From 7d075c36ee710a20b4a7dcb065a374afcf0bc942 Mon Sep 17 00:00:00 2001 From: Martin Kraemer Date: Thu, 17 Jan 2002 11:18:03 +0000 Subject: [PATCH] Fix minor typos. Mention that mod_ssl is part of Apache-2.0. Change absolute self-references to relative jumps. TODO: * IMHO the topic ToC3 should be deleted completely. * All references to "patch Apache" or "EAPI patch" should be removed * A native english speaker might want to proof-read the doc and polish it git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92887 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/ssl/ssl_faq.html | 111 ++++++++++++++++++----------------- 1 file changed, 57 insertions(+), 54 deletions(-) diff --git a/docs/manual/ssl/ssl_faq.html b/docs/manual/ssl/ssl_faq.html index e7ea61f0ba..36d03de9dc 100644 --- a/docs/manual/ssl/ssl_faq.html +++ b/docs/manual/ssl/ssl_faq.html @@ -133,7 +133,7 @@ author. What is the history of mod_ssl?    - [L] + [L]

The mod_ssl v1 package was initially created in April 1998 by Ralf S. Engelschall via porting + After the US export restrictions for cryptographic software were + opened, mod_ssl was integrated into the code base of Apache V2 in 2001.

  • -What are the functional differences between mod_ssl and Apache-SSL, from where +What are the functional differences between mod_ssl and Apache-SSL, from which it is originally derived?    - [L] + [L]

    This neither can be answered in short (there were too many code changes) nor can be answered at all by the author (there would immediately be flame @@ -201,7 +204,7 @@ it is originally derived? What are the major differences between mod_ssl and the commercial alternatives like Raven or Stronghold?    - [L] + [L]

    In the past (until September 20th, 2000) the major difference was the RSA license which one received (very cheaply in contrast to @@ -250,7 +253,7 @@ the commercial alternatives like Raven or Stronghold? How do I know which mod_ssl version is for which Apache version?    - [L] + [L]

    That's trivial: mod_ssl uses version strings of the syntax <mod_ssl-version>-<apache-version>, for @@ -265,7 +268,7 @@ How do I know which mod_ssl version is for which Apache version? Is mod_ssl Year 2000 compliant?    - [L] + [L]

    Yes, mod_ssl is Year 2000 compliant.

    @@ -290,7 +293,7 @@ Is mod_ssl Year 2000 compliant? What about mod_ssl and the Wassenaar Arrangement?    - [L] + [L]

    First, let us explain what Wassenaar and its Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and @@ -349,7 +352,7 @@ What about mod_ssl and the Wassenaar Arrangement? When I access my website the first time via HTTPS I get a core dump?    - [L] + [L]

    There can be a lot of reasons why a core dump can occur, of course. Ranging from buggy third-party modules, over buggy vendor libraries up to @@ -365,20 +368,20 @@ When I access my website the first time via HTTPS I get a core dump? My Apache dumps core when I add both mod_ssl and PHP3?    - [L] + [L]

    Make sure you add mod_ssl to the Apache source tree first and then do a fresh configuration and installation of PHP3. For SSL support EAPI patches are required which have to change internal Apache structures. PHP3 needs to know about these in order to work correctly. Always make sure that - -DEAPI is contained in the compiler flags when PHP3 is build. + -DEAPI is contained in the compiler flags when PHP3 is built.

  • When I startup Apache I get errors about undefined symbols like ap_global_ctx?    - [L] + [L]

    This actually means you installed mod_ssl as a DSO, but without rebuilding Apache with EAPI. Because EAPI is a requirement for mod_ssl, you need an @@ -391,7 +394,7 @@ When I startup Apache I get errors about undefined symbols like ap_global_ctx? When I startup Apache I get permission errors related to SSLMutex?    - [L] + [L]

    When you receive entries like ``mod_ssl: Child could not open SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows) @@ -408,7 +411,7 @@ When I startup Apache I get permission errors related to SSLMutex? When I use the MM library and the shared memory cache each process grows 1.5MB according to `top' although I specified 512000 as the cache size?    - [L] + [L]

    The additional 1MB are caused by the global shared memory pool EAPI allocates for all modules and which is not used by mod_ssl for @@ -427,7 +430,7 @@ Apache creates files in a directory declared by the internal EAPI_MM_CORE_PATH define. Is there a way to override the path using a configuration directive?    - [L] + [L]

    No, there is not configuration directive, because for technical bootstrapping reasons, a directive not possible at all. Instead @@ -442,7 +445,7 @@ When I fire up the server, mod_ssl stops with the error "Failed to generate temporary 512 bit RSA private key", why? And a "PRNG not seeded" error occurs if I try "make certificate".    - [L] + [L]

    Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide @@ -471,7 +474,7 @@ And a "PRNG not seeded" error occurs if I try "make certificate". Is it possible to provide HTTP and HTTPS with a single server?    - [L] + [L]

    Yes, HTTP and HTTPS use different server ports, so there is no direct conflict between them. Either run two separate server instances (one binds @@ -485,7 +488,7 @@ Is it possible to provide HTTP and HTTPS with a single server? I know that HTTP is on port 80, but where is HTTPS?    - [L] + [L]

    You can run HTTPS on any port, but the standards specify port 443, which is where any HTTPS compliant browser will look by default. You can force @@ -497,7 +500,7 @@ I know that HTTP is on port 80, but where is HTTPS? How can I speak HTTPS manually for testing purposes?    - [L] + [L]

    While you usually just use

    @@ -528,7 +531,7 @@ How can I speak HTTPS manually for testing purposes? Why does the connection hang when I connect to my SSL-aware Apache server?    - [L] + [L]

    Because you connected with HTTP to the HTTPS port, i.e. you used an URL of the form ``http://'' instead of ``https://''. @@ -544,7 +547,7 @@ Why does the connection hang when I connect to my SSL-aware Apache server? Why do I get ``Connection Refused'' messages when trying to access my freshly installed Apache+mod_ssl server via HTTPS?    - [L] + [L]

    There can be various reasons. Some of the common mistakes is that people start Apache with just ``apachectl start'' (or @@ -559,9 +562,9 @@ installed Apache+mod_ssl server via HTTPS? In my CGI programs and SSI scripts the various documented -SSL_XXX variables do not exists. Why? +SSL_XXX variables do not exist. Why?    - [L] + [L]

    Just make sure you have ``SSLOptions +StdEnvVars'' enabled for the context of your CGI/SSI requests. @@ -571,7 +574,7 @@ In my CGI programs and SSI scripts the various documented How can I use relative hyperlinks to switch between HTTP and HTTPS?    - [L] + [L]

    Usually you have to use fully-qualified hyperlinks because you have to change the URL scheme. But with the help of some URL @@ -597,7 +600,7 @@ How can I use relative hyperlinks to switch between HTTP and HTTPS? What are RSA Private Keys, CSRs and Certificates?    - [L] + [L]

    The RSA private key file is a digital file that you can use to decrypt messages sent to you. It has a public component which you distribute (via @@ -617,7 +620,7 @@ What are RSA Private Keys, CSRs and Certificates? Seems like there is a difference on startup between the original Apache and an SSL-aware Apache?    - [L] + [L]

    Yes, in general, starting Apache with a built-in mod_ssl is just like starting an unencumbered Apache, except for the fact that when you have a @@ -635,7 +638,7 @@ Seems like there is a difference on startup between the original Apache and an S How can I create a dummy SSL server Certificate for testing purposes?    - [L] + [L]

    A Certificate does not have to be signed by a public CA. You can use your private key to sign the Certificate which contains your public key. You @@ -660,7 +663,7 @@ How can I create a dummy SSL server Certificate for testing purposes? Ok, I've got my server installed and want to create a real SSL server Certificate for it. How do I do it?    - [L] + [L]

    Here is a step-by-step description:

    @@ -757,7 +760,7 @@ server Certificate for it. How do I do it? How can I create and use my own Certificate Authority (CA)?    - [L] + [L]

    The short answer is to use the CA.sh or CA.pl script provided by OpenSSL. The long and manual answer is this: @@ -809,7 +812,7 @@ How can I create and use my own Certificate Authority (CA)? How can I change the pass-phrase on my private key file?    - [L] + [L]

    You simply have to read it with the old pass-phrase and write it again by specifying the new pass-phrase. You can accomplish this with the following @@ -827,7 +830,7 @@ How can I change the pass-phrase on my private key file? How can I get rid of the pass-phrase dialog at Apache startup time?    - [L] + [L]

    The reason why this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in @@ -864,7 +867,7 @@ How can I get rid of the pass-phrase dialog at Apache startup time? How do I verify that a private key matches its Certificate?    - [L] + [L]

    The private key contains a series of numbers. Two of those numbers form the "public key", the others are part of your "private key". The "public @@ -897,7 +900,7 @@ How do I verify that a private key matches its Certificate? What does it mean when my connections fail with an "alert bad certificate" error?    - [L] + [L]

    Usually when you see errors like ``OpenSSL: error:14094412: SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate'' in the SSL @@ -910,7 +913,7 @@ error? Why does my 2048-bit private key not work?    - [L] + [L]

    The private key sizes for SSL must be either 512 or 1024 for compatibility with certain web browsers. A keysize of 1024 bits is recommended because @@ -924,7 +927,7 @@ Why does my 2048-bit private key not work? Why is client authentication broken after upgrading from SSLeay version 0.8 to 0.9?    - [L] + [L]

    The CA certificates under the path you configured with SSLCACertificatePath are found by SSLeay through hash @@ -939,7 +942,7 @@ SSLeay version 0.8 to 0.9? How can I convert a certificate from PEM to DER format?    - [L] + [L]

    The default certificate format for SSLeay/OpenSSL is PEM, which actually is Base64 encoded DER with header and footer lines. For some applications @@ -954,7 +957,7 @@ How can I convert a certificate from PEM to DER format? I try to install a Verisign certificate. Why can't I find neither the getca nor getverisign programs Verisign mentions?    - [L] + [L]

    This is because Verisign has never provided specific instructions for Apache+mod_ssl. Rather they tell you what you should do @@ -974,7 +977,7 @@ I try to install a Verisign certificate. Why can't I find neither the Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global ID) also with mod_ssl?    - [L] + [L]

    Yes, mod_ssl since version 2.1 supports the SGC facility. You don't have to configure anything special for this, just use a Global ID as your @@ -988,7 +991,7 @@ ID) also with mod_ssl? After I have installed my new Verisign Global ID server certificate, the browsers complain that they cannot verify the server certificate?    - [L] + [L]

    That is because Verisign uses an intermediate CA certificate between the root CA certificate (which is installed in the browsers) and @@ -1009,7 +1012,7 @@ browsers complain that they cannot verify the server certificate? Why do I get lots of random SSL protocol errors under heavy server load?    - [L] + [L]

    There can be a number of reasons for this, but the main one is problems with the SSL session Cache specified by the @@ -1022,7 +1025,7 @@ Why do I get lots of random SSL protocol errors under heavy server load? Why has my webserver a higher load now that I run SSL there?    - [L] + [L]

    Because SSL uses strong cryptographic encryption and this needs a lot of number crunching. And because when you request a webpage via HTTPS even @@ -1035,7 +1038,7 @@ Why has my webserver a higher load now that I run SSL there? Often HTTPS connections to my server require up to 30 seconds for establishing the connection, although sometimes it works faster?    - [L] + [L]

    Usually this is caused by using a /dev/random device for SSLRandomSeed which is blocking in read(2) calls if not @@ -1047,7 +1050,7 @@ the connection, although sometimes it works faster? What SSL Ciphers are supported by mod_ssl?    - [L] + [L]

    Usually just all SSL ciphers which are supported by the version of OpenSSL in use (can depend on the way you built @@ -1074,7 +1077,7 @@ What SSL Ciphers are supported by mod_ssl? I want to use Anonymous Diffie-Hellman (ADH) ciphers, but I always get ``no shared cipher'' errors?    - [L] + [L]

    In order to use Anonymous Diffie-Hellman (ADH) ciphers, it is not enough to just put ``ADH'' into your SSLCipherSuite. @@ -1089,7 +1092,7 @@ shared cipher'' errors? I always just get a 'no shared ciphers' error if I try to connect to my freshly installed server?    - [L] + [L]

    Either you have messed up your SSLCipherSuite directive (compare it with the pre-configured example in @@ -1108,7 +1111,7 @@ I try to connect to my freshly installed server? Why can't I use SSL with name-based/non-IP-based virtual hosts?    - [L] + [L]

    The reason is very technical. Actually it's some sort of a chicken and egg problem: The SSL protocol layer stays below the HTTP protocol layer @@ -1126,10 +1129,10 @@ Why can't I use SSL with name-based/non-IP-based virtual hosts? When I use Basic Authentication over HTTPS the lock icon in Netscape browsers -still show the unlocked state when the dialog pops up. Does this mean the +still shows the unlocked state when the dialog pops up. Does this mean the username/password is still transmitted unencrypted?    - [L] + [L]

    No, the username/password is already transmitted encrypted. The icon in Netscape browsers is just not really synchronized with the SSL/TLS layer @@ -1147,7 +1150,7 @@ username/password is still transmitted unencrypted? When I connect via HTTPS to an Apache+mod_ssl+OpenSSL server with Microsoft Internet Explorer (MSIE) I get various I/O errors. What is the reason?    - [L] + [L]

    The first reason is that the SSL implementation in some MSIE versions has some subtle bugs related to the HTTP keep-alive facility and the SSL close @@ -1208,7 +1211,7 @@ When I connect via HTTPS to an Apache+mod_ssl server with Netscape Navigator I get I/O errors and the message "Netscape has encountered bad data from the server" What's the reason?    - [L] + [L]

    The problem usually is that you had created a new server certificate with the same DN, but you had told your browser to accept forever the old @@ -1227,7 +1230,7 @@ server" What's the reason? What information resources are available in case of mod_ssl problems?    - [L] + [L]

    The following information resources are available. In case of problems you should search here first. @@ -1258,7 +1261,7 @@ In case of problems you should search here first. What support contacts are available in case of mod_ssl problems?    - [L] + [L]

    The following lists all support possibilities for mod_ssl, in order of preference, i.e. start in this order and do not pick the support possibility @@ -1295,7 +1298,7 @@ you just like most, please. What information and details I've to provide to the author when writing a bug report?    - [L] + [L]

    You have to at least always provide the following information:

    @@ -1334,7 +1337,7 @@ You have to at least always provide the following information: I got a core dump, can you help me?    - [L] + [L]

    In general no, at least not unless you provide more details about the code location where Apache dumped core. What is usually always required in @@ -1347,7 +1350,7 @@ I got a core dump, can you help me? Ok, I got a core dump but how do I get a backtrace to find out the reason for it?    - [L] + [L]

    Follow the following steps:

    -- 2.40.0
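Review bot: "After the US export restrictions for cryptographic software were opened" in the history hunk is awkward; restrictions are relaxed or lifted, not opened. Suggest "+ After the US export restrictions for cryptographic software were relaxed, mod_ssl was integrated into the code base of Apache 2.0 in 2001." Writing "Apache 2.0" rather than "Apache V2" also matches the "Apache-2.0" wording used in the commit message.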
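Review bot: the answer under "How do I know which mod_ssl version is for which Apache version?" ("mod_ssl uses version strings of the syntax <mod_ssl-version>-<apache-version>") only holds for the separately distributed mod_ssl for Apache 1.3. Since the history hunk in this same patch now states that mod_ssl was integrated into Apache 2.0, this item should say that the version-string matching applies to the 1.3 add-on only and that in Apache 2.0 mod_ssl ships with the server itself.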
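Review bot: the PHP3 hunk only changes "build" to "built" but leaves "For SSL support EAPI patches are required which have to change internal Apache structures" in place, which contradicts the new statement that mod_ssl is part of Apache 2.0; the commit message's own TODO says the EAPI-patch references should go. At minimum, qualify this item and the neighbouring EAPI ones (the "undefined symbols like ap_global_ctx" item, the MM shared-memory pool item and the EAPI_MM_CORE_PATH item) as applying to Apache 1.3 plus the mod_ssl add-on only, rather than deferring the cleanup to a later commit.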
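Review bot: in the EAPI_MM_CORE_PATH hunk the unchanged context "No, there is not configuration directive, because for technical bootstrapping reasons, a directive not possible at all." has two grammar errors that a typo-fixing commit should pick up; suggest "No, there is no configuration directive, because for technical bootstrapping reasons a directive is not possible at all."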
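Review bot: the "connection hang" hunk keeps "you used an URL of the form ``http://''" in its context lines; "an URL" should be "a URL".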
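Review bot: the "Connection Refused" hunk leaves "Some of the common mistakes is that people start Apache with just ``apachectl start''" unchanged; the subject and verb do not agree. Suggest "One of the common mistakes is that people start Apache with just ``apachectl start''".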
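Review bot: the "2048-bit private key" hunk leaves "The private key sizes for SSL must be either 512 or 1024 for compatibility with certain web browsers" standing, which turns a browser-compatibility limitation into a blanket "must" without naming the browsers concerned. Suggest rewording so that the restriction is attributed to the specific older browsers that cannot handle larger keys, and not listing 512 as an acceptable size alongside 1024: 512-bit RSA moduli have been factored publicly, so the FAQ should not present them as a valid choice.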
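Review bot: the Verisign hunk keeps the double negative in the heading "Why can't I find neither the getca nor getverisign programs Verisign mentions?"; suggest "Why can I find neither the getca nor the getverisign programs Verisign mentions?"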
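Review bot: the server-load hunk keeps "Why has my webserver a higher load now that I run SSL there?"; suggest "Why does my webserver have a higher load now that I run SSL?"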
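Review bot: the ADH hunk explains how to get Anonymous Diffie-Hellman ciphers to negotiate ("it is not enough to just put ``ADH'' into your SSLCipherSuite") but gives no warning about what the reader is enabling. ADH suites provide no server authentication at all, so an active attacker can interpose on the connection undetected; add one sentence saying ADH should only be enabled where authentication is deliberately not wanted, e.g. for testing.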
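Review bot: the bug-report hunk keeps the heading "What information and details I've to provide to the author when writing a bug report?"; suggest "What information and details do I have to provide to the author when writing a bug report?"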