httpd-users mailing list archives

From "Daniel R. Blair" <joeca...@realcoders.org>
Subject Re: [users@httpd] Problems with SSL All of a Sudden
Date Sun, 25 May 2003 17:09:45 GMT
On Sun, 25 May 2003, Zac Stevens wrote:

> > That's what I was thinking, but, my Boss doesn't want to "touch anything
> > that's not necessary right now" so, I don't think it would be well
> > received, although may inevitably be done soon.
>
> Yeah, I've been in that situation before.  To be honest, I haven't used SSL
> with Apache 2 so I'm not sure whether the security holes affect it or only
> Apache 1.3.  Assuming that the vulnerability is common to both, you run the
> risk of infection by the 'Slapper' worm, or a root compromise via one of
> the other SSL-based exploits.  Perhaps you may have more luck if you
> explain to your boss that leaving things as-is may result in "secure" data
> being stolen or destroyed?

I might just take that approach, given his obsessive way of thinking about
things like security, etc.

> There's no right or wrong way to define it, as long as it works :)  Just a
> few different approaches.  I'm not sure whether you're aware of this, but
> the "0.0.0.0" address can be read as "all addresses".  That is, when you
> see 0.0.0.0:443 in the netstat output, it means that something is bound to
> port 443 on *every* address you have configured on your system.

That's what I thought... that's ok because the system only has one public
(internet) address.. so, that's fine.. and that's what I usually interpret
0.0.0.0(*) to indicate is that it's on all/any address(es).. thanks for
the clarification/warning though.

> The other way you might have configured Apache involves listing the actual
> IP address in the Listen statement - ie "Listen 216.24.170.247:443".
>
> There are arguments for and against both approaches - the reason I asked
> was to make sure that the Apache configuration you're using does match what
> is happening on your system.

Gotcha.  Well, it is set to "Listen 80\nListen 443" so, I am pretty sure
that it does match what is happening on my system..

> > user list?  As in allowed users?  Not that I know of, but I will check..
>
> Sorry, I meant a user support list - ie, email :)  There is a modssl-users
> email list mentioned on www.modssl.org, however I'm not sure whether this
> is also appropriate for Apache 2.

Yeah, I am aware of it.. I even subscribed to it when I subscribed to the
Apache HTTPD list and for some reason it didn't subscribe me properly...
so, I'll try again and see if anything happens..  thanks though.

> > Zac, how would I go about doing this, if you don't mind me asking?
>
> Unfortunately, now that I've looked at this further I seem to have led you
> astray.  In Apache 1.3's mod_ssl, there were two logging directives -
> SSLLog, and SSLLogLevel.  Documentation for them can be found here:
> 	http://www.modssl.org/docs/2.8/ssl_reference.html#ToC19
>
> Unfortunately, I can't find any reference to either of those in the Apache
> 2.0 documentation.  In fact, nothing related to debugging SSL problems at
> all.  I believe that the 2.0 module started life as, more or less, a port
> from the 1.3 module, so this omission is surprising.

Meaning that there should be documentation and it's not there yet, which
is surprising to you?

> > Thanks a lot, your help is GREATLY appreciated,
>
> No problem - although it seems to be less useful than I first thought!

Well, it has been a help in establishing that at least it's not something in
the configuration that's the problem.. and your time is appreciated more
than anything.. I really do want to thank you for taking your time in
helping me deal with this..

Take care,

Danny

                           = Daniel Blair =
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- dblair@realcoders.org -                   [http://www.realcoders.org]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
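
Added example (not part of the original message, and not Apache project code): a check that each Listen directive is backed by a listening socket, treating 0.0.0.0 as "all addresses" the way the thread describes. The config fragment, the netstat-style lines and the 192.0.2.10 address are constructed sample input.

```python
import re

# Constructed sample input (not from the thread): a config fragment and
# `netstat -ltn`-style lines. 192.0.2.10 is a documentation address.
HTTPD_CONF = """\
Listen 80
Listen 443
Listen 192.0.2.10:8443
"""
NETSTAT = """\
tcp        0      0 0.0.0.0:80        0.0.0.0:*      LISTEN
tcp        0      0 0.0.0.0:443       0.0.0.0:*      LISTEN
tcp        0      0 127.0.0.1:8443    0.0.0.0:*      LISTEN
"""
WILDCARD = "0.0.0.0"  # "all addresses", as explained in the thread

def parse_listen(conf):
    """Return {(addr, port)} from Listen directives; a bare port means all addresses."""
    out = set()
    for line in conf.splitlines():
        m = re.match(r"\s*Listen\s+(?:(\d+\.\d+\.\d+\.\d+):)?(\d+)(?:\s|$)", line, re.I)
        if m:
            out.add((m.group(1) or WILDCARD, int(m.group(2))))
    return out

def parse_netstat(text):
    """Return {(addr, port)} for IPv4 TCP sockets in LISTEN state."""
    out = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "tcp" and f[5] == "LISTEN":
            addr, _, port = f[3].rpartition(":")
            out.add((addr, int(port)))
    return out

def unmatched_listens(conf, netstat):
    """Listen directives with no socket bound to that address or to the wildcard."""
    bound = parse_netstat(netstat)
    return sorted(
        (a, p) for a, p in parse_listen(conf)
        if (a, p) not in bound and (WILDCARD, p) not in bound
    )

if __name__ == "__main__":
    for addr, port in unmatched_listens(HTTPD_CONF, NETSTAT):
        print(f"Listen {addr}:{port} has no matching listening socket")
```

In the sample, ports 80 and 443 match the wildcard sockets, while the 8443 directive is flagged because the only socket on that port is bound to loopback.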

