Posted to cvs@httpd.apache.org by ji...@apache.org on 2011/09/23 15:36:43 UTC

svn commit: r1174747 [6/6] - in /httpd/httpd/trunk/docs/manual: ./ developer/ howto/ misc/ mod/ platform/ programs/ rewrite/ ssl/ style/lang/ vhosts/

Modified: httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml?rev=1174747&r1=1174746&r2=1174747&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml (original)
+++ httpd/httpd/trunk/docs/manual/ssl/ssl_faq.xml Fri Sep 23 13:36:39 2011
@@ -36,13 +36,13 @@ he poses the right questions.</p>
 
 <section id="installation"><title>Installation</title>
 <ul>
-<li><a href="#mutex">Why do I get permission errors related to 
+<li><a href="#mutex">Why do I get permission errors related to
 SSLMutex when I start Apache?</a></li>
-<li><a href="#entropy">Why does mod_ssl stop with the error "Failed to 
+<li><a href="#entropy">Why does mod_ssl stop with the error "Failed to
 generate temporary 512 bit RSA private key" when I start Apache?</a></li>
 </ul>
 
-<section id="mutex"><title>Why do I get permission errors related to 
+<section id="mutex"><title>Why do I get permission errors related to
         SSLMutex when I start Apache?</title>
     <p>Errors such as ``<code>mod_ssl: Child could not open
     SSLMutex lockfile /opt/apache/logs/ssl_mutex.18332 (System error follows)
@@ -55,7 +55,7 @@ generate temporary 512 bit RSA private k
 </section>
 
 <section id="entropy"><title>Why does mod_ssl stop with the error
-        "Failed to generate temporary 512 bit RSA private key" when I start 
+        "Failed to generate temporary 512 bit RSA private key" when I start
         Apache?</title>
     <p>Cryptographic software needs a source of unpredictable data
     to work correctly. Many open source operating systems provide
@@ -66,9 +66,9 @@ generate temporary 512 bit RSA private k
     encryption. As of version 0.9.5, the OpenSSL functions that need
     randomness report an error if the PRNG has not been seeded with
     at least 128 bits of randomness.</p>
-    <p>To prevent this error, <module>mod_ssl</module> has to provide 
-    enough entropy to the PRNG to allow it to work correctly. This can 
-    be done via the <directive module="mod_ssl">SSLRandomSeed</directive> 
+    <p>To prevent this error, <module>mod_ssl</module> has to provide
+    enough entropy to the PRNG to allow it to work correctly. This can
+    be done via the <directive module="mod_ssl">SSLRandomSeed</directive>
     directive.</p>
 </section>
 </section>
@@ -76,29 +76,29 @@ generate temporary 512 bit RSA private k
 
 <section id="aboutconfig"><title>Configuration</title>
 <ul>
-<li><a href="#parallel">Is it possible to provide HTTP and HTTPS from 
+<li><a href="#parallel">Is it possible to provide HTTP and HTTPS from
 the same server?</a></li>
 <li><a href="#ports">Which port does HTTPS use?</a></li>
-<li><a href="#httpstest">How do I speak HTTPS manually for testing 
+<li><a href="#httpstest">How do I speak HTTPS manually for testing
 purposes?</a></li>
-<li><a href="#hang">Why does the connection hang when I connect to my 
+<li><a href="#hang">Why does the connection hang when I connect to my
 SSL-aware Apache server?</a></li>
-<li><a href="#refused">Why do I get ``Connection Refused'' errors, when 
+<li><a href="#refused">Why do I get ``Connection Refused'' errors, when
 trying to access my newly installed Apache+mod_ssl server via HTTPS?</a></li>
 <li><a href="#envvars">Why are the <code>SSL_XXX</code> variables not
 available to my CGI &amp; SSI scripts?</a></li>
-<li><a href="#relative">How can I switch between HTTP and HTTPS in 
+<li><a href="#relative">How can I switch between HTTP and HTTPS in
 relative hyperlinks?</a></li>
 </ul>
 
-<section id="parallel"><title>Is it possible to provide HTTP and HTTPS 
+<section id="parallel"><title>Is it possible to provide HTTP and HTTPS
         from the same server?</title>
-    <p>Yes. HTTP and HTTPS use different server ports (HTTP binds to 
-    port 80, HTTPS to port 443), so there is no direct conflict between 
-    them. You can either run two separate server instances bound to 
-    these ports, or use Apache's elegant virtual hosting facility to 
-    create two virtual servers, both served by the same instance of Apache 
-    - one responding over HTTP to requests on port 80, and the other 
+    <p>Yes. HTTP and HTTPS use different server ports (HTTP binds to
+    port 80, HTTPS to port 443), so there is no direct conflict between
+    them. You can either run two separate server instances bound to
+    these ports, or use Apache's elegant virtual hosting facility to
+    create two virtual servers, both served by the same instance of Apache
+    - one responding over HTTP to requests on port 80, and the other
     responding over HTTPS to requests on port 443.</p>
 </section>
 
@@ -112,15 +112,15 @@ relative hyperlinks?</a></li>
 
 <section id="httpstest"><title>How do I speak HTTPS manually for testing purposes?</title>
  <p>While you usually just use</p>
-    
+
     <example>$ telnet localhost 80<br />
     GET / HTTP/1.0</example>
 
     <p>for simple testing of Apache via HTTP, it's not so easy for
     HTTPS because of the SSL protocol between TCP and HTTP. With the
-    help of OpenSSL's <code>s_client</code> command, however, you can 
+    help of OpenSSL's <code>s_client</code> command, however, you can
     do a similar check via HTTPS:</p>
-    
+
     <example>$ openssl s_client -connect localhost:443 -state -debug<br />
     GET / HTTP/1.0</example>
 
@@ -137,7 +137,7 @@ relative hyperlinks?</a></li>
     $ curl https://localhost/</example>
 </section>
 
-<section id="hang"><title>Why does the connection hang when I connect 
+<section id="hang"><title>Why does the connection hang when I connect
     to my SSL-aware Apache server?</title>
 
 <p>This can happen when you try to connect to a HTTPS server (or virtual
@@ -148,29 +148,29 @@ relative hyperlinks?</a></li>
     or which supports it on a non-standard port). Make sure that you're
     connecting to a (virtual) server that supports SSL.</p></section>
 
-<section id="refused"><title>Why do I get ``Connection Refused'' messages, 
+<section id="refused"><title>Why do I get ``Connection Refused'' messages,
     when trying to access my newly installed Apache+mod_ssl server via HTTPS?</title>
 <p>
     This error can be caused by an incorrect configuration.
     Please make sure that your <directive module="mpm_common"
-    >Listen</directive> directives match your 
+    >Listen</directive> directives match your
     <directive type="section" module="core">VirtualHost</directive>
-    directives. If all else fails, please start afresh, using the default 
+    directives. If all else fails, please start afresh, using the default
     configuration provided by <module>mod_ssl</module>.</p>
 </section>
 
-<section id="envvars"><title>Why are the <code>SSL_XXX</code> variables 
+<section id="envvars"><title>Why are the <code>SSL_XXX</code> variables
     not available to my CGI &amp; SSI scripts?</title>
 <p>Please make sure you have ``<code>SSLOptions +StdEnvVars</code>''
     enabled for the context of your CGI/SSI requests.</p>
 </section>
 
 <section id="relative">
-<title>How can I switch between HTTP and HTTPS in relative 
+<title>How can I switch between HTTP and HTTPS in relative
     hyperlinks?</title>
-<p>Usually, to switch between HTTP and HTTPS, you have to use 
-    fully-qualified hyperlinks (because you have to change the URL 
-    scheme).  Using <module>mod_rewrite</module> however, you can 
+<p>Usually, to switch between HTTP and HTTPS, you have to use
+    fully-qualified hyperlinks (because you have to change the URL
+    scheme).  Using <module>mod_rewrite</module> however, you can
     manipulate relative hyperlinks, to achieve the same effect.</p>
     <example>
     RewriteEngine on<br />
@@ -187,24 +187,24 @@ relative hyperlinks?</a></li>
 
 <section id="aboutcerts"><title>Certificates</title>
 <ul>
-<li><a href="#keyscerts">What are RSA Private Keys, CSRs and 
+<li><a href="#keyscerts">What are RSA Private Keys, CSRs and
 Certificates?</a></li>
 <li><a href="#startup">Is there a difference on startup between
 a non-SSL-aware Apache and an SSL-aware Apache?</a></li>
-<li><a href="#selfcert">How do I create a self-signed SSL 
+<li><a href="#selfcert">How do I create a self-signed SSL
 Certificate for testing purposes?</a></li>
 <li><a href="#realcert">How do I create a real SSL Certificate?</a></li>
-<li><a href="#ownca">How do I create and use my own Certificate 
+<li><a href="#ownca">How do I create and use my own Certificate
 Authority (CA)?</a></li>
-<li><a href="#passphrase">How can I change the pass-phrase on my private 
+<li><a href="#passphrase">How can I change the pass-phrase on my private
 key file?</a></li>
-<li><a href="#removepassphrase">How can I get rid of the pass-phrase 
+<li><a href="#removepassphrase">How can I get rid of the pass-phrase
 dialog at Apache startup time?</a></li>
-<li><a href="#verify">How do I verify that a private key matches its 
+<li><a href="#verify">How do I verify that a private key matches its
 Certificate?</a></li>
-<li><a href="#badcert">Why do connections fail with an "alert bad 
+<li><a href="#badcert">Why do connections fail with an "alert bad
 certificate" error?</a></li>
-<li><a href="#pemder">How can I convert a certificate from PEM to DER 
+<li><a href="#pemder">How can I convert a certificate from PEM to DER
 format?</a></li>
 <li><a href="#gid">Why do browsers complain that they cannot
 verify my Verisign Global ID server certificate?</a></li>
@@ -217,7 +217,7 @@ verify my Verisign Global ID server cert
     you.</p>
     <p>A Certificate Signing Request (CSR) is a digital file which contains
     your public key and your name. You send the CSR to a Certifying Authority
-    (CA), who will convert it into a real Certificate, by signing it.</p> 
+    (CA), who will convert it into a real Certificate, by signing it.</p>
     <p>A Certificate contains your
     RSA public key, your name, the name of the CA, and is digitally signed by
     the CA. Browsers that know the CA can verify the signature on that
@@ -227,23 +227,23 @@ verify my Verisign Global ID server cert
     description of the SSL protocol.</p>
 </section>
 
-<section id="startup"><title>Is there a difference on startup between 
+<section id="startup"><title>Is there a difference on startup between
     a non-SSL-aware Apache and an SSL-aware Apache?</title>
-<p>Yes. In general, starting Apache with 
-    <module>mod_ssl</module> built-in is just like starting Apache 
-    without it. However, if you have a passphrase on your SSL private 
-    key file, a startup dialog will pop up which asks you to enter the 
+<p>Yes. In general, starting Apache with
+    <module>mod_ssl</module> built-in is just like starting Apache
+    without it. However, if you have a passphrase on your SSL private
+    key file, a startup dialog will pop up which asks you to enter the
     pass phrase.</p>
-    
-    <p>Having to manually enter the passphrase when starting the server 
-    can be problematic - for example, when starting the server from the 
+
+    <p>Having to manually enter the passphrase when starting the server
+    can be problematic - for example, when starting the server from the
     system boot scripts. In this case, you can follow the steps
     <a href="#removepassphrase">below</a> to remove the passphrase from
     your private key. Bear in mind that doing so brings additional security
     risks - proceed with caution!</p>
 </section>
 
-<section id="selfcert"><title>How do I create a self-signed SSL 
+<section id="selfcert"><title>How do I create a self-signed SSL
 Certificate for testing purposes?</title>
     <ol>
     <li>Make sure OpenSSL is installed and in your <code>PATH</code>.<br />
@@ -251,23 +251,23 @@ Certificate for testing purposes?</title
     </li>
     <li>Run the following command, to create <code>server.key</code> and
         <code>server.crt</code> files:<br />
-        <code><strong>$ openssl req -new -x509 -nodes -out server.crt 
+        <code><strong>$ openssl req -new -x509 -nodes -out server.crt
                         -keyout server.key</strong></code><br />
-        These can be used as follows in your <code>httpd.conf</code> 
+        These can be used as follows in your <code>httpd.conf</code>
         file:
         <pre>
              SSLCertificateFile    /path/to/this/server.crt
              SSLCertificateKeyFile /path/to/this/server.key
         </pre>
     </li>
-    <li>It is important that you are aware that this 
+    <li>It is important that you are aware that this
         <code>server.key</code> does <em>not</em> have any passphrase.
-        To add a passphrase to the key, you should run the following 
+        To add a passphrase to the key, you should run the following
         command, and enter &amp; verify the passphrase as requested.<br />
-        <p><code><strong>$ openssl rsa -des3 -in server.key -out 
+        <p><code><strong>$ openssl rsa -des3 -in server.key -out
         server.key.new</strong></code><br />
         <code><strong>$ mv server.key.new server.key</strong></code><br /></p>
-        Please backup the <code>server.key</code> file, and the passphrase 
+        Please backup the <code>server.key</code> file, and the passphrase
         you entered, in a secure location.
     </li>
     </ol>
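Review bot: style point in the surrounding context of this hunk, at the lines beginning `command, and enter &amp; verify the passphrase as requested.<br />` and `<p><code><strong>$ openssl rsa -des3 -in server.key -out`: the `<br />` immediately before a block-level `<p>` is redundant and will render as an extra blank line; since these lines are being touched for whitespace anyway, dropping the `<br />` (or moving the two commands out of the `<p>` to match the other steps in the list) would make the markup consistent.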
@@ -292,7 +292,7 @@ Certificate for testing purposes?</title
        <br />
        <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br />
        <br />
-       If necessary, you can also create a decrypted PEM version (not 
+       If necessary, you can also create a decrypted PEM version (not
        recommended) of this RSA private key with:<br />
        <br />
        <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br />
@@ -315,18 +315,18 @@ Certificate for testing purposes?</title
        <br />
     </li>
     <li>You now have to send this Certificate Signing Request (CSR) to
-       a Certifying Authority (CA) to be signed. Once the CSR has been 
+       a Certifying Authority (CA) to be signed. Once the CSR has been
        signed, you will have a real Certificate, which can be used by
-       Apache. You can have a CSR signed by a commercial CA, or you can 
+       Apache. You can have a CSR signed by a commercial CA, or you can
        create your own CA to sign it.<br />
-       Commercial CAs usually ask you to post the CSR into a web form, 
-       pay for the signing, and then send a signed Certificate, which 
+       Commercial CAs usually ask you to post the CSR into a web form,
+       pay for the signing, and then send a signed Certificate, which
        you can store in a server.crt file.<br />
 
        For details on how to create your own CA, and use this to sign
        a CSR, see <a href="#ownca">below</a>.<br />
-       
-       Once your CSR has been signed, you can see the details of the 
+
+       Once your CSR has been signed, you can see the details of the
        Certificate as follows:<br />
        <br />
        <code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br />
@@ -347,10 +347,10 @@ Certificate for testing purposes?</title
 
 <section id="ownca"><title>How do I create and use my own Certificate Authority (CA)?</title>
     <p>The short answer is to use the <code>CA.sh</code> or <code>CA.pl</code>
-    script provided by OpenSSL. Unless you have a good reason not to, 
+    script provided by OpenSSL. Unless you have a good reason not to,
     you should use these for preference. If you cannot, you can create a
     self-signed Certificate as follows:</p>
-    
+
     <ol>
     <li>Create a RSA private key for your server
        (will be Triple-DES encrypted and PEM formatted):<br />
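Review bot: documentation gap in the context of this hunk: the section is titled "How do I create and use my own Certificate Authority (CA)?", but the introductory paragraph ends with "you can create a self-signed Certificate as follows" and the numbered steps that follow produce a single self-signed server certificate, not a CA certificate that is then used to sign a server CSR. Either the title should say what the steps actually do, or the steps should cover creating the CA key/certificate and signing a CSR with it; the "realcert" section already points readers here for exactly that.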
@@ -359,11 +359,11 @@ Certificate for testing purposes?</title
        <br />
        Please backup this <code>host.key</code> file and the
        pass-phrase you entered in a secure location.
-       You can see the details of this RSA private key by using the 
+       You can see the details of this RSA private key by using the
        command:<br />
        <code><strong>$ openssl rsa -noout -text -in server.key</strong></code><br />
        <br />
-       If necessary, you can also create a decrypted PEM version (not 
+       If necessary, you can also create a decrypted PEM version (not
        recommended) of this RSA private key with:<br />
        <br />
        <code><strong>$ openssl rsa -in server.key -out server.key.unsecure</strong></code><br />
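Review bot: inconsistent filename in the context of this hunk: the text says "Please backup this `host.key` file", but every command in the same step reads and writes `server.key` (`openssl rsa -noout -text -in server.key`, `openssl rsa -in server.key -out server.key.unsecure`). One of the two names should be changed so the reader backs up the file the commands actually create.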
@@ -372,7 +372,7 @@ Certificate for testing purposes?</title
     <li>Create a self-signed Certificate (X509 structure)
        with the RSA key you just created (output will be PEM formatted):<br />
        <br />
-       <code><strong>$ openssl req -new -x509 -nodes -sha1 -days 365 
+       <code><strong>$ openssl req -new -x509 -nodes -sha1 -days 365
                        -key server.key -out server.crt</strong></code><br />
        <br />
        This signs the server CSR and results in a <code>server.crt</code> file.<br />
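Review bot: the explanatory sentence at `This signs the server CSR and results in a <code>server.crt</code> file.` does not match the command above it. `openssl req -new -x509 -key server.key -out server.crt` builds a self-signed certificate directly from the key; no CSR is read or signed, so the sentence should say that it creates a self-signed certificate. Also, `-nodes` only controls whether a key that `req` generates itself is left unencrypted, so it has no effect when an existing key is supplied with `-key` and could be dropped to avoid suggesting the encrypted `server.key` is somehow changed.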
@@ -389,14 +389,14 @@ Certificate for testing purposes?</title
     specifying the new pass-phrase. You can accomplish this with the following
     commands:</p>
 
-    
+
     <p><code><strong>$ openssl rsa -des3 -in server.key -out server.key.new</strong></code><br />
     <code><strong>$ mv server.key.new server.key</strong></code><br /></p>
-    
+
     <p>The first time you're asked for a PEM pass-phrase, you should
-    enter the old pass-phrase. After that, you'll be asked again to 
+    enter the old pass-phrase. After that, you'll be asked again to
     enter a pass-phrase - this time, use the new pass-phrase. If you
-    are asked to verify the pass-phrase, you'll need to enter the new 
+    are asked to verify the pass-phrase, you'll need to enter the new
     pass-phrase a second time.</p>
 </section>
 
@@ -404,7 +404,7 @@ Certificate for testing purposes?</title
 <p>The reason this dialog pops up at startup and every re-start
     is that the RSA private key inside your server.key file is stored in
     encrypted format for security reasons. The pass-phrase is needed to decrypt
-    this file, so it can be read and parsed. Removing the pass-phrase 
+    this file, so it can be read and parsed. Removing the pass-phrase
     removes a layer of security from your server - proceed with caution!</p>
     <ol>
     <li>Remove the encryption from the RSA private key (while
@@ -429,7 +429,7 @@ Certificate for testing purposes?</title
     file are such that only root or the web server user can read it
     (preferably get your web server to start as root but run as another
     user, and have the key readable only by root).</p>
-    
+
     <p>As an alternative approach you can use the ``<code>SSLPassPhraseDialog
     exec:/path/to/program</code>'' facility. Bear in mind that this is
     neither more nor less secure, of course.</p>
@@ -441,28 +441,28 @@ Certificate for testing purposes?</title
     key" bits are included when you generate a CSR, and subsequently form
     part of the associated Certificate.</p>
     <p>To check that the public key in your Certificate matches the public
-    portion of your private key, you simply need to compare these numbers. 
+    portion of your private key, you simply need to compare these numbers.
     To view the Certificate and the key run the commands:</p>
-    
+
     <p><code><strong>$ openssl x509 -noout -text -in server.crt</strong></code><br />
     <code><strong>$ openssl rsa -noout -text -in server.key</strong></code></p>
-    
+
     <p>The `modulus' and the `public exponent' portions in the key and the
     Certificate must match. As the public exponent is usually 65537
     and it's difficult to visually check that the long modulus numbers
     are the same, you can use the following approach:</p>
-    
+
     <p><code><strong>$ openssl x509 -noout -modulus -in server.crt | openssl md5</strong></code><br />
     <code><strong>$ openssl rsa -noout -modulus -in server.key | openssl md5</strong></code></p>
-    
+
     <p>This leaves you with two rather shorter numbers to compare. It is,
-    in theory, possible that these numbers may be the same, without the 
-    modulus numbers being the same, but the chances of this are 
+    in theory, possible that these numbers may be the same, without the
+    modulus numbers being the same, but the chances of this are
     overwhelmingly remote.</p>
-    <p>Should you wish to check to which key or certificate a particular 
-    CSR belongs you can perform the same calculation on the CSR as 
+    <p>Should you wish to check to which key or certificate a particular
+    CSR belongs you can perform the same calculation on the CSR as
     follows:</p>
-    
+
     <p><code><strong>$ openssl req -noout -modulus -in server.csr | openssl md5</strong></code></p>
 </section>
 
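Review bot: minor suggestion for the context of this hunk, at the two lines ending in `| openssl md5`: the paragraph below already concedes that two different moduli could in theory produce the same short digest. Piping through `openssl sha256` instead of `openssl md5` would keep the comparison just as short to read while making that caveat moot; if the text keeps md5, it might at least note that the digest is only a convenience for eyeballing and the full `-modulus` output is the authoritative comparison.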
@@ -475,15 +475,15 @@ Certificate for testing purposes?</title
     <code><strong>$ openssl x509 -in cert.pem -out cert.der -outform DER</strong></code></p>
 </section>
 
-<section id="gid"><title>Why do browsers complain that they cannot 
+<section id="gid"><title>Why do browsers complain that they cannot
 verify my Verisign Global ID server certificate?</title>
-<p>Verisign uses an intermediate CA certificate between the root CA 
-    certificate (which is installed in the browsers) and the server 
-    certificate (which you installed on the server). You should have 
+<p>Verisign uses an intermediate CA certificate between the root CA
+    certificate (which is installed in the browsers) and the server
+    certificate (which you installed on the server). You should have
     received this additional CA certificate from Verisign.
     If not, complain to them. Then, configure this certificate with the
-    <directive module="mod_ssl">SSLCertificateChainFile</directive> 
-    directive. This ensures that the intermediate CA certificate is 
+    <directive module="mod_ssl">SSLCertificateChainFile</directive>
+    directive. This ensures that the intermediate CA certificate is
     sent to the browser, filling the gap in the certificate chain.</p>
 </section>
 </section>
@@ -491,7 +491,7 @@ verify my Verisign Global ID server cert
 
 <section id="aboutssl"><title>The SSL Protocol</title>
 <ul>
-<li><a href="#random">Why do I get lots of random SSL protocol 
+<li><a href="#random">Why do I get lots of random SSL protocol
 errors under heavy server load?</a></li>
 <li><a href="#load">Why does my webserver have a higher load, now
 that it serves SSL encrypted traffic?</a></li>
@@ -502,7 +502,7 @@ sometimes take up to 30 seconds to estab
 trying to use Anonymous Diffie-Hellman (ADH) ciphers?</a></li>
 <li><a href="#sharedciphers">Why do I get a 'no shared ciphers'
 error when connecting to my newly installed server?</a></li>
-<li><a href="#vhosts">Why can't I use SSL with name-based/non-IP-based 
+<li><a href="#vhosts">Why can't I use SSL with name-based/non-IP-based
 virtual hosts?</a></li>
 <li><a href="#vhosts2">Is it possible to use Name-Based Virtual
 Hosting to identify different SSL virtual hosts?</a></li>
@@ -511,11 +511,11 @@ Hosting to identify different SSL virtua
 the lock icon in Netscape browsers stays unlocked when the dialog pops up.
 Does this mean the username/password is being sent unencrypted?</a></li>
 <li><a href="#msie">Why do I get I/O errors when connecting via
-HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer 
+HTTPS to an Apache+mod_ssl server with Microsoft Internet Explorer
 (MSIE)?</a></li>
 </ul>
 
-<section id="random"><title>Why do I get lots of random SSL protocol 
+<section id="random"><title>Why do I get lots of random SSL protocol
 errors under heavy server load?</title>
 <p>There can be a number of reasons for this, but the main one
     is problems with the SSL session Cache specified by the
@@ -524,7 +524,7 @@ errors under heavy server load?</title>
     no cache at all) may help.</p>
 </section>
 
-<section id="load"><title>Why does my webserver have a higher load, now 
+<section id="load"><title>Why does my webserver have a higher load, now
 that it serves SSL encrypted traffic?</title>
 <p>SSL uses strong cryptographic encryption, which necessitates a lot of
     number crunching. When you request a webpage via HTTPS, everything (even
@@ -532,63 +532,63 @@ that it serves SSL encrypted traffic?</t
     traffic leads to load increases.</p>
 </section>
 
-<section id="establishing"><title>Why do HTTPS connections to my server 
+<section id="establishing"><title>Why do HTTPS connections to my server
 sometimes take up to 30 seconds to establish a connection?</title>
 <p>This is usually caused by a <code>/dev/random</code> device for
-    <directive module="mod_ssl">SSLRandomSeed</directive> which blocks the 
-    read(2) call until enough entropy is available to service the 
+    <directive module="mod_ssl">SSLRandomSeed</directive> which blocks the
+    read(2) call until enough entropy is available to service the
     request. More information is available in the reference
     manual for the <directive module="mod_ssl">SSLRandomSeed</directive>
     directive.</p>
 </section>
 
 <section id="ciphers"><title>What SSL Ciphers are supported by mod_ssl?</title>
-<p>Usually, any SSL ciphers supported by the version of OpenSSL in use, 
-    are also supported by <module>mod_ssl</module>. Which ciphers are 
-    available can depend on the way you built OpenSSL. Typically, at 
+<p>Usually, any SSL ciphers supported by the version of OpenSSL in use,
+    are also supported by <module>mod_ssl</module>. Which ciphers are
+    available can depend on the way you built OpenSSL. Typically, at
     least the following ciphers are supported:</p>
-    
+
     <ol>
     <li>RC4 with SHA1</li>
     <li>AES with SHA1</li>
     <li>Triple-DES with SHA1</li>
     </ol>
-    
-    <p>To determine the actual list of ciphers available, you should run 
+
+    <p>To determine the actual list of ciphers available, you should run
     the following:</p>
     <example>$ openssl ciphers -v</example>
 </section>
 
-<section id="adh"><title>Why do I get ``no shared cipher'' errors, when 
+<section id="adh"><title>Why do I get ``no shared cipher'' errors, when
 trying to use Anonymous Diffie-Hellman (ADH) ciphers?</title>
 <p>By default, OpenSSL does <em>not</em> allow ADH ciphers, for security
-    reasons. Please be sure you are aware of the potential side-effects 
+    reasons. Please be sure you are aware of the potential side-effects
     if you choose to enable these ciphers.</p>
-    <p>In order to use Anonymous Diffie-Hellman (ADH) ciphers, you must 
+    <p>In order to use Anonymous Diffie-Hellman (ADH) ciphers, you must
     build OpenSSL with ``<code>-DSSL_ALLOW_ADH</code>'', and then add
     ``<code>ADH</code>'' into your <directive module="mod_ssl"
     >SSLCipherSuite</directive>.</p>
 </section>
 
-<section id="sharedciphers"><title>Why do I get a 'no shared ciphers' 
+<section id="sharedciphers"><title>Why do I get a 'no shared ciphers'
 error when connecting to my newly installed server?</title>
-<p>Either you have made a mistake with your 
+<p>Either you have made a mistake with your
     <directive module="mod_ssl">SSLCipherSuite</directive>
     directive (compare it with the pre-configured example in
     <code>extra/httpd-ssl.conf</code>) or you chose to use DSA/DH
     algorithms instead of RSA when you generated your private key
     and ignored or overlooked the warnings. If you have chosen
-    DSA/DH, then your server cannot communicate using RSA-based SSL 
+    DSA/DH, then your server cannot communicate using RSA-based SSL
     ciphers (at least until you configure an additional RSA-based
-    certificate/key pair). Modern browsers like NS or IE can only 
-    communicate over SSL using RSA ciphers. The result is the 
-    "no shared ciphers" error. To fix this, regenerate your server 
+    certificate/key pair). Modern browsers like NS or IE can only
+    communicate over SSL using RSA ciphers. The result is the
+    "no shared ciphers" error. To fix this, regenerate your server
     certificate/key pair, using the RSA algorithm.</p>
 </section>
 
 <section id="vhosts"><title>Why can't I use SSL with name-based/non-IP-based virtual hosts?</title>
-<p>The reason is very technical, and a somewhat "chicken and egg" problem. 
-    The SSL protocol layer stays below the HTTP protocol layer and 
+<p>The reason is very technical, and a somewhat "chicken and egg" problem.
+    The SSL protocol layer stays below the HTTP protocol layer and
     encapsulates HTTP. When an SSL connection (HTTPS) is established
     Apache/mod_ssl has to negotiate the SSL protocol parameters with the
     client. For this, mod_ssl has to consult the configuration of the virtual
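Review bot: dated wording in the context of this hunk, at `certificate/key pair). Modern browsers like NS or IE can only` and the following line: "NS" (Netscape) and "IE" as the examples of "modern browsers" read as stale in a 2011 revision, and the claim that browsers "can only communicate over SSL using RSA ciphers" is tied to those specific products. Since the lines are being touched anyway, rewording to something like "mainstream browsers" without naming products would keep the advice (generate an RSA key pair) without the dated justification.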
@@ -596,7 +596,7 @@ error when connecting to my newly instal
     certificate, etc.). But in order to go to the correct virtual server
     Apache has to know the <code>Host</code> HTTP header field. To do this, the
     HTTP request header has to be read. This cannot be done before the SSL
-    handshake is finished, but the information is needed in order to 
+    handshake is finished, but the information is needed in order to
     complete the SSL handshake phase. See the next question for how to
     circumvent this issue.</p>
 </section>
@@ -615,12 +615,12 @@ Virtual Hosting to identify different SS
     specification added, called Server Name Indication (SNI).</p>
 
     <p>The reason is that the SSL protocol is a separate layer which
-    encapsulates the HTTP protocol. So the SSL session is a separate 
-    transaction, that takes place before the HTTP session has begun. 
-    The server receives an SSL request on IP address X and port Y 
-    (usually 443). Since the SSL request did not contain any Host: 
+    encapsulates the HTTP protocol. So the SSL session is a separate
+    transaction, that takes place before the HTTP session has begun.
+    The server receives an SSL request on IP address X and port Y
+    (usually 443). Since the SSL request did not contain any Host:
     field, the server had no way to decide which SSL virtual host to use.
-    Usually, it just used the first one it found which matched the 
+    Usually, it just used the first one it found which matched the
     port and IP address specified.</p>
 
     <p>If you are using a version of the web server and OpenSSL that
@@ -629,19 +629,19 @@ Virtual Hosting to identify different SS
     web server can select the correct SSL virtual host.</p>
 
     <p>You can, of course, use Name-Based Virtual Hosting to identify many
-    non-SSL virtual hosts (all on port 80, for example) and then 
+    non-SSL virtual hosts (all on port 80, for example) and then
     have a single SSL virtual host (on port 443). But if you do this,
     you must make sure to put the non-SSL port number on the NameVirtualHost
-    directive, e.g.</p> 
+    directive, e.g.</p>
 
     <example>
       NameVirtualHost 192.168.1.1:80
     </example>
-    
+
     <p>Other workaround solutions include: </p>
 
-    <p>Using separate IP addresses for different SSL hosts. 
-    Using different port numbers for different SSL hosts.</p> 
+    <p>Using separate IP addresses for different SSL hosts.
+    Using different port numbers for different SSL hosts.</p>
 </section>
 
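Review bot: presentation point in the context of this hunk, at `<p>Other workaround solutions include: </p>` followed by `<p>Using separate IP addresses for different SSL hosts.` / `Using different port numbers for different SSL hosts.</p>`: two alternatives are run together into one paragraph after a colon. A `<ul>` with one `<li>` per workaround would match how the rest of the FAQ lists options and read more clearly.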
 <section id="comp"><title>How do I get SSL compression working?</title>
@@ -655,50 +655,50 @@ it will be used. However, most clients s
 SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms
 in its handshake, compression cannot be negotiated with these clients.
 If the client disables support for SSLv2, either an SSLv3 or TLS Hello
-may be sent, depending on which SSL library is used, and compression may 
-be set up. You can verify whether clients make use of SSL compression by 
+may be sent, depending on which SSL library is used, and compression may
+be set up. You can verify whether clients make use of SSL compression by
 logging the <code>%{SSL_COMPRESS_METHOD}x</code> variable.
 </p>
 </section>
 
-<section id="lockicon"><title>When I use Basic Authentication over HTTPS 
-the lock icon in Netscape browsers stays unlocked when the dialog pops up. 
+<section id="lockicon"><title>When I use Basic Authentication over HTTPS
+the lock icon in Netscape browsers stays unlocked when the dialog pops up.
 Does this mean the username/password is being sent unencrypted?</title>
 <p>No, the username/password is transmitted encrypted. The icon in
     Netscape browsers is not actually synchronized with the SSL/TLS layer.
-    It only toggles to the locked state when the first part of the actual 
-    webpage data is transferred, which may confuse people. The Basic 
-    Authentication facility is part of the HTTP layer, which is above 
-    the SSL/TLS layer in HTTPS. Before any HTTP data communication takes 
-    place in HTTPS, the SSL/TLS layer has already completed its handshake 
+    It only toggles to the locked state when the first part of the actual
+    webpage data is transferred, which may confuse people. The Basic
+    Authentication facility is part of the HTTP layer, which is above
+    the SSL/TLS layer in HTTPS. Before any HTTP data communication takes
+    place in HTTPS, the SSL/TLS layer has already completed its handshake
     phase, and switched to encrypted communication. So don't be
     confused by this icon.</p>
 </section>
 
-<section id="msie"><title>Why do I get I/O errors when connecting via 
+<section id="msie"><title>Why do I get I/O errors when connecting via
 HTTPS to an Apache+mod_ssl server with older versions of Microsoft Internet
 Explorer (MSIE)?</title>
 <p>The first reason is that the SSL implementation in some MSIE versions has
     some subtle bugs related to the HTTP keep-alive facility and the SSL close
     notify alerts on socket connection close. Additionally the interaction
-    between SSL and HTTP/1.1 features are problematic in some MSIE versions. 
-    You can work around these problems by forcing Apache not to use HTTP/1.1, 
-    keep-alive connections or send the SSL close notify messages to MSIE clients. 
-    This can be done by using the following directive in your SSL-aware 
+    between SSL and HTTP/1.1 features are problematic in some MSIE versions.
+    You can work around these problems by forcing Apache not to use HTTP/1.1,
+    keep-alive connections or send the SSL close notify messages to MSIE clients.
+    This can be done by using the following directive in your SSL-aware
     virtual host section:</p>
     <example>
     SetEnvIf User-Agent "MSIE [2-5]" \<br />
              nokeepalive ssl-unclean-shutdown \<br />
              downgrade-1.0 force-response-1.0
     </example>
-    <p>Further, some MSIE versions have problems with particular ciphers. 
-    Unfortunately, it is not possible to implement a MSIE-specific 
-    workaround for this, because the ciphers are needed as early as the 
-    SSL handshake phase. So a MSIE-specific 
-    <directive module="mod_setenvif">SetEnvIf</directive> won't solve these 
+    <p>Further, some MSIE versions have problems with particular ciphers.
+    Unfortunately, it is not possible to implement a MSIE-specific
+    workaround for this, because the ciphers are needed as early as the
+    SSL handshake phase. So a MSIE-specific
+    <directive module="mod_setenvif">SetEnvIf</directive> won't solve these
     problems. Instead, you will have to make more drastic
     adjustments to the global parameters. Before you decide to do
-    this, make sure your clients really have problems. If not, do not 
+    this, make sure your clients really have problems. If not, do not
     make these changes - they will affect <em>all</em> your clients, MSIE
     or otherwise.</p>
 </section>
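Review bot: the context line 'an array of prefered compression algorithms' keeps its misspelling ('preferred') even though the lines around it are being rewritten; worth fixing in the same commit. Further down in the same hunk, 'forcing Apache not to use HTTP/1.1, keep-alive connections or send the SSL close notify messages to MSIE clients' is ambiguous about whether 'send' is under the 'not to'; 'not to use HTTP/1.1 or keep-alive connections, and not to send the SSL close-notify alert' states what nokeepalive, downgrade-1.0 and ssl-unclean-shutdown actually configure.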
@@ -708,11 +708,11 @@ Explorer (MSIE)?</title>
 
 <section id="support"><title>mod_ssl Support</title>
 <ul>
-<li><a href="#resources">What information resources are available in 
+<li><a href="#resources">What information resources are available in
 case of mod_ssl problems?</a></li>
-<li><a href="#contact">What support contacts are available in case of 
+<li><a href="#contact">What support contacts are available in case of
 mod_ssl problems?</a></li>
-<li><a href="#reportdetails">What information should I 
+<li><a href="#reportdetails">What information should I
 provide when writing a bug report?</a></li>
 <li><a href="#coredumphelp">I had a core dump, can you help me?</a></li>
 <li><a href="#backtrace">How do I get a backtrace, to help find the reason
@@ -734,10 +734,10 @@ for my core dump?</a></li>
     </dl>
 </section>
 
-<section id="contact"><title>What support contacts are available in case 
+<section id="contact"><title>What support contacts are available in case
 of mod_ssl problems?</title>
  <p>The following lists all support possibilities for mod_ssl, in order of
-         preference. Please go through these possibilities 
+         preference. Please go through these possibilities
          <em>in this order</em> - don't just pick the one you like the look of. </p>
     <ol>
 
@@ -775,22 +775,22 @@ provide when writing a bug report?</titl
 
     <dt>The details on how you built and installed Apache httpd and OpenSSL</dt>
     <dd>For this you can provide a logfile of your terminal session which shows
-    the configuration and install steps. If this is not possible, you 
+    the configuration and install steps. If this is not possible, you
     should at least provide the <program>configure</program> command line you used.
     </dd>
 
     <dt>In case of core dumps please include a Backtrace</dt>
     <dd>If your Apache httpd dumps its core, please attach
-    a stack-frame ``backtrace'' (see <a href="#backtrace">below</a> 
+    a stack-frame ``backtrace'' (see <a href="#backtrace">below</a>
     for information on how to get this). This information is required
     in order to find a reason for your core dump.
     </dd>
-    
+
     <dt>A detailed description of your problem</dt>
-    <dd>Don't laugh, we really mean it! Many problem reports don't 
+    <dd>Don't laugh, we really mean it! Many problem reports don't
     include a description of what the actual problem is. Without this,
-    it's very difficult for anyone to help you. So, it's in your own 
-    interest (you want the problem be solved, don't you?) to include as 
+    it's very difficult for anyone to help you. So, it's in your own
+    interest (you want the problem be solved, don't you?) to include as
     much detail as possible, please. Of course, you should still include
     all the essentials above too.
     </dd>
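Review bot: the rewritten line 'interest (you want the problem be solved, don't you?)' still carries the grammatical slip; since the line is being touched anyway, 'you want the problem to be solved' would finish the job.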
@@ -805,7 +805,7 @@ provide when writing a bug report?</titl
     fixing it.</p>
 </section>
 
-<section id="backtrace"><title>How do I get a backtrace, to help find 
+<section id="backtrace"><title>How do I get a backtrace, to help find
 the reason for my core dump?</title>
 <p>Following are the steps you will need to complete, to get a backtrace:</p>
     <ol>
@@ -819,7 +819,7 @@ the reason for my core dump?</title>
         want to use a directive like ``<code>CoreDumpDirectory /tmp</code>'' to
         make sure that the core-dump file can be written. This should result
         in a <code>/tmp/core</code> or <code>/tmp/httpd.core</code> file. If you
-        don't get one of these, try running your server under a non-root UID. 
+        don't get one of these, try running your server under a non-root UID.
         Many modern kernels do not allow a process to dump core after it has
         done a <code>setuid()</code> (unless it does an <code>exec()</code>) for
         security reasons (there can be privileged information left over in
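Review bot: the advice 'CoreDumpDirectory /tmp' in this hunk sends the core of an SSL-enabled server to a shared, world-writable directory, and the next sentence of the same hunk explains why that matters: the children are forked from a parent that has already loaded the private key, so the 'privileged information left over in memory' includes that key and any live session keys, and all of it ends up in the core file. Suggest pointing at a dedicated directory writable only by the User httpd runs as (for example mode 0700, owned by that user), and adding a sentence telling the reporter to keep the core private and attach only the backtrace, which is what the bug-report checklist above already asks for.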
@@ -828,9 +828,9 @@ the reason for my core dump?</title>
     </li>
 
     <li>Analyze the core-dump. For this, run <code>gdb /path/to/httpd
-        /tmp/httpd.core</code> or a similar command. In GDB, all you 
+        /tmp/httpd.core</code> or a similar command. In GDB, all you
         have to do then is to enter <code>bt</code>, and voila, you get the
-        backtrace. For other debuggers consult your local debugger manual. 
+        backtrace. For other debuggers consult your local debugger manual.
     </li>
     </ol>
 </section>

Modified: httpd/httpd/trunk/docs/manual/ssl/ssl_howto.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/ssl/ssl_howto.xml?rev=1174747&r1=1174746&r2=1174747&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/ssl/ssl_howto.xml (original)
+++ httpd/httpd/trunk/docs/manual/ssl/ssl_howto.xml Fri Sep 23 13:36:39 2011
@@ -57,7 +57,7 @@ following directives.</p>
 <title>Cipher Suites and Enforcing Strong Security</title>
 <ul>
 <li><a href="#onlystrong">How can I create an SSL server which accepts strong encryption only?</a></li>
-<li><a href="#strongurl">How can I create an SSL server which accepts all types of ciphers in general, but 
+<li><a href="#strongurl">How can I create an SSL server which accepts all types of ciphers in general, but
 requires a strong cipher for access to a particular URL?</a></li>
 </ul>
 
@@ -88,8 +88,8 @@ only?</title>
 in general, but requires a strong ciphers for access to a particular
 URL?</title>
     <p>Obviously, a server-wide <directive
-    module="mod_ssl">SSLCipherSuite</directive> which restricts 
-    ciphers to the strong variants, isn't the answer here. However, 
+    module="mod_ssl">SSLCipherSuite</directive> which restricts
+    ciphers to the strong variants, isn't the answer here. However,
     <module>mod_ssl</module> can be reconfigured within <code>Location</code>
     blocks, to give a per-directory solution, and can automatically force
     a renegotiation of the SSL parameters to meet the new configuration.
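Review bot: the title line 'requires a strong ciphers for access to a particular URL' in this hunk has 'a strong ciphers' (should be 'a strong cipher'); the index entry for the same section at the top of this file already uses the singular, so the two are inconsistent. Separately, the paragraph relies on mod_ssl forcing 'a renegotiation of the SSL parameters' when a Location tightens SSLCipherSuite; a sentence noting that this depends on the client supporting secure renegotiation (RFC 5746), and that mod_ssl will not renegotiate with clients lacking it unless SSLInsecureRenegotiation is switched on, would save readers from debugging failed requests on the restricted URL.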
@@ -112,7 +112,7 @@ URL?</title>
 <title>Client Authentication and Access Control</title>
 <ul>
 <li><a href="#allclients">How can I force clients to authenticate using certificates?</a></li>
-<li><a href="#arbitraryclients">How can I force clients to authenticate using certificates for a 
+<li><a href="#arbitraryclients">How can I force clients to authenticate using certificates for a
         particular URL, but still allow arbitrary clients to access the rest of the server?</a></li>
 <li><a href="#certauthenticate">How can I allow only clients who have certificates to access a
         particular URL, but allow all clients to access the rest of the server?</a></li>
@@ -165,14 +165,14 @@ Intranet website, for clients coming fro
     matches what you expect. Usually this means checking all or part of the
     Distinguished Name (DN), to see if it contains some known string.
     There are two ways to do this, using either <module>mod_auth_basic</module> or
-    <directive module="mod_ssl">SSLRequire</directive>.</p> 
-    
+    <directive module="mod_ssl">SSLRequire</directive>.</p>
+
     <p>The <module>mod_auth_basic</module> method is generally required when
     the certificates are completely arbitrary, or when their DNs have
     no common fields (usually the organisation, etc.). In this case,
     you should establish a password database containing <em>all</em>
     clients allowed, as follows:</p>
-    
+
     <example><title>httpd.conf</title><pre>
 SSLVerifyClient      none
 &lt;Directory /usr/local/apache2/htdocs/secure/area&gt;
@@ -190,11 +190,11 @@ AuthUserFile         /usr/local/apache2/
 Require              valid-user
 &lt;/Directory&gt;</pre>
     </example>
-    
+
     <p>The password used in this example is the DES encrypted string "password".
-    See the <directive module="mod_ssl">SSLOptions</directive> docs for more 
+    See the <directive module="mod_ssl">SSLOptions</directive> docs for more
     information.</p>
-    
+
     <example><title>httpd.passwd</title><pre>
 /C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
 /C=US/L=S.F./O=Snake Oil, Ltd./OU=CA/CN=Bar:xxj31ZMTZzkVA
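Review bot: the 'httpd.passwd' example in this hunk has both DNs sharing the same hash 'xxj31ZMTZzkVA', and the sentence above says why: with FakeBasicAuth every certificate-authenticated client is presented with the literal password 'password'. That makes the file a list of user names that anyone can log in as with a publicly known password, so the text should say plainly that this AuthUserFile must only ever be referenced from locations that also require a client certificate (SSLVerifyClient require together with FakeBasicAuth), never from an ordinary Basic-auth location, and that the DN strings here are user names, not secrets. Since the 'DES encrypted' line is rewritten by this pass anyway, it could also mention that an MD5 htpasswd hash of the same word 'password' works where crypt(3) DES is unavailable.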
@@ -227,10 +227,10 @@ SSLVerifyClient      none
 authentication or client certificates, for access to part of the
 Intranet website, for clients coming from the Internet? I still want to allow
 plain HTTP access for clients on the Intranet.</title>
-   
-   <p>These examples presume that clients on the Intranet have IPs in the range 
+
+   <p>These examples presume that clients on the Intranet have IPs in the range
    192.168.1.0/24, and that the part of the Intranet website you want to allow
-   internet access to is <code>/usr/local/apache2/htdocs/subarea</code>. 
+   internet access to is <code>/usr/local/apache2/htdocs/subarea</code>.
    This configuration should remain outside of your HTTPS virtual host, so
    that it applies to both HTTPS and HTTP.</p>
 

Modified: httpd/httpd/trunk/docs/manual/ssl/ssl_intro.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/ssl/ssl_intro.xml?rev=1174747&r1=1174746&r2=1174747&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/ssl/ssl_intro.xml (original)
+++ httpd/httpd/trunk/docs/manual/ssl/ssl_intro.xml Fri Sep 23 13:36:39 2011
@@ -41,7 +41,7 @@ intended to be a definitive guide to the
 specific techniques for managing certificates in an organization, or the
 important legal issues of patents and import and export restrictions.
 Rather, it is intended to provide a common background to <module
->mod_ssl</module> users by pulling together various concepts, definitions, 
+>mod_ssl</module> users by pulling together various concepts, definitions,
 and examples as a starting point for further exploration.</p>
 
 <p>The presented content is mainly derived, with the author's permission,
@@ -75,7 +75,7 @@ integrity, and authentication.</p>
     solution is to use a cryptographic algorithm, a technique that would
     transform her message into an encrypted form, unreadable until it is
     decrypted. Once in this form, the message can only be
-    decrypted by using a secret key. Without the key the message is useless: 
+    decrypted by using a secret key. Without the key the message is useless:
     good cryptographic algorithms make it so difficult
     for intruders to decode the original text that it isn't worth their
     effort.</p>
@@ -87,11 +87,11 @@ integrity, and authentication.</p>
     <dt>Conventional cryptography</dt>
     <dd>also known as symmetric cryptography, requires the sender and
     receiver to share a key: a secret piece of information that may be
-    used to encrypt or decrypt a message. As long as this key is kept 
-    secret, nobody other than the sender or recipient can read the message. 
+    used to encrypt or decrypt a message. As long as this key is kept
+    secret, nobody other than the sender or recipient can read the message.
     If Alice and the bank know a secret key, then they can send each other
     private messages. The task of sharing a key between sender and recipient
-    before communicating, while also keeping it secret from others, can be 
+    before communicating, while also keeping it secret from others, can be
     problematic.</dd>
 
     <dt>Public key cryptography</dt>
@@ -116,9 +116,9 @@ integrity, and authentication.</p>
     is still a concern that someone might modify her original message or
     substitute it with a different one, in order to transfer the money
     to themselves, for instance. One way of guaranteeing the integrity
-    of Alice's message is for her to create a concise summary of her 
-    message and send this to the bank as well. Upon receipt of the message, 
-    the bank creates its own summary and compares it with the one Alice 
+    of Alice's message is for her to create a concise summary of her
+    message and send this to the bank as well. Upon receipt of the message,
+    the bank creates its own summary and compares it with the one Alice
     sent. If the summaries are the same then the message has been received
     intact.</p>
 
@@ -126,10 +126,10 @@ integrity, and authentication.</p>
     function</em> or <em>hash function</em>. Message digests are used to create
     a short, fixed-length representation of a longer, variable-length message.
     Digest algorithms are designed to produce a unique digest for each
-    message. Message digests are designed to make it impractically difficult 
-    to determine the message from the digest and (in theory) impossible to 
-    find two different messages which create the same digest -- thus 
-    eliminating the possibility of substituting one message for another while 
+    message. Message digests are designed to make it impractically difficult
+    to determine the message from the digest and (in theory) impossible to
+    find two different messages which create the same digest -- thus
+    eliminating the possibility of substituting one message for another while
     maintaining the same digest.</p>
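Review bot: '(in theory) impossible to find two different messages which create the same digest' in this hunk states the property backwards: the digest is fixed-length and messages are not, so collisions always exist; what a good hash gives is that finding one is computationally infeasible, and that guarantee is per-algorithm and erodes over time (MD5 collisions are practical). Since the whitespace fix already rewrites this line, 'computationally infeasible to find two different messages' would be the honest wording, and 'produce a unique digest for each message' in the context line above should be softened the same way.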
 
     <p>Another challenge that Alice faces is finding a way to send the digest
@@ -137,8 +137,8 @@ integrity, and authentication.</p>
     be compromised and with it the possibility for the bank to determine the
     integrity of the original message. Only if the digest is sent securely can
     the integrity of the associated message be determined.</p>
-    
-    <p>One way to send the digest securely is to include it in a digital 
+
+    <p>One way to send the digest securely is to include it in a digital
     signature.</p>
 </section>
 
@@ -168,7 +168,7 @@ the bank from a fraudulent claim from Al
 <p>Although Alice could have sent a private message to the bank, signed
 it and ensured the integrity of the message, she still needs to be sure
 that she is really communicating with the bank. This means that she needs
-to be sure that the public key she is using is part of the bank's key-pair, 
+to be sure that the public key she is using is part of the bank's key-pair,
 and not an intruder's. Similarly, the bank needs to verify that the message
 signature really was signed by the private key that belongs to Alice.</p>
 
@@ -257,7 +257,7 @@ certificates are used for authentication
     distinguished field names are optional and which are required. It
     may also place requirements upon the field contents, as may users of
     certificates. For example, a Netscape browser requires that the
-    Common Name for a certificate representing a server matches a wildcard 
+    Common Name for a certificate representing a server matches a wildcard
     pattern for the domain name of that server, such
     as <code>*.snakeoil.com</code>.</p>
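Review bot: the example of a Netscape browser checking the Common Name against a wildcard pattern describes host-name matching by CN only; when a certificate carries a subjectAltName extension with dNSName entries, HTTPS clients are required to use those (RFC 2818, section 3.1) and fall back to the CN only in their absence. Since this hunk rewrites the CN line, a short clause saying that server names belong in subjectAltName, and that a wildcard matches a single label only, would keep the intro from steering people toward CN-only certificates.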
 
@@ -300,9 +300,9 @@ dUHzICxBVC1lnHyYGjDuAMhe396lYAn8bCld1/L4
 <title>Certificate Authorities</title>
     <p>By verifying the information in a certificate request
     before granting the certificate, the Certificate Authority assures
-    itself of the identity of the private key owner of a key-pair. 
-    For instance, if Alice requests a personal certificate, the 
-    Certificate Authority must first make sure that Alice really is the 
+    itself of the identity of the private key owner of a key-pair.
+    For instance, if Alice requests a personal certificate, the
+    Certificate Authority must first make sure that Alice really is the
     person the certificate request claims she is.</p>
 
     <section id="certificatechains">
@@ -356,17 +356,17 @@ dUHzICxBVC1lnHyYGjDuAMhe396lYAn8bCld1/L4
         they also manage them -- that is, they determine for how long
         certificates remain valid, they renew them and keep lists of
         certificates that were issued in the past but are no longer valid
-        (Certificate Revocation Lists, or CRLs).</p> 
+        (Certificate Revocation Lists, or CRLs).</p>
 
-        <p>For example, if Alice is entitled to a certificate as an 
+        <p>For example, if Alice is entitled to a certificate as an
         employee of a company but has now left
         that company, her certificate may need to be revoked.
         Because certificates are only issued after the subject's identity has
-        been verified and can then be passed around to all those with whom 
-        the subject may communicate, it is impossible to tell from the 
-        certificate alone that it has been revoked. 
-        Therefore when examining certificates for validity 
-        it is necessary to contact the issuing Certificate Authority to 
+        been verified and can then be passed around to all those with whom
+        the subject may communicate, it is impossible to tell from the
+        certificate alone that it has been revoked.
+        Therefore when examining certificates for validity
+        it is necessary to contact the issuing Certificate Authority to
         check CRLs -- this is usually not an automated part of the process.</p>
 
         <note><title>Note</title>
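Review bot: 'this is usually not an automated part of the process' at the end of this hunk is stale for the server this manual documents: mod_ssl checks client certificates against CRLs configured with SSLCARevocationFile or SSLCARevocationPath, and trunk also has OCSP-based checking via SSLOCSPEnable, so the check is automated once it is configured. Suggest rewording to say that revocation is only detected when the verifier is configured to apply the CA's CRL or to query OCSP, and that a certificate passing signature and validity-period checks is otherwise accepted even after revocation, which is the practical warning the reader needs.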
@@ -433,14 +433,14 @@ establishing a protocol session.</p>
     </table>
 </section>
 
-<p>There are a number of versions of the SSL protocol, as shown in 
+<p>There are a number of versions of the SSL protocol, as shown in
 <a href="#table4">Table 4</a>. As noted there, one of the benefits in
 SSL 3.0 is that it adds support of certificate chain loading. This feature
 allows a server to pass a server certificate along with issuer certificates
 to the browser. Chain loading also permits the browser to validate the
 server certificate, even if Certificate Authority certificates are not
 installed for the intermediate issuers, since they are included in the
-certificate chain. SSL 3.0 is the basis for the Transport Layer Security 
+certificate chain. SSL 3.0 is the basis for the Transport Layer Security
 [<a href="#TLS1">TLS</a>] protocol standard, currently in development by
 the Internet Engineering Task Force (IETF).</p>
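Review bot: 'the Transport Layer Security [TLS] protocol standard, currently in development by the Internet Engineering Task Force (IETF)' in this hunk is badly dated: TLS 1.0 was published as RFC 2246 in 1999, TLS 1.1 as RFC 4346 in 2006 and TLS 1.2 as RFC 5246 in 2008. Since the line is being rewritten anyway, 'standardised by the IETF as TLS' with the current RFC would stop readers concluding that SSL 3.0 is the latest version, and the table this paragraph refers to should list the TLS versions mod_ssl actually negotiates alongside the SSL ones.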
 
@@ -506,14 +506,14 @@ the Internet Engineering Task Force (IET
 
     <p>One variable in the choice of key exchange methods is digital
     signatures -- whether or not to use them, and if so, what kind of
-    signatures to use. Signing with a private key provides protection 
+    signatures to use. Signing with a private key provides protection
     against a man-in-the-middle-attack during the information exchange
     used to generating the shared key [<a href="#AC96">AC96</a>, p516].</p>
 </section>
 
 <section id="ciphertransfer">
 <title>Cipher for Data Transfer</title>
-    <p>SSL uses conventional symmetric cryptography, as described earlier, 
+    <p>SSL uses conventional symmetric cryptography, as described earlier,
     for encrypting messages in a session.
     There are nine choices of how to encrypt, including the option not to
     encrypt:</p>
@@ -539,8 +539,8 @@ the Internet Engineering Task Force (IET
     portion of the previously encrypted cipher text is used in the
     encryption of the current block. "DES" refers to the Data Encryption
     Standard [<a href="#AC96">AC96</a>, ch12], which has a number of
-    variants (including DES40 and 3DES_EDE). "Idea" is currently one of 
-    the best and cryptographically strongest algorithms available, 
+    variants (including DES40 and 3DES_EDE). "Idea" is currently one of
+    the best and cryptographically strongest algorithms available,
     and "RC2" is a proprietary algorithm from RSA DSI [<a href="#AC96"
     >AC96</a>, ch13].</p>
 </section>
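Review bot: '"Idea" is currently one of the best and cryptographically strongest algorithms available' in this hunk, together with the DES40 and RC2 choices around it, predates AES (FIPS 197, 2001), which is the block cipher modern TLS deployments use, while DES40 and single DES are export-grade and breakable. This pass rewrites the sentence anyway; it would be the moment to drop the 'currently' claim and point readers to the SSLCipherSuite documentation for the suites that matter, rather than leave IDEA as the recommendation.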
@@ -589,7 +589,7 @@ the Internet Engineering Task Force (IET
 
     <p>The encapsulation of SSL control protocols by the record protocol
     means that if an active session is renegotiated the control protocols
-    will be transmitted securely. If there was no previous session,    
+    will be transmitted securely. If there was no previous session,
     the Null cipher suite is used, which means there will be no encryption and
     messages will have no integrity digests, until the session has been
     established.</p>
@@ -617,8 +617,8 @@ the Internet Engineering Task Force (IET
 <title>Securing HTTP Communication</title>
     <p>One common use of SSL is to secure Web HTTP communication between
     a browser and a webserver. This does not preclude the use of
-    non-secured HTTP - the secure version (called HTTPS) is the same as 
-    plain HTTP over SSL, but uses the URL scheme <code>https</code> 
+    non-secured HTTP - the secure version (called HTTPS) is the same as
+    plain HTTP over SSL, but uses the URL scheme <code>https</code>
     rather than <code>http</code>, and a different server port (by default,
     port 443). This functionality is a large part of what <module
     >mod_ssl</module> provides for the Apache webserver.</p>
@@ -650,7 +650,7 @@ href="http://www.itu.int/rec/recommendat
 </dd>
 
 <dt><a id="PKCS" name="PKCS">[PKCS]</a></dt>
-<dd><q>Public Key Cryptography Standards (PKCS)</q>, 
+<dd><q>Public Key Cryptography Standards (PKCS)</q>,
 RSA Laboratories Technical Notes, See <a
 href="http://www.rsasecurity.com/rsalabs/pkcs/"
 >http://www.rsasecurity.com/rsalabs/pkcs/</a>.</dd>

Modified: httpd/httpd/trunk/docs/manual/stopping.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/stopping.xml?rev=1174747&r1=1174746&r2=1174747&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/stopping.xml (original)
+++ httpd/httpd/trunk/docs/manual/stopping.xml Fri Sep 23 13:36:39 2011
@@ -116,7 +116,7 @@
     been created, then create enough to pick up the slack. Hence the
     code tries to maintain both the number of children appropriate for
     the current load on the server, and respect your wishes with the
-    <directive module="mpm_common">StartServers</directive> 
+    <directive module="mpm_common">StartServers</directive>
     parameter.</p>
 
     <p>Users of <module>mod_status</module>
@@ -147,7 +147,7 @@
     ensure that there are no errors in the configuration files.
     If your configuration file has errors in it, you will get an
     error message about that syntax error, and the server will refuse to
-    restart. This avoids the situation where the server halts and then 
+    restart. This avoids the situation where the server halts and then
     cannot restart, leaving you with a non-functioning server.</p>
 
     <p>This still will not
@@ -192,35 +192,35 @@ syntax error(s).</note>
     <p>The <code>WINCH</code> or <code>graceful-stop</code> signal causes
     the parent process to <em>advise</em> the children to exit after
     their current request (or to exit immediately if they're not
-    serving anything). The parent will then remove its <directive 
+    serving anything). The parent will then remove its <directive
     module="mpm_common">PidFile</directive> and cease listening on
     all ports. The parent will continue to run, and monitor children
     which are handling requests. Once all children have finalised
-    and exited or the timeout specified by the <directive 
+    and exited or the timeout specified by the <directive
     module="mpm_common">GracefulShutdownTimeout</directive> has been
     reached, the parent will also exit.  If the timeout is reached,
     any remaining children will be sent the <code>TERM</code> signal
     to force them to exit.</p>
-    
-    <p>A <code>TERM</code> signal will immediately terminate the 
+
+    <p>A <code>TERM</code> signal will immediately terminate the
     parent process and all children when in the "graceful" state. However
     as the <directive module="mpm_common">PidFile</directive> will
-    have been removed, you will not be able to use 
+    have been removed, you will not be able to use
     <code>apachectl</code> or <code>httpd</code> to send this signal.</p>
 
     <note><p>The <code>graceful-stop</code> signal allows you to run multiple
-    identically configured instances of <program>httpd</program> at the 
-    same time. This is a powerful feature when performing graceful 
-    upgrades of httpd, however it can also cause deadlocks and race 
-    conditions with some configurations.</p> 
+    identically configured instances of <program>httpd</program> at the
+    same time. This is a powerful feature when performing graceful
+    upgrades of httpd, however it can also cause deadlocks and race
+    conditions with some configurations.</p>
 
     <p>Care has been taken to ensure that on-disk files such as lock files
     (<directive module="core">Mutex</directive>) and Unix socket files
     (<directive module="mod_cgid">ScriptSock</directive>) contain the server
     PID, and should coexist without problem. However, if a configuration
-    directive, third-party module or persistent CGI utilises any other on-disk 
-    lock or  state files, care should be taken to ensure that multiple running 
-    instances of <program>httpd</program> do not clobber each other's files.</p> 
+    directive, third-party module or persistent CGI utilises any other on-disk
+    lock or  state files, care should be taken to ensure that multiple running
+    instances of <program>httpd</program> do not clobber each other's files.</p>
 
     <p>You should also be wary of other potential race conditions, such as
     using <program>rotatelogs</program> style piped logging. Multiple running

Modified: httpd/httpd/trunk/docs/manual/style/lang/de.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/style/lang/de.xml?rev=1174747&r1=1174746&r2=1174747&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/style/lang/de.xml (original)
+++ httpd/httpd/trunk/docs/manual/style/lang/de.xml Fri Sep 23 13:36:39 2011
@@ -108,7 +108,7 @@
 
         <!-- Used for glossary link titles -->
         <message id="glossarylink">siehe Glossar</message>
-        
+
         <!-- Used in headers and footers -->
         <message id="apachetitle">- Apache HTTP Server</message>
         <message id="apachehttpserver">Apache HTTP Server Version

Modified: httpd/httpd/trunk/docs/manual/style/lang/fr.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/style/lang/fr.xml?rev=1174747&r1=1174746&r2=1174747&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/style/lang/fr.xml (original)
+++ httpd/httpd/trunk/docs/manual/style/lang/fr.xml Fri Sep 23 13:36:39 2011
@@ -136,7 +136,7 @@
         <message id="before-license">Autoris&#233; sous</message>
         <message id="after-license"></message>
         <message id="langavail">Langues Disponibles</message>
- 
+
         <!-- not up to date -->
         <message id="outofdate">Cette traduction peut &#234;tre p&#233;rim&#233;e. V&#233;rifiez la version
             anglaise pour les changements r&#233;cents.</message>

Modified: httpd/httpd/trunk/docs/manual/style/lang/pt-br.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/style/lang/pt-br.xml?rev=1174747&r1=1174746&r2=1174747&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/style/lang/pt-br.xml (original)
+++ httpd/httpd/trunk/docs/manual/style/lang/pt-br.xml Fri Sep 23 13:36:39 2011
@@ -133,9 +133,9 @@
         <message id="before-license">Licenciado sob a</message>
         <message id="after-license"></message>
         <message id="langavail">L&#237;nguas Dispon&#237;veis</message>
- 
+
         <!-- not up to date -->
-        <message id="outofdate">Esta tradu&#231;&#227;o pode estar desatualizada. 
+        <message id="outofdate">Esta tradu&#231;&#227;o pode estar desatualizada.
         Confira a vers&#227;o em Ingl&#234;s para mudan&#231;as recentes.</message>
         <!-- directive not translated yet -->
         <message id="nottranslated">The documentation for this directive has
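Review bot: the trailing space stripped from the `outofdate` line sits inside element text content, not between elements, so the value of the message string itself changes (the first line of the text now ends at `desatualizada.` directly before the newline). This is harmless because the continuation line starts with whitespace and the string is rendered as HTML, where runs of whitespace collapse, but whitespace-only cleanups inside `<message>` bodies are worth a second look since some of these strings may be emitted into `title` attributes or `<code>` contexts where whitespace is kept verbatim.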

Modified: httpd/httpd/trunk/docs/manual/upgrading.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/upgrading.xml?rev=1174747&r1=1174746&r2=1174747&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/upgrading.xml (original)
+++ httpd/httpd/trunk/docs/manual/upgrading.xml Fri Sep 23 13:36:39 2011
@@ -57,7 +57,7 @@
     found in <code>build/config.nice</code> in the installed server
     directory) can be used in most cases.  There are some changes in
     the default settings.  Some details of changes:</p>
-    
+
     <ul>
       <li>These modules have been removed: mod_authn_default,
       mod_authz_default, mod_mem_cache.  If you were using

Modified: httpd/httpd/trunk/docs/manual/vhosts/details.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/vhosts/details.xml?rev=1174747&r1=1174746&r2=1174747&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/vhosts/details.xml (original)
+++ httpd/httpd/trunk/docs/manual/vhosts/details.xml Fri Sep 23 13:36:39 2011
@@ -69,7 +69,7 @@
     <p>The address can be specified as
     <code>*</code>, which will match a request if no
     other vhost has the explicit address on which the request was
-    received. </p> 
+    received. </p>
 
     <p>The address appearing in the <code>VirtualHost</code>
     directive can have an optional port. If the port is unspecified,
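Review bot: the changed line keeps the space inside the paragraph, `received. </p>`, while only the whitespace after `</p>` is dropped; if the intent is whitespace cleanup, the space before the closing tag should go as well, giving `received.</p>`.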
@@ -83,9 +83,9 @@
     Use the <directive module="core">Listen</directive> directive to
     control the addresses and ports on which the server listens.)
     </p>
-    
+
     <p>Collectively the
-    entire set of addresses (including multiple 
+    entire set of addresses (including multiple
     results from DNS lookups) are called the vhost's
     <em>address set</em>.</p>
 
@@ -94,7 +94,7 @@
     whenever the most specific match for an IP address and port combination
     is listed in multiple virtual hosts.</p>
 
-    <p>The 
+    <p>The
     <directive module="core">ServerName</directive> directive
     may appear anywhere within the definition of a server. However,
     each appearance overrides the previous appearance (within that
@@ -195,7 +195,7 @@
 
     <p>If there are multiple <code>VirtualHost</code> directives listing
     the IP address and port combination that was determined to be the
-    best match, the "list" in the remaining steps refers to the list of vhosts 
+    best match, the "list" in the remaining steps refers to the list of vhosts
     that matched, in the order they were in the configuration file.</p>
 
     <p>If the connection is using SSL, the server supports <glossary
@@ -272,11 +272,11 @@
       the client sent the request.</li>
 
       <li>If two vhosts have an address in common, those common addresses
-      act as name-based virtual hosts implicitly.  This is new behavior as of 
+      act as name-based virtual hosts implicitly.  This is new behavior as of
       2.3.11.</li>
 
       <li>The main server is only used to serve a request if the IP
-      address and port number to which the client connected 
+      address and port number to which the client connected
       does not match any vhost (including a
       <code>*</code> vhost). In other words, the main server
       only catches a request for an unspecified address/port

Modified: httpd/httpd/trunk/docs/manual/vhosts/fd-limits.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/vhosts/fd-limits.xml?rev=1174747&r1=1174746&r2=1174747&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/vhosts/fd-limits.xml (original)
+++ httpd/httpd/trunk/docs/manual/vhosts/fd-limits.xml Fri Sep 23 13:36:39 2011
@@ -48,7 +48,7 @@
 
       <li>The number of file descriptors required exceeds the hard
       limit.</li>
-      
+
       <li>Your system imposes other limits on file descriptors,
       such as a limit on stdio streams only using file descriptors
       below 256. (Solaris 2)</li>

Modified: httpd/httpd/trunk/docs/manual/vhosts/ip-based.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/vhosts/ip-based.xml?rev=1174747&r1=1174746&r2=1174747&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/vhosts/ip-based.xml (original)
+++ httpd/httpd/trunk/docs/manual/vhosts/ip-based.xml Fri Sep 23 13:36:39 2011
@@ -52,7 +52,7 @@ Virtual Hosts</a> to help you decide.  <
     most commonly used to set them up), and/or using multiple
     port numbers.</p>
 
-    <p> In the terminology of Apache HTTP Server, using a single IP address 
+    <p> In the terminology of Apache HTTP Server, using a single IP address
     but multiple TCP ports, is also IP-based virtual hosting.</p>
 
 </section>
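Review bot: the changed line still carries a leading space after the opening tag, `<p> In the terminology of Apache HTTP Server, using a single IP address`, and the comma after `multiple TCP ports` on the next line separates the subject from its verb. Since the line is being touched anyway, suggest `<p>In the terminology of Apache HTTP Server, using a single IP address` followed by `but multiple TCP ports is also IP-based virtual hosting.</p>`.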
@@ -157,7 +157,7 @@ Virtual Hosts</a> to help you decide.  <
 
     <p> Specific IP addresses or ports have precedence over their wildcard
     equivalents, and any virtual host that matches has precedence over
-    the servers base configuration.</p> 
+    the servers base configuration.</p>
 
     <p>Almost <strong>any</strong> configuration directive can be
     put in the VirtualHost directive, with the exception of
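Review bot: `the servers base configuration` on the changed line needs the possessive, `the server's base configuration`; the leading space in `<p> Specific IP addresses` two lines above is the same stray-whitespace pattern this commit is otherwise cleaning up and could be folded into the same change.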

Modified: httpd/httpd/trunk/docs/manual/vhosts/mass.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/vhosts/mass.xml?rev=1174747&r1=1174746&r2=1174747&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/vhosts/mass.xml (original)
+++ httpd/httpd/trunk/docs/manual/vhosts/mass.xml Fri Sep 23 13:36:39 2011
@@ -82,7 +82,7 @@
     <p>The main disadvantage is that you cannot have a different log file for
     each virtual host; however, if you have many virtual hosts, doing
     this can be a bad idea anyway, because of the <a
-    href="fd-limits.html">number of file descriptors needed</a>. 
+    href="fd-limits.html">number of file descriptors needed</a>.
     It is better to <a href="../logs.html#piped">log to a pipe or a fifo</a>,
     and arrange for the process at the other end to split up the log
     files into one per virtual host. One example of such a process can
@@ -99,9 +99,9 @@
     in the HTTP request. The dynamic mass virtual hosting technique
     used here is based on automatically inserting this information into the
     pathname of the file that is used to satisfy the request. This
-    can be most easily done by using <module>mod_vhost_alias</module> 
-    with Apache httpd. Alternatively, 
-    <a href="../rewrite/vhosts.html">mod_rewrite can 
+    can be most easily done by using <module>mod_vhost_alias</module>
+    with Apache httpd. Alternatively,
+    <a href="../rewrite/vhosts.html">mod_rewrite can
     be used</a>.</p>
     <p>Both of these modules are disabled by default; you must enable
     one of them when configuring and building Apache httpd if you want to
@@ -263,7 +263,7 @@ LogFormat "%V %h %l %u %t \"%r\" %s %b" 
     <title>Note</title>
     <p>If the first VirtualHost block does <em>not</em> include a
     <directive module="core">ServerName</directive> directive, the reverse
-    DNS of the relevant IP will be used instead. 
+    DNS of the relevant IP will be used instead.
     If this is not the server name you
     wish to use, a bogus entry (eg. <code>ServerName
     none.example.com</code>) can be added to get around this

Modified: httpd/httpd/trunk/docs/manual/vhosts/name-based.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/vhosts/name-based.xml?rev=1174747&r1=1174746&r2=1174747&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/vhosts/name-based.xml (original)
+++ httpd/httpd/trunk/docs/manual/vhosts/name-based.xml Fri Sep 23 13:36:39 2011
@@ -39,8 +39,8 @@
     determine the correct virtual host to serve.  Therefore you need to
     have a separate IP address for each host.</p>
 
-    <p>With name-based virtual hosting, the server relies on the client to 
-    report the hostname as part of the HTTP headers.  Using this technique, 
+    <p>With name-based virtual hosting, the server relies on the client to
+    report the hostname as part of the HTTP headers.  Using this technique,
     many different hosts can share the same IP address.</p>
 
     <p>Name-based virtual hosting is usually simpler, since you need
@@ -67,19 +67,19 @@
     after narrowing down the candidates to the best IP-based match.  Using a wildcard (*)
     for the IP address in all of the VirtualHost directives makes this
     IP-based mapping irrelevant.</p>
-    
-    <p>When a request arrives, the server will find the best (most specific) matching  
+
+    <p>When a request arrives, the server will find the best (most specific) matching
     <directive type="section" module="core">VirtualHost</directive> argument based on
     the IP address and port used by the request.  If there is more than one virtual host
     containing this best-match address and port combination,  Apache will further
-    compare the <directive module="core" >ServerName</directive> and <directive 
+    compare the <directive module="core" >ServerName</directive> and <directive
     module="core">ServerAlias</directive>  directives to the server name
     present in the request.</p>
 
     <section id="defaultvhost"><title>The default name-based vhost for an IP and port combination </title>
-    <p> If no matching ServerName or ServerAlias is found in the set of 
-    virtual hosts containing the most specific matching IP address and port 
-    combination, then <strong>the first listed virtual host</strong> that 
+    <p> If no matching ServerName or ServerAlias is found in the set of
+    virtual hosts containing the most specific matching IP address and port
+    combination, then <strong>the first listed virtual host</strong> that
     matches that will be used.</p></section>
 </section>
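Review bot: the changed line `compare the <directive module="core" >ServerName</directive> and <directive` still has a stray space before `>` in the opening `directive` tag, and the same hunk leaves double spaces in `combination,  Apache` and `directives  to the server name` plus a leading space in `<p> If no matching ServerName`; suggest `<directive module="core">ServerName</directive>` and single spacing while these lines are being rewritten for whitespace anyway.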
 
@@ -112,11 +112,11 @@
         module="core">VirtualHost</directive> is handled by the global
         server configuration, regardless of the hostname or ServerName.</p>
 
-        <p> When you add a name-based virtual host to an existing server, and 
-        the virtual host arguments match preexisting IP and port combinations, 
+        <p> When you add a name-based virtual host to an existing server, and
+        the virtual host arguments match preexisting IP and port combinations,
         requests will now be handled by an explicit virtual host.  In this case,
         it's usually wise to create a <a href="#defaultvhost">default virtual host</a>
-        with a <directive module="core">ServerName</directive> matching that of 
+        with a <directive module="core">ServerName</directive> matching that of
         the base server.  New domains on the same interface and port, but
         requiring separate configurations,  can then be added as subsequent (non-default)
         virtual hosts.</p>
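Review bot: the changed line `<p> When you add a name-based virtual host to an existing server, and` keeps a leading space after the opening `<p>`, and the context line `requiring separate configurations,  can then be added` has a double space; suggest `<p>When you add a name-based virtual host to an existing server, and` and single spacing so the paragraph matches the cleanup being applied elsewhere in this commit.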