ModSSL directives & Books about ModSSL

Hi,

Are the apache directives/configuration for modssl handled only by the
openssl package? Or does modssl have it's own configuration settings?

Also a related question, can anyone recommend any good books that cover Mod
SSL well? Such as something that covers setting up the apache httpd.conf
file for secure site configuration (if the above applies), ssl apache
directives, installing and maintaining CA certificates, keys, etc? I
checked amazon and there are only two books on ssl I could find, got a great
recommendation in the openssl forum for two good books on openssl.

Thanks for any info on this (& patience with a modssl newbie question).

Dan

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: ModSSL directives & Books about ModSSL

> Are the apache directives/configuration for modssl handled only by the
> openssl package? Or does modssl have it's own configuration settings?
> SSL well? Such as something that covers setting up the apache httpd.conf
> file for secure site configuration (if the above applies), ssl apache
> directives, installing and maintaining CA certificates, keys, etc? I
> checked amazon and there are only two books on ssl I could find, got a great
> recommendation in the openssl forum for two good books on openssl.

I have the mod_ssl chapter of my book freely available online. I think
together with the mod_ssl reference documentation you should be fine, it
covers everything you mention. It is oriented towards Apache 2

http://www.apacheworld.org/ty24/site.chapter17.html

Best regards

Daniel
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: ModSSL directives & Books about ModSSL

Hi All,

I want to provide HTTP & HTTPS delete option on my webserver [general and
some specific folder].

apache [1.3.27] with mod-ssl

Do i need to make any configuration changes on server side to support it ?
Any config sample will be highly appreciated.

Regards
Nauman


-----Original Message-----
From: Daniel Lopez [mailto:daniel@rawbyte.com]
Sent: Friday, May 16, 2003 1:14 PM
To: modssl-users@modssl.org
Subject: Re: ModSSL directives & Books about ModSSL



> Are the apache directives/configuration for modssl handled only by the
> openssl package? Or does modssl have it's own configuration settings?
> SSL well? Such as something that covers setting up the apache httpd.conf
> file for secure site configuration (if the above applies), ssl apache
> directives, installing and maintaining CA certificates, keys, etc? I
> checked amazon and there are only two books on ssl I could find, got a
great
> recommendation in the openssl forum for two good books on openssl.

I have the mod_ssl chapter of my book freely available online. I think
together with the mod_ssl reference documentation you should be fine, it
covers everything you mention. It is oriented towards Apache 2

http://www.apacheworld.org/ty24/site.chapter17.html

Best regards

Daniel
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: ModSSL directives & Books about ModSSL

I guess by "delete option" you mean the delete WebDAV method that allows
clients to remove files from the web server. I have another chapter online
on it:

http://www.apacheworld.org/ty24/site.chapter13.html

It is for Apache 2, which already includes mod_dav. For Apache 1.3 it should
work too, but you will need to download and install mod_dav separately,
checkout htp://www.webdav.org

> Hi All,
>
> I want to provide HTTP & HTTPS delete option on my webserver [general and
> some specific folder].
>
> apache [1.3.27] with mod-ssl
>
> Do i need to make any configuration changes on server side to support it ?
> Any config sample will be highly appreciated.
>
> Regards
> Nauman
>
>
> -----Original Message-----
> From: Daniel Lopez [mailto:daniel@rawbyte.com]
> Sent: Friday, May 16, 2003 1:14 PM
> To: modssl-users@modssl.org
> Subject: Re: ModSSL directives & Books about ModSSL
>
>
>
> > Are the apache directives/configuration for modssl handled only by the
> > openssl package? Or does modssl have it's own configuration settings?
> > SSL well? Such as something that covers setting up the apache httpd.conf
> > file for secure site configuration (if the above applies), ssl apache
> > directives, installing and maintaining CA certificates, keys, etc? I
> > checked amazon and there are only two books on ssl I could find, got a
> great
> > recommendation in the openssl forum for two good books on openssl.
>
> I have the mod_ssl chapter of my book freely available online. I think
> together with the mod_ssl reference documentation you should be fine, it
> covers everything you mention. It is oriented towards Apache 2
>
> http://www.apacheworld.org/ty24/site.chapter17.html
>
> Best regards
>
> Daniel
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: ModSSL directives & Books about ModSSL

Thanks Daniel,

Is there any other way of deleting file through HTTP ?

Infact i have to implement this for multiple web servers like iPlanet, IIS
etc. So i am trying to design some strategy, which can be worked out in all.

Regards
Nauman

-----Original Message-----
From: Daniel Lopez [mailto:daniel@rawbyte.com]
Sent: Wednesday, May 21, 2003 2:09 PM
To: modssl-users@modssl.org
Subject: Re: ModSSL directives & Books about ModSSL



I guess by "delete option" you mean the delete WebDAV method that allows
clients to remove files from the web server. I have another chapter online
on it:

http://www.apacheworld.org/ty24/site.chapter13.html

It is for Apache 2, which already includes mod_dav. For Apache 1.3 it should
work too, but you will need to download and install mod_dav separately,
checkout htp://www.webdav.org

> Hi All,
>
> I want to provide HTTP & HTTPS delete option on my webserver [general and
> some specific folder].
>
> apache [1.3.27] with mod-ssl
>
> Do i need to make any configuration changes on server side to support it ?
> Any config sample will be highly appreciated.
>
> Regards
> Nauman
>
>
> -----Original Message-----
> From: Daniel Lopez [mailto:daniel@rawbyte.com]
> Sent: Friday, May 16, 2003 1:14 PM
> To: modssl-users@modssl.org
> Subject: Re: ModSSL directives & Books about ModSSL
>
>
>
> > Are the apache directives/configuration for modssl handled only by the
> > openssl package? Or does modssl have it's own configuration settings?
> > SSL well? Such as something that covers setting up the apache
httpd.conf
> > file for secure site configuration (if the above applies), ssl apache
> > directives, installing and maintaining CA certificates, keys, etc? I
> > checked amazon and there are only two books on ssl I could find, got a
> great
> > recommendation in the openssl forum for two good books on openssl.
>
> I have the mod_ssl chapter of my book freely available online. I think
> together with the mod_ssl reference documentation you should be fine, it
> covers everything you mention. It is oriented towards Apache 2
>
> http://www.apacheworld.org/ty24/site.chapter17.html
>
> Best regards
>
> Daniel
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: ModSSL directives & Books about ModSSL

If your needs is for dealing with content, especially content of multiple
clients and such, you might take a look at rsync, and rsync under ssh,
there is a dos/windoes version available. Of course a more specific
description of what you wish to try and do might help folks in suggesting
how to accomplish the chore.

Thanks,

Ron DuFresne

On Thu, 22 May 2003, Nauman, Ahmed [IT] wrote:

> Thanks Daniel,
>
> Is there any other way of deleting file through HTTP ?
>
> Infact i have to implement this for multiple web servers like iPlanet, IIS
> etc. So i am trying to design some strategy, which can be worked out in all.
>
> Regards
> Nauman
>
> -----Original Message-----
> From: Daniel Lopez [mailto:daniel@rawbyte.com]
> Sent: Wednesday, May 21, 2003 2:09 PM
> To: modssl-users@modssl.org
> Subject: Re: ModSSL directives & Books about ModSSL
>
>
>
> I guess by "delete option" you mean the delete WebDAV method that allows
> clients to remove files from the web server. I have another chapter online
> on it:
>
> http://www.apacheworld.org/ty24/site.chapter13.html
>
> It is for Apache 2, which already includes mod_dav. For Apache 1.3 it should
> work too, but you will need to download and install mod_dav separately,
> checkout htp://www.webdav.org
>
> > Hi All,
> >
> > I want to provide HTTP & HTTPS delete option on my webserver [general and
> > some specific folder].
> >
> > apache [1.3.27] with mod-ssl
> >
> > Do i need to make any configuration changes on server side to support it ?
> > Any config sample will be highly appreciated.
> >
> > Regards
> > Nauman
> >
> >
> > -----Original Message-----
> > From: Daniel Lopez [mailto:daniel@rawbyte.com]
> > Sent: Friday, May 16, 2003 1:14 PM
> > To: modssl-users@modssl.org
> > Subject: Re: ModSSL directives & Books about ModSSL
> >
> >
> >
> > > Are the apache directives/configuration for modssl handled only by the
> > > openssl package? Or does modssl have it's own configuration settings?
> > > SSL well? Such as something that covers setting up the apache
> httpd.conf
> > > file for secure site configuration (if the above applies), ssl apache
> > > directives, installing and maintaining CA certificates, keys, etc? I
> > > checked amazon and there are only two books on ssl I could find, got a
> > great
> > > recommendation in the openssl forum for two good books on openssl.
> >
> > I have the mod_ssl chapter of my book freely available online. I think
> > together with the mod_ssl reference documentation you should be fine, it
> > covers everything you mention. It is oriented towards Apache 2
> >
> > http://www.apacheworld.org/ty24/site.chapter17.html
> >
> > Best regards
> >
> > Daniel
> > ____________________________________________________________ __________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List modssl-users@modssl.org
> > Automated List Manager majordomo@modssl.org
> > ____________________________________________________________ __________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List modssl-users@modssl.org
> > Automated List Manager majordomo@modssl.org
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
>

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

SSL certs

It has been a long time since I have last posted. I am looking at renewing
some of my SSL certs (Currently with VeriSign). Has anyone used or had
problems with XRampSSL (verisignssl.com). They are selling a 128 bit cert
for 180 for 3 years! Why wouldn't I want to go with them (I do not care
about name recognition for this part of my website)? I realize that my
question has nothing to do with modssl directly, but I thought this would be
a good forum to ask.

Thanks!
Kevin Klawon
CTO - InterSightTechnologies

Tel.: (888) 843-6935 Ext. 483
Mobile: 203-675-5644
Office: 407-888-0739

kevin@intersighttechnologies.com



____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: ModSSL directives & Books about ModSSL

On Thu, 22 May 2003, Daniel Lopez wrote:

>
> I dont know about iPlanet, but later versions of IIS support DAV.


which lead to many of thise IIS systems being sploited just recently,
AGAIN, since they tend to be poorly installed and even more poorly
maintained, even with the major headaches that ensue when one tries to do
so due to M$'s poor patch strutures and implimentations. Anything less
the totally static pages in an IIS deployment needs to be CAREFULLY
considered, and even then, more carefully gone over prior to putting into
prodution by security staff.


so far dav support under other implimentations have not suffered in the
same area blue and purple, we do not hold our breadth on such matters...>

> Another option is to implement the functionality in a CGI script and hook up
> the CGI to answer all requests for a particular method (DELETE in this case)
> This can be done with Apache (checkout Script directive from mod_actions)
> prob. with IIS and iPlaent as well (maybe some NSAPI and ISAPI programming
> required)

And, as always, be wary of how one impliments filters for what can be
input into and returned from the cgi. one way validation is *not* the way
to do these things, of course everyone here knows this .

> Like Ron mentions, it is probably necessary that you explain in more detail
> what you want to accomplish. You may want to post the question in the apache
> users list at http://httpd.apache.org/lists.html since it seems the question
> is not mod_ssl specific
>


Thanks,

Ron DuFresne
[SNIP .sig cleanup]
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: ModSSL directives & Books about ModSSL

I dont know about iPlanet, but later versions of IIS support DAV.
Another option is to implement the functionality in a CGI script and hook up
the CGI to answer all requests for a particular method (DELETE in this case)
This can be done with Apache (checkout Script directive from mod_actions)
prob. with IIS and iPlaent as well (maybe some NSAPI and ISAPI programming
required)
Like Ron mentions, it is probably necessary that you explain in more detail
what you want to accomplish. You may want to post the question in the apache
users list at http://httpd.apache.org/lists.html since it seems the question
is not mod_ssl specific

Cheers

Daniel

> Thanks Daniel,
>
> Is there any other way of deleting file through HTTP ?
>
> Infact i have to implement this for multiple web servers like iPlanet, IIS
> etc. So i am trying to design some strategy, which can be worked out in all.
>
> Regards
> Nauman
>
> -----Original Message-----
> From: Daniel Lopez [mailto:daniel@rawbyte.com]
> Sent: Wednesday, May 21, 2003 2:09 PM
> To: modssl-users@modssl.org
> Subject: Re: ModSSL directives & Books about ModSSL
>
>
>
> I guess by "delete option" you mean the delete WebDAV method that allows
> clients to remove files from the web server. I have another chapter online
> on it:
>
> http://www.apacheworld.org/ty24/site.chapter13.html
>
> It is for Apache 2, which already includes mod_dav. For Apache 1.3 it should
> work too, but you will need to download and install mod_dav separately,
> checkout htp://www.webdav.org
>
> > Hi All,
> >
> > I want to provide HTTP & HTTPS delete option on my webserver [general and
> > some specific folder].
> >
> > apache [1.3.27] with mod-ssl
> >
> > Do i need to make any configuration changes on server side to support it ?
> > Any config sample will be highly appreciated.
> >
> > Regards
> > Nauman
> >
> >
> > -----Original Message-----
> > From: Daniel Lopez [mailto:daniel@rawbyte.com]
> > Sent: Friday, May 16, 2003 1:14 PM
> > To: modssl-users@modssl.org
> > Subject: Re: ModSSL directives & Books about ModSSL
> >
> >
> >
> > > Are the apache directives/configuration for modssl handled only by the
> > > openssl package? Or does modssl have it's own configuration settings?
> > > SSL well? Such as something that covers setting up the apache
> httpd.conf
> > > file for secure site configuration (if the above applies), ssl apache
> > > directives, installing and maintaining CA certificates, keys, etc? I
> > > checked amazon and there are only two books on ssl I could find, got a
> > great
> > > recommendation in the openssl forum for two good books on openssl.
> >
> > I have the mod_ssl chapter of my book freely available online. I think
> > together with the mod_ssl reference documentation you should be fine, it
> > covers everything you mention. It is oriented towards Apache 2
> >
> > http://www.apacheworld.org/ty24/site.chapter17.html
> >
> > Best regards
> >
> > Daniel
> > ____________________________________________________________ __________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List modssl-users@modssl.org
> > Automated List Manager majordomo@modssl.org
> > ____________________________________________________________ __________
> > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > User Support Mailing List modssl-users@modssl.org
> > Automated List Manager majordomo@modssl.org
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
> ____________________________________________________________ __________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List modssl-users@modssl.org
> Automated List Manager majordomo@modssl.org
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org