Re: Problems with creating own CA

2002-12-03 Thread Sasa STUPAR
Well, the thing is that just adding ...-config openssl.cnf... was
enough. Now it works.

Thanks

Long, Liesheng wrote:
 Do .csr first, then do .crt
 
 Try the following commands, add your path if needed:
 
 1. openssl req -config openssl.cnf -new -key ca.key -out ca.csr
 2. openssl x509 -extfile openssl.conf -days 365 -signkey ca.key \
   -in ca.csr -req -out ca.crt
 
 
 -----Original Message-----
 From: Sasa STUPAR [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, November 28, 2002 11:50 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Problems with creating own CA
 
 One thing, if I try to use directly with the command openssl req -new
 -x509 -days 365 -key ca.key -out ca.crt I get back error like before
 with also that it cannot load config info.
 Any idea?
 
 Maurizio Marini wrote:
 
 On Thursday 28 November 2002 05:01 pm, Sasa STUPAR wrote:
  They are already uncommented. Here is attached my config file.
 I've:
 commonName  = Common Name (eg, your name or your server\'s hostname)
 commonName_max  = 64
 commonName_default  = iris.dev.datalogica.com
 
 it seems you lack this:
 commonName_default  = your_fqdn
 
 -- 
 Maurizio Marini  GSM +39-335-8259739
 Altamura: +39-080-3105228Fax +39-080-3105228
 Pesaro:  +39-0721-54277  Fax +39-0721-415055
 __
 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  [EMAIL PROTECTED]
 Automated List Manager[EMAIL PROTECTED]
 
 
 



Re: Problems with creating own CA

2002-12-03 Thread Sasa STUPAR
OK, so creating a certificate is done. How do I sign it? I am using
Windows but I have read in the documents to use sign.sh in mod-perl. OK,
but I do not have Linux anywhere near me. So what can I do?




Re: Problems with creating own CA

2002-12-03 Thread Maurizio Marini

On Tuesday 03 December 2002 03:22 pm, Sasa STUPAR wrote:
 OK, so creating a certificate is done. How do I sign it ? I am using
 windows but I have read in the documents to use sign.sh in mod-perl. Ok
 but I am not having Linux anywhere near me. So what can I do ?
 

try a self-signed
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout server.key -out server.crt


-- 
Maurizio Marini 



Re: Problems with creating own CA

2002-12-03 Thread Sasa STUPAR
OK, I have made a server certificate and a client certificate. I have
configured apache and ssl.conf with everything necessary BUT when I try
to connect to myserver:443 it tells me connection has been refused.
Any idea?




(Hopefully) easy SSL question

2002-12-03 Thread Justin Williams
I have openssl and mod_ssl on a server running Apache.
On independent IPs, I have three websites.  One is listening *only* on port
443, and works just fine.  The other two need to listen on both 80 and 443,
but I have only been able to get them to listen on one port at a time.  If I
add the directive: SSLEngine on, then port 80 stops listening (more
accurately, it complains that I didn't type in https:).  If I remove that
directive, then port 443 stops listening.  Page cannot be found.  Is there
some other directive I need to use?  Thanks!!

Justin




Re: (Hopefully) easy SSL question

2002-12-03 Thread R. DuFresne


under the <IfDefine SSL> directive, list each port to listen on with the:
Listen domain.com:80
Listen domain.com:443
...
</IfDefine>

see if that corrects matters for you.

Thanks,

Ron DuFresne

 

-- 
~~
admin  senior security consultant:  sysinfo.com
http://sysinfo.com

Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation.
-- Johnny Hart

testing, only testing, and damn good at it too!




Re: (Hopefully) easy SSL question

2002-12-03 Thread Justin Williams
Is this directive the same thing as if mod_ssl.c?
Thanks!



RE: how to add multiple SSL cert for each virtual host?

2002-12-03 Thread Shawn Syms
Multiple SSL certs for name-based virtual hosts aren't possible based upon
the way SSL is designed. Each site requiring a separate cert must have its
own IP address.

---
Shawn Syms | Systems Administrator
Infinet Communications | [EMAIL PROTECTED]
---



-----Original Message-----
From: Thomas Sandor [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 03, 2002 1:20 PM
To: [EMAIL PROTECTED]
Subject: how to add multiple SSL cert for each virtual host?


hi everyone,

I have an apache 2.0.40 installed on a RedHat 7.2 box, compiled with ssl
(openssl 0.9.6g).
Till now I had only one domain for which apache should use SSL cert files
(crt, key), but for our next project I have to add another SSL cert file for a
specific domain.

I have NameVirtualHost 12.34.56.78 and have a list of virtualhost/ for
each of our domains, using ServerName based aliases, but for the ssl conf it
doesn't work. My ssl.conf in short looks like this:

NameVirtualHost 12.34.56.78:443

<VirtualHost 12.34.56.78:443>
ServerName domain1.com
CustomLog ...
ErrorLog ...
SSLEngine on
SSLCertificateFile /somewhere/ssl.crt/domain1.crt
SSLCertificateKeyFile somewhere/ssl.key/domain1.key
</VirtualHost>

<VirtualHost 12.34.56.78:443>
ServerName domain2.com
CustomLog ...
ErrorLog ...
SSLEngine on
SSLCertificateFile /somewhere/ssl.crt/domain2.crt
SSLCertificateKeyFile somewhere/ssl.key/domain2.key
</VirtualHost>

The problem is that apache does not serve domain2 cert files for domain2, it
uses the first declaration for every https://domainX.com invoke. Does anyone
know how to tell apache to use the specific SSL cert I'd like to define for
each of my virtualhosts?

Thanks in advance for any help.

Regards,
Thomas




RE: how to add multiple SSL cert for each virtual host?

2002-12-03 Thread Hack Hawk
What?!?!?!  Are you absolutely sure about this?  SSL certs are based on the 
Domain Name,,, NOT the IP address.  It stands to reason that it would be 
possible for virtual hosts/domains to have their own certs.  Perhaps modssl 
doesn't support it, but I think that in theory it's possible.

- hawk




Re: (Hopefully) easy SSL question

2002-12-03 Thread R. DuFresne

<shrug>  I have that statement coming after the <IfDefine SSL> directive
(meaning it's defined within that <IfDefine SSL>/</IfDefine>).
Of course, and I don't state my conf file is the cleanest of meanest, I
have 3 such openings and closings of like this:

<IfDefine SSL>
</IfDefine>
<IfDefine SSL>
</IfDefine>
<IfDefine SSL>
</IfDefine>


This happens to be the first such set of <IfDefine SSL> directives:

<IfDefine SSL>
 Listen domain.com:80
 Listen domain.com:443
 ...
</IfDefine>


Damn, now I have to go cleanup things one of these days <smile>.

Thanks,

Ron DuFresne





Re: how to add multiple SSL cert for each virtual host?

2002-12-03 Thread Dave Paris
Look at the handshake for SSL.  During the name to address translation 
phase, you wind up with a chicken-egg scenario if more than one name 
shares an address.

Not only is it not possible, it'd be a HUGE security flaw if it WERE 
possible.

-dsp

On Tuesday, Dec 3, 2002, at 15:34 US/Eastern, Hack Hawk wrote:

What?!?!?!  Are you absolutely sure about this?  SSL certs are based 
on the Domain Name,,, NOT the IP address.  It stands to reason that it 
would be possible for virtual hosts/domains to have their own certs.  
Perhaps modssl doesn't support it, but I think that in theory it's 
possible.

- hawk




Re: (Hopefully) easy SSL question

2002-12-03 Thread Justin Williams
In the if mod_ssl.c, I spotted more than a couple of Listen statements.
Any time I added IP:443 in there, Apache pitched a hissy fit.
So, I ended up taking a slightly different route.
I set up two entries in the .conf:
IP1:80
no SSL info
IP1:443
SSL info

IP2:80
no SSL info
IP2:443
SSL info

Apache stopped complaining, and the domains are listening on both ports...



RE: how to add multiple SSL cert for each virtual host?

2002-12-03 Thread Hack Hawk
At 12:49 PM 12/03/2002, Shawn Syms wrote:

Hawk: Here is more info on why this doesn't work:
http://www.ensim.com/support/sxc/faqs/4.10.html


Aha.  That makes sense to me.  I noticed this discussion because I was 
considering doing this sort of thing in the next month or two. Damn!  Now I 
have to provide IP addresses for virtual sites that require this support.  :(

Thanks for the heads up though.

- hawk




Please help !!!!

2002-12-03 Thread Sasa STUPAR
Hi !

I have configured Apache 2.0.43 with mod_ssl and I have created CA and
client certificates but now I cannot access my ssl server https://myserver.
What have I made wrong?





Re: how to add multiple SSL cert for each virtual host?

2002-12-03 Thread Cliff Woolley
On Tue, 3 Dec 2002, Dave Paris wrote:

 Not only is it not possible

With the current state of the SSL protocol such as it is, this is
correct-- it's not possible.

 it'd be a HUGE security flaw if it WERE possible.

Well, not necessarily... all that you would need is for the client to tell
the server which host it *thought* it was contacting, and then the server
would know which vhost to serve the request with and therefore which
certificate to present.  That would require the SSL protocol to have the
equivalent of HTTP's Host: header.  From there, as long as the certificate
can be verified as authentic, there's no more risk than there would be if
there was a one-to-one mapping between IP and hostname as the current SSL
protocol requires.

But please, people, this is SUCH a frequently asked question.  Definitely
one of the top three.  I wonder if we can't find a better way to document
this?  Anyone have any ideas?  I'd say un-hiding it from the FAQ page
would be a good start... it's a prominent question, give the answer a more
prominent location.

--Cliff




Re: how to add multiple SSL cert for each virtual host?

2002-12-03 Thread R. DuFresne


Perhaps including it in the default httpd.conf file under the
VirtualHost directives as commentary might help?

#  General setup for the virtual host
# ...name based VHing does not work, you need to...to get this to
#  ...work...if you ask this in the modssl-users list, you might
#  well be berated for failing to read documentation...

Perhaps putting the information in the README as well as in the INSTALL
docs, thus putting it in as many places as possible might help?

Thanks,

Ron DuFresne

P.S.  this is of course not limiting adding it to the list footer <grin>:

 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  [EMAIL PROTECTED]
 Automated List Manager[EMAIL PROTECTED]
  ...name based VHing does not work, you need to...to get this to
  ...work...if you ask this in the modssl-users list, you might
 #well be berated for failing to read documentation...


On Tue, 3 Dec 2002, Cliff Woolley wrote:

[SNIP]

 
 But please, people, this is SUCH a frequently asked question.  Definitely
 one of the top three.  I wonder if we can't find a better way to document
 this?  Anyone have any ideas?  I'd say un-hiding it from the FAQ page
 would be a good start... it's a prominent question, give the answer a more
 prominent location.
 
 --Cliff
 



Getting error in error log that was similar to slapper worm

2002-12-03 Thread Kevin



Hello --

I am running the Covalent release of apache 1.3.27,
which has 0.9.6g of OpenSSL.

I am getting the following error in my error_log
along with the apache service crashing (the exact same error
happened right as the slapper worm became prevalent):

[Mon Dec 2 16:18:17 2002] [error] [client 193.2.210.39] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /accept_mutex_on: No space left on device
[Mon Dec 2 16:18:25 2002] [alert] Child 8390 returned a Fatal error... Apache is exiting!
[Mon Dec 2 16:41:47 2002] [notice] jrApache[init] JRun 3.0 3.00.3664 Apache module - May 19 2000 13:00:51
[Mon Dec 2 16:41:50 2002] [warn] pid file /usr/local/apache1.3/logs/httpsd.pid overwritten -- Unclean shutdown of previous Apache run?
[Mon Dec 2 16:41:50 2002] [notice] jrApache[init] JRun 3.0 3.00.3664 Apache module - May 19 2000 13:00:51
[Mon Dec 2 16:41:51 2002] [notice] Apache/1.3.27 (Unix) secured_by_Covalent/1.6.0 configured -- resuming normal operations
[Mon Dec 2 16:41:51 2002] [notice] Accept mutex: sysvsem (Default: sysvsem)

I thought it was the slapper worm causing the
server to crash. I have plenty of room on all disk partitions
(including the root) and things look normal when running an
ipcs. Has anyone seen this before or know what might be going wrong?
This is the first time it has happened after upgrading to 1.3.27 with
0.9.6g.

Thanks,
KevinK


RE: how to add multiple SSL cert for each virtual host?

2002-12-03 Thread Krist . vanBesien


 Aha.  That makes sense to me.  I noticed this discussion because I was
 considering doing this sort of thing in the next month or two. Damn!  Now I
 have to provide IP addresses for virtual sites that require this support.  :(

Might not something like this work? It gives you name based virtual hosts
for the http part...


NameVirtualHost 12.34.56.78:80

<VirtualHost 12.34.56.78:80>
 ServerName domain1.com
 Redirect / https://domain1.com:1443
</VirtualHost>

<VirtualHost 12.34.56.78:80>
 ServerName domain2.com
 Redirect / https://domain2.com:1444
</VirtualHost>

<VirtualHost 12.34.56.78:1443>
 ServerName domain1.com
 CustomLog ...
 ErrorLog ...
 SSLEngine on
 SSLCertificateFile /somewhere/ssl.crt/domain1.crt
 SSLCertificateKeyFile somewhere/ssl.key/domain1.key
</VirtualHost>

<VirtualHost 12.34.56.78:1444>
 ServerName domain2.com
 CustomLog ...
 ErrorLog ...
 SSLEngine on
 SSLCertificateFile /somewhere/ssl.crt/domain2.crt
 SSLCertificateKeyFile somewhere/ssl.key/domain2.key
</VirtualHost>

I've just written this from the top of my head, so I don't know if I didn't
make any syntax errors. But I'll have to try this out someday here, as I'm
going to run into the same problem as you are now.

Greetings,

Krist
