Apache + Tomcat with SSL
Hi:

I am using Apache 1.3.26 with JBoss ... it is working fine. Now I have installed SSL Certificates on my Servers and am wondering how to configure Apache for SSL. Should I install mod_ssl or Apache-SSL? Are both of these the same? Which one is recommended?

Thanks!

OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
OpenSSL Error (Apache + mod_ssl)
Hi:

My Apache is NOT working. The log file shows:

[Fri Nov 15 15:35:57 2002] [error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
[Fri Nov 15 15:35:57 2002] [error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
[Fri Nov 15 15:35:57 2002] [error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib

I am using Apache 1.3.27, mod_ssl 2.8.11 on an IBM AIX 5.1 box.
Apache + mod_ssl - Install/config
Hi Experts!

I want to INSTALL and CONFIGURE my APACHE 1.3.27 for SSL. SO, I got mod_ssl from the site and installed it using

# pwd
/opt/freeware/src/packages/SOURCES/mod_ssl-2.8.11-1.3.27
# ./configure --with-apache=../apache_1.3.27 --with-ssl=/Downloads/openssl-0.9.6g --with-crt=/usr/local/ssl/bin/cert.cer --with-key=/usr/local/ssl/bin/private.key --prefix=/kit --enable-shared=ssl
# cd ..
# cd apache_1.3.27
# make
# make certificate
# make install

This DOCUMENTATION was given in the README file in the above directory. Later, when I check whether my APACHE was configured for SSL by using:

# ./httpd -l
Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_negotiation.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_asis.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_access.c
  mod_auth.c
  mod_so.c
  mod_setenvif.c
suexec: disabled; invalid wrapper /kit/bin/suexec
#

As seen above, the MOD_SSL module is NOT LISTED. When I installed/configured (as shown above) I did not receive any ERROR - but still could NOT see if MOD_SSL was configured.

Any suggestions/hints?
PRNG Error - /dev/random not avail
I am using an IBM AIX System and DO NOT have a /dev/random device. How do I set the random pool to /dev/random? Also, on my IBM AIX box I have installed EGD

/var/run/egd-pool

Any related info?

Thanks!
Apache + mod_ssl (OpenSSL Error)
Hi Experts!

I want to INSTALL and CONFIGURE my APACHE 1.3.27 for SSL. I am using an IBM AIX box. So, I got mod_ssl from the IBM site and installed it in the following way (after READing the INSTALL file for 2 hrs ;-(

# pwd
/opt/freeware/src/packages/SOURCES/mod_ssl-2.8.11-1.3.27
# ./configure --with-apache=../apache_1.3.27 --with-ssl=/Downloads/openssl-0.9.6g --with-crt=/usr/local/ssl/bin/cert.cer --with-key=/usr/local/ssl/bin/private.key --prefix=/kit --enable-shared=ssl
# cd ..
# cd apache_1.3.27
# make
# make certificate
# make install

This DOCUMENTATION was given in the README file in the above directory. Later, I start my APACHE for SSL as shown below and get an ERROR:

# ./apachectl startssl
./apachectl startssl: httpd could not be started

So, I finally READ the LOG file error_log and it shows:

[error] mod_ssl: Init: Failed to generate temporary 512 bit RSA private key (OpenSSL library error follows)
[error] OpenSSL: error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded
[error] OpenSSL: error:04069003:rsa routines:RSA_generate_key:BN lib

Do you know what this error would be? I have already installed EGD entropy and it is stored in /dev/egd-pool

Any links/pointers on this are appreciated.

Thanks!
Re: SSL Config on Tomcat (443 or 8443)
) at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:481)
at java.lang.reflect.Method.invoke(Native Method)
+ nested throwable:
java.lang.NullPointerException
at org.jboss.web.catalina.security.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:74)
at org.jboss.web.catalina.security.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:57)
--

All I want to do is to use my Tomcat Application using SSL Certificates. It works using http://www.hari.com:8080/hari/register.jsp; BUT NOT when I try https://...;

Can anyone of you please help me out on this?

THANKS!

From: L Nehring [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: SSL Config on Tomcat (443 or 8443)
Date: Wed, 13 Nov 2002 12:21:19 -0700

Hari,

You'll probably want to edit Tomcat's server.xml and add/modify a couple Connector specifications inside the Service spec, such as the following. (Now, I'm using Tomcat 4.0.6 with JBoss 3.0.4, so for me this file is actually the $JBOSS_HOME/server/default/deploy/tomcat4-service.xml file.) You'll probably want to get the documentation and more help on the Apache Jakarta website and the JBoss website for stuff like this.

Note that you could change all the port 8080's to 80 and the port 8433's to 443, but then you'll need to run Tomcat as root. For myself, I prefer to use the JK2 connector with Apache2.40+ and keep Tomcat (and apps like it) away from listening on ports on any interface other than localhost. Security patches for Apache come out quicker than for the other stuff.

<!-- A HTTP Connector on port 8080 -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8080" redirectPort="8443"
           minProcessors="3" maxProcessors="10"
           enableLookups="true" acceptCount="10" debug="0"
           connectionTimeout="6" />

<!-- SSL/TLS Connector configuration using the SSL domain keystore -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" scheme="https" secure="true">
  <Factory className="org.jboss.web.catalina.security.SSLServerSocketFactory"
           securityDomainName="java:/jaas/TomcatSSL"
           clientAuth="false" protocol="TLS" />
</Connector>

Hope this helps.

r,
Lance

Manoj Kithany wrote:

> Hi Experts:
>
> My Apache+SSL is working now - thanks to you all. I checked it using https://www.hari.com. However, I have a small Application which contains JSP+Servlets which calls Oracle DB via JDBC. This application is working fine when I type http://www.hari.com:8080/hari/index.jsp but when I try HTTPS as https://www.hari.com:8080/hari/index.jsp it doesn't work - ie the page doesn't show up.
>
> I know that HTTPS listens to port 443 and my Application (Tomcat+JBoss) listens to port 8080 - so how do I integrate both the ports to work together?
>
> Any useful information on above is appreciated.
>
> THANKS!
> HARI
Apache+SSL Not working ---OpenSSL Error?
Hi Experts:

I have Apache (with SSL) on my IBM AIX Box. I installed it using RPM. When I run my APACHE as ssl using ./apachectl startssl I get the following error:

--
# ./apachectl startssl
./apachectl startssl: httpd could not be started
#
--

So, when I check the following LOG files - I have the following:

Filename: error_log

[Tue Nov 12 10:04:37 2002] [error] mod_ssl: Init: Unable to read server certificate from file /usr/local/ssl/bin/public.csr (OpenSSL library error follows)
[Tue Nov 12 10:04:37 2002] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

Filename: ssl_engine_log

[12/Nov/2002 10:04:37 28132] [info] Server: Apache/1.3.27, Interface: mod_ssl/2.8.11, Library: OpenSSL/0.9.6e
[12/Nov/2002 10:04:37 28132] [info] Init: 1st startup round (still not detached)
[12/Nov/2002 10:04:37 28132] [info] Init: Initializing OpenSSL library
[12/Nov/2002 10:04:37 28132] [info] Init: Loading certificate private key of SSL-aware server www.kithany.com:443
[12/Nov/2002 10:04:37 28132] [error] Init: Unable to read server certificate from file /usr/local/ssl/bin/public.csr (OpenSSL library error follows)
[12/Nov/2002 10:04:37 28132] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence

Does anyone of you Experts know what the above ERROR is for and how to remove it?

THANKS!
Apache+SSL Not working ---OpenSSL Error?
Hi Tim:

THANKS for your email. What is TEST SERVER Program?

> To make sure that this is an openssl issue, and not your apache configuration, or the hardware that you are using (I noticed the ssl_engine_log), try running the test server program that is with the openssl distribution.
>
> Regards,
> Tim
>
> --- Manoj Kithany [EMAIL PROTECTED] wrote:
>> Hi Experts:
>>
>> I have Apache (with SSL) on my IBM AIX Box. I installed it using RPM. When I run my APACHE as ssl using ./apachectl startssl I get the following error:
>>
>> --
>> # ./apachectl startssl
>> ./apachectl startssl: httpd could not be started
>> #
>> --
>>
>> So, when I check the following LOG files - I have the following:
>>
>> Filename: error_log
>>
>> [Tue Nov 12 10:04:37 2002] [error] mod_ssl: Init: Unable to read server certificate from file /usr/local/ssl/bin/public.csr (OpenSSL library error follows)
>> [Tue Nov 12 10:04:37 2002] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence
>>
>> Filename: ssl_engine_log
>>
>> [12/Nov/2002 10:04:37 28132] [info] Server: Apache/1.3.27, Interface: mod_ssl/2.8.11, Library: OpenSSL/0.9.6e
>> [12/Nov/2002 10:04:37 28132] [info] Init: 1st startup round (still not detached)
>> [12/Nov/2002 10:04:37 28132] [info] Init: Initializing OpenSSL library
>> [12/Nov/2002 10:04:37 28132] [info] Init: Loading certificate private key of SSL-aware server www.kithany.com:443
>> [12/Nov/2002 10:04:37 28132] [error] Init: Unable to read server certificate from file /usr/local/ssl/bin/public.csr (OpenSSL library error follows)
>> [12/Nov/2002 10:04:37 28132] [error] OpenSSL: error:0D09F007:asn1 encoding routines:d2i_X509:expecting an asn1 sequence
>>
>> Does anyone of you Experts know what the above ERROR is for and how to remove it?
>>
>> THANKS!
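Added example, not part of the thread: the error_log above shows mod_ssl loading /usr/local/ssl/bin/public.csr as the server certificate, and a file written by `openssl req -new -out` is a certificate request, not an X.509 certificate. This Python check reads the PEM label of each file named by SSLCertificateFile and SSLCertificateKeyFile and reports a mismatch; the httpd.conf fragment and the file bodies are constructed placeholders, and the `read_file` hook is an assumption made so the check runs without touching disk.

```python
import re

# PEM labels OpenSSL writes for each kind of object.
CERT = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
CSR = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}
KEY = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
       "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
WANTED = {"sslcertificatefile": CERT, "sslcertificatekeyfile": KEY}

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)
# Commented-out directives do not match: '#' precedes the name on the line.
DIRECTIVE = re.compile(
    r"^[ \t]*(SSLCertificateFile|SSLCertificateKeyFile)[ \t]+(\S+)",
    re.IGNORECASE | re.MULTILINE)

def pem_labels(text):
    """Return the label of every PEM block in text, in order."""
    return BEGIN.findall(text)

def audit(conf_text, read_file):
    """Compare each certificate/key directive with the file it names.

    read_file(path) returns the file's text (hypothetical hook).
    """
    findings = []
    for name, path in DIRECTIVE.findall(conf_text):
        path = path.strip('"')
        labels = pem_labels(read_file(path))
        if not labels:
            findings.append((name, path, "no PEM header"))
        elif not WANTED[name.lower()].intersection(labels):
            kind = "a certificate request" if CSR.intersection(labels) else labels[0]
            findings.append((name, path, "file holds " + kind))
    return findings

# Constructed sample: paths as in the logs above, bodies are placeholders.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
SSLEngine on
# SSLCertificateFile /path/to/server.crt
SSLCertificateFile /usr/local/ssl/bin/public.csr
SSLCertificateKeyFile /usr/local/ssl/bin/private.key
</VirtualHost>
"""
SAMPLE_FILES = {
    "/usr/local/ssl/bin/public.csr":
        "-----BEGIN CERTIFICATE REQUEST-----\nPLACEHOLDER\n-----END CERTIFICATE REQUEST-----\n",
    "/usr/local/ssl/bin/private.key":
        "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, SAMPLE_FILES.__getitem__):
        print("%s %s: %s" % finding)
```

On a real host, pass `lambda p: open(p, errors="replace").read()` as `read_file`.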
Re: PRNG not seeded ERROR!!!!
Hi Mr. Erwann:

THANKS for your reply. I checked the url before I posted my query to this List. I am a bit confused - should I need to install EGD or PRNG? I checked my IBM Server and couldn't find /dev/random? Can you/anyone please help?

THANKS!
Manoj G. Kithany

[EMAIL PROTECTED] 10/31/02 09:31AM
On Thu, 31 Oct 2002, Manoj Kithany wrote:

> I am installing OPENSSL and when running I get the following ERROR - wonder why:
> --
> # ./openssl req -new -nodes -keyout private.key -out public.csr
> Using configuration from /usr/local/ssl/openssl.cnf
> unable to load 'random state'
> This means that the random number generator has not been seeded
> with much random data.
> Generating a 1024 bit RSA private key
> 22664:error:24064064:random number generator:SSLEAY_RAND_BYTES:PRNG not seeded:md_rand.c:501:You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
> 22664:error:04069003:rsa routines:RSA_generate_key:BN lib:rsa_gen.c:182:
> #
> --
> I am using IBM AIX System. Any information on above...?

Yes, just point your browser to the link given in the error messages: http://www.openssl.org/support/faq.html

--
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
-
A forum can meet several needs at once. Here, the group of beginners outnumbers the group of middle-class users, which inevitably causes tensions.
-+- EF - Guide du Neuneu d'Usenet - La lutte des middle classes -+-
Re: PRNG not seeded ERROR!!!!
Thanks Erwann:

I checked my System and have installed PRNG. I checked it by using:

# ps -ef | grep prng
root 47354 6518 0 14:13:01 - 0:03 /opt/freeware/sbin/prngd -f /dev/egd-pool -m 666
#

But still when I run the OPENSSL command it gives me the same error PRNG not seeded - wonder why!

THANKS!

Erwann ABALEA [EMAIL PROTECTED] 10/31/02 11:03AM
On Thu, 31 Oct 2002, Manoj Kithany wrote:

> THANKS for your reply. I checked the url before I posted my query to this List. I am bit

Sorry if I offended you. You didn't specify in your first post that you checked the URL, and since this question is in the FAQ, that means it is asked a *lot* of times. :)

> confused - should I need to install EGD or PRNG? I checked my IBM Server and couldn't find /dev/random?

No, you don't have a /dev/random device entry. I don't use AIX (only Linux or Solaris), so I can only speculate. Why don't you install prngd and either do:

- set the random pool to the default (something like /var/run/egd-pool), but you'll have to specify the option -rand /var/run/egd-pool or an equivalent to every program using the OpenSSL library
- set the random pool to /dev/random, so everyone will be able to use this random pool
- set the random pool to ~/.rnd, but it will be easily usable only to one particular user, while the others will have to use the -rand ... equivalent
- set the random pool to the default, and set the RANDFILE environment variable so that it points to the good pool

One of these things should work...

--
Erwann ABALEA [EMAIL PROTECTED] - RSA PGP Key ID: 0x2D0EABD5
-
The secret of success is knowing who to blame for your failures.
Demotivators, 2001 calendar
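Added example, not part of the thread: a Python check that walks the seed sources named in the reply above (random device, RANDFILE, ~/.rnd, EGD/prngd socket) and reports which option applies on a host. The candidate socket paths are the two mentioned in this thread, and the `root` parameter is a hypothetical hook for running the check against a constructed directory tree.

```python
import os
import stat

DEVICES = ("/dev/urandom", "/dev/random")
# Socket locations mentioned in this thread (assumed candidates, not a full list).
EGD_SOCKETS = ("/var/run/egd-pool", "/dev/egd-pool")

def kind_of(path):
    """Classify a path as 'device', 'socket', 'file' (non-empty) or None."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    if stat.S_ISCHR(st.st_mode):
        return "device"
    if stat.S_ISSOCK(st.st_mode):
        return "socket"
    if stat.S_ISREG(st.st_mode) and st.st_size > 0:
        return "file"
    return None

def seed_plan(root="", env=None, home=None):
    """Return (source, path, action) for the first usable seed source.

    root is prepended to every path so the check can run against a
    constructed tree; leave it empty on a real host.
    """
    env = os.environ if env is None else env
    home = os.path.expanduser("~") if home is None else home
    for dev in DEVICES:
        if kind_of(root + dev) == "device":
            return ("device", dev, "system random device exists")
    randfile = env.get("RANDFILE")
    if randfile and kind_of(root + randfile) in ("socket", "file"):
        return ("RANDFILE", randfile, "already set in this environment")
    rnd = os.path.join(home, ".rnd")
    if kind_of(root + rnd) == "file":
        return ("~/.rnd", rnd, "seed file for this user only")
    for sock in EGD_SOCKETS:
        if kind_of(root + sock) == "socket":
            action = "pass -rand %s or export RANDFILE=%s" % (sock, sock)
            return ("egd", sock, action)
    return ("none", None, "start prngd or EGD, then re-run this check")

if __name__ == "__main__":
    print("%s %s: %s" % seed_plan())
```

With prngd listening on /dev/egd-pool as in the `ps` output above and no device, RANDFILE or ~/.rnd present, the result is the `egd` case: the daemon is running, but each openssl invocation still has to be pointed at its socket.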