vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Setting which addresses and ports Apache
+ <h1 align="center">Setting which addresses and ports Apache
uses</h1>
<p>When Apache starts, it connects to some port and address on
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">PATH_INFO Changes in the CGI
+ <h1 align="center">PATH_INFO Changes in the CGI
Environment</h1>
<hr />
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-
-<html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta name="generator" content="HTML Tidy, see www.w3.org" />
-
- <title>Configuration Files</title>
- </head>
- <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
-
- <body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
- vlink="#000080" alink="#FF0000">
- <!--#include virtual="header.html" -->
-
- <h1 align="CENTER">Configuration Files</h1>
-
- <ul>
- <li><a href="#main">Main Configuration Files</a></li>
-
- <li><a href="#syntax">Syntax of the Configuration
- Files</a></li>
-
- <li><a href="#modules">Modules</a></li>
-
- <li><a href="#scope">Scope of Directives</a></li>
-
- <li><a href="#htaccess">.htaccess Files</a></li>
- </ul>
- <hr />
-
- <h2><a id="main" name="main">Main Configuration Files</a></h2>
-
- <table border="1">
- <tr>
- <td valign="top"><strong>Related Modules</strong><br />
- <br />
- <a href="mod/mod_mime.html">mod_mime</a><br />
- </td>
-
- <td valign="top"><strong>Related Directives</strong><br />
- <br />
- <a
- href="mod/core.html#ifdefine"><IfDefine></a><br />
- <a href="mod/core.html#include">Include</a><br />
- <a
- href="mod/mod_mime.html#typesconfig">TypesConfig</a><br />
- </td>
- </tr>
- </table>
-
- <p>Apache is configured by placing <a
- href="mod/directives.html">directives</a> in plain text
+<html xmlns="http://www.w3.org/TR/xhtml1/strict"><head><!--
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ This file is generated from xml source: DO NOT EDIT
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+ --><title>Configuration Files- Apache HTTP Server</title><link href="./style/manual.css" type="text/css" rel="stylesheet"/></head><body><blockquote><div align="center"><img src="./images/sub.gif" alt="[APACHE DOCUMENTATION]"/><h3>Apache HTTP Server Version 2.0</h3></div><h1 align="center">Apache Module
+ Configuration Files</h1>
+<p>This document describes the files used to configure the Apache
+HTTP server.</p>
+<ul><li><a href="#main">Main Configuration Files</a></li><li><a href="#syntax">Syntax of the Configuration Files</a></li><li><a href="#modules">Modules</a></li><li><a href="#scope">Scope of Directives</a></li><li><a href="#htaccess">.htaccess Files</a></li></ul><hr/><h2><a name="main">Main Configuration Files</a></h2>
+
+ <table border="1"><tr><td valign="top"><strong>Related Modules</strong><br/><br/><code><a href="./mod/mod_mime.html">mod_mime</a></code><br/></td><td valign="top"><strong>Related Directives</strong><br/><br/><a href="./mod/core.html#ifdefine" class="directive"><code class="directive"><IfDefine></code></a><br/><a href="./mod/core.html#include" class="directive"><code class="directive">Include</code></a><br/><a href="./mod/mod_mime.html#typesconfig" class="directive"><code class="directive">TypesConfig</code></a><br/></td></tr></table>
+
+ <p>Apache is configured by placing <a href="mod/directives.html">directives</a> in plain text
configuration files. The main configuration file is usually
called <code>httpd.conf</code>. The location of this file is
set at compile-time, but may be overridden with the
<code>-f</code> command line flag. In addition, other
- configuration files may be added using the <code><a
- href="mod/core.html#include">Include</a></code> directive. Any
+ configuration files may be added using the <a href="./mod/core.html#include" class="directive"><code class="directive">Include</code></a> directive. Any
directive may be placed in any of these configuration files.
Changes to the main configuration files are only recognized by
Apache when it is started or restarted.</p>
makes automating such processes much easier.</p>
<p>The server also reads a file containing mime document types;
- the filename is set by the <a
- href="mod/mod_mime.html#typesconfig">TypesConfig</a> directive,
+ the filename is set by the <a href="./mod/mod_mime.html#typesconfig" class="directive"><code class="directive">TypesConfig</code></a> directive,
and is <code>mime.types</code> by default.</p>
- <hr />
-
- <h2><a id="syntax" name="syntax">Syntax of the Configuration
- Files</a></h2>
+ <h2><a name="syntax">Syntax of the Configuration Files</a></h2>
+
<p>Apache configuration files contain one directive per line.
The back-slash "\" may be used as the last character on a line
without starting the server by using <code>apachectl
configtest</code> or the <code>-t</code> command line
option.</p>
- <hr />
-
- <h2><a id="modules" name="modules">Modules</a></h2>
-
- <table border="1">
- <tr>
- <td valign="top"><strong>Related Modules</strong><br />
- <br />
- <a href="mod/mod_so.html">mod_so</a><br />
- </td>
-
- <td valign="top"><strong>Related Directives</strong><br />
- <br />
- <a href="mod/core.html#addmodule">AddModule</a><br />
- <a
- href="mod/core.html#clearmodulelist">ClearModuleList</a><br />
- <a
- href="mod/core.html#ifmodule"><IfModule></a><br />
- <a href="mod/mod_so.html#loadmodule">LoadModule</a><br />
- </td>
- </tr>
- </table>
+ <h2><a name="modules">Modules</a></h2>
+
+
+ <table border="1"><tr><td valign="top"><strong>Related Modules</strong><br/><br/><code><a href="./mod/mod_so.html">mod_so</a></code><br/></td><td valign="top"><strong>Related Directives</strong><br/><br/><a href="./mod/core.html#addmodule" class="directive"><code class="directive">AddModule</code></a><br/><a href="./mod/core.html#clearmodulelist" class="directive"><code class="directive">ClearModuleList</code></a><br/><a href="./mod/core.html#ifmodule" class="directive"><code class="directive"><IfModule></code></a><br/><a href="./mod/mod_so.html#loadmodule" class="directive"><code class="directive">LoadModule</code></a><br/></td></tr></table>
<p>Apache is a modular server. This implies that only the most
basic functionality is included in the core server. Extended
- features are available through <a
- href="mod/index-bytype.html">modules</a> which can be loaded
- into Apache. By default, a <a
- href="mod/module-dict.html#Status">base</a> set of modules is
+ features are available through <a href="mod/index-bytype.html">modules</a> which can be loaded
+ into Apache. By default, a <a href="mod/module-dict.html#Status">base</a> set of modules is
included in the server at compile-time. If the server is
compiled to use <a href="dso.html">dynamically loaded</a>
modules, then modules can be compiled separately and added at
- any time using the <a
- href="mod/mod_so.html#loadmodule">LoadModule</a> directive.
+ any time using the <a href="./mod/mod_so.html#loadmodule" class="directive"><code class="directive">LoadModule</code></a>
+ directive.
Otherwise, Apache must be recompiled to add or remove modules.
Configuration directives may be included conditional on a
- presence of a particular module by enclosing them in an <a
- href="mod/core.html#ifmodule"><IfModule></a> block.</p>
+ presence of a particular module by enclosing them in an<a href="./mod/core.html#ifmodule" class="directive"><code class="directive"><IfModule></code></a> block.</p>
<p>To see which modules are currently compiled into the server,
you can use the <code>-l</code> command line option.</p>
- <hr />
-
- <h2><a id="scope" name="scope">Scope of Directives</a></h2>
-
- <table border="1">
- <tr>
- <td valign="top"><strong>Related Directives</strong><br />
- <br />
- <a
- href="mod/core.html#directory"><Directory></a><br />
- <a
- href="mod/core.html#directorymatch"><DirectoryMatch></a><br />
- <a href="mod/core.html#files"><Files></a><br />
- <a
- href="mod/core.html#filesmatch"><FilesMatch></a><br />
- <a
- href="mod/core.html#location"><Location></a><br />
- <a
- href="mod/core.html#locationmatch"><LocationMatch></a><br />
- <a
- href="mod/core.html#virtualhost"><VirtualHost></a><br />
- </td>
- </tr>
- </table>
+ <h2><a name="scope">Scope of Directives</a></h2>
+
+
+ <table border="1"><tr><td valign="top"><strong>Related Modules</strong><br/><br/></td><td valign="top"><strong>Related Directives</strong><br/><br/><a href="./mod/core.html#directory" class="directive"><code class="directive"><Directory></code></a><br/><a href="./mod/core.html#directorymatch" class="directive"><code class="directive"><DirectoryMatch></code></a><br/><a href="./mod/core.html#files" class="directive"><code class="directive"><Files></code></a><br/><a href="./mod/core.html#filesmatch" class="directive"><code class="directive"><FilesMatch></code></a><br/><a href="./mod/core.html#location" class="directive"><code class="directive"><Location></code></a><br/><a href="./mod/core.html#locationmatch" class="directive"><code class="directive"><LocationMatch></code></a><br/><a href="./mod/core.html#virtualhost" class="directive"><code class="directive"><VirtualHost></code></a><br/></td></tr></table>
<p>Directives placed in the main configuration files apply to
the entire server. If you wish to change the configuration for
only a part of the server, you can scope your directives by
- placing them in <code><a
- href="mod/core.html#directory"><Directory></a>, <a
- href="mod/core.html#directorymatch"><DirectoryMatch></a>,
- <a href="mod/core.html#files"><Files></a>, <a
- href="mod/core.html#filesmatch"><FilesMatch></a>, <a
- href="mod/core.html#location"><Location></a>,</code> and
- <code><a
- href="mod/core.html#locationmatch"><LocationMatch></a></code>
+ placing them in <a href="./mod/core.html#directory" class="directive"><code class="directive"><Directory></code></a>, <a href="./mod/core.html#directorymatch" class="directive"><code class="directive"><DirectoryMatch></code></a>, <a href="./mod/core.html#files" class="directive"><code class="directive"><Files></code></a>, <a href="./mod/core.html#filesmatch" class="directive"><code class="directive"><FilesMatch></code></a>, <a href="./mod/core.html#location" class="directive"><code class="directive"><Location></code></a>, and <a href="./mod/core.html#locationmatch" class="directive"><code class="directive"><LocationMatch></code></a>
sections. These sections limit the application of the
directives which they enclose to particular filesystem
locations or URLs. They can also be nested, allowing for very
<p>Apache has the capability to serve many different websites
simultaneously. This is called <a href="vhosts/">Virtual
Hosting</a>. Directives can also be scoped by placing them
- inside <code><a
- href="mod/core.html#virtualhost"><VirtualHost></a></code>
+ inside <a href="./mod/core.html#virtualhost" class="directive"><code class="directive"><VirtualHost></code></a>
sections, so that they will only apply to requests for a
particular website.</p>
sections, some directives do not make sense in some contexts.
For example, directives controlling process creation can only
be placed in the main server context. To find which directives
- can be placed in which sections, check the <a
- href="mod/directive-dict.html#Context">Context</a> of the
- directive. For further information, we provide details on <a
- href="sections.html">How Directory, Location and Files sections
+ can be placed in which sections, check the <a href="mod/directive-dict.html#Context">Context</a> of the
+ directive. For further information, we provide details on <a href="sections.html">How Directory, Location and Files sections
work</a>.</p>
- <hr />
-
- <h2><a id="htaccess" name="htaccess">.htaccess Files</a></h2>
-
- <table border="1">
- <tr>
- <td valign="top"><strong>Related Directives</strong><br />
- <br />
- <a
- href="mod/core.html#accessfilename">AccessFileName</a><br />
- <a
- href="mod/core.html#allowoverride">AllowOverride</a><br />
- </td>
- </tr>
- </table>
+ <h2><a name="htaccess">.htaccess Files</a></h2>
+
+
+ <table border="1"><tr><td valign="top"><strong>Related Modules</strong><br/><br/></td><td valign="top"><strong>Related Directives</strong><br/><br/><a href="./mod/core.html#accessfilename" class="directive"><code class="directive">AccessFileName</code></a><br/><a href="./mod/core.html#allowoverride" class="directive"><code class="directive">AllowOverride</code></a><br/></td></tr></table>
<p>Apache allows for decentralized management of configuration
via special files placed inside the web tree. The special files
are usually called <code>.htaccess</code>, but any name can be
- specified in the <a
- href="mod/core.html#accessfilename"><code>AccessFileName</code></a>
+ specified in the <a href="./mod/core.html#accessfilename" class="directive"><code class="directive">AccessFileName</code></a>
directive. Directives placed in <code>.htaccess</code> files
apply to the directory where you place the file, and all
sub-directories. The <code>.htaccess</code> files follow the
made in these files take immediate effect.</p>
<p>To find which directives can be placed in
- <code>.htaccess</code> files, check the <a
- href="mod/directive-dict.html#Context">Context</a> of the
+ <code>.htaccess</code> files, check the <a href="mod/directive-dict.html#Context">Context</a> of the
directive. The server administrator further controls what
directives may be placed in <code>.htaccess</code> files by
- configuring the <a
- href="mod/core.html#allowoverride"><code>AllowOverride</code></a>
+ configuring the <a href="./mod/core.html#allowoverride" class="directive"><code class="directive">AllowOverride</code></a>
directive in the main configuration files.</p>
<p>For more information on <code>.htaccess</code> files, see
- Ken Coar's tutorial on <a
- href="http://apache-server.com/tutorials/ATusing-htaccess.html">
+ Ken Coar's tutorial on <a href="http://apache-server.com/tutorials/ATusing-htaccess.html">
Using .htaccess Files with Apache</a>.</p>
- <!--#include virtual="footer.html" -->
- </body>
-</html>
-
+ </blockquote><h3 align="center">Apache HTTP Server Version 2.0</h3><a href="./"><img src="./images/index.gif" alt="Index"/></a><a href="./"><img src="./images/home.gif" alt="Home"/></a></body></html>
\ No newline at end of file
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Content Negotiation</h1>
+ <h1 align="center">Content Negotiation</h1>
<p>Apache's supports content negotiation as described in
the HTTP/1.1 specification. It can choose the best
<tt>CacheNegotiatedDocs</tt> can be used to allow caching of
responses which were subject to negotiation. This directive can
be given in the server config or virtual host, and takes no
- arguments. It has no effect on requests from HTTP/1.1 clients.
+ arguments. It has no effect on requests from HTTP/1.1 clients.</p>
<h2>More Information</h2>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Custom error responses</h1>
+ <h1 align="center">Custom error responses</h1>
<dl>
<dt>Purpose</dt>
relevant, but please use it with care.
</blockquote>
- <h1 align="CENTER">Apache API notes</h1>
+ <h1 align="center">Apache API notes</h1>
These are some notes on the Apache API and the data structures
you have to deal with, <em>etc.</em> They are not yet nearly
complete, but hopefully, they will help you get your bearings.
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Debugging Memory Allocation in APR<br />
+ <h1 align="center">Debugging Memory Allocation in APR<br />
</h1>
<p>The allocation mechanism's within APR have a number of
* @package Name of library header
*/
</pre>
-<pre>
<br />
+<pre>
ScanDoc uses a new html file for each package. The html files are named
{Name_of_library_header}.html, so try to be concise with your names.
-
-<!--#include virtual="footer.html" -->
</pre>
+ <!--#include virtual="footer.html" -->
</body>
</html>
<hr />
- <h3 align="CENTER">Apache HTTP Server Version 2.0</h3>
+ <h3 align="center">Apache HTTP Server Version 2.0</h3>
<a href="./"><img src="../images/index.gif" alt="Index" /></a>
<a href="../"><img src="../images/home.gif" alt="Home" /></a>
- <div align="CENTER">
+ <div align="center">
<img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" />
<h3>Apache HTTP Server Version 2.0</h3>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">From Apache 1.3 to Apache 2.0<br />
+ <h1 align="center">From Apache 1.3 to Apache 2.0<br />
Modules</h1>
<p>This is a first attempt at writing the lessons I learned
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Issues Regarding DNS and Apache</h1>
+ <h1 align="center">Issues Regarding DNS and Apache</h1>
<p>This page could be summarized with the statement: <em>don't
require Apache to use DNS for any parsing of the configuration
a webserver has no requirement to do DNS lookups during
configuration. But as of March 1997 these features have not
been deployed widely enough to be put into use on critical
- webservers. <!--#include virtual="footer.html" -->
- </p>
+ webservers.</p>
+ <!--#include virtual="footer.html" -->
</body>
</html>
relevant, but please use it with care.
</blockquote>
- <h1 align="CENTER">Overview of the Apache EBCDIC Port</h1>
+ <h1 align="center">Overview of the Apache EBCDIC Port</h1>
<p>Version 1.3 of the Apache HTTP Server is the first version
which includes a port to a (non-ASCII) mainframe machine which
<p>This document serves as a rationale to describe some of the
design decisions of the port to this machine.</p>
- <h2 align="CENTER">Design Goals</h2>
+ <h2 align="center">Design Goals</h2>
<p>One objective of the EBCDIC port was to maintain enough
backwards compatibility with the (EBCDIC) CERN server to make
problem by defining an "ebcdic-handler" for all documents which
must be converted.</p>
- <h2 align="CENTER">Technical Solution</h2>
+ <h2 align="center">Technical Solution</h2>
<p>Since all Apache input and output is based upon the BUFF
data type and its methods, the easiest solution was to add the
<br />
- <h2 align="CENTER">Porting Notes</h2>
+ <h2 align="center">Porting Notes</h2>
<ol>
<li>
<br />
- <h2 align="CENTER">Document Storage Notes</h2>
+ <h2 align="center">Document Storage Notes</h2>
- <h3 align="CENTER">Binary Files</h3>
+ <h3 align="center">Binary Files</h3>
<p>All files with a <samp>Content-Type:</samp> which does not
start with <samp>text/</samp> are regarded as <em>binary
<samp>rcp -b</samp> command from the mainframe host (the
-b switch is not supported in unix rcp's).</p>
- <h3 align="CENTER">Text Documents</h3>
+ <h3 align="center">Text Documents</h3>
<p>The default assumption of the server is that Text Files
(<em>i.e.</em>, all files whose <samp>Content-Type:</samp>
starts with <samp>text/</samp>) are stored in the native
character set of the host, EBCDIC.</p>
- <h3 align="CENTER">Server Side Included Documents</h3>
+ <h3 align="center">Server Side Included Documents</h3>
<p>SSI documents must currently be stored in EBCDIC only. No
provision is made to convert it from ASCII before
processing.</p>
- <h2 align="CENTER">Apache Modules' Status</h2>
+ <h2 align="center">Apache Modules' Status</h2>
- <table border="1" align="middle">
+ <table border="1" align="center">
<tr>
<th>Module</th>
</tr>
<tr>
- <td align="LEFT">http_core</td>
+ <td align="left">http_core</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_access</td>
+ <td align="left">mod_access</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_actions</td>
+ <td align="left">mod_actions</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_alias</td>
+ <td align="left">mod_alias</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_asis</td>
+ <td align="left">mod_asis</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_auth</td>
+ <td align="left">mod_auth</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_auth_anon</td>
+ <td align="left">mod_auth_anon</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_auth_dbm</td>
+ <td align="left">mod_auth_dbm</td>
- <td align="CENTER">?</td>
+ <td align="center">?</td>
<td>with own libdb.a</td>
</tr>
<tr>
- <td align="LEFT">mod_autoindex</td>
+ <td align="left">mod_autoindex</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_cern_meta</td>
+ <td align="left">mod_cern_meta</td>
- <td align="CENTER">?</td>
+ <td align="center">?</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_cgi</td>
+ <td align="left">mod_cgi</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_digest</td>
+ <td align="left">mod_digest</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_dir</td>
+ <td align="left">mod_dir</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_so</td>
+ <td align="left">mod_so</td>
- <td align="CENTER">-</td>
+ <td align="center">-</td>
<td>no shared libs</td>
</tr>
<tr>
- <td align="LEFT">mod_env</td>
+ <td align="left">mod_env</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_example</td>
+ <td align="left">mod_example</td>
- <td align="CENTER">-</td>
+ <td align="center">-</td>
<td>(test bed only)</td>
</tr>
<tr>
- <td align="LEFT">mod_expires</td>
+ <td align="left">mod_expires</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_headers</td>
+ <td align="left">mod_headers</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_imap</td>
+ <td align="left">mod_imap</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_include</td>
+ <td align="left">mod_include</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_info</td>
+ <td align="left">mod_info</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_log_agent</td>
+ <td align="left">mod_log_agent</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_log_config</td>
+ <td align="left">mod_log_config</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_log_referer</td>
+ <td align="left">mod_log_referer</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_mime</td>
+ <td align="left">mod_mime</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_mime_magic</td>
+ <td align="left">mod_mime_magic</td>
- <td align="CENTER">?</td>
+ <td align="center">?</td>
<td>not ported yet</td>
</tr>
<tr>
- <td align="LEFT">mod_negotiation</td>
+ <td align="left">mod_negotiation</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_proxy</td>
+ <td align="left">mod_proxy</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_rewrite</td>
+ <td align="left">mod_rewrite</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>untested</td>
</tr>
<tr>
- <td align="LEFT">mod_setenvif</td>
+ <td align="left">mod_setenvif</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_speling</td>
+ <td align="left">mod_speling</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_status</td>
+ <td align="left">mod_status</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_unique_id</td>
+ <td align="left">mod_unique_id</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_userdir</td>
+ <td align="left">mod_userdir</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>
</td>
</tr>
<tr>
- <td align="LEFT">mod_usertrack</td>
+ <td align="left">mod_usertrack</td>
- <td align="CENTER">?</td>
+ <td align="center">?</td>
<td>untested</td>
</tr>
</table>
- <h2 align="CENTER">Third Party Modules' Status</h2>
+ <h2 align="center">Third Party Modules' Status</h2>
- <table border="1" align="middle">
+ <table border="1" align="center">
<tr>
<th>Module</th>
</tr>
<tr>
href="http://java.apache.org/">mod_jserv</a> </td>
- <td align="CENTER">-</td>
+ <td align="center">-</td>
<td>JAVA still being ported.</td>
</tr>
<tr>
- <td align="
LEFT"><a href="http://www.php.net/">mod_php3</a>
+ <td align="
left"><a href="http://www.php.net/">mod_php3</a>
</td>
- <td align="CENTER">+</td>
+ <td align="center">+</td>
<td>mod_php3 runs fine, with LDAP and GD and FreeType
libraries</td>
</tr>
<tr>
href="http://hpwww.ec-lyon.fr/~vincent/apache/mod_put.html">
mod_put</a> </td>
- <td align="CENTER">?</td>
+ <td align="center">?</td>
<td>untested</td>
</tr>
<tr>
href="ftp://hachiman.vidya.com/pub/apache/">mod_session</a>
</td>
- <td align="CENTER">-</td>
+ <td align="center">-</td>
<td>untested</td>
</tr>
<hr />
- <h3 align="CENTER">Apache HTTP Server Version 2.0</h3>
+ <h3 align="center">Apache HTTP Server Version 2.0</h3>
<a href="./"><img src="../images/index.gif" alt="Index" /></a>
<a href="../"><img src="../images/home.gif" alt="Home" /></a>
- <div align="CENTER">
+ <div align="center">
<img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" />
<h3>Apache HTTP Server Version 2.0</h3>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Frequently Asked Questions</h1>
+ <h1 align="center">Frequently Asked Questions</h1>
<p>The latest version of this FAQ is always available from the
main Apache web site, at <<a
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Frequently Asked Questions</h1>
+ <h1 align="center">Frequently Asked Questions</h1>
<!--#endif -->
<h2><a id="support.html" name="support.html">Support</a></h2>
href="http://groups.google.com/groups?group=comp.infosystems.www.authoring.cgi">
google</a>]</li>
</ul>
+ </li>
<li>
<strong>If all else fails, report the problem in the bug
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Filters</h1>
+ <h1 align="center">Filters</h1>
<table border="1">
<tr>
<hr />
- <h3 align="CENTER">Apache HTTP Server Version 2.0</h3>
+ <h3 align="center">Apache HTTP Server Version 2.0</h3>
<a href="./"><img src="images/index.gif" alt="Index" /></a>
<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
-<h1 align="CENTER">Glossary</h1>
+<h1 align="center">Glossary</h1>
resolve to an IP address. For example, <code>www</code> is a hostname,
<code>whatever.com</code> is a domain name, and
<code>www.whatever.com</code> is a fully-qualified domain name.<br
-/><br /></dt>
+/><br /></dd>
<dt><a name="handler">Handler</a></dt> <dd>An internal Apache
representation of the action to be performed when a file is
<dd>The unencrypted text.<br /><br /></dd>
<dt><a name="privatekey">Private Key</a></dt> <dd>The secret key in a
-<a name="#publickeycryptography">Public Key Cryptography</a> system,
+<a name="publickeycryptography">Public Key Cryptography</a> system,
used to decrypt incoming messages and sign outgoing ones.<br />
See: <a href="ssl/">SSL/TLS Encryption</a><br /><br /></dd>
client. If several clients request the same content, the proxy
can deliver that content from its cache, rather than requesting it
from the origin server each time, thereby reducing response time.<br />
-See: <a href="mod/mod_proxy.html">mod_proxy</a><br /><br /></dt>
+See: <a href="mod/mod_proxy.html">mod_proxy</a><br /><br /></dd>
<dt><a name="publickey">Public Key</a></dt> <dd>The publically
-available key in a <a name="#publickeycryptography">Public Key
+available key in a <a name="publickeycryptography">Public Key
Cryptography</a> system, used to encrypt messages bound for its owner
and to decrypt signatures made by its owner.<br />
See: <a href="ssl/">SSL/TLS Encryption</a><br /><br /></dd>
href="#proxy">proxy</a> server that appears to the client as if it is
an <em>origin server</em>. This is useful to hide the real origin
server from the client for security reasons, or to load balance.<br
-/><br /></dt>
+/><br /></dd>
<dt><a name="securesocketslayer">Secure Sockets Layer</a> <a
name="ssl">(SSL)</a></dt> <dd>A protocol created by Netscape
<dt><a name="x.509">X.509</a></dt> <dd>An authentication certificate
scheme recommended by the International Telecommunication Union
-(ITU-T) which is used for SSL/TLS authentication.<br > See: <a
+(ITU-T) which is used for SSL/TLS authentication.<br
/> See: <a
href="ssl/">SSL/TLS Encryption</a><br /><br /></dd>
</dl>
-<p><!--#include virtual="footer.html" --> </p>
+<!--#include virtual="footer.html" -->
</body>
</html>
\ No newline at end of file
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Apache's Handler Use</h1>
+ <h1 align="center">Apache's Handler Use</h1>
<ul>
<li><a href="#definition">What is a Handler</a></li>
- <div align="CENTER">
+ <div align="center">
<img src="images/sub.gif" alt="[APACHE DOCUMENTATION]" />
<h3>Apache HTTP Server Version 2.0</h3>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Dynamic Content with CGI</h1>
+ <h1 align="center">Dynamic Content with CGI</h1>
<a id="__index__" name="__index__"></a> <!-- INDEX BEGIN -->
<hr />
- <h3 align="CENTER">Apache HTTP Server Version 2.0</h3>
+ <h3 align="center">Apache HTTP Server Version 2.0</h3>
<a href="./"><img src="../images/index.gif" alt="Index" /></a>
<a href="../"><img src="../images/home.gif" alt="Home" /></a>
- <div align="CENTER">
+ <div align="center">
<img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" />
<h3>Apache HTTP Server Version 2.0</h3>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Apache Tutorial: Introduction to Server Side
+ <h1 align="center">Apache Tutorial: Introduction to Server Side
Includes</h1>
<a id="__index__" name="__index__"></a> <!-- INDEX BEGIN -->
<a href="#basicssidirectives">Basic SSI directives</a>
<ul>
- <li><a href="#today'sdate">Today's date</a></li>
+ <li><a href="#todaysdate">Today's date</a></li>
<li><a href="#modificationdateofthefile">Modification
date of the file</a></li>
series. For now, here are some examples of what you can do with
SSI</p>
- <h3><a id="today'sdate" name="today'sdate">Today's
+ <h3><a id="todaysdate" name="todaysdate">Today's
date</a></h3>
<pre>
<!--#echo var="DATE_LOCAL" -->
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Compiling and Installing</h1>
+ <h1 align="center">Compiling and Installing</h1>
<p>This document covers compilation and installation of Apache
on Unix and Unix-like systems only. For compiling and
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Starting Apache</h1>
+ <h1 align="center">Starting Apache</h1>
<ul>
<li><a href="#windows">Starting Apache on Windows</a></li>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Using XSSI and <samp>ErrorDocument</samp> to
+ <h1 align="center">Using XSSI and <samp>ErrorDocument</samp> to
configure customized international server error responses</h1>
<h2>Index</h2>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Descriptors and Apache</h1>
+ <h1 align="center">Descriptors and Apache</h1>
<p>A <em>descriptor</em>, also commonly called a <em>file
handle</em> is an object that a program uses to read or write
you problems, you can disable it. Add <code>-DNO_SLACK</code>
to <code>EXTRA_CFLAGS</code> and rebuild. But please report it
to our <a href="http://httpd.apache.org/bug_report.html">Bug
- Report Page</a> so that we can investigate.
+ Report Page</a> so that we can investigate. </p>
<!--#include virtual="footer.html" -->
- </p>
</body>
</html>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Connections in the FIN_WAIT_2 state and
+ <h1 align="center">Connections in the FIN_WAIT_2 state and
Apache</h1>
<ol>
patch available</a> for adding a timeout to the FIN_WAIT_2
state; it was originally intended for BSD/OS, but should be
adaptable to most systems using BSD networking code. You
- need kernel source code to be able to use it.
+ need kernel source code to be able to use it. </p>
<h3>Compile without using
<code>lingering_close()</code></h3>
<hr />
- <h3 align="CENTER">Apache HTTP Server Version 2.0</h3>
+ <h3 align="center">Apache HTTP Server Version 2.0</h3>
<a href="./"><img src="../images/index.gif" alt="Index" /></a>
<a href="../"><img src="../images/home.gif" alt="Home" /></a>
- <div align="CENTER">
+ <div align="center">
<img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" />
<h3>Apache HTTP Server Version 2.0</h3>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Apache Miscellaneous Documentation</h1>
+ <h1 align="center">Apache Miscellaneous Documentation</h1>
<p>Below is a list of additional documentation pages that apply
to the Apache web server development project.</p>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Known Problems in Clients</h1>
+ <h1 align="center">Known Problems in Clients</h1>
<p>Over time the Apache Group has discovered or been notified
of problems with various clients which we have had to work
href="http://www.apache.org/dist/httpd/patches/apply_to_1.2.1/msie_4_0b2_fixes.patch">
patch</a> against 1.2.1.
- <h3><a id="257th-byte" name="257th-byte">Boundary problems with
+ <h3><a id="byte-257" name="byte-257">Boundary problems with
header parsing</a></h3>
<p>All versions of Navigator from 2.0 through 4.0b2 (and
<p>Here is a system call trace of Apache 2.0.38 with the worker MPM
on Solaris 8. This trace was collected using:</p>
<blockquote>
-<code>truss -l -p <i>httpd_child_pid</i></code>.</code>
+<code>truss -l -p <i>httpd_child_pid</i></code>.
</blockquote>
<p>The <code>-l</code> option tells truss to log the ID of the
LWP (lightweight process--Solaris's form of kernel-level thread)
<p>In this trace, a client has requested a 10KB static file
from the httpd. Traces of non-static requests or requests
with content negotiation look wildly different (and quite ugly
- in some cases).
+ in some cases).</p>
+<blockquote>
<pre>
/67: accept(3, 0x00200BEC, 0x00200C0C, 1) (sleeping...)
/67: accept(3, 0x00200BEC, 0x00200C0C, 1) = 9
</pre>
+</blockquote>
<blockquote>
<p>In this trace, the listener thread is running within LWP #67.</p>
<p>Note the lack of accept(2) serialization. On this particular
<code>apr_bucket_alloc</code>) for most request processing.
In this trace, the httpd has just been started, so it must
call malloc(3) to get the blocks of raw memory with which
-to create the custom memory allocators.
+to create the custom memory allocators.</p>
</blockquote>
<pre>
/65: fcntl(9, F_GETFL, 0x00000000) = 2
each directory in the path leading up to the requested file, nor
check for <code>.htaccess</code> files. It simply calls stat(2) to
verify that the file: 1) exists, and 2) is a regular file, not a
-directory.
+directory.</p>
</blockquote>
<pre>
/65: sendfilev(0, 9, 0x00200F90, 2, 0xFAF7B53C) = 10269
and blocks until the listener assigns it another connection.</p>
</blockquote>
<pre>
-/67: accept(3, 0x001FEB74, 0x001FEB94, 1) (sleeping...)</pre>
+/67: accept(3, 0x001FEB74, 0x001FEB94, 1) (sleeping...)
</pre>
<blockquote>
<p>Meanwhile, the listener thread is able to accept another connection
conditions) occur in parallel with the worker thread's handling of the
just-accepted connection.</p>
</blockquote>
- </blockquote>
-
+ <!--#include virtual="footer.html" -->
</body>
</html>
<blockquote>
<!--#include virtual="header.html" -->
- <div align="CENTER">
+ <div align="center">
<h1>Apache 1.3<br />
URL Rewriting Guide<br />
</h1>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Security Tips for Server Configuration</h1>
+ <h1 align="center">Security Tips for Server Configuration</h1>
<ul>
<li><a href="#serverroot">Permissions on ServerRoot
href="http://httpd.apache.org/bug_report.html">please let us
know</a>.</p>
- <p><!--#include virtual="footer.html" --></p>
+ <!--#include virtual="footer.html" -->
</body>
</html>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Apache Tutorials</h1>
+ <h1 align="center">Apache Tutorials</h1>
<blockquote>
<strong>Warning:</strong> This document has not been updated
<p>If you have a pointer to an accurate and well-written
tutorial not included here, please let us know by submitting it
to the <a href="http://bugs.apache.org/">Apache Bug
- Database</a>. <!--#include virtual="footer.html" -->
- </p>
+ Database</a>. </p>
+ <!--#include virtual="footer.html" -->
</body>
</html>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Terms Used to Describe Apache
+ <h1 align="center">Terms Used to Describe Apache
Directives</h1>
<p>Each Apache configuration directive is described using a
<hr />
- <h3 align="CENTER">Apache HTTP Server Version 2.0</h3>
+ <h3 align="center">Apache HTTP Server Version 2.0</h3>
<a href="./"><img src="../images/index.gif" alt="Index" /></a>
<a href="../"><img src="../images/home.gif" alt="Home" /></a>
- <div align="CENTER">
+ <div align="center">
<img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" />
<h3>Apache HTTP Server Version 2.0</h3>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Overview of New Features in Apache 2.0</h1>
+ <h1 align="center">Overview of New Features in Apache 2.0</h1>
<p>Enhancements: <a href="#core">Core</a> | <a
href="#module">Module</a></p>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Using Apache With Novell NetWare</h1>
+ <h1 align="center">Using Apache With Novell NetWare</h1>
<p>This document explains how to install, configure and run
Apache 2.0 under Novell NetWare 5.x and above. If you find any bugs,
or wish to contribute in other ways, please
- use our <a HREF="http://httpd.apache.org/bug_report.html">bug reporting
+ use our <a href="http://httpd.apache.org/bug_report.html">bug reporting
page.</a></p>
<p>The bug reporting page and dev-httpd mailing list are <em>not</em>
provided to answer questions about configuration or running Apache.
Before you submit a bug report or request, first consult this document, the
- <a HREF="faq/index.html">Frequently Asked Questions</a> page and the other
+ <a href="faq/index.html">Frequently Asked Questions</a> page and the other
relevant documentation topics. If you still have a question or problem,
- post it to the <a HREF="news://developer-forums.novell.com/novell.devsup.webserver">
+ post it to the <a href="news://developer-forums.novell.com/novell.devsup.webserver">
novell.devsup.webserver</a> newsgroup, where many
Apache users are more than willing to answer new
and obscure questions about using Apache on NetWare.</p>
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Running a High-Performance Web Server for
+ <h1 align="center">Running a High-Performance Web Server for
HPUX</h1>
<pre>
Date: Wed, 05 Nov 1997 16:59:34 -0800
href="http://www.cup.hp.com/netperf/NetperfPage.html">http://www.cup.hp.com/netperf/NetperfPage.html</a></p>
<hr />
- <h3 align="CENTER">Apache HTTP Server Version 1.3</h3>
+ <h3 align="center">Apache HTTP Server Version 1.3</h3>
<a href="./"><img src="../images/index.gif" alt="Index" /></a>
<a href="../"><img src="../images/home.gif" alt="Home" /></a>
</body>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Running Apache for Windows as a Service</h1>
+ <h1 align="center">Running Apache for Windows as a Service</h1>
<p>Apache can be run as a service on Windows NT/2000. (There is
also some HIGHLY EXPERIMENTAL support for similar behavior on
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Using Apache with Microsoft Windows</h1>
+ <h1 align="center">Using Apache with Microsoft Windows</h1>
<p>This document explains how to install, configure and run
Apache 2.0 under Microsoft Windows. If you find any bugs, or
<hr />
- <h3 align="CENTER">Apache HTTP Server Version 2.0</h3>
+ <h3 align="center">Apache HTTP Server Version 2.0</h3>
<a href="./"><img src="../images/index.gif" alt="Index" /></a>
<a href="../"><img src="../images/home.gif" alt="Home" /></a>
- <div align="CENTER">
+ <div align="center">
<img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" />
<h3>Apache HTTP Server Version 2.0</h3>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Server and Supporting Programs</h1>
+ <h1 align="center">Server and Supporting Programs</h1>
<p>This page documents all the executable programs included
with the Apache HTTP Server.</p>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Other Programs</h1>
+ <h1 align="center">Other Programs</h1>
<p>The following programs are simple support programs included
with the Apache HTTP Server which do not have their own manual
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">How Directory, Location and Files sections
+ <h1 align="center">How Directory, Location and Files sections
work</h1>
<p>The sections <a
<hr />
- <h3 align="CENTER">Apache HTTP Server Version 2.0</h3>
+ <h3 align="center">Apache HTTP Server Version 2.0</h3>
<a href="./"><img src="../images/index.gif" alt="Index" /></a>
<a href="../"><img src="../images/home.gif" alt="Home" /></a>
- <div align="CENTER">
+ <div align="center">
<img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" />
<h3>Apache HTTP Server Version 2.0</h3>
<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
-<h1 align="CENTER">SSL/TLS Strong Encryption</h1>
+<h1 align="center">SSL/TLS Strong Encryption</h1>
<p>The Apache HTTP Server module <a href="../mod/mod_ssl.html">mod_ssl</a>
provides an interface to the <a
href="../mod/mod_ssl.html">mod_ssl reference documentation</a>.</p>
-<p><!--#include virtual="footer.html" --> </p>
+ <!--#include virtual="footer.html" -->
</body>
</html>
<head>
<title>Apache SSL/TLS Encryption: Compatibility</title>
<style type="text/css"><!--
-#H {
+.H {
}
-#D {
+.D {
background-color: #f0f0f0;
}
--></style>
<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
-<h1 align="CENTER">SSL/TLS Strong Encryption: Compatibility</h1>
+<h1 align="center">SSL/TLS Strong Encryption: Compatibility</h1>
<div align="right">
<table cellspacing="0" cellpadding="0" width="200" summary="">
superset of the functionality of all other solutions we can easily provide
backward compatibility for most of the cases. Actually there are three
compatibility areas we currently address: configuration directives,
-environment variables and custom log functions.
+environment variables and custom log functions.</p>
<ul>
<li><a href="#ToC1">Configuration Directives</a></li>
</ul>
<h2><a name="ToC1">Configuration Directives</a></h2>
-For backward compatibility to the configuration directives of other SSL
+<p>For backward compatibility to the configuration directives of other SSL
solutions we do an on-the-fly mapping: directives which have a direct
counterpart in mod_ssl are mapped silently while other directives lead to a
warning message in the logfiles. The currently implemented directive mapping
provide.</p>
-<p>
<div align="center">
<a name="table1"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
-<caption align="bottom" id="sf">Table 1: Configuration Directive Mapping</caption>
+<caption align="bottom" >Table 1: Configuration Directive Mapping</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
<table border="0" cellspacing="0" cellpadding="2" width="598" summary="">
-<tr id="D">
+<tr class="D">
<td><strong>Old Directive</strong></td>
<td><strong>mod_ssl Directive</strong></td>
<td><strong>Comment</strong></td>
</tr>
-<tr id="H"><td colspan="3"><b>Apache-SSL 1.x & mod_ssl 2.0.x compatibility:</b></td></tr>
-<tr id="D"><td><code>SSLEnable</code></td><td><code>SSLEngine on</code></td><td>compactified</td></tr>
-<tr id="H"><td><code>SSLDisable</code></td><td><code>SSLEngine off</code></td><td>compactified</td></tr>
-<tr id="D"><td><code>SSLLogFile</code> <em>file</em></td><td><code>SSLLog</code> <em>file</em></td><td>compactified</td></tr>
-<tr id="H"><td><code>SSLRequiredCiphers</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSLRequireCipher</code> <em>c1</em> ...</td><td><code>SSLRequire %{SSL_CIPHER} in {"</code><em>c1</em><code>", ...}</code></td><td>generalized</td></tr>
-<tr id="H"><td><code>SSLBanCipher</code> <em>c1</em> ...</td><td><code>SSLRequire not (%{SSL_CIPHER} in {"</code><em>c1</em><code>", ...})</code></td><td>generalized</td></tr>
-<tr id="D"><td><code>SSLFakeBasicAuth</td><td><code>SSLOptions +FakeBasicAuth</code></td><td>merged</td></tr>
-<tr id="H"><td><code>SSLCacheServerPath</code> <em>dir</em></td><td>-</td><td>functionality removed</td></tr>
-<tr id="D"><td><code>SSLCacheServerPort</code> <em>integer</em></td><td>-</td><td>functionality removed</td></tr>
-<tr id="H"><td colspan="3"><b>Apache-SSL 1.x compatibility:</b></td></tr>
-<tr id="D"><td><code>SSLExportClientCertificates</td><td><code>SSLOptions +ExportCertData</code></td><td>merged</td></tr>
-<tr id="H"><td><code>SSLCacheServerRunDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="D"><td colspan="3"><b>Sioux 1.x compatibility:</b></td></tr>
-<tr id="H"><td><code>SSL_CertFile</code> <em>file</em></td><td><code>SSLCertificateFile</code> <em>file</em></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_KeyFile</code> <em>file</em></td><td><code>SSLCertificateKeyFile</code> <em>file</em></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_CipherSuite</code> <em>arg</em></td><td><code>SSLCipherSuite</code> <em>arg</em></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_X509VerifyDir</code> <em>arg</em></td><td><code>SSLCACertificatePath</code> <em>arg</em></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_Log</code> <em>file</em></td><td><code>SSLLogFile</code> <em>file</em></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_Connect</code> <em>flag</em></td><td><code>SSLEngine</code> <em>flag</em></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_ClientAuth</code> <em>arg</em></td><td><code>SSLVerifyClient</code> <em>arg</em></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_X509VerifyDepth</code> <em>arg</em></td><td><code>SSLVerifyDepth</code> <em>arg</em></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_FetchKeyPhraseFrom</code> <em>arg</em></td><td>-</td><td>not directly mappable; use SSLPassPhraseDialog</td></tr>
-<tr id="D"><td><code>SSL_SessionDir</code> <em>dir</em></td><td>-</td><td>not directly mappable; use SSLSessionCache</td></tr>
-<tr id="H"><td><code>SSL_Require</code> <em>expr</em></td><td>-</td><td>not directly mappable; use SSLRequire</td></tr>
-<tr id="D"><td><code>SSL_CertFileType</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="H"><td><code>SSL_KeyFileType</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="D"><td><code>SSL_X509VerifyPolicy</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="H"><td><code>SSL_LogX509Attributes</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="D"><td colspan="3"><b>Stronghold 2.x compatibility:</b></td></tr>
-<tr id="H"><td><code>StrongholdAccelerator</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="H"><td><code>StrongholdKey</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="H"><td><code>StrongholdLicenseFile</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="H"><td><code>SSLFlag</code> <em>flag</em></td><td><code>SSLEngine</code> <em>flag</em></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSLSessionLockFile</code> <em>file</em></td><td><code>SSLMutex</code> <em>file</em></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSLCipherList</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr>
-<tr id="D"><td><code>RequireSSL</code></td><td><code>SSLRequireSSL</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSLErrorFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="H"><td><code>SSLRoot</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="D"><td><code>SSL_CertificateLogDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="H"><td><code>AuthCertDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="D"><td><code>SSL_Group</code> <em>name</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="H"><td><code>SSLProxyMachineCertPath</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="D"><td><code>SSLProxyMachineCertFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="H"><td><code>SSLProxyCACertificatePath</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="D"><td><code>SSLProxyCACertificateFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="H"><td><code>SSLProxyVerifyDepth</code> <em>number</em></td><td>-</td><td>functionality not supported</td></tr>
-<tr id="D"><td><code>SSLProxyCipherList</code> <em>spec</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="H"><td colspan="3"><b>Apache-SSL 1.x & mod_ssl 2.0.x compatibility:</b></td></tr>
+<tr class="D"><td><code>SSLEnable</code></td><td><code>SSLEngine on</code></td><td>compactified</td></tr>
+<tr class="H"><td><code>SSLDisable</code></td><td><code>SSLEngine off</code></td><td>compactified</td></tr>
+<tr class="D"><td><code>SSLLogFile</code> <em>file</em></td><td><code>SSLLog</code> <em>file</em></td><td>compactified</td></tr>
+<tr class="H"><td><code>SSLRequiredCiphers</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSLRequireCipher</code> <em>c1</em> ...</td><td><code>SSLRequire %{SSL_CIPHER} in {"</code><em>c1</em><code>", ...}</code></td><td>generalized</td></tr>
+<tr class="H"><td><code>SSLBanCipher</code> <em>c1</em> ...</td><td><code>SSLRequire not (%{SSL_CIPHER} in {"</code><em>c1</em><code>", ...})</code></td><td>generalized</td></tr>
+<tr class="D"><td><code>SSLFakeBasicAuth</code></td><td><code>SSLOptions +FakeBasicAuth</code></td><td>merged</td></tr>
+<tr class="H"><td><code>SSLCacheServerPath</code> <em>dir</em></td><td>-</td><td>functionality removed</td></tr>
+<tr class="D"><td><code>SSLCacheServerPort</code> <em>integer</em></td><td>-</td><td>functionality removed</td></tr>
+<tr class="H"><td colspan="3"><b>Apache-SSL 1.x compatibility:</b></td></tr>
+<tr class="D"><td><code>SSLExportClientCertificates</code></td><td><code>SSLOptions +ExportCertData</code></td><td>merged</td></tr>
+<tr class="H"><td><code>SSLCacheServerRunDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="D"><td colspan="3"><b>Sioux 1.x compatibility:</b></td></tr>
+<tr class="H"><td><code>SSL_CertFile</code> <em>file</em></td><td><code>SSLCertificateFile</code> <em>file</em></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_KeyFile</code> <em>file</em></td><td><code>SSLCertificateKeyFile</code> <em>file</em></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_CipherSuite</code> <em>arg</em></td><td><code>SSLCipherSuite</code> <em>arg</em></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_X509VerifyDir</code> <em>arg</em></td><td><code>SSLCACertificatePath</code> <em>arg</em></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_Log</code> <em>file</em></td><td><code>SSLLogFile</code> <em>file</em></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_Connect</code> <em>flag</em></td><td><code>SSLEngine</code> <em>flag</em></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_ClientAuth</code> <em>arg</em></td><td><code>SSLVerifyClient</code> <em>arg</em></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_X509VerifyDepth</code> <em>arg</em></td><td><code>SSLVerifyDepth</code> <em>arg</em></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_FetchKeyPhraseFrom</code> <em>arg</em></td><td>-</td><td>not directly mappable; use SSLPassPhraseDialog</td></tr>
+<tr class="D"><td><code>SSL_SessionDir</code> <em>dir</em></td><td>-</td><td>not directly mappable; use SSLSessionCache</td></tr>
+<tr class="H"><td><code>SSL_Require</code> <em>expr</em></td><td>-</td><td>not directly mappable; use SSLRequire</td></tr>
+<tr class="D"><td><code>SSL_CertFileType</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="H"><td><code>SSL_KeyFileType</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="D"><td><code>SSL_X509VerifyPolicy</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="H"><td><code>SSL_LogX509Attributes</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="D"><td colspan="3"><b>Stronghold 2.x compatibility:</b></td></tr>
+<tr class="H"><td><code>StrongholdAccelerator</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="D"><td><code>StrongholdKey</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="H"><td><code>StrongholdLicenseFile</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="D"><td><code>SSLFlag</code> <em>flag</em></td><td><code>SSLEngine</code> <em>flag</em></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSLSessionLockFile</code> <em>file</em></td><td><code>SSLMutex</code> <em>file</em></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSLCipherList</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr>
+<tr class="H"><td><code>RequireSSL</code></td><td><code>SSLRequireSSL</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSLErrorFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="H"><td><code>SSLRoot</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="D"><td><code>SSL_CertificateLogDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="H"><td><code>AuthCertDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="D"><td><code>SSL_Group</code> <em>name</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="H"><td><code>SSLProxyMachineCertPath</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="D"><td><code>SSLProxyMachineCertFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="H"><td><code>SSLProxyCACertificatePath</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="D"><td><code>SSLProxyCACertificateFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="H"><td><code>SSLProxyVerifyDepth</code> <em>number</em></td><td>-</td><td>functionality not supported</td></tr>
+<tr class="D"><td><code>SSLProxyCipherList</code> <em>spec</em></td><td>-</td><td>functionality not supported</td></tr>
</table>
</td>
</tr></table>
</td></tr></table>
</div>
-<p>
-<br>
+<br />
<h2><a name="ToC2">Environment Variables</a></h2>
-When you use ``<code>SSLOptions +CompatEnvVars</code>'' additional environment
+<p>When you use ``<code>SSLOptions +CompatEnvVars</code>'' additional environment
variables are generated. They all correspond to existing official mod_ssl
variables. The currently implemented variable derivation is listed in <a
-href="#table2">Table 2</a>.
-<p>
+href="#table2">Table 2</a>.</p>
<div align="center">
<a name="table2"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
-<caption align="bottom" id="sf">Table 2: Environment Variable Derivation</caption>
+<caption align="bottom" >Table 2: Environment Variable Derivation</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
<table border="0" cellspacing="0" cellpadding="2" width="598" summary="">
-<tr id="D">
+<tr class="D">
<td><strong>Old Variable</strong></td>
<td><strong>mod_ssl Variable</strong></td>
<td><strong>Comment</strong></td>
</tr>
-<tr id="H"><td><code>SSL_PROTOCOL_VERSION</code></td><td><code>SSL_PROTOCOL</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSLEAY_VERSION</code></td><td><code>SSL_VERSION_LIBRARY</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>HTTPS_SECRETKEYSIZE</code></td><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>HTTPS_KEYSIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>HTTPS_CIPHER</code></td><td><code>SSL_CIPHER</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>HTTPS_EXPORT</code></td><td><code>SSL_CIPHER_EXPORT</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_SERVER_KEY_SIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_SERVER_CERTIFICATE</code></td><td><code>SSL_SERVER_CERT</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_SERVER_CERT_START</code></td><td><code>SSL_SERVER_V_START</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_SERVER_CERT_END</code></td><td><code>SSL_SERVER_V_END</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_SERVER_CERT_SERIAL</code></td><td><code>SSL_SERVER_M_SERIAL</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_SERVER_SIGNATURE_ALGORITHM</code></td><td><code>SSL_SERVER_A_SIG</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_SERVER_DN</code></td><td><code>SSL_SERVER_S_DN</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_SERVER_CN</code></td><td><code>SSL_SERVER_S_DN_CN</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_SERVER_EMAIL</code></td><td><code>SSL_SERVER_S_DN_Email</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_SERVER_O</code></td><td><code>SSL_SERVER_S_DN_O</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_SERVER_OU</code></td><td><code>SSL_SERVER_S_DN_OU</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_SERVER_C</code></td><td><code>SSL_SERVER_S_DN_C</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_SERVER_SP</code></td><td><code>SSL_SERVER_S_DN_SP</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_SERVER_L</code></td><td><code>SSL_SERVER_S_DN_L</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_SERVER_IDN</code></td><td><code>SSL_SERVER_I_DN</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_SERVER_ICN</code></td><td><code>SSL_SERVER_I_DN_CN</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_SERVER_IEMAIL</code></td><td><code>SSL_SERVER_I_DN_Email</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_SERVER_IO</code></td><td><code>SSL_SERVER_I_DN_O</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_SERVER_IOU</code></td><td><code>SSL_SERVER_I_DN_OU</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_SERVER_IC</code></td><td><code>SSL_SERVER_I_DN_C</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_SERVER_ISP</code></td><td><code>SSL_SERVER_I_DN_SP</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_SERVER_IL</code></td><td><code>SSL_SERVER_I_DN_L</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_CLIENT_CERTIFICATE</code></td><td><code>SSL_CLIENT_CERT</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_CLIENT_CERT_START</code></td><td><code>SSL_CLIENT_V_START</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_CLIENT_CERT_END</code></td><td><code>SSL_CLIENT_V_END</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_CLIENT_CERT_SERIAL</code></td><td><code>SSL_CLIENT_M_SERIAL</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_CLIENT_SIGNATURE_ALGORITHM</code></td><td><code>SSL_CLIENT_A_SIG</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_CLIENT_DN</code></td><td><code>SSL_CLIENT_S_DN</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_CLIENT_CN</code></td><td><code>SSL_CLIENT_S_DN_CN</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_CLIENT_EMAIL</code></td><td><code>SSL_CLIENT_S_DN_Email</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_CLIENT_O</code></td><td><code>SSL_CLIENT_S_DN_O</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_CLIENT_OU</code></td><td><code>SSL_CLIENT_S_DN_OU</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_CLIENT_C</code></td><td><code>SSL_CLIENT_S_DN_C</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_CLIENT_SP</code></td><td><code>SSL_CLIENT_S_DN_SP</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_CLIENT_L</code></td><td><code>SSL_CLIENT_S_DN_L</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_CLIENT_IDN</code></td><td><code>SSL_CLIENT_I_DN</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_CLIENT_ICN</code></td><td><code>SSL_CLIENT_I_DN_CN</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_CLIENT_IEMAIL</code></td><td><code>SSL_CLIENT_I_DN_Email</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_CLIENT_IO</code></td><td><code>SSL_CLIENT_I_DN_O</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_CLIENT_IOU</code></td><td><code>SSL_CLIENT_I_DN_OU</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_CLIENT_IC</code></td><td><code>SSL_CLIENT_I_DN_C</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_CLIENT_ISP</code></td><td><code>SSL_CLIENT_I_DN_SP</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_CLIENT_IL</code></td><td><code>SSL_CLIENT_I_DN_L</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_EXPORT</code></td><td><code>SSL_CIPHER_EXPORT</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_KEYSIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_SECKEYSIZE</code></td><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>renamed</td></tr>
-<tr id="H"><td><code>SSL_SSLEAY_VERSION</code></td><td><code>SSL_VERSION_LIBRARY</code></td><td>renamed</td></tr>
-<tr id="D"><td><code>SSL_STRONG_CRYPTO</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
-<tr id="D"><td><code>SSL_SERVER_KEY_EXP</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
-<tr id="H"><td><code>SSL_SERVER_KEY_ALGORITHM</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
-<tr id="D"><td><code>SSL_SERVER_KEY_SIZE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
-<tr id="H"><td><code>SSL_SERVER_SESSIONDIR</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
-<tr id="D"><td><code>SSL_SERVER_CERTIFICATELOGDIR</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
-<tr id="H"><td><code>SSL_SERVER_CERTFILE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
-<tr id="D"><td><code>SSL_SERVER_KEYFILE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
-<tr id="H"><td><code>SSL_SERVER_KEYFILETYPE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
-<tr id="D"><td><code>SSL_CLIENT_KEY_EXP</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
-<tr id="H"><td><code>SSL_CLIENT_KEY_ALGORITHM</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
-<tr id="D"><td><code>SSL_CLIENT_KEY_SIZE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
+<tr class="H"><td><code>SSL_PROTOCOL_VERSION</code></td><td><code>SSL_PROTOCOL</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSLEAY_VERSION</code></td><td><code>SSL_VERSION_LIBRARY</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>HTTPS_SECRETKEYSIZE</code></td><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>HTTPS_KEYSIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>HTTPS_CIPHER</code></td><td><code>SSL_CIPHER</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>HTTPS_EXPORT</code></td><td><code>SSL_CIPHER_EXPORT</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_SERVER_KEY_SIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_SERVER_CERTIFICATE</code></td><td><code>SSL_SERVER_CERT</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_SERVER_CERT_START</code></td><td><code>SSL_SERVER_V_START</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_SERVER_CERT_END</code></td><td><code>SSL_SERVER_V_END</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_SERVER_CERT_SERIAL</code></td><td><code>SSL_SERVER_M_SERIAL</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_SERVER_SIGNATURE_ALGORITHM</code></td><td><code>SSL_SERVER_A_SIG</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_SERVER_DN</code></td><td><code>SSL_SERVER_S_DN</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_SERVER_CN</code></td><td><code>SSL_SERVER_S_DN_CN</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_SERVER_EMAIL</code></td><td><code>SSL_SERVER_S_DN_Email</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_SERVER_O</code></td><td><code>SSL_SERVER_S_DN_O</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_SERVER_OU</code></td><td><code>SSL_SERVER_S_DN_OU</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_SERVER_C</code></td><td><code>SSL_SERVER_S_DN_C</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_SERVER_SP</code></td><td><code>SSL_SERVER_S_DN_SP</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_SERVER_L</code></td><td><code>SSL_SERVER_S_DN_L</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_SERVER_IDN</code></td><td><code>SSL_SERVER_I_DN</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_SERVER_ICN</code></td><td><code>SSL_SERVER_I_DN_CN</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_SERVER_IEMAIL</code></td><td><code>SSL_SERVER_I_DN_Email</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_SERVER_IO</code></td><td><code>SSL_SERVER_I_DN_O</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_SERVER_IOU</code></td><td><code>SSL_SERVER_I_DN_OU</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_SERVER_IC</code></td><td><code>SSL_SERVER_I_DN_C</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_SERVER_ISP</code></td><td><code>SSL_SERVER_I_DN_SP</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_SERVER_IL</code></td><td><code>SSL_SERVER_I_DN_L</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_CLIENT_CERTIFICATE</code></td><td><code>SSL_CLIENT_CERT</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_CLIENT_CERT_START</code></td><td><code>SSL_CLIENT_V_START</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_CLIENT_CERT_END</code></td><td><code>SSL_CLIENT_V_END</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_CLIENT_CERT_SERIAL</code></td><td><code>SSL_CLIENT_M_SERIAL</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_CLIENT_SIGNATURE_ALGORITHM</code></td><td><code>SSL_CLIENT_A_SIG</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_CLIENT_DN</code></td><td><code>SSL_CLIENT_S_DN</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_CLIENT_CN</code></td><td><code>SSL_CLIENT_S_DN_CN</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_CLIENT_EMAIL</code></td><td><code>SSL_CLIENT_S_DN_Email</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_CLIENT_O</code></td><td><code>SSL_CLIENT_S_DN_O</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_CLIENT_OU</code></td><td><code>SSL_CLIENT_S_DN_OU</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_CLIENT_C</code></td><td><code>SSL_CLIENT_S_DN_C</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_CLIENT_SP</code></td><td><code>SSL_CLIENT_S_DN_SP</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_CLIENT_L</code></td><td><code>SSL_CLIENT_S_DN_L</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_CLIENT_IDN</code></td><td><code>SSL_CLIENT_I_DN</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_CLIENT_ICN</code></td><td><code>SSL_CLIENT_I_DN_CN</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_CLIENT_IEMAIL</code></td><td><code>SSL_CLIENT_I_DN_Email</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_CLIENT_IO</code></td><td><code>SSL_CLIENT_I_DN_O</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_CLIENT_IOU</code></td><td><code>SSL_CLIENT_I_DN_OU</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_CLIENT_IC</code></td><td><code>SSL_CLIENT_I_DN_C</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_CLIENT_ISP</code></td><td><code>SSL_CLIENT_I_DN_SP</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_CLIENT_IL</code></td><td><code>SSL_CLIENT_I_DN_L</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_EXPORT</code></td><td><code>SSL_CIPHER_EXPORT</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_KEYSIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_SECKEYSIZE</code></td><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>renamed</td></tr>
+<tr class="H"><td><code>SSL_SSLEAY_VERSION</code></td><td><code>SSL_VERSION_LIBRARY</code></td><td>renamed</td></tr>
+<tr class="D"><td><code>SSL_STRONG_CRYPTO</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
+<tr class="H"><td><code>SSL_SERVER_KEY_EXP</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
+<tr class="D"><td><code>SSL_SERVER_KEY_ALGORITHM</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
+<tr class="H"><td><code>SSL_SERVER_KEY_SIZE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
+<tr class="D"><td><code>SSL_SERVER_SESSIONDIR</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
+<tr class="H"><td><code>SSL_SERVER_CERTIFICATELOGDIR</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
+<tr class="D"><td><code>SSL_SERVER_CERTFILE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
+<tr class="H"><td><code>SSL_SERVER_KEYFILE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
+<tr class="D"><td><code>SSL_SERVER_KEYFILETYPE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
+<tr class="H"><td><code>SSL_CLIENT_KEY_EXP</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
+<tr class="D"><td><code>SSL_CLIENT_KEY_ALGORITHM</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
+<tr class="H"><td><code>SSL_CLIENT_KEY_SIZE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr>
</table>
</td>
</tr></table>
</td></tr></table>
</div>
-<p>
-<br>
+<br />
<h2><a name="ToC3">Custom Log Functions</a></h2>
+<p>
When mod_ssl is built into Apache or at least loaded (under DSO situation)
additional functions exist for the <a
href="../mod/mod_log_config.html#formats">Custom Log Format</a> of <a
by any module, an additional Cryptography
``<code>%{</code><em>name</em><code>}c</code>'' cryptography format function
exists for backward compatibility. The currently implemented function calls
-are listed in <a href="#table3">Table 3</a>.
-<p>
+are listed in <a href="#table3">Table 3</a>.</p>
<div align="center">
<a name="table3"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
-<caption align="bottom" id="sf">Table 3: Custom Log Cryptography Function</caption>
+<caption align="bottom" >Table 3: Custom Log Cryptography Function</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
<table border="0" cellspacing="0" cellpadding="2" width="598" summary="">
-<tr id="H">
+<tr class="D">
<td><strong>Function Call</strong></td>
<td><strong>Description</strong></td>
</tr>
-<tr id="D"><td><code>%...{version}c</code></td> <td>SSL protocol version</td></tr>
-<tr id="H"><td><code>%...{cipher}c</code></td> <td>SSL cipher</td></tr>
-<tr id="D"><td><code>%...{subjectdn}c</code></td> <td>Client Certificate Subject Distinguished Name</td></tr>
-<tr id="H"><td><code>%...{issuerdn}c</code></td> <td>Client Certificate Issuer Distinguished Name</td></tr>
-<tr id="D"><td><code>%...{errcode}c</code></td> <td>Certificate Verification Error (numerical)</td></tr>
-<tr id="H"><td><code>%...{errstr}c</code></td> <td>Certificate Verification Error (string)</td></tr>
+<tr class="H"><td><code>%...{version}c</code></td> <td>SSL protocol version</td></tr>
+<tr class="D"><td><code>%...{cipher}c</code></td> <td>SSL cipher</td></tr>
+<tr class="H"><td><code>%...{subjectdn}c</code></td> <td>Client Certificate Subject Distinguished Name</td></tr>
+<tr class="D"><td><code>%...{issuerdn}c</code></td> <td>Client Certificate Issuer Distinguished Name</td></tr>
+<tr class="H"><td><code>%...{errcode}c</code></td> <td>Certificate Verification Error (numerical)</td></tr>
+<tr class="D"><td><code>%...{errstr}c</code></td> <td>Certificate Verification Error (string)</td></tr>
</table>
</td>
</tr></table>
</td></tr></table>
</div>
-<p><!--#include virtual="footer.html" --> </p>
+ <!--#include virtual="footer.html" -->
</body>
</html>
\ No newline at end of file
<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
-<h1 align="CENTER">SSL/TLS Strong Encryption: FAQ</h1>
+<h1 align="center">SSL/TLS Strong Encryption: FAQ</h1>
<div align="right">
<code>comp.infosystems.www.servers.unix</code></a> or the mod_ssl Support
Mailing List <a href="mailto:modssl-users@modssl.org">
<code>modssl-users@modssl.org</code></a>. They are collected at this place
-to avoid answering the same questions over and over.
+to avoid answering the same questions over and over.</p>
<p>
Please read this chapter at least once when installing mod_ssl or at least
search for your problem here before submitting a problem report to the
-author.
+author.</p>
<ul>
<li><a href="#ToC1">About the module</a>
<li><a href="#ToC5">mod_ssl/Apache versions?</a></li>
<li><a href="#ToC6">mod_ssl and Year 2000?</a></li>
<li><a href="#ToC7">mod_ssl and Wassenaar Arrangement?</a></li>
-</ul></li>
-<li><a href="#ToC8">About Installation</a></li>
+</ul>
+</li>
+</ul>
+
+<ul>
+<li><a href="#ToC8">About Installation</a>
<ul>
<li><a href="#ToC9">Core dumps for HTTPS requests?</a></li>
<li><a href="#ToC10">Core dumps for Apache+mod_ssl+PHP3?</a></li>
<li><a href="#ToC13">Shared memory and process size?</a></li>
<li><a href="#ToC14">Shared memory and pathname?</a></li>
<li><a href="#ToC15">PRNG and not enough entropy?</a></li>
-</ul></li>
-<li><a href="#ToC16">About Configuration</a></li>
+</ul>
+</li>
+</ul>
+
+<ul>
+<li><a href="#ToC16">About Configuration</a>
<ul>
<li><a href="#ToC17">HTTP and HTTPS with a single server?</a></li>
<li><a href="#ToC18">Where is the HTTPS port?</a></li>
<li><a href="#ToC21">Why do I get connection refused?</a></li>
<li><a href="#ToC22">Why are the SSL_XXX variables missing?</a></li>
<li><a href="#ToC23">How to switch with relative hyperlinks?</a></li>
-</ul></li>
-<li><a href="#ToC24">About Certificates</a></li>
+</ul>
+</li>
+</ul>
+
+<ul>
+<li><a href="#ToC24">About Certificates</a>
<ul>
<li><a href="#ToC25">What are Keys, CSRs and Certs?</a></li>
<li><a href="#ToC26">Difference on startup?</a></li>
<li><a href="#ToC37">Verisign and the magic getca program?</a></li>
<li><a href="#ToC38">Global IDs or SGC?</a></li>
<li><a href="#ToC39">Global IDs and Cert Chain?</a></li>
-</ul></li>
-<li><a href="#ToC40">About SSL Protocol</a></li>
+</ul>
+</li>
+</ul>
+
+<ul>
+<li><a href="#ToC40">About SSL Protocol</a>
<ul>
<li><a href="#ToC41">Random SSL errors under heavy load?</a></li>
<li><a href="#ToC42">Why has the server a higher load?</a></li>
<li><a href="#ToC48">The lock icon in Netscape locks very late</a></li>
<li><a href="#ToC49">Why do I get I/O errors with MSIE clients?</a></li>
<li><a href="#ToC50">Why do I get I/O errors with NS clients?</a></li>
-</ul></li>
-<li><a href="#ToC51">About Support</a></li>
+</ul>
+</li>
+</ul>
+
+<ul>
+<li><a href="#ToC51">About Support</a>
<ul>
<li><a href="#ToC52">Resources in case of problems?</a></li>
<li><a href="#ToC53">Support in case of problems?</a></li>
<li><a href="#ToC54">How to write a problem report?</a></li>
<li><a href="#ToC55">I got a core dump, can you help me?</a></li>
<li><a href="#ToC56">How to get a backtrace?</a></li>
-</ul></li>
+</ul>
+</li>
</ul>
<h2><a name="ToC1">About the module</a></h2>
<ul>
-<p>
<li><a name="ToC2"></a>
<a name="history"></a>
- <strong id="faq">
+ <strong>
What is the history of mod_ssl?
</strong>
[<a href="#history"><b>L</b></a>]
- <p>
- The mod_ssl v1 package was initially created in April 1998 by <a
+ <p>The mod_ssl v1 package was initially created in April 1998 by <a
href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> via porting <a
href="mailto:ben@algroup.co.uk">Ben Laurie</a>'s <a
href="http://www.apache-ssl.org/">Apache-SSL</a> 1.17 source patches for
Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL
1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The
first publically released version was mod_ssl 2.0.0 from August 10th,
- 1998. As of this writing (August 1999) the current mod_ssl version is 2.4.0.
- <p>
- After one year of very active development with over 1000 working hours and
+ 1998. As of this writing (August 1999) the current mod_ssl version
+ is 2.4.0.</p>
+
+ <p>After one year of very active development with over 1000 working hours and
over 40 releases mod_ssl reached its current state. The result is an
already very clean source base implementing a very rich functionality.
The code size increased by a factor of 4 to currently a total of over
10.000 lines of ANSI C consisting of approx. 70% code and 30% code
documentation. From the original Apache-SSL code currently approx. 5% is
- remaining only.
- <p>
- After the US export restrictions for cryptographic software were
- opened, mod_ssl was integrated into the code base of Apache V2 in 2001.
-<p>
+ remaining only.</p>
+
+ <p>After the US export restrictions for cryptographic software were
+ opened, mod_ssl was integrated into the code base of Apache V2 in 2001.</p>
+</li>
<li><a name="ToC3"></a>
<a name="apssl-diff"></a>
- <strong id="faq">
+ <strong>
What are the functional differences between mod_ssl and Apache-SSL, from which
it is originally derived?
</strong>
[<a href="#apssl-diff"><b>L</b></a>]
- <p>
- This neither can be answered in short (there were too many code changes)
+ <p>This neither can be answered in short (there were too many code changes)
nor can be answered at all by the author (there would immediately be flame
wars with no reasonable results at the end). But as you easily can guess
from the 5% of remaining Apache-SSL code, a lot of differences exists,
- although user-visible backward compatibility exists for most things.
- <p>
- When you really want a detailed comparison you have to read the entries in
+ although user-visible backward compatibility exists for most things.</p>
+
+ <p>When you really want a detailed comparison you have to read the entries in
the large <code>CHANGES</code> file that is in the mod_ssl
distribution. Usually this is much too hard-core. So I recommend you to
either believe in the opinion and recommendations of other users (the
href="http://www.modssl.org/">http://www.modssl.org</a>) and Apache-SSL
(from <a href="http://www.apache-ssl.org/">http://www.apache-ssl.org</a>),
install both packages, read their documentation and try them out yourself.
- Then choose the one which pleases you most.
- <p>
- A few final hints to help direct your comparison: quality of documentation
+ Then choose the one which pleases you most.</p>
+
+ <p>A few final hints to help direct your comparison: quality of documentation
("can you easily find answers and are they sufficient?"), quality of
source code ("is the source code reviewable so you can make sure there
aren't any trapdoors or inherent security risks because of bad programming
quality of functionality ("is the provided SSL functionality and control
possibilities sufficient for your situation?"), quality of problem tracing
("is it possible for you to easily trace down the problems via logfiles,
- etc?"), etc. pp.
-<p>
+ etc?"), etc. pp.</p>
+</li>
<li><a name="ToC4"></a>
<a name="apssl-diff"></a>
- <strong id="faq">
+ <strong>
What are the major differences between mod_ssl and
the commercial alternatives like Raven or Stronghold?
</strong>
[<a href="#apssl-diff"><b>L</b></a>]
- <p>
- In the past (until September 20th, 2000) the major difference was
+ <p>In the past (until September 20th, 2000) the major difference was
the RSA license which one received (very cheaply in contrast to
a direct licensing from RSA DSI) with the commercial Apache SSL
products. On the other hand, one needed this license only in the US,
of course. So for non-US citizens this point was useless. But now
even for US citizens the situations changed because the RSA patent
expired on September 20th, 2000 and RSA DSI also placed the RSA
- algorithm explicitly into the public domain.
- <p>
- Second, there is the point that one has guaranteed support from
+ algorithm explicitly into the public domain.</p>
+
+ <p>Second, there is the point that one has guaranteed support from
the commercial vendors. On the other hand, if you monitored the
Open Source quality of mod_ssl and the support activities
found on <a href="mailto:modssl-users@modssl.org">
<code>modssl-users@modssl.org</code></a>, you could ask yourself
whether you are really convinced that you can get better support
- from a commercial vendor.
- <p>
- Third, people often think they would receive perhaps at least a
+ from a commercial vendor.</p>
+
+ <p>Third, people often think they would receive perhaps at least a
better technical SSL solution than mod_ssl from the commercial
vendors. But this is not really true, because all commercial
alternatives (Raven 1.4.x, Stronghold 3.x, RedHat SWS 2.x, etc.)
it sometimes occurs that a vendor version includes useful changes
which are not available through the official freely available
packages. But most vendors play fair and contribute back those
- changes to the free software world, of course.
- <p>
- So, in short: There are lots of commercial versions of the popular
+ changes to the free software world, of course.</p>
+
+ <p>So, in short: There are lots of commercial versions of the popular
Apache+mod_ssl+OpenSSL server combination available. Every user
should decide carefully whether they really need to buy a commercial
version or whether it would not be sufficient to directly use the
free and official versions of the Apache, mod_ssl and OpenSSL
- packages.
-<p>
+ packages.</p>
+</li>
<li><a name="ToC5"></a>
<a name="what-version"></a>
- <strong id="faq">
+ <strong>
How do I know which mod_ssl version is for which Apache version?
</strong>
[<a href="#what-version"><b>L</b></a>]
- <p>
- That's trivial: mod_ssl uses version strings of the syntax
+ <p>That's trivial: mod_ssl uses version strings of the syntax
<em><mod_ssl-version></em>-<em><apache-version></em>, for
instance <code>2.4.0-1.3.9</code>. This directly indicates that it's
mod_ssl version 2.4.0 for Apache version 1.3.9. And this also means you
<em>only</em> can apply this mod_ssl version to exactly this Apache
version (unless you use the <code>--force</code> option to mod_ssl's
- <code>configure</code> command ;-).
-<p>
+ <code>configure</code> command ;-).</p>
+</li>
<li><a name="ToC6"></a>
<a name="y2k"></a>
- <strong id="faq">
+ <strong>
Is mod_ssl Year 2000 compliant?
</strong>
[<a href="#y2k"><b>L</b></a>]
- <p>
- Yes, mod_ssl is Year 2000 compliant.
- <p>
- Because first mod_ssl internally never stores years as two digits.
+ <p>Yes, mod_ssl is Year 2000 compliant.</p>
+
+ <p>Because first mod_ssl internally never stores years as two digits.
Instead it always uses the ANSI C & POSIX numerical data type
<code>time_t</code> type, which on almost all Unix platforms at the moment
is a <code>signed long</code> (usually 32-bits) representing seconds since
epoch of January 1st, 1970, 00:00 UTC. This signed value overflows in
early January 2038 and not in the year 2000. Second, date and time
presentations (for instance the variable ``<code>%{TIME_YEAR}</code>'')
- are done with full year value instead of abbreviating to two digits.
- <p>
- Additionally according to a <a
+ are done with full year value instead of abbreviating to two digits.</p>
+
+
<p>Additionally according to a <a
href="http://www.apache.org/docs/misc/FAQ.html#year2000">Year 2000
statement</a> from the Apache Group, the Apache webserver is Year 2000
compliant, too. But whether OpenSSL or the underlaying Operating System
(either a Unix or Win32 platform) is Year 2000 compliant is a different
- question which cannot be answered here.
-<p>
+ question which cannot be answered here.</p>
+</li>
<li><a name="ToC7"></a>
<a name="wassenaar"></a>
- <strong id="faq">
+ <strong>
What about mod_ssl and the Wassenaar Arrangement?
</strong>
[<a href="#wassenaar"><b>L</b></a>]
- <p>
- First, let us explain what <i>Wassenaar</i> and its <i>Arrangement on
+ <p>First, let us explain what <i>Wassenaar</i> and its <i>Arrangement on
Export Controls for Conventional Arms and Dual-Use Goods and
Technologies</i> is: This is a international regime, established 1995, to
control trade in conventional arms and dual-use goods and technology. It
of Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden,
Switzerland, Turkey, Ukraine, United Kingdom and United States. For more
details look at <a
- href="http://www.wassenaar.org/">http://www.wassenaar.org/</a>.
- <p>
- In short: The aim of the Wassenaar Arrangement is to prevent the build up
+ href="http://www.wassenaar.org/">http://www.wassenaar.org/</a>.</p>
+
+ <p>In short: The aim of the Wassenaar Arrangement is to prevent the build up
of military capabilities that threaten regional and international security
and stability. The Wassenaar Arrangement controls the export of
cryptography as a dual-use good, i.e., one that has both military and
civilian applications. However, the Wassenaar Arrangement also provides an
- exemption from export controls for mass-market software and free software.
- <p>
- In the current Wassenaar ``<i>List of Dual Use Goods and Technologies And
+ exemption from export controls for mass-market software and free software.</p>
+
+ <p>In the current Wassenaar ``<i>List of Dual Use Goods and Technologies And
Munitions</i>'', under ``<i>GENERAL SOFTWARE NOTE</i>'' (GSN) it says
``<i>The Lists do not control "software" which is either: 1. [...] 2. "in
the public domain".</i>'' And under ``<i>DEFINITIONS OF TERMS USED IN
domain": This means "technology" or "software" which has been made
available without restrictions upon its further dissemination. N.B.
Copyright restrictions do not remove "technology" or "software" from being
- "in the public domain".</i>''
- <p>
- So, both mod_ssl and OpenSSL are ``in the public domain'' for the purposes
+ "in the public domain".</i>''</p>
+
+ <p>So, both mod_ssl and OpenSSL are ``in the public domain'' for the purposes
of the Wassenaar Agreement and its ``<i>List of Dual Use Goods and
- Technologies And Munitions List</i>''.
- <p>
- Additionally the Wassenaar Agreement itself has no direct consequence for
+ Technologies And Munitions List</i>''.</p>
+
+ <p>Additionally the Wassenaar Agreement itself has no direct consequence for
exporting cryptography software. What is actually allowed or forbidden to
be exported from the countries has still to be defined in the local laws
of each country. And at least according to official press releases from
Switzerland Bawi (see <a href="http://jya.com/wass-ch.htm">here</a>) there
will be no forthcoming export restriction for free cryptography software
for their countries. Remember that mod_ssl is created in Germany and
- distributed from Switzerland.
- <p>
- So, mod_ssl and OpenSSL are not affected by the Wassenaar Agreement.
+ distributed from Switzerland.</p>
+
+ <p>So, mod_ssl and OpenSSL are not affected by the Wassenaar Agreement.</p>
+</li>
</ul>
-<p>
-<br>
+<br />
<h2><a name="ToC8">About Installation</a></h2>
<ul>
-<p>
<li><a name="ToC9"></a>
<a name="core-dbm"></a>
- <strong id="faq">
+ <strong>
When I access my website the first time via HTTPS I get a core dump?
</strong>
[<a href="#core-dbm"><b>L</b></a>]
- <p>
- There can be a lot of reasons why a core dump can occur, of course.
+ <p>There can be a lot of reasons why a core dump can occur, of course.
Ranging from buggy third-party modules, over buggy vendor libraries up to
a buggy mod_ssl version. But the above situation is often caused by old or
broken vendor DBM libraries. To solve it either build mod_ssl with the
built-in SDBM library (specify <tt>--enable-rule=SSL_SDBM</tt> at the
APACI command line) or switch from ``<tt>SSLSessionCache dbm:</tt>'' to the
newer ``<tt>SSLSessionCache shm:</tt>'' variant (after you have rebuilt
- Apache with MM, of course).
-<p>
+ Apache with MM, of course).</p>
+</li>
<li><a name="ToC10"></a>
<a name="core-php3"></a>
- <strong id="faq">
+ <strong>
My Apache dumps core when I add both mod_ssl and PHP3?
</strong>
[<a href="#core-php3"><b>L</b></a>]
- <p>
- Make sure you add mod_ssl to the Apache source tree first and then do a
+ <p>Make sure you add mod_ssl to the Apache source tree first and then do a
fresh configuration and installation of PHP3. For SSL support EAPI patches
are required which have to change internal Apache structures. PHP3 needs
to know about these in order to work correctly. Always make sure that
- <tt>-DEAPI</tt> is contained in the compiler flags when PHP3 is built.
-<p>
+ <tt>-DEAPI</tt> is contained in the compiler flags when PHP3 is built.</p>
+</li>
<li><a name="ToC11"></a>
<a name="dso-sym"></a>
- <strong id="faq">
+ <strong>
When I startup Apache I get errors about undefined symbols like ap_global_ctx?
</strong>
[<a href="#dso-sym"><b>L</b></a>]
- <p>
- This actually means you installed mod_ssl as a DSO, but without rebuilding
+ <p>This actually means you installed mod_ssl as a DSO, but without rebuilding
Apache with EAPI. Because EAPI is a requirement for mod_ssl, you need an
extra patched Apache (containing the EAPI patches) and you have to build
this Apache with EAPI enabled (explicitly specify
- <tt>--enable-rule=EAPI</tt> at the APACI command line).
-<p>
+ <tt>--enable-rule=EAPI</tt> at the APACI command line).</p>
+</li>
<li><a name="ToC12"></a>
<a name="mutex-perm"></a>
- <strong id="faq">
+ <strong>
When I startup Apache I get permission errors related to SSLMutex?
</strong>
[<a href="#mutex-perm"><b>L</b></a>]
- <p>
- When you receive entries like ``<code>mod_ssl: Child could not open
+ <p>When you receive entries like ``<code>mod_ssl: Child could not open
SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows)
[...] System: Permission denied (errno: 13)</code>'' this is usually
caused by to restrictive permissions on the <i>parent</i> directories.
Make sure that all parent directories (here <code>/opt</code>,
<code>/opt/apache</code> and <code>/opt/apache/logs</code>) have the x-bit
set at least for the UID under which Apache's children are running (see
- the <code>User</code> directive of Apache).
-<p>
+ the <code>User</code> directive of Apache).</p>
+</li>
<li><a name="ToC13"></a>
<a name="mm"></a>
- <strong id="faq">
+ <strong>
When I use the MM library and the shared memory cache each process grows
1.5MB according to `top' although I specified 512000 as the cache size?
</strong>
[<a href="#mm"><b>L</b></a>]
- <p>
- The additional 1MB are caused by the global shared memory pool EAPI
+ <p>The additional 1MB are caused by the global shared memory pool EAPI
allocates for all modules and which is not used by mod_ssl for
various reasons. So the actually allocated shared memory is always
1MB more than what you specify on <code>SSLSessionCache</code>.
indicates that <i>each</i> process grow, this is not reality, of
course. Instead the additional memory consumption is shared by
all processes, i.e. the 1.5MB are allocated only once per Apache
- instance and not once per Apache server process.
-<p>
+ instance and not once per Apache server process.</p>
+</li>
<li><a name="ToC14"></a>
<a name="mmpath"></a>
- <strong id="faq">
+ <strong>
Apache creates files in a directory declared by the internal
EAPI_MM_CORE_PATH define. Is there a way to override the path using a
configuration directive?
</strong>
[<a href="#mmpath"><b>L</b></a>]
- <p>
- No, there is not configuration directive, because for technical
+ <p>No, there is not configuration directive, because for technical
bootstrapping reasons, a directive not possible at all. Instead
use ``<code>CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"'
./configure ...</code>'' when building Apache or use option
- <b>-d</b> when starting <code>httpd</code>.
-<p>
+ <b>-d</b> when starting <code>httpd</code>.</p>
+</li>
<li><a name="ToC15"></a>
<a name="entropy"></a>
- <strong id="faq">
+ <strong>
When I fire up the server, mod_ssl stops with the error
"Failed to generate temporary 512 bit RSA private key", why?
</strong>
[<a href="#entropy"><b>L</b></a>]
- <p>
- Cryptographic software needs a source of unpredictable data
+ <p>Cryptographic software needs a source of unpredictable data
to work correctly. Many open source operating systems provide
a "randomness device" that serves this purpose (usually named
<code>/dev/random</code>). On other systems, applications have to
randomness report an error if the PRNG has not been seeded with
at least 128 bits of randomness. So mod_ssl has to provide enough
entropy to the PRNG to work correctly. For this one has to use the
- <code>SSLRandomSeed</code> directives.
+ <code>SSLRandomSeed</code> directives.</p>
+</li>
</ul>
-<p>
-<br>
+<br />
<h2><a name="ToC16">About Configuration</a></h2>
<ul>
-<p>
<li><a name="ToC17"></a>
<a name="https-parallel"></a>
- <strong id="faq">
-Is it possible to provide HTTP and HTTPS with a single server?</strong>
+ <strong>
+Is it possible to provide HTTP and HTTPS with a single server?
</strong>
[<a href="#https-parallel"><b>L</b></a>]
- <p>
- Yes, HTTP and HTTPS use different server ports, so there is no direct
+ <p>Yes, HTTP and HTTPS use different server ports, so there is no direct
conflict between them. Either run two separate server instances (one binds
to port 80, the other to port 443) or even use Apache's elegant virtual
hosting facility where you can easily create two virtual servers which
Apache dispatches: one responding to port 80 and speaking HTTP and one
- responding to port 443 speaking HTTPS.
-<p>
+ responding to port 443 speaking HTTPS.</p>
+</li>
<li><a name="ToC18"></a>
<a name="https-port"></a>
- <strong id="faq">
+ <strong>
I know that HTTP is on port 80, but where is HTTPS?
</strong>
[<a href="#https-port"><b>L</b></a>]
- <p>
- You can run HTTPS on any port, but the standards specify port 443, which
+ <p>You can run HTTPS on any port, but the standards specify port 443, which
is where any HTTPS compliant browser will look by default. You can force
your browser to look on a different port by specifying it in the URL like
- this (for port 666): <code>https://secure.server.dom:666/</code>
-<p>
+ this (for port 666): <code>https://secure.server.dom:666/</code></p>
+</li>
<li><a name="ToC19"></a>
<a name="https-test"></a>
- <strong id="faq">
+ <strong>
How can I speak HTTPS manually for testing purposes?
</strong>
[<a href="#https-test"><b>L</b></a>]
- <p>
- While you usually just use
- <p>
- <code><b>$ telnet localhost 80</b></code><br>
- <code><b>GET / HTTP/1.0</b></code>
- <p>
- for simple testing the HTTP protocol of Apache, it's not so easy for
+ <p>While you usually just use</p>
+
+ <p><code><b>$ telnet localhost 80</b></code><br />
+ <code><b>GET / HTTP/1.0</b></code></p>
+
+ <p>for simple testing the HTTP protocol of Apache, it's not so easy for
HTTPS because of the SSL protocol between TCP and HTTP. But with the
help of OpenSSL's <code>s_client</code> command you can do a similar
- check even for HTTPS:
- <p>
- <code><b>$ openssl s_client -connect localhost:443 -state -debug</b></code><br>
- <code><b>GET / HTTP/1.0</b></code>
- <p>
- Before the actual HTTP response you receive detailed information about the
+ check even for HTTPS:</p>
+
+ <p><code><b>$ openssl s_client -connect localhost:443 -state -debug</b></code><br />
+ <code><b>GET / HTTP/1.0</b></code></p>
+
+ <p>Before the actual HTTP response you receive detailed information about the
SSL handshake. For a more general command line client which directly
understands both the HTTP and HTTPS scheme, can perform GET and POST
methods, can use a proxy, supports byte ranges, etc. you should have a
look at nifty <a href="http://curl.haxx.nu/">cURL</a>
tool. With it you can directly check if your Apache is running fine on
- Port 80 and 443 as following:
- <p>
- <code><b>$ curl http://localhost/</b></code><br>
- <code><b>$ curl https://localhost/</b></code><br>
-<p>
+ Port 80 and 443 as following:</p>
+
+ <p><code><b>$ curl http://localhost/</b></code><br />
+ <code><b>$ curl https://localhost/</b></code><br /></p>
+</li>
<li><a name="ToC20"></a>
<a name="hang"></a>
- <strong id="faq">
+ <strong>
Why does the connection hang when I connect to my SSL-aware Apache server?
</strong>
[<a href="#hang"><b>L</b></a>]
- <p>
- Because you connected with HTTP to the HTTPS port, i.e. you used an URL of
+ <p>Because you connected with HTTP to the HTTPS port, i.e. you used an URL of
the form ``<code>http://</code>'' instead of ``<code>https://</code>''.
This also happens the other way round when you connect via HTTPS to a HTTP
port, i.e. when you try to use ``<code>https://</code>'' on a server that
doesn't support SSL (on this port). Make sure you are connecting to a
virtual server that supports SSL, which is probably the IP associated with
- your hostname, not localhost (127.0.0.1).
-<p>
+ your hostname, not localhost (127.0.0.1).</p>
+</li>
<li><a name="ToC21"></a>
<a name="hang"></a>
- <strong id="faq">
+ <strong>
Why do I get ``Connection Refused'' messages when trying to access my freshly
installed Apache+mod_ssl server via HTTPS?
</strong>
[<a href="#hang"><b>L</b></a>]
- <p>
- There can be various reasons. Some of the common mistakes is that people
+ <p>There can be various reasons. Some of the common mistakes is that people
start Apache with just ``<tt>apachectl start</tt>'' (or
``<tt>httpd</tt>'') instead of ``<tt>apachectl startssl</tt>'' (or
``<tt>httpd -DSSL</tt>''. Or you're configuration is not correct. At
least make sure that your ``<tt>Listen</tt>'' directives match your
``<tt><VirtualHost></tt>'' directives. And if all fails, please do
yourself a favor and start over with the default configuration mod_ssl
- provides you.
-<p>
+ provides you.</p>
+</li>
<li><a name="ToC22"></a>
<a name="env-vars"></a>
- <strong id="faq">
+ <strong>
In my CGI programs and SSI scripts the various documented
<code>SSL_XXX</code> variables do not exist. Why?
</strong>
[<a href="#env-vars"><b>L</b></a>]
- <p>
- Just make sure you have ``<code>SSLOptions +StdEnvVars</code>''
- enabled for the context of your CGI/SSI requests.
-<p>
+ <p>Just make sure you have ``<code>SSLOptions +StdEnvVars</code>''
+ enabled for the context of your CGI/SSI requests.</p>
+</li>
<li><a name="ToC23"></a>
<a name="relative-links"></a>
- <strong id="faq">
+ <strong>
How can I use relative hyperlinks to switch between HTTP and HTTPS?
</strong>
[<a href="#relative-links"><b>L</b></a>]
- <p>
- Usually you have to use fully-qualified hyperlinks because
+ <p>Usually you have to use fully-qualified hyperlinks because
you have to change the URL scheme. But with the help of some URL
manipulations through mod_rewrite you can achieve the same effect while
- you still can use relative URLs:
+ you still can use relative URLs:</p>
<pre>
RewriteEngine on
RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [R,L]
</pre>
This rewrite ruleset lets you use hyperlinks of the form
<pre>
- <a href="document.html:SSL">
+ <a href="document.html:SSL">
</pre>
+</li>
</ul>
-<p>
-<br>
+<br />
<h2><a name="ToC24">About Certificates</a></h2>
<ul>
-<p>
<li><a name="ToC25"></a>
<a name="what-is"></a>
- <strong id="faq">
-What are RSA Private Keys, CSRs and Certificates?</strong>
+ <strong>
+What are RSA Private Keys, CSRs and Certificates?
</strong>
[<a href="#what-is"><b>L</b></a>]
- <p>
- The RSA private key file is a digital file that you can use to decrypt
+ <p>The RSA private key file is a digital file that you can use to decrypt
messages sent to you. It has a public component which you distribute (via
your Certificate file) which allows people to encrypt those messages to
you. A Certificate Signing Request (CSR) is a digital file which contains
Certificate, thereby obtaining your RSA public key. That enables them to
send messages which only you can decrypt.
See the <a href="ssl_intro.html">Introduction</a> chapter for a general
- description of the SSL protocol.
-<p>
+ description of the SSL protocol.</p>
+</li>
<li><a name="ToC26"></a>
<a name="startup"></a>
- <strong id="faq">
+ <strong>
Seems like there is a difference on startup between the original Apache and an SSL-aware Apache?
</strong>
[<a href="#startup"><b>L</b></a>]
- <p>
- Yes, in general, starting Apache with a built-in mod_ssl is just like
+ <p>Yes, in general, starting Apache with a built-in mod_ssl is just like
starting an unencumbered Apache, except for the fact that when you have a
pass phrase on your SSL private key file. Then a startup dialog pops up
- asking you to enter the pass phrase.
- <p>
- To type in the pass phrase manually when starting the server can be
+ asking you to enter the pass phrase.</p>
+
+ <p>To type in the pass phrase manually when starting the server can be
problematic, for instance when starting the server from the system boot
scripts. As an alternative to this situation you can follow the steps
below under ``How can I get rid of the pass-phrase dialog at Apache
- startup time?''.
-<p>
+ startup time?''.</p>
+</li>
<li><a name="ToC28"></a>
<a name="cert-real"></a>
- <strong id="faq">
+ <strong>
Ok, I've got my server installed and want to create a real SSL
server Certificate for it. How do I do it?
</strong>
[<a href="#cert-real"><b>L</b></a>]
- <p>
- Here is a step-by-step description:
- <p>
+ <p>Here is a step-by-step description:</p>
+
<ol>
<li>Make sure OpenSSL is really installed and in your <code>PATH</code>.
But some commands even work ok when you just run the
``<code>openssl</code>'' program from within the OpenSSL source tree as
- ``<code>./apps/openssl</code>''.
- <p>
+ ``<code>./apps/openssl</code>''.<br />
+ <br />
+ </li>
<li>Create a RSA private key for your Apache server
- (will be Triple-DES encrypted and PEM formatted):
- <p>
- <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code>
- <p>
+ (will be Triple-DES encrypted and PEM formatted):<br />
+ <br />
+ <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code><br />
+ <br />
Please backup this <code>server.key</code> file and remember the
pass-phrase you had to enter at a secure location.
- You can see the details of this RSA private key via the command:
- <p>
- <code><strong>$ openssl rsa -noout -text -in server.key</strong></code>
- <p>
+ You can see the details of this RSA private key via the command:<br />
+ <br />
+ <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br />
+ <br />
And you could create a decrypted PEM version (not recommended)
- of this RSA private key via:
- <p>
- <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code>
- <p>
+ of this RSA private key via:<br />
+ <br />
+ <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br />
+ <br />
+ </li>
<li>Create a Certificate Signing Request (CSR) with the server RSA private
- key (output will be PEM formatted):
- <p>
- <code><strong>$ openssl req -new -key server.key -out server.csr</strong></code>
- <p>
+ key (output will be PEM formatted):<br />
+ <br />
+ <code><strong>$ openssl req -new -key server.key -out server.csr</strong></code><br />
+ <br />
Make sure you enter the FQDN ("Fully Qualified Domain Name") of the
server when OpenSSL prompts you for the "CommonName", i.e. when you
generate a CSR for a website which will be later accessed via
<code>https://www.foo.dom/</code>, enter "www.foo.dom" here.
- You can see the details of this CSR via the command
- <p>
- <code><strong>$ openssl req -noout -text -in server.csr</strong></code>
- <p>
+ You can see the details of this CSR via the command<br />
+ <br />
+ <code><strong>$ openssl req -noout -text -in server.csr</strong></code><br />
+ <br />
+ </li>
<li>You now have to send this Certificate Signing Request (CSR) to
a Certifying Authority (CA) for signing. The result is then a real
Certificate which can be used for Apache. Here you have two options:
Thawte. Then you usually have to post the CSR into a web form, pay for
the signing and await the signed Certificate you then can store into a
server.crt file. For more information about commercial CAs have a look
- at the following locations:
- <p>
- <ul>
- <li> Verisign<br>
+ at the following locations:<br />
+ <br />
+ <ol>
+ <li> Verisign<br />
<a href="http://digitalid.verisign.com/server/apacheNotice.htm">
http://digitalid.verisign.com/server/apacheNotice.htm
</a>
- <li> Thawte Consulting<br>
+ </li>
+ <li> Thawte Consulting<br />
<a href="http://www.thawte.com/certs/server/request.html">
http://www.thawte.com/certs/server/request.html
</a>
- <li> CertiSign Certificadora Digital Ltda.<br>
+ </li>
+ <li> CertiSign Certificadora Digital Ltda.<br />
<a href="http://www.certisign.com.br">
http://www.certisign.com.br
</a>
- <li> IKS GmbH<br>
+ </li>
+ <li> IKS GmbH<br />
<a href="http://www.iks-jena.de/produkte/ca/">
http://www.iks-jena.de/produkte/ca/
</a>
- <li> Uptime Commerce Ltd.<br>
+ </li>
+ <li> Uptime Commerce Ltd.<br />
<a href="http://www.uptimecommerce.com">
http://www.uptimecommerce.com
</a>
- <li> BelSign NV/SA<br>
+ </li>
+ <li> BelSign NV/SA<br />
<a href="http://www.belsign.be">
http://www.belsign.be
</a>
- </ul>
- <p>
+ </li>
+ </ol>
+ <br />
Second you can use your own CA and now have to sign the CSR yourself by
this CA. Read the next answer in this FAQ on how to sign a CSR with
your CA yourself.
- You can see the details of the received Certificate via the command:
- <p>
- <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code>
- <p>
+ You can see the details of the received Certificate via the command:<br />
+ <br />
+ <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br />
+ </li>
<li>Now you have two files: <code>server.key</code> and
<code>server.crt</code>. These now can be used as following inside your
Apache's <code>httpd.conf</code> file:
SSLCertificateKeyFile /path/to/this/server.key
</pre>
The <code>server.csr</code> file is no longer needed.
+ </li>
</ol>
-<p>
+</li>
<li><a name="ToC29"></a>
<a name="cert-ownca"></a>
- <strong id="faq">
+ <strong>
How can I create and use my own Certificate Authority (CA)?
</strong>
[<a href="#cert-ownca"><b>L</b></a>]
- <p>
- The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code>
- script provided by OpenSSL. The long and manual answer is this:
- <p>
+ <p>The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code>
+ script provided by OpenSSL. The long and manual answer is this:</p>
+
<ol>
<li>Create a RSA private key for your CA
- (will be Triple-DES encrypted and PEM formatted):
- <p>
- <code><strong>$ openssl genrsa -des3 -out ca.key 1024</strong></code>
- <p>
+ (will be Triple-DES encrypted and PEM formatted):<br />
+ <br />
+ <code><strong>$ openssl genrsa -des3 -out ca.key 1024</strong></code><br />
+ <br />
Please backup this <code>ca.key</code> file and remember the
pass-phrase you currently entered at a secure location.
- You can see the details of this RSA private key via the command
- <p>
- <code><strong>$ openssl rsa -noout -text -in ca.key</strong></code>
- <p>
+ You can see the details of this RSA private key via the command<br />
+ <br />
+ <code><strong>$ openssl rsa -noout -text -in ca.key</strong></code><br />
+ <br />
And you can create a decrypted PEM version (not recommended) of this
- private key via:
- <p>
- <code><strong>$ openssl rsa -in ca.key -out ca.key.unsecure</strong></code>
- <p>
+ private key via:<br />
+ <br />
+ <code><strong>$ openssl rsa -in ca.key -out ca.key.unsecure</strong></code><br />
+ <br />
+ </li>
<li>Create a self-signed CA Certificate (X509 structure)
- with the RSA key of the CA (output will be PEM formatted):
- <p>
- <code><strong>$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt</strong></code>
- <p>
- You can see the details of this Certificate via the command:
- <p>
- <code><strong>$ openssl x509 -noout -text -in ca.crt</strong></code>
- <p>
+ with the RSA key of the CA (output will be PEM formatted):<br />
+ <br />
+ <code><strong>$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt</strong></code><br />
+ <br />
+ You can see the details of this Certificate via the command:<br />
+ <br />
+ <code><strong>$ openssl x509 -noout -text -in ca.crt</strong></code><br />
+ <br />
+ </li>
<li>Prepare a script for signing which is needed because
the ``<code>openssl ca</code>'' command has some strange requirements
and the default OpenSSL config doesn't allow one easily to use
``<code>openssl ca</code>'' directly. So a script named
<code>sign.sh</code> is distributed with the mod_ssl distribution
(subdir <code>pkg.contrib/</code>). Use this script for signing.
- <p>
+ </li>
<li>Now you can use this CA to sign server CSR's in order to create real
SSL Certificates for use inside an Apache webserver (assuming
- you already have a <code>server.csr</code> at hand):
- <p>
- <code><strong>$ ./sign.sh server.csr</strong></code>
- <p>
- This signs the server CSR and results in a <code>server.crt</code> file.
+ you already have a <code>server.csr</code> at hand):<br />
+ <br />
+ <code><strong>$ ./sign.sh server.csr</strong></code><br />
+ <br />
+ This signs the server CSR and results in a <code>server.crt</code> file.<br />
+ </li>
</ol>
-<p>
+</li>
<li><a name="ToC30"></a>
<a name="change-passphrase"></a>
- <strong id="faq">
+ <strong>
How can I change the pass-phrase on my private key file?
</strong>
[<a href="#change-passphrase"><b>L</b></a>]
- <p>
- You simply have to read it with the old pass-phrase and write it again
+ <p>You simply have to read it with the old pass-phrase and write it again
by specifying the new pass-phrase. You can accomplish this with the following
- commands:
- <p>
- <code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br>
- <code><strong>$ mv server.key.new server.key</strong></code><br>
- <p>
- Here you're asked two times for a PEM pass-phrase. At the first
+ commands:</p>
+
+ <p><code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br />
+ <code><strong>$ mv server.key.new server.key</strong></code><br /></p>
+
+ <p>Here you're asked two times for a PEM pass-phrase. At the first
prompt enter the old pass-phrase and at the second prompt
- enter the new pass-phrase.
-<p>
+ enter the new pass-phrase.</p>
+</li>
<li><a name="ToC31"></a>
<a name="remove-passphrase"></a>
- <strong id="faq">
+ <strong>
How can I get rid of the pass-phrase dialog at Apache startup time?
</strong>
[<a href="#remove-passphrase"><b>L</b></a>]
- <p>
- The reason why this dialog pops up at startup and every re-start
+ <p>The reason why this dialog pops up at startup and every re-start
is that the RSA private key inside your server.key file is stored in
encrypted format for security reasons. The pass-phrase is needed to be
able to read and parse this file. When you can be sure that your server is
- secure enough you perform two steps:
- <p>
+ secure enough you perform two steps:</p>
+
<ol>
<li>Remove the encryption from the RSA private key (while
- preserving the original file):
- <p>
- <code><strong>$ cp server.key server.key.org</strong></code><br>
- <code><strong>$ openssl rsa -in server.key.org -out server.key</strong></code>
- <p>
- <li>Make sure the server.key file is now only readable by root:
- <p>
- <code><strong>$ chmod 400 server.key</strong></code>
+ preserving the original file):<br />
+ <br />
+ <code><strong>$ cp server.key server.key.org</strong></code><br />
+ <code><strong>$ openssl rsa -in server.key.org -out server.key</strong></code><br />
+ <br />
+ </li>
+ <li>Make sure the server.key file is now only readable by root:<br />
+ <br />
+ <code><strong>$ chmod 400 server.key</strong></code><br />
+ <br />
+ </li>
</ol>
- <p>
- Now <code>server.key</code> will contain an unencrypted copy of the key.
+ <p>Now <code>server.key</code> will contain an unencrypted copy of the key.
If you point your server at this file it will not prompt you for a
pass-phrase. HOWEVER, if anyone gets this key they will be able to
impersonate you on the net. PLEASE make sure that the permissions on that
file are really such that only root or the web server user can read it
(preferably get your web server to start as root but run as another
- server, and have the key readable only by root).
- <p>
- As an alternative approach you can use the ``<code>SSLPassPhraseDialog
+ server, and have the key readable only by root).</p>
+
+ <p>As an alternative approach you can use the ``<code>SSLPassPhraseDialog
exec:/path/to/program</code>'' facility. But keep in mind that this is
- neither more nor less secure, of course.
-<p>
+ neither more nor less secure, of course.</p>
+</li>
<li><a name="ToC32"></a>
<a name="verify-key"></a>
- <strong id="faq">
+ <strong>
How do I verify that a private key matches its Certificate?
</strong>
[<a href="#verify-key"><b>L</b></a>]
- <p>
- The private key contains a series of numbers. Two of those numbers form
+ <p>The private key contains a series of numbers. Two of those numbers form
the "public key", the others are part of your "private key". The "public
key" bits are also embedded in your Certificate (we get them from your
CSR). To check that the public key in your cert matches the public
portion of your private key, you need to view the cert and the key and
compare the numbers. To view the Certificate and the key run the
- commands:
- <p>
- <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br>
- <code><strong>$ openssl rsa -noout -text -in server.key</strong></code>
- <p>
- The `modulus' and the `public exponent' portions in the key and the
+ commands:</p>
+
+ <p><code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br />
+ <code><strong>$ openssl rsa -noout -text -in server.key</strong></code></p>
+
+ <p>The `modulus' and the `public exponent' portions in the key and the
Certificate must match. But since the public exponent is usually 65537
and it's bothering comparing long modulus you can use the following
- approach:
- <p>
- <code><strong>$ openssl x509 -noout -modulus -in server.crt | openssl md5</strong></code><br>
- <code><strong>$ openssl rsa -noout -modulus -in server.key | openssl md5</strong></code>
- <p>
- And then compare these really shorter numbers. With overwhelming
+ approach:</p>
+
+ <p><code><strong>$ openssl x509 -noout -modulus -in server.crt | openssl md5</strong></code><br />
+ <code><strong>$ openssl rsa -noout -modulus -in server.key | openssl md5</strong></code></p>
+
+ <p>And then compare these really shorter numbers. With overwhelming
probability they will differ if the keys are different. BTW, if I want to
- check to which key or certificate a particular CSR belongs you can compute
- <p>
- <code><strong>$ openssl req -noout -modulus -in server.csr | openssl md5</strong></code>
-<p>
+ check to which key or certificate a particular CSR belongs you can compute</p>
+
+ <p><code><strong>$ openssl req -noout -modulus -in server.csr | openssl md5</strong></code></p>
+</li>
<li><a name="ToC33"></a>
<a name="keysize1"></a>
- <strong id="faq">
+ <strong>
What does it mean when my connections fail with an "alert bad certificate"
error?
</strong>
[<a href="#keysize1"><b>L</b></a>]
- <p>
- Usually when you see errors like ``<tt>OpenSSL: error:14094412: SSL
+ <p>Usually when you see errors like ``<tt>OpenSSL: error:14094412: SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate</tt>'' in the SSL
logfile, this means that the browser was unable to handle the server
certificate/private-key which perhaps contain a RSA-key not equal to 1024
- bits. For instance Netscape Navigator 3.x is one of those browsers.
-<p>
+ bits. For instance Netscape Navigator 3.x is one of those browsers.</p>
+</li>
<li><a name="ToC34"></a>
<a name="keysize2"></a>
- <strong id="faq">
+ <strong>
Why does my 2048-bit private key not work?
</strong>
[<a href="#keysize2"><b>L</b></a>]
- <p>
- The private key sizes for SSL must be either 512 or 1024 for compatibility
+ <p>The private key sizes for SSL must be either 512 or 1024 for compatibility
with certain web browsers. A keysize of 1024 bits is recommended because
keys larger than 1024 bits are incompatible with some versions of Netscape
Navigator and Microsoft Internet Explorer, and with other browsers that
- use RSA's BSAFE cryptography toolkit.
-<p>
+ use RSA's BSAFE cryptography toolkit.</p>
+</li>
<li><a name="ToC35"></a>
<a name="hash-symlinks"></a>
- <strong id="faq">
+ <strong>
Why is client authentication broken after upgrading from
SSLeay version 0.8 to 0.9?
</strong>
[<a href="#hash-symlinks"><b>L</b></a>]
- <p>
- The CA certificates under the path you configured with
+ <p>The CA certificates under the path you configured with
<code>SSLCACertificatePath</code> are found by SSLeay through hash
symlinks. These hash values are generated by the `<code>openssl x509 -noout
-hash</code>' command. But the algorithm used to calculate the hash for a
certificate has changed between SSLeay 0.8 and 0.9. So you have to remove
all old hash symlinks and re-create new ones after upgrading. Use the
- <code>Makefile</code> mod_ssl placed into this directory.
-<p>
+ <code>Makefile</code> mod_ssl placed into this directory.</p>
+</li>
<li><a name="ToC36"></a>
<a name="pem-to-der"></a>
- <strong id="faq">
+ <strong>
How can I convert a certificate from PEM to DER format?
</strong>
[<a href="#pem-to-der"><b>L</b></a>]
- <p>
- The default certificate format for SSLeay/OpenSSL is PEM, which actually
+ <p>The default certificate format for SSLeay/OpenSSL is PEM, which actually
is Base64 encoded DER with header and footer lines. For some applications
(e.g. Microsoft Internet Explorer) you need the certificate in plain DER
format. You can convert a PEM file <code>cert.pem</code> into the
corresponding DER file <code>cert.der</code> with the following command:
- <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code>
-<p>
+ <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code></p>
+</li>
<li><a name="ToC37"></a>
<a name="verisign-getca"></a>
- <strong id="faq">
+ <strong>
I try to install a Verisign certificate. Why can't I find neither the
<code>getca</code> nor <code>getverisign</code> programs Verisign mentions?
</strong>
[<a href="#verisign-getca"><b>L</b></a>]
- <p>
- This is because Verisign has never provided specific instructions
+ <p>This is because Verisign has never provided specific instructions
for Apache+mod_ssl. Rather they tell you what you should do
if you were using C2Net's Stronghold (a commercial Apache
based server with SSL support). The only thing you have to do
<code>SSLCertificateKeyFile</code> directive). For a better
CA-related overview on SSL certificate fiddling you can look at <a
href="http://www.thawte.com/certs/server/keygen/mod_ssl.html">
- Thawte's mod_ssl instructions</a>.
-<p>
+ Thawte's mod_ssl instructions</a>.</p>
+</li>
<li><a name="ToC38"></a>
<a name="gid"></a>
- <strong id="faq">
+ <strong>
Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global
ID) also with mod_ssl?
</strong>
[<a href="#gid"><b>L</b></a>]
- <p>
- Yes, mod_ssl since version 2.1 supports the SGC facility. You don't have
+ <p>Yes, mod_ssl since version 2.1 supports the SGC facility. You don't have
to configure anything special for this, just use a Global ID as your
server certificate. The <i>step up</i> of the clients are then
automatically handled by mod_ssl under run-time. For details please read
- the <tt>README.GlobalID</tt> document in the mod_ssl distribution.
-<p>
+ the <tt>README.GlobalID</tt> document in the mod_ssl distribution.</p>
+</li>
<li><a name="ToC39"></a>
<a name="gid"></a>
- <strong id="faq">
+ <strong>
After I have installed my new Verisign Global ID server certificate, the
browsers complain that they cannot verify the server certificate?
</strong>
[<a href="#gid"><b>L</b></a>]
- <p>
- That is because Verisign uses an intermediate CA certificate between
+ <p>That is because Verisign uses an intermediate CA certificate between
the root CA certificate (which is installed in the browsers) and
the server certificate (which you installed in the server). You
should have received this additional CA certificate from Verisign.
If not, complain to them. Then configure this certificate with the
<code>SSLCertificateChainFile</code> directive in the server. This
makes sure the intermediate CA certificate is send to the browser
- and this way fills the gap in the certificate chain.
+ and this way fills the gap in the certificate chain.</p>
+</li>
</ul>
-<p>
-<br>
+<br />
<h2><a name="ToC40">About SSL Protocol</a></h2>
<ul>
-<p>
<li><a name="ToC41"></a>
<a name="random-errors"></a>
- <strong id="faq">
+ <strong>
Why do I get lots of random SSL protocol errors under heavy server load?
</strong>
[<a href="#random-errors"><b>L</b></a>]
- <p>
- There can be a number of reasons for this, but the main one
+ <p>There can be a number of reasons for this, but the main one
is problems with the SSL session Cache specified by the
<tt>SSLSessionCache</tt> directive. The DBM session cache is most
likely the source of the problem, so trying the SHM session cache or
- no cache at all may help.
-<p>
+ no cache at all may help.</p>
+</li>
<li><a name="ToC42"></a>
<a name="load"></a>
- <strong id="faq">
+ <strong>
Why has my webserver a higher load now that I run SSL there?
</strong>
[<a href="#load"><b>L</b></a>]
- <p>
- Because SSL uses strong cryptographic encryption and this needs a lot of
+ <p>Because SSL uses strong cryptographic encryption and this needs a lot of
number crunching. And because when you request a webpage via HTTPS even
the images are transfered encrypted. So, when you have a lot of HTTPS
- traffic the load increases.
-<p>
+ traffic the load increases.</p>
+</li>
<li><a name="ToC43"></a>
<a name="random"></a>
- <strong id="faq">
+ <strong>
Often HTTPS connections to my server require up to 30 seconds for establishing
the connection, although sometimes it works faster?
</strong>
[<a href="#random"><b>L</b></a>]
- <p>
- Usually this is caused by using a <code>/dev/random</code> device for
+ <p>Usually this is caused by using a <code>/dev/random</code> device for
<code>SSLRandomSeed</code> which is blocking in read(2) calls if not
enough entropy is available. Read more about this problem in the refernce
- chapter under <code>SSLRandomSeed</code>.
-<p>
+ chapter under <code>SSLRandomSeed</code>.</p>
+</li>
<li><a name="ToC44"></a>
<a name="ciphers"></a>
- <strong id="faq">
+ <strong>
What SSL Ciphers are supported by mod_ssl?
</strong>
[<a href="#ciphers"><b>L</b></a>]
- <p>
- Usually just all SSL ciphers which are supported by the
+ <p>Usually just all SSL ciphers which are supported by the
version of OpenSSL in use (can depend on the way you built
- OpenSSL). Typically this at least includes the following:
- <p>
- <ul>
- <li>RC4 with MD5
- <li>RC4 with MD5 (export version restricted to 40-bit key)
- <li>RC2 with MD5
- <li>RC2 with MD5 (export version restricted to 40-bit key)
- <li>IDEA with MD5
- <li>DES with MD5
- <li>Triple-DES with MD5
- </ul>
- <p>
- To determine the actual list of supported ciphers you can
- run the following command:
- <p>
- <code><strong>$ openssl ciphers -v</strong></code><br>
-<p>
+ OpenSSL). Typically this at least includes the following:</p>
+
+ <ol>
+ <li>RC4 with MD5</li>
+ <li>RC4 with MD5 (export version restricted to 40-bit key)</li>
+ <li>RC2 with MD5</li>
+ <li>RC2 with MD5 (export version restricted to 40-bit key)</li>
+ <li>IDEA with MD5</li>
+ <li>DES with MD5</li>
+ <li>Triple-DES with MD5</li>
+ </ol>
+
+ <p>To determine the actual list of supported ciphers you can
+ run the following command:</p>
+ <code><strong>$ openssl ciphers -v</strong></code><br />
+</li>
<li><a name="ToC45"></a>
<a name="cipher-adh"></a>
- <strong id="faq">
+ <strong>
I want to use Anonymous Diffie-Hellman (ADH) ciphers, but I always get ``no
shared cipher'' errors?
</strong>
[<a href="#cipher-adh"><b>L</b></a>]
- <p>
- In order to use Anonymous Diffie-Hellman (ADH) ciphers, it is not enough
+ <p>In order to use Anonymous Diffie-Hellman (ADH) ciphers, it is not enough
to just put ``<code>ADH</code>'' into your <code>SSLCipherSuite</code>.
Additionally you have to build OpenSSL with
``<code>-DSSL_ALLOW_ADH</code>''. Because per default OpenSSL does not
allow ADH ciphers for security reasons. So if you are actually enabling
- these ciphers make sure you are informed about the side-effects.
-<p>
+ these ciphers make sure you are informed about the side-effects.</p>
+</li>
<li><a name="ToC46"></a>
<a name="cipher-shared"></a>
- <strong id="faq">
+ <strong>
I always just get a 'no shared ciphers' error if
I try to connect to my freshly installed server?
</strong>
[<a href="#cipher-shared"><b>L</b></a>]
- <p>
- Either you have messed up your <code>SSLCipherSuite</code>
+ <p>Either you have messed up your <code>SSLCipherSuite</code>
directive (compare it with the pre-configured example in
<code>httpd.conf-dist</code>) or you have choosen the DSA/DH
algorithms instead of RSA when you generated your private key
certificate/key pair). But current browsers like NS or IE only speak
RSA ciphers. The result is the "no shared ciphers" error. To fix
this, regenerate your server certificate/key pair and this time
- choose the RSA algorithm.
-<p>
+ choose the RSA algorithm.</p>
+</li>
<li><a name="ToC47"></a>
<a name="vhosts"></a>
- <strong id="faq">
+ <strong>
Why can't I use SSL with name-based/non-IP-based virtual hosts?
</strong>
[<a href="#vhosts"><b>L</b></a>]
- <p>
- The reason is very technical. Actually it's some sort of a chicken and
+ <p>The reason is very technical. Actually it's some sort of a chicken and
egg problem: The SSL protocol layer stays below the HTTP protocol layer
and encapsulates HTTP. When an SSL connection (HTTPS) is established
Apache/mod_ssl has to negotiate the SSL protocol parameters with the
Apache has to know the <code>Host</code> HTTP header field. For this the
HTTP request header has to be read. This cannot be done before the SSL
handshake is finished. But the information is already needed at the SSL
- handshake phase. Bingo!
-<p>
+ handshake phase. Bingo!</p>
+</li>
<li><a name="ToC48"></a>
<a name="lock-icon"></a>
- <strong id="faq">
+ <strong>
When I use Basic Authentication over HTTPS the lock icon in Netscape browsers
still shows the unlocked state when the dialog pops up. Does this mean the
username/password is still transmitted unencrypted?
</strong>
[<a href="#lock-icon"><b>L</b></a>]
- <p>
- No, the username/password is already transmitted encrypted. The icon in
+ <p>No, the username/password is already transmitted encrypted. The icon in
Netscape browsers is just not really synchronized with the SSL/TLS layer
(it toggles to the locked state when the first part of the actual webpage
data is transferred which is not quite correct) and this way confuses
this layer is above the SSL/TLS layer in HTTPS. And before any HTTP data
communication takes place in HTTPS the SSL/TLS layer has already done the
handshake phase and switched to encrypted communication. So, don't get
- confused by this icon.
-<p>
+ confused by this icon.</p>
+</li>
<li><a name="ToC49"></a>
<a name="io-ie"></a>
- <strong id="faq">
+ <strong>
When I connect via HTTPS to an Apache+mod_ssl+OpenSSL server with Microsoft Internet
Explorer (MSIE) I get various I/O errors. What is the reason?
</strong>
[<a href="#io-ie"><b>L</b></a>]
- <p>
- The first reason is that the SSL implementation in some MSIE versions has
+ <p>The first reason is that the SSL implementation in some MSIE versions has
some subtle bugs related to the HTTP keep-alive facility and the SSL close
notify alerts on socket connection close. Additionally the interaction
between SSL and HTTP/1.1 features are problematic with some MSIE versions,
too. You've to work-around these problems by forcing
Apache+mod_ssl+OpenSSL to not use HTTP/1.1, keep-alive connections or
sending the SSL close notify messages to MSIE clients. This can be done by
- using the following directive in your SSL-aware virtual host section:
+ using the following directive in your SSL-aware virtual host section:</p>
<pre>
SetEnvIf User-Agent ".*MSIE.*" \
<b>nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0</b></pre>
- Additionally it is known some MSIE versions have also problems
+ <p>Additionally it is known some MSIE versions have also problems
with particular ciphers. Unfortunately one cannot workaround these
bugs only for those MSIE particular clients, because the ciphers
are already used in the SSL handshake phase. So a MSIE-specific
has to do more drastic adjustments to the global parameters. But
before you decide to do this, make sure your clients really have
problems. If not, do not do this, because it affects all(!) your
- clients, i.e., also your non-MSIE clients.
- <p>
- The next problem is that 56bit export versions of MSIE 5.x browsers have a
+ clients, i.e., also your non-MSIE clients.</p>
+
+ <p>The next problem is that 56bit export versions of MSIE 5.x browsers have a
broken SSLv3 implementation which badly interacts with OpenSSL versions
greater than 0.9.4. You can either accept this and force your clients to
upgrade their browsers, or you downgrade to OpenSSL 0.9.4 (hmmm), or you
can decide to workaround it by accepting the drawback that your workaround
- will horribly affect also other browsers:
+ will horribly affect also other browsers:</p>
<pre>
SSLProtocol all <b>-SSLv3</b></pre>
- This completely disables the SSLv3 protocol and lets those browsers work.
+ <p>This completely disables the SSLv3 protocol and lets those browsers work.
But usually this is an even less acceptable workaround. A more reasonable
workaround is to address the problem more closely and disable only the
- ciphers which cause trouble.
+ ciphers which cause trouble.</p>
<pre>
SSLCipherSuite ALL:!ADH:<b>!EXPORT56</b>:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</pre>
- This also lets the broken MSIE versions work, but only removes the
- newer 56bit TLS ciphers.
- <p>
- Another problem with MSIE 5.x clients is that they refuse to connect to
+ <p>This also lets the broken MSIE versions work, but only removes the
+ newer 56bit TLS ciphers.</p>
+
+ <p>Another problem with MSIE 5.x clients is that they refuse to connect to
URLs of the form <tt>https://12.34.56.78/</tt> (IP-addresses are used
instead of the hostname), if the server is using the Server Gated
Cryptography (SGC) facility. This can only be avoided by using the fully
qualified domain name (FQDN) of the website in hyperlinks instead, because
- MSIE 5.x has an error in the way it handles the SGC negotiation.
- <p>
- And finally there are versions of MSIE which seem to require that
+ MSIE 5.x has an error in the way it handles the SGC negotiation.</p>
+
+ <p>And finally there are versions of MSIE which seem to require that
an SSL session can be reused (a totally non standard-conforming
behaviour, of course). Connection with those MSIE versions only work
if a SSL session cache is used. So, as a work-around, make sure you
- are using a session cache (see <tt>SSLSessionCache</tt> directive).
-<p>
+ are using a session cache (see <tt>SSLSessionCache</tt> directive).</p>
+</li>
<li><a name="ToC50"></a>
<a name="io-ns"></a>
- <strong id="faq">
+ <strong>
When I connect via HTTPS to an Apache+mod_ssl server with Netscape Navigator I
get I/O errors and the message "Netscape has encountered bad data from the
server" What's the reason?
server certificate. Once you clear the entry in your browser for the old
certificate, everything usually will work fine. Netscape's SSL
implementation is correct, so when you encounter I/O errors with Netscape
- Navigator it is most of the time caused by the configured certificates.
+ Navigator it is most of the time caused by the configured certificates.</p>
+</li>
</ul>
-<p>
-<br>
+<br />
<h2><a name="ToC51">About Support</a></h2>
<ul>
-<p>
<li><a name="ToC52"></a>
<a name="resources"></a>
- <strong id="faq">
+ <strong>
What information resources are available in case of mod_ssl problems?
</strong>
[<a href="#resources"><b>L</b></a>]
- <p>
-The following information resources are available.
-In case of problems you should search here first.
-<p>
-<ol>
-<li><em>Answers in the User Manual's F.A.Q. List (this)</em><br>
- <a href="http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html">
- http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html</a><br>
- First look inside the F.A.Q. (this text), perhaps your problem is such
- popular that it was already answered a lot of times in the past.
-<p>
-<li><em>Postings from the modssl-users Support Mailing List</em>
- <a href="http://www.modssl.org/support/">
- http://www.modssl.org/support/</a><br>
- Second search for your problem in one of the existing archives of the
- modssl-users mailing list. Perhaps your problem popped up at least once for
- another user, too.
-<p>
-<li><em>Problem Reports in the Bug Database</em>
- <a href="http://www.modssl.org/support/bugdb/">
- http://www.modssl.org/support/bugdb/</a><br>
- Third look inside the mod_ssl Bug Database. Perhaps
- someone else already has reported the problem.
-</ol>
-<p>
+ <p>The following information resources are available.
+ In case of problems you should search here first.</p>
+
+ <ol>
+ <li><em>Answers in the User Manual's F.A.Q. List (this)</em><br />
+ <a href="http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html">
+ http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html</a><br />
+ First look inside the F.A.Q. (this text), perhaps your problem is such
+ popular that it was already answered a lot of times in the past.
+ </li>
+ <li><em>Postings from the modssl-users Support Mailing List</em>
+ <a href="http://www.modssl.org/support/">
+ http://www.modssl.org/support/</a><br />
+ Second search for your problem in one of the existing archives of the
+ modssl-users mailing list. Perhaps your problem popped up at least once for
+ another user, too.
+ </li>
+ <li><em>Problem Reports in the Bug Database</em>
+ <a href="http://www.modssl.org/support/bugdb/">
+ http://www.modssl.org/support/bugdb/</a><br />
+ Third look inside the mod_ssl Bug Database. Perhaps
+ someone else already has reported the problem.
+ </li>
+ </ol>
+</li>
<li><a name="ToC53"></a>
<a name="contact"></a>
- <strong id="faq">
+ <strong>
What support contacts are available in case of mod_ssl problems?
</strong>
[<a href="#contact"><b>L</b></a>]
- <p>
-The following lists all support possibilities for mod_ssl, in order of
-preference, i.e. start in this order and do not pick the support possibility
-you just like most, please.
-<p>
-<ol>
-<li><em>Write a Problem Report into the Bug Database</em><br>
- <a href="http://www.modssl.org/support/bugdb/">
- http://www.modssl.org/support/bugdb/</a><br>
- This is the preferred way of submitting your problem report, because this
- way it gets filed into the bug database (it cannot be lost) <em>and</em>
- send to the modssl-users mailing list (others see the current problems and
- learn from answers).
-<p>
-<li><em>Write a Problem Report to the modssl-users Support Mailing List</em><br>
- <a href="mailto:modssl-users@modssl.org">
- modssl-users @ modssl.org</a><br>
- This is the second way of submitting your problem report. You have to
- subscribe to the list first, but then you can easily discuss your problem
- with both the author and the whole mod_ssl user community.
-<p>
-<li><em>Write a Problem Report to the author</em><br>
- <a href="mailto:rse@engelschall.com">
- rse @ engelschall.com</a><br>
- This is the last way of submitting your problem report. Please avoid this
- in your own interest because the author is really a very busy men. Your
- mail will always be filed to one of his various mail-folders and is
- usually not processed as fast as a posting on modssl-users.
-</ol>
-<p>
+ <p>The following lists all support possibilities for mod_ssl, in order of
+ preference, i.e. start in this order and do not pick the support possibility
+ you just like most, please.</p>
+
+ <ol>
+ <li><em>Write a Problem Report into the Bug Database</em><br />
+ <a href="http://www.modssl.org/support/bugdb/">
+ http://www.modssl.org/support/bugdb/</a><br />
+ This is the preferred way of submitting your problem report, because this
+ way it gets filed into the bug database (it cannot be lost) <em>and</em>
+ send to the modssl-users mailing list (others see the current problems and
+ learn from answers).
+ </li>
+ <li><em>Write a Problem Report to the modssl-users Support Mailing List</em><br />
+ <a href="mailto:modssl-users@modssl.org">
+ modssl-users @ modssl.org</a><br />
+ This is the second way of submitting your problem report. You have to
+ subscribe to the list first, but then you can easily discuss your problem
+ with both the author and the whole mod_ssl user community.
+ </li>
+ <li><em>Write a Problem Report to the author</em><br />
+ <a href="mailto:rse@engelschall.com">
+ rse @ engelschall.com</a><br />
+ This is the last way of submitting your problem report. Please avoid this
+ in your own interest because the author is really a very busy men. Your
+ mail will always be filed to one of his various mail-folders and is
+ usually not processed as fast as a posting on modssl-users.
+ </li>
+ </ol>
+</li>
<li><a name="ToC54"></a>
<a name="report-details"></a>
- <strong id="faq">
+ <strong>
What information and details I've to provide to
the author when writing a bug report?
</strong>
[<a href="#report-details"><b>L</b></a>]
- <p>
-You have to at least always provide the following information:
-<p>
-<ul>
-<li><em>Apache, mod_ssl and OpenSSL version information</em><br>
- The mod_ssl version you should really know. For instance, it's the version
- number in the distribution tarball. The Apache version can be determined
- by running ``<code>httpd -v</code>''. The OpenSSL version can be
- determined by running ``<code>openssl version</code>''. Alternatively when
- you have Lynx installed you can run the command ``<code>lynx -mime_header
- http://localhost/ | grep Server</code>'' to determine all information in a
- single step.
-<p>
-<li><em>The details on how you built and installed Apache+mod_ssl+OpenSSL</em><br>
- For this you can provide a logfile of your terminal session which shows
- the configuration and install steps. Alternatively you can at least
- provide the author with the APACI `<code>configure</code>'' command line
- you used (assuming you used APACI, of course).
-<p>
-<li><em>In case of core dumps please include a Backtrace</em><br>
- In case your Apache+mod_ssl+OpenSSL should really dumped core please attach
- a stack-frame ``backtrace'' (see the next question on how to get it).
- Without this information the reason for your core dump cannot be found.
- So you have to provide the backtrace, please.
-<p>
-<li><em>A detailed description of your problem</em><br>
- Don't laugh, I'm totally serious. I already got a lot of problem reports
- where the people not really said what's the actual problem is. So, in your
- own interest (you want the problem be solved, don't you?) include as much
- details as possible, please. But start with the essentials first, of
- course.
-</ul>
-<p>
+ <p>You have to at least always provide the following information:</p>
+
+ <ol>
+ <li><em>Apache, mod_ssl and OpenSSL version information</em><br />
+ The mod_ssl version you should really know. For instance, it's the version
+ number in the distribution tarball. The Apache version can be determined
+ by running ``<code>httpd -v</code>''. The OpenSSL version can be
+ determined by running ``<code>openssl version</code>''. Alternatively when
+ you have Lynx installed you can run the command ``<code>lynx -mime_header
+ http://localhost/ | grep Server</code>'' to determine all information in a
+ single step.
+ </li>
+ <li><em>The details on how you built and installed Apache+mod_ssl+OpenSSL</em><br />
+ For this you can provide a logfile of your terminal session which shows
+ the configuration and install steps. Alternatively you can at least
+ provide the author with the APACI `<code>configure</code>'' command line
+ you used (assuming you used APACI, of course).
+ </li>
+ <li><em>In case of core dumps please include a Backtrace</em><br />
+ In case your Apache+mod_ssl+OpenSSL should really dumped core please attach
+ a stack-frame ``backtrace'' (see the next question on how to get it).
+ Without this information the reason for your core dump cannot be found.
+ So you have to provide the backtrace, please.
+ </li>
+ <li><em>A detailed description of your problem</em><br />
+ Don't laugh, I'm totally serious. I already got a lot of problem reports
+ where the people not really said what's the actual problem is. So, in your
+ own interest (you want the problem be solved, don't you?) include as much
+ details as possible, please. But start with the essentials first, of
+ course.
+ </li>
+ </ol>
+</li>
<li><a name="ToC55"></a>
<a name="core-dumped"></a>
- <strong id="faq">
+ <strong>
I got a core dump, can you help me?
</strong>
[<a href="#core-dumped"><b>L</b></a>]
- <p>
- In general no, at least not unless you provide more details about the code
+ <p>In general no, at least not unless you provide more details about the code
location where Apache dumped core. What is usually always required in
order to help you is a backtrace (see next question). Without this
information it is mostly impossible to find the problem and help you in
- fixing it.
-<p>
+ fixing it.</p>
+</li>
<li><a name="ToC56"></a>
<a name="report-backtrace"></a>
- <strong id="faq">
+ <strong>
Ok, I got a core dump but how do I get a backtrace to find out the reason for it?
</strong>
[<a href="#report-backtrace"><b>L</b></a>]
- <p>
-Follow the following steps:
-<p>
-<ol>
-<li>Make sure you have debugging symbols available in at least
- Apache and mod_ssl. On platforms where you use GCC/GDB you have to build
- Apache+mod_ssl with ``<code>OPTIM="-g -ggdb3"</code>'' to achieve this. On
- other platforms at least ``<code>OPTIM="-g"</code>'' is needed.
-<p>
-<li>Startup the server and try to produce the core-dump. For this you perhaps
- want to use a directive like ``<code>CoreDumpDirectory /tmp</code>'' to
- make sure that the core-dump file can be written. You then should get a
- <code>/tmp/core</code> or <code>/tmp/httpd.core</code> file. When you
- don't get this, try to run your server under an UID != 0 (root), because
- most "current" kernels do not allow a process to dump core after it has
- done a <code>setuid()</code> (unless it does an <code>exec()</code>) for
- security reasons (there can be privileged information left over in
- memory). Additionally you can run ``<code>/path/to/httpd -X</code>''
- manually to force Apache to not fork.
-<p>
-<li>Analyze the core-dump. For this run ``<code>gdb /path/to/httpd
- /tmp/httpd.core</code>'' or a similar command has to run. In GDB you then
- just have to enter the ``<code>bt</code>'' command and, voila, you get the
- backtrace. For other debuggers consult your local debugger manual. Send
- this backtrace to the author.
-</ol>
+ <p>Follow the following steps:</p>
+
+ <ol>
+ <li>Make sure you have debugging symbols available in at least
+ Apache and mod_ssl. On platforms where you use GCC/GDB you have to build
+ Apache+mod_ssl with ``<code>OPTIM="-g -ggdb3"</code>'' to achieve this. On
+ other platforms at least ``<code>OPTIM="-g"</code>'' is needed.
+ </li>
+ <li>Startup the server and try to produce the core-dump. For this you perhaps
+ want to use a directive like ``<code>CoreDumpDirectory /tmp</code>'' to
+ make sure that the core-dump file can be written. You then should get a
+ <code>/tmp/core</code> or <code>/tmp/httpd.core</code> file. When you
+ don't get this, try to run your server under an UID != 0 (root), because
+ most "current" kernels do not allow a process to dump core after it has
+ done a <code>setuid()</code> (unless it does an <code>exec()</code>) for
+ security reasons (there can be privileged information left over in
+ memory). Additionally you can run ``<code>/path/to/httpd -X</code>''
+ manually to force Apache to not fork.
+ </li>
+ <li>Analyze the core-dump. For this run ``<code>gdb /path/to/httpd
+ /tmp/httpd.core</code>'' or a similar command has to run. In GDB you then
+ just have to enter the ``<code>bt</code>'' command and, voila, you get the
+ backtrace. For other debuggers consult your local debugger manual. Send
+ this backtrace to the author.
+ </li>
+ </ol>
+</li>
</ul>
-<p><!--#include virtual="footer.html" --> </p>
+ <!--#include virtual="footer.html" -->
</body>
</html>
<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
-<h1 align="CENTER">SSL/TLS Strong Encryption: Glossary</h1>
+<h1 align="center">SSL/TLS Strong Encryption: Glossary</h1>
<div align="right">
<table cellspacing="0" cellpadding="0" width="300" summary="">
</div>
<dl>
-<dt><div id="term">Authentication</div>
+<dt>Authentication</dt>
<dd>The positive identification of a network entity such as a server, a
client, or a user. In SSL context the server and client
<em>Certificate</em> verification process.
-<p>
-<dt><div id="term">Access Control</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Access Control</dt>
<dd>The restriction of access to network realms. In Apache context
usually the restriction of access to certain <em>URLs</em>.
-<p>
-<dt><div id="term">Algorithm</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Algorithm</dt>
<dd>An unambiguous formula or set of rules for solving a problem in a finite
number of steps. Algorithms for encryption are usually called <em>Ciphers</em>.
-<p>
-<dt><div id="term">Certificate</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Certificate</dt>
<dd>A data record used for authenticating network entities such
as a server or a client. A certificate contains X.509 information pieces
about its owner (called the subject) and the signing <em>Certificate
Authority</em> (called the issuer), plus the owner's public key and the
signature made by the CA. Network entities verify these signatures using
CA certificates.
-<p>
-<dt><div id="term">Certification Authority (CA)</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Certification Authority (CA)</dt>
<dd>A trusted third party whose purpose is to sign certificates for network
entities it has authenticated using secure means. Other network entities
can check the signature to verify that a CA has authenticated the bearer
of a certificate.
-<p>
-<dt><div id="term">Certificate Signing Request (CSR)</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Certificate Signing Request (CSR)</dt>
<dd>An unsigned certificate for submission to a <em>Certification Authority</em>,
which signs it with the <em>Private Key</em> of their CA <em>Certificate</em>. Once
the CSR is signed, it becomes a real certificate.
-<p>
-<dt><div id="term">Cipher</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Cipher</dt>
<dd>An algorithm or system for data encryption. Examples are DES, IDEA, RC4, etc.
-<p>
-<dt><div id="term">Ciphertext</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Ciphertext</dt>
<dd>The result after a <em>Plaintext</em> passed a <em>Cipher</em>.
-<p>
-<dt><div id="term">Configuration Directive</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Configuration Directive</dt>
<dd>A configuration command that controls one or more aspects of a program's
behavior. In Apache context these are all the command names in the first
column of the configuration files.
-<p>
-<dt><div id="term">CONNECT</div>
+</dd>
+</dl>
+
+<dl>
+<dt>CONNECT</dt>
<dd>A HTTP command for proxying raw data channels over HTTP. It can be used to
encapsulate other protocols, such as the SSL protocol.
-<p>
-<dt><div id="term">Digital Signature</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Digital Signature</dt>
<dd>An encrypted text block that validates a certificate or other file. A
<em>Certification Authority</em> creates a signature by generating a
hash of the <em>Public Key</em> embedded in a <em>Certificate</em>, then
encrypting the hash with its own <em>Private Key</em>. Only the CA's
public key can decrypt the signature, verifying that the CA has
authenticated the network entity that owns the <em>Certificate</em>.
-<p>
-<dt><div id="term">Export-Crippled</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Export-Crippled</dt>
<dd>Diminished in cryptographic strength (and security) in order to comply
with the United States' Export Administration Regulations (EAR).
Export-crippled cryptographic software is limited to a small key size,
resulting in <em>Ciphertext</em> which usually can be decrypted by brute
force.
-<p>
-<dt><div id="term">Fully-Qualified Domain-Name (FQDN)</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Fully-Qualified Domain-Name (FQDN)</dt>
<dd>The unique name of a network entity, consisting of a hostname and a domain
name that can resolve to an IP address. For example, <code>www</code> is a
hostname, <code>whatever.com</code> is a domain name, and
<code>www.whatever.com</code> is a fully-qualified domain name.
-<p>
-<dt><div id="term">HyperText Transfer Protocol (HTTP)</div>
+</dd>
+</dl>
+
+<dl>
+<dt>HyperText Transfer Protocol (HTTP)</dt>
<dd>The HyperText Transport Protocol is the standard transmission protocol used
on the World Wide Web.
-<p>
-<dt><div id="term">HTTPS</div>
+</dd>
+</dl>
+
+<dl>
+<dt>HTTPS</dt>
<dd>The HyperText Transport Protocol (Secure), the standard encrypted
communication mechanism on the World Wide Web. This is actually just HTTP
over SSL.
-<p>
-<dt><div id="term">Message Digest</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Message Digest</dt>
<dd>A hash of a message, which can be used to verify that the contents of
the message have not been altered in transit.
-<p>
-<dt><div id="term">OpenSSL</div>
+</dd>
+</dl>
+
+<dl>
+<dt>OpenSSL</dt>
<dd>The Open Source toolkit for SSL/TLS;
see <a href="http://www.openssl.org/">http://www.openssl.org/</a>
-<p>
-<dt><div id="term">Pass Phrase</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Pass Phrase</dt>
<dd>The word or phrase that protects private key files.
It prevents unauthorized users from encrypting them. Usually it's just
the secret encryption/decryption key used for <em>Ciphers</em>.
-<p>
-<dt><div id="term">Plaintext</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Plaintext</dt>
<dd>The unencrypted text.
-<p>
-<dt><div id="term">Private Key</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Private Key</dt>
<dd>The secret key in a <em>Public Key Cryptography</em> system, used to
decrypt incoming messages and sign outgoing ones.
-<p>
-<dt><div id="term">Public Key</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Public Key</dt>
<dd>The publically available key in a <em>Public Key Cryptography</em> system, used to
encrypt messages bound for its owner and to decrypt signatures made by its
owner.
-<p>
-<dt><div id="term">Public Key Cryptography</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Public Key Cryptography</dt>
<dd>The study and application of asymmetric encryption systems, which use one
key for encryption and another for decryption. A corresponding pair of
such keys constitutes a key pair. Also called Asymmetric Crypography.
-<p>
-<dt><div id="term">Secure Sockets Layer (SSL)</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Secure Sockets Layer (SSL)</dt>
<dd>A protocol created by Netscape Communications Corporation for
general communication authentication and encryption over TCP/IP networks.
The most popular usage is <em>HTTPS</em>, i.e. the HyperText Transfer
Protocol (HTTP) over SSL.
-<p>
-<dt><div id="term">Session</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Session</dt>
<dd>The context information of an SSL communication.
-<p>
-<dt><div id="term">SSLeay</div>
+</dd>
+</dl>
+
+<dl>
+<dt>SSLeay</dt>
<dd>The original SSL/TLS implementation library developed by
Eric A. Young <eay@aus.rsa.com>;
see <a href="http://www.ssleay.org/">http://www.ssleay.org/</a>
-<p>
-<dt><div id="term">Symmetric Cryptography</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Symmetric Cryptography</dt>
<dd>The study and application of <em>Ciphers</em> that use a single secret key
for both encryption and decryption operations.
-<p>
-<dt><div id="term">Transport Layer Security (TLS)</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Transport Layer Security (TLS)</dt>
<dd>The successor protocol to SSL, created by the Internet Engineering Task
Force (IETF) for general communication authentication and encryption over
TCP/IP networks. TLS version 1 and is nearly identical with SSL version 3.
-<p>
-<dt><div id="term">Uniform Resource Locator (URL)</div>
+</dd>
+</dl>
+
+<dl>
+<dt>Uniform Resource Locator (URL)</dt>
<dd>The formal identifier to locate various resources on the World Wide Web.
The most popular URL scheme is <code>http</code>. SSL uses the
scheme <code>https</code>
-<p>
-<dt><div id="term">X.509</div>
+</dd>
+</dl>
+
+<dl>
+<dt>X.509</dt>
<dd>An authentication certificate scheme recommended by the International
Telecommunication Union (ITU-T) which is used for SSL/TLS authentication.
+</dd>
</dl>
-<p><!--#include virtual="footer.html" --> </p>
+ <!--#include virtual="footer.html" -->
</body>
</html>
\ No newline at end of file
<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
-<h1 align="CENTER">SSL/TLS Strong Encryption: How-To</h1>
+<h1 align="center">SSL/TLS Strong Encryption: How-To</h1>
<div align="right">
</table>
</div>
-<p>
-How to solve particular security constraints for an SSL-aware webserver
+<p>How to solve particular security constraints for an SSL-aware webserver
is not always obvious because of the coherences between SSL, HTTP and Apache's
way of processing requests. This chapter gives instructions on how to solve
such typical situations. Treat is as a first step to find out the final
solution, but always try to understand the stuff before you use it. Nothing is
worse than using a security solution without knowing its restrictions and
-coherences.
+coherences.</p>
<ul>
<li><a href="#ToC1">Cipher Suites and Enforced Strong Security</a></li>
<h2><a name="ToC1">Cipher Suites and Enforced Strong Security</a></h2>
<ul>
-<p>
<li><a name="ToC2"></a>
<a name="cipher-sslv2"></a>
- <strong id="howto">
+ <strong>
How can I create a real SSLv2-only server?
</strong>
[<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-sslv2"><b>L</b></a>]
- <p>
-The following creates an SSL server which speaks only the SSLv2 protocol and
-its ciphers.
-<p>
-<table border="0" cellpadding="0" cellspacing="0" summary="">
- <tr>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
- <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td colspan="3" bgcolor="#ffffff">
- <table border="0" cellspacing="4" summary="">
- <tr>
- <td>
-<pre>
-
-SSLProtocol -all +SSLv2
-SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
-
-</pre>
-</td>
- </tr>
- </table>
- </td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
-</table>
-<p>
+ <p>The following creates an SSL server which speaks only the SSLv2 protocol and
+ its ciphers.</p>
+ <table border="0" cellpadding="0" cellspacing="0" summary="">
+ <tr>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
+ <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td colspan="3" bgcolor="#ffffff">
+ <table border="0" cellspacing="4" summary="">
+ <tr>
+ <td>
+ <pre>
+
+ SSLProtocol -all +SSLv2
+ SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
+
+ </pre>
+ </td>
+ </tr>
+ </table>
+ </td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ </table>
+</li>
<li><a name="ToC3"></a>
<a name="cipher-strong"></a>
- <strong id="howto">
+ <strong>
How can I create an SSL server which accepts strong encryption only?
</strong>
[<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-strong"><b>L</b></a>]
- <p>
-The following enables only the seven strongest ciphers:
-<p>
-<table border="0" cellpadding="0" cellspacing="0" summary="">
- <tr>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
- <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td colspan="3" bgcolor="#ffffff">
- <table border="0" cellspacing="4" summary="">
- <tr>
- <td>
-<pre>
-
-SSLProtocol all
-SSLCipherSuite HIGH:MEDIUM
-
-</pre>
-</td>
- </tr>
- </table>
- </td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
-</table>
-<p>
+ <p>The following enables only the seven strongest ciphers:</p>
+ <table border="0" cellpadding="0" cellspacing="0" summary="">
+ <tr>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
+ <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td colspan="3" bgcolor="#ffffff">
+ <table border="0" cellspacing="4" summary="">
+ <tr>
+ <td>
+ <pre>
+
+ SSLProtocol all
+ SSLCipherSuite HIGH:MEDIUM
+
+ </pre>
+ </td>
+ </tr>
+ </table>
+ </td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ </table>
+</li>
<li><a name="ToC4"></a>
<a name="cipher-sgc"></a>
- <strong id="howto">
+ <strong>
How can I create an SSL server which accepts strong encryption only,
but allows export browsers to upgrade to stronger encryption?
</strong>
[<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-sgc"><b>L</b></a>]
- <p>
-This facility is called Server Gated Cryptography (SGC) and details you can
-find in the <code>README.GlobalID</code> document in the mod_ssl distribution.
-In short: The server has a Global ID server certificate, signed by a special
-CA certificate from Verisign which enables strong encryption in export
-browsers. This works as following: The browser connects with an export cipher,
-the server sends its Global ID certificate, the browser verifies it and
-subsequently upgrades the cipher suite before any HTTP communication takes
-place. The question now is: How can we allow this upgrade, but enforce strong
-encryption. Or in other words: Browser either have to initially connect with
-strong encryption or have to upgrade to strong encryption, but are not allowed
-to keep the export ciphers. The following does the trick:
-<p>
-<table border="0" cellpadding="0" cellspacing="0" summary="">
- <tr>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
- <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td colspan="3" bgcolor="#ffffff">
- <table border="0" cellspacing="4" summary="">
- <tr>
- <td>
-<pre>
-
-# allow all ciphers for the inital handshake,
-# so export browsers can upgrade via SGC facility
-SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-<Directory /usr/local/apache/htdocs>
-# but finally deny all browsers which haven't upgraded
-SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
-</Directory>
-
-</pre>
-</td>
- </tr>
- </table>
- </td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
-</table>
-<p>
+ <p>This facility is called Server Gated Cryptography (SGC) and details you can
+ find in the <code>README.GlobalID</code> document in the mod_ssl distribution.
+ In short: The server has a Global ID server certificate, signed by a special
+ CA certificate from Verisign which enables strong encryption in export
+ browsers. This works as following: The browser connects with an export cipher,
+ the server sends its Global ID certificate, the browser verifies it and
+ subsequently upgrades the cipher suite before any HTTP communication takes
+ place. The question now is: How can we allow this upgrade, but enforce strong
+ encryption. Or in other words: Browser either have to initially connect with
+ strong encryption or have to upgrade to strong encryption, but are not allowed
+ to keep the export ciphers. The following does the trick:</p>
+ <table border="0" cellpadding="0" cellspacing="0" summary="">
+ <tr>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
+ <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td colspan="3" bgcolor="#ffffff">
+ <table border="0" cellspacing="4" summary="">
+ <tr>
+ <td>
+ <pre>
+
+ # allow all ciphers for the inital handshake,
+ # so export browsers can upgrade via SGC facility
+ SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+ <Directory /usr/local/apache/htdocs>
+ # but finally deny all browsers which haven't upgraded
+ SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
+ </Directory>
+
+ </pre>
+ </td>
+ </tr>
+ </table>
+ </td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ </table>
+</li>
<li><a name="ToC5"></a>
<a name="cipher-perdir"></a>
- <strong id="howto">
+ <strong>
How can I create an SSL server which accepts all types of ciphers in general,
but requires a strong ciphers for access to a particular URL?
</strong>
[<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-perdir"><b>L</b></a>]
- <p>
-Obviously you cannot just use a server-wide <code>SSLCipherSuite</code> which
-restricts the ciphers to the strong variants. But mod_ssl allows you to
-reconfigure the cipher suite in per-directory context and automatically forces
-a renegotiation of the SSL parameters to meet the new configuration. So, the
-solution is:
-<p>
-<table border="0" cellpadding="0" cellspacing="0" summary="">
- <tr>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
- <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td colspan="3" bgcolor="#ffffff">
- <table border="0" cellspacing="4" summary="">
- <tr>
- <td>
-<pre>
-
-# be liberal in general
-SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-<Location /strong/area>
-# but https://hostname/strong/area/ and below requires strong ciphers
-SSLCipherSuite HIGH:MEDIUM
-</Location>
-
-</pre>
-</td>
- </tr>
- </table>
- </td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
-</table>
+ <p>Obviously you cannot just use a server-wide <code>SSLCipherSuite</code> which
+ restricts the ciphers to the strong variants. But mod_ssl allows you to
+ reconfigure the cipher suite in per-directory context and automatically forces
+ a renegotiation of the SSL parameters to meet the new configuration. So, the
+ solution is:</p>
+ <table border="0" cellpadding="0" cellspacing="0" summary="">
+ <tr>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
+ <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td colspan="3" bgcolor="#ffffff">
+ <table border="0" cellspacing="4" summary="">
+ <tr>
+ <td>
+ <pre>
+
+ # be liberal in general
+ SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+ <Location /strong/area>
+ # but https://hostname/strong/area/ and below requires strong ciphers
+ SSLCipherSuite HIGH:MEDIUM
+ </Location>
+
+ </pre>
+ </td>
+ </tr>
+ </table>
+ </td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ </table>
+</li>
</ul>
<h2><a name="ToC6">Client Authentication and Access Control</a></h2>
<ul>
-<p>
<li><a name="ToC7"></a>
<a name="auth-simple"></a>
- <strong id="howto">
+ <strong>
How can I authenticate clients based on certificates when I know all my
clients?
</strong>
[<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-simple"><b>L</b></a>]
- <p>
-When you know your user community (i.e. a closed user group situation), as
-it's the case for instance in an Intranet, you can use plain certificate
-authentication. All you have to do is to create client certificates signed by
-your own CA certificate <code>ca.crt</code> and then verifiy the clients
-against this certificate.
-<p>
-<table border="0" cellpadding="0" cellspacing="0" summary="">
- <tr>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
- <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td colspan="3" bgcolor="#ffffff">
- <table border="0" cellspacing="4" summary="">
- <tr>
- <td>
-<pre>
-
-# require a client certificate which has to be directly
-# signed by our CA certificate in ca.crt
-SSLVerifyClient require
-SSLVerifyDepth 1
-SSLCACertificateFile conf/ssl.crt/ca.crt
-
-</pre>
-</td>
- </tr>
- </table>
- </td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
-</table>
-<p>
+ <p>When you know your user community (i.e. a closed user group situation), as
+ it's the case for instance in an Intranet, you can use plain certificate
+ authentication. All you have to do is to create client certificates signed by
+ your own CA certificate <code>ca.crt</code> and then verifiy the clients
+ against this certificate.</p>
+ <table border="0" cellpadding="0" cellspacing="0" summary="">
+ <tr>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
+ <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td colspan="3" bgcolor="#ffffff">
+ <table border="0" cellspacing="4" summary="">
+ <tr>
+ <td>
+ <pre>
+
+ # require a client certificate which has to be directly
+ # signed by our CA certificate in ca.crt
+ SSLVerifyClient require
+ SSLVerifyDepth 1
+ SSLCACertificateFile conf/ssl.crt/ca.crt
+
+ </pre>
+ </td>
+ </tr>
+ </table>
+ </td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ </table>
+</li>
<li><a name="ToC8"></a>
<a name="auth-selective"></a>
- <strong id="howto">
+ <strong>
How can I authenticate my clients for a particular URL based on certificates
but still allow arbitrary clients to access the remaining parts of the server?
</strong>
[<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-selective"><b>L</b></a>]
- <p>
-For this we again use the per-directory reconfiguration feature of mod_ssl:
-<p>
-<table border="0" cellpadding="0" cellspacing="0" summary="">
- <tr>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
- <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td colspan="3" bgcolor="#ffffff">
- <table border="0" cellspacing="4" summary="">
- <tr>
- <td>
-<pre>
-
-SSLVerifyClient none
-SSLCACertificateFile conf/ssl.crt/ca.crt
-<Location /secure/area>
-SSLVerifyClient require
-SSLVerifyDepth 1
-</Location>
-
-</pre>
-</td>
- </tr>
- </table>
- </td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
-</table>
-<p>
+ <p>For this we again use the per-directory reconfiguration feature of mod_ssl:</p>
+ <table border="0" cellpadding="0" cellspacing="0" summary="">
+ <tr>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
+ <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td colspan="3" bgcolor="#ffffff">
+ <table border="0" cellspacing="4" summary="">
+ <tr>
+ <td>
+ <pre>
+
+ SSLVerifyClient none
+ SSLCACertificateFile conf/ssl.crt/ca.crt
+ <Location /secure/area>
+ SSLVerifyClient require
+ SSLVerifyDepth 1
+ </Location>
+
+ </pre>
+ </td>
+ </tr>
+ </table>
+ </td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ </table>
+</li>
<li><a name="ToC9"></a>
<a name="auth-particular"></a>
- <strong id="howto">
+ <strong>
How can I authenticate only particular clients for a some URLs based
on certificates but still allow arbitrary clients to access the remaining
parts of the server?
</strong>
[<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-particular"><b>L</b></a>]
- <p>
-The key is to check for various ingredients of the client certficate. Usually
-this means to check the whole or part of the Distinguished Name (DN) of the
-Subject. For this two methods exists: The <code>mod_auth</code> based variant
-and the <code>SSLRequire</code> variant. The first method is good when the
-clients are of totally different type, i.e. when their DNs have no common
-fields (usually the organisation, etc.). In this case you've to establish a
-password database containing <em>all</em> clients. The second method is better
-when your clients are all part of a common hierarchy which is encoded into the
-DN. Then you can match them more easily.
-<p>
-The first method:
-<p>
-<table border="0" cellpadding="0" cellspacing="0" summary="">
- <tr>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
- <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td colspan="3" bgcolor="#ffffff">
- <table border="0" cellspacing="4" summary="">
- <tr>
- <td>
-<pre>
-
-SSLVerifyClient none
-<Directory /usr/local/apache/htdocs/secure/area>
-SSLVerifyClient require
-SSLVerifyDepth 5
-SSLCACertificateFile conf/ssl.crt/ca.crt
-SSLCACertificatePath conf/ssl.crt
-SSLOptions +FakeBasicAuth
-SSLRequireSSL
-AuthName "Snake Oil Authentication"
-AuthType Basic
-AuthUserFile /usr/local/apache/conf/httpd.passwd
-require valid-user
-</Directory>
-
-</pre>
-</td>
- </tr>
- </table>
- </td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
-</table>
-<p>
-<table border="0" cellpadding="0" cellspacing="0" summary="">
- <tr>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
- <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.passwd</font> </td>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td colspan="3" bgcolor="#ffffff">
- <table border="0" cellspacing="4" summary="">
- <tr>
- <td>
-<pre>
-
-/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
-/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
-/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA
-
-</pre>
-</td>
- </tr>
- </table>
- </td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
-</table>
-<p>
-The second method:
-<p>
-<table border="0" cellpadding="0" cellspacing="0" summary="">
- <tr>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
- <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td colspan="3" bgcolor="#ffffff">
- <table border="0" cellspacing="4" summary="">
- <tr>
- <td>
-<pre>
-
-SSLVerifyClient none
-<Directory /usr/local/apache/htdocs/secure/area>
-SSLVerifyClient require
-SSLVerifyDepth 5
-SSLCACertificateFile conf/ssl.crt/ca.crt
-SSLCACertificatePath conf/ssl.crt
-SSLOptions +FakeBasicAuth
-SSLRequireSSL
-SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and \
- %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
-</Directory>
-
-</pre>
-</td>
- </tr>
- </table>
- </td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
-</table>
-<p>
+ <p>The key is to check for various ingredients of the client certficate. Usually
+ this means to check the whole or part of the Distinguished Name (DN) of the
+ Subject. For this two methods exists: The <code>mod_auth</code> based variant
+ and the <code>SSLRequire</code> variant. The first method is good when the
+ clients are of totally different type, i.e. when their DNs have no common
+ fields (usually the organisation, etc.). In this case you've to establish a
+ password database containing <em>all</em> clients. The second method is better
+ when your clients are all part of a common hierarchy which is encoded into the
+ DN. Then you can match them more easily.</p>
+
+ <p>The first method:</p>
+ <table border="0" cellpadding="0" cellspacing="0" summary="">
+ <tr>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
+ <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td colspan="3" bgcolor="#ffffff">
+ <table border="0" cellspacing="4" summary="">
+ <tr>
+ <td>
+ <pre>
+
+ SSLVerifyClient none
+ <Directory /usr/local/apache/htdocs/secure/area>
+ SSLVerifyClient require
+ SSLVerifyDepth 5
+ SSLCACertificateFile conf/ssl.crt/ca.crt
+ SSLCACertificatePath conf/ssl.crt
+ SSLOptions +FakeBasicAuth
+ SSLRequireSSL
+ AuthName "Snake Oil Authentication"
+ AuthType Basic
+ AuthUserFile /usr/local/apache/conf/httpd.passwd
+ require valid-user
+ </Directory>
+
+ </pre>
+ </td>
+ </tr>
+ </table>
+ </td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ </table>
+<br />
+ <table border="0" cellpadding="0" cellspacing="0" summary="">
+ <tr>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
+ <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.passwd</font> </td>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td colspan="3" bgcolor="#ffffff">
+ <table border="0" cellspacing="4" summary="">
+ <tr>
+ <td>
+ <pre>
+
+ /C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
+ /C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
+ /C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA
+
+ </pre>
+ </td>
+ </tr>
+ </table>
+ </td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ </table>
+
+ <p>The second method:</p>
+ <table border="0" cellpadding="0" cellspacing="0" summary="">
+ <tr>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
+ <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td colspan="3" bgcolor="#ffffff">
+ <table border="0" cellspacing="4" summary="">
+ <tr>
+ <td>
+ <pre>
+
+ SSLVerifyClient none
+ <Directory /usr/local/apache/htdocs/secure/area>
+ SSLVerifyClient require
+ SSLVerifyDepth 5
+ SSLCACertificateFile conf/ssl.crt/ca.crt
+ SSLCACertificatePath conf/ssl.crt
+ SSLOptions +FakeBasicAuth
+ SSLRequireSSL
+ SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and \
+ %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
+ </Directory>
+
+ </pre>
+ </td>
+ </tr>
+ </table>
+ </td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ </table>
+</li>
<li><a name="ToC10"></a>
<a name="auth-intranet"></a>
- <strong id="howto"> How can
+ <strong> How can
I require HTTPS with strong ciphers and either basic authentication or client
certificates for access to a subarea on the Intranet website for clients
coming from the Internet but still allow plain HTTP access for clients on the
Intranet?
</strong>
[<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-intranet"><b>L</b></a>]
- <p>
-Let us assume the Intranet can be distinguished through the IP network
-192.160.1.0/24 and the subarea on the Intranet website has the URL
-<tt>/subarea</tt>. Then configure the following outside your HTTPS virtual
-host (so it applies to both HTTPS and HTTP):
-<p>
-<table border="0" cellpadding="0" cellspacing="0" summary="">
- <tr>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td>
- <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
- <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td>
- <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- <td colspan="3" bgcolor="#ffffff">
- <table border="0" cellspacing="4" summary="">
- <tr>
- <td>
-<pre>
-
-SSLCACertificateFile conf/ssl.crt/company-ca.crt
-
-<Directory /usr/local/apache/htdocs>
-# Outside the subarea only Intranet access is granted
-Order deny,allow
-Deny from all
-Allow from 192.168.1.0/24
-</Directory>
-
-<Directory /usr/local/apache/htdocs/subarea>
-# Inside the subarea any Intranet access is allowed
-# but from the Internet only HTTPS + Strong-Cipher + Password
-# or the alternative HTTPS + Strong-Cipher + Client-Certificate
-
-# If HTTPS is used, make sure a strong cipher is used.
-# Additionally allow client certs as alternative to basic auth.
-SSLVerifyClient optional
-SSLVerifyDepth 1
-SSLOptions +FakeBasicAuth +StrictRequire
-SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
-
-# Force clients from the Internet to use HTTPS
-RewriteEngine on
-RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
-RewriteCond %{HTTPS} !=on
-RewriteRule .* - [F]
-
-# Allow Network Access and/or Basic Auth
-Satisfy any
-
-# Network Access Control
-Order deny,allow
-Deny from all
-Allow 192.168.1.0/24
-
-# HTTP Basic Authentication
-AuthType basic
-AuthName "Protected Intranet Area"
-AuthUserFile conf/protected.passwd
-Require valid-user
-</Directory>
-
-</pre>
-</td>
- </tr>
- </table>
- </td>
-
- <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
- <tr>
- <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td>
- </tr>
-</table>
+ <p>Let us assume the Intranet can be distinguished through the IP network
+ 192.160.1.0/24 and the subarea on the Intranet website has the URL
+ <tt>/subarea</tt>. Then configure the following outside your HTTPS virtual
+ host (so it applies to both HTTPS and HTTP):</p>
+
+ <table border="0" cellpadding="0" cellspacing="0" summary="">
+ <tr>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td>
+ <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td>
+ <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ <td colspan="3" bgcolor="#ffffff">
+ <table border="0" cellspacing="4" summary="">
+ <tr>
+ <td>
+ <pre>
+
+ SSLCACertificateFile conf/ssl.crt/company-ca.crt
+
+ <Directory /usr/local/apache/htdocs>
+ # Outside the subarea only Intranet access is granted
+ Order deny,allow
+ Deny from all
+ Allow from 192.168.1.0/24
+ </Directory>
+
+ <Directory /usr/local/apache/htdocs/subarea>
+ # Inside the subarea any Intranet access is allowed
+ # but from the Internet only HTTPS + Strong-Cipher + Password
+ # or the alternative HTTPS + Strong-Cipher + Client-Certificate
+
+ # If HTTPS is used, make sure a strong cipher is used.
+ # Additionally allow client certs as alternative to basic auth.
+ SSLVerifyClient optional
+ SSLVerifyDepth 1
+ SSLOptions +FakeBasicAuth +StrictRequire
+ SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
+
+ # Force clients from the Internet to use HTTPS
+ RewriteEngine on
+ RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
+ RewriteCond %{HTTPS} !=on
+ RewriteRule .* - [F]
+
+ # Allow Network Access and/or Basic Auth
+ Satisfy any
+
+ # Network Access Control
+ Order deny,allow
+ Deny from all
+ Allow 192.168.1.0/24
+
+ # HTTP Basic Authentication
+ AuthType basic
+ AuthName "Protected Intranet Area"
+ AuthUserFile conf/protected.passwd
+ Require valid-user
+ </Directory>
+
+ </pre>
+ </td>
+ </tr>
+ </table>
+ </td>
+
+ <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ <tr>
+ <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td>
+ </tr>
+ </table>
+</li>
</ul>
-<p><!--#include virtual="footer.html" --> </p>
+ <!--#include virtual="footer.html" -->
</body>
</html>
<body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
-<h1 align="CENTER">SSL/TLS Strong Encryption: An Introduction</h1>
+<h1 align="center">SSL/TLS Strong Encryption: An Introduction</h1>
<div align="right">
<table cellspacing="0" cellpadding="0" width="400" summary="">
</tr>
</table>
</div>
-<p>
-As an introduction this chapter is aimed at readers who are familiar
+<p>As an introduction this chapter is aimed at readers who are familiar
with the Web, HTTP, and Apache, but are not security experts. It is not
intended to be a definitive guide to the SSL protocol, nor does it discuss
specific techniques for managing certificates in an organization, or the
important legal issues of patents and import and export restrictions. Rather,
it is intended to provide a common background to mod_ssl users by pulling
together various concepts, definitions, and examples as a starting point for
-further exploration.
-<p>
-The presented content is mainly derived, with permission by the author, from
+further exploration.</p>
+
+<p>The presented content is mainly derived, with permission by the author, from
the article <a
href="http://www.ultranet.com/~fhirsch/Papers/wwwj/index.html"><em>Introducing SSL
and Certificates using SSLeay</em></a> from <a
href="mailto:fjh@alum.mit.edu">Frederick Hirsch</a> (the original
article author) and all negative feedback to <a
href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> (the mod_ssl
-author).
-</td>
-<td>
-
-</td>
-<td>
+author).</p>
<ul>
<li><a href="#ToC1">Cryptographic Techniques</a></li>
</ul>
<h2><a name="ToC1">Cryptographic Techniques</a></h2>
-Understanding SSL requires an understanding of cryptographic algorithms,
+<p>Understanding SSL requires an understanding of cryptographic algorithms,
message digest functions (aka. one-way or hash functions), and digital
signatures. These techniques are the subject of entire books (see for instance
[<a href="#AC96">AC96</a>]) and provide the basis for privacy, integrity, and
-authentication.
+authentication.</p>
<h3><a name="ToC2">Cryptographic Algorithms</a></h3>
-Suppose Alice wants to send a message to her bank to transfer some money.
+<p>Suppose Alice wants to send a message to her bank to transfer some money.
Alice would like the message to be private, since it will include information
such as her account number and transfer amount. One solution is to use a
cryptographic algorithm, a technique that would transform her message into an
form, the message may only be interpreted through the use of a secret key.
Without the key the message is useless: good cryptographic algorithms make it
so difficult for intruders to decode the original text that it isn't worth
-their effort.
-<p>
-There are two categories of cryptographic algorithms:
-conventional and public key.
+their effort.</p>
+<p>There are two categories of cryptographic algorithms:
+conventional and public key.</p>
<ul>
<li><em>Conventional cryptography</em>, also known as symmetric
cryptography, requires the sender and receiver to share a key: a secret
If this key is secret, then nobody other than the sender or receiver may
read the message. If Alice and the bank know a secret key, then they
may send each other private messages. The task of privately choosing a key
-before communicating, however, can be problematic.
-<p>
+before communicating, however, can be problematic.<br />
+<br />
+</li>
<li><em>Public key cryptography</em>, also known as asymmetric cryptography,
solves the key exchange problem by defining an algorithm which uses two keys,
each of which may be used to encrypt a message. If one key is used to encrypt
a message then the other must be used to decrypt it. This makes it possible
to receive secure messages by simply publishing one key (the public key) and
keeping the other secret (the private key).
-<p>
-Anyone may encrypt a message using the public key, but only the owner of the
+</li>
+</ul>
+<p>Anyone may encrypt a message using the public key, but only the owner of the
private key will be able to read it. In this way, Alice may send private
messages to the owner of a key-pair (the bank), by encrypting it using their
-public key. Only the bank will be able to decrypt it.
-</ul>
+public key. Only the bank will be able to decrypt it.</p>
+
<h3><a name="ToC3">Message Digests</a></h3>
-Although Alice may encrypt her message to make it private, there is still a
+<p>Although Alice may encrypt her message to make it private, there is still a
concern that someone might modify her original message or substitute
it with a different one, in order to transfer the money to themselves, for
instance. One way of guaranteeing the integrity of Alice's message is to
create a concise summary of her message and send this to the bank as well.
Upon receipt of the message, the bank creates its own summary and compares it
-with the one Alice sent. If they agree then the message was received intact.
-<p>
-A summary such as this is called a <em>message digest</em>, <em>one-way
+with the one Alice sent. If they agree then the message was received intact.</p>
+<p>A summary such as this is called a <em>message digest</em>, <em>one-way
function</em> or <em>hash function</em>. Message digests are used to create
short, fixed-length representations of longer, variable-length messages.
Digest algorithms are designed to produce unique digests for different
messages. Message digests are designed to make it too difficult to determine
the message from the digest, and also impossible to find two different
messages which create the same digest -- thus eliminating the possibility of
-substituting one message for another while maintaining the same digest.
-<p>
-Another challenge that Alice faces is finding a way to send the digest to the
+substituting one message for another while maintaining the same digest.</p>
+<p>Another challenge that Alice faces is finding a way to send the digest to the
bank securely; when this is achieved, the integrity of the associated message
is assured. One way to to this is to include the digest in a digital
-signature.
+signature.</p>
<h3><a name="ToC4">Digital Signatures</a></h3>
-When Alice sends a message to the bank, the bank needs to ensure that the
+<p>When Alice sends a message to the bank, the bank needs to ensure that the
message is really from her, so an intruder does not request a transaction
involving her account. A <em>digital signature</em>, created by Alice and
-included with the message, serves this purpose.
-<p>
-Digital signatures are created by encrypting a digest of the message,
+included with the message, serves this purpose.</p>
+<p>Digital signatures are created by encrypting a digest of the message,
and other information (such as a sequence number) with the sender's
private key. Though anyone may <em>decrypt</em> the signature using the public
key, only the signer knows the private key. This means that only they may
have signed it. Including the digest in the signature means the signature is
only good for that message; it also ensures the integrity of the message since
-no one can change the digest and still sign it.
-<p>
-To guard against interception and reuse of the signature by an intruder at a
+no one can change the digest and still sign it.</p>
+<p>To guard against interception and reuse of the signature by an intruder at a
later date, the signature contains a unique sequence number. This protects
the bank from a fraudulent claim from Alice that she did not send the message
--- only she could have signed it (non-repudiation).
+-- only she could have signed it (non-repudiation).</p>
<h2><a name="ToC5">Certificates</a></h2>
-Although Alice could have sent a private message to the bank, signed it, and
+<p>Although Alice could have sent a private message to the bank, signed it, and
ensured the integrity of the message, she still needs to be sure that she is
really communicating with the bank. This means that she needs to be sure that
the public key she is using corresponds to the bank's private key. Similarly,
the bank also needs to verify that the message signature really corresponds to
-Alice's signature.
-<p>
-If each party has a certificate which validates the other's identity, confirms
+Alice's signature.</p>
+<p>If each party has a certificate which validates the other's identity, confirms
the public key, and is signed by a trusted agency, then they both will be
assured that they are communicating with whom they think they are. Such a
trusted agency is called a <em>Certificate Authority</em>, and certificates are
-used for authentication.
+used for authentication.</p>
<h3><a name="ToC6">Certificate Contents</a></h3>
-A certificate associates a public key with the real identity of an individual,
+<p>A certificate associates a public key with the real identity of an individual,
server, or other entity, known as the subject. As shown in <a
href="#table1">Table 1</a>, information about the subject includes identifying
information (the distinguished name), and the public key. It also includes
the identification and signature of the Certificate Authority that issued the
certificate, and the period of time during which the certificate is valid. It
may have additional information (or extensions) as well as administrative
-information for the Certificate Authority's use, such as a serial number.
-<p>
+information for the Certificate Authority's use, such as a serial number.</p>
<div align="center">
<a name="table1"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
-<caption align="bottom" id="sf">Table 1: Certificate Information</caption>
-<tr><td bgcolor="#cccccc">
-<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
-<tr><td valign="top" align="center" bgcolor="#ffffff">
-<table summary="">
-<tr valign="top"><td><b>Subject:</b></td>
-<td>Distinguished Name, Public Key</td></tr>
-<tr valign="top"><td><b>Issuer:</b></td>
-<td>Distinguished Name, Signature</td></tr>
-<tr><td><b>Period of Validity:</b></td>
-<td>Not Before Date, Not After Date</td></tr>
-<tr><td><b>Administrative Information:</b></td>
-<td>Version, Serial Number</td></TR>
-<tr><td><b>Extended Information:</b></td>
-<td>Basic Contraints, Netscape Flags, etc.</td></TR>
+ <caption align="bottom">Table 1: Certificate Information</caption>
+ <tr>
+ <td bgcolor="#cccccc">
+ <table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
+ <tr>
+ <td valign="top" align="center" bgcolor="#ffffff">
+ <table summary="">
+ <tr valign="top">
+ <td><b>Subject:</b></td>
+ <td>Distinguished Name, Public Key</td>
+ </tr>
+ <tr valign="top">
+ <td><b>Issuer:</b></td>
+ <td>Distinguished Name, Signature</td>
+ </tr>
+ <tr>
+ <td><b>Period of Validity:</b></td>
+ <td>Not Before Date, Not After Date</td>
+ </tr>
+ <tr>
+ <td><b>Administrative Information:</b></td>
+ <td>Version, Serial Number</td>
+ </tr>
+ <tr>
+ <td><b>Extended Information:</b></td>
+ <td>Basic Contraints, Netscape Flags, etc.</td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
</table>
-</td>
-</tr></table>
-</td></tr></table>
</div>
-<p>
-A distinguished name is used to provide an identity in a specific context --
+<p>A distinguished name is used to provide an identity in a specific context --
for instance, an individual might have a personal certificate as well as one
for their identity as an employee. Distinguished names are defined by the
-X.509 standard [<a href="#X509">X509</A>], which defines the fields, field
+X.509 standard [<a href="#X509">X509</a>], which defines the fields, field
names, and abbreviations used to refer to the fields
-(see <a href="#table2">Table 2</a>).
-<p>
+(see <a href="#table2">Table 2</a>).</p>
+
<div align="center">
<a name="table2"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
-<caption align="bottom" id="sf">Table 2: Distinguished Name Information</caption>
-<tr><td bgcolor="#cccccc">
-<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
-<tr><td valign="top" align="center" bgcolor="#ffffff">
-<table summary="">
-<tr valign="top"><td><b>DN Field:</b></td><td><b>Abbrev.:</b></td><td><b>Description:</b></td>
-<td><b>Example:</b></td>
-</t>
-<tr valign="top"><td>Common Name</td><td>CN</td>
-<td>Name being certified</td><td>CN=Joe Average</td></tr>
-<tr valign="top"><td>Organization or Company</td><td>O</td>
-<td>Name is associated with this<br>organization</td><td>O=Snake Oil, Ltd.</td></tr>
-<tr valign="top"><td>Organizational Unit</td><td>OU</td>
-<td>Name is associated with this <br>organization unit, such as a department</td><td>OU=Research Institute</td></tr>
-<tr valign="top"><td>City/Locality</td><td>L</td>
-<td>Name is located in this City</td><td>L=Snake City</td></tr>
-<tr valign="top"><td>State/Province</td><td>ST</td>
-<td>Name is located in this State/Province</td><td>ST=Desert</td></tr>
-<tr valign="top"><td>Country</td><td>C</td>
-<td>Name is located in this Country (ISO code)</td><td>C=XZ</td></tr>
+ <caption align="bottom">Table 2: Distinguished Name Information</caption>
+ <tr>
+ <td bgcolor="#cccccc">
+ <table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
+ <tr>
+ <td valign="top" align="center" bgcolor="#ffffff">
+ <table summary="">
+ <tr valign="top">
+ <td><b>DN Field:</b></td>
+ <td><b>Abbrev.:</b></td>
+ <td><b>Description:</b></td>
+ <td><b>Example:</b></td>
+ </tr>
+ <tr valign="top">
+ <td>Common Name</td>
+ <td>CN</td>
+ <td>Name being certified</td>
+ <td>CN=Joe Average</td>
+ </tr>
+ <tr valign="top">
+ <td>Organization or Company</td>
+ <td>O</td>
+ <td>Name is associated with this<br />organization</td>
+ <td>O=Snake Oil, Ltd.</td>
+ </tr>
+ <tr valign="top">
+ <td>Organizational Unit</td>
+ <td>OU</td>
+ <td>Name is associated with this <br />organization unit, such as a department</td>
+ <td>OU=Research Institute</td>
+ </tr>
+ <tr valign="top">
+ <td>City/Locality</td>
+ <td>L</td>
+ <td>Name is located in this City</td>
+ <td>L=Snake City</td>
+ </tr>
+ <tr valign="top">
+ <td>State/Province</td>
+ <td>ST</td>
+ <td>Name is located in this State/Province</td>
+ <td>ST=Desert</td>
+ </tr>
+ <tr valign="top">
+ <td>Country</td>
+ <td>C</td>
+ <td>Name is located in this Country (ISO code)</td>
+ <td>C=XZ</td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
</table>
-</td>
-</tr></table>
-</td></tr></table>
</div>
-<p>
-A Certificate Authority may define a policy specifying which distinguished
+<p>A Certificate Authority may define a policy specifying which distinguished
field names are optional, and which are required. It may also place
requirements upon the field contents, as may users of certificates. As an
example, a Netscape browser requires that the Common Name for a certificate
representing a server has a name which matches a wildcard pattern for the
-domain name of that server, such as <code>*.snakeoil.com</code>.
-<p>
-The binary format of a certificate is defined using the ASN.1 notation [ <a
+domain name of that server, such as <code>*.snakeoil.com</code>.</p>
+<p>The binary format of a certificate is defined using the ASN.1 notation [ <a
href="#X208">X208</a>] [<a href="#PKCS">PKCS</a>]. This notation defines how to
specify the contents, and encoding rules define how this information is
translated into binary form. The binary encoding of the certificate is
handle binary, the binary form may be translated into an ASCII form by using
Base64 encoding [<a href="#MIME">MIME</a>]. This encoded version is called PEM
encoded (the name comes from "Privacy Enhanced Mail"), when placed between
-begin and end delimiter lines as illustrated in <a href="#table3">Table 3</a>.
-<p>
+begin and end delimiter lines as illustrated in <a href="#table3">Table 3</a>.</p>
+
<div align="center">
<a name="table3"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
-<caption align="bottom" id="sf">Table 3: Example of a PEM-encoded certificate (snakeoil.crt)</caption>
+<caption align="bottom">Table 3: Example of a PEM-encoded certificate (snakeoil.crt)</caption>
<tr><td bgcolor="#cccccc">
<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
<tr><td valign="top" align="center" bgcolor="#ffffff">
</td></tr></table>
</div>
<h3><a name="ToC7">Certificate Authorities</a></h3>
-By first verifying the information in a certificate request before granting
+<p>By first verifying the information in a certificate request before granting
the certificate, the Certificate Authority assures the identity of the private
key owner of a key-pair. For instance, if Alice requests a personal
certificate, the Certificate Authority must first make sure that Alice really
-is the person the certificate request claims.
+is the person the certificate request claims.</p>
<h4><a name="ToC8">Certificate Chains</a></h4>
-A Certificate Authority may also issue a certificate for another Certificate
+<p>A Certificate Authority may also issue a certificate for another Certificate
Authority. When examining a certificate, Alice may need to examine the
certificate of the issuer, for each parent Certificate Authority, until
reaching one which she has confidence in. She may decide to trust only
certificates with a limited chain of issuers, to reduce her risk of a "bad"
-certificate in the chain.
+certificate in the chain.</p>
<h4><a name="ToC9">Creating a Root-Level CA</a></h4>
-As noted earlier, each certificate requires an issuer to assert the validity
+<p>As noted earlier, each certificate requires an issuer to assert the validity
of the identity of the certificate subject, up to the top-level Certificate
Authority (CA). This presents a problem: Since this is who vouches for the
certificate of the top-level authority, which has no issuer?
care in trusting a self-signed certificate. The wide publication of a public
key by the root authority reduces the risk in trusting this key -- it would be
obvious if someone else publicized a key claiming to be the authority.
-Browsers are preconfigured to trust well-known certificate authorities.
-<p>
-A number of companies, such as <a href="http://www.thawte.com/">Thawte</a> and
+Browsers are preconfigured to trust well-known certificate authorities.</p>
+<p>A number of companies, such as <a href="http://www.thawte.com/">Thawte</a> and
<a href="http://www.verisign.com/">VeriSign</a> have established themselves as
-Certificate Authorities. These companies provide the following services:
+Certificate Authorities. These companies provide the following services:</p>
<ul>
-<li>Verifying certificate requests
-<li>Processing certificate requests
-<li>Issuing and managing certificates
+<li>Verifying certificate requests</li>
+<li>Processing certificate requests</li>
+<li>Issuing and managing certificates</li>
</ul>
-<p>
-It is also possible to create your own Certificate Authority. Although risky
+<p>It is also possible to create your own Certificate Authority. Although risky
in the Internet environment, it may be useful within an Intranet where the
-organization can easily verify the identities of individuals and servers.
+organization can easily verify the identities of individuals and servers.</p>
<h4><a name="ToC10">Certificate Management</a></h4>
-Establishing a Certificate Authority is a responsibility which requires a
+<p>Establishing a Certificate Authority is a responsibility which requires a
solid administrative, technical, and management framework.
Certificate Authorities not only issue certificates, they also manage them --
that is, they determine how long certificates are valid, they renew them, and
the certificate alone that it has been revoked.
When examining certificates for validity, therefore, it is necessary to
contact the issuing Certificate Authority to check CRLs -- this is not usually
-an automated part of the process.
-<p>
-<div align="center"><B>Note:</B></div>
-If you use a Certificate Authority that is not configured into browsers by
+an automated part of the process.</p>
+<div align="center"><b>Note:</b></div>
+<p>If you use a Certificate Authority that is not configured into browsers by
default, it is necessary to load the Certificate Authority certificate into
the browser, enabling the browser to validate server certificates signed by
that Certificate Authority. Doing so may be dangerous, since once loaded, the
-browser will accept all certificates signed by that Certificate Authority.
+browser will accept all certificates signed by that Certificate Authority.</p>
<h2><a name="ToC11">Secure Sockets Layer (SSL)</a></h2>
-The Secure Sockets Layer protocol is a protocol layer which may be placed
+<p>The Secure Sockets Layer protocol is a protocol layer which may be placed
between a reliable connection-oriented network layer protocol (e.g. TCP/IP)
and the application protocol layer (e.g. HTTP). SSL provides for secure
communication between client and server by allowing mutual authentication, the
-use of digital signatures for integrity, and encryption for privacy.
-<p>
-The protocol is designed to support a range of choices for specific algorithms
+use of digital signatures for integrity, and encryption for privacy.</p>
+<p>The protocol is designed to support a range of choices for specific algorithms
used for cryptography, digests, and signatures. This allows algorithm
selection for specific servers to be made based on legal, export or other
concerns, and also enables the protocol to take advantage of new algorithms.
Choices are negotiated between client and server at the start of establishing
-a protocol session.
-<p>
+a protocol session.</p>
<div align="center">
<a name="table4"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
-<caption align="bottom" id="sf">Table 4: Versions of the SSL protocol</caption>
-<tr><td bgcolor="#cccccc">
-<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
-<tr><td valign="top" align="center" bgcolor="#ffffff">
-<table summary="">
-<tr valign="top">
-<td><b>Version:</b></td>
-<td><b>Source:</b></td>
-<td><b>Description:</b></td>
-<td><b>Browser Support:</b></td>
-</tr>
-<tr valign="top">
-<td>SSL v2.0</td>
-<td>Vendor Standard (from Netscape Corp.) [<a href="#SSL2">SSL2</a>]</td>
-<td>First SSL protocol for which implementations exists</td>
-<td>- NS Navigator 1.x/2.x<br>
- - MS IE 3.x<br>
- - Lynx/2.8+OpenSSL
-</td>
-</tr>
-<tr valign="top">
-<td>SSL v3.0</td>
-<td>Expired Internet Draft (from Netscape Corp.) [<a href="#SSL3">SSL3</a>]</td>
-<td>Revisions to prevent specific security attacks, add non-RSA ciphers, and support for certificate chains</td>
-<td>- NS Navigator 2.x/3.x/4.x<br>
- - MS IE 3.x/4.x<br>
- - Lynx/2.8+OpenSSL
-</td>
-</tr>
-<tr valign="top">
-<td>TLS v1.0</td>
-<td>Proposed Internet Standard (from IETF) [<a href="#TLS1">TLS1</a>]</td>
-<td>Revision of SSL 3.0 to update the MAC layer to HMAC, add block padding for
- block ciphers, message order standardization and more alert messages.
-</td>
-<td>- Lynx/2.8+OpenSSL</td>
+ <caption align="bottom">Table 4: Versions of the SSL protocol</caption>
+ <tr>
+ <td bgcolor="#cccccc">
+ <table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
+ <tr>
+ <td valign="top" align="center" bgcolor="#ffffff">
+ <table summary="">
+ <tr valign="top">
+ <td><b>Version:</b></td>
+ <td><b>Source:</b></td>
+ <td><b>Description:</b></td>
+ <td><b>Browser Support:</b></td>
+ </tr>
+ <tr valign="top">
+ <td>SSL v2.0</td>
+ <td>Vendor Standard (from Netscape Corp.) [<a href="#SSL2">SSL2</a>]</td>
+ <td>First SSL protocol for which implementations exists</td>
+ <td>- NS Navigator 1.x/2.x<br />
+ - MS IE 3.x<br />
+ - Lynx/2.8+OpenSSL
+ </td>
+ </tr>
+ <tr valign="top">
+ <td>SSL v3.0</td>
+ <td>Expired Internet Draft (from Netscape Corp.) [<a href="#SSL3">SSL3</a>]</td>
+ <td>Revisions to prevent specific security attacks, add non-RSA ciphers, and support for certificate chains</td>
+ <td>- NS Navigator 2.x/3.x/4.x<br />
+ - MS IE 3.x/4.x<br />
+ - Lynx/2.8+OpenSSL
+ </td>
+ </tr>
+ <tr valign="top">
+ <td>TLS v1.0</td>
+ <td>Proposed Internet Standard (from IETF) [<a href="#TLS1">TLS1</a>]</td>
+ <td>Revision of SSL 3.0 to update the MAC layer to HMAC, add block padding for
+ block ciphers, message order standardization and more alert messages.
+ </td>
+ <td>- Lynx/2.8+OpenSSL</td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
</table>
-</td>
-</tr></table>
-</td></tr></table>
</div>
-<p>
-There are a number of versions of the SSL protocol, as shown in <a
+<p>There are a number of versions of the SSL protocol, as shown in <a
href="#table4">Table 4</a>. As noted there, one of the benefits in SSL 3.0 is
that it adds support of certificate chain loading. This feature allows a
server to pass a server certificate along with issuer certificates to the
browser. Chain loading also permits the browser to validate the server
certificate, even if Certificate Authority certificates are not installed for
the intermediate issuers, since they are included in the certificate chain.
-SSL 3.0 is the basis for the Transport Layer Security [<A
-HREF="#TLS1">TLS</A>] protocol standard, currently in development by the
-Internet Engineering Task Force (IETF).
+SSL 3.0 is the basis for the Transport Layer Security [<a
+href="#TLS1">TLS</a>] protocol standard, currently in development by the
+Internet Engineering Task Force (IETF).</p>
<h3><a name="ToC12">Session Establishment</a></h3>
-The SSL session is established by following a <I>handshake sequence</I>
+<p>The SSL session is established by following a <a>handshake sequence</a>
between client and server, as shown in <a href="#figure1">Figure 1</a>. This
sequence may vary, depending on whether the server is configured to provide a
server certificate or request a client certificate. Though cases exist where
additional handshake steps are required for management of cipher information,
this article summarizes one common scenario: see the SSL specification for the
-full range of possibilities.
-<p>
+full range of possibilities.</p>
<div align="center"><b>Note</b></div>
-Once an SSL session has been established it may be reused, thus avoiding the
+<p>Once an SSL session has been established it may be reused, thus avoiding the
performance penalty of repeating the many steps needed to start a session.
For this the server assigns each SSL session a unique session identifier which
is cached in the server and which the client can use on forthcoming
connections to reduce the handshake (until the session identifer expires in
-the cache of the server).
-<p>
+the cache of the server).</p>
<div align="center">
<a name="figure1"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
-<caption align="bottom" id="sf">Figure 1: Simplified SSL Handshake Sequence</caption>
-<tr><td bgcolor="#cccccc">
-<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
-<tr><td valign="top" align="center" bgcolor="#ffffff">
-<img src="ssl_intro_fig1.gif" alt="" width="423" height="327">
-</td>
-</tr></table>
-</td></tr></table>
+ <caption align="bottom">Figure 1: Simplified SSL Handshake Sequence</caption>
+ <tr>
+ <td bgcolor="#cccccc">
+ <table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
+ <tr>
+ <td valign="top" align="center" bgcolor="#ffffff">
+ <img src="ssl_intro_fig1.gif" alt="" width="423" height="327" />
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ </table>
</div>
-<p>
-The elements of the handshake sequence, as used by the client and server, are
-listed below:
+<p>The elements of the handshake sequence, as used by the client and server, are
+listed below:</p>
<ol>
-<li>Negotiate the Cipher Suite to be used during data transfer
-<li>Establish and share a session key between client and server
-<li>Optionally authenticate the server to the client
-<li>Optionally authenticate the client to the server
+<li>Negotiate the Cipher Suite to be used during data transfer</li>
+<li>Establish and share a session key between client and server</li>
+<li>Optionally authenticate the server to the client</li>
+<li>Optionally authenticate the client to the server</li>
</ol>
-<p>
-The first step, Cipher Suite Negotiation, allows the client and server to
+<p>The first step, Cipher Suite Negotiation, allows the client and server to
choose a Cipher Suite supportable by both of them. The SSL3.0 protocol
specification defines 31 Cipher Suites. A Cipher Suite is defined by the
-following components:
+following components:</p>
<ul>
-<li>Key Exchange Method
-<li>Cipher for Data Transfer
-<li>Message Digest for creating the Message Authentication Code (MAC)
+<li>Key Exchange Method</li>
+<li>Cipher for Data Transfer</li>
+<li>Message Digest for creating the Message Authentication Code (MAC)</li>
</ul>
-These three elements are described in the sections that follow.
+<p>These three elements are described in the sections that follow.</p>
<h3><a name="ToC13">Key Exchange Method</a></h3>
-The key exchange method defines how the shared secret symmetric cryptography
+<p>The key exchange method defines how the shared secret symmetric cryptography
key used for application data transfer will be agreed upon by client and
server. SSL 2.0 uses RSA key exchange only, while SSL 3.0 supports a choice of
key exchange algorithms including the RSA key exchange when certificates are
used, and Diffie-Hellman key exchange for exchanging keys without certificates
-and without prior communication between client and server.
-<p>
-One variable in the choice of key exchange methods is digital signatures --
+and without prior communication between client and server.</p>
+<p>One variable in the choice of key exchange methods is digital signatures --
whether or not to use them, and if so, what kind of signatures to use.
Signing with a private key provides assurance against a
man-in-the-middle-attack during the information exchange used in generating
-the shared key [<a href="#AC96">AC96</a>, p516].
+the shared key [<a href="#AC96">AC96</a>, p516].</p>
<h3><a name="ToC14">Cipher for Data Transfer</a></h3>
-SSL uses the conventional cryptography algorithm (symmetric cryptography)
+<p>SSL uses the conventional cryptography algorithm (symmetric cryptography)
described earlier for encrypting messages in a session. There are nine
-choices, including the choice to perform no encryption:
+choices, including the choice to perform no encryption:</p>
<ul>
-<li>No encryption
+<li>No encryption</li>
<li>Stream Ciphers
<ul>
- <li>RC4 with 40-bit keys
- <li>RC4 with 128-bit keys
+ <li>RC4 with 40-bit keys</li>
+ <li>RC4 with 128-bit keys</li>
</ul>
+</li>
<li>CBC Block Ciphers
<ul>
- <li>RC2 with 40 bit key
- <li>DES with 40 bit key
- <li>DES with 56 bit key
- <li>Triple-DES with 168 bit key
- <li>Idea (128 bit key)
- <li>Fortezza (96 bit key)
+ <li>RC2 with 40 bit key</li>
+ <li>DES with 40 bit key</li>
+ <li>DES with 56 bit key</li>
+ <li>Triple-DES with 168 bit key</li>
+ <li>Idea (128 bit key)</li>
+ <li>Fortezza (96 bit key)</li>
</ul>
+</li>
</ul>
-Here "CBC" refers to Cipher Block Chaining, which means that a portion of the
+<p>Here "CBC" refers to Cipher Block Chaining, which means that a portion of the
previously encrypted cipher text is used in the encryption of the current
block. "DES" refers to the Data Encryption Standard [<a href="#AC96">AC96</a>,
ch12], which has a number of variants (including DES40 and 3DES_EDE). "Idea"
is one of the best and cryptographically strongest available algorithms, and
"RC2" is a proprietary algorithm from RSA DSI [<a href="#AC96">AC96</a>,
-ch13].
+ch13].</p>
<h3><a name="ToC15">Digest Function</a></h3>
-The choice of digest function determines how a digest is created from a record
-unit. SSL supports the following:
+<p>The choice of digest function determines how a digest is created from a record
+unit. SSL supports the following:</p>
<ul>
-<li>No digest (Null choice)
-<li>MD5, a 128-bit hash
-<li>Secure Hash Algorithm (SHA-1), a 160-bit hash
+<li>No digest (Null choice)</li>
+<li>MD5, a 128-bit hash</li>
+<li>Secure Hash Algorithm (SHA-1), a 160-bit hash</li>
</ul>
-The message digest is used to create a Message Authentication Code (MAC) which
+<p>The message digest is used to create a Message Authentication Code (MAC) which
is encrypted with the message to provide integrity and to prevent against
-replay attacks.
+replay attacks.</p>
<h3><a name="ToC16">Handshake Sequence Protocol</a></h3>
-The handshake sequence uses three protocols:
+<p>The handshake sequence uses three protocols:</p>
<ul>
<li>The <em>SSL Handshake Protocol</em>
for performing the client and server SSL session establishment.
+</li>
<li>The <em>SSL Change Cipher Spec Protocol</em> for actually establishing agreement
on the Cipher Suite for the session.
+</li>
<li>The <em>SSL Alert Protocol</em> for
conveying SSL error messages between client and server.
+</li>
</ul>
These protocols, as well as application protocol data, are encapsulated in the
<em>SSL Record Protocol</em>, as shown in <a href="#figure2">Figure 2</a>. An
encapsulated protocol is transferred as data by the lower layer protocol,
which does not examine the data. The encapsulated protocol has no knowledge of
the underlying protocol.
-<p>
<div align="center">
<a name="figure2"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
-<caption align="bottom" id="sf">Figure 2: SSL Protocol Stack</caption>
-<tr><td bgcolor="#cccccc">
-<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
-<tr><td valign="top" align="center" bgcolor="#ffffff">
-<img src="ssl_intro_fig2.gif" alt="" width="428" height="217">
-</td>
-</tr></table>
-</td></tr></table>
+ <caption align="bottom">Figure 2: SSL Protocol Stack</caption>
+ <tr>
+ <td bgcolor="#cccccc">
+ <table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
+ <tr>
+ <td valign="top" align="center" bgcolor="#ffffff">
+ <img src="ssl_intro_fig2.gif" alt="" width="428" height="217" />
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+</table>
</div>
-<p>
-The encapsulation of SSL control protocols by the record protocol means that
+<p>The encapsulation of SSL control protocols by the record protocol means that
if an active session is renegotiated the control protocols will be transmitted
securely. If there were no session before, then the Null cipher suite is
used, which means there is no encryption and messages have no integrity
-digests until the session has been established.
+digests until the session has been established.</p>
<h3><a name="ToC17">Data Transfer</a></h3>
-The SSL Record Protocol, shown in <a href="#figure3">Figure 3</a>, is used to
+
<p>The SSL Record Protocol, shown in <a href="#figure3">Figure 3</a>, is used to
transfer application and SSL Control data between the client and server,
possibly fragmenting this data into smaller units, or combining multiple
higher level protocol data messages into single units. It may compress, attach
digest signatures, and encrypt these units before transmitting them using the
underlying reliable transport protocol (Note: currently all major SSL
-implementations lack support for compression).
-<p>
+implementations lack support for compression).</p>
<div align="center">
<a name="figure3"></a>
<table width="600" cellspacing="0" cellpadding="1" border="0" summary="">
-<caption align="bottom" id="sf">Figure 3: SSL Record Protocol</caption>
-<tr><td bgcolor="#cccccc">
-<table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
-<tr><td valign="top" align="center" bgcolor="#ffffff">
-<img src="ssl_intro_fig3.gif" alt="" width="423" height="323">
-</td>
-</tr></table>
-</td></tr></table>
+ <caption align="bottom">Figure 3: SSL Record Protocol</caption>
+ <tr>
+ <td bgcolor="#cccccc">
+ <table width="598" cellpadding="5" cellspacing="0" border="0" summary="">
+ <tr>
+ <td valign="top" align="center" bgcolor="#ffffff">
+ <img src="ssl_intro_fig3.gif" alt="" width="423" height="323" />
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+</table>
</div>
<h3><a name="ToC18">Securing HTTP Communication</a></h3>
-One common use of SSL is to secure Web HTTP communication between a browser
+<p>One common use of SSL is to secure Web HTTP communication between a browser
and a webserver. This case does not preclude the use of non-secured HTTP. The
secure version is mainly plain HTTP over SSL (named HTTPS), but with one major
difference: it uses the URL scheme <code>https</code> rather than
<code>http</code> and a different server port (by default 443). This mainly
-is what mod_ssl provides to you for the Apache webserver...
+is what mod_ssl provides to you for the Apache webserver...</p>
<h2><a name="ToC19">References</a></h2>
<ul>
-<p>
<li><a name="AC96"></a>
[AC96] Bruce Schneier, <em>Applied Cryptography</em>, 2nd Edition, Wiley,
1996. See <a href="http://www.counterpane.com/">http://www.counterpane.com/</a> for
various other materials by Bruce Schneier.
-<p>
+</li>
<li><a name="X208"></a>
[X208] ITU-T Recommendation X.208, <em>Specification of Abstract Syntax Notation
One (ASN.1)</em>, 1988. See for instance <a
href="ftp://ftp.neda.com/pub/itu/x.series/x208.ps">
ftp://ftp.neda.com/pub/itu/x.series/x208.ps</a>.
-<p>
+</li>
<li><a name="X509"></a>
[X509] ITU-T Recommendation X.509, <em>The Directory - Authentication
Framework</em>, 1988. See for instance <a
href="ftp://ftp.bull.com/pub/OSIdirectory/ITUnov96/X.509/97x509final.doc">
ftp://ftp.bull.com/pub/OSIdirectory/ITUnov96/X.509/97x509final.doc</a>.
-<p>
+</li>
<li><a name="PKCS"></a>
[PKCS] Kaliski, Burton S., Jr., <em>An Overview of the PKCS Standards</em>, An RSA
Laboratories Technical Note, revised November 1, 1993.
See <a href="http://www.rsa.com/rsalabs/pubs/PKCS/">
http://www.rsa.com/rsalabs/pubs/PKCS/</a>.
-<p>
+</li>
<li><a name="MIME"></a>
[MIME] N. Freed, N. Borenstein, <em>Multipurpose Internet Mail Extensions
(MIME) Part One: Format of Internet Message Bodies</em>, RFC2045.
See for instance <a href="ftp://ftp.isi.edu/in-notes/rfc2045.txt">
ftp://ftp.isi.edu/in-notes/rfc2045.txt</a>.
-<p>
+</li>
<li><a name="SSL2"></a>
[SSL2] Kipp E.B. Hickman, <em>The SSL Protocol</em>, 1995.
See <a href="http://www.netscape.com/eng/security/SSL_2.html">
http://www.netscape.com/eng/security/SSL_2.html</a>.
-<p>
+</li>
<li><a name="SSL3"></a>
[SSL3] Alan O. Freier, Philip Karlton, Paul C. Kocher, <em>The SSL Protocol
Version 3.0</em>, 1996. See <a
href="http://www.netscape.com/eng/ssl3/draft302.txt">
http://www.netscape.com/eng/ssl3/draft302.txt</a>.
-<p>
+</li>
<li><a name="TLS1"></a>
[TLS1] Tim Dierks, Christopher Allen, <em>The TLS Protocol Version 1.0</em>,
1997. See <a
href="ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-protocol-06.txt">
ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-protocol-06.txt</a>.
+</li>
</ul>
-<p><!--#include virtual="footer.html" --> </p>
+ <!--#include virtual="footer.html" -->
</body>
</html>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Stopping and Restarting the Server</h1>
+ <h1 align="center">Stopping and Restarting the Server</h1>
<p>This document covers stopping and restarting Apache on
Unix-like systems. Windows users should see <a
timeouts. In practice it doesn't seem to affect anything either
-- in a test case the server was restarted twenty times per
second and clients successfully browsed the site without
- getting broken images or empty documents.
+ getting broken images or empty documents. </p>
<!--#include virtual="footer.html" -->
- </p>
</body>
</html>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Apache suEXEC Support</h1>
+ <h1 align="center">Apache suEXEC Support</h1>
<ol>
<li><big><strong>CONTENTS</strong></big></li>
<h3><a id="what" name="what">What is suEXEC?</a></h3>
- <p align="LEFT">The <strong>suEXEC</strong> feature provides
+ <p align="left">The <strong>suEXEC</strong> feature provides
Apache users the ability
to run <strong>CGI</strong> and <strong>SSI</strong> programs
under user IDs different from the user ID of the calling
web-server. Normally, when a CGI or SSI program executes, it
runs as the same user who is running the web server.</p>
- <p align="LEFT">Used properly, this feature can reduce
+ <p align="left">Used properly, this feature can reduce
considerably the security risks involved with allowing users to
develop and run private CGI or SSI programs. However, if suEXEC
is improperly configured, it can cause any number of problems
security issues they present, we highly recommend that you not
consider using suEXEC.</p>
- <p align="
CENTER"><strong><a href="suexec.html">BACK TO
+ <p align="
center"><strong><a href="suexec.html">BACK TO
CONTENTS</a></strong></p>
<h3><a id="before" name="before">Before we begin.</a></h3>
- <p align="LEFT">Before jumping head-first into this document,
+ <p align="left">Before jumping head-first into this document,
you should be aware of the assumptions made on the part of the
Apache Group and this document.</p>
- <p align="LEFT">First, it is assumed that you are using a UNIX
+ <p align="left">First, it is assumed that you are using a UNIX
derivate operating system that is capable of
<strong>setuid</strong> and <strong>setgid</strong> operations.
All command examples are given in this regard. Other platforms,
if they are capable of supporting suEXEC, may differ in their
configuration.</p>
- <p align="LEFT">Second, it is assumed you are familiar with
+ <p align="left">Second, it is assumed you are familiar with
some basic concepts of your computer's security and its
administration. This involves an understanding of
<strong>setuid/setgid</strong> operations and the various
effects they may have on your system and its level of
security.</p>
- <p align="LEFT">Third, it is assumed that you are using an
+ <p align="left">Third, it is assumed that you are using an
<strong>unmodified</strong> version of suEXEC code. All code
for suEXEC has been carefully scrutinized and tested by the
developers as well as numerous beta testers. Every precaution
particulars of security programming and are willing to share
your work with the Apache Group for consideration.</p>
- <p align="LEFT">Fourth, and last, it has been the decision of
+ <p align="left">Fourth, and last, it has been the decision of
the Apache Group to <strong>NOT</strong> make suEXEC part of
the default installation of Apache. To this end, suEXEC
configuration requires of the administrator careful attention
installation only to those who are careful and determined
enough to use it.</p>
- <p align="LEFT">Still with us? Yes? Good. Let's move on!</p>
+ <p align="left">Still with us? Yes? Good. Let's move on!</p>
- <p align="
CENTER"><strong><a href="suexec.html">BACK TO
+ <p align="
center"><strong><a href="suexec.html">BACK TO
CONTENTS</a></strong></p>
<h3><a id="model" name="model">suEXEC Security Model</a></h3>
- <p align="LEFT">Before we begin configuring and installing
+ <p align="left">Before we begin configuring and installing
suEXEC, we will first discuss the security model you are about
to implement. By doing so, you may better understand what
exactly is going on inside suEXEC and what precautions are
taken to ensure your system's security.</p>
- <p align="LEFT"><strong>suEXEC</strong> is based on a setuid
+ <p align="left"><strong>suEXEC</strong> is based on a setuid
"wrapper" program that is called by the main Apache web server.
This wrapper is called when an HTTP request is made for a CGI
or SSI program that the administrator has designated to run as
program's name and the user and group IDs under which the
program is to execute.</p>
- <p align="LEFT">The wrapper then employs the following process
+ <p align="left">The wrapper then employs the following process
to determine success or failure -- if any one of these
conditions fail, the program logs the failure and exits with an
error, otherwise it will continue:</p>
<br />
- <p align="LEFT">This is the standard operation of the the
+ <p align="left">This is the standard operation of the the
suEXEC wrapper's security model. It is somewhat stringent and
can impose new limitations and guidelines for CGI/SSI design,
but it was developed carefully step-by-step with security in
mind.</p>
- <p align="LEFT">For more information as to how this security
+ <p align="left">For more information as to how this security
model can limit your possibilities in regards to server
configuration, as well as what security risks can be avoided
with a proper suEXEC setup, see the <a
href="#jabberwock">"Beware the Jabberwock"</a> section of this
document.</p>
- <p align="
CENTER"><strong><a href="suexec.html">BACK TO
+ <p align="
center"><strong><a href="suexec.html">BACK TO
CONTENTS</a></strong></p>
<h3><a id="install" name="install">Configuring & Installing
suEXEC</a></h3>
- <p align="LEFT">Here's where we begin the fun.</p>
+ <p align="left">Here's where we begin the fun.</p>
- <p align="LEFT"><strong>suEXEC configuration
+ <p align="left"><strong>suEXEC configuration
options</strong><br />
</p>
<br />
- <p align="LEFT"><strong>Checking your suEXEC
+ <p align="left"><strong>Checking your suEXEC
setup</strong><br />
Before you compile and install the suEXEC wrapper you can
check the configuration with the --layout option.<br />
<br />
- <p align="LEFT"><strong>Compiling and installing the suEXEC
+ <p align="left"><strong>Compiling and installing the suEXEC
wrapper</strong><br />
If you have enabled the suEXEC feature with the
--enable-suexec option the suexec binary (together with Apache
owner <code><em>root</em></code> and must have the setuserid
execution bit set for file modes.</p>
- <p align="
CENTER"><strong><a href="suexec.html">BACK TO
+ <p align="
center"><strong><a href="suexec.html">BACK TO
CONTENTS</a></strong></p>
<h3><a id="enable" name="enable">Enabling & Disabling
suEXEC</a></h3>
- <p align="LEFT">Upon startup of Apache, it looks for the file
+ <p align="left">Upon startup of Apache, it looks for the file
"suexec" in the "sbin" directory (default is
"/usr/local/apache/sbin/suexec"). If Apache finds a properly
configured suEXEC wrapper, it will print the following message
<br />
- <p align="
CENTER"><strong><a href="suexec.html">BACK TO
+ <p align="
center"><strong><a href="suexec.html">BACK TO
CONTENTS</a></strong></p>
<h3><a id="usage" name="usage">Using suEXEC</a></h3>
- <p align="LEFT"><strong>Virtual Hosts:</strong><br />
+ <p align="left"><strong>Virtual Hosts:</strong><br />
One way to use the suEXEC wrapper is through the <a
href="mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a>
directive in <a
meet the scrutiny of the <a href="#model">security checks</a>
above.</p>
- <p align="
CENTER"><strong><a href="suexec.html">BACK TO
+ <p align="
center"><strong><a href="suexec.html">BACK TO
CONTENTS</a></strong></p>
<h3><a id="debug" name="debug">Debugging suEXEC</a></h3>
- <p align="LEFT">The suEXEC wrapper will write log information
+ <p align="left">The suEXEC wrapper will write log information
to the file defined with the --with-suexec-logfile option as
indicated above. If you feel you have configured and installed
the wrapper properly, have a look at this log and the error_log
for the server to see where you may have gone astray.</p>
- <p align="
CENTER"><strong><a href="suexec.html">BACK TO
+ <p align="
center"><strong><a href="suexec.html">BACK TO
CONTENTS</a></strong></p>
<h3><a id="jabberwock" name="jabberwock">Beware the Jabberwock:
Warnings & Examples</a></h3>
- <p align="LEFT"><strong>NOTE!</strong> This section may not be
+ <p align="left"><strong>NOTE!</strong> This section may not be
complete. For the latest revision of this section of the
documentation, see the Apache Group's <a
href="http://www.apache.org/docs/suexec.html">Online
Documentation</a> version.</p>
- <p align="LEFT">There are a few points of interest regarding
+ <p align="left">There are a few points of interest regarding
the wrapper that can cause limitations on server setup. Please
review these before submitting any "bugs" regarding suEXEC.</p>
</li>
</ul>
- <p align="
CENTER"><strong><a href="suexec.html">BACK TO
+ <p align="
center"><strong><a href="suexec.html">BACK TO
CONTENTS</a></strong></p>
<!--#include virtual="footer.html" -->
</body>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Upgrading to 2.0 from 1.3</h1>
+ <h1 align="center">Upgrading to 2.0 from 1.3</h1>
<p>In order to assist folks upgrading, we maintain a document
describing information critical to existing Apache users. These
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">An In-Depth Discussion of Virtual Host
+ <h1 align="center">An In-Depth Discussion of Virtual Host
Matching</h1>
<p>The virtual host code was completely rewritten in
alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Virtual Host examples for common setups</h1>
+ <h1 align="center">Virtual Host examples for common setups</h1>
<p>This document attempts to answer the commonly-asked questions about
setting up virtual hosts. These scenarios are those involving multiple
there is one.</p>
<hr />
- <h3><a id="#ipport" name="#ipport">Mixed port-based and ip-based
+ <h3><a id="ipport" name="ipport">Mixed port-based and ip-based
virtual hosts</a></h3>
<p><strong>Setup:</strong></p>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">File Descriptor Limits</h1>
+ <h1 align="center">File Descriptor Limits</h1>
<p>When using a large number of Virtual Hosts, Apache may run
out of available file descriptors (sometimes called <cite>file
of your log format string:</p>
<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>
- LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost<br>
+ LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost<br />
CustomLog logs/multiple_vhost_log vhost
</code></td></tr></table></blockquote>
<hr />
- <h3 align="CENTER">Apache HTTP Server Version 2.0</h3>
+ <h3 align="center">Apache HTTP Server Version 2.0</h3>
<a href="./"><img src="../images/index.gif" alt="Index" /></a>
<a href="../"><img src="../images/home.gif" alt="Home" /></a>
- <div align="CENTER">
+ <div align="center">
<img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" />
<h3>Apache HTTP Server Version 2.0</h3>
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Apache Virtual Host documentation</h1>
+ <h1 align="center">Apache Virtual Host documentation</h1>
<p>The term <cite>Virtual Host</cite> refers to the practice of
running more than one web site (such as
<li><a href="../mod/core.html#serverpath">ServerPath</a></li>
<li><b>See also</b> <a
- href="../mod/mod_vhost_alias.html">mod_vhost_alias</a>
+ href="../mod/mod_vhost_alias.html">mod_vhost_alias</a></li>
</ul>
<p>If you are trying to debug your virtual host configuration, you
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Apache IP-based Virtual Host Support</h1>
+ <h1 align="center">Apache IP-based Virtual Host Support</h1>
<strong>See also:</strong> <a href="name-based.html">Name-based
Virtual Hosts Support</a>
<hr />
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Dynamically configured mass virtual
+ <h1 align="center">Dynamically configured mass virtual
hosting</h1>
<p>This document describes how to efficiently serve an
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
- <h1 align="CENTER">Name-based Virtual Host Support</h1>
+ <h1 align="center">Name-based Virtual Host Support</h1>
<p>This document describes when and how to use name-based virtual hosts.</p>
<h2><a name="using">Using Name-based Virtual Hosts</a></h2>
<table border="1">
-<tr><td align="top">
-<strong>Related Directives</strong><br><br>
+<tr><td valign="top">
+<strong>Related Directives</strong><br /><br />
<a href="../mod/core.html#documentroot">DocumentRoot</a><br />
<a href="../mod/core.html#namevirtualhost">NameVirtualHost</a><br />
projects / apache / commitdiff