This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.
Subject: Re: apache https (SSL)
From: "Greg Wright" <redhat_list@mail.com>
Date: Wed, 14 Jun 2000 02:34:18 +1000

*********** REPLY SEPARATOR ***********

On 13/06/00 at 8:57 Adv. Systems Design wrote:

>Hello:
>
>Used to be that getting a https server (or an SSH rpm)
>was as easy as going to replay...I am finding out that
>replay is now some vcr-type device, and I gather that
>SSH is no longer free...thus openSSH...
>
>How about an HTTPS server? Anyone know of a howto or
>RPM that provide such a service (http over SSL)?
>
>Pointers or help appreciated!
>

Replay is now zedz.net, I have a SSL rpm up there, or maybe it's been replaced now, Gordon M has one as well AFAIK ftp.eburg. ?? org com net see the archives to be sure.

I can send a 1.3.9 RPM if reqd, message me privately if you cannot find elsewhere.

Regards

Greg Wright
IT Consultant
Sydney Australia

===

Subject: Re: apache https (SSL)
From: "Adv. Systems Design" <asd_2000@yahoo.com>
Date: Tue, 13 Jun 2000 20:20:48 -0700 (PDT)

Jason Costomiris <jcostom@jasons.org> wrote:

> On Tue, Jun 13, 2000 at 06:37:26PM +0200, Bernhard Rosenkraenzer wrote:
>
> : > How about an HTTPS server? Anyone know of a howto or
> : > RPM that provide such a service (http over SSL)?
> ftp://ftp.redhat.de/pub/rh-addons/security/current/
>
> Bero, et al. have done a wonderful job with this
> stuff, however, you may
> find that their pre-built stuff doesn't fit every
> need exactly, leaving
> you to go back to the source. For situations like
> that, I've got a howto
> that helps.
>
> http://www.jasons.org/modssl.php
>
> Coming soon: integration of the php-4.0.0 rpm I've
> been testing.

Well, well...ask and you shall receive! This is exactly what I wanted to implement (apache, ssl, php, mysql, rh6.2). I did find the apache-ssl-1.3.6_1.35-3 rpms in contrib but I am getting a nasty seg fault (11) every time I try to connect to the https server...guess I will look into mod_ssl...btw, I have php4 working and it's humming along nicely...
===

Subject: Re: apache https (SSL)
From: "Michael J. McGillick" <mike@universe.ne.mediaone.net>
Date: Wed, 14 Jun 2000 08:17:40 -0400 (EDT)

I was getting a segfault as well when installing apache-ssl-1.3.9. Try downloading the source and rebuilding on your machine:

rpm -ba apache-ssl.spec

Also, make sure that your httpsd.conf is configured correctly. This seems to have done the trick for me.

===

Subject: Re: apache https (SSL)
From: "Adv. Systems Design" <asd_2000@yahoo.com>
Date: Wed, 14 Jun 2000 12:51:44 -0700 (PDT)

Where did you get the 1.3.9 spec file? Can you use the 1.3.6 spec file to build a 1.3.9 rpm? I've been meaning to learn more about RPM, but I just can't seem to find the time.

===

Subject: [OFF-TOPIC] Apache-SSL Question
From: "Michael J. McGillick" <mike@universe.ne.mediaone.net>
Date: Thu, 15 Jun 2000 08:27:53 -0400 (EDT)

Good Morning:

I'm running Apache-SSL 1.3.12 on my machine at home. I'm interested in setting up virtual domains so that at least 2 of the domains I host can take advantage of the secure connection. Under regular Apache, I would go in and set up the following:

NameVirtualHost 24.218.83.113 <--- (My IP Address)

<VirtualHost 24.218.83.113>
ServerAdmin root@universe.ne.mediaone.net
DocumentRoot /home/httpsd/software-specialists.net
ServerName www.software-specialists.net
ErrorLog software-specialists.net-error_log
CustomLog software-specialists.net-access_log common
</VirtualHost>

<VirtualHost 24.218.83.113>
ServerAdmin root@universe.ne.mediaone.net
DocumentRoot /home/httpsd/american-pastime.com
ServerName www.american-pastime.com
ErrorLog american-pastime.com-error_log
CustomLog american-pastime.com-access_log common
</VirtualHost>

I did the same in the httpsd.conf for Apache-SSL. Well, I seem to be missing something here, because when I try to restart httpsd, I get an error message referring to something about the certificate. I'm pretty sure that this indicates that I need a certificate for each site.

Is there a way to use one certificate (I'm using a fake one right now, until I get this set up) for each virtual domain I want to set up, or does each domain need its own certificate? In either event, has anyone ever done this, or know the steps to set this up?

===

Subject: Re: [OFF-TOPIC] Apache-SSL Question
From: Charles Galpin <cgalpin@lighthouse-software.com>
Date: Thu, 15 Jun 2000 08:48:03 -0400 (EDT)

On Thu, 15 Jun 2000, Michael J. McGillick wrote:

> Good Morning:
>
> I'm running Apache-SSL 1.3.12 on my machine at home. I'm interested in
> setting up virtual domains so that at least 2 of the domains I host can
> take advantage of the secure connection. Under regular Apache, I would go
> in and set up the following:
>
> NameVirtualHost 24.218.83.113 <--- (My IP Address)

You cannot do this with name based virtual hosting. You need a separate IP for each domain you want to have a certificate for.

===

Subject: RE: [OFF-TOPIC] Apache-SSL Question
From: "Brian Wright" <bdw@Aturna.com>
Date: Thu, 15 Jun 2000 10:01:08 -0700

Michael J. McGillick [mailto:mike@universe.ne.mediaone.net] wrote:

> I'm running Apache-SSL 1.3.12 on my machine at home. I'm interested in
> setting up virtual domains so that at least 2 of the domains I host can
> take advantage of the secure connection.
> Under regular Apache, I would go
> in and set up the following:
>
> NameVirtualHost 24.218.83.113 <--- (My IP Address)
>
> <VirtualHost 24.218.83.113>
> ServerAdmin root@universe.ne.mediaone.net
> DocumentRoot /home/httpsd/software-specialists.net
> ServerName www.software-specialists.net
> ErrorLog software-specialists.net-error_log
> CustomLog software-specialists.net-access_log common
> </VirtualHost>
>
> <VirtualHost 24.218.83.113>
> ServerAdmin root@universe.ne.mediaone.net
> DocumentRoot /home/httpsd/american-pastime.com
> ServerName www.american-pastime.com
> ErrorLog american-pastime.com-error_log
> CustomLog american-pastime.com-access_log common
> </VirtualHost>
>
> I did the same in the httpsd.conf for Apache-SSL. Well, I seem to be
> missing something here, because when I try to restart httpsd, I get an
> error message referring to something about the certificate. I'm pretty
> sure that this indicates that I need a certificate for each site.
>
> Is there a way to use one certificate (I'm using a fake one right now,
> until I get this set up) for each virtual domain I want to set up, or does
> each domain need its own certificate? In either event, has anyone ever
> done this, or know the steps to set this up?

Each domain needs its own certificate, I believe. :( They base it on the domain name, not the IP address. Thawte.com is a good place to go get info on that.

BTW, where did you get the Apache-SSL? Did you use an RPM?

===

Subject: RE: [OFF-TOPIC] Apache-SSL Question
From: "Greg Wright" <redhat_list@mail.com>
Date: Fri, 16 Jun 2000 03:36:54 +1000

*********** REPLY SEPARATOR ***********

On 15/06/00 at 10:01 Brian Wright wrote:

>Hi, Mike!
>Each domain needs its own certificate, I believe. :( They
>base it on the domain name, not the IP address. Thawte.com
>is a good place to go get info on that.

That's true, but what Charles pointed out is correct, you cannot do multiple domains on one IP with SSL, you can do virtual hosting ok, just get IP's

===

Subject: Re: [OFF-TOPIC] Apache-SSL Question
From: Gordon Messmer <yinyang@eburg.com>
Date: Thu, 15 Jun 2000 11:22:14 -0700

"Michael J. McGillick" wrote:

> Is there a way to use one certificate (I'm using a fake one right now,
> until I get this set up) for each virtual domain I want to set up, or does
> each domain need its own certificate? In either event, has anyone ever
> done this, or know the steps to set this up?

Nope, every domain needs its own certificate. I've included a shell script that will help you easily generate certificates using openssl. Read it :)

Because the HTTP request is made _after_ the SSL session is negotiated, you'll have to run your hosts on different IP's (as others pointed out) OR different ports. Choose whichever you think will work for you. You can specify a port number in the <VirtualHost ...> tag, along with the IP.

filename="Generate_SSL_Certificate"

#!/bin/sh
#
# This is a self documenting shell script.  It is intended that you read
# this file before executing it.
# There are a few things that should be checked further:
# 1) This script creates new private keys for every CSR.  As far as I know,
#    you can create any number of CSR's using the same key.  Are there any
#    advantages/disadvantages to creating new keys for each certificate?
#    Should we be reusing keys?
# 2) This script unencrypts the private key so that apache can use it.
#    Does apache-ssl need the key to function?  If not, we can avoid
#    keeping an unencrypted key around, and avoid specifying that file
#    in apache's configs.
#
# This script should be run in /usr/local/ssl/certs.archive/<DOMAIN>/<YEAR>,
# so that we can keep an archival copy of all certificates, and related
# files.
# Once finished, the certificate should be placed in /usr/local/ssl/certs,
# and the private key (unencrypted) should be in /usr/local/ssl/private
#
# All of the files in /usr/local/ssl/private should be mode 0400, and owned
# by root.  Apache will read them as root, before it drops root permissions.
# The original keys should also be mode 0400 and owned by root.
#

PATH=$PATH:/usr/local/ssl/bin

#
# Give the domain name as the first argument to this script.
#
DOMAIN=$1
[ "$DOMAIN" = "" ] && {
	echo "No domain given"
	exit 1
}

#
# If you wish to have an organization's name attached to this certificate,
# then it should be the second argument to this script.
# Because SSL does not require this field, no default is given.  However,
# Thawte may require an organization's name to be attached to a certificate,
# so this script SHOULD be called as:
# ./Generate_SSL_Certificate <DOMAINNAME> "<Organization Name>"
#
ORG=$2
[ "$ORG" = "" ] && {
	echo "No organization name given, using \".\""
	ORG="."
}

EMAIL=$3
[ "$EMAIL" = "" ] && {
	echo "No email address given, using support@eburg.com"
	EMAIL=support@eburg.com
}

#
# The first step in generating a certificate is to generate a CSR, or
# certificate request.  This step will also generate an encrypted,
# private key, called privkey.pem.  Don't lose this file, or the
# password used to encrypt the key.  That would be bad.
#
openssl req -new > "${DOMAIN}.csr" <<EOF
US
Washington
Ellensburg
${ORG}
.
${DOMAIN}
${EMAIL}
EOF

#
# Now, we remove the password (unencrypt) from the domain's private key.
# The resulting key is used by apache.
#
openssl rsa -in privkey.pem -out "${DOMAIN}.cert.key"

#
# Finally, use the CSR (certificate request) and our own private key to
# create a "self signed" certificate.  This certificate can be used
# until a certificate signed by a known authority (eg Thawte) is
# available.
#
openssl x509 -in "${DOMAIN}.csr" \
	-out "${DOMAIN}.cert" \
	-req -signkey \
	"${DOMAIN}.cert.key" -days 365

#
# I'm renaming this file for consistency.
#
mv privkey.pem "${DOMAIN}.privkey.pem"

#
# We should now have the following files:
# DOMAIN.privkey.pem   The PEM encrypted private key
# DOMAIN.cert.key      The unencrypted private key used by apache
# DOMAIN.csr           The certificate request used by Thawte
# DOMAIN.cert          The certificate that we signed
#

===

Subject: Re: [OFF-TOPIC] Apache-SSL Question
From: Brian Ashe <brian@dee-web.com>
Date: Thu, 15 Jun 2000 14:42:01 -0400

Hi Michael,

1) Each domain must have its own certificate.

2) Each domain that does not use SSL must be specified as such. (Turn SSL off for that domain)

3) Any domain that will provide both regular and SSL connections must have a virtual host set up for each listening on the appropriate port.

4) I cannot confirm or deny the single IP address theory, as I have not tried it. But I do have some trouble believing it since the ServerName directive is what gets matched against the certificate and the certificate has no knowledge of the IP it came from. I could be wrong, it wouldn't be the first time. But you will probably have to be quite creative about your Virtual hosting directives to get things working. I would suggest hacking at it a little before giving up. Especially since @Home is not likely to give you additional IP addresses just so you can go against their service policy.

5) For the proper set up and directives that you need to use you should go to www.apache-ssl.org. I would help you out on the directives but I use mod_ssl and they have different directives, so you are on your own there.

===

Subject: RE: [OFF-TOPIC] Apache-SSL Question
From: "Michael J. McGillick" <mike@universe.ne.mediaone.net>
Date: Thu, 15 Jun 2000 15:16:01 -0400 (EDT)

Brian:

I took the work done by Greg Wright and some others on the apache-ssl-1.3.9.src.rpm and went in to make the customizations so it would build the apache-ssl-1.3.12.i386.rpm. So far, it seems to work correctly.
It even installs the apache-ssl stuff in its own directory, httpsd instead of overwriting the httpd stuff. I actually have both apache and apache-ssl running at the same time, with separate html directories for each.

What I'm really stuck on is getting php to work with apache-ssl. I have absolutely no problems getting it to work with the regular apache. I downloaded the newest php4 source, read through the install instructions for building a DSO of libphp4.so, and it built with no problems. I included 4 flags:

--with-apxs --with-pgsql --with-apache=/usr/include --with-openssl

It built with no error messages, and I see libphp4.so in the /usr/include/apache directory. I first tried loading this into regular apache, and it works beautifully. I then try loading it into apache-ssl, and I get the following error message when trying to restart the daemon:

Starting httpsd: Syntax error on line 248 of /etc/httpsd/conf/httpsd.conf:
API module structure `php4_module' in file /usr/lib/apache/libphp4.so is garbled - perhaps this is not an Apache module DSO?

Any ideas? Anyone else seen this before? Am I missing something from the compile that needs to be included so it knows how to talk correctly to apache-ssl? The source for apache is the stock apache-1.3.12 source from www.apache.org, and the ssl source is from www.apache-ssl.org.

Any clues, hints, suggestions would be greatly appreciated. :)

===

Subject: Re: [OFF-TOPIC] Apache-SSL Question
From: Charles Galpin <cgalpin@lighthouse-software.com>
Date: Fri, 16 Jun 2000 08:14:54 -0400 (EDT)

perhaps if I explain my experience with this, it will help

On Thu, 15 Jun 2000, Brian Ashe wrote:
>
> 4) I cannot confirm or deny the single IP address theory, as I have not
> tried it. But I do have some trouble believing it since the ServerName
> directive is what gets matched against the certificate and the certificate
> has no knowledge of the IP it came from. I could be wrong, it wouldn't be
> the first time.
> But you will probably have to be quite creative about your
> Virtual hosting directives to get things working. I would suggest hacking at
> it a little before giving up. Especially since @Home is not likely to give
> you additional IP addresses just so you can go against their service policy.

Let's say you have two domains, a.com and b.com using name based virtual hosting.

If the user first visits a.com, they will get given the a.com cert. When they go to site b.com, they will not be offered a new cert as the browser thinks they are the same (same IP).

If they stop their browser, and then go to b.com first, they will pick up the b.com cert, and then when they visit a.com, just like above, they will not get given the a.com cert.

So if you can live with this behaviour, then fine, but this is not the same as the behaviour you would get with separate IPs. I consider this not working properly. Every other aspect of name based virtual hosting is identical to the ip based counterpart except this...

===

Subject: Re: [OFF-TOPIC] Apache-SSL Question
From: "Greg Wright" <redhat_list@mail.com>
Date: Fri, 16 Jun 2000 22:57:40 +1000

*********** REPLY SEPARATOR ***********

On 16/06/00 at 8:14 Charles Galpin wrote:

>perhaps if I explain my experience with this, it will help
>
>On Thu, 15 Jun 2000, Brian Ashe wrote:
>>
>> 4) I cannot confirm or deny the single IP address theory, as I have not
>> tried it. But I do have some trouble believing it since the ServerName
>> directive is what gets matched against the certificate and the certificate
>> has no knowledge of the IP it came from. I could be wrong, it wouldn't be
>> the first time. But you will probably have to be quite creative about your
>> Virtual hosting directives to get things working. I would suggest hacking at
>> it a little before giving up. Especially since @Home is not likely to give
>> you additional IP addresses just so you can go against their service policy.
>
>Let's say you have two domains, a.com and b.com using name based virtual
>hosting.
>
>If the user first visits a.com, they will get given the a.com cert. When
>they go to site b.com, they will not be offered a new cert as the browser
>thinks they are the same (same IP).
>
>If they stop their browser, and then go to b.com first, they will pick up
>the b.com cert, and then when they visit a.com, just like above, they will
>not get given the a.com cert.
>
>So if you can live with this behaviour, then fine, but this is not the same
>as the behaviour you would get with separate IPs. I consider this not
>working properly. Every other aspect of name based virtual hosting is
>identical to the ip based counterpart except this...
>

Here is another reason, if you intend getting positions on a search engine, IP's are also needed, even with the normal Apache, reason...because the search engine crawlers can tell it's a virt host and will not rate it highly, or at all possibly. I have taken the word of some people in the hosting industry on this. I cannot give specifics on engines

Anyway, it gets down to if you have IP's or not, if you are using SSL in a serious way like for submission of Credit cards etc, I would suggest using the IP and correct cert method, in fact as Charles has pointed out, most people place the importance on the certificate being correct (myself I was always more concerned about the SSL connection, but then again I understand the certificate warnings) so it gets down to the end user....again ;-)

===

Subject: Re[2]: [OFF-TOPIC] Apache-SSL Question
From: Brian Ashe <brian@dee-web.com>
Date: Fri, 16 Jun 2000 15:47:01 -0400

Hi Charles,

Thanks for the insight. I can see how that makes sense.

So here's another one for you... (this is just curiosity)

What if you set up the virtual hosts to use alternate port?
ie.
a.com 10.10.10.1:4400
b.com 10.10.10.1:4500
This should fix the problem you were describing, but does leave us with a new one, which is that now people behind firewalls may not be able to use the secure connection due to those ports being non-standard.

Now can the redirect directive be used to compensate for this?
ie. redirect http://a.com:443 http://a.com:4400
Or would this need to be mapped for each file instead?

This may not be the exact syntax, but I hope you see what I am after here.

===

Subject: Re: Re[2]: [OFF-TOPIC] Apache-SSL Question
From: Charles Galpin <cgalpin@lighthouse-software.com>
Date: Fri, 16 Jun 2000 21:45:55 -0400 (EDT)

On Fri, 16 Jun 2000, Brian Ashe wrote:

> Thanks for the insight. I can see how that makes sense.
>
> So here's another one for you... (this is just curiosity)
>
> What if you set up the virtual hosts to use alternate port?
> ie. a.com 10.10.10.1:4400
> b.com 10.10.10.1:4500
> This should fix the problem you were describing, but does leave us with a
> new one, which is that now people behind firewalls may not be able to use
> the secure connection due to those ports being non-standard.

I *think* this might work, but don't have the time to try. Yes non standard ports may pose problems to some.

>
> Now can the redirect directive be used to compensate for this?
> ie. redirect http://a.com:443 http://a.com:4400
> Or would this need to be mapped for each file instead?
>
> This may not be the exact syntax, but I hope you see what I am after here.

nope, this won't help. After the redirect you are back to the above problem again :)

===

Subject: Re: [OFF-TOPIC] Apache-SSL Question
From: Charles Galpin <cgalpin@lighthouse-software.com>
Date: Fri, 16 Jun 2000 21:49:49 -0400 (EDT)

> Here is another reason, if you intend getting positions on a search engine,
> IP's are also needed, even with the normal Apache, reason...because the
> search engine crawlers can tell it's a virt host and will not rate it
> highly, or at all possibly.
> I have taken the word of some people in the
> hosting industry on this. I cannot give specifics on engines

interesting. can anyone else confirm this? I'm about to get my hands on a 32 block of ip's and might consider using some of them if this is true.

> Anyway, it gets down to if you have IP's or not, if you are using SSL in a
> serious way like for submission of Credit cards etc, I would suggest using
> the IP and correct cert method, in fact as Charles has pointed out, most
> people place the importance on the certificate being correct (myself I
> was always more concerned about the SSL connection, but then again I
> understand the certificate warnings) so it gets down to the end
> user....again ;-)

I agree 100%

===

Subject: Re: Apache with SSL, MySQL, Mod Perl, and PHP
From: Chuck Mead <chuck@moongroup.com>
Date: Tue, 19 Oct 1999 14:48:34 -0400 (EDT)

On Tue, 19 Oct 1999, Kevin Diffily said:

KD>I would like to install Apache with SSL, MySQL, Mod Perl, and PHP. I
KD>am a little uncertain as to how to proceed. I am waiting for Red
KD>Hat's Secure Server to arrive since I ordered it this morning. Has
KD>anyone installed this yet and does it include all of the above?

Yes.

KD>In general how does one install additions to Apache with rpms?

You won't need to change anything just install the rpm's you want and enable the modules in httpd.conf.

KD>It seems as if there are a lot of packages out there that have some of
KD>the additions; ie apache-ssl-***.rpm but then where do you go from
KD>there if you want to add additional functionality?

You won't be adding anything to the SWS. There are built in limitations with SWS as it is a commercial product. On the flip side of that I think you'll find that it has everything you could imagine already included.

KD>Direct assistance or links would be very much appreciated?

===

Subject: Re: Apache with SSL, MySQL, Mod Perl, and PHP
From: Eric Wood <eric@interplas.com>
Date: Tue, 19 Oct 1999 15:22:40 -0400

Kevin Diffily <kdiffily@webpageweaver.com> wrote:

>I would like to install Apache with SSL, MySQL, Mod Perl, and PHP. I
>am a little uncertain as to how to proceed.

Right, install the apache-ssl and config that and get that working for plain html pages.

Next, you have to recompile the mod_php rpm package to include mysql support (--with-mysql). RH doesn't compile that in because MySQL isn't GPL'd. So you have to get the SRPM of mod_php. Get all the MySQL RPM (include the devel package) and install them. Edit mod_php's spec file to add the --with-mysql option. Rebuild that rpm and install it. Edit Apache's srm.conf and httpd.conf files to enable the mod_php package.

That should get you started.

===

Subject: Re: Apache with SSL, MySQL, Mod Perl, and PHP
From: Chuck Mead <chuck@moongroup.com>
Date: Tue, 19 Oct 1999 15:40:24 -0400 (EDT)

On Tue, 19 Oct 1999, Eric Wood said:

EW>
EW>-----Original Message-----
EW>From: Kevin Diffily <kdiffily@webpageweaver.com>
EW>To: redhat-list@redhat.com <redhat-list@redhat.com>
EW>Date: Tuesday, October 19, 1999 2:19 PM
EW>Subject: Apache with SSL, MySQL, Mod Perl, and PHP
EW>
EW>
EW>>I would like to install Apache with SSL, MySQL, Mod Perl, and PHP. I
EW>>am a little uncertain as to how to proceed.
EW>
EW>Right, install the apache-ssl and config that and get that working for plain
EW>html pages.

SWS is not apache-ssl. The rpm name is secureweb. Though the source rpm is available, "besafe" (besafe is required to work with the RSA stuff) is not, so don't try to rebuild it.

EW>Next, you have to recompile the mod_php rpm package to include mysql support
EW>(--with-mysql). RH doesn't compile that in because MySQL isn't GPL'd. So
EW>you have to get the SRPM of mod_php. Get all the MySQL RPM (include the
EW>devel package) and install them. Edit mod_php's spec file to add
EW>the --with-mysql option.
EW>Rebuild that rpm and install it. Edit Apache's
EW>srm.conf and httpd.conf files to enable the mod_php package.

SWS 3.1 is based on apache 1.3.9 and it doesn't use srm.conf anymore though srm.conf is still present. Everything you'll need to address should be in the httpd.conf file.

I hope that with the two of us answering it's not too confusing...

===

Subject: Re: Apache with SSL, MySQL, Mod Perl, and PHP
From: Eric Wood <eric@interplas.com>
Date: Tue, 19 Oct 1999 16:58:15 -0400

My whole discussion is not using SWS.... that's the reason I didn't QUOTE IT!!!!!

===

Subject: Re: Apache with SSL, MySQL, Mod Perl, and PHP
From: Jason Costomiris <jcostom@jasons.org>
Date: Tue, 19 Oct 1999 17:22:35 -0400

On Tue, Oct 19, 1999 at 02:19:47PM -0400, Kevin Diffily wrote:
: I would like to install Apache with SSL, MySQL, Mod Perl, and PHP.

I did it today. The RH Secure Server is a fine product if your goal is to get up and running fast with minimal headaches. My goal was to get up and running with a config that works for me.

I started by grabbing the apache-mod_ssl SRPM from ftp.replay.com. I unpacked the src.rpm and verified the md5 checksums of the files contained in that archive. Then I did an rpm -ba <file>.spec and built the RPMs. After that was done, I installed them with rpm -Uvh.

Next I grabbed the MySQL src.rpm from www.mysql.com for 3.22.27

http://www.mysql.com/Downloads/MySQL-3.22/MySQL-3.22.27-1.src.rpm

rpm --rebuild on that one. I then installed the MySQL, MySQL-devel and MySQL-client packages.

Next up was PHP. I started by grabbing the mod_php3-3.0.9 SRPM from the RH6 updates. I hacked the .spec file a bit to remove PostgreSQL support, added MySQL support, and in the process removed a config patch that was specific to 3.0.9 and replaced the 3.0.9 distribution with PHP 3.0.12. Yet again, rpm -ba, then installed mod_php3, mod_php3-imap, and mod_php3-manual.

I didn't do mod_perl, but it shouldn't be all that difficult for you to get done.
:-)

===

Subject: Apache+SSL
From: Ingo Luetkebohle <ingo@devconsult.de>
Date: Fri, 12 Nov 1999 17:09:35 +0100 (CET)

Hoi,

would it be possible for RedHat to distribute Apache with the patches from Apache+SSL or mod_ssl already included, and have just the SSL module as a drop-in, available from Replay? That way, one would not have to recompile Apache in order to get SSL.

===

Subject: Re: Apache+SSL
From: Ingo Luetkebohle <ingo@devconsult.de>
Date: Fri, 12 Nov 1999 17:49:29 +0100 (CET)

On Fri, 12 Nov 1999, Ingo Luetkebohle wrote:

> would it be possible for RedHat to distribute Apache with the patches from
> Apache+SSL or mod_ssl already included, and have just the SSL module as a
> drop-in, available from Replay? That way, one would not have to recompile
> Apache in order to get SSL.

*cough* Forget it. I just found ftp://ftp.redhat.de/pub/rh-addons/security/

"Livin' in a free world" ;-)

---Ingo Luetkebohle / 21st Century Digital Boy

===

Subject: Re: Apache+SSL
From: "James M. Rogers" <jrogers@visnetinc.com>
Date: Fri, 12 Nov 1999 09:23:34 -0800

Probably not,

This would probably still violate some sort of patent that RSA has covering public key encryption. Probably best to avoid for now til the RSA patent expires and some other companies successfully win a court case against RSA. Also it would make it difficult to export out of the US, you know how the government feels about those foreigners having any sort of strong encryption... Not that they aren't smart enough to figure out strong encryption on their own... ;)

--
Imagine a simple cypher where all R's are turned into N's... Who is RSA now?

===

Subject: Re: Apache+SSL
From: "Edward S. Marshall" <emarshal@xnet.com>
Date: Fri, 12 Nov 1999 14:21:01 -0600 (CST)

On Fri, 12 Nov 1999, Ingo Luetkebohle wrote:

> would it be possible for RedHat to distribute Apache with the patches from
> Apache+SSL or mod_ssl already included, and have just the SSL module as a
> drop-in, available from Replay?
> That way, one would not have to recompile
> Apache in order to get SSL.

Export restrictions would stop them, and it would cut into their sales of RedHat Secure Web Server (or whatever it's called :-).

However, the EAPI patch (a slight extension of the Apache module API) isn't too much to ask for, methinks. That makes it possible to build your own mod_ssl (since mod_ssl relies on it) without specifically adding any encryption-related material to the distribution.

There is the "binary modules" argument (vendors who ship binary modules designed to work with stock Apache 1.3.9 won't work with a version of Apache with the EAPI patches), but it's a red herring; even Allaire is shipping enough source with their ColdFusion module now to facilitate relinking it in the event of a slight API modification.

===

Subject: Re: Apache+SSL
From: "H. Peter Anvin" <hpa@transmeta.com>
Date: Fri, 12 Nov 1999 12:44:29 -0800

"James M. Rogers" wrote:
>
> Probably not,
>
> This would probably still violate some sort of patent that RSA has covering
> public key encryption. Probably best to avoid for now til the RSA patent
> expires and some other companies successfully win a court case against RSA.
> Also it would make it difficult to export out of the US, you know how the
> government feels about those foreigners having any sort of strong
> encryption... Not that they aren't smart enough to figure out strong
> encryption on their own... ;)
>

The generic public key encryption patent has already expired. That's why gpg uses DSS/Diffie-Hellman, it's completely patent free. The actual RSA patent (which is valid only inside the US) expires next year.

===

Subject: Apache+SSL compilation error
From: Enrico Morelli <morelli@CERM.UNIFI.IT>
Date: Wed, 17 Nov 1999 16:54:17 +0100 (CET)

Dear all,

I had downloaded apache-ssl-1.3.3-1.28-0.src.rpm, SSLeay-0_9_0b-3_i386.rpm and openssl-0.9.4.tar.gz.
When I try to compile the compilation stops with the following errors:

gcc -c -I../../os/unix -I../../include -I/usr/local/ssl/include -DLINUX=2 -DUSE_HSREGEX -DAPACHE_SSL `../../apaci` apache_ssl.c
apache_ssl.c: In function `SSLCheckCipher':
apache_ssl.c:251: warning: assignment discards `const' from pointer target type
apache_ssl.c: In function `SSLFixups':
apache_ssl.c:397: warning: assignment discards `const' from pointer target type
apache_ssl.c: In function `GetPrivateKey':
apache_ssl.c:960: too few arguments to function `PEM_read_RSAPrivateKey'
apache_ssl.c: In function `GetCertificateAndKey':
apache_ssl.c:1051: too few arguments to function `PEM_read_X509'
apache_ssl.c:1071: warning: passing arg 2 of `SSL_CTX_set_tmp_rsa_callback' from incompatible pointer type
make[4]: *** [apache_ssl.o] Error 1
make[3]: *** [all] Error 1
make[2]: *** [subdirs] Error 1
make[2]: Leaving directory `/usr/src/redhat/SOURCES/apache_1.3.3/src'
make[1]: *** [build-std] Error 2
make[1]: Leaving directory `/usr/src/redhat/SOURCES/apache_1.3.3'
make: *** [build] Error 2

Any suggestion?

===

Subject: Re: Apache SSL and OpenSSl RPMs
From: Jason Costomiris <jcostom@jasons.org>
Date: Mon, 15 Nov 1999 22:57:28 -0500

On Mon, Nov 15, 1999 at 02:07:14PM -0500, Michael J. McGillick wrote:
: Anyone know where I can pick up the Apache-SSL-1.3.9 and OpenSSL-0.9.4
: RPMs? Anyone know if they exist yet?

Just the other day I did this very thing, well, almost this very thing.

I went to ftp.replay.com, and grabbed:

/pub/crypto/redhat/SRPMS/openssl-0.9.3a-3.src.rpm
/pub/crypto/redhat/SRPMS/apache-mod_ssl-1.3.6.2.3.0-0.src.rpm

I took the openssl, and rebuilt it and installed it "as-is".

I grabbed the apache_1.3.9.tar.gz source from www.apache.org, and then grabbed the mod_ssl 2.4.8 sources from www.modssl.org.
I unpacked the apache-mod_ssl SRPM, and hacked a bit on the .spec file, removing the no-longer needed patches, and putting the version numbers in the spec file up to reflect the 1.3.9 apache, and 2.4.8 mod_ssl. It built pretty easily.

After that, I grabbed the php3 3.0.12 SRPM from RH6.1, got rid of the PostgreSQL support, added in support for MySQL, SNMP, PDFlib, and the CyberCash MCK. That rebuilt pretty easily too.

I've found the mod_ssl code to be a bit more stable overall, compared with Apache-SSL. More features, as well..

===
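
Added example (not written by any poster in this archive): a shell check for the situation discussed in the Apache-SSL virtual hosting thread above, where the HTTP request arrives only after the SSL session is negotiated, so each certificate needs its own IP or port. The function names, the sample configs (built from the thread's a.com/b.com addresses) and the default-port argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: lint an Apache config for certificate-bearing <VirtualHost>
# blocks that share one address:port. The server has to offer a certificate
# before it reads the HTTP request, so it cannot pick one by ServerName.

# find_ssl_vhost_collisions FILE [DEFAULT_PORT]
# Prints "<address:port> <count> <ServerName,ServerName,...>" for every
# address:port used by more than one block containing SSLCertificateFile.
# DEFAULT_PORT (an assumption, default 443) is applied to addresses that
# are written without a port.
find_ssl_vhost_collisions() {
    awk -v defport="${2:-443}" '
    {
        line = $0
        sub(/^[ \t]+/, "", line)             # drop indentation
        if (line == "" || line ~ /^#/) next  # skip blanks and comments
        low = tolower(line)                  # directives are case-insensitive
    }
    low ~ /^<virtualhost[ \t]/ {
        addrs = line
        sub(/^<[^ \t>]+[ \t]+/, "", addrs)   # strip "<VirtualHost "
        sub(/>.*$/, "", addrs)               # strip ">" and what follows
        in_vhost = 1; has_cert = 0; name = "(no-ServerName)"
        next
    }
    in_vhost && low ~ /^servername[ \t]/ {
        split(line, f, /[ \t]+/); name = f[2]; next
    }
    in_vhost && low ~ /^sslcertificatefile[ \t]/ { has_cert = 1; next }
    low ~ /^<\/virtualhost>/ {
        if (in_vhost && has_cert) {
            n = split(addrs, a, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                key = a[i]
                if (key == "") continue
                if (key !~ /:[0-9*]+$/) key = key ":" defport
                if (!(key in count)) order[++nkeys] = key
                count[key]++
                names[key] = (names[key] == "" ? name : names[key] "," name)
            }
        }
        in_vhost = 0
        next
    }
    END {
        # report in order of first appearance so output is deterministic
        for (i = 1; i <= nkeys; i++)
            if (count[order[i]] > 1)
                print order[i], count[order[i]], names[order[i]]
    }' "$1"
}

# write_samples DIR: write two constructed configs into DIR.
write_samples() {
    cat > "$1/shared-ip.conf" <<'EOF'
# constructed sample: two certificates on 10.10.10.1, second port implied
<VirtualHost 10.10.10.1:443>
    ServerName a.com
    SSLCertificateFile /usr/local/ssl/certs/a.com.cert
    SSLCertificateKeyFile /usr/local/ssl/private/a.com.cert.key
</VirtualHost>
<VirtualHost 10.10.10.1>
    ServerName b.com
    SSLCertificateFile /usr/local/ssl/certs/b.com.cert
    SSLCertificateKeyFile /usr/local/ssl/private/b.com.cert.key
</VirtualHost>
EOF
    cat > "$1/split-ports.conf" <<'EOF'
# constructed sample: one certificate per address:port
<VirtualHost 10.10.10.1:4400>
    ServerName a.com
    SSLCertificateFile /usr/local/ssl/certs/a.com.cert
</VirtualHost>
<VirtualHost 10.10.10.1:4500>
    ServerName b.com
    SSLCertificateFile /usr/local/ssl/certs/b.com.cert
</VirtualHost>
EOF
}

# Run the check over both constructed samples.
demo() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    for f in shared-ip.conf split-ports.conf; do
        echo "== $f"
        find_ssl_vhost_collisions "$tmp/$f"
    done
    rm -rf "$tmp"
}
demo
```

Clients and servers that support TLS Server Name Indication can select the certificate by name, so a collision reported here is a defect only where SNI is unavailable, as in the setups in this thread.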