RE: Apache-SSL vs mod_ssl
-----Original Message-----
From: rmck [mailto:[EMAIL PROTECTED]]

> What's the benefit of mod_ssl compared to Apache-SSL???

One has got mod in its name and the other hasn't :-)

I am not expert enough to comment on the two implementations of SSL technology, so I restrict myself to the usability differences:

Apache-SSL is a monolithic program with the SSL functionality hard-coded into apache. This leads to a large binary. Also, many SSL directives are *required* in the config in order for it to work.

mod_ssl allows you to add or remove SSL functionality to an already working apache (assuming you compiled with EAPI and DSO). So you have more flexibility.

In a single server set-up, there is probably little to choose between the two; however, I could imagine a multi-apache environment where you wanted some servers with SSL and some without. mod_ssl would be a good choice there.

As far as I can see, there is no difference between Apache-SSL and apache with mod_ssl statically compiled - both lead to a monolithic, SSL-aware binary.

Finally, in my experience, mod_ssl tracks apache updates really fast. Usually a new mod_ssl is ready within a day of a new apache version. Apache-SSL tends to be slower and is sometimes a few versions behind.

Rgds,
Owen Boyle

This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this message in error, please notify the sender urgently and then immediately delete the message and any copies of it from your system. Please also immediately destroy any hardcopies of the message. You must not, directly or indirectly, use, disclose, distribute, print, or copy any part of this message if you are not the intended recipient. The sender's company reserves the right to monitor all e-mail communications through their networks.

Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorised to state them to be the views of the sender's company.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
problems with WebTV
Hello...

We are having SSL problems with WebTV clients. Static pages seem to work, but POSTs seem to break with the following SSL error:

[Thu Jan 23 11:18:01 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[Thu Jan 23 11:18:01 2003] [error] OpenSSL: error:1407609C:lib(20):func(118):reason(156)

What voodoo do I need to adjust for this 0.01% of the market browser? ;)

Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_gzip/1.3.26.1a PHP/4.3.0 mod_ssl/2.8.12 OpenSSL/0.9.6b

--
Christopher McCrory
The guy that keeps the servers running
[EMAIL PROTECTED]
http://www.pricegrabber.com

Let's face it, there's no Hollow Earth, no robots, and no 'mute rays.' And even if there were, waxed paper is no defense. I tried it. Only tinfoil works.
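The two log lines above record the same failure twice: once as mod_ssl's text ("HTTP spoken on HTTPS port", i.e. the client sent a plaintext HTTP request to the SSL port, so the handshake never started) and once as OpenSSL's packed error code, where `1407609C` is lib 0x14 = 20, func 0x076 = 118, reason 0x09C = 156. The following is an added example, not code from the post or from mod_ssl, that parses such error_log lines, unpacks the code to check it agrees with the printed lib/func/reason, and counts how often plaintext hits the SSL port. The sample log is constructed (Christopher's two lines repeated, plus one ordinary connection line); the names for lib 20 (ERR_LIB_SSL) and reason 156 (SSL_R_HTTP_REQUEST) are taken from OpenSSL's err.h and ssl.h, and the function id is left numeric, since `openssl errstr 1407609C` on the server itself resolves all three.

```python
import re
from collections import Counter

# Constructed sample log: the two lines from the post, repeated once, plus one
# ordinary mod_ssl connection line so the summary has non-failures to skip.
SAMPLE_LOG = """\
[Thu Jan 23 11:18:01 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[Thu Jan 23 11:18:01 2003] [error] OpenSSL: error:1407609C:lib(20):func(118):reason(156)
[Thu Jan 23 11:18:05 2003] [info] mod_ssl: Connection to child 3 established (server www.example.com:443, client 192.0.2.10)
[Thu Jan 23 11:19:42 2003] [error] mod_ssl: SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page (OpenSSL library error follows)
[Thu Jan 23 11:19:42 2003] [error] OpenSSL: error:1407609C:lib(20):func(118):reason(156)
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<src>mod_ssl|OpenSSL): (?P<msg>.*)$")
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):lib\((?P<lib>\d+)\):func\((?P<func>\d+)\):reason\((?P<reason>\d+)\)")

# Ids from OpenSSL's err.h / ssl.h (0.9.x and 1.0.x numbering); extend as needed.
ERR_LIB_NAMES = {20: "ERR_LIB_SSL"}
SSL_REASON_NAMES = {156: "SSL_R_HTTP_REQUEST"}


def decode_openssl_error(code):
    """Unpack an ERR_PACK()ed code: 8-bit library, 12-bit function, 12-bit reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_line(line):
    """Return a dict for one error_log line, or None if it is not a mod_ssl/OpenSSL line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    e = OPENSSL_ERR_RE.search(rec["msg"])
    if e:
        lib, func, reason = decode_openssl_error(int(e["code"], 16))
        rec.update(
            lib=lib, func=func, reason=reason,
            lib_name=ERR_LIB_NAMES.get(lib, "lib(%d)" % lib),
            reason_name=SSL_REASON_NAMES.get(reason, "reason(%d)" % reason),
            # The packed code and the printed triple come from the same value;
            # a mismatch would mean the line was mangled in transit or by a log shipper.
            consistent=(lib, func, reason)
            == (int(e["lib"]), int(e["func"]), int(e["reason"])),
        )
    return rec


def summarize(log_text):
    """Count handshake failures by mod_ssl's stated cause and by OpenSSL reason name."""
    failures = Counter()
    reasons = Counter()
    prefix = "SSL handshake failed: "
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] == "mod_ssl" and rec["msg"].startswith(prefix):
            failures[rec["msg"][len(prefix):].split(";")[0]] += 1
        elif "reason" in rec:
            reasons[rec["reason_name"]] += 1
    return failures, reasons


if __name__ == "__main__":
    fails, why = summarize(SAMPLE_LOG)
    for cause, n in fails.most_common():
        print("%4d  %s" % (n, cause))
    for name, n in why.most_common():
        print("%4d  %s" % (n, name))
```

A steady count of `HTTP spoken on HTTPS port` against a single client type, as in this report, points at the client (or a proxy in front of it) sending its POST in the clear, not at the server's certificate or cipher settings; the same parser run over a full day's error_log separates that case from genuine handshake failures, which carry different reason codes.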
Verifying enabled ciphers?
How can I verify the ciphers enabled by my webserver? The reason I ask is because I have been informed by a third-party security auditor that my server allows anonymous authentication, allows cleartext communication, and supports weak encryption. I am unable to verify any of these claims on my own.

Here is my information:

Apache: 1.3.27
mod_ssl: mod_ssl/2.8.12-1.3.27
openssl: openssl-0.9.6g
OS: Solaris 8

Here are my relevant SSL directives from httpd.conf:

SSLEngine on
SSLCipherSuite HIGH:MEDIUM:!ADH
SSLProtocol all -SSLv2

According to /usr/local/ssl/bin/openssl ciphers -v 'HIGH:MEDIUM:!ADH' the supported ciphers for my server are:

EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
DHE-DSS-RC4-SHA         SSLv3 Kx=DH   Au=DSS  Enc=RC4(128)  Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
IDEA-CBC-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA  Au=RSA  Enc=RC2(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5

But apparently I am also supporting:

ADH-DES-CBC-SHA
DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
EDH-RSA-DES-CBC-SHA
EXP1024-DES-CBC-SHA
EXP1024-DHE-DSS-DES-CBC-SHA
EXP1024-DHE-DSS-RC4-SHA
EXP1024-RC2-CBC-MD5
EXP1024-RC4-MD5
EXP1024-RC4-SHA
EXP-ADH-DES-CBC-SHA
EXP-ADH-RC4-MD5
EXP-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
NULL-MD5
NULL-SHA

Is the security auditor full of it? How can I verify their results from an external machine (they've scanned the network from an external box)?

Thanks,
--
Steve Chadsey
[EMAIL PROTECTED]
Re: Verifying enabled ciphers?
On Thu, Jan 23, 2003 at 07:10:26PM -0700, Steve Chadsey wrote:
> How can I verify the ciphers enabled by my webserver? The reason I ask is because I have been informed by a third-party security auditor that my server allows anonymous authentication, allows cleartext communication, and supports weak encryption. I am unable to verify any of these claims on my own.
>
> Here is my information:
>
> Apache: 1.3.27
> mod_ssl: mod_ssl/2.8.12-1.3.27
> openssl: openssl-0.9.6g
> OS: Solaris 8
>
> Here are my relevant SSL directives from httpd.conf:
>
> SSLEngine on
> SSLCipherSuite HIGH:MEDIUM:!ADH
> SSLProtocol all -SSLv2
>
> According to /usr/local/ssl/bin/openssl ciphers -v 'HIGH:MEDIUM:!ADH' the supported ciphers for my server are:
>
> EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH   Au=RSA  Enc=3DES(168) Mac=SHA1
> EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH   Au=DSS  Enc=3DES(168) Mac=SHA1
> DES-CBC3-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
> DES-CBC3-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=MD5
> DHE-DSS-RC4-SHA         SSLv3 Kx=DH   Au=DSS  Enc=RC4(128)  Mac=SHA1
> IDEA-CBC-SHA            SSLv3 Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=SHA1
> RC4-SHA                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=SHA1
> RC4-MD5                 SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
> IDEA-CBC-MD5            SSLv2 Kx=RSA  Au=RSA  Enc=IDEA(128) Mac=MD5
> RC2-CBC-MD5             SSLv2 Kx=RSA  Au=RSA  Enc=RC2(128)  Mac=MD5
> RC4-MD5                 SSLv2 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5
>
> But apparently I am also supporting:
>
> ADH-DES-CBC-SHA
> DES-CBC-SHA
> EDH-DSS-DES-CBC-SHA
> EDH-RSA-DES-CBC-SHA
> EXP1024-DES-CBC-SHA
> EXP1024-DHE-DSS-DES-CBC-SHA
> EXP1024-DHE-DSS-RC4-SHA
> EXP1024-RC2-CBC-MD5
> EXP1024-RC4-MD5
> EXP1024-RC4-SHA
> EXP-ADH-DES-CBC-SHA
> EXP-ADH-RC4-MD5
> EXP-DES-CBC-SHA
> EXP-EDH-DSS-DES-CBC-SHA
> EXP-EDH-RSA-DES-CBC-SHA
> EXP-RC2-CBC-MD5
> EXP-RC4-MD5
> NULL-MD5
> NULL-SHA
>
> Is the security auditor full of it? How can I verify their results from an external machine (they've scanned the network from an external box)?

Try to connect using

  openssl s_client -connect hostname:443 -cipher ADH-DES-CBC-SHA

to see if it really succeeds. With respect to your settings, it had better not.

Unfortunately the server-info handler does not list the enabled ciphers for crosschecking. The SSLv3/TLSv1 specification says that the client has to list its supported ciphers, so from the protocol's point of view the only option indeed is to test connections with the ciphers in question.

Best regards,
Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus