2 #use "ssl_template.inc" title="F.A.Q." tag=faq num=6
4 <page_prev name="HowTo" url="ssl_howto.html">
5 <page_next name="Glossary" url="ssl_glossary.html">
7 #use wml::std::toc style=nbsp
9 <quotation width=200 author="Claude Levi-Strauss">
10 ``The wise man doesn't give the right answers,
11 he poses the right questions.''
15 <table cellspacing=0 cellpadding=0 border=0>
19 <big T>his chapter is a collection of frequently asked questions (FAQ) and
20 corresponding answers following the popular USENET tradition. Most of these
21 questions occured on the Newsgroup <a
22 href="news:comp.infosystems.www.servers.unix">
23 <code>comp.infosystems.www.servers.unix</code></a> or the mod_ssl Support
24 Mailing List <a href="mailto:modssl-users@modssl.org">
25 <code>modssl-users@modssl.org</code></a>. They are collected at this place
26 to avoid answering the same questions over and over.
29 Please read this chapter at least once when installing mod_ssl or at least
30 search for your problem here before submitting a problem report to the
40 <table cellspacing=0 cellpadding=5 border=0 bgcolor="#ccccff" width=350>
42 <td bgcolor="#333399">
43 <font face="Arial,Helvetica" color="#ccccff">
44 <b>Table Of Contents</b>
50 <font face="Arial,Helvetica" size=-1>
62 # container tag for layouting a question
63 <define-tag faq endtag=required>
68 <li><toc_h3 alt="<get-var toc>"></toc_h3>
69 <a name="<get-var ref>"></a>
70 <strong id="faq">%body</strong>\
72 [<a href="http://www.modssl.org/docs/2.8/ssl_faq.html#<get-var ref>"><b>L</b></a>]
79 <h2>About the module</h2>
83 <faq ref="history" toc="What is the history of mod_ssl?">
84 What is the history of mod_ssl?
87 The mod_ssl v1 package was initially created in April 1998 by <a
88 href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> via porting <a
89 href="mailto:ben@algroup.co.uk">Ben Laurie</a>'s <a
90 href="http://www.apache-ssl.org/">Apache-SSL</a> 1.17 source patches for
91 Apache 1.2.6 to Apache 1.3b6. Because of conflicts with Ben
92 Laurie's development cycle it then was re-assembled from scratch for
93 Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL
94 1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The
95 first publically released version was mod_ssl 2.0.0 from August 10th,
96 1998. As of this writing (August 1999) the current mod_ssl version is 2.4.0.
98 After one year of very active development with over 1000 working hours and
99 over 40 releases mod_ssl reached its current state. The result is an
100 already very clean source base implementing a very rich functionality.
101 The code size increased by a factor of 4 to currently a total of over
102 10.000 lines of ANSI C consisting of approx. 70% code and 30% code
103 documentation. From the original Apache-SSL code currently approx. 5% is
106 <faq ref="apssl-diff" toc="Apache-SSL vs. mod_ssl: differences?">
107 What are the functional differences between mod_ssl and Apache-SSL, from where
108 it is originally derived?
111 This neither can be answered in short (there were too many code changes)
112 nor can be answered at all by the author (there would immediately be flame
113 wars with no reasonable results at the end). But as you easily can guess
114 from the 5% of remaining Apache-SSL code, a lot of differences exists,
115 although user-visible backward compatibility exists for most things.
117 When you really want a detailed comparison you have to read the entries in
118 the large <code>CHANGES</code> file that is in the mod_ssl
119 distribution. Usually this is much too hard-core. So I recommend you to
120 either believe in the opinion and recommendations of other users (the
121 simplest approach) or do a comparison yourself (the most reasonable
122 approach). For the latter, grab distributions of mod_ssl (from <a
123 href="http://www.modssl.org/">http://www.modssl.org</a>) and Apache-SSL
124 (from <a href="http://www.apache-ssl.org/">http://www.apache-ssl.org</a>),
125 install both packages, read their documentation and try them out yourself.
126 Then choose the one which pleases you most.
128 A few final hints to help direct your comparison: quality of documentation
129 ("can you easily find answers and are they sufficient?"), quality of
130 source code ("is the source code reviewable so you can make sure there
131 aren't any trapdoors or inherent security risks because of bad programming
132 style?"), easy and clean installation ("can the SSL functionality easily
133 added to an Apache source tree without manual editing or patching?"),
134 clean integration into Apache ("is the SSL functionality encapsulated and
135 cleanly separated from the remaining Apache functionality?"), support for
136 Dynamic Shared Object (DSO) facility ("can the SSL functionality built as
137 a separate DSO for maximum flexibility?"), Win32 port ("is the SSL
138 functionality available also under the Win32 platform?"), amount and
139 quality of functionality ("is the provided SSL functionality and control
140 possibilities sufficient for your situation?"), quality of problem tracing
141 ("is it possible for you to easily trace down the problems via logfiles,
144 <faq ref="apssl-diff" toc="mod_ssl vs. commercial alternatives?">
145 What are the major differences between mod_ssl and
146 the commercial alternatives like Raven or Stronghold?
149 In the past (until September 20th, 2000) the major difference was
150 the RSA license which one received (very cheaply in contrast to
151 a direct licensing from RSA DSI) with the commercial Apache SSL
152 products. On the other hand, one needed this license only in the US,
153 of course. So for non-US citizens this point was useless. But now
154 even for US citizens the situations changed because the RSA patent
155 expired on September 20th, 2000 and RSA DSI also placed the RSA
156 algorithm explicitly into the public domain.
159 Second, there is the point that one has guaranteed support from
160 the commercial vendors. On the other hand, if you monitored the
161 Open Source quality of mod_ssl and the support activities
162 found on <a href="mailto:modssl-users@modssl.org">
163 <code>modssl-users@modssl.org</code></a>, you could ask yourself
164 whether you are really convinced that you can get better support
165 from a commercial vendor.
168 Third, people often think they would receive perhaps at least a
169 better technical SSL solution than mod_ssl from the commercial
170 vendors. But this is not really true, because all commercial
171 alternatives (Raven 1.4.x, Stronghold 3.x, RedHat SWS 2.x, etc.)
172 <i>are</i> actually based on mod_ssl and OpenSSL. The reason for
173 this common misunderstanding is mainly because some vendors make no
174 attempt to make it reasonably clear that their product is actually
175 mod_ssl based. So, do not think, just because the commercial
176 alternatives are usually more expensive, that you are also receiving
177 an alternative <i>technical</i> SSL solution. This is usually not
178 the case. Actually the vendor versions of Apache, mod_ssl and OpenSSL
179 often stay behind the latest free versions and perhaps this way still do not
180 include important bug and security fixes. On the other hand,
181 it sometimes occurs that a vendor version includes useful changes
182 which are not available through the official freely available
183 packages. But most vendors play fair and contribute back those
184 changes to the free software world, of course.
187 So, in short: There are lots of commercial versions of the popular
188 Apache+mod_ssl+OpenSSL server combination available. Every user
189 should decide carefully whether they really need to buy a commercial
190 version or whether it would not be sufficient to directly use the
191 free and official versions of the Apache, mod_ssl and OpenSSL
194 <faq ref="what-version" toc="mod_ssl/Apache versions?">
195 How do I know which mod_ssl version is for which Apache version?
198 That's trivial: mod_ssl uses version strings of the syntax
199 <em><mod_ssl-version></em>-<em><apache-version></em>, for
200 instance <code>2.4.0-1.3.9</code>. This directly indicates that it's
201 mod_ssl version 2.4.0 for Apache version 1.3.9. And this also means you
202 <em>only</em> can apply this mod_ssl version to exactly this Apache
203 version (unless you use the <code>--force</code> option to mod_ssl's
204 <code>configure</code> command ;-).
206 <faq ref="y2k" toc="mod_ssl and Year 2000?">
207 Is mod_ssl Year 2000 compliant?
210 Yes, mod_ssl is Year 2000 compliant.
213 Because first mod_ssl internally never stores years as two digits.
214 Instead it always uses the ANSI C & POSIX numerical data type
215 <code>time_t</code> type, which on almost all Unix platforms at the moment
216 is a <code>signed long</code> (usually 32-bits) representing seconds since
217 epoch of January 1st, 1970, 00:00 UTC. This signed value overflows in
218 early January 2038 and not in the year 2000. Second, date and time
219 presentations (for instance the variable ``<code>%{TIME_YEAR}</code>'')
220 are done with full year value instead of abbreviating to two digits.
223 Additionally according to a <a
224 href="http://www.apache.org/docs/misc/FAQ.html#year2000">Year 2000
225 statement</a> from the Apache Group, the Apache webserver is Year 2000
226 compliant, too. But whether OpenSSL or the underlaying Operating System
227 (either a Unix or Win32 platform) is Year 2000 compliant is a different
228 question which cannot be answered here.
230 <faq ref="wassenaar" toc="mod_ssl and Wassenaar Arrangement?">
231 What about mod_ssl and the Wassenaar Arrangement?
234 First, let us explain what <i>Wassenaar</i> and its <i>Arrangement on
235 Export Controls for Conventional Arms and Dual-Use Goods and
236 Technologies</i> is: This is a international regime, established 1995, to
237 control trade in conventional arms and dual-use goods and technology. It
238 replaced the previous <i>CoCom</i> regime. 33 countries are signatories:
239 Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech Republic,
240 Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan,
241 Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Republic
242 of Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden,
243 Switzerland, Turkey, Ukraine, United Kingdom and United States. For more
245 href="http://www.wassenaar.org/">http://www.wassenaar.org/</a>.
248 In short: The aim of the Wassenaar Arrangement is to prevent the build up
249 of military capabilities that threaten regional and international security
250 and stability. The Wassenaar Arrangement controls the export of
251 cryptography as a dual-use good, i.e., one that has both military and
252 civilian applications. However, the Wassenaar Arrangement also provides an
253 exemption from export controls for mass-market software and free software.
256 In the current Wassenaar ``<i>List of Dual Use Goods and Technologies And
257 Munitions</i>'', under ``<i>GENERAL SOFTWARE NOTE</i>'' (GSN) it says
258 ``<i>The Lists do not control "software" which is either: 1. [...] 2. "in
259 the public domain".</i>'' And under ``<i>DEFINITIONS OF TERMS USED IN
260 THESE LISTS</i>'' one can find the definition: ``<i>"In the public
261 domain": This means "technology" or "software" which has been made
262 available without restrictions upon its further dissemination. N.B.
263 Copyright restrictions do not remove "technology" or "software" from being
264 "in the public domain".</i>''
267 So, both mod_ssl and OpenSSL are ``in the public domain'' for the purposes
268 of the Wassenaar Agreement and its ``<i>List of Dual Use Goods and
269 Technologies And Munitions List</i>''.
272 Additionally the Wassenaar Agreement itself has no direct consequence for
273 exporting cryptography software. What is actually allowed or forbidden to
274 be exported from the countries has still to be defined in the local laws
275 of each country. And at least according to official press releases from
276 the German BMWi (see <a
277 href="http://www.bmwi.de/presse/1998/1208prm2.html">here</a>) and the
278 Switzerland Bawi (see <a href="http://jya.com/wass-ch.htm">here</a>) there
279 will be no forthcoming export restriction for free cryptography software
280 for their countries. Remember that mod_ssl is created in Germany and
281 distributed from Switzerland.
284 So, mod_ssl and OpenSSL are not affected by the Wassenaar Agreement.
290 <h2>About Installation</h2>
294 <faq ref="core-dbm" toc="Core dumps for HTTPS requests?">
295 When I access my website the first time via HTTPS I get a core dump?
298 There can be a lot of reasons why a core dump can occur, of course.
299 Ranging from buggy third-party modules, over buggy vendor libraries up to
300 a buggy mod_ssl version. But the above situation is often caused by old or
301 broken vendor DBM libraries. To solve it either build mod_ssl with the
302 built-in SDBM library (specify <tt>--enable-rule=SSL_SDBM</tt> at the
303 APACI command line) or switch from ``<tt>SSLSessionCache dbm:</tt>'' to the
304 newer ``<tt>SSLSessionCache shm:</tt>'' variant (after you have rebuilt
305 Apache with MM, of course).
307 <faq ref="core-php3" toc="Core dumps for Apache+mod_ssl+PHP3?">
308 My Apache dumps core when I add both mod_ssl and PHP3?
311 Make sure you add mod_ssl to the Apache source tree first and then do a
312 fresh configuration and installation of PHP3. For SSL support EAPI patches
313 are required which have to change internal Apache structures. PHP3 needs
314 to know about these in order to work correctly. Always make sure that
315 <tt>-DEAPI</tt> is contained in the compiler flags when PHP3 is build.
317 <faq ref="dso-sym" toc="Undefined symbols on startup?">
318 When I startup Apache I get errors about undefined symbols like ap_global_ctx?
321 This actually means you installed mod_ssl as a DSO, but without rebuilding
322 Apache with EAPI. Because EAPI is a requirement for mod_ssl, you need an
323 extra patched Apache (containing the EAPI patches) and you have to build
324 this Apache with EAPI enabled (explicitly specify
325 <tt>--enable-rule=EAPI</tt> at the APACI command line).
327 <faq ref="mutex-perm" toc="Permission problem on SSLMutex">
328 When I startup Apache I get permission errors related to SSLMutex?
331 When you receive entries like ``<code>mod_ssl: Child could not open
332 SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows)
333 [...] System: Permission denied (errno: 13)</code>'' this is usually
334 caused by to restrictive permissions on the <i>parent</i> directories.
335 Make sure that all parent directories (here <code>/opt</code>,
336 <code>/opt/apache</code> and <code>/opt/apache/logs</code>) have the x-bit
337 set at least for the UID under which Apache's children are running (see
338 the <code>User</code> directive of Apache).
340 <faq ref="mm" toc="Shared memory and process size?">
341 When I use the MM library and the shared memory cache each process grows
342 1.5MB according to `top' although I specified 512000 as the cache size?
345 The additional 1MB are caused by the global shared memory pool EAPI
346 allocates for all modules and which is not used by mod_ssl for
347 various reasons. So the actually allocated shared memory is always
348 1MB more than what you specify on <code>SSLSessionCache</code>.
349 But don't be confused by the display of `top': although is
350 indicates that <i>each</i> process grow, this is not reality, of
351 course. Instead the additional memory consumption is shared by
352 all processes, i.e. the 1.5MB are allocated only once per Apache
353 instance and not once per Apache server process.
355 <faq ref="mmpath" toc="Shared memory and pathname?">
356 Apache creates files in a directory declared by the internal
357 EAPI_MM_CORE_PATH define. Is there a way to override the path using a
358 configuration directive?
361 No, there is not configuration directive, because for technical
362 bootstrapping reasons, a directive not possible at all. Instead
363 use ``<code>CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"'
364 ./configure ...</code>'' when building Apache or use option
365 <b>-d</b> when starting <code>httpd</code>.
367 <faq ref="entropy" toc="PRNG and not enough entropy?">
368 When I fire up the server, mod_ssl stops with the error
369 "Failed to generate temporary 512 bit RSA private key", why?
370 And a "PRNG not seeded" error occurs if I try "make certificate".
373 Cryptographic software needs a source of unpredictable data
374 to work correctly. Many open source operating systems provide
375 a "randomness device" that serves this purpose (usually named
376 <code>/dev/random</code>). On other systems, applications have to
377 seed the OpenSSL Pseudo Random Number Generator (PRNG) manually with
378 appropriate data before generating keys or performing public key
379 encryption. As of version 0.9.5, the OpenSSL functions that need
380 randomness report an error if the PRNG has not been seeded with
381 at least 128 bits of randomness. So mod_ssl has to provide enough
382 entropy to the PRNG to work correctly. For this one has to use the
383 <code>SSLRandomSeed</code> directives (to solve the run-time problem)
384 and create a <code>$HOME/.rnd</code> file to make sure enough
385 entropy is available also for the "<code>make certificate</code>"
386 step (in case the "<code>make certificate</code>" procedure is not
387 able to gather enough entropy theirself by searching for system
394 <h2>About Configuration</h2>
398 <faq ref="https-parallel" toc="HTTP and HTTPS with a single server?">
399 Is it possible to provide HTTP and HTTPS with a single server?</strong>
402 Yes, HTTP and HTTPS use different server ports, so there is no direct
403 conflict between them. Either run two separate server instances (one binds
404 to port 80, the other to port 443) or even use Apache's elegant virtual
405 hosting facility where you can easily create two virtual servers which
406 Apache dispatches: one responding to port 80 and speaking HTTP and one
407 responding to port 443 speaking HTTPS.
409 <faq ref="https-port" toc="Where is the HTTPS port?">
410 I know that HTTP is on port 80, but where is HTTPS?
413 You can run HTTPS on any port, but the standards specify port 443, which
414 is where any HTTPS compliant browser will look by default. You can force
415 your browser to look on a different port by specifying it in the URL like
416 this (for port 666): <code>https://secure.server.dom:666/</code>
418 <faq ref="https-test" toc="How to test HTTPS manually?">
419 How can I speak HTTPS manually for testing purposes?
422 While you usually just use
424 <code><b>$ telnet localhost 80</b></code><br>
425 <code><b>GET / HTTP/1.0</b></code>
427 for simple testing the HTTP protocol of Apache, it's not so easy for
428 HTTPS because of the SSL protocol between TCP and HTTP. But with the
429 help of OpenSSL's <code>s_client</code> command you can do a similar
430 check even for HTTPS:
432 <code><b>$ openssl s_client -connect localhost:443 -state -debug</b></code><br>
433 <code><b>GET / HTTP/1.0</b></code>
435 Before the actual HTTP response you receive detailed information about the
436 SSL handshake. For a more general command line client which directly
437 understands both the HTTP and HTTPS scheme, can perform GET and POST
438 methods, can use a proxy, supports byte ranges, etc. you should have a
439 look at nifty <a href="http://curl.haxx.nu/">cURL</a>
440 tool. With it you can directly check if your Apache is running fine on
441 Port 80 and 443 as following:
443 <code><b>$ curl http://localhost/</b></code><br>
444 <code><b>$ curl https://localhost/</b></code><br>
446 <faq ref="hang" toc="Why does my connection hang?">
447 Why does the connection hang when I connect to my SSL-aware Apache server?
450 Because you connected with HTTP to the HTTPS port, i.e. you used an URL of
451 the form ``<code>http://</code>'' instead of ``<code>https://</code>''.
452 This also happens the other way round when you connect via HTTPS to a HTTP
453 port, i.e. when you try to use ``<code>https://</code>'' on a server that
454 doesn't support SSL (on this port). Make sure you are connecting to a
455 virtual server that supports SSL, which is probably the IP associated with
456 your hostname, not localhost (127.0.0.1).
458 <faq ref="hang" toc="Why do I get connection refused?">
459 Why do I get ``Connection Refused'' messages when trying to access my freshly
460 installed Apache+mod_ssl server via HTTPS?
463 There can be various reasons. Some of the common mistakes is that people
464 start Apache with just ``<tt>apachectl start</tt>'' (or
465 ``<tt>httpd</tt>'') instead of ``<tt>apachectl startssl</tt>'' (or
466 ``<tt>httpd -DSSL</tt>''. Or you're configuration is not correct. At
467 least make sure that your ``<tt>Listen</tt>'' directives match your
468 ``<tt><VirtualHost></tt>'' directives. And if all fails, please do
469 yourself a favor and start over with the default configuration mod_ssl
472 <faq ref="env-vars" toc="Why are the SSL_XXX variables missing?">
473 In my CGI programs and SSI scripts the various documented
474 <code>SSL_XXX</code> variables do not exists. Why?
477 Just make sure you have ``<code>SSLOptions +StdEnvVars</code>''
478 enabled for the context of your CGI/SSI requests.
480 <faq ref="relative-links" toc="How to switch with relative hyperlinks?">
481 How can I use relative hyperlinks to switch between HTTP and HTTPS?
484 Usually you have to use fully-qualified hyperlinks because
485 you have to change the URL scheme. But with the help of some URL
486 manipulations through mod_rewrite you can achieve the same effect while
487 you still can use relative URLs:
491 RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [R,L]
492 RewriteRule ^/(.*):NOSSL$ http://%{SERVER_NAME}/$1 [R,L]
495 This rewrite ruleset lets you use hyperlinks of the form
498 <a href="document.html:SSL">
505 <h2>About Certificates</h2>
509 <faq ref="what-is" toc="What are Keys, CSRs and Certs?">
510 What are RSA Private Keys, CSRs and Certificates?</strong>
513 The RSA private key file is a digital file that you can use to decrypt
514 messages sent to you. It has a public component which you distribute (via
515 your Certificate file) which allows people to encrypt those messages to
516 you. A Certificate Signing Request (CSR) is a digital file which contains
517 your public key and your name. You send the CSR to a Certifying Authority
518 (CA) to be converted into a real Certificate. A Certificate contains your
519 RSA public key, your name, the name of the CA, and is digitally signed by
520 your CA. Browsers that know the CA can verify the signature on that
521 Certificate, thereby obtaining your RSA public key. That enables them to
522 send messages which only you can decrypt.
523 See the <a href="ssl_intro.html">Introduction</a> chapter for a general
524 description of the SSL protocol.
526 <faq ref="startup" toc="Difference on startup?">
527 Seems like there is a difference on startup between the original Apache and an SSL-aware Apache?
530 Yes, in general, starting Apache with a built-in mod_ssl is just like
531 starting an unencumbered Apache, except for the fact that when you have a
532 pass phrase on your SSL private key file. Then a startup dialog pops up
533 asking you to enter the pass phrase.
535 To type in the pass phrase manually when starting the server can be
536 problematic, for instance when starting the server from the system boot
537 scripts. As an alternative to this situation you can follow the steps
538 below under ``How can I get rid of the pass-phrase dialog at Apache
541 <faq ref="cert-dummy" toc="How to create a dummy cert?">
542 How can I create a dummy SSL server Certificate for testing purposes?
545 A Certificate does not have to be signed by a public CA. You can use your
546 private key to sign the Certificate which contains your public key. You
547 can install this Certificate into your server, and people using Netscape
548 Navigator (not MSIE) will be able to connect after clicking OK to a
549 warning dialogue. You can get MSIE to work, and your customers can
550 eliminate the dialogue, by installing that Certificate manually into their
553 Just use the ``<code>make certificate</code>'' command at the top-level
554 directory of the Apache source tree right before installing Apache via
555 ``<code>make install</code>''. This creates a self-signed SSL Certificate
556 which expires after 30 days and isn't encrypted (which means you don't
557 need to enter a pass-phrase at Apache startup time).
559 BUT REMEMBER: YOU REALLY HAVE TO CREATE A REAL CERTIFICATE FOR THE LONG
560 RUN! HOW THIS IS DONE IS DESCRIBED IN THE NEXT ANSWER.
562 <faq ref="cert-real" toc="How to create a real cert?">
563 Ok, I've got my server installed and want to create a real SSL
564 server Certificate for it. How do I do it?
567 Here is a step-by-step description:
570 <li>Make sure OpenSSL is really installed and in your <code>PATH</code>.
571 But some commands even work ok when you just run the
572 ``<code>openssl</code>'' program from within the OpenSSL source tree as
573 ``<code>./apps/openssl</code>''.
575 <li>Create a RSA private key for your Apache server
576 (will be Triple-DES encrypted and PEM formatted):
579 <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code>
582 Please backup this <code>server.key</code> file and remember the
583 pass-phrase you had to enter at a secure location.
584 You can see the details of this RSA private key via the command:
587 <code><strong>$ openssl rsa -noout -text -in server.key</strong></code>
590 And you could create a decrypted PEM version (not recommended)
591 of this RSA private key via:
594 <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code>
597 <li>Create a Certificate Signing Request (CSR) with the server RSA private
598 key (output will be PEM formatted):
601 <code><strong>$ openssl req -new -key server.key -out server.csr</strong></code>
604 Make sure you enter the FQDN ("Fully Qualified Domain Name") of the
605 server when OpenSSL prompts you for the "CommonName", i.e. when you
606 generate a CSR for a website which will be later accessed via
607 <code>https://www.foo.dom/</code>, enter "www.foo.dom" here.
608 You can see the details of this CSR via the command
611 <code><strong>$ openssl req -noout -text -in server.csr</strong></code>
614 <li>You now have to send this Certificate Signing Request (CSR) to
615 a Certifying Authority (CA) for signing. The result is then a real
616 Certificate which can be used for Apache. Here you have two options:
618 First you can let the CSR sign by a commercial CA like Verisign or
619 Thawte. Then you usually have to post the CSR into a web form, pay for
620 the signing and await the signed Certificate you then can store into a
621 server.crt file. For more information about commercial CAs have a look
622 at the following locations:
627 <a href="http://digitalid.verisign.com/server/apacheNotice.htm">
628 http://digitalid.verisign.com/server/apacheNotice.htm
630 <li> Thawte Consulting<br>
631 <a href="http://www.thawte.com/certs/server/request.html">
632 http://www.thawte.com/certs/server/request.html
634 <li> CertiSign Certificadora Digital Ltda.<br>
635 <a href="http://www.certisign.com.br">
636 http://www.certisign.com.br
639 <a href="http://www.iks-jena.de/produkte/ca/">
640 http://www.iks-jena.de/produkte/ca/
642 <li> Uptime Commerce Ltd.<br>
643 <a href="http://www.uptimecommerce.com">
644 http://www.uptimecommerce.com
646 <li> BelSign NV/SA<br>
647 <a href="http://www.belsign.be">
648 http://www.belsign.be
653 Second you can use your own CA and now have to sign the CSR yourself by
654 this CA. Read the next answer in this FAQ on how to sign a CSR with
657 You can see the details of the received Certificate via the command:
660 <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code>
663 <li>Now you have two files: <code>server.key</code> and
664 <code>server.crt</code>. These now can be used as following inside your
665 Apache's <code>httpd.conf</code> file:
668 SSLCertificateFile /path/to/this/server.crt
669 SSLCertificateKeyFile /path/to/this/server.key
672 The <code>server.csr</code> file is no longer needed.
675 <faq ref="cert-ownca" toc="How to create my own CA?">
676 How can I create and use my own Certificate Authority (CA)?
679 The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code>
680 script provided by OpenSSL. The long and manual answer is this:
684 <li>Create a RSA private key for your CA
685 (will be Triple-DES encrypted and PEM formatted):
688 <code><strong>$ openssl genrsa -des3 -out ca.key 1024</strong></code>
691 Please backup this <code>ca.key</code> file and remember the
692 pass-phrase you currently entered at a secure location.
693 You can see the details of this RSA private key via the command
696 <code><strong>$ openssl rsa -noout -text -in ca.key</strong></code>
699 And you can create a decrypted PEM version (not recommended) of this
703 <code><strong>$ openssl rsa -in ca.key -out ca.key.unsecure</strong></code>
706 <li>Create a self-signed CA Certificate (X509 structure)
707 with the RSA key of the CA (output will be PEM formatted):
710 <code><strong>$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt</strong></code>
713 You can see the details of this Certificate via the command:
716 <code><strong>$ openssl x509 -noout -text -in ca.crt</strong></code>
719 <li>Prepare a script for signing which is needed because
720 the ``<code>openssl ca</code>'' command has some strange requirements
721 and the default OpenSSL config doesn't allow one easily to use
722 ``<code>openssl ca</code>'' directly. So a script named
723 <code>sign.sh</code> is distributed with the mod_ssl distribution
724 (subdir <code>pkg.contrib/</code>). Use this script for signing.
727 <li>Now you can use this CA to sign server CSR's in order to create real
728 SSL Certificates for use inside an Apache webserver (assuming
729 you already have a <code>server.csr</code> at hand):
732 <code><strong>$ ./sign.sh server.csr</strong></code>
735 This signs the server CSR and results in a <code>server.crt</code> file.
738 <faq ref="change-passphrase" toc="How to change a pass phrase?">
739 How can I change the pass-phrase on my private key file?
742 You simply have to read it with the old pass-phrase and write it again
743 by specifying the new pass-phrase. You can accomplish this with the following
747 <code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br>
748 <code><strong>$ mv server.key.new server.key</strong></code><br>
751 Here you're asked two times for a PEM pass-phrase. At the first
752 prompt enter the old pass-phrase and at the second prompt
753 enter the new pass-phrase.
755 <faq ref="remove-passphrase" toc="How to remove a pass phrase?">
756 How can I get rid of the pass-phrase dialog at Apache startup time?
759 The reason why this dialog pops up at startup and every re-start
760 is that the RSA private key inside your server.key file is stored in
761 encrypted format for security reasons. The pass-phrase is needed to be
762 able to read and parse this file. When you can be sure that your server is
763 secure enough you perform two steps:
767 <li>Remove the encryption from the RSA private key (while
768 preserving the original file):
771 <code><strong>$ cp server.key server.key.org</strong></code><br>
772 <code><strong>$ openssl rsa -in server.key.org -out server.key</strong></code>
775 <li>Make sure the server.key file is now only readable by root:
778 <code><strong>$ chmod 400 server.key</strong></code>
782 Now <code>server.key</code> will contain an unencrypted copy of the key.
783 If you point your server at this file it will not prompt you for a
784 pass-phrase. HOWEVER, if anyone gets this key they will be able to
785 impersonate you on the net. PLEASE make sure that the permissions on that
786 file are really such that only root or the web server user can read it
787 (preferably get your web server to start as root but run as another
788 server, and have the key readable only by root).
791 As an alternative approach you can use the ``<code>SSLPassPhraseDialog
792 exec:/path/to/program</code>'' facility. But keep in mind that this is
793 neither more nor less secure, of course.
795 <faq ref="verify-key" toc="How to verify a key/cert pair?">
796 How do I verify that a private key matches its Certificate?
799 The private key contains a series of numbers. Two of those numbers form
800 the "public key", the others are part of your "private key". The "public
801 key" bits are also embedded in your Certificate (we get them from your
802 CSR). To check that the public key in your cert matches the public
803 portion of your private key, you need to view the cert and the key and
804 compare the numbers. To view the Certificate and the key run the
808 <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br>
809 <code><strong>$ openssl rsa -noout -text -in server.key</strong></code>
812 The `modulus' and the `public exponent' portions in the key and the
813 Certificate must match. But since the public exponent is usually 65537
814 and it's bothering comparing long modulus you can use the following
818 <code><strong>$ openssl x509 -noout -modulus -in server.crt | openssl md5</strong></code><br>
819 <code><strong>$ openssl rsa -noout -modulus -in server.key | openssl md5</strong></code>
822 And then compare these really shorter numbers. With overwhelming
823 probability they will differ if the keys are different. BTW, if I want to
824 check to which key or certificate a particular CSR belongs you can compute
827 <code><strong>$ openssl req -noout -modulus -in server.csr | openssl md5</strong></code>
829 <faq ref="keysize1" toc="Bad Certificate Error?">
830 What does it mean when my connections fail with an "alert bad certificate"
834 Usually when you see errors like ``<tt>OpenSSL: error:14094412: SSL
835 routines:SSL3_READ_BYTES:sslv3 alert bad certificate</tt>'' in the SSL
836 logfile, this means that the browser was unable to handle the server
837 certificate/private-key which perhaps contain a RSA-key not equal to 1024
838 bits. For instance Netscape Navigator 3.x is one of those browsers.
840 <faq ref="keysize2" toc="Why does a 2048-bit key not work?">
841 Why does my 2048-bit private key not work?
844 The private key sizes for SSL must be either 512 or 1024 for compatibility
845 with certain web browsers. A keysize of 1024 bits is recommended because
846 keys larger than 1024 bits are incompatible with some versions of Netscape
847 Navigator and Microsoft Internet Explorer, and with other browsers that
848 use RSA's BSAFE cryptography toolkit.
850 <faq ref="hash-symlinks" toc="Why is client auth broken?">
851 Why is client authentication broken after upgrading from
852 SSLeay version 0.8 to 0.9?
855 The CA certificates under the path you configured with
856 <code>SSLCACertificatePath</code> are found by SSLeay through hash
857 symlinks. These hash values are generated by the `<code>openssl x509 -noout
858 -hash</code>' command. But the algorithm used to calculate the hash for a
859 certificate has changed between SSLeay 0.8 and 0.9. So you have to remove
860 all old hash symlinks and re-create new ones after upgrading. Use the
861 <code>Makefile</code> mod_ssl placed into this directory.
863 <faq ref="pem-to-der" toc="How to convert from PEM to DER?">
864 How can I convert a certificate from PEM to DER format?
867 The default certificate format for SSLeay/OpenSSL is PEM, which actually
868 is Base64 encoded DER with header and footer lines. For some applications
869 (e.g. Microsoft Internet Explorer) you need the certificate in plain DER
870 format. You can convert a PEM file <code>cert.pem</code> into the
871 corresponding DER file <code>cert.der</code> with the following command:
873 <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code>
875 <faq ref="verisign-getca" toc="Verisign and the magic getca program?">
876 I try to install a Verisign certificate. Why can't I find neither the
877 <code>getca</code> nor <code>getverisign</code> programs Verisign mentions?
880 This is because Verisign has never provided specific instructions
881 for Apache+mod_ssl. Rather they tell you what you should do
882 if you were using C2Net's Stronghold (a commercial Apache
883 based server with SSL support). The only thing you have to do
884 is to save the certificate into a file and give the name of
885 that file to the <code>SSLCertificateFile</code> directive.
886 Remember that you need to give the key file in as well (see
887 <code>SSLCertificateKeyFile</code> directive). For a better
888 CA-related overview on SSL certificate fiddling you can look at <a
889 href="http://www.thawte.com/certs/server/keygen/mod_ssl.html">
890 Thawte's mod_ssl instructions</a>.
892 <faq ref="gid" toc="Global IDs or SGC?">
893 Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global
894 ID) also with mod_ssl?
897 Yes, mod_ssl since version 2.1 supports the SGC facility. You don't have
898 to configure anything special for this, just use a Global ID as your
899 server certificate. The <i>step up</i> of the clients are then
900 automatically handled by mod_ssl under run-time. For details please read
901 the <tt>README.GlobalID</tt> document in the mod_ssl distribution.
903 <faq ref="gid" toc="Global IDs and Cert Chain?">
904 After I have installed my new Verisign Global ID server certificate, the
905 browsers complain that they cannot verify the server certificate?
908 That is because Verisign uses an intermediate CA certificate between
909 the root CA certificate (which is installed in the browsers) and
910 the server certificate (which you installed in the server). You
911 should have received this additional CA certificate from Verisign.
912 If not, complain to them. Then configure this certificate with the
913 <code>SSLCertificateChainFile</code> directive in the server. This
914 makes sure the intermediate CA certificate is send to the browser
915 and this way fills the gap in the certificate chain.
921 <h2>About SSL Protocol</h2>
925 <faq ref="random-errors" toc="Random SSL errors under heavy load?">
926 Why do I get lots of random SSL protocol errors under heavy server load?
929 There can be a number of reasons for this, but the main one
930 is problems with the SSL session Cache specified by the
931 <tt>SSLSessionCache</tt> directive. The DBM session cache is most
932 likely the source of the problem, so trying the SHM session cache or
933 no cache at all may help.
935 <faq ref="load" toc="Why has the server a higher load?">
936 Why has my webserver a higher load now that I run SSL there?
939 Because SSL uses strong cryptographic encryption and this needs a lot of
940 number crunching. And because when you request a webpage via HTTPS even
941 the images are transfered encrypted. So, when you have a lot of HTTPS
942 traffic the load increases.
944 <faq ref="random" toc="Why are connections horribly slow?">
945 Often HTTPS connections to my server require up to 30 seconds for establishing
946 the connection, although sometimes it works faster?
949 Usually this is caused by using a <code>/dev/random</code> device for
950 <code>SSLRandomSeed</code> which is blocking in read(2) calls if not
951 enough entropy is available. Read more about this problem in the refernce
952 chapter under <code>SSLRandomSeed</code>.
954 <faq ref="ciphers" toc="Which ciphers are supported?">
955 What SSL Ciphers are supported by mod_ssl?
958 Usually just all SSL ciphers which are supported by the
959 version of OpenSSL in use (can depend on the way you built
960 OpenSSL). Typically this at least includes the following:
964 <li>RC4 with MD5 (export version restricted to 40-bit key)
966 <li>RC2 with MD5 (export version restricted to 40-bit key)
969 <li>Triple-DES with MD5
972 To determine the actual list of supported ciphers you can
973 run the following command:
975 <code><strong>$ openssl ciphers -v</strong></code><br>
977 <faq ref="cipher-adh" toc="How to use Anonymous-DH ciphers">
978 I want to use Anonymous Diffie-Hellman (ADH) ciphers, but I always get ``no
979 shared cipher'' errors?
982 In order to use Anonymous Diffie-Hellman (ADH) ciphers, it is not enough
983 to just put ``<code>ADH</code>'' into your <code>SSLCipherSuite</code>.
984 Additionally you have to build OpenSSL with
985 ``<code>-DSSL_ALLOW_ADH</code>''. Because per default OpenSSL does not
986 allow ADH ciphers for security reasons. So if you are actually enabling
987 these ciphers make sure you are informed about the side-effects.
989 <faq ref="cipher-shared" toc="Why do I get 'no shared ciphers'?">
990 I always just get a 'no shared ciphers' error if
991 I try to connect to my freshly installed server?
994 Either you have messed up your <code>SSLCipherSuite</code>
995 directive (compare it with the pre-configured example in
996 <code>httpd.conf-dist</code>) or you have choosen the DSA/DH
997 algorithms instead of RSA under "<code>make certificate</code>"
998 and ignored or overseen the warnings. Because if you have choosen
999 DSA/DH, then your server no longer speaks RSA-based SSL ciphers
1000 (at least not until you also configure an additional RSA-based
1001 certificate/key pair). But current browsers like NS or IE only speak
1002 RSA ciphers. The result is the "no shared ciphers" error. To fix
1003 this, regenerate your server certificate/key pair and this time
1004 choose the RSA algorithm.
1006 <faq ref="vhosts" toc="HTTPS and name-based vhosts">
1007 Why can't I use SSL with name-based/non-IP-based virtual hosts?
1010 The reason is very technical. Actually it's some sort of a chicken and
1011 egg problem: The SSL protocol layer stays below the HTTP protocol layer
1012 and encapsulates HTTP. When an SSL connection (HTTPS) is established
1013 Apache/mod_ssl has to negotiate the SSL protocol parameters with the
1014 client. For this mod_ssl has to consult the configuration of the virtual
1015 server (for instance it has to look for the cipher suite, the server
1016 certificate, etc.). But in order to dispatch to the correct virtual server
1017 Apache has to know the <code>Host</code> HTTP header field. For this the
1018 HTTP request header has to be read. This cannot be done before the SSL
1019 handshake is finished. But the information is already needed at the SSL
1020 handshake phase. Bingo!
1022 <faq ref="lock-icon" toc="The lock icon in Netscape locks very late">
1023 When I use Basic Authentication over HTTPS the lock icon in Netscape browsers
1024 still show the unlocked state when the dialog pops up. Does this mean the
1025 username/password is still transmitted unencrypted?
1028 No, the username/password is already transmitted encrypted. The icon in
1029 Netscape browsers is just not really synchronized with the SSL/TLS layer
1030 (it toggles to the locked state when the first part of the actual webpage
1031 data is transferred which is not quite correct) and this way confuses
1032 people. The Basic Authentication facility is part of the HTTP layer and
1033 this layer is above the SSL/TLS layer in HTTPS. And before any HTTP data
1034 communication takes place in HTTPS the SSL/TLS layer has already done the
1035 handshake phase and switched to encrypted communication. So, don't get
1036 confused by this icon.
1038 <faq ref="io-ie" toc="Why do I get I/O errors with MSIE clients?">
1039 When I connect via HTTPS to an Apache+mod_ssl+OpenSSL server with Microsoft Internet
1040 Explorer (MSIE) I get various I/O errors. What is the reason?
1043 The first reason is that the SSL implementation in some MSIE versions has
1044 some subtle bugs related to the HTTP keep-alive facility and the SSL close
1045 notify alerts on socket connection close. Additionally the interaction
1046 between SSL and HTTP/1.1 features are problematic with some MSIE versions,
1047 too. You've to work-around these problems by forcing
1048 Apache+mod_ssl+OpenSSL to not use HTTP/1.1, keep-alive connections or
1049 sending the SSL close notify messages to MSIE clients. This can be done by
1050 using the following directive in your SSL-aware virtual host section:
1053 SetEnvIf User-Agent ".*MSIE.*" \\
1054 <b>nokeepalive ssl-unclean-shutdown \\
1055 downgrade-1.0 force-response-1.0</b>\
1058 Additionally it is known some MSIE versions have also problems
1059 with particular ciphers. Unfortunately one cannot workaround these
1060 bugs only for those MSIE particular clients, because the ciphers
1061 are already used in the SSL handshake phase. So a MSIE-specific
1062 <tt>SetEnvIf</tt> doesn't work to solve these problems. Instead one
1063 has to do more drastic adjustments to the global parameters. But
1064 before you decide to do this, make sure your clients really have
1065 problems. If not, do not do this, because it affects all(!) your
1066 clients, i.e., also your non-MSIE clients.
1069 The next problem is that 56bit export versions of MSIE 5.x browsers have a
1070 broken SSLv3 implementation which badly interacts with OpenSSL versions
1071 greater than 0.9.4. You can either accept this and force your clients to
1072 upgrade their browsers, or you downgrade to OpenSSL 0.9.4 (hmmm), or you
1073 can decide to workaround it by accepting the drawback that your workaround
1074 will horribly affect also other browsers:
1077 SSLProtocol all <b>-SSLv3</b>\
1080 This completely disables the SSLv3 protocol and lets those browsers work.
1081 But usually this is an even less acceptable workaround. A more reasonable
1082 workaround is to address the problem more closely and disable only the
1083 ciphers which cause trouble.
1086 SSLCipherSuite ALL:!ADH:<b>!EXPORT56</b>:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP\
1089 This also lets the broken MSIE versions work, but only removes the
1090 newer 56bit TLS ciphers.
1093 Another problem with MSIE 5.x clients is that they refuse to connect to
1094 URLs of the form <tt>https://12.34.56.78/</tt> (IP-addresses are used
1095 instead of the hostname), if the server is using the Server Gated
1096 Cryptography (SGC) facility. This can only be avoided by using the fully
1097 qualified domain name (FQDN) of the website in hyperlinks instead, because
1098 MSIE 5.x has an error in the way it handles the SGC negotiation.
1101 And finally there are versions of MSIE which seem to require that
1102 an SSL session can be reused (a totally non standard-conforming
1103 behaviour, of course). Connection with those MSIE versions only work
1104 if a SSL session cache is used. So, as a work-around, make sure you
1105 are using a session cache (see <tt>SSLSessionCache</tt> directive).
1107 <faq ref="io-ns" toc="Why do I get I/O errors with NS clients?">
1108 When I connect via HTTPS to an Apache+mod_ssl server with Netscape Navigator I
1109 get I/O errors and the message "Netscape has encountered bad data from the
1110 server" What's the reason?
1113 The problem usually is that you had created a new server certificate with
1114 the same DN, but you had told your browser to accept forever the old
1115 server certificate. Once you clear the entry in your browser for the old
1116 certificate, everything usually will work fine. Netscape's SSL
1117 implementation is correct, so when you encounter I/O errors with Netscape
1118 Navigator it is most of the time caused by the configured certificates.
1124 <h2>About Support</h2>
1128 <faq ref="resources" toc="Resources in case of problems?">
1129 What information resources are available in case of mod_ssl problems?
1132 The following information resources are available.
1133 In case of problems you should search here first.
1137 <li><em>Answers in the User Manual's F.A.Q. List (this)</em><br>
1138 <a href="http://www.modssl.org/docs/2.8/ssl_faq.html">
1139 http://www.modssl.org/docs/2.8/ssl_faq.html</a><br>
1140 First look inside the F.A.Q. (this text), perhaps your problem is such
1141 popular that it was already answered a lot of times in the past.
1143 <li><em>Postings from the modssl-users Support Mailing List</em>
1144 <a href="http://www.modssl.org/support/">
1145 http://www.modssl.org/support/</a><br>
1146 Second search for your problem in one of the existing archives of the
1147 modssl-users mailing list. Perhaps your problem popped up at least once for
1150 <li><em>Problem Reports in the Bug Database</em>
1151 <a href="http://www.modssl.org/support/bugdb/">
1152 http://www.modssl.org/support/bugdb/</a><br>
1153 Third look inside the mod_ssl Bug Database. Perhaps
1154 someone else already has reported the problem.
1157 <faq ref="contact" toc="Support in case of problems?">
1158 What support contacts are available in case of mod_ssl problems?
1161 The following lists all support possibilities for mod_ssl, in order of
1162 preference, i.e. start in this order and do not pick the support possibility
1163 you just like most, please.
1167 <li><em>Write a Problem Report into the Bug Database</em><br>
1168 <a href="http://www.modssl.org/support/bugdb/">
1169 http://www.modssl.org/support/bugdb/</a><br>
1170 This is the preferred way of submitting your problem report, because this
1171 way it gets filed into the bug database (it cannot be lost) <em>and</em>
1172 send to the modssl-users mailing list (others see the current problems and
1173 learn from answers).
1175 <li><em>Write a Problem Report to the modssl-users Support Mailing List</em><br>
1176 <a href="mailto:modssl-users@modssl.org">
1177 modssl-users @ modssl.org</a><br>
1178 This is the second way of submitting your problem report. You have to
1179 subscribe to the list first, but then you can easily discuss your problem
1180 with both the author and the whole mod_ssl user community.
1182 <li><em>Write a Problem Report to the author</em><br>
1183 <a href="mailto:rse@engelschall.com">
1184 rse @ engelschall.com</a><br>
1185 This is the last way of submitting your problem report. Please avoid this
1186 in your own interest because the author is really a very busy men. Your
1187 mail will always be filed to one of his various mail-folders and is
1188 usually not processed as fast as a posting on modssl-users.
1191 <faq ref="report-details" toc="How to write a problem report?">
1192 What information and details I've to provide to
1193 the author when writing a bug report?
1196 You have to at least always provide the following information:
1200 <li><em>Apache, mod_ssl and OpenSSL version information</em><br>
1201 The mod_ssl version you should really know. For instance, it's the version
1202 number in the distribution tarball. The Apache version can be determined
1203 by running ``<code>httpd -v</code>''. The OpenSSL version can be
1204 determined by running ``<code>openssl version</code>''. Alternatively when
1205 you have Lynx installed you can run the command ``<code>lynx -mime_header
1206 http://localhost/ | grep Server</code>'' to determine all information in a
1209 <li><em>The details on how you built and installed Apache+mod_ssl+OpenSSL</em><br>
1210 For this you can provide a logfile of your terminal session which shows
1211 the configuration and install steps. Alternatively you can at least
1212 provide the author with the APACI `<code>configure</code>'' command line
1213 you used (assuming you used APACI, of course).
1216 <li><em>In case of core dumps please include a Backtrace</em><br>
1217 In case your Apache+mod_ssl+OpenSSL should really dumped core please attach
1218 a stack-frame ``backtrace'' (see the next question on how to get it).
1219 Without this information the reason for your core dump cannot be found.
1220 So you have to provide the backtrace, please.
1222 <li><em>A detailed description of your problem</em><br>
1223 Don't laugh, I'm totally serious. I already got a lot of problem reports
1224 where the people not really said what's the actual problem is. So, in your
1225 own interest (you want the problem be solved, don't you?) include as much
1226 details as possible, please. But start with the essentials first, of
1230 <faq ref="core-dumped" toc="I got a core dump, can you help me?">
1231 I got a core dump, can you help me?
1234 In general no, at least not unless you provide more details about the code
1235 location where Apache dumped core. What is usually always required in
1236 order to help you is a backtrace (see next question). Without this
1237 information it is mostly impossible to find the problem and help you in
1240 <faq ref="report-backtrace" toc="How to get a backtrace?">
1241 Ok, I got a core dump but how do I get a backtrace to find out the reason for it?
1244 Follow the following steps:
1248 <li>Make sure you have debugging symbols available in at least
1249 Apache and mod_ssl. On platforms where you use GCC/GDB you have to build
1250 Apache+mod_ssl with ``<code>OPTIM="-g -ggdb3"</code>'' to achieve this. On
1251 other platforms at least ``<code>OPTIM="-g"</code>'' is needed.
1253 <li>Startup the server and try to produce the core-dump. For this you perhaps
1254 want to use a directive like ``<code>CoreDumpDirectory /tmp</code>'' to
1255 make sure that the core-dump file can be written. You then should get a
1256 <code>/tmp/core</code> or <code>/tmp/httpd.core</code> file. When you
1257 don't get this, try to run your server under an UID != 0 (root), because
1258 most "current" kernels do not allow a process to dump core after it has
1259 done a <code>setuid()</code> (unless it does an <code>exec()</code>) for
1260 security reasons (there can be privileged information left over in
1261 memory). Additionally you can run ``<code>/path/to/httpd -X</code>''
1262 manually to force Apache to not fork.
1264 <li>Analyze the core-dump. For this run ``<code>gdb /path/to/httpd
1265 /tmp/httpd.core</code>'' or a similar command has to run. In GDB you then
1266 just have to enter the ``<code>bt</code>'' command and, voila, you get the
1267 backtrace. For other debuggers consult your local debugger manual. Send
1268 this backtrace to the author.