Posted to cvs@httpd.apache.org by jw...@apache.org on 2002/05/16 21:05:24 UTC
cvs commit: httpd-2.0/docs/manual/ssl ssl_faq.html
jwoolley 02/05/16 12:05:24
Modified: . CHANGES
docs/conf ssl-std.conf
docs/manual/ssl ssl_faq.html
Log:
The group consensus was that we're no longer supporting "make certificate,"
as test certificates just allow people who don't know what they're doing
to dig a bigger hole for themselves and don't really help anybody who
DOES know what they're doing much. So all of the documentation references
to "make certificate" are now removed.
PR: 8724
Revision Changes Path
1.775 +5 -0 httpd-2.0/CHANGES
Index: CHANGES
===================================================================
RCS file: /home/cvs/httpd-2.0/CHANGES,v
retrieving revision 1.774
retrieving revision 1.775
diff -u -d -u -r1.774 -r1.775
--- CHANGES 16 May 2002 06:09:12 -0000 1.774
+++ CHANGES 16 May 2002 19:05:23 -0000 1.775
@@ -1,5 +1,10 @@
Changes with Apache 2.0.37
+ *) Removed documentation references to the no-longer-supported
+ "make certificate" feature of mod_ssl for Apache 1.3.x. Test
+ certificates, if truly desired, can be generated using openssl
+ commands. PR 8724. [Cliff Woolley]
+
*) Remove SSLLog and SSLLogLevel directives in favor of having
mod_ssl use the standard ErrorLog directives. [Justin Erenkrantz]
1.9 +4 -5 httpd-2.0/docs/conf/ssl-std.conf
Index: ssl-std.conf
===================================================================
RCS file: /home/cvs/httpd-2.0/docs/conf/ssl-std.conf,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -d -u -r1.8 -r1.9
--- ssl-std.conf 16 May 2002 06:09:13 -0000 1.8
+++ ssl-std.conf 16 May 2002 19:05:24 -0000 1.9
@@ -107,11 +107,10 @@
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
-# pass phrase. Note that a kill -HUP will prompt again. A test
-# certificate can be generated with `make certificate' under
-# built time. Keep in mind that if you've both a RSA and a DSA
-# certificate you can configure both in parallel (to also allow
-# the use of DSA ciphers, etc.)
+# pass phrase. Note that a kill -HUP will prompt again. Keep
+# in mind that if you have both an RSA and a DSA certificate you
+# can configure both in parallel (to also allow the use of DSA
+# ciphers, etc.)
SSLCertificateFile @@ServerRoot@@/conf/ssl.crt/server.crt
#SSLCertificateFile @@ServerRoot@@/conf/ssl.crt/server-dsa.crt
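Review bot: with the `make certificate' sentence gone, this comment block no longer tells the administrator where a certificate for @@ServerRoot@@/conf/ssl.crt/server.crt is supposed to come from, while the CHANGES entry in this same commit says test certificates "can be generated using openssl commands". Consider adding one pointer line here, e.g. "# See the mod_ssl FAQ (docs/manual/ssl/ssl_faq.html) for how to create a certificate with openssl." so the shipped config stays self-explanatory. The wording fixes in the retained lines ("you have both an RSA and a DSA certificate") are good.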
1.5 +4 -35 httpd-2.0/docs/manual/ssl/ssl_faq.html
Index: ssl_faq.html
===================================================================
RCS file: /home/cvs/httpd-2.0/docs/manual/ssl/ssl_faq.html,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -u -r1.4 -r1.5
--- ssl_faq.html 17 Jan 2002 11:18:03 -0000 1.4
+++ ssl_faq.html 16 May 2002 19:05:24 -0000 1.5
@@ -87,7 +87,6 @@
<ul>
<li><a href="#ToC25">What are Keys, CSRs and Certs?</a></li>
<li><a href="#ToC26">Difference on startup?</a></li>
-<li><a href="#ToC27">How to create a dummy cert?</a></li>
<li><a href="#ToC28">How to create a real cert?</a></li>
<li><a href="#ToC29">How to create my own CA?</a></li>
<li><a href="#ToC30">How to change a pass phrase?</a></li>
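Review bot: removing the ToC27 entry here is only half of the link cleanup; the target anchors "ToC27" and "cert-dummy" are deleted in a later hunk of this file, so any other `<a href="#cert-dummy">` or `<a href="#ToC27">` that remains in ssl_faq.html (or in the other mod_ssl manual pages) will become a dangling link. A grep for `cert-dummy` and `ToC27` across docs/manual/ssl/ before committing would confirm nothing else references them.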
@@ -443,7 +442,6 @@
<strong id="faq">
When I fire up the server, mod_ssl stops with the error
"Failed to generate temporary 512 bit RSA private key", why?
-And a "PRNG not seeded" error occurs if I try "make certificate".
</strong>
[<a href="#entropy"><b>L</b></a>]
<p>
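Review bot: dropping the "And a 'PRNG not seeded' error occurs if I try 'make certificate'" sentence removes this question's only mention of that error string, but users who follow the new CHANGES advice and run openssl by hand on a host with no /dev/random can still get exactly that message from the openssl command. Consider keeping a reworded form such as "And a 'PRNG not seeded' error occurs when I generate a key with the openssl command." so the answer remains findable by searching for the error text.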
@@ -456,13 +454,8 @@
encryption. As of version 0.9.5, the OpenSSL functions that need
randomness report an error if the PRNG has not been seeded with
at least 128 bits of randomness. So mod_ssl has to provide enough
- entropy to the PRNG to work correctly. For this one has to use the
- <code>SSLRandomSeed</code> directives (to solve the run-time problem)
- and create a <code>$HOME/.rnd</code> file to make sure enough
- entropy is available also for the "<code>make certificate</code>"
- step (in case the "<code>make certificate</code>" procedure is not
- able to gather enough entropy theirself by searching for system
- files).
+ entropy to the PRNG to work correctly. For this one has to use the
+ <code>SSLRandomSeed</code> directives.
</ul>
<p>
<br>
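Review bot: the `$HOME/.rnd` advice being deleted here is still relevant after this commit, because the CHANGES entry now points users at openssl commands for test certificates and those commands have the same 128-bit seeding requirement described two lines above; suggest retaining one sentence along the lines of "If you generate keys with the openssl command, make sure a seed file such as $HOME/.rnd exists on systems without /dev/random." Minor: the first "+" line is identical to the first "-" line apart from whitespace, so the hunk re-adds a line it did not need to touch; re-emitting the diff without that change keeps the history cleaner.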
@@ -633,30 +626,6 @@
below under ``How can I get rid of the pass-phrase dialog at Apache
startup time?''.
<p>
-<li><a name="ToC27"></a>
- <a name="cert-dummy"></a>
- <strong id="faq">
-How can I create a dummy SSL server Certificate for testing purposes?
-</strong>
- [<a href="#cert-dummy"><b>L</b></a>]
- <p>
- A Certificate does not have to be signed by a public CA. You can use your
- private key to sign the Certificate which contains your public key. You
- can install this Certificate into your server, and people using Netscape
- Navigator (not MSIE) will be able to connect after clicking OK to a
- warning dialogue. You can get MSIE to work, and your customers can
- eliminate the dialogue, by installing that Certificate manually into their
- browsers.
- <p>
- Just use the ``<code>make certificate</code>'' command at the top-level
- directory of the Apache source tree right before installing Apache via
- ``<code>make install</code>''. This creates a self-signed SSL Certificate
- which expires after 30 days and isn't encrypted (which means you don't
- need to enter a pass-phrase at Apache startup time).
- <p>
- BUT REMEMBER: YOU REALLY HAVE TO CREATE A REAL CERTIFICATE FOR THE LONG
- RUN! HOW THIS IS DONE IS DESCRIBED IN THE NEXT ANSWER.
-<p>
<li><a name="ToC28"></a>
<a name="cert-real"></a>
<strong id="faq">
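Review bot: this removes, along with the `make certificate' instructions, the only explanation in the visible hunk of why a self-signed certificate produces a browser warning dialogue and how users can install it manually to suppress it, and the warning that a real certificate is needed "for the long run". Since the CHANGES entry still endorses generating test certificates with openssl, the following "How to create a real cert?" answer (ToC28) should either cover the self-signed case or a trimmed version of this paragraph should survive without the build-time reference; otherwise readers searching for "self-signed" or "dummy" certificate find nothing.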
@@ -1097,8 +1066,8 @@
Either you have messed up your <code>SSLCipherSuite</code>
directive (compare it with the pre-configured example in
<code>httpd.conf-dist</code>) or you have choosen the DSA/DH
- algorithms instead of RSA under "<code>make certificate</code>"
- and ignored or overseen the warnings. Because if you have choosen
+ algorithms instead of RSA when you generated your private key
+ and ignored or overlooked the warnings. If you have choosen
DSA/DH, then your server no longer speaks RSA-based SSL ciphers
(at least not until you also configure an additional RSA-based
certificate/key pair). But current browsers like NS or IE only speak
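Review bot: since the line is being rewritten anyway, fix the remaining typo on the changed "+" line ("If you have choosen" should read "If you have chosen"); the same misspelling is in the unchanged context line "or you have choosen the DSA/DH" and could be corrected in the same hunk. The rest of the rewording ("when you generated your private key", "overlooked") reads well and correctly drops the build-time reference.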