Re: mod_ssl 2.2.3
modssl is built into the 2.x.x apache versions. Your consultant must be asking you to upgrade full apache versions. The 1.3.x apache tree still has a separate modssl base to add and build off of. This should not be a concern for you since you are running the newer apache tree.

Thanks,

Ron DuFresne

On Tue, 1 Apr 2008, Sir June wrote:

> I have a Solaris box with Apache 2.2.3 and mod_ssl 2.2.3. Our security consultant ran vulnerability software and the report recommended upgrading to mod_ssl 2.8.24 or higher. Is this possible? As I only see releases for Apache 1.3.x. What are your recommendations?
>
> thanks,
> Sir june

-- 
admin senior security consultant: sysinfo.com http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
...We waste time looking for the perfect lover instead of creating the perfect love. -Tom Robbins, Still Life With Woodpecker

__
Apache Interface to OpenSSL (mod_ssl)       www.modssl.org
User Support Mailing List                   modssl-users@modssl.org
Automated List Manager                      [EMAIL PROTECTED]
Re: SSL by Domain Name Error
More likely www.mydomain.com is not in DNS; perhaps trying this works:

https://mydomain.com

If that works it is a DNS issue.

Thanks,

Ron DuFresne

On Tue, 19 Jun 2007, Omar W. Hannet wrote:

> I'll bet you're right when you say your provider may not be forwarding https requests properly. I'd run this one past them and see what they have to say about it.
>
> Rob Archer wrote:
>
> > When accessing it by IP address using the debug option of openssl it returns what you would expect (i.e. the text of the key certificate). When accessing by domain name it says:
> >
> >     Loading 'screen' into random state - done
> >     Connect: bad file descriptor
> >     Connect:errno=10060
> >
> > I assume this is the equivalent of the "Internet Explorer cannot display the webpage" error in IE!!!
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
> > Sent: 19 June 2007 17:07
> > To: modssl-users@modssl.org
> > Subject: Re: Ref : RE: Ref : RE: Ref : RE: SSL by Domain Name Error
> >
> > Rob Archer wrote:
> > > No entry for https and domain name in the access.log and an "Internet Explorer cannot display the webpage" in IE when trying to get to the server.
> >
> > Do you have access to the openssl command line program? It would tell you whether you are making a connection, and possibly shed some light on the problem. Like this:
> >
> >     openssl s_client -connect www.mydomain.com:443 -debug
> >     GET /
Re: Apache with mod_ssl
Even more revealing was the passphrase prompt, not required for plain httpd...

Thanks,

Ron DuFresne

On Tue, 19 Jun 2007, Omar W. Hannet wrote:

> Are you quite certain that the LoadModule for mod_ssl has been commented out? The reason I ask: the output from 'apachectl start' which you provided below shows 'mod_ssl/2.2.4'. In the log file /opt/apache-2.2.4/logs/error_log, on lines that contain 'Apache/2.2.4' and 'configured -- resuming normal operations', do you see 'mod_ssl/2.2.4'? If so, it is still being loaded from somewhere in your configuration.
>
> Saikat Saha wrote:
> > Sorry for the late response on this one. This is what we have in httpd.conf, which is generated at compile time. This problem does not go away even if I comment out the last four lines and restart apache. Could you please advise what else could be leading apache to think it is https rather than http?
> >
> >     # Secure (SSL/TLS) connections
> >     #Include conf/extra/httpd-ssl.conf
> >     #
> >     # Note: The following must must be present to support
> >     #       starting without SSL on platforms with no /dev/random equivalent
> >     #       but a statically compiled-in mod_ssl.
> >     #
> >     <IfModule ssl_module>
> >     SSLRandomSeed startup builtin
> >     SSLRandomSeed connect builtin
> >     </IfModule>
> >
> > With the above commented out, when I try to start apache, I get the following passphrase prompt and apache does not start even after saying the passphrase was successful; no logs in the logs directory although the log level is debug:
> >
> >     ]# ./apachectl start
> >     httpd: Could not reliably determine the server's fully qualified domain name, using 10.3.110.109 for ServerName
> >     Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)
> >     Some of your private key files are encrypted for security reasons.
> >     In order to read them you have to provide the pass phrases.
> >
> >     Server 10.3.110.109:443 (RSA)
> >     Enter pass phrase:
> >
> >     OK: Pass Phrase Dialog successful.
> >     [EMAIL PROTECTED] bin]#
> >
> > Thank you very much for your help.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
> > Sent: Monday, June 18, 2007 8:34 AM
> > To: modssl-users@modssl.org
> > Subject: Re: Apache with mod_ssl
> >
> > Do you have IfModule ssl_module tags surrounding all SSL directives in your configuration file? For example:
> >
> >     <IfModule ssl_module>
> >     SSLPassPhraseDialog builtin
> >     # etc.
> >     </IfModule>
> >
> > Saikat Saha wrote:
> > > Apache was compiled as below:
> > >
> > >     ./configure --with-ldap --enable-mods-shared=all ssl ldap cache proxy authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock disk_cache --prefix=/opt/apache-2.2.4
> > >
> > > httpd -l gives the below:
> > >
> > >     [EMAIL PROTECTED] bin]# httpd -l
> > >     Compiled in modules:
> > >       core.c
> > >       prefork.c
> > >       http_core.c
> > >       mod_so.c
> > >
> > > How do I compile so that it does not load mod_ssl automatically and loads it only if httpd.conf is configured? Surprisingly there are no error logs even at debug level. Thank you so very much for the kind help.
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
> > > Sent: Friday, June 15, 2007 4:13 PM
> > > To: modssl-users@modssl.org
> > > Subject: Re: Apache with mod_ssl
> > >
> > > Saikat Saha wrote:
> > > > We have apache 2.2.4 compiled with all modules but commented out all load modules. Do not have anything in the httpd.conf file to state that this is https. But when I start apache, it tries to go to https and prompts for a pass phrase. How does apache determine that this is https whereas this is actually an http server?
> > >
> > > Perhaps mod_ssl is a compiled-in module. Run 'httpd -l' to check this.
> > >
> > > > After I enter a passphrase, it shows successful but the server never starts up. Can someone please help?
> > >
> > > The reason probably can be found in Apache's error_log file.
> > >
> > > > Also can apache support both http and https at different ports at the same time?
> > >
> > > Yes. The defaults are port 80 for http and port 443 for https.
Re: modssl installation problem
On Fri, 23 Jun 2006, Arsen Hayrapetyan wrote:

> Hello,
>
> I am trying to install mod_ssl-2.8.27-1.3.36 and I've faced the following problem when I do 'make' in the directory where the apache source resides:
>
>     gcc -DLINUX=22 -DHAVE_SET_DUMPABLE -DMOD_SSL=208127 -DUSE_HSREGEX -DEAPI -DNO_DL_NEEDED `./apaci` -L/home/ahairape/prereqs/openssl-0.9.8b \
>       -o httpd buildmark.o modules.o modules/standard/libstandard.a modules/ssl/libssl.a main/libmain.a ./os/unix/libos.a ap/libap.a regex/libregex.a -lm -lcrypt -lssl -lcrypto -lexpat
>     /home/ahairape/prereqs/openssl-0.9.8b/libcrypto.a(dso_dlfcn.o)(.text+0x35): In function `dlfcn_load':
>     : undefined reference to `dlopen'
>     /home/ahairape/prereqs/openssl-0.9.8b/libcrypto.a(dso_dlfcn.o)(.text+0x95): In function `dlfcn_load':
>     : undefined reference to `dlclose'
>     /home/ahairape/prereqs/openssl-0.9.8b/libcrypto.a(dso_dlfcn.o)(.text+0xbc): In function `dlfcn_load':
>     : undefined reference to `dlerror'
>     /home/ahairape/prereqs/openssl-0.9.8b/libcrypto.a(dso_dlfcn.o)(.text+0x147): In function `dlfcn_bind_var':
>     : undefined reference to `dlsym'
>     /home/ahairape/prereqs/openssl-0.9.8b/libcrypto.a(dso_dlfcn.o)(.text+0x172): In function `dlfcn_bind_var':
>     : undefined reference to `dlerror'
>     /home/ahairape/prereqs/openssl-0.9.8b/libcrypto.a(dso_dlfcn.o)(.text+0x237): In function `dlfcn_bind_func':
>     : undefined reference to `dlsym'
>     /home/ahairape/prereqs/openssl-0.9.8b/libcrypto.a(dso_dlfcn.o)(.text+0x262): In function `dlfcn_bind_func':
>     : undefined reference to `dlerror'
>     /home/ahairape/prereqs/openssl-0.9.8b/libcrypto.a(dso_dlfcn.o)(.text+0x52b): In function `dlfcn_unload':
>     : undefined reference to `dlclose'
>
> I've done the following pre-installations:
>
> openssl-0.9.8

I think yer error rests here. One makes apache and mod-ssl together and installs/configs as one application with a module loaded.

> apache-1.3.36
>
> And I am following the instructions in the INSTALL file of mod_ssl to configure it:
>
>     cd mod_ssl-2.8.27-1.3.36
>     ./configure --with-apache=/home/cawebuser/apache_1.3.36 \
>        --with-ssl=/home/ahairape/prereqs/openssl-0.9.8b \
>        --prefix=/usr/local/apache-1.3.36
>
> [Here '/home/ahairape/prereqs/openssl-0.9.8b' is the directory where I've unpacked openssl, '/home/cawebuser/apache_1.3.36' is the directory where I've unpacked apache and /usr/local/apache-1.3.36 is the directory where the apache is installed]
>
>     cd /home/cawebuser/apache_1.3.36
>     make
>
> Can anybody tell me the solution to this problem?

Thanks,

Ron DuFresne
Re: Apache sends wrong certificate
I'm sure this has been answered, but in case it has not: you can not virtualize https to more than one host site; you have to have real IP addresses for https.

Thanks,

Ron DuFresne

On Wed, 24 May 2006, Frank van Beek wrote:

> Hi all,
>
> This morning we migrated 4 of our websites to a new server. Each of these websites uses a certificate for https connections. We've got only one Apache instance running with 4 virtual hosts on 4 different IP-addresses. This worked fine on the old server. But since the move this morning Apache sends the certificate for the first VirtualHost to all 4 IP-addresses.
>
> Two of these sites need an additional SSLCertificateChainFile, and this file is sent *correctly* depending on the IP-address. So Apache does see 4 different VirtualHosts, but somehow ignores the individual SSLCertificateFiles.
>
> Here is the relevant part of httpd.conf for these 4 hosts:
>
>     ----
>     Listen xxx.xxx.198.62:443
>     NameVirtualHost xxx.xxx.198.62:443
>     <VirtualHost xxx.xxx.198.62:443>
>       SSLEngine On
>       SSLCertificateChainFile chain1
>       SSLCertificateFile      crt1
>       SSLCertificateKeyFile   key1
>     </VirtualHost>
>
>     Listen xxx.xxx.198.61:443
>     NameVirtualHost xxx.xxx.198.61:443
>     <VirtualHost xxx.xxx.198.61:443>
>       SSLEngine On
>       SSLCertificateChainFile chain2
>       SSLCertificateFile      crt2
>       SSLCertificateKeyFile   key2
>     </VirtualHost>
>
>     Listen xxx.xxx.198.63:443
>     NameVirtualHost xxx.xxx.198.63:443
>     <VirtualHost xxx.xxx.198.63:443>
>       SSLEngine On
>       SSLCertificateFile      crt3
>       SSLCertificateKeyFile   key3
>     </VirtualHost>
>
>     Listen xxx.xxx.198.64:443
>     NameVirtualHost xxx.xxx.198.64:443
>     <VirtualHost xxx.xxx.198.64:443>
>       SSLEngine On
>       SSLCertificateFile      crt4
>       SSLCertificateKeyFile   key4
>     </VirtualHost>
>     ----
>
> The old server is still up and running. I've upgraded Apache on that system to the same version (2.0.58) and copied httpd.conf to that machine. The above configuration somehow works correctly there.
>
> I've been trying to debug this using openssl s_client -state -connect and I do see some relevant differences, but I've been unable to interpret them.
>
> I know this report lacks a lot of possibly relevant details. But I didn't want to send the whole httpd.conf and all of the terminal output to this list. Is there an obvious mistake in my configuration? Or have I stumbled on a bug in Apache 2.0.58?
>
> Regards,
> Frank.
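An added check for the situation Frank describes, not from the thread and not Apache project code: probe each HTTPS address with openssl s_client and compare the CN of the certificate actually served with the CN the inventory says belongs there, so "first VirtualHost's certificate on every IP" shows up as a MISMATCH line per address instead of having to be read out of -state dumps. Assumptions: a POSIX shell with sed, and the openssl command line tool for the live probe; the addresses and names in the inventory are constructed, since the thread's own addresses are redacted.

```shell
#!/bin/sh
# Added example: which certificate does each HTTPS address really serve?

subject_cn_from_sclient() {
    # $1: s_client output. The subject line is printed either as
    #   subject=/C=NL/O=Example/CN=www.example.com       (older OpenSSL)
    # or
    #   subject=C = NL, O = Example, CN = www.example.com (newer OpenSSL)
    # Both forms are handled; only the first subject= line counts, the
    # issuer line that follows is never reached because of the q.
    printf '%s\n' "$1" | sed -n '/^subject=/{
s/^subject=//
\|/CN=|{
s|.*/CN=\([^/]*\).*|\1|
p
q
}
/CN = /{
s/.*CN = \([^,]*\).*/\1/
p
q
}
}'
}

compare_cn() {
    # $1: address probed, $2: CN served, $3: CN expected.
    if [ "$2" = "$3" ]; then
        echo "ok $1 $2"
    else
        echo "MISMATCH $1 served=$2 expected=$3"
    fi
}

check_served_cn() {
    # Live probe of one address on port 443; stdin is closed so s_client
    # returns after the handshake instead of waiting for a request.
    served=$(subject_cn_from_sclient "$(openssl s_client -connect "$1:443" </dev/null 2>/dev/null)")
    compare_cn "$1" "$served" "$2"
}

# Constructed inventory (the thread's own addresses were redacted as
# xxx.xxx.198.x): one line per HTTPS address, "ip expected-CN".
INVENTORY='192.0.2.61 www.example.com
192.0.2.62 shop.example.com
192.0.2.63 mail.example.com
192.0.2.64 intranet.example.com'

check_all() {
    # One ok/MISMATCH line per inventory entry.
    printf '%s\n' "$INVENTORY" | while read -r ip cn; do
        check_served_cn "$ip" "$cn"
    done
}

# Usage: check_all
```

Run it against the old and the new server in turn: on a correctly working host every line reads ok; the symptom in the thread would show as the first vhost's CN appearing on all four addresses.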
RE: HTTPS Without OpenSSL Native
On Tue, 26 Jul 2005, Pj wrote:

> Download the apache source and study mod_ssl; it's pretty clean...

The ugly end is when he needs to DL and study the openssl code, which is likely to be far less clean and much more hefty.

thanks,

Ron DuFresne

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Delfim Machado
> Sent: Tuesday, 26 July 2005 4:18 AM
> To: modssl-users@modssl.org
> Subject: Re: HTTPS Without OpenSSL Native
>
> stunnel?
>
> On Jul 25, 2005, at 21:12, Leonardo Cavallari Militelli wrote:
>
> > Hi all,
> >
> > I'm looking for another way to implement ssl on an apache web server than using mod_ssl or apache-ssl. Is there a way to implement ssl directly with Openssl? I'm developing an intrusion detection and prevention system for my msc thesis. I already use the sample web server that comes with openssl, but now I need to know what the relation is between mod_ssl and openssl?
> >
> > tks anyway!
> > Leo
>
> --
> Delfim Machado
> ~ I will always be what I will never be! I will always be what you will never see! - Myself
Re: Apache starts, SSL site unavailable
On Tue, 21 Jun 2005, Jon August wrote:

> Can I just remove the IfDefine tags? Or is that not recommended?

You could, though the gain might not be there; why not just run the server in the proper mode?

Thanks,

Ron DuFresne

> On Jun 21, 2005, at 2:35 PM, Cliff Woolley wrote:
>
> > On Tue, 21 Jun 2005, Jon August wrote:
> >
> > > Hi, I'm switching from Stronghold to Apache 2.0.54 with mod_ssl enabled. When I start apache, everything appears to work except the SSL site. There's some sort of warning about the cache. mod_ssl.c is listed as a compiled-in module, and there's an:
> > >
> > >     Include conf/ssl.conf
> > >
> > > in the httpd.conf. Any suggestions would be greatly appreciated.
> >
> > Are you starting httpd with the -D SSL command line argument? If not, then the entire block of configuration directives inside the <IfDefine SSL> container in your config file will be ignored.
> >
> > --Cliff
Re: mod_ssl
Hopefully stratech has you on the bench right now so ya get paid to go back and read the docs you obviously avoided for a quickie fix here *smile*. Did you compile with all the proper settings for ssl? Is this 1.3.x or 2.0.x? There are differences, slightly, in how one enables ssl in each. Do you have the pre/co-reqs in place to implement ssl under apache? With 1.3.x you need apache, openssl, and the modssl package as well as mm; with 2.0.x I believe yer only needing apache and openssl. But, most likely no one replied to yer earlier post as you include such scant information as to what the issue is. Yer not a transplant down here are ya?

Thanks,

Ron DuFresne

On Tue, 1 Feb 2005, Plantier, Spencer wrote:

> I can't get ssl to work. I did a search on my httpd.conf and it has
>
>     <IfModule mod_ssl.c>
>     Include conf/ssl.conf
>     </IfModule>
>
> And when I do a httpd -l I get:
>
>     Compiled in modules:
>       core.c
>       mod_access.c
>       mod_auth.c
>       mod_include.c
>       mod_log_config.c
>       mod_env.c
>       mod_setenvif.c
>       prefork.c
>       http_core.c
>       mod_mime.c
>       mod_status.c
>       mod_autoindex.c
>       mod_asis.c
>       mod_cgi.c
>       mod_negotiation.c
>       mod_dir.c
>       mod_imap.c
>       mod_actions.c
>       mod_userdir.c
>       mod_alias.c
>       mod_so.c
>
> Spencer Plantier
> System Network Administrator

-- 
admin senior security consultant: sysinfo.com http://sysinfo.com
...Love is the ultimate outlaw. It just won't adhere to rules. The most any of us can do is sign on as its accomplice. Instead of vowing to honor and obey, maybe we should swear to aid and abet. That would mean that security is out of the question. The words make and stay become inappropriate. My love for you has no strings attached. I love you for free... -Tom Robbins, Still Life With Woodpecker
apache java question
I know this might be more suited to the apache users list, but there's enough of a knowledge base here, I'm sure, to answer a question as I work a project with deadlines looming and little time to deal with an additional list to join and parse over for info.

The project I'm engaged in is a migration from sun/solaris/iPlanet to a linux/apache realm, with apache/linux doing that VM game on the s390 big iron. Now, though these are and have always been deemed 'static' websites, and I have someplace between 130-200 virtual sites to migrate, the concept of static is a tad different than the standard view of 'static'. Turns out many of my clients are doing far more dynamic content than was believed or understood till we started to take a closer look at what functionality we needed to port to apache to replace what clients have under iPlanet. My clients are doing a tad bit-o java/jsp stuff.

So, my questions are:

- what at least minimal java capability is provided with plain ole apache without adding in a tomcat or websphere component?
- does the installation of the java sdk provide any basic or additional functionality to plain ole apache?
- if so, what kinda httpd.conf references do I need to provide to point to either a jre or java bin for my clients to make use of?

Thanks,

Ron DuFresne

-- 
admin senior security consultant: sysinfo.com http://sysinfo.com
Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
testing, only testing, and damn good at it too!
Re: Flex failure during apache 1.3.28 make
Wasn't this an issue with a modssl version a year or two ago? Something like the source files in the tarball not having the proper date stamps and, as Mads mentions, required a touch of a few files to make flex more 'flexible'?

Thanks,

Ron DuFresne

On Mon, 21 Jul 2003, Mads Toftum wrote:

> On Mon, Jul 21, 2003 at 02:23:22PM +0200, Boyle Owen wrote:
> > Greetings,
> >
> > I'm trying to compile the new 2.8.15 with apache 1.3.28 but hit a problem when make tries to run flex on the file src/modules/ssl/ssl_expr_scan.l.
>
> This shouldn't happen unless timestamps were messed up. Try touching src/modules/ssl/ssl_expr_scan.c to make sure its timestamp is newer than the .l file.
>
> vh
>
> Mads Toftum
Re: CVS repository / Maintainers?
[EMAIL PROTECTED] as always.

Thanks,

Ron DuFresne

On Mon, 7 Jul 2003, Douglas K. Fischer wrote:

> Who is currently maintaining mod_ssl for Apache 1.3.x? I've been tracking down a bug and wanted to check the latest mod_ssl repository code against 2.8.14 (current release) to see if anything has changed that might address this bug. All the old links I've found that dealt with the repository and bug database at modssl.org are dead...
>
> Many thanks,
> Doug
webtrends, exposed?
A tad off topic here, but is anyone here using webtrends servers exposed to the internet public? Any concerns with such an exposed placement for this application?

Thanks,

Ron DuFresne
Re: Virtual Host question?
If you have set this for the entire server as the default, you should not have to reset it for each virtual host as they should carry the default unless otherwise conf'ed not to.

Thanks,

Ron DuFresne

On Wed, 18 Jun 2003, rmck wrote:

> Hello,
>
> I have an apache1.3.27/mod_ssl2.8.12. I was told today I needed to fix this issue with my web server: HTTP TRACE Enabled. Now I have module mod_rewrite as a Loaded Module. The fix for this is as follows:
>
> If you are using Apache, add the following lines for each virtual host in your configuration file:
>
>     RewriteEngine on
>     RewriteCond %{REQUEST_METHOD} ^TRACE
>     RewriteRule .* - [F]
>
> I'm confused about where to place this in my httpd.conf? I have two virtual hosts in my httpd.conf file. Does this look correct? Thanks a lot for your help:
>
>     <VirtualHost 111.111.111.111>
>     Redirect / https://host.company.com/
>     Servername host.company.com
>     RewriteEngine On
>     RewriteCond %{REQUEST_METHOD} ^TRACE
>     RewriteRule .* - [F]
>     </VirtualHost>
>
>     <VirtualHost _default_:443>
>
>     # General setup for the virtual host
>     DocumentRoot /opt/apache/htdocs
>     ServerName host.company.com
>     ServerAdmin [EMAIL PROTECTED]
>     ErrorLog /opt/apache/logs/error_log
>     TransferLog /opt/apache/logs/access_log
>
>     RewriteEngine On
>     RewriteCond %{REQUEST_METHOD} ^TRACE
>     RewriteRule .* - [F]
>
>     # SSL Engine Switch:
>     # Enable/Disable SSL for this virtual host.
>     SSLEngine on
>
>     # SSL Cipher Suite:
>     # List the ciphers that the client is permitted to negotiate.
>     # See the mod_ssl documentation for a complete list.
>     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
>     [...]
>
>     # this only for browsers where you know that their SSL implementation
>     # works correctly.
>     # Notice: Most problems of broken clients are also related to the HTTP
>     # keep-alive facility, so you usually additionally want to disable
>     # keep-alive for those clients, too. Use variable "nokeepalive" for this.
>     # Similarly, one has to force some clients to use HTTP/1.0 to workaround
>     # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
>     # "force-response-1.0" for this.
>     SetEnvIf User-Agent ".*MSIE.*" \
>              nokeepalive ssl-unclean-shutdown \
>              downgrade-1.0 force-response-1.0
>
>     # Per-Server Logging:
>     # The home of a custom SSL log file. Use this when you want a
>     # compact non-error SSL logfile on a virtual host basis.
>     CustomLog /opt/apache/logs/ssl_request_log \
>               "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>     </VirtualHost>
>
> Regards,
> Rob
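An added verification step for the TRACE fix discussed in this thread (example code, not from the thread or the Apache project): rather than reasoning about which block the rule lives in, send a TRACE to each site and classify the reply. Two caveats a practitioner would want alongside it: mod_rewrite rules placed in the main server are not inherited by a <VirtualHost> unless that vhost sets RewriteOptions Inherit, which is why the scanner's advice says "for each virtual host"; and Apache 1.3.34 / 2.0.55 and later have a TraceEnable off directive that refuses TRACE with a 405 without needing mod_rewrite at all. The script assumes a POSIX shell with sed, and curl for the live check; the sample responses are constructed and no host is contacted by the samples.

```shell
#!/bin/sh
# Added example: confirm TRACE is refused on every site, not just the one
# whose <VirtualHost> block happens to contain the RewriteRule.

classify_trace_response() {
    # $1: full HTTP response (status line, headers, body) to a TRACE request.
    #   blocked : 403 (the RewriteRule ... [F] answer) or 405 (TraceEnable off)
    #   exposed : 200 with a message/http body, i.e. the request echoed back
    #   other   : anything else (a redirect, a plain 200 page); check by hand
    status=$(printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    case "$status" in
        403|405) echo "blocked" ;;
        200)
            case "$1" in
                *"Content-Type: message/http"*) echo "exposed" ;;
                *) echo "other" ;;
            esac ;;
        *) echo "other" ;;
    esac
}

trace_check() {
    # $1: site URL, e.g. https://host.company.com/
    # -i keeps the status line and headers, -s hides progress, -k tolerates a
    # test certificate, -m bounds the wait, -X TRACE sets the method.
    classify_trace_response "$(curl -s -i -k -m 10 -X TRACE "$1" 2>/dev/null)"
}

# Constructed sample responses (no real host was contacted).
RESPONSE_BLOCKED='HTTP/1.1 403 Forbidden
Date: Wed, 18 Jun 2003 10:00:00 GMT
Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7
Content-Type: text/html; charset=iso-8859-1'

RESPONSE_EXPOSED='HTTP/1.1 200 OK
Date: Wed, 18 Jun 2003 10:00:00 GMT
Server: Apache/1.3.27 (Unix) mod_ssl/2.8.12 OpenSSL/0.9.7
Content-Type: message/http

TRACE / HTTP/1.1
Host: host.company.com
User-Agent: curl'

# Usage, for the two vhosts in the thread:
#   trace_check http://host.company.com/
#   trace_check https://host.company.com/
```

The port-80 vhost in the thread answers everything with a Redirect, so its TRACE comes back as a 3xx and is reported as other; the https target is where the rule has to hold, so check that URL directly rather than following the redirect.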
RE: openssl upgrade
On Thu, 20 Mar 2003 [EMAIL PROTECTED] wrote:

[SNIP]

> It should not be too hard (but I am not using RedHat):
>
> 1) read http://www.openssl.org/support/faq.html Note the RedHat sections.
> 2) download the latest (0.9.7a) to some dir (I use something like /usr/local/src/openssl).
> 3) untar it and check its signature (see faq).
> 4) read the following in the expanded dir: FAQ and INSTALL and/or INSTALL.whatever
> 5) make your choices and do a
>
>        ./config --whatever=whatever \ ...
>        make
>        make test
>
> 6) if OK, you have proved you can get openssl compiled and tested from source.
> 7) now is the tricky part; examine your currently installed openssl, determine its location, and, if you are sure you know what's what, remove it with rpm (man rpm if ?s). I assume you can always revert to the RedHat version by re-installing the 'official' RedHat openssl rpm. (I hope you are doing this on a test machine.)

and get the sources and recompile all red-hat apps that rely upon openssl. There are others on the list that might be able to document what those applications are, but, I believe there are a few.

> 8) make location changes (prefix=) (if necessary) and repeat from step 4.
> 9) make install and ldconfig.
> 10) test and, etc.

Thanks,

Ron DuFresne
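For the step Ron adds to the list (working out which applications still depend on the old OpenSSL), here is an added post-upgrade check that is not from the thread: on an RPM system `rpm -q --whatrequires openssl` answers at package level, and the script below answers at binary level by reading ldd output and flagging anything that still resolves libssl or libcrypto from outside the prefix the new build was installed under. A POSIX shell with sed and ldd is assumed; the ldd output embedded in the block is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: after building OpenSSL from source under its own prefix,
# find binaries that still resolve libssl/libcrypto from the vendor copy.

ssl_libs_from_ldd() {
    # $1: the output of "ldd <binary>". Prints the resolved path of every
    # libssl* and libcrypto* line, one per line; prints nothing for a
    # statically linked binary or one that does not use OpenSSL at all.
    printf '%s\n' "$1" | sed -n \
        -e 's/^[[:space:]]*libssl[^ ]* => \([^ ]*\).*/\1/p' \
        -e 's/^[[:space:]]*libcrypto[^ ]* => \([^ ]*\).*/\1/p'
}

lib_origin() {
    # $1: prefix the new build was installed under (e.g. /usr/local/ssl)
    # $2: resolved library path. "prefix" = new build, "vendor" = anything else.
    case "$2" in
        "$1"/*) echo "prefix" ;;
        *)      echo "vendor" ;;
    esac
}

report_vendor_linked() {
    # $1: prefix; remaining args: directories of binaries to inspect.
    # Prints "<binary> -> <library>" for each link into the vendor copy, so
    # the list of things to rebuild (or to leave on the vendor rpm) is explicit.
    prefix="$1"; shift
    for dir in "$@"; do
        for bin in "$dir"/*; do
            [ -f "$bin" ] || continue
            for lib in $(ssl_libs_from_ldd "$(ldd "$bin" 2>/dev/null)"); do
                if [ "$(lib_origin "$prefix" "$lib")" = "vendor" ]; then
                    echo "$bin -> $lib"
                fi
            done
        done
    done
}

# Constructed ldd output for illustration (not captured from a real host):
# a binary half-moved to the new build, libssl still from /lib.
LDD_SAMPLE='    linux-gate.so.1 =>  (0xffffe000)
    libssl.so.4 => /lib/libssl.so.4 (0x00a2f000)
    libcrypto.so.4 => /usr/local/ssl/lib/libcrypto.so.4 (0x00b1d000)
    libc.so.6 => /lib/tls/libc.so.6 (0x00111000)'

# Usage: report_vendor_linked /usr/local/ssl /usr/bin /usr/sbin /usr/local/apache/bin
```

Run it before removing the vendor rpm in step 7 to see what would break, and again after step 9 to confirm the rebuilt applications picked up the new library rather than the leftover copy.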
Re: How to start mod ssl?
It looks as though ssl might not be enabled in the httpd.conf file. Do you have these statements included there:

    LoadModule ssl_module libexec/libssl.so
    AddModule mod_ssl.c

Thanks,

Ron DuFresne

On Mon, 17 Mar 2003, Mitchell, Edmund wrote:

> Hello all
>
> I just built from source apache 2 on RedHat 8 with this config:
>
>     $ ./configure --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --enable-mods-shared=all --enable-so --with-mpm=worker --enable-ssl --with-ssl=/usr/include/openssl --libexecdir=/usr/lib/httpd/modules --mandir=/usr/share/man --sysconfdir=/etc/httpd/conf --datadir=/var/www --localstatedir=/var --disable-imap --disable-dav --disable-dav_fs --disable-speling --disable-autoindex
>
> and it went smoothly, as did make and make install. I tried to startssl, but it complained about the cert and key file, so I built those using the makefile that RedHat provides to build dummy certs and keys, and that went smoothly. It then complained about the DocumentRoot, so I fixed that, and now it doesn't complain, but nothing happens.
>
>     # /usr/sbin/apachectl startssl
>     # ps -eaf | grep httpd
>     root     19590 19172  0 13:53 pts/1    00:00:00 grep httpd
>     # /usr/sbin/httpd -DSSL
>     # ps -eaf | grep httpd
>     root     19594 19172  0 13:53 pts/1    00:00:00 grep httpd
>
> I figured it was a weird situation so I tore out everything, and rebuilt from scratch. Twice, and yes, both times I md5summed the tarball. However, each time, if I don't start ssl, it works:
>
>     # /usr/sbin/httpd -k start
>     # ps -eaf | grep httpd
>     root     19597     1  0 13:56 ?        00:00:00 /usr/sbin/httpd -k start
>     nobody   19598 19597  0 13:56 ?        00:00:00 /usr/sbin/httpd -k start
>     nobody   19599 19597  0 13:56 ?        00:00:00 /usr/sbin/httpd -k start
>     nobody   19600 19597  1 13:56 ?        00:00:00 /usr/sbin/httpd -k start
>     root     19658 19172  0 13:56 pts/1    00:00:00 grep httpd
>
> and then, I can connect to localhost, but not to port 443, even though I have no firewall at all.
>
>     # /sbin/iptables --list
>     Chain INPUT (policy ACCEPT)
>     target     prot opt source               destination
>
>     Chain FORWARD (policy ACCEPT)
>     target     prot opt source               destination
>
>     Chain OUTPUT (policy ACCEPT)
>     target     prot opt source               destination
>
>     # /usr/bin/openssl s_client -connect localhost:80
>     CONNECTED(0003)
>     19856:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:
>
>     # /usr/bin/openssl s_client -connect localhost:443
>     connect: Connection refused
>     connect:errno=29
>
> The syntax seems to be OK; I haven't changed anything but what I mentioned above:
>
>     # /usr/sbin/httpd -t
>     Syntax OK
>     # /usr/sbin/httpd -S
>     VirtualHost configuration:
>     Syntax OK
>
> I'm (obviously) new to this whole thing, so I'd be grateful if anyone who's been through this before can steer me in the right direction.
>
> Thanks for your time
>
> E
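Both this thread and the "SSL by Domain Name Error" thread above end up reading raw openssl s_client output to work out whether the problem is DNS, a closed port, or a port that is open but speaking plain HTTP. As an added example (not from either thread), the script below does that classification from the strings s_client prints, so the three cases can be told apart in one line; the sample outputs are constructed from the lines quoted in the threads, and a POSIX shell plus the openssl binary (and glibc's getent for the DNS check) are assumed for the live functions.

```shell
#!/bin/sh
# Added example: classify the result of "openssl s_client -connect host:port".
#   no-listener : TCP connect was refused or timed out (nothing bound on that
#                 port, a firewall, or the name resolves to the wrong host)
#   not-tls     : TCP connected but the peer answered in plain HTTP
#   tls-ok      : handshake completed and a server certificate came back
#   unknown     : anything else; read the raw output

classify_sclient_output() {
    # $1: text captured from s_client (stdout and stderr together).
    # "unknown protocol" is tested first: that output also carries a
    # CONNECTED line, so a connection-based test alone would misfile it.
    case "$1" in
        *"unknown protocol"*) echo "not-tls" ;;
        *"Connection refused"*|*"errno=10060"*|*"errno=110"*|*"bad file descriptor"*) echo "no-listener" ;;
        *"Server certificate"*) echo "tls-ok" ;;
        *) echo "unknown" ;;
    esac
}

tls_probe() {
    # $1: host or IP, $2: port. Live probe; stdin is closed so s_client
    # returns instead of waiting for a request to be typed.
    classify_sclient_output "$(openssl s_client -connect "$1:$2" </dev/null 2>&1)"
}

name_resolves() {
    # $1: hostname. Ron's first suspicion in the DNS thread; getent (glibc)
    # answers it without touching the web server at all.
    getent hosts "$1" >/dev/null 2>&1
}

# Constructed sample outputs, modelled on the lines quoted in the threads.
SAMPLE_NOT_TLS='CONNECTED(0003)
19856:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:'

SAMPLE_REFUSED='connect: Connection refused
connect:errno=29'

SAMPLE_WIN_TIMEOUT="Loading 'screen' into random state - done
Connect: bad file descriptor
Connect:errno=10060"

SAMPLE_TLS_OK='CONNECTED(0003)
---
Certificate chain
 0 s:/CN=www.example.com
---
Server certificate
subject=/CN=www.example.com
issuer=/CN=Example CA'

# Usage:
#   name_resolves www.example.com && echo "in DNS"
#   tls_probe localhost 443
```

Read together the two probes in Edmund's post classify as not-tls on port 80 and no-listener on port 443, which is the signature of an httpd that started without its SSL vhost rather than a firewall or certificate problem; Rob's Windows output classifies as no-listener, consistent with Ron's DNS suspicion because nothing answered at all.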
Re: problem installing cert on virtual host
If this is tough to get into the FAQ, being it is asked weekly, perhaps it can be added to the footer of list messages?

Thanks, Ron DuFresne

On Sat, 15 Mar 2003, Jeff wrote:

Actually, the answer is RTFM. You can not have multiple SSL vhosts responding to one IP/port combination. The FIRST SSL vhost will ALWAYS respond when making the connection. This is due to how the protocol works. Refer http://marc.theaimsgroup.com/?l=apache-modsslm=98576871506980w=2 for more info

Rgds Jeff

- Original Message - From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, March 15, 2003 4:47 PM Subject: Re: problem installing cert on virtual host

On 14 Mar 2003 at 17:14, Dan McComb wrote:

Thanks Beau, Here's the pertinent bits (this file may look a bit strange -- it's a Mac OS X Server conf file, but functions in almost every way like traditional http.conf file): [...]

On Friday, March 14, 2003, at 04:58 PM, [EMAIL PROTECTED] wrote:

On 14 Mar 2003 at 16:20, Dan McComb wrote:

I've successfully installed one virtual host on my server to listen on port 443, and it's been running great. But when I added another virtual host directive to listen on same port further down in the file, I find that the first listener is the one that picks up the request. This results in an error in IE: the identity certificate name is not correct. If I comment out the first virtual host, the problem disappears and the second one works fine. I need them to work together... Anyone know how can I configure my virtual hosts/httpd.conf to avoid this problem? /dan mccomb -- -- [...]

Hi - I see nothing wrong with your conf file. I have some suggestions:

* since your SSL servers work one at a time, perhaps this is not an SSL problem. Remember, the first vhost is the 'default': any request that does not match a name (within that ip:port group) is sent to that first server. Why don't you comment out the SSL directives, change the ports to 80, and see if you can browse to each vhost?
* in the same vein, is your bind (dns) server set up OK?
* you may want to look at each server cert: openssl rsa -noout -text -in whatever.crt. The subject CN should match the server name.
* if your certs are self-signed, your browser will give you an error - that the CA is not recognized as trusted - but everything else should be OK if your CN matches the server name.

Let me know how it goes... Aloha = Beau;
Re: Installation Woes
On Fri, 14 Mar 2003, Rick Root wrote:

Evan Dillon wrote: try the apache/mod_ssl part of this: http://www.devshed.com/Server_Side/PHP/SoothinglySeamless/page1.html

Evan, That looks great... but... it doesn't tell me how to configure SSL in the httpd.conf. SSL is nowhere to be found in my httpd.conf, the default one that came with my apache 1.3.27 source distribution.

which means that you have not configured mod-ssl and openssl properly into your apache setup. Once properly done the default config will reflect the changes you seek.

Thanks, Ron DuFresne

cam wrote: Have you tried this? http://www.tldp.org/HOWTO/Apache-Compile-HOWTO/

Cam, I don't have any problem compiling apache with mod_ssl. I don't know how to configure it in the httpd.conf because after installation, SSL is nowhere to be mentioned in the httpd.conf that is installed. Thanks. Rick Root
Re: private key not found
You should be able to safely move them into place. Make sure perms are restricted as much as possible to prevent their info from being leaked.

On Fri, 14 Mar 2003, A. Putnam wrote:

Okay, I cleaned out all of the older versions of the keys and ran the scripts again. I ended up with this:

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: www.pelathe.org.crt - CA cert
www.pelathe.org.crt: OK

That does mean it worked, right? Everything is good? If so, should I move the new files I have to their respective directories or should I change my httpd.conf file to point to the new directory? I don't know if moving or copying/pasting damages the integrity of the encryptions or not.

On Thursday 13 March 2003 05:01, camun2020 wrote:

--- On Thu 03/13, A. Putnam [EMAIL PROTECTED] wrote: Still no luck. I get the same error with this script too. Thank you for pointing out the script though. It was a LOT easier to use than the other one I had been using.

OK, now I'm getting vague but could this be to do with the fact that you have some 'incomplete' keys and data in your ca.db.certs directory from the previous failed attempts? Make sure you start in a whole new clean directory... Having said that, I haven't actually tried those scripts with the most recent openssl so perhaps there are new problems. cam
Re: stop apache/mod_ssl binding to all IP's.
On Thu, 6 Mar 2003, Terry Kerr wrote:

Hi, I am running apache 1.3.26 and mod_ssl 2.8.9-2.1 on a debian linux system. The system has two IP's, and I only wish for apache to start on ports 80 and 443 on one of those IPs. I am using named based virtual hosting for many sites on the system for http, and have just one virtual host setup for https on port 443. The problem that I am having is that I cannot stop mod_ssl from binding to port 443 on both the IP's on my system. I have tried every possible combination of Listen, BindAddress, and Port, and have managed to prevent http from starting on all IP's, but https still starts on all IPs. Is there any way to stop this? Will I need to start two separate servers, one serving http only, and one serving https only? If I was to do this, I may as well go back to using apache-ssl which is the default installation on debian anyway.

add the IP address or FQDN to the port designation for the appropriate listen parameter:

<IfDefine SSL>
Listen someplace.com:80
Listen someplace.com:443
</IfDefine>

Thanks in advance terry
Re: private key not found
On Fri, 7 Mar 2003, A. Putnam wrote:

The permissions for the server.crt file are rw-r--r-- but it still cannot find the Private Key.

which would be 644 rather than 400 as the first person responded.

On Thursday 06 March 2003 13:36, Ron Gedye wrote:

Please check the permissions on your private key. They should be readable only by owner (400) (knee-jerk first guess reaction) Best of luck

- Original Message - From: A. Putnam [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, March 07, 2003 3:42 PM Subject: private key not found

I'm trying to get mod_ssl to work on my server, but each time I try to restart apache with mod_ssl activated, it gives me this error:

/etc/init.d/apache start returned 7 (Program is not running.)
Starting httpd [ Mailman PHP4 SSL ]Apache/1.3.26 mod_ssl/2.8.10 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server matrix.pelathe.org:443 (RSA)
Enter pass phrase:
Apache:mod_ssl:Error: Private key not found.
**Stopped
stty: standard input: Inappropriate ioctl for device
..failed

What I don't understand is how it can't find the Private key. The SSLCertificateKeyFile path in httpd.conf matches the location of the key in my directory. Isn't the SSLCertificateKeyFile the Private Key path? I'm including the Virtual Host code (sans the explanation text and a passkey). I'm very new to this so I won't be surprised if there is a glaring error in here that I missed...
<VirtualHost _default_:443>
DocumentRoot /srv/www/htdocs
ServerName matrix.pelathe.org
ServerAdmin [EMAIL PROTECTED]
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /etc/httpd/ssl.crt/server.crt
#SSLCertificateFile /etc/httpd/ssl.crt/server-dsa.crt
SSLCertificateKeyFile /etc/httpd/ssl.key/server.key
#SSLCertificateKeyFile /etc/httpd/ssl.key/server-dsa.key
SSLCertificateChainFile /etc/httpd/ssl.crt/ca.crt
#SSLCACertificatePath /etc/httpd/ssl.crt
SSLCACertificateFile /etc/httpd/ssl.crt/ca-bundle.crt
SSLCARevocationPath /etc/httpd/ssl.crl
#SSLCARevocationFile /etc/httpd/ssl.crl/ca-bundle.crl
SSLVerifyClient require
SSLVerifyDepth 10
#<Location />
#SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory /srv/www/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Any help would be greatly appreciated. I'm using Apache 1.3.26 and Mod_SSL 2.8.10 on a SuSE 8.1 box.
Thanks, -Andrew
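The two "private key not found" threads above end with the key files being moved into place and the permissions question (644 versus 400) left hanging. The following is an added example, not code from the list or from mod_ssl: the checks I would run on a key/cert pair before pointing SSLCertificateKeyFile and SSLCertificateFile at it and restarting httpd. It confirms that the key is readable by its owner only (400 or 600), that it loads without a pass-phrase (the "Pass Phrase Dialog" in the error above is what mod_ssl prints when the key is encrypted), and that the certificate was issued for that exact key by comparing the RSA moduli, which is also the proof that moving or copying the files did no damage. The throwaway key pair is generated into a temporary directory; the paths, the CN and the directory names are constructed for the example.

```shell
#!/bin/sh
# Added example: sanity checks for an Apache/mod_ssl key and certificate pair.
# Everything below (paths, CN, throwaway key) is constructed for illustration.

# Generate a throwaway RSA key and self-signed cert for demonstration.
# Usage: make_test_pair DIR  -> writes DIR/server.key and DIR/server.crt
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.example.com" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
}

# Octal permission bits of a file, e.g. 600 (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Return 0 when the key is readable only by its owner (mode 400 or 600).
key_perms_ok() {
    case "$(file_mode "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 when the key parses as an RSA key without a pass-phrase; an
# encrypted key fails here, which is the case that triggers the dialog.
key_loads_without_passphrase() {
    openssl rsa -noout -check -in "$1" -passin pass: >/dev/null 2>&1
}

# Return 0 when the cert belongs to the key: the RSA modulus embedded in the
# certificate must equal the modulus of the private key. Moving or copying
# the files cannot break this; mixing files from different CA runs can.
pair_matches() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 2
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    if [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]; then
        return 0
    fi
    return 1
}

# Run every check on one pair; one line per check, return 0 only if all pass.
check_pair() {
    key=$1; crt=$2; rc=0
    if key_perms_ok "$key"; then echo "ok   $key mode $(file_mode "$key")"
    else echo "FAIL $key mode $(file_mode "$key") (want 400 or 600)"; rc=1; fi
    if key_loads_without_passphrase "$key"; then echo "ok   key parses without pass-phrase"
    else echo "FAIL key is encrypted or corrupt"; rc=1; fi
    if pair_matches "$key" "$crt"; then echo "ok   key and cert moduli match"
    else echo "FAIL key does not belong to cert"; rc=1; fi
    return $rc
}

# Demonstration: the sloppy state from the thread (644), then the fix (400).
demo() {
    dir=$(mktemp -d)
    make_test_pair "$dir"
    chmod 644 "$dir/server.key"
    check_pair "$dir/server.key" "$dir/server.crt" || true
    chmod 400 "$dir/server.key"
    check_pair "$dir/server.key" "$dir/server.crt"
    rm -rf "$dir"
}

demo
```

Run it as is to see both outcomes; against a real installation, call check_pair with the two paths from the SSLCertificateKeyFile and SSLCertificateFile directives. A key that is meant to be protected by a pass-phrase will legitimately fail the second check; the third check is the one that catches a cert and key that never belonged together.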
Re: stop apache/mod_ssl binding to all IP's.
It sounds like perhaps your http.conf files have more than one listen directive, perhaps outside the Virtual Host directives. Might try grepping the file for listen and see what comes up. Or, better yet, egrepping for bind|listen|etc...

thanks, Ron DuFresne

On Fri, 7 Mar 2003, Terry Kerr wrote:

Mark, Thanks for your suggestion, but whenever I try to put Listen my.ip.address:443 (with the correct ip address ;-) my http or https server doesn't start at all on any port. The log error I get is

[crit] (98)Address already in use: make_sock: could not bind to address 203.89.254.243 port 443

But I don't get a similar error for port 80, so I don't know why it also doesn't start. I also have Listen ip.address:80 defined, and have a NameVirtualHost ip.address defined. I have tried many different combinations of name based and ip based virtual hosting, but https always binds to all IP's. As soon as I put the Listen ip.address:443, I get the log error above and no servers start. terry

Mark Boddington wrote:

Hi Terry, Perhaps your directives are being overridden in a <IfDefine SSL> or <IfModule SSL> block? Listen IP:Port does work, works for me. Do you have the following in your config?

Listen my.ip.address:443
...
NameVirtualHost my.ip.address:443
...
<VirtualHost my.ip.address:443>
...
</VirtualHost>

Cheers, Mark

On Thu, 6 Mar 2003, Terry Kerr wrote:

Hi, I am running apache 1.3.26 and mod_ssl 2.8.9-2.1 on a debian linux system. The system has two IP's, and I only wish for apache to start on ports 80 and 443 on one of those IPs. I am using named based virtual hosting for many sites on the system for http, and have just one virtual host setup for https on port 443. The problem that I am having is that I cannot stop mod_ssl from binding to port 443 on both the IP's on my system. I have tried every possible combination of Listen, BindAddress, and Port, and have managed to prevent http from starting on all IP's, but https still starts on all IPs. Is there any way to stop this?
Will I need to start two separate servers, one serving http only, and one serving https only? If I was to do this, I may as well go back to using apache-ssl which is the default installation on debian anyway. Thanks in advance terry

-- Terry Kerr ([EMAIL PROTECTED]) Adroit Internet Solutions (www.adroit.net) Phone: +61 3 9563 4461 Fax: +61 3 9563 3856
RE: mod_ssl 2.8.12 + apache 1.3.26
Additionally, each version of modssl is diff'ed against the version of apache it is designated for. There have been times I think Ralf has given out probable ways to fit one modssl version into a newer apache release prior to the new modssl version, but has given warnings about certain things possibly being borked in the process.

Thanks, Ron DuFresne

On Fri, 28 Feb 2003, Jeff Bert wrote:

Yes. You should use mod_ssl 2.8.12 and apache 1.3.27 as there is a security issue with apache 1.3.26 Jeff

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ihor Bilyy Sent: Friday, February 28, 2003 10:16 AM To: [EMAIL PROTECTED] Subject: mod_ssl 2.8.12 + apache 1.3.26

Hello All, is there any problem running this combination (subj)? thanks -i-
Re: securing one area of a vhost in apache 2
You gave this site its own IP address yes? Virtual hosting with non-ssl works in a 'software' aware mode, while virtual hosting with ssl is more 'hardware' in nature requiring specific IP addressing to function properly.

Thanks, Ron DuFresne

On Wed, 26 Feb 2003, Nick Tonkin wrote:

Hello, I am using Apache/2.0.44 (Unix) mod_perl/1.99_09-dev Perl/v5.8.0 mod_ssl/2.0.44 OpenSSL/0.9.7

I have a virtual host which mostly is served without SSL. But it has one area, /secure, that needs to be secured with SSL. I've tried various combinations of directives but can't get it to work. Right now I have:

<VirtualHost 123.456.789.123:8080>
SSLEngine on
SSLProtocol all
SSLCipherSuite HIGH:MEDIUM
SSLCertificateFile /home/debug/www/_conf/certs/ladyraquel.crt
SSLCertificateKeyFile /home/debug/www/_conf/certs/ladyraquel.key
SSLCACertificateFile /home/debug/www/_conf/certs/ca.crt
SSLVerifyClient none
<Directory /home/debug/www/ladyraquel/secure>
SSLVerifyClient require
SSLVerifyDepth 1
</Directory>
</VirtualHost>

The server starts fine, serves non-SSL pages fine, but hangs when I request /secure . The error log has nothing, but the access log shows that the request went instead to the server's first virtual host, with a weird method of 'L'. Any advice much appreciated. - nick
Re: securing one area of a vhost in apache 2
On Thu, 27 Feb 2003, Nick Tonkin wrote:

On Thu, 27 Feb 2003, R. DuFresne wrote: You gave this site its own IP address yes?

No. It is using NameVirtualHost.

Virtual hosting with non-ssl works in a 'software' aware mode, while virtual hosting with ssl is more 'hardware' in nature requiring specific IP addressing to function properly.

Hmm. I must have missed this in the docos. Rechecking ... Hm. Well, I see that I was on the wrong track with "How can I authenticate my clients for a particular URL based on certificates but still allow arbitrary clients to access the remaining parts of the server?" ... that appears on closer inspection to deal with certificate-wielding clients ... Hm. So, bottom line, it is not possible to have a virtual host accessible via http and require SSL for a part of it. Is that correct?

It's somewhat dependent upon what you are serving up. If there are like perhaps two ends of the virtual hosts, say, http://www.someplace.com and https://someplace.com under the same IP address space, then you will work okay. If you are virtual hosting more than this, then you need separate IP addresses for at least each and every SSL vh, and if there's a non-ssl end, that vh would need to most likely match the IP addressing setup of the ssl side. I'm sure others will correct or enhance what I'm prolly splaining poorly here.

thanks, Ron DuFresne

Thanks, - nick
Re: How to run apache in https only ?
There are a couple of areas to check to see if your settings are correct for this;

...
# BindAddress: You can support virtual hosts with this option. This directive
# is used to tell the server which IP address to listen to. It can either
# contain *, an IP address, or a fully qualified Internet domain name.
# See also the VirtualHost and Listen directives.
#
#BindAddress *
...
#
# Port: The port to which the standalone server listens. For
# ports < 1023, you will need httpd to be run as root initially.
#
Port 80
...

for apache 2.0.xx, this might be in an ssl specific configuration file as the tendency is once again for 'segmentation'

## SSL Support
##
## When we also provide SSL we have to listen to the
## standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
Listen someplace.com:80
Listen someplace.com:443
</IfDefine>

port 80 references are http, port 443 references are https. Edit these settings as appropriate for your setup. Providing those are properly set and the certs properly generated and available as stated in the configs, then your systems should listen at the proper address/interface on the appropriate port there for connections/services. I believe bindaddress has been deprecated for the listen directive.

Thanks, Ron DuFresne

On Sun, 23 Feb 2003, Jay Moore wrote:

I know this is a bit off-topic for this list, and I deserve all the flames I get... But I'm in a hurry, so here goes... I want to run Apache so it responds only to https on port 443; http requests are to be simply ignored. I thought I knew how to do this, but then read something about using mod_rewrite which gave me a headache. Is there a simple how-to describing how to run your server so it responds only to https over port 443?
Thanks, Jay
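Terry's "Address already in use" error in the binding thread, Ron's advice there to grep the config for listen directives, and Jay's https-only question above all come down to knowing exactly which address:port pairs httpd will try to bind at startup. The following is an added example, not code from the list or from Apache: a shell audit of the Listen directives in an httpd.conf. It prints every binding, treats a bare "Listen 443" as a bind on every interface, and flags a port that is bound both on every interface and on a specific address (or given twice), which is the combination that makes the second bind fail with the make_sock error in Terry's log. A Listen inside an <IfDefine SSL> block is reported like any other, because once httpd is started with -DSSL it is just as live. Two facts the thread only hints at: BindAddress and Port exist only in Apache 1.3 and were removed in 2.0, and in 1.3 the presence of any Listen directive means Port no longer controls what is bound. The sample configs and the 203.0.113.x addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: audit Apache "Listen" bindings and report the port
# collisions behind "[crit] (98)Address already in use: make_sock: could
# not bind to address". Sample configs and addresses are constructed.

# Print "ADDRESS PORT" per Listen directive, comments stripped. A bare
# "Listen 443" binds every interface and is printed as "* 443".
# <IfDefine>/<IfModule> wrappers are intentionally not evaluated.
listen_bindings() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        tolower($1) == "listen" && NF >= 2 {
            spec = $2
            if (spec ~ /:/) {                   # "addr:port" (addr may be [v6])
                n = split(spec, p, ":")
                port = p[n]
                addr = substr(spec, 1, length(spec) - length(port) - 1)
            } else {                            # bare "port": all interfaces
                addr = "*"; port = spec
            }
            print addr, port
        }' "$1"
}

# Print each port whose Listen lines cannot all be bound: the same
# address:port twice, or a wildcard bind alongside any other bind on that
# port. Two different specific addresses on one port are legitimate.
listen_conflicts() {
    listen_bindings "$1" | awk '
        {
            addr = $1; port = $2
            seen[addr ":" port]++
            count[port]++
            if (addr == "*") wildcard[port] = 1
            if (seen[addr ":" port] > 1) bad[port] = 1
        }
        END {
            for (port in count)
                if (bad[port] || (wildcard[port] && count[port] > 1))
                    print port
        }' | sort -n
}

# Constructed sample in the shape of the Debian apache 1.3 setup from the
# thread: http pinned to one address, https accidentally bound everywhere.
write_broken_conf() {
    cat > "$1" <<'EOF'
# With any Listen present, Port only sets the self-referential URL (1.3)
Port 80
Listen 203.0.113.10:80
NameVirtualHost 203.0.113.10:80
<IfDefine SSL>
# bare port: binds 0.0.0.0:443 on every interface
Listen 443
</IfDefine>
# intended binding; collides with the line above when started with -DSSL
Listen 203.0.113.10:443
EOF
}

# Corrected version: every Listen names the one address to bind. Dropping
# the :80 line is all it takes for an https-only server.
write_fixed_conf() {
    cat > "$1" <<'EOF'
Listen 203.0.113.10:80
NameVirtualHost 203.0.113.10:80
<IfDefine SSL>
Listen 203.0.113.10:443
</IfDefine>
EOF
}

demo() {
    dir=$(mktemp -d)
    write_broken_conf "$dir/httpd.conf"
    echo "bindings:"; listen_bindings "$dir/httpd.conf"
    echo "conflicting ports: $(listen_conflicts "$dir/httpd.conf" | tr '\n' ' ')"
    write_fixed_conf "$dir/httpd.conf"
    echo "after fix, conflicting ports: $(listen_conflicts "$dir/httpd.conf" | tr '\n' ' ')"
    rm -rf "$dir"
}

demo
```

Point listen_conflicts at the real httpd.conf (and at any files it Includes) before restarting; an empty result means every Listen can be bound, and "httpd -S" then shows which vhosts attach to each address:port.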
RE: Multiple SSL VirtualHosts in apache
Yes, and thanks to Owen for rounding out our, mine and yours, knowledge levels on this. I seem to have forgotten the FQDN is what the browsing public is used to for web traversals. Few fall back to IP's even in times when DNS is borked. I get firewall-1 licensing issues and cert issues confused at times. Hopefully I did not mislead anyone <smile>.

Thanks, Ron DuFresne

On Thu, 20 Feb 2003, Jack L. Stone wrote:

Owens' reply is more in line with what I thought. In applying for my Cert, I provided docs to prove ownership of the www.domain, addresses and some other stuff. When clicking on the website, the Cert requested must match the domain requested -- nothing about IPs has ever been involved. This is why the post about IPs caught my attention and wondered if I was behind the times. I'm applying for a renewal now and again it's all about the www.domain and nothing is entered into the cert about the IP verification. Then, there is the question of a wildcard cert which I understand can be used for several vhosts without setting off alarms on the browser. If there is anyone who would be willing to share with me their httpd.conf setup when using vhosting, I would be forever grateful. Offlist would be fine if need for privacy. Thanks.

It's IP and/or port based. But, do remember, if port based then one is serving only one cert, and the trouble is making sure the cert is constructed in a fashion such that hostnames are not contained within the CN and such. In this case, and others can correct me if I'm wrong here, you would need to generate the cert on the IP rather than FQDN. And I'm not sure openssl allows such a cert, but others might well be better clued than I on this <smile>.

A server cert bound to an IP address wouldn't make much sense (not sure if you can even do it). The thing to remember is that SSL is about two things - encryption and authentication. For encryption to work you just need to send the server's public key to the client - the hostname is not important.
However, for the authentication aspect, it is essential that the common name in the server cert matches the FQDN in the client request. Put it another way, you surf to amazon.com and are about to type in your credit card number but then you look inside the server cert and see that it is registered to shady-character.com. Do you still send your card number? This is why browsers always complain when you use a test or self signed certificate if the CN doesn't match the FQDN. So, while you can have an encrypted session with an untrusted server, in the real world it doesn't make much sense to do so. Encryption is sending your money to the bank in an armoured car, authentication is making sure the armoured car actually goes to the bank.

Rgds, Owen Boyle

Thanks, Ron DuFresne

On Wed, 19 Feb 2003, Jack L. Stone wrote:

Please excuse the top post: Ian or anyone, are you sure that a wildcard setup won't work??? Just getting ready to do a fresh install involving vhosts and this will become an important issue. Thanks!

At 10:02 AM 2.19.2003 -0700, Ian Moon wrote:

I believe that I read somewhere that you must have a different ip address for each ssl virtualhost. Ian Moon

On Wed, 19 Feb 2003, Boyle Owen wrote:

-Original Message- From: Steve Pirk [mailto:[EMAIL PROTECTED]] Sent: Donnerstag, 6. Februar 2003 02:02 To: [EMAIL PROTECTED] Subject: Multiple SSL VirtualHosts in apache

I check the mail archives, but could not find a good answer for this problem I am having. I am building out a dev environment using apache on Solaris. The dev environment needs to run under SSL (to simulate the production environment). I am starting with 4 virtual servers. They all use the same cert file, but are on different ports. The problem I am running into is that only the first VirtualHost works. Requests to subsequent ports result in a mod_ssl:error:HTTP-request error.
Here is the error_log entry:

[Wed Feb 5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)

This looks like you typed http://server:7001/ into the browser. You still need to define https even if you have the port number, i.e. https://server:7001/. Can you confirm that if you do this, you still get an error?

Rgds, Owen Boyle

[Wed Feb 5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]

This is being used in conjunction with an auth package, but the redirect after logging in is https:// Does anyone know of a good way to have multiple SSL virtual servers on one apache instance?

The way you are doing it is fine. You just have a problem...
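Beau's advice in the "problem installing cert on virtual host" thread to confirm that the subject CN matches the server name, and Owen's point above that authentication rests on the name in the certificate matching the FQDN the client asked for, are the same check. The following is an added example, not code from the list or from mod_ssl, that performs it in shell around the openssl CLI: it reads the DNS names out of a PEM certificate and matches a requested host against them, including the single-label wildcard rule that answers Jack's question about one *.example.com certificate covering several vhosts. Two caveats that post-date the thread: current browsers match the name against the subjectAltName extension rather than the CN (Chrome has ignored the CN entirely since 2017, so a CN-only certificate fails there), and Server Name Indication (TLS SNI) is what now lets several SSL vhosts share one IP:port; the "first SSL vhost always answers" behaviour Jeff described is what you still get from a client that sends no SNI. The test certificates, hostnames and directories are constructed for the example.

```shell
#!/bin/sh
# Added example: does a server certificate cover the hostname the client
# asked for? Certificates, names and directories below are constructed.

# Write a self-signed test cert with the given CN and optional SAN list.
# Usage: make_test_cert DIR CN "DNS:a,DNS:b"   (third argument may be "")
make_test_cert() {
    dir=$1; cn=$2; san=$3
    printf '[req]\ndistinguished_name = dn\n[dn]\n[v3]\n' > "$dir/req.cnf"
    if [ -n "$san" ]; then
        echo "subjectAltName = $san" >> "$dir/req.cnf"
        ext="-extensions v3"
    else
        ext=""
    fi
    # $ext is intentionally unquoted so it expands to two words or none
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn" \
        -config "$dir/req.cnf" $ext \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Print the subject CN of a PEM certificate (what Beau asked to inspect).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Print the DNS entries of subjectAltName, one per line; empty if none.
cert_dns_sans() {
    openssl x509 -noout -text -in "$1" |
        awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' |
        tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p'
}

# Case-insensitive name match: exact, or a single leading "*" label that
# covers exactly one label ("*.example.com" matches "www.example.com" but
# not "example.com" or "a.b.example.com"). Public-suffix rules are not
# applied, so "*.com" would match here although a CA would never issue it.
name_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        '*.'*)
            suffix=${pattern#\*}                 # ".example.com"
            prefix=${host%"$suffix"}             # "www" when host ends in suffix
            if [ "$prefix" != "$host" ] && [ -n "$prefix" ] &&
               [ "${prefix#*.}" = "$prefix" ]; then
                return 0
            fi
            return 1
            ;;
        *)
            [ "$pattern" = "$host" ]
            ;;
    esac
}

# Return 0 if HOST is covered by the certificate. SAN names are used when
# present; the CN is consulted only for a certificate with no SAN, which is
# the 2003-era behaviour and no longer what Chrome does.
cert_matches_host() {
    crt=$1; host=$2
    names=$(cert_dns_sans "$crt")
    [ -n "$names" ] || names=$(cert_cn "$crt")
    matched=1
    set -f                                       # keep "*.example.com" from globbing
    for n in $names; do
        if name_matches "$n" "$host"; then matched=0; break; fi
    done
    set +f
    return $matched
}

demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir" www.example.com "DNS:www.example.com,DNS:example.com"
    echo "CN:  $(cert_cn "$dir/cert.pem")"
    echo "SAN: $(cert_dns_sans "$dir/cert.pem" | tr '\n' ' ')"
    for h in www.example.com example.com shop.example.com; do
        if cert_matches_host "$dir/cert.pem" "$h"; then echo "$h: covered"
        else echo "$h: NOT covered (browser will warn)"; fi
    done
    rm -rf "$dir"
}

demo
```

To check a live server rather than a file, feed it the certificate that "openssl s_client -connect host:443 -servername host" prints; the -servername option is what sends SNI, and omitting it shows you which vhost a non-SNI client is handed.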
Re: Multiple SSL VirtualHosts in apache
The error you posted from logs implies the request the server is getting is http rather than https; perhaps your redirect or rewrite is not functioning properly?

Thanks, Ron DuFresne

On Wed, 5 Feb 2003, Steve Pirk wrote:

I check the mail archives, but could not find a good answer for this problem I am having. I am building out a dev environment using apache on Solaris. The dev environment needs to run under SSL (to simulate the production environment). I am starting with 4 virtual servers. They all use the same cert file, but are on different ports. The problem I am running into is that only the first VirtualHost works. Requests to subsequent ports result in a mod_ssl:error:HTTP-request error. Here is the error_log entry:

[Wed Feb 5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[Wed Feb 5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?]

This is being used in conjunction with an auth package, but the redirect after logging in is https:// Does anyone know of a good way to have multiple SSL virtual servers on one apache instance? Here is a sample of httpd.conf. In this case, port 7000 works, but 7001 and 7002 get the mod_ssl error.
<VirtualHost 172.16.202.25:7000>
DocumentRoot /some/doc/root
SSLEngine on
SSLCertificateFile /usr/local/apache/certs/my_cert.crt
SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>

<VirtualHost 172.16.202.25:7001>
DocumentRoot /some/doc/root
SSLEngine on
SSLCertificateFile /usr/local/apache/certs/my_cert.crt
SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>

<VirtualHost 172.16.202.25:7002>
DocumentRoot /some/doc/root
SSLEngine on
SSLCertificateFile /usr/local/apache/certs/my_cert.crt
SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>

-- Steve (egrep)
RE: Multiple SSL VirtualHosts in apache
It's IP and/or port based. But, do remember, if port based then one is serving only one cert, and the trouble is making sure the cert is constructed in a fashion such that hostnames are not contained within the CN and such. In this case, and others can correct me if I'm wrong here, you would need to generate the cert on the IP rather than FQDN. And I'm not sure openssl allows such a cert, but others might well be better clued than I on this <smile>.

Thanks, Ron DuFresne

On Wed, 19 Feb 2003, Jack L. Stone wrote:

Please excuse the top post: Ian or anyone, are you sure that a wildcard setup won't work??? Just getting ready to do a fresh install involving vhosts and this will become an important issue. Thanks!

At 10:02 AM 2.19.2003 -0700, Ian Moon wrote:

I believe that I read somewhere that you must have a different ip address for each ssl virtualhost. Ian Moon

On Wed, 19 Feb 2003, Boyle Owen wrote:

-Original Message- From: Steve Pirk [mailto:[EMAIL PROTECTED]] Sent: Donnerstag, 6. Februar 2003 02:02 To: [EMAIL PROTECTED] Subject: Multiple SSL VirtualHosts in apache

I check the mail archives, but could not find a good answer for this problem I am having. I am building out a dev environment using apache on Solaris. The dev environment needs to run under SSL (to simulate the production environment). I am starting with 4 virtual servers. They all use the same cert file, but are on different ports. The problem I am running into is that only the first VirtualHost works. Requests to subsequent ports result in a mod_ssl:error:HTTP-request error. Here is the error_log entry:

[Wed Feb 5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)

This looks like you typed http://server:7001/ into the browser. You still need to define https even if you have the port number, i.e. https://server:7001/. Can you confirm that if you do this, you still get an error?
Rgds, Owen Boyle [Wed Feb 5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS port!?] This is being used in conjunction with an auth package, but the redirect after logging in is https:// Does anyone knnow of a good way to have multiple SSL virtual servers on one apache instance? The way you are doing it is fine. You just have a probelm... Here is a sample of httpd.conf. In this case, port 7000 works, but 7001 and 7002 get the mod_ssl error. VirtualHost 172.16.202.25:7000 DocumentRoot/some/doc/root SSLEngine on SSLCertificateFile/usr/local/apache/certs/my_cert.crt SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key /VirtualHost VirtualHost 172.16.202.25:7001 DocumentRoot/some/doc/root SSLEngine on SSLCertificateFile/usr/local/apache/certs/my_cert.crt SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key /VirtualHost VirtualHost 172.16.202.25:7002 DocumentRoot/some/doc/root SSLEngine on SSLCertificateFile/usr/local/apache/certs/my_cert.crt SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key /VirtualHost -- Steve (egrep) __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks. 
Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company. __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org
RE: Problems compiling mod_ssl with apache 2.0.44
Are you sure you wish to degrade the security of your apache server with frontpage extensions? Frontpage and coldfusion have a nasty security history.

Thanks,

Ron DuFresne

On Fri, 7 Feb 2003, Boulytchev, Vasiliy wrote:

> This is off the modssl track, but has anyone gotten frontpage extensions working for httpd-2.0.44? 2.0.40 is the supported version, and the install quits if that is not it. Just checking
>
> -----Original Message-----
> From: Sasa STUPAR [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 07, 2003 2:39 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Problems compiling mod_ssl with apache 2.0.44
>
> I have just successfully compiled apache 2.0.44 with mod_ssl and openssl 0.9.7 on RH8. First I have compiled openssl, then apache, and everything works fine. One trick: after make install in openssl it doesn't copy headers, so you have to manually copy them to your install directory.
>
> On 2/7/2003 10:25 AM, Erik Melkersson wrote:
>
> > Hi!
> >
> > Thanks for the reply.
> >
> > Geoff Thorpe wrote:
> >
> > > ... The kind of linker error you report usually suggests the code was compiled against one openssl version's headers, but is trying to link against a different openssl version's libraries
> >
> > Yes, I tried to compile it against a different openssl version and didn't make clean in between (dumb fault by me)
> >
> > After cleaning and compiling again we get some other errors: undefined reference to OPENSSL_free, RAND_egd and RAND_status (see below for complete data)
> >
> > In order to make apache compile we
> > - changed OPENSSL_free to CRYPTO_free in a #define in the modules/ssl/ headers file. (As that is done in openssl anyway)
> > - commented out the 3+3 lines where RAND_egd and RAND_status are used in modules/ssl/ssl_engine_rand.c
> >
> > Now we can compile and use it over ssl, even though commenting out non-working code is probably a bad thing to do.
> >
> > ./configure --prefix=/service/apache2 --exec-prefix=/service/apache2/arch/linux-intel --enable-ssl --with-openssl=/service/apache2/openssl/
> > ...lots of rows...
> > make
> > ...lots of rows...
> > /bin/sh /usr/local/service/apache2/src/httpd-2.0.44/srclib/apr/libtool --mode=link gcc -g -O2 -pthread -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -DAP_HAVE_DESIGNATED_INITIALIZER -I/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr/include -I/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/include -I/service/apache2/openssl/include -I/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/xml/expat/lib -I. -I/usr/local/service/apache2/src/httpd-2.0.44/os/unix -I/usr/local/service/apache2/src/httpd-2.0.44/server/mpm/prefork -I/usr/local/service/apache2/src/httpd-2.0.44/modules/http -I/usr/local/service/apache2/src/httpd-2.0.44/modules/filters -I/usr/local/service/apache2/src/httpd-2.0.44/modules/proxy -I/usr/local/service/apache2/src/httpd-2.0.44/include -I/usr/local/ssl/include/openssl -I/usr/local/ssl/include -I/usr/local/service/apache2/src/httpd-2.0.44/modules/dav/main -export-dynamic -L/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/xml/expat/lib -L/usr/local/ssl/lib -o httpd modules.lo modules/aaa/mod_access.la modules/aaa/mod_auth.la modules/filters/mod_include.la modules/loggers/mod_log_config.la modules/metadata/mod_env.la modules/metadata/mod_setenvif.la modules/ssl/mod_ssl.la modules/http/mod_http.la modules/http/mod_mime.la modules/generators/mod_status.la modules/generators/mod_autoindex.la modules/generators/mod_asis.la modules/generators/mod_cgi.la modules/mappers/mod_negotiation.la modules/mappers/mod_dir.la modules/mappers/mod_imap.la modules/mappers/mod_actions.la modules/mappers/mod_userdir.la modules/mappers/mod_alias.la modules/mappers/mod_so.la server/mpm/prefork/libprefork.la server/libmain.la os/unix/libos.la -lssl -lcrypto /usr/local/service/apache2/src/httpd-2.0.44/srclib/pcre/libpcre.la /usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/libaprutil-0.la -lgdbm -ldb /usr/local/service/apache2/src/httpd-2.0.44/srclib/apr-util/xml/expat/lib/libexpat.la /usr/local/service/apache2/src/httpd-2.0.44/srclib/apr/libapr-0.la -lm -lcrypt -lnsl -lresolv -ldl
> > modules/ssl/.libs/mod_ssl.al(ssl_engine_kernel.lo): In function `ssl_hook_UserCheck':
> > /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_kernel.c:875: undefined reference to `OPENSSL_free'
> > modules/ssl/.libs/mod_ssl.al(ssl_engine_kernel.lo): In function `ssl_callback_SSLVerify':
> > /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_kernel.c:1206: undefined reference to `OPENSSL_free'
> > /usr/local/service/apache2/src/httpd-2.0.44/modules/ssl/ssl_engine_kernel.c:1210: undefined reference to `OPENSSL_free'
> > modules/ssl/.libs/mod_ssl.al(ssl_engine_kernel.lo): In function `ssl_callback_SSLVerify_CRL':
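Geoff's diagnosis (headers from one OpenSSL, libraries from another) can be read straight off the link line Erik posted: configure was given --with-openssl=/service/apache2/openssl, and -I/service/apache2/openssl/include is on the command, yet -I/usr/local/ssl/include and -L/usr/local/ssl/lib are on the same command, so the headers come from one tree and the libraries from a second one. The following is an added example, not code from the list or from the Apache build system: it pulls the -I and -L directories out of a link line, maps the OpenSSL-looking ones back to their install prefix, and flags the case where the first OpenSSL header tree is not the tree the libraries are linked from. The abbreviated command (cut down from the thread's full line), the heuristic ("ssl" in the path plus a few known suffixes) and the function names are this example's own.

```python
"""Spot a build that compiles against one OpenSSL tree and links another.

Added example for the thread above; not code from the list or from Apache.
The prefix heuristic (a path containing 'ssl' ending in one of a few known
suffixes) and the function names are this example's own assumptions."""
import shlex

# Abbreviated from the libtool link line posted in the thread: two OpenSSL
# trees appear, /service/apache2/openssl (headers only) and /usr/local/ssl
# (headers and libraries).  The omitted flags do not name an OpenSSL tree.
POSTED_LINK_LINE = (
    "gcc -g -O2 -pthread -DLINUX=2 "
    "-I/usr/local/service/apache2/src/httpd-2.0.44/srclib/apr/include "
    "-I/service/apache2/openssl/include "
    "-I/usr/local/service/apache2/src/httpd-2.0.44/include "
    "-I/usr/local/ssl/include/openssl -I/usr/local/ssl/include "
    "-L/usr/local/ssl/lib -o httpd modules.lo modules/ssl/mod_ssl.la "
    "-lssl -lcrypto -lm -lcrypt -lnsl -lresolv -ldl"
)

# Constructed counterpart where headers and libraries come from one tree.
CONSISTENT_LINK_LINE = (
    "gcc -O2 -I/service/apache2/openssl/include "
    "-L/service/apache2/openssl/lib -o httpd modules.lo -lssl -lcrypto"
)

# Checked longest-first so '.../include/openssl' is not cut at '/include'.
OPENSSL_SUFFIXES = ("/include/openssl", "/include", "/lib")


def search_dirs(link_line):
    """Return (include_dirs, lib_dirs) in the order the toolchain sees them."""
    includes, libs = [], []
    for tok in shlex.split(link_line):
        if tok.startswith("-I") and len(tok) > 2:
            includes.append(tok[2:])
        elif tok.startswith("-L") and len(tok) > 2:
            libs.append(tok[2:])
    return includes, libs


def openssl_prefix(path):
    """Map '/usr/local/ssl/include/openssl' to '/usr/local/ssl'; None when the
    directory does not look like part of an OpenSSL install tree (heuristic)."""
    if "ssl" not in path.lower():
        return None
    for suffix in OPENSSL_SUFFIXES:
        if path.endswith(suffix):
            return path[: -len(suffix)]
    return path


def diagnose(link_line):
    """Report which tree supplies the OpenSSL headers and which the libraries.

    The preprocessor takes the first -I directory containing openssl/ssl.h, so
    the first OpenSSL prefix wins for headers (assumes each listed tree really
    holds the headers).  A mismatch means the symbols declared in the headers
    may not exist in the library actually linked: exactly the undefined
    OPENSSL_free / RAND_egd references in the thread, and at run time a server
    that is quietly built against an OpenSSL you did not intend to patch."""
    includes, libs = search_dirs(link_line)
    header_prefixes = [p for p in map(openssl_prefix, includes) if p]
    lib_prefixes = [p for p in map(openssl_prefix, libs) if p]
    headers_from = header_prefixes[0] if header_prefixes else None
    libs_from = sorted(set(lib_prefixes))
    return {
        "headers_from": headers_from,
        "other_header_trees": sorted(set(header_prefixes) - {headers_from}),
        "libs_from": libs_from,
        "mismatch": headers_from is not None and headers_from not in libs_from,
    }


if __name__ == "__main__":
    for name, line in (("posted", POSTED_LINK_LINE),
                       ("consistent", CONSISTENT_LINK_LINE)):
        print(name, diagnose(line))
```

Run against the posted line it reports headers from /service/apache2/openssl, a second header tree at /usr/local/ssl, libraries only from /usr/local/ssl, and a mismatch; the constructed consistent line reports none. A link line with no -L for OpenSSL at all is also flagged, since the linker then falls back to the system library path, which is a different tree again.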
Re: newbie request for assistance
If I recall, apache on sun boxen requires some additional work to get the /dev/urandom PRNG to work correctly. This is a common question, and is otherwise covered in the archives, or might well be in the FAQ. If this is incorrect, or not the issue at hand, others will step in to spank me into clued space <smile>.

Thanks,

Ron DuFresne

On Mon, 3 Feb 2003, Kurt A. Buckardt wrote:

> I am trying to bring up Apache 2.0.44 with mod_ssl module on Solaris 8, and can't get an https connection to the box. Http works just fine. Any suggestions on how to proceed would be greatly appreciated.
>
> I've downloaded and installed OpenSSL 0.9.6g (sunfreeware.com)
>
> I've created a certificate and key:
> /usr/local/apache2/conf/ssl.crt/server.crt
> /usr/local/apache2/conf/ssl.key/server.key
>
> I've downloaded, compiled, made Apache with --enable-ssl
>
> Here's Apache's ssl.conf file, which is called from Apache's httpd.conf file:
>
> <IfDefine SSL>
> Listen 443
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
> SSLPassPhraseDialog builtin
> SSLSessionCache dbm:logs/ssl_scache
> SSLSessionCacheTimeout 300
> SSLMutex file:logs/ssl_mutex
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> SSLRandomSeed startup file:/dev/urandom 512
>
> <VirtualHost _default_:443>
> DocumentRoot "/usr/local/apache2/htdocs"
> ServerName new.host.name:443
> ServerAdmin [EMAIL PROTECTED]
> ErrorLog logs/error_log
> TransferLog logs/access_log
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
> SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>     SSLOptions +StdEnvVars
> </Files>
> <Directory "/usr/local/apache2/cgi-bin">
>     SSLOptions +StdEnvVars
> </Directory>
> SetEnvIf User-Agent ".*MSIE.*" \
>          nokeepalive ssl-unclean-shutdown \
>          downgrade-1.0 force-response-1.0
> CustomLog logs/ssl_request_log \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> </VirtualHost>
> </IfDefine>

--
~~
admin senior security consultant: sysinfo.com http://sysinfo.com

Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart

testing, only testing, and damn good at it too!
Re: modssl versus other ssl servers
Any answer you get will probably be a best guess. The closest stat on modssl use might relate somewhat to the number of list members here, though even that number will not be fully definitive, as some folks use more than one product, some only read the list and don't really have modssl up and running, etc...

Thanks,

Ron DuFresne

On Fri, 31 Jan 2003, Chris Davis wrote:

> Hi,
>
> Does anyone know how many modssl installations there are versus other SSL servers? I'd like to know what percentage of SSL sites use modssl.
>
> Thanks,
> Chris
RE: Verifying enabled ciphers?
On Fri, 24 Jan 2003 [EMAIL PROTECTED] wrote:

> [SNIP]
>
> A cynic may well claim that pictures of the Earth from space are faked. After all, that claim has been levelled against the Bible for years (and every year, more and more evidence is uncovered to support its authenticity. e.g. http://news.bbc.co.uk/1/hi/world/middle_east/2655781.stm, although their statement about it being the first piece of physical evidence needs taking with a large pinch of salt)

Are you saying the bible isn't spherical??!! <gryn>

Thanks,

Ron DuFresne
Re: mod_ssl Project Environment Migrated
On Sun, 15 Dec 2002, Ralf S. Engelschall wrote:

> On Sun, Dec 15, 2002, Mads Toftum wrote:
>
> > On Sun, Dec 15, 2002 at 09:41:11AM +0100, Ralf S. Engelschall wrote:
> >
> > > Just for your information: the Apache mod_ssl project environment was migrated to a new location. In case of any problems, contact me.
> >
> > It seems that cvs is broken - http://www.modssl.org/source/cvs/ and the docs taken from the source - like http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL both result in "Internal Server Error".
>
> Oops, yes, of course. Because there is no more active development on mod_ssl for Apache 1.3, the CVS environment is no longer provided publicly (because there would be no interesting things to monitor at all) and hence the new public project environment has no CVS setup. So, CVS related things are now gone from the website. Just my fault in forgetting to synchronize the website. Now fixed. Thanks for the hint.

Ralf, does this imply there is to be no more apache 1.3 development or version updates, thus modssl is now moving entirely into the source for apache 2.0?

Thanks,

Ron DuFresne
Re: hardwiring the semaphores directory, revisited
Error messages in software have always sucked; programmers seem to never really think of end users when designating them in their coding, when they are designated and not left to the OS to obfuscate. FAQs and documentation should include as much error code info as possible to help guide these matters as end users encounter them.

Thanks,

Ron DuFresne

On Wed, 11 Dec 2002, Hernan Laffitte wrote:

> After looking at the source code, I realized that the problem I described in my previous post is related to the FAQ entry titled:
>
>     "Apache creates files in a directory declared by the internal EAPI_MM_CORE_PATH define. ..."
>
> The FAQ entry doesn't mention semaphores or the error message a badly-defined EAPI_MM_CORE_PATH can cause, so I missed it on my initial troubleshooting of this problem.
>
> I think it would be useful to add a couple of sentences to this entry, something like:
>
>     "If you don't have permissions to write to the directory pointed to by EAPI_MM_CORE_PATH, httpd may fail on startup with an error message similar to this:
>
>     Ouch! ap_mm_create(1048576, "/opt/apache/logs/httpd.mm.25669") failed
>     Error: MM: mm:core: failed to open semaphore file (Permission denied): OS: No such file or directory"
>
> This could help people doing a textual search for the error message.
>
> Does this make sense?
>
> Thanks,
> Hernan
Re: Server Load problems under heavy SSL traffic
Cool, another NC person on this list, howdy from Chapel Hill. We remain powerless, day 9 and counting, and hope to have it restored today or tomorrow since Duke finally made it to our little nook out here in the boonies. A backup generator has allowed this server to remain active.

If server load with encryption is getting to be a mess, and I'm not sure what cards AIX might support, you might wish to look into off-loading the SSL stuff to a dedicated encryption card and move to the open-ssl-engine code to facilitate that. Others on the list might be able to better direct you to hardware that will function on an AIX system.

Thanks,

Ron DuFresne

On Thu, 12 Dec 2002, Dale Weaver wrote:

> We are experiencing problems under heavy traffic to our SSL site. I have read the FAQ on performance and have decided to switch to shmcb caching, but I don't know if that will help the problem. With about 300 concurrent users the server loads skyrocket and the server no longer spawns child processes for CGI scripts. I have the Apache 1.3.27 server set up for 4096 concurrent connections and have made all the suggested performance tuning measures suggested on the Apache site. This problem does not occur on the non-ssl site, which has significantly more traffic. Can anyone offer any insight into this problem?
>
> Here are my specs:
>
> AIX 4.3.3
> Dual Processor F40 w/ 1GB RAM 2GB SWAP
> Apache with mod_ssl (compiled in) 1.3.27-2.8.11
> Openssl 0.9.6g
>
> from http.conf:
>
> <VirtualHost hostname:443>
> DocumentRoot /usr/local/apache/ssldocs
> ServerName hostname
> ServerAdmin me
> ErrorLog /usr/local/apache/logs/error_log
> TransferLog /usr/local/apache/logs/access_log
> ScriptAlias /cgi-bin/ /usr/local/apache/sslcgi/
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /usr/local/apache/conf/ssl.crt/public.crt
> SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/private.key
> SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/intermediate.crt
> SSLVerifyClient none
> SSLVerifyDepth 10
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>     SSLOptions +StdEnvVars
> </Files>
> <Directory "/usr/local/apache/cgi-bin">
>     SSLOptions +StdEnvVars
> </Directory>
> SetEnvIf User-Agent ".*MSIE.*" \
>          nokeepalive ssl-unclean-shutdown \
>          downgrade-1.0 force-response-1.0
> CustomLog /usr/local/apache/logs/ssl_request_log \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> </VirtualHost>
>
> Any help is appreciated.
>
> - Dale Weaver
> [EMAIL PROTECTED]
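Both configs quoted in this and the Solaris thread above carry the same SSLCipherSuite line, the one mod_ssl's sample config shipped at the time: it starts from ALL and then uses "+" on LOW, SSLv2, EXP and eNULL. In OpenSSL cipher-list syntax "+" only moves matching ciphers to the end of the list; it neither adds nor removes them, so the export, LOW, RC4 and SSLv2 suites that ALL selected stay enabled, and only ADH and EXPORT56 are actually removed by "!". The following is an added example, not code from the list or from mod_ssl: a small auditor that walks the cipher-list operators (ALL, "!", "-", "+", and "A+B" intersections) over a simplified table of weak cipher classes and reports which classes a string still enables and which it never explicitly excludes. The class table, the hardened comparison string and the function names are this example's own; the class table is deliberately coarse (it does not model individual suites or the DEFAULT keyword).

```python
"""Audit an Apache SSLCipherSuite string for weak cipher classes.

Added example, not code from the list or from mod_ssl.  The weak-class
table and the hardened comparison string are this example's own; the
operator rules follow OpenSSL cipher-list syntax (ALL, !X, -X, +X, A+B)
at the granularity of cipher classes rather than individual suites."""

# The string posted in both threads above (mod_ssl's sample config of the era).
POSTED_CIPHER_STRING = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
# Constructed comparison string that removes every weak class with '!'.
HARDENED_CIPHER_STRING = "HIGH:!aNULL:!eNULL:!EXP:!LOW:!SSLv2:!RC4:!MD5"

# Canonical weak classes and the reason an auditor would cite for each.
WEAK_CLASSES = {
    "eNULL":    "no encryption: application data is sent in the clear",
    "aNULL":    "no authentication: anonymous DH is trivially intercepted",
    "EXPORT40": "40-bit export-grade keys",
    "EXPORT56": "56-bit export-grade keys",
    "LOW":      "low-strength (56/64-bit) ciphers",
    "SSLv2":    "SSL 2.0 cipher suites",
    "RC4":      "RC4 stream cipher (biased keystream)",
    "MD5":      "MD5 as the record MAC",
}

# Cipher-list keywords (with their aliases) mapped to the classes they select.
KEYWORD_CLASSES = {
    "eNULL": {"eNULL"}, "NULL": {"eNULL"},
    "aNULL": {"aNULL"}, "ADH": {"aNULL"},
    "EXP": {"EXPORT40", "EXPORT56"}, "EXPORT": {"EXPORT40", "EXPORT56"},
    "EXPORT40": {"EXPORT40"}, "EXPORT56": {"EXPORT56"},
    "LOW": {"LOW"}, "SSLv2": {"SSLv2"}, "RC4": {"RC4"}, "MD5": {"MD5"},
}

# ALL selects every suite except the eNULL ones; COMPLEMENTOFALL is eNULL.
ALL_CLASSES = set(WEAK_CLASSES) - {"eNULL"}


def tokenize(cipher_string):
    """'ALL:!ADH:RC4+RSA:+LOW' -> [('', ['ALL']), ('!', ['ADH']),
    ('', ['RC4', 'RSA']), ('+', ['LOW'])].  'A+B' keeps only suites matching
    every keyword, so the keywords of one token are returned together."""
    tokens = []
    for raw in cipher_string.split(":"):
        raw = raw.strip()
        if not raw:
            continue
        op = raw[0] if raw[0] in "!-+" else ""
        tokens.append((op, raw[len(op):].split("+")))
    return tokens


def audit_cipher_string(cipher_string):
    """Return the weak classes the string leaves enabled, the ones it never
    explicitly kills with '!' (unguarded), and a reason per enabled class."""
    enabled, blocked = set(), set()
    for op, keywords in tokenize(cipher_string):
        if op == "+":
            continue                      # '+' only reorders already-selected suites
        if op in ("!", "-"):
            if len(keywords) != 1:
                continue                  # '!A+B' is rare; stay conservative
            classes = KEYWORD_CLASSES.get(keywords[0], set())
            enabled -= classes
            if op == "!":
                blocked |= classes        # '!' can never be undone later on
            continue
        if keywords == ["ALL"]:
            classes = set(ALL_CLASSES)
        elif keywords == ["COMPLEMENTOFALL"]:
            classes = {"eNULL"}
        else:                             # bare keyword(s): an intersection still
            classes = set()               # brings in suites of each weak class
            for kw in keywords:
                classes |= KEYWORD_CLASSES.get(kw, set())
        enabled |= classes - blocked
    unguarded = set(WEAK_CLASSES) - enabled - blocked
    return {
        "enabled": sorted(enabled),
        "unguarded": sorted(unguarded),
        "reasons": {c: WEAK_CLASSES[c] for c in sorted(enabled)},
    }


if __name__ == "__main__":
    for label, s in (("posted", POSTED_CIPHER_STRING),
                     ("hardened", HARDENED_CIPHER_STRING)):
        print(label, audit_cipher_string(s))
```

For the posted string the auditor reports EXPORT40, LOW, MD5, RC4 and SSLv2 as still enabled, and eNULL as unguarded: "+eNULL" after ALL is a no-op, because ALL never selected the eNULL suites, but nothing in the string says "!eNULL" either, so a later edit that prepends COMPLEMENTOFALL or a bare eNULL would silently enable cleartext suites. The hardened string reports nothing enabled and nothing unguarded. The real check on a live server is still "openssl ciphers -v '<string>'", which expands the string against the OpenSSL actually linked in; this script only predicts the classes from the syntax.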
Re: Mod SSL version's compatibility with Apache
Not really, each modssl version is built to function with the newer apache version. Also, openssl, which I assume you are using, has issues and you will want to make sure you are running at least OpenSSL 0.9.6g.

Thanks,

Ron DuFresne

On Thu, 12 Dec 2002, Vira, Hiten wrote:

> Hi,
>
> We are currently using Apache 1.3.19 with ModSSL version 2.8.1 on Windows NT. Because of some security alerts the recommended ModSSL version is 2.8.10 or higher. My question is, can we upgrade to ModSSL version 2.8.10 without upgrading Apache? I am asking this because on ModSSL I saw a definite linking of one ModSSL version to a corresponding Apache version.
>
> TIA,
> Hiten
Re: Mod_ssl in apache 2.X
Didn't read any of the documentation in that tarball, did ya?

INSTALL

[SNIP]

  For a short impression of what possibilities you have, here is a typical example which configures Apache for the installation tree /sw/pkg/apache with a particular compiler and flags plus the two additional modules mod_rewrite and mod_speling for later loading through the DSO mechanism:

     $ CC="pgcc" CFLAGS="-O2" \
       ./configure --prefix=/sw/pkg/apache \
                   --enable-rewrite=shared \
                   --enable-speling=shared

  The easiest way to find all of the configuration flags for Apache 2.0 is to run ./configure --help.

[SNIP]

The new apache is not the best as far as documentation is concerned, certainly not up to the documentation of the older apache with or without mod-ssl integration, but there is info to be gleaned, if one looks. How about the apache web pages, read those at all? Now you have to do some work on your own; you can't expect others to do it all for you and remain lazy.

Thanks,

Ron DuFresne

On Wed, 4 Dec 2002, Johan Bryssling wrote:

> Hi!
>
> I have a couple of questions:
>
> If mod_ssl is included in apache2.x, why doesn't it show up in the module list when I use:
>
>     % httpd -l
>
> ?
>
> If it's not included when I default compile (using the INSTALL-file instructions), how do I know how to compile the mod_ssl into the apache (if this is my first time)? Where do I find information about these things? I certainly don't install apache on a regular basis.. ;-)
>
> I noted a default config file for SSL (I also found an include into the httpd.config-file) and used the command:
>
>     % httpd -DSSL -k start
>
> .. but it (apache) couldn't find the mod_ssl.. Why? If it's included I shouldn't bother, or?... Something I missed?
>
> All help will be appreciated. Thanks...
>
> /Johan
>
> ps. Thinking of using Apache 1.3.7 instead due to the extended source of good documentation...
Re: (Hopefully) easy SSL question
Under the <IfDefine SSL> directive, list each port to listen on with the:

    Listen domain.com:80
    Listen domain.com:443
    ...
</IfDefine>

See if that corrects matters for you.

Thanks,

Ron DuFresne

On Tue, 3 Dec 2002, Justin Williams wrote:

> I have openssl and mod_ssl on a server running Apache. On independent IPs, I have three websites. One is listening *only* on port 443, and works just fine. The other two need to listen on both 80 and 443, but I have only been able to get them to listen on one port at a time. If I add the directive "SSLEngine on", then port 80 stops listening (more accurately, it complains that I didn't type in https:). If I remove that directive, then port 443 stops listening. Page cannot be found. Is there some other directive I need to use?
>
> Thanks!!
> Justin
Re: (Hopefully) easy SSL question
<shrug> I have that statement coming after the <IfDefine SSL> directive (meaning it's defined within that <IfDefine SSL> ... </IfDefine>). Of course, and I don't state my conf file is the cleanest or meanest, I have 3 such openings and closings like this:

    <IfDefine SSL>
    </IfDefine>

    <IfDefine SSL>
    </IfDefine>

    <IfDefine SSL>
    </IfDefine>

This happens to be the first such set of <IfDefine SSL> directives:

    <IfDefine SSL>
    Listen domain.com:80
    Listen domain.com:443
    ...
    </IfDefine>

Damn, now I have to go cleanup things one of these days <smile>.

Thanks,

Ron DuFresne

On Tue, 3 Dec 2002, Justin Williams wrote:

> Is this directive the same thing as if mod_ssl.c?
>
> Thanks!
>
> ----- Original Message -----
> From: "R. DuFresne" <[EMAIL PROTECTED]>
> To: "Justin Williams" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, December 03, 2002 2:19 PM
> Subject: Re: (Hopefully) easy SSL question
>
> > Under the <IfDefine SSL> directive, list each port to listen on with the:
> >
> >     Listen domain.com:80
> >     Listen domain.com:443
> >     ...
> > </IfDefine>
> >
> > See if that corrects matters for you.
> >
> > Thanks,
> >
> > Ron DuFresne
> >
> > On Tue, 3 Dec 2002, Justin Williams wrote:
> >
> > > I have openssl and mod_ssl on a server running Apache. On independent IPs, I have three websites. One is listening *only* on port 443, and works just fine. The other two need to listen on both 80 and 443, but I have only been able to get them to listen on one port at a time. If I add the directive "SSLEngine on", then port 80 stops listening (more accurately, it complains that I didn't type in https:). If I remove that directive, then port 443 stops listening. Page cannot be found. Is there some other directive I need to use?
> > >
> > > Thanks!!
> > > Justin
Re: how to add multiple SSL cert for each virtual host?
Perhaps including it in the default httpd.conf file under the VirtualHost directives as commentary might help?

    # General setup for the virtual host
    # ...name based VHing does not work, you need to...to get this to
    # ...work...if you ask this in the modssl-users list, you might
    # well be berated for failing to read documentation...

Perhaps putting the information in the README as well as in the INSTALL docs, thus putting it in as many places as possible, might help?

Thanks,

Ron DuFresne

P.S. this is of course not limiting adding it to the list footer <grin>:

    ______________________________________________________________________
    Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
    User Support Mailing List                          [EMAIL PROTECTED]
    Automated List Manager                             [EMAIL PROTECTED]
    ...name based VHing does not work, you need to...to get this to
    ...work...if you ask this in the modssl-users list, you might
    well be berated for failing to read documentation...

On Tue, 3 Dec 2002, Cliff Woolley wrote:

> [SNIP]
>
> But please, people, this is SUCH a frequently asked question. Definitely one of the top three. I wonder if we can't find a better way to document this? Anyone have any ideas? I'd say un-hiding it from the FAQ page would be a good start... it's a prominent question, give the answer a more prominent location.
>
> --Cliff
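The three threads above (Steve's per-port SSL vhosts where only the first port answered, Justin's vhosts that would listen on 80 or 443 but not both, and the name-based-SSL question Cliff calls one of the top three) are all config-shape mistakes that can be caught before httpd is started. The following is an added example, not code from the list, from mod_ssl or from Apache: a small parser for the httpd.conf subset these threads use (Listen, <VirtualHost>, SSLEngine, ServerName, and <IfDefine> honoured against the -D symbols you would start httpd with) plus an audit that flags an SSL vhost whose address:port has no Listen, an SSLEngine-on vhost that also covers port 80, a port-443 vhost with SSLEngine left off, and two SSL vhosts sharing one address:port. SAMPLE_CONF, its hostnames and addresses, and the function names are constructed for this example; it goes beyond the posted configs by exercising every case at once.

```python
"""Audit an Apache 1.3/2.0-style config for the SSL virtual-host mistakes
discussed in the threads above.  Added example; not code from the list,
mod_ssl or Apache.  SAMPLE_CONF, its hosts and addresses, and the function
names are constructed for this example."""
import re

OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")

# Constructed config that reproduces each mistake once.
SAMPLE_CONF = """
Listen 80
<IfDefine SSL>
Listen 443
Listen 172.16.202.25:7000
</IfDefine>
# Per-port SSL vhosts as in Steve's setup; port 7001 was never given a Listen.
<VirtualHost 172.16.202.25:7000>
  ServerName dev1.example.test
  SSLEngine on
</VirtualHost>
<VirtualHost 172.16.202.25:7001>
  ServerName dev2.example.test
  SSLEngine on
</VirtualHost>
# One vhost for both ports: SSLEngine on then also applies to port 80.
<VirtualHost 10.0.0.2:80 10.0.0.2:443>
  ServerName both.example.test
  SSLEngine on
</VirtualHost>
# Port 443 with SSLEngine left off: the server speaks plain HTTP to a TLS client.
<VirtualHost 10.0.0.4:443>
  ServerName plain.example.test
</VirtualHost>
# Two SSL vhosts on one address:port: only the first certificate is ever served
# by an Apache that has no SNI support.
<VirtualHost 10.0.0.3:443>
  ServerName a.example.test
  SSLEngine on
</VirtualHost>
<VirtualHost 10.0.0.3:443>
  ServerName b.example.test
  SSLEngine on
</VirtualHost>
"""


def parse_socket(spec):
    """'172.16.202.25:7000' -> ('172.16.202.25', 7000); '443' -> ('*', 443)."""
    addr, _, port = spec.rpartition(":")
    return (addr or "*", int(port))


def parse_config(text, defines=frozenset()):
    """Return (listens, vhosts); <IfDefine X> sections are kept or skipped
    according to `defines`, the way 'httpd -DX' would."""
    listens, vhosts, current, skip = [], [], None, 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        o = OPEN_RE.match(line)
        if o:
            tag, args = o.group(1).lower(), o.group(2).strip()
            if skip:
                skip += 1                       # nested section inside a skipped one
            elif tag == "ifdefine":
                if (args.lstrip("!") in defines) == args.startswith("!"):
                    skip = 1                    # condition false: skip to its close
            elif tag == "virtualhost":
                current = {"sockets": [parse_socket(a) for a in args.split()],
                           "ssl": False, "name": "(no ServerName)"}
            continue
        c = CLOSE_RE.match(line)
        if c:
            if skip:
                skip -= 1
            elif c.group(1).lower() == "virtualhost" and current is not None:
                vhosts.append(current)
                current = None
            continue
        if skip:
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "listen" and val:
            listens.append(parse_socket(val.split()[0]))
        elif current is not None and key == "sslengine":
            current["ssl"] = val.lower() == "on"
        elif current is not None and key == "servername":
            current["name"] = val
    return listens, vhosts


def listen_covers(listens, sock):
    """A Listen on the same port covers the vhost when either side is a wildcard
    or the addresses match."""
    addr, port = sock
    return any(lp == port and (la == "*" or addr in ("*", "_default_") or la == addr)
               for la, lp in listens)


def audit(text, defines=frozenset()):
    """Return sorted (kind, socket, vhost-name) findings."""
    listens, vhosts = parse_config(text, defines)
    findings, ssl_by_socket = [], {}
    for vh in vhosts:
        for sock in vh["sockets"]:
            key = "%s:%d" % sock
            if not listen_covers(listens, sock):
                findings.append(("no-listen", key, vh["name"]))
            if vh["ssl"]:
                ssl_by_socket.setdefault(key, []).append(vh["name"])
            elif sock[1] == 443:
                findings.append(("ssl-port-without-sslengine", key, vh["name"]))
        if vh["ssl"] and len({p for _, p in vh["sockets"]}) > 1:
            findings.append(("ssl-on-multiple-ports",
                             " ".join("%s:%d" % s for s in vh["sockets"]), vh["name"]))
    for key, names in ssl_by_socket.items():
        if len(names) > 1:
            findings.append(("name-based-ssl", key, ", ".join(names)))
    return sorted(findings)
```

Run with defines={"SSL"} the audit reports four findings on SAMPLE_CONF: the name-based pair on 10.0.0.3:443, the missing Listen for 172.16.202.25:7001, the SSLEngine-on vhost that spans 10.0.0.2:80 and 10.0.0.2:443, and the port-443 vhost without SSLEngine. Run with no defines, which is what happens when httpd is started without -DSSL, every Listen inside the <IfDefine SSL> block disappears and the SSL sockets all come back as no-listen as well, which is the failure mode behind Ron's advice in the Listen thread. The name-based finding reflects the Apache of these threads; later Apache releases with SNI support can serve a different certificate per name on one address:port.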
Re: Problem with... proxy? Module? Or what?
On Thu, 21 Nov 2002, Alex Povolotsky wrote:

> Hello!
>
> I'm running FreeBSD, and apache/mod_ssl with virtual hosts in a jailed environment. Jail means that I can have only one IP address for apache; ipfilter's ipnat is used to multiplex several external IPs. I also need to support https virtual hosts, and here my troubles begin. Of course, I could not use pure name-based virtual hosts, and I even understand why. What's a bit worse is that I seem to be unable to obtain data from /dev/ipl from inside the jail.

It sounds like yer jail is lacking the libs and devices for this access. Now, whether or not your jail will be safe if you move what's required to get this to function within the jail is another matter you will have to determine after setting up a working jailed testbed with those items. lsof and various other tools are your friend in this endeavor. One of the recent system admin editions had a good article on how to work through the process of setting up jailed applications; I think it was the last month's or two months back edition.

> Maybe someone can guide me towards a proper proxy? Things like mod_real_ip should not help much, and I'm still trying to make pound (http://www.apsis.ch/pound/) work. Having received an https connection via some proxy, how can I pass SSL variables the easiest way?

Thanks,

Ron DuFresne
Re: Problem with... proxy? Module? Or what?
On Fri, 22 Nov 2002, Alex Povolotsky wrote:

> On Thu, 21 Nov 2002 15:25:20 -0500 (EST)
> "R. DuFresne" <[EMAIL PROTECTED]> wrote:
>
> RD> > I'm running FreeBSD, and apache/mod_ssl with virtual hosts in
> RD> It sounds like yer jail is lacking the libs and devices for this access.
>
> libs exist; device exists. I'm getting an IOCTL error trying to access /dev/ipl.
>
> Nov 21 20:11:01 class-a tproxy[52225]: ioctl(SIOCGNATL): Bad address
>
> Maybe ipfilter requires kmem or mem; in this case, I'm surely helpless.
>
> RD> recent system admin editions had a good article on how to work through the
> RD> process of setting up jailed applications I think it was the last months
> RD> or two months back edition.
>
> URL? I don't think I'll be able to get hold of it in reasonable time...

If you're in that much of a time pinch, hopefully you googled for it yourself rather than waiting on me <smile>:

http://www.sysadminmag.com/

Look at the past couple of issues; the article should be in there on jailing daemons. Which I did not locate with a quick search on the site with the term 'jail', yet there were at least 5 articles found with that term relating to this, at least one specific to freebsd. Searching with the term chroot produces more results, and between the two, should locate information to help you here.

Thanks,

Ron DuFresne
Re: Configuring a stand alone SSL enabled apache webserver
As far as I'm aware, and others can correct me if I'm saying something wrong here, the virtual server directives are optional. The key would be the server root for the SSL-based pages to be served, though enclosing a SERVERROOT directive within the virtual server directives would benefit you in separation of the pages being served. Don't be overly confused by the virtual server directives, they aren't just for VH hosting <smile>.

Thanks,

Ron DuFresne

On 19 Nov 2002, Kent Perrier wrote:

> Hi all,
>
> I have looked in the archives and I have not found anything, so I am asking here. I want to run a different web server on port 443 for SSL traffic (not a virtual server in the configuration file for the server on port 80). Looking at the log file, mod_ssl is loaded on start and it is listening on port 443, but the server does not support SSL encrypted traffic. I removed the SSLEngine On directive from the conf file since that only works in a virtual server.
>
> How do I make this work? I am running Apache 1.3.27, mod_ssl 2.8.12 / 0.9.6g.
>
> FYI, here is my httpd.conf
>
> Thanks!
> Kent
>
>     ##
>     ## httpd.conf -- Apache HTTP server configuration file
>     ##
>
>     #
>     # Based upon the NCSA server configuration files originally by Rob McCool.
>     #
>     # This is the main Apache server configuration file. It contains the
>     # configuration directives that give the server its instructions.
>     # See <URL:http://www.apache.org/docs/> for detailed information about
>     # the directives.
>     #
>     # Do NOT simply read the instructions in here without understanding
>     # what they do. They're here only as hints or reminders. If you are unsure
>     # consult the online docs. You have been warned.
>     #
>     # After this file is processed, the server will look for and process
>     # /usr/local/apache1.3/conf/srm.conf and then /usr/local/apache1.3/conf/access.conf
>     # unless you have overridden these with ResourceConfig and/or
>     # AccessConfig directives here.
>     #
>     # The configuration directives are grouped into three basic sections:
>     #  1. Directives that control the operation of the Apache server process as a
>     #     whole (the 'global environment').
>     #  2. Directives that define the parameters of the 'main' or 'default' server,
>     #     which responds to requests that aren't handled by a virtual host.
>     #     These directives also provide default values for the settings
>     #     of all virtual hosts.
>     #  3. Settings for virtual hosts, which allow Web requests to be sent to
>     #     different IP addresses or hostnames and have them handled by the
>     #     same Apache server process.
>     #
>     # Configuration and logfile names: If the filenames you specify for many
>     # of the server's control files begin with / (or drive:/ for Win32), the
>     # server will use that explicit path. If the filenames do *not* begin
>     # with /, the value of ServerRoot is prepended -- so logs/foo.log
>     # with ServerRoot set to /usr/local/apache will be interpreted by the
>     # server as /usr/local/apache/logs/foo.log.
>     #
>
>     ### Section 1: Global Environment
>     #
>     # The directives in this section affect the overall operation of Apache,
>     # such as the number of concurrent requests it can handle or where it
>     # can find its configuration files.
>     #
>
>     #
>     # ServerType is either inetd, or standalone. Inetd mode is only supported on
>     # Unix platforms.
>     #
>     ServerType standalone
>
>     #
>     # ServerRoot: The top of the directory tree under which the server's
>     # configuration, error, and log files are kept.
>     #
>     # NOTE! If you intend to place this on an NFS (or otherwise network)
>     # mounted filesystem then please read the LockFile documentation
>     # (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>);
>     # you will save yourself a lot of trouble.
>     #
>     ServerRoot /usr/local/apache1.3
>
>     #
>     # The LockFile directive sets the path to the lockfile used when Apache
>     # is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
>     # USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
>     # its default value. The main reason for changing it is if the logs
>     # directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
>     # DISK. The PID of the main server process is automatically appended to
>     # the filename.
>     #
>     #LockFile /usr/local/apache1.3/logs/httpd.lock
>
>     #
>     # PidFile: The file in which the server should record its process
>     # identification number when it starts.
>     #
>     PidFile /usr/local/apache1.3/logs/httpd.pid
>
>     #
>     # ScoreBoardFile: File used to store internal server process information.
>     # Not all architectures require this. But if yours does (you'll know because
>     # this file will be created when you run Apache) then you *must* ensure that
>     # no two invocations of Apache share the same scoreboard file.
>     #
>     ScoreBoardFile /usr/local/apache1.3/logs/httpd.scoreboard
>
>     #
>     # In the standard configuration, the server will process httpd.conf (this
>     # file, specified by the -f command line option), srm.conf, and access.conf
>     # in that order. The latter two files are now distributed empty, as it is
>     #
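A main-server-context SSL configuration for the setup Kent describes, added here as an illustration; it is not Kent's httpd.conf nor mod_ssl's shipped default. The ServerRoot follows his config; the certificate, key and log file names are assumed.

```apache
# Added example: Apache 1.3 + mod_ssl 2.8, SSL in the main server context.
# No <VirtualHost> block is needed; SSLEngine is accepted in the server
# config context as well as per virtual host.
ServerType standalone
ServerRoot /usr/local/apache1.3

# Bind the HTTPS port only. With no Listen 80 there is no plaintext listener,
# which is what "a different web server on port 443" amounts to.
Port 443
Listen 443

# "apachectl startssl" runs httpd with -DSSL, so this block is active only then.
<IfDefine SSL>
    # Enable the SSL engine for the main server itself.
    SSLEngine on

    # Server certificate and private key (file names assumed for this example).
    SSLCertificateFile    /usr/local/apache1.3/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache1.3/conf/ssl.key/server.key

    # Prefer strong ciphers; refuse anonymous DH, export, low and NULL ciphers.
    SSLCipherSuite HIGH:MEDIUM:!ADH:!EXPORT:!LOW:!eNULL

    # Inter-process session cache and its lock. These are global-context
    # directives in mod_ssl 2.8, so they sit outside any virtual host anyway.
    SSLSessionCache        dbm:/usr/local/apache1.3/logs/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex               file:/usr/local/apache1.3/logs/ssl_mutex

    # Dedicated SSL engine log (name assumed), the first place to look when
    # a handshake fails.
    SSLLog      /usr/local/apache1.3/logs/ssl_engine_log
    SSLLogLevel info
</IfDefine>
```

With SSLEngine off or absent, exactly the symptom Kent reports appears: the server listens on 443 but answers in plaintext.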
Re: How can I tell if mod_ssl is installed with Apache
These directives:

    --enable-module=ssl --enable-shared=ssl

made mod_ssl a loadable module; it's not part of apache's core binary, so look in /webroot/libexec/ for the module you built, libssl.so, to load in the httpd.conf file. Additionally, I suggest you read through all the documentation as well; you are missing things like this which are clearly defined there. This is seen also in the fact you issued these directives, as well as the ones stated below, in the wrong place:

    --enable-module=rewrite --enable-shared=rewrite
    --enable-module=proxy --enable-shared=proxy
    --sysconfdir=/home/.autoserv/apache/conf
    --htdocsdir=/home/.autoserv/html
    --cgidir=/home/.autoserv/cgi-bin
    --sysconfdir=/home/.autoserv/conf
    --enable-module=ssl --enable-shared=ssl

Thanks,

Ron DuFresne

On Fri, 15 Nov 2002 [EMAIL PROTECTED] wrote:

> I configured and installed mod_ssl with Apache but it does not seem to be working. When I run the ./httpd -l command on Apache it does not show that mod_ssl.c is installed in Apache. This is a list of everything that is in there. Should it be in there?
>
>     http_core.c mod_env.c mod_log_config.c mod_mime.c mod_negotiation.c
>     mod_status.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c
>     mod_asis.c mod_imap.c mod_actions.c mod_userdir.c mod_alias.c
>     mod_access.c mod_auth.c mod_so.c mod_setenvif.c
>
> This is how I configured and installed mod_ssl:
>
> 1. cd to mod_ssl directory
> 2. ran this command:
>
>     ./configure --with-apache=../apache --with-ssl=../openssl \
>         --prefix=/home/.autoserv/apache --target=autohttpd \
>         --enable-module=rewrite --enable-shared=rewrite \
>         --enable-module=proxy --enable-shared=proxy \
>         --sysconfdir=/home/.autoserv/apache/conf \
>         --htdocsdir=/home/.autoserv/html \
>         --cgidir=/home/.autoserv/cgi-bin \
>         --sysconfdir=/home/.autoserv/conf \
>         --enable-module=ssl --enable-shared=ssl
>
> 3. cd ../apache
> 4. make
> 5. make certificate
> 6. make install

--
~~
admin senior security consultant: sysinfo.com http://sysinfo.com

Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart

testing, only testing, and damn good at it too!

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: SSLRandomFile Error (Apache-mod_ssl)
On Fri, 15 Nov 2002, Manoj Kithany wrote:

> Thanks Lutz:
>
> Where to put SSLRandomSeed? Because I put it in the Virtual Host as shown:
>
>     <VirtualHost *>
>     ServerAdmin [EMAIL PROTECTED]
>     DocumentRoot /kit
>     ServerName www.my.server.name
>     ErrorLog logs/log1
>     #SSLRandomFile file /dev/egd-pool 1024
>     SSLRandomSeed startup egd:/var/run/egd-pool
>     SSLRandomSeed connect egd:/var/run/egd-pool
>     SSLCertificateFile /usr/local/ssl/certs/cert.cer
>     SSLCertificateKeyFile /usr/local/ssl/bin/private.key
>     </VirtualHost>
>
> and it throws the following Error:
>
>     # ./apachectl startssl
>     Syntax error on line 983 of /kit/conf/httpd.conf:
>     SSLRandomSeed cannot occur within <VirtualHost> section
>     ./apachectl startssl: httpd could not be started
>     #

The clue here is clearly stated: "SSLRandomSeed cannot occur within <VirtualHost> section". Move the SSLRandomSeed directives higher up in the conf file, before the VirtualHost sections. Perhaps more directly under the <IfDefine SSL>, or prior to that.

Thanks,

Ron DuFresne

> From: Lutz Jaenicke [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: SSLRandomFile Error (Apache-mod_ssl)
> Date: Fri, 15 Nov 2002 22:17:31 +0100
>
> On Fri, Nov 15, 2002 at 09:11:48PM +, Manoj Kithany wrote:
>
>> Hi:
>>
>> I think I have Apache + mod_ssl on my IBM AIX box. My httpd.conf file contains:
>>
>> ---
>>     <VirtualHost *>
>>     ServerAdmin [EMAIL PROTECTED]
>>     DocumentRoot /kit
>>     ServerName www.my.server.name
>>     ErrorLog logs/log1
>>     SSLRandomFile file /dev/egd-pool 1024
>>     SSLCertificateFile /usr/local/ssl/certs/cert.cer
>>     SSLCertificateKeyFile /usr/local/ssl/bin/private.key
>>     </VirtualHost>
>> ---
>>
>> When I RUN my Apache, I get the following Error:
>>
>> ---
>>     # ./apachectl startssl
>>     Syntax error on line 980 of /kit/conf/httpd.conf:
>>     Invalid command 'SSLRandomFile', perhaps mis-spelled or defined by a module not included in the server configuration
>>     ./apachectl startssl: httpd could not be started
>> ---
>>
>> Do you know what the problem is? I read the documentation regarding the above since my IBM AIX Box does NOT have /dev/random
>
> But you didn't read carefully enough. If you are using an EGD style device, you must explicitly tell:
>
>     SSLRandomSeed startup egd:/var/run/egd-pool
>     SSLRandomSeed connect egd:/var/run/egd-pool
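The placement Lutz and Ron describe, laid out as an added example (not Manoj's file): SSLRandomSeed is a global directive, so it goes above the virtual hosts. The EGD socket and certificate paths are the ones from the thread; the SSLEngine line is assumed, since a virtual host needs it to serve SSL at all.

```apache
# Added example: SSLRandomSeed belongs in the global server config.

# Rejected configuration. Inside a <VirtualHost> httpd aborts at startup with
#   "SSLRandomSeed cannot occur within <VirtualHost> section"
# so the lines below are shown commented out.
#<VirtualHost *>
#    SSLRandomSeed startup egd:/var/run/egd-pool
#    SSLRandomSeed connect egd:/var/run/egd-pool
#    ...
#</VirtualHost>

# Accepted configuration: global context, placed before the virtual hosts.
# On a host without /dev/random (AIX here) the PRNG is seeded from the EGD
# socket, once when the server starts and again before each connection.
<IfDefine SSL>
    SSLRandomSeed startup egd:/var/run/egd-pool
    SSLRandomSeed connect egd:/var/run/egd-pool
</IfDefine>

<VirtualHost *>
    DocumentRoot /kit
    ServerName www.my.server.name
    ErrorLog logs/log1
    # Assumed: without SSLEngine on, the host serves plaintext regardless of
    # the certificate directives below.
    SSLEngine on
    SSLCertificateFile    /usr/local/ssl/certs/cert.cer
    SSLCertificateKeyFile /usr/local/ssl/bin/private.key
</VirtualHost>
```

Running httpd with -DSSL -t parses the file without starting the server, so a misplaced SSLRandomSeed is reported before anything listens.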
Re: Apache + mod_ssl - config/install
You used --enable-shared=ssl, so mod_ssl is a shared module, not part of the core compiled-in stuff in the httpd binary you made. Now you have to load the module in the httpd.conf file and configure the SSL related settings to get it to run for you when you apachectl startssl. Most of the settings and directives should be in the default httpd.conf file generated in the make; make install, and await your editing refinements. The man pages and online documentation at the apache and mod_ssl sites should guide you through any settings not clarified fully in the comments in the default httpd.conf file.

Thanks,

Ron DuFresne

On Thu, 14 Nov 2002, Manoj Kithany wrote:

> Hi Experts!
>
> I want to INSTALL and CONFIGURE my APACHE 1.3.27 for SSL. SO, I got mod_ssl from the site and installed it using
>
>     #pwd
>     /opt/freeware/src/packages/SOURCES/mod_ssl-2.8.11-1.3.27
>     # ./configure --with-apache=../apache_1.3.27 \
>         --with-ssl=/Downloads/openssl-0.9.6g \
>         --with-crt=/usr/local/ssl/bin/cert.cer \
>         --with-key=/usr/local/ssl/bin/private.key \
>         --prefix=/kit --enable-shared=ssl
>     #cd ..
>     #cd apache_1.3.27
>     #make
>     #make certificate
>     #make install
>
> This DOCUMENTATION was given in the README file in the above directory.
>
> Later when I check if my APACHE was configured for SSL by using:
>
>     # ./httpd -l
>     Compiled-in modules:
>       http_core.c mod_env.c mod_log_config.c mod_mime.c mod_negotiation.c
>       mod_status.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c
>       mod_asis.c mod_imap.c mod_actions.c mod_userdir.c mod_alias.c
>       mod_access.c mod_auth.c mod_so.c mod_setenvif.c
>     suexec: disabled; invalid wrapper /kit/bin/suexec
>     #
>
> As Seen above, the MOD_SSL Module is NOT LISTED above. When I Installed/configured (as shown above) I did not receive any ERROR - but still could NOT see if MOD_SSL was configured?
>
> Any suggestions/hints
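Loading a shared mod_ssl, as Ron describes in this thread and in the earlier "How can I tell if mod_ssl is installed" one. Added example, not Manoj's httpd.conf or the file mod_ssl generates; the prefix /kit and the certificate and key paths come from his configure line, the DocumentRoot is assumed.

```apache
# Added example: loading mod_ssl built with --enable-shared=ssl (Apache 1.3).
# With a shared build "httpd -l" never lists mod_ssl.c. The module is
# installed as libexec/libssl.so under the --prefix and has to be loaded
# from httpd.conf; mod_so.c, which "httpd -l" does list, makes that possible.
ServerRoot /kit

<IfDefine SSL>
    LoadModule ssl_module libexec/libssl.so
</IfDefine>

# Apache 1.3 also needs the module registered by its source file name.
# Put this after the existing AddModule lines (which follow ClearModuleList
# in the generated httpd.conf), never before them.
<IfDefine SSL>
    AddModule mod_ssl.c
</IfDefine>

# "apachectl startssl" starts httpd with -DSSL; a plain "apachectl start"
# leaves every <IfDefine SSL> block inactive, so the module is not even loaded.
# Once any Listen is given, Port alone no longer binds, hence both ports here.
<IfDefine SSL>
    Listen 80
    Listen 443
    SSLSessionCache dbm:logs/ssl_scache
    SSLMutex        file:logs/ssl_mutex
</IfDefine>

<IfDefine SSL>
<VirtualHost _default_:443>
    DocumentRoot /kit/htdocs
    SSLEngine on
    # The certificate and key named on the configure line.
    SSLCertificateFile    /usr/local/ssl/bin/cert.cer
    SSLCertificateKeyFile /usr/local/ssl/bin/private.key
</VirtualHost>
</IfDefine>
```

"httpd -DSSL -t" checks that the module loads and the directives parse; an "Invalid command 'SSLEngine'" error at that point means the LoadModule/AddModule pair is missing or comes after the directive that uses it.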
Re: Segmentation faults
For one, all your source is dated, and vulnerable. I'd update first thing.

Thanks,

Ron DuFresne

On Sat, 9 Nov 2002, Avinash S wrote:

> Hi,
>
> I am using Red Hat 7.3 with apache-1.3.26, mod_ssl-2.8.7-4 and openssl-0.9.6b-18. Apache has crashed three times in the last week with the following error in apache's error_log.
>
>     [Mon Nov 4 15:58:07 2002] [error] [client 147.213.65.178] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
>     [Mon Nov 4 15:58:16 2002] [error] mod_ssl: SSL handshake failed (server www.nonstock.com:443, client 147.213.65.178) (OpenSSL library error follows)
>     [Mon Nov 4 15:58:16 2002] [error] OpenSSL: error:1406908F:lib(20):func(105):reason(143)
>     [Mon Nov 4 15:58:17 2002] [notice] child pid 14246 exit signal Segmentation fault (11)
>
> Please help.
>
> Thanks in advance
> Avinash.
RE: Chicken and Egg
On Thu, 24 Oct 2002, Cabuzel Thierry wrote:

>> -----Original Message-----
>> From: Boyle Owen [mailto:Owen.Boyle;swx.com]
>> Sent: Thursday 24 October 2002 16:18
>> To: [EMAIL PROTECTED]
>> Subject: RE: Chicken and Egg
>>
>> I guess you will say, "but it's just a lab setup, I don't care about authentication" - well that's fine, but why then do you need encryption?
>
> Perhaps he doesn't need encryption either :)
>
> I am setting up a web folder on my web server with mod_dav. But the firewall of my company is so old (well, no comment :)) that it doesn't recognize some of the extensions of the HTTP 1.1 protocol needed by mod_dav. It reacts to this by blocking these requests, rendering my web folder unusable. My only workaround is to put my folder in an SSL channel to go through the firewall, letting it pass because it can't control what's going on :)
>
> I just need the SSL channel. I don't bother about the encryption (nothing would be enough as long as the firewall doesn't try to block me) and less about the authentication :)

If you are gaining ssl/https, you have encryption, you just do not have authentication. Thus you are tunneling the required needs of the mod_dav traffic within the encrypted SSL space to achieve your means of circumventing the firewall/proxy wishes. You might well be better off here working with the firewall/proxy admin to define the needs and open the proxy to serve them properly. Otherwise, if you are circumventing policy, you might find your access in deeper trouble once the circumvention is discovered.

Owen's advice to the previous, primary requestor in this thread is good; he suggests that that person actually do things right and correct, to get full use of what he has compiled and is trying to design, rather than working with a semi-broken implementation that does not fully grant the authentication the clients of the website are going to trust and want.

Thanks,

Ron DuFresne
Re: can't load /usr/local/apache2/modules/mod_ssl.so into server undefined symbol X509_free
Did you install openssl with shared libs? I recall this being a requirement for the apache 2 code. Also there is a newer version of apache available, it is a security update.

Thanks,

Ron DuFresne

On Fri, 16 Aug 2002, Venkat Reddy Valluri wrote:

> Hi,
>
> I installed openssl 0.9.6g engine on redhat 7.3, over which I installed apache 2.0.39. The installation seems to be successful, but when I tried to start apache with ssl,
>
>     ./apachectl startssl
>
> I am getting
>
>     can't load /usr/local/apache2/modules/mod_ssl.so into server /usr/local/apache2/modules/mod_ssl.so
>
> Any help greatly appreciated
>
> Thks in advance
> Venkat
Re: Apache 2.0.39
On Fri, 9 Aug 2002, Cliff Woolley wrote:

> On Fri, 9 Aug 2002, Cliff Woolley wrote:
>
> That's what I get for not reading all of my email before responding to any of it. 0.9.6g was also released today. Sigh. :) I guess today was the day for releases. Apache 2.0.40 is now out as well.

Any word on if this compiles on those older linux kernels, as the previous release was a total dud in that realm?

Thanks,

Ron DuFresne
Re: Apache 2.0.39
This is a security fix release for those using apache in Cygwin environments!

<quote>

Date: Fri, 9 Aug 2002 22:07:52 +0100 (BST)
From: Mark J Cox [EMAIL PROTECTED]
To: [EMAIL PROTECTED], Full Disclosure [EMAIL PROTECTED], Vuln-Dev [EMAIL PROTECTED]
Subject: [Full-Disclosure] Apache 2.0 vulnerability affects non-Unix platforms

-----BEGIN PGP SIGNED MESSAGE-----

For Immediate Disclosure

===
SUMMARY

Title:         Apache 2.0 vulnerability affects non-Unix platforms
Date:          9th August 2002
Revision:      2
Product Name:  Apache HTTP server 2.0
OS/Platform:   Windows, OS2, Netware
Permanent URL: http://httpd.apache.org/info/security_bulletin_20020809a.txt
Vendor Name:   Apache Software Foundation
Vendor URL:    http://httpd.apache.org/
Affects:       All Released versions of 2.0 through 2.0.39
Fixed in:      2.0.40
Identifiers:   CAN-2002-0661

===
DESCRIPTION

Apache is a powerful, full-featured, efficient, and freely-available Web server.

On the 7th August 2002, The Apache Software Foundation was notified of the discovery of a significant vulnerability, identified by Auriemma Luigi [EMAIL PROTECTED]. This vulnerability has the potential to allow an attacker to inflict serious damage to a server, and reveal sensitive data. This vulnerability affects default installations of the Apache web server. Unix and other variant platforms appear unaffected. Cygwin users are likely to be affected.

===
SOLUTION

A simple one line workaround in the httpd.conf file will close the vulnerability. Prior to the first 'Alias' or 'Redirect' directive, add the following directive to the global server configuration:

    RedirectMatch 400 \\\.\.

Fixes for this vulnerability are also included in Apache HTTP server version 2.0.40. The 2.0.40 release also contains fixes for two minor path-revealing exposures.

This release of Apache is available at http://www.apache.org/dist/httpd/

</quote>

<and SNIP>

Thanks,

Ron DuFresne

On Fri, 9 Aug 2002, Cliff Woolley wrote:

> On Fri, 9 Aug 2002, Cliff Woolley wrote:
>
> That's what I get for not reading all of my email before responding to any of it. 0.9.6g was also released today. Sigh. :) I guess today was the day for releases. Apache 2.0.40 is now out as well.
>
> --Cliff
Re: Regarding mod_ssl version which suits apache 2.0.39
None are required; it's built into the 2.0.x code.

Thanks,

Ron DuFresne

On Wed, 31 Jul 2002, Venkat Reddy Valluri wrote:

> Hi,
>
> Can you please let me know where exactly I can get the suitable mod_ssl version which suits apache 2.0.39? I tried to find out in www.modssl.org, but found only mod_ssl_2.8.10-1.3.26, which suits apache 1.3.26.
>
> Any help greatly appreciated
>
> Thks
> Venkata Reddy V
Re: mod_ssl newbie
Many people seem to have the impression that security = SSL enabled, and in some ways it does enhance security, but it's certainly by no means the end of the game, nor the beginning. Security begins with the OS install:

 - not adding packages known to be exploitable (redhat is the M$ of the linux world these days, a kitchen sink of exploitable packages in the defaults available),
 - closing out un-needed services (not using NFS? then turn it off, disable it via the kernel rebuild process, etc.),
 - replacing telnet, ftp and the R* commands with ssh/scp,
 - setting proper permissions throughout the directory structure to limit local exposures and abilities.

Of course the game gets tougher once you allow others onto the system; once a person has a shell on the box, they have many more routes to compromise the system, so trust begins to play a larger and larger role.

So, to more directly answer your question, no, mod_ssl is not going to fit your needs completely here. It begins at the administration level. Think of SSL enabled transactions as more of a secure tunnel for the protection of the exchange of information, i.e. credit card info, other private personal information, in an encrypted tunnel over the public network. For those with actual login capabilities on your system, you have a whole other set of worms to fish up and out. Even an SSL secured web server with an open exploitable service running on other tcp/ip or udp ports will leave you 0w3d in short order. The system you are attempting to secure should not even touch the internet until *after* it has been properly configured and secured.

Here's a reading list to get you started:

http://rr.sans.org/
http://www.interhack.net/pubs/fwfaq/
http://geodsoft.com/howto/harden/
http://www.nfr.com/forum/publications.html
http://www.ticm.com/info/insider/members/fwsecfaq/index.html
http://www.avolio.com/columns/15.html
http://www.wilyhacker.com/
http://www.jmu.edu/computing/runsafe/
http://csrc.nist.gov/itsec/guidance_W2Kpro.html
http://www.networkcomputing.com/1120/1120ws1.html
http://www.Linux-Sec.net/Policy/
http://www.pc-help.org/obscure.htm
http://www.monkeys.com/security/proxies/
http://nms-cgi.sourceforge.net/
http://www.cgisecurity.com/articles/
http://www.apacheweek.com/features/security-13
http://www.cgisecurity.net/papers/

Thanks,

Ron DuFresne

On Tue, 30 Jul 2002, Henning, Brian wrote:

> Hello,
>
> I am new to the ssl world. Right now I am running w2k with the apache 1.3.23 web server. I downloaded the mod_ssl package from the website. I changed the port on my apache web server to 443. On a high level, what do I need to do to create a secure web server? I guess my real problem is I don't know what ssl does for me. What I am looking for is something that can password protect the files on my server. I want to let specific people access my site and that is it. They must have a password to use it. Is mod_ssl what I want or should I be looking elsewhere?
>
> thanks for any input,
> brian
modssl with a shared ssl lib base
Since apache 2.0.X will not function with older kernels, we have been trying to upgrade to apache_1.3.26 and wean ourselves, for the present, off reliance upon the mod_blowchunks.so thing we have implemented till time permitted. But, we had decided to build ssl-engine with shared capability, so as to not have to jump through hoops if matters with apache 2.0.X changed and such. But, we are failing to get a working httpd when going this route. I'm wondering if the older apache fails, at least on older kernels, when ssl has been compiled as an .so?

Thanks,

Ron DuFresne
Re: SSLCryptoDevice: works as a static, not as a DSO...?
I was thinking, and perhaps wrongly for versions prior to apache 2, that modules required openssl be shared, but earlier mod_ssl based versions I do not think were so limited, being how they were built with SSL support. I'm pretty sure, and others will correct me if I'm wrong, that openssl, the engine version, is the part that enables crypto device accelerator cards, and the documentation for it should define those devices it supports. This is from the README.ENGINE file for openssl-engine-0.9.6b/; note that this is not the most current version, and 0.9.6d might well have new device support:

<quote>

    ENGINE
    ==

    With OpenSSL 0.9.6, a new component has been added to support external crypto devices, for example accelerator cards. The component is called ENGINE, and has still a pretty experimental status and almost no documentation. It's designed to be fairly easily extensible by the calling programs.

    There's currently built-in support for the following crypto devices:

      o CryptoSwift
      o Compaq Atalla
      o nCipher CHIL

    ...

    No external crypto device is chosen unless you say so. You have to actively tell the openssl utility commands to use it through a new command line switch called -engine. And if you want to use the ENGINE library to do something similar, you must also explicitly choose an external crypto device, or the built-in crypto routines will be used, just as in the default OpenSSL distribution.

    PROBLEMS

    It seems like the ENGINE part doesn't work too well with CryptoSwift on Win32. A quick test done right before the release showed that trying "openssl speed -engine cswift" generated errors. If the DSO gets enabled, an attempt is made to write at memory address 0x0002.

</quote>

Unfortunately, the documentation on the engine directives is fairly poor and sparse. If I recall, others have used such devices with the engine version and may well be able to help you more than I can at present. They should respond a tad later in the day as the sun rises near their locations <smile>.

Sorry I'm not of more help here.

Thanks,

Ron DuFresne

On Fri, 28 Jun 2002, James Bromberger wrote:

> Thanks Ron... I just did this, and there was no change -- it still doesn't like this directive:
>
>     Invalid command 'SSLCryptoDevice', perhaps mis-spelled or defined by a module not included in the server configuration
>
> My build was effectively:
>
>     cd openssl*
>     sh config -fPIC -DSSL_EXPERIMENTAL shared
>     make
>     cd ..
>     cd mm-1.1.3
>     ./configure --disable-shared
>     make
>     cd ..
>     cd mod_ssl-2.8.10-1.3.26
>     ./configure --with-apache=../apache_1.3.26 \
>         --with-ssl=../openssl-engine-0.9.6d \
>         --with-mm=../mm-1.1.3 \
>         --enable-rule=SSL_EXPERIMENTAL \
>         --enable-module=ssl \
>         --prefix=/usr/local/apache --enable-shared=ssl \
>         --enable-module=most \
>         --enable-shared=max --enable-module=so
>     cd ..
>     cd apache_1.3.26
>     make
>     make install package-root=`pwd`/package-root
>
> The difference I am doing is removing the --enable-shared=ssl and --enable-shared=max, and then it works (as a static).
>
> Thanks,
> James
>
>> [EMAIL PROTECTED] 06/28/02 01:45pm
>>
>> It might depend upon how you compiled openssl, was it compiled shared also?
>>
>> Thanks,
>>
>> Ron DuFresne
>>
>> On Fri, 28 Jun 2002, James Bromberger wrote:
>>
>>> Hey people. I have been running fine with Apache + Mod_SSL under Solaris with everything working fine. I am now recompiling to Apache 1.3.26, Mod_SSL 2.8.10, OpenSSL 0.9.6d, and MM 1.1.3.
>>>
>>> My httpd.conf is pretty much the default, except for just above the SSLPassPhraseDialog (around line 1090) where I have:
>>>
>>>     SSLCryptoDevice cswift
>>>
>>> (it is a Sun Crypto Accelerator 1 (just a rebadged CryptoSwift) in a Netra T1, on Solaris 8)
>>>
>>> There are two compiles I have done: one where I have done everything as a static, and one where it is DSO. When static, I removed my LoadModules and AddModules, and of course, when as a DSO, I add these back in. All pretty straightforward.
>>>
>>> When I use static, my hardware crypto is working and everything is wonderful. Birds sing, etc...
>>>
>>> When I go DSO and then `apachectl configtest`:
>>>
>>>     Invalid command 'SSLCryptoDevice', perhaps mis-spelled or defined by a module not included in the server configuration
>>>
>>> Which is odd, because all the other SSL directives are OK. If I do a `strings libexec/libssl.so` then I can see that SSLCryptoDevice is mentioned in the module, however using mod_info, it is not mentioned against mod_ssl as being available.
>>>
>>> Does anyone know what is going on here? Why would this work fine as a static, and not as a DSO? This was working with earlier versions (1.3.20 / 2.8.4 / 0.9.6b).
>>>
>>> Any help appreciated.
>>>
>>> James
RE: OT: Encryption and Credit Card Processing (fwd)
-- Forwarded message -- From: Geoff Thorpe [EMAIL PROTECTED] Subject: RE: OT: Encryption and Credit Card Processing (fwd) Resent-Subject: RE: OT: Encryption and Credit Card Processing (fwd) Date: Wed, 29 May 2002 10:56:15 -0400 (EDT) Resent-Date: Thu, 27 Jun 2002 14:22:36 -0400 (EDT) Resent-From: R. DuFresne [EMAIL PROTECTED] To: [EMAIL PROTECTED] Resent-To: R. DuFresne [EMAIL PROTECTED] Hi there, On Wed, 29 May 2002, R. DuFresne wrote: Can others with more incite to verisign certs verify this information for me? thanks in advance: Dunno about the insightful, but I'll try instead ... In response to your question (see below) about surrogate/gated functionality built into the major browsers since Netscape and IE version 3, the answer is simple. To address the global needs of the US financial community, the US Government agreed to this functionality for both domestic and exportable versions of the browser. The Federal Government agreed to this provided the server that triggers the higher strength processing is operating in the US or Canada and a domestic commercial certificate authority (CA) with the capability of issuing such certificates is utilized. To my knowledge, only VeriSign can provide such certificates. I have been involved with the installation of global certificates on Netscape, iPlanet, and IIS web servers since at least the first quarter of the Year 2000. Initially, WebLogic servers could not handle global certificates even though BEA claimed its software did. Once BEA completed its legal agreement with VeriSign, the issue was supposedly resolved. While I expect that this is true, I have never validated it for myself. I don't recall that an Apache web server could handle the Global certificates. To function properly, the supplier of the web server must obtain special (export controlled) code from the issuing CA. 
Apache-based servers can handle this - it requires a sufficient version of OpenSSL, it has very little to do with apache nor even the ssl module (it should make no difference between apache-ssl and mod_ssl, for example). IIRC, configuration is a problem - because these SGC (Server Gated Crypto) usually consist of a cert chain with an intermediate CA cert that is unknown to browsers (it is in turn signed by a CA cert that *is* known to browsers). So, you need to ensure the intermediate cert is also in the server cert file (or was it the CA list? I forget ...) One of the problems was that these certificates were being issued with one or both of a netscape cert extension and a microsoft cert extension. If your signed cert didn't contain the microsoft one, then you'd be fine no matter which version of openssl you were running - in short, without the microsoft extension present in the cert, even IE browsers would obey the SSL protocol. With the microsoft extension present however, IE would enter some deranged brain-state in which it thought it could simply make up it's own new twist on the SSL protocol. This confused various servers except IIS until everyone figured out what was going on with Microsoft's creative side and developed workarounds for it - hence the point about having a sufficient version of OpenSSL. All recent releases of OpenSSL are OK and can cope with these brain-damaged SSL renegotiate hacks from IE. Whether you get a microsoft extension in your SGC cert or not probably depends on the competency, care, and mood of Verisign - and as with all things involving either microsoft and/or verisign, you probably need an agreeable alignment of the planets too. IIRC, people running apache based servers were being issued with SGC certs some of which contained the microsoft extension and some of which didn't. 
Also, the intermediate signing certificate varied quite frequently, so it wasn't possible to hard-code a fixed set of intermediate certs as trusted - it was usually necessary to treat the intermediate cert as part of the server-cert-chain. But this is all rather moot, see below ...

Note: I'm not exposing any secrets here. You should be able to obtain this information freely from the VeriSign, Netscape, and Microsoft public web sites. You just may have to dig for it awhile.

SGC certs are no longer required. It was only ever an issue for export-crippled browsers anyway and those simply don't (or shouldn't) exist any more. SGC also cost heaps more. Get a normal cert.

Cheers,
Geoff

--
Geoff Thorpe, geoff(at)geoffthorpe(dot)net
2000 years on, it's a different empire but the same zealots and the same atrocities.

__ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: Off-Topic - Encryption and Credit Card Processing (resent) (fwd)
-- Forwarded message --
From: Kevin Steves [EMAIL PROTECTED]
Subject: Re: Off-Topic - Encryption and Credit Card Processing (resent)
Cc: 'Marc E. Mandel' [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Date: Sun, 26 May 2002 16:23:00 -0700

On Sat, May 25, 2002 at 11:07:11AM +0200, Ben Nagy wrote:

Netscape and MS appear to support step-up or server gated cryptography. Presumably any browser could (or they could have just not export crippled themselves in the first place). MS tries to take credit for it, but the history is unclear in the quick search I performed.

Netscape was the first to announce, as I recall. MS SGC, initially at least, did not conform to SSLv3, as they decided for performance reasons to short-circuit the renegotiation protocol. This is the Netscape press release:

http://wp.netscape.com/flash2/newsref/pr/newsrelease428.html

This is really all moot at this point, with the wide-spread availability of non-crippled browsers. I don't know why some are still purchasing 128-bit SSL certificates.

Finally, this is dated (written shortly after the Netscape announcement in 1997) but may be useful. I think there are more technical details (OIDs etc.) in a document in the mod_ssl distribution.

Netscape Exportable 128-bit SSL Software
Kevin Steves [EMAIL PROTECTED]
Hewlett-Packard

Summary

Netscape recently received federal approval to export Netscape Communicator with 128-bit encryption to customers worldwide, and to export Netscape servers featuring 128-bit encryption to certified banks worldwide. There has been confusion regarding the technical details of this exportable 128-bit encryption method, due largely to the lack of published technical information from Netscape. This brief paper will describe the technical implementation details of the Netscape method for establishing a 128-bit Secure Sockets Layer (SSL) session using an exportable Netscape client. This method has been referred to by Netscape personnel as step-up encryption.
These details have been derived from public mailing lists and private e-mail with Netscape and HP employees.

SSL Handshake Protocol

SSL utilizes a handshake protocol to perform authentication and negotiate cryptographic parameters. During the SSL handshake, the client and server agree on a single cipher suite, which includes a key exchange algorithm, an encryption algorithm (bulk cipher), a message digest for data integrity, and a boolean identifying exportability. For example, the SSL_RSA_EXPORT_WITH_RC4_40_MD5 cipher suite is exportable and specifies that RSA is used for key exchange, 40-bit RC4 for bulk encryption, and MD5 for data integrity.

The SSL client initiates the handshake by transmitting a hello message to the server with a preference-ordered list of cipher suites supported by the client. The server will select one cipher suite from the client's list and respond with its own hello message. Following is an abbreviated handshake example in which an exportable SSL client transmits both a 40-bit RC4 and a 40-bit RC2 cipher suite; the server selects the RC4 cipher suite.

C->S: ClientHello(SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5)
S->C: ServerHello(SSL_RSA_EXPORT_WITH_RC4_40_MD5)
S->C: Certificate(server_certificate)
S->C: ServerHelloDone
C->S: ClientKeyExchange
C->S: Finished
S->C: Finished

server_certificate is verified by the client via some local trust policy (e.g. the certificate is signed by a trusted certifying authority).

SSL Session Renegotiation

SSL version 3 added the capability for a client or server to renegotiate, or redo, the security parameters of an existing SSL session. This is typically used during client authentication, where a client establishes a secure connection to a server (with server authentication only), then requests a document which requires client authentication, which is followed by a server request to renegotiate the session and require the client to present a valid certificate before the request is returned.
Step-up Encryption

Netscape's step-up encryption method utilizes special X.509 version 3 extensions agreed upon by Netscape and VeriSign, a special VeriSign global certifying authority that is hardcoded into the Netscape executable, and SSL session redo. To utilize step-up encryption with an international browser, a company must obtain an SSL version 3 compliant server that supports 128-bit encryption (for Netscape servers this currently requires Netscape Enterprise Server version 3.0; the reason is explained below), a VeriSign global ID, and Netscape Communicator version 4.0 or greater. With these conditions satisfied, a sample handshake will proceed as follows:

C->S: ClientHello(SSL_RSA_EXPORT_WITH_RC4_40_MD5,
Re: SSLCryptoDevice: works as a static, not as a DSO...?
It might depend upon how you compiled OpenSSL; was it compiled shared also?

Thanks,
Ron DuFresne

On Fri, 28 Jun 2002, James Bromberger wrote:

Hey people. I have been running fine with Apache + mod_ssl under Solaris with everything working fine. I am now recompiling to Apache 1.3.26, mod_ssl 2.8.10, OpenSSL 0.9.6d, and MM 1.1.3. My httpd.conf is pretty much the default, except for just above the SSLPassPhraseDialog (around line 1090) where I have:

SSLCryptoDevice cswift

(it is a Sun Crypto Accelerator 1 (just a rebadged CryptoSwift) in a Netra T1, on Solaris 8)

There are two compiles I have done: one where I have done everything as a static, and one where it is DSO. When static, I removed my LoadModules and AddModules, and of course, when as a DSO, I add these back in. All pretty straightforward. When I use static, my hardware crypto is working and everything is wonderful. Birds sing, etc...

When I go DSO and then `apachectl configtest`:

Invalid command 'SSLCryptoDevice', perhaps mis-spelled or defined by a module not included in the server configuration

Which is odd, because all the other SSL directives are OK. If I do a `strings libexec/libssl.so` then I can see that the SSLCryptoDevice is mentioned in the module; however, using mod_info, it is not mentioned against mod_ssl as being available.

Does anyone know what is going on here? Why would this work fine as a static, and not as a DSO? This was working with earlier versions (1.3.20 2.8.4 0.9.6b).

Any help appreciated.

James

--
~~ admin senior security consultant: sysinfo.com http://sysinfo.com
Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation. -- Johnny Hart
testing, only testing, and damn good at it too!
Re: Newbies : Apache - mod-ssl error
Not sure how it is on winblows machines, but on unix/linux systems the modules are found under libexec in the installed Apache tree; it may be looking for your module in the wrong place?

Thanks,
Ron DuFresne

On Wed, 26 Jun 2002, Andy Soedibjo wrote:

Hi,

I tried to install Apache 1.3.26 - mod_ssl 2.8.9-1.3.26 - OpenSSL 0.9.6d on Windows 2000. I think I've succeeded in installing everything. Now for Apache, I can run it without SSL. But if I try to add

LoadModule ssl_module modules/mod_ssl.so

and run it ... it returns the error:

Syntax error on line 192 of d:/apache/conf/httpd.conf:
Cannot load /apache/modules/mod_ssl.so into server: (126) The specified module could not be found:

I'm sure I've put the mod_ssl.so in the modules directory with the other Apache modules. I've tried to use the full directory

LoadModule ssl_module D:/Apache/modules/mod_ssl.so

but still get the same error.

Syntax error on line 192 of d:/apache/conf/httpd.conf:
Cannot load d:/apache/modules/mod_ssl.so into server: (126) The specified module could not be found:

Does anyone know what's wrong? Any suggestion will be accepted.

Thanks in advance,
Andy.
Re: apache 2.0 hates older linux kernels:
On Tue, 25 Jun 2002, B. van Ouwerkerk wrote:

uname -a
Linux darkstar 2.0.35 #4 Mon Dec 14 18:18:57 CST 1998 i586 unknown

and no matter how we configure, apache dies under

SNIP

Just tested it on my old local testbed server.. (not online) Slackware 7.1.0, Kernel 2.2.16, Apache 2.0.39

Umm, yours might be considered older in relative terms, but I'm using a Slackware 3.6 version on the box I'm trying to work on, so the kernel is a patched-up 2.0.35-6 derivative, older yet than the 7.1 Slackware/2.2.16 kernel you are working on there.

Now, thanks to Cliff w/ apache.org we have gotten farther, but are still a tad short; #define HZ 100 in mod_status and it will at least come closer to compiling.

Cliff,

This comes so close, yet remains so far; the compile looks to complete without any serious errors. I edit mod_status.c:

/*
#ifdef NEXT
#if (NX_CURRENT_COMPILER_RELEASE == 410)
#ifdef m68k
#define HZ 64
#else
#define HZ 100
#endif
#else
#include <machine/param.h>
#endif
#endif NEXT */
#define HZ 100

Here is my config statement:

configure --disable-threads --enable-suexec --with-suexec-caller=nobody --with-suexec-uidmin=500 --enable-module=mod_rewrite --enable-module=mod_cgi --enable-module-shared=ssl --with-ssl=/usr/local/ssl --enable-static-rotatelogs --enable-static-logresolve

This gives me an httpd:

httpd -l
Compiled in modules:
  core.c
  mod_access.c
  mod_auth.c
  mod_include.c
  mod_log_config.c
  mod_env.c
  mod_setenvif.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_suexec.c
  mod_cgi.c
  mod_negotiation.c
  mod_dir.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_so.c

Should suexec be compiled into the httpd binary itself?
It gives me static binaries under support:

-rwx------ 1 root root   5561 Jun 24 18:37 ab*
-rwx------ 1 root root   5591 Jun 24 18:37 checkgid*
-rwx------ 1 root root   5576 Jun 24 18:37 htdbm*
-rwx------ 1 root root   5591 Jun 24 18:36 htdigest*
-rwx------ 1 root root   5591 Jun 24 18:36 htpasswd*
-rwx------ 1 root root  19875 Jun 24 18:37 logresolve*
-rwx------ 1 root root 272278 Jun 24 18:37 rotatelogs*
-rwx------ 1 root root  24613 Jun 24 18:38 suexec*
-rw------- 1 root root  20595 Jun 24 17:25 apxs

but, under modules/ssl, it looks like it was mostly untouched; no compiled .so is left there, nothing. The only files that appear to have been touched in the process:

-rw------- 1 root root 3371 Jun 24 17:25 Makefile
...
-rw------- 1 root root   51 Jun 24 17:25 modules.mk

Though this may well be the result of the make clean just prior to the last config/make...

So, we're almost there, any clues?

Thanks,
Ron DuFresne
openssl shared:
uname -a
Linux darkstar 2.0.35 #4 Mon Dec 14 18:18:57 CST 1998 i586 unknown

config shared no-threads
make
make test

works fine for openssl-engine-0.9.6b/
works fine for openssl-0.9.7-beta2/
Fails miserably for openssl-engine-0.9.6d/

Thanks,
Ron DuFresne
apache 2.0 hates older linux kernels:
uname -a
Linux darkstar 2.0.35 #4 Mon Dec 14 18:18:57 CST 1998 i586 unknown

and no matter how we configure, apache dies under:

/bin/sh /mnt/src/httpd-2.0.39/srclib/apr/libtool --silent --mode=compile gcc -g -O2 -DLINUX=2 -D_REENTRANT -DAP_HAVE_DESIGNATED_INITIALIZER -I/mnt/src/httpd-2.0.39/srclib/apr/include -I/mnt/src/httpd-2.0.39/srclib/apr-util/include -I/mnt/src/httpd-2.0.39/srclib/apr-util/xml/expat/lib -I. -I/mnt/src/httpd-2.0.39/os/unix -I/mnt/src/httpd-2.0.39/server/mpm/prefork -I/mnt/src/httpd-2.0.39/modules/http -I/mnt/src/httpd-2.0.39/modules/filters -I/mnt/src/httpd-2.0.39/modules/proxy -I/mnt/src/httpd-2.0.39/include -I/mnt/src/httpd-2.0.39/modules/dav/main -prefer-non-pic -static -c mod_status.c
touch mod_status.lo
mod_status.c: In function `status_handler':
mod_status.c:270: `HZ' undeclared (first use this function)
mod_status.c:270: (Each undeclared identifier is reported only once
mod_status.c:270: for each function it appears in.)
make[3]: *** [mod_status.lo] Error 1
make[3]: Leaving directory `/mnt/src/httpd-2.0.39/modules/generators'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/mnt/src/httpd-2.0.39/modules/generators'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/mnt/src/httpd-2.0.39/modules'
make: *** [all-recursive] Error 1

Thanks,
Ron DuFresne
Re: 56-bit/128-bit IE problems
Are there still export restrictions on the 128-bit browsers? I was under the impression those export restrictions had been lifted a few years back.

Thanks,
Ron DuFresne

On Fri, 21 Jun 2002, Thomas Binder wrote:

Hi!

On Fri, Jun 21, 2002 at 08:39:04AM -0700, David Wall wrote:

You could also consider getting a Thawte super cert which has a capability to allow the 56-bit export version of IE to not be so stupid and connect at the higher 128-bit when accessing your site.

Just for the record, Thawte's Super Certs are what VeriSign calls Secure Site Server Pro (Global) ID. But they are quite a lot cheaper.

Ciao
Thomas
Re: SSL for apache 2.0.39
On Wed, 19 Jun 2002, Jess Williams wrote:

I downloaded the binary for RedHat for 2.0.39 and installed it on RedHat 7.1. For some reason apache will not start listening on 443! It's driving me crazy. It works fine for port 80, just not 443. Do I need to download something in addition? I am trying to use ./apachectl startssl to start it up.

Don't be so lazy <smile>; dump the rpms, meaning uninstall 'em, and grab the Apache source and OpenSSL source and hand compile; all should function then.

Thanks,
Ron DuFresne
RE: How to disable part of the HTTP pages?
This might depend upon what the site wants to do in the end. Disabling port 80 will help keep folks from popping in on http; it can be a bennie for sites open only to a chosen few. Redirects are good for sites open to all and pushing clients to the https aspect. So, it can depend upon what the site's requirements are.

Thanks,
Ron DuFresne

On Tue, 11 Jun 2002, Dale Weaver wrote:

I believe it is more accurate to redirect. It causes less confusion:

<VirtualHost *:80>
    ServerName whatever
    Redirect permanent / https://whatever
</VirtualHost>

Avoids confusion and irritation on the part of site visitors.

-
When a true genius appears in the world, you may know him by this sign; that the dunces are all in confederacy against him. -- Jonathan Swift
___
Dale Weaver [EMAIL PROTECTED]
UNIX Systems Administrator (919) 662-3508
Wake Technical Community College fax (919) 779-3360

On Sun, 9 Jun 2002, Han,Donghoon wrote:

Put "Deny from all" in <Directory /some_directory_to_block> ... </Directory> in the vhost settings where the serving port is 80. Ex)

<VirtualHost *:80>
    BlahBlahBlah
    <Directory /usr/docs>
        Order Deny,Allow
        Deny from all
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    BlahBlah
    <Directory /usr/docs>
        Order Allow,Deny
        Allow from all
    </Directory>
</VirtualHost>

Refer to the apache manual for further information.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of lin geng
Sent: Saturday, June 08, 2002 10:44 AM
To: [EMAIL PROTECTED]
Subject: RE: How to disable part of the HTTP pages?

Disable port 80.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Conrad Ng
Sent: Wednesday, June 05, 2002 8:47 PM
To: [EMAIL PROTECTED]
Subject: How to disable part of the HTTP pages?

Dear all

After I have implemented the SSL technology in my servers, I understand that users can access securely under HTTPS://link. However, they can still access through HTTP://link. Is there any way to block people from accessing under HTTP:// ?
I'm not meaning to block the whole port 80 but only some pages; does it belong to the settings of Apache or what? Please instruct. Thanks a lot!!

Regards
Conrad Ng
RE: Performance Tuning on Apache 1.3.24 with mod_ssl 2.8.8
(but I don't want to start another discussion on that either!)

Dang! Everyone's killing some of my better discussion topics! <grin>

Y'all have a great weekend folks.

Thanks,
Ron DuFresne
RE: OT: Encryption and Credit Card Processing (fwd)
Can others with more insight into VeriSign certs verify this information for me? Thanks in advance:

In response to your question (see below) about surrogate/gated functionality built into the major browsers since Netscape and IE version 3, the answer is simple. To address the global needs of the US financial community, the US Government agreed to this functionality for both domestic and exportable versions of the browser. The Federal Government agreed to this provided the server that triggers the higher strength processing is operating in the US or Canada and a domestic commercial certificate authority (CA) with the capability of issuing such certificates is utilized. To my knowledge, only VeriSign can provide such certificates.

I have been involved with the installation of global certificates on Netscape, iPlanet, and IIS web servers since at least the first quarter of the year 2000. Initially, WebLogic servers could not handle global certificates even though BEA claimed its software did. Once BEA completed its legal agreement with VeriSign, the issue was supposedly resolved. While I expect that this is true, I have never validated it for myself. I don't recall that an Apache web server could handle the Global certificates. To function properly, the supplier of the web server must obtain special (export controlled) code from the issuing CA.

Note: I'm not exposing any secrets here. You should be able to obtain this information freely from the VeriSign, Netscape, and Microsoft public web sites. You just may have to dig for it awhile.
Re: Apache + MOD_SSL Win32 crash
What else might be running on this system? If it were me, I'd move everything to a solid unix-based system. Windows does not play well with others, not ready for prime time, but that's me.

Thanks,
Ron DuFresne

On Thu, 23 May 2002, Mike Campbell wrote:

Hello,

I'm running Apache 1.3.24 with mod_ssl 2.8.8 on a Windows 2000 server. I've installed and configured according to the Apache + SSL on Win32 Howto http://tud.at/programm/apache-ssl-win32-howto.php3 and I've gotten a certificate from Thawte.

I can and always have been able to make an (unsecure) http hit on the server. I can also make a secure https hit. However, if I reload the secure page a few times, sooner or later Apache crashes. The error message that pops up says "Apache.exe has generated errors and will be closed by Windows. You will need to restart the program. An error log is being created." The Windows error log says it was an access violation and gives a stack dump, which I don't know how to read. The Apache error log and the SSL log are free of errors.

When starting Apache, the only complaint I was getting from the config file was:

Cannot add module via name 'mod_ssl.c': not in list of loaded modules

so I've commented that line out. Does anyone have any suggestions?

These are the relevant lines in httpd.conf:

### (other AddModules) ###
#AddModule mod_ssl.c
...
### (other LoadModules) ###
LoadModule ssl_module modules/mod_ssl.so
...
Listen 80
Listen 443
...
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLLog logs/SSL.log
SSLLogLevel info

<VirtualHost XXX.XXX.XXX.XXX:80>
    DocumentRoot c:/...
    ServerName www.mydomain.com
</VirtualHost>
...
### (many other VirtualHosts) ###
<VirtualHost XXX.XXX.XXX.XXX:443>
    SSLEngine On
    SSLCertificateFile conf/ssl/pubkey.cert
    SSLCertificateKeyFile conf/ssl/prvkey.key
    DocumentRoot c:/...
    ServerName www.mydomain.com
</VirtualHost>

-
Mike Campbell
Aktiv Software Corporation
[EMAIL PROTECTED]
http://www.aktiv.com
(250) 708-0027
Re: Server private key
Not if the key is properly protected, as it should be.

On Tue, 14 May 2002, Rafael Amer wrote:

Hi.

Does anybody know if it is possible to access the RSA private key of an Apache server with mod_ssl from another module written in C or Perl (mod_perl)?

Thanks.

Regards,
R. Amer

--
~~ admin senior security consultant: sysinfo.com http://sysinfo.com
Re: virtual hosting and ssl
The only other issue one really has that Owen has not covered is trusting the issuing CA to do things correctly. There's an incident not too long in the past whence a site not Microsoft-affiliated obtained a fake Microsoft cert. Of course there are also man-in-the-middle exploits, even with ssl and ssh, though they tend to be rare and hard to implement, for the most part. With wireless being the new toy in use by many, there are issues of information leakage too, but these are different topics in and of themselves...

Cool writeup Owen, we're saving it here to send out as common requests come in.

Thanks,
Ron DuFresne

On Tue, 7 May 2002, Owen Boyle wrote:

Steve Leach wrote:

Owen, I just followed this thread - thanks for that condensed 'how it works' for certificates - I picked up two things I did not know, and as they say knowledge is power :) I am wondering at the last statement as to whether the limitation lies in the ability to produce a certificate that could verify all hosted domains, or whether Apache (or indeed any HTTPS server) could work with such a beast?

As I understand it, the trouble is that there are two aspects to SSL: encryption and authentication. If it was only about encryption, you wouldn't have to tie your certificates to the different sites - so you could just serve up a general server-certificate which would contain your public key (which is, after all, just a big long number). The client would use this to send you a session-key and you'd have established the secure channel. Then you could exchange the HTTPS packets in confidence and use the Host: fields therein to select virtualhosts. Indeed, this is what happens when people naively set up NBVHs on port 443 - the server just uses the certificate from the first VH for any request it receives. However, we've forgotten about authentication.
If you really want a secure connection, it is no use just encrypting the datastream; you have to be sure that the packets are really going to the destination you want. If you send your credit card details to www.amazon.com how can you be sure that the server at the other end really does belong to Amazon Books Inc. and is not a fake server with a copy of their site and that some crook has not hijacked a router somewhere along the way? The answer is that when you get the cert from amazon.com it contains not only the public key but also their site name. Their cert has also been signed by Verisign or somesuch and so can be verified. Now you can't just make a self-signed cert which says you're amazon.com because the browser does not recognise the authority which signed this certificate.

Really, these problems are all client-side. The server is only interested in setting up a secure channel so will use any cert that seems appropriate. The trouble only starts when the browser starts checking out the cert and finds that it can't verify it because the signing authority is unknown or that it looks fishy because the site-name on the request doesn't match the site-name in the cert. This is really just the browser manufacturers protecting you from being conned and themselves from being sued.

Rgds,
Owen Boyle.
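Two points from the messages above can be reproduced offline with nothing but the openssl command line: Geoff's, in the SGC thread, that an intermediate CA cert the browser does not know has to travel with the server cert (the answer to his "server cert file or CA list?" question is the server cert chain, which is what mod_ssl's SSLCertificateChainFile directive carries), and Owen's, that the browser checks both the signing chain and the site name, so a self-signed cert that merely claims to be the site is rejected. The script below is an added example, not code from either message; it assumes only that the openssl CLI is installed, and every name in it (Example Root CA, Example Intermediate CA, www.example.test, www.other.test) is constructed for the demonstration. Each verify_* function plays the role of a browser that trusts only the root, and returns openssl's exit status (0 = verified).

```shell
#!/bin/sh
# Added example, not from the mailing-list messages. Requires the openssl CLI.
# All CA and host names below are constructed for illustration.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# X.509v3 extensions: one set for a CA cert, one for a server cert.
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.test
EOF

# newkey_csr NAME CN: fresh RSA key plus a CSR for the given common name.
newkey_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
}

# 1. Root CA: the only thing the "browser" trusts (stands in for VeriSign's root).
newkey_csr root "Example Root CA"
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 30 \
  -extfile ca.ext >/dev/null 2>&1

# 2. Intermediate CA, signed by the root but unknown to the browser.
newkey_csr inter "Example Intermediate CA"
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out inter.crt -days 30 -extfile ca.ext >/dev/null 2>&1

# 3. The real server cert for www.example.test, signed by the intermediate.
newkey_csr server "www.example.test"
openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -out server.crt -days 30 -extfile leaf.ext >/dev/null 2>&1

# 4. An impostor: self-signed, but carrying the same site name.
newkey_csr fake "www.example.test"
openssl x509 -req -in fake.csr -signkey fake.key -out fake.crt -days 30 \
  -extfile leaf.ext >/dev/null 2>&1

# What the server should send on the wire: its own cert, then the intermediate.
# (With mod_ssl: SSLCertificateFile server.crt + SSLCertificateChainFile inter.crt.)
cat server.crt inter.crt > chain.pem

# Browser-side checks. Trust store = root.crt only; -untrusted is what the
# server sent; -verify_hostname is the name the user typed into the browser.
verify_leaf_alone()  { openssl verify -CAfile root.crt server.crt >/dev/null 2>&1; }
verify_with_chain()  { openssl verify -CAfile root.crt -untrusted chain.pem server.crt >/dev/null 2>&1; }
verify_right_name()  { openssl verify -CAfile root.crt -untrusted chain.pem -verify_hostname www.example.test server.crt >/dev/null 2>&1; }
verify_wrong_name()  { openssl verify -CAfile root.crt -untrusted chain.pem -verify_hostname www.other.test server.crt >/dev/null 2>&1; }
verify_self_signed() { openssl verify -CAfile root.crt -verify_hostname www.example.test fake.crt >/dev/null 2>&1; }

report() {  # report LABEL FUNCTION
  if "$2"; then echo "$1: OK"; else echo "$1: REJECTED"; fi
}
report "leaf sent without intermediate" verify_leaf_alone
report "leaf sent with chain          " verify_with_chain
report "chain, hostname matches       " verify_right_name
report "chain, hostname mismatch      " verify_wrong_name
report "self-signed impostor          " verify_self_signed
```

Only "leaf sent with chain" and "chain, hostname matches" verify; the other three are rejected, which is exactly the browser behaviour Owen describes and the "unknown issuer" failure Geoff's SGC users hit when the intermediate was left out of the server's chain. The same check against a live server is `openssl s_client -connect host:443 -showcerts`, where a "unable to get local issuer certificate" line means the chain sent is incomplete.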
Re: More Apache 2.0.35 testing
On Wed, 1 May 2002, Lynn Gazis wrote:

I'm now getting unresolved externals when trying to build Apache 2.0.35 with SSL enabled on Solaris 7, and would like, before I go farther in trying to diagnose this particular problem (and the shared memory cache problem I am having on HP-UX), to ask a couple of general questions:

1) In testing Apache 2.0, should I be testing with the latest version of OpenSSL 0.9.6 or with the latest pre-release version of OpenSSL 0.9.7?

Perhaps the most stable code will be either 0.9.6b or 0.9.6c; I can't speak for 0.9.7.

2) Is there some option that I have not found which I should be using to enable the engine code (right now I am doing so by modifying mod_ssl.h to turn SSL_EXPERIMENTAL and SSL_ENGINE on)?

There are two versions of OpenSSL source available, the engine version and the non-engine version. Both will work pretty much the same. But, if you ever intend upon using hardware encryption devices you will want the engine version.

3) Should the shared memory cache be automatically included in Apache 2.0, or should I be somehow including mm-1.1.3, as I have been doing with mod_ssl?

My understanding is that mm is no longer required. So yes, it's built in.

4) Should I be reporting problems I run across in testing Apache 2.0 to a different list from this one?

This list is at least one spot; I'm sure others here might recommend other lists to x-post such problems to.

Thanks,
Ron DuFresne
Re: Urgent help
So much urgency, what, perhaps 4 different Urgent requests??

*shakes his head*

Oh well...

Thanks,

Ron DuFresne
Re: http and https
Yes, remove and directives in http.conf for port 80 and just keep the port 443 stuff.

Thanks,

Ron Dufresne

On Thu, 18 Apr 2002 [EMAIL PROTECTED] wrote:

> Hello,
>
> I have the following config: Apache/1.3.23 (Unix) mod_ssl/2.8.7 OpenSSL/0.9.6
>
> I notice that if I enter https://server/www/index.php it works great. Now if I enter http://server/www/index.php I get to the same location and it is not SSL secured.
>
> So my question is: can you turn off access to http?
>
> Thanks,
> Ron
Re: http and https
Would this not still leave port 80 open and bound? Is not just removing the port declarations for 80 and only having 443 set better and perhaps more secure?

Thanks,

Ron DuFresne

On Thu, 18 Apr 2002, Cliff Woolley wrote:

> On Thu, 18 Apr 2002 [EMAIL PROTECTED] wrote:
>
> > Now if I enter http://server/www/index.php I get to the same location and it is not SSL secured. So my question is: can you turn off access to http?
>
> See the SSLRequireSSL directive. Or you might want to set up a Redirect so that the client is automatically sent over to the https side.
>
> --Cliff
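Cliff's two suggestions and Ron's preference fit together in one configuration. The fragment below is an added example, not configuration from the thread or from the mod_ssl distribution: a port-80 virtual host whose only job is to redirect to https, and a port-443 virtual host whose content is additionally guarded by SSLRequireSSL. The hostname and file paths are placeholders. Deleting the `Listen 80` line and the first VirtualHost gives Ron's variant, in which port 80 is never bound at all.

```apache
# Added example (not from the thread). Hostname and paths are placeholders.
Listen 80
Listen 443

# Plain-HTTP side: serve nothing, answer every request with a redirect to
# the https:// URL. Remove this block and "Listen 80" to not bind port 80.
<VirtualHost *:80>
    ServerName server.example
    Redirect permanent / https://server.example/
</VirtualHost>

<VirtualHost *:443>
    ServerName server.example
    DocumentRoot /var/www/htdocs

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Second line of defence: if a plain-HTTP vhost later reaches this
    # directory by mistake, requests over a non-SSL connection are refused.
    <Directory /var/www/htdocs>
        SSLRequireSSL
    </Directory>
</VirtualHost>
```

The redirect keeps existing bookmarks and links working; SSLRequireSSL alone would answer them with 403 Forbidden, which is safe but unfriendly.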
Re: Apache 2.0.35 with SSL - wont start
You're not trying to run two httpd's on the same set of ports, are you, the old one running while trying to fire up the new? That's what the error suggests, I think...

thanks,

Ron DuFresne

On Mon, 15 Apr 2002, paul priestman wrote:

> Hello all,
>
> I have downloaded and installed Apache 2.0.35 with SSL. I have configured the httpd.conf as they suggest in ssl.conf. However, when I try to start apachectl I get the following message:
>
>   (13)Permission denied: make_sock: could not bind to address 0.0.0.0:443
>   no listening sockets available, shutting down
>   ./apachectl startssl: httpd could not be started
>
> Has anyone any ideas what I'm doing wrong - I have successfully got SSL working with apache 1.3.22.
>
> Thanks for your time
>
> Paul
Re: Apache 2.0.35 with SSL - wont start
> >   (13)Permission denied: make_sock: could not bind to address 0.0.0.0:443
> >   no listening sockets available, shutting down
> >   ./apachectl startssl: httpd could not be started

It's *not* trying to start on 8443 though...

thanks,

Ron DuFresne

On Mon, 15 Apr 2002, paul priestman wrote:

> I'm actually trying to run this server on port 8443 - the other httpd runs on port 443 but I have stopped this server running (as it's just another test server). I am starting the server as myself - not as root, but the port is > 1024 anyway. I have tried changing the port to other numbers as well but to no luck.
>
> Paul
>
> > From: R. DuFresne [EMAIL PROTECTED]
> > To: paul priestman [EMAIL PROTECTED]
> > CC: [EMAIL PROTECTED]
> > Subject: Re: Apache 2.0.35 with SSL - wont start
> > Date: Mon, 15 Apr 2002 09:12:42 -0400 (EDT)
> >
> > You're not trying to run two httpd's on the same set of ports, are you, the old one running while trying to fire up the new? That's what the error suggests, I think...
> >
> > thanks,
> >
> > Ron DuFresne
Re: Apache 2.0.35 with SSL - wont start
As Owen, I think, mentioned, you might have to clean up the old httpd.conf file; it might well be trying to set up two connections on the same port. Another suggested here it might be your config: you might not be binding to a specific IP/NIC.

Thanks,

Ron DuFresne

On Mon, 15 Apr 2002, paul priestman wrote:

> So it's trying to bind to 443 - I have stated in my ssl.conf to listen on port 8443 and have set up a virtual host for port 8443 with SSL enabled - how come it tries to bind to port 443?
>
> I have therefore tried to start the server as root - it started okay but I cannot make an SSL connection - I go to https://servername.com:443 but get a server error telling me I could not connect to server - in the error logs I get:
>
>   mod_ssl: Unable to set session id context to 'servername.com:443' (OpenSSL library error follows)
>   OpenSSL: error:140DA111::lib(20) :func(218) :reason(273)
>
> > >   (13)Permission denied: make_sock: could not bind to address 0.0.0.0:443
> > >   no listening sockets available, shutting down
> > >   ./apachectl startssl: httpd could not be started
> >
> > It's *not* trying to start on 8443 though...
> >
> > thanks,
> >
> > Ron DuFresne
> >
> > On Mon, 15 Apr 2002, paul priestman wrote:
> >
> > > I'm actually trying to run this server on port 8443 - the other httpd runs on port 443 but I have stopped this server running (as it's just another test server). I am starting the server as myself - not as root, but the port is > 1024 anyway. I have tried changing the port to other numbers as well but to no luck.
> > >
> > > Paul
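Paul's puzzle (he configured 8443, Apache insists on 443) is the classic symptom of a `Listen` directive surviving somewhere in the configuration, and any Listen on a port below 1024 fails with "Permission denied" for a non-root user. The script below is an added example, not from the thread or the Apache project: it collects every Listen directive across a set of config files and flags the privileged ports. The two config files are constructed here to mirror the situation described, not taken from Paul's server.

```shell
#!/bin/sh
# Added example (not from the thread): audit Listen directives before starting
# httpd as a non-root user. Config files are constructed for the demonstration.
set -eu

CONF=$(mktemp -d)
trap 'rm -rf "$CONF"' EXIT

cat >"$CONF/httpd.conf" <<'EOF'
ServerName test.example
# a lower-case "listen 80" would be caught too: directive names are case-insensitive
Listen 80
Include conf/ssl.conf
EOF

cat >"$CONF/ssl.conf" <<'EOF'
# Stock line nobody removed; as a non-root user this is the one that produces
# "could not bind to address 0.0.0.0:443".
Listen 443
<IfDefine SSL>
    Listen 192.0.2.10:8443
</IfDefine>
EOF

# listen_ports FILE...  -> one port per line, in file order.
# Handles "Listen 443", "Listen 192.0.2.10:8443" and "Listen [2001:db8::1]:8443":
# everything up to the last colon is the address, the rest is the port.
listen_ports() {
  grep -h -i '^[[:space:]]*Listen[[:space:]]' "$@" |
    awk '{ addr = $2; sub(/^.*:/, "", addr); print addr }'
}

# privileged_ports FILE... -> only the ports below 1024, which need root to bind.
privileged_ports() {
  listen_ports "$@" | awk '$1 + 0 < 1024'
}

echo "Listen directives in effect:"
listen_ports "$CONF/httpd.conf" "$CONF/ssl.conf"
if [ "$(id -u)" -ne 0 ]; then
  for p in $(privileged_ports "$CONF/httpd.conf" "$CONF/ssl.conf"); do
    echo "port $p needs root; use a port above 1024 or start httpd as root"
  done
fi
```

Pass every file the main config includes (ssl.conf, anything under conf.d) so that a stock `Listen 443` hiding in an included file is caught; a Listen inside `<IfDefine>` is reported unconditionally, which is the conservative choice for an audit.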
Re: Apache 2.0.35 with SSL - wont start
Actually, the capability to separate parts of the configuration has always been in place; it just was not the standard nor the adopted practice in earlier apache releases. In fact, I think separation of configuration was dropped fairly early on in apache/modssl development as some early web admins found it confusing.

Thanks,

Ron DuFresne

On Mon, 15 Apr 2002, Andrew Lietzow wrote:

> Dear Mads Toftum,
>
> > This is the default for Apache2 - the ssl configuration has been moved out of httpd.conf to ssl.conf
>
> --- And what a marvelous business/IT decision that was! I applaud this whole-heartedly. I am but a mere mortal, simply needing to know enough to configure, launch, and maintain Apache mod_ssl enabled servers. IMO, this makes for a more straightforward configuration, allowing more users to adopt and utilize the technology. Hopefully, this is perceived to be a good thing by those who enable this project to persist.
>
> Andrew Lietzow
> The ACL Group, Inc.
Re: Reinstalling a Thawte CRT - Feasible?
Pull the drive and pop it into another machine so you can recover what ya need.

Thanks,

Ron DuFresne

On Sun, 14 Apr 2002, Andrew Lietzow wrote:

> Dear mod_ssl'ers,
>
> I have in my possession a diskette on which I backed up my Thawte CRT file (at least I'm bright enough to have done that... but at the time I didn't know that I would need to have backed up TWO files... anyhow...). It has been successfully installed previously on a SuSE Linux 7.1 server. The box crashed hard last weekend (fortunately, it was not quite yet a production server). I could not get that fairly old P-100 system to come back up. Everything I tried failed. Apparently, it took a hit on a memory chip or something critical to the system such that it could not be rebooted. I pulled hair for about a day while searching the SuSE site, and the entire Inet crash recovery routines on a SuSE box. No magical answer appeared. I made the decision to upgrade.
>
> Now I have installed SuSE 7.3 on this new server and I need to reinstall my CERT. I have the securedomainname.crt file in my possession on a diskette but I do not have the original securedomainname.key file, or the securedomainname.csr file (because I trust servers to never crash?). The files are gone now as I have completely reformatted that system during the new install.
>
> I have gone through the steps at http://www.thawte.com/ucgi/gothawte.cgi?a=e380614470105000 to generate a new server.key and server.csr file. Since I am running Apache 2.0.35, I modified my /usr/local/apache2/conf/ssl.conf file to access the new .key and OLD .crt file. It appears to work through the ssl.conf file just fine and then dies with a mismatch error. The entries I made look like this:
>
>   SSLCertificateFile /usr/local/apache2/conf/ssl.crt/securedomainname.crt
>   (the old file from Thawte, copied over from diskette)
>   SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/securedomainname.key
>   (a new file)
>
> Of course, perhaps critical to this routine is whether I answered the questions EXACTLY the same during the creation of the NEW securedomainname.csr file. It's possible, but I'm not 100% certain.
>
> When I attempt to fire up with ./apachectl startssl the system prompts me for a passphrase and it accepts it. I did NOT enter a passphrase when I requested my original Thawte CERT. I don't know if this is critical (i.e. is my passphrase encrypted into the CSR file and they use this as part of the generation of my private.crt file?). Anyhow, when I ATTEMPT to fire up with ./apachectl startssl the system prompts with
>
>   Some of your private key files are encrypted for security reasons.
>   In order to read them, you have to provide us with the pass phrases.
>   securedomainname.com:443 (RSA)
>
> I enter the pass phrase, and it returns "Ok: Pass Phrase Dialog successful" and then I get an "Unable to start httpd" error message. I checked the /logs/error_log file where there is a record of a grumble... yadda, yadda, yadda, key values mismatch.
>
> Rather than spend hours attempting to make new .key and .csr files, and then to trick the system into accepting my old .crt file, I need to ask the question whether this is even feasible. Was my original KEY file generated with a random seed routine that made it so that when I sent my CSR file to Thawte, I cannot ever create a KEY file on this server that would match to my old CRT? NOW that I see their caveat, "Now PLEASE backup your www.xxx.com.key and make a note of the passphrase. Losing your key will cost you money!", I imagine this is why this can't be done, but I have to pose the question, just to be sure. No use spending another 100 bucks if I don't have to.
>
> TIA,
>
> Baffled and UNCERTIFIED on CRT'S, I remain...
>
> Andrew Lietzow
> The ACL Group, Inc.
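Andrew's question (can a freshly generated key ever match the old certificate?) has a mechanical answer: the certificate carries the public half of one specific key pair, so a key from a new CSR produces exactly the "key values mismatch" Apache logged. The script below is an added example, not from the thread, Thawte or the mod_ssl project: it shows the pairing check with the openssl CLI. The key and certificate are constructed locally, with a self-signed certificate standing in for the CA-issued one; the check is the same because a CA copies the public key from the CSR into the certificate unchanged.

```shell
#!/bin/sh
# Added example (not from the thread): the check behind Apache's
# "key values mismatch" error. Assumes an openssl binary on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins: the original key and its certificate (self-signed here;
# a CA-issued certificate carries the same public key and behaves identically).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/original.key" -out "$WORK/securedomainname.crt" \
  -subj "/CN=securedomainname.example" >/dev/null 2>&1

# A key generated on the rebuilt server, with no relation to the old one.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/new.key" 2>/dev/null

# pubkey_fingerprint FILE -> SHA-256 of the DER-encoded SubjectPublicKeyInfo.
# Accepts a private key or a certificate. Comparing the whole SPKI rather than
# an RSA modulus makes the same check work for EC keys.
pubkey_fingerprint() {
  if grep -q 'BEGIN CERTIFICATE' "$1"; then
    openssl x509 -in "$1" -pubkey -noout
  else
    openssl pkey -in "$1" -pubout
  fi | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{ print $NF }'
}

# key_matches_cert KEYFILE CERTFILE -> exit 0 when they belong together
key_matches_cert() {
  [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

for key in original new; do
  if key_matches_cert "$WORK/$key.key" "$WORK/securedomainname.crt"; then
    echo "$key.key pairs with securedomainname.crt"
  else
    echo "$key.key does NOT pair with securedomainname.crt (Apache: key values mismatch)"
  fi
done
```

Run the same two-fingerprint comparison against the files named in SSLCertificateFile and SSLCertificateKeyFile before starting httpd; it answers the question without a restart. Without the original key, the only way forward is a new CSR and a reissued certificate, which is what Thawte's caveat about backing up the key is warning about.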
Re: mod_perl
Frontpage can be used without the extensions. At least the client can use frontpage on his end and then push the pages out without the extensions being allowed, though this may well disable some of the special scripting. Folks that shy away from frontpage tend to do so due to its repeated history of having security issues, though there may well be further stability issues I'm unaware of additionally. You might find better help on getting FP up and running, if really required, on the apache list or a FP specific listing.

Thanks,

Ron DuFresne

On Sat, 13 Apr 2002, Server Admin wrote:

> Andrew, thanks for your sentiments and I quite agree about the FrontPage frustration being shared by many of the administrators I've discussed this issue with. I'm really interested in drifting away from the use of FP as well, but, alas, one major domain that publishes an online tech magazine to 180 countries needs the assist that is provided by the FP client in its fast production of html and pages with functionality... there is a tremendous amount of new content produced each month, being an online mag. FP saves a lot of time on this heavy production. No need to learn html or cgi for the workstations... just type it and publish it... done. Thus, there is an immediate need until another way is found.
>
> Frontpage is running just fine at the moment on a server with Apache-1.23 (and earlier 1.22 and 1.20), but once trying to move to the Apache-1.24+ssl... no frontpage extensions. No doubt I'm missing some ingredient, but as I said in the previous post, EVERY install of Apache+FP version seems to be different. Even if I start Apache-1.24 without ssl, I cannot load the darn extensions. Suspect it has to do with permissions but, if I knew the answer to that, I'd be able to fix it.
>
> My long workaround until I solve this FP thing is to run the FP domains on the Apache-1.23+FP and the Apache+ssl on another server using a separate domain which provides the secure website for processing online orders. But, it means forwarding the traffic from the HTTP server to the HTTPS server and any pages produced by FP will have to be FTP'd. For some reason, the order pages containing FP bots still work once loaded, even though the FP extensions are not loaded... kinda scares me though and is why I still want to find the answer to loading the extensions.
>
> BTW, I have not been able to get /server-status or /server-info to work either. It tries to run, but answers with "you don't have permissions" and I'm running ROOT!!!
>
> At 09:55 AM 4.13.2002 -0500, Andrew Lietzow wrote:
>
> > Dear Server Admin,
> >
> > RE: "Please just a little more help from anyone who is trying to run frontpage with apache+ssl-1.24./2.8.8. This is maddening"
> >
> > --- I'm sorry that I cannot help you but I share the sentiments of another ISP -- running FrontPage is NOT something he allows his hosted domains to do. If they want to run FrontPage extensions, he simply declines hosting their pages because he needs his Apache server to be very stable. He shared with me recently that he hosts over 2,000 domains.
> >
> > Is it possible that you are trying to use a product with Apache that it wasn't designed to support? Perhaps you would have better luck with IIS? I don't know but I HOPE there can be some discussion of this on this list server. Maybe I need to shift my focus because I'm missing out on valuable functionality? e.g. I would like to find a WYSIWYG HTML editor, but if it means that the web server has to support special extensions that crash the server, then how can this be a good thing? Talk to me Server Admin, or mod_ssl list.
> >
> > Fortunately, I just downloaded Apache 2.0.35, ran ./configure and it's up and running on SuSE Linux 7.3 with but a couple of whimpers. (I'll be doing the same on my RH servers soon, but they are production servers.) Now, even /server-status works and I had not been able to get that going with 1.3.XX. It worked right out of the tarball; the first time! Congratulations, Apache and mod_ssl folks! (Now, if I can just apply my CERT again, without a glitch.)
> >
> > So Server Admin, your statement was my experience over much of the past 16 years when working with proprietary source vendors. This is maddening. I made a choice to join the GNU/GPL generation and I'm not turning back unless I hit a block wall. So far, I wake up every morning seeing an even bigger expanse of open spaces. I'm enjoying the view...
> >
> > Andrew Lietzow
> > The ACL Group, Inc.
>
> our website: http://www.sage-one.net/
>
> Best regards,
> Jack L. Stone
> Server Admin
Re: Problem with Compiling Mod_ssl
You're going to have to recompile the whole thing anyways. And that should well leave the http.conf file alone; you can use yer old, just add in any new directives you will need. To be safe, tar up what you have in case you wanna revert back, or set up the new to go to a nice sweet new spot in the tree.

Thanks,

Ron DuFresne

On Sat, 13 Apr 2002, Server Admin wrote:

> At 02:45 PM 4.12.2002 +0200, you wrote:
>
> > Server Admin wrote:
> >
> > > Owen: I run FBSD 4.5-stable and have tried 5-6 times to install apache+mod_ssl-1.3.24+2.8.8 directly from ports that does all the work, where I simply use "make install clean", but I'm getting the same (or similar) error message, but don't have a clue as to how to do the re-compile. Could you please point me to the "...the INSTALL document in the mod_ssl distro is quite good..." that you refer to. I'm desperate to set up a secure server as time is of the essence. Does mod_ssl install that document in the /usr/local/share/ directory during the install.
> > >
> > > To be more specific, here is the error I get:
> > >
> > > ==
> > > [Wed Apr 10 18:26:46 2002] [warn] Loaded DSO libexec/apache/libphp4.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI)
> > > [Wed Apr 10 18:26:46 2002] [warn] Loaded DSO libexec/apache/mod_frontpage.so uses plain Apache 1.3 API, this module might crash under EAPI! (please recompile it with -DEAPI)
> > > ==
> >
> > When you untar the mod_ssl distro it's right there in the top directory.
> >
> > Here are my notes from the last time I installed plain statically compiled apache+mod_ssl (this is version 1.3.14 - just change the numbers and the installation paths to suit your distro):
> >
> > Installing Apache 1.3.14 with mod_ssl and mm
> > ---
> > (see http://www.modssl.org/example/)
> >
> > - Get the sources:
> >   - www.apache.org              -- apache_1.3.14.tar.gz
> >   - ftp://ftp.openssl.org       -- openssl-0.9.6.tar.gz
> >   - www.modssl.org              -- mod_ssl-2.7.1-1.3.14.tar.gz
> >   - www.engelschall.com/sw/mm/  -- mm-1.1.3.tar.gz
> > - Save all these in /home/obo/downloads/tar_files
> >
> >   # cd /home/apache
> >   # gzip -d -c /home/obo/downloads/tar_files/apache_1.3.14.tar.gz | tar xvf -
> >   # gzip -d -c /home/obo/downloads/tar_files/openssl-0.9.6.tar.gz | tar xvf -
> >   # gzip -d -c /home/obo/downloads/tar_files/mod_ssl-2.7.1-1.3.14.tar.gz | tar xvf -
> >   # gzip -d -c /home/obo/downloads/tar_files/mm-1.1.3.tar.gz | tar xvf -
> >
> > - Need to add perl and ar to the path:
> >
> >   # PERL=/usr/local/bin/perl
> >   # export PERL
> >   # PATH=$PATH:/usr/local/bin:/usr/ccs/bin
> >   # export PATH
> >
> > - First, compile MM:
> >
> >   # cd mm-1.1.3
> >   # ./configure --prefix=/home/apache/mm
> >   # make
> >   # make test
> >   # make install
> >
> > - All the files are untarred, so we go to openssl-0.9.6:
> >
> >   # cd ../openssl-0.9.6
> >   # ./Configure solaris-sparcv9-gcc --prefix=/home/apache
> >   # make clean
> >   # make
> >
> > - Switch to the mod_ssl directory and configure it:
> >
> >   # cd ../mod_ssl-2.7.1-1.3.14
> >   # ./configure --with-apache=../apache_1.3.14 --with-ssl=../openssl-0.9.6 --prefix=/home/apache
> >
> > - Switch to the apache directory:
> >
> >   # cd ../apache_1.3.14
> >   # SSL_BASE=../openssl-0.9.6
> >   # export SSL_BASE
> >   # ./configure --enable-module=ssl --prefix=/home/apache
> >   # make
> >   # make install
>
> Many thanks, Owen, for the details of your last install. But, on FBSD, if I already have Apache-1.23+OpenSSL+other mods all set on a server, what would be the same syntax details to just add the mod_ssl-2.8.7-1.3.23.tar.gz so not to mess up the existing setup that has a number of vhosts already.
>
> Thanks for your patience with my questions
>
> Best regards,
> Jack L. Stone
> Server Admin
RE: modssl for Apache 2.0
Lookin at it now. So, are compile directives pretty much the same, as for pointing at the ssl source and mm source trees? The docs are not as clear on this as Ralf has them in the mod-ssl structures *smile*.

Thanks,

Ron DuFresne

On Thu, 11 Apr 2002, Cliff Woolley wrote:

> On Thu, 11 Apr 2002, R. DuFresne wrote:
>
> > When is apache 2.0 coming out of beta and into primetime?
>
> How did you manage to miss the party? :) It went GA last week with the release of 2.0.35.
>
> --Cliff
RE: modssl for Apache 2.0
When is apache 2.0 coming out of beta and into primetime?

Thanks,

Ron DuFresne

On Thu, 11 Apr 2002, George Walsh wrote:

> Chuck:
>
> With Apache 2.0, mod_ssl is a part of the 'whole'. The build is a far simpler process, and the server, at least in my experience, is much crisper in terms of response.
>
> As for windows, that is NOT my cup of tea. We are a Micro-soft Free zone here, so I cannot comment on the peculiarities you might experience in your environment. I really do not know why you would want to run a secure server on top of a windows box, but then I admit to a happy ignorance about it, at least :-)
>
> George
>
> > I see all the activity on the list about Apache 2.0 and modssl. Where can I get the necessary stuff for Apache 2.0? I don't see it on the modssl, openssl or Apache web sites. I need to get ssl up on Apache on Windows 2000.
> >
> > Chuck
Re: Build SSL on Access Remote Database
You bastion host the webserver, then bastion host the mysql box, and put it either on a separate DMZ, or at least a separate host, and only allow it to talk to the mysql db, and you bastion host the firewall, and only allow http requests to the webserver in the DMZ. 'Tis the standard way to deal with these beasts. It helps too if you have a screening router dropping most everything through the firewall to the webserver also. It costs a tad more to add all the sec stuffs, but, then intel boxen are pretty cheap. And one can NAT the backend...

Thanks,

Ron DuFresne

On Thu, 28 Mar 2002, Bruno Georges wrote:

> Nick,
>
> I don't want to be pedantic but, just a quick comment. Having MYSQL behind the DMZ won't prevent people from breaking into it. If someone can pass through your firewall it'll be quite easy for that person to get the Mysql username and password from your php code and access the data you try to protect using a DMZ. As a result I would keep MYSQL where you have the WEBSERVER; it'll be faster and as secure. Saying that, I assume that the MYSQL db server is not accessed behind the DMZ; if this is the case, yes, you'd better keep it protected.
>
> Hope that makes sense.
>
> Bruno Georges
>
> Nick Miles wrote:
>
> > Sorry, seem to be confusing people here. I was trying to say it would be faster behind the firewall than the way he is approaching it at present. Currently he has:
> >
> >                       MYSQL
> >                         |
> >   USER -| INTERNET |- WEBSERVER
> >
> > where he wants to securely connect to MySQL from the webserver. I'm saying performance and security would be better as:
> >
> >   USER -| INTERNET |-| FIREWALL |- WEBSERVER -| DMZ |- MYSQL
> >
> > or combinations thereof. Hope that makes sense :/
> >
> > Nick
> >
> > Quoting David Marshall [EMAIL PROTECTED]:
> >
> > > > Obviously it should be said that no matter what, this set up would be more dangerous than having a MySQL server behind the firewall where the apache/php server is hosted; also it would be terribly slow.
> > >
> > > Depending on your firewall, performance does not have to be slow. Firewalls must be sized for the load, just like servers. We run a CISCO ArrowPoint Load Balancing CSS in front of Apache 1.3.19 Mod_SSL (StrongHold 3 build 3014). We run a CISCO PIX 520 between Apache and WebLogic 5.1. We run a CISCO PIX 535 between Weblogic and Oracle 8i without performance issues. The Oracle datafiles are on a Net Appliance Filer, with a 1GB ethernet from Oracle to the Filer.
> > >
> > > David
Re: How does mod_ssl work with Apache?
If you built apache with modssl support (read the FAQ on how to do this if you have not), and have set up your httpd.conf file properly (again, read the FAQ on particulars, as well as going over the default httpd.conf file supplied once apache is compiled with modssl support), then you start apache like thus:

  apachectl startssl

There are variations on this theme, but this is the standard way to get apache up with ssl enabled once properly compiled and configured.

Hope this helps,

Ron DuFresne

On Tue, 19 Mar 2002, Søren Neigaard wrote:

> I have Apache running on port 80, and I want to SSL enable one of my VirtualHosts. I don't even know how to start mod_ssl properly. I found the following command somewhere in an example, but I'm not sure what it does, and right now it doesn't work (as I remember it has started before without errors), but this is what it says now:
>
>   openssl s_client -connect 192.168.1.4:443
>   connect: Connection refused
>   connect:errno=61
>
> Why? Am I trying to connect to a wrong port? I really need some hints here please.
>
> --
> Med venlig hilsen/Best regards,
> Søren Neigaard
> mailto:[EMAIL PROTECTED]
> --
> One finds limits by pushing them.
Re: Re[2]: How does mod_ssl work with Apache?
Welcome, my pleasure.

Thanks,

Ron DuFresne

On Tue, 19 Mar 2002, Søren Neigaard wrote:

That helped a lot, thanks :)

/Søren

Tuesday, March 19, 2002, 7:11:15 PM, R. wrote:

If you built Apache with mod_ssl support (read the FAQ on how to do this if you have not), and have set up your httpd.conf file properly (again, read the FAQ on the particulars, as well as going over the default httpd.conf file supplied once Apache is compiled with mod_ssl support), then you start Apache like this:

    apachectl startssl

There are variations on this theme, but this is the standard way to get Apache up with SSL enabled once properly compiled and configured.

Hope this helps,

Ron DuFresne

On Tue, 19 Mar 2002, Søren Neigaard wrote:

I have Apache running on port 80, and I want to SSL-enable one of my VirtualHosts. I don't even know how to start mod_ssl properly. I found the following command somewhere in an example, but I'm not sure what it does, and right now it doesn't work (as I remember, it has started before without errors), but this is what it says now:

    openssl s_client -connect 192.168.1.4:443
    connect: Connection refused
    connect:errno=61

Why? Am I trying to connect to a wrong port? I really need some hints here, please.
Re: [BugDB] mod_ssl segfaults under Solaris 2.8 (PR#671)
On Sun, 10 Mar 2002 [EMAIL PROTECTED] wrote:

On Sun, Mar 10, 2002 at 09:04:04AM +0100, [EMAIL PROTECTED] wrote:

Full_Name: Ari D Jordon
Version: 2.8.7
OS: Solaris 2.8
Submission from: (NULL) (68.49.144.213)

Using Apache 1.3.23, starting httpd with -DSSL immediately segfaults. Post mortem revealed it was dying in ssl_cmd_SSLEngine, specifically in that mySrvConfig() was returning 0. Not quite sure if this is a problem with mod_ssl or Apache itself, as mySrvConfig is a define for ap_get_module_config. Any suggestions would be appreciated.

Are you using the engine version of OpenSSL? Unless you have a supported crypto accelerator, you shouldn't be using the engine version.

But it should not make a difference if he is, should it? The documentation for the engine version states:

NOTES
=====
openssl-engine-0.9.6.tar.gz does not depend on openssl-0.9.6.tar, you do not need to download both. openssl-engine-0.9.6.tar.gz is usable even if you don't have an external crypto device. The internal OpenSSL functions are contained in the engine openssl, and will be used by default. No external crypto device is chosen unless you say so. You have to actively tell the openssl utility commands to use it through a new command line switch called -engine. And if you want to use the ENGINE library to do something similar, you must also explicitly choose an external crypto device, or the built-in crypto routines will be used, just as in the default OpenSSL distribution.

So the engine version should be compatible with the non-engine version, unless there has been something I have missed in the list here or elsewhere?

Thanks,

Ron DuFresne
Re: SSL Hardware acceleration questions . . .
If the tarball still exists upon the server, then one would gain a clue via ls:

    openssl-engine-0.9.6b.tar.gz

If the tarball was rm'ed but the sources exist, again a search would tell:

    /usr/local/src/installed/web/openssl-engine-0.9.6b/apps
    /usr/local/src/installed/web/openssl-engine-0.9.6b/apps/apps.c
    /usr/local/src/installed/web/openssl-engine-0.9.6b/apps/apps.h
    /usr/local/src/installed/web/openssl-engine-0.9.6b/apps/apps.o
    /usr/local/src/installed/web/openssl-engine-0.9.6b/apps/app_rand.c
    /usr/local/src/installed/web/openssl-engine-0.9.6b/apps/app_rand.o
    etc...

Else one might get a clue via the ssl install location, perhaps looking at the include files (I'm guessing here):

    /usr/local/ssl/include/openssl/engine.h

I'm thinking if the engine version was not installed this header file might be lacking; folks without the engine version will have to confirm. Of course, much of this stuff might well, and should, be missing from a running exposed system. But I'm also guessing there are differences in the sizes of the binaries that are generated, suspecting the engine version to be somewhat larger. I'm not going to take the time here to build a non-engine version to verify; I'll leave that to someone else. Additionally, this might well give a clue; the maintainers of the OpenSSL code would be able to verify:

    strings openssl | grep engine

Thanks,

Ron DuFresne

On Fri, 8 Mar 2002, Amir Abiri wrote:

From: lgazis [EMAIL PROTECTED]

I'm not sure how you tell, from the Apache end, whether Apache was built with the engine version of OpenSSL or not.

httpd -V ?
Advisory 012002: PHP remote vulnerabilities (fwd)
Considering the plethora of PHP users on the list, and the fact that many are perhaps not reading bugtraq:

-- Forwarded message --
From: [EMAIL PROTECTED]
Subject: Advisory 012002: PHP remote vulnerabilities
Date: Wed, 27 Feb 2002 12:30:56 +0100
To: [EMAIL PROTECTED], [EMAIL PROTECTED]

e-matters GmbH www.e-matters.de
-= Security Advisory =-

Advisory: Multiple Remote Vulnerabilities within PHP's fileupload code
Release Date: 2002/02/27
Last Modified: 2002/02/27
Author: Stefan Esser [[EMAIL PROTECTED]]
Application: PHP v3.10-v3.18, v4.0.1-v4.1.1
Severity: Several vulnerabilities in PHP's fileupload code allow remote compromise
Risk: Critical
Vendor Status: Patches Released
Reference: http://security.e-matters.de/advisories/012002.html

Overview:
We found several flaws in the way PHP handles multipart/form-data POST requests. Each of the flaws could allow an attacker to execute arbitrary code on the victim's system.

Details:
PHP supports multipart/form-data POST requests (as described in RFC1867), known as POST fileuploads. Unfortunately there are several flaws in the php_mime_split function that could be used by an attacker to execute arbitrary code. During our research we found out that not only PHP4 but also older versions from the PHP3 tree are vulnerable. The following is a list of bugs we found:

PHP 3.10-3.18
- broken boundary check (hard to exploit)
- arbitrary heap overflow (easily exploitable)
PHP 4.0.1-4.0.3pl1
- broken boundary check (hard to exploit)
- heap off by one (easily exploitable)
PHP 4.0.2-4.0.5
- 2 broken boundary checks (one very easy and one hard to exploit)
PHP 4.0.6-4.0.7RC2
- broken boundary check (very easy to exploit)
PHP 4.0.7RC3-4.1.1
- broken boundary check (hard to exploit)

Finally I want to mention that most of these vulnerabilities are exploitable only on Linux or Solaris. But the heap off by one is only exploitable on x86 architecture, and the arbitrary heap overflow in PHP3 is exploitable on most OS and architectures. (This includes *BSD)

Users running PHP 4.2.0-dev from cvs are not vulnerable to any of the described bugs because the fileupload code was completely rewritten for the 4.2.0 branch.

Proof of Concept:
e-matters is not going to release exploits for any of the discovered vulnerabilities to the public.

Vendor Response:
Because I am part of the PHP developer team there is not much I can write here... 27th February 2002 - An updated version of PHP and the patch for these vulnerabilities are now available at: http://www.php.net/downloads.php

Recommendation:
If you are running PHP 4.0.3 or above, one way to work around these bugs is to disable the fileupload support within your php.ini (file_uploads = Off). If you are running PHP as a module, keep in mind to restart the webserver. Anyway, you should better install the fixed or a properly patched version to be safe.

Side note:
This advisory is so short because I don't want to give out more info than is needed. Users running the developer version of PHP (4.2.0-dev) are not vulnerable to these bugs because the fileupload support was completely rewritten for that branch.

GPG-Key: http://security.e-matters.de/gpg_key.asc
pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam
Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6

Copyright 2002 Stefan Esser. All rights reserved.
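The advisory above is about boundary handling in PHP's multipart/form-data parser. What follows is an added example, not code from the advisory, from PHP or from anyone on the list: a small strict parser for the same format in Python, written so that every read is bounded by an explicit search and a body that is truncated, oversized or otherwise off-grammar is rejected instead of being read past its end. The RFC 2046 boundary limits are real; the MAX_HEADER_BYTES and MAX_PARTS caps, the function names and the sample request body are this example's own choices.

```python
"""Strict multipart/form-data (RFC 1867 / RFC 2046) parser; added example.

Every slice is bounded by an explicit find(); a body whose part is not
closed by a boundary is refused rather than read to (or past) its end.
"""
import posixpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_BOUNDARY_LEN = 70      # RFC 2046 5.1.1: boundary is 1 to 70 characters
MAX_HEADER_BYTES = 8192    # assumption: cap on one part's header block
MAX_PARTS = 64             # assumption: cap on parts per request
_BCHARS = re.compile(r"[A-Za-z0-9'()+_,\-./:=? ]{1,70}")   # RFC 2046 bchars


class MultipartError(ValueError):
    """Raised for any body that does not strictly match the grammar."""


@dataclass
class Part:
    name: Optional[str]
    filename: Optional[str]    # basename only; client-supplied directories dropped
    content_type: str
    headers: Dict[str, str]
    data: bytes


def boundary_from_content_type(header: str) -> bytes:
    """Extract and validate the boundary parameter of a Content-Type value."""
    m = re.match(r"\s*multipart/form-data\s*;(.*)$", header, re.I | re.S)
    if not m:
        raise MultipartError("not multipart/form-data")
    bm = re.search(r'boundary=(?:"([^"]+)"|([^;\s]+))', m.group(1), re.I)
    if not bm:
        raise MultipartError("missing boundary parameter")
    boundary = bm.group(1) or bm.group(2)
    if not _BCHARS.fullmatch(boundary) or boundary.endswith(" "):
        raise MultipartError("boundary violates RFC 2046 syntax or length")
    return boundary.encode("ascii")


def _parse_headers(raw: bytes) -> Dict[str, str]:
    """Parse 'Name: value' lines of one part; names are lower-cased."""
    headers: Dict[str, str] = {}
    for line in raw.split(b"\r\n") if raw else []:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise MultipartError("malformed part header: %r" % line[:40])
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def _disposition_params(value: str) -> Dict[str, str]:
    """Parameters of a Content-Disposition value, e.g. name="f"; filename="x"."""
    params: Dict[str, str] = {}
    for key, quoted, bare in re.findall(
            r';\s*([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]*)"|([^;\s]*))', value):
        params[key.lower()] = quoted if quoted else bare
    return params


def parse_multipart(body: bytes, boundary: bytes) -> List[Part]:
    """Split body into parts, refusing anything not closed by a boundary."""
    delim = b"--" + boundary
    if body.startswith(delim):
        pos = len(delim)
    else:                                    # RFC 2046 allows a preamble
        first = body.find(b"\r\n" + delim)
        if first < 0:
            raise MultipartError("opening boundary not found")
        pos = first + 2 + len(delim)
    parts: List[Part] = []
    while True:                              # invariant: pos is just past a delimiter
        if body[pos:pos + 2] == b"--":       # closing delimiter; epilogue is ignored
            return parts
        while body[pos:pos + 1] in (b" ", b"\t"):   # RFC 2046 transport padding
            pos += 1
        if body[pos:pos + 2] != b"\r\n":     # a short slice at EOF fails here too
            raise MultipartError("boundary not followed by CRLF or '--'")
        pos += 2
        hdr_end = body.find(b"\r\n\r\n", pos - 2)   # pos-2 so an empty header block is found
        if hdr_end < 0:
            raise MultipartError("unterminated part headers")
        if hdr_end - pos > MAX_HEADER_BYTES:
            raise MultipartError("part header block too large")
        headers = _parse_headers(body[pos:hdr_end] if hdr_end > pos else b"")
        data_start = hdr_end + 4
        nxt = body.find(b"\r\n" + delim, data_start)
        if nxt < 0:                          # no closing boundary: fail closed
            raise MultipartError("part body not terminated by a boundary")
        if len(parts) >= MAX_PARTS:
            raise MultipartError("too many parts")
        disp = _disposition_params(headers.get("content-disposition", ""))
        filename = disp.get("filename")
        if filename is not None:             # never trust a client-supplied path
            filename = posixpath.basename(filename.replace("\\", "/"))
        parts.append(Part(disp.get("name"), filename,
                          headers.get("content-type", "text/plain"),
                          headers, body[data_start:nxt]))
        pos = nxt + 2 + len(delim)


def is_rejected(body: bytes, boundary: bytes) -> bool:
    """True if the parser refuses the body (shows the fail-closed path)."""
    try:
        parse_multipart(body, boundary)
    except MultipartError:
        return True
    return False


# Constructed sample request: one text field and one upload with a hostile filename.
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=----ex7f3a"
SAMPLE_BODY = (
    b"------ex7f3a\r\n"
    b'Content-Disposition: form-data; name="title"\r\n'
    b"\r\n"
    b"hello\r\n"
    b"------ex7f3a\r\n"
    b'Content-Disposition: form-data; name="upload"; filename="../../etc/passwd"\r\n'
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"line1\r\nline2\r\n"
    b"------ex7f3a--\r\n"
)

if __name__ == "__main__":
    bnd = boundary_from_content_type(SAMPLE_CONTENT_TYPE)
    for p in parse_multipart(SAMPLE_BODY, bnd):
        print(p.name, p.filename, p.content_type, p.data)
    print("truncated body rejected:", is_rejected(SAMPLE_BODY[:-20], bnd))
```

The two checks that matter are the ones the advisory's bug list is about: the boundary is validated for length and character set before it is ever searched for, and a part whose closing boundary is absent raises rather than being copied out to the end of the buffer. The filename is also reduced to a basename before it is returned, so a client-supplied ../ path cannot steer where an upload lands.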
Re: the same virtualhost with http and https?
On Fri, 15 Feb 2002, Matus fantomas Uhlar wrote:

- I'd like to know, how does mod_ssl decide which port is SSL and which one is non-SSL? If I bind Apache to two ports, how to tell which one should be used for SSL connects and which one for non-SSL connects?
-
- Apache is the process - mod_ssl is just a module. Only port 80 is listened to by default by Apache, so to get SSL to work you must explicitly say Listen 443.

Yes, I know that :) The question is - how will mod_ssl know that it should process connections on port 443 and not on port 80?

For one, it's a standard well-known port:

    darkstar:~# grep 443 /etc/services
    https 443/tcp https # http protocol over TLS/SSL

For two, it would most likely be part of your httpd.conf, with the Listen directive. Get to know your /etc/services file and know it well, and if you do not have one, or have a sparse one, do a google search; the well-known port/protocol combos are well documented on various URLs out there...

- Another question. If I run http on port 80 and https on port 443, and I define only one virtualhost:
-
- <VirtualHost ip.address>
- ServerName blablabla
- </VirtualHost>
-
- will that virtualhost be available via both ports/protocols?
-
- I guess so... but this is not a good idea since SSL requires lots of extra directives (like SSLEngine on) - how they would interact with the HTTP host is not obvious...

Hmmm. I think I can put generic SSL directives into the server's config and none special are _required_ for virtualhosts. I just have some virtualhosts and wish to give access to all of them without reconfiguring them. And that about SSLEngine was exactly what I wanted to know. Could I turn SSLEngine on for all connections to one port and turn it off for all connections on the other port?

Have you actually parsed through the default httpd.conf file that is installed when you compile the openssl/mod_ssl/apache combo (some folks will add MM in that combo)? It's pretty well documented, and reading through it as one parses the FAQ and other documentation included is always a good starting point.

- Or, do I need to define two virtualhosts, one on port 80 without SSL and one on 443 with SSL?
-
- This is a much better idea - keep the SSL and HTTP hosts completely separate, you will sleep better.

Thanks,

Ron DuFresne
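The two threads above (the "Connection refused" from openssl s_client, and the question of which port a VirtualHost ends up speaking TLS on) come down to the same two configuration checks: is Apache listening on the port you are pointing at, and does each VirtualHost have SSLEngine on for the port it will actually receive connections on. The following is an added example, not from the thread or from Apache/mod_ssl: a Python audit of an httpd.conf text that extracts the Listen ports and the VirtualHost blocks and reports the mismatches discussed above. It assumes, as the thread does, that a <VirtualHost> with no port applies to every listened port; the sample configurations and the wording of the findings are constructed for this example.

```python
"""Audit Listen ports against VirtualHost/SSLEngine settings in an httpd.conf.

Added example (not Apache/mod_ssl code). Assumption: a <VirtualHost> without
a port matches every Listen port, which is the case the thread asks about.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

HTTP_PORT, HTTPS_PORT = 80, 443      # the well-known ports from /etc/services
_LISTEN = re.compile(r"^\s*Listen\s+(\S+)", re.I | re.M)
_VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)


@dataclass
class VHost:
    addr: str
    port: Optional[int]        # None: no port given in <VirtualHost ...>
    ssl_engine: bool           # SSLEngine on inside this block
    server_name: Optional[str]


@dataclass
class Audit:
    listen: Set[int] = field(default_factory=set)
    vhosts: List[VHost] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def _strip_comments(text: str) -> str:
    """Apache comments are whole lines whose first non-blank char is '#'."""
    return "\n".join("" if ln.lstrip().startswith("#") else ln
                     for ln in text.splitlines())


def _addr_port(spec: str, bare_number_is_port: bool) -> Tuple[str, Optional[int]]:
    """Split '443', '*:443', '192.168.1.4:443', '[::1]:443' or '192.168.1.4'."""
    if spec.isdigit():
        return ("*", int(spec)) if bare_number_is_port else (spec, None)
    if spec.startswith("["):                         # IPv6 literal
        host, _, rest = spec.partition("]")
        host = host + "]"
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, sep, port = spec.rpartition(":")
        if not sep:
            host, port = spec, ""
    if port in ("", "*"):
        return host, None
    if not port.isdigit():
        raise ValueError("bad port in %r" % spec)
    return host, int(port)


def audit_httpd_conf(conf: str) -> Audit:
    """Collect Listen ports and VirtualHosts, then report port/TLS mismatches."""
    text = _strip_comments(conf)
    audit = Audit()
    for m in _LISTEN.finditer(text):
        _, port = _addr_port(m.group(1), bare_number_is_port=True)
        if port is None:
            audit.findings.append("Listen %s: no port given" % m.group(1))
        else:
            audit.listen.add(port)
    for m in _VHOST.finditer(text):
        block = m.group(2)
        eng = re.search(r"^\s*SSLEngine\s+(on|off)\b", block, re.I | re.M)
        name = re.search(r"^\s*ServerName\s+(\S+)", block, re.I | re.M)
        for spec in m.group(1).split():
            addr, port = _addr_port(spec, bare_number_is_port=False)
            audit.vhosts.append(VHost(addr, port,
                                      bool(eng and eng.group(1).lower() == "on"),
                                      name.group(1) if name else None))
    by_port: Dict[int, List[VHost]] = {}
    for vh in audit.vhosts:
        label = vh.server_name or vh.addr
        if vh.port is not None and vh.port not in audit.listen:
            audit.findings.append(
                "%s: VirtualHost on port %d but no Listen %d, so clients get "
                "'connection refused'" % (label, vh.port, vh.port))
        for p in ({vh.port} if vh.port is not None else audit.listen):
            by_port.setdefault(p, []).append(vh)       # port-less vhost: all ports
    for p in sorted(by_port):
        modes = {vh.ssl_engine for vh in by_port[p]}
        if len(modes) > 1:
            audit.findings.append("port %d: mixes SSLEngine on and off VirtualHosts; "
                                  "keep TLS and plain HTTP on separate ports" % p)
        if p == HTTP_PORT and True in modes:
            audit.findings.append("port 80: SSLEngine on, i.e. TLS on the plain-HTTP port")
        if p == HTTPS_PORT and False in modes:
            audit.findings.append("port 443: a VirtualHost without SSLEngine on "
                                  "serves plain HTTP on the https port")
    return audit


# Constructed configurations: the s_client "Connection refused" case, the single
# port-less VirtualHost asked about above, and the recommended separated layout.
CONF_NO_LISTEN_443 = """
Listen 80
<VirtualHost 192.168.1.4:443>
    ServerName secure.example.test
    SSLEngine on
</VirtualHost>
"""
CONF_PORTLESS_VHOST = """
Listen 80
Listen 443
<VirtualHost 192.168.1.4>
    ServerName www.example.test
    SSLEngine on
</VirtualHost>
"""
CONF_SEPARATED = """
Listen 80
Listen 443
<VirtualHost 192.168.1.4:80>
    ServerName www.example.test
</VirtualHost>
<VirtualHost 192.168.1.4:443>
    ServerName www.example.test
    SSLEngine on
    # certificate and key directives go here
</VirtualHost>
"""

if __name__ == "__main__":
    for label, conf in [("no Listen 443", CONF_NO_LISTEN_443),
                        ("port-less vhost", CONF_PORTLESS_VHOST),
                        ("separated", CONF_SEPARATED)]:
        a = audit_httpd_conf(conf)
        print(label, "listen=%s" % sorted(a.listen), a.findings or "OK")
```

The first sample reproduces the s_client symptom: SSLEngine on in a :443 VirtualHost with no Listen 443, so nothing ever accepts the connection. The second is the port-less VirtualHost from the thread: with Listen 80 and Listen 443 both present it applies to both ports, and SSLEngine on therefore lands on port 80 as well. The third is the separate-hosts layout recommended above and produces no findings.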
Re: https without certificate
On Mon, 11 Feb 2002, Mathieu Arnold wrote:

Ralf S. Engelschall wrote:

In article [EMAIL PROTECTED] you wrote:

I was wondering if it may be possible to configure mod_ssl to do crypto with no certificate.

No.

Too bad. I know that it should be possible because certificates are just a way to authenticate the server, not to establish the crypto.

No, the server certificate is also important and required for the secure exchange of the cryptography parameters of SSL/TLS. Without this, the client and server would not be able to securely exchange the necessary symmetric encryption parameters.

Well, that's right, but, if I don't really care about that much security and would just like some crippled http to get rid of young kiddies?

chuckle Well, ya could always banner-up: Warning, no one underage allowed! rofl

Thanks,

Ron DuFresne
Re: SSL Pass phrase
Sounds like perhaps you fat-fingered it while entering it, or are not using the caps or special chars you did when you entered it. It's case sensitive, so caps count, special chars count. Did you start the passphrase, typo, then backspace? If so, try that exact sequence and see if it works for ya. Barring that, your quickest fix is to redo the certs...

Thanks,

Ron DuFresne

On Sat, 9 Feb 2002, Scott Taylor wrote:

I believe I have successfully configured Apache/PHP/mod_ssl/openssl on Red Hat 7.2. When starting SSL with ./apachectl startssl I get:

    Server localhost.localdomain:443 (RSA)
    Enter pass phrase:

I put my password in and get:

    Apache:mod_ssl:Error: Pass phrase incorrect

I thought that this was the pass phrase I entered when making the certificate. I am sure I knew (and still believe) the correct pass phrase. However, is there a way of finding out from my system files? I have tried to understand the typically obscure instructions that come with software but have failed. Is it

    openssl rsa -noout -text -in server.key

where server.key is the file in the /apache/conf/ssl.key directory? The result is:

    read RSA key
    Enter PEM pass phrase:

I enter the password and get:

    unable to load key
    14555:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:277:
    14555:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:451:

If someone has an answer, could they please tell me exactly where I should run the relevant command. Please help.

Regards,
Scott
Re: libssl.so won't load
Dale,

You may be running into the ld.so issue that faced a few Sun admins trying to install mod_ssl on those systems recently. This would require an update of your system's ld.so setup similar to theirs. The man pages for AIX should give you a clue as to the ways to do this for your AIX system (a symlink from the out-of-bounds shared mod_ssl lib to the standard ld.so lib dirs, the environment variable LD_LIBRARY_PATH, fixing the cache file /etc/ld.so.cache, etc.); as well, look at the archives of the past few weeks on these issues for those Sun users.

Hope this helps,

Thanks,

Ron DuFresne

On Fri, 8 Feb 2002, Dale Weaver wrote:

I have an AIX server running 4.3.3. I have installed openssl-0.9.6.3, Apache 1.3.19 and mod_ssl 2.8.2.0. All installed fine; however, when I try to start the server I get the errors:

    Syntax error on line 236 of /etc/apache/httpd.conf:
    Cannot load /usr/local/lib/apache/libssl.so into server: 0509-022 Cannot load module /usr/local/lib/apache/libssl.so.
    0509-150 Dependent module /usr/local/lib/libssl.a(libssl.so) could not be loaded.
    0509-152 Member libssl.so is not found in archive
    0509-022 Cannot load module /usr/local/lib/libssl.a.
    0509-150 Dependent module /usr/local/lib/libssl.a could not be loaded
Re: How do I create a un-encrypted private key (without pass phrase)?
On Wed, 6 Feb 2002, Cliff Woolley wrote:

On Wed, 6 Feb 2002, Owen Boyle wrote:

Having a password means that no-one can use your certificate - even if they obtain a copy of it. They can load the cert into their server but it won't let the server come up unless they know the password. The downside is that you have to type in the password personally to start Apache. Tricks like putting the password in a program and so on just shift the risk - the hacker just needs to grab the program. My personal tuppence-worth is that if you have a machine where there is a risk that hackers can steal root-privileged files then you should not be running it as an SSL web-server (if they can steal a cert, they can steal your customers' private data - exposing you to a liability issue). So if you protect your server to the utmost, you have no need of a password-protected certificate.

s/certificate/private key/g, and this matches my sentiments exactly. Passphrases just give a false sense of security.

Cool, since the vast majority of websites are run insecurely, and most folks putting up a server install all the little toys and trinkets of the underlying OS distributions they choose to run, and since many of these sites run insecure off-the-shelf freebie scripts, just give out the most insecure pointers they can actually allow, and make the issue of security of any aspect for them a moot point.

Thanks,

Ron DuFresne
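The pass-phrase thread above and this one both turn on what the key file itself tells you. The following is an added example, not from either thread or from OpenSSL/mod_ssl: a Python check that reads an Apache/mod_ssl private-key file, reports whether it is pass-phrase protected (OpenSSL marks an encrypted traditional PEM key with a "Proc-Type: 4,ENCRYPTED" line and a "DEK-Info:" line naming the cipher, and an encrypted PKCS#8 key with a "BEGIN ENCRYPTED PRIVATE KEY" header), and flags an unencrypted key that anyone but its owner can read. The file does not store the pass phrase, so a forgotten one cannot be read back out of it. The sample files are constructed, contain no real key material, and the function and report names are this example's own.

```python
"""Report whether a PEM private key is pass-phrase protected and who can read it.

Added example (not OpenSSL or mod_ssl code). The PEM markers checked are the
ones OpenSSL writes; the samples below are constructed and hold no real key.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional

_PKCS8_ENCRYPTED = "-----BEGIN ENCRYPTED PRIVATE KEY-----"
_PROC_TYPE = re.compile(r"^Proc-Type:\s*4,\s*ENCRYPTED\s*$", re.M)
_DEK_INFO = re.compile(r"^DEK-Info:\s*([A-Za-z0-9-]+),", re.M)
_KEY_BEGIN = re.compile(r"^-----BEGIN (RSA |DSA |EC |ENCRYPTED )?PRIVATE KEY-----$", re.M)


@dataclass
class KeyReport:
    path: str
    encrypted: bool
    cipher: Optional[str]     # DEK-Info cipher for traditional PEM, "PKCS#8" otherwise
    mode: int                 # permission bits only
    findings: List[str]


def inspect_key_file(path: str, expected_uid: int = 0) -> KeyReport:
    """Classify the PEM encryption headers and check ownership and mode."""
    st = os.stat(path)
    with open(path, "r", encoding="latin-1") as fh:
        text = fh.read()
    findings: List[str] = []
    if not _KEY_BEGIN.search(text):
        findings.append("no PEM private-key header found")
    encrypted, cipher = False, None
    if _PKCS8_ENCRYPTED in text:
        encrypted, cipher = True, "PKCS#8"
    elif _PROC_TYPE.search(text):
        encrypted = True
        m = _DEK_INFO.search(text)
        cipher = m.group(1) if m else None
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o: readable by group/other; a key without a pass phrase "
                        "is only as safe as its file permissions" % mode)
    if st.st_uid != expected_uid:
        findings.append("owned by uid %d, expected %d" % (st.st_uid, expected_uid))
    return KeyReport(path, encrypted, cipher, mode, findings)


# Constructed PEM bodies: the header lines are OpenSSL's formats, the base64 is filler.
ENCRYPTED_SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n"
    "\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PLAIN_SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def demo() -> List[KeyReport]:
    """Write the two samples with typical modes into a temp dir and inspect them."""
    d = tempfile.mkdtemp()
    files = [(os.path.join(d, "server.key"), ENCRYPTED_SAMPLE, 0o600),
             (os.path.join(d, "server.nopass.key"), PLAIN_SAMPLE, 0o644)]
    for path, body, mode in files:
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return [inspect_key_file(p, expected_uid=os.getuid()) for p, _, _ in files]


if __name__ == "__main__":
    for r in demo():
        print(r.path, "encrypted" if r.encrypted else "NO PASS PHRASE",
              r.cipher or "", "%o" % r.mode, r.findings or "OK")
```

Run against a real conf/ssl.key directory (with expected_uid left at 0 for a root-owned key), the report answers both questions in the threads: an "Enter pass phrase" prompt at startup means the file carries the ENCRYPTED markers, and a key deliberately stripped of its pass phrase for unattended restarts should show no findings, i.e. mode 0600 or tighter and the expected owner.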
Re: simple name-based virtual host tutorial, PLEASE Now: pleasehelp me to better flame off-topic posters
On Wed, 6 Feb 2002, Eduardo Gomez wrote:

Could someone PLEASE post a simple tutorial on flaming off-topic inappropriate posts that have nothing to do with the list topic?

Haha, that was funny... You're right, I sent this by accident to 2 lists (one is this one). Sorry... I'll see that it doesn't happen again :)

You can lead a horse to google.net, but ya can't make 'em typo in the incorrect search parms...

Thanks,

Ron DuFresne
RE: ssl virtual host IP's
Last time I checked, and perhaps it has been updated and fixed (it was not a few mere weeks ago), Linuxconf was an open security hole waiting for exploitation. You may want to fix that.

Thanks,

Ron DuFresne

On Tue, 5 Feb 2002, Sir SoilentG_kov wrote:

Thanks. FYI, I used Linuxconf instead of ifconfig (newbie here) and it works like a champ.

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Owen Boyle
Sent: Tuesday, February 05, 2002 12:38 AM
To: [EMAIL PROTECTED]
Subject: Re: ssl virtual host IP's

Sir SoilentG_kov wrote:

I've been looking through the mod_ssl users archives and have learned that I can't do SSL on Virtual Hosts that are name based. I've seen that it is possible to use it on Virtual Hosts with IP based.

Correct. Also, port based...

Are these IP based hosts separate computers or can they be Virtual IP's all pointing to the same computer? What I want to do is have two domain names routed to my Linux Web Server and have them both have separate certs. However, I have no clue how I'd go about setting up two IP's that point to the same box... doesn't make sense to me so I'm guessing it's not possible... but would love it if it does.

It is entirely possible. Any single interface card (i.e. the physical device, e.g. eth0) can listen to many IP addresses. On an internet-connected unix machine the basic procedure is:

- obtain two IP addresses (on the same network - e.g. 192.168.1.1 and 192.168.1.2)
- define your two sites in DNS (these two points are done via your ISP usually)
- use ifconfig to make your NIC listen to the two IPs (see man pages for more detail on this command)
- configure Apache to Listen to the two IPs and
- define two VHs for each IP, e.g.

    Listen 192.168.1.1
    <VirtualHost 192.168.1.1>
    ServerName www.site1.com
    DocumentRoot /path/to/site1
    </VirtualHost>

    Listen 192.168.1.2
    <VirtualHost 192.168.1.2>
    ServerName www.site2.com
    DocumentRoot /path/to/site2
    </VirtualHost>

Rgds,

Owen Boyle.
Re: message headers
This may well be the fault of your mail reader, but on the better mail readers (I prefer pine or elm), when it asks how one wishes to reply, choosing "no" on "Use Reply-To: address instead of From: address?" allows one to reply to both the list and the original sender. Why would one really need to Bcc: the list?

Thanks,

Ron DuFresne

On Tue, 5 Feb 2002, Chris Cooper wrote:

Although modification of the subject by inserting an identifier, e.g. [xxx], helps when ppl BCC a copy to the list (not that that has been a problem with this list however ;-)

Re,
Chr!s

Chris Cooper [EMAIL PROTECTED]
Student Service Centre [EMAIL PROTECTED]
Edith Cowan University http://www.ecu.edu.au/
Pearson Street, Churchlands
Tel: +61 8 9273 8652
Fax: +61 8 9273 8000

[EMAIL PROTECTED] 02/05/02 12:11pm

That's a shortcoming on your part though; a proper mail reader can accomplish this chore.

Thanks,

Ron DuFresne
Re: message headers
Filter on this:

    To: [EMAIL PROTECTED]

Thanks,

Ron DuFresne

On Tue, 5 Feb 2002, NickM wrote:

No way, that's something that is a problem for me also. Not every emailer has filtering, esp. web email. Also it is standard practice to have a small key in the subject for visually filtering what's what. It doesn't have to be big, something like [modu], and would not bother those with filters but would allow those without, or not using them, to have something of use.

Thanks,
Nick

Quoting Toomas Aas [EMAIL PROTECTED]:

Hi Eduardo!

On 4 Feb 02 at 12:12 you wrote:

Can this list implement a default header in the subject of all messages that reads like [modssl-users] and THEN the subject?

I prefer it the way it is. I'm spending enough time sorting my mail box out already.

Why? Most modern mail clients let you sort the incoming mail into folders automatically.
Re: message headers
That's a shortcoming on your part though; a proper mail reader can accomplish this chore.

Thanks,

Ron DuFresne

On Tue, 5 Feb 2002, NickM wrote:

As just said, I do not have filtering!! The list is not high traffic enough to concern me terribly, but it would be nice.

Quoting R. DuFresne [EMAIL PROTECTED]:

Filter on this:

    To: [EMAIL PROTECTED]

Thanks,

Ron DuFresne

On Tue, 5 Feb 2002, NickM wrote:

No way, that's something that is a problem for me also. Not every emailer has filtering, esp. web email. Also it is standard practice to have a small key in the subject for visually filtering what's what. It doesn't have to be big, something like [modu], and would not bother those with filters but would allow those without, or not using them, to have something of use.

Thanks,
Nick
RE: [BugDB] IE Problems connecting to mod_ssl server Linux (PR#663)
Carol,

It was my understanding, and perhaps I've misread posts here, that the list here has long advocated this setting for IE issues:

    SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown

Also, for Mozilla problems it has often been advocated to set this in the httpd.conf:

    SetEnvIf User-Agent .*Mozilla.* nokeepalive

There may well be more current settings recommended, but I have not had to deal with such issues and have paid them little heed unless I faced problems specifically related to list recommendations.

Thanks,

Ron DuFresne

On Thu, 31 Jan 2002, Kuczborski, Carol L wrote:

I reported this same issue in the Apache mod_ssl Bug DB over 6 months ago, but received no response. I eventually worked with Oracle Worldwide Support (which packages Apache and mod_ssl with its Oracle9i Application Server) in regards to the errors. The "Cannot find server or DNS error" along with "Page cannot be displayed" errors were not completely eliminated, but greatly reduced. Everything worked fine with Netscape, but not IE. Here was our workable resolution:

I did not completely eliminate the errors, but reduced them quite significantly by making the following changes:

1. Modified httpd.conf as follows (to remove the nokeepalive directive):

    SetEnvIf User-Agent .*MSIE.* ssl-unclean-shutdown

2. Oracle Worldwide Support patched the ApacheModuleSSL.dll file. The patch to ApacheModuleSSL.dll implements a workaround in the code for reading from a socket for WIN32. According to the details for the ApacheModuleSSL.dll patch, there was mention of a bug in the select function in Windows NT 4.0: When checking a socket, if data can be read without blocking, select() returns yes, but when actually reading from the socket with recv(), that function returns WSAEWOULDBLOCK, which says that reading would block. It seems that this problem does not occur in usual operation, but only in an SSL-enabled Apache (mod_ssl or apache-ssl) with https. The code for WIN32 which handles writing to a socket already contains a workaround for this. The code for reading from a socket did not have a workaround. Basically, they added a retry loop so that if a read from the socket failed, it tried the read again.

Carol Kuczborski
EDS - Enabling Business Solutions
MS A6N-B47
13600 EDS Drive
Herndon, VA 20171
phone: +01-703-742-1025 (8-432)
mailto:[EMAIL PROTECTED]
www.eds.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 31, 2002 9:42 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [BugDB] IE Problems connecting to mod_ssl server Linux (PR#663)

Full_Name:
Version:
OS:
Submission from: (NULL) (80.132.185.116)

I'm having some very weird problems getting some IE clients to connect to a mod_ssl-enabled Apache install, and I'm hoping someone has some insight on this beyond what's in the FAQ. The environment is as follows:

Webserver version: [ Apache/1.3.20 (Linux/SuSE 7.3) PHP/4.0.6 mod_ssl/2.8.4 OpenSSL/0.9.6b ]

I have a 128-bit self-made cert installed. I have the complete FAQ fixes in (they were already there, actually) as far as an SSL session cache and the 56-bit export proto being turned off. Clients are Win2K, Win98 with various patched IE 5.5 and Linux with Mozilla and Konqueror. In the case of IE, we have checked all protocols for SSL support. Here's a rough breakdown of what works and what doesn't:

    Linux / Mozilla / Konqueror: always works fine
    Win2K / IE 5.x: doesn't work
    Win2K / NS 6.x: doesn't work

("doesn't work" means that IE spits out that crappy "Cannot find server or DNS error")

I also added in the httpd.conf:

    SetEnvIf User-Agent .*MSIE.* nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:!NULL

But nothing works!! Please help me or I will hang myself soon.

*s*