apache_ssl

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



Subject: Re: apache https (SSL)
From: "Greg Wright" <redhat_list@mail.com>
Date: Wed, 14 Jun 2000 02:34:18 +1000


On 13/06/00 at 8:57 Adv. Systems Design wrote:

>Hello:
>
>Used to be that getting a https server (or an SSH rpm)
>was as easy as going to replay...I am finding out that
>replay is now some vcr-type device, and I gather that
>SSH is no longer free...thus openSSH...
>
>How about an HTTPS server? Anyone know of a howto or
>RPM that provide such a service (http over SSL)?
>
>Pointers or help appreciated!
>

Replay is now zedz.net, I have an SSL rpm up there, or maybe it's
been replaced now, Gordon M has one as well AFAIK, ftp.eburg.?? (org,
com, net), see the archives to be sure.  I can send a 1.3.9 RPM if reqd,
message me privately if you cannot find elsewhere.

Regards

Greg Wright
IT Consultant Sydney Australia

===



Subject: Re: apache https (SSL)
From: "Adv. Systems Design" <asd_2000@yahoo.com>
Date: Tue, 13 Jun 2000 20:20:48 -0700 (PDT)

Jason Costomiris <jcostom@jasons.org> wrote:

> On Tue, Jun 13, 2000 at 06:37:26PM +0200, Bernhard Rosenkraenzer wrote:
> 
> : > How about an HTTPS server? Anyone know of a howto or
> : > RPM that provide such a service (http over SSL)?

> ftp://ftp.redhat.de/pub/rh-addons/security/current/
> 
> Bero, et al. have done a wonderful job with this
> stuff, however, you may
> find that their pre-built stuff doesn't fit every
> need exactly, leaving
> you to go back to the source.  For situations like
> that, I've got a howto
> that helps.
> 
> http://www.jasons.org/modssl.php
> 
> Coming soon: integration of the php-4.0.0 rpm I've
> been testing.

Well, well...ask and you shall receive! This is
exactly what I wanted to implement (apache, ssl, php,
mysql, rh6.2). I did find the apache-ssl-1.3.6_1.35-3
rpms in contrib but I am getting a nasty seg fault
(11) every time I try to connect to the https
server...guess I will look into mod_ssl...btw, I have
php4 working and its humming along nicely...

===

Subject: Re: apache https (SSL)
From: "Michael J. McGillick" <mike@universe.ne.mediaone.net>
Date: Wed, 14 Jun 2000 08:17:40 -0400 (EDT)

I was getting a segfault as well when installing apache-ssl-1.3.9.  Try
downloading the source and rebuilding on your machine:

   rpm -ba apache-ssl.spec

Also, make sure that your httpsd.conf is configured correctly.  This seems
to have done the trick for me.

===

Subject: Re: apache https (SSL)
From: "Adv. Systems Design" <asd_2000@yahoo.com>
Date: Wed, 14 Jun 2000 12:51:44 -0700 (PDT)

Where did you get the 1.3.9. spec file? Can you use
the  1.3.6 spec file to build a 1.3.9 rpm? I've been
meaning to learn more about RPM, but I just cant seem
to find the time.

===

Subject: [OFF-TOPIC] Apache-SSL Question
From: "Michael J. McGillick" <mike@universe.ne.mediaone.net>
Date: Thu, 15 Jun 2000 08:27:53 -0400 (EDT)


Good Morning:

I'm running Apache-SSL 1.3.12 on my machine at home.  I'm interested in
setting up virtual domains so that at least 2 of the domains I host can
take advantage of the secure connection.  Under regular Apache, I would go
in and set up the following:

   NameVirtualHost 24.218.83.113  <--- (My IP Address)

   <VirtualHost 24.218.83.113>
       ServerAdmin root@universe.ne.mediaone.net
       DocumentRoot /home/httpsd/software-specialists.net
       ServerName www.software-specialists.net
       ErrorLog software-specialists.net-error_log
       CustomLog software-specialists.net-access_log common
   </VirtualHost>

   <VirtualHost 24.218.83.113>
       ServerAdmin root@universe.ne.mediaone.net
       DocumentRoot /home/httpsd/american-pastime.com
       ServerName www.american-pastime.com
       ErrorLog american-pastime.com-error_log
       CustomLog american-pastime.com-access_log common
   </VirtualHost>

I did the same in the httpsd.conf for Apache-SSL.  Well, I seem to be
missing something here, because when I try to restart httpsd, I get an
error message referring to something about the certificate.  I'm pretty
sure that this indicates that I need a certificate for each site.

Is there a way to use one certificate (I'm using a fake one right now,
until I get this set up) for each virtual domain I want to set up, or does
each domain need its own certificate?  In either event, has anyone ever
done this, or know the steps to set this up?

===

Subject: Re: [OFF-TOPIC] Apache-SSL Question
From: Charles Galpin <cgalpin@lighthouse-software.com>
Date: Thu, 15 Jun 2000 08:48:03 -0400 (EDT)

On Thu, 15 Jun 2000, Michael J. McGillick wrote:

> Good Morning:
> 
> I'm running Apache-SSL 1.3.12 on my machine at home.  I'm interested in
> setting up virtual domains so that at least 2 of the domains I host can
> take advantage of the secure connection.  Under regular Apache, I would go
> in and set up the following:
> 
>    NameVirtualHost 24.218.83.113  <--- (My IP Address)

You cannot do this with name based virtual hosting. You need a separate IP
for each domain you want to have a certificate for.

===

Subject: RE: [OFF-TOPIC] Apache-SSL Question
From: "Brian Wright" <bdw@Aturna.com>
Date: Thu, 15 Jun 2000 10:01:08 -0700


Michael J. McGillick [mailto:mike@universe.ne.mediaone.net] wrote:

> I'm running Apache-SSL 1.3.12 on my machine at home.  I'm interested in
> setting up virtual domains so that at least 2 of the domains I host can
> take advantage of the secure connection.  Under regular Apache, I would go
> in and set up the following:
> 
>    NameVirtualHost 24.218.83.113  <--- (My IP Address)
> 
>    <VirtualHost 24.218.83.113>
>        ServerAdmin root@universe.ne.mediaone.net
>        DocumentRoot /home/httpsd/software-specialists.net
>        ServerName www.software-specialists.net
>        ErrorLog software-specialists.net-error_log
>        CustomLog software-specialists.net-access_log common
>    </VirtualHost>
> 
>    <VirtualHost 24.218.83.113>
>        ServerAdmin root@universe.ne.mediaone.net
>        DocumentRoot /home/httpsd/american-pastime.com
>        ServerName www.american-pastime.com
>        ErrorLog american-pastime.com-error_log
>        CustomLog american-pastime.com-access_log common
>    </VirtualHost>
> 
> I did the same in the httpsd.conf for Apache-SSL.  Well, I seem to be
> missing something here, because when I try to restart httpsd, I get an
> error message referring to something about the certificate.  I'm pretty
> sure that this indicates that I need a certificate for each site.
> 
> Is there a way to use one certificate (I'm using a fake one right now,
> until I get this set up) for each virtual domain I want to set up, or does
> each domain need its own certificate?  In either event, has anyone ever
> done this, or know the steps to set this up?

Each domain needs its own certificate, I believe. :(  They base it on the
domain name, not the IP address.  Thawte.com is a good place to go get info
on that.

BTW, where did you get the Apache-SSL?  Did you use an RPM?

===

Subject: RE: [OFF-TOPIC] Apache-SSL Question
From: "Greg Wright" <redhat_list@mail.com>
Date: Fri, 16 Jun 2000 03:36:54 +1000





On 15/06/00 at 10:01 Brian Wright wrote:

>Hi, Mike!

>Each domain needs its own certificate, I believe. :( They
>base it on the domain name, not the IP address.  Thawte.com
>is a good place to go get info on that.

That's true, but what Charles pointed out is correct, you cannot do multiple
domains on one IP with SSL, you can do virtual hosting ok, just get IP's

===

Subject: Re: [OFF-TOPIC] Apache-SSL Question
From: Gordon Messmer <yinyang@eburg.com>
Date: Thu, 15 Jun 2000 11:22:14 -0700

"Michael J. McGillick" wrote:
> Is there a way to use one certificate (I'm using a fake one right now,
> until I get this set up) for each virtual domain I want to set up, or does
> each domain need its own certificate?  In either event, has anyone ever
> done this, or know the steps to set this up?

Nope, every domain needs its own certificate.  I've included a shell
script that will help you easily generate certificates using openssl. 
Read it :)

Because the HTTP request is made _after_ the SSL session is negotiated,
you'll have to run your hosts on different IP's (as others pointed out)
OR different ports.  Choose whichever you think will work for you.  You
can specify a port number in the <VirtualHost ...> tag, along with the
IP.

filename="Generate_SSL_Certificate"

#!/bin/sh

#
# This is a self documenting shell script.  It is intended that you read
#  this file before executing it.
# There are a few things that should be checked further:
#  1) This script creates new private keys for every CSR.  As far as I know,
#     you can create any number of CSR's using the same key.  Are there any
#     advantages/disadvantages to creating new keys for each certificate?
#     Should we be reusing keys?
#  2) This script unencrypts the private key so that apache can use it.
#     Does apache-ssl need the key to function?  If not, we can avoid 
#     keeping an unencrypted key around, and avoid specifying that file
#     in apache's configs.
#
# This script should be run in /usr/local/ssl/certs.archive/<DOMAIN>/<YEAR>,
#  so that we can keep an archival copy of all certificates, and related
#  files.
# Once finished, the certificate should be placed in /usr/local/ssl/certs,
#  and the private key (unencrypted) should be in /usr/local/ssl/private
#
# All of the files in /usr/local/ssl/private should be mode 0400, and owned
#  by root.  Apache will read them as root, before it drops root permissions.
# The original keys should also be mode 0400 and owned by root.
#

PATH=$PATH:/usr/local/ssl/bin

#
# Give the domain name as the first argument to this script.
#
DOMAIN=$1
[ "$DOMAIN" = "" ] && {
	echo "No domain given"
	exit 1
}

#
# If you wish to have an organization's name attached to this certificate,
#  then it should be the second argument to this script.
# Because SSL does not require this field, no default is given.  However, 
#  Thawte may require an organization's name to be attached to a certificate,
#  so this script SHOULD be called as:
#  ./Generate_SSL_Certificate <DOMAINNAME> "<Organization Name>"
#
ORG=$2
[ "$ORG" = "" ] && {
	echo "No organization name given, using \".\""
	ORG="."
}
EMAIL=$3
[ "$EMAIL" = "" ] && {
	echo "No email address given, using support@eburg.com"
	EMAIL=support@eburg.com
}

#
# The first step in generating a certificate is to generate a CSR, or
#  certificate request.  This step will also generate an encrypted, 
#  private key, called privkey.pem.  Don't lose this file, or the
#  password used to encrypt the key.  That would be bad.
#
openssl req -new > ${DOMAIN}.csr <<EOF
US
Washington
Ellensburg
${ORG}
.
${DOMAIN}
${EMAIL}


EOF


#
# Now, we remove the password (unencrypt) from the domain's private key.
# The resulting key is used by apache.
#
openssl rsa -in privkey.pem -out ${DOMAIN}.cert.key


#
# Finally, use the CSR (certificate request) and our own private key to
#  create a "self signed" certificate.  This certificate can be used 
#  until a certificate signed by a known authority (eg Thawte) is 
#  available.
#
openssl x509 -in ${DOMAIN}.csr		\
        -out ${DOMAIN}.cert		\
        -req -signkey			\
        ${DOMAIN}.cert.key -days 365

#
# I'm renaming this file for consistency.
#
mv privkey.pem "$DOMAIN.privkey.pem"


#
# We should now have the following files:
#  DOMAIN.privkey.pem		The PEM encrypted private key
#  DOMAIN.cert.key		The unencrypted private key used by apache
#  DOMAIN.csr			The certificate request used by Thawte
#  DOMAIN.cert			The certificate that we signed
#


===


Subject: Re: [OFF-TOPIC] Apache-SSL Question
From: Brian Ashe <brian@dee-web.com>
Date: Thu, 15 Jun 2000 14:42:01 -0400

Hi Michael,

1) Each domain must have its own certificate.

2) Each domain that does not use SSL must be specified as such. (Turn SSL
off for that domain)

3) Any domain that will provide both regular and SSL connections must have a
virtual host set up for each listening on the appropriate port.

4) I cannot confirm or deny the single IP address theory, as I have not
tried it. But I do have some trouble believing it since the ServerName
directive is what gets matched against the certificate and the certificate
has no knowledge of the IP it came from. I could be wrong, it wouldn't be
the first time. But you will probably have to be quite creative about your
Virtual hosting directives to get things working. I would suggest hacking at
it a little before giving up. Especially since @Home is not likely to give
you additional IP addresses just so you can go against their service policy.

5) For the proper set up and directives that you need to use you should go
to www.apache-ssl.org. I would help you out on the directives but I use
mod_ssl and they have different directives, so you are on your own there.

===

Subject: RE: [OFF-TOPIC] Apache-SSL Question
From: "Michael J. McGillick" <mike@universe.ne.mediaone.net>
Date: Thu, 15 Jun 2000 15:16:01 -0400 (EDT)

Brian:

I took the work done by Greg Wright and some others on the
apache-ssl-1.3.9.src.rpm and went in to make the customizations so it
would build the apache-ssl-1.3.12.i386.rpm.  So far, it seems to work
correctly.  It even installs the apache-ssl stuff in its own directory,
httpsd instead of overwriting the httpd stuff.  I actually have both
apache and apache-ssl running at the same time, with separate html
directories for each.

What I'm really stuck on is getting php to work with apache-ssl.  I have
absolutely no problems getting it to work with the regular apache.  I
downloaded the newest php4 source, read through the install instructions
for building a DSO of libphp4.so, and it built with no problems.  I
included 4 flags:

   --with-apxs
   --with-pgsql
   --with-apache=/usr/include
   --with-openssl
   
It built with no error messages, and I see libphp4.so in the
/usr/include/apache directory.  I first tried loading this into regular
apache, and it works beautifully.  I then try loading it into apache-ssl,
and I get the following error message when trying to restart the daemon:

Starting httpsd: Syntax error on line 248 of /etc/httpsd/conf/httpsd.conf:
API module structure `php4_module' in file /usr/lib/apache/libphp4.so is
garbled - perhaps this is not an Apache module DSO?

Any ideas?  Anyone else seen this before?  Am I missing something from the
compile that needs to be included so it knows how to talk correctly
to apache-ssl?  The source for apache is the stock apache-1.3.12 source
from www.apache.org, and the ssl source is from www.apache-ssl.org.

Any clues, hints, suggestions would be greatly appreciated. :)

===

Subject: Re: [OFF-TOPIC] Apache-SSL Question
From: Charles Galpin <cgalpin@lighthouse-software.com>
Date: Fri, 16 Jun 2000 08:14:54 -0400 (EDT)


perhaps if I explain my experience with this, it will help

On Thu, 15 Jun 2000, Brian Ashe wrote:
> 
> 4) I cannot confirm or deny the single IP address theory, as I have not
> tried it. But I do have some trouble believing it since the ServerName
> directive is what gets matched against the certificate and the certificate
> has no knowledge of the IP it came from. I could be wrong, it wouldn't be
> the first time. But you will probably have to be quite creative about your
> Virtual hosting directives to get things working. I would suggest hacking at
> it a little before giving up. Especially since @Home is not likely to give
> you additional IP addresses just so you can go against their service policy.

Let's say you have two domains, a.com and b.com using name based virtual
hosting. 

If the user first visits a.com, they will get given the a.com cert. When
they go to site b.com, they will not be offered a new cert as the browser
thinks they are the same (same IP).

If they stop their browser, and then go to b.com first, they will pick up
the b.com cert, and then when they visit a.com, just like above, they will
not get given the a.com cert.

So if you can live with this behaviour, then fine, but this is not the same
as the behaviour you would get with separate IPs. I consider this not
working properly. Every other aspect of name based virtual hosting is
identical to the ip based counterpart except this...
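
[Added example, not part of any message in this thread.] A check for the situation discussed above, where the server has to pick a certificate from the IP and port alone because the HTTP request arrives after the SSL session is negotiated: it lists every address:port claimed by more than one SSL virtual host. The function names, DEFAULT_PORT and the sample configs (built from the addresses quoted in the thread) are constructed for illustration, and the script assumes every <VirtualHost> in the file it is given is an SSL host.

```shell
#!/bin/sh
# Added example, not code from any message in this thread.
# Assumptions: the file holds only SSL virtual hosts (a dedicated
# httpsd.conf), and an address with no ":port" listens on DEFAULT_PORT.
DEFAULT_PORT=443

# list_ssl_endpoints FILE
# Print one "address:port ServerName" line per address of each
# <VirtualHost> block.
list_ssl_endpoints() {
    awk -v defport="$DEFAULT_PORT" '
        $1 ~ /^#/ { next }                       # comment line
        tolower($1) == "<virtualhost" {
            n = 0
            for (i = 2; i <= NF; i++) {
                a = $i
                sub(/>.*$/, "", a)               # strip the closing ">"
                if (a == "") continue
                if (a !~ /:[0-9*]+$/) a = a ":" defport
                addrs[++n] = a
            }
            name = "(no-ServerName)"
            inside = 1
            next
        }
        inside && tolower($1) == "servername" { name = $2; next }
        tolower($1) == "</virtualhost>" {
            for (i = 1; inside && i <= n; i++) print addrs[i], name
            inside = 0
        }
    ' "$1"
}

# shared_ssl_endpoints FILE
# Print "address:port name1 name2 ..." for each endpoint that more than
# one virtual host claims. Empty output means no endpoint is shared.
shared_ssl_endpoints() {
    list_ssl_endpoints "$1" | awk '
        { count[$1]++; names[$1] = names[$1] " " $2 }
        END { for (e in count) if (count[e] > 1) print e names[e] }
    ' | sort
}

# check_ssl_vhosts FILE
# Return 0 when every SSL host has its own endpoint, 1 otherwise.
check_ssl_vhosts() {
    shared=$(shared_ssl_endpoints "$1")
    if [ -n "$shared" ]; then
        echo "SSL hosts sharing one endpoint (one certificate for all):" >&2
        echo "$shared" >&2
        return 1
    fi
    return 0
}

# write_sample_configs DIR
# Constructed sample input: the name-based layout from the question and
# the one-IP, two-port layout suggested in the replies.
write_sample_configs() {
    cat > "$1/shared.conf" <<'EOF'
NameVirtualHost 24.218.83.113

<VirtualHost 24.218.83.113>
    DocumentRoot /home/httpsd/software-specialists.net
    ServerName www.software-specialists.net
</VirtualHost>

<VirtualHost 24.218.83.113>
    DocumentRoot /home/httpsd/american-pastime.com
    ServerName www.american-pastime.com
</VirtualHost>
EOF
    cat > "$1/ports.conf" <<'EOF'
<VirtualHost 10.10.10.1:4400>
    ServerName a.com
</VirtualHost>
<VirtualHost 10.10.10.1:4500>
    ServerName b.com
</VirtualHost>
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    write_sample_configs "$dir"
    for f in "$dir/shared.conf" "$dir/ports.conf"; do
        if check_ssl_vhosts "$f"; then
            echo "$(basename "$f"): each SSL host has its own endpoint"
        else
            echo "$(basename "$f"): conflict"
        fi
    done
    rm -rf "$dir"
}
demo
```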

===

Subject: Re: [OFF-TOPIC] Apache-SSL Question
From: "Greg Wright" <redhat_list@mail.com>
Date: Fri, 16 Jun 2000 22:57:40 +1000


On 16/06/00 at 8:14 Charles Galpin wrote:

>perhaps if I explain my experience with this, it will help
>
>On Thu, 15 Jun 2000, Brian Ashe wrote:
>> 
>> 4) I cannot confirm or deny the single IP address theory, as I have not
>> tried it. But I do have some trouble believing it since the ServerName
>> directive is what gets matched against the certificate and the certificate
>> has no knowledge of the IP it came from. I could be wrong, it wouldn't be
>> the first time. But you will probably have to be quite creative about your
>> Virtual hosting directives to get things working. I would suggest hacking at
>> it a little before giving up. Especially since @Home is not likely to give
>> you additional IP addresses just so you can go against their service policy.
>
>Let's say you have two domains, a.com and b.com using name based virtual
>hosting. 
>
>If the user first visits a.com, they will get given the a.com cert. When
>they go to site b.com, they will not be offered a new cert as the browser
>thinks they are the same (same IP).
>
>If they stop their browser, and then go to b.com first, they will pick up
>the b.com cert, and then when they visit a.com, just like above, they will
>not get given the a.com cert.
>
>So if you can live with this behaviour, then fine, but this is not the same
>as the behaviour you would get with separate IPs. I consider this not
>working properly. Every other aspect of name based virtual hosting is
>identical to the ip based counterpart except this...
>

Here is another reason, if you intend getting positions on
a search engine, IP's are also needed, even with the normal
Apache, reason...because the search engine crawlers can tell
its a virt host and will not rate it highly, or at all
possibly. I have taken the word of some people in the
hosting industry on this. I cannot give specifics on engines

Anyway, it gets down to if you have IP's or not, if you are
using SSL in a serious way like for submission of Credit
cards etc, I would suggest using the IP and correct cert
method, in fact as Charles has pointed out, most people
place the importance on the certificate being correct (
myself I was always more concerned about the SSL connection,
but then again I understand the certificate warnings) so it
gets down to the end user....again ;-)

===

Subject: Re[2]: [OFF-TOPIC] Apache-SSL Question
From: Brian Ashe <brian@dee-web.com>
Date: Fri, 16 Jun 2000 15:47:01 -0400

Hi Charles,

Thanks for the insight. I can see how that makes sense.

So here's another one for you... (this is just curiosity)

What if you set up the virtual hosts to use alternate port?
ie. a.com 10.10.10.1:4400
    b.com 10.10.10.1:4500
This should fix the problem you were describing, but does leave us with a
new one, which is that now people behind firewalls may not be able to use
the secure connection due to those ports being non-standard.

Now can the redirect directive be used to compensate for this?
ie. redirect http://a.com:443 http://a.com:4400
Or would this need to be mapped for each file instead?

This may not be the exact syntax, but I hope you see what I am after here.

===

Subject: Re: Re[2]: [OFF-TOPIC] Apache-SSL Question
From: Charles Galpin <cgalpin@lighthouse-software.com>
Date: Fri, 16 Jun 2000 21:45:55 -0400 (EDT)

On Fri, 16 Jun 2000, Brian Ashe wrote:

> Thanks for the insight. I can see how that makes sense.
> 
> So here's another one for you... (this is just curiosity)
> 
> What if you set up the virtual hosts to use alternate port?
> ie. a.com 10.10.10.1:4400
>     b.com 10.10.10.1:4500
> This should fix the problem you were describing, but does leave us with a
> new one, which is that now people behind firewalls may not be able to use
> the secure connection due to those ports being non-standard.

I *think* this might work, but don't have the time to try. Yes non
standard ports may pose problems to some.

> 
> Now can the redirect directive be used to compensate for this?
> ie. redirect http://a.com:443 http://a.com:4400
> Or would this need to be mapped for each file instead?
> 
> This may not be the exact syntax, but I hope you see what I am after here.

nope, this won't help. After the redirect you are back to the above
problem again :)

===

Subject: Re: [OFF-TOPIC] Apache-SSL Question
From: Charles Galpin <cgalpin@lighthouse-software.com>
Date: Fri, 16 Jun 2000 21:49:49 -0400 (EDT)


> Here is another reason, if you intend getting positions on a search engine,
> IP's are also needed, even with the normal Apache, reason...because the
> search engine crawlers can tell its a virt host and will not rate it
> highly, or at all possibly. I have taken the word of some people in the
> hosting industry on this. I cannot give specifics on engines

interesting. can anyone else confirm this? I'm about to get my hands on a
32 block of ip's and might consider using some of them if this is true.

> Anyway, it gets down to if you have IP's or not, if you are using SSL in a
> serious way like for submission of Credit cards etc, I would suggest using
> the IP and correct cert method, in fact as Charles has pointed out, most
> people place the importance on the certificate being correct  ( myself I
> was always more concerned about the SSL connection, but then again I
> understand the certificate warnings) so it gets down to the end
> user....again ;-)

I agree 100%

===

Subject: Re: Apache with SSL, MySQL, Mod Perl, and PHP
From: Chuck Mead <chuck@moongroup.com>
Date: Tue, 19 Oct 1999 14:48:34 -0400 (EDT)

On Tue, 19 Oct 1999, Kevin Diffily said:

KD>I would like to install Apache with SSL, MySQL, Mod Perl, and PHP.  I 
KD>am a little uncertain as to how to proceed.  I am waiting for Red 
KD>Hat's Secure Server to arrive since I ordered it this morning.  Has 
KD>anyone installed this yet and does it include all of the above?  

Yes.

KD>In general how does one install additions to Apache with rpms?  

You won't need to change anything just install the rpm's you want and enable
the modules in httpd.conf.

KD>It seems as if there are a lot of packages out there that have some of
KD>the additions; ie apache-ssl-***.rpm but then where do you go from
KD>there if you want to add additional functionality?  

You won't be adding anything to the SWS. There are built in limitations with
SWS as it is a commercial product. On the flip side of that I think you'll
find that it has everything you could imagine already included.

KD>Direct assistance or links would be very much appreciated?

===

Subject: Re: Apache with SSL, MySQL, Mod Perl, and PHP
From: Eric Wood <eric@interplas.com>
Date: Tue, 19 Oct 1999 15:22:40 -0400

Kevin Diffily <kdiffily@webpageweaver.com> wrote:

>I would like to install Apache with SSL, MySQL, Mod Perl, and PHP.  I
>am a little uncertain as to how to proceed.

Right, install the apache-ssl and config that and get that working for plain
html pages.

Next, you have to recompile the mod_php rpm package to include mysql support
(--with-mysql).  RH doesn't compile that in because MySQL isn't GPL'd.  So
you have to get the SRPM of mod_php.  Get all the MySQL RPM (include the
devel package) and install them.  Edit mod_php's spec file to add
the --with-mysql option.  Rebuild that rpm and install it.  Edit Apache's
srm.conf and httpd.conf files to enable the mod_php package.

That should get you started.

===

Subject: Re: Apache with SSL, MySQL, Mod Perl, and PHP
From: Chuck Mead <chuck@moongroup.com>
Date: Tue, 19 Oct 1999 15:40:24 -0400 (EDT)


On Tue, 19 Oct 1999, Eric Wood said:

EW>
EW>-----Original Message-----
EW>From: Kevin Diffily <kdiffily@webpageweaver.com>
EW>To: redhat-list@redhat.com <redhat-list@redhat.com>
EW>Date: Tuesday, October 19, 1999 2:19 PM
EW>Subject: Apache with SSL, MySQL, Mod Perl, and PHP
EW>
EW>
EW>>I would like to install Apache with SSL, MySQL, Mod Perl, and PHP.  I
EW>>am a little uncertain as to how to proceed.
EW>
EW>Right, install the apache-ssl and config that and get that working for plain
EW>html pages.

SWS is not apache-ssl. The rpm name is secureweb. Though the source rpm is
available, "besafe" (besafe is required to work with the RSA stuff) is not,
so don't try to rebuild it.

EW>Next, you have to recompile the mod_php rpm package to include mysql support
EW>(--with-mysql).  RH doesn't compile that in because MySQL isn't GPL'd.  So
EW>you have to get the SRPM of mod_php.  Get all the MySQL RPM (include the
EW>devel package) and install them.  Edit mod_php's spec file to add
EW>the --with-mysql option.  Rebuild that rpm and install it.  Edit Apache's
EW>srm.conf and httpd.conf files to enable the mod_php package.

SWS 3.1 is based on apache 1.3.9 and it doesn't use srm.conf anymore though
srm.conf is still present. Everything you'll need to address should be in
the httpd.conf file.

I hope that with the two of us answering it's not too confusing...

===

Subject: Re: Apache with SSL, MySQL, Mod Perl, and PHP
From: Eric Wood <eric@interplas.com>
Date: Tue, 19 Oct 1999 16:58:15 -0400

My whole discussion is not using SWS.... that's the reason I didn't QUOTE
IT!!!!!

===

Subject: Re: Apache with SSL, MySQL, Mod Perl, and PHP
From: Jason Costomiris <jcostom@jasons.org>
Date: Tue, 19 Oct 1999 17:22:35 -0400


On Tue, Oct 19, 1999 at 02:19:47PM -0400, Kevin Diffily wrote:
: I would like to install Apache with SSL, MySQL, Mod Perl, and PHP.

I did it today.

The RH Secure Server is a fine product if your goal is to get up and running
fast with minimal headaches.  My goal was to get up and running with a config
that works for me.

I started by grabbing the apache-mod_ssl SRPM from ftp.replay.com.
I unpacked the src.rpm and verified the md5 checksums of the files
contained in that archive.  Then I did an rpm -ba <file>.spec and built
the RPMs.  After that was done, I installed them with rpm -Uvh.

Next I grabbed the MySQL src.rpm from www.mysql.com for 3.22.27

http://www.mysql.com/Downloads/MySQL-3.22/MySQL-3.22.27-1.src.rpm

rpm --rebuild on that one.  I then installed the MySQL, MySQL-devel and
MySQL-client packages.

Next up was PHP.  I started by grabbing the mod_php3-3.0.9 SRPM from 
the RH6 updates.  I hacked the .spec file a bit to remove PostgreSQL 
support, added MySQL support, and in the process removed a config
patch that was specific to 3.0.9 and replaced the 3.0.9 distribution
with PHP 3.0.12.  Yet again, rpm -ba, then installed mod_php3, 
mod_php3-imap, and mod_php3-manual.

I didn't do mod_perl, but it shouldn't be all that difficult for you to get
done. :-)

===

Subject: Apache+SSL 
From: Ingo Luetkebohle <ingo@devconsult.de>
Date: Fri, 12 Nov 1999 17:09:35 +0100 (CET)


Hoi,

would it be possible for RedHat to distribute Apache with the patches from
Apache+SSL or mod_ssl already included, and have just the SSL module as a
drop-in, available from Replay? That way, one would not have to recompile
Apache in order to get SSL.

===

Subject: Re: Apache+SSL 
From: Ingo Luetkebohle <ingo@devconsult.de>
Date: Fri, 12 Nov 1999 17:49:29 +0100 (CET)


On Fri, 12 Nov 1999, Ingo Luetkebohle wrote:
> would it be possible for RedHat to distribute Apache with the patches from
> Apache+SSL or mod_ssl already included, and have just the SSL module as a
> drop-in, available from Replay? That way, one would not have to recompile
> Apache in order to get SSL.

*cough* Forget it. I just found ftp://ftp.redhat.de/pub/rh-addons/security/

"Livin' in a free world" ;-)
 
---Ingo Luetkebohle / 21st Century Digital Boy

===

Subject: Re: Apache+SSL
From: "James M. Rogers" <jrogers@visnetinc.com>
Date: Fri, 12 Nov 1999 09:23:34 -0800


Probably not,

  This would probably still violate some sort of patent that RSA has covering
public key encryption.  Probably best to avoid for now til the RSA patent
expires and some other companies successfully win a court case against RSA.
Also it would make it difficult to export out of the US,  you know how the
government feels about those foreigners having any sort of strong
encryption...  Not that they aren't smart enough to figure out strong
encryption on their own... ;)

  --
Imagine a simple cypher where all R's are turned into N's...
Who is RSA now?

===

Subject: Re: Apache+SSL 
From: "Edward S. Marshall" <emarshal@xnet.com>
Date: Fri, 12 Nov 1999 14:21:01 -0600 (CST)


On Fri, 12 Nov 1999, Ingo Luetkebohle wrote:
> would it be possible for RedHat to distribute Apache with the patches from
> Apache+SSL or mod_ssl already included, and have just the SSL module as a
> drop-in, available from Replay? That way, one would not have to recompile
> Apache in order to get SSL.

Export restrictions would stop them, and it would cut into their sales of
RedHat Secure Web Server (or whatever it's called :-).

However, the EAPI patch (a slight extension of the Apache module API)
isn't too much to ask for, methinks. That makes it possible to build your
own mod_ssl (since mod_ssl relies on it) without specifically adding any
encryption-related material to the distribution.

There is the "binary modules" argument (vendors who ship binary modules
designed to work with stock Apache 1.3.9 won't work with a version of
Apache with the EAPI patches), but it's a red herring; even Allaire is
shipping enough source with their ColdFusion module now to facilitate
relinking it in the event of a slight API modification.

===

Subject: Re: Apache+SSL
From: "H. Peter Anvin" <hpa@transmeta.com>
Date: Fri, 12 Nov 1999 12:44:29 -0800


"James M. Rogers" wrote:
> 
> Probably not,
> 
>   This would probably still violate some sort of patent that RSA has covering
> public key encryption.  Probably best to avoid for now til the RSA patent
> expires and some other companies successfully win a court case against RSA.
> Also it would make it difficult to export out of the US,  you know how the
> government feels about those foreigners having any sort of strong
> encryption...  Not that they aren't smart enough to figure out strong
> encryption on their own... ;)
> 

The generic public key encryption patent has already expired.  That's
why gpg uses DSS/Diffie-Hellman, it's completely patent free.  The
actual RSA patent (which is valid only inside the US) expires next year.

===

Subject: Apache+SSL compilation error
From: Enrico Morelli <morelli@CERM.UNIFI.IT>
Date: Wed, 17 Nov 1999 16:54:17 +0100 (CET)


Dear all,

I have downloaded apache-ssl-1.3.3-1.28-0.src.rpm, SSLeay-0_9_0b-3_i386.rpm
and openssl-0.9.4.tar.gz .

When I try to compile the compilation stops with the following errors:


gcc -c  -I../../os/unix -I../../include -I/usr/local/ssl/include
-DLINUX=2 -DUSE_HSREGEX -DAPACHE_SSL `../../apaci` apache_ssl.c
apache_ssl.c: In function `SSLCheckCipher':
apache_ssl.c:251: warning: assignment discards `const' from pointer target
type
apache_ssl.c: In function `SSLFixups':
apache_ssl.c:397: warning: assignment discards `const' from pointer target
type
apache_ssl.c: In function `GetPrivateKey':
apache_ssl.c:960: too few arguments to function `PEM_read_RSAPrivateKey'
apache_ssl.c: In function `GetCertificateAndKey':
apache_ssl.c:1051: too few arguments to function `PEM_read_X509'
apache_ssl.c:1071: warning: passing arg 2 of
`SSL_CTX_set_tmp_rsa_callback' from incompatible pointer type
make[4]: *** [apache_ssl.o] Error 1
make[3]: *** [all] Error 1
make[2]: *** [subdirs] Error 1
make[2]: Leaving directory `/usr/src/redhat/SOURCES/apache_1.3.3/src'
make[1]: *** [build-std] Error 2
make[1]: Leaving directory `/usr/src/redhat/SOURCES/apache_1.3.3'
make: *** [build] Error 2


Any suggestion?

===

Subject: Re: Apache SSL and OpenSSl RPMs
From: Jason Costomiris <jcostom@jasons.org>
Date: Mon, 15 Nov 1999 22:57:28 -0500


On Mon, Nov 15, 1999 at 02:07:14PM -0500, Michael J. McGillick wrote:
: Anyone know where I can pick up the Apache-SSL-1.3.9 and OpenSSL-0.9.4
: RPMs?  Anyone know if they exist yet?

Just the other day I did this very thing, well, almost this very thing.

I went to ftp.replay.com, and grabbed:

/pub/crypto/redhat/SRPMS/openssl-0.9.3a-3.src.rpm
/pub/crypto/redhat/SRPMS/apache-mod_ssl-1.3.6.2.3.0-0.src.rpm

I took the openssl, and rebuilt it and installed it "as-is".  I grabbed
the apache_1.3.9.tar.gz source from www.apache.org, and then grabbed
the mod_ssl 2.4.8 sources from www.modssl.org.

I unpacked the apache-mod_ssl SRPM, and hacked a bit on the .spec file, 
removing the no-longer needed patches, and putting the version numbers in
the spec file up to reflect the 1.3.9 apache, and 2.4.8 mod_ssl.  It built
pretty easily.

After that, I grabbed the php3 3.0.12 SRPM from RH6.1, got rid of the 
PostgreSQL support, added in support for MySQL, SNMP, PDFlib, and the
CyberCash MCK.  That rebuilt pretty easily too.

I've found the mod_ssl code to be a bit more stable overall, compared with
Apache-SSL.  More features, as well..

===

