Apache1.3.3 + Apache-SSL mod + fp-apache mod

Post by Matthew H. Nort » Wed, 18 Nov 1998 04:00:00


We are currently working on integrating our successful Apache+SSL and
Apache+FP servers together, to create a hybrid Apache+SSL+FP server.
We've done this, with the source compiling and binaries running without
flaw, however, we cannot get FP extension calls to work when called
through an https: reference.  The FP server works fine.  The SSL server
works fine.  But, if you're on a page with frontpage content, accessed
through an https: reference, and you click on one of the FP controls,
the following error is returned to the client's browser:

FrontPage Error.

User: please report details to this site's webmaster.

Webmaster: please see the server's system log for more details.

No error is reported in the server log.  This error is returned by the
FP extension being called (as we found out through some digging around).

I've done some digging in the Apache+FP+SSL source code, and I managed
to trace the code to the point where the FP extensions are called by the
server.  Specifically, I've added some debug code to dump the exact exec
call that's made to call the fpexe suid wrapper (which then calls
whichever fp extension is needed), and the entire environment variable
list at the time.  I've done this for both successful Apache+FP and
unsuccessful Apache+FP+SSL.  The ONLY differences between the two
environments are the addition, in the SSL server, of some extra
environment variables that are SSL specific (HTTPS, HTTPS_CIPHER,
SSL_SSLEAY_VERSION).  These are all passed to fpexe when called through
SSL, along with all the other normal env vars that are passed to fpexe
during a working non-SSL call.  So one might come to the conclusion
that these extra env vars throw up some warning flags in the fp
extensions themselves.

So, I began looking at the source to the only component of the FP
extensions that the source is available for, fpexe.  It does some
environment cleanup before calling any extensions, to make the
environment as secure as possible before calling the required
extension.  If anything doesn't fit, the call is not made.  In this
code, there is a routine that compares the environment to a structure
containing a set of acceptable environment variables to pass to the
extension being called.  This structure did not contain HTTPS* and SSL_*
as one might think it would need to.  As a result, the extension being
called was called without any of the HTTPS* or SSL_* env vars passed to
it.  One might come to the conclusion that this was the source of
the problem.  So, I went ahead and added these env vars to the
acceptable list, recompiled and tested.  No luck.  Upon further
supposition, it follows that if the HTTPS* and SSL_* env vars weren't
being passed to the extension, AND they constitute the only difference
between the SSL and non-SSL calls to the extension, that the SSL call
would be, in effect, identical to the non-SSL call.  If this is the
case, it should work fine!

Furthermore, I *know* the requested extension *is* being executed
because the error returned to the client's browser is ONLY contained in
the shtml.exe executable (which is the extension we've been calling for
testing purposes).  The only way this gets called is if fpexe completes
its security checks, and continues with the exec of the shtml.exe
executable.  And, to take it one step farther, the shtml.exe that is
called is actually a stub executable in the user's web directory.  It
calls a base shtml.exe executable in
/usr/local/frontpage/currentversion/exes/_vti_bin/shtml.exe.  I know the
stub is calling the base shtml.exe because the error message returned
to the client's browser is not contained in the stub executable, but is
in the base executable.

So, I've come to the conclusion that the shtml.exe extension is seeing
something in the environment (be it environment variables, lock files,
whatever), that it doesn't like, and is failing based on that.  What I
need to know is: what is it that it's seeing that's causing it to fail?

Any comments are appreciated.

Matthew H. North
Technical Support Supervisor
   ___  ____  ___

 /__    /   ___/  Services | Fax 619/637-3630 | WWW: http://www.cts.com
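
The environment allowlisting described in the post above, as an added example that is not part of the original post and is not fpexe's source. The allowlist contents, the function names and the sample environment are constructed for illustration; it shows why HTTPS* and SSL_* entries never reach the child process until matching prefixes are added to the allowlist.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlists for illustration; not fpexe's actual tables. */
static const char *const base_exact[]  = { "PATH", "REQUEST_METHOD", "SERVER_NAME", NULL };
static const char *const base_prefix[] = { "HTTP_", NULL };
static const char *const ssl_prefix[]  = { "HTTP_", "HTTPS", "SSL_", NULL };

/* Constructed sample environment, as a server might hand it to the wrapper. */
static char *sample_env[] = {
    "PATH=/bin:/usr/bin", "REQUEST_METHOD=POST", "HTTP_HOST=www.example.com",
    "HTTPS=on", "HTTPS_CIPHER=RC4-MD5", "SSL_SSLEAY_VERSION=SSLeay 0.9.0",
    "LD_PRELOAD=/tmp/x.so", "=bogus", NULL
};

/* Return 1 if a "NAME=value" entry matches an exact name or a name prefix. */
static int env_allowed(const char *entry, const char *const *exact, const char *const *prefix) {
    const char *eq = strchr(entry, '=');
    if (eq == NULL || eq == entry) return 0;   /* no name: reject */
    size_t nlen = (size_t)(eq - entry);
    for (; *exact; exact++)
        if (strlen(*exact) == nlen && strncmp(entry, *exact, nlen) == 0) return 1;
    for (; *prefix; prefix++) {
        size_t plen = strlen(*prefix);
        if (plen <= nlen && strncmp(entry, *prefix, plen) == 0) return 1;
    }
    return 0;                                  /* default deny */
}

/* Copy permitted entries into out[] (NULL-terminated); return how many were kept. */
size_t filter_env(char *const *envp, char **out, const char *const *exact, const char *const *prefix) {
    size_t k = 0;
    for (; *envp; envp++)
        if (env_allowed(*envp, exact, prefix)) out[k++] = *envp;
    out[k] = NULL;
    return k;
}

/* Entries of the sample that survive a given allowlist. */
size_t count_kept(const char *const *exact, const char *const *prefix) {
    char *out[sizeof sample_env / sizeof sample_env[0]];
    return filter_env(sample_env, out, exact, prefix);
}

int main(void) {
    printf("kept without SSL prefixes: %zu, with: %zu\n",
           count_kept(base_exact, base_prefix), count_kept(base_exact, ssl_prefix));
    return 0;
}
```

Because the filter is default-deny, the loader variable and the malformed entry are dropped under both allowlists; only the three SSL-related entries change between the two runs.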


1. Apache-ssl or mod-ssl?

Hello there!

I'm trying to host ssl site on my apache httpd, now the big question
is .. should I use apache-ssl or mod-ssl?

what is better for security? and why apache has got two derivatives
.... ? is that apache-ssl for a complete replacement of apache httpd?
or the mod-ssl can be used with any apache 1.3 httpd? Who provides the
128 bit encryption?

I went to both ... apache-ssl.org and modssl.org .... it's really
confusing :(

Any ideas?


Raqueeb Hassan
