It seems like you might be confusing shared infrastructure with
single ip. As others have said, you need a distinct address for each
SSL-enabled httpd or proxy, although they can reside on the same hardware.
A good example of this is the typical configuration for larger server
farms. You find
a) no.
b) each virtual host would need a separate address - you cannot use SSL
with name-based virtual hosts.
Best~
-d
[EMAIL PROTECTED] wrote:
If in my httpd.conf file I have numerous virtual hosts defined with include
files like:
Include /usr/local/apache/conf/conf.d/devl00.conf
Include
ok, with my notes and Aaron's, there *is* something you can do. If you
create the certificate for www.domain.com, you can rewrite HTTPS
requests to something like:
https://www.domain.com/dev100/
https://www.domain.com/dev101/
::tosses 0.02$USD on the table::
-d
Aaron Dalton wrote:
[EMAIL
re-read my previous mail on rewriting the URL.
You *might* want to do something further, like:
http://dev101.domain.com/secure/ gets rewritten to:
https://www.domain.com/dev101/
mod_rewrite is your friend. ok, so it's more like a thug that clubs you
over the head before patting you on the
is, but will be content by just pushing buttons on the front panel of the device. Because of how the device is being deployed, I can even assume that everything can be run under root to simplify things.
So given that this is not a normal case, any ideas on how to proceed?
Dave Paris [EMAIL PROTECTED] wrote
http://csrc.nist.gov/cryptval/140-1/1401val2007.htm#733
Best~
-d
[EMAIL PROTECTED] wrote:
Does anyone know if the Apache v2.2.x implementation of OpenSSL mod_ssl
is FIPS 140-2 validated? What version of OpenSSL is distributed with the
current version of Apache? Any help is much appreciated…
Occasionally, /var/spool/clientmqueue can bite you as well. The
filesystem will not show 100% used but you'll be out of inodes. (If
that happens, you'll have loads of fun clearing it out ;-)
Good Luck!
- -dsp
Andy Cravens wrote:
Judging from
I typically use a SSL-terminating reverse proxy in the DMZ, like Pound,
to terminate the SSL connection at the front door and send the request
back into a private subnet over plain HTTP for IDS/IPS detection,
clicktracking, etc.
Best~
- -dsp
Nikhil
Hi Mark,
a) you never added the contents of your Location directive (i.e. with
the following Location directives..)
b) you don't specify *why* you need these, particularly given that
you're using IP-based virtual hosts. (i.e. (which we really need))
I use Pound (http://www.apsis.ch/pound/) as an SSL-terminating reverse
proxy .. on commodity hardware, it can handle - at least according to
quotes from the field - up to around 400 conns/sec. It also affords you
some additional firewalling in that you can put the SSL terminating
accelerator
Jeffrey M. Johnson wrote:
I am knew to this list and have spent many hours looking for an answer I
am sure is probably right in front of my face.
knew?! from a .edu address? ::boggle:: alas, I digress.
I have a host that has 40 some virtual hosts associated with it, but
only one of those
First and foremost, if this is a world-accessible server, upgrade your
version of OpenSSL to the most recent available for RH7.3 (I'd also consider
upgrading to RH9.0 while you're at it). 0.9.6b has several security
vulnerabilities outlined at www.openssl.org. Also, use the most current
versions
As I suspected, none of these messages originate from Ralf. Just
checking the original headers on the most recent batch of six I got
overnight...
from cruzeiro (cruzeiro.fisc.wwu.edu [140.160.220.200]) by master.modssl.org
from CLS-TORG1010-27 (torg1010-27.its.vt.edu [128.173.44.191]) by
More likely a faked 'From' address. While possible, it's highly improbable
that the source is actually Ralf's machine. I've routed my copies to
/dev/null so I can't examine the headers to determine if the source address
actually resides in Europe or not.
Kind Regards,
-dsp
-Original
Will the moderator(s) be so kind as to killfile this user? Thanks, we
get enough spam without it bypassing internal filters for important
listservs like modssl-users.
Kind Regards,
-dsp
On Tuesday, Nov 4, 2003, at 10:53 US/Eastern, Kevin Klawon wrote:
Wonder if this has anything to do with the recent repairs to the ASN.1
subsystem in OpenSSL. http://www.openssl.org/news/secadv_20030930.txt
-dsp
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jeffrey Burgoyne
Sent: Wednesday, October 08, 2003 7:04 AM
To:
A couple questions. Is this something like a SSL-protected web interface to
an IMAP server (ref: your mention of port 143)? If so, are you accepting
certain directives which are being passed on to the IMAP server (ref: start
the script on port 143)? If this is the case, it sounds like what
on the server.
I launch the script with:
<?php
// Reconstructed: the angle brackets, quotes and trailing '&' were stripped by extraction;
// the '&' (background the job so exec() returns) is an assumption.
exec("nohup ./script.sh > /dev/null &");
?>
The page loads successfully, but when I follow a link the server doesn't
respond.
If I use another browser the server responds normally.
Vincent KERAVEC
Dave Paris wrote:
A couple questions
of course, this is assuming the kerberos libs have been installed. :-)
-dsp
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Joe Orton
Sent: Tuesday, August 26, 2003 4:27 PM
To: Trevor Morrison
Cc: [EMAIL PROTECTED]
Subject: Re: [Fwd: mod_ssl compile
I was referring to Asynchronous Transfer Mode transport-layer protocol
- typically used on WAN and long-haul links. Really doesn't have
anything to do with SET or other applications.
-d
On Friday, Aug 22, 2003, at 00:51 US/Eastern, Arthur Chan wrote:
Hiya.
How's it going Dave ?
Remember we
http://www.apache-ssl.org/docs.html#CGI
but there is no RFC for SSL envvars that I'm aware of. mod_ssl offers a
more complete list than is shown above. This can be found at:
http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25
since the server is what's setting the environment variable,
there that is willing to submit a serious
response to this I would appreciate it greatly.
Regards,
Ian Newlands
- Original Message -
From: Dave Paris [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: Ian Newlands [EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 11:58 AM
Subject: Re: virtual hosting
geeze
On Thursday, Aug 21, 2003, at 21:53 US/Eastern, Ian Newlands wrote:
Dave
Thank you for your reply, it was most enlightening and yes I will
re-assess my future as a human being. Hopefully that statement
somehow makes you feel better about yourself.
[...]
Get over yourself. I went out of my
On Wednesday, Aug 20, 2003, at 00:32 US/Eastern, Arthur Chan wrote:
Well, my eyes did glaze over somewhere betw thermodynamics and mobile
perpetuum ;-)
So does this mean that if I work in a less sophisticated infrastructure
where only 56kbps ppp dialup is available, I can get some incremental
~
-dsp
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Eric Rescorla
Sent: Wednesday, August 20, 2003 11:44 AM
To: [EMAIL PROTECTED]
Subject: Re: configuration question
Cliff Woolley [EMAIL PROTECTED] writes:
On Tue, 19 Aug 2003, Eric Rescorla wrote:
Dave
geeze. is it that time of the month already for this question? seems
like it was just yesterday when it was asked last .. maybe I'm just
thinking of the other 100,000 times it was asked.
in all seriousness, this dead horse has been beaten so many times on
this list there isn't even a carcass
In addition to Owen's salient points about compression working efficiently
on repetitive strings in plaintext/binary data (e.g. whitespace in a Word
document) and not on random data (e.g. encrypted data), some encryption
algorithms can actually be weakened by compressing the resulting data,
giving
Your actual message issue notwithstanding, the versions you're running are
not just old, they've got security flaws and vulnerabilities well documented
at CERT, apache.org, and openssl.org.
http://www.cert.org/advisories/CA-2002-27.html (Linux, Apache, OpenSSL,
mod_ssl)
Message -
From: Dave Paris [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 11, 2003 06:16 PM
Subject: Re: high-grade vs low-grade encryption with MD5 and DES
compromised is probably a poor word to use, pointlessly weak is
more accurate. If you're going to use SSL and you're
by those bollocky client
browsers. Netscape and MSIE4 come to mind.
Regards,
Arthur Chan
- Original Message -
From: Dave Paris [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 11, 2003 07:34 PM
Subject: RE: high-grade vs low-grade encryption with MD5 and DES
The 5 minutes I
compromised is probably a poor word to use, pointlessly weak is
more accurate. If you're going to use SSL and you're dealing with data
that needs to be protected longer than 5 minutes, use 128bit SSL.
-dsp
On Sunday, Aug 10, 2003, at 02:25 US/Eastern, Arthur Chan wrote:
Hi all.
Verisign
Look at the handshake for SSL. During the name to address translation
phase, you wind up with a chicken-egg scenario if more than one name
shares an address.
Not only is it not possible, it'd be a HUGE security flaw if it WERE
possible.
-dsp
On Tuesday, Dec 3, 2002, at 15:34 US/Eastern,
a) you could try surfing the archives of this list since an arguable
10% of the traffic is either this exact question or directly relates to
it.
b) you could use different ports
c) you could use different IPs. they're not *that* rare .. and .. it
could be sanely argued that if you've got
http:// is *NOT* the same thing as https:// .. therefore,
http://host:443 is a standard HTTP request to port 443, it is *NOT* an
HTTPS request.
URL 101 is in session!
protocol://user:pass@host:port/uri
and since http is not the same thing as https, the server is simply
giving you back precisely
David Loszewski wrote:
I have a few small questions that I'm seeking answers for, any help
would be much appreciated:
1. Mod_SSL is working...I type in 'https://192.168.0.1' and it uses the
ssl but when I type in 'http://192.168.0.1:443' it doesn't work, comes
up saying that it can't
Dave,
Unfortunately, those firewall logs are all but worthless as they don't
detail what type of packet is being sent and what the reply is, nor the
source port for the reply. Trying to ascertain what's going on here
without real packet data is akin to looking at railroad tracks and
wondering
[..snip a bunch of sane pondering at completely inexplicable behavior by
third parties..]
The only thing I currently know is that with Apache 2.0 it seems that we
again will have the same SSL/TLS problem as we had three years ago with
Apache 1.3 (means: an unpolished 70 percent solution).
While I can appreciate the "why do we have to pay these mooks?!"
attitude, the reasoning is rather more straightforward.
It seems those making the silly** (imho) arguments have forgotten the
entire reason for a "trusted third party" (in this case, the CA). User
U heads over to site S and wishes
e gist of how it works?
*^*^*^*
Have the courage to take your own thoughts seriously, for they will shape
you. -- Albert Einstein
On Wed, 6 Dec 2000, Dave Paris wrote:
While I can appreciate the "why do we have to pay these mooks?!"
attitude, the reasoning is rather more st
Before blindly screaming "It's broken!", think about *why* you need
suexec first. If you aren't going to use it, then don't bother enabling
it. I run configurations with a heavily modified (for values, not for
additional defines or typedefs) apache_[ver]/src/include/httpd.h. These
typically
[EMAIL PROTECTED] wrote:
/usr/bin/ld: cannot open -lgdbm: No such file or ...
[snip]
+ SSL interface plugin: Vendor DBM (libndbm)
[snip]
--enable-rule=SSL_SDBM
it could be as simple as you don't have gdbm in your path, or you don't have
it installed.
May I politely point out that Win2K is _BETA_.
If something's b0rken, go back to a known, stable platform.
-dsp
-Original Message-
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Thursday, July 01, 1999
nreese wrote:
Tried for 2 weeks to get mod_ssl to work. I'm giving up. I'm going over to
the dark side and using Commercial Ware. Hopefully someday GNU software
will function.
Hrmm.. you mean like gcc, bison, flex, autoconf, automake, et al.?
GNU software functions just fine,
"Ralf S. Engelschall" wrote:
[...]
Is this SuSE Linux where such problems occurred because of
the vendor NDBM library?
This is also a problem on RedHat 6.0. Here's the long-term fix I used...
## notice this is a cp and *not* a mv!!
cp /usr/include/db1/ndbm.h /usr/include/ndbm.h
and apply
nreese wrote:
I'm having a lot of problems. First the RSAref library that openssl tells me
to use doesn't exist, RSA is not giving it out anymore.
As I recently pointed out, stick "http://ftpsearch.lycos.com" into a
browser and search for: rsaref20.tar.Z .. there are a plethora of sites
The biggest thing to remember in amidst all this legal light show crap is that
the longer these countries hold down strong encryption, the longer they hold
back widespread Net commerce... commerce that adds jobs, increases the taxable
income of companies and, in the long term, increases the
Have we received any "in print" confirmation from RSA with regards to us using
one license from a commercial package to build and use mod_ssl in the States?
Regards,
dsp
[EMAIL PROTECTED] -+-|-+- [EMAIL PROTECTED]
#include disclaimer.h
The two most oft overlooked motor vehicle laws: Inertia
Just a pondering here, but in the -spirit- of the law (and probably not the
letter), and given the fact that I'm not a lawyer, what if we (US developers)
were to purchase a commercial solution, shelve it, then use that license in our
own (individual) mod_ssl package? We still have only one