diff options
| author | Rich Bowen <rbowen@apache.org> | 2002-07-25 21:46:42 +0000 |
|---|---|---|
| committer | Rich Bowen <rbowen@apache.org> | 2002-07-25 21:46:42 +0000 |
| commit | d78c998c6a23a703722fefbf74b7a26537032925 (patch) | |
| tree | d4762b096bc04ad7c5fe82b3620ddf5e8c194371 /docs/manual | |
| parent | a0406e92e5492c56515fae433b55f2689ee982c5 (diff) | |
| download | httpd-d78c998c6a23a703722fefbf74b7a26537032925.tar.gz | |
Patch submitted by David Shane Holden to make docs valid xhtml.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@96194 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs/manual')
72 files changed, 1918 insertions, 1937 deletions
diff --git a/docs/manual/bind.html.en b/docs/manual/bind.html.en index a52d8ee3d0..ba3cdf93a1 100644 --- a/docs/manual/bind.html.en +++ b/docs/manual/bind.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Setting which addresses and ports Apache + <h1 align="center">Setting which addresses and ports Apache uses</h1> <p>When Apache starts, it connects to some port and address on diff --git a/docs/manual/cgi_path.html.en b/docs/manual/cgi_path.html.en index 4ed74ade20..b019173b90 100644 --- a/docs/manual/cgi_path.html.en +++ b/docs/manual/cgi_path.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">PATH_INFO Changes in the CGI + <h1 align="center">PATH_INFO Changes in the CGI Environment</h1> <hr /> diff --git a/docs/manual/configuring.html.en b/docs/manual/configuring.html.en index f0b3e2e47f..2d03fd5af8 100644 --- a/docs/manual/configuring.html.en +++ b/docs/manual/configuring.html.en @@ -1,62 +1,21 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> - -<html xmlns="http://www.w3.org/1999/xhtml"> - <head> - <meta name="generator" content="HTML Tidy, see www.w3.org" /> - - <title>Configuration Files</title> - </head> - <!-- Background white, links blue (unvisited), navy (visited), red (active) --> - - <body bgcolor="#FFFFFF" text="#000000" link="#0000FF" - vlink="#000080" alink="#FF0000"> - <!--#include virtual="header.html" --> - - <h1 align="CENTER">Configuration Files</h1> - - <ul> - <li><a href="#main">Main Configuration Files</a></li> - - <li><a href="#syntax">Syntax of the Configuration - Files</a></li> - - <li><a href="#modules">Modules</a></li> - - <li><a href="#scope">Scope of Directives</a></li> - - <li><a href="#htaccess">.htaccess Files</a></li> - </ul> - <hr /> - - <h2><a id="main" name="main">Main Configuration Files</a></h2> - - <table border="1"> - <tr> - <td valign="top"><strong>Related Modules</strong><br /> - <br /> - <a href="mod/mod_mime.html">mod_mime</a><br /> - </td> - - <td valign="top"><strong>Related Directives</strong><br /> - <br /> - <a - href="mod/core.html#ifdefine"><IfDefine></a><br /> - <a href="mod/core.html#include">Include</a><br /> - <a - href="mod/mod_mime.html#typesconfig">TypesConfig</a><br /> - </td> - </tr> - </table> - - <p>Apache is configured by placing <a - href="mod/directives.html">directives</a> in plain text +<html xmlns="http://www.w3.org/TR/xhtml1/strict"><head><!-- + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + This file is generated from xml source: DO NOT EDIT + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + --><title>Configuration Files- Apache HTTP Server</title><link href="./style/manual.css" type="text/css" rel="stylesheet"/></head><body><blockquote><div align="center"><img src="./images/sub.gif" alt="[APACHE DOCUMENTATION]"/><h3>Apache HTTP Server Version 2.0</h3></div><h1 align="center">Apache Module + Configuration Files</h1> +<p>This document describes the files used to configure the Apache +HTTP server.</p> +<ul><li><a href="#main">Main Configuration Files</a></li><li><a href="#syntax">Syntax of the Configuration Files</a></li><li><a href="#modules">Modules</a></li><li><a href="#scope">Scope of Directives</a></li><li><a href="#htaccess">.htaccess Files</a></li></ul><hr/><h2><a name="main">Main Configuration Files</a></h2> + + <table border="1"><tr><td valign="top"><strong>Related Modules</strong><br/><br/><code><a href="./mod/mod_mime.html">mod_mime</a></code><br/></td><td valign="top"><strong>Related Directives</strong><br/><br/><a href="./mod/core.html#ifdefine" class="directive"><code class="directive"><IfDefine></code></a><br/><a href="./mod/core.html#include" class="directive"><code class="directive">Include</code></a><br/><a href="./mod/mod_mime.html#typesconfig" class="directive"><code class="directive">TypesConfig</code></a><br/></td></tr></table> + + <p>Apache is configured by placing <a href="mod/directives.html">directives</a> in plain text configuration files. The main configuration file is usually called <code>httpd.conf</code>. The location of this file is set at compile-time, but may be overridden with the <code>-f</code> command line flag. In addition, other - configuration files may be added using the <code><a - href="mod/core.html#include">Include</a></code> directive. Any + configuration files may be added using the <a href="./mod/core.html#include" class="directive"><code class="directive">Include</code></a> directive. Any directive may be placed in any of these configuration files. Changes to the main configuration files are only recognized by Apache when it is started or restarted.</p> @@ -72,13 +31,10 @@ makes automating such processes much easier.</p> <p>The server also reads a file containing mime document types; - the filename is set by the <a - href="mod/mod_mime.html#typesconfig">TypesConfig</a> directive, + the filename is set by the <a href="./mod/mod_mime.html#typesconfig" class="directive"><code class="directive">TypesConfig</code></a> directive, and is <code>mime.types</code> by default.</p> - <hr /> - - <h2><a id="syntax" name="syntax">Syntax of the Configuration - Files</a></h2> + <h2><a name="syntax">Syntax of the Configuration Files</a></h2> + <p>Apache configuration files contain one directive per line. The back-slash "\" may be used as the last character on a line @@ -98,83 +54,35 @@ without starting the server by using <code>apachectl configtest</code> or the <code>-t</code> command line option.</p> - <hr /> - - <h2><a id="modules" name="modules">Modules</a></h2> - - <table border="1"> - <tr> - <td valign="top"><strong>Related Modules</strong><br /> - <br /> - <a href="mod/mod_so.html">mod_so</a><br /> - </td> - - <td valign="top"><strong>Related Directives</strong><br /> - <br /> - <a href="mod/core.html#addmodule">AddModule</a><br /> - <a - href="mod/core.html#clearmodulelist">ClearModuleList</a><br /> - <a - href="mod/core.html#ifmodule"><IfModule></a><br /> - <a href="mod/mod_so.html#loadmodule">LoadModule</a><br /> - </td> - </tr> - </table> + <h2><a name="modules">Modules</a></h2> + + + <table border="1"><tr><td valign="top"><strong>Related Modules</strong><br/><br/><code><a href="./mod/mod_so.html">mod_so</a></code><br/></td><td valign="top"><strong>Related Directives</strong><br/><br/><a href="./mod/core.html#addmodule" class="directive"><code class="directive">AddModule</code></a><br/><a href="./mod/core.html#clearmodulelist" class="directive"><code class="directive">ClearModuleList</code></a><br/><a href="./mod/core.html#ifmodule" class="directive"><code class="directive"><IfModule></code></a><br/><a href="./mod/mod_so.html#loadmodule" class="directive"><code class="directive">LoadModule</code></a><br/></td></tr></table> <p>Apache is a modular server. This implies that only the most basic functionality is included in the core server. Extended - features are available through <a - href="mod/index-bytype.html">modules</a> which can be loaded - into Apache. By default, a <a - href="mod/module-dict.html#Status">base</a> set of modules is + features are available through <a href="mod/index-bytype.html">modules</a> which can be loaded + into Apache. By default, a <a href="mod/module-dict.html#Status">base</a> set of modules is included in the server at compile-time. If the server is compiled to use <a href="dso.html">dynamically loaded</a> modules, then modules can be compiled separately and added at - any time using the <a - href="mod/mod_so.html#loadmodule">LoadModule</a> directive. + any time using the <a href="./mod/mod_so.html#loadmodule" class="directive"><code class="directive">LoadModule</code></a> + directive. Otherwise, Apache must be recompiled to add or remove modules. Configuration directives may be included conditional on a - presence of a particular module by enclosing them in an <a - href="mod/core.html#ifmodule"><IfModule></a> block.</p> + presence of a particular module by enclosing them in an<a href="./mod/core.html#ifmodule" class="directive"><code class="directive"><IfModule></code></a> block.</p> <p>To see which modules are currently compiled into the server, you can use the <code>-l</code> command line option.</p> - <hr /> - - <h2><a id="scope" name="scope">Scope of Directives</a></h2> - - <table border="1"> - <tr> - <td valign="top"><strong>Related Directives</strong><br /> - <br /> - <a - href="mod/core.html#directory"><Directory></a><br /> - <a - href="mod/core.html#directorymatch"><DirectoryMatch></a><br /> - <a href="mod/core.html#files"><Files></a><br /> - <a - href="mod/core.html#filesmatch"><FilesMatch></a><br /> - <a - href="mod/core.html#location"><Location></a><br /> - <a - href="mod/core.html#locationmatch"><LocationMatch></a><br /> - <a - href="mod/core.html#virtualhost"><VirtualHost></a><br /> - </td> - </tr> - </table> + <h2><a name="scope">Scope of Directives</a></h2> + + + <table border="1"><tr><td valign="top"><strong>Related Modules</strong><br/><br/></td><td valign="top"><strong>Related Directives</strong><br/><br/><a href="./mod/core.html#directory" class="directive"><code class="directive"><Directory></code></a><br/><a href="./mod/core.html#directorymatch" class="directive"><code class="directive"><DirectoryMatch></code></a><br/><a href="./mod/core.html#files" class="directive"><code class="directive"><Files></code></a><br/><a href="./mod/core.html#filesmatch" class="directive"><code class="directive"><FilesMatch></code></a><br/><a href="./mod/core.html#location" class="directive"><code class="directive"><Location></code></a><br/><a href="./mod/core.html#locationmatch" class="directive"><code class="directive"><LocationMatch></code></a><br/><a href="./mod/core.html#virtualhost" class="directive"><code class="directive"><VirtualHost></code></a><br/></td></tr></table> <p>Directives placed in the main configuration files apply to the entire server. If you wish to change the configuration for only a part of the server, you can scope your directives by - placing them in <code><a - href="mod/core.html#directory"><Directory></a>, <a - href="mod/core.html#directorymatch"><DirectoryMatch></a>, - <a href="mod/core.html#files"><Files></a>, <a - href="mod/core.html#filesmatch"><FilesMatch></a>, <a - href="mod/core.html#location"><Location></a>,</code> and - <code><a - href="mod/core.html#locationmatch"><LocationMatch></a></code> + placing them in <a href="./mod/core.html#directory" class="directive"><code class="directive"><Directory></code></a>, <a href="./mod/core.html#directorymatch" class="directive"><code class="directive"><DirectoryMatch></code></a>, <a href="./mod/core.html#files" class="directive"><code class="directive"><Files></code></a>, <a href="./mod/core.html#filesmatch" class="directive"><code class="directive"><FilesMatch></code></a>, <a href="./mod/core.html#location" class="directive"><code class="directive"><Location></code></a>, and <a href="./mod/core.html#locationmatch" class="directive"><code class="directive"><LocationMatch></code></a> sections. These sections limit the application of the directives which they enclose to particular filesystem locations or URLs. They can also be nested, allowing for very @@ -183,8 +91,7 @@ <p>Apache has the capability to serve many different websites simultaneously. This is called <a href="vhosts/">Virtual Hosting</a>. Directives can also be scoped by placing them - inside <code><a - href="mod/core.html#virtualhost"><VirtualHost></a></code> + inside <a href="./mod/core.html#virtualhost" class="directive"><code class="directive"><VirtualHost></code></a> sections, so that they will only apply to requests for a particular website.</p> @@ -192,32 +99,18 @@ sections, some directives do not make sense in some contexts. For example, directives controlling process creation can only be placed in the main server context. To find which directives - can be placed in which sections, check the <a - href="mod/directive-dict.html#Context">Context</a> of the - directive. For further information, we provide details on <a - href="sections.html">How Directory, Location and Files sections + can be placed in which sections, check the <a href="mod/directive-dict.html#Context">Context</a> of the + directive. For further information, we provide details on <a href="sections.html">How Directory, Location and Files sections work</a>.</p> - <hr /> - - <h2><a id="htaccess" name="htaccess">.htaccess Files</a></h2> - - <table border="1"> - <tr> - <td valign="top"><strong>Related Directives</strong><br /> - <br /> - <a - href="mod/core.html#accessfilename">AccessFileName</a><br /> - <a - href="mod/core.html#allowoverride">AllowOverride</a><br /> - </td> - </tr> - </table> + <h2><a name="htaccess">.htaccess Files</a></h2> + + + <table border="1"><tr><td valign="top"><strong>Related Modules</strong><br/><br/></td><td valign="top"><strong>Related Directives</strong><br/><br/><a href="./mod/core.html#accessfilename" class="directive"><code class="directive">AccessFileName</code></a><br/><a href="./mod/core.html#allowoverride" class="directive"><code class="directive">AllowOverride</code></a><br/></td></tr></table> <p>Apache allows for decentralized management of configuration via special files placed inside the web tree. The special files are usually called <code>.htaccess</code>, but any name can be - specified in the <a - href="mod/core.html#accessfilename"><code>AccessFileName</code></a> + specified in the <a href="./mod/core.html#accessfilename" class="directive"><code class="directive">AccessFileName</code></a> directive. Directives placed in <code>.htaccess</code> files apply to the directory where you place the file, and all sub-directories. The <code>.htaccess</code> files follow the @@ -226,19 +119,13 @@ made in these files take immediate effect.</p> <p>To find which directives can be placed in - <code>.htaccess</code> files, check the <a - href="mod/directive-dict.html#Context">Context</a> of the + <code>.htaccess</code> files, check the <a href="mod/directive-dict.html#Context">Context</a> of the directive. The server administrator further controls what directives may be placed in <code>.htaccess</code> files by - configuring the <a - href="mod/core.html#allowoverride"><code>AllowOverride</code></a> + configuring the <a href="./mod/core.html#allowoverride" class="directive"><code class="directive">AllowOverride</code></a> directive in the main configuration files.</p> <p>For more information on <code>.htaccess</code> files, see - Ken Coar's tutorial on <a - href="http://apache-server.com/tutorials/ATusing-htaccess.html"> + Ken Coar's tutorial on <a href="http://apache-server.com/tutorials/ATusing-htaccess.html"> Using .htaccess Files with Apache</a>.</p> - <!--#include virtual="footer.html" --> - </body> -</html> - + </blockquote><h3 align="center">Apache HTTP Server Version 2.0</h3><a href="./"><img src="./images/index.gif" alt="Index"/></a><a href="./"><img src="./images/home.gif" alt="Home"/></a></body></html>
\ No newline at end of file diff --git a/docs/manual/content-negotiation.html.en b/docs/manual/content-negotiation.html.en index 0f4e03ce31..8466779bb5 100644 --- a/docs/manual/content-negotiation.html.en +++ b/docs/manual/content-negotiation.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Content Negotiation</h1> + <h1 align="center">Content Negotiation</h1> <p>Apache's supports content negotiation as described in the HTTP/1.1 specification. It can choose the best @@ -606,7 +606,7 @@ <tt>CacheNegotiatedDocs</tt> can be used to allow caching of responses which were subject to negotiation. This directive can be given in the server config or virtual host, and takes no - arguments. It has no effect on requests from HTTP/1.1 clients. + arguments. It has no effect on requests from HTTP/1.1 clients.</p> <h2>More Information</h2> diff --git a/docs/manual/custom-error.html.en b/docs/manual/custom-error.html.en index 3cbb570436..2a4741d321 100644 --- a/docs/manual/custom-error.html.en +++ b/docs/manual/custom-error.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Custom error responses</h1> + <h1 align="center">Custom error responses</h1> <dl> <dt>Purpose</dt> diff --git a/docs/manual/developer/API.html b/docs/manual/developer/API.html index 2c0a4ad8cc..1d39165b8f 100644 --- a/docs/manual/developer/API.html +++ b/docs/manual/developer/API.html @@ -20,7 +20,7 @@ relevant, but please use it with care. </blockquote> - <h1 align="CENTER">Apache API notes</h1> + <h1 align="center">Apache API notes</h1> These are some notes on the Apache API and the data structures you have to deal with, <em>etc.</em> They are not yet nearly complete, but hopefully, they will help you get your bearings. diff --git a/docs/manual/developer/debugging.html b/docs/manual/developer/debugging.html index 79594dfbe5..b76522d4b9 100644 --- a/docs/manual/developer/debugging.html +++ b/docs/manual/developer/debugging.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Debugging Memory Allocation in APR<br /> + <h1 align="center">Debugging Memory Allocation in APR<br /> </h1> <p>The allocation mechanism's within APR have a number of diff --git a/docs/manual/developer/documenting.html b/docs/manual/developer/documenting.html index a342a62afe..77199bcddc 100644 --- a/docs/manual/developer/documenting.html +++ b/docs/manual/developer/documenting.html @@ -61,13 +61,12 @@ At the top of the header file, always include: * @package Name of library header */ </pre> -<pre> <br /> +<pre> ScanDoc uses a new html file for each package. The html files are named {Name_of_library_header}.html, so try to be concise with your names. - -<!--#include virtual="footer.html" --> </pre> + <!--#include virtual="footer.html" --> </body> </html> diff --git a/docs/manual/developer/footer.html b/docs/manual/developer/footer.html index 965ff02cf8..03ee28e6bd 100644 --- a/docs/manual/developer/footer.html +++ b/docs/manual/developer/footer.html @@ -1,6 +1,6 @@ <hr /> - <h3 align="CENTER">Apache HTTP Server Version 2.0</h3> + <h3 align="center">Apache HTTP Server Version 2.0</h3> <a href="./"><img src="../images/index.gif" alt="Index" /></a> <a href="../"><img src="../images/home.gif" alt="Home" /></a> diff --git a/docs/manual/developer/header.html b/docs/manual/developer/header.html index 749461de9e..78b9744837 100644 --- a/docs/manual/developer/header.html +++ b/docs/manual/developer/header.html @@ -1,4 +1,4 @@ - <div align="CENTER"> + <div align="center"> <img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" /> <h3>Apache HTTP Server Version 2.0</h3> diff --git a/docs/manual/developer/modules.html.en b/docs/manual/developer/modules.html.en index 259e27defe..f4934c9cae 100644 --- a/docs/manual/developer/modules.html.en +++ b/docs/manual/developer/modules.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">From Apache 1.3 to Apache 2.0<br /> + <h1 align="center">From Apache 1.3 to Apache 2.0<br /> Modules</h1> <p>This is a first attempt at writing the lessons I learned diff --git a/docs/manual/dns-caveats.html b/docs/manual/dns-caveats.html index a68c8c5a7e..4e771abdf9 100644 --- a/docs/manual/dns-caveats.html +++ b/docs/manual/dns-caveats.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Issues Regarding DNS and Apache</h1> + <h1 align="center">Issues Regarding DNS and Apache</h1> <p>This page could be summarized with the statement: <em>don't require Apache to use DNS for any parsing of the configuration @@ -210,8 +210,8 @@ a webserver has no requirement to do DNS lookups during configuration. But as of March 1997 these features have not been deployed widely enough to be put into use on critical - webservers. <!--#include virtual="footer.html" --> - </p> + webservers.</p> + <!--#include virtual="footer.html" --> </body> </html> diff --git a/docs/manual/ebcdic.html b/docs/manual/ebcdic.html index 8936ec3a4e..b543ab06dc 100644 --- a/docs/manual/ebcdic.html +++ b/docs/manual/ebcdic.html @@ -20,7 +20,7 @@ relevant, but please use it with care. </blockquote> - <h1 align="CENTER">Overview of the Apache EBCDIC Port</h1> + <h1 align="center">Overview of the Apache EBCDIC Port</h1> <p>Version 1.3 of the Apache HTTP Server is the first version which includes a port to a (non-ASCII) mainframe machine which @@ -52,7 +52,7 @@ <p>This document serves as a rationale to describe some of the design decisions of the port to this machine.</p> - <h2 align="CENTER">Design Goals</h2> + <h2 align="center">Design Goals</h2> <p>One objective of the EBCDIC port was to maintain enough backwards compatibility with the (EBCDIC) CERN server to make @@ -68,7 +68,7 @@ problem by defining an "ebcdic-handler" for all documents which must be converted.</p> - <h2 align="CENTER">Technical Solution</h2> + <h2 align="center">Technical Solution</h2> <p>Since all Apache input and output is based upon the BUFF data type and its methods, the easiest solution was to add the @@ -100,7 +100,7 @@ <br /> - <h2 align="CENTER">Porting Notes</h2> + <h2 align="center">Porting Notes</h2> <ol> <li> @@ -242,9 +242,9 @@ <br /> - <h2 align="CENTER">Document Storage Notes</h2> + <h2 align="center">Document Storage Notes</h2> - <h3 align="CENTER">Binary Files</h3> + <h3 align="center">Binary Files</h3> <p>All files with a <samp>Content-Type:</samp> which does not start with <samp>text/</samp> are regarded as <em>binary @@ -258,22 +258,22 @@ <samp>rcp -b</samp> command from the mainframe host (the -b switch is not supported in unix rcp's).</p> - <h3 align="CENTER">Text Documents</h3> + <h3 align="center">Text Documents</h3> <p>The default assumption of the server is that Text Files (<em>i.e.</em>, all files whose <samp>Content-Type:</samp> starts with <samp>text/</samp>) are stored in the native character set of the host, EBCDIC.</p> - <h3 align="CENTER">Server Side Included Documents</h3> + <h3 align="center">Server Side Included Documents</h3> <p>SSI documents must currently be stored in EBCDIC only. No provision is made to convert it from ASCII before processing.</p> - <h2 align="CENTER">Apache Modules' Status</h2> + <h2 align="center">Apache Modules' Status</h2> - <table border="1" align="middle"> + <table border="1" align="center"> <tr> <th>Module</th> @@ -283,318 +283,318 @@ </tr> <tr> - <td align="LEFT">http_core</td> + <td align="left">http_core</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_access</td> + <td align="left">mod_access</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_actions</td> + <td align="left">mod_actions</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_alias</td> + <td align="left">mod_alias</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_asis</td> + <td align="left">mod_asis</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_auth</td> + <td align="left">mod_auth</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_auth_anon</td> + <td align="left">mod_auth_anon</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_auth_dbm</td> + <td align="left">mod_auth_dbm</td> - <td align="CENTER">?</td> + <td align="center">?</td> <td>with own libdb.a</td> </tr> <tr> - <td align="LEFT">mod_autoindex</td> + <td align="left">mod_autoindex</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_cern_meta</td> + <td align="left">mod_cern_meta</td> - <td align="CENTER">?</td> + <td align="center">?</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_cgi</td> + <td align="left">mod_cgi</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_digest</td> + <td align="left">mod_digest</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_dir</td> + <td align="left">mod_dir</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_so</td> + <td align="left">mod_so</td> - <td align="CENTER">-</td> + <td align="center">-</td> <td>no shared libs</td> </tr> <tr> - <td align="LEFT">mod_env</td> + <td align="left">mod_env</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_example</td> + <td align="left">mod_example</td> - <td align="CENTER">-</td> + <td align="center">-</td> <td>(test bed only)</td> </tr> <tr> - <td align="LEFT">mod_expires</td> + <td align="left">mod_expires</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_headers</td> + <td align="left">mod_headers</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_imap</td> + <td align="left">mod_imap</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_include</td> + <td align="left">mod_include</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_info</td> + <td align="left">mod_info</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_log_agent</td> + <td align="left">mod_log_agent</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_log_config</td> + <td align="left">mod_log_config</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_log_referer</td> + <td align="left">mod_log_referer</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_mime</td> + <td align="left">mod_mime</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_mime_magic</td> + <td align="left">mod_mime_magic</td> - <td align="CENTER">?</td> + <td align="center">?</td> <td>not ported yet</td> </tr> <tr> - <td align="LEFT">mod_negotiation</td> + <td align="left">mod_negotiation</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_proxy</td> + <td align="left">mod_proxy</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_rewrite</td> + <td align="left">mod_rewrite</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td>untested</td> </tr> <tr> - <td align="LEFT">mod_setenvif</td> + <td align="left">mod_setenvif</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_speling</td> + <td align="left">mod_speling</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_status</td> + <td align="left">mod_status</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_unique_id</td> + <td align="left">mod_unique_id</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_userdir</td> + <td align="left">mod_userdir</td> - <td align="CENTER">+</td> + <td align="center">+</td> <td> </td> </tr> <tr> - <td align="LEFT">mod_usertrack</td> + <td align="left">mod_usertrack</td> - <td align="CENTER">?</td> + <td align="center">?</td> <td>untested</td> </tr> </table> - <h2 align="CENTER">Third Party Modules' Status</h2> + <h2 align="center">Third Party Modules' Status</h2> - <table border="1" align="middle"> + <table border="1" align="center"> <tr> <th>Module</th> @@ -604,40 +604,40 @@ </tr> <tr> - <td align="LEFT"><a + <td align="left"><a href="http://java.apache.org/">mod_jserv</a> </td> - <td align="CENTER">-</td> + <td align="center">-</td> <td>JAVA still being ported.</td> </tr> <tr> - <td align="LEFT"><a href="http://www.php.net/">mod_php3</a> + <td align="left"><a href="http://www.php.net/">mod_php3</a> </td> - <td align="CENTER">+</td> + <td align="center">+</td> <td>mod_php3 runs fine, with LDAP and GD and FreeType libraries</td> </tr> <tr> - <td align="LEFT"><a + <td align="left"><a href="http://hpwww.ec-lyon.fr/~vincent/apache/mod_put.html"> mod_put</a> </td> - <td align="CENTER">?</td> + <td align="center">?</td> <td>untested</td> </tr> <tr> - <td align="LEFT"><a + <td align="left"><a href="ftp://hachiman.vidya.com/pub/apache/">mod_session</a> </td> - <td align="CENTER">-</td> + <td align="center">-</td> <td>untested</td> </tr> diff --git a/docs/manual/faq/footer.html b/docs/manual/faq/footer.html index 54f6044a57..bda0e28b8b 100644 --- a/docs/manual/faq/footer.html +++ b/docs/manual/faq/footer.html @@ -1,6 +1,6 @@ <hr /> - <h3 align="CENTER">Apache HTTP Server Version 2.0</h3> + <h3 align="center">Apache HTTP Server Version 2.0</h3> <a href="./"><img src="../images/index.gif" alt="Index" /></a> <a href="../"><img src="../images/home.gif" alt="Home" /></a> diff --git a/docs/manual/faq/header.html b/docs/manual/faq/header.html index cbdcb99591..61d9a9121b 100644 --- a/docs/manual/faq/header.html +++ b/docs/manual/faq/header.html @@ -1,4 +1,4 @@ - <div align="CENTER"> + <div align="center"> <img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" /> <h3>Apache HTTP Server Version 2.0</h3> diff --git a/docs/manual/faq/index.html b/docs/manual/faq/index.html index 5916e75968..0cf11788d0 100644 --- a/docs/manual/faq/index.html +++ b/docs/manual/faq/index.html @@ -17,7 +17,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Frequently Asked Questions</h1> + <h1 align="center">Frequently Asked Questions</h1> <p>The latest version of this FAQ is always available from the main Apache web site, at <<a diff --git a/docs/manual/faq/support.html b/docs/manual/faq/support.html index 1501ec7687..f8fd9b3de4 100644 --- a/docs/manual/faq/support.html +++ b/docs/manual/faq/support.html @@ -15,7 +15,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Frequently Asked Questions</h1> + <h1 align="center">Frequently Asked Questions</h1> <!--#endif --> <h2><a id="support.html" name="support.html">Support</a></h2> @@ -111,6 +111,7 @@ href="http://groups.google.com/groups?group=comp.infosystems.www.authoring.cgi"> google</a>]</li> </ul> + </li> <li> <strong>If all else fails, report the problem in the bug diff --git a/docs/manual/filter.html.en b/docs/manual/filter.html.en index 7c1b2b46de..85c460ab38 100644 --- a/docs/manual/filter.html.en +++ b/docs/manual/filter.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Filters</h1> + <h1 align="center">Filters</h1> <table border="1"> <tr> diff --git a/docs/manual/footer.html b/docs/manual/footer.html index 48bfc2cbfb..74b1ddf0f5 100644 --- a/docs/manual/footer.html +++ b/docs/manual/footer.html @@ -1,6 +1,6 @@ <hr /> - <h3 align="CENTER">Apache HTTP Server Version 2.0</h3> + <h3 align="center">Apache HTTP Server Version 2.0</h3> <a href="./"><img src="images/index.gif" alt="Index" /></a> diff --git a/docs/manual/glossary.html b/docs/manual/glossary.html index 8a328768c8..90e0a03ff3 100644 --- a/docs/manual/glossary.html +++ b/docs/manual/glossary.html @@ -9,7 +9,7 @@ <body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> -<h1 align="CENTER">Glossary</h1> +<h1 align="center">Glossary</h1> @@ -147,7 +147,7 @@ a network entity, consisting of a hostname and a domain name that can resolve to an IP address. For example, <code>www</code> is a hostname, <code>whatever.com</code> is a domain name, and <code>www.whatever.com</code> is a fully-qualified domain name.<br -/><br /></dt> +/><br /></dd> <dt><a name="handler">Handler</a></dt> <dd>An internal Apache representation of the action to be performed when a file is @@ -238,7 +238,7 @@ href="ssl/">SSL/TLS Encryption</a><br /><br /></dd> <dd>The unencrypted text.<br /><br /></dd> <dt><a name="privatekey">Private Key</a></dt> <dd>The secret key in a -<a name="#publickeycryptography">Public Key Cryptography</a> system, +<a name="publickeycryptography">Public Key Cryptography</a> system, used to decrypt incoming messages and sign outgoing ones.<br /> See: <a href="ssl/">SSL/TLS Encryption</a><br /><br /></dd> @@ -249,10 +249,10 @@ server, and then returns the response from the origin server to the client. If several clients request the same content, the proxy can deliver that content from its cache, rather than requesting it from the origin server each time, thereby reducing response time.<br /> -See: <a href="mod/mod_proxy.html">mod_proxy</a><br /><br /></dt> +See: <a href="mod/mod_proxy.html">mod_proxy</a><br /><br /></dd> <dt><a name="publickey">Public Key</a></dt> <dd>The publically -available key in a <a name="#publickeycryptography">Public Key +available key in a <a name="publickeycryptography">Public Key Cryptography</a> system, used to encrypt messages bound for its owner and to decrypt signatures made by its owner.<br /> See: <a href="ssl/">SSL/TLS Encryption</a><br /><br /></dd> @@ -279,7 +279,7 @@ Apache uses Perl Compatible Regular Expressions provided by the href="#proxy">proxy</a> server that appears to the client as if it is an <em>origin server</em>. This is useful to hide the real origin server from the client for security reasons, or to load balance.<br -/><br /></dt> +/><br /></dd> <dt><a name="securesocketslayer">Secure Sockets Layer</a> <a name="ssl">(SSL)</a></dt> <dd>A protocol created by Netscape @@ -341,11 +341,11 @@ documentation</a><br /><br /></dd> <dt><a name="x.509">X.509</a></dt> <dd>An authentication certificate scheme recommended by the International Telecommunication Union -(ITU-T) which is used for SSL/TLS authentication.<br > See: <a +(ITU-T) which is used for SSL/TLS authentication.<br /> See: <a href="ssl/">SSL/TLS Encryption</a><br /><br /></dd> </dl> -<p><!--#include virtual="footer.html" --> </p> +<!--#include virtual="footer.html" --> </body> </html>
\ No newline at end of file diff --git a/docs/manual/handler.html.en b/docs/manual/handler.html.en index 8545b0da26..f937095dcd 100644 --- a/docs/manual/handler.html.en +++ b/docs/manual/handler.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Apache's Handler Use</h1> + <h1 align="center">Apache's Handler Use</h1> <ul> <li><a href="#definition">What is a Handler</a></li> diff --git a/docs/manual/header.html b/docs/manual/header.html index 040cd98d4c..579bb14f8f 100644 --- a/docs/manual/header.html +++ b/docs/manual/header.html @@ -1,4 +1,4 @@ - <div align="CENTER"> + <div align="center"> <img src="images/sub.gif" alt="[APACHE DOCUMENTATION]" /> <h3>Apache HTTP Server Version 2.0</h3> diff --git a/docs/manual/howto/cgi.html.en b/docs/manual/howto/cgi.html.en index 8d80d532d5..8322e0ed0a 100644 --- a/docs/manual/howto/cgi.html.en +++ b/docs/manual/howto/cgi.html.en @@ -14,7 +14,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Dynamic Content with CGI</h1> + <h1 align="center">Dynamic Content with CGI</h1> <a id="__index__" name="__index__"></a> <!-- INDEX BEGIN --> diff --git a/docs/manual/howto/footer.html b/docs/manual/howto/footer.html index 965ff02cf8..03ee28e6bd 100644 --- a/docs/manual/howto/footer.html +++ b/docs/manual/howto/footer.html @@ -1,6 +1,6 @@ <hr /> - <h3 align="CENTER">Apache HTTP Server Version 2.0</h3> + <h3 align="center">Apache HTTP Server Version 2.0</h3> <a href="./"><img src="../images/index.gif" alt="Index" /></a> <a href="../"><img src="../images/home.gif" alt="Home" /></a> diff --git a/docs/manual/howto/header.html b/docs/manual/howto/header.html index 749461de9e..78b9744837 100644 --- a/docs/manual/howto/header.html +++ b/docs/manual/howto/header.html @@ -1,4 +1,4 @@ - <div align="CENTER"> + <div align="center"> <img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" /> <h3>Apache HTTP Server Version 2.0</h3> diff --git a/docs/manual/howto/ssi.html.en b/docs/manual/howto/ssi.html.en index 90e82d1fba..e80a2a2988 100644 --- a/docs/manual/howto/ssi.html.en +++ b/docs/manual/howto/ssi.html.en @@ -15,7 +15,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Apache Tutorial: Introduction to Server Side + <h1 align="center">Apache Tutorial: Introduction to Server Side Includes</h1> <a id="__index__" name="__index__"></a> <!-- INDEX BEGIN --> @@ -34,7 +34,7 @@ <a href="#basicssidirectives">Basic SSI directives</a> <ul> - <li><a href="#today'sdate">Today's date</a></li> + <li><a href="#todaysdate">Today's date</a></li> <li><a href="#modificationdateofthefile">Modification date of the file</a></li> @@ -237,7 +237,7 @@ series. For now, here are some examples of what you can do with SSI</p> - <h3><a id="today'sdate" name="today'sdate">Today's + <h3><a id="todaysdate" name="todaysdate">Today's date</a></h3> <pre> <!--#echo var="DATE_LOCAL" --> diff --git a/docs/manual/install.html.en b/docs/manual/install.html.en index 7495c5aeb6..be9eaaf4ae 100644 --- a/docs/manual/install.html.en +++ b/docs/manual/install.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Compiling and Installing</h1> + <h1 align="center">Compiling and Installing</h1> <p>This document covers compilation and installation of Apache on Unix and Unix-like systems only. For compiling and diff --git a/docs/manual/invoking.html.en b/docs/manual/invoking.html.en index a9c625551f..3ab8d7f473 100644 --- a/docs/manual/invoking.html.en +++ b/docs/manual/invoking.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Starting Apache</h1> + <h1 align="center">Starting Apache</h1> <ul> <li><a href="#windows">Starting Apache on Windows</a></li> diff --git a/docs/manual/misc/custom_errordocs.html b/docs/manual/misc/custom_errordocs.html index 2623a97331..6a426a76f2 100644 --- a/docs/manual/misc/custom_errordocs.html +++ b/docs/manual/misc/custom_errordocs.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Using XSSI and <samp>ErrorDocument</samp> to + <h1 align="center">Using XSSI and <samp>ErrorDocument</samp> to configure customized international server error responses</h1> <h2>Index</h2> diff --git a/docs/manual/misc/descriptors.html b/docs/manual/misc/descriptors.html index 6f8485c09c..75aaedf874 100644 --- a/docs/manual/misc/descriptors.html +++ b/docs/manual/misc/descriptors.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Descriptors and Apache</h1> + <h1 align="center">Descriptors and Apache</h1> <p>A <em>descriptor</em>, also commonly called a <em>file handle</em> is an object that a program uses to read or write @@ -189,9 +189,8 @@ you problems, you can disable it. Add <code>-DNO_SLACK</code> to <code>EXTRA_CFLAGS</code> and rebuild. But please report it to our <a href="http://httpd.apache.org/bug_report.html">Bug - Report Page</a> so that we can investigate. + Report Page</a> so that we can investigate. </p> <!--#include virtual="footer.html" --> - </p> </body> </html> diff --git a/docs/manual/misc/fin_wait_2.html b/docs/manual/misc/fin_wait_2.html index 5b3276e58a..413bab5571 100644 --- a/docs/manual/misc/fin_wait_2.html +++ b/docs/manual/misc/fin_wait_2.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Connections in the FIN_WAIT_2 state and + <h1 align="center">Connections in the FIN_WAIT_2 state and Apache</h1> <ol> @@ -248,7 +248,7 @@ patch available</a> for adding a timeout to the FIN_WAIT_2 state; it was originally intended for BSD/OS, but should be adaptable to most systems using BSD networking code. You - need kernel source code to be able to use it. + need kernel source code to be able to use it. </p> <h3>Compile without using <code>lingering_close()</code></h3> diff --git a/docs/manual/misc/footer.html b/docs/manual/misc/footer.html index 24e2703091..5ee7eec68a 100644 --- a/docs/manual/misc/footer.html +++ b/docs/manual/misc/footer.html @@ -1,5 +1,5 @@ <hr /> - <h3 align="CENTER">Apache HTTP Server Version 2.0</h3> + <h3 align="center">Apache HTTP Server Version 2.0</h3> <a href="./"><img src="../images/index.gif" alt="Index" /></a> <a href="../"><img src="../images/home.gif" alt="Home" /></a> diff --git a/docs/manual/misc/header.html b/docs/manual/misc/header.html index 749461de9e..78b9744837 100644 --- a/docs/manual/misc/header.html +++ b/docs/manual/misc/header.html @@ -1,4 +1,4 @@ - <div align="CENTER"> + <div align="center"> <img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" /> <h3>Apache HTTP Server Version 2.0</h3> diff --git a/docs/manual/misc/index.html b/docs/manual/misc/index.html index 8e05abcea4..eb40b5996f 100644 --- a/docs/manual/misc/index.html +++ b/docs/manual/misc/index.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Apache Miscellaneous Documentation</h1> + <h1 align="center">Apache Miscellaneous Documentation</h1> <p>Below is a list of additional documentation pages that apply to the Apache web server development project.</p> diff --git a/docs/manual/misc/known_client_problems.html b/docs/manual/misc/known_client_problems.html index 54643ef69a..1896aeabbe 100644 --- a/docs/manual/misc/known_client_problems.html +++ b/docs/manual/misc/known_client_problems.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Known Problems in Clients</h1> + <h1 align="center">Known Problems in Clients</h1> <p>Over time the Apache Group has discovered or been notified of problems with various clients which we have had to work @@ -149,7 +149,7 @@ href="http://www.apache.org/dist/httpd/patches/apply_to_1.2.1/msie_4_0b2_fixes.patch"> patch</a> against 1.2.1. - <h3><a id="257th-byte" name="257th-byte">Boundary problems with + <h3><a id="byte-257" name="byte-257">Boundary problems with header parsing</a></h3> <p>All versions of Navigator from 2.0 through 4.0b2 (and diff --git a/docs/manual/misc/perf-tuning.html b/docs/manual/misc/perf-tuning.html index fbe23faef1..586486e848 100644 --- a/docs/manual/misc/perf-tuning.html +++ b/docs/manual/misc/perf-tuning.html @@ -706,7 +706,7 @@ DirectoryIndex index.cgi index.pl index.shtml index.html <p>Here is a system call trace of Apache 2.0.38 with the worker MPM on Solaris 8. This trace was collected using:</p> <blockquote> -<code>truss -l -p <i>httpd_child_pid</i></code>.</code> +<code>truss -l -p <i>httpd_child_pid</i></code>. </blockquote> <p>The <code>-l</code> option tells truss to log the ID of the LWP (lightweight process--Solaris's form of kernel-level thread) @@ -719,13 +719,14 @@ DirectoryIndex index.cgi index.pl index.shtml index.html <p>In this trace, a client has requested a 10KB static file from the httpd. Traces of non-static requests or requests with content negotiation look wildly different (and quite ugly - in some cases). + in some cases).</p> - <blockquote> +<blockquote> <pre> /67: accept(3, 0x00200BEC, 0x00200C0C, 1) (sleeping...) /67: accept(3, 0x00200BEC, 0x00200C0C, 1) = 9 </pre> +</blockquote> <blockquote> <p>In this trace, the listener thread is running within LWP #67.</p> <p>Note the lack of accept(2) serialization. On this particular @@ -763,7 +764,7 @@ custom memory allocators (<code>apr_pool</code> and <code>apr_bucket_alloc</code>) for most request processing. In this trace, the httpd has just been started, so it must call malloc(3) to get the blocks of raw memory with which -to create the custom memory allocators. +to create the custom memory allocators.</p> </blockquote> <pre> /65: fcntl(9, F_GETFL, 0x00000000) = 2 @@ -795,7 +796,7 @@ and <code>AllowOverride None</code>. Thus it doesn't need to lstat(2) each directory in the path leading up to the requested file, nor check for <code>.htaccess</code> files. It simply calls stat(2) to verify that the file: 1) exists, and 2) is a regular file, not a -directory. +directory.</p> </blockquote> <pre> /65: sendfilev(0, 9, 0x00200F90, 2, 0xFAF7B53C) = 10269 @@ -836,7 +837,7 @@ as much overhead as a typical system call.</p> and blocks until the listener assigns it another connection.</p> </blockquote> <pre> -/67: accept(3, 0x001FEB74, 0x001FEB94, 1) (sleeping...)</pre> +/67: accept(3, 0x001FEB74, 0x001FEB94, 1) (sleeping...) </pre> <blockquote> <p>Meanwhile, the listener thread is able to accept another connection @@ -847,8 +848,7 @@ this trace, the next accept(2) can (and usually does, under high load conditions) occur in parallel with the worker thread's handling of the just-accepted connection.</p> </blockquote> - </blockquote> - + <!--#include virtual="footer.html" --> </body> </html> diff --git a/docs/manual/misc/rewriteguide.html b/docs/manual/misc/rewriteguide.html index 7ad778f62a..8079c2b88e 100644 --- a/docs/manual/misc/rewriteguide.html +++ b/docs/manual/misc/rewriteguide.html @@ -14,7 +14,7 @@ <blockquote> <!--#include virtual="header.html" --> - <div align="CENTER"> + <div align="center"> <h1>Apache 1.3<br /> URL Rewriting Guide<br /> </h1> diff --git a/docs/manual/misc/security_tips.html b/docs/manual/misc/security_tips.html index 26a47fbfa1..1223afcb11 100644 --- a/docs/manual/misc/security_tips.html +++ b/docs/manual/misc/security_tips.html @@ -12,7 +12,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Security Tips for Server Configuration</h1> + <h1 align="center">Security Tips for Server Configuration</h1> <ul> <li><a href="#serverroot">Permissions on ServerRoot @@ -342,7 +342,7 @@ href="http://httpd.apache.org/bug_report.html">please let us know</a>.</p> - <p><!--#include virtual="footer.html" --></p> + <!--#include virtual="footer.html" --> </body> </html> diff --git a/docs/manual/misc/tutorials.html b/docs/manual/misc/tutorials.html index 17f488a676..020c760ec0 100644 --- a/docs/manual/misc/tutorials.html +++ b/docs/manual/misc/tutorials.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Apache Tutorials</h1> + <h1 align="center">Apache Tutorials</h1> <blockquote> <strong>Warning:</strong> This document has not been updated @@ -204,8 +204,8 @@ <p>If you have a pointer to an accurate and well-written tutorial not included here, please let us know by submitting it to the <a href="http://bugs.apache.org/">Apache Bug - Database</a>. <!--#include virtual="footer.html" --> - </p> + Database</a>. </p> + <!--#include virtual="footer.html" --> </body> </html> diff --git a/docs/manual/mod/directive-dict.html.en b/docs/manual/mod/directive-dict.html.en index deedf08aca..1f539b1b28 100644 --- a/docs/manual/mod/directive-dict.html.en +++ b/docs/manual/mod/directive-dict.html.en @@ -14,7 +14,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Terms Used to Describe Apache + <h1 align="center">Terms Used to Describe Apache Directives</h1> <p>Each Apache configuration directive is described using a diff --git a/docs/manual/mod/footer.html b/docs/manual/mod/footer.html index 54f6044a57..bda0e28b8b 100644 --- a/docs/manual/mod/footer.html +++ b/docs/manual/mod/footer.html @@ -1,6 +1,6 @@ <hr /> - <h3 align="CENTER">Apache HTTP Server Version 2.0</h3> + <h3 align="center">Apache HTTP Server Version 2.0</h3> <a href="./"><img src="../images/index.gif" alt="Index" /></a> <a href="../"><img src="../images/home.gif" alt="Home" /></a> diff --git a/docs/manual/mod/header.html b/docs/manual/mod/header.html index 749461de9e..78b9744837 100644 --- a/docs/manual/mod/header.html +++ b/docs/manual/mod/header.html @@ -1,4 +1,4 @@ - <div align="CENTER"> + <div align="center"> <img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" /> <h3>Apache HTTP Server Version 2.0</h3> diff --git a/docs/manual/new_features_2_0.html.en b/docs/manual/new_features_2_0.html.en index f977e65f2c..cadb5dd856 100644 --- a/docs/manual/new_features_2_0.html.en +++ b/docs/manual/new_features_2_0.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Overview of New Features in Apache 2.0</h1> + <h1 align="center">Overview of New Features in Apache 2.0</h1> <p>Enhancements: <a href="#core">Core</a> | <a href="#module">Module</a></p> diff --git a/docs/manual/platform/netware.html b/docs/manual/platform/netware.html index fe465fc356..f22ee8ee6b 100644 --- a/docs/manual/platform/netware.html +++ b/docs/manual/platform/netware.html @@ -13,20 +13,20 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Using Apache With Novell NetWare</h1> + <h1 align="center">Using Apache With Novell NetWare</h1> <p>This document explains how to install, configure and run Apache 2.0 under Novell NetWare 5.x and above. If you find any bugs, or wish to contribute in other ways, please - use our <a HREF="http://httpd.apache.org/bug_report.html">bug reporting + use our <a href="http://httpd.apache.org/bug_report.html">bug reporting page.</a></p> <p>The bug reporting page and dev-httpd mailing list are <em>not</em> provided to answer questions about configuration or running Apache. Before you submit a bug report or request, first consult this document, the - <a HREF="faq/index.html">Frequently Asked Questions</a> page and the other + <a href="faq/index.html">Frequently Asked Questions</a> page and the other relevant documentation topics. If you still have a question or problem, - post it to the <a HREF="news://developer-forums.novell.com/novell.devsup.webserver"> + post it to the <a href="news://developer-forums.novell.com/novell.devsup.webserver"> novell.devsup.webserver</a> newsgroup, where many Apache users are more than willing to answer new and obscure questions about using Apache on NetWare.</p> diff --git a/docs/manual/platform/perf-hp.html b/docs/manual/platform/perf-hp.html index 9a88c4b08e..26d6bb33d9 100644 --- a/docs/manual/platform/perf-hp.html +++ b/docs/manual/platform/perf-hp.html @@ -15,7 +15,7 @@ <!--#include virtual="header.html" --> - <h1 align="CENTER">Running a High-Performance Web Server for + <h1 align="center">Running a High-Performance Web Server for HPUX</h1> <pre> Date: Wed, 05 Nov 1997 16:59:34 -0800 @@ -92,7 +92,7 @@ Subject: HP-UX tuning tips href="http://www.cup.hp.com/netperf/NetperfPage.html">http://www.cup.hp.com/netperf/NetperfPage.html</a></p> <hr /> - <h3 align="CENTER">Apache HTTP Server Version 1.3</h3> + <h3 align="center">Apache HTTP Server Version 1.3</h3> <a href="./"><img src="../images/index.gif" alt="Index" /></a> <a href="../"><img src="../images/home.gif" alt="Home" /></a> </body> diff --git a/docs/manual/platform/win_service.html b/docs/manual/platform/win_service.html index 405ff5108c..70c324231f 100644 --- a/docs/manual/platform/win_service.html +++ b/docs/manual/platform/win_service.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Running Apache for Windows as a Service</h1> + <h1 align="center">Running Apache for Windows as a Service</h1> <p>Apache can be run as a service on Windows NT/2000. (There is also some HIGHLY EXPERIMENTAL support for similar behavior on diff --git a/docs/manual/platform/windows.html b/docs/manual/platform/windows.html index dc03236a47..c0cd2b1e01 100644 --- a/docs/manual/platform/windows.html +++ b/docs/manual/platform/windows.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Using Apache with Microsoft Windows</h1> + <h1 align="center">Using Apache with Microsoft Windows</h1> <p>This document explains how to install, configure and run Apache 2.0 under Microsoft Windows. If you find any bugs, or diff --git a/docs/manual/programs/footer.html b/docs/manual/programs/footer.html index 54f6044a57..bda0e28b8b 100644 --- a/docs/manual/programs/footer.html +++ b/docs/manual/programs/footer.html @@ -1,6 +1,6 @@ <hr /> - <h3 align="CENTER">Apache HTTP Server Version 2.0</h3> + <h3 align="center">Apache HTTP Server Version 2.0</h3> <a href="./"><img src="../images/index.gif" alt="Index" /></a> <a href="../"><img src="../images/home.gif" alt="Home" /></a> diff --git a/docs/manual/programs/header.html b/docs/manual/programs/header.html index 749461de9e..78b9744837 100644 --- a/docs/manual/programs/header.html +++ b/docs/manual/programs/header.html @@ -1,4 +1,4 @@ - <div align="CENTER"> + <div align="center"> <img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" /> <h3>Apache HTTP Server Version 2.0</h3> diff --git a/docs/manual/programs/index.html b/docs/manual/programs/index.html index 9964f1c0ab..2cb298a7ae 100755 --- a/docs/manual/programs/index.html +++ b/docs/manual/programs/index.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Server and Supporting Programs</h1> + <h1 align="center">Server and Supporting Programs</h1> <p>This page documents all the executable programs included with the Apache HTTP Server.</p> diff --git a/docs/manual/programs/other.html b/docs/manual/programs/other.html index 226674ded5..80b4819487 100755 --- a/docs/manual/programs/other.html +++ b/docs/manual/programs/other.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Other Programs</h1> + <h1 align="center">Other Programs</h1> <p>The following programs are simple support programs included with the Apache HTTP Server which do not have their own manual diff --git a/docs/manual/sections.html.en b/docs/manual/sections.html.en index 94a7ed1cb6..2324296576 100644 --- a/docs/manual/sections.html.en +++ b/docs/manual/sections.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">How Directory, Location and Files sections + <h1 align="center">How Directory, Location and Files sections work</h1> <p>The sections <a diff --git a/docs/manual/ssl/footer.html b/docs/manual/ssl/footer.html index 965ff02cf8..03ee28e6bd 100644 --- a/docs/manual/ssl/footer.html +++ b/docs/manual/ssl/footer.html @@ -1,6 +1,6 @@ <hr /> - <h3 align="CENTER">Apache HTTP Server Version 2.0</h3> + <h3 align="center">Apache HTTP Server Version 2.0</h3> <a href="./"><img src="../images/index.gif" alt="Index" /></a> <a href="../"><img src="../images/home.gif" alt="Home" /></a> diff --git a/docs/manual/ssl/header.html b/docs/manual/ssl/header.html index 749461de9e..78b9744837 100644 --- a/docs/manual/ssl/header.html +++ b/docs/manual/ssl/header.html @@ -1,4 +1,4 @@ - <div align="CENTER"> + <div align="center"> <img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" /> <h3>Apache HTTP Server Version 2.0</h3> diff --git a/docs/manual/ssl/index.html.en b/docs/manual/ssl/index.html.en index 971686a1b7..b843a19005 100644 --- a/docs/manual/ssl/index.html.en +++ b/docs/manual/ssl/index.html.en @@ -9,7 +9,7 @@ <body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> -<h1 align="CENTER">SSL/TLS Strong Encryption</h1> +<h1 align="center">SSL/TLS Strong Encryption</h1> <p>The Apache HTTP Server module <a href="../mod/mod_ssl.html">mod_ssl</a> provides an interface to the <a @@ -31,6 +31,6 @@ provided by this module is provided in the <a href="../mod/mod_ssl.html">mod_ssl reference documentation</a>.</p> -<p><!--#include virtual="footer.html" --> </p> + <!--#include virtual="footer.html" --> </body> </html> diff --git a/docs/manual/ssl/ssl_compat.html b/docs/manual/ssl/ssl_compat.html index 9b395c0289..18ae58bdb3 100644 --- a/docs/manual/ssl/ssl_compat.html +++ b/docs/manual/ssl/ssl_compat.html @@ -5,9 +5,9 @@ <head> <title>Apache SSL/TLS Encryption: Compatibility</title> <style type="text/css"><!-- -#H { +.H { } -#D { +.D { background-color: #f0f0f0; } --></style> @@ -16,7 +16,7 @@ <body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> -<h1 align="CENTER">SSL/TLS Strong Encryption: Compatibility</h1> +<h1 align="center">SSL/TLS Strong Encryption: Compatibility</h1> <div align="right"> <table cellspacing="0" cellpadding="0" width="200" summary=""> @@ -56,7 +56,7 @@ The idea in mod_ssl is mainly the following: because mod_ssl provides mostly a superset of the functionality of all other solutions we can easily provide backward compatibility for most of the cases. Actually there are three compatibility areas we currently address: configuration directives, -environment variables and custom log functions. +environment variables and custom log functions.</p> <ul> <li><a href="#ToC1">Configuration Directives</a></li> @@ -65,7 +65,7 @@ environment variables and custom log functions. </ul> <h2><a name="ToC1">Configuration Directives</a></h2> -For backward compatibility to the configuration directives of other SSL +<p>For backward compatibility to the configuration directives of other SSL solutions we do an on-the-fly mapping: directives which have a direct counterpart in mod_ssl are mapped silently while other directives lead to a warning message in the logfiles. The currently implemented directive mapping @@ -76,167 +76,164 @@ special functionality in these interfaces which mod_ssl (still) doesn't provide.</p> -<p> <div align="center"> <a name="table1"></a> <table width="600" cellspacing="0" cellpadding="1" border="0" summary=""> -<caption align="bottom" id="sf">Table 1: Configuration Directive Mapping</caption> +<caption align="bottom" >Table 1: Configuration Directive Mapping</caption> <tr><td bgcolor="#cccccc"> <table width="598" cellpadding="5" cellspacing="0" border="0" summary=""> <tr><td valign="top" align="center" bgcolor="#ffffff"> <table border="0" cellspacing="0" cellpadding="2" width="598" summary=""> -<tr id="D"> +<tr class="D"> <td><strong>Old Directive</strong></td> <td><strong>mod_ssl Directive</strong></td> <td><strong>Comment</strong></td> </tr> -<tr id="H"><td colspan="3"><b>Apache-SSL 1.x & mod_ssl 2.0.x compatibility:</b></td></tr> -<tr id="D"><td><code>SSLEnable</code></td><td><code>SSLEngine on</code></td><td>compactified</td></tr> -<tr id="H"><td><code>SSLDisable</code></td><td><code>SSLEngine off</code></td><td>compactified</td></tr> -<tr id="D"><td><code>SSLLogFile</code> <em>file</em></td><td><code>SSLLog</code> <em>file</em></td><td>compactified</td></tr> -<tr id="H"><td><code>SSLRequiredCiphers</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr> -<tr id="D"><td><code>SSLRequireCipher</code> <em>c1</em> ...</td><td><code>SSLRequire %{SSL_CIPHER} in {"</code><em>c1</em><code>", ...}</code></td><td>generalized</td></tr> -<tr id="H"><td><code>SSLBanCipher</code> <em>c1</em> ...</td><td><code>SSLRequire not (%{SSL_CIPHER} in {"</code><em>c1</em><code>", ...})</code></td><td>generalized</td></tr> -<tr id="D"><td><code>SSLFakeBasicAuth</td><td><code>SSLOptions +FakeBasicAuth</code></td><td>merged</td></tr> -<tr id="H"><td><code>SSLCacheServerPath</code> <em>dir</em></td><td>-</td><td>functionality removed</td></tr> -<tr id="D"><td><code>SSLCacheServerPort</code> <em>integer</em></td><td>-</td><td>functionality removed</td></tr> -<tr id="H"><td colspan="3"><b>Apache-SSL 1.x compatibility:</b></td></tr> -<tr id="D"><td><code>SSLExportClientCertificates</td><td><code>SSLOptions +ExportCertData</code></td><td>merged</td></tr> -<tr id="H"><td><code>SSLCacheServerRunDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="D"><td colspan="3"><b>Sioux 1.x compatibility:</b></td></tr> -<tr id="H"><td><code>SSL_CertFile</code> <em>file</em></td><td><code>SSLCertificateFile</code> <em>file</em></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_KeyFile</code> <em>file</em></td><td><code>SSLCertificateKeyFile</code> <em>file</em></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_CipherSuite</code> <em>arg</em></td><td><code>SSLCipherSuite</code> <em>arg</em></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_X509VerifyDir</code> <em>arg</em></td><td><code>SSLCACertificatePath</code> <em>arg</em></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_Log</code> <em>file</em></td><td><code>SSLLogFile</code> <em>file</em></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_Connect</code> <em>flag</em></td><td><code>SSLEngine</code> <em>flag</em></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_ClientAuth</code> <em>arg</em></td><td><code>SSLVerifyClient</code> <em>arg</em></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_X509VerifyDepth</code> <em>arg</em></td><td><code>SSLVerifyDepth</code> <em>arg</em></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_FetchKeyPhraseFrom</code> <em>arg</em></td><td>-</td><td>not directly mappable; use SSLPassPhraseDialog</td></tr> -<tr id="D"><td><code>SSL_SessionDir</code> <em>dir</em></td><td>-</td><td>not directly mappable; use SSLSessionCache</td></tr> -<tr id="H"><td><code>SSL_Require</code> <em>expr</em></td><td>-</td><td>not directly mappable; use SSLRequire</td></tr> -<tr id="D"><td><code>SSL_CertFileType</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="H"><td><code>SSL_KeyFileType</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="D"><td><code>SSL_X509VerifyPolicy</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="H"><td><code>SSL_LogX509Attributes</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="D"><td colspan="3"><b>Stronghold 2.x compatibility:</b></td></tr> -<tr id="H"><td><code>StrongholdAccelerator</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="H"><td><code>StrongholdKey</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="H"><td><code>StrongholdLicenseFile</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="H"><td><code>SSLFlag</code> <em>flag</em></td><td><code>SSLEngine</code> <em>flag</em></td><td>renamed</td></tr> -<tr id="D"><td><code>SSLSessionLockFile</code> <em>file</em></td><td><code>SSLMutex</code> <em>file</em></td><td>renamed</td></tr> -<tr id="H"><td><code>SSLCipherList</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr> -<tr id="D"><td><code>RequireSSL</code></td><td><code>SSLRequireSSL</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSLErrorFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="H"><td><code>SSLRoot</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="D"><td><code>SSL_CertificateLogDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="H"><td><code>AuthCertDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="D"><td><code>SSL_Group</code> <em>name</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="H"><td><code>SSLProxyMachineCertPath</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="D"><td><code>SSLProxyMachineCertFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="H"><td><code>SSLProxyCACertificatePath</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="D"><td><code>SSLProxyCACertificateFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="H"><td><code>SSLProxyVerifyDepth</code> <em>number</em></td><td>-</td><td>functionality not supported</td></tr> -<tr id="D"><td><code>SSLProxyCipherList</code> <em>spec</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="H"><td colspan="3"><b>Apache-SSL 1.x & mod_ssl 2.0.x compatibility:</b></td></tr> +<tr class="D"><td><code>SSLEnable</code></td><td><code>SSLEngine on</code></td><td>compactified</td></tr> +<tr class="H"><td><code>SSLDisable</code></td><td><code>SSLEngine off</code></td><td>compactified</td></tr> +<tr class="D"><td><code>SSLLogFile</code> <em>file</em></td><td><code>SSLLog</code> <em>file</em></td><td>compactified</td></tr> +<tr class="H"><td><code>SSLRequiredCiphers</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr> +<tr class="D"><td><code>SSLRequireCipher</code> <em>c1</em> ...</td><td><code>SSLRequire %{SSL_CIPHER} in {"</code><em>c1</em><code>", ...}</code></td><td>generalized</td></tr> +<tr class="H"><td><code>SSLBanCipher</code> <em>c1</em> ...</td><td><code>SSLRequire not (%{SSL_CIPHER} in {"</code><em>c1</em><code>", ...})</code></td><td>generalized</td></tr> +<tr class="D"><td><code>SSLFakeBasicAuth</code></td><td><code>SSLOptions +FakeBasicAuth</code></td><td>merged</td></tr> +<tr class="H"><td><code>SSLCacheServerPath</code> <em>dir</em></td><td>-</td><td>functionality removed</td></tr> +<tr class="D"><td><code>SSLCacheServerPort</code> <em>integer</em></td><td>-</td><td>functionality removed</td></tr> +<tr class="H"><td colspan="3"><b>Apache-SSL 1.x compatibility:</b></td></tr> +<tr class="D"><td><code>SSLExportClientCertificates</code></td><td><code>SSLOptions +ExportCertData</code></td><td>merged</td></tr> +<tr class="H"><td><code>SSLCacheServerRunDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="D"><td colspan="3"><b>Sioux 1.x compatibility:</b></td></tr> +<tr class="H"><td><code>SSL_CertFile</code> <em>file</em></td><td><code>SSLCertificateFile</code> <em>file</em></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_KeyFile</code> <em>file</em></td><td><code>SSLCertificateKeyFile</code> <em>file</em></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_CipherSuite</code> <em>arg</em></td><td><code>SSLCipherSuite</code> <em>arg</em></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_X509VerifyDir</code> <em>arg</em></td><td><code>SSLCACertificatePath</code> <em>arg</em></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_Log</code> <em>file</em></td><td><code>SSLLogFile</code> <em>file</em></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_Connect</code> <em>flag</em></td><td><code>SSLEngine</code> <em>flag</em></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_ClientAuth</code> <em>arg</em></td><td><code>SSLVerifyClient</code> <em>arg</em></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_X509VerifyDepth</code> <em>arg</em></td><td><code>SSLVerifyDepth</code> <em>arg</em></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_FetchKeyPhraseFrom</code> <em>arg</em></td><td>-</td><td>not directly mappable; use SSLPassPhraseDialog</td></tr> +<tr class="D"><td><code>SSL_SessionDir</code> <em>dir</em></td><td>-</td><td>not directly mappable; use SSLSessionCache</td></tr> +<tr class="H"><td><code>SSL_Require</code> <em>expr</em></td><td>-</td><td>not directly mappable; use SSLRequire</td></tr> +<tr class="D"><td><code>SSL_CertFileType</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="H"><td><code>SSL_KeyFileType</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="D"><td><code>SSL_X509VerifyPolicy</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="H"><td><code>SSL_LogX509Attributes</code> <em>arg</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="D"><td colspan="3"><b>Stronghold 2.x compatibility:</b></td></tr> +<tr class="H"><td><code>StrongholdAccelerator</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="D"><td><code>StrongholdKey</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="H"><td><code>StrongholdLicenseFile</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="D"><td><code>SSLFlag</code> <em>flag</em></td><td><code>SSLEngine</code> <em>flag</em></td><td>renamed</td></tr> +<tr class="H"><td><code>SSLSessionLockFile</code> <em>file</em></td><td><code>SSLMutex</code> <em>file</em></td><td>renamed</td></tr> +<tr class="D"><td><code>SSLCipherList</code> <em>spec</em></td><td><code>SSLCipherSuite</code> <em>spec</em></td><td>renamed</td></tr> +<tr class="H"><td><code>RequireSSL</code></td><td><code>SSLRequireSSL</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSLErrorFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="H"><td><code>SSLRoot</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="D"><td><code>SSL_CertificateLogDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="H"><td><code>AuthCertDir</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="D"><td><code>SSL_Group</code> <em>name</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="H"><td><code>SSLProxyMachineCertPath</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="D"><td><code>SSLProxyMachineCertFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="H"><td><code>SSLProxyCACertificatePath</code> <em>dir</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="D"><td><code>SSLProxyCACertificateFile</code> <em>file</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="H"><td><code>SSLProxyVerifyDepth</code> <em>number</em></td><td>-</td><td>functionality not supported</td></tr> +<tr class="D"><td><code>SSLProxyCipherList</code> <em>spec</em></td><td>-</td><td>functionality not supported</td></tr> </table> </td> </tr></table> </td></tr></table> </div> -<p> -<br> +<br /> <h2><a name="ToC2">Environment Variables</a></h2> -When you use ``<code>SSLOptions +CompatEnvVars</code>'' additional environment +<p>When you use ``<code>SSLOptions +CompatEnvVars</code>'' additional environment variables are generated. They all correspond to existing official mod_ssl variables. The currently implemented variable derivation is listed in <a -href="#table2">Table 2</a>. -<p> +href="#table2">Table 2</a>.</p> <div align="center"> <a name="table2"></a> <table width="600" cellspacing="0" cellpadding="1" border="0" summary=""> -<caption align="bottom" id="sf">Table 2: Environment Variable Derivation</caption> +<caption align="bottom" >Table 2: Environment Variable Derivation</caption> <tr><td bgcolor="#cccccc"> <table width="598" cellpadding="5" cellspacing="0" border="0" summary=""> <tr><td valign="top" align="center" bgcolor="#ffffff"> <table border="0" cellspacing="0" cellpadding="2" width="598" summary=""> -<tr id="D"> +<tr class="D"> <td><strong>Old Variable</strong></td> <td><strong>mod_ssl Variable</strong></td> <td><strong>Comment</strong></td> </tr> -<tr id="H"><td><code>SSL_PROTOCOL_VERSION</code></td><td><code>SSL_PROTOCOL</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSLEAY_VERSION</code></td><td><code>SSL_VERSION_LIBRARY</code></td><td>renamed</td></tr> -<tr id="H"><td><code>HTTPS_SECRETKEYSIZE</code></td><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>renamed</td></tr> -<tr id="D"><td><code>HTTPS_KEYSIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr> -<tr id="H"><td><code>HTTPS_CIPHER</code></td><td><code>SSL_CIPHER</code></td><td>renamed</td></tr> -<tr id="D"><td><code>HTTPS_EXPORT</code></td><td><code>SSL_CIPHER_EXPORT</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_SERVER_KEY_SIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_SERVER_CERTIFICATE</code></td><td><code>SSL_SERVER_CERT</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_SERVER_CERT_START</code></td><td><code>SSL_SERVER_V_START</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_SERVER_CERT_END</code></td><td><code>SSL_SERVER_V_END</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_SERVER_CERT_SERIAL</code></td><td><code>SSL_SERVER_M_SERIAL</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_SERVER_SIGNATURE_ALGORITHM</code></td><td><code>SSL_SERVER_A_SIG</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_SERVER_DN</code></td><td><code>SSL_SERVER_S_DN</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_SERVER_CN</code></td><td><code>SSL_SERVER_S_DN_CN</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_SERVER_EMAIL</code></td><td><code>SSL_SERVER_S_DN_Email</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_SERVER_O</code></td><td><code>SSL_SERVER_S_DN_O</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_SERVER_OU</code></td><td><code>SSL_SERVER_S_DN_OU</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_SERVER_C</code></td><td><code>SSL_SERVER_S_DN_C</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_SERVER_SP</code></td><td><code>SSL_SERVER_S_DN_SP</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_SERVER_L</code></td><td><code>SSL_SERVER_S_DN_L</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_SERVER_IDN</code></td><td><code>SSL_SERVER_I_DN</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_SERVER_ICN</code></td><td><code>SSL_SERVER_I_DN_CN</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_SERVER_IEMAIL</code></td><td><code>SSL_SERVER_I_DN_Email</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_SERVER_IO</code></td><td><code>SSL_SERVER_I_DN_O</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_SERVER_IOU</code></td><td><code>SSL_SERVER_I_DN_OU</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_SERVER_IC</code></td><td><code>SSL_SERVER_I_DN_C</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_SERVER_ISP</code></td><td><code>SSL_SERVER_I_DN_SP</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_SERVER_IL</code></td><td><code>SSL_SERVER_I_DN_L</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_CLIENT_CERTIFICATE</code></td><td><code>SSL_CLIENT_CERT</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_CLIENT_CERT_START</code></td><td><code>SSL_CLIENT_V_START</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_CLIENT_CERT_END</code></td><td><code>SSL_CLIENT_V_END</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_CLIENT_CERT_SERIAL</code></td><td><code>SSL_CLIENT_M_SERIAL</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_CLIENT_SIGNATURE_ALGORITHM</code></td><td><code>SSL_CLIENT_A_SIG</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_CLIENT_DN</code></td><td><code>SSL_CLIENT_S_DN</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_CLIENT_CN</code></td><td><code>SSL_CLIENT_S_DN_CN</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_CLIENT_EMAIL</code></td><td><code>SSL_CLIENT_S_DN_Email</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_CLIENT_O</code></td><td><code>SSL_CLIENT_S_DN_O</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_CLIENT_OU</code></td><td><code>SSL_CLIENT_S_DN_OU</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_CLIENT_C</code></td><td><code>SSL_CLIENT_S_DN_C</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_CLIENT_SP</code></td><td><code>SSL_CLIENT_S_DN_SP</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_CLIENT_L</code></td><td><code>SSL_CLIENT_S_DN_L</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_CLIENT_IDN</code></td><td><code>SSL_CLIENT_I_DN</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_CLIENT_ICN</code></td><td><code>SSL_CLIENT_I_DN_CN</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_CLIENT_IEMAIL</code></td><td><code>SSL_CLIENT_I_DN_Email</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_CLIENT_IO</code></td><td><code>SSL_CLIENT_I_DN_O</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_CLIENT_IOU</code></td><td><code>SSL_CLIENT_I_DN_OU</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_CLIENT_IC</code></td><td><code>SSL_CLIENT_I_DN_C</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_CLIENT_ISP</code></td><td><code>SSL_CLIENT_I_DN_SP</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_CLIENT_IL</code></td><td><code>SSL_CLIENT_I_DN_L</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_EXPORT</code></td><td><code>SSL_CIPHER_EXPORT</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_KEYSIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_SECKEYSIZE</code></td><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>renamed</td></tr> -<tr id="H"><td><code>SSL_SSLEAY_VERSION</code></td><td><code>SSL_VERSION_LIBRARY</code></td><td>renamed</td></tr> -<tr id="D"><td><code>SSL_STRONG_CRYPTO</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr id="D"><td><code>SSL_SERVER_KEY_EXP</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr id="H"><td><code>SSL_SERVER_KEY_ALGORITHM</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr id="D"><td><code>SSL_SERVER_KEY_SIZE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr id="H"><td><code>SSL_SERVER_SESSIONDIR</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr id="D"><td><code>SSL_SERVER_CERTIFICATELOGDIR</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr id="H"><td><code>SSL_SERVER_CERTFILE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr id="D"><td><code>SSL_SERVER_KEYFILE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr id="H"><td><code>SSL_SERVER_KEYFILETYPE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr id="D"><td><code>SSL_CLIENT_KEY_EXP</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr id="H"><td><code>SSL_CLIENT_KEY_ALGORITHM</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> -<tr id="D"><td><code>SSL_CLIENT_KEY_SIZE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="H"><td><code>SSL_PROTOCOL_VERSION</code></td><td><code>SSL_PROTOCOL</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSLEAY_VERSION</code></td><td><code>SSL_VERSION_LIBRARY</code></td><td>renamed</td></tr> +<tr class="H"><td><code>HTTPS_SECRETKEYSIZE</code></td><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>renamed</td></tr> +<tr class="D"><td><code>HTTPS_KEYSIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr> +<tr class="H"><td><code>HTTPS_CIPHER</code></td><td><code>SSL_CIPHER</code></td><td>renamed</td></tr> +<tr class="D"><td><code>HTTPS_EXPORT</code></td><td><code>SSL_CIPHER_EXPORT</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_SERVER_KEY_SIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_SERVER_CERTIFICATE</code></td><td><code>SSL_SERVER_CERT</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_SERVER_CERT_START</code></td><td><code>SSL_SERVER_V_START</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_SERVER_CERT_END</code></td><td><code>SSL_SERVER_V_END</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_SERVER_CERT_SERIAL</code></td><td><code>SSL_SERVER_M_SERIAL</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_SERVER_SIGNATURE_ALGORITHM</code></td><td><code>SSL_SERVER_A_SIG</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_SERVER_DN</code></td><td><code>SSL_SERVER_S_DN</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_SERVER_CN</code></td><td><code>SSL_SERVER_S_DN_CN</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_SERVER_EMAIL</code></td><td><code>SSL_SERVER_S_DN_Email</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_SERVER_O</code></td><td><code>SSL_SERVER_S_DN_O</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_SERVER_OU</code></td><td><code>SSL_SERVER_S_DN_OU</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_SERVER_C</code></td><td><code>SSL_SERVER_S_DN_C</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_SERVER_SP</code></td><td><code>SSL_SERVER_S_DN_SP</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_SERVER_L</code></td><td><code>SSL_SERVER_S_DN_L</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_SERVER_IDN</code></td><td><code>SSL_SERVER_I_DN</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_SERVER_ICN</code></td><td><code>SSL_SERVER_I_DN_CN</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_SERVER_IEMAIL</code></td><td><code>SSL_SERVER_I_DN_Email</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_SERVER_IO</code></td><td><code>SSL_SERVER_I_DN_O</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_SERVER_IOU</code></td><td><code>SSL_SERVER_I_DN_OU</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_SERVER_IC</code></td><td><code>SSL_SERVER_I_DN_C</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_SERVER_ISP</code></td><td><code>SSL_SERVER_I_DN_SP</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_SERVER_IL</code></td><td><code>SSL_SERVER_I_DN_L</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_CLIENT_CERTIFICATE</code></td><td><code>SSL_CLIENT_CERT</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_CLIENT_CERT_START</code></td><td><code>SSL_CLIENT_V_START</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_CLIENT_CERT_END</code></td><td><code>SSL_CLIENT_V_END</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_CLIENT_CERT_SERIAL</code></td><td><code>SSL_CLIENT_M_SERIAL</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_CLIENT_SIGNATURE_ALGORITHM</code></td><td><code>SSL_CLIENT_A_SIG</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_CLIENT_DN</code></td><td><code>SSL_CLIENT_S_DN</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_CLIENT_CN</code></td><td><code>SSL_CLIENT_S_DN_CN</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_CLIENT_EMAIL</code></td><td><code>SSL_CLIENT_S_DN_Email</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_CLIENT_O</code></td><td><code>SSL_CLIENT_S_DN_O</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_CLIENT_OU</code></td><td><code>SSL_CLIENT_S_DN_OU</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_CLIENT_C</code></td><td><code>SSL_CLIENT_S_DN_C</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_CLIENT_SP</code></td><td><code>SSL_CLIENT_S_DN_SP</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_CLIENT_L</code></td><td><code>SSL_CLIENT_S_DN_L</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_CLIENT_IDN</code></td><td><code>SSL_CLIENT_I_DN</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_CLIENT_ICN</code></td><td><code>SSL_CLIENT_I_DN_CN</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_CLIENT_IEMAIL</code></td><td><code>SSL_CLIENT_I_DN_Email</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_CLIENT_IO</code></td><td><code>SSL_CLIENT_I_DN_O</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_CLIENT_IOU</code></td><td><code>SSL_CLIENT_I_DN_OU</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_CLIENT_IC</code></td><td><code>SSL_CLIENT_I_DN_C</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_CLIENT_ISP</code></td><td><code>SSL_CLIENT_I_DN_SP</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_CLIENT_IL</code></td><td><code>SSL_CLIENT_I_DN_L</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_EXPORT</code></td><td><code>SSL_CIPHER_EXPORT</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_KEYSIZE</code></td><td><code>SSL_CIPHER_ALGKEYSIZE</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_SECKEYSIZE</code></td><td><code>SSL_CIPHER_USEKEYSIZE</code></td><td>renamed</td></tr> +<tr class="H"><td><code>SSL_SSLEAY_VERSION</code></td><td><code>SSL_VERSION_LIBRARY</code></td><td>renamed</td></tr> +<tr class="D"><td><code>SSL_STRONG_CRYPTO</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="H"><td><code>SSL_SERVER_KEY_EXP</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="D"><td><code>SSL_SERVER_KEY_ALGORITHM</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="H"><td><code>SSL_SERVER_KEY_SIZE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="D"><td><code>SSL_SERVER_SESSIONDIR</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="H"><td><code>SSL_SERVER_CERTIFICATELOGDIR</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="D"><td><code>SSL_SERVER_CERTFILE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="H"><td><code>SSL_SERVER_KEYFILE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="D"><td><code>SSL_SERVER_KEYFILETYPE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="H"><td><code>SSL_CLIENT_KEY_EXP</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="D"><td><code>SSL_CLIENT_KEY_ALGORITHM</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> +<tr class="H"><td><code>SSL_CLIENT_KEY_SIZE</code></td><td><code>-</code></td><td>Not supported by mod_ssl</td></tr> </table> </td> </tr></table> </td></tr></table> </div> -<p> -<br> +<br /> <h2><a name="ToC3">Custom Log Functions</a></h2> +<p> When mod_ssl is built into Apache or at least loaded (under DSO situation) additional functions exist for the <a href="../mod/mod_log_config.html#formats">Custom Log Format</a> of <a @@ -246,31 +243,30 @@ eXtension format function which can be used to expand any variables provided by any module, an additional Cryptography ``<code>%{</code><em>name</em><code>}c</code>'' cryptography format function exists for backward compatibility. The currently implemented function calls -are listed in <a href="#table3">Table 3</a>. -<p> +are listed in <a href="#table3">Table 3</a>.</p> <div align="center"> <a name="table3"></a> <table width="600" cellspacing="0" cellpadding="1" border="0" summary=""> -<caption align="bottom" id="sf">Table 3: Custom Log Cryptography Function</caption> +<caption align="bottom" >Table 3: Custom Log Cryptography Function</caption> <tr><td bgcolor="#cccccc"> <table width="598" cellpadding="5" cellspacing="0" border="0" summary=""> <tr><td valign="top" align="center" bgcolor="#ffffff"> <table border="0" cellspacing="0" cellpadding="2" width="598" summary=""> -<tr id="H"> +<tr class="D"> <td><strong>Function Call</strong></td> <td><strong>Description</strong></td> </tr> -<tr id="D"><td><code>%...{version}c</code></td> <td>SSL protocol version</td></tr> -<tr id="H"><td><code>%...{cipher}c</code></td> <td>SSL cipher</td></tr> -<tr id="D"><td><code>%...{subjectdn}c</code></td> <td>Client Certificate Subject Distinguished Name</td></tr> -<tr id="H"><td><code>%...{issuerdn}c</code></td> <td>Client Certificate Issuer Distinguished Name</td></tr> -<tr id="D"><td><code>%...{errcode}c</code></td> <td>Certificate Verification Error (numerical)</td></tr> -<tr id="H"><td><code>%...{errstr}c</code></td> <td>Certificate Verification Error (string)</td></tr> +<tr class="H"><td><code>%...{version}c</code></td> <td>SSL protocol version</td></tr> +<tr class="D"><td><code>%...{cipher}c</code></td> <td>SSL cipher</td></tr> +<tr class="H"><td><code>%...{subjectdn}c</code></td> <td>Client Certificate Subject Distinguished Name</td></tr> +<tr class="D"><td><code>%...{issuerdn}c</code></td> <td>Client Certificate Issuer Distinguished Name</td></tr> +<tr class="H"><td><code>%...{errcode}c</code></td> <td>Certificate Verification Error (numerical)</td></tr> +<tr class="D"><td><code>%...{errstr}c</code></td> <td>Certificate Verification Error (string)</td></tr> </table> </td> </tr></table> </td></tr></table> </div> -<p><!--#include virtual="footer.html" --> </p> + <!--#include virtual="footer.html" --> </body> </html>
\ No newline at end of file diff --git a/docs/manual/ssl/ssl_faq.html b/docs/manual/ssl/ssl_faq.html index 37430c8ef2..0f56ecc3cb 100644 --- a/docs/manual/ssl/ssl_faq.html +++ b/docs/manual/ssl/ssl_faq.html @@ -16,7 +16,7 @@ <body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> -<h1 align="CENTER">SSL/TLS Strong Encryption: FAQ</h1> +<h1 align="center">SSL/TLS Strong Encryption: FAQ</h1> <div align="right"> @@ -47,11 +47,11 @@ href="news:comp.infosystems.www.servers.unix"> <code>comp.infosystems.www.servers.unix</code></a> or the mod_ssl Support Mailing List <a href="mailto:modssl-users@modssl.org"> <code>modssl-users@modssl.org</code></a>. They are collected at this place -to avoid answering the same questions over and over. +to avoid answering the same questions over and over.</p> <p> Please read this chapter at least once when installing mod_ssl or at least search for your problem here before submitting a problem report to the -author. +author.</p> <ul> <li><a href="#ToC1">About the module</a> @@ -62,8 +62,12 @@ author. <li><a href="#ToC5">mod_ssl/Apache versions?</a></li> <li><a href="#ToC6">mod_ssl and Year 2000?</a></li> <li><a href="#ToC7">mod_ssl and Wassenaar Arrangement?</a></li> -</ul></li> -<li><a href="#ToC8">About Installation</a></li> +</ul> +</li> +</ul> + +<ul> +<li><a href="#ToC8">About Installation</a> <ul> <li><a href="#ToC9">Core dumps for HTTPS requests?</a></li> <li><a href="#ToC10">Core dumps for Apache+mod_ssl+PHP3?</a></li> @@ -72,8 +76,12 @@ author. <li><a href="#ToC13">Shared memory and process size?</a></li> <li><a href="#ToC14">Shared memory and pathname?</a></li> <li><a href="#ToC15">PRNG and not enough entropy?</a></li> -</ul></li> -<li><a href="#ToC16">About Configuration</a></li> +</ul> +</li> +</ul> + +<ul> +<li><a href="#ToC16">About Configuration</a> <ul> <li><a href="#ToC17">HTTP and HTTPS with a single server?</a></li> <li><a href="#ToC18">Where is the HTTPS port?</a></li> @@ -82,8 +90,12 @@ author. <li><a href="#ToC21">Why do I get connection refused?</a></li> <li><a href="#ToC22">Why are the SSL_XXX variables missing?</a></li> <li><a href="#ToC23">How to switch with relative hyperlinks?</a></li> -</ul></li> -<li><a href="#ToC24">About Certificates</a></li> +</ul> +</li> +</ul> + +<ul> +<li><a href="#ToC24">About Certificates</a> <ul> <li><a href="#ToC25">What are Keys, CSRs and Certs?</a></li> <li><a href="#ToC26">Difference on startup?</a></li> @@ -99,8 +111,12 @@ author. <li><a href="#ToC37">Verisign and the magic getca program?</a></li> <li><a href="#ToC38">Global IDs or SGC?</a></li> <li><a href="#ToC39">Global IDs and Cert Chain?</a></li> -</ul></li> -<li><a href="#ToC40">About SSL Protocol</a></li> +</ul> +</li> +</ul> + +<ul> +<li><a href="#ToC40">About SSL Protocol</a> <ul> <li><a href="#ToC41">Random SSL errors under heavy load?</a></li> <li><a href="#ToC42">Why has the server a higher load?</a></li> @@ -112,29 +128,32 @@ author. <li><a href="#ToC48">The lock icon in Netscape locks very late</a></li> <li><a href="#ToC49">Why do I get I/O errors with MSIE clients?</a></li> <li><a href="#ToC50">Why do I get I/O errors with NS clients?</a></li> -</ul></li> -<li><a href="#ToC51">About Support</a></li> +</ul> +</li> +</ul> + +<ul> +<li><a href="#ToC51">About Support</a> <ul> <li><a href="#ToC52">Resources in case of problems?</a></li> <li><a href="#ToC53">Support in case of problems?</a></li> <li><a href="#ToC54">How to write a problem report?</a></li> <li><a href="#ToC55">I got a core dump, can you help me?</a></li> <li><a href="#ToC56">How to get a backtrace?</a></li> -</ul></li> +</ul> +</li> </ul> <h2><a name="ToC1">About the module</a></h2> <ul> -<p> <li><a name="ToC2"></a> <a name="history"></a> - <strong id="faq"> + <strong> What is the history of mod_ssl? </strong> [<a href="#history"><b>L</b></a>] - <p> - The mod_ssl v1 package was initially created in April 1998 by <a + <p>The mod_ssl v1 package was initially created in April 1998 by <a href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> via porting <a href="mailto:ben@algroup.co.uk">Ben Laurie</a>'s <a href="http://www.apache-ssl.org/">Apache-SSL</a> 1.17 source patches for @@ -143,34 +162,34 @@ What is the history of mod_ssl? Apache 1.3.0 by merging the old mod_ssl 1.x with the newer Apache-SSL 1.18. From this point on mod_ssl lived its own life as mod_ssl v2. The first publically released version was mod_ssl 2.0.0 from August 10th, - 1998. As of this writing (August 1999) the current mod_ssl version is 2.4.0. - <p> - After one year of very active development with over 1000 working hours and + 1998. As of this writing (August 1999) the current mod_ssl version + is 2.4.0.</p> + + <p>After one year of very active development with over 1000 working hours and over 40 releases mod_ssl reached its current state. The result is an already very clean source base implementing a very rich functionality. The code size increased by a factor of 4 to currently a total of over 10.000 lines of ANSI C consisting of approx. 70% code and 30% code documentation. From the original Apache-SSL code currently approx. 5% is - remaining only. - <p> - After the US export restrictions for cryptographic software were - opened, mod_ssl was integrated into the code base of Apache V2 in 2001. -<p> + remaining only.</p> + + <p>After the US export restrictions for cryptographic software were + opened, mod_ssl was integrated into the code base of Apache V2 in 2001.</p> +</li> <li><a name="ToC3"></a> <a name="apssl-diff"></a> - <strong id="faq"> + <strong> What are the functional differences between mod_ssl and Apache-SSL, from which it is originally derived? </strong> [<a href="#apssl-diff"><b>L</b></a>] - <p> - This neither can be answered in short (there were too many code changes) + <p>This neither can be answered in short (there were too many code changes) nor can be answered at all by the author (there would immediately be flame wars with no reasonable results at the end). But as you easily can guess from the 5% of remaining Apache-SSL code, a lot of differences exists, - although user-visible backward compatibility exists for most things. - <p> - When you really want a detailed comparison you have to read the entries in + although user-visible backward compatibility exists for most things.</p> + + <p>When you really want a detailed comparison you have to read the entries in the large <code>CHANGES</code> file that is in the mod_ssl distribution. Usually this is much too hard-core. So I recommend you to either believe in the opinion and recommendations of other users (the @@ -179,9 +198,9 @@ it is originally derived? href="http://www.modssl.org/">http://www.modssl.org</a>) and Apache-SSL (from <a href="http://www.apache-ssl.org/">http://www.apache-ssl.org</a>), install both packages, read their documentation and try them out yourself. - Then choose the one which pleases you most. - <p> - A few final hints to help direct your comparison: quality of documentation + Then choose the one which pleases you most.</p> + + <p>A few final hints to help direct your comparison: quality of documentation ("can you easily find answers and are they sufficient?"), quality of source code ("is the source code reviewable so you can make sure there aren't any trapdoors or inherent security risks because of bad programming @@ -195,34 +214,33 @@ it is originally derived? quality of functionality ("is the provided SSL functionality and control possibilities sufficient for your situation?"), quality of problem tracing ("is it possible for you to easily trace down the problems via logfiles, - etc?"), etc. pp. -<p> + etc?"), etc. pp.</p> +</li> <li><a name="ToC4"></a> <a name="apssl-diff"></a> - <strong id="faq"> + <strong> What are the major differences between mod_ssl and the commercial alternatives like Raven or Stronghold? </strong> [<a href="#apssl-diff"><b>L</b></a>] - <p> - In the past (until September 20th, 2000) the major difference was + <p>In the past (until September 20th, 2000) the major difference was the RSA license which one received (very cheaply in contrast to a direct licensing from RSA DSI) with the commercial Apache SSL products. On the other hand, one needed this license only in the US, of course. So for non-US citizens this point was useless. But now even for US citizens the situations changed because the RSA patent expired on September 20th, 2000 and RSA DSI also placed the RSA - algorithm explicitly into the public domain. - <p> - Second, there is the point that one has guaranteed support from + algorithm explicitly into the public domain.</p> + + <p>Second, there is the point that one has guaranteed support from the commercial vendors. On the other hand, if you monitored the Open Source quality of mod_ssl and the support activities found on <a href="mailto:modssl-users@modssl.org"> <code>modssl-users@modssl.org</code></a>, you could ask yourself whether you are really convinced that you can get better support - from a commercial vendor. - <p> - Third, people often think they would receive perhaps at least a + from a commercial vendor.</p> + + <p>Third, people often think they would receive perhaps at least a better technical SSL solution than mod_ssl from the commercial vendors. But this is not really true, because all commercial alternatives (Raven 1.4.x, Stronghold 3.x, RedHat SWS 2.x, etc.) @@ -238,63 +256,60 @@ the commercial alternatives like Raven or Stronghold? it sometimes occurs that a vendor version includes useful changes which are not available through the official freely available packages. But most vendors play fair and contribute back those - changes to the free software world, of course. - <p> - So, in short: There are lots of commercial versions of the popular + changes to the free software world, of course.</p> + + <p>So, in short: There are lots of commercial versions of the popular Apache+mod_ssl+OpenSSL server combination available. Every user should decide carefully whether they really need to buy a commercial version or whether it would not be sufficient to directly use the free and official versions of the Apache, mod_ssl and OpenSSL - packages. -<p> + packages.</p> +</li> <li><a name="ToC5"></a> <a name="what-version"></a> - <strong id="faq"> + <strong> How do I know which mod_ssl version is for which Apache version? </strong> [<a href="#what-version"><b>L</b></a>] - <p> - That's trivial: mod_ssl uses version strings of the syntax + <p>That's trivial: mod_ssl uses version strings of the syntax <em><mod_ssl-version></em>-<em><apache-version></em>, for instance <code>2.4.0-1.3.9</code>. This directly indicates that it's mod_ssl version 2.4.0 for Apache version 1.3.9. And this also means you <em>only</em> can apply this mod_ssl version to exactly this Apache version (unless you use the <code>--force</code> option to mod_ssl's - <code>configure</code> command ;-). -<p> + <code>configure</code> command ;-).</p> +</li> <li><a name="ToC6"></a> <a name="y2k"></a> - <strong id="faq"> + <strong> Is mod_ssl Year 2000 compliant? </strong> [<a href="#y2k"><b>L</b></a>] - <p> - Yes, mod_ssl is Year 2000 compliant. - <p> - Because first mod_ssl internally never stores years as two digits. + <p>Yes, mod_ssl is Year 2000 compliant.</p> + + <p>Because first mod_ssl internally never stores years as two digits. Instead it always uses the ANSI C & POSIX numerical data type <code>time_t</code> type, which on almost all Unix platforms at the moment is a <code>signed long</code> (usually 32-bits) representing seconds since epoch of January 1st, 1970, 00:00 UTC. This signed value overflows in early January 2038 and not in the year 2000. Second, date and time presentations (for instance the variable ``<code>%{TIME_YEAR}</code>'') - are done with full year value instead of abbreviating to two digits. - <p> - Additionally according to a <a + are done with full year value instead of abbreviating to two digits.</p> + + <p>Additionally according to a <a href="http://www.apache.org/docs/misc/FAQ.html#year2000">Year 2000 statement</a> from the Apache Group, the Apache webserver is Year 2000 compliant, too. But whether OpenSSL or the underlaying Operating System (either a Unix or Win32 platform) is Year 2000 compliant is a different - question which cannot be answered here. -<p> + question which cannot be answered here.</p> +</li> <li><a name="ToC7"></a> <a name="wassenaar"></a> - <strong id="faq"> + <strong> What about mod_ssl and the Wassenaar Arrangement? </strong> [<a href="#wassenaar"><b>L</b></a>] - <p> - First, let us explain what <i>Wassenaar</i> and its <i>Arrangement on + <p>First, let us explain what <i>Wassenaar</i> and its <i>Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies</i> is: This is a international regime, established 1995, to control trade in conventional arms and dual-use goods and technology. It @@ -305,16 +320,16 @@ What about mod_ssl and the Wassenaar Arrangement? of Korea, Romania, Russian Federation, Slovak Republic, Spain, Sweden, Switzerland, Turkey, Ukraine, United Kingdom and United States. For more details look at <a - href="http://www.wassenaar.org/">http://www.wassenaar.org/</a>. - <p> - In short: The aim of the Wassenaar Arrangement is to prevent the build up + href="http://www.wassenaar.org/">http://www.wassenaar.org/</a>.</p> + + <p>In short: The aim of the Wassenaar Arrangement is to prevent the build up of military capabilities that threaten regional and international security and stability. The Wassenaar Arrangement controls the export of cryptography as a dual-use good, i.e., one that has both military and civilian applications. However, the Wassenaar Arrangement also provides an - exemption from export controls for mass-market software and free software. - <p> - In the current Wassenaar ``<i>List of Dual Use Goods and Technologies And + exemption from export controls for mass-market software and free software.</p> + + <p>In the current Wassenaar ``<i>List of Dual Use Goods and Technologies And Munitions</i>'', under ``<i>GENERAL SOFTWARE NOTE</i>'' (GSN) it says ``<i>The Lists do not control "software" which is either: 1. [...] 2. "in the public domain".</i>'' And under ``<i>DEFINITIONS OF TERMS USED IN @@ -322,13 +337,13 @@ What about mod_ssl and the Wassenaar Arrangement? domain": This means "technology" or "software" which has been made available without restrictions upon its further dissemination. N.B. Copyright restrictions do not remove "technology" or "software" from being - "in the public domain".</i>'' - <p> - So, both mod_ssl and OpenSSL are ``in the public domain'' for the purposes + "in the public domain".</i>''</p> + + <p>So, both mod_ssl and OpenSSL are ``in the public domain'' for the purposes of the Wassenaar Agreement and its ``<i>List of Dual Use Goods and - Technologies And Munitions List</i>''. - <p> - Additionally the Wassenaar Agreement itself has no direct consequence for + Technologies And Munitions List</i>''.</p> + + <p>Additionally the Wassenaar Agreement itself has no direct consequence for exporting cryptography software. What is actually allowed or forbidden to be exported from the countries has still to be defined in the local laws of each country. And at least according to official press releases from @@ -337,82 +352,76 @@ What about mod_ssl and the Wassenaar Arrangement? Switzerland Bawi (see <a href="http://jya.com/wass-ch.htm">here</a>) there will be no forthcoming export restriction for free cryptography software for their countries. Remember that mod_ssl is created in Germany and - distributed from Switzerland. - <p> - So, mod_ssl and OpenSSL are not affected by the Wassenaar Agreement. + distributed from Switzerland.</p> + + <p>So, mod_ssl and OpenSSL are not affected by the Wassenaar Agreement.</p> +</li> </ul> -<p> -<br> +<br /> <h2><a name="ToC8">About Installation</a></h2> <ul> -<p> <li><a name="ToC9"></a> <a name="core-dbm"></a> - <strong id="faq"> + <strong> When I access my website the first time via HTTPS I get a core dump? </strong> [<a href="#core-dbm"><b>L</b></a>] - <p> - There can be a lot of reasons why a core dump can occur, of course. + <p>There can be a lot of reasons why a core dump can occur, of course. Ranging from buggy third-party modules, over buggy vendor libraries up to a buggy mod_ssl version. But the above situation is often caused by old or broken vendor DBM libraries. To solve it either build mod_ssl with the built-in SDBM library (specify <tt>--enable-rule=SSL_SDBM</tt> at the APACI command line) or switch from ``<tt>SSLSessionCache dbm:</tt>'' to the newer ``<tt>SSLSessionCache shm:</tt>'' variant (after you have rebuilt - Apache with MM, of course). -<p> + Apache with MM, of course).</p> +</li> <li><a name="ToC10"></a> <a name="core-php3"></a> - <strong id="faq"> + <strong> My Apache dumps core when I add both mod_ssl and PHP3? </strong> [<a href="#core-php3"><b>L</b></a>] - <p> - Make sure you add mod_ssl to the Apache source tree first and then do a + <p>Make sure you add mod_ssl to the Apache source tree first and then do a fresh configuration and installation of PHP3. For SSL support EAPI patches are required which have to change internal Apache structures. PHP3 needs to know about these in order to work correctly. Always make sure that - <tt>-DEAPI</tt> is contained in the compiler flags when PHP3 is built. -<p> + <tt>-DEAPI</tt> is contained in the compiler flags when PHP3 is built.</p> +</li> <li><a name="ToC11"></a> <a name="dso-sym"></a> - <strong id="faq"> + <strong> When I startup Apache I get errors about undefined symbols like ap_global_ctx? </strong> [<a href="#dso-sym"><b>L</b></a>] - <p> - This actually means you installed mod_ssl as a DSO, but without rebuilding + <p>This actually means you installed mod_ssl as a DSO, but without rebuilding Apache with EAPI. Because EAPI is a requirement for mod_ssl, you need an extra patched Apache (containing the EAPI patches) and you have to build this Apache with EAPI enabled (explicitly specify - <tt>--enable-rule=EAPI</tt> at the APACI command line). -<p> + <tt>--enable-rule=EAPI</tt> at the APACI command line).</p> +</li> <li><a name="ToC12"></a> <a name="mutex-perm"></a> - <strong id="faq"> + <strong> When I startup Apache I get permission errors related to SSLMutex? </strong> [<a href="#mutex-perm"><b>L</b></a>] - <p> - When you receive entries like ``<code>mod_ssl: Child could not open + <p>When you receive entries like ``<code>mod_ssl: Child could not open SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows) [...] System: Permission denied (errno: 13)</code>'' this is usually caused by to restrictive permissions on the <i>parent</i> directories. Make sure that all parent directories (here <code>/opt</code>, <code>/opt/apache</code> and <code>/opt/apache/logs</code>) have the x-bit set at least for the UID under which Apache's children are running (see - the <code>User</code> directive of Apache). -<p> + the <code>User</code> directive of Apache).</p> +</li> <li><a name="ToC13"></a> <a name="mm"></a> - <strong id="faq"> + <strong> When I use the MM library and the shared memory cache each process grows 1.5MB according to `top' although I specified 512000 as the cache size? </strong> [<a href="#mm"><b>L</b></a>] - <p> - The additional 1MB are caused by the global shared memory pool EAPI + <p>The additional 1MB are caused by the global shared memory pool EAPI allocates for all modules and which is not used by mod_ssl for various reasons. So the actually allocated shared memory is always 1MB more than what you specify on <code>SSLSessionCache</code>. @@ -420,32 +429,30 @@ When I use the MM library and the shared memory cache each process grows indicates that <i>each</i> process grow, this is not reality, of course. Instead the additional memory consumption is shared by all processes, i.e. the 1.5MB are allocated only once per Apache - instance and not once per Apache server process. -<p> + instance and not once per Apache server process.</p> +</li> <li><a name="ToC14"></a> <a name="mmpath"></a> - <strong id="faq"> + <strong> Apache creates files in a directory declared by the internal EAPI_MM_CORE_PATH define. Is there a way to override the path using a configuration directive? </strong> [<a href="#mmpath"><b>L</b></a>] - <p> - No, there is not configuration directive, because for technical + <p>No, there is not configuration directive, because for technical bootstrapping reasons, a directive not possible at all. Instead use ``<code>CFLAGS='-DEAPI_MM_CORE_PATH="/path/to/wherever/"' ./configure ...</code>'' when building Apache or use option - <b>-d</b> when starting <code>httpd</code>. -<p> + <b>-d</b> when starting <code>httpd</code>.</p> +</li> <li><a name="ToC15"></a> <a name="entropy"></a> - <strong id="faq"> + <strong> When I fire up the server, mod_ssl stops with the error "Failed to generate temporary 512 bit RSA private key", why? </strong> [<a href="#entropy"><b>L</b></a>] - <p> - Cryptographic software needs a source of unpredictable data + <p>Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide a "randomness device" that serves this purpose (usually named <code>/dev/random</code>). On other systems, applications have to @@ -455,124 +462,116 @@ When I fire up the server, mod_ssl stops with the error randomness report an error if the PRNG has not been seeded with at least 128 bits of randomness. So mod_ssl has to provide enough entropy to the PRNG to work correctly. For this one has to use the - <code>SSLRandomSeed</code> directives. + <code>SSLRandomSeed</code> directives.</p> +</li> </ul> -<p> -<br> +<br /> <h2><a name="ToC16">About Configuration</a></h2> <ul> -<p> <li><a name="ToC17"></a> <a name="https-parallel"></a> - <strong id="faq"> -Is it possible to provide HTTP and HTTPS with a single server?</strong> + <strong> +Is it possible to provide HTTP and HTTPS with a single server? </strong> [<a href="#https-parallel"><b>L</b></a>] - <p> - Yes, HTTP and HTTPS use different server ports, so there is no direct + <p>Yes, HTTP and HTTPS use different server ports, so there is no direct conflict between them. Either run two separate server instances (one binds to port 80, the other to port 443) or even use Apache's elegant virtual hosting facility where you can easily create two virtual servers which Apache dispatches: one responding to port 80 and speaking HTTP and one - responding to port 443 speaking HTTPS. -<p> + responding to port 443 speaking HTTPS.</p> +</li> <li><a name="ToC18"></a> <a name="https-port"></a> - <strong id="faq"> + <strong> I know that HTTP is on port 80, but where is HTTPS? </strong> [<a href="#https-port"><b>L</b></a>] - <p> - You can run HTTPS on any port, but the standards specify port 443, which + <p>You can run HTTPS on any port, but the standards specify port 443, which is where any HTTPS compliant browser will look by default. You can force your browser to look on a different port by specifying it in the URL like - this (for port 666): <code>https://secure.server.dom:666/</code> -<p> + this (for port 666): <code>https://secure.server.dom:666/</code></p> +</li> <li><a name="ToC19"></a> <a name="https-test"></a> - <strong id="faq"> + <strong> How can I speak HTTPS manually for testing purposes? </strong> [<a href="#https-test"><b>L</b></a>] - <p> - While you usually just use - <p> - <code><b>$ telnet localhost 80</b></code><br> - <code><b>GET / HTTP/1.0</b></code> - <p> - for simple testing the HTTP protocol of Apache, it's not so easy for + <p>While you usually just use</p> + + <p><code><b>$ telnet localhost 80</b></code><br /> + <code><b>GET / HTTP/1.0</b></code></p> + + <p>for simple testing the HTTP protocol of Apache, it's not so easy for HTTPS because of the SSL protocol between TCP and HTTP. But with the help of OpenSSL's <code>s_client</code> command you can do a similar - check even for HTTPS: - <p> - <code><b>$ openssl s_client -connect localhost:443 -state -debug</b></code><br> - <code><b>GET / HTTP/1.0</b></code> - <p> - Before the actual HTTP response you receive detailed information about the + check even for HTTPS:</p> + + <p><code><b>$ openssl s_client -connect localhost:443 -state -debug</b></code><br /> + <code><b>GET / HTTP/1.0</b></code></p> + + <p>Before the actual HTTP response you receive detailed information about the SSL handshake. For a more general command line client which directly understands both the HTTP and HTTPS scheme, can perform GET and POST methods, can use a proxy, supports byte ranges, etc. you should have a look at nifty <a href="http://curl.haxx.nu/">cURL</a> tool. With it you can directly check if your Apache is running fine on - Port 80 and 443 as following: - <p> - <code><b>$ curl http://localhost/</b></code><br> - <code><b>$ curl https://localhost/</b></code><br> -<p> + Port 80 and 443 as following:</p> + + <p><code><b>$ curl http://localhost/</b></code><br /> + <code><b>$ curl https://localhost/</b></code><br /></p> +</li> <li><a name="ToC20"></a> <a name="hang"></a> - <strong id="faq"> + <strong> Why does the connection hang when I connect to my SSL-aware Apache server? </strong> [<a href="#hang"><b>L</b></a>] - <p> - Because you connected with HTTP to the HTTPS port, i.e. you used an URL of + <p>Because you connected with HTTP to the HTTPS port, i.e. you used an URL of the form ``<code>http://</code>'' instead of ``<code>https://</code>''. This also happens the other way round when you connect via HTTPS to a HTTP port, i.e. when you try to use ``<code>https://</code>'' on a server that doesn't support SSL (on this port). Make sure you are connecting to a virtual server that supports SSL, which is probably the IP associated with - your hostname, not localhost (127.0.0.1). -<p> + your hostname, not localhost (127.0.0.1).</p> +</li> <li><a name="ToC21"></a> <a name="hang"></a> - <strong id="faq"> + <strong> Why do I get ``Connection Refused'' messages when trying to access my freshly installed Apache+mod_ssl server via HTTPS? </strong> [<a href="#hang"><b>L</b></a>] - <p> - There can be various reasons. Some of the common mistakes is that people + <p>There can be various reasons. Some of the common mistakes is that people start Apache with just ``<tt>apachectl start</tt>'' (or ``<tt>httpd</tt>'') instead of ``<tt>apachectl startssl</tt>'' (or ``<tt>httpd -DSSL</tt>''. Or you're configuration is not correct. At least make sure that your ``<tt>Listen</tt>'' directives match your ``<tt><VirtualHost></tt>'' directives. And if all fails, please do yourself a favor and start over with the default configuration mod_ssl - provides you. -<p> + provides you.</p> +</li> <li><a name="ToC22"></a> <a name="env-vars"></a> - <strong id="faq"> + <strong> In my CGI programs and SSI scripts the various documented <code>SSL_XXX</code> variables do not exist. Why? </strong> [<a href="#env-vars"><b>L</b></a>] - <p> - Just make sure you have ``<code>SSLOptions +StdEnvVars</code>'' - enabled for the context of your CGI/SSI requests. -<p> + <p>Just make sure you have ``<code>SSLOptions +StdEnvVars</code>'' + enabled for the context of your CGI/SSI requests.</p> +</li> <li><a name="ToC23"></a> <a name="relative-links"></a> - <strong id="faq"> + <strong> How can I use relative hyperlinks to switch between HTTP and HTTPS? </strong> [<a href="#relative-links"><b>L</b></a>] - <p> - Usually you have to use fully-qualified hyperlinks because + <p>Usually you have to use fully-qualified hyperlinks because you have to change the URL scheme. But with the help of some URL manipulations through mod_rewrite you can achieve the same effect while - you still can use relative URLs: + you still can use relative URLs:</p> <pre> RewriteEngine on RewriteRule ^/(.*):SSL$ https://%{SERVER_NAME}/$1 [R,L] @@ -580,22 +579,20 @@ How can I use relative hyperlinks to switch between HTTP and HTTPS? </pre> This rewrite ruleset lets you use hyperlinks of the form <pre> - <a href="document.html:SSL"> + <a href="document.html:SSL"> </pre> +</li> </ul> -<p> -<br> +<br /> <h2><a name="ToC24">About Certificates</a></h2> <ul> -<p> <li><a name="ToC25"></a> <a name="what-is"></a> - <strong id="faq"> -What are RSA Private Keys, CSRs and Certificates?</strong> + <strong> +What are RSA Private Keys, CSRs and Certificates? </strong> [<a href="#what-is"><b>L</b></a>] - <p> - The RSA private key file is a digital file that you can use to decrypt + <p>The RSA private key file is a digital file that you can use to decrypt messages sent to you. It has a public component which you distribute (via your Certificate file) which allows people to encrypt those messages to you. A Certificate Signing Request (CSR) is a digital file which contains @@ -606,71 +603,72 @@ What are RSA Private Keys, CSRs and Certificates?</strong> Certificate, thereby obtaining your RSA public key. That enables them to send messages which only you can decrypt. See the <a href="ssl_intro.html">Introduction</a> chapter for a general - description of the SSL protocol. -<p> + description of the SSL protocol.</p> +</li> <li><a name="ToC26"></a> <a name="startup"></a> - <strong id="faq"> + <strong> Seems like there is a difference on startup between the original Apache and an SSL-aware Apache? </strong> [<a href="#startup"><b>L</b></a>] - <p> - Yes, in general, starting Apache with a built-in mod_ssl is just like + <p>Yes, in general, starting Apache with a built-in mod_ssl is just like starting an unencumbered Apache, except for the fact that when you have a pass phrase on your SSL private key file. Then a startup dialog pops up - asking you to enter the pass phrase. - <p> - To type in the pass phrase manually when starting the server can be + asking you to enter the pass phrase.</p> + + <p>To type in the pass phrase manually when starting the server can be problematic, for instance when starting the server from the system boot scripts. As an alternative to this situation you can follow the steps below under ``How can I get rid of the pass-phrase dialog at Apache - startup time?''. -<p> + startup time?''.</p> +</li> <li><a name="ToC28"></a> <a name="cert-real"></a> - <strong id="faq"> + <strong> Ok, I've got my server installed and want to create a real SSL server Certificate for it. How do I do it? </strong> [<a href="#cert-real"><b>L</b></a>] - <p> - Here is a step-by-step description: - <p> + <p>Here is a step-by-step description:</p> + <ol> <li>Make sure OpenSSL is really installed and in your <code>PATH</code>. But some commands even work ok when you just run the ``<code>openssl</code>'' program from within the OpenSSL source tree as - ``<code>./apps/openssl</code>''. - <p> + ``<code>./apps/openssl</code>''.<br /> + <br /> + </li> <li>Create a RSA private key for your Apache server - (will be Triple-DES encrypted and PEM formatted): - <p> - <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code> - <p> + (will be Triple-DES encrypted and PEM formatted):<br /> + <br /> + <code><strong>$ openssl genrsa -des3 -out server.key 1024</strong></code><br /> + <br /> Please backup this <code>server.key</code> file and remember the pass-phrase you had to enter at a secure location. - You can see the details of this RSA private key via the command: - <p> - <code><strong>$ openssl rsa -noout -text -in server.key</strong></code> - <p> + You can see the details of this RSA private key via the command:<br /> + <br /> + <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br /> + <br /> And you could create a decrypted PEM version (not recommended) - of this RSA private key via: - <p> - <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code> - <p> + of this RSA private key via:<br /> + <br /> + <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br /> + <br /> + </li> <li>Create a Certificate Signing Request (CSR) with the server RSA private - key (output will be PEM formatted): - <p> - <code><strong>$ openssl req -new -key server.key -out server.csr</strong></code> - <p> + key (output will be PEM formatted):<br /> + <br /> + <code><strong>$ openssl req -new -key server.key -out server.csr</strong></code><br /> + <br /> Make sure you enter the FQDN ("Fully Qualified Domain Name") of the server when OpenSSL prompts you for the "CommonName", i.e. when you generate a CSR for a website which will be later accessed via <code>https://www.foo.dom/</code>, enter "www.foo.dom" here. - You can see the details of this CSR via the command - <p> - <code><strong>$ openssl req -noout -text -in server.csr</strong></code> - <p> + You can see the details of this CSR via the command<br /> + <br /> + <code><strong>$ openssl req -noout -text -in server.csr</strong></code><br /> + <br /> + </li> <li>You now have to send this Certificate Signing Request (CSR) to a Certifying Authority (CA) for signing. The result is then a real Certificate which can be used for Apache. Here you have two options: @@ -678,42 +676,48 @@ server Certificate for it. How do I do it? Thawte. Then you usually have to post the CSR into a web form, pay for the signing and await the signed Certificate you then can store into a server.crt file. For more information about commercial CAs have a look - at the following locations: - <p> - <ul> - <li> Verisign<br> + at the following locations:<br /> + <br /> + <ol> + <li> Verisign<br /> <a href="http://digitalid.verisign.com/server/apacheNotice.htm"> http://digitalid.verisign.com/server/apacheNotice.htm </a> - <li> Thawte Consulting<br> + </li> + <li> Thawte Consulting<br /> <a href="http://www.thawte.com/certs/server/request.html"> http://www.thawte.com/certs/server/request.html </a> - <li> CertiSign Certificadora Digital Ltda.<br> + </li> + <li> CertiSign Certificadora Digital Ltda.<br /> <a href="http://www.certisign.com.br"> http://www.certisign.com.br </a> - <li> IKS GmbH<br> + </li> + <li> IKS GmbH<br /> <a href="http://www.iks-jena.de/produkte/ca/"> http://www.iks-jena.de/produkte/ca/ </a> - <li> Uptime Commerce Ltd.<br> + </li> + <li> Uptime Commerce Ltd.<br /> <a href="http://www.uptimecommerce.com"> http://www.uptimecommerce.com </a> - <li> BelSign NV/SA<br> + </li> + <li> BelSign NV/SA<br /> <a href="http://www.belsign.be"> http://www.belsign.be </a> - </ul> - <p> + </li> + </ol> + <br /> Second you can use your own CA and now have to sign the CSR yourself by this CA. Read the next answer in this FAQ on how to sign a CSR with your CA yourself. - You can see the details of the received Certificate via the command: - <p> - <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code> - <p> + You can see the details of the received Certificate via the command:<br /> + <br /> + <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br /> + </li> <li>Now you have two files: <code>server.key</code> and <code>server.crt</code>. These now can be used as following inside your Apache's <code>httpd.conf</code> file: @@ -722,213 +726,210 @@ server Certificate for it. How do I do it? SSLCertificateKeyFile /path/to/this/server.key </pre> The <code>server.csr</code> file is no longer needed. + </li> </ol> -<p> +</li> <li><a name="ToC29"></a> <a name="cert-ownca"></a> - <strong id="faq"> + <strong> How can I create and use my own Certificate Authority (CA)? </strong> [<a href="#cert-ownca"><b>L</b></a>] - <p> - The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code> - script provided by OpenSSL. The long and manual answer is this: - <p> + <p>The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code> + script provided by OpenSSL. The long and manual answer is this:</p> + <ol> <li>Create a RSA private key for your CA - (will be Triple-DES encrypted and PEM formatted): - <p> - <code><strong>$ openssl genrsa -des3 -out ca.key 1024</strong></code> - <p> + (will be Triple-DES encrypted and PEM formatted):<br /> + <br /> + <code><strong>$ openssl genrsa -des3 -out ca.key 1024</strong></code><br /> + <br /> Please backup this <code>ca.key</code> file and remember the pass-phrase you currently entered at a secure location. - You can see the details of this RSA private key via the command - <p> - <code><strong>$ openssl rsa -noout -text -in ca.key</strong></code> - <p> + You can see the details of this RSA private key via the command<br /> + <br /> + <code><strong>$ openssl rsa -noout -text -in ca.key</strong></code><br /> + <br /> And you can create a decrypted PEM version (not recommended) of this - private key via: - <p> - <code><strong>$ openssl rsa -in ca.key -out ca.key.unsecure</strong></code> - <p> + private key via:<br /> + <br /> + <code><strong>$ openssl rsa -in ca.key -out ca.key.unsecure</strong></code><br /> + <br /> + </li> <li>Create a self-signed CA Certificate (X509 structure) - with the RSA key of the CA (output will be PEM formatted): - <p> - <code><strong>$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt</strong></code> - <p> - You can see the details of this Certificate via the command: - <p> - <code><strong>$ openssl x509 -noout -text -in ca.crt</strong></code> - <p> + with the RSA key of the CA (output will be PEM formatted):<br /> + <br /> + <code><strong>$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt</strong></code><br /> + <br /> + You can see the details of this Certificate via the command:<br /> + <br /> + <code><strong>$ openssl x509 -noout -text -in ca.crt</strong></code><br /> + <br /> + </li> <li>Prepare a script for signing which is needed because the ``<code>openssl ca</code>'' command has some strange requirements and the default OpenSSL config doesn't allow one easily to use ``<code>openssl ca</code>'' directly. So a script named <code>sign.sh</code> is distributed with the mod_ssl distribution (subdir <code>pkg.contrib/</code>). Use this script for signing. - <p> + </li> <li>Now you can use this CA to sign server CSR's in order to create real SSL Certificates for use inside an Apache webserver (assuming - you already have a <code>server.csr</code> at hand): - <p> - <code><strong>$ ./sign.sh server.csr</strong></code> - <p> - This signs the server CSR and results in a <code>server.crt</code> file. + you already have a <code>server.csr</code> at hand):<br /> + <br /> + <code><strong>$ ./sign.sh server.csr</strong></code><br /> + <br /> + This signs the server CSR and results in a <code>server.crt</code> file.<br /> + </li> </ol> -<p> +</li> <li><a name="ToC30"></a> <a name="change-passphrase"></a> - <strong id="faq"> + <strong> How can I change the pass-phrase on my private key file? </strong> [<a href="#change-passphrase"><b>L</b></a>] - <p> - You simply have to read it with the old pass-phrase and write it again + <p>You simply have to read it with the old pass-phrase and write it again by specifying the new pass-phrase. You can accomplish this with the following - commands: - <p> - <code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br> - <code><strong>$ mv server.key.new server.key</strong></code><br> - <p> - Here you're asked two times for a PEM pass-phrase. At the first + commands:</p> + + <p><code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br /> + <code><strong>$ mv server.key.new server.key</strong></code><br /></p> + + <p>Here you're asked two times for a PEM pass-phrase. At the first prompt enter the old pass-phrase and at the second prompt - enter the new pass-phrase. -<p> + enter the new pass-phrase.</p> +</li> <li><a name="ToC31"></a> <a name="remove-passphrase"></a> - <strong id="faq"> + <strong> How can I get rid of the pass-phrase dialog at Apache startup time? </strong> [<a href="#remove-passphrase"><b>L</b></a>] - <p> - The reason why this dialog pops up at startup and every re-start + <p>The reason why this dialog pops up at startup and every re-start is that the RSA private key inside your server.key file is stored in encrypted format for security reasons. The pass-phrase is needed to be able to read and parse this file. When you can be sure that your server is - secure enough you perform two steps: - <p> + secure enough you perform two steps:</p> + <ol> <li>Remove the encryption from the RSA private key (while - preserving the original file): - <p> - <code><strong>$ cp server.key server.key.org</strong></code><br> - <code><strong>$ openssl rsa -in server.key.org -out server.key</strong></code> - <p> - <li>Make sure the server.key file is now only readable by root: - <p> - <code><strong>$ chmod 400 server.key</strong></code> + preserving the original file):<br /> + <br /> + <code><strong>$ cp server.key server.key.org</strong></code><br /> + <code><strong>$ openssl rsa -in server.key.org -out server.key</strong></code><br /> + <br /> + </li> + <li>Make sure the server.key file is now only readable by root:<br /> + <br /> + <code><strong>$ chmod 400 server.key</strong></code><br /> + <br /> + </li> </ol> - <p> - Now <code>server.key</code> will contain an unencrypted copy of the key. + <p>Now <code>server.key</code> will contain an unencrypted copy of the key. If you point your server at this file it will not prompt you for a pass-phrase. HOWEVER, if anyone gets this key they will be able to impersonate you on the net. PLEASE make sure that the permissions on that file are really such that only root or the web server user can read it (preferably get your web server to start as root but run as another - server, and have the key readable only by root). - <p> - As an alternative approach you can use the ``<code>SSLPassPhraseDialog + server, and have the key readable only by root).</p> + + <p>As an alternative approach you can use the ``<code>SSLPassPhraseDialog exec:/path/to/program</code>'' facility. But keep in mind that this is - neither more nor less secure, of course. -<p> + neither more nor less secure, of course.</p> +</li> <li><a name="ToC32"></a> <a name="verify-key"></a> - <strong id="faq"> + <strong> How do I verify that a private key matches its Certificate? </strong> [<a href="#verify-key"><b>L</b></a>] - <p> - The private key contains a series of numbers. Two of those numbers form + <p>The private key contains a series of numbers. Two of those numbers form the "public key", the others are part of your "private key". The "public key" bits are also embedded in your Certificate (we get them from your CSR). To check that the public key in your cert matches the public portion of your private key, you need to view the cert and the key and compare the numbers. To view the Certificate and the key run the - commands: - <p> - <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br> - <code><strong>$ openssl rsa -noout -text -in server.key</strong></code> - <p> - The `modulus' and the `public exponent' portions in the key and the + commands:</p> + + <p><code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br /> + <code><strong>$ openssl rsa -noout -text -in server.key</strong></code></p> + + <p>The `modulus' and the `public exponent' portions in the key and the Certificate must match. But since the public exponent is usually 65537 and it's bothering comparing long modulus you can use the following - approach: - <p> - <code><strong>$ openssl x509 -noout -modulus -in server.crt | openssl md5</strong></code><br> - <code><strong>$ openssl rsa -noout -modulus -in server.key | openssl md5</strong></code> - <p> - And then compare these really shorter numbers. With overwhelming + approach:</p> + + <p><code><strong>$ openssl x509 -noout -modulus -in server.crt | openssl md5</strong></code><br /> + <code><strong>$ openssl rsa -noout -modulus -in server.key | openssl md5</strong></code></p> + + <p>And then compare these really shorter numbers. With overwhelming probability they will differ if the keys are different. BTW, if I want to - check to which key or certificate a particular CSR belongs you can compute - <p> - <code><strong>$ openssl req -noout -modulus -in server.csr | openssl md5</strong></code> -<p> + check to which key or certificate a particular CSR belongs you can compute</p> + + <p><code><strong>$ openssl req -noout -modulus -in server.csr | openssl md5</strong></code></p> +</li> <li><a name="ToC33"></a> <a name="keysize1"></a> - <strong id="faq"> + <strong> What does it mean when my connections fail with an "alert bad certificate" error? </strong> [<a href="#keysize1"><b>L</b></a>] - <p> - Usually when you see errors like ``<tt>OpenSSL: error:14094412: SSL + <p>Usually when you see errors like ``<tt>OpenSSL: error:14094412: SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate</tt>'' in the SSL logfile, this means that the browser was unable to handle the server certificate/private-key which perhaps contain a RSA-key not equal to 1024 - bits. For instance Netscape Navigator 3.x is one of those browsers. -<p> + bits. For instance Netscape Navigator 3.x is one of those browsers.</p> +</li> <li><a name="ToC34"></a> <a name="keysize2"></a> - <strong id="faq"> + <strong> Why does my 2048-bit private key not work? </strong> [<a href="#keysize2"><b>L</b></a>] - <p> - The private key sizes for SSL must be either 512 or 1024 for compatibility + <p>The private key sizes for SSL must be either 512 or 1024 for compatibility with certain web browsers. A keysize of 1024 bits is recommended because keys larger than 1024 bits are incompatible with some versions of Netscape Navigator and Microsoft Internet Explorer, and with other browsers that - use RSA's BSAFE cryptography toolkit. -<p> + use RSA's BSAFE cryptography toolkit.</p> +</li> <li><a name="ToC35"></a> <a name="hash-symlinks"></a> - <strong id="faq"> + <strong> Why is client authentication broken after upgrading from SSLeay version 0.8 to 0.9? </strong> [<a href="#hash-symlinks"><b>L</b></a>] - <p> - The CA certificates under the path you configured with + <p>The CA certificates under the path you configured with <code>SSLCACertificatePath</code> are found by SSLeay through hash symlinks. These hash values are generated by the `<code>openssl x509 -noout -hash</code>' command. But the algorithm used to calculate the hash for a certificate has changed between SSLeay 0.8 and 0.9. So you have to remove all old hash symlinks and re-create new ones after upgrading. Use the - <code>Makefile</code> mod_ssl placed into this directory. -<p> + <code>Makefile</code> mod_ssl placed into this directory.</p> +</li> <li><a name="ToC36"></a> <a name="pem-to-der"></a> - <strong id="faq"> + <strong> How can I convert a certificate from PEM to DER format? </strong> [<a href="#pem-to-der"><b>L</b></a>] - <p> - The default certificate format for SSLeay/OpenSSL is PEM, which actually + <p>The default certificate format for SSLeay/OpenSSL is PEM, which actually is Base64 encoded DER with header and footer lines. For some applications (e.g. Microsoft Internet Explorer) you need the certificate in plain DER format. You can convert a PEM file <code>cert.pem</code> into the corresponding DER file <code>cert.der</code> with the following command: - <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code> -<p> + <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code></p> +</li> <li><a name="ToC37"></a> <a name="verisign-getca"></a> - <strong id="faq"> + <strong> I try to install a Verisign certificate. Why can't I find neither the <code>getca</code> nor <code>getverisign</code> programs Verisign mentions? </strong> [<a href="#verisign-getca"><b>L</b></a>] - <p> - This is because Verisign has never provided specific instructions + <p>This is because Verisign has never provided specific instructions for Apache+mod_ssl. Rather they tell you what you should do if you were using C2Net's Stronghold (a commercial Apache based server with SSL support). The only thing you have to do @@ -938,132 +939,122 @@ I try to install a Verisign certificate. Why can't I find neither the <code>SSLCertificateKeyFile</code> directive). For a better CA-related overview on SSL certificate fiddling you can look at <a href="http://www.thawte.com/certs/server/keygen/mod_ssl.html"> - Thawte's mod_ssl instructions</a>. -<p> + Thawte's mod_ssl instructions</a>.</p> +</li> <li><a name="ToC38"></a> <a name="gid"></a> - <strong id="faq"> + <strong> Can I use the Server Gated Cryptography (SGC) facility (aka Verisign Global ID) also with mod_ssl? </strong> [<a href="#gid"><b>L</b></a>] - <p> - Yes, mod_ssl since version 2.1 supports the SGC facility. You don't have + <p>Yes, mod_ssl since version 2.1 supports the SGC facility. You don't have to configure anything special for this, just use a Global ID as your server certificate. The <i>step up</i> of the clients are then automatically handled by mod_ssl under run-time. For details please read - the <tt>README.GlobalID</tt> document in the mod_ssl distribution. -<p> + the <tt>README.GlobalID</tt> document in the mod_ssl distribution.</p> +</li> <li><a name="ToC39"></a> <a name="gid"></a> - <strong id="faq"> + <strong> After I have installed my new Verisign Global ID server certificate, the browsers complain that they cannot verify the server certificate? </strong> [<a href="#gid"><b>L</b></a>] - <p> - That is because Verisign uses an intermediate CA certificate between + <p>That is because Verisign uses an intermediate CA certificate between the root CA certificate (which is installed in the browsers) and the server certificate (which you installed in the server). You should have received this additional CA certificate from Verisign. If not, complain to them. Then configure this certificate with the <code>SSLCertificateChainFile</code> directive in the server. This makes sure the intermediate CA certificate is send to the browser - and this way fills the gap in the certificate chain. + and this way fills the gap in the certificate chain.</p> +</li> </ul> -<p> -<br> +<br /> <h2><a name="ToC40">About SSL Protocol</a></h2> <ul> -<p> <li><a name="ToC41"></a> <a name="random-errors"></a> - <strong id="faq"> + <strong> Why do I get lots of random SSL protocol errors under heavy server load? </strong> [<a href="#random-errors"><b>L</b></a>] - <p> - There can be a number of reasons for this, but the main one + <p>There can be a number of reasons for this, but the main one is problems with the SSL session Cache specified by the <tt>SSLSessionCache</tt> directive. The DBM session cache is most likely the source of the problem, so trying the SHM session cache or - no cache at all may help. -<p> + no cache at all may help.</p> +</li> <li><a name="ToC42"></a> <a name="load"></a> - <strong id="faq"> + <strong> Why has my webserver a higher load now that I run SSL there? </strong> [<a href="#load"><b>L</b></a>] - <p> - Because SSL uses strong cryptographic encryption and this needs a lot of + <p>Because SSL uses strong cryptographic encryption and this needs a lot of number crunching. And because when you request a webpage via HTTPS even the images are transfered encrypted. So, when you have a lot of HTTPS - traffic the load increases. -<p> + traffic the load increases.</p> +</li> <li><a name="ToC43"></a> <a name="random"></a> - <strong id="faq"> + <strong> Often HTTPS connections to my server require up to 30 seconds for establishing the connection, although sometimes it works faster? </strong> [<a href="#random"><b>L</b></a>] - <p> - Usually this is caused by using a <code>/dev/random</code> device for + <p>Usually this is caused by using a <code>/dev/random</code> device for <code>SSLRandomSeed</code> which is blocking in read(2) calls if not enough entropy is available. Read more about this problem in the refernce - chapter under <code>SSLRandomSeed</code>. -<p> + chapter under <code>SSLRandomSeed</code>.</p> +</li> <li><a name="ToC44"></a> <a name="ciphers"></a> - <strong id="faq"> + <strong> What SSL Ciphers are supported by mod_ssl? </strong> [<a href="#ciphers"><b>L</b></a>] - <p> - Usually just all SSL ciphers which are supported by the + <p>Usually just all SSL ciphers which are supported by the version of OpenSSL in use (can depend on the way you built - OpenSSL). Typically this at least includes the following: - <p> - <ul> - <li>RC4 with MD5 - <li>RC4 with MD5 (export version restricted to 40-bit key) - <li>RC2 with MD5 - <li>RC2 with MD5 (export version restricted to 40-bit key) - <li>IDEA with MD5 - <li>DES with MD5 - <li>Triple-DES with MD5 - </ul> - <p> - To determine the actual list of supported ciphers you can - run the following command: - <p> - <code><strong>$ openssl ciphers -v</strong></code><br> -<p> + OpenSSL). Typically this at least includes the following:</p> + + <ol> + <li>RC4 with MD5</li> + <li>RC4 with MD5 (export version restricted to 40-bit key)</li> + <li>RC2 with MD5</li> + <li>RC2 with MD5 (export version restricted to 40-bit key)</li> + <li>IDEA with MD5</li> + <li>DES with MD5</li> + <li>Triple-DES with MD5</li> + </ol> + + <p>To determine the actual list of supported ciphers you can + run the following command:</p> + <code><strong>$ openssl ciphers -v</strong></code><br /> +</li> <li><a name="ToC45"></a> <a name="cipher-adh"></a> - <strong id="faq"> + <strong> I want to use Anonymous Diffie-Hellman (ADH) ciphers, but I always get ``no shared cipher'' errors? </strong> [<a href="#cipher-adh"><b>L</b></a>] - <p> - In order to use Anonymous Diffie-Hellman (ADH) ciphers, it is not enough + <p>In order to use Anonymous Diffie-Hellman (ADH) ciphers, it is not enough to just put ``<code>ADH</code>'' into your <code>SSLCipherSuite</code>. Additionally you have to build OpenSSL with ``<code>-DSSL_ALLOW_ADH</code>''. Because per default OpenSSL does not allow ADH ciphers for security reasons. So if you are actually enabling - these ciphers make sure you are informed about the side-effects. -<p> + these ciphers make sure you are informed about the side-effects.</p> +</li> <li><a name="ToC46"></a> <a name="cipher-shared"></a> - <strong id="faq"> + <strong> I always just get a 'no shared ciphers' error if I try to connect to my freshly installed server? </strong> [<a href="#cipher-shared"><b>L</b></a>] - <p> - Either you have messed up your <code>SSLCipherSuite</code> + <p>Either you have messed up your <code>SSLCipherSuite</code> directive (compare it with the pre-configured example in <code>httpd.conf-dist</code>) or you have choosen the DSA/DH algorithms instead of RSA when you generated your private key @@ -1073,16 +1064,15 @@ I try to connect to my freshly installed server? certificate/key pair). But current browsers like NS or IE only speak RSA ciphers. The result is the "no shared ciphers" error. To fix this, regenerate your server certificate/key pair and this time - choose the RSA algorithm. -<p> + choose the RSA algorithm.</p> +</li> <li><a name="ToC47"></a> <a name="vhosts"></a> - <strong id="faq"> + <strong> Why can't I use SSL with name-based/non-IP-based virtual hosts? </strong> [<a href="#vhosts"><b>L</b></a>] - <p> - The reason is very technical. Actually it's some sort of a chicken and + <p>The reason is very technical. Actually it's some sort of a chicken and egg problem: The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established Apache/mod_ssl has to negotiate the SSL protocol parameters with the @@ -1092,18 +1082,17 @@ Why can't I use SSL with name-based/non-IP-based virtual hosts? Apache has to know the <code>Host</code> HTTP header field. For this the HTTP request header has to be read. This cannot be done before the SSL handshake is finished. But the information is already needed at the SSL - handshake phase. Bingo! -<p> + handshake phase. Bingo!</p> +</li> <li><a name="ToC48"></a> <a name="lock-icon"></a> - <strong id="faq"> + <strong> When I use Basic Authentication over HTTPS the lock icon in Netscape browsers still shows the unlocked state when the dialog pops up. Does this mean the username/password is still transmitted unencrypted? </strong> [<a href="#lock-icon"><b>L</b></a>] - <p> - No, the username/password is already transmitted encrypted. The icon in + <p>No, the username/password is already transmitted encrypted. The icon in Netscape browsers is just not really synchronized with the SSL/TLS layer (it toggles to the locked state when the first part of the actual webpage data is transferred which is not quite correct) and this way confuses @@ -1111,29 +1100,28 @@ username/password is still transmitted unencrypted? this layer is above the SSL/TLS layer in HTTPS. And before any HTTP data communication takes place in HTTPS the SSL/TLS layer has already done the handshake phase and switched to encrypted communication. So, don't get - confused by this icon. -<p> + confused by this icon.</p> +</li> <li><a name="ToC49"></a> <a name="io-ie"></a> - <strong id="faq"> + <strong> When I connect via HTTPS to an Apache+mod_ssl+OpenSSL server with Microsoft Internet Explorer (MSIE) I get various I/O errors. What is the reason? </strong> [<a href="#io-ie"><b>L</b></a>] - <p> - The first reason is that the SSL implementation in some MSIE versions has + <p>The first reason is that the SSL implementation in some MSIE versions has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket connection close. Additionally the interaction between SSL and HTTP/1.1 features are problematic with some MSIE versions, too. You've to work-around these problems by forcing Apache+mod_ssl+OpenSSL to not use HTTP/1.1, keep-alive connections or sending the SSL close notify messages to MSIE clients. This can be done by - using the following directive in your SSL-aware virtual host section: + using the following directive in your SSL-aware virtual host section:</p> <pre> SetEnvIf User-Agent ".*MSIE.*" \ <b>nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0</b></pre> - Additionally it is known some MSIE versions have also problems + <p>Additionally it is known some MSIE versions have also problems with particular ciphers. Unfortunately one cannot workaround these bugs only for those MSIE particular clients, because the ciphers are already used in the SSL handshake phase. So a MSIE-specific @@ -1141,41 +1129,41 @@ Explorer (MSIE) I get various I/O errors. What is the reason? has to do more drastic adjustments to the global parameters. But before you decide to do this, make sure your clients really have problems. If not, do not do this, because it affects all(!) your - clients, i.e., also your non-MSIE clients. - <p> - The next problem is that 56bit export versions of MSIE 5.x browsers have a + clients, i.e., also your non-MSIE clients.</p> + + <p>The next problem is that 56bit export versions of MSIE 5.x browsers have a broken SSLv3 implementation which badly interacts with OpenSSL versions greater than 0.9.4. You can either accept this and force your clients to upgrade their browsers, or you downgrade to OpenSSL 0.9.4 (hmmm), or you can decide to workaround it by accepting the drawback that your workaround - will horribly affect also other browsers: + will horribly affect also other browsers:</p> <pre> SSLProtocol all <b>-SSLv3</b></pre> - This completely disables the SSLv3 protocol and lets those browsers work. + <p>This completely disables the SSLv3 protocol and lets those browsers work. But usually this is an even less acceptable workaround. A more reasonable workaround is to address the problem more closely and disable only the - ciphers which cause trouble. + ciphers which cause trouble.</p> <pre> SSLCipherSuite ALL:!ADH:<b>!EXPORT56</b>:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP</pre> - This also lets the broken MSIE versions work, but only removes the - newer 56bit TLS ciphers. - <p> - Another problem with MSIE 5.x clients is that they refuse to connect to + <p>This also lets the broken MSIE versions work, but only removes the + newer 56bit TLS ciphers.</p> + + <p>Another problem with MSIE 5.x clients is that they refuse to connect to URLs of the form <tt>https://12.34.56.78/</tt> (IP-addresses are used instead of the hostname), if the server is using the Server Gated Cryptography (SGC) facility. This can only be avoided by using the fully qualified domain name (FQDN) of the website in hyperlinks instead, because - MSIE 5.x has an error in the way it handles the SGC negotiation. - <p> - And finally there are versions of MSIE which seem to require that + MSIE 5.x has an error in the way it handles the SGC negotiation.</p> + + <p>And finally there are versions of MSIE which seem to require that an SSL session can be reused (a totally non standard-conforming behaviour, of course). Connection with those MSIE versions only work if a SSL session cache is used. So, as a work-around, make sure you - are using a session cache (see <tt>SSLSessionCache</tt> directive). -<p> + are using a session cache (see <tt>SSLSessionCache</tt> directive).</p> +</li> <li><a name="ToC50"></a> <a name="io-ns"></a> - <strong id="faq"> + <strong> When I connect via HTTPS to an Apache+mod_ssl server with Netscape Navigator I get I/O errors and the message "Netscape has encountered bad data from the server" What's the reason? @@ -1187,168 +1175,167 @@ server" What's the reason? server certificate. Once you clear the entry in your browser for the old certificate, everything usually will work fine. Netscape's SSL implementation is correct, so when you encounter I/O errors with Netscape - Navigator it is most of the time caused by the configured certificates. + Navigator it is most of the time caused by the configured certificates.</p> +</li> </ul> -<p> -<br> +<br /> <h2><a name="ToC51">About Support</a></h2> <ul> -<p> <li><a name="ToC52"></a> <a name="resources"></a> - <strong id="faq"> + <strong> What information resources are available in case of mod_ssl problems? </strong> [<a href="#resources"><b>L</b></a>] - <p> -The following information resources are available. -In case of problems you should search here first. -<p> -<ol> -<li><em>Answers in the User Manual's F.A.Q. List (this)</em><br> - <a href="http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html"> - http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html</a><br> - First look inside the F.A.Q. (this text), perhaps your problem is such - popular that it was already answered a lot of times in the past. -<p> -<li><em>Postings from the modssl-users Support Mailing List</em> - <a href="http://www.modssl.org/support/"> - http://www.modssl.org/support/</a><br> - Second search for your problem in one of the existing archives of the - modssl-users mailing list. Perhaps your problem popped up at least once for - another user, too. -<p> -<li><em>Problem Reports in the Bug Database</em> - <a href="http://www.modssl.org/support/bugdb/"> - http://www.modssl.org/support/bugdb/</a><br> - Third look inside the mod_ssl Bug Database. Perhaps - someone else already has reported the problem. -</ol> -<p> + <p>The following information resources are available. + In case of problems you should search here first.</p> + + <ol> + <li><em>Answers in the User Manual's F.A.Q. List (this)</em><br /> + <a href="http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html"> + http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html</a><br /> + First look inside the F.A.Q. (this text), perhaps your problem is such + popular that it was already answered a lot of times in the past. + </li> + <li><em>Postings from the modssl-users Support Mailing List</em> + <a href="http://www.modssl.org/support/"> + http://www.modssl.org/support/</a><br /> + Second search for your problem in one of the existing archives of the + modssl-users mailing list. Perhaps your problem popped up at least once for + another user, too. + </li> + <li><em>Problem Reports in the Bug Database</em> + <a href="http://www.modssl.org/support/bugdb/"> + http://www.modssl.org/support/bugdb/</a><br /> + Third look inside the mod_ssl Bug Database. Perhaps + someone else already has reported the problem. + </li> + </ol> +</li> <li><a name="ToC53"></a> <a name="contact"></a> - <strong id="faq"> + <strong> What support contacts are available in case of mod_ssl problems? </strong> [<a href="#contact"><b>L</b></a>] - <p> -The following lists all support possibilities for mod_ssl, in order of -preference, i.e. start in this order and do not pick the support possibility -you just like most, please. -<p> -<ol> -<li><em>Write a Problem Report into the Bug Database</em><br> - <a href="http://www.modssl.org/support/bugdb/"> - http://www.modssl.org/support/bugdb/</a><br> - This is the preferred way of submitting your problem report, because this - way it gets filed into the bug database (it cannot be lost) <em>and</em> - send to the modssl-users mailing list (others see the current problems and - learn from answers). -<p> -<li><em>Write a Problem Report to the modssl-users Support Mailing List</em><br> - <a href="mailto:modssl-users@modssl.org"> - modssl-users @ modssl.org</a><br> - This is the second way of submitting your problem report. You have to - subscribe to the list first, but then you can easily discuss your problem - with both the author and the whole mod_ssl user community. -<p> -<li><em>Write a Problem Report to the author</em><br> - <a href="mailto:rse@engelschall.com"> - rse @ engelschall.com</a><br> - This is the last way of submitting your problem report. Please avoid this - in your own interest because the author is really a very busy men. Your - mail will always be filed to one of his various mail-folders and is - usually not processed as fast as a posting on modssl-users. -</ol> -<p> + <p>The following lists all support possibilities for mod_ssl, in order of + preference, i.e. start in this order and do not pick the support possibility + you just like most, please.</p> + + <ol> + <li><em>Write a Problem Report into the Bug Database</em><br /> + <a href="http://www.modssl.org/support/bugdb/"> + http://www.modssl.org/support/bugdb/</a><br /> + This is the preferred way of submitting your problem report, because this + way it gets filed into the bug database (it cannot be lost) <em>and</em> + send to the modssl-users mailing list (others see the current problems and + learn from answers). + </li> + <li><em>Write a Problem Report to the modssl-users Support Mailing List</em><br /> + <a href="mailto:modssl-users@modssl.org"> + modssl-users @ modssl.org</a><br /> + This is the second way of submitting your problem report. You have to + subscribe to the list first, but then you can easily discuss your problem + with both the author and the whole mod_ssl user community. + </li> + <li><em>Write a Problem Report to the author</em><br /> + <a href="mailto:rse@engelschall.com"> + rse @ engelschall.com</a><br /> + This is the last way of submitting your problem report. Please avoid this + in your own interest because the author is really a very busy men. Your + mail will always be filed to one of his various mail-folders and is + usually not processed as fast as a posting on modssl-users. + </li> + </ol> +</li> <li><a name="ToC54"></a> <a name="report-details"></a> - <strong id="faq"> + <strong> What information and details I've to provide to the author when writing a bug report? </strong> [<a href="#report-details"><b>L</b></a>] - <p> -You have to at least always provide the following information: -<p> -<ul> -<li><em>Apache, mod_ssl and OpenSSL version information</em><br> - The mod_ssl version you should really know. For instance, it's the version - number in the distribution tarball. The Apache version can be determined - by running ``<code>httpd -v</code>''. The OpenSSL version can be - determined by running ``<code>openssl version</code>''. Alternatively when - you have Lynx installed you can run the command ``<code>lynx -mime_header - http://localhost/ | grep Server</code>'' to determine all information in a - single step. -<p> -<li><em>The details on how you built and installed Apache+mod_ssl+OpenSSL</em><br> - For this you can provide a logfile of your terminal session which shows - the configuration and install steps. Alternatively you can at least - provide the author with the APACI `<code>configure</code>'' command line - you used (assuming you used APACI, of course). -<p> -<li><em>In case of core dumps please include a Backtrace</em><br> - In case your Apache+mod_ssl+OpenSSL should really dumped core please attach - a stack-frame ``backtrace'' (see the next question on how to get it). - Without this information the reason for your core dump cannot be found. - So you have to provide the backtrace, please. -<p> -<li><em>A detailed description of your problem</em><br> - Don't laugh, I'm totally serious. I already got a lot of problem reports - where the people not really said what's the actual problem is. So, in your - own interest (you want the problem be solved, don't you?) include as much - details as possible, please. But start with the essentials first, of - course. -</ul> -<p> + <p>You have to at least always provide the following information:</p> + + <ol> + <li><em>Apache, mod_ssl and OpenSSL version information</em><br /> + The mod_ssl version you should really know. For instance, it's the version + number in the distribution tarball. The Apache version can be determined + by running ``<code>httpd -v</code>''. The OpenSSL version can be + determined by running ``<code>openssl version</code>''. Alternatively when + you have Lynx installed you can run the command ``<code>lynx -mime_header + http://localhost/ | grep Server</code>'' to determine all information in a + single step. + </li> + <li><em>The details on how you built and installed Apache+mod_ssl+OpenSSL</em><br /> + For this you can provide a logfile of your terminal session which shows + the configuration and install steps. Alternatively you can at least + provide the author with the APACI `<code>configure</code>'' command line + you used (assuming you used APACI, of course). + </li> + <li><em>In case of core dumps please include a Backtrace</em><br /> + In case your Apache+mod_ssl+OpenSSL should really dumped core please attach + a stack-frame ``backtrace'' (see the next question on how to get it). + Without this information the reason for your core dump cannot be found. + So you have to provide the backtrace, please. + </li> + <li><em>A detailed description of your problem</em><br /> + Don't laugh, I'm totally serious. I already got a lot of problem reports + where the people not really said what's the actual problem is. So, in your + own interest (you want the problem be solved, don't you?) include as much + details as possible, please. But start with the essentials first, of + course. + </li> + </ol> +</li> <li><a name="ToC55"></a> <a name="core-dumped"></a> - <strong id="faq"> + <strong> I got a core dump, can you help me? </strong> [<a href="#core-dumped"><b>L</b></a>] - <p> - In general no, at least not unless you provide more details about the code + <p>In general no, at least not unless you provide more details about the code location where Apache dumped core. What is usually always required in order to help you is a backtrace (see next question). Without this information it is mostly impossible to find the problem and help you in - fixing it. -<p> + fixing it.</p> +</li> <li><a name="ToC56"></a> <a name="report-backtrace"></a> - <strong id="faq"> + <strong> Ok, I got a core dump but how do I get a backtrace to find out the reason for it? </strong> [<a href="#report-backtrace"><b>L</b></a>] - <p> -Follow the following steps: -<p> -<ol> -<li>Make sure you have debugging symbols available in at least - Apache and mod_ssl. On platforms where you use GCC/GDB you have to build - Apache+mod_ssl with ``<code>OPTIM="-g -ggdb3"</code>'' to achieve this. On - other platforms at least ``<code>OPTIM="-g"</code>'' is needed. -<p> -<li>Startup the server and try to produce the core-dump. For this you perhaps - want to use a directive like ``<code>CoreDumpDirectory /tmp</code>'' to - make sure that the core-dump file can be written. You then should get a - <code>/tmp/core</code> or <code>/tmp/httpd.core</code> file. When you - don't get this, try to run your server under an UID != 0 (root), because - most "current" kernels do not allow a process to dump core after it has - done a <code>setuid()</code> (unless it does an <code>exec()</code>) for - security reasons (there can be privileged information left over in - memory). Additionally you can run ``<code>/path/to/httpd -X</code>'' - manually to force Apache to not fork. -<p> -<li>Analyze the core-dump. For this run ``<code>gdb /path/to/httpd - /tmp/httpd.core</code>'' or a similar command has to run. In GDB you then - just have to enter the ``<code>bt</code>'' command and, voila, you get the - backtrace. For other debuggers consult your local debugger manual. Send - this backtrace to the author. -</ol> + <p>Follow the following steps:</p> + + <ol> + <li>Make sure you have debugging symbols available in at least + Apache and mod_ssl. On platforms where you use GCC/GDB you have to build + Apache+mod_ssl with ``<code>OPTIM="-g -ggdb3"</code>'' to achieve this. On + other platforms at least ``<code>OPTIM="-g"</code>'' is needed. + </li> + <li>Startup the server and try to produce the core-dump. For this you perhaps + want to use a directive like ``<code>CoreDumpDirectory /tmp</code>'' to + make sure that the core-dump file can be written. You then should get a + <code>/tmp/core</code> or <code>/tmp/httpd.core</code> file. When you + don't get this, try to run your server under an UID != 0 (root), because + most "current" kernels do not allow a process to dump core after it has + done a <code>setuid()</code> (unless it does an <code>exec()</code>) for + security reasons (there can be privileged information left over in + memory). Additionally you can run ``<code>/path/to/httpd -X</code>'' + manually to force Apache to not fork. + </li> + <li>Analyze the core-dump. For this run ``<code>gdb /path/to/httpd + /tmp/httpd.core</code>'' or a similar command has to run. In GDB you then + just have to enter the ``<code>bt</code>'' command and, voila, you get the + backtrace. For other debuggers consult your local debugger manual. Send + this backtrace to the author. + </li> + </ol> +</li> </ul> -<p><!--#include virtual="footer.html" --> </p> + <!--#include virtual="footer.html" --> </body> </html> diff --git a/docs/manual/ssl/ssl_glossary.html b/docs/manual/ssl/ssl_glossary.html index b55633b316..366e850a7c 100644 --- a/docs/manual/ssl/ssl_glossary.html +++ b/docs/manual/ssl/ssl_glossary.html @@ -16,7 +16,7 @@ <body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> -<h1 align="CENTER">SSL/TLS Strong Encryption: Glossary</h1> +<h1 align="center">SSL/TLS Strong Encryption: Glossary</h1> <div align="right"> <table cellspacing="0" cellpadding="0" width="300" summary=""> @@ -39,146 +39,231 @@ Richard Nixon </div> <dl> -<dt><div id="term">Authentication</div> +<dt>Authentication</dt> <dd>The positive identification of a network entity such as a server, a client, or a user. In SSL context the server and client <em>Certificate</em> verification process. -<p> -<dt><div id="term">Access Control</div> +</dd> +</dl> + +<dl> +<dt>Access Control</dt> <dd>The restriction of access to network realms. In Apache context usually the restriction of access to certain <em>URLs</em>. -<p> -<dt><div id="term">Algorithm</div> +</dd> +</dl> + +<dl> +<dt>Algorithm</dt> <dd>An unambiguous formula or set of rules for solving a problem in a finite number of steps. Algorithms for encryption are usually called <em>Ciphers</em>. -<p> -<dt><div id="term">Certificate</div> +</dd> +</dl> + +<dl> +<dt>Certificate</dt> <dd>A data record used for authenticating network entities such as a server or a client. A certificate contains X.509 information pieces about its owner (called the subject) and the signing <em>Certificate Authority</em> (called the issuer), plus the owner's public key and the signature made by the CA. Network entities verify these signatures using CA certificates. -<p> -<dt><div id="term">Certification Authority (CA)</div> +</dd> +</dl> + +<dl> +<dt>Certification Authority (CA)</dt> <dd>A trusted third party whose purpose is to sign certificates for network entities it has authenticated using secure means. Other network entities can check the signature to verify that a CA has authenticated the bearer of a certificate. -<p> -<dt><div id="term">Certificate Signing Request (CSR)</div> +</dd> +</dl> + +<dl> +<dt>Certificate Signing Request (CSR)</dt> <dd>An unsigned certificate for submission to a <em>Certification Authority</em>, which signs it with the <em>Private Key</em> of their CA <em>Certificate</em>. Once the CSR is signed, it becomes a real certificate. -<p> -<dt><div id="term">Cipher</div> +</dd> +</dl> + +<dl> +<dt>Cipher</dt> <dd>An algorithm or system for data encryption. Examples are DES, IDEA, RC4, etc. -<p> -<dt><div id="term">Ciphertext</div> +</dd> +</dl> + +<dl> +<dt>Ciphertext</dt> <dd>The result after a <em>Plaintext</em> passed a <em>Cipher</em>. -<p> -<dt><div id="term">Configuration Directive</div> +</dd> +</dl> + +<dl> +<dt>Configuration Directive</dt> <dd>A configuration command that controls one or more aspects of a program's behavior. In Apache context these are all the command names in the first column of the configuration files. -<p> -<dt><div id="term">CONNECT</div> +</dd> +</dl> + +<dl> +<dt>CONNECT</dt> <dd>A HTTP command for proxying raw data channels over HTTP. It can be used to encapsulate other protocols, such as the SSL protocol. -<p> -<dt><div id="term">Digital Signature</div> +</dd> +</dl> + +<dl> +<dt>Digital Signature</dt> <dd>An encrypted text block that validates a certificate or other file. A <em>Certification Authority</em> creates a signature by generating a hash of the <em>Public Key</em> embedded in a <em>Certificate</em>, then encrypting the hash with its own <em>Private Key</em>. Only the CA's public key can decrypt the signature, verifying that the CA has authenticated the network entity that owns the <em>Certificate</em>. -<p> -<dt><div id="term">Export-Crippled</div> +</dd> +</dl> + +<dl> +<dt>Export-Crippled</dt> <dd>Diminished in cryptographic strength (and security) in order to comply with the United States' Export Administration Regulations (EAR). Export-crippled cryptographic software is limited to a small key size, resulting in <em>Ciphertext</em> which usually can be decrypted by brute force. -<p> -<dt><div id="term">Fully-Qualified Domain-Name (FQDN)</div> +</dd> +</dl> + +<dl> +<dt>Fully-Qualified Domain-Name (FQDN)</dt> <dd>The unique name of a network entity, consisting of a hostname and a domain name that can resolve to an IP address. For example, <code>www</code> is a hostname, <code>whatever.com</code> is a domain name, and <code>www.whatever.com</code> is a fully-qualified domain name. -<p> -<dt><div id="term">HyperText Transfer Protocol (HTTP)</div> +</dd> +</dl> + +<dl> +<dt>HyperText Transfer Protocol (HTTP)</dt> <dd>The HyperText Transport Protocol is the standard transmission protocol used on the World Wide Web. -<p> -<dt><div id="term">HTTPS</div> +</dd> +</dl> + +<dl> +<dt>HTTPS</dt> <dd>The HyperText Transport Protocol (Secure), the standard encrypted communication mechanism on the World Wide Web. This is actually just HTTP over SSL. -<p> -<dt><div id="term">Message Digest</div> +</dd> +</dl> + +<dl> +<dt>Message Digest</dt> <dd>A hash of a message, which can be used to verify that the contents of the message have not been altered in transit. -<p> -<dt><div id="term">OpenSSL</div> +</dd> +</dl> + +<dl> +<dt>OpenSSL</dt> <dd>The Open Source toolkit for SSL/TLS; see <a href="http://www.openssl.org/">http://www.openssl.org/</a> -<p> -<dt><div id="term">Pass Phrase</div> +</dd> +</dl> + +<dl> +<dt>Pass Phrase</dt> <dd>The word or phrase that protects private key files. It prevents unauthorized users from encrypting them. Usually it's just the secret encryption/decryption key used for <em>Ciphers</em>. -<p> -<dt><div id="term">Plaintext</div> +</dd> +</dl> + +<dl> +<dt>Plaintext</dt> <dd>The unencrypted text. -<p> -<dt><div id="term">Private Key</div> +</dd> +</dl> + +<dl> +<dt>Private Key</dt> <dd>The secret key in a <em>Public Key Cryptography</em> system, used to decrypt incoming messages and sign outgoing ones. -<p> -<dt><div id="term">Public Key</div> +</dd> +</dl> + +<dl> +<dt>Public Key</dt> <dd>The publically available key in a <em>Public Key Cryptography</em> system, used to encrypt messages bound for its owner and to decrypt signatures made by its owner. -<p> -<dt><div id="term">Public Key Cryptography</div> +</dd> +</dl> + +<dl> +<dt>Public Key Cryptography</dt> <dd>The study and application of asymmetric encryption systems, which use one key for encryption and another for decryption. A corresponding pair of such keys constitutes a key pair. Also called Asymmetric Crypography. -<p> -<dt><div id="term">Secure Sockets Layer (SSL)</div> +</dd> +</dl> + +<dl> +<dt>Secure Sockets Layer (SSL)</dt> <dd>A protocol created by Netscape Communications Corporation for general communication authentication and encryption over TCP/IP networks. The most popular usage is <em>HTTPS</em>, i.e. the HyperText Transfer Protocol (HTTP) over SSL. -<p> -<dt><div id="term">Session</div> +</dd> +</dl> + +<dl> +<dt>Session</dt> <dd>The context information of an SSL communication. -<p> -<dt><div id="term">SSLeay</div> +</dd> +</dl> + +<dl> +<dt>SSLeay</dt> <dd>The original SSL/TLS implementation library developed by Eric A. Young <eay@aus.rsa.com>; see <a href="http://www.ssleay.org/">http://www.ssleay.org/</a> -<p> -<dt><div id="term">Symmetric Cryptography</div> +</dd> +</dl> + +<dl> +<dt>Symmetric Cryptography</dt> <dd>The study and application of <em>Ciphers</em> that use a single secret key for both encryption and decryption operations. -<p> -<dt><div id="term">Transport Layer Security (TLS)</div> +</dd> +</dl> + +<dl> +<dt>Transport Layer Security (TLS)</dt> <dd>The successor protocol to SSL, created by the Internet Engineering Task Force (IETF) for general communication authentication and encryption over TCP/IP networks. TLS version 1 and is nearly identical with SSL version 3. -<p> -<dt><div id="term">Uniform Resource Locator (URL)</div> +</dd> +</dl> + +<dl> +<dt>Uniform Resource Locator (URL)</dt> <dd>The formal identifier to locate various resources on the World Wide Web. The most popular URL scheme is <code>http</code>. SSL uses the scheme <code>https</code> -<p> -<dt><div id="term">X.509</div> +</dd> +</dl> + +<dl> +<dt>X.509</dt> <dd>An authentication certificate scheme recommended by the International Telecommunication Union (ITU-T) which is used for SSL/TLS authentication. +</dd> </dl> -<p><!--#include virtual="footer.html" --> </p> + <!--#include virtual="footer.html" --> </body> </html>
\ No newline at end of file diff --git a/docs/manual/ssl/ssl_howto.html b/docs/manual/ssl/ssl_howto.html index ba42683f70..d5eab18c67 100644 --- a/docs/manual/ssl/ssl_howto.html +++ b/docs/manual/ssl/ssl_howto.html @@ -16,7 +16,7 @@ <body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> -<h1 align="CENTER">SSL/TLS Strong Encryption: How-To</h1> +<h1 align="center">SSL/TLS Strong Encryption: How-To</h1> <div align="right"> @@ -39,14 +39,13 @@ Standard textbook cookie </table> </div> -<p> -How to solve particular security constraints for an SSL-aware webserver +<p>How to solve particular security constraints for an SSL-aware webserver is not always obvious because of the coherences between SSL, HTTP and Apache's way of processing requests. This chapter gives instructions on how to solve such typical situations. Treat is as a first step to find out the final solution, but always try to understand the stuff before you use it. Nothing is worse than using a security solution without knowing its restrictions and -coherences. +coherences.</p> <ul> <li><a href="#ToC1">Cipher Suites and Enforced Strong Security</a></li> @@ -63,593 +62,577 @@ coherences. <h2><a name="ToC1">Cipher Suites and Enforced Strong Security</a></h2> <ul> -<p> <li><a name="ToC2"></a> <a name="cipher-sslv2"></a> - <strong id="howto"> + <strong> How can I create a real SSLv2-only server? </strong> [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-sslv2"><b>L</b></a>] - <p> -The following creates an SSL server which speaks only the SSLv2 protocol and -its ciphers. -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -SSLProtocol -all +SSLv2 -SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -<p> + <p>The following creates an SSL server which speaks only the SSLv2 protocol and + its ciphers.</p> + <table border="0" cellpadding="0" cellspacing="0" summary=""> + <tr> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td> + <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td colspan="3" bgcolor="#ffffff"> + <table border="0" cellspacing="4" summary=""> + <tr> + <td> + <pre> + + SSLProtocol -all +SSLv2 + SSLCipherSuite SSLv2:+HIGH:+MEDIUM:+LOW:+EXP + + </pre> + </td> + </tr> + </table> + </td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + </table> +</li> <li><a name="ToC3"></a> <a name="cipher-strong"></a> - <strong id="howto"> + <strong> How can I create an SSL server which accepts strong encryption only? </strong> [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-strong"><b>L</b></a>] - <p> -The following enables only the seven strongest ciphers: -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -SSLProtocol all -SSLCipherSuite HIGH:MEDIUM - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -<p> + <p>The following enables only the seven strongest ciphers:</p> + <table border="0" cellpadding="0" cellspacing="0" summary=""> + <tr> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td> + <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td colspan="3" bgcolor="#ffffff"> + <table border="0" cellspacing="4" summary=""> + <tr> + <td> + <pre> + + SSLProtocol all + SSLCipherSuite HIGH:MEDIUM + + </pre> + </td> + </tr> + </table> + </td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + </table> +</li> <li><a name="ToC4"></a> <a name="cipher-sgc"></a> - <strong id="howto"> + <strong> How can I create an SSL server which accepts strong encryption only, but allows export browsers to upgrade to stronger encryption? </strong> [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-sgc"><b>L</b></a>] - <p> -This facility is called Server Gated Cryptography (SGC) and details you can -find in the <code>README.GlobalID</code> document in the mod_ssl distribution. -In short: The server has a Global ID server certificate, signed by a special -CA certificate from Verisign which enables strong encryption in export -browsers. This works as following: The browser connects with an export cipher, -the server sends its Global ID certificate, the browser verifies it and -subsequently upgrades the cipher suite before any HTTP communication takes -place. The question now is: How can we allow this upgrade, but enforce strong -encryption. Or in other words: Browser either have to initially connect with -strong encryption or have to upgrade to strong encryption, but are not allowed -to keep the export ciphers. The following does the trick: -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -# allow all ciphers for the inital handshake, -# so export browsers can upgrade via SGC facility -SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL -<Directory /usr/local/apache/htdocs> -# but finally deny all browsers which haven't upgraded -SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 -</Directory> - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -<p> + <p>This facility is called Server Gated Cryptography (SGC) and details you can + find in the <code>README.GlobalID</code> document in the mod_ssl distribution. + In short: The server has a Global ID server certificate, signed by a special + CA certificate from Verisign which enables strong encryption in export + browsers. This works as following: The browser connects with an export cipher, + the server sends its Global ID certificate, the browser verifies it and + subsequently upgrades the cipher suite before any HTTP communication takes + place. The question now is: How can we allow this upgrade, but enforce strong + encryption. Or in other words: Browser either have to initially connect with + strong encryption or have to upgrade to strong encryption, but are not allowed + to keep the export ciphers. The following does the trick:</p> + <table border="0" cellpadding="0" cellspacing="0" summary=""> + <tr> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td> + <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td colspan="3" bgcolor="#ffffff"> + <table border="0" cellspacing="4" summary=""> + <tr> + <td> + <pre> + + # allow all ciphers for the inital handshake, + # so export browsers can upgrade via SGC facility + SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL + <Directory /usr/local/apache/htdocs> + # but finally deny all browsers which haven't upgraded + SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 + </Directory> + + </pre> + </td> + </tr> + </table> + </td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + </table> +</li> <li><a name="ToC5"></a> <a name="cipher-perdir"></a> - <strong id="howto"> + <strong> How can I create an SSL server which accepts all types of ciphers in general, but requires a strong ciphers for access to a particular URL? </strong> [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#cipher-perdir"><b>L</b></a>] - <p> -Obviously you cannot just use a server-wide <code>SSLCipherSuite</code> which -restricts the ciphers to the strong variants. But mod_ssl allows you to -reconfigure the cipher suite in per-directory context and automatically forces -a renegotiation of the SSL parameters to meet the new configuration. So, the -solution is: -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -# be liberal in general -SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL -<Location /strong/area> -# but https://hostname/strong/area/ and below requires strong ciphers -SSLCipherSuite HIGH:MEDIUM -</Location> - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> + <p>Obviously you cannot just use a server-wide <code>SSLCipherSuite</code> which + restricts the ciphers to the strong variants. But mod_ssl allows you to + reconfigure the cipher suite in per-directory context and automatically forces + a renegotiation of the SSL parameters to meet the new configuration. So, the + solution is:</p> + <table border="0" cellpadding="0" cellspacing="0" summary=""> + <tr> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td> + <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td colspan="3" bgcolor="#ffffff"> + <table border="0" cellspacing="4" summary=""> + <tr> + <td> + <pre> + + # be liberal in general + SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL + <Location /strong/area> + # but https://hostname/strong/area/ and below requires strong ciphers + SSLCipherSuite HIGH:MEDIUM + </Location> + + </pre> + </td> + </tr> + </table> + </td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + </table> +</li> </ul> <h2><a name="ToC6">Client Authentication and Access Control</a></h2> <ul> -<p> <li><a name="ToC7"></a> <a name="auth-simple"></a> - <strong id="howto"> + <strong> How can I authenticate clients based on certificates when I know all my clients? </strong> [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-simple"><b>L</b></a>] - <p> -When you know your user community (i.e. a closed user group situation), as -it's the case for instance in an Intranet, you can use plain certificate -authentication. All you have to do is to create client certificates signed by -your own CA certificate <code>ca.crt</code> and then verifiy the clients -against this certificate. -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -# require a client certificate which has to be directly -# signed by our CA certificate in ca.crt -SSLVerifyClient require -SSLVerifyDepth 1 -SSLCACertificateFile conf/ssl.crt/ca.crt - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -<p> + <p>When you know your user community (i.e. a closed user group situation), as + it's the case for instance in an Intranet, you can use plain certificate + authentication. All you have to do is to create client certificates signed by + your own CA certificate <code>ca.crt</code> and then verifiy the clients + against this certificate.</p> + <table border="0" cellpadding="0" cellspacing="0" summary=""> + <tr> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td> + <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td colspan="3" bgcolor="#ffffff"> + <table border="0" cellspacing="4" summary=""> + <tr> + <td> + <pre> + + # require a client certificate which has to be directly + # signed by our CA certificate in ca.crt + SSLVerifyClient require + SSLVerifyDepth 1 + SSLCACertificateFile conf/ssl.crt/ca.crt + + </pre> + </td> + </tr> + </table> + </td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + </table> +</li> <li><a name="ToC8"></a> <a name="auth-selective"></a> - <strong id="howto"> + <strong> How can I authenticate my clients for a particular URL based on certificates but still allow arbitrary clients to access the remaining parts of the server? </strong> [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-selective"><b>L</b></a>] - <p> -For this we again use the per-directory reconfiguration feature of mod_ssl: -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -SSLVerifyClient none -SSLCACertificateFile conf/ssl.crt/ca.crt -<Location /secure/area> -SSLVerifyClient require -SSLVerifyDepth 1 -</Location> - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -<p> + <p>For this we again use the per-directory reconfiguration feature of mod_ssl:</p> + <table border="0" cellpadding="0" cellspacing="0" summary=""> + <tr> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td> + <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td colspan="3" bgcolor="#ffffff"> + <table border="0" cellspacing="4" summary=""> + <tr> + <td> + <pre> + + SSLVerifyClient none + SSLCACertificateFile conf/ssl.crt/ca.crt + <Location /secure/area> + SSLVerifyClient require + SSLVerifyDepth 1 + </Location> + + </pre> + </td> + </tr> + </table> + </td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + </table> +</li> <li><a name="ToC9"></a> <a name="auth-particular"></a> - <strong id="howto"> + <strong> How can I authenticate only particular clients for a some URLs based on certificates but still allow arbitrary clients to access the remaining parts of the server? </strong> [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-particular"><b>L</b></a>] - <p> -The key is to check for various ingredients of the client certficate. Usually -this means to check the whole or part of the Distinguished Name (DN) of the -Subject. For this two methods exists: The <code>mod_auth</code> based variant -and the <code>SSLRequire</code> variant. The first method is good when the -clients are of totally different type, i.e. when their DNs have no common -fields (usually the organisation, etc.). In this case you've to establish a -password database containing <em>all</em> clients. The second method is better -when your clients are all part of a common hierarchy which is encoded into the -DN. Then you can match them more easily. -<p> -The first method: -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -SSLVerifyClient none -<Directory /usr/local/apache/htdocs/secure/area> -SSLVerifyClient require -SSLVerifyDepth 5 -SSLCACertificateFile conf/ssl.crt/ca.crt -SSLCACertificatePath conf/ssl.crt -SSLOptions +FakeBasicAuth -SSLRequireSSL -AuthName "Snake Oil Authentication" -AuthType Basic -AuthUserFile /usr/local/apache/conf/httpd.passwd -require valid-user -</Directory> - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.passwd</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -/C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA -/C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA -/C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -<p> -The second method: -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -SSLVerifyClient none -<Directory /usr/local/apache/htdocs/secure/area> -SSLVerifyClient require -SSLVerifyDepth 5 -SSLCACertificateFile conf/ssl.crt/ca.crt -SSLCACertificatePath conf/ssl.crt -SSLOptions +FakeBasicAuth -SSLRequireSSL -SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and \ - %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} -</Directory> - -</pre> -</td> - </tr> - </table> - </td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> -<p> + <p>The key is to check for various ingredients of the client certficate. Usually + this means to check the whole or part of the Distinguished Name (DN) of the + Subject. For this two methods exists: The <code>mod_auth</code> based variant + and the <code>SSLRequire</code> variant. The first method is good when the + clients are of totally different type, i.e. when their DNs have no common + fields (usually the organisation, etc.). In this case you've to establish a + password database containing <em>all</em> clients. The second method is better + when your clients are all part of a common hierarchy which is encoded into the + DN. Then you can match them more easily.</p> + + <p>The first method:</p> + <table border="0" cellpadding="0" cellspacing="0" summary=""> + <tr> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td> + <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td colspan="3" bgcolor="#ffffff"> + <table border="0" cellspacing="4" summary=""> + <tr> + <td> + <pre> + + SSLVerifyClient none + <Directory /usr/local/apache/htdocs/secure/area> + SSLVerifyClient require + SSLVerifyDepth 5 + SSLCACertificateFile conf/ssl.crt/ca.crt + SSLCACertificatePath conf/ssl.crt + SSLOptions +FakeBasicAuth + SSLRequireSSL + AuthName "Snake Oil Authentication" + AuthType Basic + AuthUserFile /usr/local/apache/conf/httpd.passwd + require valid-user + </Directory> + + </pre> + </td> + </tr> + </table> + </td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + </table> +<br /> + <table border="0" cellpadding="0" cellspacing="0" summary=""> + <tr> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td> + <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.passwd</font> </td> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td colspan="3" bgcolor="#ffffff"> + <table border="0" cellspacing="4" summary=""> + <tr> + <td> + <pre> + + /C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA + /C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA + /C=US/L=L.A./O=Snake Oil, Ltd./OU=Dev/CN=Quux:xxj31ZMTZzkVA + + </pre> + </td> + </tr> + </table> + </td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + </table> + + <p>The second method:</p> + <table border="0" cellpadding="0" cellspacing="0" summary=""> + <tr> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td> + <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td colspan="3" bgcolor="#ffffff"> + <table border="0" cellspacing="4" summary=""> + <tr> + <td> + <pre> + + SSLVerifyClient none + <Directory /usr/local/apache/htdocs/secure/area> + SSLVerifyClient require + SSLVerifyDepth 5 + SSLCACertificateFile conf/ssl.crt/ca.crt + SSLCACertificatePath conf/ssl.crt + SSLOptions +FakeBasicAuth + SSLRequireSSL + SSLRequire %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." and \ + %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} + </Directory> + + </pre> + </td> + </tr> + </table> + </td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + </table> +</li> <li><a name="ToC10"></a> <a name="auth-intranet"></a> - <strong id="howto"> How can + <strong> How can I require HTTPS with strong ciphers and either basic authentication or client certificates for access to a subarea on the Intranet website for clients coming from the Internet but still allow plain HTTP access for clients on the Intranet? </strong> [<a href="http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#auth-intranet"><b>L</b></a>] - <p> -Let us assume the Intranet can be distinguished through the IP network -192.160.1.0/24 and the subarea on the Intranet website has the URL -<tt>/subarea</tt>. Then configure the following outside your HTTPS virtual -host (so it applies to both HTTPS and HTTP): -<p> -<table border="0" cellpadding="0" cellspacing="0" summary=""> - <tr> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0"></td> - <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> - <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0"></td> - <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0"></td> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0"></td> - </tr> - <tr> - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - <td colspan="3" bgcolor="#ffffff"> - <table border="0" cellspacing="4" summary=""> - <tr> - <td> -<pre> - -SSLCACertificateFile conf/ssl.crt/company-ca.crt - -<Directory /usr/local/apache/htdocs> -# Outside the subarea only Intranet access is granted -Order deny,allow -Deny from all -Allow from 192.168.1.0/24 -</Directory> - -<Directory /usr/local/apache/htdocs/subarea> -# Inside the subarea any Intranet access is allowed -# but from the Internet only HTTPS + Strong-Cipher + Password -# or the alternative HTTPS + Strong-Cipher + Client-Certificate - -# If HTTPS is used, make sure a strong cipher is used. -# Additionally allow client certs as alternative to basic auth. -SSLVerifyClient optional -SSLVerifyDepth 1 -SSLOptions +FakeBasicAuth +StrictRequire -SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 - -# Force clients from the Internet to use HTTPS -RewriteEngine on -RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$ -RewriteCond %{HTTPS} !=on -RewriteRule .* - [F] - -# Allow Network Access and/or Basic Auth -Satisfy any - -# Network Access Control -Order deny,allow -Deny from all -Allow 192.168.1.0/24 - -# HTTP Basic Authentication -AuthType basic -AuthName "Protected Intranet Area" -AuthUserFile conf/protected.passwd -Require valid-user -</Directory> - -</pre> -</td> - </tr> - </table> - </td> - - <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> - <tr> - <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0"></td> - </tr> -</table> + <p>Let us assume the Intranet can be distinguished through the IP network + 192.160.1.0/24 and the subarea on the Intranet website has the URL + <tt>/subarea</tt>. Then configure the following outside your HTTPS virtual + host (so it applies to both HTTPS and HTTP):</p> + + <table border="0" cellpadding="0" cellspacing="0" summary=""> + <tr> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="8" align="bottom" border="0" /></td> + <td rowspan="3"> <font face="Arial,Helvetica" color="#999999">httpd.conf</font> </td> + <td colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc" colspan="2"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="40" height="1" align="bottom" border="0" /></td> + <td bgcolor="#ffffff"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="300" height="1" align="bottom" border="0" /></td> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="5" align="bottom" border="0" /></td> + </tr> + <tr> + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + <td colspan="3" bgcolor="#ffffff"> + <table border="0" cellspacing="4" summary=""> + <tr> + <td> + <pre> + + SSLCACertificateFile conf/ssl.crt/company-ca.crt + + <Directory /usr/local/apache/htdocs> + # Outside the subarea only Intranet access is granted + Order deny,allow + Deny from all + Allow from 192.168.1.0/24 + </Directory> + + <Directory /usr/local/apache/htdocs/subarea> + # Inside the subarea any Intranet access is allowed + # but from the Internet only HTTPS + Strong-Cipher + Password + # or the alternative HTTPS + Strong-Cipher + Client-Certificate + + # If HTTPS is used, make sure a strong cipher is used. + # Additionally allow client certs as alternative to basic auth. + SSLVerifyClient optional + SSLVerifyDepth 1 + SSLOptions +FakeBasicAuth +StrictRequire + SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 + + # Force clients from the Internet to use HTTPS + RewriteEngine on + RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.[0-9]+$ + RewriteCond %{HTTPS} !=on + RewriteRule .* - [F] + + # Allow Network Access and/or Basic Auth + Satisfy any + + # Network Access Control + Order deny,allow + Deny from all + Allow 192.168.1.0/24 + + # HTTP Basic Authentication + AuthType basic + AuthName "Protected Intranet Area" + AuthUserFile conf/protected.passwd + Require valid-user + </Directory> + + </pre> + </td> + </tr> + </table> + </td> + + <td bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + <tr> + <td colspan="5" bgcolor="#cccccc"><img src="ssl_template.imgdot-1x1-transp.gif" alt="" width="1" height="1" align="bottom" border="0" /></td> + </tr> + </table> +</li> </ul> -<p><!--#include virtual="footer.html" --> </p> + <!--#include virtual="footer.html" --> </body> </html> diff --git a/docs/manual/ssl/ssl_intro.html b/docs/manual/ssl/ssl_intro.html index 248e62ce24..251c710059 100644 --- a/docs/manual/ssl/ssl_intro.html +++ b/docs/manual/ssl/ssl_intro.html @@ -16,7 +16,7 @@ <body bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> -<h1 align="CENTER">SSL/TLS Strong Encryption: An Introduction</h1> +<h1 align="center">SSL/TLS Strong Encryption: An Introduction</h1> <div align="right"> <table cellspacing="0" cellpadding="0" width="400" summary=""> @@ -38,17 +38,16 @@ A. Tanenbaum, ``Introduction to Computer Networks'' </tr> </table> </div> -<p> -As an introduction this chapter is aimed at readers who are familiar +<p>As an introduction this chapter is aimed at readers who are familiar with the Web, HTTP, and Apache, but are not security experts. It is not intended to be a definitive guide to the SSL protocol, nor does it discuss specific techniques for managing certificates in an organization, or the important legal issues of patents and import and export restrictions. Rather, it is intended to provide a common background to mod_ssl users by pulling together various concepts, definitions, and examples as a starting point for -further exploration. -<p> -The presented content is mainly derived, with permission by the author, from +further exploration.</p> + +<p>The presented content is mainly derived, with permission by the author, from the article <a href="http://www.ultranet.com/~fhirsch/Papers/wwwj/index.html"><em>Introducing SSL and Certificates using SSLeay</em></a> from <a @@ -60,12 +59,7 @@ Please send any postive feedback to <a href="mailto:fjh@alum.mit.edu">Frederick Hirsch</a> (the original article author) and all negative feedback to <a href="mailto:rse@engelschall.com">Ralf S. Engelschall</a> (the mod_ssl -author). -</td> -<td> - -</td> -<td> +author).</p> <ul> <li><a href="#ToC1">Cryptographic Techniques</a></li> @@ -90,13 +84,13 @@ author). </ul> <h2><a name="ToC1">Cryptographic Techniques</a></h2> -Understanding SSL requires an understanding of cryptographic algorithms, +<p>Understanding SSL requires an understanding of cryptographic algorithms, message digest functions (aka. one-way or hash functions), and digital signatures. These techniques are the subject of entire books (see for instance [<a href="#AC96">AC96</a>]) and provide the basis for privacy, integrity, and -authentication. +authentication.</p> <h3><a name="ToC2">Cryptographic Algorithms</a></h3> -Suppose Alice wants to send a message to her bank to transfer some money. +<p>Suppose Alice wants to send a message to her bank to transfer some money. Alice would like the message to be private, since it will include information such as her account number and transfer amount. One solution is to use a cryptographic algorithm, a technique that would transform her message into an @@ -104,10 +98,9 @@ encrypted form, unreadable except by those it is intended for. Once in this form, the message may only be interpreted through the use of a secret key. Without the key the message is useless: good cryptographic algorithms make it so difficult for intruders to decode the original text that it isn't worth -their effort. -<p> -There are two categories of cryptographic algorithms: -conventional and public key. +their effort.</p> +<p>There are two categories of cryptographic algorithms: +conventional and public key.</p> <ul> <li><em>Conventional cryptography</em>, also known as symmetric cryptography, requires the sender and receiver to share a key: a secret @@ -115,151 +108,191 @@ piece of information that may be used to encrypt or decrypt a message. If this key is secret, then nobody other than the sender or receiver may read the message. If Alice and the bank know a secret key, then they may send each other private messages. The task of privately choosing a key -before communicating, however, can be problematic. -<p> +before communicating, however, can be problematic.<br /> +<br /> +</li> <li><em>Public key cryptography</em>, also known as asymmetric cryptography, solves the key exchange problem by defining an algorithm which uses two keys, each of which may be used to encrypt a message. If one key is used to encrypt a message then the other must be used to decrypt it. This makes it possible to receive secure messages by simply publishing one key (the public key) and keeping the other secret (the private key). -<p> -Anyone may encrypt a message using the public key, but only the owner of the +</li> +</ul> +<p>Anyone may encrypt a message using the public key, but only the owner of the private key will be able to read it. In this way, Alice may send private messages to the owner of a key-pair (the bank), by encrypting it using their -public key. Only the bank will be able to decrypt it. -</ul> +public key. Only the bank will be able to decrypt it.</p> + <h3><a name="ToC3">Message Digests</a></h3> -Although Alice may encrypt her message to make it private, there is still a +<p>Although Alice may encrypt her message to make it private, there is still a concern that someone might modify her original message or substitute it with a different one, in order to transfer the money to themselves, for instance. One way of guaranteeing the integrity of Alice's message is to create a concise summary of her message and send this to the bank as well. Upon receipt of the message, the bank creates its own summary and compares it -with the one Alice sent. If they agree then the message was received intact. -<p> -A summary such as this is called a <em>message digest</em>, <em>one-way +with the one Alice sent. If they agree then the message was received intact.</p> +<p>A summary such as this is called a <em>message digest</em>, <em>one-way function</em> or <em>hash function</em>. Message digests are used to create short, fixed-length representations of longer, variable-length messages. Digest algorithms are designed to produce unique digests for different messages. Message digests are designed to make it too difficult to determine the message from the digest, and also impossible to find two different messages which create the same digest -- thus eliminating the possibility of -substituting one message for another while maintaining the same digest. -<p> -Another challenge that Alice faces is finding a way to send the digest to the +substituting one message for another while maintaining the same digest.</p> +<p>Another challenge that Alice faces is finding a way to send the digest to the bank securely; when this is achieved, the integrity of the associated message is assured. One way to to this is to include the digest in a digital -signature. +signature.</p> <h3><a name="ToC4">Digital Signatures</a></h3> -When Alice sends a message to the bank, the bank needs to ensure that the +<p>When Alice sends a message to the bank, the bank needs to ensure that the message is really from her, so an intruder does not request a transaction involving her account. A <em>digital signature</em>, created by Alice and -included with the message, serves this purpose. -<p> -Digital signatures are created by encrypting a digest of the message, +included with the message, serves this purpose.</p> +<p>Digital signatures are created by encrypting a digest of the message, and other information (such as a sequence number) with the sender's private key. Though anyone may <em>decrypt</em> the signature using the public key, only the signer knows the private key. This means that only they may have signed it. Including the digest in the signature means the signature is only good for that message; it also ensures the integrity of the message since -no one can change the digest and still sign it. -<p> -To guard against interception and reuse of the signature by an intruder at a +no one can change the digest and still sign it.</p> +<p>To guard against interception and reuse of the signature by an intruder at a later date, the signature contains a unique sequence number. This protects the bank from a fraudulent claim from Alice that she did not send the message --- only she could have signed it (non-repudiation). +-- only she could have signed it (non-repudiation).</p> <h2><a name="ToC5">Certificates</a></h2> -Although Alice could have sent a private message to the bank, signed it, and +<p>Although Alice could have sent a private message to the bank, signed it, and ensured the integrity of the message, she still needs to be sure that she is really communicating with the bank. This means that she needs to be sure that the public key she is using corresponds to the bank's private key. Similarly, the bank also needs to verify that the message signature really corresponds to -Alice's signature. -<p> -If each party has a certificate which validates the other's identity, confirms +Alice's signature.</p> +<p>If each party has a certificate which validates the other's identity, confirms the public key, and is signed by a trusted agency, then they both will be assured that they are communicating with whom they think they are. Such a trusted agency is called a <em>Certificate Authority</em>, and certificates are -used for authentication. +used for authentication.</p> <h3><a name="ToC6">Certificate Contents</a></h3> -A certificate associates a public key with the real identity of an individual, +<p>A certificate associates a public key with the real identity of an individual, server, or other entity, known as the subject. As shown in <a href="#table1">Table 1</a>, information about the subject includes identifying information (the distinguished name), and the public key. It also includes the identification and signature of the Certificate Authority that issued the certificate, and the period of time during which the certificate is valid. It may have additional information (or extensions) as well as administrative -information for the Certificate Authority's use, such as a serial number. -<p> +information for the Certificate Authority's use, such as a serial number.</p> <div align="center"> <a name="table1"></a> <table width="600" cellspacing="0" cellpadding="1" border="0" summary=""> -<caption align="bottom" id="sf">Table 1: Certificate Information</caption> -<tr><td bgcolor="#cccccc"> -<table width="598" cellpadding="5" cellspacing="0" border="0" summary=""> -<tr><td valign="top" align="center" bgcolor="#ffffff"> -<table summary=""> -<tr valign="top"><td><b>Subject:</b></td> -<td>Distinguished Name, Public Key</td></tr> -<tr valign="top"><td><b>Issuer:</b></td> -<td>Distinguished Name, Signature</td></tr> -<tr><td><b>Period of Validity:</b></td> -<td>Not Before Date, Not After Date</td></tr> -<tr><td><b>Administrative Information:</b></td> -<td>Version, Serial Number</td></TR> -<tr><td><b>Extended Information:</b></td> -<td>Basic Contraints, Netscape Flags, etc.</td></TR> + <caption align="bottom">Table 1: Certificate Information</caption> + <tr> + <td bgcolor="#cccccc"> + <table width="598" cellpadding="5" cellspacing="0" border="0" summary=""> + <tr> + <td valign="top" align="center" bgcolor="#ffffff"> + <table summary=""> + <tr valign="top"> + <td><b>Subject:</b></td> + <td>Distinguished Name, Public Key</td> + </tr> + <tr valign="top"> + <td><b>Issuer:</b></td> + <td>Distinguished Name, Signature</td> + </tr> + <tr> + <td><b>Period of Validity:</b></td> + <td>Not Before Date, Not After Date</td> + </tr> + <tr> + <td><b>Administrative Information:</b></td> + <td>Version, Serial Number</td> + </tr> + <tr> + <td><b>Extended Information:</b></td> + <td>Basic Contraints, Netscape Flags, etc.</td> + </tr> + </table> + </td> + </tr> + </table> + </td> + </tr> </table> -</td> -</tr></table> -</td></tr></table> </div> -<p> -A distinguished name is used to provide an identity in a specific context -- +<p>A distinguished name is used to provide an identity in a specific context -- for instance, an individual might have a personal certificate as well as one for their identity as an employee. Distinguished names are defined by the -X.509 standard [<a href="#X509">X509</A>], which defines the fields, field +X.509 standard [<a href="#X509">X509</a>], which defines the fields, field names, and abbreviations used to refer to the fields -(see <a href="#table2">Table 2</a>). -<p> +(see <a href="#table2">Table 2</a>).</p> + <div align="center"> <a name="table2"></a> <table width="600" cellspacing="0" cellpadding="1" border="0" summary=""> -<caption align="bottom" id="sf">Table 2: Distinguished Name Information</caption> -<tr><td bgcolor="#cccccc"> -<table width="598" cellpadding="5" cellspacing="0" border="0" summary=""> -<tr><td valign="top" align="center" bgcolor="#ffffff"> -<table summary=""> -<tr valign="top"><td><b>DN Field:</b></td><td><b>Abbrev.:</b></td><td><b>Description:</b></td> -<td><b>Example:</b></td> -</t> -<tr valign="top"><td>Common Name</td><td>CN</td> -<td>Name being certified</td><td>CN=Joe Average</td></tr> -<tr valign="top"><td>Organization or Company</td><td>O</td> -<td>Name is associated with this<br>organization</td><td>O=Snake Oil, Ltd.</td></tr> -<tr valign="top"><td>Organizational Unit</td><td>OU</td> -<td>Name is associated with this <br>organization unit, such as a department</td><td>OU=Research Institute</td></tr> -<tr valign="top"><td>City/Locality</td><td>L</td> -<td>Name is located in this City</td><td>L=Snake City</td></tr> -<tr valign="top"><td>State/Province</td><td>ST</td> -<td>Name is located in this State/Province</td><td>ST=Desert</td></tr> -<tr valign="top"><td>Country</td><td>C</td> -<td>Name is located in this Country (ISO code)</td><td>C=XZ</td></tr> + <caption align="bottom">Table 2: Distinguished Name Information</caption> + <tr> + <td bgcolor="#cccccc"> + <table width="598" cellpadding="5" cellspacing="0" border="0" summary=""> + <tr> + <td valign="top" align="center" bgcolor="#ffffff"> + <table summary=""> + <tr valign="top"> + <td><b>DN Field:</b></td> + <td><b>Abbrev.:</b></td> + <td><b>Description:</b></td> + <td><b>Example:</b></td> + </tr> + <tr valign="top"> + <td>Common Name</td> + <td>CN</td> + <td>Name being certified</td> + <td>CN=Joe Average</td> + </tr> + <tr valign="top"> + <td>Organization or Company</td> + <td>O</td> + <td>Name is associated with this<br />organization</td> + <td>O=Snake Oil, Ltd.</td> + </tr> + <tr valign="top"> + <td>Organizational Unit</td> + <td>OU</td> + <td>Name is associated with this <br />organization unit, such as a department</td> + <td>OU=Research Institute</td> + </tr> + <tr valign="top"> + <td>City/Locality</td> + <td>L</td> + <td>Name is located in this City</td> + <td>L=Snake City</td> + </tr> + <tr valign="top"> + <td>State/Province</td> + <td>ST</td> + <td>Name is located in this State/Province</td> + <td>ST=Desert</td> + </tr> + <tr valign="top"> + <td>Country</td> + <td>C</td> + <td>Name is located in this Country (ISO code)</td> + <td>C=XZ</td> + </tr> + </table> + </td> + </tr> + </table> + </td> + </tr> </table> -</td> -</tr></table> -</td></tr></table> </div> -<p> -A Certificate Authority may define a policy specifying which distinguished +<p>A Certificate Authority may define a policy specifying which distinguished field names are optional, and which are required. It may also place requirements upon the field contents, as may users of certificates. As an example, a Netscape browser requires that the Common Name for a certificate representing a server has a name which matches a wildcard pattern for the -domain name of that server, such as <code>*.snakeoil.com</code>. -<p> -The binary format of a certificate is defined using the ASN.1 notation [ <a +domain name of that server, such as <code>*.snakeoil.com</code>.</p> +<p>The binary format of a certificate is defined using the ASN.1 notation [ <a href="#X208">X208</a>] [<a href="#PKCS">PKCS</a>]. This notation defines how to specify the contents, and encoding rules define how this information is translated into binary form. The binary encoding of the certificate is @@ -268,12 +301,12 @@ general Basic Encoding Rules (BER). For those transmissions which cannot handle binary, the binary form may be translated into an ASCII form by using Base64 encoding [<a href="#MIME">MIME</a>]. This encoded version is called PEM encoded (the name comes from "Privacy Enhanced Mail"), when placed between -begin and end delimiter lines as illustrated in <a href="#table3">Table 3</a>. -<p> +begin and end delimiter lines as illustrated in <a href="#table3">Table 3</a>.</p> + <div align="center"> <a name="table3"></a> <table width="600" cellspacing="0" cellpadding="1" border="0" summary=""> -<caption align="bottom" id="sf">Table 3: Example of a PEM-encoded certificate (snakeoil.crt)</caption> +<caption align="bottom">Table 3: Example of a PEM-encoded certificate (snakeoil.crt)</caption> <tr><td bgcolor="#cccccc"> <table width="598" cellpadding="5" cellspacing="0" border="0" summary=""> <tr><td valign="top" align="center" bgcolor="#ffffff"> @@ -303,20 +336,20 @@ dUHzICxBVC1lnHyYGjDuAMhe396lYAn8bCld1/L4NMGBCQ== </td></tr></table> </div> <h3><a name="ToC7">Certificate Authorities</a></h3> -By first verifying the information in a certificate request before granting +<p>By first verifying the information in a certificate request before granting the certificate, the Certificate Authority assures the identity of the private key owner of a key-pair. For instance, if Alice requests a personal certificate, the Certificate Authority must first make sure that Alice really -is the person the certificate request claims. +is the person the certificate request claims.</p> <h4><a name="ToC8">Certificate Chains</a></h4> -A Certificate Authority may also issue a certificate for another Certificate +<p>A Certificate Authority may also issue a certificate for another Certificate Authority. When examining a certificate, Alice may need to examine the certificate of the issuer, for each parent Certificate Authority, until reaching one which she has confidence in. She may decide to trust only certificates with a limited chain of issuers, to reduce her risk of a "bad" -certificate in the chain. +certificate in the chain.</p> <h4><a name="ToC9">Creating a Root-Level CA</a></h4> -As noted earlier, each certificate requires an issuer to assert the validity +<p>As noted earlier, each certificate requires an issuer to assert the validity of the identity of the certificate subject, up to the top-level Certificate Authority (CA). This presents a problem: Since this is who vouches for the certificate of the top-level authority, which has no issuer? @@ -325,22 +358,20 @@ certificate is the same as the subject. As a result, one must exercise extra care in trusting a self-signed certificate. The wide publication of a public key by the root authority reduces the risk in trusting this key -- it would be obvious if someone else publicized a key claiming to be the authority. -Browsers are preconfigured to trust well-known certificate authorities. -<p> -A number of companies, such as <a href="http://www.thawte.com/">Thawte</a> and +Browsers are preconfigured to trust well-known certificate authorities.</p> +<p>A number of companies, such as <a href="http://www.thawte.com/">Thawte</a> and <a href="http://www.verisign.com/">VeriSign</a> have established themselves as -Certificate Authorities. These companies provide the following services: +Certificate Authorities. These companies provide the following services:</p> <ul> -<li>Verifying certificate requests -<li>Processing certificate requests -<li>Issuing and managing certificates +<li>Verifying certificate requests</li> +<li>Processing certificate requests</li> +<li>Issuing and managing certificates</li> </ul> -<p> -It is also possible to create your own Certificate Authority. Although risky +<p>It is also possible to create your own Certificate Authority. Although risky in the Internet environment, it may be useful within an Intranet where the -organization can easily verify the identities of individuals and servers. +organization can easily verify the identities of individuals and servers.</p> <h4><a name="ToC10">Certificate Management</a></h4> -Establishing a Certificate Authority is a responsibility which requires a +<p>Establishing a Certificate Authority is a responsibility which requires a solid administrative, technical, and management framework. Certificate Authorities not only issue certificates, they also manage them -- that is, they determine how long certificates are valid, they renew them, and @@ -352,295 +383,309 @@ certificates are objects that get passed around, it is impossible to tell from the certificate alone that it has been revoked. When examining certificates for validity, therefore, it is necessary to contact the issuing Certificate Authority to check CRLs -- this is not usually -an automated part of the process. -<p> -<div align="center"><B>Note:</B></div> -If you use a Certificate Authority that is not configured into browsers by +an automated part of the process.</p> +<div align="center"><b>Note:</b></div> +<p>If you use a Certificate Authority that is not configured into browsers by default, it is necessary to load the Certificate Authority certificate into the browser, enabling the browser to validate server certificates signed by that Certificate Authority. Doing so may be dangerous, since once loaded, the -browser will accept all certificates signed by that Certificate Authority. +browser will accept all certificates signed by that Certificate Authority.</p> <h2><a name="ToC11">Secure Sockets Layer (SSL)</a></h2> -The Secure Sockets Layer protocol is a protocol layer which may be placed +<p>The Secure Sockets Layer protocol is a protocol layer which may be placed between a reliable connection-oriented network layer protocol (e.g. TCP/IP) and the application protocol layer (e.g. HTTP). SSL provides for secure communication between client and server by allowing mutual authentication, the -use of digital signatures for integrity, and encryption for privacy. -<p> -The protocol is designed to support a range of choices for specific algorithms +use of digital signatures for integrity, and encryption for privacy.</p> +<p>The protocol is designed to support a range of choices for specific algorithms used for cryptography, digests, and signatures. This allows algorithm selection for specific servers to be made based on legal, export or other concerns, and also enables the protocol to take advantage of new algorithms. Choices are negotiated between client and server at the start of establishing -a protocol session. -<p> +a protocol session.</p> <div align="center"> <a name="table4"></a> <table width="600" cellspacing="0" cellpadding="1" border="0" summary=""> -<caption align="bottom" id="sf">Table 4: Versions of the SSL protocol</caption> -<tr><td bgcolor="#cccccc"> -<table width="598" cellpadding="5" cellspacing="0" border="0" summary=""> -<tr><td valign="top" align="center" bgcolor="#ffffff"> -<table summary=""> -<tr valign="top"> -<td><b>Version:</b></td> -<td><b>Source:</b></td> -<td><b>Description:</b></td> -<td><b>Browser Support:</b></td> -</tr> -<tr valign="top"> -<td>SSL v2.0</td> -<td>Vendor Standard (from Netscape Corp.) [<a href="#SSL2">SSL2</a>]</td> -<td>First SSL protocol for which implementations exists</td> -<td>- NS Navigator 1.x/2.x<br> - - MS IE 3.x<br> - - Lynx/2.8+OpenSSL -</td> -</tr> -<tr valign="top"> -<td>SSL v3.0</td> -<td>Expired Internet Draft (from Netscape Corp.) [<a href="#SSL3">SSL3</a>]</td> -<td>Revisions to prevent specific security attacks, add non-RSA ciphers, and support for certificate chains</td> -<td>- NS Navigator 2.x/3.x/4.x<br> - - MS IE 3.x/4.x<br> - - Lynx/2.8+OpenSSL -</td> -</tr> -<tr valign="top"> -<td>TLS v1.0</td> -<td>Proposed Internet Standard (from IETF) [<a href="#TLS1">TLS1</a>]</td> -<td>Revision of SSL 3.0 to update the MAC layer to HMAC, add block padding for - block ciphers, message order standardization and more alert messages. -</td> -<td>- Lynx/2.8+OpenSSL</td> + <caption align="bottom">Table 4: Versions of the SSL protocol</caption> + <tr> + <td bgcolor="#cccccc"> + <table width="598" cellpadding="5" cellspacing="0" border="0" summary=""> + <tr> + <td valign="top" align="center" bgcolor="#ffffff"> + <table summary=""> + <tr valign="top"> + <td><b>Version:</b></td> + <td><b>Source:</b></td> + <td><b>Description:</b></td> + <td><b>Browser Support:</b></td> + </tr> + <tr valign="top"> + <td>SSL v2.0</td> + <td>Vendor Standard (from Netscape Corp.) [<a href="#SSL2">SSL2</a>]</td> + <td>First SSL protocol for which implementations exists</td> + <td>- NS Navigator 1.x/2.x<br /> + - MS IE 3.x<br /> + - Lynx/2.8+OpenSSL + </td> + </tr> + <tr valign="top"> + <td>SSL v3.0</td> + <td>Expired Internet Draft (from Netscape Corp.) [<a href="#SSL3">SSL3</a>]</td> + <td>Revisions to prevent specific security attacks, add non-RSA ciphers, and support for certificate chains</td> + <td>- NS Navigator 2.x/3.x/4.x<br /> + - MS IE 3.x/4.x<br /> + - Lynx/2.8+OpenSSL + </td> + </tr> + <tr valign="top"> + <td>TLS v1.0</td> + <td>Proposed Internet Standard (from IETF) [<a href="#TLS1">TLS1</a>]</td> + <td>Revision of SSL 3.0 to update the MAC layer to HMAC, add block padding for + block ciphers, message order standardization and more alert messages. + </td> + <td>- Lynx/2.8+OpenSSL</td> + </tr> + </table> + </td> + </tr> + </table> + </td> + </tr> </table> -</td> -</tr></table> -</td></tr></table> </div> -<p> -There are a number of versions of the SSL protocol, as shown in <a +<p>There are a number of versions of the SSL protocol, as shown in <a href="#table4">Table 4</a>. As noted there, one of the benefits in SSL 3.0 is that it adds support of certificate chain loading. This feature allows a server to pass a server certificate along with issuer certificates to the browser. Chain loading also permits the browser to validate the server certificate, even if Certificate Authority certificates are not installed for the intermediate issuers, since they are included in the certificate chain. -SSL 3.0 is the basis for the Transport Layer Security [<A -HREF="#TLS1">TLS</A>] protocol standard, currently in development by the -Internet Engineering Task Force (IETF). +SSL 3.0 is the basis for the Transport Layer Security [<a +href="#TLS1">TLS</a>] protocol standard, currently in development by the +Internet Engineering Task Force (IETF).</p> <h3><a name="ToC12">Session Establishment</a></h3> -The SSL session is established by following a <I>handshake sequence</I> +<p>The SSL session is established by following a <a>handshake sequence</a> between client and server, as shown in <a href="#figure1">Figure 1</a>. This sequence may vary, depending on whether the server is configured to provide a server certificate or request a client certificate. Though cases exist where additional handshake steps are required for management of cipher information, this article summarizes one common scenario: see the SSL specification for the -full range of possibilities. -<p> +full range of possibilities.</p> <div align="center"><b>Note</b></div> -Once an SSL session has been established it may be reused, thus avoiding the +<p>Once an SSL session has been established it may be reused, thus avoiding the performance penalty of repeating the many steps needed to start a session. For this the server assigns each SSL session a unique session identifier which is cached in the server and which the client can use on forthcoming connections to reduce the handshake (until the session identifer expires in -the cache of the server). -<p> +the cache of the server).</p> <div align="center"> <a name="figure1"></a> <table width="600" cellspacing="0" cellpadding="1" border="0" summary=""> -<caption align="bottom" id="sf">Figure 1: Simplified SSL Handshake Sequence</caption> -<tr><td bgcolor="#cccccc"> -<table width="598" cellpadding="5" cellspacing="0" border="0" summary=""> -<tr><td valign="top" align="center" bgcolor="#ffffff"> -<img src="ssl_intro_fig1.gif" alt="" width="423" height="327"> -</td> -</tr></table> -</td></tr></table> + <caption align="bottom">Figure 1: Simplified SSL Handshake Sequence</caption> + <tr> + <td bgcolor="#cccccc"> + <table width="598" cellpadding="5" cellspacing="0" border="0" summary=""> + <tr> + <td valign="top" align="center" bgcolor="#ffffff"> + <img src="ssl_intro_fig1.gif" alt="" width="423" height="327" /> + </td> + </tr> + </table> + </td> + </tr> + </table> </div> -<p> -The elements of the handshake sequence, as used by the client and server, are -listed below: +<p>The elements of the handshake sequence, as used by the client and server, are +listed below:</p> <ol> -<li>Negotiate the Cipher Suite to be used during data transfer -<li>Establish and share a session key between client and server -<li>Optionally authenticate the server to the client -<li>Optionally authenticate the client to the server +<li>Negotiate the Cipher Suite to be used during data transfer</li> +<li>Establish and share a session key between client and server</li> +<li>Optionally authenticate the server to the client</li> +<li>Optionally authenticate the client to the server</li> </ol> -<p> -The first step, Cipher Suite Negotiation, allows the client and server to +<p>The first step, Cipher Suite Negotiation, allows the client and server to choose a Cipher Suite supportable by both of them. The SSL3.0 protocol specification defines 31 Cipher Suites. A Cipher Suite is defined by the -following components: +following components:</p> <ul> -<li>Key Exchange Method -<li>Cipher for Data Transfer -<li>Message Digest for creating the Message Authentication Code (MAC) +<li>Key Exchange Method</li> +<li>Cipher for Data Transfer</li> +<li>Message Digest for creating the Message Authentication Code (MAC)</li> </ul> -These three elements are described in the sections that follow. +<p>These three elements are described in the sections that follow.</p> <h3><a name="ToC13">Key Exchange Method</a></h3> -The key exchange method defines how the shared secret symmetric cryptography +<p>The key exchange method defines how the shared secret symmetric cryptography key used for application data transfer will be agreed upon by client and server. SSL 2.0 uses RSA key exchange only, while SSL 3.0 supports a choice of key exchange algorithms including the RSA key exchange when certificates are used, and Diffie-Hellman key exchange for exchanging keys without certificates -and without prior communication between client and server. -<p> -One variable in the choice of key exchange methods is digital signatures -- +and without prior communication between client and server.</p> +<p>One variable in the choice of key exchange methods is digital signatures -- whether or not to use them, and if so, what kind of signatures to use. Signing with a private key provides assurance against a man-in-the-middle-attack during the information exchange used in generating -the shared key [<a href="#AC96">AC96</a>, p516]. +the shared key [<a href="#AC96">AC96</a>, p516].</p> <h3><a name="ToC14">Cipher for Data Transfer</a></h3> -SSL uses the conventional cryptography algorithm (symmetric cryptography) +<p>SSL uses the conventional cryptography algorithm (symmetric cryptography) described earlier for encrypting messages in a session. There are nine -choices, including the choice to perform no encryption: +choices, including the choice to perform no encryption:</p> <ul> -<li>No encryption +<li>No encryption</li> <li>Stream Ciphers <ul> - <li>RC4 with 40-bit keys - <li>RC4 with 128-bit keys + <li>RC4 with 40-bit keys</li> + <li>RC4 with 128-bit keys</li> </ul> +</li> <li>CBC Block Ciphers <ul> - <li>RC2 with 40 bit key - <li>DES with 40 bit key - <li>DES with 56 bit key - <li>Triple-DES with 168 bit key - <li>Idea (128 bit key) - <li>Fortezza (96 bit key) + <li>RC2 with 40 bit key</li> + <li>DES with 40 bit key</li> + <li>DES with 56 bit key</li> + <li>Triple-DES with 168 bit key</li> + <li>Idea (128 bit key)</li> + <li>Fortezza (96 bit key)</li> </ul> +</li> </ul> -Here "CBC" refers to Cipher Block Chaining, which means that a portion of the +<p>Here "CBC" refers to Cipher Block Chaining, which means that a portion of the previously encrypted cipher text is used in the encryption of the current block. "DES" refers to the Data Encryption Standard [<a href="#AC96">AC96</a>, ch12], which has a number of variants (including DES40 and 3DES_EDE). "Idea" is one of the best and cryptographically strongest available algorithms, and "RC2" is a proprietary algorithm from RSA DSI [<a href="#AC96">AC96</a>, -ch13]. +ch13].</p> <h3><a name="ToC15">Digest Function</a></h3> -The choice of digest function determines how a digest is created from a record -unit. SSL supports the following: +<p>The choice of digest function determines how a digest is created from a record +unit. SSL supports the following:</p> <ul> -<li>No digest (Null choice) -<li>MD5, a 128-bit hash -<li>Secure Hash Algorithm (SHA-1), a 160-bit hash +<li>No digest (Null choice)</li> +<li>MD5, a 128-bit hash</li> +<li>Secure Hash Algorithm (SHA-1), a 160-bit hash</li> </ul> -The message digest is used to create a Message Authentication Code (MAC) which +<p>The message digest is used to create a Message Authentication Code (MAC) which is encrypted with the message to provide integrity and to prevent against -replay attacks. +replay attacks.</p> <h3><a name="ToC16">Handshake Sequence Protocol</a></h3> -The handshake sequence uses three protocols: +<p>The handshake sequence uses three protocols:</p> <ul> <li>The <em>SSL Handshake Protocol</em> for performing the client and server SSL session establishment. +</li> <li>The <em>SSL Change Cipher Spec Protocol</em> for actually establishing agreement on the Cipher Suite for the session. +</li> <li>The <em>SSL Alert Protocol</em> for conveying SSL error messages between client and server. +</li> </ul> These protocols, as well as application protocol data, are encapsulated in the <em>SSL Record Protocol</em>, as shown in <a href="#figure2">Figure 2</a>. An encapsulated protocol is transferred as data by the lower layer protocol, which does not examine the data. The encapsulated protocol has no knowledge of the underlying protocol. -<p> <div align="center"> <a name="figure2"></a> <table width="600" cellspacing="0" cellpadding="1" border="0" summary=""> -<caption align="bottom" id="sf">Figure 2: SSL Protocol Stack</caption> -<tr><td bgcolor="#cccccc"> -<table width="598" cellpadding="5" cellspacing="0" border="0" summary=""> -<tr><td valign="top" align="center" bgcolor="#ffffff"> -<img src="ssl_intro_fig2.gif" alt="" width="428" height="217"> -</td> -</tr></table> -</td></tr></table> + <caption align="bottom">Figure 2: SSL Protocol Stack</caption> + <tr> + <td bgcolor="#cccccc"> + <table width="598" cellpadding="5" cellspacing="0" border="0" summary=""> + <tr> + <td valign="top" align="center" bgcolor="#ffffff"> + <img src="ssl_intro_fig2.gif" alt="" width="428" height="217" /> + </td> + </tr> + </table> + </td> + </tr> +</table> </div> -<p> -The encapsulation of SSL control protocols by the record protocol means that +<p>The encapsulation of SSL control protocols by the record protocol means that if an active session is renegotiated the control protocols will be transmitted securely. If there were no session before, then the Null cipher suite is used, which means there is no encryption and messages have no integrity -digests until the session has been established. +digests until the session has been established.</p> <h3><a name="ToC17">Data Transfer</a></h3> -The SSL Record Protocol, shown in <a href="#figure3">Figure 3</a>, is used to +<p>The SSL Record Protocol, shown in <a href="#figure3">Figure 3</a>, is used to transfer application and SSL Control data between the client and server, possibly fragmenting this data into smaller units, or combining multiple higher level protocol data messages into single units. It may compress, attach digest signatures, and encrypt these units before transmitting them using the underlying reliable transport protocol (Note: currently all major SSL -implementations lack support for compression). -<p> +implementations lack support for compression).</p> <div align="center"> <a name="figure3"></a> <table width="600" cellspacing="0" cellpadding="1" border="0" summary=""> -<caption align="bottom" id="sf">Figure 3: SSL Record Protocol</caption> -<tr><td bgcolor="#cccccc"> -<table width="598" cellpadding="5" cellspacing="0" border="0" summary=""> -<tr><td valign="top" align="center" bgcolor="#ffffff"> -<img src="ssl_intro_fig3.gif" alt="" width="423" height="323"> -</td> -</tr></table> -</td></tr></table> + <caption align="bottom">Figure 3: SSL Record Protocol</caption> + <tr> + <td bgcolor="#cccccc"> + <table width="598" cellpadding="5" cellspacing="0" border="0" summary=""> + <tr> + <td valign="top" align="center" bgcolor="#ffffff"> + <img src="ssl_intro_fig3.gif" alt="" width="423" height="323" /> + </td> + </tr> + </table> + </td> + </tr> +</table> </div> <h3><a name="ToC18">Securing HTTP Communication</a></h3> -One common use of SSL is to secure Web HTTP communication between a browser +<p>One common use of SSL is to secure Web HTTP communication between a browser and a webserver. This case does not preclude the use of non-secured HTTP. The secure version is mainly plain HTTP over SSL (named HTTPS), but with one major difference: it uses the URL scheme <code>https</code> rather than <code>http</code> and a different server port (by default 443). This mainly -is what mod_ssl provides to you for the Apache webserver... +is what mod_ssl provides to you for the Apache webserver...</p> <h2><a name="ToC19">References</a></h2> <ul> -<p> <li><a name="AC96"></a> [AC96] Bruce Schneier, <em>Applied Cryptography</em>, 2nd Edition, Wiley, 1996. See <a href="http://www.counterpane.com/">http://www.counterpane.com/</a> for various other materials by Bruce Schneier. -<p> +</li> <li><a name="X208"></a> [X208] ITU-T Recommendation X.208, <em>Specification of Abstract Syntax Notation One (ASN.1)</em>, 1988. See for instance <a href="ftp://ftp.neda.com/pub/itu/x.series/x208.ps"> ftp://ftp.neda.com/pub/itu/x.series/x208.ps</a>. -<p> +</li> <li><a name="X509"></a> [X509] ITU-T Recommendation X.509, <em>The Directory - Authentication Framework</em>, 1988. See for instance <a href="ftp://ftp.bull.com/pub/OSIdirectory/ITUnov96/X.509/97x509final.doc"> ftp://ftp.bull.com/pub/OSIdirectory/ITUnov96/X.509/97x509final.doc</a>. -<p> +</li> <li><a name="PKCS"></a> [PKCS] Kaliski, Burton S., Jr., <em>An Overview of the PKCS Standards</em>, An RSA Laboratories Technical Note, revised November 1, 1993. See <a href="http://www.rsa.com/rsalabs/pubs/PKCS/"> http://www.rsa.com/rsalabs/pubs/PKCS/</a>. -<p> +</li> <li><a name="MIME"></a> [MIME] N. Freed, N. Borenstein, <em>Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message Bodies</em>, RFC2045. See for instance <a href="ftp://ftp.isi.edu/in-notes/rfc2045.txt"> ftp://ftp.isi.edu/in-notes/rfc2045.txt</a>. -<p> +</li> <li><a name="SSL2"></a> [SSL2] Kipp E.B. Hickman, <em>The SSL Protocol</em>, 1995. See <a href="http://www.netscape.com/eng/security/SSL_2.html"> http://www.netscape.com/eng/security/SSL_2.html</a>. -<p> +</li> <li><a name="SSL3"></a> [SSL3] Alan O. Freier, Philip Karlton, Paul C. Kocher, <em>The SSL Protocol Version 3.0</em>, 1996. See <a href="http://www.netscape.com/eng/ssl3/draft302.txt"> http://www.netscape.com/eng/ssl3/draft302.txt</a>. -<p> +</li> <li><a name="TLS1"></a> [TLS1] Tim Dierks, Christopher Allen, <em>The TLS Protocol Version 1.0</em>, 1997. See <a href="ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-protocol-06.txt"> ftp://ftp.ietf.org/internet-drafts/draft-ietf-tls-protocol-06.txt</a>. +</li> </ul> -<p><!--#include virtual="footer.html" --> </p> + <!--#include virtual="footer.html" --> </body> </html> diff --git a/docs/manual/stopping.html.en b/docs/manual/stopping.html.en index 628c40403b..654fba471b 100644 --- a/docs/manual/stopping.html.en +++ b/docs/manual/stopping.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Stopping and Restarting the Server</h1> + <h1 align="center">Stopping and Restarting the Server</h1> <p>This document covers stopping and restarting Apache on Unix-like systems. Windows users should see <a @@ -201,9 +201,8 @@ timeouts. In practice it doesn't seem to affect anything either -- in a test case the server was restarted twenty times per second and clients successfully browsed the site without - getting broken images or empty documents. + getting broken images or empty documents. </p> <!--#include virtual="footer.html" --> - </p> </body> </html> diff --git a/docs/manual/suexec.html.en b/docs/manual/suexec.html.en index 61c68fd438..58967a7f39 100644 --- a/docs/manual/suexec.html.en +++ b/docs/manual/suexec.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Apache suEXEC Support</h1> + <h1 align="center">Apache suEXEC Support</h1> <ol> <li><big><strong>CONTENTS</strong></big></li> @@ -43,14 +43,14 @@ <h3><a id="what" name="what">What is suEXEC?</a></h3> - <p align="LEFT">The <strong>suEXEC</strong> feature provides + <p align="left">The <strong>suEXEC</strong> feature provides Apache users the ability to run <strong>CGI</strong> and <strong>SSI</strong> programs under user IDs different from the user ID of the calling web-server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.</p> - <p align="LEFT">Used properly, this feature can reduce + <p align="left">Used properly, this feature can reduce considerably the security risks involved with allowing users to develop and run private CGI or SSI programs. However, if suEXEC is improperly configured, it can cause any number of problems @@ -59,30 +59,30 @@ security issues they present, we highly recommend that you not consider using suEXEC.</p> - <p align="CENTER"><strong><a href="suexec.html">BACK TO + <p align="center"><strong><a href="suexec.html">BACK TO CONTENTS</a></strong></p> <h3><a id="before" name="before">Before we begin.</a></h3> - <p align="LEFT">Before jumping head-first into this document, + <p align="left">Before jumping head-first into this document, you should be aware of the assumptions made on the part of the Apache Group and this document.</p> - <p align="LEFT">First, it is assumed that you are using a UNIX + <p align="left">First, it is assumed that you are using a UNIX derivate operating system that is capable of <strong>setuid</strong> and <strong>setgid</strong> operations. All command examples are given in this regard. Other platforms, if they are capable of supporting suEXEC, may differ in their configuration.</p> - <p align="LEFT">Second, it is assumed you are familiar with + <p align="left">Second, it is assumed you are familiar with some basic concepts of your computer's security and its administration. This involves an understanding of <strong>setuid/setgid</strong> operations and the various effects they may have on your system and its level of security.</p> - <p align="LEFT">Third, it is assumed that you are using an + <p align="left">Third, it is assumed that you are using an <strong>unmodified</strong> version of suEXEC code. All code for suEXEC has been carefully scrutinized and tested by the developers as well as numerous beta testers. Every precaution @@ -93,7 +93,7 @@ particulars of security programming and are willing to share your work with the Apache Group for consideration.</p> - <p align="LEFT">Fourth, and last, it has been the decision of + <p align="left">Fourth, and last, it has been the decision of the Apache Group to <strong>NOT</strong> make suEXEC part of the default installation of Apache. To this end, suEXEC configuration requires of the administrator careful attention @@ -107,20 +107,20 @@ installation only to those who are careful and determined enough to use it.</p> - <p align="LEFT">Still with us? Yes? Good. Let's move on!</p> + <p align="left">Still with us? Yes? Good. Let's move on!</p> - <p align="CENTER"><strong><a href="suexec.html">BACK TO + <p align="center"><strong><a href="suexec.html">BACK TO CONTENTS</a></strong></p> <h3><a id="model" name="model">suEXEC Security Model</a></h3> - <p align="LEFT">Before we begin configuring and installing + <p align="left">Before we begin configuring and installing suEXEC, we will first discuss the security model you are about to implement. By doing so, you may better understand what exactly is going on inside suEXEC and what precautions are taken to ensure your system's security.</p> - <p align="LEFT"><strong>suEXEC</strong> is based on a setuid + <p align="left"><strong>suEXEC</strong> is based on a setuid "wrapper" program that is called by the main Apache web server. This wrapper is called when an HTTP request is made for a CGI or SSI program that the administrator has designated to run as @@ -129,7 +129,7 @@ program's name and the user and group IDs under which the program is to execute.</p> - <p align="LEFT">The wrapper then employs the following process + <p align="left">The wrapper then employs the following process to determine success or failure -- if any one of these conditions fail, the program logs the failure and exits with an error, otherwise it will continue:</p> @@ -348,28 +348,28 @@ <br /> - <p align="LEFT">This is the standard operation of the the + <p align="left">This is the standard operation of the the suEXEC wrapper's security model. It is somewhat stringent and can impose new limitations and guidelines for CGI/SSI design, but it was developed carefully step-by-step with security in mind.</p> - <p align="LEFT">For more information as to how this security + <p align="left">For more information as to how this security model can limit your possibilities in regards to server configuration, as well as what security risks can be avoided with a proper suEXEC setup, see the <a href="#jabberwock">"Beware the Jabberwock"</a> section of this document.</p> - <p align="CENTER"><strong><a href="suexec.html">BACK TO + <p align="center"><strong><a href="suexec.html">BACK TO CONTENTS</a></strong></p> <h3><a id="install" name="install">Configuring & Installing suEXEC</a></h3> - <p align="LEFT">Here's where we begin the fun.</p> + <p align="left">Here's where we begin the fun.</p> - <p align="LEFT"><strong>suEXEC configuration + <p align="left"><strong>suEXEC configuration options</strong><br /> </p> @@ -453,7 +453,7 @@ <br /> - <p align="LEFT"><strong>Checking your suEXEC + <p align="left"><strong>Checking your suEXEC setup</strong><br /> Before you compile and install the suEXEC wrapper you can check the configuration with the --layout option.<br /> @@ -473,7 +473,7 @@ <br /> - <p align="LEFT"><strong>Compiling and installing the suEXEC + <p align="left"><strong>Compiling and installing the suEXEC wrapper</strong><br /> If you have enabled the suEXEC feature with the --enable-suexec option the suexec binary (together with Apache @@ -490,13 +490,13 @@ owner <code><em>root</em></code> and must have the setuserid execution bit set for file modes.</p> - <p align="CENTER"><strong><a href="suexec.html">BACK TO + <p align="center"><strong><a href="suexec.html">BACK TO CONTENTS</a></strong></p> <h3><a id="enable" name="enable">Enabling & Disabling suEXEC</a></h3> - <p align="LEFT">Upon startup of Apache, it looks for the file + <p align="left">Upon startup of Apache, it looks for the file "suexec" in the "sbin" directory (default is "/usr/local/apache/sbin/suexec"). If Apache finds a properly configured suEXEC wrapper, it will print the following message @@ -517,12 +517,12 @@ <br /> - <p align="CENTER"><strong><a href="suexec.html">BACK TO + <p align="center"><strong><a href="suexec.html">BACK TO CONTENTS</a></strong></p> <h3><a id="usage" name="usage">Using suEXEC</a></h3> - <p align="LEFT"><strong>Virtual Hosts:</strong><br /> + <p align="left"><strong>Virtual Hosts:</strong><br /> One way to use the suEXEC wrapper is through the <a href="mod/mod_suexec.html#suexecusergroup">SuexecUserGroup</a> directive in <a @@ -545,30 +545,30 @@ meet the scrutiny of the <a href="#model">security checks</a> above.</p> - <p align="CENTER"><strong><a href="suexec.html">BACK TO + <p align="center"><strong><a href="suexec.html">BACK TO CONTENTS</a></strong></p> <h3><a id="debug" name="debug">Debugging suEXEC</a></h3> - <p align="LEFT">The suEXEC wrapper will write log information + <p align="left">The suEXEC wrapper will write log information to the file defined with the --with-suexec-logfile option as indicated above. If you feel you have configured and installed the wrapper properly, have a look at this log and the error_log for the server to see where you may have gone astray.</p> - <p align="CENTER"><strong><a href="suexec.html">BACK TO + <p align="center"><strong><a href="suexec.html">BACK TO CONTENTS</a></strong></p> <h3><a id="jabberwock" name="jabberwock">Beware the Jabberwock: Warnings & Examples</a></h3> - <p align="LEFT"><strong>NOTE!</strong> This section may not be + <p align="left"><strong>NOTE!</strong> This section may not be complete. For the latest revision of this section of the documentation, see the Apache Group's <a href="http://www.apache.org/docs/suexec.html">Online Documentation</a> version.</p> - <p align="LEFT">There are a few points of interest regarding + <p align="left">There are a few points of interest regarding the wrapper that can cause limitations on server setup. Please review these before submitting any "bugs" regarding suEXEC.</p> @@ -613,7 +613,7 @@ </li> </ul> - <p align="CENTER"><strong><a href="suexec.html">BACK TO + <p align="center"><strong><a href="suexec.html">BACK TO CONTENTS</a></strong></p> <!--#include virtual="footer.html" --> </body> diff --git a/docs/manual/upgrading.html.en b/docs/manual/upgrading.html.en index 9872f077c3..aa454ab013 100644 --- a/docs/manual/upgrading.html.en +++ b/docs/manual/upgrading.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Upgrading to 2.0 from 1.3</h1> + <h1 align="center">Upgrading to 2.0 from 1.3</h1> <p>In order to assist folks upgrading, we maintain a document describing information critical to existing Apache users. These diff --git a/docs/manual/vhosts/details.html b/docs/manual/vhosts/details.html index 24da6ad406..a3e9c3025c 100644 --- a/docs/manual/vhosts/details.html +++ b/docs/manual/vhosts/details.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">An In-Depth Discussion of Virtual Host + <h1 align="center">An In-Depth Discussion of Virtual Host Matching</h1> <p>The virtual host code was completely rewritten in diff --git a/docs/manual/vhosts/examples.html b/docs/manual/vhosts/examples.html index c08a8f288f..df5fe970c4 100644 --- a/docs/manual/vhosts/examples.html +++ b/docs/manual/vhosts/examples.html @@ -13,7 +13,7 @@ alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Virtual Host examples for common setups</h1> + <h1 align="center">Virtual Host examples for common setups</h1> <p>This document attempts to answer the commonly-asked questions about setting up virtual hosts. These scenarios are those involving multiple @@ -399,7 +399,7 @@ wrong site</li> there is one.</p> <hr /> - <h3><a id="#ipport" name="#ipport">Mixed port-based and ip-based + <h3><a id="ipport" name="ipport">Mixed port-based and ip-based virtual hosts</a></h3> <p><strong>Setup:</strong></p> diff --git a/docs/manual/vhosts/fd-limits.html.en b/docs/manual/vhosts/fd-limits.html.en index 3eaa8f65e3..10bd3b2552 100644 --- a/docs/manual/vhosts/fd-limits.html.en +++ b/docs/manual/vhosts/fd-limits.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">File Descriptor Limits</h1> + <h1 align="center">File Descriptor Limits</h1> <p>When using a large number of Virtual Hosts, Apache may run out of available file descriptors (sometimes called <cite>file @@ -85,7 +85,7 @@ directive, and the <code>%v</code> variable. Add this to the beginning of your log format string:</p> <blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code> - LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost<br> + LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost<br /> CustomLog logs/multiple_vhost_log vhost </code></td></tr></table></blockquote> diff --git a/docs/manual/vhosts/footer.html b/docs/manual/vhosts/footer.html index 24e2703091..5ee7eec68a 100644 --- a/docs/manual/vhosts/footer.html +++ b/docs/manual/vhosts/footer.html @@ -1,5 +1,5 @@ <hr /> - <h3 align="CENTER">Apache HTTP Server Version 2.0</h3> + <h3 align="center">Apache HTTP Server Version 2.0</h3> <a href="./"><img src="../images/index.gif" alt="Index" /></a> <a href="../"><img src="../images/home.gif" alt="Home" /></a> diff --git a/docs/manual/vhosts/header.html b/docs/manual/vhosts/header.html index cbdcb99591..61d9a9121b 100644 --- a/docs/manual/vhosts/header.html +++ b/docs/manual/vhosts/header.html @@ -1,4 +1,4 @@ - <div align="CENTER"> + <div align="center"> <img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" /> <h3>Apache HTTP Server Version 2.0</h3> diff --git a/docs/manual/vhosts/index.html.en b/docs/manual/vhosts/index.html.en index 80eae78476..5d869dcda3 100644 --- a/docs/manual/vhosts/index.html.en +++ b/docs/manual/vhosts/index.html.en @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Apache Virtual Host documentation</h1> + <h1 align="center">Apache Virtual Host documentation</h1> <p>The term <cite>Virtual Host</cite> refers to the practice of running more than one web site (such as @@ -74,7 +74,7 @@ <li><a href="../mod/core.html#serverpath">ServerPath</a></li> <li><b>See also</b> <a - href="../mod/mod_vhost_alias.html">mod_vhost_alias</a> + href="../mod/mod_vhost_alias.html">mod_vhost_alias</a></li> </ul> <p>If you are trying to debug your virtual host configuration, you diff --git a/docs/manual/vhosts/ip-based.html b/docs/manual/vhosts/ip-based.html index aa833f35b2..7b8b908898 100644 --- a/docs/manual/vhosts/ip-based.html +++ b/docs/manual/vhosts/ip-based.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Apache IP-based Virtual Host Support</h1> + <h1 align="center">Apache IP-based Virtual Host Support</h1> <strong>See also:</strong> <a href="name-based.html">Name-based Virtual Hosts Support</a> <hr /> diff --git a/docs/manual/vhosts/mass.html b/docs/manual/vhosts/mass.html index eb46f3db6f..3ce888e462 100644 --- a/docs/manual/vhosts/mass.html +++ b/docs/manual/vhosts/mass.html @@ -13,7 +13,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Dynamically configured mass virtual + <h1 align="center">Dynamically configured mass virtual hosting</h1> <p>This document describes how to efficiently serve an diff --git a/docs/manual/vhosts/name-based.html.en b/docs/manual/vhosts/name-based.html.en index 075140a6bf..f77b3b5960 100644 --- a/docs/manual/vhosts/name-based.html.en +++ b/docs/manual/vhosts/name-based.html.en @@ -11,7 +11,7 @@ vlink="#000080" alink="#FF0000"> <!--#include virtual="header.html" --> - <h1 align="CENTER">Name-based Virtual Host Support</h1> + <h1 align="center">Name-based Virtual Host Support</h1> <p>This document describes when and how to use name-based virtual hosts.</p> @@ -69,8 +69,8 @@ they are on separate IP addresses.</li> <h2><a name="using">Using Name-based Virtual Hosts</a></h2> <table border="1"> -<tr><td align="top"> -<strong>Related Directives</strong><br><br> +<tr><td valign="top"> +<strong>Related Directives</strong><br /><br /> <a href="../mod/core.html#documentroot">DocumentRoot</a><br /> <a href="../mod/core.html#namevirtualhost">NameVirtualHost</a><br /> |