RE: Key - Certs

2000-09-28 Thread Airey, John
We can't really answer this question without knowing whether the server name in the certificate matches your hostname. If it does, and if you have paid full price for the certificate, then they cannot normally legally withhold it as it would be your property. However, there might well be some

mod-ssl support for US restricted countries?

2000-09-28 Thread Airey, John
This is a question which is probably best answered by Ralf, however a response to this list would be useful to all current active members, with an update to the www.modssl.org.uk What is the position regarding support for countries that the US government restricts 128bit encryption, eg Iraq and

RE: mod-ssl support for US restricted countries?

2000-09-28 Thread Airey, John
Oops. I meant www.modssl.org! John -Original Message- From: Airey, John [mailto:[EMAIL PROTECTED]] Sent: 28 September 2000 10:38 To: Modssl-Users (E-mail) Subject: mod-ssl support for US restricted countries? This is a question which is probably best answered by Ralf, however

RE: Can Search Engines Index SSL-enabled Hosts?

2000-09-22 Thread Airey, John
Worse than that, have you seen what version of Apache-mod_ssl is running at www.modssl.org: Apache/1.3.6 (Unix) mod_perl/1.20 mod_ssl/2.3.5 OpenSSL/0.9.3a DAV/0.9.8 Is this the "mechanics car" syndrome I wonder? In the UK we have a saying never to buy a car from a car mechanic (because

RE: [OT]Things are getting a bit HOT on this mailing list![advice]

2000-08-31 Thread Airey, John
Here's my 0.02$ worth on this. Oh no, not the coke song! Seriously though, I have to say that there are a number of postings to this list that fall into the RTFM category, especially when it comes to the SSL chicken and egg problem (please don't ask!). If I could get commission for every

RE: french crypto

2000-08-30 Thread Airey, John
I think you misunderstand the answer. You can use a 128bit key on your server, but the end users will probably be connecting using a 40bit browser. So they won't be getting the maximum level of encryption available. - John Airey Internet Systems Support Officer, ITCSD, Royal National Institute

RE: apache modssl

2000-08-24 Thread Airey, John
I would suggest you remove apache with rpm -e apache and then install the open-ssl and apache-mod_ssl rpm files from http://www.modssl.org/contrib The rpms definitely work. We are using them ourselves! - John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the

RE: SSL Certs and IP-Based Virtual Hosting

2000-08-23 Thread Airey, John
There are two ways to solve this. 1. Buy a certificate for each site you are securing, ie each specific hostname. 2. Buy a wildcard certificate from Thawte. This is only cost effective for 5 or more sites. It doesn't matter whether the hostname is an A or CNAME type record in your DNS, but I'd

RE: Opinions

2000-07-21 Thread Airey, John
There's no difference between using a wildcard cert compared to any other. So you need just SSLCertificateFile and SSLCertificateKeyFile lines to point to the certificate and key respectively. I then match servername to the name of the host I'm serving. I don't even know if it's necessary, but

RE: SSLMutex error

2000-07-21 Thread Airey, John
Your OSs implementation of the "nobody" account is poor perhaps? This is mentioned in the Apache documentation, ie # # If you wish httpd to run as a different user or group, you must run # httpd as root initially and it will switch. # # User/Group: The name (or #number) of the user/group to run

RE: Can I create a Server Certificate for MS IIS4.0 with mod_ssl

2000-07-18 Thread Airey, John
I hope my posting at least served as a warning to anyone on the list who might consider posting .csr's, .crt's or .key's! I can't vouch for the German version of IIS, but I actually do all the certificate creation with openssl, eg the csr and key and then import it back into IIS. I wouldn't

RE: [BugDB] Problems connecting to https thru RadWare WSD (PR#413)

2000-07-18 Thread Airey, John
I'm probably wrong about this, but I suspect that the load-balancing of SSL/TLS is the source of your problems. When an SSL/TLS connection is created, the connection between the server and the client. The other two servers will know nothing about the session. Unless the load balancer itself

RE: Can I create a Server Certificate for MS IIS4.0 with mod_ssl

2000-07-17 Thread Airey, John
Schreier -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Airey, John Sent: Friday, 14 July 2000 15:16 To: '[EMAIL PROTECTED]' Subject: RE: Can I create a Server Certificate for MS IIS4.0 with mod_ssl I would recommend that you try

RE: msie AGAIN

2000-07-13 Thread Airey, John
then Netscape is messing everyone about. This stuff is hard enough as it is! John -Original Message- From: James H. Cloos Jr. [mailto:[EMAIL PROTECTED]] Sent: 12 July 2000 18:58 To: [EMAIL PROTECTED] Subject: Re: msie AGAIN "John" == Airey, John [EMAIL PROTECTED] writes: John You

RE: msie AGAIN

2000-07-12 Thread Airey, John
You will find that all versions of Netscape since 4.72 support 128bit encryption out of the box. - John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL

RE: msie AGAIN

2000-07-12 Thread Airey, John
[EMAIL PROTECTED] ([EMAIL PROTECTED]) Senior Knowledge Engineer, Computas, http://www.computas.com Telephone: +47 67 83 10 00 Fax: +47 67 83 10 01 -Original Message- From: Airey, John [mailto:[EMAIL PROTECTED]] Sent: Wednesday, July 12, 2000 11:48 AM To: '[EMAIL PROTECTED]' Subject: RE: msie

Wildcard certificates

2000-06-28 Thread Airey, John
I've just been informed by Thawte that there are a number of problems with IE5 and wildcard certificates. I'm looking into the details now and will post them to this list for everyone's benefit. - John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind,

Wildcard certificates - the update

2000-06-28 Thread Airey, John
I've been discussing the issue of the problem with wildcard certificates and IE5 with Damien Morrison of Thawte's technical support. He informs me that as far as he knows, Windows 2000 with IE5 does not accept wildcard certificates. Basically, wildcard certificates weren't acceptable to IE3 (in

RE: Welcome to the world, Noah!

2000-06-26 Thread Airey, John
Well done to the pair of you! I trust you've set him up an email address already? They learn fast these days! - John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848

RE: Add Module in Apache

2000-06-20 Thread Airey, John
Read the apxs manual page for full details on using modules with Apache. - John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] -Original

RE: Namebased Virtual Domains and ModSSL

2000-06-19 Thread Airey, John
When you add the virtual hosts, use VirtualHost IP:80 to specify the correct port. Everything else should be OK as you undoubtedly have the IP number on your machine and routable to it. John -Original Message- From: LeRoy C. Miller III [mailto:[EMAIL PROTECTED]] Sent: 18 June 2000

RE: httpd owner?

2000-06-14 Thread Airey, John
Slightly longer answer. The process is owned by root. The httpd binary switches to another user on start-up, after reading SSL Certificates etc. This user owns all the child processes. I believe there are security issues in being able to change the ownership of a process already started. -

RE: Auto HTTPS

2000-06-14 Thread Airey, John
A user redirect in the head a web page at http://www/mydomain.com/michel such as META HTTP-EQUIV="refresh" CONTENT="1; URL=https://www/mydomain.com/michel" Would achieve this (redirecting after 1 second). However, the secure document root would have to be different! I don't think (AFAIK)

RE: Legalese...

2000-06-12 Thread Airey, John
I'll be glad as well. That's my birthday. There are some who think that if they restrict encryption they'll stop crime that way. Now if just making something illegal stopped people breaking the law, the world would be a different place. It doesn't, and that's why we need the encryption in the

RE: SSL and reverse proxy weirdness :

2000-06-02 Thread Airey, John
I think I understand what you are trying to achieve. I've had a similar problem before. Access www.safeplace.com using its IP address instead on the machine that is doing the proxying and see if that is correct. If so use VirtualHost www.foobar.com:443 SSLEngine on

RE: Insecure information

2000-06-02 Thread Airey, John
I take it you are suggesting using https for the outside frame, and http for the inside frames? First of all, why would you want to mix http and https? I haven't tested this, but even if a warning doesn't come up, some users will cotton on to your "smoke and mirrors" of security.

Is logrotate effective?

2000-06-02 Thread Airey, John
I have a query which I realise is a borderline mod_ssl query. I want to rotate logs every month just after midnight at the beginning of each month, using cron. I have two servers I wish to do this on. One has 26 files open for logs and the other has 12 files log files open. This includes the

RE: IE with 56 bits encryption

2000-05-26 Thread Airey, John
There is a patch at http://www.microsoft.com/windows/ie/security/schannel.asp Which says "The version of Internet Explorer 5.01 that is released on the Web contains an incorrect internal key in the Schannel.dll file. This may cause programs and services on your computer that use Secure Socket

RE: Need Help with Virtual Hosts

2000-05-24 Thread Airey, John
That doesn't sound simple to me! You'd have to do it either as a multi-pass for each virtual host, or parse the log file once to give several output files. You'd also have to write the name of the virtual host into every log file entry, which I don't believe is done by default. Seems like

RE: rfc2817 (Upgrading to TLS Within HTTP/1.1)

2000-05-23 Thread Airey, John
www.sunsite.dk/RFC ? John -Original Message- From: Gianni Mariani [mailto:[EMAIL PROTECTED]] Sent: 23 May 2000 04:06 To: [EMAIL PROTECTED] Subject: Re: rfc2817 (Upgrading to TLS Within HTTP/1.1) can someone point me to rfc2817 - http://www.ietf.org/rfc/rfc2817.txt brings up a 404

RE: VeriSign keys.

2000-05-22 Thread Airey, John
customers out there get a box popping up because of that wildcard cert I would want nothing to do with it. Jamie At 10:45 AM 5/19/00 +0100, Airey, John wrote: Look at it this way, if you have more than 5 SSL sites, you would be best advised to use a wildcard. Unless of course you have money

RE: VeriSign keys.

2000-05-19 Thread Airey, John
Sorry to say this but this page is somewhat out of date. I have no difficulty with IE and wildcard certificates. Some versions issue a warning about it being a wildcard, and some don't. However, from IE3.02 onwards they work fine. For security reasons if nothing else you shouldn't use anything

RE: Install new certificate

2000-05-19 Thread Airey, John
It looks to me like you downloaded the cert in the incorrect format for Apache-mod_ssl. Try going back to the thawte site and download again. - John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733

RE: VeriSign keys.

2000-05-19 Thread Airey, John
The page http://www.thawte.com/certs/server/keygen/mod_ssl.html Informs you not only that Thawte support wildcard certificates (we have one from them) but how to set it up with Apache-mod_ssl. Just follow the links for SSL Certs and buying an SSL cert. John -Original Message- From:

Clustering

2000-05-19 Thread Airey, John
Does anyone know whether it is possible to have some form of clustering involving two Apache-mod_ssl servers separated by a WAN link? I want to be able to amend pages on the nearest server and have those pages automatically updated on the remote server. Am I asking too much? - John Airey

RE: VeriSign keys.

2000-05-19 Thread Airey, John
The page http://www.thawte.com/certs/server/keygen/mod_ssl.html Informs you not only that Thawte support wildcard certificates (we have one from them) but how to set it up with Apache-mod_ssl. Just follow the links for SSL Certs and buying an SSL cert. John -Original Message- From:

RE: VeriSign keys.

2000-05-19 Thread Airey, John
Sorry to say this but this page is somewhat out of date. I have no difficulty with IE and wildcard certificates. Some versions issue a warning about it being a wildcard, and some don't. However, from IE3.02 onwards they work fine. For security reasons if nothing else you shouldn't use anything

RE: VeriSign keys.

2000-05-19 Thread Airey, John
Nearly right! What you have stated applies to all secure servers, not just Apache-mod_ssl. - John Airey Internet Systems Support Officer, ITCSD, Royal National Institute for the Blind, Bakewell Road, Peterborough PE2 6XU, Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]

RE: VeriSign keys.

2000-05-18 Thread Airey, John
Once again the chicken and egg problem is not properly understood. SSL virtual hosts MUST be IP based. It has nothing to do with DNS being hacked. In a nutshell, the SSL connection must be set up before the http 1.1 headers stating which host is required are sent. Therefore, you cannot have

RE: VeriSign keys.

2000-05-17 Thread Airey, John
You mean there's actually a product that competes with Apache? Where is this product? I think Apache is brilliant, but that's because more work has gone into maintaining it than any other web server. IIS has a long way to go to catch up! - John Airey Internet Systems Support Officer, ITCSD,

RE: Setting Apache Error Document if no User Cert provided

2000-05-14 Thread Airey, John
This is completely off topic for this list. The answer is in the Apache documentation. However, all you need to change is "error document" in your httpd.conf file eg ErrorDocument 500 /500.htm Or whatever number of error you are referring to. In the above example, the file 500.htm in your

RE:

2000-05-10 Thread Airey, John
Type httpd -l To show what modules are compiled. I believe that mod_so.c comes as part of the "JOE AVERAGE" installation. If you have that, you can use apxs to add modules to Apache-mod_ssl. Having said that, I've yet to get an added module working! John -Original Message- From: Diana

RE: after 5 minutes network goes down

2000-04-25 Thread Airey, John
Have you tried the following line? route add -host 255.255.255.255 dev eth0 If you don't have the above line anywhere on startup (eg /etc/rc.d/rc.local) then the chances are your dhcp server will have unpredictable success. "255.255.255.255" is the broadcast address used by dhcp to send and

RE: SSL Certs from IIS to Apache

2000-04-22 Thread Airey, John
Sorry, I should have said that you use Key Manager on NT to export your key (Key/Export Key), although this exports both the key and certificate together in a file format that you can't (AFAIK) convert to Apache format. John -Original Message- From: Eric Collins [mailto:[EMAIL

RE: SSL Certs from IIS to Apache

2000-04-19 Thread Airey, John
I don't believe you can do this. You can convert an Apache certificate to IIS using the command openssl rsa -in apache.key -out iis.key -outform NET I think you'll have to buy another cert, and then convert this one to run on IIS as above when your IIS cert expires. then copy the above key onto

RE: HTTP fails, HTTPS works

2000-04-18 Thread Airey, John
Could you post your httpd.conf file so we can see more information? It's probably because you don't have a virtual host section for http and the server will default to https if ssl support is included. John At 12:36 PM 4/17/2000 -0700, you wrote: I did a fresh install of RedHat 6.2 compiled and

RE: CGI not working under mod_ssl

2000-04-06 Thread Airey, John
Have you checked that you don't have more than one "ScriptAlias" directive in httpd.conf? I would suggest that you try using a different cgi directory for https, copy the script into it and try again. Personally, I would keep separate cgi directories for the normal and secure sites, simply so

Spurious crash

2000-04-06 Thread Airey, John
Yesterday one of our Apache web servers crashed. This is quite historic as it has never crashed in normal operation in three years! This appeared in the SSL Engine log ten minutes before the crash [05/Apr/2000 12:37:57 21895] [info] Connection to child 10 established (server

RE: SSL Keys...

2000-03-30 Thread Airey, John
There are two ways of doing this. Either obtain a starred certificate for every site in your domain. For example, we have a starred certificate named *.rnib.org.uk. If Verisign don't do starred certificates then Thawte do. Some browsers cannot use them, but they are mainly less than IE3 and

RE: name-based virtual host configuration with mod ssl

2000-03-28 Thread Airey, John
Oh, I forgot to mention, you'll need to use two different IP numbers and therefore do not need the NameVirtualHost parameter at all (my servers work fine without it). This is to do with a chicken and egg problem with SSL which has been discussed on this list several times. Suffice it to say -

RE: duplicate message timewarp

2000-03-28 Thread Airey, John
I reposted one today by mistake as well. Sorry folks! John -Original Message- From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]] Sent: 28 March 2000 10:13 To: [EMAIL PROTECTED] Subject: Re: duplicate message timewarp On Mon, Mar 27, 2000, Steve Fairhead wrote: Any particular

RE: name-based virtual host configuration with mod ssl

2000-03-27 Thread Airey, John
Oh, I forgot to mention, you'll need to use two different IP numbers and therefore do not need the NameVirtualHost parameter at all (my servers work fine without it). This is to do with a chicken and egg problem with SSL which has been discussed on this list several times. Suffice it to say -

RE: name-based virtual host configuration with mod ssl

2000-03-24 Thread Airey, John
Oh, I forgot to mention, you'll need to use two different IP numbers and therefore do not need the NameVirtualHost parameter at all (my servers work fine without it). This is to do with a chicken and egg problem with SSL which has been discussed on this list several times. Suffice it to say -

RE: name-based virtual host configuration with mod ssl

2000-03-24 Thread Airey, John
The VirtualHost default settings refer to all virtual hosts. You don't need to copy it all out. This is all you need as a minimum for each virtual secure host VirtualHost secure:443 SSLEngine on SSLCertificateFile /etc/httpd/conf/ssl.crt/certificate.crt

RE: Issue: unresonable SSLVerifyDepth policy!

2000-03-21 Thread Airey, John
This would be useful for testing or internal use, but granted, it would be seriously dodgy in a production machine. John -Original Message- From: Gunther Schadow [mailto:[EMAIL PROTECTED]] Sent: 20 March 2000 20:56 To: [EMAIL PROTECTED] Subject: Issue: unresonable SSLVerifyDepth policy!

RE: Name based virtual hosts

2000-03-20 Thread Airey, John
I already have a system like this working already! John -Original Message- From: Blair Lowe [mailto:[EMAIL PROTECTED]] Sent: 16 March 2000 18:01 To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: Name based virtual hosts Just some crazy ideas: 1. Have the webserver behind the

RE: Name based virtual hosts

2000-03-20 Thread Airey, John
I'm sorry I was mistaken. What I've set up takes a number of requests to real IP numbers and maps them to the same IP number. This is the total opposite of what is needed here. Must be the Monday morning blues. John -Original Message- From: Blair Lowe [mailto:[EMAIL PROTECTED]] Sent:

RE: apxs

2000-03-10 Thread Airey, John
You'll find the working version of apxs in the apache-mod_ssl-devel rpm. I spent ages looking for it, and even emailed Ralf directly before I found this out! I have to say that the location of apxs for users of compiled rpm's is not that clear. John -Original Message- From: Lewis Bergman

RE: HELP!!!!!!

2000-03-08 Thread Airey, John
Too right Ralf. The next thing we'll have is people asking if bugs can be put back into the code! I can imagine the posting "there was this really useful bug in ..." John -Original Message- From: Ralf S. Engelschall [mailto:[EMAIL PROTECTED]] Sent: 08 March 2000 10:02 To: [EMAIL

RE: Certificate questions...

2000-03-06 Thread Airey, John
-Original Message- From: Karl Denninger [mailto:[EMAIL PROTECTED]] Sent: 03 March 2000 15:39 To: [EMAIL PROTECTED] Subject: Re: Certificate questions... Hi John, On Fri, Mar 03, 2000 at 10:06:19AM -, Airey, John wrote: Assuming we are talking about Thawte's server test

RE: Certificate questions...

2000-03-03 Thread Airey, John
Assuming we are talking about Thawte's server test certificates, they are only for use for one month. Using them helps you to understand how to install a real certificate without running the risk of destroying it (a very real risk with NT!) They are not intended for production use. Thawte's own

RE: basic...

2000-02-24 Thread Airey, John
server.key = Your server's private key. Guard this with your life! server.crt = Certificate signed by a certification authority. server.csr = Certificate signing request. This contains your server key and is used to request your server.crt from a certification authority. Guard this with your

Which is better?

2000-02-24 Thread Airey, John
I want to proxy http to http and https to https (I have my reasons!) Which is better, to use mod_rewrite for http VirtualHost http:80 ProxyRequests On RewriteEngine on RewriteRule ??? /VirtualHost or the following VirtualHost http:80 SSLEngine Off

RE: Username Password

2000-02-19 Thread Airey, John
I should have mentioned. It's a bad idea to have your password files under your Document Root. Store them outside of it for security, although this isn't why you are having a problem. In the previous configuration I sent, the "order deny,allow" etc statements aren't strictly necessary, but are

RE: CN not server name

2000-02-18 Thread Airey, John
Undoubtedly they do. Or they'll use multiple machines. My own ISP used to have hundreds of IP numbers on IIS3 (Idiotic Internet Server?) before upgrading to IIS4. Now they use a single IP number for all http sites. Not sure what they do for secure sites. John -Original Message- From:

RE: Username Password

2000-02-18 Thread Airey, John
Your configuration is too complex. Try this instead Directory "/export/users/vekraft/apache/www" Options Indexes FollowSymLinks MultiViews AllowOverride None Order deny,allow deny from all AuthName "Web Developers Only Please" AuthType Basic

RE: Username Password

2000-02-18 Thread Airey, John
Please ignore this suggestion. The Apache documentation states that AllowOverride '...controls which options the .htaccess files in directories can override. Can also be "All", or any combination of "Options", "FileInfo","AuthConfig", and "Limit" '. It can also be "None". From a practical

RE: setting up non-ssl proxy for https use

2000-02-11 Thread Airey, John
Could you give me a configuration example of web client --HTTPS-- proxy (apache) --HTTPS-- httpd internal If you have this working already please? I've not been able to make it work. The Apache documentation appears to say that ProxyPass only supports http. John -Original Message-

RE: Crypto law question...

2000-01-31 Thread Airey, John
Isn't discussion allowed under the US Constitution First Amendment, the right to free speech, which certainly includes printed text? Therefore the EAR restrictions don't and can't apply to it? I think I'm right. Anyone else hazard an answer? John -Original Message- From: Daniel S.

RE: I want to have my cake and eat it!

2000-01-29 Thread Airey, John
PROTECTED]] Sent: 26 January 2000 11:15 To: [EMAIL PROTECTED] Subject: Re: I want to have my cake and eat it! "Airey, John" wrote: 1. I want to be able to have users who access to systems over the internet authenticated using TACACS+. I've been down the route of trying to get a Ci

Modules

2000-01-29 Thread Airey, John
Do I have to recompile Apache-mod_ssl in order to use a module that is not part of the basic distribution (eg an authentication module), or is there a proper way to do this? I'm currently using RPM's with Redhat Linux 6.0 because I prefer the simplicity of installation. However, I'm prepared to

RE: ssl proxy .. again

2000-01-23 Thread Airey, John
I use the following virtual host configuration to connect certain users over the Internet (real names of systems and IPs have been changed) # Proxy to security (security measure) VirtualHost security:443 ServerAdmin [EMAIL PROTECTED] ServerName security.rnib.org.uk

TACACS+ authentication using apache_mod-ssl

2000-01-07 Thread Airey, John
Can anyone tell me if it is possible to use TACACS+ authentication to a web site over a secure link using apache-mod_ssl? I'm currently using Redhat 6.0 with apache-mod_ssl-1.3.9.2.4.9-0.6.0 and openssl-0.9.4-1 Many thanks. - John Airey Systems Engineer, iSys, Royal National Institute for the