at the same
time (sometimes even some time before ;) a corresponding mod_ssl version is
available which applies cleanly to the current Apache state. So the fact that
EAPI needs adjusting is not important for end users. I take care of this all
the time. But as it looks, the chances are high that
good SSL intro) followed by the various SSL HowTo documents you can find
on the website under Related->HowTo. For installing SSL on your NT-based
Apache server follow either INSTALL.W32 yourself or look at www.opensa.org.
ople would have problems upgrading or
often destroy their configurations and keys. "make install" even displayed
messages like "PRESERVING foo bar" to explicitly inform you about this ;)
Ralf S. Enge
one cannot
use dummy certs at all...
Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
__
Ap
I wish you a Merry Christmas, dear mod_ssl user.
And as the opportunity arises, let me thank you
for your long-term loyalty and support.
Yours,
Ralf S. Engelschall
tually based on the same code in OpenSSL
which is used under "openssl rsa". So it makes me wonder why the same
piece of code should accept your pass phrase just once and then never
again. As a last chance, keep in mind that you at least can also remove
the pass phrase at all (consult th
approach is. What is the
opinion of others on this topic?
Ralf S. Engelschall
ogging for mod_ssl you can achieve with
"SSLLogLevel debug" as the documentation explains.
Ralf S. Engelschall
cript to add -DNO_IDEA flag to SSL_CFLAGS in apache/src/modules/Makefile
> and apache/src/modules/ssl/Makefile - how do I do that?
Try to use the following APACI configuration line:
$ CFLAGS="-DNO_IDEA" ./configure [...]
7;SSLVerifyClient require') ?
Inside the mod_ssl's distribution, under pkg.contrib/, you can find a
script named cca.sh. That's what I use for test purposes. But you can
use it also for real to create your client certs.
hort: just upgrade to 2.4.9 and the variable exists for you.
Ralf S. Engelschall
u an answer.
Ralf S. Engelschall
://www.modssl.org/source/
ftp://ftp.modssl.org/source/
Yours,
Ralf S. Engelschall
Changes with mod_ssl 2.4.10 (24-Nov-1999 to 08-Jan-2000
nssl"" line
in the script. Then just run "cca.sh init" and it will interactively
create your CA certificate and key. Then run "cca.sh gen" once or
multiple times to generate your client certs. That's all.
Ralf S. E
ver keys and obtain new server certs?
No.
Ralf S. Engelschall
ssed
up something with your httpd.
Ralf S. Engelschall
distribution tarball and/or
go to www.opensa.org.
Ralf S. Engelschall
O which answers your questions:
http://www.apache.org/docs/dso.html
Ralf S. Engelschall
ns
> and when you build the server. Ralf: consider adding this to the FAQ?
It was still not in the FAQ, but "make certificate" already gave a big
fat warning message. Seems like people ignore those warnings ;) I've now
added an entry to the FAQ, too. Tha
efault is disabled for
| performance reasons, because the information extraction step is a rather
| expensive operation. So one usually enables this option for CGI and SSI
| requests only.
Yours,
Ralf S. Engelsch
ome people here might also understand your native language,
the communication language on this mailing list is English _only_. Thanks.
Ralf S. Engelschall
> illegal to run mod_ssl for any other reason than
> evaluation until September, in the USA. Is this true?
This a US citizen should answer, please.
Ralf S. Engelschall
f available) or the built-in random source.
Ralf S. Engelschall
> ** as gcc. The above error message from your compiler
> ** will also provide a clue.
> [...]
>
> Any ideas would be appreciated...
Your problem seems to be that some libraries cannot be found or
you're using some compiler flags your compiler doesn't understand. Go
ks.
Yours,
Ralf S. Engelschall
Changes with mod_ssl 2.5.0 (08-Jan-2000 to 22-Jan-2000)
*) Switched the old "POST for HTTPS" support code from
defined(
On Sat, Jan 22, 2000, Dan Parsons wrote:
> When will a modssl patch for Apache-1.3.11 be available?
Be patient, be patient, please. I'm at work and not on escape.
And, yes, mod_ssl 2.5.0 for Apache 1.3.11 is now available...
Ralf S. Eng
also have to rebuild Apache, of course. But not just because of
mod_ssl... ;)
Ralf S. Engelschall
d anything wrong with
> line 96 in ssl_util_ssl.h...
Line 96 is certainly correct; you'll not find a syntax error there. The
problem is more that some things in this line are not defined. I expect
that your OpenSSL header files do not provide some things. But I've no
clue what this
On Tue, Jan 25, 2000, Simon Buchanan wrote:
> Could someone tell me if these are useable with mod ssl or is it better
> to get Stronghold?
You can use GIDs with mod_ssl, of course.
Read the README.GlobalID document for details.
Ralf S. Engel
"httpd" binary as "httpd -l" and you see the list of
modules which are statically built in. For a list of DSO-based modules
just perform a "find . -name "*.so" -print" in the installation area.
Ralf S. Engelschall
n a special tagged
way (see also README.GlobalID).
Ralf S. Engelschall
er rename them manually in the
EAPI source or you can rename them via additional #defines before
including ap_hook.h (or alternatively before including the informix
header) and #undefs behind.
Ralf S. Engelsc
only called by
OpenSSL if there is actually a client certificate which has to be
verified. So I guess you're just testing without client certs.
Ralf S. Engelschall
ia:
sc->pPrivateKey[SSL_AIDX_RSA]
where sc is the server config variable from ssl_callback_SSLVerify.
(btw, the DSA private key stuff can be found via SSL_AIDX_DSA). It is
not encrypted and can be directly accessed via OpenSSL's EVP functions.
See the mod_ssl source code for mo
without SSL.
Ralf S. Engelschall
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
see INSTALL document).
> With Apache now saying that have new security patches that will
> be incorporated into the next Apache release--is it best to just wait
> a bit for the next version of Apache before upgrading Apache and
> modssl ?
Yes, then I recommend you to wait fo
th mod_ssl
or even OpenSSL. So you should post this instead to the PHP support
mailing lists, please.
Ralf S. Engelschall
to a solution of how to setup the proxy server or send
> me a example configuration?
The error messages indicate that you're speaking HTTPS to a port where
no HTTPS is spoken. There only HTTP is spoken which leads to those
errors. Make sure your Listen and sections match and that
"
directive into this section. Or
add it to a place _outside_ of all sections.
Ralf S. Engelschall
an char * Can I return directly an int?
Sure, you can directly return an int, too. Just declare the function as
AP_HOOK_SIG2(int,ptr) and make sure "result" is an int.
Ralf S. Eng
the following procedure:
So you can't use --with-apxs the first time. BTW, EAPI is distributed
with mod_ssl, so you can't find it on www.apache.org.
Ralf S. Engelschall
ded patch. With
this patch it compiled fine against both OpenSSL 0.9.4 and the latest
snapshot. Thanks for your feedback.
Ralf S. Engelschall
Inde
me the problem was already solved in the meantime.
Thanks for your understanding.
Ralf S. Engelschall
vestigating again and by utilizing
dedicated support resources (Documentation, FAQs, Mailing Lists, Newsgroups,
etc.). Should your problems then still remain, feel free to contact me again.
Otherwise I'll assume the problem was already solved in the meantime.
Thanks for your underst
se
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER);
Thanks for your feedback.
Ralf S. Engelschall
.
> I mean, will mod_ssl installation slow down
> all Apache processes?
No, not noticeably. Or more correctly: mod_ssl slows down the Apache
processes no more than any other additionally activated module.
Ralf S. Engelschall
e SSL with this Apache version (especially because of security
reasons you should consider upgrading to 1.3.12).
Yours,
Ralf S. Engelschall
On Fri, Feb 25, 2000, drew wrote:
> does anyone have information about getting one's CA cert installed into
> Microsoft and Netscape's browsers, i.e. becoming a fully qualified CA
Start reading at www.modssl.org under Related->HowTo, please.
this Stronghold derived stuff over one year ago) and your complaints to
me (who merged this into mod_ssl and perhaps broke it this way ;).
Yours,
Ralf S. Engelschall
ent Certificate, or
what you see if you would run
$ openssl x509 -noout -text -in client.crt | grep Subject:
SSL_CLIENT_I_DN
The DN of the Issuer in the Client Certificate
what you see if you would run
$ openssl x509 -noout -text -in client.crt | grep Issuer:
r use a Win32 development
environment myself, I'm always very careful when committing any changes
to not break non-Unix platforms. Can it be that any OpenSSL header
changes cause this?
Ralf S. Engelschall
gives the diff between 2.4.10 and
2.6.0"), etc.
Ralf S. Engelschall
ction). After that it compiles fine.
> #ifdef WIN32
> #include
> #endif
>
> These additions work also with vc++ 5.0
Ok, I've added these lines to mod_ssl.h for 2.6.1.
Ralf S. Engelschall
/mm/lib -lmm
| -lcrypt
| rse@en1:/e/modssl/src/mod_ssl/pkg.mod_ssl/pkg.contrib/sxnet
| :>
Ralf S. Engelschall
US crypto/export problems. Now it's because
Apache 1.3 is closed for features and for Apache 2.0 EAPI was partially
and politically replaced by something different.
Ralf S. Engelschall
nce to.
> >
> > Problem is, those RPMs contain some errors, an invalid serial number,
> > no changelog, etc
> > (and as far as I've seen aren't ANNOUNCed yet.)
> >
> > Could you please replace them with the ones I built?
her stuff
more priority in the past (mainly because anything non-Unix related is
always low-priority for me ;). So, please excuse that you have to remind
me the third time. Would you please be so kind and post to modssl-users
again (as a single all-in-one
l
seeding source now gathers more entropy.
> [...]
> Since 0.9.5 includes support for EGD, Ralf should consider including a
> SSLRandomSeed startup egd:/path/to/egd-socket
> feature into mod_ssl.
Now done. egd:/path/to/socket source is now supported in 2
mod_ssl 2.6.1 is now available. It provides mainly PRNG changes, but
also a few other fixes and cleanups.
http://www.modssl.org/source/
ftp://ftp.modssl.org/source/
Yours,
Ralf S. Engelschall
de re-injects it, too.
Look for the function ssl_io_suck_read().
Ralf S. Engelschall
> How could I resolve this problem?
Files to patch on "nmake /f Makefile.nt"? No, the make procedure does
not patch anything. I think you've not correctly applied mod_ssl+EAPI to
your Apache source tree. Check this first, please.
Create a $HOME/.rnd file with some random contents and try again.
Additionally: "make certificate" actually tries to find some files to
seed the PRNG: /var/log/messages /var/adm/messages /kernel /vmunix
/vmlinuz /etc/hosts /etc/resolv.conf. Can it be that Rhapsody has none
of them?
c.) I've
contributed to the wu-ftpd community in the last years. So if you want
my stuff just install the official wu-ftpd 2.6.0 and you get the same
FTP server functionality as on ftp.modssl.org.
Ralf S. Engelschall
pache source tree. So if such errors occur this _could_ be my fault in
releasing buggy software, but in 99.9% of the time it means the end user
just has not applied mod_ssl correctly to the Apache source tree. The
only compile time errors I expect are problems related to vendor header
conflicts o
x2'
> Stop.
> """
357 only exists once in ApacheCore.def. Are you really sure you're using Apache
1.3.12 and mod_ssl 2.6.0 and that your source tree isn't at an older state?
ecially because the ctx stuff is an
EAPI thing and not a mod_ssl thing.
Ralf S. Engelschall
an now cause problems for apache as of 1.3.11.
Yes, you're right: the check is too weak. I've fixed this now to check
for "*\ -h \*" (and similar for -q and -v) at the last alternative.
Thanks for your feedback.
nt on a
Solaris 2.8 box (both SPARC and x86 CPU) where at least a C compiler and
debugger is available for me. Can anyone provide me such Solaris 2.8
access for a few days? Please contact me if you can help out. Thanks.
Yours,
Ralf
iguring
the whole Apache+mod_ssl+OpenSSL webserver? AFAIK there is no GUI which
also supports SSL, but I'm not up-to-date with the available GUIs.
Ralf S. Engelschall
ome months ago. Look in the modssl-users mailing list archives for
the code.
Ralf S. Engelschall
yptation algorithm(s).
>
> How can I solve this problem? Is there any way to load on the browser some
> encryption algorithms?
I guess this applies also to you:
http://www.modssl.org/docs/2.5/ssl_faq.html#cipher-shared
Ralf S. Engelschall
remembered server certs and restart your browser.
Ralf S. Engelschall
re is no
> change in this behaviour.
Have you just "restarted" Apache or stopped and started it? Because this
can happen if you add a certificate/key pair to a new virtual host and
just restart the server.
Ralf S. Eng
Ralf & Daniela
^*tnH*" Engelschall
Visit us at www.engelschall.com...
(wedding pictures coming in a few days ;)
Greetings,
Ralf S. Engelschall
On Tue, Feb 22, 2000, varma chintalapati wrote:
> Can we use modssl in USA for commercial use. Can
> we get the RSA patent. Could you explain in detail.
http://www.modssl.org/source/exp/mod_ssl/pkg.mod_ssl/README.Patents
Ralf S. Engel
very
closely, watch for errors and not proceed if any occur.
Ralf S. Engelschall
unny combination... ;)
Ralf S. Engelschall
e mod_ssl user manual carefully.
Ralf S. Engelschall
12
because in a PKCS12 file the certificate and the private key are
contained (because the browser has to know the private key, too).
Ralf S. Engelschall
Before I switch the CVS source repository, import Apache 1.3.12 and
start the mod_ssl 2.6 series, I've flushed all pending bugfixes to
provide you a maximum stable last mod_ssl 2.5 version.
Yours,
Ralf S. Engels
e. But if you have any patches
at hand, let us know about them, please.
Ralf S. Engelschall
pache+modssl server (check it via
`httpd -l'), you can use the apxs command to build third-party modules
into DSO's which then can be loaded via LoadModule from httpd.conf.
Ralf S. Engelschall
r the error, read http://www.openssl.org/support/faq.html#6
and especially upgrade to mod_ssl 2.6, please.
Ralf S. Engelschall
ured for me. Now I can reproduce it too,
of course. Thanks for discovering this subtle problem. The actual error
was that it is bogus to use the context entry at all for the proxy
stuff. There is no reason for this. The appended patch fixes this and
will be committed for mod_ssl 2.6.2. Thanks for yo
And another round to make mod_ssl 2.6 as stable as it can be: version 2.6.2.
It provides important bugfixes and a new ca-bundle.crt file for client
authentication.
http://www.modssl.org/source/
ftp://ftp.modssl.org/source/
Yours,
Ralf S. Engelschall
te and correct, but I guess the user
seems to have used --with-ssl= instead of
--with-ssl=.
Ralf S. Engelschall
.4 and
0.9.5. Seems we have a major problem introduced between 0.9.4 and 0.9.5,
because the IE4-related problem reports grow...
Ralf S. Engelschall
hy you want to
stick with Apache 1.3.9 and not use 1.3.12? But if you really want 2.6.2
to run with 1.3.9, it would be possible, of course. But you've to fiddle
around yourself with the source tree and merge mod_ssl into it manually.
Ralf S.
does anybody have an ApacheModuleJServ.dll already compiled with this
> option?
The option is /DEAPI for the underprivileged... ;)
Ralf S. Engelschall
re the cipher suite is involved) _only_.
Ralf S. Engelschall
r 7 17:42:46 2000] [error] mod_ssl: Init: Failed to generate
> temporary 512 bit RSA private key
FAQ: http://www.modssl.org/docs/2.6/ssl_faq.html#entropy
Ralf S. Engelschall
or 2.6.3. Thanks for your feedback.
Ralf S. Engelschall
strong ciphers (use "openssl ciphers -v" to find the cipher spec string)
and/or SSLRequire and check the cipher bits with it.
Ralf S. Engelschall
e a $HOME/.rnd with some initial garbage in it ("cp
/var/log/messages $HOME/.rnd").
Ralf S. Engelschall
ore that you either built httpd incorrectly
(i.e. without SSL) or built mod_ssl as a DSO and forgot to load it later
(i.e. no "LoadModule" directive in your httpd.conf).
Ralf S. Engelschall
y just adding a "ProxyPass / http://origin/" to the
HTTPS on proxy.
Ralf S. Engelschall
l look" through your
httpd.conf was perhaps not careful enough, because I guess your
problem is that you forgot to additionally adjust the
sections to match the Listen directives. Check this first, please.
Ralf S. Engelschall
h blocks. If you used /dev/random,
use /dev/urandom. If none exists, use the builtin seeding source instead.
Yours,
Ralf S. Engelschall
please.
Yours,
Ralf S. Engelschall
S proxy support by using
--enable-rule=SSL_EXPERIMENTAL. Then you've a few additional
SSLProxy directives available which are similar to SSL for the
HTTPS proxy situation and which can be used for verifying the backend
server.