change cipher suite of a virtual host without restarting apache

on 01.07.2005 09:26:36 by Sourabh Bhandari

Hi,

I've Apache running as a reverse proxy on Linux with SSL
(mod_ssl).

There are multiple sites behind the Apache.

There are cases when the cipher-suite or certificate for a
site has to be changed. In that case Apache is
restarted to take the changes into account.

This results in disconnection of all the connected
users (whether they are connected to the site for which
changes are done or to a site for which nothing has
been changed).

Is there a way I can modify the cipher-suite or
certificate so that I don't need to restart Apache
and all the users' sessions stay valid and working? (I
won't mind if users connected to the site for which changes
are made get disconnected.)

Thanks in advance,

-Sourabh

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: change cipher suite of a virtual host without restarting apache

on 01.07.2005 16:27:23 by Matt Stevenson

AFAIK this is not possible with a virtual host.
However there is no reason you can't run each virtual
host as its own server (split off into its own config,
use the -f and -d options). It really depends on
your load and flexibility requirements. Currently some
servers I manage have 50+ apache servers. While not
the best for memory and efficiency, the flexibility is
good.

Regards
Matt


Client certificate expiry handling

on 01.07.2005 17:08:31 by Matt Stevenson

Hi,

I know this has been raised before but please read on.

Currently AFAIK client certificate expiry checking is
done by OpenSSL and the connection is terminated
before Apache comes into play, hence no error page can
be sent. This is a problem as IE doesn't tell the user
the client certificate is expired. Hence the user
experiences a horrible disconnect page (not nice for
issue tracking either as it's pretty generic).

Both Netscape and IIS can send back an error to the
browser under this condition. The company I work for
would also like Apache to be able to do this. There is
a good possibility that the changes would be funded.

I'm looking for someone who has experience with
apache/mod_ssl/openssl to give an idea on the
feasibility and a time estimate to do the work.
Suggestions on who could do this are also welcome.

Regards
Matt



Re: change cipher suite of a virtual host without restarting apache

on 06.07.2005 15:28:48 by Sourabh Bhandari

Hi Matt,

Thanks for the reply.

I can't have as many instances of httpd running as
there are sites, so I have to figure out a way
to do it using a single instance of httpd (I'm
not bothered about the forks performed by Apache
itself).

I think I've found a solution to this by patching the
ssl_io_filter_connect() function in ssl_engine_io.c.

Before mod_ssl tries to make a connection with OpenSSL
(either SSL_connect or SSL_accept), I make a call to
SSL_set_cipher_list() to set a customized cipher list.

This way, just before the connection takes place, I have the
customized cipher-suite in place.

Regards,
-Sourabh
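The idea in Sourabh's last message (pick the cipher list for the virtual host right before the handshake, so a site's policy can change without bouncing the whole server) is shown below as an added example in Python's standard ssl module. It is not code from the thread, from mod_ssl or from Apache. Python exposes no per-connection SSL_set_cipher_list(), so the per-host choice is made by swapping the SSLContext from the SNI callback, which OpenSSL runs after the ClientHello is read and before a cipher suite is chosen. The hostnames and cipher strings are constructed for illustration; reload_site() stands in for whatever reads the new policy from disk.

```python
"""Per-virtual-host TLS cipher policy selected before the handshake.

Added example, not mod_ssl code.  Python's ssl module has no
per-connection SSL_set_cipher_list(), so the per-host choice is made by
swapping the SSLContext from the SNI callback, which runs after the
ClientHello is read and before the server picks a cipher suite.
"""
import ssl

# Constructed policy table: hostnames and cipher strings are assumptions
# for illustration, not taken from the thread.
SITE_CIPHERS = {
    "legacy.example.test": "HIGH:!aNULL:!MD5",  # broad, still rejects anon DH
    "strict.example.test": "ECDHE+AESGCM",      # forward secrecy + AEAD only
}
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"            # used when SNI absent/unknown


def context_for(ciphers):
    """Build a server context and apply an OpenSSL cipher string to it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(ciphers)            # raises ssl.SSLError if nothing matches
    return ctx


def build_contexts(policy=SITE_CIPHERS):
    """One SSLContext per virtual host, keyed by the SNI host name."""
    return {host: context_for(ciphers) for host, ciphers in policy.items()}


def select_context(contexts, server_name):
    """Pick the per-host context; None means keep the listener's default."""
    if not server_name:
        return None
    return contexts.get(server_name.lower())


def make_listener(contexts, default=DEFAULT_CIPHERS):
    """Listener context whose SNI callback swaps in the per-host context.

    `contexts` is looked up at callback time, so reload_site() below takes
    effect for the next handshake without re-creating the listener or
    touching connections that already negotiated.
    """
    listener = context_for(default)

    def on_sni(sock, server_name, _ctx):
        chosen = select_context(contexts, server_name)
        if chosen is not None:
            sock.context = chosen       # handshake continues with new ciphers
        return None                     # None = proceed; an alert code aborts

    listener.sni_callback = on_sni
    return listener


def reload_site(contexts, host, ciphers):
    """Replace one host's policy; in-flight connections keep the old one."""
    contexts[host] = context_for(ciphers)
    return contexts[host]


def tls12_cipher_names(ctx):
    """Enabled TLS <= 1.2 suites; TLS 1.3 suites are governed separately."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    ctxs = build_contexts()
    listener = make_listener(ctxs)      # pass to listener.wrap_socket(server_side=True)
    for host, ctx in ctxs.items():
        print(host, tls12_cipher_names(ctx)[:3], "...")
    reload_site(ctxs, "legacy.example.test", "ECDHE+AESGCM")
    print("after reload:", tls12_cipher_names(ctxs["legacy.example.test"])[:3])
```

Two caveats apply to this shape of solution. Clients that send no SNI (common in 2005, rare today) fall through to the default context, so the default must itself be an acceptable policy rather than a permissive catch-all. And in Apache itself the usual tool for the original complaint is a graceful restart (`apachectl graceful` / `httpd -k graceful`), which re-reads the configuration and lets each child finish the request it is serving before it is replaced, though idle keep-alive connections are closed rather than carried over.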