Re: Certs work, one doesn't, cannot determine why
On 11/1/2010 7:14 AM, Joe Orton wrote:
> On Tue, Oct 19, 2010 at 04:35:49PM -0400, Jeff Blaine wrote:
>> Works: SSL via my corporate cert, SSL via 3 other people's corporate certs
>> Fails: 1 person's cert so far, yet is logged as "SUCCESS" when logging SSL_CLIENT_VERIFY via CustomLog
>
> Your verbose description of "something goes is not working" is hard to follow or condense down. Are you saying with the below configuration, you are seeing the SSLRequire work for all the users but that with the jblaine cert?

I was originally seeing it work fine for everyone but 1 user (Simpson Mary B, below). Now it almost seems somewhat random in failure. People who used to succeed are now failing. I can get in fine (Blaine Charles J.). Granted, I am messing with all sorts of things trying to get it to work after all this time dead in the water.

> It could be an SSLRequire implementation bug but it is hard to tell. Is the order of the users within the SSLRequire list significant?

Ah, you mean if I reorder them, does the success/failure situation change as well? I don't know, I can try that.

> Why are you matching by the whole S_DN rather than based on e.g. S_DN_CN alone?

Why not? It seems like the more fully correct way to match for security. It's documented and supposedly legit/correct. The cert-extracted DN (reported in log) matches the configured DN in the ssl.conf file exactly.

I will try the httpd list. Thanks Joe.

Jeff

>> SetHandler perl-script
>> PerlResponseHandler RT::Mason
>> SSLVerifyClient require
>>
>> SSLRequire %{SSL_CLIENT_S_DN} in { \
>>     "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
>>     "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
>>     "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
>>     "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
>> }

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majord...@modssl.org
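One thing worth checking before suspecting an SSLRequire bug: the `in` operator compares the whole string exactly (a plain strcmp), so a DN that differs only in letter case is a different DN. In Jeff's original message further down this page, the CustomLog line for the failing user prints the subject as /O=our.org/OU=People/UID=mbs/CN=Simpson Mary B, while the SSLRequire list spells it OU=people; the working jblaine log line has OU=people on both sides. The script below is an added example (not code from the thread or from mod_ssl) that parses the mod_ssl-style slash-separated DN strings and reports where a logged DN differs from each configured entry. The DN values are the thread's own; the function names and the "closest entry" helper are mine.

```python
"""Compare the DN mod_ssl logged for a client against an SSLRequire DN list.

Added example, not code from the mailing-list thread or from mod_ssl. The DN
strings are the ones visible in the thread's CustomLog line and SSLRequire
block; the helper functions are this example's own.
"""

# Subject DNs as printed by mod_ssl in the thread's CustomLog output
LOGGED_WORKING = "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J."
LOGGED_FAILING = "/O=our.org/OU=People/UID=mbs/CN=Simpson Mary B"

# The SSLRequire %{SSL_CLIENT_S_DN} in { ... } list from the thread's ssl.conf
ALLOWED = [
    "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.",
    "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.",
    "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B",
    "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A.",
]


def parse_dn(dn):
    """Split a "/O=x/OU=y/CN=z" string into an ordered list of (attribute, value) pairs.

    The legacy OpenSSL one-line format separates RDNs with "/"; values in this
    thread contain no escaped slashes, so a plain split is sufficient here.
    """
    pairs = []
    for rdn in dn.split("/"):
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr, value))
    return pairs


def diff_dn(logged, configured):
    """Return human-readable differences between two DNs; an empty list means exact match."""
    a, b = parse_dn(logged), parse_dn(configured)
    diffs = []
    if len(a) != len(b):
        diffs.append(f"RDN count {len(a)} vs {len(b)}")
    for (ka, va), (kb, vb) in zip(a, b):
        if ka != kb:
            diffs.append(f"attribute {ka} vs {kb}")
        elif va != vb:
            # Flag case-only mismatches separately: they are invisible at a glance
            kind = "case only" if va.lower() == vb.lower() else "value"
            diffs.append(f"{ka}: {va!r} vs {vb!r} ({kind})")
    return diffs


def sslrequire_in(logged, allowed):
    """Mirror of what SSLRequire's 'in' does: exact string equality against each entry."""
    return any(logged == entry for entry in allowed)


def closest_entry(logged, allowed):
    """Return (entry, diffs) for the configured DN with the fewest differences."""
    return min(((e, diff_dn(logged, e)) for e in allowed), key=lambda t: len(t[1]))


if __name__ == "__main__":
    for dn in (LOGGED_WORKING, LOGGED_FAILING):
        print(dn, "->", "match" if sslrequire_in(dn, ALLOWED) else "NO MATCH")
        if not sslrequire_in(dn, ALLOWED):
            entry, diffs = closest_entry(dn, ALLOWED)
            print("  closest configured entry:", entry)
            for d in diffs:
                print("  difference:", d)
```

Run against the thread's values, the failing DN is reported as one case-only difference in the OU attribute from the third configured entry; the usual fix is to make the configured string match what the log prints byte for byte, or to match on a stable attribute such as SSL_CLIENT_S_DN_UID instead.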
Re: Certs work, one doesn't, cannot determine why
On Tue, Oct 19, 2010 at 04:35:49PM -0400, Jeff Blaine wrote:
> Works: SSL via my corporate cert, SSL via 3 other people's
> corporate certs
> Fails: 1 person's cert so far, yet is logged as "SUCCESS"
> when logging SSL_CLIENT_VERIFY via CustomLog

Your verbose description of "something goes is not working" is hard to follow or condense down. Are you saying with the below configuration, you are seeing the SSLRequire work for all the users but that with the jblaine cert?

It could be an SSLRequire implementation bug but it is hard to tell. Is the order of the users within the SSLRequire list significant?

Why are you matching by the whole S_DN rather than based on e.g. S_DN_CN alone?

You might be better off trying the httpd users' list:

http://httpd.apache.org/lists.html#http-users

Regards, Joe

> SetHandler perl-script
> PerlResponseHandler RT::Mason
> SSLVerifyClient require
>
> SSLRequire %{SSL_CLIENT_S_DN} in { \
>     "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
>     "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
>     "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
>     "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
> }
RE: Specifying the openssl version used with mod_ssl
Hello all,

Sorry for the delay. We found a workaround and quit looking into the below issue. Thanks to Peter for the static library suggestion and Lee for the same and for getting me back on the topic. We were able to get everything working how it should.

A note, we are compiling modssl into apache. We are not using it as a shared object. Here are the key config options for openssl and apache:

Openssl:
    ./configure --prefix=/usr/local/ssl --shared

Apache:
    ./configure --with-included-apr --enable-ssl --with-ssl=/usr/local/ssl

It is probably a good idea to run a sudo make clean for each installation. At least it was for us since we re-installed about 50 times.

Thanks again,
Gunner Geller

-----Original Message-----
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org] On Behalf Of Gregg L. Smith
Sent: Monday, September 13, 2010 12:48 PM
To: modssl-users@modssl.org
Subject: Re: Specifying the openssl version used with mod_ssl

Hello Gunner,

Have you tried --enable-ssl --with-ssl=/path/to/just/compiled/openssl ?

Regards,
Gregg

Gunner Geller wrote:
> Hello,
>
> We are using mac Leopard OS. We have rolled our own Apache (2.2.16) separate from the default install. We have also rolled our own OpenSSL to the latest version. However when we compile Apache and enable mod_ssl it still uses the old OpenSSL version. We can see it in our http headers:
>
>     Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l
>
> When typing "openssl version" from my account and the root account I get:
>
>     OpenSSL 1.0.0a 1 Jun 2010
>
> I've seen this in some apache configs:
>
>     --enable-ssl --with-ssl=/usr/local/ssl
>
> I've tried the above with no success. According to the output I get when configuring/making/installing apache it is finding openssl at the above directory. The problem is though that the http header stays the same.
>
> The problem is we can't upgrade the default openssl version on the OS without apple providing the update. The outdated version is tripping our security scans. Like I said we rolled our own updated version but cannot get apache/mod_ssl to use it. Any help is appreciated.
>
> Thanks,
>
> Gunner Geller
Re: Certs work, one doesn't, cannot determine why
Still trying to solve this, I stood up a separate brand-spanking-new Apache 2.2.17 from source with builtin SSL. I am using the same Apache SSL config as quoted below. I experience the following failure (further context is in my quoted message below):

...
[Tue Oct 19 16:20:42 2010] [info] Subsequent (No.2) HTTPS request received for child 4 (server rtdev1.our.org:999)
[Tue Oct 19 16:20:42 2010] [error] [client 1xx.xx.9.45] client denied by server configuration: /apps/rtsrv1dev/share/html/favicon.ico
[19/Oct/2010:16:20:42 -0400] 1xx.xx.9.45 on TLSv1 AES128-SHA 128 /O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J. SUCCESS 3 369E Blaine Charles J. - "GET /favicon.ico HTTP/1.1" 213
[Tue Oct 19 16:20:47 2010] [debug] ssl_engine_io.c(1900): OpenSSL: I/O error, 5 bytes expected to read on BIO#1c2e8170 [mem: 1c2f98b0]
[Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] (70007)The timeout specified has expired: SSL input filter read failed.
[Tue Oct 19 16:20:47 2010] [debug] ssl_engine_kernel.c(1884): OpenSSL: Write: SSL negotiation finished successfully
[Tue Oct 19 16:20:47 2010] [info] [client 1xx.xx.9.45] Connection closed to child 4 with standard shutdown (server rtdev1.our.org:999)

NOTE: "SUCCESS"
NOTE: "SSL negotiation finished successfully"
NOTE: /apps/rtsrv1dev/share/html and all files in it are world-readable (644)

Browser shows "Forbidden" (IE 8 and Chrome 6).

On 10/15/2010 5:49 PM, Jeff Blaine wrote:
> Hi folks. I'm *really* stumped here. If anyone has any ideas, I would love to hear them. How can I debug this further? I need more information than Apache + mod_ssl is giving me right now. All version information and configuration detail is after this next paragraph.
>
> Works: SSL via my corporate cert, SSL via 3 other people's corporate certs
> Fails: 1 person's cert so far, yet is logged as "SUCCESS" when logging SSL_CLIENT_VERIFY via CustomLog
>
> Example:
>
> [15/Oct/2010:09:53:38 -0400] 1xx.xx.160.92 on TLSv1 RC4-MD5 128 /O=our.org/OU=People/UID=mbs/CN=Simpson Mary B SUCCESS 3 452E Simpson Mary B - "GET /index.html HTTP/1.1" 295
> [Fri Oct 15 09:53:38 2010] [error] [client 1xx.xx.160.92] access to /apps/rtsrv1dev/share/html/index.html failed, reason: SSL requirement expression not fulfilled (see SSL logfile for more details)
>
> Config Specifics:
>
> OS: RHELv5
> Apache: 2.2.3
> mod_ssl: 2.2.3-43.el5
>
> ServerName rtdev1.our.org:443
> ErrorLog logs/ssl_error443_log
> TransferLog logs/ssl_access443_log
> LogLevel warn
> SSLEngine on
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!ADH:!EXPORT:SSLv3:RC4+RSA:+HIGH:+MEDIUM:+LOW
> SSLCertificateFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
> SSLCertificateKeyFile /apps/rtsrv1dev/PKI/rtdev1.key
> SSLCertificateChainFile /apps/rtsrv1dev/PKI/rtdev1-signed.cer
> SSLCACertificateFile /apps/rtsrv1dev/PKI/MITRE-cert-bundle.cer
> SSLVerifyClient require
> SSLVerifyDepth 2
> SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
> SSLOptions +StdEnvVars
> SSLOptions +StdEnvVars
> SetEnvIf User-Agent ".*MSIE.*" \
>     nokeepalive ssl-unclean-shutdown \
>     downgrade-1.0 force-response-1.0
> CustomLog logs/ssl_access443_log \
>     "%h - - %t \"%r\" %{HTTPS}x %{SSL_PROTOCOL}x"
> CustomLog logs/ssl_error443_log \
>     "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x %{SSL_CLIENT_M_VERSION}x %{SSL_CLIENT_M_SERIAL}x %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_S_DN_UID}x \"%r\" %b"
> DocumentRoot /apps/rtsrv1dev/share/html
> AddDefaultCharset UTF-8
> PerlRequire "/apps/rtsrv1dev/bin/webmux.pl"
> SetHandler default
> SetHandler perl-script
> PerlResponseHandler RT::Mason
> SSLVerifyClient require
> SSLRequire %{SSL_CLIENT_S_DN} in { \
>     "/O=our.org/OU=people/UID=jblaine/CN=Blaine Charles J.", \
>     "/O=our.org/OU=people/UID=mloveless/CN=Laveless Marc W.", \
>     "/O=our.org/OU=people/UID=mbs/CN=Simpson Mary B", \
>     "/O=our.org/OU=people/UID=bcietta/CN=Cietta Barbara A." \
> }
Re: Specifying the openssl version used with mod_ssl
Hello Gunner,

Have you tried --enable-ssl --with-ssl=/path/to/just/compiled/openssl ?

Regards,
Gregg

Gunner Geller wrote:
> Hello,
>
> We are using mac Leopard OS. We have rolled our own Apache (2.2.16) separate from the default install. We have also rolled our own OpenSSL to the latest version. However when we compile Apache and enable mod_ssl it still uses the old OpenSSL version. We can see it in our http headers:
>
>     Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.7l
>
> When typing "openssl version" from my account and the root account I get:
>
>     OpenSSL 1.0.0a 1 Jun 2010
>
> I've seen this in some apache configs:
>
>     --enable-ssl --with-ssl=/usr/local/ssl
>
> I've tried the above with no success. According to the output I get when configuring/making/installing apache it is finding openssl at the above directory. The problem is though that the http header stays the same.
>
> The problem is we can't upgrade the default openssl version on the OS without apple providing the update. The outdated version is tripping our security scans. Like I said we rolled our own updated version but cannot get apache/mod_ssl to use it. Any help is appreciated.
>
> Thanks,
>
> Gunner Geller
RE: OCSP-validation fails - Wrong cert passed to OCSP by Apache
Thanks,

Why didn't I check that? Well, I made it validate correctly by doing a very strange and not usable workaround. I believe something is broken. I followed your suggestion and posted a more complete entry to the us...@httpd.apache.org list. I will file a bug report if no one can point out any errors I have made.

/ulfW

-----Original Message-----
From: Joe Orton [mailto:jor...@redhat.com]
Sent: 17 August 2010 16:01
To: Ulf Wahlqvist
Cc: modssl-users@modssl.org
Subject: Re: OCSP-validation fails - Wrong cert passed to OCSP by Apache

On Tue, Aug 17, 2010 at 12:47:26PM +0200, Ulf Wahlqvist wrote:
> I still don't get it. I used Wireshark and found out that the
> certificate sent to the OCSP-responder is the CA-cert, not the
> client-cert to be validated! I am clueless.

The code tries to verify each cert in the client cert chain from issuing CA down to the end-entity client cert with the OCSP responder - this is expected behaviour.

The modssl-users@ was used for discussion of mod_ssl for Apache httpd 1.3. For discussion of OCSP in httpd 2.3 I'd recommend us...@httpd.apache.org - file bugs if you think the code is buggy.

http://issues.apache.org/bugzilla/

Regards, Joe
Re: OCSP-validation fails - Wrong cert passed to OCSP by Apache
On Tue, Aug 17, 2010 at 12:47:26PM +0200, Ulf Wahlqvist wrote:
> I still don't get it. I used Wireshark and found out that the
> certificate sent to the OCSP-responder is the CA-cert, not the
> client-cert to be validated! I am clueless.

The code tries to verify each cert in the client cert chain from issuing CA down to the end-entity client cert with the OCSP responder - this is expected behaviour.

The modssl-users@ was used for discussion of mod_ssl for Apache httpd 1.3. For discussion of OCSP in httpd 2.3 I'd recommend us...@httpd.apache.org - file bugs if you think the code is buggy.

http://issues.apache.org/bugzilla/

Regards, Joe
RE: OCSP-validation fails - Wrong cert passed to OCSP by Apache
I still don't get it. I used Wireshark and found out that the certificate sent to the OCSP-responder is the CA-cert, not the client-cert to be validated! I am clueless.

Online Certificate Status Protocol
  tbsRequest
    requestList: 1 item
      Request
        reqCert
          hashAlgorithm (SHA-1)
            Algorithm Id: 1.3.14.3.2.26 (SHA-1)
          issuerNameHash: 3183A656588CA87A8D663E5721EF4BC860D9EC86
          issuerKeyHash: 7C2E39233244E80F4E66F20D28FE40BEC2B6E2A0
          serialNumber : 0x1bd40ed434d1da15a6003015024da46c   <- THIS IS THE SERIALNUMBER FOR THE CA-CERT

/ulfW

PS Is this mailing list active?
RE: OCSP-validation fails - UPDATE
I have now verified that if I use openssl directly from the command line it will verify OK. Apparently there is no need for signing the request.

>openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile /usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text -url http://ocsp.trust.telia.com
. . . .
Response verify OK
/mnt/download/uwcert.cer: good
        This Update: Jul 29 10:43:41 2010 GMT
        Next Update: Jul 30 10:43:45 2010 GMT

/ulfW

-----Original Message-----
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org] On Behalf Of Ulf Wahlqvist
Sent: 27 July 2010 16:43
To: modssl-users@modssl.org
Subject: OCSP-validation fails

Hi

I'm trying to get Apache to do Client certificate verification with OCSP-validation. It works without OCSP, but OCSP-validation fails when I turn it on. The error is "OCSP_check_validity:status too old", but that doesn't make sense because the clocks are within 2 seconds. The client (Apache) says "Mon Jul 26 15:50:06.488292 2010" and the response says "Mon, 26 Jul 2010 13:50:05 GMT" which is the same time. Can there be a problem with comparing timestamps?

A more likely problem might be that the OCSP-responder requires a SIGNED message, but I don't understand how to get Apache to sign it. Some European OCSP-responders seem to accept only signed requests and I'm trying to find out if this is one of them. Will Apache be able to sign OCSP-requests (in that case - how do I pass the cert/key)?

***** my config *****
[r...@fedoragui logs]# httpd -v
Server version: Apache/2.3.6 (Unix)
Server built: Jul 16 2010 15:31:39
[r...@fedoragui logs]# openssl version
OpenSSL 1.0.0a-fips 1 Jun 2010

./configure --enable-ssl

***** error_log *****
[Mon Jul 26 15:50:05.782378 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Connection to child 193 established (server fedoragui.mydomain.com:443)
[Mon Jul 26 15:50:06.461652 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(79): [client 10.0.2.2:2112] connecting to OCSP responder 'ocsp.trust.telia.com'
[Mon Jul 26 15:50:06.466167 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(105): [client 10.0.2.2:2112] sending request to OCSP responder
[Mon Jul 26 15:50:06.488292 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Date: Mon, 26 Jul 2010 13:50:05 GMT
[Mon Jul 26 15:50:06.493946 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Server: Apache
[Mon Jul 26 15:50:06.494352 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Length: 1264
[Mon Jul 26 15:50:06.494828 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Connection: close
[Mon Jul 26 15:50:06.495071 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(209): [client 10.0.2.2:2112] OCSP response header: Content-Type: application/ocsp-response
[Mon Jul 26 15:50:06.495303 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(252): [client 10.0.2.2:2112] OCSP response: got 1264 bytes, 1264 total
[Mon Jul 26 15:50:06.498272 2010] [debug] [pid 9164:tid 3053448048] ssl_util_ocsp.c(235): [client 10.0.2.2:2112] OCSP response: got EOF
[Mon Jul 26 15:50:06.500184 2010] [error] [pid 9164:tid 3053448048] SSL Library Error: error:2707307F:OCSP routines:OCSP_check_validity:status too old
[Mon Jul 26 15:50:06.504012 2010] [error] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] Certificate Verification: Error (50): application verification failure
[Mon Jul 26 15:50:06.504430 2010] [info] [pid 9164:tid 3053448048] [client 10.0.2.2:2112] SSL library error 1 in handshake (server fedoragui.mydomain.com:443)

/ulfW
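The "status too old" text in the error_log above is OpenSSL's reason string from OCSP_check_validity(). That function never looks at the HTTP Date header; it compares the response's own thisUpdate and nextUpdate fields against the local clock with an allowed skew, and reports "status too old" when nextUpdate lies further in the past than the skew allows. So synchronized clocks are not enough: a responder that hands out a cached response whose nextUpdate has already passed (for any certificate in the chain, since Joe notes each one is checked) fails with exactly this error. The block below is an added Python model of those window checks; it is my re-implementation for illustration, not httpd or OpenSSL code. The nsec/maxsec parameters correspond to httpd's SSLOCSPResponseTimeSkew (default 300 seconds) and SSLOCSPResponseMaxAge (default -1, unlimited) directives; the This/Next Update timestamps are taken from Ulf's openssl ocsp run, and the "now" values are constructed for the demonstration.

```python
"""Model of the time-window checks in OpenSSL's OCSP_check_validity().

Added example, not code from httpd or OpenSSL. The This/Next Update values come
from the thread's "openssl ocsp -text" output; the "now" values are constructed.
"""
from datetime import datetime, timedelta, timezone

# Reason strings as OpenSSL reports them (e.g. "OCSP_check_validity:status too old")
STATUS_TOO_OLD = "status too old"
STATUS_NOT_YET_VALID = "status not yet valid"
STATUS_EXPIRED = "status expired"
NEXTUPDATE_BEFORE_THISUPDATE = "nextupdate before thisupdate"


def parse_ocsp_time(text):
    """Parse the 'Jul 29 10:43:41 2010 GMT' form printed by openssl ocsp -text."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def check_validity(this_update, next_update, now, nsec=300, maxsec=-1):
    """Return the list of window violations; an empty list means the response is usable.

    nsec   : permitted clock skew in seconds (httpd: SSLOCSPResponseTimeSkew, default 300)
    maxsec : maximum age of thisUpdate in seconds, -1 = no limit (httpd: SSLOCSPResponseMaxAge)
    OpenSSL keeps going after the first failure and collects every violation, so this does too.
    """
    problems = []
    skew = timedelta(seconds=nsec)

    # thisUpdate may not lie more than nsec in the future
    if this_update > now + skew:
        problems.append(STATUS_NOT_YET_VALID)
    # optionally, thisUpdate may not be older than maxsec
    if maxsec >= 0 and this_update < now - timedelta(seconds=maxsec):
        problems.append(STATUS_EXPIRED)

    # nextUpdate is optional in a response; without it only the checks above apply
    if next_update is None:
        return problems

    # nextUpdate may not lie more than nsec in the past: this is "status too old"
    if next_update < now - skew:
        problems.append(STATUS_TOO_OLD)
    # and nextUpdate may never precede thisUpdate
    if next_update < this_update:
        problems.append(NEXTUPDATE_BEFORE_THISUPDATE)
    return problems


# Window from the thread's openssl ocsp output
THIS_UPDATE = parse_ocsp_time("Jul 29 10:43:41 2010 GMT")
NEXT_UPDATE = parse_ocsp_time("Jul 30 10:43:45 2010 GMT")


def explain(now_text, **kwargs):
    """Evaluate the thread's response window at a constructed 'now' and return the result."""
    problems = check_validity(THIS_UPDATE, NEXT_UPDATE, parse_ocsp_time(now_text), **kwargs)
    return problems or ["ok"]


if __name__ == "__main__":
    for now in ("Jul 29 12:00:00 2010 GMT",   # inside the window
                "Jul 30 10:46:00 2010 GMT",   # 135 s past nextUpdate, inside the 300 s skew
                "Jul 30 10:50:00 2010 GMT"):  # past nextUpdate by more than the skew
        print(now, "->", ", ".join(explain(now)))
```

When diagnosing this in a running httpd, compare the response's nextUpdate (visible with openssl ocsp -text as in Ulf's command) against the server clock rather than the Date header; raising SSLOCSPResponseTimeSkew only masks a responder that serves stale responses.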
Re: Client certificate does not work / renegotiate
Hi,

That is not a bug, it is a feature! With the TLS renegotiation there is a theoretical man-in-the-middle attack possible. To prevent that the developers decided to deactivate the TLS renegotiation.

Solution: use

    SSLInsecureRenegotiation on

http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslinsecurerenegotiation

From the changelog:

    Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol.

Mario
Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
I updated the patch. The most recent version is now available at

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_31-1_3_41-v4.patch

In addition to the v3 version of the patch, it now also contains a backport of the SSLInsecureRenegotiation directive introduced in Apache httpd 2.2.15 in combination with OpenSSL 0.9.8m and beyond.

The patch needs some more testing, but the backport was straightforward.

Regards,

Rainer

On 01.01.2010 21:44, Rainer Jung wrote:
> On 29.12.2009 22:57, John Lightsey wrote:
>> On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
>>> On 23.11.2009 18:57, John Lightsey wrote:
>>>> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>>>>> Thanks again. I updated the patch:
>>>>>
>>>>> http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch
>>>>>
>>>>> The only changes are in ssl_engine_io.c, where the declaration of "char *reneg" is moved 4 times to the beginning of the function. Anything else you observed?
>>
>> I received a report of segfaults caused by this patch. They happen when you have Apache proxy connections to a SSL destination. IE:
>>
>>     RewriteRule ^/(.*) https://other_site.com/$1 [P]
>>
>> The segfault happens at:
>>
>>     reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");
>>
>> in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.
>>
>> #0  0x00454bb5 in ssl_io_suck_read (ssl=0x10a26070, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
>>         actx = (ap_ctx *) 0x10a26070
>>         ss = (struct ssl_io_suck_st *) 0x0
>>         r = (request_rec *) 0x0
>>         rv = 0
>>         reneg = 0x0
>>         c = (conn_rec *) 0x0
>> #1  0x00454f31 in ssl_io_hook_read (fb=0x10a25c28, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
>>         ssl = (SSL *) 0x10a26070
>>         c = (conn_rec *) 0x0
>>         s = (server_rec *) 0x0
>>         rc = 0
>>         reneg = 0x0
>> #2  0x0049a00f in ap_hook_call_func (ap=0x7fff98699110, he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
>>         v1 = (void *) 0x10a25c28
>>         v2 = (void *) 0x107ccd88
>>         v3 = 4096
>>         v_rc = (void *) 0x7fff9869922c
>>         v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0, v_double = 0, v_ptr = 0x0}
>>         rc = 1
>> #3  0x004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read") at ap_hook.c:382
>>         i = 0
>>         he = (ap_hook_entry *) 0x104f33b0
>>         ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff98699200, reg_save_area = 0x7fff98699140}}
>>         rc = 0
>> #4  0x0046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88, nbyte=4096) at buff.c:255
>>         rv = 0
>
> Thank you for your feedback and the analysis. I could reproduce this and have updated the patch:
>
> http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v3.patch
>
> I tested with and without SSL_EXPERIMENTAL_PROXY and it worked for my tests. The code doesn't try to change/fix renegotiation behaviour for ssl on the client side when used as a proxy.
>
> As always: feedback welcome!
>
> Regards,
>
> Rainer
Re: Which SSL Directives to use?
On 02/17/2010 02:08 AM, NT984 wrote:
> I am converting from a Verisign SSL Certificate to a Network Solutions EV SSL Cert on my site. My existing configuration uses the following directives:
>
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXP:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2
> SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.cert
> SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
> SSLCACertificateFile /etc/apache2/ssl.crt/my.blah.com.intermediate.crt
>
> In the Network Solutions instructions, it recommends using the following:
>
> SSLCertificateFile /etc/apache2/ssl.crt/my.blah.com.crt
> SSLCertificateKeyFile /etc/apache2/ssl.key/my.blah.com.key
> SSLCertificateChainFile /etc/apache2/ssl.crt/Apache_Plesk_Install.txt
>
> In the apache mod_ssl documentation (http://httpd.apache.org/docs/2.0/mod/mod_ssl.html), it states the following:
>
>   SSLCertificateChainFile
>   This should be used alternatively and/or additionally to SSLCACertificatePath for explicitly constructing the server certificate chain which is sent to the browser in addition to the server certificate. It is especially useful to avoid conflicts with CA certificates when using client authentication. Because although placing a CA certificate of the server certificate chain into SSLCACertificatePath has the same effect for the certificate chain construction, it has the side-effect that client certificates issued by this same CA certificate are also accepted on client authentication.
>   Example: SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt
>
>   SSLCACertificateFile
>   This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with. These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to SSLCACertificatePath.
>   Example: SSLCACertificateFile /usr/local/apache2/conf/ssl.crt/ca-bundle-client.crt
>
> My question is... should I include both directives in my configuration? Is there an advantage to doing so? Now that I am upgrading, do I need to consider modification of my SSLCipherSuite setting?
>
> Any help would be appreciated. Thx.
>
> nt

NT,

You should use SSLCertificateChainFile if you're on Apache 2.2. If you're on Apache 1.x, then typically you'll want to use SSLCACertificateFile. In Apache 2, SSLCACertificateFile is for Client Authentication, whereas in earlier versions it was for the Certificate Authority. Earlier versions of Apache 2.0 were able to use both interchangeably.

Do not use both at the same time. Only if you're doing Client Authentication.

As far as your cipher suite goes... You'll also want to disable MD5 based ciphers. (Opera 9.x will warn of weak ciphers in use as there are a few MD5 based in SSLv3/TLSv1.x)

Hope this helps,
--Sal
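Sal's advice to drop the MD5-based ciphers is easy to verify: OpenSSL expands an SSLCipherSuite string into a concrete list, and Python's ssl module exposes that expansion through the same library. The block below is an added example (mine, not from the thread or from httpd) that resolves a cipher string against the local OpenSSL and lists the enabled suites whose name indicates an MD5 MAC. The first string is NT984's own SSLCipherSuite; the hardened variant just appends !MD5. Which suites actually appear depends on the OpenSSL version Python links against (recent builds no longer ship RC4-MD5 at all), so the useful output is the comparison, not a fixed list.

```python
"""Resolve an SSLCipherSuite string with the local OpenSSL and flag MD5-MAC suites.

Added example, not code from the thread or from httpd. ORIGINAL is the cipher
string from NT984's configuration; HARDENED is the same string with !MD5 added.
"""
import ssl

ORIGINAL = "ALL:!ADH:!EXP:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2"
HARDENED = ORIGINAL + ":!MD5"


def enabled_ciphers(cipher_string):
    """Return the cipher names OpenSSL enables for the string ([] if nothing matches)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # get_ciphers() reports the resolved list in preference order; on OpenSSL 1.1.1+
    # it also includes the TLS 1.3 suites, which the cipher string does not control.
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names):
    """Suites whose OpenSSL name carries an MD5 MAC (e.g. RC4-MD5), the ones Opera flags."""
    return [n for n in names if "MD5" in n.upper()]


def audit(cipher_string):
    """Summarise a cipher string: how many suites it enables and which of them use MD5."""
    names = enabled_ciphers(cipher_string)
    return {"count": len(names), "md5": weak_ciphers(names), "ciphers": names}


if __name__ == "__main__":
    print("OpenSSL used by Python:", ssl.OPENSSL_VERSION)
    for label, spec in (("original", ORIGINAL), ("hardened", HARDENED)):
        result = audit(spec)
        print(f"{label}: {result['count']} suites, MD5-based: {result['md5'] or 'none'}")
```

The same expansion is what "openssl ciphers -v 'ALL:!ADH:...'" prints on the command line; running it against the OpenSSL httpd is actually linked with (not necessarily the one on $PATH, as the thread above about OpenSSL/0.9.7l shows) is the authoritative check.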
Re: Client Auth with S/MIME certificates - certificate purpose problem
I found a solution. It looks like a dirty hack and makes a security hole, but it works for our custom purposes. So I don't recommend using this way. Somehow it may be interesting for somebody.

It's needed to patch openssl. In the 'openssl/ssl/ssl_cert.c' file, in the 'ssl_verify_cert_chain' function replace

    X509_STORE_CTX_set_default(&ctx, s->server ? "ssl_client" : "ssl_server");

by

    X509_STORE_CTX_set_default(&ctx, "any");

Yaroslav
Re: mod ssl's update for apache 1.3.42?
I wouldn't expect an update until it's in sync with the final 0.9.8m from the group, as a (probably final) update. Without 0.9.8m finished, due to an unfinished RFC, it's a bit trickier to move ahead.

On 2/5/2010 6:19 AM, Bernard PREVOSTO wrote:
> The Apache Group is pleased to announce the legacy release of the 1.3.42
> version of the Apache HTTP Server.
>
> This version of Apache is principally a security release.
RE: SSLVerifyClient optional redirect or be graceful upon revoked certificate
I proposed this a while back but never got any responses.

https://issues.apache.org/bugzilla/show_bug.cgi?id=46897

-----Original Message-----
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org] On Behalf Of Jaz
Sent: Friday, January 22, 2010 9:11 AM
To: modssl-users@modssl.org
Subject: SSLVerifyClient optional redirect or be graceful upon revoked certificate

When using "SSLVerifyClient optional" is there a way (or are there plans for this) to redirect when mod_ssl detects a revoked certificate? What about setting $_SERVER["SSL_CLIENT_VERIFY"] == "FAIL" just as it is when no certificate is installed? In other words, why should the action be any different for no-certificate and revoked-certificate?

BTW, my application is a wrapper app to self-manage private SSL certificates. The login pre-test is intended for all cases (without cert, with cert, and revoked cert) and detects by testing $_SERVER["SSL_CLIENT_VERIFY"] == "SUCCESS" (This is in a dedicated directory carefully designed to eliminate risk from MitM attacks). This works for the two cases no-cert & valid-cert, but for revoked-cert we get an ugly hard-stop. For example from Firefox: "SSL peer rejected your certificate as revoked".

If this isn't appropriate for modssl-users, and is rather an apache issue, then advice for an alternate forum is appreciated. Has it already been discussed/requested? (searched a lot but didn't find anything)

I would like to build a mod_ssl with both the option to redirect on FAIL (separate options for no-cert and revoked-cert), and limit initiate-renegotiation only by server, not by client.

Any help is greatly appreciated. Thanks.
Re: SSLVerifyClient require per directory context
Thanks so much for your tip. Now I have a much better understanding of the problem.

Aaron

> Hello,
>
> I faced the same issue.
> Actually, client authentication has been disabled on recent versions. It has nothing to do with your configuration.
>
> See (on my blog):
> http://www.phocean.net/2009/11/28/openssl-cve-2009-3555-security-fix-and-mod_ssl-client-authentication-breakage.html
> and then:
> http://www.phocean.net/2010/01/09/ssltls-rfc-updated-against-cve-2009-3555.html
>
> Regards,
>
> --
> Jean-Christophe Baptiste
>
> On Tuesday 19 January 2010 at 16:53 -0600, aa...@cs.wisc.edu wrote:
>> I'm trying to go through the most basic tutorials on mod_ssl and I'm having a problem trying to get my server to issue a certificate request for a particular URL. I'm listing my Apache and OpenSSL version information.
>>
>> # httpd -v
>> Server version: Apache/2.2.14 (Unix)
>> Server built: Dec 3 2009 10:25:53
>>
>> # openssl version
>> OpenSSL 1.0.0-fips-beta4 10 Nov 2009
>>
>> I've followed the steps of this tutorial:
>>
>> http://www.vanemery.com/Linux/Apache/apache-SSL.html
>>
>> I've also tried to follow the SSL HowTo on the Apache site:
>>
>> http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
>>
>> I'll try to get at the heart of the issue. If I have the following in my ssl.conf file in the VirtualHost section
>>
>> SSLVerifyClient require
>> SSLVerifyDepth 1
>>
>> then everything works as expected. I have the client certificate installed in my client web browser, and when I click on the link to my https server, which is https://myserver, then it prompts me to get the certificate of the server and confirm a security exception, and also prompts me with a user identification request, at which point I can choose a certificate to identify the client to my server. I see my index.html page, which has a link to the directory https://myserver/Certneeded. I can click on this directory and see a list of the files in that directory.
>>
>> However, if I change my ssl.conf in an attempt to "force clients to authenticate using certificates for a particular URL, but still allow arbitrary clients to access the rest of the server", as per the Apache HowTo, then I never get prompted for this "user identification request" to which I can identify my client web browser to the server.
>>
>> In this case, my ssl.conf file changes to the following.
>>
>> SSLVerifyClient none
>>
>> Options Indexes
>> SSLVerifyClient require
>> SSLVerifyDepth 1
>>
>> Now, when I click on the link to https://myserver/Certneeded, the client browser just hangs until a timeout is reached, I'm never prompted to present a certificate for identification, and the contents of the directory are not listed.
>>
>> In Wireshark, I see a client hello, followed by a server hello, followed by a change cipher spec, presumably because I was never prompted for an identification certificate by the server within a set time.
>>
>> In the "good" case, when my "SSLVerifyClient require" statement is in the VirtualHost section of the ssl.conf file, in Wireshark, I see a client hello, followed by a server hello, followed by a "certificate, server key exchange, certificate request", which seems to be where the window pops up in my client prompting me with a user identification request.
>>
>> In trying to debug this, I noticed that if I do a hack and revert back to an earlier RPM version of openssl, openssl-0.9.8g-11.fc10.i386.rpm, that both configurations (per-server and per-directory contexts) work as expected. What might be wrong here?
>>
>> Aaron
Re: SSLVerifyClient require per directory context
Hello,

I faced the same issue.
Actually, client authentication has been disabled on recent versions. It
has nothing to do with your configuration.

See (on my blog):
http://www.phocean.net/2009/11/28/openssl-cve-2009-3555-security-fix-and-mod_ssl-client-authentication-breakage.html
and then:
http://www.phocean.net/2010/01/09/ssltls-rfc-updated-against-cve-2009-3555.html

Regards,

--
Jean-Christophe Baptiste

On Tuesday 19 January 2010 at 16:53 -0600, aa...@cs.wisc.edu wrote:
> I'm trying to go through the most basic tutorials on mod_ssl and I'm
> having a problem trying to get my server to issue a certificate request
> for a particular URL. I'm listing my Apache and OpenSSL version
> information.
>
> # httpd -v
> Server version: Apache/2.2.14 (Unix)
> Server built: Dec 3 2009 10:25:53
>
> # openssl version
> OpenSSL 1.0.0-fips-beta4 10 Nov 2009
>
> I've followed the steps of this tutorial:
>
> http://www.vanemery.com/Linux/Apache/apache-SSL.html
>
> I've also tried to follow the SSL HowTo on the Apache site:
>
> http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html
>
> I'll try to get at the heart of the issue. If I have the following in my
> ssl.conf file in the VirtualHost section
>
> SSLVerifyClient require
> SSLVerifyDepth 1
>
> then everything works as expected. I have the client certificate
> installed in my client web browser, and when I click on the link to my
> https server, which is https://myserver, then it prompts me to get the
> certificate of the server and confirm a security exception, and also
> prompts me with a user identification request, at which point I can
> choose a certificate to identify the client to my server. I see my
> index.html page, which has a link to the directory
> https://myserver/Certneeded. I can click on this directory and see a
> list of the files in that directory.
>
> However, if I change my ssl.conf in an attempt to "force clients to
> authenticate using certificates for a particular URL, but still allow
> arbitrary clients to access the rest of the server", as per the Apache
> HowTo, then I never get prompted for this "user identification request"
> to which I can identify my client web browser to the server.
>
> In this case, my ssl.conf file changes to the following.
>
> SSLVerifyClient none
>
> Options Indexes
> SSLVerifyClient require
> SSLVerifyDepth 1
>
> Now, when I click on the link to https://myserver/Certneeded, the client
> browser just hangs until a timeout is reached, I'm never prompted to
> present a certificate for identification, and the contents of the
> directory are not listed.
>
> In Wireshark, I see a client hello, followed by a server hello, followed
> by a change cipher spec, presumably because I was never prompted for an
> identification certificate by the server within a set time.
>
> In the "good" case, when my "SSLVerifyClient require" statement is in
> the VirtualHost section of the ssl.conf file, in Wireshark, I see a
> client hello, followed by a server hello, followed by a "certificate,
> server key exchange, certificate request", which seems to be where the
> window pops up in my client prompting me with a user identification
> request.
>
> In trying to debug this, I noticed that if I do a hack and revert back
> to an earlier RPM version of openssl, openssl-0.9.8g-11.fc10.i386.rpm,
> that both configurations (per-server and per-directory contexts) work
> as expected. What might be wrong here?
>
> Aaron
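The Wireshark difference Aaron describes (a CertificateRequest in the good case, none in the failing one) can be checked mechanically from the server's raw records. The following is an added example, not code from this thread or from mod_ssl/OpenSSL: it parses TLS records from byte strings constructed here and reports whether the server flight carried a CertificateRequest, and it also recognises the plaintext-HTTP-on-the-TLS-port case that appears in the "read client hello A" thread further down this page.

```python
"""Classify a server's TLS 1.0-1.2 handshake flight from raw record bytes.

Added example, not code from the mailing list or from mod_ssl/OpenSSL.
A CertificateRequest (handshake type 13) is what makes the browser open
its client-certificate prompt; a flight without it can never prompt.
All byte strings below are constructed in this file.
"""
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert",
                 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest",
                   14: "ServerHelloDone", 16: "ClientKeyExchange",
                   20: "Finished"}


def handshake_msg(msg_type, body):
    """Handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def record(content_type, payload, version=(3, 1)):
    """TLS record: 1-byte type, 2-byte version, 2-byte length, payload."""
    return bytes([content_type, *version]) + struct.pack("!H", len(payload)) + payload


def parse_records(data):
    """Return [(content_type_name, [handshake message names])] for a stream.
    Handshake records after a ChangeCipherSpec are encrypted and reported
    as ["<encrypted>"]. Raises ValueError on non-TLS or truncated input."""
    out, pos, encrypted = [], 0, False
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        if ctype not in CONTENT_TYPES:
            # The 'O' (0x4f) of "OPTIONS" lands here: plaintext HTTP on the TLS port.
            raise ValueError(f"byte {ctype:#04x} is not a TLS record type")
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body")
        pos += 5 + length
        msgs = []
        if ctype == 22 and encrypted:
            msgs = ["<encrypted>"]
        elif ctype == 22:
            hp = 0
            while hp < len(payload):
                if len(payload) - hp < 4:
                    raise ValueError("truncated handshake header")
                htype = payload[hp]
                hlen = int.from_bytes(payload[hp + 1:hp + 4], "big")
                if len(payload) - hp - 4 < hlen:
                    raise ValueError("truncated handshake body")
                msgs.append(HANDSHAKE_TYPES.get(htype, f"type{htype}"))
                hp += 4 + hlen
        elif ctype == 20:
            encrypted = True
        out.append((CONTENT_TYPES[ctype], msgs))
    return out


def classify_server_flight(data):
    """'client-cert-requested', 'no-client-cert-request' or 'not-tls'."""
    if not data or data[0] not in CONTENT_TYPES:
        return "not-tls"
    records = parse_records(data)
    if any("CertificateRequest" in msgs for _, msgs in records):
        return "client-cert-requested"
    return "no-client-cert-request"


# --- constructed sample flights (bodies are placeholders, framing is real) ---
SERVER_HELLO = handshake_msg(2, b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")

# Per-server "SSLVerifyClient require": Certificate, ServerKeyExchange,
# CertificateRequest, ServerHelloDone, as seen in Wireshark in the good case.
GOOD_FLIGHT = record(22, SERVER_HELLO) + record(
    22,
    handshake_msg(11, b"\x00\x00\x00")        # empty certificate list
    + handshake_msg(12, bytes(4))             # placeholder key exchange
    + handshake_msg(13, b"\x01\x01\x00\x00")  # one cert type, no DNs
    + handshake_msg(14, b""))

# ServerHello followed directly by ChangeCipherSpec and an encrypted Finished:
# no CertificateRequest, so the browser is never asked for a certificate.
RESUMED_FLIGHT = record(22, SERVER_HELLO) + record(20, b"\x01") + record(22, bytes(48))

# Plaintext HTTP sent to the HTTPS port (the "OPTIONS * H" of a BIO dump).
PLAINTEXT_REQUEST = b"OPTIONS * HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, flight in [("good", GOOD_FLIGHT), ("resumed", RESUMED_FLIGHT),
                         ("plaintext", PLAINTEXT_REQUEST)]:
        print(name, classify_server_flight(flight))
```

In a per-directory setup the CertificateRequest only arrives during the renegotiation that the CVE-2009-3555 fixes block, so with that configuration the first flight is expected to lack it; the check above is meaningful for the per-server case.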
Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
On 29.12.2009 22:57, John Lightsey wrote:
> On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
>> On 23.11.2009 18:57, John Lightsey wrote:
>>> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>>
>> Thanks again. I updated the patch:
>>
>> http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch
>>
>> The only changes are in ssl_engine_io.c, where the declaration of "char
>> *reneg" is moved 4 times to the beginning of the function. Anything else
>> you observed?
>
> I received a report of segfaults caused by this patch. They happen when
> you have Apache proxy connections to a SSL destination, i.e.:
>
> RewriteRule ^/(.*) https://other_site.com/$1 [P]
>
> The segfault happens at:
>
> reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");
>
> in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.
>
> #0 0x00454bb5 in ssl_io_suck_read (ssl=0x10a26070, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
>   actx = (ap_ctx *) 0x10a26070
>   ss = (struct ssl_io_suck_st *) 0x0
>   r = (request_rec *) 0x0
>   rv = 0
>   reneg = 0x0
>   c = (conn_rec *) 0x0
> #1 0x00454f31 in ssl_io_hook_read (fb=0x10a25c28, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
>   ssl = (SSL *) 0x10a26070
>   c = (conn_rec *) 0x0
>   s = (server_rec *) 0x0
>   rc = 0
>   reneg = 0x0
> #2 0x0049a00f in ap_hook_call_func (ap=0x7fff98699110, he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
>   v1 = (void *) 0x10a25c28
>   v2 = (void *) 0x107ccd88
>   v3 = 4096
>   v_rc = (void *) 0x7fff9869922c
>   v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0, v_double = 0, v_ptr = 0x0}
>   rc = 1
> #3 0x004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read") at ap_hook.c:382
>   i = 0
>   he = (ap_hook_entry *) 0x104f33b0
>   ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff98699200, reg_save_area = 0x7fff98699140}}
>   rc = 0
> #4 0x0046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88, nbyte=4096) at buff.c:255
>   rv = 0

Thank you for your feedback and the analysis.

I could reproduce this and have updated the patch:

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v3.patch

I tested with and without SSL_EXPERIMENTAL_PROXY and it worked for my tests.

The code doesn't try to change/fix renegotiation behaviour for ssl on the
client side when used as a proxy.

As always: feedback welcome!

Regards,

Rainer
Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
> On 23.11.2009 18:57, John Lightsey wrote:
>> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>
> Thanks again. I updated the patch:
>
> http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch
>
> The only changes are in ssl_engine_io.c, where the declaration of "char
> *reneg" is moved 4 times to the beginning of the function. Anything else
> you observed?

I received a report of segfaults caused by this patch. They happen when
you have Apache proxy connections to a SSL destination, i.e.:

RewriteRule ^/(.*) https://other_site.com/$1 [P]

The segfault happens at:

reneg = ap_ctx_get(c->client->ctx, "ssl::reneg");

in ssl_io_suck_read() because SSL_get_app_data(ssl) returns NULL.

#0 0x00454bb5 in ssl_io_suck_read (ssl=0x10a26070, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:275
  actx = (ap_ctx *) 0x10a26070
  ss = (struct ssl_io_suck_st *) 0x0
  r = (request_rec *) 0x0
  rv = 0
  reneg = 0x0
  c = (conn_rec *) 0x0
#1 0x00454f31 in ssl_io_hook_read (fb=0x10a25c28, buf=0x107ccd88 "UserDir", len=4096) at ssl_engine_io.c:394
  ssl = (SSL *) 0x10a26070
  c = (conn_rec *) 0x0
  s = (server_rec *) 0x0
  rc = 0
  reneg = 0x0
#2 0x0049a00f in ap_hook_call_func (ap=0x7fff98699110, he=0x104f33b0, hf=0x105059c0) at ap_hook.c:649
  v1 = (void *) 0x10a25c28
  v2 = (void *) 0x107ccd88
  v3 = 4096
  v_rc = (void *) 0x7fff9869922c
  v_tmp = {v_char = 0 '\0', v_int = 0, v_long = 0, v_float = 0, v_double = 0, v_ptr = 0x0}
  rc = 1
#3 0x004982db in ap_hook_call (hook=0x4bbb5a "ap::buff::read") at ap_hook.c:382
  i = 0
  he = (ap_hook_entry *) 0x104f33b0
  ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fff98699200, reg_save_area = 0x7fff98699140}}
  rc = 0
#4 0x0046af22 in ap_read (fb=0x10a25c28, buf=0x107ccd88, nbyte=4096) at buff.c:255
  rv = 0
Re: error in SSLv2/v3 read client hello A
I continue talking to myself about it.

Just to let people know that I submitted a bug to openSUSE, because it took
me less than 5 minutes to get a blank Debian virtual machine to work with
the exact same certificates, virtual host configuration and browser.

There is definitely something weird...

On Tuesday 24 November 2009 at 17:24 +0100, Jean-Christophe Baptiste wrote:
> I am still stuck with the same issue:
>
> [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
> [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before accept initialization
> [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client hello A
> [Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client hello A
> [Tue Nov 24 16:56:15 2009] [error] [client 194.2.193.253] Re-negotiation handshake failed: Not accepted by client!?
> [Tue Nov 24 16:56:23 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f313d364fc0 [mem: 7f313d8641a0]
>
> I renewed one more time all my certificates, so I don't think there is
> anything wrong with them.
> My apache configuration hasn't changed:
>
> SSLRequireSSL
> SSLVerifyClient require
> SSLVerifyDepth 1
> Order allow,deny
> allow from All
>
> And any browser (Firefox, Opera) fails, so I don't think it is a browser
> issue.
> Of course, I imported the CA and the client certificate...
>
> And still no prompt for the client certificate...
>
> Really no hint? Could it be a bug in the distro package?
>
> Thanks.
>
> On Mon, 23 Nov 2009 01:29:30 +0100, Jean-Christophe Baptiste wrote:
>> Hi all,
>>
>> I have been using client certificates for a while (more than 2 years)
>> successfully.
>>
>> But now, after migrating a server, I am stuck with a problem that I have
>> no idea how to handle.
>> I just spent 10 hours googling around and reading the doc without
>> finding any clue.
>>
>> On my new set-up, the web browser seems to reject the negotiation:
>>
>> [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection to child 2 established (server www.***.net:443)
>> [Sun Nov 22 22:51:36 2009] [info] Seeding PRNG with 656 bytes of entropy
>> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
>> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before/accept initialization
>> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 11/11 bytes from BIO#7f35d1213840 [mem: 7f35d1218f00] (BIO dump follows)
>> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1791): +-+
>> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1830): | : 4f 50 54 49 4f 4e 53 20-2a 20 48 OPTIONS * H |
>> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1836): +-+
>> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv2/v3 read client hello A
>> [Sun Nov 22 22:51:36 2009] [info] [client ::1] SSL library error 1 in handshake (server www.***.net:443)
>> [Sun Nov 22 22:51:36 2009] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
>> [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection closed to child 2 with abortive shutdown (server www.***.net:443)
>>
>> I have tried a bunch of different settings. Of course, I re-generated
>> several times all the certificates, from the CA to the client.
>> Both the CA and the client were imported into the web browser.
>>
>> The mod-ssl settings are in no point different from the previous
>> machine, so what am I missing?
>>
>> So any help, any hint would be greatly appreciated.
>>
>> Thank you in advance,
>>
>> Regards,
>> Jean-Christophe
Re: error in SSLv2/v3 read client hello A
I am still stuck with the same issue:

[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before accept initialization
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [error] [client 194.2.193.253] Re-negotiation handshake failed: Not accepted by client!?
[Tue Nov 24 16:56:23 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f313d364fc0 [mem: 7f313d8641a0]

I renewed one more time all my certificates, so I don't think there is
anything wrong with them.
My apache configuration hasn't changed:

SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 1
Order allow,deny
allow from All

And any browser (Firefox, Opera) fails, so I don't think it is a browser
issue.
Of course, I imported the CA and the client certificate...

And still no prompt for the client certificate...

Really no hint? Could it be a bug in the distro package?

Thanks.

On Mon, 23 Nov 2009 01:29:30 +0100, Jean-Christophe Baptiste wrote:
> Hi all,
>
> I have been using client certificates for a while (more than 2 years)
> successfully.
>
> But now, after migrating a server, I am stuck with a problem that I have
> no idea how to handle.
> I just spent 10 hours googling around and reading the doc without
> finding any clue.
>
> On my new set-up, the web browser seems to reject the negotiation:
>
> [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection to child 2 established (server www.***.net:443)
> [Sun Nov 22 22:51:36 2009] [info] Seeding PRNG with 656 bytes of entropy
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1875): OpenSSL: Handshake: start
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1883): OpenSSL: Loop: before/accept initialization
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1858): OpenSSL: read 11/11 bytes from BIO#7f35d1213840 [mem: 7f35d1218f00] (BIO dump follows)
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1791): +-+
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1830): | : 4f 50 54 49 4f 4e 53 20-2a 20 48 OPTIONS * H |
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_io.c(1836): +-+
> [Sun Nov 22 22:51:36 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv2/v3 read client hello A
> [Sun Nov 22 22:51:36 2009] [info] [client ::1] SSL library error 1 in handshake (server www.***.net:443)
> [Sun Nov 22 22:51:36 2009] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
> [Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection closed to child 2 with abortive shutdown (server www.***.net:443)
>
> I have tried a bunch of different settings. Of course, I re-generated
> several times all the certificates, from the CA to the client.
> Both the CA and the client were imported into the web browser.
>
> The mod-ssl settings are in no point different from the previous
> machine, so what am I missing?
>
> So any help, any hint would be greatly appreciated.
>
> Thank you in advance,
>
> Regards,
> Jean-Christophe
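Someone operating this server would want to know how often the renegotiation is being refused, by which clients, and how often something non-TLS hits the HTTPS port. The following is an added example, not from the thread: it scans error_log lines constructed after the ones quoted above (client addresses replaced with documentation addresses) and counts the two failure signatures per client.

```python
"""Summarise mod_ssl handshake failures from error_log lines.

Added example, not from the mailing list. The log lines below are
constructed after the ones quoted in the thread, with the real client
addresses replaced. Two failure signatures are tracked: a client refusing
a renegotiation (what the poster sees after the CVE-2009-3555 fixes) and
a plaintext request arriving on the HTTPS port.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\]"
    r"(?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$")

# Substring of the logged message -> label used in the summary.
SIGNATURES = (
    ("Re-negotiation handshake failed: Not accepted by client", "reneg_refused_by_client"),
    ("speaking not SSL to HTTPS port", "plaintext_on_tls_port"),
    ("read client hello A", "client_hello_read_error"),
)

# Constructed sample (modelled on the quoted log; addresses replaced).
SAMPLE_LOG = """\
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL: Exit: error in SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [error] [client 192.0.2.10] Re-negotiation handshake failed: Not accepted by client!?
[Tue Nov 24 16:56:23 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#7f313d364fc0 [mem: 7f313d8641a0]
[Sun Nov 22 22:51:36 2009] [info] [client ::1] SSL library error 1 in handshake (server www.example.net:443)
[Sun Nov 22 22:51:36 2009] [info] SSL Library Error: 336027900 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol speaking not SSL to HTTPS port!?
[Sun Nov 22 22:51:36 2009] [info] [client ::1] Connection closed to child 2 with abortive shutdown (server www.example.net:443)
"""


def parse_line(line):
    """Return {'ts', 'level', 'client', 'msg'} or None for lines of another shape."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def label_for(msg):
    """First matching signature label, or None when the message is not tracked."""
    for needle, label in SIGNATURES:
        if needle in msg:
            return label
    return None


def scan(lines):
    """Count (label, client) pairs. 'SSL Library Error' lines carry no
    [client] tag, so the client of the preceding tagged line is used as a
    heuristic (mod_ssl logs them right after the per-connection line);
    '-' marks lines for which no client is known."""
    counts = Counter()
    last_client = "-"
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["client"]:
            last_client = rec["client"]
        label = label_for(rec["msg"])
        if label:
            counts[(label, rec["client"] or last_client)] += 1
    return counts


if __name__ == "__main__":
    for (label, client), n in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print(f"{n:4d}  {label:24s}  {client}")
```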
Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
On 23.11.2009 18:57, John Lightsey wrote:
> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>> Backport is not totally straightforward, because the original patches
>> use the filter architecture not present in Apache 1.3.
>>
>> Any Feedback on the patch is welcome. Some additional debug output can
>> be activated by using -DRENEG_DEBUG.
>>
>
> There are a few lines of c99 syntax in this patch (variable declarations
> of "char *reneg" in the middle of code) that cause it to fail with gcc
> 2.95.
>
> Seems to work fine otherwise.

Thanks again. I updated the patch:

http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch

The only changes are in ssl_engine_io.c, where the declaration of "char
*reneg" is moved 4 times to the beginning of the function. Anything else
you observed?

Regards,

Rainer
Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
On 23.11.2009 18:57, John Lightsey wrote:
> On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
>> Backport is not totally straightforward, because the original patches
>> use the filter architecture not present in Apache 1.3.
>>
>> Any Feedback on the patch is welcome. Some additional debug output can
>> be activated by using -DRENEG_DEBUG.
>>
>
> There are a few lines of c99 syntax in this patch (variable declarations
> of "char *reneg" in the middle of code) that cause it to fail with gcc
> 2.95.

Sorry, I forgot to fix those. Thanks for the feedback.

> Seems to work fine otherwise.

Good to know! The more eyes the better.

Regards,

Rainer
Re: [PATCH] Backport patch for CVE-2009-3555 from Apache 2.x
On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
> Backport is not totally straightforward, because the original patches
> use the filter architecture not present in Apache 1.3.
>
> Any Feedback on the patch is welcome. Some additional debug output can
> be activated by using -DRENEG_DEBUG.
>

There are a few lines of c99 syntax in this patch (variable declarations
of "char *reneg" in the middle of code) that cause it to fail with gcc
2.95.

Seems to work fine otherwise.
Re: SSLRequire problem
On 11/20/2009 04:50 AM, Joe Orton wrote:
> On Thu, Nov 19, 2009 at 03:19:00PM -0500, David Rosenstrauch wrote:
>> Hi. I'm tearing my hair out over an SSLRequire directive that doesn't
>> seem to be working. Can anyone help?
>>
>> The directive is actually quite simple:
>>
>> # Require SSL over non-obvious port 81 for SVN access
>> SSLRequire %{SERVER_PORT} == 81
>
> The port which %{SERVER_PORT} expands to is determined by the settings of
> UseCanonicalPhysicalPort and UseCanonicalName. For different combinations
> it will depend on either what the client sends in the request's Host
> header, what the ServerName directive is set to in the vhost, or what
> httpd derives as the "canonical" name for the vhost to be otherwise.
>
> See docs for more info:
>
> http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalname
> http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalphysicalport
>
> Regards, Joe

Huh! Never heard of those before!

OK, well, I'm still not sure I quite understand the reason why, but
"UseCanonicalPhysicalPort on" does seem to have fixed the problem.

Thanks much for the help!

DR
Re: SSLRequire problem
On Thu, Nov 19, 2009 at 03:19:00PM -0500, David Rosenstrauch wrote:
> Hi. I'm tearing my hair out over an SSLRequire directive that doesn't
> seem to be working. Can anyone help?
>
> The directive is actually quite simple:
>
> # Require SSL over non-obvious port 81 for SVN access
> SSLRequire %{SERVER_PORT} == 81

The port which %{SERVER_PORT} expands to is determined by the settings of
UseCanonicalPhysicalPort and UseCanonicalName. For different combinations
it will depend on either what the client sends in the request's Host
header, what the ServerName directive is set to in the vhost, or what
httpd derives as the "canonical" name for the vhost to be otherwise.

See docs for more info:

http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalname
http://httpd.apache.org/docs/2.2/mod/core.html#usecanonicalphysicalport

Regards, Joe
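Joe's explanation can be modelled: the added example below (not httpd code) reproduces the precedence the two linked core docs give for SERVER_PORT under each combination of UseCanonicalName and UseCanonicalPhysicalPort, and shows why the rule passes only once the physical port is consulted when the client's Host header carries no port. It treats UseCanonicalName DNS like Off and ignores IPv6 host literals; all request values are constructed.

```python
"""Model of how httpd chooses %{SERVER_PORT}.

Added illustration following the precedence lists documented for
UseCanonicalName and UseCanonicalPhysicalPort; not httpd code. The DNS
variant of UseCanonicalName is treated like Off and IPv6 host literals
are not handled. Request values are constructed.
"""

DEFAULT_PORT = {"http": 80, "https": 443}


def port_from_hostport(value):
    """'svn.example.org:81' -> 81; 'svn.example.org' or '' -> None."""
    if value and ":" in value:
        port = value.rsplit(":", 1)[1]
        if port.isdigit():
            return int(port)
    return None


def server_port(host_header, server_name, physical_port, scheme="https",
                use_canonical_name=False, use_canonical_physical_port=False):
    """Return the first available candidate in the documented order.

    UseCanonicalPhysicalPort On:
      UseCanonicalName On  -> ServerName port, physical port, default port
      UseCanonicalName Off -> Host header port, physical port, ServerName port, default
    UseCanonicalPhysicalPort Off:
      UseCanonicalName On  -> ServerName port, default port
      UseCanonicalName Off -> Host header port, ServerName port, default port
    """
    host_port = port_from_hostport(host_header)
    name_port = port_from_hostport(server_name)
    default = DEFAULT_PORT[scheme]
    if use_canonical_physical_port:
        if use_canonical_name:
            order = [name_port, physical_port, default]
        else:
            order = [host_port, physical_port, name_port, default]
    else:
        if use_canonical_name:
            order = [name_port, default]
        else:
            order = [host_port, name_port, default]
    return next(p for p in order if p is not None)


def sslrequire_port_81(host_header, server_name, physical_port, **settings):
    """Outcome of `SSLRequire %{SERVER_PORT} == 81` for one request."""
    return server_port(host_header, server_name, physical_port, **settings) == 81


if __name__ == "__main__":
    # A client whose Host header carries no port, on a vhost listening on 81.
    for phys in (False, True):
        port = server_port("svn.example.org", "svn.example.org", 81,
                           use_canonical_physical_port=phys)
        print("UseCanonicalPhysicalPort", "On " if phys else "Off", "->", port)
```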
Re: Issue setting up a Verisign certificate
Robin,

Be sure Verisign's 'root' certificate is installed in your browser's
certificate store - this is probably already done by default.

Then, verify what this is pointing to (from your own log file):

Unable to read server certificate from file /etc/apache2/secure.canadaeast.com.public.crt

Verify that your apache config file doesn't have one of the 'alternate'
certificate pointer directives activated. Various configurations 'bundle'
certs together in concatenated form, for example.

Be sure also that your VerifyDepth is set appropriately... Looks like a
depth of at least 3 levels to me.

----- Original Message -----
From: "Robin"
To: modssl-users@modssl.org
Sent: Monday, July 27, 2009 3:25:53 PM GMT -05:00 US/Canada Eastern
Subject: Issue setting up a Verisign certificate

I have generated a CSR, sent it to Verisign and they sent me back a cer
file that I have renamed to public.crt. As per their support instructions
I installed their Intermediate CA
(https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR193)

My virtualhost configuration is as follows:

SSLEngine on
SSLCertificateFile /etc/apache2/public.crt
SSLCertificateKeyFile /etc/apache2/private.key
SSLCACertificateFile /etc/apache2/interm.crt

I am getting this error when trying to start Apache:

[Mon Jul 27 16:05:07 2009] [error] Init: Unable to read server certificate from file /etc/apache2/secure.canadaeast.com.public.crt
[Mon Jul 27 16:05:07 2009] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jul 27 16:05:07 2009] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Any thoughts, because I am at a loss and am not interested in waiting on
hold for 35 minutes to speak to their support people.

Thanks!
Re: Issue setting up a Verisign certificate
Robin wrote:
| My virtualhost configuration is as follows:
|
| SSLEngine on
| SSLCertificateFile /etc/apache2/public.crt
  ^
| SSLCertificateKeyFile /etc/apache2/private.key
| SSLCACertificateFile /etc/apache2/interm.crt

I think this does not belong here, but I might be wrong.

| [Mon Jul 27 16:05:07 2009] [error] Init: Unable to read server
| certificate from file /etc/apache2/secure.canadaeast.com.public.crt
  ---^

It seems your Apache is looking for the cert in a different file than
you think. Probably because there is a different virtual host
configuration for the SSL one.

--
---
G & S Sistemas de Informacion, S.L. | Teléfono: 9 02 01 44 43
Victoriano Giralt                   | Land line: +34-952-207-241
Torre de San Telmo, 8               | Mobile: +34-670-332-720
E-29018 Malaga (Spain)              | http://www.gssi.es/
---
RE: modssl - URL's under domain name not found
Well, the AllowOverride manages what you are allowed to configure in .htaccess.

Order deny, allow
deny from all
Allow from 127.0.0.1

This manages who can access this server and from where. In your case you
can only access it from 127.0.0.1, aka localhost, your computer.

See the docs for more details:
http://httpd.apache.org/docs/2.2/howto/access.html

Mario

-----Original Message-----
Got it. Well, almost. It seems that where my https connection was
concerned, I was running with AllowOverride None, so none of the rewrite
directives in the .htaccess file were being processed. So I've solved this
by 'opening up' my development machine by specifying on all directories:

AllowOverride All
Order deny, allow
deny from all
Allow from 127.0.0.1

I still don't fully understand, as those are the directives I was running
for my drupal install directory already. Furthermore, the .htaccess file
in that directory was being processed and allowing my ordinary http URL's
to be rewritten properly. Obviously https is different 'somehow', so any
explanations will be welcome. Meanwhile, I can get on and start playing
with ssl on my development machine
RE: modssl - URL's under domain name not found
Got it. Well, almost. It seems that where my https connection was
concerned, I was running with AllowOverride None, so none of the rewrite
directives in the .htaccess file were being processed. So I've solved this
by 'opening up' my development machine by specifying on all directories:

AllowOverride All
Order deny, allow
deny from all
Allow from 127.0.0.1

I still don't fully understand, as those are the directives I was running
for my drupal install directory already. Furthermore, the .htaccess file
in that directory was being processed and allowing my ordinary http URL's
to be rewritten properly. Obviously https is different 'somehow', so any
explanations will be welcome. Meanwhile, I can get on and start playing
with ssl on my development machine

Mario Brandt wrote:
>
> I guess the rewriting is not turned on in the SSL vhost. Else there
> should be a rewriting to a php file which works with PATH_INFO
>
> You may check that out.
>
> Mario
>
> -----Original Message-----
> From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org] On Behalf Of glowkeeper
> Sent: Monday, July 20, 2009 10:53 AM
> To: modssl-users@modssl.org
> Subject: RE: modssl - URL's under domain name not found
>
> The error log says (for example):
>
> [Mon Jul 20 09:40:21 2009] [error] [client 127.0.0.1] File does not exist: /Library/WebServer/Documents/drupal/electric-heater-info, referer: https://devel.cosyheart.com/
>
> Actually, my original post is a bit misleading - the content is
> delivered via drupal and a MySQL database, not from a filesystem.
> Furthermore, that database is replicated between the devel' and live
> server (so they are EXACTLY the same), and all works just fine under
> normal http. As I said, ssl also works on the live server, but not on
> the dev machine (other than the home page).
>
> Mario Brandt wrote:
>>
>> Hi!
>> What is in your error log about that?
>>
>> Mario
>>
>> -----Original Message-----
>> From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org] On Behalf Of glowkeeper
>> Sent: Sunday, July 19, 2009 9:38 PM
>> To: modssl-users@modssl.org
>> Subject: modssl - URL's under domain name not found
>>
>> I am running modssl under apache 2.2.11 on my development server using
>> mac os x 10.5.
>>
>> I have created self signed certificates using openssl for this machine.
>>
>> https://devel works just fine.
>>
>> https://devel/directory generates a 404 file not found error.
>>
>> https://devel/anotherdirectory/etcetc also generates a 404.
>>
>> I have a very similar setup on a live server that's running Centos
>> 5.1, apache 2.2.3, modssl and an ssl certificate via Comodo. This is
>> working just fine - all URL's resolve properly.
>>
>> I have tried copying the conf' files on the live and devel' server
>> line for line, but I don't seem to be able to overcome the error on my
>> development machine.
>>
>> Does anyone have any idea what the problem on my development machine
>> might be? Any pointers would be welcome.
RE: modssl - URL's under domain name not found
Sounds good - I have checked that I'm loading mod_rewrite.so and tried "RewriteEngine On" in the ssl vhost on the dev machine - but that didn't work. So what else do I need to check regarding? I'm also confused why it should then be working on my live machine when the config' files are almost identical... I'm obviously missing something though :) Mario Brandt wrote: > > I guess the rewriting is not turned on in the SSL vhost. Else there > should be a rewriting to a php file which works with PATH_INFO > > You may check that out. > > Mario > > -Original Message- > From: owner-modssl-us...@modssl.org > [mailto:owner-modssl-us...@modssl.org] On Behalf Of glowkeeper > Sent: Monday, July 20, 2009 10:53 AM > To: modssl-users@modssl.org > Subject: RE: modssl - URL's under domain name not found > > > The error log says (for example): > > [Mon Jul 20 09:40:21 2009] [error] [client 127.0.0.1] File does not > exist: > /Library/WebServer/Documents/drupal/electric-heater-info, referer: > https://devel.cosyheart.com/ > > Actually, my original post is a bit misleading - the content is > delivered via drupal and a MySQL database, not from a filesystem. > Furthermore, that database is replicated between the devel' and live > server (so they are EXACTLY the same), and all works just fine under > normal http. As I said, ssl also works on the live server, but not on > the dev machine (other than the home page). > > > Mario Brandt wrote: >> >> Hi! >> What is in your error log about that? >> >> Mario >> >> -Original Message- >> From: owner-modssl-us...@modssl.org >> [mailto:owner-modssl-us...@modssl.org] On Behalf Of glowkeeper >> Sent: Sunday, July 19, 2009 9:38 PM >> To: modssl-users@modssl.org >> Subject: modssl - URL's under domain name not found >> >> >> I am running modssl under apache 2.2.11 on my development server using > >> mac os x 10.5. >> >> I have created self signed certificates using openssl for this > machine. >> >> https://devel works just fine. 
>> >> https://devel/directory generates a 404 file not found error. >> >> https://devel/anotherdirectory/etcetc also generates a 404. >> >> I have a very similar setup on a live server that's running Centos >> 5.1, apache 2.2.3, modssl and an ssl certificate via Comodo. This is >> working just fine - all URL's resolve properly. >> >> I have tried copying the conf' files on the live and devel' server >> line for line, but I don't seem to be able to overcome the error on my > >> development machine. >> >> Does anyone have any idea what the problem on my development machine >> might by? Any pointers would be welcome. >> -- >> View this message in context: >> http://www.nabble.com/modssl---URL%27s-under-domain-name-not-found-tp2 >> 45 >> 33884p24533884.html >> Sent from the mod_ssl - Users mailing list archive at Nabble.com. >> >> __ >> Apache Interface to OpenSSL (mod_ssl) www.modssl.org >> User Support Mailing List modssl-users@modssl.org >> Automated List Managermajord...@modssl.org >> __ >> Apache Interface to OpenSSL (mod_ssl) www.modssl.org >> User Support Mailing List modssl-users@modssl.org >> Automated List Managermajord...@modssl.org >> >> > > -- > View this message in context: > http://www.nabble.com/modssl---URL%27s-under-domain-name-not-found-tp245 > 33884p24566061.html > Sent from the mod_ssl - Users mailing list archive at Nabble.com. > > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List modssl-users@modssl.org > Automated List Managermajord...@modssl.org > __ > Apache Interface to OpenSSL (mod_ssl) www.modssl.org > User Support Mailing List modssl-users@modssl.org > Automated List Managermajord...@modssl.org > > -- View this message in context: http://www.nabble.com/modssl---URL%27s-under-domain-name-not-found-tp24533884p24566482.html Sent from the mod_ssl - Users mailing list archive at Nabble.com. 
RE: modssl - URL's under domain name not found
I guess the rewriting is not turned on in the SSL vhost. Else there should be a rewriting to a php file which works with PATH_INFO

You may check that out.

Mario

-----Original Message-----
From: owner-modssl-us...@modssl.org On Behalf Of glowkeeper
Sent: Monday, July 20, 2009 10:53 AM
To: modssl-users@modssl.org
Subject: RE: modssl - URL's under domain name not found

The error log says (for example):

[Mon Jul 20 09:40:21 2009] [error] [client 127.0.0.1] File does not exist: /Library/WebServer/Documents/drupal/electric-heater-info, referer: https://devel.cosyheart.com/

Actually, my original post is a bit misleading - the content is delivered via drupal and a MySQL database, not from a filesystem. Furthermore, that database is replicated between the devel and live server (so they are EXACTLY the same), and all works just fine under normal http. As I said, ssl also works on the live server, but not on the dev machine (other than the home page).

Mario Brandt wrote:
> Hi!
> What is in your error log about that?
>
> Mario
>
> -----Original Message-----
> From: owner-modssl-us...@modssl.org On Behalf Of glowkeeper
> Sent: Sunday, July 19, 2009 9:38 PM
> To: modssl-users@modssl.org
> Subject: modssl - URL's under domain name not found
>
> I am running modssl under apache 2.2.11 on my development server using mac os x 10.5.
>
> I have created self signed certificates using openssl for this machine.
>
> https://devel works just fine.
>
> https://devel/directory generates a 404 file not found error.
>
> https://devel/anotherdirectory/etcetc also generates a 404.
>
> I have a very similar setup on a live server that's running Centos 5.1, apache 2.2.3, modssl and an ssl certificate via Comodo. This is working just fine - all URLs resolve properly.
>
> I have tried copying the conf files on the live and devel server line for line, but I don't seem to be able to overcome the error on my development machine.
>
> Does anyone have any idea what the problem on my development machine might be? Any pointers would be welcome.
RE: modssl - URL's under domain name not found
The error log says (for example):

[Mon Jul 20 09:40:21 2009] [error] [client 127.0.0.1] File does not exist: /Library/WebServer/Documents/drupal/electric-heater-info, referer: https://devel.cosyheart.com/

Actually, my original post is a bit misleading - the content is delivered via drupal and a MySQL database, not from a filesystem. Furthermore, that database is replicated between the devel and live server (so they are EXACTLY the same), and all works just fine under normal http. As I said, ssl also works on the live server, but not on the dev machine (other than the home page).

Mario Brandt wrote:
> Hi!
> What is in your error log about that?
>
> Mario
>
> -----Original Message-----
> From: owner-modssl-us...@modssl.org On Behalf Of glowkeeper
> Sent: Sunday, July 19, 2009 9:38 PM
> To: modssl-users@modssl.org
> Subject: modssl - URL's under domain name not found
>
> I am running modssl under apache 2.2.11 on my development server using mac os x 10.5.
>
> I have created self signed certificates using openssl for this machine.
>
> https://devel works just fine.
>
> https://devel/directory generates a 404 file not found error.
>
> https://devel/anotherdirectory/etcetc also generates a 404.
>
> I have a very similar setup on a live server that's running Centos 5.1, apache 2.2.3, modssl and an ssl certificate via Comodo. This is working just fine - all URLs resolve properly.
>
> I have tried copying the conf files on the live and devel server line for line, but I don't seem to be able to overcome the error on my development machine.
>
> Does anyone have any idea what the problem on my development machine might be? Any pointers would be welcome.
RE: modssl - URL's under domain name not found
Hi!
What is in your error log about that?

Mario

-----Original Message-----
From: owner-modssl-us...@modssl.org On Behalf Of glowkeeper
Sent: Sunday, July 19, 2009 9:38 PM
To: modssl-users@modssl.org
Subject: modssl - URL's under domain name not found

I am running modssl under apache 2.2.11 on my development server using mac os x 10.5.

I have created self signed certificates using openssl for this machine.

https://devel works just fine.

https://devel/directory generates a 404 file not found error.

https://devel/anotherdirectory/etcetc also generates a 404.

I have a very similar setup on a live server that's running Centos 5.1, apache 2.2.3, modssl and an ssl certificate via Comodo. This is working just fine - all URLs resolve properly.

I have tried copying the conf files on the live and devel server line for line, but I don't seem to be able to overcome the error on my development machine.

Does anyone have any idea what the problem on my development machine might be? Any pointers would be welcome.
Re: SSL connection between Apache and Tomcat failing
Iain:

Wow! Am I glad to hear from you! I've been wrestling with exactly this problem - error on:

  OpenSSL: read 5/5 bytes from BIO

- for a few weeks now; was beginning to think I was losing my mind. (While we leave that possibility aside for the moment(!),) here's what's different about our environment: Apache/2.2.11 (Unix - Solaris SPARC) mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9. We are using certificate authentication. Seeing this behavior under Firefox (Mac); haven't tried it using mobile browsers, though, presumably, you may be using a Mozilla-based mobile browser...

We've recently upgraded to these current versions of Apache and OpenSSL, but the error behavior has not been impacted. The incessant prompting for the certificate can be interrupted by setting Firefox's Advanced > Encryption > "When a server requests my certificate" > "Select one automatically" option. The above read error persists, however...

The primary impact is - apparently - that the SSL session is constantly re-negotiated for the GET of each page element; loading a single page might generate 8-10 prompts for the certificate. We have fiddled with various settings for the Renegotiation buffer, including which buffer engine is used, its size, etc., all to no avail. Some of the settings result in Apache configuration errors, so I wonder if we're into an Apache - or mod_ssl - 'black hole' region. My quick research on this indicates that others have run into it, some have simply ignored it, but none have solved it. Hopefully we'll come up with something.

Lou

----- Original Message -----
From: "I Emsley (Iain)"
To: modssl-users@modssl.org
Sent: Friday, July 17, 2009 8:56:23 AM GMT -05:00 US/Canada Eastern
Subject: SSL connection between Apache and Tomcat failing

I've got a website which uses Apache 2.2 as the front end with Tomcat 5.5.23 as the backend and am using mod_ssl and mod_proxy to link the two together on Windows Server 2003.

Normally there isn't an issue with the two servers serving the website but recently (and mainly, it appears, with mobile browsers), I'm getting the following errors:

[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1760): OpenSSL: Loop: SSLv3 read finished A
[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_kernel.c(1756): OpenSSL: Handshake: done
[Fri Jul 17 09:52:29 2009] [info] Connection: Client IP: 130.246.76.83, Protocol: TLSv1, Cipher: DHE-RSA-AES256-SHA (256/256 bits)
[Fri Jul 17 09:52:29 2009] [debug] ssl_engine_io.c(1817): OpenSSL: read 5/5 bytes from BIO
Re: Restricting access by arbitrary certificate extension
Zhumabekov - discussion of mod_ssl for httpd 2.x takes place on the development list for Apache httpd, CC'ed. (I'm quoting the full mail inline for reference of dev@ readers.)

On Wed, May 06, 2009 at 10:49:46AM +0600, Zhumabekov Yerden wrote:
> mod_ssl can perform client authentication on certificate in Apache and client authorization on certain certificate extensions. We are setting up a CA here and we want to restrict access to a certain website by checking the presence of a certain certificate extension using its OID. The syntax which mod_ssl is forcing us to use is the following:
>
>   SSLRequire "some string" in OID("1.2.3.4.....")
>
> As you can see, we need to match this string exactly in the extension's value. We can encounter a problem with this, because this extension may not be listed in the openssl list of valid extensions (crypto/objects/objects.h). As I learned the mod_ssl and openssl code, mod_ssl would not be able to match the string because the object of this OID does not have a valid NID in openssl. OpenSSL seems incapable of determining the type of an arbitrary extension we want to use as a restricting factor. Hence, mod_ssl can not even extract its value from the certificate.
>
> Well, I poked around the problem for some time and found no other way than to patch mod_ssl by adding one new function in ssl_expr_eval.c which does almost the same thing as ssl_extlist_by_oid() and ssl_expr_eval_oid() but does not intend to extract the value of the certificate extension. I also added some change to ssl_expr_eval_comp(), so if you supply the zero-length word in SSLRequire, it uses my new function instead of ssl_expr_eval_oid(). So, the new syntax is like this:
>
>   SSLRequire "" in OID("1.2.3.4.....")
>
> If you are aware of a more attractive and "right" way to make it, please acknowledge. My patch for apache-2.2.11 is attached.

I'd rather see a different syntax used for the new semantics, such as:

  SSLRequire has_oid("1.2.3.4")

though I'm not sure whether the SSLRequire parser can cope with that.

Regards, Joe
Re: SSLRequireSSL Ineffective
Some more info -- if I add this same Directory section to httpd.conf it works fine and forces https access. It's like the line

  Include conf/extra/httpd-ssl.conf

in httpd.conf has no effect -- why would that be?

Thanks,
Lee
Re: Client Verification with sub ca's
Thanks, that works. A little tricky if you want to use SSLVerifyClient optional, as it 403s everything in that case instead of just not filling in the client variables. But I can always do that programmatically if I need it.
Re: Client Verification with sub ca's
Hi,

Same setup as works with both subCAs. Use the SSLRequire directive. Restrict on the client cert's issuer field (SSL_CLIENT_I_DN...).

Regards
Matt

----- Original Message -----
From: leanmeandonothingmachine
To: modssl-users@modssl.org
Sent: Thursday, March 12, 2009 2:03:07 PM
Subject: Client Verification with sub ca's

I have a self signed ca, with multiple sub-ca's.

  root
    -sub-ca1
    -sub-ca2
    -server

I sign client certificates with either -sub-ca1 or -sub-ca2, and use server to sign certificates for the actual website. So in my apache config, I have this:

  SSLEngine on
  SSLOptions +stdEnvVars
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /data/keys/test.crt
  SSLCertificateKeyFile /data/keys/test.key
  SSLCertificateChainFile /data/keys/chain.pem
  SSLVerifyClient require
  SSLVerifyDepth 2
  SSLCACertificateFile /data/keys/ca.pem

test.crt is signed by server. chain.pem contains server and root in that order. ca.pem contains sub-ca2 and root in that order.

Everything seems to work fine except for the fact that the website also accepts client certificates signed by sub-ca1. But I'm trying to restrict this site to only sub-ca2 clients. I tried:

1) removing the root from ca.pem, that gives me a "Certificate Verification: Error (2): unable to get issuer certificate" error.
2) removing the root from ca.pem adding sub-ca2 to chain.pem, same error.
3) changing SSLVerifyDepth to 1, that gives me a "Certificate Verification: Certificate Chain too long (chain has 2 certificates, but maximum allowed are only 1)" error.

Anyone know how to get apache to only allow clients from one sub-ca but not others signed by the same root?
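An added example, not from the thread and not mod_ssl's own code: the hierarchy from the post rebuilt with the openssl CLI (constructed names root, sub-ca1, sub-ca2, client1, client2). It shows that a CA file of sub-ca2 plus root still validates sub-ca1 clients, that dropping the root reproduces the error (2) the poster saw, and that the issuer DN is what actually separates the two sub-CAs, which is why the SSLRequire check on SSL_CLIENT_I_DN is the fix.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the poster's CA tree with the
# openssl CLI and test what a trust store of "sub-ca2 + root" really accepts.
# Every name and file below is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for a CA certificate (the sub-CAs need these or OpenSSL
# refuses to use them as issuers) and for an end-entity client certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf.ext

# new_key_and_csr NAME: fresh RSA key plus a CSR with subject /CN=NAME
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# sign_with ISSUER NAME EXTFILE: issue NAME.crt from NAME.csr under ISSUER
sign_with() {
  openssl x509 -req -days 1 -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -extfile "$3" -out "$2.crt" 2>/dev/null
}

# root -> sub-ca1, sub-ca2; one client certificate under each sub-CA.
new_key_and_csr root
openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext -out root.crt 2>/dev/null
for ca in sub-ca1 sub-ca2; do new_key_and_csr "$ca"; sign_with root "$ca" ca.ext; done
new_key_and_csr client1; sign_with sub-ca1 client1 leaf.ext
new_key_and_csr client2; sign_with sub-ca2 client2 leaf.ext

# SSLCACertificateFile as in the post: sub-ca2 and root, in that order.
cat sub-ca2.crt root.crt > ca.pem
# What a TLS client sends alongside its certificate (SSLVerifyDepth 2 allows it).
cat sub-ca1.crt sub-ca2.crt > intermediates.pem

# chain_verifies CLIENT: does the client chain to the trust store? Prints OK/FAIL.
chain_verifies() {
  if openssl verify -CAfile ca.pem -untrusted intermediates.pem "$1.crt" 2>/dev/null | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

# Attempt (1) from the post: CA file without the root. OpenSSL does not treat a
# bare intermediate as a trust anchor, so this fails for every client with
# "unable to get issuer certificate" (error 2), exactly as reported.
chain_verifies_without_root() {
  if openssl verify -CAfile sub-ca2.crt -untrusted intermediates.pem "$1.crt" 2>/dev/null | grep -q ': OK$'; then
    echo OK
  else
    echo FAIL
  fi
}

# issuer_of CLIENT: issuer DN in RFC 2253 form (stable across openssl versions).
# mod_ssl 2.2 hands the same name to SSLRequire as SSL_CLIENT_I_DN, in
# OpenSSL "oneline" form such as /CN=sub-ca2.
issuer_of() {
  openssl x509 -noout -issuer -nameopt RFC2253 -in "$1.crt" | sed 's/^issuer= *//'
}

# authorize CLIENT: the policy the poster wants, the equivalent of
#   SSLVerifyClient require  plus  SSLRequire %{SSL_CLIENT_I_DN} eq "/CN=sub-ca2"
# Chain validity alone admits both sub-CAs; the issuer comparison restricts.
authorize() {
  if [ "$(chain_verifies "$1")" = OK ] && [ "$(issuer_of "$1")" = "CN=sub-ca2" ]; then
    echo allow
  else
    echo deny
  fi
}

for c in client1 client2; do
  printf '%s: chain=%s without_root=%s issuer=%s -> %s\n' "$c" \
    "$(chain_verifies "$c")" "$(chain_verifies_without_root "$c")" \
    "$(issuer_of "$c")" "$(authorize "$c")"
done
```

Expected output: client1 chains OK but is denied (issuer CN=sub-ca1); client2 chains OK and is allowed; both fail once the root is removed from the CA file.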
Re: Partitioned CRLs
Hi Gilles,

Thanks for your reply! :-)

The CA also offers OCSP, which is obviously the preferred way to validate certificate status. I am just trying to make sure that there is support from the "applications world" for such a CRL partitioning scheme. Wide interoperability is a key goal.

Regards,
Nuno Ponte

On Tue, Oct 21, 2008 at 11:04 AM, Cuesta Gilles <[EMAIL PROTECTED]> wrote:
> Nuno Ponte wrote:
>> Hi,
>>
>> We are running a CA that has thousands of revoked certificates, which leads to CRLs of several MBytes.
>>
>> On the next renewal of the CA, we are thinking of partitioning the CRLs at each X number of issued certificates. The issued certificates will have different CRL Distribution Points (CDP) according to the partitions they are assigned.
>>
>> For example, for X=100, from certificate 1 to certificate 100, the CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101 to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.
>>
> The CDP is embedded when creating the certificate, so it might be possible (client side).
>
> Server side, you can stack as many CRLs as you want into either a single file, or a directory (using hashing) and point to it in Apache.
> But you may apply a patch for multiple identical DN handling.
> http://marc.info/?l=apache-httpd-dev&m=120350484626015&q=p3
>
> Why didn't you implement OCSP into Apache?
> http://sitola.fi.muni.cz/%7Etauceti/?download=ocsp_apache_2.2.patch (I didn't test it anyway)
>
> --
> The Mona Lisa does not smile in front of Chuck Norris.
> Gilles CUESTA - Logiciels Libres
> 69139920
Re: Partitioned CRLs
Nuno Ponte wrote:
> Hi,
>
> We are running a CA that has thousands of revoked certificates, which leads to CRLs of several MBytes.
>
> On the next renewal of the CA, we are thinking of partitioning the CRLs at each X number of issued certificates. The issued certificates will have different CRL Distribution Points (CDP) according to the partitions they are assigned.
>
> For example, for X=100, from certificate 1 to certificate 100, the CDP would be http://myca.com/crl/myca-0001.crl, from certificate 101 to 200 the CDP would be http://myca.com/crl/myca-0002.crl, and so on.
>
The CDP is embedded when creating the certificate, so it might be possible (client side).

Server side, you can stack as many CRLs as you want into either a single file, or a directory (using hashing) and point to it in Apache.
But you may apply a patch for multiple identical DN handling.
http://marc.info/?l=apache-httpd-dev&m=120350484626015&q=p3

Why didn't you implement OCSP into Apache?
http://sitola.fi.muni.cz/%7Etauceti/?download=ocsp_apache_2.2.patch (I didn't test it anyway)

--
The Mona Lisa does not smile in front of Chuck Norris.
Gilles CUESTA - Logiciels Libres
69139920
Re: unable to start apache with 2 certificates
Jorge Martín Cuervo wrote:
> I tried with an SSLPassPhraseDialog in every VirtualHost and I get this message:
>
> [EMAIL PROTECTED] bin]$ ./apachectl -S
> Syntax error on line 82 of /home/jmartin/apache22/conf/extra/httpd-ssl.conf:
> SSLPassPhraseDialog cannot occur within <VirtualHost> section
>
> "or unciphered key ?" How can I do it? Do I need to contact my certificate provider?
>
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC31

Your key may be stored unciphered on your server.

--
Why did Pierre Lescure leave Canal? Because he thought of creating a Chuck Norris puppet on Les Guignols de l'info!!!
Gilles CUESTA - Logiciels Libres
69139920
Re: unable to start apache with 2 certificates
I tried with an SSLPassPhraseDialog in every VirtualHost and I get this message:

[EMAIL PROTECTED] bin]$ ./apachectl -S
Syntax error on line 82 of /home/jmartin/apache22/conf/extra/httpd-ssl.conf:
SSLPassPhraseDialog cannot occur within <VirtualHost> section

"or unciphered key ?" How can I do it? Do I need to contact my certificate provider?

Thanks.

On Mon, 20-10-2008 at 10:32 +0200, Jorge Martín Cuervo wrote:
> Did you try with SSLPassPhraseDialog in each VirtualHost ?

--
;-)
Jorge Martin Cuervo
Outsourcing Emarketplace
deFacto Powered by Standards
Re: unable to start apache with 2 certificates
Hi Gilles,

Thanks for your quick reply. No, I am going to read the documentation about SSLPassPhraseDialog.

This is my apachectl -S output:

[EMAIL PROTECTED] bin]$ ./apachectl -S
VirtualHost configuration:
213.134.38.66:443      cv.smra.org (/home/jmartin/apache22/conf/extra/httpd-ssl.conf:266)
213.134.38.54:443      www.smartcv.org (/home/jmartin/apache22/conf/extra/httpd-ssl.conf:81)
wildcard NameVirtualHosts and _default_ servers:
*:80                   is a NameVirtualHost
         default server protean.eu (/home/jmartin/apache22/conf/httpd.conf:490)
         port 80 namevhost protean.eu (/home/jmartin/apache22/conf/httpd.conf:490)
         port 80 namevhost madrid.protean.eu (/home/jmartin/apache22/conf/httpd.conf:506)
         port 80 namevhost portal.protean.eu (/home/jmartin/apache22/conf/httpd.conf:519)
         port 80 namevhost uk.protean.eu (/home/jmartin/apache22/conf/httpd.conf:532)
         port 80 namevhost portaldeempleo.curtidora.com (/home/jmartin/apache22/conf/httpd.conf:545)
         port 80 namevhost ofertasdeempleo.curtidora.com (/home/jmartin/apache22/conf/httpd.conf:557)
         port 80 namevhost smra.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:572)
         port 80 namevhost gijon.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:580)
         port 80 namevhost esapa.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:588)
         port 80 namevhost curtidora.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:596)
         port 80 namevhost candidato.curtidora.com (/home/jmartin/apache22/conf/httpd.conf:604)
         port 80 namevhost demo.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:617)
         port 80 namevhost democv.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:624)
         port 80 namevhost fade.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:638)
         port 80 namevhost fadecv.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:645)
         port 80 namevhost flc.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:659)
         port 80 namevhost flccv.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:666)
         port 80 namevhost smartcv.org (/home/jmartin/apache22/conf/httpd.conf:680)
         port 80 namevhost coiipa.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:708)
         port 80 namevhost coiial.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:715)
         port 80 namevhost colegiado.coiial.net (/home/jmartin/apache22/conf/httpd.conf:724)
         port 80 namevhost ofertas.coiial.net (/home/jmartin/apache22/conf/httpd.conf:736)
         port 80 namevhost empleo.coiial.net (/home/jmartin/apache22/conf/httpd.conf:747)
         port 80 namevhost coiil.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:761)
         port 80 namevhost coiia.smartcv.org (/home/jmartin/apache22/conf/httpd.conf:768)
         port 80 namevhost smartemployer.org (/home/jmartin/apache22/conf/httpd.conf:778)
         port 80 namevhost asturiasotrabajas.com (/home/jmartin/apache22/conf/httpd.conf:792)
         port 80 namevhost asturiasytrabajas.com (/home/jmartin/apache22/conf/httpd.conf:806)
         port 80 namevhost media.protean.eu (/home/jmartin/apache22/conf/httpd.conf:820)
         port 80 namevhost protean.es (/home/jmartin/apache22/conf/httpd.conf:832)
         port 80 namevhost colegios.protean.es (/home/jmartin/apache22/conf/httpd.conf:846)
         port 80 namevhost opea.protean.es (/home/jmartin/apache22/conf/httpd.conf:858)
Syntax OK

On Mon, 20-10-2008 at 10:16 +0200, Cuesta Gilles wrote:
> Jorge Martín Cuervo wrote:
>> Hi all,
>>
>> I have a problem with an apache 2.2.9, maybe this is not the correct mailing list but I am going to ask, my apologies if this isn't the proper place.
>>
>> I had an instance of apache 2.2.9 with an IP serving contents with the port 80 and 443, we bought a godaddy certificate and all went pretty well, but we needed to install another certificate for another domain on the same machine. I had several domains and all work with vhosts with http, but when I first tried to use several vhosts for secure connections the apache seemed to restart well but stopped working.
>>
> Did you try with SSLPassPhraseDialog in each VirtualHost ? or an unciphered key ?
> Which is the result of httpd -S ?

--
;-)
Jorge Martin Cuervo
Outsourcing Emarketplace
deFacto Powered by Standards
Re: unable to start apache with 2 certificates
Jorge Martín Cuervo wrote:
> Hi all,
>
> I have a problem with an apache 2.2.9, maybe this is not the correct mailing list but I am going to ask, my apologies if this isn't the proper place.
>
> I had an instance of apache 2.2.9 with an IP serving contents with the port 80 and 443, we bought a godaddy certificate and all went pretty well, but we needed to install another certificate for another domain on the same machine. I had several domains and all work with vhosts with http, but when I first tried to use several vhosts for secure connections the apache seemed to restart well but stopped working.
>
Did you try with SSLPassPhraseDialog in each VirtualHost ? or an unciphered key ?

Which is the result of httpd -S ?

--
Gilles CUESTA - Logiciels Libres
69139920
Re: X509 variables ..UID
Peter Sylvester wrote:
> In ssl_engine_vars, there seems to be a problem to me concerning the UID field.
> The syntax for the field is a bitstring and not a "text".

Nothing has happened since I filed this bug and raised the issue here:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45107

It's broken => it should be fixed. Unfortunately no-one cares. :-(

Ciao,
Michael.
Re: Can i use CA signed cert to create client authentication certificates ?
Hi,

Asking every time does make it complicated. I can't remember if the firefox default is to ask or auto supply (and it has changed behavior between 1/2/3 AFAIK), I have it as ask every time. Anyway the ask every time FF behavior isn't very nice for users (auto supply is probably fine for most users). FF will also ask for a cert on every session ID change. As you know there isn't an ask once option, which would be very nice. I don't think there is much that can be done to "fix" it other than coding up an "ask once" option in FF (which I haven't got the time to do :( ).

Anyway you may also want to use/need the "SSLOptions +OptRenegotiate" if you have portions of the site that do and don't require client certs. It can help greatly with IE. Sometimes IE goes a little funny and renegotiates sessions all the time going from non-client cert to client cert areas.

Regards
Matt

----- Original Message -----
From: Jan Stian Gabrielli <[EMAIL PROTECTED]>
To: modssl-users@modssl.org
Sent: Thursday, September 25, 2008 9:37:00 AM
Subject: Re: Can i use CA signed cert to create client authentication certificates ?

Thank you very much Matt. That solved it :). I now have "Client Certificate Authentication" working with a CA signed certificate and a Self Signed CA which in turn signs client certs.

If I can only ask for a bit more advice regarding this setup? Although I think this problem might be Firefox specific I'm hoping for some advice here. Internet Explorer handles the client certificates fine, prompts me to select a certificate on connection to the site and basically just works after that. But when Firefox is set to "Ask me every time" instead of "auto select client certificate" I keep getting the select certificate pop up several (multiple) times per page request/load from the SSL secured Apache server. There is only one certificate in the select from dialog, but it keeps prompting me and I can see it loading "one" and "one" item (image) on the website.

If I switch to "Auto select certificate" it works. But it would be nice not having the browser present the certificate without it being the user's choice. And honestly, choosing it once per session per site should be sufficient.

I should probably mention that the page served up is behind a mod_proxy module. But this content should not differ for Firefox, and certificate selection. Or does the mod_ssl module prompt for a client certificate for each item loaded? I have googled this but can't find any good answers. Some say it is because of image objects loading, but why?

Best regards
Jan Stian Gabrielli

----- Original Message -----
Hi,

Basically...

  SSLCACertificateFile  SelfSignedCA Root Cert (public part)
  SSLVerifyClient       require or optional
  SSLVerifyDepth        1 (default)

and have the setup from the Thawte cert as per normal for the server cert.

Regards
Matt

----- Original Message -----
From: Jan Stian Gabrielli <[EMAIL PROTECTED]>
To: modssl-users@modssl.org
Sent: Tuesday, September 23, 2008 1:39:16 PM
Subject: Re: Can i use CA signed cert to create client authentication certificates ?

Ok. This seems like a viable solution. I.e. I use an approved CA signed cert to verify the site authenticity, and I use a self-signed CA root for client certificates. Can you point me in the direction of how I make this work in apache? I already have a setup with a self-signed CA working for client certificates.

  Created SelfSignedCA
    |--> Create and Sign Apache Cert from SelfSigned CA
    |--> Create and Sign Client Cert from SelfSigned CA

How do I incorporate this with a CA (thawte) signed webserver certificate?

Best regards
Wizkidnono

----- Original Message -----
Sounds like you're trying to use the thawte apache cert to sign your client certs? The thawte cert won't have the right attributes to sign a client cert and then try to use it. You could use your CA for client certs and Thawte for the server cert.

Regards
Matt

----- Original Message -----
From: Jan Stian Gabrielli <[EMAIL PROTECTED]>
To: modssl-users@modssl.org
Sent: Monday, September 22, 2008 7:54:37 PM
Subject: Can i use CA signed cert to create client authentication certificates ?

I am trying to set up apache with mod_ssl, and I have it working with a Self Signed CA. But I can not get it to work with a cert created by thawte.com. Does anyone know if it is possible to do this with a crt signed by a "third" party where one does not have access to their root ca key?

I.e. I have generated a:

  apache_server.key
  made an apache_server.csr and sent this for signing by thawte.com
  Received an apache_server.crt
  Created a client.key and a client.csr
  Signed it with my apache_server.key and apache_server.crt
  Converted the client.key,crt to a pkcs12 file and imported this into my browser

but I can
Re: Can i use CA signed cert to create client authentication certificates ?
Thank you very much Matt. That solved it :). I now have "Client Certificate Authentication" working with a CA signed certificate and a Self Signed CA which in turn signs client certs.

If I can only ask for a bit more advice regarding this setup? Although I think this problem might be Firefox specific, I'm hoping for some advice here. Internet Explorer handles the client certificates fine, prompts me to select a certificate on connection to the site and basically just works after that. But when Firefox is set to "Ask me every time" instead of "auto select client certificate" I keep getting the select certificate pop-up several (multiple) times per page request/load from the SSL secured Apache server. There is only one certificate in the select-from dialog, but it keeps prompting me and I can see it loading "one" and "one" item (image) on the website.

If I switch to "Auto select certificate" it works. But it would be nice not having the browser present the certificate without it being the user's choice. And honestly, choosing it once per session per site should be sufficient.

I should probably mention that the page served up is behind a mod_proxy module. But this content should not differ for Firefox and certificate selection. Or does the mod_ssl module prompt for a client certificate for each item loaded? I have googled this but can't find any good answers. Some say it is because of image objects loading, but why?

Best regards
Jan Stian Gabrielli

__
Apache Interface to OpenSSL (mod_ssl)      www.modssl.org
User Support Mailing List                  modssl-users@modssl.org
Automated List Manager                     [EMAIL PROTECTED]
Re: Can i use CA signed cert to create client authentication certificates ?
Hi,

Basically...

SSLCACertificateFile   SelfSignedCA Root Cert (public part)
SSLVerifyClient        require or optional
SSLVerifyDepth         1 (default)

and have the setup from the Thawte cert as per normal for the server cert.

Regards
Matt
Re: Can i use CA signed cert to create client authentication certificates ?
Ok. This seems like a viable solution. I.e. I use an approved CA signed cert to verify the site's authenticity, and I use a self-signed CA root for client certificates. Can you point me in a direction of how I make this work in Apache? I already have a setup with a self-signed CA working for client certificates.

Created SelfSignedCA
  |--> Create and Sign Apache Cert from SelfSigned CA
  |--> Create and Sign Client Cert from SelfSigned CA

How do I incorporate this with a CA (thawte) signed webserver certificate?

Best regards
Wizkidnono
Re: Can i use CA signed cert to create client authentication certificates ?
Sounds like you're trying to use the Thawte Apache cert to sign your client certs? The Thawte cert won't have the right attributes to sign a client cert and then try to use it. You could use your CA for client certs and Thawte for the server cert.

Regards
Matt

----- Original Message -----
From: Jan Stian Gabrielli <[EMAIL PROTECTED]>
To: modssl-users@modssl.org
Sent: Monday, September 22, 2008 7:54:37 PM
Subject: Can i use CA signed cert to create client authentication certificates ?

I am trying to set up Apache with mod_ssl, and I have it working with a Self Signed CA. But I can not get it to work with a cert created by thawte.com. Does anyone know if it is possible to do this with a crt signed by a "third" party where one does not have access to their root CA key? I.e. I have generated a:

apache_server.key
made an apache_server.csr and sent this for signing by thawte.com
Received an apache_server.crt
Created a client.key and a client.csr
Signed it with my apache_server.key and apache_server.crt
Converted the client.key,crt to a pkcs12 file and imported this into my browser

but I can not make things work. SSL works fine on the server on pages that do not require SSL client auth. As I stated earlier, it works when I create and self sign a CA, but I can't make it work when I use a 3rd party CA and only have apache_server.key, apache_server.crt, thawte root cert.

Best regards
Wizkidnono
Re: Authenticating users based on S/MIME certificate
Hi,

Have a look at mod_authz_ldap (LDAP based white listing, http://authzldap.othello.ch/). Probably far more than you need but it does things along the same lines and has some nice notes on how to do various bits and pieces.

You can add env vars that you can use in PHP; have a look at SSLOptions +StdEnvVars and +ExportCertData.

Regards
Matt

----- Original Message -----
From: Gunnar Vestergaard <[EMAIL PROTECTED]>
To: modssl-users@modssl.org
Sent: Sunday, September 21, 2008 12:10:16 AM
Subject: Authenticating users based on S/MIME certificate

Hi. I am an administrator of a user account at an Apache web server. Currently the server is running Apache 1.3.37. My hosting provider plans on switching to new hardware with possibly new software. So I don't know if my web server will be run on Apache 1.3.37 or Apache 2.0.

My goal is to let visitors of my web site authenticate themselves to my web server using some certificate, possibly S/MIME certificates. Now, my current S/MIME certificate for personal e-mail is approved for the following purposes:

Email Signer Certificate
Email Recipient Certificate

Is it possible to have such a certificate authenticate its user towards an SSL web server? In any case I want to have a limited crowd of users seeing a subdirectory of pages without bothering the user with a user name/password dialog. Just their personal certificate lets them see pages in a certain subdirectory.

As I understand the documentation for PHP, there is no means whereby PHP can read and interpret an SSL client certificate. Is that correct?

Gunnar
Re: Authenticating users based on S/MIME certificate
Gunnar Vestergaard wrote:
> My goal is to let visitors of my web site authenticate themselves to
> my web server using some certificate, possibly S/MIME certificates.
> As I understand the documentation for PHP, there is no means whereby
> PHP can read and interpret an SSL client certificate. Is that correct?

It's possible to configure Apache 2 to add the client certificate to a request header. From one of my configuration files:

RewriteCond ${ESC:%{SSL:SSL_CLIENT_CERT}} \
  ^.*(-BEGIN%20(X509%20|TRUSTED%20|)CERTIFICATE-(%0[Dd])?%0[Aa].*%0[Aa]-END%20\2CERTIFICATE-(%0[Dd])?%0[Aa]).*$
RewriteRule ^.*$ - [E=CLIENT_CERT:%1]
RequestHeader unset L-ClientCert
RequestHeader set L-ClientCert %{CLIENT_CERT}e env=CLIENT_CERT

The certificate is %-encoded to avoid problems with newline characters. Presumably PHP can use the string in the header to match the certificate against a list of known certificates. The certificate digest would be less unwieldy than the entire certificate, but mod_ssl would need some simple changes to make the digest available and I would be reluctant to use a hosting provider who allowed customers to use a modified mod_ssl.

Dave Sparks
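The application side of the scheme Dave describes, as an added example that is not part of the original message: the backend undoes the %-encoding of the forwarded L-ClientCert header, recovers the DER bytes from the PEM block, and compares a SHA-256 digest of them against an allowlist, so the digest comparison Dave wanted can be done in the application without touching mod_ssl. It assumes the front-end httpd sets the header exactly as the RewriteCond/RequestHeader lines above do and unsets any client-supplied copy first (the "RequestHeader unset" line), so the header can only have come from httpd; the certificate bytes and the allowlist are constructed placeholders, not real certificates.

```python
"""Match a client certificate forwarded in a request header against an
allowlist of certificate digests (added example; assumes the header was set
by httpd from SSL_CLIENT_CERT and stripped from client input first)."""
import base64
import binascii
import hashlib
import re
from urllib.parse import quote, unquote

# Constructed sample: NOT a real certificate, just bytes standing in for a
# DER body so the PEM/%-encoding round trip and the digest match can run.
SAMPLE_DER = b"constructed-not-a-real-certificate-" + bytes(range(32))


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (base64, 76-char lines)."""
    body = base64.encodebytes(der).decode("ascii")  # ends with "\n"
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def encode_header_value(pem: str) -> str:
    """Percent-encode a PEM block so spaces and newlines survive in a header
    (approximates the escape map used above: letters/digits stay, the rest
    becomes %XX)."""
    return quote(pem, safe="")


# Accept the same BEGIN/END variants the RewriteCond regex above does.
_PEM_RE = re.compile(
    r"-----BEGIN (X509 |TRUSTED |)CERTIFICATE-----\r?\n(.*?)\r?\n-----END \1CERTIFICATE-----",
    re.DOTALL,
)


def header_to_der(header_value: str) -> bytes:
    """Undo the %-encoding and base64-decode the PEM body back to DER.
    Raises ValueError if the header does not carry a well-formed block."""
    m = _PEM_RE.search(unquote(header_value))
    if not m:
        raise ValueError("no PEM certificate in header")
    body = "".join(m.group(2).split())  # drop the line breaks
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM body is not valid base64") from exc


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding: the usual 'certificate digest'."""
    return hashlib.sha256(der).hexdigest()


# Constructed allowlist of trusted digests. In a real deployment this is
# filled from the DER of the known certificates, not computed at runtime.
ALLOWED_FINGERPRINTS = {fingerprint(SAMPLE_DER)}


def is_authorized(header_value: str) -> bool:
    """True only if the forwarded certificate's digest is on the allowlist;
    any malformed header is treated as unauthenticated."""
    try:
        return fingerprint(header_to_der(header_value)) in ALLOWED_FINGERPRINTS
    except ValueError:
        return False


if __name__ == "__main__":
    good = encode_header_value(make_pem(SAMPLE_DER))
    other = encode_header_value(make_pem(b"someone else"))
    print("known cert authorized:", is_authorized(good))
    print("unknown cert authorized:", is_authorized(other))
```

The digest is computed over the DER bytes rather than the PEM text so that line-wrapping or BEGIN/END label differences do not change the result; the match is only meaningful because the proxy is the sole writer of the header.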
RE: SSL_CLIENT_S_DN & SSL_CLIENT_I_DN Formats
Hi,

I have noticed that the DN components of the SSL_CLIENT_S_DN and SSL_CLIENT_I_DN environment variables are separated by the '/' (forward slash) character rather than the ',' (comma) separator as required by RFC 2253. Is the use of the forward slash part of an older standard or is there another reason for its use? Is there a setting to change the format?

Thanks,
Ken Bolger
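A converter between the two formats Ken compares, as an added example that is not part of the original message. The '/'-separated form is OpenSSL's "oneline" DN output, which mod_ssl used for these variables at the time; httpd 2.3.11 and later default to an RFC 2253 style and keep the old one behind SSLOptions +LegacyDNStringFormat. The code assumes the oneline layout seen on this page (each component prefixed by '/', components in root-first order, values written without escaping) and turns it into the comma-separated, most-specific-first RFC 2253 string with the escaping that RFC requires. The sample DNs are constructed.

```python
"""Convert the '/'-separated DN string mod_ssl exports in SSL_CLIENT_S_DN and
SSL_CLIENT_I_DN into the RFC 2253 comma-separated form (added example;
assumes the oneline format shown on this page)."""
import re
from typing import List, Tuple

# Split only before "/TYPE=" so a '/' inside a value (e.g. CN=a/b) stays put.
# This is a heuristic: the oneline format does not escape '/', so a value
# that itself contains something like "/OU=" is genuinely ambiguous, which
# is one reason to avoid matching access rules on this representation.
_COMPONENT_SPLIT = re.compile(r"/(?=[A-Za-z0-9.]+=)")

# RFC 2253 section 2.4: these must be escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def parse_oneline(dn: str) -> List[Tuple[str, str]]:
    """'/O=x/OU=y/CN=z' -> [('O', 'x'), ('OU', 'y'), ('CN', 'z')]"""
    if not dn.startswith("/"):
        raise ValueError("oneline DN must start with '/'")
    rdns = []
    for part in _COMPONENT_SPLIT.split(dn[1:]):
        typ, sep, val = part.partition("=")
        if not sep or not typ:
            raise ValueError(f"malformed component: {part!r}")
        rdns.append((typ, val))
    return rdns


def escape_rfc2253(value: str) -> str:
    """Backslash-escape the characters RFC 2253 reserves in a value, plus a
    leading '#' and leading/trailing spaces."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in _SPECIAL
                or (ch == "#" and i == 0)
                or (ch == " " and i in (0, last))):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def oneline_to_rfc2253(dn: str) -> str:
    """RFC 2253 lists the most specific RDN first, so the order is reversed."""
    return ",".join(
        f"{typ}={escape_rfc2253(val)}" for typ, val in reversed(parse_oneline(dn))
    )


if __name__ == "__main__":
    # Constructed sample DN, not taken from any real certificate.
    print(oneline_to_rfc2253("/C=US/O=Example Corp/OU=People/CN=Jane Doe"))
    print(oneline_to_rfc2253("/O=Acme, Inc./CN=a/b"))
```

Whichever format the server hands you, compare DNs as whole strings in one canonical form rather than splitting them ad hoc; the oneline form in particular cannot be parsed unambiguously when a value contains a slash followed by something that looks like an attribute type.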
RE: Error when trying shmcb SSLSessionCache on 64-bit Windows
Hi Martin

I tried the short (8.3) version of the directory with no luck. Ah well...

Thanks
Johan
RE: Error when trying shmcb SSLSessionCache on 64-bit Windows
Hi Martin

1) I'm still reluctant to use an unofficial build, but it's good to know others are using it.

2) Wow, well spotted with your "(x86)" theory! It also failed with a relative path: logs/ssl_scache(512000), but depending on how the relative path is being translated to an absolute path behind the scenes, you might still be right... I'll try it out as soon as I can and let you know.

Thanks a lot
Johan

-----Original Message-----
From: Martin Dickau [mailto:[EMAIL PROTECTED]
Sent: 01 September 2008 12:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Error when trying shmcb SSLSessionCache on 64-bit Windows

I am using an unofficial 2.2.9 native on Windows Server 2003 64-bit (AMD64/EM64T) from http://www.blackdot.be/?inc=apache/binaries and am using shmcb without any trouble. You do need to install the VC++ 2005 64-bit redistributable runtime. I am also using the mod_jk build from that site, but I could not get the mod_log_rotate to run without crashing and had to build that one myself.

That said, the "invalid size" error and the fact that size is passed in parentheses as "(512000)" makes me wonder if it is reading the "(x86)" from the path as the size. Have you tried using C:/PROGRA~1/ (or PROGRA~2 -- whichever it is on your system) instead?

Regards,
Martin
Re: Cannot load libssl.so into server: ld.so.1: httpd: fatal: relocation error:
You did not configure your Apache with mod_ssl when you set it up. You need to rebuild your Apache.

On Thu, Aug 21, 2008 at 1:02 AM, Linda Lee <[EMAIL PROTECTED]> wrote:
> Hi all
>
> * I am using apache 1.3.41 with mod_ssl 2.8.31. I kept getting the below error:
>
> Starting httpd: httpd Syntax error on line 249 of /export/home/httpd/conf/httpd.conf:
> Cannot load /export/home/httpd/libexec/libssl.so into server: ld.so.1: httpd: fatal: relocation error: file /export/home/httpd/libexec/libssl.so: symbol inflateEnd: referenced symbol not found
> FAILED
>
> * In my httpd.conf, line 249 is:
> LoadModule ssl_module libexec/libssl.so
>
> * libssl.so's location is correct. It is in /export/home/httpd/libexec/.
>
> Thanks for your help
Re: redirect port
A few more hours of investigation revealed the solution:

RewriteCond %{HTTP_HOST} ^www.mydomain.com:8080 [NC]
RewriteRule ^/(.*) https://www.mydomain.com/$1 [L,R=301]

Sorry bout the html mail earlier.

Tim

----- Original Message -----
From: Tim Hester
To: modssl-users@modssl.org
Sent: Thursday, July 17, 2008 10:38 AM
Subject: redirect port

I have been using Apache/2.2.3 and Tomcat 5.5 as standalone servers. I'm adding SSL with mod_jk and mod_proxy_ajp to access Tomcat via SSL. I access my static content and cgi via http://www.mydomain.com/ and use mod_rewrite in .htaccess to redirect to https. This works fine as desired. I can access my webapp via http://www.mydomain.com:8080/MyWebApp, and this is the URL users have bookmarked. This continues to work. I can also access https://www.mydomain.com/MyWebApp. What I'd like to do is force a redirect from http://www.mydomain.com:8080/MyWebApp to https://www.mydomain.com/MyWebApp

Note: Tomcat is not under the Apache webroot.

Any assistance appreciated.

Thanks
Tim
Re: wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!
One small comment. I have tried for years to get off this mailing list. I have sent my request and it has always been effective, for say a month or so, then I get put back on the mailing list. And it keeps coming. My solution was to add it to my spam filter. It doesn't bother me that way and occasionally I drop in to see what the latest complaint is. In this case I couldn't agree with the message more. Perhaps the tone is not quite right. Somebody ought to fix mailing-list software so that once you are off you are really gone.

It is true that [EMAIL PROTECTED] ought to ask to be taken off the list; but it won't help much I'm afraid.

BUZ
Re: wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!
THANK'S
Re: wrong e-mail !!!!!!!!!!!!!!!!!!!!!!!
You know what, you are a f***en idiot. If you do not want to receive these emails, just get your name taken off from the list instead of b-shitting. Send an email to the [EMAIL PROTECTED] address (you can also find it at the bottom of this message) with the subject 'Remove me'. Ok?

On Mon, Jul 14, 2008 at 7:10 PM, <[EMAIL PROTECTED]> wrote:
> stop stop sending me this bs , i have no idea who are you stop !!!
Re: Apache removal of user's access rights
Michael Ströder wrote:
> That's the problem with HTTP basic authc.

This is Apache related, not modssl related. Whereas, there are technical ways to reproduce an end of session, using a secondary session_id, just like phpMyAdmin.
Re: Apache removal of user's access rights
Beth E. Okun wrote:
> We're running Apache with ssl enabled. We're using Basic authentication, and if the user browses away from our site and then comes back, they are not forced to log on again... it appears that these settings are being stored somewhere, or that the connection is not being closed.

How about reading about how Basic Authentication works? Or maybe watch the traffic with http://livehttpheaders.mozdev.org?

Basically the browser caches the username/password once entered for a HTTP authc realm and sends it in the header of every HTTP request. That's the problem with HTTP basic authc.

Ciao, Michael.
Re: SSL proxy
It seems like you might be confusing "shared infrastructure" with "single ip". As others have said, you need a distinct address for each SSL-enabled httpd or proxy, although they can reside on the same hardware.

A good example of this is the typical configuration for larger server farms. You find multiple High Availability load balancers in the DMZ for both http and https using something like ha/keepalived for linux. These proxy the incoming request back into private address space. The SSL proxies terminate the SSL connection and broker the request on behalf of the user and everything goes to the private address space in plain http. This allows each of the _real_ webservers to achieve better performance since the SSL overhead is not present.

While you can use Apache as an SSL-terminating proxy, I find I get better performance, lower memory utilization and easier configuration using Pound ( http://www.apsis.ch/pound/ ). Using keepalived, I have multiple public IP addresses floating between several hosts and pound binds https to those addresses.

Hope that adds a bit of additional clarity,
Dave

Cuesta Gilles sent forth:
> So what about this ?
> "*MULTIPLE CN (SAN) SERVER CERTIFICATES*
>
> This type of certificate (also called /Subject Alternative Name/ (SAN) ) enables to secure not only one website but a large number of sites (a list of sites) hosted on a shared infrastructure (server with multiple names, reverse proxy). Ideal to secure multiple brands of a corporation. One certificate per hardware is required."
>
> http://www.tbs-certificats.com/index.html.en
Re: SSL proxy
Eckard Wille wrote:
> Cuesta Gilles wrote:
>> "*MULTIPLE CN (SAN) SERVER CERTIFICATES* This type of certificate (also called /Subject Alternative Name/ (SAN) ) enables to secure not only one website but a large number of sites (a list of sites) hosted on a shared infrastructure (server with multiple names, reverse proxy). Ideal to secure multiple brands of a corporation. One certificate per hardware is required."
> This only means that one host can have several names by configuring ServerName and ServerAlias, but does not enable virtual hosting.

Hi Cuesta,

with some tricks you could achieve your goal by using the preconditions of mod_rewrite rules. If your ssl proxy has one single host entry with such a multi-named cert, it may be possible to rewrite via proxy after a look at the host header:

    RewriteEngine on
    # the [P] substitution has to be a full URL including the scheme
    RewriteCond %{HTTP_HOST} www.vhost1.com
    RewriteRule ^/(.*) http://www.internal.http.vhost1.com/$1 [P]
    RewriteCond %{HTTP_HOST} www.vhost2.com
    RewriteRule ^/(.*) http://www.internal.http.vhost2.com/$1 [P]

If this works for you depends also on the backend webapps, for example if they are capable of running behind a reverse proxy with a different http schema (HTTP<->HTTPS, servername references in html, internal redirects...).

Good luck
Eckard
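The dispatch step Eckard sketches with mod_rewrite (look at the Host header after the TLS front end has terminated the connection, then proxy to a plain-HTTP backend) is shown below as an added Go example; it is not code from the thread or from Apache, and the host names and backends are constructed for the example. It also carries the point Eckard raises about backends that only speak HTTP: the front end tells them the original scheme and host via X-Forwarded-Proto and X-Forwarded-Host so they can build correct absolute URLs. The host lookup is an exact match rather than the unanchored regex of a RewriteCond, so a look-alike name cannot be routed to a real backend.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Routes maps the public name the browser asked for (its Host header, which a
// TLS-terminating front end only sees after the handshake) to the plain-HTTP
// backend for that name. Both sides are constructed for this example.
var Routes = map[string]string{
	"www.vhost1.com": "http://www.internal.http.vhost1.com",
	"www.vhost2.com": "http://www.internal.http.vhost2.com",
}

// BackendFor looks up the backend for a Host header value. The name is compared
// exactly (case-folded, port stripped) rather than as a substring, so a
// look-alike such as www.vhost1.com.attacker.example is not routed anywhere.
func BackendFor(host string) (*url.URL, bool) {
	h := strings.ToLower(host)
	if i := strings.IndexByte(h, ':'); i >= 0 {
		h = h[:i]
	}
	target, ok := Routes[h]
	if !ok {
		return nil, false
	}
	u, err := url.Parse(target)
	return u, err == nil
}

// NewProxy returns the front-end handler: it refuses names it does not serve,
// otherwise forwards to the backend over plain HTTP and records the original
// scheme and host so the backend can build correct redirects and links.
func NewProxy() http.Handler {
	rp := &httputil.ReverseProxy{Director: func(req *http.Request) {
		if u, ok := BackendFor(req.Host); ok {
			req.URL.Scheme = u.Scheme
			req.URL.Host = u.Host
		}
		req.Header.Set("X-Forwarded-Proto", "https")
		req.Header.Set("X-Forwarded-Host", req.Host)
	}}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := BackendFor(r.Host); !ok {
			http.Error(w, "unknown host", http.StatusMisdirectedRequest)
			return
		}
		rp.ServeHTTP(w, r)
	})
}

// StartBackend starts a local demo backend that reports its label and the
// forwarded scheme, standing in for www.internal.http.vhostN.com.
func StartBackend(label string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%s proto=%s", label, r.Header.Get("X-Forwarded-Proto"))
	}))
}

// Fetch asks the front end for /index.html with the given Host header and
// returns status and body, as a browser for that name would see them.
func Fetch(front, host string) (int, string, error) {
	req, err := http.NewRequest("GET", front+"/index.html", nil)
	if err != nil {
		return 0, "", err
	}
	req.Host = host
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// Demo wires two demo backends behind the front end and fetches three test
// names, returning "status body" per Host header value.
func Demo() (map[string]string, error) {
	b1, b2 := StartBackend("vhost1-backend"), StartBackend("vhost2-backend")
	defer b1.Close()
	defer b2.Close()
	Routes["www.vhost1.com"], Routes["www.vhost2.com"] = b1.URL, b2.URL
	front := httptest.NewServer(NewProxy()) // in production: ListenAndServeTLS with the SAN cert
	defer front.Close()
	out := map[string]string{}
	for _, h := range []string{"www.vhost1.com", "WWW.VHOST2.COM:443", "other.example"} {
		code, body, err := Fetch(front.URL, h)
		if err != nil {
			return nil, err
		}
		out[h] = fmt.Sprintf("%d %s", code, body)
	}
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		log.Fatal(err)
	}
	for h, r := range out {
		log.Printf("Host %-20s -> %s", h, r)
	}
}
```

In the thread's 2008 setting the front end still needed one IP address per certificate because the name only became visible after the handshake; once TLS Server Name Indication became widely supported the name also travels in the ClientHello, which is what lets a single address serve several certificates today. The routing logic above is the same either way.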
Re: SSL proxy
Cuesta Gilles wrote:
> "*MULTIPLE CN (SAN) SERVER CERTIFICATES* This type of certificate (also called /Subject Alternative Name/ (SAN) ) enables to secure not only one website but a large number of sites (a list of sites) hosted on a shared infrastructure (server with multiple names, reverse proxy). Ideal to secure multiple brands of a corporation. One certificate per hardware is required."

This only means that one host can have several names by configuring ServerName and ServerAlias, but does not enable virtual hosting.

Eckard
Re: SSL proxy
Eckard Wille wrote:
> Cuesta Gilles wrote:
>> I thought that using wildcard or multi-cn certificates will work ?
> No.
>> In this case, only one certificate is needed for a range of Vhost
> If you only have one ip this won't make things better because virtual hosting is still not possible. Wildcard certs do not enable vHosting because the ssl handshake still takes place before the http host header can be evaluated. They were offered by CAs to make it easier for admins so they wouldn't have to fiddle around with dozens of certs and their validity management in a masshosting environment or for subdomains.

So what about this ?

"*MULTIPLE CN (SAN) SERVER CERTIFICATES* This type of certificate (also called /Subject Alternative Name/ (SAN) ) enables to secure not only one website but a large number of sites (a list of sites) hosted on a shared infrastructure (server with multiple names, reverse proxy). Ideal to secure multiple brands of a corporation. One certificate per hardware is required."
http://www.tbs-certificats.com/index.html.en

--
Gilles CUESTA - Logiciels Libres 69139920
Re: SSL proxy
Cuesta Gilles wrote:
> I thought that using wildcard or multi-cn certificates will work ?

No.

> In this case, only one certificate is needed for a range of Vhost

If you only have one ip this won't make things better because virtual hosting is still not possible. Wildcard certs do not enable vHosting because the ssl handshake still takes place before the http host header can be evaluated. They were offered by CAs to make it easier for admins so they wouldn't have to fiddle around with dozens of certs and their validity management in a masshosting environment or for subdomains.

Eckard
Re: SSL proxy
Eckard Wille wrote:
> [EMAIL PROTECTED] wrote:
>> I have several web servers currently that all have the same IP, but different host names, and I have an apache that uses mod_proxy to direct requests to the correct internal server to process the request. I would like to use my apache proxy server to provide SSL encryption and decryption, and not have to have each individual server do that. Is that possible? I have worked with virtual host configuration, and I have tried to set up the ssl stuff so that this will work, but so far I have not been successful. I have tried to search for this, but the closest I have come is proxy to an ssl server. I want to have the proxy server do the ssl stuff for me.
> Hi,
> you can not use SSL with virtual hosting, see http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47
> You'll have to get a dedicated ip for every single ssl host. You could play around with one ssl proxy on your single ip with a common name and do some rewriting according to an url prefix matching the secure parts of your backend virtual hosts; decide yourself if this config work is worth it.

I thought that using wildcard or multi-cn certificates will work ? In this case, only one certificate is needed for a range of Vhost

--
Gilles CUESTA - Logiciels Libres 69139920
Re: SSL proxy
[EMAIL PROTECTED] wrote:
> I have several web servers currently that all have the same IP, but different host names, and I have an apache that uses mod_proxy to direct requests to the correct internal server to process the request. I would like to use my apache proxy server to provide SSL encryption and decryption, and not have to have each individual server do that. Is that possible? I have worked with virtual host configuration, and I have tried to set up the ssl stuff so that this will work, but so far I have not been successful. I have tried to search for this, but the closest I have come is proxy to an ssl server. I want to have the proxy server do the ssl stuff for me.

Hi,

you can not use SSL with virtual hosting, see http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

You'll have to get a dedicated ip for every single ssl host. You could play around with one ssl proxy on your single ip with a common name and do some rewriting according to an url prefix matching the secure parts of your backend virtual hosts; decide yourself if this config work is worth it.

Regards
Eckard
Re: SSL proxy
How is it possible? By definition SSL does not allow different host names on the same IP:PORT. Or is there something I'm missing?

> -- Forwarded message --
> From: Gilles Cuesta (Gmail) <[EMAIL PROTECTED]>
> Date: Thu, Jul 10, 2008 at 10:38 PM
> Subject: Re: SSL proxy
> To: modssl-users@modssl.org
>
> [EMAIL PROTECTED] wrote:
>> I have several web servers currently that all have the same IP, but different host names, and I have an apache that uses mod_proxy to direct requests to the correct internal server to process the request.
>>
>> I would like to use my apache proxy server to provide SSL encryption and decryption, and not have to have each individual server do that.
>>
>> Is that possible?
>
> Apparently, understanding what you want to do, it's possible.
>
> It might depend on Apache / modssl versions
>
> One of the best ways is doing encrypted HTTPS between client and proxy and clear HTTP between proxy and real server.
> You can also do encrypted HTTPS between proxy and real server, just adding some Apache configuration.
Re: SSL proxy
[EMAIL PROTECTED] wrote:
> I have several web servers currently that all have the same IP, but different host names, and I have an apache that uses mod_proxy to direct requests to the correct internal server to process the request. I would like to use my apache proxy server to provide SSL encryption and decryption, and not have to have each individual server do that. Is that possible?

Apparently, understanding what you want to do, it's possible.

It might depend on Apache / modssl versions

One of the best ways is doing encrypted HTTPS between client and proxy and clear HTTP between proxy and real server.
You can also do encrypted HTTPS between proxy and real server, just adding some Apache configuration.
Re: SSLVerifyClient applies to parent directory
On Friday 27 June 2008, Florian Hackenberger wrote:
> I have another question: Has anyone successfully established a connection to an apache/mod_ssl server with client authentication using a java client? My client (code below) generates the following log (exception at the end) upon execution:

Sorry, please scrap my posting. I made an embarrassing mistake: Instead of exporting the client certificate including the public/private keypair from the browser and importing that into the keystore, I imported the certificate only, without the public/private keypair...

Thanks for your help once again!
Florian

--
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at
Re: SSLVerifyClient applies to parent directory
On Friday 27 June 2008, Joe Orton wrote:
> Yup. Changing the "SSLVerifyClient require" to:
>     SSLVerifyClient optional
>     SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

Thanks a lot! The workaround worked ;-). Please consider this issue solved.

I have another question: Has anyone successfully established a connection to an apache/mod_ssl server with client authentication using a java client? My client (code below) generates the following log (exception at the end) upon execution:

*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
main, WRITE: TLSv1 Handshake, length = 157
SESSION KEYGEN:
PreMaster Secret:
: 03 01 71 CC D3 DC AF 35 A3 A2 70 1C E5 9A 06 00 ..q5..p.
0010: 1F 8B 18 05 6E 55 69 4E 44 18 D2 E5 0A 57 FB D4 nUiNDW..
0020: 71 62 17 14 57 2A FE 8F 4D 5A CF 7A 82 09 31 8C qb..W*..MZ.z..1.
CONNECTION KEYGEN:
Client Nonce:
: 48 64 A7 92 45 15 E8 74 E3 75 A7 BD F7 E3 B8 82 Hd..E..t.u..
0010: 94 D4 1E 75 ED 3D D3 41 0E 5F BA 12 ED 47 E6 B1 ...u.=.A._...G..
Server Nonce:
: 48 64 A7 92 B5 6D 56 62 6D E3 7B 67 C7 08 78 13 Hd...mVbm..g..x.
0010: 45 47 5A 93 18 62 D4 E5 75 25 A1 65 F8 DD 85 86 EGZ..b..u%.e
Master Secret:
: 0C 65 EA 1D A6 E6 FC 3C AD AA 34 04 C6 82 81 50 .e.<..4P
0010: 07 78 38 FC B6 04 77 3E 7E 90 BC 24 A9 D3 B1 86 .x8...w>... $
0020: F9 99 26 1A FD 08 9A C3 E0 32 43 D0 A1 59 21 5C ..&..2C..Y! \
Client MAC write Secret:
: D0 7D F1 90 58 AF 0B 43 F7 02 39 0C 0C B2 87 C3 X..C..9.
Server MAC write Secret:
: 5C AD 45 74 3D 58 96 FB 41 37 72 99 12 D5 BD 3A \.Et=X..A7r:
Client write key:
: 38 AE 1A 7E 63 26 C7 7F 9D E2 74 9E D2 12 55 C9 8...c&t...U.
Server write key:
: 7E 57 BF 54 A7 74 D8 72 72 AC 18 B8 5F 2D F6 06 .W.T.t.rr..._-..
...
no IV used for this cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 17
*** Finished
verify_data: { 150, 113, 105, 3, 36, 96, 160, 52, 133, 8, 145, 137 }
***
main, WRITE: TLSv1 Handshake, length = 32
main, waiting for close_notify or alert: state 3
main, READ: TLSv1 Alert, length = 18
main, RECV TLSv1 ALERT: fatal, handshake_failure
%% Invalidated: [Session-3, SSL_RSA_WITH_RC4_128_MD5]
main, called closeSocket()
main, Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
main, called close()
main, called closeInternal(true)
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1657)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:932)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1435)
at com.sun.net.ssl.internal.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:103)
at com.sun.net.ssl.internal.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:612)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:808)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:734)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:197)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:746)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:687)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:632)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:652)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1000)
at com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl.getInputStream(HttpsURLConnectionOldImpl.java:204)
at java.net.URL.openStream(URL.java:1009)
at URLClient.main(URLClient.java:17)

The server logs the following error:

[error] Re-negotiation handshake failed: Not accepted by client!?

Has someone experience with java client verification
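Florian's follow-up explains the handshake_failure above: the keystore held the certificate but not its private key, so the client could not answer the server's certificate request. The Go example below, added here and not part of the thread, reproduces the three outcomes against an in-memory server that, like "SSLVerifyClient require", demands a client certificate chained to a CA: a certificate with its key is accepted, the same certificate without its key fails, and no certificate at all fails. All CA, server and client material is generated on the fly; names such as "demo-user" are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// Identity is a certificate together with the private key that belongs to it;
// a client needs both to answer the server's CertificateRequest.
type Identity struct {
	Cert *x509.Certificate
	DER  []byte
	Key  *ecdsa.PrivateKey
}

var serial int64 // demo-only serial counter

// Issue mints a certificate for cn signed by parent, or a self-signed CA when
// parent is nil. Everything is generated in memory for this demo.
func Issue(cn string, parent *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{Cert: cert, DER: der, Key: key}, err
}

// TryHandshake runs one connection against a server that requires a client
// certificate chained to ca. client is what the client offers: the full
// identity, a certificate with no key, or nil for none. With TLS 1.3 the
// server's verdict only reaches the client after Handshake() returns, so one
// byte is echoed; a nil result means the server accepted the client.
func TryHandshake(ca, server *Identity, client *tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Cert)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{server.DER}, PrivateKey: server.Key}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		buf := make([]byte, 1)
		if _, err := c.Read(buf); err == nil { // Read drives the server-side handshake
			c.Write(buf)
		}
	}()
	cliCfg := &tls.Config{RootCAs: pool}
	if client != nil {
		cliCfg.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	if _, err := conn.Write([]byte{1}); err != nil {
		return err
	}
	_, err = conn.Read(make([]byte, 1))
	return err
}

// Demo plays the three client behaviours: the correct keystore content, the
// browser-export mistake (certificate without its key), and no certificate.
func Demo() (withKey, certOnly, none error, err error) {
	ca, err := Issue("Demo Client CA", nil)
	if err != nil {
		return
	}
	srv, err := Issue("demo-server", ca)
	if err != nil {
		return
	}
	cli, err := Issue("demo-user", ca)
	if err != nil {
		return
	}
	good := tls.Certificate{Certificate: [][]byte{cli.DER}, PrivateKey: cli.Key}
	noKey := tls.Certificate{Certificate: [][]byte{cli.DER}} // key never exported from the browser
	withKey = TryHandshake(ca, srv, &good)
	certOnly = TryHandshake(ca, srv, &noKey)
	none = TryHandshake(ca, srv, nil)
	return
}
```

Demo() returns nil for the first case and an error for the other two; in the second case Go cannot even select the certificate for signing because no key accompanies it, so the client ends up sending an empty certificate list and the server rejects the connection, which is the Java client's handshake_failure seen from the other side.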
Re: SSLVerifyClient applies to parent directory
On Fri, Jun 27, 2008 at 08:40:43AM +0200, Florian Hackenberger wrote:
> On Thursday 26 June 2008, Florian Hackenberger wrote:
>> On Thursday 26 June 2008, Joe Orton wrote:
>>> It denies access for what type of request, a directory listing?
> Ok, I think I understood the intention of your question. Accessing a specific file works, but getting the directory listing fails. Would that be a result of apache trying to access the protected directory in order to read attributes for the listing, causing the certificate verification to kick in?

Yup. Changing the "SSLVerifyClient require" to:

    SSLVerifyClient optional
    SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"

might work around it; you'll still get a client cert request for the subrequest, but it should end in a 403 rather than terminating the SSL connection. (That will cause the protected directory to disappear from the directory listing, unless you use "IndexOptions ShowForbidden")

Test this carefully though!

joe
Re: SSLVerifyClient applies to parent directory
On Friday 27 June 2008, Cuesta Gilles wrote:
> For your issue, two questions:
> - is a VerifyDepth 1 enough for verification chaining ?

It is, however that is not relevant for the problem, because apache should not request a client certificate in the first place.

> - No default VerifyClient by default for VirtualHost
> Try adding:

I tried your suggestion, but it does not help unfortunately.

Cheers,
Florian

--
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at
Re: SSLVerifyClient applies to parent directory
Florian Hackenberger wrote:
> On Friday 27 June 2008, Cuesta Gilles wrote:
>> It's more an apache specific question; try setting Options +Indexes in your vhost, allowing directory listing.
> Thanks, but that is certainly not the problem, as apache creates a listing as soon as I remove 'SSLVerifyClient require'.
> Cheers, Florian

That seems to point that it's already activated.

For your issue, two questions:
- is a VerifyDepth 1 enough for verification chaining ?
- No default VerifyClient by default for VirtualHost

Try adding:

    SSLVerifyClient none

or

    SSLVerifyClient none
    Listen 443
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
    DocumentRoot "/usr/local/htdocs"
    SSLVerifyClient none
    SSLVerifyClient require
    SSLVerifyDepth 1

--
Chuck Norris understands Lassie and Flipper the dolphin. In fact, he is the one who did the translations for every single episode!
Gilles CUESTA - Logiciels Libres 69139920
Re: SSLVerifyClient applies to parent directory
On Friday 27 June 2008, Cuesta Gilles wrote:
> It's more an apache specific question; try setting
>     Options +Indexes
> in your vhost, allowing directory listing.

Thanks, but that is certainly not the problem, as apache creates a listing as soon as I remove 'SSLVerifyClient require'.

Cheers,
Florian

--
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at
Re: SSLVerifyClient applies to parent directory
Florian Hackenberger wrote:
> On Thursday 26 June 2008, Florian Hackenberger wrote:
>> On Thursday 26 June 2008, Joe Orton wrote:
>>> It denies access for what type of request, a directory listing?
>> Ok, I think I understood the intention of your question. Accessing a specific file works, but getting the directory listing fails. Would that be a result of apache trying to access the protected directory in order to read attributes for the listing, causing the certificate verification to kick in?

It's more an apache specific question; try setting

    Options +Indexes

in your vhost, allowing directory listing.

--
Many men have searched the world over for Pandora's box; meanwhile Chuck Norris was using it to store his shoes.
Gilles CUESTA - Logiciels Libres 69139920
Re: SSLVerifyClient applies to parent directory
On Thursday 26 June 2008, Florian Hackenberger wrote:
> On Thursday 26 June 2008, Joe Orton wrote:
>> It denies access for what type of request, a directory listing?

Ok, I think I understood the intention of your question. Accessing a specific file works, but getting the directory listing fails. Would that be a result of apache trying to access the protected directory in order to read attributes for the listing, causing the certificate verification to kick in?

Cheers,
Florian

--
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at
Re: SSLVerifyClient applies to parent directory
Florian Hackenberger wrote:
> On Thursday 26 June 2008, Cuesta Gilles wrote:
>> Maybe try this:
>>     Listen 443
>>     SSLEngine On
>>     SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
>>     DocumentRoot "/usr/local/htdocs"
>>     SSLVerifyClient require
>>     SSLVerifyDepth 1
> Unfortunately it leads to the same result, but thanks for the suggestion.

Regarding mod_ssl:

"In per-server context it applies to the client authentication process used in the standard SSL handshake when a connection is established."

"In per-directory context it forces a SSL renegotation with the reconfigured client verification level after the HTTP request was read but before the HTTP response is sent."

So maybe:

    Listen 443
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
    DocumentRoot "/usr/local/htdocs"
    SSLVerifyClient require
    SSLVerifyDepth 1
Re: SSLVerifyClient applies to parent directory
On Thursday 26 June 2008, Joe Orton wrote:
> It denies access for what type of request, a directory listing?

Yes

--
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at
Re: SSLVerifyClient applies to parent directory
On Thu, Jun 26, 2008 at 05:55:45PM +0200, Florian Hackenberger wrote:
>     SSLVerifyClient require
>     SSLVerifyDepth 1
>
> The problem is that apache denies access to:
> https//MYSERVER/directory

It denies access for what type of request, a directory listing?

joe
Re: SSLVerifyClient applies to parent directory
On Thursday 26 June 2008, Cuesta Gilles wrote:
> Maybe try this:
>
>     Listen 443
>
>     SSLEngine On
>     SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
>     DocumentRoot "/usr/local/htdocs"
>
>     SSLVerifyClient require
>     SSLVerifyDepth 1

Unfortunately it leads to the same result, but thanks for the suggestion.

Cheers,
Florian

--
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at
Re: SSLVerifyClient applies to parent directory
Florian Hackenberger wrote:
> Hi!
>
> First of all: Thanks for your great software, I've used it on several servers and it proved to be very useful.
>
> I have a little problem with the SSLVerifyClient directive on apache 2.2.9 with mod_ssl compiled from source on debian etch. I have the following directory layout:
>     /usr/local/htdocs/directory/subdirectory
> and the following configuration options (besides the defaults) in httpd.conf:
>     Listen 443
>     SSLEngine On
>     SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
>     DocumentRoot "/usr/local/htdocs"
>     SSLVerifyClient require
>     SSLVerifyDepth 1

Maybe try this:

    Listen 443
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
    DocumentRoot "/usr/local/htdocs"
    SSLVerifyClient require
    SSLVerifyDepth 1

--
Chuck Norris was a CounterStrike champion before the Internet was invented.
Gilles CUESTA - Logiciels Libres 69139920
RE: Need to add/enable/install mod_ssl
Another piece of information: what I see in libexec/ is just "mod_jk.sl", and under modules/, just the file httpd.exp.

Ingrid

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tan, Liao [CMB-IT]
Sent: Wednesday, June 18, 2008 5:34 PM
To: modssl-users@modssl.org
Subject: RE: Need to add/enable/install mod_ssl

Dave and All:

Ok, now I know I can try the directives in my apache. Although the SSLRandomSeed directives indicate I have mod_ssl installed, I checked and the files mod_ssl.so and mod_ssl.c are not in the paths indicated, not in libexec/, nor in module/. How do I get those files?

Thank you.
Ingrid

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David P. Mott
Sent: Wednesday, June 18, 2008 5:22 PM
To: modssl-users@modssl.org
Subject: RE: Need to add/enable/install mod_ssl

I pulled that exact line from my win32 version of Apache 2.2.4.

Server Version: Apache/2.2.4 (Win32) mod_ssl/2.2.4 OpenSSL/0.9.8d mod_perl/2.0.3 Perl/v5.8.8
Server Built: Jan 9 2007 23:17:20

-Dave

On Wed, 18 Jun 2008, Tan, Liao wrote:
> David,
>
> that was what I thought earlier. But since I'm told this directive is for Apache 1.x, and not Apache 2.0 (which is mine), I wonder how the directive to include in httpd.conf differs. What I mean is that I think I have mod_ssl installed, but not enabled yet, and to enable it, if it's simply adding the directives in the httpd file, and the exact syntax for version 2.0.
>
> Still searching for the solution.
>
> Thanks
>
> Ingrid
RE: Need to add/enable/install mod_ssl
Dave and All:

Ok, now I know I can try the directives in my apache. Although the SSLRandomSeed directives indicate I have mod_ssl installed, I checked and the files mod_ssl.so and mod_ssl.c are not in the paths indicated, not in libexec/, nor in module/. How do I get those files?

Thank you.
Ingrid

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David P. Mott
Sent: Wednesday, June 18, 2008 5:22 PM
To: modssl-users@modssl.org
Subject: RE: Need to add/enable/install mod_ssl

I pulled that exact line from my win32 version of Apache 2.2.4.

Server Version: Apache/2.2.4 (Win32) mod_ssl/2.2.4 OpenSSL/0.9.8d mod_perl/2.0.3 Perl/v5.8.8
Server Built: Jan 9 2007 23:17:20

-Dave

On Wed, 18 Jun 2008, Tan, Liao wrote:
> David,
>
> that was what I thought earlier. But since I'm told this directive is for Apache 1.x, and not Apache 2.0 (which is mine), I wonder how the directive to include in httpd.conf differs. What I mean is that I think I have mod_ssl installed, but not enabled yet, and to enable it, if it's simply adding the directives in the httpd file, and the exact syntax for version 2.0.
>
> Still searching for the solution.
>
> Thanks
>
> Ingrid
RE: Need to add/enable/install mod_ssl
David,

that was what I thought earlier. But since I'm told this directive is for Apache 1.x, and not Apache 2.0 (which is mine), I wonder how the directive to include in httpd.conf differs. What I mean is that I think I have mod_ssl installed, but not enabled yet, and to enable it, if it's simply adding the directives in the httpd file, and the exact syntax for version 2.0.

Still searching for the solution.

Thanks
Ingrid

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David P. Mott
Sent: Wednesday, June 18, 2008 5:04 PM
To: modssl-users@modssl.org
Subject: RE: Need to add/enable/install mod_ssl

That doesn't sound right. Don't you need a statement like this in your httpd.conf file?

    LoadModule ssl_module modules/mod_ssl.so

The statements that you mentioned will do stuff /only/ if the ssl module is loaded (that's what IfModule means -- If the Module is Present).

-Dave

On Wed, 18 Jun 2008, Tan, Liao wrote:
> All,
>
> I'm told that having the directives in httpd.conf
>
>     SSLRandomSeed startup builtin
>     SSLRandomSeed connect builtin
>
> means that my apache is configured with mod_ssl (thanks to the guy that told me so!)
>
> Now the question that has come up is what do I do to have my https working? As I mentioned below, I already have all certificates and their directives configured.
>
> Thanks for your attention.
>
> Ingrid
RE: Need to add/enable/install mod_ssl
All,

I'm told that having the directives in httpd.conf

    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin

means that my apache is configured with mod_ssl (thanks to the guy that told me so!)

Now the question that has come up is what do I do to have my https working? As I mentioned below, I already have all certificates and their directives configured.

Thanks for your attention.
Ingrid

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tan, Liao [CMB-IT]
Sent: Wednesday, June 18, 2008 12:30 PM
To: modssl-users@modssl.org
Subject: Need to add/enable/install mod_ssl

Hi, experts:

>> Here is the environment configuration:
>> Web server: Apache/2.0.46 (Unix) mod_jk/1.2.4
>> Server: HP-UX
>> Tomcat: 4.0

I have an apache already installed (by another team, which doesn't know if the module mod_ssl is there). The final purpose is to secure my current http to https. I already have all certificates, with the directives in the conf files, and still the https url doesn't work yet. I searched over all logs I could find, and didn't find any string "mod_ssl" :(. So I guess I need to do something to enable or install it.

I saw in a link that I need to download the source at modssl.org, and other installation procedures as well. But in my case I already have Apache installed, and need only to add/enable/install the mod_ssl module.

Ok, now another question to be pointed out:

"Make sure any module for your Apache server is compiled with the compiler-flag -DEAPI, or your Webserver might crash or can not be started. Almost all modules I know add the -DEAPI flag by themselves except mod_jserv and mod_jk"

But my apache installed is mod_jk (my configuration >> Apache/2.0.46 (Unix) mod_jk/1.2.4). Should I suppose from this that in my case I don't have the DEAPI??? Not sure on what to do now. How will I check if it has DEAPI?

I keep doing searches over the net, but in case any of you has some hint to speed things up a little bit on my side, it'll be helpful.

I'm kind of disorientated with all this thing of https. This is the 1st time I get into it. So, I ask for your detailed support.

Thank you!
Ingrid
Re: Generic question on CRL use
On June 16, 2008 12:46:56 pm Gilles Cuesta wrote:
> 2008/6/16 Michael Ströder <[EMAIL PROTECTED]>:
>> Gilles Cuesta wrote:
>>> So, at a time, we have 2 ClientCA with different key and different validity period, but same DN.
>>
>> This is bad practice. Try searching for "CA key roll-over".
>
> I found docs about it, but proprietary PKI, and couldn't know if this feature is implemented ...

Check the IETF PKIX mailing list. There is a thread there by Santosh Chokhani and Stefan Santesson that goes into this. Short answer is - you can do what you want, but it's REALLY tricky, and Michael is right - best practice is to version your CA's. (so the current one is CA1, the next one is CA2, etc.)

>>> The problem is, when verifying client cert work with both ClientCA stacked; but when using CRL, old clients work only if CRL is signed by old ClientCA.
>>
>> Well, you asked for trouble...
>>
>> You could try to add the authorityKeyIdentifier extension to the CRL if it's also present in the CA certs. This could work with some software.
>
> Here we are :D

Ummm I think you mean that you want to have, in the CRL DP in the client certificate, the crlIssuer field of the CRL DP - problem is that 90% of the software out there (Apache included) won't deal with it.

BTW: To handle the case that you are trying to do, there was a patch sent in by Erwann ABALEA from Keynectis to the OpenSSL Users mailing list in January/February this year, IIRC. Perhaps you could try that - you'd have to do some fairly exotic things to mod_ssl, mind you, to get it to work :)

I'm with Michael - stop using the same name each time. Version your CAs.

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
Re: Generic question on CRL use
Gilles Cuesta wrote:
> 2008/6/16 Michael Ströder <[EMAIL PROTECTED]>:
>> Gilles Cuesta wrote:
>>> So, at a time, we have 2 ClientCA with different key and different validity period, but same DN.
>> This is bad practice. Try searching for "CA key roll-over".
> I found docs about it, but proprietary PKI, and couldn't know if this feature is implemented ...

It's not a "feature"! Pretty sure there are docs out there describing best practices when conducting a CA key roll-over. One of the best practices is to change the subject DN of the CA entity cert.

>> You could try to add the authorityKeyIdentifier extension to the CRL if it's also present in the CA certs. This could work with some software.
> X509v3 Authority Key Identifier:
> keyid:56:4D:A9...
> But it doesn't work as is, issuing "signature verification error" in apache error logs ...

Glad you learned so soon that it's better to rework your re-newed sub-CA cert. ;-)

Ciao, Michael.
Re: Generic question on CRL use
2008/6/16 Michael Ströder <[EMAIL PROTECTED]>:
> Gilles Cuesta wrote:
>>
>> So, at a time, we have 2 ClientCA with different key and different
>> validity period, but same DN.
>
> This is bad practice. Try searching for "CA key roll-over".

I found docs about it, but proprietary PKI, and couldn't know if this feature is implemented ...

>
>> The problem is, when verifying client cert work with both ClientCA
>> stacked; but when using CRL, old clients work only if CRL is signed by
>> old ClientCA.
>
> Well, you asked for trouble...
>
> You could try to add the authorityKeyIdentifier extension to the CRL if it's
> also present in the CA certs. This could work with some software.
>

Here we are :D

apache.crl
    Certificate Revocation List (CRL):
        Version 2 (0x1)
        ...
        X509v3 Authority Key Identifier:
            keyid:B8:85:B4...

apache-caclient.cer
    Certificate:
        ...
        Validity
            Not Before: Feb 29 12:23:38 2007 GMT
            Not After : Feb 29 12:23:58 2011 GMT
        ...
        X509v3 Key Usage: critical
            Certificate Sign, CRL Sign
        ...
        X509v3 Subject Key Identifier:
            B8:85:B4...
        X509v3 Authority Key Identifier:
            keyid:56:4D:A9...

apache-caclient-old.cer
    Certificate:
        ...
        Validity
            Not Before: May 18 14:35:12 2005 GMT
            Not After : May 18 14:35:12 2009 GMT
        ...
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            ...
            X509v3 Subject Key Identifier:
                87:1D:FC...
            X509v3 Authority Key Identifier:
                keyid:56:4D:A9...

But it doesn't work as is, issuing "signature verification error" in apache error logs ...

Is there something to be modified in Apache/Modssl conf ?

Thank you
Re: Generic question on CRL use
Gilles Cuesta wrote:
> So, at a time, we have 2 ClientCA with different key and different
> validity period, but same DN.

This is bad practice. Try searching for "CA key roll-over".

> The problem is, when verifying client cert work with both ClientCA
> stacked; but when using CRL, old clients work only if CRL is signed by
> old ClientCA.

Well, you asked for trouble...

You could try to add the authorityKeyIdentifier extension to the CRL if it's also present in the CA certs. This could work with some software.

But my strong recommendation: Fix your 2nd ClientCA cert.

Ciao, Michael.
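To make the failure mode of this thread concrete, here is an added example (not code from the thread, mod_ssl or OpenSSL) modelling how a verifier picks the CRL issuer out of a CA file that holds two ClientCA certs with the same subject DN: matching on the issuer name alone selects the first (old) CA, so a CRL signed by the new CA fails its signature check, while matching the CRL's authorityKeyIdentifier keyid against each CA's subjectKeyIdentifier selects the right one. The DN, key material and the `sign()` routine are constructed stand-ins (not real RSA/ECDSA); key identifiers follow RFC 5280 section 4.2.1.2 method 1.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

def key_id(pubkey: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method (1): SHA-1 over the public key bits."""
    return hashlib.sha1(pubkey).digest()

def sign(pubkey: bytes, tbs: bytes) -> bytes:
    """Constructed stand-in for an RSA/ECDSA signature (not secure)."""
    return hashlib.sha256(pubkey + tbs).digest()

@dataclass(frozen=True)
class CACert:
    subject: str          # OpenSSL oneline DN, identical for both CAs here
    pubkey: bytes
    ski: bytes            # subjectKeyIdentifier

@dataclass(frozen=True)
class CRL:
    issuer: str
    tbs: bytes
    signature: bytes
    aki: Optional[bytes]  # authorityKeyIdentifier keyid, None if absent

def make_ca(subject: str, seed: bytes) -> CACert:
    pub = hashlib.sha256(seed).digest()  # constructed key material
    return CACert(subject, pub, key_id(pub))

def issue_crl(ca: CACert, tbs: bytes, with_aki: bool) -> CRL:
    return CRL(ca.subject, tbs, sign(ca.pubkey, tbs), ca.ski if with_aki else None)

def find_crl_issuer(store: List[CACert], crl: CRL, use_aki: bool) -> Optional[CACert]:
    """DN match alone picks the first same-name CA; AKI keyid vs SKI tells twins apart."""
    for ca in store:
        if ca.subject != crl.issuer:
            continue
        if use_aki and crl.aki is not None and ca.ski != crl.aki:
            continue
        return ca
    return None

def verify_crl(store: List[CACert], crl: CRL, use_aki: bool = False) -> bool:
    ca = find_crl_issuer(store, crl, use_aki)
    # False is what surfaces as "signature verification error" in the logs.
    return ca is not None and sign(ca.pubkey, crl.tbs) == crl.signature

# Constructed scenario from the thread: old and new ClientCA share one DN
# and both CA certs are stacked in the CA file, the old one first.
CA_DN = "/O=example.org/OU=PKI/CN=ClientCA"
STORE = [make_ca(CA_DN, b"old key"), make_ca(CA_DN, b"new key")]
CRL_NEW = issue_crl(STORE[1], b"revoked: 0x1002", with_aki=True)
```

`verify_crl(STORE, CRL_NEW)` is False (old CA chosen by name), `verify_crl(STORE, CRL_NEW, use_aki=True)` is True; a CRL without AKI cannot be disambiguated either way, which is why versioning the CA name is the robust fix.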
Re: LimitRequestBody 0
On Thu, Jun 05, 2008 at 10:47:25AM -0600, Keith Hellman wrote:
> This sounds a lot like
> https://issues.apache.org/bugzilla/show_bug.cgi?id=42625
> https://issues.apache.org/bugzilla/show_bug.cgi?id=12355
>
> But I think it is different. I'm using certificates for authentication
> to all of my pages:
>
>
> # applied to _all_ URLs
> SSLRequireSSL
>
> SSLVerifyClient require

You should put all this inside the VirtualHost config for the SSL vhost(s) in question. That way you avoid having to do a per-location renegotiation and the request body buffering which is necessary in that case.

joe
Re: LimitRequestBody 0
Oh yeah, I forgot to mention: everything works AOK if I try using http instead (hence, I'm posting on the modssl list).

--
Keith Hellman
Re: Extracting SSL_CLIENT_S_DN_UID does not work
Michael Ströder wrote:
> Joe Orton wrote:
>> On Fri, May 23, 2008 at 05:23:34PM +0200, Michael Ströder wrote:
>>> Ok, then the OID in my cert is 0.9.2342.19200300.100.1.1 (attribute
>>> type 'uid' specified for pilotPerson). That seems right to me since it's
>>> compliant with RFC 4514 which contains a table of short and long
>>> attribute type names and their OIDs (end of chapter 3).
>>>
>>> But now I don't understand the #ifdef-statement mentioned above. From my
>>> understanding it MUST NOT reference NID_x500UniqueIdentifier. It MUST
>>> reference NID_userId. To me that looks clearly like a bug in mod_ssl.
>>
>> Changing it would break backwards-compat which is why the #ifdef is
>> there (so that the _UID variable refers to the same OID regardless of
>> what OpenSSL version is used).

1. I seriously doubt that there are any certs out there which use x500UniqueIdentifier in the subject-DN. If yes, then these certs are also seriously broken.

2. It's simply broken that attribute type UID in mod_ssl differs from OpenSSL here.

Please take note of this Apache issue and consider the patch attached:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45107

Ciao, Michael.
Re: Extracting SSL_CLIENT_S_DN_UID does not work
DON'T SEND ME THIS CRAP, THANKS

-- Original message from Michael Ströder <[EMAIL PROTECTED]>: --
> Joe,
>
> many thanks for your response.
>
> Joe Orton wrote:
> > On Mon, May 19, 2008 at 10:13:45AM +0200, Michael Ströder wrote:
> >>
> >> Maybe I'm overlooking the obvious but it seems that env var
> >> SSL_CLIENT_S_DN_UID is not set when using a client cert for authentication.
> >>
> >> The following env vars displayed in my SSI HTML text are relevant here
> >> (obfuscated to protect privacy):
> >>
> >> SSL_CLIENT_S_DN: /O=Company Name/OU=Authc/UID=userid/CN=Full name
> >> SSL_CLIENT_S_DN_UID: (none)
> >>
> >> Is it caused by UID not being the leaf RDN?
> >
> > That shouldn't make any difference.
>
> Ok, fine.
>
> > What versions of OpenSSL and httpd/mod_ssl are you using?
>
> Actually pre-built RPMs shipped with openSUSE 10.3:
>
> # rpm -q openssl apache2
> openssl-0.9.8e-45.5
> apache2-2.2.4-70.4
>
> Not sure whether these RPMs are based on sources patched by openSUSE.
>
> > The "UID" DN tag is ambiguous and probably
> > maps to something other than what your subject DN uses.
> >
> > In the current 2.x mod_ssl sources, UID maps to:
> >
> > #ifdef NID_x500UniqueIdentifier /* new name as of Openssl 0.9.7 */
> > { "UID", NID_x500UniqueIdentifier },
> > #else /* old name, OpenSSL < 0.9.7 */
> > { "UID", NID_uniqueIdentifier },
> > #endif
>
> Hmm, the user ID is already stored by mod_ssl with attribute name "UID"
> in env var SSL_CLIENT_S_DN. Given that it's OpenSSL 0.9.8 and that the
> attribute type seems to be interpreted as UID is it safe to assume that
> the cert contains the right OID?
>
> If NID_x500UniqueIdentifier maps to OID 2.5.4.45 it's plain wrong anyway...
>
> Ciao, Michael.
Re: SSL proxy issues
Hi, first time mailer but hoping for some good advice from experienced users.

Basically I'm looking to implement a solution that will redirect SSL requests coming into my apache server (listening on 443) and forward them on to a backend server. I have reverse proxying set up but I can't seem to get it to work for https connections.

At the moment, using the current configuration below, an http connection coming into the server on port 80 can be redirected to the https site configured. But when I click on a login button on that site I'm just getting a blank screen on Firefox, with no errors showing in the logs? Has anyone any ideas, cause I've been looking into this for hours now?

Listen 8080
Listen 443

ServerName F00311.eircom.ie
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLProxyEngine on
ProxyPass / https://www.365online.com/
ProxyPassReverse / https://www.365online.com/

SSLSessionCache "shmcb:d:/Apache2.2/logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

SSLEngine On
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateKeyFile "D:\Apache2.2\conf\security\ca.key"
SSLCertificateFile "D:\Apache2.2\conf\security\ca.crt"
ServerName F00311.eircom.ie
SSLProxyEngine on
ProxyPass / https://www.365online.com/
ProxyPassReverse / https://www.365online.com/
SSLProxyVerify none
SSLProxyProtocol all
SSLProxyCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
Re: Extracting SSL_CLIENT_S_DN_UID does not work
Michael Ströder wrote:
> Joe Orton wrote:
>> On Fri, May 23, 2008 at 05:23:34PM +0200, Michael Ströder wrote:
>>> Ok, then the OID in my cert is 0.9.2342.19200300.100.1.1 (attribute
>>> type 'uid' specified for pilotPerson). That seems right to me since it's
>>> compliant with RFC 4514 which contains a table of short and long
>>> attribute type names and their OIDs (end of chapter 3).
>>>
>>> But now I don't understand the #ifdef-statement mentioned above. From my
>>> understanding it MUST NOT reference NID_x500UniqueIdentifier. It MUST
>>> reference NID_userId. To me that looks clearly like a bug in mod_ssl.
>>
>> Changing it would break backwards-compat which is why the #ifdef is
>> there (so that the _UID variable refers to the same OID regardless of
>> what OpenSSL version is used).

To come around this: How about letting the deployer specify the OIDs in httpd.conf? Backwards-compatibility could be achieved with this.

Ciao, Michael.
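The symptom in this thread, reproduced as an added example (not mod_ssl code): the `SSL_CLIENT_S_DN_<tag>` variables are filled by looking each tag's OID up in the certificate subject, so a table that maps `UID` to x500UniqueIdentifier (2.5.4.45) finds nothing in a subject whose `UID` attribute is the RFC 4514 userId (0.9.2342.19200300.100.1.1), and the variable stays unset. The posted DN and both OIDs are as given in the thread; the oneline DN parser, the `STOCK_TAGS`/`FIXED_TAGS` tables (the latter standing in for the deployer-configurable mapping suggested above) and first-match precedence are my assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Short names and OIDs from the RFC 4514 table (section 3) plus userId.
RFC4514_OIDS = {
    "CN": "2.5.4.3", "O": "2.5.4.10", "OU": "2.5.4.11", "C": "2.5.4.6",
    "L": "2.5.4.7", "ST": "2.5.4.8", "UID": "0.9.2342.19200300.100.1.1",
}
X500_UNIQUE_IDENTIFIER = "2.5.4.45"  # NID_x500UniqueIdentifier

# Tag -> OID tables: the stock mod_ssl mapping for UID (as quoted from the
# source in this thread) beside a deployer-configurable, RFC 4514 mapping.
STOCK_TAGS = dict(RFC4514_OIDS, UID=X500_UNIQUE_IDENTIFIER)
FIXED_TAGS = dict(RFC4514_OIDS)

_TYPE = re.compile(r"/([A-Za-z][A-Za-z0-9.]*)=")

def parse_oneline_dn(dn: str) -> List[Tuple[str, str]]:
    """Turn an OpenSSL oneline DN into (OID, value) pairs.

    Splits only at '/' directly followed by 'type=', so a '/' inside a
    value (the oneline format does not escape it) stays with the value.
    """
    parts = _TYPE.split(dn)
    if parts[0] != "" or len(parts) % 2 != 1:
        raise ValueError(f"not a oneline DN: {dn!r}")
    pairs = zip(parts[1::2], parts[2::2])
    return [(RFC4514_OIDS.get(t.upper(), t), v) for t, v in pairs]

def lookup_by_oid(subject: List[Tuple[str, str]], oid: str) -> Optional[str]:
    """First RDN value whose attribute type has the given OID (assumed
    precedence; mod_ssl's own choice is not shown in the thread)."""
    return next((v for o, v in subject if o == oid), None)

def ssl_client_s_dn_vars(dn: str, tags: Dict[str, str]) -> Dict[str, str]:
    """Model SSL_CLIENT_S_DN_<tag> population: a tag whose OID is not in
    the subject is left unset, which SSI renders as '(none)'."""
    subject = parse_oneline_dn(dn)
    env = {"SSL_CLIENT_S_DN": dn}
    for tag, oid in tags.items():
        value = lookup_by_oid(subject, oid)
        if value is not None:
            env[f"SSL_CLIENT_S_DN_{tag}"] = value
    return env

# Subject DN as posted (obfuscated by the original poster).
POSTED_DN = "/O=Company Name/OU=Authc/UID=userid/CN=Full name"
```

With `STOCK_TAGS` the result has no `SSL_CLIENT_S_DN_UID` key at all; with `FIXED_TAGS` it is `"userid"`.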