From: Rainer Jung Date: Mon, 1 Jun 2015 16:13:53 +0000 (+0000) Subject: Xforms. X-Git-Tag: 2.2.30~45 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7667c4cfece36cf3c9928f5dfa5ba8b0b2eb0184;p=thirdparty%2Fapache%2Fhttpd.git Xforms. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1682944 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/convenience.map b/docs/manual/convenience.map index 1fdf857e161..ddc9b7a1f20 100644 --- a/docs/manual/convenience.map +++ b/docs/manual/convenience.map @@ -399,6 +399,8 @@ sslrequire mod/mod_ssl.html#sslrequire sslrequiressl mod/mod_ssl.html#sslrequiressl sslsessioncache mod/mod_ssl.html#sslsessioncache sslsessioncachetimeout mod/mod_ssl.html#sslsessioncachetimeout +sslsessionticketkeyfile mod/mod_ssl.html#sslsessionticketkeyfile +sslsessiontickets mod/mod_ssl.html#sslsessiontickets sslstrictsnivhostcheck mod/mod_ssl.html#sslstrictsnivhostcheck sslusername mod/mod_ssl.html#sslusername sslverifyclient mod/mod_ssl.html#sslverifyclient diff --git a/docs/manual/mod/directives.html.de b/docs/manual/mod/directives.html.de index c996c4a5bee..ef06e1e06e1 100644 --- a/docs/manual/mod/directives.html.de +++ b/docs/manual/mod/directives.html.de @@ -441,6 +441,8 @@
  • SSLRequireSSL
  • SSLSessionCache
  • SSLSessionCacheTimeout
  • +
  • SSLSessionTicketKeyFile
  • +
  • SSLSessionTickets
  • SSLStrictSNIVHostCheck
  • SSLUserName
  • SSLVerifyClient
  • diff --git a/docs/manual/mod/directives.html.en b/docs/manual/mod/directives.html.en index 3560ddcf41f..3daf3707004 100644 --- a/docs/manual/mod/directives.html.en +++ b/docs/manual/mod/directives.html.en @@ -442,6 +442,8 @@
  • SSLRequireSSL
  • SSLSessionCache
  • SSLSessionCacheTimeout
  • +
  • SSLSessionTicketKeyFile
  • +
  • SSLSessionTickets
  • SSLStrictSNIVHostCheck
  • SSLUserName
  • SSLVerifyClient
  • diff --git a/docs/manual/mod/directives.html.es b/docs/manual/mod/directives.html.es index e966fa78b8d..15970cff9d7 100644 --- a/docs/manual/mod/directives.html.es +++ b/docs/manual/mod/directives.html.es @@ -444,6 +444,8 @@
  • SSLRequireSSL
  • SSLSessionCache
  • SSLSessionCacheTimeout
  • +
  • SSLSessionTicketKeyFile
  • +
  • SSLSessionTickets
  • SSLStrictSNIVHostCheck
  • SSLUserName
  • SSLVerifyClient
  • diff --git a/docs/manual/mod/directives.html.ja.utf8 b/docs/manual/mod/directives.html.ja.utf8 index 6380329f5fa..b60523b1737 100644 --- a/docs/manual/mod/directives.html.ja.utf8 +++ b/docs/manual/mod/directives.html.ja.utf8 @@ -439,6 +439,8 @@
  • SSLRequireSSL
  • SSLSessionCache
  • SSLSessionCacheTimeout
  • +
  • SSLSessionTicketKeyFile
  • +
  • SSLSessionTickets
  • SSLStrictSNIVHostCheck
  • SSLUserName
  • SSLVerifyClient
  • diff --git a/docs/manual/mod/directives.html.ko.euc-kr b/docs/manual/mod/directives.html.ko.euc-kr index bfe0654d029..a5dcfd16513 100644 --- a/docs/manual/mod/directives.html.ko.euc-kr +++ b/docs/manual/mod/directives.html.ko.euc-kr @@ -439,6 +439,8 @@
  • SSLRequireSSL
  • SSLSessionCache
  • SSLSessionCacheTimeout
  • +
  • SSLSessionTicketKeyFile
  • +
  • SSLSessionTickets
  • SSLStrictSNIVHostCheck
  • SSLUserName
  • SSLVerifyClient
  • diff --git a/docs/manual/mod/directives.html.ru.koi8-r b/docs/manual/mod/directives.html.ru.koi8-r index d321403ed6e..cd56b05b37b 100644 --- a/docs/manual/mod/directives.html.ru.koi8-r +++ b/docs/manual/mod/directives.html.ru.koi8-r @@ -441,6 +441,8 @@
  • SSLRequireSSL
  • SSLSessionCache
  • SSLSessionCacheTimeout
  • +
  • SSLSessionTicketKeyFile
  • +
  • SSLSessionTickets
  • SSLStrictSNIVHostCheck
  • SSLUserName
  • SSLVerifyClient
  • diff --git a/docs/manual/mod/directives.html.tr.utf8 b/docs/manual/mod/directives.html.tr.utf8 index 21e3fae4a4b..b8cfc62a836 100644 --- a/docs/manual/mod/directives.html.tr.utf8 +++ b/docs/manual/mod/directives.html.tr.utf8 @@ -438,6 +438,8 @@
  • SSLRequireSSL
  • SSLSessionCache
  • SSLSessionCacheTimeout
  • +
  • SSLSessionTicketKeyFile
  • +
  • SSLSessionTickets
  • SSLStrictSNIVHostCheck
  • SSLUserName
  • SSLVerifyClient
  • diff --git a/docs/manual/mod/directives.html.zh-cn.utf8 b/docs/manual/mod/directives.html.zh-cn.utf8 index 7e702329aaf..15914f13f7e 100644 --- a/docs/manual/mod/directives.html.zh-cn.utf8 +++ b/docs/manual/mod/directives.html.zh-cn.utf8 @@ -437,6 +437,8 @@
  • SSLRequireSSL
  • SSLSessionCache
  • SSLSessionCacheTimeout
  • +
  • SSLSessionTicketKeyFile
  • +
  • SSLSessionTickets
  • SSLStrictSNIVHostCheck
  • SSLUserName
  • SSLVerifyClient
  • diff --git a/docs/manual/mod/mod_log_config.html.en b/docs/manual/mod/mod_log_config.html.en index b9bfd088d8e..680c8e7bfde 100644 --- a/docs/manual/mod/mod_log_config.html.en +++ b/docs/manual/mod/mod_log_config.html.en @@ -169,20 +169,46 @@ format) %{format}t The time, in the form given by format, which should be in - strftime(3) format. (potentially localized) + an extended strftime(3) format (potentially localized). + If the format starts with begin: (default) the time is taken + at the beginning of the request processing. If it starts with + end: it is the time when the log entry gets written, + close to the end of the request processing. In addition to the formats + supported by strftime(3), the following format tokens are + supported: + + + + + + +
    secnumber of seconds since the Epoch
    msecnumber of milliseconds since the Epoch
    usecnumber of microseconds since the Epoch
    msec_fracmillisecond fraction
    usec_fracmicrosecond fraction
    + These tokens can not be combined with each other or strftime(3) + formatting in the same format string. You can use multiple + %{format}t tokens instead. The extended + strftime(3) tokens are available in 2.2.30 and later. + %T The time taken to serve the request, in seconds. -%u +%{UNIT}T + The time taken to serve the request, in a time unit given by + UNIT. Valid units are ms for milliseconds, + us for microseconds, and s for seconds. + Using s gives the same result as %T + without any format; using us gives the same result + as %D. Combining %T with a unit is + available in 2.2.30 and later. +%u Remote user (from auth; may be bogus if return status (%s) is 401) -%U +%U The URL path requested, not including any query string. -%v +%v The canonical ServerName of the server serving the request. -%V +%V The server name according to the UseCanonicalName setting. -%X +%X Connection status when response is completed: @@ -200,16 +226,16 @@

    (This directive was %c in late versions of Apache 1.3, but this conflicted with the historical ssl %{var}c syntax.)

    - + - + - + - +
    %I
    %I Bytes received, including request and headers, cannot be zero. You need to enable mod_logio to use this.
    %O
    %O Bytes sent, including headers, cannot be zero. You need to enable mod_logio to use this.
    %{VARNAME}^ti
    %{VARNAME}^ti The contents of VARNAME: trailer line(s) in the request sent to the server.
    %{VARNAME}^to
    %{VARNAME}^to The contents of VARNAME: trailer line(s) in the response sent from the server.
    @@ -291,6 +317,16 @@
    Agent (Browser) log format
    "%{User-agent}i"
    + +

    You can use the %{format}t directive multiple + times to build up a time format using the extended format tokens + like msec_frac:

    +
    +
    Timestamp including milliseconds
    +
    "%{%d/%b/%Y %T}t.%{msec_frac}t %{%z}t"
    + +
    +
    top
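Review bot: "These tokens can not be combined with each other" in the %{format}t row should read "cannot be combined", and "If the format starts with begin: (default) the time is taken at the beginning of the request processing" is clearer as "If the format starts with begin: (the default), the time is taken at the beginning of request processing." The new %{UNIT}T row lists ms, us and s as the valid units but does not say what happens with any other value; one clause stating whether an unknown unit is rejected at configuration time would close that gap. The added "Timestamp including milliseconds" example ("%{%d/%b/%Y %T}t.%{msec_frac}t %{%z}t") is a good illustration of the "use multiple %{format}t tokens" rule and could be referenced from the row that states it.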
    diff --git a/docs/manual/mod/mod_log_config.html.tr.utf8 b/docs/manual/mod/mod_log_config.html.tr.utf8 index 80dd3fa7032..96d2cfe3724 100644 --- a/docs/manual/mod/mod_log_config.html.tr.utf8 +++ b/docs/manual/mod/mod_log_config.html.tr.utf8 @@ -31,6 +31,7 @@  ko  |  tr 

    +
    Bu çeviri güncel olmayabilir. Son değişiklikler için İngilizce sürüm geçerlidir.
    diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en index d2aa5f60d14..3c746ce0ca6 100644 --- a/docs/manual/mod/mod_ssl.html.en +++ b/docs/manual/mod/mod_ssl.html.en @@ -91,6 +91,8 @@ to provide the cryptography engine.

  • SSLRequireSSL
  • SSLSessionCache
  • SSLSessionCacheTimeout
  • +
  • SSLSessionTicketKeyFile
  • +
  • SSLSessionTickets
  • SSLStrictSNIVHostCheck
  • SSLUserName
  • SSLVerifyClient
  • @@ -393,12 +395,48 @@ SSLCertificateChainFile /usr/local/apache2/conf/ssl.crt/ca.crt
    Açıklama:Sunucuya yapılan isteklerin günlük kayıtlarının tutulması
    Durum:Temel
    Compatibility:ECC support is available in Apache 2.2.26 and later

    -This directive points to the PEM-encoded Certificate file for the server and -optionally also to the corresponding RSA or DSA Private Key file for it -(contained in the same file). If the contained Private Key is encrypted the -Pass Phrase dialog is forced at startup time. This directive can be used up to -three times (referencing different filenames) when both a RSA, a DSA, and an -ECC based server certificate is used in parallel.

    +This directive points to a file with certificate data in PEM format. +At a minimum, the file must include an end-entity (leaf) certificate. +The directive can be used up to three times (referencing different filenames) +when an RSA, a DSA, and an ECC based server certificate is used in parallel. +

    + +

    +Custom DH parameters and an EC curve name for ephemeral keys, +can be added to end of the first file configured using +SSLCertificateFile. +This is supported in version 2.2.30 or later. +Such parameters can be generated using the commands +openssl dhparam and openssl ecparam. +The parameters can be added as-is to the end of the first +certificate file. Only the first file can be used for custom +parameters, as they are applied independently of the authentication +algorithm type. +

    + +

    +Finally the the end-entity certificate's private key can also be +added to the certificate file instead of using a separate +SSLCertificateKeyFile +directive. This practice is highly discouraged. If the private +key is encrypted, the pass phrase dialog is forced at startup time. +

    + +
    +

    DH parameter interoperability with primes > 1024 bit

    +

    +Beginning with version 2.2.30, mod_ssl makes use of +standardized DH parameters with prime lengths of 2048, 3072, 4096, 6144 and +8192 bits (from RFC 3526), +and hands them out to clients based on the length of the certificate's RSA/DSA +key. +With Java-based clients in particular (Java 7 or earlier), this may lead +to handshake failures - see this +FAQ answer for working around +such issues. +

    +
    +

    Example

    SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
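Review bot: "Finally the the end-entity certificate's private key" has a doubled "the", "can be added to end of the first file" is missing "the", and the comma in "an EC curve name for ephemeral keys, can be added" should go. Beyond the typos, the paragraph says custom parameters are applied "independently of the authentication algorithm type", while the DH note just below says mod_ssl hands out groups "based on the length of the certificate's RSA/DSA key"; it would help to say in one place that custom parameters in the first file override that length-based selection for every configured certificate (the ssl_faq hunk in this same change already says they "will always have precedence"), so readers do not infer that each certificate file gets its own group.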

    @@ -415,18 +453,22 @@ SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt Compatibility:ECC support is available in Apache 2.2.26 and later

    -This directive points to the PEM-encoded Private Key file for the -server. If the Private Key is not combined with the Certificate in the -SSLCertificateFile, use this additional directive to -point to the file with the stand-alone Private Key. When -SSLCertificateFile is used and the file -contains both the Certificate and the Private Key this directive need -not be used. But we strongly discourage this practice. Instead we -recommend you to separate the Certificate and the Private Key. If the -contained Private Key is encrypted, the Pass Phrase dialog is forced -at startup time. This directive can be used up to three times -(referencing different filenames) when both a RSA, a DSA, and an ECC based -private key is used in parallel.

    +This directive points to the PEM-encoded private key file for the +server. If the contained private key is encrypted, the pass phrase +dialog is forced at startup time.

    + +

    +The directive can be used up to three times (referencing different filenames) +when an RSA, a DSA, and an ECC based private key is used in parallel. For each +SSLCertificateKeyFile +directive, there must be a matching SSLCertificateFile +directive.

    + +

    +The private key may also be combined with the certificate in the file given by +SSLCertificateFile, but this practice +is highly discouraged.

    +

    Example

    SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key

    @@ -530,6 +572,15 @@ prefixes are:

  • -: remove cipher from list (can be added later again)
  • !: kill cipher from list completely (can not be added later again)
  • + +
    +

    aNULL, eNULL and EXP +ciphers are always disabled

    +

    Beginning with version 2.2.30, null and export-grade +ciphers are always disabled, as mod_ssl unconditionally prepends any supplied +cipher suite string with !aNULL:!eNULL:!EXP: at initialization.

    +
    +

    A simpler way to look at all of this is to use the ``openssl ciphers -v'' command which provides a nice way to successively create the correct cipher-spec string. The default cipher-spec string @@ -1812,6 +1863,65 @@ values like 300 in real life.

    SSLSessionCacheTimeout 600

    + +
    top
    +

    SSLSessionTicketKeyFile Directive

    + + + + + + + +
    Description:Persistent encryption/decryption key for TLS session tickets
    Syntax:SSLSessionTicketKeyFile file-path
    Context:server config, virtual host
    Status:Extension
    Module:mod_ssl
    Compatibility:Available in httpd 2.2.30 and later, if using OpenSSL 0.9.8h or later
    +

    Optionally configures a secret key for encrypting and decrypting +TLS session tickets, as defined in +RFC 5077. +Primarily suitable for clustered environments where TLS sessions information +should be shared between multiple nodes. For single-instance httpd setups, +it is recommended to not configure a ticket key file, but to +rely on (random) keys generated by mod_ssl at startup, instead.

    +

    The ticket key file must contain 48 bytes of random data, +preferrably created from a high-entropy source. On a Unix-based system, +a ticket key file can be created as follows:

    + +

    +dd if=/dev/random of=/path/to/file.tkey bs=1 count=48 +

    + +

    Ticket keys should be rotated (replaced) on a frequent basis, +as this is the only way to invalidate an existing session ticket - +OpenSSL currently doesn't allow to specify a limit for ticket lifetimes. +A new ticket key only gets used after restarting the web server. +All existing session tickets become invalid after a restart.

    + +
    +

    The ticket key file contains sensitive keying material and should +be protected with file permissions similar to those used for +SSLCertificateKeyFile.

    +
    + +
    +
    top
    +

    SSLSessionTickets Directive

    + + + + + + + + +
    Description:Enable or disable use of TLS session tickets
    Syntax:SSLSessionTickets on|off
    Default:SSLSessionTickets on
    Context:server config, virtual host
    Status:Extension
    Module:mod_ssl
    Compatibility:Available in httpd 2.2.30 and later, if using OpenSSL 0.9.8f +or later.
    +

    This directive allows to enable or disable the use of TLS session tickets +(RFC 5077).

    +
    +

    TLS session tickets are enabled by default. Using them without restarting +the web server with an appropriate frequency (e.g. daily) compromises perfect +forward secrecy.

    +
    +
    top

    SSLStrictSNIVHostCheck Directive
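Review bot: "All existing session tickets become invalid after a restart" in the SSLSessionTicketKeyFile description reads as unconditional, but it only holds when no key file is configured or when the file has been replaced; with an unchanged SSLSessionTicketKeyFile the same key is loaded again and existing tickets remain valid, which is what makes the persistent key useful for the clustered setups described two paragraphs earlier. Suggest "Unless an unchanged persistent key file is configured, all existing session tickets become invalid after a restart." Typos in the same hunk: "preferrably" should be "preferably", "TLS sessions information" should be "TLS session information", "doesn't allow to specify a limit" should be "doesn't allow specifying a limit", and in the SSLSessionTickets description "allows to enable or disable" should be "allows enabling or disabling". Since the text already asks for a high-entropy source, the dd example could add that /dev/random may block on hosts with little entropy, so the command can appear to hang rather than fail.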

    diff --git a/docs/manual/mod/mod_unique_id.html.en b/docs/manual/mod/mod_unique_id.html.en index 57aae96319d..f5ccc0ed29a 100644 --- a/docs/manual/mod/mod_unique_id.html.en +++ b/docs/manual/mod/mod_unique_id.html.en @@ -97,7 +97,10 @@ identifier for each request

    Given those assumptions, at a single point in time we can identify any httpd process on any machine in the cluster from all other httpd processes. The machine's IP address and the pid - of the httpd process are sufficient to do this. So in order to + of the httpd process are sufficient to do this. A httpd process + can handle multiple requests simultaneously if you use a + multi-threaded MPM. In order to identify threads, we use a thread + index Apache httpd uses internally. So in order to generate unique identifiers for requests we need only distinguish between different points in time.

    @@ -167,11 +170,13 @@ identifier for each request even still, if you're running NTP then your UTC time will be correct very shortly after reboot.

    +

    The UNIQUE_ID environment variable is - constructed by encoding the 112-bit (32-bit IP address, 32 bit - pid, 32 bit time stamp, 16 bit counter) quadruple using the + constructed by encoding the 144-bit (32-bit IP address, 32 bit + pid, 32 bit time stamp, 16 bit counter, 32 bit thread index) + quadruple using the alphabet [A-Za-z0-9@-] in a manner similar to MIME - base64 encoding, producing 19 characters. The MIME base64 + base64 encoding, producing 24 characters. The MIME base64 alphabet is actually [A-Za-z0-9+/] however + and / need to be specially encoded in URLs, which makes them less desirable. All values are @@ -197,8 +202,7 @@ identifier for each request issuing the new encodings.

    This we believe is a relatively portable solution to this - problem. It can be extended to multithreaded systems like - Windows NT, and can grow with future needs. The identifiers + problem. The identifiers generated have essentially an infinite life-time because future identifiers can be made longer as required. Essentially no communication is required between machines in the cluster (only diff --git a/docs/manual/mod/quickreference.html.de b/docs/manual/mod/quickreference.html.de index 5012eb35e67..c55d1d19207 100644 --- a/docs/manual/mod/quickreference.html.de +++ b/docs/manual/mod/quickreference.html.de @@ -779,6 +779,8 @@ HTTP request Cache SSLSessionCacheTimeout seconds 300 svENumber of seconds before an SSL session expires in the Session Cache +SSLSessionTicketKeyFile file-pathsvEPersistent encryption/decryption key for TLS session tickets +SSLSessionTickets on|off on svEEnable or disable use of TLS session tickets SSLStrictSNIVHostCheck on|off off svEWhether to allow non SNI clients to access a name based virtual host. diff --git a/docs/manual/mod/quickreference.html.en b/docs/manual/mod/quickreference.html.en index f22ada24b44..81a1dd44256 100644 --- a/docs/manual/mod/quickreference.html.en +++ b/docs/manual/mod/quickreference.html.en @@ -762,6 +762,8 @@ HTTP request Cache SSLSessionCacheTimeout seconds 300 svENumber of seconds before an SSL session expires in the Session Cache +SSLSessionTicketKeyFile file-pathsvEPersistent encryption/decryption key for TLS session tickets +SSLSessionTickets on|off on svEEnable or disable use of TLS session tickets SSLStrictSNIVHostCheck on|off off svEWhether to allow non SNI clients to access a name based virtual host. diff --git a/docs/manual/mod/quickreference.html.es b/docs/manual/mod/quickreference.html.es index 56424d7b6e4..6a00bbb6920 100644 --- a/docs/manual/mod/quickreference.html.es +++ b/docs/manual/mod/quickreference.html.es 
@@ -769,6 +769,8 @@ HTTP request Cache SSLSessionCacheTimeout seconds 300 svENumber of seconds before an SSL session expires in the Session Cache +SSLSessionTicketKeyFile file-pathsvEPersistent encryption/decryption key for TLS session tickets +SSLSessionTickets on|off on svEEnable or disable use of TLS session tickets SSLStrictSNIVHostCheck on|off off svEWhether to allow non SNI clients to access a name based virtual host. diff --git a/docs/manual/mod/quickreference.html.ja.utf8 b/docs/manual/mod/quickreference.html.ja.utf8 index 744e39c4323..1d3d49ab63a 100644 --- a/docs/manual/mod/quickreference.html.ja.utf8 +++ b/docs/manual/mod/quickreference.html.ja.utf8 @@ -698,6 +698,8 @@ HTTP request Cache SSLSessionCacheTimeout seconds 300 svENumber of seconds before an SSL session expires in the Session Cache +SSLSessionTicketKeyFile file-pathsvEPersistent encryption/decryption key for TLS session tickets +SSLSessionTickets on|off on svEEnable or disable use of TLS session tickets SSLStrictSNIVHostCheck on|off off svEWhether to allow non SNI clients to access a name based virtual host. diff --git a/docs/manual/mod/quickreference.html.ko.euc-kr b/docs/manual/mod/quickreference.html.ko.euc-kr index 4d1aae6dc17..072ead85b2b 100644 --- a/docs/manual/mod/quickreference.html.ko.euc-kr +++ b/docs/manual/mod/quickreference.html.ko.euc-kr @@ -712,6 +712,8 @@ HTTP request Cache SSLSessionCacheTimeout seconds 300 svENumber of seconds before an SSL session expires in the Session Cache +SSLSessionTicketKeyFile file-pathsvEPersistent encryption/decryption key for TLS session tickets +SSLSessionTickets on|off on svEEnable or disable use of TLS session tickets SSLStrictSNIVHostCheck on|off off svEWhether to allow non SNI clients to access a name based virtual host. diff --git a/docs/manual/mod/quickreference.html.ru.koi8-r b/docs/manual/mod/quickreference.html.ru.koi8-r index fad09e249c4..3f23f63c4d7 100644 --- a/docs/manual/mod/quickreference.html.ru.koi8-r 
+++ b/docs/manual/mod/quickreference.html.ru.koi8-r @@ -767,6 +767,8 @@ HTTP request Cache SSLSessionCacheTimeout seconds 300 svENumber of seconds before an SSL session expires in the Session Cache +SSLSessionTicketKeyFile file-pathsvEPersistent encryption/decryption key for TLS session tickets +SSLSessionTickets on|off on svEEnable or disable use of TLS session tickets SSLStrictSNIVHostCheck on|off off svEWhether to allow non SNI clients to access a name based virtual host. diff --git a/docs/manual/mod/quickreference.html.tr.utf8 b/docs/manual/mod/quickreference.html.tr.utf8 index 0ff45803f16..831ec9be354 100644 --- a/docs/manual/mod/quickreference.html.tr.utf8 +++ b/docs/manual/mod/quickreference.html.tr.utf8 @@ -772,6 +772,8 @@ HTTP request Cache SSLSessionCacheTimeout seconds 300 skENumber of seconds before an SSL session expires in the Session Cache +SSLSessionTicketKeyFile file-pathskEPersistent encryption/decryption key for TLS session tickets +SSLSessionTickets on|off on skEEnable or disable use of TLS session tickets SSLStrictSNIVHostCheck on|off off skEWhether to allow non SNI clients to access a name based virtual host. diff --git a/docs/manual/mod/quickreference.html.zh-cn.utf8 b/docs/manual/mod/quickreference.html.zh-cn.utf8 index 2401ec08c27..4b6a50ebf5b 100644 --- a/docs/manual/mod/quickreference.html.zh-cn.utf8 +++ b/docs/manual/mod/quickreference.html.zh-cn.utf8 @@ -757,6 +757,8 @@ HTTP request Cache SSLSessionCacheTimeout seconds 300 svENumber of seconds before an SSL session expires in the Session Cache +SSLSessionTicketKeyFile file-pathsvEPersistent encryption/decryption key for TLS session tickets +SSLSessionTickets on|off on svEEnable or disable use of TLS session tickets SSLStrictSNIVHostCheck on|off off svEWhether to allow non SNI clients to access a name based virtual host. diff --git a/docs/manual/ssl/ssl_faq.html.en b/docs/manual/ssl/ssl_faq.html.en index 01cc8abdbb4..9df28028d90 100644 --- a/docs/manual/ssl/ssl_faq.html.en 
+++ b/docs/manual/ssl/ssl_faq.html.en @@ -677,6 +677,7 @@ HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer

  • Why do I get I/O errors, or the message "Netscape has encountered bad data from the server", when connecting via HTTPS to an Apache+mod_ssl server with Netscape Navigator?
  • +
  • Why do I get handshake failures with Java-based clients when using a certificate with more than 1024 bits?
  • Why do I get lots of random SSL protocol @@ -920,6 +921,40 @@ HTTPS to an Apache+mod_ssl server with Netscape Navigator?

    implementation is correct, so when you encounter I/O errors with Netscape Navigator it is usually caused by the configured certificates.

    + +

    Why do I get handshake failures with Java-based clients when using a certificate with more than 1024 bits?

    +

    Beginning with version 2.2.30, + mod_ssl will use DH parameters which include primes + with lengths of more than 1024 bits. Java 7 and earlier limit their + support for DH prime sizes to a maximum of 1024 bits, however.

    + +

    If your Java-based client aborts with exceptions such as + java.lang.RuntimeException: Could not generate DH keypair and + java.security.InvalidAlgorithmParameterException: Prime size must be + multiple of 64, and can only range from 512 to 1024 (inclusive), + and httpd logs tlsv1 alert internal error (SSL alert number 80) + (at LogLevel info + or higher), you can either rearrange mod_ssl's cipher list with + SSLCipherSuite + (possibly in conjunction with SSLHonorCipherOrder), + or you can use custom DH parameters with a 1024-bit prime, which + will always have precedence over any of the built-in DH parameters.

    + +

    To generate custom DH parameters, use the openssl dhparam 1024 + command. Alternatively, you can use the following standard 1024-bit DH + parameters from RFC 2409, + section 6.2:

    +
    -----BEGIN DH PARAMETERS-----
    +MIGHAoGBAP//////////yQ/aoiFowjTExmKLgNwc0SkCTgiKZ8x0Agu+pjsTmyJR
    +Sgh5jjQE3e+VGbPNOkMbMCsKbfJfFDdP4TVtbVHCReSFtXZiXn7G9ExC6aY37WsL
    +/1y29Aa37e44a/taiZ+lrp8kEXxLH+ZJKGZR7OZTgf//////////AgEC
    +-----END DH PARAMETERS-----
    +

    Add the custom parameters including the "BEGIN DH PARAMETERS" and + "END DH PARAMETERS" lines to the end of the first certificate file + you have configured using the + SSLCertificateFile directive.

    + +
    top

    mod_ssl Support
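Review bot: The FAQ answer tells users to fall back to a 1024-bit DH group for Java 7 compatibility but does not say that this applies to every client of that server, not only the Java ones, because the custom parameters appended to the first SSLCertificateFile are applied regardless of certificate type and take precedence over the 2048-bit and larger RFC 3526 groups that 2.2.30 otherwise uses. One sentence stating that tradeoff, and that the SSLCipherSuite/SSLHonorCipherOrder route is preferable where it works, would keep readers from adopting the weaker group by default. The question title also refers to "a certificate with more than 1024 bits", while the body explains that the trigger is the DH prime length mod_ssl selects from the key length; wording such as "when the server uses DH parameters larger than 1024 bits" would avoid suggesting the certificate itself is at fault.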
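Review bot: In the mod_unique_id.html.en hunk, "the 144-bit (32-bit IP address, 32 bit pid, 32 bit time stamp, 16 bit counter, 32 bit thread index) quadruple" now lists five fields, so "quadruple" should become "tuple" (or "quintuple"); the arithmetic itself is right (32+32+32+16+32 = 144 bits, and 144/6 = 24 characters in the six-bit alphabet). "A httpd process can handle multiple requests simultaneously" should read "An httpd process", and "a thread index Apache httpd uses internally" would benefit from a short statement that the index is unique among the threads of one process, since that is the property the uniqueness argument relies on.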