Apache 2.2.6 mod_ssl won't serve subdirectories
This is my first experience with SSL. I have done the Google thing and searched Apache FAQ etc but found nothing regarding my problem.

In a nutshell, I have the following file structure:

    /var/ssl/www/index.html
    /var/ssl/www/budget/index.html

Everything in both paths is owned by root and either 755 or 644 as appropriate for directories and files.

I have the server working for /var/ssl/www/index.html but I get a HTTP Error 403 - Forbidden error trying to view /var/ssl/www/budget/index.html

The logs are uninformative as to WHY access to /var/ssl/www/budget/index.html is being forbidden.

My impression was that subdirectories should inherit the access rights of their parent if I do nothing to override that behavior.

I have an http server configured similarly running in the same instance of Apache 2.2.6 (on port 2080 so as to not conflict with my production web site running on port 80). It works as expected, including access to subdirectories.

The URLs are https://daniel.ameriroots.com and http://daniel.ameriroots.com:2080

I have reduced the httpd.conf file to the following essentials (this is what is presently running on the above URLs):

    #
    # Main Server Configuration
    #
    ServerRoot /usr/daniel/apache2
    ServerName danniel.ameriroots.com
    ServerAdmin [EMAIL PROTECTED]
    Listen 64.249.12.251:2080
    Listen 64.249.12.251:443
    User www
    Group www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
    DirectoryIndex index.html
    <FilesMatch "^\.ht">
        Order allow,deny
        Deny from all
        Satisfy All
    </FilesMatch>
    LogFormat "%h %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %s %b" common
    ErrorLog /var/log/apache_error_log2
    LogLevel info
    CustomLog /var/log/apache_access_log2 combined

    #
    # HTTP SERVER ON PORT 2080
    #
    <VirtualHost _default_:2080>
        ErrorLog /var/log/http_error_log2
        LogLevel info
        CustomLog /var/log/http_access_log2 combined
        DocumentRoot /var/www
        <Directory /var/www>
            Allow from all
        </Directory>
    </VirtualHost>

    #
    # HTTPS SERVER ON PORT 443
    #
    SSLCertificateFile /var/ssl/conf/daniel.crt
    SSLCertificateKeyFile /var/ssl/conf/daniel.key
    <VirtualHost _default_:443>
        SSLEngine On
        CustomLog /var/log/https_access_log2 combined
        ErrorLog /var/log/https_error_log2
        LogLevel info
        BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        DocumentRoot /var/ssl/www
        <Directory /var/ssl/www>
            Allow from all
        </Directory>
    </VirtualHost>

The log files are unenlightening, even at debug level where I get lots of detail on SSL calculations, but a simple access denied message on the file itself.

What am I missing here?

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
SOLVED: Apache 2.2.6 mod_ssl won't serve subdirectories
Problem found and fixed - after getting some sleep I checked for about the 5th time and found the problem - the directory budget had permission 644 instead of 755.

Stupid me :-(

--- Orville Weyrich - KD7HJV [EMAIL PROTECTED] wrote:

> In a nutshell, I have the following file structure:
>
>     /var/ssl/www/index.html
>     /var/ssl/www/budget/index.html
>
> Everything in both paths is owned by root and either 755 or 644 as appropriate for directories and files.
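The fix reported above comes down to one directory on the path lacking the search (x) bit for the server's account, which Apache reports only as a 403. As an added example (not part of the original posts), the Python below walks each component from a document root to a file and returns the first one an account cannot pass. The sample tree, the stand-in uid and all function names are constructed for illustration; ACLs and SELinux-style policy are not evaluated.

```python
import os
import stat
import tempfile

# Mode bit for each (class, access) pair, following POSIX class selection.
BITS = {
    ("owner", "r"): stat.S_IRUSR, ("owner", "x"): stat.S_IXUSR,
    ("group", "r"): stat.S_IRGRP, ("group", "x"): stat.S_IXGRP,
    ("other", "r"): stat.S_IROTH, ("other", "x"): stat.S_IXOTH,
}


def class_allows(st, uid, gids, access):
    """Return True if the mode bits grant `access` ('r' or 'x') to uid/gids.

    Exactly one class applies: owner if the uid matches, else group if any
    gid matches, else other. The account is assumed to be unprivileged.
    """
    if uid == st.st_uid:
        cls = "owner"
    elif st.st_gid in gids:
        cls = "group"
    else:
        cls = "other"
    return bool(st.st_mode & BITS[(cls, access)])


def first_blocked_component(doc_root, target, uid, gids):
    """Walk doc_root -> target and return (path, mode string) for the first
    component the account cannot pass, or None if the whole path is usable.

    Directories need search (x); the final regular file needs read (r).
    """
    doc_root = os.path.abspath(doc_root)
    target = os.path.abspath(target)
    if os.path.commonpath([doc_root, target]) != doc_root:
        raise ValueError("target must be inside doc_root")
    current = doc_root
    chain = [current]
    rel = os.path.relpath(target, doc_root)
    for part in ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, part)
        chain.append(current)
    for path in chain:
        st = os.stat(path)
        access = "x" if stat.S_ISDIR(st.st_mode) else "r"
        if not class_allows(st, uid, gids, access):
            # Stop here: nothing below this point is reachable anyway.
            return path, stat.filemode(st.st_mode)
    return None


def build_demo_tree(base, budget_mode):
    """Create the layout from the thread under `base` (constructed sample)."""
    www = os.path.join(base, "www")
    budget = os.path.join(www, "budget")
    os.makedirs(budget)
    pages = (os.path.join(www, "index.html"), os.path.join(budget, "index.html"))
    for page in pages:
        with open(page, "w") as fh:
            fh.write("<html></html>\n")
        os.chmod(page, 0o644)
    os.chmod(www, 0o755)
    os.chmod(budget, budget_mode)  # 0o644 reproduces the reported mistake
    return www, pages[1]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        www, page = build_demo_tree(base, 0o644)
        # Stand-in for the unprivileged "www" user: any uid that is not the owner.
        server_uid = os.stat(www).st_uid + 1
        print("before fix:", first_blocked_component(www, page, server_uid, set()))
        os.chmod(os.path.join(www, "budget"), 0o755)
        print("after fix: ", first_blocked_component(www, page, server_uid, set()))
```
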
Compiling Apache with mod_ssl on Mac OS 10.5
Hello.

I'm having trouble compiling Apache with mod_ssl, on a MacBook Pro running Mac OS 10.5.1. I'm trying to build the following programs (rather than using the ones that come with the OS):

    openssl-0.9.8g
    mm-1.4.1
    mod_ssl-2.8.30-1.3.39
    apache_1.3.39

Everything works until I try to make Apache. I get the message "ld: warning in ./libhttpd.so, file is not of required architecture", and then it exits due to some undefined symbols. If I look at file src/libhttpd.so, it gives me "Mach-O bundle i386", which looks correct. Anyone know why this would happen? More details are below.

If I don't pass --enable-module=ssl --enable-rule=SHARED_CORE when configuring Apache, I don't get this error, so I assume it's somewhat related to mod_ssl.

Jacob

The end of the make output looks like this:

    === src/modules
    gcc -c -I./../../mm-1.4.1 -I./os/unix -I./include -DDARWIN -DMOD_SSL=208130 -DUSE_HSREGEX -DEAPI -DEAPI_MM -DSHARED_CORE `./apaci` modules.c
    gcc -c -I./../../mm-1.4.1 -I./os/unix -I./include -DDARWIN -DMOD_SSL=208130 -DUSE_HSREGEX -DEAPI -DEAPI_MM -DSHARED_CORE `./apaci` buildmark.c
    cc -bundle -undefined suppress -flat_namespace -o libhttpd.so buildmark.o modules.o modules/ssl/libssl.a modules/standard/libstandard.a main/libmain.a ./os/unix/libos.a ap/libap.a regex/libregex.a
    gcc -I./../../mm-1.4.1 -I./os/unix -I./include -DDARWIN -DMOD_SSL=208130 -DUSE_HSREGEX -DEAPI -DEAPI_MM -DSHARED_CORE `./apaci` -L$BUILD_DIR/openssl-0.9.8g -L./../../mm-1.4.1/.libs \
          -o libhttpd.ep -DSHARED_CORE_TIESTATIC main/http_main.c \
          -L. -lhttpd -ldbm -lssl -lcrypto -lmm -lexpat
    ld: warning in ./libhttpd.so, file is not of required architecture
    Undefined symbols:
      _ap_validate_password, referenced from:
          _suck_in_ap_validate_password in ccRuUDHX.o
      _ap_main, referenced from:
          _main in ccRuUDHX.o
    ld: symbol(s) not found
    collect2: ld returned 1 exit status
    make[2]: *** [libhttpd.ep] Error 1
    make[1]: *** [build-std] Error 2
    make: *** [build] Error 2

I'm running the following commands (with $TAR_DIR, $BUILD_DIR, and $INSTALL_DIR defined):

    cd $BUILD_DIR
    tar xzvf $TAR_DIR/openssl-0.9.8g.tar.gz
    cd $BUILD_DIR/openssl-0.9.8g
    ./config --prefix=$INSTALL_DIR --openssldir=$INSTALL_DIR/openssl
    make

    cd $BUILD_DIR
    tar xzvf $TAR_DIR/mm-1.4.1.tar.gz
    cd $BUILD_DIR/mm-1.4.1
    ./configure --disable-shared
    make

    cd $BUILD_DIR
    tar xzvf $TAR_DIR/apache_1.3.39.tar.gz
    tar xzvf $TAR_DIR/mod_ssl-2.8.30-1.3.39.tar.gz
    cd $BUILD_DIR/mod_ssl-2.8.30-1.3.39
    ./configure --with-apache=../apache_1.3.39 --with-ssl=../openssl-0.9.8g --prefix=$INSTALL_DIR

    cd $BUILD_DIR/apache_1.3.39
    export SSL_BASE=../openssl-0.9.8g
    export EAPI_MM=../mm-1.4.1
    ./configure --enable-module=ssl --enable-module=headers --enable-module=expires --enable-module=so --enable-module=rewrite --enable-rule=SHARED_CORE --prefix=$INSTALL_DIR
    make    # the error happens here
Apache and mod_ssl
I have a feeling that I'm missing something elementary here.

I have an install of apache 2.0.55 with mod_ssl enabled on a HP-UX system in /opt/apache2. This one runs fine. I recompiled another copy of apache (same version) into /opt/apache2a (for testing purposes) to add mod_ldap support and that one worked as well. Then I tried recreating apache2a in apache2 by doing a recompile using a prefix of apache2 and then doing an install after backing everything up and moving the old apache install out of the way.

However, this one DOESN'T work. If I launch it WITHOUT SSL turned on (i.e., no "SSLEngine on" directive), everything works great. But as soon as I turn on SSL in a VirtualHost, then strange things happen. A client will connect to the test port via SSL, the SSL negotiation appears to work just fine (tested using openssl s_client), but when you attempt to do a GET, the request is sent, but a reply never shows up. Nothing appears in the access_log, and child processes begin to spawn with each request. I can pull up the server-status url and every time I hit refresh, one child process goes to W and another one is spawned. Clicking repeatedly will continue this process until there are a ton of processes, all stuck at Waiting with 0/0/0 under the Acc column. Do it enough, the server's load average starts to climb.

I've checked and double checked every permission I can possibly find. The User and Group directives are both set to webadmin which is the same in all configurations. The permissions of the sub-directories in both directories match between the two.

I have this feeling that it's simple with the directory permissions and/or structure but I just can't seem to locate it. Anyone have any ideas on what else I might need to look at?

Aaron

Aaron Smith [EMAIL PROTECTED]
System Administrator (269) 337-7496
Kalamazoo College
Apache and mod_ssl (extra info)
So I tried something kind of new. I completely removed the directory with the non-functioning apache install. I went back to the source, did a make clean, a new configure using the same parameters as before:

    ./configure --prefix=/opt/apache3 --enable-auth-dbm=shared \
        --enable-expires=shared --enable-headers=shared \
        --enable-rewrite=shared --enable-mime-magic=shared \
        --enable-info=shared --enable-status=shared \
        --enable-userdir=shared --enable-http --enable-so \
        --enable-ssl=static --with-ssl=/opt/openssl098d \
        --with-perl=/opt/perl58 --with-ndbm --enable-ldap=shared \
        --enable-auth_ldap=shared --with-ldap=/usr/local/OpenLDAP.2.3

Had SHLIB_PATH set to /opt/openssl098d/lib:/usr/local/OpenLDAP.2.3/lib as well as CPPFLAGS and LDFLAGS set with -I and -L flags for those two non-standard directories. This is all the same as what I had done before.

After the make, make install, I went in to the installed directory and made as minimal changes as I could. I changed Listen port in the main httpd.conf to 8040 and the Listen port (as well as the VirtualHost port) in ssl.conf to 8045 so it wouldn't step on the toes of the production apache process. I then changed the User and Group directives in httpd.conf to the webadmin user which the other apache process runs as.

Launched this just about plain jane apache using apachectl startssl. Connecting via http to 8040, everything looks fine. Connecting via https to port 8045 shows the behavior of child processing hanging in a waiting state.

Am I wrong in thinking this is a permissions issue? Or perhaps something is funky with the fact that the SSL libraries are in a strange spot? I've tried adding the library path to envvars in apache3/bin and having PassEnv SHLIB_PATH in the httpd.conf. However, the WORKING installation is linked to these exact same libraries and although there's a PassEnv command in its httpd.conf, nothing was added to envvars.

If it *is* a permissions issue, what does mod_ssl need permission to get to in order to function properly? I notice that the ssl_scache.dir and ssl_scache.pag files are created in the logs directory, (though the .dir file is 0 bytes) both owned by webadmin, so that user can at least CREATE files in that directory.
Re: Apache and mod_ssl - refusing connections on https?
Yes, I have SSLEngine On in ssl.conf, here's my ssl.conf file:

    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    <IfDefine SSL>
    Listen 443
    Listen my.ip.ad.dr:443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    SSLPassPhraseDialog builtin
    SSLSessionCache dbm:/var/run/ssl_scache
    SSLSessionCacheTimeout 300
    SSLMutex file:/var/run/ssl_mutex
    <VirtualHost _default_:443>
    DocumentRoot /usr/pkg/share/httpd/htdocs
    ServerName www.mydomain.net:443
    ServerAdmin [EMAIL PROTECTED]
    ErrorLog /var/log/httpd/error_log
    TransferLog /var/log/httpd/access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/pkg/etc/httpd/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/pkg/etc/httpd/ssl.key/server.pem
    <FilesMatch "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/pkg/libexec/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog /var/log/httpd/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
    </IfDefine>

Any ideas?

--- Omar W. Hannet [EMAIL PROTECTED] wrote:

> SSLEngine On?
>
> Glyn Astill wrote:
>
>> Hi people,
>>
>> I'm new to this list, so hello.
>>
>> I've been trying to get https working with apache 2.0.59 on NetBSD 3.99 today, and it's beginning to make my face ache.
>>
>> Basically when I try to view a page via https I get connection refused. Apache is compiled with mod_ssl.c, I have openssl installed.
>>
>> This is what I've done so far:
>>
>> 1) Copied the example openssl cfg from examples to /etc/openssl/openssl.cnf
>> 2) Generated my server key, then pem file then the csr and crt.
>> 3) Then copied them all into ssl.key (server.pem, server.key), ssl.csr (server.csr) and ssl.crt (server.crt). This is where my ssl.conf expects them.
>> 4) Made sure ssl.conf is pointing to these files properly and is listening on port 443 (Listen ipaddress:443)
>> 5) Made sure ssl.conf is included in httpd.conf properly
>> 6) check that mod_ssl.c is compiled in with https -l
>> 7) checked my apache access and error logs - nothing!
>>
>> And still nothing, it can't be listening on 443.
>>
>> If I do the following:
>>
>>     #openssl s_client -connect localhost:443 -state -debug
>>
>> I get:
>>
>>     connect: Connection refused
>>     connect:errno=61
>>
>> I've even tried copying all my virtual hosts and changing :80 to :443, still nothing.
>>
>> This is really the first time I've ever touched ssl, so I'm hoping I'm missing something really dumb. I've basically just got the standard ssl.conf example modified ever so slightly so that things point in the right place.
>>
>> Any ideas?
>>
>> Cheers
>> Glyn
>
> --
> Omar W. Hannet
> http://www.allez-oop.net/
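The ssl.conf posted above places both Listen lines inside `<IfDefine SSL>`, so they take effect only when httpd is started with `-DSSL` (which `apachectl startssl` passes in Apache 2.0); without it nothing binds to 443 and a client sees "connection refused". As an added example (not from the thread), the Python below reports which Listen directives are live for a given set of `-D` symbols; the sample config is constructed, uses a documentation-range address as a placeholder, and the function name is hypothetical.

```python
import re

# Directive names are case-insensitive in httpd; -D symbol names are not.
OPEN_RE = re.compile(r"<IfDefine\s+(!?)\s*([^>\s]+)\s*>", re.IGNORECASE)
CLOSE_RE = re.compile(r"</IfDefine\s*>", re.IGNORECASE)
LISTEN_RE = re.compile(r"Listen\s+(\S+)", re.IGNORECASE)

# Constructed sample modelled on the layout of the posted ssl.conf.
SAMPLE_CONF = """\
Listen 80
<IfDefine SSL>
Listen 443
Listen 192.0.2.10:443
<VirtualHost _default_:443>
SSLEngine on
</VirtualHost>
</IfDefine>
"""


def listen_report(config_text, defines=()):
    """Return (active, skipped) Listen directives for the given -D symbols.

    active  : list of Listen arguments httpd would bind
    skipped : list of (argument, condition) for Listen lines disabled by an
              enclosing <IfDefine> whose condition is false
    Include files are not followed; pass the merged text if needed.
    """
    defined = set(defines)
    stack = []  # one (condition text, is_true) entry per open <IfDefine>
    active, skipped = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.match(line)
        if opened:
            negated = opened.group(1) == "!"
            name = opened.group(2)
            is_true = (name in defined) != negated
            stack.append((("!" if negated else "") + name, is_true))
            continue
        if CLOSE_RE.match(line):
            if not stack:
                raise ValueError("</IfDefine> without matching <IfDefine>")
            stack.pop()
            continue
        listen = LISTEN_RE.match(line)
        if listen:
            failing = [cond for cond, ok in stack if not ok]
            if failing:
                skipped.append((listen.group(1), failing[0]))
            else:
                active.append(listen.group(1))
    if stack:
        raise ValueError("unclosed <IfDefine %s>" % stack[-1][0])
    return active, skipped


if __name__ == "__main__":
    for symbols in ((), ("SSL",)):
        active, skipped = listen_report(SAMPLE_CONF, symbols)
        print("defines=%r active=%r skipped=%r" % (symbols, active, skipped))
```
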
Apache and mod_ssl - refusing connections on https?
Hi people,

I'm new to this list, so hello.

I've been trying to get https working with apache 2.0.59 on NetBSD 3.99 today, and it's beginning to make my face ache.

Basically when I try to view a page via https I get connection refused. Apache is compiled with mod_ssl.c, I have openssl installed.

This is what I've done so far:

1) Copied the example openssl cfg from examples to /etc/openssl/openssl.cnf
2) Generated my server key, then pem file then the csr and crt.
3) Then copied them all into ssl.key (server.pem, server.key), ssl.csr (server.csr) and ssl.crt (server.crt). This is where my ssl.conf expects them.
4) Made sure ssl.conf is pointing to these files properly and is listening on port 443 (Listen ipaddress:443)
5) Made sure ssl.conf is included in httpd.conf properly
6) check that mod_ssl.c is compiled in with https -l
7) checked my apache access and error logs - nothing!

And still nothing, it can't be listening on 443.

If I do the following:

    #openssl s_client -connect localhost:443 -state -debug

I get:

    connect: Connection refused
    connect:errno=61

I've even tried copying all my virtual hosts and changing :80 to :443, still nothing.

This is really the first time I've ever touched ssl, so I'm hoping I'm missing something really dumb. I've basically just got the standard ssl.conf example modified ever so slightly so that things point in the right place.

Any ideas?

Cheers
Glyn
Re: Apache and mod_ssl - refusing connections on https?
SSLEngine On?

Glyn Astill wrote:

> Hi people,
>
> I'm new to this list, so hello.
>
> I've been trying to get https working with apache 2.0.59 on NetBSD 3.99 today, and it's beginning to make my face ache.
>
> Basically when I try to view a page via https I get connection refused. Apache is compiled with mod_ssl.c, I have openssl installed.
>
> This is what I've done so far:
>
> 1) Copied the example openssl cfg from examples to /etc/openssl/openssl.cnf
> 2) Generated my server key, then pem file then the csr and crt.
> 3) Then copied them all into ssl.key (server.pem, server.key), ssl.csr (server.csr) and ssl.crt (server.crt). This is where my ssl.conf expects them.
> 4) Made sure ssl.conf is pointing to these files properly and is listening on port 443 (Listen ipaddress:443)
> 5) Made sure ssl.conf is included in httpd.conf properly
> 6) check that mod_ssl.c is compiled in with https -l
> 7) checked my apache access and error logs - nothing!
>
> And still nothing, it can't be listening on 443.
>
> If I do the following:
>
>     #openssl s_client -connect localhost:443 -state -debug
>
> I get:
>
>     connect: Connection refused
>     connect:errno=61
>
> I've even tried copying all my virtual hosts and changing :80 to :443, still nothing.
>
> This is really the first time I've ever touched ssl, so I'm hoping I'm missing something really dumb. I've basically just got the standard ssl.conf example modified ever so slightly so that things point in the right place.
>
> Any ideas?
>
> Cheers
> Glyn

--
Omar W. Hannet
http://www.allez-oop.net/
Re: Apache with mod_ssl
Even more revealing was the passphrase prompt, not required for plain httpd...

Thanks,

Ron DuFresne

On Tue, 19 Jun 2007, Omar W. Hannet wrote:

> Are you quite certain that the LoadModule for mod_ssl has been commented out? The reason I ask: the output from 'apachectl start' which you provided below shows 'mod_ssl/2.2.4'.
>
> In the log file /opt/apache-2.2.4/logs/error_log, on lines that contain 'Apache/2.2.4' and 'configured -- resuming normal operations', do you see 'mod_ssl/2.2.4'? If so, it is still being loaded from somewhere in your configuration.
>
> Saikat Saha wrote:
>
>> Sorry for late response on this one.
>>
>> This is what we have in httpd.conf which is generated at compile time. This problem does not go away even if I comment out last four lines and restart apache. Could you please advise what else could be leading apache to think it is https rather than http?
>>
>>     # Secure (SSL/TLS) connections
>>     #Include conf/extra/httpd-ssl.conf
>>     #
>>     # Note: The following must must be present to support
>>     #       starting without SSL on platforms with no /dev/random equivalent
>>     #       but a statically compiled-in mod_ssl.
>>     #
>>     <IfModule ssl_module>
>>     SSLRandomSeed startup builtin
>>     SSLRandomSeed connect builtin
>>     </IfModule>
>>
>> With above commented out, when I try to start apache, I get following passphrase prompt and apache does not start even after saying passphrase successful, no logs in logs directory although log level is debug
>>
>>     ]# ./apachectl start
>>     httpd: Could not reliably determine the server's fully qualified domain name, using 10.3.110.109 for ServerName
>>     Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)
>>     Some of your private key files are encrypted for security reasons.
>>     In order to read them you have to provide the pass phrases.
>>     Server 10.3.110.109:443 (RSA)
>>     Enter pass phrase:
>>     OK: Pass Phrase Dialog successful.
>>     [EMAIL PROTECTED] bin]#
>>
>> Thank you very much for your help.
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
>> Sent: Monday, June 18, 2007 8:34 AM
>> To: modssl-users@modssl.org
>> Subject: Re: Apache with mod_ssl
>>
>> Do you have <IfModule ssl_module> tags surrounding all SSL directives in your configuration file? For example:
>>
>>     <IfModule ssl_module>
>>     SSLPassPhraseDialog builtin
>>     # etc.
>>     </IfModule>
>>
>> Saikat Saha wrote:
>>
>>> Apache was compiled as below
>>>
>>>     ./configure --with-ldap --enable-mods-shared="all ssl ldap cache proxy authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock disk_cache" --prefix=/opt/apache-2.2.4
>>>
>>> Httpd -l gives below
>>>
>>>     [EMAIL PROTECTED] bin]# httpd -l
>>>     Compiled in modules:
>>>       core.c
>>>       prefork.c
>>>       http_core.c
>>>       mod_so.c
>>>
>>> How do I compile so that it does not load mod_ssl automatically and loads only if httpd.conf is configured. Surprisingly there are no error logs even at debug level.
>>>
>>> Thank you so very much for the kind help.
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
>>> Sent: Friday, June 15, 2007 4:13 PM
>>> To: modssl-users@modssl.org
>>> Subject: Re: Apache with mod_ssl
>>>
>>> Saikat Saha wrote:
>>>> We have apache 2.2.4 compiled with all modules but commented out all load modules. Do not have anything in httpd.conf file to state that this is https. But when I start apache, it tries to goto https and prompts for pass phrase. How does apache determine that this is https whereas this is actually a http server.
>>>
>>> Perhaps mod_ssl is a compiled-in module. Run 'httpd -l' to check this.
>>>
>>>> After I enter a passphrase, it shows successful but the server never starts up. Can someone please help?
>>>
>>> The reason probably can be found in Apache's error_log file.
>>>
>>>> Also can apache support both http and https at different ports at the same time?
>>>
>>> Yes. The defaults are port 80 for http and port 443 for https.

--
admin senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins Still Life With Woodpecker
Re: Apache with mod_ssl
Are you quite certain that the LoadModule for mod_ssl has been commented out? The reason I ask: the output from 'apachectl start' which you provided below shows 'mod_ssl/2.2.4'.

In the log file /opt/apache-2.2.4/logs/error_log, on lines that contain 'Apache/2.2.4' and 'configured -- resuming normal operations', do you see 'mod_ssl/2.2.4'? If so, it is still being loaded from somewhere in your configuration.

Saikat Saha wrote:

> Sorry for late response on this one.
>
> This is what we have in httpd.conf which is generated at compile time. This problem does not go away even if I comment out last four lines and restart apache. Could you please advise what else could be leading apache to think it is https rather than http?
>
>     # Secure (SSL/TLS) connections
>     #Include conf/extra/httpd-ssl.conf
>     #
>     # Note: The following must must be present to support
>     #       starting without SSL on platforms with no /dev/random equivalent
>     #       but a statically compiled-in mod_ssl.
>     #
>     <IfModule ssl_module>
>     SSLRandomSeed startup builtin
>     SSLRandomSeed connect builtin
>     </IfModule>
>
> With above commented out, when I try to start apache, I get following passphrase prompt and apache does not start even after saying passphrase successful, no logs in logs directory although log level is debug
>
>     ]# ./apachectl start
>     httpd: Could not reliably determine the server's fully qualified domain name, using 10.3.110.109 for ServerName
>     Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)
>     Some of your private key files are encrypted for security reasons.
>     In order to read them you have to provide the pass phrases.
>     Server 10.3.110.109:443 (RSA)
>     Enter pass phrase:
>     OK: Pass Phrase Dialog successful.
>     [EMAIL PROTECTED] bin]#
>
> Thank you very much for your help.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
> Sent: Monday, June 18, 2007 8:34 AM
> To: modssl-users@modssl.org
> Subject: Re: Apache with mod_ssl
>
> Do you have <IfModule ssl_module> tags surrounding all SSL directives in your configuration file? For example:
>
>     <IfModule ssl_module>
>     SSLPassPhraseDialog builtin
>     # etc.
>     </IfModule>
>
> Saikat Saha wrote:
>
>> Apache was compiled as below
>>
>>     ./configure --with-ldap --enable-mods-shared="all ssl ldap cache proxy authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock disk_cache" --prefix=/opt/apache-2.2.4
>>
>> Httpd -l gives below
>>
>>     [EMAIL PROTECTED] bin]# httpd -l
>>     Compiled in modules:
>>       core.c
>>       prefork.c
>>       http_core.c
>>       mod_so.c
>>
>> How do I compile so that it does not load mod_ssl automatically and loads only if httpd.conf is configured. Surprisingly there are no error logs even at debug level.
>>
>> Thank you so very much for the kind help.
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
>> Sent: Friday, June 15, 2007 4:13 PM
>> To: modssl-users@modssl.org
>> Subject: Re: Apache with mod_ssl
>>
>> Saikat Saha wrote:
>>> We have apache 2.2.4 compiled with all modules but commented out all load modules. Do not have anything in httpd.conf file to state that this is https. But when I start apache, it tries to goto https and prompts for pass phrase. How does apache determine that this is https whereas this is actually a http server.
>>
>> Perhaps mod_ssl is a compiled-in module. Run 'httpd -l' to check this.
>>
>>> After I enter a passphrase, it shows successful but the server never starts up. Can someone please help?
>>
>> The reason probably can be found in Apache's error_log file.
>>
>>> Also can apache support both http and https at different ports at the same time?
>>
>> Yes. The defaults are port 80 for http and port 443 for https.
Apache with mod_ssl
We have apache 2.2.4 compiled with all modules but commented out all load modules. Do not have anything in httpd.conf file to state that this is https. But when I start apache, it tries to goto https and prompts for pass phrase. How does apache determine that this is https whereas this is actually a http server.

After I enter a passphrase, it shows successful but the server never starts up. Can someone please help?

Also can apache support both http and https at different ports at the same time?

Thanks much for your help.

SS

    [EMAIL PROTECTED] bin]# ./apachectl start
    Apache/2.2.4 mod_ssl/2.2.4 (Pass Phrase Dialog)
    Some of your private key files are encrypted for security reasons.
    In order to read them you have to provide the pass phrases.
    Server 10.3.110.109:443 (RSA)
    Enter pass phrase:
    OK: Pass Phrase Dialog successful.

Httpd.conf

    # Secure (SSL/TLS) connections
    #Include conf/extra/httpd-ssl.conf
    #
    # Note: The following must must be present to support
    #       starting without SSL on platforms with no /dev/random equivalent
    #       but a statically compiled-in mod_ssl.
    #
    <IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    </IfModule>
Re: Apache with mod_ssl
Saikat Saha wrote:
> We have apache 2.2.4 compiled with all modules but commented out all load modules. Do not have anything in httpd.conf file to state that this is https. But when I start apache, it tries to goto https and prompts for pass phrase. How does apache determine that this is https whereas this is actually a http server.

Perhaps mod_ssl is a compiled-in module. Run 'httpd -l' to check this.

> After I enter a passphrase, it shows successful but the server never starts up. Can someone please help?

The reason probably can be found in Apache's error_log file.

> Also can apache support both http and https at different ports at the same time?

Yes. The defaults are port 80 for http and port 443 for https.

--
Omar W. Hannet
http://www.allez-oop.net/
RE: Apache with mod_ssl
Apache was compiled as below

    ./configure --with-ldap --enable-mods-shared="all ssl ldap cache proxy authn_alias mem_cache file_cache authnz_ldap charset_lite dav_lock disk_cache" --prefix=/opt/apache-2.2.4

Httpd -l gives below

    [EMAIL PROTECTED] bin]# httpd -l
    Compiled in modules:
      core.c
      prefork.c
      http_core.c
      mod_so.c

How do I compile so that it does not load mod_ssl automatically and loads only if httpd.conf is configured. Surprisingly there are no error logs even at debug level.

Thank you so very much for the kind help.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Omar W. Hannet
Sent: Friday, June 15, 2007 4:13 PM
To: modssl-users@modssl.org
Subject: Re: Apache with mod_ssl

Saikat Saha wrote:
> We have apache 2.2.4 compiled with all modules but commented out all load modules. Do not have anything in httpd.conf file to state that this is https. But when I start apache, it tries to goto https and prompts for pass phrase. How does apache determine that this is https whereas this is actually a http server.

Perhaps mod_ssl is a compiled-in module. Run 'httpd -l' to check this.

> After I enter a passphrase, it shows successful but the server never starts up. Can someone please help?

The reason probably can be found in Apache's error_log file.

> Also can apache support both http and https at different ports at the same time?

Yes. The defaults are port 80 for http and port 443 for https.

--
Omar W. Hannet
http://www.allez-oop.net/
Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
I've learned that I can fix this problem by not using an external style sheet. This only affects IE6 on XP without SP2. Everyone else seems to be able to view my pages fine, and even these problematic IE6/XP customers can view pages with external style sheets that are not using HTTPS.

Specifically, if I delete this line from my HTML:

    <link rel="stylesheet" type="text/css" href="https://www.beileysoftware.com/main.css">

then these problematic browsers can view the page fine.

I've also changed the HTML to include the exact contents of the style sheet inline, and this works fine. It is only when the style sheet is external that the browser can't display the contents.

If I leave the external style sheet in place, I can see in the logs the browser requesting the page and then the style sheet. Both are returned with no errors, but the browser just sits there with a blank page, and never really finishes. It seems like it is waiting for something to complete, but it never finishes.

I'm guessing this was some bug in early versions of IE6, but does anyone know what the specific problem is, and how I can fix it by configuring Apache differently?

Thanks,
Mark
http://www.beiley.com

> Hello,
>
> Several customers are not able to access my server via HTTPS. Their browser just sits there, and doesn't display anything.
>
> I've determined the common properties of these cases to be:
>
>     Windows XP (all of them without SP2)
>     Internet Explorer 6
>
> I can see their requests show up fine in my log files, without errors. These customers can visit other HTTPS sites. My site works fine for the vast majority of people.
>
> I'm stumped on the next step to try and debug the problem. Any suggestions?
>
> My server configuration:
>
>     Apache 2.0.54 with mod_ssl and mod_deflate, running on Windows XP
>
> For an example URL, try: https://www.beileysoftware.com/handy.html
>
> Thanks,
> Mark
> http://www.beiley.com
Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
Hi Mark,

Did you try Google http://www.google.com/search?q=Starfield+cert+ie6? I guess, the root certificate causes the trouble.

Sven.

Mark Beiley wrote:
> Hi Sven,
>
> Thanks for the reply. I believe I have KeepAlive off for this browser. In my ssl.conf file I have:
>
> SetEnvIf User-Agent .*MSIE.* \
>     nokeepalive ssl-unclean-shutdown \
>     downgrade-1.0 force-response-1.0
>
> Thanks,
> Mark
> http://www.beiley.com

--
Sven Geisler [EMAIL PROTECTED] Tel +49.30.921017.81 Fax .50
Senior Developer, AEC/communications GmbH Co. KG Berlin, Germany
Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
Hi Sven,

Interesting... I hadn't thought of that. I know some other sites using a Starfield certificate. I'll see if these customers experience the same problem when they go there.

Thanks for your help!
Mark
http://www.beiley.com

----- Original Message -----
From: Sven Geisler [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Thursday, June 07, 2007 11:30 PM
Subject: Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)

> Hi Mark,
>
> Did you try Google http://www.google.com/search?q=Starfield+cert+ie6? I guess, the root certificate causes the trouble.
>
> Sven.
Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
Hello,

Several customers are not able to access my server via HTTPS. Their browser just sits there, and doesn't display anything. I've determined the common properties of these cases to be:

Windows XP (all of them without SP2)
Internet Explorer 6

I can see their requests show up fine in my log files, without errors. These customers can visit other HTTPS sites. My site works fine for the vast majority of people. I'm stumped on the next step to try and debug the problem. Any suggestions?

My server configuration: Apache 2.0.54 with mod_ssl and mod_deflate, running on Windows XP

For an example URL, try: https://www.beileysoftware.com/handy.html

Thanks,
Mark
http://www.beiley.com
Re: Apache 2.0 + mod_ssl problems with IE6 on XP (no SP2)
Hi Sven,

Thanks for the reply. I believe I have KeepAlive off for this browser. In my ssl.conf file I have:

SetEnvIf User-Agent .*MSIE.* \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

Thanks,
Mark
http://www.beiley.com

> Hi Mark,
>
> Do you have KeepAlive on in your server config for this browser?
>
> Sven.
Apache with Mod_SSL installation problems
Hope this is the right place to ask this question. Please direct me to another list if I'm off-topic here.

I'm trying to install Apache 1.3.31 with Mod_SSL on a Windows Server 2003 box, ultimately for Apache-MySQL-PHP applications. I have it all set up OK on my desktop and thought it would be simple to do the same on the server, but Apache is unable to access httpd.conf and the PHP DLLs.

Obviously it's a permissions problem, but I logged in as a local administrator for the installation, which I've been told by the server administrator is a 'local user'. He doesn't understand why Apache would be denied permission to access httpd.conf, and I'm at a loss to explain why this is happening.

Can anyone enlighten me how to proceed? Thanks in advance.

David
Re: Apache and MOD_SSL
On Mon, Dec 27, 2004 at 11:06:21PM -0500, leandro asnaghi-nicastro wrote:
> $ openssl s_client -connect def.con.ca:443
> CONNECTED(0003)
> 24271:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:

That's usually what happens if the server is responding in HTTP instead of HTTPS. You could try adding -state -debug to the openssl s_client command to get more info. Also check your error log on the server, it should have something about invalid method.

If def.con.ca is in fact the host with the problem, then I get the following with -debug:

[SNIP]
 - 3c 21 44 4f 43 54 59    <!DOCTY

The <!DOCTY should never be sent in plain text over an SSL encrypted connection, so I'm quite sure SSL isn't on.

> Further reading online: add SSLEngine on within the Virtual Host setting (I'm guessing they meant in mod_ssl.conf?) and that is done.

It has to go inside the VirtualHost block for the port 443 vhost. You also need a few other settings there pointing to the certificates. You could try posting the ssl related part of that vhost.

> [EMAIL PROTECTED]:/etc/apache# netstat -tln | grep 443
> tcp        0      0 0.0.0.0:443        0.0.0.0:*        LISTEN
>
> Okay, so I'm not that off.

Certainly there is something listening on port 443 - the s_client error would have been different if there was nothing on that port.

> Obviously I am doing something wrong, albeit I am at a loss as to what exactly I screwed up. Can someone kindly kick me in the right direction?

It still looks like you don't have SSLEngine on in the right place.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
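The check described in the reply above (a port 443 listener that answers a TLS ClientHello with plain HTML), written as an added Python example that is not part of the thread. The function names are hypothetical, and the listener is a constructed stand-in for a vhost without SSLEngine on, so the block runs offline.

```python
import socket
import ssl
import threading


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server sends back after a TLS ClientHello."""
    if not data:
        return "no-data"
    # A TLS record starts with a content type (0x16 handshake, 0x15 alert)
    # followed by the protocol major version 0x03.
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    # Plain HTTP: a status line, or a bare HTML error page such as the
    # "<!DOCTY" bytes (3c 21 44 4f 43 54 59) quoted from the -debug dump.
    head = data[:16].lstrip().upper()
    if head.startswith((b"HTTP/", b"<!DOCTY", b"<HTML")):
        return "plaintext-http"
    return "unknown"


def client_hello_bytes(server_name: str) -> bytes:
    """Let the ssl module build a real ClientHello without using the network."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is queued, the peer has not answered
    return outgoing.read()


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello_bytes(host))
        try:
            data = sock.recv(64)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_first_bytes(data)


def start_plaintext_listener() -> int:
    """Constructed stand-in for a vhost on 443 that never enabled SSL.

    It ignores what it receives and answers with an HTML error page, which is
    the behaviour the thread diagnoses. Returns the loopback port it uses.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # the ClientHello, which a plain HTTP server cannot parse
            conn.sendall(b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n'
                         b"<html><body><h1>Bad Request</h1></body></html>\n")
            conn.shutdown(socket.SHUT_WR)
            conn.settimeout(1.0)
            try:
                while conn.recv(4096):
                    pass  # drain until the client closes, so the reply is not reset
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    demo_port = start_plaintext_listener()
    print("127.0.0.1:%d ->" % demo_port, probe("127.0.0.1", demo_port))
```

A result of "plaintext-http" on the HTTPS port corresponds to the "unknown protocol" error from openssl s_client; a correctly configured SSL vhost yields "tls".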
Apache and MOD_SSL
Hello everyone. I apologize for disturbing with this request, but I am a little stumped.

I have Linux Slackware 2.4 on a Duron 700 with 150 MB of ram or so. I wanted access to SquirrelMail and I wanted to be able to do so with https, so that I was secure when doing it outside of the local network.

Despite generating the keys (password free) and signing them, configuring to what I believed to be correct (obviously not) conf files for mod_ssl and httpd, I get the following error:

$ openssl s_client -connect def.con.ca:443
CONNECTED(0003)
24271:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:

I did some searching online and reading around; someone suggested that I'd add the following to httpd.conf:

LoadModule ssl_module libexec/libssl.so
AddModule mod_ssl.c

There is no need:

[EMAIL PROTECTED]:/etc/apache# apachectl configtest
[Mon Dec 27 22:08:58 2004] [warn] module ssl_module is already loaded, skipping
[Mon Dec 27 22:08:58 2004] [warn] module mod_ssl.c is already added, skipping

Further reading online: add SSLEngine on within the Virtual Host setting (I'm guessing they meant in mod_ssl.conf?) and that is done.

As well it was suggested that there may be a lack of directory. That's present as well.

Checking the status:

[EMAIL PROTECTED]:/etc/apache# netstat -tln | grep 443
tcp        0      0 0.0.0.0:443        0.0.0.0:*        LISTEN

Okay, so I'm not that off.

Obviously I am doing something wrong, albeit I am at a loss as to what exactly I screwed up. Can someone kindly kick me in the right direction?

leandro
--
leandro asnaghi-nicastro - editor in chief - [EMAIL PROTECTED]
capital of nasty electronic magazine - http://con.ca/
irc.con.ca #con / icq uin 889318 / msn [EMAIL PROTECTED]
more annoying than any other leading brand
Apache 1.3.26 + mod_ssl 2.8.10 + OpenSSL 0.9.7a + ubsec engine questions
Hi,

Currently I'm setting up a Broadcom 5820 accelerator on the company's web server. Everything seems to work. I compiled mod_ssl with experimental code enabled; when I start Apache the module for the Broadcom card gets used. When I do requests to Apache, the statistics program of the Broadcom card shows that the card is used. Everything seems fine.

But I stress test the apache and to my surprise the result doesn't look good at all:

27 hits/sec without broadcom card
28 hits/sec with broadcom card (ubsec engine)

So I suppose something in my config is wrong or the card is unusable.

So I'm asking for help if someone has ever made apache working with ubsec engine and similar card and does he have similar results. And if someone has better results what he did in order to achieve them.

Here is my setup:

Slackware Linux 8.1
Apache 1.3.26 + mod_ssl 2.8.10 + OpenSSL 0.9.7a
bcm 1.81 driver

Regards
Kostadin Galabov
System Administrator
Netclime Inc.
RE: Linux Red Hat 7.2 + openSSL 0.9.7 + Apache 1.3.27 + mod_ssl 2.8.12 = PROBLEMS!!!
-----Original Message-----
From: Boyle Owen [mailto:[EMAIL PROTECTED]]
Sent: 25 February 2003 15:15
To: [EMAIL PROTECTED]
Subject: RE: Linux Red Hat 7.2 + openSSL 0.9.7 + Apache 1.3.27 + mod_ssl 2.8.12 = PROBLEMS!!!
Sensitivity: Confidential

> Why is apachectl in /usr/sbin/apachectl? This sounds like the default installation that came with RH. Your apachectl and httpd should be in /home/aspco1/apache_1.3.27/bin. What happens if you do /home/aspco1/apache_1.3.27/bin/apachectl startssl? I think this is your MAIN problem...

You should be able to install this on Red Hat with no problems (I haven't tried it yet though. Compiling openssl 0.9.7 on Red Hat 7.2 and above is on my todo list).

Remove the Red Hat apache, modssl and mm packages first with:

rpm -e mm apache modssl

You might find you have other packages installed, eg php. You'll need to remove these too.

DON'T REMOVE THE REDHAT OPENSSL PACKAGE. You'll have even more problems if you do...

Like Owen, I don't think you can build mod_ssl without mm either.

-
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
Linux Red Hat 7.2 + openSSL 0.9.7 + Apache 1.3.27 + mod_ssl 2.8.12 = PROBLEMS!!!
Hi, everything is in the subject! I installed everything following this procedure:

$ ./config --prefix=/home/aspco1/openSSL
$ make
$ make test
$ make install

# extract the packages
$ gzip -d -c apache_1.3.27.tar.gz | tar xvf -
$ gzip -d -c mod_ssl-2.8.12-1.3.27.tar.gz | tar xvf -

# apply mod_ssl to Apache source tree
$ cd /mod_ssl-2.8.12-1.3.27
$ ./configure --with-apache=../apache_1.3.27
$ cd ..

# build/install Apache with mod_ssl
$ cd apache_1.3.27
$ SSL_BASE=/home/aspco1/openSSL
$ ./configure --prefix=/home/aspco1/apache_1.3.27 --enable-module=proxy --enable-module=ssl
$ make
$ make certificate TYPE=test
$ make install
$ cd ..

# cleanup after work
$ rm -rf mod_ssl-2.8.12-1.3.27
$ rm -rf apache_1.3.27

Everything seems to be ok, but when I try to start the web server:

$ apachectl start
Ouch! ap_mm_create(1048576, /var/run/httpd.mm.22620) failed
Error: MM: mm:core: failed to open semaphore file (Permission denied): OS: No such file or directory
/usr/sbin/apachectl start: httpd could not be started

Even bad with SSL:

$ apachectl startssl
usage: /usr/sbin/apachectl (start|stop|restart|fullstatus|status|graceful|configtest|help)

start      - start httpd
stop       - stop httpd
restart    - restart httpd if running by sending a SIGHUP or start if not running
fullstatus - dump a full status screen; requires lynx and mod_status enabled
status     - dump a short status screen; requires lynx and mod_status enabled
graceful   - do a graceful restart by sending a SIGUSR1 or start if not running
configtest - do a configuration syntax test
help       - this screen

(startssl is not recognized!!!), and finally:

$ httpd -l
Compiled-in modules:
  http_core.c
  mod_so.c
suexec: enabled; valid wrapper /usr/sbin/suexec

Even if I compiled with --enable-module=proxy --enable-module=ssl options I can't see proxy and ssl modules in the list of compiled-in modules!!!

What's happening???

thanks
Sergio
RE: Linux Red Hat 7.2 + openSSL 0.9.7 + Apache 1.3.27 + mod_ssl 2.8.12 = PROBLEMS!!!
Plain text please.. Now you have to plough through the mail below to find my comments

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

-----Original Message-----
From: Zampognaro Sergio [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 25 February 2003 15:05
To: [EMAIL PROTECTED]
Subject: Linux Red Hat 7.2 + openSSL 0.9.7 + Apache 1.3.27 + mod_ssl 2.8.12 = PROBLEMS!!!
Importance: High
Sensitivity: Confidential

> Hi, everything is in the subject! I installed everything following this procedure:
>
> $ ./config --prefix=/home/aspco1/openSSL
> $ make
> $ make test
> $ make install
>
> # extract the packages
> $ gzip -d -c apache_1.3.27.tar.gz | tar xvf -
> $ gzip -d -c mod_ssl-2.8.12-1.3.27.tar.gz | tar xvf -
>
> # apply mod_ssl to Apache source tree
> $ cd /mod_ssl-2.8.12-1.3.27
> $ ./configure --with-apache=../apache_1.3.27
> $ cd ..
>
> # build/install Apache with mod_ssl
> $ cd apache_1.3.27
> $ SSL_BASE=/home/aspco1/openSSL
> $ ./configure --prefix=/home/aspco1/apache_1.3.27 --enable-module=proxy --enable-module=ssl
> $ make
> $ make certificate TYPE=test
> $ make install
> $ cd ..
>
> # cleanup after work
> $ rm -rf mod_ssl-2.8.12-1.3.27
> $ rm -rf apache_1.3.27
>
> Everything seems to be ok, but when I try to start the web server:
>
> $ apachectl start
> Ouch! ap_mm_create(1048576, /var/run/httpd.mm.22620) failed
> Error: MM: mm:core: failed to open semaphore file (Permission denied): OS: No such file or directory
> /usr/sbin/apachectl start: httpd could not be started

Why is apachectl in /usr/sbin/apachectl? This sounds like the default installation that came with RH. Your apachectl and httpd should be in /home/aspco1/apache_1.3.27/bin. What happens if you do /home/aspco1/apache_1.3.27/bin/apachectl startssl? I think this is your MAIN problem... Be certain you are executing the right apache before proceeding!

Also, did you install the MM shared memory library (http://www.ossp.org/pkg/lib/mm/)? I don't think it is entirely necessary although I've never installed without it.

> Even bad with SSL:
>
> $ apachectl startssl
> usage: /usr/sbin/apachectl (start|stop|restart|fullstatus|status|graceful|configtest|help)
>
> start      - start httpd
> stop       - stop httpd
> restart    - restart httpd if running by sending a SIGHUP or start if not running
> fullstatus - dump a full status screen; requires lynx and mod_status enabled
> status     - dump a short status screen; requires lynx and mod_status enabled
> graceful   - do a graceful restart by sending a SIGUSR1 or start if not running
> configtest - do a configuration syntax test
> help       - this screen
>
> (startssl is not recognized!!!), and finally:
>
> $ httpd -l
> Compiled-in modules:
>   http_core.c
>   mod_so.c
> suexec: enabled; valid wrapper /usr/sbin/suexec
>
> Even if I compiled with --enable-module=proxy --enable-module=ssl options I can't see proxy and ssl modules in the list of compiled-in modules!!!
>
> What's happening???
>
> thanks
> Sergio
Patches and Enhancements for a SSL-Proxy Based on Apache 2.0 (mod_ssl, mod_proxy, mod_headers)
Hello All,

I want to provide updated information on my earlier described scenario using mod_ssl + mod_proxy + mod_headers:

Component: Web Browser --- Proxy (mod_proxy)       --- Web Server
SSL Role:  SSL Client  --- SSL Server | SSL Client --- SSL Server

The following discussion focuses on Apache 2.0.43 and 2.0.44.

I have implemented a solution to transfer the Web browser's client certificate (and other SSL information) to the backend Web server:

Component: Web Browser --- Proxy (mod_proxy)       --- Web Server
SSL Role:  SSL Client  --- SSL Server | SSL Client --- SSL Server
           Client Cert (and other SSL information) -- Transfer as HTTP Headers

The problem was that mod_headers' RequestHeader directive didn't really match the requirements.

RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e

is not a practical solution to forward the client's certificate to the backend server for the following reasons:

1. SSL_CLIENT_CERT produces multi-line output and the RequestHeader directive isn't able to transfer it into a correct multi-line HTTP header.
2. The decorations (-----BEGIN/END CERTIFICATE-----) and the multi-line format are not very useful in this scenario.

Therefore I have introduced the option E in addition to e for putting environment variables in headers. The E has the following meaning:

%{FOOBAR}E   The base64 encoded content of the environment variable FOOBAR. If the environment variable already contains a base64 encoded body (e.g. SSL_CLIENT_CERT) the body will be set as the value of the header variable. The result is in any case a single line of base64 characters only.

This behavior serves two requirements:

1. There is no problem escaping special characters when putting other SSL information in HTTP headers. In many cases, SSL_CLIENT_S_DN will probably contain characters that have to be escaped.
2. Reduces the overhead produced by decorations and multi-line format.

Here is an example for forwarding the SSL Client Certificate and other SSL information:

RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}E env=SSL_CLIENT_S_DN
RequestHeader set SSL_CLIENT_CERT_CHAIN_0 %{SSL_CLIENT_CERT_CHAIN_0}E env=SSL_CLIENT_CERT_CHAIN_0
RequestHeader set SSL_CLIENT_CERT_CHAIN_1 %{SSL_CLIENT_CERT_CHAIN_1}E env=SSL_CLIENT_CERT_CHAIN_1
RequestHeader set SSL_CIPHER_USEKEYSIZE %{SSL_CIPHER_USEKEYSIZE}e env=SSL_CIPHER_USEKEYSIZE
RequestHeader set SSL_CIPHER_SUITE %{SSL_CIPHER}e env=SSL_CIPHER

To make this work I also patched two other things:

1. mod_headers' RequestHeader directive wasn't able to take an env clause as a fourth argument in contrast to the Header directive. I don't know the reason for that behavior, but the env clause seems to work fine with the SSL environment variables for RequestHeaders. This was necessary to avoid an empty header if the environment variable isn't present. If there are objections, let me know.
2. SSL_CLIENT_CERT_CHAIN_n is broken. To me it seems that somebody has tried to change SSL_CLIENT_CERT_CHAINn to SSL_CLIENT_CERT_CHAIN_n. However, the introduction of the _ wasn't quite consistent. I patched that and now I can see the intermediate CAs as SSL_CLIENT_CERT_CHAIN_0 to SSL_CLIENT_CERT_CHAIN_n in the environment.

Last but not least I have updated the mod_headers documentation with the new option E and an example for forwarding the Web browser's client certificate and some other SSL information.

I think the described patches and enhancements are quite reasonable and I would like to make them part of the standard Apache distribution. I have already produced a patch file that works for Apache 2.0.43 and 2.0.44. I would appreciate guidance on how to proceed.

Comments welcome!

Regards,
Maik

Maik Mueller
Development Architect
SAP
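The header encoding proposed in the message above, modelled as an added Python example (not the patch's C code and not part of the thread). It goes one step beyond the post: the proxy model drops any client-supplied copies of the managed header names before setting its own, since with the env= condition a header is left unset when no client certificate was presented. Function names and the sample bytes are constructed for illustration.

```python
import base64
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
B64_LINE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# (header name, environment variable, format letter, variable that must be set),
# taken from the RequestHeader lines in the post.
RULES = [
    ("SSL_CLIENT_CERT", "SSL_CLIENT_CERT", "E", "SSL_CLIENT_S_DN"),
    ("SSL_CIPHER_USEKEYSIZE", "SSL_CIPHER_USEKEYSIZE", "e", "SSL_CIPHER_USEKEYSIZE"),
    ("SSL_CIPHER_SUITE", "SSL_CIPHER", "e", "SSL_CIPHER"),
]

# Constructed bytes standing in for a DER certificate (not a parseable one).
SAMPLE_DER = bytes(range(200))


def sample_pem() -> str:
    """Wrap SAMPLE_DER the way SSL_CLIENT_CERT is described: decorated, multi-line."""
    b64 = base64.b64encode(SAMPLE_DER).decode("ascii")
    body = "\n".join(textwrap.wrap(b64, 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def encode_E(value: str) -> str:
    """Model of %{VAR}E: always a single line of base64 characters."""
    match = PEM_RE.search(value)
    if match:
        # Already base64 inside decorations: keep the body, drop line breaks.
        body = "".join(match.group(2).split())
        base64.b64decode(body, validate=True)  # raises ValueError if not base64
        return body
    # Anything else (for example a DN with special characters) is encoded.
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def _normalise(name: str) -> str:
    return name.upper().replace("-", "_")


def proxy_request_headers(client_headers: dict, env: dict) -> dict:
    """Build the headers the proxy sends to the backend."""
    managed = {name for name, _, _, _ in RULES}
    # Hardening assumption added here: never pass through a client-supplied
    # header whose name collides with one the proxy is responsible for.
    out = {k: v for k, v in client_headers.items() if _normalise(k) not in managed}
    for name, var, fmt, condition in RULES:
        if condition in env and var in env:
            out[name] = encode_E(env[var]) if fmt == "E" else env[var]
    return out


def backend_client_cert_pem(headers: dict):
    """Backend side: turn the single-line header back into a PEM block."""
    value = headers.get("SSL_CLIENT_CERT")
    if value is None:
        return None  # no client certificate was presented to the proxy
    if not B64_LINE.fullmatch(value):
        raise ValueError("SSL_CLIENT_CERT is not a single base64 line")
    der = base64.b64decode(value, validate=True)
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


if __name__ == "__main__":
    env = {"SSL_CLIENT_CERT": sample_pem(), "SSL_CLIENT_S_DN": "/C=DE/CN=constructed",
           "SSL_CIPHER": "constructed-cipher", "SSL_CIPHER_USEKEYSIZE": "128"}
    for key, val in proxy_request_headers({"ssl-client-cert": "Zm9yZ2Vk"}, env).items():
        print("%s: %s" % (key, val))
```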
RE: Patches and Enhancements for a SSL-Proxy Based on Apache 2.0 (mod_ssl, mod_proxy, mod_headers)
> Cool.. Can you please post the patch to the list, so that ppl can review the code, and give their comments.
> -Madhu

No problem! Here is my short README describing the patch and its history from Apache version 2.0.43 to 2.0.44:

Hello!

This is the distribution point for the Apache 2.0 as SSL Intermediary Patch. Currently you need this patch to use Apache 2.0 as a trusted intermediary in configuration with the SAP J2EE Engine. The patch is subject to become part of the standard Apache 2.0 distribution.

Feedback welcome!
Maik ([EMAIL PROTECTED])

INSTRUCTIONS:
- extract the Apache 2.0.43 distribution (httpd-2.0.43.tar.gz)
- change directory to httpd-2.0.43
- apply the patch with -p1 (patch -p1 < Apache-2.0.43-SSLintermediary.patch)
- follow the Apache INSTALL instructions

HISTORY:

02-12-30 initial release (available SAP internal)

03-01-07 httpd-2.0.43-patched-as-SSLintermediary.zip added
In this ZIP archive the Apache-2.0.43-SSLintermediary.patch is already applied. More convenient for users not so familiar with the usage of diff patch.

03-01-08 httpd-2.0.43-win32-src-patched-as-SSLintermediary.zip added
You cannot use the UNIX source to build the WIN32 binaries. This ZIP archive contains the already patched version of httpd-2.0.43-win32-src. Use it to build the WIN32 binaries. If you want to apply Apache-2.0.43-SSLintermediary.patch to the original httpd-2.0.43-win32-src be aware that you have to convert CR-LFs in CR before applying the patch. In the successfully patched files you can again expand CR to CR-LF.

03-01-20 Bug in base 64 padding found.
The calculation of the number of padding characters ('=') needed computes wrong results in some cases.

03-02-07 Apache 2.0.44 Released
Apache-2.0.44-SSLintermediary.patch corresponds to httpd-2.0.44.tar.gz
The documentation changes are NO longer part of the patch. Download mod_headers_mai.html.en for proposed documentation changes. SSLproxy.conf is a good example for a proxy's mod_ssl configuration.
The SAP proposed header names are use in the example added to the mod_headers documentation (see mod_headers_mai.html.en). And here follows the patch (My proposed changes to the HTML docu are now not included in the patch. Please advice me if and how to post this changes to mod_headers.html.en): --- httpd-2.0.44.ori/modules/metadata/mod_headers.c Mon Nov 4 19:31:57 2002 +++ httpd-2.0.44/modules/metadata/mod_headers.c Fri Feb 7 18:00:18 2003 @@ -109,6 +109,7 @@ #include apr_lib.h #include apr_strings.h #include apr_buckets.h +#include apr_base64.h #include apr_hash.h #define APR_WANT_STRFUNC 
@@ -198,6 +199,62 @@ else return (null); } + +/* Base 64 encoded ASN.1 data is usually tagged with decorations of + * the following style: + * -BEGIN description- + * base64 encoded body + * -END description- + * The defines are used to search for such decorations. + */ +#define DECORATION_MARKER_BEGIN -BEGIN +#define DECORATION_MARKER_END -END +#define DECORATION_EOF_MARKER - + +static const char *header_request_env_varB64(request_rec *r, char *a) +{ + const char *s = apr_table_get(r-subprocess_env,a); + char *pStartBody = NULL; + char *pBehindBody = NULL; + char *ptr; + + if (s) { +/* search for decorations marking encapsulated base64 encoded data */ +ptr = strstr((char *)s, DECORATION_MARKER_BEGIN); +if (ptr) { + ptr = strstr(ptr + strlen(DECORATION_MARKER_BEGIN), DECORATION_EOF_MARKER); + if (ptr (ptr + strlen(DECORATION_EOF_MARKER) + 1) != '\0') { + /* explicit check that there are sitll chars in the string */ + pStartBody = ptr + strlen(DECORATION_EOF_MARKER) + 1; + + ptr = strstr(pStartBody, DECORATION_MARKER_END); + if (ptr strstr(ptr, DECORATION_EOF_MARKER)) + pBehindBody = ptr; + } +} + +if (pStartBody pBehindBody) { + /* encapsulated base64 encoded data found */ + /* all except the body will be skipped */ + *pBehindBody = '\0'; + apr_base64_cleanB64(pStartBody); + return pStartBody; +} else { + /* call apr_base64_encode() to encode the data */ + int inlen = strlen(s); + int outsize = apr_base64_encode_len(inlen); + char *encoded = apr_palloc(r-pool, outsize); + int rc = apr_base64_encode(encoded, s, inlen); + if (rc outsize) + return (null); + else + return encoded; +} + } + else +return (null); +} + /* * Config routines */ @@ -407,7 +464,7 @@ /* Handle the envclause on Header */ if (envclause != NULL) { -if (inout != hdr_out) { +if (inout != hdr_out inout != hdr_in) { return error: envclause (env=...) only valid on Header directive; } if (strncasecmp(envclause, env=, 4) != 0) { @@ -448,12 +505,23 @@ return
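Review bot: header_request_env_varB64() modifies the environment value in place. s is the const char * returned by apr_table_get(r-subprocess_env,a), the const is cast away for strstr(), and then *pBehindBody = '\0' and apr_base64_cleanB64(pStartBody) write into that same buffer, so every later reader of the variable in this request sees a truncated value, and a second %{...}E expansion of the same variable no longer finds the END marker and falls into the apr_base64_encode() branch. Copy the body into r->pool first (for example with apr_pstrmemdup) and clean the copy, returning that. As the line reads here, the test (ptr + strlen(DECORATION_EOF_MARKER) + 1) != '\0' also compares a pointer rather than the character it points to, which is not what the comment next to it describes.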
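Review bot: in the envclause hunk, the condition now also accepts hdr_in, but the error string still says the envclause is "only valid on Header directive". Update the message to name both Header and RequestHeader so that an administrator who hits it is told accurately where env= is accepted.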
Apache 1.3.27 mod_ssl 2.8.12 openssl 0.9.6g Upgrade
Hi,

We plan on upgrading to Apache 1.3.27 mod_ssl 2.8.12 openssl 0.9.6g from Apache 1.3.26 mod_ssl 2.8.10 openssl 0.9.6d on Windows. We are considering the following two options:

Option A: Download the Apache_1.3.27-Mod_SSL_2.8.12-OpenSSL_0.9.6g-Win32.zip file, unzip it and copy over the files to the current installation directory, overwriting the old files with the new files (excluding the conf and certificate files, etc).

Option B: Re-Install Apache 1.3.27 (preserve the config and certificate files during the installation) and then copy over the unzipped files from the above zip file to the installation directory.

Which of the above two options is recommended and which one is the best way to upgrade this server on Windows? Any advice would be greatly appreciated.

Thanks and Regards,
Bye,
-Jim.
Re: Apache 1.3.27 mod_ssl 2.8.12 openssl 0.9.6g Upgrade
Small Correction: Read first line of Option B as: Fresh install of Apache 1.3.27 using apache_1.3.27-win32-x86-no_src.msi at the current Apache 1.3.26 installation location.

From: Jim Lee [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Apache 1.3.27 mod_ssl 2.8.12 openssl 0.9.6g Upgrade
Date: Fri, 15 Nov 2002 20:38:53 +

> Hi,
>
> We plan on upgrading to Apache 1.3.27 mod_ssl 2.8.12 openssl 0.9.6g from Apache 1.3.26 mod_ssl 2.8.10 openssl 0.9.6d on Windows. We are considering the following two options:
>
> Option A: Download the Apache_1.3.27-Mod_SSL_2.8.12-OpenSSL_0.9.6g-Win32.zip file, unzip it and copy over the files to the current installation directory, overwriting the old files with the new files (excluding the conf and certificate files, etc).
>
> Option B: Re-Install Apache 1.3.27 (preserve the config and certificate files during the installation) and then copy over the unzipped files from the above zip file to the installation directory.
>
> Which of the above two options is recommended and which one is the best way to upgrade this server on Windows? Any advice would be greatly appreciated.
>
> Thanks and Regards,
> Bye,
> -Jim.
apache and mod_ssl
hi guys!

i have the following question: i installed an apache webserver with mod_ssl. on this server several projects are available. what i want is that only one directory (project) is accessible via https/ssl (only https/ssl) for all users (also internet) and the rest of the site should ONLY be accessible via http.

is that possible? i played around with my httpd.conf, but i didn't get it.

thx
steve
RE: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2
Hi John Yeah, I just wanted to make sure that your chain file was setup correctly which it seems to be. Unfortunately I have only used Apache 1.3.x and I haven't used any chain certificates as yet (just used my own generated certificates). The only thing I can think of is to compare the CA details in the Netscape truststore to the details of the CA available on the Apache side (using openssl to view it), just to eleminate that possibility. Try joining the netscape security mailing list and see if you can get any info there?? Regards Jose -Original Message- From: J. B. Chambers [mailto:[EMAIL PROTECTED]] Sent: 10 October 2002 20:56 To: [EMAIL PROTECTED] Subject: Re: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2 [I had to be out of the office, sorry to be slow in following up] Thanks for the reply, Jose. Either I posed my question poorly or I don't understand your answer. I have two servers running (they are on the same host (distinguished ports), the CN value in the certificate won't be an issue). One is Apache1+modssl-addon, the other is Apache2+modssl-builtin. Both are set up with a copy of our secure server certificate from Verisign (SSLCertificateFile), and the Verisign-provided intermediate certificate (SSLCertificateChainFile). (And of course both have the same SSLCertificateKeyFile). Now. When I point IE6 (or Opera) at either server, it recognizes the intermediate certificate, figures out that it knows who Verisign is (in its list of known CAs), and trusts our Verisign-issued server cert. If I point Netscape at the Apache1 version, it behaves in this way also. If I now point Netscape at the trial Apache2 setup, it claims that (as noted) the server cert was issued by an unrecognized CA. So .. the only way I can articulate this situation is .. 
that there is some difference in the way the mod_ssl addon for Apache 1 and the mod_ssl builtin for Apache 2 delivers intermediate certificate chain info, and that only Netscape seems to be sensitive to the difference. Jose Correia (J) wrote: To my knowledge the Netscape behaviour is actually the normal one. If the server certificate is not installed in their browser Trusted certificate store (ot its higher parent) then there is no way its going to recognize it as a trusted certificate. Regards Jose -Original Message- From: J. B. Chambers [mailto:[EMAIL PROTECTED]] Sent: 03 October 2002 17:41 To: [EMAIL PROTECTED] Subject: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2 Hi. My production server is currently running Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g and I'm test driving Server: Apache/2.0.42 (Unix) mod_ssl/2.0.42 OpenSSL/0.9.6g I have a secure server certificate from Verisign, and the intermediate cert from their website installed as the SSLCertificateChainFile. Things work fine on the production platform. On the test platform, things work fine using IE6 or Opera as the browser, and the certificate details are okay on inspection. However, Netscape 7 (and also Mozilla, BTW) returns the error The certificate was issued by a certificate authority that Netscape 7.0 does not recognize which would seem to be a cert chain problem. Probing with openssl s_client does not suggest a server problem. You can, of course, just tell NS7 to permanently accept the cert and continue, but it's upsetting to some users to have to do that. Info at mozilla.org suggests that, at least up til recently, there have been known SSL/TLS issues, but I don't see anything quite like this. Anyone with a similar experience/problem/solution? Thanks in advance. 
John Chambers [EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
Re: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2
[I had to be out of the office, sorry to be slow in following up] Thanks for the reply, Jose. Either I posed my question poorly or I don't understand your answer. I have two servers running (they are on the same host (distinguished ports), the CN value in the certificate won't be an issue). One is Apache1+modssl-addon, the other is Apache2+modssl-builtin. Both are set up with a copy of our secure server certificate from Verisign (SSLCertificateFile), and the Verisign-provided intermediate certificate (SSLCertificateChainFile). (And of course both have the same SSLCertificateKeyFile). Now. When I point IE6 (or Opera) at either server, it recognizes the intermediate certificate, figures out that it knows who Verisign is (in its list of known CAs), and trusts our Verisign-issued server cert. If I point Netscape at the Apache1 version, it behaves in this way also. If I now point Netscape at the trial Apache2 setup, it claims that (as noted) the server cert was issued by an unrecognized CA. So .. the only way I can articulate this situation is .. that there is some difference in the way the mod_ssl addon for Apache 1 and the mod_ssl builtin for Apache 2 delivers intermediate certificate chain info, and that only Netscape seems to be sensitive to the difference. Jose Correia (J) wrote: To my knowledge the Netscape behaviour is actually the normal one. If the server certificate is not installed in their browser Trusted certificate store (ot its higher parent) then there is no way its going to recognize it as a trusted certificate. Regards Jose -Original Message- From: J. B. Chambers [mailto:[EMAIL PROTECTED]] Sent: 03 October 2002 17:41 To: [EMAIL PROTECTED] Subject: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2 Hi. 
My production server is currently running Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g and I'm test driving Server: Apache/2.0.42 (Unix) mod_ssl/2.0.42 OpenSSL/0.9.6g I have a secure server certificate from Verisign, and the intermediate cert from their website installed as the SSLCertificateChainFile. Things work fine on the production platform. On the test platform, things work fine using IE6 or Opera as the browser, and the certificate details are okay on inspection. However, Netscape 7 (and also Mozilla, BTW) returns the error The certificate was issued by a certificate authority that Netscape 7.0 does not recognize which would seem to be a cert chain problem. Probing with openssl s_client does not suggest a server problem. You can, of course, just tell NS7 to permanently accept the cert and continue, but it's upsetting to some users to have to do that. Info at mozilla.org suggests that, at least up til recently, there have been known SSL/TLS issues, but I don't see anything quite like this. Anyone with a similar experience/problem/solution? Thanks in advance. John Chambers [EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED] __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2
To my knowledge the Netscape behaviour is actually the normal one. If the server certificate is not installed in their browser Trusted certificate store (or its higher parent) then there is no way it's going to recognize it as a trusted certificate.

Regards
Jose

-Original Message-
From: J. B. Chambers [mailto:[EMAIL PROTECTED]]
Sent: 03 October 2002 17:41
To: [EMAIL PROTECTED]
Subject: NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2

Hi. My production server is currently running

Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g

and I'm test driving

Server: Apache/2.0.42 (Unix) mod_ssl/2.0.42 OpenSSL/0.9.6g

I have a secure server certificate from Verisign, and the intermediate cert from their website installed as the SSLCertificateChainFile. Things work fine on the production platform. On the test platform, things work fine using IE6 or Opera as the browser, and the certificate details are okay on inspection. However, Netscape 7 (and also Mozilla, BTW) returns the error

The certificate was issued by a certificate authority that Netscape 7.0 does not recognize

which would seem to be a cert chain problem. Probing with openssl s_client does not suggest a server problem. You can, of course, just tell NS7 to permanently accept the cert and continue, but it's upsetting to some users to have to do that. Info at mozilla.org suggests that, at least up til recently, there have been known SSL/TLS issues, but I don't see anything quite like this. Anyone with a similar experience/problem/solution? Thanks in advance.

John Chambers [EMAIL PROTECTED]
NS7 sees cert diff in Apache 1.3+mod_ssl and Apache 2
Hi. My production server is currently running

Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g

and I'm test driving

Server: Apache/2.0.42 (Unix) mod_ssl/2.0.42 OpenSSL/0.9.6g

I have a secure server certificate from Verisign, and the intermediate cert from their website installed as the SSLCertificateChainFile. Things work fine on the production platform. On the test platform, things work fine using IE6 or Opera as the browser, and the certificate details are okay on inspection. However, Netscape 7 (and also Mozilla, BTW) returns the error

The certificate was issued by a certificate authority that Netscape 7.0 does not recognize

which would seem to be a cert chain problem. Probing with openssl s_client does not suggest a server problem. You can, of course, just tell NS7 to permanently accept the cert and continue, but it's upsetting to some users to have to do that. Info at mozilla.org suggests that, at least up til recently, there have been known SSL/TLS issues, but I don't see anything quite like this. Anyone with a similar experience/problem/solution? Thanks in advance.

John Chambers [EMAIL PROTECTED]
RE: Apache 1.3.26 + mod_ssl 2.8.10 dumps core
Sorry for this blast-o-gram. I realized that the patch that I'd posted was totally a wrong one - and did not achieve what it was meant for :-(. For those interested, here's something which is pretty close to what I'd intented). Thanks -Madhu diff -ru mod_ssl-2.8.10-1.3.26/pkg.sslmod/ssl_engine_io.c apache_1.3.26/src/modules/ssl/ssl_engine_io.c --- mod_ssl-2.8.10-1.3.26/pkg.sslmod/ssl_engine_io.cFri Aug 2 13:44:24 2002 +++ apache_1.3.26/src/modules/ssl/ssl_engine_io.c Thu Aug 8 16:38:09 2002 @@ -346,6 +346,14 @@ if ((ssl = ap_ctx_get(fb-ctx, ssl)) != NULL) { rc = SSL_read(ssl, buf, len); + +c = (conn_rec *)SSL_get_app_data(ssl); +if (c-aborted) { +ssl-rwstate = SSL_NOTHING; +ssl_hook_CloseConnection(c); +return -1; +} + /* * Simulate an EINTR in case OpenSSL wants to read more. * (This is usually the case when the client forces an SSL @@ -380,6 +388,14 @@ if ((ssl = ap_ctx_get(fb-ctx, ssl)) != NULL) { rc = SSL_write(ssl, buf, len); + +c = (conn_rec *)SSL_get_app_data(ssl); +if (c-aborted) { +ssl-rwstate = SSL_NOTHING; +ssl_hook_CloseConnection(c); +return -1; +} + /* * Simulate an EINTR in case OpenSSL wants to write more. */ diff -ru mod_ssl-2.8.10-1.3.26/pkg.sslmod/ssl_engine_kernel.c apache_1.3.26/src/ modules/ssl/ssl_engine_kernel.c --- mod_ssl-2.8.10-1.3.26/pkg.sslmod/ssl_engine_kernel.cFri Aug 2 13:44 :24 2002 +++ apache_1.3.26/src/modules/ssl/ssl_engine_kernel.c Thu Aug 8 16:19:31 2002 @@ -457,6 +457,9 @@ if (ssl == NULL) return; +if (SSL_want_read(ssl) || SSL_want_write(ssl)) +return; + /* * First make sure that no more data is pending in Apache's BUFF, * because when it's (implicitly) flushed later by the ap_bclose() --- -Original Message- 
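Review bot: In both ssl_engine_io.c hunks the pointer returned by SSL_get_app_data(ssl) is dereferenced as c->aborted without a NULL check, and the abort branch returns -1 even when the SSL_read or SSL_write just above it succeeded, so the rc from that call is thrown away. Check c for NULL before testing aborted, and consider testing aborted before issuing the read or write rather than after it. The direct assignment ssl->rwstate = SSL_NOTHING reaches into OpenSSL's SSL structure and appears to exist only to get past the SSL_want_read/SSL_want_write guard this same patch adds in ssl_engine_kernel.c; say so in a comment. The declaration of c is not in the visible context, so confirm both functions declare it.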
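Review bot: In the ssl_engine_kernel.c hunk, the new early return on SSL_want_read(ssl) || SSL_want_write(ssl) skips the rest of the function, including the flush of Apache's BUFF that the comment right below it describes, and nothing in the hunk says who releases the connection's SSL state when that branch is taken. Add a comment stating why a connection with a pending read or write must not be closed here and where its SSL state is cleaned up instead; without that, the change risks trading the crash for a connection that is never shut down.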
From: MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) [mailto:[EMAIL PROTECTED]] Sent: Sunday, August 04, 2002 10:08 AM To: '[EMAIL PROTECTED]' Cc: '[EMAIL PROTECTED]' Subject: [PATCH - Apache 1.3] Apache 1.3.26 + mod_ssl 2.8.10 dumps core Hi, I'm not sure whom to approach for this problem - so I'm sending it to both the mailing lists. Here's a pretty easy way to reproduce the SEGV that I'm experiencing (on HP-UX 11.0 / 11i) 1. Download OpenSSL 0.9.6e, Apache 1.3.26 and mod_ssl 2.8.10 2. Build and install Apache (ofcourse with mod_ssl capability) 3. Set the Timeout to 20 secs (pl. note it's the hard timeout and not the keepalive / SSLSessionCacheTimeout) 4. Create a simple HTML file (/opt/apache/htdocs/a.html) as follows : --- html headtitleside_menu.htm/title/head body p/p pa href=./10mb.pdfpdf-test/font/a/p /body /html 5. And ofcourse, create /opt/apache/htdocs/10mb.pdf file. 6. Start Apache with SSL capability, and access the URL https://servername/a.html (Client browser was Win2K box/IE 5.5). 7. Right click on pdf-test, and select the Save as tab. This should bring up the Save As dialog box. 8. Don't do any thing - and you'll see a SEGV in /opt/apache/logs/error_log after about 20 secs. Now, is this the expected behavior? I don't believe so. A closer investigation seemed that mod_SSL had nothing to do with the core dump. It's the way a aborted connection was handled. The following patch seemed to resolve the core dump issue for me - but I don't believe it's the correct fix. Can somebody please evaluate the patch and let me know if it's okay? Also, I've not evaluated the side-effects of doing such a thing. [I don't know what's the difference b/w hard timeout and soft timeout - in the sense where/how should it be used. 
It'd be great if somebody could explain the difference] Thanks -Madhu $ cvs diff http_protocol.c Index: http_protocol.c === RCS file: /home/cvspublic/apache-1.3/src/main/http_protocol.c,v retrieving revision 1.325 diff -u -r1.325 http_protocol.c --- http_protocol.c 9 Jul 2002 15:26:26 - 1.325 +++ http_protocol.c 4 Aug 2002 16:54:45 - @@ -2362,7 +2362,7 @@ if (length == 0) return 0; -ap_soft_timeout(send body, r); +ap_hard_timeout(send body, r); while (!r-connection-aborted) { if ((length 0) (total_bytes_sent + IOBUFSIZE) length) __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
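Review bot: Switching ap_soft_timeout to ap_hard_timeout in this hunk changes core http_protocol.c, so it alters timeout handling for the body of every response, not only for SSL connections, and the loop directly below is still written around r->connection->aborted. A fix scoped to the SSL I/O and close path would be safer than changing the timeout type in the core; if the hard timeout stays, add a comment explaining why the send-body loop needs it.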
LoadModule mod_ssl.so fails with win 2000, apache 1.3.26, mod_ssl 2.8.10, openssl 0.9.6d
Hello,

Apache fails to start with message:

Syntax error on line 193 of c:/readybuilt_1.3.26_2.8.10/conf/httpd.conf: Cannot load c:/3party/apache/modules/mod_ssl.so into server: (182)

This fails both with my own build, and also the build at: http://www.modssl.org/contrib/Apache_1.3.26-Mod_SSL_2.8.10-OpenSSL_0.9.6d-Win32.zip

I have checked that the mod_ssl.so file is present, and not read only. The same symptoms were reported by Danalien [mailto:[EMAIL PROTECTED]] on apache 1.3.24 + mod_ssl 2.8.8, also with Windows 2000. Any suggestions?

Nigel Rushton
Apache 1.3.26+mod_ssl 2.8.9 + vhost problem
Hello! I've got problems using $SUBJECT together. System is:
- Debian Woody, security upgraded Apache and mod_ssl
- related packages:

ii apache 1.3.26-0woody1 Versatile, high-performance HTTP server
ii apache-common 1.3.26-0woody1 Support files for all Apache webservers
ii libapache-mod- 1.0.3-3A DAV module for Apache
ii libapache-mod- 2.8.9-2Strong cryptography (HTTPS support) for Apac

I can't live without SSL because I provide file upload to virtual hosts via DAV, and don't want that somebody sniff one of my user's passwd. Don't complain: they are not able to use SSL keys so I can't authenticate them in this way. So I need SSL. What happens when I have all modules enabled:

[Mon Jul 15 00:21:52 2002] [error] mod_ssl: Init: (www.xy.hu:80) Illegal attempt to re-initialise SSL for server (theoretically shouldn't happen!)

Related directives:

Listen 443 (previously 30443 packets redirected via ipchains/iptables = it wasn't necessary to start it as root)
Listen 80 (prev.: 30080)
BindAddress *
LoadModule vhost_alias_module /usr/lib/apache/1.3/mod_vhost_alias.so
LoadModule access_module /usr/lib/apache/1.3/mod_access.so
LoadModule auth_module /usr/lib/apache/1.3/mod_auth.so
LoadModule dav_module /usr/lib/apache/1.3/libdav.so
LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so
Port 80 (Previously 30080)
ServerName T.X.Y.Z (numeric IPv4 address)
DocumentRoot /var/www/
<Directory />
Options SymLinksIfOwnerMatch
AllowOverride None
</Directory>
<Directory /var/www/>
Options Includes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
SSLEngine on
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCertificateKeyFile conf/ssl.key/server.key
SSLCertificateFile conf/ssl.crt/server.crt
SSLLog /var/log/apache/ssl_log
SSLLogLevel warn
NameVirtualHost T.X.Y.Z:80
Include virt/

In directory virt: virtserver1.conf virtserver2.conf etc.

Example virtserver (only the name and IP address removed):

<VirtualHost T.X.Y.Z>
ServerName www.domainname.hu
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www/virtuals/domainname/html
</VirtualHost>
<Directory /var/www/virtuals/domainname/html>
AllowOverride AuthConfig FileInfo Limit
Options FollowSymLinks
</Directory>

Any ideas? I've seen a similar thread in the archives without the answer.

Thanks, Ago
Re: Apache 1.3.26+mod_ssl 2.8.9 + vhost problem
On Sun, Jul 14, 2002 at 11:30:05PM +0200, Deim Agoston [EMAIL PROTECTED] wrote:

OK, it's solved. For the sake of the archive, here it is:
- don't write SSLEngine into the main server config
- use a virtualhost for this directive
- create the virtualhost you want to use for the purpose of accessing it via HTTPS

A simple config file looks like this (with real names):

<VirtualHost 195.56.172.166:443>
ServerName webadmin.lsc.hu
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /var/www/webadmin/
# SSL settings
SSLEngine on
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLCertificateKeyFile conf/ssl.key/server.key
SSLCertificateFile conf/ssl.crt/server.crt
SSLLog /var/log/apache/ssl_log
SSLLogLevel warn
</VirtualHost>

Bye, Ago
Re: Apache 1.3.26/mod_ssl-2.8.9-1.3.26 segfault
My library update hadn't completely propagated across our network from the fileserver, so parts of my mish-mash compiled against different versions of openssl. All better. Maybe this will help someone else down the road.

On Thu, Jun 20, 2002 at 06:09:17PM -0400, Cliff Woolley wrote:
On Thu, 20 Jun 2002 [EMAIL PROTECTED] wrote:
Per the recently announced vulnerability in versions of apache 1.3.26, I decided to be a happy little prole and update all of my webservices. Unpacking clean source for apache, mod_ssl and mod_perl-1.26, I upgraded the packages like I always do:

write(15, [20/Jun/2002 16:50:05 04493] [in..., 95) = 95
brk(0x8109000) = 0x8109000
open(./php.ini, O_RDONLY) = -1 ENOENT (No such file or directory)
open(/usr/lib/php.ini, O_RDONLY) = -1 ENOENT (No such file or directory)
brk(0x810a000) = 0x810a000
brk(0x810b000) = 0x810b000
brk(0x810c000) = 0x810c000
brk(0x810d000) = 0x810d000
...
brk(0x8123000) = 0x8123000
brk(0x8125000) = 0x8125000
brk(0x8126000) = 0x8126000
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++

Sounds like PHP is borked. Try building a new copy.
--Cliff

Garrett
--
Garrett Kuchta [gkuchta[at]astro.umn.edu] Assistant System Manager Dept. of Astronomy University of Minnesota, Twin Cities http://www.astro.umn.edu/~gkuchta
Two certificates in apache and mod_ssl
Hello, I defined two virtual hosts in apache + mod_ssl with two different server certificates. I tried to access the https connection and I got for both virtual hosts the certificate of the first virtual host. How do I have to configure it to get the right certificate of each virtual host? Or is it not possible? Or how? Stefan
RE: Two certificates in apache and mod_ssl
Try adding the following directive to your <VirtualHosts></VirtualHosts> definition:

SSLCertificateFile /path/to/file
SSLCertificateKeyFile /path/to/file

Also make sure that the above directives are not configured for the main server. That's it.

Brian Vaughan

-Original Message-
From: Kirchner Stefan [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 21, 2002 10:34 AM
To: '[EMAIL PROTECTED]'
Subject: Two certificates in apache and mod_ssl

Hello, I defined two virtual hosts in apache + mod_ssl with two different server certificates. I tried to access the https connection and I got for both virtual hosts the certificate of the first virtual host. How do I have to configure it to get the right certificate of each virtual host. Or is it not possible? Or how? Stefan
Re: Two certificates in apache and mod_ssl
Are you using IP Based virtual hosting? I don't think you can have multiple certificates on a single IP on the same port.

On Fri, 2002-06-21 at 10:34, Kirchner Stefan wrote:
Hello, I defined two virtual hosts in apache + mod_ssl with two different server certificates. I tried to access the https connection and I got for both virtual hosts the certificate of the first virtual host. How do I have to configure it to get the right certificate of each virtual host. Or is it not possible? Or how? Stefan

--
Sean M. Alderman
ITRACK Systems Analyst
PACE/NCI - NASA Glenn Research Center
(216) 433-2795
Calling a windowed operating system Windows is like naming an automobile Wheels.
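The advice given in the two threads above (keep SSLEngine out of the main server config, keep the certificate directives out of it as well, and do not expect two certificates on one IP address and port) can be checked mechanically before a restart. The script below is an added example, not code from any poster or from the mod_ssl project; the rule names, addresses, host names and file names are constructed, and it assumes a server without SNI, as in these threads.

```python
import re
from collections import defaultdict

# Constructed sample config (addresses, host names and file names are made up).
# It repeats the mistakes described in the threads above.
SAMPLE_CONF = """\
Listen 443
SSLEngine on
SSLCertificateFile conf/ssl.crt/server.crt
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName www.example.test
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName shop.example.test
    SSLEngine on
    SSLCertificateFile conf/ssl.crt/shop.crt
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName mail.example.test
    SSLEngine on
    SSLCertificateFile conf/ssl.crt/mail.crt
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName admin.example.test
    SSLEngine on
    SSLCertificateFile conf/ssl.crt/admin.crt
</VirtualHost>
"""

SSL_IDENTITY = ("sslcertificatefile", "sslcertificatekeyfile")


def parse_conf(text):
    """Return (main_directives, vhosts); directives are (name, value, lineno)."""
    main, vhosts, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"addrs": opened.group(1).split(), "directives": []}
            continue
        if re.match(r"</VirtualHost\s*>", line, re.I):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if line.startswith("<"):
            continue  # <Directory>, <Files> ...: keep scanning their contents
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        target = main if current is None else current["directives"]
        target.append((parts[0].lower(), value, lineno))
    return main, vhosts


def lint(text):
    """Return findings as (rule, location, detail) tuples."""
    main, vhosts = parse_conf(text)
    findings = []
    # Rules 1 and 2: SSL switched on, or a certificate set, for the main server.
    for name, value, lineno in main:
        if name == "sslengine" and value.lower() == "on":
            findings.append(("ssl-in-main-server", lineno,
                             "SSLEngine on outside any <VirtualHost>"))
        elif name in SSL_IDENTITY:
            findings.append(("cert-in-main-server", lineno,
                             name + " set for the main server"))
    # Rule 3: several SSL vhosts on one address:port with different certificates.
    certs_by_endpoint = defaultdict(dict)
    for vhost in vhosts:
        directives = {name: value for name, value, _ in vhost["directives"]}
        if directives.get("sslengine", "").lower() != "on":
            continue
        for addr in vhost["addrs"]:
            server = directives.get("servername", "(unnamed)")
            certs_by_endpoint[addr][server] = directives.get("sslcertificatefile")
    for addr, certs in certs_by_endpoint.items():
        if len(set(certs.values())) > 1:
            findings.append(("shared-endpoint-multiple-certs", addr,
                             "without SNI only the first certificate is served to: "
                             + ", ".join(sorted(certs))))
    return findings


if __name__ == "__main__":
    for rule, where, detail in lint(SAMPLE_CONF):
        print(rule, where, detail, sep=" | ")
```

Moving the main-server SSL directives into a dedicated virtual host and giving each certificate its own IP address or port clears all three findings.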
Apache 1.3.26/mod_ssl-2.8.9-1.3.26 segfault
Hi, Per the recently announced vulnerability in versions of apache 1.3.26, I decided to be a happy little prole and update all of my webservices. Unpacking clean source for apache, mod_ssl and mod_perl-1.26, I upgraded the packages like I always do: apply mod_ssl to apache, apply mod_perl to apache, compile apache, install apache, compile mod_ssl apxs module. however, this time around, upon running ./apachetel startssl, apache segfaulted: 275 [HAL:root](/usr/apache):./bin/apachectl startssl ./bin/apachectl: line 184: 4423 Segmentation fault $HTTPD -DSSL ./bin/apachectl startssl: httpd could not be started apache starts fine without ssl enabled. Here's an strace: ... ... ... [snip] stat(/usr/apache/conf/access.conf, {st_mode=S_IFREG|0600, st_size=348, ...}) = 0 lstat(/usr/apache/conf/access.conf, {st_mode=S_IFREG|0600, st_size=348, ...}) = 0 open(/usr/apache/conf/access.conf, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0600, st_size=348, ...}) = 0 fstat(3, {st_mode=S_IFREG|0600, st_size=348, ...}) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4019f000 read(3, ##\n## access.conf -- Apache HTTP..., 4096) = 348 read(3, , 4096) = 0 close(3)= 0 munmap(0x4019f000, 4096)= 0 brk(0x80f7000) = 0x80f7000 pipe([3, 4])= 0 fork() = 4494 close(3)= 0 fcntl(4, F_GETFL) = 0x1 (flags O_WRONLY) fstat(4, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x4019f000 _llseek(4, 0, 0xbfffda00, SEEK_CUR) = -1 ESPIPE (Illegal seek) dup2(4, 2) = 2 pipe([3, 5])= 0 fork() = 4495 close(3)= 0 fcntl(5, F_GETFL) = 0x1 (flags O_WRONLY) fstat(5, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x404ac000 _llseek(5, 0, 0xbfffda00, SEEK_CUR) = -1 ESPIPE (Illegal seek) open(/var/adm/https.log, O_WRONLY|O_APPEND|O_CREAT, 0666) = 3 fcntl(3, F_DUPFD, 15) = 15 close(3)= 0 fcntl(15, F_GETFL) = 0x401 (flags O_WRONLY|O_APPEND) 
fstat(15, {st_mode=S_IFREG|0644, st_size=11391310, ...}) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x404ad000 _llseek(15, 0, [0], SEEK_CUR) = 0 munmap(0x404ad000, 4096)= 0 time(NULL) = 1024609805 open(/etc/localtime, O_RDONLY)= 3 read(3, TZif\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\4\0\0\0\4\0..., 44) = 44 read(3, \236\246,\200\237\272\371p\240\206\16\200\241\232\333p..., 1170) = 1170 fstat(3, {st_mode=S_IFREG|0644, st_size=1262, ...}) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x404ad000 read(3, \377\377\271\260\1\0\377\377\253\240\0\4\377\377\271\260..., 4096) = 48 close(3)= 0 munmap(0x404ad000, 4096)= 0 getpid()= 4493 write(15, [20/Jun/2002 16:50:05 04493] [in..., 110) = 110 time(NULL) = 1024609805 getpid()= 4493 write(15, [20/Jun/2002 16:50:05 04493] [in..., 82) = 82 time(NULL) = 1024609805 getpid()= 4493 write(15, [20/Jun/2002 16:50:05 04493] [in..., 72) = 72 brk(0x80f8000) = 0x80f8000 brk(0x80f9000) = 0x80f9000 brk(0x80fa000) = 0x80fa000 brk(0x80fb000) = 0x80fb000 brk(0x80fd000) = 0x80fd000 brk(0x80fb000) = 0x80fb000 brk(0x80fd000) = 0x80fd000 time(NULL) = 1024609805 getpid()= 4493 write(15, [20/Jun/2002 16:50:05 04493] [in..., 119) = 119 open(/etc/ssl/www.cert, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0600, st_size=1493, ...}) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x404ad000 read(3, -BEGIN CERTIFICATE-\nMIIE..., 4096) = 1493 brk(0x80fe000) = 0x80fe000 brk(0x80ff000) = 0x80ff000 close(3)= 0 munmap(0x404ad000, 4096)= 0 open(/etc/ssl/www.key, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0600, st_size=887, ...}) = 0 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x404ad000 read(3, -BEGIN RSA PRIVATE KEY-\n..., 4096) = 887 close(3)= 0 munmap(0x404ad000, 4096)= 0 time(NULL
Re: Apache 1.3.26/mod_ssl-2.8.9-1.3.26 segfault
On Thu, 20 Jun 2002 [EMAIL PROTECTED] wrote: Per the recently announced vulnerability in versions of apache 1.3.26, I decided to be a happy little prole and update all of my webservices. Unpacking clean source for apache, mod_ssl and mod_perl-1.26, I upgraded the packages like I always do: write(15, [20/Jun/2002 16:50:05 04493] [in..., 95) = 95 brk(0x8109000) = 0x8109000 open(./php.ini, O_RDONLY) = -1 ENOENT (No such file or directory) open(/usr/lib/php.ini, O_RDONLY) = -1 ENOENT (No such file or directory) brk(0x810a000) = 0x810a000 brk(0x810b000) = 0x810b000 brk(0x810c000) = 0x810c000 brk(0x810d000) = 0x810d000 ... brk(0x8123000) = 0x8123000 brk(0x8125000) = 0x8125000 brk(0x8126000) = 0x8126000 --- SIGSEGV (Segmentation fault) --- +++ killed by SIGSEGV +++ Sounds like PHP is borked. Try building a new copy. --Cliff __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
apache 1.3.24 + mod_ssl 2.8.8 for Windows (2000)
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi, I need some help, i patch, complie, and everything according to: http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL.Win32 all goes fine fine, only get a few warnings (during the apache complie) I then go to the httpd.conf (%my_apache_ssl_root%/conf) and put this in: LoadModule ssl_module modules/mod_ssl.so and I get (this) when i do apache -t : C:\Program Files\Apache_SSLapache -t Syntax error on line 62 of c:/program files/apache_ssl/conf/httpd.conf: Cannot load c:/program files/apache_ssl/modules/mod_ssl.so into server: (182) Note the errors or messages above, and press the ESC key to exit. 26... C:\Program Files\Apache_SSL *thinking* *thinking*... ... then I just do a little test. remove the previos loadModule by puting a # infront (lite this): #LoadModule ssl_module modules/mod_ssl.so and add: AddModule mod_ssl.c and get : C:\Program Files\Apache_SSLapache -t Syntax error on line 110 of c:/program files/apache_ssl/conf/httpd.conf: Cannot add module via name 'mod_ssl.c': not in list of loaded modules Note the errors or messages above, and press the ESC key to exit. 23... C:\Program Files\Apache_SSL and do a apache -l where I get this: Compiled-in modules: http_core.c mod_so.c mod_mime.c mod_access.c mod_auth.c mod_negotiation.c mod_include.c mod_autoindex.c mod_dir.c mod_cgi.c mod_userdir.c mod_alias.c mod_env.c mod_log_config.c mod_asis.c mod_imap.c mod_actions.c mod_setenvif.c mod_isapi.c and my suspicions were correct, where are/is the SSL - module(s)? cause it ain't in the compiled apache :) If some could explain/help me how to meld this SSL module into apache, it would be great :) thanks. // with regards // ID :: danalien :: [EMAIL PROTECTED] PGP Public Key Fingerprint: C891 D3A1 427A A5E7 449F B19E 1E85 A109 -BEGIN PGP SIGNATURE- Version: PGPsdk version 1.7.1 (C) 1997-1999 Network Associates, Inc. and its affiliated companies. 
iQA/AwUBPKsI9x6FoQlEaqKIEQKKOQCfQTAK3SV7vSoe8aE8YQqv7cjVqrQAoOe7 DmQQDW2F53itoAyTwCj7zlEj =hTM+ -END PGP SIGNATURE- __ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager[EMAIL PROTECTED]
RE: apache 1.3.24 + mod_ssl 2.8.8 for Windows (2000)
Can you go to c:/program files/apache_ssl/modules and see the mod_ssl.so file? Your second test seems logical since the module wasn't loaded in the LoadModule section.

Eric

-----Original Message-----
From: Danalien [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 8:52 AM
To: [EMAIL PROTECTED]
Subject: apache 1.3.24 + mod_ssl 2.8.8 for Windows (2000)

Hi,

I need some help. I patch, compile, and everything according to:

http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL.Win32

All goes fine, only get a few warnings (during the apache compile).

I then go to the httpd.conf (%my_apache_ssl_root%/conf) and put this in:

LoadModule ssl_module modules/mod_ssl.so

and I get (this) when I do apache -t:

C:\Program Files\Apache_SSL>apache -t
Syntax error on line 62 of c:/program files/apache_ssl/conf/httpd.conf:
Cannot load c:/program files/apache_ssl/modules/mod_ssl.so into server: (182)
Note the errors or messages above, and press the ESC key to exit. 26...
C:\Program Files\Apache_SSL>

*thinking* *thinking*... then I just do a little test: remove the previous LoadModule by putting a # in front (like this):

#LoadModule ssl_module modules/mod_ssl.so

and add:

AddModule mod_ssl.c

and get:

C:\Program Files\Apache_SSL>apache -t
Syntax error on line 110 of c:/program files/apache_ssl/conf/httpd.conf:
Cannot add module via name 'mod_ssl.c': not in list of loaded modules
Note the errors or messages above, and press the ESC key to exit. 23...
C:\Program Files\Apache_SSL>

and do an apache -l where I get this:

Compiled-in modules:
  http_core.c
  mod_so.c
  mod_mime.c
  mod_access.c
  mod_auth.c
  mod_negotiation.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_userdir.c
  mod_alias.c
  mod_env.c
  mod_log_config.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_setenvif.c
  mod_isapi.c

and my suspicions were correct: where are/is the SSL module(s)? 'Cause it ain't in the compiled apache :)

If someone could explain/help me how to meld this SSL module into apache, it would be great :)

Thanks.

// with regards // ID :: danalien :: [EMAIL PROTECTED]
PGP Public Key Fingerprint: C891 D3A1 427A A5E7 449F B19E 1E85 A109
RE: RE: apache 1.3.24 + mod_ssl 2.8.8 for Windows (2000)
Yep, already put it here.

> Can you go to c:/program files/apache_ssl/modules and see the mod_ssl.so file? Your second test seems logical since the module wasn't loaded in the LoadModule section.
>
> Eric

// with regards // ID :: danalien :: [EMAIL PROTECTED]
PGP Public Key Fingerprint: C891 D3A1 427A A5E7 449F B19E 1E85 A109
RE: RE: apache 1.3.24 + mod_ssl 2.8.8 for Windows (2000)
At least on Windows NT, the .so file can not be read-only, or you get a similar error. Is it possible that your file is read-only?

Jay

-----Original Message-----
From: Danalien [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 9:18 AM
To: [EMAIL PROTECTED]
Subject: RE: RE: apache 1.3.24 + mod_ssl 2.8.8 for Windows (2000)

Yep, already put it here.
Re: apache 1.3.24 + mod_ssl 2.8.8 for Windows (2000)
In the Apache conf file you should add both, first

LoadModule ssl_module modules/mod_ssl.so

and somewhere after that

AddModule mod_ssl.c

but I think this error is also reported when someone forgets to copy the files ssleay32.dll and libeay32.dll to WINNT\System32. Did you do it?

----- Original Message -----
From: Danalien [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, April 03, 2002 4:51 PM
Subject: apache 1.3.24 + mod_ssl 2.8.8 for Windows (2000)

Hi,

I need some help. I patch, compile, and everything according to:

http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/INSTALL.Win32

All goes fine, only get a few warnings (during the apache compile).

I then go to the httpd.conf (%my_apache_ssl_root%/conf) and put this in:

LoadModule ssl_module modules/mod_ssl.so

and I get (this) when I do apache -t:

C:\Program Files\Apache_SSL>apache -t
Syntax error on line 62 of c:/program files/apache_ssl/conf/httpd.conf:
Cannot load c:/program files/apache_ssl/modules/mod_ssl.so into server: (182)
Note the errors or messages above, and press the ESC key to exit. 26...
C:\Program Files\Apache_SSL>

*thinking* *thinking*... then I just do a little test: remove the previous LoadModule by putting a # in front (like this):

#LoadModule ssl_module modules/mod_ssl.so

and add:

AddModule mod_ssl.c

and get:

C:\Program Files\Apache_SSL>apache -t
Syntax error on line 110 of c:/program files/apache_ssl/conf/httpd.conf:
Cannot add module via name 'mod_ssl.c': not in list of loaded modules
Note the errors or messages above, and press the ESC key to exit. 23...
C:\Program Files\Apache_SSL>

and do an apache -l where I get this:

Compiled-in modules:
  http_core.c
  mod_so.c
  mod_mime.c
  mod_access.c
  mod_auth.c
  mod_negotiation.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_userdir.c
  mod_alias.c
  mod_env.c
  mod_log_config.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_setenvif.c
  mod_isapi.c

and my suspicions were correct: where are/is the SSL module(s)? 'Cause it ain't in the compiled apache :)

If someone could explain/help me how to meld this SSL module into apache, it would be great :)

Thanks.

// with regards // ID :: danalien :: [EMAIL PROTECTED]
PGP Public Key Fingerprint: C891 D3A1 427A A5E7 449F B19E 1E85 A109
RE: RE: apache 1.3.24 + mod_ssl 2.8.8 for Windows (2000)
nope, I have no attributes on it/them.

> At least on Windows NT, the .so file can not be read-only, or you get a similar error. Is it possible that your file is read-only?
>
> Jay

// with regards // ID :: danalien :: [EMAIL PROTECTED]
PGP Public Key Fingerprint: C891 D3A1 427A A5E7 449F B19E 1E85 A109
Re: apache 1.3.24 + mod_ssl 2.8.8 for Windows (2000)
BINGO! :), that was it!

There you have the solution : )

Someone, put this in INSTALL.Win32 or in an error FAQ:

Check and delete any other/older ssleay32.dll and libeay32.dll that exist in:

1] winnt\system32
2] or any other path that exists in your %path% variable.

Simply remove the path from the %path% variable, or remove it from there, because other/older compiled DLLs in tandem with newer ones may cause a 182 (minor) error while starting up apache.

Maybe it is cygwin that puts it there (in winnt\system32), or I did? A llonng looong time ago, and forgot about it : ) *hehe*

Thanks, kristjan!

> In the Apache conf file you should add both, first
>
> LoadModule ssl_module modules/mod_ssl.so
>
> and somewhere after that
>
> AddModule mod_ssl.c
>
> but I think this error is also reported when someone forgets to copy the files ssleay32.dll and libeay32.dll to WINNT\System32. Did you do it?

// with regards // ID :: danalien :: [EMAIL PROTECTED]
PGP Public Key Fingerprint: C891 D3A1 427A A5E7 449F B19E 1E85 A109
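A check for the cause found in the message above, as an added example (not code from the thread or from mod_ssl): it lists every copy of ssleay32.dll and libeay32.dll in a set of directories and flags the names whose copies differ in content. The function names are hypothetical, and the directory layout and file contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

# The two OpenSSL libraries named in the thread.
OPENSSL_DLLS = ("ssleay32.dll", "libeay32.dll")


def find_copies(search_dirs, names=OPENSSL_DLLS):
    """Map each DLL name to [(path, sha256), ...] in the order searched.

    Names are matched case-insensitively, as Windows file systems do.
    """
    found = {n.lower(): [] for n in names}
    seen = set()
    for d in search_dirs:
        if not d or not os.path.isdir(d):
            continue  # empty or stale %PATH% entry
        key = os.path.normcase(os.path.abspath(d))
        if key in seen:
            continue  # same directory listed twice
        seen.add(key)
        for entry in sorted(os.listdir(d)):
            path = os.path.join(d, entry)
            if entry.lower() in found and os.path.isfile(path):
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                found[entry.lower()].append((path, digest))
    return found


def conflicting(found):
    """Names for which the searched directories hold differing builds."""
    return sorted(name for name, copies in found.items()
                  if len({digest for _, digest in copies}) > 1)


def dirs_from_path(path_value, extra_dirs=(), sep=";"):
    """extra_dirs (e.g. the Apache directory, winnt\\system32), then %PATH%."""
    return list(extra_dirs) + [p.strip() for p in path_value.split(sep)]


def demo():
    """Constructed layout: a fresh build beside Apache, stale copies elsewhere."""
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "Apache_SSL": {"ssleay32.dll": b"new build",
                           "libeay32.dll": b"new build"},
            "system32": {"SSLEAY32.DLL": b"old build"},
            "cygwin_bin": {"libeay32.dll": b"old build"},
        }
        for d, files in layout.items():
            os.makedirs(os.path.join(root, d))
            for name, data in files.items():
                with open(os.path.join(root, d, name), "wb") as fh:
                    fh.write(data)
        # One PATH entry exists, one is stale and must be skipped.
        path_value = ";".join([os.path.join(root, "cygwin_bin"),
                               os.path.join(root, "missing")])
        dirs = dirs_from_path(path_value,
                              [os.path.join(root, "Apache_SSL"),
                               os.path.join(root, "system32")])
        found = find_copies(dirs)
        return conflicting(found), {k: len(v) for k, v in found.items()}


if __name__ == "__main__":
    print(demo())
```

On a real host, pass `os.environ["PATH"]` to `dirs_from_path` together with the Apache and system directories; any name returned by `conflicting` has more than one build reachable and is worth cleaning up before the next `apache -t`.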
WebLogic 5.1 sp11 mod_wl_ssl.so for Apache 1.3.12/mod_ssl 2.6.6 breaks SSL
We've just upgraded from service pack 8 to service pack 11 on our WL servers and installed the sp11 mod_wl_ssl.so on our Apache servers. Unfortunately, any attempts to access an SSL page that must get proxied to the WebLogic layer result in an HTTP 404 response, while an SSL request for a static HTML page works fine. The interesting thing is the sp8 mod_wl_ssl.so works just fine, so that is what we are using. However, I want to resolve the issue with the sp11 mod_wl_ssl.so.

Here is our configuration:

All servers: SPARC/Solaris 8 with latest patch updates
Apache servers: Apache 1.3.12 with mod_ssl 2.6.6
WebLogic servers: WL 5.1 service pack 11

[03/Apr/2002 16:58:42 04816] [info] Server: Apache/1.3.12, Interface: mod_ssl/2.6.6, Library: OpenSSL/0.9.6c
[03/Apr/2002 16:58:42 04816] [info] Init: 1st startup round (still not detached)
[03/Apr/2002 16:58:42 04816] [info] Init: Initializing OpenSSL library
[03/Apr/2002 16:58:42 04816] [info] Init: Loading certificate private key of SSL-aware server www.questia.com:443
[03/Apr/2002 16:58:42 04816] [info] Init: Requesting pass phrase from dialog filter program (/u01/app/apache/bin/SSLpassword)
[03/Apr/2002 16:58:42 04816] [trace] Init: (www.questia.com:443) encrypted RSA private key - pass phrase requested
[03/Apr/2002 16:58:42 04816] [info] Init: Wiped out the queried pass phrases from memory
[03/Apr/2002 16:58:42 04816] [info] Init: Seeding PRNG with 136 bytes of entropy
[03/Apr/2002 16:58:42 04816] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[03/Apr/2002 16:58:44 04816] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[03/Apr/2002 16:58:51 04827] [info] Init: 2nd startup round (already detached)
[03/Apr/2002 16:58:51 04827] [info] Init: Reinitializing OpenSSL library
[03/Apr/2002 16:58:51 04827] [trace] Inter-Process Session Cache (DBM) Expiry: old: 0, new: 0, removed: 0
[03/Apr/2002 16:58:51 04827] [info] Init: Seeding PRNG with 136 bytes of entropy
[03/Apr/2002 16:58:51 04827] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
[03/Apr/2002 16:58:51 04827] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[03/Apr/2002 16:58:51 04827] [info] Init: Initializing (virtual) servers for SSL
[03/Apr/2002 16:58:51 04827] [info] Init: Configuring server www.questia.com:443 for SSL protocol
[03/Apr/2002 16:58:51 04827] [trace] Init: (www.questia.com:443) Creating new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[03/Apr/2002 16:58:51 04827] [trace] Init: (www.questia.com:443) Configuring permitted SSL ciphers [ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[03/Apr/2002 16:58:51 04827] [trace] Init: (www.questia.com:443) Configuring RSA server certificate
[03/Apr/2002 16:58:51 04827] [trace] Init: (www.questia.com:443) Configuring RSA server private key
[03/Apr/2002 16:59:08 04849] [info] Connection to child 13 established (server www.questia.com:443, client 10.1.0.55)
[03/Apr/2002 16:59:08 04849] [info] Seeding PRNG with 1160 bytes of entropy
[03/Apr/2002 16:59:08 04849] [trace] OpenSSL: Handshake: start
[03/Apr/2002 16:59:08 04849] [trace] OpenSSL: Loop: before/accept initialization
[03/Apr/2002 16:59:08 04849] [debug] OpenSSL: read 11/11 bytes from BIO#0008ADA8 [mem: 000C89D8] (BIO dump follows)
[03/Apr/2002 16:59:08 04849] [debug] OpenSSL: read 67/67 bytes from BIO#0008ADA8 [mem: 000C89E3] (BIO dump follows)
[03/Apr/2002 16:59:08 04849] [trace] OpenSSL: Loop: SSLv3 read client hello A
[03/Apr/2002 16:59:08 04849] [trace] OpenSSL: Loop: SSLv3 write server hello A
[03/Apr/2002 16:59:08 04849] [trace] OpenSSL: Loop: SSLv3 write certificate A
[03/Apr/2002 16:59:08 04849] [trace] OpenSSL: Loop: SSLv3 write server done A
[03/Apr/2002 16:59:08 04849] [debug] OpenSSL: write 835/835 bytes to BIO#0008ADA8 [mem: 000D6A00] (BIO dump follows)
Re: apache with mod_ssl
Hi Shouben,

I am also facing exactly the same problem and struggling to find the solution. I have some clues on this problem. It happens only in the following scenario: if the server has a 128bit encrypted server certificate, then it asks the NE client to present the certificate multiple times. It does not happen if we have the following:

(1) If the server certificate has 40bit encryption.
(2) If both the server and client certificates are issued by the same CA (even for 128 bit encryption, it asks only once in NE to present the certificate).

It will be extremely helpful if someone helps with how to get the NE to not ask to present the client certificate more than once.

Shiva

--- Shouben Zhou [EMAIL PROTECTED] wrote:

> I currently use apache-SSL and am switching to the apache with modssl module. The building process is a success. The versions I am using to build apache-modssl are apache_1.3.23, modssl-2.8.7.-1.3.23 and openssl-0.9.6a. I am having 2 problems when using this httpd:
>
> 1) When accessing the HTTPS server, netscape is asked to select the user certificate, then the passphrase. After that netscape is asked again twice to select the user certificate! This never happens on my apache-SSL version.
>
> SSLVerifyClient require
> SSLVerifyDepth 1
>
> 2) When I switch to the HTTP server (VirtualHost same node), most times netscape crashes! This also never happens on my apache-SSL version.
>
> I have tried both shared and static building methods and no luck. What am I missing here?
apache with mod_ssl
I currently use apache-SSL and am switching to the apache with modssl module. The building process is a success. The versions I am using to build apache-modssl are apache_1.3.23, modssl-2.8.7.-1.3.23 and openssl-0.9.6a. I am having 2 problems when using this httpd:

1) When accessing the HTTPS server, netscape is asked to select the user certificate, then the passphrase. After that netscape is asked again twice to select the user certificate! This never happens on my apache-SSL version.

SSLVerifyClient require
SSLVerifyDepth 1

2) When I switch to the HTTP server (VirtualHost same node), most times netscape crashes! This also never happens on my apache-SSL version.

I have tried both shared and static building methods and no luck. What am I missing here?

Shouben Zhou
ICASE
Mail Stop 132C, Bldg. 1152
NASA Langley Research Center
Hampton, VA 23681-2199
Phone: (757) 864-6558
Fax: (757) 864-6134
Email: [EMAIL PROTECTED]
apache with mod_ssl
I am not in the office for the week 18-22 March 2002.

If it's an Online Learning Support Unit / Web / MUBSWEB / MUBS Online matter that requires urgent attention then please contact either Kirsteen1 or Sanjay1 who should be able to help. Otherwise I will contact you as soon as possible on my return.

If you are a student on MKT3035 GIS for Business, I will contact you asap, or if urgent please contact the module tutor.

All the best

Alex
apache and mod_ssl
I have installed apache web server software and the Apache interface to OpenSSL (mod_ssl) in order to have a secure server. I have changed the configuration file httpd.conf and ssl is enabled on port 443. But the problem is whenever I try the url https://localhost:443, it says cannot connect to server. It seems that it is not able to connect to port 443. Also in the error log it says invalid method in request.

I am attaching the conf file:

<IFDefine SSL>
LoadModule ssl_module modules/mod_ssl.so
</IFDefine>

<VirtualHost 127.0.0.1:80>
ServerAdmin [EMAIL PROTECTED]
ServerName 127.0.0.1
</VirtualHost>

<IfDefine SSL>
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLLog logs/ssl.log
SSLLogLevel info
<VirtualHost 127.0.0.1:443>
SSLEngine on
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>
#SSLVerifyClient require
#SSLVerifyDepth 1
#SSLCACertificatePath conf/ssl
#SSLCACertificateFile conf/ssl/my-server.cert
</IfDefine>

I would appreciate it if anyone could give me a solution.

Thanks
Bhawna
Re: apache and mod_ssl
Hi bhawna!

On 7 Feb 02 at 16:02 you wrote:

> problem is whenever I try the url https://localhost:443, it says cannot connect to server.

Have you tried just https://localhost ? It should work without specifying the port, but it also should work when you do specify the port.

Do you have 'Listen 443' somewhere in your config file? You should.

--
Toomas Aas | [EMAIL PROTECTED] | http://www.raad.tartu.ee/~toomas/
* Make yourself at home! Clean my kitchen.
RE: apache and mod_ssl
You need to point your browser to https://www.yourdomain.foo or http://www.yourdomain.foo:443. Unless you are testing from the local http server, you will need to update your DNS with the new domain name(s). You also need to tell Apache to listen on port 443 in the httpd.conf file. If you are using virtual hosts, you will need to add other things in the httpd.conf file like (this config is for name-based v-hosts):

NameVirtualHost *:80
NameVirtualHost *:443

<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

<VirtualHost *:443>
SSLEngine on
SSLCACertificatePath /usr/local/apache/conf/certs/
SSLCACertificateFile /usr/local/apache/conf/certs/ca.crt
SSLCertificateChainFile /usr/local/apache/conf/certs/ca.crt
SSLCertificateFile /usr/local/apache/conf/certs/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/certs/server.key
DocumentRoot /usr/local/apache/htdocs
ServerName www.yourdomain.foo [or www.sub.yourdomain.foo]
</VirtualHost>

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of bhawna sinha
Sent: Thursday, February 07, 2002 4:02 PM
To: [EMAIL PROTECTED]
Subject: apache and mod_ssl

I have installed apache web server software and the Apache interface to OpenSSL (mod_ssl) in order to have a secure server. I have changed the configuration file httpd.conf and ssl is enabled on port 443. But the problem is whenever I try the url https://localhost:443, it says cannot connect to server. It seems that it is not able to connect to port 443. Also in the error log it says invalid method in request.

I am attaching the conf file:

<IFDefine SSL>
LoadModule ssl_module modules/mod_ssl.so
</IFDefine>

<VirtualHost 127.0.0.1:80>
ServerAdmin [EMAIL PROTECTED]
ServerName 127.0.0.1
</VirtualHost>

<IfDefine SSL>
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
SSLLog logs/ssl.log
SSLLogLevel info
<VirtualHost 127.0.0.1:443>
SSLEngine on
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>
#SSLVerifyClient require
#SSLVerifyDepth 1
#SSLCACertificatePath conf/ssl
#SSLCACertificateFile conf/ssl/my-server.cert
</IfDefine>

I would appreciate it if anyone could give me a solution.

Thanks
Bhawna
Re: apache and mod_ssl
On Thu, 2002-02-07 at 16:02, bhawna sinha wrote:

> Also in the error log it says invalid method in request.

that means you're talking SSL to a normal http server. in other words, port 443 is not listening for ssl connections.

--
[EMAIL PROTECTED] || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
You are in a twisty little maze of Sendmail rules, all confusing.
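The two points raised in the replies of this thread (a missing Listen 443, and SSL directives that only take effect inside an active IfDefine block) can be checked mechanically. The following is an added example, not code from the thread or from mod_ssl: a small httpd.conf checker whose function names and finding codes are hypothetical. SAMPLE_CONF is constructed from the configuration in the question with its angle brackets restored, and the checker assumes one directive or section tag per line.

```python
import re

# Constructed sample: the configuration from the question, with the angle
# brackets that the list archive stripped put back.
SAMPLE_CONF = """\
<IFDefine SSL>
LoadModule ssl_module modules/mod_ssl.so
</IFDefine>
<VirtualHost 127.0.0.1:80>
ServerName 127.0.0.1
</VirtualHost>
<IfDefine SSL>
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none
<VirtualHost 127.0.0.1:443>
SSLEngine on
SSLCertificateFile conf/ssl/my-server.cert
SSLCertificateKeyFile conf/ssl/my-server.key
</VirtualHost>
#SSLVerifyClient require
</IfDefine>
"""

OPEN = re.compile(r"<\s*(\w+)\s+([^>]*)>")
CLOSE = re.compile(r"</\s*(\w+)\s*>")


def _port(addr):
    """Port of '443', '*:443' or '127.0.0.1:443'; None when absent."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else None


def _active(stack, defines):
    """True when every enclosing <IfDefine> is satisfied by the -D names."""
    for name, arg in stack:
        if name == "ifdefine":
            negated = arg.startswith("!")
            if (arg.lstrip("!") in defines) == negated:
                return False
    return True


def check_ssl_ports(conf_text, defines=()):
    """Return findings as (code, vhost) pairs.

    defines: names passed to httpd with -D, e.g. ["SSL"].
    "inactive-ifdefine": SSLEngine on sits in an <IfDefine> that is not active.
    "no-listen": an active SSL vhost uses a port the server does not listen on.
    """
    defines = set(defines)
    stack, vhost = [], None
    listen, port_directive = set(), 80   # Apache 1.3: Port defaults to 80
    ssl_on, ssl_skipped = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack and stack.pop()[0] == "virtualhost":
                vhost = None
            continue
        m = OPEN.match(line)
        if m:
            name, arg = m.group(1).lower(), m.group(2).strip()
            stack.append((name, arg))
            if name == "virtualhost":
                vhost = arg
            continue
        word, *args = line.split()
        word = word.lower()
        if not args:
            continue
        active = _active(stack, defines)
        if word == "listen" and active and _port(args[0]) is not None:
            listen.add(_port(args[0]))
        elif word == "port" and active and vhost is None and args[0].isdigit():
            port_directive = int(args[0])
        elif word == "sslengine" and args[0].lower() == "on" and vhost:
            (ssl_on if active else ssl_skipped).append(vhost)
    # Without any Listen directive the server listens on Port only.
    effective = listen or {port_directive}
    findings = [("inactive-ifdefine", v) for v in ssl_skipped]
    findings += [("no-listen", v) for v in ssl_on
                 if _port(v) is not None and _port(v) not in effective]
    return findings


if __name__ == "__main__":
    print(check_ssl_ports(SAMPLE_CONF))            # started without -DSSL
    print(check_ssl_ports(SAMPLE_CONF, ["SSL"]))   # started with -DSSL
```

Run against the sample, the first call reports the SSL virtual host as inactive and the second reports that nothing listens on 443; adding `Listen 80` and `Listen 443` as the replies suggest clears both when `SSL` is defined.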
RE: Apache and Mod_SSL
You can use cygwin and it comes with openssl compiled.

Regards,
Lin Geng

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eduardo Fresno
Sent: Wednesday, January 23, 2002 5:54 AM
To: [EMAIL PROTECTED]
Subject: Apache and Mod_SSL

Hi,

I was wondering if you could help me on this issue. I'm trying to make Apache a secure server by adding SSL performance. There may exist two main ways to do it:

1) Mod_SSL
2) Apache-SSL

I've tried out the first option, but during the process, I've been asked for the 'nmake' compiler. I don't have this compiler and I don't want to pay for it, as I think it is provided with Visual C++ ($$$). So I was wondering if there exists another way to make it?

If not, I'm thinking about using Apache-SSL instead of Mod_SSL, in spite of the fact that most people may prefer Mod_SSL. Is it worth using Apache-SSL instead of Mod_SSL? I mean, are there big differences between the two options? Which one is the best?

Thanks in advance,

--
Edd.
[BugDB] apache/tomcat/mod_ssl 304 error (PR#660)
Full_Name:
Version: 2.8.5
OS: Solaris 2.8
Submission from: (NULL) (199.46.199.231)

Configured the mod_ssl with

    ./configure \
    --with-apache=../apache_1.3.22 \
    --with-ssl=/usr/local/ssl \
    --prefix=/usr/local/apache \
    --enable-shared=ssl \
    --enable-module=most \
    --enable-shared=max \
    --enable-rule=SSL_SDBM \
    --with-crt=/usr/local/ssl/misc/WebServer/server.crt \
    --with-key=/usr/local/ssl/misc/WebServer/server.key \

I also created and installed mod_jk (part of tomcat) after making and installing apache with mod_ssl. I am running tomcat 3.3a. ...since version 4.0 does not support load balancing...

reloading the http://hostname/examples/jsp/index.html page periodically will give a strange result. The top part of the page contains the results header from the previous request. This seems to only occur with Netscape 4.7x and not IE 5.x

The following is the page when the problem occurs.

    Error: 304
    Location: /examples/jsp/index.html
    HTTP/1.1 304 Not Modified
    Date: Tue, 15 Jan 2002 22:55:08 GMT
    Server: Apache/1.3.22 (Unix) mod_jk/1.1.0 mod_ssl/2.8.5 OpenSSL/0.9.6b
    Content-Length: 121
    Keep-Alive: timeout=15, max=99
    Connection: Keep-Alive
    Content-Type: text/html
    Error: 304
    Location: /examples/jsp/index.html

I have been able to determine that the error does not occur with non-tomcat pages with ./apachectl startssl and also does not occur at all with ./apachectl start (instead of startssl). Even tomcat works without the mod_ssl enabled. It seems that the combination of using tomcat and mod_ssl has created a unique condition on 304 errors. If you hold the shift down, the problem disappears since there are only 200 error codes returned.
Problem building Apache 1.3.22 + mod_ssl 2.8.5
Hello!

I have a site which is currently running Apache 1.3.20 + PHP 4.0.6 + mod_ssl 2.8.4 on FreeBSD 4.3. Both mod_php4 and mod_ssl are statically built into Apache. I'm trying to upgrade to Apache 1.3.22 + PHP 4.1.1 + mod_php 2.8.5 but can't figure out a problem which seems to exist between Apache and mod_ssl. I follow these steps:

    # setenv EAPI_MM SYSTEM
    # setenv SSL_BASE SYSTEM
    # cd mod_ssl-2.8.5-1.3.22
    # ./configure --with-apache=../apache_1.3.22 \
      --with-crt=/usr/local/etc/httpd/ssl.crt/server.crt \
      --with-key=/usr/l ocal/etc/httpd/ssl.key/server .key
    # cd ../apache_1.3.22
    # ./configure --with-layout=GNU --enable-module=ssl
    # make

some output snipped

    gcc -c -I/usr/local/include -I../os/unix -I../include -funsigned-char -DMOD_SS L=208105 -DEAPI -DEAPI_MM -DUSE_EXPAT -I../lib/expat-lite -DNO_DL_NEEDED `../apaci` http_core.c
    http_core.c: In function `set_accept_mutex':
    http_core.c:1140: warning: return makes pointer from integer without a cast
    http_core.c: In function `set_acceptfilter':
    http_core.c:2538: `ap_acceptfilter' undeclared (first use in this function)
    http_core.c:2538: (Each undeclared identifier is reported only once
    http_core.c:2538: for each function it appears in.)
    *** Error code 1
    Stop in /mirror01/usr/src/local/apache_1.3.22/src/main.
    *** Error code 1
    Stop in /mirror01/usr/src/local/apache_1.3.22/src.
    *** Error code 1
    Stop in /mirror01/usr/src/local/apache_1.3.22.
    *** Error code 1
    Stop in /mirror01/usr/src/local/apache_1.3.22.

the unhappy end of compile

This procedure worked on the same machine with Apache 1.3.20 + mod_ssl 2.8.4 but now for whatever reason it doesn't. I can successfully build Apache alone or Apache with statically compiled mod_php4, but as soon as I try to add mod_ssl 2.8.5, the above error appears. How can I fix this situation?

--
Toomas Aas | [EMAIL PROTECTED] | http://www.raad.tartu.ee/~toomas/
* Life would be easier if I had the source code.
RE: Problem building Apache 1.3.22 + mod_ssl 2.8.5
Hi [EMAIL PROTECTED]!

Thanks for replying so soon.

On 15 Jan 02 at 13:41 you wrote:
> What version of openssl do you have? Are you aware that you have spaces in your configure section below, or is that just the pasting process going wrong? Apache 1.3.22 should compile with openssl 0.9.6b or 0.9.6c.

That might be my problem right here, then. I use OpenSSL version which is included in the base system of FreeBSD 4.3-RELEASE. The version is 0.9.6:

    $ openssl version
    OpenSSL 0.9.6 24 Sep 2000

Can anyone confirm that mod_ssl 2.8.5 doesn't work with this version of OpenSSL?

BTW, the spaces *were* caused by my mailer as I pasted the text.

--
Toomas Aas | [EMAIL PROTECTED] | http://www.raad.tartu.ee/~toomas/
* Nostalgia isn't what it used to be...
RE: Problem building Apache 1.3.22 + mod_ssl 2.8.5
-----Original Message-----
From: Toomas Aas [mailto:[EMAIL PROTECTED]]
Sent: 15 January 2002 13:50
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Problem building Apache 1.3.22 + mod_ssl 2.8.5

> Hi [EMAIL PROTECTED]! Thanks for replying so soon.
>
> That might be my problem right here, then. I use OpenSSL version which is included in the base system of FreeBSD 4.3-RELEASE. The version is 0.9.6:
>
>     $ openssl version
>     OpenSSL 0.9.6 24 Sep 2000
>
> Can anyone confirm that mod_ssl 2.8.5 doesn't work with this version of OpenSSL?

There's a README.Versions file with the mod_ssl package, but this is all it has at the end of it:

    23-Jan-2001  2.8.0  1.3.17  0.9.3-0.9.6
    03-Mar-2001  2.8.1  1.3.19  0.9.3-0.9.6
    30-Mar-2001  2.8.2  1.3.19  0.9.3-0.9.6
    04-May-2001  2.8.3  1.3.19  0.9.3-0.9.6a
    20-May-2001  2.8.4  1.3.20  0.9.3-0.9.6a

(The figures are the release dates, mod_ssl, Apache and openssl versions).

2.8.5 was released on 16th October, and openssl 0.9.6c was released on 21st December, hence my statement that it should work with 0.9.6b or 0.9.6c. Unless Ralf can say otherwise, it looks like 2.8.5 should build with 0.9.6.

-
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind
Agnostic (Greek) = Ignoramus (Latin)
Re: Problem building Apache 1.3.22 + mod_ssl 2.8.5
On Tue, Jan 15, 2002 at 02:23:32PM -, [EMAIL PROTECTED] wrote:
> There's a README.Versions file with the mod_ssl package, but this is all it has at the end of it:
>
>     23-Jan-2001  2.8.0  1.3.17  0.9.3-0.9.6
>     03-Mar-2001  2.8.1  1.3.19  0.9.3-0.9.6
>     30-Mar-2001  2.8.2  1.3.19  0.9.3-0.9.6
>     04-May-2001  2.8.3  1.3.19  0.9.3-0.9.6a
>     20-May-2001  2.8.4  1.3.20  0.9.3-0.9.6a
>
> (The figures are the release dates, mod_ssl, Apache and openssl versions).
>
> 2.8.5 was released on 16th October, and openssl 0.9.6c was released on 21st December, hence my statement that it should work with 0.9.6b or 0.9.6c. Unless Ralf can say otherwise, it looks like 2.8.5 should build with 0.9.6.

I should think so too (I think that I have seen somebody use those versions). At least recent changes in mod_ssl have been minimal and just following the changes in apache.

There are two things to note:

1. openssl should be upgraded to at least 0.9.6b for security reasons
2. compiling and configuring a separate openssl specifically for use with mod_ssl using the config option no-thread will improve the performance of mod_ssl

vh

Mads Toftum
--
With a rubber duck, one's never alone. -- The Hitchhiker's Guide to the Galaxy
apache mod_proxy mod_ssl?
Hi All,

Has anyone have done/suggestions/help on getting apache_1.3.22 running with mod_proxy and mod_ssl-2.8.5-1.3.22 running on Solaris8? I can get either working but not together, when I compile with either option I lose the other. I guess my question is how to compile them together properly that's if they work together.

Thanks in advance,

Jaime Dalisay
Systems Consultant
Basis100 Inc. http://www.basis100.com
Re: apache mod_proxy mod_ssl?
On Fri, Dec 21, 2001 at 11:02:54AM -0500, Jaime Dalisay wrote:
> Hi All,
>
> Has anyone have done/suggestions/help on getting apache_1.3.22 running with mod_proxy and mod_ssl-2.8.5-1.3.22 running on Solaris8? I can get either working but not together, when I compile with either option I lose the other. I guess my question is how to compile them together properly that's if they work together.

Use method a) from the INSTALL document and where it says [...more APACI options...] just use --enable-module=proxy

vh

Mads Toftum
--
With a rubber duck, one's never alone. -- The Hitchhiker's Guide to the Galaxy
Apache with Mod_SSL and multiple certificates
Hi -

My apache system is running 1.3.20 with mod_ssl 2.8.4. I have one NIC in the system, does anyone install multiple digital certificates on the single NIC? If so, please advise how, what is the trade off?

Thanks for any information.

- Ming Yu - System Engineer - APL
Re: Apache with Mod_SSL and multiple certificates
At 10:27 AM -0500 11/2/01, Yu, Ming wrote:
> Hi -
>
> My apache system is running 1.3.20 with mod_ssl 2.8.4. I have one NIC in the system, does anyone install multiple digital certificates on the single NIC? If so, please advise how, what is the trade off?
>
> Thanks for any information.

Depends on what you mean. If you mean can you have multiple SSL sites on a system with a single NIC, the answer is yes, assuming you are using IP-based virtual hosts (name based will NOT work).

--
Jim Jagielski [|] [EMAIL PROTECTED] [|] http://www.jaguNET.com/
A society that will trade a little liberty for a little order will lose both and deserve neither
RE: Apache with Mod_SSL and multiple certificates
I have one NIC in the system with Static IP address, How do I create multiple virtual sites, and each site has its own digital certificate. Can any one give me an example.

Thanks in advance.

- Ming

-----Original Message-----
From: Jim Jagielski [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 02, 2001 10:46 AM
To: [EMAIL PROTECTED]
Subject: Re: Apache with Mod_SSL and multiple certificates

At 10:27 AM -0500 11/2/01, Yu, Ming wrote:
> Hi -
>
> My apache system is running 1.3.20 with mod_ssl 2.8.4. I have one NIC in the system, does anyone install multiple digital certificates on the single NIC? If so, please advise how, what is the trade off?
>
> Thanks for any information.

Depends on what you mean. If you mean can you have multiple SSL sites on a system with a single NIC, the answer is yes, assuming you are using IP-based virtual hosts (name based will NOT work).

--
Jim Jagielski [|] [EMAIL PROTECTED] [|] http://www.jaguNET.com/
A society that will trade a little liberty for a little order will lose both and deserve neither
RE: Apache with Mod_SSL and multiple certificates
If this is a unix system look at multihoming your NIC. This can be done via multiple ifconfig commands. However, if these are to be publicly accessible sites then these IP addresses must map through to your external internet connection. If these are internal addresses, you should probably get them recorded in your internal dns.

Why all this trouble? With SSL everything is encrypted. The only way an SSL server can get the correct certificate is to use the IP address and then use the certificate on that IP address.

David Marshall

-----Original Message-----
From: Yu, Ming [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 02, 2001 10:21 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Apache with Mod_SSL and multiple certificates

I have one NIC in the system with Static IP address, How do I create multiple virtual sites, and each site has its own digital certificate. Can any one give me an example.

Thanks in advance.

- Ming

-----Original Message-----
From: Jim Jagielski [mailto:[EMAIL PROTECTED]]
Sent: Friday, November 02, 2001 10:46 AM
To: [EMAIL PROTECTED]
Subject: Re: Apache with Mod_SSL and multiple certificates

At 10:27 AM -0500 11/2/01, Yu, Ming wrote:
> Hi -
>
> My apache system is running 1.3.20 with mod_ssl 2.8.4. I have one NIC in the system, does anyone install multiple digital certificates on the single NIC? If so, please advise how, what is the trade off?
>
> Thanks for any information.

Depends on what you mean. If you mean can you have multiple SSL sites on a system with a single NIC, the answer is yes, assuming you are using IP-based virtual hosts (name based will NOT work).

--
Jim Jagielski [|] [EMAIL PROTECTED] [|] http://www.jaguNET.com/
A society that will trade a little liberty for a little order will lose both and deserve neither
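An added example (not written by any poster in this thread) of the IP-based layout the replies above describe: two addresses on one NIC, with one SSL virtual host and one certificate per address. The addresses (192.0.2.x documentation range), host names and file paths are placeholders.

```apache
# Added example: every address, host name and path below is a placeholder.
# 192.0.2.10 and 192.0.2.11 are both bound to the same NIC, the second one
# as an interface alias added with ifconfig.

Listen 192.0.2.10:443
Listen 192.0.2.11:443

# Does NOT work for SSL: name-based hosts sharing one address. The SSL
# handshake, including the server certificate, completes before the Host:
# header arrives, so the first host's certificate is presented for both
# names and the second site triggers a name-mismatch warning.
#
#   NameVirtualHost 192.0.2.10:443
#   <VirtualHost 192.0.2.10:443>
#       ServerName         shop.example.com
#       SSLCertificateFile conf/ssl.crt/shop.example.com.crt
#   </VirtualHost>
#   <VirtualHost 192.0.2.10:443>
#       ServerName         intranet.example.com
#       SSLCertificateFile conf/ssl.crt/intranet.example.com.crt
#   </VirtualHost>

# Works: one address per site, so the certificate is selected by the
# address the client connected to, before any HTTP is exchanged.
<VirtualHost 192.0.2.10:443>
    ServerName            shop.example.com
    DocumentRoot          /var/www/shop
    SSLEngine             on
    SSLCertificateFile    conf/ssl.crt/shop.example.com.crt
    SSLCertificateKeyFile conf/ssl.key/shop.example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName            intranet.example.com
    DocumentRoot          /var/www/intranet
    SSLEngine             on
    SSLCertificateFile    conf/ssl.crt/intranet.example.com.crt
    SSLCertificateKeyFile conf/ssl.key/intranet.example.com.key
</VirtualHost>
```

Each host name has to resolve in DNS to its own address, and each certificate's common name has to match the name served on that address.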
Autostart apache /w mod_ssl from init.d ?
Hello,

I am new to this mailing list, and I have browsed through the mail archives and I can't seem to find an answer y/n to my question.

I run Debian 2.2 and I have finally gotten everything setup with mod_ssl and apache and everything appears to be running quite happily. My only question is this: I noticed that when I started the binary 'perlhttpdctl startssl' (mod_perl is compiled in as well), I was prompted for my PEM pass phrase which I entered and all is well, but what happens when I reboot this server? I am not always physically at the machine when it is rebooted or powered down/up and I was wondering if there was a way I could automate this through /etc/init.d (rc startup scripts)?

If this question has already been addressed, I am sorry I must have missed it in the archives.

Thanks in advance.

- Dave
Re: Autostart apache /w mod_ssl from init.d ?
Simply do not create a PEM pass phrase, when you compile Apache.

Greetings,
Alex

--- Dave [EMAIL PROTECTED] wrote:
> Hello,
>
> I am new to this mailing list, and I have browsed through the mail archives and I can't seem to find an answer y/n to my question.
>
> I run Debian 2.2 and I have finally gotten everything setup with mod_ssl and apache and everything appears to be running quite happily. My only question is this: I noticed that when I started the binary 'perlhttpdctl startssl' (mod_perl is compiled in as well), I was prompted for my PEM pass phrase which I entered and all is well, but what happens when I reboot this server? I am not always physically at the machine when it is rebooted or powered down/up and I was wondering if there was a way I could automate this through /etc/init.d (rc startup scripts)?
>
> If this question has already been addressed, I am sorry I must have missed it in the archives.
>
> Thanks in advance.
>
> - Dave
Re: Autostart apache /w mod_ssl from init.d ?
Dave wrote:
> when I started the binary 'perlhttpdctl startssl' (mod_perl is compiled in as well), I was prompted for my PEM pass phrase which I entered and all is well, but what happens when I reboot this server? I am not always physically at the machine when it is rebooted or powered down/up and I was wondering if there was a way I could automate this through /etc/init.d (rc startup scripts)?

This whole idea of the pass-phrase is a bit debatable... The idea is that even if a bad guy steals your certificate and sets up a fake version of your site on his own server, he still can't start it up and impersonate your site. If you are pretty sure no-one can steal your certificate, do you really need a pass-phrase? If you don't need it, you can remove it; http://www.modssl.org/docs/2.3/ssl_faq.html#ToC25

Another approach is to have a script that echoes the pass-phrase at boot (described in the above FAQ). Personally, I think that is a pointless exercise since the script needs to know the pass-phrase and if a hacker can get your certificate, he can get the script... Some people keep the script on a floppy which they insert manually at boot - in which case they might as well type in the pass-phrase.

I prefer to protect my machine from intrusion so no-one can look at any files that they're not supposed to.

Rgds (starting another flame-war..),
Owen Boyle.
Re: Autostart apache /w mod_ssl from init.d ?
A further approach is to have another machine monitor the webserver from inside a firewall or over a serial cable and on a reboot it will log in over ssh and do the pass phrase thing...

Sean

Owen Boyle wrote:
> Dave wrote:
> > when I started the binary 'perlhttpdctl startssl' (mod_perl is compiled in as well), I was prompted for my PEM pass phrase which I entered and all is well, but what happens when I reboot this server? I am not always physically at the machine when it is rebooted or powered down/up and I was wondering if there was a way I could automate this through /etc/init.d (rc startup scripts)?
>
> Another approach is to have a script that echoes the pass-phrase at boot (described in the above FAQ). Personally, I think that is a pointless exercise since the script needs to know the pass-phrase and if a hacker can get your certificate, he can get the script... Some people keep the script on a floppy which they insert manually at boot - in which case they might as well type in the pass-phrase.
RE: Autostart apache /w mod_ssl from init.d ?
> I prefer to protect my machine from intrusion so no-one can look at any files that they're not supposed to.
>
> Rgds (starting another flame-war..),
> Owen Boyle.

I couldn't agree more, except I think that it is possible to purchase separate cards that store the pass-phrase on them (eg Ncipher cards). But as you say, keeping your machine protected from the bad guys is always a good idea.

-
John Airey
Internet systems support officer, ITCSD, Royal National Institute for the Blind
Re: Apache and mod_ssl
We do need 2 Virtual Host-Directives for HTTP & HTTPS (as we talked about this in this list before). So it's simpler just to use:

    Redirect / https://%(HTTP_HOST)/

This needs the mod_alias which is compiled in by default.

GreetingX,
Alex

--- ___cliff rayman___ [EMAIL PROTECTED] wrote:
> if u have compiled in mod_rewrite, i believe the code below will do what you want. i have not tested it here however. check out the following documentation.
>
> http://httpd.apache.org/docs/mod/mod_rewrite.html
> http://httpd.apache.org/docs/misc/rewriteguide.html
>
> - snip
>     RewriteEngine on
>     RewriteCond %{HTTPS} !=on
>     RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R,L]
> - snip
>
> Janakiraman Mohanaraman wrote:
> > Hi:
> >
> > I am using mod_ssl and openssl in Linux platform for the first time. I was unable to locate documentation regarding the following and am not sure if this is do-able or not.
> >
> > I was trying to setup a directory on my server in such a way that all URL calls to that directory use SSL. Even if the URL entered in the browser is http://..., I would like to change that to https://...:443 automatically. The documentation in mod-ssl indicated that I use the SSLRequireSSL flag for the directory to require SSL to access this directory. However, I was able to access this directory in http.
> >
> > I am using Apache 1.3.20, mod_ssl 2.8.4, openssl-0.9.6b in Linux 7.1 platform. I am looking for resolving 2 issues:
> >
> > a) Apache / mod_ssl Configuration to ensure that calls to a specific directory (say, /usr/apache/test/ssl) always use SSL;
> > b) If user tries to access this directory in using http, automatically change that to https.
> >
> > Can someone shed light on whether this is do-able and if so how?
>
> --
> ___cliff [EMAIL PROTECTED] http://www.genwax.com/
Apache and mod_ssl
Hi:

I am using mod_ssl and openssl in Linux platform for the first time. I was unable to locate documentation regarding the following and am not sure if this is do-able or not.

I was trying to setup a directory on my server in such a way that all URL calls to that directory use SSL. Even if the URL entered in the browser is http://..., I would like to change that to https://...:443 automatically. The documentation in mod-ssl indicated that I use the SSLRequireSSL flag for the directory to require SSL to access this directory. However, I was able to access this directory in http.

I am using Apache 1.3.20, mod_ssl 2.8.4, openssl-0.9.6b in Linux 7.1 platform. I am looking for resolving 2 issues:

a) Apache / mod_ssl Configuration to ensure that calls to a specific directory (say, /usr/apache/test/ssl) always use SSL;
b) If user tries to access this directory in using http, automatically change that to https.

Can someone shed light on whether this is do-able and if so how?

Thanks in advance for your help,

MJ.

Janakiraman Mohanaraman (MJ)
Mgr, Software Development
Enterprise Management Business Unit
Cisco Systems Inc
Re: Apache and mod_ssl
if u have compiled in mod_rewrite, i believe the code below will do what you want. i have not tested it here however. check out the following documentation.

http://httpd.apache.org/docs/mod/mod_rewrite.html
http://httpd.apache.org/docs/misc/rewriteguide.html

- snip

    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R,L]

- snip

Janakiraman Mohanaraman wrote:
> Hi:
>
> I am using mod_ssl and openssl in Linux platform for the first time. I was unable to locate documentation regarding the following and am not sure if this is do-able or not.
>
> I was trying to setup a directory on my server in such a way that all URL calls to that directory use SSL. Even if the URL entered in the browser is http://..., I would like to change that to https://...:443 automatically. The documentation in mod-ssl indicated that I use the SSLRequireSSL flag for the directory to require SSL to access this directory. However, I was able to access this directory in http.
>
> I am using Apache 1.3.20, mod_ssl 2.8.4, openssl-0.9.6b in Linux 7.1 platform. I am looking for resolving 2 issues:
>
> a) Apache / mod_ssl Configuration to ensure that calls to a specific directory (say, /usr/apache/test/ssl) always use SSL;
> b) If user tries to access this directory in using http, automatically change that to https.
>
> Can someone shed light on whether this is do-able and if so how?

--
___cliff [EMAIL PROTECTED] http://www.genwax.com/
Re: Apache and mod_ssl
Thanks for your prompt response!

MJ.

At 04:48 PM 8/22/2001 -0700, you wrote:
> if u have compiled in mod_rewrite, i believe the code below will do what you want. i have not tested it here however. check out the following documentation.
>
> http://httpd.apache.org/docs/mod/mod_rewrite.html
> http://httpd.apache.org/docs/misc/rewriteguide.html
>
> - snip
>     RewriteEngine on
>     RewriteCond %{HTTPS} !=on
>     RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R,L]
> - snip
>
> Janakiraman Mohanaraman wrote:
> > Hi:
> >
> > I am using mod_ssl and openssl in Linux platform for the first time. I was unable to locate documentation regarding the following and am not sure if this is do-able or not.
> >
> > I was trying to setup a directory on my server in such a way that all URL calls to that directory use SSL. Even if the URL entered in the browser is http://..., I would like to change that to https://...:443 automatically. The documentation in mod-ssl indicated that I use the SSLRequireSSL flag for the directory to require SSL to access this directory. However, I was able to access this directory in http.
> >
> > I am using Apache 1.3.20, mod_ssl 2.8.4, openssl-0.9.6b in Linux 7.1 platform. I am looking for resolving 2 issues:
> >
> > a) Apache / mod_ssl Configuration to ensure that calls to a specific directory (say, /usr/apache/test/ssl) always use SSL;
> > b) If user tries to access this directory in using http, automatically change that to https.
> >
> > Can someone shed light on whether this is do-able and if so how?
>
> --
> ___cliff [EMAIL PROTECTED] http://www.genwax.com/

Janakiraman Mohanaraman (MJ)
Mgr, Software Development
Enterprise Management Business Unit
Cisco Systems Inc
Re: Apache and mod_ssl
Janakiraman Mohanaraman wrote:
> At 04:48 PM 8/22/2001 -0700, you wrote:
> > if u have compiled in mod_rewrite, i believe the code below will do what you want. i have not tested it here however. check out the following documentation.
> >
> > http://httpd.apache.org/docs/mod/mod_rewrite.html
> > http://httpd.apache.org/docs/misc/rewriteguide.html
> >
> > - snip
> >     RewriteEngine on
> >     RewriteCond %{HTTPS} !=on
> >     RewriteRule ^(.+) https://%{HTTP_HOST}$1 [R,L]

in particular for the directories /tst/ssl and /tst/ssl2

    RewriteEngine on
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/test/ssl/(.+) https://%{HTTP_HOST}/tst/ssl/$1 [R,L]
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/test/ssl2/(.+) https://%{HTTP_HOST}/tst/ssl2/$1 [R,L]

i wanted to make sure this was clear.

> > - snip

Janakiraman Mohanaraman wrote:
> I was trying to setup a directory on my server in such a way that all URL calls to that directory use SSL. Even if the URL entered in the browser is http://..., I would like to change that to https://...:443 automatically.

--
___cliff [EMAIL PROTECTED] http://www.genwax.com/
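An added example (not code from any poster in this thread) that puts together the two things the original question asks for: SSLRequireSSL to refuse plain-HTTP access to the directory, and a redirect on the HTTP virtual host. The address, host name, certificate paths and the mapping of the URL path /test/ssl onto /usr/apache/test/ssl are assumptions.

```apache
# Added example: 192.0.2.10, www.example.com and the certificate paths are
# placeholders. Assumes DocumentRoot /usr/apache, so that the URL path
# /test/ssl maps to the directory /usr/apache/test/ssl from the question.

Listen 192.0.2.10:80
Listen 192.0.2.10:443

# (a) Enforcement. SSLRequireSSL denies any request for this directory that
# did not arrive over SSL. Placed in the main server config, it is inherited
# by both virtual hosts below, so it still holds if the redirect is removed.
<Directory /usr/apache/test/ssl>
    SSLRequireSSL
</Directory>

# (b) Convenience. The plain-HTTP host sends the protected path to HTTPS.
<VirtualHost 192.0.2.10:80>
    ServerName   www.example.com
    DocumentRoot /usr/apache

    RewriteEngine on
    # The target uses a fixed host name. %{HTTP_HOST} is copied from the
    # request, so using it here would let the client decide which host the
    # redirect points at.
    RewriteRule ^/test/ssl(/.*)?$ https://www.example.com/test/ssl$1 [R,L]
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName            www.example.com
    DocumentRoot          /usr/apache
    SSLEngine             on
    SSLCertificateFile    conf/ssl.crt/www.example.com.crt
    SSLCertificateKeyFile conf/ssl.key/www.example.com.key
</VirtualHost>
```

With the RewriteRule taken out, a plain-HTTP request for /test/ssl/ should be answered with 403 Forbidden, which confirms that SSLRequireSSL is in effect independently of the redirect.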
Missing symbol _llasgremu (Apache 1.3.20/mod_ssl-2.8.4/openssl-0.9.6b
Attempting to do a startup with /opt/apache/bin/apachectl startssl results in the following complaint:

    Syntax error on line 238 of /opt/apache/conf/httpd.conf
    Cannot load /opt/apache/libexc/libssl.so into server: dynamic linker: /opt/apache/bin/httpd: relocation error: symbol not found: _llasgremu; referenced from: /opt/apache/libexec/libssl.so
    /opt/apache/bin/apachectl startssl: httpd could not be started

Line 238 of httpd.conf points, of course, to:

    <IfDefine SSL>
    LoadModule ssl_module libexec/libssl.so
    </IfDefine>

libssl.so is in /opt/apache/libexec, where it should be - and that same directory contains all the .so modules one would expect to see. Therefore, I have assumed there was nothing wrong in the dynamic build process, and the problem is one of this missing _llasgremu symbol/element, whatever that might be.

I have not before had a problem in building apache/openssl/mod_ssl. I was simply updating the software base we are using. Not a good idea here?

Platform is UnixWare 7.1.1 (unixware-7-pentium) which has been stable as hell in the past.

Can anyone give me help?

Thanks!

George Walsh, Managing Director,
DSC Directional Services Corp
Travel Seewise Pacific Corp
Vancouver, Canada
Fine-tuning Apache and mod_ssl
Currently, running Apache 1.3.12 + mod_ssl 2.6.3.

I'm currently looking for ways to fine-tune our e-commerce site to handle SSL transaction. Every time a SSL connection is made, it takes ages to load the page. I.e. loading the shopping cart in secure mode.

Are there any tweaks under httpd.conf which are worth editing ? All my settings are default when Apache and mod_ssl is installed.

Any help will be very much appreciated.

- ronnie -
Re: Fine-tuning Apache and mod_ssl
On Tue, Jul 10, 2001 at 06:00:22PM +0800, Thum Chee Weng, Ronnie wrote:
> Currently, running Apache 1.3.12 + mod_ssl 2.6.3. I'm currently looking for ways to fine-tune our e-commerce site to handle SSL transaction. Every time a SSL connection is made, it takes ages to load the page. I.e. loading the shopping cart in secure mode. Are there any tweaks under httpd.conf which are worth editing ? All my settings are default when Apache and mod_ssl is installed. Any help will be very much appreciated.

Using a shared memory cache for session caching could speed up things quite a lot.
See http://www.modssl.org/docs/2.8/ssl_reference.html#ToC5

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
RE: Fine-tuning Apache and mod_ssl
what would be a good figure to start using shm ? Default figure is 512000. I've 2GB RAM on my web server

- ronnie -

-Original Message-
From: Mads Toftum [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 10, 2001 6:46 PM
To: [EMAIL PROTECTED]
Subject: Re: Fine-tuning Apache and mod_ssl

On Tue, Jul 10, 2001 at 06:00:22PM +0800, Thum Chee Weng, Ronnie wrote:
> Currently, running Apache 1.3.12 + mod_ssl 2.6.3. I'm currently looking for ways to fine-tune our e-commerce site to handle SSL transaction. Every time a SSL connection is made, it takes ages to load the page. I.e. loading the shopping cart in secure mode. Are there any tweaks under httpd.conf which are worth editing ? All my settings are default when Apache and mod_ssl is installed. Any help will be very much appreciated.

Using a shared memory cache for session caching could speed up things quite a lot.
See http://www.modssl.org/docs/2.8/ssl_reference.html#ToC5

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Fine-tuning Apache and mod_ssl
On Tue, Jul 10, 2001 at 07:20:41PM +0800, Thum Chee Weng, Ronnie wrote:
> what would be a good figure to start using shm ? Default figure is 512000.

That depends on your OS and how busy your site is - check the output of make test when you build mm. I usually default mine to 1MB on solaris.

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
RE: Fine-tuning Apache and mod_ssl
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mads Toftum

> On Tue, Jul 10, 2001 at 07:20:41PM +0800, Thum Chee Weng, Ronnie wrote:
>> what would be a good figure to start using shm ? Default figure is 512000.
>
> That depends on your OS and how busy your site is - check the output of make test when you build mm. I usually default mine to 1MB on solaris.

I usually use 1MB as well on my servers. But if it takes forever to load a page even while the server is not under load, I doubt that this is the problem. Check the setting HostnameLookups, it should be Off.

-Dave
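A small check for the two httpd.conf settings suggested in this thread (a shared-memory SSLSessionCache and HostnameLookups Off), as an added example that is not from any poster. The function names and the sample configuration are constructed for the example; per-VirtualHost scoping is ignored.

```shell
#!/bin/sh
# audit_tuning [FILE]
# Prints one finding per line for SSLSessionCache and HostnameLookups.
# Reads FILE, or stdin when no FILE is given. The last occurrence of each
# directive wins; <VirtualHost> scoping is ignored (simplification).
audit_tuning() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        NF == 0    { next }                      # skip blank lines
        { name = tolower($1) }                   # directive names are case-insensitive
        name == "sslsessioncache" { cache = $2 }
        name == "hostnamelookups" { lookups = tolower($2) }
        END {
            if (cache == "" || tolower(cache) == "none")
                print "SSLSessionCache: none (no inter-process session cache)"
            else if (cache ~ /^shm:/) {
                size = "default"
                # shm:/path(bytes) carries the table size in parentheses
                if (match(cache, /\([0-9]+\)$/))
                    size = substr(cache, RSTART + 1, RLENGTH - 2) " bytes"
                print "SSLSessionCache: shm, size " size
            } else
                print "SSLSessionCache: " cache
            if (lookups == "on" || lookups == "double")
                print "HostnameLookups: " lookups " (reverse DNS lookup for each client; set Off)"
        }
    ' "${1:--}"
}

# Constructed sample input, not taken from any poster's server.
sample_conf() {
    cat <<'EOF'
# httpd.conf excerpt (constructed)
HostnameLookups On
<IfModule mod_ssl.c>
    SSLSessionCache shm:/var/log/httpd/ssl_scache(1048576)
    SSLSessionCacheTimeout 300
</IfModule>
EOF
}

# Run the check on the sample when called as: sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    sample_conf | audit_tuning
fi
```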
RE: Fine-tuning Apache and mod_ssl
> I usually use 1MB as well on my servers. But if it takes forever to load a page even while the server is not under load, I doubt that this is the problem. Check the setting HostnameLookups, it should be Off.

I have noticed a pretty strange phenomenon that sounds similar to what you are experiencing. I am using Netscape Communicator 4.5 on a Windows NT 4 system, just FYI.

On occasion, when I attempt to load secure pages hosted by my Red Hat/Apache server, it takes a very long time for them to load. I discovered a trick, though. I keep another browser window open to a simple web page out there. When I notice the big SSL lag occurring, I Alt-tab over to the other window and hit Refresh. The SSL page in the primary window immediately begins to load also, as if there was some sort of TCP/IP lockup that got cleared by my refreshing the other browser window. The other browser window need not even be pointed to a secure page nor does it have to be pointed to my own server.

This trick even works when I switch to my Netscape mail reader and tell it to get the mail. Right away, the SSL page begins to load. Weird.

Vik Nokhoudian
Re: Apache problem mod_ssl 2.8.2
hi!

which browser do you use? some ie have problems with apache. you can manage it in the config-file. i need more info.

> We are currently using apache 1.3.19 with mod_ssl 2.8.2. We have noticed between mod_ssl 2.8.1 and 2.8.2 more Page cannot be displayed in 2.8.2. We have no trace in apache logs. It is clearly linked to our use of SSL. Can anyone help us finding how to set up some trace to be able to understand what is wrong.

Michael Ott
Siemens AG - IS IT PS 51 ERL
Werner-von-Siemens-Strasse 60
91050 Erlangen
Tel. +49 91 31 7 42 0 54
[EMAIL PROTECTED]
Re: apache and mod_ssl
On Fri, Jun 02, 2000 at 07:29:14PM -0500, Dave wrote:
> I have been trying for the past couple of days to get apache and ssl (http://www.modssl.org and http://www.apache-ssl.org) to work. I have tried them both. Netscape hangs when I try to connect to https://localhost but works without security at http://localhost:443.

This looks strange - almost as if you have somehow turned off the SSLEngine for your port 443 vhost.

> Apache alone without ssl works great. I used the default httpd.conf file that came with ssl and changing only path names and have made all the certificates and keys.

Could you try setting SSLLogLevel to debug and then check the logfile for any hints about what is wrong. You may want to make sure that you've gone through a build procedure more or less like http://www.modssl.org/example/

vh

Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
Re: Apache problem mod_ssl 2.8.2
Look at the SSLSessionCache option in your config file. My bet is that it is not there.

What I had to do to get it working distills down to this (with much help and appreciation to those on this list that helped) was to add the following (I use a \ where my mail program wraps the lines):

SetEnvIf User-Agent .*MSIE.* nokeepalive \
ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLSessionCache dbm:/var/log/httpd/ssl_scache
SSLSessionCacheTimeout 300

There is more than one way to handle the SSLSessionCache itself, just FYI. I hope this helps.

-Albert C.

Gilles Gros wrote:
> Hi, We are currently using apache 1.3.19 with mod_ssl 2.8.2. We have noticed between mod_ssl 2.8.1 and 2.8.2 more Page cannot be displayed in 2.8.2. We have no trace in apache logs. It is clearly linked to our use of SSL. Can anyone help us finding how to set up some trace to be able to understand what is wrong. Thanks Gilles
RE: Apache problem mod_ssl 2.8.2
Oh, Thank you for the answer it helps a lot. Can I get some explanation on what the

SetEnvIf User-Agent .*MSIE.* nokeepalive \
ssl-unclean-shutdown downgrade-1.0 force-response-1.0

means.

Gilles.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ACroft
Sent: Friday, April 27, 2001 6:56 AM
To: [EMAIL PROTECTED]
Subject: Re: Apache problem mod_ssl 2.8.2

Look at the SSLSessionCache option in your config file. My bet is that it is not there.

What I had to do to get it working distills down to this (with much help and appreciation to those on this list that helped) was to add the following (I use a \ where my mail program wraps the lines):

SetEnvIf User-Agent .*MSIE.* nokeepalive \
ssl-unclean-shutdown downgrade-1.0 force-response-1.0
SSLSessionCache dbm:/var/log/httpd/ssl_scache
SSLSessionCacheTimeout 300

There is more than one way to handle the SSLSessionCache itself, just FYI. I hope this helps.

-Albert C.

Gilles Gros wrote:
> Hi, We are currently using apache 1.3.19 with mod_ssl 2.8.2. We have noticed between mod_ssl 2.8.1 and 2.8.2 more Page cannot be displayed in 2.8.2. We have no trace in apache logs. It is clearly linked to our use of SSL. Can anyone help us finding how to set up some trace to be able to understand what is wrong. Thanks Gilles
Re: Apache problem mod_ssl 2.8.2
To my understanding (and anyone who can correct me if I am wrong, please do), some versions of Microsoft Internet Explorer (MSIE) have problems with using the HTTP/1.1 protocol with SSL. What this command does is to turn off keepalive facility and force HTTP/1.0 responses (rather than HTTP/1.1 responses) when the browser (User-Agent) is a version of MSIE.

If you would like more information on this, you might try the following page from the mod_ssl FAQ:

http://www.modssl.org/docs/2.8/ssl_faq.html#ToC49

Hope this helps.

-Albert C.

Gilles Gros wrote:
> Oh, Thank you for the answer it helps a lot. Can I get some explanation on what the
>
> SetEnvIf User-Agent .*MSIE.* nokeepalive \
> ssl-unclean-shutdown downgrade-1.0 force-response-1.0
>
> means.
>
> Gilles.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of ACroft
> Sent: Friday, April 27, 2001 6:56 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Apache problem mod_ssl 2.8.2
>
> Look at the SSLSessionCache option in your config file. My bet is that it is not there.
>
> What I had to do to get it working distills down to this (with much help and appreciation to those on this list that helped) was to add the following (I use a \ where my mail program wraps the lines):
>
> SetEnvIf User-Agent .*MSIE.* nokeepalive \
> ssl-unclean-shutdown downgrade-1.0 force-response-1.0
> SSLSessionCache dbm:/var/log/httpd/ssl_scache
> SSLSessionCacheTimeout 300
>
> There is more than one way to handle the SSLSessionCache itself, just FYI. I hope this helps.
>
> -Albert C.
>
> Gilles Gros wrote:
>> Hi, We are currently using apache 1.3.19 with mod_ssl 2.8.2. We have noticed between mod_ssl 2.8.1 and 2.8.2 more Page cannot be displayed in 2.8.2. We have no trace in apache logs. It is clearly linked to our use of SSL. Can anyone help us finding how to set up some trace to be able to understand what is wrong. Thanks Gilles
Re: remote admin of apache with mod_ssl
I am by no means the expert, but if you have a key file (I think it's the key file!) on your server, then that can contain your passphrase. And you won't be prompted.

If it is an *encrypted* key file, then you need a passphrase to unlock the key, and *then* you get prompted.

-Dan

> I'm finalizing things and getting ready to compile apache 1.3.19 with mod_ssl (2.8.2) and openssl and put it in place on a solaris 8 sun server. My problem is that I work on this server remotely. 99% of the time. So, when I have to reboot or re-initialize the web server, it will stop and wait for the input of the ssl passphrase, right?. (I'm assuming it will since my old linux box does this with its apache-ssl server). Is there an alternate way to pass the passphrase to apache? is there a way around this? I'm new enough to unix/solaris not to know some of the simpler things... :)
>
> donovan
Re: remote admin of apache with mod_ssl
>> Is there an alternate way to pass the passphrase to apache?
>
> Try to use expect.

If you are going to use a script that contains the password, then you might as well put the password in a file. mod_ssl can exec a program so your "script" is as easy as

#! /bin/sh
echo secret_password
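A stricter form of the helper described above, as an added example that is not part of any post in this thread: mod_ssl's `SSLPassPhraseDialog exec:` mode runs the program with `servername:port` and the key type as its two arguments and reads the pass phrase from its stdout. The `PASSDIR` location and the one-file-per-vhost naming are assumptions of the example.

```shell
#!/bin/sh
# Pass-phrase helper for: SSLPassPhraseDialog exec:/path/to/this/script
# Instead of embedding the secret in the script, it is read from a file
# that must be private to the calling user (root when httpd starts).
# PASSDIR and the "<server:port>.<keytype>" file names are assumptions.
PASSDIR="${PASSDIR:-/usr/local/apache/conf/ssl.pass}"

# Succeeds only for a regular file (not a symlink) owned by the caller
# with no group or other permission bits, i.e. mode 0400 or 0600.
perms_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# emit_passphrase SERVER:PORT KEYTYPE
# Prints the first line of the matching file, or fails with no output.
emit_passphrase() {
    vhost=$1
    keytype=$2
    # Only host:port made of safe characters; nothing that can leave PASSDIR.
    case "$vhost" in
        ""|*[!A-Za-z0-9.:_-]*|*..*|*:*:*|:*|*:)
            echo "rejecting vhost argument" >&2; return 2 ;;
        *:*) ;;
        *)  echo "rejecting vhost argument" >&2; return 2 ;;
    esac
    case "$keytype" in
        RSA|DSA|ECC) ;;
        *)  echo "rejecting key type argument" >&2; return 2 ;;
    esac
    file="$PASSDIR/$vhost.$keytype"
    if ! perms_ok "$file"; then
        echo "refusing $file: need a regular file, owner-only permissions" >&2
        return 3
    fi
    head -n 1 "$file"
}

# mod_ssl calls the helper with exactly two arguments.
if [ "$#" -eq 2 ]; then
    emit_passphrase "$1" "$2"
    exit $?
fi
```

The helper fails closed: if the file is missing, is a symlink, or is readable by group or others, nothing is written to stdout and httpd does not get a pass phrase.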
Re: remote admin of apache with mod_ssl
Hello !

On Sat, 14 Apr 2001, Brenda Donovan wrote:
> So, when I have to reboot or re-initialize the web server, it will stop and wait for the input of the ssl passphrase, right?. (I'm assuming it will since my old linux box does this with its apache-ssl server). Is there an alternate way to pass the passphrase to apache? is there a way around this?

Try to use expect. It's a beautiful language to automate tasks. There was a little script in Linux Journal which fulfils your needs. It was written to pass the passphrase to Apache-SSL.

expect homepage: http://expect.nist.gov

Bye, Ago

ps.: if I found the paper at home I will post the script to the list
remote admin of apache with mod_ssl
I'm finalizing things and getting ready to compile apache 1.3.19 with mod_ssl (2.8.2) and openssl and put it in place on a solaris 8 sun server.

My problem is that I work on this server remotely. 99% of the time. So, when I have to reboot or re-initialize the web server, it will stop and wait for the input of the ssl passphrase, right?. (I'm assuming it will since my old linux box does this with its apache-ssl server).

Is there an alternate way to pass the passphrase to apache? is there a way around this? I'm new enough to unix/solaris not to know some of the simpler things... :)

donovan
Apache with mod_ssl / openssl
Hi-

Does anyone know where I can find the binary for the latest Apache with mod_ssl and openssl for SCO 5.0.5?

Scott Trowbridge, VP Information Resources
mailto: [EMAIL PROTECTED]
Web: www.hsmc-ul.com
Re: Apache with mod_ssl / openssl
FWIW Scott:

I am a UnixWare7.1.1 user. It took me awhile to learn the value of doing so, but I grew weary of SCO not keeping up to date with either Apache or Sendmail, so I have removed their distributions of each and built them from source with very little trouble.

The one problem I did experience was with entropy. UnixWare does not provide a /dev/random function, and so I was continually being stalled by the lack of sufficient entropy to serve SSL calls. If that is a problem in your o/s as well, then prngd will relieve all suffering in that regard with minimum fuss.

Regards,

George Walsh, Managing Director,
DSC Directional Service Corp
Travel Seewise Pacific Corp
Vancouver, Canada

[EMAIL PROTECTED] wrote:
> Hi- Does anyone know where I can find the binary for the latest Apache with mod_ssl and openssl for SCO 5.0.5?
>
> Scott Trowbridge, VP Information Resources
> mailto: [EMAIL PROTECTED]
> Web: www.hsmc-ul.com

--
George Walsh, Managing Director, Travel Seewise Pacific Corp Vancouver Canada