From 5db810124546df7bd66cf7762c06a0287687de7a Mon Sep 17 00:00:00 2001 From: Daniel Gruno Date: Fri, 4 May 2012 14:42:35 +0000 Subject: [PATCH] Backporting syntax highlighting and igor's changes for ssl/ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1333999 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/ssl/index.xml | 3 +- docs/manual/ssl/index.xml.fr | 5 +- docs/manual/ssl/ssl_faq.xml | 46 +++---- docs/manual/ssl/ssl_faq.xml.fr | 6 +- docs/manual/ssl/ssl_howto.xml | 200 +++++++++++++++---------------- docs/manual/ssl/ssl_howto.xml.fr | 4 +- docs/manual/ssl/ssl_intro.xml | 73 +++++------ docs/manual/ssl/ssl_intro.xml.fr | 72 +++++------ 8 files changed, 195 insertions(+), 214 deletions(-) diff --git a/docs/manual/ssl/index.xml b/docs/manual/ssl/index.xml index 2f0497fbdc..b23d05404a 100644 --- a/docs/manual/ssl/index.xml +++ b/docs/manual/ssl/index.xml @@ -30,8 +30,7 @@ provides an interface to the OpenSSL library, which provides Strong Encryption using the Secure Sockets Layer and Transport Layer -Security protocols. The module and this documentation are based on -Ralf S. Engelschall's mod_ssl project.

+Security protocols.

Documentation diff --git a/docs/manual/ssl/index.xml.fr b/docs/manual/ssl/index.xml.fr index c02f2eb8f8..851c7fe61b 100644 --- a/docs/manual/ssl/index.xml.fr +++ b/docs/manual/ssl/index.xml.fr @@ -1,7 +1,7 @@ - + @@ -33,8 +33,7 @@ interface avec la bibliothèque OpenSSL, qui permet d'effectuer un chiffrement fort en s'appuyant sur les protocoles "Couche Points d'accès Sécurisés" (Secure Sockets Layer - SSL) et "Sécurité de la Couche Transport" -(Transport Layer Security - TLS). Le module et cette documentation sont basés -sur le projet mod_ssl de Ralf S. Engelschall.

+(Transport Layer Security - TLS).

Documentation diff --git a/docs/manual/ssl/ssl_faq.xml b/docs/manual/ssl/ssl_faq.xml index 9ae71d3a30..a7e36f8833 100644 --- a/docs/manual/ssl/ssl_faq.xml +++ b/docs/manual/ssl/ssl_faq.xml @@ -172,11 +172,11 @@ relative hyperlinks? fully-qualified hyperlinks (because you have to change the URL scheme). Using mod_rewrite however, you can manipulate relative hyperlinks, to achieve the same effect.

- - RewriteEngine on
- RewriteRule ^/(.*)_SSL$ https://%{SERVER_NAME}/$1 [R,L]
- RewriteRule ^/(.*)_NOSSL$ http://%{SERVER_NAME}/$1 [R,L] -
+ +RewriteEngine on +RewriteRule ^/(.*)_SSL$ https://%{SERVER_NAME}/$1 [R,L] +RewriteRule ^/(.*)_NOSSL$ http://%{SERVER_NAME}/$1 [R,L] +

This rewrite ruleset lets you use hyperlinks of the form <a href="document.html_SSL">, to switch to HTTPS @@ -253,10 +253,10 @@ Certificate for testing purposes? -keyout server.key
These can be used as follows in your httpd.conf file: -

-             SSLCertificateFile    /path/to/this/server.crt
-             SSLCertificateKeyFile /path/to/this/server.key
-        
+ +SSLCertificateFile /path/to/this/server.crt +SSLCertificateKeyFile /path/to/this/server.key +
  • It is important that you are aware that this server.key does not have any passphrase. @@ -333,10 +333,10 @@ Certificate for testing purposes?
  • You should now have two files: server.key and server.crt. These can be used as follows in your httpd.conf file: -
    -       SSLCertificateFile    /path/to/this/server.crt
    -       SSLCertificateKeyFile /path/to/this/server.key
    -       
    + +SSLCertificateFile /path/to/this/server.crt +SSLCertificateKeyFile /path/to/this/server.key + The server.csr file is no longer needed.
  • @@ -605,9 +605,9 @@ error when connecting to my newly installed server? handshake is finished, but the information is needed in order to complete the SSL handshake phase. See the next question for how to circumvent this issue.

    - +

    Note that if you have a wildcard SSL certificate, or a - certificate that has multple hostnames on it using subjectAltName + certificate that has multiple hostnames on it using subjectAltName fields, you can use SSL on name-based virtual hosts without further workarounds.

    @@ -650,9 +650,9 @@ Virtual Hosting to identify different SSL virtual hosts? you must make sure to put the non-SSL port number on the NameVirtualHost directive, e.g.

    - + NameVirtualHost 192.168.1.1:80 - +

    Other workaround solutions include:

    @@ -668,7 +668,7 @@ a negotiable standard compression method.

    OpenSSL 0.9.8 started to support this by default when compiled with the zlib option. If both the client and the server support compression, it will be used. However, most clients still try to initially connect with an -SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms +SSLv2 Hello. As SSLv2 did not include an array of preferred compression algorithms in its handshake, compression cannot be negotiated with these clients. If the client disables support for SSLv2, either an SSLv3 or TLS Hello may be sent, depending on which SSL library is used, and compression may @@ -702,11 +702,11 @@ Explorer (MSIE)? keep-alive connections or send the SSL close notify messages to MSIE clients. This can be done by using the following directive in your SSL-aware virtual host section:

    - - SetEnvIf User-Agent "MSIE [2-5]" \
    - nokeepalive ssl-unclean-shutdown \
    - downgrade-1.0 force-response-1.0 -
    + +SetEnvIf User-Agent "MSIE [2-5]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 +

    Further, some MSIE versions have problems with particular ciphers. Unfortunately, it is not possible to implement a MSIE-specific workaround for this, because the ciphers are needed as early as the diff --git a/docs/manual/ssl/ssl_faq.xml.fr b/docs/manual/ssl/ssl_faq.xml.fr index c6e56fca7a..963c62d27b 100644 --- a/docs/manual/ssl/ssl_faq.xml.fr +++ b/docs/manual/ssl/ssl_faq.xml.fr @@ -1,7 +1,7 @@ - + @@ -644,7 +644,7 @@ l'oeuf ou de la poule. La couche du protocole SSL se trouve en dessous de la couche de protocole HTTP qu'elle encapsule. Lors de l'établissement d'une connexion SSL (HTTPS), Apache/mod_ssl doit négocier les paramètres du protocole SSL avec le client. Pour cela, mod_ssl doit consulter la -configuration du serveur virtuel (par exemple, il doit accéder à la la suite +configuration du serveur virtuel (par exemple, il doit accéder à la suite d'algorithmes de chiffrement, au certificat du serveur, etc...). Mais afin de sélectionner le bon serveur virtuel, Apache doit connaître le contenu du champ d'en-tête HTTP Host. Pour cela, il doit lire l'en-tête de la @@ -681,7 +681,7 @@ pour différencier plusieurs hôtes virtuels ?

    Notez que si votre certificat comporte un nom de serveur avec caractères génériques, ou des noms de serveurs multiples dans le champ subjectAltName, vous pouvez utiliser SSL avec les serveurs - virtuels à base de noms sans avoir à contourner ce problème.

    + virtuels à base de noms sans avoir à contourner ce problème.

    La raison en est que le protocole SSL constitue une couche séparée qui encapsule le protocole HTTP. Aini, la session SSL nécessite une diff --git a/docs/manual/ssl/ssl_howto.xml b/docs/manual/ssl/ssl_howto.xml index e69b311064..bada94668f 100644 --- a/docs/manual/ssl/ssl_howto.xml +++ b/docs/manual/ssl/ssl_howto.xml @@ -36,20 +36,18 @@ before progressing to the advanced techniques.

    Basic Configuration Example -

    Your SSL configuration will need to contain, at a minumum, the +

    Your SSL configuration will need to contain, at minimum, the following directives.

    - - Listen 443
    - <VirtualHost *:443>
    - - ServerName www.example.com
    - SSLEngine on
    - SSLCertificateFile /path/to/www.example.com.cert
    - SSLCertificateKeyFile /path/to/www.example.com.key
    -
    - </VirtualHost> -
    + +Listen 443 +<VirtualHost *:443> + ServerName www.example.com + SSLEngine on + SSLCertificateFile /path/to/www.example.com.cert + SSLCertificateKeyFile /path/to/www.example.com.key +</VirtualHost> +
    @@ -65,18 +63,18 @@ requires a strong cipher for access to a particular URL? How can I create an SSL server which accepts strong encryption only?

    The following enables only the strongest ciphers:

    - httpd.conf - SSLCipherSuite HIGH:!aNULL:!MD5
    -
    + + SSLCipherSuite HIGH:!aNULL:!MD5 +

    While with the following configuration you specify a preference for specific speed-optimized ciphers (which will be selected by mod_ssl, provided that they are supported by the client):

    - httpd.conf - SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
    - SSLHonorCipherOrder on -
    + +SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5 +SSLHonorCipherOrder on +
    @@ -90,16 +88,16 @@ URL? blocks, to give a per-directory solution, and can automatically force a renegotiation of the SSL parameters to meet the new configuration. This can be done as follows:

    - - # be liberal in general
    - SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    -
    - <Location /strong/area>
    - # but https://hostname/strong/area/ and below
    - # requires strong ciphers
    - SSLCipherSuite HIGH:!aNULL:!MD5
    - </Location> -
    + +# be liberal in general +SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL + +<Location /strong/area> +# but https://hostname/strong/area/ and below +# requires strong ciphers +SSLCipherSuite HIGH:!aNULL:!MD5 +</Location> +
    @@ -125,13 +123,13 @@ Intranet website, for clients coming from the Internet? need to do is to create client certificates signed by your own CA certificate (ca.crt) and then verify the clients against this certificate.

    - httpd.conf - # require a client certificate which has to be directly
    - # signed by our CA certificate in ca.crt
    - SSLVerifyClient require
    - SSLVerifyDepth 1
    - SSLCACertificateFile conf/ssl.crt/ca.crt -
    + +# require a client certificate which has to be directly +# signed by our CA certificate in ca.crt +SSLVerifyClient require +SSLVerifyDepth 1 +SSLCACertificateFile conf/ssl.crt/ca.crt +
    @@ -142,15 +140,15 @@ Intranet website, for clients coming from the Internet? you can use the per-directory reconfiguration features of mod_ssl:

    - httpd.conf - SSLVerifyClient none
    - SSLCACertificateFile conf/ssl.crt/ca.crt
    -
    - <Location /secure/area>
    - SSLVerifyClient require
    - SSLVerifyDepth 1
    - </Location>
    -
    + +SSLVerifyClient none +SSLCACertificateFile conf/ssl.crt/ca.crt + +<Location /secure/area> +SSLVerifyClient require +SSLVerifyDepth 1 +</Location> +
    @@ -169,23 +167,22 @@ Intranet website, for clients coming from the Internet? you should establish a password database containing all clients allowed, as follows:

    - httpd.conf
    +    
     SSLVerifyClient      none
     <Directory /usr/local/apache2/htdocs/secure/area>
    -
    -SSLVerifyClient      require
    -SSLVerifyDepth       5
    -SSLCACertificateFile conf/ssl.crt/ca.crt
    -SSLCACertificatePath conf/ssl.crt
    -SSLOptions           +FakeBasicAuth
    -SSLRequireSSL
    -AuthName             "Snake Oil Authentication"
    -AuthType             Basic
    -AuthBasicProvider    file
    -AuthUserFile         /usr/local/apache2/conf/httpd.passwd
    -Require              valid-user
    -</Directory>
    -
    + SSLVerifyClient require + SSLVerifyDepth 5 + SSLCACertificateFile conf/ssl.crt/ca.crt + SSLCACertificatePath conf/ssl.crt + SSLOptions +FakeBasicAuth + SSLRequireSSL + AuthName "Snake Oil Authentication" + AuthType Basic + AuthBasicProvider file + AuthUserFile /usr/local/apache2/conf/httpd.passwd + Require valid-user +</Directory> +

    The password used in this example is the DES encrypted string "password". See the SSLOptions docs for more @@ -202,10 +199,9 @@ Require valid-user >SSLRequire, as follows:

    - httpd.conf
    +    
     SSLVerifyClient      none
     <Directory /usr/local/apache2/htdocs/secure/area>
    -
       SSLVerifyClient      require
       SSLVerifyDepth       5
       SSLCACertificateFile conf/ssl.crt/ca.crt
    @@ -214,8 +210,8 @@ SSLVerifyClient      none
       SSLRequireSSL
       SSLRequire       %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." \
                    and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
    -</Directory>
    -
    +</Directory> +
    @@ -230,50 +226,50 @@ plain HTTP access for clients on the Intranet. This configuration should remain outside of your HTTPS virtual host, so that it applies to both HTTPS and HTTP.

    - httpd.conf
    +    
     SSLCACertificateFile conf/ssl.crt/company-ca.crt
     
     <Directory /usr/local/apache2/htdocs>
    -#   Outside the subarea only Intranet access is granted
    -Order                deny,allow
    -Deny                 from all
    -Allow                from 192.168.1.0/24
    +    #   Outside the subarea only Intranet access is granted
    +    Order                deny,allow
    +    Deny                 from all
    +    Allow                from 192.168.1.0/24
     </Directory>
     
     <Directory /usr/local/apache2/htdocs/subarea>
    -#   Inside the subarea any Intranet access is allowed
    -#   but from the Internet only HTTPS + Strong-Cipher + Password
    -#   or the alternative HTTPS + Strong-Cipher + Client-Certificate
    -
    -#   If HTTPS is used, make sure a strong cipher is used.
    -#   Additionally allow client certs as alternative to basic auth.
    -SSLVerifyClient      optional
    -SSLVerifyDepth       1
    -SSLOptions           +FakeBasicAuth +StrictRequire
    -SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128
    -
    -#   Force clients from the Internet to use HTTPS
    -RewriteEngine        on
    -RewriteCond          %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
    -RewriteCond          %{HTTPS} !=on
    -RewriteRule          . - [F]
    -
    -#   Allow Network Access and/or Basic Auth
    -Satisfy              any
    -
    -#   Network Access Control
    -Order                deny,allow
    -Deny                 from all
    -Allow                192.168.1.0/24
    -
    -#   HTTP Basic Authentication
    -AuthType             basic
    -AuthName             "Protected Intranet Area"
    -AuthBasicProvider    file
    -AuthUserFile         conf/protected.passwd
    -Require              valid-user
    -</Directory>
    -
    + # Inside the subarea any Intranet access is allowed + # but from the Internet only HTTPS + Strong-Cipher + Password + # or the alternative HTTPS + Strong-Cipher + Client-Certificate + + # If HTTPS is used, make sure a strong cipher is used. + # Additionally allow client certs as alternative to basic auth. + SSLVerifyClient optional + SSLVerifyDepth 1 + SSLOptions +FakeBasicAuth +StrictRequire + SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 + + # Force clients from the Internet to use HTTPS + RewriteEngine on + RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$ + RewriteCond %{HTTPS} !=on + RewriteRule . - [F] + + # Allow Network Access and/or Basic Auth + Satisfy any + + # Network Access Control + Order deny,allow + Deny from all + Allow 192.168.1.0/24 + + # HTTP Basic Authentication + AuthType basic + AuthName "Protected Intranet Area" + AuthBasicProvider file + AuthUserFile conf/protected.passwd + Require valid-user +</Directory> +
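Review bot: in the `/usr/local/apache2/htdocs/subarea` block the line `Allow 192.168.1.0/24` is missing the `from` keyword (compare `Allow from 192.168.1.0/24` in the `<Directory /usr/local/apache2/htdocs>` block just above it); mod_access_compat rejects an `Allow` or `Deny` that is not followed by `from`, so the example as written is refused at config parse time. The hunk only re-indents, so the error predates it, but the backport is the right moment to fix it. Also, since this lands on the 2.4.x branch, the `Order`/`Deny`/`Allow`/`Satisfy any` lines only work with mod_access_compat loaded; a 2.4-native version of the "network access or basic auth" rule would be a `<RequireAny>` containing `Require ip 192.168.1.0/24` and `Require valid-user`.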
    diff --git a/docs/manual/ssl/ssl_howto.xml.fr b/docs/manual/ssl/ssl_howto.xml.fr index 50093952e1..035106e20d 100644 --- a/docs/manual/ssl/ssl_howto.xml.fr +++ b/docs/manual/ssl/ssl_howto.xml.fr @@ -1,7 +1,7 @@ - + @@ -105,7 +105,7 @@ accéder à une URL particulière ? Cette configuration peut se présenter comme suit :

    # soyons très tolérant a priori
    - SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    + SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL

    <Location /strong/area>
    # sauf pour https://hostname/strong/area/ et ses sous-répertoires
    diff --git a/docs/manual/ssl/ssl_intro.xml b/docs/manual/ssl/ssl_intro.xml index 9e779cf1eb..13f51e0250 100644 --- a/docs/manual/ssl/ssl_intro.xml +++ b/docs/manual/ssl/ssl_intro.xml @@ -26,14 +26,6 @@ SSL/TLS Strong Encryption: An Introduction -
    -

    The nice thing about standards is that there are so many to choose -from. And if you really don't like all the standards you just have to -wait another year until the one arises you are looking for.

    - -

    -- A. Tanenbaum, "Introduction to -Computer Networks"

    -

    As an introduction this chapter is aimed at readers who are familiar with the Web, HTTP, and Apache, but are not security experts. It is not @@ -43,20 +35,6 @@ important legal issues of patents and import and export restrictions. Rather, it is intended to provide a common background to mod_ssl users by pulling together various concepts, definitions, and examples as a starting point for further exploration.

    - -

    The presented content is mainly derived, with the author's permission, -from the article Introducing -SSL and Certificates using SSLeay by Frederick J. Hirsch, of The -Open Group Research Institute, which was published in Web Security: A Matter of -Trust, World Wide Web Journal, Volume 2, Issue 3, Summer 1997. -Please send any positive feedback to Frederick Hirsch (the original -article author) and all negative feedback to Ralf S. Engelschall (the -mod_ssl author).

    @@ -262,7 +240,7 @@ certificates are used for authentication.

    as *.snakeoil.com.

    The binary format of a certificate is defined using the ASN.1 - notation [X208] [PKCS]. This + notation [ASN1] [PKCS]. This notation defines how to specify the contents and encoding rules define how this information is translated into binary form. The binary encoding of the certificate is defined using Distinguished Encoding @@ -409,8 +387,7 @@ establishing a protocol session.

    Description Browser Support SSL v2.0 - Vendor Standard (from Netscape Corp.) [SSL2] + Vendor Standard (from Netscape Corp.) First SSL protocol for which implementations exist - NS Navigator 1.x/2.x
    - MS IE 3.x
    @@ -430,6 +407,18 @@ establishing a protocol session.

    padding for block ciphers, message order standardization and more alert messages. - Lynx/2.8+OpenSSL + TLS v1.1 + Proposed Internet Standard (from IETF) [TLS11] + Update of TLS 1.0 to add protection against Cipher block chaining + (CBC) attacks. + - + TLS v1.2 + Proposed Internet Standard (from IETF) [TLS12] + Update of TLS 1.2 deprecating MD5 as hash, and adding incompatibility + to SSL so it will never negotiate the use of SSLv2. + -
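Review bot: the new TLS v1.2 row reads "Update of TLS 1.2 deprecating MD5 as hash"; TLS 1.2 (RFC 5246, cited as [TLS12] in this same hunk) is an update of TLS 1.1, so this should read "Update of TLS 1.1". The TLS v1.1 row ("Update of TLS 1.0 ...") is correct.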
    @@ -461,7 +450,7 @@ the Internet Engineering Task Force (IETF).

    to start a session. To do this, the server assigns each SSL session a unique session identifier which is cached in the server and which the client can use in future connections to reduce the handshake time - (until the session identifer expires from the cache of the server).

    + (until the session identifier expires from the cache of the server).

    @@ -635,18 +624,17 @@ the Internet Engineering Task Force (IETF).

    >http://www.counterpane.com/ for various other materials by Bruce Schneier. -
    [X208]
    +
    [ASN1]
    ITU-T Recommendation X.208, Specification of Abstract Syntax Notation -One (ASN.1), 1988. See for instance http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.208-198811-I. +One (ASN.1), last updated 2008. See http://www.itu.int/ITU-T/asn1/.
    [X509]
    ITU-T Recommendation X.509, The Directory - Authentication -Framework. See for instance http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.509. +Framework. For references, see http://en.wikipedia.org/wiki/X.509.
    [PKCS]
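Review bot: the [X509] entry now points to Wikipedia ("For references, see http://en.wikipedia.org/wiki/X.509") while the neighbouring [ASN1] entry keeps an ITU-T link; for a normative reference in a security chapter, prefer the ITU-T X.509 page or RFC 5280 (the IETF profile of X.509 for the Internet PKI), and keep Wikipedia at most as a secondary pointer.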
    @@ -658,13 +646,8 @@ href="http://www.rsasecurity.com/rsalabs/pkcs/"
    [MIME]
    N. Freed, N. Borenstein, Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies, RFC2045. -See for instance http://ietf.org/rfc/rfc2045.txt.
    - -
    [SSL2]
    -
    Kipp E.B. Hickman, The SSL Protocol, 1995. See http://www.netscape.com/eng/security/SSL_2.html.
    +See for instance http://tools.ietf.org/html/rfc2045.
    [SSL3]
    Alan O. Freier, Philip Karlton, Paul C. Kocher, The SSL Protocol @@ -676,6 +659,16 @@ href="http://www.netscape.com/eng/ssl3/draft302.txt"
    Tim Dierks, Christopher Allen, The TLS Protocol Version 1.0, 1999. See http://ietf.org/rfc/rfc2246.txt.
    + +
    [TLS11]
    +
    The TLS Protocol Version 1.1, +2006. See http://tools.ietf.org/html/rfc4346.
    + +
    [TLS12]
    +
    The TLS Protocol Version 1.2, +2008. See http://tools.ietf.org/html/rfc5246.
    diff --git a/docs/manual/ssl/ssl_intro.xml.fr b/docs/manual/ssl/ssl_intro.xml.fr index fbb151262d..f9b84329cc 100644 --- a/docs/manual/ssl/ssl_intro.xml.fr +++ b/docs/manual/ssl/ssl_intro.xml.fr @@ -1,7 +1,7 @@ - + @@ -28,14 +28,6 @@ Chiffrement SSL/TLS fort : Introduction -
    -

    Ce qui est agréable avec les standards est d'avoir l'embarras du choix. Et -si certains standards ne vous conviennent pas vraiment, il vous suffit -d'attendre un an pour voir apparaître celui qui répondra à vos attentes.

    - -

    -- A. Tanenbaum, "Introduction to -Computer Networks"

    -

    Ce chapitre en guise d'introduction est destiné aux lecteurs pour lesquels le Web, HTTP et Apache sont familiers, mais ne sont pas des experts en matière @@ -47,19 +39,6 @@ une base de travail pour les utilisateurs de mod_ssl en rassemblant différents concepts, définitions et exemples comme point de départ pour une exploration plus détaillée.

    -

    Le contenu s'inspire en grande partie, avec la permission de l'auteur, -de l'article Introducing -SSL and Certificates using SSLeay de Frederick J. Hirsch, de -l'Open Group Research Institute, publié dans Web Security: A Matter of -Trust, World Wide Web Journal, Volume 2, Issue 3, Summer 1997. Vous -pouvez envoyer toute remarque positive à Frederick Hirsch (l'auteur de l'article -original) et toute remarque négative à Ralf S. Engelschall (l'auteur du module -mod_ssl).

    @@ -280,7 +259,7 @@ on utilise les certificats à des fins d'authentification.

    *.snakeoil.com.

    Le format binaire d'un certificat est défini en utilisant la - notation ASN.1 [X208] [PKCS]. + notation ASN.1 [ASN1] [PKCS]. Cette notation definit la manière de spécifier les contenus, et les règles d'encodage définissent la manière dont ces information sont converties au format binaire. L'encodage binaire du certificat est défini par les Règles @@ -437,8 +416,7 @@ l'établissement de la session protocolaire.

    Description Navigateurs supportés SSL v2.0 - Standard du fournisseur (de Netscape Corp.) [SSL2] + Standard du fournisseur (de Netscape Corp.) Premier protocole SSL pour lequel il existe des implémentations - NS Navigator 1.x/2.x
    - MS IE 3.x
    @@ -459,6 +437,19 @@ l'établissement de la session protocolaire.

    ajout du bourrage de bloc pour le chiffrement de bloc, standardisation de l'ordonnancement des messages et plus de messages d'alerte. - Lynx/2.8+OpenSSL + TLS v1.1 + Standard proposé pour l'Internet (de l'IETF) [TLS11] + Mise à jour de TLS 1.0 pour la protection contre les + attaques de type Cipher block chaining (CBC). + - + TLS v1.2 + Standard proposé pour l'Internet (de l'IETF) [TLS12] + Mise à jour de TLS 1.2 rendant les condensés MD5 obsolètes, + et introduisant une incompatibilité avec SSL ce qui interdit toute + négociation en vue d'une utilisation de SSLv2. + -
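Review bot: the TLS v1.2 row says "Mise à jour de TLS 1.2 rendant les condensés MD5 obsolètes"; TLS 1.2 updates TLS 1.1, so it should read "Mise à jour de TLS 1.1", which is also the correction needed in the English ssl_intro.xml table in this patch.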
    @@ -685,18 +676,16 @@ l'Internet Engineering Task Force (IETF).

    >http://www.counterpane.com/ pour diverses autres productions de Bruce Schneier. -
    [X208]
    +
    [ASN1]
    ITU-T Recommendation X.208, Specification of Abstract Syntax Notation -One (ASN.1), 1988. Voir par exemple http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=T-REC-X.208-198811-I. +One (ASN.1), dernière mise à jour en 2008. Voir http://www.itu.int/ITU-T/asn1/.
    [X509]
    ITU-T Recommendation X.509, The Directory - Authentication -Framework. Voir par exemple http://www.itu.int/rec/recommendation.asp?type=folders&lang=e&parent=T-REC-X.509. +Framework. A titre de référence, voir http://en.wikipedia.org/wiki/X.509.
    [PKCS]
    @@ -708,13 +697,8 @@ href="http://www.rsasecurity.com/rsalabs/pkcs/"
    [MIME]
    N. Freed, N. Borenstein, Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies, RFC2045. -Voir par exemple http://ietf.org/rfc/rfc2045.txt.
    - -
    [SSL2]
    -
    Kipp E.B. Hickman, The SSL Protocol, 1995. See http://www.netscape.com/eng/security/SSL_2.html.
    +Voir par exemple http://tools.ietf.org/html/rfc2045.
    [SSL3]
    Alan O. Freier, Philip Karlton, Paul C. Kocher, The SSL Protocol @@ -726,6 +710,16 @@ href="http://www.netscape.com/eng/ssl3/draft302.txt"
    Tim Dierks, Christopher Allen, The TLS Protocol Version 1.0, 1999. Voir http://ietf.org/rfc/rfc2246.txt.
    + +
    [TLS11]
    +
    Le protocole TLS Version 1.1, +2006. Voir http://tools.ietf.org/html/rfc4346.
    + +
    [TLS12]
    +
    Le protocole TLS Version 1.2, +2008. Voir http://tools.ietf.org/html/rfc5246.
    -- 2.50.1
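Review bot: in the ssl_howto.xml hunk `@@ -65,18 +63,18 @@`, the "speed-optimized" preference list `SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5` is paired with `SSLHonorCipherOrder on`, so the server will actively pick RC4 for every client that offers it. Under a question about accepting strong encryption only, the example should not lead with a stream cipher that RFC 7465 later prohibited for TLS; suggest listing `AES128-SHA` first or dropping `RC4-SHA` from the example.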
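Review bot: in the ssl_howto.xml hunk `@@ -90,16 +88,16 @@`, dropping `+SSLv2` from the server-wide list is the right direction, but the resulting `SSLCipherSuite ALL:!aNULL:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP:+eNULL` still explicitly appends export-grade (`+EXP`) and unencrypted (`+eNULL`) suites, so the "be liberal in general" default accepts connections with no encryption at all. Since the point of the example is per-directory tightening, suggest a server-wide list that at least excludes `eNULL` and `EXP` (for instance `ALL:!aNULL:!eNULL:!EXP`) so the `/strong/area` block demonstrates strengthening a sane baseline rather than rescuing a null-cipher one.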
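Review bot: in the ssl_faq.xml hunk `@@ -172,11 +172,11 @@`, the rule `RewriteRule ^/(.*)_SSL$ https://%{SERVER_NAME}/$1 [R,L]` builds the redirect target from `%{SERVER_NAME}`, which with the default `UseCanonicalName Off` is taken from the client-supplied `Host` header, so the documented rule redirects to whatever hostname the client sent. Worth one sentence in the FAQ text that `UseCanonicalName On` (or a literal hostname in the rule) pins the redirect to the configured ServerName.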