Re: A method to enable secure non-HTTP protocols

2004-07-26 Thread Daniel Lopez

Nice :)

Apache 2 protocol modules should allow you to do this without having to
patch the server (using filters), as in Apache 2 HTTP is just another
protocol module that can be inserted or removed.
In Apache 2 mod_ssl itself is implemented as a filter.

On Mon, Jul 26, 2004 at 06:22:55PM +0200, Pablo Royo Moreno wrote:
 
 
 For some years, my company has been running a secure non-HTTP file transfer 
 system. Nowadays, with more and more system administrators allowing secure incoming 
 connections only through port 443, that system doesn't work, because it does not 
 speak HTTP and port 443 is usually already used by web servers, so we can't use it 
 for our systems.
 So there is no solution, if the system admin does not open another port, except to use 
 port 443.
 
 Now we have made a mod_ssl patch to allow non-HTTP secure incoming connections to be 
 deciphered and forwarded to a selected server, configured in the conf file, while also 
 serving HTTP in the usual way. I'm not sure if this can be done in any other way 
 with Apache modules, but it works and it's all I need.
 
 The patch is in
 
 http://spipe.sourceforge.net
 
 If you look at the documentation, you will see there are some other interesting (I think) 
 use cases to create secure pipes from one web server to another.
 
 Hope it will be of help to someone in the same situation. If not, just consider it a 
 more or less summer academic experiment.
 
 Thank you
 
 __
 Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
 User Support Mailing List  [EMAIL PROTECTED]
 Automated List Manager[EMAIL PROTECTED]


Re: Encryption and weblogic module

2004-04-16 Thread Daniel Lopez

client <-(a)-> Apache <-(b)-> Weblogic

If the client connects to Apache using SSL, (a) will be encrypted but (b)
will not (unless you can configure mod_wl to use SSL, which I don't believe
you can). The assumption is that (b) is occurring over a private, trusted
network. If you need to encrypt (b) I would suggest either setting up a VPN
or using Apache as a reverse proxy with SSL (the weblogic protocol in modern
versions is basically HTTP with a couple of extra headers).

cheers

Daniel

 Hello everyone.
 
 I am quite new to ssl, so I have a question.
 
 While a connection between a pc client and
 a web server is encrypted, I do not know if
 the connection that may result thereafter is
 encrypted too, that is, if ssl.conf contains
 an entry that looks like this:
 
 <Location /xx/xxx/*yyy*>
  SetHandler weblogic-handler
  WebLogicCluster host1.dom.dom.se:9,host2.dom.dom.se:9
  ErrorPage /xx/xxx/xxx/xxx/errpage.html
 </Location>
 
 Is the data that is sent and received between the
 webserver and host1/2.dom.dom.se also encrypted, and
 is there a way to check that ?
 
 Or is the question about encryption something that
 (in this case) the weblogic module (that Apache uses)
 is responsible for ?
 
 
 Regards
 
 Anders
 
 

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/


Re: Encryption and weblogic module

2004-04-16 Thread Daniel Lopez

But that module is for when Apache has been compiled with SSL (EAPI
patches); it does not provide SSL support.

 Weblogic used to provide an ssl version of the mod_wl module, I think it
 was named mod_wl_ssl. Obtaining the correct mod_wl_ssl may be dependent
 on  which version of weblogic  and apache are being used.
 
 We have run this configuration on Apache 1.x
 
 client -- FireWall -- Apache -- Firewall --- Weblogic
           only port 443  mod_wl_ssl  port is configurable
 
 David


Re: symmetric or asymmetric ?

2004-02-06 Thread Daniel Lopez

 1. The modssl web site refers to the SSL cryptography algorithm
as being conventional, or symmetric. But mod-ssl uses public
and private keys, which are known as parts of asymmetric
cryptography. Any explanation ?

Asymmetric cryptography is used to agree and exchange keys for symmetric
cryptography (much faster)

 2. I copied a mod-ssl-enhanced apache-2.0.48 installation to
another machine, replaced the certificate file ( server.crt )
with another certificate ( but same file name ), and made
some small changes in httpd.conf and ssl.conf. Of course,
this did not work. Is there any way that I can generate a
new private key ( server.key file ) according to the
public key in the new certificate file ? Or should I remove
everything and install again, the proper way ?

"It did not work" does not tell us much :) Which errors did you get?
What did you change? What is the current conf?

Since you are just starting with mod_ssl, I suggest reinstalling from
scratch rather than trying to figure out what may be going wrong.
You can find detailed information on how SSL works (symm/asymm.,
certificates, etc.) and how to get Apache 2 + mod_ssl working in a chapter I
have online at

http://www.apacheworld.org/ty24/site.chapter17.html


Cheers

Daniel



Re: Apache 2.x SSL failing -- no listening sockets available, shutting down

2003-03-18 Thread Daniel Lopez

 Hello, I have attempted several times on 2 platforms to install and run
Apache   SSL. Linux PPC and Linux Redhat8.0
[...]
 I wondered, of course, if some mod_ssl package is required in the mod
 structure, but found no documentation for Apache 2.x to that effect anywhere I
 looked.

Take a look at 
http://www.apacheworld.org/ty24/, in the secure server chapter for detailed
instructions on how to get Apache 2 working with SSL

Cheers

Daniel


Re: Using ssl/mod_ssl on non-apache HTTP server

2003-02-26 Thread Daniel Lopez

Take a look at the code of Webmin, it uses a Perl based webserver that can
use SSL if available. http://www.webmin.com
I have a chapter online introducing the main SSL concepts, it is focused on apache
but it should be useful for the basics:
http://www.apacheworld.org/ty24/
then, for the programming side of things, this is a good book:
http://www.amazon.com/exec/obidos/tg/detail/-/059600270X
As a reference book, I found this one invaluable:
http://www.amazon.com/exec/obidos/tg/detail/-/0201615983

Cheers

Daniel

 Hi -
 
 I'm new to ssl/mod_ssl so please forgive me if this post
 is out in left field. I have a new contract to develop
 secure TCP/IP communication between many customer sites.
 I have prototyped a non-secure HTTP server/client system
 written in Perl. My client likes it - but he demands high-
 level security.
 
 In my years of web programming, there has always been the
 'security' guy around to take care of these 'details' for
 me, but now I am him... :)
 
 I have been plowing through the Openssl, Perl modules
 (Net::SSLeay, etc.) documentation, but it's slow going
 and it hasn't 'clicked' yet for me.
 
 Do any of you have suggestions of other resources that
 might help me? HOWTOs, FAQs, Articles, Books, anything?
 
 Aloha = Beau.
 


Re: new to Apache-SSL world needs help

2003-01-29 Thread Daniel Lopez
 At this point I have to customize http.conf and ssl.conf files.
 Could you send me an example of such files already modified? I need to
 understand what I must change.

You can take a look at 
http://apacheworld.org/ty24/site.chapter17.html

for building instructions and an example minimal configuration.
Notice that you also need to pass --enable-ssl when building;
that should create a sample ssl.conf file in the conf directory.

Cheers

Daniel

On Wed, Jan 29, 2003 at 02:43:06PM +0100, Zampognaro Sergio wrote:
 Hi all,
 I need to migrate a web site from http to secure https. Mine is a Digital
 UNIX V4.0F  (Rev. 1229) server.
 
 I downloaded following packages:
  - openssl-0.9.7
  - httpd-2.0.44
 
 
 1) openssl installation - steps performed:
 
 ./config --prefix=/home/aspprod/aspapp/mySSL/openSSL
 
 make
   I got these warnings on stderr:
   ar: Warning: creating ../libcrypto.a
   ar: Warning: creating ../libssl.a
 
 make test
   On stderr I got the messages contained in the attached file:
 errore3.txt
 
 make install
   I got these messages on stderr:
   ./pod2mantest: pod2man: not found
   pod2man does not work properly ('BasicTest' failed).  Looking for
 another pod2man ...
   No working pod2man found.  Consider installing a new version.
   As a workaround, we'll use a bundled old copy of pod2man.pl.
 
 First of all, do you think all these warnings are fatal for my openssl
 installation?
 
 2) apache2 installation - steps performed:
 
 ./configure --prefix=/home/aspprod/aspapp/mySSL/apache2
 --with=/home/aspprod/aspapp/mySSL/openSSL
 
 make
   I got a lot of warnings on stderr!
 
 make install
 
 At this point I have to customize http.conf and ssl.conf files.
 Could you send me an example of such files already modified? I need to
 understand what I must change.
 
 thanks in advance!
 Sergio
 
  

Re: Apache-SSL vs mod_ssl

2003-01-22 Thread Daniel Lopez

 What's the benefit of mod_ssl compared to Apache-SSL???

mod_ssl is derived originally from Apache SSL
mod_ssl is more widely used than Apache SSL
Apache SSL supports Apache 1.x
mod_ssl supports Apache 1.x and 2.x

Cheers

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/



Re: Mod_ssl in apache 2.X

2002-12-05 Thread Daniel Lopez

For mod_ssl on Apache 2.0 you may want to check also the secure server
chapter I have online, which contains step by step instructions

http://www.apacheworld.org/ty24/

Best regards

Daniel

 Hi!
 
 I'm not here to quarrel with you, kid. I'm here to get some help, and your
 insults are not helping very much.
 
 I thought this was the modssl-users list for people with
 not-so-much-expert-knowledge and not the linux-experts-with-nolife
 mailing list.
 
 I'm working under time pressure and cannot afford reading old documentation
 all day and then guess how the later versions work (but of course I have
 read most of the old documentation anyway...).
 
 If I understand the example below I could rewrite it:
 
 CC=pgcc CFLAGS=-O2 \
  ./configure --prefix=/sw/pkg/apache \
  --enable-ssl=shared
 ?
 
 ... and load mod_ssl.so dynamically with LoadModule later on? Right?
 (Of course it's right.. ;) )
 
 > Now you have to do some work on your own, you can't expect others to do it
 > all for you and remain lazy.
 
 You call me lazy and think you know me after one email, that's cute. ;) I
 was asking a question and not hiring you or anybody else for a job. You
 didn't even have to answer. I'm not demanding anything. (This is the first time I
 ask a usergroup a question at all, silly.)
 
 > The new apache is not the best as far as documentation concerns, certainly
 > not up to the documentation that the older apache with or without mod-ssl
 > integration, but, there is info to be gleaned, if one looks
 
 Right, I and other developers still haven't all day, that's why user-groups
 exist, to ask someone who already knows and perhaps has some time over
 for a clear answer.
 
 If I had some time over myself I would be happy to contribute with some
 quick-start-(dummy)-tutorials, because it's needed. Setting up Apache2 with
 SSL must be one of the most common configurations... Perhaps I will
 contribute in the not-so-distant-future. ;)
 
 Regards
 
 /Johan
 
 
 
 
 
 
 
 -Original Message-
 From: R. DuFresne [mailto:[EMAIL PROTECTED]]
 Sent: den 4 december 2002 16:53
 To: Johan Bryssling
 Cc: [EMAIL PROTECTED]
 Subject: Re: Mod_ssl in apache 2.X
 
 
 
 Didn't read any of the documentation in that tarball did ya?
 
INSTALL
 
   [SNIP]
 
   For a short impression of what possibilities you have, here is a
   typical example which configures Apache for the installation tree
   /sw/pkg/apache with a particular compiler and flags plus the two
   additional modules mod_rewrite and mod_speling for later loading
   through the DSO mechanism:
 
  $ CC=pgcc CFLAGS=-O2 \
  ./configure --prefix=/sw/pkg/apache \
  --enable-rewrite=shared \
  --enable-speling=shared
 
   The easiest way to find all of the configuration flags for Apache 2.0
   is to run ./configure --help.
 
   [SNIP]
 
 The new apache is not the best as far as documentation concerns, certainly
 not up to the documentation that the older apache with or without mod-ssl
 integration, but, there is info to be gleaned, if one looks.
 
 How about the apache web pages, read that at all?
 
 Now you have to do some work on your own, you can't expect others to do it
 all for you and remain lazy.
 
 Thanks,
 
 Ron DuFresne
 
 On Wed, 4 Dec 2002, Johan Bryssling wrote:
 
  Hi!
 
  I have a couple of questions:
 
  If mod_ssl is included in apache2.x, why doesn't it show up in the module list
  when I use:
 
  % httpd -l
 
  ?
 
  If it's not included when I default compile (using the INSTALL-file
  instructions), how do I know how to compile mod_ssl into apache
  (if this is my first time)?
 
  Where do I find information about these things? I certainly don't install
  apache on a regular basis.. ;-)
 
  I noted a default config file for SSL (I also found an include in the
  httpd.config-file) and used the command:
 
  %httpd -DSSL -k start
 
  .. but it (apache) couldn't find the mod_ssl.. Why? If it's included I
  shouldn't bother, or?... Something I missed?
 
  All help will be appreciated.
 
  Thanks...
 
  /Johan
 
  ps. Thinking of using Apache 1.3.7 instead due to the extended source of
  good documentation...
 
 
 
 
 --
 ~~
 admin  senior security consultant:  sysinfo.com
 http://sysinfo.com
 
 Cutting the space budget really restores my faith in humanity.  It
 eliminates dreams, goals, and ideals and lets us get straight to the
 business of hate, debauchery, and self-annihilation.
 -- Johnny Hart
 
 testing, only testing, and damn good at it too!
 
 
 

Re: certificate problems

2002-11-23 Thread Daniel Lopez

 Just installed our new Verisign cert on our apache box but are having two
 problems with it:
 
 1. The person who generated the key that was sent to verisign used the wrong
 common name so the secure URL we use doesn't match the URL on the cert,
 throwing up a warning screen...any way around this other than starting over
 with a new cert?
 
Unfortunately no, you will need to get a new one or move your secure pages to
that domain.


 2. Whenever we start httpd we are prompted for a password for ssl to start,
 which doesn't work for us as httpd restarts itself every night.  Our old cert
 never did this, is this something new?

The key is encrypted, so in case anyone broke into your server, the attacker
would not be able to simply take your certificate and key and impersonate you.
He would also need that passphrase.

The way of doing this is to decrypt the key :

# ./usr/local/ssl/install/bin/openssl rsa -in www.example.com.key \
-out www.example.com.key.unsecure

(more info at http://www.apacheworld.org/ty24/site.chapter17.html)

mod_ssl also has a directive so you can have a script provide that phrase
automatically. It is convenient, but not really any more secure; see the
"How can I get rid of the pass-phrase dialog at Apache startup time?" entry at
http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html

Cheers

Daniel
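
Two replies on this page turn on the state of the key and certificate files: a server.crt swapped in without its matching server.key, and a passphrase-protected key being decrypted so httpd can restart unattended. The script below is an added example, not code from the list or from mod_ssl, that checks those conditions with the openssl command-line tool; the function names, the KEY_PASS variable and the three-argument call are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a mod_ssl key/certificate pair.
# Usage (assumed convention): sh audit.sh KEYFILE CERTFILE EXPECTED_HOSTNAME
# KEY_PASS, if set in the shell, is taken as the key's passphrase.

# Exit 0 if the PEM key is passphrase-protected. Traditional keys carry a
# "Proc-Type: 4,ENCRYPTED" header; PKCS#8 keys say "BEGIN ENCRYPTED PRIVATE KEY".
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Exit 0 if the key file grants nothing to group or other (mode 400 or 600).
# This matters most for a decrypted copy such as the .key.unsecure file above.
key_mode_private() {
    [ "$(ls -lL "$1" | cut -c5-10)" = "------" ]
}

# Exit 0 if the certificate holds the public half of the key, 1 if it does
# not, 2 if either file cannot be read (a wrong passphrase included).
# The passphrase is handed to openssl through the environment, not argv.
key_matches_cert() {
    key_pub=$(KEY_PASS="${KEY_PASS:-}" openssl pkey -in "$1" \
                  -passin env:KEY_PASS -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Print the certificate's common name. Current clients match on
# subjectAltName instead; this only covers the CN the thread talks about.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}

# Report findings for KEYFILE CERTFILE HOSTNAME; the return value is the
# number of findings.
audit_pair() {
    findings=0
    if key_is_encrypted "$1"; then
        echo "note: key is passphrase-protected; httpd will ask for it at startup"
    elif ! key_mode_private "$1"; then
        echo "FINDING: unencrypted key is accessible to group or other"
        findings=$((findings + 1))
    fi
    key_matches_cert "$1" "$2" && rc=0 || rc=$?
    case $rc in
        1) echo "FINDING: certificate does not belong to this key"
           findings=$((findings + 1)) ;;
        2) echo "FINDING: could not read key or certificate (passphrase?)"
           findings=$((findings + 1)) ;;
    esac
    cn=$(cert_cn "$2")
    if [ "$cn" != "$3" ]; then
        echo "FINDING: certificate CN '$cn' does not match host '$3'"
        findings=$((findings + 1))
    fi
    return "$findings"
}

if [ "$#" -eq 3 ]; then audit_pair "$1" "$2" "$3"; fi
```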



Re: mod-ssl for apache 2.0.x - wasn't compiled

2002-11-17 Thread Daniel Lopez


 [Questions]
 1. Where can I explore further about mod_ssl on Apache-2.0.x ? Any link?

I have a detailed chapter online just on that :
http://www.apacheworld.org/ty24/

 2. Where can I download mod_ssl for Apache-2.0.39? (In case, the default
 ssl module in Apache 2.0.39 is not recommended.)

the one that comes with apache is fine

Cheers

Daniel



Re: Prblems understanding on how to install mod_ssl!

2002-10-24 Thread Daniel Lopez

For detailed instructions on running mod_ssl for Apache 2
you can check out a chapter I have online:
http://www.apacheworld.org/ty24/site.chapter17.html
It includes details on how to build openssl and use the openssl command line
tool to generate your certificate and key.

Cheers

Daniel

On Thu, Oct 24, 2002 at 03:47:32PM -0500, [EMAIL PROTECTED] wrote:
 The INSTALL file when I untar mod_ssl says:
 Configure and build the SSL library:
 ./config
 make
 make test
 
 but it does not say to install, nor does it give you the instruction to do:
 make install
 
 Do I have to do this step?
 Then what are server.key and server.crt?
 What step of which program generates them and where does it put them?
 Once again the INSTALL file says if your server (which server? apache is not
 installed yet)
 has certificates already, provide the path, else run make certificate!  Run
 certificate where?
 
 Thanx in advance
 Dino



Re: SSLProxy* directives

2002-10-15 Thread Daniel Lopez


 The Apache documentation (www.apache.org) describes SSLProxy* as part of
 mod_ssl. Why isn't there any information about SSLProxy* on www.modssl.org?
 (Probably Ralf Engelschall can explain this.)

Because nobody wrote it :(  I was the one who wrote it for Apache 2, based
on some stuff we had for Covalent SSL

 Is this Apache 2.0 feature available in Apache 1.3 too?

I think so, you need to compile with SSL_EXPERIMENTAL flag. But I do not
think it worked very well. Doug MacEachern rewrote a big part of it to work
more cleanly in Apache 2.0.

 I think the current documentation of SSLProxyMachineCertificateFile is at
 least misleading.

Please correct and submit a patch to [EMAIL PROTECTED] :)

Cheers

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/




Re: SSL Accelerators

2002-08-02 Thread Daniel Lopez

On Fri, Aug 02, 2002 at 10:29:58AM -0700, David Lowenstein wrote:
 Can anyone out there recommend an affordable ssl accelerator that will
 work with a sun enterprise 420? I'm interested in either a pci card or a
 standalone unit.
 
 Unfortunately I'm about to launch a website under ssl and we really don't
 know just how much that's going to hamper performance.

 Also, any performance tuning tips for ssl would be appreciated (for
 apache webserver with mod_perl and bea weblogic)

My first advice would be to compile openssl with assembly optimizations on,
and make sure you configure session caching in the mod_ssl side.
Have you considered having dedicated boxes doing the ssl, serving static
content, and reverse proxying to the real servers?
That will also reduce the load in Apache, since each request ties up a process
and in turn that child has an expensive Perl interpreter embedded, whether it
is serving static content or not. (I am assuming you are using 1.3 here)

Cheers

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/



Re: SSL V3.0

2002-08-01 Thread Daniel Lopez

On Thu, Aug 01, 2002 at 11:16:22PM -0500, Austin Gonyou wrote:
 Does mod SSL support SSL v3.0? Haven't investigated this yet, but
 thought I'd ask here first.

Yes it does, it is right there, in the front page for www.modssl.org
Nothing to investigate :)

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/






Re: HTPASSWD Utility

2002-07-31 Thread Daniel Lopez



   

On Wed, Jul 31, 2002 at 12:59:20PM -0500, Cagle Larence G Contr 96 CG/SCTOA wrote:
 The htpasswd.exe utility in Apache_2.0.39-Mod_SSL-OpenSSL-0.9.6d-Win32.zip
 aborts with an error message when you try to add or update a password.  It
 responds with "The process cannot access the file because it is being used
 by another process."  I thought perhaps that Apache had not closed the
 password file when it was started, so I stopped the tasks related to Apache
 and tried it again.  Same result.  I'm running the server on a PC with
 Windows XP Professional OS.
 
  
 
 I downloaded and unzipped htpasswd.exe from the
 Apache_2.0.37-dev_mod_ssl_2.0.37_dev_OpenSSL-0.9.6c-WIN32.zip file and it
 works like it used to in earlier versions.

The htpasswd.exe utility on Windows has known bugs that have been fixed for
2.0.40. You can use previous versions like the one you mention, they are ok.

Cheers

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/



Re: mod_ssl newbie

2002-07-30 Thread Daniel Lopez


For that you do not want SSL. Check out:
http://httpd.apache.org/docs-2.0/howto/auth.html

For an introduction to SSL and Apache, you can check
out a chapter I have online :
http://apacheworld.org/ty24/site.chapter17.html

Cheers

Daniel

On Tue, Jul 30, 2002 at 02:37:14PM -0500, Henning, Brian wrote:
 Hello,
 I am new to the ssl world. Right now I am running w2k with apache 1.3.23 web
 server. I downloaded the mod_ssl package from the website. I changed the
 port on my apache web server to 443. On a high level what do I need to do to
 create a secure web server? I guess my real problem is I don't know what ssl
 does for me. What I am looking for is something that can password protect
 the files on my server. I want to let specific people access my site and
 that is it. They must have a password to use it. Is mod_ssl what I want or
 should I be looking elsewhere?
 thanks for any input,
 brian



Re: http to https forward

2002-07-25 Thread Daniel Lopez

On Thu, Jul 25, 2002 at 10:14:22AM -0500, David Iungerich wrote:
 Daniel,
 
 Does your book or somewhere else give the specifics of what all I need to do

When the book was released, Doug (who sits 2 cubicles next to me :) had not
yet cleaned up and ported that functionality, so I mention it but could not
give any specifics.

 to get this done.  If so I'll go buy it, or wherever I need to look.  I've
 got to get this thing implemented today.  At this point, I'm thinking I'll
 strip off the Apache 1.3.23 that came with Suse and install Apache 2.0.
 Bear in mind with all of this, that I'm new to Apache and Linux, so any
 specifics you can provide on what ALL is needed to implement this would be
 greatly appreciated.

Yesterday I submitted a patch to the Apache docs@ mailing list documenting those
directives. 
I can try and help you with the setup, first step is to get Apache compiled
with SSL support and understand how to generate certificates:
http://www.apacheworld.org/ty24/site.chapter17.html
and the mod_ssl docs/tutorial at apache.org

For the SSLProxy* directives these docs are old and for raven ssl, but apply
for the most part

http://www.covalent.net/support/docs/faststart/2.0.0/userguide/html/sslconfigure.php#1138492

Cheers

Daniel

 Thanks again,
 David
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Daniel Lopez
 Sent: Wednesday, July 24, 2002 5:49 PM
 To: [EMAIL PROTECTED]
 Subject: Re: http to https forward
 
 
 On Wed, Jul 24, 2002 at 05:45:15PM -0500, David Iungerich wrote:
  Thanks Daniel.  What all is needed as adjustments to my conf file?  As I
  understood it, there was an issue with Apache taking an http POST request and
  encrypting it with a given cert, then sending it along via https.  If you
  could tell me exactly what I need version-wise and what to add/change in a
  standard conf file, I'd greatly appreciate it.
 
 I am not sure I understand what you mean with "encrypting it with a given
 cert". I am guessing it means that your client must present a specific
 client certificate to the remote server. This SSL functionality was present
 in mod_ssl versions for 1.3 if you compiled with SSL_EXPERIMENTAL flag, but
 was not working very well.
 Apache 2.0 includes robust support for that functionality (thanks to Doug
 MacEachern of mod_perl fame) and I recommend you use that. The directive you
 want is SSLProxyMachineCertificateFile, for specifying the client
 certificate(s) to present to the remote server. It is not documented
 currently on the Apache project, but take a look at :
 http://www.covalent.net/support/docs/faststart/2.0.0/userguide/html/sslconfigure.php#1138492
 
 Hope it helps
 
 Daniel
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]On Behalf Of Daniel Lopez
  Sent: Wednesday, July 24, 2002 4:30 PM
  To: [EMAIL PROTECTED]
  Subject: Re: http to https forward
 
 
 
   yes, that is correct.  I meant http to https.  So, there is no way to do
   this with existing mods?  I have to use something else?  Java or Python
   program?  Anyone already have anything?
 
  You can already do it with Apache 2, and I am pretty sure you can do it
 with
  Apache 1.3 too. The directives are just not documented, I am working on a
  patch for the docs. But you are able to do
 
  SSLProxyEngine on
  ProxyPass / https://some.host.com
 
  And you can also use other SSLProxy* directives like SSLProxyVerify, etc.
 
  Daniel
 
  --
  Teach Yourself Apache 2 -- http://apacheworld.org/ty24/



Re: http to https forward

2002-07-24 Thread Daniel Lopez

On Wed, Jul 24, 2002 at 05:45:15PM -0500, David Iungerich wrote:
 Thanks Daniel.  What all is needed as adjustments to my conf file?  As I
 understood it, there was an issue with Apache taking an http POST request and
 encrypting it with a given cert, then sending it along via https.  If you
 could tell me exactly what I need version-wise and what to add/change in a
 standard conf file, I'd greatly appreciate it.

I am not sure I understand what you mean with "encrypting it with a given
cert". I am guessing it means that your client must present a specific
client certificate to the remote server. This SSL functionality was present
in mod_ssl versions for 1.3 if you compiled with SSL_EXPERIMENTAL flag, but
was not working very well.
Apache 2.0 includes robust support for that functionality (thanks to Doug
MacEachern of mod_perl fame) and I recommend you use that. The directive you
want is SSLProxyMachineCertificateFile, for specifying the client
certificate(s) to present to the remote server. It is not documented
currently on the Apache project, but take a look at :
http://www.covalent.net/support/docs/faststart/2.0.0/userguide/html/sslconfigure.php#1138492

Hope it helps

Daniel


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Daniel Lopez
 Sent: Wednesday, July 24, 2002 4:30 PM
 To: [EMAIL PROTECTED]
 Subject: Re: http to https forward
 
 
 
  yes, that is correct.  I meant http to https.  So, there is no way to do
  this with existing mods?  I have to use something else?  Java or Python
  program?  Anyone already have anything?
 
 You can already do it with Apache 2, and I am pretty sure you can do it with
 Apache 1.3 too. The directives are just not documented, I am working on a
 patch for the docs. But you are able to do
 
 SSLProxyEngine on
 ProxyPass / https://some.host.com
 
 And you can also use other SSLProxy* directives like SSLProxyVerify, etc.
 
 Daniel
 
 --
 Teach Yourself Apache 2 -- http://apacheworld.org/ty24/



Re: http to https forward

2002-07-24 Thread Daniel Lopez


 Quoting David Iungerich [EMAIL PROTECTED]:
 
  I need to implement Apache as an https to http forwarder.  I believe I
  need to use ProxyPass or Redirect, but am having difficulty figuring out the
  correct configuration.
 
 
 Just to clarify, I think you mean http to https forwarder, as in your subject;
 Apache forwards https to http without any problems.
 
 But for http to https, your problem isn't configuration; Apache+mod_ssl doesn't
 have the code for initiation of HTTPS connections. I've looked!
 
 Everybody told me it wouldn't work, I didn't believe them, I couldn't make it
 work, I read the code, it's not there!

 The only product I know of that might be able to do this is IBM EdgeServer, and
 possibly Netscape. Have to say I don't like EdgeServer and I have no experience
 of Netscape.
 
 Is there no-one around who'd like to code this? There are quite a few people who
 want to use Apache to initiate HTTPS connections. I don't have the time / coding
 skills.

Um, no, you can already do it

SSLProxyEngine on
ProxyPass / https://some.other.host

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/
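
The replies on this page pair SSLProxyEngine on with ProxyPass https://... for the leg from Apache to the back end, and the Weblogic reply notes that this leg (b) is otherwise unencrypted. As an added example (not from the list or the Apache project), the script below reads an httpd configuration and reports how each back-end leg is protected; the function names, status labels and sample configuration are constructed for illustration, and it treats the file as a single scope instead of tracking `<VirtualHost>` nesting.

```shell
#!/bin/sh
# Added example (not from the thread): classify the Apache-to-back-end leg
# for every back end named in an httpd configuration.

# proxy_legs [CONFIG_FILE]   (reads stdin when no file is given)
# Prints "<status> <target>" per back end, where status is one of:
#   plaintext        ProxyPass to an http:// target
#   tls-disabled     ProxyPass to https:// but SSLProxyEngine is not on
#   tls-unverified   https:// with SSLProxyEngine on, SSLProxyVerify not "require"
#   tls-verified     https:// with SSLProxyEngine on and SSLProxyVerify require
#                    (this still needs a CA set with SSLProxyCACertificateFile)
#   outside-mod_ssl  WebLogicCluster hosts: that leg is handled by the
#                    WebLogic plug-in, not by the SSLProxy* directives
proxy_legs() {
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        { d = tolower($1) }                       # directive names ignore case
        d == "sslproxyengine" { engine = (tolower($2) == "on") }
        d == "sslproxyverify" { verify = (tolower($2) == "require") }
        d == "proxypass"      { target[++n] = (NF >= 3) ? $3 : $2 }
        d == "weblogiccluster" { wl[++m] = $2 }
        END {
            for (i = 1; i <= n; i++) {
                t = target[i]
                if (t ~ /^https:\/\//)
                    s = !engine ? "tls-disabled" : (verify ? "tls-verified" : "tls-unverified")
                else
                    s = "plaintext"
                print s, t
            }
            for (i = 1; i <= m; i++)
                print "outside-mod_ssl", wl[i]
        }
    ' "${1:--}"
}

# Constructed sample input. The WebLogicCluster line is the one quoted in the
# Weblogic thread; the backend.example.internal hosts are placeholders.
sample_config() {
    cat <<'EOF'
# front end terminates SSL for clients: leg (a)
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
ProxyPass /app/ https://backend.example.internal:7002/app/
ProxyPass /static/ http://backend.example.internal:7001/static/
<Location /xx/xxx>
  SetHandler weblogic-handler
  WebLogicCluster host1.dom.dom.se:9,host2.dom.dom.se:9
</Location>
EOF
}

# Run against a real file when one is named, otherwise against the sample.
if [ "$#" -gt 0 ]; then proxy_legs "$1"; else sample_config | proxy_legs; fi
```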







Re: Distributed Session Cache

2002-07-13 Thread Daniel Lopez



 How far along is the mod_ssl port to Apache 2?

It is basically done, already bundled with Apache itself as a regular module

 Has anyone hacked up a distributed session cache?

The closest I know of is for Apache-SSL, which Ben Laurie mentioned at one
of the Apachecons:  http://anoncvs.aldigital.co.uk/splash/
based on http://spread.org

Some discussion on this:
http://marc.theaimsgroup.com/?l=apache-modssl&m=99055320101822&w=2

Daniel

--
Teach Yourself Apache 2 -- http://apacheworld.org/ty24/



Re: Question about SSL for Apache 2.x

2002-06-27 Thread Daniel Lopez


 Dear SSL companies,
 
 we are a university student team from the Czech Republic and we provide an expert 
system based on the Apache web server, but now we have a problem with SSL.
 
 Now we can install Apache 2.x on our server, but we need 
SSL support for this version.
 
 When we inspected your pages, we found information about versions for Apache 1.3.x.
 
 And we have a question: will there be a version available for Apache 2.x, or do we need 
to install an older version?

mod_ssl is already included with Apache 2. For instructions on getting mod_ssl
working with 2.0, you can check out

http://www.apacheworld.org/ty24/site.chapter17.html

Cheers

Daniel