<div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs-project/">Documentation</a> > <a href="../">Version 2.1</a> > <a href="./">SSL/TLS</a></div><div id="page-content"><div id="preamble"><h1>SSL/TLS Strong Encryption: FAQ</h1>
+<div class="toplang">
+<p><span>Available Languages: </span><a href="../en/ssl/ssl_faq.html" title="English"> en </a></p>
+</div>
+
<blockquote>
<p>The wise man doesn't give the right answers,
he poses the right questions.</p>
</blockquote>
<p>This chapter is a collection of frequently asked questions (FAQ) and
corresponding answers following the popular USENET tradition. Most of these
-questions occured on the Newsgroup <code><a href="news:comp.infosystems.www.servers.unix">comp.infosystems.www.servers.unix</a></code> or the mod_ssl Support
+questions occurred on the Newsgroup <code><a href="news:comp.infosystems.www.servers.unix">comp.infosystems.www.servers.unix</a></code> or the mod_ssl Support
Mailing List <code><a href="mailto:modssl-users@modssl.org">modssl-users@modssl.org</a></code>. They are collected at this place
to avoid answering the same questions over and over.</p>
Laurie's development cycle it then was re-assembled from scratch for
Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL
1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The
- first publically released version was mod_ssl 2.0.0 from August 10th,
+ first publicly released version was mod_ssl 2.0.0 from August 10th,
1998. As of this writing (August 1999) the current mod_ssl version
is 2.4.0.</p>
<p>Additionally according to a <a href="http://www.apache.org/docs/misc/FAQ.html#year2000">Year 2000
statement</a> from the Apache Group, the Apache webserver is Year 2000
- compliant, too. But whether OpenSSL or the underlaying Operating System
+ compliant, too. But whether OpenSSL or the underlying Operating System
(either a Unix or Win32 platform) is Year 2000 compliant is a different
question which cannot be answered here.</p>
replaced the previous <dfn>CoCom</dfn> regime. 33 countries are signatories:
Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech Republic,
Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan,
- Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Republic
+ Luxembourg, the Netherlands, New Zealand, Norway, Poland, Portugal, Republic
of Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden,
- Switzerland, Turkey, Ukraine, United Kingdom and United States. For more
+ Switzerland, Turkey, Ukraine, the United Kingdom and the United States. For more
details look at <a href="http://www.wassenaar.org/">http://www.wassenaar.org/</a>.</p>
of the Wassenaar Agreement and its <q>List of Dual Use Goods and
Technologies And Munitions List</q>.</p>
-
- <p>Additionally the Wassenaar Agreement itself has no direct consequence for
- exporting cryptography software. What is actually allowed or forbidden to
- be exported from the countries has still to be defined in the local laws
- of each country. And at least according to official press releases from
- the German BMWi (see <a href="http://www.bmwi.de/presse/1998/1208prm2.html">here</a>) and the
- Switzerland Bawi (see <a href="http://jya.com/wass-ch.htm">here</a>) there
- will be no forthcoming export restriction for free cryptography software
- for their countries. Remember that mod_ssl is created in Germany and
- distributed from Switzerland.</p>
-
<p>So, mod_ssl and OpenSSL are not affected by the Wassenaar Agreement.</p>
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<li><a href="#coredump">Core dumps for HTTPS requests?</a></li>
<li><a href="#mutex">Permission problem on SSLMutex</a></li>
<li><a href="#mm">Shared memory and process size?</a></li>
-<li><a href="#mmpath">Shared memory and pathname?</a></li>
<li><a href="#entropy">PRNG and not enough entropy?</a></li>
</ul>
instance and not once per Apache server process.</p>
-<h3><a name="mmpath" id="mmpath">Apache creates files in a directory declared by the internal
-EAPI_MM_CORE_PATH define. Is there a way to override the path using a
-configuration directive?</a></h3>
-<p>No, there is not configuration directive, because for technical
- bootstrapping reasons, a directive not possible at all. Instead
- use ``<code>CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"'
- ./configure ...</code>'' when building Apache or use option
- <code>-d</code> when starting <code>httpd</code>.</p>
-
-
<h3><a name="entropy" id="entropy">When I fire up the server, mod_ssl stops with the error
"Failed to generate temporary 512 bit RSA private key", why?</a></h3>
<p>Cryptographic software needs a source of unpredictable data
</a>
</li>
</ol>
- <br />
+
Second you can use your own CA and now have to sign the CSR yourself by
this CA. Read the next answer in this FAQ on how to sign a CSR with
your CA yourself.
that file to the <code>SSLCertificateFile</code> directive.
Remember that you need to give the key file in as well (see
<code>SSLCertificateKeyFile</code> directive). For a better
- CA-related overview on SSL certificate fiddling you can look at <a href="http://www.thawte.com/certs/server/keygen/mod_ssl.html">Thawte's mod_ssl instructions</a>.</p>
+ CA-related overview on SSL certificate fiddling you can look at <a href="http://www.thawte.com/html/SUPPORT/server/softwaredocs/modssl.html">Thawte's mod_ssl instructions</a>.</p>
<h3><a name="sgc" id="sgc">Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global
<li><a href="#adh">How to use Anonymous-DH ciphers</a></li>
<li><a href="#sharedciphers">Why do I get 'no shared ciphers'?</a></li>
<li><a href="#vhosts">HTTPS and name-based vhosts</a></li>
+<li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual
+Hosting to identify different SSL virtual hosts?</a></li>
<li><a href="#lockicon">The lock icon in Netscape locks very late</a></li>
<li><a href="#msie">Why do I get I/O errors with MSIE clients?</a></li>
<li><a href="#nn">Why do I get I/O errors with NS clients?</a></li>
<h3><a name="load" id="load">Why has my webserver a higher load now that I run SSL there?</a></h3>
<p>Because SSL uses strong cryptographic encryption and this needs a lot of
number crunching. And because when you request a webpage via HTTPS even
- the images are transfered encrypted. So, when you have a lot of HTTPS
+ the images are transferred encrypted. So, when you have a lot of HTTPS
traffic the load increases.</p>
the connection, although sometimes it works faster?</a></h3>
<p>Usually this is caused by using a <code>/dev/random</code> device for
<code>SSLRandomSeed</code> which is blocking in read(2) calls if not
- enough entropy is available. Read more about this problem in the refernce
+ enough entropy is available. Read more about this problem in the reference
chapter under <code>SSLRandomSeed</code>.</p>
I try to connect to my freshly installed server?</a></h3>
<p>Either you have messed up your <code>SSLCipherSuite</code>
directive (compare it with the pre-configured example in
- <code>httpd.conf-dist</code>) or you have choosen the DSA/DH
+ <code>httpd.conf-dist</code>) or you have chosen the DSA/DH
algorithms instead of RSA when you generated your private key
- and ignored or overlooked the warnings. If you have choosen
+ and ignored or overlooked the warnings. If you have chosen
DSA/DH, then your server no longer speaks RSA-based SSL ciphers
(at least not until you also configure an additional RSA-based
certificate/key pair). But current browsers like NS or IE only speak
handshake phase. Bingo!</p>
+<h3><a name="vhosts2" id="vhosts2">Why is it not possible to use Name-Based
+Virtual Hosting to identify different SSL virtual hosts?</a></h3>
+ <p>Name-Based Virtual Hosting is a very popular method of identifying
+ different virtual hosts. It allows you to use the same IP address and
+ the same port number for many different sites. When people move on to
+ SSL, it seems natural to assume that the same method can be used to have
+ lots of different SSL virtual hosts on the same server.</p>
+
+ <p>It comes as rather a shock to learn that it is impossible.</p>
+
+ <p>The reason is that the SSL protocol is a separate layer which
+ encapsulates the HTTP protocol. So the problem is that the SSL session
+ is a separate transaction that takes place before the HTTP session even
+ starts. Therefore all the server receives is an SSL request on IP
+ address X and port Y (usually 443). Since the SSL request does not
+ contain any Host: field, the server has no way to decide which SSL
+ virtual host to use. Usually, it will just use the first one it finds
+ that matches the port and IP address.</p>
+
+ <p>You can, of course, use Name-Based Virtual Hosting to identify many
+ non-SSL virtual hosts (all on port 80, for example) and then you can
+ have no more than 1 SSL virtual host (on port 443). But if you do this,
+ you must make sure to put the non-SSL port number on the NameVirtualHost
+ directive, e.g.</p>
+
+ <div class="example"><p><code>
+ NameVirtualHost 192.168.1.1:80
+ </code></p></div>
+
+ <p>Other workaround solutions are: </p>
+
+ <p>Use separate IP addresses for different SSL hosts.
+ Use different port numbers for different SSL hosts.</p>
+
+
<h3><a name="lockicon" id="lockicon">When I use Basic Authentication over HTTPS the lock icon in Netscape browsers
still shows the unlocked state when the dialog pops up. Does this mean the
username/password is still transmitted unencrypted?</a></h3>
popular that it was already answered a lot of times in the past.
</dd>
<dt>Postings from the modssl-users Support Mailing List
- <a href="http://www.modssl.org/support/">
- http://www.modssl.org/support/</a></dt>
+ <a href="http://www.modssl.org/support/">http://www.modssl.org/support/</a></dt>
<dd>Second search for your problem in one of the existing archives of the
modssl-users mailing list. Perhaps your problem popped up at least once for
another user, too.
</dd>
- <dt>Problem Reports in the Bug Database
- <a href="http://www.modssl.org/support/bugdb/">
- http://www.modssl.org/support/bugdb/</a></dt>
- <dd>Third look inside the mod_ssl Bug Database. Perhaps
- someone else already has reported the problem.
- </dd>
-
</dl>
</ol>
</div></div>
-<div id="footer">
+<div class="bottomlang">
+<p><span>Available Languages: </span><a href="../en/ssl/ssl_faq.html" title="English"> en </a></p>
+</div><div id="footer">
<p class="apache">Maintained by the <a href="http://httpd.apache.org/docs-project/">Apache HTTP Server Documentation Project</a></p>
<p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>
</body></html>
\ No newline at end of file