Server :: Switching From Openssl To Gnutls For Https Traffic On Apache
Nov 3, 2010
For some years now I have been able to use openssl (apache-mod_ssl) to process encrypted traffic because I had, in effect, only one host - the main server - as the sole entry in our ssl_vhost.conf file.
Now we are working toward serving a couple of more secure sites for closely related organizations, but with their own distinct identities. This, in the past, would have meant additional static IPs with matching nic cards for starters. But my understanding is that since 2007/8 we have been able to use gnutls (apache-mod_gnutls) which gets around the old problem of Apache not being able to direct name-based traffic because that would not yet have been decoded. This is referred to as SNI - Server Name Indication.
Here my confusion begins. Is there an overlap between SSL and TLS? For instance, I would have generated RSA keys and a self-signed certificate with the genrsa command. Is this sufficient for gnutls or does it need to generate its own keys and certificates? I realize gnutls is relatively a new kid on the block but it is appealing and I'd like to give it a try.
I am working with the Mandriva/Mageia cooker with an x86_64 architecture so all packages are up-to-the-minute.
View 3 Replies
ADVERTISEMENT
May 6, 2011
I need to build an https client in 'C' language on linux platfrom and my app is a multithreaded one...in each thread it need to send a seperate https request to the same server..and receive response.... I used openssl library for this, i am able to send request to server. but when i am trying to read the socket (using SSL_Read) it's closing connection(returning 0 with error code 29).
View 3 Replies
View Related
Nov 9, 2010
We have a apache server which have a ssl certificate like www.abc.com. We hosting a website is a online giving shop which need ssl cetificate in https. website of this is www.123.com, it will redirect tow this website owner don't want to show What can I do to achieve this ? Can I use rewrite function in apache to achieve this? How? or we need to buy any other ssl certificate for www.123.com? How can I install multiple sslcertificate in one apache server?
View 4 Replies
View Related
Oct 30, 2015
How to best manage both http and https pages on the same apache-server without conflicts. For example, if i have both 000-default.conf and 000-default-ssl.conf pointing to mydomain.com, and don't want users who visit mydomain.com without specifically type the https-prefix to be redirected to the https-page - how to handle users using browserplugins such as https-everywhere etc?
Another option would be to create a subdomain ssl.mudomain.com and have users who want to reach the ssl site to have to type ssl. I have tested several things with https everywhere enabled in my own browser, and it seems really hard to make this working the way i want, in one way or another i always end up getting redirected to the ssl-site automatically.
The reason i need this to work is because i run one site that i don't care much about SSL, that is the "official" part of that site, and i also host some things for friends and family on the SSL-part. This would not have been a problem if it wasn't that i use self-signed certificates for my ssl-site and the major user become afraid when a certificate-warning pops up in their browser and therefor leave the site.
View 2 Replies
View Related
Jul 12, 2010
any plans to include (or not include) Apache Traffic Server in Squeeze?
View 1 Replies
View Related
Sep 16, 2010
We have a production web site running apache 2.2.3 across several web servers. we also have a major problem with SPAM comments right now. our method of identifying valid IPs (whether by external clients/customers, or internal personnel) vs SPAM'ers is not ideal - its prone to erroneously labeling legit IP's as targets to be blacklisted.
What we need is.. a way to see how much distinct request traffic is coming from any given IP address to the site in real time (or very near realtime). Essentially we want to see in some graphic/chart way requests per sec to apache / per ip sorted by requests per sec.Would nTop do this? I've only used this in a limited form at a branch office, not on a production web server.
View 3 Replies
View Related
Aug 11, 2011
I am trying to configure iptables for only HTTP and HTTPS traffic. I start by blocking all traffic, which works, via:
Code:
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
I then try to allow HTTP and HTTPS on eth0 with these commands, which does not work:
Code:
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Code:
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT After these commands I should be able to access the internet. Does anyone know why this is not working?
View 4 Replies
View Related
Sep 27, 2009
Recently I notice that when I'm connected to an vpn server (pptpd) and I'm using it as a default gateway my download and upload speed decreases almost to the half of the usual speed. I made a test using iptables in order to count how much GRE packets are generated (except the real traffic itself) in that way:
Code:
iptables -I INPUT -p gre -j ACCEPT
iptables -I OUTPUT -p gre -j ACCEPT
iptables -I FORWARD -s 172.16.10.101 -j ACCEPT
iptables -I FORWARD -d 172.16.10.101 -j ACCEPT
The first 2 rules match all GRE packets between the pptpd server and client, and the next rules - the traffic between the server and the client.
When I turn the counters to zero and begin to generate traffic (to browse, to download etc.) I see that the GRE packets are even more than these in the FORWARD chain.
So, my question is first of all is my test correct and is it true that so much gre traffic is being generated during the browsing (it becames clear that the traffic is double than if the pptpd wasn't used as a gateway) and if yes - can that traffic be reduced?
View 3 Replies
View Related
Apr 6, 2011
I need to redirect all http/https/ftp traffic through the remote proxy, but when I changes connection settings in browser or in System->Preferences->Network Proxy it doesn't work well: instead of getting page content browser asks for saving some short (8 bytes) file with the same content for all requested pages. It happens in Chrome/Opera/Firefox. This proxy requires authorization and works on computer with Windos XP. It worked well when I was using Windows 7 and Proxifier, now I have Ubuntu 9.10 with all available updates.
View 3 Replies
View Related
Aug 17, 2011
in order to share profiles between a Mahara and a Moodle installation I need to get OpenSSL working.
I've got OpenSSL installed on the server and followed this tutorial. However, I still get an error message saying that either OpenSSL or PHPs support for OpenSSL are missing: Could not generate a new SSL key. Are you sure that both openssl and the PHP module for openssl are installed on this machine?
What would be the next steps to actually set up the Apache server and PHP so they can use OpenSSL? (I've already specified the path to my caconfig.cnf file in Maharas config.php)
View 4 Replies
View Related
Nov 23, 2010
I was wondering if it is possible to have different certificates for different directories in a https-directory ?So what I want is that for a specificry a specific TLS-certificate is needed by the http-client to be authorized to the directory.Directory /var/www/html/secure/1 needs a certificate A.Directory /var/www/html/secure/2 need a different certificate B.So I have 1 CA, which signs the other certificates of the specific directory. The http-client gets the certificate A or certificate B (to be authenticated for secure/1 of secure/2)
View 5 Replies
View Related
Mar 7, 2011
For some of the files that I share using Apache, I want to make sure that they are served ONLY via https.
How can I configure this for Apache?
View 1 Replies
View Related
Apr 11, 2011
I am trying to get name based virtual hosts all running on HTTPS (port 443) so I can run multiple sites on the one IP.
The DocumentRoot needs to be different for each host.
[URL]
However, I am unable to find where to actually enable these hosts in the configs. The apache website says to put it in httpd.conf however that file is empty on my machine.
The existing default virtual hosts are in "/etc/apache2/sites-available/default" and "default-ssl"
The main config file is /etc/apache2/apache2.conf
I am running version 2.2.16 of apache
I need to use the same .htpasswd file for all the sites.
I have configured CNAMES on my domain for all of these hosts.
View 4 Replies
View Related
Apr 1, 2010
I have configured apache using mod_jk to front tomcat. Then I configured tomcat and my application to use https. but after that I cannot access it through https without adding port 8080 in the URL. I think I need to add some configurations to apache to cope with this situation, but I still couldn't find the proper config though I tried many.
View 4 Replies
View Related
Jan 17, 2010
I have 2 web server in my office : http and https. You will find attached the httpd.conf and ssl.conf. I can acces the https server from home, but not the http one.
What I did :
configure the router to forward port 80 to my fedora 11 machine
open port 80 with system-config-network
created a virtualhost
The same exact steps have been done for port 443
I can access both server locally but only the https server remotelly.
Here are my iptables :
Code:
you can try to acces my servers using [url]
I made httpd to listen to port 8080, and done all the port forwarding/opening stuf, and it works. so is it a bug ?
Finally found my error seams like turning off UseCanonicalName to off did the trick
I really think it's a bug now. It was definitively working last week, I just added content to the main host of my website, and now i can't acces it from port 80. If someone think it's not a bug or find someting missing/wrong in my conf file.
View 2 Replies
View Related
May 1, 2011
On one of my servers (Centos 5.5), I have been hosting articularly complex CRM application for one of my clients. Recently they have asked about configuring SSL connections to the CRM. Problem is, SSL is already configured for their main domain but not the sub-domain where the CRM application is accessed. Rather than purchasing another SSL certificate for their sub-domain (and probably another IP address),ld it be possible to setup a redirection from the subdomain to a sub-directory in the SSL directory using mod_rewrite. I have searched online and through the other posts on LinuxQuestions but nothing I have tried works.For example:[URl]
View 2 Replies
View Related
Aug 13, 2010
Has anyone successfully kickstarted a rhel/fedora/centos over HTTPS ? In other words, is it possible to do the rhel/fedora/centos install from running apache with SSL enabled?
View 1 Replies
View Related
Mar 15, 2011
I wanted to tell my server to block all traffic but US only traffic. So i followed this guide:[URL].. Now I know, it's the best way to help prevent hackers/crackers (doesn't matter to me what they are called. I just have to stop them). My server only deals with US clients anyways so might as well just start right there for my server's security before getting into the brute force and injection preventions. So I got it all done compiled everything moved to the proper directory. I then started to setup my iptables. Like so
Code: iptables -F INPUT
iptables -F OUTPUT
iptables -I INPUT 1 -s *.*.*.* -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 2 -s *.*.*.* -p tcp -j ACCEPT
[Code]...
After seeing that i went digging in the code and figured it was something todo with memory allocation.
View 1 Replies
View Related
Apr 1, 2010
I want to recompile Apache in order to be SNI supportive because I need to use ssl named based virtual host:
I referred to the following links:
[URL]
I installed the latest version of openssl which is now openssl-1.0.0 I ran the following commands:
./config enable-tlsext --prefix=/usr/local2 --openssldir=/usr/local2/openssl
make
make test
make install
then to recompile apache with new SNI support I ran the following:
./configure --enable-so --enable-ssl --enable-rewrite --enable-unique-id --with-ssl=/usr/local2/openssl
make
make install
After that when I start Apache: /usr/local/apache2/bin/apachectl -k start I get the following error:
SSLStrictSNIVHostCheck failed; OpenSSL is not built with support for TLS extensions and SNI indication. Refer to the documentation, and build a compatible version of OpenSSL.
View 11 Replies
View Related
Aug 9, 2011
I'm about to create a CSR and was reading this page in the Ubuntu docs: [URL] A couple of things:
* There's no date on the article. The documentation needs DATES because this information gets out of date! Check MySQL docs, for instance -- they are organized by version.
* The instructions for generating a cert only specify 2048 bits. I believe that's kind of out of date? The verisign site has big red warnings saying you need 2048 if you want your cert to last past 2013 -- and that article is 4 years old!
* The instructions are confusing when discussing the passphrase. We enter a passphrase only to remove it immediately. We need some clarity here. Why do this?
How to understand the current best practices for generating an HTTPS cert for apache and/or mail access?
View 6 Replies
View Related
Jul 14, 2010
I got an task assigned to me, i have to create new ssl key, csr & crt files using openssl. But the file name must be of this kind (*.aaa.xx.aa). When I tried the file name starting with * its not accepting the file name. But when I tried with the file name starting with . its getting generated.
View 1 Replies
View Related
Jan 18, 2011
I inherited a project that someone built in lampp, and I need create new SSL certs.
So I go to do so and it says that OpenSSL is not installed and to apt-get and install it.(Ubuntu by the way)
So before I did so, I wondered if it would cause any problems...since it was supposed to be part of the lampp stack.
View 3 Replies
View Related
May 22, 2011
I have set up certain portions of my web site to be forced https:// How do I force, non https:// protocols. I know this sounds confusing, so let me give you an example.
[Code]...
View 7 Replies
View Related
Feb 25, 2010
I would like to encrypt and decrypt zip file using OpenSSL keys. I have generated the keys and can encrypt normal text files but if I try to encrypt the zip file, I get error: "Error reading input Data" Following is what I have done.
generate keys:
Code:
openssl genrsa 4096 > private-key.pem
openssl rsa -pubout < private-key.pem
openssl rsa -pubout < private-key.pem > public-key.pem
encrypt the file:
Code:
openssl rsautl -encrypt -pubin -inkey public-key.pem -in test.zip test.zip.encrypted
I must use public/ private key pair (without any password) and I must use OpenSSL. But I can use any algorithm other than RSA (not sure which one to use and how).
View 3 Replies
View Related
Jun 15, 2011
i just installed debian squeeze today and i was trying to install a program and when trying to install a .deb file and i got the error message "Error: Dependency is not satisfiable: libcurl3" when i searched the repos i found "libcurl3-gnutls" is there any real diffrence between libcurl3 and libcurl3-gnutls? and is there a way i could edit the .deb installer to change the dependancy to make the program compatible with libcurl3-gnutls?
View 8 Replies
View Related
Oct 14, 2010
I am trying to solve a problem where Apache stats aren't displaying correctly in Munin. I've ran through quite a bit of checks and tests regarding Munin setup, but I think my issue is related to Apache, but my skill set there is lacking.
first, system info:
monitored server:
CentOS 5.3 2.6.18-128.1.1.el5
[code]....
View 7 Replies
View Related
Oct 29, 2009
I did this several other similar servers here today without errors. I'm not quite sure what I'm getting hung up on here.
[root@devoratech yum.repos.d]# rpm -q centos-release
centos-release-5-3.el5.centos.1
[root@devoratech yum.repos.d]# yum repolist
[code]....
View 1 Replies
View Related
Mar 8, 2011
I have a debian box running Apache2 and PHP5.2.6 lenny.
When a request is made via https, php displays the content fine. If the request is made over HTTP the file is offered for download, rather than displaying it.
I know its probably something trivial but I've never seen this issue.
The plot thickens, I can display PHP over HTTP in some directories but not others (which offer the file for download)?
View 9 Replies
View Related
Nov 10, 2010
I am using fetchmail (with ssl support) to download my e-mail. About a week ago, the downloading from two servers stopped, among them gmail.com, due to an ssl error. Usually that means updating the ssl fingerprint in fetchmail.conf, and when I wanted to do this I discovered that there seems to a issue with openssl.
When I do openssl s_client -connect pop.gmail.com:995 -showcerts I now get an error
server:> openssl s_client -connect pop.gmail.com:995 -showcerts
CONNECTED(00000003) 5448:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
Ubuntu 8.04 (2.6.24-28-server #1 SMP Sat Oct 16 17:53:34 UTC 2010 i686 GNU/Linux)OpenSSL 0.9.8g 19 Oct 2007
Can anybody explain to me what the error means and how to fix it?
View 1 Replies
View Related
Jan 12, 2010
How to start https on FC10?[root@smartgateway conf]# openssl versionOpenSSL 0.9.8g 19 Oct 2007
View 1 Replies
View Related
