Re: Amiga Apache-SSL??!

[sudog%dcss.douglas.bc.ca@localhost]

I have managed to compile an Apache-SSL secure server which works great
(with Netscape at least--I haven't tried it with anything else). What I
was forced to do because strlen, strcat both will core dump if fed a zero
value (problem in kernel?) is rewrite a very small portion of
ERR_add_error_data() in ./crypto/err/err.c in the SSLeay-0.9.0 source. In
each strlen() and strcat() case (there are only two of them) I just added
a wrapper if() statement which checked to see if (a) was non-zero. The
functions would be returning a zero if they DID work properly, so the
overall impact is virtually nil.

Unfortunately, this is more of a kludge than anything else. I think that
there may be a problem with the variable argument handling in SSLeay.. why
would the final argument returned by VAR_ARG be a zero? It's almost as if
VAR_INIT is saying there is one more argument than there really is and
mucking up the for() loop.

In any case, that is *pretty much* all I had to do to get things working.
I then rebuilt the libcrypto.a library, and consequently rebuilt the
httpsd object to include the newer library. Wow that sucker's huge! 2+ MB!

I have to change the (source?) to allow me to put the SSL logfiles and
the conf/mime.types somewhere OTHER than /usr/local/etc/httpd. That part
is obnoxious. It's almost as if the rest of the configuration options of
Apache_1.2.6 get turned off by the apache_ssl source patches. Blah!

Also, on a side note, telling it to simply "GET" when it's an SSL-based
server won't work. Of course it closes the connection--you're not
connecting with an SSL-aware client. Try lynx with the https patches
installed or Netscape or MSIE. If you were connecting to the
"https-disabled port" and you had configured it that way in the
httpsd.conf, then something's wrong--that part I won't even try to track
down.

And oh yea--turn off the "required-ciphers" part and relax the encryption
requirements.. most people don't have Fortify or the 128-bit MSIE patch.

Just a hint of advice: for the regular stuff, use a regular Apache.
It's about 1/10th the size and far more appropriate for regular http
serving. 

I'm using NetBSD1.3--the original release. I don't think NetBSD is the
problem here.

With SSLeay-0.9.0, and apache_1.2.6+ssl_1.16 I got no warnings during the
compile. With SSLeay-0.9.0, "./Configure gcc", I got absolutely no
warnings at all, and all the test programs ran perfectly.

> You've obviously spent more time than I with the problem, but I've the
> same problem. I also first tried SSLeay-0.8.0, that one worked, but gave
> me a very secure server indeed, it immediately closed the connection
> upon any HTTP/1.x GET command. Which NetBSD version are you using? I'm
> using version 1.3, but consider upgrading to 1.3.1 or 1.3.2 since it
> seems to be near now. I got some warnings when compiling, did you? Also,
> the https server doesn't recognise the SSL-cache commands.
> 
> How did you configure SSLeay? I used ./Configure gcc.