Nabble - mod_ssl

tag:www.nabble.com,2006:forum-380 Nabble - mod_ssl 2008-10-10T13:03:34Z mod_ssl provides strong cryptography for the Apache 1.3 webserver via the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols. mod_ssl home is <a href="http://www.modssl.org/" target="_top" rel="nofollow">here</a>. tag:www.nabble.com,2006:post-19925184 Jean-Pierre Guilloteau est absent. 2008-10-10T13:03:34Z 2008-10-10T13:03:34Z jpguilloteau <br>I will be out of the office starting Fri 10/10/08 and will not return until <br>Mon 27/10/08. <br><br>Je répondrai à votre message dès mon retour. <br>Cordialement. <br><br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19925184&i=0" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19925184&i=1" target="_top" rel="nofollow">majordomo@...</a> <br><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19920735 Re: X509 variables ..UID 2008-10-10T08:38:20Z 2008-10-10T08:38:20Z Michael Ströder Peter Sylvester wrote: <br>> in ssl_engine_vars, there seems to be a problem to me concerning the UID <br>> field. <br>> The syntax for the field is a bitstring and not a "text". <br><br>Nothing happened since I've filed this bug and raised the issue here: <br><br>  <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=45107" target="_top" rel="nofollow">https://issues.apache.org/bugzilla/show_bug.cgi?id=45107</a><br><br>It's broken => it should be fixed. Unfortunately no-one cares. :-( <br><br>Ciao, Michael. <br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19920735&i=0" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19920735&i=1" target="_top" rel="nofollow">majordomo@...</a> <br><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19919949 X509 variables ..UID 2008-10-10T07:49:54Z 2008-10-10T07:49:54Z Peter Sylvester-3 in ssl_engine_vars, there seems to be a problem to me concerning the UID <br>field. <br>The syntax for the field is a bitstring and not a "text". <br><br><br><br>static const struct { <br>    char *name; <br>    int   nid; <br>} ssl_var_lookup_ssl_cert_dn_rec[] = { <br>    { "C",     NID_countryName            }, <br>    { "ST",    NID_stateOrProvinceName    }, /* officially    (RFC2156) */ <br>    { "SP",    NID_stateOrProvinceName    }, /* compatibility (SSLeay)  */ <br>    { "L",     NID_localityName           }, <br>    { "O",     NID_organizationName       }, <br>    { "OU",    NID_organizationalUnitName }, <br>    { "CN",    NID_commonName             }, <br>    { "T",     NID_title                  }, <br>    { "I",     NID_initials               }, <br>    { "G",     NID_givenName              }, <br>    { "S",     NID_surname                }, <br>    { "D",     NID_description            }, <br>#if SSL_LIBRARY_VERSION >= 0x00907000 <br>    { "UID",   NID_x500UniqueIdentifier   }, <br>#else <br>    { "UID",   NID_uniqueIdentifier       }, <br>#endif <br>    { "Email", NID_pkcs9_emailAddress     }, <br>    { NULL,    0                          } <br>}; <br><br><br>-- <br><br><<a href="http://www.edelweb.fr" target="_top" rel="nofollow">http://www.edelweb.fr</a>> <br>*Edel/W/eb* Peter SYLVESTER <br>Consultant Sécurité des Systèmes d'Information <br>----------------------------------------------------------- <br>EdelWeb - Groupe ON-X <br>15, quai de Dion-Bouton <br>F-92816 Puteaux Cedex <br>Tel : +33.1.40.99.14.14 / Fax : +33.1.40.99.99.58 <br>www.edelweb.fr <<a href="http://www.edelweb.fr" target="_top" rel="nofollow">http://www.edelweb.fr</a>> / www.on-x.com <<a href="http://www.on-x.com" target="_top" rel="nofollow">http://www.on-x.com</a>> <br>----------------------------------------------------------- <br>To verify the message signature, see edelpki.edelweb.fr <br><<a href="http://edelpki.edelweb.fr/" target="_top" rel="nofollow">http://edelpki.edelweb.fr/</a>> <br>Cela vous permet de charger le certificat de l'autorité de racine <br><<a href="http://edelpki.edelweb.fr/cacerts/EdelPKI-ca.der" target="_top" rel="nofollow">http://edelpki.edelweb.fr/cacerts/EdelPKI-ca.der</a>>; <br>die Liste mit zurückgerufenen Zertifikaten finden Sie da auch. <br><br><br><br /> <div class="small"><br/><img src="http://www.nabble.com/images/icon_attachment.gif" > <strong>smime.p7s</strong> (5K) <a href="http://www.nabble.com/attachment/19919949/0/smime.p7s" target="_top">Download Attachment</a></div><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19843625 Embedded purposes 2008-10-06T11:32:45Z 2008-10-06T11:32:45Z Gunnar P. Vestergaard If a user is trying to authenticate himself with an SSL web server, he <br>needs to present a valid personal certificate, I understand. But what if <br>the purpose of the client certificate is not valid? I mean, for one <br>user's certificate, Mozilla SeaMonkey reports: "This certificate has <br>been verified for the following uses: Email Signer Certificate and Email <br>Recipient Certificate". Will an SSL web server accept such a client <br>certificate for authenticating an SSL web connection? <br><br>Gunnar Vestergaard <br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19843625&i=0" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19843625&i=1" target="_top" rel="nofollow">majordomo@...</a> <br><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19692550 Re: Can i use CA signed cert to create client authentication certificates ? 2008-09-26T10:02:15Z 2008-09-26T10:02:15Z Matt032 Hi, <br><br>Asking every time does make it complicated. I can't remember if the firefox default is to ask or auto supply (and it has changed behavior between 1/2/3 AFAIK), I have it as ask every time. <br><br>Anyway the ask every time FF behavior isn't very nice for users (auto supply is probably fine for most users). FF will also ask for a cert every session ID change. <br><br>As you know there isn't an ask once option, which would be very nice.  I don't think there is much that can be done to "fix" it other than coding up an "ask once" option in FF (which I haven't got the time to do :( ). <br><br>Anyway you may also want to use/need the "SSLOptions +OptRenegotiate" if you have portions of the site that do and don't require client certs. It can help greatly with IE. Sometimes IE goes a little funny and renegotiates sessions all the time going from non-client cert to client cert areas. <br><br><br>Regards <br>Matt <br><br><br>----- Original Message ---- <br>From: Jan Stian Gabrielli <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19692550&i=0" target="_top" rel="nofollow">stian@...</a>> <br>To: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19692550&i=1" target="_top" rel="nofollow">modssl-users@...</a> <br>Sent: Thursday, September 25, 2008 9:37:00 AM <br>Subject: Re: Can i use CA signed cert to create client authentication certificates ? <br><br>Thank you very much Matt . <br>That solved it :). <br><br>I now have "Client Certificate Authentication" working with a CA signed certificate and a Self Signed CA which in turn signs client certs. <br><br>If i can only ask for a bit more advice regarding this setup ?. <br>Although I think this problem might be Firefox specific I'm hoping for some advice here. <br><br>Internet Explorer handles the client certificates fine, prompts me to select certificate on connection to the site and basically just works after that.. <br><br>But when Firefox is set to "Ask me every time" instead of "auto select client certificate" I keep getting the select certificate pop up several(multiple) times per page request/load from the SSL secured Apache server. <br>There is only one certificate in the select from dialog, but it keeps prompting me and I can see it loading "one" and "one" item(image) on the website. <br>If i switch to "Auto select certificate" it works. But it would be nice not having the browser present the certificate without it being the users choice. And honestly, choosing it once per session per site should be sufficient <br><br>I should probably mention that the page served up is behind a mod_proxy module. But this content should not differ for Firefox, and certificate selection. Or does the mod_ssl module prompt for a client certificate for each item loaded ? <br><br>I have googled this but can't find any good answers. <br>Some say it is because of image objects loading. but why. <br><br>Best regards <br><br>Jan Stian Gabrielli <br><br>Original Message ----------------------- <br>Hi, <br><br>Basically... <br><br>SSLCACertificateFile SelfSignedCA Root Cert (public part) <br>SSLVerifyClient require or optional <br>SSLVerifyDepth 1 (default) <br><br>and have the setup from the Thwate cert as per normal for the server cert. <br><br>Regards <br>Matt <br><br>----- Original Message ---- <br>From: Jan Stian Gabrielli <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19692550&i=2" target="_top" rel="nofollow">stian@...</a>> <br>To: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19692550&i=3" target="_top" rel="nofollow">modssl-users@...</a> <br>Sent: Tuesday, September 23, 2008 1:39:16 PM <br>Subject: Re: Can i use CA signed cert to create client authentication certificates ? <br><br>Ok. This seems like a viable solution. <br>Ie. <br>I use an approved CA signed cert to verify the site auhtentisity, and i use a selfsigned CA root for client certificates. <br><br>Can you point me in a direction of how i make this work in apache ?. <br>I already have a setup with a Selfsigned CA working for client certificates. <br><br>Createed SelfSignedCA <br>|-->Create and Sign Apache Cert from SelfSigned CA <br>|-->Create and Sign Client Cert from SelfSigned CA <br><br>How do I incorporate this with a CA (thawte) signed webserver certificate ?. <br><br>Best regards <br><br>Wizkidnono <br><br>Original Message ----------------------- <br>Sounds like your trying to use the thawte apache cert to sign your client certs? The thawte cert won't have the right attributes to sign a client cert and then try to use it. <br><br>You could use your CA for client certs and Thawte for the server cert. <br><br>Regards <br>Matt <br><br><br><br>----- Original Message ---- <br>From: Jan Stian Gabrielli <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19692550&i=4" target="_top" rel="nofollow">stian@...</a>> <br>To: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19692550&i=5" target="_top" rel="nofollow">modssl-users@...</a> <br>Sent: Monday, September 22, 2008 7:54:37 PM <br>Subject: Can i use CA signed cert to create client authentication certificates ? <br><br>I am trying to set up apache with mod_ssl , and I have it working with a <br>Self Signed CA. <br>But i can not get it to work with a cert created by thawte.com. <br><br>Does anyone know if it is possible to do this with a crt signed by a "third" <br>party where one does not have access to their root ca key ?.. <br><br>Ie. <br><br>I have generated a : apache_server.key made a apache_server..csr and sent <br>this for signing by thawte.com <br>Recived a apache_server.crt <br><br>Created a client.key and a client.csr <br>Signed it with my apache_server.key and apache_server.crt <br><br>Converted the client.key,crt to a pkcs12 file and imported this into my <br>browser but i can not make things work. <br><br>SSL works fine on the server on pages that does not require SSL client auth. <br><br>A I stated earlier, IT works when I create and self sign a CA, but I cant <br>make it work when I use a 3rd party CA and only have apache_server.key, <br>apache_server.crt , thawte root cert. <br><br>Best regards <br><br>Wizkidnono <br>Ã¢â‚¬â€œÃ…â€œÃ¢â‚¬Â¦ÃƒÂ¢'Ã‚ÂµÃƒÂªÃƒÅ¸iÃƒâ€¡Ã‚Â ÃƒÂª^Ã¯Â¿Â½$Ã¢â‚¬Â¹Ã…Â¡Ã¢â‚¬Â¡lÃ‚Â²\0Ãƒâ€šjÃ‚Â²Ãƒâ€°hÃ‚Â®,zÃ‚Â´Ã‚Â®Ã‚Â¦Ã…Â¡+Ã‚Â´Ãƒâ€ Ã‚Â¢Ã¢â‚¬â€œ)Ãƒ .+-Ã…Â¡Ã¢â‚¬Â¡lÃ‚Â²[Ã‚Â¬zÃ‚Â»&Ã‚Â¡Ãƒâ€º,Ã¢â‚¬â€œÃ… Ãƒ ÃƒÂ«hÃ¢â€žÂ¢Ã‚Â«^tÃ‚Â¸Ã‚Â¬Ã‚Â´Ãƒâ€ Ã‚Â§jÃ‚Â«Ã¢â€žÂ¢Ã‚Â¨ÃƒÂ¨Ã‚ÂÃƒÅ¡&Ã‚Â¢jÃ‚Â²Ãƒâ€°hÃ‚Â® <br><br><br>      <br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                  www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19692550&i=6" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19692550&i=7" target="_top" rel="nofollow">majordomo@...</a> <br>â€“Å“â€¦Ã¢'ÂµÃªÃŸiÃ‡Â Ãª^ï¿½$â€¹Å¡â€¡lÂ²\0Ã‚jÂ²Ã‰hÂ®,zÂ´Â®Â¦Å¡+Â´Ã†Â¢â€“)Ã .+-Å¡â€¡lÂ²[Â¬zÂ»&Â¡Ã›,â€“Å Ã Ã«hâ„¢Â«^tÂ¸Â¬Â´Ã†Â§jÂ«â„¢Â¨Ã¨ÂÃš&Â¢jÂ²Ã‰hÂ® <br><br><br>      <br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19692550&i=8" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19692550&i=9" target="_top" rel="nofollow">majordomo@...</a> <br>–œ…â'µêßiÇ ê^�$‹š‡l²\0Âj²Éh®,z´®¦š+´Æ¢–)à.+-š‡l²[¬z»&¡Û,–Šàëh™«^t¸¬´Æ§j«™¨èÚ&¢j²Éh® <br><br><br><br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19692550&i=10" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19692550&i=11" target="_top" rel="nofollow">majordomo@...</a> <br><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19634162 Re: Can i use CA signed cert to create client authentication certificates ? 2008-09-23T11:36:51Z 2008-09-23T11:36:51Z Matt032 Hi, <br><br>Basically... <br><br>SSLCACertificateFile SelfSignedCA Root Cert (public part) <br>SSLVerifyClient require or optional <br>SSLVerifyDepth 1 (default) <br><br>and have the setup from the Thwate cert as per normal for the server cert. <br><br>Regards <br>Matt <br><br>----- Original Message ---- <br>From: Jan Stian Gabrielli <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19634162&i=0" target="_top" rel="nofollow">stian@...</a>> <br>To: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19634162&i=1" target="_top" rel="nofollow">modssl-users@...</a> <br>Sent: Tuesday, September 23, 2008 1:39:16 PM <br>Subject: Re: Can i use CA signed cert to create client authentication certificates ? <br><br>Ok. This seems like a viable solution. <br>Ie. <br>I use an approved CA signed cert to verify the site auhtentisity, and i use a selfsigned CA root for client certificates. <br><br>Can you point me in a direction of how i make this work in apache ?. <br>I already have a setup with a Selfsigned CA working for client certificates. <br><br>Createed SelfSignedCA <br>|-->Create and Sign Apache Cert from SelfSigned CA <br>|-->Create and Sign Client Cert from SelfSigned CA <br><br>How do I incorporate this with a CA (thawte) signed webserver certificate ?. <br><br>Best regards <br><br>Wizkidnono <br><br>Original Message ----------------------- <br>Sounds like your trying to use the thawte apache cert to sign your client certs? The thawte cert won't have the right attributes to sign a client cert and then try to use it. <br><br>You could use your CA for client certs and Thawte for the server cert. <br><br>Regards <br>Matt <br><br><br><br>----- Original Message ---- <br>From: Jan Stian Gabrielli <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19634162&i=2" target="_top" rel="nofollow">stian@...</a>> <br>To: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19634162&i=3" target="_top" rel="nofollow">modssl-users@...</a> <br>Sent: Monday, September 22, 2008 7:54:37 PM <br>Subject: Can i use CA signed cert to create client authentication certificates ? <br><br>I am trying to set up apache with mod_ssl , and I have it working with a <br>Self Signed CA. <br>But i can not get it to work with a cert created by thawte.com. <br><br>Does anyone know if it is possible to do this with a crt signed by a "third" <br>party where one does not have access to their root ca key ?.. <br><br>Ie. <br><br>I have generated a : apache_server.key made a apache_server..csr and sent <br>this for signing by thawte.com <br>Recived a apache_server.crt <br><br>Created a client.key and a client.csr <br>Signed it with my apache_server.key and apache_server.crt <br><br>Converted the client.key,crt to a pkcs12 file and imported this into my <br>browser but i can not make things work. <br><br>SSL works fine on the server on pages that does not require SSL client auth. <br><br>A I stated earlier, IT works when I create and self sign a CA, but I cant <br>make it work when I use a 3rd party CA and only have apache_server.key, <br>apache_server.crt , thawte root cert. <br><br>Best regards <br><br>Wizkidnono <br>â€“Å“â€¦Ã¢'ÂµÃªÃŸiÃ‡Â Ãª^ï¿½$â€¹Å¡â€¡lÂ²\0Ã‚jÂ²Ã‰hÂ®,zÂ´Â®Â¦Å¡+Â´Ã†Â¢â€“)Ã .+-Å¡â€¡lÂ²[Â¬zÂ»&Â¡Ã›,â€“Å Ã Ã«hâ„¢Â«^tÂ¸Â¬Â´Ã†Â§jÂ«â„¢Â¨Ã¨ÂÃš&Â¢jÂ²Ã‰hÂ® <br><br><br>      <br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                  www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19634162&i=4" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19634162&i=5" target="_top" rel="nofollow">majordomo@...</a> <br>–œ…â'µêßiÇ ê^�$‹š‡l²\0Âj²Éh®,z´®¦š+´Æ¢–)à.+-š‡l²[¬z»&¡Û,–Šàëh™«^t¸¬´Æ§j«™¨èÚ&¢j²Éh® <br><br><br><br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19634162&i=6" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19634162&i=7" target="_top" rel="nofollow">majordomo@...</a> <br><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19615744 Re: Can i use CA signed cert to create client authentication certificates ? 2008-09-22T13:19:05Z 2008-09-22T13:19:05Z Matt032 Sounds like your trying to use the thawte apache cert to sign your client certs? The thawte cert won't have the right attributes to sign a client cert and then try to use it. <br><br>You could use your CA for client certs and Thawte for the server cert. <br><br>Regards <br>Matt <br><br><br><br>----- Original Message ---- <br>From: Jan Stian Gabrielli <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19615744&i=0" target="_top" rel="nofollow">stian@...</a>> <br>To: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19615744&i=1" target="_top" rel="nofollow">modssl-users@...</a> <br>Sent: Monday, September 22, 2008 7:54:37 PM <br>Subject: Can i use CA signed cert to create client authentication certificates ? <br><br>I am trying to set up apache with mod_ssl , and I have it working with a <br>Self Signed CA. <br>But i can not get it to work with a cert created by thawte.com. <br><br>Does anyone know if it is possible to do this with a crt signed by a "third" <br>party where one does not have access to their root ca key ?. <br><br>Ie. <br><br>I have generated a : apache_server.key made a apache_server.csr and sent <br>this for signing by thawte.com <br>Recived a apache_server.crt <br><br>Created a client.key and a client.csr <br>Signed it with my apache_server.key and apache_server.crt <br><br>Converted the client.key,crt to a pkcs12 file and imported this into my <br>browser but i can not make things work. <br><br>SSL works fine on the server on pages that does not require SSL client auth. <br><br>A I stated earlier, IT works when I create and self sign a CA, but I cant <br>make it work when I use a 3rd party CA and only have apache_server.key, <br>apache_server.crt , thawte root cert. <br><br>Best regards <br><br>Wizkidnono <br>–œ…â'µêßiÇ ê^�$‹š‡l²\0Âj²Éh®,z´®¦š+´Æ¢–)à.+-š‡l²[¬z»&¡Û,–Šàëh™«^t¸¬´Æ§j«™¨èÚ&¢j²Éh® <br><br><br><br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19615744&i=2" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19615744&i=3" target="_top" rel="nofollow">majordomo@...</a> <br><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19613946 Re: Authenticating users based on S/MIME certificate 2008-09-22T11:36:53Z 2008-09-22T11:36:53Z Matt032 Hi, <br><br>Have a look at mod_authz_ldap (ldap baseed white listing, <br><a href="http://authzldap.othello.ch/" target="_top" rel="nofollow">http://authzldap.othello.ch/</a>). Probably far more than you need but it <br>does things along the same lines and has some nice notes how to do <br>various bits and pieces. <br><br>You can add env vars that you can use php have a look at  SSLOptions +StdEnvVars  and +ExportCertData. <br><br>Regards <br>Matt <br><br><br><br>----- Original Message ---- <br>From: Gunnar Vestergaard <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19613946&i=0" target="_top" rel="nofollow">post@...</a>> <br>To: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19613946&i=1" target="_top" rel="nofollow">modssl-users@...</a> <br>Sent: Sunday, September 21, 2008 12:10:16 AM <br>Subject: Authenticating users based on S/MIME certificate <br><br>Hi. I am an administrator of a user account at an Apache web server. <br>Currently the server is running Apache 1.3.37. My hosting provider plans <br>on switching to new hardware with possibly new software. So I don't know <br>if my web server will be run on Apache 1.3.37 or Apache 2.0. <br><br>My goal is to let visitors of my web site authenticate themselves to my <br>web server using some certificate, possibly S/MIME certificates. <br><br>Now, my current S/MIME certificate for personal e-mail is approved for <br>the following purposes: <br>Email Signer Certificate <br>Email Recipient Certificate <br><br>Is it possible to have such a certificate authenticate its user towards <br>an SSL web server? In any case I want to have a limited crowd of users <br>seeing a subdirectory of pages without bothering the user with a user <br>name/password dialog. Just their personal certificate lets them see <br>pages in a certain subdirectory. <br><br>As I understand the documentation for PHP, there is no means whereby PHP <br>can read and interpret an SSL client certificate. Is that correct? <br><br>Gunnar <br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                  www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19613946&i=2" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19613946&i=3" target="_top" rel="nofollow">majordomo@...</a> <br><br><br><br>      <br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19613946&i=4" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19613946&i=5" target="_top" rel="nofollow">majordomo@...</a> <br><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19605391 Re: Authenticating users based on S/MIME certificate 2008-09-22T03:38:49Z 2008-09-22T03:38:49Z Dave Sparks-2 Gunnar Vestergaard wrote: <br><br> > My goal is to let visitors of my web site authenticate themselves to <br> > my web server using some certificate, possibly S/MIME certificates. <br><br> > As I understand the documentation for PHP, there is no means whereby <br> > PHP can read and interpret an SSL client certificate. Is that correct? <br><br>It's possible to configure Apache 2 to add the client certificate to a <br>request header.  From one of my configuration files: <br><br>   RewriteCond ${ESC:%{SSL:SSL_CLIENT_CERT}} \ <br>^.*(-----BEGIN%20(X509%20|TRUSTED%20|)CERTIFICATE-----(%0[Dd])?%0[Aa].*%0[Aa]-----END%20\2CERTIFICATE-----(%0[Dd])?%0[Aa]).*$ <br>   RewriteRule ^.*$ - [E=CLIENT_CERT:%1] <br><br>   RequestHeader unset L-ClientCert <br><br>   RequestHeader set L-ClientCert %{CLIENT_CERT}e env=CLIENT_CERT <br><br>The certificate is %-encoded to avoid problems with newline characters. <br>  Presumably PHP can use the string in the header to match the <br>certificate against a list of known certificates. <br><br>The certificate digest would be less unwieldy than the entire <br>certificate, but mod_ssl would need some simple changes to make the <br>digest available and I would be reluctant to use a hosting provider who <br>allowed customers to use a modified mod_ssl. <br><br><br>     Dave Sparks <br><br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19605391&i=0" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19605391&i=1" target="_top" rel="nofollow">majordomo@...</a> <br><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19589935 Authenticating users based on S/MIME certificate 2008-09-20T16:10:16Z 2008-09-20T16:10:16Z Gunnar P. Vestergaard Hi. I am an administrator of a user account at an Apache web server. <br>Currently the server is running Apache 1.3.37. My hosting provider plans <br>on switching to new hardware with possibly new software. So I don't know <br>if my web server will be run on Apache 1.3.37 or Apache 2.0. <br><br>My goal is to let visitors of my web site authenticate themselves to my <br>web server using some certificate, possibly S/MIME certificates. <br><br>Now, my current S/MIME certificate for personal e-mail is approved for <br>the following purposes: <br>Email Signer Certificate <br>Email Recipient Certificate <br><br>Is it possible to have such a certificate authenticate its user towards <br>an SSL web server? In any case I want to have a limited crowd of users <br>seeing a subdirectory of pages without bothering the user with a user <br>name/password dialog. Just their personal certificate lets them see <br>pages in a certain subdirectory. <br><br>As I understand the documentation for PHP, there is no means whereby PHP <br>can read and interpret an SSL client certificate. Is that correct? <br><br>Gunnar <br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19589935&i=0" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19589935&i=1" target="_top" rel="nofollow">majordomo@...</a> <br><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19536924 Truncated response via mod_proxy 2008-09-17T10:10:45Z 2008-09-17T10:10:45Z Kogelheide, Ryan LCS:EX <html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv=Content-Type content="text/html; charset=us-ascii"> <meta name=Generator content="Microsoft Word 11 (filtered medium)"> </head> <body lang=EN-CA link=blue vlink=purple> <div class=Section1> <p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt; font-family:Arial'>I’m trying to debug an issue with a client getting a truncated response via mod_proxy and mod_ssl on apache 2.0.63. The client software is SQLAnywhere, and they are trying to get a response from a backend web service running under IIS6. If they make the request directly against the origin server via SSL or port 80, it works. If they query via the reverse-proxy on port 80, it works. On SSL via the reverse-proxy the results are truncated (only part of the XML is returned).<o:p></o:p></span></font></p> <p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt; font-family:Arial'>This reverse-proxy serves hundreds of vhosts and thousands of clients a day. This is the only vhost + client with a problem.<o:p></o:p></span></font></p> <p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt; font-family:Arial'>Using wireshark, we can see that the rproxy is sending an encrypted alert 21 and then client is sending an SSL alert 21 and closing the connection. <o:p></o:p></span></font></p> <p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt; font-family:Arial'>I’ve set Apache’s LogLevel to debug, and I can see the incoming SSL handshake and the request, and I can see the mod_proxy working, but I don’t see a detailed trace of the response going back (even though a partial response is sent). The access log says that the whole response is returned. Is there some special command to trace the response?<o:p></o:p></span></font></p> <p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt; font-family:Arial'>Regards,<o:p></o:p></span></font></p> <p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt; font-family:Arial'>Ryan<o:p></o:p></span></font></p> <p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size: 12.0pt'><o:p> </o:p></span></font></p> </div> </body> </html> <p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19498912 SSL works from server command line, but not from outside server. Weird! 2008-09-15T11:53:46Z 2008-09-15T11:53:46Z John Fox-7 Hi, folks. <br><br>I've run across a wierd problem -- https/SSL works fine when accessed <br>from the machine running httpd, but is unavailable from all others. <br><br>Software versions: Apache 1.3.37/mod_ssl-2.8.28-1.3.37/OpenSSL 0.9.8b <br><br>Running 'http' on port 8118, 'https' on port 8119 <br><br>I get positive results from openssl's "s_client" when I connect to <br>8119 from the server's command line: <br><br>  $ openssl s_client -connect webdev-gold:8119 <br>  CONNECTED(00000003) <br>  depth=0 /C=US/ST=Oregon/L=Medford/O=Musey's <br><a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19498912&i=0" target="_top" rel="nofollow">Pal/OU=WebDev/CN=webdev-gold.musiciansfriend.com/emailAddress=foo@...</a> <br>  verify error:num=18:self signed certificate <br>  verify return:1 <br>  depth=0 /C=US/ST=Oregon/L=Medford/O=Musey's <br><a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19498912&i=1" target="_top" rel="nofollow">Pal/OU=WebDev/CN=webdev-gold.musiciansfriend.com/emailAddress=foo@...</a> <br>  < SNIP > <br>  New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA <br>  Server public key is 1024 bit <br>  Compression: NONE <br>  Expansion: NONE <br>  SSL-Session: <br>      Protocol  : TLSv1 <br>      Cipher    : DHE-RSA-AES256-SHA <br>      Session-ID: <br>9D8989B47E6EE3546426AFC100348052D900956A40E0C33AAB41019D71CF515E <br>      Session-ID-ctx: <br>      Master-Key: <br>EF1AC496532EE1B8EF0F63988AB7CED1F05F9EAB8675DD76DC54A6DC6E91410C12B9808C8567B803838137B79089591C <br>      Key-Arg   : None <br>      Krb5 Principal: None <br>      Start Time: 1221497972 <br>      Timeout   : 300 (sec) <br>      Verify return code: 18 (self signed certificate) <br>  --- <br><br>To verify this a bit further, I (again, from the server's command <br>line) made use of the 'lynx' browswer to attempt accessing https on <br>port 8119 -- this worked, as well. <br><br>Next thing I tried was running the same "s_client" command from my <br>workstation's command line: <br>(openssl version 0.9.8g)) <br><br>  $ openssl s_client -connect webdev-gold:8119 -state -debug <br>  CONNECTED(00000003) <br>  SSL_connect:before/connect initialization <br>  write to 0x80c1340 [0x80c22f8] (124 bytes => 124 (0x7C)) <br>  0000 - 80 7a 01 03 01 00 51 00-00 00 20 00 00 39 00 00   .z....Q... ..9.. <br>  0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............ <br>  0020 - 00 00 33 00 00 32 00 00-2f 00 00 07 05 00 80 03   ..3..2../....... <br>  0030 - 00 80 00 00 05 00 00 04-01 00 80 00 00 15 00 00   ................ <br>  0040 - 12 00 00 09 06 00 40 00-00 14 00 00 11 00 00 08   ......@......... <br>  0050 - 00 00 06 04 00 80 00 00-03 02 00 80 78 79 d0 f1   ............xy.. <br>  0060 - 49 80 86 36 2c 4a 72 b0-9a 3d 73 a6 d7 2e e9 78   I..6,Jr..=s....x <br>  0070 - 05 4e 73 b7 84 12 ea 38-18 b1 41 c2               .Ns....8..A. <br>  SSL_connect:SSLv2/v3 write client hello A <br>  read from 0x80c1340 [0x80c7858] (7 bytes => 7 (0x7)) <br>  0000 - 3c 21 44 4f 43 54 59                              <!DOCTY <br>  SSL_connect:error in SSLv2/v3 read server hello A <br>  16389:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown <br>protocol:s23_clnt.c:583: <br><br><br>And the corresponding entry from the server's error log: <br>  [Mon Sep 15 10:04:30 2008] [error] [client 172.16.70.182] Invalid <br>method in request \\x80t\\x01\\x03\\x01 <br><br><br>Seems to be working from the server, but not from outside it.  So I <br>thought I'd best be sure that I wasn't doing <br>something silly like listening only on the loopback address or something: <br><br>  tcp        0      0 0.0.0.0:8118                0.0.0.0:* <br>       LISTEN <br>  tcp        0      0 0.0.0.0:8119                0.0.0.0:* <br>       LISTEN <br><br>Which I think proves that httpd isn't confining itself to a single <br>network interface. <br><br>I've spent a couple of hours googling on this, and discovered that <br>while the the error shown in the Apache log excerpt is quite common, <br>the situation I'm describing is not.  Any insights, thoughts, and <br>suggestions would be appreciated, as I feel I've taken this as far as <br>I can on my own. <br><br>I am attaching the relevant httpd.conf file -- in gzipped format -- on <br>the chance it may prove helpful. <br><br>Thank you. <br><br>-John <br><br /> <div class="small"><br/><img src="http://www.nabble.com/images/icon_attachment.gif" > <strong>sample_httpd.conf.gz</strong> (2K) <a href="http://www.nabble.com/attachment/19498912/0/sample_httpd.conf.gz" target="_top">Download Attachment</a></div><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19423495 RE: SSL_CLIENT_S_DN & SSL_CLIENT_I_DN Formats 2008-09-10T14:28:11Z 2008-09-10T14:28:11Z Bolger, Ken <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=Content-Type content="text/html; charset=us-ascii"> <META content="MSHTML 6.00.6000.16705" name=GENERATOR></HEAD> <BODY> <DIV><SPAN style="FONT-SIZE: 8pt; COLOR: navy; FONT-FAMILY: Arial; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-AU; mso-bidi-language: AR-SA"><STRONG><SPAN class=151591821-10092008>Hi,</SPAN></STRONG></SPAN></DIV> <DIV><SPAN style="FONT-SIZE: 8pt; COLOR: navy; FONT-FAMILY: Arial; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-AU; mso-bidi-language: AR-SA"><STRONG><SPAN class=151591821-10092008></SPAN></STRONG></SPAN> </DIV> <DIV><SPAN style="FONT-SIZE: 8pt; COLOR: navy; FONT-FAMILY: Arial; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-AU; mso-bidi-language: AR-SA"><STRONG><SPAN class=151591821-10092008>I have noticed that the DN components of the SSL_CLIENT_S_DN and SSL_CLIENT_I_DN</SPAN></STRONG></SPAN></DIV> <DIV><SPAN style="FONT-SIZE: 8pt; COLOR: navy; FONT-FAMILY: Arial; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-AU; mso-bidi-language: AR-SA"><STRONG><SPAN class=151591821-10092008>environment variables are separated by the '/' (forward slash) character rather than</SPAN></STRONG></SPAN></DIV> <DIV><SPAN style="FONT-SIZE: 8pt; COLOR: navy; FONT-FAMILY: Arial; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-AU; mso-bidi-language: AR-SA"><STRONG><SPAN class=151591821-10092008>the ',' (comma) separator as required by  RFC2253. </SPAN></STRONG></SPAN></DIV> <DIV><SPAN style="FONT-SIZE: 8pt; COLOR: navy; FONT-FAMILY: Arial; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-AU; mso-bidi-language: AR-SA"><STRONG><SPAN class=151591821-10092008></SPAN></STRONG></SPAN> </DIV> <DIV><SPAN style="FONT-SIZE: 8pt; COLOR: navy; FONT-FAMILY: Arial; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-AU; mso-bidi-language: AR-SA"><STRONG><SPAN class=151591821-10092008>Is the use of the forward slash part of an older standard or is there another reason for its use?</SPAN></STRONG></SPAN></DIV> <DIV><SPAN style="FONT-SIZE: 8pt; COLOR: navy; FONT-FAMILY: Arial; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-AU; mso-bidi-language: AR-SA"><STRONG><SPAN class=151591821-10092008>Is there a setting to change the format?</SPAN></STRONG></SPAN></DIV> <DIV><SPAN style="FONT-SIZE: 8pt; COLOR: navy; FONT-FAMILY: Arial; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-AU; mso-bidi-language: AR-SA"><STRONG><SPAN class=151591821-10092008></SPAN></STRONG></SPAN> </DIV> <DIV><SPAN style="FONT-SIZE: 8pt; COLOR: navy; FONT-FAMILY: Arial; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-AU; mso-bidi-language: AR-SA"><STRONG><SPAN class=151591821-10092008>Thanks,</SPAN></STRONG></SPAN></DIV> <DIV><SPAN style="FONT-SIZE: 8pt; COLOR: navy; FONT-FAMILY: Arial; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-AU; mso-bidi-language: AR-SA"><STRONG><SPAN class=151591821-10092008></SPAN></STRONG></SPAN> </DIV> <DIV><SPAN style="FONT-SIZE: 8pt; COLOR: navy; FONT-FAMILY: Arial; mso-fareast-font-family: 'Times New Roman'; mso-ansi-language: EN-US; mso-fareast-language: EN-AU; mso-bidi-language: AR-SA"><STRONG><SPAN class=151591821-10092008>Ken Bolger</SPAN></STRONG></SPAN></DIV></BODY></HTML> <p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19313097 Some help with ssl 2008-09-04T08:27:26Z 2008-09-04T08:27:26Z V H-2 <html> <head> </head> <body class='hmmessage'>I've been trying to secure an apache sever with ssl but I keep the following error after I enter my attributes - can anyone help. Thanks:<BR>  <BR> <FONT color=#800000>Error adding attribute<BR>3556:error:0D0BF041:asn1 encoding routines:ASN1_item_dup:malloc failure:.\crypto<BR>\asn1\a_dup.c:104: problems making Certificate Request</FONT><BR>  <BR> See the full print out of the command I issued below:<BR>  <BR> C:\Program Files\Apache Software Foundation\Apache2.2\bin>openssl req -config .\<BR><FONT face="">openssl.cnf</FONT> -new -out myserver.csr<BR> <BR>Loading 'screen' into random state - done<BR>Generating a 1024 bit RSA private key<BR>...........................................++++++<BR>.......++++++<BR>writing new private key to 'privkey.pem'<BR>Enter PEM pass phrase:<BR>Verifying - Enter PEM pass phrase:<BR>-----<BR>You are about to be asked to enter information that will be incorporated<BR>into your certificate request.<BR>What you are about to enter is what is called a Distinguished Name or a DN.<BR>There are quite a few fields but you can leave some blank<BR>For some fields there will be a default value,<BR>If you enter '.', the field will be left blank.<BR>-----<BR>.<BR> .<BR> .<BR> .<BR> A challenge password []:vj150<BR>Error adding attribute<BR>3556:error:0D0BF041:asn1 encoding routines:ASN1_item_dup:malloc failure:.\crypto<BR>\asn1\a_dup.c:104: problems making Certificate Request<BR> C:\Program Files\Apache Software Foundation\Apache2.2\bin><BR><br /><hr />Want to do more with Windows Live? Learn “10 hidden secrets” from Jamie. <a href='http://windowslive.com/connect/post/jamiethomson.spaces.live.com-Blog-cns!550F681DAD532637!5295.entry?ocid=TXT_TAGLM_WL_domore_092008' target='_new' rel="nofollow">Learn Now</a></body> </html><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19264163 RE: Error when trying shmcb SSLSessionCache on 64-bit Windows 2008-09-01T22:03:10Z 2008-09-01T22:03:10Z Johan Hoogenboezem Hi Martin <br>I tried the short (8.3) version of the directory with no luck. Ah well... <br>Thanks <br>Johan <br><br>-----Original Message----- <br>From: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19264163&i=0" target="_top" rel="nofollow">owner-modssl-users@...</a> [mailto:<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19264163&i=1" target="_top" rel="nofollow">owner-modssl-users@...</a>] <br>On Behalf Of Johan Hoogenboezem <br>Sent: 01 September 2008 01:10 PM <br>To: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19264163&i=2" target="_top" rel="nofollow">modssl-users@...</a> <br>Cc: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19264163&i=3" target="_top" rel="nofollow">mdickau@...</a> <br>Subject: RE: Error when trying shmcb SSLSessionCache on 64-bit Windows <br><br>Hi Martin <br>1) I'm still reluctant to use an unofficial build, but its good to know <br>others are using it. <br>2) Wow, well spotted with your "(x86)" theory! It also failed with a <br>relative path: logs/ssl_scache(512000), but depending on how the relative <br>path is being translated to an absolute path behind the scenes, you might <br>still be right... I'll try it out as soon as I can and let you know. <br>Thanks a lot <br>Johan <br><br>-----Original Message----- <br>From: Martin Dickau [mailto:<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19264163&i=4" target="_top" rel="nofollow">mdickau@...</a>] <br>Sent: 01 September 2008 12:18 PM <br>To: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19264163&i=5" target="_top" rel="nofollow">hoogenbj@...</a> <br>Subject: Re: Error when trying shmcb SSLSessionCache on 64-bit Windows <br><br>I am using an unofficial 2.2.9 native on Windows Server 2003 64-bit <br>(AMD64/EM64T) from <a href="http://www.blackdot.be/?inc=apache/binaries" target="_top" rel="nofollow">http://www.blackdot.be/?inc=apache/binaries</a> and am using <br>shmcb without any trouble.  You do need to install the VC++ 2005 64-bit <br>redistributable runtime.  I am also using the mod_jk build from that site, <br>but I could not get the mod_log_rotate to run without crashing and had to <br>build that one myself. <br><br>That said, the "invalid size" error and the fact that size is passed in <br>parentheses as "(512000)" makes me wonder if it is reading the "(x86)" from <br>the path as the size.  Have you tried using C:/PROGRA~1/ (or PROGRA~2 --   <br>whichever it is on your system) instead? <br><br>Regards, <br><br>Martin <br><br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19264163&i=6" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19264163&i=7" target="_top" rel="nofollow">majordomo@...</a> <br>No virus found in this incoming message. <br>Checked by AVG - <a href="http://www.avg.com" target="_top" rel="nofollow">http://www.avg.com</a>  <br>Version: 8.0.169 / Virus Database: 270.6.14/1644 - Release Date: 8/31/2008 <br>4:59 PM <br><br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19264163&i=8" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19264163&i=9" target="_top" rel="nofollow">majordomo@...</a> <br><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19252890 RE: Error when trying shmcb SSLSessionCache on 64-bit Windows 2008-09-01T04:09:58Z 2008-09-01T04:09:58Z Johan Hoogenboezem Hi Martin <br>1) I'm still reluctant to use an unofficial build, but its good to know <br>others are using it. <br>2) Wow, well spotted with your "(x86)" theory! It also failed with a <br>relative path: logs/ssl_scache(512000), but depending on how the relative <br>path is being translated to an absolute path behind the scenes, you might <br>still be right... I'll try it out as soon as I can and let you know. <br>Thanks a lot <br>Johan <br><br>-----Original Message----- <br>From: Martin Dickau [mailto:<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19252890&i=0" target="_top" rel="nofollow">mdickau@...</a>] <br>Sent: 01 September 2008 12:18 PM <br>To: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19252890&i=1" target="_top" rel="nofollow">hoogenbj@...</a> <br>Subject: Re: Error when trying shmcb SSLSessionCache on 64-bit Windows <br><br>I am using an unofficial 2.2.9 native on Windows Server 2003 64-bit <br>(AMD64/EM64T) from <a href="http://www.blackdot.be/?inc=apache/binaries" target="_top" rel="nofollow">http://www.blackdot.be/?inc=apache/binaries</a> and am using <br>shmcb without any trouble.  You do need to install the VC++ 2005 64-bit <br>redistributable runtime.  I am also using the mod_jk build from that site, <br>but I could not get the mod_log_rotate to run without crashing and had to <br>build that one myself. <br><br>That said, the "invalid size" error and the fact that size is passed in <br>parentheses as "(512000)" makes me wonder if it is reading the "(x86)" from <br>the path as the size.  Have you tried using C:/PROGRA~1/ (or PROGRA~2 --   <br>whichever it is on your system) instead? <br><br>Regards, <br><br>Martin <br><br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19252890&i=2" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19252890&i=3" target="_top" rel="nofollow">majordomo@...</a> <br><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19251739 Error when trying shmcb SSLSessionCache on 64-bit Windows 2008-09-01T02:41:48Z 2008-09-01T02:41:48Z Johan Hoogenboezem Hi All <br>I'm running Apache 2.2.9 on Windows Server 2003 (64-bit version) in a <br>production environment with mod_ssl configured. The only type of <br>SSLSessionCache I am able to use is dbm. If I try the memory-based cache <br>(shmcb, shmht or just shm), I get this error: <br><br>Syntax error on line 62 of C:/Program Files (x86)/Apache Software <br>Foundation/Apache2.2/conf/extra/httpd-ssl.conf: <br>SSLSessionCache: Invalid argument: size has to be >= 8192 bytes <br><br>Their is nothing wrong with the way the argument is set. This is what the <br>line looks like: <br><br>SSLSessionCache        "shmcb:C:/Program Files (x86)/Apache Software <br>Foundation/Apache2.2/logs/ssl_scache(512000)" <br><br>I tried different argument values to no avail. <br><br>I realize their is no official version of httpd for 64-bit Windows. I found <br>an unofficial one, but that one doesn't work at all. It appears to have <br>other issues. Besides, I'd rather use a production-ready, offical version <br>even if it is 32-bit. <br><br>Any comments will be greatly appreciated <br><br>Regards <br><br>Johan Hoogenboezem <br><br><br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19251739&i=0" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19251739&i=1" target="_top" rel="nofollow">majordomo@...</a> <br><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19091462 Re: Cannot load libssl.so into server: ld.so.1: httpd: fatal: relocation error: 2008-08-21T06:29:45Z 2008-08-21T06:29:45Z Xian Xian <div dir="ltr">You did not configure your Apache with mod_ssl when you set it up. You need to rebuild your Apache.<br><br><div class="gmail_quote">On Thu, Aug 21, 2008 at 1:02 AM, Linda Lee <span dir="ltr"><<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19091462&i=0" target="_top" rel="nofollow">n2kcn29@...</a>></span> wrote:<br> <blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><div> <div>Hi all</div> <div> </div> <div>*I am using apache <span style="border-bottom: 1px dashed rgb(0, 102, 204);">1.3.41</span> with mod_ssl <span style="border-bottom: 1px dashed rgb(0, 102, 204);">2.8.31</span>.  I kept getting the below error:</div> <div> </div> <div>Starting httpd: httpd <span style="border-bottom: 1px dashed rgb(0, 102, 204);">Syntax error</span> on line 249 of /export/home/httpd/conf/httpd.conf:<br>Cannot load /export/home/httpd/libexec/libssl.so into server: <a href="http://ld.so/" target="_blank" rel="nofollow"><span><font color="#0000ff">ld.so</font></span></a>.1: httpd: fatal: relocation error: file /export/home/httpd/libexec/libssl.so: symbol inflateEnd: referenced symbol not found<br> FAILED</div> <div> </div> <div>*In my httpd.conf, line 249 is:  </div> <div>LoadModule ssl_module         libexec/libssl.so</div> <div> </div> <div>*libssl.so's loation is correct.  It is in /export/home/httpd/libexec/.</div> <div> </div> <div>Thanks for your help</div></div></div><br> </div></blockquote></div><br></div> <p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19082488 Cannot load libssl.so into server: ld.so.1: httpd: fatal: relocation error: 2008-08-20T22:02:52Z 2008-08-20T22:02:52Z Linda Lee-3 <html><head></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><DIV> <DIV>Hi all</DIV> <DIV> </DIV> <DIV>*I am using apache <SPAN class=yshortcuts id=lw_1219294819_0 style="CURSOR: hand; BORDER-BOTTOM: #0066cc 1px dashed">1.3.41</SPAN> with mod_ssl <SPAN class=yshortcuts id=lw_1219294819_1 style="CURSOR: hand; BORDER-BOTTOM: #0066cc 1px dashed">2.8.31</SPAN>.  I kept getting the below error:</DIV> <DIV> </DIV> <DIV>Starting httpd: httpd <SPAN class=yshortcuts id=lw_1219294819_2 style="CURSOR: hand; BORDER-BOTTOM: #0066cc 1px dashed">Syntax error</SPAN> on line 249 of /export/home/httpd/conf/httpd.conf:<BR>Cannot load /export/home/httpd/libexec/libssl.so into server: <A href="http://ld.so/" target=_blank rel="nofollow"><SPAN class=yshortcuts id=lw_1219294819_3><FONT color=#0000ff>ld.so</FONT></SPAN></A>.1: httpd: fatal: relocation error: file /export/home/httpd/libexec/libssl.so: symbol inflateEnd: referenced symbol not found<BR>FAILED</DIV> <DIV> </DIV> <DIV>*In my httpd.conf, line 249 is:  </DIV> <DIV>LoadModule ssl_module         libexec/libssl.so</DIV> <DIV> </DIV> <DIV>*libssl.so's loation is correct.  It is in /export/home/httpd/libexec/.</DIV> <DIV> </DIV> <DIV>Thanks for your help</DIV></DIV></div><br> </body></html><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-19082458 Cannot load /export/home/httpd/libexec/libssl.so into server: ld.so.1: 2008-08-20T21:57:31Z 2008-08-20T21:57:31Z Linda Lee-3 MIME-Version: 1.0 <br>Content-Type: multipart/alternative; boundary="0-1715676727-1219294651=:94206" <br><br>--0-1715676727-1219294651=:94206 <br>Content-Type: text/plain; charset=iso-8859-1 <br>Content-Transfer-Encoding: quoted-printable <br><br>=0A=0A=0A=0AHi all=0A=A0=0A*I am using apache 1.3.41 with mod_ssl 2.8.31.= <br>=A0 I kept getting the below error:=0A=A0=0AStarting httpd: httpd Syntax er= <br>ror on line 249 of /export/home/httpd/conf/httpd.conf:=0ACannot load /expor= <br>t/home/httpd/libexec/libssl.so into server: ld.so.1: httpd: fatal: relocati= <br>on error: file /export/home/httpd/libexec/libssl.so: symbol inflateEnd: ref= <br>erenced symbol not found=0AFAILED=0A=A0=0A*In my httpd.conf, line 249 is:= <br>=A0 =0ALoadModule ssl_module=A0=A0=A0=A0=A0=A0=A0=A0 libexec/libssl.so=0A= <br>=A0=0A*libssl.so's loation is correct.=A0 It is=A0in /export/home/httpd/lib= <br>exec/.=0A=A0=0AThanks for your help=0A=0A=0A       <br>--0-1715676727-1219294651=:94206 <br>Content-Type: text/html; charset=us-ascii <br><br><html><head><style type="text/css"></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><DIV><BR></DIV> <br><DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><BR> <br><DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> <br><DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> <br><DIV>Hi all</DIV> <br><DIV> </DIV> <br><DIV>*I am using apache 1.3.41 with mod_ssl 2.8.31.  I kept getting the below error:</DIV> <br><DIV> </DIV> <br><DIV>Starting httpd: httpd Syntax error on line 249 of /export/home/httpd/conf/httpd.conf:<BR>Cannot load /export/home/httpd/libexec/libssl.so into server: <A href="<a href="http://ld.so/" target="_top" rel="nofollow">http://ld.so/</a>" target=_blank>ld.so</A>.1: httpd: fatal: relocation error: file /export/home/httpd/libexec/libssl.so: symbol inflateEnd: referenced symbol not found<BR>FAILED</DIV> <br><DIV> </DIV> <br><DIV>*In my httpd.conf, line 249 is:  </DIV> <br><DIV>LoadModule ssl_module         libexec/libssl.so</DIV> <br><DIV> </DIV> <br><DIV>*libssl.so's loation is correct.  It is in /export/home/httpd/libexec/.</DIV> <br><DIV> </DIV> <br><DIV>Thanks for your help</DIV> <br><DIV> </DIV> <br><DIV><BR><BR> </DIV></DIV><BR></DIV></DIV></div><br> <br><br>      </body></html> <br>--0-1715676727-1219294651=:94206-- <br><br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19082458&i=0" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19082458&i=1" target="_top" rel="nofollow">majordomo@...</a> <br><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-18550285 Fips compliant mod_ssl module availability 2008-07-19T17:40:41Z 2008-07-19T17:40:41Z Sean Coleman I need to implement a FIPS 140 compliant version of mod_ssl. Is there a <br>patch file or a distribution of mod_ssl <br>currently available for download which can be used in conjunction with <br>the fips compliant libopenssl? <br><br>I found a link to a patch file for modssl in a message sent earlier in <br>2008 but the link doesn't work. The link was <br>found in this thread: <br><a href="http://www.mail-archive.com/openssl-users@openssl.org/msg52290.html" target="_top" rel="nofollow">http://www.mail-archive.com/openssl-users@.../msg52290.html</a> The <br>actual link <br>posted was <br><a href="http://mail-archives.apache.org/mod_mbox/httpd-bugs/200711.mbox/" target="_top" rel="nofollow">http://mail-archives.apache.org/mod_mbox/httpd-bugs/200711.mbox/</a>[EMAIL <br>PROTECTED]/bugzilla/%3e <br><br>Has this patch been obsoleted? <br><br>I also found an entire distribution tree for a FIPS compliant httpd <br>server at <br><a href="http://svn.apache.org/repos/asf/httpd/sandbox/gaithersburg" target="_top" rel="nofollow">http://svn.apache.org/repos/asf/httpd/sandbox/gaithersburg</a>. What is the <br>status of this code? Is this code <br>available somewhere for download to be used to provide a FIPS compliant <br>mod_ssl module? <br><br>Thank you, <br><br>Sean Coleman <br><br><br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18550285&i=0" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18550285&i=1" target="_top" rel="nofollow">majordomo@...</a> <br><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-18540214 stop sending me this stuff please !!!!!!!!!!! 2008-07-18T18:17:06Z 2008-07-18T18:17:06Z erika20 <html>  <head></head> <body>  <DIV></DIV> <DIV><FONT color=#ff0000 size=7>stop sendig me this </FONT></DIV> <DIV><FONT color=#ff0000 size=7>stuff please !!!!</FONT></DIV> <DIV><FONT color=#ff0000 size=7>take me out of your mailing list !!! thanks </FONT></DIV> <BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">-------------- Original message from Frederic Heem <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18540214&i=0" target="_top" rel="nofollow">frederic.heem@...</a>>: -------------- <BR><BR><div class='shrinkable-quote'><BR>> Hi, <BR>> Valgrind has found a problem related to an overlapping memcpy in mod_ssl <BR>> (Apache/2.2.9 (Unix)), here is the output: <BR>> <BR>> ==18546== Thread 5: <BR>> ==18546== Source and destination overlap in memcpy(0x425E0E8, 0x425E10E, <BR>> 141) <BR>> ==18546== at 0x4007A42: memcpy (mc_replace_strmem.c:402) <BR>> ==18546== by 0x446C464: ssl_io_input_read (in <BR>> /usr/local/apache2/modules/mod_ssl.so) <BR>> ==18546== by 0x446C781: ssl_io_filter_input (in <BR>> /usr/local/apache2/modules/mod_ssl.so) <BR>> ==18546== by 0x8068DB5: ap_rgetline_core (in <BR>> /usr/local/apache2/bin/httpd) <BR>> ==18546== by 0x80690CE: ap_get_mime_headers_core (in <BR>> /usr/local/apache2/bin/httpd) <BR>> ==18546== by 0x80696FC: ap_read_request (in /usr/local/apache2/bin/httpd) <BR>> ==18546== by 0x80799DA: ap_process_http_connection (in <BR>> /usr/local/apache2/bin/httpd) <BR>> ==18546== by 0x8076CEC: ap_run_process_connection (in <BR>> /usr/local/apache2/bin/httpd) <BR>> ==18546== by 0x807FFD3: worker_thread (in /usr/local/apache2/bin/httpd) <BR>> ==18546== by 0x4057603: dummy_worker (in <BR>> /usr/local/apache2/lib/libapr-1.so.0.3.0) <BR>> ==18546== by 0x8E145A: start_thread (in /lib/libpthread-2.5.so) <BR>> ==18546== by 0x71323D: clone (in /lib/libc-2.5.so) <BR>> <BR>> This happens when an axis2 client sends a https request. <BR>> Let me know if you need more information. <BR>> Frederic Heem <BR>> <BR>> <BR>> <BR>> ______________________________________________________________________________ <BR>> <BR>> --- NOTICE --- <BR>> <BR>> This email and any attachments are confidential and are intended for the <BR>> addressee only. If you have received this message by mistake, please contact <BR>> us immediately and then delete the message from your system. You must not <BR>> copy, distribute, disclose or act upon the contents of this email. Personal <BR>> and corporate data submitted will be used in a correct, transparent and lawful <BR>> manner. The data collected will be processed in paper or computerized form for <BR>> the performance of contractual and lawful obligations as well as for the <BR>> effective management of business relationship. The data processor is Telsey <BR>> S.p.A. The data subject may exercise all the rights set forth in art. 7 of <BR>> Law by Decree 30.06.2003 n. 196 as reported in the following url <BR>> http://www.telsey.com/privacy.asp. <BR>> <BR>> ______________________________________________________________________________ <BR>> 798t8RfNa6Dl8Ilf <BR>> ______________________________________________________________________ <BR>> Apache Interface to OpenSSL (mod_ssl) www.modssl.org <BR>> User Support Mailing List <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18540214&i=1" target="_top" rel="nofollow">modssl-users@...</a> <BR>> Automated List Manager <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18540214&i=2" target="_top" rel="nofollow">majordomo@...</a> </BLOCKQUOTE>  </body> </html> </div><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-18533749 overlapping memcpy 2008-07-18T10:05:04Z 2008-07-18T10:05:04Z frederic heem Hi, <br>Valgrind has found a problem related to an overlapping memcpy in mod_ssl <br>(Apache/2.2.9 (Unix)), here is the output: <br><br>==18546== Thread 5: <br>==18546== Source and destination overlap in memcpy(0x425E0E8, 0x425E10E, <br>141) <br>==18546==    at 0x4007A42: memcpy (mc_replace_strmem.c:402) <br>==18546==    by 0x446C464: ssl_io_input_read (in <br>/usr/local/apache2/modules/mod_ssl.so) <br>==18546==    by 0x446C781: ssl_io_filter_input (in <br>/usr/local/apache2/modules/mod_ssl.so) <br>==18546==    by 0x8068DB5: ap_rgetline_core (in <br>/usr/local/apache2/bin/httpd) <br>==18546==    by 0x80690CE: ap_get_mime_headers_core (in <br>/usr/local/apache2/bin/httpd) <br>==18546==    by 0x80696FC: ap_read_request (in /usr/local/apache2/bin/httpd) <br>==18546==    by 0x80799DA: ap_process_http_connection (in <br>/usr/local/apache2/bin/httpd) <br>==18546==    by 0x8076CEC: ap_run_process_connection (in <br>/usr/local/apache2/bin/httpd) <br>==18546==    by 0x807FFD3: worker_thread (in /usr/local/apache2/bin/httpd) <br>==18546==    by 0x4057603: dummy_worker (in <br>/usr/local/apache2/lib/libapr-1.so.0.3.0) <br>==18546==    by 0x8E145A: start_thread (in /lib/libpthread-2.5.so) <br>==18546==    by 0x71323D: clone (in /lib/libc-2.5.so) <br><br>This happens when an axis2 client sends a https request. <br>Let me know if you need more information. <br>Frederic Heem <br><br><br><br>______________________________________________________________________________ <br><br>--- NOTICE --- <br><br>This  email  and  any  attachments  are  confidential and are intended for the <br>addressee  only.  If you have received this message by mistake, please contact <br>us  immediately and  then  delete the message from your system.   You must not <br>copy, distribute, disclose  or  act upon the contents of this email.  Personal <br>and corporate data submitted will be used in a correct, transparent and lawful <br>manner. The data collected will be processed in paper or computerized form for <br>the  performance  of  contractual  and  lawful  obligations as well as for the <br>effective  management of business relationship.   The data processor is Telsey <br>S.p.A.   The  data  subject may exercise all the rights set forth in art. 7 of <br>Law  by  Decree  30.06.2003  n.  196   as   reported   in  the  following  url <br><a href="http://www.telsey.com/privacy.asp" target="_top" rel="nofollow">http://www.telsey.com/privacy.asp</a>. <br><br>______________________________________________________________________________ <br>798t8RfNa6Dl8Ilf <br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18533749&i=0" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18533749&i=1" target="_top" rel="nofollow">majordomo@...</a> <br><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-18517881 Re: redirect port 2008-07-17T14:03:25Z 2008-07-17T14:03:25Z Tim Hester A few more hours of investigation revealed the solution; <br><br> RewriteCond %{HTTP_HOST}   ^www.mydomain.com:8080 [NC] <br> RewriteRule ^/(.*) <a href="https://www.mydomain.com/$1" target="_top" rel="nofollow">https://www.mydomain.com/$1</a> [L,R=301] <br><br>Sorry bout the html mail earlier. <br><br>Tim <br><br>----- Original Message ----- <br>From: Tim Hester <br>To: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18517881&i=0" target="_top" rel="nofollow">modssl-users@...</a> <br>Sent: Thursday, July 17, 2008 10:38 AM <br>Subject: redirect port <br><br><br>I have been using Apache/2.2.3 and Tomcat 5.5 as standalone servers. I'm <br>adding ssl with mod_jk and mod_proxy_ajp to access tomcat via ssl. <br><br>I access my static content and cgi via <a href="http://www.mydomain.com/" target="_top" rel="nofollow">http://www.mydomain.com/</a> and use <br>mod_rewrite in .htaccess to redirect to https. This works fine as desired. <br><br>I can access my webapp via <a href="http://www.mydomain.com:8080/MyWebApp" target="_top" rel="nofollow">http://www.mydomain.com:8080/MyWebApp</a>, and this <br>is the url users have book marked. This continues to work. I can also access <br><a href="https://www.mydomain.com/MyWebApp" target="_top" rel="nofollow">https://www.mydomain.com/MyWebApp</a>. <br><br>What I'd like to do is force a redirect from <br><a href="http://www.mydomain.com:8080/MyWebApp" target="_top" rel="nofollow">http://www.mydomain.com:8080/MyWebApp</a> to <a href="https://www.mydomain.com/MyWebApp" target="_top" rel="nofollow">https://www.mydomain.com/MyWebApp</a><br><br>Note; tomcat is not under the apache webroot <br><br>Any assistance appreciated. <br><br>Thanks <br><br>Tim <br><br>______________________________________________________________________ <br>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org <br>User Support Mailing List                      <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18517881&i=1" target="_top" rel="nofollow">modssl-users@...</a> <br>Automated List Manager                            <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18517881&i=2" target="_top" rel="nofollow">majordomo@...</a> <br><p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-18511440 redirect port 2008-07-17T08:38:11Z 2008-07-17T08:38:11Z Tim Hester <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META http-equiv=Content-Type content="text/html; charset=windows-1252"> <META content="MSHTML 6.00.2900.3354" name=GENERATOR> </HEAD> <BODY bgColor=#ffffff> <DIV>I have been using Apache/2.2.3 and Tomcat 5.5 as standalone servers. I'm <BR>adding ssl with mod_jk and mod_proxy_ajp to access tomcat via ssl.<BR><BR>I access my static content and cgi via <A href="" target="_top" rel="nofollow">http://www.mydomain.com/</A> and use <BR>mod_rewrite in .htaccess to redirect to https. This works fine as desired.<BR><BR>I can access my webapp via <A href="" target="_top" rel="nofollow">http://www.mydomain.com:8080/MyWebApp</A>, and this <BR>is the url users have book marked. This continues to work. I can also access <BR><A href="" target="_top" rel="nofollow">https://www.mydomain.com/MyWebApp</A>.<BR><BR>What I'd like to do is force a redirect from <BR><A href="" target="_top" rel="nofollow">http://www.mydomain.com:8080/MyWebApp</A> to <A href="" target="_top" rel="nofollow">https://www.mydomain.com/MyWebApp</A><BR><BR>Note; tomcat is not under the apache webroot<BR><BR>Any assistance appreciated.<BR><BR>Thanks<BR><BR>Tim<BR></DIV></BODY></HTML> <p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-18452185 Re: wrong e-mail !!!!!!!!!!!!!!!!!!!!!!! 2008-07-14T13:13:22Z 2008-07-14T13:13:22Z Robert Uzgalis <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html;charset=UTF-8" http-equiv="Content-Type"> <title></title> </head> <body bgcolor="#ffffff" text="#000000"> One small comment. I have tried for years to get off this mailing list.<br> I have sent my request and it has always been effective, for say a month or so,<br> then I get put back on the mailing list. And it keeps coming. My solution was<br> to add it to my spam filter. It doesn't bother me that way and occasionally I drop in<br> to see what the latest complaint is.<br> <br> In this case I couldn't agree with the message more. Perhaps the tone is not quite right.<br> Somebody ought to fix mailing-list software so that once you are off you are really gone.<br> It is true that <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18452185&i=0" target="_top" rel="nofollow">erika20@...</a> ought to ask to be taken off the list; but it won't help much I'm afraid.<br> <br> BUZ<br> <br> <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18452185&i=1" target="_top" rel="nofollow">erika20@...</a> wrote: <blockquote cite="mid:071420081810.22034.487B9684000ACF8F0000561222218675169B0A02D2089B9A019C04040A0DBFCFCD0E05079D0A@att.net" type="cite">  <div><font size="7">stop </font><font color="#cc0000"><font size="7">stop</font> <font size="7">sending me </font></font></div> <div><font color="#cc0000" size="7">this bs , i have no idea who are you !!!!</font></div> <div><font color="#cc0000" size="7">stop !!!!!!!!!!!!!!!</font></div> <blockquote style="border-left: 2px solid rgb(16, 16, 255); padding-left: 5px; margin-left: 5px;">-------------- Original message from Dave Paris <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18452185&i=2" target="_top" rel="nofollow">dparis@...</a>: -------------- <br> <br> <br> > It seem like you might be confusing "shared infrastructure" with <br> > "single ip". As others have said, you need a distinct address for each <br> > SSL-enabled httpd or proxy, although they can reside on the same hardware. <br> > <br> > A good example of this is the typical configuration for larger server <br> > farms. You find multiple High Availability load balancers in the DMZ for <br> > both http and https using something like ha/keepalived for linux. These <br> > proxy the incoming request back into private address space. The SSL <br> > proxies terminate the SSL connection and broker the request on behalf of <br> > the user and everything goes to the private address space in plain http. <br> > This allows each of the _real_ webservers to achieve better <br> > performance since the SSL overhead is not present. <br> > <br> > While you can use Apache as an SSL-terminating proxy, I find I get <br> > better performance, lower memory utilization and easier configuration <br> > using Pound ( <a class="moz-txt-link-freetext" href="http://www.apsis.ch/pound/" target="_top" rel="nofollow">http://www.apsis.ch/pound/</a> ). Using keepalived, I have <br> > multiple public IP addresses floating between several hosts and pound <br> > binds https to those addresses. <br> > <br> > Hope that adds a bit of additional clarity, <br> > Dave <br> > <br> > Cuesta Gilles sent forth: <br> > > So what about this ? <br> > > "*MULTIPLE CN (SAN) SERVER CERTIFICATES* <br> > > <br> > > This type of certificate (also called /Subject Alternative Name/ (SAN) ) <br> > > enables to secure not only one website but a large number of sites (a <br> > > list of sites) hosted on a shared infrastructure (server with multiple <br> > > names, reverse proxy). Ideal to secure multiple brands of a corporation. <br> > > One certificate per hardware is required." <br> > > <br> > > <a class="moz-txt-link-freetext" href="http://www.tbs-certificats.com/index.html.en" target="_top" rel="nofollow">http://www.tbs-certificats.com/index.html.en</a> <br> > > <br> > ______________________________________________________________________ <br> > Apache Interface to OpenSSL (mod_ssl) <a class="moz-txt-link-abbreviated" href="http://www.modssl.org" target="_top" rel="nofollow">www.modssl.org</a> <br> > User Support Mailing List <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18452185&i=3" target="_top" rel="nofollow">modssl-users@...</a> <br> > Automated List Manager <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18452185&i=4" target="_top" rel="nofollow">majordomo@...</a> </blockquote>  </blockquote> <br> </body> </html> <p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-18451226 Re: wrong e-mail !!!!!!!!!!!!!!!!!!!!!!! 2008-07-14T12:24:46Z 2008-07-14T12:24:46Z erika20 <html>  <head></head> <body>  <DIV></DIV> <DIV>THANK'S </DIV> <BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">-------------- Original message from "Shahadat Hossain" <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18451226&i=0" target="_top" rel="nofollow">shahadat9612@...</a>>: -------------- <BR><BR> <DIV>you know what, You are a f***en idiot.</DIV> <DIV>if you do not want to receive these emails, just get your name taken off from the list instead of b-shitting. </DIV> <DIV> </DIV> <DIV>send an email to <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18451226&i=1" target="_top" rel="nofollow">majordomo@...</a> address (you can also find it at the bottom of this message) with subject as 'Remove me'.</DIV> <DIV> </DIV> <DIV>ok?<BR><BR></DIV> <DIV class=gmail_quote>On Mon, Jul 14, 2008 at 7:10 PM, <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18451226&i=2" target="_top" rel="nofollow">erika20@...</a>> wrote:<BR> <BLOCKQUOTE class=gmail_quote style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"> <DIV> <DIV></DIV> <DIV><FONT size=7>stop </FONT><FONT color=#cc0000><FONT size=7>stop</FONT>  <FONT size=7>sending me </FONT></FONT></DIV> <DIV><FONT color=#cc0000 size=7>this bs , i have no idea  who are you !!!!</FONT></DIV> <DIV><FONT color=#cc0000 size=7>stop !!!!!!!!!!!!!!!</FONT></DIV> <BLOCKQUOTE style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">-------------- Original message from Dave Paris <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18451226&i=3" target="_top" rel="nofollow">dparis@...</a>>: -------------- <BR><BR><div class='shrinkable-quote'><BR>> It seem like you might be confusing "shared infrastructure" with <BR>> "single ip". As others have said, you need a distinct address for each <BR>> SSL-enabled httpd or proxy, although they can reside on the same hardware. <BR>> <BR>> A good example of this is the typical configuration for larger server <BR>> farms. You find multiple High Availability load balancers in the DMZ for <BR>> both http and https using something like ha/keepalived for linux. These <BR>> proxy the incoming request back into private address space. The SSL <BR>> proxies terminate the SSL connection and broker the request on behalf of <BR>> the user and everything goes to the private address space in plain http. <BR>> This allows each of the _real_ webservers to achieve better <BR>> performance since the SSL overhead is not present. <BR>> <BR>> While you can use Apache as an SSL-terminating proxy, I find I get <BR>> better performance, lower memory utilization and easier configuration <BR>> using Pound ( <A href="http://www.apsis.ch/pound/" target=_blank rel="nofollow">http://www.apsis.ch/pound/</A> ). Using keepalived, I have <BR>> multiple public IP addresses floating between several hosts and pound <BR>> binds https to those addresses. <BR>> <BR>> Hope that adds a bit of additional clarity, <BR>> Dave <BR>> <BR>> Cuesta Gilles sent forth: <BR>> > So what about this ? <BR>> > "*MULTIPLE CN (SAN) SERVER CERTIFICATES* <BR>> > <BR>> > This type of certificate (also called /Subject Alternative Name/ (SAN) ) <BR>> > enables to secure not only one website but a large number of sites (a <BR>> > list of sites) hosted on a shared infrastructure (server with multiple <BR>> > names, reverse proxy). Ideal to secure multiple brands of a corporation. <BR>> > One certificate per hardware is required." <BR>> > <BR>> > <A href="http://www.tbs-certificats.com/index.html.en" target=_blank rel="nofollow">http://www.tbs-certificats.com/index.html.en</A> <BR>> > <BR>> ______________________________________________________________________ <BR>> Apache Interface to OpenSSL (mod_ssl) <A href="http://www.modssl.org/" target=_blank rel="nofollow">www.modssl.org</A> <BR>> User Support Mailing List <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18451226&i=4" target="_top" rel="nofollow">modssl-users@...</a> <BR>> Automated List Manager <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18451226&i=5" target="_top" rel="nofollow">majordomo@...</a> </BLOCKQUOTE></DIV></BLOCKQUOTE></DIV></div></BLOCKQUOTE>  </body> </html> <p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-18450988 Re: wrong e-mail !!!!!!!!!!!!!!!!!!!!!!! 2008-07-14T12:13:05Z 2008-07-14T12:13:05Z Shahadat Hossain <div>you know what, You are a f***en idiot.</div> <div>if you do not want to receive these emails, just get your name taken off from the list instead of b-shitting. </div> <div> </div> <div>send an email to <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18450988&i=0" target="_top" rel="nofollow">majordomo@...</a> address (you can also find it at the bottom of this message) with subject as 'Remove me'.</div> <div> </div> <div>ok?<br><br></div> <div class="gmail_quote">On Mon, Jul 14, 2008 at 7:10 PM, <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18450988&i=1" target="_top" rel="nofollow">erika20@...</a>> wrote:<br> <blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid"> <div> <div></div> <div><font size="7">stop </font><font color="#cc0000"><font size="7">stop</font>  <font size="7">sending me </font></font></div> <div><font color="#cc0000" size="7">this bs , i have no idea  who are you !!!!</font></div> <div><font color="#cc0000" size="7">stop !!!!!!!!!!!!!!!</font></div> <blockquote style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">-------------- Original message from Dave Paris <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18450988&i=2" target="_top" rel="nofollow">dparis@...</a>>: -------------- <br> <br><br>> It seem like you might be confusing "shared infrastructure" with <br>> "single ip". As others have said, you need a distinct address for each <br>> SSL-enabled httpd or proxy, although they can reside on the same hardware. <br> > <br>> A good example of this is the typical configuration for larger server <br>> farms. You find multiple High Availability load balancers in the DMZ for <br>> both http and https using something like ha/keepalived for linux. These <br> > proxy the incoming request back into private address space. The SSL <br>> proxies terminate the SSL connection and broker the request on behalf of <br>> the user and everything goes to the private address space in plain http. <br> > This allows each of the _real_ webservers to achieve better <br>> performance since the SSL overhead is not present. <br>> <br>> While you can use Apache as an SSL-terminating proxy, I find I get <br>> better performance, lower memory utilization and easier configuration <br> > using Pound ( <a href="http://www.apsis.ch/pound/" target="_blank" rel="nofollow">http://www.apsis.ch/pound/</a> ). Using keepalived, I have <br>> multiple public IP addresses floating between several hosts and pound <br>> binds https to those addresses. <br> > <br>> Hope that adds a bit of additional clarity, <br>> Dave <br>> <br>> Cuesta Gilles sent forth: <br>> > So what about this ? <br>> > "*MULTIPLE CN (SAN) SERVER CERTIFICATES* <br>> > <br> > > This type of certificate (also called /Subject Alternative Name/ (SAN) ) <br>> > enables to secure not only one website but a large number of sites (a <br>> > list of sites) hosted on a shared infrastructure (server with multiple <br> > > names, reverse proxy). Ideal to secure multiple brands of a corporation. <br>> > One certificate per hardware is required." <br>> > <br>> > <a href="http://www.tbs-certificats.com/index.html.en" target="_blank" rel="nofollow">http://www.tbs-certificats.com/index.html.en</a> <br> > > <br>> ______________________________________________________________________ <br>> Apache Interface to OpenSSL (mod_ssl) <a href="http://www.modssl.org/" target="_blank" rel="nofollow">www.modssl.org</a> <br>> User Support Mailing List <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18450988&i=3" target="_top" rel="nofollow">modssl-users@...</a> <br> > Automated List Manager <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=18450988&i=4" target="_top" rel="nofollow">majordomo@...</a> </blockquote></div></blockquote></div><br> <p>From forum: <a href="http://www.nabble.com/mod_ssl---Users-f381.html" embed="fixTarget[381]" target="_top" >mod_ssl - Users</a></p> tag:www.nabble.com,2006:post-18449708 wrong e-mail !!!!!!!!!!!!!!!!!!!!!!! 2008-07-14T11:10:12Z 2008-07-14T11:10:12Z erika20 <html>  <head></head> <body>  <DIV></DIV> <DIV><FONT size=7>stop </FONT><FONT color=#cc0000><FONT size=7>stop</FONT>  <FONT size=7>sending me </FONT></FONT></DIV> <DIV><FONT color=#cc0000 size=7>this bs , i have no idea  who are you !!!!</FONT></DIV> <DIV><FONT color=#cc0000 size=7>stop !!!!!!!!!!!!!!!</FONT></DIV> <BLOCKQUOTE style=&quo