I forgot to add the frightening result of the following test (like a doctor telling you that you've leukemia):

[ssl]# openssl s_client -connect localhost:443 -state -debug
CONNECTED(00000003)
SSL_connect:before/connect initialization
write to 0809D018 [0809D060] (124 bytes => 124 (0x7C))
0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 16 00 00   .z....Q... .....
0010 - 13 00 00 0a 07 00 c0 00-00 66 00 00 05 00 00 04   .........f......
0020 - 03 00 80 01 00 80 08 00-80 00 00 65 00 00 64 00   ...........e..d.
0030 - 00 63 00 00 62 00 00 61-00 00 60 00 00 15 00 00   .c..b..a..`.....
0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@.........
0050 - 00 00 06 00 00 03 04 00-80 02 00 80 c9 59 35 e7   .............Y5.
0060 - c1 f3 05 15 5b ba 68 1d-76 e1 b5 a0 bf 82 f8 36   ....[.h.v......6
0070 - d9 3c 79 71 a6 5f e1 11-b6 32 ea c8               .<yq._...2..
SSL_connect:SSLv2/v3 write client hello A
read from 0809D018 [080A25C0] (7 bytes => 7 (0x7))
0000 - 3c 21 44 4f 43 54 59                              <!DOCTY
SSL_connect:error in SSLv2/v3 read server hello A
3751:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:460:
[ssl]#

Guess it is off topic now...

[EMAIL PROTECTED] wrote:
>
> Hi All.
> TCPDUMP-ing the login for NYTimes.com as a control group I can certainly
> see USERID and PASSWORD (and other things) eg.
> ...
> Referer: http://www.nytimes.com/auth/login
> Accept-Language: en-us
> Content-Type: application/x-www-form-urlencoded
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)
> Host: www.nytimes.com
> Content-Length: 84
> Connection: Keep-Alive
> Cache-Control: no-cache
> Cookie: RMID; tpopunder_orbitz23a-nyt4; NYT-S; nyt-d;
> tpopunder_orbitz23-nyt4; spopunder;
> NYT_GR=3f3069f9-eD5iDGvcR1EwqdL/n8+qGA
>
> is_continue=true&URI=&OQ=&USERID=niemand&PASSWORD=geheimnis&log=Log+In&SAVEOPTION=YES
> 1?&(r)
> ...
> After enabling httpd with mod_ssl, the TCPDUMP from the following client
> browsers are mostly NOT human-readable :
> * Mozilla
> * MSIE5
> * Netscape 6.2
> * Netscape 7.1 (which is the bee in the bonnet)
> They all present the login dialogue box and the "untrusted self-signed
> certificate" screen.
> Therefore it might be a bug with 7.1, which seemingly does not report an
> embedded secure link from an unsecured page as such eg. from
> http://my.first.dom which has a link to https://my.secure.dom
> However, in 7.1, if I key in the URL https://my.secure.dom (ie without
> going through http://my.first.dom), the lock closes and one can view the
> certificate info by clicking on it.
>
> I assume this is how it works :
> Step 1: certificate presented, accepts and encrypts input from client
> browser
> Step 2: transmit to mod_ssl enabled Apache2 server
> Step 3: Off to Tomcat courtesy of following bits of code :
> ...
> <VirtualHost 192.168.1.3:443>
> ServerName my.dom.com
> ServerAdmin [EMAIL PROTECTED]
> DocumentRoot /home/king/public_html
> ErrorLog /usr/local/apache2/logs/king_error.log
> CustomLog /usr/local/apache2/logs/king_access.log common
> <IfModule mod_ssl.c>
> SSLEngine on
> SSLCipherSuite
> ALL:!ADH:!EPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> SSLCertificateFile /path/to/ssl/server.crt
> SSLCertificateKeyFile /path/to/server.key
> </IfModule>
> JkExtractSSL on
> JkHTTPSIndicator HTTPS
> JkSESSIONIndicator SSL_SESSION_ID
> JkCIPHERIndicator SSL_CIPHER
> JkCERTSIndicator SSL_CLIENT_CERT
> JkMount /dom ajp13
> JkMount /dom/* ajp13
> </VirtualHost>
> ...
> Step 4 : FIX ME - does Apache2 unencrypt content before passing on to
> Tomcat ???
> Step 5 : FIX ME - does Tomcat pass db data back to Apache2 and the data
> get encrypted there ???
>
> If anyone out there has similar or diff experience, please share it.
>
> Ralph Einfeldt wrote:
> >
> > One way to verify this, is to use a packet sniffer
> > and watch the packets that are exchanged between server
> > and browser.
> >
> > Under linux you can use tcpdump.
> > http://www.tcpdump.org/
> >
> > tcpdump has also a windows brother (or sister):
> > http://windump.polito.it/
> >
> > Under linux and windows you can use ethereal:
> > http://www.ethereal.com/
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, August 05, 2003 9:17 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Off topic : any tools for testing mod_ssl/OpenSSL ???
> > >
> > > Hi All.
> > > I have got my Apache mod_ssl/OpenSSL talking with Tomcat nicely using
> > > MSIE5, Netscape 6.2 and Mozilla.
> > > On Netscape 7.1, it says I am transmitting in clear text for all to see
> > > AFTER logging in and accepting the certificate !?! Somehow I
> > > doubt that,
> > > I think it is telling me fips.
> > > Are there any tools to test whether the transmission is in clear text ?
> > > TIA :-)
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
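
Added example (not part of the original thread): the 7 bytes that s_client read back in the output at the top of this message are the ASCII text "<!DOCTY", not an SSL/TLS record, which is the condition the "unknown protocol" error reports. The Python below classifies the first bytes seen on a port expected to speak SSL/TLS; the function names and the constructed TLS sample are assumptions of this example.

```python
# Added example: classify the first bytes read from a port that should speak SSL/TLS.
# Function names are hypothetical. Byte values marked "from the thread" are copied
# from the s_client -debug output; the TLS sample is constructed.

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
SSL2_MSG_TYPES = {0: "error", 1: "client-hello", 4: "server-hello"}


def classify_first_bytes(data: bytes) -> str:
    """Return a short label for what kind of protocol the bytes look like."""
    # SSLv3/TLS record: content type, then version major 3, then version minor.
    if len(data) >= 3 and data[0] in TLS_CONTENT_TYPES and data[1] == 3:
        return f"tls-record:{TLS_CONTENT_TYPES[data[0]]}:3.{data[2]}"
    # SSLv2 record: high bit set on a 2-byte header, 15-bit length, message type.
    if len(data) >= 3 and data[0] & 0x80 and data[2] in SSL2_MSG_TYPES:
        length = ((data[0] & 0x7F) << 8) | data[1]
        return f"sslv2-record:{SSL2_MSG_TYPES[data[2]]}:len={length}"
    # Printable ASCII means the peer answered in cleartext (HTML, HTTP, a banner).
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "plaintext:" + data.decode("ascii")
    return "unknown"


def listener_speaks_ssl(first_reply: bytes) -> bool:
    """True only if the server's first bytes parse as an SSL/TLS record."""
    label = classify_first_bytes(first_reply)
    return label.startswith(("tls-record", "sslv2-record"))


# From the thread: start of the client hello written by s_client.
CLIENT_HELLO_START = bytes.fromhex("807a010301")
# From the thread: the 7 bytes read back from localhost:443.
SERVER_REPLY = bytes.fromhex("3c21444f435459")
# Constructed: header of a TLS 1.0 handshake record from an SSL-enabled listener.
TLS_REPLY = bytes.fromhex("160301004a02")

if __name__ == "__main__":
    for name, blob in [("client hello", CLIENT_HELLO_START),
                       ("server reply", SERVER_REPLY),
                       ("constructed TLS reply", TLS_REPLY)]:
        print(f"{name:22} {classify_first_bytes(blob)}")
    print("listener speaks SSL:", listener_speaks_ssl(SERVER_REPLY))
```

The client hello's 2-byte SSLv2 header gives a length of 122, which plus the header itself matches the 124 bytes s_client reports writing.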
