perhaps know, mod_ssl is not the only existing SSL solution for Apache.
Actually there are four additional major products available on the market: Ben
Laurie's freely available <a href="http://www.apache-ssl.org/">Apache-SSL</a>
-(from where mod_ssl were originally derived in 1998), RedHat's commercial <a
+(from where mod_ssl were originally derived in 1998), Red
Hat's commercial <a
href="http://www.redhat.com/products/product-details.phtml?id=rhsa">Secure Web
Server</a> (which is based on mod_ssl), Covalent's commercial <a
href="http://raven.covalent.net/">Raven SSL Module</a> (also based on mod_ssl)
counterpart in mod_ssl are mapped silently while other directives lead to a
warning message in the logfiles. The currently implemented directive mapping
is listed in <a href="#table1">Table 1</a>. Currently full backward
-compatibilty is provided only for Apache-SSL 1.x and mod_ssl 2.0.x.
+compatibility is provided only for Apache-SSL 1.x and mod_ssl 2.0.x.
Compatibility to Sioux 1.x and Stronghold 2.x is only partial because of
special functionality in these interfaces which mod_ssl (still) doesn't
provide.</p>
</blockquote>
<p>This chapter is a collection of frequently asked questions (FAQ) and
corresponding answers following the popular USENET tradition. Most of these
-questions occured on the Newsgroup <code><a href="news:comp.infosystems.www.servers.unix"
+questions occur
red on the Newsgroup <code><a href="news:comp.infosystems.www.servers.unix"
>comp.infosystems.www.servers.unix</a></code> or the mod_ssl Support
Mailing List <code><a href="mailto:modssl-users@modssl.org"
>modssl-users@modssl.org</a></code>. They are collected at this place
Laurie's development cycle it then was re-assembled from scratch for
Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL
1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The
- first publically released version was mod_ssl 2.0.0 from August 10th,
+ first publicly released version was mod_ssl 2.0.0 from August 10th,
1998. As of this writing (August 1999) the current mod_ssl version
is 2.4.0.</p>
<p>Additionally according to a <a
href="http://www.apache.org/docs/misc/FAQ.html#year2000">Year 2000
statement</a> from the Apache Group, the Apache webserver is Year 2000
- compliant, too. But whether OpenSSL or the underlaying Operating System
+ compliant, too. But whether OpenSSL or the underlying Operating System
(either a Unix or Win32 platform) is Year 2000 compliant is a different
question which cannot be answered here.</p>
</section>
replaced the previous <dfn>CoCom</dfn> regime. 33 countries are signatories:
Argentina, Australia, Austria, Belgium, Bulgaria, Canada, Czech Republic,
Denmark, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Japan,
- Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Republic
+ Luxembourg, the Netherlands, New Zealand, Norway, Poland, Portugal, Republic
of Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden,
- Switzerland, Turkey, Ukraine, United Kingdom and United States. For more
+ Switzerland, Turkey, Ukraine, the United Kingdom and the United States. For more
details look at <a
href="http://www.wassenaar.org/">http://www.wassenaar.org/</a>.</p>
<section id="load"><title>Why has my webserver a higher load now that I run SSL there?</title>
<p>Because SSL uses strong cryptographic encryption and this needs a lot of
number crunching. And because when you request a webpage via HTTPS even
- the images are transfered encrypted. So, when you have a lot of HTTPS
+ the images are transferred encrypted. So, when you have a lot of HTTPS
traffic the load increases.</p>
</section>
the connection, although sometimes it works faster?</title>
<p>Usually this is caused by using a <code>/dev/random</code> device for
<code>SSLRandomSeed</code> which is blocking in read(2) calls if not
- enough entropy is available. Read more about this problem in the refernce
+ enough entropy is available. Read more about this problem in the reference
chapter under <code>SSLRandomSeed</code>.</p>
</section>
I try to connect to my freshly installed server?</title>
<p>Either you have messed up your <code>SSLCipherSuite</code>
directive (compare it with the pre-configured example in
- <code>httpd.conf-dist</code>) or you have choosen the DSA/DH
+ <code>httpd.conf-dist</code>) or you have chosen the DSA/DH
algorithms instead of RSA when you generated your private key
- and ignored or overlooked the warnings. If you have choosen
+ and ignored or overlooked the warnings. If you have chosen
DSA/DH, then your server no longer speaks RSA-based SSL ciphers
(at least not until you also configure an additional RSA-based
certificate/key pair). But current browsers like NS or IE only speak
strong encryption or have to upgrade to strong encryption, but are
not allowed to keep the export ciphers. The following does the trick:</p>
<example><title>httpd.conf</title>
- # allow all ciphers for the inital handshake,<br />
+ # allow all ciphers for the initial handshake,<br />
# so export browsers can upgrade via SGC facility<br />
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br />
<br />
situation), as it's the case for instance in an Intranet, you can
use plain certificate authentication. All you have to do is to
create client certificates signed by your own CA certificate
- <code>ca.crt</code> and then verifiy the clients against this
+ <code>ca.crt</code> and then verify the clients against this
certificate.</p>
<example><title>httpd.conf</title>
# require a client certificate which has to be directly<br />
<title>How can I authenticate only particular clients for a some URLs based
on certificates but still allow arbitrary clients to access the remaining
parts of the server?</title>
- <p>The key is to check for various ingredients of the client certficate.
+ <p>The key is to check for various ingredients of the client certificate.
Usually this means to check the whole or part of the Distinguished
Name (DN) of the Subject. For this two methods exists: The <module
>mod_auth_basic</module> based variant and the <directive
Open Group Research Institute, which was published in <a
href="http://www.ora.com/catalog/wjsum97/">Web Security: A Matter of
Trust</a>, World Wide Web Journal, Volume 2, Issue 3, Summer 1997.
-Please send any postive feedback to <a
+Please send any pos
itive feedback to <a
href="mailto:hirsch@fjhirsch.com">Frederick Hirsch</a> (the original
article author) and all negative feedback to <a
href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> (the
substituting one message for another while maintaining the same digest.</p>
<p>Another challenge that Alice faces is finding a way to send the digest to the
bank securely; when this is achieved, the integrity of the associated message
-is assured. One way to to this is to include the digest in a digital
+is assured. One way to do this is to include the digest in a digital
signature.</p>
</section>
<tr><th>Administrative Information</th>
<td>Version, Serial Number</td></tr>
<tr><th>Extended Information</th>
- <td>Basic Contraints, Netscape Flags, etc.</td></tr>
+ <td>Basic Constraints, Netscape Flags, etc.</td></tr>
</table>
</section>
projects / apache / commitdiff