RE: MM doesn't work now with 0.9.6e - Security related Bug in mm mm-1.2.1
Hi there,

did you notice that there is a security bug in mm version 1.2.1 as well, which was announced on Jul 30 2002? Have a look here:

Advisory: http://www.openpkg.org/security/OpenPKG-SA-2002.007-mm.html (CERT ID 2002-453dcert).

You can get the latest version of mm here: http://www.ossp.org/pkg/lib/mm/

Kind regards,
B. Courtin

-Original Message-
From: David Lowenstein [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 10:33 PM
To: [EMAIL PROTECTED]
Subject: MM doesn't work now with 0.9.6e

I just installed the newest version of openssl and recompiled mm, mod_ssl, mod_perl, and apache. Now when I start apache I get an error from my httpd.conf file about the SSLSessionCache option. The error is:

SSLSessionCache: shared memory cache not useable on this platform

Well, it was with openssl 0.9.6c. I didn't do anything different in my installation steps which were:

install openssl
configure mm with disable-shared
make
configure mod_ssl --with-apache=../apache_1.3.26
install mod_perl (perl Makefile.PL APACHE_SRC=../apache_1.3.26/src DO_HTTPD=0 USE_APACI=1 PREP_HTTPD=1 EVERYTHING=1)
set SSL_BASE and EAPI_MM variables to ../openssl0.9.6e and ../mm-1.2.1
configure and install apache:
./configure --enable-module=proxy --enable-module=so --activate-module=src/modules/perl/libperl.a --enable-module=perl --enable-rule=SHARED_CORE --enable-module=ssl
make
make certificate
make install

Without the shared option in the config file, apache starts just fine, but it won't work with:

SSLSessionCache shm:/usr/local/apache/logs/ssl/ssl_scache(512000)

It worked before. What did I break?

Dave Lowenstein
Programmer/Analyst
Instructional Technology Services
San Diego State University
(619)594-0270
http://www-rohan.sdsu.edu/dept/its

On Wed, 31 Jul 2002, Matt Nelson wrote:

At 06:02 PM 7/31/2002 +0200, you wrote:

See comments,

Ditto,

Rgds, Owen Boyle

-Original Message-
From: Matt Nelson [mailto:[EMAIL PROTECTED]]
Sent: Mittwoch, 31. Juli 2002 17:01
To: [EMAIL PROTECTED]
Subject: RE: Error message help

Well I may have figured this out, https is now running, cert was in the wrong place,

..or your SSLCertificateFile directive was pointing to the wrong place :-)

Yup, but dang I was confused on where it went. Everything I've read said put it somewhere different. Error logs are your friends.

...but https returns the default web page for the apache installation, instead of the real site, which does come up with just http. I think I can figure that out, but if anyone has a pointer, thanks, and thanks for suffering my dumb questions.

Check out your DocumentRoot directive in the SSL virtual host - there should only be one. If there is more than one, apache will use the last one... It is this directive which tells apache where to fetch the content.

Yeah I found that right after I wrote that.

-- Matt

At 09:36 AM 7/31/2002 -0500, you wrote:
At 03:56 PM 7/31/2002 +0200, you wrote:
From: Matt Nelson [mailto:[EMAIL PROTECTED]]

Now, the error I'm getting now that I can't seem to find any help on, in the error_log is:

OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long

Unusual.. Do you see anything in the browser? Also:

- What versions of apache, mod_ssl, openssl?

Apache 1.3.22
OpenSSL 0.9.6
mod_ssl 1.4

Um... If I were you, I'd get apache 1.3.26, OpenSSL 0.9.6e and mod_ssl 2.8.10. That's the latest mix, also pay attention to the security advisory that was posted to the list today.

I'll do that.

- Static or DSO?

When you compiled apache, did you statically compile in mod_ssl (i.e. --enable-module=ssl) so that the mod_ssl binary gets munged in with the apache binary to produce a big binary *or* did you compile mod_ssl as a shared object which would be loaded dynamically at runtime (DSO = Dynamic Shared Object), i.e. --enable-shared=ssl? Usually, it doesn't make much difference when they're working, but since yours was not working, I thought I'd ask.

I didn't compile, I used everything stock from the Caldera 3.11 server install. A bad idea now I know, if I'd done it on my own or recompiled, I'd know which it was, among other things. I'll be honest and say I don't quite understand that question. I'm way more new at this than I wished. I could probably answer that question, if asked in different terms.

- What browser?

IE, Mozilla, you name it.

Just in case it was a funny browser - SSL is as much to do with the client as it is to do with the server so it is essential to verify any problems with several browsers. But you've already done that.

Yeah... See I do try, I hate being a clueless newbie, or at least acting like one. I always try to cover the bases myself, so I don't get RTFM responses. I'm sure I'll have some other questions, though
MM doesn't work now with 0.9.6e
I just installed the newest version of openssl and recompiled mm, mod_ssl, mod_perl, and apache. Now when I start apache I get an error from my httpd.conf file about the SSLSessionCache option. The error is:

SSLSessionCache: shared memory cache not useable on this platform

Well, it was with openssl 0.9.6c. I didn't do anything different in my installation steps which were:

install openssl
configure mm with disable-shared
make
configure mod_ssl --with-apache=../apache_1.3.26
install mod_perl (perl Makefile.PL APACHE_SRC=../apache_1.3.26/src DO_HTTPD=0 USE_APACI=1 PREP_HTTPD=1 EVERYTHING=1)
set SSL_BASE and EAPI_MM variables to ../openssl0.9.6e and ../mm-1.2.1
configure and install apache:
./configure --enable-module=proxy --enable-module=so --activate-module=src/modules/perl/libperl.a --enable-module=perl --enable-rule=SHARED_CORE --enable-module=ssl
make
make certificate
make install

Without the shared option in the config file, apache starts just fine, but it won't work with:

SSLSessionCache shm:/usr/local/apache/logs/ssl/ssl_scache(512000)

It worked before. What did I break?

Dave Lowenstein
Programmer/Analyst
Instructional Technology Services
San Diego State University
(619)594-0270
http://www-rohan.sdsu.edu/dept/its

On Wed, 31 Jul 2002, Matt Nelson wrote:

At 06:02 PM 7/31/2002 +0200, you wrote:

See comments,

Ditto,

Rgds, Owen Boyle

-Original Message-
From: Matt Nelson [mailto:[EMAIL PROTECTED]]
Sent: Mittwoch, 31. Juli 2002 17:01
To: [EMAIL PROTECTED]
Subject: RE: Error message help

Well I may have figured this out, https is now running, cert was in the wrong place,

..or your SSLCertificateFile directive was pointing to the wrong place :-)

Yup, but dang I was confused on where it went. Everything I've read said put it somewhere different. Error logs are your friends.

...but https returns the default web page for the apache installation, instead of the real site, which does come up with just http. I think I can figure that out, but if anyone has a pointer, thanks, and thanks for suffering my dumb questions.

Check out your DocumentRoot directive in the SSL virtual host - there should only be one. If there is more than one, apache will use the last one... It is this directive which tells apache where to fetch the content.

Yeah I found that right after I wrote that.

-- Matt

At 09:36 AM 7/31/2002 -0500, you wrote:
At 03:56 PM 7/31/2002 +0200, you wrote:
From: Matt Nelson [mailto:[EMAIL PROTECTED]]

Now, the error I'm getting now that I can't seem to find any help on, in the error_log is:

OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long

Unusual.. Do you see anything in the browser? Also:

- What versions of apache, mod_ssl, openssl?

Apache 1.3.22
OpenSSL 0.9.6
mod_ssl 1.4

Um... If I were you, I'd get apache 1.3.26, OpenSSL 0.9.6e and mod_ssl 2.8.10. That's the latest mix, also pay attention to the security advisory that was posted to the list today.

I'll do that.

- Static or DSO?

When you compiled apache, did you statically compile in mod_ssl (i.e. --enable-module=ssl) so that the mod_ssl binary gets munged in with the apache binary to produce a big binary *or* did you compile mod_ssl as a shared object which would be loaded dynamically at runtime (DSO = Dynamic Shared Object), i.e. --enable-shared=ssl? Usually, it doesn't make much difference when they're working, but since yours was not working, I thought I'd ask.

I didn't compile, I used everything stock from the Caldera 3.11 server install. A bad idea now I know, if I'd done it on my own or recompiled, I'd know which it was, among other things. I'll be honest and say I don't quite understand that question. I'm way more new at this than I wished. I could probably answer that question, if asked in different terms.

- What browser?

IE, Mozilla, you name it.

Just in case it was a funny browser - SSL is as much to do with the client as it is to do with the server so it is essential to verify any problems with several browsers. But you've already done that.

Yeah... See I do try, I hate being a clueless newbie, or at least acting like one. I always try to cover the bases myself, so I don't get RTFM responses. I'm sure I'll have some other questions, though, and soon. Thanks much

-- Matt

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: MM doesn't work now with 0.9.6e
configure mod_ssl --with-apache=../apache_1.3.26

Seems like you need to supply mod_ssl with all of the configure directives you show below for apache, and then when it comes time to compile apache, you just run the auto-generated config.status script. At least that worked for me using the same versions you are using (under Red Hat Linux). Of course, I don't have mod_perl, so that may make a difference...

install mod_perl (perl Makefile.PL APACHE_SRC=../apache_1.3.26/src DO_HTTPD=0 USE_APACI=1 PREP_HTTPD=1 EVERYTHING=1)
set SSL_BASE and EAPI_MM variables to ../openssl0.9.6e and ../mm-1.2.1
configure and install apache:
./configure --enable-module=proxy --enable-module=so --activate-module=src/modules/perl/libperl.a --enable-module=perl --enable-rule=SHARED_CORE --enable-module=ssl
make
make certificate
make install

David
Re: MM doesn't work now with 0.9.6e
I'm an idiot. I set the EAPI_MM variable as MM_EAPI. Dyslexia gets you every time.

Thanks

Dave

Dave Lowenstein
Programmer/Analyst
Instructional Technology Services
San Diego State University
(619)594-0270
http://www-rohan.sdsu.edu/dept/its

On Wed, 31 Jul 2002, David Wall wrote:

configure mod_ssl --with-apache=../apache_1.3.26

Seems like you need to supply mod_ssl with all of the configure directives you show below for apache, and then when it comes time to compile apache, you just run the auto-generated config.status script. At least that worked for me using the same versions you are using (under Red Hat Linux). Of course, I don't have mod_perl, so that may make a difference...

install mod_perl (perl Makefile.PL APACHE_SRC=../apache_1.3.26/src DO_HTTPD=0 USE_APACI=1 PREP_HTTPD=1 EVERYTHING=1)
set SSL_BASE and EAPI_MM variables to ../openssl0.9.6e and ../mm-1.2.1
configure and install apache:
./configure --enable-module=proxy --enable-module=so --activate-module=src/modules/perl/libperl.a --enable-module=perl --enable-rule=SHARED_CORE --enable-module=ssl
make
make certificate
make install

David
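
The thread ends with a transposed variable name (MM_EAPI instead of EAPI_MM) that showed up only as the SSLSessionCache error at Apache startup. The following preflight check is an added example, not part of any post in this thread: it tests SSL_BASE and EAPI_MM (names from the thread) before configure runs and flags the swapped spelling; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: preflight check to run before ./configure.
# SSL_BASE and EAPI_MM are the variable names from the thread;
# the function names are hypothetical.

# Swap the halves around the first underscore (EAPI_MM -> MM_EAPI).
swapped_name() {
    case "$1" in
        *_*) printf '%s_%s\n' "${1#*_}" "${1%%_*}" ;;
    esac
}

# check_build_var NAME
#   0: NAME is set and points at an existing directory
#   1: NAME is unset or empty
#   2: NAME is set but is not a directory
#   3: NAME is unset while its swapped spelling is set
check_build_var() {
    name=$1
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
        alt=$(swapped_name "$name")
        alt_value=
        [ -n "$alt" ] && eval "alt_value=\${$alt:-}"
        if [ -n "$alt_value" ]; then
            echo "error: $name is unset but $alt=$alt_value is set" >&2
            return 3
        fi
        echo "error: $name is not set" >&2
        return 1
    fi
    if [ ! -d "$value" ]; then
        echo "error: $name=$value is not a directory" >&2
        return 2
    fi
    return 0
}

# Check both variables; returns non-zero if either check fails.
# Usage: preflight && ./configure ...
preflight() {
    rc=0
    for v in SSL_BASE EAPI_MM; do
        check_build_var "$v" || rc=1
    done
    return "$rc"
}
```

Sourcing this file and chaining `preflight` in front of the configure step stops the build while the mistake is still a one-line fix rather than a rebuilt server.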