Public Primary Certification Authority - G2
Verisign Class 4 Public Primary Certification Authority - G2
Verisign/RSA Commercial CA
Verisign/RSA Secure Server CA
Ralf S. Engelschall
[
visual c++ enterprise?
Anyone should work, I think.
Although I'm not an expert in M$ products...
Ralf S. Engelschall
[EMAIL PROTECTED]
it to be a
very stable version which successfully passed all my tests. The corresponding
CHANGES entries for this new version are appended.
As always, you can grab it from:
http://www.modssl.org/source/
ftp://ftp.modssl.org/source/
Yours,
Ralf S
"
>
> So it's seeing a request for "%" from https, but not http ?
> Hints appreciated.
As the FAQ explains, such errors usually indicate that you're speaking HTTPS
to a port where HTTP is spoken only. Make sure "SSLEngine on"
t this situation. And it says that you need to enable
experimental stuff to make it running.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
d_ssl. At least we've
not changed anything related to the CN handling, except that the server
received a few additional warnings messages for the logfile if it detects some
inconsistencies. So I think you should check your certs and browser cert
caches instead.
ent myself and it worked fine with the latest mod_ssl snapshot.
So please start over with these newer versions.
Ralf S. Engelschall
[EMAIL PROTECTED]
er else unusual situations
occurred. So I guess 2.4.6 is ready to be kicked out the next days.
Ralf S. Engelschall
[EMAIL PROTECTED]
art of EAPI and for EAPI you've to
recompile Apache. So, yes, for MM you've to recompile Apache.
Ralf S. Engelschall
[EMAIL PROTECTED]
On Tue, Oct 19, 1999, Mike Klinkert wrote:
> On Tue, 19 Oct 1999, Ralf S. Engelschall wrote:
>
> > So, while I'm busy with moving this week, please take the chance and fetch the
> > latest snapshot from ftp://ftp.modssl.org/snapshot/ and try it out. It should
> >
onfigured v2.4.5...
Yes, as you can see MM is present only in the first variant.
If you do it manually you've to use EAPI_MM=../mm-1.0.9 there, too.
And BTW, please use a more recent MM version.
's a definite thumbs up from here.
Ah, sounds good. Thanks for the feedback.
Ralf S. Engelschall
[EMAIL PROTECTED]
I'm busy with moving this week, please take the chance and fetch the
latest snapshot from ftp://ftp.modssl.org/snapshot/ and try it out. It should
be very stable. Please give feedback whether it works fine or fails horribly
until Friday.
Thanks.
et has a timing problem. Or mod_jserv or
whatever you're using...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
SSL_EXPERIMENTAL to get POST working correctly. If you already
have the experimental code enabled, I've currently no clue why it doesn't
work.
Ralf S. Engelschall
> certificate, or is it true for a VeriSign certificate also? if
> so, what CA cert is it that we should add?
For GIDs you should use the newer SSLCertificateChain directive to configure
the whole CA chain, including the intermediate CA VeriSign uses. The browser
has to know
ssions will be considered; no product-specific
sales or marketing sessions, please. Course material will be made
available to the public after the Conference.
Ken Coar
ApacheCon 2000 Chair
ix=/beaker/yzc/apache --enable-module=most --enable-module=so
Ah, here is your problem. Because mod_ssl is not present, you've
to enable EAPI manually, of course. Use --enable-rule=EAPI here, too.
Ralf S. Engelschall
On Fri, Oct 08, 1999, Ralf S. Engelschall wrote:
> [..]
> > That said, if you blindly type in the password, the server
> > starts no problem, so it's easy to make it workable,
> > if a little ugly.
> >
> > If I manage to produce a shippable patch, I'l
red properly?
Compare your httpd.conf with httpd.conf-dist as provided by mod_ssl. The
contained SSL configuration works fine. Take over this one.
Ralf S. Engelschall
[EMA
. But read the README.Patents document in the mod_ssl
distribution for a few hints...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
's Apache-SSL and not mod_ssl.
So you should start browsing on http://www.apache-ssl.org/
for documentation.
Ralf S. Engelschall
[EMAIL PROTECTED]
that the posted Win32-pass-phrase-dialog patch worked as expected...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
dering
> if this is normal or not.
As their [info] tag clearly indicates, they are just informal messages about the
stage into which mod_ssl is. They are normal, yes. Real problems are never
reported with [info], they are either [error] or [warn]. Your problems are
definitely not related to the
_DEBUG. But ordinary permission problems
> should definitely NOT trigger an abort().
There are more abort()s, but not from me (EAPI), of course.
I usually use abort() only in special situations...
On Tue, Oct 05, 1999, EKR wrote:
> "Ralf S. Engelschall" <[EMAIL PROTECTED]> writes:
> > On Sun, Oct 03, 1999, Eric Rescorla wrote:
> > Yes, someone else also reported that the pass phrase dialog doesn't work
> > correctly under Win32. But I canno
reful look at
the Apache INSTALL document, please.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apac
r patch for 2.4.6. Thanks for your help.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
ny idea how?
That should be easy. Just use ProxyPass or RewriteRule with flag [P] on the
SSL-aware of the Apache/mod_ssl server. Read the mod_proxy
and/or mod_rewrite documentation for details.
Ralf S.
g with APXS (EXPERTS ONLY)" in the mod_ssl INSTALL
documents for a few hints.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
s either a different problem or related to some
other module (PHP, mod_perl, etc.).
> Has anyone else experienced this / found a fix or is
> this time to fire up the debugger?
Fire up the debugger and find out the location of the segfault, please.
On Tue, Oct 05, 1999, EKR wrote:
> "Ralf S. Engelschall" <[EMAIL PROTECTED]> writes:
> > On Sun, Oct 03, 1999, Eric Rescorla wrote:
> > Yes, someone else also reported that the pass phrase dialog doesn't work
> > correctly under Win32. But I canno
.
>
> Looks like I'll have to deal with this "etc/patch.tar" separately:
> (1). firstly importing it together with rest of the source tree,
> (2). "cvs remove" it; (3). "cvs add -kb" it again; (4). moving
> the tag for th
feedback whether it works for you. Thanks for your efforts.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Index: ssl_engine_io.c
==
On Mon, Oct 04, 1999, Cliff Woolley wrote:
> >>> "Ralf S. Engelschall" <[EMAIL PROTECTED]> 10/04/99 03:40AM >>>
> >Yes, someone else also reported that the pass phrase dialog doesn't
> work
> >correctly under Win32. But I cannot fix it
h.tar file
into CVS. CVS is aware of binary files. Just make sure keywords are not
expanded by later doing a "cvs admin -kb" on it. That's all and doesn't harm.
Ralf S. Engelschall
[EMAIL PROTEC
this EAPI?
Sure, everything is documented ;)
See pkg.eapi/README.EAPI in the mod_ssl distribution.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Win32-*only* bugs is maximum low-priority on my TODO list, of course.
So if you want the dialog fixed for Win32, you have to help me in finding out
the problem. Where are the Win32 hackers under us? Can someone help us here
and provide a patch to make the dialog working
convenience reasons only.
Apache-SSL doesn't require EAPI, because it uses its own "EAPI", i.e.
Apache-SSL ships with its own patches for the Apache API (these patches just
have no stand-alone name and are considered an integral part of Apache-SSL,
but the ide
BTW, do you use `SSLOptions +ExportCertChain'?
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
tly always have to suspend hacking because of learning) ;)
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
icitly doesn't prevent
us from receiving problem reports of people who insist to not read the
documentation carefully enough :-(
You would be surprised that I guess that 50% of all problem reports could be
avoided by the submitter if he first would have read the documentation more
carefull
nel versions.
Just use mod_ssl 2.4.5 and your problems should be gone.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
e to
generate a DSA based certificate ("make certificate ALGO=DSA" is your friend)
and reference this instead or (better) in addition to the RSA cert/key pair.
Then the DH ciphers magically start to work ;)
Ralf S. Engelschall
er... ;)
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Changes with mod_ssl 2.4.5 (28-Sep-1999 to 01-Oct-1999)
*) Now ``make certificate'' displays a warning message if one generate
it. At least not until"
| echo " you also generate an additional RSA based certificate/key pair"
| echo " and configure them in parallel."
Ralf S. Engelschall
[EMAIL PROTECTED]
m to crash.
Errr.. the patch.exe wasn't changed for over one year:
-rw-r--r-- 1 rse wheel 96256 Oct 21 1998 patch.exe
So something else has to be broken for you, but not this program. Perhaps
you've messed up the distribut
g else. But ok, now
> >that it works be happy... I just wanted to say that I cannot fix anything in
> >this Makefile because it is not broken IMO ;)
>
> Two things:
>
> 1. Not sure what you mean by "top-level".
I meant the top-level Ma
n, but that's even better. I just wanted
to make sure it works also for someone _not_ running the _latest_ glibc. And
your version seems to be not one of the latest ;) Fine. Thanks for the
feedback.
Ralf S. Engelschall
2.4.5 which is released in a few hours).
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
andomSeed connect file:/dev/urandom 512
In other words: Add a byte count to the reading stops (which is required here
because your /dev/urandom seems not to send an EOF).
Ralf S. Engelschall
machine without patching.
Ah, fine. Even with an older glibc it now works. Thanks.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
the SSLv2 ciphers which should still work.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
built as a DSO.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Instead I would
say you should then first check OpenSSL, shouldn't you? At least I've not
changed any Win32 stuff recently, so I currently still cannot imagine why
mod_ssl should now fail such horribly under Win32...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Suppor
On Thu, Sep 30, 1999, Mehul N. Sanghvi wrote:
> Definitely confirmed ... the 19990930 snapshot compiled cleanly
> without any problems.
Fine. BTW, which glibc version are you using?
Ralf S. Engelschall
tc.). Without such details
they could only give you the answer "Yes, it works fine if it's done
correctly.". Not very useful for you, right? So do yourself a favor and
describe your problems in more detail to them or you'll need a lot more days
until you've your ser
,
please. I'll wait for your success or failure stories before I release
2.4.5. Thanks.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschal
embedded
shell script finds a reasonable "openssl" or "ssleay" program in your $PATH.
So either your $PATH was broken or you messed up something else. But ok, now
that it works be happy... I just wanted to say that I cannot fix anything in
this Makefile because i
hat they meant,
> but I'm not a guru yet...
No, you don't have to worry about this. These are harmless messages from
older/stricter "ar" versions which want shorter filenames. Just ignore it.
You'll see the messages in lots of other
the above is useless, because it just adds another useless indirection
internally. With the above the data flows first through HTTP into mod_proxy
and then via HTTPS to the client, so the data is still encrypted and
additionally all you received is more load and increased request time on the
serv
On Wed, Sep 29, 1999, Michael Richardson wrote:
> >>>>> "Ralf" == Ralf S Engelschall <[EMAIL PROTECTED]> writes:
> Ralf> With a stock RH 6.0? Now I'm confused. I've tried 2.4.4 with such a
> Ralf> platform and it worked fine, bec
lesystem and
check every cert which stays around.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
have any idea to help me... write me !
Please look inside the mailing list archives. There is a posting from me with
subject "[IMPORTANT] mod_ssl 2.4.4 and Linux"...
Ralf S. Engelschall
[EMAIL PROT
> This way it would be possible to separate the log entries from different
> concurrent processes and assign them to a particular client (ip).
Yes, a reasonable suggestion. And now already implemented for mod_ssl 2.4.5.
Thanks for your feedback, Matthias.
Ralf S.
XT_IDEA_128_CBC_WITH_MD5 /*IDEA-CBC-MD5*/, 128, 128 },
>
> instead of
>
> { SSL3_TXT_RSA_IDEA_128_SHA /*IDEA-CBC-MD5*/, 128, 128 },
Ops, good catch. Thanks for the patch. Now fixed for 2.4.5.
Ralf S. Enge
On Tue, Sep 28, 1999, Jeff Johnson wrote:
> On Tue, Sep 28, 1999 at 09:36:01PM +0200, Ralf S. Engelschall wrote:
> > incompatible type for the fourth argument. Hmmm... seems like I've to try
> > it now myself on a Linux box to make it running. As a workaround, just
>
. I've tried 2.4.4 with such a platform
and it worked fine, because 6.0 is not broken. And others confirmed this, too.
Can it be that you have RH 6.0 but an older glibc 2.0? How is semctl(2)
defined in your headers?
od'
Use mod_ssl 2.4.4 with the patch posted in
"[IMPORTANT] mod_ssl 2.4.4 and Linux".
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Use --enable-rule=SSL_SDBM, please.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
r and upgrade to a better Linux version (or
even better: to FreeBSD ;).
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
On Tue, Sep 28, 1999, Ralf S. Engelschall wrote:
> On Tue, Sep 28, 1999, Magnus Stenman wrote:
>
> > 2.4.3 compiled OK on my redhat 5.2 box, but 2.4.4 barfs:
> >
> > gcc -c -I../../../../mm-1.0.11 -I../../os/unix -I../../include -O2 -m486
>-fno-strength-reduce
>
1 rse wheel 5 Sep 28 21:40 4b136f34.0 -> x.crt
So it seems like a local problem for you and I've no clue what the problem
is. Perhaps you've CRLFs in the file or other invisible things?
Ralf S. Engelschall
the fourth argument. Hmmm... seems like I've to try
it now myself on a Linux box to make it running. As a workaround, just
remove line 260 in mod_ssl.h.
Ralf S. Engelschall
[E
On Tue, Sep 28, 1999, Martin Kraemer wrote:
> Oops -- I fixed only one of them locations. Here's an updated patch.
Now already included in the released mod_ssl 2.4.4. Thanks.
Hell, we're lightning fast today... ;)
Ralf S
Linux community.
CHANGES entry follows.
Greetings,
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Changes with mod_ssl 2.4.4 (27-Sep-1999 to 28-Sep-1999)
*) Fixed the `
struct seminfo *__buf; /* buffer for IPC_INFO */
> + };
> +
> +
> +#endif
So this patch works, but I propose a more portable solution which doesn't
suffer from namespace conflicts on platforms where semun _is_ defined (like
*BSD). The patch I propose for 2.
ne _DOES_ understand
x509v3 certs, of course. Hmmm... can you post your certificate (not the key,
only the cert, of course) so we can have a closer look at this particular
cert and to find out why the hash isn't created?
Ralf S.
mod_ssl 2.4.3 - the usual amount of bugfixes and cleanups for the 2.4 series.
For more details see the appended CHANGES extract below.
As always you can find the tarball on:
http://www.modssl.org/source/
ftp://ftp.modssl.org/source/
Greetings,
Ralf S
d for target `target_static'
>
> I'm using Solaris 7 on SPARC if that matters. Thanks in advance for any
> help,
This can be caused by a too restrictive environment of the user building the
stuff. Check the limits for the user (in Bash enter `limits').
mmand 'getversign domain < tempfile'
> [...]
"getverisign" was from Stronghold, not from SSLeay.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschal
.6.1.4.1.311.10.3.3
or more symbolically:
extendedKeyUsage = msSGC,nsSGC
I've upgraded the gid-mkcert.sh script now for mod_ssl 2.4.3.
Ralf S. Engelschall
[EMAIL PROTECTED]
se subscribers. Let's see... Sorry for the
inconveniences, but one usually cannot do anything against those situations
except to try to remove those subscribers.
Ralf S. Engelschall
libexec/libssl.so file (under DSO situation).
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
tp://www.modssl.org/docs/
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
nt to set options only for
mod_ssl, you've to either edit src/modules/ssl/Makefile or (the cleaner way
before configuring) src/modules/ssl/libssl.module.
Ralf S. Engelschall
[E
>
> Which format should I ask for if they don't officially support
> apache+mod_ssl but will be compatible?
Ask them for the "Stronghold format"...
Ralf S. Engelschall
ld be useful if you could at least say with what error it fails... ;)
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
takes into account that these
are mainly scripting modules (which are always popular), it's very interesting
that mod_ssl is already ranked such high...
Greetings,
Ralf S. Engelschall
[
usage of sign.sh):
``[...] a script named sign.sh is distributed with
the mod_ssl distribution (subdir pkg.contrib/) [...]''
Ralf S. Engelschall
[EMAIL PROTECTED]
l
> instead of:
>/bin/apachectl start
> since SSL needs to be defined.
>
> I think it will be very helpful to the newbies if this was
> documented somewhere, perhaps the FAQ.
> [...]
I've added this to the FAQ now. Thanks for the hint.
at they get directly from us probably
> trust us as it is? yes, no?
As long as your customers trust your custom CA there is no difference to a
"real third party CA". At least for SSL there is no difference. It's just what
your clients trust more.
arch engine and inform you about this
facility others will certainly use on you
Thanks.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
works without rsaref, ask on the OpenSSL mailing lists for more hints
about OpenSSL+RSAref. There are certainly a few US citizens who can give
you a hint.
Ralf S. Engelschall
[EMAIL PROTECTED]
allow servlet access to SSL session
> and client certificate parameters?
I don't know, but the client cert ingredients are available through the CGI
environment, so if mod_jserv can access this environment you should be able to
access the stuff.
g --prefix or your installation is
broken. Either take the openssl.cnf from the distribution and load it manually
via "-config " or reinstall OpenSSL.
Ralf S. Engelschall
lso does not
exist, but one of the two has to exist). See in config.log _why_ sysconf is not
found and try to fix this.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
ease complain again.
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
Works fine for me. And the permissions on the filesystem are correct, too.
Try again, please.
Ralf S. Engelschall
[EMAIL PROTECTED]