RE: 1

2004-08-30 Thread Boyle Owen


 -Original Message-
 From: Barry Smoke [mailto:[EMAIL PROTECTED]
 Sent: Freitag, 27. August 2004 17:25
 To: [EMAIL PROTECTED]
 Subject: Re: 1
 
 
 these e-mails look strange,
 virus?

Of course.

The spammer is submitting the mails to mail.modssl.org with the From
field spoofed to [EMAIL PROTECTED]. I guess the mailer will have to
start doing a reverse DNS lookup to verify that incoming mails are
really coming from the address they say they are..

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: from sgtulmg01.sabre.com (sgtulmg01.sabre.com
[151.193.220.17])
by master.modssl.org (Postfix) with ESMTP id CD65CA8938
for [EMAIL PROTECTED]; Fri, 27 Aug 2004 18:02:42 +0200
(CEST)
Received: from unknown (HELO SGNSOLO19151501.com) (10.16.131.25)
  by sgtulmg01.sabre.com with SMTP; 27 Aug 2004 10:56:31 -0500
X-Ironport-AV: i=3.84,116,1091422800; 
   d=scan'217,208?gif'217,208; a=219635635:sNHT279802964
Date: Fri, 27 Aug 2004 10:57:36 -0600
To: Modssl-users [EMAIL PROTECTED]
From: Rse [EMAIL PROTECTED]
Subject: 1
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary=eoxkvqogjlpnqfooepkr
Sender: [EMAIL PROTECTED]
Precedence: bulk
Reply-To: [EMAIL PROTECTED]
X-Sender: Rse [EMAIL PROTECTED]
X-List-Manager: Majordomo [version 1.94.5]
X-List-Name: modssl-users
X-Mlf-Reason: no-judgement
Return-Path: [EMAIL PROTECTED]
X-OriginalArrivalTime: 27 Aug 2004 16:04:29.0243 (UTC)
FILETIME=[886DF8B0:01C48C4F]

--eoxkvqogjlpnqfooepkr
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

--eoxkvqogjlpnqfooepkr
Content-Type: application/octet-stream; name=1.gif
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=1.gif


--eoxkvqogjlpnqfooepkr--sxibm 

 
 Rse wrote:
 
 
 
 
 
 __
 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  [EMAIL PROTECTED]
 Automated List Manager[EMAIL PROTECTED]


This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 




RE: Possible virus infected user

2004-08-10 Thread Boyle Owen
 - Original Message - 
 From: Don Woodward
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Sent: Monday, August 09, 2004 14:44
 Subject: Possible virus infected user
 
 
 Modssl list owner and [EMAIL PROTECTED]:
 
 Please check [EMAIL PROTECTED] - I have received several dozen e-mails
 via the list from this address - each has a price2.zip file attached and
 the body says new price - I believe this person's computer has a virus and
 they don't know it.

rse is actually Ralf S. Engelschall - the guru who wrote mod_ssl in
the first place! However, it's not him sending the mails. The mails are
viral spam and if you look into the header, you'll see that they are
sent to the list-server from:

Received: from office.net (c-24-20-135-99.client.comcast.net
[24.20.135.99])
by master.modssl.org (Postfix) with SMTP id 2EBC0A8CD1
for [EMAIL PROTECTED]; Mon,  9 Aug 2004 18:35:50 +0200
(CEST)

What it looks like is that this machine is spoofing the MAIL From:
field in SMTP when it sends to the list-server (master.modssl.org). To
block these, the list-server has to implement a rule whereby it does not
accept mail on an external interface which is apparently-from an
internal server. 

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 



 
 Thanks,
 
 
 Don Woodward
 
 
 
 
 
This e-mail is a private and personal communication. It has no connection
to the exchange or business activities of the SWX Group. This e-mail is of
a private and personal nature. It is not related to the exchange or
business activities of the SWX Group. This e-mail is a private and personal
message, unrelated to the exchange activities of the SWX Group.

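The rule Owen describes in the two replies above (a spoofed From: in the "RE: 1" thread and a spoofed MAIL FROM in this one: the list server should not accept, on its external interface, mail that is apparently from one of its own addresses), as an added example that is not part of the original thread. It parses the Received: chain, takes the hop at which the mail reached master.modssl.org, and flags a From: on the list's own domain whose peer is neither a trusted relay nor inside an internal range; the relay set, the 192.0.2.0/24 range and the sample addresses and queue ids are placeholders, and the two spam samples are reconstructed from the headers quoted in these threads.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example (not the list server's real configuration):
# the host(s) that make up the list server, the domain whose mail is only
# ever injected from inside, and the address range those inside hosts use.
TRUSTED_RELAYS = {"master.modssl.org"}
INTERNAL_DOMAINS = {"modssl.org"}
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # placeholder range

IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse_received(value):
    """Split one Received: header into (peer name, peer ip, receiving host)."""
    # Flatten folded continuation lines. The peer name after 'from' is the
    # HELO name the sender chose; the dotted quad before ' by ' was recorded
    # by the receiving MTA itself and is the part worth trusting.
    flat = " ".join(value.split())
    m = re.match(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", flat, re.IGNORECASE)
    if not m:
        return None
    peer, between, by_host = m.group(1), m.group(2), m.group(3)
    ip = IP_RE.search(between)
    return peer, (ip.group(1) if ip else None), by_host.lower()


def entry_hop(msg):
    """Return the hop at which the message was handed to one of our relays."""
    # Received: headers are prepended as the mail travels, so the first one
    # whose 'by' host is ours is the external handoff; anything below it was
    # written on the sender's side and is hearsay.
    for value in msg.get_all("Received", []):
        parsed = parse_received(value)
        if parsed and parsed[2] in TRUSTED_RELAYS:
            return parsed
    return None


def peer_is_internal(peer, ip):
    """True if the handing-over peer is one of ours or sits in our range."""
    if peer.lower() in TRUSTED_RELAYS:
        return True
    if ip is None:
        return False
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def check_message(raw):
    """Flag mail that claims an internal From: domain but arrived from outside."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    hop = entry_hop(msg)
    if hop is None:
        return {"verdict": "unknown", "from": addr, "peer": None, "peer_ip": None}
    peer, ip, _ = hop
    spoofed = from_domain in INTERNAL_DOMAINS and not peer_is_internal(peer, ip)
    return {"verdict": "spoofed" if spoofed else "ok",
            "from": addr, "peer": peer, "peer_ip": ip}


# Constructed samples: the two Received: chains quoted in the thread (with
# placeholder addresses and queue ids), one message really injected from the
# placeholder internal range, and one ordinary external message.
SAMPLES = {
    "spam_aug27": (
        "Received: from sgtulmg01.sabre.com (sgtulmg01.sabre.com [151.193.220.17])\n"
        "\tby master.modssl.org (Postfix) with ESMTP id CD65CA8938\n"
        "\tfor <modssl-users@modssl.org>; Fri, 27 Aug 2004 18:02:42 +0200 (CEST)\n"
        "Received: from unknown (HELO SGNSOLO19151501.com) (10.16.131.25)\n"
        "  by sgtulmg01.sabre.com with SMTP; 27 Aug 2004 10:56:31 -0500\n"
        "From: Rse <rse@modssl.org>\nSubject: 1\n\n(body)\n"),
    "spam_aug09": (
        "Received: from office.net (c-24-20-135-99.client.comcast.net [24.20.135.99])\n"
        "\tby master.modssl.org (Postfix) with SMTP id 2EBC0A8CD1\n"
        "\tfor <modssl-users@modssl.org>; Mon,  9 Aug 2004 18:35:50 +0200 (CEST)\n"
        "From: rse@modssl.org\nSubject: new price\n\n(body)\n"),
    "internal_ok": (
        "Received: from build.modssl.org (build.modssl.org [192.0.2.10])\n"
        "\tby master.modssl.org (Postfix) with ESMTP id 000000000000\n"
        "\tfor <modssl-users@modssl.org>; Mon,  9 Aug 2004 10:00:00 +0200 (CEST)\n"
        "From: rse@modssl.org\nSubject: real post\n\n(body)\n"),
    "external_ok": (
        "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
        "\tby master.modssl.org (Postfix) with ESMTP id 000000000000\n"
        "\tfor <modssl-users@modssl.org>; Mon,  9 Aug 2004 11:00:00 +0200 (CEST)\n"
        "From: someone@example.net\nSubject: question\n\n(body)\n"),
}


def run_samples():
    """Verdict per sample: both quoted spam chains flag, the other two pass."""
    return {name: check_message(raw)["verdict"] for name, raw in SAMPLES.items()}
```

Reverse DNS on the peer address could be added as a further test in peer_is_internal; the check above relies only on what the receiving MTA recorded.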


RE: Certificate Problems

2004-06-16 Thread Boyle Owen
Plain text please...

If you got an error in the ssl error-log then apache must be running.
The invalid method error is exactly that - the HTTP method wasn't GET,
POST etc... What request were you making when you got the error?
Cross-check the access log for details...

It looks like your certificate common name is localhost.localdomain and
this doesn't match the ServerName argument which is what the warning is
about.

The DNS error means that the browser cannot resolve eghapp to an IP
address while curl, apparently, can. No idea why - depends on OS,
browser version, config etc. (eg, if the browser goes via a proxy, the
proxy will not see a local /etc/hosts definition of eghapp). 

Tip: if you post back, cut'n'paste exact error messages - do not
paraphrase as this loses important information. Also, give OS, apache
1.3 or 2 etc.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 




-Original Message-
From: Richard Skeggs [mailto:[EMAIL PROTECTED]
Sent: Mittwoch, 16. Juni 2004 11:07
To: '[EMAIL PROTECTED]'
Subject: Certificate Problems




I am trying to set up ssl on my server and I have been through what I
believe are the correct settings. I can run the command line script
'openssl s_client -connect eghapp:443 -state -debug' and I don't appear to
get an error message. However when trying to start apache using the
startssl switch the following error turns up in the ssl_error_log:

[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 15 15:11:04 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
[Tue Jun 15 15:11:07 2004] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 15 15:11:07 2004] [warn] RSA server certificate CommonName (CN) `localhost.localdomain' does NOT match server name!?
[Tue Jun 15 15:26:34 2004] [error] [client 10.14.1.150] Invalid method in request

I have also been able to successfully run the command 'curl
https://eghapp'. However when I try to run 'https://eghapp' through the
browser I get an error saying that the DNS server cannot be found. On
checking, nothing gets written to any of the ssl log files.
Does anyone know how I can resolve this? 
Thanks 
Richard Skeggs 
Software Engineer 
Mobius Management Systems 
Cavendish House 
5 The Avenue 
Egham 
Surrey 
TW20 9AB 
Tel: +44 (0) 1784 484700 
Mobile: + 44 (0) 7971 608315 
email: [EMAIL PROTECTED]



RE: [ANNOUNCE] mod_ssl 2.8.18

2004-05-27 Thread Boyle Owen
 -Original Message-
 From: Udo Schweigert [mailto:[EMAIL PROTECTED]
 Sent: Donnerstag, 27. Mai 2004 17:03
 To: [EMAIL PROTECTED]
 Subject: Re: [ANNOUNCE] mod_ssl 2.8.18
 
 
 On Thu, May 27, 2004 at 15:21:37 +0200, Ralf S. Engelschall wrote:
  Changes with mod_ssl 2.8.18 (11-May-2004 to 27-May-2004)

   *) Fix buffer overflow in SSLOptions +FakeBasicAuth implementation
      if the Subject-DN in the client certificate exceeds 6KB in length.
      (CVE CAN-2004-0488).

 Is that also an issue in apache-2.x? (I wasn't able to find that CVE, so I
 ask here ;-)

The problem was originally identified on apache2 (see
http://www.securityfocus.com/bid/10355/) and it has already been patched
there. 

Incidentally, AFAIK there is no vulnerability unless you are using
SSLOptions FakeBasicAuth. It's a fairly specialised option so my
feeling is that this doesn't urgently affect a whole lot of people... Of
course, you should still upgrade just in case some time in the future
you do switch that option on.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

 
 Best regards
 
 Udo
 --
 Udo Schweigert, Siemens AG   | Voice  : +49 89 636 42170
 CT IC CERT, Siemens CERT | Fax: +49 89 636 41166
 D-81730 München / Germany| email  : [EMAIL PROTECTED]
 


SSL_Util_UUEncode_Binary Stack Buffer Overflow Vulnerability

2004-05-25 Thread Boyle Owen
Greetings,

This alert has appeared recently. Is anyone aware of it? 

http://www.securityfocus.com/bid/10355/info/

There's nothing in CVE, Apache or mod_ssl about it...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 



FW: mod ssl freezes when booting up

2004-04-21 Thread Boyle Owen
 -Original Message-
 From: C G [mailto:[EMAIL PROTECTED]

Please don't alter the mail header. Keep the messages on-list.


 Yes, the key is encrypted. When I start apache as root and log on, it
 asks me for a pass phrase. But when apache tries to start at boot-up it
 just hangs, no pass-phrase.

This is the problem. Apache is waiting for the passphrase but who is it
supposed to ask? Check out
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC26

Personally, I think there is no point in encrypting the certificate. The
reason you do it is to prevent anyone using your cert if they steal it
(so they cannot masquerade as your site). However, if you have such an
insecure machine that there is a risk someone can copy a file which is
readable only by root, then you have no business running SSL on it. 

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

 
   Looking at the error log I get the messages:
   [Tue Apr 20 13:58:06 2004] [error] mod_ssl: Init: Private key not found
  
  This isn't good. What do you have for SSLCertificateKeyFile? Does the
  path exist? Is it readable?
 
 Yes, it is there, and yes it is readable. I presume that apache will start
 up as root. So that shouldn't be the problem.
 
 Someone else suggested that I make apache boot-up last. I changed
 S90apache to S99apache. It didn't work.
 
 Another suggestion was to try $PATH and $LD_LIBRARY_PATH. I don't think
 this is the problem as everything is Debian, and I haven't put anything in
 funny positions.
 
 Are there any other suggestions?
 
 Thanks for the help
 
 Colin
 
 




vulnerability in mod_ssl on apache 2

2004-03-12 Thread Boyle Owen
Greetings,

Does the DoS vulnerability reported in
http://secunia.com/advisories/11092/ affect the mod_ssl-2.8.16-1.3.29
codebase?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 



RE: SSL and Virtual hosts

2004-02-20 Thread Boyle Owen
 -Original Message-
 From: Mads Toftum [mailto:[EMAIL PROTECTED]
  Server Version: Apache/1.3.29 Ben-SSL/1.52 (Debian GNU/Linux)
  debian versions: apache-ssl  1.3.29.0.1-5
  
 You're asking on the wrong list then - this is the mod_ssl list, while
 you're running apache-ssl which lives at http://www.apache-ssl.org/

Of course you're right, but since it's a Friday and since this is the
number one Frequently Made Mistake on SSL and since it applies equally
to apache-ssl, mod_ssl or any other implementation of SSL:

You are trying to do name-based virtual-hosting with SSL. You can't.
It's not an apache problem, it's a fundamental limitation of the HTTPS
protocol. See http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47 for the
mod_ssl explanation. Probably apache-ssl will have a similar FAQ.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

 
 vh
 
 Mads Toftum
 -- 
 `Darn it, who spiked my coffee with water?!' - lwall
 
 


RE: Problems with Apache SSL under load

2003-12-11 Thread Boyle Owen
 -Original Message-
 From: Dale Weaver [mailto:[EMAIL PROTECTED]
 
 I have Apache 1.3.27 compiled with mod SSL using openssl 0.9.6.g
 OS=AIX 5.1.
 
 The SSL site stops executing CGI scripts when load gets a little
 high.  I checked the process list and found 106 httpd servers running.
 System loads at the UNIX level were nominal (< 0.8).
 
 I get tons of the following error in my error logs:
 
 [Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar1
 [Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar2
 [Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/register.cgi

Might be to do with system resources like file descriptors or
semaphores. I'm afraid I don't know where to check these on AIX...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

 
 HTML page responses are still very fast even with the errors.
 
 Problem does not occur when number of Apache servers < 70.
 
 This is not a great deal of load.  The hardware is capable of handling
 a lot more than that.
 
 Can someone point me in the right direction?  Help is greatly appreciated.
 Server configs available on request.  Don't want to send large stuff over
 the list.
 
 Thanks.
 
 -
 
 Dale Weaver   [EMAIL PROTECTED]
 UNIX Systems Administrator(919) 662-3508  
 Wake Technical Community College  fax (919) 662-3504
 
 


RE: multiple SSL instances with aliased IPs

2003-11-24 Thread Boyle Owen
-Original Message-
From: John [mailto:[EMAIL PROTECTED]

I'm stuck... I have an understanding of how apache and ssl works but I
am having troubles in finding a way to set up this server. Most of the
searches I do seem to point to the fact that virtual name based hosting
will not work with multiple ssl. This I understand.

Thank goodness...

I have a freebsd 4.9-current server running 
apache+mod_ssl-1.3.29+2.8.16
What I don't know how to do, and I haven't found a link for yet, is to 
1. start multiple instances of https, each with its *own config file*

This is simple enough; you just run httpd with the -f switch. This
allows you to define the config file at run-time. So you'd have
something like:

./httpd -f ../conf/ssl_1.conf

where ssl_1.conf contains:

Listen 192.168.1.1:443
DocumentRoot /path/to/ssl_1/docs
SSLCertificateFile /path/to/ssl_cert_1.crt
etc..

And repeat for each SSL host.

Alternatively, you can do all this in your main instance of apache by
using IP-based virtual-Hosts (I'm not sure you're aware of this), eg:

Listen 192.168.1.1:443
<VirtualHost 192.168.1.1:443>
  DocumentRoot /path/to/ssl_1/docs
  SSLCertificateFile /path/to/ssl_cert_1.crt
  etc..
</VirtualHost>

Listen 192.168.1.2:443
<VirtualHost 192.168.1.2:443>
  DocumentRoot /path/to/ssl_2/docs
  SSLCertificateFile /path/to/ssl_cert_2.crt
  etc..
</VirtualHost>

This won't interfere with your HTTP VHs in the same config (they are all
distinct at the TCP/IP layer).

2. make custom ssl certificates *for each SSL server*

This is documented, although it's a bit tricky:

- first make your own Certificate Authority cert
(http://www.modssl.org/docs/2.8/ssl_faq.html#ToC29)

- then make a certificate signing request for your site
(http://www.modssl.org/docs/2.8/ssl_faq.html#ToC28) and sign it with the
CA you made above (ie skip the last bit where you send it to Verisign)

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

Each domain name has its own userspace.

Can anyone help me here?

Thanks

-- 
John - [EMAIL PROTECTED] - http://www.reiteration.net/~jfm
For PGP public key finger [EMAIL PROTECTED] or see webpage



RE: apache 1.3.29?

2003-10-31 Thread Boyle Owen
Just to ask the question... Is a mod_ssl_2.8.16-1.3.29 foreseen?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

-Original Message-
From: Zvi Har'El [mailto:[EMAIL PROTECTED]
Sent: Donnerstag, 30. Oktober 2003 09:54
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: apache 1.3.29?


Hi Ralf,

If you don't mind, please include a fix which allows the HTTPS 
env variable
to be passed by suexec

--- apache_1.3.28/src/support/suexec.c.~20030719062731~ Sat 
Jul 19 09:27:31
2003
+++ apache_1.3.28/src/support/suexec.c  Tue Aug 26 16:49:20 2003
@@ -134,7 +134,7 @@
 /* variable name starts with */
 HTTP_,
 #ifdef MOD_SSL
-HTTPS_,
+HTTPS=,
 SSL_,
 #endif
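Review bot: the "HTTPS_" prefix entry is replaced rather than supplemented, so after this hunk a variable named HTTPS_anything is no longer passed through suexec while the exact variable HTTPS is (the list is matched as prefixes of the NAME=value strings, so "HTTPS=" can only ever match that one name); if nothing relies on an HTTPS_-prefixed variable that is fine, but a short comment beside "+HTTPS=," saying the trailing "=" is deliberate, and a line in the description explaining why the old prefix could go, would stop the next reader treating it as a typo. The "SSL_" entry still covers mod_ssl's own variables, so the change is narrow; note also that the "---" and "+++" header lines above the hunk have been wrapped by the mailer and need rejoining before patch will read them.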

This is already included in apache 2

Thanks,

Zvi.


On Thu, 30 Oct 2003 09:06:52 +0100, Ralf S. Engelschall wrote 
about Re: apache 1.3.29?:
 
 In article [EMAIL PROTECTED] you wrote:
  Andreas Gietl wrote:
  
  On Wednesday 29 October 2003 15:39, Jim Jagielski wrote:
  
  i guess there will be a new patch within the next days/hours?
  
  I would guess, but that's not my area :)
 
  Yes, there will be a mod_ssl 2.8.16 released today or tomorrow. I've
  already upgraded mod_ssl to Apache 1.3.29, but I've still to include
  some other fixes. But 2.8.15 works fine with Apache 1.3.29, so no need
  to hurry here...
 Ralf S. Engelschall
 [EMAIL PROTECTED]
 www.engelschall.com
 
 

-- 
Dr. Zvi Har'El   mailto:[EMAIL PROTECTED]   Department of Mathematics
tel:+972-54-227607   icq:179294841   Technion - Israel Institute of Technology
fax:+972-4-8293388   http://www.math.technion.ac.il/~rl/   Haifa 32000, ISRAEL
If you can't say somethin' nice, don't say nothin' at all. -- Thumper (1942)
Thursday, 4 Heshvan 5764, 30 October 2003, 10:49AM



RE: apache 1.3.29?

2003-10-31 Thread Boyle Owen
-Original Message-
From: Andreas Gietl [mailto:[EMAIL PROTECTED]

Mr Engelschall said yesterday on this list:

Arggg... I must've missed this... And I was especially looking out for
it!
my bad...
 
Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 


Yes, there will be a mod_ssl 2.8.16 released today or tomorrow. I've
already upgraded mod_ssl to Apache 1.3.29, but I've still to include
some other fixes. But 2.8.15 works fine with Apache 1.3.29, so no need
to hurry here...
   Ralf S. Engelschall
   [EMAIL PROTECTED]
   www.engelschall.com


 Just to ask the question... Is a mod_ssl_2.8.16-1.3.29 forseen?

 Rgds,
 Owen Boyle
 Disclaimer: Any disclaimer attached to this message may be ignored.

 -Original Message-

 From: Zvi Har'El [mailto:[EMAIL PROTECTED]

 Sent: Thursday, 30 October 2003 09:54
 To: [EMAIL PROTECTED]
 Cc: [EMAIL PROTECTED]
 Subject: Re: apache 1.3.29?
 
 
 Hi Ralf,
 
 If you don't mind, please include a fix which allows the HTTPS
 env variable
 to be passed by suexec
 
 --- apache_1.3.28/src/support/suexec.c.~20030719062731~ Sat
 Jul 19 09:27:31
 2003
 +++ apache_1.3.28/src/support/suexec.c  Tue Aug 26 16:49:20 2003
 @@ -134,7 +134,7 @@
  /* variable name starts with */
  HTTP_,
  #ifdef MOD_SSL
 -HTTPS_,
 +HTTPS=,
  SSL_,
  #endif
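Review bot: replacing `HTTPS_` with `HTTPS=` changes which variables this entry admits, not just which one it adds: the old prefix passed every variable named `HTTPS_*` and nothing named exactly `HTTPS`, while the new one passes `HTTPS` alone and drops the `HTTPS_*` family. If both are wanted, keep the `HTTPS_,` line and add `HTTPS=,` beside it instead of replacing it. The `=` trick also only works because this list is matched against the full `NAME=value` string of each environment entry, which the comment `/* variable name starts with */` does not convey; a short comment on the new line would spare the next reader the same puzzle. The hunk is against apache_1.3.28 paths while the request is for the 1.3.29 release, so confirm it still applies at the same offset.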
 
 This is already included in apache 2
 
 Thanks,
 
 Zvi.
 
 
 On Thu, 30 Oct 2003 09:06:52 +0100, Ralf S. Engelschall wrote about Re: apache 1.3.29?:
  In article [EMAIL PROTECTED] you wrote:
   Andreas Gietl wrote:
   On Wednesday 29 October 2003 15:39, Jim Jagielski wrote:
  
   i guess there will be a new patch within the next days/hours?
  
   I would guess, but that's not my area :)
 
  Yes, there will be a mod_ssl 2.8.16 released today or tomorrow. I've already upgraded mod_ssl to Apache 1.3.29, but I've still to include some other fixes. But 2.8.15 works fine with Apache 1.3.29, so no need to hurry here...
 Ralf S. Engelschall
 [EMAIL PROTECTED]
 www.engelschall.com
 
 
__
 
  Apache Interface to OpenSSL (mod_ssl)

 www.modssl.org

  User Support Mailing List  
[EMAIL PROTECTED]
  Automated List Manager
[EMAIL PROTECTED]

-- 
e-admin internet gmbh
Andreas Gietl                tel +49 941 3810884
Ludwig-Thoma-Strasse 35      fax +49 (0)1805/39160 - 29104
93051 Regensburg             mobile +49 171 6070008

PGP/GPG key at http://www.e-admin.de/gpg.html








__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


RE: Https problems with MSIE

2003-09-25 Thread Boyle Owen
-Original Message-
From: Torvald Baade Bringsvor [mailto:[EMAIL PROTECTED]
Sent: Thursday, 25 September 2003 08:19
To: '[EMAIL PROTECTED]'
Subject: Https problems with MSIE


Hello.

We have a user with MSIE 6.00.2800.1106 who is unable to connect to one of the sites we are hosting (https://www.lindorffd.com). He is using Windows 2000 SP3.

I have exactly the same version of browser (6.00.2800.1106) and can
confirm I connected successfully about 3 minutes ago.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 


Have any of you had problems with MSIE 6.0 browsers?

I have seen suggestions to disable SSLv3, but wouldn't that adversely affect other users?

Any suggestions are welcome.

-Torvald
__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

This e-mail is of a private and personal nature. It is not related to the exchange or business activities of the SWX Swiss Exchange.



__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


RE:

2003-08-21 Thread Boyle Owen
-Original Message-
From: Dave Paris [mailto:[EMAIL PROTECTED]

 snip...  You claim to have spent two MONTHS trying to find what I found in under 10 SECONDS.

Er... the difference is that you recognised the problem immediately
because you have seen it before. So you knew exactly what to type into
Google.

If you put yourself in Ian's shoes, he was using the NBVH mechanism for
ages and became very familiar with it. He then tried to extend it to
SSL, which is a reasonable thing to do, and then was surprised that it
didn't work. It is not blindingly obvious, a priori, what the problem
is. In that case, it is not so obvious what to type into Google - you
might not necessarily realise that the problem is to do with NBVH,
especially if that is not the only thing you changed.

I am making this comment because I followed a very similar route to Ian
in discovering this SSL limitation. In my case, I was tasked by my boss,
who is a competent programmer, to set up some NBVHs under SSL. It
never occurred to me that my boss could have handed me an impossible
task and I spent weeks trying to get it to work. In the end, it was this
mailing list which enlightened me.

Since then, I've tried to help out on the list, initially by explaining
this issue whenever it came up but lately (since others also now do this
quite ably), by chipping in whenever some bright spark reckons that he's
found a workaround (it's a bit like debunking perpetual motion machine
designs). Usually, he's forgotten about authentication and is using the
same cert in all VHs...

Anyway, the point I'm making is that the original poster is obviously a
seasoned hacker (he uses openssl from the command line!) and as such
should be welcome on this list and congratulated for using mod_ssl... So
could we be a bit friendlier please?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 





That doesn't make me one bit of a better person than you... it just  
says that my mind works in a way that is different from yours.  I'd  
wager there are certain tasks you accomplish quite easily that would  
take me some effort.  It's the way us humans seem to be designed.

Every once in awhile, it's a good thing to look at who we are and what we're good at and then review what we've chosen to do in life. Doing a job that meshes well with how you think can be all the difference between looking forward to a rewarding day at the office and a bruised forehead from repeatedly smashing your head against a wall in self-frustration. [ of course, I'm omitting the forehead bruising caused by external influences like PHBs ;-) ] As for the tone of your note .. life's tough, grab a helmet.

Kind Regards,
-dsp

On Thursday, Aug 21, 2003, at 00:05 US/Eastern, Ian Newlands wrote:

 If I hadn't already exhausted resources I would not have made this post in the first place. I have tried 3 different versions of apache, searched through previous postings, used search engines etc. bought 2 books on apache and have been attempting to get this going for almost 2 months now.

 I'm glad you're amused by my frustration here.

 If there is anyone out there that is willing to submit a serious  
 response to this I would appreciate it greatly.

 Regards,

 Ian Newlands


 - Original Message -
 From: Dave Paris [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Cc: Ian Newlands [EMAIL PROTECTED]
 Sent: Thursday, August 21, 2003 11:58 AM
 Subject: Re: virtual hosting


 geeze. is it that time of the month already for this question? seems like it was just yesterday when it was asked last .. maybe I'm just thinking of the other 100,000 times it was asked.

 in all seriousness, this dead horse has been beaten so many times on this list there isn't even a carcass left to hit at this point. please go dig through the mail list archives to see why name-based virtual hosts don't work with SSL.

 yes, that's a flippant answer. no, you're not likely to get a reply any more serious.

 -dsp

 On Wednesday, Aug 20, 2003, at 22:09 US/Eastern, Ian Newlands wrote:

  I am currently running about 15 virtual hosts using name based on port 80, and 1 virtual host using SSL.
 
  My SSL host is currently working with the following:
 
  <VirtualHost _default_:443>
 
  However I want to change this to the IP based hosting for this host, allowing me to then add more SSL based virtual hosts on this setup, so I tried changing this to the following:
 
  <VirtualHost 203.xxx.xxx.xxx:443>
 
  By doing this my SSL virtual host stops working altogether.
 
  I try the following to debug it on a remote machine:
 
  # openssl s_client -connect 203.xxx.xxx.xxx:443
  CONNECTED(0003)
  27604:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:475:
 
  I do the exact same thing on the local machine and it responds with a valid SSL response.
 
  Can anyone suggest might be 
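The openssl s_client error quoted above (SSL23_GET_SERVER_HELLO:unknown protocol) means the client sent a ClientHello and got back bytes that are not a TLS record, which is exactly what a plain-HTTP VirtualHost answering on port 443 produces. The following is an added example, not code from the thread: a classifier for the first bytes a server sends back, fed with constructed sample replies, plus a live probe built on Python's ssl module (the probe needs network access and is not exercised offline). Modern OpenSSL reports the same condition as "wrong version number" rather than "unknown protocol".

```python
"""Added example: tell a TLS server apart from a plain-HTTP vhost on port 443.
The sample replies below are constructed for the demo, not captured traffic."""
import socket
import ssl


def classify_reply(first_bytes: bytes) -> str:
    """Classify what a server sent back in reply to a TLS ClientHello."""
    if first_bytes == b"":
        return "closed"                 # server hung up without saying anything
    if first_bytes.startswith(b"HTTP/") or first_bytes.lstrip().startswith(b"<"):
        return "plaintext-http"         # an HTTP vhost is answering on the TLS port
    if len(first_bytes) >= 5 and first_bytes[1] == 3:   # TLS record, major version 3
        record_type = first_bytes[0]
        if record_type == 0x16:
            return "tls-handshake"      # ServerHello: SSL/TLS really is listening
        if record_type == 0x15:
            return "tls-alert"          # TLS is there but rejected the ClientHello
    return "unknown"


def probe_port(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check (needs network): 'tls' if a handshake completes, otherwise
    why it failed. Certificate trust is deliberately not checked here; the
    question is only whether TLS is being spoken on the port at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ssl.SSLError as e:
        # a plaintext reply surfaces here as 'wrong version number'
        return f"not-tls ({getattr(e, 'reason', None) or e})"
    except OSError as e:
        return f"error ({e})"


# Constructed sample replies (not real captures)
PLAIN_HTTP = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
SERVER_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x4A, 0x02]) + b"\x00" * 10
ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28])

if __name__ == "__main__":
    for label, sample in (("http", PLAIN_HTTP), ("hello", SERVER_HELLO), ("alert", ALERT)):
        print(f"{label:>6}: {classify_reply(sample)}")
```

Run `probe_port("203.xxx.xxx.xxx")` against the misbehaving address; a "plaintext-http" style failure points at the VirtualHost selection rather than at certificates or ciphers.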

RE: configuration question

2003-08-19 Thread Boyle Owen
-Original Message-
From: Henrik Bentel [mailto:[EMAIL PROTECTED]

I have a web app which serves both static and non static content, both 
secure and unsecure(https and http).
Now, all my ssl configuration is under my secure virtual host, 
such that it applies to everything. However, I have quite a bit static 
content(images, css, javascript.,...) which doesn't need to be very
secure. I 
somewhat only want to secure my dynamic content.

To add to Cliff's comment about browsers complaining about the mix of
secure and insecure content there is a genuine security reason for *not*
doing what you propose.

Put yourself in the position of a crook who has gained access to the
datastream flowing into your SSL server. As you are probably aware, all
encryption ciphers can be cracked by a brute force attack (making
repeated attempts at guessing the key). Hopefully, the time-to-crack
will be long, but you don't know how fast the crook's computer is. If
he works for the NSA, it might be very fast indeed. If you serve all
content via SSL, he has no idea which packets are important and which
are just images etc. so he has to crack everything. If you decide to
save a teeny bit of processing on the server by encrypting only the
important things, he then sees lots of en clair packets (containing
image data etc.) which he can safely ignore and only a few occasional
nuggets of encrypted data which he can be sure are worth cracking. Thus
he can focus his efforts on these. Therefore, you make life easy for the
cracker by highlighting the packets that are worth cracking! In other
words, the best place to hide a leaf is in the forest.

You shouldn't need to worry about the processing load of the SSL
encryption. If it is slowing your server, then, frankly, your server is
not powerful enough to serve the traffic you have - get more memory,
upgrade the chipset, do whatever is necessary to get up to speed.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

But, I don't want to generate absolute URLs on the fly to link to non-secure static content. What I want is to make request to certain urls less secure such that processing is faster. For example, I have a directory called art, which is just a defined alias for a directory. Is there a way to make ssl processing for this directory less restrictive than for the generic requests to the virtual host so that processing is faster?

Hope someone can help

Henrik Bentel

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]



__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


RE: configuration question

2003-08-19 Thread Boyle Owen


-Original Message-
From: Arthur Chan [mailto:[EMAIL PROTECTED]

Hi Boyle,
I've been debating with myself over whether to encrypt everything, that's a cogent argument you have offered. I have a few questions myself :
(1) assuming an openssl encrypted packet is bigger than a plain text one,

Why would you assume this? Essentially;

encrypted_text = f(plain_text, key)

where f() is a mathematical function. I guess the 2nd law of thermodynamics (entropy 
increases) would tend to cause the output to increase but not necessarily by much. In 
the simple case of a substitutional cipher, the encrypted text would be precisely the 
same size as the plain text.

would mod_gzip shrink it significantly to warrant the effort?

Zipping algorithms work by replacing repetitive sequences in the input with shorter 
instructions to regenerate them (e.g. 1000 blue pixels -> 1 blue pixel x 1000). 
Compression works best with highly structured input data (bitmaps, WAV files, human 
language etc). With random data, it can't make much difference and will even cause the 
file to grow! (try repeatedly zipping a file to see this happening).

(2) and would that slow down the client browser display of content ?

Unzipping requires the client to have winzip - not a default on a windows client! 
Probably this would slow the whole thing down.

Remember that SSL is well-defined on the web and all recent browsers contain fast and 
effective SSL software - I would trust it to do its job and not try to re-invent the 
wheel.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

On the other hand, with these new 1GHz+ P4 desk- and lap-tops around, maybe not.

- Original Message -
From: Boyle Owen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 19, 2003 04:49 PM
Subject: RE: configuration question


-Original Message-
From: Henrik Bentel [mailto:[EMAIL PROTECTED]

I have a web app which serves both static and non static content, both
secure and unsecure(https and http).
Now, all my ssl configuration is under my secure virtual host,
such that it applies to everything. However, I have quite a bit static
content(images, css, javascript.,...) which doesn't need to be very
secure. I
somewhat only want to secure my dynamic content.

To add to Cliff's comment about browsers complaining about the mix of
secure and insecure content there is a genuine security reason for *not*
doing what you propose.

Put yourself in the position of a crook who has gained access to the
datastream flowing into your SSL server. As you are probably aware, all
encryption ciphers can be cracked by a brute force attack (making
repeated attempts at guessing the key). Hopefully, the time-to-crack
will be long, but you don't know how fast the crook's computer is. If
he works for the NSA, it might be very fast indeed. If you serve all
content via SSL, he has no idea which packets are important and which
are just images etc. so he has to crack everything. If you decide to
save a teeny bit of processing on the server by encrypting only the
important things, he then sees lots of en clair packets (containing
image data etc.) which he can safely ignore and only a few occasional
nuggets of encrypted data which he can be sure are worth cracking. Thus
he can focus his efforts on these. Therefore, you make life 
easy for the
cracker by highlighting the packets that are worth cracking! In other
words, the best place to hide a leaf is in the forest.

You shouldn't need to worry about the processing load of the SSL
encryption. If it is slowing your server, then, frankly, your server is
not powerful enough to serve the traffic you have - get more memory,
upgrade the chipset, do whatever is necessary to get up to speed.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

But, I don't want to generate absolute URLs on the fly to link to non-secure static content. What I want is to make request to certain urls less secure such that processing is faster. For example, I have a directory called art, which is just a defined alias for a directory. Is there a way to make ssl processing for this directory less restrictive than for the generic requests to the virtual host so that processing is faster?

Hope someone can help

Henrik Bentel

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

Diese E-mail ist eine private und persönliche Kommunikation. Sie hat
keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Swiss 
Exchange.
This e-mail is of a private and personal nature. It is not related to
the exchange or business activities of the SWX Swiss Exchange. Le
présent e-mail est un message privé et personnel, sans rapport avec
l'activité boursière de la SWX Swiss
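Owen's reply above makes two size claims: that encryption leaves the data about the same size, and that compressing random-looking data gains nothing and can even make it grow. The following is an added example, not code from the list, that measures both and also shows that the order matters (compress first, then encrypt). A toy stream cipher (SHA-256 in counter mode XORed with the data) stands in for SSL's bulk cipher so the run is offline and repeatable; it is not a secure construction and the sample HTML and key are constructed here.

```python
"""Added example: how encryption and compression change message size."""
import hashlib
import zlib

KEY = b"demo-key-not-a-secret"   # assumption: fixed key so the run is repeatable


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode. A stand-in for SSL's bulk cipher, NOT a
    secure cipher; it exists only so sizes can be measured without a library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream: output length equals input length, as with any
    stream cipher (and as with the substitution cipher mentioned above)."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


def sample_html(rows: int = 200) -> bytes:
    """Constructed sample: a table-driven page, i.e. highly repetitive markup."""
    body = "".join(
        f'<tr><td class="item">item {i}</td><td class="price">0.00</td></tr>\n'
        for i in range(rows)
    )
    return f"<html><body><table>\n{body}</table></body></html>".encode()


def size_report(plaintext: bytes, key: bytes = KEY) -> dict:
    """Byte counts for each ordering a server could choose."""
    ct = toy_encrypt(key, plaintext)
    compressed = zlib.compress(plaintext, 9)
    return {
        "plain": len(plaintext),
        "encrypted": len(ct),                                        # == plain
        "compressed": len(compressed),                               # far below plain
        "compress_then_encrypt": len(toy_encrypt(key, compressed)),  # == compressed
        "encrypt_then_compress": len(zlib.compress(ct, 9)),          # >= encrypted
        "compressed_twice": len(zlib.compress(compressed, 9)),       # >= compressed
    }


if __name__ == "__main__":
    for name, size in size_report(sample_html()).items():
        print(f"{name:>22}: {size} bytes")
```

The encrypt-then-compress and compressed-twice rows are the "try repeatedly zipping a file" experiment: deflate falls back to stored blocks on incompressible input and adds its own framing, so the output is never smaller. Compress-then-encrypt is the ordering that actually saves bandwidth; the practitioner's caveat is that compressing secrets together with attacker-influenced data leaks information about those secrets through the size, which is why TLS-level compression is no longer used.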

Flex failure during apache 1.3.28 make

2003-07-21 Thread Boyle Owen
Greetings, 

I'm trying to compile the new 2.8.15 with apache 1.3.28 but hit a
problem when make tries to run flex on the file
src/modules/ssl/ssl_expr_scan.l.

I'm running Solaris 8 on a Sparc and flex is version 2.4.7.

Up until now, I've always regarded flex as one of those mysterious
little utilities that developers like to use and I've avoided learning
anything at all about it. Why has it suddenly decided to show me how
important it is?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

PS Here is the error trace:

/tmp/apache_1.3.28  make
...snip...
=== src/modules/ssl
flex -Pssl_expr_yy -s -B ssl_expr_scan.l
ssl_expr_scan.l, line 89: bad character: %
ssl_expr_scan.l, line 90: unknown error processing section 1
ssl_expr_scan.l, line 90: bad character: %
ssl_expr_scan.l, line 91: unknown error processing section 1
*** Error code 1
make: Fatal error: Command failed for target `ssl_expr_scan.c'
Current working directory /tmp/apache_1.3.28/src/modules/ssl
*** Error code 1
make: Fatal error: Command failed for target `all'
Current working directory /tmp/apache_1.3.28/src/modules
*** Error code 1
make: Fatal error: Command failed for target `subdirs'
Current working directory /tmp/apache_1.3.28/src
*** Error code 1
make: Fatal error: Command failed for target `build-std'
Current working directory /tmp/apache_1.3.28
*** Error code 1
make: Fatal error: Command failed for target `build'



__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


RE: Flex failure during apache 1.3.28 make - RESOLVED

2003-07-21 Thread Boyle Owen
Thanks all!

Touching the .c files in src/modules/ssl let flex do its work and the
make continued without a hitch.

I repeated the build with a cleanly untarred distribution and it
compiled smoothly. Looking back, my original attempt failed because I
set the wrong path for EAPI_MM (I upgraded ocsp-mm at the same time). I
did a make clean before relaunching make but that probably doesn't
reset time stamps and so that explains why they got mixed up. So the
lesson learned is: If make fails, ditch the distro and unpack again...

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 


-Original Message-
From: R. DuFresne [mailto:[EMAIL PROTECTED]
Sent: Monday, 21 July 2003 15:45
To: Mads Toftum
Cc: [EMAIL PROTECTED]
Subject: Re: Flex failure during apache 1.3.28 make



wasn't this an issue with a modssl version a year or two ago? something like the source files in the tarball not having the proper date stamps and as Mads mentions, required a touch of a few files to make flex more 'flexable'?

Thanks,

Ron DuFresne

On Mon, 21 Jul 2003, Mads Toftum wrote:

 On Mon, Jul 21, 2003 at 02:23:22PM +0200, Boyle Owen wrote:
  Greetings, 
  
  I'm trying to compile the new 2.8.15 with apache 1.3.28 but hit a
  problem when make tries to run flex on the file
  src/modules/ssl/ssl_expr_scan.l.
  
 This shouldn't happen unless timestamps were messed up. Try touching src/modules/ssl/ssl_expr_scan.c to make sure its timestamp is newer than the .l file.
 
 vh
 
 Mads Toftum
 

-- 
~~
admin  senior security consultant:  sysinfo.com
http://sysinfo.com

Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation.
-- Johnny Hart

testing, only testing, and damn good at it too!

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]

Diese E-mail ist eine private und persönliche Kommunikation. Sie hat
keinen Bezug zur Börsen- bzw. Geschäftstätigkeit der SWX Swiss Exchange.
This e-mail is of a private and personal nature. It is not related to
the exchange or business activities of the SWX Swiss Exchange. Le
présent e-mail est un message privé et personnel, sans rapport avec
l'activité boursière de la SWX Swiss Exchange.

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


RE: unknown protocol

2003-06-02 Thread Boyle Owen
-Original Message-
From: Tom Bartling [mailto:[EMAIL PROTECTED]

If you'd care to post your config or send it directly, I'll have a look and see if there's anything wrong with it.

There are several minor problems with your config which, taken together, may be adding 
up to the confusing behaviour you are seeing. If you work through the following it may 
improve matters:

General Strategy:
- Since your server has two IP addresses, use default IP addressing (i.e. listen to 
all active IPs).
- Since you need VirtualHosting, use this throughout (i.e. lose the idea of a main 
server).
- Aim for multiple name-based VHs on port 80 and one single SSL VH on port 443.

Details:
1) Don't use Port and Listen. These two directives are very similar and Listen 
is preferred (Port is deprecated): Remove all Port directives.

2) Don't use domain names in Listens or VHs since this makes your config dependent on 
DNS. Use default:
 
Listen secure.mintecommerce.com:443  ->  Listen 443
<VirtualHost secure.mintecommerce.com:443>  ->  <VirtualHost *:443>

(NB - the only thing which should define the SSL VH is the port number).

3) Move main server into first VH container. At the moment, this has only a 
ServerName - this is odd and I've no idea what apache would do in this case (I guess 
you expect it to default to the main server - I wouldn't count on it). You can 
achieve this simply by moving the main DocumentRoot into this VH:

<VirtualHost *>
ServerName www.mintecommerce.com
DocumentRoot /usr/local/www/data
</VirtualHost>

the other directives can remain outside where they will apply globally as appropriate.

4) To complete the encapsulation of HTTP and HTTPS, add port 80 to all HTTP VHs:

<VirtualHost *>  ->  <VirtualHost *:80>

(already done this for the SSL VH in (2) above).

Now try a restart without SSL and check the name-based VHs all work, including the 
main server. If that's OK, restart with SSL and test https://www.mintecommerce.com/.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 





- Original Message -
From: Boyle Owen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, May 28, 2003 3:31 AM
Subject: RE: unknown protocol


Plain text please...

It looks like you are not succeeding in starting an SSL VH.

Looking at your config, there is no obvious error, although I don't know why you put the Listen 80 inside the IfDefine - this would mean that even plain HTTP wouldn't work unless you started with SSL.

Just to be clear how it works, apachectl startssl causes the apache control script to execute httpd -DSSL. This starts apache with the environment variable SSL defined. So when apache finds an <IfDefine SSL> container, it evaluates the condition as true and so reads the directives inside. This is the canonical way of selecting SSL.

Of course, you don't need to bother with all of this. If you put the SSL VH outside the <IfDefine SSL> block (or just remove the <IfDefine SSL> tags) then the SSL VH and its directives will fire up in a normal apachectl start.

You might try this - just make sure you have a single VH on port 443 and a Listen 443 and it should startup. Be careful you don't have a plain HTTP VH on port 443 - it could supersede the SSL VH. To test, what happens if you make a plain HTTP request to port 443 (it shouldn't work!)

About the PHP warning - when you recompiled apache to include mod_ssl, it patched the apache API to extend it to allow hooks into the OpenSSL library (EAPI = Extended API). Since the PHP module was compiled before this, it is expecting the standard API. Probably it will continue to work since the EAPI is a superset of the API but you never know if there will be a conflict in some call somewhere (you'll get a seg fault if there is). The safest thing to do is to recompile mod_php against the new API.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.



-Original Message-
From: Tom Bartling [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 28 May 2003 07:51
To: [EMAIL PROTECTED]
Subject: unknown protocol


Hi,

I am new to the list and relatively new to administering SSL, so please forgive me if this is not the right place to ask this question.

I am having trouble getting SSL to work. I'm on FreeBSD 4.5 Stable with apache+mod_ssl-1.3.27+2.8.14 and openssl-0.9.7a_2.

Everything seems to have installed okay and I can run apachectl startssl without any problems, but I can't get SSL to actually work. When I try to go the url via https, it immediately displays the dreaded "this page cannot be displayed" message. When I run apachectl configtest, it spits out the following:

apachectl configtest
[Tue May 27 23:20:56 2003] [warn] Loaded DSO libexec/apache/libphp4.so
uses plain Apache 1.3 API, this module might crash under EAPI! (please
recompile it with -DEAPI)
Syntax OK

PHP works without any problems, so I'm not concerned about that at the
moment. The manual
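The checklist Owen works through in this thread (drop Port in favour of Listen, no DNS names in Listen or VirtualHost, give every VirtualHost a port, exactly one SSL vhost on 443 and no plain-HTTP vhost there) is mechanical enough to lint. What follows is an added example, not code from the thread or from Apache: a small checker run over two constructed httpd.conf fragments, one shaped like the problem config and one in the corrected form. The hostnames are the ones from the thread; the directive names are Apache's, the checks are this example's own and cover only the points raised above.

```python
"""Added example: lint a 1.3-era httpd.conf for the mod_ssl vhost mistakes
discussed above. Both configs below are constructed for the demo."""
import re

BAD_CONF = """\
Port 80
Listen secure.mintecommerce.com:443
ServerName www.mintecommerce.com
DocumentRoot /usr/local/www/data
<VirtualHost *>
    ServerName shop.mintecommerce.com
</VirtualHost>
<VirtualHost secure.mintecommerce.com:443>
    ServerName secure.mintecommerce.com
</VirtualHost>
"""

GOOD_CONF = """\
Listen 80
Listen 443
<VirtualHost *:80>
    ServerName www.mintecommerce.com
    DocumentRoot /usr/local/www/data
</VirtualHost>
<VirtualHost *:80>
    ServerName shop.mintecommerce.com
</VirtualHost>
<VirtualHost *:443>
    ServerName www.mintecommerce.com
    SSLEngine on
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def split_addr(addr: str):
    """'host:port' -> (host, port); a bare 'host' or '*' gives port None."""
    host, sep, port = addr.rpartition(":")
    if not sep:
        return addr, None
    return host, int(port) if port.isdigit() else port


def is_dns_name(host: str) -> bool:
    """Anything that is not a wildcard, _default_ or a dotted quad needs DNS."""
    return host not in ("*", "_default_") and not IPV4_RE.fullmatch(host)


def lint(conf: str) -> list:
    findings = []
    listens = []
    for n, line in enumerate(conf.splitlines(), 1):
        s = line.strip()
        if re.match(r"Port\s", s, re.I):
            findings.append(f"line {n}: Port is deprecated, use Listen")
        m = re.match(r"Listen\s+(\S+)", s, re.I)
        if m:
            host, port = split_addr(m.group(1))
            if port is None:                 # 'Listen 443': the token is the port
                host, port = "*", int(host) if host.isdigit() else host
            if is_dns_name(host):
                findings.append(f"line {n}: Listen names a DNS host ({host}); use a port or an IP")
            listens.append(port)
    ssl_vhosts = 0
    for m in VHOST_RE.finditer(conf):
        body = m.group(2)
        for addr in m.group(1).split():
            host, port = split_addr(addr)
            if port is None:
                findings.append(f"VirtualHost {addr}: no port; write {host}:80 or {host}:443")
            if is_dns_name(host):
                findings.append(f"VirtualHost {addr}: uses a DNS name; write *:{port or 'PORT'}")
            if port == 443:
                ssl_vhosts += 1
                if not re.search(r"^\s*SSLEngine\s+on\b", body, re.I | re.M):
                    findings.append(f"VirtualHost {addr}: plain HTTP vhost on 443 (no 'SSLEngine on')")
            if port is not None and port not in listens:
                findings.append(f"VirtualHost {addr}: no matching 'Listen {port}'")
    if ssl_vhosts > 1:
        findings.append(f"{ssl_vhosts} vhosts on 443: only one SSL vhost per address:port can serve")
    return findings


if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(f"--- {label}: {len(lint(conf))} finding(s)")
        for f in lint(conf):
            print("   ", f)
```

The "plain HTTP vhost on 443" check is the config-level form of Owen's test of making a plain HTTP request to port 443: a container on :443 without `SSLEngine on` is the usual reason that request succeeds when it should not.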

RE: unknown protocol

2003-05-30 Thread Boyle Owen
-Original Message-
From: Tom Bartling [mailto:[EMAIL PROTECTED]

Thanks for the help. When I comment out the IfDefine containers, none of the sites work. If I leave everything the way I have it now except move the Port 443 line outside the IfDefine containers, http'ing to any of the sites will display the primary site.

Commenting out the IfDefine tags means that the directives that they contain will be 
acted upon. If that changes things, then they can't have been getting activated 
before. If activating these directives breaks your VirtualHosting setup, then it must 
have been in error to begin with and was working by accident.

If you'd care to post your config or send it directly, I'll have a look and see if 
there's anything wrong with it.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 



Any ideas?

Thanks, again.

Tom



- Original Message -
From: Boyle Owen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, May 28, 2003 3:31 AM
Subject: RE: unknown protocol


Plain text please...

It looks like you are not succeeding in starting an SSL VH.

Looking at your config, there is no obvious error, although I don't know why you put the Listen 80 inside the IfDefine - this would mean that even plain HTTP wouldn't work unless you started with SSL.

Just to be clear how it works, apachectl startssl causes the apache control script to execute httpd -DSSL. This starts apache with the environment variable SSL defined. So when apache finds an <IfDefine SSL> container, it evaluates the condition as true and so reads the directives inside. This is the canonical way of selecting SSL.

Of course, you don't need to bother with all of this. If you put the SSL VH outside the <IfDefine SSL> block (or just remove the <IfDefine SSL> tags) then the SSL VH and its directives will fire up in a normal apachectl start.

You might try this - just make sure you have a single VH on port 443 and a Listen 443 and it should startup. Be careful you don't have a plain HTTP VH on port 443 - it could supersede the SSL VH. To test, what happens if you make a plain HTTP request to port 443 (it shouldn't work!)

About the PHP warning - when you recompiled apache to include mod_ssl, it patched the apache API to extend it to allow hooks into the OpenSSL library (EAPI = Extended API). Since the PHP module was compiled before this, it is expecting the standard API. Probably it will continue to work since the EAPI is a superset of the API but you never know if there will be a conflict in some call somewhere (you'll get a seg fault if there is). The safest thing to do is to recompile mod_php against the new API.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.



-Original Message-
From: Tom Bartling [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 28 May 2003 07:51
To: [EMAIL PROTECTED]
Subject: unknown protocol


Hi,

I am new to the list and relatively new to administering SSL, so please
forgive me if this is not the right place to ask this question.

I am having trouble getting SSL to work. I'm on FreeBSD 4.5 Stable with
apache+mod_ssl-1.3.27+2.8.14 and openssl-0.9.7a_2.

Everything seems to have installed okay and I can run 
apachectl startssl
without any problems, but I can't get SSL to actually work. When I try
to go the url via https, it immediately displays the dreaded this page
cannot be displayed message. When I run apachectl configtest, it spits
out the following:

apachectl configtest
[Tue May 27 23:20:56 2003] [warn] Loaded DSO libexec/apache/libphp4.so
uses plain Apache 1.3 API, this module might crash under EAPI! (please
recompile it with -DEAPI)
Syntax OK

PHP works without any problems, so I'm not concerned about that at the
moment. The manual says to try:

openssl s_client -connect localhost:443 -state -debug

As an alternative, it suggests:

curl https://localhost/

Both display an error message:

SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

So, I'm thinkin' that the problem is in the httpd.conf file. A few
things that are in there of importance (excluding comments and all of
the other stuff) include:

Port 80

<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

<IfDefine SSL>
#<VirtualHost www.mintecommerce.com:443>
#<VirtualHost secure.mintecommerce.com:443>
#<VirtualHost mintecommerce.com:443>
#<VirtualHost *:443>
<VirtualHost _default_:443>

DocumentRoot /usr/local/www/data
ServerName www.mintecommerce.com
ServerAdmin [EMAIL PROTECTED]
ErrorLog /var/log/httpd-error.log
TransferLog /var/log/httpd-access.log

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/etc/apache/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key
SSLCACertificatePath /usr/local/etc/apache/ssl.crt
SSLCARevocationPath /usr/local/etc/apache/ssl.crl
SSLVerifyClient require
</VirtualHost>
</IfDefine>

You can see where I tried different versions

RE: unknown protocol

2003-05-28 Thread Boyle Owen
Plain text please...

It looks like you are not succeeding in starting an SSL VH.

Looking at your config, there is no obvious error, although I don't know
why you put the Listen 80 inside the IfDefine - this would mean that
even plain HTTP wouldn't work unless you started with SSL. 

Just to be clear how it works, apachectl startssl causes the apache
control script to execute httpd -DSSL. This starts apache with the
environment variable SSL defined. So when apache finds an IfDefine SSL
container, it evaluates the condition as true and so reads the
directives inside. This is the canonical way of selecting SSL. 

Of course, you don't need to bother with all of this. If you put the SSL
VH outside the IfDefine SSL block (or just remove the IfDefine SSL
tags) then the SSL VH and its directives will fire up in a normal
apachectl start.

You might try this - just make sure you have a single VH on port 443 and
a Listen 443 and it should startup. Be careful you don't have a plain
HTTP VH on port 443 - it could supersede the SSL VH. To test, what
happens if you make a plain HTTP request to port 443 (it shouldn't
work!)

About the PHP warning - when you recompiled apache to include mod_ssl,
it patched the apache API to extend it to allow hooks into the OpenSSL
library (EAPI = Extended API). Since the PHP module was compiled before
this, it is expecting the standard API. Probably it will continue to
work since the EAPI is a superset of the API but you never know if there
will be a conflict in some call somewhere (you'll get a seg fault if
there is). The safest thing to do is to recompile mod_php against the
new API.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 



-Original Message-
From: Tom Bartling [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 28 May 2003 07:51
To: [EMAIL PROTECTED]
Subject: unknown protocol


Hi,

I am new to the list and relatively new to administering SSL, so please
forgive me if this is not the right place to ask this question.

I am having trouble getting SSL to work. I'm on FreeBSD 4.5 Stable with
apache+mod_ssl-1.3.27+2.8.14 and openssl-0.9.7a_2.

Everything seems to have installed okay and I can run apachectl startssl
without any problems, but I can't get SSL to actually work. When I try
to go the url via https, it immediately displays the dreaded this page
cannot be displayed message. When I run apachectl configtest, it spits
out the following:

apachectl configtest
[Tue May 27 23:20:56 2003] [warn] Loaded DSO libexec/apache/libphp4.so
uses plain Apache 1.3 API, this module might crash under EAPI! (please
recompile it with -DEAPI)
Syntax OK

PHP works without any problems, so I'm not concerned about that at the
moment. The manual says to try:

openssl s_client -connect localhost:443 -state -debug

As an alternative, it suggests:

curl https://localhost/

Both display an error message:

SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

So, I'm thinkin' that the problem is in the httpd.conf file. A few
things that are in there of importance (excluding comments and all of
the other stuff) include:

Port 80

<IfDefine SSL>
Listen 80
Listen 443
</IfDefine>

<IfDefine SSL>
#<VirtualHost www.mintecommerce.com:443>
#<VirtualHost secure.mintecommerce.com:443>
#<VirtualHost mintecommerce.com:443>
#<VirtualHost *:443>
<VirtualHost _default_:443>

DocumentRoot /usr/local/www/data
ServerName www.mintecommerce.com
ServerAdmin [EMAIL PROTECTED]
ErrorLog /var/log/httpd-error.log
TransferLog /var/log/httpd-access.log

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/etc/apache/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key
SSLCACertificatePath /usr/local/etc/apache/ssl.crt
SSLCARevocationPath /usr/local/etc/apache/ssl.crl
SSLVerifyClient require
</VirtualHost>
</IfDefine>

You can see where I tried different versions of the VirtualHost tag (I
did change the ServerName value for each variation). This is a server
that hosts several sites, but they all use the same IP, so all of the
VirtualHost tags are 

<VirtualHost *>
...
</VirtualHost>

This seems to get the job done for the few sites on this one computer,
but now I need SSL. I'm at a loss and any help would be appreciated.

TIA,

Tom
This e-mail is of a private and personal nature. It is not related to
the exchange or business activities of the SWX Swiss Exchange.

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then 

RE: mod_ssl/2.8.13 and php AND Problem with 2.8.13 and Solaris 2.6

2003-03-21 Thread Boyle Owen
Can we bring these threads together? It would seem we have:

Burkhard:
Apache/1.3.27 mod_gzip/1.3.26.1a PHP/4.3.1 mod_ssl/2.8.13 OpenSSL/0.9.7a

QUESTION: What OS?

And:

Jazz:
mod_ssl 2.8.13, OpenSSL 0.9.6i with apache 1.3.27 
... on Solaris 2.6/Sparc

QUESTION: using PHP?

Both have the same problem, HTTP is OK but HTTPS causes segfault.

Any other users experiencing this?

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored.

This message is for the named person's use only. It may contain
confidential, proprietary or legally privileged information. No
confidentiality or privilege is waived or lost by any mistransmission.
If you receive this message in error, please notify the sender urgently
and then immediately delete the message and any copies of it from your
system. Please also immediately destroy any hardcopies of the message.
You must not, directly or indirectly, use, disclose, distribute, print,
or copy any part of this message if you are not the intended recipient.
The sender's company reserves the right to monitor all e-mail
communications through their networks. Any views expressed in this
message are those of the individual sender, except where the message
states otherwise and the sender is authorised to state them to be the
views of the sender's company. 


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]


RE: two server certificates.

2003-03-06 Thread Boyle Owen
-Original Message-
From: kulkarni veena [mailto:[EMAIL PROTECTED]

I have one machine which has apache+mod_ssl with a
self signed server certificate. is it possible to have
another self signed certificate using the same
Apache+mod_ssl instance but say a different port?

Yes. You simply make two port-based virtualhosts and put the
SSLCertificate* directives for cert 1 inside VH 1 and for cert 2 inside
VH 2.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 


thanks in advance.

-veena




RE: Linux Red Hat 7.2 + openSSL 0.9.7 + Apache 1.3.27 + mod_ssl 2.8.1 2 = PROBLEMS!!!

2003-02-25 Thread Boyle Owen
Plain text please...

Now you have to plough through the mail below to find my comments

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

-Original Message-
From: Zampognaro Sergio [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 25 February 2003 15:05
To: [EMAIL PROTECTED]
Subject: Linux Red Hat 7.2 + openSSL 0.9.7 + Apache 1.3.27 + mod_ssl
2.8.1 2 = PROBLEMS!!!
Importance: High
Sensitivity: Confidential


Hi, 
everything is in the subject! 
I installed everything following this procedure: 
$ ./config --prefix=/home/aspco1/openSSL 
$ make 
$ make test 
$ make install 
#   extract the packages 
$ gzip -d -c apache_1.3.27.tar.gz | tar xvf - 
$ gzip -d -c mod_ssl-2.8.12-1.3.27.tar.gz | tar xvf - 
#   apply mod_ssl to Apache source tree 
$ cd /mod_ssl-2.8.12-1.3.27 
$ ./configure --with-apache=../apache_1.3.27 
$ cd .. 
#   build/install Apache with mod_ssl 
$ cd apache_1.3.27 
$ SSL_BASE=/home/aspco1/openSSL 
$ ./configure --prefix=/home/aspco1/apache_1.3.27 --enable-module=proxy
--enable-module=ssl 
$ make 
$ make certificate TYPE=test 
$ make install 
$ cd .. 

#   cleanup after work 
$ rm -rf mod_ssl-2.8.12-1.3.27 
$ rm -rf apache_1.3.27 
Everything seems to be ok, but when I try to start the web server: 
$ apachectl start 
Ouch! ap_mm_create(1048576, /var/run/httpd.mm.22620) failed 
Error: MM: mm:core: failed to open semaphore file (Permission denied):
OS: No such file or directory 
/usr/sbin/apachectl start: httpd could not be started 

*

Why is apachectl in /usr/sbin/apachectl? This sounds like the default
installation that came with RH. Your apachectl and httpd should be in
/home/aspco1/apache_1.3.27/bin. What happens if you do
/home/aspco1/apache_1.3.27/bin/apachectl startssl? I think this is your
MAIN problem... 

Be certain you are executing the right apache before proceeding!

Also, did you install the MM shared memory library
(http://www.ossp.org/pkg/lib/mm/)? I don't think it is entirely
necessary although I've never installed without it.

*

Even bad with SSL: 
$ apachectl startssl 
usage: /usr/sbin/apachectl
(start|stop|restart|fullstatus|status|graceful|configtest|help) 
start  - start httpd 
stop   - stop httpd 
restart- restart httpd if running by sending a SIGHUP or start if 
 not running 
fullstatus - dump a full status screen; requires lynx and mod_status
enabled 
status - dump a short status screen; requires lynx and mod_status
enabled 
graceful   - do a graceful restart by sending a SIGUSR1 or start if not
running 
configtest - do a configuration syntax test 
help   - this screen 
(startssl is not recognized!!!), and finally: 
$ httpd -l 
Compiled-in modules: 
  http_core.c 
  mod_so.c 
suexec: enabled; valid wrapper /usr/sbin/suexec 
Even if I compiled with --enable-module=proxy --enable-module=ssl
options I can't see proxy and ssl modules in the list of compiled-in
modules!!!
What's happening??? 
thanks 
Sergio



RE: Multiple SSL VirtualHosts in apache

2003-02-20 Thread Boyle Owen
-Original Message-
From: R. DuFresne [mailto:[EMAIL PROTECTED]]

It's IP and/or port based.  But, do remember, if port based then one is
serving only one cert, and the trouble is making sure the cert is
constructed in a fashion such that hostnames are not contained
within the CN and such.  In this case, and others can correct me if I'm
wrong here, you would need to generate the cert on the IP rather than
FQDN.  And I'm not sure openssl allows such a cert, but others might well be
better clued than I on this <smile>.

A server cert bound to an IP address wouldn't make much sense (not sure if you can
even do it).

The thing to remember is that SSL is about two things - encryption and authentication.
For encryption to work you just need to send the server's public key to the client -
the hostname is not important. However, for the authentication aspect, it is essential
that the common name in the server cert matches the FQDN in the client request.
Put it another way, you surf to amazon.com and are about to type in your credit card
number but then you look inside the server cert and see that it is registered to
shady-character.com. Do you still send your card number? This is why browsers always
complain when you use a test or self signed certificate if the CN doesn't match the
FQDN.

So, while you can have an encrypted session with an untrusted server, in the real
world it doesn't make much sense to do so. Encryption is sending your money to the
bank in an armoured car, authentication is making sure the armoured car actually goes
to the bank.

Rgds,
Owen Boyle


Thanks,

Ron DuFresne

On Wed, 19 Feb 2003, Jack L. Stone wrote:

 Please excuse the top post:
 
 Ian or anyone, are you sure that a wildcard setup won't work??? Just
 getting ready to do a fresh install involving vhosts and this will become
 an important issue.
 
 Thanks!
 
 At 10:02 AM 2.19.2003 -0700, Ian Moon wrote:
 I believe that I read somewhere that you must have a different
 ip address for each ssl virtualhost.
 
 Ian Moon
 
 On Wed, 19 Feb 2003, Boyle Owen wrote:
 
  -Original Message-
  From: Steve Pirk [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, 6 February 2003 02:02
  To: [EMAIL PROTECTED]
  Subject: Multiple SSL VirtualHosts in apache
  
  
  I check the mail archives, but could not find a good
  answer for this problem I am having.
  
  I am building out a dev environment using apache
  on Solaris. The dev environment needs to run under
  SSL (to simulate the production environment). I am
  starting with 4 virtual servers. They all use the
  same cert file, but are on different ports.
  
  The problem I am running into is that only the first
  VirtualHost works. Requests to subsequent ports result
  in a mod_ssl:error:HTTP-request error. Here is the error_log
  entry:
  
  [Wed Feb  5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP
  spoken on HTTPS port; trying to send HTML error page (OpenSSL library
  error follows)
 
  This looks like you typed http://server:7001/ into the browser. You
  still need to define https even if you have the port number, i.e.
  https://server:7001/.
 
  Can you confirm that if you do this, you still get an error?
 
  Rgds,
  Owen Boyle
 
 
  [Wed Feb  5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
  routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking
  HTTP to HTTPS
  port!?]
  
  This is being used in conjunction with an auth package,
  but the redirect after logging in is https://
  
  Does anyone know of a good way to have multiple
  SSL virtual servers on one apache instance?
 
  The way you are doing it is fine. You just have a problem...
 
  
  Here is a sample of httpd.conf. In this case, port 7000
  works, but 7001 and 7002 get the mod_ssl error.
  
<VirtualHost 172.16.202.25:7000>
  DocumentRoot /some/doc/root
  SSLEngine on
  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>
  
<VirtualHost 172.16.202.25:7001>
  DocumentRoot /some/doc/root
  SSLEngine on
  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>
  
<VirtualHost 172.16.202.25:7002>
  DocumentRoot /some/doc/root
  SSLEngine on
  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>
  
  --
  Steve (egrep)
  

RE: Multiple SSL VirtualHosts in apache

2003-02-20 Thread Boyle Owen
-Original Message-
From: Jack L. Stone [mailto:[EMAIL PROTECTED]]

Then, there is the question of a wildcard cert which I understand can be
used for several vhosts without setting off alarms on the browser.

Search the archives for posts about wildcards - this comes up from time
to time and a few weeks ago John Airey gave a good summary of the
situation (basically, they're getting harder and harder to get).

If there is anyone who would be willing to share with me their
httpd.conf setup when using vhosting, I would be forever grateful.

It's no mystery - you just need to ensure that the different VHs are
distinguished at the TCP/IP layer (i.e. only one VH per IP/port number
pair). You cannot use application layer attributes (such as the Host
header) to define VHs because the SSL channel must be established before
any application layer traffic occurs.

Rgds,
Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 

Offlist would be fine if need for privacy.

Thanks.


It's IP and/or port based.  But, do remember, if port based then one is
serving only one cert, and the trouble is making sure the cert is
constructed in a fashion such that hostnames are not contained
within the CN and such.  In this case, and others can correct me if I'm
wrong here, you would need to generate the cert on the IP rather than
FQDN.  And I'm not sure openssl allows such a cert, but others might well
be better clued than I on this <smile>.

A server cert bound to an IP address wouldn't make much sense (not sure if
you can even do it).

The thing to remember is that SSL is about two things - encryption and
authentication. For encryption to work you just need to send the server's
public key to the client - the hostname is not important. However, for the
authentication aspect, it is essential that the common name in the
server cert matches the FQDN in the client request. Put it another way, you
surf to amazon.com and are about to type in your credit card number but
then you look inside the server cert and see that it is registered to
shady-character.com. Do you still send your card number? This is why
browsers always complain when you use a test or self signed certificate if
the CN doesn't match the FQDN.

So, while you can have an encrypted session with an untrusted server, in
the real world it doesn't make much sense to do so. Encryption is sending
your money to the bank in an armoured car, authentication is making sure
the armoured car actually goes to the bank.

Rgds,
Owen Boyle


Thanks,

Ron DuFresne

On Wed, 19 Feb 2003, Jack L. Stone wrote:

 Please excuse the top post:
 
 Ian or anyone, are you sure that a wildcard setup won't work??? Just
 getting ready to do a fresh install involving vhosts and this will become
 an important issue.
 
 Thanks!
 
 At 10:02 AM 2.19.2003 -0700, Ian Moon wrote:
 I believe that I read somewhere that you must have a different
 ip address for each ssl virtualhost.
 
 Ian Moon
 
 On Wed, 19 Feb 2003, Boyle Owen wrote:
 
  -Original Message-
  From: Steve Pirk [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, 6 February 2003 02:02
  To: [EMAIL PROTECTED]
  Subject: Multiple SSL VirtualHosts in apache
  
  
  I check the mail archives, but could not find a good
  answer for this problem I am having.
  
  I am building out a dev environment using apache
  on Solaris. The dev environment needs to run under
  SSL (to simulate the production environment). I am
  starting with 4 virtual servers. They all use the
  same cert file, but are on different ports.
  
  The problem I am running into is that only the first
  VirtualHost works. Requests to subsequent ports result
  in a mod_ssl:error:HTTP-request error. Here is the error_log
  entry:
  
  [Wed Feb  5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP
  spoken on HTTPS port; trying to send HTML error page (OpenSSL library
  error follows)
 
  This looks like you typed http://server:7001/ into the browser. You
  still need to define https even if you have the port number, i.e.
  https://server:7001/.
 
  Can you confirm that if you do this, you still get an error?
 
  Rgds,
  Owen Boyle
 
 
  [Wed Feb  5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
  routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking
  HTTP to HTTPS
  port!?]
  
  This is being used in conjunction with an auth package,
  but the redirect after logging in is https://
  
  Does anyone know of a good way to have multiple
  SSL virtual servers on one apache instance?
 
  The way you are doing it is fine. You just have a problem...
 
  
  Here is a sample of httpd.conf. In this case, port 7000
  works, but 7001 and 7002 get the mod_ssl error.
  
<VirtualHost 172.16.202.25:7000>
  DocumentRoot /some/doc/root
  SSLEngine on
  SSLCertificateFile /usr/local/apache/certs/my_cert.crt
  SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
</VirtualHost>
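Owen's point in this thread that the common name in the server cert must match the FQDN the client asked for, and the wildcard-certificate question raised earlier in the thread, as an added example that is not code from the list, mod_ssl, OpenSSL or any browser. It implements the usual matching rules (RFC 2818 / RFC 6125): case-insensitive comparison, a '*' only as the whole left-most label matching exactly one label, no wildcard match against IP addresses, and subjectAltName dNSNames taking precedence over the CN when present. The host names used are taken from the threads in this archive or constructed.

```python
"""Does the name in a server certificate match the host the client asked for?

Added example: not code from mod_ssl, OpenSSL or a browser.  It performs the
CN/FQDN comparison that makes a browser complain when a test or self-signed
certificate's name does not match the URL, including the single-label
wildcard rule that lets one wildcard certificate cover several sites.
Host names below are taken from the list threads or constructed.
"""
import ipaddress


def _is_ip_literal(host: str) -> bool:
    """True for 'a.b.c.d' or an IPv6 literal, for which wildcards never apply."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(cert_name: str, hostname: str) -> bool:
    """Match one certificate name (CN or SAN dNSName) against a hostname."""
    cert = cert_name.strip().lower().rstrip(".")
    host = hostname.strip().lower().rstrip(".")
    if not cert or not host:
        return False
    if "*" not in cert:
        return cert == host                 # exact match, also for IP literals
    if _is_ip_literal(host):
        return False                        # wildcards never cover IP addresses
    cert_labels = cert.split(".")
    host_labels = host.split(".")
    # '*' must be the entire left-most label, appear once, and leave at
    # least two literal labels, so '*.com' or 'www*.example.com' never match.
    if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
        return False
    if len(cert_labels) < 3:
        return False
    # The wildcard stands for exactly one label: '*.example.com' covers
    # 'secure.example.com' but neither 'example.com' nor 'a.b.example.com'.
    if len(host_labels) != len(cert_labels):
        return False
    return cert_labels[1:] == host_labels[1:]


def certificate_matches(subject_cn, san_dns_names, hostname):
    """Return (ok, reason) for a certificate described by its CN and SANs.

    If the certificate carries subjectAltName dNSNames, only those are
    consulted; the CN is the fallback for certificates without SANs.
    """
    names = list(san_dns_names) if san_dns_names else [subject_cn]
    for name in names:
        if name_matches(name, hostname):
            return True, f"{hostname} is covered by certificate name {name}"
    return False, f"{hostname} matches none of {names}: the browser will warn"


if __name__ == "__main__":
    # Tom's server from the "unknown protocol" thread in this archive: one
    # cert with CN=www.mintecommerce.com, several host names on one address.
    hosts = ("www.mintecommerce.com", "secure.mintecommerce.com",
             "mintecommerce.com")
    for host in hosts:
        print(certificate_matches("www.mintecommerce.com", [], host))
    # A wildcard cert covers the first two, but still not the bare domain.
    for host in hosts:
        print(certificate_matches("*.mintecommerce.com", [], host))
    # Owen's example: the cert says shady-character.com, the URL says amazon.com.
    print(certificate_matches("shady-character.com", [], "amazon.com"))
```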

RE: Multiple SSL VirtualHosts in apache

2003-02-19 Thread Boyle Owen
-Original Message-
From: Steve Pirk [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 6 February 2003 02:02
To: [EMAIL PROTECTED]
Subject: Multiple SSL VirtualHosts in apache


I check the mail archives, but could not find a good
answer for this problem I am having.

I am building out a dev environment using apache
on Solaris. The dev environment needs to run under
SSL (to simulate the production environment). I am
starting with 4 virtual servers. They all use the
same cert file, but are on different ports.

The problem I am running into is that only the first
VirtualHost works. Requests to subsequent ports result
in a mod_ssl:error:HTTP-request error. Here is the error_log
entry:

[Wed Feb  5 16:45:11 2003] [error] mod_ssl: SSL handshake failed: HTTP
spoken on HTTPS port; trying to send HTML error page (OpenSSL library
error follows)

This looks like you typed http://server:7001/ into the browser. You
still need to define https even if you have the port number, i.e.
https://server:7001/.

Can you confirm that if you do this, you still get an error?

Rgds,
Owen Boyle


[Wed Feb  5 16:45:11 2003] [error] OpenSSL: error:1407609C:SSL
routines:SSL23_GET_CLIENT_HELLO:http request [Hint: speaking HTTP to HTTPS
port!?]

This is being used in conjunction with an auth package,
but the redirect after logging in is https://

Does anyone know of a good way to have multiple
SSL virtual servers on one apache instance?

The way you are doing it is fine. You just have a problem...


Here is a sample of httpd.conf. In this case, port 7000
works, but 7001 and 7002 get the mod_ssl error.

  <VirtualHost 172.16.202.25:7000>
    DocumentRoot /some/doc/root
    SSLEngine on
    SSLCertificateFile /usr/local/apache/certs/my_cert.crt
    SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
  </VirtualHost>

  <VirtualHost 172.16.202.25:7001>
    DocumentRoot /some/doc/root
    SSLEngine on
    SSLCertificateFile /usr/local/apache/certs/my_cert.crt
    SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
  </VirtualHost>

  <VirtualHost 172.16.202.25:7002>
    DocumentRoot /some/doc/root
    SSLEngine on
    SSLCertificateFile /usr/local/apache/certs/my_cert.crt
    SSLCertificateKeyFile /usr/local/apache/certs/my_cert.key
  </VirtualHost>

--
Steve (egrep)
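The two errors in this archive, "HTTP spoken on HTTPS port" from Steve's error_log above and "SSL23_GET_SERVER_HELLO:unknown protocol" from the "unknown protocol" thread, both come from an SSL endpoint peeking at the first bytes its peer sends. As an added example (not code from mod_ssl or OpenSSL), the sniffing below tells a handshake record from plaintext HTTP and maps each case to the symptom seen in the threads. All byte strings are constructed by hand.

```python
"""Tell an SSL/TLS handshake from plain HTTP by looking at the first bytes.

Added example, not code from mod_ssl or OpenSSL.  A server that reads an
HTTP request on its SSL port logs "HTTP spoken on HTTPS port"; a client
(s_client, curl) that reads an HTTP response where it expected a hello
reports "unknown protocol".  All samples below are constructed by hand.
"""

# First four bytes of a plaintext HTTP request, for the common methods.
_HTTP_METHODS = (b"GET ", b"POST", b"HEAD", b"PUT ", b"OPTI",
                 b"DELE", b"TRAC", b"CONN")
_HTTP_RESPONSE = b"HTTP/"
_TLS_HANDSHAKE_RECORD = 0x16   # content type of an SSLv3/TLS handshake record
_SSLV2_CLIENT_HELLO = 0x01
_SSLV2_SERVER_HELLO = 0x04


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes read from a socket.

    Returns one of 'tls-handshake', 'sslv2-hello', 'http-request',
    'http-response' or 'unknown'.
    """
    if len(data) < 5:
        return "unknown"
    # SSLv2 record: 2-byte length with the high bit set, then the message
    # type (0x01 CLIENT-HELLO, 0x04 SERVER-HELLO), then the version.
    if data[0] & 0x80 and data[2] in (_SSLV2_CLIENT_HELLO, _SSLV2_SERVER_HELLO):
        return "sslv2-hello"
    # SSLv3/TLS record header: type 0x16, version 3.0 .. 3.3, 2-byte length.
    if data[0] == _TLS_HANDSHAKE_RECORD and data[1] == 0x03 and data[2] <= 0x03:
        return "tls-handshake"
    if data[:4] in _HTTP_METHODS:
        return "http-request"
    if data.startswith(_HTTP_RESPONSE):
        return "http-response"
    return "unknown"


def diagnose(first_bytes: bytes, received_by: str) -> str:
    """Map the sniffed protocol to the symptom described in the threads.

    received_by is 'server' for bytes a client sent to the SSL port, or
    'client' for the bytes the server answered with.
    """
    kind = classify_first_bytes(first_bytes)
    if received_by == "server":
        if kind in ("tls-handshake", "sslv2-hello"):
            return "ok: SSL/TLS handshake, continue"
        if kind == "http-request":
            return ("HTTP spoken on HTTPS port: the client used http:// "
                    "against the SSL port; retry with https://")
        return "unknown protocol from client"
    if received_by == "client":
        if kind in ("tls-handshake", "sslv2-hello"):
            return "ok: server answered with an SSL/TLS hello"
        if kind == "http-response":
            return ("unknown protocol: a plain-HTTP VirtualHost is answering "
                    "on the SSL port; check which VH owns port 443")
        return "unknown protocol: the server did not answer with SSL/TLS"
    raise ValueError("received_by must be 'server' or 'client'")


# Constructed samples: record/message headers only, no real handshake data.
SAMPLES = {
    "tls_client_hello": b"\x16\x03\x01\x00\x5c\x01\x00\x00\x58\x03\x01",
    "sslv2_client_hello": b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00\x10",
    "http_request": b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n",
    "http_response": b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.27\r\n",
    "garbage": b"\x00\x01",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:20} -> {classify_first_bytes(data)}")
    # The two situations from the list threads:
    print(diagnose(SAMPLES["http_request"], "server"))   # http:// typed against :7001
    print(diagnose(SAMPLES["http_response"], "client"))  # s_client got HTML back from :443
```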



RE: cgi-bin broken lock

2003-02-10 Thread Boyle Owen
Is any content on the page non-secure? (i.e. all img tags have to be
https too).

Rgds,
Owen Boyle

-Original Message-
From: Jan Cohen [mailto:[EMAIL PROTECTED]]
Sent: Monday, 10 February 2003 03:50
To: [EMAIL PROTECTED]
Subject: cgi-bin broken lock


Hi all,

I've got ssl up and running on a test page that calls a script in cgi-bin.
Lock is there, everything works.  When I parse the info from that page to a
script in the cgi-bin, that script creates the https page and some of the
ssl functionality seems to work (at least the page is being created).
Unfortunately, the script creates a page with a broken lock and I can't
figure out why.

I don't have access to the httpd.conf, but my host tells me ssl is enabled
for the root dn, and that the cgi-bin was added to the ssl section of the
httpd.conf.  Would anyone have some suggestions I might be able to check
out?

Thanks for your help,

Jan Cohen




RE: Compiling mod_ssl as a DSO

2003-02-10 Thread Boyle Owen
Just to get things clear, openSSL is a library of functions which is
used by (among other things) mod_ssl. So mod_ssl needs to know about
openSSL but openSSL doesn't care which application is using it. Your
installation paths are a bit idiosyncratic, which is OK as long as you
have a clear idea about how everything is inter-related. I was a bit
confused reading your posting so I'm suspecting apache is too.

Generally, you should proceed as follows (if any of this strikes you as
odd, then that might be the problem):

- Install openSSL in /path/to/ssl
- set SSL_BASE = /path/to/ssl
- set LD_RUN_PATH = /usr/lib:/usr/local/lib:/path/to/ssl/lib (this
avoids using LD_LIBRARY_PATH)
- Unpack apache tar file in (e.g.) /tmp/apache
- Unpack mod_ssl tar file in (e.g.) /tmp/mod_ssl
- in /tmp/mod_ssl, run ./configure --with-apache=/tmp/apache (this
patches apache sources)
- in /tmp/apache, run ./configure --prefix=/path/to/apache \
 --enable-module=so \
--enable-shared=ssl \
--enable-module=ssl
- make, make install

This should leave libssl.so in /path/to/apache/libexec and
/path/to/apache/bin/httpd should start without $LD_LIBRARY_PATH being
set.

Rgds,

Owen Boyle

PS - your versions are ancient... Are you sure the latest versions won't
work? On the other hand, your versions are so old that 

  

-Original Message-
From: Simon Donally [mailto:[EMAIL PROTECTED]]
Sent: Montag, 10. Februar 2003 13:09
To: [EMAIL PROTECTED]
Subject: Compiling mod_ssl as a DSO


Hi List Users

I am trying to configure Apache to run with ModSSL as a DSO. I am using
relatively old versions of software as this particular version of Apache
functions on the system. The software versions are as follows

   Apache 1.3.12
   Openssl_0.9.6b
   Modssl_2.6.6

I have read numerous articles both from the list forum and 
from articles found from internet searches. I have tried many 
options to configure Apache to run with SSL as a DSO over a 
period of a week and to date have not been successful.

I have listed the errors I obtain and the steps I follow to 
compile Apache. I would be most grateful for any advice which 
may lead to the resolution of this problem.

1) Compile OpenSSL 0.9.6b as a shared object as follows
a. make clean
b. make test
c. make build-shared

2) ./configure \
   --enable-module=so \
   --with-apache=/home/sxxx/apache_1.3.12 \
   --with-ssl=/home/simon/Openssl-0.9.6b/openssl-0.9.6b \
   --prefix=/home/simon/Apache12SO \
   --enable-module=ssl

3) cd /home/sxxx/apache_1.3.12

   make
   make certificate
   make install

4) The entry in the httpd.conf file is as follows
   <IfDefine SSL>
   LoadModule ssl_module   libexec/libssl.so
   </IfDefine>

*  This is the first error I obtain

hometop1% apachectl startssl
Syntax error on line 208 of /home/simon/Apache12SO/conf/httpd.conf:
Cannot load /home/simon/Apache12SO/libexec/libssl.so into 
server: ld.so.1: /home/simon/Apache12SO/bin/httpd: fatal: 
libssl.so.0.9.6: open failed: No such file or directory
.//apachectl startssl: httpd could not be started

This is resolved by setting the LD_LIBRARY_PATH variable to 
/usr/local/ssl/lib
   bash-2.02$ export LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH


*  This is the next error I obtain after having set the 
LD_LIBRARY_PATH variable to 
   bash-2.02$ apachectl startssl

Syntax error on line 208 of /home/simon/Apache12SO/conf/httpd.conf:
Cannot load /home/simon/Apache12SO/libexec/libssl.so into server: ld.so.1: /home/simon/Apache12SO/bin/httpd: fatal: relocation error: file /home/simon/Apache12SO/libexec/libssl.so: symbol ap_user_id: referenced symbol not found
.//apachectl startssl: httpd could not be started


The next step I tried was
*  To directly copy libssl.so from Openssl to libexec using libssl.so from Openssl
*  To set the library path to point to /home/simon/Apache12SO/libexec only

bash-2.02$ pwd
/reserv/home/simon/Apache12SO/libexec
bash-2.02$ ls -lisa
total 2472
1188792 drwxr-xr-x   2 simon htgroup     512 Feb 10 09:03 .
4206942 drwxrwxr-x  12 simon htgroup     512 Feb  6 16:43 ..
118881   16 -rw-r--r--   1 simon htgroup    8153 Feb  7 10:57 httpd.exp
1188932 lrwxrwxrwx   1 simon htgroup      11 Feb 10 09:03 libssl.so -> libssl.so.0
112 lrwxrwxrwx   1 simon htgroup      15 Feb 10 09:03 libssl.so.0 -> libssl.so.0.9.6
118886 1920 -rwxrwxr-x   1 simon htgroup  970983 Feb  7 12:45 libssl.so.0.9.6
118890  528 -rwxr-xr-x   1 simon htgroup  256259 Feb  7 10:57 libssl.so.old

This didn't work either and generated the following error. I notice that
the file libssl.so.old generated when Apache was compiled is 

RE: ~ Error Help - CN in certificate not server name or identical to CA!? ~

2003-01-29 Thread Boyle Owen
Please post in plain-text... - 

Your error: [Hint: Subject CN in certificate not server name or
identical to CA!?]

means: the Common Name in the certificate is not the same as the
ServerName in the URL - e.g. the certificate belongs to www.abcdef.com
but you are using it in a server whose URL is www.uvwxyz.com. This makes
the browser think your site is impersonating another site and so throws
a warning.

Where did you get the cert? Is it self-signed? If so, make a new one
with the correct server name.

Rgds,

Owen Boyle

PS  How did you remove the Reply-To header which normally directs the
replies back to the list? This is supposed to be a public mailing list,
not your private resource. You are supposed to share the replies with
others and allow them to go in the archive. Anyway, I changed it back...


-Original Message-
From: Inderjit S Gabrie [mailto:[EMAIL PROTECTED]]
Sent: Mittwoch, 29. Januar 2003 10:05
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: ~ Error Help - CN in certificate not server name or identical
to CA!? ~




Hi all

I am new to the SSL environment, getting the following error. Can someone
tell me what's going on and how I can resolve this... thanks in
advance... (error output below...)



[Tue Jul 2 11:54:00 2002] [error] mod_ssl: SSL handshake failed (server name here:443, client 130.209.164.170) (OpenSSL library error follows)
[Tue Jul 2 11:54:00 2002] [error] OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate [Hint: Subject CN in certificate not server name or identical to CA!?]




*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~ 
Inderjit S Gabrie 
University of Glasgow, Department of MIS, 
Gilbert Scott Building, Glasgow G12 8QQ 
Tel: 0141-330-3837 Fax: 0141-330-4953 
E-mail: [EMAIL PROTECTED] 
Web Url: http://www.mis.gla.ac.uk 
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
  The future is here, it's just not evenly distributed yet.




RE: [warn] RSA server certificate CommonName (CN) `yin.*' does NOT match server name!?

2003-01-29 Thread Boyle Owen
-Original Message-
From: Aihong Yin [mailto:[EMAIL PROTECTED]]
Sent: Mittwoch, 29. Januar 2003 11:00
To: [EMAIL PROTECTED]
Subject: [warn] RSA server certificate CommonName (CN) `yin.*' does NOT
match server name!?


Hello all,

I am trying to setup my server (apache 2.0.43, opensl 0.9.6g on RedHat 7.1).

I have created a SSL server certificate using a self-made CA, and am sure
that the Common Name in the Server Certificate and ServerName in http.conf
file are the same yin.fokus.gmd.de, which is identical with the host address.

Really? Are you sure you have the line:

ServerName yin.fokus.gmd.de

in the SSL VH config?

If so, are you sure the certificate's common name is yin.fokus.gmd.de?
Don't just say Yes, check it with:

openssl x509 -subject -in /path/to/cert

then see what CN= is set to.


I now start apache with apachectl startssl and get the following message
in error_log file, but no errors in the console

[Wed Jan 29 08:34:02 2003] [warn] RSA server certificate CommonName (CN) `yin.fokus.gmd.de' does NOT match server name!?
[Wed Jan 29 08:34:03 2003] [notice] Digest: generating secret for digest authentication ...
[Wed Jan 29 08:34:03 2003] [notice] Digest: done
[Wed Jan 29 08:34:04 2003] [warn] RSA server certificate CommonName (CN) `yin.fokus.gmd.de' does NOT match server name!?
[Wed Jan 29 08:34:05 2003] [notice] Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6g DAV/2 configured -- resuming normal operations
---

if I try and access the secure site (https://yin.fokus.gmd.de) I get the
following error message in browser (but I can start the normal site
http://yin.fokus.gmd.de):
--
The server's certificate has an invalid signature. You will not be able
to connect to this site securely.
--

Your domain name is not in public DNS so I suppose you do this locally.
Anyway, I suppose it means that the browser cannot verify the
certificate authority who signed the cert. If it is self-signed, that is
hardly surprising. It should, however, allow you in if you just click
OK anyway.

Rgds,

Owen Boyle


Thanks a lot for any helps.

Best Regards,
Aihong Yin.







RE: [warn] RSA server certificate CommonName (CN) `yin.fokus.gmd.de' does NOT match server name!?

2003-01-29 Thread Boyle Owen
Please post in plain text - my mail client doesn't handle HTML mail...

The thing you type into the browser's Location window has to match
what's in the cert. Does it? If you are doing all this on a standalone
laptop, I doubt it.


-Original Message-
From: Aihong Yin [mailto:[EMAIL PROTECTED]]
Sent: Mittwoch, 29. Januar 2003 12:07
To: [EMAIL PROTECTED]
Subject: Re: [warn] RSA server certificate CommonName (CN)
`yin.fokus.gmd.de' does NOT match server name!?


Hello Owen and Toftum,

thanks for your mail.


Hello all, I am trying to setup my server (apache 2.0.43, opensl 0.9.6g on
RedHat 7.1). I have created a SSL server certificate using a self-made CA,
and am sure that the Common Name in the Server Certificate and ServerName in
http.conf file are the same yin.fokus.gmd.de, which is identical with the
host address.

Really? Are you sure you have the line: ServerName yin.fokus.gmd.de in the
SSL VH config?

Do you mean that I should configure VirtualHost in the http.conf file? But I
think the Virtual Host is used for the case of more than one web site running
on a single machine. Is this correct? On my Laptop there is only one web site
yin.fokus.gmd.de. I now have tried to configure VirtualHost and it is the
same error.

If so, are you sure the certificate's common name is yin.fokus.gmd.de? Don't
just say Yes, check it with: openssl x509 -subject -in /path/to/cert then see
what CN= is set to.

I have checked it and they are the same (CN= is set to yin.fokus.gmd.de).

I now start apache with apachectl startssl and get the following message in
error_log file, but no errors in the console

[Wed Jan 29 08:34:02 2003] [warn] RSA server certificate CommonName (CN) `yin.fokus.gmd.de' does NOT match server name!?
[Wed Jan 29 08:34:03 2003] [notice] Digest: generating secret for digest authentication ...
[Wed Jan 29 08:34:03 2003] [notice] Digest: done
[Wed Jan 29 08:34:04 2003] [warn] RSA server certificate CommonName (CN) `yin.fokus.gmd.de' does NOT match server name!?
[Wed Jan 29 08:34:05 2003] [notice] Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6g DAV/2 configured -- resuming normal operations

if I try and access the secure site (https://yin.fokus.gmd.de) I get the
following error message in browser (but I can start the normal site
http://yin.fokus.gmd.de):

The server's certificate has an invalid signature. You will not be able to
connect to this site securely.

Your domain name is not in public DNS so I suppose you do this locally.

You are right. I try this on my laptop for our future project. Should I
use the IP address and not host name in the server certificate? But it is
changed frequently.

Best Regards,

Aihong Yin.




RE: [warn] RSA server certificate CommonName (CN) `yin.fokus.gmd.de' does NOT match server name!?

2003-01-29 Thread Boyle Owen
-Original Message-
From: Aihong Yin [mailto:[EMAIL PROTECTED]]
Sent: Mittwoch, 29. Januar 2003 12:47
To: [EMAIL PROTECTED]
Subject: Re: [warn] RSA server certificate CommonName (CN)
`yin.fokus.gmd.de' does NOT match server name!?



Boyle Owen wrote:

Please post in plain text - my mail client doesn't handle HTML mail...

The thing you type into the browser's Location window has to match
what's in the cert. Does it? 

Yes, it does. But this error "[warn] RSA server certificate CommonName (CN)
does NOT match server name!?" is given during the HTTPS server start, and
the next step is to start the browser.

In your httpd.conf you must have a ServerName directive - what is it set to? It must 
be the same as the common name in the cert.



If you are doing all this on a standalone
laptop, I doubt it.

Could you tell me the reason? What do you mean by standalone? The laptop
gets its IP address during reboot using DHCP.

So how do you access the web site? You must type something into the browser - unless 
you type yin.fokus.gmd.de, you will get a warning. But how can you type this in?  - 
you would need a local DNS set up to resolve this domain. Do you have this?



 Is this correct?

Best Regards,
Aihong Yin.


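The check asked for repeatedly in the threads above (does the certificate's CN equal the ServerName of the SSL vhost?) as a small script. This is an added example, not code from the list or from the mod_ssl project. It parses the line that `openssl x509 -subject -noout -in cert` prints (both the old `/C=..` form of OpenSSL 0.9.x and the newer comma-separated form), pulls the first ServerName out of an httpd.conf fragment, and also extracts the CN from the mod_ssl startup warning quoted in the thread so the mismatch can be caught from error_log. The subject lines, the config fragment and the log line are constructed samples.

```python
import re

# Constructed samples (not from the thread): what `openssl x509 -subject -noout -in cert`
# prints in the old OpenSSL 0.9.x format and in the newer comma-separated format.
SUBJECT_OLD = "subject= /C=DE/O=Example Org/CN=yin.fokus.gmd.de"
SUBJECT_NEW = "subject=C = DE, O = Example Org, CN = www.abcdef.com"

# Constructed httpd.conf fragment: the SSL VirtualHost the reply asks about.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    ServerName yin.fokus.gmd.de:443
    SSLEngine on
</VirtualHost>
"""

# Constructed error_log line in the format quoted in the thread.
SAMPLE_WARN = ("[Wed Jan 29 08:34:02 2003] [warn] RSA server certificate CommonName (CN) "
               "`yin.fokus.gmd.de' does NOT match server name!?")

WARN_RE = re.compile(r"RSA server certificate CommonName \(CN\) `([^']+)' does NOT match server name")


def cn_from_subject(subject_line):
    """Extract the CN from an `openssl x509 -subject` line (old '/C=..' or new 'C = ..' style)."""
    text = subject_line.strip()
    if text.lower().startswith("subject"):
        text = text.split("=", 1)[1].strip()
    parts = text[1:].split("/") if text.startswith("/") else text.split(",")
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            if key.strip().upper() == "CN":
                return value.strip()
    return None


def server_name_from_conf(conf_text):
    """Return the first ServerName in a config fragment, lower-cased, without any :port suffix."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"(?i)servername\s+(\S+)", line)
        if match:
            return match.group(1).split(":", 1)[0].lower()
    return None


def check_cn_matches_servername(subject_line, conf_text):
    """The check the reply asks for: does the cert CN equal the SSL vhost's ServerName?"""
    cn = cn_from_subject(subject_line)
    server_name = server_name_from_conf(conf_text)
    if cn is None:
        return False, "no CN in certificate subject"
    if server_name is None:
        return False, "no ServerName directive found"
    if cn.lower() == server_name:
        return True, f"CN {cn} matches ServerName {server_name}"
    return False, (f"CN {cn} does NOT match ServerName {server_name}; expect the mod_ssl "
                   f"[warn] at startup and a browser warning")


def cn_from_warning(log_line):
    """Pull the CN out of the mod_ssl startup warning so the mismatch can be alerted on from logs."""
    match = WARN_RE.search(log_line)
    return match.group(1) if match else None


if __name__ == "__main__":
    print(check_cn_matches_servername(SUBJECT_OLD, SAMPLE_CONF))
    print(check_cn_matches_servername(SUBJECT_NEW, SAMPLE_CONF))
    print(cn_from_warning(SAMPLE_WARN))
```

The comparison is on the name only, so `ServerName host:443` and a CN of `host` count as a match, which is what the browser compares too; a CN that matches but still warns in the browser is the separate self-signed-CA issue the reply goes on to describe.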
RE: ScriptAlias

2003-01-27 Thread Boyle Owen
You have inconsistent notation and a confused mapping.

- Do not put a trailing slash on the alias or the directory.
- You should have only one ScriptAlias per CGI directory.
- You can match only one directory to each alias (you can have two
aliases for one directory).

... it's like buses: Two buses can go to the same destination, but one
bus can't go to two destinations :-)

PS This has nothing to do with SSL. It is just a config problem with
apache.

Rgds,

Owen Boyle



-Original Message-
From: Ortiz Ruiz Otoniel Manuel [mailto:[EMAIL PROTECTED]]
Sent: Freitag, 24. Januar 2003 19:37
To: [EMAIL PROTECTED]
Subject: ScriptAlias 



I have a problem trying to execute cgis under ssl. (It doesn't find the
URL, a kind of problem with the scriptalias). 

I compiled apache2 with ssl, these are the options that I used.
At the bottom there is a fragment of my ssl.conf.

Any help will be appreciated


OPTIONS:
#  CC=gcc ./configure --prefix=/web/apache2 --enable-dav --enable-info \
 --enable-http --enable-proxy-ftp --enable-proxy-connect --enable-proxy-http \
 --enable-proxy --enable-usertrack --enable-headers --enable-expires \
 --enable-cern-meta --enable-mime-magic --enable-deflate --enable-case-filter-in \
 --enable-case-filter --enable-ext-filter --enable-example --enable-mem-cache \
 --enable-disk-cache --enable-cache --enable-charset-lite \
 --enable-echo --enable-file-cache --enable-auth-dbm \
 --enable-rewrite --enable-vhost-alias \
 --enable-optional-hook-export --enable-optional-hook-import \
 --enable-optional-fn-import --enable-optional-fn-export --enable-unique-id \
 --enable-cgi --enable-cgid --with-mpm=worker --with-ssl=/usr/local/openssl \
 --enable-auth-digest --enable-static-htdigest --enable-ssl



SSL.CONF

</VirtualHost>

</IfDefine>

Alias       /otoniel    /web/htdocs/labvis/gente/becarios/otoniel
ScriptAlias /cgi-bin/   /web/htdocs/labvis/cgi-bin
ScriptAlias /cgi-bin    /web/htdocs/labvis/cgi-bin
ScriptAlias /lab-bin    /web/htdocs/labvis/cgi-bin
ScriptAlias /garp-bin/  /web/htdocs/labvis/biodi.sdsc.edu/inicio/cgi-bin/

ScriptAlias /mailman/   /export/home/mailman/cgi-bin/
ScriptAlias /cgi-bin/   /export/home/mailman/cgi-bin
ScriptAlias /cgi-mail   /export/home/mailman/cgi-bin/

##   Labvis ###
ScriptAlias /cgi-bin/   /web/htdocs/labvis/cgi-bin/
ScriptAlias /cgi-bin/   /web/htdocs/labvis/cgi-bin/modelacion
ScriptAlias /lab-bin/   /web/htdocs/labvis/cgi-bin/
ScriptAlias /garp-bin/  /web/htdocs/labvis/biodi.sdsc.edu/inicio/cgi-bin/
ScriptAlias /hjg/       /export/home/hjg/cgi/








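The three rules in the reply (no trailing slash on alias or directory, one ScriptAlias per CGI directory, one directory per alias) as a lint that runs over a config fragment. This is an added example, not code from the list or from Apache. It only understands plain `Alias`/`ScriptAlias` lines (no quoted arguments), and the sample configuration is a constructed, reduced version of the fragment in the question.

```python
import re
from collections import defaultdict

# Matches "Alias /url /fs" and "ScriptAlias /url /fs"; quoted arguments are not handled.
ALIAS_RE = re.compile(r"^\s*(Alias|ScriptAlias)\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)

# Constructed sample, reduced from the ssl.conf fragment posted in the question.
SAMPLE_SSL_CONF = """\
# constructed sample: several definitions of /cgi-bin and several slashes
ScriptAlias /cgi-bin/   /web/htdocs/labvis/cgi-bin
ScriptAlias /cgi-bin    /web/htdocs/labvis/cgi-bin
ScriptAlias /lab-bin    /web/htdocs/labvis/cgi-bin
ScriptAlias /cgi-bin/   /export/home/mailman/cgi-bin
ScriptAlias /cgi-bin/   /web/htdocs/labvis/cgi-bin/modelacion
ScriptAlias /mailman/   /export/home/mailman/cgi-bin/
"""


def parse_aliases(conf_text):
    """Return (directive, url_prefix, directory, line_no) tuples in config order."""
    entries = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        match = ALIAS_RE.match(raw.split("#", 1)[0])
        if match:
            entries.append((match.group(1), match.group(2), match.group(3), line_no))
    return entries


def lint_aliases(conf_text):
    """Apply the reply's three rules and return a list of human-readable findings."""
    findings = []
    targets_by_alias = defaultdict(list)   # url prefix -> [(directory, line_no)]
    aliases_by_dir = defaultdict(list)     # directory  -> [(url prefix, line_no)]
    for directive, url, directory, line_no in parse_aliases(conf_text):
        # Rule 1: no trailing slashes (a bare "/" is left alone).
        if len(url) > 1 and url.endswith("/"):
            findings.append(f"line {line_no}: trailing slash on alias {url}")
        if len(directory) > 1 and directory.endswith("/"):
            findings.append(f"line {line_no}: trailing slash on directory {directory}")
        url_key = url.rstrip("/") or "/"
        dir_key = directory.rstrip("/") or "/"
        targets_by_alias[url_key].append((dir_key, line_no))
        if directive.lower() == "scriptalias":
            aliases_by_dir[dir_key].append((url_key, line_no))
    # Rule 3: one directory per alias. Apache uses the first matching Alias, so the rest are dead.
    for url_key, targets in targets_by_alias.items():
        if len(targets) > 1:
            dirs = sorted({d for d, _ in targets})
            lines = ", ".join(str(n) for _, n in targets)
            if len(dirs) > 1:
                findings.append(f"alias {url_key} is mapped to {len(dirs)} directories "
                                f"(lines {lines}); Apache uses the first match, the rest are dead")
            else:
                findings.append(f"alias {url_key} is defined {len(targets)} times (lines {lines}); keep one")
    # Rule 2: one ScriptAlias per CGI directory.
    for dir_key, urls in aliases_by_dir.items():
        distinct = sorted({u for u, _ in urls})
        if len(distinct) > 1:
            findings.append(f"CGI directory {dir_key} has {len(distinct)} ScriptAliases "
                            f"({', '.join(distinct)}); one is enough")
    return findings


if __name__ == "__main__":
    for finding in lint_aliases(SAMPLE_SSL_CONF):
        print(finding)
```

Run against the constructed sample it reports five slash problems, the `/cgi-bin` prefix mapped to three different directories, and two CGI directories reachable under more than one prefix; a fragment with one clean `ScriptAlias` per directory produces no findings.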
RE: Verifying enabled ciphers?

2003-01-24 Thread Boyle Owen
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]

Nearly everything we believe is second hand. For example, less than 500
people have seen the Earth from space, yet the majority of 
people believe it is round (or an oblate sphere for the pedants).


Perhaps. But this is not why we believe it to be round. We know it is a
sphere from observations we make on the surface. For instance, ships
sailing away from port disappear from the bottom up (Columbus knew
that). The main evidence comes from the fact that the angle of elevation
of astronomical bodies sighted at the same time in different places
varies in a way that can only be explained if we are on the surface of a
sphere.

In any case, billions of people have seen at first-hand photos of the
Earth from space. Are we to assume all photos are always faked?

Rgds,

Owen Boyle

PS I liked your one about Alexander Graham Bell :-)




RE: Apache-SSL vs mod_ssl

2003-01-23 Thread Boyle Owen
-Original Message-
From: rmck [mailto:[EMAIL PROTECTED]]

Whats the benefit of mod_ssl compared to Apache-SSL???


One has got mod in its name and the other hasn't :-)

I am not expert enough to comment on the two implementations of SSL
technology so I restrict myself to the usability differences:

Apache-SSL is a monolithic program with the SSL functionality hard-coded
into apache. This leads to a large binary. Also, many SSL directives are
*required* in the config in order for it to work. 

mod_ssl allows you to add or remove SSL functionality to an already
working apache (assuming you compiled with EAPI and DSO). So you have
more flexibility.

In a single server set-up, there is probably little to choose from
between the two, however, I could imagine a multi-apache environment
where you wanted some servers with SSL and some without. mod_ssl would
be a good choice there.

As far as I can see, there is no difference between Apache-SSL and
apache with mod_ssl statically compiled - both lead to a monolithic,
SSL-aware binary.

Finally, in my experience, mod_ssl tracks apache updates really fast.
Usually a new mod_ssl is ready within a day of a new apache version.
Apache-SSL tends to be slower and is sometimes a few versions behind.

Rgds,

Owen Boyle




RE: sorry all, test

2003-01-13 Thread Boyle Owen
Nope.. It didn't work. We didn't see anything.

-Original Message-
From: Kyle O'Donnell [mailto:[EMAIL PROTECTED]]
Sent: Sonntag, 12. Januar 2003 12:41
To: [EMAIL PROTECTED]
Subject: sorry all, test


test



RE: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

2003-01-13 Thread Boyle Owen
I believe you can get wildcard certs from Thawte. Check out their site.
NB - wildcards are like *.acme.com so www1.acme.com, www2.acme.com etc
all work. You cannot get *.*.com to work in any case.

Rgds,
Owen Boyle

-Original Message-
From: Barry Smoke [mailto:[EMAIL PROTECTED]]
Sent: Montag, 13. Januar 2003 04:23
To: [EMAIL PROTECTED]
Subject: RE: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts
with 2 Certificates)


These NBVHs are all derived off the same 3rd-level domain, and thus we
can use the same wildcard certificate for each NBVH (users whose
browsers don't recognise wildcard certificates need only placate the
browser once in most cases).

o.k...you have my attention now...
wildcard certificate?
Can wildcard certificates be purchased, or is this only if you are self
signing?

I sure would like to buy one certificate, and have all my subdomains on
my main domain recognize it without a warning window popping up for
internet customers...

https://arhosting.com
https://www.arhosting.com
https://secure.arhosting.com
https://www.secure.arhosting.com

I would like to cover all of my bases with one certificate...
Is this possible?





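The wildcard rule from the reply (`*.acme.com` covers www1.acme.com and www2.acme.com, `*.*.com` never works) as a matcher, added here as an example and not code from the list or from any CA. It goes a little beyond the reply by codifying the rest of the rule as browsers apply it: the wildcard must be the whole leftmost label, at least two labels must follow it, and it stands for exactly one label. That last point answers the question about the four names: a single `*.arhosting.com` certificate covers `www.` and `secure.` but neither the bare `arhosting.com` nor `www.secure.arhosting.com`, which is also what the check reports. The hostnames are the ones listed in the question; the certificate name lists are constructed.

```python
def hostname_matches(cert_name, hostname):
    """Does a name from a certificate (plain or wildcard) cover hostname?

    Rules applied, as browsers treat them:
    - comparison is case-insensitive and ignores a trailing dot;
    - '*' is accepted only as the entire leftmost label, and only when at
      least two labels follow it (so *.com and *.*.com are rejected);
    - the wildcard stands for exactly one label, so *.acme.com covers
      www1.acme.com but neither acme.com nor a.b.acme.com.
    """
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = hostname.lower().rstrip(".").split(".")
    if "*" not in cert_name:
        return pattern == labels
    if pattern[0] != "*" or any("*" in label for label in pattern[1:]):
        return False          # partial (w*.acme.com) or non-leftmost wildcard: reject
    if len(pattern) < 3:
        return False          # *.com style: never accepted
    return (len(labels) == len(pattern)
            and labels[0] != ""
            and labels[1:] == pattern[1:])


def coverage(cert_names, wanted_hosts):
    """Map each wanted hostname to whether any of the certificate's names covers it."""
    return {host: any(hostname_matches(name, host) for name in cert_names)
            for host in wanted_hosts}


def uncovered(cert_names, wanted_hosts):
    """The hostnames a certificate carrying these names would still warn on."""
    return [host for host, ok in coverage(cert_names, wanted_hosts).items() if not ok]


# The four names from the question, checked against a constructed single wildcard name.
WANTED = ["arhosting.com", "www.arhosting.com",
          "secure.arhosting.com", "www.secure.arhosting.com"]

if __name__ == "__main__":
    print(coverage(["*.arhosting.com"], WANTED))
    print("still warns on:", uncovered(["*.arhosting.com"], WANTED))
```

`coverage` takes a list of names because a certificate may carry several; passing the wildcard together with the bare domain and a second wildcard for the deeper level is the combination that leaves nothing uncovered.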


RE: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

2003-01-13 Thread Boyle Owen
-Original Message-
From: James Collier [mailto:[EMAIL PROTECTED]]

I realise I am on thin ice as it would be a reasonable optimisation to
assign the final virtual host at an earlier stage than is currently the
case with SSL.

I wouldn't worry too much. Currently, in an SSL transaction, *all*
information is regarded as requiring encryption - including the Host
header in the original request. So the SSL session has to be established
before any traffic takes place. Anything different (e.g. putting the
host header in the SSL layer) would be a major revision of the protocol.
One of two things will happen first:

- IPv6 will take off, creating so many IP addresses that NBVH will be
unnecessary and we will revert to one site, one IP.
- A new SSL-like protocol will appear which promotes the site name to
the SSL layer thus enabling NBVH.

Either way, you'll need substantially to upgrade and reconfigure your
server so you'll be well aware of the changes.

Rgds,

Owen Boyle




RE: Confession: I use NBVHs with SSL (was Re: 2 VirtualHosts with 2 Certificates)

2003-01-13 Thread Boyle Owen
-Original Message-
From: James Collier [mailto:[EMAIL PROTECTED]]

At the moment, the handshake take place using the first matching vhost 
on the basis of IP+Port, but evidently Apache then scans the decrypted 
host header and assigns the correct NBVH. 

Exactly. The SSL transaction is handled by mod_ssl. The apache core is only used 
initially to deliver a certificate to the SSL Engine. As you rightly say, given only 
an IP address and port number, it simply responds with the first cert it finds in a 
matching VH. Having obtained a cert, mod_ssl establishes the SSL channel with the 
browser - thereafter, the requests are decrypted and passed en clair to the apache 
core. So now apache can apply its NBVH algorithm happily. 

This is using 1.3.x; I haven't tested 2.x yet.

It will be the same. This is a feature of the HTTPS layer and is unaffected by what 
happens in the apache core, which is under HTTPS.

My fear is that future apache+modssl code may lock-in the first NBVH 
that matches on the basis of IP+Port, which would break my scheme.

Not likely. Each request is allowed to contain its own Host header. So there is no 
reason why the server should override it. In any case, there is no mechanism for the 
server to remember that subsequent requests from a particular client were originally 
served from a certain VH. HTTPS is an additional onion-layer which entirely 
encapsulates HTTP so there should be no spillover from one to the other.

Rgds,

Owen Boyle


   Regards,
  James.

PS For those of you who were wondering, we use a private CA to issue the
wildcard server cert.  As someone has already noted, Thawte advertise
them as well.

Boyle Owen wrote:
-Original Message-
From: James Collier [mailto:[EMAIL PROTECTED]]

I realise I am on thin ice as it would be a reasonable 
optimisation to assign the final virtual host at an earlier 
stage than is currently the case with SSL.
 ^^^
 I meant apache+modssl
 
 



RE: 2 VirtualHosts with 2 Certificates

2003-01-09 Thread Boyle Owen
-Original Message-
From: Irving Carrion [mailto:[EMAIL PROTECTED]]
Sent: Donnerstag, 9. Januar 2003 15:42
To: [EMAIL PROTECTED]
Subject: RE: 2 VirtualHosts with 2 Certificates


Everyone knows this question will not stop coming... is it possible to
return an error message to the user when restarting apache?  

The trouble is that it is not really an error.

- mod_ssl asks apache for the certificate pertaining to the virtual host
defined by the request's TCP/IP attributes (IP and port).
- Apache uses its standard ruleset (namely: if you have several VHs on
the same IP/port, use the first one) to get the cert.
- mod_ssl receives the cert and happily does the SSL negotiation.

There is nothing illegal in a config which attempts NBVH with SSL VHs so
it is difficult to spot the error. 

Only a suggestion  =)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of James Barwick
Sent: Wednesday, January 08, 2003 4:30 PM
To: [EMAIL PROTECTED]
Subject: Re: 2 VirtualHosts with 2 Certificates

Should have read the MOST FREQUENTLY ASKED FREQUENTLY ASKED 
QUESTIONS!!!

Can't do that.  Learn a little more about SSL.  It's IP based, not name
based.  So, you can only have one certificate and one virtual host on
92.35.28.17:443.  Sorry...but that's the way it goes.

Same question answer number four billion six hundred seventeen million 
two hundred thirty-four thousand nine hundred twenty-four!

;)

JDB

toxshark wrote:

 i have the apache configured with 2 VirtualHosts on port 443.

 both VirtualServers have separate CertificateFiles and 
 CertificateKeyFiles.

 but now if i connect to the VirtualHost2, the Host has the 
 Certificate from the VirtualServer1!

 both Hosts now have the same Certificate.

 my httpd.config:

 ...

 NameVirtualHost 92.35.28.17:443

 <VirtualHost 92.35.28.17:443>
 ServerName domain1.com
 ServerAlias www.domain1.com
 DocumentRoot /web1/
 SSLEngine on
 SSLCertificateFile /usr/local/etc/apache/key/ssl1.cert
 SSLCertificateKeyFile /usr/local/etc/apache/key/ssl1.key
 </VirtualHost>

 <VirtualHost 92.35.28.17:443>
 ServerName domain2.com
 ServerAlias www.domain2.com
 DocumentRoot /web2/
 SSLEngine on
 SSLCertificateFile /usr/local/etc/apache/key/ssl2.cert
 SSLCertificateKeyFile /usr/local/etc/apache/key/ssl2.key
 </VirtualHost>

 ...






RE: DoS attack on mod_ssl 2.8.12 ??

2002-12-20 Thread Boyle Owen
There is a major thread running on the openssl list about this very
thing (Slapper worm)... Starts here:

http://www.mail-archive.com/openssl-users@openssl.org/msg29762.html

Rgds,

Owen Boyle

-Original Message-
From: Sergey Strakhov [mailto:[EMAIL PROTECTED]]
Sent: Donnerstag, 19. Dezember 2002 17:04
To: [EMAIL PROTECTED]
Cc: Pedro Nascimento; Greg Davydouski
Subject: DoS attack on mod_ssl 2.8.12 ??


Hello,

We are experiencing problems with our Win32 Apache 1.3.27 with mod_ssl
2.8.12 + openssl 0.9.6g running on Windows 2000.
It is a sort of DoS attack that makes our web site totally 
inaccessible.

One of those attacks was captured with Ethereal. The dump is attached.

As you can see, the attack is accomplished through both HTTP (80) and
HTTPS (443) ports.
First, the connection is opened to the HTTP port and a malformed
HTTP/1.1 GET request (with no Host: header) is sent to the HTTP port
(probably with an intention to produce a crash described in
http://www.cert.org/advisories/CA-2002-27.html or just to determine the
host's Server version). The server responds with HTTP/1.1 400 Bad
request and closes the connection. After that the attacker starts
opening connections to the HTTPS port. One of them is used to send an
SSLv2 Client Hello request. From this point the web server starts rejecting
all incoming connections and the web site stops responding on both HTTP
and HTTPS ports.

The error log usually contains records like:

[..time..] [error] [client ..] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[..time..] [error] Server ran out of threads to serve requests. Consider raising the ThreadsPerChild setting

Is this problem related to mod_ssl anyhow?
Do you expect any fix for this problem soon?

Regards

P.S. We have the ThreadsPerChild parameter of httpd.conf set to 10.
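The two error-log records quoted above are enough to build a first-line detector for the pattern described in this report. The script below is an added example, not code from the list or from mod_ssl: it parses Apache 1.3 error_log lines of the shape quoted (timestamp, level, optional client address, message) and, for every "Server ran out of threads" event, lists the clients that sent a host-less HTTP/1.1 request shortly before it. The sample log lines, their timestamps and the client addresses are constructed for the example, and the 60-second correlation window is an assumption to tune against real traffic.

```python
import re
from datetime import datetime, timedelta

# Apache 1.3 error_log line: "[timestamp] [level] [client ip] message"; the
# client part is absent on server-wide messages such as thread exhaustion.
LINE_RE = re.compile(r'^\[(.+?)\] \[(\w+)\] (?:\[client ([\d.]+)\] )?(.*)$')
NO_HOST_MSG = "request without hostname"
EXHAUSTED_MSG = "ran out of threads"


def parse_line(line):
    """Return (timestamp, level, client_or_None, message), or None for odd lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
    return ts, m.group(2), m.group(3), m.group(4)


def correlate(lines, window=timedelta(seconds=60)):
    """For every 'ran out of threads' event, list the clients that sent a
    host-less HTTP/1.1 request within `window` before it.
    Returns a list of (event_timestamp, sorted client list)."""
    probes = []   # (timestamp, client) of every host-less request seen so far
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _level, client, msg = parsed
        if client and NO_HOST_MSG in msg:
            probes.append((ts, client))
        elif EXHAUSTED_MSG in msg:
            recent = sorted({c for t, c in probes if ts - window <= t <= ts})
            events.append((ts, recent))
    return events


# Constructed sample log (timestamps and addresses are made up; the message
# texts are the two quoted in the report).  10.9.9.9 sent one stray host-less
# request 24 minutes earlier; 10.1.2.3 probes right before the exhaustion.
SAMPLE_LOG = [
    "[Thu Dec 19 16:40:02 2002] [error] [client 10.9.9.9] client sent HTTP/1.1 "
    "request without hostname (see RFC2616 section 14.23): /",
    "[Thu Dec 19 17:03:55 2002] [error] [client 10.1.2.3] client sent HTTP/1.1 "
    "request without hostname (see RFC2616 section 14.23): /",
    "[Thu Dec 19 17:04:01 2002] [error] [client 10.1.2.3] client sent HTTP/1.1 "
    "request without hostname (see RFC2616 section 14.23): /",
    "[Thu Dec 19 17:04:30 2002] [error] Server ran out of threads to serve "
    "requests. Consider raising the ThreadsPerChild setting",
]

if __name__ == "__main__":
    for ts, clients in correlate(SAMPLE_LOG):
        print(f"{ts}: thread pool exhausted; host-less probes in the last minute from {clients}")
```

Run as a script it reports the one exhaustion event with 10.1.2.3 as the only client inside the window; widening the window pulls in the earlier stray request too, which is the knob to adjust before pointing this at a busy server's log.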






RE: Mod_ssl and apache 2.0.40

2002-12-17 Thread Boyle Owen
It is an obvious loop. Why are you surprised that this loops? Please
provide:

1) Example of incoming URL
2) What you want it to translate to

Rgds,

Owen Boyle

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
Sent: Montag, 16. Dezember 2002 15:32
To: [EMAIL PROTECTED]
Subject: Mod_ssl and apache 2.0.40


Hello,

I installed on a PC running Linux Red Hat 8.0 the Apache 2.0.40 web server
and mod ssl 0.9.6b (the configuration included in Red Hat 8.0).

I want to access a directory of my site with SSL. The directory's site
pages have been written in HTML without SSL. To avoid rewriting all the
pages, I tried to put the following directives in /etc/httpd/conf.d/ssl.conf

<Location /test>
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/home/httpd/html/telechargement/(.*)$ https://%{SERVER_NAME}/telechargement/$1 [R,L]
</Location>

If I test http://machine.site/telechargement/fichier.html, the server
loops permanently. I obtain the following messages in ssl_access_log:

143.196.30.134 - - [10/Dec/2002:11:00:22 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295
143.196.30.134 - - [10/Dec/2002:11:00:23 +0100] "GET /test/compteftp.doc HTTP/1.1" 302 295

I have read a lot of the mailing list archives and the Apache FAQ. I have
seen that a lot of solutions for this matter have been found with Apache
1.3.*. So I compiled apache_1.3.27 with mod-ssl_2.8.12 on the same PC. I
tested this server with the same config and it works fine.

Does anyone know where the problem is?

Regards





RE: POST with mod_ssl intermittently fails with a 405

2002-12-17 Thread Boyle Owen
Your OpenSSL libs are a bit old - there have been many important code
updates since 0.9.6b. In particular, the most recent update (0.9.6h)
fixed race condition bugs that were causing intermittent failures. Try
an upgrade first, I would advise...

Rgds,

Owen Boyle

-Original Message-
From: Jan-Piet Mens [mailto:[EMAIL PROTECTED]]
Sent: Dienstag, 17. Dezember 2002 16:07
To: [EMAIL PROTECTED]
Subject: POST with mod_ssl intermittently fails with a 405


Hello,

I've got a self-built Apache on a RedHat 7.3 Linux box with Apache/2.0.43,
mod_ssl/2.0.43, OpenSSL/0.9.6b, PHP/4.2.3 and mod_authzldap 0.22

Every so often a PHP page is called with a POST request to send data to the
server. The whole server area is protected via the following settings in
ssl.conf:

<Directory /var/www/html/ca>
Options Indexes FollowSymLinks ExecCGI
DirectoryIndex index.php index.cgi
SSLOptions FakeBasicAuth ExportCertData CompatEnvVars StrictRequire StdEnvVars OptRenegotiate

SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth  4
SSLRequire ( \
%{SSL_CIPHER} !~ m/^(EXP|NULL)/ and \
%{SSL_CLIENT_I_DN_CN} eq "my CA" )

AuthzLDAPEngine on
AuthzLDAPAuthoritative  on
AuthzLDAPServer localhost:389
AuthzLDAPBindDN cn=manager,dc=mydomain,dc=com
AuthzLDAPBindPassword   terriblysecret
AuthzLDAPUseCertificate on
AuthzLDAPSetAuthorization   on
AuthzLDAPUseSerial  on
AuthzLDAPMapBase    ou=AuthzLDAPCertmap,dc=mydomain,dc=com
AuthzLDAPMapScope   subtree
AuthzLDAPLogLevel   warn
AuthzLDAPCacheConnection    off
AuthzLDAPCacheSize  0
AuthName    AuthzLDAP
AuthType    Basic
</Directory>

and with the following require in .htaccess of the same directory:

   require user CN=Jan-Piet [EMAIL PROTECTED]

GET operations always work perfectly (BTW almost all resources are .PHP).
Once in a while a POST method is attempted which then sometimes fails (not
always). When it has failed, subsequent GET methods on different pages do
not work either. After a certain time which always differs, the GET will work
and the following POST also.

I've tried changing SSLSessionCache to `shm' and SSLMutex to `sem' thinking
it had something to do with it, but to no avail. The value of
SSLSessionCacheTimeout doesn't seem to matter either.

At the time of the failure, the logs have this in them:

error_log:
   [Tue Dec 17 15:38:21 2002] [notice] Apache/2.0.43 (Unix) mod_ssl/2.0.43 OpenSSL/0.9.6b PHP/4.2.3 configured -- resuming normal operations
   [Tue Dec 17 15:48:08 2002] [error] SSL Re-negotiation in conjunction with POST method not supported!
   hint: try SSLOptions +OptRenegotiate

access_log:
   10.0.0.1 - - [17/Dec/2002:15:48:08 +0100] "POST /ca/ra/upd.php HTTP/1.1" 405 312
   10.0.0.1 - - [17/Dec/2002:15:48:28 +0100] "GET /ca/ra/req.php HTTP/1.1" 403 292
   10.0.0.1 - CN=Jan-Piet [EMAIL PROTECTED] [17/Dec/2002:15:49:21 +0100] "GET /ca/ra/req.php HTTP/1.1" 200 4936

ssl_request_log:
   [17/Dec/2002:15:48:08 +0100] 10.0.0.1 TLSv1 RC4-MD5 "POST /ca/ra/upd.php HTTP/1.1" 312 s_dn=-,  issuer=-

The clients are a mixture of Mozilla 1.2 and Internet Explorer 6.0 all
with a client cert issued by my CA. The issue affects both clients (Netscape
4.5 shows the same)

Can someone help me resolve this, please ?

Thank you very much.
Regards,
   -JP


RE: Problem with IP/Port Based (NOT Name Based) virtual hosts.

2002-12-11 Thread Boyle Owen
I don't really understand what can be wrong - your config looks OK and
if the logs and docroots are accurate, I don't see how it can be going
into the wrong VH. Therefore, you must be mistaken about the certificate
files.

Are you sure you don't have symlinks or something funny which could
allow one server to see the other's certs in place of its own?

When you say "gets the wrong cert" do you mean that you get a browser
warning "cert does not match FQDN"?

rgds,

Owen Boyle

-Original Message-
From: Alex Tang [mailto:[EMAIL PROTECTED]]
Sent: Dienstag, 10. Dezember 2002 09:57
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Problem with IP/Port Based (NOT Name Based) virtual hosts.


Hi there.  Thanks for the help.  I have some followup comments 
inline...


On Tue, Dec 10, 2002 at 09:04:35AM +0100, Boyle Owen wrote:
 You must be the first guy to figure this out from the docs! Well done
 :-)

Ha.  Thanks. :)

 However, I'm trying to setup my server (apache 2.0.43, OpenSSL
 0.9.7-beta5, RH Linux 7.3) to do IP or Port based virtual hosts.
 
 It seems that the server will only ever use the first cert declared.
 
 I have the following in my httpd.conf (well, technically a file
 included by httpd.conf)
 
 SSLSessionCache dbm:/var/cache/mod_ssl/scache
 SSLSessionCacheTimeout  300
 SSLMutex  file:logs/ssl_mutex
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin
 
 <VirtualHost 192.168.7.31:443>
 ServerName  A.funkware.com
 ServerAdmin [EMAIL PROTECTED]
 ErrorLog    logs/A/error_log
 CustomLog   logs/A/access_log combined
 
 SSLEngine on
 SSLCertificateFile  /usr/local/etc/A.Cert
 SSLCertificateKeyFile   /usr/local/etc/A.key
 
 DocumentRoot    /webdocs/A
 
 # other sundry virtual host directory stuff here.
 </VirtualHost>
 
 Looks OK...
 
 
 <VirtualHost 192.168.7.33:443>
 AddType application/x-x509-ca-cert .crt
 AddType application/x-pkcs7-crl .crl
 
 
 ServerName  B.funkware.com
 ServerAdmin [EMAIL PROTECTED]
 ErrorLog    logs/B/error_log2
 CustomLog   logs/B/access_log2 combined
 
 SSLEngine on
 SSLCertificateFile  /etc/httpd/conf/httpd-cert-3443.cert
 SSLCertificateKeyFile   /etc/httpd/conf/httpd-cert-3443.key
 
 DocumentRoot    /local/private/OpenCA/httpd/htdocs/pub
 
 # other sundry virtual host directory stuff here.
 
 </VirtualHost>
 
 Looks OK too...   
 
 Like i said, when i startup the server, the first cert (A.Cert) is used
 for both virtual hosts.  Does this setup look correct?  Is there
 something I missed?
 
 Here are a couple more tidbits of info that i've learned...I don't know
 if any of it is useful though...
 
   * All the certs and keys are valid.  I've verified it using OpenSSL.
   * When I get the root page for both virtual hosts, i get the proper
 page for each server.
 
 What exactly do you mean here... Do you mean that:
 
 https://A.funkware.com/ - /webdocs/A
 https://B.funkware.com/ - /local/private/OpenCA/httpd/htdocs/pub
 
 or do you mean via HTTP?

Sorry about that.  I should have been more clear.  Your assumption was
correct:

https://A.funkware.com/ - /webdocs/A
https://B.funkware.com/ - /local/private/OpenCA/httpd/htdocs/pub

This part of the VirtualHost information is being properly 
read and used.


   * If i change the second SSLCertificateFile to a bogus file or
 something that doesn't exist, the server will not startup (as
 expected).  However, the second cert is still not used.
 
 As you say, this is normal - missing files or directories cause apache
 to abort during startup, long before any network setup is done.

Sure.  I understand.

   * If i change the order (putting the VirtualHost declaration for .33
 before .31), the behavior is consistent: the httpd-cert-3443.cert is
 used for both servers.
 
 I suspect a DNS or routing problem... I notice you have real .com
 domain names which implies these sites are available on the internet.
 However, the IP addresses are on the 192.168.0.0 private network. This
 implies that you have a firewall and/or router with network address
 translation between the webserver and the web. Are you sure that, after
 NAT, A.funkware.com resolves to 192.168.7.31 and that B.funkware.com
 resolves to 192.168.7.33?
 
 I suspect that both FQDNs are resolving to the same internal IP
 address...

You are correct again that I am working behind a firewall using the
192.168.7/24 network.  Unfortunately, I know that the FQDNs are correct (i
run the DNS).

For my testing, I am working completely behind the wall, I am running the
client on a machine at 192.168.7.20, and my netmask on all machines is
255.255.255.0, hence all machines are on the same subnet.  There is no NAT
being done

RE: Problem with IP/Port Based (NOT Name Based) virtual hosts.

2002-12-10 Thread Boyle Owen
See comments..

-Original Message-
From: Alex Tang [mailto:[EMAIL PROTECTED]]
Sent: Dienstag, 10. Dezember 2002 08:07
To: [EMAIL PROTECTED]
Cc: Alex Tang
Subject: Problem with IP/Port Based (NOT Name Based) virtual hosts.


Hi folks.

I've read a bunch about how you can only do virtual hosting 
using IPs or Ports, not using NBVH.  No problem.

You must be the first guy to figure this out from the docs! Well done
:-)

However, I'm trying to setup my server (apache 2.0.43, OpenSSL
0.9.7-beta5, RH Linux 7.3) to do IP or Port based virtual hosts.  

It seems that the server will only ever use the first cert declared.  

I have the following in my httpd.conf (well, technically a file included
by httpd.conf)

SSLSessionCache dbm:/var/cache/mod_ssl/scache
SSLSessionCacheTimeout  300
SSLMutex  file:logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

<VirtualHost 192.168.7.31:443>
ServerName  A.funkware.com
ServerAdmin [EMAIL PROTECTED]
ErrorLog    logs/A/error_log
CustomLog   logs/A/access_log combined

SSLEngine on
SSLCertificateFile  /usr/local/etc/A.Cert
SSLCertificateKeyFile   /usr/local/etc/A.key

DocumentRoot    /webdocs/A

# other sundry virtual host directory stuff here.
</VirtualHost>

Looks OK...


<VirtualHost 192.168.7.33:443>
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl


ServerName  B.funkware.com
ServerAdmin [EMAIL PROTECTED]
ErrorLog    logs/B/error_log2
CustomLog   logs/B/access_log2 combined

SSLEngine on
SSLCertificateFile  /etc/httpd/conf/httpd-cert-3443.cert
SSLCertificateKeyFile   /etc/httpd/conf/httpd-cert-3443.key

DocumentRoot    /local/private/OpenCA/httpd/htdocs/pub

# other sundry virtual host directory stuff here.

</VirtualHost>

Looks OK too...


Like i said, when i startup the server, the first cert (A.Cert) is used
for both virtual hosts.  Does this setup look correct?  Is there something
I missed?  

Here are a couple more tidbits of info that i've learned...I don't know if
any of it is useful though...

  * All the certs and keys are valid.  I've verified it using OpenSSL.
  * When I get the root page for  both virtual hosts, i get the proper
page for each server.

What exactly do you mean here... Do you mean that:

https://A.funkware.com/ - /webdocs/A
https://B.funkware.com/ - /local/private/OpenCA/httpd/htdocs/pub

or do you mean via HTTP?

  * If i change the second SSLCertificateFile to a bogus file or
something that doesn't exist, the server will not startup (as
expected).  However, the second cert is still not used.

As you say, this is normal - missing files or directories cause apache
to abort during startup, long before any network setup is done.

  * If i change the order (putting the VirtualHost declaration for .33
before .31), the behavior is consistent: the httpd-cert-3443.cert is
used for both servers.

I suspect a DNS or routing problem... I notice you have real .com
domain names which implies these sites are available on the internet.
However, the IP addresses are on the 192.168.0.0 private network. This
implies that you have a firewall and/or router with network address
translation between the webserver and the web. Are you sure that, after
NAT, A.funkware.com resolves to 192.168.7.31 and that B.funkware.com
resolves to 192.168.7.33?

I suspect that both FQDNs are resolving to the same internal IP
address... 

Rgds,

Owen Boyle

Thanks a bunch.

...alex...
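Both the name-based-SSL mistake in the "2 VirtualHosts with 2 Certificates" thread (mod_ssl picks the certificate by IP:port before the Host header can be read, so Apache silently serves the first block's cert to every name) and the DNS suspicion in this thread come down to checks that can be run against the config before the server is started. The script below is an added example, not code from the list or from mod_ssl/Apache. It parses <VirtualHost> blocks out of a config string, flags SSL vhosts that share one IP:port but name different SSLCertificateFile values, reports blocks that share one cert as the wildcard scheme from the earlier thread, and compares each ServerName against the address its block is bound to through a caller-supplied resolver. The resolver here is a constructed dict so the script runs offline; in real use something like socket.gethostbyname would be passed instead. The two sample configs are the ones from the threads, cut down to the relevant directives.

```python
import re
from collections import defaultdict

# One <VirtualHost addr> ... </VirtualHost> block, and one "Directive value" line.
VHOST_RE = re.compile(r'<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>', re.S | re.I)
DIRECTIVE_RE = re.compile(r'^\s*([A-Za-z]\S*)\s+(.*?)\s*$', re.M)


def parse_vhosts(conf):
    """One dict per <VirtualHost>: bound addr, SSLEngine flag, cert file, ServerName."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        vh = {"addr": addr.strip(), "ssl": False, "cert": None, "name": None}
        for key, val in DIRECTIVE_RE.findall(body):
            key = key.lower()
            if key == "sslengine":
                vh["ssl"] = val.lower() == "on"
            elif key == "sslcertificatefile":
                vh["cert"] = val
            elif key == "servername":
                vh["name"] = val
        vhosts.append(vh)
    return vhosts


def check_shared_address(vhosts):
    """Group SSL vhosts by IP:port -> {addr: (status, [names])}.  'shared-cert'
    is the wildcard scheme; 'cert-mismatch' means only the first cert is ever sent."""
    groups = defaultdict(list)
    for vh in vhosts:
        if vh["ssl"]:
            groups[vh["addr"]].append(vh)
    report = {}
    for addr, members in groups.items():
        names = [m["name"] for m in members]
        if len(members) == 1:
            report[addr] = ("ok", names)
        elif len({m["cert"] for m in members}) == 1:
            report[addr] = ("shared-cert", names)
        else:
            report[addr] = ("cert-mismatch", names)
    return report


def check_name_resolution(vhosts, resolve):
    """resolve(name) -> IP.  Returns (name, bound_ip, resolved_ip) for every
    ServerName that does not resolve to the address its block is bound to."""
    problems = []
    for vh in vhosts:
        if vh["name"]:
            bound_ip = vh["addr"].rsplit(":", 1)[0]
            resolved = resolve(vh["name"])
            if resolved != bound_ip:
                problems.append((vh["name"], bound_ip, resolved))
    return problems


def lint(conf, resolve=None):
    """Run both checks on a config string; returns human-readable findings."""
    vhosts = parse_vhosts(conf)
    findings = []
    for addr, (status, names) in check_shared_address(vhosts).items():
        if status == "cert-mismatch":
            findings.append(f"{addr}: {len(names)} SSL vhosts with different certs; "
                            f"only the cert of {names[0]} will ever be served")
        elif status == "shared-cert":
            findings.append(f"{addr}: {len(names)} SSL vhosts share one cert (wildcard scheme)")
    if resolve is not None:
        for name, bound_ip, resolved in check_name_resolution(vhosts, resolve):
            findings.append(f"{name}: bound to {bound_ip} but resolves to {resolved}")
    return findings


# Constructed sample: the two name-based SSL vhosts from the "2 VirtualHosts" thread.
NBVH_CONF = """NameVirtualHost 92.35.28.17:443
<VirtualHost 92.35.28.17:443>
ServerName domain1.com
SSLEngine on
SSLCertificateFile /usr/local/etc/apache/key/ssl1.cert
</VirtualHost>
<VirtualHost 92.35.28.17:443>
ServerName domain2.com
SSLEngine on
SSLCertificateFile /usr/local/etc/apache/key/ssl2.cert
</VirtualHost>
"""

# Constructed sample: the two IP-based vhosts from this thread.
IP_CONF = """<VirtualHost 192.168.7.31:443>
ServerName A.funkware.com
SSLEngine on
SSLCertificateFile /usr/local/etc/A.Cert
</VirtualHost>
<VirtualHost 192.168.7.33:443>
ServerName B.funkware.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/httpd-cert-3443.cert
</VirtualHost>
"""

# Constructed DNS answers standing in for a real resolver: both names point at .31.
FAKE_DNS = {"A.funkware.com": "192.168.7.31", "B.funkware.com": "192.168.7.31"}

if __name__ == "__main__":
    for finding in lint(NBVH_CONF) + lint(IP_CONF, FAKE_DNS.get):
        print(finding)
```

Run as a script it prints one finding per config: the name-based pair is reported as a cert mismatch on 92.35.28.17:443, and B.funkware.com is reported as bound to .33 while resolving to .31. The parser deliberately knows nothing about NameVirtualHost: the point of the first check is that the config is legal and Apache never complains, so the only signal is two SSL blocks on one socket with different certificate files.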


RE: changing certificate

2002-12-06 Thread Boyle Owen


You can't. Otherwise you could change it to www.amazon.com

You need a new cert - which might be a problem if it's not self-signed.

  -Original Message-
  From: Gilberto Garcia Jr. [mailto:[EMAIL PROTECTED]]
  Sent: Freitag, 6. Dezember 2002 13:15
  To: mod ssl
  Subject: changing certificate
  Hey guys,
  
  i have a debian woody 3.0 linux installed at home. When i was
  installing apache-ssl i made a typing mistake, so my ssl domain was
  wrong, and i need to know how to reconfigure my certificate.
  
  ps - the apache home, http://127.0.0.1, doesn't want to open; is it
  related to the certificate error?
  
  thx





RE: how to add multiple SSL cert for each virtual host?

2002-12-04 Thread Boyle Owen
From: Cliff Woolley [mailto:[EMAIL PROTECTED]]

But please, people, this is SUCH a frequently asked question.  
Definitely one of the top three. 

I'd say it is THE most frequently asked question (but I can't be
bothered scanning the archives to prove it :-)

The FAQ (http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47) is all very
well, but it is rather technical for a newbie and, having been written
by someone for whom English is a second language, is not as illuminating
as it might be. I had a go at re-writing it a few years ago
(http://marc.theaimsgroup.com/?l=apache-modssl&m=98559369910170&w=2) so
maybe we could start there...

However, given the tendency of people to read the instructions only if
all else fails, putting a warning in the default config sounds like a
good idea. Putting an error message in the source-code would be even
better!

Rgds,

Owen Boyle




RE: can´t configure mod_ssl

2002-11-22 Thread Boyle Owen
Have you tried?

Post your attempted config directives and describe what happened or went
wrong and I'm sure someone will respond.

-Original Message-
From: Gilberto Garcia Jr. [mailto:[EMAIL PROTECTED]]
Sent: Freitag, 22. November 2002 13:12
To: mod ssl
Subject: can´t configure mod_ssl


Hey guys,

Can someone explain to me how to configure mod_ssl on an apache web server? I
have installed apache with mod_ssl on a red hat 7.3

thanks




RE: can´t configure mod_ssl

2002-11-22 Thread Boyle Owen
You have to describe clearly what you did.
- Post the extract of httpd.conf which defines your SSL virtual host
- cut'n'paste the command you are using to start apache in SSL
- post the *exact* error you receive 
- post any messages which appear in the ssl_engine_log and/or error_log

Then we might be able to help.

-Original Message-
From: Gilberto Garcia Jr. [mailto:[EMAIL PROTECTED]]
Sent: Freitag, 22. November 2002 15:43
To: mod ssl
Subject: can´t configure mod_ssl


Yes, I've tried.

I followed a lot of tutorials. I created one certificate at all.

But when I tried $ curl https://127.0.0.1/ I got an error.

And in most of the tutorials I saw the httpsd start command, and the httpdctl
startssl command. But I didn't find either of the executables on my server.

thanks




RE: Configuring a stand alone SSL enabled apache webserver

2002-11-21 Thread Boyle Owen
I think you're misunderstanding something about how apache and SSL work.
It is not that you switch on SSL over all VHs like it was a Romulan
Cloaking Device...

Rather, SSL (more properly, HTTPS) is a protocol you define for a
particular virtual host. This means the SSL directives *must* go inside
a VH container. The only exception is if you don't use VHs at all and
only have one site which is defined at server config level (i.e. there
are no VH containers at all and only one DocumentRoot). Then the SSL
directives can be at config level.

To put it another way;

- Listen directives tell apache which TCP/IP sockets to listen to.
- DocumentRoot directives tell apache where to find the start of each
site's content.
- VHs map Listens to DocumentRoots, i.e. TCP/IP sockets to directories.
- The protocol to be used (HTTP or HTTPS) is defined separately for each
VH.

Rgds,

Owen Boyle

-Original Message-
From: Kent Perrier [mailto:[EMAIL PROTECTED]]
Sent: Mittwoch, 20. November 2002 14:40
To: [EMAIL PROTECTED]
Subject: Re: Configuring a stand alone SSL enabled apache webserver


On Tue, 2002-11-19 at 15:53, R. DuFresne wrote:
> 
> As far as I'm aware, and others can correct me if I'm saying something
> wrong here, the virtual server directives are optional.  The key would be
> the server root for the ssl based pages to be served, though enclosing a
> SERVERROOT directive within the virtual server directives would benefit
> you in separation of pages being served.  don't be overly confused by
> the virtual server directives, they aren't just for VH hosting <smile>.
> 

The question is, how do I turn SSL on outside of a virtual server?  The
"SSLEngine On" directive gives me the "Illegal attempt to re-initialize
SSL for server" error.  I comment this out, the server starts, I see
mod_ssl listed in the error_log when the server starts and the server is
listening on port 443, but it will not accept SSL connections.  I now
have a standard web server running on port 443, not 80.

FYI, I don't really want to separate the pages being served, I need
apache to be the front end for a Tomcat based e-commerce application and
I am having problems with getting mod_jk working inside the virtual
server that hosts the SSL enabled server.  I decided to go this route as
I thought it would be easier and server resources are not an issue.

Kent



RE: Re[2]: SSL with multiple domains on same server

2002-11-21 Thread Boyle Owen
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]

are you saying i can use the same ip and two different port to 
be able to have more than one vhs under ssl?

Certainly. e.g.

Listen 192.168.1.1:443
<VirtualHost 192.168.1.1:443>
..etc

Listen 192.168.1.1:444
<VirtualHost 192.168.1.1:444>
..etc

The rule is: SSL VHs must be distinct at TCP/IP level (i.e. ip addr and
port pair must be distinct).

Rgds,

Owen Boyle




RE: Re[5]: SSL with multiple domains on same server

2002-11-21 Thread Boyle Owen
Great! But do you know why?

BindAddress is a deprecated directive which is replaced by Listen. What
you have done is said to apache, "listen to all active IP addresses".

I think the real problem is to do with your NAT (which you didn't
mention on your original post). This meant that the IP addresses your
browser was using were different from the incoming IP addresses on the
apache box. If you had used Listen with the real IPs, it would've worked
too.

-Original Message-
From: Ludovic Perard [mailto:[EMAIL PROTECTED]]
Sent: Donnerstag, 21. November 2002 11:34
To: [EMAIL PROTECTED]
Subject: Re[5]: SSL with multiple domains on same server


Hello Boyle,

  I found the solution:

  The line "BindAddress *" needs to be uncommented.

  Now, all works fine :)

-- 
Best regards,
 Ludovic   
 [EMAIL PROTECTED]





RE: SSL with multiple domains on same server

2002-11-20 Thread Boyle Owen
You are trying to run two name based VHs under SSL. You cannot do this
(see http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47).

The problem is that SSL encapsulates HTTP so the SSL session has to be
negotiated before any HTTP traffic can be seen. But the hostname is in
the HTTP request, so apache cannot decide which VH to use - so it uses
the first by default.

You need to use separate IPs and/or ports...

Rgds,
Owen Boyle

-Original Message-
From: Ludovic Perard [mailto:[EMAIL PROTECTED]]
Sent: Mittwoch, 20. November 2002 15:25
To: [EMAIL PROTECTED]
Subject: SSL with multiple domains on same server


Hello.

  I'm trying to set up Apache with SSL on Windows 2000.

  It is working but I have some troubles with the certificates.

  If my Apache server is server.mydomain.com and I want to have two
  websites with HTTPS. The SSL is well enabled and works fine.

  This is what I did:

  * openssl req -config openssl.cnf -new -out website1.csr

- then I put website1.mydomain.com as common name

  * openssl rsa -in privkey.pem -out website1.key

  * openssl x509 -in website1.csr -out website1.cert -req -signkey website1.key -days 365

- To have a temporary signed key

  Then, I did all these operations a second time for the website2.
  (with website2.mydomain.com as common name for the second .csr)

  At the end, I have these files:

   - website1.cert
   - website1.key
   - website2.cert
   - website2.key

  In httpd.conf I set up both sites:

  <VirtualHost website1.mydomain.com:443>
  SSLEngine On
  SSLCertificateFile ssl/website1.cert
  SSLCertificateKeyFile ssl/website1.key
  </VirtualHost>

  <VirtualHost website2.mydomain.com:443>
  SSLEngine On
  SSLCertificateFile ssl/website2.cert
  SSLCertificateKeyFile ssl/website2.key
  </VirtualHost>

  website1 and website2 have different IP addresses

  And then, my problem appears.

  In my browser, I can go to both sites with SSL, but both take the
  same certificate... Why? Is there a mismatch between the name of the
  server and the names of the websites?

-- 
Best regards,
 Ludovic   
 [EMAIL PROTECTED]





RE: Re[2]: SSL with multiple domains on same server

2002-11-20 Thread Boyle Owen
-Original Message-
From: Ludovic Perard [mailto:[EMAIL PROTECTED]]

I'm already using two different IP addresses


Then it should work. Are you sure? 

Try defining the IP addresses explicitly to reveal any DNS
misconfigurations:

Listen 192.168.1.1:443
VH 192.168.1.1:443
...
Listen 192.168.1.2:443
VH 192.168.1.2:443
...

Rgds,

Owen Boyle




RE: Configuring a stand alone SSL enabled apache webserver

2002-11-20 Thread Boyle Owen
You're correct, there's nothing sacred about using a VirtualHost
container - if you only want one site... 

If you do, you just need a single Listen 443 then put all the SSL
directive at server config level. Your server will then serve only SSL
pages on port 443 and will not respond at all on port 80.

The key to defining the pages to serve is DocumentRoot, incidentally.
ServerRoot defines where to find the root for logs, conf, bin etc. -
i.e. it is usually /usr/local/apache.

If you need additional sites (e.g. plain HTTP on port 80) then you need
to use VHs.

Rgds,

Owen Boyle


-Original Message-
From: R. DuFresne [mailto:[EMAIL PROTECTED]]
Sent: Dienstag, 19. November 2002 22:54
To: Kent Perrier
Cc: [EMAIL PROTECTED]
Subject: Re: Configuring a stand alone SSL enabled apache webserver



As far as I'm aware, and others can correct me if I'm saying something
wrong here, the virtual server directives are optional.  The key would be
the server root for the ssl based pages to be served, though enclosing a
SERVERROOT directive within the virtual server directives would benefit
you in separation of pages being served.  don't be overly confused by
the virtual server directives, they aren't just for VH hosting <smile>.

Thanks,

Ron DuFresne

On 19 Nov 2002, Kent Perrier wrote:

> Hi all,
> 
> I have looked in the archives and I have not found anything, so I am
> asking here.  I want to run a different web server on port 443 for SSL
> traffic (not a virtual server in the configuration file for the server
> on port 80).  Looking at log file, mod_ssl is loaded on start and it is
> listening on port 443, but the server does not support SSL encrypted
> traffic. I removed the SSLEngine On directive from the conf file since
> that only works in a virtual server.  How do I make this work?  I am
> running Apache 1.3.27, mod_ssl 2.8.12 0.9.6g
> 
> FYI, here is my httpd.conf
> 
> Thanks!
> 
> Kent
> 
> ##
> ## httpd.conf -- Apache HTTP server configuration file
> ##
> 
> #
> # Based upon the NCSA server configuration files originally by Rob McCool.
> #
> # This is the main Apache server configuration file.  It contains the
> # configuration directives that give the server its instructions.
> # See <URL:http://www.apache.org/docs/> for detailed information about
> # the directives.
> #
> # Do NOT simply read the instructions in here without understanding
> # what they do.  They're here only as hints or reminders.  If you are unsure
> # consult the online docs. You have been warned.
> #
> # After this file is processed, the server will look for and process
> # /usr/local/apache1.3/conf/srm.conf and then /usr/local/apache1.3/conf/access.conf
> # unless you have overridden these with ResourceConfig and/or
> # AccessConfig directives here.
> #
> # The configuration directives are grouped into three basic sections:
> #  1. Directives that control the operation of the Apache server process as a
> #     whole (the 'global environment').
> #  2. Directives that define the parameters of the 'main' or 'default' server,
> #     which responds to requests that aren't handled by a virtual host.
> #     These directives also provide default values for the settings
> #     of all virtual hosts.
> #  3. Settings for virtual hosts, which allow Web requests to be sent to
> #     different IP addresses or hostnames and have them handled by the
> #     same Apache server process.
> #
> # Configuration and logfile names: If the filenames you specify for many
> # of the server's control files begin with "/" (or "drive:/" for Win32), the
> # server will use that explicit path.  If the filenames do *not* begin
> # with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
> # with ServerRoot set to "/usr/local/apache" will be interpreted by the
> # server as "/usr/local/apache/logs/foo.log".
> #
> 
> ### Section 1: Global Environment
> #
> # The directives in this section affect the overall operation of Apache,
> # such as the number of concurrent requests it can handle or where it
> # can find its configuration files.
> #
> 
> #
> # ServerType is either inetd, or standalone.  Inetd mode is only supported on
> # Unix platforms.
> #
> ServerType standalone
> 
> #
> # ServerRoot: The top of the directory tree under which the server's
> # configuration, error, and log files are kept.
> #
> # NOTE!  If you intend to place this on an NFS (or otherwise network)
> # mounted filesystem then please read the LockFile documentation
> # (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>);
> # you will save yourself a lot of trouble.
> #
> ServerRoot "/usr/local/apache1.3"
> 
> #
> # The LockFile directive sets the path to the lockfile used when Apache
> # is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or
> # USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at
> # its default value. The main reason for changing it is if the logs
> # directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL
> # DISK. The PID of the main server process is automatically appended to
> # 

RE: modssl not running properly

2002-11-14 Thread Boyle Owen
Do you have Listen 443, have you set up an SSL VH, does it say
anything in the SSL engine log, error_log etc..?

-Original Message-
From: Noah Garrett Wallach [mailto:sleek;enabled.com]
Sent: Donnerstag, 14. November 2002 17:09
To: [EMAIL PROTECTED]
Subject: Re: modssl not running properly



okay I used s_client to trace the output - port 443 is just not running -
although I am starting apachectl with the startssl switch.

# openssl s_client -connect myhostname:443 -state -debug
connect: Connection refused
connect:errno=61

this is a FreeBSD 4.7 STABLE machine
and has Apache 1.3.27 and mod_ssl 2.8.12

what else can I tell you about this machine?


- Noah


On Wed, 13 Nov 2002, Noah Garrett Wallach wrote:


> HI,
> 
> okay I just installed modssl apache on my freeBSD 4.7 STABLE box from the
> /usr/ports directory.  I am not able to go to the secure webserver that I
> defined in the httpsd.conf file.  Anybody want to help me figure out how
> to cure this issue?
> 
> - Noah








RE: ModSSL and VirtualHosts

2002-11-08 Thread Boyle Owen
It's an ingenious attempt and it may seem to work but there is a lot
going on that you might not be aware of. Consider what happens when
someone types "https://domain2/" into their browser:

- the browser gets the IP address for domain2 (which is the same IP
address as domain1) and then sends a packet to port 443 at that address
requesting an SSL session.
- the server receives an SSL request on port 443. That's all it gets. So
what VH is it to use? By default, it just looks in the first one - so it
sends domain1.cert.
- the browser gets the cert and opens it. "That's funny", thinks the
browser, "I asked for domain2, but this cert is for domain1... I'd
better warn my master". So it pops up an alert window warning you that
the certificate does not match the site name. You have to click OK.
- the browser is reassured so continues with the SSL channel setup. It
then requests the webpage from the server.
- the server gets the encrypted request and, since it now has a working
SSL channel, decrypts it. Now it can see inside and get the host header.
So at last it can see that the request is for domain2. So it goes into
the domain2 VH where it hits the rewrite rule! So it sends a redirect
to send the browser to domain2:444.
- The browser gets the redirect and off it goes to domain2:444. This
time there is no ambiguity since there is only one VH. So it gets the
correct cert, sends it to the browser and this time there is no warning
because now the site and cert match.

The point of the story is that you are still using the wrong cert to
set up the initial SSL channel. Unless you define the port in the
original request, there is no way to get the server to identify the
correct VH - it will always use the first one.

To put it another way, you don't really need to bother with the VH on
port 444 - if you don't mind that the session is established with the
domain1 cert, you can just leave it and after the SSL channel is
established name-based VH will work. Alternatively, you can put the
rewrite rule into the domain1 VH (though you need to change it so it
trips on the servername) and dispense with the domain2:443 VH.

The trouble with using the wrong cert is that it is not a general
solution since it violates the authentication aspect of SSL. SSL is not
only about encryption, it is also about ensuring that the site you are
talking to is authentic. Encryption is like sending your money to the
bank in an armoured car. Authentication is making sure the armoured car
really does go to the bank.

Rgds,

Owen Boyle

-Original Message-
From: fred [mailto:fred;skyturn.net]
Sent: Donnerstag, 7. November 2002 18:54
To: [EMAIL PROTECTED]
Subject: Re: ModSSL and VirtualHosts


Hello, I was the first one (of today)
I understand your ###!!!???. It's ###:::/??? to repeat ten times the same
thing. I hope that my answer will help people to configure multi ssl with one
IP.
Personally I can not have another IP so I use the same ip with different
port and I use mod Rewrite to redirect to the new port and it works very well.
ex:
<IfDefine SSL>
Listen *:80
Listen *:443
Listen *:444
</IfDefine>

NameVirtualHost MY_IP:443

<VirtualHost MY_IP:443>
  DocumentRoot /home/web/SSL/dmaine1/htdocs
  ServerName domaine1
  ServerAdmin root@localhost
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /usr/local/apache/conf/ssl.crt/domaine1.crt
  SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domaine1.key
  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
  </Files>
  <Directory "/usr/local/apache/cgi-bin">
    SSLOptions +StdEnvVars
  </Directory>
  SetEnvIf User-Agent ".*MSIE.*" \
     nokeepalive ssl-unclean-shutdown \
     downgrade-1.0 force-response-1.0
  CustomLog /usr/local/apache/logs/ssl_request_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
<VirtualHost MY_IP:443>
  DocumentRoot /home/web/SSL/domaine2/htdocs
  ServerName domaine2
  ServerAdmin root@localhost
  RewriteEngine On
  RewriteRule ^/(.*)$ https://domaine2:444/$1 [R]
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /usr/local/apache/conf/ssl.crt/domaine2.crt
  SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/domaine2.key
  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
  </Files>
  <Directory "/usr/local/apache/cgi-bin">
    SSLOptions +StdEnvVars
  </Directory>
  SetEnvIf User-Agent ".*MSIE.*" \
     nokeepalive ssl-unclean-shutdown \
     downgrade-1.0 force-response-1.0
  CustomLog /usr/local/apache/logs/ssl_request_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

<VirtualHost MY_IP:444>
  DocumentRoot /home/web/SSL/domaine2/htdocs
  ServerName domaine2
  ServerAdmin root@localhost
  SSLEngine on
  SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  SSLCertificateFile /usr/local/apache/conf/ssl.crt/domaine2.crt
  

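The selection sequence Owen walks through above, together with his rule that SSL VHs must be distinct at the IP:port level, as a small Python model added here; it is not code from mod_ssl or from anyone on this list. The config is constructed from fred's posted httpd.conf with the documentation address 192.0.2.10 standing in for his MY_IP placeholder, and the model only handles address:port containers with ServerName, SSLEngine and SSLCertificateFile directives.

```python
"""Model of mod_ssl vhost selection (Apache 1.3 era: no SNI, so the handshake
can only see the TCP/IP socket). Added example; not mod_ssl project code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed from fred's config, 192.0.2.10 standing in for his MY_IP:
# two SSL vhosts share :443 and the redirect target sits alone on :444.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
  ServerName domaine1
  SSLEngine on
  SSLCertificateFile /usr/local/apache/conf/ssl.crt/domaine1.crt
</VirtualHost>
<VirtualHost 192.0.2.10:443>
  ServerName domaine2
  RewriteEngine On
  RewriteRule ^/(.*)$ https://domaine2:444/$1 [R]
  SSLEngine on
  SSLCertificateFile /usr/local/apache/conf/ssl.crt/domaine2.crt
</VirtualHost>
<VirtualHost 192.0.2.10:444>
  ServerName domaine2
  SSLEngine on
  SSLCertificateFile /usr/local/apache/conf/ssl.crt/domaine2.crt
</VirtualHost>
"""

# Only addr:port containers are modelled; nested <Files>/<Directory> lines are skipped.
VHOST_RE = re.compile(r"<VirtualHost\s+([^:\s>]+):(\d+)>(.*?)</VirtualHost>", re.S | re.I)


@dataclass
class VHost:
    addr: str
    port: int
    server_name: str = ""
    ssl: bool = False
    cert: str = ""


def parse_vhosts(conf: str) -> list[VHost]:
    """Pull the few directives this model needs out of each container."""
    hosts = []
    for m in VHOST_RE.finditer(conf):
        vh = VHost(addr=m.group(1), port=int(m.group(2)))
        for raw in m.group(3).splitlines():
            parts = raw.strip().split(None, 1)
            if len(parts) != 2 or parts[0].startswith("#"):
                continue
            key, val = parts[0].lower(), parts[1].strip()
            if key == "servername":
                vh.server_name = val.lower()
            elif key == "sslengine":
                vh.ssl = val.lower() == "on"
            elif key == "sslcertificatefile":
                vh.cert = val
        hosts.append(vh)
    return hosts


def _on_socket(vh: VHost, addr: str, port: int) -> bool:
    return vh.port == port and vh.addr in ("*", "_default_", addr)


def handshake_vhost(hosts: list[VHost], addr: str, port: int) -> VHost | None:
    """At handshake time only the socket is known, so the first vhost
    declared on it supplies the certificate ("it uses the first one")."""
    return next((vh for vh in hosts if _on_socket(vh, addr, port)), None)


def request_vhost(hosts: list[VHost], addr: str, port: int, host: str) -> VHost | None:
    """After decryption the Host header is visible and name-based selection
    works; any RewriteRule runs here, after the wrong cert was already sent."""
    on_socket = [vh for vh in hosts if _on_socket(vh, addr, port)]
    named = [vh for vh in on_socket if vh.server_name == host.lower()]
    return (named or on_socket or [None])[0]


def cert_mismatches(hosts: list[VHost]) -> list[tuple[str, str, str]]:
    """(wanted site, site whose cert is sent, that cert) for every SSL vhost
    whose socket is claimed first by another vhost: the browser-warning case."""
    out = []
    for vh in hosts:
        first = handshake_vhost(hosts, vh.addr, vh.port)
        if vh.ssl and first is not vh:
            out.append((vh.server_name, first.server_name, first.cert))
    return out


if __name__ == "__main__":
    hosts = parse_vhosts(SAMPLE_CONF)
    print("cert sent on :443:", handshake_vhost(hosts, "192.0.2.10", 443).cert)
    print("vhost for Host: domaine2:", request_vhost(hosts, "192.0.2.10", 443, "domaine2").cert)
    print("shared :443 problems:", cert_mismatches(hosts))
    # Owen's rule applied: only the vhosts on distinct IP:port pairs remain.
    print("distinct sockets:", cert_mismatches([hosts[0], hosts[2]]))
```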
RE: 2 ssl virtualhosts whith 1 IP

2002-11-07 Thread Boyle Owen
You can't get around the problem with rewrite rules. The essential
problem is that HTTPS encapsulates HTTP. What this means is that when
apache gets an HTTPS request, it has to route it to a virtual host using
*only* its TCP/IP attributes (IP addr and port no). It cannot use any
HTTP attributes (e.g. Host header) since these are encrypted and apache
cannot decrypt the request until it finds a certificate, but the cert is
defined in the VH!

This is the commonest question on mod_ssl - search the archives for
"name-based virtual hosts" for an ad nauseam discussion...

Rgds,

Owen Boyle

-Original Message-
From: fred [mailto:fred;skyturn.net]
Sent: Donnerstag, 7. November 2002 10:25
To: [EMAIL PROTECTED]
Subject: Re: 2 ssl virtualhosts whith 1 IP


Thank you.
Is it possible to use Rewrite to redirect request from:
https://domaine1.com/something/page.ext?var1=val1&var2=val2
to
https://domaine1.com:444/something/page.ext?var1=val1&var2=val2

I have tried:
RewriteEngine On
RewriteCond %{SERVER_PORT}  ^443$
RewriteCond %{SERVER_NAME}  ^https://domaine1.com$
RewriteRule ^/$ https://domaine1.com:444 [L,R]

But it doesn't work.
Thank you very much for your support.


On Thursday 7 November 2002 10:07, you wrote:
> > Is it possible to have 2 ssl.crt with 2 virtualhosts with only one IP ?
> 
> Only if u use different ports..
> 
> greetings,
> josef
> 
> > Thanks for your support.



RE: ModSSL and VirtualHosts

2002-11-07 Thread Boyle Owen
Please type "SSL name-based virtual hosts" into Google and read some of
the replies - I can't bear to explain this one again...

-Original Message-
From: Alex [mailto:alex;damngeek.com]
Sent: Donnerstag, 7. November 2002 17:55
To: [EMAIL PROTECTED]
Subject: ModSSL and VirtualHosts


I think I'm missing a few key points here, so I'm not able to find the
answers by myself. Hate to sound like a newbie, but I'm getting a little
frustrated.

Let's say I have this:

<VirtualHost *>
DocumentRoot /usr/local/www/domain1
ServerName domain1.dom
</VirtualHost>

<VirtualHost *>
DocumentRoot /usr/local/www/wwwdomain1
ServerName www.domain1.dom
</VirtualHost>


This works just great, both sites would show up and show the correct
directory. I can use the * or the ip address for the VirtualHost, both
with the same results.

All I can get with the https://... is the default directory saying apache
is installed. Now I can change the default directory in the VirtualHost
for _default_:443 and it will point to whichever directory I want, with
ssl.

How do I get https://domain1.dom the same as http://domain1.dom, and
https://www.domain1.dom the same as http://www.domain1.dom?

Or is it by design only to work with one directory?


Oh, and to possibly add to any confusion, this is a freebsd 4.7 box with
a private ip (firewalled) with apache+mod_ssl-1.3.27+2.8.12.

Any help would be appreciated.

Thanks for your time.




RE: ModSSL and VirtualHosts

2002-11-07 Thread Boyle Owen
Sorry. That last post was harsh - it's been a long day. But everyone
(including me) who moves into SSL immediately wonders why name-based VHs
don't work. You are the second person *today* to ask this...

The problem is that the packet is encrypted so apache can't see the Host
header so doesn't know what VH to use. But it needs the VH in order to
decide on the cert - it's a classic Catch-22. There is no workaround (we
had a guy today trying rewrite rules - marks for originality, but no
cigar). You have to use separate IPs or ports...

Rgds,

Owen Boyle


-Original Message-
From: Alex [mailto:alex;damngeek.com]
Sent: Donnerstag, 7. November 2002 17:55
To: [EMAIL PROTECTED]
Subject: ModSSL and VirtualHosts


I think I'm missing a few key points here, so I'm not able to find the
answers by myself. Hate to sound like a newbie, but I'm getting a little
frustrated.

Let's say I have this:

<VirtualHost *>
DocumentRoot /usr/local/www/domain1
ServerName domain1.dom
</VirtualHost>

<VirtualHost *>
DocumentRoot /usr/local/www/wwwdomain1
ServerName www.domain1.dom
</VirtualHost>


This works just great, both sites would show up and show the correct
directory. I can use the * or the ip address for the VirtualHost, both
with the same results.

All I can get with the https://... is the default directory saying apache
is installed. Now I can change the default directory in the VirtualHost
for _default_:443 and it will point to whichever directory I want, with
ssl.

How do I get https://domain1.dom the same as http://domain1.dom, and
https://www.domain1.dom the same as http://www.domain1.dom?

Or is it by design only to work with one directory?


Oh, and to possibly add to any confusion, this is a freebsd 4.7 box with
a private ip (firewalled) with apache+mod_ssl-1.3.27+2.8.12.

Any help would be appreciated.

Thanks for your time.




RE: Configuring Multiple Certicates SSL over an unique IP

2002-11-05 Thread Boyle Owen
Yes indeed, although this is a rather limited case of NBVH.

-Original Message-
From: [EMAIL PROTECTED] [mailto:ueli;heuer.org]
Sent: Dienstag, 5. November 2002 10:08
To: [EMAIL PROTECTED]
Subject: Re: Configuring Multiple Certicates SSL over an unique IP


On Tue, 5 Nov 2002 08:48:58 +0100
Boyle Owen [EMAIL PROTECTED] wrote:

> No. This is called name-based virtual hosting (NBVH). It works fine
> for plain HTTP but is impossible under SSL.
>
> The reason is that NBVH uses the Host header to find the VH. But in
> SSL, the connection must be established *before* you get the Host
> header. So the server cannot decide which VH to use.

except if you are using a star-certificate:

if your certificate is *.foo.bar you can use name-based virtual hosting
for the following vhosts:

www.foo.bar
test.foo.bar
new.foo.bar
...
what-ever.foo.bar


 
> Rgds,
>
> Owen Boyle
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:asom;vetorialnet.com.br]
> Sent: Montag, 4. November 2002 23:20
> To: [EMAIL PROTECTED]
> Subject: Configuring Multiple Certicates SSL over an unique IP
>
>
>
> Hello,
>
> Is there some way to configure the Apache server to use multiple SSL
> certificates over a single IP, one for each virtual domain?
>
> What is the Apache configuration syntax?
>
> Alex Moraes
 
-- 
The software said it requires Windows 95 or better,
 so I installed Linux



RE: Configuring Multiple Certicates SSL over an unique IP

2002-11-05 Thread Boyle Owen
Don't forget:

Listen 192.168.1.2:443 
Listen 192.168.1.3:443

-Original Message-
From: Peter Viertel [mailto:peter.viertel;itaction.co.uk]
Sent: Dienstag, 5. November 2002 14:17
To: [EMAIL PROTECTED]
Subject: Re: Configuring Multiple Certicates SSL over an unique IP


I'm thinking you need to use VirtualHost directives - as others have
replied, you already know that NameVirtualHost won't help - so you need
to put each virtual host on a different IP (or a different port if no
spare IPs).

Firstly - configure your operating system to receive all the IPs you
want to use - usually via IP aliases - something you can do in unix and
windows, but don't ask me how in windows.

An example:

your real IP is 192.168.1.2, and you set up 192.168.1.3 as an extra
alias.

I'm assuming you started with httpd.conf as provided with mod_ssl - this
should have the basic SSL configuration bits.

Then in your httpd.conf near the end, in the <IfDefine SSL> section,
create a VHost for each cert/IP you want.

<VirtualHost 192.168.1.2:443>
ServerName www.cert1domain.com
SSLCertificateKeyFile conf/ssl.key/cert1.key
SSLCertificateFile conf/ssl.crt/cert1.crt
SSLEngine on
...other conf...
</VirtualHost>

<VirtualHost 192.168.1.3:443>
ServerName www.cert2domain.com
SSLCertificateKeyFile conf/ssl.key/cert2.key
SSLCertificateFile conf/ssl.crt/cert2.crt
SSLEngine on
...other conf...
</VirtualHost>


[EMAIL PROTECTED] wrote:

Hello,

 Is there some way to configure the Apache server to use multiple SSL
certificates over a single IP, one for each virtual domain?

 What is the Apache configuration syntax?

Alex Moraes




RE: Configuring Multiple Certicates SSL over an unique IP

2002-11-04 Thread Boyle Owen
No. This is called name-based virtual hosting (NBVH). It works fine for
plain HTTP but is impossible under SSL.

The reason is that NBVH uses the Host header to find the VH. But in
SSL, the connection must be established *before* you get the Host
header. So the server cannot decide which VH to use. 

Rgds,

Owen Boyle 

-Original Message-
From: [EMAIL PROTECTED] [mailto:asom;vetorialnet.com.br]
Sent: Montag, 4. November 2002 23:20
To: [EMAIL PROTECTED]
Subject: Configuring Multiple Certicates SSL over an unique IP



Hello,

 Is there some way to configure the Apache server to use multiple SSL
certificates over a single IP, one for each virtual domain?

 What is the Apache configuration syntax?

Alex Moraes




RE: Startup Script

2002-10-31 Thread Boyle Owen
To expand a little on my previous post:

When you run a shell-script, it forks a new shell which doesn't usually
inherit environment variables from the calling shell. So you have to set
any envs in the script. To do this under the standard shell (i.e.
/bin/sh) you need two lines:

LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib:/usr/openwin/lib
export LD_LIBRARY_PATH

Under the tcsh, you'd only need one:

setenv LD_LIBRARY_PATH /lib:/usr/lib:/usr/local/lib:/usr/openwin/lib

So that's how to get LD_LIBRARY_PATH to work.

However, the use of LD_LIBRARY_PATH is generally discouraged for several
reasons - it breaks encapsulation by making the execution of a binary
dependent on the shell (hence your problem), it invites namespace
problems if two libraries in different lib directories have the same
name (the binary will load the first it finds on the path), on large
projects with lots of development libs, the path can become unfeasibly
large, etc. etc.

A much cleaner solution is to define the paths when compiling. Thus the
binary carries with it the paths to just those directories it needs. To
do this, define the CFLAGS environment variable in the shell in which
you configure apache, i.e.

CFLAGS="-L/lib -R/lib -L/usr/lib -R/usr/lib -L/usr/openwin/lib -R/usr/openwin/lib"
export CFLAGS
./configure <additional options>

When you run make, you will find that the CFLAGS above will appear on
the compile line and the resulting binary will find its libraries from
these internal symbols.

Compiling is a bit of a black art at times and I don't really understand
all of it myself - the advice in this note is just some distillation
of my own experiences and things I found when trawling the web..

Rgds,

Owen Boyle

-Original Message-
From: Lawrence Cole [mailto:lmcole;cisco.com]
Sent: Mittwoch, 30. Oktober 2002 21:05
To: [EMAIL PROTECTED]
Subject: RE: Startup Script


Boyle,

Thank you for your suggestions.

Adding LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib:/usr/openwin/lib
to the startup script does not help.

Sourcing root's .profile before running the apachectl startssl command
does not help.  The LD_LIBRARY_PATH is set in the .profile.

So the last thing to try is the -R and -L compile-time option pairs for
each library.  I have a rookie question to ask.  Where do I use these?
I can't use them with the ./configure or make commands.  Do I need to
edit the Makefile?  Can you give me an example?

Regards,

Lawrence


-Original Message-
From: [EMAIL PROTECTED]
[mailto:owner-modssl-users;modssl.org] On Behalf Of Boyle Owen
Sent: Wednesday, October 30, 2002 2:21 AM
To: [EMAIL PROTECTED]
Subject: RE: Startup Script


Quick fix is to put in the startup script:

LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib:/usr/openwin/lib

before it tries to start apache..

Better fix is to recompile apache with the additional compile-time
options: -L/usr/openwin/lib -R/usr/openwin/lib etc. (one pair for each
lib). This should build the paths to the libs into the binary and then
you don't need LD_LIBRARY_PATH at all.

-Original Message-
From: Lawrence Cole [mailto:lmcole;cisco.com]
Sent: Mittwoch, 30. Oktober 2002 04:52
To: [EMAIL PROTECTED]
Subject: Startup Script


Greetings everyone,

I realize this situation has come up before, but none of the suggestions
I have seen have worked for me.

I have created an Apache 1.3.26 / mod_ssl 2.8.10 server.  No problems
creating it, and no problems starting from the command line.  I am
however, unable to start automatically at boot using a script in the
rc3.d directory.  When I try to start it automatically using:

#!/bin/sh
#
# Start SSL-Aware Apache http daemon
#
echo Start SSL-Aware Apache httpd
/opt/apache/bin/apachectl startssl


I get the following error:

ld.so.1: /opt/apache/bin/httpd: fatal: libexpat.so.0: open failed: No
such file or directory
Killed
/opt/apache/bin/apachectl startssl: httpd could not be started

Once the system is booted up the LD_LIBRARY_PATH is
/lib:/usr/lib:/usr/local/lib:/usr/openwin/lib, and I can run
/opt/apache/bin/apachectl startssl just fine.  For automation reasons,
I need to boot at startup.  Any suggestions?

Regards,

Lawrence
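As an added example for the Startup Script thread above (not code from any of the list posts): two POSIX sh helpers that make the loader-search point concrete. lib_search walks a colon-separated list the way ld.so walks LD_LIBRARY_PATH and reports which directory holds a library, or fails, which is the "open failed" case above; rpath_flags turns the same list into the -L/-R pairs Owen describes. The function names, the sample directories and the libexpat.so.0 lookup are assumptions; -R is the Sun linker's flag as used in the thread, GNU ld spells it -Wl,-rpath.

```shell
#!/bin/sh
# Added example, not from the list posts. Helpers around the point made
# above: the runtime loader only searches the directories it is given, so a
# library that resolves in an interactive shell can be missing at boot.
# Assumptions: POSIX sh; lib_search reproduces only the directory walk (no
# ld.so cache, no default system dirs); -R is the Sun linker flag named in
# the thread (GNU ld takes -Wl,-rpath instead).

# lib_search NAME PATHLIST: print the first directory in the colon-separated
# PATHLIST holding NAME; exit 1 when none does, which is what produces
# "fatal: libexpat.so.0: open failed: No such file or directory".
lib_search() {
    name=$1
    rest="$2:"                 # trailing colon so the loop sees the last entry
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        # glibc's ld.so treats an empty entry ("a::b", or a leading/trailing
        # colon) as the current directory; refuse it rather than copy that.
        [ -z "$dir" ] && continue
        if [ -f "$dir/$name" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# rpath_flags PATHLIST: emit "-L<dir> -R<dir>" for each entry, so the search
# path is compiled into the binary and LD_LIBRARY_PATH is not needed at all.
rpath_flags() {
    rest="$1:"
    out=""
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        [ -z "$dir" ] && continue
        out="$out${out:+ }-L$dir -R$dir"
    done
    printf '%s\n' "$out"
}

# Shape of a /bin/sh rc script as described above: assign, then export
# (tcsh would do both with one setenv). Runs in a subshell so the exported
# variable does not leak into the caller; it starts nothing, it only reports.
startup_check() (
    LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib:/usr/openwin/lib
    export LD_LIBRARY_PATH
    if dir=$(lib_search "$1" "$LD_LIBRARY_PATH"); then
        echo "$1 found in $dir"
    else
        echo "$1 not on LD_LIBRARY_PATH; rebuild with: $(rpath_flags "$LD_LIBRARY_PATH")" >&2
    fi
)

startup_check libexpat.so.0
```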


RE: Startup Script

2002-10-30 Thread Boyle Owen
Quick fix is to put in the startup script:

LD_LIBRARY_PATH=/lib:/usr/lib:/usr/local/lib:/usr/openwin/lib

before it tries to start apache..

Better fix is to recompile apache with the additional compile-time
options: -L/usr/openwin/lib -R/usr/openwin/lib etc. (one pair for each
lib). This should build the paths to the libs into the binary and then
you don't need LD_LIBRARY_PATH at all.

-Original Message-
From: Lawrence Cole [mailto:lmcole;cisco.com]
Sent: Mittwoch, 30. Oktober 2002 04:52
To: [EMAIL PROTECTED]
Subject: Startup Script


Greetings everyone,

I realize this situation has come up before, but none of the suggestions
I have seen have worked for me.

I have created an Apache 1.3.26 / mod_ssl 2.8.10 server.  No problems
creating it, and no problems starting from the command line.  I am
however, unable to start automatically at boot using a script in the
rc3.d directory.  When I try to start it automatically using:

#!/bin/sh
#
# Start SSL-Aware Apache http daemon
#
echo Start SSL-Aware Apache httpd
/opt/apache/bin/apachectl startssl


I get the following error:

ld.so.1: /opt/apache/bin/httpd: fatal: libexpat.so.0: open failed: No
such file or directory
Killed
/opt/apache/bin/apachectl startssl: httpd could not be started

Once the system is booted up the LD_LIBRARY_PATH is
/lib:/usr/lib:/usr/local/lib:/usr/openwin/lib, and I can run
/opt/apache/bin/apachectl startssl just fine.  For automation reasons,
I need to boot at startup.  Any suggestions?

Regards,

Lawrence




RE: ld.so.1: /apache/bin/httpd: fatal: libssl.so.0.9.6: open failed

2002-10-24 Thread Boyle Owen
I suspect that the problem is that /usr/local/ssl is not on your
LD_LIBRARY_PATH. For a quick fix, add it. For a better solution (since
LD_LIBRARY_PATH is A Bad Thing), recompile with -L/usr/local/ssl
-R/usr/local/ssl..


-Original Message-
From: Zandi Patrick S TSgt AFRL/IFOSS [mailto:Patrick.Zandi;rl.af.mil]
Sent: Mittwoch, 23. Oktober 2002 23:03
To: '[EMAIL PROTECTED]'
Subject: ld.so.1: /apache/bin/httpd: fatal: libssl.so.0.9.6: open failed


Hello folks - I've got trouble. Here are the details. Anyone see
anything?

./apachectl startssl
Syntax error on line 238 of /apache/conf/httpd.conf:
Cannot load /apache/libexec/libssl.so into server: ld.so.1:
/apache/bin/httpd: fatal: libssl.so.0.9.6: open failed: No such file or
directory
./apachectl startssl: httpd could not be started

Compile in modssl folder was:
./configure \
--with-apache=../apache_1.3.27 \
--with-ssl=/usr/local/ssl \
$@

Compile in apache folder was:
 ./configure \
--with-layout=Apache \
--verbose \
--prefix=/apache \
--server-uid=ars \
--server-gid=dba \
--with-perl=/usr/local/perl \
--enable-module=most \
--enable-shared=max \
--enable-rule=SHARED_CORE \
--enable-module=so \
--enable-module=cgi \
--enable-module=ssl \
--disable-rule=SSL_COMPAT \
--enable-rule=SSL_SDBM \
$@

--- httpd.conf states, from line 230 - 245 or so:

   234  LoadModule usertrack_module   libexec/mod_usertrack.so
   235  LoadModule unique_id_module   libexec/mod_unique_id.so
   236  LoadModule setenvif_module    libexec/mod_setenvif.so
   237  <IfDefine SSL>
   238  LoadModule ssl_module         libexec/libssl.so
   239  </IfDefine>
   240

-- ls of ../libexec is:
-rw-r--r--   1 root other   8373 Oct 23 16:25 httpd.exp
-rwxr-xr-x   1 root other  22108 Oct 23 16:25 libhttpd.ep
-rwxr-xr-x   2 root other 669008 Oct 23 16:25 libhttpd.so
-rwxr-xr-x   2 root other 669008 Oct 23 16:25 libhttpd.so.1
-rwxr-xr-x   1 root other 137680 Oct 23 16:25 libproxy.so
-rwxr-xr-x   1 root other 276708 Oct 23 16:25 libssl.so
-rwxr-xr-x   1 root other   9272 Oct 23 16:25 mod_access.so




RE: Chicken and Egg

2002-10-24 Thread Boyle Owen
What you see is predictable - your setup appears to work because apache
fetches the certificate from the first VH (since it can't tell which VH
to use). Once it gets a cert, it can then establish an SSL session and so
can then see inside the HTTP request. It can then see the Host header
and serve up the correct VH.

However, this is not a solution for the real world because, as you
observe, whenever you request the second VH, apache will use the cert
from the first VH and so the browser will report a conflict.

The way you have it set up leaves you vulnerable to man-in-the-middle
exploits since you have lost the *authentication* aspect of SSL. This is
equally as important as encryption. For example, imagine you sent your
money to the bank in an armoured car, but the bank turned out just to be
a front door...

I guess you will say, "but it's just a lab setup, I don't care about
authentication" - well that's fine, but why then do you need encryption?


-Original Message-
From: Roman Ivanov [mailto:ivanov_r;samsung.ru]
Sent: Donnerstag, 24. Oktober 2002 15:06
To: [EMAIL PROTECTED]
Subject: Chicken and Egg


Hello All!

I've just installed modssl. I want to clarify the chicken and egg problem
for me.
I use modssl only for internal purposes, so I use one self-made
certificate on two sites.
It is not a problem that the certificate does not match the site name.
I have in httpd.conf:

<VirtualHost IP:443>
ServerName A
...other directives...
</VirtualHost>

<VirtualHost IP:443>
ServerName B
...other directives...
</VirtualHost>

In logs:
[...] [warn]  Init: SSL server IP/port conflict: A:443 (httpd.conf:...)
vs. B:443 (httpd.conf:...)
[...] [warn]  Init: You should not use name-based virtual hosts in
conjunction with SSL!!


But https://B works and https://A works too.

Q: My question is: did I not meet the chicken and egg problem here
because I share one certificate between two servers?
Am I right?


Regards.
Roman Ivanov
CIS HQ SAMSUNG ELECTRONICS CO., LTD
web-master
TEL: +7-(095)-7972309
ICQ UIN #8160057




RE: SSL - MS Proxy 2.0 - MSIE6

2002-10-23 Thread Boyle Owen
What spec do you have on the server and client?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:erwin.vogeleer;deltalloydLife.be]
Sent: Mittwoch, 23. Oktober 2002 16:09
To: [EMAIL PROTECTED]
Subject: SSL - MS Proxy 2.0 - MSIE6


Dear all,



I'm using:
Apache 1.3.26
mod_ssl: 2.8.10
openSSL: 0.9.6g

At the client site I use MSIE6 and I have a MS proxy 2.0.

When I enable SSL the connection/communication is very slow. If I
disable it, the site works perfectly.

Does anybody have an idea?


thx
Erwin





RE: Multiple _identical_ servers with different server names

2002-10-03 Thread Boyle Owen

You mean you have one IP address and one FQDN but many physical machines?

Then you need a load-balancer. That is, the LB carries the external IP address so all 
packets are routed initially to it. Then it re-routes the packets to one of the 
internal servers according to various rules (e.g. randomly, round-robin, based on IP 
range etc.).

There are several complications in an SSL environment:

- the LB can't look inside the packets to see any HTTP attributes (such as Host 
header). It can only work with the IP and port (this is why name-based virtual hosting 
doesn't work with SSL).
- SSL servers usually keep-alive the session so that the session key does not have to 
be renegotiated for every transaction. Obviously, if you have more than one server, 
the LB has to make sure that each client always gets the same server on subsequent 
requests.

-Original Message-
From: Michael T. Babcock [mailto:[EMAIL PROTECTED]]
Sent: Donnerstag, 3. Oktober 2002 00:03
To: [EMAIL PROTECTED]
Subject: Multiple _identical_ servers with different server names


I have a client who wants to host multiple mirrors of the same SSL
website that point to the same data; is there any way to do this without
consuming additional IPs?  Could I have the other names accept on :443
in HTTP mode and redirect??

Thanks for any help.

-- 
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
http://www.fibrespeed.net/~mbabcock





RE: Rebuild of Apache REQUIRED to add SSL???

2002-10-01 Thread Boyle Owen



In order to add mod_ssl to apache, you must recompile. The reason is that the
apache core code is equipped with an application programming interface
(API) which makes it relatively easy for people to write third-party modules and
integrate them with apache. However, mod_ssl is a bit special since it needs to
call routines in the OpenSSL library. This is not covered by the standard API.
So in order to load mod_ssl, you need to extend the API to include openssl
hooks. This is done during the configure stage when building apache with mod_ssl
- the mod_ssl configure script patches the apache source code to extend the API
(hence EAPI).

A plain compilation of apache with mod_ssl is not too difficult and should go
smoothly on Linux - check out the documentation at the mod_ssl site or
http://www.delouw.ch/linux/Apache-Compile-HOWTO/html/apache.html for a user's
perspective on it.

PS you'd also get to upgrade to 1.3.26 - your version is a bit out-of-date..

-Original Message-
From: Tony Libby [mailto:[EMAIL PROTECTED]]
Sent: Montag, 30. September 2002 19:59
To: [EMAIL PROTECTED]
Subject: Rebuild of Apache REQUIRED to add SSL???


I'm looking into adding SSL ability to my Apache server.

Apache version 1.3.22 running on Red Hat Linux 7.2

MUST I REBUILD THE SERVER?

I don't really want to do this as everything is running nicely now.

If I have to rebuild, what is the SAFEST way?

Thanks for your help!
-Tony


RE: Usefull error pages for users

2002-08-29 Thread Boyle Owen

The SSL session is established *before* any HTTP traffic takes place. If the session 
fails to be set up, the client cannot send any request through to apache, which 
operates at the HTTP layer. So the server isn't really aware that any request was made 
and so can't very well generate a response...

I think you'd have to hack into the mod_ssl code to achieve this.

Rgds,

Owen Boyle 

-Original Message-
From: Danny Kruitbosch [mailto:[EMAIL PROTECTED]]
Sent: Mittwoch, 28. August 2002 11:00
To: modssl-users
Subject: Usefull error pages for users


Hi,

I'm trying to figure out the following:

We're using client certs for authentication and the authentication works
fine. But when a user connects and isn't able to present his cert, or his
cert is revoked, he gets a 'DNS or server error' (IE 5.5/6.0). I would
like to redirect this user to a custom error page saying something
intelligent like:

Certificate revoked
No certificate presented
Unable to verify certificate

or server specific errors like:

CRL expired
Unable to verify certificate


How can I set this up?
(Is there a list of specific error codes SSL uses, and can I use the
ErrorDocument directive on this? If so, where do I find this list of SSL
error codes?)

Thanks,

Danny

__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                  [EMAIL PROTECTED]

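Owen's point is exactly why no ErrorDocument can fire: with SSLVerifyClient require the handshake aborts before any request exists. The practical workaround is to let the handshake finish and make the decision at the HTTP layer, where Apache can serve a page. The following is an added example in Apache 2.4 syntax, not configuration from this thread; the address, hostname, file paths and the /certerror.html page are assumptions.

```apache
# Added example (Apache 2.4 syntax); not configuration from the original thread.
# Address, hostname and file paths below are assumed.
<VirtualHost 192.168.0.1:443>
    ServerName   www.example.com
    DocumentRoot /home/www/html
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLCARevocationFile   /etc/ssl/crl/client-ca.crl
    SSLCARevocationCheck  chain

    # Ask for a client certificate but complete the handshake even when none
    # is sent or the issuer is untrusted. mod_ssl tolerates only the
    # untrusted-issuer class of errors here: a certificate found in the CRL
    # still aborts the handshake, so "certificate revoked" cannot be reported
    # with a page by this route.
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth  2

    # Everything needs a verified certificate. SSL_CLIENT_VERIFY is "NONE"
    # when no certificate was sent and "SUCCESS" only when it chained to the
    # CA; anything else is treated as unauthenticated.
    <Location "/">
        Require expr %{SSL_CLIENT_VERIFY} == 'SUCCESS'
    </Location>

    # The one page an unauthenticated client may fetch. With the default
    # AuthMerging Off, this Require replaces the one inherited from "/".
    <Location "/certerror.html">
        Require all granted
    </Location>

    # A failed Require is a 403; the internal redirect re-runs the checks for
    # /certerror.html, which passes.
    ErrorDocument 403 /certerror.html
</VirtualHost>
```

With SSLOptions +StdEnvVars the same values reach CGI or SSI, so the error page can be generated from SSL_CLIENT_VERIFY and say which of Danny's cases applies (no certificate presented versus a certificate that could not be verified). The trade-off is deliberate: optional_no_ca moves the trust decision out of the handshake, so nothing served by this host may rely on the certificate until the Require has passed.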



RE: redirecting users part 2

2002-08-19 Thread Boyle Owen

I don't have the time to investigate this fully in the context of SSL but from a 
general understanding of how apache combines nested directives like this, I think you 
might need to change the order of the Location containers. The rules for combining 
directives are a bit complicated and (I have to say) not entirely well-documented. I 
think you need to consider the line in sections.html document (look for a link in docs 
from the Location doc):

... each group is processed in the order that they appear in the configuration files 
...

This would imply that apache loads the rule for /upgrade.html then overrides it with 
the rule for /. I am assuming here that order refers to the order in which apache 
reads data from the config during startup and not the order in which it applies 
directives to incoming requests...

Confused? Me too...

Rgds,

Owen Boyle
-Original Message-
From: Jeroen Vriesman [mailto:[EMAIL PROTECTED]]
Sent: Monday, 19 August 2002 12:28
To: [EMAIL PROTECTED]
Subject: redirecting users part 2


Hi,

I'm trying to redirect users who don't have enough encryption 
capabilities for 128 bit (see previous mail).

I've tried the following (but it doesn't work):

Add upgrade.html (the text users with old browsers are supposed to get) 
to index:

DirectoryIndex index.html index.htm Index.html Index.htm INDEX.HTML INDEX.HTM upgrade.html

Initially allow all strengths:

SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+SSLv2:+EXP:+eNULL

And then:

<Location /upgrade.html>
SSLRequire %{SSL_CIPHER_USEKEYSIZE} < 128
</Location>

<Location />
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Location>

But it doesn't work, any idea why it doesn't work?

Cheers,
Jeroen.
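Added example (not the thread's own configuration, and in Apache 2.4 syntax) showing why the two SSLRequire blocks above can never both be satisfied, and one way to get the redirect Jeroen actually wants. Only /upgrade.html and the 128-bit threshold come from his mail; the address, hostname and paths are assumptions. The policy itself is historical (export-grade ciphers are long gone), but the merging behaviour it trips over is not.

```apache
# Added example (Apache 2.4 syntax); not configuration from the original thread.
# Address, hostname and file paths are assumed. Whatever SSLCipherSuite you use
# must still let the weak clients negotiate at all; the policy is applied per
# request, after the handshake has told us the key size.
<VirtualHost 192.168.0.1:443>
    ServerName   www.example.com
    DocumentRoot /home/www/html
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Sessions negotiated with less than a 128-bit key are sent to the
    # upgrade page, except requests for that page itself (else it loops).
    # -lt is an integer comparison (2.4); the older "<" compares strings,
    # where "40" is not less than "128".
    RewriteEngine on
    RewriteCond %{SSL:SSL_CIPHER_USEKEYSIZE} -lt 128
    RewriteRule !^/upgrade\.html$ /upgrade.html [R=302,L]

    # Belt and braces. Do NOT put this in <Location "/">: mod_ssl merges the
    # SSLRequire lists of enclosing sections into nested ones, so
    # /upgrade.html would inherit ">= 128" on top of its own "< 128" and
    # could never be served, whatever the order of the sections. Match
    # every path except the upgrade page instead.
    <LocationMatch "^/(?!upgrade\.html$)">
        SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
    </LocationMatch>
</VirtualHost>
```

SSLRequire is deprecated in 2.4 in favour of Require expr, which can express the same test with %{SSL_CIPHER_USEKEYSIZE} -ge 128; the merge trap above is the reason the original pair of Location blocks fails regardless of order.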



RE: http or https but not both?

2002-08-15 Thread Boyle Owen

It sounds like you have misunderstood how to set up the SSL and HTTP sites. Basically, 
they are two separate port-based virtual hosts... I wrote up some notes on this a few 
days ago  - check out: 
http://marc.theaimsgroup.com/?l=apache-modsslm=102922483406071w=2

Rgds,

Owen Boyle

-Original Message-
From: Paul F [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 14 August 2002 17:56
To: [EMAIL PROTECTED]
Subject: http or https but not both?


I have a fresh linux installation with apache + mod_ssl.

With the mod_ssl module and AddModule uncommented, I can access
https://mysite. BUT NOT
http://mysite.

Any help appreciated!





RE: enabling ssl for a subdirectory of a vhost

2002-08-13 Thread Boyle Owen

From: Justin Georgeson [mailto:[EMAIL PROTECTED]]

I have Apache 1.3.17 with mod_ssl. I'm not a real proficient apache 
admin just yet, so forgive me if I unintentionally omit some crucial 
point, or use the wrong nomenclature. :) I have a vhost which I would 
like to add an SSL enabled subdirectory to.

http://my.host.com/dir1
https://my.host.com/dir2

Maybe even have http://my.host.com/dir2 redirect to 
https://my.host.com/dir2. But I have no clue how to do it. I tried 
adding the SSL directives to the Directory, but that totally didn't 
work (apache wouldn't start), but moving the directives 
outside of that made the whole vhost SSL, and screwed up other things 
that it's already doing.

Congratulations, you've already done the hard part of installing mod_ssl and getting 
it running with certs and so on. All you need now is to set up your configuration and 
that is easy once you get the hang of it.

The main thing to realise is that HTTPS requests come in on a different port (usually 
443) from normal HTTP traffic which uses port 80. Therefore, the simplest thing to do 
is to create a new port-based virtual host for SSL stuff. Indeed, most SSL directives 
only work in a virtualhost context (i.e. you can't make them apply in a directory 
context).

Rather than having an SSL subdirectory of your main site, I would recommend you create 
a separate SSL VH. Start off with the simplest implementation which is something like 
this:

# Define the normal HTTP service on port 80

<VirtualHost 192.168.0.1:80>
  DocumentRoot /home/www/html
  ...etc.
</VirtualHost>

# Define the SSL service on port 443

<VirtualHost 192.168.0.1:443>
  DocumentRoot /home/www/html/dir1
  SSLEngine on
  ...rest of SSL directives
  ...etc.
</VirtualHost>

Now, a request to https://my.host.com/ will go straight to /home/www/html/dir1 under 
SSL, while http://my.host.com/ will continue to serve /home/www/html on plain HTTP.

There are a couple of snags with this configuration which you'd need to tidy up:

- In the scheme above, /home/www/html/dir1 is still accessible from plain HTTP. A 
rough-n-ready redirect will help matters (put inside the HTTP-VH):

  Redirect /dir1 https://my.host.com/

- for belt-and-braces, force SSL-only in this directory (put inside the HTTP-VH):
  <Directory /home/www/html/dir1>
    SSLRequireSSL
  </Directory>

- Be careful also with including things like images in SSL pages if the images are in 
a non-ssl directory. The browser will usually complain that some of the content is 
insecure and the user will get a lot of annoying pop-ups. To guard against this, 
symbolically link the images directory into the SSL directory and then reference it 
there. E.g. If you have /home/www/html/images, then in /home/www/html/dir1 do:

$ ln -s ../images images

and then in your dir1 pages do: <img src="/images/mypict.gif"> so that the images look 
like they are under the SSL document root.

This recipe will get you started with SSL. Once you have it running, you can start to 
play around with other configurations. What you originally requested is possible, but 
requires imaginative use of mod_rewrite which is not something you'd want to do on 
your first apache config :-)

Rgds,

Owen Boyle.








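The configuration Justin originally asked for (one hostname, plain HTTP for /dir1, HTTPS enforced for /dir2, and http://.../dir2 bounced to https) can be done with mod_rewrite and a shared DocumentRoot rather than a separate SSL tree. This is an added example in Apache 2.4 syntax, not the thread's own config; the address and certificate paths are assumptions, the hostname and directories are Justin's.

```apache
# Added example (Apache 2.4 syntax); not configuration from the original thread.
# The address and certificate paths are assumed.
Listen 80
Listen 443

<VirtualHost 192.168.0.1:80>
    ServerName   my.host.com
    # Same tree on both ports, so /images is reachable over HTTPS as well
    # and the symlink trick is not needed.
    DocumentRoot /home/www/html

    # Anything under /dir2 requested over plain HTTP is redirected to the
    # same path over HTTPS. Only /dir2 is affected; /dir1 stays on HTTP.
    RewriteEngine on
    RewriteRule ^/dir2(/.*)?$ https://my.host.com/dir2$1 [R=301,L]
</VirtualHost>

<VirtualHost 192.168.0.1:443>
    ServerName   my.host.com
    DocumentRoot /home/www/html
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/my.host.com.pem
    SSLCertificateKeyFile /etc/ssl/private/my.host.com.key
</VirtualHost>

# Safety net: a request for /dir2 that did not arrive on an SSL connection
# gets a 403 even if the redirect above is ever removed. Directory context
# is where SSLRequireSSL belongs; SSLEngine itself is vhost-only, which is
# why putting it inside <Directory> stopped Apache from starting.
<Directory "/home/www/html/dir2">
    SSLRequireSSL
</Directory>
```

The redirect is a convenience for users; SSLRequireSSL is the actual control, because a client can always request the plain-HTTP URL directly and skip the redirect.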



RE: apachectl restart problem...

2002-07-31 Thread Boyle Owen

From: Sean M Alderman [mailto:[EMAIL PROTECTED]]

Greetings all,
  I'm curious if anyone has come across issues with starting apache
using -
# $APACHE_HOME/bin/apachectl startssl
and then having apache hang when issuing this -
# $APACHE_HOME/bin/apachectl restart

I'm running 1.3.26 with the latest mod_ssl on Solaris 8.  I don't get
any error messages in the logs, and apachectl says that it restarts just
fine, but when you point a browser back to the server it does not
respond.  I can fix it with an apachectl stop;apachectl startssl, but
I'm just curious about not being able to do the restart.

Restart sends a HUP to apache. I've found that this is sometimes insufficiently 
forceful to make apache reload certain SSL parameters (e.g. if you change the 
certificate). However, it should be sufficient for non-SSL edits.

Rgds,
Owen Boyle



RE: http and https from same config

2002-07-31 Thread Boyle Owen

From: Svein E. Seldal [mailto:[EMAIL PROTECTED]]

Hi guys,

I want to run a http server on port 81 which should only be available to 
the localnet, say 192.168.0.x/24 *and* on https with client certificates 
from the whole world. No passwords should be used in either method.

Now I've got SSL working with the certs, so that's not my question, but 
how do I configure the virtual host to enforce these access rights? 
Today I've hacked the problem by running two separate (yet identical) 
virtual hosts. I want to run http(81) and https from the same virtual 
host config. Is this possible?

I can't think how you would do this. IMHO, what you have already done (far from being 
a hack) is the correct way to proceed - two virtualhosts with the same DocumentRoot 
(hence same content) but with different ports. The trouble is the SSLEngine on 
directive - this has only context in a VH, i.e. you can't make it conditional on an IP 
range, for instance.

Rgds,

Owen Boyle
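One way to do what Svein describes while writing the content configuration only once: two port-based vhosts, as Owen says, that both Include the same file. Added example in Apache 2.4 syntax, not configuration from the thread; the addresses, hostname, file paths and the CA file are assumptions, the port and the 192.168.0.0/24 net are Svein's.

```apache
# Added example (Apache 2.4 syntax); not configuration from the original thread.
# conf/site-common.conf is an assumed file holding everything both hosts share:
#     ServerName   www.example.com
#     DocumentRoot /home/www/html
#     <Directory "/home/www/html"> ... </Directory>
#     (aliases, handlers, logging ...)

# Plain HTTP on 81: bind only the internal address and, on top of that,
# refuse anything not from the local net. No password, as asked, but
# nothing on this port is encrypted or authenticated either.
Listen 192.168.0.1:81
<VirtualHost 192.168.0.1:81>
    Include conf/site-common.conf
    <Location "/">
        Require ip 192.168.0.0/24
    </Location>
</VirtualHost>

# HTTPS on 443 for the whole world, authenticated by client certificate only.
Listen 443
<VirtualHost 192.168.0.1:443>
    Include conf/site-common.conf
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # The handshake fails unless the client presents a certificate that
    # chains to this CA, so unauthenticated clients never reach content.
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Optionally narrow "any certificate from the CA" further, e.g.
    #     Require expr %{SSL_CLIENT_S_DN_O} == 'Example Corp'
</VirtualHost>
```

Include is valid inside a VirtualHost, which is what keeps the two hosts from drifting apart; SSLEngine and SSLVerifyClient still have to be per-vhost, for the reason Owen gives.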



RE: Error message help

2002-07-31 Thread Boyle Owen

From: Matt Nelson [mailto:[EMAIL PROTECTED]]

Now, the error I'm getting now that I can't seem to find any help on, in 
the error_log is:

OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long


Unusual.. Do you see anything in the browser? Also:

- What versions of apache, mod_ssl, openssl?
- Static or DSO?
- What browser?

Rgds,
Owen Boyle



RE: Error message help

2002-07-31 Thread Boyle Owen

See comments,

Rgds,

Owen Boyle

-Original Message-
From: Matt Nelson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 31 July 2002 17:01
To: [EMAIL PROTECTED]
Subject: RE: Error message help


Well I may have figured this out, https is now running, cert was in the wrong place, 

..or your SSLCertificateFile directive was pointing to the wrong place :-)

 ...but https returns the default web page for the apache installation, instead 
of the real site, which does come up with just http.  I think I can figure that 
out, but if anyone has pointer thanks, and thanks for suffering my dumb questions.

Check out your DocumentRoot directive in the SSL virtual host - there should only be 
one. If there is more than one, apache will use the last one... It is this directive 
which tells apache where to fetch the content.


--
Matt


At 09:36 AM 7/31/2002 -0500, you wrote:
At 03:56 PM 7/31/2002 +0200, you wrote:
 From: Matt Nelson [mailto:[EMAIL PROTECTED]]
 
 Now, the error I'm getting now that I can't seem to find any help on, in
 the error_log is:
 
 OpenSSL: error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long
 

Unusual.. Do you see anything in the browser? Also:

- What versions of apache, mod_ssl, openssl?


Apache 1.3.22
OpenSSL 0.9.6
mod_ssl 1.4

Um... If I were you, I'd get apache 1.3.26, OpenSSL 0.9.6e and mod_ssl 2.8.10. That's 
the latest mix, also pay attention to the security advisory that was posted to the 
list today. 


- Static or DSO?

When you compiled apache, did you statically compile in mod_ssl (i.e. 
--enable-module=ssl) so that the mod_ssl binary gets munged in with the apache binary 
to produce a big binary *or* did you compile mod_ssl as a shared object which would be 
loaded dynamically at runtime (DSO = Dynamic Shared Object), i.e. --enable-shared=ssl? 
Usually, it doesn't make much difference when they're working, but since yours was not 
working, I thought I'd ask.



I'll be honest and say I don't quite understand that question.  I'm way 
more new at this than I wished.  I could probably answer that question, if 
asked in different terms.

- What browser?

IE, Mozilla, you name it.

Just in case it was a funny browser - SSL is as much to do with the client as it is to 
do with the server so it is essential to verify any problems with several browsers. 
But you've already done that.


Rgds,
Owen Boyle



RE: Port-based questions?

2002-07-30 Thread Boyle Owen

See below,

Rgds,

Owen Boyle

From: Jay States [mailto:[EMAIL PROTECTED]]

I would like to clear up port-based hosting for mod-ssl:

1. https looks for port 443, but you can change that to any port with 
modification to the apache configure file and also as long as you 
specify the port in the url (https://sample.com:445).

Exactly correct. You need to say Listen 445 in the config and define a VH like 
<VirtualHost 192.168.1.1:445>. Then you have to use the port in the URL, as you show 
(to a browser, https means establish an SSL session with the following server; 
unless the port is specified, use port 443). 


2. Mod-ssl does not work for name based hosting...

Kind of the other way around: NBVHing doesn't work with SSL. The reason is that SSL 
encrypts all the contents of the TCP/IP packet so the traffic has to be routed using 
only TCP/IP attributes, i.e. IP address and Port number. The Host header (which is 
needed for NBVHing) is an HTTP attribute, i.e. it is inside the packet and so is 
encrypted so you can't use it to route packets.

 We must use ports in order for it to work.

Yes-ish.. You must distinguish SSL VHs by TCP/IP attributes, i.e. each VH must have a 
unique IP address:Port pair.

3. Can you specify more than one port to bind https? What if you only 
have 1 ip address and 10 different domain names.  What do you do then?  
Place the domain names behind your firewall and use a class a, b or c ip 
addresses?

You'd have to use 10 different ports. But you would have to specify the ports in the 
public URLs. I'm not sure what you're getting at with the FW idea... You can't get 
away with address translation in the FW adding on the port numbers since the packets 
are already encrypted when they arrive at the FW.

Having said that, I was astonished some months ago when someone reported a hardware 
gadget which could route SSL traffic by hostname. It is a kind of SSL router which you 
put between your server and the internet. I don't know how it works - maybe you have 
to give it your private server keys so it can decrypt the incoming traffic. I've also 
forgotten what it was called! Search the archives on this list for SSL routers, 
hardware etc.. 

Maybe someone else can remember the link to this gadget?

4.  If mod-ssl can be placed on more than one port what does the config 
file look like? I keep getting errors.  All the docs I've read 
said that name-based virtual do not work. 

Because they don't. 

They do not say that multiple ports can not be specified.

Because they can:

Listen 192.168.1.1:445
<VirtualHost 192.168.1.1:445>
  SSLEngine on
  SSLCertificateFile ...
  SSLCertificateKeyFile ...
  DocumentRoot ...
  etc..
</VirtualHost>

Listen 192.168.1.1:446
<VirtualHost 192.168.1.1:446>
  SSLEngine on
  SSLCertificateFile ...
  SSLCertificateKeyFile ...
  DocumentRoot ...
  etc..
</VirtualHost>

Note: no need for NameVirtualHost, no need for ServerName.
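The by-hostname routing Owen remembers from a hardware box is now part of TLS itself: the Server Name Indication extension (RFC 6066) carries the hostname in the clear in the ClientHello, before any key exchange, so the server can pick a certificate and vhost by name on one IP:port. Apache has supported it in mod_ssl since 2.2.12 with OpenSSL 0.9.8f or later built with TLS extension support. The following is an added example in Apache 2.4 syntax, not configuration from this thread; the address, hostnames and paths are assumptions.

```apache
# Added example (Apache 2.4 syntax); not configuration from the original thread.
# Address, hostnames and file paths are assumed.
Listen 192.168.1.1:443

# The first SSL vhost defined for an address:port is the default. It serves
# its own hostname and any client that sends no SNI extension at all.
<VirtualHost 192.168.1.1:443>
    ServerName   www.example.com
    DocumentRoot /home/www/example-com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>

# Same address and port; selected purely by the server_name in the
# ClientHello. No NameVirtualHost directive is needed in 2.4.
<VirtualHost 192.168.1.1:443>
    ServerName   www.example.net
    DocumentRoot /home/www/example-net
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.net.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.net.key
</VirtualHost>

# Refuse clients that send no SNI instead of silently handing them the
# default vhost and its (wrong) certificate.
SSLStrictSNIVHostCheck on
```

The reason this works is the one Owen gives for why the Host header cannot be used: the routing key has to be outside the encrypted part of the exchange, and SNI puts the hostname exactly there, visible to anyone on the path.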



RE: Virtual Hosting Problem

2002-07-29 Thread Boyle Owen

From: Danalien [mailto:[EMAIL PROTECTED]]

As I know, you can only bind one uniqe ip to one SSL virtual host.

not quite - see below..

and from what I have read, you can't use name-based SSL virtual host(s) either, 
as a work around.

Mostly right, but with one proviso: You cannot do name-based VHs with SSL but you can 
have many SSL port-based VHs on ONE IP address..

To understand why - Because in SSL the contents of the TCP/IP packets are encrypted, 
you can only use external TCP/IP attributes (i.e. IP address and port number) to route 
the packets. For name-based VHing, you need access to the Host header which is an HTTP 
attribute (i.e. it is inside the TCP/IP packet). This is visible in plain HTTP but not 
visible in SSL.


(48)Address already in use: make_sock: could not bind to address [::]:447
no listening sockets available, shutting down

This usually means that some other process is already using port 447. Check 
/etc/services for a list of pre-defined ports, also verify that you have completely 
killed all other instances of apache which may have been blocking the port (ps -ef | 
grep httpd).

Rgds,

Owen Boyle



RE: modssl and htaccess

2002-07-29 Thread Boyle Owen

From: Michael O'Brien [mailto:[EMAIL PROTECTED]]

Can anyone suggest some possible cause to why my htaccess file 
is being ignored. The contents of my htaccess file are


AuthUserFile /apps/apache/bin/.htpasswd 
AuthGroupFile /dev/null 
AuthName "Restricted Site"
AuthType Basic  

<Limit GET POST>
require valid-user
</Limit>

AuthUserFile is supposed to point at the file containing your usernames and passwords. 
Did you really do:

cd /apps/apache/bin
./htpasswd -c .htpasswd username

when you were making your password file? (i.e. why call a password file nearly the 
same as the binary that made it and put it in a bin directory?) I usually have things 
like:

AuthUserFile /home/site/admin/passwords/member_section.pwd

Which is a whole lot less confusing...

Anyway: Is your htaccess file really called htaccess? If so, do you have:

AccessFileName htaccess

because the default is .htaccess and htaccess will not work on its own (all these 
leading dots are part of the filename, remember).

Otherwise, check the error log and post the results.

Rgds,

Owen Boyle




RE: I am having a heck of a time - Please help. -- SOLUTION FOUND !

2002-07-18 Thread Boyle Owen

I'm running solaris 8 and compiled apache/mod_ssl/mm/DSO with no problems *without* 
SHARED_CORE... I am using gcc 3.0.3.

Rgds,

Owen Boyle

-Original Message-
From: Steve Romero [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 17 July 2002 23:45
To: [EMAIL PROTECTED]; '[EMAIL PROTECTED]'
Subject: RE: I am having a heck of a time - Please help. -- SOLUTION FOUND !


David,

yes I've encountered problems with gcc when building apache as well.  I 
don't know what the problem is I always thought it was a version issue.  I 
use a gcc-2.8.1 package from FSF, and that works.  Perhaps I should try 
compiling a newer version of gcc, and not use the Sunfreeware package.

thanks for the research info below.

Regards,
Steve Romero

At 08:45 AM 7/17/2002 -0700, David Loesche wrote:
Building Apache with EAPI, DSO enabled, mod_ssl and mm is a very simple
task. I do not know why it took so long to figure out. You simply follow
the instructions in the mod_ssl install documentation (or other helpful
documents; you can find these all over the web), and you're up and running with
Apache - EAPI, DSO, mod_ssl, etc. running.

WRONG!  Not on Solaris 8.  It seems that if you build Apache on Solaris 2.6
with gcc 2.95 all is well.  Simply follow the instructions in the mod_ssl
documentation and you're done.  But it's another story if you are using
Solaris 8 (I am not sure about 7 or 9 - I do have time to try it on these).
After many hours of frustration and numerous emails I finally decided to try
every combination one-by-one to identify which one was the culprit.

Initial environment:

Solaris 8
Gcc 3.0.3
Apache 1.3.26
Mod_ssl-2.8.10-1.3.26
mm-1.1.3
openssl-0.9.6d

The only way this combination works is with --enable-rule=SHARED_CORE. This
option forces Apache to export the shared symbols so they are available at
run time.  This takes a 5% performance hit and since the previous build did
not have it I assumed I was doing something wrong.  So I tried every
possible build configuration over and over - No change (I had to use the
SHARED_CORE rule).  I even tried this on Apache 2.0.39 and 1.3.20 (the
previous build version here of Apache).  No matter what I did I could not
get it to build the same way as the previous version. More work to do...

2nd shot:

Solaris 8
Gcc 2.95.3
Apache 1.3.26
Mod_ssl-2.8.10-1.3.26
mm-1.1.3
openssl-0.9.6d

EVENTS AND SOLUTION:

Same as above.  More work to do...

Last shot:

Solaris 8
Gcc 3.1
Apache 1.3.26
Mod_ssl-2.8.10-1.3.26
mm-1.1.3
openssl-0.9.6d

Worked just like all the documentation said it should have and everyone I
contacted told me to do (which I had spent over a week reading and trying
all these suggestions).  As it turns out, either the build from
sunfreeware.com for gcc 2.95 & 3.0.3 have an issue with the loader module,
the building of shared libraries, or gcc has an issue.  So, if any of you
have to do this make sure you have gcc 3.1 or SUN's compiler (I believe
SUN's works but did not try it - I guess I'm just stubborn).

Later,



-Original Message-
From: David Loesche
Sent: Monday, July 15, 2002 12:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: I am having a heck of a time - Please help.

I did read the referred document concerning the build phase.  I am intrigued
by the LD_LIBRARY_PATH suggestion.  What would you recommend I set it to?

-Original Message-
From: Boyle Owen [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 15, 2002 12:51 AM
To: [EMAIL PROTECTED]
Subject: RE: I am having a heck of a time - Please help.

Could be to do with your version of openssl lib (check it is reasonably up
to date) or with your LD_LIBRARY_PATH environment variable..

Check out http://www.delouw.ch/linux/Apache-Compile-HOWTO/html/apache.html
for a good user's summary.

Rgds,

Owen Boyle

 -Original Message-
 From: David Loesche [mailto:[EMAIL PROTECTED]]
 Sent: Friday, 12 July 2002 20:12
 To: '[EMAIL PROTECTED]'
 Subject: I am having a heck of a time - Please help.
 
 
 I have pored through all the documentation I can find on enabling mod_ssl
 with Apache 1.3.26 but keep coming up short.  If I static link the mod_ssl
 it works fine but when I try to enable DSO and use it as a shared library I
 keep getting ap_add_config_define : referenced symbol not found.  I have the
 following config setup for the apache build:
 
 #!/bin/ksh
 SSL_BASE=/usr/local/ssl \
 EAPI_MM=../mm-1.1.3 \
 EAPI_MM_CORE_PATH=logs/httpd.mm \
 LIBS=/usr/lib/libC.so.5 \
 CFLAGS=-fPIC \
 ./configure --prefix=/opt/apache \
    --enable-rule=EAPI \
    --enable-module=ssl \
    --enable-shared=ssl \
    --disable-rule=SSL_COMPAT \
    --enable-rule=SSL_SDBM \
    --enable-suexec \
    --suexec-caller=http
 
 I have followed the instructions in the modssl install guide to patch
 Apache.  Please verify the following build for mod_ssl:
 
 ./configure --with-apache=../apache_1.3.26

RE: I am having a heck of a time - Please help.

2002-07-15 Thread Boyle Owen

Could be to do with your version of openssl lib (check it is reasonably up to date) or 
with your LD_LIBRARY_PATH environment variable..

Check out http://www.delouw.ch/linux/Apache-Compile-HOWTO/html/apache.html
for a good user's summary.

Rgds,

Owen Boyle

-Original Message-
From: David Loesche [mailto:[EMAIL PROTECTED]]
Sent: Friday, 12 July 2002 20:12
To: '[EMAIL PROTECTED]'
Subject: I am having a heck of a time - Please help.


I have pored through all the documentation I can find on enabling mod_ssl
with Apache 1.3.26 but keep coming up short.  If I static link the mod_ssl
it works fine but when I try to enable DSO and use it as a shared library I
keep getting ap_add_config_define : referenced symbol not found.  I have the
following config setup for the apache build:

#!/bin/ksh
SSL_BASE=/usr/local/ssl \
EAPI_MM=../mm-1.1.3 \
EAPI_MM_CORE_PATH=logs/httpd.mm \
LIBS=/usr/lib/libC.so.5 \
CFLAGS=-fPIC \
./configure --prefix=/opt/apache \
   --enable-rule=EAPI \
   --enable-module=ssl \
   --enable-shared=ssl \
   --disable-rule=SSL_COMPAT \
   --enable-rule=SSL_SDBM \
   --enable-suexec \
   --suexec-caller=http

I have followed the instructions in the modssl install guide to patch
Apache.  Please verify the following build for mod_ssl:

./configure --with-apache=../apache_1.3.26 \
   --with-ssl=/usr/local/ssl \
   --with-mm=../mm-1.1.3

If you can help (point me to some documentation) I would be very grateful...


David S. Loesche
[EMAIL PROTECTED]
Yipes Communications, Inc.
Main:  (415) 901-2000  114 Sansome Street, Suite 1045
Direct:(415) 901-2210  San Francisco, CA 94104
Fax:   (415) 901-2201  http://www.yipes.com

Yipes is the defining provider of fully scalable bandwidth for businesses.
We offer fully managed high-speed Internet and Nationwide LAN-to-LAN
services at speeds ranging from 1 Mbps to 1 Gbps, in 1 Mbps increments.

Yipes delivers this uniquely flexible service over the first nationwide
system of optical IP networks.




RE: How to access control cgi-bin

2002-07-15 Thread Boyle Owen

From: liangbin li [mailto:[EMAIL PROTECTED]]

I install apache httpd server with mod_ssl. I browse an access controlled 
html file and it calls a program under the cgi-bin directory.

Is this what you want to happen?

I want to know how I can set up access control within the cgi-bin's 
program?

Real access control is done at the server level (HTTP protocol), i.e. a layer below 
the application like CGI. So you can't control HTTP authentication from CGI. You could 
use a CGI form to authenticate users and then serve them the CGI output (i.e. have the 
CGI process all data going to the user). This is a bit laborious and involves writing 
a mini-webserver in CGI... What's wrong with the built-in authentication scheme?

Rgds,

Owen Boyle
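The built-in scheme Owen points to, applied to a cgi-bin directory, and the one check the earlier "modssl and htaccess" thread never gets to: a .htaccess file is silently ignored unless the enclosing Directory allows overrides. This is an added example in Apache 2.4 syntax, not configuration from either thread; the address, hostname, certificate paths and the password file location (borrowed from Owen's suggestion) are assumptions, the cgi-bin path and AuthName are Michael's.

```apache
# Added example (Apache 2.4 syntax); not configuration from the original threads.
# Address, hostname, certificate paths and the password file are assumed.
<VirtualHost 192.168.0.1:443>
    ServerName   www.example.com
    DocumentRoot /home/www/html
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    ScriptAlias /cgi-bin/ "/apps/apache/cgi-bin/"

    # Apache does the authentication; the CGI only consumes the result.
    # Basic auth sends the password in the clear, so insist on SSL for this
    # directory as well as for the pages that call it.
    <Directory "/apps/apache/cgi-bin">
        Options +ExecCGI
        SSLRequireSSL
        AuthType Basic
        # Multi-word names must be quoted, or only "Restricted" is used.
        AuthName "Restricted Site"
        # Keep the password file outside DocumentRoot and out of bin/.
        AuthUserFile /home/site/admin/passwords/member_section.pwd
        Require valid-user
        # mod_cgi exports the authenticated name to the script as
        # REMOTE_USER; with client certificates in use, add
        #     SSLOptions +StdEnvVars
        # and SSL_CLIENT_S_DN arrives the same way.
    </Directory>

    # If the Auth* lines are to live in a .htaccess file instead, the
    # enclosing <Directory> must permit it, otherwise the file is ignored
    # without any error:
    #     AllowOverride AuthConfig
    # AccessFileName only needs changing if the file is not called ".htaccess".
</VirtualHost>
```

The script should trust REMOTE_USER only because Apache set it after a successful check; it never sees the password and cannot be bypassed by calling the CGI directly, since the Directory block covers the script itself and not just the page that links to it.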



RE: mod_ssl issue, https is not working

2002-07-12 Thread Boyle Owen

Have you created an SSL virtualhost?

As well as installing mod_ssl, you also have to define a virtual host to make use of 
it. Also, you have to tell the server to listen to port 443, e.g.

Listen 192.168.0.1:443
<VirtualHost 192.168.0.1:443>
  ...etc
</VirtualHost>

Rgds,

owen Boyle

-Original Message-
From: Payal Suratwala [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 11 July 2002 22:55
To: [EMAIL PROTECTED]
Subject: mod_ssl issue, https is not working


I have installed Apache-V2.39-compiled with mod_ssl module.  
I have installed OpenSSL-V-0.9.6c and php4.2.2 on my server.  
I have created the RSA certificate and Private key and moved 
them in to the path described in the ssl.conf file.  When I 
do ./apachectl startssl, the ssl starts but when I open 
netscape to go to the https://servername, it prompts me that 
I am about to go to the secure website, and I click okay and 
then it tells me that the website is not found.  My 
http://servername site works, but https://servername does 
not, so what do I need to do? Why is the https not working? 
I have looked everywhere to find information about this and 
nothing has worked for me so far, so I would really 
appreciate some help on this issue.  Thank You,

Payal Suratwala