Re: Certs work, one doesn't, cannot determine why

2010-11-01 Thread Jeff Blaine

On 11/1/2010 7:14 AM, Joe Orton wrote:

On Tue, Oct 19, 2010 at 04:35:49PM -0400, Jeff Blaine wrote:

Works: SSL via my corporate cert, SSL via 3 other people's
corporate certs
Fails: 1 person's cert so far, yet is logged as "SUCCESS"
when logging SSL_CLIENT_VERIFY via CustomLog


Your verbose description of "something goes is not working" is hard to
follow or condense down. Are you saying with the below configuration,
you are seeing the SSLRequire work for all the users but that with the
jblaine cert?


I was originally seeing it work fine for everyone but 1 user
(Simpson Mary B, below).  Now it almost seems somewhat random
in failure.  People who used to succeed are now failing.
I can get in fine (Blaine Charles J.)

Granted, I am messing with all sorts of things trying to get
it to work after all this time dead in the water.


It could be an SSLRequire implementation bug but it is hard to tell.  Is
the order of the users within the SSLRequire list significant?


Ah, you mean if I reorder them, does the success/failure
situation change as well?  I don't know, I can try that.

> Why are you matching by the whole S_DN rather than based on
> e.g. S_DN_CN alone?

Why not?  It seems like the more fully correct way to match
for security.  It's documented and supposedly legit/correct.
The cert-extracted DN (reported in log) matches the configured
DN in the ssl.conf file exactly.

I will try the httpd list.

Thanks Joe
Jeff



SetHandler perl-script
PerlResponseHandler RT::Mason
SSLVerifyClient require

SSLRequire %{SSL_CLIENT_S_DN} in { \
"/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
"/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
"/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
"/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
}


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Managermajord...@modssl.org


Re: Certs work, one doesn't, cannot determine why

2010-11-01 Thread Joe Orton
On Tue, Oct 19, 2010 at 04:35:49PM -0400, Jeff Blaine wrote:
> >Works: SSL via my corporate cert, SSL via 3 other people's
> >corporate certs
> >Fails: 1 person's cert so far, yet is logged as "SUCCESS"
> >when logging SSL_CLIENT_VERIFY via CustomLog

Your verbose description of "something goes is not working" is hard to 
follow or condense down. Are you saying with the below configuration, 
you are seeing the SSLRequire work for all the users but that with the 
jblaine cert?

It could be an SSLRequire implementation bug but it is hard to tell.  Is 
the order of the users within the SSLRequire list significant?  Why are 
you matching by the whole S_DN rather than based on e.g. S_DN_CN alone?

You might be better off trying the httpd users' list:

http://httpd.apache.org/lists.html#http-users

Regards, Joe

> >
> >SetHandler perl-script
> >PerlResponseHandler RT::Mason
> >SSLVerifyClient require
> >
> >SSLRequire %{SSL_CLIENT_S_DN} in { \
> >"/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
> >"/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
> >"/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
> >"/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
> >}
> >
> >


RE: Specifying the openssl version used with mod_ssl

2010-10-28 Thread Gunner Geller
Hello all,
Sorry for the delay. We found a work around and quit looking into
the below issue. Thanks to Peter for the static library suggestion and Lee
for the same and for getting me back on the topic. We were able to get
everything working how it should. A note, we are compiling modssl into
apache. We are not using it as a shared object. Here are the key config
options for openssl and apache:

Openssl:

./configure --prefix=/usr/local/ssl --shared

Apache:

./configure --with-included-apr --enable-ssl --with-ssl=/usr/local/ssl 


It is probably a good idea to run a sudo make clean for each installation.
At least it was for us since we re-installed about 50 times.


Thanks again,

Gunner Geller


-Original Message-
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org]
On Behalf Of Gregg L. Smith
Sent: Monday, September 13, 2010 12:48 PM
To: modssl-users@modssl.org
Subject: Re: Specifying the openssl version used with mod_ssl

Hello Gunner,

Have you tried
--enable-ssl --with-ssl=/path/to/just/compiled/openssl ?

Regards,

Gregg

Gunner Geller wrote:
>  Hello,
> 
> We are using mac Leopard OS. We have rolled our own Apache(2.2.16)
> separate from the default install. We have also rolled our own OpenSSL to
> the latest version. However when we compile Apache and enable mod_ssl it
> still uses the old OpenSSL version. We can see it in our http headers:
> 
>  
> 
> Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l
> 
>  
> 
> When typing "openssl version" from my account and the root account I get:
> 
> OpenSSL 1.0.0a 1 Jun 2010
> 
> I've seen this in some apache configs:
> 
> --enable-ssl --with-ssl=/usr/local/ssl
> 
> I've tried the above with no success. According to the output I get when
> configuring/making/installing apache it is finding openssl at the above
> directory. The problem is though that the http header stays the same.
> 
>  
> 
> The problem is we can't upgrade the default openssl version on the OS
> without apple providing the update. The outdated version is tripping our
> security scans. Like I said we rolled our own updated version but cannot
> get apache/mod_ssl to use it. Any help is appreciated.
> 
> Thanks,
> 
>  
> 
> Gunner Geller
> 
> 



Re: Certs work, one doesn't, cannot determine why

2010-10-19 Thread Jeff Blaine

Still trying to solve this, I stood up a separate
brand-spanking-new Apache 2.2.17 from source with builtin
SSL.  I am using the same Apache SSL config as quoted below.
I experience the following failure (further context is in
my quoted message below):

...
[Tue Oct 19 16:20:42 2010] [info] Subsequent (No.2) HTTPS request received for child 4 (server rtdev1.our.org:999)
[Tue Oct 19 16:20:42 2010] [error] [client 1xx.xx.9.45] client denied by server configuration: /apps/rtsrv1dev/share/html/favicon.ico
[19/Oct/2010:16:20:42 -0400] 1xx.xx.9.45 on TLSv1 AES128-SHA 128 /O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J. SUCCESS 3 369E Blaine Charles J. - "GET /favicon.ico HTTP/1.1" 213
[Tue Oct 19 16:20:47 2010] [debug] ssl_engine_io.c(1900): OpenSSL: I/O error, 5 bytes expected to read on BIO#1c2e8170 [mem: 1c2f98b0]
[Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] (70007)The timeout specified has expired: SSL input filter read failed.
[Tue Oct 19 16:20:47 2010] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation finished successfully
[Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] Connection closed to child 4 with standard shutdown (server rtdev1.our.org:999)


NOTE: "SUCCESS"
NOTE: "SSL negotiation finished successfully"
NOTE: /apps/rtsrv1dev/share/html and all files in it are
  world-readable (644)

Browser shows "Forbidden"

IE 8
and Chrome 6

On 10/15/2010 5:49 PM, Jeff Blaine wrote:

Hi folks. I'm *really* stumped here. If anyone has any
ideas, I would love to hear them. How can I debug this
further? I need more information than Apache + mod_ssl
is giving me right now.

All version information and configuration detail is after
this next paragraph.

Works: SSL via my corporate cert, SSL via 3 other people's
corporate certs
Fails: 1 person's cert so far, yet is logged as "SUCCESS"
when logging SSL_CLIENT_VERIFY via CustomLog

Example:

[15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 /O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson Mary B - "GET /index.html HTTP/1.1" 295

[Fri Oct 15 09:53:38 2010] [error] [client 1xx.xx.160.92] access to /apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)

Config Specifics:

OS: RHELv5
Apache: 2.2.3
mod_ssl: 2.2.3-43.el5


ServerName rtdev1.our.org:443

ErrorLog logs/ssl_error443_log
TransferLog logs/ssl_access443_log
LogLevel warn

SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
SSLCertificateKeyFile /apps/rtsrv1dev/PKI/rtdev1.key
SSLCertificateChainFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
SSLCACertificateFile /apps/rtsrv1dev/PKI/MITRE-cert-bundle.cer
SSLVerifyClient require
SSLVerifyDepth 2

SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire


SSLOptions +StdEnvVars


SSLOptions +StdEnvVars


SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_access443_log \
"%h - - %t \"%r\" %{HTTPS}x %{SSL_PROTOCOL}x"

CustomLog logs/ssl_error443_log \
"%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
%{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x \
%{SSL_CLIENT_M_VERSION}x %{SSL_CLIENT_M_SERIAL}x %{SSL_CLIENT_S_DN_CN}x \
%{SSL_CLIENT_S_DN_UID}x \"%r\" %b"

DocumentRoot /apps/rtsrv1dev/share/html
AddDefaultCharset UTF-8
PerlRequire "/apps/rtsrv1dev/bin/webmux.pl"
SetHandler default



SetHandler perl-script
PerlResponseHandler RT::Mason
SSLVerifyClient require

SSLRequire %{SSL_CLIENT_S_DN} in { \
"/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
"/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
"/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
"/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
}



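Added example (not from the thread, and not mod_ssl code): a Python model of the allow-list in the SSLRequire line above, next to two alternatives, including the CN-only match Joe asked about in his reply. One detail worth checking against the log lines posted: the CustomLog entry for the failing user prints the subject as "/O=our.org/OU=People/UID=mbs/...", while the SSLRequire list carries "/O=our.org/OU=people/UID=mbs/...". SSLRequire's "in" operator is an exact string comparison, so a one-character case difference in the OU is enough to deny the request, while SSL_CLIENT_VERIFY still logs SUCCESS, because verification against the CA bundle and evaluation of the SSLRequire expression are separate steps. The DN strings below are copied from the config and log lines in this thread; the helper names and the rule "UID within O=our.org" are my assumptions.

```python
"""Allow-list a client cert by subject DN, as SSLRequire
%{SSL_CLIENT_S_DN} in { ... } does, next to two alternatives.

Added example; not from the thread and not mod_ssl code. DN strings are
copied from the thread's config and log lines; helper names are mine.
"""
from typing import Dict, List, Optional, Tuple

# SSLRequire list as configured in the thread (lower-case "people").
CONFIGURED_DNS = [
    "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.",
    "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.",
    "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B",
    "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A.",
]
# Subject DNs exactly as the CustomLog lines in the thread print them.
LOGGED_OK = "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J."
LOGGED_FAIL = "/O=our.org/OU=People/UID=mbs/CN=Simpson Mary B"


def parse_oneline_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an OpenSSL 'oneline' DN (/K=V/K=V...) into (type, value) pairs.
    Attribute types are case-insensitive, so they are upper-cased; values
    are kept verbatim. Escaped '/' inside values is not handled (none here)."""
    rdns = []
    for part in filter(None, dn.split("/")):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.upper(), value))
    return rdns


def sslrequire_in(client_dn: str, allowed: List[str]) -> bool:
    """Model of SSLRequire's `in`: an exact, byte-for-byte string match."""
    return client_dn in allowed


def _fold(value: str) -> str:
    # Approximates X.500 caseIgnoreMatch: ignore case and runs of spaces.
    return " ".join(value.split()).casefold()


def dn_match_x500(a: str, b: str) -> bool:
    """Compare two DNs component by component, ignoring value case, the way
    a directory would; this is why 'OU=People' looks equal to 'OU=people'
    to a human but not to an exact string compare."""
    pa, pb = parse_oneline_dn(a), parse_oneline_dn(b)
    return len(pa) == len(pb) and all(
        ka == kb and _fold(va) == _fold(vb)
        for (ka, va), (kb, vb) in zip(pa, pb))


def dn_attrs(dn: str) -> Dict[str, str]:
    return dict(parse_oneline_dn(dn))


def allowed_by_uid(client_dn: str, allowed: List[str]) -> bool:
    """Allow-list on UID (assumed unique per person at this CA), pinned to
    O=our.org: unaffected by OU capitalisation or CN reformatting, and
    narrower than CN-only matching because two people can share a CN."""
    client = dn_attrs(client_dn)
    uids = {dn_attrs(d).get("UID") for d in allowed}
    return client.get("O") == "our.org" and client.get("UID") in uids


def first_difference(client_dn: str, configured_dn: str) -> Optional[Tuple[str, str, str]]:
    """First (type, client value, configured value) that breaks an exact
    match, i.e. what the SSLRequire entry would have to say instead."""
    for (k, v1), (_, v2) in zip(parse_oneline_dn(client_dn),
                                parse_oneline_dn(configured_dn)):
        if v1 != v2:
            return (k, v1, v2)
    return None


if __name__ == "__main__":
    for dn in (LOGGED_OK, LOGGED_FAIL):
        near = next((d for d in CONFIGURED_DNS if dn_match_x500(dn, d)), None)
        print(dn)
        print("  SSLRequire in   :", sslrequire_in(dn, CONFIGURED_DNS))
        print("  X.500-style     :", near is not None)
        print("  UID allow-list  :", allowed_by_uid(dn, CONFIGURED_DNS))
        print("  first difference:", first_difference(dn, near) if near else None)
```

Run as a script it prints the three verdicts for each logged DN and, for the failing one, the component that breaks the exact match. Keying the allow-list on an attribute rather than on the serialised string also survives the change of DN string format between httpd 2.2 and 2.4 (2.4 emits RFC 2253-style DNs by default; SSLOptions +LegacyDNStringFormat restores the '/'-separated form), whereas a list of literal strings has to be rewritten.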


Re: Specifying the openssl version used with mod_ssl

2010-09-13 Thread Gregg L. Smith

Hello Gunner,

Have you tried
--enable-ssl --with-ssl=/path/to/just/compiled/openssl ?

Regards,

Gregg

Gunner Geller wrote:

 Hello,

We are using mac Leopard OS. We have rolled our own Apache(2.2.16)
separate from the default install. We have also rolled our own OpenSSL to
the latest version. However when we compile Apache and enable mod_ssl it
still uses the old OpenSSL version. We can see it in our http headers:

 


Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l

 


When typing "openssl version" from my account and the root account I get:

OpenSSL 1.0.0a 1 Jun 2010

I've seen this in some apache configs:

--enable-ssl --with-ssl=/usr/local/ssl

I've tried the above with no success. According to the output I get when
configuring/making/installing apache it is finding openssl at the above
directory. The problem is though that the http header stays the same.

 


The problem is we can't upgrade the default openssl version on the OS
without apple providing the update. The outdated version is tripping our
security scans. Like I said we rolled our own updated version but cannot
get apache/mod_ssl to use it. Any help is appreciated.

Thanks,

 


Gunner Geller






RE: OCSP-validation fails - Wrong cert passed to OCSP by Apache

2010-08-17 Thread Ulf Wahlqvist
Thanks,

Why didn't I check that? Well, I made it validate correctly by doing a very 
strange and not usable workaround. I believe something is broken.
I followed your suggestion and posted a more complete entry to the 
us...@httpd.apache.org list. I will file a bug report if no one can point out 
any errors I have made.

/ulfW


-Original Message-
From: Joe Orton [mailto:jor...@redhat.com]
Sent: den 17 augusti 2010 16:01
To: Ulf Wahlqvist
Cc: modssl-users@modssl.org
Subject: Re: OCSP-validation fails - Wrong cert passed to OCSP by Apache

On Tue, Aug 17, 2010 at 12:47:26PM +0200, Ulf Wahlqvist wrote:
> I still don't get it. I used Wireshark and found out that the 
> certificate sent to the OCSP-responder is the CA-cert, not the 
> client-cert to be validated! I am clueless.

The code tries to verify each cert in the client cert chain from issuing CA 
down to the end-entity client cert with the OCSP responder - this is expected 
behaviour.

The modssl-users@ was used for discussion of mod_ssl for Apache httpd 1.3.  For 
discussion of OCSP in httpd 2.3 I'd recommend us...@httpd.apache.org - file 
bugs if you think the code is buggy.

http://issues.apache.org/bugzilla/

Regards, Joe


Re: OCSP-validation fails - Wrong cert passed to OCSP by Apache

2010-08-17 Thread Joe Orton
On Tue, Aug 17, 2010 at 12:47:26PM +0200, Ulf Wahlqvist wrote:
> I still don't get it. I used Wireshark and found out that the 
> certificate sent to the OCSP-responder is the CA-cert, not the 
> client-cert to be validated! I am clueless.

The code tries to verify each cert in the client cert chain from issuing 
CA down to the end-entity client cert with the OCSP responder - this is 
expected behaviour.

The modssl-users@ was used for discussion of mod_ssl for Apache httpd 
1.3.  For discussion of OCSP in httpd 2.3 I'd recommend 
us...@httpd.apache.org - file bugs if you think the code is buggy.

http://issues.apache.org/bugzilla/

Regards, Joe


RE: OCSP-validation fails - Wrong cert passed to OCSP by Apache

2010-08-17 Thread Ulf Wahlqvist
I still don't get it. I used Wireshark and found out that the certificate sent 
to the OCSP-responder is the CA-cert, not the client-cert to be validated! I am 
clueless.


Online Certificate Status Protocol
tbsRequest
requestList: 1 item
Request
reqCert
hashAlgorithm (SHA-1)
Algorithm Id: 1.3.14.3.2.26 (SHA-1)
issuerNameHash: 3183A656588CA87A8D663E5721EF4BC860D9EC86
issuerKeyHash: 7C2E39233244E80F4E66F20D28FE40BEC2B6E2A0
serialNumber : 0x1bd40ed434d1da15a6003015024da46c <- THIS 
IS THE SERIALNUMBER FOR THE CA-CERT

/ulfW

PS Is this mailing list active? 


RE: OCSP-validation fails - UPDATE

2010-07-29 Thread Ulf Wahlqvist
I have now verified that if I use openssl directly from command line it will 
verify OK. Apparently there is no need for signing the request.  

openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer \
    -CAfile /usr/local/apache2/conf/SITHS_CA_v3.cer \
    -cert /mnt/download/uwcert.cer -text -url http://ocsp.trust.telia.com
.
.
.
.
Response verify OK
/mnt/download/uwcert.cer: good
This Update: Jul 29 10:43:41 2010 GMT
Next Update: Jul 30 10:43:45 2010 GMT

/ulfW



-Original Message-
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org] On 
Behalf Of Ulf Wahlqvist
Sent: den 27 juli 2010 16:43
To: modssl-users@modssl.org
Subject: OCSP-validation fails

Hi


I'm trying to get Apache to do Client certificate verification with 
OCSP-validation.
It works without OCSP, but OCSP-validation fails when I turn it on.

The error is "OCSP_check_validity:status too old", but that doesn't make sense 
because the clocks are within 2 seconds. 
The client (Apache) says "Mon Jul 26 15:50:06.488292 2010" and the response 
says "Mon, 26 Jul 2010 13:50:05 GMT" which is the same time.

 Can there be a problem with comparing timestamps?

A more likely problem might be that the OCSP responder requires a SIGNED 
message, but I don't understand how to get Apache to sign it. Some European 
OCSP responders seem to accept only signed requests and I'm trying to find out 
if this is one of them.

 Will Apache be able to sign OCSP-requests ( In that case - How do I pass 
the cert/key) ? 

** my config 
*
 

[r...@fedoragui logs]# httpd -v
Server version: Apache/2.3.6 (Unix)
Server built:   Jul 16 2010 15:31:39

[r...@fedoragui logs]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010

./configure --enable-ssl


** error_log 
*

[Mon Jul 26 15:50:05.782378 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Connection to child 193 established (server fedoragui.mydomain.com:443)
[Mon Jul 26 15:50:06.461652 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(79): [client 10.0.2.2:2112] connecting to OCSP responder 'ocsp.trust.telia.com'
[Mon Jul 26 15:50:06.466167 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(105): [client 10.0.2.2:2112] sending request to OCSP responder
[Mon Jul 26 15:50:06.488292 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Date: Mon, 26 Jul 2010 13:50:05 GMT
[Mon Jul 26 15:50:06.493946 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Server: Apache
[Mon Jul 26 15:50:06.494352 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Length: 1264
[Mon Jul 26 15:50:06.494828 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Connection: close
[Mon Jul 26 15:50:06.495071 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Type: application/ocsp-response
[Mon Jul 26 15:50:06.495303 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(252): [client 10.0.2.2:2112] OCSP response: got 1264 bytes, 1264 total
[Mon Jul 26 15:50:06.498272 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(235): [client 10.0.2.2:2112] OCSP response: got EOF
[Mon Jul 26 15:50:06.500184 2010] [error] [pid 9164:tid 3053448048] SSL Library Error: error:2707307F:OCSP routines:OCSP_check_validity:status too old
[Mon Jul 26 15:50:06.504012 2010] [error] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Certificate Verification: Error (50): application verification failure
[Mon Jul 26 15:50:06.504430 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] SSL library error 1 in handshake (server fedoragui.mydomain.com:443)

/ulfW

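Added example, not code from the thread, from OpenSSL or from httpd: a Python model of OpenSSL's OCSP_check_validity(thisupd, nextupd, nsec, maxsec), the function named in the error_log above. As I read crypto/ocsp/ocsp_cl.c, it reports "status not yet valid" when thisUpdate lies more than nsec seconds in the future, "status too old" only when maxsec is non-negative and thisUpdate lies more than maxsec seconds in the past, and "status expired" when nextUpdate lies more than nsec seconds in the past. mod_ssl passes its SSLOCSPResponseTimeSkew setting (default 300 seconds) as nsec and SSLOCSPResponseMaxAge (default -1, no limit) as maxsec; those are the httpd 2.4 directive names, and a 2.3.x development build may differ. The thisUpdate/nextUpdate values are the ones printed by openssl ocsp above; the "now" values are constructed to drive each branch.

```python
"""Model of OpenSSL's OCSP_check_validity(thisupd, nextupd, nsec, maxsec),
the check behind "OCSP_check_validity:status too old" in the error_log
above. Added example; not code from the thread, OpenSSL or httpd. It
mirrors the branch order of crypto/ocsp/ocsp_cl.c as I understand it.
SSLOCSPResponseTimeSkew/SSLOCSPResponseMaxAge are the httpd 2.4 names
for the two tolerances.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# thisUpdate/nextUpdate as printed by `openssl ocsp -text` in the thread.
THIS_UPDATE = datetime(2010, 7, 29, 10, 43, 41, tzinfo=timezone.utc)
NEXT_UPDATE = datetime(2010, 7, 30, 10, 43, 45, tzinfo=timezone.utc)

DEFAULT_SKEW = 300      # SSLOCSPResponseTimeSkew default (nsec)
DEFAULT_MAX_AGE = -1    # SSLOCSPResponseMaxAge default, -1 = no limit (maxsec)


def check_validity(this_update: datetime, next_update: Optional[datetime],
                   now: datetime, nsec: int = DEFAULT_SKEW,
                   maxsec: int = DEFAULT_MAX_AGE) -> List[str]:
    """Return the OpenSSL reason strings the check would raise for a
    response examined at `now`; an empty list means it passes."""
    errors: List[str] = []
    # thisUpdate may not lie more than nsec seconds in the future...
    if this_update > now + timedelta(seconds=nsec):
        errors.append("status not yet valid")
    # ...and, only when a max age is configured, not more than maxsec in the past.
    if maxsec >= 0 and this_update < now - timedelta(seconds=maxsec):
        errors.append("status too old")
    if next_update is None:          # nextUpdate is OPTIONAL in a response
        return errors
    # nextUpdate may not lie more than nsec seconds in the past.
    if next_update < now - timedelta(seconds=nsec):
        errors.append("status expired")
    if next_update < this_update:
        errors.append("nextupdate before thisupdate")
    return errors


def scenarios() -> Dict[str, List[str]]:
    """Constructed 'now' values that walk the thread's timestamps through
    each branch, so the strings can be matched against an error_log."""
    fresh = THIS_UPDATE + timedelta(seconds=2)   # checked 2 s after issue
    return {
        "fresh response, defaults":
            check_validity(THIS_UPDATE, NEXT_UPDATE, fresh),
        "server clock 10 min slow":
            check_validity(THIS_UPDATE, NEXT_UPDATE, fresh - timedelta(minutes=10)),
        "server clock 10 min slow, skew raised to 900 s":
            check_validity(THIS_UPDATE, NEXT_UPDATE, fresh - timedelta(minutes=10), nsec=900),
        "response replayed 2 h later, max age 3600 s":
            check_validity(THIS_UPDATE, NEXT_UPDATE, fresh + timedelta(hours=2), maxsec=3600),
        "same replay, max age left at -1":
            check_validity(THIS_UPDATE, NEXT_UPDATE, fresh + timedelta(hours=2)),
        "checked after nextUpdate (+ skew) has passed":
            check_validity(THIS_UPDATE, NEXT_UPDATE, NEXT_UPDATE + timedelta(seconds=301)),
        "no nextUpdate, checked a week later":
            check_validity(THIS_UPDATE, None, fresh + timedelta(days=7)),
    }


if __name__ == "__main__":
    for name, errs in scenarios().items():
        print(f"{name:48s} -> {errs or 'OK'}")
```

Run as a script it prints one verdict per scenario. Two things the model makes visible: the 2-second difference Ulf measured is well inside the default skew and cannot on its own produce any of these strings, and "status too old" comes only from the max-age branch, so it is the thisUpdate of the response that was actually checked, against whatever max age is in effect, that needs looking at. Since mod_ssl queries the responder for every certificate in the chain (as Joe notes below), the response to inspect may be the one for the CA certificate rather than for the end-entity certificate. The last two scenarios also show why leaving the max age at -1 lets an old but not yet expired response be replayed.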


Re: Client certificate do not work / renegociate

2010-03-30 Thread Mario Brandt
Hi,
That is not a bug, it is a feature! With the TLS renegotiation there
is a theoretical man-in-the-middle-attack possible. To prevent that
the developers decided to deactivate the TLS renegotiation.

Solution: use SSLInsecureRenegotiation on


http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation


>From the changelog:
Comprehensive fix of the TLS renegotiation prefix injection attack
when compiled against OpenSSL version 0.9.8m or later. Introduces the
'SSLInsecureRenegotiation' directive to reopen this vulnerability and
offer unsafe legacy renegotiation with clients which do not yet
support the new secure renegotiation protocol.



Mario


Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

2010-03-16 Thread Rainer Jung

I updated the patch. The most recent version is now available at

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_31-1_3_41-v4.patch

In addition to the v3 version of the patch, it now also contains a 
backport of the SSLInsecureRenegotiation directive introduced in Apache 
httpd 2.2.15 in combination with OpenSSL 0.9.8m and beyond.


The patch needs some more testing, but backport was straightforward.

Regards,

Rainer

On 01.01.2010 21:44, Rainer Jung wrote:

On 29.12.2009 22:57, John Lightsey wrote:

On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:

On 23.11.2009 18:57, John Lightsey wrote:

On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:



Thanks again. I updated the patch:

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch


The only changes are in ssl_engine_io.c, where the declaration of "char
*reneg" is moved 4 times to the beginning of the function. Anything else
you observed?


I received a report of segfaults caused by this patch. They happen when
you have Apache proxy connections to a SSL destination. IE:

RewriteRule ^/(.*) https://other_site.com/$1 [P]

The segfault happens at:

reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");

in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.


#0 0x00454bb5 in ssl_io_suck_read (ssl=0x10a26070,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
actx = (ap_ctx *) 0x10a26070
ss = (struct ssl_io_suck_st *) 0x0
r = (request_rec *) 0x0
rv = 0
reneg = 0x0
c = (conn_rec *) 0x0
#1 0x00454f31 in ssl_io_hook_read (fb=0x10a25c28,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
ssl = (SSL *) 0x10a26070
c = (conn_rec *) 0x0
s = (server_rec *) 0x0
rc = 0
reneg = 0x0
#2 0x0049a00f in ap_hook_call_func (ap=0x7fff98699110,
he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
v1 = (void *) 0x10a25c28
v2 = (void *) 0x107ccd88
v3 = 4096
v_rc = (void *) 0x7fff9869922c
v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0,
v_double = 0, v_ptr = 0x0}
rc = 1
#3 0x004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read")
at ap_hook.c:382
i = 0
he = (ap_hook_entry *) 0x104f33b0
ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7fff98699200, reg_save_area = 0x7fff98699140}}
rc = 0
#4 0x0046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88,
nbyte=4096) at buff.c:255
rv = 0


Thank you for your feedback and the analysis. I could reproduce this and
have updated the patch:

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v3.patch


I tested with and without SSL_EXPERIMENTAL_PROXY and it worked for my
tests. The code doesn't try to change/fix renegotiation behaviour for
ssl on the client side when used as a proxy.

As always: feedback welcome!

Regards,

Rainer


Re: Which SSL Directives to use?

2010-02-17 Thread Crypto Sal

On 02/17/2010 02:08 AM, NT984 wrote:

I am converting from a Verisign SSL Certificate to a Network Solutions EV SSL
Cert on my site. My existing configuration uses the following directives:

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2
SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.cert
SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
SSLCACertificateFile /etc/apache2/ssl.crt/my.blah.com.intermediate.crt

In the Network Solutions instructions, it recommends using the following:
SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
SSLCertificateChainFile /etc/apache2/ssl.crt/Apache_Plesk_Install.txt

In the  http://httpd.apache.org/docs/2.0/mod/mod_ssl.html apache mod_ssl
documentation , it states the following:

SSLCertificateChainFile
This should be used alternatively and/or additionally to
SSLCACertificatePath  for explicitly constructing the server certificate
chain which is sent to the browser in addition to the server certificate. It
is especially useful to avoid conflicts with CA certificates when using
client authentication. Because although placing a CA certificate of the
server certificate chain into SSLCACertificatePath  has the same effect for
the certificate chain construction, it has the side-effect that client
certificates issued by this same CA certificate are also accepted on client
authentication.

Example:
SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt

SSLCACertificateFile
This directive sets the all-in-one file where you can assemble the
Certificates of Certification Authorities (CA) whose clients you deal with.
These are used for Client Authentication. Such a file is simply the
concatenation of the various PEM-encoded Certificate files, in order of
preference. This can be used alternatively and/or additionally to
SSLCACertificatePath.

Example
SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt


My question is... should I include both directives in my configuration? Is
there an advantage to doing so?  Now that I am upgrading, do I need to
consider modification of my SSLCipherSuite setting?

Any help would be appreciated.

Thx. nt
   



NT,

You should use SSLCertificateChainFile if you're on Apache2.2. If you're 
on Apache 1.x, then typically you'll want to use SSLCACertificateFile. 
In Apache2, SSLCACertificate file is for Client Authentication, whereas 
in earlier versions it was for CertificateAuthority. Earlier versions of 
Apache 2.0 were able to use both interchangeably. Do not use both at the 
same time. Only if you're doing Client Authentication.


As far as your cipher suite goes... You'll also want to disable MD5 
based ciphers. (Opera 9.x will warn of weak ciphers in use as there are 
a few MD5 based in SSLv3/TLSv1.x)


Hope this helps,

--Sal





Re: Client Auth with S/MIME certificates - certificate purpose problem

2010-02-12 Thread Yaroslav
I found a solution. It looks like a dirty hack and makes a security 
hole, but it works for our custom purposes, so I don't recommend using 
it this way. Still, it may be of interest to somebody.

You need to patch openssl.
In the 'openssl/ssl/ssl_cert.c' file, in the 'ssl_verify_cert_chain' function,
replace

X509_STORE_CTX_set_default(&ctx,
  s->server ? "ssl_client" : "ssl_server");

 by

X509_STORE_CTX_set_default(&ctx, "any");


Yaroslav


Re: mod ssl's update for apache 1.3.42?

2010-02-05 Thread William A. Rowe Jr.
I wouldn't expect an update until it's in sync with the final 0.9.8m from
the group, as a (probably final) update.  Without 0.9.8m finished, due to
an unfinished RFC, it's a bit trickier to move ahead.


On 2/5/2010 6:19 AM, Bernard PREVOSTO wrote:
> The Apache Group is pleased to announce the legacy release of the 1.3.42
> version of the Apache HTTP Server.
> 
> This version of Apache is principally a security release.


RE: SSLVerifyClient optional redirect or be graceful upon revoked certificate

2010-01-22 Thread Peter
I proposed this a while back but never got any responses.

https://issues.apache.org/bugzilla/show_bug.cgi?id=46897

-Original Message-
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org]
On Behalf Of Jaz
Sent: Friday, January 22, 2010 9:11 AM
To: modssl-users@modssl.org
Subject: SSLVerifyClient optional redirect or be graceful upon revoked
certificate

When using "SSLVerifyClient optional" is there a way (or are there plans for
this) to redirect when mod_ssl detects a revoked certificate? What about
setting $_SERVER["SSL_CLIENT_VERIFY"] == "FAIL" just as it is when no
certificate is installed? In other words, why should the action be any
different for no-certificate and revoked-certificate?

BTW, my application is a wrapper app to self manage private SSL
certificates. The login pre-test is intended for all cases (without cert,
with cert, and revoked cert) and detects by testing
$_SERVER["SSL_CLIENT_VERIFY"] == "SUCCESS" (This is in a dedicated directory
 carefully designed to eliminate risk from MitM attacks).
This works for the two cases no-cert & valid-cert, but for revoke-cert we
get an ugly hard-stop. For example from Firefox: "SSL peer rejected your
certificate as revoked".

If this isn't appropriate for modssl-users, is rather an apache issue, then
advice for an alternate forum is appreciated. Has it already been
discussed/requested? (searched a lot but didn't find anything)

I would like to build a mod_ssl with both the option to redirect on FAIL
(separate options for no-cert and revoked-cert), and limit
initiate-renegotiation only by server, not by client. Any help is greatly
appreciated.

Thanks. 






Re: SSLVerifyClient require per directory context

2010-01-20 Thread aaron
Thanks so much for your tip.  Now I have a much better understanding of
the problem.

Aaron

> Hello,
>
> I faced the same issue.
> Actually, client authentication has been disabled on recent versions. It
> has nothing to do with your configuration.
>
> See (on my blog):
> http://www.phocean.net/2009/11/28/openssl-cve-2009-3555-security-fix-and-mod_ssl-client-authentication-breakage.html
> and then :
> http://www.phocean.net/2010/01/09/ssltls-rfc-updated-against-cve-2009-3555.html
>
> Regards,
>
> --
> Jean-Christophe Baptiste 
>
>
> Le mardi 19 janvier 2010 à 16:53 -0600, aa...@cs.wisc.edu a écrit :
>> I'm trying to go through the most basic tutorials on mod_ssl and I'm
>> having a problem trying to get my server to issue a certificate request
>> for a particular URL.  I'm listing my Apache and OpenSSL version
>> information.
>>
>> # httpd -v
>> Server version: Apache/2.2.14 (Unix)
>> Server built:   Dec  3 2009 10:25:53
>>
>> # openssl version
>> OpenSSL 1.0.0-fips-beta4 10 Nov 2009
>>
>> I've followed the steps of this tutorial:
>>
>> http://www.vanemery.com/Linux/Apache/apache-SSL.html
>>
>> I've also tried to follow the SSL HowTo on the Apache site:
>>
>> http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
>>
>> I'll try to get at the heart of the issue.  If I have the following in
>> my
>> ssl.conf file in the VirtualHost section
>>
>> SSLVerifyClient require
>> SSLVerifyDepth 1
>>
>> then everything works as expected.  I have the client certificate
>> installed in my client web browser, and when I click on the link to my
>> https server, which is https://myserver, then it prompts me to get the
>> certificate of the server and confirm a security exception, and also
>> prompts me with a user identification request, at which point I can
>> choose
>> a certificate to identify the client to my server.  I see my index.html
>> page, which has a link to the directory https://myserver/Certneeded.  I
>> can click on this directory and see a list of the files in that
>> directory.
>>
>> However, if I change my ssl.conf in an attempt to "force clients to
>> authenticate using certificates for a particular URL, but still allow
>> arbitrary clients to access the rest of the server", as per the Apache
>> HowTo, then I never get prompted for this "user identification request"
>> to
>> which I can identify my client web browser to the server.
>>
>> In this case, my ssl.conf file changes to the following.
>>
>> SSLVerifyClient none
>> 
>> Options Indexes
>> SSLVerifyClient require
>> SSLVerifyDepth 1
>> 
>>
>> Now, when I click on the link to https://myserver/Certneeded, the client
>> browser just hangs until a timeout is reached, I'm never prompted to
>> present a certificate for identification, and the contents of the
>> directory are not listed.
>>
>> In Wireshark, I see a client hello, followed by a server hello, followed
>> by a change cipher spec, presumably because I was never prompted for an
>> identification certificate by the server within a set time.
>>
>> In the "good" case, when my "SSLVerifyClient require" statement is in
>> the
>> VirtualHost section of the ssl.conf file, in Wireshark, I see a client
>> hello, followed by a server hello, followed by a "certificate, server
>> key
>> exchange, certificate request", which seems to be where the window pops
>> up
>> in my client prompting me with a user identification request.
>>
>> In trying to debug this, I noticed that if I do a hack and revert back
>> to
>> an earlier RPM version of openssl, openssl-0.9.8g-11.fc10.i386.rpm, that
>> both configurations (per-server and per-directory contexts) work as
>> expected.  What might be wrong here?
>>
>> Aaron
>>
>>
>




Re: SSLVerifyClient require per directory context

2010-01-19 Thread Jean-Christophe Baptiste
Hello,

I faced the same issue.
Actually, client authentication has been disabled on recent versions. It
has nothing to do with your configuration.

See (on my blog):
http://www.phocean.net/2009/11/28/openssl-cve-2009-3555-security-fix-and-mod_ssl-client-authentication-breakage.html
and then :
http://www.phocean.net/2010/01/09/ssltls-rfc-updated-against-cve-2009-3555.html

Regards,

-- 
Jean-Christophe Baptiste 


On Tuesday, 19 January 2010 at 16:53 -0600, aa...@cs.wisc.edu wrote:
> I'm trying to go through the most basic tutorials on mod_ssl and I'm
> having a problem trying to get my server to issue a certificate request
> for a particular URL.  I'm listing my Apache and OpenSSL version
> information.
> 
> # httpd -v
> Server version: Apache/2.2.14 (Unix)
> Server built:   Dec  3 2009 10:25:53
> 
> # openssl version
> OpenSSL 1.0.0-fips-beta4 10 Nov 2009
> 
> I've followed the steps of this tutorial:
> 
> http://www.vanemery.com/Linux/Apache/apache-SSL.html
> 
> I've also tried to follow the SSL HowTo on the Apache site:
> 
> http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
> 
> I'll try to get at the heart of the issue.  If I have the following in my
> ssl.conf file in the VirtualHost section
> 
> SSLVerifyClient require
> SSLVerifyDepth 1
> 
> then everything works as expected.  I have the client certificate
> installed in my client web browser, and when I click on the link to my
> https server, which is https://myserver, then it prompts me to get the
> certificate of the server and confirm a security exception, and also
> prompts me with a user identification request, at which point I can choose
> a certificate to identify the client to my server.  I see my index.html
> page, which has a link to the directory https://myserver/Certneeded.  I
> can click on this directory and see a list of the files in that directory.
> 
> However, if I change my ssl.conf in an attempt to "force clients to
> authenticate using certificates for a particular URL, but still allow
> arbitrary clients to access the rest of the server", as per the Apache
> HowTo, then I never get prompted for this "user identification request" to
> which I can identify my client web browser to the server.
> 
> In this case, my ssl.conf file changes to the following.
> 
> SSLVerifyClient none
> 
> Options Indexes
> SSLVerifyClient require
> SSLVerifyDepth 1
> 
> 
> Now, when I click on the link to https://myserver/Certneeded, the client
> browser just hangs until a timeout is reached, I'm never prompted to
> present a certificate for identification, and the contents of the
> directory are not listed.
> 
> In Wireshark, I see a client hello, followed by a server hello, followed
> by a change cipher spec, presumably because I was never prompted for an
> identification certificate by the server within a set time.
> 
> In the "good" case, when my "SSLVerifyClient require" statement is in the
> VirtualHost section of the ssl.conf file, in Wireshark, I see a client
> hello, followed by a server hello, followed by a "certificate, server key
> exchange, certificate request", which seems to be where the window pops up
> in my client prompting me with a user identification request.
> 
> In trying to debug this, I noticed that if I do a hack and revert back to
> an earlier RPM version of openssl, openssl-0.9.8g-11.fc10.i386.rpm, that
> both configurations (per-server and per-directory contexts) work as
> expected.  What might be wrong here?
> 
> Aaron
> 
> 


signature.asc
Description: This is a digitally signed message part
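Jean-Christophe's diagnosis above (client authentication stops working once the CVE-2009-3555 fix refuses renegotiation) applies exactly to the per-directory layout Aaron describes: with SSLVerifyClient none at the vhost level and require inside a Directory, mod_ssl can only ask for the client certificate by renegotiating after it has already read the request URL. The scanner below is an added example, not code from this thread or from the mod_ssl project. It walks a small httpd.conf subset (assumed: one directive per line, each section opened and closed on its own line) and reports every section that would need such a renegotiation, so that a defender can find these configurations before users report that the certificate prompt silently disappeared. The Directory path in the sample configs is an assumption; Aaron's post does not show it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Relative strictness of the SSLVerifyClient keywords mod_ssl accepts.
STRICTNESS = {"none": 0, "optional": 1, "optional_no_ca": 1, "require": 2}

OPEN_RE = re.compile(r"^\s*<(\w+)\s*([^>]*)>\s*$")
CLOSE_RE = re.compile(r"^\s*</(\w+)\s*>\s*$")
VERIFY_RE = re.compile(r"^\s*SSLVerifyClient\s+(\S+)", re.IGNORECASE)


@dataclass
class Section:
    kind: str                      # VirtualHost, Directory, Location, ...
    args: str                      # the section argument, e.g. a path
    verify: Optional[str] = None   # SSLVerifyClient value set inside it


def find_renegotiation_sections(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, inner_value, outer_value) for every Directory/Location
    style section whose SSLVerifyClient is stricter than the value in effect
    around it.  Each of those forces mod_ssl to renegotiate after the request
    line has been read, which a stack patched for CVE-2009-3555 refuses."""
    findings: List[Tuple[str, str, str]] = []
    stack = [Section("server", "")]          # server-wide context
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.match(line)
        if opened:
            stack.append(Section(opened.group(1), opened.group(2).strip()))
            continue
        if CLOSE_RE.match(line):
            closed = stack.pop()
            if closed.kind.lower() != "virtualhost" and closed.verify is not None:
                # value in effect outside the closed section ("none" is the default)
                outer = next((s.verify for s in reversed(stack) if s.verify), "none")
                if STRICTNESS.get(closed.verify, 0) > STRICTNESS.get(outer, 0):
                    findings.append((f"<{closed.kind} {closed.args}>", closed.verify, outer))
            continue
        verify = VERIFY_RE.match(line)
        if verify:
            stack[-1].verify = verify.group(1).lower()
    return findings


# Constructed configs (the Directory path is an assumption).  The first mirrors
# Aaron's failing per-directory layout, the second his working vhost-level one.
CONFIG_PER_DIR = """
<VirtualHost _default_:443>
    SSLEngine on
    SSLVerifyClient none
    <Directory /var/www/html/Certneeded>
        Options Indexes
        SSLVerifyClient require
        SSLVerifyDepth 1
    </Directory>
</VirtualHost>
"""

CONFIG_VHOST = """
<VirtualHost _default_:443>
    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 1
    <Directory /var/www/html/Certneeded>
        Options Indexes
    </Directory>
</VirtualHost>
"""

if __name__ == "__main__":
    for name, cfg in (("per-directory", CONFIG_PER_DIR), ("vhost-level", CONFIG_VHOST)):
        print(name, find_renegotiation_sections(cfg) or "no renegotiation needed")
```

Moving SSLVerifyClient require up to the vhost (Aaron's working case) or serving the protected content from its own vhost removes the need to renegotiate. Later httpd 2.2 releases (2.2.15 and up, with OpenSSL 0.9.8m or newer) add an SSLInsecureRenegotiation directive, but enabling it reopens the exposure the CVE-2009-3555 fix was meant to close, so the configuration change is the better remedy.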


Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

2010-01-01 Thread Rainer Jung

On 29.12.2009 22:57, John Lightsey wrote:
> On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
>> On 23.11.2009 18:57, John Lightsey wrote:
>>> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>>
>> Thanks again. I updated the patch:
>>
>> http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch
>>
>> The only changes are in ssl_engine_io.c, where the declaration of "char
>> *reneg" is moved 4 times to the beginning of the function. Anything else
>> you observed?
>
> I received a report of segfaults caused by this patch.  They happen when
> you have Apache proxy connections to an SSL destination, i.e.:
>
> RewriteRule ^/(.*) https://other_site.com/$1 [P]
>
> The segfault happens at:
>
> reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");
>
> in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.
>
> #0  0x00454bb5 in ssl_io_suck_read (ssl=0x10a26070,
> buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
>  actx = (ap_ctx *) 0x10a26070
>  ss = (struct ssl_io_suck_st *) 0x0
>  r = (request_rec *) 0x0
>  rv = 0
>  reneg = 0x0
>  c = (conn_rec *) 0x0
> #1  0x00454f31 in ssl_io_hook_read (fb=0x10a25c28,
> buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
>  ssl = (SSL *) 0x10a26070
>  c = (conn_rec *) 0x0
>  s = (server_rec *) 0x0
>  rc = 0
>  reneg = 0x0
> #2  0x0049a00f in ap_hook_call_func (ap=0x7fff98699110,
> he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
>  v1 = (void *) 0x10a25c28
>  v2 = (void *) 0x107ccd88
>  v3 = 4096
>  v_rc = (void *) 0x7fff9869922c
>  v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0,
> v_double = 0, v_ptr = 0x0}
>  rc = 1
> #3  0x004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read")
> at ap_hook.c:382
>  i = 0
>  he = (ap_hook_entry *) 0x104f33b0
>  ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
> 0x7fff98699200, reg_save_area = 0x7fff98699140}}
>  rc = 0
> #4  0x0046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88,
> nbyte=4096) at buff.c:255
>  rv = 0


Thank you for your feedback and the analysis. I could reproduce this and 
have updated the patch:


http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v3.patch

I tested with and without SSL_EXPERIMENTAL_PROXY and it worked for my 
tests. The code doesn't try to change/fix renegotiation behaviour for 
ssl on the client side when used as a proxy.


As always: feedback welcome!

Regards,

Rainer


Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

2009-12-29 Thread John Lightsey
On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
> On 23.11.2009 18:57, John Lightsey wrote:
> > On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:

> Thanks again. I updated the patch:
> 
> http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch
> 
> The only changes are in ssl_engine_io.c, where the declaration of "char
> *reneg" is moved 4 times to the beginning of the function. Anything else
> you observed?

I received a report of segfaults caused by this patch.  They happen when
you have Apache proxy connections to an SSL destination, i.e.:

RewriteRule ^/(.*) https://other_site.com/$1 [P]

The segfault happens at:

reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");

in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.


#0  0x00454bb5 in ssl_io_suck_read (ssl=0x10a26070,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
actx = (ap_ctx *) 0x10a26070
ss = (struct ssl_io_suck_st *) 0x0
r = (request_rec *) 0x0
rv = 0
reneg = 0x0
c = (conn_rec *) 0x0
#1  0x00454f31 in ssl_io_hook_read (fb=0x10a25c28,
buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
ssl = (SSL *) 0x10a26070
c = (conn_rec *) 0x0
s = (server_rec *) 0x0
rc = 0
reneg = 0x0
#2  0x0049a00f in ap_hook_call_func (ap=0x7fff98699110,
he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
v1 = (void *) 0x10a25c28
v2 = (void *) 0x107ccd88
v3 = 4096
v_rc = (void *) 0x7fff9869922c
v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0,
v_double = 0, v_ptr = 0x0}
rc = 1
#3  0x004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read")
at ap_hook.c:382
i = 0
he = (ap_hook_entry *) 0x104f33b0
ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area =
0x7fff98699200, reg_save_area = 0x7fff98699140}}
rc = 0
#4  0x0046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88,
nbyte=4096) at buff.c:255
rv = 0




Re: error in SSLv2/v3 read client hello A

2009-11-24 Thread Jean-Christophe Baptiste
I continue talking to myself about it.

Just to let people know that I submitted a bug to openSUSE, because it
took me less than 5 minutes to get a blank Debian virtual machine to
work with the exact same certificates, virtual host configuration and
browser.

There is definitely something weird...


On Tuesday, 24 November 2009 at 17:24 +0100, Jean-Christophe Baptiste wrote:
> I am still stuck with the same issue:
> 
> [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL:
> Handshake: start
> [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL:
> Loop: before accept initialization
> [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1893): OpenSSL:
> Write: SSLv3 read client hello A
> [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL:
> Exit: error in SSLv3 read client hello A
> [Tue Nov 24 16:56:15 2009] [error] [client 194.2.193.253] Re-negotiation
> handshake failed: Not accepted by client!?
> [Tue Nov 24 16:56:23 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O
> error, 5 bytes expected to read on BIO#7f313d364fc0 [mem: 7f313d8641a0]
> 
> I renewed one more time all my certificates, so I don't think there is
> anything wrong with it.
> My apache configuration hasn't changed :
> 
>  SSLRequireSSL
>  SSLVerifyClient require
>  SSLVerifyDepth 1
>  Order allow,deny
>  allow from All
> 
> 
> And any browser (Firefox, Opera) fails, so I don't think it is a browser
> issue.
> Of course, I imported the CA and the client certificate...
> 
> And still no prompt for the client certificate...
> 
> Really no hint ? Could it be a bug in the distro package ?
> 
> Thanks.
> 
> On Mon, 23 Nov 2009 01:29:30 +0100, Jean-Christophe Baptiste
>  wrote:
> > Hi all,
> > 
> > I have been using client certificate for a while (more than 2 years)
> > successfully.
> > 
> > But now, after migrating a server, I am stuck with a problem that I have
> > no idea how to handle.
> > I just spent 10 hours googling around and reading the doc without
> > finding any clue.
> > 
> > On my new set-up, the web browser seems to reject the negotiation:
> > 
> > [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection to child 2
> > established (server www.***.net:443)
> > [Sun Nov 22 22:51:36 2009] [info] Seeding PRNG with 656 bytes of entropy
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL:
> > Handshake: start
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL:
> > Loop: before/accept initialization
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read
> > 11/11 bytes from BIO#7f35d1213840 [mem: 7f35d1218f00] (BIO dump follows)
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1791):
> > +-+
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1830): | : 4f 50
> > 54 49 4f 4e 53 20-2a 20 48 OPTIONS * H  |
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1836):
> > +-+
> > [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL:
> > Exit: error in SSLv2/v3 read client hello A
> > [Sun Nov 22 22:51:36 2009] [info] [client ::1] SSL library error 1 in
> > handshake (server www.***.net:443)
> > [Sun Nov 22 22:51:36 2009] [info] SSL Library Error: 336027900
> > error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> > speaking not SSL to HTTPS port!?
> > [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection closed to
> > child 2 with abortive shutdown (server www.***.net:443)
> > 
> > I have tried a bunch of different settings. Of course, I re-generated
> > several times all the certificates, from the CA to the client.
> > Both the CA and the client were imported into the web browser.
> > 
> > The mod-ssl settings are in no way different from the previous
> > machine, so what am I missing?
> > 
> > So any help, any hint would be greatly appreciated.
> > 
> > Thank you in advance,
> > 
> > Regards,
> > Jean-Christophe


signature.asc
Description: This is a digitally signed message part
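The two logs quoted in this thread contain two different events that are easy to conflate. The [error] record for client 194.2.193.253 is the server refusing a renegotiation (the same CVE-2009-3555 breakage Jean-Christophe later identified in the other thread), while the [client ::1] records with the BIO dump show plain HTTP ("OPTIONS * H...", and OpenSSL's own "speaking not SSL to HTTPS port!?") arriving at the TLS port from the local host, which has nothing to do with the browser's certificate prompt. The classifier below is an added example, not code from the thread or from mod_ssl: it re-joins records that the mail client wrapped, parses the httpd 2.2 error_log prefix, and tags each record with one of those categories so the two problems can be counted separately. The sample records are copied from the logs quoted above.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# httpd 2.2 error_log prefix: [timestamp] [level] [client addr] message
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$"
)

# (category, substring) rules in priority order; first match wins.
RULES = [
    ("reneg_refused", "Re-negotiation handshake failed"),
    ("plaintext_on_tls_port", "speaking not SSL to HTTPS port"),
    ("handshake_failed", "SSL library error"),
]


def join_wrapped(lines: List[str]) -> List[str]:
    """Re-join records that a mail client wrapped onto several lines:
    a line that does not start with '[' continues the previous record."""
    records: List[str] = []
    for line in lines:
        line = line.rstrip()
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_record(record: str) -> Optional[Dict[str, Optional[str]]]:
    m = LOG_RE.match(record)
    return m.groupdict() if m else None


def classify(msg: str) -> str:
    for category, needle in RULES:
        if needle in msg:
            return category
    return "other"


def summarize(lines: List[str]) -> Tuple[Counter, List[Tuple[str, str, str]]]:
    """Return (per-category counts, [(client, level, category)] for each hit)."""
    counts: Counter = Counter()
    hits: List[Tuple[str, str, str]] = []
    for rec in map(parse_record, join_wrapped(lines)):
        if rec is None:
            continue
        cat = classify(rec["msg"] or "")
        if cat != "other":
            counts[cat] += 1
            hits.append((rec["client"] or "-", rec["level"] or "-", cat))
    return counts, hits


# Sample input: records taken from the logs quoted in this thread, wrapped the
# way they appear in the mail.
SAMPLE_LOG = """\
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL:
Exit: error in SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [error] [client 194.2.193.253] Re-negotiation
handshake failed: Not accepted by client!?
[Sun Nov 22 22:51:36 2009] [info] [client ::1] SSL library error 1 in
handshake (server www.***.net:443)
[Sun Nov 22 22:51:36 2009] [info] SSL Library Error: 336027900
error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
speaking not SSL to HTTPS port!?
""".splitlines()

if __name__ == "__main__":
    counts, hits = summarize(SAMPLE_LOG)
    print(dict(counts))
    for client, level, cat in hits:
        print(f"{client:>16} {level:<6} {cat}")
```

Run against a real error_log the counts make the triage obvious: a rising reneg_refused count after an OpenSSL or httpd update points at a configuration that depends on renegotiation (per-directory SSLVerifyClient, as in the thread above), whereas plaintext_on_tls_port from ::1 or 127.0.0.1 is usually a local monitor or proxy health check using http:// against the https port.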


Re: error in SSLv2/v3 read client hello A

2009-11-24 Thread Jean-Christophe Baptiste
I am still stuck with the same issue:

[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL:
Handshake: start
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL:
Loop: before accept initialization
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1893): OpenSSL:
Write: SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL:
Exit: error in SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [error] [client 194.2.193.253] Re-negotiation
handshake failed: Not accepted by client!?
[Tue Nov 24 16:56:23 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O
error, 5 bytes expected to read on BIO#7f313d364fc0 [mem: 7f313d8641a0]

I renewed one more time all my certificates, so I don't think there is
anything wrong with it.
My apache configuration hasn't changed :

 SSLRequireSSL
 SSLVerifyClient require
 SSLVerifyDepth 1
 Order allow,deny
 allow from All


And any browser (Firefox, Opera) fails, so I don't think it is a browser
issue.
Of course, I imported the CA and the client certificate...

And still no prompt for the client certificate...

Really no hint ? Could it be a bug in the distro package ?

Thanks.

On Mon, 23 Nov 2009 01:29:30 +0100, Jean-Christophe Baptiste
 wrote:
> Hi all,
> 
> I have been using client certificate for a while (more than 2 years)
> successfully.
> 
> But now, after migrating a server, I am stuck with a problem that I have
> no idea how to handle.
> I just spent 10 hours googling around and reading the doc without
> finding any clue.
> 
> On my new set-up, the web browser seems to reject the negotiation:
> 
> [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection to child 2
> established (server www.***.net:443)
> [Sun Nov 22 22:51:36 2009] [info] Seeding PRNG with 656 bytes of entropy
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL:
> Handshake: start
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL:
> Loop: before/accept initialization
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read
> 11/11 bytes from BIO#7f35d1213840 [mem: 7f35d1218f00] (BIO dump follows)
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1791):
> +-+
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1830): | : 4f 50
> 54 49 4f 4e 53 20-2a 20 48 OPTIONS * H  |
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1836):
> +-+
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL:
> Exit: error in SSLv2/v3 read client hello A
> [Sun Nov 22 22:51:36 2009] [info] [client ::1] SSL library error 1 in
> handshake (server www.***.net:443)
> [Sun Nov 22 22:51:36 2009] [info] SSL Library Error: 336027900
> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> speaking not SSL to HTTPS port!?
> [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection closed to
> child 2 with abortive shutdown (server www.***.net:443)
> 
> I have tried a bunch of different settings. Of course, I re-generated
> several times all the certificates, from the CA to the client.
> Both the CA and the client were imported into the web browser.
> 
> The mod-ssl settings are in no way different from the previous
> machine, so what am I missing?
> 
> So any help, any hint would be greatly appreciated.
> 
> Thank you in advance,
> 
> Regards,
> Jean-Christophe



Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

2009-11-23 Thread Rainer Jung
On 23.11.2009 18:57, John Lightsey wrote:
> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>> Backport is not totally straightforward, because the original patches
>> use the filter architecture not present in Apache 1.3.
>>
>> Any feedback on the patch is welcome. Some additional debug output can
>> be activated by using -DRENEG_DEBUG.
>>
> 
> There are a few lines of C99 syntax in this patch (variable declarations
> of "char *reneg" in the middle of code) that cause it to fail with gcc
> 2.95.
> 
> Seems to work fine otherwise.

Thanks again. I updated the patch:

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch

The only changes are in ssl_engine_io.c, where the declaration of "char
*reneg" is moved 4 times to the beginning of the function. Anything else
you observed?

Regards,

Rainer


Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

2009-11-23 Thread Rainer Jung
On 23.11.2009 18:57, John Lightsey wrote:
> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>> Backport is not totally straightforward, because the original patches
>> use the filter architecture not present in Apache 1.3.
>>
>> Any feedback on the patch is welcome. Some additional debug output can
>> be activated by using -DRENEG_DEBUG.
>>
> 
> There are a few lines of C99 syntax in this patch (variable declarations
> of "char *reneg" in the middle of code) that cause it to fail with gcc
> 2.95.

Sorry, I forgot to fix those. Thanks for the feedback.

> Seems to work fine otherwise.

Good to know! The more eyes the better.

Regards,

Rainer


Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x

2009-11-23 Thread John Lightsey
On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
> Backport is not totally straightforward, because the original patches
> use the filter architecture not present in Apache 1.3.
> 
> Any feedback on the patch is welcome. Some additional debug output can
> be activated by using -DRENEG_DEBUG.
> 

There are a few lines of C99 syntax in this patch (variable declarations
of "char *reneg" in the middle of code) that cause it to fail with gcc
2.95.

Seems to work fine otherwise.




Re: SSLRequire problem

2009-11-20 Thread David Rosenstrauch

On 11/20/2009 04:50 AM, Joe Orton wrote:
> On Thu, Nov 19, 2009 at 03:19:00PM -0500, David Rosenstrauch wrote:
>> Hi.  I'm tearing my hair out over an SSLRequire directive that doesn't
>> seem to be working.  Can anyone help?
>>
>> The directive is actually quite simple:
>>
>>    # Require SSL over non-obvious port 81 for SVN access
>>    SSLRequire %{SERVER_PORT} == 81
>
> The port which %{SERVER_PORT} expands to is determined by the settings
> of UseCanonicalPhysicalPort and UseCanonicalName.  For different
> combinations it will depend on either what the client sends in the
> request's Host header, what the ServerName directive is set to in the
> vhost, or what httpd derives as the "canonical" name for the vhost to be
> otherwise.
>
> See docs for more info:
>
> http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalname
> http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalphysicalport
>
> Regards, Joe


Huh!  Never heard of those before!

OK, well, I'm still not sure I quite understand the reason why, but 
"UseCanonicalPhysicalPort on" does seem to have fixed the problem.


Thanks much for the help!

DR


Re: SSLRequire problem

2009-11-20 Thread Joe Orton
On Thu, Nov 19, 2009 at 03:19:00PM -0500, David Rosenstrauch wrote:
> Hi.  I'm tearing my hair out over an SSLRequire directive that doesn't  
> seem to be working.  Can anyone help?
>
> The directive is actually quite simple:
>
>    # Require SSL over non-obvious port 81 for SVN access
>    SSLRequire %{SERVER_PORT} == 81

The port which %{SERVER_PORT} expands to is determined by the settings 
of UseCanonicalPhysicalPort and UseCanonicalName.  For different 
combinations it will depend on either what the client sends in the 
request's Host header, what the ServerName directive is set to in the 
vhost, or what httpd derives as the "canonical" name for the vhost to be 
otherwise.

See docs for more info:

http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalname
http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalphysicalport

Regards, Joe
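Joe's point is that %{SERVER_PORT} is computed, not read from the socket. The function below is an added example (not httpd code) that models the precedence the httpd 2.2 core documentation gives for the two directives he links, so that a rule like David's SSLRequire %{SERVER_PORT} == 81 can be evaluated for each combination of settings. It assumes an https vhost whose default port is 443 and a Host header in the form the client sent it; the scenarios at the end are constructed, not David's actual settings.

```python
from typing import Dict, Optional


def _host_header_port(host_header: Optional[str]) -> Optional[int]:
    """Port parsed from a Host header such as 'svn.example.org:81' (None if absent)."""
    if not host_header or ":" not in host_header:
        return None
    tail = host_header.rsplit(":", 1)[1]
    return int(tail) if tail.isdigit() else None


def server_port(use_canonical_name: bool, use_canonical_physical_port: bool,
                servername_port: Optional[int], host_header: Optional[str],
                physical_port: int, default_port: int = 443) -> int:
    """Value %{SERVER_PORT} takes, following the httpd 2.2 core docs:

    UseCanonicalName On : ServerName port, physical port (if UCPP On), default
    UseCanonicalName Off: Host header port, physical port (if UCPP On),
                          ServerName port, default
    """
    physical = physical_port if use_canonical_physical_port else None
    if use_canonical_name:
        candidates = [servername_port, physical]
    else:
        candidates = [_host_header_port(host_header), physical, servername_port]
    return next((p for p in candidates if p is not None), default_port)


def ssl_require_port_ok(required: int, **kw) -> bool:
    """Evaluate David's rule  'SSLRequire %{SERVER_PORT} == required'."""
    return server_port(**kw) == required


def scenarios() -> Dict[str, bool]:
    """Constructed cases: a vhost listening on physical port 81 whose ServerName
    carries no port, and a client whose Host header names no port either."""
    base = dict(servername_port=None, physical_port=81, host_header="svn.example.org")
    return {
        "UCN On, UCPP Off": ssl_require_port_ok(
            81, use_canonical_name=True, use_canonical_physical_port=False, **base),
        "UCN On, UCPP On": ssl_require_port_ok(
            81, use_canonical_name=True, use_canonical_physical_port=True, **base),
        "UCN Off, UCPP Off": ssl_require_port_ok(
            81, use_canonical_name=False, use_canonical_physical_port=False, **base),
        "UCN Off, UCPP On": ssl_require_port_ok(
            81, use_canonical_name=False, use_canonical_physical_port=True, **base),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:<18} SSLRequire passes: {ok}")
```

Two things fall out of the model. First, without UseCanonicalPhysicalPort On the physical port is never consulted, so a ServerName without an explicit port collapses to the default 443 and the == 81 test fails, which matches what David saw. Second, with UseCanonicalName Off the Host header is consulted before anything else, so the rule is then evaluated against a client-supplied value; UseCanonicalName On together with UseCanonicalPhysicalPort On ties the result to the port the connection actually arrived on, which is the combination to prefer when SSLRequire is doing access control.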


Re: Issue setting up a Verisign certificate

2009-07-27 Thread Lou Picciano
Robin, 

Be sure Verisign's 'root' certificate is installed in your browser's 
certificate store - this is probably already done by default. 

Then, verify what this is pointing to (from your own log file): 
Unable to read server certificate from file 
/etc/apache2/secure.canadaeast.com.public.crt 

Verify that your apache config file doesn't have one of the 'alternate' 
certificate pointer directives activated. Various configurations 'bundle' certs 
together in concatenated form, for example. 

Be sure also that your VerifyDepth is set appropriately... Looks like a depth 
of at least 3 levels to me. 

- Original Message - 
From: "Robin"  
To: modssl-users@modssl.org 
Sent: Monday, July 27, 2009 3:25:53 PM GMT -05:00 US/Canada Eastern 
Subject: Issue setting up a Verisign certificate 

I have generated a CSR, sent it to Verisign and they sent me back a 
cer file that I have renamed to public.crt. As per their support 
instructions I installed their Intermediate CA 
(https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR193)
 

My virtualhost configuration is as follows: 

SSLEngine on 
SSLCertificateFile /etc/apache2/public.crt 
SSLCertificateKeyFile /etc/apache2/private.key 
SSLCACertificateFile /etc/apache2/interm.crt 

I am getting this error when trying to start Apache: 

[Mon Jul 27 16:05:07 2009] [error] Init: Unable to read server 
certificate from file /etc/apache2/secure.canadaeast.com.public.crt 
[Mon Jul 27 16:05:07 2009] [error] SSL Library Error: 218529960 
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag 
[Mon Jul 27 16:05:07 2009] [error] SSL Library Error: 218595386 
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 
error 

Any thoughts? I am at a loss and am not interested in waiting on hold
for 35 minutes to speak to their support people.

Thanks! 


Re: Issue setting up a Verisign certificate

2009-07-27 Thread Victoriano Giralt

Robin wrote:
| My virtualhost configuration is as follows:
|
|   SSLEngine on
|   SSLCertificateFile /etc/apache2/public.crt
                       ^
|   SSLCertificateKeyFile /etc/apache2/private.key
|   SSLCACertificateFile /etc/apache2/interm.crt
I think this does not belong here, but I might be wrong.

| [Mon Jul 27 16:05:07 2009] [error] Init: Unable to read server
| certificate from file /etc/apache2/secure.canadaeast.com.public.crt
                        ^
It seems your Apache is looking for the cert in a different file than you
think.

Probably because there is a different virtual host configuration for the
SSL one.
--
---
G & S Sistemas de Informacion, S.L.  | Telephone: 9 02 01 44 43
Victoriano Giralt                    | Land line: +34-952-207-241
Torre de San Telmo, 8                | Mobile:    +34-670-332-720
E-29018 Malaga (Spain)               | http://www.gssi.es/
---
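Both replies above point at the same two checks: Victoriano notes that the path in the error (secure.canadaeast.com.public.crt) is not the one Robin believes he configured, and the "ASN1_CHECK_TLEN:wrong tag" error itself means OpenSSL's DER parser met a structure it did not expect while reading whatever that file contains. The helper below is an added example, not code from the thread or from mod_ssl: it reads each PEM block in a file with the standard library only and looks at the outer DER tags to tell an X.509 certificate from the other objects a CA commonly hands out under a .cer suffix (a PKCS#7 bundle, a CSR, a private key), which is exactly the mismatch that produces this class of error. The DER samples are constructed skeletons, just enough structure to classify, not real certificates.

```python
import base64
import binascii
import re
from typing import List, Tuple

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def _tlv(buf: bytes, off: int = 0) -> Tuple[int, int, int]:
    """Decode one DER tag and length at buf[off:]; return (tag, value_start, value_end)."""
    tag = buf[off]
    first = buf[off + 1]
    if first & 0x80:                                   # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        start = off + 2 + n
    else:
        length = first
        start = off + 2
    return tag, start, start + length


def classify_der(der: bytes) -> str:
    """Coarse label for a DER object, decided from its outer tags only."""
    try:
        tag, s, e = _tlv(der)
        if tag != 0x30 or e != len(der):
            return "not-a-der-sequence"
        inner, s1, _ = _tlv(der, s)
        if inner == 0x06:                 # SEQUENCE { OID contentType, ... }
            return "pkcs7-contentinfo"
        if inner == 0x02:                 # SEQUENCE { INTEGER version, ... }
            return "private-key"
        if inner != 0x30:
            return "unknown"
        first, _, _ = _tlv(der, s1)       # first element of tbsCertificate
        if first == 0xA0:                 # [0] EXPLICIT version => X.509 v2/v3
            return "x509-certificate"
        if first == 0x02:                 # INTEGER first: v1 cert or a CSR
            return "x509-v1-certificate-or-csr"
        return "unknown"
    except IndexError:
        return "truncated"


def check_pem_file(text: str) -> List[Tuple[str, str]]:
    """(label, verdict) per PEM block; 'ok' only when a CERTIFICATE block
    really holds an X.509 certificate, which is what SSLCertificateFile needs."""
    out: List[Tuple[str, str]] = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            out.append((label, "bad base64"))
            continue
        kind = classify_der(der)
        if label != "CERTIFICATE":
            out.append((label, f"label is {label}, not CERTIFICATE ({kind})"))
        elif kind.startswith("x509"):
            out.append((label, "ok"))
        else:
            out.append((label, f"mismatch: {kind}"))
    if not out:
        out.append(("(none)", "no PEM block found: empty file, or DER where mod_ssl expects PEM"))
    return out


def pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed minimal DER skeletons (not real objects): only the outer structure.
CERT_DER = bytes.fromhex("3007" "3005" "a003020102")        # SEQ { SEQ { [0] { INT 2 } } }
PKCS7_DER = bytes.fromhex("300b" "06092a864886f70d010702")  # SEQ { OID signedData }
SAMPLE_OK = pem("CERTIFICATE", CERT_DER)
SAMPLE_BAD = pem("CERTIFICATE", PKCS7_DER)

if __name__ == "__main__":
    for name, text in (("cert", SAMPLE_OK), ("pkcs7-in-cert-wrapper", SAMPLE_BAD)):
        print(name, check_pem_file(text))
```

Run it on the path named in the error_log rather than the one you think is configured: if the two differ, as in Robin's case, a different vhost (or an include file) is supplying SSLCertificateFile, and that is the file that has to hold a PEM X.509 certificate.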



RE: modssl - URL's under domain name not found

2009-07-22 Thread Mario Brandt
Well, AllowOverride manages what you are allowed to configure in
.htaccess.

Order deny, allow
deny from all
Allow from 127.0.0.1

This manages who can access this server from where.
In your case you can only access it from 127.0.0.1, a.k.a. localhost, your
own computer.

See the docs  for more details

http://httpd.apache.org/docs/2.2/howto/access.html



Mario



-Original Message-
Got it. Well, almost.

It seems that where my https connection was concerned, I was running
with AllowOverride None, so none of the rewrite directives in the
.htaccess file were being processed.

So I've solved this by 'opening up' my development machine by specifying
on all directories:

AllowOverride All
Order deny, allow
deny from all
Allow from 127.0.0.1

I still don't fully understand, as those are the directives I was
running for my drupal install directory already. Furthermore, the
.htaccess file in that directory was being processed and allowing my
ordinary http URLs to be rewritten properly. Obviously https is
different 'somehow', so any explanations will be welcome.

Meanwhile, I can get on and start playing with ssl on my development
machine


RE: modssl - URL's under domain name not found

2009-07-22 Thread glowkeeper

Got it. Well, almost.

It seems that where my https connection was concerned, I was running with
AllowOverride None, so none of the rewrite directives in the .htaccess file
were being processed.

So I've solved this by 'opening up' my development machine by specifying on
all directories:

AllowOverride All
Order deny, allow
deny from all
Allow from 127.0.0.1

I still don't fully understand, as those are the directives I was running
for my drupal install directory already. Furthermore, the .htaccess file in
that directory was being processed and allowing my ordinary http URLs to be
rewritten properly. Obviously https is different 'somehow', so any
explanations will be welcome.

Meanwhile, I can get on and start playing with ssl on my development machine


Mario Brandt wrote:
> 
> I guess the rewriting is not turned on in the SSL vhost. Else there
> should be a rewriting to a php file which works with PATH_INFO
> 
> You may check that out.
> 
> Mario 
> 
> -Original Message-
> From: owner-modssl-us...@modssl.org
> [mailto:owner-modssl-us...@modssl.org] On Behalf Of glowkeeper
> Sent: Monday, July 20, 2009 10:53 AM
> To: modssl-users@modssl.org
> Subject: RE: modssl - URL's under domain name not found
> 
> 
> The error log says (for example):
> 
> [Mon Jul 20 09:40:21 2009] [error] [client 127.0.0.1] File does not
> exist:
> /Library/WebServer/Documents/drupal/electric-heater-info, referer:
> https://devel.cosyheart.com/
> 
> Actually, my original post is a bit misleading - the content is
> delivered via drupal and a MySQL database, not from a filesystem.
> Furthermore, that database is replicated between the devel' and live
> server (so they are EXACTLY the same), and all works just fine under
> normal http. As I said, ssl also works on the live server, but not on
> the dev machine (other than the home page).
> 
> 
> Mario Brandt wrote:
>> 
>> Hi!
>> What is in your error log about that?
>> 
>> Mario
>> 
>> -Original Message-
>> From: owner-modssl-us...@modssl.org
>> [mailto:owner-modssl-us...@modssl.org] On Behalf Of glowkeeper
>> Sent: Sunday, July 19, 2009 9:38 PM
>> To: modssl-users@modssl.org
>> Subject: modssl - URL's under domain name not found
>> 
>> 
>> I am running modssl under apache 2.2.11 on my development server using
> 
>> mac os x 10.5.
>> 
>> I have created self signed certificates using openssl for this
> machine.
>> 
>> https://devel works just fine.
>> 
>> https://devel/directory generates a 404 file not found error.
>> 
>> https://devel/anotherdirectory/etcetc also generates a 404.
>> 
>> I have a very similar setup on a live server that's running Centos 
>> 5.1, apache 2.2.3, modssl and an ssl certificate via Comodo. This is 
>> working just fine - all URLs resolve properly.
>> 
>> I have tried copying the conf' files on the live and devel' server 
>> line for line, but I don't seem to be able to overcome the error on my
> 
>> development machine.
>> 
>> Does anyone have any idea what the problem on my development machine
>> might be? Any pointers would be welcome.
>> 
>> 
> 

RE: modssl - URL's under domain name not found

2009-07-20 Thread glowkeeper

Sounds good - I have checked that I'm loading mod_rewrite.so and tried
"RewriteEngine On" in the ssl vhost on the dev machine - but that didn't
work. So what else do I need to check regarding? I'm also confused why it
should then be working on my live machine when the config' files are almost
identical...

I'm obviously missing something though :)



__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Managermajord...@modssl.org


RE: modssl - URL's under domain name not found

2009-07-20 Thread Mario Brandt
I guess the rewriting is not turned on in the SSL vhost. Else there
should be a rewriting to a php file which works with PATH_INFO

You may check that out.

Mario 

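Mario's check spelled out as an added example that is not part of the thread: an SSL vhost in which Drupal's clean-URL rewriting is actually active. The host name and document root are taken from the error log quoted above; the certificate paths are placeholders, and the rewrite rules themselves are assumed to be the standard ones shipped in Drupal's .htaccess rather than anything the poster showed.

```apache
<VirtualHost *:443>
    ServerName   devel.cosyheart.com
    DocumentRoot /Library/WebServer/Documents/drupal

    SSLEngine on
    # Placeholder paths for the self-signed pair created with openssl.
    SSLCertificateFile    /etc/apache2/ssl/devel.crt
    SSLCertificateKeyFile /etc/apache2/ssl/devel.key

    <Directory /Library/WebServer/Documents/drupal>
        # Drupal's clean URLs come from the RewriteRule set in its .htaccess
        # (RewriteEngine on; RewriteCond !-f / !-d; RewriteRule to index.php?q=).
        # Directives in the :80 vhost are not inherited here: without
        # AllowOverride in *this* vhost the .htaccess is never read, so
        # /electric-heater-info is looked up as a file and 404s, exactly as
        # the error log shows.
        AllowOverride All
        # mod_rewrite in per-directory context needs FollowSymLinks.
        Options FollowSymLinks
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Comparing `httpd -S` and the `<Directory>` blocks of the :80 and :443 vhosts on both machines is the quickest way to see which side is missing the override.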


RE: modssl - URL's under domain name not found

2009-07-20 Thread glowkeeper

The error log says (for example):

[Mon Jul 20 09:40:21 2009] [error] [client 127.0.0.1] File does not exist:
/Library/WebServer/Documents/drupal/electric-heater-info, referer:
https://devel.cosyheart.com/

Actually, my original post is a bit misleading - the content is delivered
via drupal and a MySQL database, not from a filesystem. Furthermore, that
database is replicated between the devel' and live server (so they are
EXACTLY the same), and all works just fine under normal http. As I said, ssl
also works on the live server, but not on the dev machine (other than the
home page).




RE: modssl - URL's under domain name not found

2009-07-20 Thread Mario Brandt
Hi!
What is in your error log about that?

Mario 

-Original Message-
From: owner-modssl-us...@modssl.org
[mailto:owner-modssl-us...@modssl.org] On Behalf Of glowkeeper
Sent: Sunday, July 19, 2009 9:38 PM
To: modssl-users@modssl.org
Subject: modssl - URL's under domain name not found


I am running modssl under apache 2.2.11 on my development server using
mac os x 10.5.

I have created self signed certificates using openssl for this machine.

https://devel works just fine.

https://devel/directory generates a 404 file not found error.

https://devel/anotherdirectory/etcetc also generates a 404.

I have a very similar setup on a live server that's running Centos 5.1,
apache 2.2.3, modssl and an ssl certificate via Comodo. This is working
just fine - all URLs resolve properly.

I have tried copying the conf' files on the live and devel' server line
for line, but I don't seem to be able to overcome the error on my
development machine.

Does anyone have any idea what the problem on my development machine
might be? Any pointers would be welcome.


Re: SSL connection between Apache and Tomcat failing

2009-07-17 Thread Lou Picciano
Iain: 

Wow! Am I glad to hear from you! I've been wrestling with exactly this problem 
- error on: OpenSSL: read 5/5 bytes from BIO - for a few weeks now; was 
beginning to think I was losing my mind. (while we leave that possibility aside 
for the moment(!),) here's what's different about our environment: 

Apache/2.2.11 (Unix - Solaris SPARC) mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9 . 
We are using certificate authentication. Seeing this behavior under Firefox 
(Mac); haven't tried it using mobile browsers, though, presumably, you may be 
using a Mozilla-based mobile browser... We've recently upgraded to these 
current versions of Apache and OpenSSL, but the error behavior has not been 
impacted. The incessant prompting for certificate can be interrupted by setting 
Firefox's Advanced-Encryption-When a server requests my certificate-Select one 
automatically option. The above read error persists, however... 

The primary impact is - apparently - that the SSL session is constantly 
re-negotiated for GET of each page element; loading of a single page might 
generate 8-10 prompts for the certificate. We have fiddled with various 
settings for the Renegotiation buffer, including which buffer engine is used, 
its size, etc., all to no avail. Some of the settings result in Apache 
configuration errors, so I wonder if we're into an Apache - or mod_ssl - 'black 
hole' region. 

My quick research on this indicates that others have run into it, some have 
simply ignored it, but none have solved it. 

Hopefully we'll come up with something. Lou 

- Original Message - 
From: "I Emsley (Iain)"  
To: modssl-users@modssl.org 
Sent: Friday, July 17, 2009 8:56:23 AM GMT -05:00 US/Canada Eastern 
Subject: SSL connection between Apache and Tomcat failing 




I've got a website which uses Apache 2.2 as the front end with Tomcat 5.5.23 as 
the backend and am using mod_ssl and mod_proxy to link the two together on 
Windows Server 2003. Normally there isn't an issue with the two servers serving the 
website, but recently (and mainly, it appears, with mobile browsers) I'm 
getting the following errors: 

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 
read finished A 

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1756): OpenSSL: 
Handshake: done 

[Fri Jul 17 09:52:29 2009] [info] Connection: Client IP: 130.246.76.83, 
Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits) 

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1817): OpenSSL: read 5/5 
bytes from BIO 


Re: Restricting access by arbitrary certificate extension

2009-05-28 Thread Joe Orton
Zhumabekov - discussion of mod_ssl for httpd 2.x takes place on the 
development list for Apache httpd, CC'ed.  (I'm quoting the full mail 
inline for reference of dev@ readers)

On Wed, May 06, 2009 at 10:49:46AM +0600, Zhumabekov Yerden wrote:
> mod_ssl can perform client authentication on certificates in
> Apache and client authorization on certain certificate extensions. We
> are setting up a CA here and we want to restrict access to a certain website
> by checking the presence of a certain certificate extension using its OID.
> The syntax which mod_ssl is forcing us to use is the following:
>
>
>     SSLRequire "some string" in OID("1.2.3.4…..")
>
>
> As you can see, we need to match this string exactly in the extension's
> value. We can encounter a problem with this, because this extension may
> not be listed in openssl's list of valid extensions
> (crypto/objects/objects.h). As I learned from the mod_ssl and openssl code,
> mod_ssl would not be able to match the string because the object of this
> OID does not have a valid NID in openssl. OpenSSL seems incapable of
> determining the type of an arbitrary extension we want to use as a
> restricting factor. Hence, mod_ssl cannot even extract its value from the
> certificate.
> Well, I poked around the problem for some time and found no
> other way than to patch mod_ssl by adding one new function in
> ssl_expr_eval.c which does almost the same thing as ssl_extlist_by_oid()
> and ssl_expr_eval_oid() but does not intend to extract the value of the
> certificate extension. I also added some change to ssl_expr_eval_comp(),
> so if you supply a zero-length word in SSLRequire, it uses my new
> function instead of ssl_expr_eval_oid(). So, the new syntax is like this:
>
>
>     SSLRequire "" in OID("1.2.3.4…..")
>
>
> If you are aware of a more attractive and "right" way to do
> it, please let me know. My patch for apache-2.2.11 is attached.

I'd rather see a different syntax used for the new semantics, such as:

   SSLRequire has_oid("1.2.3.4")

though I'm not sure whether the SSLRequire parser can cope with that.

Regards, Joe


Re: SSLRequireSSL Ineffective

2009-03-14 Thread Lee Hughes
Some more info -- if I add this same Directory section to httpd.conf it
works fine and forces https access. It's like the line

Include conf/extra/httpd-ssl.conf

in httpd.conf has no effect -- why would that be?

Thanks-

Lee


Re: Client Verification with sub ca's

2009-03-12 Thread leanmeandonothingmachine

thanks that works, a little tricky if you want to use SSLVerifyClient
optional, as it 403s everything in that case instead of just not filling in
the client variables. But I can always do that programmatically if I need it.


Re: Client Verification with sub ca's

2009-03-12 Thread leanmeandonothingmachine

thanks that works, a little tricky if you want to use SSLVerifyClient
optional, as it 403s everything in that case instead of just not filling in the
client variables. But I can always do that programmatically if I need it.


Re: Client Verification with sub ca's

2009-03-12 Thread Matt Stevenson

Hi,

Same setup as works with both subCAs. Use the SSLRequire directive. Restrict on 
the client certs issuer field (SSL_CLIENT_I_DN...).

Regards
Matt





- Original Message 
From: leanmeandonothingmachine 
To: modssl-users@modssl.org
Sent: Thursday, March 12, 2009 2:03:07 PM
Subject: Client Verification with sub ca's


I have a self signed ca, with multiple sub-ca's.

root
-sub-ca1
-sub-ca2
-server

I sign client certificates with either -sub-ca1 or -sub-ca2, and use server
to sign certificates for the actual website. So in my apache config, i have
this:

SSLEngine on
SSLOptions +stdEnvVars
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /data/keys/test.crt
SSLCertificateKeyFile /data/keys/test.key
SSLCertificateChainFile /data/keys/chain.pem

SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /data/keys/ca.pem

test.crt is signed by server.
chain.pem contains server and root in that order
ca.pem contains sub-ca2 and root in that order

Everything seems to work fine except for the fact that the website also
accepts client certificates signed by sub-ca1. But I'm trying to restrict
this site to only sub-ca2 clients.

I tried:

1) removing the root from ca.pem, that gives me a "Certificate Verification:
Error (2): unable to get issuer certificate" error.

2) removing the root from ca.pem adding sub-ca2 to chain.pem, same error.

3) changing SSLVerifyDepth to 1, that gives me a "Certificate Verification:
Certificate Chain too long (chain has 2 certificates, but maximum allowed
are only 1)" error.

Anyone know how to get apache to only allow clients from one sub-ca but not
others signed by the same root?
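Matt's suggestion spelled out as an added example that is not the poster's own config: the vhost from the question with an authorization step on the client certificate's issuer DN. The issuer DN string, the log path and the tightened cipher suite are assumptions; the exact DN format mod_ssl produces for this version should be copied from the log line the CustomLog below writes rather than typed by hand.

```apache
<VirtualHost *:443>
    SSLEngine on
    SSLOptions +StdEnvVars
    # The suite in the question still admits eNULL, LOW and SSLv2; none of
    # those belongs on a site that authenticates clients with certificates.
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5

    SSLCertificateFile      /data/keys/test.crt
    SSLCertificateKeyFile   /data/keys/test.key
    SSLCertificateChainFile /data/keys/chain.pem

    # Authentication: the chain must still verify up to the root, so ca.pem
    # keeps sub-ca2 *and* root. Dropping root gives "unable to get issuer
    # certificate" and depth 1 gives "Certificate Chain too long", the two
    # errors seen in the thread.
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCACertificateFile /data/keys/ca.pem

    # Authorization: a certificate issued by sub-ca1 verifies just as well
    # because both sub-CAs chain to the same root, so it is filtered here on
    # the issuer DN and answered with 403. Placeholder DN, to be replaced by
    # the value mod_ssl logs for a real sub-ca2 client.
    SSLRequire %{SSL_CLIENT_I_DN} eq "/O=example.org/CN=sub-ca2"

    # Record issuer and verify result per request so the DN above can be
    # taken from what mod_ssl actually reports.
    CustomLog /var/log/httpd/ssl_client_log "%t %h %{SSL_CLIENT_I_DN}x %{SSL_CLIENT_VERIFY}x"
</VirtualHost>
```

With `SSLVerifyClient optional`, SSLRequire still fails for a request that carries no certificate (the variable is empty), which is the 403-for-everything behaviour reported in the follow-ups above; in that case keep the SSLRequire inside a `<Location>` that genuinely needs the certificate and leave the rest of the site without it.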


Re: Partitioned CRLs

2008-10-21 Thread Nuno Ponte
Hi Gilles,

Thanks for your reply! :-)

The CA also offers OCSP, which is obviously the preferred way to
validate certificate status. I am just trying to make sure that there
is support from the "applications world" to such a CRL partitioning
scheme. Wide interoperability is a key goal.

Regards,

   Nuno Ponte




Re: Partitioned CRLs

2008-10-21 Thread Cuesta Gilles
Nuno Ponte wrote:
> Hi,
>
> We are running a CA that has thousands of revoked certificates,
> which leads to CRLs of several MBytes.
>
> On the next renewal of the CA, we are thinking of partitioning the
> CRLs at each X number of issued certificates. The issued certificates
> will have different CRL Distribution Points (CDP) according to the
> partitions they are assigned.
>
> For example, for X=100, from certificate 1 to certificate 100, the
> CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101
> to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.
>   
CDP is embedded when creating certificate, so it might be possible
(client side).

Server side, you can stack as many crl as you want into either a single
file, or a directory (using hashing) and point to it into Apache.
But you may apply a patch for multiple identical DN handling.
http://marc.info/?l=apache-httpd-dev&m=120350484626015&q=p3

Why didn't you implement OCSP in Apache?
http://sitola.fi.muni.cz/%7Etauceti/?download=ocsp_apache_2.2.patch (I
didn't test it anyway)

-- 
The Mona Lisa does not smile in front of Chuck Norris.
Gilles CUESTA - Logiciels Libres
69139920






Re: unable to start apache with 2 certificates

2008-10-20 Thread Cuesta Gilles
Jorge Martín Cuervo wrote:
> I tried with an SSLPassPhraseDialog in every VirtualHost and i get this
> message:
>
> [EMAIL PROTECTED] bin]$ ./apachectl -S
> Syntax error on line 82
> of /home/jmartin/apache22/conf/extra/httpd-ssl.conf:
> SSLPassPhraseDialog cannot occur within <VirtualHost> section
>
> "or unciphered key ?" how can I do it? Do I need to contact my
> certificate provider?
>   
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC31
Your key may be stored unciphered on your server.

-- 
Why did Pierre Lescure leave Canal? Because he was thinking of creating a 
Chuck Norris puppet for Les Guignols de l'info!!!
Gilles CUESTA - Logiciels Libres
69139920






Re: unable to start apache with 2 certificates

2008-10-20 Thread Jorge Martín Cuervo
I tried with an SSLPassPhraseDialog in every VirtualHost and i get this
message:

[EMAIL PROTECTED] bin]$ ./apachectl -S
Syntax error on line 82
of /home/jmartin/apache22/conf/extra/httpd-ssl.conf:
SSLPassPhraseDialog cannot occur within <VirtualHost> section

"or unciphered key ?" how can I do it? Do I need to contact my
certificate provider?

thanks.


On Mon, 20-10-2008 at 10:32 +0200, Jorge Martín Cuervo wrote:
> Did you try with SSLPassPhraseDialog in each VirtualHost ?
-- 
;-)

Jorge Martin Cuervo
 
Outsourcing Emarketplace
deFacto Powered by Standards
 
email <[EMAIL PROTECTED]>
voice +34 984 832 659
voice +34 660 026 384





Re: unable to start apache with 2 certificates

2008-10-20 Thread Jorge Martín Cuervo
Hi Cuesta Gilles, thanks for your quick reply. Now I am going to read
the documentation about SSLPassPhraseDialog.

This is my apachectl -S output:

[EMAIL PROTECTED] bin]$ ./apachectl -S
VirtualHost configuration:
213.134.38.66:443  cv.smra.org
(/home/jmartin/apache22/conf/extra/httpd-ssl.conf:266)
213.134.38.54:443  www.smartcv.org
(/home/jmartin/apache22/conf/extra/httpd-ssl.conf:81)
wildcard NameVirtualHosts and _default_ servers:
*:80   is a NameVirtualHost
 default server protean.eu
(/home/jmartin/apache22/conf/httpd.conf:490)
 port 80 namevhost protean.eu
(/home/jmartin/apache22/conf/httpd.conf:490)
 port 80 namevhost madrid.protean.eu
(/home/jmartin/apache22/conf/httpd.conf:506)
 port 80 namevhost portal.protean.eu
(/home/jmartin/apache22/conf/httpd.conf:519)
 port 80 namevhost uk.protean.eu
(/home/jmartin/apache22/conf/httpd.conf:532)
 port 80 namevhost portaldeempleo.curtidora.com
(/home/jmartin/apache22/conf/httpd.conf:545)
 port 80 namevhost ofertasdeempleo.curtidora.com
(/home/jmartin/apache22/conf/httpd.conf:557)
 port 80 namevhost smra.smartcv.org
(/home/jmartin/apache22/conf/httpd.conf:572)
 port 80 namevhost gijon.smartcv.org
(/home/jmartin/apache22/conf/httpd.conf:580)
 port 80 namevhost esapa.smartcv.org
(/home/jmartin/apache22/conf/httpd.conf:588)
 port 80 namevhost curtidora.smartcv.org
(/home/jmartin/apache22/conf/httpd.conf:596)
 port 80 namevhost candidato.curtidora.com
(/home/jmartin/apache22/conf/httpd.conf:604)
 port 80 namevhost demo.smartcv.org
(/home/jmartin/apache22/conf/httpd.conf:617)
 port 80 namevhost democv.smartcv.org
(/home/jmartin/apache22/conf/httpd.conf:624)
 port 80 namevhost fade.smartcv.org
(/home/jmartin/apache22/conf/httpd.conf:638)
 port 80 namevhost fadecv.smartcv.org
(/home/jmartin/apache22/conf/httpd.conf:645)
 port 80 namevhost flc.smartcv.org
(/home/jmartin/apache22/conf/httpd.conf:659)
 port 80 namevhost flccv.smartcv.org
(/home/jmartin/apache22/conf/httpd.conf:666)
 port 80 namevhost smartcv.org
(/home/jmartin/apache22/conf/httpd.conf:680)
 port 80 namevhost coiipa.smartcv.org
(/home/jmartin/apache22/conf/httpd.conf:708)
 port 80 namevhost coiial.smartcv.org
(/home/jmartin/apache22/conf/httpd.conf:715)
 port 80 namevhost colegiado.coiial.net
(/home/jmartin/apache22/conf/httpd.conf:724)
 port 80 namevhost ofertas.coiial.net
(/home/jmartin/apache22/conf/httpd.conf:736)
 port 80 namevhost empleo.coiial.net
(/home/jmartin/apache22/conf/httpd.conf:747)
 port 80 namevhost coiil.smartcv.org
(/home/jmartin/apache22/conf/httpd.conf:761)
 port 80 namevhost coiia.smartcv.org
(/home/jmartin/apache22/conf/httpd.conf:768)
 port 80 namevhost smartemployer.org
(/home/jmartin/apache22/conf/httpd.conf:778)
 port 80 namevhost asturiasotrabajas.com
(/home/jmartin/apache22/conf/httpd.conf:792)
 port 80 namevhost asturiasytrabajas.com
(/home/jmartin/apache22/conf/httpd.conf:806)
 port 80 namevhost media.protean.eu
(/home/jmartin/apache22/conf/httpd.conf:820)
 port 80 namevhost protean.es
(/home/jmartin/apache22/conf/httpd.conf:832)
 port 80 namevhost colegios.protean.es
(/home/jmartin/apache22/conf/httpd.conf:846)
 port 80 namevhost opea.protean.es
(/home/jmartin/apache22/conf/httpd.conf:858)
Syntax OK



Re: unable to start apache with 2 certificates

2008-10-20 Thread Cuesta Gilles
Jorge Martín Cuervo wrote:
> Hi all,
>
> I have a problem with an apache 2.2.9, maybe this is not the correct
> mailing list but I am going to ask, my apologies if this isn't the
> proper place.
>
> I had an instance of apache 2.2.9 with an IP serving contents on
> ports 80 and 443, we bought a godaddy certificate and all went pretty
> well, but we needed to install another certificate for another domain on
> the same machine. I had several domains and all work with vhosts with
> http, but when I first tried to use several vhosts for secure
> connections the apache seemed to restart well but stopped working. 
>   
Did you try with SSLPassPhraseDialog in each VirtualHost? Or an unciphered
key?
What is the result of httpd -S?

-- 
Gilles CUESTA - Logiciels Libres
69139920






Re: X509 variables ..UID

2008-10-10 Thread Michael Ströder
Peter Sylvester wrote:
> in ssl_engine_vars, there seems to be a problem to me concerning the UID
> field.
> The syntax for the field is a bitstring and not a "text".

Nothing happened since I've filed this bug and raised the issue here:

  https://issues.apache.org/bugzilla/show_bug.cgi?id=45107

It's broken => it should be fixed. Unfortunately no-one cares. :-(

Ciao, Michael.
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: Can i use CA signed cert to create client authentication certificates ?

2008-09-26 Thread Matt Stevenson
Hi,

Asking every time does make it complicated. I can't remember if the Firefox 
default is to ask or auto supply (and it has changed behavior between 1/2/3 
AFAIK); I have it as ask every time.

Anyway the ask-every-time FF behavior isn't very nice for users (auto supply is 
probably fine for most users). FF will also ask for a cert on every session ID 
change.

As you know there isn't an ask-once option, which would be very nice. I don't 
think there is much that can be done to "fix" it other than coding up an "ask 
once" option in FF (which I haven't got the time to do :( ).

Anyway you may also want to use/need "SSLOptions +OptRenegotiate" if you 
have portions of the site that do and don't require client certs. It can help 
greatly with IE. Sometimes IE goes a little funny and renegotiates sessions all 
the time going from non-client-cert to client-cert areas.


Regards
Matt



Re: Can i use CA signed cert to create client authentication certificates ?

2008-09-25 Thread Jan Stian Gabrielli
Thank you very much Matt.
That solved it :).

I now have "Client Certificate Authentication" working with a CA signed 
certificate and a self-signed CA which in turn signs client certs.

If I can only ask for a bit more advice regarding this setup?
Although I think this problem might be Firefox specific, I'm hoping for some 
advice here. 

Internet Explorer handles the client certificates fine, prompts me to select a 
certificate on connection to the site and basically just works after that.

But when Firefox is set to "Ask me every time" instead of "auto select client 
certificate" I keep getting the select certificate pop-up several (multiple) 
times per page request/load from the SSL secured Apache server.
There is only one certificate in the select-from dialog, but it keeps prompting 
me and I can see it loading "one" and "one" item (image) on the website.
If I switch to "Auto select certificate" it works. But it would be nice not 
having the browser present the certificate without it being the user's choice. 
And honestly, choosing it once per session per site should be sufficient.
 
I should probably mention that the page served up is behind a mod_proxy module. 
But this content should not differ for Firefox, and certificate selection. Or 
does the mod_ssl module prompt for a client certificate for each item loaded?

I have googled this but can't find any good answers.
Some say it is because of image objects loading, but why?
 
Best regards

Jan Stian Gabrielli



Re: Can i use CA signed cert to create client authentication certificates ?

2008-09-23 Thread Matt Stevenson
Hi,

Basically...

SSLCACertificateFile SelfSignedCA Root Cert (public part)
SSLVerifyClient require or optional
SSLVerifyDepth 1 (default)

and have the setup from the Thawte cert as per normal for the server cert.

Regards
Matt



Re: Can i use CA signed cert to create client authentication certificates ?

2008-09-23 Thread Jan Stian Gabrielli
OK. This seems like a viable solution.
I.e.
I use an approved CA signed cert to verify the site authenticity, and I use a 
self-signed CA root for client certificates.

Can you point me in the direction of how I make this work in Apache?
I already have a setup with a self-signed CA working for client certificates.

Created SelfSignedCA
|-->Create and Sign Apache Cert from SelfSigned CA
|-->Create and Sign Client Cert from SelfSigned CA

How do I incorporate this with a CA (thawte) signed webserver certificate?

Best regards

Wizkidnono


Re: Can i use CA signed cert to create client authentication certificates ?

2008-09-22 Thread Matt Stevenson
Sounds like you're trying to use the thawte apache cert to sign your client 
certs? The thawte cert won't have the right attributes to sign a client cert 
and then try to use it.

You could use your CA for client certs and Thawte for the server cert.

Regards
Matt



- Original Message 
From: Jan Stian Gabrielli <[EMAIL PROTECTED]>
To: modssl-users@modssl.org
Sent: Monday, September 22, 2008 7:54:37 PM
Subject: Can i use CA signed cert to create client authentication certificates ?

I am trying to set up Apache with mod_ssl, and I have it working with a
self-signed CA.
But I can not get it to work with a cert created by thawte.com.

Does anyone know if it is possible to do this with a crt signed by a "third"
party where one does not have access to their root CA key?

I.e.

I have generated an apache_server.key, made an apache_server.csr and sent
this for signing by thawte.com.
Received an apache_server.crt.

Created a client.key and a client.csr.
Signed it with my apache_server.key and apache_server.crt.

Converted the client.key,crt to a pkcs12 file and imported this into my
browser but I can not make things work.

SSL works fine on the server on pages that do not require SSL client auth.

As I stated earlier, it works when I create and self-sign a CA, but I can't
make it work when I use a 3rd party CA and only have apache_server.key,
apache_server.crt, thawte root cert.

Best regards

Wizkidnono


Re: Authenticating users based on S/MIME certificate

2008-09-22 Thread Matt Stevenson
Hi,

Have a look at mod_authz_ldap (LDAP based whitelisting,
http://authzldap.othello.ch/). Probably far more than you need but it
does things along the same lines and has some nice notes on how to do
various bits and pieces.

You can add env vars that you can use in PHP; have a look at SSLOptions 
+StdEnvVars and +ExportCertData.

Regards
Matt



- Original Message 
From: Gunnar Vestergaard <[EMAIL PROTECTED]>
To: modssl-users@modssl.org
Sent: Sunday, September 21, 2008 12:10:16 AM
Subject: Authenticating users based on S/MIME certificate

Hi. I am an administrator of a user account at an Apache web server. 
Currently the server is running Apache 1.3.37. My hosting provider plans 
on switching to new hardware with possibly new software. So I don't know 
if my web server will be run on Apache 1.3.37 or Apache 2.0.

My goal is to let visitors of my web site authenticate themselves to my 
web server using some certificate, possibly S/MIME certificates.

Now, my current S/MIME certificate for personal e-mail is approved for 
the following purposes:
Email Signer Certificate
Email Recipient Certificate

Is it possible to have such a certificate authenticate its user towards 
an SSL web server? In any case I want to have a limited crowd of users 
seeing a subdirectory of pages without bothering the user with a user 
name/password dialog. Just their personal certificate lets them see 
pages in a certain subdirectory.

As I understand the documentation for PHP, there is no means whereby PHP 
can read and interpret an SSL client certificate. Is that correct?

Gunnar



  


Re: Authenticating users based on S/MIME certificate

2008-09-22 Thread Dave Sparks

Gunnar Vestergaard wrote:

> My goal is to let visitors of my web site authenticate themselves to
> my web server using some certificate, possibly S/MIME certificates.

> As I understand the documentation for PHP, there is no means whereby
> PHP can read and interpret an SSL client certificate. Is that correct?

It's possible to configure Apache 2 to add the client certificate to a 
request header.  From one of my configuration files:


  RewriteCond ${ESC:%{SSL:SSL_CLIENT_CERT}} \
^.*(-BEGIN%20(X509%20|TRUSTED%20|)CERTIFICATE-(%0[Dd])?%0[Aa].*%0[Aa]-END%20\2CERTIFICATE-(%0[Dd])?%0[Aa]).*$
  RewriteRule ^.*$ - [E=CLIENT_CERT:%1]

  RequestHeader unset L-ClientCert

  RequestHeader set L-ClientCert %{CLIENT_CERT}e env=CLIENT_CERT

The certificate is %-encoded to avoid problems with newline characters.
Presumably PHP can use the string in the header to match the
certificate against a list of known certificates.


The certificate digest would be less unwieldy than the entire 
certificate, but mod_ssl would need some simple changes to make the 
digest available and I would be reluctant to use a hosting provider who 
allowed customers to use a modified mod_ssl.



Dave Sparks
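Added example in Python (not Dave's configuration and not mod_ssl code): the receiving side of the scheme above, as a backend behind that proxy could implement it. It URL-decodes the L-ClientCert value, extracts the PEM block, computes the SHA-256 fingerprint of the DER bytes and checks it against an allowlist in constant time, which gives the digest-based matching Dave mentions without a modified mod_ssl. The allowlist, the header handling and the certificate bytes are assumptions and constructed data, not a real certificate.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import quote, unquote

# Header name taken from the RequestHeader line in the configuration above.
HEADER_NAME = "L-ClientCert"

# Same shape as the RewriteCond pattern: BEGIN line, base64 body, END line,
# with either LF or CRLF line endings.
PEM_RE = re.compile(
    r"-----BEGIN (X509 |TRUSTED |)CERTIFICATE-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END \1CERTIFICATE-----\r?\n?",
    re.DOTALL,
)


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in pem_text, or None."""
    m = PEM_RE.search(pem_text)
    if m is None:
        return None
    body = "".join(m.group("body").split())  # drop line breaks and whitespace
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def sha256_fingerprint(der):
    """Hex SHA-256 over the DER encoding, the usual certificate fingerprint."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_from_header(header_value):
    """URL-decode the header value and return its fingerprint, or None."""
    if not header_value:
        return None
    der = pem_to_der(unquote(header_value))
    return None if der is None else sha256_fingerprint(der)


def is_allowed(fingerprint, allowlist):
    """Membership test that compares every entry in constant time."""
    if fingerprint is None:
        return False
    hit = False
    for allowed in allowlist:
        # No early return, so timing does not reveal which entry matched.
        if hmac.compare_digest(fingerprint, allowed):
            hit = True
    return hit


def client_allowed(headers, allowlist):
    """Authorize a request from its header mapping (names matched case-insensitively)."""
    value = None
    for name, val in headers.items():
        if name.lower() == HEADER_NAME.lower():
            value = val
    return is_allowed(fingerprint_from_header(value), allowlist)


# --- constructed sample data; the DER bytes are NOT a real certificate ------
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\r\n-----END CERTIFICATE-----\r\n"
)
# Fully %-encoded, as the escaping in the configuration above does for the
# newlines; unquote() reverses either way.
SAMPLE_HEADER = quote(SAMPLE_PEM, safe="")

# Assumed allowlist: fingerprints of certificates enrolled out of band.
ALLOWLIST = {sha256_fingerprint(SAMPLE_DER)}

if __name__ == "__main__":
    print("fingerprint:", fingerprint_from_header(SAMPLE_HEADER))
    print("allowed:", client_allowed({HEADER_NAME: SAMPLE_HEADER}, ALLOWLIST))
```

This only makes sense behind a proxy that, like the configuration above, unsets L-ClientCert before setting it, so a client cannot supply its own value.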



RE: SSL_CLIENT_S_DN & SSL_CLIENT_I_DN Formats

2008-09-10 Thread Bolger, Ken
Hi,
 
I have noticed that the DN components of the SSL_CLIENT_S_DN and
SSL_CLIENT_I_DN environment variables are separated by the '/' (forward
slash) character rather than the ',' (comma) separator as required by
RFC2253.
 
Is the use of the forward slash part of an older standard or is there
another reason for its use?
Is there a setting to change the format?
 
Thanks,
 
Ken Bolger
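Added illustration in Python, not from the thread: a converter from the slash-separated DN string Ken describes to RFC 2253 form (leaf-first order, comma separators, special characters escaped), plus a comparison that accepts either format so strings from the two worlds can be matched. The DNs are constructed; the comments note that a '/' inside an attribute value is ambiguous in the slash format, since that format has no escaping.

```python
import re

# RFC 2253 section 2.4: characters that must be escaped inside a value.
_RFC2253_SPECIAL = ',+"\\<>;'


def parse_slash_dn(dn):
    """Split a mod_ssl style '/O=x/OU=y/CN=z' string into [(type, value), ...],
    root-first, as it appears in the string.

    Caveat: the slash format has no escaping, so a '/' inside a value cannot be
    distinguished from a separator. Splitting only at a '/' that is followed by
    'TYPE=' keeps values such as 'CN=unit a/b' intact but cannot fix every case.
    """
    if not dn.startswith("/"):
        raise ValueError("expected a leading '/': %r" % dn)
    rdns = []
    for part in re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", dn[1:]):
        attr_type, sep, value = part.partition("=")
        if not sep or not attr_type:
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        rdns.append((attr_type, value))
    return rdns


def escape_rfc2253(value):
    """Escape one attribute value as RFC 2253 section 2.4 requires."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RFC2253_SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def slash_to_rfc2253(dn):
    """'/C=US/O=Example Corp/CN=Jane Doe' -> 'CN=Jane Doe,O=Example Corp,C=US'."""
    rdns = parse_slash_dn(dn)
    # RFC 2253 writes the RDN sequence leaf-first, hence the reversal.
    return ",".join("%s=%s" % (t, escape_rfc2253(v)) for t, v in reversed(rdns))


def parse_rfc2253_dn(dn):
    """Parse an RFC 2253 string into [(type, value), ...] in string order
    (leaf-first). Handles backslash-escaped characters; hex escapes, multi-valued
    RDNs joined with '+' and '#'-encoded BER values are out of scope here.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    parsed = []
    for rdn in rdns:
        attr_type, sep, value = rdn.partition("=")
        if not sep or not attr_type.strip():
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        parsed.append((attr_type.strip(), value))
    return parsed


def canonical_rdns(dn):
    """Root-first [(TYPE, value), ...] from either string format, with
    attribute types upper-cased so 'cn' and 'CN' compare equal."""
    if dn.startswith("/"):
        rdns = parse_slash_dn(dn)
    else:
        rdns = list(reversed(parse_rfc2253_dn(dn)))
    return [(t.upper(), v) for t, v in rdns]


def same_dn(a, b):
    """True when two DN strings, in either format, name the same subject."""
    return canonical_rdns(a) == canonical_rdns(b)


if __name__ == "__main__":
    # Constructed DN, not one from the thread.
    print(slash_to_rfc2253("/C=US/O=Example Corp/OU=People/CN=Jane Doe"))
```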


RE: Error when trying shmcb SSLSessionCache on 64-bit Windows

2008-09-01 Thread Johan Hoogenboezem
Hi Martin
I tried the short (8.3) version of the directory with no luck. Ah well...
Thanks
Johan 



RE: Error when trying shmcb SSLSessionCache on 64-bit Windows

2008-09-01 Thread Johan Hoogenboezem
Hi Martin
1) I'm still reluctant to use an unofficial build, but it's good to know
others are using it.
2) Wow, well spotted with your "(x86)" theory! It also failed with a
relative path: logs/ssl_scache(512000), but depending on how the relative
path is being translated to an absolute path behind the scenes, you might
still be right... I'll try it out as soon as I can and let you know.
Thanks a lot
Johan

-Original Message-
From: Martin Dickau [mailto:[EMAIL PROTECTED] 
Sent: 01 September 2008 12:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Error when trying shmcb SSLSessionCache on 64-bit Windows

I am using an unofficial 2.2.9 native on Windows Server 2003 64-bit 
(AMD64/EM64T) from http://www.blackdot.be/?inc=apache/binaries and am using 
shmcb without any trouble.  You do need to install the VC++ 2005 64-bit 
redistributable runtime.  I am also using the mod_jk build from that site, 
but I could not get the mod_log_rotate to run without crashing and had to 
build that one myself.

That said, the "invalid size" error and the fact that size is passed in 
parentheses as "(512000)" makes me wonder if it is reading the "(x86)" from 
the path as the size.  Have you tried using C:/PROGRA~1/ (or PROGRA~2 --  
whichever it is on your system) instead?

Regards,

Martin



Re: Cannot load libssl.so into server: ld.so.1: httpd: fatal: relocation error:

2008-08-21 Thread Xian Xian
You did not configure your Apache with mod_ssl when you set it up. You need
to rebuild your Apache.

On Thu, Aug 21, 2008 at 1:02 AM, Linda Lee <[EMAIL PROTECTED]> wrote:

> Hi all
>
> *I am using apache 1.3.41 with mod_ssl 2.8.31.  I kept getting the below
> error:
>
> Starting httpd: httpd Syntax error on line 249 of
> /export/home/httpd/conf/httpd.conf:
> Cannot load /export/home/httpd/libexec/libssl.so into server: ld.so.1:
> httpd: fatal: relocation error: file /export/home/httpd/libexec/libssl.so:
> symbol inflateEnd: referenced symbol not found
> FAILED
>
> *In my httpd.conf, line 249 is:
> LoadModule ssl_module libexec/libssl.so
>
> *libssl.so's location is correct.  It is in /export/home/httpd/libexec/.
>
> Thanks for your help
>
>


Re: redirect port

2008-07-17 Thread Tim Hester

A few more hours of investigation revealed the solution:

RewriteCond %{HTTP_HOST}   ^www.mydomain.com:8080 [NC]
RewriteRule ^/(.*) https://www.mydomain.com/$1 [L,R=301]

Sorry about the HTML mail earlier.

Tim

- Original Message - 
From: Tim Hester

To: modssl-users@modssl.org
Sent: Thursday, July 17, 2008 10:38 AM
Subject: redirect port


I have been using Apache/2.2.3 and Tomcat 5.5 as standalone servers. I'm
adding ssl with mod_jk and mod_proxy_ajp to access tomcat via ssl.

I access my static content and cgi via http://www.mydomain.com/ and use
mod_rewrite in .htaccess to redirect to https. This works fine as desired.

I can access my webapp via http://www.mydomain.com:8080/MyWebApp, and this
is the url users have book marked. This continues to work. I can also access
https://www.mydomain.com/MyWebApp.

What I'd like to do is force a redirect from
http://www.mydomain.com:8080/MyWebApp to https://www.mydomain.com/MyWebApp

Note: Tomcat is not under the Apache webroot.

Any assistance appreciated.

Thanks

Tim 




Re: wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!

2008-07-14 Thread Robert Uzgalis

One small comment.  I have tried for years to get off this mailing list.
I have sent my request and it has always been effective, for say a month
or so, then I get put back on the mailing list.  And it keeps coming.  My
solution was to add it to my spam filter.  It doesn't bother me that way
and occasionally I drop in to see what the latest complaint is.

In this case I couldn't agree with the message more.  Perhaps the tone
is not quite right.  Somebody ought to fix mailing-list software so that
once you are off you are really gone.  It is true that [EMAIL PROTECTED]
ought to ask to be taken off the list; but it won't help much I'm afraid.


BUZ

[EMAIL PROTECTED] wrote:

Stop, stop sending me this BS; I have no idea who you are.
Stop!!!

-- Original message from Dave Paris <[EMAIL PROTECTED]>: --

> It seems like you might be confusing "shared infrastructure" with
> "single ip". As others have said, you need a distinct address for each
> SSL-enabled httpd or proxy, although they can reside on the same hardware.
>
> A good example of this is the typical configuration for larger server
> farms. You find multiple High Availability load balancers in the DMZ for
> both http and https using something like ha/keepalived for Linux. These
> proxy the incoming request back into private address space. The SSL
> proxies terminate the SSL connection and broker the request on behalf of
> the user and everything goes to the private address space in plain http.
> This allows each of the _real_ webservers to achieve better
> performance since the SSL overhead is not present.
>
> While you can use Apache as an SSL-terminating proxy, I find I get
> better performance, lower memory utilization and easier configuration
> using Pound ( http://www.apsis.ch/pound/ ). Using keepalived, I have
> multiple public IP addresses floating between several hosts and Pound
> binds https to those addresses.
>
> Hope that adds a bit of additional clarity,
> Dave
>
> Cuesta Gilles sent forth:
> > So what about this ?
> > "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
> >
> > This type of certificate (also called /Subject Alternative Name/ (SAN) )
> > enables to secure not only one website but a large number of sites (a
> > list of sites) hosted on a shared infrastructure (server with multiple
> > names, reverse proxy). Ideal to secure multiple brands of a corporation.
> > One certificate per hardware is required."
> >
> > http://www.tbs-certificats.com/index.html.en
> >





Re: wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!

2008-07-14 Thread erika20






THANK'S 
-- Original message from "Shahadat Hossain" <[EMAIL PROTECTED]>: -- 
You know what, you are a f***en idiot.
If you do not want to receive these emails, just get your name taken off the list instead of b-shitting. 
 
Send an email to [EMAIL PROTECTED] address (you can also find it at the bottom of this message) with the subject 'Remove me'.
 
OK?






Re: wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!

2008-07-14 Thread Shahadat Hossain
You know what, you are a f***en idiot.
If you do not want to receive these emails, just get your name taken off
the list instead of b-shitting.

Send an email to the [EMAIL PROTECTED] address (you can also find it at the
bottom of this message) with the subject 'Remove me'.

Ok?

On Mon, Jul 14, 2008 at 7:10 PM, <[EMAIL PROTECTED]> wrote:

>  stop stop  sending me
> this bs , i have no idea  who are you 
> stop !!!
>
> -- Original message from Dave Paris <[EMAIL PROTECTED]>:
> --
>
>
> > It seems like you might be confusing "shared infrastructure" with
> > "single ip". As others have said, you need a distinct address for each
> > SSL-enabled httpd or proxy, although they can reside on the same
> > hardware.
> >
> > A good example of this is the typical configuration for larger server
> > farms. You find multiple High Availability load balancers in the DMZ for
> > both http and https using something like ha/keepalived for linux. These
> > proxy the incoming request back into private address space. The SSL
> > proxies terminate the SSL connection and broker the request on behalf of
> > the user and everything goes to the private address space in plain http.
> > This allows each of the _real_ webservers to achieve better
> > performance since the SSL overhead is not present.
> >
> > While you can use Apache as an SSL-terminating proxy, I find I get
> > better performance, lower memory utilization and easier configuration
> > using Pound ( http://www.apsis.ch/pound/ ). Using keepalived, I have
> > multiple public IP addresses floating between several hosts and pound
> > binds https to those addresses.
> >
> > Hope that adds a bit of additional clarity,
> > Dave
> >
> > Cuesta Gilles sent forth:
> > > So what about this ?
> > > "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
> > >
> > > This type of certificate (also called /Subject Alternative Name/ (SAN) )
> > > enables to secure not only one website but a large number of sites (a
> > > list of sites) hosted on a shared infrastructure (server with multiple
> > > names, reverse proxy). Ideal to secure multiple brands of a
> > > corporation.
> > > One certificate per hardware is required."
> > >
> > > http://www.tbs-certificats.com/index.html.en
> > >
> > __
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List modssl-users@modssl.org
> > Automated List Manager [EMAIL PROTECTED]
>
>


Re: Apache removal of user's access rights

2008-07-12 Thread Gilles Cuesta (Gmail)

Michael Ströder wrote:

> Beth E. Okun wrote:
>
> > We're running Apache with ssl enabled..We're using Basic
> > authentication, and if the user browses away from our site and then
> > comes back, they are not forced to log on again...it appears that
> > these settings are being stored somewhere, or that the connection is
> > not being closed..
>
> How about reading about how Basic Authentication works? Or maybe watch
> the traffic with http://livehttpheaders.mozdev.org? Basically the
> browser caches the username/password once entered for an HTTP authc realm
> and sends it in the header of every HTTP request. That's the problem
> with HTTP basic authc.

This is Apache related, not modssl related.

Whereas there are technical ways to reproduce an end of session, using a
secondary session_id, just like phpmyadmin.

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  modssl-users@modssl.org
Automated List Manager[EMAIL PROTECTED]


Re: Apache removal of user's access rights

2008-07-11 Thread Michael Ströder

Beth E. Okun wrote:

> We're running Apache with ssl enabled..We're using Basic
> authentication, and if the user browses away from our site and then
> comes back, they are not forced to log on again...it appears that
> these settings are being stored somewhere, or that the connection is not
> being closed..

How about reading about how Basic Authentication works? Or maybe watch
the traffic with http://livehttpheaders.mozdev.org? Basically the
browser caches the username/password once entered for an HTTP authc realm and
sends it in the header of every HTTP request. That's the problem with
HTTP basic authc.


Ciao, Michael.


Re: SSL proxy

2008-07-11 Thread Dave Paris
It seems like you might be confusing "shared infrastructure" with
"single ip".  As others have said, you need a distinct address for each
SSL-enabled httpd or proxy, although they can reside on the same hardware.


A good example of this is the typical configuration for larger server
farms. You find multiple High Availability load balancers in the DMZ for
both http and https using something like ha/keepalived for linux.  These
proxy the incoming request back into private address space.  The SSL
proxies terminate the SSL connection and broker the request on behalf of
the user and everything goes to the private address space in plain http.
This allows each of the _real_ webservers to achieve better
performance since the SSL overhead is not present.


While you can use Apache as an SSL-terminating proxy, I find I get 
better performance, lower memory utilization and easier configuration 
using Pound ( http://www.apsis.ch/pound/ ). Using keepalived, I have 
multiple public IP addresses floating between several hosts and pound 
binds https to those addresses.


Hope that adds a bit of additional clarity,
Dave

Cuesta Gilles sent forth:

> So what about this ?
> "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
>
> This type of certificate (also called /Subject Alternative Name/ (SAN) )
> enables to secure not only one website but a large number of sites (a
> list of sites) hosted on a shared infrastructure (server with multiple
> names, reverse proxy). Ideal to secure multiple brands of a corporation.
> One certificate per hardware is required."
>
> http://www.tbs-certificats.com/index.html.en



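As an added illustration of the architecture Dave describes above (example configuration written for this page, not Dave's, Eckard's or the mod_ssl project's own), here is an Apache 2.2-style front end that terminates SSL for two names, each on its own public address, and hands the decrypted request to a backend in private address space over plain HTTP. The addresses 192.0.2.10, 192.0.2.11, 10.0.0.20 and 10.0.0.21, the host names and the certificate paths are all constructed for the example. The thread predates the SNI extension (available in mod_ssl from httpd 2.2.12 with OpenSSL 0.9.8j or newer), which is why one address per certificate is the rule followed here.

```apache
# Example configuration written for this page; every address, name and path
# below is constructed, not taken from the thread.
# One listening address per certificate, as the thread requires for servers
# that do not use SNI: the handshake completes before any Host header is seen.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

# Never act as a forward proxy; this host only reverse-proxies its own backends.
ProxyRequests Off

<VirtualHost 192.0.2.10:443>
    ServerName www.vhost1.example
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/vhost1.example.crt
    SSLCertificateKeyFile /etc/apache2/ssl/vhost1.example.key

    # Keep the client's Host header so the backend selects its own vhost, and
    # tell it the original scheme so it builds https:// links and redirects
    # (the backend-application caveat Eckard raises in his mod_rewrite reply).
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    # Plain HTTP into the private network; the SSL cost stays on this proxy.
    ProxyPass        / http://10.0.0.20/
    ProxyPassReverse / http://10.0.0.20/
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName www.vhost2.example
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/vhost2.example.crt
    SSLCertificateKeyFile /etc/apache2/ssl/vhost2.example.key
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://10.0.0.21/
    ProxyPassReverse / http://10.0.0.21/
</VirtualHost>
```

This needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded. Two points a reviewer would check before deploying it: the proxy-to-backend hop carries session cookies and any Basic-auth credentials in clear, so the private segment must be one that is not reachable or observable from outside the DMZ (the layout Dave describes), and each backend should accept HTTP only from the proxy addresses, so that nobody can bypass the SSL terminator and talk to the backend directly.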

Re: SSL proxy

2008-07-11 Thread Eckard Wille

Eckard Wille wrote:

> Cuesta Gilles wrote:
>
> > "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
> >
> > This type of certificate (also called /Subject Alternative Name/ (SAN)
> > ) enables to secure not only one website but a large number of sites
> > (a list of sites) hosted on a shared infrastructure (server with
> > multiple names, reverse proxy). Ideal to secure multiple brands of a
> > corporation. One certificate per hardware is required."
>
> This only means that one host can have several names by configuring
> ServerName and ServerAlias, but does not enable virtual hosting.


Hi Cuesta,

with some tricks you could achieve your goal by using the preconditions
of mod_rewrite rules. If your ssl proxy has one single host entry with
such a multi-named cert, it may be possible to rewrite via proxy after
a look at the host header:


  RewriteEngine on
  # [P] hands the substitution to mod_proxy, so it must be an absolute URL
  # with a scheme; the Host match is anchored so only the exact name matches.
  RewriteCond %{HTTP_HOST} ^www\.vhost1\.com$ [NC]
  RewriteRule ^/(.*) http://www.internal.http.vhost1.com/$1 [P]

  RewriteCond %{HTTP_HOST} ^www\.vhost2\.com$ [NC]
  RewriteRule ^/(.*) http://www.internal.http.vhost2.com/$1 [P]

Whether this works for you also depends on the backend webapps, for example
on whether they are capable of running behind a reverse proxy with a different
http scheme (HTTP<->HTTPS, servername references in html, internal
redirects...).


Good luck

Eckard


Re: SSL proxy

2008-07-11 Thread Eckard Wille

Cuesta Gilles wrote:

> "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
>
> This type of certificate (also called /Subject Alternative Name/ (SAN) )
> enables to secure not only one website but a large number of sites (a
> list of sites) hosted on a shared infrastructure (server with multiple
> names, reverse proxy). Ideal to secure multiple brands of a corporation.
> One certificate per hardware is required."

This only means that one host can have several names by configuring
ServerName and ServerAlias, but does not enable virtual hosting.


Eckard


Re: SSL proxy

2008-07-11 Thread Cuesta Gilles

Eckard Wille wrote:

> Cuesta Gilles wrote:
>
> > I thought that using wildcard or multi-cn certificates would work?
>
> No.
>
> > In this case, only one certificate is needed for a range of Vhosts
>
> If you only have one ip this won't make things better because virtual
> hosting is still not possible. Wildcard certs do not enable vHosting
> because the ssl handshake still takes place before the http host
> header can be evaluated. They were offered by CAs to make it easier
> for admins so they wouldn't have to fiddle around with dozens of certs
> and their validity management in a masshosting environment or for
> subdomains.




So what about this ?
"*MULTIPLE CN (SAN) SERVER CERTIFICATES*

This type of certificate (also called /Subject Alternative Name/ (SAN) ) 
enables to secure not only one website but a large number of sites (a 
list of sites) hosted on a shared infrastructure (server with multiple 
names, reverse proxy). Ideal to secure multiple brands of a corporation. 
One certificate per hardware is required."


http://www.tbs-certificats.com/index.html.en

--
Gilles CUESTA - Logiciels Libres
69139920






Re: SSL proxy

2008-07-11 Thread Eckard Wille

Cuesta Gilles wrote:

> I thought that using wildcard or multi-cn certificates would work?

No.

> In this case, only one certificate is needed for a range of Vhosts

If you only have one ip this won't make things better because virtual
hosting is still not possible. Wildcard certs do not enable vHosting
because the ssl handshake still takes place before the http host
header can be evaluated. They were offered by CAs to make it easier
for admins so they wouldn't have to fiddle around with dozens of certs
and their validity management in a masshosting environment or for
subdomains.


Eckard


Re: SSL proxy

2008-07-11 Thread Cuesta Gilles

Eckard Wille wrote:

> [EMAIL PROTECTED] wrote:
>
> > I have several web servers currently that all have the same IP, but
> > different host names, and I have an apache that uses mod_proxy to direct
> > requests to the correct internal server to process the request.
> >
> > I would like to use my apache proxy server to provide SSL encryption and
> > decryption, and not have to have each individual server do that.
> >
> > Is that possible?
> >
> > I have worked with virtual host configuration, and I have tried to set up
> > the ssl stuff so that this will work, but so far I have not been successful.
> >
> > I have tried to search for this, but the closest I have come is proxy to an
> > ssl server.  I want to have the proxy server do the ssl stuff for me.
>
> Hi,
>
> you can not use SSL with virtual hosting, see
> http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
>
> You'll have to get a dedicated ip for every single ssl host. You could
> play around with one ssl proxy on your single ip with a common name
> and do some rewriting according to a url prefix matching the secure
> parts of your backend virtual hosts; decide yourself if this config
> work is worth it.

I thought that using wildcard or multi-cn certificates would work?
In this case, only one certificate is needed for a range of Vhosts

--
Gilles CUESTA - Logiciels Libres
69139920






Re: SSL proxy

2008-07-11 Thread Eckard Wille

[EMAIL PROTECTED] wrote:

> I have several web servers currently that all have the same IP, but
> different host names, and I have an apache that uses mod_proxy to direct
> requests to the correct internal server to process the request.
>
> I would like to use my apache proxy server to provide SSL encryption and
> decryption, and not have to have each individual server do that.
>
> Is that possible?
>
> I have worked with virtual host configuration, and I have tried to set up
> the ssl stuff so that this will work, but so far I have not been successful.
>
> I have tried to search for this, but the closest I have come is proxy to an
> ssl server.  I want to have the proxy server do the ssl stuff for me.

Hi,

you can not use SSL with virtual hosting, see
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

You'll have to get a dedicated ip for every single ssl host. You could
play around with one ssl proxy on your single ip with a common name
and do some rewriting according to a url prefix matching the secure
parts of your backend virtual hosts; decide yourself if this config
work is worth it.


Regards

Eckard


Re: SSL proxy

2008-07-11 Thread mdn teo
How is it possible? By definition SSL does not allow different host names on
the same IP:PORT.
Or is there something I'm missing?




> -- Forwarded message --
> From: Gilles Cuesta (Gmail) <[EMAIL PROTECTED]>
> Date: Thu, Jul 10, 2008 at 10:38 PM
> Subject: Re: SSL proxy
> To: modssl-users@modssl.org
>
>
> [EMAIL PROTECTED] wrote:
>
>> I have several web servers currently that all have the same IP, but
>> different host names, and I have an apache that uses mod_proxy to direct
>> requests to the correct internal server to process the request.
>>
>> I would like to use my apache proxy server to provide SSL encryption and
>> decryption, and not have to have each individual server do that.
>>
>> Is that possible?
>>
>>
> Apparently, understanding what you want to do, it's possible.
>
> It might depend on Apache / modssl versions
>
> One of the best ways is doing encrypted HTTPS between client and proxy and
> clear HTTP between proxy and real server.
> You can also do encrypted HTTPS between proxy and real server, just adding
> some Apache configuration
>
> .
>
>


Re: SSL proxy

2008-07-10 Thread Gilles Cuesta (Gmail)

[EMAIL PROTECTED] wrote:

> I have several web servers currently that all have the same IP, but
> different host names, and I have an apache that uses mod_proxy to direct
> requests to the correct internal server to process the request.
>
> I would like to use my apache proxy server to provide SSL encryption and
> decryption, and not have to have each individual server do that.
>
> Is that possible?

Apparently, understanding what you want to do, it's possible.

It might depend on Apache / modssl versions

One of the best ways is doing encrypted HTTPS between client and proxy
and clear HTTP between proxy and real server.
You can also do encrypted HTTPS between proxy and real server, just
adding some Apache configuration

.


Re: SSLVerifyClient applies to parent directory

2008-06-27 Thread Florian Hackenberger
On Friday 27 June 2008, Florian Hackenberger wrote:
> I have another question: Has anyone successfully established a
> connection to an apache/mod_ssl server with client authentication
> using a java client? My client (code below) generates the following
> log (exception at the end) upon execution:

Sorry, please scrap my posting. I made an embarrassing mistake: Instead 
of exporting the client certificate including the public/private 
keypair from the browser and importing that into the keystore, I 
imported the certificate only, without the public/private keypair...

Thanks for your help once again!
Florian

-- 
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at


Re: SSLVerifyClient applies to parent directory

2008-06-27 Thread Florian Hackenberger
On Friday 27 June 2008, Joe Orton wrote:
> Yup.  Changing the "SSLVerifyClient require" to:
> SSLVerifyClient optional
> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

Thanks a lot! The workaround worked ;-). Please consider this issue 
solved.

I have another question: Has anyone successfully established a 
connection to an apache/mod_ssl server with client authentication using 
a java client? My client (code below) generates the following log 
(exception at the end) upon execution:

*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 157
SESSION KEYGEN:
PreMaster Secret:
: 03 01 71 CC D3 DC AF 35   A3 A2 70 1C E5 9A 06 00  ..q5..p.
0010: 1F 8B 18 05 6E 55 69 4E   44 18 D2 E5 0A 57 FB D4  nUiNDW..
0020: 71 62 17 14 57 2A FE 8F   4D 5A CF 7A 82 09 31 8C  qb..W*..MZ.z..1.
CONNECTION KEYGEN:
Client Nonce:
: 48 64 A7 92 45 15 E8 74   E3 75 A7 BD F7 E3 B8 82  Hd..E..t.u..
0010: 94 D4 1E 75 ED 3D D3 41   0E 5F BA 12 ED 47 E6 B1  ...u.=.A._...G..
Server Nonce:
: 48 64 A7 92 B5 6D 56 62   6D E3 7B 67 C7 08 78 13  Hd...mVbm..g..x.
0010: 45 47 5A 93 18 62 D4 E5   75 25 A1 65 F8 DD 85 86  EGZ..b..u%.e
Master Secret:
: 0C 65 EA 1D A6 E6 FC 3C   AD AA 34 04 C6 82 81 50  .e.<..4P
0010: 07 78 38 FC B6 04 77 3E   7E 90 BC 24 A9 D3 B1 86  .x8...w>...$
0020: F9 99 26 1A FD 08 9A C3   E0 32 43 D0 A1 59 21 5C  ..&..2C..Y!\
Client MAC write Secret:
: D0 7D F1 90 58 AF 0B 43   F7 02 39 0C 0C B2 87 C3  X..C..9.
Server MAC write Secret:
: 5C AD 45 74 3D 58 96 FB   41 37 72 99 12 D5 BD 3A  \.Et=X..A7r:
Client write key:
: 38 AE 1A 7E 63 26 C7 7F   9D E2 74 9E D2 12 55 C9  8...c&t...U.
Server write key:
: 7E 57 BF 54 A7 74 D8 72   72 AC 18 B8 5F 2D F6 06  .W.T.t.rr..._-..
... no IV used for this cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 17
*** Finished
verify_data:  { 150, 113, 105, 3, 36, 96, 160, 52, 133, 8, 145, 137 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, waiting for close_notify or alert: state 3
main, READ: TLSv1 Alert, length = 18
main, RECV TLSv1 ALERT:  fatal, handshake_failure
%% Invalidated:  [Session-3, SSL_RSA_WITH_RC4_128_MD5]
main, called closeSocket()
main, Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1657)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:932)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1435)
    at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
    at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:612)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:808)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:734)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:197)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:746)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
    at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
    at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:687)
    at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:632)
    at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:652)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1000)
    at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getInputStream(HttpsURLConnectionOldImpl.java:204)
    at java.net.URL.openStream(URL.java:1009)
    at URLClient.main(URLClient.java:17)


The server logs the following error:
[error] Re-negotiation handshake failed: Not accepted by client!?

Has someone experience with java client verification 

Re: SSLVerifyClient applies to parent directory

2008-06-27 Thread Joe Orton
On Fri, Jun 27, 2008 at 08:40:43AM +0200, Florian Hackenberger wrote:
> On Thursday 26 June 2008, Florian Hackenberger wrote:
> > On Thursday 26 June 2008, Joe Orton wrote:
> > It denies access for what type of request, a directory listing?
> Ok, I think I understood the intention of your question. Accessing a
> specific file works, but getting the directory listing fails. Would
> that be a result of apache trying to access the protected directory in
> order to read attributes for the listing, causing the certificate
> verification to kick in?

Yup.  Changing the "SSLVerifyClient require" to:

SSLVerifyClient optional
SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

might work around it; you'll still get a client cert request for the 
subrequest, but it should end in a 403 rather than terminating the SSL 
connection.  (That will cause the protected directory to disappear from 
the directory listing, unless you use "IndexOptions ShowForbidden")

Test this carefully though!

joe
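To show Joe's workaround in a complete virtual host, and to fill in the container directives that were lost from Florian's original configuration further down in this thread (this is example configuration written for this page, not Joe's, Florian's or the mod_ssl project's; the server name, certificate and CA file names are assumed, while the DocumentRoot and the "directory" path come from Florian's layout): verification is requested at connection level with "optional", and the protected directory then enforces a verified certificate with SSLRequire rather than a per-directory "require", which is what forces the renegotiation on the directory-listing subrequest.

```apache
# Example configuration written for this page; server name, certificate,
# key and CA file names are constructed. DocumentRoot and the protected
# directory follow the layout Florian posted.
Listen 443
<VirtualHost _default_:443>
    ServerName www.example.test
    DocumentRoot "/usr/local/htdocs"

    SSLEngine On
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Request a client certificate on every connection but do not abort the
    # handshake when none is presented. SSL_CLIENT_VERIFY is then "SUCCESS",
    # "NONE" or "FAILED:..." and can be tested per directory without a
    # renegotiation. The CA file is what "SUCCESS" is measured against.
    SSLCACertificateFile /etc/apache2/ssl/client-ca.crt
    SSLVerifyClient optional
    SSLVerifyDepth 1

    <Directory "/usr/local/htdocs/directory">
        # Answer 403 unless the presented certificate verified against the
        # CA above. A per-directory "SSLVerifyClient require" would instead
        # renegotiate and, when a subrequest such as the parent's directory
        # listing reaches here without a certificate, tear down the SSL
        # connection, which is the failure Florian reported.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Directory>

    <Directory "/usr/local/htdocs">
        Options +Indexes
        # Without this the forbidden subdirectory is silently left out of
        # the parent listing, as Joe notes above.
        IndexOptions ShowForbidden
    </Directory>
</VirtualHost>
```

Two things to verify after loading this, in the spirit of Joe's "test this carefully": a browser with no client certificate must still get the parent listing and a 403 on /directory/, and a browser whose certificate does not chain to client-ca.crt must get a 403 as well rather than access. Note the trade-off: with "optional" at connection level the certificate prompt now appears for every connection to this virtual host, not only when the protected directory is entered.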




Re: SSLVerifyClient applies to parent directory

2008-06-27 Thread Florian Hackenberger
On Friday 27 June 2008, Cuesta Gilles wrote:
> For your issue, two questions:
> - is a VerifyDepth 1 enough for verification chaining ?
It is, however that is not relevant for the problem, because apache 
should not request a client certificate in the first place.

> - No default VerifyClient by default for VirtualHost
> Try adding:


I tried your suggestion, but it does not help unfortunately.

Cheers,
Florian

-- 
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at


Re: SSLVerifyClient applies to parent directory

2008-06-27 Thread Cuesta Gilles

Florian Hackenberger wrote:

> On Friday 27 June 2008, Cuesta Gilles wrote:
>
> > It's more an apache specific question; try setting
> > Options +Indexes
> > in your vhost, allowing directory listing.
>
> Thanks, but that is certainly not the problem, as apache creates a
> listing as soon as I remove 'SSLVerifyClient require'.
>
> Cheers,
> Florian

That seems to indicate that it's already activated.

For your issue, two questions:
- is a VerifyDepth of 1 enough for verification chaining?
- no default VerifyClient for the VirtualHost?
Try adding:

SSLVerifyClient none

or 



SSLVerifyClient none


Listen 443

   SSLEngine On
   SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
   DocumentRoot "/usr/local/htdocs"

SSLVerifyClient none


SSLVerifyClient require
SSLVerifyDepth 1



--
Chuck Norris understands Lassie and Flipper the dolphin. In fact, he is the one who
did the translations for every single episode!
Gilles CUESTA - Logiciels Libres
69139920






Re: SSLVerifyClient applies to parent directory

2008-06-27 Thread Florian Hackenberger
On Friday 27 June 2008, Cuesta Gilles wrote:
> It's more an apache specific question; try setting
> Options +Indexes
> in your vhost, allowing directory listing.
Thanks, but that is certainly not the problem, as apache creates a 
listing as soon as I remove 'SSLVerifyClient require'.

Cheers,
Florian

-- 
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at


Re: SSLVerifyClient applies to parent directory

2008-06-27 Thread Cuesta Gilles

Florian Hackenberger wrote:

> On Thursday 26 June 2008, Florian Hackenberger wrote:
>
> > On Thursday 26 June 2008, Joe Orton wrote:
> > It denies access for what type of request, a directory listing?
>
> Ok, I think I understood the intention of your question. Accessing a
> specific file works, but getting the directory listing fails. Would
> that be a result of apache trying to access the protected directory in
> order to read attributes for the listing, causing the certificate
> verification to kick in?

It's more an apache specific question; try setting
Options +Indexes
in your vhost, allowing directory listing.

--
Many men have searched the world over for Pandora's box; meanwhile
Chuck Norris was using it to store his shoes.
Gilles CUESTA - Logiciels Libres
69139920






Re: SSLVerifyClient applies to parent directory

2008-06-26 Thread Florian Hackenberger
On Thursday 26 June 2008, Florian Hackenberger wrote:
> On Thursday 26 June 2008, Joe Orton wrote:
> It denies access for what type of request, a directory listing?
Ok, I think I understood the intention of your question. Accessing a
specific file works, but getting the directory listing fails. Would
that be a result of apache trying to access the protected directory in
order to read attributes for the listing, causing the certificate
verification to kick in?

Cheers,
Florian

-- 
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at


Re: SSLVerifyClient applies to parent directory

2008-06-26 Thread Gilles Cuesta (Gmail)

Florian Hackenberger wrote:

> On Thursday 26 June 2008, Cuesta Gilles wrote:
>
> > Maybe try this:
> >
> > Listen 443
> >
> > SSLEngine On
> > SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
> > DocumentRoot "/usr/local/htdocs"
> >
> > SSLVerifyClient require
> > SSLVerifyDepth 1
>
> Unfortunately it leads to the same result, but thanks for the
> suggestion.

Regarding mod_ssl:
"In per-server context it applies to the client authentication process
used in the standard SSL handshake when a connection is established."
"In per-directory context it forces a SSL renegotiation with the
reconfigured client verification level after the HTTP request was read
but before the HTTP response is sent."


So maybe:

Listen 443

   SSLEngine On
   SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
   DocumentRoot "/usr/local/htdocs"


SSLVerifyClient require
SSLVerifyDepth 1





Re: SSLVerifyClient applies to parent directory

2008-06-26 Thread Florian Hackenberger
On Thursday 26 June 2008, Joe Orton wrote:
> It denies access for what type of request, a directory listing?
Yes


-- 
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at


Re: SSLVerifyClient applies to parent directory

2008-06-26 Thread Joe Orton
On Thu, Jun 26, 2008 at 05:55:45PM +0200, Florian Hackenberger wrote:
> 
> SSLVerifyClient require
> SSLVerifyDepth 1
> 
> 
> The problem is that apache denies access to:
> https://MYSERVER/directory

It denies access for what type of request, a directory listing?

joe


Re: SSLVerifyClient applies to parent directory

2008-06-26 Thread Florian Hackenberger
On Thursday 26 June 2008, Cuesta Gilles wrote:
> Maybe try this:
>
> Listen 443
> 
> SSLEngine On
> SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
> DocumentRoot "/usr/local/htdocs"
>
>   
>   SSLVerifyClient require
>   SSLVerifyDepth 1
>   
> 

Unfortunately it leads to the same result, but thanks for the 
suggestion.

Cheers,
Florian
-- 
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at


Re: SSLVerifyClient applies to parent directory

2008-06-26 Thread Cuesta Gilles

Florian Hackenberger wrote:

> Hi!
>
> First of all: Thanks for your great software, I've used it on several
> servers and it proved to be very useful.
>
> I have a little problem with the SSLVerifyClient directive on apache
> 2.2.9 with mod_ssl compiled from source on debian etch. I have the
> following directory layout:
>
> /usr/local/htdocs/directory/subdirectory
>
> and the following configuration options (besides the defaults) in
> httpd.conf:
>
> Listen 443
>
> SSLEngine On
> SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
> DocumentRoot "/usr/local/htdocs"
>
> SSLVerifyClient require
> SSLVerifyDepth 1


Maybe try this:

Listen 443

   SSLEngine On
   SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
   DocumentRoot "/usr/local/htdocs"


SSLVerifyClient require
SSLVerifyDepth 1



--
Chuck Norris was a CounterStrike champion before the Internet was invented.
Gilles CUESTA - Logiciels Libres
69139920






RE: Need to add/enable/install mod_ssl

2008-06-18 Thread Tan, Liao
Another piece of information: what I see in libexec/ is just "mod_jk.sl", and under
modules/, just the file httpd.exp.

Ingrid 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tan, Liao [CMB-IT]
Sent: Wednesday, June 18, 2008 5:34 PM
To: modssl-users@modssl.org
Subject: RE: Need to add/enable/install mod_ssl


Dave and All:

Ok, now I know I can try the directives in my apache.
Although the SSLRandomSeed directive indicates that I have mod_ssl
installed, I checked and the files mod_ssl.so and mod_ssl.c are not in the
paths indicated, not in libexec/, nor in module/.
How do I get those files?

Thank you.
Ingrid 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David P. Mott
Sent: Wednesday, June 18, 2008 5:22 PM
To: modssl-users@modssl.org
Subject: RE: Need to add/enable/install mod_ssl



I pulled that exact line from my win32 version of Apache 2.2.4.

Server Version: Apache/2.2.4 (Win32) mod_ssl/2.2.4 OpenSSL/0.9.8d 
mod_perl/2.0.3 Perl/v5.8.8
Server Built: Jan 9 2007 23:17:20

-Dave


On Wed, 18 Jun 2008, Tan, Liao wrote:

> David,
>
> that was what I thought earlier. But since I'm told this directive is
> for Apache 1.x, and not Apache 2.0 (which is mine), I wonder how the
> directive to include in httpd.conf differs. What I mean is that I think I have
> the mod_ssl installed, but not enabled yet, and to enable it, whether it's
> simply a matter of adding the directives to the httpd file, and the exact syntax for
> version 2.0.
>
> Still searching for the solution.
>
> Thanks
>
> Ingrid


RE: Need to add/enable/install mod_ssl

2008-06-18 Thread Tan, Liao
Dave and All:

Ok, now I know I can try the directives in my apache. 
Although the SSLRandomSeed directives indicate that I have mod_ssl
installed, I checked and the files mod_ssl.so and mod_ssl.c are not in the
paths indicated, neither in libexec/ nor in module/.
How do I get those files?

Thank you.
Ingrid 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David P. Mott
Sent: Wednesday, June 18, 2008 5:22 PM
To: modssl-users@modssl.org
Subject: RE: Need to add/enable/install mod_ssl



I pulled that exact line from my win32 version of Apache 2.2.4.

Server Version: Apache/2.2.4 (Win32) mod_ssl/2.2.4 OpenSSL/0.9.8d 
mod_perl/2.0.3 Perl/v5.8.8
Server Built: Jan 9 2007 23:17:20

-Dave


On Wed, 18 Jun 2008, Tan, Liao wrote:

> David,
>
> that was what I thought earlier. But since I'm told this directive is
> for Apache 1.x, and not Apache 2.0 (which is mine), I wonder how the
> directive to include in httpd.conf differs. What I mean is that I think I
> have mod_ssl installed, but not enabled yet, and to enable it, whether
> it's simply a matter of adding the directives in the httpd file, and the
> exact syntax for version 2.0.
>
> Still searching for the solution.
>
> Thanks
>
> Ingrid


RE: Need to add/enable/install mod_ssl

2008-06-18 Thread Tan, Liao
David,

 that was what I thought earlier. But since I'm told this directive is for
Apache 1.x, and not Apache 2.0 (which is mine), I wonder how the directive
to include in httpd.conf differs. What I mean is that I think I have
mod_ssl installed, but not enabled yet, and to enable it, whether it's simply
a matter of adding the directives in the httpd file, and the exact syntax for
version 2.0.
 Still searching for the solution.

Thanks

Ingrid 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David P. Mott
Sent: Wednesday, June 18, 2008 5:04 PM
To: modssl-users@modssl.org
Subject: RE: Need to add/enable/install mod_ssl



That doesn't sound right.

Don't you need a statement like this in your httpd.conf file?

   LoadModule ssl_module modules/mod_ssl.so

The statements that you mentioned will do stuff /only/ if the ssl module 
is loaded (that's what IfModule means -- If the Module is Present).

-Dave


On Wed, 18 Jun 2008, Tan, Liao wrote:

> All,
>
> I´m told that having the directives in httpd.conf
>
> 
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> 
>
> means that my apache is configured with mod_ssl (thanks to the guy that told 
> me so!)
>
> Now the question that has come up is: what do I do to get my https working? As I
> mentioned below, I already have all certificates and their directives
> configured.
>
> Thanks for your attention.
>
> Ingrid
>


RE: Need to add/enable/install mod_ssl

2008-06-18 Thread Tan, Liao
All,

 I´m told that having the directives in httpd.conf


SSLRandomSeed startup builtin
SSLRandomSeed connect builtin


means that my apache is configured with mod_ssl (thanks to the guy that told me 
so!)

Now the question that has come up is: what do I do to get my https working? As I
mentioned below, I already have all certificates and their directives configured.

Thanks for your attention.

Ingrid 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tan, Liao [CMB-IT]
Sent: Wednesday, June 18, 2008 12:30 PM
To: modssl-users@modssl.org
Subject: Need to add/enable/install mod_ssl


Hi, experts:

>> Here is the environment configuration:
>> Web server: Apache/2.0.46 (Unix) mod_jk/1.2.4
>> Server: -HP-UX
>> Tomcat: 4.0

I have an Apache already installed (by another team, which doesn't know if
the mod_ssl module is there). The final purpose is to secure my current http
as https. I already have all certificates, with the directives in the conf
files, and still the https URL doesn't work yet.
I searched over all logs I could find, and didn't find any string "mod_ssl" :(.
So I guess I need to do something to enable or install it.

I saw in a link that I need to download the source from modssl.org, and other
installation procedures as well. But in my case I already have Apache
installed, and need only to add/enable/install the mod_ssl module. Ok,
now another question to be pointed out:
"Make sure any module for your Apache server is compiled with the
compiler-flag -DEAPI, or your Webserver might crash or can not be
started.
Almost all modules I know adds the -DEAPI flag by themself except mod_jserv
and mod_jk"

But my installed Apache has mod_jk (my configuration >> Apache/2.0.46 (Unix)
mod_jk/1.2.4). Should I suppose from this that in my case I don't have
DEAPI??? Not sure what to do now. How will I check if it has DEAPI?

I keep doing searches over the net, but in case any of you has some hint to
speed things up a little bit on my side, it'll be helpful.

I'm kind of disoriented with all this https business. This is the first time I
get into it. So, I ask for your detailed support.

Thank you!
Ingrid 



Re: Generic question on CRL use

2008-06-16 Thread Patrick Patterson
On June 16, 2008 12:46:56 pm Gilles Cuesta wrote:
> 2008/6/16 Michael Ströder <[EMAIL PROTECTED]>:
> > Gilles Cuesta wrote:
> >> So, at a time, we have 2 ClientCA with different key and different
> >> validity period, but same DN.
> >
> > This is bad practice. Try searching for "CA key roll-over".
>
> I found docs about it, but proprietary PKI, and couldn't know if this
> feature is implemented ...
>
Check the IETF PKIX mailing list. There is a thread there by Santosh Chokhani 
and Stefan Santesson that goes into this. Short answer is - you can do what 
you want, but it's REALLY tricky, and Michael is right - best practice is to 
version your CAs (so the current one is CA1, the next one is CA2, etc.).

> >> The problem is, when verifying client cert work with both ClientCA
> >> stacked; but when using CRL, old clients work only if CRL is signed by
> >> old ClientCA.
> >
> > Well, you asked for trouble...
> >
> > You could try to add the authorityKeyIdentifier extension to the CRL if
> > it's also present in the CA certs. This could work with some software.
>
> Here we are :D
>
Ummm I think you mean that you want to have, in the CRL DP in the client 
certificate, the crlIssuer field of the CRL DP - problem is that 90% of the 
software out there (Apache included) won't deal with it.

BTW: To handle the case that you are trying to do, there was a patch sent in 
by  Erwann ABALEA from Keynectis to the OpenSSL Users mailing list in 
January/February this year, IIRC. Perhaps you could try that - you'd have to 
do some fairly exotic things to mod_ssl, mind you to get it to work :)

I'm with Michael - stop using the same name each time. Version your CAs.

Have fun.

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca


Re: Generic question on CRL use

2008-06-16 Thread Michael Ströder

Gilles Cuesta wrote:

2008/6/16 Michael Ströder <[EMAIL PROTECTED]>:

Gilles Cuesta wrote:

So, at a time, we have 2 ClientCA with different key and different
validity period, but same DN.

This is bad practice. Try searching for "CA key roll-over".


I found docs about it, but proprietary PKI, and couldn't know if this
feature is implemented ...


It's not a "feature"! Pretty sure there are docs out there describing 
best practices when conducting a CA key roll-over. One of the best 
practices is to change the subject DN of the CA entity cert.



You could try to add the authorityKeyIdentifier extension to the CRL if it's
also present in the CA certs. This could work with some software.

  X509v3 Authority Key Identifier:
   keyid:56:4D:A9...

But it doesn't work asis, issuing "signature verification error" in
apache error logs ...


Glad you learned so soon that it's better to rework your renewed sub-CA
cert. ;-)


Ciao, Michael.


Re: Generic question on CRL use

2008-06-16 Thread Gilles Cuesta
2008/6/16 Michael Ströder <[EMAIL PROTECTED]>:
> Gilles Cuesta wrote:
>>
>> So, at a time, we have 2 ClientCA with different key and different
>> validity period, but same DN.
>
> This is bad practice. Try searching for "CA key roll-over".

I found docs about it, but proprietary PKI, and couldn't know if this
feature is implemented ...

>
>> The problem is, when verifying client cert work with both ClientCA
>> stacked; but when using CRL, old clients work only if CRL is signed by
>> old ClientCA.
>
> Well, you asked for trouble...
>
> You could try to add the authorityKeyIdentifier extension to the CRL if it's
> also present in the CA certs. This could work with some software.
>

Here we are :D

apache.crl
Certificate Revocation List (CRL):
Version 2 (0x1)
...
X509v3 Authority Key Identifier:
keyid:B8:85:B4...

apache-caclient.cer
Certificate:
...
Validity
Not Before: Feb 29 12:23:38 2007 GMT
Not After : Feb 29 12:23:58 2011 GMT
...
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
...
X509v3 Subject Key Identifier:
B8:85:B4...
X509v3 Authority Key Identifier:
keyid:56:4D:A9...

apache-caclient-old.cer
Certificate:
...
Validity
Not Before: May 18 14:35:12 2005 GMT
Not After : May 18 14:35:12 2009 GMT
...
   X509v3 extensions:
   X509v3 Key Usage: critical
   Certificate Sign, CRL Sign
...
   X509v3 Subject Key Identifier:
   87:1D:FC...
  X509v3 Authority Key Identifier:
   keyid:56:4D:A9...

But it doesn't work asis, issuing "signature verification error" in
apache error logs ...

Is there something to be modified in Apache/Modssl conf ?

Thank you


Re: Generic question on CRL use

2008-06-16 Thread Michael Ströder

Gilles Cuesta wrote:

So, at a time, we have 2 ClientCA with different key and different
validity period, but same DN.


This is bad practice. Try searching for "CA key roll-over".


The problem is, when verifying client cert work with both ClientCA
stacked; but when using CRL, old clients work only if CRL is signed by
old ClientCA.


Well, you asked for trouble...

You could try to add the authorityKeyIdentifier extension to the CRL if 
it's also present in the CA certs. This could work with some software.


But my strong recommendation: Fix your 2nd ClientCA cert.

Ciao, Michael.


Re: LimitRequestBody 0

2008-06-06 Thread Joe Orton
On Thu, Jun 05, 2008 at 10:47:25AM -0600, Keith Hellman wrote:
> This sounds a lot like 
>   https://issues.apache.org/bugzilla/show_bug.cgi?id=42625
>   https://issues.apache.org/bugzilla/show_bug.cgi?id=12355
> 
> But I think it is different.  I'm using certificates for authentication
> to all of my pages:
> 
> 
>   # applied to _all_ URLs
>   SSLRequireSSL
> 
>   SSLVerifyClient  require

You should put all this inside the VirtualHost config for the SSL 
vhost(s) in question.  That way you avoid having to do a per-location 
renegotiation and the request body buffering which is necessary in that 
case.

joe


Re: LimitRequestBody 0

2008-06-05 Thread Keith Hellman
Oh yeah, I forgot to mention: everything works AOK if I try using http
instead (hence, I'm posting on the modssl list).
-- 
Keith Hellman #include 
[EMAIL PROTECTED]from disclaimer import standard
[EMAIL PROTECTED]
   -*-
public key @ pgp.mit.edu 9FCF40FD 
Y!M: mcprogramming   AIM/ICQ: 485403897   
 gtalk: [EMAIL PROTECTED]  
   -*-

"We will perhaps eventually be writing only small modules which are identified
by name as they are used to build larger ones, so that devices like
indentation, rather than delimiters, might become feasible for expressing local
structure in the source language."

-- Donald E. Knuth, "Structured Programming with goto Statements", Computing
Surveys, Vol 6 No 4, Dec. 1974




Re: Extracting SSL_CLIENT_S_DN_UID does not work

2008-05-31 Thread Michael Ströder

Michael Ströder wrote:

Joe Orton wrote:

On Fri, May 23, 2008 at 05:23:34PM +0200, Michael Ströder wrote:
Ok, then the OID in my cert is 0.9.2342.19200300.100.1.1 (attribute 
type 'uid' specified for pilotPerson). That seems right to me since 
it's compliant with RFC 4514 which contains a table of short and long 
attribute type names and their OIDs (end of chapter 3).


But now I don't understand the #ifdef-statement mentioned above. From 
my understanding it MUST NOT reference NID_x500UniqueIdentifier. It 
MUST reference NID_userId. To me that looks clearly like a bug in 
mod_ssl.


Changing it would break backwards-compat which is why the #ifdef is 
there (so that the _UID variable refers to the same OID regardless of 
what OpenSSL version is used).


1. I seriously doubt that there are any certs out there which use 
x500UniqueIdentifier in the subject-DN. If yes, then these certs are 
also seriously broken.


2. It's simply broken that attribute type UID in mod_ssl differs from 
OpenSSL here.


Please take note of this Apache issue and consider the patch attached:

https://issues.apache.org/bugzilla/show_bug.cgi?id=45107

Ciao, Michael.


Re: Extracting SSL_CLIENT_S_DN_UID does not work

2008-05-27 Thread erika20






DON'T SEND ME THIS CRAP THANKS

-- Original message from Michael Ströder <[EMAIL PROTECTED]>: --
> Joe,
>
> many thanks for your response.
>
> Joe Orton wrote:
> > On Mon, May 19, 2008 at 10:13:45AM +0200, Michael Ströder wrote:
> >>
> >> Maybe I'm overlooking the obvious but it seems that env var
> >> SSL_CLIENT_S_DN_UID is not set when using a client cert for authentication.
> >>
> >> The following env vars displayed in my SSI HTML text are relevant here
> >> (obfuscated to protect privacy):
> >>
> >> SSL_CLIENT_S_DN: /O=Company Name/OU=Authc/UID=userid/CN=Full name
> >> SSL_CLIENT_S_DN_UID: (none)
> >>
> >> Is it caused by UID not being the leaf RDN?
> >
> > That shouldn't make any difference.
>
> Ok, fine.
>
> > What versions of OpenSSL and httpd/mod_ssl are you using?
>
> Actually pre-built RPMs shipped with openSUSE 10.3:
>
> # rpm -q openssl apache2
> openssl-0.9.8e-45.5
> apache2-2.2.4-70.4
>
> Not sure whether these RPMs are based on sources patched by openSUSE.
>
> > The "UID" DN tag is ambiguous and probably
> > maps to something other than what your subject DN uses.
> >
> > In the current 2.x mod_ssl sources, UID maps to:
> >
> > #ifdef NID_x500UniqueIdentifier /* new name as of Openssl 0.9.7 */
> > { "UID", NID_x500UniqueIdentifier },
> > #else /* old name, OpenSSL < 0.9.7 */
> > { "UID", NID_uniqueIdentifier },
> > #endif
>
> Hmm, the user ID is already stored by mod_ssl with attribute name "UID"
> in env var SSL_CLIENT_S_DN. Given that it's OpenSSL 0.9.8 and that the
> attribute type seems to be interpreted as UID is it safe to assume that
> the cert contains the right OID?
>
> If NID_x500UniqueIdentifier maps to OID 2.5.4.45 it's plain wrong anyway...
>
> Ciao, Michael.






Re: SSL proxy issues

2008-05-27 Thread lwhelan
Hi, first time mailer but hoping for some good advice from experienced
users.

Basically I'm looking to implement a solution that will redirect SSL
requests coming into my apache server (listening on 443) and forward
them on to a backend server.
I have reverse proxying set up but I can't seem to get it to work for
https connections.

At the moment, using the current configuration below, an http connection
coming into the server on port 80 can be redirected to the https site
configured.

But when I click on a login button on that site I'm just getting a blank
screen in Firefox, with no errors showing in the logs?

Has anyone any ideas, because I've been looking into this for hours now?
 
Listen 8080

Listen 443

ServerName F00311.eircom.ie



SSLRandomSeed startup builtin

SSLRandomSeed connect builtin



SSLProxyEngine on

ProxyPass / https://www.365online.com/

ProxyPassReverse / https://www.365online.com/

 

SSLSessionCache "shmcb:d:/Apache2.2/logs/ssl_scache(512000)"

SSLSessionCacheTimeout 300



SSLEngine On

SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateKeyFile "D:\Apache2.2\conf\security\ca.key"

SSLCertificateFile "D:\Apache2.2\conf\security\ca.crt"

ServerName F00311.eircom.ie

SSLProxyEngine on

ProxyPass / https://www.365online.com/

ProxyPassReverse / https://www.365online.com/

SSLProxyVerify none

SSLProxyProtocol all

SSLProxyCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL



 




Re: Extracting SSL_CLIENT_S_DN_UID does not work

2008-05-24 Thread Michael Ströder

Michael Ströder wrote:

Joe Orton wrote:

On Fri, May 23, 2008 at 05:23:34PM +0200, Michael Ströder wrote:
Ok, then the OID in my cert is 0.9.2342.19200300.100.1.1 (attribute 
type 'uid' specified for pilotPerson). That seems right to me since 
it's compliant with RFC 4514 which contains a table of short and long 
attribute type names and their OIDs (end of chapter 3).


But now I don't understand the #ifdef-statement mentioned above. From 
my understanding it MUST NOT reference NID_x500UniqueIdentifier. It 
MUST reference NID_userId. To me that looks clearly like a bug in 
mod_ssl.


Changing it would break backwards-compat which is why the #ifdef is 
there (so that the _UID variable refers to the same OID regardless of 
what OpenSSL version is used).


To get around this: How about letting the deployer specify the OIDs in 
httpd.conf? Backwards-compatibility could be achieved with this.


Ciao, Michael.

