From: Noirin Plunkett Date: Wed, 16 Jan 2008 15:31:07 +0000 (+0000) Subject: Tidying up the SSL FAQ, incorporating changes suggested by Lucien Gentis X-Git-Tag: 2.3.0~1025 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4304e4825fd8a1ad6e2ac4860951a38334dadb29;p=apache Tidying up the SSL FAQ, incorporating changes suggested by Lucien Gentis http://mail-archives.apache.org/mod_mbox/httpd-docs/200801.mbox/raw/%3c478A1806.1090307@lorraine.iufm.fr%3e git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@612486 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/ssl/ssl_faq.html.en b/docs/manual/ssl/ssl_faq.html.en index 995798062f..224fffe80d 100644 --- a/docs/manual/ssl/ssl_faq.html.en +++ b/docs/manual/ssl/ssl_faq.html.en @@ -103,7 +103,7 @@ author.

  • Why do I get permission errors related to SSLMutex when I start Apache?
  • Why does mod_ssl stop with the error "Failed to -generate temporary 512 bit RSA private key", when I start Apache?
    • +generate temporary 512 bit RSA private key" when I start Apache?

    Why do I get permission errors related to @@ -119,7 +119,7 @@ generate temporary 512 bit RSA private key", when I start Apache?

    Why does mod_ssl stop with the error - "Failed to generate temporary 512 bit RSA private key", when I start + "Failed to generate temporary 512 bit RSA private key" when I start Apache?

    Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide @@ -133,7 +133,7 @@ generate temporary 512 bit RSA private key", when I start Apache?

    To prevent this error, mod_ssl has to provide enough entropy to the PRNG to allow it to work correctly. This can be done via the SSLRandomSeed - directives.

    + directive.

    top
    @@ -145,7 +145,7 @@ the same server?
  • How do I speak HTTPS manually for testing purposes?
  • Why does the connection hang when I connect to my -SSL-aware Apache server
    • +SSL-aware Apache server?
  • Why do I get ``Connection Refused'' errors, when trying to access my newly installed Apache+mod_ssl server via HTTPS?
  • Why are the SSL_XXX variables not @@ -160,16 +160,17 @@ relative hyperlinks?
    • port 80, HTTPS to port 443), so there is no direct conflict between them. You can either run two separate server instances bound to these ports, or use Apache's elegant virtual hosting facility to - create two virtual servers over one instance of Apache - one - responding to requests on port 80 and speaking HTTP and the other - responding to requests on port 443 speaking HTTPS.

    + create two virtual servers, both served by the same instance of Apache + - one responding over HTTP to requests on port 80, and the other + responding over HTTPS to requests on port 443.

    Which port does HTTPS use?

    You can run HTTPS on any port, but the standards specify port 443, which is where any HTTPS compliant browser will look by default. You can force - your browser to look on a different port by specifying it in the URL like - this (for port 666): https://secure.server.dom:666/

    + your browser to look on a different port by specifying it in the URL. For + example, if your server is set up to serve pages over HTTPS on port 8080, + you can access them at https://example.com:8080/

    How do I speak HTTPS manually for testing purposes?

    @@ -181,7 +182,7 @@ relative hyperlinks?

    for simple testing of Apache via HTTP, it's not so easy for HTTPS because of the SSL protocol between TCP and HTTP. With the help of OpenSSL's s_client command, however, you can - do a similar check for HTTPS:

    + do a similar check via HTTPS:

    $ openssl s_client -connect localhost:443 -state -debug
    GET / HTTP/1.0

    @@ -192,7 +193,7 @@ relative hyperlinks? perform GET and POST operations, can use a proxy, supports byte ranges, etc. you should have a look at the nifty cURL tool. Using this, you can - check that Apache is responding correctly on ports 80 and 443 as + check that Apache is responding correctly to requests via HTTP and HTTPS as follows:

    $ curl http://localhost/
    @@ -201,21 +202,19 @@ relative hyperlinks?

    Why does the connection hang when I connect to my SSL-aware Apache server?

    -

    Because you connected with HTTP to the HTTPS port, i.e. you used an URL of - the form ``http://'' instead of ``https://''. - This also happens the other way round when you connect via HTTPS to a HTTP - port, i.e. when you try to use ``https://'' on a server that - doesn't support SSL (on this port). Make sure you are connecting to a - virtual server that supports SSL, which is probably the IP associated with - your hostname, not localhost (127.0.0.1).

    +

    This can happen when you try to connect to a HTTPS server (or virtual + server) via HTTP (eg, using http://example.com/ instead of + https://example.com). It can also happen when trying to + connect via HTTPS to a HTTP server (eg, using + https://example.com/ on a server which doesn't support HTTPS, + or which supports it on a non-standard port). Make sure that you're + connecting to a (virtual) server that supports SSL.

    Why do I get ``Connection Refused'' messages, when trying to access my newly installed Apache+mod_ssl server via HTTPS?

    -

    This can happen for various reasons. The most common mistakes - include starting Apache with just apachectl start (or - httpd) instead of apachectl startssl (or - httpd -DSSL). Your configuration may also be incorrect. +

    + This error can be caused by an incorrect configuration. Please make sure that your Listen directives match your <VirtualHost> directives. If all else fails, please start afresh, using the default @@ -243,7 +242,7 @@ relative hyperlinks?

    This rewrite ruleset lets you use hyperlinks of the form <a href="document.html:SSL">, to switch to HTTPS - in a relative link.

    + in a relative link. (Replace SSL with NOSSL to switch to HTTP.)

    top
    @@ -252,7 +251,7 @@ relative hyperlinks?
  • What are RSA Private Keys, CSRs and Certificates?
  • Is there a difference on startup between -the original Apache and an SSL-aware Apache?
    • +a non-SSL-aware Apache and an SSL-aware Apache?
  • How do I create a self-signed SSL Certificate for testing purposes?
  • How do I create a real SSL Certificate?
    • @@ -298,7 +297,7 @@ verify my Verisign Global ID server certificate?

    Is there a difference on startup between - the original Apache and an SSL-aware Apache?

    + a non-SSL-aware Apache and an SSL-aware Apache?

    Yes. In general, starting Apache with mod_ssl built-in is just like starting Apache without it. However, if you have a passphrase on your SSL private @@ -309,7 +308,8 @@ verify my Verisign Global ID server certificate? can be problematic - for example, when starting the server from the system boot scripts. In this case, you can follow the steps below to remove the passphrase from - your private key.

    + your private key. Bear in mind that doing so brings additional security + risks - proceed with caution!

    How do I create a self-signed SSL @@ -504,7 +504,7 @@ Certificate for testing purposes?

    How can I get rid of the pass-phrase dialog at Apache startup time?

    The reason this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in - encrypted format for security reasons. The pass-phrase is needed decrypt + encrypted format for security reasons. The pass-phrase is needed to decrypt this file, so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server - proceed with caution!

      @@ -571,7 +571,7 @@ Certificate for testing purposes? bad certificate" error?

      Errors such as OpenSSL: error:14094412: SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate in the SSL - logfile, are usually caused a browser which is unable to handle the server + logfile, are usually caused by a browser which is unable to handle the server certificate/private-key. For example, Netscape Navigator 3.x is unable to handle RSA key lengths not equal to 1024 bits.

      @@ -982,8 +982,8 @@ provide when writing a bug report?
      In case of core dumps please include a Backtrace
      If your Apache+mod_ssl+OpenSSL dumps its core, please attach a stack-frame ``backtrace'' (see below - for information on how to get this). Without this information, the - reason for your core dump cannot be found + for information on how to get this). This information is required + in order to find a reason for your core dump.
      A detailed description of your problem
      @@ -1038,6 +1038,6 @@ the reason for my core dump?

      Available Languages:  en 

      \ No newline at end of file diff --git a/docs/manual/ssl/ssl_faq.xml b/docs/manual/ssl/ssl_faq.xml index a72d22d047..7a861faab5 100644 --- a/docs/manual/ssl/ssl_faq.xml +++ b/docs/manual/ssl/ssl_faq.xml @@ -107,7 +107,7 @@ author.

    1. Why do I get permission errors related to SSLMutex when I start Apache?
    2. Why does mod_ssl stop with the error "Failed to -generate temporary 512 bit RSA private key", when I start Apache?
      3. +generate temporary 512 bit RSA private key" when I start Apache?
      Why do I get permission errors related to @@ -123,7 +123,7 @@ generate temporary 512 bit RSA private key", when I start Apache?</a></li> </section> <section id="entropy"><title>Why does mod_ssl stop with the error - "Failed to generate temporary 512 bit RSA private key", when I start + "Failed to generate temporary 512 bit RSA private key" when I start Apache?

      Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide @@ -137,7 +137,7 @@ generate temporary 512 bit RSA private key", when I start Apache?

      To prevent this error, mod_ssl has to provide enough entropy to the PRNG to allow it to work correctly. This can be done via the SSLRandomSeed - directives.

      + directive.

      @@ -150,7 +150,7 @@ the same server?
    3. How do I speak HTTPS manually for testing purposes?
    4. Why does the connection hang when I connect to my -SSL-aware Apache server
      5. +SSL-aware Apache server?
    5. Why do I get ``Connection Refused'' errors, when trying to access my newly installed Apache+mod_ssl server via HTTPS?
    6. Why are the SSL_XXX variables not @@ -165,16 +165,17 @@ relative hyperlinks?
      7. port 80, HTTPS to port 443), so there is no direct conflict between them. You can either run two separate server instances bound to these ports, or use Apache's elegant virtual hosting facility to - create two virtual servers over one instance of Apache - one - responding to requests on port 80 and speaking HTTP and the other - responding to requests on port 443 speaking HTTPS.

      + create two virtual servers, both served by the same instance of Apache + - one responding over HTTP to requests on port 80, and the other + responding over HTTPS to requests on port 443.

      Which port does HTTPS use?

      You can run HTTPS on any port, but the standards specify port 443, which is where any HTTPS compliant browser will look by default. You can force - your browser to look on a different port by specifying it in the URL like - this (for port 666): https://secure.server.dom:666/

      + your browser to look on a different port by specifying it in the URL. For + example, if your server is set up to serve pages over HTTPS on port 8080, + you can access them at https://example.com:8080/

      How do I speak HTTPS manually for testing purposes? @@ -186,7 +187,7 @@ relative hyperlinks?

      for simple testing of Apache via HTTP, it's not so easy for HTTPS because of the SSL protocol between TCP and HTTP. With the help of OpenSSL's s_client command, however, you can - do a similar check for HTTPS:

      + do a similar check via HTTPS:

      $ openssl s_client -connect localhost:443 -state -debug
      GET / HTTP/1.0       @@ -197,7 +198,7 @@ relative hyperlinks? perform GET and POST operations, can use a proxy, supports byte ranges, etc. you should have a look at the nifty cURL tool. Using this, you can - check that Apache is responding correctly on ports 80 and 443 as + check that Apache is responding correctly to requests via HTTP and HTTPS as follows:

      $ curl http://localhost/
      @@ -206,21 +207,19 @@ relative hyperlinks?
      Why does the connection hang when I connect to my SSL-aware Apache server? -

      Because you connected with HTTP to the HTTPS port, i.e. you used an URL of - the form ``http://'' instead of ``https://''. - This also happens the other way round when you connect via HTTPS to a HTTP - port, i.e. when you try to use ``https://'' on a server that - doesn't support SSL (on this port). Make sure you are connecting to a - virtual server that supports SSL, which is probably the IP associated with - your hostname, not localhost (127.0.0.1).

      -
      + +

      This can happen when you try to connect to a HTTPS server (or virtual + server) via HTTP (eg, using http://example.com/ instead of + https://example.com). It can also happen when trying to + connect via HTTPS to a HTTP server (eg, using + https://example.com/ on a server which doesn't support HTTPS, + or which supports it on a non-standard port). Make sure that you're + connecting to a (virtual) server that supports SSL.

      Why do I get ``Connection Refused'' messages, when trying to access my newly installed Apache+mod_ssl server via HTTPS? -

      This can happen for various reasons. The most common mistakes - include starting Apache with just apachectl start (or - httpd) instead of apachectl startssl (or - httpd -DSSL). Your configuration may also be incorrect. +

      + This error can be caused by an incorrect configuration. Please make sure that your Listen directives match your VirtualHost @@ -249,7 +248,7 @@ relative hyperlinks?

      This rewrite ruleset lets you use hyperlinks of the form <a href="document.html:SSL">, to switch to HTTPS - in a relative link.

      + in a relative link. (Replace SSL with NOSSL to switch to HTTP.)

      @@ -259,7 +258,7 @@ relative hyperlinks?
    7. What are RSA Private Keys, CSRs and Certificates?
    8. Is there a difference on startup between -the original Apache and an SSL-aware Apache?
      9. +a non-SSL-aware Apache and an SSL-aware Apache?
    9. How do I create a self-signed SSL Certificate for testing purposes?
    10. How do I create a real SSL Certificate?
      11. @@ -305,7 +304,7 @@ verify my Verisign Global ID server certificate?
      Is there a difference on startup between - the original Apache and an SSL-aware Apache? + a non-SSL-aware Apache and an SSL-aware Apache?

      Yes. In general, starting Apache with mod_ssl built-in is just like starting Apache without it. However, if you have a passphrase on your SSL private @@ -316,7 +315,8 @@ verify my Verisign Global ID server certificate? can be problematic - for example, when starting the server from the system boot scripts. In this case, you can follow the steps below to remove the passphrase from - your private key.

      + your private key. Bear in mind that doing so brings additional security + risks - proceed with caution!

      How do I create a self-signed SSL @@ -511,7 +511,7 @@ Certificate for testing purposes?
      How can I get rid of the pass-phrase dialog at Apache startup time?

      The reason this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in - encrypted format for security reasons. The pass-phrase is needed decrypt + encrypted format for security reasons. The pass-phrase is needed to decrypt this file, so it can be read and parsed. Removing the pass-phrase removes a layer of security from your server - proceed with caution!

        @@ -578,7 +578,7 @@ Certificate for testing purposes? bad certificate" error?

        Errors such as OpenSSL: error:14094412: SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate in the SSL - logfile, are usually caused a browser which is unable to handle the server + logfile, are usually caused by a browser which is unable to handle the server certificate/private-key. For example, Netscape Navigator 3.x is unable to handle RSA key lengths not equal to 1024 bits.

      @@ -994,8 +994,8 @@ provide when writing a bug report?
      In case of core dumps please include a Backtrace
      If your Apache+mod_ssl+OpenSSL dumps its core, please attach a stack-frame ``backtrace'' (see below - for information on how to get this). Without this information, the - reason for your core dump cannot be found + for information on how to get this). This information is required + in order to find a reason for your core dump.
      A detailed description of your problem