Re: firefox 2 (but not 1.5) hangs with https

On Thu, Nov 30, 2006 at 21:00:49 +0000 (+0000), adrian wrote:
[snip]
> The gaps are as long as KeepAliveTimeout is set to in apache.conf
> (15sec normally) if I change it to 5 seconds then the gaps also drop to
> 5 seconds.  The file in question is always a flash (.swf) file, the
> request times I see are like this:

I think that bit was sheer luck, it seems to be unrelated (which makes
more sense since I've turned KA off to try and debug what's going on.

I've changed all my browser settings down to the bare minimum - no
persistent connections, 1 connection at once, no pipelining etc.

What I can see is after the initial syn, syn/ack, ack from the
browser, there is a typically just under 15s wait until it sends
Client Hello.

I wondered if this was due to lack of entropy so I've symlinked
/dev/random to /dev/urandom temporarily (no help), and I've tried
wiggling the mouse around (not sure where firefox gets randomness
from).  This hasn't helped either.

OTOH I'm suprised no-one else has seen this, but since the file in
question is .swf fetched via javascript, maybe that's why?   Trying a
dummy page with just 50 images on it, the client hello is always
instantaneous.

Very puzzling (well to me at least )

Adrian 

Re: SSL access from my apache.

Re: SSL access from my apache.

On Sun, Dec  3, 2006 at 22:43:27 -0800 (-0800), Yvo van Doorn wrote:
> You'll probably have better luck going to the httpd users mailing 
> list
> (found at http://httpd.apache.org) as opposed to this one as this 
> mod_ssl is
> developed for apache 1.x not apache 2.x

Ah, many thanks!

Adrian 
--

-- 
Adrian Bridgett - adrian <at> smop.co.uk
GPG key available on public key servers
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

Re: How to notified application server that ssl session has expired.

Nobody to help me?
Claude
----- Original Message ----- 
From: "Claude Libois" <claude.libois <at> guest.minfin.fed.be>
To: <modssl-users <at> modssl.org>
Sent: Monday, November 20, 2006 4:07 PM
Subject: How to notified application server that ssl session has expired.

> Hello
> For our project we have integrated an electronical identity card( eID) 
> authentication. This card contains a certificate that is used to establish 
> an ssl two ways connection with our apache 2.0.54. This certificate is 
> validated by an OCSP server.
> When ssl connections is established, user's certificate is forwarded to a 
> J2EE application server (weblogic) which create it's own security context 
> throug a JAAS LoginModule.
> Our problem is that we have to (we don't have the choice)  unloged user 
> when ssl session has expired.
> So my problem is to notify weblogic that ssl session has expired.
> My first idea was to save SSL_SESSION_ID in my J2EE Principal and then 
> compare this id with the current ssl session id of the request.
> So if the current id is different than the id obtained during the 
> authentication process then the user is unloged.
> However, it seems that when I configure a virtualhost in ssl one 
> ways(SSLVerifyClient none) with a per-directory ssl two ways, sometimes my 
> ssl session is renewed and
> my ssl session id is different. If I configure two-ways at virtualhost 
> level this doesn't happen.
> Is there a problem for apache to maintains ssl session if we change the 
> ssl type?
> I read on an older post that we can't rely on SSL_SESSION_ID to know if 
> ssl has expired but I don't see any other way to notify my application 
> server.
> Any suggestion?
>
> Here is my ssl.conf.For information I have specific application apart from 
> the main application which is responsible of the authentication.
>
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl    .crl
> SSLSessionCache        shmcb:logs/ssl_scache(512000)
> SSLSessionCacheTimeout  300
> SSLMutex  file:/home/apache-2.0.54/logs/ssl_mutex
> SLRandomSeed startup builtin
> <VirtualHost *:443>
>      ServerName host
>      ServerAlias host
>      DocumentRoot "/home/apache-2.0.54/htdocs"
>      SSLEngine on
>      SSLCipherSuite -ALL:SSLv3+HIGH:-aNULL!EXPORT56:RC4+RSA
>      SSLProtocol -ALL +SSLv3 +TLSv1
>      # Server Certificate:
>      SSLCertificateFile 
> /home/apache-2.0.54/conf/ssl/certificate/server/host.cert
>      # Server Private Key:
>      SSLCertificateKeyFile 
> /home/apache-2.0.54/conf/ssl/certificate/server/privkey.key
>      SSLCertificateChainFile 
> "/home/apache-2.0.54/conf/ssl/certificate/chain/chain.pem
>      SSLOptions +StrictRequire +StdEnvVars +ExportCertData
>      RequestHeader add SSL_SESSION_ID "%{SSL_SESSION_ID}e"
>      SetEnvIf User-Agent ".*MSIE.*" ssl-unclean-shutdown
>      SSLVerifyClient  none
>      SSLCACertificateFile 
> "/home/weblogic/apache-2.0.54/conf/ssl/certificate/trusted_certificate/client-trusted-list.pem"
>    #Application that does the authentication
>    <Location /Authentication>
>      SetHandler weblogic-handler
>     WebLogicCluster host:7001
>    </Location>
>    #main application that needs authentication
>    <Location /WebAppTestAuthentication>
>      SetHandler weblogic-handler
>     WebLogicCluster host:7001
>    </Location>
>    #Two-ways connection is only established when calling this struts 
> action
>      <Location /Authentication/logineID.do >
>      SSLVerifyClient require
>      RequestHeader add WL-Proxy-SSL "true"
>      RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e"
>      RequestHeader add SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e"
>      Allow from all
>       </Location>
>
>    </VirtualHost>
>
>
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> User Support Mailing List                      modssl-users <at> modssl.org
> Automated List Manager                            majordomo <at> modssl.org
> 

----------------------------------------------------------------
- Disclaimer: http://www.minfin.fgov.be/disclaimer.htm
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

Mod_ssl_error

Visit our website at http://www.ubs.com

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.

mod_ssl for apache 2.x?

Hi,

Does mod_ssl work on Apache 2.x? Why does it say mod_ssl is for 1.3 everywhere?

Is there any other ssl solution to apache 2.x?

Thanks,
Bahadir
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

Re: mod_ssl for apache 2.x?

On Fri, Dec 29, 2006 at 08:31:32PM +0000, Bahadir Balban wrote:
> Does mod_ssl work on Apache 2.x? Why does it say mod_ssl is for 1.3 
> everywhere?

Because the version of mod_ssl you find at modssl.org is only for 1.3.
> 
> Is there any other ssl solution to apache 2.x?
> 
--enable-ssl when configuring apache 2 - mod_ssl is included in the
apache httpd-2.x source.

vh

Mads Toftum
--

-- 
http://soulfood.dk
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

beyond basic authentication

Hi,

In apache documentation I only see references to "basic
authentication" be it with hashing or with a dbm file.

In windows asp.net also mentioned is a "forms-based authentication",
which I believe can also be implemented on apache. Is there a
walkthrough guide for anything beyond basic authentication on apache?

For example, how could I serve content based on username, how could I
send passwords in encrypted form? How could I make use of signed
cookies, maintain a session with the same user, etc. Any books to
cover such web development recipes using apache? Preferably using
mod_python?

Thanks,
Bahadir
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

Re: beyond basic authentication

Quoth Bahadir Balban at 12/30/2006 08:16 AM...

> For example, how could I serve content based on username, how could I
> send passwords in encrypted form? How could I make use of signed
> cookies, maintain a session with the same user, etc. Any books to
> cover such web development recipes using apache? Preferably using
> mod_python?

All you need to do is to maintain state, either by using cookies
(easiest) or by getting your software to maintain persistent variables
through the query string (messy).

As this is the modssl list, I am assuming that you are doing this
through an SSL connection.  Passwords, therefore, would be encrypted
along with the rest of the data.

So, you send the encrypted user name and password and - if OK - set a
cookie that contains the user name and a hash (MD5,SHA1,etc) of the user
name and a secret string provided by the server.  (Or just the user name
and a hash of the user name and password that can be checked every time
you change page.)

You would need to either a) know that your clients can all accept
cookies, such as in an intranet situation, b) have a fall-back mechanism
to work when cookies are not available or c) disclaim that your system
will not work without cookies.  You may be able to get away with this,
but check up on your local accessibility laws (if any).

One thing to always bear in mind is that - except in an intranet
situation - you cannot assume anything of the user agent.  If you do
anything clever using JavaScript, say to create a name/password hash
client-side, always provide a means of fallback in case  the method
(JavaScript, etc), is not available.

So, you don't really need to involve Apache in the equation, as your
scripted solution (mod_python, etc) can take care of this.  PHP is
rather clever in this respect in that it can look after session
variables [to preserve state] for you.  I have written similar
mechanisms in Perl, but prefer the PHP solution as it is easier.

At the end of the day, personally, I use basic authentication + SSL for
all my applications.  The only disadvantage is the restriction of one
SSL virtual host per IP address/port.

Hope this gives you some ideas.

Cheers

M

--

-- 
Matthew Smith
IT Consultancy & Web Application Development
Business: http://www.kbc.net.au/
Personal: http://www.smiffysplace.com/
LinkedIn: http://www.linkedin.com/in/smiffy
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org

apache segfaults on startup after specifying the certificate file and key

Hi all,
I am running freebsd 6.1 and apache 2.2.0_7
I am new to SSL and have configured a self-signed certificate  
according to http://slacksite.com/apache/certificate.html
I placed the .crt and .pem files in /usr/local/etc/apache22 and set  
the .pem file readable only by root
When I start up apache it gives a segmentation fault and stops.
When set the logging option in httpd.conf to debug.
The log file shows the following before the seg fault:

[Sat Dec 30 00:48:27 2006] [info] Init: Seeding PRNG with 136 bytes  
of entropy
[Sat Dec 30 00:48:27 2006] [info] Loading certificate & private key  
of SSL-aware server
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_pphrase.c(469):  
unencrypted RSA private key - pass phrase not required
[Sat Dec 30 00:48:27 2006] [info] Init: Generating temporary RSA  
private keys (512/1024 bits)
[Sat Dec 30 00:48:27 2006] [info] Init: Generating temporary DH  
parameters (512/1024 bits)
[Sat Dec 30 00:48:27 2006] [info] Init: Initializing (virtual)  
servers for SSL
[Sat Dec 30 00:48:27 2006] [info] Configuring server for SSL protocol
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(405): Creating  
new SSL context (protocols: SSLv2, SSLv3, TLSv1)
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(601):  
Configuring permitted SSL ciphers [ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH: 
+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL]
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(729):  
Configuring RSA server certificate
[Sat Dec 30 00:48:27 2006] [warn] RSA server certificate CommonName  
(CN) `mail.reoins.com' does NOT match server name!?
[Sat Dec 30 00:48:27 2006] [debug] ssl_engine_init.c(768):  
Configuring RSA server private key
[Sat Dec 30 00:48:27 2006] [info] Server: Apache/2.2.0, Interface:  
mod_ssl/2.2.0, Library: OpenSSL/0.9.8a
[Sat Dec 30 00:48:27 2006] [info] mod_unique_id: using ip addr  
209.163.210.42

Thanks for any help or suggestions.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users <at> modssl.org
Automated List Manager                            majordomo <at> modssl.org