
Subject: Re: Failed uploading file to Apache HTTP Server after using SSL - msg#00037

List: apache.mod-ssl.user

FYI.

We had to choose to test that by using other versions and we found
that the problem is resolved if we downgrade to 2.0.50.

Ken

On 4/22/06, Ken Chen <chengusky@xxxxxxxxx> wrote:
> FYI.
>
> I have tried to test the upload with Firefox. But it turns out that it
> fails too. So it might not be only an MSIE issue.
>
>
>
> On 4/22/06, Ken Chen <chengusky@xxxxxxxxx> wrote:
> > Hi,
> >
> > My colleague has helped to deploy the patch and the ssl vhost has been
> > configured as follows:
> > <VirtualHost test:443>
> > DocumentRoot "/home/server/webpage"
> > ServerName 192.168.2.130:443
> > LogLevel debug
> > ErrorLog logs/ssl-error_log
> > CustomLog logs/ssl-access_log common
> >
> > BrowserMatch ".*MSIE.*" \
> > nokeepalive ssl-unclean-shutdown \
> > downgrade-1.0 force-response-1.0
> >
> > ProxyPass /eservices http://localhost:8855/eservices
> > ProxyPassReverse /eservices http://localhost:8855/eservices
> >
> > Alias /eservices-webpage/ /home/server/webpage/
> >
> > SSLEngine on
> > SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
> > SSLCertificateFile someCrt.crt
> > SSLCertificateKeyFile someKey.key
> > </VirtualHost>
> >
> > But it seems the problem remains: Page can't be displayed. I found no
> > error in the log (maybe I was not able to find it). Attached here is the
> > log from when I press upload to upload a file.
> >
> >
> > Ken
> >
> >
> > On 4/21/06, Ken Chen <chengusky@xxxxxxxxx> wrote:
> > > Joe,
> > >
> > > Do you mind telling me how to apply the patch? Type the command as follows?
> > > patch -s < xxxx.patch
> > >
> > > Do I need to stop the httpd server? or recompile or anything else?
> > >
> > > Thanks.
> > >
> > >
> > > On 4/21/06, Ken Chen <chengusky@xxxxxxxxx> wrote:
> > > > ic. Thanks so much. I will apply that patch and see what is going on
> > > > later.
> > > >
> > > >
> > > > On 4/21/06, Joe Orton <jorton@xxxxxxxxxx> wrote:
> > > > > On Fri, Apr 21, 2006 at 03:19:35PM +0800, Ken Chen wrote:
> > > > > > Hi Joe,
> > > > > >
> > > > > > We are using 2.0.55 already. Does it already include that patch?
> > > > >
> > > > > No, it will be in 2.0.56 and later. But note this only applies if you
> > > > > are using a reverse proxy, and it only affects the application of the
> > > > > BrowserMatch statement - if you don't have the BrowserMatch, it has no
> > > > > effect.
> > > > >
> > > > > joe
> > > > > ______________________________________________________________________
> > > > > Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> > > > > User Support Mailing List modssl-users@xxxxxxxxxx
> > > > > Automated List Manager majordomo@xxxxxxxxxx
> > > > >
> > > >
> > > >
> > > > --
> > > > --------------------------------------------------
> > > > Ken Chen
> > > >
> > >
> > >
> > > --
> > > --------------------------------------------------
> > > Ken Chen
> > >
> >
> >
> > --
> > --------------------------------------------------
> > Ken Chen
> >
> >
> >
>
>
> --
> --------------------------------------------------
> Ken Chen
>


--
--------------------------------------------------
Ken Chen
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@xxxxxxxxxx
Automated List Manager majordomo@xxxxxxxxxx



Next Message by Thread:

Re: Failed uploading file to Apache HTTP Server after using SSL

On Wed, Apr 26, 2006 at 01:12:50PM +0800, Ken Chen wrote:
> FYI.
>
> We had to choose to test that by using other versions and we found
> that the problem is resolved if we downgrade to 2.0.50.

Was this an exhaustive search: 2.0.51 failed but 2.0.50 worked? That
would be a little surprising: there aren't any regressions in 2.0.51
that I know of.

joe