RE: Which Apache module writes the access log file

2014-03-27 Thread Miguel Villarreal
Hi! I received this answer to my question: mod_log_confighttp://httpd.apache.org/docs/current/mod/mod_log_config.html#customlog Is this module also the one in charge of creating the access log file if it does not exist? What I need to do is to create an extra file to store the modifiers of the

Re: mod_ssl patch: use new OpenSSL features to autofix cert chains

2014-03-27 Thread Rob Stradling
On 27/03/14 16:45, Daniel Kahn Gillmor wrote: Do we have a robust, free tool that, given a single X.509 EE cert, can do automagic fetching and trying of all combinations of these things and produce a reasonable PEM-encoded SSLCertificateChainFile on stdout? If we had such a tool, then the detec

Re: mod_ssl patch: use new OpenSSL features to autofix cert chains

2014-03-27 Thread Rob Stradling
On 27/03/14 17:11, Emilia Kasper wrote: Right. So this particular case could be handled by carefully constructing the shortest possible chain from all AIA information available (system store, p7c, crt). In that particular case, yes, I suppose so. However, our "older" AddTrust/UTN roots have

Re:

2014-03-27 Thread Eric Covener
On Thu, Mar 27, 2014 at 5:36 PM, Miguel Villarreal wrote > What module of Apache writes to the access log file? I mean, which one opens > the file and writes the log? mod_log_config http://httpd.apache.org/docs/current/mod/mod_log_config.html#customlog

Which Apache module writes the access log file

2014-03-27 Thread Miguel Villarreal
Hello. What module of Apache writes to the access log file? I mean, which one opens the file and writes the log? Thank you! Miguel Antonio

[no subject]

2014-03-27 Thread Miguel Villarreal
Hello. What module of Apache writes to the access log file? I mean, which one opens the file and writes the log? Thank you! Miguel Antonio

Configuration error handling after httpd restart

2014-03-27 Thread Mike Rumph
Hello all, I have been doing some testing on the results of httpd restart with configuration errors. This gave me some interesting results. For these tests I build httpd trunk with APR trunk on Linux using the following configure: $ ./configure --prefix=/home/mrumph/apache25 --with-included-a

Re: mod_ssl patch: use new OpenSSL features to autofix cert chains

2014-03-27 Thread Ruediger Pluem
Daniel Kahn Gillmor wrote: > On 03/27/2014 12:37 PM, Rob Stradling wrote: >> On 26/03/14 16:46, Daniel Kahn Gillmor wrote: >>> it doesn't even need to fetch the certificate itself, it could just make >>> the big noisy error log say "you >>> should fetch the cert from and append it to >>> " >>

Re: mod_ssl patch: use new OpenSSL features to autofix cert chains

2014-03-27 Thread Emilia Kasper
Hi Rob! On Thu, Mar 27, 2014 at 5:29 PM, Rob Stradling wrote: > On 26/03/14 15:29, Emilia Kasper wrote: > >> Wow, thanks for all the great feedback! >> >> On Wed, Mar 26, 2014 at 2:47 PM, Daniel Kahn Gillmor wrote: >> > > > This is a pretty perverse situation, though, and perhaps the answer

Re: mod_ssl patch: use new OpenSSL features to autofix cert chains

2014-03-27 Thread Rob Stradling
On 27/03/14 14:04, Daniel Kahn Gillmor wrote: On 03/27/2014 09:27 AM, Emilia Kasper wrote: As I said, I have low faith in admin intervention.. According to SSL pulse, 6% of Alexa top 200K sites serve an incomplete chain. You'd think they'd notice. I share your skepticism, but to be fair, mos

Re: mod_ssl patch: use new OpenSSL features to autofix cert chains

2014-03-27 Thread Daniel Kahn Gillmor
On 03/27/2014 12:37 PM, Rob Stradling wrote: > On 26/03/14 16:46, Daniel Kahn Gillmor wrote: > >> it doesn't even need to fetch the certificate itself, it could just make >> the big noisy error log say "you should fetch the cert from and >> append it to " > > is supposed to be DER-encoded rathe

Re: mod_ssl patch: use new OpenSSL features to autofix cert chains

2014-03-27 Thread Rob Stradling
On 26/03/14 16:46, Daniel Kahn Gillmor wrote: it doesn't even need to fetch the certificate itself, it could just make the big noisy error log say "you should fetch the cert from and append it to " is supposed to be DER-encoded rather than Base64-encoded, so the user would need to convert i

Re: mod_ssl patch: use new OpenSSL features to autofix cert chains

2014-03-27 Thread Rob Stradling
On 26/03/14 15:29, Emilia Kasper wrote: Wow, thanks for all the great feedback! On Wed, Mar 26, 2014 at 2:47 PM, Daniel Kahn Gillmor wrote: This is a pretty perverse situation, though, and perhaps the answer is that CA X just shouldn't do that kind of weird/chained reissuance over

Mod_proxy, subrequests, keep-alive

2014-03-27 Thread Alexander Frolkin
Hi, I want to re-raise an issue that I last saw referenced back in 2005, here: http://mail-archives.apache.org/mod_mbox/httpd-dev/200507.mbox/%3C42CBE6B4.80305%40web.turner.com%3E (or at least I couldn't find anything more recent in the mailing list archives). Namely, the issue is that mod_p

Re: mod_ssl patch: use new OpenSSL features to autofix cert chains

2014-03-27 Thread Dr Stephen Henson
On 27/03/2014 13:01, Emilia Kasper wrote: > > > > On Wed, Mar 26, 2014 at 4:56 PM, Dr Stephen Henson > mailto:shen...@opensslfoundation.com>> wrote: > > On 26/03/2014 13:38, Emilia Kasper wrote: > > > > On Wed, Mar 26, 2014 at 1:11 PM, Dr Stephen Henson > > mailto:shen...@openss

Re: mod_ssl patch: use new OpenSSL features to autofix cert chains

2014-03-27 Thread Daniel Kahn Gillmor
On 03/27/2014 09:27 AM, Emilia Kasper wrote: > HPKP can never work this way. Pin validation is always done on top of > normal TLS validation and can only invalidate an otherwise valid connection > and never the other way around. Otherwise I could trivially hijack > connections by pinning sites to a

Re: mod_ssl patch: use new OpenSSL features to autofix cert chains

2014-03-27 Thread Emilia Kasper
On Wed, Mar 26, 2014 at 5:46 PM, Daniel Kahn Gillmor wrote: > On 03/26/2014 11:29 AM, Emilia Kasper wrote: > > Cross-signing happens all the time but afaik the other way around, i.e., > an > > intermediate Y' corresponding to a _newer_ root cert Y is cross-signed by > > some _older_ root cert Z. S
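
Added example for the mod_ssl chain-autofix thread above (Daniel's question about a tool that builds a chain from an EE cert, Emilia's "shortest possible chain from all AIA information", Rob's note that AIA caIssuers files are DER rather than PEM, and the cross-signing case in this message). This is not mod_ssl's or OpenSSL's code. It uses a constructed certificate graph (names, subjects and the example.invalid URLs are all assumptions) and matches issuers by subject name only; a real implementation must verify signatures and key identifiers.

```python
"""Added example for the mod_ssl chain-autofix thread.

Not mod_ssl's or OpenSSL's code. Models, with a constructed certificate
graph, two things the thread discusses: choosing the shortest chain to a
trusted root when a cross-signed intermediate offers more than one path,
and turning a DER file fetched from an AIA caIssuers URL into the PEM that
SSLCertificateChainFile expects. Issuer links are matched by name only here;
real chain building must verify signatures and key identifiers.
"""
import base64
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: just the fields chain building uses.
    'aia' holds the caIssuers URIs from which the *issuer* of this cert could
    be fetched (assumed values; example.invalid is a reserved name)."""
    name: str
    subject: str
    issuer: str
    aia: tuple = ()

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_chain(leaf, pool, trusted):
    """Breadth-first search over issuer links starting at 'leaf'.

    Returns the shortest list [leaf, intermediate, ...] whose last element is
    issued directly by a cert in 'trusted', or None if no such path exists.
    Self-signed certs are never placed in the served chain (assumption: the
    server sends intermediates only and clients hold the roots)."""
    by_subject = {}
    for cert in pool:
        by_subject.setdefault(cert.subject, []).append(cert)
    trusted_subjects = {root.subject for root in trusted}
    queue = deque([[leaf]])
    seen = {leaf.name}
    while queue:
        chain = queue.popleft()
        top = chain[-1]
        if top.issuer in trusted_subjects and not top.self_signed:
            return chain
        for issuer in by_subject.get(top.issuer, []):
            if issuer.name not in seen and not issuer.self_signed:
                seen.add(issuer.name)
                queue.append(chain + [issuer])
    return None


def missing_intermediates(chain, configured):
    """For each cert in 'chain' the server does not already have configured,
    return (cert name, AIA URL of the cert below it): the 'you should fetch
    the cert from <url>' hint the thread proposes logging."""
    configured_names = {cert.name for cert in configured}
    hints = []
    for below, cert in zip(chain, chain[1:]):
        if cert.name not in configured_names:
            hints.append((cert.name, below.aia[0] if below.aia else None))
    return hints


def der_to_pem(der: bytes) -> str:
    """Wrap a DER certificate in the PEM armour httpd reads (64-char lines)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed graph: a newer root Y, an older root Z, and Y cross-signed by Z.
ROOT_Y = Cert("root-Y", "CN=Root Y", "CN=Root Y")
ROOT_Z = Cert("root-Z", "CN=Root Z", "CN=Root Z")
CROSS_Y = Cert("Y-cross-signed-by-Z", "CN=Root Y", "CN=Root Z",
               aia=("http://example.invalid/rootZ.crt",))
INTER = Cert("intermediate", "CN=Inter", "CN=Root Y",
             aia=("http://example.invalid/rootY.crt",))
LEAF = Cert("leaf", "CN=www.example.invalid", "CN=Inter",
            aia=("http://example.invalid/inter.crt",))
POOL = [ROOT_Y, ROOT_Z, CROSS_Y, INTER]


def chain_names(trusted):
    """Names of the shortest served chain for LEAF against a given trust store."""
    chain = build_chain(LEAF, POOL, trusted)
    return [cert.name for cert in chain] if chain else None


if __name__ == "__main__":
    print(chain_names([ROOT_Y, ROOT_Z]))   # modern store: only the intermediate
    print(chain_names([ROOT_Z]))           # old store: also the cross-signed Y
    print(missing_intermediates(build_chain(LEAF, POOL, [ROOT_Z]), [LEAF]))
    print(der_to_pem(b"\x30\x03\x02\x01\x01"))
```

The point the two trust stores make is that "shortest" depends on who is validating: a client that already trusts the newer root Y needs only the intermediate, while a client that only has the older root Z needs the cross-signed copy of Y as well, so a server that wants to satisfy both has to send the longer chain.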

Re: mod_ssl patch: use new OpenSSL features to autofix cert chains

2014-03-27 Thread Emilia Kasper
On Wed, Mar 26, 2014 at 4:56 PM, Dr Stephen Henson < shen...@opensslfoundation.com> wrote: > On 26/03/2014 13:38, Emilia Kasper wrote: > > > > On Wed, Mar 26, 2014 at 1:11 PM, Dr Stephen Henson > > mailto:shen...@opensslfoundation.com>> > wrote: > > > > > > If the server is correctly configure

Re: svn commit: r1582264 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_apr.c

2014-03-27 Thread Daniel Gruno
On 03/27/2014 01:38 PM, Nick Kew wrote: > On Thu, 2014-03-27 at 13:21 +0100, Daniel Gruno wrote: > >> You can't log a warning or strip the newline; >> 1) it's a const char* so magical things will happen if you edit it(?) >> 2) we don't have a pool handy to make a new string without the newline >>

Re: svn commit: r1582264 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_apr.c

2014-03-27 Thread Nick Kew
On Thu, 2014-03-27 at 13:21 +0100, Daniel Gruno wrote: > You can't log a warning or strip the newline; > 1) it's a const char* so magical things will happen if you edit it(?) > 2) we don't have a pool handy to make a new string without the newline > or log an error. > > As I said in the commit ms

Re: svn commit: r1582264 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_apr.c

2014-03-27 Thread Daniel Gruno
On 03/27/2014 01:24 PM, Jeff Trawick wrote: > > Just remove it? > > And what about other control characters such as \r, or generally any > character/byte sequence that is not valid here? > > (My mail server is refusing my emails atm, so I'm not sure whether this gets through *crosses fingers*)

Re: svn commit: r1582264 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_apr.c

2014-03-27 Thread Jeff Trawick
On Thu, Mar 27, 2014 at 8:21 AM, Daniel Gruno wrote: > On 03/27/2014 01:15 PM, Nick Kew wrote: > > On Thu, 2014-03-27 at 13:06 +0100, Daniel Gruno wrote: > >> FYI, I have implemented some restrictions and alterations to mod_lua, to > >> prevent HTTP Response Splitting in cases where users fail to

Re: svn commit: r1582264 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_apr.c

2014-03-27 Thread Jeff Trawick
On Thu, Mar 27, 2014 at 8:06 AM, Daniel Gruno wrote: > FYI, I have implemented some restrictions and alterations to mod_lua, to > prevent HTTP Response Splitting in cases where users fail to properly > check their output or think mod_lua takes care of everything all by itself. > > This is not a s

Re: svn commit: r1582264 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_apr.c

2014-03-27 Thread Daniel Gruno
On 03/27/2014 01:15 PM, Nick Kew wrote: > On Thu, 2014-03-27 at 13:06 +0100, Daniel Gruno wrote: >> FYI, I have implemented some restrictions and alterations to mod_lua, to >> prevent HTTP Response Splitting in cases where users fail to properly >> check their output or think mod_lua takes care of

Re: svn commit: r1582264 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_apr.c

2014-03-27 Thread Nick Kew
On Thu, 2014-03-27 at 13:06 +0100, Daniel Gruno wrote: > FYI, I have implemented some restrictions and alterations to mod_lua, to > prevent HTTP Response Splitting in cases where users fail to properly > check their output or think mod_lua takes care of everything all by itself. Hmmm ... > > +

Re: svn commit: r1582264 - in /httpd/httpd/branches/2.4.x: CHANGES modules/lua/lua_apr.c

2014-03-27 Thread Daniel Gruno
FYI, I have implemented some restrictions and alterations to mod_lua, to prevent HTTP Response Splitting in cases where users fail to properly check their output or think mod_lua takes care of everything all by itself. This is not a security flaw in mod_lua itself, but rather a scripting accident
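
Added example for the mod_lua response-splitting thread above (the announcement in this message, Jeff's question about other control characters such as \r, and the strip-versus-reject discussion between Daniel and Nick). This is not mod_lua's code and does not claim to reproduce what r1582264 does; it shows, on a constructed attacker value, how an unchecked CR/LF in a header value makes a client see a second response, and demonstrates both policies a server-side check could apply: reject the value, or strip the forbidden bytes. The header names, the attacker string and the Python parser are all assumptions made for the example.

```python
"""Added example for the mod_lua response-splitting thread.

Not mod_lua's code. Shows, on a constructed request value, why a CR/LF in a
header value lets an attacker inject a second response, and two server-side
policies for header values: reject the value outright, or strip the
offending bytes. The serialiser and the client-side parser are deliberately
minimal and exist only to make the effect visible.
"""
import re

# Bytes that have no place in a header value: CR, LF, NUL and the other C0
# controls, plus DEL. HTAB (0x09) is allowed inside field values by RFC 7230.
_FORBIDDEN = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def header_value_is_safe(value: str) -> bool:
    return _FORBIDDEN.search(value) is None


def sanitize_header_value(value: str) -> str:
    """Strip every forbidden byte. Lossy: what remains is not what the script
    meant, which is the trade-off against rejecting the value."""
    return _FORBIDDEN.sub("", value)


def build_response(headers, body: str) -> str:
    """Serialise a response with no checking at all (the accident path)."""
    lines = ["HTTP/1.1 200 OK"]
    lines += [f"{name}: {value}" for name, value in headers]
    lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def build_response_hardened(headers, body: str, reject: bool = True) -> str:
    """Same serialisation, but every header value is checked first."""
    checked = []
    for name, value in headers:
        if not header_value_is_safe(value):
            if reject:
                raise ValueError(f"control character in header {name!r}")
            value = sanitize_header_value(value)
        checked.append((name, value))
    return build_response(checked, body)


def parse_responses(raw: str):
    """Minimal client-side parser honouring Content-Length. Returns a list of
    (status line, headers dict, body): one entry per response the client sees."""
    messages = []
    pos = 0
    while raw.startswith("HTTP/1.1 ", pos):
        head_end = raw.index("\r\n\r\n", pos)
        status, *header_lines = raw[pos:head_end].split("\r\n")
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        messages.append((status, headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return messages


# Constructed attacker input: a redirect target copied from the query string
# into a Location header. It terminates the first response and starts a
# second one carrying attacker-chosen HTML.
EVIL_BODY = "<script>alert(1)</script>"
EVIL_LOCATION = (
    "/home\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    f"Content-Length: {len(EVIL_BODY)}\r\n\r\n{EVIL_BODY}"
)


def responses_seen(hardened: bool) -> int:
    """How many responses a client parses from a single server write."""
    headers = [("Location", EVIL_LOCATION)]
    if hardened:
        raw = build_response_hardened(headers, "", reject=False)
    else:
        raw = build_response(headers, "")
    return len(parse_responses(raw))


if __name__ == "__main__":
    print("unchecked:", responses_seen(hardened=False))  # two responses
    print("stripped: ", responses_seen(hardened=True))   # one response
```

With the unchecked serialiser the client parses two responses, the second of which is entirely attacker-controlled; with stripping it parses one, though the Location value is now garbage, which is why rejecting with an error is the cleaner policy where the code path can afford to fail the request.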