1 <?xml version="1.0" encoding="ISO-8859-1"?>
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5 This file is generated from xml source: DO NOT EDIT
6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7 --><title>SSL/TLS Strong Encryption: FAQ - Apache HTTP Server</title><link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" /><link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" /><link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link href="../images/favicon.ico" rel="shortcut icon" /></head><body id="manual-page"><div id="page-header"><p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p><p class="apache">Apache HTTP Server Version 2.1</p><img alt="" src="../images/feather.gif" /></div><div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div><div id="path"><a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs-project/">Documentation</a> > <a href="../">Version 2.1</a> > <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: FAQ</h1>
9 <p>The wise man doesn't give the right answers,
10 he poses the right questions.</p>
11 <p class="cite">-- <cite>Claude Levi-Strauss</cite></p>
14 <p>This chapter is a collection of frequently asked questions (FAQ) and
15 corresponding answers following the popular USENET tradition. Most of these
16 questions occured on the Newsgroup <code><a href="news:comp.infosystems.www.servers.unix">comp.infosystems.www.servers.unix</a></code> or the mod_ssl Support
17 Mailing List <code><a href="mailto:modssl-users@modssl.org">modssl-users@modssl.org</a></code>. They are collected at this place
18 to avoid answering the same questions over and over.</p>
20 <p>Please read this chapter at least once when installing mod_ssl or at least
21 search for your problem here before submitting a problem report to the
23 </div><div id="quickview"><ul id="toc"><li><img alt="" src="../images/down.gif" /> <a href="#about">About The Module</a></li><li><img alt="" src="../images/down.gif" /> <a href="#installation">About Installation</a></li><li><img alt="" src="../images/down.gif" /> <a href="#aboutconfig">About Configuration</a></li><li><img alt="" src="../images/down.gif" /> <a href="#aboutcerts">About Certificates</a></li><li><img alt="" src="../images/down.gif" /> <a href="#aboutssl">About SSL Protocol</a></li><li><img alt="" src="../images/down.gif" /> <a href="#support">About Support</a></li></ul></div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="about" id="about">About The Module</a></h2>
25 <li><a href="#history">What is the history of mod_ssl?</a></li>
26 <li><a href="#y2k">mod_ssl and Year 2000?</a></li>
27 <li><a href="#wassenaar">mod_ssl and Wassenaar Arrangement?</a></li>
30 <h3><a name="history" id="history">What is the history of mod_ssl?</a></h3>
31 <p>The mod_ssl v1 package was initially created in April 1998 by <a href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> via porting <a href="mailto:ben@algroup.co.uk">Ben Laurie</a>'s <a href="http://www.apache-ssl.org/">Apache-SSL</a> 1.17 source patches for
32 Apache 1.2.6 to Apache 1.3b6. Because of conflicts with Ben
33 Laurie's development cycle it then was re-assembled from scratch for
34 Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL
35 1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The
36 first publically released version was mod_ssl 2.0.0 from August 10th,
37 1998. As of this writing (August 1999) the current mod_ssl version
41 <p>After one year of very active development with over 1000 working hours and
42 over 40 releases mod_ssl reached its current state. The result is an
43 already very clean source base implementing a very rich functionality.
44 The code size increased by a factor of 4 to currently a total of over
45 10.000 lines of ANSI C consisting of approx. 70% code and 30% code
46 documentation. From the original Apache-SSL code currently approx. 5% is
49 <p>After the US export restrictions for cryptographic software were
50 opened, mod_ssl was integrated into the code base of Apache V2 in 2001.</p>
53 <h3><a name="y2k" id="y2k">Is mod_ssl Year 2000 compliant?</a></h3>
54 <p>Yes, mod_ssl is Year 2000 compliant.</p>
56 <p>Because first mod_ssl internally never stores years as two digits.
57 Instead it always uses the ANSI C & POSIX numerical data type
58 <code>time_t</code> type, which on almost all Unix platforms at the moment
59 is a <code>signed long</code> (usually 32-bits) representing seconds since
60 epoch of January 1st, 1970, 00:00 UTC. This signed value overflows in
61 early January 2038 and not in the year 2000. Second, date and time
62 presentations (for instance the variable ``<code>%{TIME_YEAR}</code>'')
63 are done with full year value instead of abbreviating to two digits.</p>
66 <p>Additionally according to a <a href="http://www.apache.org/docs/misc/FAQ.html#year2000">Year 2000
67 statement</a> from the Apache Group, the Apache webserver is Year 2000
68 compliant, too. But whether OpenSSL or the underlaying Operating System
69 (either a Unix or Win32 platform) is Year 2000 compliant is a different
70 question which cannot be answered here.</p>
73 <h3><a name="wassenaar" id="wassenaar">What about mod_ssl and the Wassenaar Arrangement?</a></h3>
74 <p>First, let us explain what <dfn>Wassenaar</dfn> and its <dfn>Arrangement on
75 Export Controls for Conventional Arms and Dual-Use Goods and
76 Technologies</dfn> is: This is a international regime, established 1995, to
77 control trade in conventional arms and dual-use goods and technology. It
78 replaced the previous <dfn>CoCom</dfn> regime. 33 countries are signatories:
79 Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech Republic,
80 Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan,
81 Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Republic
82 of Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden,
83 Switzerland, Turkey, Ukraine, United Kingdom and United States. For more
84 details look at <a href="http://www.wassenaar.org/">http://www.wassenaar.org/</a>.</p>
87 <p>In short: The aim of the Wassenaar Arrangement is to prevent the build up
88 of military capabilities that threaten regional and international security
89 and stability. The Wassenaar Arrangement controls the export of
90 cryptography as a dual-use good, i.e., one that has both military and
91 civilian applications. However, the Wassenaar Arrangement also provides an
92 exemption from export controls for mass-market software and free software.</p>
94 <p>In the current Wassenaar <cite>List of Dual Use Goods and Technologies And
95 Munitions</cite>, under <q>GENERAL SOFTWARE NOTE (GSN)</q> it says
96 <q>The Lists do not control "software" which is either: 1. [...] 2. "in
97 the public domain".</q> And under <q>DEFINITIONS OF TERMS USED IN
98 THESE LISTS</q> one can find the definition: <q>In the public
99 domain": This means "technology" or "software" which has been made
100 available without restrictions upon its further dissemination. N.B.
101 Copyright restrictions do not remove "technology" or "software" from being
102 "in the public domain".</q></p>
104 <p>So, both mod_ssl and OpenSSL are <q>in the public domain</q> for the purposes
105 of the Wassenaar Agreement and its <q>List of Dual Use Goods and
106 Technologies And Munitions List</q>.</p>
109 <p>Additionally the Wassenaar Agreement itself has no direct consequence for
110 exporting cryptography software. What is actually allowed or forbidden to
111 be exported from the countries has still to be defined in the local laws
112 of each country. And at least according to official press releases from
113 the German BMWi (see <a href="http://www.bmwi.de/presse/1998/1208prm2.html">here</a>) and the
114 Switzerland Bawi (see <a href="http://jya.com/wass-ch.htm">here</a>) there
115 will be no forthcoming export restriction for free cryptography software
116 for their countries. Remember that mod_ssl is created in Germany and
117 distributed from Switzerland.</p>
119 <p>So, mod_ssl and OpenSSL are not affected by the Wassenaar Agreement.</p>
121 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="installation" id="installation">About Installation</a></h2>
123 <li><a href="#coredump">Core dumps for HTTPS requests?</a></li>
124 <li><a href="#mutex">Permission problem on SSLMutex</a></li>
125 <li><a href="#mm">Shared memory and process size?</a></li>
126 <li><a href="#mmpath">Shared memory and pathname?</a></li>
127 <li><a href="#entropy">PRNG and not enough entropy?</a></li>
130 <h3><a name="coredump" id="coredump">When I access my website the first time via HTTPS I get a core dump?</a></h3>
131 <p>There can be a lot of reasons why a core dump can occur, of course.
132 Ranging from buggy third-party modules, over buggy vendor libraries up to
133 a buggy mod_ssl version. But the above situation is often caused by old or
134 broken vendor DBM libraries. To solve it either build mod_ssl with the
135 built-in SDBM library (specify <code>--enable-rule=SSL_SDBM</code> at the
136 APACI command line) or switch from <code>SSLSessionCache dbm:</code> to the
137 newer <code>SSLSessionCache shm:</code>'' variant (after you have rebuilt
138 Apache with MM, of course).</p>
141 <h3><a name="mutex" id="mutex">When I startup Apache I get permission errors related to SSLMutex?</a></h3>
142 <p>When you receive entries like ``<code>mod_ssl: Child could not open
143 SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows)
144 [...] System: Permission denied (errno: 13)</code>'' this is usually
145 caused by to restrictive permissions on the <em>parent</em> directories.
146 Make sure that all parent directories (here <code>/opt</code>,
147 <code>/opt/apache</code> and <code>/opt/apache/logs</code>) have the x-bit
148 set at least for the UID under which Apache's children are running (see
149 the <code class="directive"><a href="../mod/mpm_common.html#user">User</a></code> directive of Apache).</p>
152 <h3><a name="mm" id="mm">When I use the MM library and the shared memory cache each process grows
153 1.5MB according to `top' although I specified 512000 as the cache size?</a></h3>
154 <p>The additional 1MB are caused by the global shared memory pool Apache
155 allocates for all modules and which is not used by mod_ssl for
156 various reasons. So the actually allocated shared memory is always
157 1MB more than what you specify on <code class="directive"><a href="../mod/mod_ssl.html#sslsessioncache">SSLSessionCache</a></code>.
158 But don't be confused by the display of `top': although is
159 indicates that <em>each</em> process grow, this is not reality, of
160 course. Instead the additional memory consumption is shared by
161 all processes, i.e. the 1.5MB are allocated only once per Apache
162 instance and not once per Apache server process.</p>
165 <h3><a name="mmpath" id="mmpath">Apache creates files in a directory declared by the internal
166 EAPI_MM_CORE_PATH define. Is there a way to override the path using a
167 configuration directive?</a></h3>
168 <p>No, there is not configuration directive, because for technical
169 bootstrapping reasons, a directive not possible at all. Instead
170 use ``<code>CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"'
171 ./configure ...</code>'' when building Apache or use option
172 <code>-d</code> when starting <code>httpd</code>.</p>
175 <h3><a name="entropy" id="entropy">When I fire up the server, mod_ssl stops with the error
176 "Failed to generate temporary 512 bit RSA private key", why?</a></h3>
177 <p>Cryptographic software needs a source of unpredictable data
178 to work correctly. Many open source operating systems provide
179 a "randomness device" that serves this purpose (usually named
180 <code>/dev/random</code>). On other systems, applications have to
181 seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with
182 appropriate data before generating keys or performing public key
183 encryption. As of version 0.9.5, the OpenSSL functions that need
184 randomness report an error if the PRNG has not been seeded with
185 at least 128 bits of randomness. So mod_ssl has to provide enough
186 entropy to the PRNG to work correctly. For this one has to use the
187 <code>SSLRandomSeed</code> directives.</p>
189 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="aboutconfig" id="aboutconfig">About Configuration</a></h2>
191 <li><a href="#parallel">HTTP and HTTPS with a single server?</a></li>
192 <li><a href="#ports">Where is the HTTPS port?</a></li>
193 <li><a href="#httpstest">How to test HTTPS manually?</a></li>
194 <li><a href="#hang">Why does my connection hang?</a></li>
195 <li><a href="#refused">Why do I get connection refused?</a></li>
196 <li><a href="#envvars">Why are the <code>SSL_XXX</code> variables missing?</a></li>
197 <li><a href="#relative">How to switch with relative hyperlinks?</a></li>
200 <h3><a name="parallel" id="parallel">Is it possible to provide HTTP and HTTPS with a single server?</a></h3>
201 <p>Yes, HTTP and HTTPS use different server ports, so there is no direct
202 conflict between them. Either run two separate server instances (one binds
203 to port 80, the other to port 443) or even use Apache's elegant virtual
204 hosting facility where you can easily create two virtual servers which
205 Apache dispatches: one responding to port 80 and speaking HTTP and one
206 responding to port 443 speaking HTTPS.</p>
209 <h3><a name="ports" id="ports">I know that HTTP is on port 80, but where is HTTPS?</a></h3>
210 <p>You can run HTTPS on any port, but the standards specify port 443, which
211 is where any HTTPS compliant browser will look by default. You can force
212 your browser to look on a different port by specifying it in the URL like
213 this (for port 666): <code>https://secure.server.dom:666/</code></p>
216 <h3><a name="httpstest" id="httpstest">How can I speak HTTPS manually for testing purposes?</a></h3>
217 <p>While you usually just use</p>
219 <div class="example"><p><code>$ telnet localhost 80<br />
220 GET / HTTP/1.0</code></p></div>
223 <p>for simple testing the HTTP protocol of Apache, it's not so easy for
224 HTTPS because of the SSL protocol between TCP and HTTP. But with the
225 help of OpenSSL's <code>s_client</code> command you can do a similar
226 check even for HTTPS:</p>
228 <div class="example"><p><code>$ openssl s_client -connect localhost:443 -state -debug<br />
229 GET / HTTP/1.0</code></p></div>
231 <p>Before the actual HTTP response you receive detailed information about the
232 SSL handshake. For a more general command line client which directly
233 understands both the HTTP and HTTPS scheme, can perform GET and POST
234 methods, can use a proxy, supports byte ranges, etc. you should have a
235 look at nifty <a href="http://curl.haxx.nu/">cURL</a>
236 tool. With it you can directly check if your Apache is running fine on
237 Port 80 and 443 as following:</p>
239 <div class="example"><p><code>$ curl http://localhost/<br />
240 $ curl https://localhost/</code></p></div>
243 <h3><a name="hang" id="hang">Why does the connection hang when I connect to my SSL-aware Apache server?</a></h3>
244 <p>Because you connected with HTTP to the HTTPS port, i.e. you used an URL of
245 the form ``<code>http://</code>'' instead of ``<code>https://</code>''.
246 This also happens the other way round when you connect via HTTPS to a HTTP
247 port, i.e. when you try to use ``<code>https://</code>'' on a server that
248 doesn't support SSL (on this port). Make sure you are connecting to a
249 virtual server that supports SSL, which is probably the IP associated with
250 your hostname, not localhost (127.0.0.1).</p>
253 <h3><a name="refused" id="refused">Why do I get ``Connection Refused'' messages when trying to access my freshly
254 installed Apache+mod_ssl server via HTTPS?</a></h3>
255 <p>There can be various reasons. Some of the common mistakes is that people
256 start Apache with just ``<code>apachectl start</code>'' (or
257 ``<code>httpd</code>'') instead of ``<code>apachectl startssl</code>'' (or
258 ``<code>httpd -DSSL</code>''. Or you're configuration is not correct. At
259 least make sure that your <code class="directive"><a href="../mod/mpm_common.html#listen">Listen</a></code>
260 directives match your <code class="directive"><a href="../mod/core.html#virtualhost"><VirtualHost></a></code>
261 directives. And if all fails, please do yourself a favor and start over with the
262 default configuration mod_ssl provides you.</p>
265 <h3><a name="envvars" id="envvars">In my CGI programs and SSI scripts the various documented
266 <code>SSL_XXX</code> variables do not exist. Why?</a></h3>
267 <p>Just make sure you have ``<code>SSLOptions +StdEnvVars</code>''
268 enabled for the context of your CGI/SSI requests.</p>
271 <h3><a name="relative" id="relative">How can I use relative hyperlinks to switch between HTTP and
274 <p>Usually you have to use fully-qualified hyperlinks because
275 you have to change the URL scheme. But with the help of some URL
276 manipulations through mod_rewrite you can achieve the same effect while
277 you still can use relative URLs:</p>
278 <div class="example"><p><code>
279 RewriteEngine on<br />
280 RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [R,L]<br />
281 RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [R,L]
284 <p>This rewrite ruleset lets you use hyperlinks of the form
285 <code><a href="document.html:SSL"></code></p>
287 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="aboutcerts" id="aboutcerts">About Certificates</a></h2>
289 <li><a href="#keyscerts">What are Keys, CSRs and Certs?</a></li>
290 <li><a href="#startup">Difference on startup?</a></li>
291 <li><a href="#realcert">How to create a real cert?</a></li>
292 <li><a href="#ownca">How to create my own CA?</a></li>
293 <li><a href="#passphrase">How to change a pass phrase?</a></li>
294 <li><a href="#removepassphrase">How to remove a pass phrase?</a></li>
295 <li><a href="#verify">How to verify a key/cert pair?</a></li>
296 <li><a href="#badcert">Bad Certificate Error?</a></li>
297 <li><a href="#keysize">Why does a 2048-bit key not work?</a></li>
298 <li><a href="#hashsymlinks">Why is client auth broken?</a></li>
299 <li><a href="#pemder">How to convert from PEM to DER?</a></li>
300 <li><a href="#verisign">Verisign and the magic getca program?</a></li>
301 <li><a href="#sgc">Global IDs or SGC?</a></li>
302 <li><a href="#gid">Global IDs and Cert Chain?</a></li>
305 <h3><a name="keyscerts" id="keyscerts">What are RSA Private Keys, CSRs and Certificates?</a></h3>
306 <p>The RSA private key file is a digital file that you can use to decrypt
307 messages sent to you. It has a public component which you distribute (via
308 your Certificate file) which allows people to encrypt those messages to
309 you. A Certificate Signing Request (CSR) is a digital file which contains
310 your public key and your name. You send the CSR to a Certifying Authority
311 (CA) to be converted into a real Certificate. A Certificate contains your
312 RSA public key, your name, the name of the CA, and is digitally signed by
313 your CA. Browsers that know the CA can verify the signature on that
314 Certificate, thereby obtaining your RSA public key. That enables them to
315 send messages which only you can decrypt.
316 See the <a href="ssl_intro.html">Introduction</a> chapter for a general
317 description of the SSL protocol.</p>
320 <h3><a name="startup" id="startup">Seems like there is a difference on startup between the original Apache and an SSL-aware Apache?</a></h3>
321 <p>Yes, in general, starting Apache with a built-in mod_ssl is just like
322 starting an unencumbered Apache, except for the fact that when you have a
323 pass phrase on your SSL private key file. Then a startup dialog pops up
324 asking you to enter the pass phrase.</p>
326 <p>To type in the pass phrase manually when starting the server can be
327 problematic, for instance when starting the server from the system boot
328 scripts. As an alternative to this situation you can follow the steps
329 below under ``How can I get rid of the pass-phrase dialog at Apache
333 <h3><a name="realcert" id="realcert">Ok, I've got my server installed and want to create a real SSL
334 server Certificate for it. How do I do it?</a></h3>
335 <p>Here is a step-by-step description:</p>
338 <li>Make sure OpenSSL is really installed and in your <code>PATH</code>.
339 But some commands even work ok when you just run the
340 ``<code>openssl</code>'' program from within the OpenSSL source tree as
341 ``<code>./apps/openssl</code>''.<br />
345 <li>Create a RSA private key for your Apache server
346 (will be Triple-DES encrypted and PEM formatted):<br />
348 <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code><br />
350 Please backup this <code>server.key</code> file and remember the
351 pass-phrase you had to enter at a secure location.
352 You can see the details of this RSA private key via the command:<br />
355 <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br />
357 And you could create a decrypted PEM version (not recommended)
358 of this RSA private key via:<br />
360 <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br />
364 <li>Create a Certificate Signing Request (CSR) with the server RSA private
365 key (output will be PEM formatted):<br />
367 <code><strong>$ openssl req -new -key server.key -out server.csr</strong></code><br />
369 Make sure you enter the FQDN ("Fully Qualified Domain Name") of the
370 server when OpenSSL prompts you for the "CommonName", i.e. when you
371 generate a CSR for a website which will be later accessed via
372 <code>https://www.foo.dom/</code>, enter "www.foo.dom" here.
373 You can see the details of this CSR via the command<br />
376 <code><strong>$ openssl req -noout -text -in server.csr</strong></code><br />
379 <li>You now have to send this Certificate Signing Request (CSR) to
380 a Certifying Authority (CA) for signing. The result is then a real
381 Certificate which can be used for Apache. Here you have two options:
382 First you can let the CSR sign by a commercial CA like Verisign or
383 Thawte. Then you usually have to post the CSR into a web form, pay for
384 the signing and await the signed Certificate you then can store into a
385 server.crt file. For more information about commercial CAs have a look
386 at the following locations:<br />
391 <a href="http://digitalid.verisign.com/server/apacheNotice.htm">
392 http://digitalid.verisign.com/server/apacheNotice.htm
395 <li> Thawte Consulting<br />
396 <a href="http://www.thawte.com/certs/server/request.html">
397 http://www.thawte.com/certs/server/request.html
401 <li> CertiSign Certificadora Digital Ltda.<br />
402 <a href="http://www.certisign.com.br">
403 http://www.certisign.com.br
407 <a href="http://www.iks-jena.de/produkte/ca/">
409 http://www.iks-jena.de/produkte/ca/
412 <li> Uptime Commerce Ltd.<br />
413 <a href="http://www.uptimecommerce.com">
414 http://www.uptimecommerce.com
417 <li> BelSign NV/SA<br />
419 <a href="http://www.belsign.be">
420 http://www.belsign.be
425 Second you can use your own CA and now have to sign the CSR yourself by
426 this CA. Read the next answer in this FAQ on how to sign a CSR with
428 You can see the details of the received Certificate via the command:<br />
430 <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br />
433 <li>Now you have two files: <code>server.key</code> and
434 <code>server.crt</code>. These now can be used as following inside your
435 Apache's <code>httpd.conf</code> file:
437 SSLCertificateFile /path/to/this/server.crt
438 SSLCertificateKeyFile /path/to/this/server.key
440 The <code>server.csr</code> file is no longer needed.
446 <h3><a name="ownca" id="ownca">How can I create and use my own Certificate Authority (CA)?</a></h3>
447 <p>The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code>
449 script provided by OpenSSL. The long and manual answer is this:</p>
452 <li>Create a RSA private key for your CA
453 (will be Triple-DES encrypted and PEM formatted):<br />
455 <code><strong>$ openssl genrsa -des3 -out ca.key 1024</strong></code><br />
457 Please backup this <code>ca.key</code> file and remember the
458 pass-phrase you currently entered at a secure location.
459 You can see the details of this RSA private key via the command<br />
462 <code><strong>$ openssl rsa -noout -text -in ca.key</strong></code><br />
464 And you can create a decrypted PEM version (not recommended) of this
465 private key via:<br />
467 <code><strong>$ openssl rsa -in ca.key -out ca.key.unsecure</strong></code><br />
471 <li>Create a self-signed CA Certificate (X509 structure)
472 with the RSA key of the CA (output will be PEM formatted):<br />
474 <code><strong>$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt</strong></code><br />
476 You can see the details of this Certificate via the command:<br />
479 <code><strong>$ openssl x509 -noout -text -in ca.crt</strong></code><br />
482 <li>Prepare a script for signing which is needed because
483 the ``<code>openssl ca</code>'' command has some strange requirements
484 and the default OpenSSL config doesn't allow one easily to use
485 ``<code>openssl ca</code>'' directly. So a script named
486 <code>sign.sh</code> is distributed with the mod_ssl distribution
487 (subdir <code>pkg.contrib/</code>). Use this script for signing.
490 <li>Now you can use this CA to sign server CSR's in order to create real
491 SSL Certificates for use inside an Apache webserver (assuming
492 you already have a <code>server.csr</code> at hand):<br />
494 <code><strong>$ ./sign.sh server.csr</strong></code><br />
496 This signs the server CSR and results in a <code>server.crt</code> file.<br />
503 <h3><a name="passphrase" id="passphrase">How can I change the pass-phrase on my private key file?</a></h3>
504 <p>You simply have to read it with the old pass-phrase and write it again
505 by specifying the new pass-phrase. You can accomplish this with the following
509 <p><code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br />
510 <code><strong>$ mv server.key.new server.key</strong></code><br /></p>
512 <p>Here you're asked two times for a PEM pass-phrase. At the first
513 prompt enter the old pass-phrase and at the second prompt
514 enter the new pass-phrase.</p>
517 <h3><a name="removepassphrase" id="removepassphrase">How can I get rid of the pass-phrase dialog at Apache startup time?</a></h3>
518 <p>The reason why this dialog pops up at startup and every re-start
519 is that the RSA private key inside your server.key file is stored in
520 encrypted format for security reasons. The pass-phrase is needed to be
521 able to read and parse this file. When you can be sure that your server is
522 secure enough you perform two steps:</p>
525 <li>Remove the encryption from the RSA private key (while
526 preserving the original file):<br />
528 <code><strong>$ cp server.key server.key.org</strong></code><br />
529 <code><strong>$ openssl rsa -in server.key.org -out server.key</strong></code><br />
533 <li>Make sure the server.key file is now only readable by root:<br />
535 <code><strong>$ chmod 400 server.key</strong></code><br />
540 <p>Now <code>server.key</code> will contain an unencrypted copy of the key.
541 If you point your server at this file it will not prompt you for a
542 pass-phrase. HOWEVER, if anyone gets this key they will be able to
543 impersonate you on the net. PLEASE make sure that the permissions on that
544 file are really such that only root or the web server user can read it
545 (preferably get your web server to start as root but run as another
546 server, and have the key readable only by root).</p>
548 <p>As an alternative approach you can use the ``<code>SSLPassPhraseDialog
549 exec:/path/to/program</code>'' facility. But keep in mind that this is
550 neither more nor less secure, of course.</p>
553 <h3><a name="verify" id="verify">How do I verify that a private key matches its Certificate?</a></h3>
554 <p>The private key contains a series of numbers. Two of those numbers form
555 the "public key", the others are part of your "private key". The "public
556 key" bits are also embedded in your Certificate (we get them from your
557 CSR). To check that the public key in your cert matches the public
558 portion of your private key, you need to view the cert and the key and
559 compare the numbers. To view the Certificate and the key run the
562 <p><code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br />
563 <code><strong>$ openssl rsa -noout -text -in server.key</strong></code></p>
565 <p>The `modulus' and the `public exponent' portions in the key and the
566 Certificate must match. But since the public exponent is usually 65537
567 and it's bothering comparing long modulus you can use the following
571 <p><code><strong>$ openssl x509 -noout -modulus -in server.crt | openssl md5</strong></code><br />
572 <code><strong>$ openssl rsa -noout -modulus -in server.key | openssl md5</strong></code></p>
574 <p>And then compare these really shorter numbers. With overwhelming
575 probability they will differ if the keys are different. BTW, if I want to
576 check to which key or certificate a particular CSR belongs you can compute</p>
578 <p><code><strong>$ openssl req -noout -modulus -in server.csr | openssl md5</strong></code></p>
581 <h3><a name="badcert" id="badcert">What does it mean when my connections fail with an "alert bad certificate"
583 <p>Usually when you see errors like <code>OpenSSL: error:14094412: SSL
584 routines:SSL3_READ_BYTES:sslv3 alert bad certificate</code> in the SSL
585 logfile, this means that the browser was unable to handle the server
586 certificate/private-key which perhaps contain a RSA-key not equal to 1024
587 bits. For instance Netscape Navigator 3.x is one of those browsers.</p>
590 <h3><a name="keysize" id="keysize">Why does my 2048-bit private key not work?</a></h3>
591 <p>The private key sizes for SSL must be either 512 or 1024 for compatibility
592 with certain web browsers. A keysize of 1024 bits is recommended because
593 keys larger than 1024 bits are incompatible with some versions of Netscape
594 Navigator and Microsoft Internet Explorer, and with other browsers that
595 use RSA's BSAFE cryptography toolkit.</p>
598 <h3><a name="hashsymlinks" id="hashsymlinks">Why is client authentication broken after upgrading from
599 SSLeay version 0.8 to 0.9?</a></h3>
600 <p>The CA certificates under the path you configured with
601 <code>SSLCACertificatePath</code> are found by SSLeay through hash
602 symlinks. These hash values are generated by the `<code>openssl x509 -noout
603 -hash</code>' command. But the algorithm used to calculate the hash for a
604 certificate has changed between SSLeay 0.8 and 0.9. So you have to remove
605 all old hash symlinks and re-create new ones after upgrading. Use the
606 <code>Makefile</code> mod_ssl placed into this directory.</p>
609 <h3><a name="pemder" id="pemder">How can I convert a certificate from PEM to DER format?</a></h3>
610 <p>The default certificate format for SSLeay/OpenSSL is PEM, which actually
611 is Base64 encoded DER with header and footer lines. For some applications
612 (e.g. Microsoft Internet Explorer) you need the certificate in plain DER
613 format. You can convert a PEM file <code>cert.pem</code> into the
614 corresponding DER file <code>cert.der</code> with the following command:
615 <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code></p>
618 <h3><a name="verisign" id="verisign">I try to install a Verisign certificate. Why can't I find neither the
619 <code>getca</code> nor <code>getverisign</code> programs Verisign mentions?</a></h3>
620 <p>This is because Verisign has never provided specific instructions
621 for Apache+mod_ssl. Rather they tell you what you should do
622 if you were using C2Net's Stronghold (a commercial Apache
623 based server with SSL support). The only thing you have to do
624 is to save the certificate into a file and give the name of
625 that file to the <code>SSLCertificateFile</code> directive.
626 Remember that you need to give the key file in as well (see
627 <code>SSLCertificateKeyFile</code> directive). For a better
628 CA-related overview on SSL certificate fiddling you can look at <a href="http://www.thawte.com/certs/server/keygen/mod_ssl.html">Thawte's mod_ssl instructions</a>.</p>
631 <h3><a name="sgc" id="sgc">Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global
632 ID) also with mod_ssl?</a></h3>
633 <p>Yes, mod_ssl since version 2.1 supports the SGC facility. You don't have
634 to configure anything special for this, just use a Global ID as your
635 server certificate. The <em>step up</em> of the clients are then
636 automatically handled by mod_ssl under run-time. For details please read
637 the <code>README.GlobalID</code> document in the mod_ssl distribution.</p>
640 <h3><a name="gid" id="gid">After I have installed my new Verisign Global ID server certificate, the
641 browsers complain that they cannot verify the server certificate?</a></h3>
642 <p>That is because Verisign uses an intermediate CA certificate between
643 the root CA certificate (which is installed in the browsers) and
644 the server certificate (which you installed in the server). You
645 should have received this additional CA certificate from Verisign.
646 If not, complain to them. Then configure this certificate with the
647 <code>SSLCertificateChainFile</code> directive in the server. This
648 makes sure the intermediate CA certificate is send to the browser
649 and this way fills the gap in the certificate chain.</p>
651 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="aboutssl" id="aboutssl">About SSL Protocol</a></h2>
653 <li><a href="#random">Random SSL errors under heavy load?</a></li>
654 <li><a href="#load">Why has the server a higher load?</a></li>
655 <li><a href="#establishing">Why are connections horribly slow?</a></li>
656 <li><a href="#ciphers">Which ciphers are supported?</a></li>
657 <li><a href="#adh">How to use Anonymous-DH ciphers</a></li>
658 <li><a href="#sharedciphers">Why do I get 'no shared ciphers'?</a></li>
659 <li><a href="#vhosts">HTTPS and name-based vhosts</a></li>
660 <li><a href="#lockicon">The lock icon in Netscape locks very late</a></li>
661 <li><a href="#msie">Why do I get I/O errors with MSIE clients?</a></li>
662 <li><a href="#nn">Why do I get I/O errors with NS clients?</a></li>
665 <h3><a name="random" id="random">Why do I get lots of random SSL protocol errors under heavy server load?</a></h3>
666 <p>There can be a number of reasons for this, but the main one
667 is problems with the SSL session Cache specified by the
668 <code class="directive"><a href="../mod/mod_ssl.html#sslsessioncache">SSLSessionCache</a></code> directive. The DBM session
669 cache is most likely the source of the problem, so trying the SHM session cache or
670 no cache at all may help.</p>
673 <h3><a name="load" id="load">Why has my webserver a higher load now that I run SSL there?</a></h3>
674 <p>Because SSL uses strong cryptographic encryption and this needs a lot of
675 number crunching. And because when you request a webpage via HTTPS even
676 the images are transfered encrypted. So, when you have a lot of HTTPS
677 traffic the load increases.</p>
680 <h3><a name="establishing" id="establishing">Often HTTPS connections to my server require up to 30 seconds for establishing
681 the connection, although sometimes it works faster?</a></h3>
682 <p>Usually this is caused by using a <code>/dev/random</code> device for
683 <code>SSLRandomSeed</code> which is blocking in read(2) calls if not
684 enough entropy is available. Read more about this problem in the refernce
685 chapter under <code>SSLRandomSeed</code>.</p>
688 <h3><a name="ciphers" id="ciphers">What SSL Ciphers are supported by mod_ssl?</a></h3>
689 <p>Usually just all SSL ciphers which are supported by the
690 version of OpenSSL in use (can depend on the way you built
691 OpenSSL). Typically this at least includes the following:</p>
694 <li>RC4 with MD5</li>
696 <li>RC4 with MD5 (export version restricted to 40-bit key)</li>
697 <li>RC2 with MD5</li>
698 <li>RC2 with MD5 (export version restricted to 40-bit key)</li>
699 <li>IDEA with MD5</li>
700 <li>DES with MD5</li>
701 <li>Triple-DES with MD5</li>
705 <p>To determine the actual list of supported ciphers you can
706 run the following command:</p>
707 <div class="example"><p><code>$ openssl ciphers -v</code></p></div>
710 <h3><a name="adh" id="adh">I want to use Anonymous Diffie-Hellman (ADH) ciphers, but I always get ``no
711 shared cipher'' errors?</a></h3>
712 <p>In order to use Anonymous Diffie-Hellman (ADH) ciphers, it is not enough
713 to just put ``<code>ADH</code>'' into your <code>SSLCipherSuite</code>.
714 Additionally you have to build OpenSSL with
715 ``<code>-DSSL_ALLOW_ADH</code>''. Because per default OpenSSL does not
716 allow ADH ciphers for security reasons. So if you are actually enabling
717 these ciphers make sure you are informed about the side-effects.</p>
720 <h3><a name="sharedciphers" id="sharedciphers">I always just get a 'no shared ciphers' error if
721 I try to connect to my freshly installed server?</a></h3>
722 <p>Either you have messed up your <code>SSLCipherSuite</code>
723 directive (compare it with the pre-configured example in
724 <code>httpd.conf-dist</code>) or you have choosen the DSA/DH
725 algorithms instead of RSA when you generated your private key
726 and ignored or overlooked the warnings. If you have choosen
727 DSA/DH, then your server no longer speaks RSA-based SSL ciphers
728 (at least not until you also configure an additional RSA-based
729 certificate/key pair). But current browsers like NS or IE only speak
730 RSA ciphers. The result is the "no shared ciphers" error. To fix
731 this, regenerate your server certificate/key pair and this time
732 choose the RSA algorithm.</p>
735 <h3><a name="vhosts" id="vhosts">Why can't I use SSL with name-based/non-IP-based virtual hosts?</a></h3>
736 <p>The reason is very technical. Actually it's some sort of a chicken and
737 egg problem: The SSL protocol layer stays below the HTTP protocol layer
738 and encapsulates HTTP. When an SSL connection (HTTPS) is established
739 Apache/mod_ssl has to negotiate the SSL protocol parameters with the
740 client. For this mod_ssl has to consult the configuration of the virtual
741 server (for instance it has to look for the cipher suite, the server
742 certificate, etc.). But in order to dispatch to the correct virtual server
743 Apache has to know the <code>Host</code> HTTP header field. For this the
744 HTTP request header has to be read. This cannot be done before the SSL
745 handshake is finished. But the information is already needed at the SSL
746 handshake phase. Bingo!</p>
749 <h3><a name="lockicon" id="lockicon">When I use Basic Authentication over HTTPS the lock icon in Netscape browsers
750 still shows the unlocked state when the dialog pops up. Does this mean the
751 username/password is still transmitted unencrypted?</a></h3>
752 <p>No, the username/password is already transmitted encrypted. The icon in
753 Netscape browsers is just not really synchronized with the SSL/TLS layer
754 (it toggles to the locked state when the first part of the actual webpage
755 data is transferred which is not quite correct) and this way confuses
756 people. The Basic Authentication facility is part of the HTTP layer and
757 this layer is above the SSL/TLS layer in HTTPS. And before any HTTP data
758 communication takes place in HTTPS the SSL/TLS layer has already done the
759 handshake phase and switched to encrypted communication. So, don't get
760 confused by this icon.</p>
763 <h3><a name="msie" id="msie">When I connect via HTTPS to an Apache+mod_ssl+OpenSSL server with Microsoft Internet
764 Explorer (MSIE) I get various I/O errors. What is the reason?</a></h3>
765 <p>The first reason is that the SSL implementation in some MSIE versions has
766 some subtle bugs related to the HTTP keep-alive facility and the SSL close
767 notify alerts on socket connection close. Additionally the interaction
768 between SSL and HTTP/1.1 features are problematic with some MSIE versions,
769 too. You've to work-around these problems by forcing
770 Apache+mod_ssl+OpenSSL to not use HTTP/1.1, keep-alive connections or
771 sending the SSL close notify messages to MSIE clients. This can be done by
772 using the following directive in your SSL-aware virtual host section:</p>
773 <div class="example"><p><code>
774 SetEnvIf User-Agent ".*MSIE.*" \<br />
775 nokeepalive ssl-unclean-shutdown \<br />
776 downgrade-1.0 force-response-1.0
778 <p>Additionally it is known some MSIE versions have also problems
779 with particular ciphers. Unfortunately one cannot workaround these
780 bugs only for those MSIE particular clients, because the ciphers
781 are already used in the SSL handshake phase. So a MSIE-specific
782 <code class="directive"><a href="../mod/mod_setenvif.html#setenvif">SetEnvIf</a></code> doesn't work
783 to solve these problems. Instead one has to do more drastic
784 adjustments to the global parameters. But before you decide to do
785 this, make sure your clients really have problems. If not, do not
786 do this, because it affects all(!) your clients, i.e., also your
787 non-MSIE clients.</p>
789 <p>The next problem is that 56bit export versions of MSIE 5.x browsers have a
790 broken SSLv3 implementation which badly interacts with OpenSSL versions
791 greater than 0.9.4. You can either accept this and force your clients to
792 upgrade their browsers, or you downgrade to OpenSSL 0.9.4 (hmmm), or you
793 can decide to workaround it by accepting the drawback that your workaround
794 will horribly affect also other browsers:</p>
795 <div class="example"><p><code>SSLProtocol all -SSLv3</code></p></div>
796 <p>This completely disables the SSLv3 protocol and lets those browsers work.
797 But usually this is an even less acceptable workaround. A more reasonable
798 workaround is to address the problem more closely and disable only the
799 ciphers which cause trouble.</p>
800 <div class="example"><p><code>SSLCipherSuite
801 ALL:!ADH:<strong>!EXPORT56</strong>:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</code>
804 <p>This also lets the broken MSIE versions work, but only removes the
805 newer 56bit TLS ciphers.</p>
807 <p>Another problem with MSIE 5.x clients is that they refuse to connect to
808 URLs of the form <code>https://12.34.56.78/</code> (IP-addresses are used
809 instead of the hostname), if the server is using the Server Gated
810 Cryptography (SGC) facility. This can only be avoided by using the fully
811 qualified domain name (FQDN) of the website in hyperlinks instead, because
812 MSIE 5.x has an error in the way it handles the SGC negotiation.</p>
814 <p>And finally there are versions of MSIE which seem to require that
815 an SSL session can be reused (a totally non standard-conforming
816 behaviour, of course). Connection with those MSIE versions only work
817 if a SSL session cache is used. So, as a work-around, make sure you
818 are using a session cache (see <code class="directive"><a href="../mod/mod_ssl.html#sslsessioncache">SSLSessionCache</a></code> directive).</p>
821 <h3><a name="nn" id="nn">When I connect via HTTPS to an Apache+mod_ssl server with Netscape Navigator I
822 get I/O errors and the message "Netscape has encountered bad data from the
823 server" What's the reason?</a></h3>
825 The problem usually is that you had created a new server certificate with
826 the same DN, but you had told your browser to accept forever the old
827 server certificate. Once you clear the entry in your browser for the old
828 certificate, everything usually will work fine. Netscape's SSL
829 implementation is correct, so when you encounter I/O errors with Netscape
830 Navigator it is most of the time caused by the configured certificates.</p>
832 </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div><div class="section"><h2><a name="support" id="support">About Support</a></h2>
834 <li><a href="#resources">Resources in case of problems?</a></li>
835 <li><a href="#contact">Support in case of problems?</a></li>
836 <li><a href="#reportdetails">How to write a problem report?</a></li>
837 <li><a href="#coredumphelp">I got a core dump, can you help me?</a></li>
838 <li><a href="#backtrace">How to get a backtrace?</a></li>
841 <h3><a name="resources" id="resources">What information resources are available in case of mod_ssl problems?</a></h3>
842 <p>The following information resources are available.
843 In case of problems you should search here first.</p>
846 <dt>Answers in the User Manual's F.A.Q. List (this)</dt>
847 <dd><a href="http://httpd.apache.org/docs-2.1/ssl/ssl_faq.html">
848 http://httpd.apache.org/docs-2.1/ssl/ssl_faq.html</a><br />
849 First look inside the F.A.Q. (this text), perhaps your problem is such
850 popular that it was already answered a lot of times in the past.
852 <dt>Postings from the modssl-users Support Mailing List
853 <a href="http://www.modssl.org/support/">
854 http://www.modssl.org/support/</a></dt>
855 <dd>Second search for your problem in one of the existing archives of the
856 modssl-users mailing list. Perhaps your problem popped up at least once for
859 <dt>Problem Reports in the Bug Database
860 <a href="http://www.modssl.org/support/bugdb/">
861 http://www.modssl.org/support/bugdb/</a></dt>
862 <dd>Third look inside the mod_ssl Bug Database. Perhaps
863 someone else already has reported the problem.
869 <h3><a name="contact" id="contact">What support contacts are available in case of mod_ssl problems?</a></h3>
870 <p>The following lists all support possibilities for mod_ssl, in order of
871 preference, i.e. start in this order and do not pick the support possibility
872 you just like most, please.</p>
875 <li><em>Write a Problem Report into the Bug Database</em><br />
876 <a href="http://www.modssl.org/support/bugdb/">
877 http://www.modssl.org/support/bugdb/</a><br />
878 This is the preferred way of submitting your problem report, because this
879 way it gets filed into the bug database (it cannot be lost) <em>and</em>
880 send to the modssl-users mailing list (others see the current problems and
884 <li><em>Write a Problem Report to the modssl-users Support Mailing List</em><br />
885 <a href="mailto:modssl-users@modssl.org">
886 modssl-users@modssl.org</a><br />
887 This is the second way of submitting your problem report. You have to
888 subscribe to the list first, but then you can easily discuss your problem
889 with both the author and the whole mod_ssl user community.
894 <h3><a name="reportdetails" id="reportdetails">What information and details should I
895 provide when writing a bug report?</a></h3>
896 <p>You have to at least always provide the following information:</p>
899 <dt>Apache and OpenSSL version information</dt>
900 <dd>The Apache version can be determined
901 by running ``<code>httpd -v</code>''. The OpenSSL version can be
902 determined by running ``<code>openssl version</code>''. Alternatively when
903 you have Lynx installed you can run the command ``<code>lynx -mime_header
904 http://localhost/ | grep Server</code>'' to determine all information in a
908 <dt>The details on how you built and installed Apache+mod_ssl+OpenSSL</dt>
909 <dd>For this you can provide a logfile of your terminal session which shows
910 the configuration and install steps. Alternatively you can at least
911 provide the <code>configure</code> command line you used.
914 <dt>In case of core dumps please include a Backtrace</dt>
915 <dd>In case your Apache+mod_ssl+OpenSSL should really dump core please attach
916 a stack-frame ``backtrace'' (see the next question on how to get it).
917 Without this information the reason for your core dump cannot be found.
918 So you have to provide the backtrace, please.
921 <dt>A detailed description of your problem</dt>
922 <dd>Don't laugh, I'm totally serious. I already got a lot of problem reports
923 where the people not really said what's the actual problem is. So, in your
924 own interest (you want the problem be solved, don't you?) include as much
925 details as possible, please. But start with the essentials first, of
931 <h3><a name="coredumphelp" id="coredumphelp">I got a core dump, can you help me?</a></h3>
932 <p>In general no, at least not unless you provide more details about the code
933 location where Apache dumped core. What is usually always required in
934 order to help you is a backtrace (see next question). Without this
935 information it is mostly impossible to find the problem and help you in
939 <h3><a name="backtrace" id="backtrace">Ok, I got a core dump but how do I get a backtrace to find out the reason for it?</a></h3>
940 <p>Follow the following steps:</p>
942 <li>Make sure you have debugging symbols available in at least
943 Apache. On platforms where you use GCC/GDB you have to build
944 Apache+mod_ssl with ``<code>OPTIM="-g -ggdb3"</code>'' to achieve this. On
945 other platforms at least ``<code>OPTIM="-g"</code>'' is needed.
948 <li>Startup the server and try to produce the core-dump. For this you perhaps
949 want to use a directive like ``<code>CoreDumpDirectory /tmp</code>'' to
950 make sure that the core-dump file can be written. You then should get a
951 <code>/tmp/core</code> or <code>/tmp/httpd.core</code> file. When you
952 don't get this, try to run your server under an UID != 0 (root), because
953 most "current" kernels do not allow a process to dump core after it has
954 done a <code>setuid()</code> (unless it does an <code>exec()</code>) for
955 security reasons (there can be privileged information left over in
956 memory). Additionally you can run ``<code>/path/to/httpd -X</code>''
957 manually to force Apache to not fork.
960 <li>Analyze the core-dump. For this run <code>gdb /path/to/httpd
961 /tmp/httpd.core</code> or a similar command has to run. In GDB you then
962 just have to enter the <code>bt</code> command and, voila, you get the
963 backtrace. For other debuggers consult your local debugger manual. Send
964 this backtrace to the author.
968 </div></div><div id="footer"><p class="apache">Maintained by the <a href="http://httpd.apache.org/docs-project/">Apache HTTP Server Documentation Project</a></p><p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div></body></html>