provides an interface to the <a
href="http://www.openssl.org/">OpenSSL</a> library, which provides
Strong Encryption using the Secure Sockets Layer and Transport Layer
-Security protocols. The module and this documentation are based on
-Ralf S. Engelschall's mod_ssl project.</p>
+Security protocols.</p>
</summary>
<section id="documentation"><title>Documentation</title>
<?xml version="1.0" encoding="ISO-8859-1" ?>
<!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.fr.xsl"?>
-<!-- English Revision : 1070915 -->
+<!-- English Revision : 1328159 -->
<!-- French translation : Lucien GENTIS -->
<!-- Reviewed by : Vincent Deffontaines -->
href="http://www.openssl.org/">OpenSSL</a>, qui permet d'effectuer un
chiffrement fort en s'appuyant sur les protocoles "Couche Points d'accès
Sécurisés" (Secure Sockets Layer - SSL) et "Sécurité de la Couche Transport"
-(Transport Layer Security - TLS). Le module et cette documentation sont basés
-sur le projet mod_ssl de Ralf S. Engelschall.</p>
+(Transport Layer Security - TLS).</p>
</summary>
<section id="documentation"><title>Documentation</title>
fully-qualified hyperlinks (because you have to change the URL
scheme). Using <module>mod_rewrite</module> however, you can
manipulate relative hyperlinks, to achieve the same effect.</p>
- <example>
- RewriteEngine on<br />
- RewriteRule ^/(.*)_SSL$ https://%{SERVER_NAME}/$1 [R,L]<br />
- RewriteRule ^/(.*)_NOSSL$ http://%{SERVER_NAME}/$1 [R,L]
- </example>
+ <highlight language="config">
+RewriteEngine on
+RewriteRule ^/(.*)_SSL$ https://%{SERVER_NAME}/$1 [R,L]
+RewriteRule ^/(.*)_NOSSL$ http://%{SERVER_NAME}/$1 [R,L]
+ </highlight>
<p>This rewrite ruleset lets you use hyperlinks of the form
<code><a href="document.html_SSL"></code>, to switch to HTTPS
-keyout server.key</strong></code><br />
These can be used as follows in your <code>httpd.conf</code>
file:
- <pre>
- SSLCertificateFile /path/to/this/server.crt
- SSLCertificateKeyFile /path/to/this/server.key
- </pre>
+ <highlight language="config">
+SSLCertificateFile /path/to/this/server.crt
+SSLCertificateKeyFile /path/to/this/server.key
+ </highlight>
</li>
<li>It is important that you are aware that this
<code>server.key</code> does <em>not</em> have any passphrase.
<li>You should now have two files: <code>server.key</code> and
<code>server.crt</code>. These can be used as follows in your
<code>httpd.conf</code> file:
- <pre>
- SSLCertificateFile /path/to/this/server.crt
- SSLCertificateKeyFile /path/to/this/server.key
- </pre>
+ <highlight language="config">
+SSLCertificateFile /path/to/this/server.crt
+SSLCertificateKeyFile /path/to/this/server.key
+ </highlight>
The <code>server.csr</code> file is no longer needed.
</li>
handshake is finished, but the information is needed in order to
complete the SSL handshake phase. See the next question for how to
circumvent this issue.</p>
-
+
<p>Note that if you have a wildcard SSL certificate, or a
- certificate that has multple hostnames on it using subjectAltName
+ certificate that has multiple hostnames on it using subjectAltName
fields, you can use SSL on name-based virtual hosts without further
workarounds.</p>
</section>
you must make sure to put the non-SSL port number on the NameVirtualHost
directive, e.g.</p>
- <example>
+ <highlight language="config">
NameVirtualHost 192.168.1.1:80
- </example>
+ </highlight>
<p>Other workaround solutions include: </p>
<p>OpenSSL 0.9.8 started to support this by default when compiled with the
<code>zlib</code> option. If both the client and the server support compression,
it will be used. However, most clients still try to initially connect with an
-SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms
+SSLv2 Hello. As SSLv2 did not include an array of preferred compression algorithms
in its handshake, compression cannot be negotiated with these clients.
If the client disables support for SSLv2, either an SSLv3 or TLS Hello
may be sent, depending on which SSL library is used, and compression may
keep-alive connections or send the SSL close notify messages to MSIE clients.
This can be done by using the following directive in your SSL-aware
virtual host section:</p>
- <example>
- SetEnvIf User-Agent "MSIE [2-5]" \<br />
- nokeepalive ssl-unclean-shutdown \<br />
- downgrade-1.0 force-response-1.0
- </example>
+ <highlight language="config">
+SetEnvIf User-Agent "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+ </highlight>
<p>Further, some MSIE versions have problems with particular ciphers.
Unfortunately, it is not possible to implement a MSIE-specific
workaround for this, because the ciphers are needed as early as the
<?xml version="1.0" encoding="ISO-8859-1" ?>
<!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.fr.xsl"?>
-<!-- English revision : 1303823 -->
+<!-- English Revision: 1328589:1330881 (outdated) -->
<!-- French translation : Lucien GENTIS -->
<!-- Reviewed by : Vincent Deffontaines -->
couche de protocole HTTP qu'elle encapsule. Lors de l'établissement d'une
connexion SSL (HTTPS), Apache/mod_ssl doit négocier les paramètres du
protocole SSL avec le client. Pour cela, mod_ssl doit consulter la
-configuration du serveur virtuel (par exemple, il doit accéder à la la suite
+configuration du serveur virtuel (par exemple, il doit accéder à la suite
d'algorithmes de chiffrement, au certificat du serveur, etc...). Mais afin de
sélectionner le bon serveur virtuel, Apache doit connaître le contenu du champ
d'en-tête HTTP <code>Host</code>. Pour cela, il doit lire l'en-tête de la
<p>Notez que si votre certificat comporte un nom de serveur avec
caractères génériques, ou des noms de serveurs multiples dans le
champ subjectAltName, vous pouvez utiliser SSL avec les serveurs
- virtuels à base de noms sans avoir à contourner ce problème.</p>
+ virtuels à base de noms sans avoir à contourner ce problème.</p>
<p>La raison en est que le protocole SSL constitue une couche séparée qui
encapsule le protocole HTTP. Aini, la session SSL nécessite une
<section id="configexample">
<title>Basic Configuration Example</title>
-<p>Your SSL configuration will need to contain, at a minumum, the
+<p>Your SSL configuration will need to contain, at minimum, the
following directives.</p>
-<example>
- Listen 443<br />
- <VirtualHost *:443><br />
- <indent>
- ServerName www.example.com<br />
- SSLEngine on<br />
- SSLCertificateFile /path/to/www.example.com.cert<br />
- SSLCertificateKeyFile /path/to/www.example.com.key<br />
- </indent>
- </VirtualHost>
-</example>
+<highlight language="config">
+Listen 443
+<VirtualHost *:443>
+ ServerName www.example.com
+ SSLEngine on
+ SSLCertificateFile /path/to/www.example.com.cert
+ SSLCertificateKeyFile /path/to/www.example.com.key
+</VirtualHost>
+</highlight>
</section>
<title>How can I create an SSL server which accepts strong encryption
only?</title>
<p>The following enables only the strongest ciphers:</p>
- <example><title>httpd.conf</title>
- SSLCipherSuite HIGH:!aNULL:!MD5<br />
- </example>
+ <highlight language="config">
+ SSLCipherSuite HIGH:!aNULL:!MD5
+ </highlight>
<p>While with the following configuration you specify a preference
for specific speed-optimized ciphers (which will be selected by
mod_ssl, provided that they are supported by the client):</p>
- <example><title>httpd.conf</title>
- SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5<br />
- SSLHonorCipherOrder on
- </example>
+ <highlight language="config">
+SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
+SSLHonorCipherOrder on
+ </highlight>
</section>
<section id="strongurl">
blocks, to give a per-directory solution, and can automatically force
a renegotiation of the SSL parameters to meet the new configuration.
This can be done as follows:</p>
- <example>
- # be liberal in general<br />
- SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br />
- <br />
- <Location /strong/area><br />
- # but https://hostname/strong/area/ and below<br />
- # requires strong ciphers<br />
- SSLCipherSuite HIGH:!aNULL:!MD5<br />
- </Location>
- </example>
+ <highlight language="config">
+# be liberal in general
+SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL
+
+<Location /strong/area>
+# but https://hostname/strong/area/ and below
+# requires strong ciphers
+SSLCipherSuite HIGH:!aNULL:!MD5
+</Location>
+ </highlight>
</section>
</section>
<!-- /ciphersuites -->
need to do is to create client certificates signed by your own CA
certificate (<code>ca.crt</code>) and then verify the clients against this
certificate.</p>
- <example><title>httpd.conf</title>
- # require a client certificate which has to be directly<br />
- # signed by our CA certificate in ca.crt<br />
- SSLVerifyClient require<br />
- SSLVerifyDepth 1<br />
- SSLCACertificateFile conf/ssl.crt/ca.crt
- </example>
+ <highlight language="config">
+# require a client certificate which has to be directly
+# signed by our CA certificate in ca.crt
+SSLVerifyClient require
+SSLVerifyDepth 1
+SSLCACertificateFile conf/ssl.crt/ca.crt
+ </highlight>
</section>
<section id="arbitraryclients">
you can use the per-directory reconfiguration features of
<module>mod_ssl</module>:</p>
- <example><title>httpd.conf</title>
- SSLVerifyClient none<br />
- SSLCACertificateFile conf/ssl.crt/ca.crt<br />
- <br />
- <Location /secure/area><br />
- SSLVerifyClient require<br />
- SSLVerifyDepth 1<br />
- </Location><br />
- </example>
+ <highlight language="config">
+SSLVerifyClient none
+SSLCACertificateFile conf/ssl.crt/ca.crt
+
+<Location /secure/area>
+SSLVerifyClient require
+SSLVerifyDepth 1
+</Location>
+ </highlight>
</section>
<section id="certauthenticate">
you should establish a password database containing <em>all</em>
clients allowed, as follows:</p>
- <example><title>httpd.conf</title><pre>
+ <highlight language="config">
SSLVerifyClient none
<Directory /usr/local/apache2/htdocs/secure/area>
-
-SSLVerifyClient require
-SSLVerifyDepth 5
-SSLCACertificateFile conf/ssl.crt/ca.crt
-SSLCACertificatePath conf/ssl.crt
-SSLOptions +FakeBasicAuth
-SSLRequireSSL
-AuthName "Snake Oil Authentication"
-AuthType Basic
-AuthBasicProvider file
-AuthUserFile /usr/local/apache2/conf/httpd.passwd
-Require valid-user
-</Directory></pre>
- </example>
+ SSLVerifyClient require
+ SSLVerifyDepth 5
+ SSLCACertificateFile conf/ssl.crt/ca.crt
+ SSLCACertificatePath conf/ssl.crt
+ SSLOptions +FakeBasicAuth
+ SSLRequireSSL
+ AuthName "Snake Oil Authentication"
+ AuthType Basic
+ AuthBasicProvider file
+ AuthUserFile /usr/local/apache2/conf/httpd.passwd
+ Require valid-user
+</Directory>
+ </highlight>
<p>The password used in this example is the DES encrypted string "password".
See the <directive module="mod_ssl">SSLOptions</directive> docs for more
>SSLRequire</directive>, as follows:</p>
- <example><title>httpd.conf</title><pre>
+ <highlight language="config">
SSLVerifyClient none
<Directory /usr/local/apache2/htdocs/secure/area>
-
SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificateFile conf/ssl.crt/ca.crt
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
-</Directory></pre>
- </example>
+</Directory>
+ </highlight>
</section>
<section id="intranet">
This configuration should remain outside of your HTTPS virtual host, so
that it applies to both HTTPS and HTTP.</p>
- <example><title>httpd.conf</title><pre>
+ <highlight language="config">
SSLCACertificateFile conf/ssl.crt/company-ca.crt
<Directory /usr/local/apache2/htdocs>
-# Outside the subarea only Intranet access is granted
-Order deny,allow
-Deny from all
-Allow from 192.168.1.0/24
+ # Outside the subarea only Intranet access is granted
+ Order deny,allow
+ Deny from all
+ Allow from 192.168.1.0/24
</Directory>
<Directory /usr/local/apache2/htdocs/subarea>
-# Inside the subarea any Intranet access is allowed
-# but from the Internet only HTTPS + Strong-Cipher + Password
-# or the alternative HTTPS + Strong-Cipher + Client-Certificate
-
-# If HTTPS is used, make sure a strong cipher is used.
-# Additionally allow client certs as alternative to basic auth.
-SSLVerifyClient optional
-SSLVerifyDepth 1
-SSLOptions +FakeBasicAuth +StrictRequire
-SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
-
-# Force clients from the Internet to use HTTPS
-RewriteEngine on
-RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
-RewriteCond %{HTTPS} !=on
-RewriteRule . - [F]
-
-# Allow Network Access and/or Basic Auth
-Satisfy any
-
-# Network Access Control
-Order deny,allow
-Deny from all
-Allow 192.168.1.0/24
-
-# HTTP Basic Authentication
-AuthType basic
-AuthName "Protected Intranet Area"
-AuthBasicProvider file
-AuthUserFile conf/protected.passwd
-Require valid-user
-</Directory></pre>
- </example>
+ # Inside the subarea any Intranet access is allowed
+ # but from the Internet only HTTPS + Strong-Cipher + Password
+ # or the alternative HTTPS + Strong-Cipher + Client-Certificate
+
+ # If HTTPS is used, make sure a strong cipher is used.
+ # Additionally allow client certs as alternative to basic auth.
+ SSLVerifyClient optional
+ SSLVerifyDepth 1
+ SSLOptions +FakeBasicAuth +StrictRequire
+ SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
+
+ # Force clients from the Internet to use HTTPS
+ RewriteEngine on
+ RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
+ RewriteCond %{HTTPS} !=on
+ RewriteRule . - [F]
+
+ # Allow Network Access and/or Basic Auth
+ Satisfy any
+
+ # Network Access Control
+ Order deny,allow
+ Deny from all
+ Allow 192.168.1.0/24
+
+ # HTTP Basic Authentication
+ AuthType basic
+ AuthName "Protected Intranet Area"
+ AuthBasicProvider file
+ AuthUserFile conf/protected.passwd
+ Require valid-user
+</Directory>
+ </highlight>
</section>
</section>
<!-- /access control -->
<?xml version="1.0" encoding="ISO-8859-1" ?>
<!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.fr.xsl"?>
-<!-- English Revision : 1203753 -->
+<!-- English Revision: 1328589:1330881 (outdated) -->
<!-- French translation : Lucien GENTIS -->
<!-- Reviewed by : Vincent Deffontaines -->
Cette configuration peut se présenter comme suit :</p>
<example>
# soyons très tolérant a priori<br />
- SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br />
+ SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL<br />
<br />
<Location /strong/area><br />
# sauf pour https://hostname/strong/area/ et ses sous-répertoires<br />
<title>SSL/TLS Strong Encryption: An Introduction</title>
<summary>
-<blockquote>
-<p>The nice thing about standards is that there are so many to choose
-from. And if you really don't like all the standards you just have to
-wait another year until the one arises you are looking for.</p>
-
-<p class="cite">-- <cite>A. Tanenbaum</cite>, "Introduction to
-Computer Networks"</p>
-</blockquote>
<p>As an introduction this chapter is aimed at readers who are familiar
with the Web, HTTP, and Apache, but are not security experts. It is not
Rather, it is intended to provide a common background to <module
>mod_ssl</module> users by pulling together various concepts, definitions,
and examples as a starting point for further exploration.</p>
-
-<p>The presented content is mainly derived, with the author's permission,
-from the article <a
-href="http://home.comcast.net/~fjhirsch/Papers/wwwj/">Introducing
-SSL and Certificates using SSLeay</a> by <a
-href="http://home.comcast.net/~fjhirsch/">Frederick J. Hirsch</a>, of The
-Open Group Research Institute, which was published in <a
-href="http://www.ora.com/catalog/wjsum97/">Web Security: A Matter of
-Trust</a>, World Wide Web Journal, Volume 2, Issue 3, Summer 1997.
-Please send any positive feedback to <a
-href="mailto:hirsch@fjhirsch.com">Frederick Hirsch</a> (the original
-article author) and all negative feedback to <a
-href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> (the
-<module>mod_ssl</module> author).</p>
</summary>
<section id="cryptographictech">
as <code>*.snakeoil.com</code>.</p>
<p>The binary format of a certificate is defined using the ASN.1
- notation [<a href="#
X208">X208</a>] [<a href="#PKCS">PKCS</a>]. This
+ notation [<a href="#
ASN1">ASN1</a>] [<a href="#PKCS">PKCS</a>]. This
notation defines how to specify the contents and encoding rules
define how this information is translated into binary form. The binary
encoding of the certificate is defined using Distinguished Encoding
<th>Description</th>
<th>Browser Support</th></tr>
<tr><td>SSL v2.0</td>
- <td>Vendor Standard (from Netscape Corp.) [<a href="#SSL2"
- >SSL2</a>]</td>
+ <td>Vendor Standard (from Netscape Corp.)</td>
<td>First SSL protocol for which implementations exist</td>
<td>- NS Navigator 1.x/2.x<br />
- MS IE 3.x<br />
padding for block ciphers, message order standardization and more
alert messages.</td>
<td>- Lynx/2.8+OpenSSL</td></tr>
+ <tr><td>TLS v1.1</td>
+ <td>Proposed Internet Standard (from IETF) [<a href="#TLS11"
+ >TLS11</a>]</td>
+ <td>Update of TLS 1.0 to add protection against Cipher block chaining
+ (CBC) attacks.</td>
+ <td>-</td></tr>
+ <tr><td>TLS v1.2</td>
+ <td>Proposed Internet Standard (from IETF) [<a href="#TLS12"
+ >TLS12</a>]</td>
+ <td>Update of TLS 1.2 deprecating MD5 as hash, and adding incompatibility
+ to SSL so it will never negotiate the use of SSLv2.</td>
+ <td>-</td></tr>
</table>
</section>
to start a session. To do this, the server assigns each SSL session a
unique session identifier which is cached in the server and which the
client can use in future connections to reduce the handshake time
- (until the session identifer expires from the cache of the server).</p>
+ (until the session identifier expires from the cache of the server).</p>
</note>
<p class="figure">
>http://www.counterpane.com/</a> for various other materials by Bruce
Schneier.</dd>
-<dt><a id="X208" name="X208">[X208]</a></dt>
+<dt><a id="ASN1" name="ASN1">[ASN1]</a></dt>
<dd>ITU-T Recommendation X.208, <q>Specification of Abstract Syntax Notation
-One (ASN.1)</q>, 1988. See for instance <a
-href="http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.208-198811-I"
->http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.208-198811-I</a>.
+One (ASN.1)</q>, last updated 2008. See <a href="http://www.itu.int/ITU-T/asn1/"
+>http://www.itu.int/ITU-T/asn1/</a>.
</dd>
<dt><a id="X509" name="X509">[X509]</a></dt>
<dd>ITU-T Recommendation X.509, <q>The Directory - Authentication
-Framework</q>.
See for instance <a
-href="http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.509"
->http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.509</a>.
+Framework</q>.
For references, see <a
+href="http://en.wikipedia.org/wiki/X.509"
+>http://en.wikipedia.org/wiki/X.509</a>.
</dd>
<dt><a id="PKCS" name="PKCS">[PKCS]</a></dt>
<dt><a id="MIME" name="MIME">[MIME]</a></dt>
<dd>N. Freed, N. Borenstein, <q>Multipurpose Internet Mail Extensions
(MIME) Part One: Format of Internet Message Bodies</q>, RFC2045.
-See for instance <a href="http://ietf.org/rfc/rfc2045.txt"
->http://ietf.org/rfc/rfc2045.txt</a>.</dd>
-
-<dt><a id="SSL2" name="SSL2">[SSL2]</a></dt>
-<dd>Kipp E.B. Hickman, <q>The SSL Protocol</q>, 1995. See <a
-href="http://www.netscape.com/eng/security/SSL_2.html"
->http://www.netscape.com/eng/security/SSL_2.html</a>.</dd>
+See for instance <a href="http://tools.ietf.org/html/rfc2045"
+>http://tools.ietf.org/html/rfc2045</a>.</dd>
<dt><a id="SSL3" name="SSL3">[SSL3]</a></dt>
<dd>Alan O. Freier, Philip Karlton, Paul C. Kocher, <q>The SSL Protocol
<dd>Tim Dierks, Christopher Allen, <q>The TLS Protocol Version 1.0</q>,
1999. See <a href="http://ietf.org/rfc/rfc2246.txt"
>http://ietf.org/rfc/rfc2246.txt</a>.</dd>
+
+<dt><a id="TLS11" name="TLS11">[TLS11]</a></dt>
+<dd><q>The TLS Protocol Version 1.1</q>,
+2006. See <a href="http://tools.ietf.org/html/rfc4346"
+>http://tools.ietf.org/html/rfc4346</a>.</dd>
+
+<dt><a id="TLS12" name="TLS12">[TLS12]</a></dt>
+<dd><q>The TLS Protocol Version 1.2</q>,
+2008. See <a href="http://tools.ietf.org/html/rfc5246"
+>http://tools.ietf.org/html/rfc5246</a>.</dd>
</dl>
</section>
<!-- /references -->
<?xml version="1.0" encoding="ISO-8859-1" ?>
<!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.fr.xsl"?>
-<!-- English Revision: 713605:1174747 (outdated) -->
+<!-- English revision : 1328589 -->
<!-- French translation : Lucien GENTIS -->
<!-- Reviewed by : Vincent Deffontaines -->
<title>Chiffrement SSL/TLS fort : Introduction</title>
<summary>
-<blockquote>
-<p>Ce qui est agréable avec les standards est d'avoir l'embarras du choix. Et
-si certains standards ne vous conviennent pas vraiment, il vous suffit
-d'attendre un an pour voir apparaître celui qui répondra à vos attentes.</p>
-
-<p class="cite">-- <cite>A. Tanenbaum</cite>, "Introduction to
-Computer Networks"</p>
-</blockquote>
<p>Ce chapitre en guise d'introduction est destiné aux lecteurs pour lesquels
le Web, HTTP et Apache sont familiers, mais ne sont pas des experts en matière
rassemblant différents concepts, définitions et exemples comme point de départ
pour une exploration plus détaillée.</p>
-<p>Le contenu s'inspire en grande partie, avec la permission de l'auteur,
-de l'article <a
-href="http://home.comcast.net/~fjhirsch/Papers/wwwj/">Introducing
-SSL and Certificates using SSLeay</a> de <a
-href="http://home.comcast.net/~fjhirsch/">Frederick J. Hirsch</a>, de
-l'Open Group Research Institute, publié dans <a
-href="http://www.ora.com/catalog/wjsum97/">Web Security: A Matter of
-Trust</a>, World Wide Web Journal, Volume 2, Issue 3, Summer 1997. Vous
-pouvez envoyer toute remarque positive à <a
-href="mailto:hirsch@fjhirsch.com">Frederick Hirsch</a> (l'auteur de l'article
-original) et toute remarque négative à <a
-href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> (l'auteur du module
-<module>mod_ssl</module>).</p>
</summary>
<section id="cryptographictech">
<code>*.snakeoil.com</code>.</p>
<p>Le format binaire d'un certificat est défini en utilisant la
- notation ASN.1 [<a href="#
X208">X208</a>] [<a href="#PKCS">PKCS</a>].
+ notation ASN.1 [<a href="#
ASN1">ASN1</a>] [<a href="#PKCS">PKCS</a>].
Cette notation definit la manière de spécifier les contenus, et les règles
d'encodage définissent la manière dont ces information sont converties au
format binaire. L'encodage binaire du certificat est défini par les Règles
<th>Description</th>
<th>Navigateurs supportés</th></tr>
<tr><td>SSL v2.0</td>
- <td>Standard du fournisseur (de Netscape Corp.) [<a href="#SSL2"
- >SSL2</a>]</td>
+ <td>Standard du fournisseur (de Netscape Corp.)</td>
<td>Premier protocole SSL pour lequel il existe des implémentations</td>
<td>- NS Navigator 1.x/2.x<br />
- MS IE 3.x<br />
ajout du bourrage de bloc pour le chiffrement de bloc, standardisation
de l'ordonnancement des messages et plus de messages d'alerte.</td>
<td>- Lynx/2.8+OpenSSL</td></tr>
+ <tr><td>TLS v1.1</td>
+ <td>Standard proposé pour l'Internet (de l'IETF) [<a href="#TLS11"
+ >TLS11</a>]</td>
+ <td>Mise à jour de TLS 1.0 pour la protection contre les
+ attaques de type Cipher block chaining (CBC).</td>
+ <td>-</td></tr>
+ <tr><td>TLS v1.2</td>
+ <td>Standard proposé pour l'Internet (de l'IETF) [<a href="#TLS12"
+ >TLS12</a>]</td>
+ <td>Mise à jour de TLS 1.2 rendant les condensés MD5 obsolètes,
+ et introduisant une incompatibilité avec SSL ce qui interdit toute
+ négociation en vue d'une utilisation de SSLv2.</td>
+ <td>-</td></tr>
</table>
</section>
>http://www.counterpane.com/</a> pour diverses autres productions de Bruce
Schneier.</dd>
-<dt><a id="X208" name="X208">[X208]</a></dt>
+<dt><a id="ASN1" name="ASN1">[ASN1]</a></dt>
<dd>ITU-T Recommendation X.208, <q>Specification of Abstract Syntax Notation
-One (ASN.1)</q>, 1988. Voir par exemple <a
-href="http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.208-198811-I"
->http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.208-198811-I</a>.
+One (ASN.1)</q>, dernière mise à jour en 2008. Voir <a
+href="http://www.itu.int/ITU-T/asn1/">http://www.itu.int/ITU-T/asn1/</a>.
</dd>
<dt><a id="X509" name="X509">[X509]</a></dt>
<dd>ITU-T Recommendation X.509, <q>The Directory - Authentication
-Framework</q>. Voir par exemple <a
-href="http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.509"
->http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.509</a>.
+Framework</q>. A titre de référence, voir <a
+href="http://en.wikipedia.org/wiki/X.509">http://en.wikipedia.org/wiki/X.509</a>.
</dd>
<dt><a id="PKCS" name="PKCS">[PKCS]</a></dt>
<dt><a id="MIME" name="MIME">[MIME]</a></dt>
<dd>N. Freed, N. Borenstein, <q>Multipurpose Internet Mail Extensions
(MIME) Part One: Format of Internet Message Bodies</q>, RFC2045.
-Voir par exemple <a href="http://ietf.org/rfc/rfc2045.txt"
->http://ietf.org/rfc/rfc2045.txt</a>.</dd>
-
-<dt><a id="SSL2" name="SSL2">[SSL2]</a></dt>
-<dd>Kipp E.B. Hickman, <q>The SSL Protocol</q>, 1995. See <a
-href="http://www.netscape.com/eng/security/SSL_2.html"
->http://www.netscape.com/eng/security/SSL_2.html</a>.</dd>
+Voir par exemple <a
+href="http://tools.ietf.org/html/rfc2045">http://tools.ietf.org/html/rfc2045</a>.</dd>
<dt><a id="SSL3" name="SSL3">[SSL3]</a></dt>
<dd>Alan O. Freier, Philip Karlton, Paul C. Kocher, <q>The SSL Protocol
<dd>Tim Dierks, Christopher Allen, <q>The TLS Protocol Version 1.0</q>,
1999. Voir <a href="http://ietf.org/rfc/rfc2246.txt"
>http://ietf.org/rfc/rfc2246.txt</a>.</dd>
+
+<dt><a id="TLS11" name="TLS11">[TLS11]</a></dt>
+<dd><q>Le protocole TLS Version 1.1</q>,
+2006. Voir <a href="http://tools.ietf.org/html/rfc4346"
+>http://tools.ietf.org/html/rfc4346</a>.</dd>
+
+<dt><a id="TLS12" name="TLS12">[TLS12]</a></dt>
+<dd><q>Le protocole TLS Version 1.2</q>,
+2008. Voir <a href="http://tools.ietf.org/html/rfc5246"
+>http://tools.ietf.org/html/rfc5246</a>.</dd>
</dl>
</section>
<!-- /references -->
projects / apache / commitdiff