RE: Directing users without enough encryption capability

2002-08-19 Thread Philip Ravenscroft

One option is along these lines:

ErrorDocument 403 


SSLOptions +StrictRequire
SSLRequire %{SSL_CIPHER_USEKEYSIZE} > 128


> > I have a site with strong encryption, demanding 128 bit encryption with:
> > SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
> > 
> > A lot of users don't have browsers with 128 bits encryption
> > capabilities, so what I would like to do is:
> > 
> > When a user cannot use 128 bits encryption, he/she should be
> > redirected to a page with info about upgrading, instead of just
> > getting no connection.
> > 
> > Any idea how to do that?
> 
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



RE: Reverse proxying of SSL traffic

2002-06-24 Thread Philip Ravenscroft

> The reverse proxy should now make an SSL connection to webserver (this is
> running IBM HTTPServer, IBM's packaged Apache). webserver has its own
> self-signed certificate.

Out of the box, mod_proxy cannot negotiate secure connections, so it can't
connect to your backend server using https.  (I don't know if anyone has
gotten this to work, though).  This means that you should have the backend
proxy connect in the clear to your IBM server.

Usually this is done with the proxy in the DMZ and the other server behind
another firewall, so it is secure.

Phil






RE: Reverse proxying of SSL traffic

2002-06-24 Thread Philip Ravenscroft

Set up two virtual servers for the same IP, one on port 80 (with just simple
proxy rules).  Confirm this works.

Then, set up a virtual server on port 443 with the same proxy stuff.  You
reference the certificate file there.

Phil

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Monday, June 24, 2002 7:54 AM
> To: [EMAIL PROTECTED]
> Subject: Reverse proxying of SSL traffic
>
>
> Hi list,
>
> I have a requirement to set up a reverse proxy (web accelerator) which will
> accept incoming HTTP and HTTPS connections (using our Verisign credentials
> on the proxy) and proxy those requests to other web servers.
>
> The catch is I need the connection between the proxy and the web server to
> be HTTPS if and only if the incoming connection to the proxy is HTTPS. I
> will be using self-signed certificates on the web servers.
>
> Apache+mod_ssl looks like it can do this with ProxyPass/ProxyPassReverse
> but where do I reference the self signed certificate of the web server in
> httpd.conf?
>
> At the moment I get the following error in my browser when I try to use the
> reverse proxy:
>
> Proxy Error
> The proxy server received an invalid response from an upstream server.
>
>
> The proxy server could not handle the request GET /.
>
>
> Reason: SSL proxy connect failed
> (slrsdct1.internal.standardlife.com:443):
> peer 172.31.100.31:443: decryption failed or bad record mac
>
>
> Thanks in advance.
>
> Michael Pacey
>





error page on failure to negotiate ssl connection

2002-03-22 Thread Philip Ravenscroft

We are using server-gated cryptography to mandate 128 bit key strength, but
to also upgrade export browsers.  However, we would like users who do not
have adequate ssl support to see an error page we create rather than
whatever their browser's error message is.

Is there a way to do this with apache+mod_ssl?  I imagine it's a bit of a
chicken-and-egg problem because in order to redirect the user to an error
page, an ssl connection has to be made at the lower cipher strength.

Philip
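A fuller version of the ErrorDocument/SSLRequire approach given in the 2002-08-19 reply at the top of this page, written as an added example (not configuration from the thread): the handshake is allowed to complete with whatever cipher the browser has, SSLRequire then rejects the weak session with a 403 at access-control time, and the upgrade notice is served from a directory outside the restricted tree so the error document itself is reachable over that weaker session. Syntax assumes Apache 2.4 with mod_ssl (SSLRequire is deprecated there in favour of Require expr but still accepted); the hostname, certificate paths and directories are placeholders.

```apache
# Added example, not taken from the thread.  Placeholders: the hostname,
# the certificate paths and the two directories.
<VirtualHost *:443>
    ServerName secure.example.com
    DocumentRoot /var/www/secure

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.example.com.key
    # Deliberately NOT restricting SSLCipherSuite to strong ciphers here:
    # that would make the handshake itself fail for export browsers, and
    # no error page can be delivered on a connection that never came up.

    # The application tree.  The handshake has already completed by the
    # time SSLRequire is evaluated (access-control phase), so a weak
    # session gets an HTTP 403 instead of a dropped connection.
    <Directory /var/www/secure>
        Require all granted
        SSLOptions +StrictRequire
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
        # 403 is what a failed SSLRequire returns; map it to the notice.
        ErrorDocument 403 /upgrade/index.html
    </Directory>

    # The upgrade notice lives OUTSIDE the restricted tree.  If it sat
    # under /var/www/secure, the internal redirect for the 403 would be
    # rejected as well and httpd would fall back to its built-in text.
    Alias /upgrade /var/www/upgrade
    <Directory /var/www/upgrade>
        Require all granted
    </Directory>
</VirtualHost>
```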

