Re: mod_ssl in frontend-backend Apache configuration

2000-02-02 Thread Khimenko Victor

1-Feb-00 13:11 you wrote:
> I saw some discussions about configuration of "lightweight"
> mod_proxy+mod_ssl server and mod_perl server.
> But, sorry, I can't call mod_proxy+mod_ssl "light" server. Mod_ssl adds a 1
> Meg to size of process.

Who cares ? 1MiB or 20MiBs - no matter. It's just shared code. Real non-shared
data for each apache copy is typically 40-50KiB's and usually tolerable.

> Btw, it seems to be offtopic, but are there any tool kinda 'top' that shows
> really used memory, because top shows:

Heh. If you want to show "really used memory" you must define such thing first.
In current *nix'es (including Linux; in fact ESPECIALLY in Linux) there is
no such thing as "really used memory". If you have pages shared between all
apache copies (like mod_ssl configuration data) - is it "really used memory"
or not ? What about libmm's shared memory ? glibc is mapped in [almost]
all processes in system - is it "really used memory" or not ? When you malloced
100MiB and did not use it - is it "really used memory" (in such case Linux will
not allocate virtual memory till first write!) ? Etc, etc, etc.

> --
> 134 processes: 133 sleeping, 1 running, 0 zombie, 0 stopped
> CPU states:  2.2% user,  3.3% system,  0.0% nice, 94.8% idle
> Mem:  128396K av, 125284K used,   3112K free, 127332K shrd,   7976K buff
> Swap: 130748K av,   3924K used, 126824K free 52540K cached

>   PID USER PRI  NI  SIZE  RSS SHARE STAT  LIB %CPU %MEM   TIME COMMAND
> 28358 apache 0   0 17160  16M 11224 S   0  0.0 13.3   0:01 libhttpd.ep
> 28361 apache 0   0 16920  16M 11272 S   0  0.0 13.1   0:01 libhttpd.ep
> 28357 apache 0   0 16876  16M 11260 S   0  0.0 13.1   0:01 libhttpd.ep
> 28356 apache 0   0 16396  16M 11320 S   0  0.0 12.7   0:01 libhttpd.ep
> 28351 root   0   0 14316  13M 14188 S   0  0.0 11.1   0:01 libhttpd.ep
> 28359 apache 0   0 14312  13M 14192 S   0  0.0 11.1   0:00 libhttpd.ep
> 28360 apache 0   0 14312  13M 14192 S   0  0.0 11.1   0:00 libhttpd.ep
> 28339 apache 0   0  1912 1912  1492 S   0  0.0  1.4   0:00 libhttpd.ep
> 28346 apache 0   0  1720 1720  1488 S   0  0.0  1.3   0:00 libhttpd.ep
> 28344 apache 0   0  1712 1712  1488 S   0  0.0  1.3   0:00 libhttpd.ep
> 28337 apache 0   0  1672 1672  1472 S   0  0.0  1.3   0:00 libhttpd.ep
> 28343 apache 0   0  1672 1672  1472 S   0  0.0  1.3   0:00 libhttpd.ep
> 28341 apache 0   0  1664 1664  1468 S   0  0.0  1.2   0:00 libhttpd.ep
> 28338 apache 0   0  1660 1660  1468 S   0  0.0  1.2   0:00 libhttpd.ep
> 28345 apache 0   0  1660 1660  1472 S   0  0.0  1.2   0:00 libhttpd.ep
> 28340 apache 0   0  1656 1656  1468 S   0  0.0  1.2   0:00 libhttpd.ep
> 28342 apache 0   0  1652 1652  1464 S   0  0.0  1.2   0:00 libhttpd.ep
> 28273 root   1   0  1536 1536  1388 S   0  0.2  1.1   0:00 libhttpd.ep
> .
> --
> 125284K used - is it real value ??

Looks so. And it's great: almost all memory is used - this means that your server
does not swap hard and then throw out loaded pages (it can do other nasty
things of course but in Linux a situation where you have PLENTY of free memory is
the alarm, not situations where [almost] all available memory is used).

> I ask because Shared memory is greater than used :) I think this is
> impossible.

Hmm. Here I see even more strange shared memory value:
-- cut --
  5:20am  up 12 days, 13:49,  8 users,  load average: 3.74, 3.59, 3.91
253 processes: 248 sleeping, 5 running, 0 zombie, 0 stopped
CPU states: 143.7% user, 29.3% system,  0.0% nice,  0.0% idle
CPU0 states: 73.0% user, 14.3% system,  0.0% nice, 13.0% idle
CPU1 states: 70.6% user, 15.0% system,  0.0% nice, 14.6% idle
Mem:  254748K av, 251876K used,   2872K free,  0K shrd,   2068K buff
Swap: 240960K av,  10492K used, 230468K free 65828K cached

  PID USER PRI  NI  SIZE  RSS SHARE STAT MCPU %CPU %MEM   TIME COMMAND
 5197 root   0   0 55112  53M 0 S  0   0.0 21.6   4:17 mirror
16843 apache 0   0  6516 6516  5980 S  1   0.0  2.5   0:00 apache
16914 apache 0   0  6372 6372  5912 S  1   0.0  2.5   0:00 apache
15778 apache 0   0  6228 6228  5948 S  1   0.0  2.4   0:00 apache
16549 apache 0   0  6224 6224  5948 S  0   0.0  2.4   0:00 apache
16546 apache 0   0  6216 6216  5948 S  0   0.0  2.4   0:00 apache
16912 apache 0   0  6216 6216  5948 S  1   0.0  2.4   0:00 apache
16913 apache 0   0  6216 6216  5948 S  1   0.0  2.4   0:00 apache
16942 apache 0   0  6216 6216  5948 S  0   0.0  2.4   0:00 apache
 7939 root   0   0  5992 5992  5816 S  1   0.0  2.3   0:25 apache
 8032 apache 0   0  4408 4408  3940 S  1   0.0  1.7   0:00 apache
-- cut --
Since all works just fine I do not bother much.

> Memory - is a main reason why I wanna place mod

Re: [BugDB] gunzip (PR#261)

1999-08-03 Thread Khimenko Victor

3-Aug-99 23:15 you wrote:
>> Either your gzip is broken or (what I think is more true) you downloaded
>> incorrectly. Perhaps via FTP but without Binary mode or via HTTP and your

> If you downloaded via http/netscape, try rename the file to {file}.gz
> and then gunzip it ...  My netscape messes things up like that - removes
> the extension without uncompressing !

Are you sure that it was not unpacked ? At least some versions of netscape
WILL unpack files without asking if they see "Content-Encoding: x-gzip"
and www.mod_ssl.org gives it:

-- cut --
$ telnet www.modssl.org 80
Trying 129.132.7.171...
Connected to world.modssl.org.
Escape character is '^]'.
HEAD /source/mod_ssl-2.3.11-1.3.6.tar.gz HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 04 Aug 1999 03:00:42 GMT
Server: Apache/1.3.6 (Unix) mod_perl/1.20 mod_ssl/2.3.5 OpenSSL/0.9.3a DAV/0.9.8
Last-Modified: Tue, 03 Aug 1999 10:05:21 GMT
ETag: "4e4a5-9fbbf-37a6bee1"
Accept-Ranges: bytes
Content-Length: 654271
Connection: close
Content-Type: application/x-tar
Content-Encoding: x-gzip

Connection closed by foreign host.
-- cut --


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: mod_ssl for apache 1.2.6?

1999-08-03 Thread Khimenko Victor

3-Aug-99 22:37 you wrote:
> "Holdich, Kristian" wrote:
>>
>> why don't you build a 1.3.6 apache with mod_ssl and mod_proxy / mod_rewrite,
>> run it on port 80 and proxy the connection to the old version of apache?
>> This works nicely for us.
>>
>> Kristian

> how's the speed with this setup? i found apache 1.2.6 with oracle
> modules to be
> _at least_ twice as fast as oracle's webserver that comes with oas
> 4.0.7.

If you need SSL, speed is not an issue anymore. SSL is VERY processor-intensive
so you'll get at most 10-20 connections per second. Additional timeout from
ping-pong between 1.2.6 and 1.3.6 will be dwarfed by SSL timeout on any
decent OS...





Re: Possible FAQ?

1999-08-01 Thread Khimenko Victor

30-Jul-99 18:29 you wrote:
> First, I apologize if this is a FAQ, I did a search on the archive
> but didn't find anything useful.
> Here's my setup:
>   RedHat 6.0 with all updates
>   apache-1.3.6-7 rpm

> I've downloaded and compiled openssl-0.9.3a
> I've also downloaded modssl-2.3.10-1.3.6

> Here's my question. I'm trying to get modssl installed as a DSO with
> the line
>   ./configure --with-apxs=/usr/sbin/apxs --with-ssl=/usr/local/ssl

[skipped]

> Does RedHat do something to their Apache build to compile with EAPI
> support and yet not with any -DEAPI defines? I've noticed them in the
> mod_ssl source and assume that's what its testing for. I have no
> problems recompiling Apache and mod_ssl but I would like to think
> that this should work. Am I completely in the wrong? Thanks.

You ARE completely wrong. EAPI contains crypto-hooks so Apache with applied
EAPI is non-exportable from US. Now RedHat is a US company, you know. And RedHat
Linux is distributed world-wide. So they CAN not apply EAPI to Apache even if
they want to... It is in the FAQ somewhere AFAIK...





Re: mutex ipc semaphore

1999-07-29 Thread Khimenko Victor

28-Jul-99 13:14 you wrote:
> On Wed, Jul 28, 1999, Simon Weijgers wrote:

>> I can't seem to find a configure option to enable ipc semaphore support
>> in modssl. Does this mean it isn't stable yet?

> From the user manual under "SSLMutex":
> (http://www.modssl.org/docs/2.3/ssl_reference.html)

> o sem

>   This is the most elegant but also most non-portable Mutex variant
>   where a SysV IPC Semaphore (under Unix) and a Windows Mutex (under
>   Win32) is used when possible. It is only available when the underlying
>   platform supports it.

Hmm ?
-- mod_ssl.h --
[ skipped ]
#ifdef USE_SYSVSEM_SERIALIZED_ACCEPT
#define SSL_CAN_USE_SEM
#define SSL_HAVE_IPCSEM
#include 
#include 
#include 
#endif
[ skipped ]
-- cut --
Looks like it's supported when USE_SYSVSEM_SERIALIZED_ACCEPT is defined...
The problem is... it's NEVER defined :-(( At least rgrep can find EXACTLY
one place where USE_SYSVSEM_SERIALIZED_ACCEPT is used: this ifdef in mod_ssl.h
Neither configure nor mod_ssl.h itself can define it so it's not clear how
it can be used at all :-/ When -DUSE_SYSVSEM_SERIALIZED_ACCEPT was added to
CFLAGS by hand `SSLMutex: sem' was accepted but I'm not sure if it works...
I hope so since Linux SUPPORTS SysV IPC but still...





RE: SSL variables running APACHE on Windows NT 4.0

1999-07-23 Thread Khimenko Victor

23-Jul-99 09:03 you wrote:
> Hi Ralf,
> it's me again. I don't understand the use of ap_hook_use and how it would
> solve my problem. In my modules "URI to filename translation" phase I'd like
> to call the ssl's module handler "ssl_hook_fixup" which is setting up all
> SSL variables so they would be available to me immediately after the call to
> ssl_hook_fixup returns. Is there a way to do that right now?

No. Not easy, anyway...

> I read the documentation provided in ap_hook.c but I don't understand the
> workings I also would appreciate a short explanation of how ap_hook_use
> works. Must the hook specified in ap_hook_use be configured and registered
> in mod_ssl before it can be used?

No. You just call hook "ap::mod_rewrite::lookup_variable" to find out variable
value instead of standard Apache way. That's all. What's so problematic here ???
Why are you so inclined to set up SSL variables ?

> Thanks a lot for your help.
> Arnold
> -Original Message-
> From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 22, 1999 2:17 AM
> To: [EMAIL PROTECTED]
> Subject: Re: SSL variables running APACHE on Windows NT 4.0


> On Mon, Jul 19, 1999, Ruetzel, Arnold wrote:

>> I wrote my own module which is loaded by Apache at startup time. This module
>> has to access the SSL variables in the "URI to filename translation" phase,
>> but the variables are not available at this phase. Does anybody know what I
>> have to do to make the SSL variables available to me in the "URI to filename
>> translation" phase ? Is there a way to make use of mod_ssl's API's to get my
>> hands on the SSL variables and how would that be done?

> When you looked into mod_rewrite, you would have found:

> #ifdef EAPI
> ap_hook_use("ap::mod_rewrite::lookup_variable",
> AP_HOOK_SIG3(ptr,ptr,ptr),
> AP_HOOK_DECLINE(NULL),
> &result, r, var);
> #endif

> A similar call in your module will give you the results.

>> PS: A note for Ralf Engelschall: Do you have any plans to change mod_ssl to
>> make the  SSL variables available right from the start, that is before the
>> post_read_request or header_parser handlers are being called.

> Hmmm... mod_ssl currently does it in the "correct/intended" phase.  But sure,
> it shouldn't harm to provide them earlier. I've to admit that I currently
> forgot what the reason was that have not done this already. I'll think about
> this again
>Ralf S. Engelschall
>[EMAIL PROTECTED]
>www.engelschall.com





Re: [BugDB] Portability problem (flex) (PR#214)

1999-07-23 Thread Khimenko Victor

23-Jul-99 09:31 you wrote:
> Full_Name: Laurent FAILLIE
> Version: mod_ssl-2.3.6-1.3.6
> OS: HP-UX 10.20
> Submission from: gk-fr2.michelin.com (195.115.130.37)


> When I try to compile mod_ssl-2.3.6-1.3.6 on my HP-UX 10.20 box,
> the compilation fails because some files (like ssl_expr_yy) need flex
> to compile.

> I wonder if "configure" can't use "lexx" if flex isn't in the system.

flex and lexx are different enough :-(( But you SHOULD not need flex at all !
Something is wrong with timestamps or your make...





Re: Can I use RSA algorithms in Canada for mod_ssl?

1999-07-23 Thread Khimenko Victor

22-Jul-99 13:04 you wrote:
> I've been searching for some source of information about this...

> I would like to be able to use OpenSSL + mod_ssl + Apache in order to
> produce a secure web server; for a variety of reasons it would be very
> nice if I could have one httpd serving both http and https clients.

> While I am willing to pay Covalent or C2Net a fee in order to obtain a
> legitimate license-to-use the RSA algorithms, I am highly averse to
> blindly linking object code into my production Apache server!

> Is it possible to compile Apache + mod_ssl + OpenSSL entirely from
> source *AND* still include the RC4, RC5, etc... ciphers?

Of course. Legality is completely other story, though...

> This might be obvious already from my questions, but I haven't tried to
> compile OpenSSL or mod_ssl yet.  I'm trying to figure out if there's any
> point in doing so.

> I am a citizen of Canada, the company is a Canadian corporation and the
> server will physically reside in Canada.  From what I can tell, the
> RSAREF issue is US-specific, but ?

> Any pointers or explanations appreciated.





Re: [BugDB] Compiling mod_ssl.c problem (PR#212)

1999-07-23 Thread Khimenko Victor

22-Jul-99 20:35 you wrote:
> Full_Name: Marco Teunissen van Manen
> Version: 2.3.6
> OS: Linux (Slackware 3.5)
> Submission from: n16152.telekabel.nl (212.142.16.152)


> After configuring and setting up mod_ssl for module use with apache 1.3.6,
> I got a message stating that an error was detected on line 496 of
> mod_ssl.h in the apache/src/modules/ssl directory.

> That line defines a struct/union member of type AP_MM. However,
> since ap_mm.h was NOT included, the compiler did not know what to do.

Something is screwed up :-(( Are you sure that EAPI patches are applied
clearly ?

> Solution to overcome this minor problem:
> in the Apache section, add in the CORE PRIVATE the following line:
> #include "ap_mm.h"

> which will then automatically be used when compiling. Resides in
> apache/src/include and defines the type AP_MM.

> Unfortunately, afterwards a lot of linking failures occur:
> modules/ssl/libssl.a(ssl_engine_config.o): In function `ssl_cmd_SSLSessionCache':
> ssl_engine_config.o(.text+0x157d): undefined reference to `ap_mm_useable'
> ssl_engine_config.o(.text+0x165d): undefined reference to `ap_mm_core_maxsegsize'
> modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_malloc':
> ssl_engine_scache.o(.text+0xd6c): undefined reference to `ap_mm_malloc'
> modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_calloc':
> ssl_engine_scache.o(.text+0xdac): undefined reference to `ap_mm_calloc'
> modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_realloc':
> ssl_engine_scache.o(.text+0xdec): undefined reference to `ap_mm_realloc'
> modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_free':
> ssl_engine_scache.o(.text+0xe28): undefined reference to `ap_mm_free'
> modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_init':
> ssl_engine_scache.o(.text+0xe84): undefined reference to `ap_mm_create'
> ssl_engine_scache.o(.text+0xe97): undefined reference to `ap_mm_error'
> ssl_engine_scache.o(.text+0xed7): undefined reference to `ap_mm_permission'
> ssl_engine_scache.o(.text+0xee3): undefined reference to `ap_mm_available'
> modules/ssl/libssl.a(ssl_engine_scache.o): In function `ssl_scache_shm_kill':
> ssl_engine_scache.o(.text+0xfe0): undefined reference to `ap_mm_destroy'
> collect2: ld returned 1 exit status
> make[2]: *** [target_static] Error 1
> make[2]: Leaving directory `/usr/src/apache_1.3.6/src'
> make[1]: *** [build-std] Error 2
> make[1]: Leaving directory `/usr/src/apache_1.3.6'
> make: *** [build] Error 2

Looks like ap_mm.c is not included in your Apache...





Re: modssl on NT

1999-07-23 Thread Khimenko Victor

22-Jul-99 16:41 you wrote:
> Hi,
>  I just want to ask whether we can secure apache web server on NT using
> mod-ssl and openssl. Are the installations steps given for win32 applicable
> for NT also. If not can any one give me the outline of the steps or any
> website from where i can follow the steps.

:-))) Win32 is name of API used in Win9X and WinNT ... So, of course, steps for
win32 must be applicable for WinNT as well. Just one subtle problem: Ralf does
not have Win9X or WinNT (AFAIK) and thus all steps are not checked by him ...






Re: Apache source (and OpenSSL)

1999-07-21 Thread Khimenko Victor

19-Jul-99 08:57 you wrote:
> Hi, answering my own question.. had thought that mod_ssl would use my
> already installed apache but found I needed to dl and unpack a fresh copy
> for mod_ssl to work with.

> Now can't find the source tree for OpenSSl, even though the entire
> directory in right there. Any ideas from anyone?

You downloaded OpenSSL from ftp.openssl.org or once again expect that it'll
materialize from thin air ?

>>Hello,
>>New at this.
>>I am trying to run "./configure --with-apache=../apache_1.3.6" but get:
>>
>>./configure:Error: Cannot find Apache 1.3 source tree under ../apache_1.3.6
>>./configure:Hint:  Please specify location via --with-apache=DIR
>>
>>I cant seem to find the correct path to the source tree, can anyone point
>>me in the right direction?





Re: compile error in :mod_ssl-2.3.6-1.3.6

1999-07-21 Thread Khimenko Victor

19-Jul-99 20:52 you wrote:

> well my configuration:
> linux-2.2.10
> pgcc-1.1.3-3mdk
> openssl-0.9.3a-3
> Perl 5.005.03


> What I see:
> ===> src/modules/ssl
> gcc -c  -I../../os/unix -I../../include   -DLINUX=2 -DMOD_SSL=203106
> -DUSE_HSREGEX -DEAPI `../../apaci` -DSSL_COMPAT -I/usr/include
> -DMOD_SSL_VERSION=\"2.3.6\" mod_ssl.c
> In file included from mod_ssl.c:65:
> mod_ssl.h:496: parse error before `AP_MM'
> mod_ssl.h:496: warning: no semicolon at end of struct or union
> mod_ssl.h:511: parse error before `}'
> mod_ssl.h:511: warning: data definition has no type or storage class
> make[4]: *** [mod_ssl.o] Error 1
> make[3]: *** [all] Error 1
> make[2]: *** [subdirs] Error 1
> make[2]: Leaving directory `/usr/src/apache_1.3.6/src'
> make[1]: *** [build-std] Error 2
> make[1]: Leaving directory `/usr/src/apache_1.3.6'
> make: *** [build] Error 2


> I've attached the config.log


There are .rej'ects :-(( Something is wrong. Download/unpack fresh copy of
Apache/mod_ssl ...






Re: Apache just hanging with SSL - SOLVED!!!

1999-07-16 Thread Khimenko Victor

16-Jul-99 08:17 you wrote:
> Holger Reif wrote:
>>
>> Has the ssl_enginge_log told you that all servers have been configured
>> already? Are you perhaps using /dev/random and temp key generation is
>> somehow slowly?

> YES! THAT WAS IT!!!
> I really thank you for pointing me to this! But why did this work with
> mod_ssl 2.2.8?

By accident, I think.

> Is it possible, that mod_ssl did a non_blocking read to
> /dev/random, where mod_ssl 2.3.5/6 does a blocking read?

No. Both will do blocking read.

> The kernel was the same (linux 2.2.10). So it cannot be a change in
> /dev/random.

It's /dev/random after all :-) It can work... ugh... RANDOMLY :-)
Use /dev/urandom for temporary keys and be happy...






Re: Apache just hanging with SSL - SOLVED!!!

1999-07-16 Thread Khimenko Victor

16-Jul-99 11:23 you wrote:
> On Fri, Jul 16, 1999, Jens Leuschner wrote:

>> > Has the ssl_enginge_log told you that all servers have been configured
>> > already? Are you perhaps using /dev/random and temp key generation is
>> > somehow slowly?
>>
>> YES! THAT WAS IT!!!
>> I really thank you for pointing me to this! But why did this work with
>> mod_ssl 2.2.8? Is it possible, that mod_ssl did a non_blocking read to
>> /dev/random, where mod_ssl 2.3.5/6 does a blocking read?
>> The kernel was the same (linux 2.2.10). So it cannot be a change in
>> /dev/random.

> No, ssl_engine_rand.c was not changed recently. But nevertheless you mention a
> good idea to overcome the /dev/random variants which block: we could read in
> non-blocking mode. H...  that would be perhaps a reasonable thing.  Any
> opinions?

But what to do when you'll get just 1 byte of entropy ? Or 0 bytes ? IMO just
big warning somewhere about preference of /dev/urandom over /dev/random for
temporary keys will be enough...


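
The concern in this reply (a non-blocking read may hand back 1 byte, or 0) and the /dev/urandom advice from the previous message, as an added example that is not part of the thread and not mod_ssl's code: take whatever the blocking pool can give without waiting, then top up from /dev/urandom. The function names are hypothetical, and a pipe stands in for a drained /dev/random so the short read is reproducible.

```c
/* Added example (not mod_ssl code). The pipe used in demo_partial_pool()
 * is a constructed stand-in for an entropy device whose pool is nearly empty. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Take whatever `fd` can deliver right now, never waiting.
 * Returns the number of bytes read (0..want) or -1 on a real error. */
ssize_t read_nonblocking(int fd, unsigned char *buf, size_t want)
{
    int flags = fcntl(fd, F_GETFL);
    size_t got = 0;

    if (flags == -1 || fcntl(fd, F_SETFL, flags | O_NONBLOCK) == -1)
        return -1;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n > 0)
            got += (size_t)n;
        else if (n == 0)
            break;                      /* end of file */
        else if (errno == EINTR)
            continue;                   /* interrupted, retry */
        else if (errno == EAGAIN || errno == EWOULDBLOCK)
            break;                      /* pool is empty for now */
        else
            return -1;
    }
    return (ssize_t)got;
}

/* Read exactly `want` bytes from /dev/urandom. Returns 0, or -1 on error. */
int read_urandom(unsigned char *buf, size_t want)
{
    int fd = open("/dev/urandom", O_RDONLY);
    size_t got = 0;

    if (fd == -1)
        return -1;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n > 0)
            got += (size_t)n;
        else if (n == -1 && errno == EINTR)
            continue;
        else {
            close(fd);
            return -1;
        }
    }
    close(fd);
    return 0;
}

/* Fill `buf` for a temporary key: use what the pool gives without blocking,
 * then fill the remainder from /dev/urandom. *from_pool reports how many
 * bytes the pool actually supplied, so the caller can log a short read. */
int seed_temp_key(int pool_fd, unsigned char *buf, size_t want, size_t *from_pool)
{
    ssize_t n = read_nonblocking(pool_fd, buf, want);

    *from_pool = (n > 0) ? (size_t)n : 0;   /* an error counts as "nothing" */
    if (*from_pool < want)
        return read_urandom(buf + *from_pool, want - *from_pool);
    return 0;
}

/* Constructed scenario: the pool holds `avail` bytes, the caller wants `want`.
 * Returns how many bytes came from the pool, or -1 if seeding failed. */
int demo_partial_pool(size_t avail, size_t want)
{
    unsigned char fill[64], out[64];
    size_t from_pool = 0;
    int p[2], rc;

    if (avail > sizeof fill || want > sizeof out || pipe(p) == -1)
        return -1;
    memset(fill, 0xAA, sizeof fill);
    if (avail > 0 && write(p[1], fill, avail) != (ssize_t)avail) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    rc = seed_temp_key(p[0], out, want, &from_pool);
    close(p[0]);
    close(p[1]);                /* write end stayed open, so empty == EAGAIN */
    return rc == 0 ? (int)from_pool : -1;
}

int main(void)
{
    printf("pool had 1 byte:  %d of 16 from pool\n", demo_partial_pool(1, 16));
    printf("pool had 0 bytes: %d of 16 from pool\n", demo_partial_pool(0, 16));
    return 0;
}
```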



Re: Cannot load /usr/lib/apache/libssl.so

1999-07-14 Thread Khimenko Victor

14-Jul-99 15:31 you wrote:
> On Wed, 14 Jul 1999, you wrote:
>> On Wed, Jul 14, 1999, Nick wrote:
>>
>> > Hi everybody
>> > I'm new to this list. and to SSL
>> > I have a problem starting apache
>> > -
>> > the problem is:
>> > [root@xover conf]# /etc/rc.d/init.d/httpd start
>> > Starting httpd:
>> > Syntax error on line 9 of /etc/httpd/conf/httpd.conf.ssl:
>> > Cannot load /usr/lib/apache/libssl.so into server: /usr/lib/apache/libssl.so:
>> >undefined symbol: ap_global_ctx
>>
>> Now it's time for an FAQ entry: done for 2.3.6.  Your problem is that you
>> cannot use a plain Apache with mod_ssl. Instead you have to recompile Apache
>> with EAPI.

> Recompile Apache with EAPI ??? Sorry i'm new to this.
> My Web site is based 50% on php3 and perl script, does it matter???

Usually not since Apache with EAPI can use standard modules just fine.
But I'd recompiled mod_php and mod_perl as well.

> If I recompile the src, which option i had . i.e.:
> rpm --rebuild apache-1.3.6.src.rpm
> ...

Read INSTALL file from mod_ssl carefully. If you'll just rebuild apache you'll
get fresh copy of Apache without EAPI :-) Or you can try to grab Apache+mod_ssl
bundle rpm's from contrib on www.mod_ssl.org (not sure if you'll be able to
use your versions of mod_php and mod_perl though).

P.S. Yes, I know it looks like a "hard way" when compared with installation of
RPM's but in fact it's REALLY better to try and compile stuff yourself if
something goes wrong.





Re: [BugDB] Permission denied for session cache dbm files (PR#200)

1999-07-14 Thread Khimenko Victor

14-Jul-99 17:55 you wrote:
> On Tue, Jul 06, 1999, [EMAIL PROTECTED] wrote:

>> We're running Debian Linux (kernel 2.2.7, glibc 2.1), apache 1.3.6 & mod_ssl
>> 2.3.5.
>>
>> Unless we manually chown the ssl_scache.dir and ssl_scache.pag files, we
>> get:
>>
>> Can't open SSLSessionCache DBM file for writing (store): system error
>> follows
>> w/ a system error of Permission denied.
>>
>> The system acts a little flaky, but I haven't been able to track down
>> consistent negative behavior.
>>
>> I added some debugging statements to ssl_engine_scache.c (in the
>> ssl_scache_dbm_init() function).  It turns out that somehow,
>> SSL_DBM_FILE_SUFFIX_DIR and  SSL_DBM_FILE_SUFFIX_PAG are both defined as
>> ".db" instead of ".pag" and ".dir", respectively.  I don't know why they're
>> getting defined this way in mod_ssl.h (and I'm not sure how to debug
>> preprocessor stuff).  This of course causes chown() to fail.
>>
>> Check those return values!!!
>>
>> Anyway, manually chowning the files fixes this, and as I said, I'm not sure
>> this caused any actual problems (besides presumably adding connection
>> overhead by forcing renegotiated sessions).
>>
>> Thought you'd want to know, though.  Let me know if you need more info.

> Because there is no really correct way to determine the file suffixes, mod_ssl
> 2.3.6 now does the chown() the hard way: 1. xx, 2. xx., 3.
> xx.db, 4. xx.{dir,pag}. Additionally it now allows you to configure via
> CFLAGS="-DSSL_DBM_FILE_SUFFIX_DIR=foo -DSSL_DBM_FILE_SUFFIX=PAG=bar" in case
> you have to make it running on even more esoteric platforms. I really hate
> this NDBM stuff. Seems like my next abstraction library will be a DBM
> library. :-(

Hmm. I STILL can not understand how Dave was able to get .dir & .pag files out
of GLibC 2.1 based system :-(( GLibC 2.1 includes BOTH Berkeley DB 1.x AND
Berkeley DB 2.x and in BOTH cases .db file is used, not pair of .dir/.pag
files !





Re: Permission.

1999-07-13 Thread Khimenko Victor

12-Jul-99 11:30 you wrote:
> So what (besides using shared memory) is the solution for other distros
> using Glibc 2.1 and building mod_ssl from source?

In fact mod_ssl will work with GLibC 2.1: since the only thing from 
used in ndbm.h is definition of type "DB" and the only way this type is
used is to declare some pointers you must be happy as long as you are not
interested in sizeof(DBM). Real problem is in mod_rewrite.h : since
/usr/include/db.h does not define DB_LOCK nor DB_SHMEM you'll get wrong
definition for NDBM_FILE_SUFFIX :-(( So for "real" fix you must borrow
definition from mod_ssl and put in mod_rewrite.h (it's done already for
Apache 1.3.7, AFAIK).

P.S. Oh, and in all such cases you'll end up with Berkeley DB 2.x instead of
Berkeley DB 1.x ! If you want Berkeley DB 1.x then you'll need to replace
-- cut --
#ifndef NO_DBM_REWRITEMAP
#if defined(__GLIBC_MINOR__) && __GLIBC_MINOR__ > 0
#include 
#else
#include 
#endif
-- cut --
with
-- cut --
#ifndef NO_DBM_REWRITEMAP
#if defined(__GLIBC_MINOR__) && __GLIBC_MINOR__ > 0
#include 
#include 
#else
#include 
#endif
-- cut --
in mod_rewrite.h, mod_auth_dbm.c and mod_ssl.h ... And you'll need to replace
-- cut --
#include 
-- cut --
with
-- cut --
#include 
-- cut --
in mod_auth_db.c

Plus you'll need to find and replace all `-lndbm' and/or `-ldb' with `-ldb1'...

I do not know which version of Berkeley DB is better here so I end up with
ugly hack for KSI-Linux 2.1 : mod_rewrite1.o, mod_auth_db1.o and mod_auth_dbm1.o
will use Berkeley DB 1.x while mod_rewrite.o, mod_auth_db.o and mod_auth_dbm.o
will use Berkeley DB 2.x (the same for mod_ssl: mod_ssl1.o will use
Berkeley DB 1.x and mod_ssl.o will use mod_ssl.o)... Unfortunately loader of
GLibC 2.1 is not smart enough so you can NOT mix them and use, say,
mod_rewrite1.o and mod_auth_db.o in the same apache process :-((





Re: Question on MM Shared Memory library

1999-07-13 Thread Khimenko Victor

12-Jul-99 15:36 you wrote:
> On Mon, Jul 12, 1999, Jeffrey Burgoyne wrote:

>> Any idea of what performance gain to expect? We get about 15000 real hits
>> a day, about 6 total (including graphics). About 10% of those are SSL.
>> I need to justify why we want to make the change to the web server and
>> even a rough idea is all my employers need to see.

> I've still not seen any benchmarks, but the shared memory based session cache
> is certainly a magnitude faster then the disk-I/O dependent DBM based session
> cache, of course.

Why so ? Any decent OS will keep this file in memory so you'll get just a few
additional syscalls and few memory moves... Disk will be usually touched only
when connection will be served :-) Of course in case of inactivity DBM file
will be pushed out of page cache but shared memory can be pushed in swap in
such case as well ! Of course MM is faster but magnitude... Hardly...





Re: modssl, installation problem.

1999-07-13 Thread Khimenko Victor

12-Jul-99 19:25 you wrote:
> Hi, I've already installed modssl with tar.gz package, but,
> some other modules cause problems. Now, I have to install
> mod_ssl on a rpm_based apache.

It's not possible. End of story.

> I can't uninstall everything and redo all from the beginning.
> I must install it from rpm.
> I have 2 questions, the first one, just to be sure.
> is openssl a free REPLACEMENT to SSLeay ???

It's SUCCESSOR for SSLeay. Not drop-in replacement.

> And, second,.. the most important. how to fix this error
> message.
> Cannot load /usr/lib/apache/libssl.so into server:
> /usr/lib/apache/libssl.so: undefined symbol: ap_global_ctx
> I get this message when I restart the apache server.

And you should :-) You need EAPI in your apache. You can not add it without
recompilation. End of story.





Re: Question on MM Shared Memory library

1999-07-12 Thread Khimenko Victor

In <[EMAIL PROTECTED]> Jeffrey Burgoyne 
([EMAIL PROTECTED]) wrote:


JB> On Mon, 12 Jul 1999, Khimenko Victor wrote:

>> 12-Jul-99 08:13 you wrote:
>>
>> > After experiencing some "brownouts" in Stronghold SSL, I changed our web
>> > server to modssl last week. We saw a huge increase in performance (of
>> > course, the brownouts really dragged down the stats I expect) in the range
>> > of 50 to 80 percent.
>>
>> > Since our site is a very high profile government site, I tried to keep
>> > things as simple as possible for the cutover and left out the Shared
>> > Memory library. I can't find an over abundance of documentation on this
>> > feature and had some questions.
>>
>> > First off, does the cache apply to all http requests as well as https
>> > requests. I'm assuming it does, but its not too exact in the
>> > documentation.
>>
>> No it does not :-) AFAIK for now MM can be used only for SSL session cache.
>>

JB> Darn.

>> > Secondly, is there any configuration parameters to allow me to specify how
>> > much memory it uses. I'm generally running with about 300 Megs free.
>>
>> Yes, when you specify where to put SSL session cache and use MM you must
>> specify size of MM pool as well. You do not want it really big.
>>
>> > Any idea of what performance gain to expect? We get about 15000 real hits
>> > a day, about 6 total (including graphics). About 10% of those are SSL.
>> > I need to justify why we want to make the change to the web server and
>> > even a rough idea is all my employers need to see.
>>
>> Usually you'll get only very slight gain in performance: you did not say
>> which OS you are using but in most modern OS'es with decent filesystem
>> cache gain will be small. Usage of MM is better from security standpoint
>> but will not buy you much from performance side. Maybe Ralf can add some
>> arguments "pro MM", of course...


JB> Running on a DEC Alpha (4.01 I believe).

JB> One last question. Does every hit to the cache still result in a log entry
JB> being generated?

It must be so...





Re: Question on MM Shared Memory library

1999-07-12 Thread Khimenko Victor

12-Jul-99 08:13 you wrote:

> After experiencing some "brownouts" in Stronghold SSL, I changed our web
> server to modssl last week. We saw a huge increase in performance (of
> course, the brownouts really dragged down the stats I expect) in the range
> of 50 to 80 percent.

> Since our site is a very high profile government site, I tried to keep
> things as simple as possible for the cutover and left out the Shared
> Memory library. I can't find an over abundance of documentation on this
> feature and had some questions.

> First off, does the cache apply to all http requests as well as https
> requests. I'm assuming it does, but it's not too exact in the
> documentation.

No it does not :-) AFAIK for now MM can be used only for SSL session cache.

> Secondly, are there any configuration parameters to allow me to specify how
> much memory it uses. I'm generally running with about 300 Megs free.

Yes, when you specify where to put SSL session cache and use MM you must
specify size of MM pool as well. You do not want it really big.

> Any idea of what performance gain to expect? We get about 15000 real hits
> a day, about 6 total (including graphics). About 10% of those are SSL.
> I need to justify why we want to make the change to the web server and
> even a rough idea is all my employers need to see.

Usually you'll get only very slight gain in performance: you did not say
which OS you are using but in most modern OS'es with decent filesystem
cache gain will be small. Usage of MM is better from security standpoint
but will not buy you much from performance side. Maybe Ralf can add some
arguments "pro MM", of course...





Re: Configuration question: SSLRequire(SSL), how to *require* use of SSL

1999-07-12 Thread Khimenko Victor

11-Jul-99 22:51 you wrote:
> Dear List Members,

> We have successfully installed Apache 1.3.6 with openssl 0.9.3a, and mod_ssl
> 2.3.3-1.3.6.  We are using a httpd.conf file little changed from the one
> created by the installation.  Having experimented, read the mail list archives,
> and read the manual at http://www.modssl.org/, there is still an issue that is
> confusing us.  We would like to set things up in such a way that documents
> can only be accessed via https, and so that if a user references a document
> using http, he/she will be redirected to the same document via https.  It would
> seem that SSLRequire and SSLRequireSSL should allow this, but we can't get
> them to work this way.  I think what we need are some concrete examples of
> their use (the manual really needs examples, not just reference definitions).
> Anyone willing to share some experience?  You can reply directly by email,
> and replies will be summarized and the summary sent back to the list.

SSLRequireSSL will prevent you from accidentally accessing protected documents
via HTTP (instead of HTTPS). That's all. Nothing more. No automatic redirects.
If you really need them then you'll need mod_rewrite ...

> What we've done for the moment is create a top-level index.html file that
> redirects to the actual top-level document, but using a URL with https.
> Since we use only relative URLs within the document, as the user cruises
> around, everything is done using https.  This works, but of course does not
> prevent a user from saving a url and accessing it later using http instead
> of https.

> Thanks in advance for any advice or pointers...

You need SSLRequireSSL (just in case: to prevent accessing via HTTP) and
redirect via mod_rewrite ...


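A concrete configuration of the kind asked for in the message above, as an added example that is not part of the original posts or of the mod_ssl documentation: the port-80 virtual host only redirects (mod_rewrite), and the HTTPS virtual host keeps SSLRequireSSL as the safety net. The host name, IP address and file paths are placeholders, and it assumes mod_rewrite and mod_ssl are both compiled in or loaded.

```apache
# Added example. www.example.com, 192.0.2.10 and all paths are placeholders.
Listen 80
Listen 443

# Plain-HTTP side: serves no documents, every request is sent to the
# same path on the HTTPS host. A saved http:// URL therefore ends up on
# https:// instead of being answered in clear text.
<VirtualHost 192.0.2.10:80>
    ServerName www.example.com
    RewriteEngine On
    RewriteRule ^/(.*)$ https://www.example.com/$1 [R=301,L]
</VirtualHost>

# HTTPS side: the only place the protected documents are configured.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot /usr/local/apache/htdocs-secure

    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

    <Directory /usr/local/apache/htdocs-secure>
        # Does not redirect anything. It makes the server refuse the
        # request when this directory is reached over a non-SSL
        # connection, for example if a later configuration change maps
        # it into the port-80 host by mistake.
        SSLRequireSSL
    </Directory>
</VirtualHost>
```

The redirect covers convenience and SSLRequireSSL covers misconfiguration; either one alone leaves the gap the original poster describes.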



Re: Perl Script to process Netscape Client and Microsoft certificate Request

1999-07-09 Thread Khimenko Victor

9-Jul-99 14:03 you wrote:
> I sent this out with no response. Can some one comment?

> Am looking for some Perl CGI script that can process Netscape and
> Microsoft Clients Certificate Request Automatically for mod_ssl-2.3.5
> + openssl_0_9_3a. The script must completely automate the process,
> causing a client certificate to be installed once the request Html form
> is submitted. If you know some place over the Internet where I can find
> it or if you have it, please tell me. If i could have someone respond to
> me with a response it would be greatly appreciated.

Try to post this message to [EMAIL PROTECTED] as well... I'm not sure
if you'll find script there but maybe you'll get at least some ideas :-))





RE: Permission.

1999-07-09 Thread Khimenko Victor

9-Jul-99 16:06 you wrote:
> There was a discussion about DBM extension/permission under
> GLIBC 2.1 some times ago.

In fact even attached patch is not correct :-/ Since you can not just
"#include " and be happy ...  will include
 instead of  so some defines still will be screwed up
unless you are using -I/usr/include/db1 ... And you must link with -ldb1 in
such cases, NOT with -lndbm !!! Ok, -lndbm works in GLibC 2.1.1 but it's not
guaranteed that it will work in later versions as well: libndbm.so is link to
Berkeley DB 2.x and  come from Berkeley DB 1.x so there are no
guarantee that  is compatible with -lndbm :-(( I wonder why there
are such a mess in Berkeley DB 1.x/Berkeley DB 2.x support ?? Why db_dump185
(provided especially for dumping Berkeley DB 1.x databases AFAIK) is linked
against Berkeley DB 2.x so you can not dump Berkeley DB 1.x database with it
(but can dump Berkeley DB 2.x database just like db_dump!) after all ???
Yes, I know that I can fix it with ease:
-- cut --
mv /usr/bin/db_dump185 /usr/bin/db_dump185.o
sed s-libdb[.]so[.]3-libdb.so.2- < /usr/bin/db_dump185.o > /usr/bin/db_dump185
rm -rf /usr/bin/db_dump185.o
-- cut --
And I can create /usr/include/ndbm.h for libndbm.so (libdb.so.3 in fact) easily:
-- cut --
#ifndef _NDBM_H_
#define _NDBM_H_

#ifdef _DB_H_
#if DB_DBM_HSEARCH == 0
#error  included before  and DB_DBM_HSEARCH == 0 . Giving up.
#endif
#else
#define DB_DBM_HSEARCH 1
#include 
#endif

#endif
-- cut --
But still :-/ Looks like someone was on drugs when developing
Berkeley DB 1.x/NDBM compatibility stuff in GLibC 2.1 ... Binaries are
supported fine but for developer it's nightmare :-/

> These problems are now fixed for the RPM we built with Magnus.

> You could take a look at the attached patches.
> Also why not use library MM to solve part of these problems ?

And you STILL need patch over downloadable tarball :-))





Re: Does mod_ssl require flex to compile?

1999-07-09 Thread Khimenko Victor

8-Jul-99 13:32 you wrote:
> I'm trying to compile mod_ssl 2.3.5 for Apache 1.3.6 on AIX 4.3 but get
> stuck at the following:
> flex -Pssl_expr_yy -s -B ssl_expr_scan.l
> make: flex: Command not found
> make: *** [ssl_expr_scan.c] Error 127

> I didn't notice flex being a prerequisite in the INSTALL doc
> (http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL).

It does not.

> Looking in the src/modules/ssl/Makefile for the offending target:
> ssl_expr_scan.c: ssl_expr_scan.l ssl_expr_parse.h
> flex -Pssl_expr_yy -s -B ssl_expr_scan.l
> sed -e '/$$Header:/d' ssl_expr_scan.c && rm
> -f lex.ssl_expr_yy.c
> I noticed it was under the following header:
> ##  DEVELOPER AREA
> ##  We really don't expect end users to use these targets!

> What's the scoop?  Do I need flex, are the dependencies screwed up, or
> what?

Looks like you have ssl_expr_scan.l newer than ssl_expr_scan.c ...
Something is screwed up (wrong timestamp or error in AIX's make)...






Re: different certs for v. domains

1999-07-09 Thread Khimenko Victor

8-Jul-99 15:20 you wrote:
> call this a stupid question:

> i have installed apache 1.3.6 with mod_ssl 2.3.5 and i am using OpenSSL
> 0.9.3a.
> i am unclear of how to have a different certificate for each virtual
> domain.  i am able to assign a certificate, but that certificate is the
> same for all domains.  i tried playing around with it, but there seemed
> to be no obvious solution, unless i am overlooking something huge.  if i
> could have someone respond to me with a resolution it would be greatly
> appreciated.

If you have IP based vhosts (and you are already aware that it's not possible with
name based vhosts, right? it's in FAQ) then just specify different certificates
for different vhosts (do not use _default_ one added automatically by mod_ssl)...


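The setup described in the reply above, as an added example that is not part of the original posts: one IP-based virtual host per certificate. The addresses, host names and file paths are placeholders, and both addresses are assumed to be configured on the machine.

```apache
# Added example. Addresses, host names and paths are placeholders.
Listen 443

# The server selects the virtual host from the IP address the connection
# arrived on, so it knows which certificate to present during the SSL
# handshake, before any HTTP request (and its Host: header) has been read.
# That is why name-based virtual hosts cannot carry different certificates
# here.
<VirtualHost 192.0.2.10:443>
    ServerName shop.example.com
    DocumentRoot /usr/local/apache/vhosts/shop

    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/shop.example.com.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/shop.example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName mail.example.org
    DocumentRoot /usr/local/apache/vhosts/mail

    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/mail.example.org.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/mail.example.org.key
</VirtualHost>

# No certificate directives are left in a catch-all _default_:443 block,
# so neither host silently falls back to a shared certificate.
```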



Re: Permission.

1999-07-09 Thread Khimenko Victor

8-Jul-99 09:40 you wrote:
> Hello,


> I've been playing around with mod-ssl.  I wonder about the following
> entries in the general error.log:

> [Thu Jul  8 09:12:05 1999] [error] mod_ssl: Cannot open SSLSessionCache
> DBM file `/var/run/ssl.dbm' for writing (store) (System error follows)
> [Thu Jul  8 09:12:05 1999] [error] System: Permission denied (errno: 13)


> I can see why it fails:

> root@dps-1:/log/error # cd /var/run
> root@dps-1:/var/run # ll ssl*
> -rw---   2 root root12288 jul  8 09:13 ssl.dbm.dir
> -rw---   2 root root12288 jul  8 09:13 ssl.dbm.pag
> -rw---   1 nobody   root0 jul  8 09:13 ssl.sem.1113


> So my question is:

> Why are the *.dbm files owned by root, when the webserver runs as nobody
> - that is like asking for trouble!  ;o)

Somehow mod_ssl.h wrongly guessed extension for files: .db instead of .dir/.pag
Permission denied comes from the same problem...





RE: SMP machine causes apache to segfault after hitting SSL server.

1999-07-07 Thread Khimenko Victor

6-Jul-99 13:10 you wrote:
> Well I have tried just about everything.  I am now just trying to get Apache
> 1.3.6, mod_ssl 2.3.5, and OpenSSL working.  Basically it seems to work
> somewhat during the first request by returning some or sometimes all the
> data requested by the browser.  I have tried IE and Netscape.  Looking at
> the documentation I thought it may have something to do with the OpenSSL
> package and the -fPIC option.  That didn't work either.  Apache works great
> until I attempt to hit a https page.  I have tried the dummy cert and my own
> certs with the same results.  Could it be something to do with slackware
> 4.0???  That seems to be the only common thing among systems here that don't
> seem to want to run apache with SSL. Any ideas?

Hmm. There was a problem with ndbm in Slackware 3.6. Maybe it's the same
problem in 4.0 as well ? Try to use built-in sdbm or (better yet) shared
memory version...






Re: SSL as Module? (like mod_php3)

1999-07-06 Thread Khimenko Victor

5-Jul-99 10:20 you wrote:
> Hello!

> I want to install the module for the "Secure Socket Layer". I have an
> apache www-server and i want to install a module. The php3 module was easy
> to install as a module. But the module for ssl is really hard.

Yes, it should be :-)) Blame US government, not Apache developers. Even program
with crypto-hooks (without any crypto built-in!) is not exportable in source
form... And since some Apache developers are US citizens... You got the
point :-)

> I want to install ssl as a module, but I don't know if that's possible!

It's not possible.

> I have downloaded sources (Apache 1.3.6, Open-SSL and Mod_SSL) and built the
> binaries. At the end, I had a file named libssl.so; so I copied it in the
> module-directory of my www-server (/usr/libexec/apache), added the lines in
> my httpd.conf:
> AddModule ssl_module libex/libssl.so
> LoadModule ssl_module mod_ssl.c

> Now I start my server new (/sbin/init.d/apache stop /sbin/init.d/apache
> start), and I get the message:
> Segmentation fault.

Hmm. Something is really wrong then. Since server must just say that libssl.so
is non-acceptable...

> I just copied the libssl.so in the modules-directory. I don't update the
> httpd binary, because I want to use my old server!

You can not.

> If I remove the lines from the httpd.conf everything works (without https).
> Can't I install the SSL as a module? And why I can install it? Could I use
   ^
Huh. Maybe you wanted to ask "why I can not install it" ? Because crypto-hooks
can not be added to Apache core and there is not enough flexibility in internal
Apache structure to do this without such hooks...

> the old server-binary?

No, you can not.





Re: inactive mod_ssl module may crash server-status

1999-07-06 Thread Khimenko Victor

5-Jul-99 13:28 you wrote:
> I built apache_1.3.6/mod_perl-1.20/mod_ssl-2.3.5-1.3.6/openssl-0.9.3a
> for Solaris 2.5.1.

> When I start the server without -DSSL, any children serving location
> /server-status, configured with

> ExtendedStatus On
> 
> SetHandler server-status
> Order deny,allow
> Deny from all
> Allow from .my.own.domain
> 

> crash (segfault), in the middle of outputting the result. If I start
> the server with -DSSL, no crashes occur.

> If I change the lines in httpd.conf

> 
> AddModule mod_ssl.c
> 

> to simply

> AddModule mod_ssl.c

> and then start it without -DSSL, no crash occurs. My wild guess is
> that without the module added, it may still try to output the
> SSL/TLS session cache status, or access some other undefined code
> or data structure.

It will EXACTLY try to output SSL/TLS session cache status and will crash
exactly there :-) That is code to output SSL/TLS session cache will try
to find out mod_ssl configuration and it's not ready to get NULL as pointer
to that configuration...

> mod_perl and mod_ssl are linked statically, most other modules dynamically.

Yes, this is the problem. Dynamically linked mod_ssl will work just fine, of
course. I'm not sure how important this problem is, though...





Re: accepting/ installing certificates

1999-07-02 Thread Khimenko Victor

1-Jul-99 15:14 you wrote:
> Hi,

> how do people build SSL systems which do not require the client to
> accept certificates? E.g. if you want to order a book at www.amazon.de
> and you are using the SSL connection, users do not have to accept the
> certificates, although the certificate of the website is not in the
> browser implemented, yet and the site is used the first time.

It IS in browser. Not certificate of site by itself of course, but certificate
of signer (Verisign, Thawte, etc). That's EXACTLY why you need certificate
from such companies at all :-))

> ANY HINTS

It must be in FAQ somewhere. But maybe not since it's such basic knowledge...





Re: [BugDB] PRIVATE: Setting up Apache Server with mod_ssl (PR#199)

1999-07-02 Thread Khimenko Victor

1-Jul-99 12:28 you wrote:
> May I politely point out that Win2K is _BETA_.

> If something's b0rken, go back to a known, stable platform.

And then you'll be stuck at the same step 6 :-)) No, beta status of W2K is not an
issue here...

> -dsp

> -Original Message-
> From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
> Date: Thursday, July 01, 1999 12:32 PM
> Subject: [BugDB] PRIVATE: Setting up Apache Server with mod_ssl (PR#199)


>>Full_Name: Kai Ming Chan
>>Version: 2.3.5
>>OS: Windows 2000
>>Submission from: proxy2.ch.intel.com (143.182.246.21)
>>
>>
>>I followed the steps in install.win32 and was able to build openssl and
> apache.
>>However, I don't know how to do step 6.
>>
>>"6. Now you're on your own, because Win32 is not an officially
>>supported platform of mod_ssl. You have to setup the config files
>>and certificates manually. Good luck..."
>>
>>I know win32 is not supported, but could you just give me some hints of
> setting
>>mod_ssl up with apache.  What do I need to change in the config file?  How
> do I
>>make the certificate and where do I put it?
>>
>>Thanks!
>>Ming
>>



Re: apachectl startssl

1999-06-30 Thread Khimenko Victor

30-Jun-99 16:50 you wrote:
> hi,all:
> when I do "apachectl startssl"  , it would ask me password, I think it will
> be not convenient , anyway to pass this?

Huh. Read message there :-) You have some keys encrypted. Just use unencrypted
ones (make certificate usually asks you if you want encrypted key or not)...





RE: Question on upgrading from Stronghold

1999-06-30 Thread Khimenko Victor

30-Jun-99 17:37 you wrote:
> hi:
> I have same problem,where can I get RTFM?
> thanks a lot,

You can not GET RTFM :-)) You can DO RTFM ... FM's are in your Apache
distribution in subdirectory htdocs/manual. Point your browser at index.html
and read about AuthDBMUserFile in section "Run-time configuration directives".

> sincerely
> sun

> ------
> From: Khimenko Victor[SMTP:[EMAIL PROTECTED]]
> Reply To: [EMAIL PROTECTED]
> Sent: Wednesday, June 30, 1999 2:23 AM
> To:   [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject:  Re: Question on upgrading from Stronghold

> 29-Jun-99 12:15 you wrote:

>> I'm having a bit of problem with the authentication in changing over from
>> Stronghold to mod_ssl. In my new conf file I have added :

>> 
>> AuthType Basic
>> AuthName Strategis
>> AuthDBMUserFile /rz6c/stronghold/pw/level1
>> require valid-user
>> 


>> which mod_ssl doesn't like. Does mod_ssl support DBM user files for
>> authentication, or do I have to use a .htaccess file and if so is there an
>> available utility that I can use to do this.

> Yes, mod_ssl does not support DBM user files. As well as plain text files.
> It does not support authentication with MySQL and PostgreSQL as well.
> You must use other modules for this. RTFM (not FM from mod_ssl but FM from
> Apache itself). If I recall correctly AuthDBMUserFile comes from mod_auth_dbm
> so you must have this module in bundle...






Re: Question on upgrading from Stronghold

1999-06-29 Thread Khimenko Victor

29-Jun-99 12:15 you wrote:

> I'm having a bit of problem with the authentication in changing over from
> Stronghold to mod_ssl. In my new conf file I have added :

> 
> AuthType Basic
> AuthName Strategis
> AuthDBMUserFile /rz6c/stronghold/pw/level1
> require valid-user
> 


> which mod_ssl doesn't like. Does mod_ssl support DBM user files for
> authentication, or do I have to use a .htaccess file and if so is there an
> available utility that I can use to do this.

Yes, mod_ssl does not support DBM user files. As well as plain text files.
It does not support authentication with MySQL and PostgreSQL as well.
You must use other modules for this. RTFM (not FM from mod_ssl but FM from
Apache itself). If I recall correctly AuthDBMUserFile comes from mod_auth_dbm
so you must have this module in bundle...





Re: Testing SSL server with Netscape

1999-05-31 Thread Khimenko Victor

30-May-99 23:31 you wrote:
> I have installed the latest OpenSSL and ModSSL for Apache package.

> The system works as for passing the security Certificate.  When I then
> go to view a secure Web page by typing the URL again with the https
> directive I get a Secure Library error.

> The error states that netscape has experienced an "Out of Memory Error".

> Is there any way I can fix this.  Please point me to the Howto's or
> better yet state the solution to the problem.

I've seen such error when I made wrong certificate. Are you sure that you
entered FQDN of your server when you were asked about "Your name:" by OpenSSL ?





Re: Creating a server certificate

1999-03-11 Thread Khimenko Victor

11-Mar-99 14:06 you wrote:
> Sorry, but it's really nasty when people don't want to _READ_!
> The gid-mkcert.sh script looks like:

> |  :
> | ##  ssleay ... get it from ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/
> | ##  ca-fix ... get it from http://www.drh-consultancy.demon.co.uk/ca-fix.html
> | ##  pkcs12 ... get it from http://www.drh-consultancy.demon.co.uk/pkcs12faq.html
> | ##
> |
> | #   parameters
> | ssleay="/sw/pkg/ssleay/bin/ssleay"
> | cafix="/sw/pkg/ssleay/bin/ca-fix"
> | pkcs12="/sw/pkg/ssleay/bin/pkcs12"
> | sslcrtdir="."
> | sslcsrdir="."
> | sslkeydir="."
> |  :

> In other words: FRIENDS, THE URLS ARE GIVEN JUST FOUR LINES AWAY FROM THE LINE
> YOU'RE EDITING! Hmmm... I'm really wondering why I always write down such a
> lot of details when people don't read it...

It's simple: most people (like me :-) will read all this, will use info and
will NOT write to the list. Few people will not read and will write to the
list. The end result will look like no one ever tries to read something :-))

> So, please walk to the given URLs, fetch the tools, install it somewhere and
> edit the variables to reflect the used installation paths.




__
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: config, compile, install help - php3, ssl, apache 1.3.x

1999-03-03 Thread Khimenko Victor

In <[EMAIL PROTECTED]> User Rick ([EMAIL PROTECTED]) wrote:
>> 2-Mar-99 10:28 you wrote:
>> > A note about php.  If you choose to integrate database access for example to
>> > mysql in the php install, then mysqld must be running for apache to start.
>> > This is not very nice and means you must ensure that upon a restart or cold
>> > start that the database daemon is up before apache starts.
>>
>> Huh ? I have mysql and postgresql access compiled in PHP and in my initscripts
>> mysqld starts AFTER httpd and postgresql is not installed at all on this server.
>> All works just fine.
>>
UR> I'd like to find out what is different in your build from mine.  When I
UR> fetched the port from FreeBSD.org, the very first time make is run, some
UR> script prompted me for which databases I'd like use.

"the very first time make is run", "some script prompted me"... Huh. Are you
sure that it's PHP *3*, not PHP/FI *2* ??? PHP 3 uses standard autoconf stuff
and there are no scripts to ask about databases (you could use configure
script switches instead)...

UR> I chose mysql and continued building.  Subsequent invocations of make
UR> did not invoke that initial script.

Where does this initial script come from ???

UR> When I built and installed apache with php,ssl,frontpage the mysqld was
UR> already running.  The resulting build worked.  However when I rebooted, the
UR> apache error log contained messages indicating that php was not able to
UR> connect to mysqld and apache failed to start.  I changed the sequence of
UR> starting mysqld and apache and everything came up nicely.  I killed mysqld and
UR> tried again, yielding the original failure.  I concluded that there was a
UR> dependency and left it at that.  I did not pursue it further.

It works here even without mysql installed at all :-)) Are you sure that it's
PHP *3*, not PHP/FI *2* ?






Re: config, compile, install help - php3, ssl, apache 1.3.x

1999-03-03 Thread Khimenko Victor

2-Mar-99 10:28 you wrote:
> A note about php.  If you choose to integrate database access for example to
> mysql in the php install, then mysqld must be running for apache to start.
> This is not very nice and means you must ensure that upon a restart or cold
> start that the database daemon is up before apache starts.

Huh ? I have mysql and postgresql access compiled in PHP and in my initscripts
mysqld starts AFTER httpd and postgresql is not installed at all on this server.
All works just fine.






Re: config, compile, install help - php3, ssl, apache 1.3.x

1999-03-03 Thread Khimenko Victor

2-Mar-99 06:14 you wrote:
>>This seems like a popular combination, perhaps it would be worth someone
>>doing up an rpm combining these particular modules (but might be a lot of work
>>keeping a package with all the latest versions after each upgrade).

> That sounds like it'd be a nightmare for whoever would be kind enough to
> create such an RPM - best solution to me still seems to create an RPM of
> apache 1.3.x+mod_SSL which works with standard RedHat module RPMs. As I
> said, not sure how feasible/easy that is to do.

I have some RPMs on ftp://ftp.sch57.msk.ru/pub/redhat-addons/apache-rus
There are apache (with EAPI), mod_ssl, mod_perl, PHP3 ... Unfortunately
I can not upgrade them since I do not have RedHat anymore (I use KSI-Linux 2.0
and KSI-Linux 2.0 includes them "out of box"; you could try to grab .src.rpm s
from KSI-Linux site ftp://ftp.ksi-linux.com and recompile them).






Re: oops, info about system w/ segfaults

1999-02-09 Thread Khimenko Victor

8-Feb-99 12:31 you wrote:
> Khimenko Victor wrote:
>>
>> If you use libc5-based Linux then try to use built-in SDBM !
>> At least Slackware 3.6 has broken DBM :-((

> Uh oh.  Yeah, definitely a problem here. Slack 3.6 it is.  Excuse me for
> not knowing exactly what a "SDBM" is, but I'm left at a loss. Can you
> elaborate a little on an easy procedure or docs to read?

I've never seen Slackware 3.6 myself but there is a letter in mod_ssl mailing
list:

-- cut --
> Full_Name: Bryan Mawhinney
> Version: 2.1.8-1.3.4
> OS: Slackware Linux 3.6
> Submission from: (NULL) (196.23.0.42)


> Apache with mod_ssl and SSL session cache was seg faulting on most (but not all)
> transfers, in a similar manner to that which other Linux users have described
> (eg, PR# 57, 58, 74 and 78).  Disabling the session cache fixes the problem, but
> we don't want to do that.

> We compiled with -g -ggdb3 and ran as non-root on port 8443.  gdb of the
> resulting core file showed that the fault occurs in memcpy, but doesn't show the
> call stack (as with PR#74).  Perhaps memcpy is corrupting the stack?

> We recompiled mod_ssl and forced it to use the builtin SDBM (by renaming libdbm)
> and the seg faults have disappeared.  We're happy with this solution, but
> thought this info might help you identify the problem.
-- cut --






Re: oops, info about system w/ segfaults

1999-02-08 Thread Khimenko Victor

8-Feb-99 10:57 you wrote:

> Linux 2.0.36
> SSLeay-0.9.0b
> apache_1.3.4
> mod_ssl-2.2.2-1.3.4
> rsaref-2.0

> Anything else needed?

Libc version :-)) I've seen reports about hangs with my RPMs on libc5-based
systems (recompiled, of course :-) but could not reproduce it with RedHat 5.2
or KSI-Linux 2.0 (glibc2-based systems).

If you use libc5-based Linux then try to use built-in SDBM !
At least Slackware 3.6 has broken DBM :-((






Re: httpsd -v

1999-02-04 Thread Khimenko Victor

4-Feb-99 04:24 you wrote:

> On 04-Feb-99 Ralf S. Engelschall wrote:
>> On Wed, Feb 03, 1999, Philp Gwyn wrote:
>>
>>> How does one find what version of mod_ssl is compiled into a given
>>> httpsd?  httpsd -v tells me the apache version, but not the
>>> mod_ssl
>>> version.
>>
>> Hmmm... yes, that's because the -v option is done _before_ any
>> modules are initialized and given a chance to identify themselves.
>> As a first step I'll now add identification strings to the mod_ssl
>> module, so you can at least do:
> Oh.  I was under the impression that ident string was generated at
> compile time.

Not in 1.3.x :-)

>>| :> ident libssl.so
>>| libssl.so:
>>|  $Id: mod_ssl/2.2.1 $
>>| :> what libssl.so
>>| libssl.so
>>|  mod_ssl/2.2.1
>>
>> for the next version. But for the -v I need to change the logic in
>> Apache.  Hmmm... perhaps we should allow a "-v -v" or a "-v2" or a
>> similar variant which is the same as -v but is done _after_ an
>> init round?
> Don't the init rounds require config file parsing (and hence pass
> phrase dialog)?  If so, don't bother.

> Another possibility would be for httpsd -l to list the version of
> each module.

Does not help either:
-- cut --
[khim@khim khim]$ httpd -l
Compiled-in modules:
  http_core.c
  mod_so.c
[khim@khim khim]$
-- cut --
even if
-- cut --
[khim@khim khim]$ telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Thu, 04 Feb 1999 11:44:47 GMT
Server: Apache/1.3.4 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.1c mod_perl/1.18 PHP/3.0.6 rus/PL27.5
Connection: close
Content-Type: text/html; charset=koi8-r
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Last-Modified: Thu, 04 Feb 1999 11:44:47 GMT
Vary: accept-charset, user-agent

Connection closed by foreign host.
[khim@khim khim]$
-- cut --

BTW if mod_ssl is installed via some packaging system (RPM in my case) you
usually could do something like this:
-- cut --
[khim@khim khim]$ rpm -qf /usr/libexec/apache/mod_ssl.so
apache-ssl-2.2.0.KSI2-1
[khim@khim khim]$
-- cut --
to find out its version...






Re: EAPI vs mod_ssl

1999-02-04 Thread Khimenko Victor

3-Feb-99 16:56 you wrote:
> On Tue, Feb 02, 1999, Ronan-Yann Lorin wrote:

>> Wouldn't it be nice to have EAPI and mod_ssl available as two distinct
>> distribs ?  So we know when EAPI has been changed and we must rebuild apache
>> binary, or when mod_ssl has been changed and we must rebuild mod_ssl DSO.

> Hmmm... it would be nice to have a EAPI dist and a mod_ssl dist for the reason
> that other module authors could use EAPI without mod_ssl, but not for the
> reason you mention IMHO. Actually the rebuilding of DSOs should be no longer
> needed, because Apache+EAPI since mod_ssl 2.2.0 can also load standard DSOs.
> And OTOH for the "have to dists" issue: You have an EAPI distribution. It's
> the same as the mod_ssl distribution but you use --with-eapi-only on the
> configure command line. This way only EAPI is applied to the Apache source
> tree. Isn't that what you actually want?

Looks like you miss his point. It's NOT about OTHER DSO's but about mod_ssl
itself. If EAPI and mod_ssl will be separated then with new version of mod_ssl
you'll need just recompilation of mod_ssl via apxs but when EAPI is changed
you should recompile Apache itself !






Re: [BugDB] segmentation fault on slackware 3.6 (PR#97)

1999-01-31 Thread Khimenko Victor

31-Jan-99 00:33 you wrote:
> Full_Name: Mario Medina
> Version: 2.2.0-1.3.4
> OS: Linux 2.0.36 (slackware 3.6.0) ELF
> Submission from: teccasa21.ccm.itesm.mx (148.241.166.21)


> I compile and install all the files ok, I can access a non-ssl page, but
> when I try to access https://machine/page.html it says that
> connection refused... on the error_log file i see this:

> httpd: [Sat Jan 30 17:28:00 1999] [notice] child pid 9957 exit signal
> Segmentation fault (11)

> On slackware 3.5.0 it runs very well! I compile all the software (
> SSLeay 0.9.0b, apache 1.3.4 and mod_ssl 2.2.0-1.3.4 using instructions
> on this page, with
> perl ./Configure gcc
> and
> perl ./Configure linux-elf

Slackware 3.6.0 has broken DBM, use built-in SDBM ...






RE: apache-mod_ssl-1.3.4-2.1.8 RPMs

1999-01-25 Thread Khimenko Victor

25-Jan-99 15:02 you wrote:
>> I just uploaded a version of apache-mod_ssl-1.3.4-2.1.8
>> to ftp://ftp.replay.com/pub/replay/incoming/
>> The directory layout is a hybrid between Apache and RedHat...
>>
>   [GOMEZ Henri]  Re-Hi, seems you like both mod_ssl and apache ssl
> products. :-)
>   Do you know how to add also php3 in the pack ???

Take a look at ftp://ftp.sch57.msk.ru/pub/redhat-addons/apache-rus/ ...
Apache 1.3.4, mod_ssl 2.1.8, PHP 3.0.6, mod_perl 1.17, mod_fastcgi 2.0.18 ...

Tested with RedHat 5.1 (and KSI-Linux 2.0, of course -- it's packages from
there :-)






RE: [BugDB] coldfusion compatability (PR#88)

1999-01-24 Thread Khimenko Victor

24-Jan-99 16:13 you wrote:
> Hello Ashley,

>> has anyone been able to get mod_coldfusion (from allaire.com)
>> and apache 1.3 and mod_ssl work together? As far as I can tell
>> problems are caused by both SSLeay and mod_coldfusion having
>> identical symbols in it ...
>>
>> Any suggestions as how to get around this (including the possibility
>> of linking the mod_coldfusion.a into the SSLeay stuff ...

> This has everything to do with the EAPI which is used by mod_ssl.
> Every module has to be recompiled to run on an Apache with EAPI
> enabled. Since the Cold Fusion module is compiled for a version
> without EAPI, it doesn't work.

> Apache 1.3.4 should compile by default with EAPI, so any Cold Fusion
> module suited for 1.3.4 specifically will work.

Apache 1.3.4 does not include EAPI. It's possible to use modules compiled
without EAPI support with mod_ssl 2.1.8 but Apache 1.3.4 DOES NOT include EAPI.

> Another solution which I got from a fellow Allaire Forums
> follower: use mod_rewrite and rewrite all your requests
> using the cfml.exe?template=.exe method. Not too fast,
> but it works!







Re: DSO situations and core dumps

1999-01-16 Thread Khimenko Victor

15-Jan-99 18:35 you wrote:

> We've already recognized that on some not-such-smart platforms Apache+mod_ssl
> can dump core under the DSO situation. I've already traced it down and the
> problem has to do with the fact that Apache _reloads_ the DSOs at startup-time
> and that some dangling references to EAPI hooks exists this way.  On platforms
> like FreeBSD and Linux (where I develop mod_ssl) the modules always seem to be
> reloaded to the same memory address, so I never recognized this problem. But
> now Khimenko Victor's EAPI replacement patches gave me the essential hint that
> the hooks are not unregistered correctly. This doesn't harm when the module
> was reloaded to the same address, but causes core dumps when this isn't the
> case.

BTW my replacement patches are designed so that Apache will coredump without
properly unregistered hooks even on "smart" platforms, so there ALL hooks
(in mod_log_config, mod_proxy and mod_ssl itself) are correctly unregistered
on the module unload event. So mod_ssl with my patches should be safe even on
not-such-smart platforms...
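
The failure discussed above, as an added example in C that is not part of the original post or of mod_ssl/EAPI: a hook keeps a stack of function pointers, a module registers its handler on load, and the load/unload/load cycle at startup leaves a stale entry unless the unload path unregisters it. The stack and decline semantics follow the hooks API description posted elsewhere on this page; every identifier here is hypothetical, not the `ap_hook_*` API.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* All names are hypothetical; this is not the ap_hook_* API. */
#define HOOK_MAX 8
#define DECLINED (-1)               /* decline value chosen for this hook */

typedef int (*lookup_fn)(const char *key);
typedef enum { HOOK_NORMAL, HOOK_TOPMOST } hook_mode;

typedef struct {
    lookup_fn stack[HOOK_MAX];      /* stack[n - 1] is the top */
    size_t    n;
    hook_mode mode;
} hook;

/* Push a handler; returns 1 on success, 0 if fn is NULL or the stack is full. */
static int hook_register(hook *h, lookup_fn fn)
{
    if (fn == NULL || h->n == HOOK_MAX) return 0;
    h->stack[h->n++] = fn;
    return 1;
}

/* Remove every entry equal to fn; returns how many were removed. */
static int hook_unregister(hook *h, lookup_fn fn)
{
    size_t i, kept = 0;
    int removed = 0;
    for (i = 0; i < h->n; i++) {
        if (h->stack[i] == fn)
            removed++;
        else
            h->stack[kept++] = h->stack[i];
    }
    h->n = kept;
    return removed;
}

/* Number of stack entries that point at fn. */
static int hook_count(const hook *h, lookup_fn fn)
{
    size_t i;
    int c = 0;
    for (i = 0; i < h->n; i++)
        if (h->stack[i] == fn) c++;
    return c;
}

/* Walk from the top: NORMAL continues past DECLINED, TOPMOST asks only the top. */
static int hook_call(const hook *h, const char *key)
{
    size_t i = h->n;
    while (i-- > 0) {
        int rc = h->stack[i](key);
        if (rc != DECLINED || h->mode == HOOK_TOPMOST)
            return rc;
    }
    return DECLINED;
}

/* Handler owned by the core: answers every key. */
static int core_lookup(const char *key) { return (int)strlen(key); }

/* Handler owned by the simulated DSO: answers SSL_* keys, declines the rest. */
static int ssl_lookup(const char *key)
{
    return strncmp(key, "SSL_", 4) == 0 ? 443 : DECLINED;
}

static void ssl_module_load(hook *h) { hook_register(h, ssl_lookup); }

static void ssl_module_unload(hook *h, int unregister_on_unload)
{
    if (unregister_on_unload)
        hook_unregister(h, ssl_lookup);
    /* otherwise the entry stays behind; after a real dlclose() it would dangle */
}

/* Startup cycle from the post: load, unload, load again.
 * Returns how many entries for the module's handler are on the stack. */
static int simulate_reload(int unregister_on_unload)
{
    hook h = { {0}, 0, HOOK_NORMAL };
    hook_register(&h, core_lookup);
    ssl_module_load(&h);
    ssl_module_unload(&h, unregister_on_unload);
    ssl_module_load(&h);
    return hook_count(&h, ssl_lookup);
}

int main(void)
{
    printf("entries with unregister on unload:    %d\n", simulate_reload(1));
    printf("entries without unregister on unload: %d\n", simulate_reload(0));
    return 0;
}
```

In this simulation both entries point at the same function, so nothing crashes; with a real DSO mapped at a different address on the second load, the leftover entry is the dangling reference the post describes.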







Re: Re[2]: Sooo many problems with Debian & mod_ssl !

1999-01-04 Thread Khimenko Victor

4-Jan-99 17:20 you wrote:


> Thanks for your reply,

> I'll then get the sources for apache 1.3.3 ;-)
> But have to disagree with you about the solution you gave for the SSL_BASE
> variable. Here is the problem:

> (first, I wiped the test for the EAPI flag, otherwise, I cannot get further
>  ;-)

> - When I don't set a SSL_BASE variable, I get a 'cannot find SSL
> installation in /usr/local/ssl'. That is normal.
> - The program that configure is trying to get is 'ssleay'. In Debian, it is
> located as file '/usr/bin/ssl/ssleay'.
> - If I set SSL_BASE to '/usr/bin/ssl', it will not find it, as the
> line you use to test the presence of the ssleay file is:
>  'if [ -f "$SSL_BASE/bin/ssleay" ]; then ...'
>  ($SSL_BASE/apps/ssleay is tried too)
> As you can see, I cannot map /usr/bin/ssl into $SSL_BASE to match
> the test !

> There are two possible modifications to make it work:
> 1) Create a link  in the /usr/bin/ssl directory named 'bin' that is a link
> to the directory where it is (/usr/bin/ssl/bin will point to /usr/bin/ssl
> ;-)
> 2) Modify all the references in libssl.module to allow such mapping (that
> makes 3 lines modified).

> I think the easiest is the first solution. It would be cool to write to the
> debian maintainer of the ssleay package to add such link in his package.

> BUT:

> There's the same problem with the include files from ssleay-dev. They are
> located in a complete different location from the binary part of ssleay (
> they are in /usr/include/ssl). The problem is that the same variable is
> used
> (BASE_SSL) to point for binary and include files ;-(
> So if I put '/usr/bin/ssl' in BASE_SSL, it will look in
> /usr/bin/ssl/include for the include files ;-(

> I've no solution for this, except modifying the libssl.module file.

"Then you have to use SSL_BASE=SYSTEM as it's documented in the INSTALL file."
Something not clear ? With SSL_BASE=SYSTEM ssleay command will be searched via
PATH variable, /usr/include, /usr/include/ssl, /usr/local/include and
/usr/local/include/ssl will be scanned for ssl.h and /lib, /usr/lib and
/usr/local/lib will be scanned for libssl.a or libssl.so ...





Re: Sooo many problems with Debian & mod_ssl !

1999-01-04 Thread Khimenko Victor

4-Jan-99 15:33 you wrote:

> Hello,

> I'm trying to install mod_ssl on my Debian Linux box, but I couldn't,
> there are too many problems with debian packages:
> I'm using (trying to ;-) mod_ssl-2.1.5_1.3.3.tar.gz, and the
> apache_1.3.3-3, apache-dev, and apache-common debian packages.

You could not use mod_ssl with non-patched Apache. No way.

> What I wanted to do was to compile the mod_ssl as a DSO module.

This is not possible -- you could compile mod_ssl as DSO, but apache should
be recompiled with EAPI patches and all other DSO modules should be recompiled
as well.

> When I run ./configure '--apxs=/usr/sbin/apxs', it complains that
> it cannot find apxs. After looking at the configure script, I managed
> to see that it cannot find a '-DEAPI' define from the output of
> apxs -q CFLAGS. I only got '-DLINUX=2 -DUSE_HSREGEX'.

Of course. Debian's apache could not include crypto-hooks !

> Here are some of the other problems I found:
> - The name of the Apache daemon on debian is apache and not httpd.
> - The directory where the ssleay & ssleay-dev (0.9 version) are
> incompatible with the hard coded directories in the
> pkg.sslmod/libssl.module file (it wants to find the program ssleay in
> '$SSL_BASE/bin/ssleay', but on debian, they are on '/usr/bin/ssl/ssleay',
> which cannot be put in $SSL_BASE ;-( There's the same problem with the
> include files declarations (/usr/include/ssl).
> - After patching the configure script, I managed to get a Makefile, But
> when I run make, I get an error telling me that it cannot find 'ap_hook.h'
> ! When looking in the apache-dev list of files, there isn't any ap_hook.h
> file (only ap_compat.h, ap_config.h, ap_config_auto.h, ap_ctype.h, ap_md5.h
> and
> ap_mmn.h)

ap_hook.h is part of EAPI and as such is not included in standard apache.

> Has anyone managed to compile and use mod_ssl on a debian box ?
> Is only way to get out of this seems to get all the sources of apache and
> recompile everything ?

Yes. You SHOULD patch apache sources to use mod_ssl. These patches COULD NOT
be incorporated in main apache tree since this will make apache non-exportable
from US.

To Ralf: looks like question "How to create mod_ssl DSO for standard apache?"
with answer "You could not do this" is the most frequently asked question for
last few weeks. Is it in FAQ now ?






Re: DSO compile instructions

1999-01-02 Thread Khimenko Victor

2-Jan-99 16:59 you wrote:
> On Sat, Jan 02, 1999, Achille M. Luongo wrote:

>> I would like to compile or simply use a mod_ssl module under Linux
>> (kernel 2.0.36) as a stand-alone DSO module for an apache 1.3.3 binary
>>
>> RPM package, but I didn't find instructions.
>> Can anyone suggest me how to build mod_ssl as a stand-alone DSO module ?
>> Is already available a RPM module with a DSO version of mod_ssl for such
>> a kernel ?

> How about this part of the INSTALL file in the mod_ssl distribution?

> |   Upgrading with APXS (EXPERTS ONLY)
> |   __
> |
> |   Once you've built and installed Apache with mod_ssl as a DSO (libssl.so) you
> |   can easily upgrade this libssl.so file with a stand-alone built procedure as
> |   long as the Extended API (EAPI) didn't change and you've SSLeay installed
> |   somewhere. For this you can use the following procedure:
> |
> | $ cd mod_ssl-2.1.x-1.3.x   ALL
> | $ ./configure \ALL
> |   --with-apxs[=/path/to/apache/sbin/apxs] \ALL
> |   --with-ssleay=/path/to/ssleay \  ALL
> |   --with-rsaref=/path/to/rsaref US
> | $ make ALL
> | $ make install ALL
> | $ make distclean   ALL
> |
> |   This will build mod_ssl locally inside the pkg.modssl/ directory and then
> |   upgrades your existing libssl.so file. This approach is also interesting for
> |   package vendors. Because those can create an Apache+EAPI package (with the
> |   use of --with-eapi-only) and a APXS-based mod_ssl package (with the use of
> |   --with-apxs).

> But please read it carefully: The generated libssl.so doesn't work with a
> plain Apache. Your Apache has to already contain the Extended API.

Thnx god this is minor problem: without patched Apache libssl.so will not be
created in first place -- compilation will fail :-)






Re: DSO compile instructions

1999-01-02 Thread Khimenko Victor

2-Jan-99 15:59 you wrote:
> Hi!

> I would like to compile or simply use a mod_ssl module under Linux
> (kernel 2.0.36) as a stand-alone DSO module for an apache 1.3.3 binary
> RPM package, but I didn't find instructions.

Just since such instructions could not be written at all :-)

> Can anyone suggest me how to build mod_ssl as a stand-alone DSO module ?
> Is already available a RPM module with a DSO version of mod_ssl for such
> a kernel ?

Kernel is not relevant at all (glibc is relevant :-)) and Apache SHOULD BE
patched to use mod_ssl -- even if mod_ssl is used as DSO. KSI-Linux 2.0, for
example, has such patched version of apache and separate module with mod_ssl
at ftp://ftp.ksi-linux.com/pub/Devel/Nostromo for interested ones...
But basically procedure is described in mod_ssl package ...

P.S. PHP is in non-working state there just now :-((






Re: [BugDB] Function index in ssl_engine_vars.c not found! (PR#69)

1998-12-29 Thread Khimenko Victor

29-Dec-98 00:15 you wrote:
> Full_Name: Christian Buysschaert
> Version: 2.1.4-1.3.3
> OS: NT
> Submission from: eagle.tvd.be (195.162.196.13)


> I believe I followed the instruction correctly but I am unable
> to compile Apache, more specifically ApacheModuleSSL.dll.

> The error indicate he couldn't link a function index. Some
> investigation leads me to ssl_engine_vars.c . The function
> ssl_var_lookup_ssl_version seems slightly changed at the
> end in the version 2.1.4 (compared to 2.1.3), namely
> the use of a function index.

> This is function is not found in all sources of mod_ssl.
> This could mean it is a standard C which NT doesn't
> have (although my C is somewhat rusty, I don't recall
> such a function), or it is really missing. I have a feeling it
> should be a shorthand for some stringfunction but I
> haven't been checking the code in detail to know
> exactly what should be the function of index.

This is BSD version of strchr AFAIK. IMO better to use strchr, not index : index
is BSD specific, while strchr is POSIX-required !






Re: Question regarding user-authentication for a site like https:/www....

1998-12-12 Thread Khimenko Victor

12-Dec-98 10:16 you wrote:
> On Fri, Dec 11, 1998, Bruce B. Platt wrote:

>> I have a port 80, non-SSL site created for my family which has user
>> authentication configured as follows in access.conf:
>>
>> AuthName "Restricted Access"
>> AuthType Basic
>> AuthUserFile /usr/local/apache/etc/athorized-users
>> require valid-user
>>
>> I have just installed Apache with mod-ssl which I find a great
>> improvement over Apache-SSL in terms of ease of use.
>>
>> My question is this.
>>
>> I set up a virtual server on port 443 for the above referenced site, using
>> the same lines from access.conf on both the port 80 and the port 443 servers.
>>
>> It appears as if the user-authentication dialog takes place using export
>> grade RC4 and MD5 encryption even though the browser doesn't show a "lock
>> or key" secure symbol while the user-name and password authentication box
>> is presented on the screen.  I suspect this from examining the following
>> lines from the ssl_request_log:
>>
>> [11/Dec/1998:17:15:00 -0500] server.domain.com SSLv3 EXP-RC4-MD5 "GET /
>> HTTP/1.0" 474
>> [11/Dec/1998:17:15:24 -0500] server.domain.com SSLv3 EXP-RC4-MD5 "GET /
>> HTTP/1.0" 2308
>> [11/Dec/1998:17:15:25 -0500] server.domain.com SSLv3 EXP-RC4-MD5 "GET
>> /_derived/index.html_cmp_global100_bnr.gif HTTP/1.0" 3593
>> [11/Dec/1998:17:15:25 -0500] server.domain.com SSLv3 EXP-RC4-MD5 "GET
>> /_themes/global/glotextb.gif HTTP/1.0" 181
>>
>> The first line from the log (above) is written to the log as the user-name
>> and password dialogue box is presented to the browser.  The remaining lines
>> appear in the log after the user has entered their user-name and password,
>> and the index page is retrieved from the server.  The "secure" symbol
>> appears in the browser window at this point.
>>
>> Am I correct in assuming that the username and password which the user
>> enters are encrypted in transmission?

> Yes. The lock icon in Netscape isn't really synchronized with the SSL layer.
> Actually the icon is displayed _after_ the complete webpage was loaded.

Small correction: not when complete webpage will be loaded but when first
part of actual .html text will be loaded (i.e.  will be received :-)

> But the encryption was enabled long time before, of course. In your case, the
> Basic Auth is a facility on the HTTP layer. Under HTTPS below the HTTP layer
> there is the SSL/TLS layer. And before the HTTP layer does any data
> communication the SSL/TLS layer has already done the handshake and switched to
> encryption.

Correct.
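
The log excerpt in the question shows every request negotiated with EXP-RC4-MD5, which the poster identifies as export grade. As an added example (not from the original thread), this C routine reads lines in the layout shown there and flags entries whose cipher name carries OpenSSL's `EXP` prefix; the second and third sample lines and all function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

typedef enum { LINE_MALFORMED = -1, CIPHER_OK = 0, CIPHER_EXPORT = 1 } verdict;

typedef struct {
    char proto[16];    /* e.g. SSLv3 */
    char cipher[64];   /* e.g. EXP-RC4-MD5 */
} tls_fields;

/* Constructed sample input. Line 0 is the first entry quoted in the post,
 * re-joined onto one line; lines 1 and 2 are invented for this example. */
static const char *const SAMPLE[] = {
    "[11/Dec/1998:17:15:00 -0500] server.domain.com SSLv3 EXP-RC4-MD5 \"GET / HTTP/1.0\" 474",
    "[11/Dec/1998:17:20:41 -0500] server.domain.com SSLv3 DES-CBC3-SHA \"GET / HTTP/1.0\" 2308",
    "server.domain.com - - truncated entry without timestamp",
};

/* Layout as shown in the post: [timestamp] host protocol cipher "request" bytes.
 * Fills *out and classifies the line by its cipher name. */
static verdict classify_line(const char *line, tls_fields *out)
{
    const char *end;

    if (line[0] != '[' || (end = strchr(line, ']')) == NULL)
        return LINE_MALFORMED;
    /* skip the host field, then read protocol and cipher with bounded widths */
    if (sscanf(end + 1, " %*s %15s %63s", out->proto, out->cipher) != 2)
        return LINE_MALFORMED;
    return strncmp(out->cipher, "EXP", 3) == 0 ? CIPHER_EXPORT : CIPHER_OK;
}

/* Count entries negotiated with an export-grade cipher. */
static int count_export(const char *const *lines, size_t n)
{
    tls_fields f;
    size_t i;
    int hits = 0;

    for (i = 0; i < n; i++)
        if (classify_line(lines[i], &f) == CIPHER_EXPORT)
            hits++;
    return hits;
}

int main(void)
{
    size_t i, n = sizeof SAMPLE / sizeof SAMPLE[0];
    tls_fields f;

    for (i = 0; i < n; i++) {
        verdict v = classify_line(SAMPLE[i], &f);
        if (v == CIPHER_EXPORT)
            printf("line %lu: export-grade cipher %s over %s\n",
                   (unsigned long)i, f.cipher, f.proto);
        else if (v == LINE_MALFORMED)
            printf("line %lu: not in the expected layout\n", (unsigned long)i);
    }
    printf("%d export-grade entries\n", count_export(SAMPLE, n));
    return 0;
}
```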






Re: Annc: NetBSD mod_ssl pkgs now available/updated

1998-12-04 Thread Khimenko Victor

3-Dec-98 19:19 you wrote:
> Ops, seems like I was too slow or you too fast. Last weekend I've added full
> APXS support to the distribution. I think this would make your life easier.
> When you're interested you can test my APXS support. I've still not committed
> it for mod_ssl 2.1.x because it's not enough tested.  But it already works
> fine for me. You just have to use --with-apxs instead of --with-apache and
> anything else works magically ;-) Let me know when I can use you as a
> beta-tester for this stuff...

Where could I find this stuff ? It'll be fine to have separate apache
and apache-ssl rpm's for KSI-Linux 2.0 (this way you'll be able use apache
without installation of SSLeay :-)

P.S. And when EAPI changes will be revised ?






Re: ANNOUNCE: 2.1b9-1.3.3 (2.1.0 to-be)

1998-11-17 Thread Khimenko Victor

17-Nov-98 13:47 you wrote:
> On Tue, Nov 17, 1998, Khimenko Victor wrote:

>> 17-Nov-98 11:37 you wrote:
>> >> 2) in Makefile.nt you invoke mod_ssl's makefile with
>> >>
>> >> nmake /nologo CFG="mod_ssl - Win32 %LONG%" -f Makefile
>> >> nmake /nologo CFG="mod_ssl - Win32 %LONG%" -f Makefile clean
>> >> ...
>> >>
>> >> The define CFG="mod_ssl - Win32 %LONG%" has nothing to do here. The
>> >> other .mak need it, because they are generated by DevStudio, and it's
>> >> the way they do it. Our Makefile is hand written. Also nmake looks for
>> >> 'makefile' by default, so no need to use the -f option. You can just
>> >>
>> >> nmake /nologo all # or without 'all'
>> >> nmake /nologo clean
>>
>> > I've removed the CFG=... and added the "all", but the "-f Makefile" I want to
>> > leave as "/f Makefile" just to make sure this "broken platform" tools do what
>> > they should do (perhaps "makefile vs. Makefile" or whatever next M$ break in
>> > new releases of their VC++ stuff :-( ).
>>
>> Makefile and makefile (and MAKEFILE -- in fact this is name of "main file" for
>> nmake) is one file under Windows 9x/NT and nmake will find this file by default
>> (at least nmake from Microsoft C 5.0, Microsoft C 6.0, Microsoft C/C++ 7.0,
>> Microsoft C/C++ 8.0 AKA MS VC++ 1.0, MS VC++ 1.5x, MS VC++ 2.0, MS VC++ 4.x
>> (MS VC++ 3.x was skipped by MS, not by me :-), MS VC++ 5.0 and MS VC++ 6.0).
>> Since nmake was able to find MAKEFILE for last 15 years I bet this will be so
>> in the future as well and if not then Makefile will be not supported at all :-)

> 15 years?

Yes. AFAIK. I've never seen Microsoft C [1-4].x myself but AFAIK nmake was able
to find MAKEFILE starting from first version written back in 1983 for Microsoft
C 1.0 (Microsoft C 1.0 was created to rewrite Windows 1.0 (initially Windows
was written on Pascal (in 1983) but when Turbo Pascal completely and forever
pushed MS Pascal from marketspace (yes, MS was not invincible then) Windows
was rewritten on C but since there was no Microsoft C yet this took two years
(to create Microsoft C 1.0 and then recreate Windows 1.0 with Microsoft C 1.0)
and thus Windows 1.0 was out only in 1985... BTW MS VC++ is only marketing
term. Internally it's Microsoft C/C++ Version 12.00.8168 ...

> For Microsoft this usually doesn't count, of course. But ok, you convinced
> me: I'll remove the "/f Makefile". Thanks for complaining, Trung.







Re: ANNOUNCE: 2.1b9-1.3.3 (2.1.0 to-be)

1998-11-17 Thread Khimenko Victor

17-Nov-98 11:37 you wrote:
>> 2) in Makefile.nt you invoke mod_ssl's makefile with
>>
>> nmake /nologo CFG="mod_ssl - Win32 %LONG%" -f Makefile
>> nmake /nologo CFG="mod_ssl - Win32 %LONG%" -f Makefile clean
>> ...
>>
>> The define CFG="mod_ssl - Win32 %LONG%" has nothing to do here. The
>> other .mak need it, because they are generated by DevStudio, and it's
>> the way they do it. Our Makefile is hand written. Also nmake looks for
>> 'makefile' by default, so no need to use the -f option. You can just
>>
>> nmake /nologo all # or without 'all'
>> nmake /nologo clean

> I've removed the CFG=... and added the "all", but the "-f Makefile" I want to
> leave as "/f Makefile" just to make sure this "broken platform" tools do what
> they should do (perhaps "makefile vs. Makefile" or whatever next M$ break in
> new releases of their VC++ stuff :-( ).

Makefile and makefile (and MAKEFILE -- in fact this is name of "main file" for
nmake) is one file under Windows 9x/NT and nmake will find this file by default
(at least nmake from Microsoft C 5.0, Microsoft C 6.0, Microsoft C/C++ 7.0,
Microsoft C/C++ 8.0 AKA MS VC++ 1.0, MS VC++ 1.5x, MS VC++ 2.0, MS VC++ 4.x
(MS VC++ 3.x was skipped by MS, not by me :-), MS VC++ 5.0 and MS VC++ 6.0).
Since nmake was able to find MAKEFILE for last 15 years I bet this will be so
in the future as well and if not then Makefile will be not supported at all :-)







Re: mod_ssl 2.1 User Manual (preview)

1998-11-15 Thread Khimenko Victor

14-Nov-98 15:01 you wrote:

> The last days I spent a lot of time to create the new User Manual for the
> forthcoming 2.1.0 release. The current state is that all chapters except for
> Chapter 4 (Compatibility) are now finished (at least IMHO ;-). So you now can
> have a preview under

>   http://www.engelschall.com/sw/mod_ssl/docs/2.1/

> The idea behind this new user manual is:

> 1. Although it's a HTML/online document, it's prepared
>    to form a nice paper/offline document when printed
>    via Postscript from Netscape 4.x.

May be better to put .ps and .pdf files for download as well ?

> 2. It's a lot more comprehensive than the mod_ssl 2.0 documentation.
>    Especially because it now contains a large SSL introduction chapter to
>    smooth the nasty stone-path new users have to walk when they want to use
>    SSL with Apache.

> 3. It provides a lot more details on SSL directives. For instance
>    the first time the SSLCipherSuite (in the past SSLRequiredCiphers)
>    is documented, etc.

> Please give me your opinion.

Looks good except one problem: only 1/3 of my screen is used! Text looks like
narrow column in the middle of screen and 2/3 of screen is just wasted :-((
BTW other pages on http://www.engelschall.com are also less than 1/2 of screen
(usually on left) and this nasty blue bar on right :-(( Gosh.

P.S. Yes, I know: I'm stupid geek who use full-screen browser in 1800x1440 for
web-surfing but still there are A LOT OF web sites with more or less
appropriate look (http://www.linuxhq.com, http://lwn.net/, http://www.apache.org,
http://www.linuxworld.com, http://www.apacheweek.com, http://stashdot.org,
http://www.linux.org.uk/, http://www.netcraft.com/ to name a few) but not
http://www.cnet.com or http://www.engelschall.com :-((





New hooks API, patch6

1998-11-14 Thread Khimenko Victor

Changes from patch4: return types and declined values support (API changed)
Changes from patch5: use of 'inline' for C++ (API not changed)

 SYNOPSIS

   Main Setup:
 void ap_hook_init (void);
 void ap_hook_kill (void);

   Hook Configuration and Registration:
 ap_hook_define_client(hook_name,ret_value,hook_parameters,hook_call,decline_value);
 int  ap_hook_configure_hook_name(ap_hook_mode modeid);
 int  ap_hook_unconfigure_hook_name();

 ap_hook_define_server(hook_name,ret_value,hook_parameters,hook_call);
 int  ap_hook_register_hook_name(ret_value (*func)hook_parameters);
 int  ap_hook_unregister_hook_name(ret_value (*func)hook_parameters);

 ap_hook_define_client_global(mod_name,hook_name,ret_value,hook_parameters,hook_call,decline_value);
 ap_hook_define_client_realize(mod_name,hook_name,hook_parameters,hook_call);
 int  ap_hook_mod_name_configure_hook_name(ap_hook_mode modeid);
 int  ap_hook_mod_name_unconfigure_hook_name();

 ap_hook_define_server_global(mod_name,hook_name,ret_value,hook_parameters,hook_call);
 ap_hook_define_server_realize(mod_name,hook_name,hook_parameters,hook_call);
 int  ap_hook_mod_name_register_hook_name(ret_value (*func)hook_parameters);
 int  ap_hook_mod_name_unregister_hook_name(ret_value (*func)hook_parameters);

   Hook Usage:
 int   ap_hook_configured_hook_name();
 int   ap_hook_registered_hook_name();
 int   ap_hook_registered_func_hook_name(ret_value (*func)hook_parameters);
 ret_value ap_hook_call_name(hook_parameters);

 int   ap_hook_mod_name_configured_hook_name();
 int   ap_hook_mod_name_registered_hook_name();
 int   ap_hook_mod_name_registered_func_hook_name(ret_value (*func)hook_parameters);
 ret_value ap_hook_mod_name_hook_name(hook_parameters);

 DESCRIPTION

   This implements a generic hook interface for Apache which can be used
   for loosely coupled code through arbitrary hooks. There are two use cases
   for this mechanism:

   1. Inside a specific code section you want to perform a specific
  function call. But you want to allow one or even more modules to
  override this function call by registering hook functions.  Those
  functions are registered on a stack and could return TRUE or FALSE.
  As long as there are functions which return FALSE value the next
  function on the stack is tried.  When a function returns TRUE the
  hook call stops.  The intent of this usage is to not hard-code
  function calls.  Note that the only return type allowed for hooks
  is int and only two values could be returned: TRUE and FALSE. If
  you want other return types or values use wrappers (see sample below).

   2. Inside a specific code you have a function you want to export.
  But you first want to allow other code to override this function.
  And second you want to export this function without real linker
  symbol references. Instead you want to register the function and let
  the users call this function via name. The intent of this usage is to
  allow inter-module communication without direct symbol references,
  which are a big NO-NO for the DSO situation.

   And we have one major design goal: The hook call should be very similar
   to the corresponding direct function call while still providing maximum
   flexibility, i.e. any function signature (the set of types for the return
   value and the arguments) should be supported.

   Using this hook interface is always a four-step process (but see also
   "NOTE for DSO modules" below!):

   1. Initialize or destroy the hook mechanism inside your main program:

  ap_hook_init();
  :
  ap_hook_kill();

   2. Define and configure a particular hook by specifying its name and
  argument types:

  ap_hook_define_client(lookup,void *,(void *x),(x),NULL);
  ap_hook_define_client(echo,int,(void *x),(x),0);

  ap_hook_configure_lookup(AP_HOOK_NORMAL);
  ap_hook_configure_echo(AP_HOOK_TOPMOST);

  This configures two hooks:
  - A hook named "lookup" with the signature "lookup(void **,void *)"
and default return semantic.
  - A hook named "echo" with the signature "echo(int *,void *)" and a
return code semantic which says: Only the top most function on the
registered function stack is tried, independent of what value it
returns.

   3. Define and register the actual functions which should be used by
  the hook:

  ap_hook_define_server(lookup,void *,(void *x),(x));
  ap_hook_define_server(echo,int,(void *x),(x));

  ap_hook_register_lookup(mylookup);
  ap_hook_register_echo(myecho);

  This registers the function mylookup() under the "lookup" hook and
  function myecho() under the "echo" hook.

   4. Finally use the hook, i.e. instead of using direct function calls
  like

 vp = mylookup("foo");
 n  = myecho("bar");

  you now

New hooks API documentation

1998-11-13 Thread Khimenko Victor

/*
 *  SYNOPSIS
 *
 *Main Setup:
 *  void ap_hook_init (void);
 *  void ap_hook_kill (void);
 *
 *Hook Configuration and Registration:
 *  ap_hook_define_client(hook_name,hook_parameters,hook_call);
 *  int  ap_hook_configure_hook_name(ap_hook_mode modeid);
 *  int  ap_hook_unconfigure_hook_name();
 *
 *  ap_hook_define_server(hook_name,hook_parameters,hook_call);
 *  int  ap_hook_register_hook_name(int (*func)hook_parameters);
 *  int  ap_hook_unregister_hook_name(int (*func)hook_parameters);
 *
 *  ap_hook_define_client_global(mod_name,hook_name,hook_parameters,hook_call);
 *  ap_hook_define_client_realize(mod_name,hook_name,hook_parameters,hook_call);
 *  int  ap_hook_mod_name_configure_hook_name(ap_hook_mode modeid);
 *  int  ap_hook_mod_name_unconfigure_hook_name();
 *
 *  ap_hook_define_server_global(mod_name,hook_name,hook_parameters,hook_call);
 *  ap_hook_define_server_realize(mod_name,hook_name,hook_parameters,hook_call);
 *  int  ap_hook_mod_name_register_hook_name(int (*func)hook_parameters);
 *  int  ap_hook_mod_name_unregister_hook_name(int (*func)hook_parameters);
 *
 *Hook Usage:
 *  int  ap_hook_configured_hook_name();
 *  int  ap_hook_registered_hook_name();
 *  int  ap_hook_registered_func_hook_name(int (*func)hook_parameters);
 *  int  ap_hook_hook_name(hook_parameters);
 *
 *  int  ap_hook_mod_name_configured_hook_name();
 *  int  ap_hook_mod_name_registered_hook_name();
 *  int  ap_hook_mod_name_registered_func_hook_name(int (*func)hook_parameters);
 *  int  ap_hook_mod_name_hook_name(hook_parameters);
 *
 *  DESCRIPTION
 *
 *This implements a generic hook interface for Apache which can be used
 *to loosely couple code through arbitrary hooks. There are two use cases
 *for this mechanism:
 *
 *1. Inside a specific code section you want to perform a specific
 *   function call. But you want to allow one or even more modules to
 *   override this function call by registering hook functions.  Those
 *   functions are registered on a stack and could return TRUE or FALSE.
 *   As long as there are functions which return FALSE value the next
 *   function on the stack is tried.  When a function returns TRUE the
 *   hook call stops.  The intent of this usage is to not hard-code
 *   function calls.  Note that the only return type allowed for hooks
 *   is int and only two values could be returned: TRUE and FALSE. If
 *   you want other return types or values use wrappers (see sample below).
 *
 *2. Inside a specific code you have a function you want to export.
 *   But you first want to allow other code to override this function.
 *   And second you want to export this function without real linker
 *   symbol references. Instead you want to register the function and let
 *   the users call this function via name. The intent of this usage is to
 *   allow inter-module communication without direct symbol references,
 *   which are a big NO-NO for the DSO situation.
 *
 *And we have one major design goal: The hook call should be very similar
 *to the corresponding direct function call while still providing maximum
 *flexibility, i.e. any function signature (the set of types for arguments)
 *should be supported.  If you need a return value, use wrappers.
 *
 *Using this hook interface is always a four-step process (but see also
 *"NOTE for DSO modules" below!):
 *
 *1. Initialize or destroy the hook mechanism inside your main program:
 *
 *   ap_hook_init();
 *   :
 *   ap_hook_kill();
 *
 *2. Define and configure a particular hook by specifying its name and
 *   argument types:
 *
 *   ap_hook_define_client(lookup,(void **r,void *x),(r,x));
 *   ap_hook_define_client(echo,(int *r,void *x),(r,x));
 *
 *   ap_hook_configure_lookup(AP_HOOK_NORMAL);
 *   ap_hook_configure_echo(AP_HOOK_TOPMOST);
 *
 *   This configures two hooks:
 *   - A hook named "lookup" with the signature "lookup(void **,void *)"
 * and default return semantic.
 *   - A hook named "echo" with the signature "echo(int *,void *)" and a
 * return code semantic which says: Only the top most function on the
 * registered function stack is tried, independent of what value it
 * returns.
 *
 *3. Define and register the actual functions which should be used by
 *   the hook:
 *
 *   ap_hook_define_server(lookup,(void **r,void *x),(r,x));
 *   ap_hook_define_server(echo,(int *r,void *x),(r,x));
 *
 *   static int mylookup_wrapper(void **r,void *x) {
 * *r=mylookup(x);
 * if (*r) return TRUE; else return FALSE;
 *   }
 *   static int myecho_wrapper(int *r,void *x) {
 * *r=myecho(*r,x);
 * return TRUE;
 *   }
 *
 *   ap_hook_register_lookup(mylookup);
 *   ap_hook_register_echo(myech

Re: Hew hooks API. Second try

1998-11-12 Thread Khimenko Victor

12-Nov-98 08:48 you wrote:
> On Thu, Nov 12, 1998 at 12:52:10AM +0300, Khimenko Victor wrote:
>> No more hacks in mod_so. Instead all modules unregister hooks before unload.
>> Also some slightly non-portable defines (still ANSI compliant AFAIK) moved
>> into a few separate defines at the top of ap_hook.h, and new ap_hook_define_global/
>> ap_hook_define_realize to make hooks more usable in multi-file client modules.

> With --enable-shared=proxy I get...:

> cc -c  -I../../os/unix -I../../include -I/usr/include -I/mx3_54/local/include  
>-DSVR4 -D_XPG_IV -DHAS_DLFCN -DUSE_MMAP_FILES -DUSE_SYSVSEM_SERIALIZED_ACCEPT 
>-DNEED_UNION_SEMUN -DMOD_SSL=201009 -DUSE_HSREGEX -DEAPI -KPIC -DSHARED_CORE 
>-DSINIX_D_RESOLVER_BUG `../../apaci` mod_proxy.c
  ^^
> mod_proxy.c   215: [warning]:   'struct ap_hook_mod_proxy_struct_ap_proxy_canon of 
>size 0' undefined (access to structure member 'hook_addr')
> mod_proxy.c   215: [error]: 'hook_addr' not a member of any 'struct' or 'union'
> mod_proxy.c   215: [error]: a 'int' is not a function
> mod_proxy.c   215: [warning]:   'struct ap_hook_mod_proxy_struct_ap_proxy_canon of 
>size 0' undefined (access to structure member 'next')
> mod_proxy.c   215: [warning]:   'next' member of 'struct module_struct of size 112 
>and others' and not of 'struct ap_hook_mod_proxy_struct_ap_proxy_canon of size 0'
> mod_proxy.c   215: [error]: 'next' is ambiguous
> mod_proxy.c   215: [warning]:   'ptr to struct module_struct of size 112' converted 
>to 'ptr to struct ap_hook_mod_proxy_struct_ap_proxy_canon of size 0'
> mod_proxy.c   215: [warning]:   'ptr to struct 
>ap_hook_mod_proxy_struct_ap_proxy_canon of size 0' = 'ptr to struct module_struct of 
>size 112'

Oops. I'm an idiot... I forgot to test this for non-gcc compilers (by eye, of
course, as I do not have non-gcc compilers here :-) Test this one...

P.S. BTW what compiler was it ?


 EAPI-2-EAPIk-4-2.1b9-SNAP.patch3.gz


Hew hooks API. Second try

1998-11-12 Thread Khimenko Victor

No more hacks in mod_so. Instead all modules unregister hooks before unload.
Also some slightly non-portable defines (still ANSI compliant AFAIK) moved
into a few separate defines at the top of ap_hook.h, and new ap_hook_define_global/
ap_hook_define_realize to make hooks more usable in multi-file client modules.


 EAPI-2-EAPIk-4-2.1b9-SNAP.patch2.gz
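The hook semantics discussed in these messages (a typed handler stack per hook, normal versus topmost dispatch, results passed back through a pointer by wrapper-style handlers, and handlers taken off the list before a module is unloaded), as an added example that is not code from the thread or from the EAPI patches. All `hook_*` and `demo_*` names, the handler functions and the sample keys are hypothetical, and the sketch assumes a single translation unit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TRUE  1
#define FALSE 0

/* Dispatch modes modelled on AP_HOOK_NORMAL / AP_HOOK_TOPMOST from the page. */
typedef enum { HOOK_NORMAL, HOOK_TOPMOST } hook_mode;

/* Generates a typed handler stack for one hook. All hook_* names are
 * hypothetical; functions are non-static because this demo is one file. */
#define HOOK_DEFINE(name, signature, params)                                \
    typedef int (*hook_fn_##name) signature;                                \
    static struct hook_node_##name {                                        \
        hook_fn_##name fn;                                                  \
        struct hook_node_##name *next;                                      \
    } *hook_top_##name = NULL;                                              \
    static hook_mode hook_mode_##name = HOOK_NORMAL;                        \
    void hook_configure_##name(hook_mode m) { hook_mode_##name = m; }       \
    int hook_register_##name(hook_fn_##name fn) {                           \
        struct hook_node_##name *n;                                         \
        if (fn == NULL) return FALSE;     /* never store a NULL target */   \
        n = malloc(sizeof *n);                                              \
        if (n == NULL) return FALSE;                                        \
        n->fn = fn;                                                         \
        n->next = hook_top_##name;        /* push: newest is tried first */ \
        hook_top_##name = n;                                                \
        return TRUE;                                                        \
    }                                                                       \
    /* Removes every entry pointing at fn and returns how many were     */  \
    /* removed, so no pointer into an unloaded module stays on the list */  \
    int hook_unregister_##name(hook_fn_##name fn) {                         \
        struct hook_node_##name **pp = &hook_top_##name;                    \
        int removed = 0;                                                    \
        while (*pp != NULL) {                                               \
            if ((*pp)->fn == fn) {                                          \
                struct hook_node_##name *dead = *pp;                        \
                *pp = dead->next;                                           \
                free(dead);                                                 \
                removed++;                                                  \
            } else {                                                        \
                pp = &(*pp)->next;                                          \
            }                                                               \
        }                                                                   \
        return removed;                                                     \
    }                                                                       \
    /* NORMAL: try handlers until one returns TRUE.                     */  \
    /* TOPMOST: try only the newest handler, whatever it returns.       */  \
    int hook_call_##name signature {                                        \
        struct hook_node_##name *p;                                         \
        for (p = hook_top_##name; p != NULL; p = p->next) {                 \
            int rc = p->fn params;                                          \
            if (rc || hook_mode_##name == HOOK_TOPMOST) return rc;          \
        }                                                                   \
        return FALSE;                                                       \
    }

HOOK_DEFINE(lookup, (const char **r, const char *key), (r, key))
HOOK_DEFINE(echo, (int *r, int x), (r, x))

/* Handlers return TRUE when they handled the call; the value travels via r. */
static int core_lookup(const char **r, const char *key) {
    if (strcmp(key, "core") != 0) return FALSE;
    *r = "core-value";
    return TRUE;
}
static int ssl_lookup(const char **r, const char *key) { /* stands in for a DSO */
    if (strcmp(key, "ssl") != 0) return FALSE;
    *r = "ssl-value";
    return TRUE;
}
static int base_echo(int *r, int x) { *r = x;  return TRUE; }
static int top_echo(int *r, int x)  { *r = -x; return FALSE; }

void demo_setup(void) {
    hook_register_lookup(core_lookup);
    hook_register_lookup(ssl_lookup);      /* now on top of core_lookup */
    hook_configure_echo(HOOK_TOPMOST);
    hook_register_echo(base_echo);
    hook_register_echo(top_echo);          /* the only one TOPMOST will try */
}

const char *demo_lookup(const char *key) {
    const char *r = NULL;
    return hook_call_lookup(&r, key) ? r : NULL;
}

int demo_echo(int x) { int r = 0; hook_call_echo(&r, x); return r; }

/* What a module does just before unload: take its handlers off the hook. */
int demo_unload_ssl(void) { return hook_unregister_lookup(ssl_lookup); }

int main(void) {
    demo_setup();
    printf("core -> %s\n", demo_lookup("core"));
    printf("ssl  -> %s\n", demo_lookup("ssl"));
    printf("echo(7), topmost -> %d\n", demo_echo(7));
    printf("unregistered %d handler(s)\n", demo_unload_ssl());
    printf("ssl after unload -> %s\n", demo_lookup("ssl") ? "handled" : "not handled");
    return 0;
}
```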


Re: New hooks API

1998-11-11 Thread Khimenko Victor


On Wed, 11 Nov 1998, Martin Kraemer wrote:

> On Tue, Nov 10, 1998 at 08:03:54PM +0300, Khimenko Victor wrote:
> > May be while Ralf is busy with documentation things someone could take a look
> > on subj. This is just "working demo", but it's working enough to be usable as
> > replacement for mod_ssl 2.1b8 ! PLEASE, take a look and make suggestions. IMO
> 
> I like it. Can I use it in my own projects?
> 
Oops. Completely forgot about copyright problem :-(( Add the following in
the ap_hook.c and use as permitted:
-- cut --
/* ========
 * Copyright (c) 1998 Khimenko Victor. All rights reserved.
 *
 * Choose one of two licenses:
 *
 * 
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *notice, this list of conditions and the following
 *disclaimer in the documentation and/or other materials
 *provided with the distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *software must display the following acknowledgment:
 *"This product includes software developed by 
 * Khimenko Victor <[EMAIL PROTECTED]> for use in the
 * mod_ssl project (http://www.engelschall.com/sw/mod_ssl/)."
 * except when used in mod_ssl-derived or Apache-derived products.
 *
 * 4. The names "mod_ssl" must not be used to endorse or promote
 *products derived from this software without prior written
 *permission. For written permission, please contact
 *[EMAIL PROTECTED]
 *
 * 5. Products derived from this software may not be called "mod_ssl"
 *nor may "mod_ssl" appear in their names without prior
 *written permission of Ralf S. Engelschall.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *"This product includes software developed by 
 * Khimenko Victor <[EMAIL PROTECTED]> for use in the
 * mod_ssl project (http://www.engelschall.com/sw/mod_ssl/)."
 *
 * THIS SOFTWARE IS PROVIDED BY KHIMENKO VICTOR ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL KHIMENKO VICTOR OR
 * HIS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * 
 *
 * This is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Library General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This code is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Library General Public License (http://www.gnu.org/copyleft/lgpl.html)
 * for more details.
 * =
 */
-- cut --

> Pro's:
> *   Strong prototyping & type checking
> (on a "by function" basis). => No need to pre-define the "allowed" signatures.
> 
> *   Elegant automatic wrapping of the called functions into inlined functions
> (prerequisite for the strong typechecking)
> 
> Con's:
> *   Should be run thru indent to conform to Ralf's coding style
> (no offense intended ;-)
> 
> Questions:
> * In the following code snippet, we create a static ap_hook_start_##hook_name
>   pointer "per module" (i.e., for each module that includes the header).
>   Shouldn't it be a global list that's shared between modules? And if yes, you
>   can't initialize it to NULL.
>   +static struct ap_hook_struct_##hook_name {   \
>   +  ap_hook_func_##hook_name hook_addr;\
>   +  struct ap_hook_struct_##hook_name* next;   \
>   +} *a

Re: mod_ssl 2.1b9 SNAP: please test

1998-11-10 Thread Khimenko Victor

In <[EMAIL PROTECTED]> [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
 r> In <[EMAIL PROTECTED]> Ralf S. Engelschall 
([EMAIL PROTECTED]) wrote:

RE>> Hello mod_ssl hackers,

RE>> I've prepared the new mod_ssl distribution layout (actually I wrote new
RE>> programs which generate it for me ;_), incorporated all latest cleanups and
RE>> patches and I'm now updating the documentation for 2.1b9/2.1.0.  In the
RE>> meantime I would appreciate when you can (re-)test the code and watch the code
RE>> through your expert eyes to make sure that it's still stable and working as
RE>> expected (because of the cleanups I had to re-adjust a lot of code again).

 r> Still my patches applied almost without rejects :-)

RE>> PS: Especially under Win32 I hope all works now fine (again). I've included the
RE>> init round patch and also tried to update the configure.bat file the same
RE>> way the Unix configure script was overhauled. Trung, I hope you again find
RE>> the bugs on this platform for us.

RE>> Please try to test both the DSO and non-DSO situations when it's possible for
RE>> you (i.e. Apache supports DSO on your platform).

 r> DSO version works here.

Oops. Wrong version was attached :-(( Just two lines in mod_so.c and mod_ssl is
not working at all :-((

P.S. Still my solution looks like an ugly hack -- maybe there exists a
better solution for the problem... Anyway your solution is even more vulnerable
since (as I understood it) it heavily depends on standard behaviour of the
loader: after unload and reload all modules will be pushed back at the same
address. I'm not sure if that's the case for all systems where DSO is supported...



 EAPI-2-EAPIk-4-2.1b9-SNAP.patch.bz2


Re: EAPI = bloatware ? Of I'm just confused ...

1998-11-09 Thread Khimenko Victor

8-Nov-98 12:03 you wrote:
> On Sun, Nov 08, 1998, Khimenko Victor wrote:

>> EAPI = bloatware ? Of I'm just confused ...

>  Not intentionally bloatware, of course. More the result of trying to
> combine three major requirements: portability (full ANSI C compliant),
> functionality (works with the ugly Apache API restrictions and pitfalls) and
> minimum API (to reduce the source patching to a minimum and provide a
> intuitive ap_hook_xx interface).

> So the current design is more the result of trying to integrate the
> requirements. But perhaps I've integrated it too complex. This can be the
> case, of course. Here you can help me to simplify it now...

This is my try to simplify things :-) Take a look at the attachment. This is not
a full solution, but rather a "working demo". This is a patch for mod_ssl 2.1b8 to
use my approach (still horribly slow on startup but lightning fast on actual
calls to hooks). Just "bare bones" -- no context handling and such, but
working...

>> After a look at EAPI I could not understand why it's designed to be so bloated
>> and slow. Why is another (MUCH simpler) design unacceptable:
>>
>> /* Typed handler list per hook; the inline caller stops at the first handler returning non-zero. */
>> #define hook_define(hook_name,hook_signature,hook_params)        \
>> extern struct hook_struct_##hook_name {                          \
>>   int (*hook_addr)hook_signature;                                \
>>   struct hook_struct_##hook_name* next;                          \
>> } *hook_start_##hook_name;                                       \
>> static __inline__ int hook_call_##hook_name hook_signature {     \
>>   struct hook_struct_##hook_name *p=hook_start_##hook_name;      \
>>   while (p) {                                                    \
>>     if (p->hook_addr hook_params ) return 1;                     \
>>     p=p->next;                                                   \
>>   }                                                              \
>>   return 0;                                                      \
>> }
>>
>> Then you'll use this all like
>> hook_define(Great_hook,(char x,void ** y,int(z)(char,int)),(x,y,z))
>> in .h file (to be included in both "client" module and "server" module) and
>> hook_register(Great_hook) in the initialization of client_module plus
>> hook_enable(Great_hook) in the initialization of server_module. Then all
>> hook calls (hook_call_Great_hook('a',&p,f) :-) will be just a few comparisons
>> instead of a lookup in a string table. 10-15 times faster when a simple hook is used
>> (almost the same speed as a simple function call!) and 100+ times faster when
>> hooks are not used. Of course the current approach is acceptable for mod_ssl
>> (encryption is slow by itself) but it's not acceptable as a generic hook
>> mechanism (IMO, anyway). And even for mod_ssl it's not so good since this will
>> slow down a non-SSL server as well. Or have I misunderstood something ?
>>
>> P.S. Of course this is only a schematic description -- you'll need a pool to keep
>> track of pools, etc. But with the current approach, when there are a lot of
>> hooks, each and every rputc will lead to a lookup in a big string table ! Clearly
>> inappropriate IMO :-((

> Correct, Martin Kraemer and I already recognized that the string comparisons
> can be too slow (although regarding Deans performance statements on the
> non-optimized ap_table_xxx stuff the performance penalty for
> string-comparisons is not such noticeable as one might expect. The real
> performance problems is I/O in Apache).

In fact I'm not sure that string comparisons ON SERVER STARTUP are too slow.
Of course if apache is used via inetd this could be the case, but AFAIK most
installations are standalone and startup time is not such a big problem...
Of course the current approach has speed n*n (where n -- number of hooks) and
it's slow (better to have n*log n :-) but it's only a "working demo".

> But we can for instance optimize the EAPI stuff to use numeric IDs through a
> hash-table instead of strings as the unique identifiers.  So, you're right
> that we can optimize EAPI a lot. But this doesn't mean we also can replace it
> directly with your non-bloated inline-approach, IMHO. These are two totally
> different things.

Not so different after all :-)) I want to inline (where inline is
supported :-) only actual hook calls (including setup for already set-up hooks
since this is required for each call in mod_proxy). This is done (see patch).
It works. At least here (KSI-Linux 2.0 beta, SSLeay 0.9.0b shared, mod_ssl DSO,
etc).

> Let me explain the design behind the EAPI stuff a little bit: I've thought
> about a pre-processing based approach first, of course.  Because this way I
> could avoid

EAPI = bloatware ? Of I'm just confused ...

1998-11-08 Thread Khimenko Victor

EAPI = bloatware ? Of I'm just confused ...

After a look at EAPI I could not understand why it's designed to be so bloated
and slow. Why is another (MUCH simpler) design unacceptable:

/* Typed handler list per hook; the inline caller stops at the first handler returning non-zero. */
#define hook_define(hook_name,hook_signature,hook_params)        \
extern struct hook_struct_##hook_name {                          \
  int (*hook_addr)hook_signature;                                \
  struct hook_struct_##hook_name* next;                          \
} *hook_start_##hook_name;                                       \
static __inline__ int hook_call_##hook_name hook_signature {     \
  struct hook_struct_##hook_name *p=hook_start_##hook_name;      \
  while (p) {                                                    \
    if (p->hook_addr hook_params ) return 1;                     \
    p=p->next;                                                   \
  }                                                              \
  return 0;                                                      \
}

Then you'll use this all like
hook_define(Great_hook,(char x,void ** y,int(z)(char,int)),(x,y,z))
in .h file (to be included in both "client" module and "server" module) and
hook_register(Great_hook) in the initialization of client_module plus
hook_enable(Great_hook) in the initialization of server_module. Then all
hook calls (hook_call_Great_hook('a',&p,f) :-) will be just a few comparisons
instead of a lookup in a string table. 10-15 times faster when a simple hook is used
(almost the same speed as a simple function call!) and 100+ times faster when
hooks are not used. Of course the current approach is acceptable for mod_ssl
(encryption is slow by itself) but it's not acceptable as a generic hook
mechanism (IMO, anyway). And even for mod_ssl it's not so good since this will
slow down a non-SSL server as well. Or have I misunderstood something ?

P.S. Of course this is only a schematic description -- you'll need a pool to keep
track of pools, etc. But with the current approach, when there are a lot of
hooks, each and every rputc will lead to a lookup in a big string table ! Clearly
inappropriate IMO :-((



__
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



Re: User Interface bug or fundamental SSL bug?

1998-11-05 Thread Khimenko Victor



On Wed, 4 Nov 1998, James wrote:

> > Weird. I'm ready to got such question from dumb Winblows user but from
> > Linux user... Unbelievable :-((
> 
> I'm sorry you misunderstood.  That was not a question so much as a
> rhetorical question, a comment on the Navigator user interface.
> 
Oops.

> > Use mod_ssl logs or such not Netscape lock icon (BTW lock icon in Netscape
> > shows state of RECEIVED document, not state of connection AFAIK)!!!
> 
> You see, it is not good to have to tell customers "I know it looks like your
> password is insecure, but, hey, just trust us..."  Customers don't care
> about mod_ssl logs or packet dumps.
> 
Yes. And there is a trick: make an ssl-enabled "welcome page" with a link
(or button) to the password protected page. When the "welcome page" is
downloaded the lock will be in the locked state and will not be unlocked even when
you are asked for the password :-)

> > Are you on drugs ? I could not find other explanation for this try to find
> > SOMETHING about SSL via Netscape buttons!
> 
> Actually, I sent this to the mod_ssl mailing list in the hopes that you
> might pressure Netscape to change their user interface. (Hint, hint...)
> 
> > In reality not just handshake must be completed but the whole document
> > must be downloaded...
> 
> Yep, that's the problem...
> 
In fact it turned out that the lock locks after the first received packet
with actual data :-) Still too late maybe :-((

> >> It seems reasonable to expect that, when accessing a secure server, a
> >> session key would be exchanged _before_ any other communication between
> >> the server and browser.  Superficially, this does _not_ seem to be the
> >> case with Netscape's Communicator.
> 
> > Of course it is the case with Netscape Communicator, Lynx-SSL and even %$%
> > MS IE...
> 
> Glad to have that confirmed.  Thanks.
> 
In fact all information is encrypted in HTTPS ! Even the URL goes encrypted !




Re: Building mod_ssl without apache source?

1998-11-04 Thread Khimenko Victor

3-Nov-98 09:37 you wrote:
> So far mod_ssl can only be built with apache sources. I've taken a look at
> mod_php3 and it can be built without the apache sources (just the header
> files).
Yes, but mod_php3 is HORRIBLE here. The right sample would be mod_perl 1.15 or
1.17 (mod_php3 does not use options stored in apxs and thus compiling php3
in an SSL-aware Apache is a little tricky). In mod_perl 1.15_01 and 1.16 there is
a small error exactly in DSO support :-((

> Is there any way to build mod_ssl as a module without having the apache
> sources.
No and not planned in near future.

> I think it would be very useful when building RPMs.
Unfortunately it's not possible -- it's not a technical question but rather
a political one :-((

> I think in mod_php3 they use something called apaci (I'm not familiar with
> this).
Not apaci but apxs of course, and as you could guess a lot of people here
(including Ralf who is more familiar than most of us :-)) know a lot about
apaci and apxs...

> Is anything similar planned for mod_ssl?
More or less. Something is done in 2.1.b7...

> I'd love just to install mod_ssl to my existing apache installation, and
> not installing a complete new apache.
It's not possible.

> Are there any cons against this approach?
Exactly one but a GIANT one: such hooks will make Apache non-exportable from the US
and thus will lead to a split in Apache development. This is completely
inappropriate. You could grab 2.1.b8 and create two RPMs : one with patched
Apache and one with mod_ssl DSO (I plan to do this when I have spare
time :-) But you could not add mod_ssl to unpatched Apache in any way :-((
It was discussed here many times...






Re: User Interface bug or fundamental SSL bug?

1998-11-04 Thread Khimenko Victor

3-Nov-98 23:54 you wrote:
> In communicator-pro-v406-export.x86-unknown-linux2.0-glibc2.tar.gz

> It seems reasonable to expect that, when accessing a secure server, a
> session key would be exchanged _before_ any other communication between the
> server and browser.  Superficially, this does _not_ seem to be the case with
> Netscape's Communicator.

Of course it is the case with Netscape Communicator, Lynx-SSL and even %$% MS IE...

> When Communicator accesses a password protected secure site for the first
> time, first, I receive a certificate dialog box, second, I receive a
> password dialog box, third, I receive a secure document dialog box, fourth,
> I receive the web page, and lastly, the lock icon locks.  Now this bit with
  ^^  ^^^
> the lock icon is what doesn't give me that warm-fuzzy-feeling.

That is, even if you got an encrypted page the lock icon locks only AFTER the web page was
received!

> Perhaps this is just bad user-interface design on Netscape's part.  I would
> have expected the lock icon to lock second, right after the certificate
> dialog box, and _before_ the the password dialog box.  I am skeptical that
> this would not be what occurs in practice, but I've got to find out.

Looks like you have never programmed such packages :-(( Of course the state of the icon
in Netscape will not be changed till the handshake (at least the handshake) is
completed! In reality not just the handshake must be completed but the whole
document must be downloaded...

> Alternatively, the lock icon does, in fact, display the true state of the
> SSL negotiation, WHICH IS WHAT IT SHOULD DO, and, in fact, Communicator is
> sending the secure site password in clear text, and is not very useful as a
> secure browser.

> So, please, which is it?

Just the COMPLETELY wrong instrument selected for the job. Usage of a big buggy package
(Netscape Communicator) without sources and even without logging ability to find
out something about things deep in SSL ... Are you on drugs ? I could not
find another explanation for this attempt to find out SOMETHING about SSL via Netscape
buttons! This looks like trying to find the state of the appendix via shirt, suit and fur
coat... Use mod_ssl logs or such, not the Netscape lock icon (BTW the lock icon in
Netscape shows the state of the RECEIVED document, not the state of the connection AFAIK) !!!
"In communicator-pro-v406-export.x86-unknown-linux2.0-glibc2.tar.gz" ... Hm.
Weird. I'm ready to get such a question from a dumb Winblows user but from a Linux
user... Unbelievable :-((







Re: Yeah: DSO support for mod_ssl...

1998-10-25 Thread Khimenko Victor

24-Oct-98 18:14 you wrote:

> Now with DSO you're happy: You can combine 1.) and 2.). Why? Because
> you just make one Apache installation with mod_ssl as a DSO. And
> then you you an additional

> 
> LoadModule ssl_module libexec/libssl.so
> 

> in your httpd.conf file. Now you can start the 70% non-SSL-aware httpds via
> "httpd" and the remaining 30% (SSL-aware) httpds with "httpd -DSSL".  Bingo!
> Only one Apache installation required and no RAM penalty for the 70% of your
> non-SSL servers.

Hm.
  1. Why do you need two httpd servers in the first place ?
  2. How much is the memory penalty for an unused mod_ssl ?

So I'm not sure that this will help ISPs at all (you still must reinstall
apache!) while it will help distribution creators (like me :-)...

> More information comes when the DSO stuff is available with 2.1b7 for your own
> testing pleasure. But mainly the only difference you will see is a single
> "--enable-shared=ssl" inside the INSTALL file. Anything else is automatically
> configured. ;-)

It's not good. For distribution creators it would be FAR better to have a separate
patch file for Apache and a separate mod_ssl distribution compilable via apxs ...
BTW the problem with mod_perl is solved:
--- mod_perl.c
+++ mod_perl.c
@@ -690,7 +690,7 @@
 Apache__ServerStarting(FALSE);
 #if MODULE_MAGIC_NUMBER >= MMN_130
 if(perl_module.dynamic_load_handle)
-  register_cleanup(p, NULL, mp_dso_unload, NULL);
+  register_cleanup(p, NULL, mp_dso_unload, null_cleanup);
 #endif
 }
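Review bot: the new fourth argument on the register_cleanup() line needs a short comment saying why the child cleanup has to be a real function (null_cleanup) rather than NULL, because nothing in the hunk records that constraint and a later tidy-up could put NULL back. The file headers (--- mod_perl.c / +++ mod_perl.c) also carry no directory or timestamp, so state which mod_perl release the patch is against and the -p level it applies with.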
It was 100% a mod_perl problem and from the patch itself you should see (as a clever
programmer) why I had this problem while you did not :-)) It was not a
platform-dependent problem either...






Re: Available: mod_perl 1.16

1998-10-07 Thread Khimenko Victor

6-Oct-98 08:12 you wrote:

> This currently was announced on modperl-announce:

> | The URL
> |
> | http://perl.apache.org/dist/mod_perl-1.16.tar.gz
> |
> | has entered CPAN as
> |
> |   file: $CPAN/authors/id/DOUGM/mod_perl-1.16.tar.gz
> |   size: 278243 bytes
> |md5: 0ef261732f91bdefa655e98d9d51d5d2

> I'm totally busy with other mod_ssl things these days but those of you who had
> problems with the Apache+mod_perl+mod_ssl combination last time perhaps want
> to try out this new release.  Give us feedback if it works and if it doesn't
> where problems still exist. Doug also created a INSTALL.simple.mod_ssl file
> in the mod_perl distribution as I recognized via the CVS commit messages.
> Look also at this file and give Doug MacEachern <[EMAIL PROTECTED]> feedback
> when you discover problems.

Thanx for the hint, but... mod_perl 1.16 works the same way as mod_perl 1.15_01

-- cut --
AddModule mod_ssl.c
AddModule mod_perl.c
-- cut --
does not work while
-- cut --
AddModule mod_perl.c
AddModule mod_ssl.c
-- cut --
works just fine. Instead of mod_ssl there could be mod_jserv.c as well.
Without the patch below the child will hang somewhere in cleanup_pool_for_exec().
This patch cures the problem (at least for me) while I'm not sure that this is
the correct solution.

In mod_perl.c I see the following:
-- cut --
#if MODULE_MAGIC_NUMBER >= 19970728
NULL,   /* child_exit *//* mod_perl uses register_cleanup() */
#endif
-- cut --
Looks like this is the problem, but without the patch apache still hangs while it works
with the patch :-(( So this is not the problem (but AFAIK &ap_null_cleanup must be
written here instead of just NULL -- no?).

--- apache_1.3.2/src/main/alloc.c.old   Wed Oct  7 01:17:35 1998
+++ apache_1.3.2/src/main/alloc.c   Wed Oct  7 01:19:13 1998
@@ -1601,7 +1601,7 @@
 static void run_child_cleanups(struct cleanup *c)
 {
 while (c) {
-   if (c->child_cleanup) (*c->child_cleanup) (c->data);
+   (*c->child_cleanup) (c->data);
c = c->next;
 }
 }
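Review bot: as written, the changed line in run_child_cleanups() removes the if (c->child_cleanup) guard, so a cleanup registered with a NULL child_cleanup would be called through a null function pointer in the child. Since the message presents this patch as the cure for a child hanging in cleanup_pool_for_exec(), the old and new sides of the diff look swapped; regenerate it so the guarded line is the + side.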

Maybe this patch will help you to find the "right solution" but for now I have
at least a working hack :-))






Re: trouble getting mod_ssl working

1998-10-06 Thread Khimenko Victor

In <[EMAIL PROTECTED]> Alan Spicer ([EMAIL PROTECTED]) wrote:
AS> * Hello,
AS> Thank you, I will try that to see if that fixes it, while
AS> waiting also to see what Ralf Engelschall says. I thought
AS> it was ok that the name on certificate was different, just
AS> that person with browser had to "accept" that.

No. Netscape will be VERY confused in this case and will show "Document
contains no data". Stupid message! Why not show some informative error ?
Lynx-SSL and s_client (as described below) should work...

AS> Hmm so that means that I filled out one of those lines wrong
AS> when make'ing the test certificate. If that is so then probably I
AS> will not have that problem when I get REAL certificate ;-)

AS> At 07:58 PM 10/5/98 +0400, you wrote:
>>5-Oct-98 15:49 you wrote:
>>> On Mon, Oct 05, 1998, Alan Spicer wrote:
>>
>>>> Red Hat Linux 2.0.34
>>>> Apache 1.3.1
>>>> SSLeay-0.9.0.b
>>>> mod_ssl-2.0.10-1.3.1
>>>>[...]
>>>> I changed the "" to:
>>>>
>>>> and added my virtual host settings in there, and left
>>>> everything else alone. The certificate is the default
>>>> test certificate and it does ask me to:
>>>> Enter PEM pass phrase:
>>>> and tells me that httpd started.
>>>>
>>>> ps ax |grep httpd |less
>>>> shows httpd's up and running:
>>>> as httpd -DSSL (which looks encouraging).
>>>>
>>>> If Netscape is restarted fresh, I get the certificate
>>>> pop-up boxes just fine (encouraging also), but never
>>>> get any pages ... it just times out a few mins later.
>>
>>> H... because you get the certificate dialog in Netscape this means that
>>> SSL is actually spoken on port 443.  Can you connect with "s_client -connect
>>> host:port -debug" and then enter "GET / HTTP/1.0\n\n" and see the HTML welcome
>>> page of Apache?
>>
>>To me this looks like good old problem with certificate :-)) Netscape will be
>>VERY confused (and will show "Document contains no data" message box) if name
>>of server will not match name of user in certificate...
>>
>>
>>
AS> ---
AS> Alan Spicer ([EMAIL PROTECTED])








Re: trouble getting mod_ssl working

1998-10-05 Thread Khimenko Victor

5-Oct-98 15:49 you wrote:
> On Mon, Oct 05, 1998, Alan Spicer wrote:

>> Red Hat Linux 2.0.34
>> Apache 1.3.1
>> SSLeay-0.9.0.b
>> mod_ssl-2.0.10-1.3.1
>>[...]
>> I changed the "" to:
>> 
>> and added my virtual host settings in there, and left
>> everything else alone. The certificate is the default
>> test certificate and it does ask me to:
>> Enter PEM pass phrase:
>> and tells me that httpd started.
>>
>> ps ax |grep httpd |less
>> shows httpd's up and running:
>> as httpd -DSSL (which looks encouraging).
>>
>> If Netscape is restarted fresh, I get the certificate
>> pop-up boxes just fine (encouraging also), but never
>> get any pages ... it just times out a few mins later.

> H... because you get the certificate dialog in Netscape this means that
> SSL is actually spoken on port 443.  Can you connect with "s_client -connect
> host:port -debug" and then enter "GET / HTTP/1.0\n\n" and see the HTML welcome
> page of Apache?

To me this looks like the good old problem with the certificate :-)) Netscape will be
VERY confused (and will show a "Document contains no data" message box) if the name
of the server does not match the name of the user in the certificate...
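
The name check described above, as an added shell example that is not part of the original post: it reads the CN from the certificate a server presents and compares it with the host name the client uses. `cert_cn`, `name_matches` and `check_server` are names chosen here; the wildcard case goes beyond the exact match discussed in the thread, and current clients also consult subjectAltName, which this example does not read.

```shell
#!/bin/sh
# Added example, not from the thread. Needs the openssl command line tool
# only for check_server; the two helpers are plain text processing.

# Print the commonName from "openssl x509 -noout -subject -nameopt multiline"
# output read on stdin. That format prints one attribute per line and escapes
# control characters, so a crafted value cannot fake an extra line.
# If several CNs are present the last (most specific) one is used.
cert_cn() {
    sed -n 's/^ *commonName *= //p' | tail -n 1
}

# Succeed when host matches the certificate name: case-insensitive equality,
# or a leading "*." in the name standing for exactly one host label.
name_matches() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$name" ] || return 1
    [ "$name" = "$host" ] && return 0
    case $name in
        '*.'*) suffix=${name#\*} ;;          # "*.example.com" -> ".example.com"
        *) return 1 ;;
    esac
    case $host in
        *"$suffix") first=${host%"$suffix"} ;;
        *) return 1 ;;
    esac
    case $first in
        ''|*.*) return 1 ;;                  # empty or more than one label
    esac
    return 0
}

# Fetch the certificate and compare its CN with the name the client will use.
check_server() {   # usage: check_server host [port]
    cn=$(openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null |
         openssl x509 -noout -subject -nameopt multiline 2>/dev/null | cert_cn)
    if name_matches "$cn" "$1"; then
        echo "OK: certificate CN '$cn' matches '$1'"
    else
        echo "MISMATCH: certificate CN '$cn', client asked for '$1'"
        return 1
    fi
}

if [ "$#" -gt 0 ]; then check_server "$@"; fi
```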






Re: httpd core dumping

1998-09-29 Thread Khimenko Victor

29-Sep-98 08:01 you wrote:
> On Tue, Sep 29, 1998, Khimenko Victor wrote:

>> > AddModule mod_ssl.c
>> > AddModule mod_perl.c
>>
>> > in http.conf (this is the default order). But when I switch these
>> > two lines, everything works fine!
>>
>> See my postings in mod_ssl about mod_perl :-)) This is an error in mod_perl, not
>> in mod_ssl :-))
>>[...]

> Ok, that's also what I think, because in mod_ssl 2.0 (the stable branch) the
> mod_ssl.c code didn't change in the last versions. But the question now is:
> How can we help Doug MacEachern to fix this problem for mod_perl 1.15_02? I
> think those of you who discovered the problem should post as much details as
> possible to the mod_perl mailing list (or directly to [EMAIL PROTECTED] if
> you're not subscribed to the mod_perl ML), so Doug has a chance to fix it.

Ok. What I know just now: when you have mod_ssl or mod_jserv (both modules
will try to spawn a child process (ssl_gcache for mod_ssl, java interpreter for
mod_jserv) in the INITIALIZATION phase) you MUST now use the following order:

-- cut --
AddModule mod_perl.c
AddModule mod_jserv.c
AddModule mod_ssl.c
-- cut --

I.e. you must add AddModule for such modules AFTER mod_perl.c. If you try
to do this the other way (i.e. mod_perl.c added after mod_ssl.c or mod_jserv.c in
httpd.conf) apache will work just fine except for a core dump somewhere in the child
creation process (in ap_run_cleanup AFAIK but I'm not 100% sure about this
while I'm sure that this is AFTER fork but before exec)... Apache 1.3.1 with
mod_perl 1.15 works Ok...

P.S. And of course apache will be unable to create https connections and will
be unable to run servlets due to the lack of a working ssl_gcache and/or JServ :-))

P.P.S. In my case this was apache+mod_ssl and mod_jserv/mod_perl compiled
as DSO (via apxs) under both RedHat 5.1 and KSI-Linux 2.0beta but it looks like
this problem is not related to DSO... Maybe this problem is related to Linux
and/or glibc ?
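
The ordering rule from this message, as an added check that is not part of the original post: it scans an httpd.conf for AddModule lines and reports mod_ssl.c or mod_jserv.c when they are added ahead of mod_perl.c. The function name is an assumption made for the example.

```shell
#!/bin/sh
# Added example, not from the thread.
# Reports modules that spawn a child at initialization (mod_ssl.c and
# mod_jserv.c, as named in the message) when they are added before mod_perl.c.
# Prints one line per finding and returns 1 if there is any, 0 otherwise.
check_addmodule_order() {   # usage: check_addmodule_order /path/to/httpd.conf
    awk '
        /^[ \t]*#/ { next }                       # commented-out directives
        tolower($1) == "addmodule" {              # directive names ignore case
            for (i = 2; i <= NF; i++)
                if (!($i in pos)) {               # remember first appearance
                    pos[$i] = ++seq               # order, also within a line
                    at[$i] = NR                   # line number for the report
                }
        }
        END {
            # Without mod_perl.c the ordering problem does not apply.
            if (!("mod_perl.c" in pos)) exit 0
            n = split("mod_ssl.c mod_jserv.c", spawners, " ")
            bad = 0
            for (k = 1; k <= n; k++) {
                m = spawners[k]
                if ((m in pos) && pos[m] < pos["mod_perl.c"]) {
                    printf "%s:%d: %s is added before mod_perl.c (line %d)\n",
                           FILENAME, at[m], m, at["mod_perl.c"]
                    bad = 1
                }
            }
            exit bad
        }
    ' "$1"
}

if [ "$#" -gt 0 ]; then check_addmodule_order "$1"; fi
```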






Re: httpd core dumping

1998-09-29 Thread Khimenko Victor

28-Sep-98 13:20 you wrote:
> On Mon, 28 Sep 1998, Ralf S. Engelschall wrote:

>>
>> Interesting is also that it seems that it's only occurring in combination with
>> mod_perl. Hmmm... how do you build mod_perl?  As a DSO or statically?
>>

> I use mod_perl 1.15_01 as DSO and have exactly the same problem
> when I use

> AddModule mod_ssl.c
> AddModule mod_perl.c

> in http.conf (this is the default order). But when I switch these
> two lines, everything works fine!

See my postings in mod_ssl about mod_perl :-)) This is an error in mod_perl, not
in mod_ssl :-))

> And I have another problem too (maybe not related to mod_ssl at all):
> when I use Apache 1.3.2 + mod_ssl 2.0.11 + SSLeay 0.9.0b, I cannot use
> PHP3 3.0.4 (as DSO) - when I try to run httpd, it hangs. When I comment
> out mod_php in httpd.conf, everything runs fine. PHP3 3.0.3 works fine
> (as DSO, too). It seems to be bug in PHP3 3.0.4, but it costs nothing to
> notify you...

I'm 99% sure that it's an error in PHP 3.0.4 MySQL support :-)) When PHP 3.0.4
is asked about MySQL support it will add -lpthread. But this is EXACTLY the FIRST
QUESTION in the Threads FAQ !!! You MUST use -D_REENTRANT when compiling with
-lpthread !!! Or remove -lpthread from the Makefile or add -D_REENTRANT in the PHP3
AND in the Apache compilation process...







Re: mod_perl sometimes broke mod_ssl under apache 1.3.2

1998-09-28 Thread Khimenko Victor

28-Sep-98 03:43 you wrote:
> While testing a binary version of apache for KSI-Linux I found a nasty error
> with mod_perl (1.15_01) and mod_ssl (2.0.11) under apache 1.3.2.

> This version
> -- cut --
> AddModule mod_perl.c
> ...
> AddModule mod_ssl.c
> -- cut --
> will be ok, while this version
> -- cut --
> AddModule mod_ssl.c
> ...
> AddModule mod_perl.c
> -- cut --
> will not start ssl_gcache and will core dump somewhere in the ap_run_cleanup !

> P.S. mod_perl (1.15) and mod_ssl (2.0.10) under apache 1.3.1 works in both
> cases just fine...

Oops. This error turned out to be 100% mod_perl error :-((
-- cut --
AddModule mod_java.c
...
AddModule mod_perl.c
-- cut --
will not work, while
-- cut --
AddModule mod_perl.c
...
AddModule mod_java.c
-- cut --
will work... The same problem -- core dump in ap_run_cleanup while trying to
start java :-((

P.S. I'm not sure -- maybe this is not a mod_perl error but a general apache error
after all -- with 1.3.1 and mod_ssl 1.15 all works flawlessly but it's not
mod_ssl specific anyway...






mod_perl sometimes broke mod_ssl under apache 1.3.2

1998-09-28 Thread Khimenko Victor

While testing a binary version of apache for KSI-Linux I found a nasty error
with mod_perl (1.15_01) and mod_ssl (2.0.11) under apache 1.3.2.

This version
-- cut --
AddModule mod_perl.c
...
AddModule mod_ssl.c
-- cut --
will be ok, while this version
-- cut --
AddModule mod_ssl.c
...
AddModule mod_perl.c
-- cut --
will not start ssl_gcache and will core dump somewhere in the ap_run_cleanup !

P.S. mod_perl (1.15) and mod_ssl (2.0.10) under apache 1.3.1 works in both
cases just fine...






Re: INSTALLING mod_perl + mod_ssl + extra modules?

1998-09-24 Thread Khimenko Victor

24-Sep-98 19:04 you wrote:
> At 18:04 1998-09-24 +0200, I wrote:
>>
>>Thanks. It worked finally.
>>

> The building, that is.

> Starting with apachectl
> $ sbin/apachectl start
> sbin/apachectl start: httpd could not be started

> $ cat var/log/error_log:
> [Thu Sep 24 18:52:21 1998] [error] mod_ssl: Required SSLCacheServerPort
> missing

> And I don't even enable SSL in httpd.conf

You must specify SSLCacheServerPort anyway AFAIK...

> I use namevirtualhost like this (httpd.conf:)

> #no explicit host; as it generates errors.
> #Port 80

> NameVirtualHost 194.16.2.89

> 
> ...
> 

> 
> ...
> 

> 
> ...
> 


> Is it possible to use ssl in one of the virtualhost:s and there enable ssl?

Yes, but only in ONE and EXACTLY one.







Re: INSTALLING mod_perl + mod_ssl + extra modules?

1998-09-23 Thread Khimenko Victor

21-Sep-98 18:17 you wrote:

> Sorry for interfering in the middle of tarball-rolling;
> I'm in no hurry, but install-integration between mod_perl
> and mod_ssl ought to be easier.

> At 09:45 1998-09-21 +0200, Ralf S. Engelschall wrote:
>>
>>  And here are the examples:
>>
>>$ gzip -d -c apache_1.3.x.tar.gz | tar xvf -
>>$ gzip -d -c mod_ssl-2.0.x-1.3.x.tar.gz | tar xvf -
>>$ gzip -d -c mod_perl-1.xx.tar.gz | tar xvf -
>>$ cd mod_ssl-2.0.x-1.3.x
>>$ ./configure
>>  --with-apache=../apache_1.3.x
>>$ cd ../mod_perl-1.xx
>>$ perl Makefile.PL
>>  EVERYTHING=1
>>  APACHE_SRC=../apache_1.3.x/src
>>  USE_APACI=1
>>  PREP_HTTPD=1
>>  DO_HTTPD=1
>>$ make
>>$ make install
>>$ cd ../apache_1.3.x
>>$ SSL_BASE=/path/to/ssleay
>>  ./configure
>>  --prefix=/path/to/apache
>>  --enable-module=ssl
>>  --activate-module=src/modules/perl

In my case it was
--activate-module=src/modules/perl/libperl.a
and compilation was successful...

>>  --enable-module=perl
>>$ make

> Everything went fine until mod_perl should compile.

> <=== src/modules/ssl
> ===> src/modules/perl
> make[4]: *** No rule to make target `libperl.', needed by `lib'.  Stop.
> make[3]: *** [all] Error 1

> something wrong with $(LIBEXT) ?


> I really like to have a more automated way to recompile a new httpd;

> Used my own lousy script below;
> Such ought to be included in some way. or a perl one.


> regards,

>magnus

> 
> # makemyhttpd.sh

> YOU_ARE_HERE=/usr/local/www

> #
> # These dirs must be on the same level as this script

> MOD_SSLDIR=mod_ssl-2.0.9-1.3.1
> MOD_PERLDIR=mod_perl-1.15_01
> APACHEDIR=apache_1.3.1

> # ssl-root
> #
> SSL_BASE=/usr/local/ssl

> cd $MOD_SSLDIR
> ./configure --with-apache=../$APACHEDIR
> cd ../$MOD_PERLDIR
> perl Makefile.PL EVERYTHING=1 \
>  APACHE_SRC=../$APACHEDIR USE_APACI=1 \
>  PREP_HTTPD=1 DO_HTTPD=1
> make
> sleep 5
> make install
> sleep 5
> cd ../$APACHEDIR
> ./configure --prefix=$YOU_ARE_HERE/$APACHEDIR \
> --enable-module=ssl --activate-module=src/modules/perl --enable-module=perl
> make
> #make certificate
> #make install



