Https problems with MSIE
Hello. We have a user with MSIE 6.00.2800.1106 who is unable to connect to one of the sites we are hosting (https://www.lindorffd.com). He is using Windows 2000 SP3. Have any of you had problems with MSIE 6.0 browsers? I have seen suggestions to disable SSLv3, but wouldnt that adversely affect other users? Any suggestions are welcome. -Torvald __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Https problems with MSIE
You can find a tip regarding the MSIE issue at http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49. --I have already done this, to get MSIE 5.0 browsers to work. I also discovered that the newest MSIE has more trouble with mod_ssl than other browsers. We saw that a MS Proxy Server (or MS ISA Server) with enabled authentification using NTLM increase the issue. We use the another way to resolve the MSIE keepalive issue. We have set up a KeepaliveTimeout of 120 seconds. The apache server may need more memory resources because there are more open apache processes to cope with the longer timeout. --Hmmm... but the FAQ mentioned the nokeepalive option, wouldnt that cancel the KeepAliveTimeout?? -Torvald __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Problems with old MSIE 5.0
Hello. After upgrading to 2.0.47 we have been experiencing problems with clients using old MSIE 5.0 browsers (40 bit versions). They are suddenly unable to connect, and get a The page cannot be displayed error. However, disabling SSLv3 cures the problem. We are using glibc-2.3.2. The MSIE version we have tried is 5.00.2614.3500, on W2K, but quite a few clients are experiencing problemms. Any suggestions? -Torvald Bringsvor Ergo Integration AS __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Problems with old MSIE 5.0
I dont think theese browsers are supported, no. However, quite a few clients are using them still and our customers does not accept us tossing our hands in the air and saying that we dont support all browsers. It has worked in the past, and therefore it is our problem that theese browsers are indeed broken. We have had a similar problem with 56 bit browsers before, and had a lot of problems convincing our customers that the browsers are broken. -Torvald __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Problems with old MSIE 5.0
Sorry, I misunderstood this. As it turns out, it is not W2k as I said in my original post, it is Win98 SE, and there is no MSIE service pack installed. -Torvald __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Problems with old MSIE 5.0
It seemes that you are right that SSLSessionCache is important! I set up a test server (with 2.0.47) and it worked when SSLSessionCache was enabled, but didnt when it was disabled. What I will do next is to reconfigure the production environment with SSLSessionCache enabled, and we will see if that cured it. Thanks! -Torvald -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 29. juli 2003 13:02 To: [EMAIL PROTECTED] Subject: RE: Problems with old MSIE 5.0 Neither the browser or the OS is supported by Microsoft anymore, http://support.microsoft.com/default.aspx?scid=fh;en-gb;lifewin98, with the exception of security fixes and paid support. Are the users aware of this? They can upgrade to IE5.5 or 6 for free (although I doubt that this will go down particularly well). I don't see a great deal of point in putting resources into solving this one, except to ask what SSLSessionCache settings are you using? These have been known to cause problems with IE. - John Airey, BSc (Jt Hons), CNA, RHCE Internet systems support officer, ITCSD, Royal National Institute of the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] After over 144 years, there's still no fossil evidence of Evolution. -Original Message- From: Torvald Baade Bringsvor [mailto:[EMAIL PROTECTED] Sent: 29 July 2003 11:33 To: '[EMAIL PROTECTED]' Subject: RE: Problems with old MSIE 5.0 Sorry, I misunderstood this. As it turns out, it is not W2k as I said in my original post, it is Win98 SE, and there is no MSIE service pack installed. -Torvald __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] - NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Problems with old MSIE 5.0
what I tried was the default, dbm But perhaps shm is quicker -Torvald -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 29. juli 2003 14:05 To: [EMAIL PROTECTED] Subject: RE: Problems with old MSIE 5.0 I use SSLSessionCache shm:logs/ssl_scache(512000) SSLSessionCacheTimeout 300 and it works for me... John -Original Message- From: Torvald Baade Bringsvor [mailto:[EMAIL PROTECTED] Sent: 29 July 2003 12:48 To: '[EMAIL PROTECTED]' Subject: RE: Problems with old MSIE 5.0 It seemes that you are right that SSLSessionCache is important! I set up a test server (with 2.0.47) and it worked when SSLSessionCache was enabled, but didnt when it was disabled. What I will do next is to reconfigure the production environment with SSLSessionCache enabled, and we will see if that cured it. Thanks! -Torvald - NOTICE: The information contained in this email and any attachments is confidential and may be legally privileged. If you are not the intended recipient you are hereby notified that you must not use, disclose, distribute, copy, print or rely on this email's content. If you are not the intended recipient, please notify the sender immediately and then delete the email and any attachments from your system. RNIB has made strenuous efforts to ensure that emails and any attachments generated by its staff are free from viruses. However, it cannot accept any responsibility for any viruses which are transmitted. We therefore recommend you scan all attachments. Please note that the statements and views expressed in this email and any attachments are those of the author and do not necessarily represent those of RNIB. RNIB Registered Charity Number: 226227 Website: http://www.rnib.org.uk __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Problems with POSTing
Hello. Have run into a strange problem with Apache/mod_ssl 2.0.43: I have set up a url that requires client certificates. And GET operations on this URL works very well indeed. But POST doesnt work: [Thu Jun 12 11:06:27 2003] [error] SSL Re-negotiation in conjunction with POST method not supported! hint: try SSLOptions +OptRenegotiate I have tried +OptRenegotiate all over, but it doesnt make a difference. Googling a bit reveals that this used to be a problem, but it seemes to be uncertain if it still is (in newer versions). Have any of you run into this one? Regards Torvald __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: Proxy http with modssl?
If you wish to terminate the https on the new machine and communicate to the old computer using http, then mod_proxy is what works for us. We use it extensively. -Torvald -Original Message- From: danalien [mailto:[EMAIL PROTECTED] Sent: 6. mars 2003 14:30 To: [EMAIL PROTECTED] Subject: Re: Proxy http with modssl? -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On Thursday 06 March 2003 06:56, Marko Asplund wrote: On Wed, 5 Mar 2003, Chris Davis wrote: I'm looking for a method to hide an old web server behindt a modssl server. The hidden server has several applications served over http. What I'd like is for https requests to be rewritten in modssl and proxied to the hidden internal system. ... there are probably several possible implementations for the reverse proxy configuration you're describing but one possibility is to use mod_accel (http://sysoev.ru/mod_accel/) for this purpose. or you could run stunnel (on that old machine, and close every other port except the one stunnel uses, or use port-forwarding on the remote-pc that uses stunnel to communicate with ssl-based software...). Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL (Secure Sockets Layer) available on both Unix and Windows. Stunnel can allow you to secure non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having Stunnel provide the encryption, requiring no changes to the daemon's code. -- www.stunnel.org - -- // with regards // ID :: danalien :: [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE+Z01VHoWhCURqoogRAt6yAKCW6E6kolwJmV2YAhUVgFf9FLlqsACeMxhd +7BO07aYNgXKUpKp9wIsUNs= =RFh4 -END PGP SIGNATURE- __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
SV: An apache web proxy with client auth?
Ok, have tried to make this work with common sense, but have given up. Therefore I repeat the question, in hope that it might clarify somewhat: I have a machine A, which communicates with a machine C via a proxy B (running apache with mod_ssl). Today, all communication is handled via http. We must move the communication between B and C to ssl, and C will require client certificates. The question now is how can I set up B to send client certificates to C when it connects to it? The directives I have seen mentioned are: SSLProxyMachineCertificateFile SSLProxyVerifyDepth SSLProxyCACertificateFile SSLProxyCACertificatePath ...but I have not seen any documentation on any of them, does it exist? regards Torvald __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
An apache web proxy with client auth?
Sorry to bug you folks if this is a FAQ, but I haven't seen a clear answer in the docs. The situation I have is that some clients are connecting (via http) to an apache configured as a reverse proxy, which then in turn connects to another machine (again via http). Now there is a need to change the communication between the apache and the third party machine to use https and the remote server requires client certificates. Is it possible to configure apache + mod_ssl to authenticate itself to the other server? -Torvald __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Strange server failiure!
Hey. Last night, when logrotate HUP'ed some of our apache servers with mod_ssl, like it does every night, we got a strange error: [Sun Oct 13 04:02:01 2002] [error] mod_ssl: Init: (conan.os.ergo.no:443) Ops, no RSA or DSA server certificate found?! [Sun Oct 13 04:02:01 2002] [error] mod_ssl: Init: (conan.os.ergo.no:443) You have to perform a *full* server restart when you added o r removed a certificate and/or key file The strange thing is that we have neither removed or added certificates. Is this a bug in mod_ssl? We have mod_ssl 2.8.7-4.on one, and 2.8.7-6 on the other. Is this a known bug? It makes no sense to me Med vennlig hilsen, Torvald Baade Bringsvor ErgoIntegration AS Postboks 4364 Nydalen, 0402 Oslo Telefon 23 14 50 00, Telefaks 23 14 50 01 Direkte tlf.nr. 23 1452 72, Mobilnr 979 80 494www.ergogroup.no