Re: mod_sll virtual hosts

2002-08-17 Thread Ron Ridley

Try something like this using IP based virtual hosts:
Each one of your virtual hosts can have different SSL key material it points to.

# This section only goes in the conf file once -
Port 80
ServerName domain.com
NameVirtualHost x.x.x.x

#- Domain.com -

<VirtualHost x.x.x.x>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /home/httpd/html/
ServerName domain.com
ServerAlias domain.com www.domain.com
LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog logs/domain.com_log combined
ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
</VirtualHost>

<VirtualHost x.x.x.x:443>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /home/httpd/html/
# name on certificate
ServerName domain.com
SSLEngine on
SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca.crt
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLLog logs/ssl_engine_log
SSLLogLevel warn
LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog logs/domain.com_log combined
ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/
</VirtualHost>


Repeat the domain.com section for the other domains you need.

-Ron

On 16 Aug 2002 19:17 CDT you wrote:

 When I try to load apache, I get the error:
 [Fri Aug 16 15:11:41 2002] [warn] NameVirtualHost :80 has no VirtualHosts
 [Fri Aug 16 15:11:41 2002] [warn] NameVirtualHost yy:80 has no VirtualHosts
 [Fri Aug 16 15:11:41 2002] [warn] NameVirtualHost xxx:80 has no VirtualHosts
 /usr/local/apache/bin/apachectl startssl: httpd could not be started
 
 contrary to what it says, http runs, but without ssl and I have virtualhosts 
 for each namevirtualhost.
 
 How should I make my virtual hosts work with mod_sll? Can someone please 
 provide an example?
 
 
 -- 
 Iuri Fiedoruk
 Santa Maria, RS, Brazil
 
 GnuPG Key fingerprint = 9D5F 7FA6 EF2C 6A5E 914F  E01B 9434 AA7D 032B 240F
 __
 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  [EMAIL PROTECTED]
 Automated List Manager[EMAIL PROTECTED]




Re: mod_sll virtual hosts

2002-08-17 Thread Ron Ridley

My mistake.  I have an entry NameVirtualHost but it is in the form of NameVirtualHost 
ip.address.of.host probably left over from some testing.  It works for me (as is) 
which is why I left it in the example.

My apologies.

-Ron

On 17 Aug 2002 14:31 CDT you wrote:

 On Sat 17 Aug 2002 11:21, Cliff Woolley wrote:
  On Sat, 17 Aug 2002, Ron Ridley wrote:
   Try something like this using IP based virtual hosts: Each one of your
   virtual hosts can have different SSL key material it points to.
   # This section only goes in the conf file once -
   Port 80
   ServerName domain.com
   NameVirtualHost x.x.x.x
   #- Domain.com -
   <VirtualHost x.x.x.x:443>
 
  Um, if I'm following this discussion correctly, I believe this advice is
  mistaken.  NameVirtualHost's can *NOT* be used with SSL.  Every name-based
  vhost would in reality get the certificate of the first one listed in the
  config file.
 
  Please see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#ToC47 .
 
 
 Hum, but in case all the virtualhosts are related (as in my case) this would 
 not matter much.
 But in case not, this would be a real problem.
 Thanks for your advice.

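The startup warning Iuri reported ("NameVirtualHost ... has no VirtualHosts") and the problem Cliff points out (several SSL vhosts behind one NameVirtualHost all serving the first certificate, since the server has to choose a certificate before it sees any Host header) can both be caught by reading the config before httpd is restarted. The linter below is an added example written for this page, not code from the thread or from Apache; SAMPLE_CONF is a constructed fragment using documentation addresses, and parse_vhosts/lint are assumed names.

```python
import re
# Constructed sample: one dangling NameVirtualHost and two SSL vhosts on one socket.
SAMPLE_CONF = """\
NameVirtualHost 192.0.2.10:443
NameVirtualHost 192.0.2.11:80
<VirtualHost 192.0.2.10:443>
ServerName domain.com
SSLEngine on
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName www.other.example
SSLEngine on
</VirtualHost>
"""
OPEN_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
CLOSE_RE = re.compile(r"^\s*</VirtualHost>", re.I)

def parse_vhosts(conf):
    # Returns [(address, {directive.lower(): value}), ...] in file order.
    vhosts, current = [], None
    for line in conf.splitlines():
        m = OPEN_RE.match(line)
        if m:
            current = (m.group(1).strip(), {})
        elif CLOSE_RE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
        elif current is not None and not line.lstrip().startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2:
                current[1][parts[0].lower()] = parts[1].strip()
    return vhosts

def lint(conf):
    vhosts, findings = parse_vhosts(conf), []
    # 1. The startup warning from the thread: a NameVirtualHost address with no block
    #    (compared as written; wildcard and port-less forms are not normalised here).
    addrs = {addr for addr, _ in vhosts}
    for m in re.finditer(r"^\s*NameVirtualHost\s+(\S+)", conf, re.I | re.M):
        if m.group(1) not in addrs:
            findings.append("NameVirtualHost %s has no VirtualHosts" % m.group(1))
    # 2. Without SNI the server must pick a certificate before it sees the Host header,
    #    so every SSL vhost on one address:port answers with the first one's certificate.
    ssl_names = {}
    for addr, d in vhosts:
        if d.get("sslengine", "").lower() == "on":
            ssl_names.setdefault(addr, []).append(d.get("servername", "?"))
    for addr, names in ssl_names.items():
        if len(names) > 1:
            findings.append("%s: %d SSL vhosts on one socket, all present %s's certificate" % (addr, len(names), names[0]))
    return findings
```

Running lint(SAMPLE_CONF) reports both problems; giving the second SSL vhost its own IP address (the fix Ron's reply describes) makes the second finding disappear.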



Re: IE browser does not display proper error message if the certificate is expired

2002-03-07 Thread Ron Ridley

I posted a couple weeks back on the same problem.  I had also tried setting specific 
ErrorDocument directives in my httpd.conf, but it didn't work.  From what I can tell, 
the default errors are written into the apache/mod_ssl code to display errors in 
http not https, and when all traffic from my site is forced through https 
(certificate required) you get a page cannot be displayed error.

Looking around newsgroup archives the only suggestion I found was to prompt for a cert 
and add logic to your web app to allow access only if the proper credentials were set 
as environment variables.  Unfortunately not everyone has their site setup with that 
much flexibility (mine for instance).  

I challenge those of you knowledgeable in the intricacies of mod_ssl to explain why 
error messages don't display and a feasible workaround (preferably using mod_ssl 
verification).

On 07 Mar 2002 13:50 CST you wrote:

 Any help from anyone?
 I need this desperately.
 Sincerely
 Shiva
 
 
 
  --- Shiva Murugesan [EMAIL PROTECTED] wrote:
   Many thanks jon.  The problem occurs in 5.5 and 6.0 as well.
   I have tried unchecking the Show friendly error message, still it is not
   displaying the correct SSL message.  After unchecking, it started asking twice
   to present the client certificate. After presenting the client certificate
   for the second time, it displays the standard error message.
   
   Ta 
   Shiva
   
   --- jon schatz [EMAIL PROTECTED] wrote:
    On Mon, 2002-03-04 at 15:50, jon schatz wrote:
     if you uncheck Tools - Internet Options - Advanced - Show Friendly
     HTTP error messages, you can get more useful info. Unfortunately, the
     default is to show the same error message for everything. You'll have to
     change this by hand on your end users' machines (or write an ActiveX
     control to do it for you).
    
    oops. this is on ie 5.5/6.0. i can't speak for ie 5.0 personally. so ymmv.
    
    -jon
    
    -- 
    [EMAIL PROTECTED] || www.divisionbyzero.com
    gpg key: www.divisionbyzero.com/pubkey.asc
    think i have a virus?: www.divisionbyzero.com/pgp.html
    You are in a twisty little maze of Sendmail rules, all confusing.
  



ErrorDocuments and SSLVerifyClient

2002-02-14 Thread Ron Ridley

I have apache 1.22 w/ mod_ssl 2.8.5 running on NT from the contribs
directory on modssl.org.

I have the server configured to require a certificate through the
'SSLVerifyClient require' directive.  My users can get in fine, however
if they have no certificate or a revoked certificate, they get an IE
error page (Cannot find server or DNS error).

The apache and ssl error logs note that:
SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML
error page (OpenSSL library error follows)

This is done every time the user gets the error page.  I set up an Alias
to a directory containing custom error pages.  I also setup multiple
ErrorDocument directives to refer to the alias.  I can access the error
pages manually, but I am unsure on how to get them to show up when the
certificate prompt fails.

I have tried all of the IE related fixes in the FAQ (SetEnvIf, etc), and
I still have not been successful in getting the error messages to show
up.

Here is the catch to this:  My webserver can run on one port only (888) and
I have no VirtualHosts.  In my test environment I have set them up, but
I get a handshake renegotiation error instead of the http-https error.

Any ideas?
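Both the IE error-page thread above and this SSLVerifyClient post run into the same limit: with 'SSLVerifyClient require', a missing or rejected client certificate aborts the TLS handshake itself, so no ErrorDocument can ever be sent over that connection. The application-side fallback the earlier thread mentions (prompt for a certificate, then decide in the web app from the environment variables mod_ssl sets) is shown below as an added example that is not from the thread or from mod_ssl; it assumes a relaxed mode such as 'SSLVerifyClient optional' together with 'SSLOptions +StdEnvVars', under which the handshake completes and mod_ssl exports SSL_CLIENT_VERIFY (NONE, SUCCESS, GENEROUS or FAILED:reason), SSL_CLIENT_S_DN and SSL_CLIENT_I_DN to CGI, and gate(), page() and EXPECTED_ISSUER are assumed names with a constructed issuer DN.

```python
import html

# Assumed: DN of the only CA allowed to issue client certificates (constructed value).
EXPECTED_ISSUER = "/C=US/O=Example Corp/CN=Example Client CA"

def page(message):
    # Minimal HTML body; escaped so a DN chosen by the client cannot inject markup.
    return "<html><body><h1>%s</h1></body></html>" % html.escape(message)

def gate(environ, expected_issuer=EXPECTED_ISSUER):
    """Return (http_status, html_body) for one request.

    environ is the CGI environment (os.environ in a real CGI script); the SSL_*
    names are the variables mod_ssl exports when SSLOptions +StdEnvVars is set.
    """
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    subject = environ.get("SSL_CLIENT_S_DN", "")
    issuer = environ.get("SSL_CLIENT_I_DN", "")
    if verify == "NONE":
        # Handshake completed but no certificate was sent: serve a readable page
        # instead of the browser's generic "page cannot be displayed".
        return 403, page("No client certificate was presented. Install your certificate and try again.")
    if verify.startswith("FAILED"):
        # mod_ssl appends OpenSSL's verification error text after the colon.
        reason = verify.partition(":")[2] or "unknown reason"
        return 403, page("Your certificate was rejected: %s." % reason)
    if verify != "SUCCESS":
        # GENEROUS: accepted under optional_no_ca without a successful CA check.
        return 403, page("Your certificate could not be verified against a trusted CA.")
    if issuer != expected_issuer:
        # Verified, but by another CA in SSLCACertificateFile: never trust the DN alone.
        return 403, page("Certificate was not issued by the expected CA.")
    return 200, page("Welcome, %s." % subject)
```

The decision rests only on SSL_CLIENT_VERIFY being SUCCESS plus the issuer DN, never on the mere presence of a subject DN, which any client can put in a self-made certificate.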



Re: CRL questions

2001-08-09 Thread Ron Ridley

In reference to making Apache reload the CRL, are you sending a SIGHUP to do that or 
something else?

-Ron

On Thu, Aug 09, 2001 at 08:17:36AM +0200, [EMAIL PROTECTED] sent this message:
 Hello Ron,
 
 As far as I know there is no way to learn the new CRL file without making an 
 Apache stop and start. But you should be able to make a RELOAD only. I 
 used it in my Apache on Unix and it works quite well.
 
 Maybe in the future Apache-ModSSL will support OCSP and it will solve this
 problem.
 
 Sylvain 
 
 

 Sylvain Maret
 Senior Security Engineer - Strategic Director
 e-Xpert Solutions SA
 Route de Pré-Marais 29
 1233 Bernex / Geneva
 Switzerland
 
 Tel: +41 22 727 05 55
 Fax: +41 22 727 05 50
 Mail: [EMAIL PROTECTED]
 
 
 
 
 Ron Ridley [EMAIL PROTECTED]
 Sent by: [EMAIL PROTECTED]
 09.08.2001 03:16
 Please respond to modssl-users
 
  
 To: [EMAIL PROTECTED]
 cc: 
 Subject: CRL questions
 
 
 Background:
 I have a win32 installation of apache 1.3.12 w/ mod_ssl 2.6.1 running on an NT4
 server.  I am using W2K CA to handle client certs.  This setup is special b/c apache 
 runs as a part of the firewall service (Raptor 6.5) to enable secure access to a web 
 based auth page.
 
 Problem:
 Users can connect to the site fine with their certs, however, problems exist 
 setting up a CRL.  I want to update the CRL every couple of days, yet it requires
 a restart of apache to re-read the CRL.  My problem lies in that this also requires
 a restart of the firewall. 
 
 Question:
 Can someone verify my findings into the fact that apache must be restarted to 
 load the updated CRL?  If this is the case then are there plans to allow 
 updating/reloading of the CRL without reloading apache (e.g. CRL expiration period)?
 
 Thanks in advance.
 Ron



CRL questions

2001-08-08 Thread Ron Ridley

Background:
I have a win32 installation of apache 1.3.12 w/ mod_ssl 2.6.1 running on an NT4
server.  I am using W2K CA to handle client certs.  This setup is special b/c apache 
runs as a part of the firewall service (Raptor 6.5) to enable secure access to a web 
based auth page.

Problem:
Users can connect to the site fine with their certs, however, problems exist 
setting up a CRL.  I want to update the CRL every couple of days, yet it requires
a restart of apache to re-read the CRL.  My problem lies in that this also requires
a restart of the firewall.  

Question:
Can someone verify my findings into the fact that apache must be restarted to 
load the updated CRL?  If this is the case then are there plans to allow 
updating/reloading of the CRL without reloading apache (e.g. CRL expiration period)?

Thanks in advance.
Ron