Issue setting up Apache mod_proxy over an SSL connection for a gevent-socketio server
I am running my gevent socketio server on port 8081. My Django website is running on port 8443 through https, which the user accesses from port 8080. I want to proxy the SSL connection for the socketio server through mod_proxy. Below is what I am trying, but when I access the socketio URL it gives me an internal server error.

**Below does not work**

My configuration in Apache:

File: httpd.conf

    <VirtualHost *:8080>
        ServerName myserver
        Redirect permanent / https://myserver:8443/
    </VirtualHost>

File: conf/extra/httpd-ssl.conf

    Listen 8443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    <VirtualHost *:8443>
        DocumentRoot /nobackup/drokade/Installations/release_test/client
        ServerName myserver
        ServerSignature On
        ServerAdmin y...@example.com
        ErrorLog /nobackup/drokade/Installations/release_test/3rdparty/apache/logs/error_log
        TransferLog /nobackup/drokade/Installations/release_test/3rdparty/apache/logs/access_log
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite RC4-SHA:RC4-MD5:HIGH:MEDIUM:!ADH:!DSS:!SSLv2:+3DES
        SSLHonorCipherOrder on
        SSLCertificateFile /nobackup/drokade/Installations/release_test/server.crt
        SSLCertificateKeyFile /nobackup/drokade/Installations/release_test/server.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /nobackup/drokade/Installations/release_test/3rdparty/apache/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        CustomLog /nobackup/drokade/Installations/release_test/3rdparty/apache/logs/ssl_request_log \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
        SSLProxyEngine On
        ProxyRequests off
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        ProxyPass /socket.io http://myserver:8081/ retry=0
        ProxyPassReverse /socket.io http://myserver:8081/
        ProxyPreserveHost on
        ProxyTimeout 1200
    </VirtualHost>

Below is how I am starting my gevent socket server:

    hkeyfile = intracer_root_dir + os.path.sep + 'server.key'
    hcertfile = intracer_root_dir + os.path.sep + 'server.crt'
    # Loop forever for the events
    sio_server = SocketIOServer((myserver, 8081), MyApp(), policy_server=False).serve_forever()

Also, below is how I am accessing the URL in the HTML page:

    var sock_url = 'http://myserver:8080';
    socket = io.connect(sock_url);

Now when I try as below, I am able to access my socketio server, though I have to accept the exception twice.

My configuration in Apache:

File: httpd.conf

    <VirtualHost *:8080>
        ServerName myserver
        Redirect permanent /socket.io https://myserver:8081/
        Redirect permanent / https://myserver:8443/
    </VirtualHost>

    <VirtualHost *:8081>
        DocumentRoot /nobackup/drokade/Installations/release_rtt/client
        ServerName myserver
        ServerAlias myserver
        <Directory /nobackup/drokade/Installations/release_rtt/3rdparty/apache/cgi-bin>
            Options All
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        ProxyRequests off
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        ProxyPass /socket.io https://myserver:8081/ retry=0
        ProxyPassReverse /socket.io https://myserver:8081/
        ProxyPreserveHost on
        ProxyTimeout 1200
        LogLevel debug
        AllowEncodedSlashes on
    </VirtualHost>

File: conf/extra/httpd-ssl.conf

    Listen 8443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl
    SSLPassPhraseDialog builtin
    <VirtualHost *:8443>
        DocumentRoot /nobackup/drokade/Installations/release_test/client
        ServerName myserver
        ServerSignature On
        ServerAdmin y...@example.com
        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite RC4-SHA:RC4-MD5:HIGH:MEDIUM:!ADH:!DSS:!SSLv2:+3DES
        SSLHonorCipherOrder on
        SSLCertificateFile /nobackup/drokade/Installations/release_test/server.crt
        SSLCertificateKeyFile /nobackup/drokade/Installations/release_test/server.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /nobackup/drokade/Installations/release_test/3rdparty/apache/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch ".*MSIE.*" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </VirtualHost>

Below is how I am starting my gevent socket server:

    hkeyfile = '/nobackup/drokade/Installations/release_test/server.key'
    hcertfile = '/nobackup/drokade/Installations/release_test/server.crt'
    # Loop forever for the events
    sio_server = SocketIOServer((myserver, 8081), MyApp(), policy_server=False,
                                keyfile=hkeyfile, certfile=hcertfile).serve_forever()

Also, below is how I am accessing the URL in the HTML page:

    var sock_url = 'http://myserver:8080';
    socket = io.connect(sock_url);

Below are logs from the Apache server when I use mod_proxy:

    [Wed Jun 11 08:00:36 2014] [debug] ssl_engine_io.c(1875): +-+ [Wed Jun
Re: Re : Re: Re : Re: 2 Server certificates

Hi Nicolas,

pit-ca issued another certificate to a client wanting to connect to the same server identified by secure.payerspot.com. I'm looking for a solution allowing two clients to connect to the same server using certificates issued by different CAs. In this case the client forces the server verification by requesting its certificate. So the two server certificates must be sent to each client.

Certificate chain1 (issued by CA1)
 0 s:
   i:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate chain2 (issued by CA2)
 0 s:
   i:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Can two certificates be presented to a client which will identify the chained certificate to be verified?

Regards.

--
View this message in context: http://openssl.6102.n7.nabble.com/2-Server-certificates-tp50872p50937.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.

----- Original Message -----
From: nicolas@free.fr
To: openssl-users@openssl.org
Date: Fri, 13 Jun 2014 02:02:51 +0200 (CEST)
Subject: Re : Re: Re : Re: 2 Server certificates

Hi,

sorry for the first answer, I didn't read in detail :-/

Looking at your certificate chain, you are in fact trying to validate a certificate issued by RapidSSL using pit-ca:

---
Certificate chain
 0 s:/serialNumber=abcu8WWhYjl3NQaipWsZh5eFlY3Giv71/OU=GT82566018/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=secure.payerspot.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=US/O=Caradas/OU=PIT/CN=pit-ca
   i:/C=US/O=Caradas/OU=PIT/CN=pit-root

This at least explains why it fails...

However, you didn't indicate how you set up the first chain, if there is any (looks like not here).

My guess is you should just add all your certificates (CAs and roots) using only X509_STORE_add_cert, since the verification function tries to recompose the chain by itself. You can also create a single chain containing all your certificates (both CAs and roots, in any order); once again the verification should be done transparently.

Let me know if it works, or if you already tried.

----- Original message -----
From: Hafedh TRIMECHE hafedh.trime...@strong-data.com
To: openssl-users@openssl.org
Sent: Thu, 12 Jun 2014 16:39:23 +0200 (CEST)
Subject: Re: Re : Re: 2 Server certificates

Hi Nico,

As described in the OpenSSL documentation, the 2 functions are equivalent:

SSL_set_client_CA_list() sets the list of CAs sent to the client when requesting a client certificate for the chosen ssl, overriding the setting valid for ssl's SSL_CTX object.

SSL_CTX_add_client_CA() adds the CA name extracted from cacert to the list of CAs sent to the client when requesting a client certificate for ctx.

The problem may be solved by sending two certificates to the client, and it will check which one to verify regarding the CA that issued the server certificate. SSL_CTX_load_verify_locations can't help because the certificates are stored in a blob, not in files.

Regards

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re : 2 Server certificates

Hi,

The fact is a server can only send a single certificate; however, this one can be signed by multiple CAs.

On the other side, a client has (in general) a list of trusted CAs, not a single one.

So there are two options:
- either each client knows the two CAs, then the server can send a certificate signed by any of them
- or each client knows only about its own CA, then the server must send a certificate signed by both CAs

(note that this is symmetrical: the server verifies the client certificate the same way)

I've never heard about a server with multiple certificates, at least not with SSL/TLS protocols...

Concerning the list of trusted CAs sent by the server to the client, it comes from the fact that a client can have multiple certificates, for different servers that can use their own CA, so it allows a client to choose the right certificate to send to a specific server.

Concerning the server, if it's in public access it uses a certificate issued by a well-known CA (for example one included in your browser); if it's private, it can use its own CA or even a self-signed certificate, and the client has to recover the trusted certificates by itself (this happens the first time you connect to an SSH server for which you have no certificate, or on some websites).

Hope I made it clear. Good luck!

----- Original message -----
From: Hafedh TRIMECHE hafedh.trime...@gmail.com
To: openssl-users@openssl.org
Sent: Fri, 13 Jun 2014 10:22:46 +0200 (CEST)
Subject: Re: Re : Re: Re : Re: 2 Server certificates
Re: [SPAM?] Re : 2 Server certificates

https://www.openssl.org/docs/ssl/SSL_load_client_CA_file.html

Load names of CAs from file and use it as a client CA list:

    SSL_CTX *ctx;
    STACK_OF(X509_NAME) *cert_names;
    ...
    cert_names = SSL_load_client_CA_file("/path/to/CAfile.pem");
    if (cert_names != NULL)
        SSL_CTX_set_client_CA_list(ctx, cert_names);
    else
        error_handling();

The PKI used for a server certificate is not the same as the one used for client certificates.
- a server has a certificate (issued by whatever PKI)
- a server can request that a client presents a certificate; in order to do so, the protocol requires it to send a list of issuers (of client certificates).

There is no relation between client certs and the server cert.

On 06/13/2014 12:15 PM, nicolas@free.fr wrote:
Authority Key ID Extension

Hi,

I am looking for advice for an application using OpenSSL, but it's not an OpenSSL problem.

We have a situation where an external company has provided us with authentication certificates from a subCA and we have all the certs back up to the root; openssl verify works fine.

Another application we use refuses to accept the subCA certificate: it is throwing an error because there is no subject and serial number in the Authority Key ID Extension, though there is a [valid] key ID.

It is my assertion that the issuer name / serial number are optional within this extension, so the application stating that this certificate is invalid is incorrect (though they may have further reasons for requiring this if they can't handle KIDs, but I think they can).

RFC 5280, 4.2.1.1. Authority Key Identifier:

    The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a certificate. This extension is used where an issuer has multiple signing keys (either due to multiple concurrent key pairs or due to changeover). The identification MAY be based on either the key identifier (the subject key identifier in the issuer's certificate) or the issuer name and serial number.

Any opinions would be greatly appreciated.

Regards,
Carl
Re: Authority Key ID Extension

On Fri, Jun 13, 2014, Carl Young wrote:

I agree. At least one of keyid and issuer+serial must be present, but issuer+serial is not mandatory.

Also from RFC 5280:

    AuthorityKeyIdentifier ::= SEQUENCE {
        keyIdentifier             [0] KeyIdentifier           OPTIONAL,
        authorityCertIssuer       [1] GeneralNames            OPTIONAL,
        authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
        -- authorityCertIssuer and authorityCertSerialNumber MUST both
        -- be present or both be absent

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Authority Key ID Extension

Yes, it's definitely optional. The most common keyIdentifiers that I have seen are based, well, on the key :)

/r$
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz
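The RFC 5280 rule discussed in this thread, as an added example that is not code from any of the posters: a minimal DER decoder for the AuthorityKeyIdentifier value that reports which identification form is present and rejects an issuer without a serial number (or vice versa). The sample DER values are constructed inline and are not taken from any real certificate.

```python
# Added example (not from the thread): minimal DER decoding of the
# AuthorityKeyIdentifier value, checking the RFC 5280 rule quoted above
# (issuer and serial both present or both absent; something must be present).

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length

def parse_aki(der):
    """Parse an AuthorityKeyIdentifier value into its three optional fields."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("AuthorityKeyIdentifier must be a single SEQUENCE")
    fields = {"key_id": None, "issuer": None, "serial": None}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x80:                                # [0] IMPLICIT KeyIdentifier
            fields["key_id"] = bytes(value)
        elif tag == 0xA1:                              # [1] IMPLICIT GeneralNames (constructed)
            fields["issuer"] = bytes(value)
        elif tag == 0x82:                              # [2] IMPLICIT CertificateSerialNumber
            fields["serial"] = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in AuthorityKeyIdentifier")
    return fields

def check_aki(der):
    """Return (ok, reason) for the RFC 5280 presence rules on an AKI value."""
    f = parse_aki(der)
    has_issuer, has_serial = f["issuer"] is not None, f["serial"] is not None
    if has_issuer != has_serial:
        return False, "authorityCertIssuer and authorityCertSerialNumber must both be present or both absent"
    if f["key_id"] is None and not has_issuer:
        return False, "neither keyIdentifier nor issuer+serial present"
    if f["key_id"] is not None and has_issuer:
        return True, "keyIdentifier and issuer+serial"
    return True, ("keyIdentifier only" if f["key_id"] is not None else "issuer+serial only")

def _tlv(tag, value):
    """DER-encode one TLV (used only to build the constructed samples below)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

# Constructed sample values, not taken from any real certificate.
KEY_ID = bytes(range(1, 21))                           # 20-byte key identifier
# GeneralNames holding one directoryName [4] of Name {CN=CA}
ISSUER = bytes.fromhex("a40f300d310b300906035504030c024341")
AKI_KEYID_ONLY = _tlv(0x30, _tlv(0x80, KEY_ID))                       # Carl's case: valid
AKI_FULL = _tlv(0x30, _tlv(0x80, KEY_ID) + _tlv(0xA1, ISSUER) + _tlv(0x82, b"\x05"))
AKI_ISSUER_NO_SERIAL = _tlv(0x30, _tlv(0x80, KEY_ID) + _tlv(0xA1, ISSUER))  # violates the rule
AKI_EMPTY = _tlv(0x30, b"")                                           # identifies nothing
```

Run `check_aki` over a real AKI value by passing the raw extension value (extnValue OCTET STRING contents), which is the same SEQUENCE encoding parsed here.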
Donation from VT Enterprise

Yesterday I received a check and a very nice letter from Victor Olex of VT Enterprise LLC (http://vtenterprise.com/). The check was a donation to the OpenSSL project of the proceeds of a T-shirt sale campaign they planned and conducted (http://www.slashdb.com/blog-news/). It was in the amount of 2^11+2^8 dollars ($2,304).

Thank you Victor and VT Enterprise!

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0xCE69424E.asc
Re: 1.0.2 VC-WIN32 build failure?

Tried again using the 20140613 snapshot and it's now working. Thanks for committing the fix yesterday.

On 06/12/2014 11:35 AM, John Foley wrote:

Using the 201406012 snapshot on the 1.0.2 branch, I'm seeing an error while trying to build for the VC-WIN32 target. The compiler is VS2010. Can anyone confirm this is the correct build procedure?

    perl Configure VC-WIN32
    ms\do_nasm.bat
    nmake -f ms\ntdll.mak

The error is:

    cl /Fotmp32dll\cryptlib.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 -DOPENSSL_THREADS -DDSO_WIN32 -W3 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DOPENSSL_USE_APPLINK -I. -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_STATIC_ENGINE /Zi /Fdtmp32dll/lib -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\cryptlib.c
    cryptlib.c
    C:\temp\102\openssl-1.0.2-stable-SNAP-20140612\tmp32dll\e_os.h(62) : fatal error C1083: Cannot open include file: 'openssl/opensslconf.h': No such file or directory
    NMAKE : fatal error U1077: 'c:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\BIN\cl.EXE' : return code '0x2'
    Stop.

Also of interest, the following error occurred during the Configure script:

    C:\temp\102\openssl-1.0.2-stable-SNAP-20140612>perl util\mkdef.pl 32 libeay > ms\libeay32.def
    Warning: BUF_strnlen does not have a number assigned
    Warning: X509_VERIFY_PARAM_set_hostflags does not have a number assigned
Building in an engine implementation at build time

I have the following engine implementation (Android keystore) which can be loaded successfully through the command line:

    openssl engine - dynamic -pre SO_PATH:/system/lib/ssl/engines/libkeystore.so -pre ID:keystore -pre LOAD

How do I build in this ENGINE implementation through the build process, so that it can be loaded dynamically through the ENGINE_load_dynamic() API?

Thanks