ssl question

2002-07-31 Thread Mike Boyer



I installed openSSL with mod_ssl, and I can access 
my site using https://blah.com and I get a 
popup box telling me about a security issue and if I want to accept this. When I 
have visited other sites that are secure, it doesn't ask me to accept anything. 
In my certificate it says it's not part of the CA trusted root stores. Any help 
would be appreciated.


RE: ssl question

2002-07-31 Thread Vince Montuoro



Mike,

The reasoning behind that message is that you haven't purchased a certificate from a 
valid certificate store. The bought my companies at verisign.com.

If you are not releasing this web app to the public you could simply 
install the certificate and you shouldn't get the message again.

Good luck,

Vincent Montuoro Solution Engineer Request Level 12 461 Bourke Street 
Melbourne Vic 3000 Email: [EMAIL PROTECTED] Office: +61 3 8628 2764 Mobile: 0408 005 979

  -Original Message-
  From: Mike Boyer [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, 31 July 2002 4:57 AM
  To: [EMAIL PROTECTED]
  Subject: ssl question

  I installed openSSL with mod_ssl, and I can 
  access my site using https://blah.com and 
  I get a popup box telling me about a security issue and if I want to accept 
  this. When I have visited other sites that are secure, it doesn't ask me to 
  accept anything. In my certificate it says it's not part of the CA trusted root 
  stores. Any help would be appreciated.


openssl0.9.6e ok with mod_ssl 2.8.10?

2002-07-31 Thread Rainer Jung

Hi,

will there be a new version of mod_ssl for the security fixed openssl 
0.9.6e and openssl-engine 0.9.6e or is it safe to use mod_ssl 2.8.10.

If there will be a new version: is there an expected release date/time?

Thanks for any answers!

Rainer Jung

kippdata informationstechnologie GmbH
Bornheimer Straße 33a
D-53111 Bonn
Germany

Tel.: +49/228/98549-0
Fax:  +49/228/98549-50
email: [EMAIL PROTECTED]

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



Re: openssl0.9.6e ok with mod_ssl 2.8.10?

2002-07-31 Thread Lutz Jaenicke

On Wed, Jul 31, 2002 at 11:40:42AM +0200, Rainer Jung wrote:
 Hi,
 
 will there be a new version of mod_ssl for the security fixed openssl 
 0.9.6e and openssl-engine 0.9.6e or is it safe to use mod_ssl 2.8.10.

It should be safe to use mod_ssl 2.8.10. The API of openssl did not change
when upgrading from 0.9.6d to 0.9.6e, so no update for mod_ssl is
required.

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



apachectl restart problem...

2002-07-31 Thread Sean M Alderman

Greetings all,
  I'm curious if anyone has come across issues with starting apache
using -
# $APACHE_HOME/bin/apachectl startssl
and then having apache hang when issuing this -
# $APACHE_HOME/bin/apachectl restart

I'm running 1.3.26 with the latest mod_ssl on Solaris 8.  I don't get
any error messages in the logs, and apachectl says that it restarts just
fine, but when you point a browser back to the server it does not
respond.  I can fix it with an apachectl stop;apachectl startssl, but
I'm just curious about not being able to do the restart.
-- 
Sean M. Alderman
ITRACK Systems Analyst
PACE/NCI - NASA Glenn Research Center
(216) 433-2795

Calling a windowed operating system Windows is like naming an
automobile Wheels.



RE: openssl0.9.6e ok with mod_ssl 2.8.10?

2002-07-31 Thread Courtin Bert

Hi,

yes, there is a new version of mm available on http://www.ossp.org/pkg/lib/mm/ 
( Status: Stable Version:   1.2.1  (28-Jul-2002) )

The advisory is here: http://www.openpkg.org/security/OpenPKG-SA-2002.007-mm.html



Kind regards,

Bert Courtin




-Original Message-
From: R. DuFresne [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 31, 2002 2:14 PM
To: Rainer Jung
Cc: [EMAIL PROTECTED]
Subject: Re: openssl0.9.6e ok with mod_ssl 2.8.10?




If I read the advisories correctly, the problem was related to openssl
code.  So, recompiling apache/mod-ssl with the new or patched openssl
sources should fix that issue.  The other question though is, since there
were additional advisories related to mm, and apache 1.3.X/mod-ssl
requires mm for proper compilation and functioning, if there is a new mm
package or patch available.

Thanks,

Ron dufresne

On Wed, 31 Jul 2002, Rainer Jung wrote:

 Hi,
 
 will there be a new version of mod_ssl for the security fixed openssl 
 0.9.6e and openssl-engine 0.9.6e or is it safe to use mod_ssl 2.8.10.
 
 If there will be a new version: is there an expected release date/time?
 
 Thanks for any answers!
 
 Rainer Jung
 
 kippdata informationstechnologie GmbH
 Bornheimer Straße 33a
 D-53111 Bonn
 Germany
 
 Tel.: +49/228/98549-0
 Fax:  +49/228/98549-50
 email: [EMAIL PROTECTED]
 
 

-- 
~~
admin  senior security consultant:  sysinfo.com
http://sysinfo.com

Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation.
-- Johnny Hart

testing, only testing, and damn good at it too!




RE: ssl question

2002-07-31 Thread Matt Nelson

But I did a self-signed cert for testing purposes.  Shouldn't that work?

--
Matt


At 04:34 PM 7/31/2002 +1000, you wrote:
Mike,

The reasoning behind that message is that you haven't purchased a 
certificate from a valid certificate store.  The bought my companies at 
verisign.com.

If you are not releasing this web app to the public you could simply 
install the certificate and you shouldn't get the message again.

Good luck,

Vincent Montuoro Solution Engineer Request Level 12 461 Bourke Street 
Melbourne Vic 3000 Email: [EMAIL PROTECTED] Office:+61 3 
8628 2764 Mobile:   0408 005 979


-Original Message-
From: Mike Boyer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 31 July 2002 4:57 AM
To: [EMAIL PROTECTED]
Subject: ssl question

I installed openSSL with mod_ssl, and I can access my site using 
https://blah.com and I get a popup box telling me about 
a security issue and if I want to accept this. When I have visited other 
sites that are secure, it doesn't ask me to accept anything. In my 
certificate it says it's not part of the CA trusted root stores. Any help 
would be appreciated.




RE: ssl question

2002-07-31 Thread Noah White


No, because your browser does not have the signing authority in its list of
trusted / root CAs. There are three options, but really only two are
practical. The first would be to just import the certificate the first time
you see this pop up and you can do that by clicking on View certificate
when you get the pop up (I'm talking IE here). The second option would be to
purchase and use a cert from a CA which is in your browser's list of
trusted/root CA (someone like verisign). You can get the list by clicking on
Tools-Internet options-The content tab-Certificates button-Trusted Root
Certification Authorities tab. The third option would be to become a CA on
that list by paying MS big bucks and setting your own company to do it (not
what I would call viable :-).

-Noah

 -Original Message-
 From: Matt Nelson [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, July 31, 2002 9:14 AM
 To: [EMAIL PROTECTED]
 Subject: RE: ssl question
 
 But I did a self-signed cert for testing purposes.  Shouldn't that work?
 
 --
 Matt
 
 
 At 04:34 PM 7/31/2002 +1000, you wrote:
 Mike,
 
 The reasoning behind that message is that you haven't purchased a
 certificate from a valid certificate store.  The bought my companies at
 verisign.com.
 
 If you are not releasing this web app to the public you could simply
 install the certificate and you shouldn't get the message again.
 
 Good luck,
 
 Vincent Montuoro Solution Engineer Request Level 12 461 Bourke Street
 Melbourne Vic 3000 Email: [EMAIL PROTECTED] Office:+61 3
 8628 2764 Mobile:   0408 005 979
 
 
 -Original Message-
 From: Mike Boyer [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, 31 July 2002 4:57 AM
 To: [EMAIL PROTECTED]
 Subject: ssl question
 
 I installed openSSL with mod_ssl, and I can access my site using
 https://blah.com and I get a popup box telling me about
 a security issue and if I want to accept this. When I have visited other
 sites that are secure, it doesn't ask me to accept anything. In my
 certificate it says it's not part of the CA trusted root stores. Any help
 would be appreciated.
 
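The trust check behind the browser popup discussed above, reproduced with the openssl command-line tool (an added example, not part of the original posts). It assumes openssl is installed; the host name blah.example and the file names are placeholders. Passing the certificate itself as a trusted root stands in for importing it into the browser.

```sh
#!/bin/sh
# Added example; assumes the openssl command-line tool is installed.
# Host name and file names are placeholders.

# Create a throwaway self-signed certificate and key in directory $1.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=blah.example" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Succeed when the certificate names itself as its issuer, i.e. there is
# no separate CA above it that a trust store could already contain.
issuer_is_subject() {
    s=$(openssl x509 -in "$1" -noout -subject)
    i=$(openssl x509 -in "$1" -noout -issuer)
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# Echo "trusted" or "untrusted" for certificate $1.
# Optional $2: PEM file of additional trusted roots (the "imported" cert).
trust_status() {
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify "$1" 2>&1) || true
    fi
    # Successful verification prints "<file>: OK"; failures print an error.
    case "$out" in
        *": OK"*) echo trusted ;;
        *)        echo untrusted ;;
    esac
}

# Demo on a freshly generated certificate.
dir=$(mktemp -d)
make_self_signed "$dir"
issuer_is_subject "$dir/server.crt" && echo "issuer equals subject (self-signed)"
echo "default trust store:  $(trust_status "$dir/server.crt")"
echo "after importing cert: $(trust_status "$dir/server.crt" "$dir/server.crt")"
rm -rf "$dir"
```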



RE: apachectl restart problem...

2002-07-31 Thread Boyle Owen

From: Sean M Alderman [mailto:[EMAIL PROTECTED]]

Greetings all,
  I'm curious if anyone has come across issues with starting apache
using -
# $APACHE_HOME/bin/apachectl startssl
and then having apache hang when issuing this -
# $APACHE_HOME/bin/apachectl restart

I'm running 1.3.26 with the latest mod_ssl on Solaris 8.  I don't get
any error messages in the logs, and apachectl says that it 
restarts just
fine, but when you point a browser back to the server it does not
respond.  I can fix it with an apachectl stop;apachectl startssl, but
I'm just curious about not being able to do the restart.

Restart sends a HUP to apache. I've found that this is sometimes insufficiently 
forceful to make apache reload certain SSL parameters (e.g. if you change the 
certificate). However, it should be sufficient for non-SSL edits.

Rgds,
Owen Boyle



RE: http and https from same config

2002-07-31 Thread Boyle Owen

From: Svein E. Seldal [mailto:[EMAIL PROTECTED]]

Hi guys,

I want to run a http server on port 81 which should only be available to 
the localnet, say 192.168.0.x/24 *and* on https with client certificates 
from the whole world. No passwords should be used in either method.

Now I've got SSL working with the certs, so that's not my question, but 
how do I configure the virtual host to enforce these access rights? 
Today I've hacked the problem by running two separate (yet identical) 
virtual hosts. I want to run http(81) and https from the same virtual 
host config. Is this possible?

I can't think how you would do this. IMHO, what you have already done (far from being 
a hack) is the correct way to proceed - two virtualhosts with the same DocumentRoot 
(hence same content) but with different ports. The trouble is the SSLEngine on 
directive - this has only context in a VH, i.e. you can't make it conditional on an IP 
range, for instance.

Rgds,

Owen Boyle



RE: ssl question

2002-07-31 Thread Matt Nelson

But I'm never even getting a response on the browser, httpd is never even 
starting due to this error.  I thought I had it corrected this morning, the 
log kept complaining about not finding the cert, I worked with that for a 
while, then came back to the same error.  Frustrating, but I'm not giving 
up just yet.   I'd like someone to take a look at my httpd.conf and tell me 
if I've got something wrong there, or just what the problem can be.  I've 
tried to follow the docs as close as I can, but obviously I've missed 
something.

--
Matt

At 09:23 AM 7/31/2002 -0400, you wrote:

No, because your browser does not have the signing authority in its list of
trusted / root CAs. There are three options, but really only two are
practical. The first would be to just import the certificate the first time
you see this pop up and you can do that by clicking on View certificate
when you get the pop up (I'm talking IE here). The second option would be to
purchase and use a cert from a CA which is in your browser's list of
trusted/root CA (someone like verisign). You can get the list by clicking on
Tools-Internet options-The content tab-Certificates button-Trusted Root
Certification Authorities tab. The third option would be to become a CA on
that list by paying MS big bucks and setting your own company to do it (not
what I would call viable :-).

-Noah

  -Original Message-
  From: Matt Nelson [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, July 31, 2002 9:14 AM
  To: [EMAIL PROTECTED]
  Subject: RE: ssl question
 
  But I did a self-signed cert for testing purposes.  Shouldn't that work?
 
  --
  Matt
 
 
  At 04:34 PM 7/31/2002 +1000, you wrote:
  Mike,
  
  The reasoning behind that message is that you haven't purchased a
  certificate from a valid certificate store.  The bought my companies at
  verisign.com.
  
  If you are not releasing this web app to the public you could simply
  install the certificate and you shouldn't get the message again.
  
  Good luck,
  
  Vincent Montuoro Solution Engineer Request Level 12 461 Bourke Street
  Melbourne Vic 3000 Email: [EMAIL PROTECTED] Office:+61 3
  8628 2764 Mobile:   0408 005 979
  
  
  -Original Message-
  From: Mike Boyer [mailto:[EMAIL PROTECTED]]
  Sent: Wednesday, 31 July 2002 4:57 AM
  To: [EMAIL PROTECTED]
  Subject: ssl question
  
  I installed openSSL with mod_ssl, and I can access my site using
  https://blah.com and I get a popup box telling me about
  a security issue and if I want to accept this. When I have visited other
  sites that are secure, it doesn't ask me to accept anything. In my
  certificate it says it's not part of the CA trusted root stores. Any help
  would be appreciated.
 



RE: Error message help

2002-07-31 Thread Boyle Owen

From: Matt Nelson [mailto:[EMAIL PROTECTED]]

Now, the error I'm getting now  that I can't seem to find any 
help on, in 
the error_log is:

OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long


Unusual.. Do you see anything in the browser? Also:

- What versions of apache, mod_ssl, openssl?
- Static or DSO?
- What browser?

Rgds,
owen Boyle



RE: Error message help

2002-07-31 Thread Matt Nelson

At 03:56 PM 7/31/2002 +0200, you wrote:
 From: Matt Nelson [mailto:[EMAIL PROTECTED]]
 
 Now, the error I'm getting now  that I can't seem to find any
 help on, in
 the error_log is:
 
 OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header 
 too long
 

Unusual.. Do you see anything in the browser? Also:

- What versions of apache, mod_ssl, openssl?


Apache 1.3.22
OpenSSL 0.9.6
mod_ssl 1.4



- Static or DSO?


I'll be honest and say I don't quite understand that question.  I'm way 
more new at this than I wished.  I could probably answer that question, if 
asked in different terms.

- What browser?

IE, Mozilla, you name it.

Rgds,
owen Boyle



RE: Error message help

2002-07-31 Thread Matt Nelson

Well I may have figured this out, https is now running, cert was in the 
wrong place, but https returns the default web page for the apache 
installation, instead of the real site, which does come up with just 
http.  I think I can figure that out, but if anyone has pointer 
thanks,  and thanks for suffering my dumb questions.

--
Matt


At 09:36 AM 7/31/2002 -0500, you wrote:
At 03:56 PM 7/31/2002 +0200, you wrote:
 From: Matt Nelson [mailto:[EMAIL PROTECTED]]
 
 Now, the error I'm getting now  that I can't seem to find any
 help on, in
 the error_log is:
 
 OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header 
 too long
 

Unusual.. Do you see anything in the browser? Also:

- What versions of apache, mod_ssl, openssl?


Apache 1.3.22
OpenSSL 0.9.6
mod_ssl 1.4



- Static or DSO?


I'll be honest and say I don't quite understand that question.  I'm way 
more new at this than I wished.  I could probably answer that question, if 
asked in different terms.

- What browser?

IE, Mozilla, you name it.

Rgds,
owen Boyle



RE: apachectl restart problem...

2002-07-31 Thread Sean M Alderman

I thought it might be something like that, but typically when I've run
into this, I've made a change to a http virtual host, and all the other
virtual hosts ssl or not, are then not accessible.  Maybe apache needs a
better way to reload configs for virtual hosts (such that it doesn't
bother anything else)...but that's not a topic for this list.  :) 
Thanks for the response.

On Wed, 2002-07-31 at 09:48, Boyle Owen wrote:
 From: Sean M Alderman [mailto:[EMAIL PROTECTED]]
 
 Greetings all,
   I'm curious if anyone has come across issues with starting apache
 using -
 # $APACHE_HOME/bin/apachectl startssl
 and then having apache hang when issuing this -
 # $APACHE_HOME/bin/apachectl restart
 
 I'm running 1.3.26 with the latest mod_ssl on Solaris 8.  I don't get
 any error messages in the logs, and apachectl says that it 
 restarts just
 fine, but when you point a browser back to the server it does not
 respond.  I can fix it with an apachectl stop;apachectl startssl, but
 I'm just curious about not being able to do the restart.
 
 Restart sends a HUP to apache. I've found that this is sometimes insufficiently 
forceful to make apache reload certain SSL parameters (e.g. if you change the 
certificate). However, it should be sufficient for non-SSL edits.
 
 Rgds,
 Owen Boyle
 
-- 
Sean M. Alderman
ITRACK Systems Analyst
PACE/NCI - NASA Glenn Research Center
(216) 433-2795

Calling a windowed operating system Windows is like naming an
automobile Wheels.



Re: apachectl restart problem...

2002-07-31 Thread Peter Viertel

reloads don't work if your keys are encrypted - is this the case here?

i have happily sent a sig USR1 to an ssl apache setup each night for two 
years - and never a problem - only goes awry if a cert or key changes.

Sean M Alderman wrote:

I thought it might be something like that, but typically when I've run
into this, I've made a change to a http virtual host, and all the other
virtual hosts ssl or not, are then not accessible.  Maybe apache needs a
better way to reload configs for virtual hosts (such that it doesn't
bother anything else)...but that's not a topic for this list.  :) 
Thanks for the response.

On Wed, 2002-07-31 at 09:48, Boyle Owen wrote:
  

From: Sean M Alderman [mailto:[EMAIL PROTECTED]]

Greetings all,
 I'm curious if anyone has come across issues with starting apache
using -
# $APACHE_HOME/bin/apachectl startssl
and then having apache hang when issuing this -
# $APACHE_HOME/bin/apachectl restart

I'm running 1.3.26 with the latest mod_ssl on Solaris 8.  I don't get
any error messages in the logs, and apachectl says that it 
restarts just
fine, but when you point a browser back to the server it does not
respond.  I can fix it with an apachectl stop;apachectl startssl, but
I'm just curious about not being able to do the restart.
  

Restart sends a HUP to apache. I've found that this is sometimes insufficiently 
forceful to make apache reload certain SSL parameters (e.g. if you change the 
certificate). However, it should be sufficient for non-SSL edits.

Rgds,
Owen Boyle



RE: Error message help

2002-07-31 Thread Boyle Owen

See comments,

Rgds,

Owen Boyle

-Original Message-
From: Matt Nelson [mailto:[EMAIL PROTECTED]]
Sent: Mittwoch, 31. Juli 2002 17:01
To: [EMAIL PROTECTED]
Subject: RE: Error message help


Well I may have figured this out, https is now running, cert 
was in the wrong place, 

..or your SSLCertificateFile directive was pointing to the wrong place :-)

 ...but https returns the default web page for the apache 
installation, instead of the real site, which does come up with just 
http.  I think I can figure that out, but if anyone has pointer 
thanks,  and thanks for suffering my dumb questions.

Check out your DocumentRoot directive in the SSL virtual host - there should only be 
one. If there is more than one, apache will use the last one... It is this directive 
which tells apache where to fetch the content.


--
Matt


At 09:36 AM 7/31/2002 -0500, you wrote:
At 03:56 PM 7/31/2002 +0200, you wrote:
 From: Matt Nelson [mailto:[EMAIL PROTECTED]]
 
 Now, the error I'm getting now  that I can't seem to find any
 help on, in
 the error_log is:
 
 OpenSSL: error:0D06B078:asn1 encoding 
routines:ASN1_get_object:header 
 too long
 

Unusual.. Do you see anything in the browser? Also:

- What versions of apache, mod_ssl, openssl?


Apache 1.3.22
OpenSSL 0.9.6
mod_ssl 1.4

Um... If I were you, I'd get apache 1.3.26, OpenSSL 0.9.6e and mod_ssl 2.8.10. That's 
the latest mix, also pay attention to the security advisory that was posted to the 
list today. 


- Static or DSO?

When you compiled apache, did you statically compile in mod_ssl (i.e. 
--enable-module=ssl) so that the mod_ssl binary gets munged in with the apache binary 
to produce a big binary *or* did you compile mod_ssl as a shared object which would be 
loaded dynamically at runtime (DSO = Dynamic Shared Object), i.e. --enable-shared=ssl? 
Usually, it doesn't make much difference when they're working, but since yours was not 
working, I thought I'd ask.



I'll be honest and say I don't quite understand that question.  I'm way 
more new at this than I wished.  I could probably answer that question, if 
asked in different terms.

- What browser?

IE, Mozilla, you name it.

Just in case it was a funny browser - SSL is as much to do with the client as it is to 
do with the server so it is essential to verify any problems with several browsers. 
But you've already done that.


Rgds,
owen Boyle
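A pre-flight check for the two causes raised in this thread, an SSLCertificateFile directive pointing at the wrong place and a passphrase-protected key behind a restart that does not come back (an added example, not code from the list or from mod_ssl). The function names, sample paths and PEM bodies are constructed, and directive paths are assumed to be absolute and free of spaces.

```sh
#!/bin/sh
# Added example: pre-flight check of mod_ssl certificate/key directives.
# Assumption: directive paths are absolute and contain no spaces.

# Print "cert <path>" / "key <path>" for each SSLCertificateFile and
# SSLCertificateKeyFile directive in config $1. Commented-out directives
# are skipped because their first field starts with "#".
ssl_file_directives() {
    awk '{ d = tolower($1) }
         d == "sslcertificatefile"    { gsub(/"/, "", $2); print "cert", $2 }
         d == "sslcertificatekeyfile" { gsub(/"/, "", $2); print "key", $2 }' "$1"
}

# Classify file $1 by its PEM markers:
# missing | encrypted-key | key | cert | unrecognised
classify_pem() {
    [ -r "$1" ] || { echo missing; return; }
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted-key
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo key
    elif grep -q '^-----BEGIN .*CERTIFICATE-----' "$1"; then
        echo cert
    else
        echo unrecognised
    fi
}

# Report one line per directive: OK, WARN (encrypted key) or FAIL.
preflight() {
    ssl_file_directives "$1" | while read -r kind path; do
        found=$(classify_pem "$path")
        case "$kind:$found" in
            cert:cert|key:key) echo "OK $kind $path" ;;
            key:encrypted-key) echo "WARN key $path is passphrase-protected" ;;
            *)                 echo "FAIL $kind $path is $found" ;;
        esac
    done
}

# Build a constructed sample tree in directory $1 (placeholder PEM bodies).
make_sample() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1/www.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/www.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' > "$1/shop.key"
    # shop.crt is deliberately not created: the directive points nowhere.
    cat > "$1/httpd.conf" <<EOF
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    $1/www.crt
    SSLCertificateKeyFile $1/www.key
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    SSLEngine on
    # SSLCertificateFile  $1/old.crt
    SSLCertificateFile    $1/shop.crt
    SSLCertificateKeyFile $1/shop.key
</VirtualHost>
EOF
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
preflight "$demo_dir/httpd.conf"
rm -rf "$demo_dir"
```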



RE: Error message help

2002-07-31 Thread Matt Nelson

At 06:02 PM 7/31/2002 +0200, you wrote:
See comments,

Ditto,

Rgds,

Owen Boyle

 -Original Message-
 From: Matt Nelson [mailto:[EMAIL PROTECTED]]
 Sent: Mittwoch, 31. Juli 2002 17:01
 To: [EMAIL PROTECTED]
 Subject: RE: Error message help
 
 
 Well I may have figured this out, https is now running, cert
 was in the wrong place,

..or your SSLCertificateFile directive was pointing to the wrong place :-)

Yup, but dang I was confused on where it went.  Everything I've read said 
put it somewhere different.  Error logs are your friends.


  ...but https returns the default web page for the apache
 installation, instead of the real site, which does come up with just
 http.  I think I can figure that out, but if anyone has pointer
 thanks,  and thanks for suffering my dumb questions.

Check out your DocumentRoot directive in the SSL virtual host - there 
should only be one. If there is more than one, apache will use the last 
one... It is this directive which tells apache where to fetch the content.

Yeah I found that right after I wrote that.

 
 --
 Matt
 
 
 At 09:36 AM 7/31/2002 -0500, you wrote:
 At 03:56 PM 7/31/2002 +0200, you wrote:
  From: Matt Nelson [mailto:[EMAIL PROTECTED]]
  
  Now, the error I'm getting now  that I can't seem to find any
  help on, in
  the error_log is:
  
  OpenSSL: error:0D06B078:asn1 encoding
 routines:ASN1_get_object:header
  too long
  
 
 Unusual.. Do you see anything in the browser? Also:
 
 - What versions of apache, mod_ssl, openssl?
 
 
 Apache 1.3.22
 OpenSSL 0.9.6
 mod_ssl 1.4

Um... If I were you, I'd get apache 1.3.26, OpenSSL 0.9.6e and mod_ssl 
2.8.10. That's the latest mix, also pay attention to the security advisory 
that was posted to the list today.

I'll do that.


 
 - Static or DSO?

When you compiled apache, did you statically compile in mod_ssl (i.e. 
--enable-module=ssl) so that the mod_ssl binary gets munged in with the 
apache binary to produce a big binary *or* did you compile mod_ssl as a 
shared object which would be loaded dynamically at runtime (DSO = Dynamic 
Shared Object), i.e. --enable-shared=ssl? Usually, it doesn't make much 
difference when they're working, but since yours was not working, I 
thought I'd ask.

I didn't compile, I used everything stock from the Caldera 3.11 server 
install. A bad idea now I know, if I'd done it on my own or recompiled, I'd 
know which it was, among other things.

 
 
 I'll be honest and say I don't quite understand that question.  I'm way
 more new at this than I wished.  I could probably answer that question, if
 asked in different terms.
 
 - What browser?
 
 IE, Mozilla, you name it.

Just in case it was a funny browser - SSL is as much to do with the client 
as it is to do with the server so it is essential to verify any problems 
with several browsers. But you've already done that.

Yeah...  See I do try, I hate being a clueless newbie, or at least acting 
like one.  I always try to cover the bases myself, so I don't get RTFM 
responses.  I'm sure I'll have some other questions, though, and soon.

Thanks much

--
Matt




MM doesn't work now with 0.9.6e

2002-07-31 Thread David Lowenstein

I just installed the newest version of openssl and recompiled mm, mod_ssl,
mod_perl, and apache. Now when I start apache I get an error from my
httpd.conf file about the SSLSessionCache option. The error is:

SSLSessionCache: shared memory cache not useable on this platform

Well, it was with openssl 0.9.6c. I didn't do anything different in my
installation steps which were:

install openssl

configure mm with disable-shared
make

configure mod_ssl --with-apache=../apache_1.3.26

install mod_perl (perl Makefile.PL APACHE_SRC=../apache_1.3.26/src
DO_HTTPD=0 USE_APACI=1 PREP_HTTPD=1 EVERYTHING=1)

set SSL_BASE and EAPI_MM variables to ../openssl0.9.6e and ../mm-1.2.1

configure and install apache:

./configure --enable-module=proxy --enable-module=so
--activate-module=src/modules/perl/libperl.a --enable-module=perl
--enable-rule=SHARED_CORE --enable-module=ssl

make

make certificate

make install



Without the shared option in the config file, apache starts just fine, but
it won't work with:

SSLSessionCache shm:/usr/local/apache/logs/ssl/ssl_scache(512000)

It worked before.

What did I break?


Dave Lowenstein
Programmer/Analyst
Instructional Technology Services
San Diego State University
(619)594-0270
http://www-rohan.sdsu.edu/dept/its

On Wed, 31 Jul 2002, Matt Nelson wrote:

 At 06:02 PM 7/31/2002 +0200, you wrote:
 See comments,
 
 Ditto,
 
 Rgds,
 
 Owen Boyle
 
  -Original Message-
  From: Matt Nelson [mailto:[EMAIL PROTECTED]]
  Sent: Mittwoch, 31. Juli 2002 17:01
  To: [EMAIL PROTECTED]
  Subject: RE: Error message help
  
  
  Well I may have figured this out, https is now running, cert
  was in the wrong place,
 
 ..or your SSLCertificateFile directive was pointing to the wrong place :-)
 
 Yup, but dang I was confused on where it went.  Everything I've read said 
 put it somewhere different.  Error logs are your friends.
 
 
   ...but https returns the default web page for the apache
  installation, instead of the real site, which does come up with just
  http.  I think I can figure that out, but if anyone has pointer
  thanks,  and thanks for suffering my dumb questions.
 
 Check out your DocumentRoot directive in the SSL virtual host - there 
 should only be one. If there is more than one, apache will use the last 
 one... It is this directive which tells apache where to fetch the content.
 
 Yeah I found that right after I wrote that.
 
  
  --
  Matt
  
  
  At 09:36 AM 7/31/2002 -0500, you wrote:
  At 03:56 PM 7/31/2002 +0200, you wrote:
   From: Matt Nelson [mailto:[EMAIL PROTECTED]]
   
   Now, the error I'm getting now  that I can't seem to find any
   help on, in
   the error_log is:
   
   OpenSSL: error:0D06B078:asn1 encoding
  routines:ASN1_get_object:header
   too long
   
  
  Unusual.. Do you see anything in the browser? Also:
  
  - What versions of apache, mod_ssl, openssl?
  
  
  Apache 1.3.22
  OpenSSL 0.9.6
  mod_ssl 1.4
 
 Um... If I were you, I'd get apache 1.3.26, OpenSSL 0.9.6e and mod_ssl 
 2.8.10. That's the latest mix, also pay attention to the security advisory 
 that was posted to the list today.
 
 I'll do that.
 
 
  
  - Static or DSO?
 
 When you compiled apache, did you statically compile in mod_ssl (i.e. 
 --enable-module=ssl) so that the mod_ssl binary gets munged in with the 
 apache binary to produce a big binary *or* did you compile mod_ssl as a 
 shared object which would be loaded dynamically at runtime (DSO = Dynamic 
 Shared Object), i.e. --enable-shared=ssl? Usually, it doesn't make much 
 difference when they're working, but since yours was not working, I 
 thought I'd ask.
 
 I didn't compile, I used everything stock from the Caldera 3.11 server 
 install. A bad idea now I know, if I'd done it on my own or recompiled, I'd 
 know which it was, among other things.
 
  
  
  I'll be honest and say I don't quite understand that
  question.  I'm way
  more new at this than I wished.  I could probably answer that
  question, if
  asked in different terms.
  
  - What browser?
  
  IE, Mozilla, you name it.
 
 Just in case it was a funny browser - SSL is as much to do with the client 
 as it is to do with the server so it is essential to verify any problems 
 with several browsers. But you've already done that.
 
 Yeah...  See I do try, I hate being a clueless newbie, or at least acting 
 like one.  I always try to cover the bases myself, so I don't get RTFM 
 responses.  I'm sure I'll have some other questions, though, and soon.
 
 Thanks much
 
 --
 Matt
 

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
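
The reply above says an SSL virtual host should carry only one DocumentRoot. The following check is an added example, not part of the original thread or of Apache; the sample configuration, its paths and the function names are constructed for illustration. It lists every VirtualHost block that declares DocumentRoot more than once.

```python
import re

# Constructed sample config (not from the thread): the SSL vhost carries two
# DocumentRoot lines, the situation the reply above describes.
SAMPLE_CONF = """\
DocumentRoot "/usr/local/apache/htdocs"
<VirtualHost _default_:443>
    SSLEngine on
    DocumentRoot "/usr/local/apache/htdocs"
    ServerName www.example.com
    # DocumentRoot "/old/path"   (commented out, ignored)
    DocumentRoot "/home/www/realsite"
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot "/home/www/realsite"
</VirtualHost>
"""

OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
DOCROOT = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', re.I)

def docroots_by_scope(conf_text):
    """Map each scope ('main' or a vhost address) to [(line_no, path), ...]."""
    scopes, current = {"main": []}, "main"
    for no, line in enumerate(conf_text.splitlines(), 1):
        opened, root = OPEN.match(line), DOCROOT.match(line)
        if opened:
            current = opened.group(1).strip()
            scopes.setdefault(current, [])
        elif CLOSE.match(line):
            current = "main"
        elif root:
            scopes[current].append((no, root.group(1)))
    return scopes

def duplicate_docroots(conf_text):
    """Return only the scopes that declare DocumentRoot more than once."""
    return {s: d for s, d in docroots_by_scope(conf_text).items() if len(d) > 1}

if __name__ == "__main__":
    for scope, decls in duplicate_docroots(SAMPLE_CONF).items():
        print(f"{scope}: {len(decls)} DocumentRoot lines")
        for no, path in decls:
            print(f"  line {no}: {path}")
```

Directives pulled in through Include files are not followed, so each included file needs its own run.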

Re: MM doesn't work now with 0.9.6e

2002-07-31 Thread David Wall

 configure mod_ssl --with-apache=../apache_1.3.26

Seems like you need to supply mod_ssl with all of the configure directives
you show below for apache, and then when it comes time to compile apache,
you just run the auto-generated config.status script.  At least that worked
for me using the same versions you are using (under Red Hat Linux).  Of
course, I don't have mod_perl, so that may make a difference...


 install mod_perl (perl Makefile.PL APACHE_SRC=../apache_1.3.26/src
 DO_HTTPD=0 USE_APACI=1 PREP_HTTPD=1 EVERYTHING=1)

 set SSL_BASE and EAPI_MM variables to ../openssl0.9.6e and ../mm-1.2.1

 configure and install apache:

 ./configure --enable-module=proxy --enable-module=so
 --activate-module=src/modules/perl/libperl.a --enable-module=perl
 --enable-rule=SHARED_CORE --enable-module=ssl

 make

 make certificate

 make install


David




Re: MM doesn't work now with 0.9.6e

2002-07-31 Thread David Lowenstein

I'm an idiot. I set the EAPI_MM variable as MM_EAPI. Dyslexia gets you
every time.

Thanks

Dave

Dave Lowenstein
Programmer/Analyst
Instructional Technology Services
San Diego State University
(619)594-0270
http://www-rohan.sdsu.edu/dept/its

On Wed, 31 Jul 2002, David Wall wrote:

  configure mod_ssl --with-apache=../apache_1.3.26
 
 Seems like you need to supply mod_ssl with all of the configure directives
 you show below for apache, and then when it comes time to compile apache,
 you just run the auto-generated config.status script.  At least that worked
 for me using the same versions you are using (under Red Hat Linux).  Of
 course, I don't have mod_perl, so that may make a difference...
 
 
  install mod_perl (perl Makefile.PL APACHE_SRC=../apache_1.3.26/src
  DO_HTTPD=0 USE_APACI=1 PREP_HTTPD=1 EVERYTHING=1)
 
  set SSL_BASE and EAPI_MM variables to ../openssl0.9.6e and ../mm-1.2.1
 
  configure and install apache:
 
  ./configure --enable-module=proxy --enable-module=so
  --activate-module=src/modules/perl/libperl.a --enable-module=perl
  --enable-rule=SHARED_CORE --enable-module=ssl
 
  make
 
  make certificate
 
  make install
 
 
 David
 
 




Apache on Win2000

2002-07-31 Thread Vince Montuoro

I've had difficulties in the past recompiling apache, modssl and openSSL on a Windows 
server, can someone please upload the new openSSL_0.9.6e, Mod_SSL_2.8.10, apache 1.26 
aware zip please to the modssl contribution page?
e.g. Apache_1.3.26-Mod_SSL_2.8.10-OpenSSL_0.9.6e-Win32.zip

(actually I think all I need is the following files, ssleay32.dll and libeay32.dll, to 
get OpenSSL upgraded)

If anyone has any sure method of compiling on Windows server please inform.



Kind thanks 
Vince




Help configuring Virtual Hosts

2002-07-31 Thread Nick Burke

To anyone -

I am attempting to setup Apache-SSL on a large server where most access
is thru normal port 80 communications but I have three VirtualHosts that
require port 443 SSL communications. We have our certificate (via Thawte).
I've tried the port and SSLEnable/SSLDisable directives inside the VH
definitions but it hangs our server. Any thoughts?

Nick Burke
GSFC/NASA
[EMAIL PROTECTED]




PRNG errors

2002-07-31 Thread cbenn

Hello everyone.

I just upgraded my OpenSSL yesterday from 9.6c to 9.6e, then recompiled my
mod_ssl-2.8.10-1.3.26 and Apache on OpenBSD 3.0. Everything seemed to go
fine, but now all my https requests are unable to connect. According to all
the docs I've seen, the error message suggests changing the SSLRandomSeed
setting in the httpd.conf, however I've tried various settings, see the new
value for the Seeding PRNG line in the log, but the handshake still
fails with the same error message. Can anyone suggest anything else that
may be the issue.

Thanks,
benn

From httpd.conf
#   Pseudo Random Number Generator (PRNG):
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

From ssl_engine_log
[31/Jul/2002 09:49:00 30490] [info]  Connection to child 3 established
(server www.host.com:443, client 127.0.0.1)
[31/Jul/2002 09:49:00 30490] [info]  Seeding PRNG with 1160 bytes of
entropy
[31/Jul/2002 09:49:00 30490] [error] SSL handshake failed (server
www.host.com:443, client 127.0.0.1) (OpenSSL library error follows)
[31/Jul/2002 09:49:00 30490] [error] OpenSSL: error:24064064:random number
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[31/Jul/2002 09:49:00 30490] [error] OpenSSL: error:24064064:random number
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[31/Jul/2002 09:49:00 30490] [error] OpenSSL: error:24064064:random number
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[31/Jul/2002 09:49:00 30490] [error] OpenSSL: error:1409B005:SSL
routines:SSL3_SEND_SERVER_KEY_EXCHANGE:bad asn1 object header
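
To triage a log like the one in the post above, the following added example (not part of the original thread) rejoins the wrapped entries, counts the handshake failures and splits each OpenSSL error code into its library, function and reason numbers. It assumes the packed layout OpenSSL used at the time (8-bit library, 12-bit function, 12-bit reason); the function names are illustrative.

```python
import re
from collections import Counter

# Excerpt copied from the post above, mail line wrapping included.
SAMPLE_LOG = """\
[31/Jul/2002 09:49:00 30490] [info]  Connection to child 3 established
(server www.host.com:443, client 127.0.0.1)
[31/Jul/2002 09:49:00 30490] [info]  Seeding PRNG with 1160 bytes of
entropy
[31/Jul/2002 09:49:00 30490] [error] SSL handshake failed (server
www.host.com:443, client 127.0.0.1) (OpenSSL library error follows)
[31/Jul/2002 09:49:00 30490] [error] OpenSSL: error:24064064:random number
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[31/Jul/2002 09:49:00 30490] [error] OpenSSL: error:24064064:random number
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[31/Jul/2002 09:49:00 30490] [error] OpenSSL: error:24064064:random number
generator:SSLEAY_RAND_BYTES:PRNG not seeded
[31/Jul/2002 09:49:00 30490] [error] OpenSSL: error:1409B005:SSL
routines:SSL3_SEND_SERVER_KEY_EXCHANGE:bad asn1 object header
"""

# After whitespace is collapsed, an entry reads "[date time pid] [level] message".
ENTRY = re.compile(r"^\[[^\]]+\] \[(?P<level>\w+)\] (?P<msg>.*)$")
ERRQ = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")

def entries(log_text):
    """Yield (level, message) per entry; wrapped continuation lines are rejoined."""
    for chunk in re.split(r"\n(?=\[\d{2}/\w{3}/\d{4} )", log_text.strip()):
        m = ENTRY.match(" ".join(chunk.split()))
        if m:
            yield m.group("level"), m.group("msg")

def unpack(code_hex):
    """Split a packed OpenSSL error code into (library, function, reason) numbers."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def summarize(log_text):
    """Return (seeded_bytes, handshake_failures, Counter of decoded OpenSSL errors)."""
    seeded, failures, errors = None, 0, Counter()
    for level, msg in entries(log_text):
        seed = re.search(r"Seeding PRNG with (\d+) bytes", msg)
        err = ERRQ.search(msg)
        if seed:
            seeded = int(seed.group(1))
        elif level == "error" and msg.startswith("SSL handshake failed"):
            failures += 1
        elif err:
            errors[(err.group(1).upper(), *unpack(err.group(1)), err.group(4))] += 1
    return seeded, failures, errors
```

On the excerpt it reports 1160 seeded bytes, one failed handshake, three `PRNG not seeded` errors and one `bad asn1 object header` error, so the seeding log line and the library's own view of the PRNG disagree within the same connection.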



HTPASSWD Utility

2002-07-31 Thread Cagle Larence G Contr 96 CG/SCTOA

The htpasswd.exe utility in
Apache_2.0.39-Mod_SSL-OpenSSL-0.9.6d-Win32.zip aborts with an error message
when you try to add or update a password. It responds with "The
process cannot access the file because it is being used by another
process." I thought perhaps that Apache had not closed the password
file when it was started, so I stopped the tasks related to Apache and tried it
again. Same result. I'm running the server on a PC with Windows XP
Professional OS.



I downloaded and unzipped htpasswd.exe from the
Apache_2.0.37-dev_mod_ssl_2.0.37_dev_OpenSSL-0.9.6c-WIN32.zip file and it works
like it used to in earlier versions.



Any ideas?


Re: HTPASSWD Utility

2002-07-31 Thread Daniel Lopez



   

On Wed, Jul 31, 2002 at 12:59:20PM -0500, Cagle Larence G Contr 96 CG/SCTOA wrote:
 The htpasswd.exe utility in Apache_2.0.39-Mod_SSL-OpenSSL-0.9.6d-Win32.zip
 aborts with an error message when you try to add or update a password.  It
 responds with The process cannot access the file because it is being used
 by another process.  I thought perhaps that Apache had not closed the
 password file when it was started, so I stopped the tasks related to Apache
 and tried it again.  Same result.  I'm running the server on a PC with
 Windows XP Professional OS.
 
  
 
 I downloaded and unzipped htpasswd.exe from the
 Apache_2.0.37-dev_mod_ssl_2.0.37_dev_OpenSSL-0.9.6c-WIN32.zip file and it
 works like it used to in earlier versions.

The htpasswd.exe utility on Windows has known bugs that have been fixed for
2.0.40. You can use previous versions like the one you mention, they are ok.

Cheers

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/