Geoff Thorpe | 1 Jun 2002 17:56

Re: Performance Tuning on Apache 1.3.24 with mod_ssl 2.8.8

Hi,

On Fri, 31 May 2002, Cliff Woolley wrote:

> On Fri, 31 May 2002, Geoff Thorpe wrote:
>
> > oh yeah, there's also that security problem with modssl that I mentioned
> > ages ago - AFAIK this still hasn't been changed in modssl and *may* not
> > yet have changed in apache 2.0 either. Ralf or David, please correct me
> > if I'm wrong;
> > http://marc.theaimsgroup.com/?l=apache-modssl&m=99717585106420&w=2
>
> This was fixed in 2.0 as of 2.0.25 but is not yet fixed in 1.3's modssl.

Ah, thanks for the update on that. I mentioned this problem a couple of
times *ages* ago, including private mail to Ralf, but it seemed very few
people seemed to regard it as "an issue". I'm glad Apache 2.0 has taken it
seriously. Ralf, would it be possible to get it similarly incorporated
into the 1.3.* tree? Please?

Cheers,
Geoff

-- 
Geoff Thorpe, geoff(at)geoffthorpe(dot)net

2000 years on, it's a different empire but the same
zealots and the same atrocities.


scott sutton | 3 Jun 2002 16:23

solaris 2.5.5

When I boot up the system, a SPARC 10 from Sun Microsystems, I get the message (Can't deduct msgbuf from physical memory list)

Program terminated. Can anyone help me with this? Thanx much, Scott


Herr Maik HERTHA | 3 Jun 2002 17:52

certificate doesn't apply to ie

hi guys;

i've some strange experience using the (latest) openssl (0.9.6c) library.
first:
i built openssl 0.9.6b on a solaris 7 box. the library is used with 
apache 1.3.17 and modssl 2.8.0. the creation of a self-signed 
certificate was done according to chapter 6 of the mod-ssl handbook. there 
are no problems. the certificate is accepted by all incarnations of ie 
and sure all the mozilla-types (ns 4.x->mozilla).
second:
i want to upgrade the apache installation to 1.3.24 with modssl 2.8.8 
and openssl 0.9.6c. the build was done on a solaris 8 box. the creation 
of the self-signed certificate was done the same way described above. no 
problems in the creation process. but after installing the certificates 
on the server they were accepted only by the mozilla-types (ns 4.x-> 
mozilla) and opera browsers. all types of ie are not able to use this 
certificate. i get their stupid error-page with zero-information :-( . 
there is no error message in the logs, only in the 'ssl_engine_log' that 
a connection was established.
then i tried using a certificate built with the openssl installation on 
the solaris 7 box. after i installed this on the apache_modssl on the 
solaris 8 box also the ie-browser are able to establish a working https 
connection.
now i'm a little bit surprised, why the newer library creates certs 
which are not able for use with ie but the older one does. where is my 
mistake? :-\

any help will be appreciated.

cu.

-- 

best regards

Maik Hertha

--------------------------------------------------- h+h
EBSP User Support, +49 5361 9-74950
Volkswagen AG / Brieffach 1721 / D-38436 Wolfsburg
http://ebsp.wob.vw.de              
maik.hertha <at> volkswagen.de
---------------------------------------------------
hartmann+hertha
IT (consulting / development / support)
http://www.hartmann-hertha.de
mhertha <at> hartmann-hertha.de
--------------------------------------------------- h+h

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

Andre Steffens | 3 Jun 2002 18:28

mod_ssl for 2.0.x (Win)

I'm searching for mod_ssl.so (binary) for Apache 2.0.36 on Win2k.

Could someone help me?

cu.
Andre


Matthew J. Fanto | 2 Jun 2002 20:19

Internet Explorer and 3DES

I am having a problem with mod_ssl and Internet Explorer 6.0. I have set 
mod_ssl to only allow 3DES CipherSuites (SSLCipherSuite 3DES:!MD5). All 
browsers handle this fine except Internet Explorer, which only works if RC4 
is enabled. When the user views the page, they see a "Cannot find server" 
message. I have checked the output of ssldump, and see that the 
client/server negotiate a cipher suite (SSL_RSA_WITH_3DES_EDE_CBC_SHA). 
After ChangeCipherSpec the client closes the connection then reestablishes 
it. When it is reestablished, it gets to application_data, but the user 
never sees this. Can anyone point me in the right direction on solving this?

Matthew J. Fanto
matthew.j.fanto <at> nist.gov
Computer Security Division
National Institute of Standards and Technology (NIST)


Ekkehard Ellmann LRT1 | 3 Jun 2002 15:26

mod_ssl-2.8.8-1.3.24

Running make in apache 1.3.24 gave a compile-error in
apache_1.3.24/src/modules/ssl/ssl_engine_vars.c
The compiler pointed at the line:
{ "UID",   NID_uniqueIdentifier       },

at the struct listed below.
I could not see how to cure. Therefore I applied "..." and it
worked.
Can somebody tell me the correct cure?
(linux-2.2.17,  apache-1.3.24,  mod_ssl-2.8.8-1.3.24,
openssl-0.9.7-beta1)

Please mail me direct.
Thanks a lot.

Ekk.

static const struct {
    char *name;
    int  nid;
} ssl_var_lookup_ssl_cert_dn_rec[] = {
    { "C",     NID_countryName            },
    { "ST",    NID_stateOrProvinceName    }, /* officially    (RFC2156) */
    { "SP",    NID_stateOrProvinceName    }, /* compatibility (SSLeay) */
    { "L",     NID_localityName           },
    { "O",     NID_organizationName       },
    { "OU",    NID_organizationalUnitName },
    { "CN",    NID_commonName             },
    { "T",     NID_title                  },
    { "I",     NID_initials               },
    { "G",     NID_givenName              },
    { "S",     NID_surname                },
    { "D",     NID_description            },
    { "UID",   "NID_uniqueIdentifier"       }, /* Ekk: ...with "" around NID_ it works, but .....,!!!! */
    { "Email", NID_pkcs9_emailAddress     },
    { NULL,    0                          }
};

Angelo Marcos Rigo | 3 Jun 2002 20:59

RE: Internet Explorer and 3DES

where do i find sign.sh
in the openssl package?
> ----- Original message -----
> From:		Matthew J. Fanto [SMTP:mfanto <at> nist.gov]
> Sent:		Sunday, June 2, 2002 15:20
> To:		modssl-users <at> modssl.org
> Subject:		Internet Explorer and 3DES
> 
> I am having a problem with mod_ssl and Internet Explorer 6.0. I have set
> mod_ssl to only allow 3DES CipherSuites (SSLCipherSuite 3DES:!MD5). All
> browsers handle this fine except Internet Explorer, which only works if RC4
> is enabled. When the user views the page, they see a "Cannot find server"
> message. I have checked the output of ssldump, and see that the
> client/server negotiate a cipher suite (SSL_RSA_WITH_3DES_EDE_CBC_SHA).
> After ChangeCipherSpec the client closes the connection then reestablishes
> it. When it is reestablished, it gets to application_data, but the user
> never sees this. Can anyone point me in the right direction on solving this?
> 
> 
> Matthew J. Fanto
> matthew.j.fanto <at> nist.gov
> Computer Security Division
> National Institute of Standards and Technology (NIST)
> 

Cliff Woolley | 3 Jun 2002 21:42

Re: mod_ssl-2.8.8-1.3.24

On Mon, 3 Jun 2002, Ekkehard Ellmann LRT1 wrote:

> Running  make in apache 1.3.24 gave a compile-error in
> apache_1.3.24/src/modules/ssl/ssl_engine_vars.c
> The  compiler pointed  at the line:
> { "UID",   NID_uniqueIdentifier       },
>
> (linux-2.2.17,  apache-1.3.24,  mod_ssl-2.8.8-1.3.24,
> openssl-0.9.7-beta1)

Many changes have occurred between OpenSSL 0.9.6 and 0.9.7.  mod_ssl is
unlikely to work with 0.9.7 at the moment, even if this were fixed.  Stick
with 0.9.6 for now.

--Cliff


Geoff Thorpe | 3 Jun 2002 22:24

Re: mod_ssl-2.8.8-1.3.24

Hi,

On Mon, 3 Jun 2002, Cliff Woolley wrote:

> On Mon, 3 Jun 2002, Ekkehard Ellmann LRT1 wrote:
>
> > Running  make in apache 1.3.24 gave a compile-error in
> > apache_1.3.24/src/modules/ssl/ssl_engine_vars.c
> > The  compiler pointed  at the line:
> > { "UID",   NID_uniqueIdentifier       },
> >
> > (linux-2.2.17,  apache-1.3.24,  mod_ssl-2.8.8-1.3.24,
> > openssl-0.9.7-beta1)
>
> Many changes have occurred between OpenSSL 0.9.6 and 0.9.7.  mod_ssl is
> unlikely to work with 0.9.7 at the moment, even if this were fixed.  Stick
> with 0.9.6 for now.

Ummm ... I had generally been using 0.9.7-dev CVS with mod_ssl without any
great grief for some time. I would go so far as to guess what the problem
is ... modssl's (auto)configuration script does a couple of regexp checks
on the openssl version to tweak building. I remember thinking the choice
of filtering was odd, and it's quite possible that the version being
interpreted from the beta release is confusing the config checks.

At a guess, the UID issue is probably one where Ralf has a fallback
implementation in modssl for older versions of openssl that didn't have
it. Was the compiler/linker warning about conflicting definitions between
openssl libs and modssl? If so, try checking out the "configure" script
where it attempts to parse the openssl version. I can't look at this right
now but if you can't get it sorted feel free to mail me back in a day or
two and perhaps I will have time. Basically you'd want modssl to convince
itself that the beta is the same sort of thing as "0.9.7-dev".

OTOH: It might be something else different altogether :-)

Cheers,
Geoff

-- 
Geoff Thorpe, geoff(at)geoffthorpe(dot)net

2000 years on, it's a different empire but the same
zealots and the same atrocities.
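
The guess in the message above is that string-pattern checks on the OpenSSL version misread a beta release. As an added illustration (not part of the original post and not mod_ssl's configure code), the functions below encode a version string into the MNNFFPPS number that OpenSSL's opensslv.h documents for OPENSSL_VERSION_NUMBER, so that 0.9.7-beta1 compares as newer than 0.9.7-dev; the function names and the pattern in pattern_is_097_series are hypothetical.

```sh
#!/bin/sh
# Added example; not mod_ssl's configure code. Function names are hypothetical.

# Constructed pattern check that knows releases and "-dev" but not "-betaN".
pattern_is_097_series() {
    case "$1" in
        0.9.7|0.9.7[a-z]|0.9.7-dev) return 0 ;;
        *) return 1 ;;
    esac
}

# Encode a version string as OpenSSL's MNNFFPPS number (see opensslv.h):
# status nibble 0 = dev, 1..e = beta 1..14, f = release; patch letter a = 1.
openssl_version_hex() {
    v=$1 status=15 patch=0
    case "$v" in
        *-beta[0-9]*) status=${v##*-beta}; status=${status%%-*}; v=${v%%-beta*} ;;
        *-dev)        status=0; v=${v%-dev} ;;
    esac
    case "$v" in
        *[a-z]) letter=${v#"${v%?}"}; v=${v%?}
                patch=$(( $(printf '%d' "'$letter") - 96 )) ;;
    esac
    case "$v" in
        *[!0-9.]*|*..*|.*|*.|*.*.*.*) return 1 ;;   # reject malformed input
        *.*.*) ;;
        *) return 1 ;;
    esac
    case "$status" in ''|*[!0-9]*) return 1 ;; esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; fix=${rest#*.}
    printf '0x%08x\n' $(( (major << 28) | (minor << 20) | (fix << 12) | (patch << 4) | status ))
}

# Succeeds when version $1 is at least version $2 in numeric order.
openssl_at_least() {
    have=$(openssl_version_hex "$1") || return 2
    want=$(openssl_version_hex "$2") || return 2
    [ "$(($have))" -ge "$(($want))" ]
}

# Constructed sample versions, including the beta from this thread.
for ver in 0.9.6c 0.9.7-dev 0.9.7-beta1 0.9.7; do
    if pattern_is_097_series "$ver"; then p=match; else p=no-match; fi
    if openssl_at_least "$ver" 0.9.7-dev; then n=yes; else n=no; fi
    printf '%-12s %s pattern=%s at_least_0.9.7-dev=%s\n' \
        "$ver" "$(openssl_version_hex "$ver")" "$p" "$n"
done
```

In C code the same comparison is available at compile time by testing OPENSSL_VERSION_NUMBER against the encoded value.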


Cliff Woolley | 3 Jun 2002 23:31

Re: mod_ssl-2.8.8-1.3.24

On Mon, 3 Jun 2002, Geoff Thorpe wrote:

> Ummm ... I had generally been using 0.9.7-dev CVS with mod_ssl without any
> great grief for some time.

Hm.  Okay, well, you're luckier than the httpd committer who tried it.
:)  At least with Apache 2.0, many things have been rumored to break under
the stock mod_ssl with OpenSSL 0.9.7-dev.  YMMV.  Of course my
recommendation to stick with 0.9.6 for now stands.  :)

<shrug>

--Cliff


