[AWS] SSL questions

Jessica et Vincent Tourvieille jv@tourvieille.org
Mon, 5 Jan 2004 00:10:49 -0800


Greetings!

I am trying to set up an AWS-based secure server and here are
the following problems (and associated questions) I have:

1) When installing AWS in the /usr/local/... directory,
libz.a did not end up being copied
to the lib directory; I had to copy it manually.
Would that be a makefile bug, or is this file
simply not needed?

2) When building AWS, the secure part of the
runme demo does behave as expected.
However, after installing AWS (in the usr/local/Ada/AWS... directory),
it was quite a challenge to find the appropriate command line
(it would be helpful to display the command line being used to compile the
demos; even DEBUG=1 does not display it).

So I tried the following:
(my program uses the gnade ODBC features)
(Note that I get the same result whether
my_program.adb is the runme demo or my own program,
I tried both with each command line)

gnatmake my_program.adb \
-I/usr/local/Ada/AWS/aws-1.4/AWS/include \
-I/usr/local/Ada/AWS/aws-1.4/AWS/components \
-aI/usr/local/Ada/gnade/cvs_snapshot_27_12_2003/gnade/lib/ada \
-aO/usr/local/Ada/gnade/lib/ \
-bargs -E -largs \
-L/usr/local/Ada/AWS/aws-1.4/AWS/lib -laws \
-lz -lssl -lcrypto \
-L/usr/local/Ada/gnade/cvs_snapshot_27_12_2003/gnade/lib/ \
-lodbc

When I run my program, this is the output I get:

-- Beginning of output
I'm on the port 1234
press Q key if you want me to stop.
Execution terminated by unhandled exception
Exception name: PROGRAM_ERROR
Message: AWS has been configured without SSL support.
Call stack traceback locations:
0x817f7ab 0x8166657 0x816677a
-- end of output

But if I remove the "-laws" from the command, my program
runs fine. Now the only problem is that with my switches,
all my aws* ali and object files are in the local directory.
To avoid this I followed the AWS user guide
and changed the command to:

gnatmake my_program.adb \
-aI/usr/local/Ada/AWS/aws-1.4/AWS/include \
-I/usr/local/Ada/AWS/aws-1.4/AWS/components \
-aO/usr/local/Ada/AWS/aws-1.4/AWS/lib \
-aI/usr/local/Ada/gnade/cvs_snapshot_27_12_2003/gnade/lib/ada \
-aO/usr/local/Ada/gnade/cvs_snapshot_27_12_2003/gnade/lib/ \
-bargs -E -largs \
-L/usr/local/Ada/AWS/aws-1.4/AWS/lib -laws \
-lz -lssl -lcrypto \
-L/usr/local/Ada/gnade/cvs_snapshot_27_12_2003/gnade/lib/ \
-lodbc

NOTE that there is still the -laws.

And I get the same exception:

-- Begin output
I'm on the port 1234
press Q key if you want me to stop.
Execution terminated by unhandled exception
Exception name: PROGRAM_ERROR
Message: AWS has been configured without SSL support.
Call stack traceback locations:
0x8126d1f 0x810ddaf 0x810ded2
-- end output

But if I remove the -laws I get a compilation error:

-- begin extract of output
b~my_program.o(.text+0x482): In function `adainit':
: undefined reference to `aws__config_E'
b~my_program.o(.text+0x48d): In function `adainit':
: undefined reference to `aws__config___elabs'
b~my_program.o(.text+0x493): In function `adainit':
: undefined reference to `aws__config_E'
b~my_program.o(.text+0x49a): In function `adainit':
: undefined reference to `aws__config__set_E'
b~my_program.o(.text+0x4a0): In function `adainit':
: undefined reference to `aws__net_E'
...
./my_program.o(.text+0x7dd): In function `_ada_my_program':
: undefined reference to `aws__server__shutdown'
gnatlink: cannot call /usr/local/Ada/Gnat/bin/real/gcc
gnatmake: *** link failed.
-- end of output

So when I force gnatmake to use the object and ALI files
that I installed previously, then it says that AWS
is configured without SSL support. But when I built
AWS, I have made sure that in makefile.conf, the MODE
is set to ssl.

In summary the only command line that enables me to run
successfully is the one without -laws and that recompiles
the AWS library.

Would you have any idea why this is happening?
(I would welcome an explanation about the meaning of the -laws flag
too, since I am a bit lost!)

3) Attempt to generate a self-signed certificate:
Using the successful command line above and the AWS-provided
certificate, I can run the secure server successfully.
However, when I try to generate my own self-signed certificate
(my ultimate goal is to have a CA-approved one) following the methods
described in http://www.openssl.org/docs/HOWTO/
I get the "No Common Encryption Algorithm" error from my Mozilla browser
(the Opera browser simply does not say nor load anything, while Internet
Explorer gives "page not found").

(I tried keys generated with and without a password, same result).

Did you generate your self-signed certificate differently than what is
described in the URL above, or do you have any hint for me?

4) Would AWS support a certificate protected by a password?
(In the Apache case, I think you get prompted for the
password when starting the server.)

5) Would AWS support chained certificates?
(I just read that those are harder to set up, so I am
just asking; I didn't do much research.)

6) I am using Mandrake 9.2, with a security level of "higher"
(the one advised for using the machine as a server).
To run a server on ports 80 or 443, the program has to be started as root.
(The question is not really AWS specific.) Isn't running a server as root
a security problem rather than a good thing?
What can I do to be allowed to start my process on port 80
or 443 as a normal user?

Thank you very much!

Vincent