Posted to cvs@httpd.apache.org by ji...@apache.org on 2005/07/08 17:17:30 UTC

svn commit: r209811 - in /httpd/httpd/trunk/docs/manual: mod/mod_ssl.html.en mod/mod_ssl.xml ssl/ssl_faq.html.en

Author: jim
Date: Fri Jul  8 08:17:28 2005
New Revision: 209811

URL: http://svn.apache.org/viewcvs?rev=209811&view=rev
Log:
Fold in latest SSL doc changes

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
    httpd/httpd/trunk/docs/manual/ssl/ssl_faq.html.en

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en?rev=209811&r1=209810&r2=209811&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en Fri Jul  8 08:17:28 2005
@@ -108,6 +108,7 @@
 <tr><td><code>SSL_CIPHER_EXPORT</code></td>             <td>string</td>    <td><code>true</code> if cipher is an export cipher</td></tr>
 <tr><td><code>SSL_CIPHER_USEKEYSIZE</code></td>         <td>number</td>    <td>Number of cipher bits (actually used)</td></tr>
 <tr><td><code>SSL_CIPHER_ALGKEYSIZE</code></td>         <td>number</td>    <td>Number of cipher bits (possible)</td></tr>
+<tr><td><code>SSL_COMPRESS_METHOD</code></td>           <td>string</td>    <td>SSL compression method negotiated</td></tr>
 <tr><td><code>SSL_VERSION_INTERFACE</code></td>         <td>string</td>    <td>The mod_ssl program version</td></tr>
 <tr><td><code>SSL_VERSION_LIBRARY</code></td>           <td>string</td>    <td>The OpenSSL program version</td></tr>
 <tr><td><code>SSL_CLIENT_M_VERSION</code></td>          <td>string</td>    <td>The version of the client certificate</td></tr>
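Review bot: The new SSL_COMPRESS_METHOD row is added to mod_ssl.html.en only; the mod_ssl.xml diff in this commit carries just the `internal` session cache item, so if the HTML is regenerated from the XML source the row will disappear. Add the same row to the variable table in mod_ssl.xml. The description "SSL compression method negotiated" could also say what the variable holds when no compression was negotiated, since the FAQ entry added in this commit tells administrators to log it to verify compression.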
@@ -1530,6 +1531,13 @@
     will incur a noticeable speed penalty and may cause problems if
     using certain browsers, particularly if client certificates are
     enabled.  This setting is not recommended.</p></li>
+
+<li><code>internal</code>
+
+    <p>This disables any global/inter-process Session Cache.  However
+    it does allow OpenSSL to use its own internal session cache. This in
+    mainly useful in situations where a global cache cannot be used
+    but the client requires a non-null session ID.</p></li>
 
 <li><code>dbm:/path/to/datafile</code>
 
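Review bot: Typo in the third line of the new `internal` paragraph: "This in mainly useful" should read "This is mainly useful". The added blank line also sits before the new <li> here but after it in the mod_ssl.xml hunk, which suggests this file was edited by hand rather than regenerated; keeping the two in step avoids the text drifting apart.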

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=209811&r1=209810&r2=209811&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Fri Jul  8 08:17:28 2005
@@ -412,6 +412,13 @@
     using certain browsers, particularly if client certificates are
     enabled.  This setting is not recommended.</p></li>
 
+<li><code>internal</code>
+
+    <p>This disables any global/inter-process Session Cache.  However
+    it does allow OpenSSL to use its own internal session cache. This in
+    mainly useful in situations where a global cache cannot be used
+    but the client requires a non-null session ID.</p></li>
+
 <li><code>dbm:/path/to/datafile</code>
 
     <p>This makes use of a DBM hashfile on the local disk to
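Review bot: The `internal` description says the inter-process cache is disabled but leaves the operational consequence to the reader: with only OpenSSL's own cache, a session stored by one server process is not visible to the others, so a client resuming against a different process gets a full handshake. A sentence stating that would help administrators choose between `internal` and the other cache types. The "This in mainly useful" typo should be fixed here as well, since this is the source the HTML is built from.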

Modified: httpd/httpd/trunk/docs/manual/ssl/ssl_faq.html.en
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/ssl/ssl_faq.html.en?rev=209811&r1=209810&r2=209811&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/ssl/ssl_faq.html.en (original)
+++ httpd/httpd/trunk/docs/manual/ssl/ssl_faq.html.en Fri Jul  8 08:17:28 2005
@@ -671,6 +671,7 @@
 <li><a href="#vhosts">HTTPS and name-based vhosts</a></li>
 <li><a href="#vhosts2">Why is it not possible to use Name-Based Virtual
 Hosting to identify different SSL virtual hosts?</a></li>
+<li><a href="#comp">How do I get SSL compression working?</a></li>
 <li><a href="#lockicon">The lock icon in Netscape locks very late</a></li>
 <li><a href="#msie">Why do I get I/O errors with MSIE clients?</a></li>
 <li><a href="#nn">Why do I get I/O errors with NS clients?</a></li>
@@ -793,6 +794,23 @@
 
     <p>Use separate IP addresses for different SSL hosts. 
     Use different port numbers for different SSL hosts.</p> 
+
+
+<h3><a name="comp" id="comp">How do I get SSL compression working?</a></h3>
+<p>Although SSL compression negotiation was already defined in the specification
+of SSLv2 and TLS, it took until May 2004 when RFC 3749 defined DEFLATE as
+a negotiable standard compression method.
+</p>
+<p>OpenSSL 0.9.8 started to support this by default when compiled with the
+<code>zlib</code> option. If both the client and the server support compression,
+it will be used. However, most clients still try to initially connect with an
+SSLv2 Hello. As SSLv2 did not include an array of prefered compression algorithms
+in its handshake, compression can not be negotiated with these clients.
+If the client disables support for SSLv2, based on the used SSL library 
+a SSLv3 or TLS Hello might be sent and compression might be set up.
+You can verify if clients make use of SSL compression by logging the
+<code>%{SSL_COMPRESS_METHOD}x</code> variable.
+</p>
 
 
 <h3><a name="lockicon" id="lockicon">When I use Basic Authentication over HTTPS the lock icon in Netscape browsers
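Review bot: The two new paragraphs contradict each other on SSLv2: the first says compression negotiation was "already defined in the specification of SSLv2 and TLS", while the second says SSLv2 "did not include an array of prefered compression algorithms in its handshake". The first reference was presumably meant to be SSLv3; please check and correct it. Smaller points in the same text: "prefered" should be "preferred", "can not" should be "cannot", and "a SSLv3" should be "an SSLv3". Only ssl_faq.html.en is listed as modified for the FAQ, so the change should also go into the FAQ's source file if the HTML is generated. Showing a complete log format line that includes %{SSL_COMPRESS_METHOD}x would make the verification step easier to follow.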