jeff sacksteder | 2 Sep 2006 01:50

problem with dynamic dns

I have an Apache2/ssl server on a dynamic ip address with dns serviced by a dynamic dns provider. The problem is that if the address changes, after the dynamic record gets updated, ssl no longer works.  Any resources for which ssl is mandatory produce only server errors.

Apache seems to cache some sort of dns information in-process on startup. Restarting my httpd processes fixes the symptom, but I don't want to restart it every 15 minutes. I'd like to know what is happening and what to do to mitigate this.

Joe Orton | 4 Sep 2006 10:17

Re: Certificate and CRL Path Validation Error

On Thu, Aug 31, 2006 at 09:17:10AM -0400, Patrick Patterson wrote:
> On Thursday 31 August 2006 09:14, Patrick Patterson wrote:
> 
> > (I'll probably take this over to modssl-devel, but since you asked, I
> > thought that I would bring it up here.)
> >
> 
> Hmm - I thought there WAS a developers mailing list, but apparently I was 
> mistaken - so I guess I have to ask is this the right place to have 
> discussions about the best way to add in the capability for mod_ssl to do 
> full 3280 path validation?

New mod_ssl development generally happens in the httpd 2.x tree, so 
dev <at> httpd.apache.org is where it is discussed.  I don't think Ralf is 
adding new features to mod_ssl 2.8 any more.

Regards,

joe
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

Abdul Rasheed | 5 Sep 2006 17:49

Proxy Pass with SSL redirect

Hi,

I have an SSL-enabled Apache server at the front end and BEA WebLogic at the back end. Recently I installed an SSL certificate successfully and redirected all http requests to https by adding the following lines to the httpd.conf file:

<VirtualHost www.mydomain.com:80>
ServerName www.mydomain.com
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R,NC]
</VirtualHost>

It works smoothly, but the problem is I can't access the page that is actually located on the back end WebLogic server, which is accessed using proxy pass. If I access the pages that are on the back end server using http, it works. Following is the proxy pass portion of the httpd.conf file:

<IfModule mod_proxy.c>

ProxyRequests Off

ProxyPass /topup http://192.xxx.xxx.xxx:8080/topup
ProxyPassReverse /topup http://192.xxx.xxx.xxx:8080/topup

</IfModule>

 

My goal is to forward all http requests to https. Do I really need to install SSL certificates on the back end server? Is there any way to accomplish my goal without installing an SSL certificate on the back end server?

I hope it's clear and hope to have a solution soon.

Best regards,
A.rasheed

Michael Goodell | 5 Sep 2006 21:25

mod_ssl / Apache 2.2.3 / Windows

We are trying to implement: Windows XP, Apache 2.2.3, mod_ssl and running
into problems.

Question:

Is it possible to do this under Windows without compiling Apache from
source?

We were able to get it to work using Apache 2.0.59 after some wrangling with
OpenSSL and cert creation.
(Had to create the certs on a Unix (FreeBSD) system / OpenSSL install)

I would like to ask if there is a how-to document for mod_ssl / Apache 2.2.3
/ Winderz that covers how to do this successfully.

We keep running into Apache complaining it cannot load / find the mod_ssl.so
module. We have taken the proper steps in adding

LoadModule ssl_module modules/mod_ssl.so to the httpd.conf file and adding
the mod_ssl.so file to the modules directory. But every time we attempt to
start the server it fails with the error cannot load / find the mod_ssl.so
file. Are there other files missing? We have OpenSSL installed and the
libeay32.dll & ssleay32.dll installed in system32 directory.

Is there a precompiled mod_ssl.so available for Windows?

Thanks a lot for any direction.


Andrew Rosolino | 6 Sep 2006 21:12

Setting Apache as Single Domain not Whole Root.

I currently bought https:// for my site dtdyno.com. The problem is that if you type https:// for my other sites it will forward to http://dtdyno.com.

 

For example:

https://shiftcode.com goes to https://dtdyno.com

https://dtdyno.com goes to https://dtdyno.com

 

I do not want it to do that for the other domains, only dtdyno.com.

Here is a chunk from my httpd.conf:

 

<IfDefine SSL>
<VirtualHost 66.98.242.36:443>
ServerAlias www.dtdyno.com dtdyno.com
BytesLog domlogs/secure2.dtdyno.com-bytes_log
ServerName secure2.dtdyno.com
ScriptAlias /cgi-bin/ /home/dtdyno/public_html/cgi-bin/
ServerAdmin webmaster <at> dtdyno.com
DocumentRoot /home/dtdyno/public_html
User dtdyno
Group dtdyno
SSLEnable
SSLCertificateFile /home/dtdyno/ssl/certs/dtdyno.com.crt
SSLCertificateKeyFile /home/dtdyno/ssl/private/dtdyno.com.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
</IfDefine>

-------------------------------------------------------

 

Sincerely,

Andrew Rosolino

ShiftCode.com

 

Gaydosh, Adam | 6 Sep 2006 21:26

RE: Question regarding IfDefine tags

Make sure you have these statements in your httpd.conf:
LoadModule ssl_module modules/mod_ssl.so
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>

As for your ssl.conf, there are a couple of things that could be tripping you
up. You can try posting a scrubbed version if you'd like, but the first
thing you need to ensure is "SSLEngine on". Also, I have #<IfDefine
SSL> commented out, if that is what you were referring to. When your
service starts, what does the browser return when you access https? Can
you see that socket actually open, e.g. netstat?

>-----Original Message-----
>From: owner-modssl-users <at> modssl.org 
>[mailto:owner-modssl-users <at> modssl.org] On Behalf Of Robert Denton
>Sent: Tuesday, August 29, 2006 6:16 PM
>To: modssl-users <at> modssl.org
>Subject: Question regarding IfDefine tags
>
>Hello all,
>
>I am hoping someone can clarify this for me:
>
>I am using OpenSSL with Apache2 on windows server.  I do not 
>believe that my ssl.conf file is being read when I start the 
>apache service although it is included by http.conf.
>
>I found a snippet online indicating you either need to start 
>apache with -D SSL, or comment out the IfDefine tags in the 
>ssl.conf.  When I do either of these and restart the apache 
>service, the service will not start.
>
>If I do neither of these things, the service starts but I 
>cannot access pages via https. So my question is two-fold:
>
>1. Why will the service not start when the IfDefine tags are 
>commented out. Is it because apache is now trying to parse the 
>contents of ssl.conf but running into something it doesn't 
>understand? If so, wouldn't this show in error.log?
>
>2. Is there a more appropriate forum or mailing list to take 
>my troubles to?
>
>Thanks!
>


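The checks listed in the reply above (LoadModule, the Include of ssl.conf, and "SSLEngine on" not being hidden inside an inactive <IfDefine SSL> block) can be run against the config text before starting the service. This is an added example, not code from either poster or from the Apache project; the function names and the sample files are assumptions made up for illustration, and only <IfDefine> is evaluated (not <IfModule>).

```python
import re

IFDEFINE_OPEN = re.compile(r"<IfDefine\s+(!?)(\w+)\s*>", re.I)
IFDEFINE_CLOSE = re.compile(r"</IfDefine\s*>", re.I)

def active_directives(conf_text, defines=()):
    """Lines Apache acts on: comments dropped, and <IfDefine X> blocks
    dropped unless X was passed with -D (only IfDefine is evaluated here)."""
    defined = {d.upper() for d in defines}
    stack, out = [], []      # stack: one bool per open <IfDefine> block
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = IFDEFINE_OPEN.match(line)
        if m:
            negated = m.group(1) == "!"
            stack.append((m.group(2).upper() in defined) != negated)
        elif IFDEFINE_CLOSE.match(line):
            if stack:
                stack.pop()
        elif all(stack):
            out.append(line)
    return out

def check_ssl_setup(httpd_conf, ssl_conf, defines=()):
    """Run the reply's three checks; returns {check name: passed?}."""
    main = active_directives(httpd_conf, defines)
    ssl = active_directives(ssl_conf, defines)
    def has(lines, pattern):
        return any(re.match(pattern, l, re.I) for l in lines)
    return {
        "LoadModule ssl_module": has(main, r"LoadModule\s+ssl_module\s+\S+"),
        "Include ssl.conf": has(main, r"Include\s+\S*ssl\.conf"),
        "SSLEngine on": has(ssl, r"SSLEngine\s+on\b"),
    }

# Constructed sample files (not taken from the thread).
HTTPD_CONF = """LoadModule ssl_module modules/mod_ssl.so
<IfModule mod_ssl.c>
    Include conf/ssl.conf
</IfModule>"""
SSL_CONF = """<IfDefine SSL>
<VirtualHost _default_:443>
SSLEngine on
</VirtualHost>
</IfDefine>"""

if __name__ == "__main__":
    print(check_ssl_setup(HTTPD_CONF, SSL_CONF))           # without -D SSL
    print(check_ssl_setup(HTTPD_CONF, SSL_CONF, ["SSL"]))  # with -D SSL
```

With the sample files, the "SSLEngine on" check fails until either "SSL" is passed as a define or the IfDefine tags are commented out, which is the case where the service starts but nothing answers on https.
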
anurag.jain | 16 Sep 2006 18:28

Re: Welcome to modssl-users

Hi,

I am facing the problem below, which is causing performance deterioration:

[Fri Sep 15 15:09:17 2006] [error] mod_ossl: SSL call to NZ function 
nzos_Handshake failed with error 28864 (server apssrv.com:443, client 
xxx.xxx.x.xxx)
[Fri Sep 15 15:09:17 2006] [error] mod_ossl: SSL IO error [Hint: the 
client stop the connection unexpectedly]

Please suggest how to control it.

Regards,
Anurag Jain

----- Original Message -----
From: majordomo <at> modssl.org
Date: Sunday, September 17, 2006 0:20 am
Subject: Welcome to modssl-users

> --
> 
> Welcome to the modssl-users mailing list!
> 
> Please save this message for future reference.  Thank you.
> 
> If you ever want to remove yourself from this mailing list,
> you can send mail to <majordomo <at> modssl.org> with the following
> command in the body of your email message:
> 
>    unsubscribe modssl-users
> 
> or from another account, besides anurag.jain <at> nucleussoftware.com:
> 
>    unsubscribe modssl-users anurag.jain <at> nucleussoftware.com
> 
> If you ever need to get in contact with the owner of the list,
> (if you have trouble unsubscribing, or have questions about the
> list itself) send email to <owner-modssl-users <at> modssl.org> .
> This is the general rule for most mailing lists when you need
> to contact a human.
> 
> Here's the general information for the list you've subscribed to,
> in case you don't already have it:
> 
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      modssl-users <at> modssl.org
> Automated List Manager                            majordomo <at> modssl.org
> 

Mark Leone | 18 Sep 2006 06:47

Upgraded to Mac OSX Tiger and now apachectl -startssl no longer needed

I finally got around to upgrading my Mac to Tiger. I had to copy my old 
httpd.conf file to the proper directory; but other than that it works fine.

However, apachectl no longer accepts "startssl" as an argument (it 
returns with a "usage" instruction that prescribes start, stop, etc.). 
It works fine with "apachectl start"; but to my surprise the server that 
starts up with this command accepts https requests and sends the cert I 
set up previously.

I could re-build and re-install apache and mod_ssl as I did originally 
before the OS upgrade, but do I need to bother with that? I remember 
that apachectl should require startssl as an argument in order to 
startup the SSL server, so it seems something weird is going on, and I 
wonder if I need to make it behave the way it used to.

-Mark


Waller, Lonie | 18 Sep 2006 15:40

Certificate issue.

Hello,
 
Was wondering if anyone has seen this error and can help me correct it? It is for a test box; a self-signed certificate is all I need.
 
Thanks
Lonie
 

HTTP Status 500 -

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:319)
	edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:225)

root cause

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
	com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
	com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
	com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
	com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)
	com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
	com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
	com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
	com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
	com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
	com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
	sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
	sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:170)
	sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:913)
	sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
	edu.yale.its.tp.cas.util.SecureURL.retrieve(SecureURL.java:70)
	edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(ServiceTicketValidator.java:278)
	edu.yale.its.tp.cas.client.filter.CASFilter.getAuthenticatedUser(CASFilter.java:283)
	edu.yale.its.tp.cas.client.filter.CASFilter.doFilter(CASFilter.java:225)

note The full stack trace of the root cause is available in the Apache Tomcat/5.0.27 logs.

Apache Tomcat/5.0.27


mod_ssl and Apache with gSoap

Hi,

   This is regarding using Apache server with mod_ssl and mod_gsoap
modules. I am confused as to who would handle the certificate
verification in such a case where the directive 'SSLVerifyClient' is set
to 2. I understand gSoap has its own authentication layer for users and
might actually interrupt the usual HTTPS certificate verification
process. Please let me know if any specific configurations can ensure
that mod_ssl would certify clients before allowing access to gSoap web
services.

Thanks in Advance,
Prashanth

