Ringaby Anders | 6 Feb 2004 18:09

symmetric or asymmetric ?


Hello !

I am one of many mod-ssl beginners, and I have two questions.

1. The modssl web site refers to the SSL cryptography algorithm
   as being conventional, or symmetric. But mod-ssl uses public
   and private keys, which are known as parts of asymmetric
   cryptography. Any explanation ?

2. I copied a mod-ssl-enhanced apache-2.0.48 installation to
   another machine, replaced the certificate file ( server.crt )
   with another certificate ( but same file name ), and made
   some small changes in httpd.conf and ssl.conf. Of course,
   this did not work. Is there any way that I can generate a
   new private key ( server.key file ) according to the
   public key in the new certificate file ? Or should I remove
   everything and install again, the proper way ?

Regards

Anders

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

Daniel Lopez | 6 Feb 2004 18:35

Re: symmetric or asymmetric ?


> 1. The modssl web site refers to the SSL cryptography algorithm
>    as being conventional, or symmetric. But mod-ssl uses public
>    and private keys, which are known as parts of asymmetric
>    cryptography. Any explanation ?

Asymmetric cryptography is used to agree and exchange keys for symmetric
cryptography (much faster)

> 2. I copied a mod-ssl-enhanced apache-2.0.48 installation to
>    another machine, replaced the certificate file ( server.crt )
>    with another certificate ( but same file name ), and made
>    some small changes in httpd.conf and ssl.conf. Of course,
>    this did not work. Is there any way that I can generate a
>    new private key ( server.key file ) according to the
>    public key in the new certificate file ? Or should I remove
>    everything and install again, the proper way ?

"it did not work" does not tell us much :) Which errors did you get?
What did you change? What is the current conf?

Since you are just starting with mod_ssl, I suggest reinstalling from
scratch rather than trying to figure out what may be going wrong.
You can find detailed information on how SSL works (symm/asymm.,
certificates, etc.) and how to get Apache 2 + mod_ssl working on a chapter I
have online at 

http://www.apacheworld.org/ty24/site.chapter17.html

Cheers

Mads Toftum | 6 Feb 2004 21:26

Re: symmetric or asymmetric ?

On Fri, Feb 06, 2004 at 06:09:45PM +0100, Ringaby Anders wrote:
> 
> 
> Hello !
> 
> I am one of many mod-ssl beginners, and I have two questions.
> 
> 
> 1. The modssl web site refers to the SSL cryptography algorithm
>    as being conventional, or symmetric. But mod-ssl uses public
>    and private keys, which are known as parts of asymmetric
>    cryptography. Any explanation ?
> 
mod_ssl uses both - if you want the details, read:
http://httpd.apache.org/docs-2.0/ssl/ssl_intro.html

> 2. I copied a mod-ssl-enhanced apache-2.0.48 installation to
>    another machine, replaced the certificate file ( server.crt )
>    with another certificate ( but same file name ), and made
>    some small changes in httpd.conf and ssl.conf. Of course,
>    this did not work. Is there any way that I can generate a
>    new private key ( server.key file ) according to the
>    public key in the new certificate file ? Or should I remove
>    everything and install again, the proper way ?
> 
There's nothing that should keep the keys from working on different
machines, so chances are that it is either the installation or the
configuration that failed.

vh

R McIntosh | 8 Feb 2004 00:26

Re: apache ssl handshake timeout on ie6 and windows 2000

I believe I have found the solution. Apparently, it was a bug
introduced in SP1 and now fixed in SP4 for Windows 2000:

    http://support.microsoft.com/default.aspx?kbid=305217

Thanks,
-R

R McIntosh wrote:

> Hello OpenSSL and ModSSL users,
>
> I am running apache-1.3.29, mod_ssl-2.8.16-1.3.29, and openssl 0.9.7c.
>
> Users at a specific LAN on the internet accessing our CGI application
> sometimes lock at some random place in our application. Once this
> happens, it will lock up again at the same page if they quit their
> browser and try again. They are running a patched IE6 on Windows
> 2000. We only have this problem with this one client's site.
>
> Here is the error from my log file:
>
> [Tue Dec 30 08:19:10 2003] [error] mod_ssl: SSL handshake timed out 
> (client X.X.X.X, server www.partnersmith.com:443)
>
> The ssl-engine log has no additional information. 
> When the connection does work, it uses Protocol: SSLv3, Cipher: 
> RC4-MD5 (128/128 bits)
>
> I have the usual stuff for ie in my httpd.conf:

Rory Chisholm | 10 Feb 2004 14:13

Expired CA Certificate

This isn't totally modssl related but maybe someone knows the answer.

I'm using OpenSCEP with openssl. My CA Certificate has just expired.
Now since our VPN sees very little use (only one important user) I'd like
to re-issue the x509 CA certificate with the same key but different
attributes (a later expiry date).

Can this be done without re-generating every certificate ever issued from
scratch? The real question here is: do x509 certificates that have been
signed by a CA certificate store a hash of the CA certificate based solely
on the CA's key, or based on the full CA certificate including its
attributes?

Has anyone had any experience doing this ?

			Thanks for any help,

					Rory Chisholm


Shea Janet B CRBE | 10 Feb 2004 15:09

FW: SSL stopped working

Second try - this apparently did not make it to the list yesterday. And - an update:

SSL works some of the time - could this point to a lack of entropy? I am using egd-0.9 since this is a Solaris 7 machine.

Janet Shea

>  -----Original Message-----
> From: 	Shea Janet B CRBE  
> Sent:	Monday, February 09, 2004 15:30
> To:	'modssl-users <at> modssl.org'
> Subject:	SSL stopped working
> 
> I had SSL working on my site on Friday. Today, every time I try to access it via SSL, I receive "This page
> cannot be displayed".
> In Apache's error log, I get the following entry for each attempt:
> 
> [Mon Feb  9 08:08:55 2004] [error] mod_ssl: SSL handshake failed (server scribe.
> dt.navy.mil:443, client xxx.xxx.xxx.xxx) (OpenSSL library error follows)
> [Mon Feb  9 08:08:55 2004] [error] OpenSSL:error:1408F455:SSL routines:SSL3_GET
> _RECORD:decryption failed or bad record mac
> 
> I have tried researching this in the archives, but so far, I have not found anything I can use.
> 
> Where do I look to fix this error?
> 
> The software:
>     Solaris 7
>     Apache 1.3.29
>     mod_ssl-2.18.16-1.3.29
>     openssl-0.9.6l

Florian Yanez | 10 Feb 2004 23:04

RE: Expired CA Certificate

We recently had a problem with our Verisign Intermediate CA Certificate.
This link (https://www.verisign.com/support/site/caReplacement.html) points
to how they said to fix the problem.  Your case may be similar.

Florian Yanez
Manager of Technical Systems
Helzberg Diamond Shops, Inc.
fdyanez <at> helzberg.com
816-627-1253

-----Original Message-----
From: owner-modssl-users <at> modssl.org
[mailto:owner-modssl-users <at> modssl.org]On Behalf Of Rory Chisholm
Sent: Tuesday, February 10, 2004 7:14 AM
To: modssl-users <at> modssl.org
Subject: Expired CA Certificate

This isn't totally modssl related but maybe someone knows the answer.

I'm using OpenSCEP with openssl. My CA Certificate has just expired.
Now since our VPN sees very little use (only one important user) I'd like
to re-issue the x509 CA certificate with the same key but different
attributes (a later expiry date).

Can this be done without re-generating every certificate ever issued from
scratch? The real question here is do x509 certificates that have been
signed by a CA certificate store a hash of the CA certificate based solely
on the CA's key or based on the

Daniel Eggleston | 12 Feb 2004 15:30

force mod_ssl to choose 3DES over RC4 ciphers?

Hello all,

I would like our secure server to default to 3DES 168-bit high
encryption for SSL sessions, but with the ability to fall back to 128-
bit RC4 _only_ if the client doesn't support 3DES. My current cipher-
spec for the SSLCipherSuite directive is 'HIGH:MEDIUM' which, with my
version of OpenSSL, equates to:

EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-
MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5

Is it possible to construct a cipher-spec string that will make
Apache/mod_ssl choose a 3DES cipher when both RC4 and 3DES are
'offered' by the client (most clients seem to offer RC4 ciphers before
3DES ones in the 'Client Hello').

It seems that unless I completely disable RC4 on the server, it always
gets chosen ahead of 3DES :-( This is my first post here so thanks in
advance for any help.

Kind Regards,

Daniel Eggleston
Senior Network Developer
Boxing Orange Ltd

Ringaby Anders | 12 Feb 2004 16:15

variable lookup failed for /opt/apache-2.0.48/conf::private_key


Hello !

Can anyone help me with this one ?

When the sign.sh script runs the following command:

openssl ca -config /opt/apache-2.0.48/conf/ca.config -out $CERT -infiles $CSR

Then I get this error message:

variable lookup failed for /opt/apache-2.0.48/conf::private_key

The private key file is there, and everything, but still ....

Any changes I try to make to the config files ca.config or openssl.cnf
do not make things any better, and no crt-file is created.

What am I doing wrong ?

Regards

Anders


Lutz Jaenicke | 12 Feb 2004 16:28

Re: force mod_ssl to choose 3DES over RC4 ciphers?

On Thu, Feb 12, 2004 at 02:30:06PM -0000, Daniel Eggleston wrote:
> Hello all,
> 
> I would like our secure server to default to 3DES 168-bit high
> encryption for SSL sessions, but with the ability to fall back to 128-
> bit RC4 _only_ if the client doesn't support 3DES. My current cipher-
> spec for the SSLCipherSuite directive is 'HIGH:MEDIUM' which, with my
> version of OpenSSL, equates to:
> 
> EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-
> MD5:RC4-SHA:RC4-MD5:RC2-CBC-MD5:RC4-MD5
> 
> Is it possible to construct a cipher-spec string that will make
> Apache/mod_ssl choose a 3DES cipher when both RC4 and 3DES are
> 'offered' by the client (most clients seem to offer RC4 ciphers before
> 3DES ones in the 'Client Hello').
> 
> It seems that unless I completely disable RC4 on the server, it always
> gets chosen ahead of 3DES :-( This is my first post here so thanks in
> advance for any help.

There is no such way by modifying the cipher suite.
The server always chooses the first ciphersuite supported by the server
according to the list sent by the client.
OpenSSL 0.9.7 does support an option to change this behaviour such that
the server's preferences are used, but to my best knowledge there is no
switch in mod_ssl to set this flag.

Best regards,
	Lutz
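The selection rule Lutz describes, as an added example that is not part of the thread: the server walks the client's Client Hello order by default, so reordering the server's own list changes nothing, while the OpenSSL server-preference option walks the server's list instead. The cipher names come from the 'HIGH:MEDIUM' expansion quoted above; the client order is constructed to match the poster's observation (RC4 first).

```python
# Simulation of SSL cipher suite negotiation (not OpenSSL or mod_ssl code).

# Server list: the thread's 'HIGH:MEDIUM' expansion, reordered so that the
# 3DES suites come first (the order the poster wants the server to prefer).
SERVER_CIPHERS = [
    "EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA", "DES-CBC3-SHA",
    "DES-CBC3-MD5", "RC4-SHA", "RC4-MD5", "RC2-CBC-MD5",
]

# Constructed Client Hello order: RC4 suites ahead of 3DES, as observed.
CLIENT_HELLO = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA"]


def select_cipher(client_offered, server_allowed, server_preference=False):
    """Return the negotiated suite, or None when the two lists do not overlap.

    server_preference=False mirrors the default behaviour Lutz describes:
    the first entry in the *client's* list that the server also allows wins.
    server_preference=True mirrors OpenSSL's server-preference option:
    the first entry in the *server's* list that the client also offered wins.
    """
    if server_preference:
        for suite in server_allowed:
            if suite in client_offered:
                return suite
    else:
        for suite in client_offered:
            if suite in server_allowed:
                return suite
    return None


def without_rc4(server_allowed):
    """Model the only lever the thread leaves: excluding RC4 on the server."""
    return [s for s in server_allowed if not s.startswith("RC4")]


if __name__ == "__main__":
    print("client order, default  :", select_cipher(CLIENT_HELLO, SERVER_CIPHERS))
    print("server preference      :",
          select_cipher(CLIENT_HELLO, SERVER_CIPHERS, server_preference=True))
    print("RC4 removed on server  :",
          select_cipher(CLIENT_HELLO, without_rc4(SERVER_CIPHERS)))
```

Note that with RC4 removed, a client offering only RC4 gets no suite at all, which is the trade-off the poster was trying to avoid.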
