle 8i + mod_auth_oracle8

2000-07-26 Thread Kevin Hendrix

Hi.

I'm cross posting this message to the modssl-users and php-dev mailing lists 
because I don't know where the problem is at this time.  Any help or suggestions 
would be appreciated.

My environment is 
Redhat Linux 6.2
Apache 1.3.12
OpenSSL 0.9.5a
mod_ssl 2.6.5-1.3.12
mod_auth_oracle
PHP 4.0.1 pl2
Oracle 8i (8.1.6)

My problem is that Apache processes die from segmentation fault in certain 
circumstances only.  I have apache configured with a virtual server running
on port 80 and on port 443 (if SSL is enabled).  The server documentroot is
authenticated using mod_auth_oracle.  I have an alias to a non-authenticated
directory, also.  In each of the directories (auth and nonauth), I have a
simple PHP script that connects to Oracle and calls the OCIServerVersion() 
PHP function.

An apache process dies in segmentation fault when the 2nd PHP document that
calls Oracle is requested ONLY when
- Apache is running in SSL mode, e.g.:
./httpd -DSSL -X
- The PHP document that connects to oracle uses a persistent oracle
connection by using the OCIPLogon() PHP function.
- The first PHP document that uses Oracle is in the 'authenticated'
portion of the web site.

I've tried a number of things already in my attempts to identify where the
problem is.
- I've compiled each module (auth_oracle, PHP, and mod_ssl) static
and as DSO in many combinations ... the problem exists the
same in all cases.
- The problem exists connecting to the web server on port 80 or SSL 
on port 443.
- Run apache without SSL enabled (using the same binary), the 
problem goes away.
- Make the 1st PHP document that calls Oracle in the non-authenticated
branch of the documentroot, the problem goes away.
- Change the PHP document to use a normal oracle connection, OCILogon()
rather than OCIPlogon(), the problem goes away.

A gdb stack trace follows:

Starting program: /usr/apache/1.3.12/bin/./httpd -X -DSSL

Program received signal SIGSEGV, Segmentation fault.
0x4016201c in kpuvers () from /usr/oracle/product/8.1.6/lib/libclntsh.so.8.0
(gdb) where
#0  0x4016201c in kpuvers ()
   from /usr/oracle/product/8.1.6/lib/libclntsh.so.8.0
#1  0x40198b71 in OCIServerVersion ()
   from /usr/oracle/product/8.1.6/lib/libclntsh.so.8.0
#2  0x80ca091 in php_if_ociserverversion (ht=1, return_value=0x8368dbc, 
this_ptr=0x0, return_value_used=1) at oci8.c:3781
#3  0x813f5fc in execute (op_array=0x82e93f4) at ./zend_execute.c:1558
#4  0x813f7e1 in execute (op_array=0x82e9394) at ./zend_execute.c:1598
#5  0x813f7e1 in execute (op_array=0x8368264) at ./zend_execute.c:1598
#6  0x80ac8fb in php_execute_script (primary_file=0xb8ec) at main.c:1157
#7  0x8125120 in apache_php_module_main (r=0x8315bc0, fd=26, 
display_source_mode=0) at sapi_apache.c:93
#8  0x80aa6ab in send_php ()
#9  0x80aa6ec in send_parsed_php ()
#10 0x8149123 in ap_invoke_handler ()
#11 0x815cad9 in process_request_internal ()
#12 0x815cb3c in ap_process_request ()
#13 0x815434e in child_main ()
#14 0x81544fc in make_child ()
#15 0x8154659 in startup_children ()
#16 0x8154c86 in standalone_main ()
#17 0x8155423 in main ()
#18 0x407359cb in __libc_start_main (main=0x81550cc main, argc=3, 
argv=0xbaa4, init=0x80827c4 _init, fini=0x81f70fc _fini, 
rtld_fini=0x4000ae60 _dl_fini, stack_end=0xba9c)
at ../sysdeps/generic/libc-start.c:92
(gdb) quit

This is clearly a crash in the PHP module.  My guess is that "something" is 
blowing away the persistent connection identifier in PHP when it is used in
conjunction with mod_ssl and mod_auth_oracle.  Any ideas on how / where to
proceed from here?  I'm all tapped out.

thanks!
kevin
-- 
Kevin Hendrix
Programmer - PennyPI, LLC.
[EMAIL PROTECTED]
http://www.pennypi.com/
-
"I'd like to live as a poor man with lots of money." 
  -Pablo Picasso



sign.sh error

2000-07-16 Thread Kevin McGrath

I just started using OpenSSL and ModSSL and when making a custom
certificate I get this error when I run sign.sh:

su-2.03# ./sign.sh server.csr
CA signing: server.csr - server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName   :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'Maryland'
localityName  :PRINTABLE:'Crofton'
organizationName  :PRINTABLE:'BAK Internet Solutions'
commonName:PRINTABLE:'BAKNet, Inc.'
emailAddress  :IA5STRING:'[EMAIL PROTECTED]'
Certificate is to be certified until Jul 16 04:52:18 2001 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt - CA cert
server.crt: /C=US/ST=Maryland/L=Crofton/O=BAK Internet Solutions/CN=BAKNet,
Inc.
[EMAIL PROTECTED]
error 7 at 0 depth lookup:certificate signature failure 


What is this error and how can I fix it?

-Thanks
Kevin McGrath



common practice for giving passphrase at startup?

2000-06-08 Thread Lewandowski, Kevin S

Hi all, regarding the SSLPassPhraseDialog option, I don't think it's
practical for an admin to type in the pass phrase every time apache is
restarted (builtin mode). I'm temporarily using a script which just echoes
the passphrase (exec mode). I'm wondering how other people are handling
this? Any other ideas out there?

thanks
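
One alternative to a script with the pass phrase hard-coded in it, as an added example that is not part of the original post or of mod_ssl itself: an exec-mode helper that prints the pass phrase from a per-host file and refuses any file whose mode is not 400 or 600. The directory /etc/httpd/passphrases and the file naming scheme are assumptions made for this example.

```shell
#!/bin/sh
# Added example: helper for "SSLPassPhraseDialog exec:/path/to/this-script".
# mod_ssl runs the program with two arguments, "servername:port" and the
# key algorithm (RSA or DSA), and reads the pass phrase from its stdout.

# Assumed layout (hypothetical): one file per virtual host, named
# <servername>_<port>.<algorithm>, kept in a directory only root can enter.
PASS_DIR="${PASS_DIR:-/etc/httpd/passphrases}"

# perm_bits FILE -> octal mode such as 600 (GNU stat first, then BSD stat)
perm_bits() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# get_passphrase SERVER:PORT ALGORITHM
# Prints the first line of the matching file; non-zero status on any doubt.
get_passphrase() {
    server_port=$1
    algo=$2

    # Accept only characters that can appear in host:port, so the
    # argument can never walk out of PASS_DIR.
    case $server_port in
        ''|*[!A-Za-z0-9.:_-]*) echo "bad server id" >&2; return 2 ;;
    esac
    case $algo in
        RSA|DSA) ;;
        *) echo "unexpected algorithm: $algo" >&2; return 2 ;;
    esac

    file="$PASS_DIR/$(printf '%s' "$server_port" | tr ':' '_').$algo"

    # Must be a regular file, not a symlink someone planted.
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "no pass phrase file for $server_port" >&2
        return 3
    fi

    # Refuse anything group or others could read or write.
    mode=$(perm_bits "$file") || return 4
    case $mode in
        400|600) ;;
        *) echo "refusing $file: mode $mode is too open" >&2; return 4 ;;
    esac

    # Only the first line is the pass phrase; an empty file is an error.
    IFS= read -r phrase < "$file" || [ -n "$phrase" ] || return 5
    printf '%s\n' "$phrase"
}

# When Apache executes the script it passes exactly two arguments.
if [ $# -eq 2 ]; then
    get_passphrase "$@"
fi
```

The pass phrase file needs the same protection as the key itself, since anyone who can read both can decrypt the key.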



truerand.c and compiler optimization

2000-04-15 Thread Kevin Steves

Compiling truerand.c with HP's compiler and +O3 generates
a number of warnings:

cc: truerand(): warning 6005: Infinite loop detected. Check for spinning on 
non-volatile variable. (6005)
cc: n_truerand(): warning 6005: Infinite loop detected. Check for spinning on 
non-volatile variable. (6005)

And it does go into an infinite loop when run.

The following patch seems to fix this:

--- pkg.contrib/truerand.c~ Thu Jul 29 15:59:07 1999
+++ pkg.contrib/truerand.c  Thu Apr 13 14:48:50 2000
@@ -48,7 +48,7 @@
 #include sys/time.h
 
 static jmp_buf env;
-static unsigned count;
+volatile static unsigned count;
 static unsigned ocount;
 static unsigned buffer;
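
Review bot: only count becomes volatile at line 51, while the compiler warned about spinning on a non-volatile variable in both truerand() and n_truerand(); please confirm that both loops wait on count, and that ocount and buffer, which stay plain static in this hunk, are never read in a loop that waits for an asynchronous update. As a style point, put the storage class first, "static volatile unsigned count;", which is the conventional order and avoids the warning some compilers give when the storage-class specifier is not first. A one-line comment on the declaration saying why it must stay volatile would keep a later cleanup from reintroducing the infinite loop at +O3.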




patch: HP-UX SSLMutex sem

2000-03-27 Thread Kevin Steves

HP-UX has SysV semaphores, and this patch permits "SSLMutex sem" on that
platform (patch is against mod_ssl-2.6.0-1.3.12):

--- pkg.sslmod/mod_ssl.h~   Thu Feb 24 20:51:13 2000
+++ pkg.sslmod/mod_ssl.hMon Feb 28 17:53:54 2000
@@ -261,7 +261,8 @@
  __FreeBSD_version = 30) ||\
 (defined(LINUX)  defined(__GLIBC__)  defined(__GLIBC_MINOR__) \
  LINUX = 2  __GLIBC__ = 2  __GLIBC_MINOR__ = 1) ||\
-defined(SOLARIS2)
+defined(SOLARIS2) ||\
+defined(__hpux)
 #define SSL_CAN_USE_SEM
 #define SSL_HAVE_IPCSEM
 #include sys/types.h
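
Review bot: the new defined(__hpux) test is unconditional, whereas the FreeBSD and Linux branches just above it are gated on __FreeBSD_version and on glibc version numbers; please say in the patch description or in a comment which HP-UX releases this was built and run on, so it is clear the semaphore path is safe to enable for every compiler that defines __hpux. The neighbouring tests use build-supplied platform names (LINUX, SOLARIS2) rather than a compiler predefine, so if the Apache build already supplies an equivalent name for HP-UX, using it here would keep the condition consistent. Since SSL_CAN_USE_SEM and SSL_HAVE_IPCSEM are now defined on this platform, a matching note in the SSLMutex documentation that "sem" is accepted on HP-UX belongs in the same change.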





Re: SOLARIS 2.6

2000-03-19 Thread Kevin Lichwalla

Use OpenSSL 0.9.4 and you will find that you have better luck. I had 
the same problem.

Kevin

At 11:44 AM 3/17/00 +0100, you wrote:
On Fri, 17 Mar 2000, jessie wrote:

 
  I reinstalled Solaris 2.6
  and now i'm trying to install apache 1.3.12 with SSL module.
  I was able to compile openSSL 0.9.5 with just the default settings.
  I ran make test on my compilation and everything worked 
  I then applied the mod_ssl 2.6.1 patches to the apache source tree ...
  again no errors
  I then configured the apache source using
 
  SSL_BASE=../openssl0.9.5 \
  ./configure \
  --enable-module=ssl \
  --prefix=/usr/local/apache
 
  everything worked ... i then ran make and everything compiled
  now i wanted to build test certificates so i ran
  make certificates
  then i just used all the defaults and then it asked me to enter a
  passphrase
  to encrypt the private key .. I entered 'test' twice then i got an
  ERROR message:
 
  unable to write key
  26918:error:24064064:random number generator:SSLEAY_RAND_BYTES:
  prng not seeded:md_rand.c:470:
  mkcert.sh:Error: Failed to encrypt RSA private key
 
  can anyone help me?

i got an error like this in a solaris 2.7+apache-1.3.12 when i configured
openssl-0.9.5 as solaris-sparcv9-gcc.

i changed that with solaris-sparcv7-gcc and it works fine.

--

  david manyé i robert
  departament d'enginyeria informàtica i matemàtiques
  universitat rovira i virgili
  autovia de salou, s/n
  43006 tarragona

  tel.: 977-559706
  e-mail: [EMAIL PROTECTED]




Re: browser hangs on ssl

1999-06-10 Thread Kevin Baker

HI,

the www.global.XXX addresses I used were pure example. So that is not the
problem. Sorry for the confusion. I should have made it more obvious.


On Thu, 10 Jun 1999, Andrew Hougie wrote:

 Is it as simple as - www.global.com is a valid address with working name
 servers, while the name servers for www.global.net are down:
 
 Query:All records (ALL):www.global.com
 Authoritative Answer
 www.global.comA   206.40.50.1
 global.comNS  global.com
 global.comNS  east.mainstreet.net
 global.comNS  west.mainstreet.net
 global.comA   206.40.50.1
 east.mainstreet.net   A   199.245.73.9
 west.mainstreet.net   A   207.5.0.40
 Complete: www.global.com
 
 Query:All records (ALL):www.global.net
 Name server failed
 Complete:NO_DATA www.global.net
 Query:All records (ALL):global.net
 global.netNS  AUTH1.GEO.net
 global.netNS  AUTH2.GEO.net
 global.netNS  AUTH1.GEO.net
 global.netNS  AUTH2.GEO.net
 AUTH1.GEO.net A   166.90.0.1
 AUTH2.GEO.net A   209.0.0.1
 Complete: global.net
 
  www.global.net
 Server:  auth1.geo.net
 Address:  166.90.0.1
 
 *** auth1.geo.net can't find www.global.net: Server failed
  www.global.net
 Server:  auth2.geo.net
 Address:  209.0.0.1
 
 *** auth2.geo.net can't find www.global.net: Server failed
 
 
 
 On Thu, 10 Jun 1999 11:17:29 +0900 (JST), you wrote:
 
  It does not seem port 443 is accepting.  How do you know you have apache
  listening on 443 if s_client cannot connect to it?
 
 s_client will connect to the server defined in Section 1 of the httpd.conf
 
 ServerName  www.global.com
 DocumentRoot /doc/root
 
 <VirtualHost www.global.com:443>
 # use defaults from section 1
 SSLEngine on
 SSLCertificateFile /opt/apache/conf/ssl.crt/global_com.crt
 SSLCertificateKeyFile /opt/apache/conf/ssl.key/global_com.key
 SSLCACertificatePath /opt/apache/conf/ssl.crt
 SSLVerifyClient none
 SSLVerifyDepth  10
 SSLOptions +FakeBasicAuth
 SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
 </VirtualHost>
 
 <VirtualHost www.global.net:443>
 ServerName www.global.net
 DocumentRoot /global/net
 AddHandler cgi-script .cgi
 SSLEngine on
 SSLCACertificatePath  /opt/apache/conf/ssl.crt
 SSLCertificateFile /opt/apache/conf/ssl.crt/global_net.crt
 SSLCertificateKeyFile /opt/apache/conf/ssl.key/global_net.key
 SSLVerifyClient none
 SSLVerifyDepth 10
 SSLOptions +FakeBasicAuth
 SSLLog   /global/net/logs/ssl.log
 SSLLogLevel info
 </VirtualHost>
 
 
 s_client will connect to www.global.com. no problem
 s_client will hang when trying to connect to www.global.net
 
 So to my understanding the server is answering on 443.
 But for some reason it is not answering when I use a different
 ServerName/DocumentRoot. ie, when I'm overriding the section 1 defaults.
 
 perplexed
 
 Kev
 
 
 -
 Andrew Hougie, Rainbow House, London, England, NW6 1QE
 Email: [EMAIL PROTECTED]WWW: http://www.hougie.co.uk



RE: browser hangs on ssl

1999-06-10 Thread Kevin Baker

Hmmm, not seeing that behaviour here,

here are the two links that are showing the behaviour I'm describing.

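+-------------------------------------------+--------+-----------+----------+
| Site                                      | IE 4.0 | Nets 4.08 | s_client |
+-------------------------------------------+--------+-----------+----------+
| https://www.twics.com/signup/signup.cgi   | works  | works     | works    |
| https://www.twics.co.jp/signup/signup.cgi | hangs  | hangs     | hangs    |
+-------------------------------------------+--------+-----------+----------+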

the www.twics.com link works fine. the www.twics.co.jp link which is a
virtual ip based host on the same server hangs.

Kev


On Thu, 10 Jun 1999, Rob Bastille wrote:

 I seem to be having the same problem that is being listed; however, it is 
 ONLY in Netscape.  IE 4.0+ accesses the server just fine.  Netscape 
 (version 4.53+) hangs.
 
 Rob Bastille
 IT Department Manager
 WildcatBlue.Com - http://www.wildcatblue.com/
 First Computer Solutions, Inc. - http://fcomsolutions.com/
 (606) 625-9453 (Voice)
 (606) 624-1233 (Fax)
 
 "The soul would have no rainbow had the eyes no tears"
 
 -Original Message-
 From: Lin Geng [SMTP:[EMAIL PROTECTED]]
 Sent: Wednesday, June 09, 1999 9:20 PM
 To:   [EMAIL PROTECTED]
 Subject:  Re: browser hangs on ssl
 
 It does not seem port 443 is accepting.  How do you know you have apache
 listening on 443 if s_client cannot connect to it?
 
 Cheers
 
 -Original Message-----
 From: Kevin Baker [EMAIL PROTECTED]
 To: [EMAIL PROTECTED] [EMAIL PROTECTED]
 Date: Tuesday, June 08, 1999 11:32 PM
 Subject: browser hangs on ssl
 
 
 Hi,
 
 
 
 I upgraded our web server last week from Apache 1.2 to
 
mod_ssl-2.2.8   apache_1.3.6   openssl-0.9.2b  HP-UX B.10.20
 
 The old httpd.conf was quite large due to a lot of virtual ip hosts. Some
 of which were SSL. I copied it across and cleaned it up to go with the new
 layout from httpd.conf.default.
 
 Now, on the real ip of the server we have port 80 & 443 available.
 And this works fine (80 & 443).
 
 DocumentRoot /path/to/doc/root
 Port 80
 Listen 80
 Listen 443
 <VirtualHost real_ip:443>
 SSLEngine on
 </VirtualHost>
 
 However _any_ other virtual host that lies on port 443 causes the
 browser to hang when it connects, eventually my netscape replies with...
   'There was no response. The server could be down or is not responding'
 
 Any ideas?
 
 Yes I
1) run  with -DSSL
2) Have Listen 443
3) Have SSLEngine on
 
 I know that 1 & 2 work because SSL works on the real_ip address. The real
 ip is using the default ip from section 1 of the httpd.conf and the
 default certs too. Could there be something there that is messing up the
 others? I used s_client to test the others but it timed out with
 
 $ s_client -connect not_working_ip:443 -state -debug
 connect: Connection timed out
 connect:errno=238
 
 
 
 I looked over the mailing list archive at www.progressive-comp.com but
 couldn't find anything that pin pointed this problem exactly.
 
 ---  
 
the idea here being eventually have my own ship/boat, an old 
 minesweeper
would be great, and do trips etc,...then stock up on weaponry and do a
sly job on the south sea pirates. I can see it now, innocent looking
older ship takes on pirates and reveals a hidden agenda.
 ---  
 
 



Re: browser hangs on ssl

1999-06-09 Thread Kevin Baker

 It does not seem port 443 is accepting.  How do you know you have apache
 listening on 443 if s_client cannot connect to it?

s_client will connect to the server defined in Section 1 of the httpd.conf

ServerName  www.global.com
DocumentRoot /doc/root

<VirtualHost www.global.com:443>
# use defaults from section 1
SSLEngine on
SSLCertificateFile /opt/apache/conf/ssl.crt/global_com.crt
SSLCertificateKeyFile /opt/apache/conf/ssl.key/global_com.key
SSLCACertificatePath /opt/apache/conf/ssl.crt
SSLVerifyClient none
SSLVerifyDepth  10
SSLOptions +FakeBasicAuth
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>

<VirtualHost www.global.net:443>
ServerName www.global.net
DocumentRoot /global/net
AddHandler cgi-script .cgi
SSLEngine on
SSLCACertificatePath  /opt/apache/conf/ssl.crt
SSLCertificateFile /opt/apache/conf/ssl.crt/global_net.crt
SSLCertificateKeyFile /opt/apache/conf/ssl.key/global_net.key
SSLVerifyClient none
SSLVerifyDepth 10
SSLOptions +FakeBasicAuth
SSLLog  /global/net/logs/ssl.log
SSLLogLevel info
</VirtualHost>


s_client will connect to www.global.com. no problem
s_client will hang when trying to connect to www.global.net

So to my understanding the server is answering on 443.
But for some reason it is not answering when I use a different
ServerName/DocumentRoot. ie, when I'm overriding the section 1 defaults.

perplexed

Kev




browser hangs on ssl

1999-06-08 Thread Kevin Baker

Hi,



I upgraded our web server last week from Apache 1.2 to

   mod_ssl-2.2.8   apache_1.3.6   openssl-0.9.2b  HP-UX B.10.20

The old httpd.conf was quite large due to a lot of virtual ip hosts. Some
of which were SSL. I copied it across and cleaned it up to go with the new
layout from httpd.conf.default.

Now, on the real ip of the server we have port 80 & 443 available.
And this works fine (80 & 443).

DocumentRoot /path/to/doc/root
Port 80
Listen 80
Listen 443
<VirtualHost real_ip:443>
SSLEngine on
</VirtualHost>

However _any_ other virtual host that lies on port 443 causes the
browser to hang when it connects, eventually my netscape replies with...
  'There was no response. The server could be down or is not responding'

Any ideas?

Yes I
   1) run  with -DSSL
   2) Have Listen 443
   3) Have SSLEngine on

I know that 1 & 2 work because SSL works on the real_ip address. The real
ip is using the default ip from section 1 of the httpd.conf and the
default certs too. Could there be something there that is messing up the
others? I used s_client to test the others but it timed out with

$ s_client -connect not_working_ip:443 -state -debug
connect: Connection timed out
connect:errno=238



I looked over the mailing list archive at www.progressive-comp.com but
couldn't find anything that pin pointed this problem exactly.

---
   the idea here being eventually have my own ship/boat, an old minesweeper
   would be great, and do trips etc,...then stock up on weaponry and do a 
   sly job on the south sea pirates. I can see it now, innocent looking 
   older ship takes on pirates and reveals a hidden agenda. 
---




Re: [BugDB] SSLRequireSSL in .htaccess (PR#44)

1998-11-09 Thread Kevin West

I *think* all you need to allow SSLRequireSSL in .htaccess is
AllowOverride FileInfo.

On Mon, 9 Nov 1998 [EMAIL PROTECTED] wrote:

 Full_Name: Mark Wagner
 Version: 2.0.15
 OS: Linux
 Submission from: cdsl55.sttl.uswest.net (209.180.204.55)
 
 
 I want to use SSLRequireSSL in an .htaccess file.
 
 Since the override for this directive is "not applicable" it seems as
 though AllowOverride must be set to All for this directory in
 access.conf.
 
 I could just add the SSLRequireSSL in a Directory context for the
 dir in access.conf but this requires me to be able to edit that file.
 
 Is there any way a user without write capability to access.conf
 can make a directory require SSL without opening AllowOverride wide?
 
 
 __
 Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
 Official Support Mailing List   [EMAIL PROTECTED]
 Automated List Manager   [EMAIL PROTECTED]
 




SSLRequireSSL

1998-10-29 Thread Kevin West

I've been trying to get SSLRequireSSL to work from .htaccess, so I can
make certain directories require ssl.  Nothing I do seems to work, and if
I try to access a dir with SSLRequireSSL in the .htaccess, I get this
error:

Internal Server Error

The server encountered an internal error or misconfiguration and was
unable to complete your request.

Please contact the server administrator, [EMAIL PROTECTED] 
and inform them of the time the error occurred, and anything
you might have done that may have caused the error.

/home/tool/public_html/.htaccess: SSLRequireSSL not allowed here


Is there something specific I need to do to allow SSLRequireSSL
in .htaccess?  Everything else works like it should except for this.

Any help would be greatly appreciated.

Thanks,
Kevin West
