Re: Securing directories
I'd set these up as virtual hosts - the essence of what you want to do here is to make http://www.domain.com/ return different information than https://www.domain.com/. Having done that (by following the links in the other reply you got) you then will need to set up what you want to happen on the http side of things - there is no automatic pop-up as you were asking for. What many do is simply configure http to do a redirect to https, like this:

    Redirect / https://www.domain.com/

or you can just put up a page with a link to https and explanatory text - which is often a good way of doing it so they have something to look at for explanation if their SSL client is not compatible with your site, for example.

-PeterV.

Robert Lagana wrote:
> Hello,
>
> Using mod_ssl on Apache I would like to secure two directories:
>
>     https://www.domain.com/homedir
>     https://www.domain.com/homedir2
>
> Now if users go to http://www.domain.com will users get a pop up saying that SSL is required? Is this just a matter of having Port 80 and Port 443 enabled? Do I set these directories up as virtual hosts? Is there a link someone can provide that explains this?
>
> Thanks,
> Rob

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                  [EMAIL PROTECTED]
Re: Configuring Multiple Certificates SSL over an unique IP
I'm thinking you need to use VirtualHost directives - as others have replied, you already know that NameVirtualHost won't help - so you need to put each virtual host on a different IP (or a different port if no spare IPs).

Firstly - configure your operating system to receive all the IPs you want to use - usually via ip-aliases - something you can do in unix and windows, but don't ask me how in windows. An example: your real ip is 192.168.1.2, and you set up 192.168.1.3 as an extra alias.

I'm assuming you started with the httpd.conf as provided with mod_ssl - this should have the basic SSL configuration bits. Then in your httpd.conf near the end, in the <IfDefine SSL> section, create a VHost for each cert/ip you want:

    <VirtualHost 192.168.1.2:443>
    ServerName www.cert1domain.com
    SSLCertificateKeyFile conf/ssl.key/cert1.key
    SSLCertificateFile conf/ssl.crt/cert1.crt
    SSLEngine on
    ...other conf...
    </VirtualHost>

    <VirtualHost 192.168.1.3:443>
    ServerName www.cert2domain.com
    SSLCertificateKeyFile conf/ssl.key/cert2.key
    SSLCertificateFile conf/ssl.crt/cert2.crt
    SSLEngine on
    ...other conf...
    </VirtualHost>

[EMAIL PROTECTED] wrote:
> Hello,
>
> Is there some way to configure the Apache server to use multiple SSL certificates over a single IP, one for each virtual domain? What is the Apache configuration syntax?
>
> Alex Moraes
Re: Configuring Multiple Certificates SSL over an unique IP
The default:

    Listen 443

achieves this already. Is there some advantage to doing separate Listens?

Boyle Owen wrote:
> Don't forget:
>
>     Listen 192.168.1.2:443
>     Listen 192.168.1.3:443
>
> -----Original Message-----
> From: Peter Viertel [mailto:peter.viertel;itaction.co.uk]
> Sent: Tuesday, 5 November 2002 14:17
> To: [EMAIL PROTECTED]
> Subject: Re: Configuring Multiple Certificates SSL over an unique IP
>
> > [...]
Re: Certificate Server
You certainly can. See the openssl FAQ: http://www.openssl.org/support/faq.cgi#USER4

Miguel Angel Gomez Animas wrote:
> Hi all,
>
> I want to know if it is possible to create a server certificate with modssl, something like a personal verisign or something like this... What do I have to do? Can you help me with this?
>
> Thanks a lot
Re: httpd.conf
I notice that your virtual hosts are all using the ip address of your machine, but your testing example uses http://localhost/ - it's probably worth pointing out that localhost usually resolves to 127.0.0.1, which is not the same thing as your machine's ip address. Try testing against https://192.168.0.3/

Cuong Tran wrote:
> Thanks for the tip John, but that shuts down port 443 altogether. I still need it open for my one SSL host:
>
>     <VirtualHost 192.168.0.3:443>
>     ServerName secure
>     DocumentRoot /path
>     ServerAdmin root@localhost
>     ServerSignature email
>     # Turning the 3 below on is VERY important
>     SSLEngine on
>     SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
>     SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
>     # must manually create file first
>     SSLLogFile /var/www/html/WEBSITES/SITE2/logs/ssl.log
>     </VirtualHost>
>
> --- John Ott [EMAIL PROTECTED] wrote:
> > Cuong Tran wrote:
> > > The problem I am having is that all the normal virtual hosts as a result have been SSL readable as well.
> > >
> > >     # (below) won't make it automatically listen on the virtual server's port.
> > >     Listen 443
> >
> > Change the above to
> >
> >     Listen 192.168.0.3:443
> >
> > that will get the result you desire.
> >
> > later
> > John
Re: Problem starting Apache (yes I have read the FAQs!)
There's more info on this in the reference manual than in the FAQ: http://www.modssl.org/docs/2.8/ssl_reference.html#ToC4

Basically try changing the 'startup' one to use a file:/path/to/file/with/junk/in/it that points at a file with something random enough in it - I'm not Mr Crypto, but by random I take it that something an outside party can't guess ought to be enough, and you need to experiment with file lengths a bit to find what works enough - some people advocate using the syslog output. Of course if you're just hacking around and you don't care that the NSA or the Home Office might be able to decrypt your ssl streams, then why stress out about it?

The 'connect' one however should get by using the builtin, or see if you can get egd working - this one does affect performance, so avoid using the exec: option because spawning processes is not cheap on resources.

[EMAIL PROTECTED] wrote:
> Hi all -
>
> This seems to be a commonly reported problem, but for all the archives and FAQs I've read, I am no further forward. Here is the situation: Apache 1.3.26, openSSL 0.9.6g, mod_ssl 2.8.10-1.3.26, Compaq Tru64 UNIX 4.0F.
>
> On starting Apache, it immediately exits and logs the following in the error log file:
>
>     [Tue Aug 20 15:50:13 2002] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
>     [Tue Aug 20 15:50:13 2002] [error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
>     [Tue Aug 20 15:50:13 2002] [error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib
>
> The FAQ refers to the SSLRandomSeed directive; this is set in the httpd.conf file as
>
>     SSLRandomSeed startup builtin
>     SSLRandomSeed connect builtin
>
> (As I'm running on Tru64 I don't have the option of using /dev/random.)
>
> It also refers to problems at the make certificate stage; that seems to have gone through without any problems.
>
> I've also read that there are problems with PHP, so I have removed all reference in the httpd.conf file to the dynamic PHP module, and for good measure the dynamic Apache Jserv module, so these are not loading. Still no difference.
>
> Can anyone offer me some more pointers?
>
> Thanks
> Richard
> --
> Richard Rogers
> IT Services, Staffordshire University
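An added check for the advice above (example code written for this page; it is not from the thread, from mod_ssl or from OpenSSL): the reply says the seed file needs "something random enough in it" and that the length needs experimenting with. The Python below estimates the Shannon entropy of candidate seed material so that a file of syslog text can be compared against genuinely random bytes, and works out how many bytes of such material would be needed to reach a target of 256 bits. The target, the constructed syslog sample and the helper names are my assumptions; os.urandom assumes a host with a kernel RNG, which the Tru64 box in the thread did not have. A high per-byte figure is necessary, not sufficient: the estimator only measures how evenly byte values are spread, so anything an attacker on the same machine can read, guess or replay (log files included) is not a usable seed however well it scores.

```python
import math
import os
from collections import Counter

TARGET_BITS = 256  # assumed target for the material behind 'SSLRandomSeed startup file:...'


def shannon_bits_per_byte(data):
    """Plug-in estimate of Shannon entropy per byte of `data` (0.0 .. 8.0).
    It measures how evenly the byte values are spread, nothing more."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = float(len(data))
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def estimated_entropy_bits(data):
    """Total estimated entropy of the sample, in bits."""
    return shannon_bits_per_byte(data) * len(data)


def bytes_needed_for(data, target_bits=TARGET_BITS):
    """How many bytes of material like `data` a seed file would need to reach
    `target_bits` at the measured per-byte rate; None when the material is
    constant and so carries no entropy at all."""
    rate = shannon_bits_per_byte(data)
    if rate == 0.0:
        return None
    return int(math.ceil(target_bits / rate))


def seed_file_report(path, target_bits=TARGET_BITS):
    """Report on an existing seed file, as one would name in
    'SSLRandomSeed startup file:<path>'."""
    with open(path, "rb") as f:
        data = f.read()
    return {
        "bytes": len(data),
        "bits_per_byte": round(shannon_bits_per_byte(data), 3),
        "estimated_bits": round(estimated_entropy_bits(data), 1),
        "meets_target": estimated_entropy_bits(data) >= target_bits,
    }


# Constructed sample of the "syslog output" some people feed in as seed
# material: 64 lines of the same message with only the numbers varying.
SAMPLE_SYSLOG = b"".join(
    b"Aug 20 15:50:%02d host sshd[%d]: Accepted publickey for admin from 10.0.0.%d port %d ssh2\n"
    % (i % 60, 4000 + i, i % 250, 40000 + i)
    for i in range(64)
)


def compare_sources(n=4096):
    """Per-byte entropy of three kinds of seed material: constant bytes, the
    constructed syslog sample, and os.urandom (assumes a kernel RNG exists)."""
    return {
        "constant": shannon_bits_per_byte(b"A" * n),
        "syslog": shannon_bits_per_byte(SAMPLE_SYSLOG),
        "urandom": shannon_bits_per_byte(os.urandom(n)),
    }


if __name__ == "__main__":
    for name, rate in compare_sources().items():
        print("%-9s %.2f bits/byte" % (name, rate))
    print("syslog bytes needed for %d bits: %s" % (TARGET_BITS, bytes_needed_for(SAMPLE_SYSLOG)))
```

Run it on the box in question and pass the resulting file to seed_file_report; the interesting number is how far the log text falls short of random bytes even before the guessability problem is taken into account.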
Re: SSL Accelerators
My recommendation is to look through the openssl-engine doco and pick a supported card. From experience, I can say that the nCipher ones work just fine on sparc-solaris; I'm sure the other cards there do the job too. I was testing out an nCipher nFast800 PCI card in a Netra T1 today - seems to work as advertised... 800 sessions/second is what they say - it's based on the Broadcom chip which a few vendors seem to have utilised. I don't know what your idea of affordable is and I don't actually know what they retail for though - see www.ncipher.com for sales contacts I guess; unfortunately you don't see these on ebay very often.

The openssl-engine support for this one is invoked with the name 'ubsec'. For comparison here's the output of 'openssl speed -engine ubsec' on my 440MHz Netra T1 test machine:

                       sign    verify    sign/s  verify/s
    rsa  512 bits   0.0001s   0.0001s  14426.2   19789.0
    rsa 1024 bits   0.0001s   0.0001s  15316.7   14650.9
    rsa 2048 bits   0.0000s   0.0000s  24600.0   83740.0
    rsa 4096 bits   0.0250s   0.0247s     40.0      40.5
                       sign    verify    sign/s  verify/s
    dsa  512 bits   0.0000s   0.0000s  30890.0   26485.6
    dsa 1024 bits   0.0000s   0.0000s  29602.1   26078.6
    dsa 2048 bits   0.0000s   0.0000s  29574.0   27347.2

and without acceleration:

                       sign    verify    sign/s  verify/s
    rsa  512 bits   0.0058s   0.0005s    171.6    1835.3
    rsa 1024 bits   0.0325s   0.0018s     30.8     566.0
    rsa 2048 bits   0.2085s   0.0063s      4.8     159.6
    rsa 4096 bits   1.4543s   0.0232s      0.7      43.2
                       sign    verify    sign/s  verify/s
    dsa  512 bits   0.0054s   0.0067s    185.2     149.6
    dsa 1024 bits   0.0173s   0.0216s     57.8      46.4
    dsa 2048 bits   0.0607s   0.0758s     16.5      13.2

Daniel Lopez wrote:
> On Fri, Aug 02, 2002 at 10:29:58AM -0700, David Lowenstein wrote:
> > Can anyone out there recommend an affordable ssl accelerator that will work with a sun enterprise 420? I'm interested in either a pci card or a standalone unit. Unfortunately I'm about to launch a website under ssl and we really don't know just how much that's going to hamper performance. Also, any performance tuning tips for ssl would be appreciated (for apache webserver with mod_perl and bea weblogic).
>
> My first advice would be to compile openssl with assembly optimizations on, and make sure you configure session caching on the mod_ssl side. Have you considered having dedicated boxes doing the ssl, serving static content, and reverse proxying to the real servers? That will also reduce the load in Apache, since each request ties up a process and in turn that child has an expensive Perl interpreter embedded, whether it is serving static content or not. (I am assuming you are using 1.3 here.)
>
> Cheers
> Daniel
> --
> Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
Re: turning off SSL v2 in modssl
That will turn it off... see the refguide at http://www.modssl.org/docs/2.8/ssl_reference.html#ToC9

I wonder if it's time to leave SSLv2 off completely? How many browsers out there don't work with v3 these days?

Aditya wrote:
> Is it sufficient to change +SSLv2 to -SSLv2 in SSLCipherSuite to disable SSLv2 in modssl? Is that enough to at least temporarily limit the exposure to the latest openssl vulnerability while I upgrade multiple machines?
>
> Thanks,
> Adi
Re: apachectl restart problem...
Reloads don't work if your keys are encrypted - is this the case here? I have happily sent a SIGUSR1 to an ssl apache setup each night for two years - and never a problem - it only goes awry if a cert or key changes.

Sean M Alderman wrote:
> I thought it might be something like that, but typically when I've run into this, I've made a change to a http virtual host, and all the other virtual hosts, ssl or not, are then not accessible. Maybe apache needs a better way to reload configs for virtual hosts (such that it doesn't bother anything else)... but that's not a topic for this list. :)
>
> Thanks for the response.
>
> On Wed, 2002-07-31 at 09:48, Boyle Owen wrote:
> > From: Sean M Alderman [mailto:[EMAIL PROTECTED]]
> > > Greetings all,
> > >
> > > I'm curious if anyone has come across issues with starting apache using -
> > >
> > >     # $APACHE_HOME/bin/apachectl startssl
> > >
> > > and then having apache hang when issuing this -
> > >
> > >     # $APACHE_HOME/bin/apachectl restart
> > >
> > > I'm running 1.3.26 with the latest mod_ssl on Solaris 8. I don't get any error messages in the logs, and apachectl says that it restarts just fine, but when you point a browser back to the server it does not respond. I can fix it with an apachectl stop; apachectl startssl, but I'm just curious about not being able to do the restart.
> >
> > Restart sends a HUP to apache. I've found that this is sometimes insufficiently forceful to make apache reload certain SSL parameters (e.g. if you change the certificate). However, it should be sufficient for non-SSL edits.
> >
> > Rgds,
> > Owen Boyle
Re: using rewrite with mod_ssl
If you cut and pasted that straight from your config then you have a typo in the rule. Instead of:

    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/manual/(.*) https://%{SERVER_NAME}/$1 [L,R]

try

    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(manual/.*) https://%{SERVER_NAME}/$1 [L,R]

Peter Choe wrote:
> I have successfully limited access to a directory using mod_ssl, meaning that the files in that directory will only show when it uses the ssl protocol. But when it doesn't use the ssl protocol but just http://hostname/manual, it gives me a "page can't be displayed" message. I thought that with the rewrite, it would automatically send it to the ssl protocol (https://hostname/manual). Am I wrong to think this?
>
> This is the rewrite statement I have in my httpd.conf:
>
>     RewriteCond %{SERVER_PORT} !^443$
>     RewriteRule ^/manual/(.*) https://%{SERVER_NAME}/$1 [L,R]
>
> How can I set up my server so that when someone goes to http://hostname/manual, they will automatically get redirected?
>
> Peter Choe
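An added example (written for this page, not code from the thread or from mod_rewrite) of why the two RewriteRule patterns above behave differently. Apache's $1 is the first parenthesised group of the pattern, so with ^/manual/(.*) the manual/ prefix is not part of $1 and http://hostname/manual/index.html is sent to https://hostname/index.html, whereas ^/(manual/.*) keeps the prefix. The Python models just the RewriteCond on SERVER_PORT and the $1 substitution (the [L,R] flags and the rest of mod_rewrite are not modelled), and adds the plain Redirect from the "Securing directories" thread at the top of the page for comparison; the function names and sample paths are invented here. Neither pattern matches a bare /manual, which is what Peter Choe typed: in that case Apache's normal trailing-slash redirect (mod_dir) first turns it into /manual/, and the rewrite then fires on the second request.

```python
import re


def https_target(rule_pattern, path, server_name, server_port):
    """Model of the pair
        RewriteCond %{SERVER_PORT} !^443$
        RewriteRule <rule_pattern> https://%{SERVER_NAME}/$1 [L,R]
    Returns the redirect target, or None when the rule does not fire.
    (Illustrative re-implementation, not mod_rewrite itself.)"""
    # RewriteCond %{SERVER_PORT} !^443$ : only requests that did NOT arrive on 443
    if re.match(r"^443$", str(server_port)):
        return None
    m = re.match(rule_pattern, path)
    if not m:
        return None
    # Apache substitutes $1 with the first parenthesised group of the pattern
    return "https://%s/%s" % (server_name, m.group(1))


BROKEN_RULE = r"^/manual/(.*)"   # $1 is only what follows 'manual/': the prefix is lost
FIXED_RULE = r"^/(manual/.*)"    # $1 is 'manual/...': the prefix survives


def redirect_comparison(path, server_name="hostname"):
    """Both rules side by side for one plain-http request, plus the fixed
    rule on the same path arriving over SSL (where it must stay quiet)."""
    return {
        "broken": https_target(BROKEN_RULE, path, server_name, 80),
        "fixed": https_target(FIXED_RULE, path, server_name, 80),
        "already_ssl": https_target(FIXED_RULE, path, server_name, 443),
    }


def redirect_directive(prefix, target, path):
    """Model of mod_alias:  Redirect <prefix> <target>
    The URL-path prefix is matched and whatever follows it is appended to
    the target, so 'Redirect / https://www.domain.com/' sends every
    plain-http request to the same path on the https site."""
    if not path.startswith(prefix):
        return None
    return target + path[len(prefix):]


if __name__ == "__main__":
    for p in ("/manual/index.html", "/manual/", "/manual", "/other/x.html"):
        print(p, redirect_comparison(p))
    print(redirect_directive("/", "https://www.domain.com/", "/homedir/form.cgi"))
```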
Re: Two copies of Apache running on the same server...
You can run as many instances of apache as your system can support so long as no two instances listen on the same port - at least that's the theory. In practice, apache writes to various files such as the .pid file, lockfiles, mutex lockfiles etc. - and it can be difficult to make sure the different instances don't run into each other (and remembering this each time you compile a new version).

On the other hand, it's just not necessary usually to run multiple instances - one apache instance can serve http and https on multiple ports at the same time using VirtualHost stanzas.

You've probably noticed that apache pre-forks several copies of itself, and it's these children that handle connections in a parallel fashion and go some way to taking advantage of multiple CPUs, but it's not the absolute best possible - that would be if you were using solaris threads. As it happens Apache 2 is multi-threaded, yet still supports pre-forked children, so you can tune it up a lot better.

On the balance of things, I feel it would be harder to get good performance out of a system if you used two separate apaches, than if you worked on tuning it up with just one.

Yu, Ming wrote:
> I have a web environment that supports both http and https on the same machine. The machine is a powerful SPARC 450 with a lot of memory and CPU power. I am wondering if I can install copies of apache on the same machine, one runs http, and another runs https. Will this improve the server performance?
>
> - Ming
> - System Engineer - APL
Re: hanging apache processes (1.3.29 + mod_ssl 2.8.9)
Perhaps if you watch the session with Eric Rescorla's excellent ssldump tool you may get to the bottom of it: http://www.rtfm.com/ssldump/

Or another possibility altogether... I had a problem which looked similar to this which was some solaris specific mutex bug which meant that child processes did not get released properly after certain types of SSL connections - this was fixed only with rev 1.3.24, and also by adding 'AcceptMutex pthread' to the config file.

Alex Kotov wrote:
> I've seen strange problems with IE5, too, but these connections have "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; DigExt)" as User-Agent. Unfortunately, changing the tcp keepalive setting is not an option for us.
>
> I don't know all the intricacies of the SSL handshake, but it looks like it starts by the server trying to read 11 bytes from the client, and this is where mod_ssl may wait for a long time without checking for a timeout. Could someone point me to the place in the code where this read happens? I would hate to switch to stronghold :(
>
> Thanks,
> - Alex
>
> On Mon, 24 Jun 2002, Andy Osborne wrote:
> > I've seen this happen sometimes on our SSL servers (which do quite a lot of traffic). A quick search of the logs for recent connections from the same address always shows the client as IE5.0 - which is known to be broken. The connections seem to stall in the SSL negotiation and get killed off by our rather intolerant tcp keepalive settings. I've never found a real answer to the problem.
> >
> > Andy
> >
> > Alex Kotov wrote:
> > > Hi Cliff,
> > >
> > > Thanks for your response. I'm using
> > >
> > >     SSLRandomSeed startup builtin
> > >     SSLRandomSeed connect builtin
> > >
> > > and 5 is definitely the file descriptor for the network connection. Is there anything else I should check?
> > >
> > > Thanks,
> > > - Alex
> > >
> > > On Mon, 24 Jun 2002, Cliff Woolley wrote:
> > > > On Sun, 23 Jun 2002, Alex Kotov wrote:
> > > > > After a while the server processes become stuck while waiting for the data from a socket. Running strace on a hung process produces
> > > > >
> > > > >     read(5,
> > > > >
> > > > > for a long time, eventually followed by
> > > > >
> > > > >     read(5, 0x959d2d8, 11) = -1 ETIMEDOUT (Connection timed out)
> > > >
> > > > Are you sure that file descriptor 5 is the connection to the client? What SSLRandomSeed are you using? This sounds like one of those /dev/random not-enough-entropy problems to me.
> > > >
> > > > --Cliff
> >
> > --
> > Andy Osborne "Vertical B2B Communities"
> > Senior Internet Engineer, Sift Group
> > 100 Victoria Street, Bristol BS1 6HZ
> > tel: +44 117 915 9600  fax: +44 117 915 9630
> > http://www.sift.co.uk
Re: 56-bit/128-bit IE problems
The problem here as usual is that he HAS got an SGC certificate - and some IEs barf unless you drop EXPORT56 from your offering when you have one of those certs. Not worth the money as far as I'm concerned, not even when getting thawte's one. I feel it's a scam the way they sell SGCs as some sort of premium security product when all they're doing is enabling functionality the browser already has. These were designed for another purpose altogether before the USA relaxed its crypto export rules a few years ago.

Thomas Binder wrote:
> Hi!
>
> On Fri, Jun 21, 2002 at 08:39:04AM -0700, David Wall wrote:
> > You could also consider getting a Thawte super cert which has a capability to allow the 56-bit export version of IE to not be so stupid and connect at the higher 128-bit when accessing your site.
>
> Just for the record, Thawte's Super Certs are what VeriSign calls Secure Site Server Pro (Global) ID. But they are quite a lot cheaper.
>
> Ciao
> Thomas
Re: Apache 1.3.26 Upgrade Question
Why don't you just buy Stronghold? Sounds like you ought to be paying someone to do this work for you.
-- http://www.redhat.com/software/apache/stronghold/index.html

Jim Lee wrote:
> Hi,
>
> Could somebody help me create the Apache_1.3.26-Mod_SSL_x-OpenSSL_x file from the mod_ssl-2.8.9-1.3.26.tar.gz file that has been released recently. Thanks.
>
> Bye,
> -Jim.
>
> On Wed, 19 Jun 2002, Jim Lee wrote:
> > > We have been unable to find the above Apache_1.3.26-Mod_SSL_x file in the http://www.modssl.org/contrib/ area.
> >
> > Nobody's contributed one yet. I imagine it won't be that far off, it usually doesn't take too long.
> >
> > > We also wish to know if the SSL certificate has to be re-created after Apache is upgraded to 1.3.26 with the new mod_SSL.
> >
> > No.
> >
> > --Cliff
Re: SSL site loads regardless of URL??
I went back and read your question again, and can see I missed your problem entirely. You can only have one SSL certificate per IP - that is to say that NameVirtualHost does work on https, but always with only one cert... this is because of the number one most FAQ on this list, which is what Ralf describes as 'Some sort of chicken and egg problem' in his mod_ssl FAQ.

If you want to make it so your ssl pages only come up when the client uses the right hostname then try this hack:

    NameVirtualHost 192.168.1.9:443

    <VirtualHost 192.168.1.9:443>
    ServerName oddshostnames
    RewriteEngine On
    RewriteRule ^.* - [F,L]
    </VirtualHost>

    <VirtualHost 192.168.1.9:443>
    ServerName www.donations.org.nz
    DocumentRoot /var/www/html/donations
    ErrorLog /var/log/httpd/donations-error_log
    TransferLog /var/log/httpd/donations-access_log
    </VirtualHost>

David wrote:
> Hi,
>
> I tried adding port 80 to the virtual hosts as you suggested but the issue still persists?
>
> -David.
>
> Peter Viertel wrote:
> > Virtual hosts are defined against the listening addresses you have for your host. Not sure what some of the host names resolve to, but assuming the 192.168 addresses are the actual ip of your host, and the other ip is the nat outside address for your host, then the config would look like this:
> >
> >     <VirtualHost 192.168.1.9:443>
> >     ServerName www.donations.org.nz
> >     DocumentRoot /var/www/html/donations
> >     ErrorLog /var/log/httpd/donations-error_log
> >     TransferLog /var/log/httpd/donations-access_log
> >     </VirtualHost>
> >
> >     NameVirtualHost 192.168.1.9:80
> >
> >     <VirtualHost 192.168.1.9:80>
> >     ServerName stats.domain1.co.nz
> >     DocumentRoot /var/www/html/domain1
> >     ErrorLog /var/log/httpd/domain1-error_log
> >     TransferLog /var/log/httpd/domain1-access_log
> >     </VirtualHost>
> >
> >     <VirtualHost 192.168.1.9:80>
> >     ServerName stats.domain2.co.nz
> >     DocumentRoot /var/www/html/domain2
> >     ErrorLog /var/log/httpd/domain2-error_log
> >     TransferLog /var/log/httpd/domain2-access_log
> >     </VirtualHost>
> >
> >     <VirtualHost 192.168.1.9:80>
> >     ServerName stats.domain3.co.nz
> >     DocumentRoot /var/www/html/domain3
> >     ErrorLog /var/log/httpd/domain3-error_log
> >     TransferLog /var/log/httpd/domain3-access_log
> >     </VirtualHost>
> >
> > David wrote:
> > > Hi,
> > >
> > > I have several virtually hosted web sites and only one site that is configured for SSL on my server. The issue is if someone uses https instead of http the certificated site pages load regardless of the url, ie:
> > >
> > >     http://stats.domain1.co.nz  loads pages from ../domain1, which is correct.
> > >     https://stats.domain1.co.nz loads pages from ../donations, and the url remains https://stats.domain1.co.nz
> > >
> > > I assume I have a misconfigured .conf file? How can I resolve this, do I need to specify port 80 on the http sites or do I need to multi home the server with a unique IP for the SSL site?
> > >
> > > Thanks
> > > -David.
> > >
> > > Below is an illustration of the httpd.conf:
> > >
> > >     <VirtualHost www.donations.org.nz:443>
> > >     ServerName www.donations.org.nz
> > >     DocumentRoot /var/www/html/donations
> > >     ErrorLog /var/log/httpd/donations-error_log
> > >     TransferLog /var/log/httpd/donations-access_log
> > >     </VirtualHost>
> > >
> > >     NameVirtualHost 219.88.240.45
> > >
> > >     <VirtualHost 192.168.1.9>
> > >     ServerName stats.domain1.co.nz
> > >     DocumentRoot /var/www/html/domain1
> > >     ErrorLog /var/log/httpd/domain1-error_log
> > >     TransferLog /var/log/httpd/domain1-access_log
> > >     </VirtualHost>
> > >
> > >     <VirtualHost 192.168.1.9>
> > >     ServerName stats.domain2.co.nz
> > >     DocumentRoot /var/www/html/domain2
> > >     ErrorLog /var/log/httpd/domain2-error_log
> > >     TransferLog /var/log/httpd/domain2-access_log
> > >     </VirtualHost>
> > >
> > >     <VirtualHost 192.168.1.9>
> > >     ServerName stats.domain3.co.nz
> > >     DocumentRoot /var/www/html/domain3
> > >     ErrorLog /var/log/httpd/domain3-error_log
> > >     TransferLog /var/log/httpd/domain3-access_log
> > >     </VirtualHost>
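An added example (written for this page; it is neither Apache's code nor anything posted in the thread) that models how Apache 1.3 picks a <VirtualHost> stanza for a request and where the certificate comes from. It covers this thread and the "Configuring Multiple Certificates SSL over an unique IP" thread above: the certificate is sent in the SSL handshake, before any HTTP request and therefore before any Host: header exists, so it can only depend on the ip:port the connection arrived on, and name-based selection on :443 can only choose the document root, never the certificate. The VHost record, the constructed BEFORE/AFTER layouts and the "403 Forbidden" marker for the forbidding default stanza are my assumptions; the model also assumes the catch-all stanza in the hack above carries the same certificate as the donations site, which in real Apache means giving it SSLEngine on and the same SSLCertificate* directives.

```python
from collections import namedtuple

# One <VirtualHost addr:port> stanza reduced to the fields that matter here.
# Illustrative model of Apache 1.3 vhost matching, not Apache's own code.
VHost = namedtuple("VHost", "ip port server_name docroot cert")


def certificate_for_connection(vhosts, ip, port):
    """The server certificate goes out in the SSL handshake, before any HTTP
    request (and so any Host: header) exists.  It can therefore only depend
    on the address and port the connection arrived on: the first stanza bound
    to that ip:port supplies it, whatever hostname the client typed."""
    for v in vhosts:
        if v.ip == ip and v.port == port:
            return v.cert
    return None


def select_vhost(vhosts, name_virtual, ip, port, host_header):
    """vhosts: stanzas in httpd.conf order.  name_virtual: set of (ip, port)
    pairs declared with NameVirtualHost.
    1. only stanzas bound to the connection's ip:port are candidates;
    2. on a NameVirtualHost address the Host: header picks among them, the
       first stanza being the default when nothing matches;
    3. on an IP-based address the first stanza wins regardless of Host:."""
    candidates = [v for v in vhosts if v.ip == ip and v.port == port]
    if not candidates:
        return None
    if (ip, port) in name_virtual:
        wanted = (host_header or "").lower()
        for v in candidates:
            if v.server_name.lower() == wanted:
                return v
    return candidates[0]


def serve(vhosts, name_virtual, ip, port, host_header):
    """(certificate used, document root served) for one request.  A stanza
    whose docroot is None stands for the catch-all that forbids everything."""
    cert = certificate_for_connection(vhosts, ip, port)
    v = select_vhost(vhosts, name_virtual, ip, port, host_header)
    if v is None:
        return (cert, None)
    return (cert, v.docroot if v.docroot is not None else "403 Forbidden")


IP = "192.168.1.9"

# Constructed: David's layout, one IP-based SSL stanza plus three name-based http ones.
BEFORE = [
    VHost(IP, 443, "www.donations.org.nz", "/var/www/html/donations", "donations.crt"),
    VHost(IP, 80, "stats.domain1.co.nz", "/var/www/html/domain1", None),
    VHost(IP, 80, "stats.domain2.co.nz", "/var/www/html/domain2", None),
    VHost(IP, 80, "stats.domain3.co.nz", "/var/www/html/domain3", None),
]
BEFORE_NAME_VIRTUAL = {(IP, 80)}

# Constructed: the hack from the reply above, NameVirtualHost on :443 with a
# forbidding default stanza first.  Both stanzas share the address's one cert.
AFTER = [
    VHost(IP, 443, "oddshostnames", None, "donations.crt"),
    VHost(IP, 443, "www.donations.org.nz", "/var/www/html/donations", "donations.crt"),
] + BEFORE[1:]
AFTER_NAME_VIRTUAL = {(IP, 80), (IP, 443)}

# Constructed: the other thread's answer, one certificate per IP alias.
TWO_IPS = [
    VHost("192.168.1.2", 443, "www.cert1domain.com", "/srv/cert1", "cert1.crt"),
    VHost("192.168.1.3", 443, "www.cert2domain.com", "/srv/cert2", "cert2.crt"),
]

if __name__ == "__main__":
    print(serve(BEFORE, BEFORE_NAME_VIRTUAL, IP, 443, "stats.domain1.co.nz"))
    print(serve(AFTER, AFTER_NAME_VIRTUAL, IP, 443, "stats.domain1.co.nz"))
    print(serve(AFTER, AFTER_NAME_VIRTUAL, IP, 443, "www.donations.org.nz"))
```

The first print reproduces David's symptom (donations pages for an https request to stats.domain1), the second shows the hack turning that into a 403, and in every https case the certificate is the same one; only separate IPs (TWO_IPS) give separate certificates.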
Re: Hardware key storage
Whether this can be done is something you should talk to the vendor of your HSM about. If you're still looking for one to buy, I can confirm that it can be done with nCipher's gear using openssl-engine and some extra binaries they provide; I personally have experience with Solaris and using an HSM protected key. They trick mod_ssl into running with a dummy key, and then openssl engine offloads the key transforms via their CHIL api. At http://www.ncipher.com/resources/index.html you will find their whitepapers on the subject.

I work for an nCipher Solutions partner, so my view here is obviously biased; there are other HSM vendors apparently.

-PeterV.

Imran Badr wrote:
> Engine support includes offloading RSA/DSA operations but I haven't found any way to notify modssl that the key is in hardware key storage. Modssl always looks for disk files for the private key and certificate files and I haven't figured out how to use hardware key storage. Apache will never start if those files are not on disk.
>
> Thanks for the reply.
> Imran.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Francois Desarmenien
> Sent: Saturday, June 08, 2002 5:56 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Hardware key storage
>
> On Wed, 5 Jun 2002 19:18:26 -0700, Imran Badr [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > I am sorry if this question has been asked before in this group. I wanted to find out what would be required to use private keys stored in hardware with apache and modssl? Modssl code looks for the private key file on the host machine and calls a use_private_key() sort of function of openssl to store the private key in the ssl context. Is it possible to use modssl with apache when keys are created in tamper proof hardware and never leave it? Is there any patch to do that?
>
> mod_ssl relies on OpenSSL, and OpenSSL-engine handles access for some crypto cards.
>
> F.
Re: 1 certificate for several sites using redirection ?
You could do that using a reverse proxy, ie mod_proxy. Redirects are not going to help.

Wim Godden wrote:
> Hi,
>
> I'd like to use a certificate to secure several of our subdomains... buying hundreds of certificates is simply too expensive. Is there some way to do this:
>
> - Install certificate on secure.ourdomain.com
> - Let people surf to https://secure.ourdomain.com/other-subdomain.ourdomain.com/what-ever-page.html
>
> Thanks in advance.
>
> Greetings,
> Wim Godden
Re: 1 certificate for several sites using redirection ?
yes, i think that's what's happening - you need to review the website content you are pointing at. For this to work you can't have any absolute hrefs, and also the backend site may issue redirects; for these to work you need a ProxyPassReverse which will rewrite the Location: header on any redirects the backend site may send. For example:

    ProxyPass /test http://other.subdomain.ourdomain.com/
    ProxyPassReverse /test http://other.subdomain.ourdomain.com/

ProxyPassReverse unfortunately is not case-insensitive, and the backend webserver may refer to itself canonically, so the Location headers may have another hostname. Either fix up the backend webserver to match the ProxyPassReverse, or add extra ProxyPassReverse lines.

The most common cause of redirects is the / bug handlers of Tomcat and IIS, which kick in if your URL ends with / and that resolves to a directory; then the webserver looks up what the DirectoryIndex script is (e.g. index.html) and sends a redirect. This is something to do with early revision browser releases; I have no idea which ones or if it matters anymore.

Also note that mod_proxy got a big upgrade at Apache release 1.3.23 that may help things along too in certain cases.

[EMAIL PROTECTED] wrote:
> Sounds like you have some absolute links rather than relative links.
>
> You can also use
>     ProxyPass /test https://other-subdomain.ourdomain.com
> if the data needs to be secured between the proxy and the destination server.
>
> - John Airey
> Internet systems support officer, ITCSD, Royal National Institute of the Blind
>
> -----Original Message-----
> From: Wim Godden [mailto:[EMAIL PROTECTED]]
> Sent: 12 June 2002 11:06
> To: [EMAIL PROTECTED]
> Subject: Re: 1 certificate for several sites using redirection ?
>
>>     ProxyPass /test http://other-subdomain.ourdomain.com
>> doesn't work properly... I get errors about the images being insecure and all links point to the wrong position.
>>
>> Peter Viertel wrote:
>>> You could do that using a reverse proxy, i.e. mod_proxy. Redirects are not going to help.
>>>
>>> Wim Godden wrote:
>>>> Hi,
>>>> I'd like to use a certificate to secure several of our subdomains... buying hundreds of certificates is simply too expensive. Is there some way to do this:
>>>> - Install the certificate on secure.ourdomain.com
>>>> - Let people surf to https://secure.ourdomain.com/other-subdomain.ourdomain.com/what-ever-page.html
>>>> Thanks in advance.
>>>> Greetings,
>>>> Wim Godden
Re: 1 certificate for several sites using redirection ?
that's basically right. The proxy spec in HTTP/1.1 etc. copes with rewriting headers - but nothing I've seen rewrites the actual HTML content. This would be possible of course, but there would have to be a new module for Apache to do it, and architecturally you'd be creating a potential bottleneck as the proxy server would have to parse all of the content passing through it.

Wim Godden wrote:
> So there's no system which allows me to really proxy pages and 'modify' them so that all future connections go through this 'proxy' as well?
>
> Greetings,
> Wim
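As an added example that is not from any of the posts in this thread, here is what a complete reverse-proxy vhost on secure.ourdomain.com looks like once the ProxyPass/ProxyPassReverse advice above is applied, including the extra ProxyPassReverse lines for the other names the backend may call itself. The IP address, certificate paths and the exact hostnames are placeholders I have assumed.

```apache
# Added example (not from the list posts). 192.0.2.10, the certificate paths
# and the backend hostnames are placeholders.
<IfDefine SSL>
<VirtualHost 192.0.2.10:443>
    ServerName            secure.ourdomain.com
    SSLEngine             on
    SSLCertificateFile    conf/ssl.crt/secure.crt
    SSLCertificateKeyFile conf/ssl.key/secure.key

    # Reverse proxy only: never let this host act as an open forward proxy.
    ProxyRequests Off

    # /other/... is fetched from the backend, which has no certificate of its
    # own. Use https:// here instead if the proxy-to-backend hop crosses a
    # network you do not trust (the thread's second suggestion).
    ProxyPass        /other/ http://other-subdomain.ourdomain.com/

    # Rewrite Location: headers on backend redirects back into /other/.
    # The match is literal, so every name the backend may use for itself
    # (canonical name, explicit port) needs its own line.
    ProxyPassReverse /other/ http://other-subdomain.ourdomain.com/
    ProxyPassReverse /other/ http://other-subdomain.ourdomain.com:80/
    ProxyPassReverse /other/ http://www.other-subdomain.ourdomain.com/
</VirtualHost>
</IfDefine>
```

Keep the trailing slashes consistent between ProxyPass and ProxyPassReverse. As the follow-up in the thread says, this only fixes redirects: absolute hrefs inside the backend's HTML still name the backend host, and those pages will still trigger the browser's mixed-content warning until the content itself is made relative.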
Re: Apache + MOD_SSL Win32 crash
That sounds like the SSL mutex mechanism not working properly. Not sure whether anyone's got it working on win32, and mod_ssl on win32 is still listed as an alpha release. I too would choose to ditch Windows, but if you do need it, then you should try Apache 2; at least the ASF say it's production quality on win32. Not sure if there are precompiled win32 binaries with SSL though.

Mike Campbell wrote:
> Hello,
>
> I'm running Apache 1.3.24 with MOD_SSL 2.8.8 on a Windows 2000 server. I've installed and configured according to the Apache + SSL on Win32 Howto http://tud.at/programm/apache-ssl-win32-howto.php3 and I've gotten a certificate from Thawte.
>
> I can and always have been able to make an (unsecure) http hit on the server. I can also make a secure https hit. However, if I reload the secure page a few times, sooner or later Apache crashes. The error message that pops up says "Apache.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created." The Windows error log says it was an access violation and gives a stack dump, which I don't know how to read. The Apache error log and the SSL log are free of errors.
>
> When starting Apache, the only complaint I was getting from the config file was "Cannot add module via name 'mod_ssl.c': not in list of loaded modules", so I've commented that line out.
>
> Does anyone have any suggestions? These are the relevant lines in httpd.conf:
>
>     ### (other AddModules) ###
>     #AddModule mod_ssl.c
>     ...
>     ### (other LoadModules) ###
>     LoadModule ssl_module modules/mod_ssl.so
>     ...
>     Listen 80
>     Listen 443
>     ...
>     SSLMutex sem
>     SSLRandomSeed startup builtin
>     SSLSessionCache none
>     SSLLog logs/SSL.log
>     SSLLogLevel info
>
>     <VirtualHost XXX.XXX.XXX.XXX:80>
>         DocumentRoot c:/...
>         ServerName www.mydomain.com
>     </VirtualHost>
>     ...
>     ### (many other VirtualHosts) ###
>     <VirtualHost XXX.XXX.XXX.XXX:443>
>         SSLEngine On
>         SSLCertificateFile conf/ssl/pubkey.cert
>         SSLCertificateKeyFile conf/ssl/prvkey.key
>         DocumentRoot c:/...
>         ServerName www.mydomain.com
>     </VirtualHost>
>
> - Mike Campbell
> Aktiv Software Corporation
> http://www.aktiv.com
Re: [Q] VirtualHost problems..
Try reading the FAQ: http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

Han, Donghoon wrote:
> Hi everyone,
>
> I recently configured several named virtual hosts on my Apache 1.3.24 server.
>
>     NameVirtualHost A.B.C.D:80
>     NameVirtualHost E.F.G.H:80
>     NameVirtualHost A.B.C.D:443
>     NameVirtualHost E.F.G.H:443
>
>     -- Several :80 virtual hosts --
>
>     <VirtualHost A.B.C.D:443 E.F.G.H:443>
>         ServerName blah.blah.com
>         SSLCertificateFile A.crt
>         SSLCertificateKeyFile A.key
>         -- other configurations --
>     </VirtualHost>
>
>     <VirtualHost A.B.C.D:443 E.F.G.H:443>
>         ServerName blah2.blah2.com
>         SSLCertificateFile A2.crt
>         SSLCertificateKeyFile A2.key
>         -- other configurations --
>     </VirtualHost>
>
> I configured it like this, but when I connect to blah2.blah2.com Explorer gets the certificate of the first virtual host. The other configurations are OK: I get authentication dialogs and I get the right file as I configured in the virtual host. The only problem is that I get a different certificate from the one I configured. Did I miss something?
>
> Thanks in advance.
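The FAQ entry pointed at above covers why this fails: the server must choose a certificate when the SSL handshake starts, before the Host: header that name-based virtual hosting depends on has been sent, so every SSL vhost sharing one IP:port is answered with the first one's certificate. As an added example, not the poster's own configuration, here are the same two sites with each SSL vhost on its own address; A.B.C.D and E.F.G.H stand for two real addresses bound on the machine, and the certificate paths are placeholders.

```apache
# Added example, not the poster's config. A.B.C.D / E.F.G.H and the file
# paths are placeholders.

# Name-based hosting works on port 80, where the Host: header is available ...
NameVirtualHost A.B.C.D:80
NameVirtualHost E.F.G.H:80
# ... but not on 443, so there are deliberately no NameVirtualHost lines for it.

<IfDefine SSL>
# One IP address (or, failing that, one port) per certificate.
<VirtualHost A.B.C.D:443>
    ServerName            blah.blah.com
    SSLEngine             on
    SSLCertificateFile    conf/ssl.crt/A.crt
    SSLCertificateKeyFile conf/ssl.key/A.key
</VirtualHost>

<VirtualHost E.F.G.H:443>
    ServerName            blah2.blah2.com
    SSLEngine             on
    SSLCertificateFile    conf/ssl.crt/A2.crt
    SSLCertificateKeyFile conf/ssl.key/A2.key
</VirtualHost>
</IfDefine>
```

DNS for blah2.blah2.com then has to resolve to E.F.G.H, otherwise the browser still lands on the first vhost. Without a spare address, a second port (for instance E.F.G.H replaced by A.B.C.D:8443) works the same way. Later Apache releases (2.2.12 onwards, with an SNI-capable OpenSSL) can pick a certificate by the TLS Server Name Indication extension, which did not exist when this thread was written.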
Re: Password protected access
Sure. If you're going to use the default HTTP auth mechanism, then use SSL: if the URL is https://something then it's all encrypted (OK, unless you do something really odd with the server config).

Note that the 'password window' is something your browser displays - once it's got the password it will usually post that password in a header in every subsequent request to the same domain name.

If you're not planning on using SSL (one would then ask why you posted the question to modssl-users) then consider using mod_auth_digest.

Potts, Ross A. wrote:
> Is there a way to encrypt the login window that I get when I want to reach restricted areas? I have the password file set up and can log in, but I understand that the password is sent in plaintext. I didn't see much in the way of documentation about this.
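To make the reply concrete, an added example that is not from either post: a restricted area whose Basic-auth header can only ever travel inside the SSL session, followed by the Digest alternative for a site that has no SSL. The location names, password file paths and realm strings are placeholders.

```apache
# Added example, not from the list posts. /restricted, /reports and the
# password file paths are placeholders.
<IfDefine SSL>
<VirtualHost _default_:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    conf/ssl.crt/server.crt
    SSLCertificateKeyFile conf/ssl.key/server.key
</VirtualHost>
</IfDefine>

# Server-wide, so it governs the same path on both the :80 and :443 vhosts.
<Location /restricted>
    # Basic auth carries the password base64-encoded (not encrypted) in every
    # request, so refuse anything that did not arrive over SSL. The access
    # check runs before the authentication phase, so a plain-http request gets
    # a 403 before the browser ever shows the password window.
    SSLRequireSSL
    AuthType     Basic
    AuthName     "Restricted area"
    AuthUserFile conf/htpasswd
    Require      valid-user
</Location>

# No SSL at all: Digest auth sends a hash of the password and a server nonce
# instead of the password itself. Directive names are those of mod_auth_digest
# in Apache 1.3/2.0; Apache 2.2 and later spell the file directive AuthUserFile.
<Location /reports>
    AuthType       Digest
    AuthName       "Reports"
    AuthDigestFile conf/htdigest
    Require        valid-user
</Location>
```

Note that Digest protects the password, not the content: the pages under /reports still cross the network in clear, which is why the reply points to SSL first.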
Re: Runs on local...but can't see it anywhere else
You say you can connect to the 'actual server address' while on the actual machine but not from across the network. You do not say which operating system you're using - but if it's Red Hat Linux for example, perhaps you've got iptables rules. Otherwise, is network routing OK, like does the machine have its default route set correctly?

Alex Earl wrote:
> Hi! First off I would like to thank you for your help and knowledge! I enjoy this forum a lot!
>
> I have set up mod_ssl with Apache 1.3 and everything seems to run just fine on the local machine. I can curl https://localhost (and the actual server address) and get the right stuff... but when I try to access it from anywhere else I get a "server not found" error. Any ideas?!
>
> Thanks!
> Alex Earl
Re: IE 5.00 - 5.01 SSL Connection Failures
Let me guess: you have a '128 bit' SGC certificate on your server? If you do, then change your cipher suite to not offer EXPORT56, for example:

    SSLCipherSuite !EXPORT56:ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

This results in most people with older clients using 40-bit encryption, and people who care about security and upgrade their software get 128-bit SSL3 or TLS.

You should alter your logs to log the resultant SSL cipher type and length so you can get some info on which clients give you problems - and you could put some warning notes about the browser types on the site somewhere to cover your butts.

Louis Sabet wrote:
> On Fri, 17 May 2002 13:51:15 +0100 "Jeff" [EMAIL PROTECTED] wrote:
>> MS IE 5.00 was a flawed release, that MS very quickly (4 weeks) replaced with 5.01, mainly for security reasons. You should be able to get any reasonable users (corporate or otherwise) to upgrade asap. MSIE 5.00 has some serious bugs when using SSL and caching, so you may be able to tweak all your users' caching settings, and also look at making your pages non-cacheable. I have to say though that in our experience with a group of 10 users of 5.00 it was far easier to get them to switch to Netscape until their 5.01 (in fact they went for 5.5) arrived.
>
> Unfortunately in this sector of retail, our target audience is very fickle, and an abundance of similar online retailers in recent years have made this an extremely competitive market. We cannot afford to aggravate any customers at this point. In addition, a large proportion of our customers have little or no previous IT experience and cannot be expected to apply patches no matter how trivial it may seem to us!
>
> ***SNIP***
>
>> The problems you describe with 5.01, I have seen when SSL keepalive settings were enabled on the web-server. The SSLKeepAlive settings were invented to speed up a client's access to your site, so that as subsequent requests for images, css, etc. etc. were made, the SSL negotiation overhead was short-circuited. Unfortunately the MS 5.xx browsers never quite got it right. We use Apache, and this is the setting in httpd.conf:
>>
>>     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>
> I checked our httpd.conf, and indeed we have the same line in all our SSL sites. So this particular problem must lie elsewhere. I'll agree with people's comments on IE5 being terrible, but unfortunately as an online retailer we have no choice as to what our customers access our website with, and a disturbing number of customers (33%) happen to be using IE5.00 to 5.01. If anyone else has any comments, they would be very much appreciated at this point!
>
>> You can check your SSL logs to see if the keepalive settings are active - if they are you will see an incrementing number associated with each request from the same user that indicates the SSL negotiation was short-cut, and that previously negotiated keys are being used. 'nokeepalive' is fractionally slower, but at least your users will not get the regular 'page cannot be found' issue.
>>
>> As to sharing client certs between IE and NS - we do this happily for NS 4.0-4.75 and MSIE 5.01-6.0 without any issues.
>>
>> Regards
>> Jeff
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Louis Sabet
>> Sent: 17 May 2002 13:29
>> To: [EMAIL PROTECTED]
>> Subject: IE 5.00 - 5.01 SSL Connection Failures
>>
>>> Hi List,
>>>
>>> I work for a mobile phone retail company in the UK - www.mobiles.co.uk. Recently we discovered that several of our customers were unable to complete the secure portions of their orders. The only common factor with all these problems was that all customers were using IE 5.00 to IE 5.01. Under Internet Explorer they receive "Page Cannot Be Found". With Netscape all works fine, and with all other recent Internet Explorer versions, a successful connection can be made.
>>>
>>> I found nothing useful on the Microsoft site other than this: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q244302 It may be the root of the problem, but we cannot ask the 33% of our customers who use IE5 to patch their machines before accessing our site. It is obvious that MOST connections to https sites can be made from IE5, or it would have been better documented.
>>>
>>> I contacted Verisign to find out if there was a reason some certificates were usable with IE5, and others weren't, but I found their technical support to be quite useless. My last option is to ask you guys whether this could be a configuration issue - or whether there is some configuration tweak I can make to get around this problem for our IE5 users.
>>>
>>> Best regards,
>>> Louis
>>> --
>>> Louis Sabet [EMAIL PROTECTED] http://www.webtedium.com/
Re: make certificate TYPE=custom?
make certificate does not work in Apache 2 yet. Copy your key and certificate from the 1.3 installation.

mineka fujimoto wrote:
> Hello
>
> I am a student studying Linux. I want to use SSL in Apache 2.0.36. I stopped Apache 1.3 and un-tarred apache2.0.36. I use RedHat Linux 7.1.
>
> I use
>     ./configure --prefix=/usr/local_apache2 --enable-mods-shared="ssl"
> Then I use
>     make certificate TYPE=custom
> But I get the message 「no target to make discontinuation」.
>
> Please help me. Thanks.
>
> Micky
Re: Certificates and Apache/modssl
Keep-alive is a pain all round really... But not necessarily so as regards renegotiation. SSL has a concept of session resuming: the first thing exchanged during an SSL session is the previously negotiated session-id, and the startup of these resumed sessions is a lot cheaper than an initial SSL negotiation. Some of the better load balancers can take advantage of this session-id to ensure a client's SSL session, and subsequent resumed sessions, go to the same backend node.

It should be noted that using the same certificate on multiple servers requires that the related private key is on each server too. Commercial webservers tend not to be too positive about this; they take the high ground quoting best practice security etc. etc., but I can't help feeling it's more to do with pushing more business to the CAs than anything else. Just so long as you remember that anyone with the private key can decode all your SSL traffic, so take some care over protecting the key from prying eyes.

Jeff wrote:
>> if you have two servers behind a load-balancer, you have to make sure that once a client starts an HTTPS conversation with one server, all subsequent requests are served by the same server.
>
> True. AFAIK there are no versions of MSIE that correctly support the keepalive setting, so unless you are willing to put up with the mysterious-1-page-in-5-is-just-blank problem you have to turn keepalive off, and every request gets renegotiated.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Owen Boyle
> Sent: 10 May 2002 09:02
> To: [EMAIL PROTECTED]
> Subject: Re: Certificates and Apache/modssl
>
>> Greg Jones wrote:
>>> All-
>>> We are planning on using commercial load balancing software for two servers running Apache with mod_ssl. Does Apache with mod_ssl require that each server have its own certificate or can I use the same certificate on both servers since they'll be answering to the same virtual IP? Also, will my certificate be based on the virtual IP or the IP of the server? Users will always get to the web servers via the virtual IP.
>>
>> The certificate is assigned to a fully-qualified domain name, not to an IP address. The idea is that when the browser goes to www.acme.com, it expects to see a certificate containing "www.acme.com" - thus proving that the site is really www.acme.com. This is authentication, which is the second but equally important aspect of SSL that everyone forgets about... (the first aspect is encryption). Therefore, as long as both your servers are serving the same site, they can have the same certificate (indeed, they *should* have the same cert).
>>
>> There is one other problem, however. Remember that the public-key/private-key encryption is used only to negotiate the session-key. Once that has been established, the client and server communicate using the session-key and the certificate is forgotten. Now, if you have two servers behind a load-balancer, you have to make sure that once a client starts an HTTPS conversation with one server, all subsequent requests are served by the same server. In other words, if the session-key negotiation takes place on one server but the next request comes in to the second server, it will be encrypted with a key known only to the first server. I guess the solution would be to ensure requests are split on a client basis rather than a request basis in the load balancer.
>>
>> Rgds,
>> Owen Boyle
Re: N/A
Use VirtualHost stanzas, i.e.:

    <VirtualHost _default_:80>
        ServerName www.foo.com
        Redirect /private https://www.foo.com/private
        DocumentRoot "htdocs"
    </VirtualHost>

    <IfDefine SSL>
    <VirtualHost _default_:443>
        ServerName www.foo.com
        SSLCertificateFile conf/ssl.crt/server.crt
        SSLCertificateKeyFile conf/ssl.key/server.key
        SSLEngine on
        DocumentRoot "secure"
    </VirtualHost>
    </IfDefine>

David Flanigan wrote:
> Hello,
>
> My apologies if this has been discussed before; I did not turn up much in my archive search. I am new to mod_ssl and to this list. Any help you can provide would be greatly appreciated.
>
> I have a server-wide SSL certificate for my domain, but only need SSL support in certain areas. Is there a way to redirect non-SSL requests (port 80) for particular directories to SSL without requiring the user to do anything? So automatically: http://www.foo.com/private/ becomes https://www.foo.com/private
>
> I am currently using the SSLRequireSSL directive to lock out non-SSL connections to those directories, resulting in an error to the user. I have tried a location-specific redirect like the following, but ended up with a loop (and a couple thousand extra entries in my log file).
>
>     <Location /private>
>         Redirect seeother /private https://www.foo.com/private
>     </Location>
>
> Am I on the right track or making this too difficult? I have no mod_rewrite skills, so have not tried that route as of yet.
>
> Thanks in advance.
>
> --
> Kind Regards,
> David A. Flanigan ([EMAIL PROTECTED])
Re: N/A
You shouldn't be afraid of virtual hosts. If you split them up as vhosts, then you can do what you want. If you don't, you can't. In my example I used separate DocumentRoots, but this is not necessary.

P.S. Can you fix your PC's clock? Your timezone is 13 hours out.

David Flanigan wrote:
> Peter:
>
> This server is not running with virtual hosts (only a single domain); the doc root for SSL and non-SSL is the same. Any way I can do the automatic redirect without moving the doc roots around?
>
> Thanks for your help.
>
> --
> Kind Regards,
> David A. Flanigan
>
> -------- Original Message --------
> From: "Peter Viertel" [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tue, 07 May 2002 12:55:04 +0100
> Subject: Re: N/A
>
>> Use VirtualHost stanzas, i.e.:
>>
>>     <VirtualHost _default_:80>
>>         ServerName www.foo.com
>>         Redirect /private https://www.foo.com/private
>>         DocumentRoot "htdocs"
>>     </VirtualHost>
>>
>>     <IfDefine SSL>
>>     <VirtualHost _default_:443>
>>         ServerName www.foo.com
>>         SSLCertificateFile conf/ssl.crt/server.crt
>>         SSLCertificateKeyFile conf/ssl.key/server.key
>>         SSLEngine on
>>         DocumentRoot "secure"
>>     </VirtualHost>
>>     </IfDefine>
>
> --- End of Original Message ---
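Putting the two replies together, as an added example that is not Peter's configuration: the same DocumentRoot on both ports, the Redirect placed only in the port-80 vhost, and the SSLRequireSSL lock kept as a backstop. The reason "if you split them up as vhosts you can" holds is that without the split the Redirect inside <Location /private> also matched requests that had already arrived on port 443, which is the loop David saw. The DocumentRoot and certificate paths are placeholders; www.foo.com is the name used in the thread.

```apache
# Added example (not the config from the posts). DocumentRoot and certificate
# paths are placeholders.

<VirtualHost _default_:80>
    ServerName   www.foo.com
    DocumentRoot /usr/local/apache/htdocs
    # Only the private tree is sent to https; the rest of the site stays on http.
    # Because this lives in the :80 vhost alone, a request that is already on
    # :443 never matches it, so there is nothing to loop.
    Redirect /private https://www.foo.com/private
</VirtualHost>

<IfDefine SSL>
<VirtualHost _default_:443>
    ServerName            www.foo.com
    # Same tree as port 80: separate DocumentRoots are not required.
    DocumentRoot          /usr/local/apache/htdocs
    SSLEngine             on
    SSLCertificateFile    conf/ssl.crt/server.crt
    SSLCertificateKeyFile conf/ssl.key/server.key
</VirtualHost>
</IfDefine>

# Server-wide backstop: a plain-http request for /private is refused with 403
# should the Redirect above ever be removed. On port 80 the Redirect is applied
# first (URL translation happens before the access check), so browsers get the
# redirect, not the 403.
<Location /private>
    SSLRequireSSL
</Location>
```

Check it with a plain-http request for /private/ and confirm the response is a 302 to the https URL, then that the https URL itself returns the page (not another redirect); a second redirect at that point means the Redirect has leaked into the :443 vhost.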
Re: SSL-Problem with Mac MSIE
No, I wouldn't want to disable SSL3 either... One case I know of like this is to do with advertising EXPORT56 ciphers on the server side... some variants of IE barf if they're talking to a site with a so-called 128-bit certificate (an SGC cert). I have used this when a site has an uber-cert for marketing reasons, and the crypto requirement is not high:

    SSLCipherSuite !EXPORT56:ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

The broken clients end up using SSL3 with 40-bit key length, good clients talk SSL3/128-bit or TLS; it still gives the option for SSL2 and allows null encryption too.

Thomas Binder wrote:
> Hi!
>
> On Tue, Apr 23, 2002 at 06:38:22PM +0200, Nisbach, Thomas wrote:
>> i found one (unsatisfying) solution: I disabled SSLv3 by setting
>>     SSLProtocol -SSLv3
>> If i do this MSIE on Mac runs but i worry about other browsers that would not run anymore :-(
>
> Btw, as far as I understand this does not disable TLSv1: Does IE's TLS1 support work any better than its SSL3 implementation?
>
> And what also bothers me: Why do these problems only seem to affect OpenSSL-based webservers, and not for example iPlanet? Do these non-affected servers contain other/better workarounds? Or do they only support SSL2?
>
> Is it really such a serious drawback to disable SSL3? Most current browsers (e.g. links, Mozilla, Opera) seem to support and default to TLS1, anyway.
>
> Ciao
> Thomas
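The same SSLCipherSuite line appears in the IE 5.00-5.01 thread above, where the advice was also to log the negotiated cipher and key length so you can see which clients land where. Here is one added vhost, not from either post, that does both and also carries the MSIE SetEnvIf workaround quoted in that thread. Certificate paths and the ServerName are placeholders.

```apache
# Added example, not from the list posts. ServerName and certificate paths are
# placeholders.
<IfDefine SSL>
<VirtualHost _default_:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    conf/ssl.crt/server.crt
    SSLCertificateKeyFile conf/ssl.key/server.key

    # The string from the thread: EXPORT56 removed so SGC-confused IE builds
    # fall back to 40-bit export ciphers instead of failing the handshake.
    # Be clear about what it still admits: SSLv2, export-grade keys and eNULL
    # (no encryption at all). That is a deliberate trade for the legacy clients
    # discussed here; once they are gone, drop +SSLv2:+EXP:+eNULL and add !eNULL.
    SSLCipherSuite !EXPORT56:ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

    # The MSIE keepalive/shutdown workaround quoted in the IE 5.0x thread.
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

    # One line per request with protocol, cipher, effective key size and the
    # User-Agent, so weak-cipher clients can be counted before the string is
    # tightened. %{...}x is mod_ssl's log-format hook and works without
    # SSLOptions +StdEnvVars.
    CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x \"%r\" %b \"%{User-Agent}i\""
</VirtualHost>
</IfDefine>
```

In that log a 40 in the key-size field marks a client that ended up on the export fallback, and a NULL cipher name marks one that negotiated no encryption at all; both are the user agents worth warning about on the site, and the ones to count before the weak options are removed.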
Re: encipher box
Yes, I've done it a few times with Apache 1.3 on Solaris; still mucking around with Apache 2 though. What you need is:

a) the nCipher software for the O/S - these are binary only and will set up a daemon called hardserver, and another package that installs the CHIL library. If they don't have packages for your O/S you are screwed.

b) get/compile openssl-engine, not the standard openssl.

c) test openssl; on a Sun it goes like this:

    # LD_LIBRARY_PATH=/usr/lib:/opt/nfast/toolkits/hwcrhk
    # export LD_LIBRARY_PATH
    # openssl speed -engine chil

d) now you have openssl talking nCipher OK, you need to recompile mod_ssl to use openssl-engine... use Apache 1.3.24, and configure with the SSL_EXPERIMENTAL option (without this, you can't get it to use nCipher).

e) check you built httpd right:

    # LD_LIBRARY_PATH=/usr/lib:/opt/nfast/toolkits/hwcrhk
    # export LD_LIBRARY_PATH
    # httpd -L | grep SSLCryptoDevice

f) add the following line to httpd.conf:

    SSLCryptoDevice chil

Note this shows you how to get any nCipher to provide hardware acceleration; I think the stuff about getting Apache to use keys stored in an nForce HSM is another topic altogether, and best left off-list unless enough people want to hear the gory details...

Regards,
PeterV.

[EMAIL PROTECTED] wrote:
> Hi,
>
> does anybody have any experience, links or hints on how to connect mod_ssl and encipher boxes??? As I am new to this list I am not sure if this is the right place to ask this question.
>
> cheers
> Alex Apostolopoulos
> WebTechnology Smart Card Solutions, Secartis AG - eSolutions by Giesecke & Devrient, www.secartis.com
Re: potential apachectl modification
Soft restarts like this crash httpd if you have added/deleted SSL key or certificate lines in the config file - in these cases you must fully stop/restart the daemon. So I would say there is a case for a restartssl option, although I'm happy enough to run stop, check for all daemons dying, then run startssl, as changing certs/keys is usually an infrequent task.

Glen Mehn wrote:
> 'restart' and 'graceful' will restart the server with -DSSL, if it's (currently) running with -DSSL.
>
> 'restart' sends a SIGHUP to Apache; 'graceful' sends a SIGUSR1 to Apache, which httpd reads as 'finish what you're doing, then HUP yourself'.
>
> glen
>
> On Mon, Apr 22, 2002 at 12:23:35PM -0400, Aryeh Katz wrote:
>> Does it make sense to have a restartssl directive, to match the restart directive?
>> ---
>> Aryeh Katz
>> VASCO
>> www.vasco.com
>
> --
> Glen S Mehn
> Contract Systems Administrator, SquareTrade, Inc
Re: potential apachectl modification
httpd -t will error on SSL stuff not between <IfDefine SSL> lines. I think you'll find that your LoadModule is in an IfDefine while the unloadmodule isn't. httpd -DSSL -t is the way to check all the syntax in httpd.conf; without the -DSSL you're only checking half of it.

Aryeh Katz wrote:
> Use apachectl graceful.
>
> I suppose I should have done a little more research before posting. I had a script that did a restart, and the restart reported an error. I then tried a start and everything worked fine, so I assumed that restart did a kill then a start, and thus needed to be changed for ssl.
>
> Once I got these mails, I looked a little closer, and I'm seeing some strange behavior. apachectl configtest complains on SSLEngine off in my :80 virtual host. Fine, doesn't bother me, I comment it out (wondering why only httpd -t complains, and not a regular startup). I then ran apachectl configtest again, and it reported no errors. I ran httpd -t from the command line, and it said:
>
>     Syntax OK
>     Segmentation Fault
>
> Call stack on the Segmentation Fault indicates that it's on the unload_module. I do have a module of my own that is loaded, which when removed, allows httpd -t to run fine. Does anyone have any suggestions for what my module might be doing to cause the configtest to core on unload?
>
> Thanks.
> Aryeh
>
> Frank
>
> ----- Original Message -----
> From: "Aryeh Katz" [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Monday, April 22, 2002 9:23 AM
> Subject: potential apachectl modification
>
> > Does it make sense to have a restartssl directive, to match the restart directive?
> > ---
> > Aryeh Katz
> > VASCO
> > www.vasco.com
>
> ---
> Aryeh Katz
> VASCO
> www.vasco.com
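The two replies above make two checks worth automating: PeterV's point that SSL directives outside `<IfDefine SSL>` are what a plain `httpd -t` trips over, and his earlier point that a soft restart is not enough once key or certificate lines change. The script below is an added example written for this thread; it is not code from mod_ssl or from any of the posters. It assumes an Apache 1.3-style httpd.conf where mod_ssl is enabled with `httpd -DSSL` and the SSL parts are wrapped in `<IfDefine SSL>`; the embedded config fragment is constructed for the demonstration and deliberately places an `AddModule` line and the port-80 `SSLEngine off` outside the IfDefine block.

```python
"""
Audit helpers for an Apache 1.3 / mod_ssl httpd.conf.

Added example for the thread above; not code from mod_ssl or from the
posters.  Assumes an Apache 1.3-style httpd.conf in which mod_ssl is
enabled with `httpd -DSSL` and SSL configuration lives in <IfDefine SSL>.
"""
import re
from collections import Counter
from dataclasses import dataclass

IFDEFINE_OPEN = re.compile(r"^<IfDefine\s+(!?)(\S+?)\s*>$", re.IGNORECASE)
IFDEFINE_CLOSE = re.compile(r"^</IfDefine\s*>$", re.IGNORECASE)

# Directives that reference key/certificate material.  Changing any of them
# is the case the thread says needs a full stop/start, not a soft restart.
CERT_DIRECTIVES = {
    "sslcertificatefile", "sslcertificatekeyfile", "sslcertificatechainfile",
    "sslcacertificatefile", "sslcacertificatepath",
}


@dataclass(frozen=True)
class Directive:
    lineno: int
    name: str
    args: str
    defines: tuple  # <IfDefine> conditions enclosing the line, e.g. ("SSL",)


def parse(text: str) -> list:
    """Return the directives in `text`, each tagged with the <IfDefine>
    conditions enclosing it.  Comments, blank lines and section tags other
    than <IfDefine> are skipped; unbalanced <IfDefine> raises ValueError."""
    stack, out = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = IFDEFINE_OPEN.match(line)
        if m:
            stack.append(m.group(1) + m.group(2))  # "SSL" or "!SSL"
            continue
        if IFDEFINE_CLOSE.match(line):
            if not stack:
                raise ValueError(f"line {lineno}: </IfDefine> without <IfDefine>")
            stack.pop()
            continue
        if line.startswith("<"):  # <VirtualHost>, <Directory>, ... and closers
            continue
        parts = line.split(None, 1)
        args = parts[1].strip() if len(parts) > 1 else ""
        out.append(Directive(lineno, parts[0], args, tuple(stack)))
    if stack:
        raise ValueError(f"unclosed <IfDefine {stack[-1]}>")
    return out


def is_ssl_directive(d: Directive) -> bool:
    """SSL* directives plus the LoadModule/AddModule lines for mod_ssl."""
    lname = d.name.lower()
    if lname.startswith("ssl"):
        return True
    return lname in ("loadmodule", "addmodule") and "ssl" in d.args.lower()


def ssl_directives_outside_ifdefine(text: str, define: str = "SSL") -> list:
    """SSL directives not wrapped in <IfDefine SSL>.  They are processed even
    when httpd runs without -DSSL (so without mod_ssl loaded), which is what
    makes a plain `httpd -t` complain about lines a -DSSL start accepts.
    Run both `httpd -t` and `httpd -DSSL -t` to cover both halves."""
    return [d for d in parse(text) if is_ssl_directive(d) and define not in d.defines]


def cert_material(text: str) -> Counter:
    """Multiset of (directive, value) for key/cert directives, so a change in
    any virtual host, or an added/removed host, is detected."""
    return Counter((d.name.lower(), d.args) for d in parse(text)
                   if d.name.lower() in CERT_DIRECTIVES)


def needs_full_restart(old_text: str, new_text: str) -> bool:
    """True if key/certificate lines were added, removed or changed between
    the running config and the new one: then stop, wait for every httpd to
    exit, and startssl instead of `apachectl restart` / `graceful`."""
    return cert_material(old_text) != cert_material(new_text)


# Constructed sample httpd.conf fragment (not taken from any real server).
# The AddModule line and the port-80 `SSLEngine off` sit outside
# <IfDefine SSL> on purpose.
SAMPLE_CONF = """\
# constructed sample fragment
<IfDefine SSL>
LoadModule ssl_module libexec/libssl.so
</IfDefine>
ClearModuleList
AddModule mod_ssl.c
Listen 80
<VirtualHost _default_:80>
    ServerName www.example.com
    SSLEngine off
</VirtualHost>
<IfDefine SSL>
Listen 443
<VirtualHost _default_:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile conf/ssl.crt/server.crt
    SSLCertificateKeyFile conf/ssl.key/server.key
</VirtualHost>
</IfDefine>
"""

if __name__ == "__main__":
    for d in ssl_directives_outside_ifdefine(SAMPLE_CONF):
        print(f"line {d.lineno}: {d.name} {d.args} is outside <IfDefine SSL>")
    rotated = SAMPLE_CONF.replace("server.key", "server-new.key")
    print("full restart needed after key rotation:",
          needs_full_restart(SAMPLE_CONF, rotated))
```

Run against the sample it reports line 6 (`AddModule mod_ssl.c`) and line 10 (`SSLEngine off`) as the lines to move inside `<IfDefine SSL>`; the port-80 host then needs no SSL directive at all, since `SSLEngine` defaults to off. Feed `needs_full_restart` the config as last loaded and the edited one before choosing between `apachectl graceful` and stop/startssl.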
