To ask a different way, and potentially simplify the question-
On Apache 1.3.x webserver, when I specify the following cipher suite config
using:
SSLCipherSuite NULL:eNULL
Apache demands a certificate and keyfile, even though the only valid request is
for NULL.
So, the question is, what is the format for NULL certificate files and key
files? How do I generate them?
Thanks,
josh
Josh Wyatt wrote:
Spil Oss wrote:
Hi Josh,
When you say "https is hard-coded as the beginning of all URLs" you
mean that that is done in all pages that the webserver generates? In
that case you might just address oapache using http, and in apache2's
config ProxyPass / http://localhost/.
Kind Regards,
Spil
Hi Spil,
Thank you for your response.
Actually, the logic goes something like this:
1. End-human requests a report from the application server.
2. The request is handed off to a report server;
3. the report server generates the report himself via a special URL on
the webserver;
4. The report retrieval URL is then mangled for security reasons, and
sent back to the end-human
5. a new browser window pops up for the end-human, and retrieves the
report via mangled URL.
Now, step 3 uses a "hidden" internal URL which gets mangled later on in
step 4. This mangling action doesn't happen unless SSL is enabled on
oapache.
Sounds complicated, and I'm sure R. Goldberg had a hand in this. But
stage 3 requires SSL.
Thanks,
Josh
On 18/09/06, Josh Wyatt <[EMAIL PROTECTED]> wrote:
Joshua Slive wrote:
> On 9/16/06, Josh Wyatt <[EMAIL PROTECTED]> wrote:
>> I'd like to use NULL authentication, ciphers, etc to reduce the
>> proxyapache <-> oapache SSL overhead. How can I configure oapache and
>> proxyapache to use NULL for authentication, ciphers, etc?
>
>
> I don't know the answer to that. I suspect it is impossible without
> modifying the configuration of oapache to accept null ciphers.
>
> But in any case, this is silly. Why not just configure oapache to use
> ordinary http instead?
>
> Joshua.
I agree it's silly that SSL is required. But it truly is for this
application (https is hard-coded as the beginning of all URLs), and
it's a COTS application, so we can't change that bit.
Now, I absolutely DO have control over oapache's configuration. And
as I stated in my initial post, I already tried specifying NULL
ciphers with. Quoting my initial post:
'SSLProxyCipherSuite NULL' on proxyapache, and 'SSLCipherSuite NULL'
on oapache. In oapache's logfiles I get:
[Fri Sep 15 22:00:51 2006] [error] mod_ssl: SSL handshake failed
(server oapache:8888, client proxyapache) (OpenSSL library error
follows)
[Fri Sep 15 22:00:51 2006] [error] OpenSSL: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher [Hint: Too
restrictive SSLCipherSuite or using DSA server certificate?]
Any help you can provide would be greatly appreciated.
Thanks,
Josh
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------