Is anyone doing this!?!

Is anyone doing this!?!

on 25.09.2002 23:24:22 by Rick Kukiela

I need to know if anyone else is doing this successfully... loading Apache
aware SSL with multiple vhosts --- all with their own PEM passphrase on
their key files --- and each has their own PassPhraseDialog exec: line where
it gets the password from... if you do this successfully, can you please send
a part of your httpd.conf file so I can see how you are doing it, the way I'm
doing it is messing it up because what it ends up doing is taking the very
last occurrence of the PassPhraseDialog directive and uses it for ALL of the
sites when it should use each one for each site respectively...

any help?

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Configure SSL on Debian Linux Server

on 25.09.2002 23:58:05 by Ibrahim Shaik

Hi all,

I am new to SSL technologies. We are trying to install SSL on a Debian Linux
server. We have the Debian-released Apache version.

Where can I get good documentation about installing SSL on Debian Linux?

What all do I need to configure SSL? As far as I know, we need to install
OpenSSL along with mod_ssl on the server and set up the necessary config
files. Am I right?

The server we are using is going to host some applications/web pages which
are accessed from PDA phones. I would appreciate it if anyone could briefly
explain how and where to start.

Thanks in advance

Regards
Ibrahim
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.391 / Virus Database: 222 - Release Date: 9/19/2002

Re: Is anyone doing this!?!

on 26.09.2002 01:30:29 by Tim Tassonis

On Wed, 25 Sep 2002 16:24:22 -0500
"Rick Kukiela" wrote:

> I need to know if anyone else is doing this successfully... loading
> Apache aware SSL with multiple vhosts --- all with their own PEM
> passphrase on their key files --- and each has their own
> PassPhraseDialog exec: line where it gets the password from... if you do
> this successfully, can you please send a part of your httpd.conf file so I
> can see how you are doing it, the way I'm doing it is messing it up
> because what it ends up doing is taking the very last occurrence of the
> PassPhraseDialog directive and uses it for ALL of the sites when it
> should use each one for each site respectively...

If you are talking about Name Based Virtual Hosts (same ip:port, but
different names) you are out of luck. You can't present different
certificates with Name Based Virtual Hosts, because the Hostname is not
known by the server at the time it should present the certificate. The
hostname is only present in the http headers, which are transmitted
_after_ the SSL handshake.

Otherwise, I'd suggest you send your config file so people can tell you
what's wrong.

Bye
Tim

>
> any help?
>

Re: Configure SSL on Debian Linux Server

on 26.09.2002 11:38:36 by James Bromberger

apt-get install libapache-mod-ssl

And then check your configuration file that you are loading the module
and have a key and certificate.

James
Debian Developer.

>>> ibrahim@mediasoft-inc.com 09/26/02 05:58am >>>

Hi all,

I am new to SSL technologies. We are trying to install SSL on a Debian Linux
server. We have the Debian-released Apache version.

Where can I get good documentation about installing SSL on Debian Linux?

What all do I need to configure SSL? As far as I know, we need to install
OpenSSL along with mod_ssl on the server and set up the necessary config
files. Am I right?

The server we are using is going to host some applications/web pages which
are accessed from PDA phones. I would appreciate it if anyone could briefly
explain how and where to start.

Thanks in advance

Regards
Ibrahim

Re: Is anyone doing this!?!

on 26.09.2002 17:41:36 by Rick Kukiela

Um... no, every virtual host has its own IP address, that's not what I'm
asking... What I need to know is, if there is a way for each virtualhost to
have its OWN PassPhraseDialog directive. Right now I try to do that and it
just uses the last occurrence of the PassPhraseDialog directive for EVERY
virtualhost. So basically it's trying to use the password for the last
virtualhost on all of the virtual hosts. You can see my problem now?


Any help?

Rick
----- Original Message -----
From: "Tim Tassonis"
To:
Sent: Wednesday, September 25, 2002 6:30 PM
Subject: Re: Is anyone doing this!?!


> On Wed, 25 Sep 2002 16:24:22 -0500
> "Rick Kukiela" wrote:
>
> > I need to know if anyone else is doing this successfully... loading
> > Apache aware SSL with multiple vhosts --- all with their own PEM
> > passphrase on their key files --- and each has their own
> > PassPhraseDialog exec: line where it gets the password from... if you do
> > this successfully, can you please send a part of your httpd.conf file so I
> > can see how you are doing it, the way I'm doing it is messing it up
> > because what it ends up doing is taking the very last occurrence of the
> > PassPhraseDialog directive and uses it for ALL of the sites when it
> > should use each one for each site respectively...
>
> If you are talking about Name Based Virtual Hosts (same ip:port, but
> different names) you are out of luck. You can't present different
> certificates with Name Based Virtual Hosts, because the Hostname is not
> known by the server at the time it should present the certificate. The
> hostname is only present in the http headers, which are transmitted
> _after_ the SSL handshake.
>
> Otherwise, I'd suggest you send your config file so people can tell you
> what's wrong.
>
> Bye
> Tim
>
> >
> > any help?
> >

Re: Is anyone doing this!?!

on 26.09.2002 17:54:08 by Thomas Binder

Hi!

On Thu, Sep 26, 2002 at 10:41:36AM -0500, Rick Kukiela wrote:
> What I need to know is, if there is a way for each virtualhost to
> have its OWN PassPhraseDialog directive. Right now I try to do
> that and it just uses the last occurrence of the PassPhraseDialog
> directive for EVERY virtualhost. So basically it's trying to use
> the password for the last virtualhost on all of the virtual
> hosts. You can see my problem now?

If you set a program for PassPhraseDialog (i.e.
"exec:/path/to/program"), this program's first parameter will be
the name of the virtual host whose password's being requested.

HTH.


Ciao

Thomas
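A worked example of the dispatcher Thomas describes, added here and not code from the thread or from mod_ssl itself. One program is named in a single SSLPassPhraseDialog exec: line; mod_ssl runs it once per encrypted key at startup with two arguments, "servername:port" and the key algorithm (RSA or DSA), and reads the pass phrase from its stdout, so the program picks the phrase by its first argument instead of needing one directive per <VirtualHost>. The directory layout under PASS_DIR and the one-file-per-host naming are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Per-vhost pass phrase dispatcher for mod_ssl (added example, not mod_ssl code).

Configure once, outside any <VirtualHost>:
    SSLPassPhraseDialog exec:/usr/local/apache/bin/passphrase-dispatch

mod_ssl calls the program with:
    argv[1]  "servername:port" of the <VirtualHost> whose key is being loaded
    argv[2]  key algorithm, "RSA" or "DSA"
and takes the pass phrase from stdout.

Assumed layout: one file per key, e.g. PASS_DIR/www.example.com:443.RSA,
mode 0600, first line is the pass phrase.
"""
import os
import re
import stat
import sys

PASS_DIR = os.environ.get("PASS_DIR", "/usr/local/apache/conf/ssl.pass")  # assumed

# Exactly the shape mod_ssl passes; nothing else is allowed to reach the filesystem,
# so a stray "../" or "/" in argv[1] can never select a file outside PASS_DIR.
_ARG_RE = re.compile(r"^[A-Za-z0-9.-]+:[0-9]{1,5}$")
_ALGS = ("RSA", "DSA")


def passphrase_for(server, alg, pass_dir=PASS_DIR):
    """Return the pass phrase for (server, alg), or None if it must not be released."""
    if not _ARG_RE.match(server) or alg not in _ALGS:
        return None
    path = os.path.join(pass_dir, "%s.%s" % (server, alg))
    try:
        st = os.stat(path)
    except OSError:
        return None
    # The file holds a secret: refuse anything that is not a regular file or
    # that is readable by group or others.
    if not stat.S_ISREG(st.st_mode) or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return None
    with open(path) as f:
        phrase = f.readline().rstrip("\r\n")
    return phrase or None


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: %s servername:port RSA|DSA\n" % argv[0])
        return 2
    phrase = passphrase_for(argv[1], argv[2])
    if phrase is None:
        # Print nothing: the key then cannot be decrypted and httpd fails at
        # startup, which is better than silently using another vhost's phrase.
        sys.stderr.write("no pass phrase for %s %s\n" % (argv[1], argv[2]))
        return 1
    sys.stdout.write(phrase + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script runs as the user httpd starts as (root, at that point), so the pass phrase files and PASS_DIR should be owned by root with mode 0600/0700; the mode check above makes a loosened permission a startup failure rather than a quiet leak.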

Re: Is anyone doing this!?!

on 26.09.2002 21:26:09 by Rick Kukiela

Wowwww thanks man, finally some help!

much appreciated!

Rick
----- Original Message -----
From: "Thomas Binder"
To:
Sent: Thursday, September 26, 2002 10:54 AM
Subject: Re: Is anyone doing this!?!


> Hi!
>
> On Thu, Sep 26, 2002 at 10:41:36AM -0500, Rick Kukiela wrote:
> > What I need to know is, if there is a way for each virtualhost to
> > have its OWN PassPhraseDialog directive. Right now I try to do
> > that and it just uses the last occurrence of the PassPhraseDialog
> > directive for EVERY virtualhost. So basically it's trying to use
> > the password for the last virtualhost on all of the virtual
> > hosts. You can see my problem now?
>
> If you set a program for PassPhraseDialog (i.e.
> "exec:/path/to/program"), this program's first parameter will be
> the name of the virtual host whose password's being requested.
>
> HTH.
>
>
> Ciao
>
> Thomas

Re: Is anyone doing this!?!

on 28.09.2002 05:12:54 by Harald Koch

Of all the gin joints in all the towns in all the world, Tim Tassonis
had to walk into mine and say:
>
> If you are talking about Name Based Virtual Hosts (same ip:port, but
> different names) you are out of luck. You can't present different
> certificates with Name Based Virtual Hosts, because the Hostname is not
> known by the server at the time it should present the certificate.

SubjectAltName?

--
Harald Koch

"It takes a child to raze a village."
-Michael T. Fry

Re: Is anyone doing this!?!

on 28.09.2002 16:50:58 by Chris Allen

Hey all,

I am missing something in my understanding. Many people have asked this
question countless times.
Is this something that mod_ssl needs or is this an Apache (etc.) related
problem? Is there ever going to be a way to do name based virtual hosting
with Apache and mod_ssl?


"because the Hostname is not known by the server at the time it should
present the certificate."

Surely this isn't as trivial as it sounds? How about we let the server know
the hostname?


Thanks for any info.
------------------------------------------------
-ccma Supreme Being of Leisure


----- Original Message -----
From: "Harald Koch"
To:
Sent: Friday, September 27, 2002 10:12 PM
Subject: Re: Is anyone doing this!?!


>
> Of all the gin joints in all the towns in all the world, Tim Tassonis
> had to walk into mine and say:
> >
> > If you are talking about Name Based Virtual Hosts (same ip:port, but
> > different names) you are out of luck. You can't present different
> > certificates with Name Based Virtual Hosts, because the Hostname is not
> > known by the server at the time it should present the certificate.
>
> SubjectAltName?
>
> --
> Harald Koch

Re: Is anyone doing this!?!

on 28.09.2002 16:59:23 by Andreas Gietl

On Saturday 28 September 2002 16:50, Chris Allen wrote:

I think the problem is that in HTTP 1.0 the hostname is not sent along with the
HTTP header. So you just know the IP.

> Hey all,
>
> I am missing something in my understanding. Many people have asked this
> question countless times.
> Is this something that mod_ssl needs or is this an Apache (etc.) related
> problem? Is there ever going to be a way to do name based virtual hosting
> with Apache and mod_ssl?
>
>
> "because the Hostname is not known by the server at the time it should
> present the certificate."
>
> Surely this isn't as trivial as it sounds? How about we let the server know
> the hostname?
>
>
> Thanks for any info.
> ------------------------------------------------
> -ccma Supreme Being of Leisure
>
>
> ----- Original Message -----
> From: "Harald Koch"
> To:
> Sent: Friday, September 27, 2002 10:12 PM
> Subject: Re: Is anyone doing this!?!
>
> > Of all the gin joints in all the towns in all the world, Tim Tassonis
> >
> > had to walk into mine and say:
> > > If you are talking about Name Based Virtual Hosts (same ip:port, but
> > > different names) you are out of luck. You can't present different
> > > certificates with Name Based Virtual Hosts, because the Hostname is not
> > > known by the server at the time it should present the certificate.
> >
> > SubjectAltName?
> >
> > --
> > Harald Koch

--
e-admin internet gmbh
Andreas Gietl tel +49 941 3810884
Ludwig-Thoma-Strasse 35 fax +49 941 3810891
93051 Regensburg mobil +49 171 6070008

PGP/GPG key at http://www.e-admin.de/gpg.html

Re: Is anyone doing this!?!

on 28.09.2002 17:09:38 by oneill

Because an SSL connection is established before the HTTP protocol sends
any information, there is no way for it to get the hostname as that is
transmitted as part of the HTTP protocol. The only known information is
the IP address.

-Brian

Chris Allen wrote:
> Hey all,
>
> I am missing something in my understanding. Many people have asked this
> question countless times.
> Is this something that mod_ssl needs or is this an Apache (etc.) related
> problem? Is there ever going to be a way to do name based virtual hosting
> with Apache and mod_ssl?
>
>
> "because the Hostname is not known by the server at the time it should
> present the certificate."
>
> Surely this isn't as trivial as it sounds? How about we let the server know
> the hostname?
>
>
> Thanks for any info.
> ------------------------------------------------
> -ccma Supreme Being of Leisure
>
>
> ----- Original Message -----
> From: "Harald Koch"
> To:
> Sent: Friday, September 27, 2002 10:12 PM
> Subject: Re: Is anyone doing this!?!
>
>
>
>>Of all the gin joints in all the towns in all the world, Tim Tassonis
>>had to walk into mine and say:
>>
>>>If you are talking about Name Based Virtual Hosts (same ip:port, but
>>>different names) you are out of luck. You can't present different
>>>certificates with Name Based Virtual Hosts, because the Hostname is not
>>>known by the server at the time it should present the certificate.
>>
>>SubjectAltName?
>>
>>--
>>Harald Koch

Re: Is anyone doing this!?!

on 28.09.2002 17:12:06 by Maurizio Marini

I think that the only info in clear text is the IP and port, e.g. the TCP
header. HTTPS is encapsulated; the other HTTP data is SSL-encrypted. The URL
is HTTP, not TCP, so Apache can differentiate by ip:port and not by name.
--
Maurizio Marini

Re: Is anyone doing this!?!

on 28.09.2002 17:13:33 by Eric Rescorla

> i think the problem is that in http1.0 the hostname is not sent along with the
> Http-header. So you just know the IP.

Not quite.

The problem is that the SSL handshake happens before any HTTP
traffic is sent. Thus, the server doesn't know.

Fixing this requires a change to SSL/TLS. This change is in
process (see draft-ietf-tls-extensions-XX.txt). However,
you will still have to wait for it to percolate through
most of the browsers in the world, which will take quite some
time.

-Ekr

Re: Is anyone doing this!?!

on 28.09.2002 17:13:51 by Merton Campbell Crockett

On Sat, 28 Sep 2002, Chris Allen wrote:

> Hey all,
>
> I am missing something in my understanding. Many people have asked this
> question countless times.
> Is this something that mod_ssl needs or is this an Apache (etc.) related
> problem? Is there ever going to be a way to do name based virtual hosting
> with apache and mod_ssl?

It is the nature of the SSL/TLS protocol. The entire payload is encrypted.
The only key available for determining which key to use for decrypting the
payload is the target IP address.

To expose some portions of the HTTP header, i.e. the Host: entity, would
require a change to the SSL/TLS protocol. In turn, this would require
changes to mod_ssl, Apache, and all other web server software. In addition,
it would require changes to every web gateway, proxy, and browser in existence.

> "because the Hostname is not known by the server at the time it should
> present the certificate."
>
> Surely this isn't as trivial as it sounds? How about we let the server know
> the hostname?

It's not trivial.

Merton Campbell Crockett

>
> ----- Original Message -----
> From: "Harald Koch"
> To:
> Sent: Friday, September 27, 2002 10:12 PM
> Subject: Re: Is anyone doing this!?!
>
>
> >
> > Of all the gin joints in all the towns in all the world, Tim Tassonis
> > had to walk into mine and say:
> > >
> > > If you are talking about Name Based Virtual Hosts (same ip:port, but
> > > different names) you are out of luck. You can't present different
> > > certificates with Name Based Virtual Hosts, because the Hostname is not
> > > known by the server at the time it should present the certificate.
> >
> > SubjectAltName?
> >
> > --
> > Harald Koch

Re: Is anyone doing this!?!

on 28.09.2002 17:15:59 by Chris Allen

Thanks! Great, can hardly wait.

>
> Fixing this requires a change to SSL/TLS. This change is in
> process (see draft-ietf-tls-extensions-XX.txt). However,
> you will still have to wait for it to percolate through
> most of the browsers in the world, which will take quite some
> time.



Re: Is anyone doing this!?!

on 28.09.2002 17:17:12 by Harald Koch

Of all the gin joints in all the towns in all the world, "Chris Allen"
had to walk into mine and say:
>
> Is this something that mod_ssl needs or is this a apache(etc) related
> problem? Is there ever going to be a way to do name based virtual hosting
> with apache and mod_ssl?

It's an HTTP over SSL problem.

The normal HTTP transaction looks something like:
- connect to server
- issue GET request, with Host: header
- web server serves virtual host information based on Host: header

The normal HTTPS transaction looks something like:
- connect (TCP) to server
- perform SSL handshake; server sends server SSL certificate
- perform server certificate verification
- issue GET request, with Host: header

Notice the order of operations is backwards; the server issues the SSL
certificate *before* the server receives the Host: header, so it can't
send out *different* SSL certificates.

There are several solutions to this problem:

1) use IP address based virtual hosting. In this case, the SSL server
knows the IP address before sending the SSL request. This is the most
common solution, because it is easy and can be extended to new
virtual hosts easily. The downside is that you need a separate
address per virtual host.

2) use SSL over HTTP (not very well supported at this time).

3) Configure the SSL server to use a single SSL certificate. Put *all*
of the names and addresses of the server into the "subjectAltName"
extension field of the certificate.

Note that this only works well if your set of virtual hosts is small
and unchanging (like mine), or if you have your own CA. This is
because you need to reissue the certificate every time you add (or
remove :-) a virtual host.

--
Harald Koch
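The ordering Harald lays out above, and the TLS extension Eric mentions, as an added example that is not code from the thread, from mod_ssl or from OpenSSL. The builder constructs a sample ClientHello inline, with and without the server_name extension (the draft Eric refers to became RFC 3546; the extension now lives in RFC 6066). A client without the extension produces the second kind of hello, and that record is the only thing the server has seen when it must choose a certificate: no Host: header yet, just the IP:port the TCP connection arrived on. With the extension the name is inside the ClientHello, so a server can select a per-vhost certificate before sending its Certificate message. The record and handshake layout follow the TLS 1.0 wire format; the function names are my own.

```python
"""Where the host name lives in a TLS ClientHello (added example, not mod_ssl code)."""
import os
import struct

SNI_EXT = 0x0000   # ExtensionType server_name
HOST_NAME = 0      # NameType host_name


def build_client_hello(server_name=None, version=(3, 1)):
    """Return a TLS record holding a ClientHello; server_name adds the SNI extension.

    Constructed sample message: two cipher suites, null compression, empty session id.
    """
    body = bytes(version) + os.urandom(32)               # client_version, random
    body += b"\x00"                                      # empty session_id
    suites = b"\x00\x2f\x00\x35"                         # AES128-SHA, AES256-SHA
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                  # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry      # ServerNameList
        ext = struct.pack("!HH", SNI_EXT, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext        # extensions block
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # HandshakeType client_hello, 24-bit length
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs   # ContentType handshake


def sni_from_client_hello(record):
    """Return the SNI host name from a ClientHello record, or None if the client sent none.

    Malformed input raises ValueError or struct.error rather than returning a guess.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len, = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                         # skip client_version and random
    sid_len = body[pos]; pos += 1 + sid_len              # session_id
    cs_len, = struct.unpack("!H", body[pos:pos + 2]); pos += 2 + cs_len   # cipher_suites
    comp_len = body[pos]; pos += 1 + comp_len            # compression_methods
    if pos == len(body):
        return None                                      # pre-extension client: no name anywhere
    ext_len, = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + length]; pos += length
        if ext_type != SNI_EXT:
            continue
        list_len, = struct.unpack("!H", data[:2])
        q = 2
        while q + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[q:q + 3]); q += 3
            name = data[q:q + name_len]; q += name_len
            if name_type == HOST_NAME:
                return name.decode("ascii")
    return None
```

A server that maps the returned name to a <VirtualHost> certificate is the whole of what the extension buys; everything else in the handshake is unchanged, which is why the change had to land in browsers before it helped anyone.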

Re: Is anyone doing this!?!

on 01.10.2002 17:15:32 by camccuk

>3) Configure the SSL server to use a single SSL certificate. Put *all*
>   of the names and addresses of the server into the "subjectAltName"
>   extension field of the certificate.

In several months of working with SSL and its limitations, I have *never* seen this as a solution - presumably this will work like a wildcard certificate?

Does anyone have any experience of which client/server combinations this will work with?

Cheers,
cam

Re: Is anyone doing this!?!

on 01.10.2002 17:26:34 by Harald Koch

> Does anyone have any experiences of which client/server combinatipons this will work with?

I've used subjectAltName with IE 5.0, 5.5, and 6.0; and several recent
Mozilla versions. I vaguely remember it working with earlier Netscape
browsers, but I don't remember which versions.

--
Harald Koch
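An added illustration (not code from the thread or from any browser) of what the client side of Harald's single-certificate approach does, and of cam's question about wildcards. A browser accepts the one certificate for every host whose name appears in subjectAltName; each dNSName entry is an exact, case-insensitive match, and a wildcard entry covers exactly one label and only as the whole leftmost label, so listing names is not the same as a wildcard certificate. The rules below follow RFC 6125 section 6.4.3; the certificate names in the test are constructed for this example.

```python
"""Does a certificate with several subjectAltName dNSNames cover this host? (added example)"""


def _match_dns_name(pattern, host):
    """Match one dNSName entry (possibly a wildcard) against a host name."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host                        # plain entry: exact match only
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # The wildcard must be the entire leftmost label, nothing else may contain
    # one, and at least two labels must follow it (no "*" or "*.com").
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False                                  # "*.example.com" covers one label, not "a.b.example.com"
    return p_labels[1:] == h_labels[1:]


def host_matches_cert(host, san_dns_names, subject_cn=None):
    """True if host is covered by the certificate's dNSName entries.

    The subject CN is consulted only when the certificate carries no dNSName at all,
    the legacy fallback RFC 6125 permits; once subjectAltName is present, CN is ignored.
    """
    if san_dns_names:
        return any(_match_dns_name(name, host) for name in san_dns_names)
    return subject_cn is not None and _match_dns_name(subject_cn, host)
```

For the server side this means the certificate must be reissued whenever a vhost is added or renamed, exactly as Harald notes; a wildcard entry only helps when the new vhost sits one label under an existing wildcard.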