Re: Please help with http - https redirection
Are these IP-based virtual hosts or name-based virtual hosts? See http://httpd.apache.org/docs/2.0/vhosts/name-based.html

--Cliff

On 10/15/07, Bernard Barton [EMAIL PROTECTED] wrote:
> In my main httpd.conf file, I have numerous include files which include virtual hosts like so:
>
> Include /usr/local/apache/conf/conf.d/devl00.conf
> Include /usr/local/apache/conf/conf.d/devl01.conf
> Include /usr/local/apache/conf/conf.d/devl02.conf
>
> So if I access http://devl02.mydomain.com/ then I see the virtual host defined in devl02.conf, etc. In the devl02.conf file, I have enabled SSL. I CAN access the secure site https://devl02.mydomain.com/. However, when I now access the non-secure site of http://devl02.mydomain.com, the main server web site is displayed, and not the virtual host.
>
> What I'm trying to do is a RedirectPermanent / https://cj-devl02.mydomain.net/
>
> But when I do this I get errors that I posted previously about cookies not being enabled. So I guess the question is, having the Include statements above, and knowing that each include file like devl08.conf is a virtual host container with SSL enabled, how do I redirect from the port 80 version to the SSL enabled port 443 version like:
>
> http://cj-devl02.mydomain.net/ -- https://cj-devl02.mydomain.net/
>
> FYI, I've tried including .conf files, and also pasting the contents of my .conf files into an email, but they evidently are rejected by the mailing list.

__
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Mod_SSL
You don't have to patch anything. It's already in there. Just add --enable-ssl to the ./configure command line arguments.

--Cliff

On 11/10/06, kbajwa [EMAIL PROTECTED] wrote:
> Cliff: You are all right. This is my first try to build a server, so I need further help. I have downloaded the latest Apache version 'httpd-2.2.3'. I am at the point where I need to patch it with 'mod_ssl' module. Can you guide me how to patch 'httpd-2.2.3' with the latest version of 'mod_ssl-2.2.828-1.3.37'? Thanks in advance.
>
> Kirt
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cliff Woolley
> Sent: Tuesday, November 07, 2006 5:05 PM
> To: modssl-users@modssl.org
> Subject: Re: Mod_SSL
>
> What this person is getting at is that the reason you can't find a mod_ssl patch for Apache 2.x is that mod_ssl comes pre-bundled with Apache 2.x. Just enable it when you run configure on the apache build.
>
> --Cliff
>
> On 11/7/06, Kong, Yi - HPL [EMAIL PROTECTED] wrote:
>> You add ssl argument when you configure the apache
>>
>> From: kbajwa [mailto:[EMAIL PROTECTED]]
>> Sent: Tuesday, November 07, 2006 10:22 AM
>> To: modssl-users@modssl.org
>> Subject: Mod_SSL
>>
>> My first posting! I am installing Apache-2.2.3 and would like to install mod_ssl. I notice that current/latest version of mod_ssl is for Apache-1.x.x version. Is there any way (with a patch) to install the latest version of mod_ssl on Apache-2.x.x?
Re: Mod_SSL
What this person is getting at is that the reason you can't find a mod_ssl patch for Apache 2.x is that mod_ssl comes pre-bundled with Apache 2.x. Just enable it when you run configure on the apache build.

--Cliff

On 11/7/06, Kong, Yi - HPL [EMAIL PROTECTED] wrote:
> You add ssl argument when you configure the apache
>
> From: kbajwa [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, November 07, 2006 10:22 AM
> To: modssl-users@modssl.org
> Subject: Mod_SSL
>
> My first posting! I am installing Apache-2.2.3 and would like to install mod_ssl. I notice that current/latest version of mod_ssl is for Apache-1.x.x version. Is there any way (with a patch) to install the latest version of mod_ssl on Apache-2.x.x?
Re: Apache sends wrong certificate
On 5/30/06, Frank van Beek [EMAIL PROTECTED] wrote:
> I understand your confusion. In my post I masked out the first two numbers of the IP-addresses. But we do have 4 VirtualHosts on 4 different IP-addresses. As it turned out (see a previous post), our problem was caused by a misconfigured reverse DNS.

I'm glad you figured it out, but it's still a little bit unclear to me why the DNS should have had any effect. The NameVirtualHost directives in the config snippet you posted are extraneous and should be removed. I wonder if you'd gotten rid of those if the problem would have gone away regardless of DNS. Hmm...

--Cliff
Re: Apache sends wrong certificate
On 5/30/06, Frank van Beek [EMAIL PROTECTED] wrote:
> I checked a couple of pages on VirtualHosts in the Apache documentation. As far as I can see in the examples in most of them there is a NameVirtualHost for every VirtualHost, even when it's running on a different port. See the examples here: http://httpd.apache.org/docs/2.0/vhosts/examples.html

All of the examples on that page that use NameVirtualHost are actually *doing* name-based virtual hosting, which is where you have multiple virtual hosts with the same IP/port combination (thus the only thing that distinguishes them is their name, as given in the Host: HTTP header). You're doing IP-based virtual hosting, not name-based virtual hosting. (You only have one virtual host per IP/port combination.) Thus you don't need NameVirtualHost. If you scroll down in the page you gave, you'll see an example of IP-based virtual hosting, and note that it does *not* include any NameVirtualHost directives.

Hope this helps,
--Cliff
Re: Failed uploading file to Apache HTTP Server after using SSL
On 4/20/06, Ken Chen [EMAIL PROTECTED] wrote:
> [Thu Apr 20 17:04:46 2006] [debug] ssl_engine_io.c(1523): OpenSSL: I/O error, 5 bytes expected to read on BIO#81d53d8 [mem: 81eeef8]

Just like it sounds from the message, this error occurs when the call to SSL_read() in ssl_io_input_read() fails with the system returning an error of ETIMEUP. While of course it's possible that something is getting stuck somewhere and thus it is taking a really long time and subsequently times out, my first inclination is to say that your global Timeout value is simply set too low. See http://httpd.apache.org/docs/2.0/mod/core.html#timeout

What value do you have set there?
Re: Failed uploading file to Apache HTTP Server after using SSL
On 4/19/06, Ken Chen [EMAIL PROTECTED] wrote:
> Now seems when uploading big file has problem in ssl. When I upload a 3K image file, it's ok. But when I upload a 35K image file. It failed.

Ah, I see.

> Is there any place to set the cache/buffer? Or I have to set SSLSessionCache and SSLSessionCacheTimeout?

You should set the session cache anyway (failing to do so will result in a major drop in performance), but this should have no effect on the particular problem you're describing.

> By the way, I don't understand why to use openssl s_client and issue a GET request? I am uploading file. Isn't it a POST request? Can you have a brief sample how to test?

It was unclear to me from your original message that *any* https was working, so I was trying to just give you the most basic test to try. I didn't realize you could upload small files successfully. Did you turn on the ssl debug log and look at the spot in the large file upload where it failed?

--Cliff
Re: Failed uploading file to Apache HTTP Server after using SSL
On 4/18/06, Ken Chen [EMAIL PROTECTED] wrote:
> 1. If users access our server via https:// through the webserver, it fails to upload. Backend source encountered NullPointerException when accessing the FileItem requested.
> 2. But if users access our server via http://... through the web server, there is no that problem.
>
> Hence I think there should be something wrong with the request parsing through https. Any advice/clue to check where or how to solve it is greatly appreciated. Thanks in advance.

A couple of suggestions:

(1) turn on debug logging in mod_ssl... this will give you a byte-by-byte dump of the SSL transaction in the log file.

(2) try connecting to your https server with openssl s_client and then issuing a GET request by hand. That can often be instructive.

--Cliff
Re: undefined symbol: RSA_generate_key
On 2/7/06, Gordon Ross [EMAIL PROTECTED] wrote:
> I've got a Linux box with OpenSSL 0.9.8a installed (configured with threads, zlib shared). I then configured and installed Apache 2.0.55 with SSL support (configure --enable-ssl --enable-mods-shared=all). When I try and start Apache (httpd -D SSL) I get the error:
>
> Cannot load (path)/mod_ssl.so into server (path)/mod_ssl.so: undefined symbol: RSA_Generate_key

It's highly likely this is the same problem described by me long long ago on this forum related to X509_free being undefined. Take a look at this:

http://www.mail-archive.com/modssl-users@modssl.org/msg14344.html

The short short version is that you should try recompiling apache with --enable-ssl=static.

--Cliff
Re: SSLPassPhraseDialog several certificates
On 1/30/06, Konstantin N. Bezruchenko [EMAIL PROTECTED] wrote:
> Because we already have password-protected certificates, and as I know we can't remove password protection from existing certificate.

That's not correct. Your certificate is not password protected... your private key is. And you can definitely remove the password from the private key. From the OpenSSL documentation:

To remove the pass phrase on an RSA private key:
openssl rsa -in key.pem -out keyout.pem

To remove the pass phrase on a DSA private key:
openssl dsa -in key.pem -out keyout.pem

Hope this helps.
--Cliff
Re: Is it possible to not force SSL on port:443?
On 10/14/05, Pigeon [EMAIL PROTECTED] wrote:
> I am helping someone develop a product, and for the next little bit he will need to access port 443 without the communication being encrypted (aka he could telnet to it if he wanted). But in the very near future, he will want to make 443 encrypted.. Is it possible to not force encryption on port 443?

Sure... you just tell Apache to listen on that port and don't turn the SSLEngine on. :)

Or are you asking how to make it *optional*? You can do that too -- as long as SSLRequireSSL isn't set, it should work.
Fwd: How to allow only certain Certificates
Helps if I send this from the address that is actually subscribed to the list... resending

---------- Forwarded message ----------
From: Cliff Woolley
Date: Oct 12, 2005 7:41 AM
Subject: Re: How to allow only certain Certificates
To: modssl-users@modssl.org

On 10/12/05, Dr. Harry Knitter [EMAIL PROTECTED] wrote:
> how can I restrict access to my Apache to owners of certain individual certificates?

Sounds like a good case for FakeBasicAuth combined with Require User.

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#ssloptions

Hope this helps,
Cliff
Re: Fwd: How to allow only certain Certificates
On 10/14/05, Dr. Harry Knitter [EMAIL PROTECTED] wrote:
> Thanks, however, I'd prefer something like the Unique Subject Identifier or perhaps the Fingerprints. DNs can be faked easily.

Not if you require your own CA as the issuing authority using SSLCACertificateFile and SSLRequire, they can't...

--Cliff
Re: Environment variables question
> I simply would like to know what is the meaning of the following variables
>
> Examples:
> SSL_CLIENT_S_DN_T
> SSL_CLIENT_S_DN_I

There's a nice table of these at http://www.covalent.net/resource/documentation/ers/2.0.0/productguide/html/proxymodule.html . I had to dig pretty good to find that, though. I've never seen them before. :)

--Cliff
Re: configure SSL session timeout
> I know the SSL session timeout param can be configured by the directive SSLSessionCacheTimeout. Is there any setting or API for the browser or client application to configure the SSL session timeout param and override the server's one such that each application can configure their timeout period of the SSL connection according to their requirement?

Nope... not that I know of.

--Cliff
Re: make certificate hangs
make certificate is largely deprecated at this point, as far as I'm concerned... it doesn't even ship with Apache 2.0 + mod_ssl. The expiration could be considered a bug in Apache 1.3's mod_ssl, but IMO the best thing for you to do is to follow the steps in the mod_ssl documentation for creating your own self-signed certificate using openssl by hand. The documentation isn't perfect, but that route is still probably the best option right now that I know of.
Re: Re:
> Starting httpd: (98)Address already in use: make_sock: could not bind to address my IP address:443
> no listening sockets available, shutting down
>
> However the key information really is missing. So it looks like this may be a problem in the fedora httpd configuration tool, because the key information definitely is there in the virtual host configuration in the gui, it's just not getting saved for some reason.

Okay... although I don't think we've yet found a good explanation for why you're getting the message you're getting. Perhaps duplicate Listen statements?
Re:
It really does sound like there's something else listening on port 443:

> Starting httpd: (98)Address already in use: make_sock: could not bind to address my IP address:443
> no listening sockets available, shutting down

That's usually what this message means. You said:

> Oh, and there isn't anything else listening to port 443:
> /sbin/fuser -4 -n udp 443
> gives a null result.

... except that it's tcp, not udp, that we care about here.

As for your httpd.conf, it looks sort of close, although the VirtualHost my ip address:443 block needs to have the SSL certificate and key configuration directives as well as some other stuff (see the example httpd.conf that comes with mod_ssl), and the VirtualHost *:80 block should NOT contain SSLEngine on.

Hope this helps,
--Cliff
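A small config lint for the three mistakes raised in this message and the previous one (duplicate Listen lines, SSLEngine on inside the *:80 vhost, a :443 vhost missing SSLEngine/certificate/key directives). This is an added example, not code from the thread or from Apache; both httpd.conf fragments are constructed and the certificate paths are placeholders.

```python
import re
from collections import Counter

# Constructed httpd.conf fragment reproducing the problems described in the
# thread: Listen 443 twice, "SSLEngine on" inside the *:80 vhost, and a :443
# vhost with no SSLEngine/certificate/key directives.
BROKEN_CONF = """\
Listen 80
Listen 443
Listen 443

<VirtualHost *:80>
    ServerName www.example.test
    SSLEngine on
    DocumentRoot /var/www/html
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName www.example.test
    DocumentRoot /var/www/html
</VirtualHost>
"""

# The same layout with the fixes applied (file paths are placeholders).
FIXED_CONF = """\
Listen 80
Listen 443

<VirtualHost *:80>
    ServerName www.example.test
    Redirect permanent / https://www.example.test/
</VirtualHost>

<VirtualHost 192.0.2.10:443>
    ServerName www.example.test
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/www.example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.test.key
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$", re.M)


def directives(fragment):
    """Map lower-cased directive name -> list of argument strings.
    Comment lines and <Container> tags never match the regex."""
    found = {}
    for name, value in DIRECTIVE_RE.findall(fragment):
        found.setdefault(name.lower(), []).append(value)
    return found


def vhost_port(addr):
    """Port of a <VirtualHost addr[:port]> spec; Apache defaults to 80."""
    first = addr.split()[0]                        # only the first address of a list
    if first.endswith("]") or ":" not in first:    # bare "[::1]" or "*"
        return 80
    return int(first.rsplit(":", 1)[1])


def lint_ssl_config(text):
    problems = []
    # Listen is server-wide, so look only outside the vhost blocks.
    global_part = VHOST_RE.sub("", text)
    listens = Counter(v.strip().lower() for v in directives(global_part).get("listen", []))
    for spec, count in listens.items():
        if count > 1:
            problems.append(f"Listen {spec} appears {count} times (bind will fail with EADDRINUSE)")
    for addr, body in VHOST_RE.findall(text):
        d = directives(body)
        port = vhost_port(addr)
        engine_on = any(v.strip().lower() == "on" for v in d.get("sslengine", []))
        if engine_on and port == 80:
            problems.append(f"<VirtualHost {addr}>: 'SSLEngine on' in a plain-HTTP vhost")
        elif engine_on or port == 443:
            if not engine_on:
                problems.append(f"<VirtualHost {addr}>: no 'SSLEngine on', so port {port} will speak plain HTTP")
            # The key may also live inside the cert file, so the key check is advisory.
            for needed in ("SSLCertificateFile", "SSLCertificateKeyFile"):
                if needed.lower() not in d:
                    problems.append(f"<VirtualHost {addr}>: missing {needed}")
    return problems


if __name__ == "__main__":
    for p in lint_ssl_config(BROKEN_CONF):
        print("PROBLEM:", p)
    print("fixed config problems:", lint_ssl_config(FIXED_CONF))
```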
Re: Mod_ssl and how to reduce overhead
> Also.. I have heard about ssl session key caching, anyone know how much this will improve things?

Session caching is more or less essential for any kind of reasonable SSL performance. Disabling the session cache will hurt your SSL perf by perhaps as much as an order of magnitude (roughly speaking -- it's been a long time since I benchmarked it).

--Cliff
Re: Mod_ssl and how to reduce overhead
On 9/26/05, Phil Ehrens [EMAIL PROTECTED] wrote:
> Pigeon wrote:
>> (The reason I say 10k concurrent is because we have an update system (sorta like windows update).. and as soon as we tell their computer to update, we have 10k boxes saying give me the file!)

I think I agree with the guy who said this thread has pretty much been asked and answered at this point, but I figured I'd just throw in one more little nugget for you to think about.

It sounds to me from the limited information above that you're causing your own problem here by instructing 10k-100k clients to update themselves with some multi-megabyte patch file simultaneously. This is obviously a huge amount of bandwidth, but it doesn't seem obvious to me that it would be a huge amount of bandwidth on a 24/7 basis... rather it would come in bursts _at times specified by you_.

This to me begs for a software engineering effort rather than a sysadmin/netadmin effort; if you can get the clients to wait some random length of time after receiving the update available notification prior to requesting the update, your number of concurrent accesses will drop dramatically. Alternatively, if you have more control over the server-side code than the client-side code, you could publish the update available notification TO the clients a handful at a time rather than all at the same time.

Hope this helps, and best of luck...
--Cliff
Re: Two different physical hosts + IPs, one cert
The certificate refers to the host by name, not by IP address. So as long as the two hosts have exactly the same FQDN, then you should be fine.

--Cliff
Re: preventing client certs to be used by multiple users??
On 8/31/05, Conrad Friedrich [EMAIL PROTECTED] wrote:
> Is there a way to prevent users (that got a client ssl-certificate (pkcs12) for accessing my server) from giving their certs away to others and in that way enabling unwanted users access to my site?

The client certificate acts as the user's identity. If the user gives away his/her identity or the identity is stolen, then someone else can authenticate to the server using that identity, and that's just the way it is. This is no different than a username/password means of establishing user identity, really, except that the user has perhaps better ways to protect a client certificate than he does a username/password. If the user intentionally gives away the certificate, there's nothing you can do about it.

> Or if there is no elegant solution, maybe someone knows how apache (or a log analyzer etc.) can inform me if two different IPs have tried to connect simultaneously using the same certificate?

I haven't seen any such tool but that doesn't mean there isn't one out there. Anybody else heard of such a thing?

--Cliff
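The log analyzer asked about above can be written in a few dozen lines once mod_ssl's client-certificate variables are in the access log. This is an added example, not a tool mentioned in the thread; it assumes a custom LogFormat that appends the quoted `%{SSL_CLIENT_S_DN}x` and `%{SSL_CLIENT_M_SERIAL}x` fields to each line, and the log lines themselves are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed LogFormat (not from the thread):
#   LogFormat "%h %t \"%r\" %>s \"%{SSL_CLIENT_S_DN}x\" %{SSL_CLIENT_M_SERIAL}x" sslclient
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<dn>[^"]*)" (?P<serial>\S+)$'
)

# Constructed sample: alice's certificate is used from two addresses four
# seconds apart; bob's is used from a second address hours later.
LOG = """\
203.0.113.10 [31/Aug/2005:10:00:01 +0000] "GET /secure/ HTTP/1.1" 200 "/C=DE/O=Example/CN=alice" 0A1B
203.0.113.10 [31/Aug/2005:10:00:05 +0000] "GET /secure/report HTTP/1.1" 200 "/C=DE/O=Example/CN=alice" 0A1B
198.51.100.7 [31/Aug/2005:10:00:09 +0000] "GET /secure/ HTTP/1.1" 200 "/C=DE/O=Example/CN=alice" 0A1B
192.0.2.44 [31/Aug/2005:10:01:00 +0000] "GET /secure/ HTTP/1.1" 200 "/C=DE/O=Example/CN=bob" 0A1C
192.0.2.44 [31/Aug/2005:12:30:00 +0000] "GET /secure/ HTTP/1.1" 200 "/C=DE/O=Example/CN=bob" 0A1C
203.0.113.99 [31/Aug/2005:16:45:00 +0000] "GET /secure/ HTTP/1.1" 200 "/C=DE/O=Example/CN=bob" 0A1C
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "dn": m["dn"],
        "serial": m["serial"],
    }


def find_shared_certs(lines, window=timedelta(minutes=5)):
    """Flag every request whose client certificate was also used from a
    different source address within `window` before it.  The serial is only
    unique per issuer, so key on (issuer, serial) if several CAs are accepted."""
    by_serial = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["serial"] != "-":          # "-" means no client cert was presented
            by_serial[ev["serial"]].append(ev)

    alerts = []
    for serial, events in by_serial.items():
        events.sort(key=lambda e: e["ts"])
        recent = []                              # events still inside the window, oldest first
        for ev in events:
            recent = [r for r in recent if ev["ts"] - r["ts"] <= window]
            for r in reversed(recent):           # nearest earlier use from another IP
                if r["ip"] != ev["ip"]:
                    alerts.append({
                        "serial": serial,
                        "dn": ev["dn"],
                        "ips": (r["ip"], ev["ip"]),
                        "seconds": int((ev["ts"] - r["ts"]).total_seconds()),
                    })
                    break
            recent.append(ev)
    return alerts


if __name__ == "__main__":
    for a in find_shared_certs(LOG.splitlines()):
        print(f"{a['dn']} (serial {a['serial']}) used from {a['ips'][0]} and {a['ips'][1]} {a['seconds']}s apart")
```

Source addresses behind NAT, proxies or mobile networks change legitimately, so treat a hit as a lead to investigate rather than proof of sharing.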
Re: undefined symbol: X509_free
On 8/29/05, Toney Samuel [EMAIL PROTECTED] wrote:
> I am getting this error
>
> cluster1:/usr/local/apache2/bin # ./apachectl startssl
> Syntax error on line 234 of /usr/local/apache2/conf/httpd.conf:
> Cannot load /usr/local/apache2/modules/mod_ssl.so into server: /usr/local/apache2/modules/mod_ssl.so: undefined symbol: X509_free

This is a long-outstanding bug in the Apache build process. It's easy to work around. Please refer to http://www.mail-archive.com/modssl-users@modssl.org/msg14344.html .

Thanks!
Cliff
Re: Apache starts, SSL site unavailable
On Tue, 21 Jun 2005, Jon August wrote:
> Hi, I'm switching from Stronghold to Apache 2.0.54 with mod_ssl enabled. When I start apache, everything appears to work except the SSL site. There's some sort of warning about the cache. mod_ssl.c is listed as a compiled in module, and there's an:
>
> Include conf/ssl.conf
>
> in the httpd.conf. Any suggestions would be greatly appreciated.

Are you starting httpd with the -D SSL command line argument? If not, then the entire block of configuration directives inside the IfDefine SSL container in your config file will be ignored.

--Cliff
Re: Apache starts, SSL site unavailable
On Tue, 21 Jun 2005, Jon August wrote:
> Can I just remove the IfDefine tags? or is that not recommended?

Yes, feel free. My understanding is that the only reason it's in there in the first place is to try to make it clear that SSL isn't something you can have work directly out of the box... you have to go and generate yourself a private key and certificate request and so forth. Unfortunately it has the side-effect of getting in the way sometimes, so it's a lesser-of-two-evils situation I suppose.

--Cliff
Re: Client Authentication POST Problem
On Sat, 25 Dec 2004, Adolfo Bello wrote:
> It just doesn't work in Apache 2.0.x. Use Apache 1.3.x.

That doesn't sound like very good advice... if something is broken in Apache 2.0.x, we should just fix it. :-/

--Cliff
Re: Client Authentication POST Problem
On Sat, 25 Dec 2004, Adolfo Bello wrote:
> I heartily agree. Unfortunately, I've been waiting for more than a year for this problem to be fixed in Apache 2.0.x :-( This bug was opened on 2002-09-06
> http://nagoya.apache.org/bugzilla/show_bug.cgi?id=12355

Usually the trick to getting something really done around here is to keep reminding somebody until it really gets their attention. :) Anyway I'll forward this on to [EMAIL PROTECTED], and maybe we'll get a taker.

--Cliff
Re: seg fault in apache in AIX
On Mon, 29 Mar 2004 [EMAIL PROTECTED] wrote:
> I'm getting the following output from a test of https on my apache server using modssl. I can't easily rebuild it. I'm hoping someone has an idea how to get more info without recompiling the server...

You're gonna have to give us more than that. :) For starters:

- Apache version, mod_ssl version, OpenSSL version?
- session cache settings?
- using client certificates or revocation lists?

--Cliff
Re: seg fault in apache in AIX
On Mon, 29 Mar 2004 [EMAIL PROTECTED] wrote:
> I wish I had the info but I didn't build it. I switched back to an earlier version of the executable and it works fine. [Looong story]

You don't need to be the one who built it. You can get the version numbers just by asking Apache. telnet to port 80 and issue a HEAD request, something like this:

-
$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD / HTTP/1.0
Host: localhost

HTTP/1.1 200 OK
Date: Mon, 29 Mar 2004 21:55:24 GMT
Server: Apache/1.3.29 (Unix) PHP/4.3.5 mod_ssl/2.8.16 OpenSSL/0.9.7d
Connection: close
Content-Type: text/html

Connection closed by foreign host.
-

You can find out what the session cache, client cert, and CRL settings are just by looking in the config file.

--Cliff
RE: Re[2]: rse has beagle-a virus ?
On Mon, 1 Mar 2004, Hunt,Keith A wrote:

Well now, this wins the award for the silliest rant I've heard for a while. I mean really, Dave... get a grip. Seriously. Not to mention that my primary email address is [EMAIL PROTECTED] But you know, feel free to block me if you like. All the less stuff for me to worry about. ;) hehe.

Here's a revolutionary little idea... if you don't like spam and email worms... how about (gasp) installing SpamAssassin and some antivirus software. :-P

--Cliff
Re: Replacing an SSL certificate
On Thu, 18 Dec 2003, Huw Jenkins wrote:
> I've just replaced an SSL certificate (on a Mac OS 10.2 machine) and restarted apache however it's still not recognising the new certificates (still seeing the old one). I've not been asked for the passphrase either. What's the command for getting apache to re read the SSL certificates?

What kind of restart did you do? Try stopping and starting again rather than doing a plain restart or a graceful restart.

--Cliff
Re: Problems with Apache SSL under load
On Thu, 11 Dec 2003, Andreas Gietl wrote:
>> [Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar1
>> [Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/navbar2
>> [Thu Dec 11 06:00:00 2003] [error] [client ] (11)Resource temporarily unavailable: couldn't spawn child process: /usr/local/apache/sslcgi/register.cgi
>
> for executing a cgi apache has to fork a new child process. But forking seems to fail. Maybe because of an RLIMIT_NPROC you have on your apache or because the server has reached a total process limit.

Yes, I concur, this sounds like the most likely cause.

--Cliff
Re: Apache warning: Connection refused: connect to listener
On Mon, 29 Sep 2003, Alex Hart wrote:
> I just installed Apache/2.0.47 (Unix) mod_ssl/2.0.47 OpenSSL/0.9.7b in my server (freebsd 4.8) and everything seems to be working fine. I have apache configured to serve both secure and insecure pages. However, I keep getting the following line in my error log file (thousands of times):
>
> [Wed Sep 24 12:51:15 2003] [warn] (61)Connection refused: connect to listener
>
> I have thousands of these warnings now in just a couple of days. I can't figure out any pattern to them. I get this warning even when I don't have any activity going on with the web server. It also happens if I don't have any SSL virtual hosts set up. I notice no problems with any web pages, secure or not. When I recompile apache without mod_ssl, the warning goes away. I've scoured the Internet but I can't find a thing about this warning. Does anyone have any idea about why this is happening?

Okay, here's a couple of things for you to check on to help me track down what's going on (I'm cc'ing [EMAIL PROTECTED] in case anybody else has guesses).

1) Is your server compiled with -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT?

2) Which MPM are you using?

You can find out the answers to both of these by running ./httpd -V from /usr/local/apache2/bin or wherever your httpd binary is installed. For example:

[EMAIL PROTECTED]:/root/apache/test/bin# ./httpd -V
Server version: Apache/2.1.0-dev
Server built: Aug 12 2003 16:43:24
Server's Module Magic Number: 20030213:1
Architecture: 32-bit
Server compiled with
 -D APACHE_MPM_DIR=server/mpm/worker
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D HTTPD_ROOT=/root/apache/test
 -D SUEXEC_BIN=/root/apache/test/bin/suexec
 -D DEFAULT_SCOREBOARD=logs/apache_runtime_status
 -D DEFAULT_ERRORLOG=logs/error_log
 -D AP_TYPES_CONFIG_FILE=conf/mime.types
 -D SERVER_CONFIG_FILE=conf/httpd.conf

Thanks,
Cliff
Re: ap_http_method(r) not working
On Thu, 25 Sep 2003, Ken Kittlitz wrote:
> #define ap_http_method(r) (((r)->ctx != NULL && ap_ctx_get((r)->ctx, "ap::http::method") != NULL) ? ((char *)ap_ctx_get((r)->ctx, "ap::http::method")) : "http")
>
> always returns the default "http". ap_default_port suffers a similar problem. The Apache I'm running is a 1.3 version obtained from an 'apache-ssl' Debian package. It handles HTTPS request just fine, but you'd never guess that from calling ap_http_method :-/ The binary's compile settings are below. Any help would be appreciated. Thanks!
>
> /usr/sbin/apache-ssl -V
> Server version: Apache/1.3.27 Ben-SSL/1.48 (Unix) Debian GNU/Linux
> Server built: Jun 26 2003 16:53:19
> Server's Module Magic Number: 19990320:13
> Server compiled with
>  -D EAPI
>  -D HAVE_MMAP
> ...

Why in the world would Debian ship an Apache-SSL package with EAPI support??? Maybe it's for backward binary compatibility with an older Debian distro that used mod_ssl?

Anyway, certainly the reason this is not working right is that Apache-SSL (aka Ben-SSL) (as opposed to mod_ssl, which is the one supported by this mailing list) does not use EAPI at all, so it would not be calling the appropriate EAPI hooks at the right time to get those ctx variables set. Start from scratch with a stock Apache build (and get 1.3.28 while you're at it), and install mod_ssl from www.modssl.org. Then your EAPI will work right.

--Cliff
Re: configuration question
On Wed, 20 Aug 2003, Henrik Bentel wrote:
> Now, all my ssl configuration is under my secure virtual host, such that it applies to everything. However, I have quite a bit static content (images, css, javascript, ...) which doesn't need to be very secure. I somewhat only want to secure my dynamic content.

If I understand your question correctly, what you're wanting is to have some web page that's served up with https, but to have the images on that page be served by regular http. You could do that, but every browser I know of will throw a security warning in that case. You can't mix secure and non-secure content in the same document.

Does that answer your question?

--Cliff
Re: File Acknowledgement
On Tue, 19 Aug 2003, Nauman, Ahmed [IT] wrote:
> How can we know at server side in apache that a GET or PUT request has been received and it was failed or successful? Can we get somehow the response code so that some script and/or tool at Server side can delete/archive the file which have been retrieved by the client in some specific folders? Is there any industry standard for such file acknowledgement.

If it were me, I'd just write a CGI script to do this... as for how you know for certain that the client received the entire response, that's a bit tricky. The http response code (even if it's 200 OK) doesn't tell you what happened on the client end. The client never sends an acknowledgement response code. Apache internally knows whether it finished sending or not, but it's hard to get at that information except by directly accessing the internal structures from a module. Perhaps the easiest way is to have the client request some other URL after it gets the full document (javascript redirect?), and have that second URL be your acknowledgement and trigger to delete the file.

--Cliff
Re: configuration question
On Tue, 19 Aug 2003, Eric Rescorla wrote:
> Dave Paris [EMAIL PROTECTED] writes:
>> In addition to Owen's salient points about compression working efficiently on repetitive strings in plaintext/binary data (e.g. whitespace in a Word document) and not on random data (e.g. encrypted data), some encryption algorithms can actually be weakened by compressing the resulting data, giving a cryptanalyzer clues to the inner workings of the algorithm.
>
> No reasonable encryption algorithm will be weakened this way.

I agree. I'm guessing what he meant is that some encryption algorithms are weakened if their /input/ is pre-compressed by some known algorithm. If the cleartext is in some known format, it might possibly be easier to recover it from the ciphertext.

--Cliff
Re: configuration question
On Wed, 20 Aug 2003, Arthur Chan wrote:

> But I want Netscape to load my certificate as an Authority for our testing purposes. How does one go about doing that, both in Netscape and MSIE5?

Google knows everything... an "I'm feeling lucky" for "installing CA certificate" yields:

http://www.pseudonym.org/ssl/ssl_ca.html

which explains how to do just that.

--Cliff
Re: FRUSTRATION : SSL throws SSL23_GET_SERVER_HELLO error
On Fri, 8 Aug 2003, Arthur Chan wrote:

> [ssl] # openssl s_client -connect localhost:443 -state -debug
>
> still throws this sticky error:
>
> SSL_connect:error in SSLv2/v3 read server hello A
> 1565:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:

You have multiple problems conspiring against you here.

Problem #1: your OpenSSL doesn't have the error messages loaded, so you're getting a rather non-descriptive error message. No big deal, it just means you have to look harder to find out what the error means.

Problem #2: SSL23_GET_SERVER_HELLO:unknown protocol: - now I bet if you looked at the debug dump you'd see something very similar to:

  - 3c 21 44 4f 43 54 59   <!DOCTY

which was mentioned in one of those links the other guy sent you. It's telling you that that's what it received from the server. You'll notice that <!DOCTY is the first few bytes of a standard HTML page, unencrypted. So this tells you that your web server is in fact speaking plain HTTP on port 443 rather than HTTPS. You probably do not have SSLEngine on for that virtual host.

Problem #3: You mentioned trying to get name-based vhosts to work with SSL. You must realize that this doesn't work right in the general case. Please see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#vhosts2 .

Hope this helps.

--Cliff
Re: building shared libraries with OpenSSL
On Tue, 17 Jun 2003, Percy Rotteveel wrote:

> I've read your article regarding building shared libraries with OpenSSL (http://www.mail-archive.com/[EMAIL PROTECTED]/msg15745.html). The instructions are very clear and very helpful. When I execute make build-shared, I get the following error message:
>
> ld: fatal: relocations remain against allocatable but non-writable sections
> collect2: ld returned 1 exit status
> *** Error code 1
> make: Fatal error: Command failed for target `do_solaris-shared'
>
> Do you have any clue what is wrong and how to solve it? In advance, thank you so much!
>
> With kind regards,
> Percy

I've had somebody else running Solaris report the same thing to me. Unfortunately I've not had any experience building OpenSSL on Solaris... I've only done it on Linux. Maybe somebody else on the modssl-users list has, so I'm cc:ing this to the list...

--Cliff
Re: Vitual Hosts not working with SSL
On Sun, 8 Jun 2003, ComCity wrote:

> I'm very confused about the Virtual Host configuration in Apache 2.0... stuff that used to work seems like it doesn't, and I gotta think that's because I don't know what I'm doing. ;)

Can you be more specific about what it's (not) doing? Other than the fact that the snippet you sent in omitted certain important SSL directives (which are probably present elsewhere in your config file if it worked under Apache 1.3), the config looks okay to me, at least in terms of NBVH vs. IPBVH.

--Cliff
Re: Possible mod_ssl bug (ssl_io_input_read)
On Fri, 6 Jun 2003, Barry Brachman wrote:

> I am developing a new Apache 2.0 module and I have encountered what I think to be a bug in mod_ssl. I have been unable to find any reports of a similar problem. I think this is because I am using AP_MODE_SPECULATIVE, which is

I have forwarded this on to [EMAIL PROTECTED], which is where development discussions for mod_ssl for Apache 2.0.x occur. I'll try to forward back any relevant replies if I have time, but I suggest you subscribe to that list to listen for them yourself.

Thanks for your report!

--Cliff

---
Cliff Woolley
[EMAIL PROTECTED]
Apache HTTP Server Project
Re: Possible mod_ssl bug (ssl_io_input_read) (fwd)
-- Forwarded message --
Date: Fri, 06 Jun 2003 17:59:50 -0700
From: Justin Erenkrantz [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: Possible mod_ssl bug (ssl_io_input_read) (fwd)

The suggested API change to char_buffer_read is incorrect. The filter_ctx should not be passed to char_buffer_read.

The possibility I'd propose is just to set buffer->length to 0 when it is exhausted and keep buffer->value unchanged in this case (it's overwritten on char_buffer_write, so it will not append to the old buffer - its value is inconsequential once its length is 0). The AP_MODE_SPECULATIVE case in ssl_io_input_read could easily be modified to handle this by not adjusting buffer->value. That seems like it should solve the problem and do it in a cleaner fashion (and save cycles!).

Yet, I wonder why AP_MODE_SPECULATIVE is being used. Its purpose is very narrow - it should only be used to support HTTP pipelining and only asking for one byte. Only connection-level filters will implement this mode - so any request-level filter transformations won't be applied (i.e. mod_deflate if the request body is inflated). If you want to intercept the read data, then it needs to be an input filter, not an AP_MODE_SPECULATIVE call.

-- justin
Re: httpsd doesn't start
On Thu, 13 Mar 2003, Mike Burkhouse wrote:

> I stop httpd and run apachectl startssl with no complaints, but only httpd starts, not httpsd, and nothing gets logged. I have no idea how to track down what has gone wrong. Can anyone offer any suggestions where to look?

There's no such thing as httpsd under Apache 2.0.x. That's an Apache-SSL-ism, and Apache2 uses mod_ssl. HTTP and HTTPS are served by the same daemon process(es).

--Cliff
Re: Help on Apache 2.0.43 + SSL installation
I'm cc:ing the users list so that the response is in the archives in case anyone else has a similar problem.

On Sat, 8 Mar 2003, Kitty Ko wrote:

> How are you? I read across one of your email replies on building shared libraries with OpenSSL on the internet, and that's how I got your email address. I have encountered problems while installing SSL + APACHE. I am wondering if you can give me some hints.
>
> I have successfully completed installing Tomcat 4.0.6 + Apache 2.0.43 on the Unix box. But I can't get SSL installed. FYI, I build apache and openssl from source. After I extracted the openssl-0.9.7, I did the following:
>
> # cd openssl-0.9.7
> # ./config --prefix=/depot/ssl/install --openssldir=/depot/ssl/install/openssl
> # make
>
> However, once I get into make build-shared, I got the following errors:
>
> ld:fetal: relocations remain against allocatable but non-writable sections
> colletc2: ld returned 1 exit status
> make: ***[do-solars-shared] Error 1
>
> My questions are:
>
> 1. how to fix this compile error

Hmmm... well honestly I'm not all that familiar with linker problems on Solaris. I have heard a number of people report problems getting the shared library build of openssl to work on Solaris, though that's about as much insight as I can offer. The option to use both a static openssl and a static mod_ssl remains, of course, and at this point sounds like your best option.

> 2. how do i know if I compiled mod_ssl statically or dynamically?

httpd -l will list all the statically-compiled modules.

> I build the apache by the following command:
>
> # ./configure --with-layout=Apache --prefix=/depot/apache2 --enable-mods-shared=most --enable-ssl=shared
                                                                                                    ^^^

...though this right here tells me you've built it as shared, since that's what that means. :)

--Cliff
Re: HTTPS environment variable is set after .htacces is parsed
On Mon, 10 Mar 2003, Domenico Andreoli wrote:

>> order deny,allow
>> deny from all
>> allow from 127.0.0.1
>> SSLRequireSSL
>
> after some thinking about it, i see your answer is not suitable for my needs. indeed, yours mandates the use of SSL, while mine allowed access from localhost *or* SSL.

Okay then, do this:

order deny,allow
deny from all
allow from 127.0.0.1
SSLRequireSSL
Satisfy any

--Cliff
Re: shmcb access violation with openssl 0.9.6i
I've passed this on to the apache dev list.

--Cliff

On Tue, 4 Mar 2003, Edward Wong wrote:

> Hello All,
>
> I've been able to consistently reproduce a GPF on Apache service shutdown using OpenSSL 0.9.6i and Apache 2.0.44. Swapping to an older version of OpenSSL (0.9.6g) resolved the GPF.
>
> To reproduce, simply download and build OpenSSL 0.9.6i and Apache 2.0.44. Be sure to configure ssl to use the shmcb ssl session caching. Launch apache as a service and browse to the server using SSL. Then try to stop the apache service. During shutdown, Apache will GPF. Oddly, if you don't browse to the webserver using SSL, Apache will not GPF on shutdown.
>
> If it helps, the call stack looks as follows:
>
> NTDLL! 77f51baa()
> NTDLL! 77f7561d()
> apr_file_write(apr_file_t * 0x005e91c8, const void * 0x0006dd6c, unsigned int * 0x0006dd58) line 316
> apr_file_puts(const char * 0x0006dd6c, apr_file_t * 0x005e91c8) line 441
> log_error_core(const char * 0x6fd1d948, int 117, int 4, int 720006, const server_rec * 0x00602700, const request_rec * 0x, apr_pool_t * 0x, const char * 0x6fd1d924, char * 0x0006fdd0) line 543
> ap_log_error(const char * 0x6fd1d948, int 117, int 4, int 720006, const server_rec * 0x00602700, const char * 0x6fd1d924) line 561 + 37 bytes
> ssl_mutex_on(server_rec * 0x00602700) line 118 + 28 bytes
> ssl_scache_shmcb_remove(server_rec * 0x00602700, unsigned char * 0x00689dd8, int 32) line 476 + 9 bytes
> ssl_scache_remove(server_rec * 0x00602700, unsigned char * 0x00689dd8, int 32) line 158 + 17 bytes
> ssl_callback_DelSessionCacheEntry(ssl_ctx_st * 0x00645240, ssl_session_st * 0x00689d90) line 1722 + 17 bytes
> timeout(ssl_session_st * 0x00689d90, timeout_param_st * 0x0006fe6c) line 602 + 18 bytes
> lh_doall_arg(lhash_st * 0x006453d0, void (void)* 0x1001a516 timeout(ssl_session_st *, timeout_param_st *), void * 0x0006fe6c) line 290 + 13 bytes
> SSL_CTX_flush_sessions(ssl_ctx_st * 0x00645240, long 0) line 619 + 18 bytes
> SSL_CTX_free(ssl_ctx_st * 0x00645240) line 1259 + 11 bytes
> ssl_init_ctx_cleanup(modssl_ctx_t * 0x0064ef68) line 1197 + 21 bytes
> ssl_init_ctx_cleanup_server(modssl_ctx_t * 0x0064ef68) line 1213 + 9 bytes
> ssl_init_ModuleKill(void * 0x0030c458) line 1249 + 12 bytes
> run_cleanups(cleanup_t * * 0x0030a5d0) line 1976 + 13 bytes
> apr_pool_destroy(apr_pool_t * 0x0030a5c0) line 755 + 12 bytes
> apr_pool_destroy(apr_pool_t * 0x00308588) line 752 + 12 bytes
> destroy_and_exit_process(process_rec * 0x00308618, int 0) line 247
> main(int 3, const char * const * 0x003024a8) line 658 + 11 bytes
> mainCRTStartup() line 338 + 17 bytes
> KERNEL32! 77e814c7()
>
> The error in log_error_core is:
>
> [Mon Mar 03 12:43:04 2003] [warn] (OS 6)The handle is invalid. : Failed to acquire global mutex lock.
>
> Is this a known issue? Is there something that I'm missing? Other than changing from DBM to SHMCB, I have stock conf files.
>
> Thanks in Advance,
> Edward Wong
> Connectivity Software
> Hewlett-Packard Company
Re: Illegal attempt to re-initialise SSL for server
On Sat, 1 Mar 2003, Domenico Andreoli wrote:

> CUT HERE --
> # ...
> SSLEngine on
> SSLCertificateFile /etc/apache/ssl.crt/server.crt
> SSLCertificateKeyFile /etc/apache/ssl.key/server.key
>
> <VirtualHost _default_:*>
> </VirtualHost>
> # ...
> CUT HERE --

It ought to look like this:

<VirtualHost foo:443>
SSLEngine on
SSLCertificateFile ...
SSLCertificateKeyFile ...
</VirtualHost>

Note that your use of the certificate and key across all virtual hosts, whether by putting it in the server-wide config or by putting it in <VirtualHost _default_:*>, won't generally work. Your clients will get errors when they try to browse to your site if the hostname doesn't match the one stored in the certificate, for example. You should have a different certificate/key pair for every hostname on which you wish to run SSL. And of course each of those virtual hosts needs to be on a unique IP:port pair--no name-based virtual hosting.

--Cliff
Re: Illegal attempt to re-initialise SSL for server
On Sat, 1 Mar 2003, Domenico Andreoli wrote:

> ps: may i quote your message? i'd like to include your reply to who reported the original problem (debian bug report #169083).

Sure! It's a public list after all. :)

--Cliff

-
Cliff Woolley
Apache HTTP Server Project
Apache Software Foundation
Re: HTTPS environment variable is set after .htacces is parsed
On Sat, 1 Mar 2003, Domenico Andreoli wrote:

> dunno, bug submitter used it. shouldn't it work anyway?

Environment variables are, as a rule, set late in the process because the use of them has a relatively large performance penalty. They're really only there for communicating with CGI scripts and the like.

--Cliff
Re: RSA WebAgent5.1 and Apache 1.3.26 not 1.3.27?
On Tue, 18 Feb 2003, Ron Rough wrote:

> I would like to get the technical reason for this. I know of someone who installed the WebAgent.tar file from your web site and it worked with the latest versions of Apache and mod_ssl.

WebAgent.tar would have been downloaded from http://www.rsasecurity.com/go/apacheagent/, not from http://www.modssl.org/. If you're having a problem with WebAgent, contact RSA, not the mod_ssl group.

--Cliff
Re: SSL Pass Phrase
On Thu, 20 Feb 2003, Glenn E. May wrote:

> I recently installed mod-ssl on a new web server. Unfortunately, in my haste to get the machine up and running, I cannot remember the pass phrase that I used. I have tried making a de-install and re-installing, however I am unable to bypass this.

When you reinstall, it leaves your old private key/certificate in place intentionally (it would suck to have them be overwritten! :). If you want to delete them and start over, you have to do it yourself. Delete the ssl.* subdirectories of your Apache conf directory and redo the entire generate-private-key-then-get-certificate process from scratch.

Of course you realize that if you already bought a real certificate from a CA to go with your old private key that you're going to have to get a new one (and different CAs have different reissue policies).

--Cliff
Re: How to run apache in https only ?
On Sun, 23 Feb 2003, Jay Moore wrote:

> I want to run Apache so it responds only to https on port 443; http requests are to be simply ignored. I thought I knew how to do this, but then read something about using mod_rewrite which gave me a headache. Is there a simple how-to describing how to run your server so it responds only to https over port 443?

Sure. See the SSLRequireSSL directive.
Re: SSL_connect:error
On Fri, 21 Feb 2003, sleek wrote:

> SSL_connect:SSLv2/v3 write client hello A
> read from 0808D4C0 [080A6000] (7 bytes = 7 (0x7))
> - 3c 21 44 4f 43 54 59   <!DOCTY
> ^

Because your server is speaking http, not https. Make sure the SSLEngine is turned on for your ssl vhost.

--Cliff
Re: Multiple SSL VirtualHosts in apache
On Wed, 5 Feb 2003, Steve Pirk wrote:

> They all use the same cert file, but are on different ports.

I'm not so sure you can do that. But anyway, assuming for a second that you can:

> The problem I am running into is that only the first VirtualHost works. Requests to subsequent ports result in a mod_ssl:error:HTTP-request error. Here is the error_log entry:

Interesting. What version of Apache is this? If 1.3.x, what version of mod_ssl? The mod_ssl:error:HTTP-request thing is supposed to be purely internal; if it ever leaks out to the client, something is screwed up. I found some odd cases a while back where you could set up redirections in an odd way and it would do that, but I've forgotten the details and would have to dig them up. What redirects are you doing? Any RewriteRules?

--Cliff
Re: mass ip virtual host mod_ssl?
On Wed, 19 Feb 2003, Ray a PowerWeb Tech wrote:

> but some of the domains have SSL, and it doesn't seem like this will cover it as is. how do i set up a folder for keys that will be used? ie /www/certs/%0.key or does it automagically pick the correct key for the ip/domain? i'm hoping to get it so that by dropping files into the correct places, our customer will be able to add/remove domains without having to have the ability to restart apache (as it's on windows, he would need nearly total control of the machine to do this)

Nope, sorry, you can't do that. You have to have real virtual hosts set up for each SSL vhost; mod_vhost_alias won't cut it. That's not to mention the fact that changing or adding SSL keys/certs requires restarting Apache anyway to reinitialize OpenSSL.

--Cliff
Re: Select non-SSL'ing
On Fri, 31 Jan 2003, Cory 'G' Watson wrote:

> I have the disallowing of HTTP fixed, but I can't find a way to ALLOW http for the directories I need. I've searched the archives and googled pretty hard, but not found what I am looking for.

I'd think some creative uses of RewriteRules could get you what you want pretty easily.

--Cliff
Re: Can't get to Https but http://address:443 works?????
On Fri, 31 Jan 2003, Vince Montuoro wrote:

> i can't get back to https://theaddress, only http://theaddress:443 works???

You probably don't have SSLEngine on in your SSL vhost. Right now, the client and server are both speaking HTTP, not HTTPS... the fact that it's over port 443 and not port 80 is irrelevant.

--Cliff
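The three threads above (SSL23_GET_SERVER_HELLO:unknown protocol, the 3c 21 44 4f 43 54 59 / <!DOCTY debug dump, and http://address:443 working while https does not) all come down to the same misconfiguration: a listener on 443 that answers a TLS ClientHello with plain HTTP because SSLEngine is off for that vhost. The probe below is an added example, not code from the list or from Apache; it sends a minimal ClientHello and classifies the first bytes that come back, which is the same diagnosis Cliff makes by reading the s_client dump. The host and port passed to probe() are assumptions, and the sample replies in the main block are constructed.

```python
"""Tell whether a listener on a port speaks TLS or plain HTTP.

Added example for the modssl-users threads above; not code from the list or
from Apache. It mimics what `openssl s_client -connect host:443 -debug` shows
when SSLEngine is off for a vhost: the server answers the ClientHello with an
unencrypted HTML page whose first bytes are 3c 21 44 4f 43 54 59 ("<!DOCTY").
"""
import os
import socket
import struct
from typing import Tuple

TLS_HANDSHAKE = 0x16   # record content type: handshake (a ServerHello arrives in one)
TLS_ALERT = 0x15       # record content type: alert (TLS is spoken, but the hello was refused)


def build_client_hello() -> bytes:
    """Build a minimal TLS 1.2 ClientHello: one cipher suite, no extensions.

    Deliberately bare: its only job is to make the listener reveal whether
    it speaks TLS at all, not to complete a usable handshake.
    """
    body = struct.pack("!H", 0x0303)            # client_version = TLS 1.2
    body += os.urandom(32)                      # client random
    body += b"\x00"                             # session_id: empty
    body += struct.pack("!HH", 2, 0x002F)       # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                         # compression_methods: null only
    body += struct.pack("!H", 0)                # extensions: none
    # Handshake header: msg_type 1 (client_hello) followed by a 24-bit length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type, legacy version 3.1, 16-bit length.
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def classify_response(first_bytes: bytes) -> str:
    """Name what a listener sent back in reply to a ClientHello.

    Returns one of "tls-handshake", "tls-alert", "plaintext-http",
    "no-data" or "unknown".
    """
    if not first_bytes:
        return "no-data"                 # closed or silent: proves neither protocol
    kind = first_bytes[0]
    major = first_bytes[1] if len(first_bytes) > 1 else 0
    if kind == TLS_HANDSHAKE and major == 0x03:
        return "tls-handshake"           # a ServerHello: the port really speaks TLS
    if kind == TLS_ALERT and major == 0x03:
        return "tls-alert"               # TLS, but our bare hello was rejected; still TLS
    head = first_bytes.lstrip().upper()
    # Apache speaking plain HTTP treats the binary hello as a bad request and
    # answers with either a bare HTML error page (the "<!DOCTY" of the old
    # s_client dumps) or a full "HTTP/1.x 400 Bad Request" response.
    if head.startswith((b"<!DOCTY", b"<HTML", b"HTTP/")):
        return "plaintext-http"
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, bytes]:
    """Connect, send the bare ClientHello and classify the first reply bytes.

    Needs network access; host and port are whatever server you administer.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            data = sock.recv(64)
        except socket.timeout:
            data = b""
    return classify_response(data), data


if __name__ == "__main__":
    # Constructed samples standing in for real replies, so this runs offline.
    samples = {
        "SSLEngine off (old Apache, HTTP/0.9-style reply)": bytes.fromhex("3c21444f4354595045"),
        "SSLEngine off (newer Apache)": b"HTTP/1.1 400 Bad Request\r\n",
        "SSLEngine on": bytes.fromhex("160303004a020000"),
    }
    for label, reply in samples.items():
        print(f"{label:50s} -> {classify_response(reply)}")
```

Run probe("your.host", 443) against a vhost you administer; "plaintext-http" is the SSLEngine-off case, while "tls-alert" still means the port speaks TLS and only disliked the bare hello.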
Re: Apache-SSL vs mod_ssl
On Wed, 22 Jan 2003, rmck wrote:

> Whats the benefit of mod_ssl compared to Apache-SSL???

Bells and whistles that you may or may not need. Suggest you look over the list of supported configuration directives for each to see which one better fits your site. Note that Apache 2.0 includes mod_ssl as part of the standard distribution.

--Cliff
Re: building shared libraries with OpenSSL
On Thu, 9 Jan 2003, Tai Do wrote:

> I'm trying to get Apache2 working on Solaris 8. I have the following error and saw that your answer on the mailing list works. I was wondering if you can help me out with it because I'm not too sure what to do.
>
> Syntax error on line 234 of /usr/local/apache2/conf/httpd.conf:
> Cannot load /usr/local/apache2/modules/mod_ssl.so into server: ld.so.1: /usr/local/apache2/bin/httpd: fatal: relocation error: file /usr/local/apache2/modules/mod_ssl.so: symbol X509_INFO_free: referenced symbol not found.
>
> Here is the answer you posted:
>
>> Yes, it's a fairly frequently asked question. The problem is that you've built a shared mod_ssl against a static OpenSSL (ie, libssl.a and libcrypto.a instead of .so). That won't work because the way the build system currently works, OpenSSL is linked into httpd, not mod_ssl. httpd doesn't need the symbols from the OpenSSL libraries, so the static linker throws them away, meaning they're no longer available when mod_ssl is dynamically linked at runtime. Solution: use a shared OpenSSL.
>
> I was wondering how I use a shared OpenSSL. I was wondering if you can point me to where I can find steps to do this or show me how.

I'm CC:'ing this to the modssl-users list, since I'm sure somebody else out there probably has the same question.

It's kind of annoying, because the shared library support in OpenSSL is experimental, which in practice just means that the Makefile is non-intuitive. I just ran through it again to make sure I got all the steps right... here's what you do. I'm going to assume that you have the static version of OpenSSL installed in /usr/local/lib in this example... just fix the path to match where OpenSSL gets installed on your machine.

So let's say you've installed OpenSSL previously, but it's the static version, so you have /usr/local/lib/libssl.a and /usr/local/lib/libcrypto.a . Remove those.

Go back to the OpenSSL source directory and do the following:

  ./config
  make
  make build-shared
  mv libssl.so* /usr/local/lib
  mv libcrypto.so* /usr/local/lib
  ldconfig

(note: do NOT run make install, or it will remove all your shared libraries and install the static ones, and you'll have to start over again. :-)

That ought to do it. I recommend doing a search on your filesystem for other, older copies of libssl* and libcrypto* that might be hanging around, as sometimes copies get put in strange places and you want to be sure to only have one: the most recent.

Hope that helps...

--Cliff
Re: Spurious SSL handshake interrupt
On Mon, 6 Jan 2003, Raj Mettai wrote:

> I am running apache 2.0.39 with mod_ssl module on solaris 8, connected to tomcat 4.1.12. I am getting lots of "Spurious SSL handshake interrupt" errors in ssl_error.log file. All my https calls have become drastically slow. Any clues on this error please, it's a production website...
>
> [Mon Jan 06 13:09:36 2003] [error] Spurious SSL handshake interrupt [Hint: Usually just one of those OpenSSL confusions!?]

I don't remember for sure because it's been a while, but I want to say that something related to this message was fixed in mod_ssl after 2.0.39 was released. 2.0.44 should be coming out sometime soon... give that one a try when it's released and let me know if you still see the problem.

--Cliff
Re: A bug in table_adjust function that causes a core dump
On Thu, 5 Dec 2002, Bernd Steinert wrote:

> on November 11 Kirill Shirkov reported a bug in the table_adjust function that causes core dumps. He described how the core dumps can be reproduced. Some colleague of mine confirmed this behaviour.

I must have missed the patch... can someone repost it for me (and CC: me and Ralf on it), and put [PATCH] at the beginning of the subject line of the message.

> 1. Is Shirkov's code change going to be integrated in the official code?

Sure... I just need a copy of it.

> 2. When can some fix be expected in CVS?
> 3. When can it be expected to be seen in some official release?

I can handle the commit to the 2.0.x series... but it's up to Ralf to have it incorporated into the next release for 1.3.x.

Thanks,
Cliff
Re: how to add multiple SSL cert for each virtual host?
On Tue, 3 Dec 2002, Dave Paris wrote:

> Not only is it not possible

With the current state of the SSL protocol such as it is, this is correct-- it's not possible.

> it'd be a HUGE security flaw if it WERE possible.

Well, not necessarily... all that you would need is for the client to tell the server which host it *thought* it was contacting, and then the server would know which vhost to serve the request with and therefore which certificate to present. That would require the SSL protocol to have the equivalent of HTTP's Host: header. From there, as long as the certificate can be verified as authentic, there's no more risk than there would be if there was a one-to-one mapping between IP and hostname as the current SSL protocol requires.

> But please, people, this is SUCH a frequently asked question. Definitely one of the top three. I wonder if we can't find a better way to document this? Anyone have any ideas?

I'd say un-hiding it from the FAQ page would be a good start... it's a prominent question, give the answer a more prominent location.

--Cliff
distributing encryption software (fwd)
Because so many of you have asked, here is the answer.

--Cliff

-- Forwarded message --
Date: Sat, 19 Oct 2002 02:56:40 -0700
From: Roy T. Fielding [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: distributing encryption software

Ryan asked for a clarification about whether or not we have the ability to redistribute SSL binaries for win32.

Last year, the board hired a lawyer to give us an opinion on whether we can distribute encryption software, or hooks to such software. The exact opinion we got back is, unfortunately, not online, but it is essentially the same (with less detail) as the one given to Debian and visible at http://debian.org/legal/cryptoinmain.

Basically, we have the right to distribute encryption software in source or executable form if we also distribute that same software as open source for free to the public, provided we first notify the U.S. authorities once per new encryption-enabled product. This is sufficient for Debian because they distribute the source code to everything in Debian within a single repository.

Note, however, that we do not do the same for OpenSSL. Not only is OpenSSL not in our CVS, but it isn't normally distributed by us at all, and the authors of OpenSSL aren't likely to want us to distribute it because doing so pollutes the recipients' rights with U.S. crypto controls whereas they could simply grab the same distribution from the origin and not be polluted.

I think that Bill Rowe at one point requested that we seek out a lawyer's opinion on this specific matter, but that was not followed through by the board because we already know the legal aspects. The issue isn't legal -- it is social. We can download a released version of OpenSSL, compile it, and make both available from our website provided we first notify the BXA as described in the Debian opinion above.

However, it is still preferable for our users to get the DLL themselves, from a distribution outside the U.S., and avoid having to maintain our distribution of OpenSSL up-to-date. I think a reasonable and defensible compromise would be to make it part of the win32 installation script -- to select no SSL or, if SSL is selected, to guide/automate the user in downloading an appropriate DLL from some other site. Besides, that would allow the user to pick some other SSL library, such as one of the optimized ones available commercially that may already be installed on their system. There is such a thing as being too concerned about ease of installation.

Finally, it should also be noted that the exception for Apache ONLY applies to non-commercial distributions. Any commercial distribution, even if it is simply Apache slapped onto a CD and sold for a buck, remains subject to the old US export controls that everyone hates, and must be approved via a separate process.

Roy
Re: apache core
On Wed, 16 Oct 2002, Lance Uyehara wrote:

> I am running apache 1.3.22 and mod_ssl-2.8.5-1.3.22, and have had a few cores recently. They all have the same backtrace:

You're probably being probed by the openssl worm. You need to upgrade to all the latest versions, as there are a number of remotely exploitable flaws in the versions you have.

--Cliff
Re: This combination is *NOT* officially supported
On Tue, 1 Oct 2002, hunter wrote:

> This code segment is from mod_ssl...

Correct.

> I have enabled SSL on only one of my Windows boxes. It has never logged this message but the version is Apache 2.0.40 - OpenSSL 0.9.6g.

...mod_ssl is integrated into Apache 2. mod_ssl is not officially supported on Apache 1.3 on win32. mod_ssl *is* officially supported on Apache 2.0 on win32. And under 1.3, it's not that it won't work, it's just that the author (Ralf) makes no guarantees that it will. :) It's that simple.

--Cliff
Re: Crypto Export restrictions (was: Apache_1.3.26-Mod_SSL_2.8.10-OpenSSL_0.9.6g-Win32.zip)
On Wed, 25 Sep 2002, Ken C wrote:

> From what I've seen a permit may be required, for export / downloads to non-US locations. Hosting servers may need to have the ability to deny downloads to locations that shouldn't have it. (don't ask me, I'm just reading this stuff) While it has relaxed, it still appears to be full of red tape.

That sounds about like my understanding, yeah. Note also that the rules for binary distributions are different from those of source distributions for some reason. Sheesh.

--Cliff
Re: Apache_1.3.26-Mod_SSL_2.8.10-OpenSSL_0.9.6g-Win32.zip
On Wed, 25 Sep 2002, hunter wrote:

> My server is managing and there have been fairly frequent downloads -- I am not concerned yet. I will have to remove the files if it looks as though I will exceed my upload limit. My original concerns are probably unwarranted.

Why not just upload it to the contrib area at modssl.org?

--Cliff
[ATTN RALF] Re: Apache_1.3.26-Mod_SSL_2.8.10-OpenSSL_0.9.6g-Win32.zip
On Wed, 25 Sep 2002, hunter wrote:

> I am open to any suggestions. I sent Ralf a note but he has not replied. I should have sent a note to you ... :-)

I don't have any more access to modssl.org than you do, unfortunately... :-/ If it were apache.org, that would be another matter. But there's a reason we can't distribute crypto binaries from apache.org -- if we could, we would. Guess we wait for Ralf to check up on the contrib area.

Thanks,
--Cliff
Re: Apache_1.3.26-Mod_SSL_2.8.10-OpenSSL_0.9.6g-Win32.zip
On Wed, 25 Sep 2002, Ken Campney wrote:

> If you'd like, I'd be more than happy to host the file for download on my network

If you're in the states, you have to watch out for export restrictions... other than that, fine by me. :)

--Cliff
Re: Version number
On Fri, 20 Sep 2002 [EMAIL PROTECTED] wrote:

> > I've just upgraded OpenSSL 0.9.6d to 0.9.6g on FreeBSD, but Apache says that it's running OpenSSL 0.9.6a! Where is this version number and how to change it?
>
> To get it right, you should recompile apache and php to show the correct version numbers. I've had the same problem and that's how I fixed it.

Just to be absolutely clear, this is not just a matter of showing the correct version number. If it shows the wrong version number, that's because that wrong version is the one actually being used by Apache!! It's probably a matter of the old version having been statically linked into Apache, so even after you upgrade OpenSSL, Apache still needs to be relinked with it.

--Cliff
Re: Apache 2.0.35 - ssl fails silently?
On Mon, 2 Sep 2002, Paul English wrote:

> I'm working with a new setup of 2.0.35 under Linux, and having

First of all, why 2.0.35 on a new setup? 2.0.36 was the first full release (back in April). 2.0.40 is the current release.

--Cliff
Re: Apache Start-up error
On Wed, 21 Aug 2002, Shah, Kishor (Kishor) wrote:

> [Wed Aug 21 09:52:02 2002] [error] Init: Failed to generate temporary 512 bit RSA private key
>
> My environment is, Solaris 2.8, Apache 2.0.40 with mod_ssl, OpenSSL 0.96g.

Try using prngd.

--Cliff
Re: version?
On Wed, 21 Aug 2002, Pandora Fawcett wrote:

> why don't i see a mod_ssl version for apache 2.039?

Because you haven't looked in the right place. mod_ssl comes bundled with Apache 2.0; it's no longer a separate product.

--Cliff
Re: Problem starting Apache (yes I have read the FAQs!)
On Tue, 20 Aug 2002 [EMAIL PROTECTED] wrote:

> The FAQ refers to the SSLRandomSeed directive; this is set in the httpd.conf file as
>
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
>
> (As I'm running on Tru64 I don't have the option of using /dev/random)

Try using prngd ... http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html

Hope this helps,
Cliff
RE: can't load /usr/local/apache2/modules/mod_ssl.so into server: /usr/local/apache2/modules/mod_ssl.so undefined symbol x509_free
On Mon, 19 Aug 2002, Venkat Reddy Valluri wrote:

> As you told I checked the directory /usr/local/lib for libcrypto.so and libssl.so, but I found out only libcrypto.a and libssl.a, can you please let me know how to configure openssl to get these modules shared like libcrypto.so and libssl.so

Frankly it's always been a bit of a pain for me. The default Makefile doesn't seem to behave quite right. You can try this:

    make build-shared

But then you have to install them by hand because the $(SHARED_LIBS) variable has no value in the default Makefile so make install doesn't see them. Alternatively, you can edit the Makefile as follows:

--- Makefile 2002-03-17 20:03:36.0 -0500
+++ Makefile.new 2002-08-19 12:44:49.0 -0400
@@ -183,7 +183,7 @@
 LIBS= libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
-SHARED_LIBS=
+SHARED_LIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT)
 SHARED_LIBS_LINK_EXTS=.so.$(SHLIB_MAJOR) .so
 GENERAL=Makefile

and then run:

    make clean
    make
    make install

and it should just work. I think. Haven't tried it recently. :) Let me know how it goes. And if anybody else out there knows something about this that I'm missing (which is possible), please speak up. :-]

--Cliff
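Review bot: the hunk's new `SHARED_LIBS=libcrypto$(SHLIB_EXT) libssl$(SHLIB_EXT)` repeats the values already assigned to `SHARED_CRYPTO` and `SHARED_SSL` two lines above it; `SHARED_LIBS=$(SHARED_CRYPTO) $(SHARED_SSL)` would keep the three in step if the extension handling ever changes. Since the text around the hunk says the edit is untested, it would also help to say which OpenSSL release's Makefile line 183 belongs to, so readers on another release look for the variable by name rather than by position.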
Re: mod_ssl virtual hosts
On Sat, 17 Aug 2002, Ron Ridley wrote:

> Try something like this using IP based virtual hosts: Each one of your virtual hosts can have different SSL key material it points to.
>
> # This section only goes in the conf file once -
> Port 80
> ServerName domain.com
> NameVirtualHost x.x.x.x
>
> #- Domain.com -
> <VirtualHost x.x.x.x:443>

Um, if I'm following this discussion correctly, I believe this advice is mistaken. NameVirtualHost's can *NOT* be used with SSL. Every name-based vhost would in reality get the certificate of the first one listed in the config file. Please see http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#ToC47 .

--Cliff
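Cliff's point holds for the Apache versions in this thread (name-based SSL vhosts only became workable later, with SNI support in httpd 2.2.12 and newer). The lint below is added here and is not from the thread: it flags the misconfiguration he describes, several SSLEngine-on `<VirtualHost>` blocks bound to one address:port, where only the first block's certificate would be served. The sample configs are constructed (192.0.2.x documentation addresses, example.com hostnames).

```shell
#!/bin/sh
# Added example, not from the list thread. Lints an httpd.conf for the
# mistake discussed above: several SSL-enabled <VirtualHost> blocks bound
# to the same address:port, which a pre-SNI Apache can only serve with the
# certificate of the first block. The sample configs below are constructed.

# lint_ssl_vhosts <httpd.conf>
# Prints one line per address:port shared by more than one SSLEngine-on
# vhost; exit status 1 when at least one such address exists, 0 otherwise.
lint_ssl_vhosts() {
    awk '
        # opening tag: remember the address, assume non-SSL until proven otherwise
        tolower($1) == "<virtualhost" { addr = $2; sub(/>.*/, "", addr); ssl = 0 }
        tolower($1) == "sslengine" && tolower($2) == "on" { ssl = 1 }
        tolower($1) == "</virtualhost>" { if (ssl) count[addr]++ }
        END {
            bad = 0
            for (a in count)
                if (count[a] > 1) {
                    printf "%s: %d SSL vhosts share this address; only the first certificate would be served\n", a, count[a]
                    bad = 1
                }
            exit bad
        }' "$1"
}

# Constructed "before": name-based vhosts, both on one address, each with
# its own certificate. Only devl01's certificate would ever be presented.
sample_bad_conf() {
cat <<'EOF'
Listen 443
NameVirtualHost 192.0.2.10:443
<VirtualHost 192.0.2.10:443>
    ServerName devl01.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/devl01.crt
    SSLCertificateKeyFile /etc/ssl/devl01.key
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName devl02.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/devl02.crt
    SSLCertificateKeyFile /etc/ssl/devl02.key
</VirtualHost>
EOF
}

# Constructed "after": one IP address per SSL vhost, as the reply advises.
sample_good_conf() {
cat <<'EOF'
Listen 192.0.2.10:443
Listen 192.0.2.11:443
<VirtualHost 192.0.2.10:443>
    ServerName devl01.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/devl01.crt
    SSLCertificateKeyFile /etc/ssl/devl01.key
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName devl02.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/devl02.crt
    SSLCertificateKeyFile /etc/ssl/devl02.key
</VirtualHost>
EOF
}
```

Run it as `lint_ssl_vhosts /path/to/httpd.conf` in a deploy check; a non-zero exit means a certificate will silently go unused.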
Re: How to upload to contribute section ?
On Thu, 15 Aug 2002, Andre Schild wrote:

> I have binaries for apache 2.0.40 with openssl 0.9.6e.

For which OS? Just curious.

--Cliff
Re: Apache 2.039
On Thu, 8 Aug 2002, Cliff Woolley wrote:

> Upgrade to 0.9.6e.

Make that 0.9.6f, released today. :)

--Cliff
Re: Apache 2.039
On Fri, 9 Aug 2002, Cliff Woolley wrote:

> Make that 0.9.6f, released today. :)

That's what I get for not reading all of my email before responding to any of it. 0.9.6g was also released today. Sigh. :)
Re: Apache 2.039
On Fri, 9 Aug 2002, Cliff Woolley wrote:

> That's what I get for not reading all of my email before responding to any of it. 0.9.6g was also released today. Sigh. :)

I guess today was the day for releases. Apache 2.0.40 is now out as well.

--Cliff
Re: Apache 2.039
On Fri, 9 Aug 2002, R. DuFresne wrote:

> Any word on if this compiles on those older linux kernels as the previous release was a total dud in that realm?

Probably no change. But FWIW, I believe one of our developers tried it on an older kernel and it worked fine for him... if you could provide access to a box it fails on to one of the core dev team, that might help.

--Cliff
Re: Apache 2.039
On Fri, 9 Aug 2002 [EMAIL PROTECTED] wrote:

> Do you know what is different between 0.9.6b and 0.9.6e?

Among other things, there are important security fixes in 0.9.6e (for remotely exploitable bugs in 0.9.6d and earlier versions). Upgrade to 0.9.6e.

--Cliff
Re: Mod_SSL for Windows 2000/NT/XP
On Tue, 16 Jul 2002, Alex Moon wrote:

> Could the mirror sites not host the ssl enabled version as they are not in the US, as they are in the UK, Australia etc?

The way our mirroring system works, the mirrors do an rsync of www.apache.org/dist. So they can't have files on their sites that aren't on the main sites (or at least not for long), since rsync would delete those files. Additionally, it requires somebody outside the US to actually do the compiling and uploading -- and all our Win32 guys (who are committers and thus allowed to create official binaries) are in the US. :-/

--Cliff
Re: Apache Websphere application server
On Tue, 16 Jul 2002, arcean wrote:

> my problem is: i don't have the source code of the websphere plugin ... do you know a way to use mod_ssl without compiling apache, or compiling apache to perfectly support the old way DSO module ??

You'll have to either get IBM to provide you with an EAPI-compiled WebSphere DSO or set up two copies of Apache, one SSL and one non-SSL.

--Cliff
Re: Apache Websphere application server
On Tue, 16 Jul 2002, arcean wrote:

> yes, i've thought about this (when i was testing) but the point is: I need to provide HTTPS pages with WebSphere and i need to use Apache as the front server. a friend of mine has opened a ticket with IBM ... i pray to get an EAPI mod_app_server in return ...

If that doesn't work out, you can just configure it [with rewriterules or with proxypassreverse] so that the SSL-aware Apache will act as a reverse proxy for the non-SSL websphereized Apache.

--Cliff
Re: RAND function using OpenSSL 0.9.7
On Mon, 15 Jul 2002, Frederic DONNAT wrote:

> I try using OpenSSL 0.9.7 with a crypto accelerator and it works fine for asymmetric and symmetric stuff, but it fails when trying to use ENGINE random (rand engine is not used, everything is done with classic software random).

Don't you have to compile mod_ssl with SSL_EXPERIMENTAL_ENGINE or something like that? Did you do that? Or are you even talking about mod_ssl here?

--Cliff
Re: RAND function using OpenSSL 0.9.7 (A Solution)
On Mon, 15 Jul 2002, Geoff Thorpe wrote:

> > I change a function call and it works fine now. I do not know if this is the real way to solve my problem but this provides a solution. In file pkg.modssl/ssl_engine_int.c: move the ssl_init_Engine(s, p); function call before the ssl_init_SSLLibrary(); function call instead of after. In fact if you want to use ENGINE default functionalities you must set ENGINE before everything.
>
> That is not *a* solution, it is *the* solution. ssl_init_SSLLibrary() must be seeding the PRNG, and thus initialising the set-on-first-use pointer in openssl to a default RAND_METHOD. Do you want to post a patch to the list?

Well, I can't do anything about 1.3's mod_ssl, but if somebody can verify for me that the following fixes Apache 2.0's mod_ssl, I'll commit it.

--Cliff

Index: ssl_engine_init.c === RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v retrieving revision 1.102 diff -u -d -r1.102 ssl_engine_init.c --- ssl_engine_init.c 8 Jul 2002 17:43:33 - 1.102 +++ ssl_engine_init.c 15 Jul 2002 20:22:13 - @@ -266,6 +266,11 @@ } +#ifdef SSL_EXPERIMENTAL_ENGINE +/* SSL external crypto device (engine) support */ +ssl_init_Engine(base_server, p); +#endif + ssl_init_SSLLibrary(base_server); #if APR_HAS_THREADS @@ -290,13 +295,6 @@ if (ssl_tmp_keys_init(base_server)) { return !OK; } - -/* - * SSL external crypto device (engine) support - */ -#ifdef SSL_EXPERIMENTAL_ENGINE -ssl_init_Engine(base_server, p); -#endif /* * initialize the mutex handling
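Review bot: in the first hunk (@@ -266,6 +266,11 @@) ssl_init_Engine(base_server, p) now runs before ssl_init_SSLLibrary(base_server); the thread only establishes that the PRNG seeding has to come after the engine is set, so before committing it is worth confirming that ssl_init_Engine() needs nothing else that ssl_init_SSLLibrary() sets up (library or error-string initialisation), otherwise only the seeding should move, not the whole call.

Review bot: the second hunk (@@ -290,13 +295,6 @@) drops the old block together with its three-line comment, and the one-line comment the first hunk adds in its place does not say why the call must precede ssl_init_SSLLibrary(); recording Geoff's reason there (the engine must be registered before the PRNG is first seeded, or OpenSSL latches the default RAND_METHOD) would stop someone moving it back later.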
Re: Mod_SSL for Windows 2000/NT/XP
On Tue, 16 Jul 2002, Brendan Lloyd wrote:

> And last but not least: can anyone clarify what the state of Apache 2.0 is with regards to OpenSSL/mod_ssl? I've read in some places that Apache 2.0 supports/includes these, but then when I went to download the Windows binary distribution it had the suffix no_ssl?

Source distributions of Apache 2.0 include mod_ssl. Binary distributions are a different story, but only because of ambiguities surrounding the (IMHO silly) export restrictions of the US government. We know we're allowed to export *source* for strong encryption software... but whether we're able to legally distribute *binaries* of strong encryption software is unclear. So we don't.

Of course, that's more of a burden on our Windows users than on our Unix users, since the former tend to rely on binaries and the latter tend to roll their own since they tend to have the compilation tools on hand.

The solution, as has been pointed out, is that somebody outside the US contributed binaries for mod_ssl for Apache 2.0 on Win32 and uploaded them to www.modssl.org/contrib, which is physically located in Germany, as opposed to www.apache.org, which is physically located in the western US. Sigh.

--Cliff
Re: Distributed Session Cache
On Fri, 12 Jul 2002, John Milton wrote:

> How far along is the mod_ssl port to Apache 2?

Done, for all intents and purposes. AFAIK, the only big still-missing functionality is the per-directory POST renegotiations.

> Has anyone hacked up a distributed session cache?

Not that I'm aware of. But somebody out there might have one I suppose... anybody?

> Would a dbm session cache over NFS work?

Hmmm... probably not. For one thing, it would be slow. For another, files are typically not lockable over NFS. With multiple writers I'd think it would be pretty easy to corrupt the dbm. But I'm not positive. Try it and see what happens I guess.

> Did the old Apache-SSL ssl_gcache ever work as a DSC? How did ssl_gcache deal with security/integrity of the cache?

You'd probably have to ask the Apache-SSL guys on that one.

> Is this problem even worse: Does the client throw away its current session key every time it gets a different session key from the web server?

It's supposed to, yes.

> I see that there is a great deal of work on distributed shared memory (mostly for parallel computing). Has anyone put one of these solutions under mm?

Don't think so. And anyway, Apache 2.0's mod_ssl doesn't use mm.

--Cliff
Re: URGENT: need mod_ssl rpm to work with RedHat's apache_1.3.22rpm on RH6.2
On Sat, 13 Jul 2002, Shaun T. Erickson wrote:

> The problem is that this causes all the httpd processes to seg fault, which they don't, if the module isn't loaded.

It would be helpful if you could tell us *where* it was segfaulting. Please see http://httpd.apache.org/dev/debugging.html for information on how to generate a backtrace for us.

Thanks,
--Cliff
RE: trouble getting set up
On Sat, 13 Jul 2002, Jan Škola wrote:

> Yes, the problem is that you need the Win32 utilities 'awk' and 'bison'... Download them from somewhere, put them in a directory in PATH and try to compile again...

Right. See also http://apr.apache.org/compiling_win32.html .

--Cliff
Re: apache 2.0.39 + mod_ssl.so
On Thu, 11 Jul 2002, Sauer, Adrian wrote:

> ...this error occurs during start with -DSSL:
>
> Cannot load /opt/apache_2.0.39/modules/mod_ssl.so into server: /opt/apache_2.0.39/modules/mod_ssl.so: undefined symbol: X509_free

This is a frequently asked question. Please see (among other places): http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8034

--Cliff
SSLLog's demise (was Re: freebsd SSLCryptoDevice)
On Wed, 10 Jul 2002, Mads Toftum wrote:

> <flame mode>
> Which is a really bad move IMHO - debugging with mod_ssl was very good, and easy to use, but now with 2.0 it has been hacked into something much less usable. Making the loglevel tie in with the general loglevel, you get debugging info from two places at once, that it _very_ rarely makes sense to debug together.

FWIW, I was in the camp that totally agrees with this sentiment. The decision to get rid of it was by no means unanimous. Feel free to start a grassroots petition to get it added back in again. :) If the users want it back, the users want it back...

--Cliff
Re: freebsd SSLCryptoDevice
On Tue, 9 Jul 2002, Geoff Thorpe wrote:

> Can you ensure you've got a decent debugging level set (eg. perhaps SSLLogLevel info) and post the last few lines of the error log when

Note that there's no such thing as a separate SSLLog/SSLLogLevel in Apache 2.0 anymore -- it's all lumped in with the regular error_log.

--Cliff
Re: Quickie on Certificate Requests (combined with virtual hosts)...
On 1 Jul 2002, Sean M Alderman wrote:

> I'm hoping someone on the list might have some experience with multiple IP based virtual hosts and generating CSRs for ssl certs for each host. Something has me thinking that if I run the commands from the mod_ssl faq, I'll get several CSRs for the same host (either local or the main hostname). That shouldn't be, certs are hostname specific right? Anyway, if anyone would be so kind as to pass me a clue.

The commands in the FAQ should be okay. When you run openssl and ask it to generate a CSR, it will prompt you for various things, one of which is Common Name (CN) -- enter the hostname with which the certificate should be associated there, and that's all you should have to do.

--Cliff
Re: Quickie on Certificate Requests (combined with virtual hosts)...
On 1 Jul 2002, Sean M Alderman wrote:

> Cool, thanks!... So I've done that, I needed to use the make certificate instead of the openssh commands because of the lack of a /dev/random on Solaris 8 (I don't know why make is able to make it happen when I can't). Anyway, each time I run it it generates a new server.key file, I need to keep each of these right?...perhaps name them based on the virtual host each are for?

Yes, exactly right. Dunno why the make certificate thing works when the openssl commands directly don't -- probably just some configuration issues.

--Cliff
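The flow from the two Sean Alderman messages above, as a shell script added by the editor and not from the thread: one key and one CSR per virtual host, named after the host, with the Common Name passed on the command line (the `-subj` option, an alternative to the interactive prompt the FAQ commands use), plus two checks worth running before a CSR goes to a CA. The hostnames and output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the list thread. One private key and one CSR per
# IP-based SSL virtual host, each file named after the host so the pairs
# cannot be confused, with the CN set non-interactively via -subj.
# Assumptions: the devl0N.example.com names and the ./ssl-csrs directory
# are constructed placeholders; openssl is on PATH.

# make_vhost_csr <outdir> <fqdn>
# Writes <outdir>/<fqdn>.key and <outdir>/<fqdn>.csr. -nodes leaves the key
# unencrypted so httpd can start unattended; the restrictive umask keeps
# the key file readable by its owner only.
make_vhost_csr() {
    dir=$1; host=$2
    mkdir -p "$dir" || return 1
    # subshell so the umask does not leak into the caller
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$dir/$host.key" -out "$dir/$host.csr" \
          -subj "/CN=$host" >/dev/null 2>&1 )
}

# csr_cn <csrfile>: print the CN the CSR actually carries (works for both
# the "subject=/CN=x" and the "subject=CN = x" output styles of openssl).
csr_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# key_matches_csr <keyfile> <csrfile>: exit 0 when the CSR's public key was
# derived from this key, i.e. the two files belong to the same vhost.
key_matches_csr() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    c=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# demo_vhost_csrs [outdir]: generate and verify a pair for each vhost.
demo_vhost_csrs() {
    out=${1:-./ssl-csrs}
    for h in devl01.example.com devl02.example.com; do   # constructed names
        make_vhost_csr "$out" "$h" || return 1
        key_matches_csr "$out/$h.key" "$out/$h.csr" || return 1
        echo "$h: key=$out/$h.key csr=$out/$h.csr CN=$(csr_cn "$out/$h.csr")"
    done
}

if [ -n "${RUN_DEMO:-}" ]; then demo_vhost_csrs "${1:-}"; fi
```

Run with `RUN_DEMO=1 sh make_csrs.sh /path/to/dir`; the printed CN lines are what to compare against each vhost's ServerName before anything is sent to the CA.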
Re: SSLCryptoDevice: works as a static, not as a DSO...? (fwd)
[[ None of my emails from this evening seem to have actually gone out (misconfig on my end, I think), so here's this again. Sorry if it's a dupe. ]]

-- Forwarded message --
Date: Fri, 28 Jun 2002 02:24:29 -0400 (EDT)
From: Cliff Woolley [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: SSLCryptoDevice: works as a static, not as a DSO...?

On Fri, 28 Jun 2002, Cliff Woolley wrote:

> To ask a silly question, you are *loading* the DSO, right? And you have SSL_EXPERIMENTAL_ENGINE defined in both cases?

I guess I didn't read your first email carefully enough; I see you already mentioned that you do have the appropriate AddModule and LoadModule lines in the DSO case. Double-check that, though, as that and the SSL_EXPERIMENTAL_ENGINE things are the only possible reasons you'd get that message.

--Cliff
Re: SSLCryptoDevice: works as a static, not as a DSO...?
On Fri, 28 Jun 2002, R. DuFresne wrote:

> I was thinking, and perhaps wrongly for versions prior to apache 2, that modules required openssl be shared, but, earlier mod-ssl based versions I do not think were so limited, being how they were built with ssl support.

Right. That's not a restriction in 1.3 as far as I know. Just 2.0 (due to libtool). For 2.0, if you want a shared mod_ssl, use a shared OpenSSL, and if you want a static mod_ssl, use a static OpenSSL. 1.3 should be a bit more flexible there. We'll get around to fixing that in 2.0 one of these days. :-/

--Cliff
Re: compiling apache2039
On Tue, 25 Jun 2002, Jeff Landers wrote:

> Even with just a ./configure I have many parse and symbol errors in the config.log when I configure apache2039, although it exits with a zero. Is that OK or do I need to work with someone to resolve these errors?

That's totally normal. These errors are how autoconf determines which features your compiler, linker, and system headers/libraries support. If it compiles and links, that's a yes, the feature is available. If it fails to compile and link that's just a no, the feature is not available. But a particular feature not being available is not usually fatal. The messages configure prints on stdout would tell you if it was a fatal condition. In other words: ignore config.log unless you encounter a fatal condition and need to find out exactly what happened.

--Cliff