On Tue, Oct 19, 2010 at 04:35:49PM -0400, Jeff Blaine wrote:
Works: SSL via my corporate cert, SSL via 3 other people's
corporate certs
Fails: 1 person's cert so far, yet is logged as SUCCESS
when logging SSL_CLIENT_VERIFY via CustomLog
Your verbose description of something goes is not
On 11/1/2010 7:14 AM, Joe Orton wrote:
On Tue, Oct 19, 2010 at 04:35:49PM -0400, Jeff Blaine wrote:
Works: SSL via my corporate cert, SSL via 3 other people's
corporate certs
Fails: 1 person's cert so far, yet is logged as SUCCESS
when logging SSL_CLIENT_VERIFY via CustomLog
Your verbose
for each installation.
At least it was for us since we re-installed about 50 times.
Thanks again,
Gunner Geller
-Original Message-
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org]
On Behalf Of Gregg L. Smith
Sent: Monday, September 13, 2010 12:48 PM
To: modssl
Still trying to solve this, I stood up a separate
brand-spanking-new Apache 2.2.17 from source with builtin
SSL. I am using the same Apache SSL config as quoted below.
I experience the following failure (further context is in
my quoted message below):
...
[Tue Oct 19 16:20:42 2010] [info]
Hello Gunner,
Have you tried
--enable-ssl --with-ssl=/path/to/just/compiled/openssl ?
Regards,
Gregg
Gunner Geller wrote:
Hello,
We are using mac Leopard OS. We have rolled our own Apache(2.2.16)
separate from the default install. We have also rolled our own OpenSSL to
the latest
any errors I have made.
/ulfW
-Original Message-
From: Joe Orton [mailto:jor...@redhat.com]
Sent: 17 August 2010 16:01
To: Ulf Wahlqvist
Cc: modssl-users@modssl.org
Subject: Re: OCSP-validation fails - Wrong cert passed to OCSP by Apache
On Tue, Aug 17, 2010 at 12:47:26PM +0200
I still don't get it. I used Wireshark and found out that the certificate sent
to the OCSP-responder is the CA-cert, not the client-cert to be validated! I am
clueless.
Online Certificate Status Protocol
tbsRequest
requestList: 1 item
Request
reqCert
On Tue, Aug 17, 2010 at 12:47:26PM +0200, Ulf Wahlqvist wrote:
I still don't get it. I used Wireshark and found out that the
certificate sent to the OCSP-responder is the CA-cert, not the
client-cert to be validated! I am clueless.
The code tries to verify each cert in the client cert chain
I have now verified that if I use openssl directly from command line it will
verify OK. Apparently there is no need for signing the request.
openssl ocsp -issuer /usr/local/apache2/conf/SITHS_CA_v3.cer -CAfile
/usr/local/apache2/conf/SITHS_CA_v3.cer -cert /mnt/download/uwcert.cer -text
-url
Hi,
That is not a bug, it is a feature! With the TLS renegotiation there
is a theoretical man-in-the-middle-attack possible. To prevent that
the developers decided to deactivate the TLS renegotiation.
Solution: use SSLInsecureRenegotiation on
I updated the patch. The most recent version is now available at
http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_31-1_3_41-v4.patch
In addition to the v3 version of the patch, it now also contains a
backport of the SSLInsecureRenegotiation directive introduced in Apache
On 02/17/2010 02:08 AM, NT984 wrote:
I am converting from a Verisign SSL Certificate to a Network Solutions EV SSL
Cert on my site. My existing configuration uses the following directives:
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXP:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2
SSLCertificateFile
I found a solution, it looks like a dirty hack and making a security
hole, but it works for our custom purposes. So I don't recommend to use
this way. Somehow it may be interesting for somebody.
It's needed to patch openssl.
In 'openssl/ssl/ssl_cert.c' file, in 'ssl_verify_cert_chain' function
I wouldn't expect an update until it's in sync with the final 0.9.8m from
the group, as a (probably final) update. Without 0.9.8m finished, due to
an unfinished RFC, it's a bit trickier to move ahead.
On 2/5/2010 6:19 AM, Bernard PREVOSTO wrote:
The Apache Group is pleased to announce the
I proposed this a while back but never got any responses.
https://issues.apache.org/bugzilla/show_bug.cgi?id=46897
-Original Message-
From: owner-modssl-us...@modssl.org [mailto:owner-modssl-us...@modssl.org]
On Behalf Of Jaz
Sent: Friday, January 22, 2010 9:11 AM
To:
Thanks so much for your tip. Now I have a much better understanding of
the problem.
Aaron
Hello,
I faced the same issue.
Actually, client authentication has been disabled on recent versions. It
has nothing to do with your configuration.
See (on my blog):
Hello,
I faced the same issue.
Actually, client authentication has been disabled on recent versions. It
has nothing to do with your configuration.
See (on my blog):
http://www.phocean.net/2009/11/28/openssl-cve-2009-3555-security-fix-and-mod_ssl-client-authentication-breakage.html
and then :
On 29.12.2009 22:57, John Lightsey wrote:
On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
On 23.11.2009 18:57, John Lightsey wrote:
On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
Thanks again. I updated the patch:
On Mon, 2009-11-23 at 22:12 +0100, Rainer Jung wrote:
On 23.11.2009 18:57, John Lightsey wrote:
On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
Thanks again. I updated the patch:
http://people.apache.org/~rjung/patches/cve-2009-3555_mod_ssl_2_8_21-1_3_41-v2.patch
The only changes
): OpenSSL:
Write: SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [debug] ssl_engine_kernel.c(1912): OpenSSL:
Exit: error in SSLv3 read client hello A
[Tue Nov 24 16:56:15 2009] [error] [client 194.2.193.253] Re-negotiation
handshake failed: Not accepted by client!?
[Tue Nov 24 16:56:23 2009
] Re-negotiation
handshake failed: Not accepted by client!?
[Tue Nov 24 16:56:23 2009] [debug] ssl_engine_io.c(1869): OpenSSL: I/O
error, 5 bytes expected to read on BIO#7f313d364fc0 [mem: 7f313d8641a0]
I renewed one more time all my certificates, so I don't think there is
anything wrong
On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
Backport is not totally straightforward, because the original patches
use the filter architecture not present in Apache 1.3.
Any Feedback on the patch is welcome. Some additional debug output can
be activated by using -DRENEG_DEBUG.
On 23.11.2009 18:57, John Lightsey wrote:
On Sun, 2009-11-22 at 01:21 +0100, Rainer Jung wrote:
Backport is not totally straightforward, because the original patches
use the filter architecture not present in Apache 1.3.
Any Feedback on the patch is welcome. Some additional debug output can
On Thu, Nov 19, 2009 at 03:19:00PM -0500, David Rosenstrauch wrote:
Hi. I'm tearing my hair out over an SSLRequire directive that doesn't
seem to be working. Can anyone help?
The directive is actually quite simple:
# Require SSL over non-obvious port 81 for SVN access
SSLRequire
On 11/20/2009 04:50 AM, Joe Orton wrote:
On Thu, Nov 19, 2009 at 03:19:00PM -0500, David Rosenstrauch wrote:
Hi. I'm tearing my hair out over an SSLRequire directive that doesn't
seem to be working. Can anyone help?
The directive is actually quite simple:
# Require SSL over non-obvious
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Robin wrote:
| My virtualhost configuration is as follows:
|
| SSLEngine on
| SSLCertificateFile /etc/apache2/public.crt
- ^
| SSLCertificateKeyFile /etc/apache2/private.key
| SSLCACertificateFile
which works with PATH_INFO
You may check that out.
Mario
-Original Message-
From: owner-modssl-us...@modssl.org
[mailto:owner-modssl-us...@modssl.org] On Behalf Of glowkeeper
Sent: Monday, July 20, 2009 10:53 AM
To: modssl-users@modssl.org
Subject: RE: modssl - URL's under domain
Well the AllowOverride manages what you are allowed to configure in
.htacces
Order deny, allow
deny from all
Allow from 127.0.0.1
This manages who can access this server from where.
In your case you can only access from 127.0.0.1 aka. localhost your
computer
See the docs for more details
Hi!
What is in your error log about that?
Mario
-Original Message-
From: owner-modssl-us...@modssl.org
[mailto:owner-modssl-us...@modssl.org] On Behalf Of glowkeeper
Sent: Sunday, July 19, 2009 9:38 PM
To: modssl-users@modssl.org
Subject: modssl - URL's under domain name not found
I
The error log says (for example):
[Mon Jul 20 09:40:21 2009] [error] [client 127.0.0.1] File does not exist:
/Library/WebServer/Documents/drupal/electric-heater-info, referer:
https://devel.cosyheart.com/
Actually, my original post is a bit misleading - the content is delivered
via drupal and a
: Monday, July 20, 2009 10:53 AM
To: modssl-users@modssl.org
Subject: RE: modssl - URL's under domain name not found
The error log says (for example):
[Mon Jul 20 09:40:21 2009] [error] [client 127.0.0.1] File does not
exist:
/Library/WebServer/Documents/drupal/electric-heater-info, referer:
https
...@modssl.org
[mailto:owner-modssl-us...@modssl.org] On Behalf Of glowkeeper
Sent: Monday, July 20, 2009 10:53 AM
To: modssl-users@modssl.org
Subject: RE: modssl - URL's under domain name not found
The error log says (for example):
[Mon Jul 20 09:40:21 2009] [error] [client 127.0.0.1] File
error persists, however...
The primary impact is - apparently - that the SSL session is constantly
re-negotiated for GET of each page element; loading of a single page might
generate 8-10 prompts for the certificate. We have fiddled with various
settings for the Renegotiation buffer, including
Zhumabekov - discussion of mod_ssl for httpd 2.x takes place on the
development list for Apache httpd, CC'ed. (I'm quoting the full mail
inline for reference of dev@ readers)
On Wed, May 06, 2009 at 10:49:46AM +0600, Zhumabekov Yerden wrote:
mod_ssl can perform client authentication
Hi,
Same setup as works with both subCAs. Use the SSLRequire directive. Restrict on
the client certs issuer field (SSL_CLIENT_I_DN...).
Regards
Matt
- Original Message
From: leanmeandonothingmachine leanmeandonothingmach...@gmail.com
To: modssl-users@modssl.org
Sent: Thursday,
thanks that works, a little tricky if you want to use SSLVerifyClient
optional, as it 403s everything in that case instead just not filling in the
client variables. But I can always do that programmatically if I need it.
--
View this message in context:
thanks that works, a little tricky if you want to use SSLVerifyClient
optional, as it 403s everything in that case instead of just not filling in
the client variables. But I can always do that programmatically if I need it.
Nuno Ponte wrote:
Hi,
We are running a CA that has thousands of revoked certificates,
which leads to CRLs of several MBytes.
On the next renewal of the CA, we are thinking of partitioning the
CRLs at each X number of issued certificates. The issued certificates
will have
Hi Gilles,
Thanks for your reply! :-)
The CA also offers OCSP, which is obviously the preferred way to
validate certificate status. I am just trying to make sure that there
is support from the applications world to such a CRL partitioning
scheme. Wide interoperability is a key goal.
Jorge Martín Cuervo wrote:
Hi all,
i have a problem with an apache 2.2.9, maybe this is not the correct
mailing list but i am going to ask, my apologies if this isn't the
proper place.
I had an instance of apache 2.2.9 with an IP serving contents with the
port 80 and 443, we bought
Hi Cuesta Gilles, thanks for your quick reply. No i am going to read
the documentation about SSLPassPhraseDialog.
This is my apachectl -S output:
[EMAIL PROTECTED] bin]$ ./apachectl -S
VirtualHost configuration:
213.134.38.66:443 cv.smra.org
Jorge Martín Cuervo wrote:
I tried with an SSLPassPhraseDialog in every VirtualHost and i get this
message:
[EMAIL PROTECTED] bin]$ ./apachectl -S
Syntax error on line 82
of /home/jmartin/apache22/conf/extra/httpd-ssl.conf:
SSLPassPhraseDialog cannot occur within VirtualHost section
or
I tried with an SSLPassPhraseDialog in every VirtualHost and i get this
message:
[EMAIL PROTECTED] bin]$ ./apachectl -S
Syntax error on line 82
of /home/jmartin/apache22/conf/extra/httpd-ssl.conf:
SSLPassPhraseDialog cannot occur within VirtualHost section
or unciphered key ? how can i do it? do
Peter Sylvester wrote:
in ssl_engine_vars, there seems to be a problem to me concerning the UID
field.
The syntax for the field is a bitstring and not a text.
Nothing happened since I've filed this bug and raised the issue here:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45107
It's
- Original Message
From: Jan Stian Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Thursday, September 25, 2008 9:37:00 AM
Subject: Re: Can i use CA signed cert to create client authentication
certificates ?
Thank you very much Matt .
That solved it :).
I now have Client
Gabrielli [EMAIL PROTECTED]
To: modssl-users@modssl.org
Sent: Tuesday, September 23, 2008 1:39:16 PM
Subject: Re: Can i use CA signed cert to create client authentication
certificates ?
Ok. This seems like a viable solution.
Ie.
I use an approved CA signed cert to verify the site authenticity, and i
Ok. This seems like a viable solution.
Ie.
I use an approved CA signed cert to verify the site authenticity, and i use a
selfsigned CA root for client certificates.
Can you point me in a direction of how i make this work in apache ?.
I already have a setup with a Selfsigned CA working for client
Gunnar Vestergaard wrote:
My goal is to let visitors of my web site authenticate themselves to
my web server using some certificate, possibly S/MIME certificates.
As I understand the documentation for PHP, there is no means whereby
PHP can read and interpret an SSL client certificate. Is
Hi,
Have a look at mod_authz_ldap (ldap based white listing,
http://authzldap.othello.ch/). Probably far more than you need but it
does things along the same lines and has some nice notes how to do
various bits and pieces.
You can add env vars that you can use php have a look at SSLOptions
Sounds like you're trying to use the thawte apache cert to sign your client
certs? The thawte cert won't have the right attributes to sign a client cert
and then try to use it.
You could use your CA for client certs and Thawte for the server cert.
Regards
Matt
- Original Message
Hi,
I have noticed that the DN components of the SSL_CLIENT_S_DN and
SSL_CLIENT_I_DN
environment variables are separated by the '/' (forward slash) character
rather than
the ',' (comma) separator as required by RFC2253.
Is the use of the forward slash part of an older standard or is there
the scenes, you might
still be right... I'll try it out as soon as I can and let you know.
Thanks a lot
Johan
-Original Message-
From: Martin Dickau [mailto:[EMAIL PROTECTED]
Sent: 01 September 2008 12:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Error when trying shmcb SSLSessionCache on 64-bit
: RE: Error when trying shmcb SSLSessionCache on 64-bit Windows
Hi Martin
1) I'm still reluctant to use an unofficial build, but its good to know
others are using it.
2) Wow, well spotted with your (x86) theory! It also failed with a
relative path: logs/ssl_scache(512000), but depending on how
You did not configure your Apache with mod_ssl when you set it up. You need
to rebuild your Apache.
On Thu, Aug 21, 2008 at 1:02 AM, Linda Lee [EMAIL PROTECTED] wrote:
Hi all
*I am using apache 1.3.41 with mod_ssl 2.8.31. I kept getting the below
error:
Starting httpd: httpd Syntax error
A few more hours of investigation revealed the solution;
RewriteCond %{HTTP_HOST} ^www.mydomain.com:8080 [NC]
RewriteRule ^/(.*) https://www.mydomain.com/$1 [L,R=301]
Sorry bout the html mail earlier.
Tim
- Original Message -
From: Tim Hester
To: modssl-users@modssl.org
Sent:
you know what, You are a f***en idiot.
if you do not want to receive these emails, just get your name taken off
from the list instead of b-shitting.
send an email to [EMAIL PROTECTED] address (you can also find it at the
bottom of this message) with subject as 'Remove me'.
ok?
On Mon, Jul 14,
THANK'S
-- Original message from "Shahadat Hossain" [EMAIL PROTECTED]: --
you know what, You are a f***en idiot.
if you do not want to receive these emails, just get your name taken off from the list instead of b-shitting.
send an email to [EMAIL PROTECTED]
One small comment. I have tried for years to get off this mailing list.
I have sent my request and it has always been effective, for say a month
or so,
then I get put back on the mailing list. And it keeps coming. My
solution was
to add it to my spam filter. It doesn't bother me that way
Michael Ströder wrote:
Beth E. Okun wrote:
We're running Apache with ssl enabled..We're using Basic
authentication, and if the user browses away from our site and then
comes back, they are not forced to log on again...it appears that
these settings are being stored somewhere,
[EMAIL PROTECTED] wrote:
I have several web servers currently that all have the same IP, but
different host names, and I have an apache that uses mod_proxy to direct
requests to the correct internal server to process the request.
I would like to use my apache proxy server to provide SSL
Eckard Wille wrote:
[EMAIL PROTECTED] wrote:
I have several web servers currently that all have the same IP, but
different host names, and I have an apache that uses mod_proxy to direct
requests to the correct internal server to process the request.
I would like to use my apache proxy
Cuesta Gilles wrote:
I thought that using wildcard or multi-cn certificates will work ?
No.
In this case, only one certificate is needed for a range of Vhost
If you only have one ip this won't make things better because virtual
hosting is still not possible. Wildcard certs do not
Eckard Wille wrote:
Cuesta Gilles wrote:
I thought that using wildcard or multi-cn certificates will work ?
No.
In this case, only one certificate is needed for a range of Vhost
If you only have one ip this won't make things better because virtual
hosting is still not possible.
Cuesta Gilles wrote:
*MULTIPLE CN (SAN) SERVER CERTIFICATES*
This type of certificate (also called /Subject Alternative Name/ (SAN) )
enables to secure not only one website but a large number of sites (a
list of sites) hosted on a shared infrastructure (server with multiple
names, reverse
Eckard Wille wrote:
Cuesta Gilles wrote:
*MULTIPLE CN (SAN) SERVER CERTIFICATES*
This type of certificate (also called /Subject Alternative Name/ (SAN)
) enables to secure not only one website but a large number of sites
(a list of sites) hosted on a shared infrastructure (server with
It seems like you might be confusing shared infrastructure with
single ip. As others have said, you need a distinct address for each
SSL-enabled httpd or proxy, although they can reside on the same hardware.
A good example of this is the typical configuration for larger server
farms. You find
Beth E. Okun wrote:
We're running Apache with ssl enabled..We're using Basic
authentication, and if the user browses away from our site and then
comes back, they are not forced to log on again...it appears that
these settings are being stored somewhere, or that the connection is
On Thursday 26 June 2008, Florian Hackenberger wrote:
On Thursday 26 June 2008, Joe Orton wrote:
It denies access for what type of request, a directory listing?
Ok, I think I understood the intention of your question. Accessing a
specific file works, but getting the directory listing fails.
Florian Hackenberger wrote:
On Thursday 26 June 2008, Florian Hackenberger wrote:
On Thursday 26 June 2008, Joe Orton wrote:
It denies access for what type of request, a directory listing?
Ok, I think I understood the intention of your question. Accessing a
specific file works, but
On Friday 27 June 2008, Cuesta Gilles wrote:
It's more an apache specific question; try setting
Options +Indexes
in your vhost, allowing directory listing.
Thanks, but that is certainly not the problem, as apache creates a
listing as soon as I remove 'SSLVerifyClient require'.
Cheers,
Florian Hackenberger wrote:
On Friday 27 June 2008, Cuesta Gilles wrote:
It's more an apache specific question; try setting
Options +Indexes
in your vhost, allowing directory listing.
Thanks, but that is certainly not the problem, as apache creates a
listing as soon as I remove
On Friday 27 June 2008, Cuesta Gilles wrote:
For your issue, two questions:
- is a VerifyDepth 1 enough for verification chaining ?
It is, however that is not relevant for the problem, because apache
should not request a client certificate in the first place.
- No default VerifyClient by
On Fri, Jun 27, 2008 at 08:40:43AM +0200, Florian Hackenberger wrote:
On Thursday 26 June 2008, Florian Hackenberger wrote:
On Thursday 26 June 2008, Joe Orton wrote:
It denies access for what type of request, a directory listing?
Ok, I think I understood the intention of your question.
logs the following error:
[error] Re-negotiation handshake failed: Not accepted by client!?
Has someone experience with java client verification or can someone
formulate an educated guess what the problem could be? I have the
cacert root certificate imported at the server side
(SSLCACertificateFile
On Friday 27 June 2008, Florian Hackenberger wrote:
I have another question: Has anyone successfully established a
connection to an apache/mod_ssl server with client authentication
using a java client? My client (code below) generates the following
log (exception at the end) upon execution:
Florian Hackenberger wrote:
Hi!
First of all: Thanks for your great software, I've used it on several
server and it proved to be very useful.
I have a little problem with the SSLVerifyClient directive on apache
2.2.9 with mod_ssl compiled from source on debian etch. I have the
following
On Thursday 26 June 2008, Cuesta Gilles wrote:
Maybe try this:
Listen 443
VirtualHost *:443
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
DocumentRoot /usr/local/htdocs
Location /directory/subdirectory
SSLVerifyClient require
On Thu, Jun 26, 2008 at 05:55:45PM +0200, Florian Hackenberger wrote:
Directory /usr/local/htdocs/directory/subdirectory
SSLVerifyClient require
SSLVerifyDepth 1
/Directory
The problem is that apache denies access to:
https//MYSERVER/directory
It denies access for what
On Thursday 26 June 2008, Joe Orton wrote:
It denies access for what type of request, a directory listing?
Yes
--
DI Florian Hackenberger
[EMAIL PROTECTED]
www.hackenberger.at
__
Apache Interface to OpenSSL (mod_ssl)
Florian Hackenberger wrote:
On Thursday 26 June 2008, Cuesta Gilles wrote:
Maybe try this:
Listen 443
VirtualHost *:443
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/acoveo.com.pem
DocumentRoot /usr/local/htdocs
Location /directory/subdirectory
All,
I'm told that having the directives in httpd.conf
IfModule ssl_module
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
/IfModule
means that my apache is configured with mod_ssl (thanks to the guy that told me
so!)
Now the question risen up is how do I do to have my https
?
Thank you.
Ingrid
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David P. Mott
Sent: Wednesday, June 18, 2008 5:22 PM
To: modssl-users@modssl.org
Subject: RE: Need to add/enable/install mod_ssl
I pulled that exact line from my win32 version
Subject: RE: Need to add/enable/install mod_ssl
Dave and All:
Ok, now I know I can try the directives in my apache.
Although by the directives SSLRandomSeed it's indicating I have the mod_ssl
installed, I checked and the files mod_ssl.so and mod_ssl.c are not in the
paths indicated
Gilles Cuesta wrote:
So, at a time, we have 2 ClientCA with different key and different
validity period, but same DN.
This is bad practice. Try searching for CA key roll-over.
The problem is, when verifying client cert work with both ClientCA
stacked; but when using CRL, old clients work
2008/6/16 Michael Ströder [EMAIL PROTECTED]:
Gilles Cuesta wrote:
So, at a time, we have 2 ClientCA with different key and different
validity period, but same DN.
This is bad practice. Try searching for CA key roll-over.
I found docs about it, but proprietary PKI, and couldn't know if this
On Thu, Jun 05, 2008 at 10:47:25AM -0600, Keith Hellman wrote:
This sounds a lot like
https://issues.apache.org/bugzilla/show_bug.cgi?id=42625
https://issues.apache.org/bugzilla/show_bug.cgi?id=12355
But I think it is different. I'm using certificates for authentication
to all of my
Oh yeah, I forgot to mention: everything works AOK if I try using http
instead (hence, I'm posting on the modssl list).
--
Keith Hellman #include disclaimer.h
[EMAIL PROTECTED]from disclaimer import standard
[EMAIL PROTECTED]
Michael Ströder wrote:
Joe Orton wrote:
On Fri, May 23, 2008 at 05:23:34PM +0200, Michael Ströder wrote:
Ok, then the OID in my cert is 0.9.2342.19200300.100.1.1 (attribute
type 'uid' specified for pilotPerson). That seems right to me since
it's compliant with RFC 4514 which contains a table
Hi, first time mailer but hoping for some good advice from experienced
users.
Basically I'm looking to implement a solution that will redirect SSL
requests coming into my apache server (listening on 443) and forward
them on to a backend server.
I have reverse proxying setup but I can't seem to get
DONT SEND ME THIS CRAP THANK'S
-- Original message from Michael Ströder [EMAIL PROTECTED]: -- Joe, many thanks for your response. Joe Orton wrote: On Mon, May 19, 2008 at 10:13:45AM +0200, Michael Ströder wrote: Maybe I'm overlooking the obvious but it
Joe Orton wrote:
On Fri, May 23, 2008 at 05:23:34PM +0200, Michael Ströder wrote:
Ok, then the OID in my cert is 0.9.2342.19200300.100.1.1 (attribute type
'uid' specified for pilotPerson). That seems right to me since it's
compliant with RFC 4514 which contains a table of short and long
Michael Ströder wrote:
Joe Orton wrote:
On Fri, May 23, 2008 at 05:23:34PM +0200, Michael Ströder wrote:
Ok, then the OID in my cert is 0.9.2342.19200300.100.1.1 (attribute
type 'uid' specified for pilotPerson). That seems right to me since
it's compliant with RFC 4514 which contains a table
On Mon, May 19, 2008 at 10:13:45AM +0200, Michael Ströder wrote:
HI!
(Re-sent since my message through gmane didn't come through.)
Maybe I'm overlooking the obvious but it seems that env var
SSL_CLIENT_S_DN_UID is not set when using a client cert for authentication.
The following env vars
On Fri, May 23, 2008 at 04:46:48PM +0200, Michael Ströder wrote:
In the current 2.x mod_ssl sources, UID maps to:
#ifdef NID_x500UniqueIdentifier /* new name as of Openssl 0.9.7 */
{ UID, NID_x500UniqueIdentifier },
#else /* old name, OpenSSL 0.9.7 */
{ UID,
Joe Orton wrote:
On Fri, May 23, 2008 at 04:46:48PM +0200, Michael Ströder wrote:
In the current 2.x mod_ssl sources, UID maps to:
#ifdef NID_x500UniqueIdentifier /* new name as of Openssl 0.9.7 */
{ UID, NID_x500UniqueIdentifier },
#else /* old name, OpenSSL 0.9.7 */
{ UID,
On Fri, May 23, 2008 at 05:23:34PM +0200, Michael Ströder wrote:
Ok, then the OID in my cert is 0.9.2342.19200300.100.1.1 (attribute type
'uid' specified for pilotPerson). That seems right to me since it's
compliant with RFC 4514 which contains a table of short and long attribute
type names
On Mon, Apr 14, 2008 at 10:13 AM, John Minson [EMAIL PROTECTED] wrote:
I have to re-create mod_ssl 2.8.1 for an old version of apache (1.3.19) and
even though I have it/they compiled I'm confused about 2 things .
I have several servers with various levels of apache and mod_ssl.
The mod_ssl
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
modssl is built into the 2.x.x apache versions. your consultant must be
asking you to upgrade full apache versions.
the 1.3.x apache tree still has a separate modssl base to add and build
off of. This should not be a concern for you since
Possibly use a RewriteRule or something of the sort?
RewriteEngine On
RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} ^www\.mydomain\.com$
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.*) https://www.mydomain.com/$1 [R=301,L]
I've not tested that, and I doubt it's spot on but hopefully
The rewriterule can be exploited on unpatched Apache. If you're
doing this, make certain you're working with the current patch.
Otherwise, use an application layer redirector/load balancer.
Walt
On 3/31/08, Glyn Astill [EMAIL PROTECTED] wrote:
Possibly use a RewriteRule or something of the