Cockup in X509_cmp_current_time?
This code is used to calculate an offset from UTC:

    offset=((str[1]-'0')*10+(str[2]-'0'))*60;
    offset+=(str[3]-'0')*10+(str[4]-'0');
    if (*str == '-')
        offset= -offset;

which, unless I'm losing it, calculates the offset in minutes. But it should be in seconds, so the line below:

    X509_gmtime_adj(&atm,-offset);

should be:

    X509_gmtime_adj(&atm,-offset*60);

no?

Cheers,

Ben.

--
SECURE HOSTING AT THE BUNKER! http://www.thebunker.net/hosting.htm
http://www.apache-ssl.org/ben.html
Y19100 no-prize winner! http://www.ntk.net/index.cgi?back=2000/now0121.txt

__
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                        [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
Re: Cockup in X509_cmp_current_time?
ben> which, unless I'm losing it, calculates the offset in minutes. But it
ben> should be in seconds, so the line below:
ben>
ben>     X509_gmtime_adj(&atm,-offset);
ben>
ben> should be:
ben>
ben>     X509_gmtime_adj(&atm,-offset*60);
ben>
ben> no?

Looks like you're quite right.

--
Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED]
Redakteur@Stacken \ S-161 43 BROMMA \ T: +46-8-26 52 47
\ SWEDEN \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED]
Unsolicited commercial email is subject to an archival fee of $400.
See http://www.stacken.kth.se/~levitte/mail/ for more info.
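To make the unit mismatch concrete, here is an added example (not OpenSSL's own code, and with function names of its own): the zone-suffix arithmetic quoted above, kept as written so its result can be inspected, next to a corrected version that returns seconds, accepts "Z", and range-checks hours and minutes, which the quoted code does not.

```c
/* Added example, not OpenSSL's code: the "+HHMM"/"-HHMM" zone-suffix
 * arithmetic quoted from X509_cmp_current_time(), beside a corrected
 * version that returns SECONDS, the unit X509_gmtime_adj() takes.
 * All function names are this example's own. */
#include <ctype.h>
#include <stdio.h>

/* The computation as quoted in the thread: hours*60 + minutes, i.e. a
 * value in MINUTES.  Returns 1 on success, 0 unless the suffix is a sign
 * followed by four digits. */
int utc_offset_minutes(const char *str, long *out)
{
    long offset;
    int i;

    if (str == NULL || (str[0] != '+' && str[0] != '-'))
        return 0;
    for (i = 1; i <= 4; i++)          /* a NUL fails isdigit, so short input is safe */
        if (!isdigit((unsigned char)str[i]))
            return 0;
    offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
    offset += (str[3] - '0') * 10 + (str[4] - '0');
    if (str[0] == '-')
        offset = -offset;
    *out = offset;
    return 1;
}

/* Corrected: same parse, result in SECONDS, "Z" accepted as zero offset,
 * hours and minutes range-checked (the quoted code checks neither). */
int utc_offset_seconds(const char *str, long *out)
{
    long minutes, hh, mm;

    if (str != NULL && str[0] == 'Z' && str[1] == '\0') {
        *out = 0;
        return 1;
    }
    if (!utc_offset_minutes(str, &minutes))
        return 0;
    hh = (str[1] - '0') * 10 + (str[2] - '0');
    mm = (str[3] - '0') * 10 + (str[4] - '0');
    if (hh > 23 || mm > 59)
        return 0;
    *out = minutes * 60;              /* the factor of 60 the original leaves out */
    return 1;
}

/* Wrappers that return `bad` for a rejected suffix (pick a sentinel that
 * cannot be a real offset for the inputs you feed them). */
long utc_offset_minutes_or(const char *str, long bad)
{
    long v;
    return utc_offset_minutes(str, &v) ? v : bad;
}

long utc_offset_seconds_or(const char *str, long bad)
{
    long v;
    return utc_offset_seconds(str, &v) ? v : bad;
}

int main(void)
{
    /* Constructed sample suffixes; the last two must be rejected. */
    const char *samples[] = { "Z", "+0100", "-0530", "+2500", "+12x0" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-6s quoted code: %6ld   corrected: %7ld seconds\n",
               samples[i],
               utc_offset_minutes_or(samples[i], -1),
               utc_offset_seconds_or(samples[i], -1));
    return 0;
}
```

Run it and "+0100" comes out as 60 from the quoted arithmetic and 3600 from the corrected one; since X509_gmtime_adj() adds seconds, only the second value moves the comparison time by the intended hour.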
PERL Module Problem...
Hi all,

I have a problem while writing a PERL module. When I want to issue an openssl command (that requires input) the following code (which works in common PERL programs) does not pass the required input to openssl, so it waits for user input:

    open(FD, "|$command" ) || return;
    ## Send Password
    print FD "$passwd\n";

    ## Send Confirmation Password
    print FD "$passwd\n";
    close(FD);

Where $command is, for example:

    /usr/local/ssl/bin/openssl genrsa -des3 -out priv.key 512

The output I get is:

    Generating RSA private key, 512 bit long modulus
    ...
    .
    e is 65537 (0x10001)
    Enter PEM pass phrase:

but it should not hang asking for passwd as I pass it to openssl with the print command. What's wrong here?

C'you,

Massimiliano Pala ([EMAIL PROTECTED])
Re: PERL Module Problem...
madwolf> I have a problem while writing a PERL module. When I want to issue an
madwolf> openssl command (that requires input) the following code (which works
madwolf> in common PERL programs) does not pass the required input to openssl
madwolf> so it waits for user input:
madwolf>
madwolf>     open(FD, "|$command" ) || return;
madwolf>     ## Send Password
madwolf>     print FD "$passwd\n";
madwolf>
madwolf>     ## Send Confirmation Password
madwolf>     print FD "$passwd\n";
madwolf>     close(FD);

[...]

madwolf> but it should not hang asking for passwd as I pass it to openssl with
madwolf> the print command. What's wrong here?

What's wrong is that you assume OpenSSL takes password input from standard input. This is not the case. Instead, a separate handle to the TTY is opened, and that is used as password input. Under Unix, the file used is "/dev/tty". Under DOS, it's "con", and under VMS it's "TT:".

In the current snapshot of OpenSSL, there's a new parameter that gives you the possibility to give the password on the command line to most utilities that need it, called -passin, -passout, -passin and -envpassin. Check it out.

BTW, I wonder if there shouldn't be a mechanism to get the password from stdin as well. '-passin -' or yet another switch, like '-pipepassin'? '-passin' has a real danger if you consider what 'ps' gives as output...

--
Richard Levitte
Re: PERL Module Problem...
Richard Levitte - VMS Whacker wrote:

> What's wrong is that you assume OpenSSL takes password input from
> standard input. This is not the case. Instead, a separate handle to the
> TTY is opened, and that is used as password input. Under Unix, the file
> used is "/dev/tty". Under DOS, it's "con", and under VMS it's "TT:".
>
> In the current snapshot of OpenSSL, there's a new parameter that gives
> you the possibility to give the password on the command line to most
> utilities that need it, called -passin, -passout, -passin and
> -envpassin. Check it out.

Most utilities? I thought all the ones where it was useful were covered. Have I missed one?

> BTW, I wonder if there shouldn't be a mechanism to get the password from
> stdin as well. '-passin -' or yet another switch, like '-pipepassin'?
> '-passin' has a real danger if you consider what 'ps' gives as output...

Yes, that's why I added a warning to every man page about it. On some OSes or setups it's quite safe though.

Are there any circumstances where the environment isn't safe? I believe extra privs are normally needed to read another user's process's environment.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
RE: PERL Module Problem...
> Are there any circumstances where the environment isn't safe?

I thought it was readily available on all BSD-derived Unices. viz:

    haggis 71 uname ; who ; echo i am `who am i` ; ps -wwe -tp1
    BSD/OS
    salzr    ttyp0    Feb 10 14:58  (camstig)
    bowe     ttyp1    Feb  7 08:36  (taco)
    i am salzr ttyp0 Feb 10 14:58 (camstig)
      PID  TT  STAT      TIME COMMAND
      276  p1  Is+    0:00.72 TERM=vt100 LINEMODE=real HOME=/usr/home/bowe LOGNAME=bowe SHELL=/bin/tcsh USER=bowe PATH=/bin:/usr/bin:/usr/contrib/bin:/usr/X11/bin -tcsh (tcsh)
    haggis 72
Re: PERL Module Problem...
drh> Most utilities? I thought all the ones where it was useful were
drh> covered. Have I missed one?

I don't think enc has it... At least I couldn't find it when I looked 20 minutes ago...

drh> Are there any circumstances where the environment isn't safe? I believe
drh> extra privs are normally needed to read another user's process's
drh> environment.

Not really, except under certain circumstances (some or most shells combined with rather special characters in the password), using environment variables is clunky, to say the best...

Also, if you want to be paranoid, environment space does not go away for the duration of the process' life, so if there's a way to read process memory, there's a higher likelihood that you can find a password through the environment that process carries around (after all, the environment is not hard to find, at all, just look for "USER=" or something like that, and you'll probably find the rest of it around that point). In such cases, it is a lot safer to read in a password in a string in a hopefully less easy to find place in process memory and immediately zero that piece of memory after the password has been used.

I would trust passwords passed over stdin before anything passed in the command line or environment, any time. Not that stdin is perfect either, mind you, but still...

--
Richard Levitte
Re: PERL Module Problem...
Dr Stephen Henson [EMAIL PROTECTED] writes:

> Are there any circumstances where the environment isn't safe? I believe
> extra privs are normally needed to read another user's process's
> environment.

Under DEC Unixen you can read anyone's environment without any extra privs (ps -wwae or a variant thereof, depending on which vintage of OS you're on).

Peter.
Re: PERL Module Problem...
Dr Stephen Henson wrote:

> Are there any circumstances where the environment isn't safe? I believe
> extra privs are normally needed to read another user's process's
> environment.

ps on Linux shows environments, but not being a Linux expert, I couldn't say how that access is controlled.

Cheers,

Ben.

--
SECURE HOSTING AT THE BUNKER! http://www.thebunker.net/hosting.htm
http://www.apache-ssl.org/ben.html
Y19100 no-prize winner! http://www.ntk.net/index.cgi?back=2000/now0121.txt
Re: Random number generation
Without user input you have a problem if your OS doesn't provide a random device. There is librand, a random number package based on event interval variations, from Matt Blaze, Jack Lacy, and Don Mitchell available at:

    ftp://ftp.research.att.com/dist/mab/librand.shar

Nicolas Roumiantzeff.
RE: PERL Module Problem...
> Are there any circumstances where the environment isn't safe? I believe
> extra privs are normally needed to read another user's process's
> environment.

Yes, some OSes dump core that is world readable and has env info in the core file.

Mike
RE: PERL Module Problem...
Enclosed is a sample of a module that I am working on, hope this helps... Hopefully Outlook won't kill it. It is not meant to necessarily be portable to other platforms, but just an example and hopefully some input.

Mike

Certificate.pm
RE: help needed: apache+OpenSSL+modssl+bsafe on NT
> ApacheModuleSSL.dll is installed under the module directory. When i run
> apache.exe -l to list the compiled in modules I get this output,

That's okay to this point.

> Should i be specifiying the ApacheModuleSSL.dll in LoadModule in
> httpd.conf ? is it supported on NT ?

There should be a LoadModule directive like this one:

    <IfDefine SSL>
    LoadModule ssl_module modules/ApacheModuleSSL.dll
    </IfDefine>

As I see from your config you use the SSL define. This means you have to start Apache with

    apache -D SSL

to enable mod_ssl and OpenSSL.

Good luck.

Daniel
__
The OpenSA Project                http://www.opensa.org/
Daniel S. Reichenbach             [EMAIL PROTECTED]
Re: PERL Module Problem...
OK. I'm convinced environment isn't always safe. I'll redo the options to allow several choices. I.e.

1. Command line.
2. Environment.
3. Standard input.

Any other suggestions, e.g. from a file or fd?

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Re: PERL Module Problem...
Richard Levitte - VMS Whacker [EMAIL PROTECTED]:

[...]
> I would trust passwords passed over stdin before anything passed in the
> command line or environment, any time. Not that stdin is perfect either,
> mind you, but still...

Environment variables must usually be considered public.

PGP evaluates a PGPPASSFD environment variable and reads from the named file descriptor; with this approach, you don't have to send passwords and actual data through the same pipe.
Re: quick question..
Erik Aronesty [EMAIL PROTECTED]:

> I have an app working very well... *except* i now want (need?) to
> accurately determine if it's "ok to write" (will not block) or "ok to
> read". Without SSL, I could do this with a select().. however a select()
> is clearly not correct when using SSL.

Set the sockets to non-blocking mode. Then you can just attempt the I/O operation you want to perform; if it does not complete, you can use SSL_get_error() to find what you should select() for before trying again. See the SSL_get_error() man page at www.openssl.org/docs.
Re: Buffer overflows in OpenSSL 0.9.4 on Windows
Remo Inverardi [EMAIL PROTECTED]:

> I'm using OpenSSL 0.9.4, compiled with Visual C++ 6.0 on a Windows
[...]
> I've got the buffer overflows and some leaks.

I have found some memory leaks since, but what I thought were buffer overflows turned out to be harmless because the dangerous-looking function was never called with unsafe parameters.

Can you locate the apparent buffer overflows? Which data structures, which functions are involved?
RE: PERL Module Problem...
SalzR> I thought it was readily available on all BSD-derived Unices. viz:
SalzR>
SalzR>     haggis 71 uname ; who ; echo i am `who am i` ; ps -wwe -tp1
SalzR>     BSD/OS
SalzR>     salzr    ttyp0    Feb 10 14:58  (camstig)
SalzR>     bowe     ttyp1    Feb  7 08:36  (taco)
SalzR>     i am salzr ttyp0 Feb 10 14:58 (camstig)
SalzR>       PID  TT  STAT      TIME COMMAND
SalzR>       276  p1  Is+    0:00.72 TERM=vt100 LINEMODE=real HOME=/usr/home/bowe
[...]

Even worse (read: easier) than I thought...

--
Richard Levitte
Re: PERL Module Problem...
Thanks to all who sent me their help.

I found it very singular that, used inside a CGI script, the code works... :-D

I will investigate deeply... (If I have time to...)

C'you,

Massimiliano Pala ([EMAIL PROTECTED])
Re: help needed: apache+OpenSSL+modssl+bsafe on NT
On Fri, Feb 11, 2000 at 01:04:09PM -0800, vijay karthik wrote:
> ...
> I ran the command,
>
>     openssl verify mycertificatename
> ...
>     error 20 at 0 depth lookup:unable to get local issuer certificate

Seems this one goes to "top 10 of FAQ"

> Any idea on what the problem could be ?

Trusted self-signed root cert should be available as "hashname".0

yours,
Vadim
Re: PERL Module Problem...
From: Dr Stephen Henson [EMAIL PROTECTED]

drh> 1. Command line.
drh> 2. Environment.
drh> 3. Standard input.
drh>
drh> Any other suggestions, e.g. from a file or fd?

Hmm. There's no need to have the password in a file, that can as well be piped in ('cat passwdfile | openssl x509 -passstdin ...' to take a Unixly example, and yes, there's a way to do that on VMS as well). However, a choice of FD (if something other than stdin) could be fancy. For inspiration, you can do that with PGP 2.6.3 by putting the fd number in the environment variable FD (surprise! :-)). Another way might be to declare the fd through yet another parameter. However, I'm not sure I see the absolute need for that kind of fanciness...

--
Richard Levitte
Re: PERL Module Problem...
From: [EMAIL PROTECTED] (Bodo Moeller)

bmoeller> PGP evaluates a PGPPASSFD

That was the name!

bmoeller> environment variable and reads from the named file
bmoeller> descriptor; with this approach, you don't have to send
bmoeller> passwords and actual data through the same pipe.

Good point. I take back what I said earlier, since there seems to be a good reason.

--
Richard Levitte
Re: PERL Module Problem...
Richard Levitte - VMS Whacker wrote:

> Hmm. There's no need to have the password in a file, that can as well
> be piped in ('cat passwdfile | openssl x509 -passstdin ...' to take a
> Unixly example, and yes, there's a way to do that on VMS as well).

Yes, but there's windoze to consider as well... I wish it could be ignored too.

> However, a choice of FD (if something other than stdin) could be fancy.
> For inspiration, you can do that with PGP 2.6.3 by putting the fd number
> in the environment variable FD (surprise! :-)). Another way might be to
> declare the fd through yet another parameter. However, I'm not sure I
> see the absolute need for that kind of fanciness...

I'm thinking of redoing this so it's handled another way. Since there are no releases with -passin, -envpassin I'm free to break it :-)

Maybe something like

    -pass{in,out} source:arg

which would have things like...

    password:hello
    env:ENV_PASSWD
    fd:5
    file:mypasswdfile.txt

All routed through a single app_get_passwd() function which should tidy this all up a bit. Currently all the apps are redundantly doing the same thing.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Re: PERL Module Problem...
From: Dr Stephen Henson [EMAIL PROTECTED]

drh> Richard Levitte - VMS Whacker wrote:
drh>
drh> > Hmm. There's no need to have the password in a file, that can as well
drh> > be piped in ('cat passwdfile | openssl x509 -passstdin ...' to take a
drh> > Unixly example, and yes, there's a way to do that on VMS as well).
drh>
drh> Yes, but there's windoze to consider as well... I wish it could be
drh> ignored too.

Uhmm, so pipes are out of the question in windoze? Seriously? What about redirection? I'm pretty sure I've seen examples of both...

drh> Maybe something like
drh>
drh>     -pass{in,out} source:arg
drh>
drh> which would have things like...
drh>
drh>     password:hello
drh>     env:ENV_PASSWD
drh>     fd:5
drh>     file:mypasswdfile.txt

Is a colon really the best choice? In Windows/DOS and VMS, a colon is an inherent and important part of the file spec. (probably more in VMS than in Windows/DOS...)

Apart from that, I like the idea.

--
Richard Levitte
Re: PERL Module Problem...
> drh> Richard Levitte - VMS Whacker wrote:
> drh>
> drh> > Hmm. There's no need to have the password in a file, that can as well
> drh> > be piped in ('cat passwdfile | openssl x509 -passstdin ...' to take a
> drh> > Unixly example, and yes, there's a way to do that on VMS as well).
> drh>
> drh> Yes, but there's windoze to consider as well... I wish it could be
> drh> ignored too.
>
> Uhmm, so pipes are out of the question in windoze? Seriously? What about
> redirection? I'm pretty sure I've seen examples of both...

And why can't pipes be used in Windows?

> drh> Maybe something like
> drh>
> drh>     -pass{in,out} source:arg
> drh>
> drh> which would have things like...
> drh>
> drh>     password:hello
> drh>     env:ENV_PASSWD
> drh>     fd:5
> drh>     file:mypasswdfile.txt
>
> Is a colon really the best choice? In Windows/DOS and VMS, a colon is an
> inherent and important part of the file spec. (probably more in VMS than
> in Windows/DOS...)
>
> Apart from that, I like the idea.

Using a colon in this context should not be a problem since the first colon is the tag separator. After that the colon can be part of the filename.

Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
The Kermit Project * Columbia University
612 West 115th St #716 * New York, NY * 10025
http://www.kermit-project.org/k95.html * [EMAIL PROTECTED]
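As an added example (not OpenSSL's app_get_passwd(), which at this point in the thread did not exist yet), here is a C reader for the source:arg scheme Steve sketches, splitting on the first colon only as Jeffrey describes so a Windows path after file: keeps its drive colon. The tags password:, env:, fd: and file: are the ones from Steve's message; stdin and the shorter pass: are added because those are the spellings the released OpenSSL tools eventually shipped. Names such as get_pass_from_spec, pass_equals and DEMO_PASSWD are this example's own, and the code assumes a POSIX system for read(2), pipe(2) and setenv(3).

```c
/* Added example, not OpenSSL's code: one "source:arg" pass-phrase reader
 * in the shape proposed in the thread.  Only the FIRST colon separates tag
 * from argument, so "file:c:\keys\pw.txt" keeps its colon.  Tags from the
 * thread: password:, env:, fd:, file:; stdin and pass: added as the forms
 * later OpenSSL releases shipped.  All function names are this example's own. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Overwrite through a volatile pointer so the store cannot be optimised
 * away: the "zero it as soon as it has been used" point from the thread. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Read one line from fd into buf, dropping the trailing LF and any CR.
 * A line that does not fit is refused (and buf wiped), never truncated. */
static int read_line_fd(int fd, char *buf, size_t buflen)
{
    size_t n = 0;
    char c;

    for (;;) {
        ssize_t r = read(fd, &c, 1);
        if (r < 0) { if (errno == EINTR) continue; secure_zero(buf, buflen); return 0; }
        if (r == 0 || c == '\n') break;
        if (n + 1 >= buflen) { secure_zero(buf, buflen); return 0; }
        buf[n++] = c;
    }
    while (n > 0 && buf[n - 1] == '\r') n--;
    buf[n] = '\0';
    return 1;
}

static int tag_is(const char *spec, size_t taglen, const char *tag)
{
    return strlen(tag) == taglen && strncmp(spec, tag, taglen) == 0;
}

/* Fill out[] from the source named by spec.  Returns 1 on success, 0 for an
 * unknown tag, a malformed fd number, an unset variable or a read failure. */
int get_pass_from_spec(const char *spec, char *out, size_t outlen)
{
    const char *arg;
    size_t taglen;

    if (spec == NULL || out == NULL || outlen == 0) return 0;
    out[0] = '\0';
    if (strcmp(spec, "stdin") == 0)
        return read_line_fd(STDIN_FILENO, out, outlen);

    arg = strchr(spec, ':');
    if (arg == NULL) return 0;
    taglen = (size_t)(arg - spec);
    arg++;                                    /* everything after the first ':' */

    if (tag_is(spec, taglen, "password") || tag_is(spec, taglen, "pass")) {
        if (strlen(arg) >= outlen) return 0;
        strcpy(out, arg);
        return 1;
    }
    if (tag_is(spec, taglen, "env")) {
        const char *v = getenv(arg);
        if (v == NULL || strlen(v) >= outlen) return 0;
        strcpy(out, v);
        return 1;
    }
    if (tag_is(spec, taglen, "fd")) {
        char *end;
        long n = strtol(arg, &end, 10);
        if (*arg == '\0' || *end != '\0' || n < 0 || n > 65535) return 0;
        return read_line_fd((int)n, out, outlen);
    }
    if (tag_is(spec, taglen, "file")) {
        int fd = open(arg, O_RDONLY), ok;
        if (fd < 0) return 0;
        ok = read_line_fd(fd, out, outlen);
        close(fd);
        return ok;
    }
    return 0;                                 /* unknown tag */
}

/* Resolve spec, compare with expect, wipe the copy, report 1/0. */
int pass_equals(const char *spec, const char *expect)
{
    char buf[128];
    int ok = get_pass_from_spec(spec, buf, sizeof buf) && strcmp(buf, expect) == 0;
    secure_zero(buf, sizeof buf);
    return ok;
}

/* Constructed env: case; a parent process would export the variable. */
int demo_env_source(void)
{
    setenv("DEMO_PASSWD", "from-env", 1);
    return pass_equals("env:DEMO_PASSWD", "from-env");
}

/* Constructed fd: case; a pipe stands in for the descriptor a parent hands
 * down, which is the PGPPASSFD idea mentioned in the thread. */
int demo_fd_source(void)
{
    int p[2], ok;
    char spec[32];

    if (pipe(p) != 0) return 0;
    if (write(p[1], "from-fd\n", 8) != 8) { close(p[0]); close(p[1]); return 0; }
    close(p[1]);
    snprintf(spec, sizeof spec, "fd:%d", p[0]);
    ok = pass_equals(spec, "from-fd");
    close(p[0]);
    return ok;
}

int main(void)
{
    printf("password: %s  pass:a:b:c %s  env: %s  fd: %s  bogus tag %s\n",
           pass_equals("password:hello", "hello") ? "ok" : "FAIL",
           pass_equals("pass:a:b:c", "a:b:c") ? "ok" : "FAIL",
           demo_env_source() ? "ok" : "FAIL",
           demo_fd_source() ? "ok" : "FAIL",
           pass_equals("bogus:x", "x") ? "ACCEPTED" : "rejected");
    return 0;
}
```

The fd: path is the one worth copying into a wrapper like the Perl module above: the parent writes the pass phrase into a pipe, passes the read end's number as fd:N, and the secret never appears in argv, in the environment, or on the child's stdin alongside its real data.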
help needed: apache+OpenSSL+modssl+bsafe on NT
Hi !

I am trying to run apache+modssl+openssl+bsafe on NT. I was able to build the openssl libraries and Apache.exe (with ssl module: mod_ssl).

I ran the binary "Apache.exe" and I see the apache server listening on the normal port (8080). (I see no error message while startup.) But I don't see the SSL-aware Apache server (port#8443) up! There are no ssl related error logs in the logs directory!

ApacheModuleSSL.dll is installed under the module directory. When I run apache.exe -l to list the compiled in modules I get this output,

    http_core.c
    mod_so.c
    mod_mime.c
    mod_access.c
    mod_auth.c
    mod_negotiation.c
    mod_include.c
    mod_autoindex.c
    mod_dir.c
    mod_cgi.c
    mod_userdir.c
    mod_alias.c
    mod_env.c
    mod_log_config.c
    mod_asis.c
    mod_imap.c
    mod_actions.c
    mod_setenvif.c
    mod_isapi.c

Should I be specifying the ApacheModuleSSL.dll in LoadModule in httpd.conf? Is it supported on NT?

When I access the normal port thru browser it shows the normal installation success page: "The SSL/TLS-aware Apache webserver was successfully installed on this website ... .."

I have got a certificate and the location of the cert file is correctly specified in httpd.conf. The error_log is clean.

Can someone tell me where the problem could be? How should I proceed debugging this problem?

Thanks
Vijay

--
httpd.conf
===

## 
## httpd.conf -- Apache HTTP server configuration file
##

#
# Based upon the NCSA server configuration files originally by Rob McCool.
#

ServerType standalone
ServerRoot "c:\apache"
PidFile c:\apache\logs\httpd.pid
ClearModuleList
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_mime.c
AddModule mod_negotiation.c
#AddModule mod_status.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_so.c
AddModule mod_setenvif.c
<IfDefine SSL>
AddModule mod_ssl.c
</IfDefine>
Port 8080
<IfDefine SSL>
Listen 8080
Listen 8443
</IfDefine>
DocumentRoot "c:\apache\htdocs"
ErrorLog c:\apache\logs\error_log
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
CustomLog c:\apache\logs\access_log common
ServerSignature On
<IfDefine SSL>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
</IfDefine>
<IfModule mod_ssl.c>
SSLPassPhraseDialog  builtin
SSLSessionCacheTimeout  300
SSLMutex  file:c:\apache\logs\ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog      c:\apache\logs\ssl_engine_log
SSLLogLevel info
</IfModule>
<IfDefine SSL>
<VirtualHost _default_:8443>
DocumentRoot "c:\apache\htdocs"
ServerName pc.xyz.com
ServerAdmin [EMAIL PROTECTED]
ErrorLog c:\apache\logs\error_log
TransferLog c:\apache\logs\access_log
#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on
SSLCertificateFile c:\apache\conf\ssl.crt\verisign.crt
SSLCertificateKeyFile c:\apache\conf\ssl.key\verisign.key
CustomLog c:\apache\logs\ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>

__
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com
Re: help needed: apache+OpenSSL+modssl+bsafe on NT
The httpd.conf was taken from unix and IfDefine SSL was failing, hence the modules were not getting loaded. I removed the IfDefine from httpd.conf. (That's the reason we give -DSSL in the command line to start httpd on Unix?)

Now the apache with modssl/openssl is running when I start apache.exe. Even though the apache server is now listening on the SSL port I don't get any response back! (no failures in ssl_error_log file) The browser hangs with "contacted: waiting for reply" message!

Any pointers on what to check to find out the problem?

thanks
vijay
Re: help needed: apache+OpenSSL+modssl+bsafe on NT
Even though openssl complains about the certificate, it doesn't seem to mean much, because I tried the same certificate on my Unix installation (same setup: apache/modssl/bsafe) and it worked very fine, and still the openssl tool on Unix complained. Probably the error shown by the tool is not related to the problem I am seeing.

The fact that the dummy certs work fine but not the Verisign certs should give some lead as to which component the problem could lie in (could it be in the mod_ssl/openssl/bsafe patch?). Any guesses?

thanks
vijay

--- vijay karthik [EMAIL PROTECTED] wrote:
> Hi !
> The apache server is working with the dummy certs but not the Verisign cert.
> I ran the command
>     openssl verify mycertificatename
> and got the following error:
>     verisign.crt: /C=US/ST=california/L=location/O=xyzInc/OU=test/CN=Mypc .xyz.com
>     error 20 at 0 depth lookup:unable to get local issuer certificate
> I don't have any trust points installed on my apache server (which I hope is not needed).
> Any idea on what the problem could be ?
> thanks
> Vijay
>
> --- vijay karthik [EMAIL PROTECTED] wrote:
> > The httpd.conf was taken from Unix and IfDefine SSL was failing, hence the modules were not getting loaded. I removed the IfDefine from httpd.conf. (That's the reason we give -DSSL on the command line to start httpd on Unix ?)
Re: help needed: apache+OpenSSL+modssl+bsafe on NT
This is what I found out... Once I start apache.exe from the command line, it asks for the passphrase for the private key. I enter it and it says the server has started. But it seems like it is not started. I had put logtype=debug in httpd.conf and followed the trace in the ssl_error_log. The trace shows that it asks for the passphrase again even after entering it once before. So I went ahead and entered my passphrase again on the command line (even though it didn't ask for it) and everything seems to work fine... I was able to see the response.

I checked with the openssl tool. Once you enter the passphrase the first time, the s_client module still seems to wait for the server hello. When I enter the passphrase again, I see all the messages (server hello/certificate etc.) in the openssl tool output.

(...and now I know why my dummy cert worked fine: because I didn't give a passphrase to protect my private key for the dummy cert.)

Thanks
Vijay

--- vijay karthik [EMAIL PROTECTED] wrote:
> Even though openssl complains about the certificate, it doesn't seem to mean much, because I tried the same certificate on my Unix installation (same setup: apache/modssl/bsafe) and it worked very fine, and still the openssl tool on Unix complained. Probably the error shown by the tool is not related to the problem I am seeing.
>
> The fact that the dummy certs work fine but not the Verisign certs should give some lead as to which component the problem could lie in (could it be in the mod_ssl/openssl/bsafe patch?). Any guesses?
>
> thanks
> vijay
>
> --- vijay karthik [EMAIL PROTECTED] wrote:
> > Hi !
> > The apache server is working with the dummy certs but not the Verisign cert.
> > I ran the command
> >     openssl verify mycertificatename
> > and got the following error:
> >     verisign.crt: /C=US/ST=california/L=location/O=xyzInc/OU=test/CN=Mypc .xyz.com
> >     error 20 at 0 depth lookup:unable to get local issuer certificate
> > I don't have any trust points installed on my apache server (which I hope is not needed).
> > Any idea on what the problem could be ?
> > thanks
> > Vijay
> >
> > --- vijay karthik [EMAIL PROTECTED] wrote:
> > > The httpd.conf was taken from Unix and IfDefine SSL was failing, hence the modules were not getting loaded. I removed the IfDefine from httpd.conf. (That's the reason we give -DSSL on the command line to start httpd on Unix ?)
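The finding above comes down to the private key: the dummy key had no passphrase, so mod_ssl never had to prompt, while the Verisign key is encrypted, which makes SSLPassPhraseDialog builtin stop the startup for input (and on NT that prompt was misbehaving). Knowing in advance which keys a server will prompt for is a quick check on the PEM headers. The script below is an added example (not from this thread, not OpenSSL or mod_ssl code) that inspects PEM files and reports, per block, whether it is a private key and whether it is passphrase-protected, distinguishing the traditional Proc-Type/DEK-Info encryption that genrsa -des3 produces from PKCS#8 "ENCRYPTED PRIVATE KEY" wrapping. The SAMPLE_* blobs are constructed placeholders with no real key material; the function only looks at headers and never parses or decrypts the key.

```python
"""Report whether PEM private keys are passphrase-protected.

Added example, not from the thread or from OpenSSL/mod_ssl.  It inspects PEM
headers only; it does not parse or decrypt key material.  The sample PEM blobs
below are constructed placeholders, not real keys.
"""
import re

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")

# Traditional ("legacy") OpenSSL PEM encryption announces itself with these headers.
_PROC_TYPE = re.compile(r"^Proc-Type:\s*4,ENCRYPTED$", re.I)
_DEK_INFO = re.compile(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)$", re.I)


def inspect_pem(text):
    """Return one dict per PEM block describing its type and encryption.

    'encryption' is one of:
      None              - unencrypted (no passphrase prompt at server start)
      'legacy:<cipher>' - Proc-Type/DEK-Info style (e.g. from genrsa -des3)
      'pkcs8'           - "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8 wrapping)
    Non-key blocks (certificates etc.) are reported with 'is_key': False.
    """
    blocks = []
    lines = [l.rstrip("\r") for l in text.splitlines()]
    i = 0
    while i < len(lines):
        m = _BEGIN.match(lines[i].strip())
        if not m:
            i += 1
            continue
        label = m.group(1)
        end = "-----END %s-----" % label
        info = {"label": label, "is_key": "PRIVATE KEY" in label, "encryption": None}
        if label == "ENCRYPTED PRIVATE KEY":
            info["encryption"] = "pkcs8"
        i += 1
        proc_type_seen = False
        # Any headers come directly after BEGIN, followed by a blank line.
        while i < len(lines) and lines[i].strip() != end:
            line = lines[i].strip()
            if _PROC_TYPE.match(line):
                proc_type_seen = True
            dm = _DEK_INFO.match(line)
            if dm and proc_type_seen:
                info["encryption"] = "legacy:%s" % dm.group(1).upper()
            i += 1
        blocks.append(info)
        i += 1  # skip the END line
    return blocks


def keys_needing_passphrase(text):
    """Labels of the private-key blocks that will trigger a passphrase prompt."""
    return [b["label"] for b in inspect_pem(text) if b["is_key"] and b["encryption"]]


# Constructed placeholders: the base64 bodies are not real key material.
SAMPLE_DUMMY_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKplaceholdernotarealkey
-----END RSA PRIVATE KEY-----
"""

SAMPLE_DES3_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

U2FsdGVkX1placeholdernotarealkey
-----END RSA PRIVATE KEY-----
"""

SAMPLE_PKCS8_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBvTBXBgkqhkiG9w0BBQ0wplaceholder
-----END ENCRYPTED PRIVATE KEY-----
"""

SAMPLE_CERT = """-----BEGIN CERTIFICATE-----
MIIBszCCAV2gAwIBAgIplaceholder
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    for name, pem in (("dummy", SAMPLE_DUMMY_KEY), ("des3", SAMPLE_DES3_KEY),
                      ("pkcs8", SAMPLE_PKCS8_KEY), ("cert", SAMPLE_CERT)):
        print(name, inspect_pem(pem), keys_needing_passphrase(pem))
```

Pointing it at the file named by SSLCertificateKeyFile tells you before startup whether the builtin dialog will fire; an unencrypted key (the dummy case above) starts without a prompt, an encrypted one will always block until the passphrase is supplied.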
Re: help needed: apache+OpenSSL+modssl+bsafe on NT
Hi !
The apache server is working with the dummy certs but not the Verisign cert.
I ran the command
    openssl verify mycertificatename
and got the following error:
    verisign.crt: /C=US/ST=california/L=location/O=xyzInc/OU=test/CN=Mypc .xyz.com
    error 20 at 0 depth lookup:unable to get local issuer certificate
I don't have any trust points installed on my apache server (which I hope is not needed).
Any idea on what the problem could be ?

thanks
Vijay

--- vijay karthik [EMAIL PROTECTED] wrote:
> The httpd.conf was taken from Unix and IfDefine SSL was failing, hence the modules were not getting loaded. I removed the IfDefine from httpd.conf. (That's the reason we give -DSSL on the command line to start httpd on Unix ?)