Re: cant start ssl on apache2

2007-04-27 Thread Phil Ehrens
Are you calling apachectl using the full path to the apachectl
that knows where THOSE conf files are?

Sorry for top-posting... It just seemed like the right thing to do
in this case.

javier rojas wrote:
> Hello,
>
> I'm having some trouble when starting ssl on my apache2 server, first I
> must say that I did not install apache, so I really don't know if ssl
> was enabled, but I guess so since in the httpd.conf I have
>
> <IfModule mod_ssl.c>
>     Include conf/ssl.conf
> </IfModule>
>
> well, the second thing is that I have configured everything in my
> ssl.conf file (I think it is ok) but when I restart apache it doesn't
> even read the ssl.conf file, I renamed the ssl.conf file to
> ssl.conf.1 and apache restarted successfully, so I think it just
> doesn't look for it when restarting.
>
> I did comment the
> <IfDefine SSL>
> </IfDefine>
> in ssl.conf, in order to be able to start apache always with ssl support
>
> I'm pretty sure my ssl.conf and my httpd.conf files are correct since
> I have another server with the same configuration and it's working
> properly, but when I
>
> netstat -nl | grep 443
>
> there's nothing listening and in the /usr/local/apache/logs/ directory
> there's no
> ssl_request_log/  ssl_scache.dir  ssl_scache.pag
> log files, can anyone help me?
>
> --
> Ciao, Javier
> linux counter #393724
> GPG Key Fingerprint = 46B76CFEDB0161089D9ECB22FEFDE7EBA8C2007E
> __
> Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
> User Support Mailing List  modssl-users@modssl.org
> Automated List Manager[EMAIL PROTECTED]

-- 
Phil Ehrens [EMAIL PROTECTED]| Fun stuff:
The LIGO Laboratory, MS 18-34 | http://www.ralphmag.org
California Institute of Technology| http://www.trenchman.com
1200 East California Blvd.| http://www.tokyotosho.com
Pasadena, CA 91125 USA| My gpg public key:
Phone:(626)395-8518 Fax:(626)793-9744 | http://www.imbe.net/peligo.asc


Re: cant start ssl on apache2

2007-04-27 Thread Phil Ehrens
javier rojas wrote:
> 2007/4/27, Phil Ehrens [EMAIL PROTECTED]:
>> Are you calling apachectl using the full path to the apachectl
>> that knows where THOSE conf files are?
>>
>> Sorry for top-posting... It just seemed like the right thing to do
>> in this case.
> hello :)
>
> well I'm using the only apachectl in my machine, that's in
> /usr/local/apache2/bin
>
> and I commented the line
> Listen 80
>
> and then
> /usr/local/apache2/bin/apachectl restart
>
> to see if apachectl was reading the correct httpd.conf and it didn't
> start the server

And when you run

 /usr/local/apache2/bin/httpd -V

Does everything look okay?

Phil


Re: cant start ssl on apache2

2007-04-27 Thread Phil Ehrens
javier rojas wrote:
>> And when you run
>>
>>  /usr/local/apache2/bin/httpd -V
>>
>> Does everything look okay?
>
> m, this is what I was looking for.
>
> /usr/local/apache2/bin/httpd -V
> Server version: Apache/2.0.49
> Server built:   Apr 23 2007 10:41:23
> Server's Module Magic Number: 20020903:7
> Architecture:   64-bit
> Server compiled with
>  -D APACHE_MPM_DIR=server/mpm/prefork
>  -D APR_HAS_SENDFILE
>  -D APR_HAS_MMAP
>  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
>  -D APR_USE_PROC_PTHREAD_SERIALIZE
>  -D APR_USE_PTHREAD_SERIALIZE
>  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
>  -D APR_HAS_OTHER_CHILD
>  -D AP_HAVE_RELIABLE_PIPED_LOGS
>  -D HTTPD_ROOT=/usr/local/apache2
>  -D SUEXEC_BIN=/usr/local/apache2/bin/suexec
>  -D DEFAULT_PIDLOG=logs/httpd.pid
>  -D DEFAULT_SCOREBOARD=logs/apache_runtime_status
>  -D DEFAULT_LOCKFILE=logs/accept.lock
>  -D DEFAULT_ERRORLOG=logs/error_log
>  -D AP_TYPES_CONFIG_FILE=conf/mime.types
>  -D SERVER_CONFIG_FILE=conf/httpd.conf
>
> I think it was not compiled with ssl support :(

It won't tell you that from -V. Is there a file named:

 /usr/local/apache2/modules/mod_ssl.so

Phil
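A diagnostic script added here as an example (it is not from the thread, nor from the Apache project) that turns Phil's two questions into one check. It assumes the 2.0 prefix layout the -V output shows (bin/httpd, modules/, conf/httpd.conf, conf/ssl.conf) and reports whether mod_ssl is compiled in, present as a DSO, or missing, plus which ports the configuration asks httpd to bind.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Assumes the Apache 2.0 prefix layout
# shown in the -V output above: bin/httpd, modules/, conf/httpd.conf, conf/ssl.conf.

# Print how mod_ssl is available under PREFIX: static | dso | dso-not-loaded | missing
modssl_status() {
    prefix="$1"
    httpd="$prefix/bin/httpd"
    conf="$prefix/conf/httpd.conf"
    # "httpd -l" lists modules compiled into the binary; "httpd -V" does not.
    if "$httpd" -l 2>/dev/null | grep -q 'mod_ssl\.c'; then
        echo static
        return 0
    fi
    if [ -f "$prefix/modules/mod_ssl.so" ]; then
        # A DSO only counts if httpd.conf loads it: <IfModule mod_ssl.c> skips
        # its body when the module is not loaded, so ssl.conf is never read.
        if grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ssl_module' "$conf" 2>/dev/null; then
            echo dso
        else
            echo dso-not-loaded
        fi
        return 0
    fi
    echo missing
    return 1
}

# Print the ports the configuration asks httpd to bind, so "nothing on 443"
# can be explained: Listen lines may sit in httpd.conf or in conf/ssl.conf.
listen_ports() {
    prefix="$1"
    cat "$prefix/conf/httpd.conf" "$prefix/conf/ssl.conf" 2>/dev/null |
        grep -E '^[[:space:]]*Listen[[:space:]]' |
        sed -E 's/.*Listen[[:space:]]+(.*:)?([0-9]+).*/\2/' |
        sort -un | xargs echo
}

# Typical use on the box from the thread:
#   modssl_status /usr/local/apache2
#   listen_ports  /usr/local/apache2
```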


Re: Does Mod_SSL use SSL_get_shared_ciphers()?

2006-10-25 Thread Phil Ehrens
Interesting. Must be an Apache 2.2.X thing. The symbol
definitely does not appear in 2.0.55.

Per Olausson wrote:
>
> Phil,
>
> Is it the way I am building Apache or is Linux or Solaris hiding this
> symbol? I've checked this on a gentoo build, but on my machine the
> module has no symbols.
>
> Details as below:
>
> Apache/2.2.3
> OpenSSL 0.9.8c
> AIX 5200-09
>
> nm mod_ssl.so | grep SSL_get_shared_ciphers
> .SSL_get_shared_ciphers T   269028692
> .SSL_get_shared_ciphers_139_116 t   269031772
>
> nm(1):
>
> T Global text symbol.
> t Local text symbol.
>
> Regards,
>
>
> Per
>
> Phil Ehrens wrote:
>> Per Olausson wrote:
>>>
>>> Phil Ehrens:
>>> I just checked a couple different versions and did not see that
>>> function.
>>>
>>> I posted a question about this to the apache security mailbox, but
>>> nobody responded. I guess that is in line with the policy for that
>>> mailbox even if I find it somewhat unhelpful, considering that SSL isn't
>>> completely a rarity when using Apache.
>>>
>>> The reason I am concerned is because mod_ssl indirectly references
>>> SSL_get_shared_ciphers. It is in use. You can see this if you use
>>> something like nm and grep for this function.
>>>
>>> So is mod_ssl vulnerable? Is the functionality insulated and not
>>> possible to trigger from the mod_ssl user scenario, or is it?
>>>
>>> If anyone has any ideas please let me know!
>>
>>
>> The symbol is not defined in mod_ssl on any of my Linux or Solaris
>> systems, all of which are running Apache-2.0.55. What version are
>> you looking at?



Re: Does Mod_SSL use SSL_get_shared_ciphers()?

2006-10-24 Thread Phil Ehrens
Per Olausson wrote:
>
> Phil Ehrens:
> I just checked a couple different versions and did not see that
> function.
>
> I posted a question about this to the apache security mailbox, but
> nobody responded. I guess that is in line with the policy for that
> mailbox even if I find it somewhat unhelpful, considering that SSL isn't
> completely a rarity when using Apache.
>
> The reason I am concerned is because mod_ssl indirectly references
> SSL_get_shared_ciphers. It is in use. You can see this if you use
> something like nm and grep for this function.
>
> So is mod_ssl vulnerable? Is the functionality insulated and not
> possible to trigger from the mod_ssl user scenario, or is it?
>
> If anyone has any ideas please let me know!

The symbol is not defined in mod_ssl on any of my Linux or Solaris
systems, all of which are running Apache-2.0.55. What version are
you looking at?


Re: Does Mod_SSL use SSL_get_shared_ciphers()?

2006-10-11 Thread Phil Ehrens
Stanley Laufer wrote:
> Does anyone know if Mod_SSL uses the SSL_get_shared_ciphers()
> function from OpenSSL?
>
> As you may know a buffer overflow has been detected in that
> function in OpenSSL versions prior to 0.9.8d.
>
> I'm trying to find out if Mod_SSL uses the vulnerable function.

I just checked a couple different versions and did not see that
function.
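Added here as an example (not code from the thread or from mod_ssl) covering the whole SSL_get_shared_ciphers() exchange above: it classifies nm output for a symbol the way Per and Phil read it by hand, and compares an installed OpenSSL version against the 0.9.8d fix level Stanley cites. The nm sample layouts, the module path and the version strings in the usage comments are assumptions.

```shell
#!/bin/sh
# Added helper, not from the thread. Two checks a defender runs before deciding
# whether a mod_ssl build is exposed to an OpenSSL library bug such as the
# SSL_get_shared_ciphers() overflow the thread says was fixed in 0.9.8d.

# Read "nm" output on stdin and say how the object relates to symbol $1:
#   static  - defined (T/t) inside the .so, as in Per's AIX output: OpenSSL is
#             linked into the module, so updating libssl alone does not fix it
#   dynamic - undefined (U): resolved from libssl at load time, so the installed
#             OpenSSL library version is what matters
#   absent  - the object does not reference the symbol at all
# Handles GNU ("value T name" / "U name") and AIX ("name T value") layouts.
symbol_linkage() {
    awk -v s="$1" '
        {
            hit = 0; t = ""
            for (i = 1; i <= NF; i++) {
                f = $i; sub(/^\./, "", f)          # AIX prefixes text symbols with "."
                if (f == s) hit = 1; else if (f ~ /^[A-Za-z]$/) t = f
            }
            if (!hit) next
            found = 1
            if (t == "U") { print "dynamic" } else if (t ~ /^[Tt]$/) { print "static" } else { print "other" }
            exit
        }
        END { if (!found) print "absent" }'
}

# Succeed (exit 0) when OpenSSL version $1 is older than $2. Accepts the raw
# "openssl version" line. Patch letters sort after no letter, so
# 0.9.8 < 0.9.8a < 0.9.8d, while 0.9.7l < 0.9.8d is decided by the numeric fields.
openssl_older() {
    a=$(printf '%s' "$1" | sed -E 's/^OpenSSL +//; s/ .*//')
    b=$(printf '%s' "$2" | sed -E 's/^OpenSSL +//; s/ .*//')
    awk -v a="$a" -v b="$b" 'BEGIN {
        split(a, A, "."); split(b, B, ".")
        for (i = 1; i <= 3; i++)                # "8c" + 0 is 8 in awk
            if (A[i] + 0 != B[i] + 0) exit (A[i] + 0 < B[i] + 0 ? 0 : 1)
        la = A[3]; sub(/^[0-9]+/, "", la)       # keep only the patch letters
        lb = B[3]; sub(/^[0-9]+/, "", lb)
        exit (la < lb ? 0 : 1)
    }'
}

# Typical use on the box from the thread. If nm prints "no symbols" the module
# is stripped; "nm -D" reads the dynamic symbol table that stripping leaves.
#   nm -D /usr/local/apache2/modules/mod_ssl.so | symbol_linkage SSL_get_shared_ciphers
#   openssl_older "$(openssl version)" 0.9.8d && echo "libssl predates the fix"
```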


Re: Detecting if https is used from within a .conf file

2006-10-03 Thread Phil Ehrens
Toomas Aas wrote:
>
> I was thinking of putting this large block of directives into a separate
> file and Include it in both vhost sections, to tidy up my main config
> file. But in order to do that, I would need to define some logic in this
> file for those cases where http and https need to be handled separately.
> I was certain that such a possibility exists, but I'm starting to have
> some doubts now. Any advice?

Very simple. Just add the logic to apachectl. It's a shell script.


Re: ssl trouples

2006-05-22 Thread Phil Ehrens
Markus wrote:
> Made all the ca.key and the server.key and signed it via sign.sh, everything
> looked good so far.
>
> then the misery begins.
>
> ./configure --with apache... --with-ssl --with-mm
> --with-crt=/var/local/certs --with -key=/var/local/private
> --prefix=../apache_1.3.35  --enabled-shared-ssl
>
> Error:
> cannot find SSL x.509 certificated file /var/local/certs

It wants the path to the cert, not to the directory containing
the cert. I wonder why they didn't use --with-cert for the
option name?!


Re: ssl trouples

2006-05-22 Thread Phil Ehrens
Markus wrote:
> Phil Ehrens wrote:
>
>> Markus wrote:
>>
>>> Made all the ca.key and the server.key and signed it via sign.sh, everything
>>> looked good so far.
>>>
>>> then the misery begins.
>>>
>>> ./configure --with apache... --with-ssl --with-mm
>>> --with-crt=/var/local/certs --with -key=/var/local/private
>>> --prefix=../apache_1.3.35  --enabled-shared-ssl
>>>
>>> Error:
>>> cannot find SSL x.509 certificated file /var/local/certs
>>
>>
>> It wants the path to the cert, not to the directory containing
>> the cert. I wonder why they didn't use --with-cert for the
>> option name?!
>
> I put that path in, however it still doesn't work. I put it in like this:
> the certs and keys are in /usr/local/certs and /usr/local/private.
> and I put in /usr/local/certs
> and /usr/local/private

It wants something like:

/usr/local/certs/httpdcert.pem
                 ^^^^^^^^^^^^^
                 filename of cert


Re: CRL Checking Uses Excessive Memory

2006-04-21 Thread Phil Ehrens
I think the first thing you need to do is connect to this URL
from someplace that doesn't have any certs related to you
installed, like your local library:

https://www.hill.af.mil/main/index.html

I am not trying to be funny, I am just worried that either you
are going to get yourself into trouble by exposing configuration
info about .mil computers, or somebody else is going to get into
trouble while trying to help you.

Phil

Walls Rob W Contr 75 CS/SCBS wrote:
> I work for the DoD. We have about a dozen CAs with their own CRL files.
> Some of these are over 20M in size. When CRL checking is enabled in Apache
> (for Linux or Windows), memory use is excessive and httpd processes are
> killed by the OS (Linux) due to out of memory conditions and all the memory
> swapping activity sends the proc utilization way up there and makes the
> server unresponsive. On Windows the CPU use just pegs at 100% (I have no
> idea what else is going on in there).
> CRLs are downloaded every day and openssl is used to make hashed file names
> (ssl.conf is using SSLCARevocationPath). I don't currently restart apache
> after retrieving the new CRL files.
> The Linux machine runs redhat with dual 3ghz xeons and 2Gb ram. SSL works
> great, but as soon as CRLs are checked, apache starts to go south! I have a
> 2Gb swap partition and have added another 2Gb swap file to at least keep
> things running, but it becomes so slow it might as well crash.
> Each httpd process goes from using about 14Mb of memory when not CRL
> checking to 250Mb when CRL checking is enabled!
> BTW: anywhere from 10 to 20 concurrent httpd processes are normal for that
> machine.
>
> Any ideas on how to use large CRLs in Apache?
>
> Do I just need more memory?
>
> If Apache can't use many large CRL files, would an OCSP solution side-step
> these problems? Any good ones out there?



Re: Back in the ModSSL group?

2006-01-23 Thread Phil Ehrens
BJ Swope wrote:
> Until the me toos this list received about 1 mail a month...

And generally about old versions of the module.



Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Phil Ehrens
Aaron Turner wrote:
>
> I gotta ask though, just what are you doing where you expect 100K
> people trying to download a 15MB file all at the same time?  You
> working for Microsoft and planning the next security tuesday patch
> update or something? :)

That or he has the video of Gates getting raped by the penguin.

Oops, I hope this isn't a family list.


Re: Mod_ssl and how to reduce overhead

2005-09-26 Thread Phil Ehrens
Pigeon wrote:
> Ok, let's assume I can get a network connection with:
> A) 10mbit
> B) 100mbit
> C) 1000mbit
>
> And I will have 10k concurrent downloads (let us throw out 100k for now..
> because I can always scale up figures if we get a base).
>
> (The reason I say 10k concurrent is because we have an update system (sorta
> like windows update).. and as soon as we tell their computer to update, we
> have 10k boxes saying give me the file!)
>
> So my question is..
> What would be the best (given we cannot do blades or the like since we have
> to use 'standard' 1u/2u/4u boxes from the dedi center).
> Should we definitely beat the problem with iron and get 5 servers doing load
> balancing? 2 servers? If 2 servers, go with the 1000mbit connection?

The short answer is that you need to benchmark using various
configurations. You have a particularly bad problem, what with
the per-request encryption beating on the CPUs, and the large
file size beating on the network (and putting your servers at
the mercy of the clients).

Pushing all of the solutions downstream like this instead of
coming up with a better front-end is going to cost you. This
all just screams for a more elegant solution than just asking
apache to stick its finger in the dike.

Good luck.



Re: Migrating cert from Sun Web Server

2005-08-09 Thread Phil Ehrens
SB wrote:
> I've already paid for a few Verisign certs (that were requested from
> and installed on Sun Web Server aka SWS aka ONE aka iPlanet) and now
> we are migrating from SWS to Apache and mod_ssl. I would like to reuse
> the certs but they (and the keys) use some weird db format. I have the
> certs in my email somewhere still so all I need is the keys. Anyone
> know how I can extract the key from the db file or elsewhere for use
> with mod_ssl and Apache2?
>
> I've already looked in the docs[1] and googled a bit but so far
> nothing. Any help is greatly appreciated!

Look here (search for pk12util):

http://docs.sun.com/source/816-5682-10/esecurty.htm
