Re: svn commit: r1866035 - /httpd/httpd/branches/2.4.x/STATUS
On Thu, Feb 06, 2020 at 07:52:18AM -0600, Daniel Ruggeri wrote:
> Hey there, Joe; No idea how I didn't detect this much sooner. I have
> access to hardware security modules with PKCS11 interfaces for key
> operations and would be happy to put this through its paces. The
> 2.5 docs are fairly light (note, this 2.4 patch seems to be missing
> docs) on how to test this out. Pointers appreciated if you have a
> working recipe.

That would be awesome. The stuff I'm not really sure about & could use
better docs is:

a) how to identify the right PKCS#11 URI for the key/cert objects, and
b) how to set up the OpenSSL pkcs11 engine correctly so this works

On recent Fedora/RHEL (b) works OOTB but I imagine this may take some
effort on other systems or from-scratch builds.

For testing locally I used a USB smartcard reader, setting up the card
following https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC

If you can store a cert & private key on the token, mod_ssl will use
both, but I think not all HSMs can store the cert, so you can load that
from a PEM file if required and list the key only as a pkcs11: URI in
SSLCertificateKeyFile.

Beyond that it should "just work" if you configure per the mod_ssl docs,
running "p11tool --list-tokens" listed the URI for the token, and I
used:

SSLCertificateFile "pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=0001C9540200;token=Joe%20Orton%20%28OpenSC%20Card%29"

Regards, Joe

>
> On 2019/08/28 12:15:02 jor...@apache.org wrote:
> > Author: jorton
> > Date: Wed Aug 28 12:15:01 2019
> > New Revision: 1866035
> >
> > URL: http://svn.apache.org/viewvc?rev=1866035=rev
> > Log:
> > Proposed mod_ssl PKCS#11 cert/key support.
> > > > Modified: > > httpd/httpd/branches/2.4.x/STATUS > > > > Modified: httpd/httpd/branches/2.4.x/STATUS > > URL: > > http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1866035=1866034=1866035=diff > > == > > --- httpd/httpd/branches/2.4.x/STATUS (original) > > +++ httpd/httpd/branches/2.4.x/STATUS Wed Aug 28 12:15:01 2019 > > @@ -160,6 +160,21 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: > >rpluem says: -1 for now. See further discussion at > > https://bz.apache.org/bugzilla/show_bug.cgi?id=63503 > > > > + *) mod_ssl: Add support for loading certs & keys from PKCS#11 URLs via > > the > > + OpenSSL pkcs11 engine. Includes related minor cleanups and > > + simplification to mod_ssl internals. > > + trunk patch: http://svn.apache.org/r1830819 > > + http://svn.apache.org/r1830912 > > + http://svn.apache.org/r1830913 > > + http://svn.apache.org/r1830927 > > + http://svn.apache.org/r1831168 > > + http://svn.apache.org/r1831173 > > + http://svn.apache.org/r1835240 > > + http://svn.apache.org/r1835242 > > + http://svn.apache.org/r1835615 > > + 2.4.x patch: http://people.apache.org/~jorton/mod_ssl_pkcs11.patch > > + +1: jorton, > > + > > PATCHES/ISSUES THAT ARE BEING WORKED > >[ New entries should be added at the START of the list ] > > > > > > > > > -- > Daniel Ruggeri
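Review bot: the new STATUS entry, in the "+" lines after "rpluem says: -1 for now", describes the backport only as code ("Add support for loading certs & keys from PKCS#11 URLs via the OpenSSL pkcs11 engine" plus "minor cleanups and simplification to mod_ssl internals") and does not say whether documentation is part of the 2.4.x patch, which is the gap raised in this thread. Suggest the entry state whether mod_ssl_pkcs11.patch carries the docs for pkcs11: URIs in SSLCertificateFile and SSLCertificateKeyFile, or that the docs are added to the patch, so voters know what they are reviewing.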
Re: svn commit: r1866035 - /httpd/httpd/branches/2.4.x/STATUS
On February 7, 2020 4:59:39 AM CST, Joe Orton wrote:
>On Thu, Feb 06, 2020 at 07:52:18AM -0600, Daniel Ruggeri wrote:
>> Hey there, Joe; No idea how I didn't detect this much sooner. I have
>> access to hardware security modules with PKCS11 interfaces for key
>> operations and would be happy to put this through its paces. The
>> 2.5 docs are fairly light (note, this 2.4 patch seems to be missing
>> docs) on how to test this out. Pointers appreciated if you have a
>> working recipe.
>
>That would be awesome. The stuff I'm not really sure about & could use
>better docs is:
>
>a) how to identify the right PKCS#11 URI for the key/cert objects, and
>b) how to set up the OpenSSL pkcs11 engine correctly so this works
>
>On recent Fedora/RHEL (b) works OOTB but I imagine this may take some
>effort on other systems or from-scratch builds.
>
>For testing locally I used a USB smartcard reader, setting up the card
>following https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC
>
>If you can store a cert & private key on the token, mod_ssl will use
>both, but I think not all HSMs can store the cert, so you can load that
>from a PEM file if required and list the key only as a pkcs11: URI in
>SSLCertificateKeyFile.
>
>Beyond that it should "just work" if you configure per the mod_ssl docs,
>running "p11tool --list-tokens" listed the URI for the token, and I
>used:
>
>SSLCertificateFile "pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=0001C9540200;token=Joe%20Orton%20%28OpenSC%20Card%29"
>
>Regards, Joe

Sweet - this is a good starting point. I'll also get in touch with the manufacturer to see if there are any gotchas to worry about. For all I know, it may be a non-starter with this particular gear.

Hopefully more to come soon!
-- Daniel Ruggeri > >> >> On 2019/08/28 12:15:02 jor...@apache.org wrote: >> > Author: jorton >> > Date: Wed Aug 28 12:15:01 2019 >> > New Revision: 1866035 >> > >> > URL: http://svn.apache.org/viewvc?rev=1866035=rev >> > Log: >> > Proposed mod_ssl PKCS#11 cert/key support. >> > >> > Modified: >> > httpd/httpd/branches/2.4.x/STATUS >> > >> > Modified: httpd/httpd/branches/2.4.x/STATUS >> > URL: >http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1866035=1866034=1866035=diff >> > >== >> > --- httpd/httpd/branches/2.4.x/STATUS (original) >> > +++ httpd/httpd/branches/2.4.x/STATUS Wed Aug 28 12:15:01 2019 >> > @@ -160,6 +160,21 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: >> >rpluem says: -1 for now. See further discussion at >> > >https://bz.apache.org/bugzilla/show_bug.cgi?id=63503 >> > >> > + *) mod_ssl: Add support for loading certs & keys from PKCS#11 >URLs via the >> > + OpenSSL pkcs11 engine. Includes related minor >cleanups and >> > + simplification to mod_ssl internals. >> > + trunk patch: http://svn.apache.org/r1830819 >> > + http://svn.apache.org/r1830912 >> > + http://svn.apache.org/r1830913 >> > + http://svn.apache.org/r1830927 >> > + http://svn.apache.org/r1831168 >> > + http://svn.apache.org/r1831173 >> > + http://svn.apache.org/r1835240 >> > + http://svn.apache.org/r1835242 >> > + http://svn.apache.org/r1835615 >> > + 2.4.x patch: >http://people.apache.org/~jorton/mod_ssl_pkcs11.patch >> > + +1: jorton, >> > + >> > PATCHES/ISSUES THAT ARE BEING WORKED >> >[ New entries should be added at the START of the list ] >> > >> > >> > >> > >> -- >> Daniel Ruggeri
Passed: apache/httpd#295 (2.4.x - 0aae442)
Build Update for apache/httpd - Build: #295 Status: Passed Duration: 6 mins and 54 secs Commit: 0aae442 (2.4.x) Author: Ruediger Pluem Message: * Vote and promote git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1873740 13f79535-47bb-0310-9956-ffa450edef68 View the changeset: https://github.com/apache/httpd/compare/e11b24d47e14...0aae44271e21 View the full build log and details: https://travis-ci.org/apache/httpd/builds/647347827?utm_medium=notification_source=email
Re: Help regarding an issue with Apache Tomcat
This list is for Apache HTTPD. You can find support for Tomcat here: http://tomcat.apache.org/lists.html#tomcat-users - Y Sent from a device with a very small keyboard and hyperactive autocorrect. On Fri, Feb 7, 2020, 2:35 AM Cheeneebash, P. wrote: > Hello, > > We need help regarding an issue with Apache Tomcat. > > > > For security reasons, we have had to modify the configuration of our > > Siebel Application (Siebel Click through Daemon and Siebel Email Sending > > Daemon) to use tomcat 7.0.86 instead of 7.0.14. > > After the modification, we have restarted our applications and we can > > see in the log files that they are using the version 7.0.86. However, > > while testing using 'myurl:8080/manager/status', it is still pointing to > > the 7.0.14 version. > > > > Can you please assist ? > > > > Please find the attached screenshot. > > > > Thanks and Regards/Cordialement > > > > Pritish Cheeneebash > > Application Development Analyst > > Accenture > > Office: +230 40 25 451
Re: 2.4.next coming?
On Thu, Feb 6, 2020 at 8:54 AM Daniel Ruggeri wrote:
>
> Hi, all. It's been a few months since we've rolled a release and there are a
> few bug fixes that seem like A Good Thing to get out there.
>
> Thoughts on rolling soon-ish?
>
> As always, I volunteer to either RM or mentor someone new through the RM
> process.

+1 and thanks!