From: Igor Galić Date: Mon, 10 May 2010 15:58:06 +0000 (+0000) Subject: Removing the obscenely obsolete FAQs'' from the SSL FAQ. X-Git-Tag: 2.3.6~127 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=37a5d548602f4a8e6e6c1cc69b4beae144024235;p=apache Removing the obscenely obsolete FAQs'' from the SSL FAQ. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@942800 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/ssl/ssl_faq.html.en b/docs/manual/ssl/ssl_faq.html.en index 030ae37dde..2bb3535ad2 100644 --- a/docs/manual/ssl/ssl_faq.html.en +++ b/docs/manual/ssl/ssl_faq.html.en @@ -266,16 +266,8 @@ dialog at Apache startup time? Certificate?
  • Why do connections fail with an "alert bad certificate" error?
    • -
  • Why does my 2048-bit private key not work?
    • -
  • Why is client authentication broken after -upgrading from SSLeay version 0.8 to 0.9?
  • How can I convert a certificate from PEM to DER format?
    • -
  • Why can't I find the -getca or getverisign programs mentioned by -Verisign, for installing my Verisign certificate?
    • -
  • Can I use the Server Gated Cryptography (SGC) -facility (aka Verisign Global ID) with mod_ssl?
  • Why do browsers complain that they cannot verify my Verisign Global ID server certificate?
    • @@ -545,25 +537,6 @@ bad certificate" error? unable to handle RSA key lengths not equal to 1024 bits.

    -

    Why does my 2048-bit private key not work?

    -

    The private key sizes for SSL must be either 512 or 1024 bits, for compatibility - with certain web browsers. A keysize of 1024 bits is recommended because - keys larger than 1024 bits are incompatible with some versions of Netscape - Navigator and Microsoft Internet Explorer, and with other browsers that - use RSA's BSAFE cryptography toolkit.

    - - -

    Why is client authentication broken after upgrading from -SSLeay version 0.8 to 0.9?

    -

    The CA certificates under the path you configured with - SSLCACertificatePath are found by SSLeay through hash - symlinks. These hash values are generated by the `openssl x509 -noout - -hash' command. However, the algorithm used to calculate the hash for a - certificate changed between SSLeay 0.8 and 0.9. You will need to remove - all old hash symlinks and create new ones after upgrading. Use the - Makefile provided by mod_ssl.

    - -

    How can I convert a certificate from PEM to DER format?

    The default certificate format for SSLeay/OpenSSL is PEM, which is simply Base64 encoded DER, with header and footer lines. For some applications @@ -573,29 +546,6 @@ SSLeay version 0.8 to 0.9? $ openssl x509 -in cert.pem -out cert.der -outform DER

    -

    Why can't I find the -getca or getverisign programs mentioned by -Verisign, for installing my Verisign certificate?

    -

    Verisign has never provided specific instructions - for Apache+mod_ssl. The instructions provided are for C2Net's - Stronghold (a commercial Apache based server with SSL support).

    -

    To install your certificate, all you need to do is to save the - certificate to a file, and give the name of that file to the - SSLCertificateFile directive. - You will also need to give it the key file. For more information, - see the SSLCertificateKeyFile - directive.

    - - -

    Can I use the Server Gated Cryptography (SGC) -facility (aka Verisign Global ID) with mod_ssl?

    -

    Yes. mod_ssl has included support for the SGC - facility since version 2.1. No special configuration is required - - just use the Global ID as your server certificate. The - step up of the clients is then automatically handled by - mod_ssl at run-time.

    - -

    Why do browsers complain that they cannot verify my Verisign Global ID server certificate?

    Verisign uses an intermediate CA certificate between the root CA @@ -723,7 +673,8 @@ error when connecting to my newly installed server? Apache has to know the Host HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL handshake is finished, but the information is needed in order to - complete the SSL handshake phase. Bingo!

    + complete the SSL handshake phase. See the next question for how to + circumvent this issue.

    Is it possible to use Name-Based diff --git a/docs/manual/ssl/ssl_faq.xml b/docs/manual/ssl/ssl_faq.xml index c82cf2ca50..4d5c2e39d0 100644 --- a/docs/manual/ssl/ssl_faq.xml +++ b/docs/manual/ssl/ssl_faq.xml @@ -272,16 +272,8 @@ dialog at Apache startup time? Certificate?
  • Why do connections fail with an "alert bad certificate" error?
    • -
  • Why does my 2048-bit private key not work?
    • -
  • Why is client authentication broken after -upgrading from SSLeay version 0.8 to 0.9?
  • How can I convert a certificate from PEM to DER format?
    • -
  • Why can't I find the -getca or getverisign programs mentioned by -Verisign, for installing my Verisign certificate?
    • -
  • Can I use the Server Gated Cryptography (SGC) -facility (aka Verisign Global ID) with mod_ssl?
  • Why do browsers complain that they cannot verify my Verisign Global ID server certificate?
    • @@ -551,25 +543,6 @@ bad certificate" error? unable to handle RSA key lengths not equal to 1024 bits.

    -
    Why does my 2048-bit private key not work? -

    The private key sizes for SSL must be either 512 or 1024 bits, for compatibility - with certain web browsers. A keysize of 1024 bits is recommended because - keys larger than 1024 bits are incompatible with some versions of Netscape - Navigator and Microsoft Internet Explorer, and with other browsers that - use RSA's BSAFE cryptography toolkit.

    -
    - - -
    How can I convert a certificate from PEM to DER format?

    The default certificate format for SSLeay/OpenSSL is PEM, which is simply Base64 encoded DER, with header and footer lines. For some applications @@ -579,29 +552,6 @@ SSLeay version 0.8 to 0.9? $ openssl x509 -in cert.pem -out cert.der -outform DER

    -
    Why can't I find the -<code>getca</code> or <code>getverisign</code> programs mentioned by -Verisign, for installing my Verisign certificate? -

    Verisign has never provided specific instructions - for Apache+mod_ssl. The instructions provided are for C2Net's - Stronghold (a commercial Apache based server with SSL support).

    -

    To install your certificate, all you need to do is to save the - certificate to a file, and give the name of that file to the - SSLCertificateFile directive. - You will also need to give it the key file. For more information, - see the SSLCertificateKeyFile - directive.

    -
    - -
    Can I use the Server Gated Cryptography (SGC) -facility (aka Verisign Global ID) with mod_ssl? -

    Yes. mod_ssl has included support for the SGC - facility since version 2.1. No special configuration is required - - just use the Global ID as your server certificate. The - step up of the clients is then automatically handled by - mod_ssl at run-time.

    -
    -
    Why do browsers complain that they cannot verify my Verisign Global ID server certificate?

    Verisign uses an intermediate CA certificate between the root CA @@ -731,7 +681,8 @@ error when connecting to my newly installed server? Apache has to know the Host HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL handshake is finished, but the information is needed in order to - complete the SSL handshake phase. Bingo!

    + complete the SSL handshake phase. See the next question for how to + circumvent this issue.

    Is it possible to use Name-Based