Encryption key size
on 17.03.2010 02:54:19 by Hugh E Cruickshank
Apache 2.2.3 on RHEL 5.4
Hi All:
I am attempting to find a way of determining the encryption key size.
Apparently the old environment variable was HTTPS_KEYSIZE which was
renamed SSL_CIPHER_USEKEYSIZE. However this is only active if you
specify +CompatEnvVars on the SSLOptions directives.
When I attempted this I encountered the error:
SSLOptions: Illegal option 'CompatEnvVars'
Searching for this error leads me to the conclusion that the
CompatEnvVars directive was deprecated in Apache 2.2 (and was possibly
never implemented correctly anyway).
I have done a bunch of searching but can find nothing further on this
subject. So...
Is there any way of determining the encryption key size on Apache 2.2.3?
TIA
Regards, Hugh
--
Hugh E Cruickshank, Forward Software, www.forward-software.com
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Encryption key size
on 17.03.2010 12:10:25 by Jeff Trawick
On Tue, Mar 16, 2010 at 9:54 PM, Hugh E Cruickshank wrote:
> Apache 2.2.3 on RHEL 5.4
>
> Hi All:
>
> I am attempting to find a way of determining the encryption key size.
> Apparently the old environment variable was HTTPS_KEYSIZE which was
> renamed SSL_CIPHER_USEKEYSIZE. However this is only active if you
> specify +CompatEnvVars on the SSLOptions directives.
>
> When I attempted this I encountered the error:
>
>    SSLOptions: Illegal option 'CompatEnvVars'
>
> Searching for this error leads me to the conclusion that the
> CompatEnvVars directive was deprecated in Apache 2.2 (and was possibly
> never implemented correctly anyway).
See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions
(StdEnvVars). SSL_CIPHER_USEKEYSIZE should be set.
RE: Encryption key size
on 17.03.2010 18:59:53 by Hugh E Cruickshank
From: Jeff Trawick Sent: March 17, 2010 04:10
> On Tue, Mar 16, 2010 at 9:54 PM, Hugh E Cruickshank
> >
> > I am attempting to find a way of determining the encryption key size.
> > Apparently the old environment variable was HTTPS_KEYSIZE which was
> > renamed SSL_CIPHER_USEKEYSIZE. However this is only active if you
> > specify +CompatEnvVars on the SSLOptions directives.
> >
> > When I attempted this I encountered the error:
> >
> > SSLOptions: Illegal option 'CompatEnvVars'
> >
> > Searching for this error leads me to the conclusion that the
> > CompatEnvVars directive was deprecated in Apache 2.2 (and was possibly
> > never implemented correctly anyway).
>
> See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions
> (StdEnvVars). SSL_CIPHER_USEKEYSIZE should be set.
Hi Jeff:
That looks perfect. Thank you muchly.
Regards, Hugh
--
Hugh E Cruickshank, Forward Software, www.forward-software.com
RE: Encryption key size
on 17.03.2010 19:08:28 by Hugh E Cruickshank
From: Hugh E Cruickshank Sent: March 17, 2010 11:00
> From: Jeff Trawick Sent: March 17, 2010 04:10
> >
> > See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions
> > (StdEnvVars). SSL_CIPHER_USEKEYSIZE should be set.
>
> That looks perfect. Thank you muchly.
Unfortunately that did not work either.
Regards, Hugh
--
Hugh E Cruickshank, Forward Software, www.forward-software.com
Re: Encryption key size
on 17.03.2010 19:10:13 by Jeff Trawick
On Wed, Mar 17, 2010 at 2:08 PM, Hugh E Cruickshank wrote:
> From: Hugh E Cruickshank Sent: March 17, 2010 11:00
>> From: Jeff Trawick Sent: March 17, 2010 04:10
>> >
>> > See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions
>> > (StdEnvVars). SSL_CIPHER_USEKEYSIZE should be set.
>>
>> That looks perfect. Thank you muchly.
>
> Unfortunately that did not work either.
Exactly where are you/your software looking for it to be set?
RE: Encryption key size
on 17.03.2010 20:00:22 by Hugh E Cruickshank
From: Jeff Trawick Sent: March 17, 2010 11:10
>
> Exactly where are you/your software looking for it to be set?
First a little background info that may help explain things...
We are a PROGRESS shop and are using their WebSpeed package. WebSpeed
provides us the ability to write programs as either augmented HTML or
as 4GL programs that output HTML (we use the former). Our development
system uses a CentOS 4.8 server for the database and CUI programs,
Windows PCs for GUI development and a Windows 200 Server for a web
server and web development. The QA and live environments run on two
RHEL 5.4 servers, one for a database server & CUI program host and
one for a web server.
The WebSpeed programs run in CGI mode for both the IIS and Apache web
servers. Within our programs we can interrogate any of the standard
CGI and OS environment variables. On IIS I can get the HTTPS_KEYSIZE
value to determine the encryption key size but I have not been able
to find anything similar on Apache that will work. I had tried
SSL_CIPHER_ALGKEYSIZE in the past but it never returned a value and
now it appears the CompatEnvVars directive that was supposed to
generate this environment variable has been deprecated.
Here is a list of the CGI variables that I can see when using an HTTPS
connection:
AUTH_TYPE*:
CONTENT_LENGTH*: 12
CONTENT_TYPE*: application/x-www-form-urlencoded
DLC: /usr/dlc91e
DOCUMENT_ROOT: /var/www/faq
GATEWAY_INTERFACE*: CGI/1.1
HTTPS: on
HTTP_ACCEPT*: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword,
application/x-shockwave-flash, */*
HTTP_ACCEPT_ENCODING: gzip, deflate
HTTP_ACCEPT_LANGUAGE: en-ca
HTTP_CACHE_CONTROL: no-cache
HTTP_CONNECTION: Keep-Alive
HTTP_COOKIE*: safeSessionID=ddjjVkjKlbdmgkCi6794
HTTP_HOST:
HTTP_REFERER*:
HTTP_USER_AGENT*: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET
CLR 1.1.4322; .NET CLR 2.0.50727)
nokeepalive: 1
PATH: /sbin:/usr/sbin:/bin:/usr/bin
PATH_INFO*: /webtools/session.w
PATH_TRANSLATED*: /var/www/faq/webtools/session.w
PROMSGS: /usr/dlc91e/promsgs
PWD: /var/www/cgi-bin
QUERY_STRING*:
REMOTE_ADDR*: 192.168.2.30
REMOTE_HOST*:
REMOTE_IDENT*:
REMOTE_PORT: 1388
REMOTE_USER*:
REQUEST_METHOD*: POST
REQUEST_URI: /cgi-bin/faq/webtools/session.w
SCRIPT_FILENAME: /var/www/cgi-bin/faq
SCRIPT_NAME*: /cgi-bin/faq
SERVER_ADDR: 192.168.4.1
SERVER_ADMIN:
SERVER_NAME*:
SERVER_PORT*: 443
SERVER_PROTOCOL*: HTTP/1.1
SERVER_SIGNATURE: Apache/2.2.3 (Red Hat) Server at faq.forsoft.com
Port 443
SERVER_SOFTWARE*: Apache/2.2.3 (Red Hat)
SHLVL: 1
ssl_unclean_shutdown: 1
useConnID: 0
WRKDIR: /usr/wrk91e
_: /usr/dlc91e/bin/cgiip
I hope that clarifies things a bit.
TIA
Regards, Hugh
--
Hugh E Cruickshank, Forward Software, www.forward-software.com
Re: Encryption key size
on 17.03.2010 21:25:06 by Jeff Trawick
On Wed, Mar 17, 2010 at 3:00 PM, Hugh E Cruickshank wrote:
> From: Jeff Trawick Sent: March 17, 2010 11:10
>>
>> Exactly where are you/your software looking for it to be set?
>
> Here is a list of the CGI variables that I can see when using an HTTPS
> connection:
>
> AUTH_TYPE*:
> CONTENT_LENGTH*: 12
> CONTENT_TYPE*: application/x-www-form-urlencoded
> DLC: /usr/dlc91e
> DOCUMENT_ROOT: /var/www/faq
> GATEWAY_INTERFACE*: CGI/1.1
> HTTPS: on
....
(no mod_ssl-set envvars but HTTPS)
Can you show the part of your config where you added
SSLOptions +StdEnvVars
RE: Encryption key size
on 17.03.2010 21:40:43 by Hugh E Cruickshank
From: Jeff Trawick Sent: March 17, 2010 13:25
>
> (no mod_ssl-set envvars but HTTPS)
>
> Can you show the part of your config where you added
>
> SSLOptions +StdEnvVars
From /etc/httpd/conf.d/ssl.conf:
ServerName
ServerAlias
ServerAlias
DocumentRoot /var/www/fap
ServerAdmin
ErrorLog /etc/httpd/logs/error_log
TransferLog /etc/httpd/logs/access_log
SSLEngine on
SSLCertificateFile /usr/pgi/crt/pgi.crt
SSLCertificateKeyFile /usr/pgi/crt/pgi.key
# SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.crt
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog /etc/httpd/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
There are two VirtualHost entries in the configuration file but both
are virtually identical except for the ServerName, ServerAlias and
DocumentRoot values.
TIA
Regards, Hugh
--
Hugh E Cruickshank, Forward Software, www.forward-software.com
Re: Encryption key size
on 17.03.2010 21:49:40 by Jeff Trawick
On Wed, Mar 17, 2010 at 4:40 PM, Hugh E Cruickshank wrote:
> From: Jeff Trawick Sent: March 17, 2010 13:25
>>
>> (no mod_ssl-set envvars but HTTPS)
>>
>> Can you show the part of your config where you added
>>
>> SSLOptions +StdEnvVars
>
> From /etc/httpd/conf.d/ssl.conf:
>
>
>  ServerName
>  ServerAlias
>  ServerAlias
>  DocumentRoot /var/www/fap
>  ServerAdmin
>  ErrorLog /etc/httpd/logs/error_log
>  TransferLog /etc/httpd/logs/access_log
>  SSLEngine on
>  SSLCertificateFile    /usr/pgi/crt/pgi.crt
>  SSLCertificateKeyFile /usr/pgi/crt/pgi.key
> # SSLCACertificateFile  /etc/httpd/conf/ssl.crt/ca-bundle.crt
>
>    SSLOptions +StdEnvVars
>
>
Either this ("/etc/httpd/cgi-bin") is the wrong directory, or you need
to also enable SSL envvars for /var/www/cgi-bin. From your envvars
dump, the script is running from /var/www/cgi-bin:
SCRIPT_FILENAME: /var/www/cgi-bin/faq
>    SSLOptions +StdEnvVars
>
>  SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
>  CustomLog /etc/httpd/logs/ssl_request_log \
>            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>
> There are two VirtualHost entries in the configuration file but both
> are virtually identical except for the ServerName, ServerAlias and
> DocumentRoot values.
RE: Encryption key size
on 17.03.2010 22:17:39 by Hugh E Cruickshank
From: Jeff Trawick Sent: March 17, 2010 13:50
>
> Either this ("/etc/httpd/cgi-bin") is the wrong directory, or you need
> to also enable SSL envvars for /var/www/cgi-bin. From your envvars
> dump, the script is running from /var/www/cgi-bin:
>
> SCRIPT_FILENAME: /var/www/cgi-bin/faq
Good catch. That's what I get for using someone else's example and not
taking the time to double check absolutely everything. My bad!
"/etc/httpd/cgi-bin" is the wrong directory, in fact it does not even
exist. "/var/www/cgi-bin" is the correct directory. I have made the
suggested correction but I will be unable to test it until this evening
when I can restart the httpd service otherwise I will have a bunch of
upset users. I will post my results.
Thanks very much for all your assistance. It is greatly appreciated.
Regards, Hugh
--
Hugh E Cruickshank, Forward Software, www.forward-software.com
RE: Encryption key size
on 18.03.2010 02:47:09 by Hugh E Cruickshank
From: Hugh E Cruickshank Sent: March 17, 2010 14:18
> From: Jeff Trawick Sent: March 17, 2010 13:50
> >
> > Either this ("/etc/httpd/cgi-bin") is the wrong directory, or you
> > need
> > to also enable SSL envvars for /var/www/cgi-bin. From your envvars
> > dump, the script is running from /var/www/cgi-bin:
> >
> > SCRIPT_FILENAME: /var/www/cgi-bin/faq
>
> Good catch. That's what I get for using someone else's example and not
> taking the time to double check absolutely everything. My bad!
>
> "/etc/httpd/cgi-bin" is the wrong directory, in fact it does not even
> exist. "/var/www/cgi-bin" is the correct directory. I have made the
> suggested correction but I will be unable to test it until this
> evening
> when I can restart the httpd service otherwise I will have a bunch of
> upset users. I will post my results.
Give the man a cigar!
That has worked. Both SSL_CIPHER_ALGKEYSIZE and SSL_CIPHER_USEKEYSIZE
are being returned with the proper value.
Thanks again for all your help. It was definitely appreciated.
Regards, Hugh
--
Hugh E Cruickshank, Forward Software, www.forward-software.com
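
The mismatch that resolved this thread (SSLOptions +StdEnvVars set on a <Directory> that does not contain the CGI script) can be checked against the configuration text before restarting httpd. The following is an added example, not part of the original thread and not Apache project code; the function names and the sample configuration are constructed for illustration. It handles only plain <Directory> paths and server/VirtualHost-level directives, and does not model a later "SSLOptions -StdEnvVars".

```python
import posixpath
import re

OPEN = re.compile(r'<\s*(\w+)\s*(.*?)\s*>$')
CLOSE = re.compile(r'</\s*\w+\s*>$')
OPTION = re.compile(r'SSLOptions\b.*\+StdEnvVars\b', re.I)
TRANSPARENT = {'virtualhost', 'ifmodule', 'ifdefine'}  # do not narrow by path

def stdenvvars_scopes(conf_text):
    """Scopes with `SSLOptions +StdEnvVars`: a plain <Directory> path, or '*'
    at server/<VirtualHost> level. Other section types are skipped here."""
    stack, scopes = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
        elif OPEN.match(line):
            tag, arg = OPEN.match(line).groups()
            stack.append((tag.lower(), arg.strip('"\'')))
        elif OPTION.match(line):
            narrowing = [s for s in stack if s[0] not in TRANSPARENT]
            if not narrowing:
                scopes.append('*')
            elif (len(narrowing) == 1 and narrowing[0][0] == 'directory'
                  and not re.search(r'[~*?\[]', narrowing[0][1])):
                scopes.append(posixpath.normpath(narrowing[0][1]))
    return scopes

def script_gets_ssl_vars(script_filename, conf_text):
    """True if SCRIPT_FILENAME lies inside a scope that exports SSL_* vars."""
    script = posixpath.normpath(script_filename)
    return any(scope == '*' or script.startswith(scope.rstrip('/') + '/')
               for scope in stdenvvars_scopes(conf_text))

# Constructed sample modelled on the thread (not the poster's real file).
BROKEN = """
<VirtualHost _default_:443>
  <Directory "/etc/httpd/cgi-bin">
    SSLOptions +StdEnvVars
  </Directory>
</VirtualHost>
"""
FIXED = BROKEN.replace('/etc/httpd/cgi-bin', '/var/www/cgi-bin')

if __name__ == '__main__':
    for name, conf in (('broken', BROKEN), ('fixed', FIXED)):
        print(name, script_gets_ssl_vars('/var/www/cgi-bin/faq', conf))
```

Pass the SCRIPT_FILENAME value from the CGI environment dump as the first argument; a False result means SSL_CIPHER_USEKEYSIZE and the other mod_ssl variables will not reach that script.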