On Tue, 18 February 2014 10:16:15, Daniel Kahn Gillmor wrote:
On 02/18/2014 08:14 AM, Pavel Matěja wrote:
There is one big risk when someone uses reverse HTTPS proxy with
ServerAlias.
Let's say you have on both - backend and proxy servers options:
ServerName www.example.com
I'd like to shoot for a TR sometime next week...
On Feb 4, 2014, at 8:58 AM, Jim Jagielski j...@jagunet.com wrote:
I'd like to TR and release 2.4.8 this month... Let's all take
some time to:
1. See what in trunk should really be backported
2. Test and vote in STATUS backports
Let's
On Wed, Feb 19, 2014 at 8:08 AM, Jim Jagielski j...@jagunet.com wrote:
I'd like to shoot for a TR sometime next week...
I'd like to TR and release 2.4.8 this month... Let's all take
some time to:
1. See what in trunk should really be backported
2. Test and vote in STATUS backports
I hope
On 19/02/2014 15:08, Tom Browder wrote:
On Wed, Feb 19, 2014 at 8:08 AM, Jim Jagielski j...@jagunet.com wrote:
I'd like to shoot for a TR sometime next week...
I'd like to TR and release 2.4.8 this month... Let's all take
some time to:
1. See what in trunk should really be backported
2.
On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
On 19/02/2014 15:08, Tom Browder wrote:
I configured httpd-2.4.7 successfully to use mod_ssl:
...
That could be user error. The path /usr/local/ssl/fips-2.0 is the default
install location of the FIPS
As of svn.apache.org/r1527295 standardized DH parameters were added to mod_ssl.
If I understand docs correctly, the bit length is based on the RSA/DSA key.
With the recent support of multiple certificates per VirtualHost it is possible
to use an RSA and ECC certificate.
When using RSA and ECC,
On Tue, Feb 18, 2014 at 5:00 PM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
On 18/02/2014 20:06, Jeff Trawick wrote:
On Mon, Feb 3, 2014 at 6:21 AM, Dr Stephen Henson
shen...@opensslfoundation.com
mailto:shen...@opensslfoundation.com wrote:
On 02/02/2014 13:45, Kaspar
On 19/02/2014 18:37, Jeff Trawick wrote:
I think this is the trick...
+rc = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
+while (rc) {
+x = SSL_CTX_get0_certificate(ctx);
+if (x) {
+chain = NULL;
+SSL_CTX_get0_chain_certs(ctx,
On Wed, Feb 19, 2014 at 2:23 PM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
On 19/02/2014 18:37, Jeff Trawick wrote:
I think this is the trick...
+rc = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
+while (rc) {
+x = SSL_CTX_get0_certificate(ctx);
On 19/02/2014 20:17, Jeff Trawick wrote:
On Wed, Feb 19, 2014 at 2:23 PM, Dr Stephen Henson
shen...@opensslfoundation.com mailto:shen...@opensslfoundation.com wrote:
On 19/02/2014 18:37, Jeff Trawick wrote:
I think this is the trick...
+rc =
On 19/02/2014 20:17, Jeff Trawick wrote:
On Wed, Feb 19, 2014 at 2:23 PM, Dr Stephen Henson
shen...@opensslfoundation.com mailto:shen...@opensslfoundation.com wrote:
That works for two cases above. If however the on the fly chain building is
performed it will fail.
Perhaps
On Wed, Feb 19, 2014 at 11:21 AM, Tom Browder tom.brow...@gmail.com wrote:
On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
On 19/02/2014 15:08, Tom Browder wrote:
I configured httpd-2.4.7 successfully to use mod_ssl:
...
That could be user error.
On 19/02/2014 23:54, Tom Browder wrote:
On Wed, Feb 19, 2014 at 11:21 AM, Tom Browder tom.brow...@gmail.com wrote:
On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
On 19/02/2014 15:08, Tom Browder wrote:
I configured httpd-2.4.7 successfully to use
Tom, please start a new thread, this is a discuss thread for planning a
2.4.8 release. Thanks.
On Wed, Feb 19, 2014 at 5:54 PM, Tom Browder tom.brow...@gmail.com wrote:
On Wed, Feb 19, 2014 at 11:21 AM, Tom Browder tom.brow...@gmail.com
wrote:
On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen
On Wed, Feb 19, 2014 at 7:09 PM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
On 19/02/2014 23:54, Tom Browder wrote:
On Wed, Feb 19, 2014 at 11:21 AM, Tom Browder tom.brow...@gmail.com wrote:
On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
On 20/02/2014 00:24, Tom Browder wrote:
On Wed, Feb 19, 2014 at 7:09 PM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
On 19/02/2014 23:54, Tom Browder wrote:
On Wed, Feb 19, 2014 at 11:21 AM, Tom Browder tom.brow...@gmail.com wrote:
On Wed, Feb 19, 2014 at 10:53 AM, Dr Stephen
Odd, there is something going on here. I am wondering if this fails to
resolve zlib libraries? Also don't concern yourself with the 0.9.7 check,
you met it (=) with 1.0.1. Somehow, it didn't resolve the ssl library
files initially given
adding -L/usr/local/ssl/lib to LDFLAGS
setting LIBS to
On Wed, Feb 19, 2014 at 7:37 PM, William A. Rowe Jr. wmr...@gmail.com wrote:
Odd, there is something going on here. I am wondering if this fails to
I'm sorry for muddying the water.
I originally used the option 'zlib' for configuring openssl-fips and
open ssl. I'm in the process of rebuilding
No, it isn't muddying things, this should just work. So you are building
your own openssl. Are you certain your build of ssl and build of httpd and
apr are using the same 32 or 64 bit memory model? That's one obvious
reason where ld will fail. And the zlib, expat and pcre you resolve to
must
On 20/02/2014 00:24, Tom Browder wrote:
On Wed, Feb 19, 2014 at 7:09 PM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
..
checking for OpenSSL version = 0.9.7... OK
Well something is wrong there with it indicating OpenSSL version 0.9.7. If you
intend to use the FIPS 2.0 module
I've noticed that openssl default builds do not necessarily add -lz to the
lib/pkgconfig/openssl.pc when they might be needed. In any case I'm going
to guess you perhaps hadn't installed the zlib1g-dev package?
On Wed, Feb 19, 2014 at 7:09 PM, Dr Stephen Henson
shen...@opensslfoundation.com
On Wed, Feb 19, 2014 at 8:39 PM, William A. Rowe Jr. wmr...@gmail.com wrote:
I've noticed that openssl default builds do not necessarily add -lz to the
lib/pkgconfig/openssl.pc when they might be needed. In any case I'm going
to guess you perhaps hadn't installed the zlib1g-dev package?
No,
You could try tweaking the deployed /usr/local/lib/pkgconfig/openssl.pc
file to include -lz in Libs: (just after -ldl), and then re-./configure
On Wed, Feb 19, 2014 at 7:52 PM, Tom Browder tom.brow...@gmail.com wrote:
On Wed, Feb 19, 2014 at 8:39 PM, William A. Rowe Jr. wmr...@gmail.com
On Wed, Feb 19, 2014 at 9:11 PM, William A. Rowe Jr. wmr...@gmail.com wrote:
You could try tweaking the deployed /usr/local/lib/pkgconfig/openssl.pc file
to include -lz in Libs: (just after -ldl), and then re-./configure
I'll first see if I can get a good SSL to work. So far no build
problems
On 20/02/2014 02:21, Tom Browder wrote:
On Wed, Feb 19, 2014 at 9:11 PM, William A. Rowe Jr. wmr...@gmail.com wrote:
You could try tweaking the deployed /usr/local/lib/pkgconfig/openssl.pc file
to include -lz in Libs: (just after -ldl), and then re-./configure
I'll first see if I can get a
First insight, did you ./config openssl, or ./config shared? It seems near
impossible to use static openssl. apr-util configure will fail since
pkgconfig isn't consulted properly. httpd configure would also likely fail
for redundant symbols.
Second insight - apr-util version 1.5 includes
On 20/02/2014 02:40, William A. Rowe Jr. wrote:
First insight, did you ./config openssl, or ./config shared? It seems near
impossible to use static openssl. apr-util configure will fail since
pkgconfig isn't consulted properly. httpd configure would also likely fail for
redundant
On Wed, Feb 19, 2014 at 8:51 PM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
On 20/02/2014 02:40, William A. Rowe Jr. wrote:
First insight, did you ./config openssl, or ./config shared? It seems near
impossible to use static openssl. apr-util configure will fail since
On 19/02/2014 17:30, Falco Schwarz wrote:
As of svn.apache.org/r1527295 standardized DH parameters were added to
mod_ssl. If I understand docs correctly, the bit length is based on the
RSA/DSA key. With the recent support of multiple certificates per VirtualHost
it is possible to use an RSA
I believe that Kaspar and Ruediger are still entirely at odds with my
position, but this 'enhancement' should never have been unilaterally
applied as it was to 2.2.26 and must be reverted (even as the feature
is 'fixed' with corrections they have blessed), e.g. the comparison
must be constrained
Can anyone offer background as to why httpd 2.4 branch ./configure likes
checking for OpenSSL... checking for user-provided OpenSSL base
directory... /usr/local/ssl adding -I/usr/local/ssl/include to
CPPFLAGS setting MOD_CFLAGS to -I/usr/local/ssl/include
setting ab_CFLAGS to
On Wed, Feb 19, 2014 at 9:40 PM, William A. Rowe Jr. wmr...@gmail.com wrote:
First insight, did you ./config openssl, or ./config shared? It seems near
No option which I think means static.
impossible to use static openssl. apr-util configure will fail since
pkgconfig isn't consulted
On 20.02.2014 04:06, Dr Stephen Henson wrote:
On 19/02/2014 17:30, Falco Schwarz wrote:
The ECC certificate should in any way be skipped and not taken into account
when setting DH params.
I think that's a consequence of how SSL_get_certificate works. You
On 19.02.2014 20:23, Dr Stephen Henson wrote:
However for that to work it needs application support either explicitly by
using SSL_CTX_add0_chain_cert or via the use of SSL_CTX_use_certificate_chain_file
which uses this transparently in OpenSSL 1.0.2. I just checked and httpd
currently
There is no embedded. httpd-2.2 included apr, apr-util. httpd-2.4 by
vote of the PMC excluded apr, apr-util, so you might be imagining
things. Or RM's are doing some goofy things.
On Wed, Feb 19, 2014 at 9:34 PM, Tom Browder tom.brow...@gmail.com wrote:
On Wed, Feb 19, 2014 at 9:40 PM,