From d78c998c6a23a703722fefbf74b7a26537032925 Mon Sep 17 00:00:00 2001 From: Rich Bowen Date: Thu, 25 Jul 2002 21:46:42 +0000 Subject: [PATCH] Patch submitted by David Shane Holden to make docs valid xhtml. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@96194 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/bind.html.en | 2 +- docs/manual/cgi_path.html.en | 2 +- docs/manual/configuring.html.en | 199 +--- docs/manual/content-negotiation.html.en | 4 +- docs/manual/custom-error.html.en | 2 +- docs/manual/developer/API.html | 2 +- docs/manual/developer/debugging.html | 2 +- docs/manual/developer/documenting.html | 5 +- docs/manual/developer/footer.html | 2 +- docs/manual/developer/header.html | 2 +- docs/manual/developer/modules.html.en | 2 +- docs/manual/dns-caveats.html | 6 +- docs/manual/ebcdic.html | 180 +-- docs/manual/faq/footer.html | 2 +- docs/manual/faq/header.html | 2 +- docs/manual/faq/index.html | 2 +- docs/manual/faq/support.html | 3 +- docs/manual/filter.html.en | 2 +- docs/manual/footer.html | 2 +- docs/manual/glossary.html | 16 +- docs/manual/handler.html.en | 2 +- docs/manual/header.html | 2 +- docs/manual/howto/cgi.html.en | 2 +- docs/manual/howto/footer.html | 2 +- docs/manual/howto/header.html | 2 +- docs/manual/howto/ssi.html.en | 6 +- docs/manual/install.html.en | 2 +- docs/manual/invoking.html.en | 2 +- docs/manual/misc/custom_errordocs.html | 2 +- docs/manual/misc/descriptors.html | 5 +- docs/manual/misc/fin_wait_2.html | 4 +- docs/manual/misc/footer.html | 2 +- docs/manual/misc/header.html | 2 +- docs/manual/misc/index.html | 2 +- docs/manual/misc/known_client_problems.html | 4 +- docs/manual/misc/perf-tuning.html | 16 +- docs/manual/misc/rewriteguide.html | 2 +- docs/manual/misc/security_tips.html | 4 +- docs/manual/misc/tutorials.html | 6 +- docs/manual/mod/directive-dict.html.en | 2 +- docs/manual/mod/footer.html | 2 +- docs/manual/mod/header.html | 2 +- docs/manual/new_features_2_0.html.en | 2 +- docs/manual/platform/netware.html | 8 +- docs/manual/platform/perf-hp.html | 4 +- docs/manual/platform/win_service.html | 2 +- docs/manual/platform/windows.html | 2 +- docs/manual/programs/footer.html | 2 +- docs/manual/programs/header.html | 2 +- docs/manual/programs/index.html | 2 +- docs/manual/programs/other.html | 2 +- docs/manual/sections.html.en | 2 +- docs/manual/ssl/footer.html | 2 +- docs/manual/ssl/header.html | 2 +- docs/manual/ssl/index.html.en | 4 +- docs/manual/ssl/ssl_compat.html | 278 +++-- docs/manual/ssl/ssl_faq.html | 1099 +++++++++---------- docs/manual/ssl/ssl_glossary.html | 203 +++- docs/manual/ssl/ssl_howto.html | 1059 +++++++++--------- docs/manual/ssl/ssl_intro.html | 569 +++++----- docs/manual/stopping.html.en | 5 +- docs/manual/suexec.html.en | 62 +- docs/manual/upgrading.html.en | 2 +- docs/manual/vhosts/details.html | 2 +- docs/manual/vhosts/examples.html | 4 +- docs/manual/vhosts/fd-limits.html.en | 4 +- docs/manual/vhosts/footer.html | 2 +- docs/manual/vhosts/header.html | 2 +- docs/manual/vhosts/index.html.en | 4 +- docs/manual/vhosts/ip-based.html | 2 +- docs/manual/vhosts/mass.html | 2 +- docs/manual/vhosts/name-based.html.en | 6 +- 72 files changed, 1918 insertions(+), 1937 deletions(-) diff --git a/docs/manual/bind.html.en b/docs/manual/bind.html.en index a52d8ee3d0a..ba3cdf93a13 100644 --- a/docs/manual/bind.html.en +++ b/docs/manual/bind.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> -

Setting which addresses and ports Apache +

Setting which addresses and ports Apache uses

When Apache starts, it connects to some port and address on diff --git a/docs/manual/cgi_path.html.en b/docs/manual/cgi_path.html.en index 4ed74ade20a..b019173b90d 100644 --- a/docs/manual/cgi_path.html.en +++ b/docs/manual/cgi_path.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> -

PATH_INFO Changes in the CGI +

PATH_INFO Changes in the CGI Environment

diff --git a/docs/manual/configuring.html.en b/docs/manual/configuring.html.en index f0b3e2e47fc..2d03fd5af81 100644 --- a/docs/manual/configuring.html.en +++ b/docs/manual/configuring.html.en @@ -1,62 +1,21 @@ - - - - - - - Configuration Files - - - - - - -

Configuration Files

- - -
- -

Main Configuration Files

- - - - - - - -
Related Modules
-
- mod_mime
- 		Related Directives
-
- <IfDefine>
- Include
- TypesConfig
-
- -

Apache is configured by placing directives in plain text +Configuration Files- Apache HTTP Server

[APACHE DOCUMENTATION]

Apache HTTP Server Version 2.0

Apache Module + Configuration Files

+

This document describes the files used to configure the Apache +HTTP server.

+

Main Configuration Files

+ +
Related Modules

mod_mime
Related Directives

<IfDefine>
Include
TypesConfig
+ +

Apache is configured by placing directives in plain text configuration files. The main configuration file is usually called httpd.conf. The location of this file is set at compile-time, but may be overridden with the -f command line flag. In addition, other - configuration files may be added using the Include directive. Any + configuration files may be added using the Include directive. Any directive may be placed in any of these configuration files. Changes to the main configuration files are only recognized by Apache when it is started or restarted.

@@ -72,13 +31,10 @@ makes automating such processes much easier.

The server also reads a file containing mime document types; - the filename is set by the TypesConfig directive, + the filename is set by the TypesConfig directive, and is mime.types by default.

-
- -

Syntax of the Configuration - Files

+

Syntax of the Configuration Files

+

Apache configuration files contain one directive per line. The back-slash "\" may be used as the last character on a line @@ -98,83 +54,35 @@ without starting the server by using apachectl configtest or the -t command line option.

-
- -

Modules

- - - - - - - -
Related Modules
-
- mod_so
- 		Related Directives
-
- AddModule
- ClearModuleList
- <IfModule>
- LoadModule
-
+

Modules

+ + +
Related Modules

mod_so
Related Directives

AddModule
ClearModuleList
<IfModule>
LoadModule

Apache is a modular server. This implies that only the most basic functionality is included in the core server. Extended - features are available through modules which can be loaded - into Apache. By default, a base set of modules is + features are available through modules which can be loaded + into Apache. By default, a base set of modules is included in the server at compile-time. If the server is compiled to use dynamically loaded modules, then modules can be compiled separately and added at - any time using the LoadModule directive. + any time using the LoadModule + directive. Otherwise, Apache must be recompiled to add or remove modules. Configuration directives may be included conditional on a - presence of a particular module by enclosing them in an <IfModule> block.

+ presence of a particular module by enclosing them in an<IfModule> block.

To see which modules are currently compiled into the server, you can use the -l command line option.

-
- -

Scope of Directives

- - - - - -
Related Directives
-
- <Directory>
- <DirectoryMatch>
- <Files>
- <FilesMatch>
- <Location>
- <LocationMatch>
- <VirtualHost>
-
+

Scope of Directives

+ + +
Related Modules

Related Directives

<Directory>
<DirectoryMatch>
<Files>
<FilesMatch>
<Location>
<LocationMatch>
<VirtualHost>

Directives placed in the main configuration files apply to the entire server. If you wish to change the configuration for only a part of the server, you can scope your directives by - placing them in <Directory>, <DirectoryMatch>, - <Files>, <FilesMatch>, <Location>, and - <LocationMatch> + placing them in <Directory>, <DirectoryMatch>, <Files>, <FilesMatch>, <Location>, and <LocationMatch> sections. These sections limit the application of the directives which they enclose to particular filesystem locations or URLs. They can also be nested, allowing for very @@ -183,8 +91,7 @@

Apache has the capability to serve many different websites simultaneously. This is called Virtual Hosting. Directives can also be scoped by placing them - inside <VirtualHost> + inside <VirtualHost> sections, so that they will only apply to requests for a particular website.

@@ -192,32 +99,18 @@ sections, some directives do not make sense in some contexts. For example, directives controlling process creation can only be placed in the main server context. To find which directives - can be placed in which sections, check the Context of the - directive. For further information, we provide details on How Directory, Location and Files sections + can be placed in which sections, check the Context of the + directive. For further information, we provide details on How Directory, Location and Files sections work.

-
- -

.htaccess Files

- - - - - -
Related Directives
-
- AccessFileName
- AllowOverride
-
+

.htaccess Files

+ + +
Related Modules

Related Directives

AccessFileName
AllowOverride

Apache allows for decentralized management of configuration via special files placed inside the web tree. The special files are usually called .htaccess, but any name can be - specified in the AccessFileName + specified in the AccessFileName directive. Directives placed in .htaccess files apply to the directory where you place the file, and all sub-directories. The .htaccess files follow the @@ -226,19 +119,13 @@ made in these files take immediate effect.

To find which directives can be placed in - .htaccess files, check the Context of the + .htaccess files, check the Context of the directive. The server administrator further controls what directives may be placed in .htaccess files by - configuring the AllowOverride + configuring the AllowOverride directive in the main configuration files.

For more information on .htaccess files, see - Ken Coar's tutorial on + Ken Coar's tutorial on Using .htaccess Files with Apache.

- - - - +

Apache HTTP Server Version 2.0

IndexHome \ No newline at end of file diff --git a/docs/manual/content-negotiation.html.en b/docs/manual/content-negotiation.html.en index 0f4e03ce317..8466779bb53 100644 --- a/docs/manual/content-negotiation.html.en +++ b/docs/manual/content-negotiation.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> -

Content Negotiation

+

Content Negotiation

Apache's supports content negotiation as described in the HTTP/1.1 specification. It can choose the best @@ -606,7 +606,7 @@ CacheNegotiatedDocs can be used to allow caching of responses which were subject to negotiation. This directive can be given in the server config or virtual host, and takes no - arguments. It has no effect on requests from HTTP/1.1 clients. + arguments. It has no effect on requests from HTTP/1.1 clients.

More Information

diff --git a/docs/manual/custom-error.html.en b/docs/manual/custom-error.html.en index 3cbb5704364..2a4741d3219 100644 --- a/docs/manual/custom-error.html.en +++ b/docs/manual/custom-error.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> -

Custom error responses

+

Custom error responses

Purpose
diff --git a/docs/manual/developer/API.html b/docs/manual/developer/API.html index 2c0a4ad8cc6..1d39165b8fb 100644 --- a/docs/manual/developer/API.html +++ b/docs/manual/developer/API.html @@ -20,7 +20,7 @@ relevant, but please use it with care. -

Apache API notes

+

Apache API notes

These are some notes on the Apache API and the data structures you have to deal with, etc. They are not yet nearly complete, but hopefully, they will help you get your bearings. diff --git a/docs/manual/developer/debugging.html b/docs/manual/developer/debugging.html index 79594dfbe57..b76522d4b94 100644 --- a/docs/manual/developer/debugging.html +++ b/docs/manual/developer/debugging.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> -

Debugging Memory Allocation in APR
+

Debugging Memory Allocation in APR

The allocation mechanism's within APR have a number of diff --git a/docs/manual/developer/documenting.html b/docs/manual/developer/documenting.html index a342a62afe5..77199bcddc8 100644 --- a/docs/manual/developer/documenting.html +++ b/docs/manual/developer/documenting.html @@ -61,13 +61,12 @@ At the top of the header file, always include: * @package Name of library header */ -

 

+
 ScanDoc uses a new html file for each package.  The html files are named
    {Name_of_library_header}.html, so try to be concise with your names.
- 
-
 

+  
   
 
 
diff --git a/docs/manual/developer/footer.html b/docs/manual/developer/footer.html
index 965ff02cf89..03ee28e6bd5 100644
--- a/docs/manual/developer/footer.html
+++ b/docs/manual/developer/footer.html
@@ -1,6 +1,6 @@
     

 
-    
Apache HTTP Server Version 2.0

+    
Apache HTTP Server Version 2.0

     Index
     Home
 
diff --git a/docs/manual/developer/header.html b/docs/manual/developer/header.html
index 749461de9e0..78b9744837e 100644
--- a/docs/manual/developer/header.html
+++ b/docs/manual/developer/header.html
@@ -1,4 +1,4 @@
-    

+    

       [APACHE DOCUMENTATION] 
 
       
Apache HTTP Server Version 2.0

diff --git a/docs/manual/developer/modules.html.en b/docs/manual/developer/modules.html.en
index 259e27defe7..f4934c9cae8 100644
--- a/docs/manual/developer/modules.html.en
+++ b/docs/manual/developer/modules.html.en
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
From Apache 1.3 to Apache 2.0

+    
From Apache 1.3 to Apache 2.0

      Modules

 
     
This is a first attempt at writing the lessons I learned
diff --git a/docs/manual/dns-caveats.html b/docs/manual/dns-caveats.html
index a68c8c5a7e3..4e771abdf9f 100644
--- a/docs/manual/dns-caveats.html
+++ b/docs/manual/dns-caveats.html
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
Issues Regarding DNS and Apache

+    
Issues Regarding DNS and Apache

 
     
This page could be summarized with the statement: don't
     require Apache to use DNS for any parsing of the configuration
@@ -210,8 +210,8 @@
     a webserver has no requirement to do DNS lookups during
     configuration. But as of March 1997 these features have not
     been deployed widely enough to be put into use on critical
-    webservers. 
-    

+    webservers.

+    
   
 
 
diff --git a/docs/manual/ebcdic.html b/docs/manual/ebcdic.html
index 8936ec3a4ee..b543ab06dc6 100644
--- a/docs/manual/ebcdic.html
+++ b/docs/manual/ebcdic.html
@@ -20,7 +20,7 @@
       relevant, but please use it with care.
     
 
-    
Overview of the Apache EBCDIC Port

+    
Overview of the Apache EBCDIC Port

 
     
Version 1.3 of the Apache HTTP Server is the first version
     which includes a port to a (non-ASCII) mainframe machine which
@@ -52,7 +52,7 @@
     
This document serves as a rationale to describe some of the
     design decisions of the port to this machine.

 
-    
Design Goals

+    
Design Goals

 
     
One objective of the EBCDIC port was to maintain enough
     backwards compatibility with the (EBCDIC) CERN server to make
@@ -68,7 +68,7 @@
     problem by defining an "ebcdic-handler" for all documents which
     must be converted.

 
-    
Technical Solution

+    
Technical Solution

 
     
Since all Apache input and output is based upon the BUFF
     data type and its methods, the easiest solution was to add the
@@ -100,7 +100,7 @@
      

      
 
-    
Porting Notes

+    
Porting Notes

 
     
    
       
  1. 
@@ -242,9 +242,9 @@
      
    
      
 
-    
    Document Storage Notes
    
+    
    Document Storage Notes
    
 
-    
    Binary Files
    
+    
    Binary Files
    
 
     
    All files with a Content-Type: which does not
     start with text/ are regarded as binary
@@ -258,22 +258,22 @@
     rcp -b command from the mainframe host (the
     -b switch is not supported in unix rcp's).
    
 
-    
    Text Documents
    
+    
    Text Documents
    
 
     
    The default assumption of the server is that Text Files
     (i.e., all files whose Content-Type:
     starts with text/) are stored in the native
     character set of the host, EBCDIC.
    
 
-    
    Server Side Included Documents
    
+    
    Server Side Included Documents
    
 
     
    SSI documents must currently be stored in EBCDIC only. No
     provision is made to convert it from ASCII before
     processing.
    
 
-    
    Apache Modules' Status
    
+    
    Apache Modules' Status
    
 
-    
+    
    
 
@@ -283,318 +283,318 @@
       
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
-        
+        
 
-        
+        
    
       
    
         Module
    
 
       
    http_corehttp_core++
 
         
         
       
    
 
       
    mod_accessmod_access++
 
         
         
       
    
 
       
    mod_actionsmod_actions++
 
         
         
       
    
 
       
    mod_aliasmod_alias++
 
         
         
       
    
 
       
    mod_asismod_asis++
 
         
         
       
    
 
       
    mod_authmod_auth++
 
         
         
       
    
 
       
    mod_auth_anonmod_auth_anon++
 
         
         
       
    
 
       
    mod_auth_dbmmod_auth_dbm??
 
         with own libdb.a
       
    
 
       
    mod_autoindexmod_autoindex++
 
         
         
       
    
 
       
    mod_cern_metamod_cern_meta??
 
         
         
       
    
 
       
    mod_cgimod_cgi++
 
         
         
       
    
 
       
    mod_digestmod_digest++
 
         
         
       
    
 
       
    mod_dirmod_dir++
 
         
         
       
    
 
       
    mod_somod_so--
 
         no shared libs
       
    
 
       
    mod_envmod_env++
 
         
         
       
    
 
       
    mod_examplemod_example--
 
         (test bed only)
       
    
 
       
    mod_expiresmod_expires++
 
         
         
       
    
 
       
    mod_headersmod_headers++
 
         
         
       
    
 
       
    mod_imapmod_imap++
 
         
         
       
    
 
       
    mod_includemod_include++
 
         
         
       
    
 
       
    mod_infomod_info++
 
         
         
       
    
 
       
    mod_log_agentmod_log_agent++
 
         
         
       
    
 
       
    mod_log_configmod_log_config++
 
         
         
       
    
 
       
    mod_log_referermod_log_referer++
 
         
         
       
    
 
       
    mod_mimemod_mime++
 
         
         
       
    
 
       
    mod_mime_magicmod_mime_magic??
 
         not ported yet
       
    
 
       
    mod_negotiationmod_negotiation++
 
         
         
       
    
 
       
    mod_proxymod_proxy++
 
         
         
       
    
 
       
    mod_rewritemod_rewrite++
 
         untested
       
    
 
       
    mod_setenvifmod_setenvif++
 
         
         
       
    
 
       
    mod_spelingmod_speling++
 
         
         
       
    
 
       
    mod_statusmod_status++
 
         
         
       
    
 
       
    mod_unique_idmod_unique_id++
 
         
         
       
    
 
       
    mod_userdirmod_userdir++
 
         
         
       
    
 
       
    mod_usertrackmod_usertrack??
 
         untested
       
    
     
    
 
-    
    Third Party Modules' Status
    
+    
    Third Party Modules' Status
    
 
-    
+    
    
 
@@ -604,40 +604,40 @@
       
-        
 
-        
+        
-        
 
-        
+        
-        
 
-        
+        
-        
 
-        
+        
diff --git a/docs/manual/faq/footer.html b/docs/manual/faq/footer.html
index 54f6044a57e..bda0e28b8bd 100644
--- a/docs/manual/faq/footer.html
+++ b/docs/manual/faq/footer.html
@@ -1,6 +1,6 @@
     
    
 
-    
    Apache HTTP Server Version 2.0
    
+    
    Apache HTTP Server Version 2.0
    IndexHome
 
diff --git a/docs/manual/faq/header.html b/docs/manual/faq/header.html
index cbdcb995915..61d9a9121b7 100644
--- a/docs/manual/faq/header.html
+++ b/docs/manual/faq/header.html
@@ -1,4 +1,4 @@
-    
    
+    
    
       [APACHE DOCUMENTATION] 
 
       
    Apache HTTP Server Version 2.0
    
diff --git a/docs/manual/faq/index.html b/docs/manual/faq/index.html
index 5916e759689..0cf11788d09 100644
--- a/docs/manual/faq/index.html
+++ b/docs/manual/faq/index.html
@@ -17,7 +17,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
    Frequently Asked Questions
    
+    
    Frequently Asked Questions
    
 
     
    The latest version of this FAQ is always available from the
     main Apache web site, at <
     
 
-    
    Frequently Asked Questions
    
+    
    Frequently Asked Questions
    
     
 
     
    Support
    
@@ -111,6 +111,7 @@
           href="http://groups.google.com/groups?group=comp.infosystems.www.authoring.cgi">
           google]
         
+      
 
       
  2. 
         If all else fails, report the problem in the bug
diff --git a/docs/manual/filter.html.en b/docs/manual/filter.html.en
index 7c1b2b46de8..85c460ab381 100644
--- a/docs/manual/filter.html.en
+++ b/docs/manual/filter.html.en
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
    Filters
    
+    
    Filters
    
 
     
    3. 
       
    
         Module
    
 
       
    mod_jserv --
 
         JAVA still being ported.
       
    
 
       
    mod_php3
+        mod_php3
         ++
 
         mod_php3 runs fine, with LDAP and GD and FreeType
         libraries
       
    
 
       
    
         mod_put ??
 
         untested
       
    
 
       
    mod_session
         --
 
         untested
       
    
     
     
    
diff --git a/docs/manual/footer.html b/docs/manual/footer.html
index 48bfc2cbfbb..74b1ddf0f5d 100644
--- a/docs/manual/footer.html
+++ b/docs/manual/footer.html
@@ -1,6 +1,6 @@
     
    
 
-    
    Apache HTTP Server Version 2.0
    
+    
    Apache HTTP Server Version 2.0
    
     Index
 
 
diff --git a/docs/manual/glossary.html b/docs/manual/glossary.html
index 8a328768c81..90e0a03ff38 100644
--- a/docs/manual/glossary.html
+++ b/docs/manual/glossary.html
@@ -9,7 +9,7 @@
  
 
 
-
    Glossary
    
+
    Glossary
    
 
 
 
@@ -147,7 +147,7 @@ a network entity, consisting of a hostname and a domain name that can
 resolve to an IP address. For example, www is a hostname,
 whatever.com is a domain name, and
 www.whatever.com is a fully-qualified domain name.

    
+/>
    
 
 
    Handler
     
    An internal Apache
 representation of the action to be performed when a file is
@@ -238,7 +238,7 @@ href="ssl/">SSL/TLS Encryption

    
 
    The unencrypted text.

    
 
 
    Private Key
     
    The secret key in a
-Public Key Cryptography system,
+Public Key Cryptography system,
 used to decrypt incoming messages and sign outgoing ones.
    
 See: SSL/TLS Encryption

    
 
@@ -249,10 +249,10 @@ server, and then returns the response from the origin server to the
 client.  If several clients request the same content, the proxy
 can deliver that content from its cache, rather than requesting it
 from the origin server each time, thereby reducing response time.
    
-See: mod_proxy

    
+See: mod_proxy

    
 
 
    Public Key
     
    The publically
-available key in a Public Key
+available key in a Public Key
 Cryptography system, used to encrypt messages bound for its owner
 and to decrypt signatures made by its owner.
    
 See: SSL/TLS Encryption

    
@@ -279,7 +279,7 @@ Apache uses Perl Compatible Regular Expressions provided by the
 href="#proxy">proxy server that appears to the client as if it is
 an origin server.  This is useful to hide the real origin
 server from the client for security reasons, or to load balance.

    
+/>
    
 
 
    Secure Sockets Layer (SSL)
     
    A protocol created by Netscape
@@ -341,11 +341,11 @@ documentation

    
 
 
    X.509
     
    An authentication certificate
 scheme recommended by the International Telecommunication Union
-(ITU-T) which is used for SSL/TLS authentication.
     See:  See: SSL/TLS Encryption

    
 
 
 
-
     
    
+
   
 
\ No newline at end of file
diff --git a/docs/manual/handler.html.en b/docs/manual/handler.html.en
index 8545b0da268..f937095dcd7 100644
--- a/docs/manual/handler.html.en
+++ b/docs/manual/handler.html.en
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
    Apache's Handler Use
    
+    
    Apache's Handler Use
    
 
     
      
       
    • What is a Handler
      • 
diff --git a/docs/manual/header.html b/docs/manual/header.html
index 040cd98d4cc..579bb14f8fa 100644
--- a/docs/manual/header.html
+++ b/docs/manual/header.html
@@ -1,4 +1,4 @@
-    
      
+    
      
       [APACHE DOCUMENTATION] 
 
       
      Apache HTTP Server Version 2.0
      
diff --git a/docs/manual/howto/cgi.html.en b/docs/manual/howto/cgi.html.en
index 8d80d532d5e..8322e0ed0a3 100644
--- a/docs/manual/howto/cgi.html.en
+++ b/docs/manual/howto/cgi.html.en
@@ -14,7 +14,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
      Dynamic Content with CGI
      
+    
      Dynamic Content with CGI
      
      
      
 
diff --git a/docs/manual/howto/footer.html b/docs/manual/howto/footer.html
index 965ff02cf89..03ee28e6bd5 100644
--- a/docs/manual/howto/footer.html
+++ b/docs/manual/howto/footer.html
@@ -1,6 +1,6 @@
     
      
 
-    
      Apache HTTP Server Version 2.0
      
+    
      Apache HTTP Server Version 2.0
      
     Index
     Home
 
diff --git a/docs/manual/howto/header.html b/docs/manual/howto/header.html
index 749461de9e0..78b9744837e 100644
--- a/docs/manual/howto/header.html
+++ b/docs/manual/howto/header.html
@@ -1,4 +1,4 @@
-    
      
+    
      
       [APACHE DOCUMENTATION] 
 
       
      Apache HTTP Server Version 2.0
      
diff --git a/docs/manual/howto/ssi.html.en b/docs/manual/howto/ssi.html.en
index 90e82d1fba2..e80a2a29886 100644
--- a/docs/manual/howto/ssi.html.en
+++ b/docs/manual/howto/ssi.html.en
@@ -15,7 +15,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
      Apache Tutorial: Introduction to Server Side
+    
      Apache Tutorial: Introduction to Server Side
     Includes
      
      
      
@@ -34,7 +34,7 @@
         Basic SSI directives 
 
         
        
-          
      • Today's date
        • 
+          
      • Today's date
        • 
 
           
      • Modification
           date of the file
        • 
@@ -237,7 +237,7 @@
     series. For now, here are some examples of what you can do with
     SSI
        
 
-    
        Today's
+    
        Today's
     date
        
 
                 <!--#echo var="DATE_LOCAL" -->
diff --git a/docs/manual/install.html.en b/docs/manual/install.html.en
index 7495c5aeb68..be9eaaf4ae4 100644
--- a/docs/manual/install.html.en
+++ b/docs/manual/install.html.en
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
        Compiling and Installing
        
+    
        Compiling and Installing
        
 
     
        This document covers compilation and installation of Apache
     on Unix and Unix-like systems only. For compiling and
diff --git a/docs/manual/invoking.html.en b/docs/manual/invoking.html.en
index a9c625551f8..3ab8d7f4734 100644
--- a/docs/manual/invoking.html.en
+++ b/docs/manual/invoking.html.en
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
        Starting Apache
        
+    
        Starting Apache
        
 
     
          
       
        • Starting Apache on Windows
          • 
diff --git a/docs/manual/misc/custom_errordocs.html b/docs/manual/misc/custom_errordocs.html
index 2623a973316..6a426a76f22 100644
--- a/docs/manual/misc/custom_errordocs.html
+++ b/docs/manual/misc/custom_errordocs.html
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
          Using XSSI and ErrorDocument to
+    
          Using XSSI and ErrorDocument to
     configure customized international server error responses
          
 
     
          Index
          
diff --git a/docs/manual/misc/descriptors.html b/docs/manual/misc/descriptors.html
index 6f8485c09c1..75aaedf8748 100644
--- a/docs/manual/misc/descriptors.html
+++ b/docs/manual/misc/descriptors.html
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
          Descriptors and Apache
          
+    
          Descriptors and Apache
          
 
     
          A descriptor, also commonly called a file
     handle is an object that a program uses to read or write
@@ -189,9 +189,8 @@
     you problems, you can disable it. Add -DNO_SLACK
     to EXTRA_CFLAGS and rebuild. But please report it
     to our Bug
-    Report Page so that we can investigate. 
+    Report Page so that we can investigate. 
          
     
-    
          
   
 
 
diff --git a/docs/manual/misc/fin_wait_2.html b/docs/manual/misc/fin_wait_2.html
index 5b3276e58a3..413bab55719 100644
--- a/docs/manual/misc/fin_wait_2.html
+++ b/docs/manual/misc/fin_wait_2.html
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
          Connections in the FIN_WAIT_2 state and
+    
          Connections in the FIN_WAIT_2 state and
     Apache
          
 
     
            
@@ -248,7 +248,7 @@
         patch available for adding a timeout to the FIN_WAIT_2
         state; it was originally intended for BSD/OS, but should be
         adaptable to most systems using BSD networking code. You
-        need kernel source code to be able to use it. 
+        need kernel source code to be able to use it. 
            
 
         
            Compile without using
         lingering_close()
            
diff --git a/docs/manual/misc/footer.html b/docs/manual/misc/footer.html
index 24e2703091e..5ee7eec68a6 100644
--- a/docs/manual/misc/footer.html
+++ b/docs/manual/misc/footer.html
@@ -1,5 +1,5 @@
     
            
 
-    
            Apache HTTP Server Version 2.0
            
+    
            Apache HTTP Server Version 2.0
            
     Index
     Home
diff --git a/docs/manual/misc/header.html b/docs/manual/misc/header.html
index 749461de9e0..78b9744837e 100644
--- a/docs/manual/misc/header.html
+++ b/docs/manual/misc/header.html
@@ -1,4 +1,4 @@
-    
            
+    
            
       [APACHE DOCUMENTATION] 
 
       
            Apache HTTP Server Version 2.0
            
diff --git a/docs/manual/misc/index.html b/docs/manual/misc/index.html
index 8e05abcea41..eb40b5996f7 100644
--- a/docs/manual/misc/index.html
+++ b/docs/manual/misc/index.html
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
            Apache Miscellaneous Documentation
            
+    
            Apache Miscellaneous Documentation
            
 
     
            Below is a list of additional documentation pages that apply
     to the Apache web server development project.
            
diff --git a/docs/manual/misc/known_client_problems.html b/docs/manual/misc/known_client_problems.html
index 54643ef69ab..1896aeabbe6 100644
--- a/docs/manual/misc/known_client_problems.html
+++ b/docs/manual/misc/known_client_problems.html
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
            Known Problems in Clients
            
+    
            Known Problems in Clients
            
 
     
            Over time the Apache Group has discovered or been notified
     of problems with various clients which we have had to work
@@ -149,7 +149,7 @@
     href="http://www.apache.org/dist/httpd/patches/apply_to_1.2.1/msie_4_0b2_fixes.patch">
     patch against 1.2.1. 
 
-    
            Boundary problems with
+    
            Boundary problems with
     header parsing
            
 
     
            All versions of Navigator from 2.0 through 4.0b2 (and
diff --git a/docs/manual/misc/perf-tuning.html b/docs/manual/misc/perf-tuning.html
index fbe23faef18..586486e8486 100644
--- a/docs/manual/misc/perf-tuning.html
+++ b/docs/manual/misc/perf-tuning.html
@@ -706,7 +706,7 @@ DirectoryIndex index.cgi index.pl index.shtml index.html
     
            Here is a system call trace of Apache 2.0.38 with the worker MPM
     on Solaris 8.  This trace was collected using:
            
 
            
-truss -l -p httpd_child_pid.
+truss -l -p httpd_child_pid.
 
            
     
            The -l option tells truss to log the ID of the
     LWP (lightweight process--Solaris's form of kernel-level thread)
@@ -719,13 +719,14 @@ DirectoryIndex index.cgi index.pl index.shtml index.html
     
            In this trace, a client has requested a 10KB static file
     from the httpd.  Traces of non-static requests or requests
     with content negotiation look wildly different (and quite ugly
-    in some cases).
+    in some cases).
            
 
-    
            
+
            
 
             /67:    accept(3, 0x00200BEC, 0x00200C0C, 1) (sleeping...)
 /67:    accept(3, 0x00200BEC, 0x00200C0C, 1)            = 9
 
            
+
            
 
            
 
            In this trace, the listener thread is running within LWP #67.
            
 
            Note the lack of accept(2) serialization.  On this particular
@@ -763,7 +764,7 @@ custom memory allocators (apr_pool and
 apr_bucket_alloc) for most request processing.
 In this trace, the httpd has just been started, so it must
 call malloc(3) to get the blocks of raw memory with which
-to create the custom memory allocators.
+to create the custom memory allocators.
            
 
            
 
             /65:    fcntl(9, F_GETFL, 0x00000000)                   = 2
@@ -795,7 +796,7 @@ and AllowOverride None.  Thus it doesn't need to lstat(2)
 each directory in the path leading up to the requested file, nor
 check for .htaccess files.  It simply calls stat(2) to
 verify that the file: 1) exists, and 2) is a regular file, not a
-directory.
+directory.
            
 
            
 
             /65:    sendfilev(0, 9, 0x00200F90, 2, 0xFAF7B53C)      = 10269
@@ -836,7 +837,7 @@ as much overhead as a typical system call.
            
 and blocks until the listener assigns it another connection.
            
 
 
            -/67:    accept(3, 0x001FEB74, 0x001FEB94, 1) (sleeping...)
            
+/67:    accept(3, 0x001FEB74, 0x001FEB94, 1) (sleeping...)
 
            
 
            
 
            Meanwhile, the listener thread is able to accept another connection
@@ -847,8 +848,7 @@ this trace, the next accept(2) can (and usually does, under high load
 conditions) occur in parallel with the worker thread's handling of the
 just-accepted connection.
            
 
            
-    
-
+    
   
 
 
diff --git a/docs/manual/misc/rewriteguide.html b/docs/manual/misc/rewriteguide.html
index 7ad778f62a9..8079c2b88e8 100644
--- a/docs/manual/misc/rewriteguide.html
+++ b/docs/manual/misc/rewriteguide.html
@@ -14,7 +14,7 @@
     
            
       
 
-      
            
+      
            
         
            Apache 1.3
            
          URL Rewriting Guide
            
         
            
diff --git a/docs/manual/misc/security_tips.html b/docs/manual/misc/security_tips.html
index 26a47fbfa10..1223afcb11f 100644
--- a/docs/manual/misc/security_tips.html
+++ b/docs/manual/misc/security_tips.html
@@ -12,7 +12,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
            Security Tips for Server Configuration
            
+    
            Security Tips for Server Configuration
            
 
     
              
       
            • Permissions on ServerRoot
@@ -342,7 +342,7 @@
     href="http://httpd.apache.org/bug_report.html">please let us
     know.
              
 
-    
              
+    
   
 
 
diff --git a/docs/manual/misc/tutorials.html b/docs/manual/misc/tutorials.html
index 17f488a676f..020c760ec06 100644
--- a/docs/manual/misc/tutorials.html
+++ b/docs/manual/misc/tutorials.html
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
              Apache Tutorials
              
+    
              Apache Tutorials
              
 
     
              
       Warning: This document has not been updated
@@ -204,8 +204,8 @@
     
              If you have a pointer to an accurate and well-written
     tutorial not included here, please let us know by submitting it
     to the Apache Bug
-    Database. 
-    
              
+    Database. 
              
+    
   
 
 
diff --git a/docs/manual/mod/directive-dict.html.en b/docs/manual/mod/directive-dict.html.en
index deedf08aca0..1f539b1b285 100644
--- a/docs/manual/mod/directive-dict.html.en
+++ b/docs/manual/mod/directive-dict.html.en
@@ -14,7 +14,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
              Terms Used to Describe Apache
+    
              Terms Used to Describe Apache
     Directives
              
 
     
              Each Apache configuration directive is described using a
diff --git a/docs/manual/mod/footer.html b/docs/manual/mod/footer.html
index 54f6044a57e..bda0e28b8bd 100644
--- a/docs/manual/mod/footer.html
+++ b/docs/manual/mod/footer.html
@@ -1,6 +1,6 @@
     
              
 
-    
              Apache HTTP Server Version 2.0
              
+    
              Apache HTTP Server Version 2.0
              
     Index
     Home
 
diff --git a/docs/manual/mod/header.html b/docs/manual/mod/header.html
index 749461de9e0..78b9744837e 100644
--- a/docs/manual/mod/header.html
+++ b/docs/manual/mod/header.html
@@ -1,4 +1,4 @@
-    
              
+    
              
       [APACHE DOCUMENTATION] 
 
       
              Apache HTTP Server Version 2.0
              
diff --git a/docs/manual/new_features_2_0.html.en b/docs/manual/new_features_2_0.html.en
index f977e65f2c0..cadb5dd8569 100644
--- a/docs/manual/new_features_2_0.html.en
+++ b/docs/manual/new_features_2_0.html.en
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
              Overview of New Features in Apache 2.0
              
+    
              Overview of New Features in Apache 2.0
              
 
     
              Enhancements: Core | Module
              
diff --git a/docs/manual/platform/netware.html b/docs/manual/platform/netware.html
index fe465fc3567..f22ee8ee6bd 100644
--- a/docs/manual/platform/netware.html
+++ b/docs/manual/platform/netware.html
@@ -13,20 +13,20 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
              Using Apache With Novell NetWare
              
+    
              Using Apache With Novell NetWare
              
 
 	
              This document explains how to install, configure and run
 	   Apache 2.0 under Novell NetWare 5.x and above. If you find any bugs, 
 	   or wish to contribute in other ways, please
-	   use our bug reporting
+	   use our bug reporting
 	   page.
              
 
 	
              The bug reporting page and dev-httpd mailing list are not 
 	   provided to answer questions about configuration or running Apache.  
 	   Before you submit a bug report or request, first consult this document, the
-    Frequently Asked Questions page and the other 
+    Frequently Asked Questions page and the other 
 	   relevant documentation topics.  If you still have a question or problem, 
-	   post it to the 
+	   post it to the 
 	   novell.devsup.webserver newsgroup, where many 
 	   Apache users are more than willing to answer new 
 	   and obscure questions about using Apache on NetWare.
              
diff --git a/docs/manual/platform/perf-hp.html b/docs/manual/platform/perf-hp.html
index 9a88c4b08e8..26d6bb33d9f 100644
--- a/docs/manual/platform/perf-hp.html
+++ b/docs/manual/platform/perf-hp.html
@@ -15,7 +15,7 @@
     
      
 
-    
              Running a High-Performance Web Server for
+    
              Running a High-Performance Web Server for
     HPUX
              
 
               Date: Wed, 05 Nov 1997 16:59:34 -0800
@@ -92,7 +92,7 @@ Subject: HP-UX tuning tips
     href="http://www.cup.hp.com/netperf/NetperfPage.html">http://www.cup.hp.com/netperf/NetperfPage.html
              
     
              
 
-    
              Apache HTTP Server Version 1.3
              
+    
              Apache HTTP Server Version 1.3
              
     Index
     Home
   
diff --git a/docs/manual/platform/win_service.html b/docs/manual/platform/win_service.html
index 405ff5108c0..70c324231fd 100644
--- a/docs/manual/platform/win_service.html
+++ b/docs/manual/platform/win_service.html
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
              Running Apache for Windows as a Service
              
+    
              Running Apache for Windows as a Service
              
 
     
              Apache can be run as a service on Windows NT/2000. (There is
     also some HIGHLY EXPERIMENTAL support for similar behavior on
diff --git a/docs/manual/platform/windows.html b/docs/manual/platform/windows.html
index dc03236a471..c0cd2b1e010 100644
--- a/docs/manual/platform/windows.html
+++ b/docs/manual/platform/windows.html
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
              Using Apache with Microsoft Windows
              
+    
              Using Apache with Microsoft Windows
              
 
     
              This document explains how to install, configure and run
     Apache 2.0 under Microsoft Windows. If you find any bugs, or
diff --git a/docs/manual/programs/footer.html b/docs/manual/programs/footer.html
index 54f6044a57e..bda0e28b8bd 100644
--- a/docs/manual/programs/footer.html
+++ b/docs/manual/programs/footer.html
@@ -1,6 +1,6 @@
     
              
 
-    
              Apache HTTP Server Version 2.0
              
+    
              Apache HTTP Server Version 2.0
              
     Index
     Home
 
diff --git a/docs/manual/programs/header.html b/docs/manual/programs/header.html
index 749461de9e0..78b9744837e 100644
--- a/docs/manual/programs/header.html
+++ b/docs/manual/programs/header.html
@@ -1,4 +1,4 @@
-    
              
+    
              
       [APACHE DOCUMENTATION] 
 
       
              Apache HTTP Server Version 2.0
              
diff --git a/docs/manual/programs/index.html b/docs/manual/programs/index.html
index 9964f1c0ab6..2cb298a7aeb 100755
--- a/docs/manual/programs/index.html
+++ b/docs/manual/programs/index.html
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
              Server and Supporting Programs
              
+    
              Server and Supporting Programs
              
 
     
              This page documents all the executable programs included
     with the Apache HTTP Server.
              
diff --git a/docs/manual/programs/other.html b/docs/manual/programs/other.html
index 226674ded53..80b48194876 100755
--- a/docs/manual/programs/other.html
+++ b/docs/manual/programs/other.html
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
              Other Programs
              
+    
              Other Programs
              
 
     
              The following programs are simple support programs included
     with the Apache HTTP Server which do not have their own manual
diff --git a/docs/manual/sections.html.en b/docs/manual/sections.html.en
index 94a7ed1cb6c..23242965768 100644
--- a/docs/manual/sections.html.en
+++ b/docs/manual/sections.html.en
@@ -13,7 +13,7 @@
   vlink="#000080" alink="#FF0000">
     
 
-    
              How Directory, Location and Files sections
+    
              How Directory, Location and Files sections
     work
              
 
     
              The sections 
 
-    
              Apache HTTP Server Version 2.0
              
+    
              Apache HTTP Server Version 2.0
              
                   Index
     Home
 
diff --git a/docs/manual/ssl/header.html b/docs/manual/ssl/header.html
index 749461de9e0..78b9744837e 100644
--- a/docs/manual/ssl/header.html
+++ b/docs/manual/ssl/header.html
@@ -1,4 +1,4 @@
-    
              
+    
              
       [APACHE DOCUMENTATION] 
 
       
              Apache HTTP Server Version 2.0
              
diff --git a/docs/manual/ssl/index.html.en b/docs/manual/ssl/index.html.en
index 971686a1b71..b843a190056 100644
--- a/docs/manual/ssl/index.html.en
+++ b/docs/manual/ssl/index.html.en
@@ -9,7 +9,7 @@
  
 
 
-
              SSL/TLS Strong Encryption
              
+
              SSL/TLS Strong Encryption
              
 
 
              The Apache HTTP Server module mod_ssl
 provides an interface to the mod_ssl reference documentation.
              
 
 
-
               
              
+    
   
 
diff --git a/docs/manual/ssl/ssl_compat.html b/docs/manual/ssl/ssl_compat.html
index 9b395c02891..18ae58bdb32 100644
--- a/docs/manual/ssl/ssl_compat.html
+++ b/docs/manual/ssl/ssl_compat.html
@@ -5,9 +5,9 @@
   
 Apache SSL/TLS Encryption: Compatibility
 
@@ -16,7 +16,7 @@
  
 
 
-
              SSL/TLS Strong Encryption: Compatibility
              
+
              SSL/TLS Strong Encryption: Compatibility
              
 
 
              
 
    
       
    
@@ -56,7 +56,7 @@ The idea in mod_ssl is mainly the following: because mod_ssl provides mostly a
 superset of the functionality of all other solutions we can easily provide
 backward compatibility for most of the cases. Actually there are three
 compatibility areas we currently address: configuration directives,
-environment variables and custom log functions.
+environment variables and custom log functions.
    
 
 
 
 
    Configuration Directives
    
-For backward compatibility to the configuration directives of other SSL
+
    For backward compatibility to the configuration directives of other SSL
 solutions we do an on-the-fly mapping: directives which have a direct
 counterpart in mod_ssl are mapped silently while other directives lead to a
 warning message in the logfiles. The currently implemented directive mapping
@@ -76,167 +76,164 @@ special functionality in these interfaces which mod_ssl (still) doesn't
 provide.
    
 
 
-
    
 
    
 
 
    
-
+
    Table 1: Configuration Directive MappingTable 1: Configuration Directive Mapping
 
    
 
    
 
    
 
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
    
 Old Directive
 mod_ssl Directive
 Comment
 
    Apache-SSL 1.x & mod_ssl 2.0.x compatibility:
    SSLEnableSSLEngine oncompactified
    SSLDisableSSLEngine offcompactified
    SSLLogFile fileSSLLog filecompactified
    SSLRequiredCiphers specSSLCipherSuite specrenamed
    SSLRequireCipher c1 ...SSLRequire %{SSL_CIPHER} in {"c1", ...}generalized
    SSLBanCipher c1 ...SSLRequire not (%{SSL_CIPHER} in {"c1", ...})generalized
    SSLFakeBasicAuthSSLOptions +FakeBasicAuthmerged
    SSLCacheServerPath dir-functionality removed
    SSLCacheServerPort integer-functionality removed
    Apache-SSL 1.x compatibility:
    SSLExportClientCertificatesSSLOptions +ExportCertDatamerged
    SSLCacheServerRunDir dir-functionality not supported
    Sioux 1.x compatibility:
    SSL_CertFile fileSSLCertificateFile filerenamed
    SSL_KeyFile fileSSLCertificateKeyFile filerenamed
    SSL_CipherSuite argSSLCipherSuite argrenamed
    SSL_X509VerifyDir argSSLCACertificatePath argrenamed
    SSL_Log fileSSLLogFile filerenamed
    SSL_Connect flagSSLEngine flagrenamed
    SSL_ClientAuth argSSLVerifyClient argrenamed
    SSL_X509VerifyDepth argSSLVerifyDepth argrenamed
    SSL_FetchKeyPhraseFrom arg-not directly mappable; use SSLPassPhraseDialog
    SSL_SessionDir dir-not directly mappable; use SSLSessionCache
    SSL_Require expr-not directly mappable; use SSLRequire
    SSL_CertFileType arg-functionality not supported
    SSL_KeyFileType arg-functionality not supported
    SSL_X509VerifyPolicy arg-functionality not supported
    SSL_LogX509Attributes arg-functionality not supported
    Stronghold 2.x compatibility:
    StrongholdAccelerator dir-functionality not supported
    StrongholdKey dir-functionality not supported
    StrongholdLicenseFile dir-functionality not supported
    SSLFlag flagSSLEngine flagrenamed
    SSLSessionLockFile fileSSLMutex filerenamed
    SSLCipherList specSSLCipherSuite specrenamed
    RequireSSLSSLRequireSSLrenamed
    SSLErrorFile file-functionality not supported
    SSLRoot dir-functionality not supported
    SSL_CertificateLogDir dir-functionality not supported
    AuthCertDir dir-functionality not supported
    SSL_Group name-functionality not supported
    SSLProxyMachineCertPath dir-functionality not supported
    SSLProxyMachineCertFile file-functionality not supported
    SSLProxyCACertificatePath dir-functionality not supported
    SSLProxyCACertificateFile file-functionality not supported
    SSLProxyVerifyDepth number-functionality not supported
    SSLProxyCipherList spec-functionality not supported
    Apache-SSL 1.x & mod_ssl 2.0.x compatibility:
    SSLEnableSSLEngine oncompactified
    SSLDisableSSLEngine offcompactified
    SSLLogFile fileSSLLog filecompactified
    SSLRequiredCiphers specSSLCipherSuite specrenamed
    SSLRequireCipher c1 ...SSLRequire %{SSL_CIPHER} in {"c1", ...}generalized
    SSLBanCipher c1 ...SSLRequire not (%{SSL_CIPHER} in {"c1", ...})generalized
    SSLFakeBasicAuthSSLOptions +FakeBasicAuthmerged
    SSLCacheServerPath dir-functionality removed
    SSLCacheServerPort integer-functionality removed
    Apache-SSL 1.x compatibility:
    SSLExportClientCertificatesSSLOptions +ExportCertDatamerged
    SSLCacheServerRunDir dir-functionality not supported
    Sioux 1.x compatibility:
    SSL_CertFile fileSSLCertificateFile filerenamed
    SSL_KeyFile fileSSLCertificateKeyFile filerenamed
    SSL_CipherSuite argSSLCipherSuite argrenamed
    SSL_X509VerifyDir argSSLCACertificatePath argrenamed
    SSL_Log fileSSLLogFile filerenamed
    SSL_Connect flagSSLEngine flagrenamed
    SSL_ClientAuth argSSLVerifyClient argrenamed
    SSL_X509VerifyDepth argSSLVerifyDepth argrenamed
    SSL_FetchKeyPhraseFrom arg-not directly mappable; use SSLPassPhraseDialog
    SSL_SessionDir dir-not directly mappable; use SSLSessionCache
    SSL_Require expr-not directly mappable; use SSLRequire
    SSL_CertFileType arg-functionality not supported
    SSL_KeyFileType arg-functionality not supported
    SSL_X509VerifyPolicy arg-functionality not supported
    SSL_LogX509Attributes arg-functionality not supported
    Stronghold 2.x compatibility:
    StrongholdAccelerator dir-functionality not supported
    StrongholdKey dir-functionality not supported
    StrongholdLicenseFile dir-functionality not supported
    SSLFlag flagSSLEngine flagrenamed
    SSLSessionLockFile fileSSLMutex filerenamed
    SSLCipherList specSSLCipherSuite specrenamed
    RequireSSLSSLRequireSSLrenamed
    SSLErrorFile file-functionality not supported
    SSLRoot dir-functionality not supported
    SSL_CertificateLogDir dir-functionality not supported
    AuthCertDir dir-functionality not supported
    SSL_Group name-functionality not supported
    SSLProxyMachineCertPath dir-functionality not supported
    SSLProxyMachineCertFile file-functionality not supported
    SSLProxyCACertificatePath dir-functionality not supported
    SSLProxyCACertificateFile file-functionality not supported
    SSLProxyVerifyDepth number-functionality not supported
    SSLProxyCipherList spec-functionality not supported
    
 
    
     		
 
    
 
    
 

-

-

+

 
Environment Variables

-When you use ``SSLOptions +CompatEnvVars'' additional environment
+
When you use ``SSLOptions +CompatEnvVars'' additional environment
 variables are generated. They all correspond to existing official mod_ssl
 variables. The currently implemented variable derivation is listed in Table 2.
-

+href="#table2">Table 2.

 

 
 
-
+
Table 2: Environment Variable DerivationTable 2: Environment Variable Derivation
 

 

 

 
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+

 Old Variable
 mod_ssl Variable
 Comment
 
SSL_PROTOCOL_VERSIONSSL_PROTOCOLrenamed
SSLEAY_VERSIONSSL_VERSION_LIBRARYrenamed
HTTPS_SECRETKEYSIZESSL_CIPHER_USEKEYSIZErenamed
HTTPS_KEYSIZESSL_CIPHER_ALGKEYSIZErenamed
HTTPS_CIPHERSSL_CIPHERrenamed
HTTPS_EXPORTSSL_CIPHER_EXPORTrenamed
SSL_SERVER_KEY_SIZESSL_CIPHER_ALGKEYSIZErenamed
SSL_SERVER_CERTIFICATESSL_SERVER_CERTrenamed
SSL_SERVER_CERT_STARTSSL_SERVER_V_STARTrenamed
SSL_SERVER_CERT_ENDSSL_SERVER_V_ENDrenamed
SSL_SERVER_CERT_SERIALSSL_SERVER_M_SERIALrenamed
SSL_SERVER_SIGNATURE_ALGORITHMSSL_SERVER_A_SIGrenamed
SSL_SERVER_DNSSL_SERVER_S_DNrenamed
SSL_SERVER_CNSSL_SERVER_S_DN_CNrenamed
SSL_SERVER_EMAILSSL_SERVER_S_DN_Emailrenamed
SSL_SERVER_OSSL_SERVER_S_DN_Orenamed
SSL_SERVER_OUSSL_SERVER_S_DN_OUrenamed
SSL_SERVER_CSSL_SERVER_S_DN_Crenamed
SSL_SERVER_SPSSL_SERVER_S_DN_SPrenamed
SSL_SERVER_LSSL_SERVER_S_DN_Lrenamed
SSL_SERVER_IDNSSL_SERVER_I_DNrenamed
SSL_SERVER_ICNSSL_SERVER_I_DN_CNrenamed
SSL_SERVER_IEMAILSSL_SERVER_I_DN_Emailrenamed
SSL_SERVER_IOSSL_SERVER_I_DN_Orenamed
SSL_SERVER_IOUSSL_SERVER_I_DN_OUrenamed
SSL_SERVER_ICSSL_SERVER_I_DN_Crenamed
SSL_SERVER_ISPSSL_SERVER_I_DN_SPrenamed
SSL_SERVER_ILSSL_SERVER_I_DN_Lrenamed
SSL_CLIENT_CERTIFICATESSL_CLIENT_CERTrenamed
SSL_CLIENT_CERT_STARTSSL_CLIENT_V_STARTrenamed
SSL_CLIENT_CERT_ENDSSL_CLIENT_V_ENDrenamed
SSL_CLIENT_CERT_SERIALSSL_CLIENT_M_SERIALrenamed
SSL_CLIENT_SIGNATURE_ALGORITHMSSL_CLIENT_A_SIGrenamed
SSL_CLIENT_DNSSL_CLIENT_S_DNrenamed
SSL_CLIENT_CNSSL_CLIENT_S_DN_CNrenamed
SSL_CLIENT_EMAILSSL_CLIENT_S_DN_Emailrenamed
SSL_CLIENT_OSSL_CLIENT_S_DN_Orenamed
SSL_CLIENT_OUSSL_CLIENT_S_DN_OUrenamed
SSL_CLIENT_CSSL_CLIENT_S_DN_Crenamed
SSL_CLIENT_SPSSL_CLIENT_S_DN_SPrenamed
SSL_CLIENT_LSSL_CLIENT_S_DN_Lrenamed
SSL_CLIENT_IDNSSL_CLIENT_I_DNrenamed
SSL_CLIENT_ICNSSL_CLIENT_I_DN_CNrenamed
SSL_CLIENT_IEMAILSSL_CLIENT_I_DN_Emailrenamed
SSL_CLIENT_IOSSL_CLIENT_I_DN_Orenamed
SSL_CLIENT_IOUSSL_CLIENT_I_DN_OUrenamed
SSL_CLIENT_ICSSL_CLIENT_I_DN_Crenamed
SSL_CLIENT_ISPSSL_CLIENT_I_DN_SPrenamed
SSL_CLIENT_ILSSL_CLIENT_I_DN_Lrenamed
SSL_EXPORTSSL_CIPHER_EXPORTrenamed
SSL_KEYSIZESSL_CIPHER_ALGKEYSIZErenamed
SSL_SECKEYSIZESSL_CIPHER_USEKEYSIZErenamed
SSL_SSLEAY_VERSIONSSL_VERSION_LIBRARYrenamed
SSL_STRONG_CRYPTO-Not supported by mod_ssl
SSL_SERVER_KEY_EXP-Not supported by mod_ssl
SSL_SERVER_KEY_ALGORITHM-Not supported by mod_ssl
SSL_SERVER_KEY_SIZE-Not supported by mod_ssl
SSL_SERVER_SESSIONDIR-Not supported by mod_ssl
SSL_SERVER_CERTIFICATELOGDIR-Not supported by mod_ssl
SSL_SERVER_CERTFILE-Not supported by mod_ssl
SSL_SERVER_KEYFILE-Not supported by mod_ssl
SSL_SERVER_KEYFILETYPE-Not supported by mod_ssl
SSL_CLIENT_KEY_EXP-Not supported by mod_ssl
SSL_CLIENT_KEY_ALGORITHM-Not supported by mod_ssl
SSL_CLIENT_KEY_SIZE-Not supported by mod_ssl
SSL_PROTOCOL_VERSIONSSL_PROTOCOLrenamed
SSLEAY_VERSIONSSL_VERSION_LIBRARYrenamed
HTTPS_SECRETKEYSIZESSL_CIPHER_USEKEYSIZErenamed
HTTPS_KEYSIZESSL_CIPHER_ALGKEYSIZErenamed
HTTPS_CIPHERSSL_CIPHERrenamed
HTTPS_EXPORTSSL_CIPHER_EXPORTrenamed
SSL_SERVER_KEY_SIZESSL_CIPHER_ALGKEYSIZErenamed
SSL_SERVER_CERTIFICATESSL_SERVER_CERTrenamed
SSL_SERVER_CERT_STARTSSL_SERVER_V_STARTrenamed
SSL_SERVER_CERT_ENDSSL_SERVER_V_ENDrenamed
SSL_SERVER_CERT_SERIALSSL_SERVER_M_SERIALrenamed
SSL_SERVER_SIGNATURE_ALGORITHMSSL_SERVER_A_SIGrenamed
SSL_SERVER_DNSSL_SERVER_S_DNrenamed
SSL_SERVER_CNSSL_SERVER_S_DN_CNrenamed
SSL_SERVER_EMAILSSL_SERVER_S_DN_Emailrenamed
SSL_SERVER_OSSL_SERVER_S_DN_Orenamed
SSL_SERVER_OUSSL_SERVER_S_DN_OUrenamed
SSL_SERVER_CSSL_SERVER_S_DN_Crenamed
SSL_SERVER_SPSSL_SERVER_S_DN_SPrenamed
SSL_SERVER_LSSL_SERVER_S_DN_Lrenamed
SSL_SERVER_IDNSSL_SERVER_I_DNrenamed
SSL_SERVER_ICNSSL_SERVER_I_DN_CNrenamed
SSL_SERVER_IEMAILSSL_SERVER_I_DN_Emailrenamed
SSL_SERVER_IOSSL_SERVER_I_DN_Orenamed
SSL_SERVER_IOUSSL_SERVER_I_DN_OUrenamed
SSL_SERVER_ICSSL_SERVER_I_DN_Crenamed
SSL_SERVER_ISPSSL_SERVER_I_DN_SPrenamed
SSL_SERVER_ILSSL_SERVER_I_DN_Lrenamed
SSL_CLIENT_CERTIFICATESSL_CLIENT_CERTrenamed
SSL_CLIENT_CERT_STARTSSL_CLIENT_V_STARTrenamed
SSL_CLIENT_CERT_ENDSSL_CLIENT_V_ENDrenamed
SSL_CLIENT_CERT_SERIALSSL_CLIENT_M_SERIALrenamed
SSL_CLIENT_SIGNATURE_ALGORITHMSSL_CLIENT_A_SIGrenamed
SSL_CLIENT_DNSSL_CLIENT_S_DNrenamed
SSL_CLIENT_CNSSL_CLIENT_S_DN_CNrenamed
SSL_CLIENT_EMAILSSL_CLIENT_S_DN_Emailrenamed
SSL_CLIENT_OSSL_CLIENT_S_DN_Orenamed
SSL_CLIENT_OUSSL_CLIENT_S_DN_OUrenamed
SSL_CLIENT_CSSL_CLIENT_S_DN_Crenamed
SSL_CLIENT_SPSSL_CLIENT_S_DN_SPrenamed
SSL_CLIENT_LSSL_CLIENT_S_DN_Lrenamed
SSL_CLIENT_IDNSSL_CLIENT_I_DNrenamed
SSL_CLIENT_ICNSSL_CLIENT_I_DN_CNrenamed
SSL_CLIENT_IEMAILSSL_CLIENT_I_DN_Emailrenamed
SSL_CLIENT_IOSSL_CLIENT_I_DN_Orenamed
SSL_CLIENT_IOUSSL_CLIENT_I_DN_OUrenamed
SSL_CLIENT_ICSSL_CLIENT_I_DN_Crenamed
SSL_CLIENT_ISPSSL_CLIENT_I_DN_SPrenamed
SSL_CLIENT_ILSSL_CLIENT_I_DN_Lrenamed
SSL_EXPORTSSL_CIPHER_EXPORTrenamed
SSL_KEYSIZESSL_CIPHER_ALGKEYSIZErenamed
SSL_SECKEYSIZESSL_CIPHER_USEKEYSIZErenamed
SSL_SSLEAY_VERSIONSSL_VERSION_LIBRARYrenamed
SSL_STRONG_CRYPTO-Not supported by mod_ssl
SSL_SERVER_KEY_EXP-Not supported by mod_ssl
SSL_SERVER_KEY_ALGORITHM-Not supported by mod_ssl
SSL_SERVER_KEY_SIZE-Not supported by mod_ssl
SSL_SERVER_SESSIONDIR-Not supported by mod_ssl
SSL_SERVER_CERTIFICATELOGDIR-Not supported by mod_ssl
SSL_SERVER_CERTFILE-Not supported by mod_ssl
SSL_SERVER_KEYFILE-Not supported by mod_ssl
SSL_SERVER_KEYFILETYPE-Not supported by mod_ssl
SSL_CLIENT_KEY_EXP-Not supported by mod_ssl
SSL_CLIENT_KEY_ALGORITHM-Not supported by mod_ssl
SSL_CLIENT_KEY_SIZE-Not supported by mod_ssl

 

 		
 

 

 

-

-

+

 
Custom Log Functions

+

 When mod_ssl is built into Apache or at least loaded (under DSO situation)
 additional functions exist for the Custom Log Format of %{name}c'' cryptography format function
 exists for backward compatibility. The currently implemented function calls
-are listed in Table 3.
-

+are listed in Table 3.

 

 
 
-
+
Table 3: Custom Log Cryptography FunctionTable 3: Custom Log Cryptography Function
 

 

 

 
-
+
-
-
-
-
-
-
+
+
+
+
+
+

  Function Call
  Description
 
%...{version}c   SSL protocol version
%...{cipher}c    SSL cipher
%...{subjectdn}c Client Certificate Subject Distinguished Name
%...{issuerdn}c  Client Certificate Issuer Distinguished Name
%...{errcode}c   Certificate Verification Error (numerical)
%...{errstr}c    Certificate Verification Error (string)
%...{version}c   SSL protocol version
%...{cipher}c    SSL cipher
%...{subjectdn}c Client Certificate Subject Distinguished Name
%...{issuerdn}c  Client Certificate Issuer Distinguished Name
%...{errcode}c   Certificate Verification Error (numerical)
%...{errstr}c    Certificate Verification Error (string)

 

 		
 

 

 

-
 

+    
   
 
\ No newline at end of file
diff --git a/docs/manual/ssl/ssl_faq.html b/docs/manual/ssl/ssl_faq.html
index 37430c8ef22..0f56ecc3cb2 100644
--- a/docs/manual/ssl/ssl_faq.html
+++ b/docs/manual/ssl/ssl_faq.html
@@ -16,7 +16,7 @@
  
 
 
-
SSL/TLS Strong Encryption: FAQ

+
SSL/TLS Strong Encryption: FAQ

 
 
 

@@ -47,11 +47,11 @@ href="news:comp.infosystems.www.servers.unix">
 comp.infosystems.www.servers.unix or the mod_ssl Support
 Mailing List 
 modssl-users@modssl.org. They are collected at this place
-to avoid answering the same questions over and over.
+to avoid answering the same questions over and over.

 

 Please read this chapter at least once when installing mod_ssl or at least
 search for your problem here before submitting a problem report to the
-author.
+author.

 
 
-
  • About Installation
    • 
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 
 
 
 
    About the module
    
 
      
-
      
 
    • 
     
-    
+    
 What is the history of mod_ssl?
   
     [L]
-    
      
-    The mod_ssl v1 package was initially created in April 1998 by The mod_ssl v1 package was initially created in April 1998 by Ralf S. Engelschall via porting Ben Laurie's Apache-SSL 1.17 source patches for
@@ -143,34 +162,34 @@ What is the history of mod_ssl?
     Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL
     1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The
     first publically released version was mod_ssl 2.0.0 from August 10th,
-    1998. As of this writing (August 1999) the current mod_ssl version is 2.4.0.
-    
      
-    After one year of very active development with over 1000 working hours and
+    1998. As of this writing (August 1999) the current mod_ssl version 
+    is 2.4.0.
      
+    
+    
      After one year of very active development with over 1000 working hours and
     over 40 releases mod_ssl reached its current state. The result is an
     already very clean source base implementing a very rich functionality.
     The code size increased by a factor of 4 to currently a total of over
     10.000 lines of ANSI C consisting of approx. 70% code and 30% code
     documentation. From the original Apache-SSL code currently approx. 5% is
-    remaining only.
-    
      
-    After the US export restrictions for cryptographic software were
-    opened, mod_ssl was integrated into the code base of Apache V2 in 2001.
-
      
+    remaining only.
      
+    
+    
      After the US export restrictions for cryptographic software were
+    opened, mod_ssl was integrated into the code base of Apache V2 in 2001.
      
+
      • 
 
    • 
     
-    
+    
 What are the functional differences between mod_ssl and Apache-SSL, from which
 it is originally derived?
   
     [L]
-    
      
-    This neither can be answered in short (there were too many code changes)
+    
      This neither can be answered in short (there were too many code changes)
     nor can be answered at all by the author (there would immediately be flame
     wars with no reasonable results at the end). But as you easily can guess
     from the 5% of remaining Apache-SSL code, a lot of differences exists,
-    although user-visible backward compatibility exists for most things.
-    
      
-    When you really want a detailed comparison you have to read the entries in
+    although user-visible backward compatibility exists for most things.
      
+    
+    
      When you really want a detailed comparison you have to read the entries in
     the large CHANGES file that is in the mod_ssl
     distribution. Usually this is much too hard-core. So I recommend you to
     either believe in the opinion and recommendations of other users (the
@@ -179,9 +198,9 @@ it is originally derived?
     href="http://www.modssl.org/">http://www.modssl.org) and Apache-SSL
     (from http://www.apache-ssl.org),
     install both packages, read their documentation and try them out yourself.
-    Then choose the one which pleases you most.
-    
      
-    A few final hints to help direct your comparison: quality of documentation
+    Then choose the one which pleases you most.
      
+    
+    
      A few final hints to help direct your comparison: quality of documentation
     ("can you easily find answers and are they sufficient?"), quality of
     source code ("is the source code reviewable so you can make sure there
     aren't any trapdoors or inherent security risks because of bad programming
@@ -195,34 +214,33 @@ it is originally derived?
     quality of functionality ("is the provided SSL functionality and control
     possibilities sufficient for your situation?"), quality of problem tracing
     ("is it possible for you to easily trace down the problems via logfiles,
-    etc?"), etc. pp.
-
      
+    etc?"), etc. pp.
      
+
      • 
 
    • 
     
-    
+    
 What are the major differences between mod_ssl and
 the commercial alternatives like Raven or Stronghold?
   
     [L]
-    
      
-    In the past (until September 20th, 2000) the major difference was
+    
      In the past (until September 20th, 2000) the major difference was
     the RSA license which one received (very cheaply in contrast to
     a direct licensing from RSA DSI) with the commercial Apache SSL
     products. On the other hand, one needed this license only in the US,
     of course. So for non-US citizens this point was useless. But now
     even for US citizens the situations changed because the RSA patent
     expired on September 20th, 2000 and RSA DSI also placed the RSA
-    algorithm explicitly into the public domain.
-    
      
-    Second, there is the point that one has guaranteed support from
+    algorithm explicitly into the public domain.
      
+    
+    
      Second, there is the point that one has guaranteed support from
     the commercial vendors. On the other hand, if you monitored the
     Open Source quality of mod_ssl and the support activities
     found on 
     modssl-users@modssl.org, you could ask yourself
     whether you are really convinced that you can get better support
-    from a commercial vendor.
-    
      
-    Third, people often think they would receive perhaps at least a
+    from a commercial vendor.
      
+    
+    
      Third, people often think they would receive perhaps at least a
     better technical SSL solution than mod_ssl from the commercial
     vendors. But this is not really true, because all commercial
     alternatives (Raven 1.4.x, Stronghold 3.x, RedHat SWS 2.x, etc.)
@@ -238,63 +256,60 @@ the commercial alternatives like Raven or Stronghold?
     it sometimes occurs that a vendor version includes useful changes
     which are not available through the official freely available
     packages. But most vendors play fair and contribute back those
-    changes to the free software world, of course.
-    
      
-    So, in short: There are lots of commercial versions of the popular
+    changes to the free software world, of course.
      
+    
+    
      So, in short: There are lots of commercial versions of the popular
     Apache+mod_ssl+OpenSSL server combination available. Every user
     should decide carefully whether they really need to buy a commercial
     version or whether it would not be sufficient to directly use the
     free and official versions of the Apache, mod_ssl and OpenSSL
-    packages.
-
      
+    packages.
      
+
      • 
 
    • 
     
-    
+    
 How do I know which mod_ssl version is for which Apache version?
   
     [L]
-    
      
-    That's trivial: mod_ssl uses version strings of the syntax
+    
      That's trivial: mod_ssl uses version strings of the syntax
     <mod_ssl-version>-<apache-version>, for
     instance 2.4.0-1.3.9. This directly indicates that it's
     mod_ssl version 2.4.0 for Apache version 1.3.9. And this also means you
     only can apply this mod_ssl version to exactly this Apache
     version (unless you use the --force option to mod_ssl's
-    configure command ;-).
-
      
+    configure command ;-).
      
+
      • 
 
    • 
     
-    
+    
 Is mod_ssl Year 2000 compliant?
   
     [L]
-    
      
-    Yes, mod_ssl is Year 2000 compliant.
-    
      
-    Because first mod_ssl internally never stores years as two digits.
+    
      Yes, mod_ssl is Year 2000 compliant.
      
+    
+    
      Because first mod_ssl internally never stores years as two digits.
     Instead it always uses the ANSI C & POSIX numerical data type
     time_t type, which on almost all Unix platforms at the moment
     is a signed long (usually 32-bits) representing seconds since
     epoch of January 1st, 1970, 00:00 UTC. This signed value overflows in
     early January 2038 and not in the year 2000. Second, date and time
     presentations (for instance the variable ``%{TIME_YEAR}'')
-    are done with full year value instead of abbreviating to two digits.
-    
      
-    Additionally according to a 
+    
+    
      Additionally according to a Year 2000
     statement from the Apache Group, the Apache webserver is Year 2000
     compliant, too. But whether OpenSSL or the underlaying Operating System
     (either a Unix or Win32 platform) is Year 2000 compliant is a different
-    question which cannot be answered here.
-
      
+    question which cannot be answered here.
      
+
      • 
 
    • 
     
-    
+    
 What about mod_ssl and the Wassenaar Arrangement?
   
     [L]
-    
      
-    First, let us explain what Wassenaar and its Arrangement on
+    
      First, let us explain what Wassenaar and its Arrangement on
     Export Controls for Conventional Arms and Dual-Use Goods and
     Technologies is: This is a international regime, established 1995, to
     control trade in conventional arms and dual-use goods and technology. It
@@ -305,16 +320,16 @@ What about mod_ssl and the Wassenaar Arrangement?
     of Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden,
     Switzerland, Turkey, Ukraine, United Kingdom and United States. For more
     details look at http://www.wassenaar.org/.
-    
      
-    In short: The aim of the Wassenaar Arrangement is to prevent the build up
+    href="http://www.wassenaar.org/">http://www.wassenaar.org/.
      
+    
+    
      In short: The aim of the Wassenaar Arrangement is to prevent the build up
     of military capabilities that threaten regional and international security
     and stability. The Wassenaar Arrangement controls the export of
     cryptography as a dual-use good, i.e., one that has both military and
     civilian applications. However, the Wassenaar Arrangement also provides an
-    exemption from export controls for mass-market software and free software.
-    
      
-    In the current Wassenaar ``List of Dual Use Goods and Technologies And
+    exemption from export controls for mass-market software and free software.
      
+    
+    
      In the current Wassenaar ``List of Dual Use Goods and Technologies And
     Munitions'', under ``GENERAL SOFTWARE NOTE'' (GSN) it says
     ``The Lists do not control "software" which is either: 1. [...] 2. "in
     the public domain".'' And under ``DEFINITIONS OF TERMS USED IN
@@ -322,13 +337,13 @@ What about mod_ssl and the Wassenaar Arrangement?
     domain": This means "technology" or "software" which has been made
     available without restrictions upon its further dissemination. N.B.
     Copyright restrictions do not remove "technology" or "software" from being
-    "in the public domain".''
-    
      
-    So, both mod_ssl and OpenSSL are ``in the public domain'' for the purposes
+    "in the public domain".''
      
+    
+    
      So, both mod_ssl and OpenSSL are ``in the public domain'' for the purposes
     of the Wassenaar Agreement and its ``List of Dual Use Goods and
-    Technologies And Munitions List''.
-    
      
-    Additionally the Wassenaar Agreement itself has no direct consequence for
+    Technologies And Munitions List''.
      
+    
+    
      Additionally the Wassenaar Agreement itself has no direct consequence for
     exporting cryptography software. What is actually allowed or forbidden to
     be exported from the countries has still to be defined in the local laws
     of each country. And at least according to official press releases from
@@ -337,82 +352,76 @@ What about mod_ssl and the Wassenaar Arrangement?
     Switzerland Bawi (see here) there
     will be no forthcoming export restriction for free cryptography software
     for their countries. Remember that mod_ssl is created in Germany and
-    distributed from Switzerland.
-    
      
-    So, mod_ssl and OpenSSL are not affected by the Wassenaar Agreement.
+    distributed from Switzerland.
      
+    
+    
      So, mod_ssl and OpenSSL are not affected by the Wassenaar Agreement.
      
+
      • 
 
    
-
    
-
    
+
    
 
    About Installation
    
 
      
-
      
 
    • 
     
-    
+    
 When I access my website the first time via HTTPS I get a core dump?
   
     [L]
-    
      
-    There can be a lot of reasons why a core dump can occur, of course.
+    
      There can be a lot of reasons why a core dump can occur, of course.
     Ranging from buggy third-party modules, over buggy vendor libraries up to
     a buggy mod_ssl version. But the above situation is often caused by old or
     broken vendor DBM libraries. To solve it either build mod_ssl with the
     built-in SDBM library (specify --enable-rule=SSL_SDBM at the
     APACI command line) or switch from ``SSLSessionCache dbm:'' to the
     newer ``SSLSessionCache shm:'' variant (after you have rebuilt
-    Apache with MM, of course).
-
      
+    Apache with MM, of course).
      
+
      • 
 
    • 
     
-    
+    
 My Apache dumps core when I add both mod_ssl and PHP3?
   
     [L]
-    
      
-    Make sure you add mod_ssl to the Apache source tree first and then do a
+    
      Make sure you add mod_ssl to the Apache source tree first and then do a
     fresh configuration and installation of PHP3. For SSL support EAPI patches
     are required which have to change internal Apache structures. PHP3 needs
     to know about these in order to work correctly. Always make sure that
-    -DEAPI is contained in the compiler flags when PHP3 is built.
-
      
+    -DEAPI is contained in the compiler flags when PHP3 is built.
      
+
      • 
 
    • 
     
-    
+    
 When I startup Apache I get errors about undefined symbols like ap_global_ctx?
   
     [L]
-    
      
-    This actually means you installed mod_ssl as a DSO, but without rebuilding
+    
      This actually means you installed mod_ssl as a DSO, but without rebuilding
     Apache with EAPI. Because EAPI is a requirement for mod_ssl, you need an
     extra patched Apache (containing the EAPI patches) and you have to build
     this Apache with EAPI enabled (explicitly specify
-    --enable-rule=EAPI at the APACI command line).
-
      
+    --enable-rule=EAPI at the APACI command line).
      
+
      • 
 
    • 
     
-    
+    
 When I startup Apache I get permission errors related to SSLMutex?
   
     [L]
-    
      
-    When you receive entries like ``mod_ssl: Child could not open
+    
      When you receive entries like ``mod_ssl: Child could not open
     SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows)
     [...] System: Permission denied (errno: 13)'' this is usually
     caused by to restrictive permissions on the parent directories.
     Make sure that all parent directories (here /opt,
     /opt/apache and /opt/apache/logs) have the x-bit
     set at least for the UID under which Apache's children are running (see
-    the User directive of Apache).
-
      
+    the User directive of Apache).
      
+
      • 
 
    • 
     
-    
+    
 When I use the MM library and the shared memory cache each process grows
 1.5MB according to `top' although I specified 512000 as the cache size?
   
     [L]
-    
      
-    The additional 1MB are caused by the global shared memory pool EAPI
+    
      The additional 1MB are caused by the global shared memory pool EAPI
     allocates for all modules and which is not used by mod_ssl for
     various reasons. So the actually allocated shared memory is always
     1MB more than what you specify on SSLSessionCache.
@@ -420,32 +429,30 @@ When I use the MM library and the shared memory cache each process grows
     indicates that each process grow, this is not reality, of
     course. Instead the additional memory consumption is shared by
     all processes, i.e. the 1.5MB are allocated only once per Apache
-    instance and not once per Apache server process.
-
      
+    instance and not once per Apache server process.
      
+
      • 
 
    • 
     
-    
+    
 Apache creates files in a directory declared by the internal
 EAPI_MM_CORE_PATH define. Is there a way to override the path using a
 configuration directive?
   
     [L]
-    
      
-    No, there is not configuration directive, because for technical
+    
      No, there is not configuration directive, because for technical
     bootstrapping reasons, a directive not possible at all. Instead
     use ``CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"'
     ./configure ...'' when building Apache or use option
-    -d when starting httpd.
-
      
+    -d when starting httpd.
      
+
      • 
 
    • 
     
-    
+    
 When I fire up the server, mod_ssl stops with the error
 "Failed to generate temporary 512 bit RSA private key", why?
   
     [L]
-    
      
-    Cryptographic software needs a source of unpredictable data
+    
      Cryptographic software needs a source of unpredictable data
     to work correctly. Many open source operating systems provide
     a "randomness device" that serves this purpose (usually named
     /dev/random). On other systems, applications have to
@@ -455,124 +462,116 @@ When I fire up the server, mod_ssl stops with the error
     randomness report an error if the PRNG has not been seeded with
     at least 128 bits of randomness. So mod_ssl has to provide enough
     entropy to the PRNG to work correctly.  For this one has to use the
-    SSLRandomSeed directives.
+    SSLRandomSeed directives.
      
+
      • 
 
    
-
    
-
    
+
    
 
    About Configuration
    
 
      
-
      
 
    • 
     
-    
-Is it possible to provide HTTP and HTTPS with a single server?
+    
+Is it possible to provide HTTP and HTTPS with a single server?
   
     [L]
-    
      
-    Yes, HTTP and HTTPS use different server ports, so there is no direct
+    
      Yes, HTTP and HTTPS use different server ports, so there is no direct
     conflict between them. Either run two separate server instances (one binds
     to port 80, the other to port 443) or even use Apache's elegant virtual
     hosting facility where you can easily create two virtual servers which
     Apache dispatches: one responding to port 80 and speaking HTTP and one
-    responding to port 443 speaking HTTPS.
-
      
+    responding to port 443 speaking HTTPS.
      
+
      • 
 
    • 
     
-    
+    
 I know that HTTP is on port 80, but where is HTTPS?
   
     [L]
-    
      
-    You can run HTTPS on any port, but the standards specify port 443, which
+    
      You can run HTTPS on any port, but the standards specify port 443, which
     is where any HTTPS compliant browser will look by default. You can force
     your browser to look on a different port by specifying it in the URL like
-    this (for port 666): https://secure.server.dom:666/
-
      
+    this (for port 666): https://secure.server.dom:666/
      
+
      • 
 
    • 
     
-    
+    
 How can I speak HTTPS manually for testing purposes?
   
     [L]
-    
      
-    While you usually just use
-    
      
-    $ telnet localhost 80
      
-    GET / HTTP/1.0
-    
      
-    for simple testing the HTTP protocol of Apache, it's not so easy for
+    
      While you usually just use
      
+    
+    
      $ telnet localhost 80
      
+    GET / HTTP/1.0
      
+    
+    
      for simple testing the HTTP protocol of Apache, it's not so easy for
     HTTPS because of the SSL protocol between TCP and HTTP. But with the
     help of OpenSSL's s_client command you can do a similar
-    check even for HTTPS:
-    
      
-    $ openssl s_client -connect localhost:443 -state -debug
      
-    GET / HTTP/1.0
-    
      
-    Before the actual HTTP response you receive detailed information about the
+    check even for HTTPS:
      
+    
+    
      $ openssl s_client -connect localhost:443 -state -debug
      
+    GET / HTTP/1.0
      
+    
+    
      Before the actual HTTP response you receive detailed information about the
     SSL handshake. For a more general command line client which directly
     understands both the HTTP and HTTPS scheme, can perform GET and POST
     methods, can use a proxy, supports byte ranges, etc. you should have a
     look at nifty cURL
     tool. With it you can directly check if your Apache is running fine on
-    Port 80 and 443 as following:
-    
      
-    $ curl http://localhost/
      
-    $ curl https://localhost/
      
-
      
+    Port 80 and 443 as following:
      
+    
+    
      $ curl http://localhost/
      
+    $ curl https://localhost/
      
+
      • 
 
    • 
     
-    
+    
 Why does the connection hang when I connect to my SSL-aware Apache server?
   
     [L]
-    
      
-    Because you connected with HTTP to the HTTPS port, i.e. you used an URL of
+    
      Because you connected with HTTP to the HTTPS port, i.e. you used an URL of
     the form ``http://'' instead of ``https://''.
     This also happens the other way round when you connect via HTTPS to a HTTP
     port, i.e. when you try to use ``https://'' on a server that
     doesn't support SSL (on this port). Make sure you are connecting to a
     virtual server that supports SSL, which is probably the IP associated with
-    your hostname, not localhost (127.0.0.1).
-
      
+    your hostname, not localhost (127.0.0.1).
      
+
      • 
 
    • 
     
-    
+    
 Why do I get ``Connection Refused'' messages when trying to access my freshly
 installed Apache+mod_ssl server via HTTPS?
   
     [L]
-    
      
-    There can be various reasons. Some of the common mistakes is that people
+    
      There can be various reasons. Some of the common mistakes is that people
     start Apache with just ``apachectl start'' (or
     ``httpd'') instead of ``apachectl startssl'' (or
     ``httpd -DSSL''. Or you're configuration is not correct. At
     least make sure that your ``Listen'' directives match your
     ``<VirtualHost>'' directives. And if all fails, please do
     yourself a favor and start over with the default configuration mod_ssl
-    provides you.
-
      
+    provides you.
      
+
      • 
 
    • 
     
-    
+    
 In my CGI programs and SSI scripts the various documented
 SSL_XXX variables do not exist. Why?
   
     [L]
-    
      
-    Just make sure you have ``SSLOptions +StdEnvVars''
-    enabled for the context of your CGI/SSI requests.
-
      
+    
      Just make sure you have ``SSLOptions +StdEnvVars''
+    enabled for the context of your CGI/SSI requests.
      
+
      • 
 
    • 
     
-    
+    
 How can I use relative hyperlinks to switch between HTTP and HTTPS?
   
     [L]
-    
      
-    Usually you have to use fully-qualified hyperlinks because
+    
      Usually you have to use fully-qualified hyperlinks because
     you have to change the URL scheme. But with the help of some URL
     manipulations through mod_rewrite you can achieve the same effect while
-    you still can use relative URLs:
+    you still can use relative URLs:
      
     
           RewriteEngine on
     RewriteRule   ^/(.*):SSL$   https://%{SERVER_NAME}/$1 [R,L]
@@ -580,22 +579,20 @@ How can I use relative hyperlinks to switch between HTTP and HTTPS?
     
      
     This rewrite ruleset lets you use hyperlinks of the form
     
      -    <a href="document.html:SSL">
+    <a href="document.html:SSL">
     
      
+
      • 
 
    
-
    
-
    
+
    
 
    About Certificates
    
 
      
-
      
 
    • 
     
-    
-What are RSA Private Keys, CSRs and Certificates?
+    
+What are RSA Private Keys, CSRs and Certificates?
   
     [L]
-    
      
-    The RSA private key file is a digital file that you can use to decrypt
+    
      The RSA private key file is a digital file that you can use to decrypt
     messages sent to you. It has a public component which you distribute (via
     your Certificate file) which allows people to encrypt those messages to
     you. A Certificate Signing Request (CSR) is a digital file which contains
@@ -606,71 +603,72 @@ What are RSA Private Keys, CSRs and Certificates?
     Certificate, thereby obtaining your RSA public key. That enables them to
     send messages which only you can decrypt.
     See the Introduction chapter for a general
-    description of the SSL protocol.
-
      
+    description of the SSL protocol.
      
+
      • 
 
    • 
     
-    
+    
 Seems like there is a difference on startup between the original Apache and an SSL-aware Apache?
   
     [L]
-    
      
-    Yes, in general, starting Apache with a built-in mod_ssl is just like
+    
      Yes, in general, starting Apache with a built-in mod_ssl is just like
     starting an unencumbered Apache, except for the fact that when you have a
     pass phrase on your SSL private key file. Then a startup dialog pops up
-    asking you to enter the pass phrase.
-    
      
-    To type in the pass phrase manually when starting the server can be
+    asking you to enter the pass phrase.
      
+    
+    
      To type in the pass phrase manually when starting the server can be
     problematic, for instance when starting the server from the system boot
     scripts. As an alternative to this situation you can follow the steps
     below under ``How can I get rid of the pass-phrase dialog at Apache
-    startup time?''.
-
      
+    startup time?''.
      
+
      • 
 
    • 
     
-    
+    
 Ok, I've got my server installed and want to create a real SSL
 server Certificate for it. How do I do it?
   
     [L]
-    
      
-    Here is a step-by-step description:
-    
      
+    
      Here is a step-by-step description:
      
+    
     
        
     
      1. Make sure OpenSSL is really installed and in your PATH.
         But some commands even work ok when you just run the
         ``openssl'' program from within the OpenSSL source tree as
-        ``./apps/openssl''.
-    
        
+        ``./apps/openssl''.
        
+        
        
+    
        2. 
     
      2. Create a RSA private key for your Apache server
-       (will be Triple-DES encrypted and PEM formatted):
-       
        
-       $ openssl genrsa -des3 -out server.key 1024
-       
        
+       (will be Triple-DES encrypted and PEM formatted):
        
+       
        
+       $ openssl genrsa -des3 -out server.key 1024
        
+       
        
        Please backup this server.key file and remember the
        pass-phrase you had to enter at a secure location.
-       You can see the details of this RSA private key via the command:
-       
        
-       $ openssl rsa -noout -text -in server.key
-       
        
+       You can see the details of this RSA private key via the command:
        
+       
        
+       $ openssl rsa -noout -text -in server.key
        
+       
        
        And you could create a decrypted PEM version (not recommended)
-       of this RSA private key via:
-       
        
-       $ openssl rsa -in server.key -out server.key.unsecure
-    
        
+       of this RSA private key via:
        
+       
        
+       $ openssl rsa -in server.key -out server.key.unsecure
        
+       
        
+    
        3. 
     
      3. Create a Certificate Signing Request (CSR) with the server RSA private
-       key (output will be PEM formatted):
-       
        
-       $ openssl req -new -key server.key -out server.csr
-       
        
+       key (output will be PEM formatted):
        
+       
        
+       $ openssl req -new -key server.key -out server.csr
        
+       
        
        Make sure you enter the FQDN ("Fully Qualified Domain Name") of the
        server when OpenSSL prompts you for the "CommonName", i.e. when you
        generate a CSR for a website which will be later accessed via
        https://www.foo.dom/, enter "www.foo.dom" here.
-       You can see the details of this CSR via the command
-       
        
-       $ openssl req -noout -text -in server.csr
-    
        
+       You can see the details of this CSR via the command
        
+       
        
+       $ openssl req -noout -text -in server.csr
        
+       
        
+    
        4. 
     
      4. You now have to send this Certificate Signing Request (CSR) to
        a Certifying Authority (CA) for signing. The result is then a real
        Certificate which can be used for Apache. Here you have two options:
@@ -678,42 +676,48 @@ server Certificate for it. How do I do it?
        Thawte. Then you usually have to post the CSR into a web form, pay for
        the signing and await the signed Certificate you then can store into a
        server.crt file. For more information about commercial CAs have a look
-       at the following locations:
-       
        
-       
        
-       
        
+       
        5. 
+       
      
+       
      
        Second you can use your own CA and now have to sign the CSR yourself by
        this CA. Read the next answer in this FAQ on how to sign a CSR with
        your CA yourself.
-       You can see the details of the received Certificate via the command:
-       
      
-       $ openssl x509 -noout -text -in server.crt
-    
      
+       You can see the details of the received Certificate via the command:
      
+       
      
+       $ openssl x509 -noout -text -in server.crt
      
+    
      • 
     
    • Now you have two files: server.key and
     server.crt. These now can be used as following inside your
     Apache's httpd.conf file:
@@ -722,213 +726,210 @@ server Certificate for it. How do I do it?
        SSLCertificateKeyFile /path/to/this/server.key
    The server.csr file is no longer needed. + -

    +

  • - + How can I create and use my own Certificate Authority (CA)?    [L] -

    - The short answer is to use the CA.sh or CA.pl - script provided by OpenSSL. The long and manual answer is this: -

    +

    The short answer is to use the CA.sh or CA.pl + script provided by OpenSSL. The long and manual answer is this:

    +
    1. Create a RSA private key for your CA - (will be Triple-DES encrypted and PEM formatted): -

      - $ openssl genrsa -des3 -out ca.key 1024 -

      + (will be Triple-DES encrypted and PEM formatted):
      +
      + $ openssl genrsa -des3 -out ca.key 1024
      +
      Please backup this ca.key file and remember the pass-phrase you currently entered at a secure location. - You can see the details of this RSA private key via the command -

      - $ openssl rsa -noout -text -in ca.key -

      + You can see the details of this RSA private key via the command
      +
      + $ openssl rsa -noout -text -in ca.key
      +
      And you can create a decrypted PEM version (not recommended) of this - private key via: -

      - $ openssl rsa -in ca.key -out ca.key.unsecure -

      + private key via:
      +
      + $ openssl rsa -in ca.key -out ca.key.unsecure
      +
      +

    2. Create a self-signed CA Certificate (X509 structure) - with the RSA key of the CA (output will be PEM formatted): -

      - $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt -

      - You can see the details of this Certificate via the command: -

      - $ openssl x509 -noout -text -in ca.crt -

      + with the RSA key of the CA (output will be PEM formatted):
      +
      + $ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
      +
      + You can see the details of this Certificate via the command:
      +
      + $ openssl x509 -noout -text -in ca.crt
      +
      +

    3. Prepare a script for signing which is needed because the ``openssl ca'' command has some strange requirements and the default OpenSSL config doesn't allow one easily to use ``openssl ca'' directly. So a script named sign.sh is distributed with the mod_ssl distribution (subdir pkg.contrib/). Use this script for signing. -

      +

    4. Now you can use this CA to sign server CSR's in order to create real SSL Certificates for use inside an Apache webserver (assuming - you already have a server.csr at hand): -

      - $ ./sign.sh server.csr -

      - This signs the server CSR and results in a server.crt file. + you already have a server.csr at hand):
      +
      + $ ./sign.sh server.csr
      +
      + This signs the server CSR and results in a server.crt file.
      +

    -

    +

  • - + How can I change the pass-phrase on my private key file?    [L] -

    - You simply have to read it with the old pass-phrase and write it again +

    You simply have to read it with the old pass-phrase and write it again by specifying the new pass-phrase. You can accomplish this with the following - commands: -

    - $ openssl rsa -des3 -in server.key -out server.key.new
    - $ mv server.key.new server.key
    -

    - Here you're asked two times for a PEM pass-phrase. At the first + commands:

    + +

    $ openssl rsa -des3 -in server.key -out server.key.new
    + $ mv server.key.new server.key

    + +

    Here you're asked two times for a PEM pass-phrase. At the first prompt enter the old pass-phrase and at the second prompt - enter the new pass-phrase. -

    + enter the new pass-phrase.

    +
  • - + How can I get rid of the pass-phrase dialog at Apache startup time?    [L] -

    - The reason why this dialog pops up at startup and every re-start +

    The reason why this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to be able to read and parse this file. When you can be sure that your server is - secure enough you perform two steps: -

    + secure enough you perform two steps:

    +
    1. Remove the encryption from the RSA private key (while - preserving the original file): -

      - $ cp server.key server.key.org
      - $ openssl rsa -in server.key.org -out server.key -

      -

    2. Make sure the server.key file is now only readable by root: -

      - $ chmod 400 server.key + preserving the original file):
      +
      + $ cp server.key server.key.org
      + $ openssl rsa -in server.key.org -out server.key
      +
      +

      3. +
    3. Make sure the server.key file is now only readable by root:
      +
      + $ chmod 400 server.key
      +
      +
    -

    - Now server.key will contain an unencrypted copy of the key. +

    Now server.key will contain an unencrypted copy of the key. If you point your server at this file it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on that file are really such that only root or the web server user can read it (preferably get your web server to start as root but run as another - server, and have the key readable only by root). -

    - As an alternative approach you can use the ``SSLPassPhraseDialog + server, and have the key readable only by root).

    + +

    As an alternative approach you can use the ``SSLPassPhraseDialog exec:/path/to/program'' facility. But keep in mind that this is - neither more nor less secure, of course. -

    + neither more nor less secure, of course.

    +
  • - + How do I verify that a private key matches its Certificate?    [L] -

    - The private key contains a series of numbers. Two of those numbers form +

    The private key contains a series of numbers. Two of those numbers form the "public key", the others are part of your "private key". The "public key" bits are also embedded in your Certificate (we get them from your CSR). To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers. To view the Certificate and the key run the - commands: -

    - $ openssl x509 -noout -text -in server.crt
    - $ openssl rsa -noout -text -in server.key -

    - The `modulus' and the `public exponent' portions in the key and the + commands:

    + +

    $ openssl x509 -noout -text -in server.crt
    + $ openssl rsa -noout -text -in server.key

    + +

    The `modulus' and the `public exponent' portions in the key and the Certificate must match. But since the public exponent is usually 65537 and it's bothering comparing long modulus you can use the following - approach: -

    - $ openssl x509 -noout -modulus -in server.crt | openssl md5
    - $ openssl rsa -noout -modulus -in server.key | openssl md5 -

    - And then compare these really shorter numbers. With overwhelming + approach:

    + +

    $ openssl x509 -noout -modulus -in server.crt | openssl md5
    + $ openssl rsa -noout -modulus -in server.key | openssl md5

    + +

    And then compare these really shorter numbers. With overwhelming probability they will differ if the keys are different. BTW, if I want to - check to which key or certificate a particular CSR belongs you can compute -

    - $ openssl req -noout -modulus -in server.csr | openssl md5 -

    + check to which key or certificate a particular CSR belongs you can compute

    + +

    $ openssl req -noout -modulus -in server.csr | openssl md5

    +
  • - + What does it mean when my connections fail with an "alert bad certificate" error?    [L] -

    - Usually when you see errors like ``OpenSSL: error:14094412: SSL +

    Usually when you see errors like ``OpenSSL: error:14094412: SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate'' in the SSL logfile, this means that the browser was unable to handle the server certificate/private-key which perhaps contain a RSA-key not equal to 1024 - bits. For instance Netscape Navigator 3.x is one of those browsers. -

    + bits. For instance Netscape Navigator 3.x is one of those browsers.

    +
  • - + Why does my 2048-bit private key not work?    [L] -

    - The private key sizes for SSL must be either 512 or 1024 for compatibility +

    The private key sizes for SSL must be either 512 or 1024 for compatibility with certain web browsers. A keysize of 1024 bits is recommended because keys larger than 1024 bits are incompatible with some versions of Netscape Navigator and Microsoft Internet Explorer, and with other browsers that - use RSA's BSAFE cryptography toolkit. -

    + use RSA's BSAFE cryptography toolkit.

    +
  • - + Why is client authentication broken after upgrading from SSLeay version 0.8 to 0.9?    [L] -

    - The CA certificates under the path you configured with +

    The CA certificates under the path you configured with SSLCACertificatePath are found by SSLeay through hash symlinks. These hash values are generated by the `openssl x509 -noout -hash' command. But the algorithm used to calculate the hash for a certificate has changed between SSLeay 0.8 and 0.9. So you have to remove all old hash symlinks and re-create new ones after upgrading. Use the - Makefile mod_ssl placed into this directory. -

    + Makefile mod_ssl placed into this directory.

    +
  • - + How can I convert a certificate from PEM to DER format?    [L] -

    - The default certificate format for SSLeay/OpenSSL is PEM, which actually +

    The default certificate format for SSLeay/OpenSSL is PEM, which actually is Base64 encoded DER with header and footer lines. For some applications (e.g. Microsoft Internet Explorer) you need the certificate in plain DER format. You can convert a PEM file cert.pem into the corresponding DER file cert.der with the following command: - $ openssl x509 -in cert.pem -out cert.der -outform DER -

    + $ openssl x509 -in cert.pem -out cert.der -outform DER

    +
  • - + I try to install a Verisign certificate. Why can't I find neither the getca nor getverisign programs Verisign mentions?    [L] -

    - This is because Verisign has never provided specific instructions +

    This is because Verisign has never provided specific instructions for Apache+mod_ssl. Rather they tell you what you should do if you were using C2Net's Stronghold (a commercial Apache based server with SSL support). The only thing you have to do @@ -938,132 +939,122 @@ I try to install a Verisign certificate. Why can't I find neither the SSLCertificateKeyFile directive). For a better CA-related overview on SSL certificate fiddling you can look at - Thawte's mod_ssl instructions. -

    + Thawte's mod_ssl instructions.

    +
  • - + Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global ID) also with mod_ssl?    [L] -

    - Yes, mod_ssl since version 2.1 supports the SGC facility. You don't have +

    Yes, mod_ssl since version 2.1 supports the SGC facility. You don't have to configure anything special for this, just use a Global ID as your server certificate. The step up of the clients are then automatically handled by mod_ssl under run-time. For details please read - the README.GlobalID document in the mod_ssl distribution. -

    + the README.GlobalID document in the mod_ssl distribution.

    +
  • - + After I have installed my new Verisign Global ID server certificate, the browsers complain that they cannot verify the server certificate?    [L] -

    - That is because Verisign uses an intermediate CA certificate between +

    That is because Verisign uses an intermediate CA certificate between the root CA certificate (which is installed in the browsers) and the server certificate (which you installed in the server). You should have received this additional CA certificate from Verisign. If not, complain to them. Then configure this certificate with the SSLCertificateChainFile directive in the server. This makes sure the intermediate CA certificate is send to the browser - and this way fills the gap in the certificate chain. + and this way fills the gap in the certificate chain.

    +
    • -

    -
    +

    About SSL Protocol

      -

    • - + Why do I get lots of random SSL protocol errors under heavy server load?    [L] -

      - There can be a number of reasons for this, but the main one +

      There can be a number of reasons for this, but the main one is problems with the SSL session Cache specified by the SSLSessionCache directive. The DBM session cache is most likely the source of the problem, so trying the SHM session cache or - no cache at all may help. -

      + no cache at all may help.

      +
    • - + Why has my webserver a higher load now that I run SSL there?    [L] -

      - Because SSL uses strong cryptographic encryption and this needs a lot of +

      Because SSL uses strong cryptographic encryption and this needs a lot of number crunching. And because when you request a webpage via HTTPS even the images are transfered encrypted. So, when you have a lot of HTTPS - traffic the load increases. -

      + traffic the load increases.

      +
    • - + Often HTTPS connections to my server require up to 30 seconds for establishing the connection, although sometimes it works faster?    [L] -

      - Usually this is caused by using a /dev/random device for +

      Usually this is caused by using a /dev/random device for SSLRandomSeed which is blocking in read(2) calls if not enough entropy is available. Read more about this problem in the refernce - chapter under SSLRandomSeed. -

      + chapter under SSLRandomSeed.

      +
    • - + What SSL Ciphers are supported by mod_ssl?    [L] -

      - Usually just all SSL ciphers which are supported by the +

      Usually just all SSL ciphers which are supported by the version of OpenSSL in use (can depend on the way you built - OpenSSL). Typically this at least includes the following: -

      -

        -
      • RC4 with MD5 -
      • RC4 with MD5 (export version restricted to 40-bit key) -
      • RC2 with MD5 -
      • RC2 with MD5 (export version restricted to 40-bit key) -
      • IDEA with MD5 -
      • DES with MD5 -
      • Triple-DES with MD5 -
      -

      - To determine the actual list of supported ciphers you can - run the following command: -

      - $ openssl ciphers -v
      -

      + OpenSSL). Typically this at least includes the following:

      + +
        +
      1. RC4 with MD5
        2. +
      2. RC4 with MD5 (export version restricted to 40-bit key)
        3. +
      3. RC2 with MD5
        4. +
      4. RC2 with MD5 (export version restricted to 40-bit key)
        5. +
      5. IDEA with MD5
        6. +
      6. DES with MD5
        7. +
      7. Triple-DES with MD5
        8. +
      + +

      To determine the actual list of supported ciphers you can + run the following command:

      + $ openssl ciphers -v
      +
    • - + I want to use Anonymous Diffie-Hellman (ADH) ciphers, but I always get ``no shared cipher'' errors?    [L] -

      - In order to use Anonymous Diffie-Hellman (ADH) ciphers, it is not enough +

      In order to use Anonymous Diffie-Hellman (ADH) ciphers, it is not enough to just put ``ADH'' into your SSLCipherSuite. Additionally you have to build OpenSSL with ``-DSSL_ALLOW_ADH''. Because per default OpenSSL does not allow ADH ciphers for security reasons. So if you are actually enabling - these ciphers make sure you are informed about the side-effects. -

      + these ciphers make sure you are informed about the side-effects.

      +
    • - + I always just get a 'no shared ciphers' error if I try to connect to my freshly installed server?    [L] -

      - Either you have messed up your SSLCipherSuite +

      Either you have messed up your SSLCipherSuite directive (compare it with the pre-configured example in httpd.conf-dist) or you have choosen the DSA/DH algorithms instead of RSA when you generated your private key @@ -1073,16 +1064,15 @@ I try to connect to my freshly installed server? certificate/key pair). But current browsers like NS or IE only speak RSA ciphers. The result is the "no shared ciphers" error. To fix this, regenerate your server certificate/key pair and this time - choose the RSA algorithm. -

      + choose the RSA algorithm.

      +
    • - + Why can't I use SSL with name-based/non-IP-based virtual hosts?    [L] -

      - The reason is very technical. Actually it's some sort of a chicken and +

      The reason is very technical. Actually it's some sort of a chicken and egg problem: The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established Apache/mod_ssl has to negotiate the SSL protocol parameters with the @@ -1092,18 +1082,17 @@ Why can't I use SSL with name-based/non-IP-based virtual hosts? Apache has to know the Host HTTP header field. For this the HTTP request header has to be read. This cannot be done before the SSL handshake is finished. But the information is already needed at the SSL - handshake phase. Bingo! -

      + handshake phase. Bingo!

      +
    • - + When I use Basic Authentication over HTTPS the lock icon in Netscape browsers still shows the unlocked state when the dialog pops up. Does this mean the username/password is still transmitted unencrypted?    [L] -

      - No, the username/password is already transmitted encrypted. The icon in +

      No, the username/password is already transmitted encrypted. The icon in Netscape browsers is just not really synchronized with the SSL/TLS layer (it toggles to the locked state when the first part of the actual webpage data is transferred which is not quite correct) and this way confuses @@ -1111,29 +1100,28 @@ username/password is still transmitted unencrypted? this layer is above the SSL/TLS layer in HTTPS. And before any HTTP data communication takes place in HTTPS the SSL/TLS layer has already done the handshake phase and switched to encrypted communication. So, don't get - confused by this icon. -

      + confused by this icon.

      +
    • - + When I connect via HTTPS to an Apache+mod_ssl+OpenSSL server with Microsoft Internet Explorer (MSIE) I get various I/O errors. What is the reason?    [L] -

      - The first reason is that the SSL implementation in some MSIE versions has +

      The first reason is that the SSL implementation in some MSIE versions has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket connection close. Additionally the interaction between SSL and HTTP/1.1 features are problematic with some MSIE versions, too. You've to work-around these problems by forcing Apache+mod_ssl+OpenSSL to not use HTTP/1.1, keep-alive connections or sending the SSL close notify messages to MSIE clients. This can be done by - using the following directive in your SSL-aware virtual host section: + using the following directive in your SSL-aware virtual host section:

           SetEnvIf User-Agent ".*MSIE.*" \
              nokeepalive ssl-unclean-shutdown \
              downgrade-1.0 force-response-1.0
      - Additionally it is known some MSIE versions have also problems +

      Additionally it is known some MSIE versions have also problems with particular ciphers. Unfortunately one cannot workaround these bugs only for those MSIE particular clients, because the ciphers are already used in the SSL handshake phase. So a MSIE-specific @@ -1141,41 +1129,41 @@ Explorer (MSIE) I get various I/O errors. What is the reason? has to do more drastic adjustments to the global parameters. But before you decide to do this, make sure your clients really have problems. If not, do not do this, because it affects all(!) your - clients, i.e., also your non-MSIE clients. -

      - The next problem is that 56bit export versions of MSIE 5.x browsers have a + clients, i.e., also your non-MSIE clients.

      + +

      The next problem is that 56bit export versions of MSIE 5.x browsers have a broken SSLv3 implementation which badly interacts with OpenSSL versions greater than 0.9.4. You can either accept this and force your clients to upgrade their browsers, or you downgrade to OpenSSL 0.9.4 (hmmm), or you can decide to workaround it by accepting the drawback that your workaround - will horribly affect also other browsers: + will horribly affect also other browsers:

           SSLProtocol all -SSLv3
      - This completely disables the SSLv3 protocol and lets those browsers work. +

      This completely disables the SSLv3 protocol and lets those browsers work. But usually this is an even less acceptable workaround. A more reasonable workaround is to address the problem more closely and disable only the - ciphers which cause trouble. + ciphers which cause trouble.

           SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
      - This also lets the broken MSIE versions work, but only removes the - newer 56bit TLS ciphers. -

      - Another problem with MSIE 5.x clients is that they refuse to connect to +

      This also lets the broken MSIE versions work, but only removes the + newer 56bit TLS ciphers.

      + +

      Another problem with MSIE 5.x clients is that they refuse to connect to URLs of the form https://12.34.56.78/ (IP-addresses are used instead of the hostname), if the server is using the Server Gated Cryptography (SGC) facility. This can only be avoided by using the fully qualified domain name (FQDN) of the website in hyperlinks instead, because - MSIE 5.x has an error in the way it handles the SGC negotiation. -

      - And finally there are versions of MSIE which seem to require that + MSIE 5.x has an error in the way it handles the SGC negotiation.

      + +

      And finally there are versions of MSIE which seem to require that an SSL session can be reused (a totally non standard-conforming behaviour, of course). Connection with those MSIE versions only work if a SSL session cache is used. So, as a work-around, make sure you - are using a session cache (see SSLSessionCache directive). -

      + are using a session cache (see SSLSessionCache directive).

      +
    • - + When I connect via HTTPS to an Apache+mod_ssl server with Netscape Navigator I get I/O errors and the message "Netscape has encountered bad data from the server" What's the reason? @@ -1187,168 +1175,167 @@ server" What's the reason? server certificate. Once you clear the entry in your browser for the old certificate, everything usually will work fine. Netscape's SSL implementation is correct, so when you encounter I/O errors with Netscape - Navigator it is most of the time caused by the configured certificates. + Navigator it is most of the time caused by the configured certificates.

      +
    -

    -
    +

    About Support

      -

    • - + What information resources are available in case of mod_ssl problems?    [L] -

      -The following information resources are available. -In case of problems you should search here first. -

      -

        -
      1. Answers in the User Manual's F.A.Q. List (this)
        - - http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html
        - First look inside the F.A.Q. (this text), perhaps your problem is such - popular that it was already answered a lot of times in the past. -

        -

      2. Postings from the modssl-users Support Mailing List - - http://www.modssl.org/support/
        - Second search for your problem in one of the existing archives of the - modssl-users mailing list. Perhaps your problem popped up at least once for - another user, too. -

        -

      3. Problem Reports in the Bug Database - - http://www.modssl.org/support/bugdb/
        - Third look inside the mod_ssl Bug Database. Perhaps - someone else already has reported the problem. -
      -

      +

      The following information resources are available. + In case of problems you should search here first.

      + +
        +
      1. Answers in the User Manual's F.A.Q. List (this)
        + + http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html
        + First look inside the F.A.Q. (this text), perhaps your problem is such + popular that it was already answered a lot of times in the past. +
        2. +
      2. Postings from the modssl-users Support Mailing List + + http://www.modssl.org/support/
        + Second search for your problem in one of the existing archives of the + modssl-users mailing list. Perhaps your problem popped up at least once for + another user, too. +
        3. +
      3. Problem Reports in the Bug Database + + http://www.modssl.org/support/bugdb/
        + Third look inside the mod_ssl Bug Database. Perhaps + someone else already has reported the problem. +
        4. +
      +
    • - + What support contacts are available in case of mod_ssl problems?    [L] -

      -The following lists all support possibilities for mod_ssl, in order of -preference, i.e. start in this order and do not pick the support possibility -you just like most, please. -

      -

        -
      1. Write a Problem Report into the Bug Database
        - - http://www.modssl.org/support/bugdb/
        - This is the preferred way of submitting your problem report, because this - way it gets filed into the bug database (it cannot be lost) and - send to the modssl-users mailing list (others see the current problems and - learn from answers). -

        -

      2. Write a Problem Report to the modssl-users Support Mailing List
        - - modssl-users @ modssl.org
        - This is the second way of submitting your problem report. You have to - subscribe to the list first, but then you can easily discuss your problem - with both the author and the whole mod_ssl user community. -

        -

      3. Write a Problem Report to the author
        - - rse @ engelschall.com
        - This is the last way of submitting your problem report. Please avoid this - in your own interest because the author is really a very busy men. Your - mail will always be filed to one of his various mail-folders and is - usually not processed as fast as a posting on modssl-users. -
      -

      +

      The following lists all support possibilities for mod_ssl, in order of + preference, i.e. start in this order and do not pick the support possibility + you just like most, please.

      + +
        +
      1. Write a Problem Report into the Bug Database
        + + http://www.modssl.org/support/bugdb/
        + This is the preferred way of submitting your problem report, because this + way it gets filed into the bug database (it cannot be lost) and + send to the modssl-users mailing list (others see the current problems and + learn from answers). +
        2. +
      2. Write a Problem Report to the modssl-users Support Mailing List
        + + modssl-users @ modssl.org
        + This is the second way of submitting your problem report. You have to + subscribe to the list first, but then you can easily discuss your problem + with both the author and the whole mod_ssl user community. +
        3. +
      3. Write a Problem Report to the author
        + + rse @ engelschall.com
        + This is the last way of submitting your problem report. Please avoid this + in your own interest because the author is really a very busy men. Your + mail will always be filed to one of his various mail-folders and is + usually not processed as fast as a posting on modssl-users. +
        4. +
      +
    • - + What information and details I've to provide to the author when writing a bug report?    [L] -

      -You have to at least always provide the following information: -

      -

        -
      • Apache, mod_ssl and OpenSSL version information
        - The mod_ssl version you should really know. For instance, it's the version - number in the distribution tarball. The Apache version can be determined - by running ``httpd -v''. The OpenSSL version can be - determined by running ``openssl version''. Alternatively when - you have Lynx installed you can run the command ``lynx -mime_header - http://localhost/ | grep Server'' to determine all information in a - single step. -

        -

      • The details on how you built and installed Apache+mod_ssl+OpenSSL
        - For this you can provide a logfile of your terminal session which shows - the configuration and install steps. Alternatively you can at least - provide the author with the APACI `configure'' command line - you used (assuming you used APACI, of course). -

        -

      • In case of core dumps please include a Backtrace
        - In case your Apache+mod_ssl+OpenSSL should really dumped core please attach - a stack-frame ``backtrace'' (see the next question on how to get it). - Without this information the reason for your core dump cannot be found. - So you have to provide the backtrace, please. -

        -

      • A detailed description of your problem
        - Don't laugh, I'm totally serious. I already got a lot of problem reports - where the people not really said what's the actual problem is. So, in your - own interest (you want the problem be solved, don't you?) include as much - details as possible, please. But start with the essentials first, of - course. -
      -

      +

      You have to at least always provide the following information:

      + +
        +
      1. Apache, mod_ssl and OpenSSL version information
        + The mod_ssl version you should really know. For instance, it's the version + number in the distribution tarball. The Apache version can be determined + by running ``httpd -v''. The OpenSSL version can be + determined by running ``openssl version''. Alternatively when + you have Lynx installed you can run the command ``lynx -mime_header + http://localhost/ | grep Server'' to determine all information in a + single step. +
        2. +
      2. The details on how you built and installed Apache+mod_ssl+OpenSSL
        + For this you can provide a logfile of your terminal session which shows + the configuration and install steps. Alternatively you can at least + provide the author with the APACI `configure'' command line + you used (assuming you used APACI, of course). +
        3. +
      3. In case of core dumps please include a Backtrace
        + In case your Apache+mod_ssl+OpenSSL should really dumped core please attach + a stack-frame ``backtrace'' (see the next question on how to get it). + Without this information the reason for your core dump cannot be found. + So you have to provide the backtrace, please. +
        4. +
      4. A detailed description of your problem
        + Don't laugh, I'm totally serious. I already got a lot of problem reports + where the people not really said what's the actual problem is. So, in your + own interest (you want the problem be solved, don't you?) include as much + details as possible, please. But start with the essentials first, of + course. +
        5. +
      +
    • - + I got a core dump, can you help me?    [L] -

      - In general no, at least not unless you provide more details about the code +

      In general no, at least not unless you provide more details about the code location where Apache dumped core. What is usually always required in order to help you is a backtrace (see next question). Without this information it is mostly impossible to find the problem and help you in - fixing it. -

      + fixing it.

      +
    • - + Ok, I got a core dump but how do I get a backtrace to find out the reason for it?    [L] -

      -Follow the following steps: -

      -

        -
      1. Make sure you have debugging symbols available in at least - Apache and mod_ssl. On platforms where you use GCC/GDB you have to build - Apache+mod_ssl with ``OPTIM="-g -ggdb3"'' to achieve this. On - other platforms at least ``OPTIM="-g"'' is needed. -

        -

      2. Startup the server and try to produce the core-dump. For this you perhaps - want to use a directive like ``CoreDumpDirectory /tmp'' to - make sure that the core-dump file can be written. You then should get a - /tmp/core or /tmp/httpd.core file. When you - don't get this, try to run your server under an UID != 0 (root), because - most "current" kernels do not allow a process to dump core after it has - done a setuid() (unless it does an exec()) for - security reasons (there can be privileged information left over in - memory). Additionally you can run ``/path/to/httpd -X'' - manually to force Apache to not fork. -

        -

      3. Analyze the core-dump. For this run ``gdb /path/to/httpd - /tmp/httpd.core'' or a similar command has to run. In GDB you then - just have to enter the ``bt'' command and, voila, you get the - backtrace. For other debuggers consult your local debugger manual. Send - this backtrace to the author. -
      +

      Follow the following steps:

      + +
        +
      1. Make sure you have debugging symbols available in at least + Apache and mod_ssl. On platforms where you use GCC/GDB you have to build + Apache+mod_ssl with ``OPTIM="-g -ggdb3"'' to achieve this. On + other platforms at least ``OPTIM="-g"'' is needed. +
        2. +
      2. Startup the server and try to produce the core-dump. For this you perhaps + want to use a directive like ``CoreDumpDirectory /tmp'' to + make sure that the core-dump file can be written. You then should get a + /tmp/core or /tmp/httpd.core file. When you + don't get this, try to run your server under an UID != 0 (root), because + most "current" kernels do not allow a process to dump core after it has + done a setuid() (unless it does an exec()) for + security reasons (there can be privileged information left over in + memory). Additionally you can run ``/path/to/httpd -X'' + manually to force Apache to not fork. +
        3. +
      3. Analyze the core-dump. For this run ``gdb /path/to/httpd + /tmp/httpd.core'' or a similar command has to run. In GDB you then + just have to enter the ``bt'' command and, voila, you get the + backtrace. For other debuggers consult your local debugger manual. Send + this backtrace to the author. +
        4. +
      +
    -

    + diff --git a/docs/manual/ssl/ssl_glossary.html b/docs/manual/ssl/ssl_glossary.html index b55633b3169..366e850a7c8 100644 --- a/docs/manual/ssl/ssl_glossary.html +++ b/docs/manual/ssl/ssl_glossary.html @@ -16,7 +16,7 @@ -

    SSL/TLS Strong Encryption: Glossary

    +

    SSL/TLS Strong Encryption: Glossary

    @@ -39,146 +39,231 @@ Richard Nixon
    -
    Authentication
    +
    Authentication
    The positive identification of a network entity such as a server, a client, or a user. In SSL context the server and client Certificate verification process. -

    -

    Access Control
    + +
    + +
    +
    Access Control
    The restriction of access to network realms. In Apache context usually the restriction of access to certain URLs. -

    -

    Algorithm
    + +
    + +
    +
    Algorithm
    An unambiguous formula or set of rules for solving a problem in a finite number of steps. Algorithms for encryption are usually called Ciphers. -

    -

    Certificate
    + +
    + +
    +
    Certificate
    A data record used for authenticating network entities such as a server or a client. A certificate contains X.509 information pieces about its owner (called the subject) and the signing Certificate Authority (called the issuer), plus the owner's public key and the signature made by the CA. Network entities verify these signatures using CA certificates. -

    -

    Certification Authority (CA)
    + +
    + +
    +
    Certification Authority (CA)
    A trusted third party whose purpose is to sign certificates for network entities it has authenticated using secure means. Other network entities can check the signature to verify that a CA has authenticated the bearer of a certificate. -

    -

    Certificate Signing Request (CSR)
    + +
    + +
    +
    Certificate Signing Request (CSR)
    An unsigned certificate for submission to a Certification Authority, which signs it with the Private Key of their CA Certificate. Once the CSR is signed, it becomes a real certificate. -

    -

    Cipher
    + +
    + +
    +
    Cipher
    An algorithm or system for data encryption. Examples are DES, IDEA, RC4, etc. -

    -

    Ciphertext
    + +
    + +
    +
    Ciphertext
    The result after a Plaintext passed a Cipher. -

    -

    Configuration Directive
    + +
    + +
    +
    Configuration Directive
    A configuration command that controls one or more aspects of a program's behavior. In Apache context these are all the command names in the first column of the configuration files. -

    -

    CONNECT
    + +
    + +
    +
    CONNECT
    A HTTP command for proxying raw data channels over HTTP. It can be used to encapsulate other protocols, such as the SSL protocol. -

    -

    Digital Signature
    + +
    + +
    +
    Digital Signature
    An encrypted text block that validates a certificate or other file. A Certification Authority creates a signature by generating a hash of the Public Key embedded in a Certificate, then encrypting the hash with its own Private Key. Only the CA's public key can decrypt the signature, verifying that the CA has authenticated the network entity that owns the Certificate. -

    -

    Export-Crippled
    + +
    + +
    +
    Export-Crippled
    Diminished in cryptographic strength (and security) in order to comply with the United States' Export Administration Regulations (EAR). Export-crippled cryptographic software is limited to a small key size, resulting in Ciphertext which usually can be decrypted by brute force. -

    -

    Fully-Qualified Domain-Name (FQDN)
    + +
    + +
    +
    Fully-Qualified Domain-Name (FQDN)
    The unique name of a network entity, consisting of a hostname and a domain name that can resolve to an IP address. For example, www is a hostname, whatever.com is a domain name, and www.whatever.com is a fully-qualified domain name. -

    -

    HyperText Transfer Protocol (HTTP)
    + +
    + +
    +
    HyperText Transfer Protocol (HTTP)
    The HyperText Transport Protocol is the standard transmission protocol used on the World Wide Web. -

    -

    HTTPS
    + +
    + +
    +
    HTTPS
    The HyperText Transport Protocol (Secure), the standard encrypted communication mechanism on the World Wide Web. This is actually just HTTP over SSL. -

    -

    Message Digest
    + +
    + +
    +
    Message Digest
    A hash of a message, which can be used to verify that the contents of the message have not been altered in transit. -

    -

    OpenSSL
    + +
    + +
    +
    OpenSSL
    The Open Source toolkit for SSL/TLS; see http://www.openssl.org/ -

    -

    Pass Phrase
    + +
    + +
    +
    Pass Phrase
    The word or phrase that protects private key files. It prevents unauthorized users from encrypting them. Usually it's just the secret encryption/decryption key used for Ciphers. -

    -

    Plaintext
    + +
    + +
    +
    Plaintext
    The unencrypted text. -

    -

    Private Key
    + +
    + +
    +
    Private Key
    The secret key in a Public Key Cryptography system, used to decrypt incoming messages and sign outgoing ones. -

    -

    Public Key
    + +
    + +
    +
    Public Key
    The publically available key in a Public Key Cryptography system, used to encrypt messages bound for its owner and to decrypt signatures made by its owner. -

    -

    Public Key Cryptography
    + +
    + +
    +
    Public Key Cryptography
    The study and application of asymmetric encryption systems, which use one key for encryption and another for decryption. A corresponding pair of such keys constitutes a key pair. Also called Asymmetric Crypography. -

    -

    Secure Sockets Layer (SSL)
    + +
    + +
    +
    Secure Sockets Layer (SSL)
    A protocol created by Netscape Communications Corporation for general communication authentication and encryption over TCP/IP networks. The most popular usage is HTTPS, i.e. the HyperText Transfer Protocol (HTTP) over SSL. -

    -

    Session
    + +
    + +
    +
    Session
    The context information of an SSL communication. -

    -

    SSLeay
    + +
    + +
    +
    SSLeay
    The original SSL/TLS implementation library developed by Eric A. Young <eay@aus.rsa.com>; see http://www.ssleay.org/ -

    -

    Symmetric Cryptography
    + +
    + +
    +
    Symmetric Cryptography
    The study and application of Ciphers that use a single secret key for both encryption and decryption operations. -

    -

    Transport Layer Security (TLS)
    + +
    + +
    +
    Transport Layer Security (TLS)
    The successor protocol to SSL, created by the Internet Engineering Task Force (IETF) for general communication authentication and encryption over TCP/IP networks. TLS version 1 and is nearly identical with SSL version 3. -

    -

    Uniform Resource Locator (URL)
    + +
    + +
    +
    Uniform Resource Locator (URL)
    The formal identifier to locate various resources on the World Wide Web. The most popular URL scheme is http. SSL uses the scheme https -

    -

    X.509
    + +
    + +
    +
    X.509
    An authentication certificate scheme recommended by the International Telecommunication Union (ITU-T) which is used for SSL/TLS authentication. +
    -

    + \ No newline at end of file diff --git a/docs/manual/ssl/ssl_howto.html b/docs/manual/ssl/ssl_howto.html index ba42683f70a..d5eab18c678 100644 --- a/docs/manual/ssl/ssl_howto.html +++ b/docs/manual/ssl/ssl_howto.html @@ -16,7 +16,7 @@ -

    SSL/TLS Strong Encryption: How-To

    +

    SSL/TLS Strong Encryption: How-To

    @@ -39,14 +39,13 @@ Standard textbook cookie
    -

    -How to solve particular security constraints for an SSL-aware webserver +

    How to solve particular security constraints for an SSL-aware webserver is not always obvious because of the coherences between SSL, HTTP and Apache's way of processing requests. This chapter gives instructions on how to solve such typical situations. Treat is as a first step to find out the final solution, but always try to understand the stuff before you use it. Nothing is worse than using a security solution without knowing its restrictions and -coherences. +coherences.

    • Cipher Suites and Enforced Strong Security
      • @@ -63,593 +62,577 @@ coherences.

      Cipher Suites and Enforced Strong Security

        -

      • - + How can I create a real SSLv2-only server?    [L] -

        -The following creates an SSL server which speaks only the SSLv2 protocol and -its ciphers. -

        - - - - - - - - - - - - - - - - - - - - - - - - -
          httpd.conf  
        - - - - -
        -
        -
-SSLProtocol -all +SSLv2
-SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
-
-
        -
        -
        -

        +

        The following creates an SSL server which speaks only the SSLv2 protocol and + its ciphers.

        + + + + + + + + + + + + + + + + + + + + + + + + +
          httpd.conf  
        + + + + +
        + 
        +
+    SSLProtocol -all +SSLv2
+    SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP
+
+
        +
        +
        +
      • - + How can I create an SSL server which accepts strong encryption only?    [L] -

        -The following enables only the seven strongest ciphers: -

        - - - - - - - - - - - - - - - - - - - - - - - - -
          httpd.conf  
        - - - - -
        -
        -
-SSLProtocol all
-SSLCipherSuite HIGH:MEDIUM
-
-
        -
        -
        -

        +

        The following enables only the seven strongest ciphers:

        + + + + + + + + + + + + + + + + + + + + + + + + +
          httpd.conf  
        + + + + +
        + 
        +
+    SSLProtocol all
+    SSLCipherSuite HIGH:MEDIUM
+
+
        +
        +
        +
      • - + How can I create an SSL server which accepts strong encryption only, but allows export browsers to upgrade to stronger encryption?    [L] -

        -This facility is called Server Gated Cryptography (SGC) and details you can -find in the README.GlobalID document in the mod_ssl distribution. -In short: The server has a Global ID server certificate, signed by a special -CA certificate from Verisign which enables strong encryption in export -browsers. This works as following: The browser connects with an export cipher, -the server sends its Global ID certificate, the browser verifies it and -subsequently upgrades the cipher suite before any HTTP communication takes -place. The question now is: How can we allow this upgrade, but enforce strong -encryption. Or in other words: Browser either have to initially connect with -strong encryption or have to upgrade to strong encryption, but are not allowed -to keep the export ciphers. The following does the trick: -

        - - - - - - - - - - - - - - - - - - - - - - - - -
          httpd.conf  
        - - - - -
        -
        -
-#   allow all ciphers for the inital handshake,
-#   so export browsers can upgrade via SGC facility
-SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-<Directory /usr/local/apache/htdocs>
-#   but finally deny all browsers which haven't upgraded
-SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
-</Directory>
-
-
        -
        -
        -

        +

        This facility is called Server Gated Cryptography (SGC) and details you can + find in the README.GlobalID document in the mod_ssl distribution. + In short: The server has a Global ID server certificate, signed by a special + CA certificate from Verisign which enables strong encryption in export + browsers. This works as following: The browser connects with an export cipher, + the server sends its Global ID certificate, the browser verifies it and + subsequently upgrades the cipher suite before any HTTP communication takes + place. The question now is: How can we allow this upgrade, but enforce strong + encryption. Or in other words: Browser either have to initially connect with + strong encryption or have to upgrade to strong encryption, but are not allowed + to keep the export ciphers. The following does the trick:

        + + + + + + + + + + + + + + + + + + + + + + + + +
          httpd.conf  
        + + + + +
        + 
        +
+    #   allow all ciphers for the inital handshake,
+    #   so export browsers can upgrade via SGC facility
+    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+    <Directory /usr/local/apache/htdocs>
+    #   but finally deny all browsers which haven't upgraded
+    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
+    </Directory>
+
+
        +
        +
        +
      • - + How can I create an SSL server which accepts all types of ciphers in general, but requires a strong ciphers for access to a particular URL?    [L] -

        -Obviously you cannot just use a server-wide SSLCipherSuite which -restricts the ciphers to the strong variants. But mod_ssl allows you to -reconfigure the cipher suite in per-directory context and automatically forces -a renegotiation of the SSL parameters to meet the new configuration. So, the -solution is: -

        - - - - - - - - - - - - - - - - - - - - - - - - -
          httpd.conf  
        - - - - -
        -
        -
-#   be liberal in general
-SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-<Location /strong/area>
-#   but https://hostname/strong/area/ and below requires strong ciphers
-SSLCipherSuite HIGH:MEDIUM
-</Location>
-
-
        -
        -
        +

        Obviously you cannot just use a server-wide SSLCipherSuite which + restricts the ciphers to the strong variants. But mod_ssl allows you to + reconfigure the cipher suite in per-directory context and automatically forces + a renegotiation of the SSL parameters to meet the new configuration. So, the + solution is:

        + + + + + + + + + + + + + + + + + + + + + + + + +
          httpd.conf  
        + + + + +
        + 
        +
+    #   be liberal in general
+    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+    <Location /strong/area>
+    #   but https://hostname/strong/area/ and below requires strong ciphers
+    SSLCipherSuite HIGH:MEDIUM
+    </Location>
+
+
        +
        +
        +

      Client Authentication and Access Control

        -

      • - + How can I authenticate clients based on certificates when I know all my clients?    [L] -

        -When you know your user community (i.e. a closed user group situation), as -it's the case for instance in an Intranet, you can use plain certificate -authentication. All you have to do is to create client certificates signed by -your own CA certificate ca.crt and then verifiy the clients -against this certificate. -

        - - - - - - - - - - - - - - - - - - - - - - - - -
          httpd.conf  
        - - - - -
        -
        -
-#   require a client certificate which has to be directly
-#   signed by our CA certificate in ca.crt
-SSLVerifyClient require
-SSLVerifyDepth 1
-SSLCACertificateFile conf/ssl.crt/ca.crt
-
-
        -
        -
        -

        +

        When you know your user community (i.e. a closed user group situation), as + it's the case for instance in an Intranet, you can use plain certificate + authentication. All you have to do is to create client certificates signed by + your own CA certificate ca.crt and then verifiy the clients + against this certificate.

        + + + + + + + + + + + + + + + + + + + + + + + + +
          httpd.conf  
        + + + + +
        + 
        +
+    #   require a client certificate which has to be directly
+    #   signed by our CA certificate in ca.crt
+    SSLVerifyClient require
+    SSLVerifyDepth 1
+    SSLCACertificateFile conf/ssl.crt/ca.crt
+
+
        +
        +
        +
      • - + How can I authenticate my clients for a particular URL based on certificates but still allow arbitrary clients to access the remaining parts of the server?    [L] -

        -For this we again use the per-directory reconfiguration feature of mod_ssl: -

        - - - - - - - - - - - - - - - - - - - - - - - - -
          httpd.conf  
        - - - - -
        -
        -
-SSLVerifyClient none
-SSLCACertificateFile conf/ssl.crt/ca.crt
-<Location /secure/area>
-SSLVerifyClient require
-SSLVerifyDepth 1
-</Location>
-
-
        -
        -
        -

        +

        For this we again use the per-directory reconfiguration feature of mod_ssl:

        + + + + + + + + + + + + + + + + + + + + + + + + +
          httpd.conf  
        + + + + +
        + 
        +
+    SSLVerifyClient none
+    SSLCACertificateFile conf/ssl.crt/ca.crt
+    <Location /secure/area>
+    SSLVerifyClient require
+    SSLVerifyDepth 1
+    </Location>
+
+
        +
        +
        +
      • - + How can I authenticate only particular clients for a some URLs based on certificates but still allow arbitrary clients to access the remaining parts of the server?    [L] -

        -The key is to check for various ingredients of the client certficate. Usually -this means to check the whole or part of the Distinguished Name (DN) of the -Subject. For this two methods exists: The mod_auth based variant -and the SSLRequire variant. The first method is good when the -clients are of totally different type, i.e. when their DNs have no common -fields (usually the organisation, etc.). In this case you've to establish a -password database containing all clients. The second method is better -when your clients are all part of a common hierarchy which is encoded into the -DN. Then you can match them more easily. -

        -The first method: -

        - - - - - - - - - - - - - - - - - - - - - - - - -
          httpd.conf  
        - - - - -
        -
        -
-SSLVerifyClient      none
-<Directory /usr/local/apache/htdocs/secure/area>
-SSLVerifyClient      require
-SSLVerifyDepth       5
-SSLCACertificateFile conf/ssl.crt/ca.crt
-SSLCACertificatePath conf/ssl.crt
-SSLOptions           +FakeBasicAuth
-SSLRequireSSL
-AuthName             "Snake Oil Authentication"
-AuthType             Basic
-AuthUserFile         /usr/local/apache/conf/httpd.passwd
-require              valid-user
-</Directory>
-
-
        -
        -
        -

        - - - - - - - - - - - - - - - - - - - - - - - - -
          httpd.passwd  
        - - - - -
        -
        -
-/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
-/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
-/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA
-
-
        -
        -
        -

        -The second method: -

        - - - - - - - - - - - - - - - - - - - - - - - - -
          httpd.conf  
        - - - - -
        -
        -
-SSLVerifyClient      none
-<Directory /usr/local/apache/htdocs/secure/area>
-SSLVerifyClient      require
-SSLVerifyDepth       5
-SSLCACertificateFile conf/ssl.crt/ca.crt
-SSLCACertificatePath conf/ssl.crt
-SSLOptions           +FakeBasicAuth
-SSLRequireSSL
-SSLRequire           %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." and \
-                     %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
-</Directory>
-
-
        -
        -
        -

        +

        The key is to check for various ingredients of the client certficate. Usually + this means to check the whole or part of the Distinguished Name (DN) of the + Subject. For this two methods exists: The mod_auth based variant + and the SSLRequire variant. The first method is good when the + clients are of totally different type, i.e. when their DNs have no common + fields (usually the organisation, etc.). In this case you've to establish a + password database containing all clients. The second method is better + when your clients are all part of a common hierarchy which is encoded into the + DN. Then you can match them more easily.

        + +

        The first method:

        + + + + + + + + + + + + + + + + + + + + + + + + +
          httpd.conf  
        + + + + +
        + 
        +
+    SSLVerifyClient      none
+    <Directory /usr/local/apache/htdocs/secure/area>
+    SSLVerifyClient      require
+    SSLVerifyDepth       5
+    SSLCACertificateFile conf/ssl.crt/ca.crt
+    SSLCACertificatePath conf/ssl.crt
+    SSLOptions           +FakeBasicAuth
+    SSLRequireSSL
+    AuthName             "Snake Oil Authentication"
+    AuthType             Basic
+    AuthUserFile         /usr/local/apache/conf/httpd.passwd
+    require              valid-user
+    </Directory>
+
+
        +
        +
        +
        + + + + + + + + + + + + + + + + + + + + + + + + +
          httpd.passwd  
        + + + + +
        + 
        +
+    /C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
+    /C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
+    /C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA
+
+
        +
        +
        + +

        The second method:

        + + + + + + + + + + + + + + + + + + + + + + + + +
          httpd.conf  
        + + + + +
        + 
        +
+    SSLVerifyClient      none
+    <Directory /usr/local/apache/htdocs/secure/area>
+    SSLVerifyClient      require
+    SSLVerifyDepth       5
+    SSLCACertificateFile conf/ssl.crt/ca.crt
+    SSLCACertificatePath conf/ssl.crt
+    SSLOptions           +FakeBasicAuth
+    SSLRequireSSL
+    SSLRequire           %{SSL_CLIENT_S_DN_O}  eq "Snake Oil, Ltd." and \
+                         %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
+    </Directory>
+
+
        +
        +
        +
      • - How can + How can I require HTTPS with strong ciphers and either basic authentication or client certificates for access to a subarea on the Intranet website for clients coming from the Internet but still allow plain HTTP access for clients on the Intranet?    [L] -

        -Let us assume the Intranet can be distinguished through the IP network -192.160.1.0/24 and the subarea on the Intranet website has the URL -/subarea. Then configure the following outside your HTTPS virtual -host (so it applies to both HTTPS and HTTP): -

        - - - - - - - - - - - - - - - - - - - - - - - - - -
          httpd.conf  
        - - - - -
        -
        -
-SSLCACertificateFile conf/ssl.crt/company-ca.crt
-
-<Directory /usr/local/apache/htdocs>
-#   Outside the subarea only Intranet access is granted
-Order                deny,allow
-Deny                 from all
-Allow                from 192.168.1.0/24
-</Directory>
-
-<Directory /usr/local/apache/htdocs/subarea>
-#   Inside the subarea any Intranet access is allowed
-#   but from the Internet only HTTPS + Strong-Cipher + Password
-#   or the alternative HTTPS + Strong-Cipher + Client-Certificate
-
-#   If HTTPS is used, make sure a strong cipher is used.
-#   Additionally allow client certs as alternative to basic auth.
-SSLVerifyClient      optional
-SSLVerifyDepth       1
-SSLOptions           +FakeBasicAuth +StrictRequire
-SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128
-
-#   Force clients from the Internet to use HTTPS
-RewriteEngine        on
-RewriteCond          %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
-RewriteCond          %{HTTPS} !=on
-RewriteRule          .* - [F]
-
-#   Allow Network Access and/or Basic Auth
-Satisfy              any
-
-#   Network Access Control
-Order                deny,allow
-Deny                 from all
-Allow                192.168.1.0/24
-
-#   HTTP Basic Authentication
-AuthType             basic
-AuthName             "Protected Intranet Area"
-AuthUserFile         conf/protected.passwd
-Require              valid-user
-</Directory>
-
-
        -
        -
        +

        Let us assume the Intranet can be distinguished through the IP network + 192.160.1.0/24 and the subarea on the Intranet website has the URL + /subarea. Then configure the following outside your HTTPS virtual + host (so it applies to both HTTPS and HTTP):

        + + + + + + + + + + + + + + + + + + + + + + + + + + +
          httpd.conf  
        + + + + +
        + 
        +
+    SSLCACertificateFile conf/ssl.crt/company-ca.crt
+
+    <Directory /usr/local/apache/htdocs>
+    #   Outside the subarea only Intranet access is granted
+    Order                deny,allow
+    Deny                 from all
+    Allow                from 192.168.1.0/24
+    </Directory>
+
+    <Directory /usr/local/apache/htdocs/subarea>
+    #   Inside the subarea any Intranet access is allowed
+    #   but from the Internet only HTTPS + Strong-Cipher + Password
+    #   or the alternative HTTPS + Strong-Cipher + Client-Certificate
+
+    #   If HTTPS is used, make sure a strong cipher is used.
+    #   Additionally allow client certs as alternative to basic auth.
+    SSLVerifyClient      optional
+    SSLVerifyDepth       1
+    SSLOptions           +FakeBasicAuth +StrictRequire
+    SSLRequire           %{SSL_CIPHER_USEKEYSIZE} >= 128
+
+    #   Force clients from the Internet to use HTTPS
+    RewriteEngine        on
+    RewriteCond          %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$
+    RewriteCond          %{HTTPS} !=on
+    RewriteRule          .* - [F]
+
+    #   Allow Network Access and/or Basic Auth
+    Satisfy              any
+
+    #   Network Access Control
+    Order                deny,allow
+    Deny                 from all
+    Allow                192.168.1.0/24
+
+    #   HTTP Basic Authentication
+    AuthType             basic
+    AuthName             "Protected Intranet Area"
+    AuthUserFile         conf/protected.passwd
+    Require              valid-user
+    </Directory>
+
+
        +
        +
        +
      -

      + diff --git a/docs/manual/ssl/ssl_intro.html b/docs/manual/ssl/ssl_intro.html index 248e62ce242..251c7100590 100644 --- a/docs/manual/ssl/ssl_intro.html +++ b/docs/manual/ssl/ssl_intro.html @@ -16,7 +16,7 @@ -

      SSL/TLS Strong Encryption: An Introduction

      +

      SSL/TLS Strong Encryption: An Introduction

      @@ -38,17 +38,16 @@ A. Tanenbaum, ``Introduction to Computer Networks''
      -

      -As an introduction this chapter is aimed at readers who are familiar +

      As an introduction this chapter is aimed at readers who are familiar with the Web, HTTP, and Apache, but are not security experts. It is not intended to be a definitive guide to the SSL protocol, nor does it discuss specific techniques for managing certificates in an organization, or the important legal issues of patents and import and export restrictions. Rather, it is intended to provide a common background to mod_ssl users by pulling together various concepts, definitions, and examples as a starting point for -further exploration. -

      -The presented content is mainly derived, with permission by the author, from +further exploration.

      + +

      The presented content is mainly derived, with permission by the author, from the article Introducing SSL and Certificates using SSLeay from Frederick Hirsch (the original article author) and all negative feedback to Ralf S. Engelschall (the mod_ssl -author). - - -   - - +author).

      Cryptographic Techniques

      -Understanding SSL requires an understanding of cryptographic algorithms, +

      Understanding SSL requires an understanding of cryptographic algorithms, message digest functions (aka. one-way or hash functions), and digital signatures. These techniques are the subject of entire books (see for instance [AC96]) and provide the basis for privacy, integrity, and -authentication. +authentication.

      Cryptographic Algorithms

      -Suppose Alice wants to send a message to her bank to transfer some money. +

      Suppose Alice wants to send a message to her bank to transfer some money. Alice would like the message to be private, since it will include information such as her account number and transfer amount. One solution is to use a cryptographic algorithm, a technique that would transform her message into an @@ -104,10 +98,9 @@ encrypted form, unreadable except by those it is intended for. Once in this form, the message may only be interpreted through the use of a secret key. Without the key the message is useless: good cryptographic algorithms make it so difficult for intruders to decode the original text that it isn't worth -their effort. -

      -There are two categories of cryptographic algorithms: -conventional and public key. +their effort.

      +

      There are two categories of cryptographic algorithms: +conventional and public key.

      • Conventional cryptography, also known as symmetric cryptography, requires the sender and receiver to share a key: a secret @@ -115,151 +108,191 @@ piece of information that may be used to encrypt or decrypt a message. If this key is secret, then nobody other than the sender or receiver may read the message. If Alice and the bank know a secret key, then they may send each other private messages. The task of privately choosing a key -before communicating, however, can be problematic. -

        +before communicating, however, can be problematic.
        +
        +

      • Public key cryptography, also known as asymmetric cryptography, solves the key exchange problem by defining an algorithm which uses two keys, each of which may be used to encrypt a message. If one key is used to encrypt a message then the other must be used to decrypt it. This makes it possible to receive secure messages by simply publishing one key (the public key) and keeping the other secret (the private key). -

        -Anyone may encrypt a message using the public key, but only the owner of the +

        • +
      +

      Anyone may encrypt a message using the public key, but only the owner of the private key will be able to read it. In this way, Alice may send private messages to the owner of a key-pair (the bank), by encrypting it using their -public key. Only the bank will be able to decrypt it. -

    +public key. Only the bank will be able to decrypt it.

    +

    Message Digests

    -Although Alice may encrypt her message to make it private, there is still a +

    Although Alice may encrypt her message to make it private, there is still a concern that someone might modify her original message or substitute it with a different one, in order to transfer the money to themselves, for instance. One way of guaranteeing the integrity of Alice's message is to create a concise summary of her message and send this to the bank as well. Upon receipt of the message, the bank creates its own summary and compares it -with the one Alice sent. If they agree then the message was received intact. -

    -A summary such as this is called a message digest, one-way +with the one Alice sent. If they agree then the message was received intact.

    +

    A summary such as this is called a message digest, one-way function or hash function. Message digests are used to create short, fixed-length representations of longer, variable-length messages. Digest algorithms are designed to produce unique digests for different messages. Message digests are designed to make it too difficult to determine the message from the digest, and also impossible to find two different messages which create the same digest -- thus eliminating the possibility of -substituting one message for another while maintaining the same digest. -

    -Another challenge that Alice faces is finding a way to send the digest to the +substituting one message for another while maintaining the same digest.

    +

    Another challenge that Alice faces is finding a way to send the digest to the bank securely; when this is achieved, the integrity of the associated message is assured. One way to to this is to include the digest in a digital -signature. +signature.

    Digital Signatures

    -When Alice sends a message to the bank, the bank needs to ensure that the +

    When Alice sends a message to the bank, the bank needs to ensure that the message is really from her, so an intruder does not request a transaction involving her account. A digital signature, created by Alice and -included with the message, serves this purpose. -

    -Digital signatures are created by encrypting a digest of the message, +included with the message, serves this purpose.

    +

    Digital signatures are created by encrypting a digest of the message, and other information (such as a sequence number) with the sender's private key. Though anyone may decrypt the signature using the public key, only the signer knows the private key. This means that only they may have signed it. Including the digest in the signature means the signature is only good for that message; it also ensures the integrity of the message since -no one can change the digest and still sign it. -

    -To guard against interception and reuse of the signature by an intruder at a +no one can change the digest and still sign it.

    +

    To guard against interception and reuse of the signature by an intruder at a later date, the signature contains a unique sequence number. This protects the bank from a fraudulent claim from Alice that she did not send the message --- only she could have signed it (non-repudiation). +-- only she could have signed it (non-repudiation).

    Certificates

    -Although Alice could have sent a private message to the bank, signed it, and +

    Although Alice could have sent a private message to the bank, signed it, and ensured the integrity of the message, she still needs to be sure that she is really communicating with the bank. This means that she needs to be sure that the public key she is using corresponds to the bank's private key. Similarly, the bank also needs to verify that the message signature really corresponds to -Alice's signature. -

    -If each party has a certificate which validates the other's identity, confirms +Alice's signature.

    +

    If each party has a certificate which validates the other's identity, confirms the public key, and is signed by a trusted agency, then they both will be assured that they are communicating with whom they think they are. Such a trusted agency is called a Certificate Authority, and certificates are -used for authentication. +used for authentication.

    Certificate Contents

    -A certificate associates a public key with the real identity of an individual, +

    A certificate associates a public key with the real identity of an individual, server, or other entity, known as the subject. As shown in Table 1, information about the subject includes identifying information (the distinguished name), and the public key. It also includes the identification and signature of the Certificate Authority that issued the certificate, and the period of time during which the certificate is valid. It may have additional information (or extensions) as well as administrative -information for the Certificate Authority's use, such as a serial number. -

    +information for the Certificate Authority's use, such as a serial number.

    - -
    Table 1: Certificate Information
    - - -
    - - - - - - - - - - - + + + +
    Subject:Distinguished Name, Public Key
    Issuer:Distinguished Name, Signature
    Period of Validity:Not Before Date, Not After Date
    Administrative Information:Version, Serial Number
    Extended Information:Basic Contraints, Netscape Flags, etc.
    Table 1: Certificate Information
    + + + + +
    + + + + + + + + + + + + + + + + + + + + + +
    Subject:Distinguished Name, Public Key
    Issuer:Distinguished Name, Signature
    Period of Validity:Not Before Date, Not After Date
    Administrative Information:Version, Serial Number
    Extended Information:Basic Contraints, Netscape Flags, etc.
    +
    +
    -
    -
    -

    -A distinguished name is used to provide an identity in a specific context -- +

    A distinguished name is used to provide an identity in a specific context -- for instance, an individual might have a personal certificate as well as one for their identity as an employee. Distinguished names are defined by the -X.509 standard [X509], which defines the fields, field +X.509 standard [X509], which defines the fields, field names, and abbreviations used to refer to the fields -(see Table 2). -

    +(see Table 2).

    +
    - -
    Table 2: Distinguished Name Information
    - - -
    - - - - - - - - - - - - - - - - + + + +
    DN Field:Abbrev.:Description:Example:
    Common NameCNName being certifiedCN=Joe Average
    Organization or CompanyOName is associated with this
    organization    		O=Snake Oil, Ltd.
    Organizational UnitOUName is associated with this
    organization unit, such as a department    		OU=Research Institute
    City/LocalityLName is located in this CityL=Snake City
    State/ProvinceSTName is located in this State/ProvinceST=Desert
    CountryCName is located in this Country (ISO code)C=XZ
    Table 2: Distinguished Name Information
    + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    DN Field:Abbrev.:Description:Example:
    Common NameCNName being certifiedCN=Joe Average
    Organization or CompanyOName is associated with this
    organization    		O=Snake Oil, Ltd.
    Organizational UnitOUName is associated with this
    organization unit, such as a department    		OU=Research Institute
    City/LocalityLName is located in this CityL=Snake City
    State/ProvinceSTName is located in this State/ProvinceST=Desert
    CountryCName is located in this Country (ISO code)C=XZ
    +
    +
    -
    -
    -

    -A Certificate Authority may define a policy specifying which distinguished +

    A Certificate Authority may define a policy specifying which distinguished field names are optional, and which are required. It may also place requirements upon the field contents, as may users of certificates. As an example, a Netscape browser requires that the Common Name for a certificate representing a server has a name which matches a wildcard pattern for the -domain name of that server, such as *.snakeoil.com. -

    -The binary format of a certificate is defined using the ASN.1 notation [ *.snakeoil.com.

    +

    The binary format of a certificate is defined using the ASN.1 notation [ X208] [PKCS]. This notation defines how to specify the contents, and encoding rules define how this information is translated into binary form. The binary encoding of the certificate is @@ -268,12 +301,12 @@ general Basic Encoding Rules (BER). For those transmissions which cannot handle binary, the binary form may be translated into an ASCII form by using Base64 encoding [MIME]. This encoded version is called PEM encoded (the name comes from "Privacy Enhanced Mail"), when placed between -begin and end delimiter lines as illustrated in Table 3. -

    +begin and end delimiter lines as illustrated in Table 3.

    +
    - + + + + +
    Table 3: Example of a PEM-encoded certificate (snakeoil.crt)Table 3: Example of a PEM-encoded certificate (snakeoil.crt)
    @@ -303,20 +336,20 @@ dUHzICxBVC1lnHyYGjDuAMhe396lYAn8bCld1/L4NMGBCQ==

    Certificate Authorities

    -By first verifying the information in a certificate request before granting +

    By first verifying the information in a certificate request before granting the certificate, the Certificate Authority assures the identity of the private key owner of a key-pair. For instance, if Alice requests a personal certificate, the Certificate Authority must first make sure that Alice really -is the person the certificate request claims. +is the person the certificate request claims.

    Certificate Chains

    -A Certificate Authority may also issue a certificate for another Certificate +

    A Certificate Authority may also issue a certificate for another Certificate Authority. When examining a certificate, Alice may need to examine the certificate of the issuer, for each parent Certificate Authority, until reaching one which she has confidence in. She may decide to trust only certificates with a limited chain of issuers, to reduce her risk of a "bad" -certificate in the chain. +certificate in the chain.

    Creating a Root-Level CA

    -As noted earlier, each certificate requires an issuer to assert the validity +

    As noted earlier, each certificate requires an issuer to assert the validity of the identity of the certificate subject, up to the top-level Certificate Authority (CA). This presents a problem: Since this is who vouches for the certificate of the top-level authority, which has no issuer? @@ -325,22 +358,20 @@ certificate is the same as the subject. As a result, one must exercise extra care in trusting a self-signed certificate. The wide publication of a public key by the root authority reduces the risk in trusting this key -- it would be obvious if someone else publicized a key claiming to be the authority. -Browsers are preconfigured to trust well-known certificate authorities. -

    -A number of companies, such as Thawte and +Browsers are preconfigured to trust well-known certificate authorities.

    +

    A number of companies, such as Thawte and VeriSign have established themselves as -Certificate Authorities. These companies provide the following services: +Certificate Authorities. These companies provide the following services:

      -
    • Verifying certificate requests -
    • Processing certificate requests -
    • Issuing and managing certificates +
    • Verifying certificate requests
      • +
    • Processing certificate requests
      • +
    • Issuing and managing certificates
    -

    -It is also possible to create your own Certificate Authority. Although risky +

    It is also possible to create your own Certificate Authority. Although risky in the Internet environment, it may be useful within an Intranet where the -organization can easily verify the identities of individuals and servers. +organization can easily verify the identities of individuals and servers.

    Certificate Management

    -Establishing a Certificate Authority is a responsibility which requires a +

    Establishing a Certificate Authority is a responsibility which requires a solid administrative, technical, and management framework. Certificate Authorities not only issue certificates, they also manage them -- that is, they determine how long certificates are valid, they renew them, and @@ -352,295 +383,309 @@ certificates are objects that get passed around, it is impossible to tell from the certificate alone that it has been revoked. When examining certificates for validity, therefore, it is necessary to contact the issuing Certificate Authority to check CRLs -- this is not usually -an automated part of the process. -

    -

    Note:
    -If you use a Certificate Authority that is not configured into browsers by +an automated part of the process.

    +
    Note:
    +

    If you use a Certificate Authority that is not configured into browsers by default, it is necessary to load the Certificate Authority certificate into the browser, enabling the browser to validate server certificates signed by that Certificate Authority. Doing so may be dangerous, since once loaded, the -browser will accept all certificates signed by that Certificate Authority. +browser will accept all certificates signed by that Certificate Authority.

    Secure Sockets Layer (SSL)

    -The Secure Sockets Layer protocol is a protocol layer which may be placed +

    The Secure Sockets Layer protocol is a protocol layer which may be placed between a reliable connection-oriented network layer protocol (e.g. TCP/IP) and the application protocol layer (e.g. HTTP). SSL provides for secure communication between client and server by allowing mutual authentication, the -use of digital signatures for integrity, and encryption for privacy. -

    -The protocol is designed to support a range of choices for specific algorithms +use of digital signatures for integrity, and encryption for privacy.

    +

    The protocol is designed to support a range of choices for specific algorithms used for cryptography, digests, and signatures. This allows algorithm selection for specific servers to be made based on legal, export or other concerns, and also enables the protocol to take advantage of new algorithms. Choices are negotiated between client and server at the start of establishing -a protocol session. -

    +a protocol session.

    - -
    Table 4: Versions of the SSL protocol
    - - -
    - - - - - - - - - - - - - - - - - - - - - - - - + + + +
    Version:Source:Description:Browser Support:
    SSL v2.0Vendor Standard (from Netscape Corp.) [SSL2]First SSL protocol for which implementations exists- NS Navigator 1.x/2.x
    - - MS IE 3.x
    - - Lynx/2.8+OpenSSL -
    SSL v3.0Expired Internet Draft (from Netscape Corp.) [SSL3]Revisions to prevent specific security attacks, add non-RSA ciphers, and support for certificate chains- NS Navigator 2.x/3.x/4.x
    - - MS IE 3.x/4.x
    - - Lynx/2.8+OpenSSL -
    TLS v1.0Proposed Internet Standard (from IETF) [TLS1]Revision of SSL 3.0 to update the MAC layer to HMAC, add block padding for - block ciphers, message order standardization and more alert messages. -- Lynx/2.8+OpenSSL
    Table 4: Versions of the SSL protocol
    + + + + +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    Version:Source:Description:Browser Support:
    SSL v2.0Vendor Standard (from Netscape Corp.) [SSL2]First SSL protocol for which implementations exists- NS Navigator 1.x/2.x
    + - MS IE 3.x
    + - Lynx/2.8+OpenSSL +
    SSL v3.0Expired Internet Draft (from Netscape Corp.) [SSL3]Revisions to prevent specific security attacks, add non-RSA ciphers, and support for certificate chains- NS Navigator 2.x/3.x/4.x
    + - MS IE 3.x/4.x
    + - Lynx/2.8+OpenSSL +
    TLS v1.0Proposed Internet Standard (from IETF) [TLS1]Revision of SSL 3.0 to update the MAC layer to HMAC, add block padding for + block ciphers, message order standardization and more alert messages. + - Lynx/2.8+OpenSSL
    +
    +
    -
    -
    -

    -There are a number of versions of the SSL protocol, as shown in There are a number of versions of the SSL protocol, as shown in Table 4. As noted there, one of the benefits in SSL 3.0 is that it adds support of certificate chain loading. This feature allows a server to pass a server certificate along with issuer certificates to the browser. Chain loading also permits the browser to validate the server certificate, even if Certificate Authority certificates are not installed for the intermediate issuers, since they are included in the certificate chain. -SSL 3.0 is the basis for the Transport Layer Security [TLS] protocol standard, currently in development by the -Internet Engineering Task Force (IETF). +SSL 3.0 is the basis for the Transport Layer Security [TLS] protocol standard, currently in development by the +Internet Engineering Task Force (IETF).

    Session Establishment

    -The SSL session is established by following a handshake sequence +

    The SSL session is established by following a handshake sequence between client and server, as shown in Figure 1. This sequence may vary, depending on whether the server is configured to provide a server certificate or request a client certificate. Though cases exist where additional handshake steps are required for management of cipher information, this article summarizes one common scenario: see the SSL specification for the -full range of possibilities. -

    +full range of possibilities.

    Note
    -Once an SSL session has been established it may be reused, thus avoiding the +

    Once an SSL session has been established it may be reused, thus avoiding the performance penalty of repeating the many steps needed to start a session. For this the server assigns each SSL session a unique session identifier which is cached in the server and which the client can use on forthcoming connections to reduce the handshake (until the session identifer expires in -the cache of the server). -

    +the cache of the server).

    - -
    Figure 1: Simplified SSL Handshake Sequence
    - - -
    - -
    -
    +
    Figure 1: Simplified SSL Handshake Sequence
    + + + + +
    + +
    +
    -

    -The elements of the handshake sequence, as used by the client and server, are -listed below: +

    The elements of the handshake sequence, as used by the client and server, are +listed below:

      -
    1. Negotiate the Cipher Suite to be used during data transfer -
    2. Establish and share a session key between client and server -
    3. Optionally authenticate the server to the client -
    4. Optionally authenticate the client to the server +
    5. Negotiate the Cipher Suite to be used during data transfer
      6. +
    6. Establish and share a session key between client and server
      7. +
    7. Optionally authenticate the server to the client
      8. +
    8. Optionally authenticate the client to the server
    -

    -The first step, Cipher Suite Negotiation, allows the client and server to +

    The first step, Cipher Suite Negotiation, allows the client and server to choose a Cipher Suite supportable by both of them. The SSL3.0 protocol specification defines 31 Cipher Suites. A Cipher Suite is defined by the -following components: +following components:

      -
    • Key Exchange Method -
    • Cipher for Data Transfer -
    • Message Digest for creating the Message Authentication Code (MAC) +
    • Key Exchange Method
      • +
    • Cipher for Data Transfer
      • +
    • Message Digest for creating the Message Authentication Code (MAC)
    -These three elements are described in the sections that follow. +

    These three elements are described in the sections that follow.

    Key Exchange Method

    -The key exchange method defines how the shared secret symmetric cryptography +

    The key exchange method defines how the shared secret symmetric cryptography key used for application data transfer will be agreed upon by client and server. SSL 2.0 uses RSA key exchange only, while SSL 3.0 supports a choice of key exchange algorithms including the RSA key exchange when certificates are used, and Diffie-Hellman key exchange for exchanging keys without certificates -and without prior communication between client and server. -

    -One variable in the choice of key exchange methods is digital signatures -- +and without prior communication between client and server.

    +

    One variable in the choice of key exchange methods is digital signatures -- whether or not to use them, and if so, what kind of signatures to use. Signing with a private key provides assurance against a man-in-the-middle-attack during the information exchange used in generating -the shared key [AC96, p516]. +the shared key [AC96, p516].

    Cipher for Data Transfer

    -SSL uses the conventional cryptography algorithm (symmetric cryptography) +

    SSL uses the conventional cryptography algorithm (symmetric cryptography) described earlier for encrypting messages in a session. There are nine -choices, including the choice to perform no encryption: +choices, including the choice to perform no encryption:

      -
    • No encryption +
    • No encryption
    • Stream Ciphers
        -
      • RC4 with 40-bit keys -
      • RC4 with 128-bit keys +
      • RC4 with 40-bit keys
        • +
      • RC4 with 128-bit keys
      +
    • CBC Block Ciphers
        -
      • RC2 with 40 bit key -
      • DES with 40 bit key -
      • DES with 56 bit key -
      • Triple-DES with 168 bit key -
      • Idea (128 bit key) -
      • Fortezza (96 bit key) +
      • RC2 with 40 bit key
        • +
      • DES with 40 bit key
        • +
      • DES with 56 bit key
        • +
      • Triple-DES with 168 bit key
        • +
      • Idea (128 bit key)
        • +
      • Fortezza (96 bit key)
      +
    -Here "CBC" refers to Cipher Block Chaining, which means that a portion of the +

    Here "CBC" refers to Cipher Block Chaining, which means that a portion of the previously encrypted cipher text is used in the encryption of the current block. "DES" refers to the Data Encryption Standard [AC96, ch12], which has a number of variants (including DES40 and 3DES_EDE). "Idea" is one of the best and cryptographically strongest available algorithms, and "RC2" is a proprietary algorithm from RSA DSI [AC96, -ch13]. +ch13].

    Digest Function

    -The choice of digest function determines how a digest is created from a record -unit. SSL supports the following: +

    The choice of digest function determines how a digest is created from a record +unit. SSL supports the following:

      -
    • No digest (Null choice) -
    • MD5, a 128-bit hash -
    • Secure Hash Algorithm (SHA-1), a 160-bit hash +
    • No digest (Null choice)
      • +
    • MD5, a 128-bit hash
      • +
    • Secure Hash Algorithm (SHA-1), a 160-bit hash
    -The message digest is used to create a Message Authentication Code (MAC) which +

    The message digest is used to create a Message Authentication Code (MAC) which is encrypted with the message to provide integrity and to prevent against -replay attacks. +replay attacks.

    Handshake Sequence Protocol

    -The handshake sequence uses three protocols: +

    The handshake sequence uses three protocols:

    • The SSL Handshake Protocol for performing the client and server SSL session establishment. +
    • The SSL Change Cipher Spec Protocol for actually establishing agreement on the Cipher Suite for the session. +
    • The SSL Alert Protocol for conveying SSL error messages between client and server. +
    These protocols, as well as application protocol data, are encapsulated in the SSL Record Protocol, as shown in Figure 2. An encapsulated protocol is transferred as data by the lower layer protocol, which does not examine the data. The encapsulated protocol has no knowledge of the underlying protocol. -

    - -
    Figure 2: SSL Protocol Stack
    - - -
    - -
    -
    + Figure 2: SSL Protocol Stack + + + + + + +
    + +
    + + +
    -

    -The encapsulation of SSL control protocols by the record protocol means that +

    The encapsulation of SSL control protocols by the record protocol means that if an active session is renegotiated the control protocols will be transmitted securely. If there were no session before, then the Null cipher suite is used, which means there is no encryption and messages have no integrity -digests until the session has been established. +digests until the session has been established.

    Data Transfer

    -The SSL Record Protocol, shown in Figure 3, is used to +

    The SSL Record Protocol, shown in Figure 3, is used to transfer application and SSL Control data between the client and server, possibly fragmenting this data into smaller units, or combining multiple higher level protocol data messages into single units. It may compress, attach digest signatures, and encrypt these units before transmitting them using the underlying reliable transport protocol (Note: currently all major SSL -implementations lack support for compression). -

    +implementations lack support for compression).

    - -
    Figure 3: SSL Record Protocol
    - - -
    - -
    -
    + Figure 3: SSL Record Protocol + + + + + + +
    + +
    + + +

    Securing HTTP Communication

    -One common use of SSL is to secure Web HTTP communication between a browser +

    One common use of SSL is to secure Web HTTP communication between a browser and a webserver. This case does not preclude the use of non-secured HTTP. The secure version is mainly plain HTTP over SSL (named HTTPS), but with one major difference: it uses the URL scheme https rather than http and a different server port (by default 443). This mainly -is what mod_ssl provides to you for the Apache webserver... +is what mod_ssl provides to you for the Apache webserver...

    References

    -

    + diff --git a/docs/manual/stopping.html.en b/docs/manual/stopping.html.en index 628c40403be..654fba471b7 100644 --- a/docs/manual/stopping.html.en +++ b/docs/manual/stopping.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> -

    Stopping and Restarting the Server

    +

    Stopping and Restarting the Server

    This document covers stopping and restarting Apache on Unix-like systems. Windows users should see -

    diff --git a/docs/manual/suexec.html.en b/docs/manual/suexec.html.en index 61c68fd4389..58967a7f393 100644 --- a/docs/manual/suexec.html.en +++ b/docs/manual/suexec.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> -

    Apache suEXEC Support

    +

    Apache suEXEC Support

    1. CONTENTS
      2. @@ -43,14 +43,14 @@

      What is suEXEC?

      -

      The suEXEC feature provides +

      The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.

      -

      Used properly, this feature can reduce +

      Used properly, this feature can reduce considerably the security risks involved with allowing users to develop and run private CGI or SSI programs. However, if suEXEC is improperly configured, it can cause any number of problems @@ -59,30 +59,30 @@ security issues they present, we highly recommend that you not consider using suEXEC.

      -

      BACK TO +

      BACK TO CONTENTS

      Before we begin.

      -

      Before jumping head-first into this document, +

      Before jumping head-first into this document, you should be aware of the assumptions made on the part of the Apache Group and this document.

      -

      First, it is assumed that you are using a UNIX +

      First, it is assumed that you are using a UNIX derivate operating system that is capable of setuid and setgid operations. All command examples are given in this regard. Other platforms, if they are capable of supporting suEXEC, may differ in their configuration.

      -

      Second, it is assumed you are familiar with +

      Second, it is assumed you are familiar with some basic concepts of your computer's security and its administration. This involves an understanding of setuid/setgid operations and the various effects they may have on your system and its level of security.

      -

      Third, it is assumed that you are using an +

      Third, it is assumed that you are using an unmodified version of suEXEC code. All code for suEXEC has been carefully scrutinized and tested by the developers as well as numerous beta testers. Every precaution @@ -93,7 +93,7 @@ particulars of security programming and are willing to share your work with the Apache Group for consideration.

      -

      Fourth, and last, it has been the decision of +

      Fourth, and last, it has been the decision of the Apache Group to NOT make suEXEC part of the default installation of Apache. To this end, suEXEC configuration requires of the administrator careful attention @@ -107,20 +107,20 @@ installation only to those who are careful and determined enough to use it.

      -

      Still with us? Yes? Good. Let's move on!

      +

      Still with us? Yes? Good. Let's move on!

      -

      BACK TO +

      BACK TO CONTENTS

      suEXEC Security Model

      -

      Before we begin configuring and installing +

      Before we begin configuring and installing suEXEC, we will first discuss the security model you are about to implement. By doing so, you may better understand what exactly is going on inside suEXEC and what precautions are taken to ensure your system's security.

      -

      suEXEC is based on a setuid +

      suEXEC is based on a setuid "wrapper" program that is called by the main Apache web server. This wrapper is called when an HTTP request is made for a CGI or SSI program that the administrator has designated to run as @@ -129,7 +129,7 @@ program's name and the user and group IDs under which the program is to execute.

      -

      The wrapper then employs the following process +

      The wrapper then employs the following process to determine success or failure -- if any one of these conditions fail, the program logs the failure and exits with an error, otherwise it will continue:

      @@ -348,28 +348,28 @@
      -

      This is the standard operation of the the +

      This is the standard operation of the the suEXEC wrapper's security model. It is somewhat stringent and can impose new limitations and guidelines for CGI/SSI design, but it was developed carefully step-by-step with security in mind.

      -

      For more information as to how this security +

      For more information as to how this security model can limit your possibilities in regards to server configuration, as well as what security risks can be avoided with a proper suEXEC setup, see the "Beware the Jabberwock" section of this document.

      -

      BACK TO +

      BACK TO CONTENTS

      Configuring & Installing suEXEC

      -

      Here's where we begin the fun.

      +

      Here's where we begin the fun.

      -

      suEXEC configuration +

      suEXEC configuration options

      @@ -453,7 +453,7 @@
      -

      Checking your suEXEC +

      Checking your suEXEC setup
      Before you compile and install the suEXEC wrapper you can check the configuration with the --layout option.
      @@ -473,7 +473,7 @@
      -

      Compiling and installing the suEXEC +

      Compiling and installing the suEXEC wrapper
      If you have enabled the suEXEC feature with the --enable-suexec option the suexec binary (together with Apache @@ -490,13 +490,13 @@ owner root and must have the setuserid execution bit set for file modes.

      -

      BACK TO +

      BACK TO CONTENTS

      Enabling & Disabling suEXEC

      -

      Upon startup of Apache, it looks for the file +

      Upon startup of Apache, it looks for the file "suexec" in the "sbin" directory (default is "/usr/local/apache/sbin/suexec"). If Apache finds a properly configured suEXEC wrapper, it will print the following message @@ -517,12 +517,12 @@
      -

      BACK TO +

      BACK TO CONTENTS

      Using suEXEC

      -

      Virtual Hosts:
      +

      Virtual Hosts:
      One way to use the suEXEC wrapper is through the SuexecUserGroup directive in security checks above.

      -

      BACK TO +

      BACK TO CONTENTS

      Debugging suEXEC

      -

      The suEXEC wrapper will write log information +

      The suEXEC wrapper will write log information to the file defined with the --with-suexec-logfile option as indicated above. If you feel you have configured and installed the wrapper properly, have a look at this log and the error_log for the server to see where you may have gone astray.

      -

      BACK TO +

      BACK TO CONTENTS

      Beware the Jabberwock: Warnings & Examples

      -

      NOTE! This section may not be +

      NOTE! This section may not be complete. For the latest revision of this section of the documentation, see the Apache Group's Online Documentation version.

      -

      There are a few points of interest regarding +

      There are a few points of interest regarding the wrapper that can cause limitations on server setup. Please review these before submitting any "bugs" regarding suEXEC.

      @@ -613,7 +613,7 @@ -

      BACK TO +

      BACK TO CONTENTS

      diff --git a/docs/manual/upgrading.html.en b/docs/manual/upgrading.html.en index 9872f077c34..aa454ab0137 100644 --- a/docs/manual/upgrading.html.en +++ b/docs/manual/upgrading.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> -

      Upgrading to 2.0 from 1.3

      +

      Upgrading to 2.0 from 1.3

      In order to assist folks upgrading, we maintain a document describing information critical to existing Apache users. These diff --git a/docs/manual/vhosts/details.html b/docs/manual/vhosts/details.html index 24da6ad4067..a3e9c3025c8 100644 --- a/docs/manual/vhosts/details.html +++ b/docs/manual/vhosts/details.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> -

      An In-Depth Discussion of Virtual Host +

      An In-Depth Discussion of Virtual Host Matching

      The virtual host code was completely rewritten in diff --git a/docs/manual/vhosts/examples.html b/docs/manual/vhosts/examples.html index c08a8f288f7..df5fe970c47 100644 --- a/docs/manual/vhosts/examples.html +++ b/docs/manual/vhosts/examples.html @@ -13,7 +13,7 @@ alink="#FF0000"> -

      Virtual Host examples for common setups

      +

      Virtual Host examples for common setups

      This document attempts to answer the commonly-asked questions about setting up virtual hosts. These scenarios are those involving multiple @@ -399,7 +399,7 @@ wrong site there is one.

      -

      Mixed port-based and ip-based +

      Mixed port-based and ip-based virtual hosts

      Setup:

      diff --git a/docs/manual/vhosts/fd-limits.html.en b/docs/manual/vhosts/fd-limits.html.en index 3eaa8f65e34..10bd3b2552b 100644 --- a/docs/manual/vhosts/fd-limits.html.en +++ b/docs/manual/vhosts/fd-limits.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> -

      File Descriptor Limits

      +

      File Descriptor Limits

      When using a large number of Virtual Hosts, Apache may run out of available file descriptors (sometimes called file @@ -85,7 +85,7 @@ directive, and the %v variable. Add this to the beginning of your log format string:

      - LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost
      + LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost
      CustomLog logs/multiple_vhost_log vhost
      diff --git a/docs/manual/vhosts/footer.html b/docs/manual/vhosts/footer.html index 24e2703091e..5ee7eec68a6 100644 --- a/docs/manual/vhosts/footer.html +++ b/docs/manual/vhosts/footer.html @@ -1,5 +1,5 @@
      -

      Apache HTTP Server Version 2.0

      +

      Apache HTTP Server Version 2.0

      Index Home diff --git a/docs/manual/vhosts/header.html b/docs/manual/vhosts/header.html index cbdcb995915..61d9a9121b7 100644 --- a/docs/manual/vhosts/header.html +++ b/docs/manual/vhosts/header.html @@ -1,4 +1,4 @@ -
      +
      [APACHE DOCUMENTATION]

      Apache HTTP Server Version 2.0

      diff --git a/docs/manual/vhosts/index.html.en b/docs/manual/vhosts/index.html.en index 80eae78476b..5d869dcda3e 100644 --- a/docs/manual/vhosts/index.html.en +++ b/docs/manual/vhosts/index.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> -

      Apache Virtual Host documentation

      +

      Apache Virtual Host documentation

      The term Virtual Host refers to the practice of running more than one web site (such as @@ -74,7 +74,7 @@

    2. ServerPath
    3. See also mod_vhost_alias + href="../mod/mod_vhost_alias.html">mod_vhost_alias

      4. If you are trying to debug your virtual host configuration, you diff --git a/docs/manual/vhosts/ip-based.html b/docs/manual/vhosts/ip-based.html index aa833f35b2a..7b8b908898f 100644 --- a/docs/manual/vhosts/ip-based.html +++ b/docs/manual/vhosts/ip-based.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> -

      Apache IP-based Virtual Host Support

      +

      Apache IP-based Virtual Host Support

      See also: Name-based Virtual Hosts Support
      diff --git a/docs/manual/vhosts/mass.html b/docs/manual/vhosts/mass.html index eb46f3db6f9..3ce888e4625 100644 --- a/docs/manual/vhosts/mass.html +++ b/docs/manual/vhosts/mass.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> -

      Dynamically configured mass virtual +

      Dynamically configured mass virtual hosting

      This document describes how to efficiently serve an diff --git a/docs/manual/vhosts/name-based.html.en b/docs/manual/vhosts/name-based.html.en index 075140a6bf8..f77b3b5960f 100644 --- a/docs/manual/vhosts/name-based.html.en +++ b/docs/manual/vhosts/name-based.html.en @@ -11,7 +11,7 @@ vlink="#000080" alink="#FF0000"> -

      Name-based Virtual Host Support

      +

      Name-based Virtual Host Support

      This document describes when and how to use name-based virtual hosts.

      @@ -69,8 +69,8 @@ they are on separate IP addresses.

      Using Name-based Virtual Hosts

      -
      -Related Directives

      +
      +Related Directives

      DocumentRoot
      NameVirtualHost
      -- 2.47.2